{
|
|
"Event": {
|
|
"analysis": "1",
|
|
"date": "2019-10-07",
|
|
"extends_uuid": "",
|
|
"info": "Emotet in Depth TTP 10-07-19",
|
|
"publish_timestamp": "1592358012",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1621850615",
|
|
"uuid": "5d9b5933-964c-433c-b84f-4c680a2fe004",
|
|
"Orgc": {
|
|
"name": "MiSOC",
|
|
"uuid": "5d49b744-1ef4-4480-b486-40f06b08ac45"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#4de3bf",
|
|
"name": "Emotet"
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-tool=\"Empire - S0363\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:tool=\"Emotet\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"New Service - T1050\""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"name": "osint:certainty=\"50\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Maldoc 1st stage Download URLs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1570462687",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5d9b5bdf-36e8-494f-9bda-4522a63f8736",
|
|
"value": "http://dulich.goasiatravel.com/calendar/u8hsm_46c4yi-6024747470/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Maldoc 1st stage Download URLs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1570462687",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5d9b5bdf-b5ac-4550-8ee8-4491a63f8736",
|
|
"value": "https://drewnianazagroda.pl/c0nm/PtlOoIWOzs/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Maldoc 1st stage Download URLs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1570462687",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736",
|
|
"value": "http://latestgovernment.com/pramodchoudhary.examqualify.com/CKBOIhWtjs/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Maldoc 1st stage Download URLs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1570462687",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5d9b5bdf-b654-4401-9164-4f6ba63f8736",
|
|
"value": "https://kurumsalinternetsitesi.com/wp-content/wgSCKDClY/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Maldoc 1st stage Download URLs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1570462687",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5d9b5bdf-9bf0-4a3f-8387-404ca63f8736",
|
|
"value": "https://edealsadvisor.com/wp-includes/ZqLAroEkK/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-879c-49ef-846b-315974656a8a",
|
|
"value": "http://201.184.105.242/ban/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-325c-4d0b-a401-315974656a8a",
|
|
"value": "http://201.184.105.242/cone/dma/arizona/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-7ae4-4276-abff-315974656a8a",
|
|
"value": "http://201.184.105.242/health/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-90e4-4122-9476-315974656a8a",
|
|
"value": "http://201.184.105.242/iplk/enable/loadan/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-f444-4981-917b-315974656a8a",
|
|
"value": "http://201.184.105.242/loadan/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-558c-4548-a83c-315974656a8a",
|
|
"value": "http://201.184.105.242/sess/pnp/ringin/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-3d98-416c-9ff5-315974656a8a",
|
|
"value": "http://201.184.105.242/site/vermont/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-94f8-4ae2-9a3b-315974656a8a",
|
|
"value": "http://201.184.105.242/symbols/schema/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-4208-483c-badc-315974656a8a",
|
|
"value": "http://45.123.3.54/badge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-e7d4-4ece-94ac-315974656a8a",
|
|
"value": "http://45.123.3.54/publish/acquire/enabled/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-3188-4a7f-8e13-315974656a8a",
|
|
"value": "http://45.123.3.54/site/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-9f88-43a2-9b73-315974656a8a",
|
|
"value": "http://80.79.23.144/free/schema/scripts/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-5b0c-49d0-802a-315974656a8a",
|
|
"value": "http://80.79.23.144/results/cone/window/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-4e48-4b7d-ba67-315974656a8a",
|
|
"value": "http://80.79.23.144/splash/prov/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-47a0-4480-a429-315974656a8a",
|
|
"value": "http://104.131.11.150/cookies/usbccid/enabled/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-6acc-48a8-abba-315974656a8a",
|
|
"value": "http://104.131.11.150/dma/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-04f8-46df-bf49-315974656a8a",
|
|
"value": "http://104.131.11.150/img/enabled/scripts/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-cb88-445a-8eaa-315974656a8a",
|
|
"value": "http://142.44.162.209/pnp/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-3910-4501-8065-315974656a8a",
|
|
"value": "http://142.44.162.209/report/chunk/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-4910-4e43-9939-315974656a8a",
|
|
"value": "http://142.44.162.209/results/glitch/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-55f8-4fd0-807a-315974656a8a",
|
|
"value": "http://178.254.6.27/site/results/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-24e0-4062-9bba-315974656a8a",
|
|
"value": "http://178.254.6.27/stubs/pnp/window/merge/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-560c-4070-b46f-315974656a8a",
|
|
"value": "http://178.254.6.27/taskbar/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-dec8-4574-9ced-315974656a8a",
|
|
"value": "http://192.254.173.31/child/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1571266221",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5da79ead-048c-4da7-92c0-315974656a8a",
|
|
"value": "http://192.254.173.31/json/add/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Source of the MISP event",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1576589797",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5df8d9e5-f7a0-45b8-87c3-45ea950d210f",
|
|
"value": "https://github.com/Hestat/intel-sharing/blob/master/powershell-empire-12-16-19/misp.event.7941.json"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "Selected Malware Document for sandbox run",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570462332",
|
|
"uuid": "5d9b5a7c-7204-4384-9512-48970a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570462332",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b5a7c-2560-44ac-969d-42e60a2fe004",
|
|
"value": "SCAN_10079460983_IB_1007.doc|9ce5126ffcbc936ad6c0155763898f19"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570462332",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b5a7c-c814-4b59-903f-4c0e0a2fe004",
|
|
"value": "SCAN_10079460983_IB_1007.doc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570462332",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b5a7c-6d60-4555-90a2-42c30a2fe004",
|
|
"value": "9ce5126ffcbc936ad6c0155763898f19"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570462332",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b5a7c-74a0-4902-addb-4afa0a2fe004",
|
|
"value": "284534ae3c3ca467f098115d07cd7e14cbec9583"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570462332",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b5a7c-3ef8-48e9-8671-40760a2fe004",
|
|
"value": "dd007df90f91857a9efe65008cf015f7955ff05a5b243017e4931087f5742355"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570462332",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b5a7c-4740-4d31-bca2-4f830a2fe004",
|
|
"value": "175104"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Cobalt strike payload called by powershell",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570462376",
|
|
"uuid": "5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570462376",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b5aa8-5124-4bfe-bcc4-446c0a2fe004",
|
|
"value": "ikillyou.txt|26017e97acce09276f3b4c6800dec256"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570462376",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b5aa8-6c48-43a7-a725-4a860a2fe004",
|
|
"value": "ikillyou.txt"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570462376",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b5aa8-a07c-4401-99ee-44b80a2fe004",
|
|
"value": "26017e97acce09276f3b4c6800dec256"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570462376",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b5aa8-e53c-4d68-a233-4d5f0a2fe004",
|
|
"value": "b49b6719495f8398f72e18c0e9450feacb0f9bd9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570462376",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b5aa8-732c-4ebc-b096-429a0a2fe004",
|
|
"value": "3306d41a09840db2e94e7497c911e8d61d15776b44346f02bbb6a88f5bd51caa"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570462376",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b5aa8-72c0-4d0f-9783-47980a2fe004",
|
|
"value": "2789"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570467114",
|
|
"uuid": "5d9b6d2a-f048-4333-a71b-4f830a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570467114",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b6d2a-661c-4c0a-8813-4ab70a2fe004",
|
|
"value": "26017e97acce09276f3b4c6800dec256_unzipped_decoded.zip|0e8c5174646dcd87ac893271b80c9633"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Emotet Exe",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570472117",
|
|
"uuid": "5d9b80b5-67ac-4570-8958-4ea90a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570472117",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b80b5-83e8-4811-933f-40dc0a2fe004",
|
|
"value": "pixelproc.exe|9afcbf6f4f13a40791d368df767b4304",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:tool=\"Emotet\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570472117",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b80b5-1bfc-4bbd-aabf-4e400a2fe004",
|
|
"value": "pixelproc.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570472117",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b80b5-ff4c-4d46-98ce-40cd0a2fe004",
|
|
"value": "9afcbf6f4f13a40791d368df767b4304"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570472117",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b80b5-c704-4916-a3bb-45780a2fe004",
|
|
"value": "019a178ee95b34980a2f07ee624528de5f4eae44"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570472117",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b80b5-437c-41c1-823b-459c0a2fe004",
|
|
"value": "16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570472117",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b80b5-e340-4e19-977b-47d30a2fe004",
|
|
"value": "221184"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Trickbot Exe",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570472258",
|
|
"uuid": "5d9b8142-6bd0-484e-8a8f-43410a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570472258",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b8142-9654-49da-af32-4ba80a2fe004",
|
|
"value": ".exe|9240845226d22642cbe5e0d39205d869"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570472258",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b8142-56b8-49a7-8e90-426d0a2fe004",
|
|
"value": ".exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570472258",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b8142-3a1c-4760-872c-436f0a2fe004",
|
|
"value": "9240845226d22642cbe5e0d39205d869"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570472258",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b8142-04e4-4ebe-8564-44590a2fe004",
|
|
"value": "10dae0bced984456d3d7a2b059cd71a4762f1c5b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570472258",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b8142-b590-4445-81b3-4ffb0a2fe004",
|
|
"value": "4cbe34dc9928a6b93786a69bea92b3df0e04fd67d116fc1746d817496314de9e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570472258",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b8142-3e88-4463-b633-4ab80a2fe004",
|
|
"value": "393309"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Trickbot artifact",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570472290",
|
|
"uuid": "5d9b8162-9658-45ba-897f-4cdd0a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570472290",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b8162-fb20-4ad9-91da-45380a2fe004",
|
|
"value": "settings.ini|03dfc482ccecbbbc16c5c208ae55d49a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570472290",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b8162-0990-4049-848a-459d0a2fe004",
|
|
"value": "settings.ini"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570472290",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b8162-b0bc-42c4-8bb8-4d660a2fe004",
|
|
"value": "03dfc482ccecbbbc16c5c208ae55d49a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570472290",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b8162-cae0-41f9-8933-42050a2fe004",
|
|
"value": "46b1ad83e2bbf22b08462656e979bca53afff6ba"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570472290",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b8162-0efc-48c5-a090-42360a2fe004",
|
|
"value": "e23033b26e459f6987fb65b9dd8a975a14c2ea9d903a720d4a67a32d43bff293"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570472290",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b8162-9158-4838-8904-44830a2fe004",
|
|
"value": "63950"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Exchange DB file from trickbot",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1570472314",
|
|
"uuid": "5d9b817a-8320-4f3b-afee-43650a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1570472314",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5d9b817a-6ea0-47b0-a1a3-47a00a2fe004",
|
|
"value": "grabber_temp.INTEG.RAW|b65e8c666af6ff39c67552e0c98f55d5"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1570472314",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5d9b817a-53e4-4d92-9256-4c0c0a2fe004",
|
|
"value": "grabber_temp.INTEG.RAW"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1570472314",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d9b817a-44f0-4c37-95f3-46e60a2fe004",
|
|
"value": "b65e8c666af6ff39c67552e0c98f55d5"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1570472314",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5d9b817a-6698-4f70-97c0-4a940a2fe004",
|
|
"value": "844ce6691b66a81237a592ec6bd2c59c8dbd52a0"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1570472314",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5d9b817a-dedc-4ee0-85b5-46f60a2fe004",
|
|
"value": "2826263cc5a3199167970f988c628c177ec45cee60618ae40e9fe84ec9167b73"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1570472314",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5d9b817a-cc38-4f34-8da2-4e8d0a2fe004",
|
|
"value": "138246"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Cobalt Strike C2 Server",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "8",
|
|
"timestamp": "1570472706",
|
|
"uuid": "5d9b8302-b1ec-49b1-8c31-46d50a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "dst-port",
|
|
"timestamp": "1570472706",
|
|
"to_ids": false,
|
|
"type": "port",
|
|
"uuid": "5d9b8302-1ecc-493a-b7fd-41d70a2fe004",
|
|
"value": "443"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1570472706",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d9b8302-fea8-4074-a5f1-4d020a2fe004",
|
|
"value": "144.202.75.93"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Powershell Empire C2",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "8",
|
|
"timestamp": "1570472771",
|
|
"uuid": "5d9b8343-9d98-442f-b331-4a9a0a2fe004",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "dst-port",
|
|
"timestamp": "1570472771",
|
|
"to_ids": false,
|
|
"type": "port",
|
|
"uuid": "5d9b8343-c774-4cf8-a1d1-4c930a2fe004",
|
|
"value": "443"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1570472771",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d9b8343-6770-4d3d-b8a0-42a60a2fe004",
|
|
"value": "91.200.102.245"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |