2283 lines
No EOL
76 KiB
JSON
2283 lines
No EOL
76 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-10-04",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Indicators of Compromise for Malware used by APT28",
|
|
"publish_timestamp": "1538643817",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1538643710",
|
|
"uuid": "5bb5d045-acf8-42ac-97ce-45c5950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#12e000",
|
|
"local": "0",
|
|
"name": "misp-galaxy:threat-actor=\"Sofacy\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:microsoft-activity-group=\"STRONTIUM\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0c9900",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"X-Tunnel\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0c9800",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"X-Agent\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bb5d10c-0674-4b1c-bfc8-c4b3950d210f",
|
|
"value": "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d166-9890-499a-a671-c4b3950d210f",
|
|
"value": "139.5.177.205"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d167-d8ac-415a-9ca1-c4b3950d210f",
|
|
"value": "80.255.6.15"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d167-81c4-4f97-b256-c4b3950d210f",
|
|
"value": "89.34.111.107"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d169-71cc-4869-ae98-c4b3950d210f",
|
|
"value": "86.106.131.229"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d169-16d8-4961-aa8b-c4b3950d210f",
|
|
"value": "139.5.177.206"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d16a-a108-4237-b8a8-c4b3950d210f",
|
|
"value": "185.181.102.203"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d16a-f3cc-4ca9-80d9-c4b3950d210f",
|
|
"value": "185.181.102.204"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d16a-2780-4012-a411-c4b3950d210f",
|
|
"value": "169.239.129.31"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16b-b5d0-47fe-824c-c4b3950d210f",
|
|
"value": "malaytravelgroup.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16b-bf50-4cea-b981-c4b3950d210f",
|
|
"value": "worldimagebucket.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16c-4910-4922-8e60-c4b3950d210f",
|
|
"value": "fundseats.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16c-d10c-4be3-a955-c4b3950d210f",
|
|
"value": "globaltechengineers.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16d-cf00-4e63-91b3-c4b3950d210f",
|
|
"value": "beststreammusic.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16d-a53c-4321-9eea-c4b3950d210f",
|
|
"value": "thepiratecinemaclub.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d16e-b670-42a3-add0-c4b3950d210f",
|
|
"value": "coindmarket.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1ca-3df4-4822-bd62-c1ce950d210f",
|
|
"value": "213.252.247.112"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cb-d934-4924-986f-c1ce950d210f",
|
|
"value": "185.86.148.15"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cc-ee40-470d-b092-c1ce950d210f",
|
|
"value": "89.45.67.110"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cc-c3f0-472c-b8d5-c1ce950d210f",
|
|
"value": "185.86.150.205"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cc-0d70-47be-8c1f-c1ce950d210f",
|
|
"value": "193.37.255.10"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642381",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cd-6ee0-4029-9050-c1ce950d210f",
|
|
"value": "195.12.50.171"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cd-57f8-46ca-a83c-c1ce950d210f",
|
|
"value": "51.38.128.110"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1ce-df28-4687-b97a-c1ce950d210f",
|
|
"value": "185.144.83.124"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1ce-ffa0-4a69-a827-c1ce950d210f",
|
|
"value": "185.216.35.10"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cf-6d5c-4f9a-90a7-c1ce950d210f",
|
|
"value": "185.94.192.122"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1cf-9f9c-4d21-bbba-c1ce950d210f",
|
|
"value": "185.216.35.7"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d0-5b5c-4074-bf11-c1ce950d210f",
|
|
"value": "103.253.41.124"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d2-2464-4f9b-95e5-c1ce950d210f",
|
|
"value": "185.189.112.195"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d6-b204-48ce-a655-c1ce950d210f",
|
|
"value": "185.230.124.246"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d7-333c-4291-9538-c1ce950d210f",
|
|
"value": "87.120.254.106"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642391",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d7-0da4-4af0-a0e6-c1ce950d210f",
|
|
"value": "77.81.98.122"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d8-73d0-4aaf-a912-c1ce950d210f",
|
|
"value": "89.34.111.132"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d8-09c0-4dcc-b662-c1ce950d210f",
|
|
"value": "46.21.147.55"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d9-6a78-4e6c-b5a1-c1ce950d210f",
|
|
"value": "103.208.86.57"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1d9-f01c-43c8-9798-c1ce950d210f",
|
|
"value": "185.128.24.104"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1da-c230-40cc-9174-c1ce950d210f",
|
|
"value": "145.239.67.8"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1da-2c88-46f0-9d33-c1ce950d210f",
|
|
"value": "185.210.219.250"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d1db-13ac-464b-93e9-c1ce950d210f",
|
|
"value": "86.105.9.174"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1db-2e8c-4af8-bcfe-c1ce950d210f",
|
|
"value": "creekcounty.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1db-a804-4da6-8a19-c1ce950d210f",
|
|
"value": "virtsvc.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1dc-b4cc-4d04-8b28-c1ce950d210f",
|
|
"value": "moderntips.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1dc-3a0c-44a2-95c1-c1ce950d210f",
|
|
"value": "daysheduler.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1dd-0614-4c6f-bf02-c1ce950d210f",
|
|
"value": "escochart.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1dd-8474-4dfc-938c-c1ce950d210f",
|
|
"value": "loungecinemaclub.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1de-7174-4cc8-9a17-c1ce950d210f",
|
|
"value": "genericnetworkaddress.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1de-54c0-43e9-8dc3-c1ce950d210f",
|
|
"value": "bulgariatripholidays.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1df-3b1c-44e7-90b8-c1ce950d210f",
|
|
"value": "georgia-travel.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1df-699c-40dc-b6d5-c1ce950d210f",
|
|
"value": "bbcweather.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e0-9604-4c74-849c-c1ce950d210f",
|
|
"value": "politicweekend.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e0-2504-4112-88f4-c1ce950d210f",
|
|
"value": "truefashionnews.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e0-29d8-4e71-bec6-c1ce950d210f",
|
|
"value": "protonhardstorage.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e1-111c-4871-99e8-c1ce950d210f",
|
|
"value": "moldtravelgroup.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e4-b89c-4cf8-84d5-c1ce950d210f",
|
|
"value": "iboxmit.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e6-e000-49f7-a4ee-c1ce950d210f",
|
|
"value": "brownvelocity.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e7-e364-4e33-ba48-c1ce950d210f",
|
|
"value": "pointtk.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e8-2464-4d1e-87bd-c1ce950d210f",
|
|
"value": "narrowpass.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e8-a384-4de3-805c-c1ce950d210f",
|
|
"value": "powernoderesources.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bb5d1e9-567c-45b7-9103-c1ce950d210f",
|
|
"value": "topcinemaclub.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "5bb5d244-d7ac-487b-acb8-347d950d210f",
|
|
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,from_client; msg: \"XAgent Beacon\"; content:\"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*\";!\"Host|3a| yandex.ru\";; pcre: \"/^(?:GET|POST)\\ /(?:watch|search|find|results|open|search|close)\\/\\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/\";)"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "5bb5d25b-fbc8-4a6b-9fb8-ef06950d210f",
|
|
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,from_client; msg:: \"XAgent itwm beacon v1\"; content:\"/?itwm\"; fast_pattern; pcre: \"/itwm=[A-Za-z0-9\\-\\_]{29,35}/\";)"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "X-Agent",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642577",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "5bb5d27b-901c-4bdb-90f8-c448950d210f",
|
|
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,from_client; msg:: \"XAgent itwm beacon v2\"; content:\"&itwm\"; fast_pattern; pcre: \"/&itwm=[A-Za-z0-9\\-\\_]{29,35}/\";)"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "X-Agent - chost.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642681",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d2f9-3b6c-4b33-a7ef-c472950d210f",
|
|
"value": "46e2957e699fae6de1a212dd98ba4e2bb969497d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "X-Agent - msoutlook.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642682",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d2fa-72e4-4f7e-b41d-c472950d210f",
|
|
"value": "c53930772beb2779d932655d6c3de5548810af3d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "X-Agent - Samp_(16).file",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642682",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d2fa-5c08-4396-b9cd-c472950d210f",
|
|
"value": "fa695e88c87843ca0ba9fc04b176899ff90e9ac5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "X-Agent - outlook.dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642682",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d2fa-ea80-4f30-99fe-c472950d210f",
|
|
"value": "046a8adc2ef0f68107e96babc59f41b6f0a57803"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642729",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d329-86c4-44ba-bf2a-c1ce950d210f",
|
|
"value": "185.86.151.2"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642729",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d329-b624-414f-b52d-c1ce950d210f",
|
|
"value": "46.21.147.76"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642732",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d32c-6704-4d4f-99e8-c1ce950d210f",
|
|
"value": "46.21.147.71"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642733",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d32d-6c70-44bf-87af-c1ce950d210f",
|
|
"value": "162.208.10.66"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642733",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d32d-ef70-4882-ac34-c1ce950d210f",
|
|
"value": "185.86.151.104"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642734",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d32e-2f2c-473d-809a-c1ce950d210f",
|
|
"value": "185.86.149.116"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642736",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d330-9880-45a6-af27-c1ce950d210f",
|
|
"value": "86.106.131.54"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642737",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d331-46c0-4bcc-9db4-c1ce950d210f",
|
|
"value": "185.181.102.201"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642737",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d331-7ce0-4875-aea8-c1ce950d210f",
|
|
"value": "179.43.158.20"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642737",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d331-e3e0-4d37-a87b-c1ce950d210f",
|
|
"value": "85.204.124.77"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642738",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d332-55a0-47ca-97c0-c1ce950d210f",
|
|
"value": "185.86.148.184"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642738",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d332-4c88-48ba-b4da-c1ce950d210f",
|
|
"value": "185.183.107.40"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642739",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d333-90b8-42a7-b2dd-c1ce950d210f",
|
|
"value": "185.94.191.65"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642739",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d333-2b4c-447e-a336-c1ce950d210f",
|
|
"value": "94.177.12.150"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642740",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d334-b85c-4214-a3f9-c1ce950d210f",
|
|
"value": "54.37.104.106"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642740",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d334-0ffc-4ccd-8dca-c1ce950d210f",
|
|
"value": "93.113.131.103"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642741",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d335-40c0-45df-9473-c1ce950d210f",
|
|
"value": "169.239.129.121"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP addresses have been used as Command and Control (C2) servers for APT28 LoJack communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642741",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d335-6358-408b-bbd9-c1ce950d210f",
|
|
"value": "169.239.128.133"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The Snort rule provided may detect false positives due to CompuTrace/Lojack being legitimate software. The NCSC highly recommend 4 of 8network administrators assess their environment for the presence of CompuTrace/Lojack and adjust the signatures accordingly to exclude the legitimate use of CompuTrace.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642808",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "5bb5d378-41b4-4b13-a739-c1cf950d210f",
|
|
"value": "alert tcp any any <> any any (flow: established; msg: \"APT28 -CompuTrace_Beacon_UserAgent\"; content: \"|0d0a|TagId|3a| \";fast_pattern; content: \"POST / \"; content:!\"namequery.com\";content:!\"Host: 209.53.113.\"; content:!\"dnssearch.org\";content:!\"Cookie:\"; content:!\"fnbcorporate.co.za\";content:!\"207.6.98.\"; pcre: \"/Mozilla\\/[0-9]{1,2}.[0-9]{1,2}\\(compatible\\; MSIE [0-9]{1,2}.[0-9]{1,2}\\;\\)\\x0d\\x0a/\";)"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "SHA-1 hash of a CompuTrace file used by APT28 - filename dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55dll",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642854",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d3a6-3140-4a82-88ee-ef05950d210f",
|
|
"value": "d70db6a6d660aae58ccfc688a2890391fd873bfb"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL - picturecrawling.com",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642939",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3c9-dfa4-4e25-a4f1-c1bd950d210f",
|
|
"value": "23.163.0.59"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642895",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3cf-c108-4b0b-bcce-c1bd950d210f",
|
|
"value": "86.105.1.123"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642897",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3d1-de18-4c22-b9fa-c1bd950d210f",
|
|
"value": "185.86.149.218"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642900",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3d4-8ef4-4288-8c7a-c1bd950d210f",
|
|
"value": "185.145.128.80"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642907",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3db-3010-4743-9545-c1bd950d210f",
|
|
"value": "89.37.226.106"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538642909",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d3dd-0bd4-4c9c-8b2e-c1bd950d210f",
|
|
"value": "94.177.12.238"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "gpu.dll - XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643004",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5bb5d43c-dbac-4b0b-8b1d-c1bd950d210f",
|
|
"value": "8dbe37dfb0d498f96fb7f1e09e9e5c8f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "lncstnt.exe - XTUNNEL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643007",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5bb5d43f-ea80-4cac-a371-c1bd950d210f",
|
|
"value": "5086989639aed17227b8d6b041ef3163"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643067",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d47b-2248-4fe5-9cde-c472950d210f",
|
|
"value": "176.223.111.243"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643070",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d47e-d378-4536-8004-c472950d210f",
|
|
"value": "172.104.21.26"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643072",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d480-a5a8-471d-986f-c472950d210f",
|
|
"value": "188.241.68.118"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643076",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d484-8ae8-47e3-b684-c472950d210f",
|
|
"value": "89.45.67.153"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643078",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d486-c108-438c-81ac-c472950d210f",
|
|
"value": "185.25.50.93"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "following IP addresses have been used for ZEBROCY victim communications",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643087",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bb5d48f-2934-46d2-a216-c472950d210f",
|
|
"value": "45.124.132.127"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "ZEBROCY victim communication",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643141",
|
|
"to_ids": true,
|
|
"type": "snort",
|
|
"uuid": "5bb5d4c5-272c-4e74-9c60-fa9a950d210f",
|
|
"value": "alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,from_client; msg: \"APT28 - Web/request -FILE- content-type\"; content: \"-FILE-\"; pcre: \"/[A-Z0-9\\-]{16}-FILE-[^\\r\\n]+.tmp/\""
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "ZEBROCY file",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643200",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d500-7ee4-45c6-bd0c-c4b1950d210f",
|
|
"value": "913ac13ff245baeff843a99dc2cbc1ff5f8c025c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "ZEBROCY file",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643203",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d503-ac48-47ee-af45-c4b1950d210f",
|
|
"value": "b758c7775d9bcdc0473fc2e738b32f05b464b175"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UpnP Error Handler",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1538643224",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5bb5d518-6338-482f-a79c-c448950d210f",
|
|
"value": "3e7dfe9a8d5955a825cb51cb6eec0cd07c569b41"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643327",
|
|
"uuid": "caa8d31d-eb67-43f6-8999-5509553133ec",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "caa8d31d-eb67-43f6-8999-5509553133ec",
|
|
"referenced_uuid": "674e1271-97d4-41e3-91d0-54c6bbf08991",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-ae80-4553-bdf4-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643327",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "3cabf356-4627-4673-a269-fd961063199c",
|
|
"value": "5086989639aed17227b8d6b041ef3163"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643329",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "ec89cda2-4451-4525-b494-3094fb30cf23",
|
|
"value": "5fa9f62b9616849e1f23ae3582f7d72eff030768"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643332",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "81e6bf11-b703-4474-aac5-6092cac14e37",
|
|
"value": "c5f8236e578a2b877fe538b2ef6f4aeceeb1b9cb73bba4d02fd368a5eb85cfab"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643335",
|
|
"uuid": "674e1271-97d4-41e3-91d0-54c6bbf08991",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643337",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "6223a185-c824-4867-a415-02ecf1749930",
|
|
"value": "2018-09-21T16:46:48"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643340",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "b8dfbb91-e70f-4d1d-b69f-068f90e5409e",
|
|
"value": "https://www.virustotal.com/file/c5f8236e578a2b877fe538b2ef6f4aeceeb1b9cb73bba4d02fd368a5eb85cfab/analysis/1537548408/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643343",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f4b84a8a-267d-4055-83ed-6bb5df945245",
|
|
"value": "39/64"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643347",
|
|
"uuid": "485ae42f-750e-4236-a90f-160868391c0b",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "485ae42f-750e-4236-a90f-160868391c0b",
|
|
"referenced_uuid": "8bd069b9-50a6-405a-ac7a-2b37c349c988",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-2cdc-48c8-b0ce-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643347",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "df97bd36-5cac-456c-b72f-85d5f8a8056a",
|
|
"value": "8dbe37dfb0d498f96fb7f1e09e9e5c8f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643350",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "9d5458f0-6556-493b-9e09-8d62f0548592",
|
|
"value": "4c1f39ae7ac7cafc3554790b0d3cdc0136dc43d2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643353",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "f7e1a668-f69b-4a34-8bd7-5a3f4230865e",
|
|
"value": "fc224a6cca956a59812a13e53ba08a279996ea2ee194fe20fb10170ca5c2db6a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643356",
|
|
"uuid": "8bd069b9-50a6-405a-ac7a-2b37c349c988",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643359",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "e05a496d-23ad-431f-9c3c-c7ad8b72c262",
|
|
"value": "2018-09-24T12:43:53"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643363",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "3681b6d3-8233-42cb-b947-5ec748df0093",
|
|
"value": "https://www.virustotal.com/file/fc224a6cca956a59812a13e53ba08a279996ea2ee194fe20fb10170ca5c2db6a/analysis/1537793033/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643366",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4a94b98c-18f3-43d2-87d2-5c0c83bd195b",
|
|
"value": "43/66"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643369",
|
|
"uuid": "5ae8b212-92e6-41bb-a081-ce4048cd35cd",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5ae8b212-92e6-41bb-a081-ce4048cd35cd",
|
|
"referenced_uuid": "bb0904bb-62d2-4005-bff9-eec2f9714288",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-4d2c-483c-9e54-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643368",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "35d65802-3cb6-42b4-ab43-a2f292496b30",
|
|
"value": "10036063be45f92a9a743425fbf5abc7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643372",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "93ec6c66-21be-4b58-8a4a-b4252a9c136c",
|
|
"value": "d70db6a6d660aae58ccfc688a2890391fd873bfb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643375",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "7b42a47b-b0eb-4634-ad87-93e240e147be",
|
|
"value": "3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643378",
|
|
"uuid": "bb0904bb-62d2-4005-bff9-eec2f9714288",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643381",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "1d1dcb0e-2b06-4bc5-a54f-71b6903a983a",
|
|
"value": "2018-10-04T03:26:52"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643383",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "b98a15e8-cce7-4837-ac91-ad987e0c4628",
|
|
"value": "https://www.virustotal.com/file/3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6/analysis/1538623612/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643386",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "cef987d3-50f2-441d-9432-25bd46fe2aa9",
|
|
"value": "41/67"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643389",
|
|
"uuid": "0bd5f889-77cf-401b-a393-461130ea63de",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "0bd5f889-77cf-401b-a393-461130ea63de",
|
|
"referenced_uuid": "88f4c7c3-4777-4590-8e27-931fe204135c",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-93b8-4d64-a85b-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643386",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "eea02b54-de23-4f1a-b85e-334bbd1e8112",
|
|
"value": "d29899195c604f0615885bc6c2fdf7a8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643389",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "c3834319-4534-4a8e-913a-c58ab52a9ce2",
|
|
"value": "fa695e88c87843ca0ba9fc04b176899ff90e9ac5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643391",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "3bd3bcb4-497e-4fb2-b87a-1567e3c3a16b",
|
|
"value": "86a588672837afdc1900ad9e78c7d0ae7a842bdd972dbdc5bdff2574a37f5acc"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643394",
|
|
"uuid": "88f4c7c3-4777-4590-8e27-931fe204135c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643398",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "49596d84-c139-4047-b2ef-cce2037c1751",
|
|
"value": "2018-07-27T00:32:44"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643400",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "af68e965-cc52-439f-a26b-e179ad304d05",
|
|
"value": "https://www.virustotal.com/file/86a588672837afdc1900ad9e78c7d0ae7a842bdd972dbdc5bdff2574a37f5acc/analysis/1532651564/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643403",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0441ed29-7eb2-4777-a467-ca297b1c6789",
|
|
"value": "35/61"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643406",
|
|
"uuid": "d4c3355f-a6ff-4aad-b733-effa1fa3f446",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "d4c3355f-a6ff-4aad-b733-effa1fa3f446",
|
|
"referenced_uuid": "64589ade-c0e3-46cb-8dc9-bd2b8e03958d",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-fcc0-4892-804b-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643406",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "86de6075-1470-4d48-9977-0ee570dc4df0",
|
|
"value": "fc0cb1dbab4bc6504e644f311d9bb4a1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643409",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "3d5c7948-fe58-42dc-bdba-50ce2cd26f12",
|
|
"value": "c53930772beb2779d932655d6c3de5548810af3d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643411",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "147687a4-79fc-4c4d-b463-311dd953ae21",
|
|
"value": "a1c73ce193ffa5323aaef73fbabbc2a984e10900f09cf9fcb0cb11606a23c402"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643414",
|
|
"uuid": "64589ade-c0e3-46cb-8dc9-bd2b8e03958d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643415",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "c1ff0d67-f8df-497f-95b6-2ffd6bf7176e",
|
|
"value": "2018-07-03T09:59:52"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643418",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "02324d5a-0a2a-4a8f-b65e-cf774956dddd",
|
|
"value": "https://www.virustotal.com/file/a1c73ce193ffa5323aaef73fbabbc2a984e10900f09cf9fcb0cb11606a23c402/analysis/1530611992/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643421",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5e788972-1d3d-4b9a-95f7-3fb76db9715d",
|
|
"value": "41/65"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643424",
|
|
"uuid": "8a110b38-0dad-4295-b40f-fb60fb395e8f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "8a110b38-0dad-4295-b40f-fb60fb395e8f",
|
|
"referenced_uuid": "5afd32c5-ee31-48c3-ba20-0a1f10b339e6",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-2ebc-4cdd-a123-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643421",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "28d5ed41-afb0-4ef8-a776-753cb12cea3a",
|
|
"value": "b50640a28a1d4f2acdce93adf2ea326c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643424",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "4d2b4952-8f89-42f0-9682-b92c7818fe8d",
|
|
"value": "b758c7775d9bcdc0473fc2e738b32f05b464b175"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643428",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "4337bb40-11b1-4325-a98c-e312f6d8d60f",
|
|
"value": "2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643430",
|
|
"uuid": "5afd32c5-ee31-48c3-ba20-0a1f10b339e6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643433",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "37ca8cc3-2a4e-4acc-8f95-3411382dc8b0",
|
|
"value": "2018-09-11T00:23:21"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643436",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "81ac484b-e234-4312-bb47-ded2265b8b8e",
|
|
"value": "https://www.virustotal.com/file/2b19497db8cb05cd3d22996efe5af8eac0f2ea51e80f606b7b8a79dfaa2f58e2/analysis/1536625401/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643439",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f29b012f-ca21-41b2-9b40-6697832b2a12",
|
|
"value": "44/68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643445",
|
|
"uuid": "b063122d-ef2d-47dc-b3d1-7efb48e23569",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "b063122d-ef2d-47dc-b3d1-7efb48e23569",
|
|
"referenced_uuid": "1181b169-e791-49d6-af39-3729a8a9859b",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-9060-4f1a-a189-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643442",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "bac5d92f-7f50-44e1-8ffd-75a3bd36d9c7",
|
|
"value": "4fa6cd01571905b9c7c8fc9a359b655e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643446",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "fd0a975d-1206-4d3d-b39c-37dcf9271e10",
|
|
"value": "46e2957e699fae6de1a212dd98ba4e2bb969497d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643449",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a5a22ac-5b04-4f7b-84bc-da297466f85c",
|
|
"value": "b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643452",
|
|
"uuid": "1181b169-e791-49d6-af39-3729a8a9859b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643456",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "cdaedd02-5290-470f-b143-be59989f1464",
|
|
"value": "2018-09-04T10:08:34"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643459",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "34363d3f-d54e-41ed-9dfe-4ba2b8b9214b",
|
|
"value": "https://www.virustotal.com/file/b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6/analysis/1536055714/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643462",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "212837d3-8b9c-4da8-b2ba-0cee22d2760a",
|
|
"value": "21/65"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643468",
|
|
"uuid": "37b700a5-e7a6-4b89-b39f-639dc8d788e4",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "37b700a5-e7a6-4b89-b39f-639dc8d788e4",
|
|
"referenced_uuid": "05e3f750-290b-4985-ba2e-b639851b0ddf",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643538",
|
|
"uuid": "5bb5d652-c8c0-43a1-bd45-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643468",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "a3ff9bfc-ac9f-48b4-adaa-a5cdbeceed98",
|
|
"value": "961e79a33f432ea96d2c8bf9eb010006"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643471",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "c1e8fd64-2ab8-4f34-b0b0-3b22d9c47197",
|
|
"value": "913ac13ff245baeff843a99dc2cbc1ff5f8c025c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643474",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "b9c7a4da-f19a-4a2b-96fd-4e5d3c4722de",
|
|
"value": "a15a4e21fe3b06870d52f7383ef45e4ac0dde727b02b3d340f0ba6346b43add1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643477",
|
|
"uuid": "05e3f750-290b-4985-ba2e-b639851b0ddf",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643482",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "4c862a8c-164a-4e20-beac-21a28e57f450",
|
|
"value": "2018-10-03T17:22:50"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643485",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "3c5c3a4d-27ce-40af-8115-b07e34311568",
|
|
"value": "https://www.virustotal.com/file/a15a4e21fe3b06870d52f7383ef45e4ac0dde727b02b3d340f0ba6346b43add1/analysis/1538587370/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643488",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "44a8fce4-4591-47c1-a599-0ff5195b2167",
|
|
"value": "40/68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643491",
|
|
"uuid": "a67002ca-f1b7-4ae5-89b7-92ae322384c4",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "a67002ca-f1b7-4ae5-89b7-92ae322384c4",
|
|
"referenced_uuid": "6490158f-6e4a-4b70-8615-db28a126e06f",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643539",
|
|
"uuid": "5bb5d653-1ddc-4b26-9599-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643488",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "81ac6763-3ce1-4c44-b632-b7d8ff6ba060",
|
|
"value": "809cbf6cfded8d571d20fe27d6cf91f9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643491",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "cbb29c50-ee3f-4b08-9934-0adcd040bbd4",
|
|
"value": "046a8adc2ef0f68107e96babc59f41b6f0a57803"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643494",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "dc993734-acbf-48ff-bf01-1dff43536422",
|
|
"value": "001d65185910ae8cd9e7e2472745e593be62b98eae3f5f2266a29c37e56daa1d"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643497",
|
|
"uuid": "6490158f-6e4a-4b70-8615-db28a126e06f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643497",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "ecf40020-4547-44fb-8bd8-b0294caa709a",
|
|
"value": "2018-06-21T12:27:14"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643501",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "388a0d75-ae89-475d-af6f-2d1e1c741581",
|
|
"value": "https://www.virustotal.com/file/001d65185910ae8cd9e7e2472745e593be62b98eae3f5f2266a29c37e56daa1d/analysis/1529584034/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643505",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e1c92c53-6e9a-41c2-9b7d-c0b75c75ed20",
|
|
"value": "38/66"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "11",
|
|
"timestamp": "1538643511",
|
|
"uuid": "a48848a5-0b95-4b22-a285-de582b5e4213",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "a48848a5-0b95-4b22-a285-de582b5e4213",
|
|
"referenced_uuid": "80a96246-61ca-4ad7-92ee-1fec639cc36c",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1538643539",
|
|
"uuid": "5bb5d653-e994-49ce-9a14-c4b802de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1538643512",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "10ad84d8-67c4-4a04-97b9-73959a176c4e",
|
|
"value": "be6f600e05d6d958a9f614fc415ecba1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1538643515",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5929be26-9d6c-4ece-84cd-f4313da19b7e",
|
|
"value": "3e7dfe9a8d5955a825cb51cb6eec0cd07c569b41"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1538643518",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "16929d12-281f-48b6-9d8c-0005b95ba3d8",
|
|
"value": "a6576282d17cca390e35306a423dcb5ac9276c28eaba63f74001757edc3688df"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1538643523",
|
|
"uuid": "80a96246-61ca-4ad7-92ee-1fec639cc36c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1538643528",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "6afd14d5-aaa2-4e91-8b35-67b241367c28",
|
|
"value": "2018-08-24T15:03:55"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1538643532",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "fc3ea1a9-30c5-4b9b-9521-779263a44955",
|
|
"value": "https://www.virustotal.com/file/a6576282d17cca390e35306a423dcb5ac9276c28eaba63f74001757edc3688df/analysis/1535123035/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1538643535",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5f106e2c-460a-4bf1-ac69-cd1ab771761b",
|
|
"value": "37/67"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |