{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2021-03-26",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - Analyzing attacks taking advantage of the Exchange Server vulnerabilities",
|
||
|
"publish_timestamp": "1616759997",
|
||
|
"published": true,
|
||
|
"threat_level_id": "2",
|
||
|
"timestamp": "1616759918",
|
||
|
"uuid": "174f7375-c811-4c4a-81e0-1d41582f340d",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0071c3",
|
||
|
"name": "osint:lifetime=\"perpetual\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0087e8",
|
||
|
"name": "osint:certainty=\"50\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains abused by Lemon Duck:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755834",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "fa803eb4-4247-4e1e-9c9b-aa3308d2d9f3",
|
||
|
"value": "down.sqlnetcat.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains abused by Lemon Duck:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755834",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "0507d917-2bfd-418a-9c91-65edfe6df45f",
|
||
|
"value": "t.sqlnetcat.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains abused by Lemon Duck:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755834",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "27883473-9495-4bdc-84e1-8898c13d1f52",
|
||
|
"value": "t.netcatkit.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pydomer DGA network indicators:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755867",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "222418c5-b7f1-494e-9044-bfb11f195703",
|
||
|
"value": "uiiuui.com/search/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pydomer DGA network indicators:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755867",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "fb9b415d-0c5f-4bc2-a966-8f2de3e6b5ad",
|
||
|
"value": "yuuuuu43.com/vpn-service/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pydomer DGA network indicators:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755867",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "d3418d73-07c0-4c8e-887e-1c0ef132491c",
|
||
|
"value": "yuuuuu44.com/vpn-service/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pydomer DGA network indicators:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755867",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "30133a6e-5b42-4d43-b14e-14c0ce5c48fd",
|
||
|
"value": "yuuuuu46.com/search/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755893",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1b11e7b2-b5d3-49ce-a2e4-67b4b733805c",
|
||
|
"value": "7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "09c6e13b-9ee3-4d11-91c7-2934ce6214a5",
|
||
|
"value": "866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "90d44c63-36d4-4adb-94ae-477475eeba3e",
|
||
|
"value": "910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "ca05457f-042b-4300-9c5e-52a335f989ef",
|
||
|
"value": "a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6a2ad2ef-58be-4303-b7cf-41a1caaab335",
|
||
|
"value": "b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6a380c0c-1f8f-4f16-92c7-631f398034e9",
|
||
|
"value": "c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "e50aa7c3-ae00-4429-91d7-7962db057e92",
|
||
|
"value": "c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5ac9bd59-8ee3-44c0-a842-128312afcb41",
|
||
|
"value": "0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "53c5263a-7e99-412a-83ca-bed51b063a7c",
|
||
|
"value": "3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1c8b9c11-d832-4d3a-aa72-6f20a40e9ce6",
|
||
|
"value": "4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "eb98ccd1-b6c2-459f-877c-6fc9cb5682ed",
|
||
|
"value": "56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "ec22d510-f3af-4807-b40d-0e9a84073347",
|
||
|
"value": "69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5b9913c1-e277-4947-a05d-52a3528c82ad",
|
||
|
"value": "737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "a1f758e0-7568-4ed1-ab37-a8ee02e22359",
|
||
|
"value": "893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "a7c061b6-8737-4833-9bfb-7dc7a9877edc",
|
||
|
"value": "9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "e8ef454d-3103-4a3c-9660-115baf72420d",
|
||
|
"value": "9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "58eddb96-5c84-408e-9a47-11034fd78da8",
|
||
|
"value": "a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "2d57e2fe-cd02-4ccf-b1fd-d14398c8cff4",
|
||
|
"value": "d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "d3143632-5173-4516-9327-8e22f0deb6e6",
|
||
|
"value": "db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "9eefe9a8-57b4-4af0-9e46-a5ecc756d2a2",
|
||
|
"value": "dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1eb9c95a-aca6-4e17-95d8-85eb5580f05b",
|
||
|
"value": "f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "151610f0-2fb7-46d6-b3e1-b3b627878ada",
|
||
|
"value": "f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "eecf9939-d3d5-443a-ade5-374142e5bef8",
|
||
|
"value": "fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "637ef6c0-1d6c-4a0e-97a7-8c29d3a272ec",
|
||
|
"value": "027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "fecb1042-b6de-46ee-b3b8-e9b2a7d2e30c",
|
||
|
"value": "10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "e2526249-0422-4096-8b1e-7c189aea6270",
|
||
|
"value": "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "7f7b791d-774d-4852-9456-2e5cbb6f47f8",
|
||
|
"value": "904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1f505bb0-aa2c-41c5-bce0-b30cc941a94d",
|
||
|
"value": "bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "741ebe5a-d450-44ba-989d-98b2164a8591",
|
||
|
"value": "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "debe77bb-8d18-4911-9726-a46c85d44795",
|
||
|
"value": "fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "a011b404-9097-48e4-a602-1372b238d3b3",
|
||
|
"value": "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "3b0ce211-02ae-466d-9390-cf91f7c73014",
|
||
|
"value": "201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "493ab996-5d1b-4bcf-932d-2305a6541f26",
|
||
|
"value": "2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "a7e87b24-f989-402d-8673-d8741bc08184",
|
||
|
"value": "4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "fd66b672-274f-4bd0-9de6-04b1d46fd965",
|
||
|
"value": "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "94aecbb8-5189-4e6e-9356-0172dcc89638",
|
||
|
"value": "65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "140c1e65-1d74-4e0f-9306-0690d7c91fed",
|
||
|
"value": "811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "fe58049f-d796-48a7-b572-0256fb1c719f",
|
||
|
"value": "8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "68db0c1e-4c28-43a4-96db-e85fe0dc2e53",
|
||
|
"value": "a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "e26ca02c-6819-4602-bbb8-ce6534aed660",
|
||
|
"value": "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "file hashes for some of the web shells observed during attacks",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616755955",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "411617df-f081-4b02-92fa-6374ee8b0f59",
|
||
|
"value": "dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "9749a54a-4be5-4059-acbf-033d614dee7d",
|
||
|
"value": "Behavior:Win32/Exmann"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "a4071d67-2ea4-49d1-9c9b-0ee81234d809",
|
||
|
"value": "Behavior:Win32/IISExchgSpawnEMS"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "0178d543-9d09-4643-b5b6-ef0d2ea32e37",
|
||
|
"value": "Exploit:ASP/CVE-2021-27065"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "3e1c27bd-054d-4e1c-a7f6-b1d0aae91db7",
|
||
|
"value": "Exploit:Script/Exmann"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "77f83632-b74c-4bfd-a23d-c1cf3221bbf4",
|
||
|
"value": "Trojan:Win32/IISExchgSpawnCMD"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "3d8a57d8-98ae-427a-ab43-ff07a8971b36",
|
||
|
"value": "Behavior:Win32/IISExchgDropWebshellBackdoor:JS/Webshell"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "eb8743cd-6e7e-40b3-a6c6-b6270ad1dba0",
|
||
|
"value": "Backdoor:PHP/Chopper"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "59e6151f-accb-40b8-b1a4-884ec8c14134",
|
||
|
"value": "Backdoor:ASP/Chopper"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "669a2dc2-269d-4a5d-8025-21151208a7d3",
|
||
|
"value": "Backdoor:MSIL/Chopper"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "b0de41c7-ec23-491d-a31f-3dce62abf9af",
|
||
|
"value": "Trojan:JS/Chopper"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "a09f91d6-2103-422c-bf5b-6451f4a1acdc",
|
||
|
"value": "Trojan:Win32/Chopper"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "1315cf20-b279-490f-aded-5ae5c53ba9d3",
|
||
|
"value": "Behavior:Win32/WebShellTerminal"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "368c532e-2cfb-4946-b88f-8c0fea358d20",
|
||
|
"value": "Trojan:PowerShell/LemonDuck"
|
||
|
},
|
||
|
{
|
||
|
"category": "Antivirus detection",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1616756002",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "7a16683b-3e4a-49dc-941f-13299d77d90a",
|
||
|
"value": "Trojan:Win32/LemonDuck"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Metadata used to generate an executive level report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "report",
|
||
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616755813",
|
||
|
"uuid": "c96a5a0f-a2d4-4072-8eb2-e85fdf0632fb",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "link",
|
||
|
"timestamp": "1616755813",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "a0b6693c-59ff-4826-bb18-bf10284c3ac8",
|
||
|
"value": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "summary",
|
||
|
"timestamp": "1616755813",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "9d33109c-e0e3-480d-9e5d-451d5200837b",
|
||
|
"value": "The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in this blog. In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker."
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "5c1324e4-da6a-4392-9f78-9c6f497a56ac",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5c1324e4-da6a-4392-9f78-9c6f497a56ac",
|
||
|
"referenced_uuid": "f8791d29-bcbb-43ba-8b31-371d281757a8",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "70475bf3-af2c-4e8f-8a05-02e5aa1acb41"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "aeb9a696-750e-46e3-80fd-9d66233cf1b0",
|
||
|
"value": "1e746f685711c3595bee0585c12f0527"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "89988228-11a1-497a-b982-5dc8e2743cdc",
|
||
|
"value": "16154da1fa113cd1db105900fcc07b427002ffc3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "489db95c-f3e5-4020-976f-02f1f9532ae7",
|
||
|
"value": "737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "f8791d29-bcbb-43ba-8b31-371d281757a8",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "2c14bc86-d2e7-421f-97fd-0111b11444ca",
|
||
|
"value": "2021-03-23T04:27:01+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "16ade091-6021-4ba4-8743-5cb033d138d2",
|
||
|
"value": "https://www.virustotal.com/gui/file/737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4/detection/f-737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4-1616473621"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "4be959d2-a3b2-423d-8071-9e27a3c5051c",
|
||
|
"value": "29/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "a195cd72-0b3b-4c16-a185-1dbba192b089",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "a195cd72-0b3b-4c16-a185-1dbba192b089",
|
||
|
"referenced_uuid": "58d36f16-09f7-4ff6-a4eb-d771e9a0ac91",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "c5da7d6d-1ab3-48a0-8a1e-bbf0d87d456d"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "63fe26ed-28d0-45d3-a815-0aee20b29bb0",
|
||
|
"value": "c6eeb14485d93f4e30fb79f3a57518fc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "04491eb6-ec3d-4672-8cb7-eb578188f131",
|
||
|
"value": "b7d99521348d319f57d2b2ba7045295fc99cf6a7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "05b44343-a41a-4c74-9e60-b2629cce7124",
|
||
|
"value": "feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "58d36f16-09f7-4ff6-a4eb-d771e9a0ac91",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "869695b6-6123-41ec-b764-34b73b34cd86",
|
||
|
"value": "2021-03-22T07:29:43+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "fe0b5dbb-63a9-42e7-9492-c8c45a3a86fd",
|
||
|
"value": "https://www.virustotal.com/gui/file/feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede/detection/f-feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede-1616398183"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "f3726946-77f5-4753-a2cf-839b5a52ff81",
|
||
|
"value": "54/69"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "9e5710ce-d800-4726-b66b-0a2f6568a769",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "9e5710ce-d800-4726-b66b-0a2f6568a769",
|
||
|
"referenced_uuid": "85a7f022-e867-4bba-9f60-572f10e9ab09",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "623e2359-cd49-4532-87da-82bfc3cb3193"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "7cab9e6e-f69d-44e2-812b-db0e8849fc17",
|
||
|
"value": "0e55ead3b8fd305d9a54f78c7b56741a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "269f049d-b0a8-40d9-ae60-0d214548c86e",
|
||
|
"value": "f7b084e581a8dcea450c2652f8058d93797413c3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "61bfbb67-8fec-4e5a-9077-2c363a3ecb74",
|
||
|
"value": "2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "85a7f022-e867-4bba-9f60-572f10e9ab09",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "e07381f9-9bee-4e66-894f-f2bbc781f4e8",
|
||
|
"value": "2021-03-25T17:09:24+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "12e6d6a8-5382-49d6-a882-1c49a4fef03d",
|
||
|
"value": "https://www.virustotal.com/gui/file/2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff/detection/f-2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff-1616692164"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "3c8c05fb-53d5-4c0b-b55c-15c4b5e6867f",
|
||
|
"value": "53/69"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "98476378-a729-4dc9-8381-460968f44e41",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "98476378-a729-4dc9-8381-460968f44e41",
|
||
|
"referenced_uuid": "ed01adb0-7935-4acc-944a-3be3b2e9a6ba",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "2582f2a6-03dd-4da5-961d-f7b644556e3a"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "4bc99a9e-466f-4050-98df-c4d97ad5f491",
|
||
|
"value": "b2511bc215734adbdc43af963bdedb2c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "de58f43d-a758-4c26-9d5a-ec1b4bb59d21",
|
||
|
"value": "b50cea98ed2a0704d076eaa4b6f1f2195ee86f5d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "0a3f7f44-0bd2-45d7-8d6b-782598e908f5",
|
||
|
"value": "a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "ed01adb0-7935-4acc-944a-3be3b2e9a6ba",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "d22cd8fe-d76c-48a3-9887-b9d52c902884",
|
||
|
"value": "2021-02-18T08:41:32+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "c4d928fd-0a39-4333-a5c1-c949bed6ea2a",
|
||
|
"value": "https://www.virustotal.com/gui/file/a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85/detection/f-a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85-1613637692"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "d065c60f-6b99-488a-82c9-5283e1929633",
|
||
|
"value": "29/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "16eab987-8119-482e-81ca-637d7ab2027a",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "16eab987-8119-482e-81ca-637d7ab2027a",
|
||
|
"referenced_uuid": "b7849f75-6ff1-4c9b-864e-cc8932dbc2b7",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "6136b229-b449-4df8-a5b9-8b02dc20080d"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "88aa0dfa-6f9c-46de-b8ab-802822226783",
|
||
|
"value": "a7e571312e05d547936aab18f0b30fbf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "55136475-2a91-42f0-bf3f-1144e7e92aab",
|
||
|
"value": "e0d643e759b2adf736b451aff9afa92811ab8a99"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "243a7146-c337-4bda-9595-c9704ee04482",
|
||
|
"value": "027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "b7849f75-6ff1-4c9b-864e-cc8932dbc2b7",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "6c62d0c4-7948-4777-b360-0e0ca1f00c15",
|
||
|
"value": "2021-03-22T04:07:46+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "c37add88-56ce-4830-b5b2-6e4956834b7b",
|
||
|
"value": "https://www.virustotal.com/gui/file/027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27/detection/f-027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27-1616386066"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "d37f4ba9-848b-4f9c-8aa7-a859dbddf418",
|
||
|
"value": "50/69"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "684ab1ab-994d-4245-851c-ef8bf31ecf0a",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "684ab1ab-994d-4245-851c-ef8bf31ecf0a",
|
||
|
"referenced_uuid": "aea3278c-3824-4f96-bc2f-6e38d8709530",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "95eb2208-b057-4b85-b051-de1a2b8c435d"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "8f09a0d6-cba4-484c-8507-0063804261de",
|
||
|
"value": "faa5f4def7e037324f5f87239ddead2d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "e86ecba7-23f5-42b3-b530-daa9f689b39c",
|
||
|
"value": "00eb93b35a629ecbefca468fa5614c159b3becb9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "52fc2080-2eb3-49d2-99f0-44df7c7af4a4",
|
||
|
"value": "910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "aea3278c-3824-4f96-bc2f-6e38d8709530",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "779a7676-e85a-4eb5-b611-cf5015c61f2d",
|
||
|
"value": "2021-03-26T06:32:11+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "950b8e9d-341b-4f62-a28a-8f494f11e2e9",
|
||
|
"value": "https://www.virustotal.com/gui/file/910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db/detection/f-910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db-1616740331"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "1281a4ee-9000-485e-849a-eccb2e395abf",
|
||
|
"value": "40/71"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "1004ee8d-26bb-4973-908a-e29a9d26ba90",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "1004ee8d-26bb-4973-908a-e29a9d26ba90",
|
||
|
"referenced_uuid": "0ce9950f-81f9-4d2c-b28e-a87d2e61ad44",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "1230b123-b432-4030-adb3-73a7739f5777"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "58c0d010-544e-4a36-95ec-3920b1f68a43",
|
||
|
"value": "c914cd653e0e3dedc050e182b04d0877"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "e689d41f-0dad-474b-b399-30ec77624f3d",
|
||
|
"value": "dcb9118569388375b855e965a587440f069e68c9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "115151f3-2216-447f-bccb-15fae6682dc6",
|
||
|
"value": "dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "0ce9950f-81f9-4d2c-b28e-a87d2e61ad44",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "ca8b61d9-7a2a-4f5e-ae87-83791af7778d",
|
||
|
"value": "2021-03-23T04:27:02+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "079d2673-59d0-4e8f-8fd8-a4551bf99f39",
|
||
|
"value": "https://www.virustotal.com/gui/file/dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd/detection/f-dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd-1616473622"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "c9c9fe50-c187-4197-8af0-2caa64bf3880",
|
||
|
"value": "28/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "0afc4005-8a2c-4238-b974-17f9eaaf1abe",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "0afc4005-8a2c-4238-b974-17f9eaaf1abe",
|
||
|
"referenced_uuid": "765e5f0d-99b2-4dd8-a53b-09a1050eb769",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "b4609786-e114-4a80-9af9-94b6993e0774"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "8a3e44c0-0b46-4355-858a-3c52bbbdf38a",
|
||
|
"value": "e294d6f427c64f77b5b61bb7b17dd12c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "1c30183b-f624-4631-97e5-f10e18a766ba",
|
||
|
"value": "ccdae3ada854cc441106ec52c12823439bab6cba"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "58d3a190-d7bc-45c3-a1ea-1b5735f52195",
|
||
|
"value": "9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "765e5f0d-99b2-4dd8-a53b-09a1050eb769",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "fd566086-2351-4fcb-bb21-66e09063e930",
|
||
|
"value": "2021-03-09T04:36:07+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "3038f774-92f5-4d00-8ce4-d0052950c231",
|
||
|
"value": "https://www.virustotal.com/gui/file/9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719/detection/f-9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719-1615264567"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "7238d3f9-a1aa-4050-916a-faef0506f0c7",
|
||
|
"value": "27/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756675",
|
||
|
"uuid": "1eef1450-95b2-4f02-9fe0-679b4daa21b5",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "1eef1450-95b2-4f02-9fe0-679b4daa21b5",
|
||
|
"referenced_uuid": "05c62c41-284d-45fd-935b-dd3dd959eeda",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "b7364a74-5c61-41c3-afd4-f8220a80e4d2"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "8f37588f-98cc-4998-aa9e-802f349444ca",
|
||
|
"value": "7778e6a03a9bee17640353d3a11bb0b7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "9153620c-88f8-4871-82e5-f1895e1badec",
|
||
|
"value": "119e1bca56f4d920ef6e2aa54c6f34534aba1182"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "abaa642e-c92e-403a-9efc-2cadd86e442d",
|
||
|
"value": "69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756676",
|
||
|
"uuid": "05c62c41-284d-45fd-935b-dd3dd959eeda",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "ffde5223-08ca-47d2-85f6-90f96f98f06d",
|
||
|
"value": "2021-03-15T04:27:09+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "97356146-dfa8-4890-873a-55fa6db1a654",
|
||
|
"value": "https://www.virustotal.com/gui/file/69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e/detection/f-69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e-1615782429"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Lemon Duck associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755909",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "4d39fabd-788a-412c-ad6b-cdbe0c6a5e8b",
|
||
|
"value": "26/58"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756676",
|
||
|
"uuid": "7f25639e-80d5-478f-8daf-f4fb76bc9881",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "7f25639e-80d5-478f-8daf-f4fb76bc9881",
|
||
|
"referenced_uuid": "95d67997-6f0c-478c-977d-362d30cc8f98",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "3ea20f03-ca1c-4806-bbbe-58e7635b75d2"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "b2afb12c-03ad-4844-8fd0-a52abe2ceb67",
|
||
|
"value": "9f05994819a3d8c1a3769352c7c39d1d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "8c4bc519-5ab0-48cd-b97c-9dd092d0abb7",
|
||
|
"value": "eb2457196e04dfdd54f70bd32ed02ae854d45bc0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6527bc28-38b4-4603-b824-ae65ad4fa3b5",
|
||
|
"value": "10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "3",
|
||
|
"timestamp": "1616756676",
|
||
|
"uuid": "95d67997-6f0c-478c-977d-362d30cc8f98",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "4fcee4c5-8cc1-46bb-a02a-8aa51d1d80fa",
|
||
|
"value": "2021-03-17T12:54:53+00:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "e04b13ea-7938-4f04-a85b-33cb3b46d734",
|
||
|
"value": "https://www.virustotal.com/gui/file/10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da/detection/f-10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da-1615985693"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "DoejoCrypt associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1616755934",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "d60fa16f-0465-4515-8225-9dfded930054",
|
||
|
"value": "53/68"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "22",
|
||
|
"timestamp": "1616756676",
|
||
|
"uuid": "da78b3bd-a286-47ca-abe8-be8b9dabe016",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "da78b3bd-a286-47ca-abe8-be8b9dabe016",
|
||
|
"referenced_uuid": "8b6d1dc2-9dfb-47a4-84e0-0be59cf32f5d",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1616756679",
|
||
|
"uuid": "0b934db4-1d71-4ee6-977a-9e3b89319810"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1616755894",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "9cec1da1-c0f2-4219-9e82-a660443f6b20",
|
||
|
"value": "96c2f4acef5807b54ded4e0dae6ed79d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Pydomer associated hashes",
|
||
|
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha1",
"uuid": "624c6301-d1c6-48cb-a4f0-f549f83c6d4e",
"value": "3e93999954ce080a4dc2875638745a92c539bd50"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha256",
"uuid": "b7046d71-1228-4be4-b6c7-5b61100cee9c",
"value": "c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "8b6d1dc2-9dfb-47a4-84e0-0be59cf32f5d",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755894",
"to_ids": false,
"type": "datetime",
"uuid": "bf40e2d4-3f17-4de7-ba22-f2b175920607",
"value": "2021-03-26T10:43:42+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755894",
"to_ids": false,
"type": "link",
"uuid": "05e6b33a-5599-4596-a3e3-0ba912d7e913",
"value": "https://www.virustotal.com/gui/file/c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908/detection/f-c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908-1616755422"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755894",
"to_ids": false,
"type": "text",
"uuid": "45af6b9a-9266-4a2d-bcd7-2482ed300deb",
"value": "46/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "823fb96f-f21b-4fc9-bd0b-3b8a95635f48",
"ObjectReference": [
{
"comment": "",
"object_uuid": "823fb96f-f21b-4fc9-bd0b-3b8a95635f48",
"referenced_uuid": "26a182ac-3493-4ea4-bfae-c1921a1a7dc4",
"relationship_type": "analysed-with",
"timestamp": "1616756679",
"uuid": "69d002ca-e425-49c6-95fd-67466dc09343"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "81de2068-332a-4425-bd42-7660931ca733",
"value": "fe15fc6341baad2a111462854f96a2bc"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "ffa874da-1472-42a3-bba4-31849f0a3853",
"value": "90cd4f920d48c05fd3cad8275223f596c6388cbd"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "cb33d3c6-80e8-4ba7-b4fc-e1f9e53d98ec",
"value": "a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "26a182ac-3493-4ea4-bfae-c1921a1a7dc4",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "3e9b9f18-cf79-4cba-bf36-dd3aca92a364",
"value": "2021-03-18T12:35:49+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "ce113efe-ce5c-4923-96f1-4af810a2ee65",
"value": "https://www.virustotal.com/gui/file/a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a/detection/f-a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a-1616070949"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "ef51397f-7aea-4f59-ba77-0ad6496a261a",
"value": "28/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "6fd128cd-2a9d-407f-9c31-54eb6cbdc427",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6fd128cd-2a9d-407f-9c31-54eb6cbdc427",
"referenced_uuid": "3c697682-5a8a-4d1c-8cfc-8c64aabe226d",
"relationship_type": "analysed-with",
"timestamp": "1616756679",
"uuid": "6fa79745-4dd2-4401-ac38-702e20c46107"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "6d9a126f-e295-4aea-853a-020177d25b6d",
"value": "aef2ae9b36989bab8818696de5ccd5e7"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "bdbef063-0ac1-4765-98c3-3212c17e40a9",
"value": "f985022d7705d1ec575a1eef4ee32506d8b82871"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "55a7bbf4-a5b3-4df2-83cd-fcaccee2dcda",
"value": "201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "3c697682-5a8a-4d1c-8cfc-8c64aabe226d",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "12757096-d165-4389-af0f-6d799d73e476",
"value": "2021-03-26T03:50:32+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "51934ad8-7c30-46c7-97a0-81f699bb9b23",
"value": "https://www.virustotal.com/gui/file/201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41/detection/f-201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41-1616730632"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "13724e64-8624-4872-a693-ca8ecd923611",
"value": "21/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "9e421a7c-0c63-4d01-a5d1-c1a9e033114e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9e421a7c-0c63-4d01-a5d1-c1a9e033114e",
"referenced_uuid": "8fa3df06-0c22-438d-a3fc-700d32e0a9a3",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "fd96800c-f6b3-415b-850c-27a6f74e102d"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755894",
"to_ids": true,
"type": "md5",
"uuid": "a0932207-27cc-4755-9355-dbc854469dbd",
"value": "a5f6b6e95ef8a26081259813ca18e17b"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha1",
"uuid": "b790060f-33ff-4a3c-b5f0-8ef7d4c5a02e",
"value": "242bc043057bb12e27a9fe4db20d6bdb953cbc11"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha256",
"uuid": "cb4c06b3-a1a1-454c-a463-dd75cbc4e463",
"value": "866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "8fa3df06-0c22-438d-a3fc-700d32e0a9a3",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755894",
"to_ids": false,
"type": "datetime",
"uuid": "e9085519-41c1-4fa7-8276-2e2cbb45ca85",
"value": "2021-03-25T06:49:59+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755894",
"to_ids": false,
"type": "link",
"uuid": "117b374e-1ab8-43b8-ade5-3bf3c701b3b1",
"value": "https://www.virustotal.com/gui/file/866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc/detection/f-866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc-1616654999"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755894",
"to_ids": false,
"type": "text",
"uuid": "4266730a-eb89-4cad-9fa8-c5848d9bc3b9",
"value": "43/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "2c46c27a-354d-42e7-b5be-3dd8a5b06c5c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2c46c27a-354d-42e7-b5be-3dd8a5b06c5c",
"referenced_uuid": "a528334c-62cf-42b0-a6dc-3f7d3cbcbc28",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "15b604bf-18e6-4e3d-a744-c95bedcff220"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755894",
"to_ids": true,
"type": "md5",
"uuid": "af3ac3bb-1150-46ce-bfdf-1cfdeebd5a1c",
"value": "aa2efe290df3c38c26c70b1f40f69812"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha1",
"uuid": "0c7ed391-e388-496e-9ba5-b6e23a768233",
"value": "f6013bcaaa4f2df7c05ed2777bf845e844666297"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha256",
"uuid": "a2c441f5-41b9-43b7-b59e-3968018c42dd",
"value": "a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "a528334c-62cf-42b0-a6dc-3f7d3cbcbc28",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755894",
"to_ids": false,
"type": "datetime",
"uuid": "10c72310-3b26-4d22-9637-4f083d7abcbd",
"value": "2021-03-25T09:30:16+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755894",
"to_ids": false,
"type": "link",
"uuid": "33363245-a8b5-454e-a858-568492e1a9be",
"value": "https://www.virustotal.com/gui/file/a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287/detection/f-a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287-1616664616"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755894",
"to_ids": false,
"type": "text",
"uuid": "9588211c-a3d0-4083-967b-115f56cd2415",
"value": "40/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "4a2d5efc-ae3f-4fc7-91f4-f6bda3e321b7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "4a2d5efc-ae3f-4fc7-91f4-f6bda3e321b7",
"referenced_uuid": "e9c28a40-0154-4e1b-8466-f5e58326910f",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "174b74f5-8f85-472a-b83b-bd7fafe88c96"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "60579fa1-9cae-491a-a8b2-34a841ee3b5a",
"value": "aaed26520f0d31b13e8adf80a4e9effd"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "b3d1088f-98fb-4fbc-9ff3-7be9898f1933",
"value": "2c5a683e8119345faf98fb0bb5f31a8cbfe0537e"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "9335a213-3c6b-4c56-b1aa-a16a2124b9e5",
"value": "56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "e9c28a40-0154-4e1b-8466-f5e58326910f",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "3691a68a-97e7-40d1-96d5-279bdbb823fe",
"value": "2020-12-03T14:02:35+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "db2973a4-4243-4bfb-a292-dc59b7d221a6",
"value": "https://www.virustotal.com/gui/file/56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c/detection/f-56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c-1607004155"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "ee1570f1-abde-4958-ade7-c8937a7d2524",
"value": "25/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "b027bf1e-1eed-4043-82f7-53ea4ac6537d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b027bf1e-1eed-4043-82f7-53ea4ac6537d",
"referenced_uuid": "95e0a63b-bdab-4cb0-8f1a-d13825af20ac",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "c214c985-6547-4d1e-bba8-f3dbd5f76dd8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "85608c07-4039-4f23-a0a0-5faf7cf3d876",
"value": "efcab2b28307300ee2c918b41f32cf91"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "f3cc7158-527f-4bde-8818-2b9f22a1cdb6",
"value": "bba0ad4f924e240f60e9a4a57e0d63c948023a6d"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "3f10b5a8-c149-4e00-a692-1c1e9d18f672",
"value": "9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "95e0a63b-bdab-4cb0-8f1a-d13825af20ac",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "50c88681-8d74-4a69-b928-5795c7d17555",
"value": "2020-12-06T08:14:53+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "69adb5ac-d9c3-448e-b037-855ef18f6276",
"value": "https://www.virustotal.com/gui/file/9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd/detection/f-9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd-1607242493"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "442afd97-0df6-4e62-9930-0590d97ff0a3",
"value": "27/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "5b361066-2b82-4c80-b4ae-690998433d3c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5b361066-2b82-4c80-b4ae-690998433d3c",
"referenced_uuid": "19a03f3c-f5cf-4d7b-91ce-0a64f148c996",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "b0853037-ab65-415d-9e97-bb34df1c6034"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "8d45676f-7eed-4865-ae02-b4c18554c082",
"value": "db49b6f1f379122685be9553c5cc0f37"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "1936c69b-5148-4ad1-93f5-882ea4fc8781",
"value": "45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "91dbc2b1-80a8-4b9f-aac9-036f687c57dd",
"value": "d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "19a03f3c-f5cf-4d7b-91ce-0a64f148c996",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "3de97867-9c81-4932-bf7a-a014dd32cb61",
"value": "2021-01-07T03:05:17+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "6cee7b26-43d0-4d2c-b152-8cba5b80813a",
"value": "https://www.virustotal.com/gui/file/d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09/detection/f-d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09-1609988717"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "463b5e6d-e62f-45eb-a630-83e80c2e3c51",
"value": "24/61"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756676",
"uuid": "cec9ab1b-4f09-409d-a4a8-08c1b0f08a67",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cec9ab1b-4f09-409d-a4a8-08c1b0f08a67",
"referenced_uuid": "6edfb384-06fe-45b9-aae5-0fcce4c8cbb5",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "562c29f9-ee62-4e18-a8a9-a728a4256978"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "5367847e-94da-48d5-85c7-9ac0595b67b4",
"value": "b4b1c0f3183e3c3982f66d31690facaf"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "44520e6a-ed0a-4fb3-8394-471d2707fde9",
"value": "0e0d4c62550e0cd384e29699e708ea23faa45306"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "6ec40a25-0ddc-4f6c-a5fb-98735c9cdfb5",
"value": "fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756676",
"uuid": "6edfb384-06fe-45b9-aae5-0fcce4c8cbb5",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "7127659c-1f05-4542-9463-c60b3caa7361",
"value": "2021-03-15T04:27:09+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "4fcd49cf-96d4-49de-b561-ba64e807bd8d",
"value": "https://www.virustotal.com/gui/file/fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0/detection/f-fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0-1615782429"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "fa4661b2-e1d8-4463-ba67-240b1caec5b5",
"value": "26/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "606c37d3-7072-49e9-ba9a-f091642c58b6",
"ObjectReference": [
{
"comment": "",
"object_uuid": "606c37d3-7072-49e9-ba9a-f091642c58b6",
"referenced_uuid": "bb54eee9-dba0-4f63-923c-66c696cca73c",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "d8994124-4ab8-48d7-8fbf-45566091528e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755934",
"to_ids": true,
"type": "md5",
"uuid": "662ac674-a092-415d-8509-46f170829706",
"value": "4271c75235072f7ee56f4ce16bd4d853"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha1",
"uuid": "707c3bf1-0479-4f9d-b2dc-49b205c06814",
"value": "d184b29929d7f1aafba350d2782ec9dd87d1237d"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha256",
"uuid": "b6cff6a4-82aa-4e3f-a2f4-150c039f03fa",
"value": "bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "bb54eee9-dba0-4f63-923c-66c696cca73c",
"Attribute": [
{
"category": "Other",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755934",
"to_ids": false,
"type": "datetime",
"uuid": "c311092c-9fd7-4b98-9331-5b30137dfefe",
"value": "2021-03-23T17:43:54+00:00"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755934",
"to_ids": false,
"type": "link",
"uuid": "e2500eff-8ca7-43e8-8204-7fe8ac52b6a1",
"value": "https://www.virustotal.com/gui/file/bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748/detection/f-bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748-1616521434"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755934",
"to_ids": false,
"type": "text",
"uuid": "fe2dafe7-37c1-47ae-8f67-04193fd9e19c",
"value": "10/63"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "833d3f3f-8273-4951-b714-6706bc1347d0",
"ObjectReference": [
{
"comment": "",
"object_uuid": "833d3f3f-8273-4951-b714-6706bc1347d0",
"referenced_uuid": "6f0ad91d-0c15-4f01-ba3f-a15cbd48b6a8",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "50314cee-5eb0-4c02-aebd-170b65489bf9"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755934",
"to_ids": true,
"type": "md5",
"uuid": "dc07f400-4359-4e3d-85a4-63f5066e7cc0",
"value": "6be28a4523984698e7154671f73361bf"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha1",
"uuid": "c127de54-a655-457d-8c79-41ed1abf3d3c",
"value": "b974375ef0f6dcb6ce30558df2ed8570bf1ad642"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha256",
"uuid": "c05ddf1e-ffe2-454f-82aa-e649cfad0eae",
"value": "fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "6f0ad91d-0c15-4f01-ba3f-a15cbd48b6a8",
"Attribute": [
{
"category": "Other",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755934",
"to_ids": false,
"type": "datetime",
"uuid": "a3e60ca7-e125-48d8-8980-e78a84afffc6",
"value": "2021-03-25T17:11:43+00:00"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755934",
"to_ids": false,
"type": "link",
"uuid": "6e9e247d-ebe2-4145-a351-ab4d0d4700ff",
"value": "https://www.virustotal.com/gui/file/fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65/detection/f-fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65-1616692303"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755934",
"to_ids": false,
"type": "text",
"uuid": "d97605b6-c63f-49f0-8adf-68ec73a1f598",
"value": "53/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "c8d6ed6d-f0aa-47b6-8065-4ff64c44f84e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "c8d6ed6d-f0aa-47b6-8065-4ff64c44f84e",
"referenced_uuid": "9d8eaadf-241c-44f3-881f-e1eca0fb8930",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "f4439000-a3a5-4ca3-8cab-bc3a8d31491e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "fbc2292d-1425-475a-9330-78d1b449cec1",
"value": "5544ba9ad1b56101b5d52b5270421d4a"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "b5df28f7-52f6-4dce-b7f7-24a4e920bdfc",
"value": "fc6f5ce56166d9b4516ba207f3a653b722e1a8df"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "d5013909-1b73-4d52-af3e-fbbcf36e6fdd",
"value": "511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "9d8eaadf-241c-44f3-881f-e1eca0fb8930",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "8b7429ee-e68e-4bdf-8f49-639d1eb15d28",
"value": "2021-03-25T17:44:24+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "0626fc1d-da91-4406-9f0d-e47bb57f4380",
"value": "https://www.virustotal.com/gui/file/511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1/detection/f-511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1-1616694264"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "a92b2542-caa5-45b9-b6a9-bb2ee1daf6e7",
"value": "34/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "e9848d4d-51a5-4495-a5e7-5f4eb22d65de",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e9848d4d-51a5-4495-a5e7-5f4eb22d65de",
"referenced_uuid": "f39954b4-1c19-4fa5-b0f9-82346bc77b66",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "30b3405e-31c8-4a3a-8243-5b4d1c5222a9"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "f0a3af82-58da-48c6-9518-df801e737bfc",
"value": "4b3039cf227c611c45d2242d1228a121"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "31456574-a3d0-4aa1-b3af-95eb260f9a22",
"value": "0ba9a76f55aaa495670d74d21850d0155ff5d6a5"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "9afd4f21-877f-4dcd-a62f-1c6e9726232d",
"value": "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "f39954b4-1c19-4fa5-b0f9-82346bc77b66",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "0c197ea2-c1df-4351-a387-bd4be90f2662",
"value": "2021-03-25T09:08:41+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "182062ff-0869-47fb-ab25-9a1ab1e4757a",
"value": "https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection/f-b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0-1616663321"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "b8a7520c-49cf-4bea-a8ed-d8418350286d",
"value": "36/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "b7d9a669-06f5-4327-9db0-dc1c4bac34d3",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b7d9a669-06f5-4327-9db0-dc1c4bac34d3",
"referenced_uuid": "8411ca42-9757-4c57-9a19-df38d572db9d",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "c14b3cf4-e423-4e0c-a44c-8888db323164"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755894",
"to_ids": true,
"type": "md5",
"uuid": "85e15130-e2b0-46d5-aec6-f92f4cf66e9a",
"value": "f8b604ca7aa304a479f2461d1b74e795"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha1",
"uuid": "2d58ce70-be08-4cc5-9155-37337061106a",
"value": "0539c6df68e9ef15cbfa1f07daca8fd759fef874"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha256",
"uuid": "d6d42064-7f52-4071-9e51-19cb9cc3d7a5",
"value": "b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "8411ca42-9757-4c57-9a19-df38d572db9d",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755894",
"to_ids": false,
"type": "datetime",
"uuid": "3415562e-3531-4526-ab5a-18e148b88458",
"value": "2021-03-25T09:28:40+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755894",
"to_ids": false,
"type": "link",
"uuid": "be3f7eea-6ce4-4649-a2cf-04a4e6dc38cf",
"value": "https://www.virustotal.com/gui/file/b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f/detection/f-b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f-1616664520"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755894",
"to_ids": false,
"type": "text",
"uuid": "a472f375-7e35-41c7-a008-50bf3c58b73b",
"value": "40/68"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "10dc6fd6-69a1-441d-9ec0-b2b8042645f8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "10dc6fd6-69a1-441d-9ec0-b2b8042645f8",
"referenced_uuid": "f44ca745-607f-49ac-9dec-697a3b79a777",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "40f9e595-ec5a-4ee4-9647-477496d85fe9"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755894",
"to_ids": true,
"type": "md5",
"uuid": "c0070d30-c68c-404e-b198-99c105c4b7ff",
"value": "20e8e55625f68ed42a793d76d359a858"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha1",
"uuid": "ad876b67-2838-47ba-b3b6-eb1eaab3e6da",
"value": "7b7a1653030fd3ad4464b7f09d9ac401a5f691c9"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755894",
"to_ids": true,
"type": "sha256",
"uuid": "4107cb19-2010-4aea-b085-4499240b959d",
"value": "c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "f44ca745-607f-49ac-9dec-697a3b79a777",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755894",
"to_ids": false,
"type": "datetime",
"uuid": "5fe7cddd-dc1e-49bd-b2a6-7863f6e2b18c",
"value": "2021-03-25T07:25:00+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755894",
"to_ids": false,
"type": "link",
"uuid": "f0850dc7-1cfe-46ae-9180-7b25675af3cb",
"value": "https://www.virustotal.com/gui/file/c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a/detection/f-c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a-1616657100"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755894",
"to_ids": false,
"type": "text",
"uuid": "6c4d92c4-d849-4e24-849c-59d7ff0c9958",
"value": "38/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "ec87de38-6059-474d-8c30-ca86b5fcbf04",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ec87de38-6059-474d-8c30-ca86b5fcbf04",
"referenced_uuid": "e3ba17ec-4c02-44c4-a995-6b9aec19a3d9",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "db5b5601-d4f8-43ff-9711-9a9a4eb4c9ba"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "3362870f-9372-47e0-a023-00fecc1c7d80",
"value": "36d1edc364161e1446e015a8feec84c8"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "1936667f-4762-458c-aa6f-833c17cb0046",
"value": "995d12119b2ef37bcbbe097d0e520853ef1eb599"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "5f39eb39-c9ca-4e61-987f-951036698567",
"value": "3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "e3ba17ec-4c02-44c4-a995-6b9aec19a3d9",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "87f05b33-46ac-40a5-92ee-1b1de0a3bea9",
"value": "2021-03-23T04:30:17+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "24684a9d-9f35-4c32-b640-31095c647fbf",
"value": "https://www.virustotal.com/gui/file/3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec/detection/f-3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec-1616473817"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "ca52efdb-5859-45cf-bc11-070769185f0c",
"value": "29/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "76ad3172-9d1b-4f7c-98c2-fd2d596c6230",
"ObjectReference": [
{
"comment": "",
"object_uuid": "76ad3172-9d1b-4f7c-98c2-fd2d596c6230",
"referenced_uuid": "b0723db5-d97e-40e9-bf23-af388906ec59",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "314fa72e-07a3-46b0-9923-083918c55487"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755893",
"to_ids": true,
"type": "md5",
"uuid": "d05a003a-52f3-40b6-87a9-262033801655",
"value": "8ccd905c0bbf09e76d19ea5de1455cb3"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755893",
"to_ids": true,
"type": "sha1",
"uuid": "2805d5ff-71c0-48b0-ba8f-95d347c5d046",
"value": "9129fa215f3a35daa0179681c4c0177c5ff731ce"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755893",
"to_ids": true,
"type": "sha256",
"uuid": "047a9c08-ca58-46c3-bb47-7f11f139ad7e",
"value": "7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "b0723db5-d97e-40e9-bf23-af388906ec59",
"Attribute": [
{
"category": "Other",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755893",
"to_ids": false,
"type": "datetime",
"uuid": "969ff01a-1fce-44e1-bcc1-9606b11364ef",
"value": "2021-03-25T12:22:04+00:00"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755893",
"to_ids": false,
"type": "link",
"uuid": "afea2cd9-f8e1-407b-8673-320db908bf88",
"value": "https://www.virustotal.com/gui/file/7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382/detection/f-7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382-1616674924"
},
{
"category": "Payload delivery",
"comment": "Pydomer associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755893",
"to_ids": false,
"type": "text",
"uuid": "1e6bf9ec-f1e3-48d0-bc25-33ac307ed723",
"value": "22/68"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756677",
"uuid": "ac1f3911-ed5d-4bfa-b66b-ab5dbd3a3643",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ac1f3911-ed5d-4bfa-b66b-ab5dbd3a3643",
"referenced_uuid": "5c09a38f-67c4-4893-94ce-dc4be8805532",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "d17fdef2-9617-4cfa-8a0c-e3415bfa97c4"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "0f484582-436b-4398-9e2d-ebb3677c3c96",
"value": "f2e22df5e284587dc36f8041129af391"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "165c3553-47e2-44d1-92e5-fee33d2e543e",
"value": "6c9ec01e105f92727d6acee24a0db0f3ee54b02c"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "b21b7f3a-ce90-4375-aabd-37124f6933a4",
"value": "dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756677",
"uuid": "5c09a38f-67c4-4893-94ce-dc4be8805532",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "501b4cb9-9c77-42cf-bc67-a853dd21d69c",
"value": "2021-03-18T14:34:53+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "e50b4719-fbbe-4a2a-bf98-bede02cd0947",
"value": "https://www.virustotal.com/gui/file/dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d/detection/f-dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d-1616078093"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "b5eabe27-cb81-4090-ae50-2548281d3124",
"value": "8/56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "f6ffeb66-f913-4ca9-b06a-e970a0662461",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f6ffeb66-f913-4ca9-b06a-e970a0662461",
"referenced_uuid": "9fac7d5a-3e37-4fad-9d0f-e4f8032858dd",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "d23dcc37-21ae-4bc9-bea5-d7fc08717db5"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "91f4ed7f-e0f1-4a81-b22d-560546c9eefa",
"value": "321df9000c3de177ad6b5544c621c73c"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "bb3c13c9-7d03-4dd6-9a29-e227ebecdd0b",
"value": "e273fdfe22553b5ab45c4775e66ae685ad9d9421"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "422e0a70-8257-41cc-8c57-a1d3859acfba",
"value": "f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "9fac7d5a-3e37-4fad-9d0f-e4f8032858dd",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "5a7f6b6e-5620-42bc-8093-23ae31786bb5",
"value": "2021-03-23T04:33:43+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "337fcab4-164c-4aa3-b464-50c420934d87",
"value": "https://www.virustotal.com/gui/file/f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f/detection/f-f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f-1616474023"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "eebcb1d2-65a5-460c-be66-42b15829d872",
"value": "28/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "cb71cee8-5c22-47e4-9983-045ccd5d4247",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cb71cee8-5c22-47e4-9983-045ccd5d4247",
"referenced_uuid": "9d7c47c1-a44d-41e2-8d4b-86fe9230480d",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "d506fe70-252b-4f21-b26d-d80ea7313e8a"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "fae3d0ce-47c0-4199-a587-7fae10b0dc3b",
"value": "8a047f4917d75bb0bb6659e41569a9b7"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "9aa7902b-b98c-483c-8572-ff398d8d0653",
"value": "388ac00a76db82a0ac2434d1b4fb7420bab1a403"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "1525fa71-8aa0-4c16-933c-00c2015f40d4",
"value": "f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "9d7c47c1-a44d-41e2-8d4b-86fe9230480d",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "7796fe41-cc68-488c-866a-72803ef21625",
"value": "2021-01-13T04:56:42+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "29441525-7fa9-4f94-90b5-65ec62e47f84",
"value": "https://www.virustotal.com/gui/file/f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501/detection/f-f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501-1610513802"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "8691f11a-d438-464a-a9c5-c28d06e4cc91",
"value": "27/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "0737e5f5-f011-41ba-aa2d-17120ee75143",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0737e5f5-f011-41ba-aa2d-17120ee75143",
"referenced_uuid": "6cedfe74-4a3e-467c-8c7b-b77096d91548",
"relationship_type": "analysed-with",
"timestamp": "1616756680",
"uuid": "d7083c33-02ad-4009-a91c-928e0e5d6e2b"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755955",
"to_ids": true,
"type": "md5",
"uuid": "e0241868-3e40-44c2-842e-86b27fbb2b98",
"value": "4ef04cba6bec2c3a164b9b755efbeb1c"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha1",
"uuid": "2e9917e4-3e0a-4195-80eb-1791b50ff7a3",
"value": "49644cbbb9d234bd4f7a47ed596c8bbfefd39065"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755955",
"to_ids": true,
"type": "sha256",
"uuid": "339330f9-a033-4cd5-b1a0-f28abeaaf535",
"value": "8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "6cedfe74-4a3e-467c-8c7b-b77096d91548",
"Attribute": [
{
"category": "Other",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755955",
"to_ids": false,
"type": "datetime",
"uuid": "02d6ff72-f9d1-4dda-b6b2-22b21f911cf1",
"value": "2021-03-23T11:33:56+00:00"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755955",
"to_ids": false,
"type": "link",
"uuid": "33a391d1-534c-43d3-8b89-440a8966be9c",
"value": "https://www.virustotal.com/gui/file/8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc/detection/f-8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc-1616499236"
},
{
"category": "Payload delivery",
"comment": "file hashes for some of the web shells observed during attacks",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755955",
"to_ids": false,
"type": "text",
"uuid": "b412fd3b-24c9-407c-8550-b7a8c4ab8e66",
"value": "31/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "683f8f38-5b8a-43a9-bf1c-0ddacb515026",
"ObjectReference": [
{
"comment": "",
"object_uuid": "683f8f38-5b8a-43a9-bf1c-0ddacb515026",
"referenced_uuid": "a9888d4c-c487-4210-a1bf-5d61b925881b",
"relationship_type": "analysed-with",
"timestamp": "1616756681",
"uuid": "ace668fc-5768-422d-9216-0452483f29ab"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "71ea88e7-6517-4a9b-b33f-91946913078a",
"value": "9e1545e5fe21f6d11c7151b7625b4dc2"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "6e31e40e-be9e-4da6-b65b-02969ce87f8c",
"value": "b5c4b59a8073730e4001154f104c6e58fa0d69da"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "5c8f2ca7-f086-43e7-a3a0-4a83139b2000",
"value": "db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "a9888d4c-c487-4210-a1bf-5d61b925881b",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "1cedb96f-3b85-4286-abb6-bc4bd0135f90",
"value": "2021-01-15T23:37:13+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "d5654fb2-f319-4492-b673-b2a46bf4e397",
"value": "https://www.virustotal.com/gui/file/db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd/detection/f-db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd-1610753833"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "0b9df251-54d1-4c39-81c0-d1ae7dfc74b6",
"value": "26/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "bcb634ef-c629-450c-a194-3197dcac08bf",
"ObjectReference": [
{
"comment": "",
"object_uuid": "bcb634ef-c629-450c-a194-3197dcac08bf",
"referenced_uuid": "2c95845e-1117-4e6b-8a9b-7749a7ced7c7",
"relationship_type": "analysed-with",
"timestamp": "1616756681",
"uuid": "5cf79b53-0051-4245-bf51-6acb2838e7eb"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "b410e33a-c188-4144-8e49-f7c1be6012f9",
"value": "3a9ff0529a0d9f0ddb3567d5e1faf1a0"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "6476e2b7-d0ab-4f00-a0aa-fcab0eadb09b",
"value": "113ea510f7bda4da632e44f53743a158eae9d4f5"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "e01cbdb4-b2da-4d13-aa34-c05d79ec0382",
"value": "893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "2c95845e-1117-4e6b-8a9b-7749a7ced7c7",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "cc1a7dae-41f5-44c2-8276-80e1ae5c6a55",
"value": "2021-03-15T04:23:56+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "06399175-7fa7-4c9e-80e9-659eda1fdeb0",
"value": "https://www.virustotal.com/gui/file/893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e/detection/f-893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e-1615782236"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "c0d6686a-49c6-41f8-b9c6-b8682d1d7820",
"value": "27/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "7f7d67ca-ce09-4e6b-a5d2-f85caddf61a6",
"ObjectReference": [
{
"comment": "",
"object_uuid": "7f7d67ca-ce09-4e6b-a5d2-f85caddf61a6",
"referenced_uuid": "a5904b21-912d-4cff-b24a-4d743a6f890c",
"relationship_type": "analysed-with",
"timestamp": "1616756681",
"uuid": "7c253f4d-0ea5-4550-9576-4a1c1cdfbf36"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755934",
"to_ids": true,
"type": "md5",
"uuid": "5e3cf044-37f9-41cd-8211-d9f4024b7968",
"value": "cdda3913408c4c46a6c575421485fa5b"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha1",
"uuid": "a93b94a2-278e-4053-96b2-b46b31a1f938",
"value": "56eec7392297e7301159094d7e461a696fe5b90f"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755934",
"to_ids": true,
"type": "sha256",
"uuid": "b8c38910-cbfb-4732-9366-4ade4c184bfc",
"value": "e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "a5904b21-912d-4cff-b24a-4d743a6f890c",
"Attribute": [
{
"category": "Other",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755934",
"to_ids": false,
"type": "datetime",
"uuid": "31a7ec95-06dd-45f2-b5c5-f697e268ff8d",
"value": "2021-03-25T17:09:58+00:00"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755934",
"to_ids": false,
"type": "link",
"uuid": "70e4338c-3c35-46e4-89d0-31adb709c954",
"value": "https://www.virustotal.com/gui/file/e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6/detection/f-e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6-1616692198"
},
{
"category": "Payload delivery",
"comment": "DoejoCrypt associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755934",
"to_ids": false,
"type": "text",
"uuid": "622b1cbc-1cfa-45e4-876b-54850e42821c",
"value": "56/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "957a32d8-3998-442b-9d7b-d6e338bcf6bd",
"ObjectReference": [
{
"comment": "",
"object_uuid": "957a32d8-3998-442b-9d7b-d6e338bcf6bd",
"referenced_uuid": "73e98549-dbf0-4b91-bde1-90b475eb2a3a",
"relationship_type": "analysed-with",
"timestamp": "1616756681",
"uuid": "81b086ce-2343-4c26-98f6-22e91436ec79"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "93fb2d90-a90e-448d-b31c-a1f202e0da7d",
"value": "0fa1e6af698aa1bac8a404bc39073165"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "74132276-70a2-4f71-a709-f5e313513da5",
"value": "183d1c960d56b6b2c8d0e7a8d1133b2c1a68ab4f"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "60de652a-101c-48ce-b01c-c085519eef29",
"value": "4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756678",
"uuid": "73e98549-dbf0-4b91-bde1-90b475eb2a3a",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "77367d54-61d6-4838-8653-c88b6742386d",
"value": "2021-03-17T06:38:46+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "018861d0-77ec-4363-a736-166eb6cbfd14",
"value": "https://www.virustotal.com/gui/file/4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9/detection/f-4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9-1615963126"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "66b6fa85-808c-4517-b5a2-0eebea469065",
"value": "30/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "22",
"timestamp": "1616756678",
"uuid": "e170a06d-f86e-49d4-be62-e263f4ac31b5",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e170a06d-f86e-49d4-be62-e263f4ac31b5",
"referenced_uuid": "4e19d71d-f21c-4af9-b179-538df8759078",
"relationship_type": "analysed-with",
"timestamp": "1616756681",
"uuid": "a599c396-1752-4a5a-8336-7199e7513bbc"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1616755909",
"to_ids": true,
"type": "md5",
"uuid": "63bd2b63-98c6-450c-9bfb-e0b589da7d42",
"value": "a54b9ccaaf2f66bc9492e2c574fe9be4"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha1",
"uuid": "6ef623f4-7f9c-439b-82b5-1de294671253",
"value": "60ef117443b1c8a07fd83ed9c44912a24b07539e"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1616755909",
"to_ids": true,
"type": "sha256",
"uuid": "e7b34efc-5f82-4e31-8703-4e0b7149693e",
"value": "0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "3",
"timestamp": "1616756679",
"uuid": "4e19d71d-f21c-4af9-b179-538df8759078",
"Attribute": [
{
"category": "Other",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1616755909",
"to_ids": false,
"type": "datetime",
"uuid": "e3e47dbc-e35d-4bb4-865a-da00c5ce450b",
"value": "2020-12-04T10:59:17+00:00"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1616755909",
"to_ids": false,
"type": "link",
"uuid": "df30a638-4dc5-4215-ae5c-bca49563c24f",
"value": "https://www.virustotal.com/gui/file/0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc/detection/f-0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc-1607079557"
},
{
"category": "Payload delivery",
"comment": "Lemon Duck associated hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1616755909",
"to_ids": false,
"type": "text",
"uuid": "edd55caf-4550-435b-b94f-3b3c858ade5d",
"value": "25/59"
}
]
},
{
"comment": "down.sqlnetcat.com: enriched via the farsight_passivedns module.",
"deleted": false,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"name": "passive-dns",
"template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"template_version": "3",
"timestamp": "1616759825",
"uuid": "582d3eb2-516a-46f3-92a9-717dfcac5325",
"ObjectReference": [
{
"comment": "",
"object_uuid": "582d3eb2-516a-46f3-92a9-717dfcac5325",
"referenced_uuid": "fa803eb4-4247-4e1e-9c9b-aa3308d2d9f3",
"relationship_type": "related-to",
"timestamp": "1616759830",
"uuid": "9c360bdb-3da7-40b5-9158-66c907c6f371"
}
],
"Attribute": [
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: down.sqlnetcat.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rdata",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "0bddeafa-7a6c-400d-9d17-c7aa61e801e8",
"value": "down.eatuo.com."
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: down.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "count",
"timestamp": "1616759918",
"to_ids": false,
"type": "counter",
"uuid": "d3a9ba89-5715-47c2-aaf3-112bd25dfdea",
"value": "6928"
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: down.sqlnetcat.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rrname",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "b9a5a870-8263-458d-a835-e59abaf32391",
"value": "down.sqlnetcat.com."
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: down.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "rrtype",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "743087e5-0cea-4a21-9235-1ddca94dcd29",
"value": "CNAME"
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: down.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "bailiwick",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "f04a1396-21bb-4c5d-8d34-ad6dd4238355",
"value": "sqlnetcat.com."
}
]
},
{
"comment": "t.sqlnetcat.com: enriched via the farsight_passivedns module.",
"deleted": false,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"name": "passive-dns",
"template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"template_version": "3",
"timestamp": "1616759831",
"uuid": "99391dd6-a586-481c-a586-bbd508b34b67",
"ObjectReference": [
{
"comment": "",
"object_uuid": "99391dd6-a586-481c-a586-bbd508b34b67",
"referenced_uuid": "0507d917-2bfd-418a-9c91-65edfe6df45f",
"relationship_type": "related-to",
"timestamp": "1616759831",
"uuid": "392fdfb7-4fb8-4b4b-b588-92c46d0757bc"
}
],
"Attribute": [
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.sqlnetcat.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rdata",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "2571e00a-31e2-44ab-bbf1-fb729c1bd1d9",
"value": "cvc.7766.org."
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "count",
"timestamp": "1616759918",
"to_ids": false,
"type": "counter",
"uuid": "459889b7-6a66-4e7f-81f8-b61a79b90bb9",
"value": "5851"
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.sqlnetcat.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rrname",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "4eaea8f2-4d8d-466b-83ac-129b7bde1e93",
"value": "t.sqlnetcat.com."
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "rrtype",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "88047db8-d719-43a1-ab87-1f975c0d78ec",
"value": "CNAME"
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.sqlnetcat.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "bailiwick",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "2b366322-44f6-456e-8e5c-b74974416de2",
"value": "sqlnetcat.com."
}
]
},
{
"comment": "t.netcatkit.com: enriched via the farsight_passivedns module.",
"deleted": false,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"name": "passive-dns",
"template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"template_version": "3",
"timestamp": "1616759833",
"uuid": "b9f8ea05-6c6c-4f30-89dd-ad1c3062fc95",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b9f8ea05-6c6c-4f30-89dd-ad1c3062fc95",
"referenced_uuid": "27883473-9495-4bdc-84e1-8898c13d1f52",
"relationship_type": "related-to",
"timestamp": "1616759833",
"uuid": "e0c7957d-6e3f-4b11-bab9-26160d6a8658"
}
],
"Attribute": [
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.netcatkit.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rdata",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "ca77ccb5-20fe-4fd7-9fe3-af3a7808a75e",
"value": "cvc.7766.org."
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.netcatkit.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "count",
"timestamp": "1616759918",
"to_ids": false,
"type": "counter",
"uuid": "73584055-6503-49ff-b62b-4d9fb61c4bfa",
"value": "8442"
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.netcatkit.com",
"deleted": false,
"disable_correlation": false,
"object_relation": "rrname",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "0c57824d-8a0a-4bb7-b2bc-baccdb26f000",
"value": "t.netcatkit.com."
},
{
"category": "Network activity",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.netcatkit.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "rrtype",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "ce08cee5-ee8f-4c0e-aae6-1dfca662707b",
"value": "CNAME"
},
{
"category": "Other",
"comment": "Result from an rrset lookup on DNSDB about the hostname: t.netcatkit.com",
"deleted": false,
"disable_correlation": true,
"object_relation": "bailiwick",
"timestamp": "1616759918",
"to_ids": false,
"type": "text",
"uuid": "d2ec7460-18fc-49f2-b6f9-5be19664dcdd",
"value": "netcatkit.com."
}
]
}
]
}
}