{ "Event": { "analysis": "0", "date": "2018-06-26", "extends_uuid": "", "info": "OSINT - RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families", "publish_timestamp": "1530610129", "published": true, "threat_level_id": "3", "timestamp": "1530610086", "uuid": "5b325da8-0434-48ad-8b27-48de950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"KHRAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:rat=\"KhRAT\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#3a7300", "local": false, "name": "circl:incident-classification=\"malware\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"RANCOR\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530093820", "to_ids": false, "type": "text", "uuid": "5b325dc2-90c0-4944-9e86-4072950d210f", "value": "Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. 
Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.\r\n\r\nWe believe this group is previously unidentified and therefore we have dubbed it \u201cRANCOR\u201d. The Rancor group\u2019s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to these attackers\u2019 toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to:\r\n\r\n Singapore\r\n Cambodia\r\n\r\nWe identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages. These decoys contain details from public news articles focused primarily on political news and events. Based on this, we believe the Rancor attackers were targeting political entities. 
Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least one case, Facebook.\r\n\r\nThe malware and infrastructure used in these attacks falls into two distinct clusters, which we are labeling A and B, that are linked through their use of the PLAINTEE malware and several \u201csofter\u201d linkages.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530093831", "to_ids": false, "type": "link", "uuid": "5b325dd5-5a74-419b-bc1a-41d7950d210f", "value": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Loader", "deleted": false, "disable_correlation": false, "timestamp": "1530086619", "to_ids": true, "type": "hostname", "uuid": "5b3344db-0f88-4bec-b454-422a950d210f", "value": "www.facebook-apps.com" }, { "category": "Network activity", "comment": "Loader", "deleted": false, "disable_correlation": false, "timestamp": "1530086620", "to_ids": true, "type": "hostname", "uuid": "5b3344dc-bedc-4624-8b60-4f7b950d210f", "value": "dlj40s.jdanief.xyz" }, { "category": "Network activity", "comment": "Loader", "deleted": false, "disable_correlation": false, "timestamp": "1530087538", "to_ids": true, "type": "ip-dst", "uuid": "5b334872-9e80-4ce8-80c8-49df950d210f", "value": "89.46.222.97" }, { "category": "Artifacts dropped", "comment": "PLAINTEE", "deleted": false, "disable_correlation": false, "timestamp": "1530088211", "to_ids": false, "type": "mutex", "uuid": "5b334b13-a7cc-48de-9517-4db9950d210f", "value": 
"microsoftfuckedupb" }, { "category": "Artifacts dropped", "comment": "PLAINTEE", "deleted": false, "disable_correlation": false, "timestamp": "1530088286", "to_ids": false, "type": "mutex", "uuid": "5b334b5e-3568-42d1-98f3-4f63950d210f", "value": "Microsoftfuckedup" }, { "category": "Network activity", "comment": "PLAINTEE", "deleted": false, "disable_correlation": false, "timestamp": "1530089821", "to_ids": true, "type": "ip-dst", "uuid": "5b33515d-58b4-42bd-9440-4d80950d210f", "value": "199.247.6.253" }, { "category": "Network activity", "comment": "PLAINTEE", "deleted": false, "disable_correlation": false, "timestamp": "1530089822", "to_ids": true, "type": "ip-dst", "uuid": "5b33515e-eef0-41af-82e3-4542950d210f", "value": "45.76.176.236" }, { "category": "Network activity", "comment": "PLAINTEE - DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090480", "to_ids": true, "type": "hostname", "uuid": "5b33515f-86a4-4d15-81eb-4878950d210f", "value": "goole.authorizeddns.us" }, { "category": "Network activity", "comment": "PLAINTEE - DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090500", "to_ids": true, "type": "ip-dst", "uuid": "5b33515f-a7e4-455a-83e1-41af950d210f", "value": "103.75.189.74" }, { "category": "Network activity", "comment": "PLAINTEE", "deleted": false, "disable_correlation": false, "timestamp": "1530089824", "to_ids": true, "type": "ip-dst", "uuid": "5b335160-6560-4bbf-b10a-47c9950d210f", "value": "131.153.48.146" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090468", "to_ids": true, "type": "hostname", "uuid": "5b3353b3-0db4-4cbf-a6a8-4578950d210f", "value": "microsoft.authorizeddns.us" }, { "category": "Payload delivery", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090483", "to_ids": true, "type": "filename", "uuid": "5b3353b4-8968-45b6-9874-4b21950d210f", "value": 
"www.google_ssl.onmypc.org" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090446", "to_ids": true, "type": "hostname", "uuid": "5b3353b5-a744-4a97-99f1-4219950d210f", "value": "ftp.chinhphu.ddns.ms" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090472", "to_ids": true, "type": "hostname", "uuid": "5b3353b5-c0b8-468f-b5b7-4156950d210f", "value": "www.microsoft.https443.org" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090464", "to_ids": true, "type": "hostname", "uuid": "5b3353b6-6d70-4c7d-ad9e-40bc950d210f", "value": "msdns.otzo.com" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090515", "to_ids": true, "type": "ip-dst", "uuid": "5b3353b6-ea54-49bb-8b4d-42bf950d210f", "value": "103.75.191.177" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090508", "to_ids": true, "type": "ip-dst", "uuid": "5b3353b6-d9c4-4e9a-bfbf-41ad950d210f", "value": "103.75.191.75" }, { "category": "Network activity", "comment": "DDKONG", "deleted": false, "disable_correlation": false, "timestamp": "1530090512", "to_ids": true, "type": "ip-dst", "uuid": "5b3353b7-7b08-4e4c-9806-4b78950d210f", "value": "45.121.146.26" } ], "Object": [ { "comment": "PLAINTEE older variant", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530085277", "uuid": "5b333f9d-538c-44ae-af71-405a950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": 
"1530085278", "to_ids": true, "type": "sha256", "uuid": "5b333f9e-7d48-458b-97c7-4e11950d210f", "value": "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530085278", "to_ids": false, "type": "text", "uuid": "5b333f9e-a574-4b2b-ba1a-4474950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE older variant", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530085323", "uuid": "5b333fcb-7060-4d26-8dc5-4970950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530085323", "to_ids": true, "type": "sha256", "uuid": "5b333fcb-6a2c-4c56-b413-45a6950d210f", "value": "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530085324", "to_ids": false, "type": "text", "uuid": "5b333fcc-d750-492b-b4da-4fb5950d210f", "value": "Malicious" } ] }, { "comment": "Loader - Delivery via HTA Loader", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530091740", "uuid": "5b334422-f2f8-4b4e-8873-47b4950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530091740", "to_ids": true, "type": "sha256", "uuid": "5b334423-c998-4b87-979b-491c950d210f", "value": "1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458" }, { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530091740", "to_ids": false, "type": "text", "uuid": "5b334424-42f0-4ca5-9dab-4495950d210f", "value": "Malicious" } ] }, { "comment": "Loader - Delivery via document property macro", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530091095", "uuid": "5b3349f9-6a74-42cd-a80f-4c15950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530091095", "to_ids": true, "type": "sha256", "uuid": "5b3349f9-ae18-4fd9-a70b-428e950d210f", "value": "a789a282e0d65a050cccae66c56632245af1c8a589ace2ca5ca79572289fd483" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530091095", "to_ids": false, "type": "text", "uuid": "5b3349f9-8038-4e5d-8acf-40d2950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530090088", "uuid": "5b335268-0f64-4354-a783-4b2d950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530090089", "to_ids": true, "type": "sha256", "uuid": "5b335269-8de4-45a6-9a32-4edc950d210f", "value": "863a9199decf36895d5d7d148ce9fd622e825f393d7ebe7591b4d37ef3f5f677" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530090089", "to_ids": false, "type": "text", "uuid": 
"5b335269-f780-463b-a6ee-4f82950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530090105", "uuid": "5b335279-2d7c-47dd-a880-40af950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530090106", "to_ids": true, "type": "sha256", "uuid": "5b33527a-61c4-4832-945c-4e0f950d210f", "value": "22a5bd54f15f33f4218454e53679d7cfae32c03ddb6ec186fb5e6f8b7f7c098b" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530090107", "to_ids": false, "type": "text", "uuid": "5b33527b-e118-4033-86c2-406e950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530093649", "uuid": "5b3352a3-669c-429e-93c5-4079950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b3352a3-669c-429e-93c5-4079950d210f", "referenced_uuid": "5b334872-9e80-4ce8-80c8-49df950d210f", "relationship_type": "connected-to", "timestamp": "1530091056", "uuid": "5b335630-cb00-4433-be5c-4ee0950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530093646", "to_ids": true, "type": "sha256", "uuid": "5b3352a3-381c-4964-9c1a-4f99950d210f", "value": "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d" }, { "category": "Other", "comment": "", "deleted": false, 
"disable_correlation": true, "object_relation": "state", "timestamp": "1530093646", "to_ids": false, "type": "text", "uuid": "5b3352a5-5e30-49cd-808f-4200950d210f", "value": "Malicious" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1530093646", "to_ids": true, "type": "md5", "uuid": "5b33604e-234c-4b17-99cf-47b5950d210f", "value": "d5679158937ce288837efe62bc1d9693" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1530093647", "to_ids": true, "type": "sha1", "uuid": "5b33604f-4450-4809-85ae-4bb1950d210f", "value": "0bdb44255e9472d80ee0197d0bfad7d8eb4a18e9" } ] }, { "comment": "PLAINTEE", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530090171", "uuid": "5b3352bb-b844-43d1-ad06-4b7f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530090171", "to_ids": true, "type": "sha256", "uuid": "5b3352bb-8a1c-4b9e-9d7f-4de5950d210f", "value": "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530090171", "to_ids": false, "type": "text", "uuid": "5b3352bb-4c54-462d-a66a-4a20950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530093695", "uuid": 
"5b3352e8-2f2c-4dbd-9eff-457f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530093695", "to_ids": true, "type": "sha256", "uuid": "5b3352e8-f3fc-4f85-9988-4160950d210f", "value": "b099c31515947f0e86eed0c26c76805b13ca2d47ecbdb61fd07917732e38ae78" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530093695", "to_ids": false, "type": "text", "uuid": "5b3352e8-df14-44a0-8701-4335950d210f", "value": "Malicious" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1530093696", "to_ids": true, "type": "md5", "uuid": "5b336080-25ec-468b-9a14-4ac2950d210f", "value": "7c65565dcf5b40bd8358472d032bc8fb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1530093697", "to_ids": true, "type": "sha1", "uuid": "5b336081-726c-454a-b365-4159950d210f", "value": "ac3f20ddc2567af0b050c672ecd59dddab1fe55e" } ] }, { "comment": "PLAINTEE", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530090233", "uuid": "5b3352f9-5c88-4d97-b859-4b93950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530090233", "to_ids": true, "type": "sha256", "uuid": "5b3352f9-1348-45c7-ad80-4fa3950d210f", "value": "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530090235", "to_ids": false, "type": "text", 
"uuid": "5b3352fb-4950-47c8-91fb-4491950d210f", "value": "Malicious" } ] }, { "comment": "PLAINTEE", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530090253", "uuid": "5b33530d-aa10-4f2b-b024-449f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530090253", "to_ids": true, "type": "sha256", "uuid": "5b33530d-3518-4c76-8c99-4947950d210f", "value": "9f779d920443d50ef48d4abfa40b43f5cb2c4eb769205b973b115e04f3b978f5" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530090254", "to_ids": false, "type": "text", "uuid": "5b33530e-2114-46c5-9980-42fd950d210f", "value": "Malicious" } ] }, { "comment": "Loader - Delivery via DLL Loader", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530092253", "uuid": "5b3354cd-2058-4b73-9df3-4133950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b3354cd-2058-4b73-9df3-4133950d210f", "referenced_uuid": "5b3354fd-c4c4-482f-a3e3-4bdb950d210f", "relationship_type": "connected-to", "timestamp": "1530090769", "uuid": "5b335511-3890-48d5-aee6-4c14950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530092250", "to_ids": true, "type": "sha256", "uuid": "5b3354cd-3df8-402d-b26d-491c950d210f", "value": "0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, 
"object_relation": "state", "timestamp": "1530092250", "to_ids": false, "type": "text", "uuid": "5b3354cf-5da8-42dc-9313-4695950d210f", "value": "Malicious" } ] }, { "comment": "C2", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "5", "timestamp": "1530090749", "uuid": "5b3354fd-c4c4-482f-a3e3-4bdb950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1530090749", "to_ids": true, "type": "ip-dst", "uuid": "5b3354fd-ae14-42be-9280-46e4950d210f", "value": "89.46.222.97" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1530090749", "to_ids": true, "type": "domain", "uuid": "5b3354fd-dc04-4a21-85ec-4395950d210f", "value": "facebook-apps.com" } ] }, { "comment": "DDKONg - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530092327", "uuid": "5b335b27-0e54-43fb-970a-4c73950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1530092327", "to_ids": true, "type": "md5", "uuid": "5b335b27-eda4-4aa3-b0e4-42d1950d210f", "value": "6fa5bcedaf124cdaccfa5548eed7f4b0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1530092328", "to_ids": true, "type": "sha1", "uuid": "5b335b28-0708-4dd8-8cd2-4499950d210f", "value": "25ba920cb440b4a1c127c8eb0fb23ee783c9e01a" }, { "category": 
"Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530092328", "to_ids": true, "type": "sha256", "uuid": "5b335b28-d834-4321-9ff8-4b29950d210f", "value": "119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530092328", "to_ids": false, "type": "text", "uuid": "5b335b28-4f2c-42c3-be89-40a4950d210f", "value": "Malicious" } ] }, { "comment": "Plugin downloaded during runtime for DDKong sample.DDKong sample - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530092635", "uuid": "5b335c5b-9a8c-4f72-a350-4591950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1530092635", "to_ids": true, "type": "md5", "uuid": "5b335c5b-4fe0-4894-80b8-4906950d210f", "value": "a5164c686c405734b7362bc6b02488cb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1530092635", "to_ids": true, "type": "sha1", "uuid": "5b335c5b-8600-4030-b8f7-43c4950d210f", "value": "03defdda9397e7536cf39951246483a0339ccd35" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530092636", "to_ids": true, "type": "sha256", "uuid": "5b335c5c-7f2c-4d32-94ce-4330950d210f", "value": "0517b62233c9574cb24b78fb533f6e92d35bc6451770f9f6001487ff9c154ad7" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": 
"1530092636", "to_ids": false, "type": "text", "uuid": "5b335c5c-0a20-40cb-9607-4ef8950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530105077", "uuid": "5b338cf5-09c4-49a2-9488-6911950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530105077", "to_ids": true, "type": "sha256", "uuid": "5b338cf5-f044-4b3e-80f9-6911950d210f", "value": "c78fef9ef931ffc559ea416d45dc6f43574f524ba073713fddb79e4f8ec1a319" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530105078", "to_ids": false, "type": "text", "uuid": "5b338cf6-86c8-4488-b869-6911950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530105123", "uuid": "5b338d23-d4e0-4283-b2a1-6911950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530105123", "to_ids": true, "type": "sha256", "uuid": "5b338d23-1584-4bce-8a9a-6911950d210f", "value": "0f102e66bc2df4d14dc493ba8b93a88f6b622c168e0c2b63d0ceb7589910999d" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530105125", "to_ids": false, "type": "text", "uuid": "5b338d25-f5e8-42a9-a93c-6911950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with 
meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530105149", "uuid": "5b338d3d-b4a8-4b78-9ec1-6911950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530105149", "to_ids": true, "type": "sha256", "uuid": "5b338d3d-e6d8-46c0-a764-6911950d210f", "value": "82e1e296403be99129aced295e1c12fbb23f871c6fa2acafab9e08d9a728cb96" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530105150", "to_ids": false, "type": "text", "uuid": "5b338d3e-422c-4953-8a54-6911950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609106", "uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7", "ObjectReference": [ { "comment": "", "object_uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7", "referenced_uuid": "3b010446-7afc-4607-bdf2-7d1e0f550f4a", "relationship_type": "analysed-with", "timestamp": "1530105522", "uuid": "5b338eb2-bf60-4c5e-821c-43f602de0b81" }, { "comment": "", "object_uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7", "referenced_uuid": "d51eb0b4-51f1-4cda-868d-8ff1024de0bc", "relationship_type": "analysed-with", "timestamp": "1530609142", "uuid": "5b3b3df6-0340-454a-be92-4b1102de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105482", "uuid": "3b010446-7afc-4607-bdf2-7d1e0f550f4a", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object 
describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609106", "uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8", "ObjectReference": [ { "comment": "", "object_uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8", "referenced_uuid": "4b87e0fc-b38b-40a1-bb46-402498c0e827", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-2c24-475a-8142-4f2302de0b81" }, { "comment": "", "object_uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8", "referenced_uuid": "8e02a81e-6121-45f2-ba18-dc8c17897ffc", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-e2f8-4e40-a5bc-408a02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105487", "uuid": "4b87e0fc-b38b-40a1-bb46-402498c0e827", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609106", "uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa", "ObjectReference": [ { "comment": "", "object_uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa", "referenced_uuid": "3791a2f2-8068-4583-845d-d0a38d0d5f11", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-0610-4928-9595-4db502de0b81" }, { "comment": "", "object_uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa", "referenced_uuid": "b5ecdf79-2bac-4362-afb7-f4b77f08754a", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-22b4-4a86-8398-49c602de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", 
"meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105491", "uuid": "3791a2f2-8068-4583-845d-d0a38d0d5f11", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609106", "uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce", "ObjectReference": [ { "comment": "", "object_uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce", "referenced_uuid": "994f5e7a-bbff-4ccd-b521-4af728076b9b", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-fe9c-4066-896a-4a5102de0b81" }, { "comment": "", "object_uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce", "referenced_uuid": "8866a1fa-79e0-43a0-8436-bf77275639ea", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-599c-404c-81f8-40bb02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105494", "uuid": "994f5e7a-bbff-4ccd-b521-4af728076b9b", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "bad2cd96-e6c3-487a-8935-28ef07751b2d", "ObjectReference": [ { "comment": "", "object_uuid": "bad2cd96-e6c3-487a-8935-28ef07751b2d", "referenced_uuid": "fa8aae14-51ae-4de9-9813-238d85ffcc42", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-5ac8-4763-804d-47b002de0b81" }, { "comment": "", "object_uuid": 
"bad2cd96-e6c3-487a-8935-28ef07751b2d", "referenced_uuid": "6ec36b69-0386-41e6-92de-711b8a0842ac", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-f57c-4cd1-a160-40cd02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105497", "uuid": "fa8aae14-51ae-4de9-9813-238d85ffcc42", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101", "ObjectReference": [ { "comment": "", "object_uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101", "referenced_uuid": "bed6e009-2d42-47a0-84f1-12427f4ff522", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-3c28-4113-84ea-456d02de0b81" }, { "comment": "", "object_uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101", "referenced_uuid": "bf35ad2e-603c-492e-bc00-549bdd9481fe", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-ccd0-436a-af14-4e3702de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105501", "uuid": "bed6e009-2d42-47a0-84f1-12427f4ff522", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "365db456-80ba-443a-b956-843a1a4cb7a8", "ObjectReference": [ 
{ "comment": "", "object_uuid": "365db456-80ba-443a-b956-843a1a4cb7a8", "referenced_uuid": "84129c9d-378e-477f-90b6-c754134a86a1", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-5dbc-41e4-8bc2-4e2302de0b81" }, { "comment": "", "object_uuid": "365db456-80ba-443a-b956-843a1a4cb7a8", "referenced_uuid": "89c0d58c-2092-4c1e-89c8-9a4707e4a740", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-9c7c-44b0-b45a-42dd02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105510", "uuid": "84129c9d-378e-477f-90b6-c754134a86a1", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f", "ObjectReference": [ { "comment": "", "object_uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f", "referenced_uuid": "2e6a29ad-5626-4495-bbfd-35acdee329e0", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-bbdc-4412-bbe5-484102de0b81" }, { "comment": "", "object_uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f", "referenced_uuid": "7d2748ea-c864-4b20-b149-1466153ddd37", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-bb34-410d-8bd6-474c02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105516", "uuid": "2e6a29ad-5626-4495-bbfd-35acdee329e0", "Attribute": [] }, { "comment": "", "deleted": false, 
"description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "5a837ade-bafe-45f2-816f-03095c0e0135", "ObjectReference": [ { "comment": "", "object_uuid": "5a837ade-bafe-45f2-816f-03095c0e0135", "referenced_uuid": "34f23e73-32cb-434e-837b-f4d22a714360", "relationship_type": "analysed-with", "timestamp": "1530105523", "uuid": "5b338eb3-361c-44eb-80ac-4eb702de0b81" }, { "comment": "", "object_uuid": "5a837ade-bafe-45f2-816f-03095c0e0135", "referenced_uuid": "61f7e371-94d9-483c-91da-e3947752185b", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-9508-4f62-afab-4ef802de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530105519", "uuid": "34f23e73-32cb-434e-837b-f4d22a714360", "Attribute": [] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106048", "uuid": "5b3390c0-6268-40af-9ab0-68df950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106049", "to_ids": true, "type": "sha256", "uuid": "5b3390c1-5c88-41db-8ce8-68df950d210f", "value": "84607a2abfd64d61299b0313337e85dd371642e9654b12288c8a1fc7c8c1cf0a" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106049", "to_ids": false, "type": "text", "uuid": "5b3390c1-5a6c-4bbf-be0b-68df950d210f", "value": "Malicious" } ] }, { 
"comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106070", "uuid": "5b3390d6-42fc-46d2-b142-6861950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106070", "to_ids": true, "type": "sha256", "uuid": "5b3390d6-2b08-4989-9d8a-6861950d210f", "value": "a725abb8fe76939f0e0532978eacd7d4afb4459bb6797ec32a7a9f670778bd7e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106071", "to_ids": false, "type": "text", "uuid": "5b3390d7-7834-45b5-b55b-6861950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106087", "uuid": "5b3390e7-57f0-4f04-879a-4bb9950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106087", "to_ids": true, "type": "sha256", "uuid": "5b3390e7-be90-4ebd-9201-4a51950d210f", "value": "15f4c0a589dff62200fd7c885f1e7aa8863b8efa91e23c020de271061f4918eb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106087", "to_ids": false, "type": "text", "uuid": "5b3390e7-39d4-4df9-b1e6-427c950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", 
"template_version": "11", "timestamp": "1530106103", "uuid": "5b3390f7-4030-4aa5-b421-3027950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106103", "to_ids": true, "type": "sha256", "uuid": "5b3390f7-9204-4473-9734-3027950d210f", "value": "9996e108ade2ef3911d5d38e9f3c1deb0300aa0a82d33e36d376c6927e3ee5af" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106104", "to_ids": false, "type": "text", "uuid": "5b3390f8-b53c-4527-929e-3027950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106149", "uuid": "5b339125-37a4-4213-bc65-4e4c950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106149", "to_ids": true, "type": "sha256", "uuid": "5b339125-ae04-4d04-a67a-4fb0950d210f", "value": "18e102201409237547ab2754daa212cc1454f32c993b6e10a0297b0e6a980823" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106149", "to_ids": false, "type": "text", "uuid": "5b339125-18c4-4008-990a-47c9950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106173", "uuid": "5b33913d-8114-4770-a12b-68df950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "sha256", "timestamp": "1530106173", "to_ids": true, "type": "sha256", "uuid": "5b33913d-5234-499b-a1ea-68df950d210f", "value": "b8528c8e325db76b139d46e9f29835382a1b48d8941c47060076f367539c2559" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106174", "to_ids": false, "type": "text", "uuid": "5b33913e-6518-45bf-bbaf-68df950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106193", "uuid": "5b339151-0254-4c6c-a8a6-44fb950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106194", "to_ids": true, "type": "sha256", "uuid": "5b339152-f184-43f7-b786-4d75950d210f", "value": "01315e211bac543195f2c703033ba31b229001f844854b147c4b2a0973a7d17b" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106194", "to_ids": false, "type": "text", "uuid": "5b339152-c358-4e13-a064-496a950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106211", "uuid": "5b339163-3204-4054-bb53-4e3d950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106211", "to_ids": true, "type": "sha256", "uuid": "5b339163-177c-4327-8fcb-4b32950d210f", "value": "df14de6b43f902ac8c35ecf0582ddb33e12e682700eb55dc4706b73f5aed40f6" }, { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106212", "to_ids": false, "type": "text", "uuid": "5b339164-6248-4606-81a3-4f26950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106228", "uuid": "5b339174-eafc-4de2-873a-da6b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106228", "to_ids": true, "type": "sha256", "uuid": "5b339174-2814-4420-8f87-da6b950d210f", "value": "177906cb9170adc26082e44d9ad1b3fbdcba7c0b57e28b614c1b66cc4a99f906" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106230", "to_ids": false, "type": "text", "uuid": "5b339176-74f0-4547-825f-da6b950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106249", "uuid": "5b339189-bcf4-44cc-908a-6911950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106249", "to_ids": true, "type": "sha256", "uuid": "5b339189-db80-480f-9c7d-6911950d210f", "value": "113ae6f4d6a2963d5c9a7f42f782b176da096d17296f5a546433f7f27f260895" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106251", "to_ids": false, "type": "text", "uuid": "5b33918b-02dc-4431-b8ad-6911950d210f", 
"value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106267", "uuid": "5b33919b-c95c-4f0b-ac98-689c950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106267", "to_ids": true, "type": "sha256", "uuid": "5b33919b-6ecc-4fa5-b9f3-689c950d210f", "value": "119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106268", "to_ids": false, "type": "text", "uuid": "5b33919c-e25c-458f-884f-689c950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106295", "uuid": "5b3391b7-53c8-4a3a-aceb-dee7950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106295", "to_ids": true, "type": "sha256", "uuid": "5b3391b7-1be0-4b8a-8338-dee7950d210f", "value": "5afbee76af2a09c173cf782fd5e51b5076b87f19b709577ddae1c8e5455fc642" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106296", "to_ids": false, "type": "text", "uuid": "5b3391b8-c930-470d-8eb5-dee7950d210f", "value": "Malicious" } ] }, { "comment": "DDKONG", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": 
"688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530106312", "uuid": "5b3391c8-0bf4-4091-bff9-da6b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1530106312", "to_ids": true, "type": "sha256", "uuid": "5b3391c8-7d50-471f-a254-da6b950d210f", "value": "128adaba3e6251d1af305a85ebfaafb2a8028eed3b9b031c54176ca7cef539d2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1530106313", "to_ids": false, "type": "text", "uuid": "5b3391c9-42f4-41f9-8376-da6b950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609107", "uuid": "019a94d0-c591-4b83-94aa-daff7409c321", "ObjectReference": [ { "comment": "", "object_uuid": "019a94d0-c591-4b83-94aa-daff7409c321", "referenced_uuid": "db6b617b-49c8-43b4-8908-afe5af51cee7", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-7354-4668-98a0-413b02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609105", "uuid": "db6b617b-49c8-43b4-8908-afe5af51cee7", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609114", "uuid": "d828cbe9-16af-4937-ada0-720c7367914b", "ObjectReference": [ { "comment": "", "object_uuid": 
"d828cbe9-16af-4937-ada0-720c7367914b", "referenced_uuid": "c92cf1ba-27fb-41a2-8ca0-cce941a58606", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-ef00-4325-8de5-4dc602de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609113", "uuid": "c92cf1ba-27fb-41a2-8ca0-cce941a58606", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609117", "uuid": "ea16e710-32df-4c89-b829-35a82d88c511", "ObjectReference": [ { "comment": "", "object_uuid": "ea16e710-32df-4c89-b829-35a82d88c511", "referenced_uuid": "c0504c9d-3f68-4187-b5ab-c27a322a30e9", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-9970-4132-a7c2-486502de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609115", "uuid": "c0504c9d-3f68-4187-b5ab-c27a322a30e9", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609120", "uuid": "095c3d91-1477-4199-89d0-a8eae5dc7c40", "ObjectReference": [ { "comment": "", "object_uuid": "095c3d91-1477-4199-89d0-a8eae5dc7c40", "referenced_uuid": "4968cfb4-ca59-44f4-bdbf-694750b99d4c", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-b43c-4292-a899-420102de0b81" } 
], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609118", "uuid": "4968cfb4-ca59-44f4-bdbf-694750b99d4c", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609123", "uuid": "de4c3619-8744-47c3-b8cd-6fda495bd942", "ObjectReference": [ { "comment": "", "object_uuid": "de4c3619-8744-47c3-b8cd-6fda495bd942", "referenced_uuid": "df29dca7-7156-4cfe-a8ba-3ccd39c0cec5", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-9a2c-4619-a5a7-4c8702de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609121", "uuid": "df29dca7-7156-4cfe-a8ba-3ccd39c0cec5", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609126", "uuid": "7b66e013-aa3e-47f4-8332-2b066e66a6e6", "ObjectReference": [ { "comment": "", "object_uuid": "7b66e013-aa3e-47f4-8332-2b066e66a6e6", "referenced_uuid": "a1cacbf6-59f6-415f-baff-edff18badf81", "relationship_type": "analysed-with", "timestamp": "1530609143", "uuid": "5b3b3df7-bab8-4fc5-880c-4cf802de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", 
"template_version": "2", "timestamp": "1530609125", "uuid": "a1cacbf6-59f6-415f-baff-edff18badf81", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609130", "uuid": "0f4fd687-aa8e-457d-84fd-42c38b4c82a3", "ObjectReference": [ { "comment": "", "object_uuid": "0f4fd687-aa8e-457d-84fd-42c38b4c82a3", "referenced_uuid": "303af87f-901c-403e-9f6d-1d3d82fdaa16", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-1fe8-4ef0-98bc-4d2b02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609128", "uuid": "303af87f-901c-403e-9f6d-1d3d82fdaa16", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609132", "uuid": "90d4404c-2895-4d88-ab4e-d996ba26c724", "ObjectReference": [ { "comment": "", "object_uuid": "90d4404c-2895-4d88-ab4e-d996ba26c724", "referenced_uuid": "6ec49067-5762-48e9-9fbd-28092708d5ba", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-abbc-4210-b753-400f02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609130", "uuid": "6ec49067-5762-48e9-9fbd-28092708d5ba", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with 
meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609135", "uuid": "1e424c4b-7b22-435e-bbee-376e02c27c01", "ObjectReference": [ { "comment": "", "object_uuid": "1e424c4b-7b22-435e-bbee-376e02c27c01", "referenced_uuid": "20ddb2fc-05bf-41a5-840f-987eb82ed0c4", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-e498-4f2a-8e6b-496f02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609133", "uuid": "20ddb2fc-05bf-41a5-840f-987eb82ed0c4", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609137", "uuid": "a6f4384b-c7bb-466b-bd50-905a7c5ae4c8", "ObjectReference": [ { "comment": "", "object_uuid": "a6f4384b-c7bb-466b-bd50-905a7c5ae4c8", "referenced_uuid": "e281f0e7-57ca-4348-ae1c-79b7de45d17f", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-350c-43f2-9c53-45c702de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609135", "uuid": "e281f0e7-57ca-4348-ae1c-79b7de45d17f", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609139", "uuid": 
"9942331c-fb6a-48ca-8a9d-8c088b87eceb", "ObjectReference": [ { "comment": "", "object_uuid": "9942331c-fb6a-48ca-8a9d-8c088b87eceb", "referenced_uuid": "91446d13-bed9-4a80-9b2f-b2fed41ef4c8", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-a374-4515-b322-4baf02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609138", "uuid": "91446d13-bed9-4a80-9b2f-b2fed41ef4c8", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530609142", "uuid": "442da37d-2272-45e1-b75c-ef0ca6c63019", "ObjectReference": [ { "comment": "", "object_uuid": "442da37d-2272-45e1-b75c-ef0ca6c63019", "referenced_uuid": "a833bc24-8211-4579-86d9-4f756414083c", "relationship_type": "analysed-with", "timestamp": "1530609144", "uuid": "5b3b3df8-49b8-483d-bc57-4d3102de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530609140", "uuid": "a833bc24-8211-4579-86d9-4f756414083c", "Attribute": [] } ] } }