{
"Event": {
"id": "1203",
"orgc_id": "2",
"org_id": "1",
"date": "2019-02-22",
"threat_level_id": "3",
"info": "OSINT - New BabyShark Malware Targets U.S. National Security Think Tanks",
"published": true,
"uuid": "5c706a30-8ad4-4fcc-9e17-4d3d02de0b81",
"attribute_count": "79",
"analysis": "0",
"timestamp": "1551169938",
"distribution": "3",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1551169938",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Attribute": [
{
"id": "239006",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5c706a3f-bfc4-43aa-8158-4ba702de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871103",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https:\/\/unit42.paloaltonetworks.com\/new-babyshark-malware-targets-u-s-national-security-think-tanks\/",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239007",
"type": "comment",
"category": "External analysis",
"to_ids": false,
"uuid": "5c706a50-24a0-41c5-abcc-4a8c02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871120",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert\u2019s name and had a subject referencing North Korea\u2019s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing \u201cBabyShark\u201d.\r\n\r\nBabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution.",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239008",
"type": "url",
"category": "Network activity",
"to_ids": true,
"uuid": "5c706a6a-e8dc-4bdd-b4a6-455002de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871146",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https:\/\/tdalpacafarm.com\/files\/kr\/contents\/Vkggy0.hta",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239009",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aa9-6d34-4e8e-9eee-4baf02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871209",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239010",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aa9-5228-42ab-9124-429e02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871209",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239011",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aa9-c114-48bf-ad10-414e02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871209",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239012",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aa9-633c-4553-a6d5-4f6002de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871209",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239013",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aaa-033c-4199-abb5-47d502de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871209",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239014",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aaa-e2bc-4506-85f2-4af102de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239015",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aaa-65e8-447c-bc54-46a502de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239016",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aaa-4ca8-4489-bbde-4c2f02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239017",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706aaa-090c-47e7-b8ca-4c8f02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239018",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706ada-4610-4c99-a616-416a02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871258",
"comment": "PE version loader, signed with stolen certificate:",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239019",
"type": "filename",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706b8e-91f8-4722-ac8b-4aff02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871438",
"comment": "Decoy Filename",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "Kendall-AFA 2014 Conference-17Sept14.pdf",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239020",
"type": "filename",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706b8e-f1a4-404c-9a5d-41a902de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871438",
"comment": "Decoy Filename",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "U.S. Nuclear Deterrence.pdf",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239021",
"type": "filename",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706b8e-e198-4d15-a8d6-4f9702de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871438",
"comment": "Decoy Filename",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "\uc81c30\ucc28\ud55c\ubbf8\uc548\ubcf4 \uc548\ub0b4\uc7a5 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update)",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239022",
"type": "filename",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5c706b8e-f3ec-4eb9-9829-4f3f02de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871438",
"comment": "Decoy Filename",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239023",
"type": "attachment",
"category": "Payload delivery",
"to_ids": false,
"uuid": "5c706dae-90f4-4374-b312-489102de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871982",
"comment": "BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution.",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "Figure-1-BabyShark-execution-flow.png",
"Galaxy": [],
"data": "iVBORw0KGgoAAAANSUhEUgAABc4AAAOKCAYAAAHVbvP3AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAIdUAACHVAQSctJ0AAP+lSURBVHhe7N0HuBNF+zbwvyi9SZEivVlAFCwgKIIFRVEUC\/aGUhRRwN4Vu4INsIEVRPEVEQUUpKioFEEQaUpHkN6Rjvt993PmyZns2bRzkpxNcv+ua67dmS3ZJJvJk83szP85RBmAJzplBJ7olBF4olNG4IlOGYEnOmUEnuiUEXiiU0bgiU4ZIeSJXr169ZCJIvu\/\/2Md4ich3w28UZ07d3Y6deoUlFDONzEyvEbly5d3ChcubEooP4U90b2gvEKFCjzZI9DXZ+\/evXytfCBXJzpUqlQpI99APOdonre9TsuWLZ0DBw6YXGTYFt8G4YQ7hilTppg5x\/nvv\/+cefPmmVzu6ePNmTNH5gsWLBj2GPwm5JGGehIod6dME83zdi+P5XXCuvXr15d5nKheevbsKdMNGzbIFHbt2iXb4kTXx5swYYJMYd++fWbOcQ4ePCjT\/fv3y1TzvXv3dr7\/\/nvnr7\/+crp06RLYj+5X51NNyCOO9smk4pMOJ5rn0759ezkx3OuWK1dOypAeffRRU5oFJ+ztt98eWI60ceNGszQYlsGAAQNkavvss8\/MXLYdO3bIdNasWTK1T\/SJEyfKNFoNGzY0c8F0f4D5X375RV6Dl156yZT6W8h31X5i4URaD8tTMUWi60S7fijYdvfu3SYXWV4eK1qo5ZPxOMkU8tnoE61SpYrMeyXQaSjubVIphaPLBw4cKNO8qFatmpmjRAn5buobWa9ePadYsWKeCaI5IVIxhWOv9\/nnn0dcX9nb6TbRbkt5E\/JVjvYNSLc3Kprn89Zbb5m5bNju77\/\/NrnQ9BsAP\/h4kidPxBO9RYsWUqt7JeCblfUa6OuAacmSJWXe\/cNx586dQetS8kQ80atWrRp4c9wJdEo5Pfjgg2aOr1N+i3iiR8I3MDRWBv4R9kTHnxGREt9Eb3hdNFH+C3uiR5uI\/I5nKWUEnuiUEXiiU0YIeaLjh2asDjvsMDPnOOPHj3cWL15scuFpnI9t4gH7mzFjhvPqq6+aEsp0nie6\/r2Plm84aXDS23fK6ImJ6erVqwPzJUqUcCZPnizzOGkvueSSwLp33nmnzF944YUyLVq0qJRjXtc59NBDpXmq5tHmeevWrYH1Mf3nn39kmf4pA\/Y+APM1a9Z0XnvtNZnHn15afv7558v8tm3bnOLFi8s82vPAcccdJ1NKP9lnh0VPGtw6B17NSdu0aWPmsunJCDjRL7vsMplH2ZFHHinz7dq1k6lNtylUqJDMjx49WvIrV66UDx3KNNm6du0qUy23WwHWqVNHTnSbrvf0008727dvl3nbuHHjzFze9O\/fP5DIH4LPnAwxaNAgzxM9XkJ9MCn\/8J1IAJ7o\/pOrd2LUqFFmLvn69u1r5uJPbyfLK57o\/hP2nfj333+dPn36yHyDBg2cM844Q+Zxy9jzzz8vt1HpPY3oGQCee+455+yzz3bmz5\/vrF+\/Xsp0CvrmlypVSqbqm2++kel3330n01NPPdXp1auXrH\/ttdcG+pMZOnSoTAEhCITap5v+6MQJ\/fjjjwd+YMf7hMT+NJE\/eL4T5513nkxxor\/77rtyNQQnur55ONHvuOOOHDUglnXr1i3QhFd\/xOqJ\/sMPP8gUN\/F6wQ9VXKLEfq655hrnqquuMktycp9E+IHpxV5P5ytWrCgfntNPP13y8YbH0UT+EPU7sWLFCmfmzJlyfRrXx7ds2RJ0V7nehLtnzx5n3bp1ztq1ayUPS5cuNXOO88Ybb8h05MiRMv3iiy9kCthu7ty5Mo8bfO1r+WPHjpUpruysWbNG5pVe3dB9hmJ\/MO2bJLxupMgLnuj+w3ciAXii+0++vBPx+tHnVzzR
\/SfsO4EYHbTfEDeU46TVcANhjS3aO+TRixX+qUT3bW7awxVCJ\/j9999lqvCnEkS6Lo57NAHhVyLZJzlPdv\/wfBf0zdETHTp06JDjzStSpIjz\/vvvO8uWLZO8\/qUOWAcnunsbm7vcaz2v7SKpXbu23AIIus\/p06dL3paobxZ9zNwcOyVG2HcClw7xZmnbF\/wAPeSQQ2QePTrhR+Dy5csljx+f+sZedNFFMv3ggw+cSy+9VC5Lut90fCg++eQTuQKCXq2wHGVDhgwJdMeGMt3Ovb3yKsdVnxo1aphc9jr41gi1n3hL1uNQdPhuUEbgiU4ZIeyJ3qhRIzMXmv4zan9Vh\/ra\/umnn8xcsGi\/5u1r87nFkCIzeb7rdvNSnBh6crhPksGDBwd+0GGZtj9HQpz+8MMP59gGtMx9BcWG3wJNmzYNxO+AP5RCwfqtWrUyOccZM2aMmXOcl19+2cxlrUeZJ+dZaMFJgZMM7bwxtU9abVeiZfYUCe1IcOME\/tLXfzi1\/25N2s0y9lW6dGnn1ltvlfXQ3EDpjRpLliyRE\/3nn3+W8saNG0s56LRt27YyhZNPPlmmuAFDHwP\/0Oq6lFmS+q7r3+4ffvihTImShdUbZQSe6AmCEAktJMkfeKIniPv3A+UvvgsJYp\/gPNnzH9+BGOGkjebEda+Du65i8eKLLzqzZ882udhhyEV32yPbE088IW38Qz2XSHdraWO6VMETPRdwcuCuK9xlFYr7BEIel0ijhfVxRxbaCek4UoAWoujmQ\/OhhmfEcpzMOq\/rv\/POO87mzZtlHo3ytNzNPtFxswzWw0AGgFarw4cPlz58UoX3s6SI0GcNrv1rXzKHH3544ISKNPhWs2bNAuuGgsZt2DduKdT\/DNAaFJ1E6bZ6H60X\/c\/CXl+HSjziiCPkeHXIey840fW\/CNzHi\/V0tLrTTjuNJ3qm0BME01hqarcCBQqEPNkofvgK5xJOTq3p8qJfv37OokWLTI4ShSd6LuDkRtK2+NGe7LqdJrQTinZbyhu+yrmkJ6jeXaXtgqKFdRPV3QblxBM9j3DCIqGDVDuP1Lp1aykD9I+j5UcddZQppWThiZ4L9smMFErlypXNXNY2lH\/46ueCfYKHO4GjWYeSg+9ALuiJrsmLLtM+JSl\/8USnjMATnTICT3TKCDzRKSPwRKeMwBOdMgJPdMoIPNETBG29NSVauI6dKAtP9AQJ9YeSV1koEyZMkCkGI65Vq5Y0573xxhtlOBx0DPXbb7\/J2E0YBgd0v9HuP5PwFUkQPaHtky7aE\/DLL7+UqZ7ouCMIt9BNnTrV+fHHH6UMUI4uNTACIPY9bdo0Z+HChWYp2XiiJ0heTvTcCjUyCfFET5hQJ7pXOSUeX+0E8TqhMY\/hKd3llHh8tRNET2b7hLbL7PJQEKPrAGaPPPJIYBzVOXPmBLq50G6we\/ToIVNAlxZw1113yRR69uwp07vvvlumbr1795ZRudHacsSIEaY0m44Vq+PEphqe6AkSywntptvgRK9UqZJTpkwZOdHRFTf6YsGVF\/w4xXp6ons9jpbZg5KhTGN5+4etvT3m0W\/N6tWrZV6XpXLf8jlfHYoLPUH0JMkN+woK+lFp0qSJDLaAka5xY7Y98IFdoyu9ZQ8nuo7Sp8PXQ5cuXcycE1iOTo\/wGPgwbN26VTpQgo8++kimqYonegLYJ3leT3aKD74DCcKT3F\/4LiQQT3L\/4DtBGYEnOmUEnuhpQruWDpUyHV+BNIETPRSe7DzR0wZP9PB4oqcJPdG9Tmqe6DzR00Yya3TdXzTJL3iiJxDeaB0vKNGSfaKjyYDuE9N\/\/\/038Dh28mK3mdFmCJdeeqlMYfz48TLVZgdoxKbdc2PImtzgiZ5AeKPDjfwWT+4TXU80jE6n8\/Gi+4smeRk1apSZyxofSb322ms5tsM87onVcjRoyw2e6AnkfsMSKZk1Olo26j4jpVDKly
8vrTKRAN989evXl3mM66S05SWe39y5c517771X8rHiiZ4Lkd5EZa9jtxpMFD0ur\/Tee++ZtcLDjSGR
"ShadowAttribute": []
},
{
"id": "239024",
"type": "yara",
"category": "Artifacts dropped",
"to_ids": true,
"uuid": "5c72ae10-aa9c-4068-853b-4b4602de0b81",
"event_id": "1203",
"distribution": "5",
"timestamp": "1551019536",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "import \"pe\"\r\n\r\nrule MAL_PE_Type_BabyShark_Loader {\r\n meta:\r\n description = \"Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks\"\r\n author = \"Florian Roth\"\r\n reference = \"https:\/\/unit42.paloaltonetworks.com\/new-babyshark-malware-targets-u-s-national-security-think-tanks\/\"\r\n date = \"2019-02-24\"\r\n hash1 = \"6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\"\r\n strings:\r\n $x1 = \"reg add \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Command Processor\\\" \/v AutoRun \/t REG_SZ \/d \\\"%s\\\" \/f\" fullword ascii\r\n $x2 = \/mshta\\.exe http:\\\/\\\/[a-z0-9\\.\\\/]{5,30}\\.hta\/\r\n\r\n $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32\r\n 2E 44 4C 4C 00 00 00 00 } \/* WinExec kernel32.DLL *\/\r\n condition:\r\n uint16(0) == 0x5a4d and (\r\n pe.imphash() == \"57b6d88707d9cd1c87169076c24f962e\" or\r\n 1 of them or\r\n for any i in (0 .. pe.number_of_signatures) : (\r\n pe.signatures[i].issuer contains \"thawte SHA256 Code Signing CA\" and\r\n pe.signatures[i].serial == \"0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d\"\r\n )\r\n )\r\n}",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [
{
"Event": {
"id": "847",
"date": "2018-09-09",
"threat_level_id": "3",
"info": "OSINT - Multi-exploit IoT\/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall",
"published": true,
"uuid": "5b991442-a9f0-4b5b-bc56-445f950d210f",
"analysis": "2",
"timestamp": "1550654013",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "912",
"date": "2018-08-15",
"threat_level_id": "3",
"info": "OSINT - \u809a\u8111\u866b\u7ec4\u7ec7\uff08APT-C-35\uff09\u79fb\u52a8\u7aef\u653b\u51fb\u6d3b\u52a8\u63ed\u9732",
"published": true,
"uuid": "5b746d63-8c10-46b5-8c1a-49ec02de0b81",
"analysis": "0",
"timestamp": "1550654282",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "562",
"date": "2018-08-05",
"threat_level_id": "3",
"info": "OSINT - Off-the-shelf RATs Targeting Pakistan",
"published": true,
"uuid": "5b671098-3024-42db-b972-42ae02de0b81",
"analysis": "0",
"timestamp": "1550653216",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "365",
"date": "2018-05-15",
"threat_level_id": "3",
"info": "OSINT - RAT Gone Rogue: Meet ARS VBS Loader",
"published": true,
"uuid": "5afaeb66-962c-4cd6-a5c8-419e950d210f",
"analysis": "0",
"timestamp": "1550651981",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "1077",
"date": "2018-05-04",
"threat_level_id": "3",
"info": "OSINT - Who's who in the zoo. Cyberespionage operation targets android users in the Middle East.",
"published": true,
"uuid": "5aec0f0f-7fe0-4e42-8f64-44e5950d210f",
"analysis": "2",
"timestamp": "1550655221",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "774",
"date": "2018-04-17",
"threat_level_id": "3",
"info": "OSINT - Talos\/Cisco Threat Roundup for April 6 - 13",
"published": true,
"uuid": "5ad5bc00-d988-48bb-9293-2135950d210f",
"analysis": "2",
"timestamp": "1550653867",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "598",
"date": "2018-03-15",
"threat_level_id": "3",
"info": "OSINT - Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors",
"published": true,
"uuid": "5aaa8a97-0cac-48bd-877a-41b5950d210f",
"analysis": "2",
"timestamp": "1550653433",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "885",
"date": "2018-03-13",
"threat_level_id": "3",
"info": "OSINT - Gozi ISFB Remains Active in 2018, Leverages \"Dark Cloud\" Botnet For Distribution",
"published": false,
"uuid": "5aa7b639-62d8-46e6-be6c-4db8950d210f",
"analysis": "0",
"timestamp": "1550654228",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "217",
"date": "2018-03-09",
"threat_level_id": "3",
"info": "OSINT - Apache SOLR: the new target for cryptominers",
"published": true,
"uuid": "5aa23875-d0dc-49d6-82a6-d309950d210f",
"analysis": "0",
"timestamp": "1550506784",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "483",
"date": "2018-01-25",
"threat_level_id": "3",
"info": "OSINT - Dark Caracal Cyber-espionage at a Global Scale",
"published": true,
"uuid": "5a69ed26-44c8-423c-a8dc-4f7b950d210f",
"analysis": "2",
"timestamp": "1550652819",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "865",
"date": "2018-01-16",
"threat_level_id": "3",
"info": "OSINT - Skygofree: Following in the footsteps of HackingTeam",
"published": true,
"uuid": "5b6d858f-6cb0-4a06-b826-57f5950d210f",
"analysis": "2",
"timestamp": "1550654071",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
}
],
"Galaxy": [
{
"id": "22",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"name": "Attack Pattern",
"type": "mitre-attack-pattern",
"description": "ATT&CK Tactic",
"version": "7",
"icon": "map",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "2714",
"collection_uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"type": "mitre-attack-pattern",
"value": "Stolen Developer Credentials or Signing Keys - T1441",
"tag_name": "misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\"",
"description": "An adversary could steal developer account credentials on an app store and\/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS",
"galaxy_id": "22",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "8",
"uuid": "",
"tag_id": "704",
"meta": {
"external_id": [
"T1441"
],
"refs": [
"https:\/\/attack.mitre.org\/techniques\/T1441"
]
}
}
]
}
],
"Object": [
{
"id": "10866",
"name": "file",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"event_id": "1203",
"uuid": "1db36cab-7b13-4758-b16a-9e9862d0973e",
"timestamp": "1550871228",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "4700",
"uuid": "5c706abe-99e0-49bd-b7ee-4d5002de0b81",
"timestamp": "1551169938",
"object_id": "10866",
"event_id": "1203",
"source_uuid": "1db36cab-7b13-4758-b16a-9e9862d0973e",
"referenced_uuid": "aea77d6f-2193-40e9-82c5-59726e0dfd2d",
"referenced_id": "10867",
"referenced_type": "1",
"relationship_type": "analysed-with",
"comment": "",
"deleted": false,
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "aea77d6f-2193-40e9-82c5-59726e0dfd2d",
"name": "virustotal-report",
"meta-category": "misc"
}
}
],
"Attribute": [
{
"id": "239025",
"type": "md5",
"category": "Payload delivery",
"to_ids": true,
"uuid": "6411ce6c-7a8c-4523-848b-3ebb80b47f65",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "10866",
"object_relation": "md5",
"value": "404ab5a93767a986b47c9fec33eb8be9",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239026",
"type": "sha1",
"category": "Payload delivery",
"to_ids": true,
"uuid": "a0a8cacd-9d55-4c55-9055-14e08141cc6c",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "10866",
"object_relation": "sha1",
"value": "0a631b0072cee1e20854b187276a0ba560d6d4f8",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "239027",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "61768832-cc80-4637-a0c4-794253bba246",
"event_id": "1203",
"distribution": "5",
"timestamp": "1550871210",
"comment": "Malicious Documents",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "10866",
"object_relation": "sha256",
"value": "94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "10867",
"name": "virustotal-report",
"meta-category": "misc",
"description": "VirusTotal report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"event_id": "1203",
"uuid": "aea77d6f-2193-40e9-82c5-59726e0dfd2d",
"timestamp": "1550871228",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [],
"Attribute": [
{
"id": "239028",
"type": "datetime",
"category": "Other",
"to_ids": false,
"uuid": "4eb49e21-42c9-4653-93da-600ca773ffa9",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10867",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:12:18",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239029",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "0a0bda5b-9761-44e3-a0da-c365c6fbab76",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10867",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0\/analysis\/1550866338\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239030",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "6fa3c325-b92c-41bd-8ab3-283272c6b440",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10867",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "25\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10868",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
|
||
|
"timestamp": "1550871228",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4701",
|
||
|
"uuid": "5c706abe-9e0c-4b24-b6af-436302de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10868",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
|
||
|
"referenced_uuid": "7ba926a9-161b-4412-99ff-cee104b6a329",
|
||
|
"referenced_id": "10869",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "7ba926a9-161b-4412-99ff-cee104b6a329",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239031",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "d45365f9-5d44-41d1-bbf0-4128f2ecabef",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10868",
|
||
|
"object_relation": "md5",
|
||
|
"value": "d40c20a77371309045f5123af76637b2",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239032",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "91bd51d5-5847-4c09-8152-0754aca32ffa",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10868",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "d1207b7b846b80418b459e9d03e1b5afbd3e97a7",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239033",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "f46f938e-8d82-4d8a-b996-6343846b798a",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10868",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10869",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "7ba926a9-161b-4412-99ff-cee104b6a329",
|
||
|
"timestamp": "1550871228",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239034",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "6e483df8-fa53-4b98-b6da-100b79de2663",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10869",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:07:15",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239035",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "ce797b8c-fa71-4267-a4ee-94eb6e873e88",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10869",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2\/analysis\/1550866035\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239036",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "86a138ea-5eba-4594-a3fb-e8af55be9dbe",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10869",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "20\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10870",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
|
||
|
"timestamp": "1550871228",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4702",
|
||
|
"uuid": "5c706abe-fc0c-4d62-be6c-425302de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10870",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
|
||
|
"referenced_uuid": "5de67962-66f3-48c8-b33f-734e4b8dc989",
|
||
|
"referenced_id": "10871",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "5de67962-66f3-48c8-b33f-734e4b8dc989",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239037",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "de3bac84-c7e2-48f8-8d32-116274000be5",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10870",
|
||
|
"object_relation": "md5",
|
||
|
"value": "093ecb712d438ab01b3f07718428dcc7",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239038",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "14e391d3-7730-4841-8ede-2deb0f3ad706",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10870",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "89b9b7f2c3eb275eabe78c04a30dc09281a201e6",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239039",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "eb9245ad-132c-4279-a3ad-d7f5aa0131cc",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10870",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10871",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "5de67962-66f3-48c8-b33f-734e4b8dc989",
|
||
|
"timestamp": "1550871228",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239040",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "0bd77c93-27ad-47e8-bd9d-c38732323fd5",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10871",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:03:13",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239041",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "155a8b3c-e603-4283-91b2-1a6258b93bf8",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10871",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa\/analysis\/1550865793\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239042",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "162fe627-abe9-4abb-8095-c39dee340f84",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10871",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "22\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10872",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "89e0ad73-a186-4959-b978-2311ee49e4af",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4703",
|
||
|
"uuid": "5c706abe-7c28-48ab-bce2-4c9702de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10872",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "89e0ad73-a186-4959-b978-2311ee49e4af",
|
||
|
"referenced_uuid": "99e0b99b-e1cf-4451-8eec-972978c821d8",
|
||
|
"referenced_id": "10873",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "99e0b99b-e1cf-4451-8eec-972978c821d8",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239043",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "2ca5845e-286c-458e-a970-568968a3575f",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10872",
|
||
|
"object_relation": "md5",
|
||
|
"value": "711eb1d89764d45f4ff2622143f744c2",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239044",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "1ad21473-1980-45ee-a596-fb6890abded1",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10872",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "548b64c0f904733dd5433f6f3878487eeda54fa1",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239045",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "e6c1fd36-35fe-49bc-9483-00dff515a29b",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10872",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10873",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "99e0b99b-e1cf-4451-8eec-972978c821d8",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239046",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "f2a9431e-464e-4ae7-a53f-e24685f03b82",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10873",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-11-27 12:07:50",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239047",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "2ce90e53-a834-4ac6-9db6-6213d7629ccc",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10873",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0\/analysis\/1543320470\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239048",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "99bd1115-adc9-42b0-9500-878f593f001c",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10873",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "22\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10874",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "4dbf697b-11ce-447f-85c6-cd02a2365a7f",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4704",
|
||
|
"uuid": "5c706abe-b378-4ec6-ab67-490f02de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10874",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "4dbf697b-11ce-447f-85c6-cd02a2365a7f",
|
||
|
"referenced_uuid": "1d288045-6e66-43a6-94b7-600044369fa7",
|
||
|
"referenced_id": "10875",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "1d288045-6e66-43a6-94b7-600044369fa7",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239049",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "b9b1470d-a8f1-4aab-aec6-9c20f8452879",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10874",
|
||
|
"object_relation": "md5",
|
||
|
"value": "6b116d471a787eb520869ed5c6965fa8",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239050",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "2bea0406-889e-4e2a-9ea3-da2cc2e443fc",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10874",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "ec4bd72fcb440f47912d06c75a9d56ad86953f70",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239051",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "6c390d2d-82a8-4fbd-b8c6-cd1f11ca8d0e",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10874",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10875",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "1d288045-6e66-43a6-94b7-600044369fa7",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239052",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "2ca3b301-e08c-4cfa-b005-90ff52d13af0",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10875",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:11:49",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239053",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "1082dea9-353d-4932-a02c-3f87fe6c059a",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10875",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a\/analysis\/1550866309\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239054",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "9675abe7-0743-435a-881d-bfd772c55225",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10875",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "22\/58",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10876",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "6860e975-938c-413d-b144-74cde72c25dc",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4705",
|
||
|
"uuid": "5c706abe-be44-449d-8118-46c202de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10876",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "6860e975-938c-413d-b144-74cde72c25dc",
|
||
|
"referenced_uuid": "ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
|
||
|
"referenced_id": "10877",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239055",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "9d066d52-7b45-425f-96d7-15be7fc74c74",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10876",
|
||
|
"object_relation": "md5",
|
||
|
"value": "1f1f44a01d5784028302d6ad5e7133aa",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239056",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "f3258f42-f31d-4a7c-9113-c4dc96dacf9c",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10876",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "cb1125d5a57a529bf88bf590c0cb675f37261839",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239057",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "6d73772d-9487-4f05-8917-0040d6f1d3af",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10876",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10877",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239058",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "03562590-3096-4587-b05d-11a6e257b5d9",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10877",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:04:58",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239059",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "bf0ca902-1a55-4640-a8d9-41f0e0f7a29d",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10877",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e\/analysis\/1550865898\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239060",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "68ed8acc-bb3c-4654-b65b-c25b8a3c37cd",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10877",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "21\/55",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10878",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "df5dd372-ecd6-4595-ab34-45bff1decb63",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4706",
|
||
|
"uuid": "5c706abe-a1b8-45fc-bd1a-45d702de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10878",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "df5dd372-ecd6-4595-ab34-45bff1decb63",
|
||
|
"referenced_uuid": "f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
|
||
|
"referenced_id": "10879",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239061",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "dfc28b74-63f1-48d0-b637-eeb604df4e7a",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10878",
|
||
|
"object_relation": "md5",
|
||
|
"value": "76e71cf45e99d03a92c8271998a1caee",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239062",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "1eaec0ad-a007-4b29-89da-15b34bc69c18",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10878",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "818bfc1fdb8126b58835e77f13afa9435e883919",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239063",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "7a651cf8-2950-41c8-b2c5-80ea25c87d99",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10878",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10879",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239064",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "b1e2fbea-a39d-41ce-a748-bc257b01aa2b",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10879",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:10:06",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239065",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "9c2da65e-0e42-454e-9b9f-0daafbb29344",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10879",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7\/analysis\/1550866206\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239066",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "3e79140e-f74f-4b0b-8e17-496f1058e477",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871210",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10879",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "9\/61",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10880",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4707",
|
||
|
"uuid": "5c706abe-1b10-4475-8d35-4f1202de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10880",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
|
||
|
"referenced_uuid": "a6c1afed-624f-4d81-b96a-4ff02a693e66",
|
||
|
"referenced_id": "10881",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "a6c1afed-624f-4d81-b96a-4ff02a693e66",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239067",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "63d6a412-efd3-4c8e-94a3-8a1e15d4dc16",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10880",
|
||
|
"object_relation": "md5",
|
||
|
"value": "1a6f9190e7c53cd4e9ca4532547131af",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239068",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "8f650e7b-4a3b-4cd9-af6a-192825d323f9",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10880",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "88708e9562a8c4ee4601b3990a664bc63b378753",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239069",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "389e4069-cbbf-47a4-87ae-a03ae00575df",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10880",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10881",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "a6c1afed-624f-4d81-b96a-4ff02a693e66",
|
||
|
"timestamp": "1550871229",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239070",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "741b8b1f-d387-4dff-9809-a2a5cc0e76f8",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10881",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:03:34",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239071",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "b55b0030-557e-4368-9429-5e431a631b7e",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10881",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8\/analysis\/1550865814\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239072",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "0f619020-6f30-4b40-a3c0-9f13b13fc9b3",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10881",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "22\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10882",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "fd57be37-61cc-4452-85b5-518d55586335",
|
||
|
"timestamp": "1550871230",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4708",
|
||
|
"uuid": "5c706abe-c730-41b2-b328-4bb202de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10882",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "fd57be37-61cc-4452-85b5-518d55586335",
|
||
|
"referenced_uuid": "e59804a1-c4d9-4228-93bb-1a1f626c25ef",
|
||
|
"referenced_id": "10883",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "e59804a1-c4d9-4228-93bb-1a1f626c25ef",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239073",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "3015da1a-86da-45d2-8a84-9a1ed0ff02a3",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10882",
|
||
|
"object_relation": "md5",
|
||
|
"value": "056b178bbeea109d705439aa4e203d09",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239074",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "5b3dd29a-6054-4832-9173-9f6f8d8b7e67",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10882",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "5ae5ca0daccfa21706e157a19bdb67e48cbfe137",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239075",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "a7c9b4a7-ec51-4f6d-82f3-95946ff53992",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10882",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10883",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "e59804a1-c4d9-4228-93bb-1a1f626c25ef",
|
||
|
"timestamp": "1550871230",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239076",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "d2f63c18-56a3-44a8-83b8-bf9bbfe22b05",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10883",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:08:55",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239077",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "c077dd9c-a1a5-4941-94a7-b69610709486",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10883",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6\/analysis\/1550866135\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239078",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "c248a416-67d8-4f60-ab77-8d537265a29a",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871209",
|
||
|
"comment": "Malicious Documents",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10883",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "23\/60",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10884",
|
||
|
"name": "file",
|
||
|
"meta-category": "file",
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "56b391e4-f005-4caa-ae12-a90db6664ebd",
|
||
|
"timestamp": "1550871270",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"id": "4709",
|
||
|
"uuid": "5c706ae7-2e68-4e97-a879-463902de0b81",
|
||
|
"timestamp": "1551169938",
|
||
|
"object_id": "10884",
|
||
|
"event_id": "1203",
|
||
|
"source_uuid": "56b391e4-f005-4caa-ae12-a90db6664ebd",
|
||
|
"referenced_uuid": "fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
|
||
|
"referenced_id": "10885",
|
||
|
"referenced_type": "1",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"Object": {
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"uuid": "fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc"
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239079",
|
||
|
"type": "md5",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "9d7f165e-8028-41ba-bade-a9d6f2d94721",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10884",
|
||
|
"object_relation": "md5",
|
||
|
"value": "9f76d2f73020064374efe67dc28fa006",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239080",
|
||
|
"type": "sha1",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "c8464fee-b069-490b-9f90-18bbcb7fa57c",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10884",
|
||
|
"object_relation": "sha1",
|
||
|
"value": "d96c04952ba0cb61b64bc7f08d7257913d8b7968",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239081",
|
||
|
"type": "sha256",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": true,
|
||
|
"uuid": "bb21148d-46b8-4238-bb70-ed8322362dd5",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10884",
|
||
|
"object_relation": "sha256",
|
||
|
"value": "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"id": "10885",
|
||
|
"name": "virustotal-report",
|
||
|
"meta-category": "misc",
|
||
|
"description": "VirusTotal report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"event_id": "1203",
|
||
|
"uuid": "fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
|
||
|
"timestamp": "1550871270",
|
||
|
"distribution": "5",
|
||
|
"sharing_group_id": "0",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"ObjectReference": [],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"id": "239082",
|
||
|
"type": "datetime",
|
||
|
"category": "Other",
|
||
|
"to_ids": false,
|
||
|
"uuid": "17038529-b686-4618-946f-6ac94dddf423",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10885",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-02-22 20:15:46",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239083",
|
||
|
"type": "link",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "45431bd9-aea9-46b1-a9e3-ed17d1fcf05f",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10885",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https:\/\/www.virustotal.com\/file\/6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\/analysis\/1550866546\/",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
},
|
||
|
{
|
||
|
"id": "239084",
|
||
|
"type": "text",
|
||
|
"category": "Payload delivery",
|
||
|
"to_ids": false,
|
||
|
"uuid": "f4343cea-ba6d-4c9b-99e8-d7a157be74f3",
|
||
|
"event_id": "1203",
|
||
|
"distribution": "5",
|
||
|
"timestamp": "1550871258",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"sharing_group_id": "0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_id": "10885",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "15\/68",
|
||
|
"Galaxy": [],
|
||
|
"ShadowAttribute": []
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"Tag": [
|
||
|
{
|
||
|
"id": "7",
|
||
|
"name": "type:OSINT",
|
||
|
"colour": "#004646",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
},
|
||
|
{
|
||
|
"id": "39",
|
||
|
"name": "osint:lifetime=\"perpetual\"",
|
||
|
"colour": "#0071c3",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
},
|
||
|
{
|
||
|
"id": "4",
|
||
|
"name": "tlp:white",
|
||
|
"colour": "#ffffff",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
},
|
||
|
{
|
||
|
"id": "704",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\"",
|
||
|
"colour": "#0088cc",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
},
|
||
|
{
|
||
|
"id": "705",
|
||
|
"name": "misp-galaxy:tool=\"BabyShark\"",
|
||
|
"colour": "#0088cc",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
},
|
||
|
{
|
||
|
"id": "706",
|
||
|
"name": "misp-galaxy:threat-actor=\"STOLEN PENCIL\"",
|
||
|
"colour": "#0088cc",
|
||
|
"exportable": true,
|
||
|
"user_id": "0",
|
||
|
"hide_tag": false,
|
||
|
"numerical_value": null
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|