{"id":677,"date":"2017-01-24T11:35:36","date_gmt":"2017-01-24T11:35:36","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=677"},"modified":"2017-01-24T11:35:36","modified_gmt":"2017-01-24T11:35:36","slug":"2017-01-23-dridex-malware-from-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=677","title":{"rendered":"2017-01-23 Dridex Malware from Malspam"},"content":{"rendered":"

Here is an example of some Dridex malspam that I was able to analyze yesterday. As usual the artifacts and such can be found over in my Github repo found here<\/a>. <\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\nrelish.net \/ 81.91.205.168 (Port 443)
\nwww1.relish.net \/ 81.91.205.167 (Port 443)
\nu4593764.ct.sendgrid.net \/ 167.89.125.30
\nagfirstnz-my.sharepoint.com, prodnet329-325selectora0000.sharepointonline.com.akadns.net \/ 104.146.164.65 (Port 443)
\nBrightSteps.sharepoint.com, prodnet324-328selectora0000.sharepointonline.com.akadns.net \/ 104.146.164.25 (Port 443)
\n212.227.105.182 (Port 8343)
\n91.121.30.169 (Port 4431)<\/p>\n

Artifacts:
\n==========
\nFile name: Bill View.js
\nFile size: 18KB
\nMD5 hash: 16e101cd7af89f643efecd1aa59a39cd
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073\/analysis\/<\/a>
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100<\/a><\/p>\n

File name: qqBfqaxXe.exe
\nFile size: 154KB
\nMD5 hash: 55c2368aa15a128e946fafd700160375
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/a38ea56e8849addbe6fd94c5196e02169504f9384618edb192b5e87d1a645b97\/analysis\/<\/a>
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100<\/a><\/p>\n

Analysis:
\n=========
\nWhen looking at the email there are two links that one can choose from: one that is click-able and one that would require the user to copy the link and paste it into a browser. When I copied the link www[.]relish[.]net\/assets\/files\/Bill_Walkthrough[.]pdf in my test VM, all I got was a redirect over to hxxps:\/\/www1[.]relish[.]net\/assets\/files\/Bill_Walkthrough[.]pdf and a PDF within the browser. I was not able to see anything malicious in the traffic (granted since this is over HTTPS, there may be something there that I am not aware of). There are no odd calls to other IP addresses or to other odd ports either. <\/p>\n

\r\nGET \/assets\/files\/Bill_Walkthrough.pdf HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident\/6.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: www.relish.net\r\nDNT: 1\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 301 Moved Permanently\r\nDate: Tue, 24 Jan 2017 10:43:24 GMT\r\nServer: Shelob (Cirith Ungol)\r\nLocation: http:\/\/www1.relish.net\/assets\/files\/Bill_Walkthrough.pdf\r\nContent-Length: 265\r\nConnection: close\r\nContent-Type: text\/html; charset=iso-8859-1\r\nSet-Cookie: SERVERID=a1; path=\/\r\nCache-control: private\r\n\r\n<!DOCTYPE HTML PUBLIC "-\/\/IETF\/\/DTD HTML 2.0\/\/EN">\r\n<html><head>\r\n<title>301 Moved Permanently<\/title>\r\n<\/head><body>\r\n<h1>Moved Permanently<\/h1>\r\n<p>The document has moved <a href="http:\/\/www1.relish.net\/assets\/files\/Bill_Walkthrough.pdf">here<\/a>.<\/p>\r\n<\/body><\/html><\/pre>\n
\"\"<\/a><\/p>\n
So using the actual click-able link in the email,<\/p>\n
\r\nhxxps:\/\/u4593764.ct.sendgrid.net\/wf\/click?upn=k9OTkOER8h7YFf7fJP9mBAZcqDUL275grn71x4zt0yw2Em-2B0a-2BmXdo47N2kVgjCKAQ1Q4LP4qPlK0ITYcdgZXoD9TfrtqJF1TVrkHwkWS2AGUTInNlOGo3s4bECuBRmpBZDxk4-2FyyyjSqrVyYIpGeMlu5zyOdP9WSTSPYuZmehzE3U9eUsbJWNoZokYy6WTf1d9DT7QUos1O0zaCktOPm3HiYfGpjJW0n91Q4gtzBr2PW6EbkbZPSK5-2Bi-2B8HLZ8p_-2BuyqbAT6LrWvGmCRH8NeQTy9rEdT64T-2FUVIvL-2BRmtG0XxQlgdBDnDMcjUVlyunGGxAEMitYZpPiTxvFp8hh2c2IOPMn071bJqWM-2FYi-2B8CQvR5Qe5YNE0kAJISNG2chxdjIMSuDpSeOLgW8LoxakqmxkUoTC7eg3hSYQiIddSs0IFLGUYe0F2f-2FNGSFJ50agi8VkBwdgGLChVGTqJxGn4m58PUGNGVx8Y1T3iFAplIPU-3D<\/pre>\n
I got asked if I wanted to save the file “Bill View.zip” which contained a Javascript file called “Bill View.js.” From what I can see, this file is hosted on a Sharepoint site as there is a request for the domain “agfirstnz-my.sharepoint.com” which ultimately directs points to the domain of “prodnet329-325selectora0000.sharepointonline.com.akadns.net.” The file is saved from that site over HTTPS:<\/p>\n
\r\n...........X.2...|.3.e...HXq......y..P.O.D.....\/.5...\r\n.....\t.\r\n.2.8.......B........ .....agfirstnz-my.sharepoint.com..........\r\n......................Q..X.2...]ZL.........xU..q..'.Z.B.. V.......>.c!...)..,.f..,b!...v1.....\t...................0..\r\n0..........Z.....V\/.3-\\[......0\r\n.\t*.H..\r\n.....0..1.0\t..U....US1.0...U...\r\nWashington1.0...U....Redmond1.0...U.\r\n..Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT SSL SHA20..\r\n160223194210Z.\r\n180222194210Z0..1.0\t..U....US1.0\t..U....WA1.0...U....Redmond1.0...U.\r\n..Microsoft Corporation1.0...U....Microsoft Corporation1.0...U....*.sharepoint.com0.."0\r\n.\t*.H..\r\n..........0..\r\n.......T....*'^.)....|....c..[.d.3..a..'....1...\/...~..:j.a.\/..-.CP.l.Q;..y..e....:.WK..f10.......]..J........X.A.f.Y.Q..u.o.\\.]3..%...QwY.....................d......1v..Oen.z.it..on.yHX`.r.ILD..........}R.uUd...7.pkM.o.w...=.%\/b.....!..f....!......y...h.B.............j0..f0...U........0...U.%..0...+.........+.......0...U........m.z......\t..(...G.0....U.....0....*.sharepoint.com.%*.sharepoint.apac.microsoftonline.com.%*.sharepoint.emea.microsoftonline.com. *.sharepoint.microsoftonline.com0...U.#..0...Q.$&..h"W.&+;Fb.{...0}..U...v0t0r.p.n.6http:\/\/mscrl.microsoft.com\/pki\/mscorp\/crl\/msitwww2.crl.4http:\/\/crl.microsoft.com\/pki\/mscorp\/crl\/msitwww2.crl0p..+........d0b0<..+.....0..0http:\/\/www.microsoft.com\/pki\/mscorp\/msitwww2.crt0"..+.....0...http:\/\/ocsp.msocsp.com0N..U. .G0E0C.\t+.....7*.0604..+........(http:\/\/www.microsoft.com\/pki\/mscorp\/cps.0'.\t+.....7.<\/pre>\n
Once I executed the Javascript file that was downloaded above, I saw a callback to BrightSteps.sharepoint.com which points to “prodnet324-328selectora0000.sharepointonline.com.akadns.net,” which is encrypted over HTTPS again. <\/p>\n
\r\n...........X.2.2^.%L;.^\r\n.$.g....p....\/..2.3....\/.5...\r\n.....\t.\r\n.2.8.......D........". ...brightsteps-my.sharepoint.com..........\r\n......................Q..X.2.....#..!........vD..[..o.... .?.......*..?i..0_[....3.uxa...Y....\t...................0..\r\n0..........Z.....V\/.3-\\[......0\r\n.\t*.H..\r\n.....0..1.0\t..U....US1.0...U...\r\nWashington1.0...U....Redmond1.0...U.\r\n..Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT SSL SHA20..\r\n160223194210Z.\r\n180222194210Z0..1.0\t..U....US1.0\t..U....WA1.0...U....Redmond1.0...U.\r\n..Microsoft Corporation1.0...U....Microsoft Corporation1.0...U....*.sharepoint.com0.."0\r\n.\t*.H..\r\n..........0..\r\n.......T....*'^.)....|....c..[.d.3..a..'....1...\/...~..:j.a.\/..-.CP.l.Q;..y..e....:.WK..f10.......]..J........X.A.f.Y.Q..u.o.\\.]3..%...QwY.....................d......1v..Oen.z.it..on.yHX`.r.ILD..........}R.uUd...7.pkM.o.w...=.%\/b.....!..f....!......y...h.B.............j0..f0...U........0...U.%..0...+.........+.......0...U........m.z......\t..(...G.0....U.....0....*.sharepoint.com.%*.sharepoint.apac.microsoftonline.com.%*.sharepoint.emea.microsoftonline.com. *.sharepoint.microsoftonline.com0...U.#..0...Q.$&..h"W.&+;Fb.{...0}..U...v0t0r.p.n.6http:\/\/mscrl.microsoft.com\/pki\/mscorp\/crl\/msitwww2.crl.4http:\/\/crl.microsoft.com\/pki\/mscorp\/crl\/msitwww2.crl0p..+........d0b0<..+.....0..0http:\/\/www.microsoft.com\/pki\/mscorp\/msitwww2.crt0"..+.....0...http:\/\/ocsp.msocsp.com0N..U. .G0E0C.\t+.....7*.0604..+........(http:\/\/www.microsoft.com\/pki\/mscorp\/cps.0'.\t+.....7.<\/pre>\n
From there, I then saw encrypted communication to the IP address of 212.227.105.182 via port 8343:<\/p>\n
\r\n....c..._..X..g...\tA,....&...*F_..w.Y&w.1v.....\/.5...\r\n.....\t.\r\n.2.8.......................\r\n..................Q...M..X..gzJ..4..1.....kl...#9........ 4.....o...{ZM4.Y....BhM*.D.....l.\/.......................0...0.........\t.....~..\r\n0\r\n.\t*.H..\r\n.....0..1.0\t..U....IQ1+0)..U..."Isucot ssowartit rsmavi sbaratyto21.0...U....Baghdad1.0...U.\r\n..Obonthat SEM1'0%..U....Supotinousa.athuauirsdwa.loans0..\r\n170115150504Z.\r\n170716150504Z0..1.0\t..U....IQ1+0)..U..."Isucot ssowartit rsmavi sbaratyto21.0...U....Baghdad1.0...U.\r\n..Obonthat SEM1'0%..U....Supotinousa.athuauirsdwa.loans0.."0\r\n.\t*.H..\r\n..........0..\r\n..........2..3..b.eez@K..:...H.Y..........eX.D ..l.u.sI=.*..{w....us..yY.Y.e.B.7.o...&w..\\.O..ul4.%._...H\\*Q.-.e....$....1I,#..\\%..dt..z...;.x..!..L1....7\r\nv.c..H|..?-...%...r...6U?.h.m|y.).......\t]......D&P\/...7R...@. ..,..S.c_wQ3..~.W.\/...Q.I...A>.?U.R..x..."I......P0N0...U......{.Y.p.I...KLq.@..h..0...U.#..0...{.Y.p.I...KLq.@..h..0...U....0....0\r\n.\t*.H..\r\n..........|C.........sp.".y_....GJ9...P...v.......][.y...@P......0"J-.q..6.o....-$.I..h.._.....\\-B.\\.!<..E@..z`\/C.....w.'0....Z...<..k..K.....hs.u....F.L#[..2#.r%.X...gr\/.}......x.@94..P....r...~f]..{2....Z{.........q.........($3..|..w..&....g.u5..H...(#......T5R!2........................Y5...Q).;...1..Doo........r.....r......\r\n..X.b..G(eMe.F..}....G..jK.Z..*WU...Z..C..t.....?0....#.....XOh........).........I.....Zpi.2Yy.!.......+Dj.....\\9........F..e.5;...o....\t.....T.]...k.(....R.6....[DvC...z.Rh\/.{..nT*...$......e...] ....G.F..P2....j..........0y.9.EC."*.....?.1...J.C.q..\r\n.6.4\r\n.sR.h.z._..j\r\n............0\r\n..i.....J._..Xh.._._.v.......?.5<H.}.$..RKh...........<.`OTl......)Sw`+.8....M.....x.....JC.c.u.....*VK..f#\tP-..c...x...5..\\h.dEY....\/t.d.=...!.....]...7h.a.7....&ge2R.....7'.6..`....IP.=.............P\r\n....A..Y........a.T.......xp..n...F....a\\..<.v#..yd.nb......W7.=>&]=...........D...n...k..D......H.%.T..<...2.IL..n..gY.....w.s>...1Z.J.,'... ....9rlBu.7<........?.|..~F...o.L....J.....;..OV.w(..^.Fb*\/^.H.\r\nl6.K..^..Ps.f(.f.l)6....=.Y..J...u.n.....a.J...7;#..I........\r\nk&\r\n.K....{..blK..Vd8i.F.h$.....,...yU.I..H1=.(G-.g.l..R......4......8ykx..:.......<I.V.1...&\/:...`...0F.......}...}O....).@..5\t.Xw..L}.c....^..e.IR.pa4\r\n......DmT...v.C}...CB......j..~t..?.OS.^l\r\n^A<......Eq|(.T..R.Z."\r\ng......~.....'...y..?..S....XyH..7.<..r_._\r\n..f..)GK..Hd..,....F..@.7J..f......_W{O..\/.k...M..#....z\r\nI..!.|.\t}..4...&..^#..%T.+p... |..T....I.T6(X...9.Viu>-.:..9..$..F...!q..pu...Au._.)?h..ZX....#!.~. .....[\r\n."\t..1i..b"..a'.>.p.xG....e-+qh>....=..1Hw........p..\/.6a{.i\\.jG@...{TY.jr..$. .."....9..s.Ab|>L.HR....'.$.\\.w.i....z...Q...`.An6...^.z..:..x.\/...[+.:%"oy...\r\n...i>.|...y...*J.x(1.....P=,f.n>Q&....z..C.....1.......m........H\r\n~..l.ON..*=jQ.K.(.}.c.o...0...N;....K.>5............D:.W.V..:.,..8... {.i.x}?...<....C..{v...W.F....zm;A1..=.r..h..-."N......3O....ve.%..78....w..C.os.2..mE.r6....C........;..<..q.o.}.HY-....`.I\\.[I.2K...@h.0_(J.u.....]1..1z.k,.)Q....P...l..>...i%.V....(h......g..\\l85k..?O...x"<yen..D......'.;...N.;..J....z..NlY.....L.....[...i.0.?..m..z.a..v.i..K.o?[..\/...J.Q..zf."}\r\nu<y......w9.`.a...\r\n....m..uv_=Y._..C#WX..(.CY....(...\r\n.3.p.S....J.HL=....U......N....+F....w.cud..s..9.......S.l^...@W.....].>.R.&,...A..L...^.s......%5_N]...@........Pc..I..<\/pre>\n
and then encrypted communication to the IP address of 91.121.30.169 via port 4431.<\/p>\n
\r\n....c..._..X....b8...Hd.....X'[.....d...}......\/.5...\r\n.....\t.\r\n.2.8.......................\r\n..................Q...M..X....>sE.\r\n.+...\/...Y...x$...h.%. .n\\#[E...x.]...5...>mT}2k..<h.i..\/.......................0...0.........\t...>.....0\r\n.\t*.H..\r\n.....0..1.0\t..U....JM1 0...U....Idnoim omirk2 Hantthan91.0...U....Kingston1.0...U.\r\n.\r\nAlerpe Co.1.0...U...\telantelit1%0#..U....Thai_lerec.0alermedspaf.guge0..\r\n170115150528Z.\r\n170716150528Z0..1.0\t..U....JM1 0...U....Idnoim omirk2 Hantthan91.0...U....Kingston1.0...U.\r\n.\r\nAlerpe Co.1.0...U...\telantelit1%0#..U....Thai_lerec.0alermedspaf.guge0.."0\r\n.\t*.H..\r\n..........0..\r\n......H...Y.].x.p.5OhI\\.,..5S..VMm...L.%..^.7.{'.*..'....w...r8..?..d.\t.....,..o.q.U*.\\)$,.w..i....?.:.+fJj.k........-N0.P.N..D&l6.~l*.Pb...D....._-p. .D7.u}.[.7..z.L.0...R..;..z...]...[B.E...._...\/...E....;.M`..N.+....>c8&\r\no.?.3....a.h...*... ...dQ..>...............P0N0...U........q.Qpt...\ti.Z.U...R0...U.#..0.....q.Qpt...\ti.Z.U...R0...U....0....0\r\n.\t*.H..\r\n..........J...x..Hu.j#.X,.J....O..0't.L.Wu.fd.FN.Wi...+).....;.........):.....*=...u..7.h....TX...#.......5:......&R1.......taq\r\n"S..o.Q....S ..?..C.if9.7..2...IF.%._.AE...nY.s-.U.SUT{..qn.&...5...*.q.c...P0.v.W...g.....N..`...W.\r\n.TK....E...!...............\t..4j.j.......................D.m....WxB.o.t.......ue.........9......~\\.... .?.UY...J.......l.*.pWU.).g.&g.">....~...=;...%%......'..JD..9\\.t.V."@..N....]..Q..c.5#.......rnO...z. -R.wH.....\t........^.@?.N....-..(..q..g6.....L..h'=....O...l......c........M_N......J.......\r\n\\.(k.u.$.pWh$\\..........0.....9..).(..!.Q.... \/..?..=..0q.,...].M}%Q.s\r\n9...........0L.....F.....'.cCu..l?.h.5.)Mm.....%W+3.C.............T...vv....".|.55.^u.V.}.pA..j..j.,w.~.C.Z..0....;.H1.aChbl....6f.y..CD..7.;cs]..".....dUd.....J....w.._uJX...O..@.|.}k........"....{......<\r\n........P...[.XL.....fd\r\n..\r\nf....-jn.\\.D....5........m..eW...A.}..a.\r\n#..+.5<".8.!.......'64.Gm.q.V...Y..M.Ys^.*1!c.......-...g.@\t.db...[...c. .\/jg..AG...x..........x.`C....`\r\n..R.;....s.....\\'.....[..F..@.;~.UF....y........N....WFc...1~s>z0....Gg'...$......).\t...{..t...T\r\n.|.k0f.\/!T........zw.....'...........9U.........?v..o..q.O....J..m........5D...[...w....U..'=.I...!{U.,..g.....E......w~.h....\/..{Ox....#...+.N.&...w7.9=..@4H+........sF....{.;r......l .\t.....;..t.n.~..E.W....y.w.@.....Lj:..#..e8....DJn.J...I.h..}.d.D.n.....!O}....[K...\t...+{........R.....ZD..#...>o...v.T..$.r..:W....-.i).`Z.i..4.....)^....7.iDN.8.$......}.w|.*........w.h;\r\n.|rL......\r\n...fl..1>.9...`.&m8[..&.c......M..[Fq..sL.....D;gN.w.(g.....1.NJ\t>].P..q".S..4.p..q...I..:.sk.7............G'".&."S.J.&..EkR\\..Z%....z#..i.....Y.-.&~tc...+y...z.0.#>...|.......{\t.x..#.P....[%\\.9h.@E.*H2p.R.j.S.e..b,...QZ.....$&...~...%.....;cY.#B.g..W.<Jk..b+7.i..klK...f.\t..k.1 J..N.e.@!i.1...^._...?..4}..`.FpI..H...........}Zn...i.>.M%.....\t..5..O. .C|%....Y..J.1g.A\r\n...T9.....y.N?...9.q..6:....C..T.p.*..RO.j.....mg(.....(....R..V.......z."".....F>N.wR....`..O.....7....b......O.....<.P...y.Q.m.......0...W.......L..\/.i.r.u+....K.Bzk*.'... ..\r\n....H.....q)F..N.&W...y.>.?.......U..Z.Rb.B.]..\\...y....P.&..F...E.:..n].m.9...Y...Pk...+.....(:)~l.ji>}..k..6V+..}laP_..$7qn....A.....B.<.......p..._....%...3...ph....oy.91....F..V#..{.Rs.Wx^..[N|....e..oHd...=%...\r\n.\t..`....l..P\r\n\t.......9....]7..;A.....g..{....rzO.<\/pre>\n","protected":false},"excerpt":{"rendered":"
Here is an example of some Dridex malspam that I was able to analyze yesterday. As usual the artifacts and such can be found over in my Github repo found here. IOCs: ===== relish.net \/ 81.91.205.168 (Port 443) www1.relish.net \/ 81.91.205.167 (Port 443) u4593764.ct.sendgrid.net \/ 167.89.125.30 agfirstnz-my.sharepoint.com, prodnet329-325selectora0000.sharepointonline.com.akadns.net \/ 104.146.164.65 (Port 443) BrightSteps.sharepoint.com, prodnet324-328selectora0000.sharepointonline.com.akadns.net \/ 104.146.164.25 (Port 443) 212.227.105.182 (Port 8343) 91.121.30.169 (Port 4431) Artifacts: ========== File name: Bill View.js File size: 18KB MD5 hash: 16e101cd7af89f643efecd1aa59a39cd Virustotal: http:\/\/www.virustotal.com\/en\/file\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073\/analysis\/ Payload Security: http:\/\/www.hybrid-analysis.com\/sample\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100 File name: qqBfqaxXe.exe File size: 154KB MD5 hash: 55c2368aa15a128e946fafd700160375 Virustotal: http:\/\/www.virustotal.com\/en\/file\/a38ea56e8849addbe6fd94c5196e02169504f9384618edb192b5e87d1a645b97\/analysis\/ Payload Security: http:\/\/www.hybrid-analysis.com\/sample\/149c8da70249e7ab3b055bd7b8afa15bac2a5d069195db9686b210fa6eb76073?environmentId=100 Analysis: ========= When looking at…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-677","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=677"}],"version-history":[{"count":1,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/677\/revisions"}],"predecessor-version":[{"id":680,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/677\/revisions\/680"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}