{
"Event": {
"analysis": "0",
"date": "2019-01-28",
"extends_uuid": "",
"info": "2019-01-28: Turla Kazuar RAT",
"publish_timestamp": "1548767977",
"published": true,
"threat_level_id": "3",
"timestamp": "1548767952",
"uuid": "5c502e8e-09e8-4c7c-9135-4c1b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Turla RAT\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\""
},
{
"colour": "#12e200",
"name": "misp-galaxy:threat-actor=\"Turla Group\""
},
{
"colour": "#065100",
"name": "misp-galaxy:tool=\"Turla\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Kazuar\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-malware=\"Kazuar - S0265\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"Kazuar\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#440055",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\""
},
{
"colour": "#4bec00",
"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\""
},
{
"colour": "#008ba9",
"name": "veris:asset:variety=\"S - Remote access\""
},
{
"colour": "#00bde6",
"name": "veris:action:misuse:vector=\"Remote access\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#5f0044",
"name": "CERT-XLM:malicious-code=\"spyware-rat\""
},
{
"colour": "#002642",
"name": "osint:source-type=\"microblog-post\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548760999",
"to_ids": true,
"type": "url",
"uuid": "5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
"value": "northviewcanada.com/wp-content/galler/slider/"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548761000",
"to_ids": true,
"type": "url",
"uuid": "5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
"value": "zycie-chotomowa.pl/wp-content/languages/index.php"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "5",
"timestamp": "1548759728",
"uuid": "5c5032b0-5a34-4e58-bcf7-0435950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f",
"value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1548759728",
"to_ids": true,
"type": "url",
"uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f",
"value": "https://twitter.com/VK_Intel/status/1089959988116799491"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username-quoted",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f",
"value": "DrunkBinary"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "creation-date",
"timestamp": "1548759728",
"to_ids": false,
"type": "datetime",
"uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f",
"value": "2019-01-28T10:54:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-4528-4080-bbb4-0435950d210f",
"value": "VK_Intel"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1548761278",
"uuid": "5c5038be-fe38-403c-a413-0435950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1548761278",
"to_ids": true,
"type": "md5",
"uuid": "5c5038be-b8a4-41df-a614-0435950d210f",
"value": "988df2967a7239a4b916cc9fcedaff68"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1548761278",
"to_ids": false,
"type": "text",
"uuid": "5c5038be-ec78-4d5b-91f0-0435950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1548767943",
"uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d",
"referenced_uuid": "9001b360-5644-40b6-8310-2c8aa8711aab",
"relationship_type": "analysed-with",
"timestamp": "1548767943",
"uuid": "5c5052c7-ec80-46a5-9eb3-4c3602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1548767943",
"to_ids": true,
"type": "md5",
"uuid": "839827fd-8db6-4baf-b6c6-8ca80a321668",
"value": "988df2967a7239a4b916cc9fcedaff68"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1548767943",
"to_ids": true,
"type": "sha1",
"uuid": "6dc280a4-698a-46fc-b336-3b42958143cd",
"value": "321fac7d4cabce35ce0adc67c700f47d47359021"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1548767943",
"to_ids": true,
"type": "sha256",
"uuid": "7fd1ea29-dcde-427f-998b-00f5403c01b4",
"value": "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1548767943",
"uuid": "9001b360-5644-40b6-8310-2c8aa8711aab",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1548767943",
"to_ids": false,
"type": "datetime",
"uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110",
"value": "2019-01-29T07:35:34"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1548767943",
"to_ids": false,
"type": "link",
"uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d",
"value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1548767943",
"to_ids": false,
"type": "text",
"uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4",
"value": "42/69"
}
]
}
]
}
}