{
"Event": {
"analysis": "2",
"date": "2019-05-01",
"extends_uuid": "",
"info": "OSINT - Kernel Mode Malicious Loader",
"publish_timestamp": "1556694084",
"published": true,
"threat_level_id": "3",
"timestamp": "1556694075",
"uuid": "5cc92e5a-c624-4343-8352-40fd02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556688489",
"to_ids": true,
"type": "url",
"uuid": "5cc92e69-74a8-4690-90f4-482d02de0b81",
"value": "http://45.227.252.54"
},
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556688522",
"to_ids": true,
"type": "sha1",
"uuid": "5cc92e8a-6df8-4361-ab1b-4d4002de0b81",
"value": "9cfced68abe4f2c0dc5c42f47652592077c26fd6"
},
{
"category": "Payload delivery",
"comment": "unpacked stage",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556688522",
"to_ids": true,
"type": "sha1",
"uuid": "5cc92e8a-a568-4e06-8c35-42c102de0b81",
"value": "e1111022deeeed0389ff01ebb02489c45fa2f71a"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556688803",
"to_ids": false,
"type": "link",
"uuid": "5cc92fa3-f1cc-46c7-9084-48c902de0b81",
"value": "https://twitter.com/PRODAFT/status/1123241137710555136"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556694075",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cc9443b-9b54-4abf-a421-1ba002de0b81",
"value": "45.227.252.54"
}
],
"Object": [
{
"comment": "Malicious kernel mode loader",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1556688878",
"uuid": "5cc92fee-df1c-4c88-837f-4d7a02de0b81",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556688878",
"to_ids": true,
"type": "sha1",
"uuid": "5cc92fee-7418-4df1-af0a-415d02de0b81",
"value": "73f346da7642fae92677a71b01bfcd460f8604bc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1556688878",
"to_ids": false,
"type": "text",
"uuid": "5cc92fee-0ed8-466c-bbf5-4dd002de0b81",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556689366",
"uuid": "837ee41b-cf9d-4b16-8de6-383694cf6f5c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "837ee41b-cf9d-4b16-8de6-383694cf6f5c",
"referenced_uuid": "cd55b14c-14bc-4c8c-86e5-170d7444012a",
"relationship_type": "analysed-with",
"timestamp": "1556689367",
"uuid": "5cc931d7-3af0-43cc-8f7a-4f4502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556688522",
"to_ids": true,
"type": "md5",
"uuid": "59804e8e-6d94-4912-9cc0-a5c2bd1421c7",
"value": "3ae249513649876a34c60e04f385e156"
},
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556688522",
"to_ids": true,
"type": "sha1",
"uuid": "158a8aed-fdd7-45b8-ba6c-fc6a96ef5f67",
"value": "9cfced68abe4f2c0dc5c42f47652592077c26fd6"
},
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556688522",
"to_ids": true,
"type": "sha256",
"uuid": "bb6af612-a0ed-4c80-b890-971bdec595e1",
"value": "1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556689367",
"uuid": "cd55b14c-14bc-4c8c-86e5-170d7444012a",
"Attribute": [
{
"category": "Other",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556688522",
"to_ids": false,
"type": "datetime",
"uuid": "09a8c2c4-491f-4dab-b9ba-2d669878f830",
"value": "2019-02-23T10:47:04"
},
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556688522",
"to_ids": false,
"type": "link",
"uuid": "d63e7483-709b-4a33-9799-1109f24b823d",
"value": "https://www.virustotal.com/file/1284962d30eabb8e47261414350c01ec04555800a3866f4e6cf1e20816e25a2e/analysis/1550918824/"
},
{
"category": "Payload delivery",
"comment": "first stage",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556688522",
"to_ids": false,
"type": "text",
"uuid": "0f752f01-5f37-4c8a-8ad8-56622bfe8a6a",
"value": "33/66"
}
]
}
]
}
}