2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "2" ,
"date" : "2017-12-14" ,
"extends_uuid" : "" ,
"info" : "OSINT - Attackers Deploy New ICS Attack Framework \u00e2\u20ac\u0153TRITON\u00e2\u20ac\u009d and Cause Operational Disruption to Critical Infrastructure" ,
"publish_timestamp" : "1518770742" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1515812452" ,
"uuid" : "5a329d19-03e0-4eaa-8b4d-4310950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#74e800" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "circl:topic=\"industry\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00839f" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "veris:asset:variety=\"S - SCADA\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1513267804" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329d36-5584-4ad4-9110-9267950d210f" ,
"value" : "Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.\r\n\r\nTRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence." ,
"Tag" : [
{
"colour" : "#00223b" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#007ed9" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:certainty=\"93\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1513267804" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a329d83-6bcc-4736-b576-2965950d210f" ,
"value" : "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" ,
"Tag" : [
{
"colour" : "#00223b" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#007ed9" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:certainty=\"93\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1513267804" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5a329e18-c1bc-42ab-a0ce-4ec9950d210f" ,
"value" : "rule TRITON_ICS_FRAMEWORK\r\n{\r\n meta:\r\n author = \"nicholas.carr @itsreallynick\"\r\n md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n strings:\r\n $python_compiled = \".pyc\" nocase ascii wide\r\n $python_module_01 = \"__module__\" nocase ascii wide\r\n $python_module_02 = \"<module>\" nocase ascii wide\r\n $python_script_01 = \"import Ts\" nocase ascii wide\r\n $python_script_02 = \"def ts_\" nocase ascii wide \r\n\r\n $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n $py_cnames_04 = \" chassis \" nocase ascii wide \r\n\r\n $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n $py_tslibs_02 = \"ts_\" ascii wide\r\n $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide\r\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n $py_tslibs_06 = \"bad \" nocase ascii wide\r\n $py_tslibs_07 = \"prog_cnt\" nocase ascii wide \r\n\r\n $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n \r\n $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n $py_tshi_02 = \"keystate\" nocase ascii wide\r\n $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n $py_tshi_06 = \".TsHi(\" ascii nocase wide \r\n\r\n $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n $py_tslow_04 = \"tcm_\" ascii wide\r\n $py_tslow_05 = \" TCM found\" nocase ascii wide \r\n\r\n $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii wide\r\n $py_crc_05 = \"crc16ret\" ascii wide\r\n $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide \r\n\r\n $py_sh_01 = \"sh.pyc\" nocase ascii wide \r\n\r\n $py_keyword_01 = \" FAILURE\" ascii wide\r\n $py_keyword_02 = \"symbol table\" nocase ascii wide \r\n\r\n $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide \r\n\r\n condition:\r\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}"
} ,
{
"category" : "External analysis" ,
"comment" : "TRITON Architecture and Attack Scenario" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 88 A A A E m C A Y A A A B c X 6 K g A A A A A X N S R 0 I A r s 4 c 6 Q A A A A l w S F l z A A A X E g A A F x I B Z 5 / S U g A A Q A B J R E F U e A H s v Q e 4 X d d 5 n v m f d j t 67 x 0 g S K I Q I A k W E e y k K J G S b F l y k + P E T i b O j B T H m o z t x H a c x 49 L P H E y s S 15 b E f W x H 4 S K 1 Y k W S R F s f c C s A B E I d F 77 x 23 n T b v 96 + z 770 A S Z G S S Q G g / n V x z t l 79 f V t P H u t b / 1 l 5 f b t P 1 i 3 C I F A I B A I B A K B Q C A Q C A Q C g U A g E A g E A o F A I P A W B H I 5 s 1 K p y f J v S Y m I Q C A Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E A o F A I B A I B A K B Q C A Q O A e B I M / n w B E 3 g U A g E A g E A o F A I B A I B A K B Q C A Q C A Q C g c B b E Q j y / F Z M I i Y Q C A Q C g U A g E A g E L m U E c u d 1 X v f n x 52 X J W 4 / Y A T i G X z A A E f 1 g U A g 8 M N A I M j z D w P l a C M Q C A Q C g U A g E A g E f i g I 5 J w l n 8 u U U 9 w P p f l L u p E 6 v a / X 9 d 3 / 6 z f / 0 C / q V L 3 x H P 6 h Q E b 5 Q C A Q u N A I B H m + 0E8 g 2 g 8 E A o F A I B A I B A K B 7 w u B c w h e g + x l F d T q t b c Q w G q 1 a j k 44 b m U O i s R v x k C u V z O 8 r m 845 f P s 0 T M A O P 3 H 0 J 8 v V 7 L W 63 W / 2 y y N u M 3 E A g E A o F L C Y H i p d T Z 6 G s g E A g E A o F A I B A I B A I i Y y L Q T v S s I d U k T k F p J B L b u O Y 3 n 88 Z t K 3 B B T N G q N w R B i I g T P W X 4 d q X B p g 1 / n 4 Q A u 118 k x 4 Y u n Z 9 F U a F 4 F A I B A I X H o I h O T 50 n t m 0 e N A I B A I B A K B Q O B H D w E R O z 4 K A 4 m z Z K I i e + c E k T U n b I l k J 7 m p S H P e C W B W z z l l 4 g Z s 0 o Z D H T F 9 v Q b W + t f A / Q c h z n 1 l B j y 7 g D k Q C A Q C g U s Z g f N m m 0 t 5 K N H 3 Q C A Q C A Q C g U A g E P i R Q C C E x x / M Y x a u 2 p / Q 54 P G + I O u / 4 N B K G o N B A K B H 3 E E g j z / i P 8 H i O E H A o F A I B A I B A K X B A I N a b L 6 m p f 9 L L b N S b J Z 92 v F Z 1 J S c T 8 F z 0 M 5 x S u v V I f 156 r d K U t 8 D 0 S g D k b g B V C O s e M 2 A P e B W d / L d Y a 1 a w G g O q 96 s 2 f x X s p H n k A g E A g E L j Y E g j x f b E 8 k + h M I B A K B Q C A Q C A Q C b 0 V g g O p v R s p E j m F j f W T Y S Z r I 3 n m l F a 8 y 5 H b y d l 5 y 3 D Y Q c I w a m x I Z x m n T I V N //wGhajy7tz6ZH7C+KBYIBAKBwAVCIByGXSDgo9lAIBAIBAKBQCAQ+D4QOI8UZ1LRt6vBybPnx1EYZFCeo50Mujry+dT67Wr40YxLyCSiLHxlSy5HYQpvcSL2A0KUbWTwQCIEAoFAIHDJIRDk+ZJ7ZNHhQCAQCAQCgUAgEBAJGxgGkmnnZZJ28tdH1sicxZ9fdmA9cZ0QyHDLnLEJ3x8kuLRZGxk8Ln8eDb0AXUcIBAKBQOBSQyDI86X2xKK/gUAgEAgEAoFAIPAWBCrlsj3y6KNW5nfC+PE2bdp0Gz1mlNxH+xnPBw4etO3bt9n+ffusWCzZR+/5qJVKpT4K10fFye8k7zxuJxIoL9R9Bd7Sg3MjsuJ99XpydpeoY3bXV5IIlVMzbwlin0o9P80zY4Xn8Vm9GkNmEz6gJs+rRrJKZL2na41OV/wpuVqzN99407p7emzuZZfZoMGDPEeqfUB973KZak5tnT512jZs3GhNxaJdfvnlVmpq9tLfb53v0mQkBwKBQCDwgSIQ5PkDhTcqDwQCgUAgEAgEAoEfBgKVSsUefOAB6+zstIULFloxX7QxY0Y7NxQx3LNrl734wgu2evVqa21usdvvuN3Jcx+RlEMrgvNjkUu/bZBKvxer9CwNoqksiR6m2L7kdJsRVCe9qTq5LevL1agztZoqVrrIZN4JfOqLKnOp+vmtUVBla9TjfU4VKTPxkOJ8o7Niw428byWqKqTyytDIzxFV1XLVVrz2qp06dcrGjxtngwYNUjdSUP2NMWVRb/ebjSj95uzEyZP2Evi3tLTa9Bkz+sjz25WNuEAgEAgELlYEwmHYxfpkol+BQCAQCAQCgUAg8H0jILImCecLL75gvb0V7urW3dtjr7y83DZv2mxVpKriiolkwhkhgq6i7KQzZxVZ+ZLuHy/Nl5PF5HDMnY4RpZDT+dLkVZv+oQ6FTIU8q9fjPGVgaS/qeeXbOn0gzl5TwapUrI9q9Hq4SqrT6nwWErnP7vQr4u2/lD03tb+csqRsyZ7Z8aB+5VBblWrF1q5ZY6++tsJOnz7t9Yl4q/00wlSXrkXe9dsfn/qsQnXqShjlvJ5XXn3NVr6+0np6e90W3R2+KWOEQCAQCAQuEQSCPF8iDyq6GQgEAoFAIBAIBALvjoDIY3d3l+1ARftJ1Lgr0LpHHvqubdy8ORFBHIiJ6OXkRAwOmAihSCvOsWo1K0KIC9SRJ1GLpIwIO7M8r3kRx6pXRn2qk3LK7wSWX1HKzGZYcRmxJVPftcil1MH1J2FxHj6rOgr6EJdoaopTXVTjQbVX1X99VIi8CuqTKtIoq9oI4LeONNnHqTT9a3y8AF952s/q1a/G4SH79Rv6B2ZpDFRAUK5sXBLc1+X9nBYz2q7x1MHUG1QBgkvJ6YDGkmGTUuI7EAgEAoGLH4FQ2774n1H0MBAIBAKBQCAQCATeIwLFglNeO3vmtL38ysu26OpF9tKyZdZ5+ow1u41zIqQiqwp79uy13bt32/PPP2eHDx1y4jhu1Fi7etFiu3L+PBshu2nybtu63R555GHbi81099kuGzlypF27ZIktvvoqGzp0mB07dgy15BdtxYqVdvzECWtpbbLhw4fbjOmz7Llnn7X2QW32r3/1/7KXl79iTzz+uA0dPMR+67d/G4Kb+rFlyxb78y9/2UYOHWJf/NVfs9bWVtuxY4etWvW6rVy50k5QZ0dHu8278kq7+uprbNbs2dbd1WV/9B//bzt69LjNmT3Hxo4dbStpf85lc23x4oWM/zXbuWMnmwZnrFwpW3tbi02aPNWWLLnGFi1axLhE9mt2/wP327o319Hvk1YoFGzOrNnW09PrpFfSYVHxMlL8NWvX2DNPP20HDx5Cql+25uYmGz16lN1yyy02H6yamlrt5MkT9jJS/teQWh8+fIS4Jps2bQp5WwS3B5HmJMfXbYOop6T4DgQCgUDgokYgyPNF/Xiic4FAIBAIBAKBQCDw/SBQgvyNHDkC29oW27Vnl/23r37VDh7eb3Omz7auzi47cOgg0lBqdKlo3Zog1FXspXdBVNvbO6wKady2dYt1nj1DuYP22Z/9KZfcPvTAg7Zh8wYvN2LkKDtw8IA7IJt7xVw7fny7rUAl+bnnn7fTZ07ZMMh0b08F52QHIed77Oixo5BR6q5U3Sb7yJEjOOWq0gmktBBJ8UfZbB85fBihcZLUrlq1GiL+qq1Zs9qdoA0bOtSOHztuL770EkT6pB09ctTmL1xox/nV9Rqk7Zs2NjvJHovDtJZSk+3buxdifcRaILAlNhVOHj9OX4+xsXAKLM5Cwq+15cuX29NPPmNnGW9zSzOkvxXi+4qdJV3EWhLlnu5u27Jls33rm9+0Q+DX0dHhpFjO2TZv3kQbx1wdvr291Q4c2G/f/e537TT20m3gKZq8ccMGnI/1JgE00mw//irtGQR3/n7+c0feQCAQuOAIBHm+4I8gOhAIBAKBQCAQCAQC7xcCUsceOWqUDRs2zLbv3Glbt2110jZp8mQ7Bsk7eORQIs80KK3k1tYWJMeDcYwF4YRw1yC127dtt0MQ2VYkvRnH27d/P4S604nj2NGjnaAPHzHCiqUiJPWIbdu+xUnyhAkTbPq06a7OfBbnZTt37WzIVrOa+kcq9Wkl9qlU9yfZLsqJeJ+lzalTp9q0KZNt37
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1513267804" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5a32a070-b0a4-474f-9bfc-ff9b950d210f" ,
"value" : "Fig4.png"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674203" ,
"uuid" : "5a329e5c-3c30-4479-8f9f-2a67950d210f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5a329e5c-3c30-4479-8f9f-2a67950d210f" ,
"referenced_uuid" : "5a329eeb-e7ac-4084-9454-4bec950d210f" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "uses" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1518770741" ,
"uuid" : "5a38c0a6-013c-42d7-afb8-475a950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674200" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329e5d-472c-41fd-9c05-2a67950d210f" ,
"value" : "trilog.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674200" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329e5d-efbc-4987-ba8a-2a67950d210f" ,
"value" : "6c39c3f4a08d3d78f2eb973a94bd7718"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674200" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329e5d-a588-4067-8081-2a67950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674200" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d5d8-8c24-4e13-b652-4adc950d210f" ,
"value" : "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674225" ,
"uuid" : "5a329e91-1290-4a62-b508-4925950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329e92-458c-4552-b75f-4b0e950d210f" ,
"value" : "imain.bin"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674225" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329e92-91d0-441e-a339-48f2950d210f" ,
"value" : "437f135ba179959a580412e564d3107f"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674225" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329e92-1584-4761-9cad-45d4950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674226" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d5f2-56b4-42b2-a479-4206950d210f" ,
"value" : "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674358" ,
"uuid" : "5a329eba-7948-4b75-91de-2b04950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674358" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329eba-dff0-47d4-a53b-2b04950d210f" ,
"value" : "inject.bin"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674358" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329eba-d520-4fc4-a2c4-2b04950d210f" ,
"value" : "0544d425c7555dc4e9d76b571f31f500"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674358" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329ebb-30d4-495d-aa01-2b04950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674359" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d677-c1fc-4b65-a5d8-4c0b950d210f" ,
"value" : "5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674396" ,
"uuid" : "5a329eeb-e7ac-4084-9454-4bec950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674396" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329eec-e3dc-4dd4-945b-4a1b950d210f" ,
"value" : "library.zip"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674396" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329eec-ab34-4e6c-bc45-44c8950d210f" ,
"value" : "0face841f7b2953e7c29c064d6886523"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674396" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329eec-df40-4cae-8aa9-4360950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674396" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d69c-4b0c-489b-ab48-4508950d210f" ,
"value" : "bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674423" ,
"uuid" : "5a329f19-9c64-4780-b20c-9267950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674423" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329f1a-62a8-4916-803e-9267950d210f" ,
"value" : "TS_cnames.pyc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674423" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329f1a-ca60-4043-875e-9267950d210f" ,
"value" : "e98f4f3505f05bf90e17554fbc97bba9"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674423" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329f1a-31a8-414f-99ce-9267950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674423" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d6b7-3f4c-4c5b-aeef-4450950d210f" ,
"value" : "2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674452" ,
"uuid" : "5a329f4f-cdac-4595-a728-2b04950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674452" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329f4f-b1fc-4a2c-8889-2b04950d210f" ,
"value" : "TsBase.pyc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674452" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329f4f-fa54-434f-a9c9-2b04950d210f" ,
"value" : "288166952f934146be172f6353e9a1f5"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "state" ,
"timestamp" : "1513674452" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329f4f-4804-46c1-8f8e-2b04950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674452" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d6d4-f4ec-49b3-a21c-4ce3950d210f" ,
"value" : "1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674471" ,
"uuid" : "5a329f96-7da4-43bc-9c4d-2b05950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674471" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a329f96-6a1c-4faa-9a8b-2b05950d210f" ,
"value" : "TsHi.pyc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674471" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a329f96-2ec4-4872-a7aa-2b05950d210f" ,
"value" : "27c69aa39024d21ea109cc9c9d944a04"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1513674471" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a329f96-2dd4-48f7-a2e5-2b05950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674472" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d6e8-3108-409b-9198-4837950d210f" ,
"value" : "758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674490" ,
"uuid" : "5a32a014-88ac-4798-8647-2b04950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674490" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a32a014-9ae8-458c-ad0b-2b04950d210f" ,
"value" : "TsLow.pyc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674490" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a32a014-9580-47f7-8b75-2b04950d210f" ,
"value" : "f6b3a73c8c87506acda430671360ce15"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1513674490" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a32a014-1538-4688-9a6f-2b04950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674490" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d6fa-a1dc-4abe-b287-4c05950d210f" ,
"value" : "5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513674509" ,
"uuid" : "5a32a032-9bc0-4803-8608-2d89950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1513674509" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a32a032-77e0-403a-bd1d-2d89950d210f" ,
"value" : "sh.pyc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513674509" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a32a032-1d28-4210-9c38-2d89950d210f" ,
"value" : "8b675db417cc8b23f4c43f3de5c83438"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1513674509" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a32a032-ddf0-418f-b7c8-2d89950d210f" ,
"value" : "Malicious"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513674510" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a38d70e-4d88-4a07-badf-4fee950d210f" ,
"value" : "c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1513267807" ,
"uuid" : "5ecdb8e9-1d4c-4890-91cf-4afba4c0dfc5" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5ecdb8e9-1d4c-4890-91cf-4afba4c0dfc5" ,
"referenced_uuid" : "d48d9e02-0841-488c-bdb3-76402d3e6543" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1518770742" ,
"uuid" : "5a32a25d-12c4-415c-91dc-47a502de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1513267804" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a32a25c-232c-4bec-a662-4bc302de0b81" ,
"value" : "dc81f383624955e0c0441734f9f1dabfe03f373c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1513267804" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a32a25c-39ec-4ddc-babd-438602de0b81" ,
"value" : "6c39c3f4a08d3d78f2eb973a94bd7718"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1513267804" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a32a25c-6f24-43b8-975d-4c0602de0b81" ,
"value" : "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "1" ,
"timestamp" : "1513267804" ,
"uuid" : "d48d9e02-0841-488c-bdb3-76402d3e6543" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1513267804" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a32a25c-3990-410f-b677-46fc02de0b81" ,
"value" : "https://www.virustotal.com/file/e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230/analysis/1513264635/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1513267805" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a32a25d-0afc-4393-8b3e-477a02de0b81" ,
"value" : "1/66"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1513267805" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5a32a25d-eb14-43a2-a1a5-48b002de0b81" ,
"value" : "2017-12-14T15:17:15"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}