MISP/app/files/scripts/stixtest/stix1_observables_test.xml

<stix:STIX_Package
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:AccountObj="http://cybox.mitre.org/objects#AccountObject-2"
xmlns:ArtifactObj="http://cybox.mitre.org/objects#ArtifactObject-2"
xmlns:ASObj="http://cybox.mitre.org/objects#ASObject-1"
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
xmlns:HTTPSessionObj="http://cybox.mitre.org/objects#HTTPSessionObject-2"
xmlns:HostnameObj="http://cybox.mitre.org/objects#HostnameObject-1"
xmlns:MutexObj="http://cybox.mitre.org/objects#MutexObject-2"
xmlns:PipeObj="http://cybox.mitre.org/objects#PipeObject-2"
xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2"
xmlns:WinServiceObj="http://cybox.mitre.org/objects#WinServiceObject-2"
xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
xmlns:NetworkSocketObj="http://cybox.mitre.org/objects#NetworkSocketObject-2"
xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2"
xmlns:ProcessObj="http://cybox.mitre.org/objects#ProcessObject-2"
xmlns:X509CertificateObj="http://cybox.mitre.org/objects#X509CertificateObject-2"
xmlns:WhoisObj="http://cybox.mitre.org/objects#WhoisObject-2"
xmlns:WinExecutableFileObj="http://cybox.mitre.org/objects#WinExecutableFileObject-2"
xmlns:UnixUserAccountObj="http://cybox.mitre.org/objects#UnixUserAccountObject-2"
xmlns:UserAccountObj="http://cybox.mitre.org/objects#UserAccountObject-2"
xmlns:WinUserAccountObj="http://cybox.mitre.org/objects#WinUserAccountObject-2"
xmlns:marking="http://data-marking.mitre.org/Marking-1"
xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:incident="http://stix.mitre.org/Incident-1"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:coa="http://stix.mitre.org/CourseOfAction-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:ORGNAME="https://localhost"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
id="ORGNAME:Package-2c3ea3a1-be16-4853-b751-2af5a210a828" version="1.1.1" timestamp="2020-03-23T12:34:17.787525">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:Related_Packages>
<stix:Related_Package>
<stix:Package id="ORGNAME:STIXPackage-5ac4db18-0c58-4436-a3fa-01ef0a00020f" version="1.1.1" timestamp="2020-03-23T10:18:50">
<stix:STIX_Header>
<stix:Title>Export from ORGNAME MISP</stix:Title>
<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Threat Report</stix:Package_Intent>
</stix:STIX_Header>
<stix:TTPs>
<stix:TTP id="ORGNAME:TTP-dcb864dc-775f-11e7-9fbb-1f41b4996683" timestamp="2020-03-23T11:34:18.043819+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Attack Pattern (MISP Galaxy)</ttp:Title>
<ttp:Behavior>
<ttp:Attack_Patterns>
<ttp:Attack_Pattern capec_id="CAPEC-471" id="ORGNAME:AttackPattern-46944654-fcc1-4f63-9dad-628102376586">
<ttp:Title>DLL Search Order Hijacking - T1038</ttp:Title>
<ttp:Description>Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
Adversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL.
Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.</ttp:Description>
</ttp:Attack_Pattern>
</ttp:Attack_Patterns>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d752161c-78f6-11e7-a0ea-bfa79b407ce4" timestamp="2020-03-23T11:34:18.044606+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Malware (MISP Galaxy)</ttp:Title>
<ttp:Behavior>
<ttp:Malware>
<ttp:Malware_Instance id="ORGNAME:MalwareInstance-7551188b-8f91-4d34-8350-0d0c57b2b913">
<ttp:Name>Elise</ttp:Name>
<ttp:Name>BKDR_ESILE</ttp:Name>
<ttp:Name>Page</ttp:Name>
<ttp:Title>Elise - S0081</ttp:Title>
<ttp:Description>[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of
tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)</ttp:Description>
</ttp:Malware_Instance>
</ttp:Malware>
</ttp:Behavior>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-d700dc5c-78f6-11e7-a476-5f748c8e4fe0" timestamp="2020-03-23T11:34:18.044807+00:00" xsi:type='ttp:TTPType'>
<ttp:Title>Tool (MISP Galaxy)</ttp:Title>
<ttp:Resources>
<ttp:Tools>
<ttp:Tool id="ORGNAME:ToolInformation-362dc67f-4e85-4562-9dac-1b6b7f3ec4b5">
<cyboxCommon:Name>ifconfig - S0101</cyboxCommon:Name>
<cyboxCommon:Description>[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)</cyboxCommon:Description>
</ttp:Tool>
</ttp:Tools>
</ttp:Resources>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-5ac4db18-0150-4435-b016-01ef0a00020f" timestamp="2019-08-12T11:50:38" xsi:type='ttp:TTPType'>
<ttp:Title>External analysis: CVE-2017-11774 (MISP Attribute)</ttp:Title>
<ttp:Exploit_Targets>
<ttp:Exploit_Target>
<stixCommon:Exploit_Target id="ORGNAME:ExploitTarget-5ac4db18-0150-4435-b016-01ef0a00020f" timestamp="2019-08-12T11:50:38" xsi:type='et:ExploitTargetType'>
<et:Title>Vulnerability CVE-2017-11774</et:Title>
<et:Vulnerability>
<et:CVE_ID>CVE-2017-11774</et:CVE_ID>
<et:References/>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</ttp:Exploit_Target>
</ttp:Exploit_Targets>
<ttp:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</ttp:Handling>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-13f1e6e7-87ab-4ced-bb84-d9461b3eb36a" timestamp="2019-08-12T12:20:13" xsi:type='ttp:TTPType'>
<ttp:Title>vulnerability: weakness (MISP Object)</ttp:Title>
<ttp:Exploit_Targets>
<ttp:Exploit_Target>
<stixCommon:Exploit_Target id="ORGNAME:ExploitTarget-13f1e6e7-87ab-4ced-bb84-d9461b3eb36a" timestamp="2019-08-12T12:20:13" xsi:type='et:ExploitTargetType'>
<et:Weakness>
<et:Description>The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.</et:Description>
<et:CWE_ID>CWE-119</et:CWE_ID>
</et:Weakness>
</stixCommon:Exploit_Target>
</ttp:Exploit_Target>
</ttp:Exploit_Targets>
<ttp:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</ttp:Handling>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-7edfed6f-7b06-46ea-8aba-9c4075df40d1" timestamp="2019-08-12T12:20:14" xsi:type='ttp:TTPType'>
<ttp:Title>vulnerability: attack-pattern (MISP Object)</ttp:Title>
<ttp:Behavior>
<ttp:Attack_Patterns>
<ttp:Attack_Pattern capec_id="CAPEC-9" id="ORGNAME:AttackPattern-7edfed6f-7b06-46ea-8aba-9c4075df40d1">
<ttp:Title>Buffer Overflow in Local Command-Line Utilities</ttp:Title>
<ttp:Description>This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.</ttp:Description>
</ttp:Attack_Pattern>
</ttp:Attack_Patterns>
</ttp:Behavior>
<ttp:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</ttp:Handling>
</stix:TTP>
<stix:TTP id="ORGNAME:TTP-5e57b76e-e974-451a-b893-1440a964451a" timestamp="2020-03-23T10:18:50" xsi:type='ttp:TTPType'>
<ttp:Title>vulnerability: vulnerability (MISP Object)</ttp:Title>
<ttp:Exploit_Targets>
<ttp:Exploit_Target>
<stixCommon:Exploit_Target id="ORGNAME:ExploitTarget-5e57b76e-e974-451a-b893-1440a964451a" timestamp="2020-03-23T10:18:50" xsi:type='et:ExploitTargetType'>
<et:Vulnerability>
<et:Description>Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."</et:Description>
<et:CVE_ID>CVE-2017-11774</et:CVE_ID>
<et:CVSS_Score>
<et:Overall_Score>6.8</et:Overall_Score>
</et:CVSS_Score>
<et:Published_DateTime precision="second">2017-10-13T07:29:00.427000+00:00</et:Published_DateTime>
<et:References>
<stixCommon:Reference>http://www.securityfocus.com/bid/101098</stixCommon:Reference>
<stixCommon:Reference>http://www.securitytracker.com/id/1039542</stixCommon:Reference>
<stixCommon:Reference>https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774</stixCommon:Reference>
<stixCommon:Reference>https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/</stixCommon:Reference>
</et:References>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</ttp:Exploit_Target>
</ttp:Exploit_Targets>
<ttp:Related_TTPs>
<ttp:Related_TTP>
<stixCommon:Relationship>targeted-by</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-7edfed6f-7b06-46ea-8aba-9c4075df40d1" timestamp="2019-08-12T12:20:14" xsi:type='ttp:TTPType'/>
</ttp:Related_TTP>
<ttp:Related_TTP>
<stixCommon:Relationship>weakened-by</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-13f1e6e7-87ab-4ced-bb84-d9461b3eb36a" timestamp="2019-08-12T12:20:13" xsi:type='ttp:TTPType'/>
</ttp:Related_TTP>
</ttp:Related_TTPs>
<ttp:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</ttp:Handling>
</stix:TTP>
</stix:TTPs>
<stix:Incidents>
<stix:Incident id="ORGNAME:Incident-5ac4db18-0c58-4436-a3fa-01ef0a00020f" timestamp="2020-03-23T10:20:55" xsi:type='incident:IncidentType'>
<incident:Title>STIX observables test event</incident:Title>
<incident:External_ID source="MISP Event">1256</incident:External_ID>
<incident:Time>
<incident:Incident_Discovery precision="second">2018-03-28T00:00:00</incident:Incident_Discovery>
<incident:Incident_Reported precision="second">2020-03-23T10:20:55</incident:Incident_Reported>
</incident:Time>
<incident:Reporter>
<stixCommon:Identity>
<stixCommon:Name>ORGNAME_387</stixCommon:Name>
</stixCommon:Identity>
</incident:Reporter>
<incident:Status xsi:type="stixVocabs:IncidentStatusVocab-1.0">New</incident:Status>
<incident:Related_Observables>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-1294-41ba-a57f-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-1294-41ba-a57f-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-0ee0-4e31-b4b6-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-0ee0-4e31-b4b6-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-02f4-42eb-b89b-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-02f4-42eb-b89b-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-be00-43c7-9527-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-be00-43c7-9527-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Address-5ac4db18-62f0-4f12-906d-01ef0a00020f">
<cybox:Object id="ORGNAME:AddressObject-5ac4db18-62f0-4f12-906d-01ef0a00020f">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true" is_destination="false">
<AddressObj:Address_Value condition="Equals">1.2.3.4</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Hostname-5ac4db18-e320-42b6-afb4-01ef0a00020f">
<cybox:Object id="ORGNAME:HostnameObject-5ac4db18-e320-42b6-afb4-01ef0a00020f">
<cybox:Properties xsi:type="HostnameObj:HostnameObjectType">
<HostnameObj:Hostname_Value condition="Equals">www.circl.lu</HostnameObj:Hostname_Value>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:ObservableComposition-5ac4db18-d4dc-4e7b-be94-01ef0a00020f">
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="ORGNAME:Address-5ac4db18-d4dc-4e7b-be94-01ef0a00020f">
<cybox:Object id="ORGNAME:AddressObject-5ac4db18-d4dc-4e7b-be94-01ef0a00020f">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">1.2.3.4</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:DomainName-5ac4db18-d4dc-4e7b-be94-01ef0a00020f">
<cybox:Object id="ORGNAME:DomainNameObject-5ac4db18-d4dc-4e7b-be94-01ef0a00020f">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.circl.lu</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Port-5ac4db18-aec4-4efd-9b85-01ef0a00020f">
<cybox:Object id="ORGNAME:PortObject-5ac4db18-aec4-4efd-9b85-01ef0a00020f">
<cybox:Properties xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">2510</PortObj:Port_Value>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:EmailMessage-5ac4db18-70bc-4d45-b435-01ef0a00020f">
<cybox:Object id="ORGNAME:EmailMessageObject-5ac4db18-70bc-4d45-b435-01ef0a00020f">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">christian.studer@circl.lu</AddressObj:Address_Value>
</EmailMessageObj:From>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:EmailMessage-5ac4db18-3f90-4a8c-aada-01ef0a00020f">
<cybox:Object id="ORGNAME:EmailMessageObject-5ac4db18-3f90-4a8c-aada-01ef0a00020f">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Subject condition="Equals">Oui</EmailMessageObj:Subject>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>External analysis</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:URI-5ac4db18-4984-4a75-8203-01ef0a00020f">
<cybox:Object id="ORGNAME:URIObject-5ac4db18-4984-4a75-8203-01ef0a00020f">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<URIObj:Value condition="Equals">https://www.circl.lu/team</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Persistence mechanism</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:WinRegistryKey-5ac4db18-e380-4cfa-bd53-01ef0a00020f">
<cybox:Object id="ORGNAME:WinRegistryKeyObject-5ac4db18-e380-4cfa-bd53-01ef0a00020f">
<cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
<WinRegistryKeyObj:Key condition="Equals">Software\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
<WinRegistryKeyObj:Hive condition="Equals">HKEY_CURRENT_USER</WinRegistryKeyObj:Hive>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Persistence mechanism</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:WinRegistryKey-5ac4db18-598c-48d0-89f2-01ef0a00020f">
<cybox:Object id="ORGNAME:WinRegistryKeyObject-5ac4db18-598c-48d0-89f2-01ef0a00020f">
<cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
<WinRegistryKeyObj:Key condition="Equals">Software\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
<WinRegistryKeyObj:Hive condition="Equals">HKEY_CURRENT_USER</WinRegistryKeyObj:Hive>
<WinRegistryKeyObj:Values>
<WinRegistryKeyObj:Value>
<WinRegistryKeyObj:Data condition="Equals">%TEMP%\seagate.exe</WinRegistryKeyObj:Data>
</WinRegistryKeyObj:Value>
</WinRegistryKeyObj:Values>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Mutex-5ac4db18-47c4-4631-b3c8-01ef0a00020f">
<cybox:Object id="ORGNAME:MutexObject-5ac4db18-47c4-4631-b3c8-01ef0a00020f">
<cybox:Properties xsi:type="MutexObj:MutexObjectType">
<MutexObj:Name condition="Equals">no idea</MutexObj:Name>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-0d5c-4305-a505-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-0d5c-4305-a505-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SSDEEP</cyboxCommon:Type>
<cyboxCommon:Fuzzy_Hash_Value condition="Equals">12288:LLaIgXMVvf2u/n42bDaxGrAz1N4QiqPW44NGMJw3:LLFgXMVvf2cDaxG0N4RPK</cyboxCommon:Fuzzy_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:SocketAddress-5ac4db18-14b0-4554-9999-01ef0a00020f">
<cybox:Object id="ORGNAME:SocketAddressObject-5ac4db18-14b0-4554-9999-01ef0a00020f">
<cybox:Properties xsi:type="SocketAddressObj:SocketAddressObjectType">
<SocketAddressObj:IP_Address xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">12.34.56.78</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Port xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">2510</PortObj:Port_Value>
</SocketAddressObj:Port>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:System-5ac4db18-ddfc-4fde-b936-01ef0a00020f">
<cybox:Object id="ORGNAME:SystemObject-5ac4db18-ddfc-4fde-b936-01ef0a00020f">
<cybox:Properties xsi:type="SystemObj:SystemObjectType">
<SystemObj:Network_Interface_List>
<SystemObj:Network_Interface>
<SystemObj:MAC>5E:FF:56:A2:AF:15</SystemObj:MAC>
</SystemObj:Network_Interface>
</SystemObj:Network_Interface_List>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:File-5ac4db18-4a4c-4623-bea4-01ef0a00020f">
<cybox:Object id="ORGNAME:FileObject-5ac4db18-4a4c-4623-bea4-01ef0a00020f">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">fa3d5d670dc1d153b999c3aec7b1d815cc33c4dc</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:EmailMessage-5ac4db18-5634-4e63-a270-01ef0a00020f">
<cybox:Object id="ORGNAME:EmailMessageObject-5ac4db18-5634-4e63-a270-01ef0a00020f">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:Reply_To xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">jean@michel.crapaud</AddressObj:Address_Value>
</EmailMessageObj:Reply_To>
</EmailMessageObj:Header>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Network activity</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:AutonomousSystem-5b23a25a-08c0-497c-8475-04660a00020f">
<cybox:Object id="ORGNAME:AutonomousSystemObject-5b23a25a-08c0-497c-8475-04660a00020f">
<cybox:Properties xsi:type="ASObj:ASObjectType">
<ASObj:Handle condition="Equals">AS66642</ASObj:Handle>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Artifacts dropped</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Pipe-5d886bec-7414-46ea-be16-0e42a964451a">
<cybox:Object id="ORGNAME:PipeObject-5d886bec-7414-46ea-be16-0e42a964451a">
<cybox:Properties xsi:type="PipeObj:PipeObjectType">
<PipeObj:Name condition="Equals">\\.\pipe\testpipe</PipeObj:Name>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>Payload delivery</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Artifact-5e384a51-9868-4cba-b7c0-3c7ba964451a">
<cybox:Title>oui.oui</cybox:Title>
<cybox:Object id="ORGNAME:ArtifactObject-5e384a51-9868-4cba-b7c0-3c7ba964451a">
<cybox:Properties xsi:type="ArtifactObj:ArtifactObjectType">
<ArtifactObj:Raw_Artifact><![CDATA[ZWNobyAiREFOR0VST1VTIE1BTFdBUkUiIAoK]]></ArtifactObj:Raw_Artifact>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:WinRegistryKey-5ac4db18-7ba4-4c60-ae41-01ef0a00020f">
<cybox:Object id="ORGNAME:WinRegistryKeyObject-5ac4db18-7ba4-4c60-ae41-01ef0a00020f">
<cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
<WinRegistryKeyObj:Key condition="Equals">system\bar\foo</WinRegistryKeyObj:Key>
<WinRegistryKeyObj:Hive condition="Equals">HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
<WinRegistryKeyObj:Values>
<WinRegistryKeyObj:Value>
<WinRegistryKeyObj:Name condition="Equals">Oui</WinRegistryKeyObj:Name>
<WinRegistryKeyObj:Data condition="Equals">qwertyuiop</WinRegistryKeyObj:Data>
<WinRegistryKeyObj:Datatype condition="Equals">REG_SZ</WinRegistryKeyObj:Datatype>
</WinRegistryKeyObj:Value>
</WinRegistryKeyObj:Values>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:domain-ip_ObservableComposition-5ac4db18-3900-4b41-8099-01ef0a00020f">
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="ORGNAME:DomainName-5ac4db18-0150-45de-8473-01ef0a00020f">
<cybox:Object id="ORGNAME:DomainNameObject-5ac4db18-0150-45de-8473-01ef0a00020f">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.circl.lu</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:Address-5ac4db18-f138-44b1-9b12-01ef0a00020f">
<cybox:Object id="ORGNAME:AddressObject-5ac4db18-f138-44b1-9b12-01ef0a00020f">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">8.8.8.8</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:x509Certificate-5ac4db18-7d84-4ab3-b47b-01ef0a00020f">
<cybox:Object id="ORGNAME:x509CertificateObject-5ac4db18-7d84-4ab3-b47b-01ef0a00020f">
<cybox:Properties xsi:type="X509CertificateObj:X509CertificateObjectType">
<X509CertificateObj:Certificate>
<X509CertificateObj:Version>1</X509CertificateObj:Version>
<X509CertificateObj:Serial_Number>1234567890</X509CertificateObj:Serial_Number>
<X509CertificateObj:Issuer>mr oui</X509CertificateObj:Issuer>
<X509CertificateObj:Subject_Public_Key>
<X509CertificateObj:Public_Key_Algorithm>oui algo</X509CertificateObj:Public_Key_Algorithm>
</X509CertificateObj:Subject_Public_Key>
</X509CertificateObj:Certificate>
<X509CertificateObj:Certificate_Signature>
<X509CertificateObj:Signature_Algorithm>SHA1</X509CertificateObj:Signature_Algorithm>
<X509CertificateObj:Signature>5898fc860300e228dcd54c0b1045b5fa0dcda502</X509CertificateObj:Signature>
</X509CertificateObj:Certificate_Signature>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:url_ObservableComposition-5ac4db18-0040-46e6-b788-01ef0a00020f">
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="ORGNAME:URI-5ac4db18-e6c0-48ba-bcb9-01ef0a00020f">
<cybox:Object id="ORGNAME:URIObject-5ac4db18-e6c0-48ba-bcb9-01ef0a00020f">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<URIObj:Value condition="Equals">https://www.circl.lu</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:DomainName-5ac4db18-3a9c-4688-b4fb-01ef0a00020f">
<cybox:Object id="ORGNAME:DomainNameObject-5ac4db18-3a9c-4688-b4fb-01ef0a00020f">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.circl.lu</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:ip-port_ObservableComposition-5ac4db19-f4d0-460f-94c8-01ef0a00020f">
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="ORGNAME:DomainName-5ac4db19-b0d8-4c05-ab80-01ef0a00020f">
<cybox:Object id="ORGNAME:DomainNameObject-5ac4db19-b0d8-4c05-ab80-01ef0a00020f">
<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
<DomainNameObj:Value condition="Equals">www.circl.lu</DomainNameObj:Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:srcPort-5ac4db19-c3b4-4190-88e7-01ef0a00020f">
<cybox:Object id="ORGNAME:PortObject-5ac4db19-c3b4-4190-88e7-01ef0a00020f">
<cybox:Properties xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">443</PortObj:Port_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:dstPort-5ac4db19-14c4-4013-8c8e-01ef0a00020f">
<cybox:Object id="ORGNAME:PortObject-5ac4db19-14c4-4013-8c8e-01ef0a00020f">
<cybox:Properties xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">443</PortObj:Port_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:Address-5ac4db19-171c-44f5-8959-01ef0a00020f">
<cybox:Object id="ORGNAME:AddressObject-5ac4db19-171c-44f5-8959-01ef0a00020f">
<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">8.8.8.8</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:NetworkConnection-5afb32e7-cb00-4dd5-ba41-02090a00020f">
<cybox:Object id="ORGNAME:NetworkConnectionObject-5afb32e7-cb00-4dd5-ba41-02090a00020f">
<cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
<NetworkConnectionObj:Layer3_Protocol>IP</NetworkConnectionObj:Layer3_Protocol>
<NetworkConnectionObj:Layer4_Protocol>TCP</NetworkConnectionObj:Layer4_Protocol>
<NetworkConnectionObj:Layer7_Protocol>HTTP</NetworkConnectionObj:Layer7_Protocol>
<NetworkConnectionObj:Source_Socket_Address xsi:type="SocketAddressObj:SocketAddressObjectType">
<SocketAddressObj:IP_Address xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true" is_destination="false">
<AddressObj:Address_Value condition="Equals">1.2.3.4</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Port xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">2510</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkConnectionObj:Source_Socket_Address>
<NetworkConnectionObj:Destination_Socket_Address xsi:type="SocketAddressObj:SocketAddressObjectType">
<SocketAddressObj:IP_Address xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">8.8.8.8</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Hostname xsi:type="HostnameObj:HostnameObjectType">
<HostnameObj:Hostname_Value condition="Equals">www.hostname.circl.lu</HostnameObj:Hostname_Value>
</SocketAddressObj:Hostname>
<SocketAddressObj:Port xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">443</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkConnectionObj:Destination_Socket_Address>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:NetworkSocket-5afb332f-1fbc-4028-be0d-02070a00020f">
<cybox:Object id="ORGNAME:NetworkSocketObject-5afb332f-1fbc-4028-be0d-02070a00020f">
<cybox:Properties xsi:type="NetworkSocketObj:NetworkSocketObjectType" is_blocking="false" is_listening="true">
<NetworkSocketObj:Address_Family>AF_SECURITY</NetworkSocketObj:Address_Family>
<NetworkSocketObj:Domain>PF_UNSPEC</NetworkSocketObj:Domain>
<NetworkSocketObj:Local_Address xsi:type="SocketAddressObj:SocketAddressObjectType">
<SocketAddressObj:IP_Address xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="true" is_destination="false">
<AddressObj:Address_Value condition="Equals">1.2.3.4</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Port xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">2510</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkSocketObj:Local_Address>
<NetworkSocketObj:Protocol>TCP</NetworkSocketObj:Protocol>
<NetworkSocketObj:Remote_Address xsi:type="SocketAddressObj:SocketAddressObjectType">
<SocketAddressObj:IP_Address xsi:type="AddressObj:AddressObjectType" category="ipv4-addr" is_source="false" is_destination="true">
<AddressObj:Address_Value condition="Equals">8.8.8.8</AddressObj:Address_Value>
</SocketAddressObj:IP_Address>
<SocketAddressObj:Hostname xsi:type="HostnameObj:HostnameObjectType">
<HostnameObj:Hostname_Value condition="Equals">google.com</HostnameObj:Hostname_Value>
</SocketAddressObj:Hostname>
<SocketAddressObj:Port xsi:type="PortObj:PortObjectType">
<PortObj:Port_Value condition="Equals">443</PortObj:Port_Value>
</SocketAddressObj:Port>
</NetworkSocketObj:Remote_Address>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Whois-5b0d1bd1-7508-4002-85d0-026b0a00020f">
<cybox:Object id="ORGNAME:WhoisObject-5b0d1bd1-7508-4002-85d0-026b0a00020f">
<cybox:Properties xsi:type="WhoisObj:WhoisObjectType">
<WhoisObj:Domain_Name xsi:type="URIObj:URIObjectType">
<URIObj:Value>www.circl.lu</URIObj:Value>
</WhoisObj:Domain_Name>
<WhoisObj:IP_Address xsi:type="AddressObj:AddressObjectType">
<AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value>
</WhoisObj:IP_Address>
<WhoisObj:Nameservers>
<WhoisObj:Nameserver xsi:type="URIObj:URIObjectType">
<URIObj:Value>circl.lu</URIObj:Value>
</WhoisObj:Nameserver>
</WhoisObj:Nameservers>
<WhoisObj:Creation_Date condition="Equals" precision="day">2017-05-22</WhoisObj:Creation_Date>
<WhoisObj:Registrants>
<WhoisObj:Registrant>
<WhoisObj:Name condition="Equals">Registrant Name</WhoisObj:Name>
<WhoisObj:Email_Address xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">registrant@email.com</AddressObj:Address_Value>
</WhoisObj:Email_Address>
<WhoisObj:Phone_Number condition="Equals">0123456789</WhoisObj:Phone_Number>
<WhoisObj:Organization condition="Equals">Registrant Org</WhoisObj:Organization>
</WhoisObj:Registrant>
</WhoisObj:Registrants>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>misc</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:Account-5b1f9adb-6b24-4752-83fe-02030a00020f">
<cybox:Object id="ORGNAME:AccountObject-5b1f9adb-6b24-4752-83fe-02030a00020f">
<cybox:Properties xsi:type="AccountObj:AccountObjectType">
<AccountObj:Description>MISP default credentials</AccountObj:Description>
<AccountObj:Authentication>
<AccountObj:Authentication_Type>password</AccountObj:Authentication_Type>
<AccountObj:Authentication_Data>Password1234</AccountObj:Authentication_Data>
<AccountObj:Structured_Authentication_Mechanism>
<AccountObj:Description>clear-text</AccountObj:Description>
</AccountObj:Structured_Authentication_Mechanism>
</AccountObj:Authentication>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:AutonomousSystem-5b23c878-df00-4f88-8722-02710a00020f">
<cybox:Object id="ORGNAME:AutonomousSystemObject-5b23c878-df00-4f88-8722-02710a00020f">
<cybox:Properties xsi:type="ASObj:ASObjectType">
<ASObj:Name>AS name</ASObj:Name>
<ASObj:Handle>AS66642</ASObj:Handle>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>misc</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:UnixUserAccount-5d234f9d-7310-4141-99c8-2f45a964451a">
<cybox:Object id="ORGNAME:UnixUserAccountObject-5d234f9d-7310-4141-99c8-2f45a964451a">
<cybox:Properties xsi:type="UnixUserAccountObj:UnixUserAccountObjectType">
<AccountObj:Authentication>
<AccountObj:Authentication_Data condition="Equals">P4ssw0rd1234!</AccountObj:Authentication_Data>
</AccountObj:Authentication>
<UserAccountObj:Full_Name condition="Equals">Misp</UserAccountObj:Full_Name>
<UserAccountObj:Home_Directory condition="Equals">/home/misp</UserAccountObj:Home_Directory>
<UserAccountObj:Username condition="Equals">misp</UserAccountObj:Username>
<UnixUserAccountObj:Group_ID>1002</UnixUserAccountObj:Group_ID>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:file_ObservableComposition-5e384a61-41f4-4345-ab87-3ccda964451a">
<cybox:Observable_Composition operator="AND">
<cybox:Observable id="ORGNAME:Artifact-5e384a61-44d8-448c-9d3e-3ccda964451a">
<cybox:Title>oui</cybox:Title>
<cybox:Object id="ORGNAME:ArtifactObject-5e384a61-44d8-448c-9d3e-3ccda964451a">
<cybox:Properties xsi:type="ArtifactObj:ArtifactObjectType">
<ArtifactObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8764605c6f388c89096b534d33565802</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</ArtifactObj:Hashes>
<ArtifactObj:Raw_Artifact><![CDATA[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]]></ArtifactObj:Raw_Artifact>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="ORGNAME:File-5e384a61-41f4-4345-ab87-3ccda964451a">
<cybox:Object id="ORGNAME:FileObject-5e384a61-41f4-4345-ab87-3ccda964451a">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">35</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8764605c6f388c89096b534d33565802</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">46aba99aa7158e4609aaa72b50990842fd22ae86</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</cybox:Observable_Composition>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>network</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:EmailMessage-5e3967f3-b870-4638-b366-22fda964451a">
<cybox:Object id="ORGNAME:EmailMessageObject-5e3967f3-b870-4638-b366-22fda964451a">
<cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
<EmailMessageObj:Header>
<EmailMessageObj:To>
<EmailMessageObj:Recipient xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value>oui@to.lu</AddressObj:Address_Value>
</EmailMessageObj:Recipient>
</EmailMessageObj:To>
<EmailMessageObj:CC>
<EmailMessageObj:Recipient xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value>oui1@cc.com</AddressObj:Address_Value>
</EmailMessageObj:Recipient>
<EmailMessageObj:Recipient xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value>oui2@cc.com</AddressObj:Address_Value>
</EmailMessageObj:Recipient>
</EmailMessageObj:CC>
<EmailMessageObj:From xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">oui@source.com</AddressObj:Address_Value>
</EmailMessageObj:From>
<EmailMessageObj:Subject condition="Equals">Le Oui</EmailMessageObj:Subject>
<EmailMessageObj:Reply_To xsi:type="AddressObj:AddressObjectType" category="e-mail">
<AddressObj:Address_Value condition="Equals">oui@reply.com</AddressObj:Address_Value>
</EmailMessageObj:Reply_To>
<EmailMessageObj:X_Mailer condition="Equals">oui_X-mailer</EmailMessageObj:X_Mailer>
</EmailMessageObj:Header>
<EmailMessageObj:Attachments>
<EmailMessageObj:File object_reference="ORGNAME:FileObject-5e3967f3-43ac-4486-a5b6-22fda964451a"/>
<EmailMessageObj:File object_reference="ORGNAME:FileObject-5e3967f3-0e50-44cc-ab7a-22fda964451a"/>
</EmailMessageObj:Attachments>
</cybox:Properties>
<cybox:Related_Objects>
<cybox:Related_Object id="ORGNAME:FileObject-5e3967f3-43ac-4486-a5b6-22fda964451a">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.jpg</FileObj:File_Name>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
</cybox:Related_Object>
<cybox:Related_Object id="ORGNAME:FileObject-5e3967f3-0e50-44cc-ab7a-22fda964451a">
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name condition="Equals">oui.png</FileObj:File_Name>
</cybox:Properties>
<cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Contains</cybox:Relationship>
</cybox:Related_Object>
</cybox:Related_Objects>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
<incident:Related_Observable>
<stixCommon:Relationship>file</stixCommon:Relationship>
<stixCommon:Observable id="ORGNAME:WinExecutableFile-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Object id="ORGNAME:WinExecutableFileObject-5ac4db19-c620-4b8d-a5a7-01ef0a00020f">
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
<FileObj:File_Name condition="Equals">oui</FileObj:File_Name>
<FileObj:Size_In_Bytes condition="Equals">1234</FileObj:Size_In_Bytes>
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">b2a5abfeef9e36964281a31e17b57c97</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">5898fc860300e228dcd54c0b1045b5fa0dcda502</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
<WinExecutableFileObj:Headers>
<WinExecutableFileObj:File_Header>
<WinExecutableFileObj:Number_Of_Sections>8</WinExecutableFileObj:Number_Of_Sections>
</WinExecutableFileObj:File_Header>
</WinExecutableFileObj:Headers>
<WinExecutableFileObj:Sections>
<WinExecutableFileObj:Section>
<WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Name>.rsrc</WinExecutableFileObj:Name>
<WinExecutableFileObj:Size_Of_Raw_Data>305152</WinExecutableFileObj:Size_Of_Raw_Data>
</WinExecutableFileObj:Section_Header>
<WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Value>7.836462238824369</WinExecutableFileObj:Value>
</WinExecutableFileObj:Entropy>
<WinExecutableFileObj:Header_Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">8a2a5fc2ce56b3b04d58539a95390600</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">0aeb9def096e9f73e9460afe6f8783a32c7eabdf</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA512</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
<cyboxCommon:Hash>
<cyboxCommon:Type condition="Equals">Other</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value condition="Equals">6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</WinExecutableFileObj:Header_Hashes>
</WinExecutableFileObj:Section>
</WinExecutableFileObj:Sections>
</cybox:Properties>
</cybox:Object>
</stixCommon:Observable>
</incident:Related_Observable>
</incident:Related_Observables>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:Relationship>vulnerability</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-13f1e6e7-87ab-4ced-bb84-d9461b3eb36a" timestamp="2019-08-12T12:20:13" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>vulnerability</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-7edfed6f-7b06-46ea-8aba-9c4075df40d1" timestamp="2019-08-12T12:20:14" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:Relationship>vulnerability</stixCommon:Relationship>
<stixCommon:TTP idref="ORGNAME:TTP-5e57b76e-e974-451a-b893-1440a964451a" timestamp="2020-03-23T10:18:50" xsi:type='ttp:TTPType'/>
</incident:Leveraged_TTP>
</incident:Leveraged_TTPs>
<incident:COA_Taken>
<incident:Course_Of_Action id="ORGNAME:CourseOfAction-5d515039-9a68-468b-9c78-3affa964451a" timestamp="2020-03-23T11:34:18.051910+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Block traffic to PIVY C2 Server (10.10.10.10)</coa:Title>
<coa:Stage xsi:type="stixVocabs:COAStageVocab-1.0">Response</coa:Stage>
<coa:Objective>
<coa:Description>Block communication between the PIVY agents and the C2 Server</coa:Description>
</coa:Objective>
<coa:Impact timestamp="2020-03-23T11:34:18.052015+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Impact>
<coa:Cost timestamp="2020-03-23T11:34:18.051997+00:00">
<stixCommon:Value>Low</stixCommon:Value>
</coa:Cost>
<coa:Efficacy timestamp="2020-03-23T11:34:18.052037+00:00">
<stixCommon:Value>High</stixCommon:Value>
</coa:Efficacy>
</incident:Course_Of_Action>
</incident:COA_Taken>
<incident:History>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">Event Threat Level: Undefined</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp:tool="misp2stix"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-attack-pattern="DLL Injection"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-malware="Elise"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-intrusion-set="APT16"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-tool="ifconfig"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-intrusion-set="APT16 - G0023"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-malware="Elise - S0081"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-tool="ifconfig - S0101"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: tlp:white</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:mitre-course-of-action="Access Token Manipulation Mitigation - T1134"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">MISP Tag: misp-galaxy:threat-actor="APT 16"</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">attribute[Other][comment]: oui, c'est un comment</incident:Journal_Entry>
</incident:History_Item>
<incident:History_Item>
<incident:Journal_Entry time_precision="second">attribute[Other][other]: bla</incident:Journal_Entry>
</incident:History_Item>
</incident:History>
<incident:Information_Source>
<stixCommon:Identity>
<stixCommon:Name>ORGNAME</stixCommon:Name>
</stixCommon:Identity>
<stixCommon:References>
<stixCommon:Reference>https://www.circl.lu</stixCommon:Reference>
</stixCommon:References>
</incident:Information_Source>
<incident:Handling>
<marking:Marking>
<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
<marking:Marking_Structure xsi:type='tlpMarking:TLPMarkingStructureType' color="WHITE"/>
</marking:Marking>
</incident:Handling>
</stix:Incident>
</stix:Incidents>
<stix:Courses_Of_Action>
<stix:Course_Of_Action id="ORGNAME:CourseOfAction-c61fee9f-16fb-4f8c-bbf0-869093fcd4a6" timestamp="2020-03-23T11:34:18.045047+00:00" xsi:type='coa:CourseOfActionType'>
<coa:Title>Access Token Manipulation Mitigation - T1134</coa:Title>
<coa:Description>Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.
Any user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)
Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.</coa:Description>
</stix:Course_Of_Action>
</stix:Courses_Of_Action>
<stix:Threat_Actors>
<stix:Threat_Actor id="ORGNAME:ThreatActor-1f73e14f-b882-4032-a565-26dc653b0daf" timestamp="2020-03-23T11:34:18.045253+00:00" xsi:type='ta:ThreatActorType'>
<ta:Title>APT 16</ta:Title>
<ta:Description>Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.</ta:Description>
<ta:Intended_Effect timestamp="2020-03-23T11:34:18.045606+00:00">
<stixCommon:Value>Espionage</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:Package>
</stix:Related_Package>
</stix:Related_Packages>
</stix:STIX_Package>