{
"Event": {
"analysis": "0",
"date": "2019-01-28",
"extends_uuid": "",
"info": "2019-01-28: Turla Kazuar RAT",
"publish_timestamp": "1548767977",
"published": true,
"threat_level_id": "3",
"timestamp": "1548767952",
"uuid": "5c502e8e-09e8-4c7c-9135-4c1b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Turla RAT\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\""
},
{
"colour": "#12e200",
"name": "misp-galaxy:threat-actor=\"Turla Group\""
},
{
"colour": "#065100",
"name": "misp-galaxy:tool=\"Turla\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Kazuar\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-malware=\"Kazuar - S0265\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"Kazuar\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#440055",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\""
},
{
"colour": "#4bec00",
"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\""
},
{
"colour": "#008ba9",
"name": "veris:asset:variety=\"S - Remote access\""
},
{
"colour": "#00bde6",
"name": "veris:action:misuse:vector=\"Remote access\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#5f0044",
"name": "CERT-XLM:malicious-code=\"spyware-rat\""
},
{
"colour": "#002642",
"name": "osint:source-type=\"microblog-post\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Kazuar C2 URL as reported in the quoted VK_Intel tweet (defanged there, normalised here). The wp-content path suggests a compromised third-party WordPress host rather than actor-owned infrastructure, so detection should match on the full URL path; blocking the bare domain may cause collateral impact.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548760999",
"to_ids": true,
"type": "url",
"uuid": "5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
"value": "northviewcanada.com/wp-content/galler/slider/"
},
{
"category": "Network activity",
"comment": "Kazuar C2 URL as reported in the quoted VK_Intel tweet (defanged there, normalised here). The wp-content path suggests a compromised third-party WordPress host rather than actor-owned infrastructure, so detection should match on the full URL path; blocking the bare domain may cause collateral impact.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548761000",
"to_ids": true,
"type": "url",
"uuid": "5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
"value": "zycie-chotomowa.pl/wp-content/languages/index.php"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "5",
"timestamp": "1548759728",
"uuid": "5c5032b0-5a34-4e58-bcf7-0435950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f",
"value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1548759728",
"to_ids": true,
"type": "url",
"uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f",
"value": "https://twitter.com/VK_Intel/status/1089959988116799491"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username-quoted",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f",
"value": "DrunkBinary"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "creation-date",
"timestamp": "1548759728",
"to_ids": false,
"type": "datetime",
"uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f",
"value": "2019-01-28T10:54:00"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1548759728",
"to_ids": false,
"type": "text",
"uuid": "5c5032b0-4528-4080-bbb4-0435950d210f",
"value": "VK_Intel"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1548761278",
"uuid": "5c5038be-fe38-403c-a413-0435950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1548761278",
"to_ids": true,
"type": "md5",
"uuid": "5c5038be-b8a4-41df-a614-0435950d210f",
"value": "988df2967a7239a4b916cc9fcedaff68"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1548761278",
"to_ids": false,
"type": "text",
"uuid": "5c5038be-ec78-4d5b-91f0-0435950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1548767943",
"uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "8670f30a-fed5-4ecf-8486-544baa950b1d",
"referenced_uuid": "9001b360-5644-40b6-8310-2c8aa8711aab",
"relationship_type": "analysed-with",
"timestamp": "1548767943",
"uuid": "5c5052c7-ec80-46a5-9eb3-4c3602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1548767943",
"to_ids": true,
"type": "md5",
"uuid": "839827fd-8db6-4baf-b6c6-8ca80a321668",
"value": "988df2967a7239a4b916cc9fcedaff68"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1548767943",
"to_ids": true,
"type": "sha1",
"uuid": "6dc280a4-698a-46fc-b336-3b42958143cd",
"value": "321fac7d4cabce35ce0adc67c700f47d47359021"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1548767943",
"to_ids": true,
"type": "sha256",
"uuid": "7fd1ea29-dcde-427f-998b-00f5403c01b4",
"value": "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1548767943",
"uuid": "9001b360-5644-40b6-8310-2c8aa8711aab",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1548767943",
"to_ids": false,
"type": "datetime",
"uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110",
"value": "2019-01-29T07:35:34"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1548767943",
"to_ids": false,
"type": "link",
"uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d",
"value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1548767943",
"to_ids": false,
"type": "text",
"uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4",
"value": "42/69"
}
]
}
]
}
}