{"Event": {"info": "OSINT - #APT #Bitter", "Tag": [{"colour": "#e7007d", "exportable": true, "name": "workflow:state=\"incomplete\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#0071c3", "exportable": true, "name": "osint:lifetime=\"perpetual\""}, {"colour": "#0087e8", "exportable": true, "name": "osint:certainty=\"50\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}], "publish_timestamp": "0", "timestamp": "1573199847", "Object": [{"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5dc432ca-bb14-48e1-85f1-4ba9950d210f", "sharing_group_id": "0", "timestamp": "1573139146", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "8", "Attribute": [{"comment": "", "category": "Other", "uuid": "5dc432ca-6a3c-43c0-bc72-4e56950d210f", "timestamp": "1573139146", "to_ids": false, "value": "#APT #Bitter\r\n7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c\r\nWN: E-passport record.docx\r\nNC: http://comglobal[.]com[.]pk/wp-content/g\r\nhttp://nim[.]gov[.]pk/img/g.txt\r\nC2: tvnservereventlog[.]net\r\nAC: TemplateInjection->CVE-2017-11882->EXE", "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "External analysis", "uuid": "5dc432ca-a900-4186-92bf-44b7950d210f", "timestamp": "1573139146", "to_ids": false, "value": "https://mobile.twitter.com/ccxsaber/status/1192326844529422337", "disable_correlation": false, "object_relation": "link", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-2b74-46e5-9fcd-4da3950d210f", "timestamp": "1573139146", "to_ids": false, "value": "Twitter", "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-8464-4074-91bb-4834950d210f", "timestamp": "1573139146", "to_ids": false, "value": "#APT", "disable_correlation": false, "object_relation": "hashtag", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-0038-4424-b855-4737950d210f", "timestamp": "1573139146", "to_ids": false, "value": "#Bitter", "disable_correlation": false, "object_relation": "hashtag", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-6750-4c32-9c75-41f7950d210f", "timestamp": "1573139146", "to_ids": false, "value": "ccxsaber", "disable_correlation": false, "object_relation": "username", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-08a4-4cf1-98ff-4d46950d210f", "timestamp": "1573139146", "to_ids": false, "value": "Informative", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc432ca-0200-43ce-b9bd-470f950d210f", "timestamp": "1573139146", "to_ids": false, "value": "Nov 7, 2019 7:24 AM", "disable_correlation": false, "object_relation": "creation-date", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}, {"comment": "", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "uuid": "5dc433d5-6b28-4a6f-a24d-4417950d210f", "sharing_group_id": "0", "timestamp": "1573139413", "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "template_version": "5", "Attribute": [{"comment": "", "category": "Other", "uuid": "5dc433d5-7f68-42d3-9b25-418f950d210f", "timestamp": "1573139413", "to_ids": false, "value": "CVE-2017-11882", "disable_correlation": false, "object_relation": "id", "type": "text"}], "distribution": "5", "meta-category": "vulnerability", "name": "vulnerability"}, {"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5dc43482-808c-494b-a2ca-cb10950d210f", "sharing_group_id": "0", "timestamp": "1573139586", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "8", "Attribute": [{"comment": "", "category": "Other", "uuid": "5dc43482-0f30-4961-af0b-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "I guess exe is ArtraDownloader", "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "External analysis", "uuid": "5dc43482-7630-4772-a9ba-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "https://mobile.twitter.com/kalki_poison/status/1192339289117360128", "disable_correlation": false, "object_relation": "link", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5dc43482-ba5c-4bf4-8c86-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "Twitter", "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc43482-3204-463c-bfdd-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "kalki_poison", "disable_correlation": false, "object_relation": "username", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc43482-817c-4868-a552-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "Informative", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5dc43482-a528-4d87-9175-cb10950d210f", "timestamp": "1573139586", "to_ids": false, "value": "Nov 7, 2019 8:13 AM", "disable_correlation": false, "object_relation": "creation-date", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5dc51fe7-143c-444d-9a5b-ff54950d210f", "sharing_group_id": "0", "timestamp": "1573199847", "description": "File object describing a file with meta-information", "template_version": "17", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5dc51fe7-a314-4041-b38d-ff54950d210f", "timestamp": "1573199847", "to_ids": true, "value": "7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}], "analysis": "0", "Attribute": [{"comment": "WN", "category": "Payload delivery", "uuid": "5dc43359-ff10-4414-a40a-4e83950d210f", "timestamp": "1573139289", "to_ids": true, "value": "record.docx", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "NC", "category": "Network activity", "uuid": "5dc43359-15ec-40e4-9de2-4245950d210f", "timestamp": "1573139289", "to_ids": true, "value": "http://comglobal.com.pk/wp-content/g", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "Network activity", "uuid": "5dc43359-a3ec-4806-85ec-4976950d210f", "timestamp": "1573139289", "to_ids": true, "value": "http://nim.gov.pk/img/g.txt", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "C2", "category": "Network activity", "uuid": "5dc43359-a998-40d0-89bd-42fa950d210f", "timestamp": "1573139289", "to_ids": true, "value": "tvnservereventlog.net", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "", "category": "External analysis", "uuid": "5dc4340a-0144-4e8b-a548-44f4950d210f", "timestamp": "1573139466", "to_ids": false, "value": "CVE-2017-11882", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}], "extends_uuid": "", "published": false, "date": "2019-11-07", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5dc42bcc-a46c-42f4-b473-407e950d210f"}}