misp-circl-feed/feeds/circl/stix-2.1/5c92319e-45b8-4164-bce2-4894950d210f.json

638 lines
7.6 MiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5c92319e-45b8-4164-bce2-4894950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:46:40.000Z",
"modified": "2019-03-20T14:46:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5c92319e-45b8-4164-bce2-4894950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:46:40.000Z",
"modified": "2019-03-20T14:46:40.000Z",
"name": "OSINT - APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5c9231e8-66d4-4bf3-a8a7-4d87950d210f",
"url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f",
"x-misp-attribute--5c9231fb-5288-45ca-947c-4f67950d210f",
"observed-data--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"observed-data--5c923891-4300-445b-80ef-4578950d210f",
"file--5c923891-4300-445b-80ef-4578950d210f",
"artifact--5c923891-4300-445b-80ef-4578950d210f",
"observed-data--5c924f31-9e90-4f55-9b35-4f43950d210f",
"file--5c924f31-9e90-4f55-9b35-4f43950d210f",
"observed-data--5c924f31-5170-43f6-a619-4ea8950d210f",
"file--5c924f31-5170-43f6-a619-4ea8950d210f",
"observed-data--5c924f31-ad34-4375-ba9f-4dc7950d210f",
"file--5c924f31-ad34-4375-ba9f-4dc7950d210f",
"x-misp-object--5c9233af-23c0-4016-b150-4f5e950d210f",
"indicator--5c9236bc-379c-45cf-9069-6f74950d210f",
"indicator--5c924175-85d8-4e3d-9d43-45f8950d210f",
"indicator--5c9249a3-a864-407d-80b3-4043950d210f",
"indicator--5c924a6c-b788-41d4-818c-48ab950d210f",
"indicator--5c924a84-5e58-4db3-adf2-43e8950d210f",
"indicator--5c924aab-d144-4234-9f46-4441950d210f",
"indicator--5c924abf-b364-4901-b980-411b950d210f",
"indicator--5c924b25-c328-4e1b-98be-46c4950d210f",
"indicator--5c924b34-ecb8-4a8d-84ef-42fc950d210f",
"indicator--5c924e77-0b40-49bf-b352-48af950d210f",
"indicator--5c924e9e-f600-4b57-bb6b-4fe6950d210f",
"indicator--5c924edc-76d4-48a2-a677-40df950d210f",
"indicator--5c924f87-7304-4153-a92a-45c9950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"NjRAT\"",
"misp-galaxy:rat=\"NJRat\"",
"misp-galaxy:tool=\"njRAT\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c9231e8-66d4-4bf3-a8a7-4d87950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:29:24.000Z",
"modified": "2019-03-20T12:29:24.000Z",
"first_observed": "2019-03-20T12:29:24Z",
"last_observed": "2019-03-20T12:29:24Z",
"number_observed": 1,
"object_refs": [
"url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c9231e8-66d4-4bf3-a8a7-4d87950d210f",
"value": "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c9231fb-5288-45ca-947c-4f67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:48:33.000Z",
"modified": "2019-03-20T12:48:33.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "On March 17, 2019, 360 Threat Intelligence Center captured a target attack sample against the Middle East by exploiting WinRAR vulnerability (CVE-2018-20250[6]), and it seems that the attack is carried out by the Goldmouse APT group (APT-C-27). There is a decoy Word document inside the archive regarding terrorist attacks to lure the victim into decompressing. When the archive gets decompressed on the vulnerable computer, the embedded njRAT backdoor (Telegram Desktop.exe) will be extracted to the startup folder and then triggered into execution if the victim restarts the computer or performs re-login. After that, the attacker is capable to control the compromised device.\r\n\r\nAfter conducting correlation analysis, we suspect the Goldmouse APT group (APT-C-27) may have a hand behind the attack. In addition, we discover multiple related Android samples that disguised as common applications to attack specific targets after performing further investigations. Considering the language being used in the malicious code is Arabic, it seems that the attacker is familiar with Arabic language as well."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:49:27.000Z",
"modified": "2019-03-20T12:49:27.000Z",
"first_observed": "2019-03-20T12:49:27Z",
"last_observed": "2019-03-20T12:49:27Z",
"number_observed": 1,
"object_refs": [
"file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"name": "D2BOiosU0AATpdM.jpeg",
"content_ref": "artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c9236d7-f338-4ab4-8d7b-4fc4950d210f",
"payload_bin": "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wgARCAKwBJoDASIAAhEBAxEB/8QAGwABAAMBAQEBAAAAAAAAAAAAAAMEBQIBBgf/xAAaAQEBAQEBAQEAAAAAAAAAAAAAAQIEAwUG/9oADAMBAAIQAxAAAAGrcji7ua11Wv43wi93zyOYyZHwTouSdVsHXkCyfzmEseQSWd+U5Cwi6TtWlJFb0sILVnDro4PD13HHTzs5SrIvfelisQa+ddtn47m69hNs5uA0+1yWncjAaM5jt8YDfgMdoXzAp/V5OfT4hVcf6O0qi0qi17UFtULbVBbVOksq8ydK/C21QtqHwz177FvMiOU5Rdx08jJUclHPESubFkKPyakecWSOJDxx6dI+z1GlkSQ2deAOF7cDtwjtwrpyO/OR05F36TD/AELo+N8y35/Xh+YfTxHzr6Cc+YfTj5h9OPmPPp6xgvp/T5d9KPmvkv1X8r6ufUr2dDOMXUsdY3V5utqi2KXVslTm75VPq14lL24KXN5VXm4szrFkUe7aKXtz0q+WyVFsVPbXpT5vCnFopasd72yCK4Mz3SS0tWtdmtT4n7+hz9eb9FVtYuN3pw3efs8d5QwXUnnnQU7go3gixPoMnPr+fPHB+r9eD14PXg9eD14PeuFl+1jd3y0bOEs3WLwz9FHgje8wpC/cwDW13hE+iwueJr36D54u3zjLnStYfpryYY3uMQmlawy7nGMN7zCJsMcujofPD6HnAM3KnvOff14mvXg9eD14PXg9eDW/Qvz39C6/gV7B7fOQzCncBFKOeg4djjsIeLIfln6n+WdnJr/T/M/Ry+TcR83Te9h7si7h8JPY41tcwkklpyluCThfPY40msUbRJTs1ifyt2SecRS3ZKlizmP2sWOoSzSVektwSRnHscUt6SrPZ24Hfzn0Hzu8/MDs5z6LOxc5q5Wo/VPyv9V5/Y6zOf10WLFqb75/Yix53znXR88fQsHg+hfP2zVAM80Hz1k2Hz4+gZukAGF6bjDmNZRoG6xJjVYdg1ADHNhhRH0TBjPomNEbzGlNQAyDXYVc+lZ2WfSsD03nPQKhbfN3TXfNXDZZGuAGdln0rG6NcAAAAAHPEWcbbA0y37899AfNaVLYMH5P7H4/s5Nf6f5j6LN0lfnn6bTDzI+vfLyR9IrtSwr5HpnffP6dl1U7892FdFhUx8+v0b5jqT6Vm2tSwp1556jPqRtvnrcuspyeiwzLks3uNKaijNVhXgsu+/HS+mfrfmt2Pz1+dv0x7+X5vJ+iI/OYf0xX5n+q1rPlvrz15ekMnRI0gc9cr1F2OOJhz34OnI6j6Efkoi76DrkdOR7z6OPJBFKHsffhzJx6duR155yRy+iJLye8SCLrvw7cjrzwcuhBK4PfAnQCfyEdOQ65EvUAnQCWIOu4hOgE6AToBOgE6v6TuOSXyIc2IfSVx6Ur/Ipfnn6h+X9nJsb2DvRa4758OnEzt6l565oTUz7P2OT0yz9Cj6+dj3kxNn24dW4PH2gI/L1j0Y/ZileztHeoO+GfG1UsQz1q2b2fL7Yr2PXyzJXU1Rht85unIeufMHexfXzrxQ+dnhu6efofP6dGtZzOT2yNGXqW/wB1bHrihcgkqbjvgKExZVIDSZ85ZUpidnaZzH1mmorXiJLXJJIq5dUbyFYWPeay22ZZLXkEx0fPn0HOfoTUENrjWPfJepfc3SoWe2eZpeaGksoWEsee9crWpaECSw3KhT2atyq0UvtnC2Ki2Ki2KnN2pVsY0AAAARShFAlxXsBTuHMfvKy+e+HWd38kfce5eoe9c9AD8u/Ufy7s5Nfewt2LXHfnh0/M4/2tXFzKH0w0B6Rk3ufTxr8TvXyztDyXx97Yx6V6GtjeftPSvJYdiKXfnBR08zPlZir9zWjne+s3LHHfpaMnfObV4teS3R6RHJzGdLNY1n5f6WC1560szTp8/rVvwey+Xak/v599Z05Yq2uTLkvjPaAzur4x9KYU7vgkyNPgraMQl8jCtakKdwMnWDmOYUppx550GbpJqGTrm56Q5ZtUpMvedDvB1dTTUKnlvaMU2vMzSOou8yzVZ88tkAFavY41MmHfgzcS5odlWG6M7V891OsbfhzcDjb9M+za4KUej2XCAwdnyPeKaz1ZxX0Pc6ksZ2jFfznuam89EcVgRSvR1z0APy79R/Luzj2N3C3YtDx6ouLCK0sgCvnX0SPmNDXGXBtihfKUL4wqn1CAp56j57rfGDvFARR2UV/LIjkBTuDLpfQjE3PPY0aV3NxrS4wZDd5oaJW9sQknXPQfK/TEhkmsZhpszTCtGXWBpF1R9Lpjmx5Vsp1z1TW37XkJI5Pmz6P357eO0PRI+c+jHME4gs1C3ka8Ws5Fy3xqTQTd+e1az4RSR9J1Q0fK4k5jlmABW9891mwzes60GXMXmb6aNT3zWbanDnWkyrpYZcxeUL4AY1ovs3k1GbYLSncKvr0moX6xHFJEWvY6hr9c9AD8v/UPy/t49fdwt2LRS5+q6ilHnvh15gUfLp+w7zLOvG0o3mTP7W6zuy8zJkus64SqUa6KkS6yZTRVC22dOlpkdLqueUkSWCmQrMp3jnmKVLwlK1keejD705sa56563mlc9CtZCCcZukCGYUp5hDXvEVbReXQVbQr2AUL7wsE4Pmfpnr6fG/T209HPXO+b3OuVyteWbFS3UllJjj3rkpJuKuckZcmlCTAArR2Y9Th2St3MIYrY44m9JuPGdePRX7lEfXQ76iDnoRddjiGyOZ4hD316d9c9CvY8PQc9c9AD8v8A1D8w7ePW38DcyvReufqkRiTnnwzMz6r3xVpu21Pq0tr+WUsXFhZBL0ivHcVV9spY/JVVPbRIObKWv1Ms5r2kvNO8qWSsStLIlpX+VQWOUmgp0V2mVIaLL7NFU4LnVewAAAAAAFesaLO8NIAAAAAADmhcJQACiXmTIaTKlNBlxmwAAAr8FnrnoAAAAAIc81mX6abjsAAAAAFEudV7AABz1z0EFU0fzD9P/MO3j1vofn97OdP356jzdn2L5uvH1ldJc9dRlkRiRGO5a8svdaT5ua+pfK65pRdZZrdfK3zb8oXDjqnAbD5iU+icDtwO3A7cDtwO3A7rTQnXFoV/ZxB7MIvZBF30OXQ5dDl0OXQ5dDl0I/JRF5MOXQ5dDl0OXQ5dDl0OXQh6kHLocuhzzIIE4o2JhTnlHHvQ5dDl0OYpxx70OXQ5dDl0OXQ5dCLiwKyyOPehy6HLocuhy6HLoc8yCLvocuhy6HHvQ5dDn8y/T/zDt49jbxPosyyp2+Tp9StWJKIkoiSiJKI5CaCUDz0AAEHHJNMrFlCJgAAAAI5Iy2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB+Y/p35j28ex9D899DhQuL3z+yKx09nLocuhy6HLocu/SNII0gjSCNII0gy6f0A+dfRD52r9YPlfppCRpCxpBGkEaQRx2ISyAAAAAAAAAAAAAAAAAACKKPAPrY/k5j6WX4f7U7rYN8062fePb/zf0J2AAAAAAAAAAAAAAAAAAAAAAAAAeHv5l+mfmfbx6u/gfQZzj61Gzx9cmglu+gAAAddc9AAAAAGdFocFbI+j4KNLd6PnfpoZj0AAACvYrlgAAAAAAAAAAAAAAAAAADz2E8lp3T3jP0yhej8M2/JRNNnaIAAAAAAAAAAAAAAAAAAAAAAAAA898H5n+mfmfbxa23i7mZR0c/R5+yTjqvjdr2v0l6StZQFA6p3KR7zF0c2auqjH2Mea1c2WC552qdwzebdOWb2v1U/laSKtvyaoZIOw5kObVKc7hq2yevDYNAAAAAAAAAAAAAAAAAAADB3uT5ax9BWKt+emfM/SXYz5+3x
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c923891-4300-445b-80ef-4578950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:56:49.000Z",
"modified": "2019-03-20T12:56:49.000Z",
"first_observed": "2019-03-20T12:56:49Z",
"last_observed": "2019-03-20T12:56:49Z",
"number_observed": 1,
"object_refs": [
"file--5c923891-4300-445b-80ef-4578950d210f",
"artifact--5c923891-4300-445b-80ef-4578950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c923891-4300-445b-80ef-4578950d210f",
"name": "[Analysis_Report]Operation_Kabar_Cobra.pdf",
"content_ref": "artifact--5c923891-4300-445b-80ef-4578950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5c923891-4300-445b-80ef-4578950d210f",
"payload_bin": "JVBERi0xLjUNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhrby1LUikgL1N0cnVjdFRyZWVSb290IDIxNyAwIFIvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+Pj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCA1Mi9LaWRzWyAzIDAgUiAxNiAwIFIgMjEgMCBSIDIzIDAgUiAyNyAwIFIgMjggMCBSIDI5IDAgUiAzMCAwIFIgMzEgMCBSIDMyIDAgUiAzNCAwIFIgMzUgMCBSIDM2IDAgUiAzNyAwIFIgMzggMCBSIDM5IDAgUiA0MCAwIFIgNDEgMCBSIDQyIDAgUiA0MyAwIFIgNDQgMCBSIDQ1IDAgUiA0NiAwIFIgNDcgMCBSIDQ4IDAgUiA0OSAwIFIgNTAgMCBSIDUxIDAgUiA1MiAwIFIgNTMgMCBSIDU0IDAgUiA1NSAwIFIgNTYgMCBSIDU4IDAgUiA2MCAwIFIgNjEgMCBSIDYyIDAgUiA2MyAwIFIgNjUgMCBSIDY3IDAgUiA2OCAwIFIgNjkgMCBSIDcwIDAgUiA3MSAwIFIgNzIgMCBSIDczIDAgUiA3NCAwIFIgNzcgMCBSIDc4IDAgUiA4MCAwIFIgODEgMCBSIDgyIDAgUl0gPj4NCmVuZG9iag0KMyAwIG9iag0KPDwvVHlwZS9QYWdlL1BhcmVudCAyIDAgUi9SZXNvdXJjZXM8PC9Gb250PDwvRjEgNSAwIFIvRjIgOSAwIFI+Pi9FeHRHU3RhdGU8PC9HUzcgNyAwIFIvR1M4IDggMCBSPj4vWE9iamVjdDw8L01ldGExNCAxNCAwIFIvTWV0YTE1IDE1IDAgUj4+L1Byb2NTZXRbL1BERi9UZXh0L0ltYWdlQi9JbWFnZUMvSW1hZ2VJXSA+Pi9NZWRpYUJveFsgMCAwIDU5NS4zMiA4NDEuOTJdIC9Db250ZW50cyA0IDAgUi9Hcm91cDw8L1R5cGUvR3JvdXAvUy9UcmFuc3BhcmVuY3kvQ1MvRGV2aWNlUkdCPj4vVGFicy9TL1N0cnVjdFBhcmVudHMgMD4+DQplbmRvYmoNCjQgMCBvYmoNCjw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMTUzMz4+DQpzdHJlYW0NCnictVpNb+M2EL0b8H/gUSpqZjj8XgQBZCdZ7EfQbpOih2wPTpqmi2aTNkm7KNAf36FsJ2lleVyZzMGWJUV8fEO+N0NK7H0r9vf3TmZvDgXsvZ/fXovq6nby/Wl9cCCmhzPx+3gEEtJfCF4JEDZaqVEEo2REcX81Hv3wlbgdj6Zn49HesRJBghFnP49H6WYQSlgnnRHee6lQnH2mu16fenH9kB6sEAVI9IE+rfbi/rq9HHouf/d6PBIJToxOnF2eVwiq/lGcvR2Pjqj5D3T16GQmxItOqTKdclHG8K9ere/M+j6cV5GBjWVgeyM1DIadqNfUUGJeCqYHulAPwm7EAwPblIEd9C7E00BnYNtCsL30Zvh4mVDzAcJ2A8aV6ULEXYf8s9pwYuPLdEGBkuCGDx6O+VAKtpWA5WDHMrARCZAWjrQyuAKwVR6f1bjeaB1dcEPo/ua3q/v546daV3e34t38ola2mtOvezGrTXV3cU/Hc65veey22zcdtfRxeOfYoOQxXMoK3JqY2KBIRxewRUIpWlDvPtW2+vzwx6/1RGH1Fwcxj6N2IBKzoR8jS5wZBgTXACFrhz4g+4CHGnAaDhg8eZywA04pQjecJZeNJYUpXr0saQVgbTyYKLVPbSBHVx7L6qK0G1DydIV8dFmKWy9bsZmCd44jKY/TdLH5XcYUQj6SwsYx1ZgIGjXDEubR/g44BC2jHswSZmMJIchg1wMR0OY4l1vrFBZSc0QC2TfgebbyqTnqDWHbBzebAdkzx1IhNUeSp+gHs5RPzdFuCBexZD24Y8WxVEjEMenT8JmXp6zoogo7xS5mi90yt9NEUuyGzs88WMWJps5TDHSweSdt6APHkqRVNpIoSg43sOQMNNqB9cuUpSFHNvoIgp8uTnhQ0NgjjsdC+btyStpeHj9WVBk1lL276pQ+oTqa1RNTfaw5fguJv4pK6sFBz6f9KjpJZVhf0Cm+y/zUTyngx1xsS5kAOkkF4lC6BpuA6+aBXiqzmrOL4hatasG0B8sCaKYovafpwSasOo8hdIFSiQaWAcozNzi77wBCIHnhAJGNHh+CbnxSG465PKl+FyiitHpX5szglH8NIJdWuVjmKAExugFkkxCTJ/3vAjWeB8ozN7gM6AKyIJ1imWumDvBoRkLnSOjIxqyechTmsYUuYsrjrN+ZwjxbI110AbcQFUQghw2E0ifbZaDafNEmydMcdxRgE7ng5tnf6ADUQP/Azg9KSSgxSeQpbaLm+CvkHxqjhLgZq1BS2Xa7RbAjMk+F0YWpSRsZmOfV34IGpIn8vBlccXSBGSMDL9qL/IpkpzlGCFMPU8stR9g8dUgXsce0br+j9NhC3qIJF7LC+KqeoGrnDqVfHNI8dUgXKWX2gUU64dAVMhgdjfSMhLc7qTZt69DU9shuaBdyGwPbhJwlMk9JsgZdTOrHoAskPDQYF4YIrQwlY6Qvv7Uq2XzlizEgNZ+ENzMAb7kcyBayHmON1LsLUSHHMdZvMb1frTx8Cx0qVMcYr6UOu04fV8htTNJzx6Hz2E4cToFcIdMxwUt2ILIMFvIZE0F6Nr4hgko6Y+FJdugrrn6wb/oUsqHlOorTsvWZHvBf0ixafhhXyXQ0/6We6Oq2nvjqprbV/KI9e0lT7S5d+Mx1qFRppCHl9kyHWLpzmFX/shWVwwY36D5loIzmu0KlUdrWtAw+nr1Sa2nBpo3pzeCa53H5fn7xdfpO+v+mntjF2TRE5VN+2tzUk9iO4PTrPt2QXjG5pqeE6rFdp34QdaQrsbp6SJO1uqK7bKj+rOnwJ8lxUcj+MLi0pLJrpAq9ELbY56GaEFbg/scysV8t2T299UyAJi8RObLUsEIVMbX1DArJzwjl6h8ogTLPP8D49JKTMjYkkJ4eZVOSc5lesj65epzT7Dy8Ex9evHLdxbfa6kHxhX33etS24mNMSyLUSFo6t3Z14mY8Ol3XwmrpTaUWFo+wNlCoXzxieaLvEXoDicSCb4sLoPmuVG98lVSaAgj/5Q8pAC7xF8hVUxb2TJ9dS98/wF1jWw0KZW5kc3RyZWFtDQplbmRvYmoNCjUgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjEvQmFzZUZvbnQvQUJDREVFK01hbGd1bkdvdGhpY1JlZ3VsYXIvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDYgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjUvV2lkdGhzIDEzNjE5IDAgUj4+DQplbmRvYmoNCjYgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQUJDREVFK01hbGd1bkdvdGhpY1JlZ3VsYXIvRmxhZ3MgMzIvSXRhbGljQW5nbGUgMC9Bc2NlbnQgMTA4OC9EZXNjZW50IC0yMDAvQ2FwSGVpZ2h0IDgwMC9BdmdXaWR0aCA0NjMvTWF4V2lkdGggMTM1OS9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA0Ni9Gb250QkJveFsgLTE2MCAtMjAwIDExOTkgODAwXSAvRm9udEZpbGUyIDEzNjE3IDAgUj4+DQplbmRvYmoNCjcgMCBvYmoNCjw8L1R5cGUvRXh0R1N0YXRlL0JNL05vcm1hbC9jYSAxPj4NCmVuZG9iag0KOCAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL0NBIDE+Pg0KZW5kb2JqDQo5IDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UeXBlMC9CYXN
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c924f31-9e90-4f55-9b35-4f43950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:33:21.000Z",
"modified": "2019-03-20T14:33:21.000Z",
"first_observed": "2019-03-20T14:33:21Z",
"last_observed": "2019-03-20T14:33:21Z",
"number_observed": 1,
"object_refs": [
"file--5c924f31-9e90-4f55-9b35-4f43950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c924f31-9e90-4f55-9b35-4f43950d210f",
"name": "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\New March\\New March\\obj\\Debug\\New March.pdb"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c924f31-5170-43f6-a619-4ea8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:33:21.000Z",
"modified": "2019-03-20T14:33:21.000Z",
"first_observed": "2019-03-20T14:33:21Z",
"last_observed": "2019-03-20T14:33:21Z",
"number_observed": 1,
"object_refs": [
"file--5c924f31-5170-43f6-a619-4ea8950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c924f31-5170-43f6-a619-4ea8950d210f",
"name": "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\March\\March\\obj\\Debug\\March.pdb"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c924f31-ad34-4375-ba9f-4dc7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:33:21.000Z",
"modified": "2019-03-20T14:33:21.000Z",
"first_observed": "2019-03-20T14:33:21Z",
"last_observed": "2019-03-20T14:33:21Z",
"number_observed": 1,
"object_refs": [
"file--5c924f31-ad34-4375-ba9f-4dc7950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c924f31-ad34-4375-ba9f-4dc7950d210f",
"name": "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\December\\December\\obj\\Debug\\December.pdb"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5c9233af-23c0-4016-b150-4f5e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:35:59.000Z",
"modified": "2019-03-20T12:35:59.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "Analysis report of targeted attack against the Middle East with #WinRAR exploit (#CVE-2018-20250) that seems conducted by #APT-C-27 (#Goldmouse). #njRAT is extracted to the startup folder and we discovered multiple related #Android samples as well.\r\n\r\n(link: https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/) ti.360.net/blog/articles/\u2026",
"category": "Other",
"uuid": "5c9233af-1768-4a7a-892a-441e950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5c9233af-9768-48dc-8e02-4a0d950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://mobile.twitter.com/360TIC/status/1107981000573771776",
"category": "Network activity",
"to_ids": true,
"uuid": "5c9233af-3b98-4300-bdfc-49cb950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/",
"category": "Network activity",
"to_ids": true,
"uuid": "5c9233af-9650-4a68-bc99-4982950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "Mar 19, 2019 1:23 PM",
"category": "Other",
"uuid": "5c9233af-0238-4ecc-8225-49ff950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "360TIC",
"category": "Other",
"uuid": "5c9233af-f284-4cad-962c-428a950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c9236bc-379c-45cf-9069-6f74950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T12:49:00.000Z",
"modified": "2019-03-20T12:49:00.000Z",
"pattern": "[file:hashes.MD5 = '314e8105f28530eb0bf54891b9b3ff69' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T12:49:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924175-85d8-4e3d-9d43-45f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T13:34:45.000Z",
"modified": "2019-03-20T13:34:45.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '36027a4abfb702107a103478f6af49be' AND file:hashes.SHA256 = '76fd23de8f977f51d832a87d7b0f7692a0ff8af333d74fa5ade2e99fec010689' AND file:name = 'Telegram Desktop.exe' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T13:34:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c9249a3-a864-407d-80b3-4043950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:09:39.000Z",
"modified": "2019-03-20T14:09:39.000Z",
"description": "Malicious ACE Archive",
"pattern": "[file:hashes.MD5 = '314e8105f28530eb0bf54891b9b3ff69' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:09:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924a6c-b788-41d4-818c-48ab950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:13:00.000Z",
"modified": "2019-03-20T14:13:00.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '83483a2ca251ac498aac2abe682063da' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:13:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924a84-5e58-4db3-adf2-43e8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:13:24.000Z",
"modified": "2019-03-20T14:13:24.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '9dafb0f428ef660d4923fe9f4f53bfc0' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:13:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924aab-d144-4234-9f46-4441950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:14:03.000Z",
"modified": "2019-03-20T14:14:03.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '2bdf97da0a1b3a40d12bf65f361e3baa' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:14:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924abf-b364-4901-b980-411b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:14:23.000Z",
"modified": "2019-03-20T14:14:23.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '1d3493a727c3bf3c93d8fd941ff8accd' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:14:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924b25-c328-4e1b-98be-46c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:16:05.000Z",
"modified": "2019-03-20T14:16:05.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '72df8c8bab5196ef4dce0dadd4c0887e' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:16:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924b34-ecb8-4a8d-84ef-42fc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:16:20.000Z",
"modified": "2019-03-20T14:16:20.000Z",
"description": "Backdoor",
"pattern": "[file:hashes.MD5 = '6e36f8ab2bbbba5b027ae3347029d1a3' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:16:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924e77-0b40-49bf-b352-48af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:30:15.000Z",
"modified": "2019-03-20T14:30:15.000Z",
"description": "Android Sample",
"pattern": "[file:hashes.MD5 = '5bc2de103000ca1495d4254b6608967f' AND file:name = '\u0628\u0648 \u0623\u064a\u0648\u0628 - \u0627\u0644\u0642\u0631\u064a\u062a\u064a\u0646 \u0623\u0628\u0648 \u0645\u062d\u0645\u062f.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:30:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924e9e-f600-4b57-bb6b-4fe6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:30:54.000Z",
"modified": "2019-03-20T14:30:54.000Z",
"description": "Android Sample",
"pattern": "[file:hashes.MD5 = 'ed81446dd50034258e5ead2aa34b33ed' AND file:name = 'chatsecureupdate2019.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:30:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924edc-76d4-48a2-a677-40df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:31:56.000Z",
"modified": "2019-03-20T14:31:56.000Z",
"description": "Android Sample",
"pattern": "[file:hashes.MD5 = '1cc32f2a351927777fc3b2ae5639f4d5' AND file:name = 'OfficeUpdate2019.apk' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:31:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c924f87-7304-4153-a92a-45c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-03-20T14:34:47.000Z",
"modified": "2019-03-20T14:34:47.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.137.255.56') AND network-traffic:dst_port = '1921' AND network-traffic:dst_port = '1994' AND network-traffic:dst_port = '1740']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-03-20T14:34:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}