{
"Event": {
"analysis": "0",
"date": "2018-03-09",
"extends_uuid": "",
"info": "OSINT - March 28, 2018: Malware Analysis Report (MAR-10135536.11) \u2013 North Korean Trojan: SHARPKNOT",
"publish_timestamp": "1522335229",
"published": true,
"threat_level_id": "3",
"timestamp": "1522335157",
"uuid": "5abc9cfc-4f24-40a6-b7e1-4870950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#002b4a",
"name": "osint:source-type=\"technical-report\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"SHARPKNOT\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1522310803",
"to_ids": false,
"type": "attachment",
"uuid": "5abc9cfc-3014-460b-bc7a-4f1d950d210f",
"value": "Figure 1"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1522310803",
"to_ids": false,
"type": "attachment",
"uuid": "5abc9cfc-0ab0-4e02-a662-40d9950d210f",
"value": "Figure 2"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1522310803",
"to_ids": false,
"type": "attachment",
"uuid": "5abc9cfd-c088-465d-b61c-452d950d210f",
"value": "Figure 3"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1522333385",
"to_ids": true,
"type": "yara",
"uuid": "5abcf6c9-60b0-4aa8-b52b-4f7d950d210f",
"value": "rule r4_wiper_1\r\n{\r\nmeta:\r\nsource = \"NCCIC Partner\"\r\ndate = \"2017-12-12\"\r\nstrings:\r\n$mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 \r\n7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 }\r\n$controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A \r\n00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A \r\n24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?\r\n? \r\n?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 }\r\ncondition:\r\nuint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1522333432",
"to_ids": true,
"type": "yara",
"uuid": "5abcf6f8-e8c4-4164-95fe-4ed7950d210f",
"value": "rule r4_wiper_2\r\n{\r\nmeta:\r\nsource = \"NCCIC Partner\"\r\ndate = \"2017-12-12\" \r\nstrings:\r\n// BIOS Extended Write\r\n$PhysicalDriveSTR = \"\\\\\\\\.\\\\PhysicalDrive\" wide\r\n$ExtendedWrite = { B4 43 B0 00 CD 13 } \r\ncondition:\r\nuint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1522333919",
"to_ids": false,
"type": "link",
"uuid": "5abcf8df-cb18-4d66-b9dc-4453950d210f",
"value": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "10",
"timestamp": "1522310397",
"uuid": "4cca3ed7-3809-49d4-b41c-2e0827db2d75",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1522310803",
"to_ids": true,
"type": "md5",
"uuid": "5abc9cfe-48cc-4290-80a0-4497950d210f",
"value": "350cba65e28c723cbf0724c19bd7ee69"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1522310803",
"to_ids": true,
"type": "sha1",
"uuid": "5abc9cfe-dec8-4475-84c3-4ea1950d210f",
"value": "c8cb01bc1f62c6d6b95caa7bf2cae167d5736ffa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1522310803",
"to_ids": true,
"type": "sha256",
"uuid": "5abc9cff-68b8-42be-9e21-4479950d210f",
"value": "ca057fd197fc99cfb60b7379cb64475e6bd206fdd4b019f1f70c2214115f3b83"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "10",
"timestamp": "1522310399",
"uuid": "fdd73209-3bfc-4cc4-b70c-28f6bb7624f5",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1522310803",
"to_ids": true,
"type": "md5",
"uuid": "5abc9cff-9f68-4333-8000-4f6c950d210f",
"value": "350cba65e28c723cbf0724c19bd7ee69"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1522310803",
"to_ids": true,
"type": "sha1",
"uuid": "5abc9d00-eabc-461f-a9dd-4fda950d210f",
"value": "c8cb01bc1f62c6d6b95caa7bf2cae167d5736ffa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1522310803",
"to_ids": true,
"type": "sha256",
"uuid": "5abc9d00-7d6c-4233-85f3-481a950d210f",
"value": "ca057fd197fc99cfb60b7379cb64475e6bd206fdd4b019f1f70c2214115f3b83"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1522310803",
"to_ids": true,
"type": "sha512",
"uuid": "5abc9d01-8124-4f08-aa21-4e03950d210f",
"value": "a1642a8011d5196a4efcbea6ec37e3c1c5f56e1d0160f33d681c5c673757d4e0688a031aebf40a8ec485cf55f4eb5b5fd4e268850a58e684d0fc3c7dc3b632ea"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1522310803",
"to_ids": true,
"type": "ssdeep",
"uuid": "5abc9d01-adbc-4868-8271-49fe950d210f",
"value": "192:s/7pzppvWcUcHfHxSnx5LqSe/7m8EI2K3A+Y6Geny6VuwjZhfJP4oynQ6f:K7pvWc/HfHsFGqrI2K3AZwuwzV4+6f"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1522310803",
"to_ids": false,
"type": "mime-type",
"uuid": "5abc9d02-3a2c-464f-bbea-44c0950d210f",
"value": "PE32 executable (console) Intel 80386, for MS Windows"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1522310803",
"to_ids": true,
"type": "filename",
"uuid": "5abc9d02-0738-4866-9763-4e63950d210f",
"value": "350CBA65E28C723CBF0724C19BD7EE69"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1522310803",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5abc9d02-b564-4e68-8c0f-46c1950d210f",
"value": "20480"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1522310803",
"to_ids": false,
"type": "float",
"uuid": "5abc9d02-9548-4884-8370-4006950d210f",
"value": "2.914359"
}
]
}
]
}
}