210 lines
No EOL
9.6 KiB
JSON
210 lines
No EOL
9.6 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:14:48.000Z",
|
|
"modified": "2021-09-24T08:14:48.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:14:48.000Z",
|
|
"modified": "2021-09-24T08:14:48.000Z",
|
|
"name": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
|
|
"published": "2021-09-24T08:14:56Z",
|
|
"object_refs": [
|
|
"indicator--327ed82a-9666-498f-8ecc-192fc7c06f12",
|
|
"x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
|
|
"indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
|
|
"indicator--96abab21-a8a7-4869-b680-89144e5625e7",
|
|
"x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7",
|
|
"relationship--43aa8f2b-ef34-4c97-8f6d-ccbc53d35500"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"",
|
|
"misp-galaxy:threat-actor=\"Turla Group\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--327ed82a-9666-498f-8ecc-192fc7c06f12",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:10:34.000Z",
|
|
"modified": "2021-09-24T08:10:34.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-09-24T08:10:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:10:17.000Z",
|
|
"modified": "2021-09-24T08:10:17.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://blog.talosintelligence.com/2021/09/tinyturla.html",
|
|
"category": "External analysis",
|
|
"uuid": "65654f61-cd9f-416f-a840-debc025dc4da"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.",
|
|
"category": "Other",
|
|
"uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog post",
|
|
"category": "Other",
|
|
"uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:11:00.000Z",
|
|
"modified": "2021-09-24T08:11:00.000Z",
|
|
"pattern": "import \\\\\"pe\\\\\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \\\\\"Cisco Talos\\\\\"\r\ndescription = \\\\\"Detects Tiny Turla backdoor DLL\\\\\"\r\nstrings:\r\n$a = \\\\\"Title:\\\\\" fullword wide\r\n$b = \\\\\"Hosts\\\\\" fullword wide\r\n$c = \\\\\"Security\\\\\" fullword wide\r\n$d = \\\\\"TimeLong\\\\\" fullword wide\r\n$e = \\\\\"TimeShort\\\\\" fullword wide\r\n$f = \\\\\"MachineGuid\\\\\" fullword wide\r\n$g = \\\\\"POST\\\\\" fullword wide\r\n$h = \\\\\"WinHttpSetOption\\\\\" fullword ascii\r\n$i = \\\\\"WinHttpQueryDataAvailable\\\\\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\\\\\"ServiceMain\\\\\") and\r\nall of them\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-09-24T08:11:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_context": "all"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--96abab21-a8a7-4869-b680-89144e5625e7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:14:48.000Z",
|
|
"modified": "2021-09-24T08:14:48.000Z",
|
|
"pattern": "[file:hashes.MD5 = '028878c4b6ab475ed0be97eca6f92af9' AND file:hashes.SHA1 = '02c37ccdfccfe03560a4bf069f46e8ae3a5d2348' AND file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-09-24T08:14:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2021-09-24T08:12:06.000Z",
|
|
"modified": "2021-09-24T08:12:06.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2021-09-24T06:19:11+00:00",
|
|
"category": "Other",
|
|
"uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351",
|
|
"category": "Payload delivery",
|
|
"uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "48/68",
|
|
"category": "Payload delivery",
|
|
"uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--43aa8f2b-ef34-4c97-8f6d-ccbc53d35500",
|
|
"created": "2021-09-24T08:12:06.000Z",
|
|
"modified": "2021-09-24T08:12:06.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--96abab21-a8a7-4869-b680-89144e5625e7",
|
|
"target_ref": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |