{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-05-23",
|
|
"extends_uuid": "",
|
|
"info": "Talos Blog: VPNFilter",
|
|
"publish_timestamp": "1557217340",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1527104159",
|
|
"uuid": "5b0598ec-97ac-4456-9246-dcdb0acd0835",
|
|
"Orgc": {
|
|
"name": "Synovus Financial",
|
|
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093886",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7d-a3e0-4d18-a7fe-b8400acd0835",
|
|
"value": "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093886",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7d-1974-4a65-b03c-e0b50acd0835",
|
|
"value": "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093886",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7d-0b64-42db-a129-dbf60acd0835",
|
|
"value": "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093886",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7d-f178-4202-86cf-fb970acd0835",
|
|
"value": "37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093886",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7d-5ad0-4008-8ae8-ce320acd0835",
|
|
"value": "d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094478",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a7d-4a20-47ac-b50a-ecde0acd0835",
|
|
"value": "http://photobucket.com/user/saragray1/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2, Tor hidden service; .onion names are not resolved through public DNS, so detect on the host or at a Tor proxy rather than in DNS logs",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094481",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a7d-81bc-4322-b2c7-04370acd0835",
|
|
"value": "http://zuh3vcyskd4gipkm.onion/bin32/update.php",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094483",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a7f-c824-4320-a8a6-085b0acd0835",
|
|
"value": "http://photobucket.com/user/bob7301/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093887",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a7f-d374-412e-9380-085a0acd0835",
|
|
"value": "50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094486",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a80-3624-47c5-9527-08d20acd0835",
|
|
"value": "http://photobucket.com/user/nikkireed11/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093888",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a80-5060-4284-bc21-08d10acd0835",
|
|
"value": "4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094490",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a81-fa30-4539-8c5f-095f0acd0835",
|
|
"value": "http://photobucket.com/user/monicabelci4/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 3, plugins",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093889",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a81-6d98-4ec6-9560-09610acd0835",
|
|
"value": "f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094493",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a81-6dfc-49b8-90be-095d0acd0835",
|
|
"value": "http://photobucket.com/user/amandaseyfried1/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093889",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a81-6d98-49ac-9b95-09630acd0835",
|
|
"value": "776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093889",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a81-6e60-44a1-814b-095e0acd0835",
|
|
"value": "9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094495",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-4d68-4ef7-b896-0a990acd0835",
|
|
"value": "http://photobucket.com/user/eva_green1/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094497",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-7dd0-419a-b375-0aa00acd0835",
|
|
"value": "http://photobucket.com/user/jeniferaniston1/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 3, plugins",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093890",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a82-ebf4-4907-970c-0aa70acd0835",
|
|
"value": "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094501",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-a558-4725-8498-0a9a0acd0835",
|
|
"value": "http://photobucket.com/user/suwe8/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094504",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-92b8-469e-8156-0a980acd0835",
|
|
"value": "http://photobucket.com/user/millerfred/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094506",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-20e4-4bb7-9818-0aa50acd0835",
|
|
"value": "http://photobucket.com/user/kmila302/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094508",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-6be0-4ba5-896b-0a9e0acd0835",
|
|
"value": "http://photobucket.com/user/katyperry45/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093890",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5b059a82-85c0-4e16-9e4d-0a9f0acd0835",
|
|
"value": "0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1, downloads picture from photobucket.com; match on the full URL path, not the bare domain, since the host also serves legitimate traffic",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094511",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5b059a82-458c-4317-9ac7-0aa80acd0835",
|
|
"value": "http://photobucket.com/user/lisabraun87/library",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-af74-4f75-bf51-0aa00acd0835",
|
|
"value": "d113ce61ab1e4bfcb32fb3c53bd3cdeee81108d02d3886f6e2286e0b6a006747",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-3038-4637-a319-0aa00acd0835",
|
|
"value": "c52b3901a26df1680acbfb9e6184b321f0b22dd6c4bb107e5e071553d375c851",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-8f64-4625-a3ed-0aa00acd0835",
|
|
"value": "f372ebe8277b78d50c5600d0e2af3fe29b1e04b5435a7149f04edd165743c16d",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-d4c8-41ed-ab2d-0aa00acd0835",
|
|
"value": "be4715b029cbd3f8e2f37bc525005b2cb9cad977117a26fac94339a721e3f2a5",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-01f4-4734-a5a2-0aa00acd0835",
|
|
"value": "27af4b890db1a611d0054d5d4a7d9a36c9f52dffeb67a053be9ea03a495a9302",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-3ec0-4ac8-a8b6-0aa00acd0835",
|
|
"value": "fb47ba27dceea486aab7a0f8ec5674332ca1f6af962a1724df89d658d470348f",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-6994-433a-bc16-0aa00acd0835",
|
|
"value": "b25336c2dd388459dec37fa8d0467cf2ac3c81a272176128338a2c1d7c083c78",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-df04-424a-831b-0aa00acd0835",
|
|
"value": "cd75d3a70e3218688bdd23a0f618add964603736f7c899265b1d8386b9902526",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-06b8-4eea-9ef5-0aa00acd0835",
|
|
"value": "110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-2bb0-4fe2-abdb-0aa00acd0835",
|
|
"value": "909cf80d3ef4c52abc95d286df8d218462739889b6be4762a1d2fac1adb2ec2b",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-63cc-4cf3-8f1e-0aa00acd0835",
|
|
"value": "044bfa11ea91b5559f7502c3a504b19ee3c555e95907a98508825b4aa56294e4",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527093947",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-9990-4e08-bf61-0aa00acd0835",
|
|
"value": "c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-baa0-4df2-9da5-0aa00acd0835",
|
|
"value": "8f1d0cd5dd6585c3d5d478e18a85e7109c8a88489c46987621e01d21fab5095d",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "x509-fingerprint-sha256",
|
|
"uuid": "5b059abb-ec7c-4959-9548-0aa00acd0835",
|
|
"value": "d5dec646c957305d91303a1d7931b30e7fb2f38d54a1102e14fd7a4b9f6e0806",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094046",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5b059b06-76c8-42ef-a695-0ce50acd0835",
|
|
"value": "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "5f358afee76f2a74b1a3443c6012b27b: Enriched via VT\nAttribute #1743132 enriched by virustotal. The filename value originates from the VirusTotal record; treat it as a submission name rather than a confirmed on-device path unless verified.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094082",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5b059b42-1798-4ab9-92df-0d3005dc1b25",
|
|
"value": "%USERPROFILE%\\Documents\\qsync.php"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "5f358afee76f2a74b1a3443c6012b27b: Enriched via VT\nAttribute #1743132 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094083",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b43-3ca8-4c94-a835-0d3005dc1b25",
|
|
"value": "6144:gPgrKJ+zIIglQIU1BILPTQGEk9pmnhdTnfdkV8Ww+BthUeX2ut:gPkSAoQIUILwkwTy8Wye9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "92d47495c92d8c5dba107163df2bb212: Enriched via VT\nAttribute #1743133 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094086",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b46-3d9c-458f-80bb-0d3005dc1b25",
|
|
"value": "6144:BLXXE5rpmlrk7dHlG+wQ+GEfNB/ORZy+Om7BC:dU5rpkw7i+Z6fNBiC"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "4912aad5e79c78bc143e71633df9c17b: Enriched via VT\nAttribute #1743134 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094090",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b4a-bde0-4a4f-acae-0d3005dc1b25",
|
|
"value": "6144:cmbS6GCJukDhQnhcOsKMglGEZVHTMKc+Mkf7su:csS6zJuoOnMKMQZVYBu"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "19dd8b95fcca498582642f5a0b2fc58b: Enriched via VT\nAttribute #1743135 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094093",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b4d-cb7c-4a49-b039-0d3005dc1b25",
|
|
"value": "6144:+9GiuTGkBPoiJhaalRXd6Rv0XXvpPJ7tkISJZM9PJetlXSImnb:62T/oiHRXU8bCZM9X9b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "87049e223dd922dc1d8180c83e2fde77: Enriched via VT\nAttribute #1743136 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094097",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b51-6b8c-4566-ad05-0d3005dc1b25",
|
|
"value": "6144:aCwworoTxC3REpYGACnkEBWkTGEmRqCTGqmpc47qa:ax7olCBEanCpWKmRbha"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "45871bad3a9b4594fc3de39e4b5930ad: Enriched via VT\nAttribute #1743140 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094100",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b54-8974-4c23-a736-0d3005dc1b25",
|
|
"value": "6144:9QkvS9EWCxns8zTwJWIck9NpU6zT3C+rkoyoa3y0c2TLCAVrSj2+9Ea:89EhLkdfLQXoaE2TOAV2Rt"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "17e5e5c25eef807a08f02b8e435dda30: Enriched via VT\nAttribute #1743142 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094104",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b58-5a9c-4784-b358-0d3005dc1b25",
|
|
"value": "6144:baJi/5AF4DV6+aCOGi8eaFa63MNQmII5ktPLh:ba0RFaB6jyktd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "97444b5209278ed611e6a94076e814c8: Enriched via VT\nAttribute #1743144 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094107",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5b059b5b-7ba4-4371-8e6a-0d3005dc1b25",
|
|
"value": "vpnfilterm_ps"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "97444b5209278ed611e6a94076e814c8: Enriched via VT\nAttribute #1743144 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094107",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b5b-46ec-4e86-8e00-0d3005dc1b25",
|
|
"value": "384:MEoMAy/GRMYA0V/e3mAbCy5wjwl3eX02wcLieJIh/PyVMItRwMeZz+zr1gBePaI9:MEQeFYX0/cLhIJPyVMKfe0fYIT9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 1 fallback domain, contacted only when the Photobucket download fails",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094527",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5b059b5e-3da8-4fc2-8da7-08d20acd0835",
|
|
"value": "toknowall.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "8e74e36ba104389aa6dc4d4429bcf0cf: Enriched via VT\nAttribute #1743146 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094111",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b5f-d4d0-4640-8fd0-0d3005dc1b25",
|
|
"value": "6144:muz6HAcALFnJ6A1HtguhY2xwaSV58bDSXBteLq:mo+vG17UE0BtB"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "42d891bcdee9588f8ed5d27456896a5e: Enriched via VT\nAttribute #1743147 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094115",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b63-af28-4bbc-bb18-0d3005dc1b25",
|
|
"value": "6144:uZXfvVijz85XiCcYuty8f0trKy1AUiJh8SWMJvEKKvk1Dc3F/FkZX97U:uXiwXi9tnfHv7tK81ugY"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "b5dc976043db9b42c9f6fa889205c68a: Enriched via VT\nAttribute #1743150 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094119",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b67-4818-4075-a163-0d3005dc1b25",
|
|
"value": "98304:ZUKUXKMOzkGNCPCEQi0EADYT9Bci7A5HqPwy/pfmITeaysckQj:tUXK6CBVlDYMf5HqPwyhuITTy"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "93ff367439becebd9d71c3e12041c95e: Enriched via VT\nAttribute #1743155 enriched by virustotal.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094122",
|
|
"to_ids": false,
|
|
"type": "ssdeep",
|
|
"uuid": "5b059b6a-b2c4-43a8-80d0-0d3005dc1b25",
|
|
"value": "6144:hlyC+z6zIitnujMMYNyCSyza7csDZmA/x2LwB7jvXHiY1:DCzgIiwMJ2DQux2L6Pr1"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094145",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b81-1950-4d6a-a03e-0aa30acd0835",
|
|
"value": "91.121.109.209"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094145",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b81-5cbc-44f0-8aa5-0aa30acd0835",
|
|
"value": "217.12.202.40"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094145",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b81-fc3c-4407-b68c-0aa30acd0835",
|
|
"value": "94.242.222.68"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-4d84-4afe-9c9b-0aa30acd0835",
|
|
"value": "82.118.242.124"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-4b90-4e10-8744-0aa30acd0835",
|
|
"value": "46.151.209.33"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-843c-47bc-bc1e-0aa30acd0835",
|
|
"value": "217.79.179.14"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-cf94-4cab-8abc-0aa30acd0835",
|
|
"value": "91.214.203.144"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-ce54-4359-8228-0aa30acd0835",
|
|
"value": "95.211.198.231"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-5f9c-4949-b910-0aa30acd0835",
|
|
"value": "195.154.180.60"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-baa0-4804-a02c-0aa30acd0835",
|
|
"value": "5.149.250.54"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-e848-4bb6-a465-0aa30acd0835",
|
|
"value": "91.200.13.76"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-85e4-48be-b33d-0aa30acd0835",
|
|
"value": "94.185.80.82"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094146",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5b059b82-c03c-4400-983a-0aa30acd0835",
|
|
"value": "62.210.180.229"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 1",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094798",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e0e-9e7c-4f4a-a1a3-0aa30acd0835",
|
|
"value": "45871bad3a9b4594fc3de39e4b5930ad"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 1",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094798",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e0e-8b0c-486a-b473-0aa30acd0835",
|
|
"value": "5f358afee76f2a74b1a3443c6012b27b"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-0dec-4d5e-b31c-0f810acd0835",
|
|
"value": "4912aad5e79c78bc143e71633df9c17b"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-b6f0-4a60-8d6e-0f810acd0835",
|
|
"value": "87049e223dd922dc1d8180c83e2fde77"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-3408-4d9c-94d6-0f810acd0835",
|
|
"value": "17e5e5c25eef807a08f02b8e435dda30"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-5850-4b83-a6e6-0f810acd0835",
|
|
"value": "42d891bcdee9588f8ed5d27456896a5e"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-1d48-43aa-ae5b-0f810acd0835",
|
|
"value": "19dd8b95fcca498582642f5a0b2fc58b"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-4ed8-4713-809f-0f810acd0835",
|
|
"value": "8e74e36ba104389aa6dc4d4429bcf0cf"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-17b8-4674-bbb7-0f810acd0835",
|
|
"value": "92d47495c92d8c5dba107163df2bb212"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094916",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059e84-d8c8-43a8-8069-0f810acd0835",
|
|
"value": "93ff367439becebd9d71c3e12041c95e"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 3, plugins",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059eb4-c45c-4cd3-8de0-0f810acd0835",
|
|
"value": "97444b5209278ed611e6a94076e814c8"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Stage 3, plugins",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1527094964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5b059eb4-f058-450a-b54f-0f810acd0835",
|
|
"value": "b5dc976043db9b42c9f6fa889205c68a"
|
|
}
|
|
]
|
|
}
|
|
}