1220 lines
No EOL
41 KiB
JSON
1220 lines
No EOL
41 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-11-15",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Multi-stage malware sneaks into Google Play",
|
|
"publish_timestamp": "1540544872",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1540544859",
|
|
"uuid": "5a26b513-1ffc-497b-8cac-c53a950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#3a7300",
|
|
"local": false,
|
|
"name": "circl:incident-classification=\"malware\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512486183",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a26b520-8974-4557-9ecb-4260950d210f",
|
|
"value": "https://www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hardcoded domains hosting links to the third-stage payloads",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983564",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5a2e4c0c-e20c-4386-bdc9-c566950d210f",
|
|
"value": "loaderclientarea24.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hardcoded domains hosting links to the third-stage payloads",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983564",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5a2e4c0c-5e7c-446d-979f-c566950d210f",
|
|
"value": "loaderclientarea22.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hardcoded domains hosting links to the third-stage payloads",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983565",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5a2e4c0d-6ec0-4617-b698-c566950d210f",
|
|
"value": "loaderclientarea20.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hardcoded domains hosting links to the third-stage payloads",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983565",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5a2e4c0d-0d90-4608-b0e4-c566950d210f",
|
|
"value": "loaderclientarea15.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hardcoded domains hosting links to the third-stage payloads",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983566",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5a2e4c0e-ae14-4d56-81da-c566950d210f",
|
|
"value": "loaderclientarea13.ru"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1512983689",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5a2e4c7f-9ce8-418d-ae08-b401950d210f",
|
|
"value": "Anti-detection features\r\n\r\nThese malware samples all employ a multi-stage architecture and encryption to stay under the radar.\r\n\r\nAfter being downloaded and installed, these apps do not request any suspicious permissions and even mimic the activity the user expects them to exhibit.\r\n\r\nAlong with this, the malicious app also decrypts and executes its payload \u00e2\u20ac\u201c that is, the first-stage payload. This payload decrypts and executes the second-stage payload, which is stored in the assets of the initial app downloaded from Google Play. These steps are invisible to the user and serve as obfuscatory measures.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512980550",
|
|
"uuid": "5a2e4046-8b60-456b-8b75-5467950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512980551",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e4047-627c-4afe-ad93-5467950d210f",
|
|
"value": "com.fleeeishei.erabladmounsem"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512980551",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e4047-c114-4e01-a486-5467950d210f",
|
|
"value": "9ab5a05bc3c8f1931a3a49278e18d2116f529704"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512981093",
|
|
"uuid": "5a2e4265-81d0-44f3-ba7c-5daf950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512981093",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e4265-a550-4765-9096-5daf950d210f",
|
|
"value": "com.softmuiiurket.cleanerforandroid"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512981093",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e4265-101c-4d05-bc25-5daf950d210f",
|
|
"value": "2e47c816a517548a0fbf809324d63868708d00d0"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512981190",
|
|
"uuid": "5a2e42c6-1420-41e4-8580-60de950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512981190",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e42c7-e288-4015-9475-60de950d210f",
|
|
"value": "com.expjhvjhertsoft.bestrambooster"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512981191",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e42c7-b2f4-48b0-aae7-60de950d210f",
|
|
"value": "de64139e6e91ac0dde755d2ef49d60251984652f"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512981250",
|
|
"uuid": "5a2e4302-df2c-4db4-8bba-71d3950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512981250",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e4302-2af4-4a8d-8dfc-71d3950d210f",
|
|
"value": "gotov.games.toppro"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512981251",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e4303-e28c-4e2a-88ed-71d3950d210f",
|
|
"value": "6ab844c8fd654aaec29dac095214f4430012ee0e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512982248",
|
|
"uuid": "5a2e46e8-f488-40cd-a9ec-878d950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512982248",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e46e8-f98c-4f05-97d2-878d950d210f",
|
|
"value": "slots.forgame.vul"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512982249",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e46e9-0ab4-43e6-a86b-878d950d210f",
|
|
"value": "c8dd6815f30367695938a7613c11e029055279a2"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512982939",
|
|
"uuid": "5a2e499b-4ccc-4e5c-ae67-bb07950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512982940",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e499c-bd18-454a-8c41-bb07950d210f",
|
|
"value": "com.bucholregaum.hampelpa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512982940",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e499c-6844-42cf-a8a5-bb07950d210f",
|
|
"value": "47442bfdfbc0fb350b8b30271c310fe44ffb119a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512983131",
|
|
"uuid": "5a2e4a5b-b27c-4c2f-9112-ba38950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512983131",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e4a5b-7ac0-4033-928f-ba38950d210f",
|
|
"value": "com.peridesuramant.worldnews"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512983132",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e4a5c-16bc-4f0c-af79-ba38950d210f",
|
|
"value": "604e6dcdf1fa1f7b5a85892ac3761bed81405bf6"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1512983191",
|
|
"uuid": "5a2e4a97-e268-44ea-ada6-bbe1950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1512983191",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a2e4a97-4708-494b-bd75-bbe1950d210f",
|
|
"value": "com.peridesurrramant.worldnews"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1512983192",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a2e4a98-5a44-43ff-b3dd-bbe1950d210f",
|
|
"value": "532079b31e3acef2d71c75b31d77480304b2f7b9"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544746",
|
|
"uuid": "11c074b2-9ef5-468f-9a71-70ea7abb9d67",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544747",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "2ac16804-e560-4e29-ad01-27042587a12f",
|
|
"value": "4e6183687717cf7d7adc906cf5450729"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544748",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "1154318f-99a1-4cec-a476-426edf64b4c5",
|
|
"value": "c8dd6815f30367695938a7613c11e029055279a2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544748",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "266765a1-c1ed-4aa0-8a18-0381c4874621",
|
|
"value": "d6e48539252c4425bbb8f4b7e60f9ca6cbb703f324bbf1dde025a3d935b74cb9"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544749",
|
|
"uuid": "df8032d7-cbe9-49fd-9747-63d74730df9f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544749",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "72b61313-867c-48fe-afae-33879fda2b33",
|
|
"value": "2018-10-04T21:24:43"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544750",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "4f384fe0-2a17-4c90-81bd-1eea46dcb4dc",
|
|
"value": "https://www.virustotal.com/file/d6e48539252c4425bbb8f4b7e60f9ca6cbb703f324bbf1dde025a3d935b74cb9/analysis/1538688283/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544750",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2fdf0dd7-f0e3-4a27-b288-fd731165a63b",
|
|
"value": "30/61"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544750",
|
|
"uuid": "475d3bb8-eb86-4c51-a3a3-15ab39d91ddf",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544750",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "4c10cead-648f-4430-85ac-c6658eebe39b",
|
|
"value": "21af98ec1a99ae37367d2e71d16b85fa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544751",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "bbc3978a-a6d2-49b8-b9cf-68df872f8f8c",
|
|
"value": "de64139e6e91ac0dde755d2ef49d60251984652f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544752",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "8824a4d3-611b-49c5-bb5e-cfe69f714fc9",
|
|
"value": "f0c97217377ab0b4dd71baf5529d79e6349e477e69d4043a82f9c768ef46a932"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544758",
|
|
"uuid": "94031eb7-4ff3-486e-b44f-eb4fa2ab0c1c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544764",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "beace62d-a2d6-42ad-a1ff-0d85f7ccf447",
|
|
"value": "2018-10-04T21:32:29"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544771",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "f5e4dc71-0ada-47da-9c85-dd7999b9fdb4",
|
|
"value": "https://www.virustotal.com/file/f0c97217377ab0b4dd71baf5529d79e6349e477e69d4043a82f9c768ef46a932/analysis/1538688749/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544772",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "69190414-96bf-48ed-8a7c-2e002e4ef9eb",
|
|
"value": "30/62"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544772",
|
|
"uuid": "90b018c5-f3af-4ebf-9bb9-452b205d3038",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544772",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "ddc61b53-fbe7-4ba3-b256-83ffa0752eb2",
|
|
"value": "f9617beec1b56eace79e870cb0925ffd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544773",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "13871cc9-e679-4ca2-afa8-d96af64952cd",
|
|
"value": "604e6dcdf1fa1f7b5a85892ac3761bed81405bf6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544774",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "e5e884f8-79f2-45d4-a1b1-8950b7b1a4da",
|
|
"value": "3fc104c7fb8f6419aa5b45a3abfcc545ddb8e225f1b6dcaf5824075cbdf5dddd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544774",
|
|
"uuid": "caa22be8-c2c9-465f-8aaa-c20e3eafec9f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544774",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "f3bd1117-6b76-40f4-b890-3ff8c3a11b3a",
|
|
"value": "2018-10-04T21:32:21"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544775",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "081c6e6e-4bcc-4223-9840-923e63ed044c",
|
|
"value": "https://www.virustotal.com/file/3fc104c7fb8f6419aa5b45a3abfcc545ddb8e225f1b6dcaf5824075cbdf5dddd/analysis/1538688741/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544776",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "70e00152-a2f1-46fd-b7c7-55f38c1255a4",
|
|
"value": "30/62"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544776",
|
|
"uuid": "a62c5ce0-9e21-466e-b317-a0a00fef80ef",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544776",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "f8e88752-587f-4287-b7f9-90bdbe4ab467",
|
|
"value": "c4acc83183ac0fabe92fc02ae5ef3ca4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544782",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c7bb87-41d2-4a89-a85c-f3a11f396353",
|
|
"value": "9ab5a05bc3c8f1931a3a49278e18d2116f529704"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544783",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "178d0135-a2a4-4460-a8d5-ffc3aa2c10d7",
|
|
"value": "dd857e8505cedf84b316eb0f5cdcba1386fb8412bc630e671f474aeedfccb387"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544783",
|
|
"uuid": "1263f071-0c4b-4d90-b6ef-81682679e425",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544784",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "8aa24a31-7fdd-4ed4-a632-705aa09205d3",
|
|
"value": "2018-10-04T21:32:25"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544784",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "0cc5c304-cd11-41a5-9583-7e971aad4310",
|
|
"value": "https://www.virustotal.com/file/dd857e8505cedf84b316eb0f5cdcba1386fb8412bc630e671f474aeedfccb387/analysis/1538688745/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544785",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5263a8d1-50e1-4f76-8f4b-d73cef90d7ed",
|
|
"value": "34/62"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544785",
|
|
"uuid": "959b41df-ba0f-4520-a633-f28b0d7e5b21",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544785",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "74fded8c-363d-4cce-a9ba-cf1e3cc79711",
|
|
"value": "a0dcd9907a3726edfb8e7de48b3aa8f6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544786",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "d1c9f224-f8bf-4f1b-ad39-10c17c45aa5f",
|
|
"value": "6ab844c8fd654aaec29dac095214f4430012ee0e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544786",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "95392806-aafd-4ed0-8961-2d113a91c471",
|
|
"value": "e980dc97b0b63158e251e6055d0f4362bf0a105bd999146de048f13a8f4aadb7"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544787",
|
|
"uuid": "9c3a68e0-2e10-46ad-adda-0237549ebcd1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544787",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "fac591a5-dfe8-45be-994b-d62da1b2a50d",
|
|
"value": "2018-10-04T21:24:52"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544788",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58702d62-de2f-4573-b03a-f18fd9513e2e",
|
|
"value": "https://www.virustotal.com/file/e980dc97b0b63158e251e6055d0f4362bf0a105bd999146de048f13a8f4aadb7/analysis/1538688292/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544789",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "7a7627ca-a13a-48e8-8fad-142354ccfc99",
|
|
"value": "29/62"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544789",
|
|
"uuid": "973efe60-da30-4d60-aa15-6a1ee7f82e22",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544789",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "eebe66ee-cae3-4df9-bf37-57eb24bc39fe",
|
|
"value": "327d37ad6391c674f2f5a96e08cbc95f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544790",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "ae0d611b-4218-4a01-bb20-9264bb985b11",
|
|
"value": "47442bfdfbc0fb350b8b30271c310fe44ffb119a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544797",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "6d703e81-fa21-4eb7-a86e-377b41a9fe82",
|
|
"value": "ef3dfcd3e1351f46ee3cbfb3f71fe9d06a445d8affe2e679f34d8bf4bb618849"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544803",
|
|
"uuid": "6b985af4-f961-4f8d-b2f7-513b6ed1c140",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544807",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "1b0b2e29-f922-40e2-b9e7-e1138cc8cd16",
|
|
"value": "2018-10-04T21:32:08"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544812",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "e48a740f-3a6a-4209-b09f-9ce33ca4d094",
|
|
"value": "https://www.virustotal.com/file/ef3dfcd3e1351f46ee3cbfb3f71fe9d06a445d8affe2e679f34d8bf4bb618849/analysis/1538688728/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544817",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "6184c6e0-29e2-4165-8e42-ccf5bbb23b19",
|
|
"value": "31/61"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544817",
|
|
"uuid": "ae8d1770-da33-4160-92e5-bc56fe5781d5",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544817",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "df466324-c711-408a-9c41-57106454e24d",
|
|
"value": "2d5b8b4a868cbb8947f869f789fef5ff"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544818",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "ae740bde-3aee-4fdf-8dae-fb41e1ecf2c2",
|
|
"value": "532079b31e3acef2d71c75b31d77480304b2f7b9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544819",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "2f95949f-0d9b-41f9-9737-30730cfc6e8f",
|
|
"value": "d2a6cbe9acd4193188f7aa6d922c916999845da82171889526550790f5632b47"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544826",
|
|
"uuid": "095999e8-cf65-4068-9aa8-111b4596ae64",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544834",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "9f46d30d-be05-4c45-be71-9d342e9a2fa1",
|
|
"value": "2018-10-04T21:32:13"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544834",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5d3c8f72-90a2-466d-82ae-de692d5e9523",
|
|
"value": "https://www.virustotal.com/file/d2a6cbe9acd4193188f7aa6d922c916999845da82171889526550790f5632b47/analysis/1538688733/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544835",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4d7c5d08-44bb-456b-8b95-19a3c5f79d4c",
|
|
"value": "28/60"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1540544835",
|
|
"uuid": "01689a22-9fef-4b84-bc15-84a951d19e66",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1540544835",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "789b0449-1bb1-4388-8cda-eecdcc7f1e91",
|
|
"value": "2ed45ea4f3b26adcc5eaa88b5234c997"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1540544836",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "c9cef300-9236-4344-ae2e-25ce759a513b",
|
|
"value": "2e47c816a517548a0fbf809324d63868708d00d0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1540544837",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1e920e36-32ef-47ff-a121-17daaaa4467a",
|
|
"value": "ab9f1a59fcae8374282a39f244f164b58dbed4d16c37366bf2272c9509a7502e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1540544837",
|
|
"uuid": "2f933552-e105-4559-9ba2-4adb53dde71b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1540544837",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "973e093c-1a25-4961-9a70-1047fb6be0e7",
|
|
"value": "2018-10-04T21:31:07"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1540544838",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "8f0d0a5f-9323-4973-b32a-adaf4007fe08",
|
|
"value": "https://www.virustotal.com/file/ab9f1a59fcae8374282a39f244f164b58dbed4d16c37366bf2272c9509a7502e/analysis/1538688667/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1540544838",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2367705e-c040-48af-8d75-755949bfadf7",
|
|
"value": "30/60"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |