{ "type": "bundle", "id": "bundle--5aa63cdc-2e9c-4621-8499-4c47950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:46:43.000Z", "modified": "2018-03-12T08:46:43.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5aa63cdc-2e9c-4621-8499-4c47950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:46:43.000Z", "modified": "2018-03-12T08:46:43.000Z", "name": "OSINT - Turla Nautilus Implant", "published": "2018-03-12T08:47:45Z", "object_refs": [ "observed-data--5aa63d2c-9dcc-40a0-95a7-4b0d950d210f", "url--5aa63d2c-9dcc-40a0-95a7-4b0d950d210f", "indicator--5aa63d3e-e47c-4856-9084-4e77950d210f", "indicator--5aa63d54-b08c-49c6-a9ae-409c950d210f", "observed-data--5aa63d6c-fa70-4259-b59c-4fcd950d210f", "url--5aa63d6c-fa70-4259-b59c-4fcd950d210f", "x-misp-object--5aa63dd2-e3dc-45d0-b0dc-4c65950d210f", "indicator--ac04d932-cbe1-441e-82dc-9c9cb4703445", "x-misp-object--8c91f218-7e54-4698-9338-efd8d3842a1b", "relationship--5e03857f-169a-4f64-9dc8-2e3b6ff44c24" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "admiralty-scale:source-reliability=\"f\"", "misp-galaxy:mitre-entreprise-attack-intrusion-set=\"Turla\"", "misp-galaxy:tool=\"Wipbot\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa63d2c-9dcc-40a0-95a7-4b0d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:45:03.000Z", "modified": "2018-03-12T08:45:03.000Z", "first_observed": "2018-03-12T08:45:03Z", "last_observed": "2018-03-12T08:45:03Z", "number_observed": 1, "object_refs": [ "url--5aa63d2c-9dcc-40a0-95a7-4b0d950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa63d2c-9dcc-40a0-95a7-4b0d950d210f", "value": "https://mobile.twitter.com/DrunkBinary/status/972946982141603841" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa63d3e-e47c-4856-9084-4e77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:41:34.000Z", "modified": "2018-03-12T08:41:34.000Z", "description": "Turla Nautilus", "pattern": "[file:hashes.SHA256 = 'f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T08:41:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa63d54-b08c-49c6-a9ae-409c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:45:03.000Z", "modified": "2018-03-12T08:45:03.000Z", "description": "Appears to contact", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.20.189.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T08:45:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa63d6c-fa70-4259-b59c-4fcd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:45:04.000Z", "modified": "2018-03-12T08:45:04.000Z", "first_observed": "2018-03-12T08:45:04Z", "last_observed": "2018-03-12T08:45:04Z", "number_observed": 1, "object_refs": [ "url--5aa63d6c-fa70-4259-b59c-4fcd950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa63d6c-fa70-4259-b59c-4fcd950d210f", "value": "https://www.reverse.it/sample/f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db?environmentId=120" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5aa63dd2-e3dc-45d0-b0dc-4c65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:44:02.000Z", "modified": "2018-03-12T08:44:02.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "What appears to be an actually new sample of the Turla Nautilus Implant\r\n f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db", "category": "Other", "uuid": "5aa63dd2-2844-4794-8565-488f950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5aa63dd3-715c-400a-b730-43a3950d210f" }, { "type": "url", "object_relation": "url", "value": "https://mobile.twitter.com/DrunkBinary/status/972946982141603841", "category": "External analysis", "to_ids": true, "uuid": "5aa63dd3-0f8c-49c5-bda3-4a94950d210f" }, { "type": "text", "object_relation": "username", "value": "DrunkBinary", "category": "Other", "uuid": "5aa63dd3-b8b0-410e-98d1-4787950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ac04d932-cbe1-441e-82dc-9c9cb4703445", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:45:07.000Z", "modified": "2018-03-12T08:45:07.000Z", "pattern": "[file:hashes.MD5 = 'f58bdc5edfa14e23164fd00569b3db3f' AND file:hashes.SHA1 = '04b0ed6e26b7ec4140cb9535771207802b0c0463' AND file:hashes.SHA256 = 'f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T08:45:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8c91f218-7e54-4698-9338-efd8d3842a1b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T08:45:06.000Z", "modified": "2018-03-12T08:45:06.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db/analysis/1520818696/", "category": "External analysis", "comment": "Turla Nautilus", "uuid": "5aa63e12-8758-4399-96d9-485b02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "13/63", "category": "Other", "comment": "Turla Nautilus", "uuid": "5aa63e12-e6fc-4a8f-96d4-400502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-12T01:38:16", "category": "Other", "comment": "Turla Nautilus", "uuid": "5aa63e12-f7b8-4cf5-b48a-47e402de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5e03857f-169a-4f64-9dc8-2e3b6ff44c24", "created": "2018-03-12T08:45:06.000Z", "modified": "2018-03-12T08:45:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--ac04d932-cbe1-441e-82dc-9c9cb4703445", "target_ref": "x-misp-object--8c91f218-7e54-4698-9338-efd8d3842a1b" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }