mirror of https://github.com/MISP/misp-training
2297 lines
3.3 MiB
JSON
{
|
|||
|
"Event": {
|
|||
|
"id": "2855",
|
|||
|
"orgc_id": "1",
|
|||
|
"org_id": "1",
|
|||
|
"date": "2022-03-24",
|
|||
|
"threat_level_id": "3",
|
|||
|
"info": "Successful Scam call involving money transfer",
|
|||
|
"published": false,
|
|||
|
"uuid": "53d2f469-9f7f-4e40-8dc1-a721f1b223fb",
|
|||
|
"attribute_count": "31",
|
|||
|
"analysis": "2",
|
|||
|
"timestamp": "1675788758",
|
|||
|
"distribution": "3",
|
|||
|
"proposal_email_lock": false,
|
|||
|
"locked": false,
|
|||
|
"publish_timestamp": "0",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"disable_correlation": false,
|
|||
|
"extends_uuid": "",
|
|||
|
"protected": null,
|
|||
|
"event_creator_email": "sami.mokaddem@circl.lu",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
|
|||
|
"local": true
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
|
|||
|
"local": true
|
|||
|
},
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546729",
|
|||
|
"type": "ip-src",
|
|||
|
"category": "Payload delivery",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119510",
|
|||
|
"comment": "IP address of the scammer collected from the RDP log file",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "0",
|
|||
|
"object_relation": null,
|
|||
|
"first_seen": "2022-03-24T11:47:27.000000+00:00",
|
|||
|
"last_seen": null,
|
|||
|
"value": "194.78.89.250",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": [],
|
|||
|
"Sighting": [
|
|||
|
{
|
|||
|
"id": "81870",
|
|||
|
"attribute_id": "546729",
|
|||
|
"event_id": "2855",
|
|||
|
"org_id": "1",
|
|||
|
"date_sighting": "1657271154",
|
|||
|
"uuid": "e94c1425-3d9a-4626-af95-b9e7b936e796",
|
|||
|
"source": "",
|
|||
|
"type": "0",
|
|||
|
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"Organisation": {
|
|||
|
"id": "1",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
|
|||
|
"name": "Training"
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "81871",
|
|||
|
"attribute_id": "546729",
|
|||
|
"event_id": "2855",
|
|||
|
"org_id": "1",
|
|||
|
"date_sighting": "1657271164",
|
|||
|
"uuid": "bfa84e56-fcc7-41e5-a3e3-eecb641eada1",
|
|||
|
"source": "",
|
|||
|
"type": "0",
|
|||
|
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"Organisation": {
|
|||
|
"id": "1",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
|
|||
|
"name": "Training"
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "81872",
|
|||
|
"attribute_id": "546729",
|
|||
|
"event_id": "2855",
|
|||
|
"org_id": "1",
|
|||
|
"date_sighting": "1657271170",
|
|||
|
"uuid": "e4a21c87-ca9b-440f-a7af-b60e248c8456",
|
|||
|
"source": "",
|
|||
|
"type": "0",
|
|||
|
"attribute_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"Organisation": {
|
|||
|
"id": "1",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
|
|||
|
"name": "Training"
|
|||
|
}
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546740",
|
|||
|
"type": "phone-number",
|
|||
|
"category": "Financial fraud",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119489",
|
|||
|
"comment": "Phone number used by the scammer to call the victim",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "0",
|
|||
|
"object_relation": null,
|
|||
|
"first_seen": "2022-03-24T11:42:43.000000+00:00",
|
|||
|
"last_seen": null,
|
|||
|
"value": "+12243359185",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
],
|
|||
|
"ShadowAttribute": [],
|
|||
|
"RelatedEvent": [
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3659",
|
|||
|
"date": "2023-08-31",
|
|||
|
"threat_level_id": "3",
|
|||
|
"info": "Scam call from a pretended Microsoft employee (JMP)",
|
|||
|
"published": false,
|
|||
|
"uuid": "dd4ae541-c7cc-418b-85dd-e9d60a97f034",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1693494978",
|
|||
|
"distribution": "1",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3660",
|
|||
|
"date": "2023-08-31",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Scam call pretending to be Microsoft support leading to Ransomware (JRK)",
|
|||
|
"published": true,
|
|||
|
"uuid": "a886fe7e-0e1d-4b75-8129-4b33cf19f20a",
|
|||
|
"analysis": "1",
|
|||
|
"timestamp": "1693494973",
|
|||
|
"distribution": "3",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3324",
|
|||
|
"date": "2023-02-07",
|
|||
|
"threat_level_id": "1",
|
|||
|
"info": "MISP Encoding Exercise: Scam call JD",
|
|||
|
"published": false,
|
|||
|
"uuid": "c2db89c3-f0fe-49d1-a6ea-a4c17e62c472",
|
|||
|
"analysis": "1",
|
|||
|
"timestamp": "1675785515",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3327",
|
|||
|
"date": "2023-02-07",
|
|||
|
"threat_level_id": "4",
|
|||
|
"info": "Scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "e1054edc-0217-4e53-9a12-1ffa352fa4dc",
|
|||
|
"analysis": "1",
|
|||
|
"timestamp": "1675788656",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3077",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "1",
|
|||
|
"info": "Scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "b5abc54c-7353-417d-9311-60014196e2fe",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670336065",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3078",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "1",
|
|||
|
"info": "Scam call Ressources",
|
|||
|
"published": false,
|
|||
|
"uuid": "61eb3ac1-5f65-4b8e-9985-3c2e298fa558",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670335025",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3079",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "3",
|
|||
|
"info": "Scam call for money transfer.",
|
|||
|
"published": false,
|
|||
|
"uuid": "5e662ab4-a6ba-463c-b142-25d14e078fd8",
|
|||
|
"analysis": "1",
|
|||
|
"timestamp": "1670337939",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3080",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Scam call - Attempt to transfer money to a novice scammer",
|
|||
|
"published": false,
|
|||
|
"uuid": "739d0647-eaaf-430b-b1e1-db8659bcd750",
|
|||
|
"analysis": "1",
|
|||
|
"timestamp": "1670337434",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3082",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "1",
|
|||
|
"info": "scam call bt",
|
|||
|
"published": false,
|
|||
|
"uuid": "2fd61b74-6f22-446a-be92-0014a4144f99",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670338817",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3083",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Scam call to transfer money",
|
|||
|
"published": false,
|
|||
|
"uuid": "ffa6021c-ec8f-488a-a8f6-9c31da2e40a4",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670337074",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3084",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "1",
|
|||
|
"info": "Scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "0e2749ef-631f-410c-8b7d-902c05319a06",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670337202",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3085",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Scam call with potential malicious binary (JRK)",
|
|||
|
"published": false,
|
|||
|
"uuid": "f1bb7998-38d5-40cc-83e6-bee9d1a1daf9",
|
|||
|
"analysis": "2",
|
|||
|
"timestamp": "1670337311",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3086",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Training Scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "a27d1e76-dc03-47e9-a3e6-62a313b98a33",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670336125",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3090",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Scam Call from Wallace Breen",
|
|||
|
"published": false,
|
|||
|
"uuid": "6dfca20a-4b30-4264-9170-3835b0d6fed5",
|
|||
|
"analysis": "2",
|
|||
|
"timestamp": "1670336645",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3091",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "2",
|
|||
|
"info": "Microsoft support scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "5ba99c07-21fc-48b0-93e3-b7efbda5e72d",
|
|||
|
"analysis": "2",
|
|||
|
"timestamp": "1670339466",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"Event": {
|
|||
|
"id": "3092",
|
|||
|
"date": "2022-12-06",
|
|||
|
"threat_level_id": "3",
|
|||
|
"info": "Fraud Event through scam call",
|
|||
|
"published": false,
|
|||
|
"uuid": "39deb907-731b-42e8-bace-ff1e9f2ea085",
|
|||
|
"analysis": "0",
|
|||
|
"timestamp": "1670335931",
|
|||
|
"distribution": "0",
|
|||
|
"org_id": "1",
|
|||
|
"orgc_id": "1",
|
|||
|
"Org": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "1",
|
|||
|
"name": "Training",
|
|||
|
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
|
|||
|
}
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"Galaxy": [
|
|||
|
{
|
|||
|
"id": "25",
|
|||
|
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
|
|||
|
"name": "Attack Pattern",
|
|||
|
"type": "mitre-attack-pattern",
|
|||
|
"description": "ATT&CK Tactic",
|
|||
|
"version": "9",
|
|||
|
"icon": "map",
|
|||
|
"namespace": "mitre-attack",
|
|||
|
"enabled": true,
|
|||
|
"local_only": false,
|
|||
|
"kill_chain_order": {
|
|||
|
"mitre-attack": [
|
|||
|
"reconnaissance",
|
|||
|
"resource-development",
|
|||
|
"initial-access",
|
|||
|
"execution",
|
|||
|
"persistence",
|
|||
|
"privilege-escalation",
|
|||
|
"defense-evasion",
|
|||
|
"credential-access",
|
|||
|
"discovery",
|
|||
|
"lateral-movement",
|
|||
|
"collection",
|
|||
|
"command-and-control",
|
|||
|
"exfiltration",
|
|||
|
"impact"
|
|||
|
],
|
|||
|
"mitre-mobile-attack": [
|
|||
|
"initial-access",
|
|||
|
"execution",
|
|||
|
"persistence",
|
|||
|
"privilege-escalation",
|
|||
|
"defense-evasion",
|
|||
|
"credential-access",
|
|||
|
"discovery",
|
|||
|
"lateral-movement",
|
|||
|
"collection",
|
|||
|
"command-and-control",
|
|||
|
"exfiltration",
|
|||
|
"impact",
|
|||
|
"network-effects",
|
|||
|
"remote-service-effects"
|
|||
|
],
|
|||
|
"mitre-pre-attack": [
|
|||
|
"priority-definition-planning",
|
|||
|
"priority-definition-direction",
|
|||
|
"target-selection",
|
|||
|
"technical-information-gathering",
|
|||
|
"people-information-gathering",
|
|||
|
"organizational-information-gathering",
|
|||
|
"technical-weakness-identification",
|
|||
|
"people-weakness-identification",
|
|||
|
"organizational-weakness-identification",
|
|||
|
"adversary-opsec",
|
|||
|
"establish-&-maintain-infrastructure",
|
|||
|
"persona-development",
|
|||
|
"build-capabilities",
|
|||
|
"test-capabilities",
|
|||
|
"stage-capabilities"
|
|||
|
]
|
|||
|
},
|
|||
|
"GalaxyCluster": [
|
|||
|
{
|
|||
|
"id": "64276",
|
|||
|
"collection_uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683",
|
|||
|
"type": "mitre-attack-pattern",
|
|||
|
"value": "Phishing - T1566",
|
|||
|
"tag_name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
|
|||
|
"description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)",
|
|||
|
"galaxy_id": "25",
|
|||
|
"source": "https://github.com/mitre/cti",
|
|||
|
"authors": [
|
|||
|
"MITRE"
|
|||
|
],
|
|||
|
"version": "25",
|
|||
|
"uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"org_id": "0",
|
|||
|
"orgc_id": "0",
|
|||
|
"default": true,
|
|||
|
"locked": false,
|
|||
|
"extends_uuid": "",
|
|||
|
"extends_version": "0",
|
|||
|
"published": false,
|
|||
|
"deleted": false,
|
|||
|
"GalaxyClusterRelation": [],
|
|||
|
"Org": {
|
|||
|
"id": "0",
|
|||
|
"name": "MISP",
|
|||
|
"date_created": "",
|
|||
|
"date_modified": "",
|
|||
|
"description": "Automatically generated MISP organisation",
|
|||
|
"type": "",
|
|||
|
"nationality": "Not specified",
|
|||
|
"sector": "",
|
|||
|
"created_by": "0",
|
|||
|
"uuid": "0",
|
|||
|
"contacts": "",
|
|||
|
"local": true,
|
|||
|
"restricted_to_domain": [],
|
|||
|
"landingpage": null
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "0",
|
|||
|
"name": "MISP",
|
|||
|
"date_created": "",
|
|||
|
"date_modified": "",
|
|||
|
"description": "Automatically generated MISP organisation",
|
|||
|
"type": "",
|
|||
|
"nationality": "Not specified",
|
|||
|
"sector": "",
|
|||
|
"created_by": "0",
|
|||
|
"uuid": "0",
|
|||
|
"contacts": "",
|
|||
|
"local": true,
|
|||
|
"restricted_to_domain": [],
|
|||
|
"landingpage": null
|
|||
|
},
|
|||
|
"TargetingClusterRelation": [
|
|||
|
{
|
|||
|
"id": "82078",
|
|||
|
"galaxy_cluster_id": "63601",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82288",
|
|||
|
"galaxy_cluster_id": "63935",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82316",
|
|||
|
"galaxy_cluster_id": "63963",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82747",
|
|||
|
"galaxy_cluster_id": "64392",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82810",
|
|||
|
"galaxy_cluster_id": "64417",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "83469",
|
|||
|
"galaxy_cluster_id": "64524",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "83620",
|
|||
|
"galaxy_cluster_id": "64534",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "83748",
|
|||
|
"galaxy_cluster_id": "64554",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "84796",
|
|||
|
"galaxy_cluster_id": "64590",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "uses",
|
|||
|
"galaxy_cluster_uuid": "c77c5576-ca19-42ed-a36f-4b4486a84133",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "85153",
|
|||
|
"galaxy_cluster_id": "64608",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "uses",
|
|||
|
"galaxy_cluster_uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "88974",
|
|||
|
"galaxy_cluster_id": "64800",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "uses",
|
|||
|
"galaxy_cluster_uuid": "95047f03-4811-4300-922e-1ba937d53a61",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "91910",
|
|||
|
"galaxy_cluster_id": "65033",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "uses",
|
|||
|
"galaxy_cluster_uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "98619",
|
|||
|
"galaxy_cluster_id": "66523",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "98698",
|
|||
|
"galaxy_cluster_id": "66596",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "98809",
|
|||
|
"galaxy_cluster_id": "66704",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99142",
|
|||
|
"galaxy_cluster_id": "66977",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99607",
|
|||
|
"galaxy_cluster_id": "67390",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99691",
|
|||
|
"galaxy_cluster_id": "67451",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "e8a95b5e-c891-46e2-b33a-93937d3abc31",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99966",
|
|||
|
"galaxy_cluster_id": "67698",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100178",
|
|||
|
"galaxy_cluster_id": "67917",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "b5de2919-b74a-4805-91a7-5049accbaefe",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100200",
|
|||
|
"galaxy_cluster_id": "67930",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100222",
|
|||
|
"galaxy_cluster_id": "67942",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "5039f3d2-406a-4c1a-9350-7a5a85dc84c2",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100246",
|
|||
|
"galaxy_cluster_id": "67959",
|
|||
|
"referenced_galaxy_cluster_id": "64276",
|
|||
|
"referenced_galaxy_cluster_uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
}
|
|||
|
],
|
|||
|
"meta": {
|
|||
|
"external_id": [
|
|||
|
"T1566"
|
|||
|
],
|
|||
|
"kill_chain": [
|
|||
|
"mitre-attack:initial-access"
|
|||
|
],
|
|||
|
"mitre_data_sources": [
|
|||
|
"Application Log: Application Log Content",
|
|||
|
"File: File Creation",
|
|||
|
"Network Traffic: Network Traffic Content",
|
|||
|
"Network Traffic: Network Traffic Flow"
|
|||
|
],
|
|||
|
"mitre_platforms": [
|
|||
|
"Linux",
|
|||
|
"macOS",
|
|||
|
"Windows",
|
|||
|
"SaaS",
|
|||
|
"Office 365",
|
|||
|
"Google Workspace"
|
|||
|
],
|
|||
|
"refs": [
|
|||
|
"https://attack.mitre.org/techniques/T1566",
|
|||
|
"https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
|
|||
|
"https://blog.sygnia.co/luna-moth-false-subscription-scams",
|
|||
|
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
|
|||
|
"https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
|
|||
|
"https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
|
|||
|
"https://www.cisa.gov/uscert/ncas/alerts/aa23-025a",
|
|||
|
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
|
|||
|
"https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
|
|||
|
"https://www.proofpoint.com/us/threat-reference/email-spoofing"
|
|||
|
]
|
|||
|
},
|
|||
|
"tag_id": 1943,
|
|||
|
"event_tag_id": "12605",
|
|||
|
"local": false,
|
|||
|
"relationship_type": false
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "64048",
|
|||
|
"collection_uuid": "dcb864dc-775f-11e7-9fbb-1f41b4996683",
|
|||
|
"type": "mitre-attack-pattern",
|
|||
|
"value": "User Execution - T1204",
|
|||
|
"tag_name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
|
|||
|
"description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)",
|
|||
|
"galaxy_id": "25",
|
|||
|
"source": "https://github.com/mitre/cti",
|
|||
|
"authors": [
|
|||
|
"MITRE"
|
|||
|
],
|
|||
|
"version": "25",
|
|||
|
"uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"org_id": "0",
|
|||
|
"orgc_id": "0",
|
|||
|
"default": true,
|
|||
|
"locked": false,
|
|||
|
"extends_uuid": "",
|
|||
|
"extends_version": "0",
|
|||
|
"published": false,
|
|||
|
"deleted": false,
|
|||
|
"GalaxyClusterRelation": [],
|
|||
|
"Org": {
|
|||
|
"id": "0",
|
|||
|
"name": "MISP",
|
|||
|
"date_created": "",
|
|||
|
"date_modified": "",
|
|||
|
"description": "Automatically generated MISP organisation",
|
|||
|
"type": "",
|
|||
|
"nationality": "Not specified",
|
|||
|
"sector": "",
|
|||
|
"created_by": "0",
|
|||
|
"uuid": "0",
|
|||
|
"contacts": "",
|
|||
|
"local": true,
|
|||
|
"restricted_to_domain": [],
|
|||
|
"landingpage": null
|
|||
|
},
|
|||
|
"Orgc": {
|
|||
|
"id": "0",
|
|||
|
"name": "MISP",
|
|||
|
"date_created": "",
|
|||
|
"date_modified": "",
|
|||
|
"description": "Automatically generated MISP organisation",
|
|||
|
"type": "",
|
|||
|
"nationality": "Not specified",
|
|||
|
"sector": "",
|
|||
|
"created_by": "0",
|
|||
|
"uuid": "0",
|
|||
|
"contacts": "",
|
|||
|
"local": true,
|
|||
|
"restricted_to_domain": [],
|
|||
|
"landingpage": null
|
|||
|
},
|
|||
|
"TargetingClusterRelation": [
|
|||
|
{
|
|||
|
"id": "82202",
|
|||
|
"galaxy_cluster_id": "63849",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82215",
|
|||
|
"galaxy_cluster_id": "63862",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82218",
|
|||
|
"galaxy_cluster_id": "63865",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "subtechnique-of",
|
|||
|
"galaxy_cluster_uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82670",
|
|||
|
"galaxy_cluster_id": "64333",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82745",
|
|||
|
"galaxy_cluster_id": "64392",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "82804",
|
|||
|
"galaxy_cluster_id": "64417",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "83464",
|
|||
|
"galaxy_cluster_id": "64524",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "83577",
|
|||
|
"galaxy_cluster_id": "64533",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "mitigates",
|
|||
|
"galaxy_cluster_uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "85013",
|
|||
|
"galaxy_cluster_id": "64601",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "uses",
|
|||
|
"galaxy_cluster_uuid": "d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "97896",
|
|||
|
"galaxy_cluster_id": "65898",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "98882",
|
|||
|
"galaxy_cluster_id": "66761",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "1412aa78-a24c-4abd-83df-767dfb2c5bbe",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99406",
|
|||
|
"galaxy_cluster_id": "67207",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "99961",
|
|||
|
"galaxy_cluster_id": "67694",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100250",
|
|||
|
"galaxy_cluster_id": "67959",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "100268",
|
|||
|
"galaxy_cluster_id": "67974",
|
|||
|
"referenced_galaxy_cluster_id": "64048",
|
|||
|
"referenced_galaxy_cluster_uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
|||
|
"referenced_galaxy_cluster_type": "related-to",
|
|||
|
"galaxy_cluster_uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca",
|
|||
|
"distribution": "3",
|
|||
|
"sharing_group_id": null,
|
|||
|
"default": true
|
|||
|
}
|
|||
|
],
|
|||
|
"meta": {
|
|||
|
"external_id": [
|
|||
|
"T1204"
|
|||
|
],
|
|||
|
"kill_chain": [
|
|||
|
"mitre-attack:execution"
|
|||
|
],
|
|||
|
"mitre_data_sources": [
|
|||
|
"Application Log: Application Log Content",
|
|||
|
"Command: Command Execution",
|
|||
|
"Container: Container Creation",
|
|||
|
"Container: Container Start",
|
|||
|
"File: File Creation",
|
|||
|
"Image: Image Creation",
|
|||
|
"Instance: Instance Creation",
|
|||
|
"Instance: Instance Start",
|
|||
|
"Network Traffic: Network Connection Creation",
|
|||
|
"Network Traffic: Network Traffic Content",
|
|||
|
"Process: Process Creation"
|
|||
|
],
|
|||
|
"mitre_platforms": [
|
|||
|
"Linux",
|
|||
|
"Windows",
|
|||
|
"macOS",
|
|||
|
"IaaS",
|
|||
|
"Containers"
|
|||
|
],
|
|||
|
"refs": [
|
|||
|
"https://attack.mitre.org/techniques/T1204",
|
|||
|
"https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery"
|
|||
|
]
|
|||
|
},
|
|||
|
"tag_id": 1259,
|
|||
|
"event_tag_id": "12606",
|
|||
|
"local": false,
|
|||
|
"relationship_type": false
|
|||
|
}
|
|||
|
]
|
|||
|
}
|
|||
|
],
|
|||
|
"Object": [
|
|||
|
{
|
|||
|
"id": "34232",
|
|||
|
"name": "file",
|
|||
|
"meta-category": "file",
|
|||
|
"description": "File object describing a file with meta-information",
|
|||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|||
|
"template_version": "24",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"timestamp": "1648119667",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": "2022-03-24T12:08:18.000000+00:00",
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [
|
|||
|
{
|
|||
|
"id": "11815",
|
|||
|
"uuid": "e58d9caa-35cb-4d1a-85c7-b469b1551ea8",
|
|||
|
"timestamp": "1648119667",
|
|||
|
"object_id": "34232",
|
|||
|
"referenced_uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
|
|||
|
"referenced_id": "34233",
|
|||
|
"referenced_type": "1",
|
|||
|
"relationship_type": "downloaded-from",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"Object": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
|
|||
|
"name": "url",
|
|||
|
"meta-category": "network"
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546723",
|
|||
|
"type": "malware-sample",
|
|||
|
"category": "Payload installation",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "a80ce85b-8da9-49d0-9380-8c7d87b32673",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "malware-sample",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "bin.exe|06596279d333d831e0b62265563a13ef",
|
|||
|
"Galaxy": [],
|
|||
|
"data": "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
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546724",
|
|||
|
"type": "filename",
|
|||
|
"category": "Payload installation",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "c45388c1-58be-4e48-aa90-b2445da50711",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "filename",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "bin.exe",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546725",
|
|||
|
"type": "md5",
|
|||
|
"category": "Payload installation",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "377e9258-8dd5-4322-9820-5d563893e151",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "md5",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "06596279d333d831e0b62265563a13ef",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546726",
|
|||
|
"type": "sha1",
|
|||
|
"category": "Payload installation",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "1bc2a5e0-bc92-4425-bd4e-781bd022f45f",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "sha1",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "514328c420f87ef4d920f08620395915d45e6eaf",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546727",
|
|||
|
"type": "sha256",
|
|||
|
"category": "Payload installation",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "4fd7fc0b-dec8-4953-9bb5-0c6a1bedbbd8",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "sha256",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "fdb8bf01985f33c301dc2bb6bf19fd864f62bae92bc09cce9378859dbb5a0846",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546728",
|
|||
|
"type": "size-in-bytes",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "3f0763ef-cdaf-47be-b68c-e96a68c665ce",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119411",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34232",
|
|||
|
"object_relation": "size-in-bytes",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "5236664",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "34233",
|
|||
|
"name": "url",
|
|||
|
"meta-category": "network",
|
|||
|
"description": "url object describes a URL along with its normalized field (as extracted using the faup parsing library) and its metadata.",
|
|||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
|||
|
"template_version": "9",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "8a571393-5eeb-4b95-a781-247f49dc6a51",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "URL used by the scammer to download the binary",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": "2022-03-24T12:06:32.000000+00:00",
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546730",
|
|||
|
"type": "url",
|
|||
|
"category": "Network activity",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "3cab98f1-53cd-47a0-8829-0e7b7d00734f",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "url",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "https://zdgyot.ugic0k.ru/assets/bin.exe",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546731",
|
|||
|
"type": "domain",
|
|||
|
"category": "Network activity",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "34060945-e8a7-4f7a-865d-bcdb60ab926e",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "domain",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "zdgyot.ugic0k.ru",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546732",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "04678f67-5a50-40f8-8ad1-72de41a0c03d",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "domain_without_tld",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "zdgyot.ugic0k",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546733",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "fb5e1ba0-d452-4411-9fd0-840c562d0962",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "resource_path",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "/assets/bin.exe",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546734",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "d28f3a71-0f97-43fd-a48b-bfe45fc94e68",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "scheme",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "https",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546735",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "467f8165-6a94-4949-83be-a0bb5dc71bc2",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119431",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34233",
|
|||
|
"object_relation": "tld",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "ru",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "34234",
|
|||
|
"name": "bank-account",
|
|||
|
"meta-category": "financial",
|
|||
|
"description": "An object describing bank account information based on account description from goAML 4.0.",
|
|||
|
"template_uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
|
|||
|
"template_version": "3",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
|
|||
|
"timestamp": "1648119391",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "Bank account that received the money. Presumed to belong to the scammer",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546736",
|
|||
|
"type": "iban",
|
|||
|
"category": "Financial fraud",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "d0d61385-c8dc-473b-81b2-5e0b9f691d43",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119391",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34234",
|
|||
|
"object_relation": "iban",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "GB29NWBK60161331926819",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546737",
|
|||
|
"type": "bic",
|
|||
|
"category": "Financial fraud",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "e67fb353-31e4-49a9-8452-e98828ea2c55",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119391",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34234",
|
|||
|
"object_relation": "swift",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "NWBK",
|
|||
|
"Galaxy": [],
|
|||
|
"validationIssue": true,
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546738",
|
|||
|
"type": "bank-account-nr",
|
|||
|
"category": "Financial fraud",
|
|||
|
"to_ids": true,
|
|||
|
"uuid": "acd69ba0-2258-4c6b-bf20-910d72f4c16f",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119391",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34234",
|
|||
|
"object_relation": "account",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "31926819",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546739",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "07c77e9b-11ae-46b7-9a2c-c4e1f91f40b9",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119391",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34234",
|
|||
|
"object_relation": "currency-code",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "GBP",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "34235",
|
|||
|
"name": "person",
|
|||
|
"meta-category": "misc",
|
|||
|
"description": "An object which describes a person or an identity.",
|
|||
|
"template_uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
|
|||
|
"template_version": "16",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
|
|||
|
"timestamp": "1648119654",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "Name that the scammer gave to the victim. This name is confirmed to be that of the owner of the bank account and phone number",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [
|
|||
|
{
|
|||
|
"id": "11811",
|
|||
|
"uuid": "f0897b0d-63c2-4a7e-8036-e1d6409d369e",
|
|||
|
"timestamp": "1648119613",
|
|||
|
"object_id": "34235",
|
|||
|
"referenced_uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
|
|||
|
"referenced_id": "546740",
|
|||
|
"referenced_type": "0",
|
|||
|
"relationship_type": "owner-of",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
|
|||
|
"Attribute": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "38d27219-bfa1-43d9-a7c4-3769296e32d5",
|
|||
|
"value": "+12243359185",
|
|||
|
"type": "phone-number",
|
|||
|
"category": "Financial fraud",
|
|||
|
"to_ids": true
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "11812",
|
|||
|
"uuid": "6e7b12b8-ca97-4a4d-a993-15a471b24123",
|
|||
|
"timestamp": "1648119626",
|
|||
|
"object_id": "34235",
|
|||
|
"referenced_uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
|
|||
|
"referenced_id": "34234",
|
|||
|
"referenced_type": "1",
|
|||
|
"relationship_type": "owner-of",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
|
|||
|
"Object": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "809be621-e949-4eff-83f8-b95b1fcf834a",
|
|||
|
"name": "bank-account",
|
|||
|
"meta-category": "financial"
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "11813",
|
|||
|
"uuid": "69dd6c18-74ad-4e78-8a4a-e0a2dae9b698",
|
|||
|
"timestamp": "1648119640",
|
|||
|
"object_id": "34235",
|
|||
|
"referenced_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"referenced_id": "34232",
|
|||
|
"referenced_type": "1",
|
|||
|
"relationship_type": "downloaded",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
|
|||
|
"Object": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"name": "file",
|
|||
|
"meta-category": "file"
|
|||
|
}
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "11814",
|
|||
|
"uuid": "f6a61320-6e1c-4462-9767-09a5a8620cfd",
|
|||
|
"timestamp": "1648119654",
|
|||
|
"object_id": "34235",
|
|||
|
"referenced_uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"referenced_id": "34232",
|
|||
|
"referenced_type": "1",
|
|||
|
"relationship_type": "installed",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "e1691da4-7737-4410-a817-f3f8f4419ff1",
|
|||
|
"Object": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "d3297d1c-f80f-4542-8b36-d45a301e9072",
|
|||
|
"name": "file",
|
|||
|
"meta-category": "file"
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546741",
|
|||
|
"type": "last-name",
|
|||
|
"category": "Person",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "081bbab8-1b17-4883-b0cf-4ac8ee88bd87",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "last-name",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Breen",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546742",
|
|||
|
"type": "full-name",
|
|||
|
"category": "Person",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "1512fe92-9c44-4282-9a59-939defe50226",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "full-name",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Wallace Breen",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546743",
|
|||
|
"type": "first-name",
|
|||
|
"category": "Person",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "6e0ab22d-f7dc-4f6d-92ad-f32567b65d9d",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "first-name",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Wallace",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546744",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "ca995c18-c86d-47f0-88ed-a0db5da89cc5",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "role",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Accused",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546745",
|
|||
|
"type": "gender",
|
|||
|
"category": "Person",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "2387f01f-959e-4438-9e0f-8c1b2b397ddb",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "gender",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Male",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546746",
|
|||
|
"type": "nationality",
|
|||
|
"category": "Person",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "c4bcdac5-7876-4657-871d-9d199f5abb8a",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648114902",
|
|||
|
"comment": "",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34235",
|
|||
|
"object_relation": "nationality",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "British",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "34236",
|
|||
|
"name": "geolocation",
|
|||
|
"meta-category": "misc",
|
|||
|
"description": "An object to describe a geographic location.",
|
|||
|
"template_uuid": "cd6f2238-ba55-4888-82c4-104e6e1acf21",
|
|||
|
"template_version": "7",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "ec290bb1-e339-4a03-bb78-93cc43c39ccf",
|
|||
|
"timestamp": "1648119890",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [
|
|||
|
{
|
|||
|
"id": "11816",
|
|||
|
"uuid": "8232c0b7-a475-4116-94d6-a481c3f3000b",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"object_id": "34236",
|
|||
|
"referenced_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"referenced_id": "546729",
|
|||
|
"referenced_type": "0",
|
|||
|
"relationship_type": "related-to",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "ec290bb1-e339-4a03-bb78-93cc43c39ccf",
|
|||
|
"Attribute": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"value": "194.78.89.250",
|
|||
|
"type": "ip-src",
|
|||
|
"category": "Payload delivery",
|
|||
|
"to_ids": true
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546747",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "dede9764-3d1f-4487-998b-3cd0ff4946e6",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34236",
|
|||
|
"object_relation": "country",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "Belgium",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546748",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "59587e01-fdf4-4a9b-9224-974c3a99a5ed",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34236",
|
|||
|
"object_relation": "countrycode",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "BE",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546749",
|
|||
|
"type": "float",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "d7b26734-a0ce-465a-9a80-c735e1e01068",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34236",
|
|||
|
"object_relation": "latitude",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "50.8333",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546750",
|
|||
|
"type": "float",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "054ce836-6a3f-433e-af9b-6ead75854af1",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34236",
|
|||
|
"object_relation": "longitude",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "4",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546751",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "45e0807b-9495-49f2-919f-23d1e0642332",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34236",
|
|||
|
"object_relation": "text",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "db_source: GeoOpen-Country-ASN. build_db: 2022-02-06 09:30:25. Latitude and longitude are country average.",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "34237",
|
|||
|
"name": "asn",
|
|||
|
"meta-category": "network",
|
|||
|
"description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
|
|||
|
"template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
|
|||
|
"template_version": "4",
|
|||
|
"event_id": "2855",
|
|||
|
"uuid": "2535a80f-03f7-4bce-81b4-251419327fa6",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"deleted": false,
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"ObjectReference": [
|
|||
|
{
|
|||
|
"id": "11817",
|
|||
|
"uuid": "e86d355c-1991-41b3-bffa-d22382c92c98",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"object_id": "34237",
|
|||
|
"referenced_uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"referenced_id": "546729",
|
|||
|
"referenced_type": "0",
|
|||
|
"relationship_type": "related-to",
|
|||
|
"comment": "",
|
|||
|
"deleted": false,
|
|||
|
"event_id": "2855",
|
|||
|
"source_uuid": "2535a80f-03f7-4bce-81b4-251419327fa6",
|
|||
|
"Attribute": {
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"uuid": "8d651574-d18d-489b-ad8c-e04d586bebef",
|
|||
|
"value": "194.78.89.250",
|
|||
|
"type": "ip-src",
|
|||
|
"category": "Payload delivery",
|
|||
|
"to_ids": true
|
|||
|
}
|
|||
|
}
|
|||
|
],
|
|||
|
"Attribute": [
|
|||
|
{
|
|||
|
"id": "546752",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "a4757a19-2db2-4747-885d-70a2c4472586",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": false,
|
|||
|
"object_id": "34237",
|
|||
|
"object_relation": "asn",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "5432",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "546753",
|
|||
|
"type": "text",
|
|||
|
"category": "Other",
|
|||
|
"to_ids": false,
|
|||
|
"uuid": "4fb09589-4c4d-4b5d-bf42-b7a9429432de",
|
|||
|
"event_id": "2855",
|
|||
|
"distribution": "5",
|
|||
|
"timestamp": "1648119891",
|
|||
|
"comment": "194.78.89.250: Enriched via the mmdb_lookup module",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"deleted": false,
|
|||
|
"disable_correlation": true,
|
|||
|
"object_id": "34237",
|
|||
|
"object_relation": "description",
|
|||
|
"first_seen": null,
|
|||
|
"last_seen": null,
|
|||
|
"value": "ASNOrganization: PROXIMUS-ISP-AS. db_source: GeoOpen-Country-ASN. build_db: 2022-02-06 09:30:25.",
|
|||
|
"Galaxy": [],
|
|||
|
"ShadowAttribute": []
|
|||
|
}
|
|||
|
]
|
|||
|
}
|
|||
|
],
|
|||
|
"EventReport": [
|
|||
|
{
|
|||
|
"id": "71",
|
|||
|
"uuid": "ae25f4a2-f35d-4adb-bb03-b6ce21115117",
|
|||
|
"event_id": "2855",
|
|||
|
"name": "Executive summary of the case",
|
|||
|
"content": "# Executive summary of the case\r\nA victim was called by the suspected scammer @[object](e1691da4-7737-4410-a817-f3f8f4419ff1) using the following number: @[attribute](38d27219-bfa1-43d9-a7c4-3769296e32d5).\r\nThe scammer pretended to be a Microsoft employee and managed to convince the victim that he could help by using remote desktop assistance.\r\n\r\nOnce he had access, the scammer downloaded a binary @[object](d3297d1c-f80f-4542-8b36-d45a301e9072) from the following url @[object](8a571393-5eeb-4b95-a781-247f49dc6a51). He then proceeded to install the binary, probably to use it as a backdoor for future access.\r\n\r\nAfter the installation, he asked the victim to transfer money to the scammer's bank account: @[attribute](d0d61385-c8dc-473b-81b2-5e0b9f691d43)\r\n\r\nThe day after, the victim, suspecting a scam, contacted the police.\r\n\r\n# Technique used\r\n\r\n| | |\r\n| -------- | -------- |\r\n| Social vector | @[tag](veris:action:social:vector=\"Phone\") |\r\n| Potential hacking vector | @[tag](veris:action:hacking:vector=\"Desktop sharing\") |\r\n| Actor motive | @[tag](veris:actor:external:motive=\"Financial\") |\r\n| Impacted loss | @[tag](veris:impact:loss:variety=\"Asset and fraud\") |\r\n| Loss rating | @[tag](veris:impact:loss:rating=\"Minor\") |\r\n\r\n# Information collected after analysis\r\n- According to the phone number, IP address and bank account, the scammer @[object](e1691da4-7737-4410-a817-f3f8f4419ff1) is very likely based in @[attribute](dede9764-3d1f-4487-998b-3cd0ff4946e6).\r\n\r\n# Timeline\r\n- **2022-03-25 11:42:43 UTC+0**: Scammer called the victim pretending to be a Microsoft employee\r\n- **2022-03-25 11:47:27 UTC+0**: Scammer convinced the victim to be helped via remote desktop assistance\r\n- **2022-03-25 12:06:32 UTC+0**: Scammer downloaded the binary on the victim's computer\r\n- **2022-03-25 12:08:18 UTC+0**: Scammer installed the binary on the victim's computer\r\n- **2022-03-25 12:17:51 UTC+0**: Scammer asked the victim to transfer money to a bank account for the help he provided\r\n- **2022-03-25 12:25:04 UTC+0**: Victim executed the money transfer\r\n- **2022-03-25 08:39:21 UTC+0**: Victim contacted police",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"timestamp": "1648133481",
|
|||
|
"deleted": false
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "178",
|
|||
|
"uuid": "49fc95e7-ebe4-4a69-98a5-cac2c31276b3",
|
|||
|
"event_id": "2855",
|
|||
|
"name": "Event report (1675788758)",
|
|||
|
"content": "## Successful Scam call involving money transfer\n - *Date*: 2022-03-24\n - *Last update*: 2022-06-30 15:24:18\n - *Threat level*: Low\n - *Attribute count*: 31\n#### Tags\n - @[tag](workflow:state=\"complete\")\n - @[tag](tlp:green)\n - @[tag](veris:action:hacking:vector=\"Desktop sharing\")\n - @[tag](veris:action:social:variety=\"Scam\")\n - @[tag](veris:action:social:vector=\"Phone\")\n - @[tag](veris:actor:external:motive=\"Financial\")\n - @[tag](veris:impact:loss:rating=\"Minor\")\n - @[tag](veris:impact:loss:variety=\"Asset and fraud\")\n - @[tag](social-engineering-attack-vectors:non-technical=\"technical-expert\")\n - @[tag](social-engineering-attack-vectors:technical=\"vishing\")\n#### Galaxies\n - *Name*: Attack Pattern\n - *Description*: ATT&CK Tactic\n - @[tag](misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\")\n - @[tag](misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\")\n#### Correlations\n - MISP Encoding Exercise: Scam call JD\n - Scam call\n - Scam call\n - Scam call Ressources\n - Scam call for money transfer.\n - Scam call - Attempt to transfer money to a novice scammer\n - scam call bt\n - Scam call to transfer money\n - Scam call\n - Scam call with potential malicious binary (JRK)\n - Training Scam call\n - Scam Call from Wallace Breen\n - Microsoft support scam call\n - Fraud Event through scam call\n### Objects\n - @[object](d3297d1c-f80f-4542-8b36-d45a301e9072)\n - @[object](8a571393-5eeb-4b95-a781-247f49dc6a51)\n - @[object](809be621-e949-4eff-83f8-b95b1fcf834a)\n - @[object](e1691da4-7737-4410-a817-f3f8f4419ff1)\n - @[object](ec290bb1-e339-4a03-bb78-93cc43c39ccf)\n - @[object](2535a80f-03f7-4bce-81b4-251419327fa6)\n### Attributes\n - @[attribute](8d651574-d18d-489b-ad8c-e04d586bebef)\n - @[attribute](38d27219-bfa1-43d9-a7c4-3769296e32d5)\n### ATT&CK Matrix\n@[galaxymatrix](c4e851fa-775f-11e7-8163-b774922098cd)",
|
|||
|
"distribution": "5",
|
|||
|
"sharing_group_id": "0",
|
|||
|
"timestamp": "1675788758",
|
|||
|
"deleted": false
|
|||
|
}
|
|||
|
],
|
|||
|
"CryptographicKey": [],
|
|||
|
"Tag": [
|
|||
|
{
|
|||
|
"id": "261",
|
|||
|
"name": "workflow:state=\"complete\"",
|
|||
|
"colour": "#e2007a",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "9",
|
|||
|
"name": "tlp:green",
|
|||
|
"colour": "#33FF00",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2263",
|
|||
|
"name": "veris:action:hacking:vector=\"Desktop sharing\"",
|
|||
|
"colour": "#00748d",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "587",
|
|||
|
"name": "veris:action:social:variety=\"Scam\"",
|
|||
|
"colour": "#00b2d9",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2266",
|
|||
|
"name": "veris:action:social:vector=\"Phone\"",
|
|||
|
"colour": "#00809c",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2267",
|
|||
|
"name": "veris:actor:external:motive=\"Financial\"",
|
|||
|
"colour": "#0096b7",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2268",
|
|||
|
"name": "veris:impact:loss:rating=\"Minor\"",
|
|||
|
"colour": "#00bde6",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2269",
|
|||
|
"name": "veris:impact:loss:variety=\"Asset and fraud\"",
|
|||
|
"colour": "#00bde7",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2262",
|
|||
|
"name": "social-engineering-attack-vectors:non-technical=\"technical-expert\"",
|
|||
|
"colour": "#00c643",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "2270",
|
|||
|
"name": "social-engineering-attack-vectors:technical=\"vishing\"",
|
|||
|
"colour": "#003e15",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": false,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "1943",
|
|||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
|
|||
|
"colour": "#0088cc",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": true,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
},
|
|||
|
{
|
|||
|
"id": "1259",
|
|||
|
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
|
|||
|
"colour": "#0088cc",
|
|||
|
"exportable": true,
|
|||
|
"user_id": "0",
|
|||
|
"hide_tag": false,
|
|||
|
"numerical_value": null,
|
|||
|
"is_galaxy": true,
|
|||
|
"is_custom_galaxy": false,
|
|||
|
"local_only": false,
|
|||
|
"local": 0,
|
|||
|
"relationship_type": null
|
|||
|
}
|
|||
|
]
|
|||
|
}
|
|||
|
}
|