{
  "Event": {
    "analysis": "2",
    "date": "2019-09-15",
    "extends_uuid": "",
    "info": "On-memory post exploit payloads from encoded binary",
    "publish_timestamp": "1568643213",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1568643188",
    "uuid": "5d7dba44-67d4-4fad-b919-4c2d950d210f",
    "Orgc": {
      "name": "MalwareMustDie",
      "uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#380046",
        "local": false,
        "name": "ms-caro-malware:malware-type=\"HackTool\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffc100",
        "local": false,
        "name": "poshc2 beacon",
        "relationship_type": ""
      },
      {
        "colour": "#c1e21c",
        "local": false,
        "name": " C2",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:course-of-action=\"PowerShell Mitigation\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:course-of-action=\"Network Sniffing Mitigation\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:course-of-action=\"Credential Dumping Mitigation\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Internal reference",
        "comment": "Threat analysis report and analysis screenshots",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568520892",
        "to_ids": false,
        "type": "link",
        "uuid": "5d7dbabc-3ef8-4eb1-9500-448e950d210f",
        "value": "https://imgur.com/a/k60b8pm"
      },
      {
        "category": "Network activity",
        "comment": "The attacker C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568520952",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5d7dbaf8-3e4c-4334-a278-403c950d210f",
        "value": "154.121.50.129"
      },
      {
        "category": "Network activity",
        "comment": "The attacker C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568520989",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5d7dbb1d-a2ec-4534-9e0b-48f0950d210f",
        "value": "amazon34.duckdns.org"
      },
      {
        "category": "Payload delivery",
        "comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568521103",
        "to_ids": false,
        "type": "url",
        "uuid": "5d7dbb8f-210c-4f25-86d9-4e5c950d210f",
        "value": "https://pastebin.com/Pgi3pMgj"
      },
      {
        "category": "Payload delivery",
        "comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568521103",
        "to_ids": false,
        "type": "url",
        "uuid": "5d7dbb8f-2dec-4875-b15d-4f31950d210f",
        "value": "https://pastebin.com/SAQRkmef"
      },
      {
        "category": "Network activity",
        "comment": "The attacker C2's network AS Number",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1568521195",
        "to_ids": false,
        "type": "AS",
        "uuid": "5d7dbbeb-9aa0-4209-beda-4a70950d210f",
        "value": "AS327712"
      }
    ]
  }
}