631 lines
155 KiB
JSON
{
"Event": {
"analysis": "2",
"date": "2019-04-27",
"extends_uuid": "",
"info": "OSINT - BabyShark Malware Part Two \u2013 Attacks Continue Using KimJongRAT and PCRat",
"publish_timestamp": "1556355761",
"published": true,
"threat_level_id": "3",
"timestamp": "1556350998",
"uuid": "5cc3fa33-2fac-4dbd-9e06-60de02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"BabyShark\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347460",
"to_ids": false,
"type": "text",
"uuid": "5cc3fa44-db00-4a96-9e27-607502de0b81",
"value": "In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.\r\n\r\nWhile tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware\u2019s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on the victim hosts upon receiving an operator\u2019s command. By analyzing the files, we were able to further understand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to maintain operational security and supported remote administration commands. Based on our research, it appears the malware author calls the encoded secondary payload \u201cCowboy\u201d regardless of what malware family is delivered.\r\n\r\nOur research shows the most recent malicious activities involving BabyShark malware appear to be carried out for two purposes:\r\n\r\n Espionage on nuclear security and the Korean peninsula\u2019s national security issues\r\n Financial gain with focus on the cryptocurrency industry based on the decoy contents used in the samples, shown in Figure 1. Xcryptocrash is an online cryptocurrency gambling game."
},
{
"category": "Payload delivery",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347506",
"to_ids": false,
"type": "attachment",
"uuid": "5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"value": "Fig-2.-BabyShark-flowchart.png"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347642",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafa-8580-46cb-916a-44db02de0b81",
"value": "75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafb-5408-433e-8b31-408b02de0b81",
"value": "f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8",
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Ghost RAT\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafb-c8c0-42e6-bc0b-44a502de0b81",
"value": "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
},
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347661",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafb-7a28-4088-8973-4cc602de0b81",
"value": "4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafb-5174-4cf6-b028-4e1202de0b81",
"value": "33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "5cc3fafb-7744-4075-838a-49c702de0b81",
"value": "bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"name": "script",
"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
"template_version": "2",
"timestamp": "1556350620",
"uuid": "5cc4069c-ed84-47b2-8f41-43b0950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "script",
"timestamp": "1556350621",
"to_ids": false,
"type": "text",
"uuid": "5cc4069d-e05c-4b0b-a27b-42ee950d210f",
"value": "import base64\r\n\r\n# Decoder for the encoded 'Cowboy' secondary payload. The first NonBlk10_ptr\r\n# characters of the file are moved to the end; the remaining nine equal-size\r\n# blocks are reassembled in reverse order to rebuild the base64 string, and\r\n# the decoded bytes are reversed as well.\r\nwith open('cowboy', 'r') as file_in, open('cowboy_clear.bin', 'wb') as file_out:\r\n    EncStr = file_in.read()\r\n    BlkSz = 10\r\n    len_EncStr = len(EncStr)\r\n    # Length of the leading segment not covered by the nine blocks\r\n    NonBlk10_ptr = len_EncStr - (BlkSz - 1) * (len_EncStr // BlkSz)\r\n    NonBlk10 = EncStr[:NonBlk10_ptr]\r\n    result = ''\r\n    EncStr = EncStr[NonBlk10_ptr:]\r\n    x = range(-1, BlkSz - 1)\r\n    Blksize1 = len_EncStr // BlkSz\r\n    for n in x:\r\n        # n == -1 yields an empty slice; blocks 0..8 are each prepended,\r\n        # which reverses their order\r\n        loop_buff1_ptr = n * (len_EncStr // BlkSz)\r\n        loop_buff1 = EncStr[loop_buff1_ptr:loop_buff1_ptr + Blksize1]\r\n        result = loop_buff1 + result\r\n    result = result + NonBlk10\r\n    # Base64-decode, then reverse the byte order of the decoded payload\r\n    clear = base64.b64decode(result)[::-1]\r\n    print(clear)\r\n    file_out.write(clear)"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "language",
"timestamp": "1556350621",
"to_ids": false,
"type": "text",
"uuid": "5cc4069d-8094-4565-8c48-4b4c950d210f",
"value": "Python"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1556350621",
"to_ids": false,
"type": "text",
"uuid": "5cc4069d-95dc-4ca0-ab95-4114950d210f",
"value": "Python Script for Decoding Cowboy"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1556350621",
"to_ids": false,
"type": "text",
"uuid": "5cc4069d-0010-4538-93dc-4a8d950d210f",
"value": "Trusted"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556350996",
"uuid": "c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"ObjectReference": [
{
"comment": "",
"object_uuid": "c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"referenced_uuid": "ec43ff24-211c-430f-84ab-5f57fa153d60",
"relationship_type": "analysed-with",
"timestamp": "1556350998",
"uuid": "5cc40816-4a30-4cb8-9ad3-496c02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556347642",
"to_ids": true,
"type": "md5",
"uuid": "19a3a10e-b84f-4aa5-ab4c-7f9b953fe3cd",
"value": "03dbc1b3d79a4ff70f06fd6e67e00985"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556347642",
"to_ids": true,
"type": "sha1",
"uuid": "33b3ee68-bc4d-4687-89c9-8c4ee7559f4b",
"value": "dbfdf474c76428f02fc4fbe408a8fe81a9402421"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556347642",
"to_ids": true,
"type": "sha256",
"uuid": "2dde1a01-73af-44c4-af4f-8e50af5fce10",
"value": "75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556350997",
"uuid": "ec43ff24-211c-430f-84ab-5f57fa153d60",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556347642",
"to_ids": false,
"type": "datetime",
"uuid": "1ef7752b-f188-42f5-8df8-5eb52e7c1a3e",
"value": "2019-04-27T00:43:44"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556347642",
"to_ids": false,
"type": "link",
"uuid": "8e8a2ce7-e747-4d32-9183-77f4d3439518",
"value": "https://www.virustotal.com/file/75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5/analysis/1556325824/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556347642",
"to_ids": false,
"type": "text",
"uuid": "10278f12-9615-4779-8ec1-d851b3124373",
"value": "24/63"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556350997",
"uuid": "e04af19f-c666-456b-95c9-b1b19d401d5d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e04af19f-c666-456b-95c9-b1b19d401d5d",
"referenced_uuid": "af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"relationship_type": "analysed-with",
"timestamp": "1556350998",
"uuid": "5cc40816-3cf4-4961-9c86-405002de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556347643",
"to_ids": true,
"type": "md5",
"uuid": "59937698-0462-4916-9401-a449ceeaf275",
"value": "57ef27823865c8f7784b0d37fd2c4aa8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556347643",
"to_ids": true,
"type": "sha1",
"uuid": "54bf48bb-1951-43bb-a2e3-3ee1eec3d708",
"value": "d953005a70bf9d6282a9792c2598218657f31e25"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "27ed8cdb-a74f-42c8-8122-800d872421a9",
"value": "bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556350997",
"uuid": "af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556347643",
"to_ids": false,
"type": "datetime",
"uuid": "52406c92-c58c-45e1-a839-40a456d351a1",
"value": "2019-04-24T20:00:44"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556347643",
"to_ids": false,
"type": "link",
"uuid": "cd77c1bb-6b7e-41c2-a379-e94a091812aa",
"value": "https://www.virustotal.com/file/bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1/analysis/1556136044/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556347643",
"to_ids": false,
"type": "text",
"uuid": "34e8e79b-d608-4c84-91bd-d00813a4e0f8",
"value": "3/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556350997",
"uuid": "1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"referenced_uuid": "210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"relationship_type": "analysed-with",
"timestamp": "1556350998",
"uuid": "5cc40816-1d2c-42b1-bef2-4dda02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556347661",
"to_ids": true,
"type": "md5",
"uuid": "843942ce-eff1-4c4a-bcb0-ee548167631e",
"value": "6590830061f85c0acc5259013555d079"
},
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556347661",
"to_ids": true,
"type": "sha1",
"uuid": "8144efb4-fbe1-4615-95d3-132368afd869",
"value": "b014e1b20499fcbab4c8e7af351ce08ac7f7832e"
},
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556347661",
"to_ids": true,
"type": "sha256",
"uuid": "ceaefccd-0342-4b65-8221-c297bde4f007",
"value": "4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556350997",
"uuid": "210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"Attribute": [
{
"category": "Other",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556347661",
"to_ids": false,
"type": "datetime",
"uuid": "9ed264d6-a346-4239-b5af-573ec35466d9",
"value": "2019-04-26T09:23:39"
},
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556347661",
"to_ids": false,
"type": "link",
"uuid": "b7329de0-871d-4813-84a6-ca73093ef4a7",
"value": "https://www.virustotal.com/file/4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7/analysis/1556270619/"
},
{
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556347661",
"to_ids": false,
"type": "text",
"uuid": "a5f82c6b-902f-4b62-8bb2-a4b00f39e40b",
"value": "5/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556350997",
"uuid": "41e3fdee-552a-4961-8183-635188ef931d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "41e3fdee-552a-4961-8183-635188ef931d",
"referenced_uuid": "5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"relationship_type": "analysed-with",
"timestamp": "1556350998",
"uuid": "5cc40816-62d0-4dd8-9ad8-468202de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556347643",
"to_ids": true,
"type": "md5",
"uuid": "9c9e28d5-e458-4d26-85d7-1bddaf4982a2",
"value": "61f42c2dc1da18b046c6b274abe6f4ca"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556347643",
"to_ids": true,
"type": "sha1",
"uuid": "c41b6a5b-b0c8-4917-9507-1b5047077c0d",
"value": "da188539e0dddae87245bcbc6e30eeb8ea607657"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556347643",
"to_ids": true,
"type": "sha256",
"uuid": "bb5b12d6-6da0-4702-b3d2-829e7f6e605c",
"value": "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556350997",
"uuid": "5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556347643",
"to_ids": false,
"type": "datetime",
"uuid": "74fc5c3e-b17b-4d9e-88a5-f222d2fd231e",
"value": "2018-12-31T07:08:17"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556347643",
"to_ids": false,
"type": "link",
"uuid": "4afc8fc9-8686-4923-8dba-43f8fcc94109",
"value": "https://www.virustotal.com/file/d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712/analysis/1546240097/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556347643",
"to_ids": false,
"type": "text",
"uuid": "67182b20-bb11-4fa0-b212-31ac0634bc3a",
"value": "11/68"
}
]
}
]
}
}