misp-circl-feed/feeds/circl/misp/5cacf210-9ecc-4a53-90a5-4c6a02de0b81.json


			
				
				
					
						
						
						
							
							
							{"Event": {"info": "OSINT - Flame 2.0: Risen from the Ashes", "Tag": [{"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-malware=\"Flame\""}, {"colour": "#086900", "exportable": true, "name": "misp-galaxy:tool=\"Flame\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#0071c3", "exportable": true, "name": "osint:lifetime=\"perpetual\""}, {"colour": "#0087e8", "exportable": true, "name": "osint:certainty=\"50\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}], "publish_timestamp": "1554838926", "timestamp": "1554889105", "Object": [{"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf2d6-8170-4ec2-8fa9-42a202de0b81", "sharing_group_id": "0", "timestamp": "1554838230", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf2d7-4520-4c61-a7b7-496002de0b81", "timestamp": "1554838231", "to_ids": true, "value": "sensrsvcs.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf2d7-1f44-4107-924a-49f502de0b81", "timestamp": "1554838231", "to_ids": true, "value": "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf2d7-28d8-41c2-af57-45a102de0b81", "timestamp": "1554838231", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf361-d240-4b8b-89c1-479e02de0b81", "sharing_group_id": "0", "timestamp": "1554838369", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf361-6c44-4972-a2fd-4b5602de0b81", "timestamp": "1554838369", "to_ids": true, "value": "sensrsvcs.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf361-49ec-49fb-b370-481d02de0b81", "timestamp": "1554838369", "to_ids": true, "value": "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf361-c0b0-4065-aea0-42c102de0b81", "timestamp": "1554838369", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf3a6-2794-4cca-b073-4d0102de0b81", "sharing_group_id": "0", "timestamp": "1554838438", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf3a6-fd0c-4a14-b288-4aa002de0b81", "timestamp": "1554838438", "to_ids": true, "value": "sensrsvr.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf3a6-ea84-4354-8b70-485d02de0b81", "timestamp": "1554838438", "to_ids": true, "value": "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf3a6-e26c-4181-bb78-4a6602de0b81", "timestamp": "1554838438", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf3d5-4984-4241-beef-4ecd02de0b81", "sharing_group_id": "0", "timestamp": "1554838485", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf3d5-6870-48b9-94c0-4b7202de0b81", "timestamp": "1554838485", "to_ids": true, "value": "sensrsvr.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf3d5-a0a4-489d-8869-4dbe02de0b81", "timestamp": "1554838485", "to_ids": true, "value": "69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf3d5-8efc-42c2-b9ac-444a02de0b81", "timestamp": "1554838485", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf425-1e2c-467f-b0d9-4b9a02de0b81", "sharing_group_id": "0", "timestamp": "1554838565", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf425-f994-4916-9275-4c5702de0b81", "timestamp": "1554838565", "to_ids": true, "value": "wmisvcs64.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf425-f364-4fee-ab61-43dd02de0b81", "timestamp": "1554838565", "to_ids": true, "value": "0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf425-9de8-46e7-a50d-449b02de0b81", "timestamp": "1554838565", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf45c-a150-42cc-91d0-472b02de0b81", "sharing_group_id": "0", "timestamp": "1554838620", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf45c-1064-4097-91b7-455a02de0b81", "timestamp": "1554838620", "to_ids": true, "value": "wmisvcs64.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf45c-b174-4112-b5ab-4dc502de0b81", "timestamp": "1554838620", "to_ids": true, "value": "8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf45c-834c-44fe-aa7c-456802de0b81", "timestamp": "1554838620", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf4a2-992c-465c-b7e7-470f02de0b81", "sharing_group_id": "0", "timestamp": "1554838690", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf4a3-0348-46a7-8ce5-407102de0b81", "timestamp": "1554838691", "to_ids": true, "value": "wmihost64.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf4a3-a838-4be0-86d9-48d102de0b81", "timestamp": "1554838691", "to_ids": true, "value": "b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf4a3-1950-4bff-bc55-408902de0b81", "timestamp": "1554838691", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5cacf4eb-ea8c-4cef-bbf0-4f8b02de0b81", "sharing_group_id": "0", "timestamp": "1554838763", "description": "File object describing a file with meta-information", "template_version": "16", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5cacf4eb-6174-4bd9-95cc-452d02de0b81", "timestamp": "1554838763", "to_ids": true, "value": "wmihost.dll", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5cacf4ec-dbbc-4e39-aff7-4e2702de0b81", "timestamp": "1554838764", "to_ids": true, "value": "134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5cacf4ec-b64c-40d5-aad0-44c802de0b81", "timestamp": "1554838764", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "3ebf26f8-6710-4b32-a4a0-15d339e5350f", "sharing_group_id": "0", "timestamp": "1554838847", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "3ebf26f8-6710-4b32-a4a0-15d339e5350f", "uuid": "5cacf541-a88c-4f64-b894-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "019aaeec-55dd-4ce1-b20a-d92710b6b041", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "d3beb008-c415-4ade-b918-90434b66231b", "timestamp": "1554838485", "to_ids": true, "value": "2529ecdd21ad9854d52ab737306bee59", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "f69b78b9-abe4-45c2-831a-52f33f4ee4c2", "timestamp": "1554838485", "to_ids": true, "value": "b144c68108d9a9208accb562b141d8b8a15550d7", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "2636d8b4-4856-4adb-b108-a276b7baae38", "timestamp": "1554838485", "to_ids": true, "value": "69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "019aaeec-55dd-4ce1-b20a-d92710b6b041", "sharing_group_id": "0", "timestamp": "1554838847", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "cda2bde6-b763-42f6-a894-5fd2298cec87", "timestamp": "1554838485", "to_ids": false, "value": "2019-04-09 19:25:12", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "f12fd4ac-1d89-4c87-ab7f-8981d9e12f24", "timestamp": "1554838485", "to_ids": false, "value": "https://www.virustotal.com/file/69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64/analysis/1554837912/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "d7f96a43-c836-49fa-9a47-c9c7b955509d", "timestamp": "1554838485", "to_ids": false, "value": "4/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "8697b11b-da93-4d4f-b701-a09aab24cb0d", "sharing_group_id": "0", "timestamp": "1554838847", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "8697b11b-da93-4d4f-b701-a09aab24cb0d", "uuid": "5cacf541-8058-4e58-add0-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "e44af2bf-950a-474b-8042-113d217e5f63", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "06fbfd7c-eae7-4e79-8264-b85d0e6d05ea", "timestamp": "1554838231", "to_ids": true, "value": "2a2614756387176845187a7de247a98a", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "17f922a0-2366-44e1-a5e4-799d90b3accd", "timestamp": "1554838231", "to_ids": true, "value": "ef2f8fca2a010f49ab4080a6439651320b95e44f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "68b70b42-5165-48c7-a668-9941189654a6", "timestamp": "1554838231", "to_ids": true, "value": "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "e44af2bf-950a-474b-8042-113d217e5f63", "sharing_group_id": "0", "timestamp": "1554838847", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "23b15a5c-28e3-447a-b7a1-0cd24b6cf23f", "timestamp": "1554838231", "to_ids": false, "value": "2019-04-09 19:37:57", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "e1f5cd2c-1b4b-4a24-9bc5-35d4794acab5", "timestamp": "1554838231", "to_ids": false, "value": "https://www.virustotal.com/file/15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1/analysis/1554838677/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "93a80e3b-e83c-4712-82e1-31c4e053ea2d", "timestamp": "1554838231", "to_ids": false, "value": "6/66", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "48fb1669-d25d-4800-a4bd-443720406f95", "sharing_group_id": "0", "timestamp": "1554838847", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "48fb1669-d25d-4800-a4bd-443720406f95", "uuid": "5cacf541-e0dc-41bf-bf95-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "be651b15-0ff4-4119-9a0a-de4730dc814d", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "15ac6d2c-2e47-491c-9ec7-48307f6bd7e7", "timestamp": "1554838369", "to_ids": true, "value": "7ab1c0c5e7d1ed834bccdfcafb5b07f2", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "3df47b50-8fb8-48e5-adf0-4f683b221154", "timestamp": "1554838369", "to_ids": true, "value": "21d3d7c33f63def5aed98d54dac5de218c49a35f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "41e27c17-f729-4413-9004-78f3fd471f04", "timestamp": "1554838369", "to_ids": true, "value": "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "be651b15-0ff4-4119-9a0a-de4730dc814d", "sharing_group_id": "0", "timestamp": "1554838847", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "912c83ff-cdc9-4485-a904-2384fb9e195c", "timestamp": "1554838369", "to_ids": false, "value": "2019-04-09 19:23:23", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "fbc9682d-7d72-44c9-9b9d-2666493b4c12", "timestamp": "1554838369", "to_ids": false, "value": "https://www.virustotal.com/file/426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82/analysis/1554837803/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "03ee7243-f176-46d0-a04f-f34ae5ea6ddc", "timestamp": "1554838369", "to_ids": false, "value": "7/66", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "7cc0330c-8e97-4662-8588-c4d54f58407c", "sharing_group_id": "0", "timestamp": "1554838848", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "7cc0330c-8e97-4662-8588-c4d54f58407c", "uuid": "5cacf541-ca50-4973-b393-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "5cf63775-757f-43f1-94ea-a33377e12cd1", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "c20fedd3-f5fb-46d5-a0f2-ff16d88594e7", "timestamp": "1554838565", "to_ids": true, "value": "15a0b9948d60e6bc6f60d7226caa923f", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "ac46c69b-7e58-4e2b-bf83-99b626421f50", "timestamp": "1554838565", "to_ids": true, "value": "16a02af1746adbc173a5dc5a16012468133777c5", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "bfcc17ff-5f55-4584-b21e-ab99acf3f3cf", "timestamp": "1554838565", "to_ids": true, "value": "0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "5cf63775-757f-43f1-94ea-a33377e12cd1", "sharing_group_id": "0", "timestamp": "1554838848", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "1e091e6a-ebe5-4c3b-9b5f-c9cb6a375015", "timestamp": "1554838565", "to_ids": false, "value": "2019-04-09 19:37:54", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "8962d991-4022-46cd-b23b-ac1b66118e2e", "timestamp": "1554838565", "to_ids": false, "value": "https://www.virustotal.com/file/0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb/analysis/1554838674/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "15ef209b-969d-49a7-8eff-cd865725bfc8", "timestamp": "1554838565", "to_ids": false, "value": "6/69", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "c301c4d8-3408-4e94-ac87-70c6b3f8d7a7", "sharing_group_id": "0", "timestamp": "1554838848", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "c301c4d8-3408-4e94-ac87-70c6b3f8d7a7", "uuid": "5cacf541-bda8-489c-a410-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "d0ff9ea2-f4ed-4174-b077-308b005ae017", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "44ac52c9-7b3d-4bc3-a3d8-ee0c69c444b2", "timestamp": "1554838438", "to_ids": true, "value": "98303a3a424c407a3e27ab818066811c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "f445613b-a4bc-4845-bb5f-704f7a3e1419", "timestamp": "1554838438", "to_ids": true, "value": "5ab8b1ac11789606333ff94066cae6048a335ac5", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "d2c29a86-1c78-42e2-92b7-9615dedaf6a6", "timestamp": "1554838438", "to_ids": true, "value": "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "d0ff9ea2-f4ed-4174-b077-308b005ae017", "sharing_group_id": "0", "timestamp": "1554838848", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "a56f74da-1eb6-4b0e-9946-f4f64bfaa448", "timestamp": "1554838438", "to_ids": false, "value": "2019-04-09 19:28:00", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "5ddc77d8-25bf-48b8-ba1e-a3e473a00edf", "timestamp": "1554838438", "to_ids": false, "value": "https://www.virustotal.com/file/af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4/analysis/1554838080/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "425ae711-425a-4400-bdea-ca8ccb8e9021", "timestamp": "1554838438", "to_ids": false, "value": "10/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "8c4f64e3-e346-40b6-b06f-8575a9ce1a83", "sharing_group_id": "0", "timestamp": "1554838848", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "8c4f64e3-e346-40b6-b06f-8575a9ce1a83", "uuid": "5cacf541-fbc0-4e29-bd29-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "9a473378-5c49-4dc1-a58b-38b7ac011d49", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "3ba5fd21-f80c-47e8-887d-c31b9f056aba", "timestamp": "1554838691", "to_ids": true, "value": "6ce0a12d7461f3267af7fa835a0b5677", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "48228a8a-4922-4009-92e8-2d09032e03ff", "timestamp": "1554838691", "to_ids": true, "value": "941195b52f5ea4eb60027c3aeb67cd72e95f4c8e", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "0adc5417-5ff3-424e-a85e-20a3b70c6eae", "timestamp": "1554838691", "to_ids": true, "value": "b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "9a473378-5c49-4dc1-a58b-38b7ac011d49", "sharing_group_id": "0", "timestamp": "1554838848", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "2294d851-edaf-4560-93de-6a3163cca0b4", "timestamp": "1554838691", "to_ids": false, "value": "2019-04-09 19:16:19", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "086df5b9-0480-41c0-8d26-10c5e04a6d41", "timestamp": "1554838691", "to_ids": false, "value": "https://www.virustotal.com/file/b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362/analysis/1554837379/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "a9717401-7206-494d-983b-0f029dcf4c2a", "timestamp": "1554838691", "to_ids": false, "value": "5/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "287dff0c-5d73-4dca-badb-6de37ea6e766", "sharing_group_id": "0", "timestamp": "1554838848", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "287dff0c-5d73-4dca-badb-6de37ea6e766", "uuid": "5cacf541-c9dc-4189-86e5-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "6e6742a5-13ab-483f-a968-22170d66e6e2", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "8704d0ab-026a-4cd6-a1ea-601e141846b8", "timestamp": "1554838620", "to_ids": true, "value": "883034ba4657ba4765a20f680721d0ea", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "f2244073-568a-46af-a9f5-30f8ae1d8142", "timestamp": "1554838620", "to_ids": true, "value": "eafb4e041587f4204c2dda9bbb91622ce34421f0", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "f921bdd4-97cd-4115-a9dc-12a3c1c83a0f", "timestamp": "1554838620", "to_ids": true, "value": "8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "6e6742a5-13ab-483f-a968-22170d66e6e2", "sharing_group_id": "0", "timestamp": "1554838848", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "12cc2922-c79a-47cd-9c00-a1c9edb9b3e8", "timestamp": "1554838620", "to_ids": false, "value": "2019-04-09 17:37:57", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "1cb396f5-1a48-470f-acd5-72a4ee4a577d", "timestamp": "1554838620", "to_ids": false, "value": "https://www.virustotal.com/file/8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad/analysis/1554831477/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "9dececda-d7d7-428b-aeb1-294204d06505", "timestamp": "1554838620", "to_ids": false, "value": "3/70", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "8403c5f0-33ff-475b-b1f1-aa1df43eff9d", "sharing_group_id": "0", "timestamp": "1554838848", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "8403c5f0-33ff-475b-b1f1-aa1df43eff9d", "uuid": "5cacf542-b6f8-4c90-8dda-0c6a02de0b81", "timestamp": "1554838849", "referenced_uuid": "13e40b04-1b14-4396-9507-786fb8ee0191", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "e6cbf1a9-04e1-44ef-99c8-460e255450b1", "timestamp": "1554838764", "to_ids": true, "value": "294be9caf93116430f7a8007a202e9fd", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "061860d6-88d6-45d0-8a49-a7b364efe30c", "timestamp": "1554838764", "to_ids": true, "value": "45f348b46a745c1f45e4eac0185d73cc4e65edc3", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "0c74253c-be8e-41aa-81a0-6cc1724c3dfc", "timestamp": "1554838764", "to_ids": true, "value": "134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "13e40b04-1b14-4396-9507-786fb8ee0191", "sharing_group_id": "0", "timestamp": "1554838849", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "6d627e0b-8860-4c24-b070-3147b81c8326", "timestamp": "1554838764", "to_ids": false, "value": "2019-04-09 19:26:22", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "a47abd4b-72f6-4b58-89c9-210de35edc1c", "timestamp": "1554838764", "to_ids": false, "value": "https://www.virustotal.com/file/134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4/analysis/1554837982/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "39dce544-f7ac-41b8-82d1-512fb42eb17b", "timestamp": "1554838764", "to_ids": false, "value": "7/69", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5cad948e-7a68-4202-ac52-46ea950d210f", "sharing_group_id": "0", "timestamp": "1554879630", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "5", "Attribute": [{"comment": "", "category": "Other", "uuid": "5cad948e-7698-48e9-b3e4-4e8a950d210f", "timestamp": "1554879630", "to_ids": false, "value": "@juanandres_gs\r\n and @silascutler\r\n released research into FLAME 2.0 Risen from the Ashes at #TheSAS2019 (link: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0) medium.com/chronicle-blog\u2026 #yara rules included in the technical report (link: https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf) storage.googleapis.com/chronicle-rese\u2026", "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5cad948e-6674-469c-b14a-4206950d210f", "timestamp": "1554879630", "to_ids": false, "value": "Twitter", "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Network activity", "uuid": "5cad948e-1124-4eda-a29c-4d75950d210f", "timestamp": "1554879630", "to_ids": true, "value": "https://mobile.twitter.com/markus_neis/status/1115478572116742144", "disable_correlation": false, "object_relation": "url", "type": "url"}, {"comment": "", "category": "Other", "uuid": "5cad948e-ff3c-4461-bdc9-4e64950d210f", "timestamp": "1554879630", "to_ids": false, "value": "@juanandres_gs", "disable_correlation": false, "object_relation": "username-quoted", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5cad948e-7ee4-4ce8-9b4f-4c13950d210f", "timestamp": "1554879630", "to_ids": false, "value": "@silascutler", "disable_correlation": false, "object_relation": "username-quoted", "type": "text"}, {"comment": "", "category": "Network activity", "uuid": "5cad948e-52d0-4f79-8ea3-4674950d210f", "timestamp": "1554879630", "to_ids": true, "value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", "disable_correlation": false, "object_relation": "link", "type": "url"}, {"comment": "", "category": "Network activity", "uuid": "5cad948e-5a4c-43c9-94df-4e0a950d210f", "timestamp": "1554879630", "to_ids": true, "value": "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0", "disable_correlation": false, "object_relation": "link", "type": "url"}, {"comment": "", "category": "Network activity", "uuid": "5cad948e-daa0-4671-bad1-46b3950d210f", "timestamp": "1554879630", "to_ids": true, "value": "https://t.co/E2b4nT2Xcl?amp=1", "disable_correlation": false, "object_relation": "link", "type": "url"}, {"comment": "", "category": "Network activity", "uuid": "5cad948e-65c0-457c-85bc-4152950d210f", "timestamp": "1554879630", "to_ids": true, "value": "https://t.co/TajWhD5Bhq?amp=1", "disable_correlation": false, "object_relation": "link", "type": "url"}, {"comment": "", "category": "Other", "uuid": "5cad948e-5738-46b0-8c2a-49fa950d210f", "timestamp": "1554879630", "to_ids": false, "value": "Apr 9, 2019 6:56 AM", "disable_correlation": false, "object_relation": "creation-date", "type": "datetime"}, {"comment": "", "category": "Other", "uuid": "5cad948e-326c-435c-be57-4450950d210f", "timestamp": "1554879630", "to_ids": false, "value": "markus_neis", "disable_correlation": false, "object_relation": "username", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5cacf25c-be88-4f49-9371-486d02de0b81", "timestamp": "1554838108", "to_ids": false, "value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5cacf275-91f8-48f8-86b3-4a6602de0b81", "timestamp": "1554838133", "to_ids": false, "value": "Our investigation into the GOSSIPGIRL Supra Threat Actor (STA) started with a REPLICANTFARM signature name that tentatively links the cryptonym GOSSIPGIRL to Flame. From there,1we investigated MiniFlame and Gauss \u2013two families related to the Flame platform\u2013 withoutfinding any indication of succession to Flame\u2019s operations. Our investigation continued ontoStuxnet and Duqu but the altogether disappearance of Flame never sat right with us.", "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5cacf524-c7cc-4a00-bcf6-0c6a02de0b81", "timestamp": "1554838820", "to_ids": true, "value": "import\u200b \u200b\"pe\"import\u200b \u200b\"hash\"rule FLAME2_Orchestrator{meta:desc \u200b=\u200b \u200b\"Encrypted resources in Flame2.0 Orchestrators\"author \u200b=\u200b \u200b\"turla @ Uppercase\"hash1 \u200b=\"15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1\"hash2 \u200b=\"426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82\"hash3 \u200b=\"af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4\"condition:for\u200b any i \u200bin\u200b \u200b(\u200b0.\u200b.\u200bpe\u200b.\u200bnumber_of_resources \u200b-\u200b \u200b1\u200b):(\u200b(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"53b19d9863d8ff8cde8e4358d1b57c04\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"62bfe21a8eb76fd07e22326c0073fef5\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"1933a1e254b1657a6a2eb8ad1fbe6fa3\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"17c794f7056349cb82889b5e5b030d15\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"e15187f79b6916cb6763d29d215623c1\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"923963bb24f2e2ceac9f9759071dba88\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9a2766aba7f2a56ef1ab24cf171ee0ed\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"ebe15bfb5a3944ea4952ddf0f73aa6e8\")\u200b)}", "disable_correlation": false, "object_relation": null, "type": "yara"}], "extends_uuid": "", "published": false, "date": "2019-04-09", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5cacf210-9ecc-4a53-90a5-4c6a02de0b81"}}
						
						
					
				
				
					
						Reference in a new issue
					
					View git blame
					Copy permalink