misp-circl-feed/feeds/circl/misp/5bfd7696-5874-4de3-acf3-4478950d210f.json

864 lines
291 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2018-11-27",
"extends_uuid": "",
"info": "OSINT - DNSpionage Campaign Targets Middle East",
"publish_timestamp": "1543339204",
"published": true,
"threat_level_id": "3",
"timestamp": "1543338554",
"uuid": "5bfd7696-5874-4de3-acf3-4478950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0026eb",
"name": "estimative-language:confidence-in-analytic-judgment=\"moderate\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338377",
"to_ids": false,
"type": "text",
"uuid": "5bfd76aa-1978-4706-96ab-4795950d210f",
"value": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\r\n\r\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\r\n\r\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.\r\n\r\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338376",
"to_ids": false,
"type": "link",
"uuid": "5bfd76b7-2150-40f1-bcf0-45c1950d210f",
"value": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337899",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ab-0e54-41cd-9846-4b59950d210f",
"value": "memail.mea.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337899",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ab-d404-4f61-96d7-465c950d210f",
"value": "autodiscover.mea.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337900",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ac-07a8-4505-bc1a-42a2950d210f",
"value": "owa.mea.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337900",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ac-47b4-4aa1-a4ce-4249950d210f",
"value": "www.mea.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337901",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ad-c6a0-43e1-933f-4527950d210f",
"value": "autodiscover.mea.aero"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337901",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ad-64c4-4f18-b372-4bcf950d210f",
"value": "autodiscover.meacorp.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337902",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ae-b530-4ddb-93cb-47a8950d210f",
"value": "meacorp.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337902",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77ae-eccc-4314-a8d4-49d8950d210f",
"value": "memailr.meacorp.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337903",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77af-7364-425f-97d6-40db950d210f",
"value": "meoutlook.meacorp.com.lb"
},
{
"category": "Network activity",
"comment": "Domains in the MEA certificate (on 185.20.187.8):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337903",
"to_ids": true,
"type": "hostname",
"uuid": "5bfd77af-63ec-4f18-a2fd-4ec4950d210f",
"value": "tmec.mea.com.lb"
},
{
"category": "Network activity",
"comment": "C2 Server Domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337927",
"to_ids": true,
"type": "domain",
"uuid": "5bfd77c7-d470-494a-be58-4980950d210f",
"value": "0ffice36o.com"
},
{
"category": "Network activity",
"comment": "C2 Server IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337952",
"to_ids": true,
"type": "ip-dst",
"uuid": "5bfd77e0-fbb0-4b89-aa5f-4808950d210f",
"value": "185.20.184.138"
},
{
"category": "Network activity",
"comment": "C2 Server IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337952",
"to_ids": true,
"type": "ip-dst",
"uuid": "5bfd77e0-421c-4574-adca-4866950d210f",
"value": "185.20.187.8"
},
{
"category": "Network activity",
"comment": "C2 Server IP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337953",
"to_ids": true,
"type": "ip-dst",
"uuid": "5bfd77e1-1974-4553-a30a-4cae950d210f",
"value": "185.161.211.72"
},
{
"category": "Payload delivery",
"comment": "DNSpionage sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337978",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd77fa-7770-4829-8002-4ad0950d210f",
"value": "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
},
{
"category": "Payload delivery",
"comment": "DNSpionage sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337979",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd77fb-be64-4578-9d94-432e950d210f",
"value": "82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969"
},
{
"category": "Payload delivery",
"comment": "DNSpionage sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543337979",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd77fb-6e28-4951-a4b9-40fb950d210f",
"value": "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
},
{
"category": "Payload delivery",
"comment": "(LB submit)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338022",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd7826-b5bc-482e-a28b-40f8950d210f",
"value": "9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14"
},
{
"category": "Payload delivery",
"comment": "(LB submit)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338023",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd7827-4588-4e21-8357-46a3950d210f",
"value": "15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa"
},
{
"category": "Payload delivery",
"comment": "(RU submit)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338023",
"to_ids": true,
"type": "sha256",
"uuid": "5bfd7827-f984-473a-abe0-4fb5950d210f",
"value": "e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85"
},
{
"category": "Network activity",
"comment": "Fake job website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338044",
"to_ids": true,
"type": "domain",
"uuid": "5bfd783c-daf8-40c2-a92d-4976950d210f",
"value": "hr-wipro.com"
},
{
"category": "Network activity",
"comment": "Fake job website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338045",
"to_ids": true,
"type": "domain",
"uuid": "5bfd783d-af70-4573-a50e-4816950d210f",
"value": "hr-suncor.com"
},
{
"category": "Network activity",
"comment": "Attribute #1350628 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338426",
"to_ids": false,
"type": "ip-src",
"uuid": "5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"value": "91.199.39.133"
},
{
"category": "Network activity",
"comment": "Attribute #1350629 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338427",
"to_ids": false,
"type": "ip-src",
"uuid": "5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"value": "40.101.8.168"
},
{
"category": "Network activity",
"comment": "Attribute #1350631 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338428",
"to_ids": false,
"type": "ip-src",
"uuid": "5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"value": "104.16.1.7"
},
{
"category": "Network activity",
"comment": "Attribute #1350638 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338429",
"to_ids": false,
"type": "ip-src",
"uuid": "5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"value": "185.20.184.138"
},
{
"category": "Network activity",
"comment": "Attribute #1350648 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1543338429",
"to_ids": false,
"type": "ip-src",
"uuid": "5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"value": "185.161.211.79"
},
{
"category": "External analysis",
"comment": "",
"data": "iVBORw0KGgoAAAANSUhEUgAABY4AAAPSCAIAAABTbNkMAAAAA3NCSVQICAjb4U/gAAAAX3pUWHRSYXcgcHJvZmlsZSB0eXBlIEFQUDEAAAiZ40pPzUstykxWKCjKT8vMSeVSAANjEy4TSxNLo0QDAwMLAwgwNDAwNgSSRkC2OVQo0QAFmJibpQGhuVmymSmIzwUAT7oVaBst2IwAACAASURBVHic7L3XnxxHlu93Tpi0VVm+qw3QDQwMCYIAZ5aXa+/sXj3oozd9PvpLpVe9SLq7K+nunZ3VDDkckiBBuDblfdpweojqQjcAwgwJgATy+4HJqnSRUZkZESd+5xw0xgDAnXvHQuo4lVIbRpEgAgAYgDP/bRYNPPm9EDrJhMtJtx2GPgcAY4w9MkEEe7SnMAaUMlJqIbVSBowBYzZHXn9YL25OZwAAEDmnvu8wRp955HcYRNRaKyUBgFJGEM0L9ykpKSkpKXkNKKVEUQgplZKUUt/3GeNv7OyMUc910vi7o0f/mxT9Zuuy79ff2NmfwNiej1badmYQCSEICADaaKO1McaAQUA80ynafAkAgICAhBAA1FoDGAC0GDD2CADr78j6H7I52GkBtNYKAJAQggQQwRittTHarHtTgIhICCIioDFGG22M3vTp1msBjTk9IwAi2uPb5afP/rZYrca93h1Kt/b2/5dK9IFSSuuyW1RSUlLyy8Z1eLvVAABmP4ceA4Ba6PzI424aLdu4vnBjxpAx6sF7Z3H4izHGIOKmL1g2yCUlJSUlbwtKKfV9722d3mzmLyggBaCbXs2bB20XiPKnOzQE4FW7OfTp7V90hNMCPLUvAiHPPderFe3nBkOgAKcTbGWvqKSkpOQd4lyj/tat4yUlJSUlJSUlL4m1VABQRAb2T8n7BCJFpIhkba0oKSkpKXmHKBv1kpKSkpKSkl8ep36hiEgQGAL7xUsESl4Va6dAAggbL+KSkpKSkneDtanClJq5kpKSkpKSkl8S5jT6AgHrA4KlqeJ9gwI5q6owZYe2pKSk5JfO5j2+NlVobZQ2QmqpjP5L3/NPR+F8KfD1ivYQkRJkFDknlDx5qk34z83CuwSe4W2XpaSkpKSk5HWAAGztAAJvLqhnyc8BRI7IsDRRlZSUlLyLrE0VUpmsUNNFEadSKP1q8ZPPZQR5dTMHnjdW/KRjagRkFF2HVgLWqDrUfbIxM8YopbTWSmlj9E957p8BiISuIaW1oqSkpKTkXcPYNBkMiYPoIJamivcLRE6QI9IyVkVJSUnJu8faVHE8TFaZOpmIRaKEAvXy5oYnMpk+S5hw9qtntiTPG0X/iKbHWkAYAZfqZpVd2NKtmuO7lDMCpzIKKWVeFEYbRil5fozsXyDGmKIoCCGO4zBGS2tFSUlJSck7w+MEIEjJena9jMD1fmF/dESKgGUCkJKSkpJ3jHWj/odvpovMHM5glhNNHA0E4KVf+Y9VFZus3OfWPmmqOL8WnjRHPO/TK2H9HlAVWCSdivlwWVzZCy50w42pQkqZZfkqjhmlzUbd89y//GQ/S7IsnyULrQ0gIHEpKbUVJSUlJSXvGLhOAwFlrIr3D6SIBJGUSexKSkpK3j3Wpoo/3Vsmio4LL1ZUE2KQvkR66jMKirNhKp5qLM4qLZ5sSl5oDTndAZ956BftigRAUZOTOBMIMUXTiNwo5LA2VSitNaPUdR3f9wLff6Xj//xBwDhOCiG01lopUgatKCkpKSl5x0BrqrCxKkpVxXsGMiSsdAApKSkp+VlhAIwxWoMxoE8jQ8KpkoCgzd314oHpulH/5jAFx8eKS1wfNGi9eef/oC3BAOLzLQ3POjc+Ial4YctybodXGmdb/w9ERqjDM5l8fzJxUF3bj+xqrY2UklLSaTeDwA98n7N3rYtDEJVSaZYprZXW9J2LG1pSUlJS8l5jez6EgeGAHMpYFe8ZiAzRQWQIWPp/lJSUlPwcMOtwkKaQRigjlVFKa2MQgFJkBBlDTglnhL5ocL8enA/mwgncSkAYUmOU0WcDTD771b+xjjxjyyf/f9GxnjRCnPlwfnRtTkNwvshmgdbzxCASRpA5hRSrpRzPdSHU6aGM0pozFvh+JQw5Y+9erAqtje+52ug0y80rhUotKSkpKSn5uWMzliEiw7Wd4l2bcih5ERwJR2SlA0hJSUnJW8cYMMYU0iS5SnMd5zordKGMVFoZjWAYJZwgp+g7pOqzwKMuJ5T+oPJ/3agrZZRSSiqUQgultYanvDueLMozkn089fklR8dP5it9bnuDT8a7ePYR7T8IxlBEY5TUWmuD5y7LmJcu4i8bm4n1/bjWkpKSkpL3CgRkgA4gK1UV7x3Ibb5SgBcofUtKSkpKXjfGGKHMPJEn42I4l7NYxbkutBFaS6MQDUPCARmayCPbDd5tOO26G/qMkmfn2WCb42ptlJJESqWkUc9N22n9TZ5M/vHUVs9dC/ByATSf8e3aDPGy6grQSoHVnTxdkvciXrQBMPZHe/evtaSkpKTkfcHYGQcEYIgMgQGUYTXfL6ygZm2qKCkpKSl5S1g9RVroWSyHM/FoVIzmaplBJo0CMAhA0BgArUEZ0GbmQFKoRChpoK2h6jOHPcNYwc4cXhuttJZaieeYKsyZv6f/4plv8cxnXG/zPFPFY4mEObcXnFt39lyn656UYvzQ8dGgQtD6aXeV90dpUNopSkpKSkreQYw5zQDCARiY0lTxvkGRWBMV/nB3s6SkpKTk9WKMEdLMVvJeLzueiMnKpAIBmesSzojDwXWMNipJRZqrTJiVVKuJmGUqkyaX+mI74CHCU9IKdub4RmulldQ/rKo4TfRhzn+Bm2Vzxmxx9vsf5qnMpWsTxHoZn157Zr8XWCvOmiqMMs+2Srz7Y/j1tNM7fpUlJSUlJe8Xj9vvdfoPWqoq3j9smJIyVkVJSUnJ20Qos0zVeCFOpqI/V5mghLIo5NWAVXzqOcio0VoVgq1SNVmp6UrMV0osFSU5JRgF3HeIw58MtPnYAcRYVYWSWkn9PFWFOWOMePYW51c/32DxrLVnlRNPHPfcNvgCHxCrvECDmuAzVBXvgZXiHO/TtZaUlJSUvBcYAESgCDamZmmqeL9AYKc/PSm7OSUlJSVvi1yY4Uz0pmIW60wQILwS8r0O226yTo1xhqtUg2EV101y9WBQPBoSbUyciuFCObToRCJ0aY1wSp5lqgAAMFprhRq1llr/cKyKpwNVnFu7/qfqs712UA04AEhl0lwuEzFZFojQqXsAMJxlBHG76QFAb5quUnnuOM8QTTx9Rnxsr/gBEAG0QU2IVj+hr0eSpuPxBABarWbg+wCgtRZCSKmUVpQQ13XZO5H61F5XksTT6TTPckJIGIatVssPgtd0LqWkUooQ+hbrMInj4XAYxzEAUEZdxw3CsFarua77ms6YpulkPAaAZqvl+/5rOssPkaXpdDoFgEaj4b3xs1uSJBmt63z9ignDsNPpBGH44n3jeDgcaqObzVYQBJTSdy+bz48hy7L5bAYAtXrd87wn1tqaB4B2pxP8wHOd5/lyuQSAarVKEOM4NgBBECBinudGa+44jLF3oOaTJBmNhkkcG/PK9+FZlFJFUSilEIBSyh2H0l/GENoYY4wRQqRJAohhGHL+OFBllmXz+TzPMgBwPa9Wqz19R70NbAYQ/UqqCillluVxnCyXyyIvAMD13FqtFoaB4/BX/b1stC8ppBASCfq+98vqA+R5sXnGXdd5Y+dVStsnBQAoIY77FzwpdK2qKGNVlJSUlPylKKUKIdI0Xa1iAKhUQt/3Hf4KrWEh9GQpRwudFKiBcspCn3XqrNtgFZ8W0mRCIUCryjwHs8KkhZ6s5CpWsZDjperN8tAnnkNdfq4neVZVYYxRWoPWUmv1dAk2hgMDmxAPT0aSWK82eqfh/89/t/3hfgQAi0Qej5KvHy7++9djTvE/32wAwD9/PmCU/I9/1QaE//13veUqf7qVMedDWZw5oQGwdohzAZ+fdlNERNBANDFGPcuJ8S80XozHk//7//0dAPzD330WXNgDACHEYrFcxUmWZa7rdLc6v6xuyg8hhFgulw/u3/uP//
"deleted": false,
"disable_correlation": true,
"timestamp": "1543338952",
"to_ids": false,
"type": "attachment",
"uuid": "5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"value": "image3.png"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1543338542",
"uuid": "6e6483af-2f0d-424d-a499-d6a3e6353299",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543338543",
"to_ids": true,
"type": "md5",
"uuid": "369db5ce-880b-4453-a667-0f7460f7611c",
"value": "d2052cb9016dab6592c532d5ea47cb7e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543338543",
"to_ids": true,
"type": "sha1",
"uuid": "dabf3395-46e7-4e3b-94e7-334eb4ada635",
"value": "1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543338544",
"to_ids": true,
"type": "sha256",
"uuid": "da6900b9-edab-45ae-94c0-4647d4f3248a",
"value": "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1543338544",
"uuid": "84a65bd8-7fce-49dd-a208-c370fd9b4712",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1543338544",
"to_ids": false,
"type": "datetime",
"uuid": "9c2d143f-d491-4afc-9e0b-6503bd33421e",
"value": "2018-11-27T16:07:22"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1543338545",
"to_ids": false,
"type": "link",
"uuid": "1c5fc483-b964-4969-8b7b-6fb343e6b1a4",
"value": "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1543334842/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1543338545",
"to_ids": false,
"type": "text",
"uuid": "861f0fee-95e9-4a77-adc7-7b56fc44bb17",
"value": "27/66"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1543338545",
"uuid": "bf245fce-307d-43b4-99a1-1621912adaa1",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543338545",
"to_ids": true,
"type": "md5",
"uuid": "9ea5e7c7-19ad-4e62-9ba1-35080597e636",
"value": "48320f502811645fa1f2f614bd8a385a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543338546",
"to_ids": true,
"type": "sha1",
"uuid": "38677f8a-3521-4ad7-b0ec-435f473d886f",
"value": "1f007ab17b62cca88a5681f02089ab33adc10eec"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543338546",
"to_ids": true,
"type": "sha256",
"uuid": "9b0f66b3-6d3d-42ed-997c-cb836bb4d229",
"value": "15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1543338547",
"uuid": "eefe884e-c9ac-4c89-a933-c7a28b86f3e4",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1543338547",
"to_ids": false,
"type": "datetime",
"uuid": "e87b0956-d6a7-4677-ade1-e88763b6824c",
"value": "2018-11-27T16:10:08"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1543338547",
"to_ids": false,
"type": "link",
"uuid": "64af8286-4eb6-4fbd-9709-63f829fd7545",
"value": "https://www.virustotal.com/file/15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa/analysis/1543335008/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1543338548",
"to_ids": false,
"type": "text",
"uuid": "65f0de8b-c1b9-436f-b1f0-7cc10e5a132a",
"value": "24/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1543338548",
"uuid": "4000505b-9af4-4fce-9268-7be10e3505ad",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543338548",
"to_ids": true,
"type": "md5",
"uuid": "a13c8888-556a-4ac0-98da-d0c4b5fde62c",
"value": "ba6bd22449d990be6fd9acf7e710c192"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543338548",
"to_ids": true,
"type": "sha1",
"uuid": "7d798c10-d436-445c-9a32-d4a8bb418aba",
"value": "14810a41ad9cca0f1028483e0ed3f52591772a61"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543338549",
"to_ids": true,
"type": "sha256",
"uuid": "4d64c138-1bda-4e43-ba28-8ce8cabe7bd0",
"value": "e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1543338549",
"uuid": "8287973f-a9fd-4a35-a0e1-7078c2728c2f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1543338549",
"to_ids": false,
"type": "datetime",
"uuid": "7d8312d5-277c-41b9-968f-debc2f28976d",
"value": "2018-11-27T05:32:45"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1543338550",
"to_ids": false,
"type": "link",
"uuid": "744b795b-0f4d-4428-94a2-78bb84392988",
"value": "https://www.virustotal.com/file/e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85/analysis/1543296765/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1543338550",
"to_ids": false,
"type": "text",
"uuid": "0c749f4d-79de-44e6-8b84-af9b9da6c64c",
"value": "1/57"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1543338550",
"uuid": "825a35c4-4f37-4ab4-99aa-102f48160497",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543338550",
"to_ids": true,
"type": "md5",
"uuid": "f1c6e3f8-d974-43aa-9bc2-75513ea83563",
"value": "807482efce3397ece64a1ded3d436139"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543338551",
"to_ids": true,
"type": "sha1",
"uuid": "5c5cea32-f162-491c-95e9-f8a5c7fd6ce6",
"value": "9ea865e000e3e15cec15efc466801bb181ba40a1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543338551",
"to_ids": true,
"type": "sha256",
"uuid": "95b47e89-58ae-4a84-a2cc-e5b17c36f730",
"value": "9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1543338552",
"uuid": "ebaeaa9d-fa51-4c9f-9d88-0496e017318b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1543338552",
"to_ids": false,
"type": "datetime",
"uuid": "8cd9e418-9e12-481c-bb48-133603686037",
"value": "2018-11-27T05:31:55"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1543338552",
"to_ids": false,
"type": "link",
"uuid": "19294000-dacb-4a1a-9e30-6aca6211ece9",
"value": "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1543296715/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1543338553",
"to_ids": false,
"type": "text",
"uuid": "b9b3772e-c257-45e0-9508-0b0701be1ddc",
"value": "26/58"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1543338553",
"uuid": "d0fd14c2-720a-4bb3-bc6f-f2caa1412a2e",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543338553",
"to_ids": true,
"type": "md5",
"uuid": "6136232b-406c-4e2b-b3fa-f9f7ff52cbcf",
"value": "c00c9f6ebf2979292d524acff19dd306"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543338553",
"to_ids": true,
"type": "sha1",
"uuid": "4c26482a-5ffa-414d-abd6-2159b52d65b5",
"value": "1022620da25db2497dc237adedb53755e6b859e3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543338554",
"to_ids": true,
"type": "sha256",
"uuid": "9438a9e0-4ff0-46d1-8de2-f655c01f7d45",
"value": "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1543338554",
"uuid": "b59e3757-0be0-4ea6-91c2-cf6eb149c993",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1543338554",
"to_ids": false,
"type": "datetime",
"uuid": "e60e9d16-e737-46fe-b844-903b12497fb5",
"value": "2018-11-20T21:56:27"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1543338555",
"to_ids": false,
"type": "link",
"uuid": "2b939201-2374-42a8-9c04-2c1bed37ecdc",
"value": "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1542750987/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1543338555",
"to_ids": false,
"type": "text",
"uuid": "9eea241b-cd72-4723-aeb3-d7ef52caaa2c",
"value": "33/67"
}
]
}
]
}
}