1875 lines
No EOL
68 KiB
JSON
1875 lines
No EOL
68 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-05-23",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Operation Ke3chang Resurfaces With New TidePool Malware",
|
|
"publish_timestamp": "1518770959",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1515812422",
|
|
"uuid": "5742ea44-5ff4-4634-99c9-4b32950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1515750508",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5742ea80-3774-4bab-bcd8-4e5d950d210f",
|
|
"value": "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5742ea8c-70f4-42b1-8703-4f17950d210f",
|
|
"value": "Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal. We\u00e2\u20ac\u2122ve discovered a new malware family we\u00e2\u20ac\u2122ve named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide. This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against India.\r\nThough we don\u00e2\u20ac\u2122t have comprehensive targeting information, the spear phishing emails we found targeted several Indian embassies in different countries. One decoy references an annual report filed by over 30 Indian embassies across the globe. The sender addresses of the phishing emails spoof real people with ties to Indian embassies, adding legitimacy to the emails to prompt the recipients to open the attached file. Also noteworthy, the actors are exploiting a relatively new vulnerability in their attacks with TidePool, which is detailed below.\r\nIn this report we will highlight the reuse of the code responsible for a variety of registry changes and command and control traffic over time as the Ke3chang actor has evolved their codebase to TidePool since the 2013 report."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "5742eaa5-cfec-4091-aaea-4f08950d210f",
|
|
"value": "CVE-2015-2545"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5742eac0-8830-4aa2-bd48-4aac950d210f",
|
|
"value": "%USERPROFILE%\\IEHelper\\mshtml.dll"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "TidePool",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5742ecbb-498c-480b-88ba-47f3950d210f",
|
|
"value": "goback.strangled.net"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003799",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ecd7-1e84-4225-b43b-4e9a950d210f",
|
|
"value": "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003799",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ecd7-794c-4a74-9aa4-45b6950d210f",
|
|
"value": "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003799",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ecd7-0b4c-477d-b70d-4795950d210f",
|
|
"value": "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003816",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ece8-e8dc-40e1-99db-4251950d210f",
|
|
"value": "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003833",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ecf9-31f0-4440-92ce-4d63950d210f",
|
|
"value": "785e8a39eb66e872ff5abee48b7226e99bed2e12bc0f68fc430145a00fe523db"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003833",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ecf9-67a8-426a-a268-4549950d210f",
|
|
"value": "eea3f90db41f872da8ed542b37948656b1fb93b12a266e8de82c6c668e60e9fc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003945",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ed69-d374-40b6-8f10-48ff950d210f",
|
|
"value": "4d5e0eddcd014c63123f6a46af7e53b5ac25a7ff7de86f56277fe39bff32c7b5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003946",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ed6a-5da4-4e7b-948e-4fd9950d210f",
|
|
"value": "1896d190ed5c5d04d74f8c2bfe70434f472b43441be824e81a31b7257b717e51"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464003946",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ed6a-5254-4448-b588-4908950d210f",
|
|
"value": "de5060b7e9aaaeb8d24153fe35b77c27c95dadda5a5e727d99f407c8703db649"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004032",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742edc0-5d9c-41a9-9a47-41d1950d210f",
|
|
"value": "71b548e09fd51250356111f394e5fc64ac54d5a07d9bc57852315484c2046093"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004063",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742eddf-627c-4ff7-9423-4efd950d210f",
|
|
"value": "39fdcdf019c0fca350ec5bd3de31b6649456993b3f9642f966d610e0190f9297"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004221",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742ee7d-d4dc-43df-b653-4408950d210f",
|
|
"value": "25a3b374894cacd922e7ff870bb19c84a9abfd69405dded13c3a6ceb5abe4d27"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004276",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742eeb4-4b48-4312-9290-4c47950d210f",
|
|
"value": "12cc0fdc4f80942f0ba9039a22e701838332435883fa62d0cefd3992867a9e88"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004276",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742eeb4-6690-48fc-b6d1-4a7d950d210f",
|
|
"value": "a4fae981b687fe230364508a3324cf6e6daa45ecddd6b7c7b532cdc980679076"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464004276",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5742eeb4-f0cc-48f9-b670-4a21950d210f",
|
|
"value": "c1a83a9600d69c91c19207a8ee16347202d50873b6dc4613ba4d6a6059610fa1"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750512",
|
|
"uuid": "d36aca31-f8d7-4ac8-bf33-30fd88480de8",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "d36aca31-f8d7-4ac8-bf33-30fd88480de8",
|
|
"referenced_uuid": "4c3e5932-e6a1-4554-9610-4cc1725c0b76",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770958",
|
|
"uuid": "5a588471-1b68-47a1-8505-490002de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846d-0614-49d1-9ace-481a02de0b81",
|
|
"value": "8e633f9ddb7902c1945f04203ed09e30838e1e74"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846d-95f8-45fb-a5e8-4b9202de0b81",
|
|
"value": "5ee64f9e44cddaa7ed11d752a149484d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846d-ef88-42a9-bef2-4d0202de0b81",
|
|
"value": "71b548e09fd51250356111f394e5fc64ac54d5a07d9bc57852315484c2046093"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750509",
|
|
"uuid": "4c3e5932-e6a1-4554-9610-4cc1725c0b76",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846d-41c0-45db-940a-4c7302de0b81",
|
|
"value": "https://www.virustotal.com/file/71b548e09fd51250356111f394e5fc64ac54d5a07d9bc57852315484c2046093/analysis/1464602237/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846d-595c-43da-80b0-496902de0b81",
|
|
"value": "42/57"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846d-05a0-469d-b6f7-40f502de0b81",
|
|
"value": "2016-05-30T09:57:17"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750512",
|
|
"uuid": "29317953-8a0f-4c20-9835-6cf7c4bdab52",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "29317953-8a0f-4c20-9835-6cf7c4bdab52",
|
|
"referenced_uuid": "abfa1b03-38a3-4cf7-9d5d-9bf1948898f4",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770958",
|
|
"uuid": "5a588471-26f8-4f54-83bd-48ec02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846d-7b00-4e61-88b7-498402de0b81",
|
|
"value": "31b92f816c9f3f45aeb435d47b654cd02c07a633"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846d-74c8-422d-9abd-4c4202de0b81",
|
|
"value": "aebf03ceaef042a833ee5459016f5bde"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846d-d620-4252-a02b-4c7002de0b81",
|
|
"value": "785e8a39eb66e872ff5abee48b7226e99bed2e12bc0f68fc430145a00fe523db"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750509",
|
|
"uuid": "abfa1b03-38a3-4cf7-9d5d-9bf1948898f4",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846d-eb44-4ec5-9e87-4c8e02de0b81",
|
|
"value": "https://www.virustotal.com/file/785e8a39eb66e872ff5abee48b7226e99bed2e12bc0f68fc430145a00fe523db/analysis/1505182043/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846d-0504-4231-b21f-4ac402de0b81",
|
|
"value": "26/58"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750509",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846d-a1cc-4a40-a5cf-4a6002de0b81",
|
|
"value": "2017-09-12T02:07:23"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750512",
|
|
"uuid": "33819efb-eb82-4a95-b1bf-1f78fe34b6fa",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "33819efb-eb82-4a95-b1bf-1f78fe34b6fa",
|
|
"referenced_uuid": "72f41d65-1c52-4c37-a1d6-e5d684df9bd8",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770958",
|
|
"uuid": "5a588471-201c-4c5e-8698-44d102de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846d-c960-470a-9738-43f002de0b81",
|
|
"value": "4ec47f819c72a4618ef6426839709d9a2e060919"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846d-1434-497c-ba93-432502de0b81",
|
|
"value": "026936afbbbdd9034f0a24b4032bd2f8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750509",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846d-8464-443e-8906-46fc02de0b81",
|
|
"value": "39fdcdf019c0fca350ec5bd3de31b6649456993b3f9642f966d610e0190f9297"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750509",
|
|
"uuid": "72f41d65-1c52-4c37-a1d6-e5d684df9bd8",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846e-358c-4ff5-8734-494902de0b81",
|
|
"value": "https://www.virustotal.com/file/39fdcdf019c0fca350ec5bd3de31b6649456993b3f9642f966d610e0190f9297/analysis/1501706637/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846e-7b70-413d-9396-4f1202de0b81",
|
|
"value": "49/65"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012 (BS2005)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846e-445c-427f-bb00-45cf02de0b81",
|
|
"value": "2017-08-02T20:43:57"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750513",
|
|
"uuid": "f1715b9e-1213-45d0-b05e-89b657a557a9",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "f1715b9e-1213-45d0-b05e-89b657a557a9",
|
|
"referenced_uuid": "670070b9-6439-402d-b6ea-1224c3b9fea8",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770958",
|
|
"uuid": "5a588471-4de8-446b-9a5a-4ab302de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846e-57d8-4ec0-8e87-4a2f02de0b81",
|
|
"value": "8c248daec675cb873a9ee850336e871dd4642c5b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846e-8cec-448c-9b02-40db02de0b81",
|
|
"value": "c591263d56b57dfadd06a68dd9657343"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846e-cc4c-46f6-a3fc-467a02de0b81",
|
|
"value": "eea3f90db41f872da8ed542b37948656b1fb93b12a266e8de82c6c668e60e9fc"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750510",
|
|
"uuid": "670070b9-6439-402d-b6ea-1224c3b9fea8",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846e-51bc-42f7-9846-4fa902de0b81",
|
|
"value": "https://www.virustotal.com/file/eea3f90db41f872da8ed542b37948656b1fb93b12a266e8de82c6c668e60e9fc/analysis/1464690554/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846e-a788-4d48-9cfe-411b02de0b81",
|
|
"value": "21/56"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Weaponized document attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846e-7f4c-43ae-aa0a-4da402de0b81",
|
|
"value": "2016-05-31T10:29:14"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750513",
|
|
"uuid": "38b19130-caab-4039-85c5-064242831cd4",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "38b19130-caab-4039-85c5-064242831cd4",
|
|
"referenced_uuid": "b7768dd0-8628-45a0-a1c0-30ff2c345300",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770958",
|
|
"uuid": "5a588471-b8bc-4783-81ef-4e7202de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846e-8324-46a4-8dc7-418a02de0b81",
|
|
"value": "24cf8ab0b6999ab88c234b16c211e9c296131dbd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846e-be7c-4c04-a794-403e02de0b81",
|
|
"value": "98f58f61f4510be9c531feb5f000172f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846e-a768-4c48-8a7e-4d5b02de0b81",
|
|
"value": "12cc0fdc4f80942f0ba9039a22e701838332435883fa62d0cefd3992867a9e88"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750510",
|
|
"uuid": "b7768dd0-8628-45a0-a1c0-30ff2c345300",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846e-b074-40aa-a94e-4ffb02de0b81",
|
|
"value": "https://www.virustotal.com/file/12cc0fdc4f80942f0ba9039a22e701838332435883fa62d0cefd3992867a9e88/analysis/1480255582/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846e-cafc-4abd-948f-4cc502de0b81",
|
|
"value": "41/56"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846e-4330-4878-b3c4-4aa502de0b81",
|
|
"value": "2016-11-27T14:06:22"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750513",
|
|
"uuid": "1acad919-6ce1-465a-9c60-a3ac588a180d",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "1acad919-6ce1-465a-9c60-a3ac588a180d",
|
|
"referenced_uuid": "7cdf00e3-c53f-40b4-b7cd-514c78f9c864",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588471-a890-46d9-a29a-49eb02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846e-c0d8-497c-ae39-42be02de0b81",
|
|
"value": "0246a237b281162059b84f1bc013d90bbb4104f7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846e-c1a0-4d4b-a5b4-406d02de0b81",
|
|
"value": "8ad9cb6b948bcf7f9211887e0cf6f02a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846e-a898-4fd3-9e79-4c6b02de0b81",
|
|
"value": "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750510",
|
|
"uuid": "7cdf00e3-c53f-40b4-b7cd-514c78f9c864",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846e-aed0-459e-b461-422402de0b81",
|
|
"value": "https://www.virustotal.com/file/38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f/analysis/1513864598/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846e-31ec-46e9-9a74-4c8b02de0b81",
|
|
"value": "41/68"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool Dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846e-d154-44e8-bfb4-48f602de0b81",
|
|
"value": "2017-12-21T13:56:38"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750513",
|
|
"uuid": "64cf2807-9421-4a99-bcdd-e82af40c7346",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "64cf2807-9421-4a99-bcdd-e82af40c7346",
|
|
"referenced_uuid": "0b830feb-b802-42b3-9c13-f90d67dc3095",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-02ec-4237-aa59-44f502de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846e-bfd4-439a-9207-43a702de0b81",
|
|
"value": "47a963e7588e9af060dfac62b94076f270d4008e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846e-ce00-4d07-80ef-430a02de0b81",
|
|
"value": "9469dd12136b6514d82c3b01d6082f59"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750510",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846e-d1f4-4e16-8552-480902de0b81",
|
|
"value": "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750510",
|
|
"uuid": "0b830feb-b802-42b3-9c13-f90d67dc3095",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846e-b3b4-44c8-8ba9-462402de0b81",
|
|
"value": "https://www.virustotal.com/file/2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18/analysis/1512091554/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750510",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846e-1ab8-41e1-a712-4e3702de0b81",
|
|
"value": "49/67"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846f-1e7c-4eed-b934-4db002de0b81",
|
|
"value": "2017-12-01T01:25:54"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750514",
|
|
"uuid": "96db58ab-0377-4a31-871b-c96f4652500e",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "96db58ab-0377-4a31-871b-c96f4652500e",
|
|
"referenced_uuid": "ea777cda-e274-445b-9504-912fdaf5ec18",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-33bc-426e-a54f-449202de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846f-312c-4741-838a-406902de0b81",
|
|
"value": "6793228ee3b6bd1a4bc91f17460b89d12d347fc9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846f-d510-455d-b7ac-4b7b02de0b81",
|
|
"value": "1aefd1c30d1710f901c70be7f1366cae"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846f-a67c-4ed3-8fb0-439802de0b81",
|
|
"value": "1896d190ed5c5d04d74f8c2bfe70434f472b43441be824e81a31b7257b717e51"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750511",
|
|
"uuid": "ea777cda-e274-445b-9504-912fdaf5ec18",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846f-8bb8-4de7-82fd-450e02de0b81",
|
|
"value": "https://www.virustotal.com/file/1896d190ed5c5d04d74f8c2bfe70434f472b43441be824e81a31b7257b717e51/analysis/1474270852/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846f-9d80-48cd-8e1f-42fd02de0b81",
|
|
"value": "20/55"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846f-eca0-41fa-88c7-463502de0b81",
|
|
"value": "2016-09-19T07:40:52"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750514",
|
|
"uuid": "ab660ec7-d756-4009-91c7-ef5ac5f7afcf",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "ab660ec7-d756-4009-91c7-ef5ac5f7afcf",
|
|
"referenced_uuid": "c4c4e9f6-4680-4789-b6a4-ec623a695c71",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-9948-41b6-a80f-44b402de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846f-3718-41f8-a605-4d5a02de0b81",
|
|
"value": "0e2c603e23219598dc3432d94df6dfae147cceab"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846f-70bc-4cfb-9839-479502de0b81",
|
|
"value": "3ed40dec891fd48c7ec6fa49b1058d24"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846f-bef8-4393-8c2a-419002de0b81",
|
|
"value": "de5060b7e9aaaeb8d24153fe35b77c27c95dadda5a5e727d99f407c8703db649"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750511",
|
|
"uuid": "c4c4e9f6-4680-4789-b6a4-ec623a695c71",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846f-cddc-4ff7-9b1d-421302de0b81",
|
|
"value": "https://www.virustotal.com/file/de5060b7e9aaaeb8d24153fe35b77c27c95dadda5a5e727d99f407c8703db649/analysis/1464236275/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846f-b4b4-42f1-8f52-4a1502de0b81",
|
|
"value": "20/56"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846f-582c-4af6-b645-436b02de0b81",
|
|
"value": "2016-05-26T04:17:55"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750514",
|
|
"uuid": "faaab687-1aa7-4f25-aab1-e4c6800a80ab",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "faaab687-1aa7-4f25-aab1-e4c6800a80ab",
|
|
"referenced_uuid": "b2e9a6ec-2c61-459b-9c48-a6d5b09d7fd6",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-6400-4a5b-9943-42e402de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846f-8cb4-4059-9093-49e002de0b81",
|
|
"value": "614ccb872e8feeab608a69d79c91bfeeb360ca9d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846f-f008-4475-aba0-4eaf02de0b81",
|
|
"value": "8c7cf7baaf20fe9bec63eb8928afdb41"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846f-22ec-4f17-85b8-4ea102de0b81",
|
|
"value": "a4fae981b687fe230364508a3324cf6e6daa45ecddd6b7c7b532cdc980679076"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750511",
|
|
"uuid": "b2e9a6ec-2c61-459b-9c48-a6d5b09d7fd6",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846f-1d68-41fa-a7b5-490b02de0b81",
|
|
"value": "https://www.virustotal.com/file/a4fae981b687fe230364508a3324cf6e6daa45ecddd6b7c7b532cdc980679076/analysis/1502697388/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846f-ce24-4e5d-9c03-47b402de0b81",
|
|
"value": "44/64"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012 - BS2005",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846f-9260-43c4-adae-4c1702de0b81",
|
|
"value": "2017-08-14T07:56:28"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750514",
|
|
"uuid": "8ec4d47a-540f-4bbb-bac4-083f4f481aab",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "8ec4d47a-540f-4bbb-bac4-083f4f481aab",
|
|
"referenced_uuid": "3cd6bcdd-bbcf-45e1-9950-90c48d7756db",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-6150-4116-82d5-48cd02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846f-218c-4484-8f8e-494402de0b81",
|
|
"value": "8bed9000c2f6347e683beadb1a5d4dedaccbd21f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846f-464c-4ee4-adc5-4e6802de0b81",
|
|
"value": "aae962611da956a26a76d185455f1d44"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846f-b8b8-4726-8d59-47d602de0b81",
|
|
"value": "4d5e0eddcd014c63123f6a46af7e53b5ac25a7ff7de86f56277fe39bff32c7b5"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750511",
|
|
"uuid": "3cd6bcdd-bbcf-45e1-9950-90c48d7756db",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846f-7198-409e-929f-429e02de0b81",
|
|
"value": "https://www.virustotal.com/file/4d5e0eddcd014c63123f6a46af7e53b5ac25a7ff7de86f56277fe39bff32c7b5/analysis/1474272871/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a58846f-8398-4582-8767-42cc02de0b81",
|
|
"value": "18/55"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Phishing email",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a58846f-6240-47e0-98b2-4ceb02de0b81",
|
|
"value": "2016-09-19T08:14:31"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750514",
|
|
"uuid": "29618e84-7d70-49ea-8c5e-d888d51f24ab",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "29618e84-7d70-49ea-8c5e-d888d51f24ab",
|
|
"referenced_uuid": "88f47bd4-e874-45e1-9c95-941a7cb0f52f",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-b71c-427b-a0b4-44c302de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a58846f-37e0-42a7-a36c-4a6002de0b81",
|
|
"value": "a8fa7f331329bb6b0018b5663961f50f60372dfc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a58846f-e4ac-49a3-ac90-475402de0b81",
|
|
"value": "6bd64b291f2855bbdb011a0af1fab2fc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750511",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a58846f-0edc-4720-8bf5-4a4a02de0b81",
|
|
"value": "c1a83a9600d69c91c19207a8ee16347202d50873b6dc4613ba4d6a6059610fa1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750511",
|
|
"uuid": "88f47bd4-e874-45e1-9c95-941a7cb0f52f",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750511",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a58846f-fdb4-4ae5-ae96-481202de0b81",
|
|
"value": "https://www.virustotal.com/file/c1a83a9600d69c91c19207a8ee16347202d50873b6dc4613ba4d6a6059610fa1/analysis/1477459761/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a588470-026c-4325-bca5-415202de0b81",
|
|
"value": "39/56"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 2: 6/1/2012 \u00e2\u20ac\u201c 7/10/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a588470-5850-4dc3-bc6a-453d02de0b81",
|
|
"value": "2016-10-26T05:29:21"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750515",
|
|
"uuid": "0756b913-74c9-432d-819b-a421d08d375d",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "0756b913-74c9-432d-819b-a421d08d375d",
|
|
"referenced_uuid": "ecd39cdd-ca7c-48fd-b0e5-ad1d6abbce67",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-b670-44cf-9b6c-490502de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a588470-2acc-44af-8977-465a02de0b81",
|
|
"value": "1a14cfdf652bcd1df572e47ed261abe453a41399"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a588470-1d60-4979-910c-40e102de0b81",
|
|
"value": "be0cc8411c066eac246097045b73c282"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a588470-3ef0-44a4-8a69-429b02de0b81",
|
|
"value": "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750512",
|
|
"uuid": "ecd39cdd-ca7c-48fd-b0e5-ad1d6abbce67",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a588470-c0e4-4c3b-8361-437102de0b81",
|
|
"value": "https://www.virustotal.com/file/9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba/analysis/1512091725/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a588470-29dc-4540-804f-48f002de0b81",
|
|
"value": "48/67"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a588470-c608-4829-a0d1-477202de0b81",
|
|
"value": "2017-12-01T01:28:45"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750515",
|
|
"uuid": "2404272c-a873-48c4-bc1f-2af5dde7d96e",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "2404272c-a873-48c4-bc1f-2af5dde7d96e",
|
|
"referenced_uuid": "6a5caeb6-3bcf-454d-85ea-96e9e13142d9",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-4f6c-4f77-9331-4c2102de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a588470-9038-484d-860b-4c5d02de0b81",
|
|
"value": "f1f895aa6bdb7369525abfb86b4475241e9dbfbb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a588470-bff4-4898-81b7-48fd02de0b81",
|
|
"value": "bae673964e9bc2a45ebcc667895104ef"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a588470-9558-4a6c-960f-45c302de0b81",
|
|
"value": "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750512",
|
|
"uuid": "6a5caeb6-3bcf-454d-85ea-96e9e13142d9",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a588470-d520-4bdf-a8cd-4b5002de0b81",
|
|
"value": "https://www.virustotal.com/file/67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed/analysis/1512091712/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a588470-5f84-413e-992a-4b8202de0b81",
|
|
"value": "49/66"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "TidePool DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750512",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a588470-eaf8-4911-8673-4ac302de0b81",
|
|
"value": "2017-12-01T01:28:32"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1515750515",
|
|
"uuid": "1bed7c4f-08df-4dce-8a44-b45a17fac214",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "1bed7c4f-08df-4dce-8a44-b45a17fac214",
|
|
"referenced_uuid": "2cc94589-3349-4fad-b8a0-f90063b03212",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518770959",
|
|
"uuid": "5a588472-901c-4b11-ab8a-4e5c02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a588470-7fcc-4e61-a88b-4ea702de0b81",
|
|
"value": "1178ddd92e0121e2ede7e1091661a324d31f0de0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a588470-efe0-4e1f-a7cb-450902de0b81",
|
|
"value": "50611814ad2a843a8f998c57786abad7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1515750512",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a588470-3f9c-4d62-800f-427702de0b81",
|
|
"value": "25a3b374894cacd922e7ff870bb19c84a9abfd69405dded13c3a6ceb5abe4d27"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1515750512",
|
|
"uuid": "2cc94589-3349-4fad-b8a0-f90063b03212",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1515750513",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a588471-14f8-4028-b391-41de02de0b81",
|
|
"value": "https://www.virustotal.com/file/25a3b374894cacd922e7ff870bb19c84a9abfd69405dded13c3a6ceb5abe4d27/analysis/1464323932/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1515750513",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a588471-59e0-419e-854d-43bf02de0b81",
|
|
"value": "43/57"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Group 1: 3/1/2012 \u00e2\u20ac\u201c 3/22/2012",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1515750513",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a588471-c3b4-4b8c-8e72-40e002de0b81",
|
|
"value": "2016-05-27T04:38:52"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |