{
"id": "bundle--f39d5a20-939b-44d8-ab7b-42edff352317",
"objects": [
{
"type": "identity",
"id": "identity--18d1436d-9d9d-4c05-8d88-bc4a39ff6bce",
"created": "2019-01-01T01:00:00.123Z",
"modified": "2019-01-01T01:00:00.123Z",
"name": "EclecticIQ",
"identity_class": "organization",
"sectors": [
"technology"
]
},
{
"created": "2017-01-20T00:00:00.000Z",
"definition": {
"tlp": "white"
},
"definition_type": "tlp",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"type": "marking-definition"
},
{
"created": "2019-04-18T17:55:37.824Z",
"id": "indicator--6afa3e33-c566-5342-aa46-40f77ba3869e",
"labels": [
"observables",
"admiralty-code--usually-reliable",
"admiralty-code--probably-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:18.990Z",
"name": "Indicator for \"StealJob Campaign - Donot Team Android Malware \"",
"pattern": "[domain-name:value = 'jasper.drivethrough.top']",
"type": "indicator",
"valid_from": "2019-04-10T04:00:00Z"
},
{
"created": "2019-04-17T17:16:08.119Z",
"id": "indicator--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"labels": [
"observables",
"kill-chain-phase--delivery",
"kill-chain-phase--installation",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.007Z",
"name": "Indicator for \"Attack Pattern: Spearphishing email deceives user to install decoy KashmirVoice app\"",
"pattern": "[file:name = 'KashmirVoice.apk']",
"type": "indicator",
"valid_from": "2019-04-10T04:00:00Z"
},
{
"created": "2019-11-07T13:37:22.813Z",
"id": "indicator--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"labels": [
"observables",
"admiralty-code--fairly-reliable",
"admiralty-code--possibly-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--apt",
"threat-actors--apt",
"industry-sector--energy",
"industry-sector--defense",
"industry-sector--government-national",
"threat-actors--espionage",
"threat-actors--nation-state"
],
"modified": "2019-12-04T16:40:19.011Z",
"name": "Indicator for \"Intrusion Set: Donot Team\"",
"pattern": "[actor-id:value = 'Donot Team' AND actor-id:value = 'SectorE02' AND actor-id:value = 'APT-C-35' AND actor-id:value = 'DoNot Team']",
"type": "indicator",
"valid_from": "2018-08-16T08:23:03.733364Z"
},
{
"created": "2019-04-17T15:06:56.247Z",
"id": "indicator--f8ccc04e-9a28-5d4c-8eb7-fdefdcbe1dd3",
"labels": [
"observables",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.018Z",
"name": "Indicator for \"Targeted Victim: Kashmir Voice application users\"",
"pattern": "[country:value = 'Pakistan' AND product:value = 'KashmirVoice']",
"type": "indicator",
"valid_from": "2019-04-10T04:00:00Z"
},
{
"created": "2019-11-07T15:06:26.063Z",
"id": "indicator--b263d424-b39a-56f8-9c4c-628a921a294c",
"labels": [
"observables",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"industry-sector--defense",
"industry-sector--government-national",
"malware--information-stealer-harvester",
"targeted-technology--microsoft-products",
"malware--downloader"
],
"modified": "2019-12-04T16:40:19.022Z",
"name": "Indicator for \"SectorE02 Spearphishing Campaign March-July 2019\"",
"pattern": "[country:value = 'Pakistan' AND industry:value = 'Defense']",
"type": "indicator",
"valid_from": "2019-02-28T23:00:00Z"
},
{
"created": "2019-11-07T14:15:44.553Z",
"id": "indicator--f749f40b-d7ae-5fca-9829-924a792a22cd",
"labels": [
"observables",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"industry-sector--government-national",
"targeted-technology--microsoft-products"
],
"modified": "2019-12-04T16:40:19.025Z",
"name": "Indicator for \"Targeted Victim: Pakistan Defense and Intelligence Organizations\"",
"pattern": "[industry:value = 'Defence' AND country:value = 'Pakistan']",
"type": "indicator",
"valid_from": "2019-07-10T22:00:00Z"
},
{
"created": "2019-10-30T15:58:58.392Z",
"description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
"id": "attack-pattern--2c70447f-21a8-5788-990c-a7826be4e776",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.027Z",
"name": "Technique/T1123: Audio Capture",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:15:59.266132+00:00",
"estimated_threat_start_time": "2018-05-15T15:15:59.266132+00:00",
"first_ingest_time": "2019-10-30T15:05:38.055754+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:05:38.055754+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/T1123: Audio Capture",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-4a22c6ce-79ec-512e-850c-e888e64b235e"
},
{
"created": "2019-04-18T17:55:37.824Z",
"description": "\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\" />\n <meta name=\"generator\" content=\"EclecticIQ Platform\" />\n <title>StealJob Campaign - Donot Team Android Malware </title>\n </head>\n <body>\n \n <article itemscope itemtype=\"http://eclecticiq.com/microdata/entity-description\">\n <meta itemprop=\"type\" content=\"report\" />\n <h1 itemprop=\"title\">StealJob Campaign - Donot Team Android Malware </h1>\n <div itemprop=\"content\">\n \n <section itemscope itemtype=\"http://eclecticiq.com/microdata/section\">\n <h1 itemprop=\"title\">Analysis</h1>\n <div itemprop=\"content\">\n <p><u>Reconnaissance Focus</u></p><p></p><p>Given the breakdown of the actions that the malware performs and the use of a decoy KashmirVoice.apk, analysts note that this campaign is focused on reconnaissance of the victim devices. Victimology here is interesting, as the Voice of Kashmir refers to a website that &quot;...propagates the violence of the Indian army and is suspected of being established in Pakistan&quot;. 
Analysts suspect that governments or nation-state supported groups who have a strategic interest in the Kashmir conflict between India and Pakistan would have a motivation to use or acquire this malware.</p><p></p><p>This malware focuses on the gathering of sensitive information such as location, SMS messages, recording, and obtaining historical call information from the victim device.</p><ul><li>live_recording_scheduling_job</li><li>tag_network_info_job</li><li>tag_directory_trees_job</li><li>tag_live_recordings_job - Perform recording </li><li>tag_key_logs_job</li><li>tag_user_profile_job</li><li>tag_location_job - Get geo-location </li><li>tag_apps_info_job - Obtain installed applications </li><li>tag_sms_job - Steal SMS messages </li><li>tag_calls_logs_job - Obtain historical calls </li><li>tag_notifications_job</li><li>tag_location_sender_job</li><li>tag_files_sending_job</li></ul><p></p><p><u>Infrastructure Overlap</u></p><p></p><p>Analysts identified infrastructure that is shared between both Donot campaigns:</p><ul><li> <span\n itemscope \n itemtype=\"http://eclecticiq.com/microdata/relationship\"\n >\n \n <meta itemprop=\"type\" content=\"indicators\" />\n <meta itemprop=\"entity-type\" content=\"indicator\" />\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}indicator-6d86c1c0-2c99-4587-b1ce-9e0a84b8ddee\" />\n <mark itemprop=\"content\">Jasper.drivethrough.top</mark>\n </span></li></ul><p>Registration information for that domain is as follows:</p><p> </p><p>Email: d3l7a[@]protonmail[.]com<br/>Name: daiyu xiang<br/>Organization: delta corp<br/></p><p>Analysts identified only one other domain registered with that email address: instaslideshow[.]top. </p><p></p><p>Despite this infrastructure overlap, both campaigns also use similar political lures. The campaign from 2017-2018 used a mobile RAT disguised as KNS Lite (Kashmir News Service) to target organisations in Pakistan. 
In this campaign, the APK sample that was discovered is called &quot;KashmirVoice&quot; (Kashmir Voice) application. This indicates that the same targeting is at play in both campaigns. </p><p> <br/></p>\n </div>\n </section>\n </div>\n </article>\n\n </body>\n </html>\n",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "report--6afa3e33-c566-5342-aa46-40f77ba3869e",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--probably-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.027Z",
"name": "StealJob Campaign - Donot Team Android Malware ",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"object_refs": [
"indicator--6afa3e33-c566-5342-aa46-40f77ba3869e",
"campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"campaign--ee07858f-740b-55dc-a19f-f083161a0337"
],
"published": "2019-04-18T17:55:37.824344Z",
"type": "report",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T17:03:50.686080+00:00",
"half_life": 60,
"ingest_time": "2019-10-30T17:41:13.447638+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "StealJob Campaign - Donot Team Android Malware ",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}report-0b0132da-2b01-4de1-84f6-6664d188e651"
},
{
"created": "2019-04-17T17:16:08.119Z",
"description": "<p> </p><ol><li>It disguises itself as a benign application and induces the user to install it. It tricks the victim into believing the software has been uninstalled while in fact it hides its icon to protect itself from being removed:</li><li>The name of the sample is disguised as KashmirVoice to lure the victim into installing it; the package name and icon are not counterfeited since it might be a test sample.</li></ol><p></p><p>The malware supports up to 20 remote control commands with test operations included. The remote control commands include obtaining the contact list, text messages, call records, geographic location, user files, and installed applications.</p>",
"external_references": [
{
"description": "User Execution ",
"external_id": "1204",
"source_name": "mitre-attack"
},
{
"description": "Spearphishing Attachment ",
"external_id": "1193",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "attack-pattern--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"labels": [
"kill-chain-phase--delivery",
"kill-chain-phase--installation",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.028Z",
"name": "Attack Pattern: Spearphishing email deceives user to install decoy KashmirVoice app",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T17:15:25.359113+00:00",
"half_life": 50,
"ingest_time": "2019-10-30T17:39:34.782284+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Delivery"
],
[
"Kill Chain Phases",
"Kill chain phase - Installation"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Attack Pattern: Spearphishing email deceives user to install decoy KashmirVoice app",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-399bac41-54b6-49ec-ae34-a7614bdb26ab"
},
{
"created": "2019-04-17T15:06:56.247Z",
"description": "<p> It disguises itself as a benign application and induces the user to install it. It tricks the victim into believing the software has been uninstalled while in fact it hides its icon to protect itself from being removed. </p>",
"external_references": [
{
"description": "Location Tracking ",
"external_id": "1033",
"source_name": "mitre-attack"
},
{
"description": "Capture SMS Messages ",
"external_id": "1015",
"source_name": "mitre-attack"
},
{
"description": "Access Call Log ",
"external_id": "1036",
"source_name": "mitre-attack"
},
{
"description": "System Information Discovery ",
"external_id": "1029",
"source_name": "mitre-attack"
},
{
"description": "System Firmware ",
"external_id": "1019",
"source_name": "mitre-attack"
},
{
"description": "Access Sensitive Data in Device Logs ",
"external_id": "1016",
"source_name": "mitre-attack"
},
{
"description": "Application Discovery ",
"external_id": "1021",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.029Z",
"name": "Malware Variant: StealJob Android malware jy38ap",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "malware",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T15:00:35.279314+00:00",
"half_life": 70,
"ingest_time": "2019-10-30T17:39:35.385601+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Malware Variant: StealJob Android malware jy38ap",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-e2c0ff83-4664-4f86-9190-4ea27bec0c54"
},
{
"created": "2018-08-16T13:08:29.102Z",
"description": "<p>Android malware used by Donot Team/APT-C-35.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
}
],
"id": "malware--2021430c-554b-54ae-ad87-55c21a1cb2e2",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--government-national",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.030Z",
"name": "Malware Variant: Unnamed Android malware 7dh38",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "malware",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-08-16T09:20:33.259912+00:00",
"estimated_threat_start_time": "2018-08-16T09:20:33.259912+00:00",
"first_ingest_time": "2018-08-16T13:08:24.862256+00:00",
"half_life": 182,
"ingest_time": "2019-10-30T16:07:30.377129+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Malware Variant: Unnamed Android malware 7dh38",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-0ea9aa3e-c480-48ca-a33d-9efb687c0e9a"
},
{
"created": "2019-10-30T15:59:08.709Z",
"description": "Adversaries may communicate using a custom command and control protocol instead of using existing [[Technique/T1071|Standard Application Layer Protocol]] to encapsulate commands. Implementations could mimic well-known protocols.",
"id": "attack-pattern--65117bfa-89e9-5c59-85d6-1f1c714b6d85",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.030Z",
"name": "Technique/T1094: Custom Command and Control Protocol",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:16:15.488877+00:00",
"estimated_threat_start_time": "2018-05-15T15:16:15.488877+00:00",
"first_ingest_time": "2019-10-30T14:53:36.231503+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T14:53:36.231503+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/T1094: Custom Command and Control Protocol",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-5a57bd91-6578-5427-b941-be65a4d08ee1"
},
{
"created": "2019-10-30T15:58:58.706Z",
"description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via [[Technique/T1193|Spearphishing Attachment]] with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via [[Technique/T1192|Spearphishing Link]] that leads to exploitation of a browser or application vulnerability via [[Technique/T1203|Exploitation for Client Execution]]. While User Execution frequently occurs shortly after [[Initial Access]] it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.",
"id": "attack-pattern--34e5a805-69fd-5dc6-890c-cd216e098f22",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.031Z",
"name": "Technique/T1204: User Execution",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:18:00.102926+00:00",
"estimated_threat_start_time": "2018-05-15T15:18:00.102926+00:00",
"first_ingest_time": "2019-10-30T14:55:15.751760+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T14:55:15.751760+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/T1204: User Execution",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-f32e2de2-bf25-5ef5-89f2-9090727a7d9e"
},
{
"created": "2019-04-17T15:06:56.247Z",
"id": "indicator--f89320fa-8683-5543-aab3-92bcfa982eb0",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.031Z",
"name": "StealJob samples",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"pattern": "[file:name = 'KashmirVoice.apk' AND file:hashes.MD5 = '4aea3ec301b3c0e6d813795ca7e191bb' AND file:hashes.MD5 = '98a8f1a4ec5893f0b8acbca683ca4a7d' AND file:hashes.MD5 = 'd3f53bcf02ede4adda304fc7f03a2000' AND file:hashes.MD5 = 'CDF10316664D181749A8BA90A3C07454' AND file:hashes.MD5 = 'bf06a2b21b1178cff1e9e4bf0e6fa966']",
"type": "indicator",
"valid_from": "2019-04-10T04:00:00Z",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T15:02:55.991855+00:00",
"half_life": 10,
"ingest_time": "2019-10-30T17:39:34.066269+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "StealJob samples",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}indicator-bc083d03-4589-421d-8c17-b49a4e92e7e7"
},
{
"created": "2019-10-30T15:59:50.924Z",
"description": "The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.\n\nSystem firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
"id": "attack-pattern--56b7b811-bf35-5d2e-aec4-23ab8cbefa2a",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"targeted-technology--ios",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.042Z",
"name": "Technique/T1019: System Firmware",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:17:50.674412+00:00",
"estimated_threat_start_time": "2018-05-15T15:17:50.674412+00:00",
"first_ingest_time": "2019-10-30T15:59:48.492950+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:59:48.492950+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - iOS"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/T1019: System Firmware",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-3bb8e85c-172f-5135-bdef-eea482af240f"
},
{
"created": "2019-04-17T17:17:13.153Z",
"description": "<p> The malware will save the corresponding phone information as a JSON file and upload it to the attacker. Saved files will be uploaded to the C2. </p>",
"external_references": [
{
"description": "Custom Command and Control Protocol ",
"external_id": "1094",
"source_name": "mitre-attack"
},
{
"description": "Remote File Copy ",
"external_id": "1105",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "attack-pattern--86282038-ee61-5621-8d7a-cd9854c4e2ea",
"labels": [
"kill-chain-phase--command-and-control",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.043Z",
"name": "Attack Pattern: Saved json files from victim phone will be uploaded to C2",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T17:17:12.429921+00:00",
"half_life": 50,
"ingest_time": "2019-10-30T17:39:34.700881+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Command and Control"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Attack Pattern: Saved json files from victim phone will be uploaded to C2",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-94a02da9-3c15-45a5-8d1b-7fdccf646efa"
},
{
"created": "2019-11-07T14:15:44.553Z",
"description": "\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\" />\n <meta name=\"generator\" content=\"EclecticIQ Platform\" />\n <title>SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government</title>\n </head>\n <body>\n \n <article itemscope itemtype=\"http://eclecticiq.com/microdata/entity-description\">\n <meta itemprop=\"type\" content=\"report\" />\n <h1 itemprop=\"title\">SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government</h1>\n <div itemprop=\"content\">\n \n <section itemscope itemtype=\"http://eclecticiq.com/microdata/section\">\n <h1 itemprop=\"title\">Analysis</h1>\n <div itemprop=\"content\">\n <p>From March to July this year, the ThreatRecon team noticed a spearphishing campaign by threat actor SectorE02 targeting defense and intelligence agencies within the Government of Pakistan. Spearphishing emails are sent to targeted victims via Excel XLS files, which ask their victims to enable macros, allowing for downloader execution. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.</p><p></p><p>SectorE02 (aka Donot Team) targets Pakistani government defense and intelligence agencies. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has a Windows and mobile version. </p><p> </p><p>Modular framework usage allows SectorE02 to constantly modify and remake individual plugins of the framework, as well as pick and choose which plugins – if any – are sent to their victims. This modularity also permits low detection probability by antivirus engines, as each module is granular and will not even work without certain previously dropped files. </p>\n </div>\n </section>\n </div>\n </article>\n\n </body>\n </html>\n",
"external_references": [
{
"source_name": "external-url",
"url": "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
},
{
"source_name": "external-url",
"url": "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia"
},
{
"source_name": "external-url",
"url": "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/"
},
{
"source_name": "external-url",
"url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
},
{
"source_name": "external-url",
"url": "https://attack.mitre.org/software/S0248/"
},
{
"source_name": "external-url",
"url": "https://otx.alienvault.com/pulse/5aa2d723eb6bea7d0b672e1b"
},
{
"source_name": "external-url",
"url": "https://malpedia.caad.fkie.fraunhofer.de/actor/apt-c-35"
},
{
"source_name": "external-url",
"url": "https://www.reuters.com/article/us-india-cyber-threat/exclusive-india-and-pakistan-hit-by-spy-malware-cybersecurity-firm-idUSKCN1B80Y2"
}
],
"id": "report--8940891e-c748-53a3-9201-6f8bfbc45f33",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"industry-sector--government-national",
"malware--dropper",
"malware--information-stealer-harvester",
"targeted-technology--microsoft-products",
"malware--downloader"
],
"modified": "2019-12-04T16:40:19.044Z",
"name": "SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"object_refs": [
"campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"malware--f33099bf-5a82-5265-bc01-ef43d0e47281"
],
"published": "2019-11-07T14:15:44.553422Z",
"type": "report",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T13:47:40.839042+00:00",
"half_life": 5,
"ingest_time": "2019-11-14T23:29:44.998094+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Malware ",
"Malware - Dropper"
],
[
"Malware ",
"Malware - Information Stealer Harvester"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
],
[
"Malware ",
"Malware - Downloader"
]
],
"title": "SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}report-1c6b6e48-56d9-4fda-82cd-9dad75359500"
},
{
"aliases": [
"DoNot Team",
"SectorE02",
"APT-C-35",
"Intrusion Set: Donot Team",
"Donot Team"
],
"created": "2019-11-07T13:37:22.813Z",
"description": "<p>Targets government agencies in the Kashmir region.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
},
{
"source_name": "external-url",
"url": "https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading"
}
],
"first_seen": "2018-08-16T08:23:03.733364Z",
"last_seen": "2019-01-11T02:11:03.733364Z",
"resource_level": "team",
"id": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--possibly-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--apt",
"threat-actors--apt",
"industry-sector--energy",
"industry-sector--defense",
"industry-sector--government-national",
"threat-actors--espionage",
"threat-actors--nation-state"
],
"modified": "2019-11-07T13:37:22.813Z",
"name": "Intrusion Set: Donot Team",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"secondary_motivations": [
"political"
],
"created_by_ref": "identity--18d1436d-9d9d-4c05-8d88-bc4a39ff6bce",
"type": "intrusion-set",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-02-02T09:23:03+00:00",
"estimated_threat_start_time": "2018-08-16T08:23:03.733364+00:00",
"first_ingest_time": "2019-11-01T21:55:48.412183+00:00",
"half_life": 720,
"ingest_time": "2019-11-14T23:29:44.469913+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Energy"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Threat Actors",
"Threat Actors - Espionage"
],
[
"Threat Actors",
"Threat Actors - Nation-state"
]
],
"title": "Intrusion Set: Donot Team",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}threat-actor-80187da5-c937-4094-a3ad-b575f318b1a7"
},
{
"created": "2019-04-17T15:06:56.247Z",
"description": "<p>The discovered APK sample is an app called &quot;KashmirVoice&quot; (Kashmir Voice). Kashmir is used here as an abbreviation of Jammu-Kashmir, which includes the Kashmir Valley and Jammu.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "identity--f8ccc04e-9a28-5d4c-8eb7-fdefdcbe1dd3",
"identity_class": "organization",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.046Z",
"name": "Targeted Victim: Kashmir Voice application users",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "identity",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T14:26:00.301996+00:00",
"half_life": 80,
"ingest_time": "2019-10-30T17:39:35.310242+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Targeted Victim: Kashmir Voice application users",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-ca583175-76ac-4523-8eb9-8a55101f7337"
},
{
"created": "2019-10-30T18:26:31.403Z",
"description": "\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\" />\n <meta name=\"generator\" content=\"EclecticIQ Platform\" />\n <title>EclecticIQ Monthly APT Trend Report - August 2018 </title>\n </head>\n <body>\n \n <article itemscope itemtype=\"http://eclecticiq.com/microdata/entity-description\">\n <meta itemprop=\"type\" content=\"report\" />\n <h1 itemprop=\"title\">EclecticIQ Monthly APT Trend Report - August 2018 </h1>\n <div itemprop=\"content\">\n \n <section itemscope itemtype=\"http://eclecticiq.com/microdata/section\">\n <h1 itemprop=\"title\">Analysis</h1>\n <div itemprop=\"content\">\n \n <p>This report aims to provide an overview of trends seen from August 2018 in Advanced Persistent Threats, the threat actors behind them or newly emerging, and the technology being used or exploited on a regular basis. Where applicable, the report will provide knowledge of known exploits and core attack patterns seen used in the course of the breaches.</p><p></p><p>This report is not exhaustive in nature and as such, will not include every advanced persistent threat or threat actor announced.</p><p></p><p>EclecticIQ analysts have detected the following numbers in the given time frame related to APT:</p><ul><li>Campaigns: 12</li><li>Threat Actors: 6</li><li>Attack Patterns: 110</li><li>Malware and variants: 43 (28 Variants)</li></ul><p> </p><p><strong><u>Campaigns </u></strong></p><p></p><p>During the month of August, new campaigns with financial and political advantage motivations have been detected. </p><p></p><p><u>Political Campaigns</u></p><p></p><p>Secureworks researchers observed a credential harvesting campaign leveraging fake university login portals. It has been attributed to the Iranian actor Cobalt Dickens. 
[<span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-7e25148a-e49a-44c9-b36e-36af7ea3c05f\">\n <mark itemprop=\"content\">Cobalt Dickens credential harvesting</mark>\n </span>].</p><p></p><p>A joint investigation of security researchers and Facebook identified and removed hundreds of accounts tied to Iranian actors that were promoting Iran’s geopolitical agenda around the world. The campaign included such fake websites like “US Journal,” “Liberty Free Press,” \"Real Progressive Front,\" \"The British Left,\" and \"Instituto Manquehue\" aimed to push political propaganda in favour of Iran. [<span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-2de62dcc-3063-4bc3-b31d-a998f5956d33\">\n <mark itemprop=\"content\">Suspected Iranian Information Ops Campaign on Facebook</mark>\n </span> and <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-2cdb77c2-3b11-4123-8f52-69c26ef0f135\">\n <mark itemprop=\"content\">Suspected Russian Information Ops Campaign on Facebook</mark>\n </span>]</p><p></p><p>From July 2017 to at least August 2018, Donot Team launched a campaign, <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" 
content=\"{https://www.eclecticiq.com/ns}campaign-75a48103-0b5f-4631-9afd-9732274db60e\">\n <mark itemprop=\"content\">Donot 2018 campaign targeting Android devices</mark>\n </span>, that used a mobile RAT disguised as KNS Lite (Kashmir News Service) to target organisations in Pakistan.</p><p></p><p>Also the political campaign from the Gorgon Group have continued to have activity:</p><ul><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-9acdf7f3-8257-489b-af0d-f0b5fa93ea03\">\n <mark itemprop=\"content\">Gorgon Group Political Campaign 2018</mark>\n </span> </li></ul><p><u>Financial Campaigns</u></p><p></p><p>One of the most relevant campaigns of this months is <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-c8101bf2-d87b-4160-b42e-c4f9cbeac74c\">\n <mark itemprop=\"content\">Operation AppleJeus</mark>\n </span> targeting multiple platforms like Linux, Windows and MacOS. The trojan was downloaded from an update of the cryptocurrency trading program <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-51ad15be-3f2e-4d12-9b97-f85dc32bdf85\">\n <mark itemprop=\"content\">Malware: Celas Trade Pro</mark>\n </span> which is unclear if it was a compromised tool or a malicious tool created with that purpose. 
</p><p></p><p>Following the financial motivation pursued by North Korean threat actors, Ryuk, a targeted and well-planned Ransomware, has attacked various organizations worldwide. So far the campaign, <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-1e74b9e2-fe5d-41fc-a8b9-cbfa80fe9546\">\n <mark itemprop=\"content\">Ryuk (August 2018)</mark>\n </span>, has targeted several enterprises, while encrypting hundreds of PC, storage and data centers in each infected company. </p><p></p><p>Gorgon Group also has been running a criminal campaign <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-bad509d9-8aeb-403e-b25b-cca52125dd4d\">\n <mark itemprop=\"content\">Gorgon Group Criminal Campaign 2018</mark>\n </span>.</p><p></p><p>TA505 Group has launched several campaigns this month targeting banks clients:</p><ul><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-7fcf951b-7bbb-4e77-a635-9f458a4241e9\">\n <mark itemprop=\"content\">TA505 - PDF Attachment campaign</mark>\n </span> </li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-f552ba4e-7b60-4fee-a60d-ada891211900\">\n <mark itemprop=\"content\">TA505 - 
Microsoft Word attachment campaign</mark>\n </span></li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-73ede634-c6d8-4952-a553-b3c32820d8c9\">\n <mark itemprop=\"content\">TA505 - Sales &amp; iqy attachment campaign</mark>\n </span></li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-3389fcd5-c1ff-4a65-b2de-cdc1fd812a0d\">\n <mark itemprop=\"content\">TA505 - Password-protected ZIP campaign</mark>\n </span></li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"campaigns\">\n <meta itemprop=\"entity-type\" content=\"campaign\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}campaign-f4fc0dcd-924d-4fef-83ba-a59645109d05\">\n <mark itemprop=\"content\">TA505 - Major Bank &amp; iqy attachment campaign</mark>\n </span></li></ul><p></p><p><strong><u>Threat Actors</u></strong></p><p></p><p><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-fb77e416-7530-49e7-8d58-28b18adc8fae\">\n <mark itemprop=\"content\">Intrusion Set: Donot Team</mark>\n </span> was first exposed by the 360-day team in March 2017, and several domestic and international security teams continued to track and disclose the organization's latest attacks. The exposed attacks were carried out on the PC side. 
In August 2018, the threat actor launched a new campaign targeting mobile users with the RAT disguised as KNS Lite (Kashmir News Service). </p><p></p><p><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-bf272ded-743c-4fce-be02-d8c14323f095\">\n <mark itemprop=\"content\">Intrusion Set: Cobalt Dickens</mark>\n </span> has been targeting members of university communities worldwide phishing the login portal. It is still unclear how far the threat actor might have gained access with the credentials obtained in the phishing portal. </p><p></p><p>Security researchers have identified that a threat actor dubbed<span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-7875cd72-f1ea-467e-ac2d-270844e73986\">\n <mark itemprop=\"content\">Intrusion Set: WindShift</mark>\n </span> has leveraged multiple vulnerabilities present in all Apple Mac models to target governmental and critical infrastructure sectors across the Middle East since at least 2016. 
</p><p></p><p>Well known threat actors like <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-dcb5cfca-4d5d-42cd-aece-7b76c10f3691\">\n <mark itemprop=\"content\">Intrusion Set: Lazarus Group</mark>\n </span> and <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-2224c0a7-dbfa-488e-b30e-c5d0c89dae9d\">\n <mark itemprop=\"content\">Intrusion Set: Leviathan</mark>\n </span> have also been behind campaigns this month. </p><p></p><p>Also at the beginning of the month on Aug. 1, 2018, the United States District Attorney’s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"threat_actors\">\n <meta itemprop=\"entity-type\" content=\"threat-actor\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}threat-actor-2ec6bf8b-8063-4729-8e57-90011422d3bd\">\n <mark itemprop=\"content\">Intrusion Set: FIN7</mark>\n </span> .</p><p></p><p> </p><p><strong><u>Attack Patterns</u></strong></p><p></p><p>During August, most of the campaigns have used in the delivery kill chain phase and the attack pattern <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://attack.mitre.org}ttp-74363990-674f-52ed-878f-9ca58b1c5eb0\">\n <mark 
itemprop=\"content\">Technique/T1193: Spearphishing Attachment</mark>\n </span>. The group TA505 have used this attack pattern to distribute many of their malicious documents:</p><ul><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-2388eaa6-6d0b-4581-b016-68ddd39f7bbd\">\n <mark itemprop=\"content\">Attack Pattern: Spear-phishing with “.iqy” Attachment and Sales Theme</mark>\n </span> </li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-dcb48b05-7cc9-4b20-97cf-641bea6f79a7\">\n <mark itemprop=\"content\">Attack Pattern: Spear-phishing with “.iqy” Attachment and Bank Theme</mark>\n </span> </li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-6283f4b7-6bff-4a18-95a7-0a4cea74cee6\">\n <mark itemprop=\"content\">Attack Pattern: Spear-phishing with PDF Attachment</mark>\n </span> </li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-96922e53-b448-464e-8a6b-479c74870200\">\n <mark itemprop=\"content\">Attack Pattern: Spear-phishing with MS Word Attachments</mark>\n </span> </li></ul><p>Regarding the campaigns targeting US Local Election Officials, we identified two attack patterns:</p><ul><li><span itemscope=\"\" 
itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-29f41cda-b7fe-4171-b45a-5847558df82a\">\n <mark itemprop=\"content\">Attack Pattern: Spearphishing emails spoofing Unknown US company manufacturing election hardware and software containing malicious word document</mark>\n </span> </li><li><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-f04f85ed-c730-4b3a-ba2d-555909f64224\">\n <mark itemprop=\"content\">Attack Pattern:Malicious word doc contains VBS script that runs Powershell to retrieve unknown payload from remote server</mark>\n </span> </li></ul><p>During the operation carried out by Windshift targeting universities, the attack pattern used included the spoofing of legitimate login portals: <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-7437859f-fdf0-452b-a068-12481382c28e\">\n <mark itemprop=\"content\">Attack Pattern: Spoofed university login pages</mark>\n </span> </p><p></p><p>During the political campaign targeting Facebook users, security researchers have detected brute forcing attack patterns to Facebook Iranian accounts. 
<span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-567d5b34-6ec7-4ad9-95ed-07e30f05df42\">\n <mark itemprop=\"content\">Attack Pattern: Iranian influence operations attempting to break into Facebook accounts</mark>\n </span></p><p></p><p>One attack pattern attacking the supply chain of a trading program has been used during the operation AppleJeus: <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-2ac8774f-10d0-41ff-80e7-3a94c51c53ac\">\n <mark itemprop=\"content\">Attack Pattern: Fake Update for Celas Trade Pro Program</mark>\n </span></p><p></p><p> </p><p><strong><u>Malware</u></strong></p><p></p><p>Though there have been several malware and variants active this month, it is worth to mention the emergence of <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-d856eaf6-c66d-45df-a95d-6d6c7aea1d7a\">\n <mark itemprop=\"content\">Malware: Ryuk</mark>\n </span> by Lazarus Group, a malware which has significant code overlap with <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-5bcab0d4-f626-43b1-ba8a-2f9b53161753\">\n <mark itemprop=\"content\">Malware: Hermes</mark>\n </span>. 
The main purpose of this malware is to finance this group, which is a clear intent in NK threat actors. </p><p></p><p>Another malware that is worth mentioning is the <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-7e1b7650-5417-4762-ac7d-b1d727d9eb16\">\n <mark itemprop=\"content\">Malware: Turla Outlook Backdoor</mark>\n </span>. ESET released a report <br>this month detailing the capabilities of this malware that has been active since 2013. iSight reported on early June about a new Turla malware targeting European Government Agencies.</p><p></p><p><span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-13065c51-9112-4d53-89f6-68dff26dc4ec\">\n <mark itemprop=\"content\">Malware: BISKVIT</mark>\n </span> is a multi-component malware written in C# that targeted an exhibition being held annually in Russia called <em>Army 2018 International Military and Technical Forum</em>. BISKVIT is modular and is so far known to be capable of downloading files and components, hide execution of downloaded and local files, download of dynamic configuration files, update or delete itself. 
This malware has been seen this month by the FortiGuard Labs team when a malicious PPSX file exploiting <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"exploit_targets\">\n <meta itemprop=\"entity-type\" content=\"exploit-target\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}exploit-target-b37ec557-2ae5-439b-a9b0-d362046fcb7e\">\n <mark itemprop=\"content\">CVE-2017-0199</mark>\n </span> that had been crafted for Russian speakers. </p><p></p><p>Trend Micro reported about a campaign targeting users in Japan with the <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-da0ca59f-347a-497b-8305-b28b14963ae7\">\n <mark itemprop=\"content\">Malware: Bebloh</mark>\n </span> and <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-68e37e92-eab3-46bd-9651-6d4cc4d22baf\">\n <mark itemprop=\"content\">Malware: Ursnif</mark>\n </span> Trojans.</p><p></p><p>The threat actor Windshift has been using the malware <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" content=\"{https://www.eclecticiq.com/ns}ttp-c4e11141-d7fe-4761-acdc-1fc893253b15\">\n <mark itemprop=\"content\">Malware: WindTale</mark>\n </span> and <span itemscope=\"\" itemtype=\"http://eclecticiq.com/microdata/relationship\">\n \n <meta itemprop=\"type\" content=\"ttps\">\n <meta itemprop=\"entity-type\" content=\"ttp\">\n <meta itemprop=\"entity-id\" 
content=\"{https://www.eclecticiq.com/ns}ttp-e58f80b3-4fe4-47ac-a33c-b64f8d57462a\">\n <mark itemprop=\"content\">Malware: WindTape</mark>\n </span>.</p><p></p><p></p>\n \n </div>\n </section>\n </div>\n </article>\n\n </body>\n </html>\n",
"external_references": [
{
"source_name": "external-url",
"url": "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"
},
{
"source_name": "external-url",
"url": "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap"
},
{
"source_name": "external-url",
"url": "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/"
},
{
"source_name": "external-url",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/"
},
{
"source_name": "external-url",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/iqy-and-powershell-abused-by-spam-campaign-to-infect-users-in-japan-with-bebloh-and-ursnif/"
},
{
"source_name": "external-url",
"url": "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
},
{
"source_name": "external-url",
"url": "https://www.eset.com/int/about/newsroom/press-releases/announcements/turla-targets-diplomats-in-eastern-europe-using-fake-adobe-flash-player-installers/"
},
{
"source_name": "external-url",
"url": "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
},
{
"source_name": "external-url",
"url": "https://securelist.com/operation-applejeus/87553/"
},
{
"source_name": "external-url",
"url": "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/#153f48cb6fd6"
}
],
"id": "report--05a32e0d-0950-510e-b2dd-99793d1b6a5b",
"labels": [
"theme--financial-crime",
"threat-actors--cybercriminal",
"admiralty-code--confirmed-by-other-sources",
"threat-actors--apt",
"source--eiq-fusion",
"theme--critical-infrastructure",
"theme--apt",
"malware--remote-access-trojan",
"targeted-technology--facebook",
"theme--indonesia",
"admiralty-code--fairly-reliable",
"threat-actors--nation-state",
"theme--mena",
"theme--generic-threats",
"threat-actors--espionage"
],
"modified": "2019-12-04T16:40:19.047Z",
"name": "EclecticIQ Monthly APT Trend Report - August 2018 ",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"object_refs": [
"campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"attack-pattern--789e7f1f-b423-5b44-a183-9f478edd52a6"
],
"published": "2019-10-30T18:26:31.403968Z",
"type": "report",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-09-06T15:43:50.760433+00:00",
"estimated_threat_start_time": "2018-09-06T15:43:50.760433+00:00",
"first_ingest_time": "2018-09-14T09:57:38.944169+00:00",
"half_life": 182,
"ingest_time": "2019-10-30T16:16:14.314217+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Theme",
"Theme - Financial Crime"
],
[
"Threat Actors",
"Threat Actors - Cybercriminal"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Theme",
"Theme - APT"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Social Media Platforms",
"Targeted Technology - Facebook"
],
[
"Theme",
"Theme - Indonesia"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Threat Actors",
"Threat Actors - Nation-state"
],
[
"Theme",
"Theme - MENA"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Threat Actors",
"Threat Actors - Espionage"
]
],
"title": "EclecticIQ Monthly APT Trend Report - August 2018 ",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}report-930268ea-0324-4863-9932-44ca3be94103"
},
{
"aliases": [
"StealJob "
],
"created": "2019-04-18T02:32:45.184Z",
"description": "<p>Recently, researchers have observed a large-scale upgrade of the group's malicious Android APK framework to make it more stable and practical. Since the new APK framework is quite different from the one used in the past, we named it StealJob because “job” is frequently used in the code.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"first_seen": "2019-04-10T04:00:00Z",
"last_seen": "2019-07-12T04:00:00Z",
"id": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android",
"advantage--political",
"unauthorized-access",
"denial-and-deception"
],
"modified": "2019-04-18T02:32:45.184Z",
"name": "Donot Team: StealJob Android malware campaign ",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"objective": "Advantage - Political, Unauthorized Access, Denial and Deception",
"type": "campaign",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-18T02:29:09.514946+00:00",
"half_life": 1000,
"ingest_time": "2019-10-30T17:39:35.483054+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Donot Team: StealJob Android malware campaign ",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}campaign-009a7c73-264b-4ca5-a728-4dac32178831"
},
{
"created": "2019-10-30T15:58:42.325Z",
"description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.",
"id": "attack-pattern--5e02f94d-5713-571c-903a-e21c94de0be5",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"source-type--open-source",
"theme--generic-threats",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.049Z",
"name": "Technique/MOB-T1033: Location Tracking",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:56:03.500711+00:00",
"estimated_threat_start_time": "2018-05-15T15:56:03.500711+00:00",
"first_ingest_time": "2019-10-30T15:33:40.923780+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:33:40.923780+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1033: Location Tracking",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-e64ca0d4-a086-4b40-b8c7-770022ff46d8"
},
{
"created": "2019-10-30T16:00:37.665Z",
"description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class to enumerate other apps installed on the device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz; however, use of private API calls will likely prevent the application from being distributed through Apple's App Store.",
"id": "attack-pattern--63633866-b981-50d6-b358-1d66dea101ea",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"targeted-technology--android",
"targeted-technology--ios",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.049Z",
"name": "Technique/MOB-T1021: Application Discovery",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:55:40.924735+00:00",
"estimated_threat_start_time": "2018-05-15T15:55:40.924735+00:00",
"first_ingest_time": "2019-10-30T15:38:04.890321+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:38:04.890321+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - iOS"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1021: Application Discovery",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-c2d2a850-fdfe-566c-a6b5-10c1485b6f13"
},
{
"aliases": [
"Credential Harvesting Campaign Targeting South Asian Government and Defence Organizations"
],
"created": "2019-03-28T08:39:17.436Z",
"external_references": [
{
"source_name": "external-url",
"url": "https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading"
}
],
"first_seen": "2019-02-01T23:00:00Z",
"last_seen": "2019-09-02T11:00:00Z",
"id": "campaign--ecc5c539-9b50-5490-b202-7ebad6dd471d",
"labels": [
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--apt",
"industry-sector--energy",
"industry-sector--defense",
"industry-sector--government-national",
"threat-actors--nation-state",
"industry-sector--non-profit",
"theft--credential-theft"
],
"modified": "2019-03-28T08:39:17.436Z",
"name": "Credential Harvesting Campaign Targeting South Asian Government and Defence Organizations",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"objective": "Theft - Credential Theft",
"type": "campaign",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-02-01T23:00:00+00:00",
"estimated_threat_start_time": "2019-02-01T23:00:00+00:00",
"first_ingest_time": "2019-03-28T08:39:16.800771+00:00",
"half_life": 360,
"ingest_time": "2019-10-30T17:32:08.633004+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - APT"
],
[
"Industry Sector",
"Industry Sector - Energy"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Threat Actors",
"Threat Actors - Nation-state"
],
[
"Industry Sector",
"Industry Sector - Non-Profit"
]
],
"title": "Credential Harvesting Campaign Targeting South Asian Government and Defence Organizations",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}campaign-756fc5b8-63a0-42ff-9dc6-523aa2db2230"
},
{
"created": "2019-11-07T13:39:30.079Z",
"id": "indicator--121c3fd3-42ef-5686-9c18-ff2ab5775f56",
"labels": [
"kill-chain-phase--weaponization",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"malware--information-stealer-harvester",
"targeted-technology--microsoft-products",
"malware--downloader"
],
"modified": "2019-12-04T16:40:19.050Z",
"name": "Malicious Excel Files Associated with SectorE02 Activity",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"pattern": "[file:hashes.'SHA-256' = '1f64ab4db42ad68b4b99120ef6e9d1409cf606d31d932c0d306bb11c8ddcb2b4' AND file:hashes.'SHA-256' = '7703c3385894dd3468c468745c747bf5c75f37a9b1fcaf2a1d0f291ecb7abce6' AND file:hashes.'SHA-256' = 'aa1c8adc4b7d352e487842b1d3017f627230ff1057350aaca1ffeb4d6abae16a' AND file:hashes.'SHA-256' = '6d0a3c4b2414c59be1190710c09330f4dd07e7badc4194e592799783f1cfd055' AND file:hashes.'SHA-256' = 'f0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842' AND file:hashes.'SHA-256' = 'fdcf3873df6f83336539c4997ce69fce459737c6d655f1972422f861437858a9' AND file:hashes.'SHA-256' = '95ea070bbfca04fff58a7092d61527aad0474914ffd2501d96991faad1388c7a' AND file:hashes.'SHA-256' = '5a70d423fb336448fc7a71fbc3c7a4f0397bc7fa1ec32f7cc42824a432051c33' AND file:hashes.'SHA-256' = '42775c20aa5b73b2eaecb5b107ce59d105f978660e6e43f53f804733ce3f7cbe' AND file:hashes.'SHA-256' = 'cc2c2694d0284153605a98c0e7493fb90aff0d78e7f03e37c80fb505fbf3f93f' AND file:hashes.'SHA-256' = 'a06a5b1d63ca67da90ba6cd9cbc00d6872707a1b49d44de26d6eb5ce7dd7d545']",
"type": "indicator",
"valid_from": "2019-02-28T23:00:00Z",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T13:39:29.528636+00:00",
"half_life": 5,
"ingest_time": "2019-11-14T23:29:44.220370+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Weaponization"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Malware ",
"Malware - Information Stealer Harvester"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
],
[
"Malware ",
"Malware - Downloader"
]
],
"title": "Malicious Excel Files Associated with SectorE02 Activity",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}indicator-5a0eed46-c59b-45a7-b124-74a6dfd43d03"
},
{
"aliases": [
"Donot 2018 campaign targeting mobile devices"
],
"created": "2019-10-30T17:05:53.469Z",
"description": "<p>From July 2017 to at least August 2018, Donot Team has used a mobile RAT disguised as KNS Lite (Kashmir News Service) to target organisations in Pakistan.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
}
],
"first_seen": "2018-08-16T08:45:50.158581Z",
"id": "campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"labels": [
"targeted-technology--android",
"admiralty-code--fairly-reliable",
"theme--apt",
"industry-sector--government-national",
"source--eiq-fusion",
"theme--financial-crime",
"theme--critical-infrastructure",
"admiralty-code--possibly-true",
"threat-actors--apt",
"theft--intellectual-property",
"theft--theft-of-proprietary-information"
],
"modified": "2019-10-30T17:05:53.469Z",
"name": "Donot 2018 campaign targeting Android devices",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"objective": "Theft - Intellectual Property, Theft - Theft of Proprietary Information",
"type": "campaign",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-08-16T08:45:50.158581+00:00",
"estimated_threat_start_time": "2018-08-16T08:45:50.158581+00:00",
"first_ingest_time": "2019-10-30T16:07:38.688215+00:00",
"half_life": 1000,
"ingest_time": "2019-10-30T16:07:38.688215+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Theme",
"Theme - APT"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Financial Crime"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Threat Actors",
"Threat Actors - APT"
]
],
"title": "Donot 2018 campaign targeting Android devices",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}campaign-75a48103-0b5f-4631-9afd-9732274db60e"
},
{
"created": "2019-11-07T12:56:44.368Z",
"description": "<p>SectorE02&#x27;s framework consists of a lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.</p><p></p><p>The lure file is an Excel document with names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, it masqueraded as an Excel calculator from the National Bank of Pakistan.</p><p></p><p>In later stages of the campaign, however, the group appeared to switch to using a MsgBox to show an error saying “This file is corrupted”. In the background, the Excel macro retrieves encoded data stored within the document itself, and the encoding here is just a simple decimal encoding with a comma (or exclamation mark) as a separator. The same encoding is used for the dropped executable, although more often one entire file is encoded as a zip archive containing two files – a batch script and an executable – which is then unzipped and executed.</p><p></p><p>The dropped batch scripts follow the same basic format: creating folders with the hidden, system, and archive attributes, dropping the batch and executable files there, and setting persistence through either scheduled tasks or the autorun registry key. A text file containing the %COMPUTERNAME% variable and random digits will also be saved as “win.txt”, and this file is required for the executable downloader.</p><p></p><p>The batch file that is dropped is used for three main purposes: 1) to set up the first folder, which is used to store the text file containing the computer name, 2) to set up what we call the “common exfiltration folder” which each individual plugin uses for different purposes, and 3) to set up persistence via scheduled task or registry run keys.</p>",
"external_references": [
{
"description": "Spearphishing Attachment",
"external_id": "CAPEC-1193",
"source_name": "capec"
},
{
"description": "Command-Line Interface",
"external_id": "CAPEC-1059",
"source_name": "capec"
},
{
"description": "Scheduled Task",
"external_id": "CAPEC-1053",
"source_name": "capec"
},
{
"description": "Scripting",
"external_id": "CAPEC-1064",
"source_name": "capec"
},
{
"description": "User Execution",
"external_id": "CAPEC-1204",
"source_name": "capec"
},
{
"description": "Hidden Files and Directories",
"external_id": "CAPEC-1158",
"source_name": "capec"
},
{
"description": "Registry Run Keys / Startup Folder",
"external_id": "CAPEC-1060",
"source_name": "capec"
},
{
"description": "Remote File Copy",
"external_id": "CAPEC-1105",
"source_name": "capec"
},
{
"description": "Exfiltration Over Command and Control",
"external_id": "CAPEC-1041",
"source_name": "capec"
},
{
"source_name": "external-url",
"url": "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
}
],
"id": "attack-pattern--3de3f846-269d-5839-ac91-820f38c11922",
"labels": [
"kill-chain-phase--exploitation",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--government-national",
"targeted-technology--microsoft-products"
],
"modified": "2019-12-04T16:40:19.068Z",
"name": "Attack Pattern: Using Enabled Macros from Spearphishing Attachment to Obtain and Maintain Persistence",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T12:56:43.997134+00:00",
"half_life": 5,
"ingest_time": "2019-11-14T23:29:44.389040+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Exploitation"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
]
],
"title": "Attack Pattern: Using Enabled Macros from Spearphishing Attachment to Obtain and Maintain Persistence",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-4fe6ebf5-cffd-477e-938c-590ba4642ff7"
},
{
"created": "2019-10-30T15:58:42.291Z",
"description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.",
"id": "attack-pattern--ce992ef6-3e08-55b5-9602-9e0e3108605b",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"source-type--open-source",
"theme--generic-threats",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.069Z",
"name": "Technique/MOB-T1032: Microphone or Camera Recordings",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:56:12.421872+00:00",
"estimated_threat_start_time": "2018-05-15T15:56:12.421872+00:00",
"first_ingest_time": "2019-10-30T15:33:41.113919+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:33:41.113919+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1032: Microphone or Camera Recordings",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-533fd841-d6ed-489e-8a07-c4405855ea5b"
},
{
"aliases": [
"SectorE02 Spear Phishing Campaign March-July 2019"
],
"created": "2019-11-07T15:06:26.063Z",
"description": "<p>From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which ask their victims to enable macros which will end up executing the downloader. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
}
],
"first_seen": "2019-02-28T23:00:00Z",
"id": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"industry-sector--defense",
"industry-sector--government-national",
"malware--information-stealer-harvester",
"targeted-technology--microsoft-products",
"malware--downloader",
"advantage--military",
"advantage--political",
"theft--credential-theft",
"denial-and-deception",
"unauthorized-access"
],
"modified": "2019-11-07T15:06:26.063Z",
"name": "SectorE02 Spearphishing Campaign March-July 2019",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"objective": "Advantage - Military, Advantage - Political, Theft - Credential Theft, Denial and Deception, Unauthorized Access",
"type": "campaign",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T15:06:17.437339+00:00",
"half_life": 1000,
"ingest_time": "2019-11-14T23:29:44.527702+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Malware ",
"Malware - Information Stealer Harvester"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
],
[
"Malware ",
"Malware - Downloader"
]
],
"title": "SectorE02 Spearphishing Campaign March-July 2019",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}campaign-de173288-23b3-4dc3-aed1-ac02f679dbc0"
},
{
"created": "2019-04-17T15:06:56.247Z",
"description": "<p> It disguises itself as a benign application and induces the user into installing it. It tricks the victim into believing that the software has been uninstalled, while in fact it hides its icon to protect itself from being removed. </p>",
"external_references": [
{
"description": "Location Tracking ",
"external_id": "1033",
"source_name": "mitre-attack"
},
{
"description": "Capture SMS Messages ",
"external_id": "1015",
"source_name": "mitre-attack"
},
{
"description": "Access Call Log ",
"external_id": "1036",
"source_name": "mitre-attack"
},
{
"description": "System Information Discovery ",
"external_id": "1029",
"source_name": "mitre-attack"
},
{
"description": "System Firmware ",
"external_id": "1019",
"source_name": "mitre-attack"
},
{
"description": "Access Sensitive Data in Device Logs ",
"external_id": "1016",
"source_name": "mitre-attack"
},
{
"description": "Application Discovery ",
"external_id": "1021",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"labels": [
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"malware--remote-access-trojan",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.070Z",
"name": "Malware: StealJob Android malware",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "malware",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T14:56:53.472899+00:00",
"half_life": 70,
"ingest_time": "2019-10-30T17:39:34.743471+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Malware ",
"Malware - Remote Access Trojan"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Malware: StealJob Android malware",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-9345fdd2-cec3-465a-ba8f-5525cf50533b"
},
{
"created": "2019-11-07T14:15:44.553Z",
"description": "<p>From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which ask their victims to enable macros which will end up executing the downloader. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
}
],
"id": "identity--f749f40b-d7ae-5fca-9829-924a792a22cd",
"identity_class": "class",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"industry-sector--government-national",
"targeted-technology--microsoft-products"
],
"modified": "2019-12-04T16:40:19.071Z",
"name": "Targeted Victim: Pakistan Defense and Intelligence Organizations",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"sectors": [
"defense",
"government-national"
],
"type": "identity",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-07-28T22:00:00+00:00",
"estimated_threat_start_time": "2019-07-10T22:00:00+00:00",
"first_ingest_time": "2019-11-07T13:38:54.251790+00:00",
"half_life": 12,
"ingest_time": "2019-11-14T23:29:44.423982+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
]
],
"title": "Targeted Victim: Pakistan Defense and Intelligence Organizations",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-ec38d343-1d98-4e31-9c09-bb5df95a9fd2"
},
{
"created": "2018-05-22T11:41:08.587Z",
"description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.",
"id": "attack-pattern--422b19a4-3885-5c15-9397-a6ef7768af84",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"source--mitre",
"theme--generic-threats",
"source-type--open-source",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.071Z",
"name": "Technique/MOB-T1016: Access Sensitive Data in Device Logs",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:55:34.361405+00:00",
"estimated_threat_start_time": "2018-05-15T15:55:34.361405+00:00",
"first_ingest_time": "2018-05-15T15:55:34.361405+00:00",
"half_life": 9000,
"ingest_time": "2019-10-30T16:01:04.308602+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Source",
"Source - Mitre"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Technique/MOB-T1016: Access Sensitive Data in Device Logs",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-0192ca61-0f53-5d8e-9662-e920428de1c4"
},
{
"created": "2019-10-30T15:58:37.922Z",
"description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [[Technique/T1204|User Execution]] to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.",
"id": "attack-pattern--789e7f1f-b423-5b44-a183-9f478edd52a6",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.072Z",
"name": "Technique/T1193: Spearphishing Attachment",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:17:45.117011+00:00",
"estimated_threat_start_time": "2018-05-15T15:17:45.117011+00:00",
"first_ingest_time": "2019-10-30T14:53:54.381124+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T14:53:54.381124+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/T1193: Spearphishing Attachment",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-74363990-674f-52ed-878f-9ca58b1c5eb0"
},
{
"created": "2019-10-30T18:53:57.205Z",
"description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\n\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).\n\nDetection\nMonitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
"external_references": [
{
"source_name": "external-url",
"url": "https://attack.mitre.org/techniques/T1105"
},
{
"source_name": "external-url",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"id": "attack-pattern--7932ee75-ca9c-52a4-b678-8a020571907d",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"theme--generic-threats",
"source-type--open-source",
"source--mitre",
"source--eiq-fusion"
],
"modified": "2019-12-04T16:40:19.072Z",
"name": "Technique/T1105: Remote File Copy",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2017-05-31T21:31:16.408Z",
"estimated_threat_start_time": "2018-11-28T13:01:12.469877+00:00",
"first_ingest_time": "2019-10-30T14:59:12.710020+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T14:59:12.710020+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
],
[
"Source",
"Source - EIQ Fusion"
]
],
"title": "Technique/T1105: Remote File Copy",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-9c02b8f5-2321-4f22-87c4-4970c7b8df6e"
},
{
"created": "2019-04-18T02:33:34.176Z",
"id": "indicator--736cbc31-0ef4-5c1c-9507-065f4f7c6ed0",
"labels": [
"kill-chain-phase--command-and-control",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.073Z",
"name": "StealJob C2",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"pattern": "[domain-name:value = 'bike.drivethrough.top' AND domain-name:value = 'help.domainoutlet.site' AND domain-name:value = 'justin.drinkeatgood.space' AND domain-name:value = 'car.drivethrough.top' AND domain-name:value = 'drinkeatgood.space' AND domain-name:value = 'jasper.drivethrough.top' AND domain-name:value = 'alter.drivethrough.top' AND domain-name:value = 'guild.domainoutlet.site' AND domain-name:value = 'digest.drinkeatgood.space' AND domain-name:value = 'qwe.drivethrough.top' AND domain-name:value = 'param.drivethrough.top' AND domain-name:value = 'ground.domainoutlet.site' AND domain-name:value = 'guide.domainoutlet.site' AND domain-name:value = 'genwar.drivethrough.top' AND ipv4-addr:value = '139.180.135.59:4233']",
"type": "indicator",
"valid_from": "2019-04-10T04:00:00Z",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T13:53:21.594385+00:00",
"half_life": 10,
"ingest_time": "2019-10-30T17:39:34.891288+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Command and Control"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "StealJob C2",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}indicator-08a30f2a-9373-4cf3-b7e2-a10f28fcf6d8"
},
{
"created": "2019-11-07T13:41:22.163Z",
"id": "indicator--331df789-8400-57b2-ba3c-bca651c5bad2",
"labels": [
"kill-chain-phase--weaponization",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"malware--dropper",
"malware--information-stealer-harvester",
"targeted-technology--microsoft-products",
"malware--downloader"
],
"modified": "2019-12-04T16:40:19.085Z",
"name": "Batch Scripts and Plugins Associated with SectorE02 Activity",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"pattern": "[uri-hash-sha256:value = 'e726c07f3422aaee45187bae9edb1772146ccac50315264b86820db77b42b31c' AND uri-hash-sha256:value = '13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4' AND uri-hash-sha256:value = 'd4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e' AND uri-hash-sha256:value = '62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7' AND uri-hash-sha256:value = 'b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384' AND uri-hash-sha256:value = '5acfd1b49ae86ef66b94a3e0209a2d2a3592c31b57ccbaa4bb9540fcf3403574' AND uri-hash-sha256:value = 'f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5' AND uri-hash-sha256:value = 'd71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa' AND uri-hash-sha256:value = '8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1' AND uri-hash-sha256:value = '57a9a17baaf61de5cffa8b2e2ec340a179e7e1cd70e046cbd832655c44bc7c1d' AND uri-hash-sha256:value = '08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a' AND uri-hash-sha256:value = 'ce1df70e96b4780329d393ff7a37513aec222030e80606ee3ef99b306951d74d' AND uri-hash-sha256:value = '92b12010772166647f510ad91731e931d58bc077bfc9f9d39adc678cc00fb65d' AND uri-hash-sha256:value = '1b46735d6b6aebefd5809274de1aaa56b5fac314b33c2fa51b001e07b4f7e4d7' AND uri-hash-sha256:value = 'f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37' AND uri-hash-sha256:value = 'cd03ed9e4f3257836e11016294c8701baa12414b59f221e556cbed16a946b205' AND uri-hash-sha256:value = '9169dab8579d49253f72439f7572e0aabeb685c5ca63bf91fff81502764e79bb' AND file:hashes.'SHA-256' = '13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4' AND file:hashes.'SHA-256' = 'f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37' AND file:hashes.'SHA-256' = '8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1' AND file:hashes.'SHA-256' = 'd71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa' AND file:hashes.'SHA-256' = '08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a' AND file:hashes.'SHA-256' = 'f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5' AND file:hashes.'SHA-256' = '62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7' AND file:hashes.'SHA-256' = 'd4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e']",
"type": "indicator",
"valid_from": "2019-02-28T23:00:00Z",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T13:41:21.675450+00:00",
"half_life": 4,
"ingest_time": "2019-11-14T23:29:45.024559+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Weaponization"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Malware ",
"Malware - Dropper"
],
[
"Malware ",
"Malware - Information Stealer Harvester"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
],
[
"Malware ",
"Malware - Downloader"
]
],
"title": "Batch Scripts and Plugins Associated with SectorE02 Activity",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}indicator-a6113fd1-783e-4e0f-8eba-ccb306532b5c"
},
{
"created": "2019-10-30T16:00:32.641Z",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class.\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in .",
"id": "attack-pattern--48c0b6bf-02b3-58e1-bbd6-4a37dc8931a1",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"targeted-technology--android",
"targeted-technology--ios",
"theme--generic-threats",
"source-type--open-source",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.110Z",
"name": "Technique/MOB-T1029: System Information Discovery",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:56:27.723222+00:00",
"estimated_threat_start_time": "2018-05-15T15:56:27.723222+00:00",
"first_ingest_time": "2019-10-30T15:10:00.144113+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:10:00.144113+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - iOS"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1029: System Information Discovery",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://attack.mitre.org}ttp-cf449f76-5695-5e1c-8c37-b3b8fea32fa5"
},
{
"created": "2019-11-07T15:06:25.978Z",
"description": "<p>SectorE02&#x27;s arsenal includes a modular framework researchers have dubbed the “YTY Framework,” which has a Windows and mobile version. Usage of this framework allows the SectorE02 group to constantly modify and even remake individual plugins of the framework, and pick and choose which plugins – if any – are sent to their victims. </p><p></p><p>This modularity also allows the SectorE02 group to maintain low detections by antivirus engines because each module only does something simple and will not even work without certain previously dropped files. SectorE02&#x27;s framework consists of a lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.</p>",
"external_references": [
{
"description": "Spearphishing Attachment",
"external_id": "CAPEC-1193",
"source_name": "capec"
},
{
"description": "Command-Line Interface",
"external_id": "CAPEC-1059",
"source_name": "capec"
},
{
"description": "Scheduled Task",
"external_id": "CAPEC-1053",
"source_name": "capec"
},
{
"description": "Scripting",
"external_id": "CAPEC-1064",
"source_name": "capec"
},
{
"description": "User Execution",
"external_id": "CAPEC-1204",
"source_name": "capec"
},
{
"description": "Hidden Files and Directories",
"external_id": "CAPEC-1158",
"source_name": "capec"
},
{
"description": "Registry Run Keys / Startup Folder",
"external_id": "CAPEC-1060",
"source_name": "capec"
},
{
"description": "Deobfuscate/Decode Files or Information",
"external_id": "CAPEC-1140",
"source_name": "capec"
},
{
"description": "File Deletion",
"external_id": "CAPEC-1107",
"source_name": "capec"
},
{
"description": "Indicator Removal from Tools",
"external_id": "CAPEC-1066",
"source_name": "capec"
},
{
"description": "Modify Registry",
"external_id": "CAPEC-1112",
"source_name": "capec"
},
{
"description": "Obfuscated Files or Information",
"external_id": "CAPEC-1027",
"source_name": "capec"
},
{
"description": "Input Capture",
"external_id": "CAPEC-1056",
"source_name": "capec"
},
{
"description": "Application Window Discovery",
"external_id": "CAPEC-1010",
"source_name": "capec"
},
{
"description": "File and Directory Discovery",
"external_id": "CAPEC-1083",
"source_name": "capec"
},
{
"description": "System Information Discovery",
"external_id": "CAPEC-1082",
"source_name": "capec"
},
{
"description": "Virtualization/Sandbox Evasion",
"external_id": "CAPEC-1497",
"source_name": "capec"
},
{
"description": "Automated Collection",
"external_id": "CAPEC-1119",
"source_name": "capec"
},
{
"description": "Data from Local System",
"external_id": "CAPEC-1005",
"source_name": "capec"
},
{
"description": "Data from Network Shared Drive",
"external_id": "CAPEC-1039",
"source_name": "capec"
},
{
"description": "Data from Removable Media",
"external_id": "CAPEC-1025",
"source_name": "capec"
},
{
"description": "Data Staged",
"external_id": "CAPEC-1074",
"source_name": "capec"
},
{
"description": "Email Collection",
"external_id": "CAPEC-1114",
"source_name": "capec"
},
{
"description": "Screen Capture",
"external_id": "CAPEC-1113",
"source_name": "capec"
},
{
"description": "Commonly Used Port",
"external_id": "CAPEC-1043",
"source_name": "capec"
},
{
"description": "Standard Application Layer Protocol",
"external_id": "CAPEC-1071",
"source_name": "capec"
},
{
"description": "Automated Exfiltration",
"external_id": "CAPEC-1020",
"source_name": "capec"
},
{
"description": "Exfiltration Over Command and Control Channel",
"external_id": "CAPEC-1041",
"source_name": "capec"
},
{
"source_name": "external-url",
"url": "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/"
}
],
"id": "malware--f33099bf-5a82-5265-bc01-ef43d0e47281",
"labels": [
"kill-chain-phase--reconnaissance",
"kill-chain-phase--delivery",
"kill-chain-phase--exploitation",
"kill-chain-phase--installation",
"kill-chain-phase--command-and-control",
"kill-chain-phase--actions-on-objectives",
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"theme--critical-infrastructure",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--defense",
"theme--financial-crime",
"industry-sector--government-national",
"kill-chain--internal--internal-exploitation",
"targeted-technology--microsoft-products",
"kill-chain--internal--internal-reconnaissance",
"kill-chain--target-manipulation--execution",
"kill-chain--target-manipulation--installation",
"kill-chain--target-manipulation--target-exploitation",
"kill-chain--target-manipulation--target-reconnaissance"
],
"modified": "2019-12-04T16:40:19.112Z",
"name": "Malware Variant: \"YTY Framework\" Modular Malware ghr36t",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "malware",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-08-01T22:00:00+00:00",
"estimated_threat_start_time": "2019-02-28T23:00:00+00:00",
"first_ingest_time": "2019-11-07T15:06:17.292099+00:00",
"half_life": 720,
"ingest_time": "2019-11-14T23:29:45.393143+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Reconnaissance"
],
[
"Kill Chain Phases",
"Kill chain phase - Delivery"
],
[
"Kill Chain Phases",
"Kill chain phase - Exploitation"
],
[
"Kill Chain Phases",
"Kill chain phase - Installation"
],
[
"Kill Chain Phases",
"Kill chain phase - Command and Control"
],
[
"Kill Chain Phases",
"Kill chain phase - Actions on Objectives"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Theme",
"Theme - Critical Infrastructure"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Defense"
],
[
"Theme",
"Theme - Financial Crime"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Kill Chain Phases",
"Kill Chain - Internal - Internal Exploitation"
],
[
"Targeted Technology",
"Targeted Technology - Microsoft products"
],
[
"Kill Chain Phases",
"Kill Chain - Internal - Internal Reconnaissance"
],
[
"Kill Chain Phases",
"Kill Chain - Target Manipulation - Execution"
],
[
"Kill Chain Phases",
"Kill Chain - Target Manipulation - Installation"
],
[
"Kill Chain Phases",
"Kill Chain - Target Manipulation - Target Exploitation"
],
[
"Kill Chain Phases",
"Kill Chain - Target Manipulation - Target Reconnaissance"
]
],
"title": "Malware Variant: \"YTY Framework\" Modular Malware ghr36t",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-0afe7b01-c531-4e05-8c91-092585a13054"
},
{
"created": "2019-10-30T15:59:56.020Z",
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.",
"id": "attack-pattern--f40e8325-6cb9-5a0e-9342-613a43ae6177",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"targeted-technology--android",
"targeted-technology--ios",
"source-type--open-source",
"theme--generic-threats",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.114Z",
"name": "Technique/MOB-T1036: Access Call Log",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:55:32.043341+00:00",
"estimated_threat_start_time": "2018-05-15T15:55:32.043341+00:00",
"first_ingest_time": "2019-10-30T15:33:40.970244+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:33:40.970244+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - iOS"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1036: Access Call Log",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-b8bbbef9-696b-4e78-8c18-0cdfee823cc0"
},
{
"created": "2019-10-30T16:00:02.856Z",
"description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.",
"id": "attack-pattern--c91624e9-f7fa-589a-a169-cba5cd64c8ac",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"targeted-technology--android",
"targeted-technology--ios",
"source-type--open-source",
"theme--generic-threats",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.114Z",
"name": "Technique/MOB-T1015: Capture SMS Messages",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:55:44.256266+00:00",
"estimated_threat_start_time": "2018-05-15T15:55:44.256266+00:00",
"first_ingest_time": "2019-10-30T15:33:41.094370+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:33:41.094370+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - iOS"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1015: Capture SMS Messages",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-8aa1119e-f46f-4f00-b2ff-7c3b73c654d7"
},
{
"created": "2019-04-17T14:06:32.071Z",
"description": "<p> The malware will save the corresponding phone information as a json file and upload to the attacker. </p>",
"external_references": [
{
"description": "Capture SMS Messages ",
"external_id": "1015",
"source_name": "mitre-attack"
},
{
"description": "Access Call Log ",
"external_id": "1036",
"source_name": "mitre-attack"
},
{
"description": "System Information Discovery ",
"external_id": "1029",
"source_name": "mitre-attack"
},
{
"description": "Access Sensitive Data or Credentials in Files ",
"external_id": "1012",
"source_name": "mitre-attack"
},
{
"description": "Microphone or Camera Recordings ",
"external_id": "1032",
"source_name": "mitre-attack"
},
{
"description": "Audio Capture ",
"external_id": "1123",
"source_name": "mitre-attack"
},
{
"description": "Application Discovery ",
"external_id": "1021",
"source_name": "mitre-attack"
},
{
"description": "System Firmware ",
"external_id": "1019",
"source_name": "mitre-attack"
},
{
"description": "Location Tracking ",
"external_id": "1033",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/"
}
],
"id": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"labels": [
"kill-chain-phase--actions-on-objectives",
"admiralty-code--usually-reliable",
"admiralty-code--possibly-true",
"source--eiq-fusion",
"theme--generic-threats",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.115Z",
"name": "Attack Pattern: Malware obtains remote control command by reading a local database file and proceeds with malicious commands",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2019-04-10T04:00:00+00:00",
"estimated_threat_start_time": "2019-04-10T04:00:00+00:00",
"first_ingest_time": "2019-04-17T13:33:17.939344+00:00",
"half_life": 50,
"ingest_time": "2019-10-30T17:39:34.666466+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Kill Chain Phases",
"Kill chain phase - Actions on Objectives"
],
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Usually reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Possibly True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Attack Pattern: Malware obtains remote control command by reading a local database file and proceeds with malicious commands ",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-cf5dde09-079f-4b74-a5c5-c4b3889a8964"
},
{
"created": "2019-10-30T15:58:42.308Z",
"description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).",
"id": "attack-pattern--3fb2af28-99e4-5ab6-8fb3-aeef091886d9",
"labels": [
"admiralty-code--completely-reliable",
"admiralty-code--confirmed-by-other-sources",
"source-type--open-source",
"theme--generic-threats",
"source--mitre"
],
"modified": "2019-12-04T16:40:19.115Z",
"name": "Technique/MOB-T1012: Access Sensitive Data or Credentials in Files",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "attack-pattern",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-05-15T15:55:35.729405+00:00",
"estimated_threat_start_time": "2018-05-15T15:55:35.729405+00:00",
"first_ingest_time": "2019-10-30T15:33:40.899334+00:00",
"half_life": 720,
"ingest_time": "2019-10-30T15:33:40.899334+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Completely reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Confirmed by other sources"
],
[
"Source Type",
"Source Type - Open Source"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Source",
"Source - Mitre"
]
],
"title": "Technique/MOB-T1012: Access Sensitive Data or Credentials in Files",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-c46c3d87-0826-4b26-b5ae-ca0dca58a5ac"
},
{
"created": "2018-08-16T13:08:24.516Z",
"description": "<p>APT-C-35 was observed targeting organisations in the disputed South Asian region of Kashmir, as well as in India and Pakistan throughout 2018.</p>",
"external_references": [
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
}
],
"id": "identity--bec2cf4a-ca38-5501-bf74-ee40f8c6d322",
"identity_class": "group",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"theme--financial-crime",
"industry-sector--government-national",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.116Z",
"name": "Targeted Victim: Kashmiri, Indian and Pakistani organisations",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"sectors": [
"government-national"
],
"type": "identity",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-08-16T09:17:51.243643+00:00",
"estimated_threat_start_time": "2018-08-16T09:17:51.243643+00:00",
"first_ingest_time": "2018-08-16T09:17:51.243643+00:00",
"half_life": 9999,
"ingest_time": "2019-10-30T16:07:31.256723+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Theme",
"Theme - Financial Crime"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Targeted Victim: Kashmiri, Indian and Pakistani organisations",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-c8544572-604c-4578-bd3a-327a7e2ff876"
},
{
"created": "2018-08-16T13:09:16.724Z",
"description": "<p>Android malware used by Donot Team/APT-C-35.</p><p></p><p>The malware is disguised with icons from legitimate apps: one is disguised as targeted Kashmiri news, the Indian Sikh-related application icon; the other is disguised as a universal VPN, Google service-related application icon. There is also a game &quot;Cannons And Soldiers&quot; app icon, guessing that the target being attacked should be a fan of the game.</p>",
"external_references": [
{
"description": "Access Call Log",
"external_id": "MOB-T1036",
"source_name": "mitre-attack"
},
{
"description": "Access Sensitive Data in Device Logs",
"external_id": "MOB-T1016",
"source_name": "mitre-attack"
},
{
"description": "Capture SMS Messages",
"external_id": "MOB-T1015",
"source_name": "mitre-attack"
},
{
"source_name": "external-url",
"url": "https://ti.360.net/blog/articles/analysis-of-donot-andriod-sample/"
}
],
"id": "malware--ac61ccef-f439-575b-8965-0b73e7748106",
"labels": [
"admiralty-code--fairly-reliable",
"admiralty-code--probably-true",
"source--eiq-fusion",
"theme--generic-threats",
"theme--apt",
"threat-actors--apt",
"industry-sector--government-national",
"targeted-technology--android"
],
"modified": "2019-12-04T16:40:19.116Z",
"name": "Malware Variant: Unnamed Android malware 7dh38",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"type": "malware",
"x_eclecticiq_meta": {
"estimated_observed_time": "2018-08-16T09:20:33.259912+00:00",
"estimated_threat_start_time": "2018-08-16T09:20:33.259912+00:00",
"first_ingest_time": "2018-08-16T13:08:24.872180+00:00",
"half_life": 182,
"ingest_time": "2019-10-30T16:07:30.162984+00:00",
"source_reliability": "A",
"tags": [],
"taxonomy_paths": [
[
"Admiralty Code",
"Admiralty Code - Reliability",
"Admiralty Code - Fairly reliable"
],
[
"Admiralty Code",
"Admiralty Code - Credibility",
"Admiralty Code - Probably True"
],
[
"Source",
"Source - EIQ Fusion"
],
[
"Theme",
"Theme - Generic Threats"
],
[
"Theme",
"Theme - APT"
],
[
"Threat Actors",
"Threat Actors - APT"
],
[
"Industry Sector",
"Industry Sector - Government National"
],
[
"Targeted Technology",
"Targeted Technology - Operating Systems",
"Targeted Technology - Android"
]
],
"title": "Malware Variant: Unnamed Android malware 7dh38",
"tlp_color": "WHITE"
},
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}ttp-cf60c7df-61a1-4a9b-a8f7-1ae2a774c20e"
},
{
"created": "2019-12-04T16:40:19.117Z",
"id": "relationship--3a10ceec-93d8-5ded-ac85-fac127607162",
"modified": "2019-12-04T16:40:19.117Z",
"relationship_type": "indicates",
"source_ref": "indicator--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"target_ref": "attack-pattern--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"type": "relationship"
},
{
"created": "2019-12-04T16:40:19.117Z",
"id": "relationship--f2d1b7a6-811f-508f-bb16-97fde24321dc",
"modified": "2019-12-04T16:40:19.117Z",
"relationship_type": "indicates",
"source_ref": "indicator--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"target_ref": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"type": "relationship"
},
{
"created": "2019-12-04T16:40:19.117Z",
"id": "relationship--d1382714-c34a-58a5-adb4-d666764ffb8e",
"modified": "2019-12-04T16:40:19.117Z",
"relationship_type": "x-indicates",
"source_ref": "indicator--f8ccc04e-9a28-5d4c-8eb7-fdefdcbe1dd3",
"target_ref": "identity--f8ccc04e-9a28-5d4c-8eb7-fdefdcbe1dd3",
"type": "relationship"
},
{
"created": "2019-12-04T16:40:19.117Z",
"id": "relationship--760fdebe-d3bd-51ee-8db3-c21d7763288b",
"modified": "2019-12-04T16:40:19.117Z",
"relationship_type": "indicates",
"source_ref": "indicator--b263d424-b39a-56f8-9c4c-628a921a294c",
"target_ref": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"type": "relationship"
},
{
"created": "2019-12-04T16:40:19.117Z",
"id": "relationship--2ef97b20-3e76-56e7-81f7-797fe9befa8d",
"modified": "2019-12-04T16:40:19.117Z",
"relationship_type": "x-indicates",
"source_ref": "indicator--f749f40b-d7ae-5fca-9829-924a792a22cd",
"target_ref": "identity--f749f40b-d7ae-5fca-9829-924a792a22cd",
"type": "relationship"
},
{
"created": "2019-04-17T17:15:28.688Z",
"id": "relationship--2d4b1eb1-e677-51dc-a8f6-7f26f913a49c",
"modified": "2019-12-04T16:40:19.118Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"target_ref": "attack-pattern--34e5a805-69fd-5dc6-890c-cd216e098f22",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-da293198-c085-4bd5-af5f-162117a42dee"
},
{
"created": "2019-04-17T17:15:28.685Z",
"id": "relationship--483387ca-a0fb-5c9a-950b-63ce679a22f9",
"modified": "2019-12-04T16:40:19.118Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"target_ref": "attack-pattern--789e7f1f-b423-5b44-a183-9f478edd52a6",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-c3138497-0973-431f-8908-6a3c2a536f9f"
},
{
"created": "2019-04-17T15:00:52.659Z",
"id": "relationship--e3911d24-25cf-501d-b759-4b714edf71c8",
"modified": "2019-12-04T16:40:19.118Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--56b7b811-bf35-5d2e-aec4-23ab8cbefa2a",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-aae73dd5-d167-4702-8fa8-f2ab2a6bbf0b"
},
{
"created": "2019-04-17T15:00:42.204Z",
"id": "relationship--f5826da1-d50a-5816-b88c-67e686b66da0",
"modified": "2019-12-04T16:40:19.119Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--5e02f94d-5713-571c-903a-e21c94de0be5",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-e2e52a58-1259-4e46-a987-d17c8804b2d0"
},
{
"created": "2019-04-17T15:00:43.619Z",
"id": "relationship--ba174c79-3a4e-5331-b839-99d08bf0c37f",
"modified": "2019-12-04T16:40:19.119Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--63633866-b981-50d6-b358-1d66dea101ea",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-13239dc6-5171-431a-ab34-c3e7f986df8f"
},
{
"created": "2019-04-17T15:00:46.786Z",
"id": "relationship--a77f6e9b-bbbf-5eba-86d0-241f2cfab164",
"modified": "2019-12-04T16:40:19.119Z",
"relationship_type": "variant-of",
"source_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-e4a8d34f-ccf1-4cc6-8474-c0399d35073e"
},
{
"created": "2019-04-17T15:00:52.534Z",
"id": "relationship--22fb263b-a5e5-5913-b88b-baffd1055e21",
"modified": "2019-12-04T16:40:19.119Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--422b19a4-3885-5c15-9397-a6ef7768af84",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-00bf08fa-9243-40d5-bc0a-c5642d16a608"
},
{
"created": "2019-04-17T15:00:51.841Z",
"id": "relationship--5684bf04-0829-5009-8271-3762ff5aad67",
"modified": "2019-12-04T16:40:19.120Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--48c0b6bf-02b3-58e1-bbd6-4a37dc8931a1",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-b3a85fd8-358c-41b0-8988-ecef94c972b9"
},
{
"created": "2019-04-17T15:00:51.769Z",
"id": "relationship--03454bf6-ba8e-5e82-a37d-bbd77bacafbc",
"modified": "2019-12-04T16:40:19.120Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--f40e8325-6cb9-5a0e-9342-613a43ae6177",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-ebfdfbfb-d4e3-49f5-88c4-3c35e4356e1d"
},
{
"created": "2019-04-17T15:00:48.534Z",
"id": "relationship--77392a12-d358-516c-8972-6a1d34bc17fd",
"modified": "2019-12-04T16:40:19.120Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--c91624e9-f7fa-589a-a169-cba5cd64c8ac",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-61534a35-f35b-4aa4-b6ec-f36f2f45752c"
},
{
"created": "2019-04-17T15:03:01.078Z",
"id": "relationship--c301d33a-7fc9-5060-8df6-1cacb55598c0",
"modified": "2019-12-04T16:40:19.121Z",
"relationship_type": "indicates",
"source_ref": "indicator--f89320fa-8683-5543-aab3-92bcfa982eb0",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-8f487a67-30f2-488e-96e1-bdd6ecf67dcf"
},
{
"created": "2019-04-17T17:17:16.002Z",
"id": "relationship--6124cee8-4ede-5d77-8ffa-ad7b96ba50c0",
"modified": "2019-12-04T16:40:19.121Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--86282038-ee61-5621-8d7a-cd9854c4e2ea",
"target_ref": "attack-pattern--65117bfa-89e9-5c59-85d6-1f1c714b6d85",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-71af6134-7952-40d1-b565-d9e4e2a3fef3"
},
{
"created": "2019-04-17T17:17:15.853Z",
"id": "relationship--47b0ca91-0f5d-5f02-9ff8-ecd41b7f0583",
"modified": "2019-12-04T16:40:19.121Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--86282038-ee61-5621-8d7a-cd9854c4e2ea",
"target_ref": "attack-pattern--7932ee75-ca9c-52a4-b678-8a020571907d",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-829599dc-5345-44d1-898a-4f37ffb0b62f"
},
{
"created": "2019-11-07T13:37:24.748Z",
"id": "relationship--54b60261-1ab7-5864-977a-bb52605487a4",
"modified": "2019-12-04T16:40:19.122Z",
"relationship_type": "x-associated_campaigns",
"source_ref": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"target_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-3d35aa45-0815-4ae9-969c-163a3dab4f09"
},
{
"created": "2019-11-07T13:37:24.748Z",
"id": "relationship--3db8b210-5cd7-547e-97d0-55a7e9a48019",
"modified": "2019-12-04T16:40:19.122Z",
"relationship_type": "x-associated_campaigns",
"source_ref": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"target_ref": "campaign--ecc5c539-9b50-5490-b202-7ebad6dd471d",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-d3063420-3822-4f44-a556-f5fcea995d6d"
},
{
"created": "2019-11-07T13:37:24.924Z",
"id": "relationship--d9fd0e29-94d4-5d27-b3e3-16b2684b93f6",
"modified": "2019-12-04T16:40:19.122Z",
"relationship_type": "x-associated_campaigns",
"source_ref": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"target_ref": "campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-2b875b01-586e-45b6-89c8-73f304c6755a"
},
{
"created": "2019-04-17T17:15:28.943Z",
"id": "relationship--d0463bc4-2e50-5cab-a5f3-30519e05af31",
"modified": "2019-12-04T16:40:19.123Z",
"relationship_type": "uses",
"source_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"target_ref": "attack-pattern--1df9cede-d6ab-5cc1-82de-19020a7e5344",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-3c0c9dc8-52eb-4442-bc16-6c6aab3f4f23"
},
{
"created": "2019-04-17T15:00:43.755Z",
"id": "relationship--d6287e7b-0d8a-50bc-9547-1677eda958b7",
"modified": "2019-12-04T16:40:19.123Z",
"relationship_type": "uses",
"source_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"target_ref": "malware--c8a98228-2943-5da2-b9b3-2f7e30cfa15f",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-abee385a-6d83-4781-b53a-9dc9f1f5269a"
},
{
"created": "2019-04-17T17:17:17.145Z",
"id": "relationship--260b6977-b8b8-57e3-8284-1ebea7aff111",
"modified": "2019-12-04T16:40:19.123Z",
"relationship_type": "uses",
"source_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"target_ref": "attack-pattern--86282038-ee61-5621-8d7a-cd9854c4e2ea",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-21d0ee34-ac2a-43ba-bb92-cb3eea87d00e"
},
{
"created": "2019-04-17T14:26:05.171Z",
"id": "relationship--02bae38a-21c0-5cf0-aa03-7079e23142ff",
"modified": "2019-12-04T16:40:19.124Z",
"relationship_type": "targets",
"source_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"target_ref": "identity--f8ccc04e-9a28-5d4c-8eb7-fdefdcbe1dd3",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-aac9a73e-c105-4e21-9dde-153115d91ce9"
},
{
"created": "2019-04-17T14:11:17.648Z",
"id": "relationship--e39603ea-bc7e-5a2d-9dcc-740a59818940",
"modified": "2019-12-04T16:40:19.124Z",
"relationship_type": "uses",
"source_ref": "campaign--7675bcdd-75ec-56db-9cf8-77ae50a6483b",
"target_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-56afa5c5-b250-4570-8423-bf1b8d14d26b"
},
{
"created": "2018-08-16T11:22:29.964Z",
"id": "relationship--264dd0d7-6416-5b81-bdd2-4f88f4d05b3f",
"modified": "2019-12-04T16:40:19.124Z",
"relationship_type": "uses",
"source_ref": "campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"target_ref": "malware--2021430c-554b-54ae-ad87-55c21a1cb2e2",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-d9a45e02-8db2-4c20-ad8d-d3b540b028cb"
},
{
"created": "2018-08-16T11:22:30.208Z",
"id": "relationship--ad9830f5-8412-5822-91f2-8f4b5b4ecb2d",
"modified": "2019-12-04T16:40:19.125Z",
"relationship_type": "targets",
"source_ref": "campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"target_ref": "identity--bec2cf4a-ca38-5501-bf74-ee40f8c6d322",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-61260dd6-bed2-43a3-9498-c0a441c69f06"
},
{
"created": "2018-08-16T11:22:30.362Z",
"id": "relationship--b866e024-3b5f-583a-8cdb-073af99a349d",
"modified": "2019-12-04T16:40:19.125Z",
"relationship_type": "uses",
"source_ref": "campaign--ee07858f-740b-55dc-a19f-f083161a0337",
"target_ref": "malware--ac61ccef-f439-575b-8965-0b73e7748106",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-db6df6cd-c7ba-4776-bd92-09e6f2177447"
},
{
"created": "2019-11-07T13:37:25.161Z",
"id": "relationship--065064d6-1702-5cc9-9b87-9bce03fddbed",
"modified": "2019-12-04T16:40:19.125Z",
"relationship_type": "attributed-to",
"source_ref": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"target_ref": "intrusion-set--ca90e2b8-62ce-5072-98fd-60d7654fd308",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-51aa3068-2449-4a87-9dbc-c43544cfe9c7"
},
{
"created": "2019-11-07T12:56:45.140Z",
"id": "relationship--8a5adef1-9c33-5e9e-8218-e662cfc9a290",
"modified": "2019-12-04T16:40:19.125Z",
"relationship_type": "uses",
"source_ref": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"target_ref": "attack-pattern--3de3f846-269d-5839-ac91-820f38c11922",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-bb7c777f-c6a3-4776-bca6-7eac1597c9d5"
},
{
"created": "2019-11-07T13:38:57.008Z",
"id": "relationship--42255661-90c1-5159-9e62-30a59fbb81db",
"modified": "2019-12-04T16:40:19.126Z",
"relationship_type": "targets",
"source_ref": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"target_ref": "identity--f749f40b-d7ae-5fca-9829-924a792a22cd",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-cbe8b37b-51b2-45d1-9356-94298a6f5881"
},
{
"created": "2019-11-07T12:59:05.548Z",
"id": "relationship--dcb23815-cb20-59d9-bd30-7a7e86b8959e",
"modified": "2019-12-04T16:40:19.126Z",
"relationship_type": "uses",
"source_ref": "campaign--b263d424-b39a-56f8-9c4c-628a921a294c",
"target_ref": "malware--f33099bf-5a82-5265-bc01-ef43d0e47281",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-a7f19378-97ae-48da-a2b9-9b258513b8ff"
},
{
"created": "2019-04-17T14:56:57.196Z",
"id": "relationship--9b860e9e-1c65-521a-93cc-b3c6f00fb4b7",
"modified": "2019-12-04T16:40:19.126Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--56b7b811-bf35-5d2e-aec4-23ab8cbefa2a",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-47533007-c7b7-4a10-9c64-e72695cac28e"
},
{
"created": "2019-04-17T14:56:56.159Z",
"id": "relationship--add61b6f-a1a6-5886-a73d-23f49b9e302c",
"modified": "2019-12-04T16:40:19.127Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--5e02f94d-5713-571c-903a-e21c94de0be5",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-6ecf1554-f644-4bb7-a44d-ccd3ad5e0731"
},
{
"created": "2019-04-17T14:56:57.322Z",
"id": "relationship--d58f812f-f98a-5102-869f-02a52f64d625",
"modified": "2019-12-04T16:40:19.127Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--63633866-b981-50d6-b358-1d66dea101ea",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-3a2cca7e-d353-4577-a23d-788047975068"
},
{
"created": "2019-04-17T14:56:57.267Z",
"id": "relationship--fb644d67-b18c-5aac-8eeb-8e729c994bd5",
"modified": "2019-12-04T16:40:19.127Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--422b19a4-3885-5c15-9397-a6ef7768af84",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-06fc9fb8-2f9d-4ae3-af9b-96b7cb240f8c"
},
{
"created": "2019-04-17T14:56:56.165Z",
"id": "relationship--787566eb-e9a2-505e-b31b-67411af627c6",
"modified": "2019-12-04T16:40:19.128Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--48c0b6bf-02b3-58e1-bbd6-4a37dc8931a1",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-44d9001e-ee9f-46ef-8b78-ef13a330edb5"
},
{
"created": "2019-04-17T14:56:56.162Z",
"id": "relationship--9fd38d5d-2324-5dd2-af4e-cea58753bb5b",
"modified": "2019-12-04T16:40:19.128Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--f40e8325-6cb9-5a0e-9342-613a43ae6177",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-0bd0d9b9-a12b-4c86-8100-7f5cd47708a7"
},
{
"created": "2019-04-17T14:56:56.160Z",
"id": "relationship--23ae6eb3-29c0-5ca9-84b8-a227cacd207b",
"modified": "2019-12-04T16:40:19.128Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--c91624e9-f7fa-589a-a169-cba5cd64c8ac",
"target_ref": "malware--410d178c-481f-5164-b0e3-5d1196fef3f4",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-a0b69cf0-57e1-45e1-bbc2-e58b2a3ad178"
},
{
"created": "2019-04-17T17:17:17.259Z",
"id": "relationship--c23a810f-1360-5333-9a26-84eb5f527a43",
"modified": "2019-12-04T16:40:19.129Z",
"relationship_type": "indicates",
"source_ref": "indicator--736cbc31-0ef4-5c1c-9507-065f4f7c6ed0",
"target_ref": "attack-pattern--86282038-ee61-5621-8d7a-cd9854c4e2ea",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-6baf7439-f0ad-49c1-b59a-9773d1f83dd7"
},
{
"created": "2019-11-07T13:41:31.101Z",
"id": "relationship--5689cdaa-81b6-52ba-8891-f873c3048281",
"modified": "2019-12-04T16:40:19.129Z",
"relationship_type": "indicates",
"source_ref": "indicator--331df789-8400-57b2-ba3c-bca651c5bad2",
"target_ref": "attack-pattern--3de3f846-269d-5839-ac91-820f38c11922",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-d913d56c-38c0-463a-bb54-26bbcddecd96"
},
{
"created": "2019-11-07T12:59:05.325Z",
"id": "relationship--49a10838-f4bf-5124-b119-0f92446c39e8",
"modified": "2019-12-04T16:40:19.129Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--34e5a805-69fd-5dc6-890c-cd216e098f22",
"target_ref": "malware--f33099bf-5a82-5265-bc01-ef43d0e47281",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-4fa9f647-efa9-4df2-a7b9-4eb908f38c7b"
},
{
"created": "2019-11-07T12:59:05.056Z",
"id": "relationship--c757933d-9a49-5fda-b3b0-abdbeb740c41",
"modified": "2019-12-04T16:40:19.130Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--789e7f1f-b423-5b44-a183-9f478edd52a6",
"target_ref": "malware--f33099bf-5a82-5265-bc01-ef43d0e47281",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-5dc3a8a2-8526-4424-afd4-54b2a9d0a745"
},
{
"created": "2019-04-17T13:33:22.696Z",
"id": "relationship--0a3f2392-6994-57a0-acf6-569a640c9de7",
"modified": "2019-12-04T16:40:19.130Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--2c70447f-21a8-5788-990c-a7826be4e776",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-0476e472-ddad-403e-9fe0-3d6a08b7806f"
},
{
"created": "2019-04-17T13:33:21.687Z",
"id": "relationship--fdd5d71d-6a62-5f96-b359-d64f6ffb425f",
"modified": "2019-12-04T16:40:19.130Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--56b7b811-bf35-5d2e-aec4-23ab8cbefa2a",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-a2564cf9-c7d9-4717-9caa-a2a85094aefa"
},
{
"created": "2019-04-17T13:33:21.084Z",
"id": "relationship--da05e38a-5aca-53bb-bd71-fd62316af45f",
"modified": "2019-12-04T16:40:19.131Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--5e02f94d-5713-571c-903a-e21c94de0be5",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-f2805c0d-12ff-4205-9271-7ffe21d4d26e"
},
{
"created": "2019-04-17T13:33:22.239Z",
"id": "relationship--cb86c38a-2185-500a-a0d9-62801d5c3254",
"modified": "2019-12-04T16:40:19.131Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--63633866-b981-50d6-b358-1d66dea101ea",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-d7421563-3a94-4bd4-ac52-72470783fff7"
},
{
"created": "2019-04-17T13:33:23.185Z",
"id": "relationship--f5bec838-a6a4-5b1c-9e99-9117ffbb128a",
"modified": "2019-12-04T16:40:19.131Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--ce992ef6-3e08-55b5-9602-9e0e3108605b",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-cba24147-f3fc-48c2-ae17-c69b4c2253a4"
},
{
"created": "2019-04-17T13:33:24.756Z",
"id": "relationship--3f27968a-1bb8-563e-b8f7-8a0e02b404a4",
"modified": "2019-12-04T16:40:19.131Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--48c0b6bf-02b3-58e1-bbd6-4a37dc8931a1",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-a3480979-3785-431e-ab51-46b908fee945"
},
{
"created": "2019-04-17T13:33:24.662Z",
"id": "relationship--7d8908e1-535e-51b6-b464-c5d75acbc7ca",
"modified": "2019-12-04T16:40:19.132Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--f40e8325-6cb9-5a0e-9342-613a43ae6177",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-91f63f31-173d-47fd-a3a1-d2047eb97aa7"
},
{
"created": "2019-04-17T13:33:23.871Z",
"id": "relationship--89d7329b-b786-57b4-b184-99dfbfbaa67d",
"modified": "2019-12-04T16:40:19.132Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--c91624e9-f7fa-589a-a169-cba5cd64c8ac",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-23c887dd-e9c8-4f29-822d-5e7c4accf29e"
},
{
"created": "2019-04-17T13:33:23.672Z",
"id": "relationship--cd2fa66a-ca7a-5e27-b8cf-a0ff67d7dedc",
"modified": "2019-12-04T16:40:19.132Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--cd1b550c-0f9d-56e7-a15e-14e31efb20d3",
"target_ref": "attack-pattern--3fb2af28-99e4-5ab6-8fb3-aeef091886d9",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-50d2cb46-1335-4628-b828-99c62e4f4bfb"
},
{
"created": "2018-08-16T10:07:23.694Z",
"id": "relationship--5662b30b-d1a0-54e6-ba80-d713f4c64083",
"modified": "2019-12-04T16:40:19.133Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--422b19a4-3885-5c15-9397-a6ef7768af84",
"target_ref": "malware--ac61ccef-f439-575b-8965-0b73e7748106",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-ca0440ca-fd41-4a75-8086-104756827856"
},
{
"created": "2018-08-16T10:07:23.664Z",
"id": "relationship--d0ee963d-ef97-502b-81d8-f95a2d600578",
"modified": "2019-12-04T16:40:19.133Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--f40e8325-6cb9-5a0e-9342-613a43ae6177",
"target_ref": "malware--ac61ccef-f439-575b-8965-0b73e7748106",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-4b0c5b1c-c55f-45f1-89ea-6ef1367fda2b"
},
{
"created": "2018-08-16T10:07:23.694Z",
"id": "relationship--2cf2ac7a-15fe-51d5-b0b8-ca7b310bd0a8",
"modified": "2019-12-04T16:40:19.133Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--c91624e9-f7fa-589a-a169-cba5cd64c8ac",
"target_ref": "malware--ac61ccef-f439-575b-8965-0b73e7748106",
"type": "relationship",
"x_eclecticiq_stix1_id": "{https://www.eclecticiq.com/ns}relation-ca5024db-af3b-4fa2-a64c-fec47df4457c"
}
],
"spec_version": "2.0",
"type": "bundle"
}