adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5a3faeda-9524-4a8c-a329-b4d302de0b81.json

1079 lines
3.8 MiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "0",
"date": "2017-12-24",
"extends_uuid": "",
"info": "OSINT - Repository containting orignal and decompiled files of TRISIS/TRITON/HATMAN malware",
"publish_timestamp": "1621926315",
"published": true,
"threat_level_id": "2",
"timestamp": "1621849558",
"uuid": "5a3faeda-9524-4a8c-a329-b4d302de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:tool=\"TRISIS\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00839f",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "veris:asset:variety=\"S - SCADA\"",
"relationship_type": ""
},
{
"colour": "#74e800",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "circl:topic=\"industry\"",
"relationship_type": ""
},
{
"colour": "#0fc000",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "admiralty-scale:information-credibility=\"2\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "Yara rules to match the known binary components of the HatMan malware targeting Triconex safety controllers. Any matching components should hit using the \"hatman\" rule in addition to a more specific \"hatman_*\" rule.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": true,
"type": "yara",
"uuid": "5a3faf9a-f514-4358-8ace-b1e202de0b81",
"value": "/*\r\n * DESCRIPTION: Yara rules to match the known binary components of the HatMan\r\n * malware targeting Triconex safety controllers. Any matching\r\n * components should hit using the \"hatman\" rule in addition to a\r\n * more specific \"hatman_*\" rule.\r\n * AUTHOR: DHS/NCCIC/ICS-CERT\r\n */\r\n\r\n/* Globally only look at small files. */\r\n\r\nprivate global rule hatman_filesize : hatman {\r\n condition:\r\n filesize < 100KB\r\n}\r\n\r\n/* Private rules that are used at the end in the public rules. */\r\n\r\nprivate rule hatman_setstatus : hatman {\r\n strings:\r\n $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c \r\n ?? ?? 82 40 ?? ?? 42 38 }\r\n condition:\r\n $preset\r\n}\r\nprivate rule hatman_memcpy : hatman {\r\n strings:\r\n $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01 \r\n 9c a3 00 01 42 00 ff f8 4e 80 00 20 }\r\n $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c\r\n 01 00 a3 9c f8 ff 00 42 20 00 80 4e }\r\n condition:\r\n $memcpy_be or $memcpy_le\r\n}\r\nprivate rule hatman_dividers : hatman {\r\n strings:\r\n $div1 = { 9a 78 56 00 }\r\n $div2 = { 34 12 00 00 }\r\n condition:\r\n $div1 and $div2\r\n}\r\nprivate rule hatman_nullsub : hatman {\r\n strings:\r\n $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }\r\n condition:\r\n $nullsub\r\n}\r\nprivate rule hatman_origaddr : hatman {\r\n strings:\r\n $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }\r\n $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }\r\n condition:\r\n $oaddr_be or $oaddr_le\r\n}\r\nprivate rule hatman_origcode : hatman {\r\n strings:\r\n $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }\r\n $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }\r\n condition:\r\n $ocode_be or $ocode_le\r\n}\r\nprivate rule hatman_mftmsr : hatman {\r\n strings:\r\n $mfmsr_be = { 7c 63 00 a6 }\r\n $mfmsr_le = { a6 00 63 7c }\r\n $mtmsr_be = { 7c 63 01 24 }\r\n $mtmsr_le = { 24 01 63 7c }\r\n condition:\r\n ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)\r\n}\r\nprivate rule hatman_loadoff : hatman {\r\n strings:\r\n $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00\r\n 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? }\r\n $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28 \r\n ?? ?? 82 40 00 00 03 28 ?? ?? 82 41 }\r\n condition:\r\n $loadoff_be or $loadoff_le\r\n}\r\nprivate rule hatman_injector_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origaddr and hatman_loadoff\r\n}\r\nprivate rule hatman_payload_int : hatman {\r\n condition:\r\n hatman_memcpy and hatman_origcode and hatman_mftmsr\r\n}\r\n\r\n/* Actual public rules to match using the private rules. */\r\n\r\nrule hatman_compiled_python : hatman {\r\n condition:\r\n hatman_nullsub and hatman_setstatus and hatman_dividers\r\n}\r\nrule hatman_injector : hatman {\r\n condition:\r\n hatman_injector_int and not hatman_payload_int\r\n}\r\nrule hatman_payload : hatman {\r\n condition:\r\n hatman_payload_int and not hatman_injector_int\r\n}\r\nrule hatman_combined : hatman {\r\n condition:\r\n hatman_injector_int and hatman_payload_int and hatman_dividers\r\n}\r\nrule hatman : hatman {\r\n meta:\r\n author = \"DHS/NCCIC/ICS-CERT\"\r\n description = \"Matches the known samples of the HatMan malware.\"\r\n condition:\r\n hatman_compiled_python or hatman_injector or hatman_payload\r\n or
},
{
"category": "Artifacts dropped",
"comment": "mandiant.yara",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": true,
"type": "yara",
"uuid": "5a3fafbc-3504-43c9-be65-4e4d02de0b81",
"value": "rule TRITON_ICS_FRAMEWORK\r\n{\r\n meta:\r\n author = \"nicholas.carr @itsreallynick\"\r\n md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n strings:\r\n $python_compiled = \".pyc\" nocase ascii wide\r\n $python_module_01 = \"__module__\" nocase ascii wide\r\n $python_module_02 = \"<module>\" nocase ascii wide\r\n $python_script_01 = \"import Ts\" nocase ascii wide\r\n $python_script_02 = \"def ts_\" nocase ascii wide \r\n\r\n $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n $py_cnames_04 = \" chassis \" nocase ascii wide \r\n\r\n $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n $py_tslibs_02 = \"ts_\" ascii wide\r\n $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide\r\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n $py_tslibs_06 = \"bad \" nocase ascii wide\r\n $py_tslibs_07 = \"prog_cnt\" nocase ascii wide \r\n\r\n $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n \r\n $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n $py_tshi_02 = \"keystate\" nocase ascii wide\r\n $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n $py_tshi_06 = \".TsHi(\" ascii nocase wide \r\n\r\n $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n $py_tslow_04 = \"tcm_\" ascii wide\r\n $py_tslow_05 = \" TCM found\" nocase ascii wide \r\n\r\n $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii wide\r\n $py_crc_05 = \"crc16ret\" ascii wide\r\n $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide \r\n\r\n $py_sh_01 = \"sh.pyc\" nocase ascii wide \r\n\r\n $py_keyword_01 = \" FAILURE\" ascii wide\r\n $py_keyword_02 = \"symbol table\" nocase ascii wide \r\n\r\n $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide \r\n\r\n condition:\r\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}"
},
{
"category": "Social network",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": false,
"type": "github-username",
"uuid": "5a3faff3-8d78-430b-9d19-4cc702de0b81",
"value": "ICSrepo"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": false,
"type": "link",
"uuid": "5a3fb014-cacc-4379-9b55-4e7102de0b81",
"value": "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/",
"Tag": [
{
"colour": "#00497f",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "osint:source-type=\"source-code-repository\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "Decompiled code",
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": false,
"type": "link",
"uuid": "5a3fb039-5e74-435d-8157-b4d302de0b81",
"value": "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN/tree/master/decompiled_code",
"Tag": [
{
"colour": "#00497f",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "osint:source-type=\"source-code-repository\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "Tarball of the git repository including decompiled code",
"data": "H4sIANiwP1oAA+w8CXAc1ZW2CQWeAHEChLCE8CNjWxqsmb57RobYQhJY2GMbScaAbYY/3X80ve7pHrp7JAvLrCHmcDiXY7GDca1ZY2KoBMxyeNkNwUAVLISzigJCwsKyhcmGLDcpYAv2/d89l6TxjGyXqCzzS7b6eO+/+/33j1ZfT3dvd29rX0933+JFrfPb+xLti6KTDmzjoKmyTH/zqsyV/y60Sbwo8KoqcoIsTeJ4UVSFSUg+wHyM2fKuhx2EJmE9b+J8dbha7/9KW99Y9u/pau9MdEWy+oGhQQ2sSFI1+ys8p46wv6SAuyDuwJDfe/uG23/6dOS7AIoi3wngYj72EthCCWwOYoegHpKzXcOznaFQaDogdBJXc4ycZ9hWKNSXMVzkFCGQZlseNiwX2Y7Rb1jYRC7O5kziImzpSCeanc0ZJtGRa+cdDR7baZQNCGHPw9oqw+qHXrJZ2zKHUN4FUMNC3ZYOlnIM6K8DKDi2iXqHXI9kXdTc3dHbgsJ9jgG0yeow6sVp4g0BCiDks8TyoAsfGDWDpC2MR+jBJI4bQafZDsraQN2w0raTxVQsBALCe+TZqCm8kGAHlAEg4aZIKNSFtQwI148t40IfWGf6SFG+PaqNgjjANlWM47m+GBjpRjpNHOAIWThLULOv+qiv+Kiv9hafJS+DPUDHrm3NhhtC+3ORZSOQcXagH78X4BoZHnAGeKZOHBQuqD4ZqD48hlXSBrUJ4ys1RAkU2WaUNTtvwhvae95iFqAgg4apt4VCw2gRJey3YZTolNFe2zCzGaM/DiQg01psqPxm7DYapC4kIAN+Zdr9EfVCyhiXkoiqkJiUxpKu4LjKK3osDjlKERQdx1OoCE9Wk4I0iibGNTEtYS6mi7oaSwskFVdFHJdSuqryMUbGNFIOdoYonWGkKumYpIuYEFlMCTFZkVVZi6dlGXBiKlFRCf5CIxeQ4dJYA874tJoS4rJIVE2Ia5BbdSUWU2RBZGSMLGiaCQMYOq+KJMbxClHFNJcWNF5NyZBqscjzQJigAjy4b9E2kqimeVFOYV6Nx+U4lmOcxAtEBkIiKCLNyGDT9IlQDFlSBRIniq6mtZQIwKIQU2JqjPBpoqVjMoC0mwWnwyl7gBJu3bsDUBcIUSzsaBljgCKCd7pEyzvgtIOGl0E57LqDtqO3oTBEL9Eg0sOhUCEMSskmqdk6KYuCsjSUG/IyEEmMs9mF8PBoLKcdO4vCJVuHGRBLY+Ey04QL/BXyAI10KiELlMWsw4Jie4ibN72xAiRBgA197zGwF3+u9qbcvZm7DiM/dyc94nqR3FA5D3krNyRQqJPgkipoyCRKhedSTxxGpzErglRpX9HBW9ZDEa3SjAWTDGEHJ518ZU6iDxF7iJpZ8ulGOIswS0Z2ugX06oFpR6ZXpl7KSrkI7XlQo1M7ndRIDgw6C5Y2sOVFGH/DaJ7huZCQTXPIMrRVqDkRvG/xo05zWzXiFKE75/dGF3V0dHdEYXhq7ejq6StTBx1Fl2WG0JJ8yjTcDIg2F3W71iwPEjnSsdVPHDvvzg2Fem3IszliQxYv5GCa+vOWAQPcIB0UHGy4vmroAOHmg/ydK/bM3tQYg7NGf8aj2b5IO0KN0O8QAMpbnmHSXlzik7TsoH+NQmXwQGGUYDxYmpnXAS1d8BLgxoRxzEPeoB3gwcCOB7Bh4hTIFTAx22c8S7BF+RyCcQ5pUIXo9qBl2linqjHSaJVlD6JBNh7C6OwSGnwRUCagUt+AUXo2MJUipkEGAl2UD9ZuNNDmYMYuDXKMD+jOITAgUkJUT0wwpnGcwynDpCoHGJ3kTHuIcQOy0SHaDAoXHwOb8EgHATUQilUvIL9N7WCALXG/HUEja6YsXkVV5fl1iI9oUJbo0F6yN2UKa1gnWQMz/n2zQQJcBVUB5PGcYw9Qi+skTSyXatbMM6EZqotpDnWpRzFWAMW0bVZuUTpFt4CiyPdQv/ChPEGshVkZ6Hi0Wuh0QAwXHiKU8byc2xaN6uxRBLqIpiDZRCHnuIYbDaYXHB/J6enKTgrhg5pPMxzSNURaKjocHByMpOEFGSJlvWZAt16rQ3y7RwWYSER5IerrHzhv9a3TapHBVhqR/ovWtAP1CtVTK/Dl2VYk42XNSnaKUdrMoraSmWJw54Pf/fZAFIxH3CjoGkNOjzJ3j+q2xipON5po72nl1VZRFkD6GQLnF3czuoQZMW5GXPJrVHjuF6Zw0Yedfkh0OlwGhXeyV+ZiHQXNLSMwRMNUZWz9D4BFbaYoQYpxsqpIXAiwwu0W1NA5HQOr1HmpO5c5Hs2wQClr0mRiAjYJw/jJijXNa0OU7DwdonlVFjuhIGNrXjP2WuCBZljsHaX6dU9jGm0f25jz/9IofUCWgsa//iPLEtdY/5mIVsv+FUXQPtKosf4j84JUaX+BE3ixsf4zEY1aOVj4ScIQmDytpz3RtWxxz4LQmpBfrmaJh9tCpUIa+yX2KagJyuCMbWIY9bHjjCiPm8owsrpMwWtNXstR9NISE0UNVqaKwziMYRrMsOg8UM87tIIpVhMgBK1BDZ2uskChkIPyhxS6pitIVr9bLs6J/gQwWayJgRzMi7QmKHM1DEUUdjXDgOmmTsbAytrgFiTJ8RQtWbhNjg9ZoMgn+3c/qQ81mMT5dKHwo0VMnzs+XEYWyhfkuWMxjFCoEjmp0eUmNyDa1xvcg7Jq0i2iCoE1OxYvqh9JZEiO0ev56231Y0oUE2kZDPW0OxbeaCE9F6azBSFPJ15HjpLN19ZtEZPJyHRaE5RJBpOYC/LE0kj9JKhc0aLZm+cbwwvtweFTAbdl+Xlt2MxlcNvKaN3d0fCM+v63wp0LceWCmutHV6gUKZih1S+ASlFgutIPpvLqtEsKQArO51JZ6/K8Ah6zSsRHbB6LYglvVA8Zo0h3vlEnVYrDaK4iUOFD/V0vkhg43hLH/luied1W2q4XVSqh9kOq7KPT2npxWYqms5L2XI5YetBFwtbr7UAJFDzfaC54foBYNdDswaJewX/rVCzDEnz/MSwvCQOQlySOYztjkB0bWwxYBaJj8To2ElOup2VrxDUFZbpEfR0Jf12kvuTqaIEy4KquAchHYZro6OnglWRiceepS3v3wh5DYMIvsD17ALWbeDWMm8Spk5YU0ErCDLmvL3k2EOxK1KInBzLxikO8WsBKSRqfxmq+kzutFhbNJtEyrOXnJSH77U3bbiZQtpupouvROBDIdK05QESntXcvXNrTtRfeigjMRu5QNmWbyKsSlKPpwTDZ2bWorzDIWzQb0GX62h5bxBT88iBY399rWMLcXjfo8FpeHAl0d665UDiEW9g6klp4WHjAlj6MCwk6GYmJU0Nrv+6attHqb7XmfxXL2vtIo8b8TxVkYeT8jxcb+/8T0qLhEAqjzq7ejp7uJX3dixe1oXNK2zGejbLY0zJs3ZCuvFuILULSbX6oPi260kmzAX3tL3DS3ipacVeZLW/SqVphox65/j59xW48Xa9kJAFyVF9lRN0MW7vPGB7KF/c/mjLYy2LIc2xWS5fndT+nUUHwaNboarubI5qRNrQCcjLso0coePvSvvmLe9p88NE7OgASDYWiYXS6aafozBexMwt0VZ3uergge7DnGWGQULAMQCWI+hm4z2VAtZhD24InyJ9/j5GWy9Itz3ELIOEyHpYEnQeWoxsfVO/+yQOP6YeUdvL9fRgfuJK5cq5c4rls9jOSrVET6RNzdFHe39o8Ba1BMQ5xHJI4JGqIXsGPItCn9BncxPw3cCPAvYhUrbzsrmxz59KfmEChERQhpb6U/evLv5EEJMaqwUNbW80Qgcyg/7F0lyVZLTdUW3E+XDJFfMUB8zhOpcAKonzFJJRO0x96o4iFmxiAMU1AdVBV2DgAiQEQFROuKDoIK5HAQqCxMYQtZ8wMGAN+KFdxymHABfBGNeffAG/0BkhBt8BbTKvKVwAjUgYpO4BNnUVAzIDMoBKpRKluhJL+bKeM6SpW0Y0BKHucOhwaIPngmoofx0iNIVmh/K2tgBLKoEQJ8ULg79VZZl3TyomhV+HUypumm0/VZrQAWOAhMAfnm6
"deleted": false,
"disable_correlation": false,
"timestamp": "1518454567",
"to_ids": false,
"type": "attachment",
"uuid": "5a3fb104-c860-4517-a674-b3a102de0b81",
"value": "TRISIS-TRITON-HATMAN-repo-decompiled-code.tar.gz"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1514123068",
"uuid": "043762e7-6aa0-4a14-83d2-81a2109b7490",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf39-f56c-4a28-8ed2-4e9302de0b81",
"value": "Zip archive data, at least v2.0 to extract"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf39-1170-4b7b-8da7-496002de0b81",
"value": "1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf39-1ab4-4b65-907f-4fa702de0b81",
"value": "1708616"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1518454567",
"to_ids": true,
"type": "filename",
"uuid": "5a3faf39-29dc-43cc-9aa9-4d6302de0b81",
"value": "library.zip"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAI11mEshbRbCFBMIAEgSGgAgABwAMGZhY2U4NDFmN2IyOTUzZTdjMjljMDY0ZDY4ODY1MjNVVAkAAzmvP1o5rz9adXgLAAEEIQAAAAQhAAAA9C0jKa5y2JeW2rj8o4OdNo0Xpfwscgc4Av8h+22oYmgkXiju7FiVv32ivIWFmC5lAWWMjndg1yFSSbbUVw1S7cg/bY3l740v+4yfuAU/YklUXurG5zCGMHGheVEVZnLL7NHTRghYAi07A2gaAhkut4HVaMXzhaT6rQlIf2jhLALVXnH2710b8PgbkROJ7J/H0gOlKSjMSl31ZOlyvfFKV3O9IXBpepTHY0L17Pm6PrF7F+rmsGSrofRYE/rna9WMuII3HfrMfgV6aQetgiNjxl/7vJdeyejR3cHGIP91jLtEYBOoGXvTeYEEPHtVdMbHzenty+9p5Cl2Ah67Ysujc6bzaaEZnqdrArP7+MDxLwOGnZUyfJMfxdqK/uWKIuKDG7gWMkgOJ5eALeDicrU2jESD9gAePNNoBogGGB0CynwtlAR5DJbpGCA6upcuk/JF9PSGwSvePVLHfnhxRuYZKrT1/YqD/PXIFQBlzN7ueCnSsrbURjDzwyKFlL+Hgsk9dBrI7p6IdPnpvVVpg5IXI0zGuUZW86WL+I2+kproU7B8Cd0CEXs5Nuet6oHoRXieHW0ieOQfJvVVhLDInufLpyhzfE9QYiWDVlfhu/md/LDyhICHj+cg4EsiX81UBkpRX0MZ6ngvBL+HzGE1YJc1VA4oJ9eisKzxguTD5urkloJEjNH1NANB+wR8NMbs267toj2KVvfaThK2qhZ106W/7sT+eic9ca19WWDdnDhoAagNohfBVT+ggjNk2Nnbthp/+Zz2WrwbN0ooZwhXm2khw77dc/kwxejL+LnUBofEGTZDU4i4qnl3rzLlGD4qf67K66ergD0nIiF7BlrdjDUumyy0Wm6rAUisYVOV0PgFE3U7JFCrfWYHr2bRyhzQOYzI59Q9oV/s/OLVd9gGrJdlfz73vs76jUT0C2KPhjRsq1rUYt6inXdHPGHYEf4vWBm0xXj8s7ZaidwVWRaiRrHOgCziajLfdqfWE1QfhN0LgIZ0qC87LSeKrFn3g9k/9nyb5jMWcaPKvI3gcw2PqdzZhxVKFi3CPZjqfYWozrDTOLj6wsUVUAO7cVcqSEjxtKt6m+NsXPWWlJWXv+APe7t+63D2JF0RvXYf8zjRguT9mWQY1PlawHm0X3GF/V7AwMs2QZ4srMf0woPmZDA8olc2uj08UYxRD1tQhlddGh2MbrnkCV95U/ZhBiL7gVpo8GkMC2qfYkd6UIzQiPMaIQtVlZnprbl4D4GVzpkW66+kXLyONJLqesbxCplnE6NEpp2MI69RZ3d2S08gS3oXCyxXdnWUoO2KAlxuoe2qswfDbKa3IAiJP75OTU63Pxjbx+ixCVL1RGL5H7iCbRG6G3d7jQCij/fv7k2KoMhZYZ/TFQ08UArQXS2sD7hf4RG4k24ouYea9GEvKHCD3oljdWZQ8hIowqBHj50dG7r2VkuXIlHAcMc3MzOVlQJ9bJdUn4jYlG24ynkJIM75B03Xy7BqWkj3qzAB7JfPVgp40rOIeEfcZCgI+vJCQTjTsiivwUw8prxwbwHewmkcvzAAhyH2N06TEo6NYex2l+UeWunko51iM5QS4GawrGE5IazEJHeiC/9Mof0nQ6Rv0n42Qykafu+iqbs7yhthh+qPvWZ96O6ErN/TvIZ8lvxByTKAtJQpwAsBaUaG8D07ZTdbGFNY420OWXQKBij90+cfnSYEfpVpVerTxlKuBiW9BJehQ91BoqpgbGFltc4Zz0IGGCfYjwUgng65t5tHhIQT7L07B4Fxfk+5oDB2upG/DV5mea+/T56FSeHF+SSwY8zUPECMMEfntiZQVyTFte5eNrIQYZzuedU3Vfjov71JutxJ65lwpGpDqZLYAUtzIDUonfXo61LuwF016JrslofPj0zZZCSZuqolEzuBrNenYQRkSGfU5DurnjqZhm7s0AQeH9vr1ujWW2pvICnNgOHstQjKq3RlFgNO1pNGIUjFO6kDMAth7hC+FPyJzs19F+2KKiwCUm9qQTixiCMJFu2ZsptY3OuUjLgtc/v4GzJxrwIGTZXXQw1/xG+wzXT5Jb9HXEcIfthp5Ex34Q5QwtygnlvyR9BUeFFqAvGeHQiOGlvEoTJ65nsXzFH16M7AmscRDIfDJIDiAmk3aBHnFrVhf/b3t9pGGl8ulr9aDoyv0BwlHXrr2NoD35K+id4QxadXUKI0ZtTL5f8D+37cVZJMFfejy+uNt2xe3ZEVgFEDtwzXBhiHnmG182DA3bZj5PgVfRI0VcEForXmzdi+/0rt+iat3WKH/pt/7zHE4r2eWwL1R8KebC7aajHqxQAO8byUdV7pTfSP94s73amZqMmLQ3qdlDUQ9Kzj+I0a64FF5gvBnzgqGiRF0TvZsRQGb5b9o0OHuCREL/YxmHn4vSROHzSRfYkfbycYoZU+JYoUYqdLz52InqluzgasqXQSK5eo7qAVW2/TmEh8wLNh6lQdMkV3GfCWBe/bG1VMnW/SnNW5434xZGEzdglUIyzaUAoOxWy6Cz4YW8Zho4Lv649Hq0R0+yY8k+6Pj/vEjXfRMOg3byhJITPGb0oq9Ab7b1RKKrOAKhjZeO/pYe8TS7F41OcM+duaJA+1xVC2220vhTZfM0LwYIgDq/XMibFup6MhZD8VLfWp9xahZS7qXspIBv5wo39ahtqHD3ZLgY3pAKpztSRHjYm35ekV6mkxN5qU9SxQOSzGryXAG3dCwx43tonQ1CRRs5VlZ9UyxkIWEC1eB0d/ssf2ROh/F0Odva8b+EmobSo2e4WHS2PzvCK0J1uMlqc5HY/kE3mvHgy0o+4KvyWs9vGeRRCUdkq3xotlrl1Fv/ml6Hpaj2ij9zXpgjKGGodLCDgCI52In9Z3Rg8FWdeqRY07Y5WjlkgvS4MVrHjJ++EyohgMPNyPTpYjUzBt4VyRe0g7Ow19lAm+h6FR1zetWrQWVbM8+IXP8k1aH1TaJ3xKZ5b33+ZaIOR6I6SnJwsg17ycajKTl7vfv3AuTWzvHSwYDUF4LsE4Zh5R6CfkNlZS8CHUKqS9TXGoDA/cGBbtX2IdlaHNPWJRi0KfaYZ8G3GLamqrWpzKuYIyULeewyXcbbfRQZJTipSBJ5a47WaPCKjXhnv/2Io9zMVFpTdLG97L/K9M9cMDlSjgoMGl3xABHJ3pTfNL2pBco+Ujz3SpCFRSLJ01aSyPQYXzh31aACsTC7vBfEdE5/shyTIVcIA+E2cmfHTD4gki5ole/lduggiRKau7t8BsM8HyDWh4/KzfRYYvDXcBuanYfggNNlJwJO3Gpp5rm9mNcEsEKj6d7t00r+Xvm0BcSG/HK4Ly09xw27RoDv3VvlyhukGHFANvNyOJq1BvW1wSGv6iy5pDBhw0GGxLMkcKWUgagqjUK41e9XGycPj4YMKnZ3PUO/G6JWD3kfOPqwhjGpdFgYgaRS0ppD1r2cYFfMyatSOTcze4krfvNepsPFbZKBkI4sg6E5YnmOQ4vO9VrfPY5XkMLC305bWBkSykOPc8iK9sW5/XXZfjt4zuTVVB/gVAgr0L/0xn1qKnotMNmqwqquNzfrnZHvsHIfLemXZExwYA99eVPjFVhx7DbB2gtigey3FMUmPbk6du76ruza2ElbEa3BI/Aeic9pcITEn8LiaFNXjqYSmufzbwrO7oeIIra6CTW7qAtU0iEei/k/rZqdN8ec8UdesbG3BkC7dwzxK5ivAX12ESGVkzXG9Po2YXuNiJr8L18N+iRZBkbB+UYAJYOKqNsR6DKw7Vtkp+JyKct4PJKYMy5+9l/qlLkzOzKRx5gGXXNwv4KfXVw9NbAOQT0wj3o8JwxKwoW14WycqpIYGUBO8LNQCvAnv6YvNU5leBZH08xJ0dTpo1yh7I2NLDn1HZG/NFgojmAdAWxeZGG1IG8RLH17GbjPjc/k6cwRj1anElxY93BjuoDlHZQB6+ZA+Rk6
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1518454567",
"to_ids": true,
"type": "malware-sample",
"uuid": "5a3faf39-3f18-4a01-afcb-444a02de0b81",
"value": "library.zip|0face841f7b2953e7c29c064d6886523"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3a-7cf8-4e46-806e-4eb102de0b81",
"value": "5.16152185627"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3a-39c8-4908-81e0-471102de0b81",
"value": "12288:z4tCV9Jybp/AX2Ng4TBDHbowjbVMdX4lMBydixDoCbs+oKRpT1gLhcFAsLc4z0DL:xkAJ4TB6XIM/70txaYB57ATltTlHu"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3a-fbd8-4997-9e96-4cb502de0b81",
"value": "bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3a-23b8-4415-97b3-4db102de0b81",
"value": "8ba13408061876abd7336560cdef24c23b8a619af8c53e29e970e620b8fc79be1910fc02c2a68307c37f7d3e5502d6b14e3392cd95abaf875aa419b618435910"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3a-8d94-40df-9613-4cc502de0b81",
"value": "0face841f7b2953e7c29c064d6886523"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1514123066",
"uuid": "185d44d0-544a-4e42-839f-d6502950565c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3a-029c-4694-966a-450102de0b81",
"value": "data"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3a-550c-4da0-8df9-4d4802de0b81",
"value": "b47ad4840089247b058121e95732beb82e6311d0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3a-dbf4-4c9a-9225-43cb02de0b81",
"value": "436"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1518454567",
"to_ids": true,
"type": "filename",
"uuid": "5a3faf3a-2d28-45d7-b930-4ec502de0b81",
"value": "imain.bin"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAI11mEuAPgr4aAEAALQBAAAgABwANDM3ZjEzNWJhMTc5OTU5YTU4MDQxMmU1NjRkMzEwN2ZVVAkAAzqvP1o6rz9adXgLAAEEIQAAAAQhAAAAi9qeDRSR3JRmL4y+RbQcBKzTIVcIvvzgBQUJGxpQGo/rsCYwfRiGd6QDSo0rzBqRUwMLQygNUGRUre9SLFUIzKvHOqYz9X0AF1W6ValugkhcHYqKCztpB0yrG+nTmlGGTK/iO/N1Ik6UI6A+y/cV9YAhYZddiuDLdqLHI0VMJ0Oy3XpOkdfIg0h3hcJY0/5GgJ5d6YPV4mFb4jAfQayCi8WoAq01EniDIHzJXqcq7Os73CTqCaI55gtx2uzBacNIgJetRATkdxGvVjzjF2tDUNETabCqDZVdPuRn8z0lOiitbKg/RjbiXurQSPccHG4ELd21Wo5UU93g0fFRErU+h82ca/45279esLNp7yBGk0H9PzUGQwxqB9bkC2zEEaEfdGDf8KFU2CYh0fuD2ZrX3BWJTo8RYlSWp3nULB+Cb8cHwvxw2NHudtkNbLhsH0SoEngmREMXGEIKUVgm55q7Ty/DlG9Ns/7JUEsHCIA+CvhoAQAAtAEAAFBLAwQKAAkAAACNdZhLJh2UbBUAAAAJAAAALQAcADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUCQADOq8/WjqvP1p1eAsAAQQhAAAABCEAAAAP07aDX0AtOaGghobkL0gKKRzjLgxQSwcIJh2UbBUAAAAJAAAAUEsBAh4DFAAJAAgAjXWYS4A+CvhoAQAAtAEAACAAGAAAAAAAAAAAAKSBAAAAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmVVQFAAM6rz9adXgLAAEEIQAAAAQhAAAAUEsBAh4DCgAJAAAAjXWYSyYdlGwVAAAACQAAAC0AGAAAAAAAAQAAAKSB0gEAADQzN2YxMzViYTE3OTk1OWE1ODA0MTJlNTY0ZDMxMDdmLmZpbGVuYW1lLnR4dFVUBQADOq8/WnV4CwABBCEAAAAEIQAAAFBLBQYAAAAAAgACANkAAABeAgAAAAA=",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1518454567",
"to_ids": true,
"type": "malware-sample",
"uuid": "5a3faf3b-3c58-43e5-a379-43ce02de0b81",
"value": "imain.bin|437f135ba179959a580412e564d3107f"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3b-8244-49e9-8ac9-40e302de0b81",
"value": "5.44610603085"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3b-eb18-47b2-b147-4e0f02de0b81",
"value": "12:7s5q/29Vdb5t+JuqqNvIlUBrlf+X9tZaf:Qg/0B5titsvIaBrlf+X9tkf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3b-fb80-4326-93d2-4eb002de0b81",
"value": "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3b-ed10-46eb-86ed-4f0e02de0b81",
"value": "9db880f9429573c2471c55f1578319bb7eeb2243b64493d79a3caa0ed964f88c2b560a862f54b7b768ce9e184a3763181e233a94ca896275a43d38bef1c6359c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3b-c64c-41c0-a03f-4a2702de0b81",
"value": "437f135ba179959a580412e564d3107f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "2",
"timestamp": "1514123067",
"uuid": "1f1c1f68-c9e7-43e0-9779-98ba4c889dbe",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3b-1f74-4a7f-bf41-4c6d02de0b81",
"value": "3f1ac2364c8e06237f6f841a302f249108aeaf9b"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3b-7c44-459a-b890-46e402de0b81",
"value": ".text"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3b-00cc-4562-860b-4a1f02de0b81",
"value": "8704"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3b-8cf4-48d1-85a6-461302de0b81",
"value": "6.24017560026"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3b-cab0-45f9-82d5-493a02de0b81",
"value": "768:W7fTBN81tL4OGpnvnRzLC5uE4LCwtbyhmjBBvpLJzpVA8NQ8oazAlo1sBG87jGrk:dlQOb7TH"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3c-2ab0-440e-afc9-4cea02de0b81",
"value": "bf235b24aec5b15ea5255261dee81284137c2f31ae64e03c6311377a00ac114b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3c-5608-4b73-9045-4ac602de0b81",
"value": "818a9eea1164f02a20207c906c0d007ec98bc589a323d9993fd0859f6b9aa59f4c85e9966afc05281bab7feddad5e25a8039d2bf7a98b0e60b3214cf89ed008f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3c-b134-453e-9d99-41ee02de0b81",
"value": "1d2a14142d0e98c0ede881657be0b620"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "2",
"timestamp": "1514123068",
"uuid": "11861108-bcc4-4e10-9cb9-9d3a3acf27df",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3c-b884-46ce-9b6b-468e02de0b81",
"value": "a07c2e5b0b903b4d4602474a2c3e26300cb5de71"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3c-f938-40c4-9bf8-483f02de0b81",
"value": ".rdata"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3c-9cec-450e-bced-4d0702de0b81",
"value": "2560"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3c-3664-49e1-bc80-4b1602de0b81",
"value": "5.02793750695"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3c-0900-4dba-bbab-486902de0b81",
"value": "192:bPwY+mHo4aSgsRPwY+mHo4GF4M+7xzGtXH5dJL7VGO7tr0F:UNmxgTNm0QF"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3c-33cc-4f2f-b1c9-4c0c02de0b81",
"value": "f510bee135f800f910f5987c2684c3051756e7182939b93dfddc457c4be8a005"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3c-bf00-4a5e-bd96-4a9302de0b81",
"value": "990bd0267b536b3768fdbb768e5dd3035c0f420f807c31e54eee794144b97e2a13390e0d40b33da6d84b600bb83d8d64f207ccffc9784243fc0c54f0241df514"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3c-de90-4c8b-8ec0-444502de0b81",
"value": "4959dc6a9b68e9d55b254ce76c458eed"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "2",
"timestamp": "1514123068",
"uuid": "5e60369b-411a-40af-92f1-18e01ca64a63",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3c-4cbc-49af-95a7-45d502de0b81",
"value": "196e027a8328ce2ac5fa1431d501c257a9a79f1a"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3c-335c-4646-96d2-499c02de0b81",
"value": ".data"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3c-af84-470a-8d32-473c02de0b81",
"value": "3072"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3c-87f8-4286-9f2b-44d802de0b81",
"value": "4.52960066296"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3c-1334-4264-bbf8-46f202de0b81",
"value": "96:o1uiM+CMvScnq2p20lZ+IG6Vg8xHj6tJlDiABF3Z+qd9NUjHJ2C:o1uirCmlZ+/8xHuRDzX2pB"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3c-4c3c-4587-bf34-40e702de0b81",
"value": "eda3c565062b52ab2ff5cd7ec7e7a9e3198da40387d916c0e74881b4636a2d5c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3c-df08-42b7-a668-4f7902de0b81",
"value": "fd978c87f845c632997d723ea3d1ec6d8fd61f4f30f8c3a95e71015b3ee693538ad5878d99f5111c096e22020e6363ce2642ab09a5b52e5c8de1ad0797659c63"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3c-5780-46c3-92b9-468d02de0b81",
"value": "2354a2e07869f9a732f463fe084ad6c5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"name": "pe-section",
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"template_version": "2",
"timestamp": "1514123068",
"uuid": "7dbb436b-9e54-4d16-89e8-05f54984e2d0",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3c-bab4-480c-9a98-42bb02de0b81",
"value": "b9511de0a85e2bcba775228260c748ed0b9faff0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3c-9140-4ee9-85e0-4cef02de0b81",
"value": ".rsrc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3d-50c0-4c80-bd70-4e0d02de0b81",
"value": "6144"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3d-2ea8-4996-9f9c-4ab202de0b81",
"value": "5.06803807105"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3d-46d4-4580-849f-4a8702de0b81",
"value": "192:cFRr2VNBK3keWukvnmsg7Lapoyl0yrKzNVOQfcdfQDnmnVY7n9:JukvnmhvEwNVOgrmi"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3d-c6a0-4765-bf0b-413002de0b81",
"value": "9b8a7bec5a92a7c61abd1db2afc121c00ffa803422ee2e4e9c419bb2d2533d7a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3d-7400-4926-bf0f-416902de0b81",
"value": "d89a6dd18dffc82c9a532d925ca1e0177d0ee6152ea3598336aa5f56804330b7dae82891828b83cc11708ce50975dfa089933124f4561ea4aca77f96ad73c320"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3d-6af0-4505-9281-4d7002de0b81",
"value": "fe8374bfc19886efe88fb53c50e26e35"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "2",
"timestamp": "1514123071",
"uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"ObjectReference": [
{
"comment": "Section 0 of PE",
"object_uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"referenced_uuid": "1f1c1f68-c9e7-43e0-9779-98ba4c889dbe",
"relationship_type": "included-in",
"timestamp": "1621849558",
"uuid": "5a3faf3d-9398-4d9a-bd0d-486d02de0b81"
},
{
"comment": "Section 1 of PE",
"object_uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"referenced_uuid": "11861108-bcc4-4e10-9cb9-9d3a3acf27df",
"relationship_type": "included-in",
"timestamp": "1621849558",
"uuid": "5a3faf3d-5df8-49ff-a06a-4c5e02de0b81"
},
{
"comment": "Section 2 of PE",
"object_uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"referenced_uuid": "5e60369b-411a-40af-92f1-18e01ca64a63",
"relationship_type": "included-in",
"timestamp": "1621849558",
"uuid": "5a3faf3e-3b08-4634-9310-497402de0b81"
},
{
"comment": "Section 3 of PE",
"object_uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"referenced_uuid": "7dbb436b-9e54-4d16-89e8-05f54984e2d0",
"relationship_type": "included-in",
"timestamp": "1621849558",
"uuid": "5a3faf3e-63e0-47f5-9987-405102de0b81"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1518454567",
"to_ids": false,
"type": "datetime",
"uuid": "5a3faf3d-e4e0-4f79-899f-430802de0b81",
"value": "2008-11-10T09:40:34"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entrypoint-address",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3d-2c2c-4980-a897-4e3102de0b81",
"value": "4205352"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3d-cd54-47e9-ab6c-4c0702de0b81",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "number-sections",
"timestamp": "1518454567",
"to_ids": false,
"type": "counter",
"uuid": "5a3faf3d-297c-416b-aaed-42c202de0b81",
"value": "4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1514123071",
"uuid": "e40170d2-b26f-424f-a788-196651e787fb",
"ObjectReference": [
{
"comment": "PE indicators",
"object_uuid": "e40170d2-b26f-424f-a788-196651e787fb",
"referenced_uuid": "157e2cb3-598b-4663-af34-28358808dd9d",
"relationship_type": "included-in",
"timestamp": "1621849558",
"uuid": "5a3faf3e-e228-4fa8-bc2c-4f6202de0b81"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1518454567",
"to_ids": false,
"type": "text",
"uuid": "5a3faf3d-5610-4b63-89d2-4f5e02de0b81",
"value": "PE32 executable (console) Intel 80386, for MS Windows"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha1",
"uuid": "5a3faf3d-1014-4d57-9e30-4b9702de0b81",
"value": "dc81f383624955e0c0441734f9f1dabfe03f373c"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1518454567",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3faf3d-e6dc-4e09-b357-4a4602de0b81",
"value": "21504"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1518454567",
"to_ids": true,
"type": "filename",
"uuid": "5a3faf3d-0b5c-413f-ac50-492702de0b81",
"value": "trilog.exe"
},
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAI51mEuwUn4I5SkAAABUAAAgABwANmMzOWMzZjRhMDhkM2Q3OGYyZWI5NzNhOTRiZDc3MThVVAkAAzuvP1o7rz9adXgLAAEEIQAAAAQhAAAAwcsVoJcmVtjiXTmFZ8v2Au3R9plCnp19GO9cyIdXlre/8QMdJFw0r6RL8mYD7EsHmBtEBxEZqbuZnto+XXZ2Y2plxW0/cfSTU1cOvIGyd4HE8OnINTPTt5rU2dRZiRJNTYxkJ5GBNgqf7gTfpwG0Do1MhNc9i+DVjLYzFGEQghMnUQc6qnLY2p6/U20X4OpV2GMv9k7jzQZSF/OJ4yIwtK6/YSt7mkzMZM9Jx6+cbx1Nn/b02dIna3BBSGXfdkZjOmpWu+Udew5zncVuavu5aW88IX7WYhIVOXJ7OcGSrHtc16WjNAwym2G2iOaQRA/0Nnh8MxioMs5eH3bY0nEXh5v+0s1eO82I9UJ9VNTI1m0cxXVMpIoiCKmSciJ/Z1Vhw8ZKa6I4YbrRfvd1m14dMc57lro706tuOCP/H0pRe9MWoBhAegjgPDsgXheJWPw80EBeQS2/8lihpnlhsfbpXIRk/G4o8ByilycyX4WxxTkAsHBxXVqtuXvIOwtIpFyPOQoOx3bseOAQ+pgvg4qUmxFWT4x/n4Hv2JtGqAGn2+9rNn2PDOGu6QpqOHVgglSvPOltWpkmltuVY/XQjVBPzwoVBxHXdfBnO1dXQil9ayOGxAGnqFucPXHbrSl69TEX9G/84RKP7G9tvwsg6lYWgrReY36Oswn8YyAxqiYrpcjNoziu2TrteZ+PHNqIjRrds/ChgCRPqzTRzwiUfDW4bhkt0piobo2FsPs5ozHbr1zxou2CKBrrBVOkfD8kjRSrLlkj8rUoGreXEQ3QiwIdaVx5zrPIk5W/gfvslkEdep6n+/RFlBhvFcgzkceX/0xPrudDtiwmG4WzndsDON7vUJ3q/6MkH9KElp/1yP3/j3t2KTYz3wbiYfdBEVVNtgFg+s2ktjnQ/EveICPsmMG3rfmNDZ8dXWuHlCZFK8tcyKWY1GOUh5IubQd16rfXZ512bdiqU8PHZNWs4SHT3Bg4co85FfQ71U7Ntfh+9YI7Hsnlzs7Ol4I/hkozlXJA9TPeUM17wkpnHaZoW7GnQGZrDr1zoGN/gdJeoyI3CusdlDQph45RQo8GG4PfAnz4Dr/SvjqjBe3/tQOpjUU/yFkUNrIWFD58y2Ebz64CzkTzNkkmnh3QhH3ayEGp13oWdsAGuEicqYo9Wo6ggY3jKNVDZjgz0ocRhRPzO92W1IS4IYm100hjY32DkiBmWLcX5xUoO3W6DNgrOZjQg0nX5aKAH9xcON9Y5kGB9DENIoAZ8mbM/QWO9hVk+O0xJ+0o0bbe7P8tQ71oQV2Wyod/i9qjAabfqFRuyCXdsGskethUyEWhCeSG6ZtOh82Bq4BCdINbY+A0o+A+bnrwkpIilRr1B1iebGA8rVvYZn8N5nk09DBYuK+Igj7rjkzBFHtw8wnM8HYdp6g+p6KJK/zn6RMjb5LmJyXQPo9uMZmh0reRAPBgYfML1Zb00YQcUZqAwQFBT7X5DaAH4k2ofmg/NU0ppLljPwuvUpKXooaf+knShCC06fOrUI6XsXttcBQ8z0aUnzaM7gS9kigO8tt6d+YKb5qKgqY3HM69X2bFaYkj76fgTsednSpneKIoXI1pqeP2F0QLjaKP3K5mGVVzUP8bPwUyfKavlzg4PPe/NlfVM6lg6Jv2NQ8/mgcmGf70ObIMWRD1mtv+Jy1jTlInR70dl2W8PCBkh1mTfQoUYV9kApH4jBewDfORo8HWsR9oZaPD/YQoT5Gb6Tv4paWZDbW3WmVtl2H1MYGXFopDP2uWuA1PUAIgR3J5TKQzqOgvrJAf+mtHqKNyMgZHWHB8zkQSmapHa8luIh/1xezapN9cY4W3vtfBg2gX6ZVKDpn4Wix/bKIyWwNDvYCqL90E9+zeIlq9LSUkwSQhmGI2Xrtt93ijYASyoBx/scTko8R/ubzdCRY4b97yRJLWDgsWkhYUDwVRzPOLbsa14r1Ggh92ujC1NbzoQ+Im5bvZZWXIsJozj+Q3iD78kMHuavr/U9meuKEqaiZgDpRn3rTo17p7BJYUNiwsyBAgS0wBTxkL88DvBL9LpdBSMrh+JVf20afarrWLLiu9DHhtqufuTKmn6N5EGKND19BRu5nhNau6EbvuKI2kPd/XasklTQklTMYC5/qNRVR/y9vV+ai861bVV2LVHZ943SEqp+S4eTBTWKTH2aLzIu/kP4StoeNCpeJpDpy2iOwk+MOLsxkTNG5GLdf/Ab18z+a6Y1KVHTAIIAwe4dWOm3wX4STeuIos/AjK8M7lXoMAKdnUta2GLOMXUJopi5dFzz4Ac2Dy/+BgXzX4rIhaPIC4cLH+NSu4Q08hFpFa43KsGPI/W1285C97RXsDThuyZySlUv1gkoTKSbwv8Vz/rY90M94huwnybFyr2R2YTPcAWb6YuyItZhnqvE2rGu6HjOxH14QBTb+pnlnTkvL3WfhI55bg9E7kr4BTupuBSZcgLUdvRZbYXiFHh+njTFz+EBj0EUtRLlFK2YI51Rw7vexPpwx+TQ72qcYq3Vt6hAW5/6ztKOBYWPtb68dbjJN8UwVZxOGAKN518P5Cr8JspScN+Mbl4q3tJr2NXhDCrRRxWEfv2IRiApYtQLag9D1VDIaOtTbtvk1zASfjhPTJ6nOKwzkwFxC/5ldSIPv7GrK+4gKDTQjP01EpZbcR14wfVCBZ3+qz1Pa3yKUVOxpmPlAV6owe0FHOMvFqyJlh/Rr15Gqxu5Eyw+vba9RSJdaPyUI6u+6UqXvTXSaj5gMQUivnOGwxRE4+oIoc+kt0WMkfeSvjHkn7fvhWH7oQSzw9+JAad+Dvb619/Z+sG2s/Xod0gotvQ6mhsFh8qoGWLge7kczQy8WN96rcy/mWuAVR5yqAi2GPZ+UmqLv1/YwR8r1NC1hXSfiROfE4+JmSYvE1G6o1MBsmHawU5/ErUbzhKn31pLj0vdole9AZhD/z1n/hPypUYpeCrn7/BJYN6+rEBaQOwW0luBvP4e8s42v/IDKIT+JmWhNXiAxGZ79gK2aiVoq6NLFEwPjmbFdLwnwbKSlT0KFCt4OlHnW1gw5vgBURIKDuWWEcoH3WS/W3FBDpUlbPcB+MZs/liUQu/V+k29826zF/x+NX0CFktEtiFhTdTfIMCYBk6rYWswkIGNVJDHvn/NuFlQ4LGyhd7/W8Ygtl4JiybtxX+QPtBPfz3+9g/jyHR/KGa1H1/w8PVNOeo8rEkr3U2b8p3OOxkNSQwo/c2yvwoZCseV/DvPwe2j4Ow1CcS59hDuPXEZNMnStlAfIOmiaagjyOVNZc255jxSP1lu77Xq83/r2OTKKlLSIa4e5ZUq5sDxlEz6h9xSXj177yRzdfcKS5qH1gHv+n0YNpTyRdkR6zLTIpE2b9xLGiwJ69gwdmMFOoKXO7GADitY+tAah1kDXJaREfT6XBKwE5cC+Kf6G1kv1/4Xb2P8e+rvEVQbk8K+o4yxynR295+zoCS7T8zFZJoDQ4FGzhePWTFVTw9majjStqfqWrRDuNdPxSdK4o7Xtc4JOleiE3+/dOqyGsv5tHfT2U3dDUp4DQPYa9YAhzZvAde+V7gEA1FwCC4N0pCuCta6Zd/nyonwMTydTkj9pohKUAYkeTa1d7AwwoWdlXIcKNCw0i1em5hISUFn5u4Tkz7aZezfqtOn5PQqqNBxC3s70Wt8K5RtaEL3jZZiBYEZlox2052D21nIMbWa0GG79KZ55e6oIRgqKJGHPwVOLQzG2MhUVn6oK00mrf909NZd+OBr1l3wQNMihzVP5rsC8mUKKzeJ+2x1fOMFCkzTnjiQ6Qz2wYQ+pAC7ik/kWlqhg7Gcxr4QFhWZBYuBbjPNwIEBGhYLPAWc0eKah0kFCnD3aAf7FOwni4ySMD2CRvZJ8/Q5pJlthUge4aZkboXzMd1ZEJcnIq2xwnETmfleNm/EPXki53Q6837NMKvClYh2137ix4tx
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1518454567",
"to_ids": true,
"type": "malware-sample",
"uuid": "5a3faf3d-1b2c-4600-a58e-4a2b02de0b81",
"value": "trilog.exe|6c39c3f4a08d3d78f2eb973a94bd7718"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1518454567",
"to_ids": false,
"type": "float",
"uuid": "5a3faf3d-28e0-4a56-b5fc-4f8e02de0b81",
"value": "5.7735612938"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1518454567",
"to_ids": true,
"type": "ssdeep",
"uuid": "5a3faf3d-87bc-40c7-a85b-48cf02de0b81",
"value": "384:eIn2vPeqUfmEZ+nUn0fJCfMdXWgugoL2RrXdUWJCXXtB:eBPeqYmEb0kUX9XdUzXv"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha256",
"uuid": "5a3faf3d-f5d0-4581-a6b9-467102de0b81",
"value": "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1518454567",
"to_ids": true,
"type": "sha512",
"uuid": "5a3faf3d-7af0-4f77-8564-4b6602de0b81",
"value": "57c4aa07aede473e5b8424e4ed8173d0a6215306cf9cc44ab91e4745025a01a720929a02a25f4db24eff81b624d6d6ddfda191be06014bb319a933b9bad12eec"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1518454567",
"to_ids": true,
"type": "md5",
"uuid": "5a3faf3d-e924-43b5-a06f-4a9802de0b81",
"value": "6c39c3f4a08d3d78f2eb973a94bd7718"
}
]
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
chg: [gen] updated
2023-12-14 14:30:15 +00:00
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
}
Reference in a new issue Copy permalink