misp-circl-feed/feeds/circl/misp/5d2deea3-eea0-41ea-91bf-4a8b950d210f.json

509 lines
16 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "0",
"date": "2019-07-16",
"extends_uuid": "",
"info": "OSINT - Turla renews its arsenal with Topinambour",
"publish_timestamp": "1563341597",
"published": true,
"threat_level_id": "3",
"timestamp": "1563341373",
"uuid": "5d2deea3-eea0-41ea-91bf-4a8b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#065100",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:tool=\"Turla\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#004646",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0087e8",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563291330",
"to_ids": false,
"type": "link",
"uuid": "5d2deec2-d68c-42e1-a113-431a950d210f",
"value": "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-77e8-4b3d-b76a-4c24950d210f",
"value": "197.168.0.73"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-b090-4e59-8fc4-48b0950d210f",
"value": "197.168.0.98"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-28d4-4104-8899-49ea950d210f",
"value": "197.168.0.212"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-81a0-42fb-89ea-409c950d210f",
"value": "197.168.0.243"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-4220-4c52-8f69-495d950d210f",
"value": "197.168.0.247"
},
{
"category": "Network activity",
"comment": "VPSs used as control servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340553",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d2eaf09-8e14-4a01-9196-4f4a950d210f",
"value": "197.168.0.250"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340574",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1e-1780-4e3d-926d-6909950d210f",
"value": "47870ff98164155f088062c95c448783"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-3464-4f4f-8bc8-6909950d210f",
"value": "2c1e73da56f4da619c4c53b521404874"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-1ef8-49ac-80b4-6909950d210f",
"value": "6acf316fed472300fa50db54fa6f3cbc"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-88a4-4b9d-9f9f-6909950d210f",
"value": "9573f452004b16eabd20fa65a6c2c1c4"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-fc50-4986-82ae-6909950d210f",
"value": "3772a34d1b731697e2879bef54967332"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-5a48-49a2-aedd-6909950d210f",
"value": "d967d96ea5d0962e08844d140c2874e0"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-3874-40d8-ac02-6909950d210f",
"value": "a80bbd753c07512b31ab04bd5e3324c2"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-cb24-4c0e-801b-6909950d210f",
"value": "37dc2eb8ee56aeba4dbd4cf46f87ae9a"
},
{
"category": "Payload delivery",
"comment": "Some campaign-related hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1563340575",
"to_ids": true,
"type": "md5",
"uuid": "5d2eaf1f-c4e0-4dd9-9522-6909950d210f",
"value": "710f729ab26f058f2dbf08664edb3986"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"name": "credential",
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
"template_version": "3",
"timestamp": "1563340906",
"uuid": "5d2eb06a-8388-4e76-860a-48fb950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "notification",
"timestamp": "1563340906",
"to_ids": false,
"type": "text",
"uuid": "5d2eb06a-5558-4ee2-becb-4bfd950d210f",
"value": "none"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "origin",
"timestamp": "1563340906",
"to_ids": false,
"type": "text",
"uuid": "5d2eb06a-0620-40cf-a658-47e4950d210f",
"value": "malware-analysis"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "type",
"timestamp": "1563340906",
"to_ids": false,
"type": "text",
"uuid": "5d2eb06a-3a84-4bf3-a0ef-4b21950d210f",
"value": "encryption-key"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "password",
"timestamp": "1563340906",
"to_ids": false,
"type": "text",
"uuid": "5d2eb06a-dcf8-4b20-9da6-4a5d950d210f",
"value": "01a8cbd328df18fd49965d68e2879433"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1563340907",
"to_ids": false,
"type": "text",
"uuid": "5d2eb06b-cd84-4c28-8384-4d75950d210f",
"value": "RC4 encription - JavaScript KopiLuwak - \u00e2\u20ac\u0153bYVAoFGJKj7rfs1M\u00e2\u20ac\u009d plus hash based upon Windows installation date"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"name": "credential",
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
"template_version": "3",
"timestamp": "1563341019",
"uuid": "5d2eb0db-d6d4-49a4-9422-4326950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "notification",
"timestamp": "1563341019",
"to_ids": false,
"type": "text",
"uuid": "5d2eb0db-4520-4026-8925-408b950d210f",
"value": "none"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "origin",
"timestamp": "1563341019",
"to_ids": false,
"type": "text",
"uuid": "5d2eb0db-dbbc-4124-a078-4d06950d210f",
"value": "malware-analysis"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "type",
"timestamp": "1563341019",
"to_ids": false,
"type": "text",
"uuid": "5d2eb0db-7a94-4183-9388-4782950d210f",
"value": "encryption-key"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "password",
"timestamp": "1563341019",
"to_ids": false,
"type": "text",
"uuid": "5d2eb0db-1240-4869-a720-4b49950d210f",
"value": "TrumpTower"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1563341019",
"to_ids": false,
"type": "text",
"uuid": "5d2eb0db-429c-4c89-aaa8-45af950d210f",
"value": "RC4 encryption - .NET"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"name": "credential",
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
"template_version": "3",
"timestamp": "1563341092",
"uuid": "5d2eb124-24ac-46d9-b0b6-4f90950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "notification",
"timestamp": "1563341092",
"to_ids": false,
"type": "text",
"uuid": "5d2eb124-f908-474e-8674-433b950d210f",
"value": "none"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "origin",
"timestamp": "1563341092",
"to_ids": false,
"type": "text",
"uuid": "5d2eb124-ab4c-49ac-9468-4791950d210f",
"value": "malware-analysis"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "type",
"timestamp": "1563341092",
"to_ids": false,
"type": "text",
"uuid": "5d2eb124-1bb4-45a5-a0e8-4c53950d210f",
"value": "encryption-key"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "password",
"timestamp": "1563341092",
"to_ids": false,
"type": "text",
"uuid": "5d2eb124-2b58-4cce-b185-4d29950d210f",
"value": "TimesNewRoman"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1563341092",
"to_ids": false,
"type": "text",
"uuid": "5d2eb124-2eac-4bd2-ac56-41ae950d210f",
"value": "RC4 - PowerShell"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "7",
"timestamp": "1563341373",
"uuid": "5d2eb23d-dd60-4a91-9c0c-6bc1950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1563341373",
"to_ids": false,
"type": "text",
"uuid": "5d2eb23d-e684-48f4-a34f-6bc1950d210f",
"value": "The malware communicates with a legitimate compromised WordPress-based website and gets four byte length commands from URL like \u00e2\u20ac\u0153http://<legitimate domain>/wp-includes/Requests/Socks.php\u00e2\u20ac\u009d."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1563341373",
"to_ids": false,
"type": "text",
"uuid": "5d2eb23d-b148-4154-8d6c-6bc1950d210f",
"value": "http"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1563341373",
"to_ids": false,
"type": "text",
"uuid": "5d2eb23d-8210-4082-9621-6bc1950d210f",
"value": "wp-includes/Requests/Socks.ph"
}
]
}
]
}
}