{
"Event" : {
"analysis" : "2" ,
"date" : "2015-01-20" ,
"extends_uuid" : "" ,
"info" : "OSINT Analysis of Project Cobra Another extensible framework used by the Uroburos\u2019 actors from Gdata" ,
"publish_timestamp" : "1498163570" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1498163317" ,
"uuid" : "54bf5a6f-ac50-4f71-9cd3-7080950d210b" ,
"Orgc" : {
"name" : "CthulhuSPRL.be" ,
"uuid" : "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#33FF00" ,
"local" : "0" ,
"name" : "tlp:green" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e200" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Turla Group\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826680" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54bf5a78-e410-48e5-a257-419f950d210b" ,
"value" : "https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826723" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aa3-f5f8-4cbb-a0b4-6ec8950d210b" ,
"value" : "Cobra"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826724" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aa4-a808-4ae9-b975-6ec8950d210b" ,
"value" : "Agent.BTZ"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826724" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aa4-8258-4f24-b1ce-6ec8950d210b" ,
"value" : "Carbon"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826724" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aa4-0be8-4cf6-acca-6ec8950d210b" ,
"value" : "Uroburos"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826746" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aba-42a0-4bd9-99e1-46e6950d210b" ,
"value" : "Snake"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826746" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5aba-b358-43b9-9afe-407a950d210b" ,
"value" : "Turla"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826769" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "54bf5ad1-8da0-4ac9-9e20-7511950d210b" ,
"value" : "cb1b68d9971c2353c2d6a8119c49b51f"
} ,
{
"category" : "Antivirus detection" ,
"comment" : "Gdata" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826816" ,
"to_ids" : true ,
"type" : "text" ,
"uuid" : "54bf5b00-3a30-4dad-9a2f-9372950d210b" ,
"value" : "Backdoor.TurlaCarbon.A"
} ,
{
"category" : "Antivirus detection" ,
"comment" : "Gdata" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826816" ,
"to_ids" : true ,
"type" : "text" ,
"uuid" : "54bf5b00-7080-42c5-848d-9372950d210b" ,
"value" : "Win32.Trojan.Cobra.B"
} ,
{
"category" : "Attribution" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826841" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "54bf5b19-b504-45c0-8440-4553950d210b" ,
"value" : "f:\\Workshop\\Projects\\cobra\\carbon_system\\x64\\Release\\carbon_system.pdb"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Randomly chosen from one of the three" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826889" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5b49-57c4-4b9c-a422-ed9b950d210b" ,
"value" : "ipvpn.dll"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Randomly chosen from one of the three" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826889" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5b49-edc8-462c-b987-ed9b950d210b" ,
"value" : "srsvc.dll"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Randomly chosen from one of the three" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421826889" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5b49-7968-4324-88e0-ed9b950d210b" ,
"value" : "kmsvc.dll"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827005" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "54bf5bbd-c090-4d32-b2a9-4199950d210b" ,
"value" : "Service names randomly chosen to match the dropped files among: ipvpn, srservice and hkmsvc.\r\nService display names and service descriptions are available in the blog post."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827017" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "54bf5bc9-adb0-4fa7-9f0b-6011950d210b" ,
"value" : "Data entered by David Andr\u00e9"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827084" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "54bf5c0c-b3d4-4a26-8d42-96f9950d210b" ,
"value" : "43e896ede6fe025ee90f7f27c6d376a4"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827101" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "54bf5c1d-15b8-4343-87d8-409e950d210b" ,
"value" : "e6d1dcc6c2601e592f2b03f35b06fa8f"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827145" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c49-46f8-4ffc-a42c-7080950d210b" ,
"value" : "Global\\MSCTF.Shared.MUTEX.zRX"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827145" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c49-0f14-4709-90a7-7080950d210b" ,
"value" : "Global\\DBWindowsBase"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827146" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c4a-55a4-4bdf-b979-7080950d210b" ,
"value" : "Global\\IEFrame.LockDefaultBrowser"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827146" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c4a-be70-468d-9116-7080950d210b" ,
"value" : "Global\\WinSta0_DesktopSessionMut"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827146" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c4a-84fc-40f9-8964-7080950d210b" ,
"value" : "Global\\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827146" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c4a-6a00-40cb-ae26-7080950d210b" ,
"value" : "Global\\SENS.LockStarterCacheResource"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827146" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "54bf5c4a-c754-4726-b5bc-7080950d210b" ,
"value" : "Global\\ShimSharedMemoryLock"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-cb10-4624-99c0-6ec8950d210b" ,
"value" : "bootmisc.sdi"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-09b4-46b4-90b0-6ec8950d210b" ,
"value" : "C_56743.NLS"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-d088-4afa-94cc-6ec8950d210b" ,
"value" : "b9s3coff.ax"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-6ee0-49ba-b47c-6ec8950d210b" ,
"value" : "a67ncodc.ax"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-5574-4298-a0f0-6ec8950d210b" ,
"value" : "vndkrmn.dic"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-7214-4418-bc8b-6ec8950d210b" ,
"value" : "qavsrc.dat"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-06a0-462b-9659-6ec8950d210b" ,
"value" : "miniport.dat"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-bd70-4db0-aa40-6ec8950d210b" ,
"value" : "asmcerts.rs"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827225" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "54bf5c99-71dc-4d6f-9040-6ec8950d210b" ,
"value" : "getcert.rs"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate compromised websites running a previously vulnerable WordPress. All patched and cleaned up at blog post publication time." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827375" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5ce1-a618-4841-a6fb-4617950d210b" ,
"value" : "soheylistore.ir"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate compromised websites running a previously vulnerable WordPress. All patched and cleaned up at blog post publication time." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827375" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5ce1-7a38-453c-a2e5-477d950d210b" ,
"value" : "tazohor.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate compromised websites running a previously vulnerable WordPress. All patched and cleaned up at blog post publication time." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827375" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5ce2-8e2c-43bf-bf02-475d950d210b" ,
"value" : "jucheafrica.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Legitimate compromised websites running a previously vulnerable WordPress. All patched and cleaned up at blog post publication time." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827375" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5ce2-e228-40c9-9a18-4d75950d210b" ,
"value" : "61paris.fr"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827440" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "54bf5d70-d930-4f50-b42a-4b37950d210b" ,
"value" : "554450c1ecb925693fedbb9e56702646"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827483" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9b-c570-4280-a5ac-96f9950d210b" ,
"value" : "www.google.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827483" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9b-5330-46fe-82f5-96f9950d210b" ,
"value" : "www.yahoo.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827483" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9b-264c-4cd3-8c19-96f9950d210b" ,
"value" : "www.bing.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827483" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9b-3e8c-4493-a6a9-96f9950d210b" ,
"value" : "update.microsoft.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827483" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9b-1a7c-4995-b9e6-96f9950d210b" ,
"value" : "windowsupdate.microsoft.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Internet connectivity check" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827484" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "54bf5d9c-f77c-4060-bfac-96f9950d210b" ,
"value" : "microsoft.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Could be used to create an IDS signature" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421827547" ,
"to_ids" : false ,
"type" : "url" ,
"uuid" : "54bf5ddb-dcb0-4a9b-985d-9372950d210b" ,
"value" : "http://%s/%s?uid=%d&context=%s&mode=text&data=%s"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421829866" ,
"to_ids" : true ,
"type" : "named pipe" ,
"uuid" : "54bf66ea-a4f0-4c7c-8142-6ec8950d210b" ,
"value" : "\\\\.\\\\pipe\\sdlrpc"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1421829866" ,
"to_ids" : true ,
"type" : "named pipe" ,
"uuid" : "54bf66ea-06bc-4544-b7bb-6ec8950d210b" ,
"value" : "\\\\.\\\\pipe\\comnap"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via 554450c1ecb925693fedbb9e56702646)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836158" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c64bfe-ca00-4d5c-99d4-59a3950d210f" ,
"value" : "7ce746bb988cb3b7e64f08174bdb02938555ea53"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via e6d1dcc6c2601e592f2b03f35b06fa8f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836160" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c64c00-b428-41ae-965e-5f51950d210f" ,
"value" : "7c43f5df784bf50423620d8f1c96e43d8d9a9b28"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via 43e896ede6fe025ee90f7f27c6d376a4)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836161" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c64c01-4688-443b-a26e-481c950d210f" ,
"value" : "a28164de29e51f154be12d163ce5818fceb69233"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via cb1b68d9971c2353c2d6a8119c49b51f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836163" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c64c03-ce3c-42b8-8261-59a1950d210f" ,
"value" : "cbde204e7641830017bb84b89223131b2126bc46"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via 554450c1ecb925693fedbb9e56702646)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836159" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c64bff-85c8-4610-a8b5-c650950d210f" ,
"value" : "8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via e6d1dcc6c2601e592f2b03f35b06fa8f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836160" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c64c00-0b84-4a87-9ba0-5ca1950d210f" ,
"value" : "ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via 43e896ede6fe025ee90f7f27c6d376a4)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836162" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c64c02-d8ec-49fd-a075-4318950d210f" ,
"value" : "1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Automatically added (via cb1b68d9971c2353c2d6a8119c49b51f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455836164" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c64c04-26b4-4bca-973a-4d72950d210f" ,
"value" : "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122"
}
]
}
}