{"Event": {"info": "OSINT - Graftor - But I Never Asked for This\u2026", "Tag": [{"colour": "#0b8d00", "exportable": true, "name": "misp-galaxy:tool=\"Aumlib\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#3b0020", "exportable": true, "name": "workflow:todo=\"expansion\""}, {"colour": "#620035", "exportable": true, "name": "workflow:todo=\"review-for-false-positive\""}, {"colour": "#52002c", "exportable": true, "name": "workflow:todo=\"review-before-publication\""}], "publish_timestamp": "0", "timestamp": "1513630056", "Object": [{"comment": "Graftor Dropper", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a37cfe7-03a8-43cf-91d9-4b46950d210f", "sharing_group_id": "0", "timestamp": "1513607143", "description": "File object describing a file with meta-information", "template_version": "8", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a37cfe7-6f98-4315-a202-4c06950d210f", "timestamp": "1513607143", "to_ids": true, "value": "2263387661.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37cfe7-5374-4801-9361-4974950d210f", "timestamp": "1513607143", "to_ids": true, "value": "fd3ccf65eab21a77d2e440bd23c59d52e96a03a4", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37cfe7-6a24-4e14-9dd3-43e3950d210f", "timestamp": "1513607143", "to_ids": true, "value": "41474cd23ff0a861625ec1304f882891826829ed26ed1662aae2e7ebbe3605f2", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37cfe7-d618-44f9-a0b5-493f950d210f", "timestamp": "1513607143", "to_ids": true, "value": "9b9ce661a764d84a4636812e1dfcb03b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "Dumped 2nd stage", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a37d02b-66d0-4d32-a418-4ae4950d210f", "sharing_group_id": "0", "timestamp": "1513607211", "description": "File object describing a file with meta-information", "template_version": "8", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a37d02b-4e68-4736-96c4-48f0950d210f", "timestamp": "1513607211", "to_ids": true, "value": "99c7627708c4ab1fca3222738c573e7376ab4070", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37d02b-e8ac-444b-b393-45bd950d210f", "timestamp": "1513607211", "to_ids": true, "value": "eefdbe891e35390b84181eabe0ace6e202f5b2a050e800fb8e82327d5e57336d", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37d02b-3e24-4ca7-a2f6-454a950d210f", "timestamp": "1513607211", "to_ids": true, "value": "40bde09fc059f205f67b181c34de666b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "Dumped 3rd stage", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a37d070-e818-4ed7-ab3b-4a9c950d210f", "sharing_group_id": "0", "timestamp": "1513607280", "description": "File object describing a file with meta-information", "template_version": "8", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a37d071-5040-4414-b6ab-421d950d210f", "timestamp": "1513607281", "to_ids": true, "value": "7c4cd0ff0e004a62c9ab7f8bd991094226eca842", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37d071-be28-4dbc-bc30-45b2950d210f", "timestamp": "1513607281", "to_ids": true, "value": "5eb2333956bebb81da365a26e56fea874797fa003107f95cda21273045d98385", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a37d071-9f1c-49b6-bcc2-4a95950d210f", "timestamp": "1513607281", "to_ids": true, "value": "1e9f40e70ed3ab0ca9a52c216f807eff", "disable_correlation": false, "object_relation": "md5", "type": "md5"}], "distribution": "5", "meta-category": "file", "name": "file"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a37ccc2-b818-4ea8-951f-4e6f950d210f", "timestamp": "1513606567", "to_ids": false, "value": "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Alternate Data Streams(ADS)", "category": "Payload delivery", "uuid": "5a37cf9b-0f4c-41d8-bd86-4fec950d210f", "timestamp": "1513607067", "to_ids": true, "value": "C:UsersdexAppDataLocalTemp2263387661.exe:Zone.Identifier", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Alternate Data Streams(ADS)", "category": "Payload delivery", "uuid": "5a37cf9b-0ac8-4fb2-aa7d-4f44950d210f", "timestamp": "1513607067", "to_ids": true, "value": "C:UsersdexAppDataLocalTempQBPO5ppcuhJG.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Alternate Data Streams(ADS)", "category": "Payload delivery", "uuid": "5a37cf9c-0980-4f21-b32c-478f950d210f", "timestamp": "1513607068", "to_ids": true, "value": "C:UsersdexAppDataLocalTemp2263387661.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Alternate Data Streams(ADS)", "category": "Payload delivery", "uuid": "5a37cf9c-57b8-4fda-8d1d-4bf6950d210f", "timestamp": "1513607068", "to_ids": true, "value": "C:UsersdexAppDataLocalTempAyWdp7tHPIeU.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Alternate Data Streams(ADS)", "category": "Payload delivery", "uuid": "5a37cf9c-df28-41b5-b61a-4783950d210f", "timestamp": "1513607068", "to_ids": true, "value": "C:WindowsSystem32regsvr32.exe:Zone.Identifier", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Command and Control Server GET Request", "category": "Network activity", "uuid": "5a37d08d-4b94-4832-a1c2-4e00950d210f", "timestamp": "1513607309", "to_ids": true, "value": "http://kskmasdqsjuzom.regularfood.gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YQ", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Command and Control Server POST Request", "category": "Network activity", "uuid": "5a37d146-e344-482b-9b62-416f950d210f", "timestamp": "1513607494", "to_ids": true, "value": "http://kskmasdqsjuzom.regularfood.gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YSZkZWxheT0zODk", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-6368-40e2-8542-4c9b950d210f", "timestamp": "1513607522", "to_ids": true, "value": "arolina.torchpound.gdn", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-19a0-412b-b81d-40c3950d210f", "timestamp": "1513630020", "to_ids": false, "value": "binupdate.mail.ru", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-a1fc-4218-8a59-45ac950d210f", "timestamp": "1513630012", "to_ids": false, "value": "crl.microsoft.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-54ac-4906-851c-4110950d210f", "timestamp": "1513607522", "to_ids": true, "value": "dreple.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-43cc-45b5-bdda-4ea7950d210f", "timestamp": "1513607522", "to_ids": true, "value": "gambling577.xyz", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-5b44-4686-bbf2-4983950d210f", "timestamp": "1513607522", "to_ids": true, "value": "jvusdtufhlreari.twiceprint.gdn", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-a7dc-4d9f-b7da-477a950d210f", "timestamp": "1513607522", "to_ids": true, "value": "kskmasdqsjuzom.regularfood.gdn", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-e218-417a-85d7-46d2950d210f", "timestamp": "1513607522", "to_ids": true, "value": "mentalaware.gdn", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-14a0-49d3-9b41-4453950d210f", "timestamp": "1513607522", "to_ids": true, "value": "mrds.mail.ru", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-27a8-44bb-a11d-47b9950d210f", "timestamp": "1513607522", "to_ids": true, "value": "nottotrack.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-18b4-45c1-85f4-449e950d210f", "timestamp": "1513607522", "to_ids": true, "value": "plugpackdownload.net", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-c1e8-4a7f-ba5e-4ec6950d210f", "timestamp": "1513607522", "to_ids": true, "value": "s2.symcb.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-e460-4ed8-bc65-4369950d210f", "timestamp": "1513607522", "to_ids": true, "value": "sputnikmailru.cdnmail.ru", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-f288-4ae4-a01c-4ad7950d210f", "timestamp": "1513607522", "to_ids": true, "value": "ss.symcd.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Domains from sandbox run", "category": "Network activity", "uuid": "5a37d162-0178-43d0-a643-4b31950d210f", "timestamp": "1513607522", "to_ids": true, "value": "xml.binupdate.mail.ru", "disable_correlation": false, "object_relation": null, "type": "hostname"}], "extends_uuid": "", "published": false, "date": "2017-09-05", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5a37ccac-13e4-4703-9487-4070950d210f"}}