misp-circl-feed/feeds/circl/stix-2.1/d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6.json

210 lines
No EOL
9.6 KiB
JSON

{
"type": "bundle",
"id": "bundle--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:14:48.000Z",
"modified": "2021-09-24T08:14:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:14:48.000Z",
"modified": "2021-09-24T08:14:48.000Z",
"name": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
"published": "2021-09-24T08:14:56Z",
"object_refs": [
"indicator--327ed82a-9666-498f-8ecc-192fc7c06f12",
"x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
"indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
"indicator--96abab21-a8a7-4869-b680-89144e5625e7",
"x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7",
"relationship--123b2916-7ec5-4cb9-8d19-723988ba1cc4"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"",
"misp-galaxy:threat-actor=\"Turla Group\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--327ed82a-9666-498f-8ecc-192fc7c06f12",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:10:34.000Z",
"modified": "2021-09-24T08:10:34.000Z",
"pattern": "[file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-09-24T08:10:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:10:17.000Z",
"modified": "2021-09-24T08:10:17.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://blog.talosintelligence.com/2021/09/tinyturla.html",
"category": "External analysis",
"uuid": "65654f61-cd9f-416f-a840-debc025dc4da"
},
{
"type": "text",
"object_relation": "summary",
"value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.",
"category": "Other",
"uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog post",
"category": "Other",
"uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:11:00.000Z",
"modified": "2021-09-24T08:11:00.000Z",
"pattern": "import \\\\\"pe\\\\\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \\\\\"Cisco Talos\\\\\"\r\ndescription = \\\\\"Detects Tiny Turla backdoor DLL\\\\\"\r\nstrings:\r\n$a = \\\\\"Title:\\\\\" fullword wide\r\n$b = \\\\\"Hosts\\\\\" fullword wide\r\n$c = \\\\\"Security\\\\\" fullword wide\r\n$d = \\\\\"TimeLong\\\\\" fullword wide\r\n$e = \\\\\"TimeShort\\\\\" fullword wide\r\n$f = \\\\\"MachineGuid\\\\\" fullword wide\r\n$g = \\\\\"POST\\\\\" fullword wide\r\n$h = \\\\\"WinHttpSetOption\\\\\" fullword ascii\r\n$i = \\\\\"WinHttpQueryDataAvailable\\\\\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\\\\\"ServiceMain\\\\\") and\r\nall of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-09-24T08:11:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--96abab21-a8a7-4869-b680-89144e5625e7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:14:48.000Z",
"modified": "2021-09-24T08:14:48.000Z",
"pattern": "[file:hashes.MD5 = '028878c4b6ab475ed0be97eca6f92af9' AND file:hashes.SHA1 = '02c37ccdfccfe03560a4bf069f46e8ae3a5d2348' AND file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-09-24T08:14:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-09-24T08:12:06.000Z",
"modified": "2021-09-24T08:12:06.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-09-24T06:19:11+00:00",
"category": "Other",
"uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351",
"category": "Payload delivery",
"uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/68",
"category": "Payload delivery",
"uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--123b2916-7ec5-4cb9-8d19-723988ba1cc4",
"created": "2021-09-24T08:12:06.000Z",
"modified": "2021-09-24T08:12:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--96abab21-a8a7-4869-b680-89144e5625e7",
"target_ref": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}