{
"Event" : {
"analysis" : "0" ,
"date" : "2023-04-13" ,
"extends_uuid" : "" ,
"info" : "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference" ,
"publish_timestamp" : "1681482760" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1681482747" ,
"uuid" : "e9bf73b9-f82c-4203-ba04-deacf8d9fbd6" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:clear" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"SNOWYAMBER\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"HALFRIG\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"QUARTERRIG\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "9f520974-6089-4bc0-ba9a-11703af0898f" ,
"value" : "totalmassasje.no/schedule.php"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "562de197-3e0b-483d-af2c-04cfba0bce91" ,
"value" : "signitivelogics.com/Schedule.html"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - Cobalt Strike Team Server" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "0c5341a9-472a-40b8-8977-228aaba8303c" ,
"value" : "humanecosmetics.com/category/noteworthy/6426-7346-9789"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "06c6b49d-dddb-4625-b38e-f89e0cbfda04" ,
"value" : "signitivelogics.com/BMW.html"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - BRUTERATEL C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "b81fc0d1-1c31-4246-b49a-92538284c5fe" ,
"value" : "badriatimimi.com"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "54bbcc91-53f4-48ed-9cee-69e4e0b96b18" ,
"value" : "literaturaelsalvador.com/Instructions.html"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "3a852cbe-b663-4419-8d52-8f4f49e5ceb1" ,
"value" : "parquesanrafael.cl/note.html"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464468" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "9bb49ae8-9921-4464-af2a-13f0eabfe6aa" ,
"value" : "inovaoftalmologia.com.br/form.html"
} ,
{
"category" : "Network activity" ,
"comment" : "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681464494" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "ae2fc1c5-a21c-4bd7-94b7-abd2f666aaa2" ,
"value" : "literaturaelsalvador.com/Schedule.htm"
} ,
{
"category" : "Network activity" ,
"comment" : "HALFRIG - ENVYSCOUT backend fingerprint collector" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681476835" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "e2a4c314-dc62-4791-8be9-c07f6ebd9627" ,
"value" : "sawabfoundation.net/p.php? ip=<IP>&ua=<USER_AGENT>"
} ,
{
"category" : "Network activity" ,
"comment" : "HALFRIG - ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681476858" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "d9a7d34e-df43-4ca9-9637-ad7b20680423" ,
"value" : "sawabfoundation.net/note.html"
} ,
{
"category" : "Network activity" ,
"comment" : "HALFRIG - compromised hosting used for ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681476854" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "2b5638cd-1596-4e4f-a905-8b917864a264" ,
"value" : "sawabfoundation.net"
} ,
{
"category" : "Network activity" ,
"comment" : "HALFRIG - CobaltStrike redirector" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681476846" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "20985b84-445b-4cd8-9a4e-438717131374" ,
"value" : "communitypowersports.com"
} ,
{
"category" : "Network activity" ,
"comment" : "HALFRIG - CobaltStrike C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681476841" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "2f775c20-527b-41db-a86c-93bd41aec7d4" ,
"value" : "sanjosemotosport.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681478675" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "2ff30677-8495-4288-995c-aaa072af7afc" ,
"value" : "bc4b0bd5da76b683cc28849b1eed504d"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681478863" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "47b0c033-bc69-42e8-a379-c7ebf4b198bb" ,
"value" : "pateke.com/auth/login.php"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681478863" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "693b2be5-19c4-4d78-96b1-aeeae581b3d2" ,
"value" : "pateke.com/index.php"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681478863" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "42762f0f-da00-4fd6-88bd-df723863f89f" ,
"value" : "pateke.com"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG server IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681478863" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "852c2f54-d64d-40e9-b77a-51c430c03616" ,
"value" : "85.195.89.91"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG - COBALT STRIKE Handler URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "4d3cbcdc-8254-4fdf-bf4b-3b6a31cc43b7" ,
"value" : "gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG - COBALT STRIKE Handler URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "0c680fdd-0f59-4cea-9c23-b20d5bde3f51" ,
"value" : "gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG - COBALT STRIKE C2 Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "97ca781f-93d1-4322-bbba-6c50f2b33733" ,
"value" : "gatewan.com"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG - COBALT STRIKE C2 IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "944935b8-4dfc-47f4-8095-0b32d08d276c" ,
"value" : "91.218.183.90"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "3bc6c7dd-e199-4aaa-8c0d-c362959fc990" ,
"value" : "sharpledge.com/login.php"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5136e6ff-c602-438f-8884-40f313c4bd1f" ,
"value" : "sharpledge.com"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG server IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "844c8b61-bfaf-40f4-9cdb-559a8867323e" ,
"value" : "51.75.210.218"
} ,
{
"category" : "Network activity" ,
"comment" : "URL to ENVYSCOUT used to deliver QUARTERRIG" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "0927d840-3cee-45af-894c-954bed55034f" ,
"value" : "sylvio.com.br/form.php"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG - Domain used to host ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681479078" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "ffbadd58-a7f1-4292-8c9d-825654816429" ,
"value" : "sylvio.com.br"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1681479729" ,
"uuid" : "cacc499d-1523-42de-990f-6ba57a4f4cc5" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1681479729" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "2f37fc00-2762-4853-ab11-ef4ab8ad401e" ,
"value" : "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1681479729" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e39a0bf4-28c2-4764-8b28-551226d11673" ,
"value" : "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1681479729" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ca00a9f2-cd8a-455d-a6e5-08a0fb0012b4" ,
"value" : "Report"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D Y z I D A g U i 9 N Y X J r S W 5 m b z w 8 L 0 1 h c m t l Z C B 0 c n V l P j 4 v T W V 0 Y W R h d G E g M T M w M i A w I F I v V m l l d 2 V y U H J l Z m V y Z W 5 j Z X M g M T M w M y A w I F I + P g 0 K Z W 5 k b 2 J q D Q o y I D A g b 2 J q D Q o 8 P C 9 U e X B l L 1 B h Z 2 V z L 0 N v d W 50 I D E x L 0 t p Z H N b I D M g M C B S I D E 1 I D A g U i A y N C A w I F I g M j Y g M C B S I D I 5 I D A g U i A z M C A w I F I g M z I g M C B S I D M z I D A g U i A 1 N C A w I F I g N T Y g M C B S I D U 4 I D A g U l 0 g P j 4 N C m V u Z G 9 i a g 0 K M y A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l L 1 B h c m V u d C A y I D A g U i 9 S Z X N v d X J j Z X M 8 P C 9 G b 250 P D w v R j E g N S A w I F I v R j I g O S A w I F I v R j M g M T E g M C B S L 0 Y 0 I D E z I D A g U j 4 + L 0 V 4 d E d T d G F 0 Z T w 8 L 0 d T N y A 3 I D A g U i 9 H U z g g O C A w I F I + P i 9 Q c m 9 j U 2 V 0 W y 9 Q R E Y v V G V 4 d C 9 J b W F n Z U I v S W 1 h Z 2 V D L 0 l t Y W d l S V 0 g P j 4 v T W V k a W F C b 3 h b I D A g M C A 1 O T U u M z I g O D Q x L j k y X S A v Q 29 u d G V u d H M g N C A w I F I v R 3 J v d X A 8 P C 9 U e X B l L 0 d y b 3 V w L 1 M v V H J h b n N w Y X J l b m N 5 L 0 N T L 0 R l d m l j Z V J H Q j 4 + L 1 R h Y n M v U y 9 T d H J 1 Y 3 R Q Y X J l b n R z I D A + P g 0 K Z W 5 k b 2 J q D Q o 0 I D A g b 2 J q D Q o 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v T G V u Z 3 R o I D E x N D g + P g 0 K c 3 R y Z W F t D Q p 4 n L 1 Y 227 b O B B 9 N + B / 4 F M h F W u a w z s X R Y H E T d M U z W 4 a u y g W Q R / c R H E N Z O 3 U d V P k 73 e G j h P Z k i J f 1 P U D Y Z I j z Z k z F w 7 V P Z j N x 9 f D y z l 79 a p 7 M J 8 P L 79 l V + y i O 5 j e f u k O 7 m + z 7 t l w 
N J 4 M 5 + P p p N v / + X V O S + + y 4 V U 2 e / 2 a H b 7 p s e / t l u C C f t 47 Y I K Z Y L i S z G v g Q b J Z 1 m 59 f s k m 7 d b h o N 3 q v g U G w I V m g + t 2 i 6 Q F A y a D 49 Y x F y w 9 O P g X 5 Y 77 j o 1 + 4 K v Z K M 78 w + y 43 b p I W N r R O N j 8 n y 9 s 8 L 7 d O k I d H 9 u t B j A p k F x B H l O E 8 o h g N 30 o y 45 O e 4 x 1 z 4 j w 0 97 J G y a a I 9 I J 7 q V m z g p 6 o g Z 0 A Q j s B k Q y M D z Y U i D S c G + 3 B i K b B y I s 19 s z o p o D o p T l L j D r L Q 9 + a y C 6 c U a s d d z o r Y G Y 3 Y C o Z 4 D o w N X W O G z z O K T n Y W s c b l c c q h S E 8 a E E R D 8 F S P 5 K Q S V / p y C T z z T 8 k 4 J J D m g 4 p e k h D U c k c k 7 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
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "report-file" ,
"timestamp" : "1681479729" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "cfc505c6-f0a1-429f-abe7-2e4c4a24961b" ,
"value" : "IoC_Reference_.pdf"
}
]
} ,
{
"comment" : "SNOWYAMBER" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"last_seen" : "2022-10-24T00:00:00+00:00" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681462657" ,
"uuid" : "fb5d8e74-975e-4396-b9bf-cfbd14e06cb0" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681462657" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "2f2fa766-b5f5-4b3c-b1f9-9e8ad118de12" ,
"value" : "c938934c0f5304541087313382aee163e0c5239c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681462657" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "b1b07f24-46ee-4738-a45d-852823961cfd" ,
"value" : "d0efe94196b4923eb644ec0b53d226cc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681462657" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "d97ad83a-8aac-4e69-9955-a5fa982eb2ea" ,
"value" : "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681462657" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "06c90783-e9bd-45e4-8ba9-523723da9ea8" ,
"value" : "7za.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681462657" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "60e1f4a4-eff6-42f8-a9b0-85187cd9133b" ,
"value" : "270336"
}
]
} ,
{
"comment" : "SNOWYAMBER\r\nIt seems that the adversary made a mistake while compiling this sample. Internal functions were added to the exports (both those authored by the adversary and those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While the binary itself is stripped, those exported functions have names that can be demangled, revealing naming, prototypes and datatypes." ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681462625" ,
"uuid" : "13f7ac43-2427-4631-8b19-4204fd4636ed" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"object_relation" : "sha1" ,
"timestamp" : "1681462625" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5b960982-8a40-4dda-999a-1609e4a5937f" ,
"value" : "8eb64670c10505322d45f6114bc9f7de0826e3a1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"object_relation" : "md5" ,
"timestamp" : "1681462625" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "530e6412-6bdb-4e2f-83c3-06e3678014b4" ,
"value" : "cf36bf564fbb7d5ec4cec9b0f185f6c9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"object_relation" : "sha256" ,
"timestamp" : "1681462625" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "38805898-8f45-406c-9ee2-ae0b9b3490c2" ,
"value" : "e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"object_relation" : "filename" ,
"timestamp" : "1681462625" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d73895fb-bf06-454d-842b-1d20f3d9a46f" ,
"value" : "BugSplatRc64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"last_seen" : "2023-02-08T00:00:00+00:00" ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681462625" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "1cbdee03-7166-4105-aaa7-684392336768" ,
"value" : "271360"
}
]
} ,
{
"comment" : "SNOWYAMBER" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681463367" ,
"uuid" : "54bb5140-f5d0-4478-9776-5d68204038ba" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"object_relation" : "sha1" ,
"timestamp" : "1681463367" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "f8ee4b18-ac61-493b-8f08-2597af1a3b7d" ,
"value" : "3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"object_relation" : "md5" ,
"timestamp" : "1681463367" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "46f42927-db76-4f9b-9457-2bf8d53c79f4" ,
"value" : "82ecb8474efe5fedcb8f57b8aafa93d2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"object_relation" : "sha256" ,
"timestamp" : "1681463367" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "fed5574d-3b36-48d5-a6e1-ae8e99cb81ac" ,
"value" : "4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"object_relation" : "filename" ,
"timestamp" : "1681463367" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "a26937bc-0896-4f45-87e8-dea667726fc8" ,
"value" : "BugSplatRc64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"last_seen" : "2023-02-07T00:00:00+00:00" ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681463367" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "ae5073c9-ad22-42ca-97d1-5df2f7330d13" ,
"value" : "301056"
}
]
} ,
{
"comment" : "SNOWYAMBER - 2nd stage - CobaltStrike beacon (decrypted)\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681463822" ,
"uuid" : "98923877-e697-4e46-be52-89926b10186a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681463822" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "a4f06cd5-babb-4b76-8d9a-15a5f7ba2eae" ,
"value" : "aaf973a56b17a0a82cf1b3a49ff68da1c50283d4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681463822" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c388a994-9389-4074-b9f1-2e619b23dfa5" ,
"value" : "800db035f9b6f1e86a7f446a8a8e3947"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681463822" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c6e796a-4796-401c-8998-38cf83200752" ,
"value" : "032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681463822" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "99dbb00f-d5a0-4bdd-bc8e-8c7f7797382a" ,
"value" : "hXaIk1725.pdf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681463822" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "3d44e02b-34f3-4f3b-a2fa-6dff653a1456" ,
"value" : "261635"
}
]
} ,
{
"comment" : "SNOWYAMBER - 2nd stage \u2013 BruteRatel stageless badger (decrypted)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681463931" ,
"uuid" : "d44e1f2d-6dd6-4a1f-b648-59d690e84b70" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681463931" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "89a074eb-9205-41bd-82da-8107367aad9a" ,
"value" : "a8a82a7da2979b128cbeddf4e70f9d5725ef666b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681463931" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "871dc6d0-ca85-4409-90bf-4a8434da4450" ,
"value" : "0e594576bb36b025e80eab7c35dc885e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681463931" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "16364669-d667-4f1e-9e66-114e4831f5f8" ,
"value" : "ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681463931" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "1c1ab1c0-d02d-4bec-b21e-cf9732b269db" ,
"value" : "hXaIk1314.pdf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681463931" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "7b5c67a9-8566-4907-b967-0f0b563c3f85" ,
"value" : "347837"
}
]
} ,
{
"comment" : "HALFRIG - Legitimate binary used for loading malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681474053" ,
"uuid" : "4a36fbd0-f4e4-4265-af09-1c860934b981" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681474053" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0a733573-c0bb-40f0-bd6f-5547258fc830" ,
"value" : "d9d40cb3e2fe05cf223dc0b592a592c132340042"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681474053" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "97d25ec2-8897-4630-b3ec-39942bb6e740" ,
"value" : "83863beee3502e42ced7e4b6dacb9eac"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681474053" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6bfdc945-8eee-47fb-bef6-0011e3ddec6c" ,
"value" : "cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681474053" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "e2ee465d-fa44-4062-a299-4a18837dee8f" ,
"value" : "Note.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681474053" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "c5e20a08-b3ab-4a15-afe0-4a18ab2b0518" ,
"value" : "1597000"
}
]
} ,
{
"comment" : "HALFRIG - Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681474157" ,
"uuid" : "b995157a-f9c8-4e1c-a338-e65775627ddd" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681474157" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "d1126a3e-b7e7-41df-a2f6-00bdbb4003a7" ,
"value" : "fbb482415f5312ed64b3a0ebee7fed5e6610c21a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681474157" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3c2a7d7f-e6b9-4911-9ebb-974a929f6341" ,
"value" : "0e5ed33778ee9c020aa067546384abcb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681474157" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8a75210a-bb70-4ba1-a30b-376e6f54e2e9" ,
"value" : "d1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681474157" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "f2d6af30-2e3a-489c-9baa-c737af264d6b" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681474157" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "938d57ac-25d5-4446-81ef-35264ed2adcf" ,
"value" : "2688000"
}
]
} ,
{
"comment" : "HALFRIG - 1st module\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681474501" ,
"uuid" : "674e907b-7058-4613-98d0-76d938cfd6e2" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681474501" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "006bd3c1-da13-44ab-ba25-43ed0e0bd40d" ,
"value" : "f61e0d09be2fc81d6f325aa7041be6136a747c2d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681474501" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f062d6a7-7b8d-487f-9f27-46db1a03b734" ,
"value" : "f532c0247b683de8936982e86876093b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681474501" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "059f9665-b53b-413f-9b49-3ab5cffcb001" ,
"value" : "ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681474501" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d5684f57-90df-4ecd-8c9d-4ada438e5f60" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681474501" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "72620fa7-26bc-4e3a-888c-fdc49f979bd5" ,
"value" : "27000"
}
]
} ,
{
"comment" : "HALFRIG - 2nd module" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681474768" ,
"uuid" : "36164b07-dc2e-458a-b3f5-b6117f239934" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681474768" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "f9b2e3fc-194f-4914-b664-0887b5e45d60" ,
"value" : "e418d37fdcf4c288884bfe744b416cbdb0243a9e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681474768" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "dd8a4816-88e2-4d7e-bcb0-1a13c30b7541" ,
"value" : "abc87df854f31725dd1d7231f6f07354"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681474768" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ccd39975-d7ef-45c1-9a67-fab8899d6047" ,
"value" : "efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681474768" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "4ae05e95-159b-4892-8ade-6ccc1248da32" ,
"value" : "msword.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681474768" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d90e6770-f556-4b10-a2eb-008ba244778f" ,
"value" : "53000"
}
]
} ,
{
"comment" : "HALFRIG - 3rd module" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681475778" ,
"uuid" : "ceed65f8-1499-4487-b95f-e9acbe047956" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681475778" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "638ed2c8-e324-4eb5-84ca-ea44f9e854f6" ,
"value" : "6dff9a9f13300a5ce72a70d907ff7854599e990a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681475778" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "03138635-1274-49f3-8175-14ea0e4a25c8" ,
"value" : "2ffaa8cbc7f0d21d03d3dd897d974dba"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681475778" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "73e295c3-2dd4-46b0-9348-1b7b29815a33" ,
"value" : "cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681475779" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "9a443bbf-97e6-46b9-a009-51ab863ef2fb" ,
"value" : "envsrv.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681475779" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "4175b3f2-7fa0-4e0a-b0de-c0e14f2b7799" ,
"value" : "56000"
}
]
} ,
{
"comment" : "HALFRIG - 4th module (shellcode stager)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681476174" ,
"uuid" : "fc2c7391-60a9-4f16-b09c-5dc9b0743454" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681476174" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5efce5d4-ca6c-444b-857e-4bb4e1835bce" ,
"value" : "a677b6aa958fe02cac0730d36e8123648e02884f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681476174" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8e70d9d5-2daf-455a-abdd-6b2b8f25eeca" ,
"value" : "5b6d8a474c556fe327004ed8a33edcdb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681476174" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "cc193f4e-45d8-43cd-ad79-772185431bb1" ,
"value" : "86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681476174" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "3036ecde-41da-4706-90f3-578424d6e069" ,
"value" : "mschost.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681476174" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d2909d5d-7c63-493f-bf40-71077f9c5084" ,
"value" : "391000"
}
]
} ,
{
"comment" : "QUARTERRIG - Legitimate executable used to load the malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681476733" ,
"uuid" : "60ed09c9-da38-4dce-b8b4-e21e8fc1933a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681476733" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "a271996a-4d68-425d-be19-29e6d19d7924" ,
"value" : "b260d80fa81885d63565773480ca1e436ab657a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681476733" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "915bf969-a544-45dd-b904-57ad01555b6b" ,
"value" : "b1820abc3a1ce2d32af04c18f9d2bfc3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681476733" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "cda553b5-2284-4430-88be-ba9d7686dd33" ,
"value" : "6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681476733" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "ff800fa6-7fab-4310-b388-0c55bbac8ba2" ,
"value" : "Note.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681476733" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "ca9ce146-bfca-4521-a33a-079e3772f704" ,
"value" : "1600000"
}
]
} ,
{
"comment" : "QUARTERRIG - Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681476790" ,
"uuid" : "3ae9fc2a-cfda-45c7-a247-d73f73a51930" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681476790" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "b497783c-ac5a-42a6-be16-a7400ee140d9" ,
"value" : "52932be0bd8e381127aab9c639e6699fd1ecf268"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681476790" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3187dfba-3c58-42be-b788-7cc4d83c2f92" ,
"value" : "22adbffd1dbf3e13d036f936049a2e98"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681476790" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2e786370-8c9d-4a6b-a2d3-37143ab6f83d" ,
"value" : "c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681476790" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2b1fde15-6e95-4ed6-a0ec-3f580eb5ac00" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681476790" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "4fd40647-7934-47ef-bf3c-80c313deb405" ,
"value" : "2624000"
}
]
} ,
{
"comment" : "QUARTERRIG - loader" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681476911" ,
"uuid" : "69e85677-63c6-4d60-bb2c-9301d469e077" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681476911" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e507bd8-a6d0-4224-8a9d-ae0944c8dd54" ,
"value" : "ca1ef3aeed9c0c5cfa355b6255a5ab238229a051"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681476911" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "9c95d310-2c8a-4e13-a012-f5e5f12bfa0c" ,
"value" : "db2d9d2704d320ecbd606a8720c22559"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681476911" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "81bb5a50-7542-48c2-b291-1c7ef684dbf6" ,
"value" : "18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681476911" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "9d8e7d25-7ec3-4dd3-b424-3742d0d130c9" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681476911" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "fad8a1b3-3c75-4866-ab39-b258b91f7fff" ,
"value" : "28000"
}
]
} ,
{
"comment" : "QUARTERRIG - Encrypted resource containing the second stage" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681476970" ,
"uuid" : "7f85f95f-7e80-49be-985f-26c62453e9ec" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681476970" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "9868eae3-d3e9-4a50-ae30-d3c05992ef2f" ,
"value" : "02cd4148754c9337dfa2c3b0c31d9fdd064616a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681476970" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "2ed86428-162d-46ef-9a6a-3c40b8571282" ,
"value" : "166f7269c2a69d8d1294a753f9e53214"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681476970" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "40f2fd97-ecbc-48c2-88cf-97bd2b4c3537" ,
"value" : "3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681476970" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "3ed93f83-9d69-441e-b595-bf25d7c3429c" ,
"value" : "bdcmetadataresource.xsd"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681476970" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "29baaed1-1f42-46cc-b467-6b22580ea213" ,
"value" : "456000"
}
]
} ,
{
"comment" : "QUARTERRIG - Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681477060" ,
"uuid" : "2ecea181-6b4c-42f8-9db6-b84bfdab7392" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681477060" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "6c03b419-0563-4ea3-8e87-13620a9c7c31" ,
"value" : "86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681477060" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "980c1dfe-4b96-4766-b110-238a86d5ba52" ,
"value" : "1609bcb75babd9a3e823811b4329b3b9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681477060" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "0c83fb9b-64fb-40d0-8e55-08bda228544a" ,
"value" : "91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681477060" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6efc8b83-0622-4d33-a2a4-c64255f2a68b" ,
"value" : "Invite.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681477060" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "521a097f-306e-402b-8b6f-ef62f51b7acf" ,
"value" : "6464000"
}
]
} ,
{
"comment" : "QUARTERRIG - Legitimate executable used to load the malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681477252" ,
"uuid" : "f253b7db-5840-4c70-9bc9-a2880e555148" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681477252" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0fa9f316-b5eb-4e01-9a28-81e6388a74d4" ,
"value" : "15511f1944d96b6b51291e3a68a2a1a560d95305"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681477252" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f75606-dbd8-4d8a-988b-2225b85bdbbe" ,
"value" : "d2027751280330559d1b42867e063a0f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681477252" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "bd8382d9-40da-401a-8c44-40d28c4baf54" ,
"value" : "35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681477252" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "0d6043c3-df88-4fea-9e51-cb5f3d2c0543" ,
"value" : "Invite.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681477252" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "2584127a-4f01-447f-a140-c602107fedd1" ,
"value" : "5380000"
}
]
} ,
{
"comment" : "QUARTERRIG - loader" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681477900" ,
"uuid" : "e4bdcae2-8d1c-4fa4-9f7c-aeafa565b79e" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681477900" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "1c9e4b52-ee15-4b92-a642-c2900ad02b0c" ,
"value" : "b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681477900" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "46de7f6f-4f12-4cf6-8226-49cdff2e068f" ,
"value" : "bd4cbcd9161e365067d0279b63a784ac"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681477900" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "41ab02e3-a960-4569-a3f5-ba120073ac1a" ,
"value" : "673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681477900" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6682666c-d88a-4054-93fd-d49e73abd248" ,
"value" : "winhttp.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681477900" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "567557f7-dba2-4651-a598-b37cf7f1ed15" ,
"value" : "32000"
}
]
} ,
{
"comment" : "QUARTERRIG - Encrypted resource containing the second stage" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681478003" ,
"uuid" : "72df797d-68f8-4a2e-8483-964cf53d94e5" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681478003" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "4de728cb-b60b-493b-a70b-f6fa771abb46" ,
"value" : "1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681478003" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "e2ae1a9c-0544-47a5-8029-408c0cefdc68" ,
"value" : "8dcac7513d569ca41126987d876a9940"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681478003" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b532f11c-c208-49e1-bb06-5222b656881e" ,
"value" : "9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681478003" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "386c4a43-655d-485d-afdb-8cc3887c2d11" ,
"value" : "Stamp.aapp"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681478003" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "c6ab1b57-6ad1-4c5a-869b-959b39546067" ,
"value" : "460000"
}
]
} ,
{
"comment" : "QUARTERRIG - Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681478123" ,
"uuid" : "4423841b-a166-4a48-acf1-d0c7198907f5" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681478123" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "8f405a09-5ba3-4a22-8b32-7013ca618cc3" ,
"value" : "bacb46d2ce5dfcaf8544125903f69f01091bc3d6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681478123" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "7619be89-96ba-4de9-a1df-1780c639daee" ,
"value" : "3aca0abdd7ec958a539705d5a4244196"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681478123" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "d62e2fdd-4eee-4cbb-b4f0-cf4fec5e4e64" ,
"value" : "10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681478123" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d1ede274-5546-464f-bd8a-6628f21ea614" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681478123" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "15bd34d3-19ad-4ff7-a7ce-4d5b84471e30" ,
"value" : "2688000"
}
]
} ,
{
"comment" : "QUARTERRIG - loader" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681478213" ,
"uuid" : "eb54a2c7-2b9c-4809-a253-d800821ecf38" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681478213" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "fa9b1b10-b4f5-446c-8316-87b0463c3273" ,
"value" : "6382ae2061c865ddcb9337f155ae2d036e232dfe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681478213" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f709c101-59ab-4a6e-98e2-3b51bac30cff" ,
"value" : "9159d3c58c5d970ed25c2db9c9487d7a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681478213" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6475ffa6-684b-47fa-9771-4e36597426a3" ,
"value" : "a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681478213" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "f21d48ea-c6a4-4662-bfcb-bceb7e7036af" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681478213" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d9d74923-7005-4e8f-ae3b-293b5d7eb724" ,
"value" : "26000"
}
]
} ,
{
"comment" : "QUARTERRIG - Encrypted resource containing the second stage" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681478668" ,
"uuid" : "38c908cd-2958-4021-b434-7271ec84bada" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681478668" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "95e5f437-8b6c-421c-b923-55d6cd19a512" ,
"value" : "8dcac7513d569ca41126987d876a9940"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681478668" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58715af3-fab4-44ca-a41f-76523672cb98" ,
"value" : "15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681478668" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "13e5b2c1-70dd-4cd6-a564-cac990f41572" ,
"value" : "bdcmetadataresource.xsd"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681478668" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "44ecfdc9-20f9-4e30-ab0a-6e40e2581cf6" ,
"value" : "479000"
}
]
}
]
}
}