{ "Event": { "analysis": "0", "date": "2019-07-16", "extends_uuid": "", "info": "OSINT - Turla renews its arsenal with Topinambour", "publish_timestamp": "1563341597", "published": true, "threat_level_id": "3", "timestamp": "1563341373", "uuid": "5d2deea3-eea0-41ea-91bf-4a8b950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"", "relationship_type": "" }, { "colour": "#065100", "local": "0", "name": "misp-galaxy:tool=\"Turla\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1563291330", "to_ids": false, "type": "link", "uuid": "5d2deec2-d68c-42e1-a113-431a950d210f", "value": "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-77e8-4b3d-b76a-4c24950d210f", "value": "197.168.0.73" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-b090-4e59-8fc4-48b0950d210f", "value": "197.168.0.98" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-28d4-4104-8899-49ea950d210f", "value": "197.168.0.212" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-81a0-42fb-89ea-409c950d210f", "value": "197.168.0.243" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-4220-4c52-8f69-495d950d210f", "value": "197.168.0.247" }, { "category": "Network activity", "comment": "VPSs used as control servers", "deleted": false, "disable_correlation": false, "timestamp": "1563340553", "to_ids": true, "type": "ip-dst", "uuid": "5d2eaf09-8e14-4a01-9196-4f4a950d210f", "value": "197.168.0.250" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340574", "to_ids": true, "type": "md5", "uuid": "5d2eaf1e-1780-4e3d-926d-6909950d210f", "value": "47870ff98164155f088062c95c448783" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-3464-4f4f-8bc8-6909950d210f", "value": "2c1e73da56f4da619c4c53b521404874" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-1ef8-49ac-80b4-6909950d210f", "value": "6acf316fed472300fa50db54fa6f3cbc" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-88a4-4b9d-9f9f-6909950d210f", "value": "9573f452004b16eabd20fa65a6c2c1c4" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-fc50-4986-82ae-6909950d210f", "value": "3772a34d1b731697e2879bef54967332" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-5a48-49a2-aedd-6909950d210f", "value": "d967d96ea5d0962e08844d140c2874e0" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-3874-40d8-ac02-6909950d210f", "value": "a80bbd753c07512b31ab04bd5e3324c2" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-cb24-4c0e-801b-6909950d210f", "value": "37dc2eb8ee56aeba4dbd4cf46f87ae9a" }, { "category": "Payload delivery", "comment": "Some campaign-related hashes", "deleted": false, "disable_correlation": false, "timestamp": "1563340575", "to_ids": true, "type": "md5", "uuid": "5d2eaf1f-c4e0-4dd9-9522-6909950d210f", "value": "710f729ab26f058f2dbf08664edb3986" } ], "Object": [ { "comment": "", "deleted": false, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "name": "credential", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "template_version": "3", "timestamp": "1563340906", "uuid": "5d2eb06a-8388-4e76-860a-48fb950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "notification", "timestamp": "1563340906", "to_ids": false, "type": "text", "uuid": "5d2eb06a-5558-4ee2-becb-4bfd950d210f", "value": "none" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "origin", "timestamp": "1563340906", "to_ids": false, "type": "text", "uuid": "5d2eb06a-0620-40cf-a658-47e4950d210f", "value": "malware-analysis" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1563340906", "to_ids": false, "type": "text", "uuid": "5d2eb06a-3a84-4bf3-a0ef-4b21950d210f", "value": "encryption-key" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1563340906", "to_ids": false, "type": "text", "uuid": "5d2eb06a-dcf8-4b20-9da6-4a5d950d210f", "value": "01a8cbd328df18fd49965d68e2879433" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1563340907", "to_ids": false, "type": "text", "uuid": "5d2eb06b-cd84-4c28-8384-4d75950d210f", "value": "RC4 encription - JavaScript KopiLuwak - \u00e2\u20ac\u0153bYVAoFGJKj7rfs1M\u00e2\u20ac\u009d plus hash based upon Windows installation date" } ] }, { "comment": "", "deleted": false, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "name": "credential", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "template_version": "3", "timestamp": "1563341019", "uuid": "5d2eb0db-d6d4-49a4-9422-4326950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "notification", "timestamp": "1563341019", "to_ids": false, "type": "text", "uuid": "5d2eb0db-4520-4026-8925-408b950d210f", "value": "none" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "origin", "timestamp": "1563341019", "to_ids": false, "type": "text", "uuid": "5d2eb0db-dbbc-4124-a078-4d06950d210f", "value": "malware-analysis" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1563341019", "to_ids": false, "type": "text", "uuid": "5d2eb0db-7a94-4183-9388-4782950d210f", "value": "encryption-key" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1563341019", "to_ids": false, "type": "text", "uuid": "5d2eb0db-1240-4869-a720-4b49950d210f", "value": "TrumpTower" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1563341019", "to_ids": false, "type": "text", "uuid": "5d2eb0db-429c-4c89-aaa8-45af950d210f", "value": "RC4 encryption - .NET" } ] }, { "comment": "", "deleted": false, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "name": "credential", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "template_version": "3", "timestamp": "1563341092", "uuid": "5d2eb124-24ac-46d9-b0b6-4f90950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "notification", "timestamp": "1563341092", "to_ids": false, "type": "text", "uuid": "5d2eb124-f908-474e-8674-433b950d210f", "value": "none" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "origin", "timestamp": "1563341092", "to_ids": false, "type": "text", "uuid": "5d2eb124-ab4c-49ac-9468-4791950d210f", "value": "malware-analysis" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1563341092", "to_ids": false, "type": "text", "uuid": "5d2eb124-1bb4-45a5-a0e8-4c53950d210f", "value": "encryption-key" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1563341092", "to_ids": false, "type": "text", "uuid": "5d2eb124-2b58-4cce-b185-4d29950d210f", "value": "TimesNewRoman" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1563341092", "to_ids": false, "type": "text", "uuid": "5d2eb124-2eac-4bd2-ac56-41ae950d210f", "value": "RC4 - PowerShell" } ] }, { "comment": "", "deleted": false, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "name": "url", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "template_version": "7", "timestamp": "1563341373", "uuid": "5d2eb23d-dd60-4a91-9c0c-6bc1950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "text", "timestamp": "1563341373", "to_ids": false, "type": "text", "uuid": "5d2eb23d-e684-48f4-a34f-6bc1950d210f", "value": "The malware communicates with a legitimate compromised WordPress-based website and gets four byte length commands from URL like \u00e2\u20ac\u0153http:///wp-includes/Requests/Socks.php\u00e2\u20ac\u009d." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "scheme", "timestamp": "1563341373", "to_ids": false, "type": "text", "uuid": "5d2eb23d-b148-4154-8d6c-6bc1950d210f", "value": "http" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "resource_path", "timestamp": "1563341373", "to_ids": false, "type": "text", "uuid": "5d2eb23d-8210-4082-9621-6bc1950d210f", "value": "wp-includes/Requests/Socks.ph" } ] } ] } }