misp-circl-feed/feeds/circl/misp/5a29b981-af60-4e6f-af70-480b950d210f.json


			
				
				
					
						
						
						
							
							
							{"Event": {"info": "OSINT - THE SHADOWS OF GHOSTS INSIDE THE RESPONSE OF A UNIQUE CARBANAK INTRUSION", "Tag": [{"colour": "#e7007d", "exportable": true, "name": "workflow:state=\"incomplete\""}, {"colour": "#620035", "exportable": true, "name": "workflow:todo=\"review-for-false-positive\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-intrusion-set=\"Carbanak\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:tool=\"SSHDoor\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:malpedia=\"SSHDoor\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:malpedia=\"MimiKatz\""}, {"colour": "#064800", "exportable": true, "name": "misp-galaxy:tool=\"Mimikatz\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\""}], "publish_timestamp": "0", "timestamp": "1540548671", "Object": [{"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8bf2-f160-4b0f-9e7a-493e950d210f", "sharing_group_id": "0", "timestamp": "1513065458", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8bf2-1674-4a13-b3e3-4128950d210f", "timestamp": "1513065458", "to_ids": true, "value": "ssh", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8bf2-1100-432c-acd1-4b14950d210f", "timestamp": "1513065458", "to_ids": true, "value": "ba2f90f85cada4be24d925cbff0c2efea6e7f3a8", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8bf3-0b00-4286-87fd-4c04950d210f", "timestamp": "1513065459", "to_ids": true, "value": "a365fd9076af4d841c84accd58287801", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8bf4-5f10-48bc-bd2d-42ba950d210f", "timestamp": "1513065460", "to_ids": false, "value": "1180521", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8c82-07a8-45b4-9457-4200950d210f", "sharing_group_id": "0", "timestamp": "1513065602", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8c83-87c4-4b10-ba75-4949950d210f", "timestamp": "1513065603", "to_ids": true, "value": "sshd", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8c83-5a94-47e7-b07d-4b40950d210f", "timestamp": "1513065603", "to_ids": true, "value": "96e56c39f38b4ef5ac4196ca12742127f286c6fa", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8c84-228c-4e77-89a3-4297950d210f", "timestamp": "1513065604", "to_ids": true, "value": "9e2e4df27698615df92822646dc9e16b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8c86-145c-4d87-8501-4df8950d210f", "timestamp": "1513065606", "to_ids": false, "value": "1614437", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8d2a-dec0-4067-b077-4e7d950d210f", "sharing_group_id": "0", "timestamp": "1540548455", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8d2a-9e14-417a-88b8-416c950d210f", "timestamp": "1513065770", "to_ids": true, "value": "auditd", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8d2b-76d0-4d0d-91f9-4dfa950d210f", "timestamp": "1513065771", "to_ids": true, "value": "1d3501b30183ba213fb4c22a00d89db6fd50cc34", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8d2b-8724-4467-9a4c-4c0b950d210f", "timestamp": "1513065771", "to_ids": true, "value": "b57dc2bc16dfdb3de55923aef9a98401", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8d2c-c0b4-4d0b-8f72-4790950d210f", "timestamp": "1513065772", "to_ids": false, "value": "21616", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f", "sharing_group_id": "0", "timestamp": "1513065839", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8d6f-68e4-49b5-9767-449c950d210f", "timestamp": "1513065839", "to_ids": true, "value": "winexe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8d70-802c-4da0-9f23-4cfb950d210f", "timestamp": "1513065840", "to_ids": true, "value": "286bf53934aa33ddf220d61c394af79221a152f1", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8d71-29c8-495a-ab4a-4484950d210f", "timestamp": "1513065841", "to_ids": true, "value": "edce844a219c7534e6a1e7c77c3cb020", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8d72-6bfc-4984-8e7e-4017950d210f", "timestamp": "1513065842", "to_ids": false, "value": "8126714", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8dca-2278-4017-835c-4e9b950d210f", "sharing_group_id": "0", "timestamp": "1513065930", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8dca-8f4c-46e5-9a94-4d5c950d210f", "timestamp": "1513065930", "to_ids": true, "value": "l", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8dcb-8688-4c09-bd9f-4cbd950d210f", "timestamp": "1513065931", "to_ids": true, "value": "149a9270d9160120229b7c088975c2754e3b5333", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8dcd-95dc-4d19-b5f6-44fc950d210f", "timestamp": "1513065933", "to_ids": true, "value": "771fa63231fb42ee97aa17818a53f432", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8dcd-81e4-48db-8e2c-49f4950d210f", "timestamp": "1513065933", "to_ids": false, "value": "16333", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8e07-cd40-4b64-9b3f-4cc0950d210f", "sharing_group_id": "0", "timestamp": "1513065991", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8e07-df00-4c4c-9eae-4607950d210f", "timestamp": "1513065991", "to_ids": true, "value": "pscan", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8e08-a200-4d44-bd99-4a60950d210f", "timestamp": "1513065992", "to_ids": true, "value": "039f814cdd4ac6f675c908067d5be1d6f9acc31f", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8e09-1034-451b-a189-4cf2950d210f", "timestamp": "1513065993", "to_ids": true, "value": "0f1c4a2a795fb58bd3c5724af6f1f71a", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8e0a-0fe0-412a-b6a9-445b950d210f", "timestamp": "1513065994", "to_ids": false, "value": "10340", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f8e44-5d50-48a8-be17-4d0a950d210f", "sharing_group_id": "0", "timestamp": "1540548456", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f8e44-db50-4840-a77c-4c6b950d210f", "timestamp": "1513066052", "to_ids": true, "value": "ctlmon.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8e45-e990-4e9f-a063-457b950d210f", "timestamp": "1513066053", "to_ids": true, "value": "450605b6761ff8dd025978f44724b11e0c5eadcc", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f8e46-9578-456f-85af-4bbd950d210f", "timestamp": "1513066054", "to_ids": true, "value": "370d420948672e04ba8eac10bfe6fc9c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f8e48-9474-43c6-afcc-4df6950d210f", "timestamp": "1513066056", "to_ids": false, "value": "4392448", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f950e-862c-4a2b-a94e-45a3950d210f", "sharing_group_id": "0", "timestamp": "1513067790", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f950f-a388-4ecf-95ee-45a3950d210f", "timestamp": "1513067791", "to_ids": true, "value": "ctlmon_v2.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f950f-8394-40d6-a993-45a3950d210f", "timestamp": "1513067791", "to_ids": true, "value": "08f527bef45cb001150ef12ad9ab91d1822bb9c7", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9510-f6ac-45ae-8116-45a3950d210f", "timestamp": "1513067792", "to_ids": true, "value": "5ddf9683692154986494ca9dd74b588f", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9511-8660-4f40-a239-45a3950d210f", "timestamp": "1513067793", "to_ids": false, "value": "4047691", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9576-3c3c-4790-9339-397e950d210f", "sharing_group_id": "0", "timestamp": "1513067894", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9577-223c-4685-ae5b-397e950d210f", "timestamp": "1513067895", "to_ids": true, "value": "ctlmon_v3.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9577-6514-4582-857b-397e950d210f", "timestamp": "1513067895", "to_ids": true, "value": "7b27771de1a2540008758e9894bfe168f26bffa0", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9578-aafc-43ec-aef1-397e950d210f", "timestamp": "1513067896", "to_ids": true, "value": "f9766140642c24d422e19e9cf35f2827", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9579-ced4-42fa-a9e6-397e950d210f", "timestamp": "1513067897", "to_ids": false, "value": "4063744", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f95ab-28d4-49bf-ac64-1e00950d210f", "sharing_group_id": "0", "timestamp": "1513067947", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f95ab-760c-40ca-9614-1e00950d210f", "timestamp": "1513067947", "to_ids": true, "value": "svcmd.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f95ac-69b8-44b5-bc0b-1e00950d210f", "timestamp": "1513067948", "to_ids": true, "value": "54074b3934955d4121d1a01fe2ed5493c3f7f16d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f95ad-d658-4903-ab18-1e00950d210f", "timestamp": "1513067949", "to_ids": true, "value": "8b3a91038ecb2f57de5bbd29848b6dc4", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f95ad-4268-46b2-bc80-1e00950d210f", "timestamp": "1513067949", "to_ids": false, "value": "47104", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f95f0-4c64-4b47-a395-4a58950d210f", "sharing_group_id": "0", "timestamp": "1513068016", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f95f0-396c-470c-b4fa-4a58950d210f", "timestamp": "1513068016", "to_ids": true, "value": "TINYP2.bin", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f95f1-dc78-4535-a56d-4a58950d210f", "timestamp": "1513068017", "to_ids": true, "value": "6c17113f66efa5115111a9e67c6ddd026ba9b55d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f95f1-9778-4a49-81de-4a58950d210f", "timestamp": "1513068017", "to_ids": true, "value": "7393cb0f409f8f51b7745981ac30b8b6", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f95f2-367c-4e53-9b9f-4a58950d210f", "timestamp": "1513068018", "to_ids": false, "value": "277504", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9643-08a8-4902-b7f4-4843950d210f", "sharing_group_id": "0", "timestamp": "1513068099", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9643-2558-42c6-b55c-4013950d210f", "timestamp": "1513068099", "to_ids": true, "value": "ps.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9644-8278-4f47-a436-44c0950d210f", "timestamp": "1513068100", "to_ids": true, "value": "c020f8939f136b4785dda7b2e4b80ced96e23663", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9644-9f14-41d2-93b4-4013950d210f", "timestamp": "1513068100", "to_ids": true, "value": "c4d746b8e5e8e12a50a18c9d61e01864", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9645-1164-4d31-a514-4ea6950d210f", "timestamp": "1513068101", "to_ids": false, "value": "234496", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f99b1-a784-4add-bcf7-4933950d210f", "sharing_group_id": "0", "timestamp": "1540548456", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f99b1-fdd0-4093-8ae6-4933950d210f", "timestamp": "1513068977", "to_ids": true, "value": "UIAutomationCore.dll.bin", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f99b2-2df0-4763-809c-4933950d210f", "timestamp": "1513068978", "to_ids": true, "value": "457b1cd985ed07baffd8c66ff40e9c1b6da93753", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f99b3-f0f4-4452-9488-4933950d210f", "timestamp": "1513068979", "to_ids": true, "value": "bd126a7b59d5d1f97ba89a3e71425731", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f99b3-e034-471f-952a-4933950d210f", "timestamp": "1513068979", "to_ids": false, "value": "401408", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f99dc-c454-41e9-a090-458d950d210f", "sharing_group_id": "0", "timestamp": "1540548456", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f99dc-c60c-4138-97b1-458d950d210f", "timestamp": "1513069020", "to_ids": true, "value": "pscp.bin", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f99dd-3594-4126-a957-458d950d210f", "timestamp": "1513069021", "to_ids": true, "value": "9240e1744e7272e59e482f68a10f126fdf501be0", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f99de-76c4-41b6-8cd7-458d950d210f", "timestamp": "1513069022", "to_ids": true, "value": "b3135736bcfdab27f891dbe4009a8c80", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f99de-dc70-4b39-8500-458d950d210f", "timestamp": "1513069022", "to_ids": false, "value": "359336", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f", "sharing_group_id": "0", "timestamp": "1513069181", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9a7e-e840-4ac1-98a4-1d7a950d210f", "timestamp": "1513069182", "to_ids": true, "value": "xxx32.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9a7e-b664-41a1-a2ed-1d7a950d210f", "timestamp": "1513069182", "to_ids": true, "value": "2197e35f14ff9960985c982ed6d16d5bd5366062", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9a7f-36f0-46d5-83b2-1d7a950d210f", "timestamp": "1513069183", "to_ids": true, "value": "6499863d47b68030f0c5ffafaffb1344", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9a80-33b8-4f1c-be08-1d7a950d210f", "timestamp": "1513069184", "to_ids": false, "value": "528896", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9e7f-cbd0-4050-845b-4a58950d210f", "sharing_group_id": "0", "timestamp": "1513070207", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9e7f-dc80-413b-8ea4-4a58950d210f", "timestamp": "1513070207", "to_ids": true, "value": "xxx64.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9e7f-b194-4ec4-85f2-4a58950d210f", "timestamp": "1513070207", "to_ids": true, "value": "355603b1922886044884afbdfa9c9a6626b6669a", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9e7f-86cc-4e41-8307-4a58950d210f", "timestamp": "1513070207", "to_ids": true, "value": "752d245f1026482a967a763dae184569", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9e7f-9900-437d-9cf8-4a58950d210f", "timestamp": "1513070207", "to_ids": false, "value": "589312", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9e9a-48a0-4ed3-91fe-825f950d210f", "sharing_group_id": "0", "timestamp": "1513070234", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9e9a-f134-4cd4-aa71-825f950d210f", "timestamp": "1513070234", "to_ids": true, "value": "ccs.bmp", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9e9b-0f30-42a3-aee5-825f950d210f", "timestamp": "1513070235", "to_ids": true, "value": "6bc46528da6cd224fa5e58ccd9df5b05c46c673d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9e9c-6fe8-4336-9427-825f950d210f", "timestamp": "1513070236", "to_ids": true, "value": "d406e037f034b89c85758af1a98110be", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9e9d-f6c4-437e-a544-825f950d210f", "timestamp": "1513070237", "to_ids": false, "value": "82944", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2f9f45-8874-4ec0-9e5f-7e7d950d210f", "sharing_group_id": "0", "timestamp": "1540548456", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2f9f46-874c-41b8-94da-7e7d950d210f", "timestamp": "1513070406", "to_ids": true, "value": "infos.bmp", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9f46-48f0-4030-9d44-7e7d950d210f", "timestamp": "1513070406", "to_ids": true, "value": "42ce9c2bd246a0243fa91309938042e434b39876", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2f9f47-a1a8-4446-9483-7e7d950d210f", "timestamp": "1513070407", "to_ids": true, "value": "ab8bed25f9ff64a4b07be5d3bc34f26b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2f9f48-c5ac-4c97-be90-7e7d950d210f", "timestamp": "1513070408", "to_ids": false, "value": "494080", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a2fa096-2e10-4212-81a1-4a63950d210f", "sharing_group_id": "0", "timestamp": "1513070742", "description": "File object describing a file with meta-information", "template_version": "7", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a2fa096-f48c-4693-adbc-4c9c950d210f", "timestamp": "1513070742", "to_ids": true, "value": "pscan.bmp", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2fa096-19b8-4f8c-bddd-4116950d210f", "timestamp": "1513070742", "to_ids": true, "value": "ca5e195692399dca99a4d8299dc9ff816168a6dc", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a2fa097-89d4-47a9-a5a1-4530950d210f", "timestamp": "1513070743", "to_ids": true, "value": "d825fbd90087d2350e89cbf205a1b71c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Other", "uuid": "5a2fa098-efa0-46e7-bbce-45ad950d210f", "timestamp": "1513070744", "to_ids": false, "value": "65024", "disable_correlation": false, "object_relation": "size-in-bytes", "type": "size-in-bytes"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f", "sharing_group_id": "0", "timestamp": "1513070804", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "5", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5a2fa0d4-7eb8-41cb-b809-7e7b950d210f", "timestamp": "1513070804", "to_ids": false, "value": "443", "disable_correlation": false, "object_relation": "dst-port", "type": "port"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0d5-6444-48de-aa7f-7e7b950d210f", "timestamp": "1513070805", "to_ids": true, "value": "107.181.246.146", "disable_correlation": false, "object_relation": "ip", "type": "ip-dst"}], "distribution": "5", "meta-category": "network", "name": "ip-port"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "89923362-01fd-4462-9078-fa8ec72fb5d9", "sharing_group_id": "0", "timestamp": "1513185763", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "89923362-01fd-4462-9078-fa8ec72fb5d9", "uuid": "5a3161e2-9cb0-4877-954a-435102de0b81", "timestamp": "1513185762", "referenced_uuid": "43dfa9b6-ada3-4c52-836c-b9472dacb095", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a3161e0-7510-404f-b9a3-49d802de0b81", "timestamp": "1513185760", "to_ids": true, "value": "8c7659e6ee9fe5ead17cae2969d3148730be509b", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a3161e0-515c-4598-b011-41cb02de0b81", "timestamp": "1513185760", "to_ids": true, "value": "e3c061fa0450056e30285fd44a74cd2a", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a3161e0-2ad0-444c-9a20-478902de0b81", "timestamp": "1513185760", "to_ids": true, "value": "e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "43dfa9b6-ada3-4c52-836c-b9472dacb095", "sharing_group_id": "0", "timestamp": "1513185760", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "Host Indicators", "category": "External analysis", "uuid": "5a3161e0-7518-48ff-8668-464302de0b81", "timestamp": "1513185760", "to_ids": false, "value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513180609/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "Host Indicators", "category": "Other", "uuid": "5a3161e0-4a20-406c-8f4e-432702de0b81", "timestamp": "1513185760", "to_ids": false, "value": "0/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "Host Indicators", "category": "Other", "uuid": "5a3161e0-2548-4a4e-a11f-461402de0b81", "timestamp": "1513185760", "to_ids": false, "value": "2017-12-13 15:56:49", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "9bb176f2-bd20-46fc-b023-173cc70ca916", "sharing_group_id": "0", "timestamp": "1513185763", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "9bb176f2-bd20-46fc-b023-173cc70ca916", "uuid": "5a3161e2-325c-44ea-9926-41a402de0b81", "timestamp": "1513185762", "referenced_uuid": "ed40b0bd-3168-4d2b-a6be-55ac4a22f043", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a3161e0-945c-4728-a162-472002de0b81", "timestamp": "1513185760", "to_ids": true, "value": "42ce9c2bd246a0243fa91309938042e434b39876", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e0-add8-4678-8b6d-426002de0b81", "timestamp": "1513185760", "to_ids": true, "value": "ab8bed25f9ff64a4b07be5d3bc34f26b", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e0-6118-4250-bec3-4d3402de0b81", "timestamp": "1513185760", "to_ids": true, "value": "91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "ed40b0bd-3168-4d2b-a6be-55ac4a22f043", "sharing_group_id": "0", "timestamp": "1513185760", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a3161e0-b6a4-44ba-9bc7-4a7002de0b81", "timestamp": "1513185760", "to_ids": false, "value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a3161e0-2ffc-4265-a867-4c3202de0b81", "timestamp": "1513185760", "to_ids": false, "value": "0/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a3161e0-3b04-46b9-a02c-4cf402de0b81", "timestamp": "1513185760", "to_ids": false, "value": "2017-12-07 16:25:32", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "00aa97a0-e3ba-4abb-9f43-f1050891a7c9", "sharing_group_id": "0", "timestamp": "1513185763", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "00aa97a0-e3ba-4abb-9f43-f1050891a7c9", "uuid": "5a3161e2-63b0-49f6-b39a-40e402de0b81", "timestamp": "1513185762", "referenced_uuid": "24f8e29e-62a4-44f0-a621-8e49495fe6f5", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-53c4-4a96-abbd-44a402de0b81", "timestamp": "1513185761", "to_ids": true, "value": "1d3501b30183ba213fb4c22a00d89db6fd50cc34", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-105c-4528-8bd7-4b8b02de0b81", "timestamp": "1513185761", "to_ids": true, "value": "b57dc2bc16dfdb3de55923aef9a98401", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-8b68-4857-84eb-4caf02de0b81", "timestamp": "1513185761", "to_ids": true, "value": "3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "24f8e29e-62a4-44f0-a621-8e49495fe6f5", "sharing_group_id": "0", "timestamp": "1513185761", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a3161e1-b860-4724-ae56-4d9802de0b81", "timestamp": "1513185761", "to_ids": false, "value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a3161e1-6e0c-4549-af43-450602de0b81", "timestamp": "1513185761", "to_ids": false, "value": "15/59", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a3161e1-618c-4f11-bdac-4c7e02de0b81", "timestamp": "1513185761", "to_ids": false, "value": "2017-12-07 13:40:00", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "b542464d-5ee4-4028-8de3-db54d17c64ce", "sharing_group_id": "0", "timestamp": "1513185764", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "b542464d-5ee4-4028-8de3-db54d17c64ce", "uuid": "5a3161e2-6eb8-4922-b24b-4e1a02de0b81", "timestamp": "1513185762", "referenced_uuid": "0f1de71f-46a2-475a-87ec-f980d6db213b", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-66a8-4227-be9f-4d1b02de0b81", "timestamp": "1513185761", "to_ids": true, "value": "9240e1744e7272e59e482f68a10f126fdf501be0", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-e404-4638-b45d-4d0f02de0b81", "timestamp": "1513185761", "to_ids": true, "value": "b3135736bcfdab27f891dbe4009a8c80", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e1-fe30-4b5b-af02-4c0f02de0b81", "timestamp": "1513185761", "to_ids": true, "value": "b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "0f1de71f-46a2-475a-87ec-f980d6db213b", "sharing_group_id": "0", "timestamp": "1513185761", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a3161e2-673c-4d02-b7f1-460902de0b81", "timestamp": "1513185762", "to_ids": false, "value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1512431431/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-4c44-4f90-9448-461502de0b81", "timestamp": "1513185762", "to_ids": false, "value": "0/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-7180-4ce2-9e15-4f0d02de0b81", "timestamp": "1513185762", "to_ids": false, "value": "2017-12-04 23:50:31", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "91f0fa15-c3f6-41d7-bf1b-79bb33f8390b", "sharing_group_id": "0", "timestamp": "1513185765", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "91f0fa15-c3f6-41d7-bf1b-79bb33f8390b", "uuid": "5a3161e2-f2bc-44a9-9f1b-476a02de0b81", "timestamp": "1513185762", "referenced_uuid": "e630b519-28d2-45d2-be53-c5cc2faef367", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-e638-4c30-a4ce-4b4502de0b81", "timestamp": "1513185762", "to_ids": true, "value": "457b1cd985ed07baffd8c66ff40e9c1b6da93753", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-5668-467f-9992-476e02de0b81", "timestamp": "1513185762", "to_ids": true, "value": "bd126a7b59d5d1f97ba89a3e71425731", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-638c-44ee-b8b0-43c202de0b81", "timestamp": "1513185762", "to_ids": true, "value": "a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "e630b519-28d2-45d2-be53-c5cc2faef367", "sharing_group_id": "0", "timestamp": "1513185762", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a3161e2-ba9c-4b83-b774-4ee902de0b81", "timestamp": "1513185762", "to_ids": false, "value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1513176180/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-1ddc-4e37-a6e5-4a1d02de0b81", "timestamp": "1513185762", "to_ids": false, "value": "2/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-6204-4d87-bca0-4b1402de0b81", "timestamp": "1513185762", "to_ids": false, "value": "2017-12-13 14:43:00", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "d7de718f-c607-49dd-8c9e-563927bb5164", "sharing_group_id": "0", "timestamp": "1513185765", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "d7de718f-c607-49dd-8c9e-563927bb5164", "uuid": "5a3161e2-04f0-4198-bde5-4de302de0b81", "timestamp": "1513185762", "referenced_uuid": "989b543e-eb41-458d-9ac8-e34620fc5226", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-b1e8-4375-b5af-4aa802de0b81", "timestamp": "1513185762", "to_ids": true, "value": "450605b6761ff8dd025978f44724b11e0c5eadcc", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-8714-40b1-8c3b-4e4002de0b81", "timestamp": "1513185762", "to_ids": true, "value": "370d420948672e04ba8eac10bfe6fc9c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a3161e2-6c20-4594-bd14-472502de0b81", "timestamp": "1513185762", "to_ids": true, "value": "9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "989b543e-eb41-458d-9ac8-e34620fc5226", "sharing_group_id": "0", "timestamp": "1513185762", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a3161e2-152c-4e9c-8885-4ae402de0b81", "timestamp": "1513185762", "to_ids": false, "value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1512431431/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-8d84-4fbd-8c38-490602de0b81", "timestamp": "1513185762", "to_ids": false, "value": "33/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a3161e2-3fc8-4bbb-811c-478302de0b81", "timestamp": "1513185762", "to_ids": false, "value": "2017-12-04 23:50:31", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "c9a1352e-1cf8-4120-a36a-0ba1412edb36", "sharing_group_id": "0", "timestamp": "1540548456", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "aec805a5-83b1-4d39-add2-491096984907", "timestamp": "1540548456", "to_ids": false, "value": "2018-10-26 09:45:28", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "74184839-2f88-4a23-b69d-0d13d8c62102", "timestamp": "1540548457", "to_ids": false, "value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1540547128/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "4f0e29fc-09d6-4152-9243-651af8bfb108", "timestamp": "1540548458", "to_ids": false, "value": "0/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "f1c24a94-020b-4842-bd00-554487f85e0c", "sharing_group_id": "0", "timestamp": "1540548458", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "a16db00e-858c-4e85-8cdd-3935eafb0e32", "timestamp": "1540548458", "to_ids": false, "value": "2017-12-07 13:40:00", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "eb41cadf-ee59-43e8-9759-9579024141ff", "timestamp": "1540548458", "to_ids": false, "value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "967b51b7-7183-4d8c-8416-c4dd3f4a383c", "timestamp": "1540548459", "to_ids": false, "value": "15/59", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "799449bf-c6a1-444f-9361-c8b81002729a", "sharing_group_id": "0", "timestamp": "1540548459", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "1eca75fd-0135-4438-9b98-108913702714", "timestamp": "1540548459", "to_ids": false, "value": "2018-10-26 06:34:45", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "0184c0bd-362e-47d3-87d3-392a1a875865", "timestamp": "1540548460", "to_ids": false, "value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1540535685/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "9b2ff29b-3590-4f10-973d-896279089abf", "timestamp": "1540548460", "to_ids": false, "value": "1/65", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "d3b462b9-f076-47dd-996e-7b92f83a871d", "sharing_group_id": "0", "timestamp": "1540548460", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "fe2d043e-f81e-41c8-94d5-780c68b08520", "timestamp": "1540548461", "to_ids": false, "value": "2018-06-18 00:06:58", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "d7b94bd9-d044-4ba3-92d9-09fcf121b98f", "timestamp": "1540548461", "to_ids": false, "value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1529280418/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "63f46b9d-5d23-416f-bba8-76c30370b049", "timestamp": "1540548468", "to_ids": false, "value": "36/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "de299626-d70b-4856-8577-71a19b22be1c", "sharing_group_id": "0", "timestamp": "1540548468", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "c49a7d33-16db-499d-a52e-147a32818bbf", "timestamp": "1540548468", "to_ids": false, "value": "2017-12-07 16:25:32", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "07006736-b056-47cb-9f62-b5fc0da977cf", "timestamp": "1540548472", "to_ids": false, "value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5e3c1df6-c79f-4d33-a8fc-0343fe4e14fb", "timestamp": "1540548473", "to_ids": false, "value": "0/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "9bd18f1d-456c-4ba3-b22f-3ac0da8caacf", "sharing_group_id": "0", "timestamp": "1540548473", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "75f7800c-d9d1-456c-b907-811d025d44d1", "timestamp": "1540548473", "to_ids": true, "value": "7393cb0f409f8f51b7745981ac30b8b6", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "0d45c8ff-c065-4f9b-80be-a1ed1a4e48cf", "timestamp": "1540548473", "to_ids": true, "value": "6c17113f66efa5115111a9e67c6ddd026ba9b55d", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "3cc50e2f-e1ae-47ac-aad1-3e2dd02fc01b", "timestamp": "1540548474", "to_ids": true, "value": "a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "de2cafef-52b7-46ec-b981-f9a5dea89f65", "sharing_group_id": "0", "timestamp": "1540548475", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "5f0cc7ad-b6e0-408c-9006-8ae86e66228c", "timestamp": "1540548475", "to_ids": false, "value": "2018-07-19 12:25:03", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "e35f9d09-6da2-4827-9556-c49ee43ef0bf", "timestamp": "1540548475", "to_ids": false, "value": "https://www.virustotal.com/file/a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b/analysis/1532003103/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "4406a5d5-7d31-43c6-bd2d-9ccad5886875", "timestamp": "1540548481", "to_ids": false, "value": "21/67", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a29b997-3ed0-4604-bfc8-4dcd950d210f", "timestamp": "1513185759", "to_ids": false, "value": "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b0-1dac-4180-866f-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.117.88.97", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b1-bab4-4930-8497-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "95.215.45.116", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b2-14b4-4773-ac02-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "95.215.46.116", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b2-6704-405c-94d4-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.61.148.96", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b2-b574-43d4-8765-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.61.148.145", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a2fa0b2-10f8-4461-9ea5-4933950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.86.151.174", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad90-0854-4508-9b1a-4889950d210f", "timestamp": "1513185760", "to_ids": true, "value": "slpar.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad91-5048-4a72-934e-471e950d210f", "timestamp": "1513185760", "to_ids": true, "value": "centos-repo.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad92-1bf0-4fc7-8825-409b950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.165.29.26", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad93-02fc-46f3-a23e-4bb5950d210f", "timestamp": "1513185760", "to_ids": true, "value": "185.165.29.27", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad93-bba0-45ef-a648-45e9950d210f", "timestamp": "1513185760", "to_ids": true, "value": "5.45.179.173", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad94-2034-4a1a-a49e-4826950d210f", "timestamp": "1513185760", "to_ids": true, "value": "95.215.47.122", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad95-d9d0-4aab-b427-4177950d210f", "timestamp": "1513185760", "to_ids": true, "value": "192.99.14.211", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad95-7e60-4860-b6fe-42b9950d210f", "timestamp": "1513185760", "to_ids": true, "value": "95.215.61.192", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Network Indicators", "category": "Network activity", "uuid": "5a2fad96-5484-48ce-b77e-47b3950d210f", "timestamp": "1513185760", "to_ids": true, "value": "95.215.44.129", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb05d-c778-4fbe-b043-4e56950d210f", "timestamp": "1513164716", "to_ids": true, "value": "1bd7d0c3023c55b5df0201cc5d7bbce1", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb05d-35b8-4ab7-a7f0-42e3950d210f", "timestamp": "1513164716", "to_ids": true, "value": "c01fd758abb423c8336ee1bd5035a6c7", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb05e-ff64-4760-8516-43bc950d210f", "timestamp": "1513164716", "to_ids": true, "value": "0810d239169a13fc0e2e53fc72d2e5f0", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb05f-6cd0-45a2-99b2-4ff8950d210f", "timestamp": "1513164716", "to_ids": true, "value": "d66e31794836dfd2c344d0be435c6d12", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb05f-6338-4c73-9185-4dcc950d210f", "timestamp": "1513164716", "to_ids": true, "value": "e3c061fa0450056e30285fd44a74cd2a", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb060-05d0-4bf6-a42d-4598950d210f", "timestamp": "1513164716", "to_ids": true, "value": "90d4cc6d4b81b8c462f5aa7166fee6fb", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb061-92fc-400e-a558-410a950d210f", "timestamp": "1513164716", "to_ids": true, "value": "eb87856732236e1ac7e168fe264f1b43", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators", "category": "Payload delivery", "uuid": "5a2fb061-28e4-4908-8d24-4c41950d210f", "timestamp": "1513164716", "to_ids": true, "value": "209bc26396e838e4b665fe3d1ccf7787", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a", "category": "Payload delivery", "uuid": "5a310fac-7af4-44fd-b616-da3b02de0b81", "timestamp": "1513185760", "to_ids": true, "value": "e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a", "category": "Payload delivery", "uuid": "5a310fac-a020-462a-8ac7-da3b02de0b81", "timestamp": "1513185760", "to_ids": true, "value": "8c7659e6ee9fe5ead17cae2969d3148730be509b", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a", "category": "External analysis", "uuid": "5a310fac-4260-4700-8a51-da3b02de0b81", "timestamp": "1513185760", "to_ids": false, "value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513123824/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5bd2e2ab-7b04-4327-acbb-4d71950d210f", "timestamp": "1540547243", "to_ids": false, "value": "This report shares actionable threat intelligence and proven threat hunting and incident response methods used by the RSA Incident Response (IR) Team to successfully respond to an intrusion in early-to-mid 2017 by the threat actor group known as CARBANAK,  also known as FIN7. The methodology discussed in this report is designed, and has been tested, to be effective on several currently available security technologies. While the majority of examples shown in this document use the RSA NetWitness\u00ae Suite in their illustrations, the methodology, query logic, and behavioral indicators discussed can be used effectively with any security product providing the necessary visibility. The intrusion and response described in this paper highlight key behavioral tactics, techniques, and procedures (TTP) unique to this engagement, giving significant insight into the thought processes, preparation, and adaptive nature of actors within the CARBANAK threat actor group. This paper also illustrates the RSA Incident Response Team\u2019s Incident Response and Threat Hunting Methodology: an unorthodox, adaptive and highly effective methodology used to successfully detect, investigate, scope, track, contain, and ultimately expel these and many other advanced adversaries.", "disable_correlation": false, "object_relation": null, "type": "text"}], "extends_uuid": "", "published": false, "date": "2017-12-07", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5a29b981-af60-4e6f-af70-480b950d210f"}}
						
						
					
				
				
					
						Reference in a new issue
					
					View git blame
					Copy permalink