{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2019-07-16",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Turla renews its arsenal with Topinambour",
|
|
"publish_timestamp": "1563341597",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1563341373",
|
|
"uuid": "5d2deea3-eea0-41ea-91bf-4a8b950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\""
|
|
},
|
|
{
|
|
"colour": "#065100",
|
|
"name": "misp-galaxy:tool=\"Turla\""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"name": "osint:certainty=\"50\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563291330",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5d2deec2-d68c-42e1-a113-431a950d210f",
|
|
"value": "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-77e8-4b3d-b76a-4c24950d210f",
|
|
"value": "197.168.0.73"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-b090-4e59-8fc4-48b0950d210f",
|
|
"value": "197.168.0.98"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-28d4-4104-8899-49ea950d210f",
|
|
"value": "197.168.0.212"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-81a0-42fb-89ea-409c950d210f",
|
|
"value": "197.168.0.243"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-4220-4c52-8f69-495d950d210f",
|
|
"value": "197.168.0.247"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "VPSs used as control servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340553",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d2eaf09-8e14-4a01-9196-4f4a950d210f",
|
|
"value": "197.168.0.250"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340574",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1e-1780-4e3d-926d-6909950d210f",
|
|
"value": "47870ff98164155f088062c95c448783"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-3464-4f4f-8bc8-6909950d210f",
|
|
"value": "2c1e73da56f4da619c4c53b521404874"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-1ef8-49ac-80b4-6909950d210f",
|
|
"value": "6acf316fed472300fa50db54fa6f3cbc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-88a4-4b9d-9f9f-6909950d210f",
|
|
"value": "9573f452004b16eabd20fa65a6c2c1c4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-fc50-4986-82ae-6909950d210f",
|
|
"value": "3772a34d1b731697e2879bef54967332"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-5a48-49a2-aedd-6909950d210f",
|
|
"value": "d967d96ea5d0962e08844d140c2874e0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-3874-40d8-ac02-6909950d210f",
|
|
"value": "a80bbd753c07512b31ab04bd5e3324c2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-cb24-4c0e-801b-6909950d210f",
|
|
"value": "37dc2eb8ee56aeba4dbd4cf46f87ae9a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Some campaign-related hashes",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1563340575",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5d2eaf1f-c4e0-4dd9-9522-6909950d210f",
|
|
"value": "710f729ab26f058f2dbf08664edb3986"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
|
|
"meta-category": "misc",
|
|
"name": "credential",
|
|
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
|
|
"template_version": "3",
|
|
"timestamp": "1563340906",
|
|
"uuid": "5d2eb06a-8388-4e76-860a-48fb950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "notification",
|
|
"timestamp": "1563340906",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb06a-5558-4ee2-becb-4bfd950d210f",
|
|
"value": "none"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "origin",
|
|
"timestamp": "1563340906",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb06a-0620-40cf-a658-47e4950d210f",
|
|
"value": "malware-analysis"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1563340906",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb06a-3a84-4bf3-a0ef-4b21950d210f",
|
|
"value": "encryption-key"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "password",
|
|
"timestamp": "1563340906",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb06a-dcf8-4b20-9da6-4a5d950d210f",
|
|
"value": "01a8cbd328df18fd49965d68e2879433"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "text",
|
|
"timestamp": "1563340907",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb06b-cd84-4c28-8384-4d75950d210f",
|
|
"value": "RC4 encryption - JavaScript KopiLuwak - \u201cbYVAoFGJKj7rfs1M\u201d plus hash based upon Windows installation date"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
|
|
"meta-category": "misc",
|
|
"name": "credential",
|
|
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
|
|
"template_version": "3",
|
|
"timestamp": "1563341019",
|
|
"uuid": "5d2eb0db-d6d4-49a4-9422-4326950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "notification",
|
|
"timestamp": "1563341019",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb0db-4520-4026-8925-408b950d210f",
|
|
"value": "none"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "origin",
|
|
"timestamp": "1563341019",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb0db-dbbc-4124-a078-4d06950d210f",
|
|
"value": "malware-analysis"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1563341019",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb0db-7a94-4183-9388-4782950d210f",
|
|
"value": "encryption-key"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "password",
|
|
"timestamp": "1563341019",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb0db-1240-4869-a720-4b49950d210f",
|
|
"value": "TrumpTower"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "text",
|
|
"timestamp": "1563341019",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb0db-429c-4c89-aaa8-45af950d210f",
|
|
"value": "RC4 encryption - .NET"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
|
|
"meta-category": "misc",
|
|
"name": "credential",
|
|
"template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
|
|
"template_version": "3",
|
|
"timestamp": "1563341092",
|
|
"uuid": "5d2eb124-24ac-46d9-b0b6-4f90950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "notification",
|
|
"timestamp": "1563341092",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb124-f908-474e-8674-433b950d210f",
|
|
"value": "none"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "origin",
|
|
"timestamp": "1563341092",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb124-ab4c-49ac-9468-4791950d210f",
|
|
"value": "malware-analysis"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1563341092",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb124-1bb4-45a5-a0e8-4c53950d210f",
|
|
"value": "encryption-key"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "password",
|
|
"timestamp": "1563341092",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb124-2b58-4cce-b185-4d29950d210f",
|
|
"value": "TimesNewRoman"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "text",
|
|
"timestamp": "1563341092",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb124-2eac-4bd2-ac56-41ae950d210f",
|
|
"value": "RC4 - PowerShell"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
|
"meta-category": "network",
|
|
"name": "url",
|
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
|
"template_version": "7",
|
|
"timestamp": "1563341373",
|
|
"uuid": "5d2eb23d-dd60-4a91-9c0c-6bc1950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "text",
|
|
"timestamp": "1563341373",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb23d-e684-48f4-a34f-6bc1950d210f",
|
|
"value": "The malware communicates with a legitimate compromised WordPress-based website and gets four byte length commands from URL like \u201chttp://<legitimate domain>/wp-includes/Requests/Socks.php\u201d."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "scheme",
|
|
"timestamp": "1563341373",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb23d-b148-4154-8d6c-6bc1950d210f",
|
|
"value": "http"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "resource_path",
|
|
"timestamp": "1563341373",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5d2eb23d-8210-4082-9621-6bc1950d210f",
|
|
"value": "wp-includes/Requests/Socks.ph"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |