misp-circl-feed/feeds/circl/misp/5a462890-bb44-47c7-ba3b-21bda5fe7088.json

{
  "Event": {
    "analysis": "2",
    "date": "2017-12-29",
    "extends_uuid": "",
    "info": "Threat Analysis: Malicious Microsoft Word Documents Being Used in Targeted Attack Campaigns",
    "publish_timestamp": "1524609534",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1514549711",
    "uuid": "5a462890-bb44-47c7-ba3b-21bda5fe7088",
    "Orgc": {
      "name": "Crimeware",
      "uuid": "569f692d-b290-40cc-ae1a-2c48ff32448e"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#00223b",
        "local": false,
        "name": "osint:source-type=\"blog-post\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "data": "/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAAA8AAD/4QMqaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjYtYzE0MiA3OS4xNjA5MjQsIDIwMTcvMDcvMTMtMDE6MDY6MzkgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHhtbG5zOnhtcD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bXA6Q3JlYXRvclRvb2w9IkFkb2JlIFBob3Rvc2hvcCBDQyAoV2luZG93cykiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6RTNBQkE4MDBFNEUzMTFFN0E3ODBGN0UyQjUxQjlBMzUiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6RTNBQkE4MDFFNEUzMTFFN0E3ODBGN0UyQjUxQjlBMzUiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDpFM0FCQTdGRUU0RTMxMUU3QTc4MEY3RTJCNTFCOUEzNSIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDpFM0FCQTdGRkU0RTMxMUU3QTc4MEY3RTJCNTFCOUEzNSIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/Pv/uAA5BZG9iZQBkwAAAAAH/2wCEAAYEBAQFBAYFBQYJBgUGCQsIBgYICwwKCgsKCgwQDAwMDAwMEAwODxAPDgwTExQUExMcGxsbHB8fHx8fHx8fHx8BBwcHDQwNGBAQGBoVERUaHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fH//AABEIAZMEAAMBEQACEQEDEQH/xADIAAEAAgMBAQEAAAAAAAAAAAAAAwQBAgUGBwgBAQADAQEBAAAAAAAAAAAAAAACAwQBBQYQAAICAQMCAgUFCQoLBwMEAwECAAMEERIFIQYxE0FRIjIUYXEzFQeBkaFCUmKyIxax0XKConOTs3S0kkNTY4PTJDQ1VgjBwkSEVXU28OEl8dLDN1RFRhEBAAIAAgUJBQYFBAIDAQAAAAECEQMhMUESBFFhcYGRwdETFKGxMlIF8OEiQnKSgqKy0jPxwuIjYrPyQzRT/9oADAMBAAIRAxEAPwD9UwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQOXR3V2zfyzcPTyuLZyqsyNgpchuDVgl12A66qAdR6JCMyuOGOlotwmbFN+a23OXDQ6kmzkBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA53cHOY/B8TfyeRRfk1Ubd1OLWbbTvYKNqDT8rrI3tuxiv4fInNvFImImeWcIfPew+38HuTtjmeUxmfis7l+WzcjF5ShUTkMepsgN5ZfqyEhSrLu8D8szZVItWZ1YzPS9r6hxNsjOpSfx1pl1iaz8Ezu6+d3/sr5DkL+F5DD5DOs5C/jOUzMGvIvIa5qqLNFLnxJ6yzh5mYmJnHCZY/q+XSuZW1a7sXpW2EasZjY9pL3lEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA+b8Bm9wdo8lza85xlWL2vk8nmZ7dwvl1BUXKs1pU0DWz2mKr85mWk2pM4x+HGdOL3eIplcTSnl2mc6KVrubs/ljTp1c6D7Ju3+3c/N5nvFKRdyd3L8guLyAeza2O7+ztTcKyCGPXbOcPSszNtuMp/WOJzaVpkTOFIy6Y10a8O19Pmt8+QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQK2ZRl3GoY+ScZUdXsZVViwVgSntAjay6g+n1QPJ8p2r35nYmTi/tJSara6a6hdg49oDVZptax1ZdrM+Kq1kabQ+rqF6AcmMUq3ms4xOEunw3A9w4KW1W8rW2N8ZfbjY1GNTSleHbYrVUeyo9qtAw3ektqfCIjAtabTjM4y9FOokBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAjyWyFxrWxlV8gIxpRzopfT2Qx9AJgeeyr+9HKmnHVRWpsGq16u20AKyjI095m1XdpoAd2vswNsm/vGyy0V4y0pTajUsprbzE2WiwaGwa+0E267fHr6dAl5S3nclt3EeYKLanWxrE8l6ragXr2LcFLeczBGOmgAgVRld0jt74VKbH5wecLGdFGiEv5TK4auhm619BYSBrrqQYFrKyu66ccPXRU5Flm4bdxWpWUISBZq25NzEqCddBsMCGvke8muSv4KrXy2sbeuxeptCBmFr7T7KdF3+PXb6AtYOfzleJddzGP5be7RRiVm2w+zrrqrWD5Oug19PWBBx690eZgHIFi1nc2TWxpYoC1p2WMpbftU1KjJ46EtprpAkxE5spx1mWcinyFusz9TU5fYdK62SrfuZ927VPydPEwJcm7lLr8h8RL/hnwm8g6V1kZAYgAJbtcMR+UNsDTKzu4KqcBcfDNltoCZIs2kq4rFpbVH2gfq2r6/jsvo1gT8Fb3BbVa/MVVUMGK01VjUlQSNzMHce
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514548004",
        "to_ids": false,
        "type": "attachment",
        "uuid": "5a462b24-9d10-4f02-afce-24b9a5fe7088",
        "value": "Figure_10_fixed_for_release.jpg"
      },
      {
        "category": "External analysis",
        "comment": "Payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547847",
        "to_ids": false,
        "type": "link",
        "uuid": "5a462a87-dd74-4356-be5c-21c0a5fe7088",
        "value": "https://www.cobaltstrike.com/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547489",
        "to_ids": false,
        "type": "link",
        "uuid": "5a462921-ae28-47ba-b058-24b8a5fe7088",
        "value": "https://www.carbonblack.com/2017/12/19/threat-analysis-malicious-microsoft-word-documents-used-targeted-attack-campaigns/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547517",
        "to_ids": false,
        "type": "text",
        "uuid": "5a46293d-1dd0-4aa8-b2dc-24cea5fe7088",
        "value": "A Microsoft Word document (.doc) believed to be malicious was recently submitted to Carbon Black\u00e2\u20ac\u2122s Threat Analysis Unit (TAU). The submitting organization did not feel that that document (and subsequent payload) was fully executing in their analysis environment, and questioned whether or not it was actually malicious.\r\n\r\nThe submitted file was part of a targeted attack against an organization, and would not properly run unless the infected system configured for a domain that matched a hard coded pattern. The malicious carrier file contained embedded macros which would launch a series of VB scripts. Ultimately the scripts would inject a Cobalt Strike payload into a running process. While researching this variant TAU discovered numerous other variants (both .doc and .docx formats), which were written in the same manner. Only one instance contained the portion of code to ensure the script would only run at a targeted domain. All of these variants had very low coverage when run through an analysis engine, and as this technique emerges it will continue to be used in targeted attacks and eventually commoditized."
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547712",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a462a00-89c8-449f-8cee-24c3a5fe7088",
        "value": "carbon-copy-marketing.com"
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547713",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a462a01-69f8-4ee8-b0ce-24c3a5fe7088",
        "value": "free-clipart-archive.com"
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547713",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a462a01-04d0-4bb8-ae2e-24c3a5fe7088",
        "value": "stationmovil.com"
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547713",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a462a01-f43c-4d17-8f06-24c3a5fe7088",
        "value": "www.bankingandfinanceexpert.com"
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547713",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a462a01-40a8-4652-9457-24c3a5fe7088",
        "value": "www.themediaeducation.com"
      },
      {
        "category": "Network activity",
        "comment": "Cobalt Strike C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547712",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5a462a00-2338-4071-b27e-24c3a5fe7088",
        "value": "212.83.58.231"
      },
      {
        "category": "Payload delivery",
        "comment": "Embedded payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547603",
        "to_ids": true,
        "type": "filename",
        "uuid": "5a462993-bad8-4de5-bc25-21bea5fe7088",
        "value": "Cobalt_Strike.dll"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-a918-4393-9c0f-21c0a5fe7088",
        "value": "3f06c23c4119d720b2a627ab5454a3e0"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-b014-485d-858b-21c0a5fe7088",
        "value": "376396fceb8e52425780459c41ac3ab4"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-9690-4c69-96a4-21c0a5fe7088",
        "value": "d79a8e0a9e8c7294351657f7897fd121"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-bc88-4dd8-99ef-21c0a5fe7088",
        "value": "c17cfcab0d115732a262da8a58dcf318"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-971c-44eb-8fac-21c0a5fe7088",
        "value": "81af1f218c0a44ea39aa3eca78f24bc0"
      },
      {
        "category": "Payload delivery",
        "comment": "Embedded payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547604",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462994-0180-478c-950f-21bea5fe7088",
        "value": "f2f52c78d594c37b546f6c09207cb481"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "md5",
        "uuid": "5a462a39-041c-420e-84fc-21c0a5fe7088",
        "value": "c916685d48dec5891e92c09e18300381"
      },
      {
        "category": "Payload delivery",
        "comment": "Embedded payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547604",
        "to_ids": true,
        "type": "sha1",
        "uuid": "5a462994-4a3c-4344-a383-21bea5fe7088",
        "value": "12bc1affe86327d9f78684cde46cfff4dee57149"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-9f74-4044-ba5f-21c0a5fe7088",
        "value": "277226cb5f59de6f4493a42e42f7ea575d65da7a033ae343166ad4fa96db8654"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-c24c-450f-acd2-21c0a5fe7088",
        "value": "76e2277c63303df6c5b32fdacffcf37c8657ec263070a533eba100d83cade81e"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-85fc-4ac2-ad5d-21c0a5fe7088",
        "value": "2519e09e54ccc18c7dfc938760b48b559b7e4fb8465e12d8144083d2178789e2"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-4008-4bbb-85cc-21c0a5fe7088",
        "value": "c10ee375a841fd537ede2afa9e68817ddaaaf2e6587a519c267aac6c1fe8d081"
      },
      {
        "category": "Payload delivery",
        "comment": "Embedded payload",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547604",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462994-4cd4-4f75-b09a-21bea5fe7088",
        "value": "fa405c36d82b264568219b521886d2e7ef589674874983c7db1d67928003489e"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-905c-4cb6-bb25-21c0a5fe7088",
        "value": "9416893eb0b8b1e7b4afd342887fa358d1ea7dbd56d4a51a25a801715c761356"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1514547769",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5a462a39-99e0-4dd8-bf3d-21c0a5fe7088",
        "value": "2a31a24ce994ae3465e77d4ec190882804233209b7f67bd4ef03375bd9b5f9ed"
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"Event": {`
			`"analysis": "2",`
			`"date": "2017-12-29",`
			`"extends_uuid": "",`
			`"info": "Threat Analysis: Malicious Microsoft Word Documents Being Used in Targeted Attack Campaigns",`
			`"publish_timestamp": "1524609534",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1514549711",`
			`"uuid": "5a462890-bb44-47c7-ba3b-21bda5fe7088",`
			`"Orgc": {`
			`"name": "Crimeware",`
			`"uuid": "569f692d-b290-40cc-ae1a-2c48ff32448e"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#ffffff",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "tlp:white",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#00223b",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:source-type=\"blog-post\"",`
			`"relationship_type": ""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			"data": "/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAAA8AAD/4QMqaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjYtYzE0MiA3OS4xNjA5MjQsIDIwMTcvMDcvMTMtMDE6MDY6MzkgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHhtbG5zOnhtcD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bXA6Q3JlYXRvclRvb2w9IkFkb2JlIFBob3Rvc2hvcCBDQyAoV2luZG93cykiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6RTNBQkE4MDBFNEUzMTFFN0E3ODBGN0UyQjUxQjlBMzUiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6RTNBQkE4MDFFNEUzMTFFN0E3ODBGN0UyQjUxQjlBMzUiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDpFM0FCQTdGRUU0RTMxMUU3QTc4MEY3RTJCNTFCOUEzNSIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDpFM0FCQTdGRkU0RTMxMUU3QTc4MEY3RTJCNTFCOUEzNSIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/Pv/uAA5BZG9iZQBkwAAAAAH/2wCEAAYEBAQFBAYFBQYJBgUGCQsIBgYICwwKCgsKCgwQDAwMDAwMEAwODxAPDgwTExQUExMcGxsbHB8fHx8fHx8fHx8BBwcHDQwNGBAQGBoVERUaHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fH//AABEIAZMEAAMBEQACEQEDEQH/xADIAAEAAgMBAQEAAAAAAAAAAAAAAwQBAgUGBwgBAQADAQEBAAAAAAAAAAAAAAACAwQBBQYQAAICAQMCAgUFCQoLBwMEAwECAAMEERIFIQYxE0FRIjIUYXEzFQeBkaFCUmKyIxax0XKConOTs3S0kkNTY4PTJDQ1VgjBwkSEVXU28OEl8dLDN1RFRhEBAAIAAgUJBQYFBAIDAQAAAAECEQMhMUESBFFhcYGRwdETFKGxMlIF8OEiQnKSgqKy0jPxwuIjYrPyQzRT/9oADAMBAAIRAxEAPwD9UwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQOXR3V2zfyzcPTyuLZyqsyNgpchuDVgl12A66qAdR6JCMyuOGOlotwmbFN+a23OXDQ6kmzkBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA53cHOY/B8TfyeRRfk1Ubd1OLWbbTvYKNqDT8rrI3tuxiv4fInNvFImImeWcIfPew+38HuTtjmeUxmfis7l+WzcjF5ShUTkMepsgN5ZfqyEhSrLu8D8szZVItWZ1YzPS9r6hxNsjOpSfx1pl1iaz8Ezu6+d3/sr5DkL+F5DD5DOs5C/jOUzMGvIvIa5qqLNFLnxJ6yzh5mYmJnHCZY/q+XSuZW1a7sXpW2EasZjY9pL3lEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA+b8Bm9wdo8lza85xlWL2vk8nmZ7dwvl1BUXKs1pU0DWz2mKr85mWk2pM4x+HGdOL3eIplcTSnl2mc6KVrubs/ljTp1c6D7Ju3+3c/N5nvFKRdyd3L8guLyAeza2O7+ztTcKyCGPXbOcPSszNtuMp/WOJzaVpkTOFIy6Y10a8O19Pmt8+QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQK2ZRl3GoY+ScZUdXsZVViwVgSntAjay6g+n1QPJ8p2r35nYmTi/tJSara6a6hdg49oDVZptax1ZdrM+Kq1kabQ+rqF6AcmMUq3ms4xOEunw3A9w4KW1W8rW2N8ZfbjY1GNTSleHbYrVUeyo9qtAw3ektqfCIjAtabTjM4y9FOokBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAjyWyFxrWxlV8gIxpRzopfT2Qx9AJgeeyr+9HKmnHVRWpsGq16u20AKyjI095m1XdpoAd2vswNsm/vGyy0V4y0pTajUsprbzE2WiwaGwa+0E267fHr6dAl5S3nclt3EeYKLanWxrE8l6ragXr2LcFLeczBGOmgAgVRld0jt74VKbH5wecLGdFGiEv5TK4auhm619BYSBrrqQYFrKyu66ccPXRU5Flm4bdxWpWUISBZq25NzEqCddBsMCGvke8muSv4KrXy2sbeuxeptCBmFr7T7KdF3+PXb6AtYOfzleJddzGP5be7RRiVm2w+zrrqrWD5Oug19PWBBx690eZgHIFi1nc2TWxpYoC1p2WMpbftU1KjJ46EtprpAkxE5spx1mWcinyFusz9TU5fYdK62SrfuZ927VPydPEwJcm7lLr8h8RL/hnwm8g6V1kZAYgAJbtcMR+UNsDTKzu4KqcBcfDNltoCZIs2kq4rFpbVH2gfq2r6/jsvo1gT8Fb3BbVa/MVVUMGK01VjUlQSNzMHce
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514548004",`
			`"to_ids": false,`
			`"type": "attachment",`
			`"uuid": "5a462b24-9d10-4f02-afce-24b9a5fe7088",`
			`"value": "Figure_10_fixed_for_release.jpg"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "Payload",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547847",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5a462a87-dd74-4356-be5c-21c0a5fe7088",`
			`"value": "https://www.cobaltstrike.com/"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547489",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5a462921-ae28-47ba-b058-24b8a5fe7088",`
			`"value": "https://www.carbonblack.com/2017/12/19/threat-analysis-malicious-microsoft-word-documents-used-targeted-attack-campaigns/"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547517",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5a46293d-1dd0-4aa8-b2dc-24cea5fe7088",`
			"value": "A Microsoft Word document (.doc) believed to be malicious was recently submitted to Carbon Black\u00e2\u20ac\u2122s Threat Analysis Unit (TAU). The submitting organization did not feel that that document (and subsequent payload) was fully executing in their analysis environment, and questioned whether or not it was actually malicious.\r\n\r\nThe submitted file was part of a targeted attack against an organization, and would not properly run unless the infected system configured for a domain that matched a hard coded pattern. The malicious carrier file contained embedded macros which would launch a series of VB scripts. Ultimately the scripts would inject a Cobalt Strike payload into a running process. While researching this variant TAU discovered numerous other variants (both .doc and .docx formats), which were written in the same manner. Only one instance contained the portion of code to ensure the script would only run at a targeted domain. All of these variants had very low coverage when run through an analysis engine, and as this technique emerges it will continue to be used in targeted attacks and eventually commoditized."
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547712",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a462a00-89c8-449f-8cee-24c3a5fe7088",`
			`"value": "carbon-copy-marketing.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547713",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a462a01-69f8-4ee8-b0ce-24c3a5fe7088",`
			`"value": "free-clipart-archive.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547713",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a462a01-04d0-4bb8-ae2e-24c3a5fe7088",`
			`"value": "stationmovil.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547713",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a462a01-f43c-4d17-8f06-24c3a5fe7088",`
			`"value": "www.bankingandfinanceexpert.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547713",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a462a01-40a8-4652-9457-24c3a5fe7088",`
			`"value": "www.themediaeducation.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Cobalt Strike C2",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547712",`
			`"to_ids": true,`
			`"type": "ip-dst",`
			`"uuid": "5a462a00-2338-4071-b27e-24c3a5fe7088",`
			`"value": "212.83.58.231"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "Embedded payload",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547603",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5a462993-bad8-4de5-bc25-21bea5fe7088",`
			`"value": "Cobalt_Strike.dll"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-a918-4393-9c0f-21c0a5fe7088",`
			`"value": "3f06c23c4119d720b2a627ab5454a3e0"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-b014-485d-858b-21c0a5fe7088",`
			`"value": "376396fceb8e52425780459c41ac3ab4"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-9690-4c69-96a4-21c0a5fe7088",`
			`"value": "d79a8e0a9e8c7294351657f7897fd121"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-bc88-4dd8-99ef-21c0a5fe7088",`
			`"value": "c17cfcab0d115732a262da8a58dcf318"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-971c-44eb-8fac-21c0a5fe7088",`
			`"value": "81af1f218c0a44ea39aa3eca78f24bc0"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "Embedded payload",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547604",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462994-0180-478c-950f-21bea5fe7088",`
			`"value": "f2f52c78d594c37b546f6c09207cb481"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a462a39-041c-420e-84fc-21c0a5fe7088",`
			`"value": "c916685d48dec5891e92c09e18300381"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "Embedded payload",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547604",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "5a462994-4a3c-4344-a383-21bea5fe7088",`
			`"value": "12bc1affe86327d9f78684cde46cfff4dee57149"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-9f74-4044-ba5f-21c0a5fe7088",`
			`"value": "277226cb5f59de6f4493a42e42f7ea575d65da7a033ae343166ad4fa96db8654"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-c24c-450f-acd2-21c0a5fe7088",`
			`"value": "76e2277c63303df6c5b32fdacffcf37c8657ec263070a533eba100d83cade81e"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-85fc-4ac2-ad5d-21c0a5fe7088",`
			`"value": "2519e09e54ccc18c7dfc938760b48b559b7e4fb8465e12d8144083d2178789e2"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-4008-4bbb-85cc-21c0a5fe7088",`
			`"value": "c10ee375a841fd537ede2afa9e68817ddaaaf2e6587a519c267aac6c1fe8d081"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "Embedded payload",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547604",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462994-4cd4-4f75-b09a-21bea5fe7088",`
			`"value": "fa405c36d82b264568219b521886d2e7ef589674874983c7db1d67928003489e"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-905c-4cb6-bb25-21c0a5fe7088",`
			`"value": "9416893eb0b8b1e7b4afd342887fa358d1ea7dbd56d4a51a25a801715c761356"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1514547769",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a462a39-99e0-4dd8-bf3d-21c0a5fe7088",`
			`"value": "2a31a24ce994ae3465e77d4ec190882804233209b7f67bd4ef03375bd9b5f9ed"`
			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`]`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`