{ "Event": { "analysis": "2", "date": "2019-05-01", "extends_uuid": "", "info": "OSINT - Kernel Mode Malicious Loader", "publish_timestamp": "1556694084", "published": true, "threat_level_id": "3", "timestamp": "1556694075", "uuid": "5cc92e5a-c624-4343-8352-40fd02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556688489", "to_ids": true, "type": "url", "uuid": "5cc92e69-74a8-4690-90f4-482d02de0b81", "value": "http://45.227.252.54" }, { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": false, "timestamp": "1556688522", "to_ids": true, "type": "sha1", "uuid": "5cc92e8a-6df8-4361-ab1b-4d4002de0b81", "value": "9cfced68abe4f2c0dc5c42f47652592077c26fd6" }, { "category": "Payload delivery", "comment": "unpacked stage", "deleted": false, "disable_correlation": false, "timestamp": "1556688522", "to_ids": true, "type": "sha1", "uuid": "5cc92e8a-a568-4e06-8c35-42c102de0b81", "value": "e1111022deeeed0389ff01ebb02489c45fa2f71a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556688803", "to_ids": false, "type": "link", "uuid": "5cc92fa3-f1cc-46c7-9084-48c902de0b81", "value": "https://twitter.com/PRODAFT/status/1123241137710555136" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1556694075", "to_ids": true, "type": "ip-dst", "uuid": "5cc9443b-9b54-4abf-a421-1ba002de0b81", "value": "45.227.252.54" } ], "Object": [ { "comment": "Malicious kernel mode loader", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1556688878", "uuid": "5cc92fee-df1c-4c88-837f-4d7a02de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556688878", "to_ids": true, "type": "sha1", "uuid": "5cc92fee-7418-4df1-af0a-415d02de0b81", "value": "73f346da7642fae92677a71b01bfcd460f8604bc" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1556688878", "to_ids": false, "type": "text", "uuid": "5cc92fee-0ed8-466c-bbf5-4dd002de0b81", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1556689366", "uuid": "837ee41b-cf9d-4b16-8de6-383694cf6f5c", "ObjectReference": [ { "comment": "", "object_uuid": "837ee41b-cf9d-4b16-8de6-383694cf6f5c", "referenced_uuid": "cd55b14c-14bc-4c8c-86e5-170d7444012a", "relationship_type": "analysed-with", "timestamp": "1556689367", "uuid": "5cc931d7-3af0-43cc-8f7a-4f4502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1556688522", "to_ids": true, "type": "md5", "uuid": "59804e8e-6d94-4912-9cc0-a5c2bd1421c7", "value": "3ae249513649876a34c60e04f385e156" }, { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1556688522", "to_ids": true, "type": "sha1", "uuid": "158a8aed-fdd7-45b8-ba6c-fc6a96ef5f67", "value": "9cfced68abe4f2c0dc5c42f47652592077c26fd6" }, { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1556688522", "to_ids": true, "type": "sha256", "uuid": "bb6af612-a0ed-4c80-b890-971bdec595e1", "value": "1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1556689367", "uuid": "cd55b14c-14bc-4c8c-86e5-170d7444012a", "Attribute": [ { "category": "Other", "comment": "first stage", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1556688522", "to_ids": false, "type": "datetime", "uuid": "09a8c2c4-491f-4dab-b9ba-2d669878f830", "value": "2019-02-23T10:47:04" }, { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1556688522", "to_ids": false, "type": "link", "uuid": "d63e7483-709b-4a33-9799-1109f24b823d", "value": "https://www.virustotal.com/file/1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e/analysis/1550918824/" }, { "category": "Payload delivery", "comment": "first stage", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1556688522", "to_ids": false, "type": "text", "uuid": "0f752f01-5f37-4c8a-8ad8-56622bfe8a6a", "value": "33/66" } ] } ] } }