967 lines
34 KiB
JSON
967 lines
34 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2018-05-04",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - Lojack Becomes a Double-Agent",
|
||
|
"publish_timestamp": "1525782978",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1525782957",
|
||
|
"uuid": "5aec6eea-74a4-43f9-8910-498d950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#00223b",
|
||
|
"name": "osint:source-type=\"blog-post\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762636",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5aec6ef5-5a7c-4347-831f-74f2950d210f",
|
||
|
"value": "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762637",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af00b50-fc10-4c75-9377-4bbd950d210f",
|
||
|
"value": "ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads."
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525681445",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af00d25-a910-4e88-a867-426e950d210f",
|
||
|
"value": "cf45ec807321d12f8df35fa434591460"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525681555",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af00d93-a6b4-4b8f-9fb1-43ca950d210f",
|
||
|
"value": "f1df1a795eb784f7bfc3ba9a7e3b00ac"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Rogue C2 Servers",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762637",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5af00d94-ffd8-4907-918e-4383950d210f",
|
||
|
"value": "sysanalyticweb.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525681556",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af00d94-6300-43dd-ba35-4b40950d210f",
|
||
|
"value": "6eaa1ff5f33df3169c209f98cc5012d0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525681556",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af00d94-9d14-48f9-8270-47f7950d210f",
|
||
|
"value": "f3c6e16f0dd2b0e55a7dad365c3877d4"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Rogue C2 Servers",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762638",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5af00d95-e6a8-4e88-96c9-419c950d210f",
|
||
|
"value": "elaxo.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Rogue C2 Servers",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762638",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5af00d95-7908-4212-8d24-4172950d210f",
|
||
|
"value": "ikmtrust.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525681558",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af00d96-edac-43fa-be4f-4e88950d210f",
|
||
|
"value": "f391556d9f89499fa8ee757cb3472710"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Rogue C2 Servers",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762639",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5af00d96-5b48-4c5b-9e1d-4883950d210f",
|
||
|
"value": "lxwo.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762639",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5af01102-533c-4841-929e-47b9950d210f",
|
||
|
"value": "search.namequery.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525682560",
|
||
|
"to_ids": false,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af01180-185c-49e1-9d78-4cb0950d210f",
|
||
|
"value": "e78e3b0171b189074d2539c7baaa0719"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525682560",
|
||
|
"to_ids": false,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af01180-6ba0-4139-922a-4e95950d210f",
|
||
|
"value": "ac1a85d3ca1b6265cad4ed41b696f9b7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525762639",
|
||
|
"to_ids": false,
|
||
|
"type": "yara",
|
||
|
"uuid": "5af015d7-9b54-4085-9086-4b65950d210f",
|
||
|
"value": "rule ComputraceAgent\r\n{\r\n meta:\r\n description = \"Absolute Computrace Agent Executable\"\r\n thread_level = 3\r\n in_the_wild = true\r\n strings:\r\n $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}\r\n $mz = {4d 5a}\r\n $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}\r\n $b2 = {54 61 67 49 64 00}\r\n condition:\r\n ($mz at 0 ) and ($a or ($b1 and $b2))\r\n}"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "The agent achieves this persistence through a modular design as noted by Vitaliy Kamlyuk, Sergey Belov, and Anibal Sacco in a presentation at Blackhat, 2014",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1525782879",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af1995f-cdb4-416c-a13f-48fd950d210f",
|
||
|
"value": "https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762643",
|
||
|
"uuid": "74089204-8a39-410d-b274-c63a7c6edd93",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "74089204-8a39-410d-b274-c63a7c6edd93",
|
||
|
"referenced_uuid": "9c973c81-cfc7-45f9-895d-ce12cb73e25f",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "5af14a61-ef2c-40c5-97d7-44bb02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762640",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a50-67a8-44c2-bf21-46a002de0b81",
|
||
|
"value": "f391556d9f89499fa8ee757cb3472710"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762640",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a50-5904-4f75-9108-41a402de0b81",
|
||
|
"value": "2529f6eda28d54490119d2123d22da56783c704f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762641",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a51-655c-49ea-bc19-462e02de0b81",
|
||
|
"value": "060448ffd71fe2edbb5fe7c6298ad2b077e57fa6ed6d4250fbd799dd85488843"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762641",
|
||
|
"uuid": "9c973c81-cfc7-45f9-895d-ce12cb73e25f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762641",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a51-af7c-4242-938c-4a6502de0b81",
|
||
|
"value": "2018-05-07T19:19:38"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762642",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a52-a9ac-44c6-a47c-45bd02de0b81",
|
||
|
"value": "37/66"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762642",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a52-4f74-4dc9-bc66-476e02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/060448ffd71fe2edbb5fe7c6298ad2b077e57fa6ed6d4250fbd799dd85488843/analysis/1525720778/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762645",
|
||
|
"uuid": "c24f479b-83fb-41c6-8f0d-8ccf53b431c1",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "c24f479b-83fb-41c6-8f0d-8ccf53b431c1",
|
||
|
"referenced_uuid": "2f9fccfb-465f-406c-aeef-3e329a966f34",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "5af14a61-fc18-4169-a78b-425902de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762642",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a52-3f50-44ac-9355-4a7102de0b81",
|
||
|
"value": "6eaa1ff5f33df3169c209f98cc5012d0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762643",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a53-81a4-4f29-b074-425802de0b81",
|
||
|
"value": "10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762643",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a53-e474-4d3d-8163-496902de0b81",
|
||
|
"value": "27dd9de09e22efa2ef12e9e2f462fa9da83684bdb4ec900dd86439c5758107d9"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762643",
|
||
|
"uuid": "2f9fccfb-465f-406c-aeef-3e329a966f34",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762643",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a53-4c14-41f6-a7e4-40d402de0b81",
|
||
|
"value": "2018-05-07T19:19:25"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762644",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a54-aea0-4d40-b51d-4b0a02de0b81",
|
||
|
"value": "39/66"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762644",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a54-2e64-444f-995b-477d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/27dd9de09e22efa2ef12e9e2f462fa9da83684bdb4ec900dd86439c5758107d9/analysis/1525720765/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762647",
|
||
|
"uuid": "dd0cab48-6f62-4bd6-b10a-18200635fb54",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "dd0cab48-6f62-4bd6-b10a-18200635fb54",
|
||
|
"referenced_uuid": "c01bde93-91b5-4cfe-82f2-35da847471b9",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "5af14a61-30c8-420a-a536-47f702de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762644",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a54-ac70-449a-8f8a-404b02de0b81",
|
||
|
"value": "cf45ec807321d12f8df35fa434591460"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762645",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a55-ee20-4a25-8c7d-463d02de0b81",
|
||
|
"value": "ddaa06a4021baf980a08caea899f2904609410b9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762645",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a55-8384-4c7a-8775-450802de0b81",
|
||
|
"value": "0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762646",
|
||
|
"uuid": "c01bde93-91b5-4cfe-82f2-35da847471b9",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762646",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a56-0e3c-4e31-986e-412d02de0b81",
|
||
|
"value": "2018-05-07T19:19:42"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762646",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a56-5194-443a-9a91-40e202de0b81",
|
||
|
"value": "38/66"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762646",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a56-8afc-4bf6-ada7-45e802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201/analysis/1525720782/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762650",
|
||
|
"uuid": "5eda63ae-1893-42e5-846a-e9995000bde9",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5eda63ae-1893-42e5-846a-e9995000bde9",
|
||
|
"referenced_uuid": "669adb50-5e7d-4c8d-8510-38a08aea3ba7",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "5af14a61-fd38-4698-a9b7-424802de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762647",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a57-0628-400a-84c7-4c7502de0b81",
|
||
|
"value": "f1df1a795eb784f7bfc3ba9a7e3b00ac"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762647",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a57-1228-47a2-b8de-487102de0b81",
|
||
|
"value": "1470995de2278ae79646d524e7c311dad29aee17"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762648",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a58-e0f8-4cfa-8522-4a7902de0b81",
|
||
|
"value": "e029ed8cfe34185c94b15c74f52d6fdf9bf9b635853c466b2589c1d9f3639200"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762648",
|
||
|
"uuid": "669adb50-5e7d-4c8d-8510-38a08aea3ba7",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762648",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a58-552c-4cec-a7b2-4cb802de0b81",
|
||
|
"value": "2018-05-07T19:19:47"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762649",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a59-2cc0-4f38-a25d-447602de0b81",
|
||
|
"value": "40/65"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762649",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a59-8ae8-48a9-9ffa-4fcd02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e029ed8cfe34185c94b15c74f52d6fdf9bf9b635853c466b2589c1d9f3639200/analysis/1525720787/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762652",
|
||
|
"uuid": "41d7368a-bbcc-4b09-8db4-959a210b2e52",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "41d7368a-bbcc-4b09-8db4-959a210b2e52",
|
||
|
"referenced_uuid": "14781af2-cede-4e8a-b613-76a5eb9bd981",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "5af14a61-542c-443c-b59a-41c002de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762649",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a59-d550-444c-b37d-46d202de0b81",
|
||
|
"value": "e78e3b0171b189074d2539c7baaa0719"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762650",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a5a-5288-45cd-bc78-40a902de0b81",
|
||
|
"value": "5f45bf0f57aa1f7c9d676740989b58cbffaf0ceb"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762650",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a5a-4c18-442c-9ee0-43b002de0b81",
|
||
|
"value": "998aa45b4cd6ca30610c3f7dc1603c2c1feb49b0e2d968d29f64f1658f4d40d5"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762650",
|
||
|
"uuid": "14781af2-cede-4e8a-b613-76a5eb9bd981",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762651",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a5b-431c-4912-8b73-4f4a02de0b81",
|
||
|
"value": "2018-05-07T10:10:04"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762651",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a5b-1414-4b04-837f-467d02de0b81",
|
||
|
"value": "12/66"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762651",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a5b-f6e8-4eee-8b26-407b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/998aa45b4cd6ca30610c3f7dc1603c2c1feb49b0e2d968d29f64f1658f4d40d5/analysis/1525687804/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762654",
|
||
|
"uuid": "e7b0d6ff-7062-460a-baaa-2f1387ae9eda",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "e7b0d6ff-7062-460a-baaa-2f1387ae9eda",
|
||
|
"referenced_uuid": "e8a84d77-4552-4789-9fff-c5b4d1f21c0b",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762658",
|
||
|
"uuid": "5af14a62-0e70-4de0-ba1b-420702de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762651",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a5b-c5bc-4fb1-b15c-469802de0b81",
|
||
|
"value": "f3c6e16f0dd2b0e55a7dad365c3877d4"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762652",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a5c-9200-4848-96bc-45f302de0b81",
|
||
|
"value": "397d97e278110a48bd2cb11bb5632b99a9100dbd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762652",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a5c-a190-467d-be5d-456302de0b81",
|
||
|
"value": "fa8de430fb491d898ee4e557977f036f2aae5f019c3b0552c9e0223da748fc27"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762653",
|
||
|
"uuid": "e8a84d77-4552-4789-9fff-c5b4d1f21c0b",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762653",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a5d-f2e8-40ca-8c36-4c1f02de0b81",
|
||
|
"value": "2018-05-07T19:19:32"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762653",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a5d-144c-4b96-995e-4be302de0b81",
|
||
|
"value": "41/66"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762653",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a5d-e504-4fec-a7e5-4ca802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/fa8de430fb491d898ee4e557977f036f2aae5f019c3b0552c9e0223da748fc27/analysis/1525720772/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1525762657",
|
||
|
"uuid": "f8bd20cd-39f4-4edd-b539-348389f5df61",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "f8bd20cd-39f4-4edd-b539-348389f5df61",
|
||
|
"referenced_uuid": "1015a558-4051-4d03-9a34-a0c9448ee953",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1525762658",
|
||
|
"uuid": "5af14a62-c714-4da2-bfa9-4f8c02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1525762654",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5af14a5e-982c-4118-a164-40c002de0b81",
|
||
|
"value": "ac1a85d3ca1b6265cad4ed41b696f9b7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1525762655",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5af14a5f-a228-4461-a712-408e02de0b81",
|
||
|
"value": "8ff7b74efffadb3a102ed0ec614c918526d0ea6b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1525762655",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5af14a5f-9bf4-491b-b1fe-4b6902de0b81",
|
||
|
"value": "32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1525762655",
|
||
|
"uuid": "1015a558-4051-4d03-9a34-a0c9448ee953",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1525762656",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5af14a60-7864-4f9e-9808-499c02de0b81",
|
||
|
"value": "2018-05-07T01:42:42"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1525762656",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5af14a60-6228-4a34-aaf8-48bc02de0b81",
|
||
|
"value": "8/65"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Clean samples",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1525762656",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5af14a60-3b6c-4561-aba5-47b102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e/analysis/1525657362/"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|