{ "Event": { "analysis": "1", "date": "2018-03-12", "extends_uuid": "", "info": "OSINT - Turla Nautilus Implant", "publish_timestamp": "1520844465", "published": true, "threat_level_id": "3", "timestamp": "1520844403", "uuid": "5aa63cdc-2e9c-4621-8499-4c47950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0c9100", "name": "admiralty-scale:source-reliability=\"f\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-entreprise-attack-intrusion-set=\"Turla\"" }, { "colour": "#065000", "name": "misp-galaxy:tool=\"Wipbot\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1520844303", "to_ids": false, "type": "link", "uuid": "5aa63d2c-9dcc-40a0-95a7-4b0d950d210f", "value": "https://mobile.twitter.com/DrunkBinary/status/972946982141603841" }, { "category": "Payload installation", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "timestamp": "1520844094", "to_ids": true, "type": "sha256", "uuid": "5aa63d3e-e47c-4856-9084-4e77950d210f", "value": "f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db" }, { "category": "Network activity", "comment": "Sample appears to contact this IP address", "deleted": false, "disable_correlation": false, "timestamp": "1520844303", "to_ids": true, "type": "ip-dst", "uuid": "5aa63d54-b08c-49c6-a9ae-409c950d210f", "value": "2.20.189.34" }, { "category": "External analysis", "comment": "Same sample, different name submitted", "deleted": false, "disable_correlation": false, "timestamp": "1520844304", "to_ids": false, "type": "link", "uuid": "5aa63d6c-fa70-4259-b59c-4fcd950d210f", "value": "https://www.reverse.it/sample/f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db?environmentId=120" } ], "Object": [ { "comment": "", "deleted": false, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", 
"meta-category": "misc", "name": "microblog", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "template_version": "4", "timestamp": "1520844242", "uuid": "5aa63dd2-e3dc-45d0-b0dc-4c65950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "post", "timestamp": "1520844242", "to_ids": false, "type": "text", "uuid": "5aa63dd2-2844-4794-8565-488f950d210f", "value": "What appears to be an actually new sample of the Turla Nautilus Implant\r\n f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1520844243", "to_ids": false, "type": "text", "uuid": "5aa63dd3-715c-400a-b730-43a3950d210f", "value": "Twitter" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1520844243", "to_ids": true, "type": "url", "uuid": "5aa63dd3-0f8c-49c5-bda3-4a94950d210f", "value": "https://mobile.twitter.com/DrunkBinary/status/972946982141603841" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1520844243", "to_ids": false, "type": "text", "uuid": "5aa63dd3-b8b0-410e-98d1-4787950d210f", "value": "DrunkBinary" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1520844307", "uuid": "ac04d932-cbe1-441e-82dc-9c9cb4703445", "ObjectReference": [ { "comment": "", "object_uuid": "ac04d932-cbe1-441e-82dc-9c9cb4703445", "referenced_uuid": "8c91f218-7e54-4698-9338-efd8d3842a1b", "relationship_type": "analysed-with", "timestamp": "1520844306", "uuid": "5aa63e12-ba84-4450-8f9b-45d502de0b81" } ], "Attribute": [ { 
"category": "Payload delivery", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1520844304", "to_ids": true, "type": "sha1", "uuid": "5aa63e10-a24c-410d-99af-4dc502de0b81", "value": "04b0ed6e26b7ec4140cb9535771207802b0c0463" }, { "category": "Payload delivery", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1520844305", "to_ids": true, "type": "sha256", "uuid": "5aa63e11-365c-4ae3-98db-4c8602de0b81", "value": "f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db" }, { "category": "Payload delivery", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1520844305", "to_ids": true, "type": "md5", "uuid": "5aa63e11-3bfc-45cf-b4e2-4d2102de0b81", "value": "f58bdc5edfa14e23164fd00569b3db3f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1520844306", "uuid": "8c91f218-7e54-4698-9338-efd8d3842a1b", "Attribute": [ { "category": "External analysis", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1520844306", "to_ids": false, "type": "link", "uuid": "5aa63e12-8758-4399-96d9-485b02de0b81", "value": "https://www.virustotal.com/file/f3d488f5f8c74547f1b247c342307ff8d1380907db768e7b6da11d38e0c086db/analysis/1520818696/" }, { "category": "Other", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1520844306", "to_ids": false, "type": "text", "uuid": "5aa63e12-e6fc-4a8f-96d4-400502de0b81", "value": "13/63" }, { "category": "Other", "comment": "Turla Nautilus", "deleted": false, "disable_correlation": false, "object_relation": 
"last-submission", "timestamp": "1520844306", "to_ids": false, "type": "datetime", "uuid": "5aa63e12-f7b8-4cf5-b48a-47e402de0b81", "value": "2018-03-12T01:38:16" } ] } ] } }