{ "Event": { "analysis": "2", "date": "2018-01-31", "extends_uuid": "", "info": "OSINT - Smominru Monero mining botnet making millions for operators", "publish_timestamp": "1518771269", "published": true, "threat_level_id": "3", "timestamp": "1517540435", "uuid": "5a7238f2-7ea4-499a-89f6-450b02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517488861", "to_ids": false, "type": "text", "uuid": "5a723909-f0f0-4dfa-b8b7-44fe02de0b81", "value": "Even with recent volatility in the price of most cryptocurrencies, especially Bitcoin, interest among mainstream users and the media remains high. At the same time, Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value (Figure 1), putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions. Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators." 
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517488862", "to_ids": false, "type": "link", "uuid": "5a723916-3788-47c7-a70a-432502de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators" }, { "category": "Payload delivery", "comment": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144).", "deleted": false, "disable_correlation": false, "timestamp": "1517488862", "to_ids": false, "type": "vulnerability", "uuid": "5a723935-bf74-4ea6-ba45-ee7702de0b81", "value": "CVE-2017-0144" }, { "category": "Payload delivery", "comment": "At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and increase the size of the botnet. The hosts all appear to sit behind the network autonomous system AS63199. Other researchers also reported attacks via MySQL [3], and we believe the actors are also likely using EsteemAudit (CVE-2017-0176), like most other EternalBlue attackers. 
The botnet\u2019s command and control (C&C) infrastructure is hosted behind SharkTech, whom we notified of the abuse; we did not receive a reply to the abuse notification. Reviewer note: the attacking hosts listed below are the sources of the EternalBlue (SMB) exploitation attempts but are recorded as ip-dst attributes, so IDS rules exported from them will only match traffic towards these addresses; to detect inbound exploitation attempts they should be matched as source addresses (ip-src).", "deleted": false, "disable_correlation": false, "timestamp": "1517488863", "to_ids": false, "type": "vulnerability", "uuid": "5a723955-5430-48e4-976e-465a02de0b81", "value": "CVE-2017-0176" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488863", "to_ids": true, "type": "ip-dst", "uuid": "5a72399d-8ba0-4d8e-bd4a-4d4102de0b81", "value": "148.153.34.114" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488864", "to_ids": true, "type": "ip-dst", "uuid": "5a72399d-0d98-4599-89c2-4c9e02de0b81", "value": "118.193.81.70" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488864", "to_ids": true, "type": "ip-dst", "uuid": "5a72399e-cd14-491a-bb01-4cde02de0b81", "value": "118.193.31.14" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488865", "to_ids": true, "type": "ip-dst", "uuid": "5a72399e-0cbc-46d1-8db9-4aad02de0b81", "value": "118.193.28.58" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488865", "to_ids": true, "type": "ip-dst", "uuid": "5a72399f-5eec-49b8-9e5b-497102de0b81", "value": "164.52.12.110" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488866", "to_ids": true, "type": "ip-dst", "uuid": "5a72399f-4114-48f0-bd34-4ce902de0b81", "value": "148.153.24.98" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, 
"disable_correlation": false, "timestamp": "1517488866", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a0-9fbc-4402-afa4-437302de0b81", "value": "164.52.13.58" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488866", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a0-9a04-48d4-854d-440602de0b81", "value": "148.153.38.78" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488867", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a0-1728-4a2c-b7a8-49ac02de0b81", "value": "118.193.22.58" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488867", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a1-3eb8-4e05-8a34-42f502de0b81", "value": "103.241.229.122" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488868", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a1-df5c-4a4f-9230-4cc102de0b81", "value": "148.153.39.186" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488868", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a2-b0c0-4de5-89c2-4aaa02de0b81", "value": "148.153.14.246" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488869", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a2-8e18-403a-b976-46cf02de0b81", "value": "118.193.31.110" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488869", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a2-72dc-4348-bb4f-499d02de0b81", "value": "118.193.27.198" }, { "category": "Network activity", 
"comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488870", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a3-1900-4d9f-91ae-482f02de0b81", "value": "164.52.25.106" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488870", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a3-66e4-4708-9a76-47a002de0b81", "value": "164.52.1.46" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488871", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a4-e710-43bf-98dd-490d02de0b81", "value": "148.153.36.34" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488871", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a4-4890-4892-a9db-40e102de0b81", "value": "118.193.21.186" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488872", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a5-9d44-4b30-a5a7-4baf02de0b81", "value": "164.52.12.162" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488872", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a5-224c-4629-bb56-4b8e02de0b81", "value": "148.153.24.106" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488873", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a5-8f14-4b49-85f3-4eb502de0b81", "value": "148.153.44.46" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488873", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a6-f020-4087-81a4-42fe02de0b81", "value": 
"164.52.11.222" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488874", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a6-861c-4d25-a9fd-4c0c02de0b81", "value": "118.193.29.6" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488874", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a7-2978-41cc-8885-428902de0b81", "value": "148.153.8.86" }, { "category": "Network activity", "comment": "Attacking IP (via EB)", "deleted": false, "disable_correlation": false, "timestamp": "1517488874", "to_ids": true, "type": "ip-dst", "uuid": "5a7239a7-9454-42de-b5ae-481102de0b81", "value": "164.52.1.14" }, { "category": "Payload delivery", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "timestamp": "1517435618", "to_ids": true, "type": "sha256", "uuid": "5a723ae2-140c-452f-889f-4daa02de0b81", "value": "da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8" }, { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "timestamp": "1517435618", "to_ids": true, "type": "sha256", "uuid": "5a723ae2-c428-440c-9be4-4bb102de0b81", "value": "8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f" }, { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "timestamp": "1517435619", "to_ids": true, "type": "sha256", "uuid": "5a723ae3-8304-4789-91de-4b0b02de0b81", "value": "5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2" }, { "category": "Payload delivery", "comment": "64.rar", "deleted": false, "disable_correlation": false, "timestamp": "1517435619", "to_ids": true, "type": "sha256", "uuid": "5a723ae3-feb8-4011-993a-493e02de0b81", "value": "2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509" }, { "category": "Payload 
delivery", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "timestamp": "1517435620", "to_ids": true, "type": "sha256", "uuid": "5a723ae4-261c-4c19-b8cd-4cd602de0b81", "value": "b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a" }, { "category": "Payload delivery", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "timestamp": "1517435620", "to_ids": true, "type": "sha256", "uuid": "5a723ae4-1520-45c3-b378-412002de0b81", "value": "32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e" }, { "category": "Payload delivery", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "timestamp": "1517435621", "to_ids": true, "type": "sha256", "uuid": "5a723ae5-1970-44f3-bdbf-423e02de0b81", "value": "3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973" }, { "category": "Payload delivery", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "timestamp": "1517435621", "to_ids": true, "type": "sha256", "uuid": "5a723ae5-64bc-4529-86ee-420e02de0b81", "value": "f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d" }, { "category": "Network activity", "comment": "Smominru C&C (Binary Server)", "deleted": false, "disable_correlation": false, "timestamp": "1517435771", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7b-b10c-4792-977a-411302de0b81", "value": "209.58.186.145" }, { "category": "Network activity", "comment": "Smominru C&C", "deleted": false, "disable_correlation": false, "timestamp": "1517435772", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7c-92ec-49fd-be05-47b102de0b81", "value": "103.95.29.8" }, { "category": "Network activity", "comment": "Smominru C&C (WMI call)", "deleted": false, "disable_correlation": false, "timestamp": "1517435772", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7c-f44c-442c-a15d-43f102de0b81", "value": 
"45.58.140.194" }, { "category": "Network activity", "comment": "Smominru C&C (binary server)", "deleted": false, "disable_correlation": false, "timestamp": "1517435772", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7d-5ee4-4b59-aae7-409102de0b81", "value": "170.178.171.162" }, { "category": "Network activity", "comment": "Smominru C&C (WMI call) - sinkholed domain", "deleted": false, "disable_correlation": false, "timestamp": "1517435773", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7d-cf18-46da-b75d-42cb02de0b81", "value": "103.95.30.26" }, { "category": "Network activity", "comment": "Smominru binary server", "deleted": false, "disable_correlation": false, "timestamp": "1517435773", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7d-39fc-4346-b8dc-4d2202de0b81", "value": "68.64.166.82" }, { "category": "Network activity", "comment": "Smominru binary server", "deleted": false, "disable_correlation": false, "timestamp": "1517435774", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7e-8b04-4a40-862f-455402de0b81", "value": "27.255.79.151" }, { "category": "Payload delivery", "comment": "Smominru C&C domain. NOTE: recorded here as type 'filename' under 'Payload delivery' although the value is a hostname; it should be a 'domain' attribute (category 'Network activity', cf. wmi.my0709.xyz in the ip-port objects) for correlation and IDS export to treat it as one.", "deleted": false, "disable_correlation": false, "timestamp": "1517488875", "to_ids": true, "type": "filename", "uuid": "5a723b7e-eab4-493f-ba7b-4dbe02de0b81", "value": "down.my0709.xyz" }, { "category": "Network activity", "comment": "Smominru C&C", "deleted": false, "disable_correlation": false, "timestamp": "1517435775", "to_ids": true, "type": "ip-dst", "uuid": "5a723b7f-97d8-449f-8ed6-489b02de0b81", "value": "198.148.80.194" } ], "Object": [ { "comment": "", "deleted": false, "description": "An address used in a cryptocurrency", "meta-category": "financial", "name": "coin-address", "template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", "template_version": "2", "timestamp": "1517435390", "uuid": "5a7239fe-2ec0-4295-a0f1-ee7702de0b81", "Attribute": [ { "category": "Financial fraud", "comment": "Monero (XMR) wallet address (see the 'symbol' attribute); stored under MISP's generic 'btc' attribute type, this is not a Bitcoin address.", "deleted": false, "disable_correlation": false, 
"object_relation": "address", "timestamp": "1517435391", "to_ids": true, "type": "btc", "uuid": "5a7239ff-8b94-41dd-91e0-ee7702de0b81", "value": "43Lm9q14s7GhMLpUsiXY3MH6G67Sn81B5DqmN46u8WnBXNvJmC6FwH3ZMwAmkEB1nHSrujgthFPQeQCFPCwwE7m7TpspYBd" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "symbol", "timestamp": "1517435391", "to_ids": false, "type": "text", "uuid": "5a7239ff-9bcc-43f2-8e1f-ee7702de0b81", "value": "XMR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "text", "timestamp": "1517435392", "to_ids": false, "type": "text", "uuid": "5a723a00-2378-4cb9-8c44-ee7702de0b81", "value": "used after 2018-01-14" } ] }, { "comment": "", "deleted": false, "description": "An address used in a cryptocurrency", "meta-category": "financial", "name": "coin-address", "template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", "template_version": "2", "timestamp": "1517435459", "uuid": "5a723a43-35dc-43c6-aebc-448102de0b81", "Attribute": [ { "category": "Financial fraud", "comment": "Monero (XMR) wallet address (see the 'symbol' attribute); stored under MISP's generic 'btc' attribute type, this is not a Bitcoin address.", "deleted": false, "disable_correlation": false, "object_relation": "address", "timestamp": "1517435460", "to_ids": true, "type": "btc", "uuid": "5a723a44-1f80-459f-ab1f-4f7b02de0b81", "value": "47Tscy1QuJn1fxHiBRjWFtgHmvqkW71YZCQL33LeunfH4rsGEHx5UGTPdfXNJtMMATMz8bmaykGVuDFGWP3KyufBSdzxBb2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "symbol", "timestamp": "1517435460", "to_ids": false, "type": "text", "uuid": "5a723a44-3498-4397-9114-49b602de0b81", "value": "XMR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "text", "timestamp": "1517435461", "to_ids": false, "type": "text", "uuid": "5a723a45-3cb4-4b1b-80a1-4d6102de0b81", "value": "used from before 2017-05 until 2017-09\r\n\r\nMined 2000 Monero" } ] }, { "comment": "", "deleted": false, 
"description": "An address used in a cryptocurrency", "meta-category": "financial", "name": "coin-address", "template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", "template_version": "2", "timestamp": "1517435512", "uuid": "5a723a78-fa6c-4f56-b48b-41ff02de0b81", "Attribute": [ { "category": "Financial fraud", "comment": "Monero (XMR) wallet address (see the 'symbol' attribute); stored under MISP's generic 'btc' attribute type, this is not a Bitcoin address.", "deleted": false, "disable_correlation": false, "object_relation": "address", "timestamp": "1517435512", "to_ids": true, "type": "btc", "uuid": "5a723a78-bfe8-4820-84b5-4a5602de0b81", "value": "45bbP2muiJHD8Fd5tZyPAfC2RsajyEcsRVVMZ7Tm5qJjdTMprexz6yQ5DVQ1BbmjkMYm9nMid2QSbiGLvvfau7At5V18FzQ" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "symbol", "timestamp": "1517435512", "to_ids": false, "type": "text", "uuid": "5a723a78-7cb8-482c-baf0-447e02de0b81", "value": "XMR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "text", "timestamp": "1517435513", "to_ids": false, "type": "text", "uuid": "5a723a79-95e4-426e-9a91-4ee402de0b81", "value": "used from 2017-09 until 2018-01-13\r\n\r\nMined around 6800 Monero" } ] }, { "comment": "Smominru C&C", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "5", "timestamp": "1517478243", "uuid": "5a72dd50-62b4-49c8-ba81-b1ce950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517478243", "to_ids": true, "type": "ip-dst", "uuid": "5a72dd50-2b88-42d5-acde-b1ce950d210f", "value": "198.148.80.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478243", "to_ids": true, "type": "domain", "uuid": 
"5a72dd50-a684-44f6-9cb4-b1ce950d210f", "value": "down.down0116.info" } ] }, { "comment": "Smominru C&C (Binary Server)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517478223", "uuid": "5a72e14f-c2c4-4a5b-b3b9-5bec950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478223", "to_ids": true, "type": "domain", "uuid": "5a72e14f-192c-4747-84e5-5bec950d210f", "value": "down.oo000oo.club" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517478223", "to_ids": true, "type": "ip-dst", "uuid": "5a72e14f-19fc-42c9-85b8-5bec950d210f", "value": "209.58.186.145" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517478224", "to_ids": false, "type": "port", "uuid": "5a72e150-385c-4dfb-a4a0-5bec950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517478378", "uuid": "5a72e1ea-ce94-495a-ab42-7a86950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478378", "to_ids": true, "type": "domain", "uuid": "5a72e1ea-2f24-4c8c-b1fa-7a86950d210f", "value": "www.cyg2016.xyz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": 
false, "object_relation": "ip", "timestamp": "1517478379", "to_ids": true, "type": "ip-dst", "uuid": "5a72e1eb-0690-4781-890d-7a86950d210f", "value": "103.95.29.8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517478379", "to_ids": false, "type": "port", "uuid": "5a72e1eb-f7fc-4b93-b7e4-7a86950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (Binary Server)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517478472", "uuid": "5a72e248-e0fc-4718-8b49-8f0b950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478473", "to_ids": true, "type": "domain", "uuid": "5a72e249-8258-4d48-8ee0-8f0b950d210f", "value": "down.mys2016.info" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517478473", "to_ids": true, "type": "ip-dst", "uuid": "5a72e249-80e4-4c04-94e8-8f0b950d210f", "value": "103.95.29.8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517478474", "to_ids": false, "type": "port", "uuid": "5a72e24a-e768-4491-9ac5-8f0b950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (WMI call)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517478612", "uuid": "5a72e2d4-d378-4bfe-89bc-b1e2950d210f", "Attribute": [ { 
"category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478612", "to_ids": true, "type": "domain", "uuid": "5a72e2d4-6c00-4ae9-b564-b1e2950d210f", "value": "wmi.mykings.top.info" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517478612", "to_ids": true, "type": "ip-dst", "uuid": "5a72e2d4-f494-469b-b4c1-b1e2950d210f", "value": "45.58.140.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517478613", "to_ids": false, "type": "port", "uuid": "5a72e2d5-5fc0-4bb0-822f-b1e2950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (WMI call)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517478716", "uuid": "5a72e33c-e520-40ad-991f-b1fb950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517478717", "to_ids": true, "type": "domain", "uuid": "5a72e33d-9b10-4c7a-a604-b1fb950d210f", "value": "wmi.oo000oo.club" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517478717", "to_ids": true, "type": "ip-dst", "uuid": "5a72e33d-cc40-416f-9d28-b1fb950d210f", "value": "45.58.140.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517478718", "to_ids": false, "type": "port", "uuid": "5a72e33e-6250-4f01-8aff-b1fb950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C", 
"deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517479147", "uuid": "5a72e4eb-bb78-4f19-ae51-b1db950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517479147", "to_ids": true, "type": "domain", "uuid": "5a72e4eb-4bc4-486c-99c2-b1db950d210f", "value": "xmr.5b6b7b.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517479148", "to_ids": true, "type": "ip-dst", "uuid": "5a72e4ec-342c-4238-9164-b1db950d210f", "value": "45.58.140.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517479148", "to_ids": false, "type": "port", "uuid": "5a72e4ec-73e8-4b09-b260-b1db950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (binary server)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517480257", "uuid": "5a72e941-384c-4ed5-8bb4-4b0a950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517480257", "to_ids": true, "type": "domain", "uuid": "5a72e941-dcc0-46d3-ba29-4246950d210f", "value": "64.myxmr.pw" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517480257", "to_ids": true, "type": "ip-dst", "uuid": 
"5a72e941-a440-41a2-b723-48d4950d210f", "value": "170.178.171.162" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517480258", "to_ids": false, "type": "port", "uuid": "5a72e942-23c4-4e85-9525-41b4950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (WMI call) - Sinkholed domain", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517480825", "uuid": "5a72eb79-1514-4dc9-87d4-4763950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517480825", "to_ids": true, "type": "domain", "uuid": "5a72eb79-d3a8-4ef6-ba17-4045950d210f", "value": "wmi.my0709.xyz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517480826", "to_ids": true, "type": "ip-dst", "uuid": "5a72eb7a-1e88-4a3f-afe7-4663950d210f", "value": "103.95.30.26" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517480826", "to_ids": false, "type": "port", "uuid": "5a72eb7a-1190-4302-9678-4bf5950d210f", "value": "8888" } ] }, { "comment": "Smominru binary server", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481180", "uuid": "5a72ecdc-ad08-41d6-b1cc-8f0b950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": 
false, "object_relation": "domain", "timestamp": "1517481180", "to_ids": true, "type": "domain", "uuid": "5a72ecdc-f4dc-4bf4-ba96-8f0b950d210f", "value": "ftp.ruisgood.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481181", "to_ids": true, "type": "ip-dst", "uuid": "5a72ecdd-5588-44bd-b5be-8f0b950d210f", "value": "68.64.166.82" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481181", "to_ids": false, "type": "port", "uuid": "5a72ecdd-9ec0-4659-8edd-8f0b950d210f", "value": "21" } ] }, { "comment": "Smominru binary server", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481280", "uuid": "5a72ed40-73e4-40d3-b0c0-b1fb950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481281", "to_ids": true, "type": "domain", "uuid": "5a72ed41-e808-4e0f-a381-b1fb950d210f", "value": "ftp.oo000oo.me" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481281", "to_ids": true, "type": "ip-dst", "uuid": "5a72ed41-3f74-4d68-916b-b1fb950d210f", "value": "68.64.166.82" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481281", "to_ids": false, "type": "port", "uuid": "5a72ed41-2ac8-4618-a365-b1fb950d210f", "value": "21" } ] }, { "comment": "Smominru binary server", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a 
triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481308", "uuid": "5a72ed5c-1854-41db-ac03-5bf2950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481308", "to_ids": true, "type": "domain", "uuid": "5a72ed5c-8a7c-4a3b-a651-5bf2950d210f", "value": "ftp.ftp0118.info" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481309", "to_ids": true, "type": "ip-dst", "uuid": "5a72ed5d-94b0-46fa-8863-5bf2950d210f", "value": "68.64.166.82" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481309", "to_ids": false, "type": "port", "uuid": "5a72ed5d-8d1c-49b5-8024-5bf2950d210f", "value": "21" } ] }, { "comment": "Smominru binary server", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481332", "uuid": "5a72ed74-9234-4129-81bb-47f3950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481333", "to_ids": true, "type": "domain", "uuid": "5a72ed75-9880-448e-9b02-47c1950d210f", "value": "js.mys2016.info" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481333", "to_ids": true, "type": "ip-dst", "uuid": "5a72ed75-ca30-4ea5-b0cd-449e950d210f", "value": "27.255.79.151" }, { "category": "Network activity", "comment": "", 
"deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481333", "to_ids": false, "type": "port", "uuid": "5a72ed75-f48c-4c10-8388-4bc8950d210f", "value": "280" } ] }, { "comment": "Smominru C&C (Binary Server)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481386", "uuid": "5a72edaa-8670-4ea1-a903-4e28950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481386", "to_ids": true, "type": "domain", "uuid": "5a72edaa-342c-4783-8194-406f950d210f", "value": "64.mymyxmra.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481387", "to_ids": true, "type": "ip-dst", "uuid": "5a72edab-b200-44bb-adeb-431e950d210f", "value": "170.178.171.162" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481387", "to_ids": false, "type": "port", "uuid": "5a72edab-c7a0-4413-a928-4c03950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481481", "uuid": "5a72ee09-c0b0-48d0-9a90-4d69950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481481", "to_ids": true, "type": "domain", "uuid": 
"5a72ee09-54e0-4300-93b4-4f49950d210f", "value": "xmr.xmr5b.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481482", "to_ids": true, "type": "ip-dst", "uuid": "5a72ee0a-1624-4b74-b56a-4ee8950d210f", "value": "45.58.140.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481482", "to_ids": false, "type": "port", "uuid": "5a72ee0a-d9b8-4825-82d7-4d2b950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481552", "uuid": "5a72ee50-f530-4793-8783-6767950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481553", "to_ids": true, "type": "domain", "uuid": "5a72ee51-4fc0-4d0d-8efb-6767950d210f", "value": "js.my0115.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481553", "to_ids": false, "type": "port", "uuid": "5a72ee51-7088-4a4d-9dc8-6767950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (WMI call)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481587", "uuid": "5a72ee73-9cc0-4425-b60a-4260950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": 
"domain", "timestamp": "1517481587", "to_ids": true, "type": "domain", "uuid": "5a72ee73-add0-484f-a7fd-4ee3950d210f", "value": "wmi.my0115.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481588", "to_ids": true, "type": "ip-dst", "uuid": "5a72ee74-7974-4ccd-aa57-48be950d210f", "value": "103.95.30.26" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481588", "to_ids": false, "type": "port", "uuid": "5a72ee74-fed8-4e91-9d7f-47b5950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C (Binary Server)", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517481613", "uuid": "5a72ee8d-cc5c-48e6-b05a-5bee950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481613", "to_ids": true, "type": "domain", "uuid": "5a72ee8d-0174-4c34-b302-5bee950d210f", "value": "down.my0115.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481614", "to_ids": true, "type": "ip-dst", "uuid": "5a72ee8e-7834-49ad-acf0-5bee950d210f", "value": "103.95.30.26" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517481614", "to_ids": false, "type": "port", "uuid": "5a72ee8e-99a4-4314-937e-5bee950d210f", "value": "8888" } ] }, { "comment": "Smominru C&C", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", 
"name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "5", "timestamp": "1517481633", "uuid": "5a72eea1-0f08-4da7-a5a1-b1db950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1517481633", "to_ids": true, "type": "ip-dst", "uuid": "5a72eea1-5d20-4812-a933-b1db950d210f", "value": "103.95.30.26" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517481634", "to_ids": true, "type": "domain", "uuid": "5a72eea2-e5dc-4b35-9f01-b1db950d210f", "value": "down.my0709.xyz" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488879", "uuid": "1e2fd26e-d1ec-406d-bb1b-b4d72f61d52f", "ObjectReference": [ { "comment": "", "object_uuid": "1e2fd26e-d1ec-406d-bb1b-b4d72f61d52f", "referenced_uuid": "0b7e3026-09c1-4f49-af9a-07f5ceb0592b", "relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b04-c964-45f2-8265-4b3a02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488876", "to_ids": true, "type": "sha1", "uuid": "5a730aec-ea98-4103-9143-470302de0b81", "value": "a56c110dcf859d83aa1fa5ad455e94539dfa8d12" }, { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488876", "to_ids": true, "type": "md5", "uuid": "5a730aec-0a08-4fce-90b5-4eb102de0b81", "value": "1487e2b148f7a4869c212f78cb28d682" }, { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, 
"disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488877", "to_ids": true, "type": "sha256", "uuid": "5a730aed-5d18-427e-86aa-43c802de0b81", "value": "8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488877", "uuid": "0b7e3026-09c1-4f49-af9a-07f5ceb0592b", "Attribute": [ { "category": "External analysis", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488877", "to_ids": false, "type": "link", "uuid": "5a730aed-3e50-42bb-927c-450902de0b81", "value": "https://www.virustotal.com/file/8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f/analysis/1517456055/" }, { "category": "Other", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488878", "to_ids": false, "type": "text", "uuid": "5a730aee-fe60-4ff3-a8a3-428102de0b81", "value": "45/65" }, { "category": "Other", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488878", "to_ids": false, "type": "datetime", "uuid": "5a730aee-cf3c-4a4b-b699-434c02de0b81", "value": "2018-02-01T03:34:15" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488882", "uuid": "b538582a-ca89-45a4-895c-35d517c9b279", "ObjectReference": [ { "comment": "", "object_uuid": "b538582a-ca89-45a4-895c-35d517c9b279", "referenced_uuid": "a804d5b1-7ca5-406d-9a56-e06577b0629d", "relationship_type": "analysed-with", 
"timestamp": "1518771268", "uuid": "5a730b05-66c8-4573-9dae-44f102de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488879", "to_ids": true, "type": "sha1", "uuid": "5a730aef-b894-4a00-a320-40ae02de0b81", "value": "d789b6b33d739810cab2e3f5a55933dd16721823" }, { "category": "Payload delivery", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488879", "to_ids": true, "type": "md5", "uuid": "5a730aef-2530-437d-925f-472102de0b81", "value": "ff604679b2e12040dea81f6ecffd5ea2" }, { "category": "Payload delivery", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488880", "to_ids": true, "type": "sha256", "uuid": "5a730af0-79dc-47e8-a72d-48d402de0b81", "value": "b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488880", "uuid": "a804d5b1-7ca5-406d-9a56-e06577b0629d", "Attribute": [ { "category": "External analysis", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488880", "to_ids": false, "type": "link", "uuid": "5a730af0-28d8-461f-8bc1-48eb02de0b81", "value": "https://www.virustotal.com/file/b7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a/analysis/1517457171/" }, { "category": "Other", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488881", "to_ids": false, "type": "text", "uuid": 
"5a730af1-ebd8-4440-a145-46e502de0b81", "value": "49/66" }, { "category": "Other", "comment": "0107.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488881", "to_ids": false, "type": "datetime", "uuid": "5a730af1-2a48-4e30-b9dc-468602de0b81", "value": "2018-02-01T03:52:51" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488885", "uuid": "c7f56e48-5ca3-4ab4-8a44-d508a7c3f1b5", "ObjectReference": [ { "comment": "", "object_uuid": "c7f56e48-5ca3-4ab4-8a44-d508a7c3f1b5", "referenced_uuid": "857bce07-e7e4-4cfb-a435-fbb587cf250a", "relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b05-0150-4550-9b86-44a802de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488882", "to_ids": true, "type": "sha1", "uuid": "5a730af2-eea8-413a-b78a-492b02de0b81", "value": "6ca9bc55382736c6fb173afb789318ee7067f206" }, { "category": "Payload delivery", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488882", "to_ids": true, "type": "md5", "uuid": "5a730af2-b2c4-426d-b64b-42bb02de0b81", "value": "0224b573793d1780e3fec22739526c8f" }, { "category": "Payload delivery", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488883", "to_ids": true, "type": "sha256", "uuid": "5a730af3-52d4-418d-8c97-40d102de0b81", "value": "3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", 
"meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488883", "uuid": "857bce07-e7e4-4cfb-a435-fbb587cf250a", "Attribute": [ { "category": "External analysis", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488883", "to_ids": false, "type": "link", "uuid": "5a730af3-4578-439d-b113-485d02de0b81", "value": "https://www.virustotal.com/file/3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973/analysis/1517153840/" }, { "category": "Other", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488884", "to_ids": false, "type": "text", "uuid": "5a730af4-2254-4135-a0e4-4ed602de0b81", "value": "28/66" }, { "category": "Other", "comment": "0126.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488884", "to_ids": false, "type": "datetime", "uuid": "5a730af4-9a70-46ec-b537-492902de0b81", "value": "2018-01-28T15:37:20" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488888", "uuid": "994aa712-e77a-411f-bec0-cf4b547a61a1", "ObjectReference": [ { "comment": "", "object_uuid": "994aa712-e77a-411f-bec0-cf4b547a61a1", "referenced_uuid": "28763b93-461a-4389-8100-45731b4fcb27", "relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b05-a2e0-47fe-a4fe-4e3c02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "64.rar", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488885", "to_ids": true, "type": "sha1", "uuid": 
"5a730af5-1824-4820-bb8e-44b902de0b81", "value": "53accdd58a67fe7bc7fbcaefa1e2b65c13aba9ff" }, { "category": "Payload delivery", "comment": "64.rar", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488886", "to_ids": true, "type": "md5", "uuid": "5a730af6-8c40-43fa-959b-4ea502de0b81", "value": "6ca24e8ae6988ee1187be72c777e7397" }, { "category": "Payload delivery", "comment": "64.rar", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488886", "to_ids": true, "type": "sha256", "uuid": "5a730af6-91e8-4591-b16d-4a0402de0b81", "value": "2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488887", "uuid": "28763b93-461a-4389-8100-45731b4fcb27", "Attribute": [ { "category": "External analysis", "comment": "64.rar", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488887", "to_ids": false, "type": "link", "uuid": "5a730af7-d48c-4b0b-be0c-452702de0b81", "value": "https://www.virustotal.com/file/2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509/analysis/1517457638/" }, { "category": "Other", "comment": "64.rar", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488887", "to_ids": false, "type": "text", "uuid": "5a730af7-12c8-4405-af2c-47c102de0b81", "value": "42/64" }, { "category": "Other", "comment": "64.rar", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488888", "to_ids": false, "type": "datetime", "uuid": "5a730af8-d5c4-4360-b181-4c4002de0b81", "value": "2018-02-01T04:00:38" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with 
meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488891", "uuid": "fae35839-05f9-4c5d-86f2-0694b89e6be3", "ObjectReference": [ { "comment": "", "object_uuid": "fae35839-05f9-4c5d-86f2-0694b89e6be3", "referenced_uuid": "38c84b61-e001-46f6-a99c-172c5e4e5d67", "relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b05-de7c-4803-ad11-495902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488888", "to_ids": true, "type": "sha1", "uuid": "5a730af8-ba7c-4433-beba-416202de0b81", "value": "c788a27c9f18f1e732e34e60a73b83ccdcfd9a29" }, { "category": "Payload delivery", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488889", "to_ids": true, "type": "md5", "uuid": "5a730af9-6634-4f1e-9756-40de02de0b81", "value": "ebdc2be63b2fcb8fe22845c75850c9e6" }, { "category": "Payload delivery", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488889", "to_ids": true, "type": "sha256", "uuid": "5a730af9-3898-4143-bd27-421302de0b81", "value": "32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488890", "uuid": "38c84b61-e001-46f6-a99c-172c5e4e5d67", "Attribute": [ { "category": "External analysis", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488890", "to_ids": false, "type": "link", "uuid": 
"5a730afa-b5b4-4ef0-9030-4a5302de0b81", "value": "https://www.virustotal.com/file/32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e/analysis/1517399898/" }, { "category": "Other", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488890", "to_ids": false, "type": "text", "uuid": "5a730afa-eb88-472e-9db8-491e02de0b81", "value": "43/66" }, { "category": "Other", "comment": "0121.rar (Smominru Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488891", "to_ids": false, "type": "datetime", "uuid": "5a730afb-ff20-49ea-8d61-439d02de0b81", "value": "2018-01-31T11:58:18" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488894", "uuid": "959bcddc-d26f-44f7-9a79-07df0acb6a95", "ObjectReference": [ { "comment": "", "object_uuid": "959bcddc-d26f-44f7-9a79-07df0acb6a95", "referenced_uuid": "33bb45b6-d3bd-4cc1-bec6-84cb666c0c0d", "relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b05-8e28-4baf-9bc9-4f8d02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488891", "to_ids": true, "type": "sha1", "uuid": "5a730afb-fd50-4da2-96af-4f8902de0b81", "value": "368ef0af957492ad0b55ce1351da1b44f67dbcb8" }, { "category": "Payload delivery", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488892", "to_ids": true, "type": "md5", "uuid": "5a730afc-08b8-4f2c-8c4a-498b02de0b81", "value": "f63e34b172bc6c88c002a2d25c738ea9" }, { "category": "Payload delivery", "comment": 
"EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488892", "to_ids": true, "type": "sha256", "uuid": "5a730afc-2d2c-4a34-b967-454102de0b81", "value": "5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488893", "uuid": "33bb45b6-d3bd-4cc1-bec6-84cb666c0c0d", "Attribute": [ { "category": "External analysis", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488893", "to_ids": false, "type": "link", "uuid": "5a730afd-5ae4-4e1d-976f-4e1e02de0b81", "value": "https://www.virustotal.com/file/5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2/analysis/1517462947/" }, { "category": "Other", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488893", "to_ids": false, "type": "text", "uuid": "5a730afd-1514-4e7f-8862-49ae02de0b81", "value": "37/63" }, { "category": "Other", "comment": "EternalBlue dropped", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488894", "to_ids": false, "type": "datetime", "uuid": "5a730afe-2ad4-4d85-af66-4a4702de0b81", "value": "2018-02-01T05:29:07" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488897", "uuid": "eb0f9ec8-b388-422a-99dc-5d7a32e340b3", "ObjectReference": [ { "comment": "", "object_uuid": "eb0f9ec8-b388-422a-99dc-5d7a32e340b3", "referenced_uuid": "c38c22d3-60e6-4336-94d4-f9772f9e56fe", 
"relationship_type": "analysed-with", "timestamp": "1518771268", "uuid": "5a730b05-3230-49fc-b2f1-49ae02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488894", "to_ids": true, "type": "sha1", "uuid": "5a730afe-0fdc-4e97-bb5b-406d02de0b81", "value": "b8a53e651be77914428f6a3cefc797041ff3df51" }, { "category": "Payload delivery", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488895", "to_ids": true, "type": "md5", "uuid": "5a730aff-4bd8-43e9-ac6d-47ea02de0b81", "value": "822b8150022ba179560ac42384ff997e" }, { "category": "Payload delivery", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488895", "to_ids": true, "type": "sha256", "uuid": "5a730aff-4a6c-4daf-90be-493202de0b81", "value": "f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488896", "uuid": "c38c22d3-60e6-4336-94d4-f9772f9e56fe", "Attribute": [ { "category": "External analysis", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488896", "to_ids": false, "type": "link", "uuid": "5a730b00-d828-4158-99c6-4f4702de0b81", "value": "https://www.virustotal.com/file/f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d/analysis/1517332171/" }, { "category": "Other", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488896", "to_ids": 
false, "type": "text", "uuid": "5a730b00-cfac-4258-a9b1-4f4202de0b81", "value": "49/65" }, { "category": "Other", "comment": "0114.rar (Smominru - Coin Miner)", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488897", "to_ids": false, "type": "datetime", "uuid": "5a730b01-39ac-4f84-93b3-498602de0b81", "value": "2018-01-30T17:09:31" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517488900", "uuid": "055ccd02-bd02-4e47-9fd1-1e668f23f024", "ObjectReference": [ { "comment": "", "object_uuid": "055ccd02-bd02-4e47-9fd1-1e668f23f024", "referenced_uuid": "1718834e-3131-4711-92e4-4fd9e25abcb7", "relationship_type": "analysed-with", "timestamp": "1518771269", "uuid": "5a730b05-9ea0-4f53-a361-49d802de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517488897", "to_ids": true, "type": "sha1", "uuid": "5a730b01-a8a0-4494-8ea7-4b8002de0b81", "value": "0b5616228f6556b320ac0d2f586504538abb638e" }, { "category": "Payload delivery", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517488898", "to_ids": true, "type": "md5", "uuid": "5a730b02-ecac-48c3-9481-409b02de0b81", "value": "6b13994f83dad0d45764911a88564a7b" }, { "category": "Payload delivery", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517488898", "to_ids": true, "type": "sha256", "uuid": "5a730b02-df4c-4212-8585-439002de0b81", "value": "da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": 
"virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517488899", "uuid": "1718834e-3131-4711-92e4-4fd9e25abcb7", "Attribute": [ { "category": "External analysis", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517488899", "to_ids": false, "type": "link", "uuid": "5a730b03-589c-47de-a519-4d8702de0b81", "value": "https://www.virustotal.com/file/da3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8/analysis/1517457719/" }, { "category": "Other", "comment": "ups.rar", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517488899", "to_ids": false, "type": "text", "uuid": "5a730b03-0afc-42a7-a1b0-48e002de0b81", "value": "49/64" }, { "category": "Other", "comment": "ups.rar", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517488900", "to_ids": false, "type": "datetime", "uuid": "5a730b04-ae70-4fab-b15f-48c602de0b81", "value": "2018-02-01T04:01:59" } ] } ] } }