adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/ea593018-b2e9-4e7e-8da9-cc20a751e3f6.json

6311 lines
No EOL
217 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "0",
"date": "2023-07-21",
"extends_uuid": "",
"info": "MoustachedBouncer: Espionage against foreign diplomats in Belarus",
"publish_timestamp": "1691696845",
"published": true,
"threat_level_id": "1",
"timestamp": "1691696643",
"uuid": "ea593018-b2e9-4e7e-8da9-cc20a751e3f6",
"Orgc": {
"name": "ESET",
"uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:target-information=\"Belarus\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Email address used by NightClub.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689946468",
"to_ids": false,
"type": "email-src",
"uuid": "6135dc84-9e57-4a3c-8406-7338cf1c742f",
"value": "glen.morriss75@seznam.cz"
},
{
"category": "Network activity",
"comment": "Email address used by NightClub.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689946468",
"to_ids": false,
"type": "email-src",
"uuid": "2efaebfc-00e9-468b-a5af-c3f320ed2e30",
"value": "fhtgbbwi@mail.ru"
},
{
"category": "Network activity",
"comment": "Email address used by MoustachedBouncer operators.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689946468",
"to_ids": false,
"type": "email-dst",
"uuid": "9bce6827-ba66-443b-98b2-2e9cf741add2",
"value": "nvjfnvjfnjf@mail.ru"
},
{
"category": "Network activity",
"comment": "Email address used by MoustachedBouncer operators.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1689946468",
"to_ids": false,
"type": "email-dst",
"uuid": "e4e35985-a451-4725-a8c1-403499277264",
"value": "sunyaf@seznam.cz"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Victim object describes the target of an attack or abuse.",
"meta-category": "misc",
"name": "victim",
"template_uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
"template_version": "6",
"timestamp": "1689947027",
"uuid": "33a36cb8-e7ec-4a16-a737-67bc4d3882cc",
"Attribute": [
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "regions",
"timestamp": "1689946468",
"to_ids": false,
"type": "target-location",
"uuid": "0490c25a-53f0-495e-bf75-6e376e39667d",
"value": "BY"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sectors",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "39e532d5-f490-46e8-9b8f-2410e5d9123f",
"value": "Foreign diplomatic mission"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689947032",
"uuid": "f1e2370c-0cb8-424b-ab63-2f165161e29b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "70d90102-e702-4696-8588-d81d4e81fe5f",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946468",
"to_ids": true,
"type": "text",
"uuid": "65d4eb70-eed5-49e2-9904-dbf13c390ecf",
"value": "JS/TrojanDownloader.Agent.YJJ"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2022-02-28T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947036",
"uuid": "11fe4f04-22b9-43e1-a0e0-ab1cbede8509",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1689946468",
"to_ids": false,
"type": "domain",
"uuid": "ae13d755-f844-4203-9888-d081d62d94b7",
"value": "updates.microsoft.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-03-01T00:00:00+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689947023",
"uuid": "68673e6b-f462-42b1-96c4-71b9cc0687b2",
"ObjectReference": [
{
"comment": "",
"object_uuid": "68673e6b-f462-42b1-96c4-71b9cc0687b2",
"referenced_uuid": "11fe4f04-22b9-43e1-a0e0-ab1cbede8509",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "19a9b336-6d8a-4f47-a9ce-2c051a77b352"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "b36ce15f-a6c6-4759-965d-02f1d01994d1",
"value": "http"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946468",
"to_ids": true,
"type": "url",
"uuid": "6ac7b12a-3a21-42ab-9573-0cb880ae0f65",
"value": "http://updates.microsoft.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "port",
"timestamp": "1689946468",
"to_ids": false,
"type": "port",
"uuid": "966f1853-d464-49fc-8794-669cb3ab22d0",
"value": "80"
}
]
},
{
"comment": "Fake Windows update webpage.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-01T05:53:02+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946468",
"uuid": "5ce832e8-cbee-4eda-a2e4-278006d1f10d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5ce832e8-cbee-4eda-a2e4-278006d1f10d",
"referenced_uuid": "f1e2370c-0cb8-424b-ab63-2f165161e29b",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "7a25c18a-7dc7-4efb-9fd0-9c38e5444264"
},
{
"comment": "",
"object_uuid": "5ce832e8-cbee-4eda-a2e4-278006d1f10d",
"referenced_uuid": "68673e6b-f462-42b1-96c4-71b9cc0687b2",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "0685ca59-abaf-4439-8c45-a81d0441090f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946468",
"to_ids": false,
"type": "filename",
"uuid": "d6fe3c91-6df6-4b02-b37d-0145bdb2f265",
"value": "index.html"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946468",
"to_ids": true,
"type": "md5",
"uuid": "777c5de8-7f77-4a7f-90c2-12dd47424567",
"value": "41898dae353a85c04282979c44448beb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946468",
"to_ids": true,
"type": "sha1",
"uuid": "ad1d3c19-7627-4d1d-9d92-f3436b33a8ff",
"value": "02790dc4b276dfbb26c714f29d19e53129bb6186"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946468",
"to_ids": true,
"type": "sha256",
"uuid": "44415a8e-4b9d-4585-a329-90df4565f42c",
"value": "b654f03e7e9125169088a8b4ee5cd04e3f96982ff1148eef2781d9f2613b08bb"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-03-01T00:00:00+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689947043",
"uuid": "ba525ea8-9e77-40dd-a06e-167099c0d338",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ba525ea8-9e77-40dd-a06e-167099c0d338",
"referenced_uuid": "11fe4f04-22b9-43e1-a0e0-ab1cbede8509",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "0712f52a-2a5a-441f-af96-db3747f4e621"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "6d2fb86d-c88e-4eda-a4de-28bc994fed86",
"value": "http"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946468",
"to_ids": true,
"type": "url",
"uuid": "eca396c5-c21e-456f-bff3-d4b7ecde6e34",
"value": "http://updates.microsoft.com/jdrop.js"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "c148fcb5-0a2e-4a4c-91d6-e7998023c6ff",
"value": "/jdrop.js"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "port",
"timestamp": "1689946468",
"to_ids": false,
"type": "port",
"uuid": "cc015abc-73c1-482a-af7d-94a4093b3a40",
"value": "80"
}
]
},
{
"comment": "JavaScript code that triggers the download prompt of the fake Windows update.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-01T05:54:16+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946468",
"uuid": "9178f8b0-99a7-4cfd-9273-b83b5e871630",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9178f8b0-99a7-4cfd-9273-b83b5e871630",
"referenced_uuid": "f1e2370c-0cb8-424b-ab63-2f165161e29b",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "496bdaa5-1ecf-46fc-9d06-b106213988ab"
},
{
"comment": "",
"object_uuid": "9178f8b0-99a7-4cfd-9273-b83b5e871630",
"referenced_uuid": "ba525ea8-9e77-40dd-a06e-167099c0d338",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "d22cf3c2-8a16-4a7d-afe2-aecf67d862a9"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946468",
"to_ids": false,
"type": "filename",
"uuid": "62458381-df12-4ae1-b1e8-b1c58206d5d8",
"value": "jdrop.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946468",
"to_ids": true,
"type": "md5",
"uuid": "fa38692f-8821-4c8b-816f-a4a4b210a69e",
"value": "56f8c84135c3b42d332ac720c25d0b76"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946468",
"to_ids": true,
"type": "sha1",
"uuid": "fa8051d8-29c4-482a-a3a0-aa54238e0c56",
"value": "6eff58edf7ac0fc60f0b8f7e22cfe243566e2a13"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946468",
"to_ids": true,
"type": "sha256",
"uuid": "9dbdf47a-9e9e-4296-bec6-e13650fd583b",
"value": "498a903f94e91159ccf1b43f363e83252345295435b084ba7d912e3bd0021980"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689947048",
"uuid": "8555643c-fc32-4c47-aecf-00ad3e0b6d48",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "d1c6dda7-59be-4fc8-ae98-02a71fcad6dd",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946468",
"to_ids": true,
"type": "text",
"uuid": "1bb7e7e8-fbff-4c9a-b1ff-95330c38ee38",
"value": "WinGo/Agent.ET"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689947051",
"uuid": "b5cb5d88-8a8d-49ab-8e16-17195de44963",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "3f45530f-1f1f-4c19-90b5-9324e11ef84c",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946468",
"to_ids": false,
"type": "datetime",
"uuid": "d1c8f5ab-4a9d-4c7f-9636-f5e1d44130f3",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946468",
"to_ids": false,
"type": "imphash",
"uuid": "742b0657-d017-4333-bfbc-cc0f505045f8",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946468",
"to_ids": false,
"type": "authentihash",
"uuid": "7a3f58fc-16b1-4b50-82f7-29592b1a362a",
"value": "85aec9a10f2b988b3426bd704dfc26ae8ab549c876f27d1e1c4bbce0f9de3ce6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-02-28T00:00:00+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689947039",
"uuid": "697d3e35-143a-43c0-9ab9-6766488e069d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "697d3e35-143a-43c0-9ab9-6766488e069d",
"referenced_uuid": "11fe4f04-22b9-43e1-a0e0-ab1cbede8509",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "d65efc13-62a4-4de2-aae8-b6e99861211b"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "6c5bb496-1860-4dd6-b558-1b6fc73d7926",
"value": "http"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946468",
"to_ids": true,
"type": "url",
"uuid": "39500972-e8ed-4c0c-8c5c-19177295b465",
"value": "http://updates.microsoft.com/MicrosoftUpdate845255.zip"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946468",
"to_ids": false,
"type": "text",
"uuid": "828e9791-c175-41c5-b7cd-6987a4b5aa24",
"value": "/MicrosoftUpdate845255.zip"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "port",
"timestamp": "1689946468",
"to_ids": false,
"type": "port",
"uuid": "89c6ee3f-1026-4f99-88fe-cc040cf62063",
"value": "80"
}
]
},
{
"comment": "Disco dropper.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-02-28T09:05:56+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946468",
"uuid": "6918d59c-5802-4ec0-b720-53efb2b33ba1",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6918d59c-5802-4ec0-b720-53efb2b33ba1",
"referenced_uuid": "8555643c-fc32-4c47-aecf-00ad3e0b6d48",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "871bde50-72b4-497c-ab11-c01054f38523"
},
{
"comment": "",
"object_uuid": "6918d59c-5802-4ec0-b720-53efb2b33ba1",
"referenced_uuid": "b5cb5d88-8a8d-49ab-8e16-17195de44963",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "72b038b5-f705-41a2-92b1-ddab3dd8d226"
},
{
"comment": "",
"object_uuid": "6918d59c-5802-4ec0-b720-53efb2b33ba1",
"referenced_uuid": "697d3e35-143a-43c0-9ab9-6766488e069d",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "939555b4-6168-411a-a218-40b484b615a2"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946468",
"to_ids": false,
"type": "filename",
"uuid": "5339b125-dc6c-4af7-8239-1fc198726c0c",
"value": "MicrosoftUpdate845255.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946468",
"to_ids": true,
"type": "md5",
"uuid": "f187076b-29c0-4894-a87e-1189dbf001f1",
"value": "367c31aa5e1d3f4d36e56303d73b760d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "c9fb0d70-6759-4a81-ac8e-44c6a38b6c9c",
"value": "e65eb4467ddb1c99b09ae87ba0a964c36bab4c30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "e8261a66-7b30-461b-b603-5d0328c2f20f",
"value": "645aa19daec5752821b194ddbd4a4ec5f0c3072cb58fb140aa6b16abb9cbcfca"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946883",
"uuid": "c28c3bbd-4d77-4ff1-80fe-04ef2e7dff06",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "8264cb02-da17-472e-a0b0-d15ea8198be4",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "b1eff63c-6263-4abd-8b1b-72b5998ccc35",
"value": "WinGo/Runner.B"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946889",
"uuid": "dfd98fbd-2f3d-4109-9e12-9bb1f0cf6259",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "31cc91c4-b749-4135-831e-0f1619e0513d",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "53357943-2229-4088-8bb5-5b2418d72619",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "492fe843-734a-4aad-9960-1a58d8b7344d",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "56694665-de16-40e6-9353-1d6e25c85aaa",
"value": "c016e33501534b84afae053928410f273631ac73f712a059d1dbe613fdbf1cdf"
}
]
},
{
"comment": "Disco plug-in. Execute PowerShell scripts.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2021-11-29T14:33:05+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "cced97f0-086a-4a31-b902-952a7a2d3aa0",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cced97f0-086a-4a31-b902-952a7a2d3aa0",
"referenced_uuid": "c28c3bbd-4d77-4ff1-80fe-04ef2e7dff06",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "c355e9a8-7a02-4152-8029-118683487a46"
},
{
"comment": "",
"object_uuid": "cced97f0-086a-4a31-b902-952a7a2d3aa0",
"referenced_uuid": "dfd98fbd-2f3d-4109-9e12-9bb1f0cf6259",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "b1768bd7-a84d-4b62-bc54-213587d3e75c"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "ad6560b2-c426-462e-8614-3dbe8aa940b7",
"value": "driverpackUpdate.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "8a8937bb-d3cc-4965-92c2-e19e90445030",
"value": "b1f2f44b213831056e2d1fa34031b5df"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "27e0fb1c-7bd7-48e0-9589-d75acf179d4b",
"value": "3a9b699a25257cbd0476cb1239ff9b25810305fe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "47856ef3-3dbd-4d01-bb0d-4cad4eeccf59",
"value": "89b7c003b65365241e100d895a7ad7926d8eafe109ba26669cfc9f6c259ad8fd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946913",
"uuid": "b8e8926b-f611-4d76-a56a-5b61d8b4167d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "868bac42-49a1-4480-bc0e-07222c08e5ac",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "dd0ff957-5250-414b-bfec-714162dfb457",
"value": "WinGo/Runner.C"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946877",
"uuid": "39ae74ee-34c8-42ea-a5bf-4e6feb0d4674",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "85499470-4938-4ab6-b6b9-1b1490441e82",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "24cd99d9-c406-46bd-8603-4f14ee80f6b1",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "bf6e57fd-4c41-4675-960d-48633923b573",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "4106d79f-d72a-4cfa-b4ca-e7aa3f08b2ec",
"value": "8fbd81ffe1d2361607673bc002492ab67e83a512600c3fb8890283ffb5656564"
}
]
},
{
"comment": "\"Fake\" SMB share IP address.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946469",
"uuid": "65405377-76ee-4c40-ab8f-db7f8204428c",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946469",
"to_ids": false,
"type": "ip-dst",
"uuid": "3e1117e5-cb5b-4e0a-a582-259650f8eba1",
"value": "38.9.8.78"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-03-07T11:49:25+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946908",
"uuid": "a179fa6a-7dae-43b3-a0da-0100a562d440",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a179fa6a-7dae-43b3-a0da-0100a562d440",
"referenced_uuid": "65405377-76ee-4c40-ab8f-db7f8204428c",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "c054e91e-d58c-4115-b824-5b781a1a2fd8"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "f66e279f-01bb-4f40-b986-6c85b27103e9",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "8501fd71-336e-45a3-a65f-d9ae8a28f4e1",
"value": "smb://38.9.8.78/driverpack/DPU.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "587cd247-8b36-4a36-a2bc-d1940e680cfc",
"value": "/driverpack/DPU.exe"
}
]
},
{
"comment": "Disco plug-in. Execute PowerShell scripts.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-07T11:49:25+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "5f677eb8-5b42-49b4-84a1-9a8f7143a6a2",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5f677eb8-5b42-49b4-84a1-9a8f7143a6a2",
"referenced_uuid": "b8e8926b-f611-4d76-a56a-5b61d8b4167d",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "5387ab10-1a02-48be-8bdf-efc6dddae463"
},
{
"comment": "",
"object_uuid": "5f677eb8-5b42-49b4-84a1-9a8f7143a6a2",
"referenced_uuid": "39ae74ee-34c8-42ea-a5bf-4e6feb0d4674",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "4d7edd1c-5775-404d-bacb-fc04ae1659ab"
},
{
"comment": "",
"object_uuid": "5f677eb8-5b42-49b4-84a1-9a8f7143a6a2",
"referenced_uuid": "a179fa6a-7dae-43b3-a0da-0100a562d440",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "c6c8cf5f-1b50-4958-9da8-c34ec7c1874b"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "d92ac200-6c2c-47d3-b3c5-ea6a21dce932",
"value": "DPU.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "4483209e-b0ea-45ab-8142-42cb5f47a231",
"value": "05821f6ad89a5c9c586ff662e82b0e1c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "87e54a81-b9a3-4acb-a822-133acbd2943a",
"value": "19e3d06fbe276d4aaea25abc36cc40ea88435630"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "f80a817d-3b3c-4e66-b26b-ffae10d32c2e",
"value": "9fc8a77b40ac77ae892bd43fd174fc21d3dafff0e7fcceefea98bd4dc7e26a32"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946920",
"uuid": "6d176998-9af8-4733-936d-bd29d6a19973",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "d0547013-efa2-4d2f-9072-b3b111437f0b",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "01084c24-38d2-4842-90cd-2c2cd1ac03f3",
"value": "Win64/Exploit.CVE-2021-1732.I"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946902",
"uuid": "00fe6521-be7e-47d1-a37b-8e082e5d55cf",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "8da58246-09ef-4b84-9464-312bdf4c233c",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "6d6635a5-2250-45dd-a7ea-706d390b7a72",
"value": "2021-11-29T13:33:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "e4df4f91-1624-4bfd-92ce-a1ee96e014e6",
"value": "ef263ccd3c50525efd62546d5922e7de"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "69d8f75c-8224-4126-8f4f-1e98f5a35f22",
"value": "31f087f93e353bc1d79a31bc80e242991a79bda48eea27f49a57f90ad913f7d3"
}
]
},
{
"comment": "Disco plug-in. LPE exploit for CVE-2021-1732.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2021-11-29T14:15:13+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "dfd3f545-7c14-4041-b14e-781dc3dd0828",
"ObjectReference": [
{
"comment": "",
"object_uuid": "dfd3f545-7c14-4041-b14e-781dc3dd0828",
"referenced_uuid": "6d176998-9af8-4733-936d-bd29d6a19973",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "c96617b4-43ce-4a2b-a170-667df94e77a7"
},
{
"comment": "",
"object_uuid": "dfd3f545-7c14-4041-b14e-781dc3dd0828",
"referenced_uuid": "00fe6521-be7e-47d1-a37b-8e082e5d55cf",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "ee855517-2688-4f6e-88fd-691db7305274"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "476418b3-6cde-410a-8e6f-194931fee58f",
"value": "sdrive.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": false,
"type": "md5",
"uuid": "9d6aa46a-09fa-4b8d-9888-1c1dbc24b599",
"value": "5445ca8e5f076c2147bc9312b61a224a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": false,
"type": "sha1",
"uuid": "07ec711a-f0e8-446f-84dd-c2abaa40ee15",
"value": "52be04c420795b0d9c7cd1a4acbf8d5953fafd16"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": false,
"type": "sha256",
"uuid": "eae59680-c18c-454d-b08e-fee0c59b1567",
"value": "b0b8effdda97a3589daaae373bf321810bc29b22623eb12ad7b46fb931e40d9b"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946897",
"uuid": "64d9ba53-9e9e-475f-92ea-592ed9d0ad25",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "ccd7ca1a-bfa1-4f0c-8391-a0c807789468",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "de652205-268d-46d9-939a-9ac79a257355",
"value": "WinGo/Agent.EV"
}
]
},
{
"comment": "Merged from event 1548",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946469",
"uuid": "d6560272-9243-4a9e-9bab-eeab7d6b6541",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "7290a370-d777-4bd1-ae70-d8a467867f1e",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "14715635-64a4-4e38-974f-bcfd95b5d54a",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "40cba63a-0d35-4cc7-8a41-90170d84086a",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "44303605-5ef1-43da-91bc-1432388df6b0",
"value": "dfe87b9de008e466a174a8930e7b93d3d8b580857e7c6d1da847adee373067bc"
}
]
},
{
"comment": "Disco plug-in. Reverse proxy based on revsocks.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-02T17:03:52+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "ab4d0f8a-ad97-4164-ad21-0c00225d1f2d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ab4d0f8a-ad97-4164-ad21-0c00225d1f2d",
"referenced_uuid": "64d9ba53-9e9e-475f-92ea-592ed9d0ad25",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "9263232f-ab67-4a56-8718-0480ce8c8722"
},
{
"comment": "",
"object_uuid": "ab4d0f8a-ad97-4164-ad21-0c00225d1f2d",
"referenced_uuid": "d6560272-9243-4a9e-9bab-eeab7d6b6541",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "5c9c1b1a-17e1-42b0-bad7-3579b05c6a3b"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "e0824c5d-3d8d-4560-85a3-373e153fa910",
"value": "nod32update.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "c70f5144-91d5-4d9d-a20e-aa39eebc6030",
"value": "14500d005f29b5cf9452ea21de0a5771"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "9cd18064-7c87-4ccd-bd80-485a3eeac198",
"value": "0241a01d4b03bd360dd09165b59b63ac2ceceafb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "6fe5b859-f4ff-437e-b1b2-43057f52f40b",
"value": "f7aa0d7d2ef62e3bb9c925375823250f896da6e05d7d8e64ec8cdf8d26932699"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946880",
"uuid": "32734d0e-bfcc-44d7-96a3-d1e272ec5d44",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "f2c1ba17-40d3-4675-814a-429cae5c429e",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "5ace8b27-35d1-4d51-9495-873eb7926ae1",
"value": "WinGo/Spy.Agent.W"
}
]
},
{
"comment": "Merged from event 1548",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946469",
"uuid": "906f9bcd-da99-4235-a25c-b9dc5d700e01",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "29f3fde2-67ff-4dcc-8d4f-0491dd1ded03",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "0b88648a-620f-4a74-ae72-e80ed5515c36",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "48df24bb-9f20-4fd5-92a3-7eed9ede3d92",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "e70bc43b-af08-4aab-bdff-cd140e32a21e",
"value": "58ee19a2e8e695c300e6857923c12257c6b6448203cfe1588a94011d31c7d199"
}
]
},
{
"comment": "\"Fake\" SMB share IP address.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946469",
"uuid": "c4d10ea4-e0a6-4689-bd55-e052e8263355",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946469",
"to_ids": false,
"type": "ip-dst",
"uuid": "502e7ced-cfdd-4a22-b372-2ce2ef516b6e",
"value": "209.19.37.184"
}
]
},
{
"comment": "Merged from event 1548",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2021-11-26T13:56:48+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946469",
"uuid": "548f46db-2410-4a8a-9c86-cff918474455",
"ObjectReference": [
{
"comment": "",
"object_uuid": "548f46db-2410-4a8a-9c86-cff918474455",
"referenced_uuid": "c4d10ea4-e0a6-4689-bd55-e052e8263355",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "fc242d86-96f5-4714-9f3a-d284c7fc4d51"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "0fdb5894-d03c-49e6-8950-93beaaabeb81",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "692d7f63-e107-40d1-a401-8e885ba8b399",
"value": "smb://209.19.37.184/driverpack/aact.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "6c21b6a6-3baa-43f2-885f-094e8c5f1d78",
"value": "/driverpack/aact.exe"
}
]
},
{
"comment": "Disco plug-in. Take screenshots.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2021-11-26T13:56:48+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "933e9ea5-4cc8-40b0-82ad-303ee1fcc3f7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "933e9ea5-4cc8-40b0-82ad-303ee1fcc3f7",
"referenced_uuid": "32734d0e-bfcc-44d7-96a3-d1e272ec5d44",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "76f17f11-24ea-4dbb-a980-b5286daab97f"
},
{
"comment": "",
"object_uuid": "933e9ea5-4cc8-40b0-82ad-303ee1fcc3f7",
"referenced_uuid": "906f9bcd-da99-4235-a25c-b9dc5d700e01",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "9a4772f8-e4f0-4180-bd7b-2b1958b04411"
},
{
"comment": "",
"object_uuid": "933e9ea5-4cc8-40b0-82ad-303ee1fcc3f7",
"referenced_uuid": "548f46db-2410-4a8a-9c86-cff918474455",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "a8c28d90-2c7b-4855-9e2d-19e6511981f8"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "5c80d65b-2261-42a7-bea7-bb353531e145",
"value": "aact.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "5d6a660e-c9ec-4edb-a6a9-fd398c4fece5",
"value": "f75c4a594ed7a85cddffc9ca817bca81"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "2cf040d1-2617-4aa1-b573-edb8b5cf32f0",
"value": "a01f1a9336c83ffe1b13410c93c1b04e15e2996c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "ad6b6576-b794-4505-80a2-c7d5a051fc4a",
"value": "5e3b7c34db0b8c155d06b026ee935c11cf58635532faff628281a0ddd5dd7bd0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946923",
"uuid": "a6c9e653-caaa-497e-9f55-40cb5df88c72",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "f922798d-d33a-451c-aca9-ec412e7ff0af",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "7d875487-4c31-4c3d-8bd7-c6981ccf2886",
"value": "WinGo/Agent.BT"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946939",
"uuid": "d7315525-4a21-4b79-9b98-78f904c491db",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "37fa7d84-7bb3-4912-b01a-8f4db051c3c0",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "e51ab181-827f-46c4-8347-4dc355ae5cba",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "bbaf5bd8-dd6b-4afa-b2be-9a4f98013ba5",
"value": "4035d2883e01d64f3e7a9dccb1d63af5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "a652156c-a9ff-42b5-be03-36bddb8c816d",
"value": "2bcc0ed647811018dff4387d0294ce8855d97fac865a582972cb0f469a06efea"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-02-28T17:47:16+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946944",
"uuid": "8f92e3b4-2a26-4733-a153-fcfdbe095edf",
"ObjectReference": [
{
"comment": "",
"object_uuid": "8f92e3b4-2a26-4733-a153-fcfdbe095edf",
"referenced_uuid": "c4d10ea4-e0a6-4689-bd55-e052e8263355",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "9887172a-bec5-41d4-a8a6-e3d814746cea"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "5a570c97-f083-4817-a044-c9efbec9ccd8",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "4dcb2d25-cfa5-4c2e-9f6b-4977e914a035",
"value": "smb://209.19.37.184/driverpack/officetelemetry.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "630529ac-589c-4438-a412-9fc9deeb3f67",
"value": "/driverpack/officetelemetry.exe"
}
]
},
{
"comment": "Disco plug-in. Reverse proxy based on revsocks. ",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-02-28T17:47:16+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "3c3efb45-ae68-4077-bc7c-799a40c414c8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3c3efb45-ae68-4077-bc7c-799a40c414c8",
"referenced_uuid": "a6c9e653-caaa-497e-9f55-40cb5df88c72",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "4c91f8c5-c7e8-43eb-9a6b-65feb229b79f"
},
{
"comment": "",
"object_uuid": "3c3efb45-ae68-4077-bc7c-799a40c414c8",
"referenced_uuid": "d7315525-4a21-4b79-9b98-78f904c491db",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "dc03713a-3ace-4984-a92f-cc6b2e4460aa"
},
{
"comment": "",
"object_uuid": "3c3efb45-ae68-4077-bc7c-799a40c414c8",
"referenced_uuid": "8f92e3b4-2a26-4733-a153-fcfdbe095edf",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "2e53d336-aed1-4001-96fb-d88f37016d44"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "c04c533c-b1c8-46ce-a869-08b4d60d74ca",
"value": "officetelemetry.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "58e6a048-0c3e-4bfd-b2a3-284d1330d4ef",
"value": "72adcf5641dbea85fd7f99844c66d2ec"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "0f865cf5-50b0-45ca-ad71-7a3b14134fb8",
"value": "c2aa90b441391adefaa3a841aa8ce777d6ec7e18"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "e21786b6-b1e6-4264-bc72-34f64387b57c",
"value": "ae81489226c57b09672fe5f6ac34c89123598960cbaf8ca8b00e43f75879bd43"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946949",
"uuid": "f2913348-56e8-4176-9564-b227eeb36058",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "7849665c-3356-4e7a-9e9a-978113134cf5",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "310ef853-d340-4688-b207-ae0f786387f7",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "babc5d7f-f06a-4f6c-91a3-f66f4bad8660",
"value": "a56f115ee5ef2625bd949acaeec66b76"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "61a148d6-2285-4144-bc40-ec4f8ce82d3a",
"value": "5e08b28cbdb4e680b2938e43ae46a0cc402cc33d199e408817a9d50c81e7d374"
}
]
},
{
"comment": "\"Fake\" SMB IP address.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946469",
"uuid": "9b19629c-cdb5-48c3-8464-f0a11f9af688",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946469",
"to_ids": false,
"type": "ip-dst",
"uuid": "98d93643-21af-4cca-aec8-a65713d71b28",
"value": "52.3.8.25"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-03-04T15:26:10+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946930",
"uuid": "9c898012-fbc4-42cf-85b1-8b7cfd52fb02",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9c898012-fbc4-42cf-85b1-8b7cfd52fb02",
"referenced_uuid": "9b19629c-cdb5-48c3-8464-f0a11f9af688",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "7d025dba-3305-4e0d-ab23-9a31b2ba2218"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "33a10178-9154-4c87-b671-2b5b568bef6e",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "bc913dd0-e729-4671-b7ef-2e3e2ce121ec",
"value": "smb://52.3.8.25/oracle/oracleTelemetry.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "09688187-6089-46f6-abfc-e8f3a872552c",
"value": "/oracle/oracleTelemetry.exe"
}
]
},
{
"comment": "Disco plug-in packed with Themida. Take screenshots. ",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-04T15:26:10+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "b4355207-5ed7-4bcc-b9fd-ce733e35e948",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b4355207-5ed7-4bcc-b9fd-ce733e35e948",
"referenced_uuid": "32734d0e-bfcc-44d7-96a3-d1e272ec5d44",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "658d6802-598e-44ac-b37d-d09f10b432a9"
},
{
"comment": "",
"object_uuid": "b4355207-5ed7-4bcc-b9fd-ce733e35e948",
"referenced_uuid": "f2913348-56e8-4176-9564-b227eeb36058",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "2d3e68ac-01eb-4211-a813-66fb80f06e1e"
},
{
"comment": "",
"object_uuid": "b4355207-5ed7-4bcc-b9fd-ce733e35e948",
"referenced_uuid": "9c898012-fbc4-42cf-85b1-8b7cfd52fb02",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "af5ad6e6-d4f2-422d-a430-976d1e86f59e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "01d28e7a-0a0d-4a96-92e3-d447262b9b87",
"value": "oracleTelemetry.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "c7de0a40-cacf-4ff5-9dda-d668c70357c3",
"value": "317e591a34c87537d614dfb41e895b91"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "a88ffb48-b11c-472c-affd-39cd80c002db",
"value": "c5b2323eae5e01a6019931ce35ff7623df7346ba"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "92f0728b-b616-4e66-b565-fc6e6f41bab5",
"value": "9f59ac2b6ad389950beefb899ef02cba02fc6038a44646e9a797ec9916d0acf9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946935",
"uuid": "e344f346-3a41-4316-b5e2-084f9b295757",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "8e325829-94bb-4506-bcf0-861feedfb89a",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "5f2a8fef-d23e-4abe-89d3-f4ac6a1aa6ee",
"value": "1970-01-01T00:00:00+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "1bc8c0d7-007c-4593-954d-a3b6c1930643",
"value": "c7269d59926fa4252270f407e4dab043"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "6395112b-896c-4846-badc-3b48acb9c69a",
"value": "8b4487327711ce2045032e9bc013a4024846137d187a311146807dcc0f33c580"
}
]
},
{
"comment": "\"Fake\" SMB IP address.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946469",
"uuid": "7d2b9a59-a74c-4b12-89db-abd9a8a214aa",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946469",
"to_ids": false,
"type": "ip-dst",
"uuid": "67cd29bb-c51a-46fe-9cd7-8020d81e55b7",
"value": "59.6.8.25"
}
]
},
{
"comment": "Merged from event 1548",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2022-03-02T17:03:56+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946469",
"uuid": "98970377-e1e1-4548-b3bd-bf0fa58decf6",
"ObjectReference": [
{
"comment": "",
"object_uuid": "98970377-e1e1-4548-b3bd-bf0fa58decf6",
"referenced_uuid": "7d2b9a59-a74c-4b12-89db-abd9a8a214aa",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "674a300a-5c09-4d04-9da5-3399ab232615"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "baaa66b1-01fc-4d85-a27a-d2033dddf067",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "55ed4486-0ce5-4472-bbc5-6a523b0048ca",
"value": "smb://59.6.8.25/outlooksync/outlooksync.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "9c69c8b8-6e8c-4127-bba7-a2b099539a65",
"value": "/outlooksync/outlooksync.exe"
}
]
},
{
"comment": "Disco plug-in. Take screenshots. ",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-03-02T17:03:56+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "064ba27d-6f2c-464f-9d53-6ca966c36a10",
"ObjectReference": [
{
"comment": "",
"object_uuid": "064ba27d-6f2c-464f-9d53-6ca966c36a10",
"referenced_uuid": "32734d0e-bfcc-44d7-96a3-d1e272ec5d44",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "7af4a482-2396-4c82-8323-bcf053706e90"
},
{
"comment": "",
"object_uuid": "064ba27d-6f2c-464f-9d53-6ca966c36a10",
"referenced_uuid": "e344f346-3a41-4316-b5e2-084f9b295757",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "0ddcc1d1-532e-4bfd-a2cd-b4d56e884d74"
},
{
"comment": "",
"object_uuid": "064ba27d-6f2c-464f-9d53-6ca966c36a10",
"referenced_uuid": "98970377-e1e1-4548-b3bd-bf0fa58decf6",
"relationship_type": "downloaded-from",
"timestamp": "1689946470",
"uuid": "48bd454e-94f1-4dfb-ae96-9bfe4881e1da"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "55790845-39de-4645-947c-aa8040537963",
"value": "outlooksync.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "5899d0a2-e066-461a-b0ae-f575d59f2b71",
"value": "05887f9c2b0d92032a32f6186523b760"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "c448c8d2-079f-4da4-b06e-c377dc9fb2e8",
"value": "c46cb98d0ceccb83ec7de070b3fa7afee7f41189"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "9fc26374-4f70-4fb6-bb39-73ed51b84aa1",
"value": "3c37a01c6b2f1cf9e15f043cb55c2ed0682d859179e5b51812dd80f676247bf4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946874",
"uuid": "69f72631-333c-48b0-83ab-31046bac7283",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "b58042a7-6f1e-44ea-96e4-c832187d19c9",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "a7fa5dac-c0fc-42a0-b5b1-4c0d291314ac",
"value": "MSIL/TrojanDropper.Agent.FKQ"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946868",
"uuid": "1f9833ef-40d2-4a88-85ff-8b528ad865cb",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "2ce8a8d5-82fa-4d07-a1f5-9b8f7fae6661",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "372ecaaa-1ac3-4581-9e07-3f4a727e8c54",
"value": "2019-12-31T08:40:06+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "9d601bef-9e49-4dab-87f2-1316eabb01dc",
"value": "f34d5f2d4577ed6d9ceec516c1f5a744"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "cf72e99d-f9fe-47f1-82e5-11b4885d0bb5",
"value": "8f45749ded6c56a96d79f45f305542bdef89b858b354130d3c6bbacc31a23a04"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "company-name",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "eca49e43-1592-41e0-802e-aad55c61cc31",
"value": "Microsoft"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "file-description",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "ba82bcc5-9048-4b55-a61c-b29a98fe737f",
"value": "EdgeUpdate"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "file-version",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "058e0c50-2944-491d-84c7-ca85eb0141af",
"value": "1.0.0.0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "legal-copyright",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "5d620760-5ba9-4a3c-a74b-cdb138acabb5",
"value": "Copyright \u00a9 Microsoft 2019"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "product-name",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "d3b53f4a-2f9b-44fa-827b-5b46e59fbc34",
"value": "EdgeUpdate"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "product-version",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "70e368f0-33df-4d93-b01e-0bed0abd24d3",
"value": "1.0.0.0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "original-filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "828cac42-25c7-4497-bf12-8b3cf668cccd",
"value": "EdgeUpdate.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "internal-filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "92415ba8-8eea-471e-b91a-782110b58b76",
"value": "EdgeUpdate.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "lang-id",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "92f00c7a-69ac-4ea6-802d-3cc406fcc6be",
"value": "000004b0"
}
]
},
{
"comment": "\"Fake\" SMB IP address.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946469",
"uuid": "d20ab4c0-bf02-4485-98bb-e2abce3ceda1",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946469",
"to_ids": false,
"type": "ip-dst",
"uuid": "0f0bbc39-b790-4bd4-a8d0-bdf31ad26b53",
"value": "24.9.51.94"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2020-01-08T06:24:19+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946822",
"uuid": "47e4c9d1-054f-41a0-ae77-1b2308d051a4",
"ObjectReference": [
{
"comment": "",
"object_uuid": "47e4c9d1-054f-41a0-ae77-1b2308d051a4",
"referenced_uuid": "d20ab4c0-bf02-4485-98bb-e2abce3ceda1",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "58163042-70e4-4490-a96e-92c9e034cca8"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "d9f777d9-f883-484c-9568-f4ce9ad885d3",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "a041aa83-2fc5-4f2c-bf84-2953dddb8b24",
"value": "smb://24.9.51.94/EDGEUPDATE/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "205260ec-24e4-42d7-b2f7-8167ff90a9e4",
"value": "/EDGEUPDATE/"
}
]
},
{
"comment": "Disco .NET dropper.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-01-08T06:24:19+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "2c3ed81a-0a2c-4fb4-9683-5c4e0fc458f7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2c3ed81a-0a2c-4fb4-9683-5c4e0fc458f7",
"referenced_uuid": "69f72631-333c-48b0-83ab-31046bac7283",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "33e336de-f87d-4fdc-ab1b-2deb73df8195"
},
{
"comment": "",
"object_uuid": "2c3ed81a-0a2c-4fb4-9683-5c4e0fc458f7",
"referenced_uuid": "1f9833ef-40d2-4a88-85ff-8b528ad865cb",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "652d39d2-a452-40c5-b406-dcaeda7f1345"
},
{
"comment": "",
"object_uuid": "2c3ed81a-0a2c-4fb4-9683-5c4e0fc458f7",
"referenced_uuid": "47e4c9d1-054f-41a0-ae77-1b2308d051a4",
"relationship_type": "connected-to",
"timestamp": "1689946470",
"uuid": "dd09bcd2-c4d0-492f-91f0-178753372c7f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "0cea5a6f-3c50-4e84-b9f0-e233aaeb2892",
"value": "kb4480959_EdgeUpdate.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "5c60c2d6-33a7-445b-a3dd-71a6ca7904e7",
"value": "4c2114ee7ae26fc09443b7e1b7658ca0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "afccc9f2-eba3-46ca-b9eb-b947e838b197",
"value": "a3ae82b19fee2756d6354e85a094f1a4598314ab"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "aa506651-7a99-482a-9af7-927eb7e35e23",
"value": "c4d7cef97f1111aed8b876e11e51faa772dfe0b8c51fa042aeee82ede0bfca22"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946826",
"uuid": "7009b0e1-4ff2-46c0-961f-ed918af0088a",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "adb5d0e4-9fac-4d74-aea3-4499865579fc",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "9ffb3fa6-ba55-48d3-86b9-5aa2ce9b4fb6",
"value": "Win32/Nightclub.B"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946830",
"uuid": "7a3326c8-6a3f-44bd-b5c6-b452daea50cf",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "2c1c3dd7-6eab-4f3b-ba36-dce394b78e0b",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "98eb1df6-3386-42d6-bfd1-d1961188c238",
"value": "2014-03-19T03:41:29+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "0f29097e-1e16-4526-b5a6-34704b39e8ec",
"value": "71a23744f5b8c234d0cdcc36bdf42d30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "b51853f6-55a3-4185-9a28-65869f7e56bf",
"value": "2fd1169e25996e79bdc6553206df8e69c7bc0dd46d085f43013dae1ffe9419b0"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2020-01-23T08:51:05+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689946837",
"uuid": "1f683c76-940c-47d1-a3e4-30b0112f5458",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1f683c76-940c-47d1-a3e4-30b0112f5458",
"referenced_uuid": "d20ab4c0-bf02-4485-98bb-e2abce3ceda1",
"relationship_type": "contains",
"timestamp": "1689946470",
"uuid": "99542ecf-b8cf-433a-b857-f8ad7a8ab48f"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "8c4a4693-39fc-4fae-8f03-a116ac20c61e",
"value": "smb"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1689946469",
"to_ids": true,
"type": "url",
"uuid": "24569cd0-ab13-4110-b96a-0323ae960ae8",
"value": "smb://24.9.51.94/EDGEUPDATE/update/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "e1cbdba8-d0a0-41a3-86c6-66d82833ba9d",
"value": "/EDGEUPDATE/update"
}
]
},
{
"comment": "NightClub plug-in used by Disco. Steal recent files. ",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-01-23T08:51:05+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "16a98b47-e930-429d-9503-058bcbe136e8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "16a98b47-e930-429d-9503-058bcbe136e8",
"referenced_uuid": "7009b0e1-4ff2-46c0-961f-ed918af0088a",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "3ec1a9b3-8fd4-4023-b766-ddfbd4a8b4c0"
},
{
"comment": "",
"object_uuid": "16a98b47-e930-429d-9503-058bcbe136e8",
"referenced_uuid": "7a3326c8-6a3f-44bd-b5c6-b452daea50cf",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "8ea53275-12d9-4068-aa67-192b451110fa"
},
{
"comment": "",
"object_uuid": "16a98b47-e930-429d-9503-058bcbe136e8",
"referenced_uuid": "1f683c76-940c-47d1-a3e4-30b0112f5458",
"relationship_type": "connected-to",
"timestamp": "1689946470",
"uuid": "5d6e9345-4a34-4501-b09e-d138fbb37e8e"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "b7782974-17de-4815-b939-bd6b10a39cec",
"value": "WinSrcNT.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "766c847c-858c-4341-b48a-e80ba3e641cf",
"value": "f048c6118856a6edcb46fa90c88e8ecb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "15dfd8c2-6680-4f01-923a-ec2a54b83b21",
"value": "4f1cecf6d05571ae35ed00ac02d5e8e0f878a984"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "c5f686c6-0fa5-4a73-a353-d8ee220e279e",
"value": "45a9b848f0b8844a3819df4603fff92b16080f28f14393ac0fde42c5b5d64cbd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946843",
"uuid": "e54ec09a-9757-40b4-86e7-e56e7235011e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "a2ee429b-0dd6-492e-a840-80d4f97b2d25",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "a039fcb5-8197-4fc4-ba0f-46d4ca1e7bb3",
"value": "2014-03-05T03:11:48+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "bc622323-93df-435d-b67d-7c583989e7af",
"value": "71a23744f5b8c234d0cdcc36bdf42d30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "c0bb2673-dde5-4b3d-b50e-88d529124d21",
"value": "c597b99a994af8b68cb086f74fe4252ccdb32f748b37185579830bb0883522ba"
}
]
},
{
"comment": "NightClub plug-in used by Disco. Steal recent files.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-01-22T07:46:03+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "a23881d4-86f0-4bf5-8e99-30f0036587ad",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a23881d4-86f0-4bf5-8e99-30f0036587ad",
"referenced_uuid": "7009b0e1-4ff2-46c0-961f-ed918af0088a",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "66aad072-9231-44b3-a961-b32017b63615"
},
{
"comment": "",
"object_uuid": "a23881d4-86f0-4bf5-8e99-30f0036587ad",
"referenced_uuid": "e54ec09a-9757-40b4-86e7-e56e7235011e",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "24892fcf-61ce-4dcf-a78a-b8b2ac295ecf"
},
{
"comment": "",
"object_uuid": "a23881d4-86f0-4bf5-8e99-30f0036587ad",
"referenced_uuid": "1f683c76-940c-47d1-a3e4-30b0112f5458",
"relationship_type": "connected-to",
"timestamp": "1689946470",
"uuid": "67afba64-4c5c-4ae4-a06a-797503fdfd48"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "82d6ccb2-d4b4-4aac-a386-887e9144e377",
"value": "It11.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "ec19eed8-bb5f-46bb-b34e-5951219e4107",
"value": "7396b1e03da633fb1841daaaf0d395bb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "bc476531-7021-4605-8bbd-71355e79e5e2",
"value": "0daea89f91a55f46d33c294cfe84ef06ce22e393"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "26a9db43-8c0c-4473-9ceb-d25648ee2f39",
"value": "b19784949e32d0cc8a032be3b58962233dbff5bfec0b26f426202820f336e845"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946850",
"uuid": "1db5fc1c-dbbd-4b7c-b6cf-6b815fd8f74b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "d09eceb1-a8ba-4739-9abf-d1ba5a46fcc2",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "63d476ca-59e9-4fcd-83fd-c8129e205f74",
"value": "2019-09-02T22:18:43+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "092a5acc-ff3e-4e7d-8344-fa52119b4b1a",
"value": "60afcd30d3d4ee2edd0e49cdaae59994"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "ad394891-a00f-4356-a61e-b80539ca130b",
"value": "15ea306f6a76b52c0383b6a2884eda2f8860afa5e6d5ea98dd21b8b1590936c5"
}
]
},
{
"comment": "NightClub plug-in used by Disco. Make raw dumps of removable drives.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-01-14T08:23:06+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "453e6a83-70cc-4d4d-b8fc-6cf50e71d5cc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "453e6a83-70cc-4d4d-b8fc-6cf50e71d5cc",
"referenced_uuid": "7009b0e1-4ff2-46c0-961f-ed918af0088a",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "e6f65af1-2a41-4c77-8c7a-2b38f9296638"
},
{
"comment": "",
"object_uuid": "453e6a83-70cc-4d4d-b8fc-6cf50e71d5cc",
"referenced_uuid": "1db5fc1c-dbbd-4b7c-b6cf-6b815fd8f74b",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "3f266187-1eaa-43fc-8a47-f5a28f431f4f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "790f1d5e-beda-4e09-a03a-0f7a0eabf3ae",
"value": "It3.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "474689eb-f3f0-4199-950b-4c7c5d3fa05b",
"value": "af727e5a0e45fac2e9c476c7a6fbd813"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "c781c783-9ca4-4531-983f-4bf5a6fadf28",
"value": "11cf38d971534d9b619581cedc19319962f3b996"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "d9013a3f-7522-4e08-8b90-7507744a9fb0",
"value": "a8640da964a129ea6dcea8452c847019d10628bdaedd42e6a0beb5114e558258"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946856",
"uuid": "435ccf96-5f50-4de2-a6a9-4b483a77a619",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "d459afcc-545a-481a-829f-8aaea3c0477b",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946469",
"to_ids": true,
"type": "text",
"uuid": "50dccbd3-ecb5-4547-afed-a81042a90405",
"value": "Win64/Nightclub.B"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946846",
"uuid": "14a942a7-acdf-4cf7-9ff3-ab14f8b591a9",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "4a1719c7-7200-413f-959b-44030ac7a1cb",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "a3e480a1-1b0f-46d2-b113-ef4cf6569c31",
"value": "2017-06-05T12:39:59+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "3d8778f6-52fd-42d2-b690-43893651ad50",
"value": "122adc45d7150dc4217005b05c74ffbf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "dc81f344-c2df-450e-abf5-0d33eb8e3a85",
"value": "848be042079760376729879b30613dab9eb2665e0c5a03cdba241aa8b2543daf"
}
]
},
{
"comment": "NightClub (2017 version).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2019-12-03T10:06:22+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "5d96ae1b-0410-4d4a-978e-9731d2122885",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5d96ae1b-0410-4d4a-978e-9731d2122885",
"referenced_uuid": "435ccf96-5f50-4de2-a6a9-4b483a77a619",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "15a039b5-d054-4678-8675-c04fe794e673"
},
{
"comment": "",
"object_uuid": "5d96ae1b-0410-4d4a-978e-9731d2122885",
"referenced_uuid": "14a942a7-acdf-4cf7-9ff3-ab14f8b591a9",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "d4a2dc88-5b74-480a-a0da-e4ee7fa4aaf7"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "91d57888-d1b0-4eeb-b7b9-cc9942a81046",
"value": "metamn.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "997b78b7-19a9-4928-a532-8b9dae29b996",
"value": "494298fcd20f349680b4b9bf69049f25"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "daee20c7-9751-40ff-8c74-54a68ee132bc",
"value": "f92fe4dd679903f75ade64dc8a20d46dfbd3b277"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "722bcdf6-7237-41dd-bfa5-77714ba07325",
"value": "94a55354cf10a24bd3840072626f48fd0b7bbe18537760615555f92e82fab500"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946860",
"uuid": "adae0edc-d213-4688-a2a9-1e8107bb8fea",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "90fadda8-fecb-4188-8f3e-7efb57ecbbe5",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946469",
"to_ids": false,
"type": "datetime",
"uuid": "b6c896b4-a43c-4c62-b2fe-196258b1fcd5",
"value": "2017-06-14T09:57:30+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946469",
"to_ids": false,
"type": "imphash",
"uuid": "892a20a9-5a25-40e1-9b55-386f4a74686e",
"value": "371a19457e925c3aa70f3305a7aef799"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946469",
"to_ids": false,
"type": "authentihash",
"uuid": "71be1235-c6e6-49b2-9509-f9fb4d3feaec",
"value": "9bcead6af590134d1da3c116be912e98dd1844ae5581124c524f58ecca3df186"
}
]
},
{
"comment": "NightClub plugin. Keylogger.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-11-06T09:52:11+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946469",
"uuid": "e608c614-323c-47ad-8f91-8aa5c274177c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e608c614-323c-47ad-8f91-8aa5c274177c",
"referenced_uuid": "435ccf96-5f50-4de2-a6a9-4b483a77a619",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "3d216589-50d3-477d-a28d-48b3468761a3"
},
{
"comment": "",
"object_uuid": "e608c614-323c-47ad-8f91-8aa5c274177c",
"referenced_uuid": "adae0edc-d213-4688-a2a9-1e8107bb8fea",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "8a7876ea-57e6-4ab6-8f9d-567f0d6a4ab5"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946469",
"to_ids": false,
"type": "filename",
"uuid": "721f9be6-efee-45b3-8db4-edc84c051ead",
"value": "et2z7q0FREZ.cr"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946469",
"to_ids": true,
"type": "md5",
"uuid": "b41d57bf-1b24-4117-8c5c-02eb5ebf93b2",
"value": "fa80ce4fce73226d6a1ece32555e3c9f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha1",
"uuid": "950e0b74-ad8c-4111-a870-6459565e3441",
"value": "6999730d0715606d14acd19329af0685b8ad0299"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946469",
"to_ids": true,
"type": "sha256",
"uuid": "851c8e79-9381-4045-8c93-5974e76e2c49",
"value": "90fcbd7b4b74bb396f29825f0abfc3cd9db86ff4a5177df24def249d52ef8c66"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946864",
"uuid": "d3a50bdf-45b6-4af5-9081-a10ddef0f412",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946469",
"to_ids": false,
"type": "text",
"uuid": "57662e1f-a1d8-460c-9e8d-63cede474a8d",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946470",
"to_ids": true,
"type": "text",
"uuid": "303995d7-e94a-4b72-93ec-705b8b040fbd",
"value": "Win64/Nightclub.A"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946766",
"uuid": "a3e3b961-6c52-40fb-83e8-2794611f8046",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "07218076-70e2-45e5-a562-f2c04537362f",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "32f8ce9f-d4eb-495c-aff3-233046ec38cd",
"value": "2017-06-14T09:57:36+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "90f3402a-489b-4596-936c-9a08cec99b6a",
"value": "0ec1d88490cb68e5fa0d4eeba0c61d42"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "884adb99-12b8-4ed1-82b6-310810d258e7",
"value": "0399ab30bd37102612796a087f89aaf33e0b1f9935ef160e390d8b0e02946f3a"
}
]
},
{
"comment": "NightClub plugin. File stealer.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2018-07-18T05:51:26+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "f4ad33db-9e3f-4178-835e-4851b778e17e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f4ad33db-9e3f-4178-835e-4851b778e17e",
"referenced_uuid": "d3a50bdf-45b6-4af5-9081-a10ddef0f412",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "4cb6e6f4-75d6-47e7-9146-7fb62dfabaf0"
},
{
"comment": "",
"object_uuid": "f4ad33db-9e3f-4178-835e-4851b778e17e",
"referenced_uuid": "a3e3b961-6c52-40fb-83e8-2794611f8046",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "6f6bdaed-2ba3-461a-8dbc-16272626cb08"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "e199f94a-851f-4e1c-9349-6911fd6a72a4",
"value": "sTUlsWa1.cr"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "d17e344b-e76f-4e54-97bc-810085462fe6",
"value": "67b7bcb0621931a0a6e012851529d781"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "ff3af55c-d6eb-4949-a8a4-9b0d831d7131",
"value": "6e729e84c7672f048ed8ae847f20a0219e917fa3"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "b4c3d29d-a551-4104-8c7c-7b94e986be7e",
"value": "55d4ad1ab4dcb6b593da363a0b5d0e213e5960e541651502195e19202100ea56"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946763",
"uuid": "9b8609f6-b5a8-4281-a9b1-49bc36fdd23d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "ddd7ce3f-81f2-4c1b-9cdb-6982b71c6638",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946470",
"to_ids": true,
"type": "text",
"uuid": "ea715e45-5811-47bf-a80b-54b926d7d381",
"value": "Win32/Nightclub.C"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946759",
"uuid": "95c0cda8-9847-4ec7-89b2-90c6f2ab9f21",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "8e56454c-6997-470c-8ed7-16acc27bd984",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "6350d481-9bd5-42c9-9f90-cd2539bc4a05",
"value": "2014-11-17T14:22:59+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "5c9e7528-2bd6-4654-9cf0-d68145db01ff",
"value": "58edb5f4eabbb52e430646a5ed1a1cd1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "187f7030-0e9c-41d0-82e4-4359a22bee14",
"value": "ae651295df5bcb65bf4a1c3d4c097d43f6af5caf68a4ad5f165c591dd71d202a"
}
]
},
{
"comment": "NightClub dropper.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2014-11-19T17:23:09+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "8e911c46-1453-4309-a88f-8caad577dce9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "8e911c46-1453-4309-a88f-8caad577dce9",
"referenced_uuid": "9b8609f6-b5a8-4281-a9b1-49bc36fdd23d",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "2e722e73-99bd-421a-9306-8d4c7ba3ba68"
},
{
"comment": "",
"object_uuid": "8e911c46-1453-4309-a88f-8caad577dce9",
"referenced_uuid": "95c0cda8-9847-4ec7-89b2-90c6f2ab9f21",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "fd0e1764-0300-4100-8f72-f9d6c1178998"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "1725614c-cb2b-406a-a9df-ed9989719ff7",
"value": "EsetUpdate-0117583943.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "d1a807cf-c5a4-4206-bfa9-74d6ed80b598",
"value": "af5595472e4afc355f9f7977a580e0ae"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "3be86af3-44de-4c32-b9ce-60cf9e367f2e",
"value": "0401ee7f3bc384734bf7e352c4c4bc372840c30d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "184b9c31-a58d-4765-9f58-9bb1df2d6e4c",
"value": "ee2c61216ed691f8bf1f080fb9c7d7cfc6f370e6f5c0d493db523b48e699a2ec"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946756",
"uuid": "20b43104-86e0-45fc-9a91-1715f584acdd",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "8c58fe3e-aa2f-40ef-85b5-5ed0ec52006e",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "85d16090-eac5-43de-b796-0804484e3807",
"value": "2014-11-17T14:22:46+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "ad7de637-733b-4e2a-bd0e-871277459d1a",
"value": "72093c181ac0f7a289e462b70f8c131f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "7992ad3c-d44e-4aa7-8db6-250b1094f60a",
"value": "3120a67edf4ba7b327ebf236bda3835ce687a603a32fb4c6fe622d01d4187c3d"
}
]
},
{
"comment": "NightClub (2014).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2014-11-19T17:25:37+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "ab161fb0-237a-43f7-b34e-f402a7cccd8b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ab161fb0-237a-43f7-b34e-f402a7cccd8b",
"referenced_uuid": "9b8609f6-b5a8-4281-a9b1-49bc36fdd23d",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "54bac38c-14f1-4022-b17a-98ec2164ff49"
},
{
"comment": "",
"object_uuid": "ab161fb0-237a-43f7-b34e-f402a7cccd8b",
"referenced_uuid": "20b43104-86e0-45fc-9a91-1715f584acdd",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "f8b1c52d-3883-4848-8511-f4d2b60cafb9"
},
{
"comment": "",
"object_uuid": "ab161fb0-237a-43f7-b34e-f402a7cccd8b",
"referenced_uuid": "8e911c46-1453-4309-a88f-8caad577dce9",
"relationship_type": "dropped-by",
"timestamp": "1689946470",
"uuid": "3e9d97c3-ddb2-4f18-b94b-422705cb4b8b"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "f7a21281-9d35-4bbc-99c0-c3763b39bad2",
"value": "creh.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "d2be9c75-8efc-46a1-a4d3-bfdba57cb5dc",
"value": "f08ef7cadee08ba4a0696c4fbfb4c04b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "af3e77f2-fb93-4fee-ba6a-6cf3effb3e4b",
"value": "5b55250cc0da407201b5f042322cfdbf56041632"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "3e6c921a-f2e5-4386-a11b-78c0d2d3f8c0",
"value": "39d534148fe7ac7f3e03da1ceeee556b2e1db9cf466f7e03c24c4f899aa0c407"
}
]
},
{
"comment": " \"Fake\" SMB IP address. ",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689946470",
"uuid": "a0e531d8-baef-4c28-b6e6-b8cac7d35c51",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689946470",
"to_ids": false,
"type": "ip-dst",
"uuid": "fe52e8dc-3161-4098-a0a5-ebe7934369b5",
"value": "35.214.56.2"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946734",
"uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "8ed6e72f-e451-4f5d-aec4-d1d624a1569a",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946470",
"to_ids": true,
"type": "text",
"uuid": "e054378d-5045-4382-8791-d5fdafe3d9b9",
"value": "Win32/Nightclub.D"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946749",
"uuid": "899ede30-5028-48fb-99fa-07ee835a9200",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "109702d2-bba9-441e-b9a9-8790a8106921",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "49f49ba1-3c6d-40b9-a110-68ee9ac0951f",
"value": "2022-04-12T09:37:56+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "c18151bc-49f5-4d49-ad07-0c12b1bf8365",
"value": "4f462ccbd7a2130b0d806d5947a4b2a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "ab9828be-0ecb-4886-9b02-7bf3b02065bc",
"value": "12cda9472533d4898dce572caad547f06a7016c23619448982ce413c52aa26a5"
}
]
},
{
"comment": "Orchestrator (NightClub).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-07-08T13:41:24+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "866d91f3-e765-42b7-bc40-f4849eecbdb3",
"ObjectReference": [
{
"comment": "",
"object_uuid": "866d91f3-e765-42b7-bc40-f4849eecbdb3",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "4120867d-8da1-4a68-9dd6-622d3a5af897"
},
{
"comment": "",
"object_uuid": "866d91f3-e765-42b7-bc40-f4849eecbdb3",
"referenced_uuid": "899ede30-5028-48fb-99fa-07ee835a9200",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "7290bc38-017f-4d3b-a929-e68d4a6e6537"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "00bd3c14-f5e1-4bad-9962-d37b18147256",
"value": "svhvost.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "021563b3-c07a-42ce-99dd-33fb80bbb2c0",
"value": "df08f277630f5593a8b297a5d6fd02ee"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "1edaf6a0-09d3-4ac2-8dd9-d3fc1bc92f2a",
"value": "d14d9118335c9bf6633cb2a41023486dacbeb052"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "6d6eeb6a-e8cf-42e7-8ed9-e616aaba0c0e",
"value": "54afe0eab3ce64a7c7a944e0ee9b9614d3358d28e35e8e56dd3c40f5846c4b9e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946746",
"uuid": "42719644-b407-42ed-84e1-114f1a6cd729",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "c16e6c0c-6414-4c38-bafa-a3f974dab71a",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "7de234c5-b253-47aa-82d9-2077ef1216ff",
"value": "2022-04-12T09:37:08+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "208c034e-184f-4eb5-911f-cf4342b5af0f",
"value": "bcfeaded8d78f013e0e9714e4b82fbd2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "386e8349-0f78-45be-8e8a-9f4e44c8a6df",
"value": "33f91a154c7c929997b25d25516ff77081261de058908216498a509a9e7cd8d9"
}
]
},
{
"comment": "Module agent (NightClub).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-07-06T13:55:47+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "efbd15be-c3a0-4988-b0a7-b0703b06ea53",
"ObjectReference": [
{
"comment": "",
"object_uuid": "efbd15be-c3a0-4988-b0a7-b0703b06ea53",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "5e79fdce-4f48-4de9-947f-1a72d06f64ee"
},
{
"comment": "",
"object_uuid": "efbd15be-c3a0-4988-b0a7-b0703b06ea53",
"referenced_uuid": "42719644-b407-42ed-84e1-114f1a6cd729",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "2432f59d-5733-4ae4-a91c-ef6bbbb62eee"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "b4b47272-6a91-413d-ab51-b73806b36f43",
"value": "schvost.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "0279a792-0124-4392-82e6-37e552af563f",
"value": "b8eac3478d5b505d234d04a3ec8eb172"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "17d8d241-960d-4602-91c9-48e60991dbd6",
"value": "e6de72516c1d4338d7e45e028340b54dcdc7a8ac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "c2c72916-db7c-4935-89e2-5ebd8f275d74",
"value": "9c7dc4418f0cbce48a89b73ca81707d87554fea324544adefccfb297782bc49d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946742",
"uuid": "76805542-8e3c-4810-9c54-55b0c04b6c16",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "47aae1bb-bcb5-49c6-a55d-919020fd7f76",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "f1922e6f-4327-46ff-9695-10ce2b37a5d3",
"value": "2022-04-27T07:42:27+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "9de08897-4845-4b0e-8b12-bf68be29e422",
"value": "65d8b1585a5def81b05324281d1c105f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "50aa569e-5a7d-41f4-a0dd-b9a1da303101",
"value": "254f7a9d74df5e2701be83bbc77f4d5a872e20ee19f5f4037f69b3466fffb1dd"
}
]
},
{
"comment": "Backdoor with DNS tunneling (NightClub plug-in).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-07-06T13:55:44+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "49a85d25-494f-4975-9d34-ea8e7361518e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "49a85d25-494f-4975-9d34-ea8e7361518e",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "1406b952-e5bb-4dcc-9171-99cbb0cb7c31"
},
{
"comment": "",
"object_uuid": "49a85d25-494f-4975-9d34-ea8e7361518e",
"referenced_uuid": "76805542-8e3c-4810-9c54-55b0c04b6c16",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "e728abe8-3976-4adf-82bb-18253cab1644"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "3dce1df6-4279-4e02-855a-f87721a767a1",
"value": "nullnat.ini"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "f5fdb24e-3203-414c-86cb-0d0ed9bda307",
"value": "214e79625cc78e639e16cf62f42120da"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "cb2b99d7-bea5-4040-a376-2fcc231b9502",
"value": "3ad77281640e7ba754e9b203c8b6abfd3f6a7bdd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "0831d5c6-5ae9-43fb-be80-ccdaedd354b3",
"value": "c53639a1675303bb45991288f1d2664781cfaf10f809289c65ba20ff9ab1025a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946738",
"uuid": "1cc1cc28-6dff-4e25-9ab8-c2dc4bd02e1b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "dad3acd8-205c-4702-92d2-33fce145d9d2",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "3c2b252d-c64f-476c-b79c-387ca41028ab",
"value": "2022-04-12T08:43:29+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "f3eb6d10-b884-46dd-845e-992bdc98d745",
"value": "3cb60683a7c10a0a4b23925d0b1cae4b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "47312d31-e0f3-4853-939a-e5d6d6679a7a",
"value": "e2f7c3a6ac4bc489b023ca5204ebd717d5a5c42349257decfc44b87e9f426a34"
}
]
},
{
"comment": "Keylogger (NightClub plug-in).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-07-06T13:55:48+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "9940ddb2-2526-4783-a9b2-84aaeda0d4a5",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9940ddb2-2526-4783-a9b2-84aaeda0d4a5",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "db6cc1ee-4df3-45fb-9a10-b10d0564afc2"
},
{
"comment": "",
"object_uuid": "9940ddb2-2526-4783-a9b2-84aaeda0d4a5",
"referenced_uuid": "1cc1cc28-6dff-4e25-9ab8-c2dc4bd02e1b",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "bcef524e-ce02-4a0b-a1fd-abfbc9bf03c9"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "a11f0353-b9bf-488a-a850-dde14f2560e7",
"value": "soccix.ini"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "fe93ba0a-32ab-48a1-ab64-811ace3ab3b7",
"value": "e2d4da7ccbd52b5b8b2bfe55f85d7e67"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "03693b6c-9028-40c1-9e32-208a9a8356b5",
"value": "142ff0770bc6e3d077fbb64d6f23499d9deb9093"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "e5f04a55-7f06-414b-a170-61a22fa20f08",
"value": "8f38f4da6cc8ac9f0512f503449140d6067d45d1b47c7628723364fc7647c1a6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946753",
"uuid": "73e9ffe9-8abf-43d0-bf2b-b2eac124f6b1",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "15dd2404-c25b-459e-a219-ffdc72a41df4",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "f65a447f-8c00-47ff-93bf-1b63bf5ec69c",
"value": "2022-04-12T08:43:34+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "7adba273-6ac7-4319-8d0b-655234259975",
"value": "339d79e103c9d853bb18c751fd6718f9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "12286ee9-e54a-4735-9012-d0e93f7eef65",
"value": "a5d50b14db18054857226d25a5f3343c09bdecc4a1bd0f2086ab47bcf40e0943"
}
]
},
{
"comment": "Screenshotter (NightClub plug-in).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-07-06T13:55:45+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946779",
"uuid": "3b67328a-e7af-4dd0-be3c-296a0f1c6cfc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3b67328a-e7af-4dd0-be3c-296a0f1c6cfc",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "57f43bfb-8453-4932-89ab-dc5d0d21cbde"
},
{
"comment": "",
"object_uuid": "3b67328a-e7af-4dd0-be3c-296a0f1c6cfc",
"referenced_uuid": "73e9ffe9-8abf-43d0-bf2b-b2eac124f6b1",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "0745ca40-2d22-4a93-bcea-fc1ac8776d68"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "25620a4e-7286-4f60-8ceb-6a2982c03c6b",
"value": "oreonion.ini"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "694e441a-6369-40f8-b135-1167891e7820",
"value": "36106f11f4babc5cce3f899061b5b9ae"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "293da33d-699f-4260-b542-c41ee60090ee",
"value": "fe9527277c06d7f986161291ce7854ee79788cb8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "8af1e059-fe4c-4e9b-af3a-9a117664c8e5",
"value": "79cb962862a9e5299f32ee948f6a5a8b696effcd0be40bd537f68d6d28dfb0fd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946783",
"uuid": "17419941-1697-43a4-a3a7-53516c4b8614",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "95941b0f-d26a-43f7-9e3f-a3980cd4686f",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "8a8a3b08-35ef-4afd-b7c1-66eca0366240",
"value": "2019-01-14T05:42:03+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "6954732b-b4c1-4808-b9be-e7168d4c6b4c",
"value": "41b6c1548fc590155cb047f63dde61a8"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "11d9a52a-6e86-45f8-9cf3-7ae7f9f95012",
"value": "ea4e3a36184fe4181231e8ee82c6ba271b6b86237f2ca311b90d77e75f855c6a"
}
]
},
{
"comment": "Orchestrator (NightClub).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-11-10T06:34:47+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "f14245f9-6180-43ef-a0e0-6994a7ca739a",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f14245f9-6180-43ef-a0e0-6994a7ca739a",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "14a4592f-a88b-487a-8fcf-716e0235ee84"
},
{
"comment": "",
"object_uuid": "f14245f9-6180-43ef-a0e0-6994a7ca739a",
"referenced_uuid": "17419941-1697-43a4-a3a7-53516c4b8614",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "7f204582-43cf-4d87-a5e1-13466f058135"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "f0ecb112-3d0b-4786-9cb5-2dccde973389",
"value": "svhvost.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "ad5fb4ad-bfbd-458b-9a03-b4d53759d2c3",
"value": "a78602510d0ed6794beb25ee2b62f602"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "5bd60f91-e2de-4665-b8fb-33f5f12d8a42",
"value": "92115e21e565440b1a26ecc20d2552a214155669"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "87811270-5b30-472e-9484-795b3ee7d874",
"value": "185a6b60ab35878fe24e0f84f82a276127d8aff8f547dddfa5606cacebd3bd6a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946814",
"uuid": "c1d092e8-489a-45df-a7d6-b69fc81e2136",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "a999ec78-4de6-4f92-8265-8227448e5c3f",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "69fc3cfb-1ab6-4742-b98b-f0a41799a241",
"value": "2019-01-14T05:42:02+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "a972795f-79be-457e-8c92-6de42ba4a7bf",
"value": "6fc6de7c6d0822f69218d408da86af0a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "0fcb993e-9d42-441d-a915-50eef4242fe5",
"value": "58d1ffaaf9134b7022da2642dade19a4544de4b1d874fc175358a9f50a091b56"
}
]
},
{
"comment": "Module agent (NightClub).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-11-10T06:45:43+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "430e9391-ed2c-4a15-932d-1355991c821f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "430e9391-ed2c-4a15-932d-1355991c821f",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "de85fee5-d125-446d-85e9-c6b225060cd9"
},
{
"comment": "",
"object_uuid": "430e9391-ed2c-4a15-932d-1355991c821f",
"referenced_uuid": "c1d092e8-489a-45df-a7d6-b69fc81e2136",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "39fcf3d6-f828-4a2d-97e2-1411526b8b5a"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "1453b6fe-385c-499f-9ae8-f1b31b49289b",
"value": "schvost.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "74e02481-92ff-4cf1-8ccf-2490531ec02e",
"value": "ef18329f1a8d4dfedee2eeb3853a4882"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "91f50f44-cc7f-45ba-9456-6c925e46d438",
"value": "de0b38e12c0af0fd63a67b03dd1f8c1bf7fa6128"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "d2f4d5d7-7531-4966-aeff-f8718cad6505",
"value": "4526f147fba692c577afbd1de2e91ab5e07e02a051cc8d1ab4a28d997ee7eba8"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946810",
"uuid": "bf487be6-3dcc-47cc-a9e6-256270637834",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "3c803c31-b039-406f-a88d-4ea0f97d2f61",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "879f8119-6251-418a-a9f7-46dfe9977247",
"value": "2019-01-14T05:42:01+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "23a313a7-859f-40f4-af89-9fd17d79c84d",
"value": "953daa2bc2bb55996033e09b176b9690"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "4462a345-f8d3-4260-91b8-b5b7fad5a989",
"value": "3ee19608e827bafd7a1723e1b005e891998bd16e9e0e564a2560b8b4cf525339"
}
]
},
{
"comment": "Record audio (NightClub plug-in).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-11-10T06:45:45+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "dcd75ccd-014c-4d10-9f1c-d3bb2d23083a",
"ObjectReference": [
{
"comment": "",
"object_uuid": "dcd75ccd-014c-4d10-9f1c-d3bb2d23083a",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "7c8e009f-0967-4959-8f5c-7fcbd354a0ee"
},
{
"comment": "",
"object_uuid": "dcd75ccd-014c-4d10-9f1c-d3bb2d23083a",
"referenced_uuid": "bf487be6-3dcc-47cc-a9e6-256270637834",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "03e0fa2e-1a60-4193-b0b4-0b84fab38818"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "b5a0de5d-15da-43ee-8914-c81be6951e75",
"value": "sysleg.ini"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "d95b0461-14e0-4531-b51e-788f5ff1966d",
"value": "e8ed8bb5958a6d544a3f480f796a6d5b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "c9f479d5-fd86-4e4c-96c1-40058a02dcdf",
"value": "d2b715a72bba307cc9bf7690439d34f62edf1324"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "58ff59c7-ece5-4594-95fa-c3a2c90cc446",
"value": "2d6126df41aa69bc9fc25d6f6d13d8005b8daaa766319e4a53bd5e5042142337"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946805",
"uuid": "0bef2e0e-9281-4fd1-a88e-418b06a9b16d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "371bdd1d-762a-4dee-9cd6-f51ce12cf144",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "a38c4b02-cfd2-499f-b606-bfaabef5babe",
"value": "2019-01-14T05:42:03+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "d3384b76-cdaa-4904-8ba2-5dbf6b8dfd96",
"value": "7cb5da04751f85160f73090b6513857e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "00166c38-76a9-478f-b1b9-421123e91eff",
"value": "4c9a6230054e0f13d7a963051d5f3e2169a1ab345123192fc2279e36e672be41"
}
]
},
{
"comment": "Take screenshots (NightClub plug-in).",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2020-11-10T06:45:47+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1689946470",
"uuid": "9be8694b-8b3d-486b-b321-147f4bcf81fc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "9be8694b-8b3d-486b-b321-147f4bcf81fc",
"referenced_uuid": "c52ba0bc-e33b-4722-9d36-440b4dabe881",
"relationship_type": "detected-as",
"timestamp": "1689946470",
"uuid": "e7413996-91ca-45e4-98e1-33028db4f859"
},
{
"comment": "",
"object_uuid": "9be8694b-8b3d-486b-b321-147f4bcf81fc",
"referenced_uuid": "0bef2e0e-9281-4fd1-a88e-418b06a9b16d",
"relationship_type": "includes",
"timestamp": "1689946470",
"uuid": "e2431c0c-a873-4b15-9c97-51e05b780221"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1689946470",
"to_ids": false,
"type": "filename",
"uuid": "eb0dd280-8a6b-4ea7-b891-56336783f9c5",
"value": "oreonion.ini"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1689946470",
"to_ids": true,
"type": "md5",
"uuid": "49557049-5706-41d1-89f6-5ef5798b7510",
"value": "08d70fd4747bd93067c345fc1903ca86"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha1",
"uuid": "3c2b897b-b0e7-4da8-b60b-c9d8ffec65b8",
"value": "df8ded42f9b7de1f439aec50f9c2a13cd5eb1db6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1689946470",
"to_ids": true,
"type": "sha256",
"uuid": "215c9cca-fcc3-48d8-a160-4b2b969dba35",
"value": "6deff2f98cbfda4ca7615b3160ed9f7163dd426f8503d4030bd36b69fae3f68a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946802",
"uuid": "f03a31fe-4880-4b17-88e8-683cc53edb0b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "b88a2167-4dd4-4f6b-8a1b-3e8b388d8b03",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946470",
"to_ids": true,
"type": "text",
"uuid": "a19e00bc-d996-453e-8f68-554861b55d92",
"value": "Win32/Nightclub.F"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946772",
"uuid": "da8b7d10-0694-4249-9bd1-a5ad540a6e40",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "b93f2fa1-1ab2-4e09-915f-94f4e11fe663",
"value": "exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "7b48bd7e-ef3f-47fc-9041-6728d3f9b3e6",
"value": "2016-12-26T09:11:24+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "b9359f92-f15f-4446-9e70-cede6510ed7e",
"value": "2f5eecf908af0655a1bfe7277b77322c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "391e44ab-f4e9-4ac4-a71e-23e529ddff70",
"value": "dd117c18447c8f70a0f6bc05f37b31221cf8cf2133ae54c430bbd8995b72e227"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946795",
"uuid": "758bff01-3add-4f26-bc1b-3ea92ebe0ec6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "a365fd22-6c6d-4c99-b61f-3b1f187d7640",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "e9d35fcc-61a7-480f-b3ec-adc548898bd8",
"value": "2016-12-26T09:11:17+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "57f119ad-237d-44cc-96f5-a8ec1de6747a",
"value": "3bf30da72df91ad2ca63bf95399061fd"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "c397a5dd-20ce-48d8-a885-6e7c5dd2c1c7",
"value": "0fae81f1b23d563d4e44a779796d4dddc4fd34f9d4139bd1dbb93394808ebeed"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946792",
"uuid": "2e7c479e-7c91-49e9-a8ae-4acf6ef8b3bc",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "8c9ace96-736f-4f47-ac59-2c5abd105160",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "c1868451-fe78-4d32-8d9f-05745ac18471",
"value": "2016-12-26T09:11:04+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "1e89cb45-eb79-4332-9013-7a8874c7261e",
"value": "c9c6c23afe612ae708600a1270fe814d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "102e3c9d-cdad-4ef9-aa8e-31759d2da973",
"value": "14c4e77aa195945f68739c6b860f72ec1e019879eb98eeb47655c6078d52c9ac"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1689946787",
"uuid": "b24fd92b-be6e-4560-9bdb-59a0def6afe3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "software",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "1dd095a8-9024-4cf7-849d-5199f291c176",
"value": "ESET"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1689946470",
"to_ids": true,
"type": "text",
"uuid": "706ae0bb-96a5-470e-84d5-f4cf32207c29",
"value": "Win32/Nightclub.E"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1689946798",
"uuid": "9c83e2e4-31c3-4851-90d9-725057096171",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1689946470",
"to_ids": false,
"type": "text",
"uuid": "7d3e5237-92f3-420d-9386-db64eee165b1",
"value": "dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "compilation-timestamp",
"timestamp": "1689946470",
"to_ids": false,
"type": "datetime",
"uuid": "c14a6ab3-e7b8-4007-b23f-28eaf8ffb184",
"value": "2017-03-13T13:27:40+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "imphash",
"timestamp": "1689946470",
"to_ids": false,
"type": "imphash",
"uuid": "f1cdb648-808e-4c85-8c0a-e1bc443349be",
"value": "e230ade5fee441b52f024c7f51644b5b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "authentihash",
"timestamp": "1689946470",
"to_ids": false,
"type": "authentihash",
"uuid": "1ad89d6a-1073-4f95-a244-5db4020b5255",
"value": "90cc318a654e1464cef513b7b5e99b760375e276b4b5b8b4fb9814fe8ae54de3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947363",
"uuid": "96dccff4-1e0f-4e11-a29d-dd4e85d9dd35",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689947363",
"to_ids": false,
"type": "ip-dst",
"uuid": "82c8b1b4-6c13-4250-8ce9-9221961cd77e",
"value": "45.136.199.67"
}
]
},
{
"comment": "NightClub C&C server.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2022-07-05T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947400",
"uuid": "f1549cfb-2f8a-49df-9a58-c6863a7ce5cd",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f1549cfb-2f8a-49df-9a58-c6863a7ce5cd",
"referenced_uuid": "96dccff4-1e0f-4e11-a29d-dd4e85d9dd35",
"relationship_type": "resolved-to",
"timestamp": "1689947363",
"uuid": "2fad6f19-b4fd-4b8f-a4bf-8275d21ec411"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2022-07-05T00:00:00+00:00",
"object_relation": "domain",
"timestamp": "1689947363",
"to_ids": false,
"type": "domain",
"uuid": "cffcc952-1960-4ef0-a9a7-f86f5b4b22a9",
"value": "securityocspdev.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947363",
"uuid": "c4853164-2333-41e1-9d6b-c622bd385a03",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689947363",
"to_ids": false,
"type": "ip-dst",
"uuid": "a87bface-5526-433a-a185-83adc80b0c97",
"value": "185.87.148.86"
}
]
},
{
"comment": "Suspected NightClub C&C server.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2021-11-03T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947421",
"uuid": "0d7c814d-dcbe-44b3-a678-30edadecf71c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0d7c814d-dcbe-44b3-a678-30edadecf71c",
"referenced_uuid": "c4853164-2333-41e1-9d6b-c622bd385a03",
"relationship_type": "resolved-to",
"timestamp": "1689947363",
"uuid": "d3b70496-27d9-4713-ace4-f1b5cb7d9b33"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2021-11-03T00:00:00+00:00",
"object_relation": "domain",
"timestamp": "1689947363",
"to_ids": false,
"type": "domain",
"uuid": "6b888415-35eb-41a6-b4c9-649790dccbe5",
"value": "centrocspupdate.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947363",
"uuid": "b442277b-946e-42c3-a9d6-7976cb65b884",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689947363",
"to_ids": false,
"type": "ip-dst",
"uuid": "50efb617-ca1d-45e1-be3b-59ddb11d1447",
"value": "185.87.151.130"
}
]
},
{
"comment": "Suspected NightClub C&C server.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2021-11-11T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947417",
"uuid": "6a5712ea-cf3c-44f4-9788-1cf8df970630",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6a5712ea-cf3c-44f4-9788-1cf8df970630",
"referenced_uuid": "b442277b-946e-42c3-a9d6-7976cb65b884",
"relationship_type": "resolved-to",
"timestamp": "1689947363",
"uuid": "72dd7bff-472b-4586-bb0b-a3cff39dfd75"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2021-11-11T00:00:00+00:00",
"object_relation": "domain",
"timestamp": "1689947363",
"to_ids": false,
"type": "domain",
"uuid": "fbb66ecf-5b6f-469f-8f36-01255c3728d6",
"value": "ocsp-atomsecure.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947363",
"uuid": "b20f1cc9-361c-441c-8bc3-eabb28b458e2",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689947363",
"to_ids": false,
"type": "ip-dst",
"uuid": "f58c0940-98b0-4ab0-9947-3bbf77273caa",
"value": "45.136.199.129"
}
]
},
{
"comment": "Suspected NightClub C&C server.",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2022-10-12T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947414",
"uuid": "215fe060-4fbf-4342-a230-7b5a303d56c4",
"ObjectReference": [
{
"comment": "",
"object_uuid": "215fe060-4fbf-4342-a230-7b5a303d56c4",
"referenced_uuid": "b20f1cc9-361c-441c-8bc3-eabb28b458e2",
"relationship_type": "resolved-to",
"timestamp": "1689947363",
"uuid": "c97b24bf-dad4-4734-a227-d1f78a62e808"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2022-10-12T00:00:00+00:00",
"object_relation": "domain",
"timestamp": "1689947363",
"to_ids": false,
"type": "domain",
"uuid": "9a0ed427-09b2-4fa3-9447-8de10e641497",
"value": "dervasopssec.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947506",
"uuid": "29d07632-dfe0-45cc-9828-daea9263bee8",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1689947506",
"to_ids": false,
"type": "ip-dst",
"uuid": "51d90d29-95bd-4800-bdc3-4234ae60e814",
"value": "71.15.110.25"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"first_seen": "2023-01-13T00:00:00+00:00",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1689947514",
"uuid": "49efdf22-09cb-4003-83d2-912da3368585",
"ObjectReference": [
{
"comment": "",
"object_uuid": "49efdf22-09cb-4003-83d2-912da3368585",
"referenced_uuid": "29d07632-dfe0-45cc-9828-daea9263bee8",
"relationship_type": "resolved-to",
"timestamp": "1689947514",
"uuid": "0a4ba3c4-cb4f-41fa-930a-6917f1207e5d"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2023-01-13T00:00:00+00:00",
"object_relation": "domain",
"timestamp": "1689947514",
"to_ids": false,
"type": "domain",
"uuid": "ba1db68c-a465-4b55-a1b2-2c8d3594646b",
"value": "windows.network.troubleshooter.com"
}
]
},
{
"comment": "Fake update page - AitM.",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"first_seen": "2023-01-13T00:00:00+00:00",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1689947529",
"uuid": "45c10194-bac4-48dd-b603-be916b720d8d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "45c10194-bac4-48dd-b603-be916b720d8d",
"referenced_uuid": "49efdf22-09cb-4003-83d2-912da3368585",
"relationship_type": "contains",
"timestamp": "1689947514",
"uuid": "ef583d73-b436-499a-b191-31a6af6fb182"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"first_seen": "2023-01-13T00:00:00+00:00",
"object_relation": "scheme",
"timestamp": "1689947514",
"to_ids": false,
"type": "text",
"uuid": "cf744b14-ae7b-4668-8ef6-8786bb036d82",
"value": "http"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2023-01-13T00:00:00+00:00",
"object_relation": "url",
"timestamp": "1689947514",
"to_ids": true,
"type": "url",
"uuid": "1067bf56-d019-4afe-8b37-cba63d6724e4",
"value": "http://windows.network.troubleshooter.com/jdrop.js"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2023-01-13T00:00:00+00:00",
"object_relation": "resource_path",
"timestamp": "1689947514",
"to_ids": false,
"type": "text",
"uuid": "81de91d9-8b8f-4556-8951-e09f077f2006",
"value": "/jdrop.js"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"first_seen": "2023-01-13T00:00:00+00:00",
"object_relation": "port",
"timestamp": "1689947514",
"to_ids": false,
"type": "port",
"uuid": "fb825ce2-6298-44b0-a5b9-ff1d990f8a68",
"value": "80"
}
]
}
]
}
}
Reference in a new issue View git blame Copy permalink