{
"Event": {
"analysis": "0",
"date": "2018-08-17",
"extends_uuid": "",
"info": "Turla Outlook White Paper",
"publish_timestamp": "1668553629",
"published": true,
"threat_level_id": "1",
"timestamp": "1668551496",
"uuid": "5b773e07-e694-458b-b99c-27f30a016219",
"Orgc": {
"name": "ESET",
"uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f"
},
"Tag": [
{
"colour": "#12e200",
"name": "misp-galaxy:threat-actor=\"Turla Group\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Email Collection\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Component Object Model Hijacking - T1122\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#9d6800",
"name": "cert-ist:threat_targeted_sector=\"Academic and Research\""
},
{
"colour": "#986400",
"name": "cert-ist:threat_targeted_sector=\"Gov\""
},
{
"colour": "#e49600",
"name": "cert-ist:threat_targeted_region=\"Western Europe\""
},
{
"colour": "#fea700",
"name": "cert-ist:enriched"
},
{
"colour": "#372500",
"name": "cert-ist:ioc_accuracy=\"medium\""
},
{
"colour": "#3c2700",
"name": "cert-ist:threat_level=\"medium\""
},
{
"colour": "#f8a400",
"name": "cert-ist:threat_type=\"apt\""
},
{
"colour": "#FFC000",
"name": "tlp:amber"
},
{
"colour": "#ff0000",
"name": "BR_CTI_Investigar"
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534805111",
"to_ids": false,
"type": "filename",
"uuid": "5b773e89-9738-4bbb-90bc-2fb20a016219",
"value": "%appdata%\\Microsoft\\Windows\\scawrdot.db"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534805102",
"to_ids": false,
"type": "filename",
"uuid": "5b773e89-7e14-4280-9249-2fb20a016219",
"value": "%appdata%\\Microsoft\\Windows\\flobcsnd.dat"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534541449",
"to_ids": false,
"type": "filename",
"uuid": "5b773e89-4934-4d34-be4c-2fb20a016219",
"value": "mapid.tlb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534541449",
"to_ids": false,
"type": "filename",
"uuid": "5b773e89-1e7c-48d3-a6cb-2fb20a016219",
"value": "msmime.dll"
},
{
"category": "Persistence mechanism",
"comment": "COM hijacking",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534541549",
"to_ids": false,
"type": "regkey",
"uuid": "5b773eed-662c-4150-b6ef-2fb10a016219",
"value": "HKCU\\Software\\Classes\\CLSID\\{49CBB1C7-97D1-485A-9EC1-A26065633066}"
},
{
"category": "Persistence mechanism",
"comment": "COM hijacking",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534541549",
"to_ids": false,
"type": "regkey",
"uuid": "5b773eed-6158-4680-941f-2fb10a016219",
"value": "HKCU\\Software\\Classes\\CLSID\\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}"
},
{
"category": "Artifacts dropped",
"comment": "Virtual File System",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534541580",
"to_ids": false,
"type": "regkey",
"uuid": "5b773f0c-07c4-4a31-b191-2fb20a016219",
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Settings\\ZonePolicy\\"
},
{
"category": "External analysis",
"comment": "White Paper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1534881925",
"to_ids": false,
"type": "url",
"uuid": "5b7c7085-9658-46bf-afdc-59530a016219",
"value": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535462367",
"to_ids": false,
"type": "link",
"uuid": "5b854bdf-32a4-4f17-8bab-32abc0a8ab16",
"value": "https://github.com/eset/malware-ioc/tree/master/turla"
},
{
"category": "External analysis",
"comment": "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1535632135",
"to_ids": false,
"type": "attachment",
"uuid": "5b87e307-7618-4378-ba96-4abb9f590eb0",
"value": "Eset-Turla-Outlook-Backdoor.pdf"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355608",
"to_ids": true,
"type": "yara",
"uuid": "5b83aad8-f964-4899-9743-7267d5388438",
"value": "rule turla_outlook_log { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"First bytes of the encrypted Turla Outlook logs\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //Log begin: [...] TVer $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} condition: $s1 at 0 }"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355614",
"to_ids": true,
"type": "yara",
"uuid": "5b83aade-d508-4f29-9577-7267d5388438",
"value": "rule outlook_misty1 { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detects the Turla MISTY1 implementation\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: //and edi, 1FFh $o1 = {81 E7 FF 01 00 00} //shl ecx, 9 $s1 = {C1 E1 09} //xor ax, si $s2 = {66 33 C6} //shr eax, 7 $s3 = {C1 E8 07} $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} condition: $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] -500 ..@o1[i] + 500))) }"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355619",
"to_ids": true,
"type": "yara",
"uuid": "5b83aae3-1b28-417a-90e4-7267d5388438",
"value": "rule turla_outlook_gen { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Outlook\" ascii wide $s2 = \"Outlook Express\" ascii wide $s3 = \"Outlook watchdog\" ascii wide $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide $s5 = \"Mail Event Window\" ascii wide $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide $s9 = \"rctrl_renwnd32\" ascii wide $s10 = \"NetUIHWND\" ascii wide $s11 = \"homePostalAddress\" ascii wide $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide $s14 = \"IPM.Note\" ascii wide $s15 = \"MAPILogonEx\" ascii wide $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide $s17 = \"PowerShellRunner.dll\" ascii wide $s18 = \"cmd container\" ascii wide $s19 = \"mapid.tlb\" ascii wide nocase $s20 = \"Content-Type: F)*+\" ascii wide fullword condition: 5 of them }"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355624",
"to_ids": true,
"type": "yara",
"uuid": "5b83aae8-5a50-4714-b5ba-7267d5388438",
"value": "import \"pe\"rule turla_outlook_exports { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Export names of Turla Outlook Malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" condition: (pe.exports(\"install\") or pe.exports(\"Install\")) and pe.exports(\"TBP_Initialize\") and pe.exports(\"TBP_Finalize\") and pe.exports(\"TBP_GetName\") and pe.exports(\"DllRegisterServer\") and pe.exports(\"DllGetClassObject\") }"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355630",
"to_ids": true,
"type": "yara",
"uuid": "5b83aaee-6008-4818-a291-7267d5388438",
"value": "rule turla_outlook_filenames { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Turla Outlook filenames\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"mapid.tlb\" $s2 = \"msmime.dll\" $s3 = \"scawrdot.db\" condition: any of them }"
},
{
"category": "Artifacts dropped",
"comment": "Merged from event 11961",
"deleted": false,
"disable_correlation": false,
"timestamp": "1535355635",
"to_ids": true,
"type": "yara",
"uuid": "5b83aaf3-23b4-4a0e-8ceb-7267d5388438",
"value": "rule turla_outlook_pdf { meta: author = \"ESET Research\" date = \"22-08-2018\" description = \"Detect PDF documents generated by Turla Outlook malware\" reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" source = \"https://github.com/eset/malware-ioc/\" contact = \"github@eset.com\" license = \"BSD 2-Clause\" strings: $s1 = \"Adobe PDF Library 9.0\" ascii wide nocase $s2 = \"Acrobat PDFMaker 9.0\" ascii wide nocase $s3 = {FF D8 FF E0 00 10 4A 46 49 46} $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} $s5 = \"W5M0MpCehiHzreSzNTczkc9d\" ascii wide nocase $s6 = \"PDF-1.4\" ascii wide nocase condition: 5 of them }"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack name",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355825",
"to_ids": false,
"type": "text",
"uuid": "5b83abb1-2524-4295-9eee-7268d5388438",
"value": "Turla"
},
{
"category": "External analysis",
"comment": "Cert-IST External link",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355825",
"to_ids": false,
"type": "link",
"uuid": "5b83abb1-76b4-4b70-80bd-10f2d5388438",
"value": "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-7e1c-4cfa-8c10-10a6d5388438",
"value": "Snake"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-9420-4692-aa94-10f4d5388438",
"value": "Uroburos"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-6450-4242-908f-7265d5388438",
"value": "Venomous Bear"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-409c-4018-bfbc-7267d5388438",
"value": "KRYPTON"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-4064-4b38-b5d7-726ad5388438",
"value": "Waterbug"
},
{
"category": "External analysis",
"comment": "Cert-IST Attack Alias",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-90ec-47c7-8869-10a7d5388438",
"value": "WhiteBear"
},
{
"category": "External analysis",
"comment": "Cert-IST Description",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-5c5c-411d-a011-726bd5388438",
"value": "These IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017.\r\n\r\nThe extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer."
},
{
"category": "External analysis",
"comment": "Cert-IST Malware Name",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355826",
"to_ids": false,
"type": "comment",
"uuid": "5b83abb2-45e0-4bf4-8ad2-0968d5388438",
"value": "Outlook"
},
{
"category": "Targeting data",
"comment": "Cert-IST Targeted Country",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355827",
"to_ids": false,
"type": "target-location",
"uuid": "5b83abb3-5430-49a6-b4cb-7268d5388438",
"value": "Germany"
},
{
"category": "Targeting data",
"comment": "Cert-IST Targeted Country",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355827",
"to_ids": false,
"type": "target-location",
"uuid": "5b83abb3-e5fc-480d-b4a6-10f2d5388438",
"value": "France"
},
{
"category": "Other",
"comment": "Cert-IST First Seen Date",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355827",
"to_ids": false,
"type": "datetime",
"uuid": "5b83abb3-39a4-4cb2-a08f-10a6d5388438",
"value": "2015-12-31T23:00:00+00:00"
},
{
"category": "Other",
"comment": "Cert-IST First Disclosed Date",
"deleted": false,
"disable_correlation": true,
"timestamp": "1535355827",
"to_ids": false,
"type": "datetime",
"uuid": "5b83abb3-7e7c-4c8f-a29f-10f4d5388438",
"value": "2018-08-21T22:00:00+00:00"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536139344",
"to_ids": false,
"type": "link",
"uuid": "5b8fa050-e5e8-424e-9b8d-07a7d5388438",
"value": "https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/"
}
],
"Object": [
{
"comment": "File 7009af646c6c3e6abc0af744152ca968",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1535632211",
"uuid": "dbbfc337-d1f9-462f-aca7-ddc30563ddd9",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1535632211",
"to_ids": false,
"type": "link",
"uuid": "84e013cb-ecaf-4f21-9ee8-796886e3454a",
"value": "https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1535632211",
"to_ids": false,
"type": "text",
"uuid": "31d8cb43-4506-45d0-93c0-0785a2394bbe",
"value": "48/65"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "comment",
"timestamp": "1535632211",
"to_ids": false,
"type": "text",
"uuid": "50384da0-f70b-4e0d-96cf-653a6bfe5c6d",
"value": "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28222) Detection: Trojan ( 00461fd31 )\r\nK7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 )\r\nTrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17963) Detection: Win32/Turla.N\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen\r\nBitDefender (7.2) Detection: Trojan.GenericKD.1592844\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.m!c\r\nAvast (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J)\r\nEndgame (3.0.1) Detection: No detection\r\nSophos (4.98.0) Detection: Troj/Turla-F\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.27\r\nVIPRE (69182) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: No detection\r\nMcAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.H\r\nJiangmin 
(16.0.100) Detection: Backdoor/Turla.b\r\nWebroot (1.0.0.403) Detection: W32.Trojan.GenKD\r\nAvira (8.3.3.6) Detection: TR/Rogue.290816.12\r\nMAX (2017.11.15.1) Detection: malware (ai score=83)\r\nAntiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric\r\nKingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud)\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAd-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir\r\nYandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU\r\nIkarus (0.1.5.2) Detection: Trojan.SuspectCRC\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.N!tr\r\nAVG (18.4.3895.0) Detection: Win32:Turla-P [Trj]\r\nPanda (4.6.4.2) Detection: Trj/Genetic.gen\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "last-submission",
"timestamp": "1535632211",
"to_ids": false,
"type": "datetime",
"uuid": "78651b01-2afe-40cb-b40d-a1e929df79b0",
"value": "2018-08-29T14:17:42"
}
]
},
{
"comment": "Backdoor DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1535632211",
"uuid": "8adddb25-84d0-4480-9221-68e2d85b6cba",
"ObjectReference": [
{
"comment": "Expanded with virustotal data",
"object_uuid": "8adddb25-84d0-4480-9221-68e2d85b6cba",
"referenced_uuid": "dbbfc337-d1f9-462f-aca7-ddc30563ddd9",
"relationship_type": "analysed-with",
"timestamp": "1615290675",
"uuid": "5b87e353-0e6c-4295-b5ca-4c4f9f590eb0"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1535632211",
"to_ids": true,
"type": "md5",
"uuid": "04ef56e8-d383-4896-b8da-38dc73c6433b",
"value": "7009af646c6c3e6abc0af744152ca968"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1535632211",
"to_ids": true,
"type": "sha1",
"uuid": "d1abb482-c179-40d6-b11c-870dbadd2ab7",
"value": "8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1535632211",
"to_ids": true,
"type": "sha256",
"uuid": "ad918b1b-4c0e-4cce-b05c-0ca7e0ec6e48",
"value": "e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b"
}
]
},
{
"comment": "File af8889f4705145d4390ee8d581f45436",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1535632268",
"uuid": "628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1535632268",
"to_ids": false,
"type": "link",
"uuid": "5ca9d215-5e2a-42c3-bea4-b66b2748f54e",
"value": "https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1535632268",
"to_ids": false,
"type": "text",
"uuid": "ff44d53e-022b-4782-ab44-0ac4df101a82",
"value": "44/65"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "comment",
"timestamp": "1535632268",
"to_ids": false,
"type": "text",
"uuid": "304c97d6-a81d-4b24-87b9-3b198f39a2bb",
"value": "Bkav (1.3.0.8876) Detection: No detection\r\nMicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: Trojan.Turla\r\nMcAfee (6.0.6.653) Detection: RDN/Generic.com\r\nCylance (2.3.1.101) Detection: Unsafe\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28228) Detection: Trojan ( 004fb2be1 )\r\nK7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 )\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.I\r\nSymantec (1.7.0.0) Detection: Trojan.Gen.2\r\nESET-NOD32 (17964) Detection: a variant of Win32/Turla.R\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nPaloalto (1.0) Detection: generic.ml\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0\r\nKaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak\r\nBitDefender (7.2) Detection: Trojan.Generic.21818445\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt\r\nViRobot (2014.3.20.0) Detection: No detection\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nTencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey\r\nAd-Aware (3.0.5.370) Detection: Trojan.Generic.21818445\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445\r\nDrWeb (7.0.33.6080) Detection: BackDoor.Turla.111\r\nVIPRE (69200) Detection: No detection\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com\r\nEmsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B)\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: 
No detection\r\nAvira (8.3.3.6) Detection: TR/AD.Turla.ckypp\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nMicrosoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C\r\nEndgame (3.0.1) Detection: No detection\r\nArcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D\r\nAegisLab (4.2) Detection: Trojan.Win32.Turla.4!c\r\nZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445\r\nTACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096\r\nAhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: No detection\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: BScope.Trojan.Bitrep\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nZoner (1.0) Detection: No detection\r\nRising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD)\r\nYandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: W32/Turla.AK!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nCrowdStrike (1.0) Detection: No detection\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "last-submission",
"timestamp": "1535632268",
"to_ids": false,
"type": "datetime",
"uuid": "5adce2fa-bb3d-4a93-b348-3da8877ae372",
"value": "2018-08-30T05:52:57"
}
]
},
{
"comment": "Backdoor DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1535632268",
"uuid": "46a74309-e65f-4fd7-b816-917ade7475c9",
"ObjectReference": [
{
"comment": "Expanded with virustotal data",
"object_uuid": "46a74309-e65f-4fd7-b816-917ade7475c9",
"referenced_uuid": "628b1eb2-aac1-4aa0-a89f-b2dc8752c3fd",
"relationship_type": "analysed-with",
"timestamp": "1615290675",
"uuid": "5b87e38d-e34c-4ddb-866a-56449f590eb0"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1535632268",
"to_ids": true,
"type": "md5",
"uuid": "ee9ee1a5-ec3f-4abc-9900-84243a5466c0",
"value": "af8889f4705145d4390ee8d581f45436"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1535632269",
"to_ids": true,
"type": "sha1",
"uuid": "52f15861-f1bd-4d93-8285-09558f3438c4",
"value": "cf943895684c6ff8d1e922a76b71a188cfb371d7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1535632269",
"to_ids": true,
"type": "sha256",
"uuid": "13ba97ae-2892-41a2-ab84-536ced0401f1",
"value": "6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f"
}
]
},
{
"comment": "Backdoor DLL",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1535632297",
"uuid": "cba9ad80-221b-4873-af6c-3a5e678f9a3b",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1535632297",
"to_ids": true,
"type": "sha1",
"uuid": "d0795a4d-3f92-4460-9182-0641e0d080a0",
"value": "851dffa6cd611dc70c9a0d5b487ff00bc3853f30"
}
]
},
{
"comment": "File ff8c3f362d7c9b9a19cfa09b4b3cfc75",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1535632321",
"uuid": "1da8705f-aa50-4400-b643-5912e7beb7f6",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1535632321",
"to_ids": false,
"type": "link",
"uuid": "18187d0c-367d-4bdd-903b-1535c3b6295c",
"value": "https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1535632321",
"to_ids": false,
"type": "text",
"uuid": "c9b90b46-8d03-4899-a721-3535cdbef578",
"value": "48/67"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "comment",
"timestamp": "1535632321",
"to_ids": false,
"type": "text",
"uuid": "56d584fc-bfc7-424a-b4ce-d5b46c612323",
"value": "Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10\r\nMicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575\r\nCMC (1.1.0.977) Detection: No detection\r\nCAT-QuickHeal (14.00) Detection: TrojanSpy.Agent\r\nMcAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C\r\nCylance (2.3.1.101) Detection: Unsafe\r\nZillya (2.0.0.3626) Detection: No detection\r\nTheHacker (6.8.0.5.3634) Detection: No detection\r\nK7GW (10.61.28216) Detection: Trojan ( 005097051 )\r\nK7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 )\r\nArcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F\r\nTrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18\r\nBaidu (1.0.0.2) Detection: No detection\r\nBabable (9107201) Detection: No detection\r\nCyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554\r\nSymantec (1.7.0.0) Detection: Trojan.Turla\r\nESET-NOD32 (17962) Detection: Win32/Turla.AW\r\nTrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18\r\nAvast (18.4.3895.0) Detection: Win32:Malware-gen\r\nClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1\r\nKaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe\r\nBitDefender (7.2) Detection: Gen:Variant.Zusy.258575\r\nNANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod\r\nViRobot (2014.3.20.0) Detection: No detection\r\nAegisLab (4.2) Detection: Troj.W32.Gen.lJ0K\r\nRising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD)\r\nAd-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575\r\nEmsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B)\r\nComodo (None) Detection: No detection\r\nF-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575\r\nDrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438\r\nVIPRE (69176) Detection: Trojan.Win32.Generic!BT\r\nInvincea (6.3.5.26121) Detection: heuristic\r\nMcAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc\r\nSophos (4.98.0) Detection: Mal/Generic-S\r\nSentinelOne (1.0.17.227) Detection: No detection\r\nF-Prot (4.7.1.166) Detection: W32/Turla.G\r\nJiangmin (16.0.100) Detection: No detection\r\nWebroot (1.0.0.403) Detection: No detection\r\nAvira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw\r\nAntiy-AVL (3.0.0.1) Detection: No detection\r\nKingsoft (2013.8.14.323) Detection: No detection\r\nEndgame (3.0.1) Detection: malicious (high confidence)\r\nMicrosoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn\r\nSUPERAntiSpyware (5.6.0.1032) Detection: No detection\r\nZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe\r\nAvast-Mobile (180828-12) Detection: No detection\r\nGData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575\r\nTACHYON (2018-08-29.02) Detection: No detection\r\nAhnLab-V3 (3.13.1.21616) Detection: No detection\r\nALYac (1.1.1.5) Detection: Trojan.Turla.Gen\r\nAVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT\r\nMAX (2017.11.15.1) Detection: malware (ai score=100)\r\nVBA32 (3.33.0) Detection: TrojanSpy.Agent\r\nMalwarebytes (2.1.1.1115) Detection: No detection\r\nPanda (4.6.4.2) Detection: Trj/GdSda.A\r\nZoner (1.0) Detection: No detection\r\nTencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye\r\nYandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA\r\nIkarus (0.1.5.2) Detection: Trojan.Win32.Turla\r\neGambit (None) Detection: No detection\r\nFortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr\r\nAVG (18.4.3895.0) Detection: Win32:Malware-gen\r\nCybereason (1.2.27) Detection: malicious.62d7c9\r\nPaloalto (1.0) Detection: generic.ml\r\nCrowdStrike (1.0) Detection: malicious_confidence_70% (D)\r\nQihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "last-submission",
"timestamp": "1535632321",
"to_ids": false,
"type": "datetime",
"uuid": "73940c69-6556-412e-915e-d7d1a07f205b",
"value": "2018-08-29T09:57:38"
}
]
},
{
"comment": "Dropper",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1535632321",
"uuid": "73bb4f5c-2b1c-40be-a290-1b5c585f226c",
"ObjectReference": [
{
"comment": "Expanded with virustotal data",
"object_uuid": "73bb4f5c-2b1c-40be-a290-1b5c585f226c",
"referenced_uuid": "1da8705f-aa50-4400-b643-5912e7beb7f6",
"relationship_type": "analysed-with",
"timestamp": "1615290675",
"uuid": "5b87e3c1-f3c0-429c-9c70-4ab79f590eb0"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1535632321",
"to_ids": true,
"type": "md5",
"uuid": "186f573b-10b7-4933-9570-6ce05f358444",
"value": "ff8c3f362d7c9b9a19cfa09b4b3cfc75"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1535632321",
"to_ids": true,
"type": "sha1",
"uuid": "c82b6c8e-89bf-4738-81b8-290eb6dd52b7",
"value": "f992abe8a67120667a01b88cd5bf11ca39d491a0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1535632321",
"to_ids": true,
"type": "sha256",
"uuid": "915c97f0-9d0e-4eb2-a6f0-8a21c23d0569",
"value": "881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867"
}
]
}
]
}
}