{
"type" : "bundle" ,
"id" : "bundle--5c92319e-45b8-4164-bce2-4894950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:46:40.000Z" ,
"modified" : "2019-03-20T14:46:40.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5c92319e-45b8-4164-bce2-4894950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:46:40.000Z" ,
"modified" : "2019-03-20T14:46:40.000Z" ,
"name" : "OSINT - APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5c9231e8-66d4-4bf3-a8a7-4d87950d210f" ,
"url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f" ,
"x-misp-attribute--5c9231fb-5288-45ca-947c-4f67950d210f" ,
"observed-data--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"observed-data--5c923891-4300-445b-80ef-4578950d210f" ,
"file--5c923891-4300-445b-80ef-4578950d210f" ,
"artifact--5c923891-4300-445b-80ef-4578950d210f" ,
"observed-data--5c924f31-9e90-4f55-9b35-4f43950d210f" ,
"file--5c924f31-9e90-4f55-9b35-4f43950d210f" ,
"observed-data--5c924f31-5170-43f6-a619-4ea8950d210f" ,
"file--5c924f31-5170-43f6-a619-4ea8950d210f" ,
"observed-data--5c924f31-ad34-4375-ba9f-4dc7950d210f" ,
"file--5c924f31-ad34-4375-ba9f-4dc7950d210f" ,
"x-misp-object--5c9233af-23c0-4016-b150-4f5e950d210f" ,
"indicator--5c9236bc-379c-45cf-9069-6f74950d210f" ,
"indicator--5c924175-85d8-4e3d-9d43-45f8950d210f" ,
"indicator--5c9249a3-a864-407d-80b3-4043950d210f" ,
"indicator--5c924a6c-b788-41d4-818c-48ab950d210f" ,
"indicator--5c924a84-5e58-4db3-adf2-43e8950d210f" ,
"indicator--5c924aab-d144-4234-9f46-4441950d210f" ,
"indicator--5c924abf-b364-4901-b980-411b950d210f" ,
"indicator--5c924b25-c328-4e1b-98be-46c4950d210f" ,
"indicator--5c924b34-ecb8-4a8d-84ef-42fc950d210f" ,
"indicator--5c924e77-0b40-49bf-b352-48af950d210f" ,
"indicator--5c924e9e-f600-4b57-bb6b-4fe6950d210f" ,
"indicator--5c924edc-76d4-48a2-a677-40df950d210f" ,
"indicator--5c924f87-7304-4153-a92a-45c9950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:malpedia=\"NjRAT\"" ,
"misp-galaxy:rat=\"NJRat\"" ,
"misp-galaxy:tool=\"njRAT\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:certainty=\"50\"" ,
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c9231e8-66d4-4bf3-a8a7-4d87950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:29:24.000Z" ,
"modified" : "2019-03-20T12:29:24.000Z" ,
"first_observed" : "2019-03-20T12:29:24Z" ,
"last_observed" : "2019-03-20T12:29:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f" ,
"value" : "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5c9231fb-5288-45ca-947c-4f67950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:48:33.000Z" ,
"modified" : "2019-03-20T12:48:33.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "On March 17, 2019, 360 Threat Intelligence Center captured a target attack sample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250[6]), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document inside the archive regarding terrorist attacks to lure the victim into decompressing. When the archive gets decompressed on the vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and then triggered into execution if the victim restarts the computer or performs re-login. After that, the attacker is capable of controlling the compromised device.\r\n\r\nAfter conducting correlation analysis, we suspect the Goldmouse APT group (APT-C-27) may have a hand behind the attack. In addition, we discover multiple related Android samples disguised as common applications to attack specific targets after performing further investigations. Considering the language being used in the malicious code is Arabic, it seems that the attacker is familiar with the Arabic language as well."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:49:27.000Z" ,
"modified" : "2019-03-20T12:49:27.000Z" ,
"first_observed" : "2019-03-20T12:49:27Z" ,
"last_observed" : "2019-03-20T12:49:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"name" : "D2BOiosU0AATpdM.jpeg" ,
"content_ref" : "artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 2 w B D A A g G B g c G B Q g H B w c J C Q g K D B Q N D A s L D B k S E w 8 U H R o f H h 0 a H B w g J C 4 n I C I s I x w c K D c p L D A x N D Q 0 H y c 5 P T g y P C 4 z N D L / 2 w B D A Q k J C Q w L D B g N D R g y I R w h M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j I y M j L / w g A R C A K w B J o D A S I A A h E B A x E B / 8 Q A G w A B A A M B A Q E B A A A A A A A A A A A A A A M E B Q I B B g f / x A A a A Q E B A Q E B A Q E A A A A A A A A A A A A A A Q I E A w U G / 9 o A D A M B A A I Q A x A A A A G r c j i 7 u a 11 W v 43 w i 93 z y O Y y Z H w T o u S d V s H X k C y f z m E s e Q S W d + U 5 C w i 6 T t W l J F b 0 s I L V n D r o 4 P D 13 H H T z s 5 S r I v f e l i s Q a + d d t n 47 m 69 h N s 5 u A 0 + 1 y W n c j A a M 5 j t 8 Y D f g M d o X z A p / V 5 O f T 4 h V c f 6 O 0 q i 0 q i 17 U F t U L b V B b V O k s q 8 y d K / C 21 Q t q H w z 177 F v M i O U 5 R d x 0 8 j J U c l H P E S u b F k K P y a k e c W S O J D x x 6 d I + z 1 G l k S Q 2 d e A O F 7 c D t w j t w r p y O / O R 0 5 F 36 T D / A E L o + N 8 y 35 / X h + Y f T x H z r 6 C c + Y f T j 5 h 9 O P m P P p 6 x g v p / T 5 d 9 K P m v k v 1 X 8 r 6 u f U r 2 d D O M X U s d Y 3 V 5 u t q i 2 K X V s l T m 75 V P q 14 l L 24 K X N 5 V X m 4 s z r F k U e 7 a K X t z 0 q + W y V F s V P b X p T 5 v C n F o p a s d 72 y C K 4 M z 3 S S 0 t W t d m t T 4 n 7 + h z 9 e b 9 F V t Y u N 3 p w 3 e f s 8 d 5 Q w X U n n n Q U 7 g o 3 g i x P o M n P r + f P H B + r 9 e D 14 P X g 9 e D 14 P e u F l + 1 j d 3 y 0 b O E s 3 W L w z 9 F H g j e 8 w p C / c w D W 13 h E + i w u e J r 36 D 54 u 3 z j L n S t Y f p r y Y Y 3 u M Q m l a w y 7 n G M N 7 z C J s M c u j o f P D 6 H n A M 3 K n v O f f 14 m v X g 9 e D 14 P X g 9 e D W / Q v z 39 C 6 / g V 7 B 7 f O Q z C n c B F K O e g 4 d j j s I e L I f l n 6 n + W d n J r / T / M / 
R y + T c R 83 T e 9 h 7 s i 7 h 8 J P Y 41 t c w k k l p y l u C T h f P Y 40 m s U b R J T s 1 i f y t 2 S e c R S 3 Z K l i z m P 2 s W O o S z S V e k t w S R n H s c U t 6 S r P Z 24 H f z n 0 H z u 8 / M D s 5 z 6 L O x c 5 q 5 W o / V P y v 9 V 5 / Y 6 z O f 10 W L F q b 75 / Y i x 53 z n X R 88 f Q s H g + h f P 2 z V A M 80 H z 1 k 2 H z 4 + g Z u k A G F 6 b j D m N Z R o G 6 x J j V Y d g 1 A D H N h h R H 0 T B j P o m N E b z G l N Q A y D X Y V c + l Z 2 W f S s D 0 3 n P Q K h b f N 3 T X f N X D Z Z G u A G d l n 0 r G 6 N c A A A A A H P E W c b b A 0 y 37899 A f N a V L Y M H 5 P 7 H 4 / s 5 N f 6 f 5 j 6 L N 0 l f n n 6 b T D z I + v f L y R 9 I r t S w r 5 H p n f f P 6 d l 1 U 7892 F d F h U x 8 + v 0 b 5 j q T 6 V m 2 t S w p 1556 j P q R t v n r c u s p y e i w z L k s 3 u N K a i j N V h X g s u + / H S + m f r f m t 2 P z 1 + d v 0 x 7 + X 5 v J + i I / O Y f 0 x X 5 n + q 1 r P l v r z 15 e k M n R I 0 g c 9 c r 1 F 2 O O J h z 34 O n I 6 j 6 E f k o i 76 D r k d O R 7 z 6 O P J B F K H s f f h z J x 6 d u R 155 y R y + i J L y e 8 S C L r v w 7 c j r z w c u h B K 4 P f A n Q C f y E d O Q 65 E v U A n Q C W I O u 4 h O g E 6 A T o B O g E 6 v 6 T u O S X y I c 2 I f S V x 6 U r / I p f n n 6 h + X 9 n J s b 2 D v R a 4758 O n E z t 6 l 565 o T U z 7 P 2 O T 0 y z 9 C j 6 + d j 3 k x N n 24 d W 4 P H 2 g I / L 1 j 0 Y / Z i l e z t H e o O + G f G 1 U s Q z 1 q 2 b 2 f L 7 Y r 2 P X y z J X U 1 R h t 85 u n I e u f M H e x f X z r x Q + d n h u 6 e f o f P 6 d G t Z z O T 2 y N G X q W / w B 1 b H r i h c g k q b j v g K E x Z V I D S Z 85 Z U p i d n a Z z H 1 m m o r X i J L X J J I q 5 d U b y F Y W P e a y 22 Z Z L X k E x 0 f P n 0 H O f o T U E N r j W P f J e p f c 3 S o W e 2 e Z p e a G k s o W E s e e 9 c r W p a E C S w 3 K h T 2 a t y q 0 U v t n C 2 K i 2 K i 2 K n N 2 p V s Y 0 A A A A R S h F A l x X s B T u H M f v K y + e + H W d 38 k f c e 5 e o e 9 c 9 A D 8 u / U f y 7 s 5 N f e w t 2 L X H f n h 0 / M 4 / 2 t X F z K 
H 0 w 0 B 6 R k 3 u f T x r 8 T v X y z t D y X x 97 Y x 6 V 6 G t j e f t P S v J Y d i K X f n B R 0 8 z P l Z i r 9 z W j n e + s 3 L H H f p a M n f O b V 4 t e S 3 R 6 R H J z G d L N Y 1 n 5 f 6 W C 1560 s z T p 8 / r V v w e y + X a k / v 599 Z 0 5 Y q 2 u T L k v j P a A z u r 4 x 9 K Y U 7 v g k y N P g r a M Q l 8 j C t a k K d w M n W D m O Y U p p x 550 G b p J q G T r m 56 Q 5 Z t U p M v e d D v B 1 d T T U K n l v a M U 2 v M z S O o u 8 y z V Z 88 t k A F a v Y 41 M m H f g z c S 5 o d l W G 6 M 7 V 891 O s b f h z c D j b 9 M + z a 4 K U e j 2 X C A w d n y P e K a z 1 Z x X 0 P c 6 k s Z 2 j F f z n u a m 89 E c V g R S v R 1 z 0 A P y 79 R / L u z j 2 N 3 C 3 Y t D x 6 o u L C K 0 s g C v n X 0 S P m N D X G X B t i h f K U L 4 w q n 1 C A p 56 j 57 r f G D v F A R R 2 U V / L I j k B T u D L p f Q j E 3 P P Y 0 a V 3 N x r S 4 w Z D d 5 o a J W 9 s Q k n X P Q f K / T E h k m s Z h p s z T C t G X W B p F 1 R 9 L p j m x 5 V s p 1 z 1 T W 37 X k J I 5 P m z 6 P 357 e O 0 P R I + c + j H M E 4 g s 1 C 3 k a 8 W s 5 F y 3 x q T Q T d + e 1 a z 4 R S R 9 J 1 Q 0 f K 4 k 5 j l m A B W 9891 m w z e s 60 G X M X m b 6 a N T 3 z W b a n D n W k y r p Y Z c x e U L 4 A Y 1 o v s 3 k 1 G b Y L S n c K v r 0 m o X 6 x H F J E W v Y 6 h r 9 c 9 A D 8 v / U P y / t 49 f d w t 2 L R S 5 + q 6 i l H n v h 15 g U f L p + w 7 z L O v G 0 o 3 m T P 7 W 6 z u y 8 z J k u s 64 S q U a 6 K k S 6 y Z T R V C 22 d O l p k d L q u e U k S W C m Q r M p 3 j n m K V L w l K 1 k e e j D 705 s a 56563 m l c 9 C t Z C C c Z u k C G Y U p 5 h D X v E V b R e X Q V b Q r 2 A U L 7 w s E 4 P m f p n r 6 f G / T 209 H P X O + b 3 O u V y t e W b F S 3 U l l J j j 3 r k p J u K u c k Z c m l C T A A r R 2 Y 9 T h 2 S t 3 M I Y r Y 44 m 9 J u P G d e P R X 7 l E f X Q 76 i D n o R d d j i G y O Z 4 h D 316 d 9 c 9 C v Y 8 P Q c 9 c 9 A D 8 v 8 A 1 D 8 w 7 e P W 38 D c y v R e u f q k R i T n n w z M z 6 r 3 x V p u 21 P q 0 t r + W U s X F h Z B L 0 i v H c V V 9 s p Y / J V V P 
b R I O b K W v 1 M s 5 r 2 k v N O 8 q W S s S t L I l p X + V Q W O U m g p 0 V 2 m V I a L L 7 N F U 4 L n V e w A A A A A A F e s a L O 8 N I A A A A A A D m h c J Q A C i X m T I a T K l N B l x m w A A A r 8 F n r n o A A A A A I c 81 m X 6 a b j s A A A A A F E u d V 7 A A B z 1 z 0 E F U 0 f z D 9 P / M O 3 j 1 v o f n 97 O d P 356 j z d n 2 L 5 u v H 1 l d J c 9 d R l k R i R G O 5 a 8 s v d a T 5 u a + p f K 65 p R d Z Z r d f K 3 z b 8 o X D j q n A b D 5 i U + i c D t w O 3 A 7 c D t w O 3 A 7 r T Q n X F o V / Z x B 7 M I v Z B F 30 O X Q 5 d D l 0 O X Q 5 d D l 0 I / J R F 5 M O X Q 5 d D l 0 O X Q 5 d D l 0 O X Q h 6 k H L o c u h z z I I E 4 o 2 J h T n l H H v Q 5 d D l 0 O Y p x x 70 O X Q 5 d D l 0 O X Q 5 d C L i w K y y O P e h y 6 H L o c u h y 6 H L o c 8 y C L v o c u h y 6 H H v Q 5 d D n 8 y / T / z D t 49 j b x P o s y y p 2 + T p 9 S t W J K I k o i S i J K I 5 C a C U D z 0 A A E H H J N M r F l C J g A A A A I 5 I y 2 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B + Y / p 35 j 28 e x 9 D 899 D h Q u L 3 z + y K x 0 9 n L o c u h y 6 H L o c u / S N I I 0 g j S C N I I 0 g y 6 f 0 A + d f R D 52 r 9 Y P l f p p C R p C x p B G k E a Q R x 2 I S y A A A A A A A A A A A A A A A A A A C K K P A P r Y / k 5 j 6 W X 4 f 7 U 7 r Y N 8062 f e P b / z f 0 J 2 A A A A A A A A A A A A A A A A A A A A A A A A A e H v 5 l + m f m f b x 6 u / g f Q Z z j 61 G z x 9 c m g l u + g A A A d d c 9 A A A A A G d F o c F b I + j 4 K N L d 6 P n f p o Z j 0 A A A C v Y r l g A A A A A A A A A A A A A A A A A A D z 2E8 l p 3 T 3 j P 0 y h e j 8 M 2 / J R N N n a I A A A A A A A A A A A A A A A A A A A A A A A A A 898 H 5 n + m f m f b x a 23 i 7 m Z R 0 c / R 5 + y T j q v j d r 2 v 0 l 6 S t Z Q F A 6 p 3 K R 7 z F 0 c 2 a u q j H 2 M e a 1 c 2 W C 552 q d w z e b d O W b 2 v 1 U / l a S K t v y a o Z I O w 5 k O b V K c 7 h q 2 y e v D Y N A A A A A A A A A A A A A A A A A A A D B 3 u T 5 a x 9 B W K t 
+ e m f M / S X Y z 5 + 3 x
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c923891-4300-445b-80ef-4578950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:56:49.000Z" ,
"modified" : "2019-03-20T12:56:49.000Z" ,
"first_observed" : "2019-03-20T12:56:49Z" ,
"last_observed" : "2019-03-20T12:56:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c923891-4300-445b-80ef-4578950d210f" ,
"artifact--5c923891-4300-445b-80ef-4578950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c923891-4300-445b-80ef-4578950d210f" ,
"name" : "[Analysis_Report]Operation_Kabar_Cobra.pdf" ,
"content_ref" : "artifact--5c923891-4300-445b-80ef-4578950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5c923891-4300-445b-80ef-4578950d210f" ,
"payload_bin" : " J V B E R i 0 x L j U N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h r b y 1 L U i k g L 1 N 0 c n V j d F R y Z W V S b 290 I D I x N y A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A 1 M i 9 L a W R z W y A z I D A g U i A x N i A w I F I g M j E g M C B S I D I z I D A g U i A y N y A w I F I g M j g g M C B S I D I 5 I D A g U i A z M C A w I F I g M z E g M C B S I D M y I D A g U i A z N C A w I F I g M z U g M C B S I D M 2 I D A g U i A z N y A w I F I g M z g g M C B S I D M 5 I D A g U i A 0 M C A w I F I g N D E g M C B S I D Q y I D A g U i A 0 M y A w I F I g N D Q g M C B S I D Q 1 I D A g U i A 0 N i A w I F I g N D c g M C B S I D Q 4 I D A g U i A 0 O S A w I F I g N T A g M C B S I D U x I D A g U i A 1 M i A w I F I g N T M g M C B S I D U 0 I D A g U i A 1 N S A w I F I g N T Y g M C B S I D U 4 I D A g U i A 2 M C A w I F I g N j E g M C B S I D Y y I D A g U i A 2 M y A w I F I g N j U g M C B S I D Y 3 I D A g U i A 2 O C A w I F I g N j k g M C B S I D c w I D A g U i A 3 M S A w I F I g N z I g M C B S I D c z I D A g U i A 3 N C A w I F I g N z c g M C B S I D c 4 I D A g U i A 4 M C A w I F I g O D E g M C B S I D g y I D A g U l 0 g P j 4 N C m V u Z G 9 i a g 0 K M y A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l L 1 B h c m V u d C A y I D A g U i 9 S Z X N v d X J j Z X M 8 P C 9 G b 250 P D w v R j E g N S A w I F I v R j I g O S A w I F I + P i 9 F e H R H U 3 R h d G U 8 P C 9 H U z c g N y A w I F I v R 1 M 4 I D g g M C B S P j 4 v W E 9 i a m V j d D w 8 L 0 1 l d G E x N C A x N C A w I F I v T W V 0 Y T E 1 I D E 1 I D A g U j 4 + L 1 B y b 2 N T Z X R b L 1 B E R i 9 U Z X h 0 L 0 l t Y W d l Q i 9 J b W F n Z U M v S W 1 h Z 2 V J X S A + P i 9 N Z W R p Y U J v e F s g M C A w I 
D U 5 N S 4 z M i A 4 N D E u O T J d I C 9 D b 250 Z W 50 c y A 0 I D A g U i 9 H c m 91 c D w 8 L 1 R 5 c G U v R 3 J v d X A v U y 9 U c m F u c 3 B h c m V u Y 3 k v Q 1 M v R G V 2 a W N l U k d C P j 4 v V G F i c y 9 T L 1 N 0 c n V j d F B h c m V u d H M g M D 4 + D Q p l b m R v Y m o N C j Q g M C B v Y m o N C j w 8 L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 M Z W 5 n d G g g M T U z M z 4 + D Q p z d H J l Y W 0 N C n i c t V p N b + M 2 E L 0 b 8 H / g U S p q Z j j 8 X g Q B Z C d Z 7 E f Q b p O i h 2 w P T p q m i 2 a T N k m 7 K N A f 36 F s J 2 l l e V y Z z M G W J U V 8 f E O + N 0 N K 7 H 0 r 9 v f 3 T m Z v D g X s v Z / f X o v q 6 n b y / W l 9 c C C m h z P x + 3 g E E t J f C F 4 J E D Z a q V E E o 2 R E c X 81 H v 3 w l b g d j 6 Z n 49 H e s R J B g h F n P 49 H 6 W Y Q S l g n n R H e e 6 l Q n H 2 m u 16 f e n H 9 k B 6 s E A V I 9 I E + r f b i / r q 9 H H o u f / d 6 P B I J T o x O n F 2 e V w i q / l G c v R 2 P j q j 5 D 3 T 16 G Q m x I t O q T K d c l H G 8 K 9 e r e / M + j 6 c V 5 G B j W V g e y M 1 D I a d q N f U U G J e C q Y H u l A P w m 7 E A w P b l I E d 9 C 7E00 B n Y N t C s L 30 Z v h 4 m V D z A c J 2 A 8 a V 6 U L E X Y f 8 s 9 p w Y u P L d E G B k u C G D x 6 O + V A K t p W A 5 W D H M r A R C Z A W j r Q y u A K w V R 6 f 1 b j e a B 1 d c E P o / u a 3 q / v 546 d a V 3e34 t 38 o l a 2 m t O v e z G r T X V 3 c U / H c 65 v e e y 22 z c d t f R x e O f Y o O Q x X M o K 3 J q Y 2 K B I R x e w R U I p W l D v P t W 2 + v z w x 6 / 1 R G H 1 F w c x j 6 N 2 I B K z o R 8 j S 5 w Z B g T X A C F r h z 4 g + 4 C H G n A a D h g 8 e Z y w A 0 4 p Q j e c J Z e N J Y U p X r 0 s a Q V g b T y Y K L V P b S B H V x 7 L 6 q K 0 G 1 D y d I V 8 d F m K W y 9 b s Z m C d 44 j K Y / T d L H 5 X c Y U Q j 6 S w s Y x 1 Z g I G j X D E u b R / g 44 B C 2 j H s w S Z m M J I c h g 1 w M R 0 O Y 4 l 1 v r F B Z S c 0 Q C 2 T f g e b b y q T n q D W H b B z e b A d k z x 1 I h N U e S p + g H s 5 R P z d F u C 
B e x Z D 24 Y 8 W x V E j E M e n T 8 J m X p 6 z o o g o 7 x S 5 m i 90 y t 9 N E U u y G z s 88 W M W J p s 5 T D H S w e S d t 6 A P H k q R V N p I o S g 43 s O Q M N N q B 9 c u U p S F H N v o I g p 8 u T n h Q 0 N g j j s d C + b t y S t p e H j 9 W V B k 1 l L 276 p Q + o T q a 1 R N T f a w 5 f g u J v 4 p K 6 s F B z 6 f 9 K j p J Z V h f 0 C m + y / z U T y n g x 1 x s S 5 k A O k k F 4 l C 6 B p u A 6 + a B X i q z m r O L 4 h a t a s G 0 B 8 s C a K Y o v a f p w S a s O o 8 h d I F S i Q a W A c o z N z i 77 w B C I H n h A J G N H h + C b n x S G 465 P K l + F y i i t H p X 5 s z g l H 8 N I J d W u V j m K A E x u g F k k x C T J / 3 v A j W e B 8 o z N 7 g M 6 A K y I J 1 i m W u m D v B o R k L n S O j I x q y e c h T m s Y U u Y s r j r N + Z w j x b I 110 A b c Q F U Q g h w 2E0 i f b Z a D a f N E m y d M c d x R g E 7 n g 5 t n f 6 A D U Q P / A z g 9 K S S g x S e Q p b a L m + C v k H x q j h L g Z q 1 B S 2 X a 7 R b A j M k + F 0 Y W p S R s Z m O f V 34 I G p I n 8 v B l c c X S B G S M D L 9 q L / I p k p z l G C F M P U 8 s t R 9 g 8 d U g X s c e 0 b r + j 9 N h C 3 q I J F 7 L C + K q e o G r n D q V f H N I 8 d U g X K W X 2 g U U 64 d A V M h g d j f S M h L c 7 q T Z t 69 D U 9 s h u a B d y G w P b h J w l M k 9 J s g Z d T O r H o A s k P D Q Y F 4 Y I r Q w l Y 6 Q v v 7 U q 2 X z l i z E g N Z + E N z M A b 7 k c y B a y H m O N 1 L s L U S H H M d Z v M b 1 f r T x 8 C x 0 q V M c Y r 6 U O u 0 4 f V 8 h t T N J z x 6 H z 2E4 c T o F c I d M x w U t 2 I L I M F v I Z E 0 F 6 N r 4 h g k o 6 Y + F J d u g r r n 6 w b / o U s q H l O o r T s v W Z H v B f 0 i x a f h h X y X Q 0 / 6 W e 6 O q 2 n v j q p r b V / K I 9e0 l T 7 S 5 d + M x 1 q F R p p C H l 9 k y H W L p z m F X / s h W V w w Y 36 D 5 l o I z m u 0 K l U d r W t A w + n r 1 S a 2 n B p o 3 p z e C a 53 H 5 f n 7 x d f p O + v + m n t j F 2 T R E 5 V N + 2 t z U k 9 i O 4 P T r P t 2 Q X j G 5 p q e E 6 r F d p 34 Q d a Q r s b p 6 S J O 1 u q K 7 b K j + r O n w 
J 8 l x U c j + M L i 0 p L J r p A q 9 E L b Y 56 G a E F b g / s c y s V 8 t 2 T 299 U y A J i 8 R O b L U s E I V M b X 1 D A r J z w j l 6 h 8 o g T L P P 8 D 49 J K T M j Y k k J 4 e Z V O S c 5 l e s j 65 e p z T 7 D y 8 E x 9 e v H L d x b f a 6 k H x h X 33 e t S 24 m N M S y L U S F o 6 t 3 Z 14 m Y 8 O l 3 X w m r p T a U W F o + w N l C o X z x i e a L v E X o D i c S C b 4 s L o P m u V G 98 l V S a A g j / 5 Q 8 p A C 7 x F 8 h V U x b 2 T J 9 d S 98 / w F 1 j W w 0 K Z W 5 k c 3 R y Z W F t D Q p l b m R v Y m o N C j U g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d C 9 T d W J 0 e X B l L 1 R y d W V U e X B l L 0 5 h b W U v R j E v Q m F z Z U Z v b n Q v Q U J D R E V F K 0 1 h b G d 1 b k d v d G h p Y 1 J l Z 3 V s Y X I v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z v b n R E Z X N j c m l w d G 9 y I D Y g M C B S L 0 Z p c n N 0 Q 2 h h c i A z M i 9 M Y X N 0 Q 2 h h c i A x M j U v V 2 l k d G h z I D E z N j E 5 I D A g U j 4 + D Q p l b m R v Y m o N C j Y g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d E R l c 2 N y a X B 0 b 3 I v R m 9 u d E 5 h b W U v Q U J D R E V F K 0 1 h b G d 1 b k d v d G h p Y 1 J l Z 3 V s Y X I v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g M C 9 B c 2 N l b n Q g M T A 4 O C 9 E Z X N j Z W 50 I C 0 y M D A v Q 2 F w S G V p Z 2 h 0 I D g w M C 9 B d m d X a W R 0 a C A 0 N j M v T W F 4 V 2 l k d G g g M T M 1 O S 9 G b 250 V 2 V p Z 2 h 0 I D Q w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 T d G V t V i A 0 N i 9 G b 250 Q k J v e F s g L T E 2 M C A t M j A w I D E x O T k g O D A w X S A v R m 9 u d E Z p b G U y I D E z N j E 3 I D A g U j 4 + D Q p l b m R v Y m o N C j c g M C B v Y m o N C j w 8 L 1 R 5 c G U v R X h 0 R 1 N 0 Y X R l L 0 J N L 0 5 v c m 1 h b C 9 j Y S A x P j 4 N C m V u Z G 9 i a g 0 K O C A w I G 9 i a g 0 K P D w v V H l w Z S 9 F e H R H U 3 R h d G U v Q k 0 v T m 9 y b W F s L 0 N B I D E + P g 0 K Z W 5 k b 2 J q D Q o 5 I D A g b 2 J q 
D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U e X B l M C 9 C Y X N
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c924f31-9e90-4f55-9b35-4f43950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:33:21.000Z" ,
"modified" : "2019-03-20T14:33:21.000Z" ,
"first_observed" : "2019-03-20T14:33:21Z" ,
"last_observed" : "2019-03-20T14:33:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c924f31-9e90-4f55-9b35-4f43950d210f"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c924f31-9e90-4f55-9b35-4f43950d210f" ,
"name" : "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\New March\\New March\\obj\\Debug\\New March.pdb"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c924f31-5170-43f6-a619-4ea8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:33:21.000Z" ,
"modified" : "2019-03-20T14:33:21.000Z" ,
"first_observed" : "2019-03-20T14:33:21Z" ,
"last_observed" : "2019-03-20T14:33:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c924f31-5170-43f6-a619-4ea8950d210f"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c924f31-5170-43f6-a619-4ea8950d210f" ,
"name" : "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\March\\March\\obj\\Debug\\March.pdb"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c924f31-ad34-4375-ba9f-4dc7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:33:21.000Z" ,
"modified" : "2019-03-20T14:33:21.000Z" ,
"first_observed" : "2019-03-20T14:33:21Z" ,
"last_observed" : "2019-03-20T14:33:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c924f31-ad34-4375-ba9f-4dc7950d210f"
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c924f31-ad34-4375-ba9f-4dc7950d210f" ,
"name" : "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\December\\December\\obj\\Debug\\December.pdb"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5c9233af-23c0-4016-b150-4f5e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:35:59.000Z" ,
"modified" : "2019-03-20T12:35:59.000Z" ,
"labels" : [
"misp:name=\"microblog\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "post" ,
"value" : "Analysis report of targeted attack against the Middle East with #WinRAR exploit (#CVE-2018-20250) that seems conducted by #APT-C-27 (#Goldmouse). #njRAT is extracted to the startup folder and we discovered multiple related #Android samples as well.\r\n\r\n(link: https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/) ti.360.net/blog/articles/\u2026" ,
"category" : "Other" ,
"uuid" : "5c9233af-1768-4a7a-892a-441e950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "type" ,
"value" : "Twitter" ,
"category" : "Other" ,
"uuid" : "5c9233af-9768-48dc-8e02-4a0d950d210f"
} ,
{
"type" : "url" ,
"object_relation" : "url" ,
"value" : "https://mobile.twitter.com/360TIC/status/1107981000573771776" ,
"category" : "Network activity" ,
"to_ids" : true ,
"uuid" : "5c9233af-3b98-4300-bdfc-49cb950d210f"
} ,
{
"type" : "url" ,
"object_relation" : "link" ,
"value" : "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/" ,
"category" : "Network activity" ,
"to_ids" : true ,
"uuid" : "5c9233af-9650-4a68-bc99-4982950d210f"
} ,
{
"type" : "datetime" ,
"object_relation" : "creation-date" ,
"value" : "Mar 19, 2019 1:23 PM" ,
"category" : "Other" ,
"uuid" : "5c9233af-0238-4ecc-8225-49ff950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "username" ,
"value" : "360TIC" ,
"category" : "Other" ,
"uuid" : "5c9233af-f284-4cad-962c-428a950d210f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "microblog"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c9236bc-379c-45cf-9069-6f74950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T12:49:00.000Z" ,
"modified" : "2019-03-20T12:49:00.000Z" ,
"pattern" : "[file:hashes.MD5 = '314e8105f28530eb0bf54891b9b3ff69' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T12:49:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924175-85d8-4e3d-9d43-45f8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T13:34:45.000Z" ,
"modified" : "2019-03-20T13:34:45.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '36027a4abfb702107a103478f6af49be' AND file:hashes.SHA256 = '76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689' AND file:name = 'Telegram Desktop.exe' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T13:34:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c9249a3-a864-407d-80b3-4043950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:09:39.000Z" ,
"modified" : "2019-03-20T14:09:39.000Z" ,
"description" : "Malicious ACE Archive" ,
"pattern" : "[file:hashes.MD5 = '314e8105f28530eb0bf54891b9b3ff69' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:09:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924a6c-b788-41d4-818c-48ab950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:13:00.000Z" ,
"modified" : "2019-03-20T14:13:00.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '83483a2ca251ac498aac2abe682063da' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:13:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924a84-5e58-4db3-adf2-43e8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:13:24.000Z" ,
"modified" : "2019-03-20T14:13:24.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '9dafb0f428ef660d4923fe9f4f53bfc0' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:13:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924aab-d144-4234-9f46-4441950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:14:03.000Z" ,
"modified" : "2019-03-20T14:14:03.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '2bdf97da0a1b3a40d12bf65f361e3baa' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:14:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924abf-b364-4901-b980-411b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:14:23.000Z" ,
"modified" : "2019-03-20T14:14:23.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '1d3493a727c3bf3c93d8fd941ff8accd' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:14:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924b25-c328-4e1b-98be-46c4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:16:05.000Z" ,
"modified" : "2019-03-20T14:16:05.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '72df8c8bab5196ef4dce0dadd4c0887e' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:16:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924b34-ecb8-4a8d-84ef-42fc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:16:20.000Z" ,
"modified" : "2019-03-20T14:16:20.000Z" ,
"description" : "Backdoor" ,
"pattern" : "[file:hashes.MD5 = '6e36f8ab2bbbba5b027ae3347029d1a3' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:16:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924e77-0b40-49bf-b352-48af950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:30:15.000Z" ,
"modified" : "2019-03-20T14:30:15.000Z" ,
"description" : "Android Sample" ,
"pattern" : "[file:hashes.MD5 = '5bc2de103000ca1495d4254b6608967f' AND file:name = '\u0628\u0648 \u0623\u064a\u0648\u0628 - \u0627\u0644\u0642\u0631\u064a\u062a\u064a\u0646 \u0623\u0628\u0648 \u0645\u062d\u0645\u062f.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:30:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924e9e-f600-4b57-bb6b-4fe6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:30:54.000Z" ,
"modified" : "2019-03-20T14:30:54.000Z" ,
"description" : "Android Sample" ,
"pattern" : "[file:hashes.MD5 = 'ed81446dd50034258e5ead2aa34b33ed' AND file:name = 'chatsecureupdate2019.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:30:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924edc-76d4-48a2-a677-40df950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:31:56.000Z" ,
"modified" : "2019-03-20T14:31:56.000Z" ,
"description" : "Android Sample" ,
"pattern" : "[file:hashes.MD5 = '1cc32f2a351927777fc3b2ae5639f4d5' AND file:name = 'OfficeUpdate2019.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:31:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c924f87-7304-4153-a92a-45c9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-03-20T14:34:47.000Z" ,
"modified" : "2019-03-20T14:34:47.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.137.255.56') AND network-traffic:dst_port = '1921' AND network-traffic:dst_port = '1994' AND network-traffic:dst_port = '1740']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-03-20T14:34:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}