270 lines
No EOL
11 KiB
JSON
270 lines
No EOL
11 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5c502e8e-09e8-4c7c-9135-4c1b950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T13:19:12.000Z",
|
|
"modified": "2019-01-29T13:19:12.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5c502e8e-09e8-4c7c-9135-4c1b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T13:19:12.000Z",
|
|
"modified": "2019-01-29T13:19:12.000Z",
|
|
"name": "2019-01-28: Turla Kazuar RAT",
|
|
"published": "2019-01-29T13:19:37Z",
|
|
"object_refs": [
|
|
"indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
|
|
"indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
|
|
"x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f",
|
|
"indicator--5c5038be-fe38-403c-a413-0435950d210f",
|
|
"indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
|
|
"x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab",
|
|
"relationship--37897fbf-2e68-47c7-8bb3-f2fae0075132"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:malpedia=\"Turla RAT\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"",
|
|
"misp-galaxy:threat-actor=\"Turla Group\"",
|
|
"misp-galaxy:tool=\"Turla\"",
|
|
"misp-galaxy:malpedia=\"Kazuar\"",
|
|
"misp-galaxy:mitre-malware=\"Kazuar - S0265\"",
|
|
"misp-galaxy:tool=\"Kazuar\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"ms-caro-malware:malware-type=\"RemoteAccess\"",
|
|
"enisa:nefarious-activity-abuse=\"remote-access-tool\"",
|
|
"veris:asset:variety=\"S - Remote access\"",
|
|
"veris:action:misuse:vector=\"Remote access\"",
|
|
"ms-caro-malware-full:malware-type=\"RemoteAccess\"",
|
|
"CERT-XLM:malicious-code=\"spyware-rat\"",
|
|
"osint:source-type=\"microblog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T11:23:19.000Z",
|
|
"modified": "2019-01-29T11:23:19.000Z",
|
|
"description": "C2",
|
|
"pattern": "[url:value = 'northviewcanada.com/wp-content/galler/slider/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-29T11:23:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T11:23:20.000Z",
|
|
"modified": "2019-01-29T11:23:20.000Z",
|
|
"description": "C2",
|
|
"pattern": "[url:value = 'zycie-chotomowa.pl/wp-content/languages/index.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-29T11:23:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T11:02:08.000Z",
|
|
"modified": "2019-01-29T11:02:08.000Z",
|
|
"labels": [
|
|
"misp:name=\"microblog\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "post",
|
|
"value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary",
|
|
"category": "Other",
|
|
"uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Twitter",
|
|
"category": "Other",
|
|
"uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f"
|
|
},
|
|
{
|
|
"type": "url",
|
|
"object_relation": "url",
|
|
"value": "https://twitter.com/VK_Intel/status/1089959988116799491",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username-quoted",
|
|
"value": "DrunkBinary",
|
|
"category": "Other",
|
|
"uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "creation-date",
|
|
"value": "2019-01-28T10:54:00",
|
|
"category": "Other",
|
|
"uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username",
|
|
"value": "VK_Intel",
|
|
"category": "Other",
|
|
"uuid": "5c5032b0-4528-4080-bbb4-0435950d210f"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "microblog"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c5038be-fe38-403c-a413-0435950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T11:27:58.000Z",
|
|
"modified": "2019-01-29T11:27:58.000Z",
|
|
"pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-29T11:27:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T13:19:03.000Z",
|
|
"modified": "2019-01-29T13:19:03.000Z",
|
|
"pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:hashes.SHA1 = '321fac7d4cabce35ce0adc67c700f47d47359021' AND file:hashes.SHA256 = '44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-29T13:19:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-29T13:19:03.000Z",
|
|
"modified": "2019-01-29T13:19:03.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-29T07:35:34",
|
|
"category": "Other",
|
|
"uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/",
|
|
"category": "External analysis",
|
|
"uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/69",
|
|
"category": "Other",
|
|
"uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--37897fbf-2e68-47c7-8bb3-f2fae0075132",
|
|
"created": "2019-01-29T13:19:03.000Z",
|
|
"modified": "2019-01-29T13:19:03.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
|
|
"target_ref": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |