MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”
Common Information
Type | Value |
---|---|
UUID | 638073a7-21fd-4541-b8f9-d60871b3dac8 |
Fingerprint | 0ce5ca914f9c8c456f587147cc528ba8e441192d7dba157ea59eaece0a9d19a5 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 28, 2020, 5:03 p.m. |
Added to db | March 10, 2024, 3:59 a.m. |
Last updated | Aug. 31, 2024, 3:12 a.m. |
Headline | MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64” |
Title | MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64” |
Detected Hints/Tags/Attributes | 139/3/51 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | www.phenoelit.org |
|
Details | Domain | 11 | govcert.ch |
|
Details | Domain | 1 | sync.pid |
|
Details | Domain | 10 | gcc.gnu.org |
|
Details | Domain | 1 | leonardocompany.com |
|
Details | File | 1 | tc_sock.bin |
|
Details | File | 3 | releases.html |
|
Details | md5 | 3 | 0994d9deb50352e76b0322f48ee576c6 |
|
Details | md5 | 3 | 14ecd5e6fc8e501037b54ca263896a11 |
|
Details | md5 | 3 | 19fbd8cbfb12482e8020a887d6427315 |
|
Details | md5 | 2 | edf900cebb70c6d1fcab0234062bfc28 |
|
Details | md5 | 2 | ea06b213d5924de65407e8931b1e4326 |
|
Details | md5 | 2 | e079ec947d3d4dacb21e993b760a65dc |
|
Details | md5 | 1 | ad6731c123c4806f91e1327f35194722 |
|
Details | md5 | 2 | b4587870ecf51e8ef67d98bb83bc4be7 |
|
Details | md5 | 1 | 7533ef5300263eec3a677b3f0636ae73 |
|
Details | sha1 | 1 | 8dc3d053e5008ab92a17dc47fed43213a9873db0 |
|
Details | sha1 | 1 | 04686b0d2fdafa7cb6c17adc551abade334d7b85 |
|
Details | sha1 | 1 | 7f043eb95d74d051ac780aee52ebf1c497c43060 |
|
Details | sha1 | 1 | 4594453e2e4002101481dc44f203d3ffebe079ae |
|
Details | sha1 | 1 | 09580f1deb096bb50d082bd169271d41756adf73 |
|
Details | sha1 | 1 | 9d133d7e0616573a7d1c822cc878149e7aa7bad6 |
|
Details | sha1 | 1 | 0675329cfa4d13ee35f74c1cc236bc630b7de464 |
|
Details | sha1 | 1 | f5a1a9180913bbeb1641af48660fbb756325f91e |
|
Details | sha1 | 1 | c67abb20ae5100f12ce084279827632fdbcb222a |
|
Details | sha256 | 1 | 1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905 |
|
Details | sha256 | 2 | 67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502 |
|
Details | sha256 | 1 | 3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4 |
|
Details | sha256 | 1 | 8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667 |
|
Details | sha256 | 1 | 2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08 |
|
Details | sha256 | 1 | 5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8 |
|
Details | sha256 | 1 | d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0 |
|
Details | sha256 | 1 | 8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc |
|
Details | sha256 | 1 | d9f2467ff11efae921ec83e074e4f8d2eac7881d76bff60a872a801bd45ce3d5 |
|
Details | IPv4 | 2 | 82.146.175.43 |
|
Details | IPv4 | 3 | 192.168.202.1 | RFC 1918 private address — most likely an analysis-environment artefact rather than an actionable network indicator; verify against the source report before using it for detection |
Details | IPv4 | 1 | 192.168.202.130 | RFC 1918 private address — same caveat as above |
Details | IPv4 | 1 | 10.11.60.129 | RFC 1918 private address — same caveat as above |
Details | IPv4 | 1 | 10.188.60.129 | RFC 1918 private address — same caveat as above |
Details | MITRE ATT&CK Techniques | 492 | T1105 |
|
Details | MITRE ATT&CK Techniques | 695 | T1059 |
|
Details | MITRE ATT&CK Techniques | 19 | T1205 |
|
Details | MITRE ATT&CK Techniques | 22 | T1024 | retired ATT&CK ID (Custom Cryptographic Protocol); now covered by T1573 Encrypted Channel |
Details | MITRE ATT&CK Techniques | 23 | T1032 | retired ATT&CK ID (Standard Cryptographic Protocol); now covered by T1573 Encrypted Channel |
Details | MITRE ATT&CK Techniques | 42 | T1158 | retired ATT&CK ID (Hidden Files and Directories); now T1564.001 Hide Artifacts: Hidden Files and Directories |
Details | MITRE ATT&CK Techniques | 265 | T1222 |
|
Details | MITRE ATT&CK Techniques | 23 | T1094 | retired ATT&CK ID (Custom Command and Control Protocol); now covered by T1095 Non-Application Layer Protocol |
Details | Url | 1 | http://www.phenoelit.org/stuff/cd00r.c |
|
Details | Url | 1 | https://gcc.gnu.org/releases.html |
|
Details | Yara rule | 1 | rule APT_MAL_LNX_Turla_Apr202004_1 {
    // Detects Turla Linux ("Penquin") samples, 32- and 64-bit, by a set of
    // plaintext artefacts (dot-prefixed paths, PID-file names, log/format strings).
    meta:
        description = "Detects Turla Linux malware x64 x32"
        date = "2020-04-24"
        // hash1..hash9 are SHA-256 values of the reference samples.
        // NOTE(review): hash8 repeats hash3, so only eight distinct samples are
        // listed here; the ninth SHA-256 on this record
        // (d9f2467ff11efae921ec83e074e4f8d2eac7881d76bff60a872a801bd45ce3d5) is
        // absent from the meta block — confirm against the original report.
        hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
        hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
        hash3 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash4 = "1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905"
        hash5 = "2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08"
        hash6 = "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4"
        hash7 = "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8"
        hash8 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash9 = "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0"
    strings:
        // Dot-prefixed paths under /root and /tmp (hidden from a plain `ls`).
        $s1 = "/root/.hsperfdata" ascii fullword
        // Presumably a column header of a file-listing output — verify in a sample.
        $s2 = "Desc| Filename | size |state|" ascii fullword
        $s3 = "VS filesystem: %s" ascii fullword
        $s4 = "File already exist on remote filesystem !" ascii fullword
        // NOTE(review): the "sync.pid" Domain attribute on this record is most
        // likely an automatic-extraction artefact of this path, not a real domain.
        $s5 = "/tmp/.sync.pid" ascii fullword
        $s6 = "rem_fd: ssl " ascii fullword
        $s7 = "TREX_PID=%u" ascii fullword
        $s8 = "/tmp/.xdfg" ascii fullword
        $s9 = "__we_are_happy__" ascii fullword
        $s10 = "/root/.sess" ascii fullword
        // Presumably an encoded/obfuscated string — meaning not established here.
        $s11 = "ZYSZLRTS^Z@@NM@@G_Y_FE" ascii fullword
    condition:
        // 0x457f is the little-endian uint16 of the ELF magic bytes 7f 45 ("\x7fE"),
        // so the rule only considers ELF files; at least 4 of the 11 strings must hit.
        uint16(0) == 0x457f and filesize < 5000KB and 4 of them
} |
|
Details | Yara rule | 1 | rule APT_MAL_LNX_Turla_Apr202004_1_opcode {
    // Companion to APT_MAL_LNX_Turla_Apr202004_1: matches the same reference
    // samples on code byte patterns instead of plaintext strings, so it can still
    // fire when the strings are altered.
    meta:
        description = "Detects Turla Linux malware x64 x32"
        date = "2020-04-24"
        // hash1..hash9 are SHA-256 values of the reference samples.
        // NOTE(review): hash8 repeats hash3 (eight distinct samples listed); the
        // ninth SHA-256 on this record
        // (d9f2467ff11efae921ec83e074e4f8d2eac7881d76bff60a872a801bd45ce3d5) is
        // absent from the meta block — confirm against the original report.
        hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
        hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
        hash3 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash4 = "1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905"
        hash5 = "2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08"
        hash6 = "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4"
        hash7 = "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8"
        hash8 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash9 = "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0"
    strings:
        // $op0/$op1 carry REX.W (48) prefixes, i.e. x86-64 code; $op4..$op7 appear
        // to be the 32-bit counterparts (lea/xor/mov/inc/cmp/jbe sequence that
        // looks like a byte-wise XOR decoding loop — TODO confirm in a sample).
        $op0 = { 8D 41 05 32 06 48 FF C6 88 81 E0 80 69 00 }
        $op1 = { 48 FF C1 48 83 F9 49 75 E9 }
        // 65 74 68 30 is ASCII "eth0".
        $op2 = { C7 05 9B 7D 29 00 1D 00 00 00 C7 05 2D 7B 29 00 65 74 68 30 C6 05 2A 7B 29 00 00 E8 }
        $op3 = { BF FF FF FF FF E8 96 9D 0A 00 90 90 90 90 90 90 90 90 90 90 89 F0 }
        // NOTE(review): $op4, $op6 and $op7 embed what look like absolute 32-bit
        // addresses (the "xx xx 0C 08" / "xx xx 0F 08" dwords), so they are tied to
        // these particular builds; expect misses on recompiled or relinked variants.
        $op4 = { 88 D3 80 C3 05 32 9A C1 D6 0C 08 88 9A 60 A1 0F 08 42 83 FA 08 76 E9 }
        $op5 = { 8B 8D 50 DF FF FF B8 09 00 00 00 89 44 24 04 89 0C 24 E8 DD E5 02 00 }
        $op6 = { 8D 5A 05 32 9A 60 26 0C 08 88 9A 20 F4 0E 08 42 83 FA 48 76 EB }
        $op7 = { 8D 4A 05 32 8A 25 26 0C 08 88 8A 20 F4 0E 08 42 83 FA 08 76 EB }
    condition:
        // 0x457f is the little-endian uint16 of the ELF magic bytes 7f 45 ("\x7fE"),
        // so the rule only considers ELF files; at least 2 of the 8 patterns must hit.
        uint16(0) == 0x457f and filesize < 5000KB and 2 of them
} |