{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2018-06-26",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families",
|
|
"publish_timestamp": "1530610129",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1530610086",
|
|
"uuid": "5b325da8-0434-48ad-8b27-48de950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:tool=\"KHRAT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:rat=\"KhRAT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#3a7300",
|
|
"local": false,
|
|
"name": "circl:incident-classification=\"malware\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:threat-actor=\"RANCOR\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530093820",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b325dc2-90c0-4944-9e86-4072950d210f",
|
|
"value": "Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.\r\n\r\nWe believe this group is previously unidentified and therefore we have dubbed it \u201cRANCOR\u201d. The Rancor group\u2019s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to these attackers\u2019 toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to:\r\n\r\n Singapore\r\n Cambodia\r\n\r\nWe identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages. These decoys contain details from public news articles focused primarily on political news and events. Based on this, we believe the Rancor attackers were targeting political entities. Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least one case, Facebook.\r\n\r\nThe malware and infrastructure used in these attacks fall into two distinct clusters, which we are labeling A and B, that are linked through their use of the PLAINTEE malware and several \u201csofter\u201d linkages.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530093831",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5b325dd5-5a74-419b-bc1a-41d7950d210f",
|
|
"value": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530086619",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3344db-0f88-4bec-b454-422a950d210f",
|
|
"value": "www.facebook-apps.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530086620",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3344dc-bedc-4624-8b60-4f7b950d210f",
|
|
"value": "dlj40s.jdanief.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530087538",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b334872-9e80-4ce8-80c8-49df950d210f",
|
|
"value": "89.46.222.97"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530088211",
|
|
"to_ids": false,
|
|
"type": "mutex",
|
|
"uuid": "5b334b13-a7cc-48de-9517-4db9950d210f",
|
|
"value": "microsoftfuckedupb"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530088286",
|
|
"to_ids": false,
|
|
"type": "mutex",
|
|
"uuid": "5b334b5e-3568-42d1-98f3-4f63950d210f",
|
|
"value": "Microsoftfuckedup"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530089821",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b33515d-58b4-42bd-9440-4d80950d210f",
|
|
"value": "199.247.6.253"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530089822",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b33515e-eef0-41af-82e3-4542950d210f",
|
|
"value": "45.76.176.236"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "PLAINTEE - DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090480",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b33515f-86a4-4d15-81eb-4878950d210f",
|
|
"value": "goole.authorizeddns.us"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "PLAINTEE - DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090500",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b33515f-a7e4-455a-83e1-41af950d210f",
|
|
"value": "103.75.189.74"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530089824",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b335160-6560-4bbf-b10a-47c9950d210f",
|
|
"value": "131.153.48.146"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090468",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3353b3-0db4-4cbf-a6a8-4578950d210f",
|
|
"value": "microsoft.authorizeddns.us"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "DDKONG - value looks like a hostname rather than a filename; check the attribute type before relying on the to_ids flag for detection export",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090483",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5b3353b4-8968-45b6-9874-4b21950d210f",
|
|
"value": "www.google_ssl.onmypc.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090446",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3353b5-a744-4a97-99f1-4219950d210f",
|
|
"value": "ftp.chinhphu.ddns.ms"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090472",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3353b5-c0b8-468f-b5b7-4156950d210f",
|
|
"value": "www.microsoft.https443.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090464",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5b3353b6-6d70-4c7d-ad9e-40bc950d210f",
|
|
"value": "msdns.otzo.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090515",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b3353b6-ea54-49bb-8b4d-42bf950d210f",
|
|
"value": "103.75.191.177"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090508",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b3353b6-d9c4-4e9a-bfbf-41ad950d210f",
|
|
"value": "103.75.191.75"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1530090512",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b3353b7-7b08-4e4c-9806-4b78950d210f",
|
|
"value": "45.121.146.26"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "PLAINTEE older variant",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530085277",
|
|
"uuid": "5b333f9d-538c-44ae-af71-405a950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530085278",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b333f9e-7d48-458b-97c7-4e11950d210f",
|
|
"value": "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530085278",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b333f9e-a574-4b2b-ba1a-4474950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE older variant",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530085323",
|
|
"uuid": "5b333fcb-7060-4d26-8dc5-4970950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530085323",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b333fcb-6a2c-4c56-b413-45a6950d210f",
|
|
"value": "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530085324",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b333fcc-d750-492b-b4da-4fb5950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Loader - Delivery via HTA Loader",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530091740",
|
|
"uuid": "5b334422-f2f8-4b4e-8873-47b4950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530091740",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b334423-c998-4b87-979b-491c950d210f",
|
|
"value": "1dc5966572e94afc2fbcf8e93e3382eef4e4d7b5bc02f24069c403a28fa6a458"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530091740",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b334424-42f0-4ca5-9dab-4495950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Loader - Delivery via document property macro",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530091095",
|
|
"uuid": "5b3349f9-6a74-42cd-a80f-4c15950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530091095",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3349f9-ae18-4fd9-a70b-428e950d210f",
|
|
"value": "a789a282e0d65a050cccae66c56632245af1c8a589ace2ca5ca79572289fd483"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530091095",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3349f9-8038-4e5d-8acf-40d2950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530090088",
|
|
"uuid": "5b335268-0f64-4354-a783-4b2d950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530090089",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b335269-8de4-45a6-9a32-4edc950d210f",
|
|
"value": "863a9199decf36895d5d7d148ce9fd622e825f393d7ebe7591b4d37ef3f5f677"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530090089",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b335269-f780-463b-a6ee-4f82950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530090105",
|
|
"uuid": "5b335279-2d7c-47dd-a880-40af950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530090106",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b33527a-61c4-4832-945c-4e0f950d210f",
|
|
"value": "22a5bd54f15f33f4218454e53679d7cfae32c03ddb6ec186fb5e6f8b7f7c098b"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530090107",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b33527b-e118-4033-86c2-406e950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530093649",
|
|
"uuid": "5b3352a3-669c-429e-93c5-4079950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5b3352a3-669c-429e-93c5-4079950d210f",
|
|
"referenced_uuid": "5b334872-9e80-4ce8-80c8-49df950d210f",
|
|
"relationship_type": "connected-to",
|
|
"timestamp": "1530091056",
|
|
"uuid": "5b335630-cb00-4433-be5c-4ee0950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530093646",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3352a3-381c-4964-9c1a-4f99950d210f",
|
|
"value": "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530093646",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3352a5-5e30-49cd-808f-4200950d210f",
|
|
"value": "Malicious"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1530093646",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b33604e-234c-4b17-99cf-47b5950d210f",
|
|
"value": "d5679158937ce288837efe62bc1d9693"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1530093647",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5b33604f-4450-4809-85ae-4bb1950d210f",
|
|
"value": "0bdb44255e9472d80ee0197d0bfad7d8eb4a18e9"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530090171",
|
|
"uuid": "5b3352bb-b844-43d1-ad06-4b7f950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530090171",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3352bb-8a1c-4b9e-9d7f-4de5950d210f",
|
|
"value": "6aad1408a72e7adc88c2e60631a6eee3d77f18a70e4eee868623588612efdd31"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530090171",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3352bb-4c54-462d-a66a-4a20950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530093695",
|
|
"uuid": "5b3352e8-2f2c-4dbd-9eff-457f950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530093695",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3352e8-f3fc-4f85-9988-4160950d210f",
|
|
"value": "b099c31515947f0e86eed0c26c76805b13ca2d47ecbdb61fd07917732e38ae78"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530093695",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3352e8-df14-44a0-8701-4335950d210f",
|
|
"value": "Malicious"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1530093696",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b336080-25ec-468b-9a14-4ac2950d210f",
|
|
"value": "7c65565dcf5b40bd8358472d032bc8fb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1530093697",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5b336081-726c-454a-b365-4159950d210f",
|
|
"value": "ac3f20ddc2567af0b050c672ecd59dddab1fe55e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530090233",
|
|
"uuid": "5b3352f9-5c88-4d97-b859-4b93950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530090233",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3352f9-1348-45c7-ad80-4fa3950d210f",
|
|
"value": "bcd37f1d625772c162350e5383903fe8dbed341ebf0dc38035be5078624c039e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530090235",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3352fb-4950-47c8-91fb-4491950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PLAINTEE",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530090253",
|
|
"uuid": "5b33530d-aa10-4f2b-b024-449f950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530090253",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b33530d-3518-4c76-8c99-4947950d210f",
|
|
"value": "9f779d920443d50ef48d4abfa40b43f5cb2c4eb769205b973b115e04f3b978f5"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530090254",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b33530e-2114-46c5-9980-42fd950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Loader - Delivery via DLL Loader",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530092253",
|
|
"uuid": "5b3354cd-2058-4b73-9df3-4133950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5b3354cd-2058-4b73-9df3-4133950d210f",
|
|
"referenced_uuid": "5b3354fd-c4c4-482f-a3e3-4bdb950d210f",
|
|
"relationship_type": "connected-to",
|
|
"timestamp": "1530090769",
|
|
"uuid": "5b335511-3890-48d5-aee6-4c14950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530092250",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3354cd-3df8-402d-b26d-491c950d210f",
|
|
"value": "0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530092250",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3354cf-5da8-42dc-9313-4695950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "C2",
|
|
"deleted": false,
|
|
"description": "A domain and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "5",
|
|
"timestamp": "1530090749",
|
|
"uuid": "5b3354fd-c4c4-482f-a3e3-4bdb950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1530090749",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b3354fd-ae14-42be-9280-46e4950d210f",
|
|
"value": "89.46.222.97"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1530090749",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5b3354fd-dc04-4a21-85ec-4395950d210f",
|
|
"value": "facebook-apps.com"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530092327",
|
|
"uuid": "5b335b27-0e54-43fb-970a-4c73950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1530092327",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b335b27-eda4-4aa3-b0e4-42d1950d210f",
|
|
"value": "6fa5bcedaf124cdaccfa5548eed7f4b0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1530092328",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5b335b28-0708-4dd8-8cd2-4499950d210f",
|
|
"value": "25ba920cb440b4a1c127c8eb0fb23ee783c9e01a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530092328",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b335b28-d834-4321-9ff8-4b29950d210f",
|
|
"value": "119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530092328",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b335b28-4f2c-42c3-be89-40a4950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Plugin downloaded during runtime for the DDKONG sample. DDKONG sample - PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530092635",
|
|
"uuid": "5b335c5b-9a8c-4f72-a350-4591950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1530092635",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b335c5b-4fe0-4894-80b8-4906950d210f",
|
|
"value": "a5164c686c405734b7362bc6b02488cb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1530092635",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5b335c5b-8600-4030-b8f7-43c4950d210f",
|
|
"value": "03defdda9397e7536cf39951246483a0339ccd35"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530092636",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b335c5c-7f2c-4d32-94ce-4330950d210f",
|
|
"value": "0517b62233c9574cb24b78fb533f6e92d35bc6451770f9f6001487ff9c154ad7"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530092636",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b335c5c-0a20-40cb-9607-4ef8950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530105077",
|
|
"uuid": "5b338cf5-09c4-49a2-9488-6911950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530105077",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b338cf5-f044-4b3e-80f9-6911950d210f",
|
|
"value": "c78fef9ef931ffc559ea416d45dc6f43574f524ba073713fddb79e4f8ec1a319"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530105078",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b338cf6-86c8-4488-b869-6911950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530105123",
|
|
"uuid": "5b338d23-d4e0-4283-b2a1-6911950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530105123",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b338d23-1584-4bce-8a9a-6911950d210f",
|
|
"value": "0f102e66bc2df4d14dc493ba8b93a88f6b622c168e0c2b63d0ceb7589910999d"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530105125",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b338d25-f5e8-42a9-a93c-6911950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530105149",
|
|
"uuid": "5b338d3d-b4a8-4b78-9ec1-6911950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530105149",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b338d3d-e6d8-46c0-a764-6911950d210f",
|
|
"value": "82e1e296403be99129aced295e1c12fbb23f871c6fa2acafab9e08d9a728cb96"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530105150",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b338d3e-422c-4953-8a54-6911950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609106",
"uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7",
"referenced_uuid": "3b010446-7afc-4607-bdf2-7d1e0f550f4a",
"relationship_type": "analysed-with",
"timestamp": "1530105522",
"uuid": "5b338eb2-bf60-4c5e-821c-43f602de0b81"
},
{
"comment": "",
"object_uuid": "48ba6e13-09f5-446b-9696-dd43ff1924a7",
"referenced_uuid": "d51eb0b4-51f1-4cda-868d-8ff1024de0bc",
"relationship_type": "analysed-with",
"timestamp": "1530609142",
"uuid": "5b3b3df6-0340-454a-be92-4b1102de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105482",
"uuid": "3b010446-7afc-4607-bdf2-7d1e0f550f4a",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609106",
"uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8",
"referenced_uuid": "4b87e0fc-b38b-40a1-bb46-402498c0e827",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-2c24-475a-8142-4f2302de0b81"
},
{
"comment": "",
"object_uuid": "2191df90-0868-4154-9da7-ebb1fc04afb8",
"referenced_uuid": "8e02a81e-6121-45f2-ba18-dc8c17897ffc",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-e2f8-4e40-a5bc-408a02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105487",
"uuid": "4b87e0fc-b38b-40a1-bb46-402498c0e827",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609106",
"uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa",
"ObjectReference": [
{
"comment": "",
"object_uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa",
"referenced_uuid": "3791a2f2-8068-4583-845d-d0a38d0d5f11",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-0610-4928-9595-4db502de0b81"
},
{
"comment": "",
"object_uuid": "56bba473-0d45-4b8c-8d1d-b722ebc2aefa",
"referenced_uuid": "b5ecdf79-2bac-4362-afb7-f4b77f08754a",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-22b4-4a86-8398-49c602de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105491",
"uuid": "3791a2f2-8068-4583-845d-d0a38d0d5f11",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609106",
"uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce",
"referenced_uuid": "994f5e7a-bbff-4ccd-b521-4af728076b9b",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-fe9c-4066-896a-4a5102de0b81"
},
{
"comment": "",
"object_uuid": "2e2c8997-8848-4d46-8f1d-172737e258ce",
"referenced_uuid": "8866a1fa-79e0-43a0-8436-bf77275639ea",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-599c-404c-81f8-40bb02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105494",
"uuid": "994f5e7a-bbff-4ccd-b521-4af728076b9b",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609107",
"uuid": "bad2cd96-e6c3-487a-8935-28ef07751b2d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "bad2cd96-e6c3-487a-8935-28ef07751b2d",
"referenced_uuid": "fa8aae14-51ae-4de9-9813-238d85ffcc42",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-5ac8-4763-804d-47b002de0b81"
},
{
"comment": "",
"object_uuid": "bad2cd96-e6c3-487a-8935-28ef07751b2d",
"referenced_uuid": "6ec36b69-0386-41e6-92de-711b8a0842ac",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-f57c-4cd1-a160-40cd02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105497",
"uuid": "fa8aae14-51ae-4de9-9813-238d85ffcc42",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609107",
"uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101",
"referenced_uuid": "bed6e009-2d42-47a0-84f1-12427f4ff522",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-3c28-4113-84ea-456d02de0b81"
},
{
"comment": "",
"object_uuid": "5e7b0cd5-84eb-4c69-beb2-7f7db2ad6101",
"referenced_uuid": "bf35ad2e-603c-492e-bc00-549bdd9481fe",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-ccd0-436a-af14-4e3702de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105501",
"uuid": "bed6e009-2d42-47a0-84f1-12427f4ff522",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609107",
"uuid": "365db456-80ba-443a-b956-843a1a4cb7a8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "365db456-80ba-443a-b956-843a1a4cb7a8",
"referenced_uuid": "84129c9d-378e-477f-90b6-c754134a86a1",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-5dbc-41e4-8bc2-4e2302de0b81"
},
{
"comment": "",
"object_uuid": "365db456-80ba-443a-b956-843a1a4cb7a8",
"referenced_uuid": "89c0d58c-2092-4c1e-89c8-9a4707e4a740",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-9c7c-44b0-b45a-42dd02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105510",
"uuid": "84129c9d-378e-477f-90b6-c754134a86a1",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609107",
"uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f",
"referenced_uuid": "2e6a29ad-5626-4495-bbfd-35acdee329e0",
"relationship_type": "analysed-with",
"timestamp": "1530105523",
"uuid": "5b338eb3-bbdc-4412-bbe5-484102de0b81"
},
{
"comment": "",
"object_uuid": "3deff8a7-8e00-4b54-a4bf-1fcdd7bf387f",
"referenced_uuid": "7d2748ea-c864-4b20-b149-1466153ddd37",
"relationship_type": "analysed-with",
"timestamp": "1530609143",
"uuid": "5b3b3df7-bb34-410d-8bd6-474c02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530105516",
"uuid": "2e6a29ad-5626-4495-bbfd-35acdee329e0",
"Attribute": []
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609107",
|
|
"uuid": "5a837ade-bafe-45f2-816f-03095c0e0135",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5a837ade-bafe-45f2-816f-03095c0e0135",
|
|
"referenced_uuid": "34f23e73-32cb-434e-837b-f4d22a714360",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530105523",
|
|
"uuid": "5b338eb3-361c-44eb-80ac-4eb702de0b81"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5a837ade-bafe-45f2-816f-03095c0e0135",
|
|
"referenced_uuid": "61f7e371-94d9-483c-91da-e3947752185b",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-9508-4f62-afab-4ef802de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530105519",
|
|
"uuid": "34f23e73-32cb-434e-837b-f4d22a714360",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106048",
|
|
"uuid": "5b3390c0-6268-40af-9ab0-68df950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106049",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3390c1-5c88-41db-8ce8-68df950d210f",
|
|
"value": "84607a2abfd64d61299b0313337e85dd371642e9654b12288c8a1fc7c8c1cf0a"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106049",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3390c1-5a6c-4bbf-be0b-68df950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106070",
|
|
"uuid": "5b3390d6-42fc-46d2-b142-6861950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106070",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3390d6-2b08-4989-9d8a-6861950d210f",
|
|
"value": "a725abb8fe76939f0e0532978eacd7d4afb4459bb6797ec32a7a9f670778bd7e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106071",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3390d7-7834-45b5-b55b-6861950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106087",
|
|
"uuid": "5b3390e7-57f0-4f04-879a-4bb9950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106087",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3390e7-be90-4ebd-9201-4a51950d210f",
|
|
"value": "15f4c0a589dff62200fd7c885f1e7aa8863b8efa91e23c020de271061f4918eb"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106087",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3390e7-39d4-4df9-b1e6-427c950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106103",
|
|
"uuid": "5b3390f7-4030-4aa5-b421-3027950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106103",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3390f7-9204-4473-9734-3027950d210f",
|
|
"value": "9996e108ade2ef3911d5d38e9f3c1deb0300aa0a82d33e36d376c6927e3ee5af"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106104",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3390f8-b53c-4527-929e-3027950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106149",
|
|
"uuid": "5b339125-37a4-4213-bc65-4e4c950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106149",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b339125-ae04-4d04-a67a-4fb0950d210f",
|
|
"value": "18e102201409237547ab2754daa212cc1454f32c993b6e10a0297b0e6a980823"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106149",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b339125-18c4-4008-990a-47c9950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106173",
|
|
"uuid": "5b33913d-8114-4770-a12b-68df950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106173",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b33913d-5234-499b-a1ea-68df950d210f",
|
|
"value": "b8528c8e325db76b139d46e9f29835382a1b48d8941c47060076f367539c2559"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106174",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b33913e-6518-45bf-bbaf-68df950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106193",
|
|
"uuid": "5b339151-0254-4c6c-a8a6-44fb950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106194",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b339152-f184-43f7-b786-4d75950d210f",
|
|
"value": "01315e211bac543195f2c703033ba31b229001f844854b147c4b2a0973a7d17b"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106194",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b339152-c358-4e13-a064-496a950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106211",
|
|
"uuid": "5b339163-3204-4054-bb53-4e3d950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106211",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b339163-177c-4327-8fcb-4b32950d210f",
|
|
"value": "df14de6b43f902ac8c35ecf0582ddb33e12e682700eb55dc4706b73f5aed40f6"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106212",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b339164-6248-4606-81a3-4f26950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106228",
|
|
"uuid": "5b339174-eafc-4de2-873a-da6b950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106228",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b339174-2814-4420-8f87-da6b950d210f",
|
|
"value": "177906cb9170adc26082e44d9ad1b3fbdcba7c0b57e28b614c1b66cc4a99f906"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106230",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b339176-74f0-4547-825f-da6b950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106249",
|
|
"uuid": "5b339189-bcf4-44cc-908a-6911950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106249",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b339189-db80-480f-9c7d-6911950d210f",
|
|
"value": "113ae6f4d6a2963d5c9a7f42f782b176da096d17296f5a546433f7f27f260895"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106251",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b33918b-02dc-4431-b8ad-6911950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106267",
|
|
"uuid": "5b33919b-c95c-4f0b-ac98-689c950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106267",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b33919b-6ecc-4fa5-b9f3-689c950d210f",
|
|
"value": "119572fafe502907e1d036cdf76f62b0308b2676ebdfc3a51dbab614d92bc7d0"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106268",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b33919c-e25c-458f-884f-689c950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106295",
|
|
"uuid": "5b3391b7-53c8-4a3a-aceb-dee7950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106295",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3391b7-1be0-4b8a-8338-dee7950d210f",
|
|
"value": "5afbee76af2a09c173cf782fd5e51b5076b87f19b709577ddae1c8e5455fc642"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106296",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3391b8-c930-470d-8eb5-dee7950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "DDKONG",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530106312",
|
|
"uuid": "5b3391c8-0bf4-4091-bff9-da6b950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1530106312",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b3391c8-7d50-471f-a254-da6b950d210f",
|
|
"value": "128adaba3e6251d1af305a85ebfaafb2a8028eed3b9b031c54176ca7cef539d2"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1530106313",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5b3391c9-42f4-41f9-8376-da6b950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609107",
|
|
"uuid": "019a94d0-c591-4b83-94aa-daff7409c321",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "019a94d0-c591-4b83-94aa-daff7409c321",
|
|
"referenced_uuid": "db6b617b-49c8-43b4-8908-afe5af51cee7",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-7354-4668-98a0-413b02de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609105",
|
|
"uuid": "db6b617b-49c8-43b4-8908-afe5af51cee7",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609114",
|
|
"uuid": "d828cbe9-16af-4937-ada0-720c7367914b",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "d828cbe9-16af-4937-ada0-720c7367914b",
|
|
"referenced_uuid": "c92cf1ba-27fb-41a2-8ca0-cce941a58606",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-ef00-4325-8de5-4dc602de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609113",
|
|
"uuid": "c92cf1ba-27fb-41a2-8ca0-cce941a58606",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609117",
|
|
"uuid": "ea16e710-32df-4c89-b829-35a82d88c511",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "ea16e710-32df-4c89-b829-35a82d88c511",
|
|
"referenced_uuid": "c0504c9d-3f68-4187-b5ab-c27a322a30e9",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-9970-4132-a7c2-486502de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609115",
|
|
"uuid": "c0504c9d-3f68-4187-b5ab-c27a322a30e9",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609120",
|
|
"uuid": "095c3d91-1477-4199-89d0-a8eae5dc7c40",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "095c3d91-1477-4199-89d0-a8eae5dc7c40",
|
|
"referenced_uuid": "4968cfb4-ca59-44f4-bdbf-694750b99d4c",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-b43c-4292-a899-420102de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609118",
|
|
"uuid": "4968cfb4-ca59-44f4-bdbf-694750b99d4c",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609123",
|
|
"uuid": "de4c3619-8744-47c3-b8cd-6fda495bd942",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "de4c3619-8744-47c3-b8cd-6fda495bd942",
|
|
"referenced_uuid": "df29dca7-7156-4cfe-a8ba-3ccd39c0cec5",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-9a2c-4619-a5a7-4c8702de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609121",
|
|
"uuid": "df29dca7-7156-4cfe-a8ba-3ccd39c0cec5",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609126",
|
|
"uuid": "7b66e013-aa3e-47f4-8332-2b066e66a6e6",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "7b66e013-aa3e-47f4-8332-2b066e66a6e6",
|
|
"referenced_uuid": "a1cacbf6-59f6-415f-baff-edff18badf81",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609143",
|
|
"uuid": "5b3b3df7-bab8-4fc5-880c-4cf802de0b81"
|
|
}
|
|
],
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1530609125",
|
|
"uuid": "a1cacbf6-59f6-415f-baff-edff18badf81",
|
|
"Attribute": []
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1530609130",
|
|
"uuid": "0f4fd687-aa8e-457d-84fd-42c38b4c82a3",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "0f4fd687-aa8e-457d-84fd-42c38b4c82a3",
|
|
"referenced_uuid": "303af87f-901c-403e-9f6d-1d3d82fdaa16",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1530609144",
|
|
"uuid": "5b3b3df8-1fe8-4ef0-98bc-4d2b02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609128",
"uuid": "303af87f-901c-403e-9f6d-1d3d82fdaa16",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609132",
"uuid": "90d4404c-2895-4d88-ab4e-d996ba26c724",
"ObjectReference": [
{
"comment": "",
"object_uuid": "90d4404c-2895-4d88-ab4e-d996ba26c724",
"referenced_uuid": "6ec49067-5762-48e9-9fbd-28092708d5ba",
"relationship_type": "analysed-with",
"timestamp": "1530609144",
"uuid": "5b3b3df8-abbc-4210-b753-400f02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609130",
"uuid": "6ec49067-5762-48e9-9fbd-28092708d5ba",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609135",
"uuid": "1e424c4b-7b22-435e-bbee-376e02c27c01",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1e424c4b-7b22-435e-bbee-376e02c27c01",
"referenced_uuid": "20ddb2fc-05bf-41a5-840f-987eb82ed0c4",
"relationship_type": "analysed-with",
"timestamp": "1530609144",
"uuid": "5b3b3df8-e498-4f2a-8e6b-496f02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609133",
"uuid": "20ddb2fc-05bf-41a5-840f-987eb82ed0c4",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609137",
"uuid": "a6f4384b-c7bb-466b-bd50-905a7c5ae4c8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a6f4384b-c7bb-466b-bd50-905a7c5ae4c8",
"referenced_uuid": "e281f0e7-57ca-4348-ae1c-79b7de45d17f",
"relationship_type": "analysed-with",
"timestamp": "1530609144",
"uuid": "5b3b3df8-350c-43f2-9c53-45c702de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609135",
"uuid": "e281f0e7-57ca-4348-ae1c-79b7de45d17f",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609139",
"uuid": "9942331c-fb6a-48ca-8a9d-8c088b87eceb",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9942331c-fb6a-48ca-8a9d-8c088b87eceb",
"referenced_uuid": "91446d13-bed9-4a80-9b2f-b2fed41ef4c8",
"relationship_type": "analysed-with",
"timestamp": "1530609144",
"uuid": "5b3b3df8-a374-4515-b322-4baf02de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609138",
"uuid": "91446d13-bed9-4a80-9b2f-b2fed41ef4c8",
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1530609142",
"uuid": "442da37d-2272-45e1-b75c-ef0ca6c63019",
"ObjectReference": [
{
"comment": "",
"object_uuid": "442da37d-2272-45e1-b75c-ef0ca6c63019",
"referenced_uuid": "a833bc24-8211-4579-86d9-4f756414083c",
"relationship_type": "analysed-with",
"timestamp": "1530609144",
"uuid": "5b3b3df8-49b8-483d-bc57-4d3102de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1530609140",
"uuid": "a833bc24-8211-4579-86d9-4f756414083c",
"Attribute": []
}
]
}
} |