{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2021-09-24",
|
|
"extends_uuid": "",
|
|
"info": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
|
|
"publish_timestamp": "1632471296",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1632471288",
|
|
"uuid": "d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#12e200",
|
|
"local": "0",
|
|
"name": "misp-galaxy:threat-actor=\"Turla Group\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1632471034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "327ed82a-9666-498f-8ecc-192fc7c06f12",
|
|
"value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "4",
|
|
"timestamp": "1632471017",
|
|
"uuid": "4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1632471017",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "65654f61-cd9f-416f-a840-debc025dc4da",
|
|
"value": "https://blog.talosintelligence.com/2021/09/tinyturla.html"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1632471017",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc",
|
|
"value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that Talos is seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1632471017",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb",
|
|
"value": "Blog post"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1632471060",
|
|
"uuid": "eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "context",
|
|
"timestamp": "1632471060",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "d670480f-3907-4e8b-87cb-f3e905b41082",
|
|
"value": "all"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1632471060",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "150de82b-b716-475b-a8c3-bd093c32c9db",
|
|
"value": "import \"pe\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \"Cisco Talos\"\r\ndescription = \"Detects Tiny Turla backdoor DLL\"\r\nstrings:\r\n$a = \"Title:\" fullword wide\r\n$b = \"Hosts\" fullword wide\r\n$c = \"Security\" fullword wide\r\n$d = \"TimeLong\" fullword wide\r\n$e = \"TimeShort\" fullword wide\r\n$f = \"MachineGuid\" fullword wide\r\n$g = \"POST\" fullword wide\r\n$h = \"WinHttpSetOption\" fullword ascii\r\n$i = \"WinHttpQueryDataAvailable\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\"ServiceMain\") and\r\nall of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1632471288",
|
|
"uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
|
|
"referenced_uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1632471126",
|
|
"uuid": "ddab642d-65a9-4959-9171-68d8fcde64eb"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1632471288",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "3b77b5ee-d61f-4058-b201-96bba8d4b1b0",
|
|
"value": "028878c4b6ab475ed0be97eca6f92af9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1632471288",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "38d60352-93fb-4aa3-ac12-0d5c1f52bc7d",
|
|
"value": "02c37ccdfccfe03560a4bf069f46e8ae3a5d2348"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1632471288",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "ca150bd0-5e16-496f-b43d-0b655cb96c37",
|
|
"value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1632471126",
|
|
"uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1632471034",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb",
|
|
"value": "2021-09-24T06:19:11+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1632471034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c",
|
|
"value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1632471034",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb",
|
|
"value": "48/68"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}