{
"Event" : {
"analysis" : "0" ,
"date" : "2019-07-16" ,
"extends_uuid" : "" ,
"info" : "OSINT - Turla renews its arsenal with Topinambour" ,
"publish_timestamp" : "1563341597" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1563341373" ,
"uuid" : "5d2deea3-eea0-41ea-91bf-4a8b950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#065100" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Turla\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563291330" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5d2deec2-d68c-42e1-a113-431a950d210f" ,
"value" : "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-77e8-4b3d-b76a-4c24950d210f" ,
"value" : "197.168.0.73"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-b090-4e59-8fc4-48b0950d210f" ,
"value" : "197.168.0.98"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-28d4-4104-8899-49ea950d210f" ,
"value" : "197.168.0.212"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-81a0-42fb-89ea-409c950d210f" ,
"value" : "197.168.0.243"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-4220-4c52-8f69-495d950d210f" ,
"value" : "197.168.0.247"
} ,
{
"category" : "Network activity" ,
"comment" : "VPSs used as control servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340553" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5d2eaf09-8e14-4a01-9196-4f4a950d210f" ,
"value" : "197.168.0.250"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340574" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1e-1780-4e3d-926d-6909950d210f" ,
"value" : "47870ff98164155f088062c95c448783"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-3464-4f4f-8bc8-6909950d210f" ,
"value" : "2c1e73da56f4da619c4c53b521404874"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-1ef8-49ac-80b4-6909950d210f" ,
"value" : "6acf316fed472300fa50db54fa6f3cbc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-88a4-4b9d-9f9f-6909950d210f" ,
"value" : "9573f452004b16eabd20fa65a6c2c1c4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-fc50-4986-82ae-6909950d210f" ,
"value" : "3772a34d1b731697e2879bef54967332"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-5a48-49a2-aedd-6909950d210f" ,
"value" : "d967d96ea5d0962e08844d140c2874e0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-3874-40d8-ac02-6909950d210f" ,
"value" : "a80bbd753c07512b31ab04bd5e3324c2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-cb24-4c0e-801b-6909950d210f" ,
"value" : "37dc2eb8ee56aeba4dbd4cf46f87ae9a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Some campaign-related hashes" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1563340575" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5d2eaf1f-c4e0-4dd9-9522-6909950d210f" ,
"value" : "710f729ab26f058f2dbf08664edb3986"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s)." ,
"meta-category" : "misc" ,
"name" : "credential" ,
"template_uuid" : "a27e98c9-9b0e-414c-8076-d201e039ca09" ,
"template_version" : "3" ,
"timestamp" : "1563340906" ,
"uuid" : "5d2eb06a-8388-4e76-860a-48fb950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "notification" ,
"timestamp" : "1563340906" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb06a-5558-4ee2-becb-4bfd950d210f" ,
"value" : "none"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "origin" ,
"timestamp" : "1563340906" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb06a-0620-40cf-a658-47e4950d210f" ,
"value" : "malware-analysis"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1563340906" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb06a-3a84-4bf3-a0ef-4b21950d210f" ,
"value" : "encryption-key"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "password" ,
"timestamp" : "1563340906" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb06a-dcf8-4b20-9da6-4a5d950d210f" ,
"value" : "01a8cbd328df18fd49965d68e2879433"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1563340907" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb06b-cd84-4c28-8384-4d75950d210f" ,
"value" : "RC4 encription - JavaScript KopiLuwak - \u00e2\u20ac\u0153bYVAoFGJKj7rfs1M\u00e2\u20ac\u009d plus hash based upon Windows installation date"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s)." ,
"meta-category" : "misc" ,
"name" : "credential" ,
"template_uuid" : "a27e98c9-9b0e-414c-8076-d201e039ca09" ,
"template_version" : "3" ,
"timestamp" : "1563341019" ,
"uuid" : "5d2eb0db-d6d4-49a4-9422-4326950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "notification" ,
"timestamp" : "1563341019" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb0db-4520-4026-8925-408b950d210f" ,
"value" : "none"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "origin" ,
"timestamp" : "1563341019" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb0db-dbbc-4124-a078-4d06950d210f" ,
"value" : "malware-analysis"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1563341019" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb0db-7a94-4183-9388-4782950d210f" ,
"value" : "encryption-key"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "password" ,
"timestamp" : "1563341019" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb0db-1240-4869-a720-4b49950d210f" ,
"value" : "TrumpTower"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1563341019" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb0db-429c-4c89-aaa8-45af950d210f" ,
"value" : "RC4 encryption - .NET"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s)." ,
"meta-category" : "misc" ,
"name" : "credential" ,
"template_uuid" : "a27e98c9-9b0e-414c-8076-d201e039ca09" ,
"template_version" : "3" ,
"timestamp" : "1563341092" ,
"uuid" : "5d2eb124-24ac-46d9-b0b6-4f90950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "notification" ,
"timestamp" : "1563341092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb124-f908-474e-8674-433b950d210f" ,
"value" : "none"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "origin" ,
"timestamp" : "1563341092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb124-ab4c-49ac-9468-4791950d210f" ,
"value" : "malware-analysis"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1563341092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb124-1bb4-45a5-a0e8-4c53950d210f" ,
"value" : "encryption-key"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "password" ,
"timestamp" : "1563341092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb124-2b58-4cce-b185-4d29950d210f" ,
"value" : "TimesNewRoman"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1563341092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb124-2eac-4bd2-ac56-41ae950d210f" ,
"value" : "RC4 - PowerShell"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata." ,
"meta-category" : "network" ,
"name" : "url" ,
"template_uuid" : "60efb77b-40b5-4c46-871b-ed1ed999fce5" ,
"template_version" : "7" ,
"timestamp" : "1563341373" ,
"uuid" : "5d2eb23d-dd60-4a91-9c0c-6bc1950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "text" ,
"timestamp" : "1563341373" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb23d-e684-48f4-a34f-6bc1950d210f" ,
"value" : "The malware communicates with a legitimate compromised WordPress-based website and gets four byte length commands from URL like \u00e2\u20ac\u0153http://<legitimate domain>/wp-includes/Requests/Socks.php\u00e2\u20ac\u009d."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "scheme" ,
"timestamp" : "1563341373" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb23d-b148-4154-8d6c-6bc1950d210f" ,
"value" : "http"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "resource_path" ,
"timestamp" : "1563341373" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5d2eb23d-8210-4082-9621-6bc1950d210f" ,
"value" : "wp-includes/Requests/Socks.ph"
}
]
}
]
}
}