{
  "Event": {
    "analysis": "1",
    "date": "2020-11-26",
    "extends_uuid": "",
    "info": "[Threat Intel] Actor behind Operation LagTime targets Russia",
    "protected": false,
    "publish_timestamp": "1780039623",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780039622",
    "uuid": "d8a848e6-56b5-48d5-8088-69ff0f0bad05",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"8.t Dropper\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Medium\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770842594",
        "to_ids": false,
        "type": "link",
        "uuid": "9a62ec3b-6a2f-4250-8b58-c8de1e80bb25",
        "value": "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736669216",
        "to_ids": false,
        "type": "text",
        "uuid": "b374299d-204e-41eb-ab84-75c6b1214a87",
        "value": "A look at some of the malware used in Operation LagTime and how it may have been used to target Russia, the rest of Europe, and other countries in a campaign of cyber-espionage."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736669216",
        "to_ids": false,
        "type": "text",
        "uuid": "d152d780-30d4-44a3-80f3-86b8bc18fd17",
        "value": "Name: Actor behind Operation LagTime targets Russia\nAuthor: AlienVault\nAdversary: \nTags: [\"Armenia\", \"Azerbaijan\", \"LagTime\"]\nTgtd countries: [\"Malaysia\", \"Russian Federation\"]\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747504593",
        "to_ids": true,
        "type": "hostname",
        "uuid": "184a76cb-5051-441f-ab58-f0dd8f5b1b08",
        "value": "custom.songuulcomiss.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The configuration of the backdoor\u2019s C2, 103.106.250.239, which is hosted in Malaysia",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039622",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "687af3e8-4db4-43bf-a941-24e4418aa94b",
        "value": "103.106.250.239",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747503772",
        "uuid": "1ec71bd5-600a-49bc-8011-713454fb0dde",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Rtf file - version 7 of royal road document",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747503772",
            "to_ids": true,
            "type": "md5",
            "uuid": "e484eea7-a601-4886-ac1a-fa9c4e134d44",
            "value": "ae1b4a5775aca501954076b8024b04ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rtf file - version 7 of royal road document",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740280974",
            "to_ids": true,
            "type": "sha1",
            "uuid": "82f5597a-8dab-4db5-b6fc-82ffb8b931a9",
            "value": "2d678cba2795d0339331125692e9a850a043a22f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rtf file - version 7 of royal road document",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740280975",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0a2ff044-9fe1-4e6a-8ad1-00c7a081256d",
            "value": "f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740280645",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a43a5290-dff0-4472-ae43-0a646fc472c8",
            "value": "12288:tx8XBkRrBNv+AleVjv8DeZ48Fhi3BCXCQW:tx8XBkRrBNv+AleVj0DeZ489i"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740280645",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2f16ac66-74a4-4843-b9bb-eef4fb06f8d9",
            "value": "555643"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740280645",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8dde641f-ac9c-4a4b-8ec1-9ef3fffbc8e7",
            "value": "83da33a5decf1611b352314f1ec02b524"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740280645",
            "to_ids": true,
            "type": "filename",
            "uuid": "d0715c52-867b-46a7-9a5a-94481f6a3bc0",
            "value": "i7y0pxnks.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  28/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740280645",
            "to_ids": false,
            "type": "text",
            "uuid": "68a3a0d2-4c1f-4eef-a9d6-6c0795e0a983",
            "value": "Rtf file - version 7 of royal road document\r\nType Description: Rich Text Format\n\nMicrosoft: None\nVT Total Detection:33/63"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747503793",
        "uuid": "388611ad-3fdd-4a6a-8bec-c085d82209e4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747503793",
            "to_ids": true,
            "type": "md5",
            "uuid": "2ec6e56f-34fb-4194-bdf3-6b2c9bf98463",
            "value": "0a2e7c01b847d3b1c6eebe6af63dc140",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740280976",
            "to_ids": true,
            "type": "sha1",
            "uuid": "04c62491-e444-4fb9-adb9-858f382ed04d",
            "value": "b81c02f2cf5b67b3247d56970c66f7485ce4a517",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740280976",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6c9be765-6bba-47ca-a6e6-3f995fbf16ea",
            "value": "46a9ca7d5364fbe5fd3d6ffb0f8d86e9a9e566708657e59ef8873d3ed536348d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740280666",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "61e2982b-bd05-409e-8a78-94ab1ab309c3",
            "value": "3072:6s8m7j33ccjwXv1hA1xrnWVjKe9Exa10dcyadZ5N:6SjwNWxqRKDjCdF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740280666",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cd8c42aa-bb58-4ff0-acdc-83bb2bba51dd",
            "value": "135168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740280666",
            "to_ids": true,
            "type": "vhash",
            "uuid": "25e5de09-8810-4bb3-987d-6ddb3f9a7668",
            "value": "015056655d15556028z5fbz13z3bzb7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740280666",
            "to_ids": true,
            "type": "filename",
            "uuid": "b036d071-39dc-44e5-a058-102617d94c39",
            "value": "46a9ca7d5364fbe5fd3d6ffb0f8d86e9a9e566708657e59ef8873d3ed536348d_unpacked"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  21/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740280666",
            "to_ids": false,
            "type": "text",
            "uuid": "fc102e72-cf9c-4a9c-95a4-362af62fac8e",
            "value": "Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/OpLag!MTB\nVT Total Detection:58/72"
          }
        ]
      }
    ]
  }
}