KopiLuwak: A New JavaScript Payload from Turla
Common Information
Type Value
UUID 51fcde81-3209-4d60-b1e8-e034ef737cec
Fingerprint b401518109af8681
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 2, 2017, 3 p.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline KopiLuwak: A New JavaScript Payload from Turla
Title KopiLuwak: A New JavaScript Payload from Turla
Detected Hints/Tags/Attributes 67/2/22
Attributes
(Path separators in file paths and the registry key were stripped during extraction; the backslashes below are restored. The "CTI Value" column of the source table is empty for every row and is omitted.)
Type                  #Events  Value
Domain                      2  wscript.shell.run  (not a domain: this is the WScript.Shell COM object's Run method, which the extractor tagged as a domain)
Domain                      5  soligro.com
Domain                      1  belcollegium.org
File                        5  vbscript.reg
File                        2  vuy5oj112flw51h6s.exe
File                        2  mailform.js
File                        1  appdata\local\microsoft\windows\mailform.js
File                        1  appdata\local\temp\mailform.js
File                        1  data\microsoft\windows\mailform.js  (leading path component missing in the source)
File                      376  wscript.exe
File                     2127  cmd.exe
File                        2  dat.tmp
File                       17  wow64.dll
File                       19  db.php
File                        1  class-wp-upload-plugins-list-table.php
md5                         1  6e7991f93c53a58ba63a602b277e07f7
md5                         1  05d07279ed123b3a9170fa2c540d2919
md5                         2  2f532d6baec3d0ec7b1f98aed4774843
IPv4                        1  195.251.32.62
Url                         1  http://soligro.com/wp-includes/pomo/db.php
Url                         1  http://belcollegium.org/wp-admin/includes/class-wp-upload-plugins-list-table.php
Windows Registry Key        1  HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
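The attribute table above is a flat indicator list; what a detection engineer actually needs is the logic that turns it into alerts. The script below is an added example, not part of this record or of the original Kaspersky report. It takes the indicators listed on this page (the two C2 URLs and domains, the IPv4 address, the three MD5 hashes, the mailform.js dropper path, and the HKCU Run key named "mailform") and runs them as four checks over Sysmon-style events: a process check that fires when a script host or cmd.exe launches mailform.js from under AppData, a registry check for the Run-key persistence, a network check for the C2 hosts and URLs, and a file check on names and hashes. The generic file names on the page (wscript.exe, cmd.exe, wow64.dll, db.php) are deliberately left out of the file-name set because matching them alone would be pure noise. The event field names (Image, CommandLine, TargetObject, DestinationHostname, DestinationIp, Url, TargetFilename, MD5) follow Sysmon's naming but the events themselves are constructed for the example, not real telemetry.

```python
"""Hunt for KopiLuwak indicators from this record over constructed host/network events."""
import re
from dataclasses import dataclass

# Indicators copied from the attribute table on this page.
KOPILUWAK_DOMAINS = {"soligro.com", "belcollegium.org"}
KOPILUWAK_IPS = {"195.251.32.62"}
KOPILUWAK_URLS = {
    "http://soligro.com/wp-includes/pomo/db.php",
    "http://belcollegium.org/wp-admin/includes/class-wp-upload-plugins-list-table.php",
}
KOPILUWAK_MD5 = {
    "6e7991f93c53a58ba63a602b277e07f7",
    "05d07279ed123b3a9170fa2c540d2919",
    "2f532d6baec3d0ec7b1f98aed4774843",
}
# Only the specific artefact names; wscript.exe, cmd.exe, wow64.dll and db.php are too generic to match on alone.
KOPILUWAK_FILES = {"mailform.js", "vbscript.reg", "vuy5oj112flw51h6s.exe", "dat.tmp"}
# Persistence: the Run value named "mailform" under HKCU (case-insensitive, as the registry is).
RUN_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\mailform$", re.I)
# Behaviour: a script host or cmd.exe launching mailform.js from somewhere under AppData.
SCRIPT_HOST_RE = re.compile(r"(?:^|\\)(wscript|cscript|cmd)\.exe$", re.I)
MAILFORM_RE = re.compile(r"appdata\\.*mailform\.js", re.I)


@dataclass
class Event:
    kind: str     # "process", "registry", "network" or "file"
    fields: dict  # Sysmon-style field names (assumed layout for this example)


def check_process(ev):
    if SCRIPT_HOST_RE.search(ev.get("Image", "")) and MAILFORM_RE.search(ev.get("CommandLine", "")):
        return "script host launching mailform.js from AppData"
    return None


def check_registry(ev):
    if RUN_KEY_RE.match(ev.get("TargetObject", "")):
        return "Run-key persistence value named 'mailform'"
    return None


def check_network(ev):
    if ev.get("Url", "") in KOPILUWAK_URLS:
        return "HTTP request to known KopiLuwak C2 URL"
    if ev.get("DestinationHostname", "").lower() in KOPILUWAK_DOMAINS or ev.get("DestinationIp", "") in KOPILUWAK_IPS:
        return "connection to known KopiLuwak C2 host"
    return None


def check_file(ev):
    # Normalise separators and keep only the base name before comparing.
    name = ev.get("TargetFilename", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if ev.get("MD5", "").lower() in KOPILUWAK_MD5:
        return "file hash matches a KopiLuwak sample"
    if name in KOPILUWAK_FILES:
        return f"file name '{name}' matches a KopiLuwak artefact"
    return None


CHECKS = {"process": check_process, "registry": check_registry,
          "network": check_network, "file": check_file}


def hunt(events):
    """Return (kind, reason) for every event that matches one of the checks."""
    hits = []
    for ev in events:
        reason = CHECKS.get(ev.kind, lambda _: None)(ev.fields)
        if reason:
            hits.append((ev.kind, reason))
    return hits


# Constructed sample events (not real telemetry); one true positive per check plus benign lookalikes.
SAMPLE_EVENTS = [
    Event("process", {"Image": r"C:\Windows\System32\wscript.exe",
                      "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Microsoft\Windows\mailform.js"'}),
    Event("process", {"Image": r"C:\Windows\System32\wscript.exe",
                      "CommandLine": r'wscript.exe "C:\Scripts\inventory.js"'}),
    Event("registry", {"TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mailform"}),
    Event("registry", {"TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"}),
    Event("network", {"DestinationHostname": "soligro.com", "DestinationIp": "203.0.113.5",
                      "Url": "http://soligro.com/wp-includes/pomo/db.php"}),
    Event("network", {"DestinationHostname": "example.org", "DestinationIp": "203.0.113.9", "Url": ""}),
    Event("file", {"TargetFilename": r"C:\Users\u\AppData\Local\Temp\dat.tmp",
                   "MD5": "d41d8cd98f00b204e9800998ecf8427e"}),
]

if __name__ == "__main__":
    for kind, reason in hunt(SAMPLE_EVENTS):
        print(f"[{kind}] {reason}")
```

The process check is the one worth keeping after the listed C2 hosts go stale: the dropper name and the AppData launch pattern are behavioural, while domains, IPs and hashes are trivially rotated. Note that the IPv4 address on the page is not tied to either hostname in the source, so the network check matches on it independently rather than assuming a domain-to-IP mapping.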