2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:14:48.000Z" ,
"modified" : "2021-09-24T08:14:48.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:14:48.000Z" ,
"modified" : "2021-09-24T08:14:48.000Z" ,
"name" : "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines" ,
"published" : "2021-09-24T08:14:56Z" ,
"object_refs" : [
"indicator--327ed82a-9666-498f-8ecc-192fc7c06f12" ,
"x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35" ,
"indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd" ,
"indicator--96abab21-a8a7-4869-b680-89144e5625e7" ,
"x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7" ,
2024-08-07 08:13:15 +00:00
"relationship--c43c0b80-28e7-4a56-bbcc-eba97e67310f"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"" ,
"misp-galaxy:threat-actor=\"Turla Group\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--327ed82a-9666-498f-8ecc-192fc7c06f12" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:10:34.000Z" ,
"modified" : "2021-09-24T08:10:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-09-24T08:10:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:10:17.000Z" ,
"modified" : "2021-09-24T08:10:17.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://blog.talosintelligence.com/2021/09/tinyturla.html" ,
"category" : "External analysis" ,
"uuid" : "65654f61-cd9f-416f-a840-debc025dc4da"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware." ,
"category" : "Other" ,
"uuid" : "4368eb41-7e59-4a68-b66c-c9c7c51a11dc"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Blog post" ,
"category" : "Other" ,
"uuid" : "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:11:00.000Z" ,
"modified" : "2021-09-24T08:11:00.000Z" ,
"pattern" : "import \\\\\"pe\\\\\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \\\\\"Cisco Talos\\\\\"\r\ndescription = \\\\\"Detects Tiny Turla backdoor DLL\\\\\"\r\nstrings:\r\n$a = \\\\\"Title:\\\\\" fullword wide\r\n$b = \\\\\"Hosts\\\\\" fullword wide\r\n$c = \\\\\"Security\\\\\" fullword wide\r\n$d = \\\\\"TimeLong\\\\\" fullword wide\r\n$e = \\\\\"TimeShort\\\\\" fullword wide\r\n$f = \\\\\"MachineGuid\\\\\" fullword wide\r\n$g = \\\\\"POST\\\\\" fullword wide\r\n$h = \\\\\"WinHttpSetOption\\\\\" fullword ascii\r\n$i = \\\\\"WinHttpQueryDataAvailable\\\\\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\\\\\"ServiceMain\\\\\") and\r\nall of them\r\n}" ,
"pattern_type" : "yara" ,
2023-12-14 14:30:15 +00:00
"pattern_version" : "2.1" ,
2023-04-21 14:44:17 +00:00
"valid_from" : "2021-09-24T08:11:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_context" : "all"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--96abab21-a8a7-4869-b680-89144e5625e7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:14:48.000Z" ,
"modified" : "2021-09-24T08:14:48.000Z" ,
"pattern" : "[file:hashes.MD5 = '028878c4b6ab475ed0be97eca6f92af9' AND file:hashes.SHA1 = '02c37ccdfccfe03560a4bf069f46e8ae3a5d2348' AND file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-09-24T08:14:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-09-24T08:12:06.000Z" ,
"modified" : "2021-09-24T08:12:06.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2021-09-24T06:19:11+00:00" ,
"category" : "Other" ,
"uuid" : "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351" ,
"category" : "Payload delivery" ,
"uuid" : "0643f79e-7e59-46ad-b98d-b00f28b73c5c"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "48/68" ,
"category" : "Payload delivery" ,
"uuid" : "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-08-07 08:13:15 +00:00
"id" : "relationship--c43c0b80-28e7-4a56-bbcc-eba97e67310f" ,
2023-04-21 14:44:17 +00:00
"created" : "2021-09-24T08:12:06.000Z" ,
"modified" : "2021-09-24T08:12:06.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--96abab21-a8a7-4869-b680-89144e5625e7" ,
"target_ref" : "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}