{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-11-22",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Turla PNG Dropper is back",
|
|
"publish_timestamp": "1542987293",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1542987280",
|
|
"uuid": "5bf7ba12-bec4-4d01-8330-4373950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#12e200",
|
|
"local": false,
|
|
"name": "misp-galaxy:threat-actor=\"Turla Group\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542962230",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
|
|
"value": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542962228",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7bb86-3374-4ece-8226-4383950d210f",
|
|
"value": "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u2019s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. Nevertheless, we think that it is worth documenting this new use of the PNG Dropper.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542962976",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
|
|
"value": "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542969240",
|
|
"to_ids": false,
|
|
"type": "yara",
|
|
"uuid": "5bf7d798-4a08-48f1-9e9c-4744950d210f",
|
|
"value": "rule turla_png_dropper {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Detects the PNG Dropper used by the Turla group\"\r\n sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n strings:\r\n $api0 = \"GdiplusStartup\"\r\n $api1 = \"GdipAlloc\"\r\n $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n $api3 = \"GdipBitmapLockBits\"\r\n $api4 = \"GdipGetImageWidth\"\r\n $api5 = \"GdipGetImageHeight\"\r\n $api6 = \"GdiplusShutdown\"\r\n\r\n $code32 = {\r\n 8B 46 3C // mov eax, [esi+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n 66 39 4C 30 18 // cmp [eax+esi+18h], cx\r\n 8B 44 30 28 // mov eax, [eax+esi+28h]\r\n 6A 00 // push 0\r\n B9 AF BE AD DE // mov ecx, 0DEADBEAFh\r\n 51 // push ecx\r\n 51 // push ecx\r\n 03 C6 // add eax, esi\r\n 56 // push esi\r\n FF D0 // call eax\r\n }\r\n\r\n $code64 = {\r\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n BA AF BE AD DE // mov edx, 0DEADBEAFh\r\n 66 39 4C 18 18 // cmp [rax+rbx+18h], cx\r\n 8B 44 18 28 // mov eax, [rax+rbx+28h]\r\n 45 33 C9 // xor r9d, r9d\r\n 44 8B C2 // mov r8d, edx\r\n 48 8B CB // mov rcx, rbx\r\n 48 03 C3 // add rax, rbx\r\n FF D0 // call rax\r\n }\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n all of ($api*) and \r\n 1 of ($code*)\r\n}"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542969294",
|
|
"to_ids": false,
|
|
"type": "yara",
|
|
"uuid": "5bf7d7ce-2514-4e61-ac16-6b24950d210f",
|
|
"value": "import \"pe\"\r\n\r\nrule turla_png_reg_enum_payload {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Payload that has most recently been dropped by the Turla PNG Dropper\"\r\n sha256 = \"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n strings:\r\n $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n $crypt01 = \"ChainingModeCBC\" wide\r\n $crypt02 = \"AES\" wide\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumKeyExA\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542970221",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
|
|
"value": "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1542971162",
|
|
"to_ids": false,
|
|
"type": "yara",
|
|
"uuid": "5bf7df1a-f8d4-46d6-837e-446b950d210f",
|
|
"value": "rule PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"CarbonBlack Threat Research\"\r\n\r\n date = \"2017-June-11\"\r\n\r\n description = \"Dropper tool that extracts payload from PNG resources\"\r\n\r\n yara_version = \"3.5.0\"\r\n\r\n exemplar_hashes = \"3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158\"\r\n\r\n strings:\r\n\r\n$s1 = \"GdipGetImageWidth\"\r\n\r\n$s2 = \"GdipGetImageHeight\"\r\n\r\n$s3 = \"GdipCreateBitmapFromStream\"\r\n\r\n$s4 = \"GdipCreateBitmapFromStreamICM\"\r\n\r\n$s5 = \"GdipBitmapLockBits\"\r\n\r\n$s6 = \"GdipBitmapUnlockBits\"\r\n\r\n$s7 = \"LockResource\"\r\n\r\n$s8 = \"LoadResource\"\r\n\r\n$s9 = \"ExpandEnvironmentStringsW\"\r\n\r\n$s10 = \"SetFileTime\"\r\n\r\n$s11 = \"memcmp\"\r\n\r\n$s12 = \"strlen\"\r\n\r\n$s13 = \"memcpy\"\r\n\r\n$s14 = \"memchr\"\r\n\r\n$s15 = \"memmove\"\r\n\r\n$s16 = \"ZwQueryValueKey\"\r\n\r\n$s17 = \"ZwQueryInformationProcess\"\r\n\r\n$s18 = \"FindNextFile\"\r\n\r\n$s19 = \"GetModuleHandle\"\r\n\r\n$s20 = \"VirtualFree\"\r\n\r\n$PNG1 = {89 50 4E 47 [8] 49 48 44 52} //PNG Header (signature, 4-byte chunk length, then IHDR)\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n \r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and// MZ header check\r\n\r\n filesize < 6MB and\r\n\r\n 18 of ($s*) and\r\n\r\n (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit1 and $bin32_virt1\r\n\r\n (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit - present more than 2 times and $bin64_virt1\r\n\r\n}"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "PNG Dropper",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542970068",
|
|
"uuid": "5bf7dad4-098c-4666-9e4d-4958950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542970068",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5bf7dad4-db18-4586-9b00-4988950d210f",
|
|
"value": "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542970069",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7dad5-ee80-4267-9991-49d4950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Payload contained in the PNG dropper",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542970154",
|
|
"uuid": "5bf7db2a-2440-4ed3-ae21-6b24950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542970154",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5bf7db2a-6678-4b72-b145-6b24950d210f",
|
|
"value": "fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542970155",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7db2b-3808-4718-9d6b-6b24950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971483",
|
|
"uuid": "5bf7e05b-4018-4130-afed-4d90950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542971483",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5bf7e05b-60bc-4d89-ae68-41a3950d210f",
|
|
"value": "f84aa30676d2c05ed290b43c4c1e2d4c"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971484",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e05c-5eb4-477d-8b71-472a950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971497",
|
|
"uuid": "5bf7e069-2af4-442f-a0c4-4cd4950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542971497",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5bf7e069-b618-4cf0-a583-4a9e950d210f",
|
|
"value": "ae2ec6d8e455c674d5486ce198d4d46e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971498",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e06a-3020-402e-997f-458d950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971595",
|
|
"uuid": "5bf7e0cb-7f0c-4eef-a610-f5d5950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542971595",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5bf7e0cb-cbf0-4b3e-861f-f5d5950d210f",
|
|
"value": "7a1a174dd24d3f88454615102a074600"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971595",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e0cb-c628-4527-930c-f5d5950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971618",
|
|
"uuid": "5bf7e0e2-94c8-47df-a0ae-4620950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542971619",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bf7e0e3-9014-4a74-a457-4f81950d210f",
|
|
"value": "645985805780510670092469b7627a23803eefd1"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971619",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e0e3-8a8c-45a5-8619-4eb3950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971683",
|
|
"uuid": "5bf7e123-cbfc-4f9c-a8c0-4064950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542971684",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bf7e124-a378-40e4-a94c-4e58950d210f",
|
|
"value": "17941a20d86c9518c168c7f765785095a57246a3"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971684",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e124-4584-4dae-8be4-4740950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971782",
|
|
"uuid": "5bf7e186-6c94-4a68-90a1-493a950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542971782",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bf7e186-cb30-44d9-b585-48bd950d210f",
|
|
"value": "ba221b85c1923866ce2ec3cd0824970216052c82"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971783",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e187-1184-4eda-aee5-4727950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971848",
|
|
"uuid": "5bf7e1c8-5f30-420c-b9e1-f5d5950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542971848",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5bf7e1c8-e5bc-43ed-b004-f5d5950d210f",
|
|
"value": "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971849",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e1c9-1fac-4081-9c58-f5d5950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971906",
|
|
"uuid": "5bf7e202-29a4-4f46-94cc-fb4f950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542971906",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5bf7e202-341c-42e8-80ac-fb4f950d210f",
|
|
"value": "69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971907",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e203-5a04-410b-b272-fb4f950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1542971920",
|
|
"uuid": "5bf7e210-29f8-4e5c-964e-37a2950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542971920",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5bf7e210-9948-4834-a0df-37a2950d210f",
|
|
"value": "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1542971921",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5bf7e211-2910-4ac8-a5b9-37a2950d210f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1542987247",
|
|
"uuid": "370ee35f-2e62-4fa1-87de-59a36b9ad817",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542987247",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "b2221f9c-1ec7-4db4-b68b-4a0602a72a52",
|
|
"value": "7a1a174dd24d3f88454615102a074600"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542987248",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "c0a23277-a937-47f9-8761-a4912552b6aa",
|
|
"value": "645985805780510670092469b7627a23803eefd1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542987248",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d0e263d7-b204-47bc-ba11-d372c6e954d1",
|
|
"value": "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1542987249",
|
|
"uuid": "003ceafa-e652-4272-89f0-356846947659",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1542987249",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7",
|
|
"value": "2018-10-17T23:41:05"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1542987249",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "2b06642b-d74e-4910-9a74-980fdb5cebb3",
|
|
"value": "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1542987250",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2a5f6f23-8854-48fd-bb7c-dda116812263",
|
|
"value": "48/67"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1542987250",
|
|
"uuid": "672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542987250",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "3d4227f3-7900-4736-ab21-d4a27e607a18",
|
|
"value": "f84aa30676d2c05ed290b43c4c1e2d4c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542987250",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "e5ffabb1-86a8-44ca-88e8-15f6327d759f",
|
|
"value": "17941a20d86c9518c168c7f765785095a57246a3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542987251",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "2678d24f-e74d-4b73-b66b-dcc94b2cfdbf",
|
|
"value": "69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1542987251",
|
|
"uuid": "ebf1d2c1-c387-463f-ac79-5573cec56447",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1542987251",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa",
|
|
"value": "2018-09-27T23:11:14"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1542987252",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "3e316cfb-ba54-4612-9ee6-20204adc750d",
|
|
"value": "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1542987252",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e2c20e0f-18f6-4fbf-86ad-f0d025f17266",
|
|
"value": "24/68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1542987252",
|
|
"uuid": "07a6a6dc-9c22-4773-8432-cdd60d62f8bc",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542987252",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "b3877b2d-3d83-4d75-b058-bbc1712c42e1",
|
|
"value": "ae2ec6d8e455c674d5486ce198d4d46e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542987253",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "d9a5a82b-ec36-46b9-9601-1e24fb36c7fa",
|
|
"value": "ba221b85c1923866ce2ec3cd0824970216052c82"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542987253",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "d4bee0b8-b4cc-4cce-b3aa-2e81601f9f03",
|
|
"value": "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1542987254",
|
|
"uuid": "dfee9eb0-06b6-4817-aa43-a2d63f0a49f2",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1542987254",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "a4daa13a-1374-4259-af44-d8c88ea2cc58",
|
|
"value": "2018-10-17T04:41:54"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1542987254",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "a305ca88-cd28-4233-af68-b4def8e76110",
|
|
"value": "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1542987255",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "ad12f987-16cf-453d-8e0f-bd6d3758823d",
|
|
"value": "45/67"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1542987255",
|
|
"uuid": "b12e81db-47cb-482e-8deb-e6c98261d878",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1542987255",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "750f4fa1-9568-4fbe-a2c5-438d1a9038e5",
|
|
"value": "d2e8e75c30dccd98a95d25b218ba7d2e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1542987255",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "d67d0172-d108-4b6a-a9b0-0a02eee57dd4",
|
|
"value": "72997e699d6c7cd5a2409535bfdef58695ed46fa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1542987256",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "018dc18d-32d8-4f27-bc50-a6825580a146",
|
|
"value": "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1542987256",
|
|
"uuid": "cf0b0660-5bc6-4da8-816b-f6133511fbf0",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1542987256",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "9797ab40-8d7c-4a60-ab23-f6f99e9492b0",
|
|
"value": "2018-11-23T13:40:06"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1542987257",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "2817750f-5b18-463e-baa8-19fba2fb0765",
|
|
"value": "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1542987257",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "164f9a1b-2a21-40de-be22-762bb37ab16e",
|
|
"value": "47/69"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |