adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/6b6fa46d-4a17-44a4-a234-d69487b04597.json

447 lines
No EOL
28 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2023-08-25",
"extends_uuid": "",
"info": "CISA - MAR-10459736.r1.v1 - WHIRLPOOL Variant",
"publish_timestamp": "1692944626",
"published": true,
"threat_level_id": "3",
"timestamp": "1692944619",
"uuid": "6b6fa46d-4a17-44a4-a234-d69487b04597",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell.",
"deleted": false,
"disable_correlation": false,
"first_seen": "2023-08-17T19:19:43.944668+00:00",
"timestamp": "1691615579",
"to_ids": true,
"type": "yara",
"uuid": "3e5f8fc0-da1f-47f0-8b6e-f4c4b033ce47",
"value": "'namespace'='CISA_Consolidated.yara' rule_name=CISA_10452108_02 rule_content=rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components\n{\n\tmeta:\n\t\tAuthor = \"CISA Code & Media Analysis\"\n\t\tIncident = \"10452108\"\n\t\tDate = \"2023-06-20\"\n\t\tLast_Modified = \"20230804_1730\"\n\t\tActor = \"n/a\"\n\t\tFamily = \"WHIRLPOOL\"\n\t\tCapabilities = \"communicates-with-c2 installs-other-components\"\n\t\tMalware_Type = \"backdoor\"\n\t\tTool_Type = \"unknown\"\n\t\tDescription = \"Detects malicious Linux WHIRLPOOL samples\"\n\t\tSHA256_1 = \"83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c\"\n\t\tSHA256_2 = \"8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347\"\n\tstrings:\n\t\t$s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }\n\t\t$s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }\n\t\t$a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }\n\t\t$a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\n\t\t$a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }\n\tcondition:\n\t\tuint32(0) == 0x464c457f and 4 of them\n}"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)",
"meta-category": "misc",
"name": "identity",
"template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990",
"template_version": "1",
"timestamp": "1681321989",
"uuid": "8e112e72-aa8f-4190-a359-28a9abae2896",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "859d081f-0018-48da-af2b-2fd024ad0d7d",
"value": "GeminiProduction_CMA",
"Tag": [
{
"colour": "#005226",
"local": "0",
"name": "misp:confidence-level=\"completely-confident\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "description",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "bfcb83d2-b259-438f-bdc8-a43915673d80",
"value": "Cybersecurity and Infrastructure Security Agency Production Identity. Code and Media Analysis.",
"Tag": [
{
"colour": "#005226",
"local": "0",
"name": "misp:confidence-level=\"completely-confident\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "identity_class",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "d38cf44f-19e5-49bd-b39a-ad8ebf954d45",
"value": "system",
"Tag": [
{
"colour": "#005226",
"local": "0",
"name": "misp:confidence-level=\"completely-confident\"",
"relationship_type": ""
}
]
}
]
},
{
"comment": "",
"deleted": false,
"description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
"meta-category": "misc",
"name": "malware-analysis",
"template_uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
"template_version": "1",
"timestamp": "1691615579",
"uuid": "07141506-e989-4a25-b510-797383e9b01a",
"ObjectReference": [
{
"comment": "",
"object_uuid": "07141506-e989-4a25-b510-797383e9b01a",
"referenced_uuid": "efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
"relationship_type": "analyses",
"timestamp": "1692944331",
"uuid": "97ecd299-8512-4e61-bcde-5465d3f4e2f3"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "product",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "42e406d8-bcb1-468d-b9d1-195810672cab",
"value": "eset"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "result",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "aea648ae-f790-412a-8511-22728becdb95",
"value": "unknown"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "result_name",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "e2f4500e-7dea-4009-8c50-d8915623816a",
"value": "a variant of Linux/WhirlPool.A trojan"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1691615579",
"uuid": "efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
"ObjectReference": [
{
"comment": "",
"object_uuid": "efd3fd98-6f1b-590d-bdd4-1e0753d3a689",
"referenced_uuid": "626a2549-5775-43a8-b8bb-2fe2682a6dae",
"relationship_type": "associated-with",
"timestamp": "1692944331",
"uuid": "0626f6c9-bf7a-479e-a859-9e8aaca5c167"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1692944331",
"to_ids": true,
"type": "md5",
"uuid": "e9137ec7-592d-4cd3-a135-fa3c821d50cb",
"value": "77e1e9bf69b09ed0840534adb8258540"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha1",
"uuid": "5f51c077-1d78-40f7-ac58-034bcbdff910",
"value": "deadca9bd85ee5c4e086fd81eee09407b769e9b6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha256",
"uuid": "5e064e2f-2cbd-4362-a68d-a955e47a2cd0",
"value": "0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha512",
"uuid": "e2994827-7640-4181-9ce8-53925b0026f1",
"value": "3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1692944331",
"to_ids": true,
"type": "ssdeep",
"uuid": "d8f3d964-78ae-4e93-900f-08fb1d569fa8",
"value": "98304:1z2EGoxipg0NPbuqbVxbNgqE+Q+F4YGZLx4BAFm/CyU:LLXYGNFLj"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1692944331",
"to_ids": true,
"type": "filename",
"uuid": "f213075f-0b12-46ee-b52e-7c9c9651fcfa",
"value": "ssld"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1692944331",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "4f8aa9e3-a8bc-480a-9432-20ee8ef3679d",
"value": "5034648"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Malware is a type of TTP that represents malicious code.",
"meta-category": "misc",
"name": "malware",
"template_uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
"template_version": "1",
"timestamp": "1691615579",
"uuid": "626a2549-5775-43a8-b8bb-2fe2682a6dae",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "2d538923-b375-4471-b5f4-69f653cf572e",
"value": "The file 'ssld' is a Linux ELF reverse shell and is a variant of WHIRLPOOL malware used on the Barracuda Email Security Gateway (ESG) device (Figure 1). The file looks for an encoded string with a '.io' extension (Figure 2). The string will be decoded and the data will be passed as the C2 which will include the Internet Protocol (IP) address and port number used to establish a reverse shell."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "is_family",
"timestamp": "1692944331",
"to_ids": false,
"type": "boolean",
"uuid": "2b74c868-0c2e-4e1f-bb81-7cf1cc9d2c0b",
"value": "0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "malware_type",
"timestamp": "1692944331",
"to_ids": false,
"type": "text",
"uuid": "be1cbecb-8dd5-4cf9-899f-a58169012721",
"value": "trojan"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2023-08-17T19:19:43.953009+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1691615579",
"uuid": "31532fc0-d3ee-479f-8482-a4d49732d5af",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1692944331",
"to_ids": true,
"type": "md5",
"uuid": "4f992ff1-08a6-4659-b962-93388c468a2d",
"value": "77e1e9bf69b09ed0840534adb8258540"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha1",
"uuid": "23f4ad3c-0727-4c5d-af13-b9f6812b4e75",
"value": "deadca9bd85ee5c4e086fd81eee09407b769e9b6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha256",
"uuid": "3806a4ad-a863-4f3f-95dc-4ab555aa5dad",
"value": "0af253e60456b03af49cc675f71d47b2dd9a48f50a927e43b9d8116985c06459"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1692944331",
"to_ids": true,
"type": "sha512",
"uuid": "63291d10-2a0f-4170-b774-1139ef17277e",
"value": "3ad6bd00c4195c9b1757a9d697196e8beffb343c331509c2eda24bbbd009cc1af552a1900ab04d169a22d273e6359cb2ff149050a7f792b9630108a4af226e2d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing the original file used to import data in MISP.",
"meta-category": "file",
"name": "original-imported-file",
"template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
"template_version": "2",
"timestamp": "1692944338",
"uuid": "74888f9e-4968-4601-944d-100a179c1b88",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "ewogICAgInR5cGUiOiAiYnVuZGxlIiwKICAgICJpZCI6ICJidW5kbGUtLTc4ZDc0MDVkLWM3NjktNGVmYi05NTUwLTQwNWEzNThhMmQ3NiIsCiAgICAib2JqZWN0cyI6IFsKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tNDJhYzNjOTItNjBkMi00MThmLWJhOGUtODM4OTQ0ZTYxMTBiIiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wNC0xMlQxNzo1MzowOS42NDZaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDQtMTJUMTc6NTM6MDkuNjQ2WiIsCiAgICAgICAgICAgICJuYW1lIjogIkdlbWluaVByb2R1Y3Rpb25fQ01BIiwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIkN5YmVyc2VjdXJpdHkgYW5kIEluZnJhc3RydWN0dXJlIFNlY3VyaXR5IEFnZW5jeSBQcm9kdWN0aW9uIElkZW50aXR5LiBDb2RlIGFuZCBNZWRpYSBBbmFseXNpcy4iLAogICAgICAgICAgICAiaWRlbnRpdHlfY2xhc3MiOiAic3lzdGVtIiwKICAgICAgICAgICAgImNvbmZpZGVuY2UiOiAxMDAsCiAgICAgICAgICAgICJsYW5nIjogImVuIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS1iYWI0YTYzYy1hZWQ5LTRjZjUtYTc2Ni1kZmNhNWFiYWMyYmIiCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiZmlsZSIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogImZpbGUtLWVmZDNmZDk4LTZmMWItNTkwZC1iZGQ0LTFlMDc1M2QzYTY4OSIsCiAgICAgICAgICAgICJoYXNoZXMiOiB7CiAgICAgICAgICAgICAgICAiTUQ1IjogIjc3ZTFlOWJmNjliMDllZDA4NDA1MzRhZGI4MjU4NTQwIiwKICAgICAgICAgICAgICAgICJTSEEtMSI6ICJkZWFkY2E5YmQ4NWVlNWM0ZTA4NmZkODFlZWUwOTQwN2I3NjllOWI2IiwKICAgICAgICAgICAgICAgICJTSEEtMjU2IjogIjBhZjI1M2U2MDQ1NmIwM2FmNDljYzY3NWY3MWQ0N2IyZGQ5YTQ4ZjUwYTkyN2U0M2I5ZDgxMTY5ODVjMDY0NTkiLAogICAgICAgICAgICAgICAgIlNIQS01MTIiOiAiM2FkNmJkMDBjNDE5NWM5YjE3NTdhOWQ2OTcxOTZlOGJlZmZiMzQzYzMzMTUwOWMyZWRhMjRiYmJkMDA5Y2MxYWY1NTJhMTkwMGFiMDRkMTY5YTIyZDI3M2U2MzU5Y2IyZmYxNDkwNTBhN2Y3OTJiOTYzMDEwOGE0YWYyMjZlMmQiLAogICAgICAgICAgICAgICAgIlNTREVFUCI6ICI5ODMwNDoxejJFR294aXBnME5QYnVxYlZ4Yk5ncUUrUStGNFlHWkx4NEJBRm0vQ3lVOkxMWFlHTkZMaiIKICAgICAgICAgICAgfSwKICAgICAgICAgICAgInNpemUiOiA1MDM0NjQ4LAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiaW5kaWNhdG9yIiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaW5kaWNhdG9yLS0zZTVmOGZjMC1kYTFmLTQ3ZjAtOGI2ZS1mNGM0YjAzM2NlNDciLAogICAgICAgICAgICAiY3JlYXRlZF9ieV9yZWYiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJtb2RpZmllZCI6ICIyMDIzLTA4LTA5VDIxOjEyOjU5LjAwMFoiLAogICAgICAgICAgICAibmFtZSI6ICJzc2xkIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS05NDg2OGM4OS04M2MyLTQ2NGItOTI5Yi1hMWE4YWEzYzg0ODciCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6ICJUaGUgZmlsZSAnc3NsZCcgaXMgYSBMaW51eCBFTEYgcmV2ZXJzZSBzaGVsbCBhbmQgaXMgYSB2YXJpYW50IG9mIFdISVJMUE9PTCBtYWx3YXJlIHVzZWQgb24gdGhlIEJhcnJhY3VkYSBFbWFpbCBTZWN1cml0eSBHYXRld2F5IChFU0cpIGRldmljZSAoRmlndXJlIDEpLiBUaGUgZmlsZSBsb29rcyBmb3IgYW4gZW5jb2RlZCBzdHJpbmcgd2l0aCBhICcuaW8nIGV4dGVuc2lvbiAoRmlndXJlIDIpLiBUaGUgc3RyaW5nIHdpbGwgYmUgZGVjb2RlZCBhbmQgdGhlIGRhdGEgd2lsbCBiZSBwYXNzZWQgYXMgdGhlIEMyIHdoaWNoIHdpbGwgaW5jbHVkZSB0aGUgSW50ZXJuZXQgUHJvdG9jb2wgKElQKSBhZGRyZXNzIGFuZCBwb3J0IG51bWJlciB1c2VkIHRvIGVzdGFibGlzaCBhIHJldmVyc2Ugc2hlbGwuIiwKICAgICAgICAgICAgImluZGljYXRvcl90eXBlcyI6IFsKICAgICAgICAgICAgICAgICJtYWxpY2lvdXMtYWN0aXZpdHkiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJwYXR0ZXJuIjogIiAnbmFtZXNwYWNlJz0nQ0lTQV9Db25zb2xpZGF0ZWQueWFyYScgcnVsZV9uYW1lPUNJU0FfMTA0NTIxMDhfMDIgcnVsZV9jb250ZW50PXJ1bGUgQ0lTQV8xMDQ1MjEwOF8wMiA6IFdISVJMUE9PTCBiYWNrZG9vciBjb21tdW5pY2F0ZXNfd2l0aF9jMiBpbnN0YWxsc19vdGhlcl9jb21wb25lbnRzXG57XG5cdG1ldGE6XG5cdFx0QXV0aG9yID0gXCJDSVNBIENvZGUgJiBNZWRpYSBBbmFseXNpc1wiXG5cdFx0SW5jaWRlbnQgPSBcIjEwNDUyMTA4XCJcblx0XHREYXRlID0gXCIyMDIzLTA2LTIwXCJcblx0XHRMYXN0X01vZGlmaWVkID0gXCIyMDIzMDgwNF8xNzMwXCJcblx0XHRBY3RvciA9IFwibi9hXCJcblx0XHRGYW1pbHkgPSBcIldISVJMUE9PTFwiXG5cdFx0Q2FwYWJpbGl0aWVzID0gXCJjb21tdW5pY2F0ZXMtd2l0aC1jMiBpbnN0YWxscy1vdGhlci1jb21wb25lbnRzXCJcblx0XHRNYWx3YXJlX1R5cGUgPSBcImJhY2tkb29yXCJcblx0XHRUb29sX1R5cGUgPSBcInVua25vd25cIlxuXHRcdERlc2NyaXB0aW9uID0gXCJEZXRlY3RzIG1hbGljaW91cyBMaW51eCBXSElSTFBPT0wgc2FtcGxlc1wiXG5cdFx0U0hBMjU2XzEgPSBcIjgzY2E2MzYyNTNmZDFlYjg5OGIyNDQ4NTU4MzhlMjI4MWYyNTdiYmU4ZWFkNDI4YjY5NTI4ZmM1MGI2MGFlOWNcIlxuXHRcdFNIQTI1Nl8yID0gXCI4ODQ5YTMyNzNlMDM2MmM0NWI0OTI4Mzc1ZDE5NjcxNDIyNGVjMjJjYjFkMmRmNWQwMjliZjU3MzQ5ODYwMzQ3XCJcblx0c3RyaW5nczpcblx0XHQkczAgPSB7IDY1IDcyIDcyIDZmIDcyIDIwIDJkIDMxIDIwIDY1IDc4IDY5IDc0IH1cblx0XHQkczEgPSB7IDYzIDcyIDY1IDYxIDc0IDY1IDIwIDczIDZmIDYzIDZiIDY1IDc0IDIwIDY1IDcyIDcyIDZmIDcyIDNhIDIwIDI1IDczIDI4IDY1IDcyIDcyIDZmIDcyIDNhIDIwIDI1IDY0IDI5IH1cblx0XHQkczIgPSB7IGM3IDAwIDIwIDMyIDNlIDI2IDY2IGM3IDQwIDA0IDMxIDAwIH1cblx0XHQkYTMgPSB7IDcwIDZjIDYxIDY5IDZlIDVmIDYzIDZmIDZlIDZlIDY1IDYzIDc0IH1cblx0XHQkYTQgPSB7IDYzIDZmIDZlIDZlIDY1IDYzIDc0IDIwIDY1IDcyIDcyIDZmIDcyIDNhIDIwIDI1IDczIDI4IDY1IDcyIDcyIDZmIDcyIDNhIDIwIDI1IDY0IDI5IH1cblx0XHQkYTUgPSB7IDczIDczIDZjIDVmIDYzIDZmIDZlIDZlIDY1IDYzIDc0IH1cblx0Y29uZGl0aW9uOlxuXHRcdHVpbnQzMigwKSA9PSAweDQ2NGM0NTdmIGFuZCA0IG9mIHRoZW1cbn1cbiIsCiAgICAgICAgICAgICJwYXR0ZXJuX3R5cGUiOiAieWFyYSIsCiAgICAgICAgICAgICJ2YWxpZF9mcm9tIjogIjIwMjMtMDgtMTdUMTk6MTk6NDMuOTQ0NjY4WiIKICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAibWFsd2FyZS1hbmFseXNpcyIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogIm1hbHdhcmUtYW5hbHlzaXMtLTA3MTQxNTA2LWU5ODktNGEyNS1iNTEwLTc5NzM4M2U5YjAxYSIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tOGUxMTJlNzItYWE4Zi00MTkwLWEzNTktMjhhOWFiYWUyODk2IiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wOC0wOVQyMToxMjo1OS4wMDBaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJwcm9kdWN0IjogImVzZXQiLAogICAgICAgICAgICAib2JqZWN0X21hcmtpbmdfcmVmcyI6IFsKICAgICAgICAgICAgICAgICJtYXJraW5nLWRlZmluaXRpb24tLTk0ODY4Yzg5LTgzYzItNDY0Yi05MjliLWExYThhYTNjODQ4NyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgInJlc3VsdF9uYW1lIjogImEgdmFyaWFudCBvZiBMaW51eC9XaGlybFBvb2wuQSB0cm9qYW4iLAogICAgICAgICAgICAicmVzdWx0IjogInVua25vd24iLAogICAgICAgICAgICAic2FtcGxlX3JlZiI6ICJmaWxlLS1lZmQzZmQ5OC02ZjFiLTU5MGQtYmRkNC0xZTA3NTNkM2E2ODkiCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogIm1hbHdhcmUiLAogICAgICAgICAgICAic3BlY192ZXJzaW9uIjogIjIuMSIsCiAgICAgICAgICAgICJpZCI6ICJtYWx3YXJlLS02MjZhMjU0OS01Nzc1LTQzYTgtYjhiYi0yZmUyNjgyYTZkYWUiLAogICAgICAgICAgICAiY3JlYXRlZF9ieV9yZWYiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJtb2RpZmllZCI6ICIyMDIzLTA4LTA5VDIxOjEyOjU5LjAwMFoiLAogICAgICAgICAgICAib2JqZWN0X21hcmtpbmdfcmVmcyI6IFsKICAgICAgICAgICAgICAgICJtYXJraW5nLWRlZmluaXRpb24tLTk0ODY4Yzg5LTgzYzItNDY0Yi05MjliLWExYThhYTNjODQ4NyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIlRoZSBmaWxlICdzc2xkJyBpcyBhIExpbnV4IEVMRiByZXZlcnNlIHNoZWxsIGFuZCBpcyBhIHZhcmlhbnQgb2YgV0hJUkxQT09MIG1hbHdhcmUgdXNlZCBvbiB0aGUgQmFycmFjdWRhIEVtYWlsIFNlY3VyaXR5IEdhdGV3YXkgKEVTRykgZGV2aWNlIChGaWd1cmUgMSkuIFRoZSBmaWxlIGxvb2tzIGZvciBhbiBlbmNvZGVkIHN0cmluZyB3aXRoIGEgJy5pbycgZXh0ZW5zaW9uIChGaWd1cmUgMikuIFRoZSBzdHJpbmcgd2lsbCBiZSBkZWNvZGVkIGFuZCB0aGUgZGF0YSB3aWxsIGJlIHBhc3NlZCBhcyB0aGUgQzIgd2hpY2ggd2lsbCBpbmNsdWRlIHRoZSBJbnRlcm5ldCBQcm90b2NvbCAoSVApIGFkZHJlc3MgYW5kIHBvcnQgbnVtYmVyIHVzZWQgdG8gZXN0YWJsaXNoIGEgcmV2ZXJzZSBzaGVsbC4iLAogICAgICAgICAgICAibWFsd2FyZV90eXBlcyI6IFsKICAgICAgICAgICAgICAgICJ0cm9qYW4iCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJpc19mYW1pbHkiOiBmYWxzZSwKICAgICAgICAgICAgInNhbXBsZV9yZWZzIjogWwogICAgICAgICAgICAgICAgImZpbGUtLWVmZDNmZDk4LTZmMWItNTkwZC1iZGQ0LTFlMDc1M2QzYTY4OSIKICAgICAgICAgICAgXQogICAgICAgIH0sCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbmRpY2F0b3IiLAogICAgICAgICAgICAic3BlY192ZXJzaW9uIjogIjIuMSIsCiAgICAgICAgICAgICJpZCI6ICJpbmRpY2F0b3ItLTMxNTMyZmMwLWQzZWUtNDc5Zi04NDgyLWE0ZDQ5NzMyZDVhZiIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tOGUxMTJlNzItYWE4Zi00MTkwLWEzNTktMjhhOWFiYWUyODk2IiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wOC0wOVQyMToxMjo1OS4wMDBaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTkuMDAwWiIsCiAgICAgICAgICAgICJuYW1lIjogInNzbGQiLAogICAgICAgICAgICAib2JqZWN0X21hcmtpbmdfcmVmcyI6IFsKICAgICAgICAgICAgICAgICJtYXJraW5nLWRlZmluaXRpb24tLTk0ODY4Yzg5LTgzYzItNDY0Yi05MjliLWExYThhYTNjODQ4NyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImluZGljYXRvcl90eXBlcyI6IFsKICAgICAgICAgICAgICAgICJtYWxpY2lvdXMtYWN0aXZpdHkiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJwYXR0ZXJuIjogIltmaWxlOmhhc2hlcy4nTUQ1Jz0nNzdlMWU5YmY2OWIwOWVkMDg0MDUzNGFkYjgyNTg1NDAnIE9SIGZpbGU6aGFzaGVzLidTSEEtMSc9J2RlYWRjYTliZDg1ZWU1YzRlMDg2ZmQ4MWVlZTA5NDA3Yjc2OWU5YjYnIE9SIGZpbGU6aGFzaGVzLidTSEEtMjU2Jz0nMGFmMjUzZTYwNDU2YjAzYWY0OWNjNjc1ZjcxZDQ3YjJkZDlhNDhmNTBhOTI3ZTQzYjlkODExNjk4NWMwNjQ1OScgT1IgZmlsZTpoYXNoZXMuJ1NIQS01MTInPSczYWQ2YmQwMGM0MTk1YzliMTc1N2E5ZDY5NzE5NmU4YmVmZmIzNDNjMzMxNTA5YzJlZGEyNGJiYmQwMDljYzFhZjU1MmExOTAwYWIwNGQxNjlhMjJkMjczZTYzNTljYjJmZjE0OTA1MGE3Zjc5MmI5NjMwMTA4YTRhZjIyNmUyZCddIiwKICAgICAgICAgICAgInBhdHRlcm5fdHlwZSI6ICJzdGl4IiwKICAgICAgICAgICAgInBhdHRlcm5fdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAidmFsaWRfZnJvbSI6ICIyMDIzLTA4LTE3VDE5OjE5OjQzLjk1MzAwOVoiCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogInJlcG9ydCIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogInJlcG9ydC0tNmI2ZmE0NmQtNGExNy00NGE0LWEyMzQtZDY5NDg3YjA0NTk3IiwKICAgICAgICAgICAgImNyZWF0ZWRfYnlfcmVmIjogImlkZW50aXR5LS04ZTExMmU3Mi1hYThmLTQxOTAtYTM1OS0yOGE5YWJhZTI4OTYiLAogICAgICAgICAgICAiY3JlYXRlZCI6ICIyMDIzLTA4LTA5VDIxOjEyOjU5LjAwMFoiLAogICAgICAgICAgICAibW9kaWZpZWQiOiAiMjAyMy0wOC0xN1QxOToxOTo0My45ODk0MjlaIiwKICAgICAgICAgICAgIm5hbWUiOiAiTUFSLTEwNDU5NzM2LnIxLnYxIC0gV0hJUkxQT09MIFZhcmlhbnQiLAogICAgICAgICAgICAib2JqZWN0X21hcmtpbmdfcmVmcyI6IFsKICAgICAgICAgICAgICAgICJtYXJraW5nLWRlZmluaXRpb24tLTk0ODY4Yzg5LTgzYzItNDY0Yi05MjliLWExYThhYTNjODQ4NyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIkNJU0Egb2J0YWluZWQgYSB2YXJpYW50IG9mIHRoZSBXSElSTFBPT0wgYmFja2Rvb3IuIFRoZSBtYWx3YXJlIHdhcyB1c2VkIGJ5IHRocmVhdCBhY3RvcnMgZXhwbG9pdGluZyBDVkUtMjAyMy0yODY4LCBhIGZvcm1lciB6ZXJvLWRheSB2dWxuZXJhYmlsaXR5IGFmZmVjdGluZyB2ZXJzaW9ucyA1LjEuMy4wMDEtOS4yLjAuMDA2IG9mIEJhcnJhY3VkYSBFbWFpbCBTZWN1cml0eSBHYXRld2F5IChFU0cpLlxyXG5cclxuV0hJUkxQT09MIGlzIGEgYmFja2Rvb3IgdGhhdCBlc3RhYmxpc2hlcyBhIFRyYW5zcG9ydCBMYXllciBTZWN1cml0eSAoVExTKSByZXZlcnNlIHNoZWxsIHRvIHRoZSBDb21tYW5kLWFuZC1Db250cm9sIChDMikgc2VydmVyLlxyXG5cclxuRm9yIGluZm9ybWF0aW9uIGFib3V0IHJlbGF0ZWQgbWFsd2FyZSwgc3BlY2lmaWNhbGx5IGluZm9ybWF0aW9uIG9uIHRoZSBpbml0aWFsIGV4cGxvaXQgcGF5bG9hZCBhbmQgb3RoZXIgYmFja2Rvb3JzLCBzZWUgQ0lTQSBBbGVydDogQ0lTQSBSZWxlYXNlcyBNYWx3YXJlIEFuYWx5c2lzIFJlcG9ydHMgb24gQmFycmFjdWRhIEJhY2tkb29ycy4gICIsCiAgICAgICAgICAgICJyZXBvcnRfdHlwZXMiOiBbCiAgICAgICAgICAgICAgICAib2JzZXJ2ZWQtZGF0YSIsCiAgICAgICAgICAgICAgICAibWFsd2FyZSIsCiAgICAgICAgICAgICAgICAiaW5kaWNhdG9yIgogICAgICAgICAgICBdLAogICAgICAgICAgICAicHVibGlzaGVkIjogIjIwMjMtMDgtMDlUMjE6MTI6NTlaIiwKICAgICAgICAgICAgIm9iamVjdF9yZWZzIjogWwogICAgICAgICAgICAgICAgImlkZW50aXR5LS04ZTExMmU3Mi1hYThmLTQxOTAtYTM1OS0yOGE5YWJhZTI4OTYiLAogICAgICAgICAgICAgICAgImZpbGUtLWVmZDNmZDk4LTZmMWItNTkwZC1iZGQ0LTFlMDc1M2QzYTY4OSIsCiAgICAgICAgICAgICAgICAiaW5kaWNhdG9yLS0zZTVmOGZjMC1kYTFmLTQ3ZjAtOGI2ZS1mNGM0YjAzM2NlNDciLAogICAgICAgICAgICAgICAgIm1hbHdhcmUtYW5hbHlzaXMtLTA3MTQxNTA2LWU5ODktNGEyNS1iNTEwLTc5NzM4M2U5YjAxYSIsCiAgICAgICAgICAgICAgICAibWFsd2FyZS0tNjI2YTI1NDktNTc3NS00M2E4LWI4YmItMmZlMjY4MmE2ZGFlIiwKICAgICAgICAgICAgICAgICJpbmRpY2F0b3ItLTMxNTMyZmMwLWQzZWUtNDc5Zi04NDgyLWE0ZDQ5NzMyZDVhZiIKICAgICAgICAgICAgXQogICAgICAgIH0KICAgIF0KfQ==",
"deleted": false,
"disable_correlation": true,
"object_relation": "imported-sample",
"timestamp": "1692944338",
"to_ids": false,
"type": "attachment",
"uuid": "3cebdcfe-65ce-4b62-b622-aa56867ef744",
"value": "MAR-10459736.r1.v1.CLEAR_stix2.json"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1692944338",
"to_ids": false,
"type": "text",
"uuid": "5c4002e7-7313-479e-911e-eb4920d76fc7",
"value": "STIX 2.1"
}
]
}
]
}
}
Reference in a new issue View git blame Copy permalink