{ "Event": { "analysis": "2", "date": "2017-09-13", "extends_uuid": "", "info": "OSINT - DownAndExec: Banking malware utilizes CDNs in Brazil", "publish_timestamp": "1518771437", "published": true, "threat_level_id": "3", "timestamp": "1518231673", "uuid": "5a3bcbe0-3d70-427d-8744-4bdb950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#3b7500", "name": "circl:incident-classification=\"malware\"" }, { "colour": "#002f76", "name": "ms-caro-malware-full:malware-family=\"Banker\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1518185087", "to_ids": false, "type": "link", "uuid": "5a3cc4fd-5fd0-4c16-a65a-4c62950d210f", "value": "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1518185087", "to_ids": false, "type": "comment", "uuid": "5a5c6f2a-afc8-41e1-8a1f-43b9950d210f", "value": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware.\r\n\r\nThe attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent \u201cfileless\u201d banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.\r\n\r\nThe purpose of this article is to offer an analysis of the downAndExec standard that is making extensive use of JS scripts to download and execute \u2014 in this particular instance, banking malware on victims\u2019 computers.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "timestamp": "1516009242", "to_ids": true, "type": "sha1", "uuid": "5a5c771a-0068-47dc-8e20-47ad950d210f", "value": "30fc877887d6845007503f3abd44ec261a0d40c7" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "timestamp": "1516009243", "to_ids": true, "type": "sha1", "uuid": "5a5c771b-1804-42f0-9701-4e5d950d210f", "value": "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "timestamp": "1516009243", "to_ids": true, "type": "sha1", "uuid": "5a5c771b-5054-4f25-914e-4aee950d210f", "value": "bffaabcce3f4cced896f745a7ec4eba207028683" }, { "category": "Payload delivery", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "timestamp": "1516009243", "to_ids": true, "type": "md5", "uuid": "5a5c771b-6a2c-45ff-8d55-47b0950d210f", "value": "2ad3b1669e8302035e24c838b3c08f2c" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": 
false, "timestamp": "1516009244", "to_ids": true, "type": "md5", "uuid": "5a5c771c-9a58-45ea-a3c7-4555950d210f", "value": "51aed47cc54e9671f3ea71f8ee584952" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1518185088", "to_ids": true, "type": "url", "uuid": "5a5c7a0d-71d4-465e-b761-ae5c950d210f", "value": "https://1402712571.rsc.cdn77.org" }, { "category": "Network activity", "comment": "inactive", "deleted": false, "disable_correlation": false, "timestamp": "1518185088", "to_ids": true, "type": "url", "uuid": "5a5c7a0e-4c48-42d5-acbc-ae5c950d210f", "value": "https://1356485243.rsc.cdn77.org" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007689", "uuid": "5a5c7109-1514-4b03-aca8-c84f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007689", "to_ids": true, "type": "filename", "uuid": "5a5c7109-5130-4ebe-b03f-c84f950d210f", "value": "AppAdobeFPlayer_1497851813.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516007689", "to_ids": true, "type": "sha1", "uuid": "5a5c7109-2f84-45bc-9d98-c84f950d210f", "value": "37648e4b95636e3ee5a68e3fa8c0735125126c17" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007690", "to_ids": false, "type": "text", "uuid": "5a5c710a-8db4-4e36-b0fb-c84f950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": 
"688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007724", "uuid": "5a5c712c-c8f0-4033-a3c6-ae5c950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007724", "to_ids": true, "type": "filename", "uuid": "5a5c712c-0134-4465-ba20-ae5c950d210f", "value": "Consulta_Resultado05062017.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516007725", "to_ids": true, "type": "sha1", "uuid": "5a5c712d-e004-466f-962e-ae5c950d210f", "value": "38b7611bb20985512f86dc2c38247593e58a1df6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007725", "to_ids": false, "type": "text", "uuid": "5a5c712d-95c8-4631-9db2-ae5c950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007763", "uuid": "5a5c7153-7a80-4f92-a162-af7f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007763", "to_ids": true, "type": "filename", "uuid": "5a5c7153-0adc-445d-b839-af7f950d210f", "value": "NotaFiscal.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516007763", "to_ids": true, "type": "sha1", "uuid": "5a5c7153-2508-479f-9107-af7f950d210f", "value": "67458b503047852dd603080946842472e575b856" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007764", "to_ids": 
false, "type": "text", "uuid": "5a5c7154-87f0-429a-841b-af7f950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007781", "uuid": "5a5c7165-f8fc-41f9-84f1-4c94950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007782", "to_ids": true, "type": "filename", "uuid": "5a5c7166-b778-4b50-bf8c-4a77950d210f", "value": "n\u00c3\u00a3o confirmado 923337.crdownload" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516007782", "to_ids": true, "type": "sha1", "uuid": "5a5c7166-feb8-4fe9-850f-4c20950d210f", "value": "8ea2c548bcb974a380fece046a7e3f0218632ff2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007782", "to_ids": false, "type": "text", "uuid": "5a5c7166-c488-4cde-ba04-4555950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007805", "uuid": "5a5c717d-7e58-4fbf-8c33-c84f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007805", "to_ids": true, "type": "filename", "uuid": "5a5c717d-99a0-43bb-bdae-c84f950d210f", "value": "5ae9e0f3867ae8a317031fc9a5ed886e.virus" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": 
"1516007806", "to_ids": true, "type": "sha1", "uuid": "5a5c717e-2c94-40f8-8d01-c84f950d210f", "value": "bffaabcce3f4cced896f745a7ec4eba2070286b3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007806", "to_ids": false, "type": "text", "uuid": "5a5c717e-5a6c-4020-b20d-c84f950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1516007826", "uuid": "5a5c7192-cb54-4a77-8f2f-ae1e950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1516007826", "to_ids": true, "type": "filename", "uuid": "5a5c7192-e888-4aa3-a6ee-ae1e950d210f", "value": "Consulta_Resultado05062017.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516007827", "to_ids": true, "type": "sha1", "uuid": "5a5c7193-8034-49ae-8259-ae1e950d210f", "value": "effb36259accdfff07c036c5a41b357692577265" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1516007827", "to_ids": false, "type": "text", "uuid": "5a5c7193-8710-4df4-b99d-ae1e950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185091", "uuid": "352791b2-86bb-41ad-9481-10549ebea11f", "ObjectReference": [ { "comment": "", "object_uuid": "352791b2-86bb-41ad-9481-10549ebea11f", "referenced_uuid": "db289675-d7e8-42b0-a80d-1d0f73eac08b", 
"relationship_type": "analysed-with", "timestamp": "1518771436", "uuid": "5a7daa9b-5060-452a-89f5-448a02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185089", "to_ids": true, "type": "sha1", "uuid": "5a7daa81-4b18-40ae-8f01-431e02de0b81", "value": "5c5d23fcb759d900c0158948695b43f63df4a99d" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185089", "to_ids": true, "type": "sha256", "uuid": "5a7daa81-64f8-4faa-a99c-4d5302de0b81", "value": "08895e31448976adfbe419d1db92650bfb8b937f13597e6222fba965d3e999e0" }, { "category": "Payload delivery", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185089", "to_ids": true, "type": "md5", "uuid": "5a7daa81-8ca8-4479-8be1-451102de0b81", "value": "51aed47cc54e9671f3ea71f8ee584952" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185090", "uuid": "db289675-d7e8-42b0-a80d-1d0f73eac08b", "Attribute": [ { "category": "External analysis", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185090", "to_ids": false, "type": "link", "uuid": "5a7daa82-5084-4e96-b1b7-481e02de0b81", "value": "https://www.virustotal.com/file/08895e31448976adfbe419d1db92650bfb8b937f13597e6222fba965d3e999e0/analysis/1509045877/" }, { "category": "Other", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185090", "to_ids": false, "type": "text", "uuid": 
"5a7daa82-ce04-4a13-b4dc-4dd902de0b81", "value": "42/66" }, { "category": "Other", "comment": "Win32/Spy.Banker.ADYV", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185091", "to_ids": false, "type": "datetime", "uuid": "5a7daa83-7f20-42ba-9919-459c02de0b81", "value": "2017-10-26T19:24:37" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185094", "uuid": "323bf06e-4c08-4825-9e3d-490b985d27f1", "ObjectReference": [ { "comment": "", "object_uuid": "323bf06e-4c08-4825-9e3d-490b985d27f1", "referenced_uuid": "3c950c89-f255-4ce4-bdf5-b3cb9a34eada", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-1a14-4a07-a404-480c02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185091", "to_ids": true, "type": "sha1", "uuid": "5a7daa83-dc7c-4d41-8a83-439d02de0b81", "value": "21e6bfad68531acefa1a059015fb008742b5aeec" }, { "category": "Payload delivery", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185092", "to_ids": true, "type": "sha256", "uuid": "5a7daa84-4450-4d1f-8a39-428802de0b81", "value": "15a739c1e02245e4f686ff46ca616ab73663fffac9c4de4290a1af4668405878" }, { "category": "Payload delivery", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185092", "to_ids": true, "type": "md5", "uuid": "5a7daa84-7690-4c43-bbf7-407302de0b81", "value": "2ad3b1669e8302035e24c838b3c08f2c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": 
"misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185093", "uuid": "3c950c89-f255-4ce4-bdf5-b3cb9a34eada", "Attribute": [ { "category": "External analysis", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185093", "to_ids": false, "type": "link", "uuid": "5a7daa85-4e94-4767-b81b-491502de0b81", "value": "https://www.virustotal.com/file/15a739c1e02245e4f686ff46ca616ab73663fffac9c4de4290a1af4668405878/analysis/1509155544/" }, { "category": "Other", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185093", "to_ids": false, "type": "text", "uuid": "5a7daa85-34f4-42de-856c-427902de0b81", "value": "26/59" }, { "category": "Other", "comment": "JS/TrojanDownloader.Agent.QPA", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185094", "to_ids": false, "type": "datetime", "uuid": "5a7daa86-e0c4-4f48-a687-466c02de0b81", "value": "2017-10-28T01:52:24" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185097", "uuid": "989dca8a-94e7-414f-9bb9-299b6407cfe4", "ObjectReference": [ { "comment": "", "object_uuid": "989dca8a-94e7-414f-9bb9-299b6407cfe4", "referenced_uuid": "b8d9d264-06d8-465a-81c9-a4cd48c9deaa", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-4a50-4114-bb65-418202de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185094", "to_ids": true, "type": "sha1", "uuid": 
"5a7daa86-b30c-4e77-b3a5-4bef02de0b81", "value": "37648e4b95636e3ee5a68e3fa8c0735125126c17" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185094", "to_ids": true, "type": "sha256", "uuid": "5a7daa87-3a34-46e3-b034-4e5602de0b81", "value": "ce300e38c0adbba46b1d46066cc3be3e5ce990c6406cb3e1713936acd124d174" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185095", "to_ids": true, "type": "md5", "uuid": "5a7daa87-95f8-4f8e-b7f8-495a02de0b81", "value": "c5d56198560f2e263c7ae1af6fccae6c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185095", "uuid": "b8d9d264-06d8-465a-81c9-a4cd48c9deaa", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185095", "to_ids": false, "type": "link", "uuid": "5a7daa87-4afc-47dd-876d-492602de0b81", "value": "https://www.virustotal.com/file/ce300e38c0adbba46b1d46066cc3be3e5ce990c6406cb3e1713936acd124d174/analysis/1509045679/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185096", "to_ids": false, "type": "text", "uuid": "5a7daa88-e2ac-4bd7-a8c1-484502de0b81", "value": "45/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185096", "to_ids": false, "type": "datetime", "uuid": "5a7daa88-7f20-461d-890d-44bc02de0b81", "value": "2017-10-26T19:21:19" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", 
"meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185100", "uuid": "ec87a3b7-5f72-4b59-8d53-6e2767f4328f", "ObjectReference": [ { "comment": "", "object_uuid": "ec87a3b7-5f72-4b59-8d53-6e2767f4328f", "referenced_uuid": "8c9d5426-4f3b-4bfd-b166-40f4e69c8998", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-fed4-4fae-a8a4-48cb02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185097", "to_ids": true, "type": "sha1", "uuid": "5a7daa89-5b00-47b6-8e10-414002de0b81", "value": "67458b503047852dd603080946842472e575b856" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185097", "to_ids": true, "type": "sha256", "uuid": "5a7daa89-0be8-4c1a-9aed-4fa802de0b81", "value": "d7b430e18426fad00576add9e88c6b0c78eb194376dfa416ab805f5757188990" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185098", "to_ids": true, "type": "md5", "uuid": "5a7daa8a-a198-4534-a467-4db302de0b81", "value": "1a5748d445565bf35a3cb6e6b6959fe2" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185098", "uuid": "8c9d5426-4f3b-4bfd-b166-40f4e69c8998", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185098", "to_ids": false, "type": "link", "uuid": "5a7daa8a-7c2c-4d8b-b395-413b02de0b81", "value": 
"https://www.virustotal.com/file/d7b430e18426fad00576add9e88c6b0c78eb194376dfa416ab805f5757188990/analysis/1509045752/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185099", "to_ids": false, "type": "text", "uuid": "5a7daa8b-6934-465e-8d8e-4ff202de0b81", "value": "40/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185099", "to_ids": false, "type": "datetime", "uuid": "5a7daa8b-a6c8-404d-af6d-4e1302de0b81", "value": "2017-10-26T19:22:32" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185102", "uuid": "5e44b32b-6d75-4ac9-a643-96970dee4e3e", "ObjectReference": [ { "comment": "", "object_uuid": "5e44b32b-6d75-4ac9-a643-96970dee4e3e", "referenced_uuid": "532bbc5d-ad5f-4281-88f9-a027f31718ae", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-8594-4197-bfec-42de02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185099", "to_ids": true, "type": "sha1", "uuid": "5a7daa8b-3a50-4639-b8cf-440f02de0b81", "value": "30fc877887d6845007503f3abd44ec261a0d40c7" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185100", "to_ids": true, "type": "sha256", "uuid": "5a7daa8c-34c4-4126-8a4c-45b102de0b81", "value": "74c115091077182b4e9f1dc141fd2c91c50b0c61fd22117f71f880ebc4fe72bc" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, 
"disable_correlation": false, "object_relation": "md5", "timestamp": "1518185100", "to_ids": true, "type": "md5", "uuid": "5a7daa8c-c330-4a61-a4e8-412602de0b81", "value": "ab4832be975c95ce0348416741225143" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185101", "uuid": "532bbc5d-ad5f-4281-88f9-a027f31718ae", "Attribute": [ { "category": "External analysis", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185101", "to_ids": false, "type": "link", "uuid": "5a7daa8d-995c-4415-90b2-41a602de0b81", "value": "https://www.virustotal.com/file/74c115091077182b4e9f1dc141fd2c91c50b0c61fd22117f71f880ebc4fe72bc/analysis/1509045590/" }, { "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185101", "to_ids": false, "type": "text", "uuid": "5a7daa8d-7378-4f23-913b-467a02de0b81", "value": "36/66" }, { "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185101", "to_ids": false, "type": "datetime", "uuid": "5a7daa8d-bf5c-453b-8111-49d202de0b81", "value": "2017-10-26T19:19:50" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185105", "uuid": "362d20e1-90b1-45c8-b536-5e2fc281fe8a", "ObjectReference": [ { "comment": "", "object_uuid": "362d20e1-90b1-45c8-b536-5e2fc281fe8a", "referenced_uuid": "0d641165-660b-4c56-a989-5f27840d94f1", "relationship_type": "analysed-with", "timestamp": 
"1518771437", "uuid": "5a7daa9b-f4c4-4ba5-9428-4b5002de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185102", "to_ids": true, "type": "sha1", "uuid": "5a7daa8e-faf0-4774-bfb6-4c6c02de0b81", "value": "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185102", "to_ids": true, "type": "sha256", "uuid": "5a7daa8e-2fb4-4d5d-8ceb-408602de0b81", "value": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" }, { "category": "Payload delivery", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185103", "to_ids": true, "type": "md5", "uuid": "5a7daa8f-fccc-4952-a114-445002de0b81", "value": "71b6a493388e7d0b40c83ce903bc6b04" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185103", "uuid": "0d641165-660b-4c56-a989-5f27840d94f1", "Attribute": [ { "category": "External analysis", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185103", "to_ids": false, "type": "link", "uuid": "5a7daa8f-e930-4c13-b96f-493d02de0b81", "value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1517914078/" }, { "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185104", "to_ids": false, "type": "text", "uuid": "5a7daa90-99dc-4e0c-b651-4bbc02de0b81", 
"value": "59/65" }, { "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185104", "to_ids": false, "type": "datetime", "uuid": "5a7daa90-e0ec-488b-87f7-418802de0b81", "value": "2018-02-06T10:47:58" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185108", "uuid": "9e1132f7-a6f0-4966-8d8e-a8ba91337184", "ObjectReference": [ { "comment": "", "object_uuid": "9e1132f7-a6f0-4966-8d8e-a8ba91337184", "referenced_uuid": "9ddbe62a-df3a-4968-8fb1-4b46e61d0abe", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-7d98-4166-acd6-475202de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185105", "to_ids": true, "type": "sha1", "uuid": "5a7daa91-0ed8-4164-ad3f-4f8e02de0b81", "value": "bffaabcce3f4cced896f745a7ec4eba2070286b3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185105", "to_ids": true, "type": "sha256", "uuid": "5a7daa91-3f68-4a2c-ab50-47f202de0b81", "value": "45211c815cac28a399e3ad01d742b5811dae54d93918e969c685d4e8356d7c28" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185105", "to_ids": true, "type": "md5", "uuid": "5a7daa91-ce94-4fb6-a16d-4b8602de0b81", "value": "5ae9e0f3867ae8a317031fc9a5ed886e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", 
"timestamp": "1518185106", "uuid": "9ddbe62a-df3a-4968-8fb1-4b46e61d0abe", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185106", "to_ids": false, "type": "link", "uuid": "5a7daa92-a268-4a80-8fe2-422502de0b81", "value": "https://www.virustotal.com/file/45211c815cac28a399e3ad01d742b5811dae54d93918e969c685d4e8356d7c28/analysis/1505331152/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185106", "to_ids": false, "type": "text", "uuid": "5a7daa92-9ac8-48be-a710-4ceb02de0b81", "value": "39/64" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185107", "to_ids": false, "type": "datetime", "uuid": "5a7daa93-b3d4-4672-b604-454802de0b81", "value": "2017-09-13T19:32:32" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185110", "uuid": "a4602179-8407-4714-8ce8-73e739f8f93e", "ObjectReference": [ { "comment": "", "object_uuid": "a4602179-8407-4714-8ce8-73e739f8f93e", "referenced_uuid": "23e90ff7-f68e-4f1e-abfb-1d24b0480d18", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-f750-46d3-9e5b-41c302de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185107", "to_ids": true, "type": "sha1", "uuid": "5a7daa93-e5f8-4fb3-80ad-46ef02de0b81", "value": "38b7611bb20985512f86dc2c38247593e58a1df6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": 
"1518185108", "to_ids": true, "type": "sha256", "uuid": "5a7daa94-e6a0-4933-a1a8-443202de0b81", "value": "6b08e5d92c7067eae8e222f2d13ba2a59fe36421eb2ece5054b5d97c593a38e2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185108", "to_ids": true, "type": "md5", "uuid": "5a7daa94-c79c-4d5b-8de5-4edc02de0b81", "value": "e383d317b3c7bbd65a7c303746b7f12d" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185108", "uuid": "23e90ff7-f68e-4f1e-abfb-1d24b0480d18", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185109", "to_ids": false, "type": "link", "uuid": "5a7daa95-e77c-431d-bc9c-4cdc02de0b81", "value": "https://www.virustotal.com/file/6b08e5d92c7067eae8e222f2d13ba2a59fe36421eb2ece5054b5d97c593a38e2/analysis/1509045704/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185109", "to_ids": false, "type": "text", "uuid": "5a7daa95-db80-4bcf-8c20-450a02de0b81", "value": "39/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185109", "to_ids": false, "type": "datetime", "uuid": "5a7daa95-88e8-49fe-be81-421b02de0b81", "value": "2017-10-26T19:21:44" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185113", "uuid": "368ea62b-9c92-41fd-aa29-ad77f6f49144", "ObjectReference": [ { "comment": "", 
"object_uuid": "368ea62b-9c92-41fd-aa29-ad77f6f49144", "referenced_uuid": "ffa1925f-32e0-4ddf-ac99-db930609d495", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-de8c-45d3-bcdd-433202de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185110", "to_ids": true, "type": "sha1", "uuid": "5a7daa96-4bf0-4ab4-950f-4a8e02de0b81", "value": "8ea2c548bcb974a380fece046a7e3f0218632ff2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185110", "to_ids": true, "type": "sha256", "uuid": "5a7daa96-26bc-4e71-8b7d-40f602de0b81", "value": "66d9360a2a41a119a9337539e110d79f6e74e405755029d9241bf9afc20beed6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185111", "to_ids": true, "type": "md5", "uuid": "5a7daa97-0970-4c6b-9cc0-4c4102de0b81", "value": "782eace45e76c28862396a2b6d5b3f1c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1518185111", "uuid": "ffa1925f-32e0-4ddf-ac99-db930609d495", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185111", "to_ids": false, "type": "link", "uuid": "5a7daa97-96ac-4b57-877e-4cc502de0b81", "value": "https://www.virustotal.com/file/66d9360a2a41a119a9337539e110d79f6e74e405755029d9241bf9afc20beed6/analysis/1510180391/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185111", "to_ids": false, "type": "text", "uuid": 
"5a7daa97-1e08-4336-bef5-44c302de0b81", "value": "41/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185112", "to_ids": false, "type": "datetime", "uuid": "5a7daa98-6474-4cc5-85d9-481a02de0b81", "value": "2017-11-08T22:33:11" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1518185115", "uuid": "b4c72aed-63bf-4f2a-8794-047d36abe533", "ObjectReference": [ { "comment": "", "object_uuid": "b4c72aed-63bf-4f2a-8794-047d36abe533", "referenced_uuid": "43e3402c-ec4a-4afc-859b-18cdd344f48f", "relationship_type": "analysed-with", "timestamp": "1518771437", "uuid": "5a7daa9b-37dc-4b69-808c-4fc502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1518185112", "to_ids": true, "type": "sha1", "uuid": "5a7daa98-4df8-4fcf-a9f7-400e02de0b81", "value": "effb36259accdfff07c036c5a41b357692577265" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1518185113", "to_ids": true, "type": "sha256", "uuid": "5a7daa99-e394-4da0-b7ab-47ba02de0b81", "value": "91301d3daab1a87dfc8b4e39f8a120ea5523e04ac86fee970cecc6760e05c8fe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1518185113", "to_ids": true, "type": "md5", "uuid": "5a7daa99-ace0-4814-8d0c-469e02de0b81", "value": "b917b09c778d7aa7e5a2d98a5fba5b1e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", 
"template_version": "1", "timestamp": "1518185113", "uuid": "43e3402c-ec4a-4afc-859b-18cdd344f48f", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1518185114", "to_ids": false, "type": "link", "uuid": "5a7daa9a-b7e8-4340-a315-416602de0b81", "value": "https://www.virustotal.com/file/91301d3daab1a87dfc8b4e39f8a120ea5523e04ac86fee970cecc6760e05c8fe/analysis/1509045798/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1518185114", "to_ids": false, "type": "text", "uuid": "5a7daa9a-f554-4959-827d-4d0702de0b81", "value": "38/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1518185114", "to_ids": false, "type": "datetime", "uuid": "5a7daa9a-d1fc-4984-9be0-45e902de0b81", "value": "2017-10-26T19:23:18" } ] } ] } }