diff --git "a/data/processed/backup/cyner2_5class_train.jsonl" "b/data/processed/backup/cyner2_5class_train.jsonl"
new file mode 100644
--- /dev/null
+++ "b/data/processed/backup/cyner2_5class_train.jsonl"
@@ -0,0 +1,7751 @@ +{"text": "We believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.", "spans": {"Organization: financial": [[137, 146]]}, "info": {"id": "cyner2_5class_train_00000", "source": "cyner2_5class_train"}} +{"text": "The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims.", "spans": {"Indicator: spear-phishing emails": [[59, 80]], "Malware: malicious Microsoft Excel documents": [[86, 121]], "Organization: victims.": [[136, 144]]}, "info": {"id": "cyner2_5class_train_00001", "source": "cyner2_5class_train"}} +{"text": "Its major functionality is also implemented through the call of the asynchronous task ( “ org.starsizew.i ” ) , including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker .", "spans": {"Indicator: org.starsizew.i": [[90, 105]]}, "info": {"id": "cyner2_5class_train_00002", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.WebToos.A6 Trojan.Gadoopt.Win64.4 Trojan/Gadoopt.aa Win64.Backdoor.Gadoopt.b TROJ_WEBTOOS_EL150244.UVPM Win.Trojan.Win64-93 BackDoor.Gates.19 TROJ_WEBTOOS_EL150244.UVPM TR/Gadoopt.maz Trojan:Win32/WebToos.A Win64/Gadoopt.AA Trojan.Win32.WebToos", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.WebToos.A6": [[26, 43]], "Indicator: Trojan.Gadoopt.Win64.4": [[44, 66]], "Indicator: Trojan/Gadoopt.aa": [[67, 84]], "Indicator: Win64.Backdoor.Gadoopt.b": [[85, 109]], "Indicator: TROJ_WEBTOOS_EL150244.UVPM": [[110, 136], [175, 201]], "Indicator: Win.Trojan.Win64-93": [[137, 156]], "Indicator: BackDoor.Gates.19": [[157, 174]], "Indicator: TR/Gadoopt.maz": [[202, 216]], "Indicator: Trojan:Win32/WebToos.A": [[217, 239]], "Indicator: Win64/Gadoopt.AA": [[240, 256]], "Indicator: 
Trojan.Win32.WebToos": [[257, 277]]}, "info": {"id": "cyner2_5class_train_00003", "source": "cyner2_5class_train"}} +{"text": "A short , constant string of characters is inserted at strategic points to break up keywords : At runtime , the delimiter is removed before using the string : API OBFUSCATION SMS and toll fraud generally requires a few basic behaviors ( for example , disabling WiFi or accessing SMS ) , which are accessible by a handful of APIs .", "spans": {}, "info": {"id": "cyner2_5class_train_00004", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodc4c.Trojan.f31e Win32.Packed.VMProtect.a Trojan.Win32.Zapchast.ajbs Trojan.Win32.Black.elkboj Trojan.Win32.Z.Vmprotbad.242576[h] W32/Trojan.TYMW-2040 Trojan/Win32.PcClient.R191990 Trojan.VMProtect! Trojan.Win32.VMProtect Trj/CI.A Win32/Trojan.f26", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodc4c.Trojan.f31e": [[26, 49]], "Indicator: Win32.Packed.VMProtect.a": [[50, 74]], "Indicator: Trojan.Win32.Zapchast.ajbs": [[75, 101]], "Indicator: Trojan.Win32.Black.elkboj": [[102, 127]], "Indicator: Trojan.Win32.Z.Vmprotbad.242576[h]": [[128, 162]], "Indicator: W32/Trojan.TYMW-2040": [[163, 183]], "Indicator: Trojan/Win32.PcClient.R191990": [[184, 213]], "Indicator: Trojan.VMProtect!": [[214, 231]], "Indicator: Trojan.Win32.VMProtect": [[232, 254]], "Indicator: Trj/CI.A": [[255, 263]], "Indicator: Win32/Trojan.f26": [[264, 280]]}, "info": {"id": "cyner2_5class_train_00005", "source": "cyner2_5class_train"}} +{"text": "Below is a collection of API methods and a brief description around their purpose .", "spans": {}, "info": {"id": "cyner2_5class_train_00006", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9952 PWS:MSIL/Bahmajip.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9952": [[26, 68]], "Indicator: PWS:MSIL/Bahmajip.A": [[69, 88]]}, "info": {"id": 
"cyner2_5class_train_00007", "source": "cyner2_5class_train"}} +{"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data .", "spans": {}, "info": {"id": "cyner2_5class_train_00008", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Radminer!O TrojanDropper.Small.PQ4 Worm.Radminer.Win32.8 Trojan/Radmin.b TROJ_SPNR.03EF12 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.XJGC-7764 Remacc.Radmin TROJ_SPNR.03EF12 Dos.Trojan.RAdmin-17 Trojan-Dropper.RadmIns Worm.Win32.Radminer.d Trojan.Win32.Radminer.dxpafi Worm.Win32.A.Radminer.307200 Trojan.DownLoader9.15517 BehavesLike.Win32.Skintrim.fh W32/Trojan2.OCDS Trojan[RemoteAdmin]/Win32.RAdmin Backdoor:Win32/Radmin.B Worm.Win32.Radminer.d Trojan/Win32.RAdmin.R103271 Trj/CI.A Trojan.Radmin.B Win32/Radmin.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Radminer!O": [[26, 47]], "Indicator: TrojanDropper.Small.PQ4": [[48, 71]], "Indicator: Worm.Radminer.Win32.8": [[72, 93]], "Indicator: Trojan/Radmin.b": [[94, 109]], "Indicator: TROJ_SPNR.03EF12": [[110, 126], [205, 221]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[127, 169]], "Indicator: W32/Trojan.XJGC-7764": [[170, 190]], "Indicator: Remacc.Radmin": [[191, 204]], "Indicator: Dos.Trojan.RAdmin-17": [[222, 242]], "Indicator: Trojan-Dropper.RadmIns": [[243, 265]], "Indicator: Worm.Win32.Radminer.d": [[266, 287], [475, 496]], "Indicator: Trojan.Win32.Radminer.dxpafi": [[288, 316]], "Indicator: Worm.Win32.A.Radminer.307200": [[317, 345]], "Indicator: Trojan.DownLoader9.15517": [[346, 370]], "Indicator: BehavesLike.Win32.Skintrim.fh": [[371, 400]], "Indicator: W32/Trojan2.OCDS": [[401, 417]], "Indicator: Trojan[RemoteAdmin]/Win32.RAdmin": [[418, 450]], "Indicator: Backdoor:Win32/Radmin.B": [[451, 474]], "Indicator: Trojan/Win32.RAdmin.R103271": [[497, 524]], "Indicator: Trj/CI.A": [[525, 
533]], "Indicator: Trojan.Radmin.B": [[534, 549]], "Indicator: Win32/Radmin.B": [[550, 564]]}, "info": {"id": "cyner2_5class_train_00009", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Antavmu.Win32.50 Trojan/Antavmu.ejw Trojan.Heur2.RP.E5C8CC Win32.Trojan.WisdomEyes.16070401.9500.9564 W32/Trojan2.IKTO Downloader.Trojan Win.Trojan.Antavmu-74 Trojan-Downloader.Win32.Murlo.vqg Trojan.Win32.Antavmu.wseg Spyware.Antavmu.455005 TrojWare.Win32.Antavmu.~bar Trojan.1 Trojan.Win32.Antavmu W32/Trojan.ASFC-3590 Trojan.Antavmu.y Troj.W32.Antavmu.jf!c Trojan-Downloader.Win32.Murlo.vqg Trojan/Win32.Antavmu.R18411 Trojan.1 Trojan.Antavmu!m7hjC7OtKPY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Antavmu.Win32.50": [[26, 49]], "Indicator: Trojan/Antavmu.ejw": [[50, 68]], "Indicator: Trojan.Heur2.RP.E5C8CC": [[69, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9564": [[92, 134]], "Indicator: W32/Trojan2.IKTO": [[135, 151]], "Indicator: Downloader.Trojan": [[152, 169]], "Indicator: Win.Trojan.Antavmu-74": [[170, 191]], "Indicator: Trojan-Downloader.Win32.Murlo.vqg": [[192, 225], [393, 426]], "Indicator: Trojan.Win32.Antavmu.wseg": [[226, 251]], "Indicator: Spyware.Antavmu.455005": [[252, 274]], "Indicator: TrojWare.Win32.Antavmu.~bar": [[275, 302]], "Indicator: Trojan.1": [[303, 311], [455, 463]], "Indicator: Trojan.Win32.Antavmu": [[312, 332]], "Indicator: W32/Trojan.ASFC-3590": [[333, 353]], "Indicator: Trojan.Antavmu.y": [[354, 370]], "Indicator: Troj.W32.Antavmu.jf!c": [[371, 392]], "Indicator: Trojan/Win32.Antavmu.R18411": [[427, 454]], "Indicator: Trojan.Antavmu!m7hjC7OtKPY": [[464, 490]]}, "info": {"id": "cyner2_5class_train_00010", "source": "cyner2_5class_train"}} +{"text": "] today svcws [ .", "spans": {"Indicator: svcws [ .": [[8, 17]]}, "info": {"id": "cyner2_5class_train_00011", "source": "cyner2_5class_train"}} +{"text": "Figure 4 : Loader calls initialization method Technical Analysis – Core Module With the main 
purpose of spreading the infection , “ Agent Smith ” implements in the “ core ” module : A series of ‘ Bundle ’ vulnerabilities , which is used to install applications without the victim ’ s awareness .", "spans": {"Malware: Agent Smith": [[132, 143]], "Vulnerability: Bundle": [[196, 202]]}, "info": {"id": "cyner2_5class_train_00012", "source": "cyner2_5class_train"}} +{"text": "Control of malware from a single center provides maximum flexibility .", "spans": {}, "info": {"id": "cyner2_5class_train_00013", "source": "cyner2_5class_train"}} +{"text": "A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan.", "spans": {"Malware: banking malware": [[13, 28]]}, "info": {"id": "cyner2_5class_train_00014", "source": "cyner2_5class_train"}} +{"text": "Once granted permission , it hides its icon from the launcher application list then starts a service that it keeps running in the background .", "spans": {}, "info": {"id": "cyner2_5class_train_00015", "source": "cyner2_5class_train"}} +{"text": "The most advanced mobile malicious programs today are Trojans targeting users ’ bank accounts – the most attractive source of criminal earnings .", "spans": {}, "info": {"id": "cyner2_5class_train_00016", "source": "cyner2_5class_train"}} +{"text": "The name of this injector is based on its version information which is the same for both dotRunpeX versions, consistent across all samples we analyzed and containing ProductName – RunpeX.Stub.Framework.", "spans": {"Malware: injector": [[17, 25]], "Malware: dotRunpeX versions,": [[89, 108]], "Malware: ProductName": [[166, 177]], "Indicator: RunpeX.Stub.Framework.": [[180, 202]]}, "info": {"id": "cyner2_5class_train_00017", "source": "cyner2_5class_train"}} +{"text": "The researchers wrote : While profit is powerful motivation for any attacker , Yingmob ’ s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures , including 
productizing the access to the 85 million Android devices it controls .", "spans": {"Organization: Yingmob": [[79, 86]], "System: Android": [[261, 268]]}, "info": {"id": "cyner2_5class_train_00018", "source": "cyner2_5class_train"}} +{"text": "If you want to know more about them — our researchers have an article about them on Securelist .", "spans": {"Organization: Securelist": [[84, 94]]}, "info": {"id": "cyner2_5class_train_00019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_DROPPER.FK Win32.Trojan.WisdomEyes.16070401.9500.9995 Infostealer.Gampass TROJ_DROPPER.FK Trojan.Win32.XDR.euxmtw Trojan.MulDrop.18385 BehavesLike.Win32.Virut.cc Win32.Infect.a.124448 Win32/Trojan.5f3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_DROPPER.FK": [[26, 41], [105, 120]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[42, 84]], "Indicator: Infostealer.Gampass": [[85, 104]], "Indicator: Trojan.Win32.XDR.euxmtw": [[121, 144]], "Indicator: Trojan.MulDrop.18385": [[145, 165]], "Indicator: BehavesLike.Win32.Virut.cc": [[166, 192]], "Indicator: Win32.Infect.a.124448": [[193, 214]], "Indicator: Win32/Trojan.5f3": [[215, 231]]}, "info": {"id": "cyner2_5class_train_00020", "source": "cyner2_5class_train"}} +{"text": "Server-side Carrier Checks In the JavaScript bridge API obfuscation example covered above , the server supplied the app with the necessary strings to complete the billing process .", "spans": {}, "info": {"id": "cyner2_5class_train_00021", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Delfsnif W32/Backdoor2.GYBX Backdoor.Trojan Trojan.Win32.Delphi.bjxrjc BehavesLike.Win32.Rontokbro.dm W32/Backdoor.XFVH-7108 Backdoor.Delfsnif Trj/CI.A Win32.Trojan.Crypt.Alih Hoax.Win32.BadJoke.FakeKAV Win32/Trojan.160", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Delfsnif": [[26, 43], [160, 177]], "Indicator: W32/Backdoor2.GYBX": [[44, 62]], "Indicator: Backdoor.Trojan": [[63, 78]], 
"Indicator: Trojan.Win32.Delphi.bjxrjc": [[79, 105]], "Indicator: BehavesLike.Win32.Rontokbro.dm": [[106, 136]], "Indicator: W32/Backdoor.XFVH-7108": [[137, 159]], "Indicator: Trj/CI.A": [[178, 186]], "Indicator: Win32.Trojan.Crypt.Alih": [[187, 210]], "Indicator: Hoax.Win32.BadJoke.FakeKAV": [[211, 237]], "Indicator: Win32/Trojan.160": [[238, 254]]}, "info": {"id": "cyner2_5class_train_00022", "source": "cyner2_5class_train"}} +{"text": "However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA.", "spans": {"Indicator: attacks": [[31, 38]], "Organization: nations": [[59, 66]]}, "info": {"id": "cyner2_5class_train_00023", "source": "cyner2_5class_train"}} +{"text": "Others may have the necessary permissions , but are missing the classes containing the fraud code .", "spans": {}, "info": {"id": "cyner2_5class_train_00024", "source": "cyner2_5class_train"}} +{"text": "The documents were found to drop the following malware families: The previously discussed CONFUCIUS_B malware family A backdoor previously not discussed in the public domain, commonly detected by some antivirus solutions as BioData A previously unknown backdoor that we have named MY24", "spans": {"Indicator: documents": [[4, 13]], "Malware: malware families:": [[47, 64]], "Malware: CONFUCIUS_B malware family": [[90, 116]], "Malware: backdoor": [[119, 127]], "Indicator: the public domain,": [[156, 174]], "System: antivirus solutions": [[201, 220]], "Indicator: BioData": [[224, 231]], "Malware: unknown backdoor": [[245, 261]], "Malware: MY24": [[281, 285]]}, "info": {"id": "cyner2_5class_train_00025", "source": "cyner2_5class_train"}} +{"text": "Google later implemented platform-level changes that practically eliminated this attack surface .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "cyner2_5class_train_00026", "source": "cyner2_5class_train"}} +{"text": "The spammed attachments are using a RTF trick or a feature of Windows OS 
that allows dropping an executable – but not running it – simply by opening the RTF document", "spans": {"Indicator: The spammed attachments": [[0, 23]], "Indicator: RTF trick": [[36, 45]], "Indicator: feature of Windows OS": [[51, 72]], "Indicator: RTF document": [[153, 165]]}, "info": {"id": "cyner2_5class_train_00027", "source": "cyner2_5class_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00028", "source": "cyner2_5class_train"}} +{"text": "Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar.", "spans": {}, "info": {"id": "cyner2_5class_train_00029", "source": "cyner2_5class_train"}} +{"text": "The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered.", "spans": {"Malware: malware": [[4, 11]], "Indicator: disguises": [[12, 21]], "Indicator: file helper app": [[34, 49]], "Indicator: very advanced anti-debug and anti-hook techniques": [[64, 113]]}, "info": {"id": "cyner2_5class_train_00030", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.KillAV.60689 Packed.Win32.TDSS!O Trojan.KillAV.Win32.3036 Trojan/KillAV.caq W32/Trojan2.GLAK Infostealer.Onlinegame Trojan.Win32.KillAV.60689 TrojWare.Win32.Patched.KSU Trojan.Click.28899 Trojan.1 W32/Trojan.ANJW-2244 Trojan/KillAV.qx Worm:Win32/QQnof.A Trojan.Zusy.D1B0EC Troj.W32.KillAV.caq!c Trojan/Win32.KillAV.C155326 Trojan.1 Trojan.Win32.Jhee W32/KillAV.CAQ!tr Trj/KillAV.FJ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.KillAV.60689": [[26, 49]], "Indicator: Packed.Win32.TDSS!O": [[50, 69]], "Indicator: Trojan.KillAV.Win32.3036": [[70, 94]], "Indicator: Trojan/KillAV.caq": [[95, 112]], "Indicator: W32/Trojan2.GLAK": [[113, 129]], "Indicator: Infostealer.Onlinegame": [[130, 152]], "Indicator: Trojan.Win32.KillAV.60689": [[153, 178]], "Indicator: 
TrojWare.Win32.Patched.KSU": [[179, 205]], "Indicator: Trojan.Click.28899": [[206, 224]], "Indicator: Trojan.1": [[225, 233], [360, 368]], "Indicator: W32/Trojan.ANJW-2244": [[234, 254]], "Indicator: Trojan/KillAV.qx": [[255, 271]], "Indicator: Worm:Win32/QQnof.A": [[272, 290]], "Indicator: Trojan.Zusy.D1B0EC": [[291, 309]], "Indicator: Troj.W32.KillAV.caq!c": [[310, 331]], "Indicator: Trojan/Win32.KillAV.C155326": [[332, 359]], "Indicator: Trojan.Win32.Jhee": [[369, 386]], "Indicator: W32/KillAV.CAQ!tr": [[387, 404]], "Indicator: Trj/KillAV.FJ": [[405, 418]]}, "info": {"id": "cyner2_5class_train_00031", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9979 Backdoor.Trojan Win32/Cyreho.A Trojan.DownLoad2.18592 W32.Trojan.Trojan-Backdoor-Cele TR/Dldr.Ftp.E Trojan/Win32.Unknown Trojan.Heur.VP.E82FB1 Trojan:Win32/Cyreho.A Trojan.VBRA.02524 Win32.Trojan.Dldr.Oyeu Trojan.Win32.Darkddoser W32/VB.NZ!tr Win32/Trojan.9b7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[26, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: Win32/Cyreho.A": [[85, 99]], "Indicator: Trojan.DownLoad2.18592": [[100, 122]], "Indicator: W32.Trojan.Trojan-Backdoor-Cele": [[123, 154]], "Indicator: TR/Dldr.Ftp.E": [[155, 168]], "Indicator: Trojan/Win32.Unknown": [[169, 189]], "Indicator: Trojan.Heur.VP.E82FB1": [[190, 211]], "Indicator: Trojan:Win32/Cyreho.A": [[212, 233]], "Indicator: Trojan.VBRA.02524": [[234, 251]], "Indicator: Win32.Trojan.Dldr.Oyeu": [[252, 274]], "Indicator: Trojan.Win32.Darkddoser": [[275, 298]], "Indicator: W32/VB.NZ!tr": [[299, 311]], "Indicator: Win32/Trojan.9b7": [[312, 328]]}, "info": {"id": "cyner2_5class_train_00032", "source": "cyner2_5class_train"}} +{"text": "Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques.", "spans": {"Malware: IsSpace": [[48, 55]], "Malware: TidePool 
malware families": [[60, 85]]}, "info": {"id": "cyner2_5class_train_00033", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Pccontrol.2.1 Backdoor.Pccontrol.2.1 Backdoor.PcControl!Vqgcs0rOUEs PcControl.C Backdoor.Win32.PcControl.21 Backdoor.Pccontrol.2.1 Trojan.Win32.PcControl.cbiyio Backdoor.Pccontrol.2.1 Backdoor.Win32.PcControl.21 Backdoor.Pccontrol.2.1 BackDoor.Control.21 BKDR_PCCONTROL.A W32/Risk.SRBI-7988 BDS/PcControl.21.1 Trojan[Backdoor]/Win32.PcControl Backdoor:Win32/PCControl.2_1 Backdoor.Pccontrol.2.1 Backdoor.Pccontrol.2.1 Backdoor.PcControl Backdoor.Win32.PcControl.aa Win32/PcControl.21 W32/PcCont.21!tr.bdr BackDoor.Pccontrol.C Bck/PcControl.21", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Pccontrol.2.1": [[26, 48], [49, 71], [143, 165], [196, 218], [247, 269], [407, 429], [430, 452]], "Indicator: Backdoor.PcControl!Vqgcs0rOUEs": [[72, 102]], "Indicator: PcControl.C": [[103, 114]], "Indicator: Backdoor.Win32.PcControl.21": [[115, 142], [219, 246]], "Indicator: Trojan.Win32.PcControl.cbiyio": [[166, 195]], "Indicator: BackDoor.Control.21": [[270, 289]], "Indicator: BKDR_PCCONTROL.A": [[290, 306]], "Indicator: W32/Risk.SRBI-7988": [[307, 325]], "Indicator: BDS/PcControl.21.1": [[326, 344]], "Indicator: Trojan[Backdoor]/Win32.PcControl": [[345, 377]], "Indicator: Backdoor:Win32/PCControl.2_1": [[378, 406]], "Indicator: Backdoor.PcControl": [[453, 471]], "Indicator: Backdoor.Win32.PcControl.aa": [[472, 499]], "Indicator: Win32/PcControl.21": [[500, 518]], "Indicator: W32/PcCont.21!tr.bdr": [[519, 539]], "Indicator: BackDoor.Pccontrol.C": [[540, 560]], "Indicator: Bck/PcControl.21": [[561, 577]]}, "info": {"id": "cyner2_5class_train_00034", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Bacterio61.A Trojan.Bacterio61.A Trojan.Bacterio61.r3 Trojan.Bacterio61.A Trojan.Bacterio61.A Trojan.Bacterio61!xosA0+L/cz0 Trojan.Dropper TROJ_BACTERIO.61 Trojan.Win32.Bacterio61 
Trojan.Win32.Bacterio61.fdse Trojan.Win32.RenAll[h] PE:Trojan.Bacterio61!1073791980 Trojan.Bacterio61.A TrojWare.Win32.RenAll Trojan.Bacterio61.A Trojan.Bacterio61.Win32.1 TROJ_BACTERIO.61 W32/Virus.NFQE-4477 Trojan/Win32.Bacterio61 Win32.Troj.Bacterio61.kcloud Win-Trojan/RenAll.94208 Trojan.Bacterio61.A Win32.Trojan.Bacterio61.ddnb W32/Bacterio61.A!tr Trojan.Win32.Bacterio61.aW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bacterio61.A": [[26, 45], [46, 65], [87, 106], [107, 126], [297, 316], [339, 358], [499, 518]], "Indicator: Trojan.Bacterio61.r3": [[66, 86]], "Indicator: Trojan.Bacterio61!xosA0+L/cz0": [[127, 156]], "Indicator: Trojan.Dropper": [[157, 171]], "Indicator: TROJ_BACTERIO.61": [[172, 188], [385, 401]], "Indicator: Trojan.Win32.Bacterio61": [[189, 212]], "Indicator: Trojan.Win32.Bacterio61.fdse": [[213, 241]], "Indicator: Trojan.Win32.RenAll[h]": [[242, 264]], "Indicator: PE:Trojan.Bacterio61!1073791980": [[265, 296]], "Indicator: TrojWare.Win32.RenAll": [[317, 338]], "Indicator: Trojan.Bacterio61.Win32.1": [[359, 384]], "Indicator: W32/Virus.NFQE-4477": [[402, 421]], "Indicator: Trojan/Win32.Bacterio61": [[422, 445]], "Indicator: Win32.Troj.Bacterio61.kcloud": [[446, 474]], "Indicator: Win-Trojan/RenAll.94208": [[475, 498]], "Indicator: Win32.Trojan.Bacterio61.ddnb": [[519, 547]], "Indicator: W32/Bacterio61.A!tr": [[548, 567]], "Indicator: Trojan.Win32.Bacterio61.aW": [[568, 594]]}, "info": {"id": "cyner2_5class_train_00035", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.CDB.3cb9 Virus.Win32.Patched", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.CDB.3cb9": [[26, 39]], "Indicator: Virus.Win32.Patched": [[40, 59]]}, "info": {"id": "cyner2_5class_train_00036", "source": "cyner2_5class_train"}} +{"text": "Finally , the Ashas adware family has its code hidden under the com.google.xxx package name .", "spans": {"Malware: Ashas": [[14, 19]]}, "info": {"id": "cyner2_5class_train_00037", "source": 
"cyner2_5class_train"}} +{"text": "Figure 1 : Landing page for phishing scheme asking for the victim ’ s signatory number and PIN using stolen branding from Bank Austria Because the actor delivered phishing links using the bit.ly URL shortener , we can access delivery statistics for this particular campaign .", "spans": {"System: Bank Austria": [[122, 134]], "Indicator: bit.ly": [[188, 194]]}, "info": {"id": "cyner2_5class_train_00038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.4CE7 Backdoor/W32.Tropoly.C Backdoor.CPEX.Win32.21496 Trojan/Inject.aisx Trojan.Heur.E7B492 Trojan.Win32.A.Inject.48640.F TrojWare.Win32.Pincav.N Trojan.PWS.Reggin.91 BehavesLike.Win32.Ramnit.pc Trojan.Win32.Inject Trojan/Inject.hnq Troj.W32.Inject.aisx!c Trojan/Win32.OnlineGameHack.R2669 PWS-OnlineGames.ge BScope.TrojanPSW.Magania.1314 Trojan.Inject!H2RbMIi2jvQ Trj/Inject.IR Win32/Trojan.65a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.4CE7": [[26, 42]], "Indicator: Backdoor/W32.Tropoly.C": [[43, 65]], "Indicator: Backdoor.CPEX.Win32.21496": [[66, 91]], "Indicator: Trojan/Inject.aisx": [[92, 110]], "Indicator: Trojan.Heur.E7B492": [[111, 129]], "Indicator: Trojan.Win32.A.Inject.48640.F": [[130, 159]], "Indicator: TrojWare.Win32.Pincav.N": [[160, 183]], "Indicator: Trojan.PWS.Reggin.91": [[184, 204]], "Indicator: BehavesLike.Win32.Ramnit.pc": [[205, 232]], "Indicator: Trojan.Win32.Inject": [[233, 252]], "Indicator: Trojan/Inject.hnq": [[253, 270]], "Indicator: Troj.W32.Inject.aisx!c": [[271, 293]], "Indicator: Trojan/Win32.OnlineGameHack.R2669": [[294, 327]], "Indicator: PWS-OnlineGames.ge": [[328, 346]], "Indicator: BScope.TrojanPSW.Magania.1314": [[347, 376]], "Indicator: Trojan.Inject!H2RbMIi2jvQ": [[377, 402]], "Indicator: Trj/Inject.IR": [[403, 416]], "Indicator: Win32/Trojan.65a": [[417, 433]]}, "info": {"id": "cyner2_5class_train_00039", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
W32.Tregwihc.Trojan Trojan.Inject.GK Worm/W32.AutoRun.114688 W32/Autorun.worm.dw W32/AutoRun.lrf TROJ_FAM_0000e93.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9992 W32/Worm.FWLR-5025 Trojan.Minit Win32/Milsni.D TROJ_FAM_0000e93.TOMA Win.Worm.Autorun-376 Win32.Rootkit.Uroburos.C Trojan.Inject.GK Trojan.Win32.AutoRun.ftwn Worm.Win32.Autorun.114688.I W32.W.AutoRun.lrf!c Trojan.Inject.GK Worm.Win32.AutoRun.COB Trojan.Inject.GK Win32.HLLW.Autoruner.5122 Worm.AutoRun.Win32.35 W32/Autorun.worm.dw W32/Worm.AKXJ Worm/AutoRun.fma Worm:Win32/Yacspeel.A.dll WORM/Autorun.Byt.34 Worm/Win32.AutoRun Worm:Win32/Yacspeel.A.dll Worm/Win32.AutoRun.R1836 Trojan.Inject.GK Worm.Win32.AutoRun.byt Trj/Autorun.RN Win32/AutoRun.COB Win32.Worm.Autorun.Lohz Virus.Win32.AutoRun.sd W32/AutoRun.BDJ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Tregwihc.Trojan": [[26, 45]], "Indicator: Trojan.Inject.GK": [[46, 62], [303, 319], [394, 410], [434, 450], [666, 682]], "Indicator: Worm/W32.AutoRun.114688": [[63, 86]], "Indicator: W32/Autorun.worm.dw": [[87, 106], [499, 518]], "Indicator: W32/AutoRun.lrf": [[107, 122]], "Indicator: TROJ_FAM_0000e93.TOMA": [[123, 144], [235, 256]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[145, 187]], "Indicator: W32/Worm.FWLR-5025": [[188, 206]], "Indicator: Trojan.Minit": [[207, 219]], "Indicator: Win32/Milsni.D": [[220, 234]], "Indicator: Win.Worm.Autorun-376": [[257, 277]], "Indicator: Win32.Rootkit.Uroburos.C": [[278, 302]], "Indicator: Trojan.Win32.AutoRun.ftwn": [[320, 345]], "Indicator: Worm.Win32.Autorun.114688.I": [[346, 373]], "Indicator: W32.W.AutoRun.lrf!c": [[374, 393]], "Indicator: Worm.Win32.AutoRun.COB": [[411, 433]], "Indicator: Win32.HLLW.Autoruner.5122": [[451, 476]], "Indicator: Worm.AutoRun.Win32.35": [[477, 498]], "Indicator: W32/Worm.AKXJ": [[519, 532]], "Indicator: Worm/AutoRun.fma": [[533, 549]], "Indicator: Worm:Win32/Yacspeel.A.dll": [[550, 575], [615, 640]], "Indicator: WORM/Autorun.Byt.34": [[576, 595]], 
"Indicator: Worm/Win32.AutoRun": [[596, 614]], "Indicator: Worm/Win32.AutoRun.R1836": [[641, 665]], "Indicator: Worm.Win32.AutoRun.byt": [[683, 705]], "Indicator: Trj/Autorun.RN": [[706, 720]], "Indicator: Win32/AutoRun.COB": [[721, 738]], "Indicator: Win32.Worm.Autorun.Lohz": [[739, 762]], "Indicator: Virus.Win32.AutoRun.sd": [[763, 785]], "Indicator: W32/AutoRun.BDJ!tr": [[786, 804]]}, "info": {"id": "cyner2_5class_train_00040", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: LNK.Trojan.3171 LNK/Trojan.TPJW-5 LNK_ARGULONG.SMLNK HEUR:Trojan.WinLNK.Powecod.a LNK_ARGULONG.SMLNK LNK/Trojan.TPJW-5 HEUR:Trojan.WinLNK.Powecod.a Trojan.LNK virus.lnk.powershell.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: LNK.Trojan.3171": [[26, 41]], "Indicator: LNK/Trojan.TPJW-5": [[42, 59], [127, 144]], "Indicator: LNK_ARGULONG.SMLNK": [[60, 78], [108, 126]], "Indicator: HEUR:Trojan.WinLNK.Powecod.a": [[79, 107], [145, 173]], "Indicator: Trojan.LNK": [[174, 184]], "Indicator: virus.lnk.powershell.a": [[185, 207]]}, "info": {"id": "cyner2_5class_train_00041", "source": "cyner2_5class_train"}} +{"text": "] commediauploader [ .", "spans": {"Indicator: [ .": [[19, 22]]}, "info": {"id": "cyner2_5class_train_00042", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SasfisB.Worm Win32.Worm.Wukill.D Email-Worm.Win32.Rays!O Worm.WuKill Worm.Rays.Win32.1 Worm.Wukill Win32.Worm-Email.Rays.a W32.Wullik@mm Win.Worm.Rays-1 Email-Worm.Win32.Rays.d Win32.Worm.Wukill.D Trojan.Win32.Rays.cvmxdt W32.W.Basun.lwAE Trojan.Win32.FakeFolder.wid Win32.Worm.Wukill.D Win32.Worm.Wukill.D Win32.HLLM.Xgray Email-Worm.Win32.Rays Worm.Rays.d.49152 Win32.Worm.Wukill.D I-Worm.Win32.Rays.49152 Email-Worm.Win32.Rays.d Win32.Trojan.Wukill.B Win32/Rays.worm.15024 Win32.Worm.Wukill.D SScope.Trojan.VBRA.4977 I-Worm.Wukill.B W32/Fawkes.A!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SasfisB.Worm": [[26, 42]], "Indicator: Win32.Worm.Wukill.D": 
[[43, 62], [207, 226], [297, 316], [317, 336], [394, 413], [506, 525]], "Indicator: Email-Worm.Win32.Rays!O": [[63, 86]], "Indicator: Worm.WuKill": [[87, 98]], "Indicator: Worm.Rays.Win32.1": [[99, 116]], "Indicator: Worm.Wukill": [[117, 128]], "Indicator: Win32.Worm-Email.Rays.a": [[129, 152]], "Indicator: W32.Wullik@mm": [[153, 166]], "Indicator: Win.Worm.Rays-1": [[167, 182]], "Indicator: Email-Worm.Win32.Rays.d": [[183, 206], [438, 461]], "Indicator: Trojan.Win32.Rays.cvmxdt": [[227, 251]], "Indicator: W32.W.Basun.lwAE": [[252, 268]], "Indicator: Trojan.Win32.FakeFolder.wid": [[269, 296]], "Indicator: Win32.HLLM.Xgray": [[337, 353]], "Indicator: Email-Worm.Win32.Rays": [[354, 375]], "Indicator: Worm.Rays.d.49152": [[376, 393]], "Indicator: I-Worm.Win32.Rays.49152": [[414, 437]], "Indicator: Win32.Trojan.Wukill.B": [[462, 483]], "Indicator: Win32/Rays.worm.15024": [[484, 505]], "Indicator: SScope.Trojan.VBRA.4977": [[526, 549]], "Indicator: I-Worm.Wukill.B": [[550, 565]], "Indicator: W32/Fawkes.A!worm": [[566, 583]]}, "info": {"id": "cyner2_5class_train_00043", "source": "cyner2_5class_train"}} +{"text": "The document contains an encoded Visual Basic Script VBScript typical of previous Carbanak malware.", "spans": {"Indicator: document": [[4, 12]], "Indicator: Visual Basic Script VBScript": [[33, 61]], "Malware: Carbanak malware.": [[82, 99]]}, "info": {"id": "cyner2_5class_train_00044", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Fynloski.H Win32.Trojan Trojan.MSIL.Crypt.cxp Trojan.Inject.54745 TR/PSW.Fignotok.LW Trojan-Dropper.Small!IK Trojan/Jorik.ovo TrojanDownloader:Win32/Batosecu.A Trojan/Win32.Jorik Trojan.Jorik.Fynloski.ft Trojan-Dropper.Small Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Fynloski.H": [[26, 40]], "Indicator: Win32.Trojan": [[41, 53]], "Indicator: Trojan.MSIL.Crypt.cxp": [[54, 75]], "Indicator: Trojan.Inject.54745": [[76, 95]], "Indicator: TR/PSW.Fignotok.LW": [[96, 114]], "Indicator: 
Trojan-Dropper.Small!IK": [[115, 138]], "Indicator: Trojan/Jorik.ovo": [[139, 155]], "Indicator: TrojanDownloader:Win32/Batosecu.A": [[156, 189]], "Indicator: Trojan/Win32.Jorik": [[190, 208]], "Indicator: Trojan.Jorik.Fynloski.ft": [[209, 233]], "Indicator: Trojan-Dropper.Small": [[234, 254]], "Indicator: Trj/CI.A": [[255, 263]]}, "info": {"id": "cyner2_5class_train_00045", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke.Jepruss Hoax.Win32.BadJoke!O Joke.Russianjep Joke.Jepruss Joke.Jepruss W32/Joke.NX Joke.JepRuss JOKE_ONLYGAME.A Win.Joke.Jep-1 Joke.Jepruss Hoax.Win32.BadJoke.JepRuss Joke.Jepruss Riskware.Win32.JepRuss.hybz Joke.Win32.FakeScreen Hoax.W32.BadJoke.JepRuss!c Joke.Jepruss Joke.Win32.Jep.Russ Joke.Jepruss Joke.Justgame Tool.BadJoke.Win32.23 JOKE_ONLYGAME.A W32/Joke.TMKA-5158 not-virus:Joke.Win32.JepRuss HackTool[Hoax]/Win32.JepRuss Win32.Joke.JepRuss.kcloud Hoax.Win32.BadJoke.JepRuss Win-Joke/Delete_Game.916512 Win32/Jep.Russ Win32.Trojan-psw.Badjoke.Lmkt Trojan.Jep!7Qg0TmyJLB0 Joke.Win32.RussianJep", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Jepruss": [[26, 38], [76, 88], [89, 101], [158, 170], [198, 210], [288, 300], [321, 333]], "Indicator: Hoax.Win32.BadJoke!O": [[39, 59]], "Indicator: Joke.Russianjep": [[60, 75]], "Indicator: W32/Joke.NX": [[102, 113]], "Indicator: Joke.JepRuss": [[114, 126]], "Indicator: JOKE_ONLYGAME.A": [[127, 142], [370, 385]], "Indicator: Win.Joke.Jep-1": [[143, 157]], "Indicator: Hoax.Win32.BadJoke.JepRuss": [[171, 197], [489, 515]], "Indicator: Riskware.Win32.JepRuss.hybz": [[211, 238]], "Indicator: Joke.Win32.FakeScreen": [[239, 260]], "Indicator: Hoax.W32.BadJoke.JepRuss!c": [[261, 287]], "Indicator: Joke.Win32.Jep.Russ": [[301, 320]], "Indicator: Joke.Justgame": [[334, 347]], "Indicator: Tool.BadJoke.Win32.23": [[348, 369]], "Indicator: W32/Joke.TMKA-5158": [[386, 404]], "Indicator: not-virus:Joke.Win32.JepRuss": [[405, 433]], "Indicator: HackTool[Hoax]/Win32.JepRuss": [[434, 
462]], "Indicator: Win32.Joke.JepRuss.kcloud": [[463, 488]], "Indicator: Win-Joke/Delete_Game.916512": [[516, 543]], "Indicator: Win32/Jep.Russ": [[544, 558]], "Indicator: Win32.Trojan-psw.Badjoke.Lmkt": [[559, 588]], "Indicator: Trojan.Jep!7Qg0TmyJLB0": [[589, 611]], "Indicator: Joke.Win32.RussianJep": [[612, 633]]}, "info": {"id": "cyner2_5class_train_00046", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Seimon.G Trojan.Seimon.G Trojan.Seimon.G Trojan.Seimon!4f7JwSpV94c Trojan.Seimon.G TrojWare.Win32.Trojan.Seimon.G0 Trojan.Seimon.G Trojan.DownLoad.3195 BehavesLike.Win32.PWSGamania.lh W32/PhishExe.B!tr.dldr Trojan[:HEUR]/Win32.Unknown Trojan.Seimon.G Trojan/Win32.Casino BScope.Trojan-Downloader.ILoveLanch.pj Virus.Win32.Cloaker Trojan.Seimon.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Seimon.G": [[26, 41], [42, 57], [58, 73], [100, 115], [148, 163], [268, 283], [363, 378]], "Indicator: Trojan.Seimon!4f7JwSpV94c": [[74, 99]], "Indicator: TrojWare.Win32.Trojan.Seimon.G0": [[116, 147]], "Indicator: Trojan.DownLoad.3195": [[164, 184]], "Indicator: BehavesLike.Win32.PWSGamania.lh": [[185, 216]], "Indicator: W32/PhishExe.B!tr.dldr": [[217, 239]], "Indicator: Trojan[:HEUR]/Win32.Unknown": [[240, 267]], "Indicator: Trojan/Win32.Casino": [[284, 303]], "Indicator: BScope.Trojan-Downloader.ILoveLanch.pj": [[304, 342]], "Indicator: Virus.Win32.Cloaker": [[343, 362]]}, "info": {"id": "cyner2_5class_train_00047", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9563 W32/Application.THZK-5586 BehavesLike.Win32.BadFile.rc Trojan.Win32.PSW Trojan.Application.Zusy.D3D00C Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9563": [[26, 68]], "Indicator: W32/Application.THZK-5586": [[69, 94]], "Indicator: BehavesLike.Win32.BadFile.rc": [[95, 123]], "Indicator: Trojan.Win32.PSW": [[124, 140]], "Indicator: 
Trojan.Application.Zusy.D3D00C": [[141, 171]], "Indicator: Trj/GdSda.A": [[172, 183]]}, "info": {"id": "cyner2_5class_train_00048", "source": "cyner2_5class_train"}} +{"text": "WolfRAT application screen The Google GMS and Firebase service has been added , however , no configuration has been found , even though services seem to be referenced in the of a new class .", "spans": {"Malware: WolfRAT": [[0, 7]], "System: Google GMS": [[31, 41]], "System: Firebase": [[46, 54]]}, "info": {"id": "cyner2_5class_train_00049", "source": "cyner2_5class_train"}} +{"text": "The page was designed to steal users ’ bank card details : 2017–2018 From early 2017 , the HTML phishing pages bank.html , update.html and extortionist.html started appearing in the assets folder .", "spans": {"Indicator: bank.html": [[111, 120]], "Indicator: update.html": [[123, 134]], "Indicator: extortionist.html": [[139, 156]]}, "info": {"id": "cyner2_5class_train_00050", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.KillFiles!O Trojan.Birele Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.GBTW-1754 Ransom_Birele.R038C0DLB17 Trojan-Ransom.Win32.Birele.gss Trojan.Win32.Dropper.rpje Trojan.Win32.Scar.56320.B Troj.Ransom.W32.Birele!c Worm.Win32.Autorun.GVIT Trojan.MulDrop1.6138 Trojan.Birele.Win32.7887 BehavesLike.Win32.Ransom.fc Virus.Win32.VBInject W32/MalwareS.BBSH Trojan/Scar.pgv Trojan/Win32.KillFiles PWS:Win32/Kiction.A Trojan.Zusy.DAEF Trojan/Win32.Scar.R18936 Trojan-Ransom.Win32.Birele.gss Worm.Spreader Worm.AutoRun Win32.Trojan.Birele.Pgda W32/KillFiles.GMU!tr Win32/Trojan.Ransom.f31", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.KillFiles!O": [[26, 50]], "Indicator: Trojan.Birele": [[51, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[65, 107]], "Indicator: W32/Risk.GBTW-1754": [[108, 126]], "Indicator: Ransom_Birele.R038C0DLB17": [[127, 152]], "Indicator: Trojan-Ransom.Win32.Birele.gss": [[153, 183], [499, 529]], 
"Indicator: Trojan.Win32.Dropper.rpje": [[184, 209]], "Indicator: Trojan.Win32.Scar.56320.B": [[210, 235]], "Indicator: Troj.Ransom.W32.Birele!c": [[236, 260]], "Indicator: Worm.Win32.Autorun.GVIT": [[261, 284]], "Indicator: Trojan.MulDrop1.6138": [[285, 305]], "Indicator: Trojan.Birele.Win32.7887": [[306, 330]], "Indicator: BehavesLike.Win32.Ransom.fc": [[331, 358]], "Indicator: Virus.Win32.VBInject": [[359, 379]], "Indicator: W32/MalwareS.BBSH": [[380, 397]], "Indicator: Trojan/Scar.pgv": [[398, 413]], "Indicator: Trojan/Win32.KillFiles": [[414, 436]], "Indicator: PWS:Win32/Kiction.A": [[437, 456]], "Indicator: Trojan.Zusy.DAEF": [[457, 473]], "Indicator: Trojan/Win32.Scar.R18936": [[474, 498]], "Indicator: Worm.Spreader": [[530, 543]], "Indicator: Worm.AutoRun": [[544, 556]], "Indicator: Win32.Trojan.Birele.Pgda": [[557, 581]], "Indicator: W32/KillFiles.GMU!tr": [[582, 602]], "Indicator: Win32/Trojan.Ransom.f31": [[603, 626]]}, "info": {"id": "cyner2_5class_train_00051", "source": "cyner2_5class_train"}} +{"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php Exfiltrate Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 reqcalllog.php Commands not yet 
implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) .", "spans": {"Indicator: reqsmscal.php": [[174, 187], [217, 230], [255, 268], [331, 344], [395, 408], [474, 487], [552, 565], [606, 619]], "Indicator: reqcalllog.php": [[662, 676], [704, 718], [749, 763], [814, 828], [883, 897], [926, 940], [972, 986], [1047, 1061]]}, "info": {"id": "cyner2_5class_train_00052", "source": "cyner2_5class_train"}} +{"text": "It will also report the version of Android that the phone is running and any additional capabilities .", "spans": {"System: Android": [[35, 42]]}, "info": {"id": "cyner2_5class_train_00053", "source": "cyner2_5class_train"}} +{"text": "In the beginning , this threat group mainly targeted Asian countries .", "spans": {}, "info": {"id": "cyner2_5class_train_00054", "source": "cyner2_5class_train"}} +{"text": "If Google Play Protect detects one of these apps , Google Play Protect will show a warning to users .", "spans": {"System: Google Play Protect": [[3, 22], [51, 70]]}, "info": {"id": "cyner2_5class_train_00055", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Jacard Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Trojan.YDYO-6019 Trojan-Banker.BestaFera Trojan-Banker.Win32.BestaFera.amyc Trojan.Win32.Banker.euxhdn Trojan.Win32.Z.Jacard.2528768 BehavesLike.Win32.BadFile.vh TR/Spy.Banker.vvhlz Trojan[Banker]/Win32.BestaFera TrojanDownloader:Win32/Qulkonwi.A Trojan.Jacard.D8CA Trojan-Banker.Win32.BestaFera.amyc Trj/GdSda.A Win32.Trojan-banker.Bestafera.Wmsm W32/Banker.ADUT!tr.spy Win32/Trojan.252", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Jacard": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[40, 82]], "Indicator: W32/Trojan.YDYO-6019": [[83, 103]], "Indicator: 
Trojan-Banker.BestaFera": [[104, 127]], "Indicator: Trojan-Banker.Win32.BestaFera.amyc": [[128, 162], [353, 387]], "Indicator: Trojan.Win32.Banker.euxhdn": [[163, 189]], "Indicator: Trojan.Win32.Z.Jacard.2528768": [[190, 219]], "Indicator: BehavesLike.Win32.BadFile.vh": [[220, 248]], "Indicator: TR/Spy.Banker.vvhlz": [[249, 268]], "Indicator: Trojan[Banker]/Win32.BestaFera": [[269, 299]], "Indicator: TrojanDownloader:Win32/Qulkonwi.A": [[300, 333]], "Indicator: Trojan.Jacard.D8CA": [[334, 352]], "Indicator: Trj/GdSda.A": [[388, 399]], "Indicator: Win32.Trojan-banker.Bestafera.Wmsm": [[400, 434]], "Indicator: W32/Banker.ADUT!tr.spy": [[435, 457]], "Indicator: Win32/Trojan.252": [[458, 474]]}, "info": {"id": "cyner2_5class_train_00056", "source": "cyner2_5class_train"}} +{"text": "Recently the Mobile Malware Research Team of Intel Security found on Google Play a new campaign of Android/Clicker.G in dozens of published malicious apps.", "spans": {"Organization: Mobile Malware Research Team of Intel Security": [[13, 59]], "System: Google Play": [[69, 80]], "Indicator: Android/Clicker.G": [[99, 116]], "System: malicious apps.": [[140, 155]]}, "info": {"id": "cyner2_5class_train_00057", "source": "cyner2_5class_train"}} +{"text": "According to Google , whom we have contacted to alert about our discoveries , nearly 25 variants of this spyware were uploaded on Google Play Store .", "spans": {"Organization: Google": [[13, 19]], "System: Google Play Store": [[130, 147]]}, "info": {"id": "cyner2_5class_train_00058", "source": "cyner2_5class_train"}} +{"text": "AlienVault Labs has extracted related samples and located the infrastructure used by attackers", "spans": {"Organization: AlienVault Labs": [[0, 15]]}, "info": {"id": "cyner2_5class_train_00059", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Brackash.C Trojan.Brackash.C Win32.Trojan.WisdomEyes.16070401.9500.9774 Trojan.Win32.Sadenav.b Trojan.Brackash.C Trojan.Brackash.C Brackash.dll 
Virus.Trojan.Win32.Sadenav Trojan/Sadenav.aic W32.Trojan.Brackash.C TR/Brackash.C100.2 Trojan/Win32.Sadenav Trojan.Brackash.C Trojan.Win32.Sadenav.b Trojan/Win32.Sadenav.R1894 Brackash.dll Trojan.Brackash.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Brackash.C": [[26, 43], [44, 61], [128, 145], [146, 163], [285, 302], [366, 383]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9774": [[62, 104]], "Indicator: Trojan.Win32.Sadenav.b": [[105, 127], [303, 325]], "Indicator: Brackash.dll": [[164, 176], [353, 365]], "Indicator: Virus.Trojan.Win32.Sadenav": [[177, 203]], "Indicator: Trojan/Sadenav.aic": [[204, 222]], "Indicator: W32.Trojan.Brackash.C": [[223, 244]], "Indicator: TR/Brackash.C100.2": [[245, 263]], "Indicator: Trojan/Win32.Sadenav": [[264, 284]], "Indicator: Trojan/Win32.Sadenav.R1894": [[326, 352]]}, "info": {"id": "cyner2_5class_train_00060", "source": "cyner2_5class_train"}} +{"text": "One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases IAPs.", "spans": {}, "info": {"id": "cyner2_5class_train_00061", "source": "cyner2_5class_train"}} +{"text": "In doing so , users can become victims to malicious apps portraying themselves as the original app .", "spans": {}, "info": {"id": "cyner2_5class_train_00062", "source": "cyner2_5class_train"}} +{"text": "In reality , this downloaded app is a fake app that asks for credentials and Android permissions ( including camera and phone permissions ) , resulting in the user being bombarded with advertisements .", "spans": {"System: Android": [[77, 84]]}, "info": {"id": "cyner2_5class_train_00063", "source": "cyner2_5class_train"}} +{"text": "This blog post outlines the details about the campaign that we discovered.", "spans": {}, "info": {"id": "cyner2_5class_train_00064", "source": "cyner2_5class_train"}} +{"text": "The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped 
firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices , though the mainstream kernel source is unaffected .", "spans": {"System: ARM-powered": [[60, 71]], "System: Android": [[72, 79], [202, 209]]}, "info": {"id": "cyner2_5class_train_00065", "source": "cyner2_5class_train"}} +{"text": "The server can use this information to determine if the user ’ s carrier is one of Bread ’ s targets .", "spans": {"Malware: Bread": [[83, 88]]}, "info": {"id": "cyner2_5class_train_00066", "source": "cyner2_5class_train"}} +{"text": "A new CC infrastructure consisting of a climbing club website.", "spans": {"System: CC infrastructure": [[6, 23]], "Indicator: a climbing club website.": [[38, 62]]}, "info": {"id": "cyner2_5class_train_00067", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: O97M.Dropper.BR W97M.Downloader W2000M/Dldr.Rogue.aipbta HEUR.VBA.Trojan.e virus.office.qexvmc.1095", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: O97M.Dropper.BR": [[26, 41]], "Indicator: W97M.Downloader": [[42, 57]], "Indicator: W2000M/Dldr.Rogue.aipbta": [[58, 82]], "Indicator: HEUR.VBA.Trojan.e": [[83, 100]], "Indicator: virus.office.qexvmc.1095": [[101, 125]]}, "info": {"id": "cyner2_5class_train_00068", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.BackdoorSlingup.Trojan Trojan/W32.Fsysna.77824.F Heur.Win32.VBKrypt.3!O Backdoor.Slingup.MF.150 Win32.Worm.VB.rt W32/Trojan.XMLD-4299 W32.Difobot BKDR_GORYNYCH.SM Trojan.Win32.Fsysna.ccit Trojan.Win32.Fsysna.dwujaf Troj.W32.Fsysna.tnPd Trojan.DownLoader14.15241 Trojan.Fsysna.Win32.7242 BKDR_GORYNYCH.SM BehavesLike.Win32.Backdoor.lt Worm.Win32.VB W32/Trojan3.TRB Trojan/Fsysna.dgo Trojan/Win32.Fsysna Trojan.Win32.Fsysna.ccit Trojan/Win32.VBInject.R158763 Trojan.Fsysna Trojan.Reconyc Win32/VB.OOB Win32.Trojan.Fsysna.Phgj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BackdoorSlingup.Trojan": [[26, 52]], "Indicator: 
Trojan/W32.Fsysna.77824.F": [[53, 78]], "Indicator: Heur.Win32.VBKrypt.3!O": [[79, 101]], "Indicator: Backdoor.Slingup.MF.150": [[102, 125]], "Indicator: Win32.Worm.VB.rt": [[126, 142]], "Indicator: W32/Trojan.XMLD-4299": [[143, 163]], "Indicator: W32.Difobot": [[164, 175]], "Indicator: BKDR_GORYNYCH.SM": [[176, 192], [317, 333]], "Indicator: Trojan.Win32.Fsysna.ccit": [[193, 217], [432, 456]], "Indicator: Trojan.Win32.Fsysna.dwujaf": [[218, 244]], "Indicator: Troj.W32.Fsysna.tnPd": [[245, 265]], "Indicator: Trojan.DownLoader14.15241": [[266, 291]], "Indicator: Trojan.Fsysna.Win32.7242": [[292, 316]], "Indicator: BehavesLike.Win32.Backdoor.lt": [[334, 363]], "Indicator: Worm.Win32.VB": [[364, 377]], "Indicator: W32/Trojan3.TRB": [[378, 393]], "Indicator: Trojan/Fsysna.dgo": [[394, 411]], "Indicator: Trojan/Win32.Fsysna": [[412, 431]], "Indicator: Trojan/Win32.VBInject.R158763": [[457, 486]], "Indicator: Trojan.Fsysna": [[487, 500]], "Indicator: Trojan.Reconyc": [[501, 515]], "Indicator: Win32/VB.OOB": [[516, 528]], "Indicator: Win32.Trojan.Fsysna.Phgj": [[529, 553]]}, "info": {"id": "cyner2_5class_train_00069", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor:MSIL/Hulpob.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor:MSIL/Hulpob.A": [[26, 48]]}, "info": {"id": "cyner2_5class_train_00070", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.HAEY-9385 Trojan.Bisonal Trojan.Win32.Fsysna.ccap Troj.W32.Fsysna!c Trojan.DownLoad3.19183 BehavesLike.Win32.Dropper.vz Trojan.Win32.Fsysna.ccap Trojan:Win32/Korlia.C Win-Trojan/Biscon.3140 Trj/CI.A Win32.Trojan.Fsysna.Tayn W32/Fsysna.CCAP!tr Win32/Trojan.732", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Fsysna": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[40, 82]], "Indicator: W32/Trojan.HAEY-9385": [[83, 103]], "Indicator: Trojan.Bisonal": [[104, 
118]], "Indicator: Trojan.Win32.Fsysna.ccap": [[119, 143], [214, 238]], "Indicator: Troj.W32.Fsysna!c": [[144, 161]], "Indicator: Trojan.DownLoad3.19183": [[162, 184]], "Indicator: BehavesLike.Win32.Dropper.vz": [[185, 213]], "Indicator: Trojan:Win32/Korlia.C": [[239, 260]], "Indicator: Win-Trojan/Biscon.3140": [[261, 283]], "Indicator: Trj/CI.A": [[284, 292]], "Indicator: Win32.Trojan.Fsysna.Tayn": [[293, 317]], "Indicator: W32/Fsysna.CCAP!tr": [[318, 336]], "Indicator: Win32/Trojan.732": [[337, 353]]}, "info": {"id": "cyner2_5class_train_00071", "source": "cyner2_5class_train"}} +{"text": "In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities.", "spans": {"System: compromised devices": [[17, 36]], "Malware: Trojan updates,": [[49, 64]]}, "info": {"id": "cyner2_5class_train_00072", "source": "cyner2_5class_train"}} +{"text": "In February 2016 one of the largest cyber heists was committed and subsequently disclosed.", "spans": {}, "info": {"id": "cyner2_5class_train_00073", "source": "cyner2_5class_train"}} +{"text": "Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists.", "spans": {"Organization: FireEye": [[42, 49]], "Indicator: intrusions": [[94, 104]], "Organization: private sector companies": [[110, 134]], "Organization: industries": [[151, 161]], "Organization: foreign governments, dissidents,": [[185, 217]], "Organization: journalists.": [[222, 234]]}, "info": {"id": "cyner2_5class_train_00074", "source": "cyner2_5class_train"}} +{"text": "The infected apps in this campaign were downloaded several million times by unsuspecting users.", "spans": {"System: infected apps": [[4, 17]]}, "info": {"id": "cyner2_5class_train_00075", "source": "cyner2_5class_train"}} +{"text": "Charger was found embedded in an app called 
EnergyRescue .", "spans": {"Malware: Charger": [[0, 7]], "Malware: EnergyRescue": [[44, 56]]}, "info": {"id": "cyner2_5class_train_00076", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Bot.MSIL Trojan.Win32.StartPage.czmqzt Trojan.DownLoader12.20620 BehavesLike.Win32.Backdoor.ch TR/Dropper.MSIL.47116 MSIL/StartPage.AI!tr Trj/CI.A Msil.Trojan.Dropper.Hqll Trojan.MSIL.StartPage MSIL3.BCNZ Trojan.MSIL.StartPage.AI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bot.MSIL": [[26, 43]], "Indicator: Trojan.Win32.StartPage.czmqzt": [[44, 73]], "Indicator: Trojan.DownLoader12.20620": [[74, 99]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[100, 129]], "Indicator: TR/Dropper.MSIL.47116": [[130, 151]], "Indicator: MSIL/StartPage.AI!tr": [[152, 172]], "Indicator: Trj/CI.A": [[173, 181]], "Indicator: Msil.Trojan.Dropper.Hqll": [[182, 206]], "Indicator: Trojan.MSIL.StartPage": [[207, 228]], "Indicator: MSIL3.BCNZ": [[229, 239]], "Indicator: Trojan.MSIL.StartPage.AI": [[240, 264]]}, "info": {"id": "cyner2_5class_train_00077", "source": "cyner2_5class_train"}} +{"text": "Primarily targets users in Brazil with fake attatchments, for example: Auto_De_Infracao_e_Sua_Notificacao_493275324.exe", "spans": {"Indicator: fake attatchments,": [[39, 57]], "Indicator: Auto_De_Infracao_e_Sua_Notificacao_493275324.exe": [[71, 119]]}, "info": {"id": "cyner2_5class_train_00078", "source": "cyner2_5class_train"}} +{"text": "The connection between the two campaigns remains unclear , and it is possible that one borrowed code from the other , knowingly or unknowingly .", "spans": {}, "info": {"id": "cyner2_5class_train_00079", "source": "cyner2_5class_train"}} +{"text": "This is named Red Leaves after strings found in the malware.", "spans": {"Malware: malware.": [[52, 60]]}, "info": {"id": "cyner2_5class_train_00080", "source": "cyner2_5class_train"}} +{"text": "Reflection Most methods for hiding API usage tend to use Java reflection in some way 
.", "spans": {}, "info": {"id": "cyner2_5class_train_00081", "source": "cyner2_5class_train"}} +{"text": "The malware first discovery was after a highly Libyan influential Telegram account compromised via web", "spans": {"Malware: malware": [[4, 11]], "Organization: highly Libyan influential": [[40, 65]], "Indicator: Telegram account compromised": [[66, 94]], "Vulnerability: web": [[99, 102]]}, "info": {"id": "cyner2_5class_train_00082", "source": "cyner2_5class_train"}} +{"text": "Recently, we saw an app that leads to a third-party app store being offered on the official iOS App Store.", "spans": {"Malware: app": [[20, 23]], "System: third-party app store": [[40, 61]], "System: official iOS App Store.": [[83, 106]]}, "info": {"id": "cyner2_5class_train_00083", "source": "cyner2_5class_train"}} +{"text": "This paper presents ESET's findings about Operation Groundbait based on our research into the Prikormka malware family.", "spans": {"Organization: ESET's": [[20, 26]], "Malware: Prikormka malware family.": [[94, 119]]}, "info": {"id": "cyner2_5class_train_00084", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.AutoRun.13924 W32.W.Fearso.kYUv HT_STARTPAGE_FB090419.UVPM Win32.Trojan.Delf.it HT_STARTPAGE_FB090419.UVPM Win.Trojan.Delf-1006 Trojan.Win32.Fsysna.digg TrojWare.Win32.Magania.~AD Worm.Delf.Win32.1099 Trojan[GameThief]/Win32.Nilage Trojan.Jacard.D150AA Trojan.Win32.Fsysna.digg HackTool.Win32.InjectDll.a Trojan.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Worm.AutoRun.13924": [[47, 65]], "Indicator: W32.W.Fearso.kYUv": [[66, 83]], "Indicator: HT_STARTPAGE_FB090419.UVPM": [[84, 110], [132, 158]], "Indicator: Win32.Trojan.Delf.it": [[111, 131]], "Indicator: Win.Trojan.Delf-1006": [[159, 179]], "Indicator: Trojan.Win32.Fsysna.digg": [[180, 204], [305, 329]], "Indicator: TrojWare.Win32.Magania.~AD": [[205, 231]], "Indicator: Worm.Delf.Win32.1099": 
[[232, 252]], "Indicator: Trojan[GameThief]/Win32.Nilage": [[253, 283]], "Indicator: Trojan.Jacard.D150AA": [[284, 304]], "Indicator: HackTool.Win32.InjectDll.a": [[330, 356]], "Indicator: Trojan.Crypt": [[357, 369]]}, "info": {"id": "cyner2_5class_train_00085", "source": "cyner2_5class_train"}} +{"text": "In the course of our research we uncovered the activity of a hacking group which has Chinese origins.", "spans": {}, "info": {"id": "cyner2_5class_train_00086", "source": "cyner2_5class_train"}} +{"text": "This means that all apps that were using this file will lose some functionality or even start crashing .", "spans": {}, "info": {"id": "cyner2_5class_train_00087", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Darby.N Win32.Worm.P2p.Darby.N Worm/W32.Darby.140470 W32.W.Darby.n!c Win32.Worm.P2p.Darby.N Worm.P2P.Darby!NxHEqfnePM8 W32/Darby.M W32.HLLW.Darby Win32/Darby.N P2P-Worm.Win32.Darby.n Trojan.Win32.Darby.epif Worm.Win32.Darby.140470.B[h] Win32.Worm.P2p.Darby.N Worm.Win32.Darby.N Win32.Worm.P2p.Darby.N BehavesLike.Win32.MultiDropper.cc W32/Darby.KOEV-0225 Worm/Darby.f WORM/Darby.N W32/Darby.N!tr Worm[P2P]/Win32.Darby Win32.Worm.P2p.Darby.N Win32/Darby.worm.140470 Worm:Win32/Darby.N Virus.Win32.Heur.p Win32.Worm-p2p.Darby.Pdwh P2P-Worm.Win32.Darby Win32.Worm.P2p.Darby.N Worm/Darby.P", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Darby.N": [[26, 39], [178, 191]], "Indicator: Win32.Worm.P2p.Darby.N": [[40, 62], [101, 123], [268, 290], [310, 332], [450, 472], [582, 604]], "Indicator: Worm/W32.Darby.140470": [[63, 84]], "Indicator: W32.W.Darby.n!c": [[85, 100]], "Indicator: Worm.P2P.Darby!NxHEqfnePM8": [[124, 150]], "Indicator: W32/Darby.M": [[151, 162]], "Indicator: W32.HLLW.Darby": [[163, 177]], "Indicator: P2P-Worm.Win32.Darby.n": [[192, 214]], "Indicator: Trojan.Win32.Darby.epif": [[215, 238]], "Indicator: Worm.Win32.Darby.140470.B[h]": [[239, 267]], "Indicator: Worm.Win32.Darby.N": [[291, 309]], "Indicator: 
BehavesLike.Win32.MultiDropper.cc": [[333, 366]], "Indicator: W32/Darby.KOEV-0225": [[367, 386]], "Indicator: Worm/Darby.f": [[387, 399]], "Indicator: WORM/Darby.N": [[400, 412]], "Indicator: W32/Darby.N!tr": [[413, 427]], "Indicator: Worm[P2P]/Win32.Darby": [[428, 449]], "Indicator: Win32/Darby.worm.140470": [[473, 496]], "Indicator: Worm:Win32/Darby.N": [[497, 515]], "Indicator: Virus.Win32.Heur.p": [[516, 534]], "Indicator: Win32.Worm-p2p.Darby.Pdwh": [[535, 560]], "Indicator: P2P-Worm.Win32.Darby": [[561, 581]], "Indicator: Worm/Darby.P": [[605, 617]]}, "info": {"id": "cyner2_5class_train_00088", "source": "cyner2_5class_train"}} +{"text": "Yesterday, Microsoft patched CVE-2015-2424, a vulnerability in Microsoft Office discovered by iSIGHT Partners while monitoring the Russian cyber espionage team we call Tsar Team.", "spans": {"Organization: Microsoft": [[11, 20]], "Indicator: CVE-2015-2424,": [[29, 43]], "Vulnerability: vulnerability": [[46, 59]], "System: Microsoft Office": [[63, 79]], "Organization: iSIGHT Partners": [[94, 109]]}, "info": {"id": "cyner2_5class_train_00089", "source": "cyner2_5class_train"}} +{"text": "All the IP addresses belong to the same company Hetzner , an IP-hosting firm in Germany .", "spans": {"Organization: Hetzner": [[48, 55]]}, "info": {"id": "cyner2_5class_train_00090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsIemusi.2209 W32/Trojan.GCQE-8180 DDOS_HPNITOL.SM Trojan.Boht Trojan.Win32.DownLoad.bfqxfq Troj.W32.Vilsel.lmbl Trojan.DownLoad3.40817 BehavesLike.Win32.HLLPPhilis.lc Backdoor:Win32/Bezigate.B Trj/CI.A Win32/Delf.AJG Backdoor.Win32.PcClient W32/Inject.VXTT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsIemusi.2209": [[26, 44]], "Indicator: W32/Trojan.GCQE-8180": [[45, 65]], "Indicator: DDOS_HPNITOL.SM": [[66, 81]], "Indicator: Trojan.Boht": [[82, 93]], "Indicator: Trojan.Win32.DownLoad.bfqxfq": [[94, 122]], "Indicator: Troj.W32.Vilsel.lmbl": [[123, 143]], "Indicator: 
Trojan.DownLoad3.40817": [[144, 166]], "Indicator: BehavesLike.Win32.HLLPPhilis.lc": [[167, 198]], "Indicator: Backdoor:Win32/Bezigate.B": [[199, 224]], "Indicator: Trj/CI.A": [[225, 233]], "Indicator: Win32/Delf.AJG": [[234, 248]], "Indicator: Backdoor.Win32.PcClient": [[249, 272]], "Indicator: W32/Inject.VXTT!tr": [[273, 291]]}, "info": {"id": "cyner2_5class_train_00091", "source": "cyner2_5class_train"}} +{"text": "Distribution via botnets .", "spans": {}, "info": {"id": "cyner2_5class_train_00092", "source": "cyner2_5class_train"}} +{"text": "The embedded app appears to be a media player .", "spans": {}, "info": {"id": "cyner2_5class_train_00093", "source": "cyner2_5class_train"}} +{"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded .", "spans": {"Organization: Twitter": [[41, 48]]}, "info": {"id": "cyner2_5class_train_00094", "source": "cyner2_5class_train"}} +{"text": "Oftentimes , the emailed link is a bit.ly shortened link , used to potentially evade detection .", "spans": {}, "info": {"id": "cyner2_5class_train_00095", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //mailsa-wqw [ .", "spans": {"Indicator: hxxp : //mailsa-wqw [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_00096", "source": "cyner2_5class_train"}} +{"text": "It eventually kills all threads that belong to these undesired modules ( using ZwQueryInformationThread native API with ThreadQuerySetWin32StartAddress information class ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00097", "source": "cyner2_5class_train"}} +{"text": "During an incident response engagement in September 2016, SecureWorks® incident response analysts observed payment card data being collected by a generic remote access trojan RAT rather than typical memory-scraping malware.", "spans": {"Organization: SecureWorks® incident response analysts": [[58, 97]], "Indicator: payment card data being collected": [[107, 140]], "Malware: generic remote access 
trojan RAT": [[146, 178]], "Malware: typical memory-scraping malware.": [[191, 223]]}, "info": {"id": "cyner2_5class_train_00098", "source": "cyner2_5class_train"}} +{"text": "The said attackers, who showed familiarity and in-depth knowledge of their agencies' network topology, tools, and software, were able to gain access to their targeted servers and install malware.", "spans": {"System: agencies' network topology, tools, and software,": [[75, 123]], "Indicator: gain access": [[137, 148]], "System: targeted servers": [[158, 174]], "Malware: malware.": [[187, 195]]}, "info": {"id": "cyner2_5class_train_00099", "source": "cyner2_5class_train"}} +{"text": "That attack was spearheaded by the malware ESET products detect as Diskcoder.C aka ExPetr, PetrWrap, Petya, or NotPetya.", "spans": {"Indicator: attack": [[5, 11]], "Malware: malware": [[35, 42]], "System: ESET products": [[43, 56]], "Indicator: Diskcoder.C": [[67, 78]], "Malware: ExPetr, PetrWrap, Petya,": [[83, 107]], "Malware: NotPetya.": [[111, 120]]}, "info": {"id": "cyner2_5class_train_00100", "source": "cyner2_5class_train"}} +{"text": "Early September, Skycure Research Labs detected a fake app within one of our customer's organizations, identified through our crowd-sourced intelligence policies whereby anyone running the Skycure mobile app acts as a threat detecting sensor.", "spans": {"Organization: Skycure Research Labs": [[17, 38]], "System: fake app": [[50, 58]], "Organization: customer's organizations,": [[77, 102]], "System: crowd-sourced intelligence policies": [[126, 161]], "System: Skycure mobile app": [[189, 207]], "System: threat detecting sensor.": [[218, 242]]}, "info": {"id": "cyner2_5class_train_00101", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Udsdangerousobject.Multi Trojan.Scar.Win32.107576 Uds.Dangerousobject.Multi!c Trojan.Win32.Scar.qiea Trojan.Win32.Scar.eujcfc BehavesLike.Win32.Downloader.vc Trojan.Win32.Scar W32/Trojan.TSAL-4013 Trojan.Scar.kdh 
TR/Scar.xdjbi Trojan/Win32.Scar Trojan.Win32.Scar.qiea TrojanDropper:Win32/NukeSped.V Trojan/Win32.Scar.C2237182 Trojan.Scar Trj/GdSda.A Win32.Trojan.Scar.Hnkz Trojan.Scar!JEdUZG9Z4dw Win32/Trojan.6bc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Udsdangerousobject.Multi": [[26, 50]], "Indicator: Trojan.Scar.Win32.107576": [[51, 75]], "Indicator: Uds.Dangerousobject.Multi!c": [[76, 103]], "Indicator: Trojan.Win32.Scar.qiea": [[104, 126], [271, 293]], "Indicator: Trojan.Win32.Scar.eujcfc": [[127, 151]], "Indicator: BehavesLike.Win32.Downloader.vc": [[152, 183]], "Indicator: Trojan.Win32.Scar": [[184, 201]], "Indicator: W32/Trojan.TSAL-4013": [[202, 222]], "Indicator: Trojan.Scar.kdh": [[223, 238]], "Indicator: TR/Scar.xdjbi": [[239, 252]], "Indicator: Trojan/Win32.Scar": [[253, 270]], "Indicator: TrojanDropper:Win32/NukeSped.V": [[294, 324]], "Indicator: Trojan/Win32.Scar.C2237182": [[325, 351]], "Indicator: Trojan.Scar": [[352, 363]], "Indicator: Trj/GdSda.A": [[364, 375]], "Indicator: Win32.Trojan.Scar.Hnkz": [[376, 398]], "Indicator: Trojan.Scar!JEdUZG9Z4dw": [[399, 422]], "Indicator: Win32/Trojan.6bc": [[423, 439]]}, "info": {"id": "cyner2_5class_train_00102", "source": "cyner2_5class_train"}} +{"text": "BlackSnake Ransomware is a new strain of malware that encrypts files and demands a ransom from victims, and is capable of performing clipper operations aimed at cryptocurrency users, according to Cyble Research and Intelligence Labs.", "spans": {"Malware: BlackSnake Ransomware": [[0, 21]], "Malware: malware": [[41, 48]], "Indicator: encrypts files": [[54, 68]], "Organization: cryptocurrency users,": [[161, 182]], "Organization: Cyble Research": [[196, 210]]}, "info": {"id": "cyner2_5class_train_00103", "source": "cyner2_5class_train"}} +{"text": "For bogus applications to be profitable, they should be able to entice users into installing them.", "spans": {}, "info": {"id": "cyner2_5class_train_00104", "source": "cyner2_5class_train"}} +{"text": 
"Desktop Trojans and Their Mobile Component The process by which Trojans attempt to infect mobile devices is at least a decade old .", "spans": {}, "info": {"id": "cyner2_5class_train_00105", "source": "cyner2_5class_train"}} +{"text": "'' As was the case with HummingBad , the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps .", "spans": {"Malware: HummingBad": [[24, 34]], "Malware: HummingWhale": [[52, 64]]}, "info": {"id": "cyner2_5class_train_00106", "source": "cyner2_5class_train"}} +{"text": "The group is highly selective in its approach and only appears to deploy its full range of tools once it establishes that the compromised organization is an intended target.", "spans": {}, "info": {"id": "cyner2_5class_train_00107", "source": "cyner2_5class_train"}} +{"text": "It relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns.", "spans": {"Indicator: spear-phishing emails": [[13, 34]], "Organization: companies": [[66, 75]], "Organization: campaigns.": [[91, 101]]}, "info": {"id": "cyner2_5class_train_00108", "source": "cyner2_5class_train"}} +{"text": "VXRLcredit contacted us regarding an APT phishing email that included a download link to a malware being hosted on a Geocities website.", "spans": {"Organization: VXRLcredit": [[0, 10]], "Indicator: phishing email": [[41, 55]], "Indicator: link": [[81, 85]], "Malware: malware": [[91, 98]], "Indicator: Geocities website.": [[117, 135]]}, "info": {"id": "cyner2_5class_train_00109", "source": "cyner2_5class_train"}} +{"text": "The group's activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator MSDTC to extract and launch ransomware payloads.", "spans": {"Indicator: use of DLL hijacking": [[66, 86]], "System: Microsoft Distributed Transaction Coordinator MSDTC": [[91, 142]], "Malware: ransomware payloads.": [[165, 185]]}, "info": {"id": 
"cyner2_5class_train_00110", "source": "cyner2_5class_train"}} +{"text": "GolfSpy ’ s configurations encoded by a custom algorithm ( right ) and its decoded version ( left ) As shown in Figure 3 , GolfSpy ’ s configurations ( e.g. , C & C server , secret keys ) are encoded by a customized algorithm .", "spans": {"Malware: GolfSpy": [[0, 7], [123, 130]]}, "info": {"id": "cyner2_5class_train_00111", "source": "cyner2_5class_train"}} +{"text": ") As of this writing , no files were hosted at any of the links .", "spans": {}, "info": {"id": "cyner2_5class_train_00112", "source": "cyner2_5class_train"}} +{"text": "Perhaps the most interesting part is that the attack e-mails had an APK attachment – a malicious program for Android .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner2_5class_train_00113", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BKDR_KONUS.N Trojan.DownLoader24.32510 BKDR_KONUS.N BehavesLike.Win32.Trojan.fc Trojan.Razy.D27268 Trojan.Win32.Z.Razy.308742 Backdoor:Win32/Konus.A TScope.Malware-Cryptor.SB Trj/GdSda.A Win32/Trojan.797", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BKDR_KONUS.N": [[26, 38], [65, 77]], "Indicator: Trojan.DownLoader24.32510": [[39, 64]], "Indicator: BehavesLike.Win32.Trojan.fc": [[78, 105]], "Indicator: Trojan.Razy.D27268": [[106, 124]], "Indicator: Trojan.Win32.Z.Razy.308742": [[125, 151]], "Indicator: Backdoor:Win32/Konus.A": [[152, 174]], "Indicator: TScope.Malware-Cryptor.SB": [[175, 200]], "Indicator: Trj/GdSda.A": [[201, 212]], "Indicator: Win32/Trojan.797": [[213, 229]]}, "info": {"id": "cyner2_5class_train_00114", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.91D0 RiskWare.GameHack Win32.Trojan.WisdomEyes.16070401.9500.9693 Trojan.Adylkuzz Win32.Application.PUPStudio.B Trojan.Win32.PUPStudio.expchr BehavesLike.Win32.Downloader.rc Trojan.Win32.VMProtect TR/AvKill.fkiqo Trojan:Win32/Avkill.E Trj/CI.A", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: HW32.Packed.91D0": [[26, 42]], "Indicator: RiskWare.GameHack": [[43, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9693": [[61, 103]], "Indicator: Trojan.Adylkuzz": [[104, 119]], "Indicator: Win32.Application.PUPStudio.B": [[120, 149]], "Indicator: Trojan.Win32.PUPStudio.expchr": [[150, 179]], "Indicator: BehavesLike.Win32.Downloader.rc": [[180, 211]], "Indicator: Trojan.Win32.VMProtect": [[212, 234]], "Indicator: TR/AvKill.fkiqo": [[235, 250]], "Indicator: Trojan:Win32/Avkill.E": [[251, 272]], "Indicator: Trj/CI.A": [[273, 281]]}, "info": {"id": "cyner2_5class_train_00115", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.OLE.CVE-2013-1331.A Exploit.OLE2.CVE-2013-1331.a!c Trojan.Mdropper Win32/Exploit.CVE-2013-1331.A TROJ_MDROPPR.ZMA Doc.Exploit.CVE_2013_1331-1 Exploit.OLE2.CVE-2013-1331.a Trojan.Dos.CVE-2013-1331.dftbiw DOC.S.CVE-2013-1331.115712 Win32.Exploit.Msoffice.Auto Exploit:W32/CVE-2013-1331.A TROJ_MDROPPR.ZMA EXP/CVE-2013-1331.A Exploit.OLE2.CVE-2013-1331.a Exploit.OLE2 MSWord/ScriptBridge.NT!exploit.CVE20131331 Win32/Trojan.Exploit.124", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.OLE.CVE-2013-1331.A": [[26, 49]], "Indicator: Exploit.OLE2.CVE-2013-1331.a!c": [[50, 80]], "Indicator: Trojan.Mdropper": [[81, 96]], "Indicator: Win32/Exploit.CVE-2013-1331.A": [[97, 126]], "Indicator: TROJ_MDROPPR.ZMA": [[127, 143], [316, 332]], "Indicator: Doc.Exploit.CVE_2013_1331-1": [[144, 171]], "Indicator: Exploit.OLE2.CVE-2013-1331.a": [[172, 200], [353, 381]], "Indicator: Trojan.Dos.CVE-2013-1331.dftbiw": [[201, 232]], "Indicator: DOC.S.CVE-2013-1331.115712": [[233, 259]], "Indicator: Win32.Exploit.Msoffice.Auto": [[260, 287]], "Indicator: Exploit:W32/CVE-2013-1331.A": [[288, 315]], "Indicator: EXP/CVE-2013-1331.A": [[333, 352]], "Indicator: Exploit.OLE2": [[382, 394]], "Indicator: MSWord/ScriptBridge.NT!exploit.CVE20131331": [[395, 437]], "Indicator: Win32/Trojan.Exploit.124": [[438, 462]]}, 
"info": {"id": "cyner2_5class_train_00116", "source": "cyner2_5class_train"}} +{"text": "Malware Capabilities The Cybereason Nocturnus team has been following EventBot since the beginning of March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[25, 45]], "Malware: EventBot": [[70, 78]]}, "info": {"id": "cyner2_5class_train_00117", "source": "cyner2_5class_train"}} +{"text": "The messages looked as follows : “ % USERNAME % , ti ho inviato il soldi sul subito subito-a [ .", "spans": {"Indicator: subito-a [ .": [[84, 96]]}, "info": {"id": "cyner2_5class_train_00118", "source": "cyner2_5class_train"}} +{"text": "By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server.", "spans": {"Indicator: stolen credentials,": [[13, 32]], "System: server": [[77, 83]], "Malware: M.E.Doc": [[88, 95]], "Indicator: proxy connections": [[99, 116]], "Indicator: an actor-controlled server.": [[120, 147]]}, "info": {"id": "cyner2_5class_train_00119", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.BrontokTiwiHV.Worm Worm/W32.Brontok.87061 Email-Worm.Win32.Brontok!O Worm.Rahiwi.A3 W32/Brontok.am Trojan.Heur.fmMfr5EYVjjib Win32.Trojan.VB.bb W32.Rahiwi.A Win32/Tnega.OPKOELC WORM_BRONTOK.SMB Email-Worm.Win32.Brontok.am Trojan.Win32.Brontok.dmfkjc I-Worm.Win32.A.Brontok.58368[UPX] Worm.Brontok.Win32.1133 WORM_BRONTOK.SMB BehavesLike.Win32.YahLover.mt Email-Worm.Win32.Brontok Worm.Brontok.bt W32.Worm.Rahiwi WORM/Brontok.AM.15 Worm[Email]/Win32.Brontok W32.W.Brontok.mjGp Email-Worm.Win32.Brontok.am Worm:Win32/Rahiwi.A Worm/Win32.Brontok.C47526 Worm.Brontok I-Worm.VB.ET Worm.Win32.Brontok.aab I-Worm.Brontok!pJaU4TE3gZk W32/AutoRun.RPV!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.BrontokTiwiHV.Worm": [[26, 54]], "Indicator: Worm/W32.Brontok.87061": [[55, 77]], "Indicator: Email-Worm.Win32.Brontok!O": [[78, 104]], "Indicator: Worm.Rahiwi.A3": 
[[105, 119]], "Indicator: W32/Brontok.am": [[120, 134]], "Indicator: Trojan.Heur.fmMfr5EYVjjib": [[135, 160]], "Indicator: Win32.Trojan.VB.bb": [[161, 179]], "Indicator: W32.Rahiwi.A": [[180, 192]], "Indicator: Win32/Tnega.OPKOELC": [[193, 212]], "Indicator: WORM_BRONTOK.SMB": [[213, 229], [344, 360]], "Indicator: Email-Worm.Win32.Brontok.am": [[230, 257], [512, 539]], "Indicator: Trojan.Win32.Brontok.dmfkjc": [[258, 285]], "Indicator: I-Worm.Win32.A.Brontok.58368[UPX]": [[286, 319]], "Indicator: Worm.Brontok.Win32.1133": [[320, 343]], "Indicator: BehavesLike.Win32.YahLover.mt": [[361, 390]], "Indicator: Email-Worm.Win32.Brontok": [[391, 415]], "Indicator: Worm.Brontok.bt": [[416, 431]], "Indicator: W32.Worm.Rahiwi": [[432, 447]], "Indicator: WORM/Brontok.AM.15": [[448, 466]], "Indicator: Worm[Email]/Win32.Brontok": [[467, 492]], "Indicator: W32.W.Brontok.mjGp": [[493, 511]], "Indicator: Worm:Win32/Rahiwi.A": [[540, 559]], "Indicator: Worm/Win32.Brontok.C47526": [[560, 585]], "Indicator: Worm.Brontok": [[586, 598]], "Indicator: I-Worm.VB.ET": [[599, 611]], "Indicator: Worm.Win32.Brontok.aab": [[612, 634]], "Indicator: I-Worm.Brontok!pJaU4TE3gZk": [[635, 661]], "Indicator: W32/AutoRun.RPV!worm": [[662, 682]]}, "info": {"id": "cyner2_5class_train_00120", "source": "cyner2_5class_train"}} +{"text": "Traditionally, the group attacked organizations in the US as well as other targets.", "spans": {"Indicator: attacked": [[25, 33]], "Organization: organizations": [[34, 47]], "Organization: targets.": [[75, 83]]}, "info": {"id": "cyner2_5class_train_00121", "source": "cyner2_5class_train"}} +{"text": "Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks.", "spans": {"Organization: CERT-EU Conference": [[18, 36]], "Organization: Volexity": [[59, 67]], "System: victim networks.": [[162, 178]]}, "info": {"id": "cyner2_5class_train_00122", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Tedekeh BehavesLike.Win32.AdwareDealPly.tc TrojanDownloader:Win32/Tedekeh.A PUP.Optional.BundleInstaller Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Tedekeh": [[26, 50]], "Indicator: BehavesLike.Win32.AdwareDealPly.tc": [[51, 85]], "Indicator: TrojanDownloader:Win32/Tedekeh.A": [[86, 118]], "Indicator: PUP.Optional.BundleInstaller": [[119, 147]], "Indicator: Trj/CI.A": [[148, 156]]}, "info": {"id": "cyner2_5class_train_00123", "source": "cyner2_5class_train"}} +{"text": "MalwareBytes recently encountered an atypical case of Sundown EK in the wild – usually the landing page is obfuscated, but in this case there was plain JavaScript.", "spans": {"Organization: MalwareBytes": [[0, 12]], "Malware: Sundown EK": [[54, 64]], "Indicator: landing page is obfuscated,": [[91, 118]], "Indicator: plain JavaScript.": [[146, 163]]}, "info": {"id": "cyner2_5class_train_00124", "source": "cyner2_5class_train"}} +{"text": "Users do n't have to install any additional security services to keep their devices safe .", "spans": {}, "info": {"id": "cyner2_5class_train_00125", "source": "cyner2_5class_train"}} +{"text": "In late 2016 , versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder .", "spans": {"Indicator: card.html": [[65, 74]], "Indicator: assets/www": [[96, 106]]}, "info": {"id": "cyner2_5class_train_00126", "source": "cyner2_5class_train"}} +{"text": "Providing the app has registered an intent to process particular events from the system , and one of said events occurs , HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request , or the system itself broadcasting a particular event has occurred .", "spans": {}, "info": {"id": "cyner2_5class_train_00127", "source": "cyner2_5class_train"}} +{"text": "We have observed this group targeting defense, aerospace, and 
legal sector companies.", "spans": {"Organization: defense, aerospace,": [[38, 57]], "Organization: legal sector companies.": [[62, 85]]}, "info": {"id": "cyner2_5class_train_00128", "source": "cyner2_5class_train"}} +{"text": "] com and appupdatemoremagic [ .", "spans": {"Indicator: appupdatemoremagic [ .": [[10, 32]]}, "info": {"id": "cyner2_5class_train_00129", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.32256.ACD Trojan/PSW.Ruftar.pmc BAT/LockScreen.EB Virus.BAT.Disabler", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.32256.ACD": [[26, 52]], "Indicator: Trojan/PSW.Ruftar.pmc": [[53, 74]], "Indicator: BAT/LockScreen.EB": [[75, 92]], "Indicator: Virus.BAT.Disabler": [[93, 111]]}, "info": {"id": "cyner2_5class_train_00130", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PasswordStealer Trojan.Zusy.D40C66 Win32.Trojan.WisdomEyes.16070401.9500.9505 Trojan.Win32.Steam.exnrza Trojan.Win32.Z.Zusy.517120.A W32.W.AutoRun.lmJt Trojan.PWS.Steam.14964 BehavesLike.Win32.Dropper.hh Trojan.Win32.PSW W32/Trojan.OYNU-3017 PWS:Win32/PWSteal.R!bit Trj/CI.A W32/Delf.ORF!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PasswordStealer": [[26, 48]], "Indicator: Trojan.Zusy.D40C66": [[49, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9505": [[68, 110]], "Indicator: Trojan.Win32.Steam.exnrza": [[111, 136]], "Indicator: Trojan.Win32.Z.Zusy.517120.A": [[137, 165]], "Indicator: W32.W.AutoRun.lmJt": [[166, 184]], "Indicator: Trojan.PWS.Steam.14964": [[185, 207]], "Indicator: BehavesLike.Win32.Dropper.hh": [[208, 236]], "Indicator: Trojan.Win32.PSW": [[237, 253]], "Indicator: W32/Trojan.OYNU-3017": [[254, 274]], "Indicator: PWS:Win32/PWSteal.R!bit": [[275, 298]], "Indicator: Trj/CI.A": [[299, 307]], "Indicator: W32/Delf.ORF!tr.pws": [[308, 327]]}, "info": {"id": "cyner2_5class_train_00131", "source": "cyner2_5class_train"}} +{"text": "In recent weeks we've 
discovered that the group have been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims.", "spans": {"Indicator: Clayslide delivery documents,": [[82, 111]], "Malware: Helminth backdoor": [[127, 144]], "Organization: victims.": [[158, 166]]}, "info": {"id": "cyner2_5class_train_00132", "source": "cyner2_5class_train"}} +{"text": "These attacks involved ITG03 actors inserting malware between an ATM and its home bank network, and likely required advanced knowledge of the ATM's network path or prior access to a bank's network.", "spans": {"Indicator: attacks": [[6, 13]], "Malware: malware": [[46, 53]], "System: ATM": [[65, 68]], "System: home bank network,": [[77, 95]], "System: ATM's network": [[142, 155]], "System: bank's network.": [[182, 197]]}, "info": {"id": "cyner2_5class_train_00133", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Sileco.IM3 Worm.Palevo.Win32.123726 Trojan/Downloader.Small.aolo Win32.Trojan.Shellcode2EXE.a P2P-Worm.Win32.Palevo.fiqf Trojan.Win32.Palevo.etybtm TrojWare.Win32.TrojanDownloader.Small.aolo0 Trojan:W32/Shell2Exe.A Win32/PatchFile.gk Worm[P2P]/Win32.Palevo TrojanDownloader:Win32/Sileco.A P2P-Worm.Win32.Palevo.fiqf Downloader/Win32.Small.R3049 Worm.Palevo Trojan.Silvana Win32.Trojan.Manualpatched.Dkq Trojan-Downloader.Win32.Sileco Trj/CI.A Win32/Worm.P2P-Worm.fb5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Sileco.IM3": [[26, 45]], "Indicator: Worm.Palevo.Win32.123726": [[46, 70]], "Indicator: Trojan/Downloader.Small.aolo": [[71, 99]], "Indicator: Win32.Trojan.Shellcode2EXE.a": [[100, 128]], "Indicator: P2P-Worm.Win32.Palevo.fiqf": [[129, 155], [324, 350]], "Indicator: Trojan.Win32.Palevo.etybtm": [[156, 182]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.aolo0": [[183, 226]], "Indicator: Trojan:W32/Shell2Exe.A": [[227, 249]], "Indicator: Win32/PatchFile.gk": [[250, 268]], "Indicator: Worm[P2P]/Win32.Palevo": [[269, 291]], 
"Indicator: TrojanDownloader:Win32/Sileco.A": [[292, 323]], "Indicator: Downloader/Win32.Small.R3049": [[351, 379]], "Indicator: Worm.Palevo": [[380, 391]], "Indicator: Trojan.Silvana": [[392, 406]], "Indicator: Win32.Trojan.Manualpatched.Dkq": [[407, 437]], "Indicator: Trojan-Downloader.Win32.Sileco": [[438, 468]], "Indicator: Trj/CI.A": [[469, 477]], "Indicator: Win32/Worm.P2P-Worm.fb5": [[478, 501]]}, "info": {"id": "cyner2_5class_train_00134", "source": "cyner2_5class_train"}} +{"text": "The actors typically steal from financial institutions using targeted malware.", "spans": {"Organization: financial institutions": [[32, 54]], "Malware: malware.": [[70, 78]]}, "info": {"id": "cyner2_5class_train_00135", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Nubuler.D Downloader.Small.Win32.102411 Win32.Trojan-Downloader.Small.cj TROJ_NEBULER.SMF Trojan.MulDrop.origin TROJ_NEBULER.SMF BehavesLike.Win32.PWSOnlineGames.kc BDS/WinO.A Trojan:Win32/Nebuler.D Trojan.Nebuler.1 Trojan/Win32.CSon.R566 Nebuler.b Trojan.Win32.Nebuler", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nubuler.D": [[26, 42]], "Indicator: Downloader.Small.Win32.102411": [[43, 72]], "Indicator: Win32.Trojan-Downloader.Small.cj": [[73, 105]], "Indicator: TROJ_NEBULER.SMF": [[106, 122], [145, 161]], "Indicator: Trojan.MulDrop.origin": [[123, 144]], "Indicator: BehavesLike.Win32.PWSOnlineGames.kc": [[162, 197]], "Indicator: BDS/WinO.A": [[198, 208]], "Indicator: Trojan:Win32/Nebuler.D": [[209, 231]], "Indicator: Trojan.Nebuler.1": [[232, 248]], "Indicator: Trojan/Win32.CSon.R566": [[249, 271]], "Indicator: Nebuler.b": [[272, 281]], "Indicator: Trojan.Win32.Nebuler": [[282, 302]]}, "info": {"id": "cyner2_5class_train_00136", "source": "cyner2_5class_train"}} +{"text": "How does Chrysaor work ? 
To install Chrysaor , we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device .", "spans": {"Malware: Chrysaor": [[9, 17], [36, 44]]}, "info": {"id": "cyner2_5class_train_00137", "source": "cyner2_5class_train"}} +{"text": "This is due to the fact that the exploit has been integrated into several exploit kits and many end users have not yet patched their machines.", "spans": {}, "info": {"id": "cyner2_5class_train_00138", "source": "cyner2_5class_train"}} +{"text": "This research note outlines what we know about the use of Hacking Team's Remote Control System RCS by South Korea's National Intelligence Service NIS.", "spans": {"Organization: Hacking Team's": [[58, 72]], "System: Remote Control System RCS": [[73, 98]], "Organization: South Korea's National Intelligence Service NIS.": [[102, 150]]}, "info": {"id": "cyner2_5class_train_00139", "source": "cyner2_5class_train"}} +{"text": "The goal of this paper is to provide some updates to our previous FTA on AlienSpy, the predecessor of JSocket, and to discuss its Android capabilities in detail.", "spans": {"Malware: AlienSpy,": [[73, 82]], "Malware: JSocket,": [[102, 110]], "System: Android": [[130, 137]]}, "info": {"id": "cyner2_5class_train_00140", "source": "cyner2_5class_train"}} +{"text": "The first malware program belonging to this family was spotted in May 2016 and was dubbed Linux.DDoS.87.", "spans": {"Malware: malware program": [[10, 25]], "Malware: family": [[44, 50]], "Indicator: Linux.DDoS.87.": [[90, 104]]}, "info": {"id": "cyner2_5class_train_00141", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Vbiframe Trojan/Refroso.cwic Trojan.Strictor.D1D61 TROJ_CLICKER.CAQ Win32.Trojan.WisdomEyes.16070401.9500.9939 TROJ_CLICKER.CAQ Win.Trojan.Clicker-3888 Trojan-Clicker.Win32.VBiframe.fgl Virus.Win32.Sality.bgiylc Trojan.Win32.A.Refroso.110901 Troj.Clicker.W32.Vbiframe!c TrojWare.Win32.Downloader.VBIFrame.IK 
Trojan.Click.25308 Trojan.VBiframe.Win32.382 BehavesLike.Win32.BadFile.cc Trojan-Clicker.Win32.VBiframe TrojanClicker.VBiframe.vg Trojan/Win32.Refroso Trojan:Win32/Punad.G Trojan-Clicker.Win32.VBiframe.fgl Trojan/Win32.Clicker.R3068 SScope.Trojan.VBRA.3659 Trj/Clicker.ARC Trojan.DL.Pacoheir!0uqYAwP2RQg Win32/Trojan.Clicker.bd6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vbiframe": [[26, 41]], "Indicator: Trojan/Refroso.cwic": [[42, 61]], "Indicator: Trojan.Strictor.D1D61": [[62, 83]], "Indicator: TROJ_CLICKER.CAQ": [[84, 100], [144, 160]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9939": [[101, 143]], "Indicator: Win.Trojan.Clicker-3888": [[161, 184]], "Indicator: Trojan-Clicker.Win32.VBiframe.fgl": [[185, 218], [513, 546]], "Indicator: Virus.Win32.Sality.bgiylc": [[219, 244]], "Indicator: Trojan.Win32.A.Refroso.110901": [[245, 274]], "Indicator: Troj.Clicker.W32.Vbiframe!c": [[275, 302]], "Indicator: TrojWare.Win32.Downloader.VBIFrame.IK": [[303, 340]], "Indicator: Trojan.Click.25308": [[341, 359]], "Indicator: Trojan.VBiframe.Win32.382": [[360, 385]], "Indicator: BehavesLike.Win32.BadFile.cc": [[386, 414]], "Indicator: Trojan-Clicker.Win32.VBiframe": [[415, 444]], "Indicator: TrojanClicker.VBiframe.vg": [[445, 470]], "Indicator: Trojan/Win32.Refroso": [[471, 491]], "Indicator: Trojan:Win32/Punad.G": [[492, 512]], "Indicator: Trojan/Win32.Clicker.R3068": [[547, 573]], "Indicator: SScope.Trojan.VBRA.3659": [[574, 597]], "Indicator: Trj/Clicker.ARC": [[598, 613]], "Indicator: Trojan.DL.Pacoheir!0uqYAwP2RQg": [[614, 644]], "Indicator: Win32/Trojan.Clicker.bd6": [[645, 669]]}, "info": {"id": "cyner2_5class_train_00142", "source": "cyner2_5class_train"}} +{"text": "This powerful corporate espionage threat is specifically designed to target large enterprises in the technology, pharma, commodities and legal sectors, penetrating their security and exfiltrating commercially sensitive information.", "spans": {"Organization: large enterprises": 
[[76, 93]], "Organization: technology, pharma, commodities": [[101, 132]], "Organization: legal sectors,": [[137, 151]]}, "info": {"id": "cyner2_5class_train_00143", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ConfickerIOC.Worm Win32.Worm.Conficker.A Worm/W32.Kido.12304 Net-Worm.Win32.Kido!O Worm.Kido.11922 Trojan/Conficker.dam Win32.Worm.Conficker.m W32/Conficker.G W32.Downadup Win32/Conficker.B Win.Trojan.Rootkit-58 Win32.Worm.Conficker.A Net-Worm.Win32.Kido.jq Win32.Worm.Conficker.A Trojan.Win32.Kido.ghbd Worm.Win32.Conficker.4096 Win32.Worm.Conficker.A Trojan:W32/Downadup.AL Win32.HLLW.Autoruner.5555 Worm.Conficker.Win32.405 Net-Worm.Win32.Kido W32/Conficker.UCIE-3981 Worm/Kido.hw Worm[Net]/Win32.Kido Win32.Worm.Conficker.A Net-Worm.Win32.Kido.jq Trojan:WinNT/Conficker.B Win32/Conficker.worm.4096 Win32.Worm.Conficker.A Net-Worm.Kido Rootkit/Conficker.C Win32/Conficker.AA Trojan.Win32.Conficker.dd Worm.Conficker!L/CdK4RT60g Win32/RootKit.Conficker.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ConfickerIOC.Worm": [[26, 47]], "Indicator: Win32.Worm.Conficker.A": [[48, 70], [242, 264], [288, 310], [360, 382], [535, 557], [632, 654]], "Indicator: Worm/W32.Kido.12304": [[71, 90]], "Indicator: Net-Worm.Win32.Kido!O": [[91, 112]], "Indicator: Worm.Kido.11922": [[113, 128]], "Indicator: Trojan/Conficker.dam": [[129, 149]], "Indicator: Win32.Worm.Conficker.m": [[150, 172]], "Indicator: W32/Conficker.G": [[173, 188]], "Indicator: W32.Downadup": [[189, 201]], "Indicator: Win32/Conficker.B": [[202, 219]], "Indicator: Win.Trojan.Rootkit-58": [[220, 241]], "Indicator: Net-Worm.Win32.Kido.jq": [[265, 287], [558, 580]], "Indicator: Trojan.Win32.Kido.ghbd": [[311, 333]], "Indicator: Worm.Win32.Conficker.4096": [[334, 359]], "Indicator: Trojan:W32/Downadup.AL": [[383, 405]], "Indicator: Win32.HLLW.Autoruner.5555": [[406, 431]], "Indicator: Worm.Conficker.Win32.405": [[432, 456]], "Indicator: Net-Worm.Win32.Kido": [[457, 476]], 
"Indicator: W32/Conficker.UCIE-3981": [[477, 500]], "Indicator: Worm/Kido.hw": [[501, 513]], "Indicator: Worm[Net]/Win32.Kido": [[514, 534]], "Indicator: Trojan:WinNT/Conficker.B": [[581, 605]], "Indicator: Win32/Conficker.worm.4096": [[606, 631]], "Indicator: Net-Worm.Kido": [[655, 668]], "Indicator: Rootkit/Conficker.C": [[669, 688]], "Indicator: Win32/Conficker.AA": [[689, 707]], "Indicator: Trojan.Win32.Conficker.dd": [[708, 733]], "Indicator: Worm.Conficker!L/CdK4RT60g": [[734, 760]], "Indicator: Win32/RootKit.Conficker.A": [[761, 786]]}, "info": {"id": "cyner2_5class_train_00144", "source": "cyner2_5class_train"}} +{"text": "'' There are 27 response codes that the C2 can use to make requests to the trojan , which pretty much match what 's listed in the capabilities section .", "spans": {}, "info": {"id": "cyner2_5class_train_00145", "source": "cyner2_5class_train"}} +{"text": "We named this malware \" WolfRAT '' due to strong links between this malware ( and the command and control ( C2 ) infrastructure ) and Wolf Research , an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018 .", "spans": {"Malware: WolfRAT": [[24, 31]], "Organization: Wolf Research": [[134, 147]]}, "info": {"id": "cyner2_5class_train_00146", "source": "cyner2_5class_train"}} +{"text": "It is a very unusual way to get Device Administrator rights .", "spans": {}, "info": {"id": "cyner2_5class_train_00147", "source": "cyner2_5class_train"}} +{"text": "Over the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have code named Scarlet Mimic. 
The attacks began over four years ago and their targeting pattern suggests that this adversary's primary mission is to gather information about minority rights activists.", "spans": {"Organization: Unit 42": [[28, 35]], "Indicator: series of attacks": [[61, 78]], "Indicator: attacks": [[141, 148]]}, "info": {"id": "cyner2_5class_train_00148", "source": "cyner2_5class_train"}} +{"text": "Recently McAfee labs came across a point-of-sale POS malware that spreads through malicious macros inside a doc file.", "spans": {"Organization: McAfee labs": [[9, 20]], "Malware: point-of-sale POS malware": [[35, 60]], "Indicator: malicious macros inside": [[82, 105]], "Indicator: doc file.": [[108, 117]]}, "info": {"id": "cyner2_5class_train_00149", "source": "cyner2_5class_train"}} +{"text": "In October 2014, Kaspersky Lab started to research Blue Termite an Advanced Persistent Threat APT targeting Japan.", "spans": {"Organization: Kaspersky Lab": [[17, 30]]}, "info": {"id": "cyner2_5class_train_00150", "source": "cyner2_5class_train"}} +{"text": "Just in May, we pointed out how it had gone through six separate versions with various differences in its routines.", "spans": {}, "info": {"id": "cyner2_5class_train_00151", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Spy.Bancos.if Trojan.Heur.EED312 TROJ_BANKER.BTB Win32.Trojan.Bancos.a Infostealer.Bancos TROJ_BANKER.BTB Win.Trojan.Bancos-122 Trojan-Banker.Win32.Bancos.if Trojan.Win32.Bancos.gaxc Troj.Banker.W32.Bancos.if!c TrojWare.Win32.Spy.Bancos.U Trojan.Bancos.Win32.1340 Trojan:Win32/Vlight.A TR/Spy.Bancos.IF Trojan[Banker]/Win32.Bancos Win32.Troj.Bancos.if.kcloud Trojan:Win32/Vlight.A Trojan-Banker.Win32.Bancos.if Win32.Trojan-banker.Bancos.Eehf Trojan.PWS.Bancos.OGQ Trojan-Banker.Win32.Bancos W32/Bancos.NJN!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Spy.Bancos.if": [[26, 46]], "Indicator: Trojan.Heur.EED312": [[47, 65]], "Indicator: TROJ_BANKER.BTB": [[66, 81], [123, 
138]], "Indicator: Win32.Trojan.Bancos.a": [[82, 103]], "Indicator: Infostealer.Bancos": [[104, 122]], "Indicator: Win.Trojan.Bancos-122": [[139, 160]], "Indicator: Trojan-Banker.Win32.Bancos.if": [[161, 190], [414, 443]], "Indicator: Trojan.Win32.Bancos.gaxc": [[191, 215]], "Indicator: Troj.Banker.W32.Bancos.if!c": [[216, 243]], "Indicator: TrojWare.Win32.Spy.Bancos.U": [[244, 271]], "Indicator: Trojan.Bancos.Win32.1340": [[272, 296]], "Indicator: Trojan:Win32/Vlight.A": [[297, 318], [392, 413]], "Indicator: TR/Spy.Bancos.IF": [[319, 335]], "Indicator: Trojan[Banker]/Win32.Bancos": [[336, 363]], "Indicator: Win32.Troj.Bancos.if.kcloud": [[364, 391]], "Indicator: Win32.Trojan-banker.Bancos.Eehf": [[444, 475]], "Indicator: Trojan.PWS.Bancos.OGQ": [[476, 497]], "Indicator: Trojan-Banker.Win32.Bancos": [[498, 524]], "Indicator: W32/Bancos.NJN!tr": [[525, 542]]}, "info": {"id": "cyner2_5class_train_00152", "source": "cyner2_5class_train"}} +{"text": "In the Windows space , Twitter , founded in 2006 , was first used to control botnets as early as in 2009 .", "spans": {"System: Windows": [[7, 14]], "Organization: Twitter": [[23, 30]]}, "info": {"id": "cyner2_5class_train_00153", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.AP3 TROJ_VBNA.SMD Win32.Trojan.Paskod.a TROJ_VBNA.SMD Trojan.Win32.Dynamer.lpd Trojan.Win32.Dynamer.exrxxx Trojan.Win32.Z.Paskod.114692.A Troj.W32.Dynamer.mqvJ TrojWare.Win32.Paskod.D Trojan.DownLoader11.38900 Trojan.Dynamer.Win32.5199 Trojan.Win32.Paskod Trojan/Dynamer.cli TrojanDownloader:Win32/Tinub.A Trojan.Heur.VB.E4CDDB Trojan.Win32.Dynamer.lpd Trojan/Win32.VBCrypt.R122576 BScope.Trojan.Diple Trj/GdSda.A Win32.Trojan.Dynamer.Tcbz W32/Paskod.E!tr Win32/Trojan.ff1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.AP3": [[26, 44]], "Indicator: TROJ_VBNA.SMD": [[45, 58], [81, 94]], "Indicator: Win32.Trojan.Paskod.a": [[59, 80]], "Indicator: Trojan.Win32.Dynamer.lpd": [[95, 119], [369, 
393]], "Indicator: Trojan.Win32.Dynamer.exrxxx": [[120, 147]], "Indicator: Trojan.Win32.Z.Paskod.114692.A": [[148, 178]], "Indicator: Troj.W32.Dynamer.mqvJ": [[179, 200]], "Indicator: TrojWare.Win32.Paskod.D": [[201, 224]], "Indicator: Trojan.DownLoader11.38900": [[225, 250]], "Indicator: Trojan.Dynamer.Win32.5199": [[251, 276]], "Indicator: Trojan.Win32.Paskod": [[277, 296]], "Indicator: Trojan/Dynamer.cli": [[297, 315]], "Indicator: TrojanDownloader:Win32/Tinub.A": [[316, 346]], "Indicator: Trojan.Heur.VB.E4CDDB": [[347, 368]], "Indicator: Trojan/Win32.VBCrypt.R122576": [[394, 422]], "Indicator: BScope.Trojan.Diple": [[423, 442]], "Indicator: Trj/GdSda.A": [[443, 454]], "Indicator: Win32.Trojan.Dynamer.Tcbz": [[455, 480]], "Indicator: W32/Paskod.E!tr": [[481, 496]], "Indicator: Win32/Trojan.ff1": [[497, 513]]}, "info": {"id": "cyner2_5class_train_00154", "source": "cyner2_5class_train"}} +{"text": "In Version 0.0.0.1 , the communication with the C2 is encrypted using Base64 and RC4 .", "spans": {}, "info": {"id": "cyner2_5class_train_00155", "source": "cyner2_5class_train"}} +{"text": "One malware family seen in such attacks is known as SamSa', Samas', samsam', or most recently, MOKOPONI'.", "spans": {"Malware: malware": [[4, 11]], "Indicator: attacks": [[32, 39]], "Malware: SamSa', Samas', samsam',": [[52, 76]], "Malware: MOKOPONI'.": [[95, 105]]}, "info": {"id": "cyner2_5class_train_00156", "source": "cyner2_5class_train"}} +{"text": "It seems to be part of a larger campaign, known as Pawn Storm", "spans": {}, "info": {"id": "cyner2_5class_train_00157", "source": "cyner2_5class_train"}} +{"text": "Windows malware, also detected as: Trojan.Autoit, Trojan.Symmi.D10095, Trojan.Win32.Autoit.exnvng, Trojan.Win32.Z.Autoit.1079042, Troj.W32.Autoit!c, Trojan.Inject1.38999, Trojan.AutoIt.Win32.7, BehavesLike.Win32.Trojan.th, Trojan.Win32.Eupuds, Trojan.Autoit.ixi, Trojan:Win32/BrobanEup.A, Trojan.Autoit.Banker, Win32.Trojan.Autoit.Szbl, W32/Autoit.AAV!tr, 
Win32/Trojan.839,", "spans": {"Malware: Windows malware,": [[0, 16]], "Indicator: Trojan.Autoit,": [[35, 49]], "Indicator: Trojan.Symmi.D10095,": [[50, 70]], "Indicator: Trojan.Win32.Autoit.exnvng,": [[71, 98]], "Indicator: Trojan.Win32.Z.Autoit.1079042,": [[99, 129]], "Indicator: Troj.W32.Autoit!c,": [[130, 148]], "Indicator: Trojan.Inject1.38999,": [[149, 170]], "Indicator: Trojan.AutoIt.Win32.7,": [[171, 193]], "Indicator: BehavesLike.Win32.Trojan.th,": [[194, 222]], "Indicator: Trojan.Win32.Eupuds,": [[223, 243]], "Indicator: Trojan.Autoit.ixi,": [[244, 262]], "Indicator: Trojan:Win32/BrobanEup.A,": [[263, 288]], "Indicator: Trojan.Autoit.Banker,": [[289, 310]], "Indicator: Win32.Trojan.Autoit.Szbl,": [[311, 336]], "Indicator: W32/Autoit.AAV!tr,": [[337, 355]], "Indicator: Win32/Trojan.839,": [[356, 373]]}, "info": {"id": "cyner2_5class_train_00158", "source": "cyner2_5class_train"}} +{"text": "The campaign has many stages of the infection chain and all needed to be unraveled before the final payload level was reached.", "spans": {}, "info": {"id": "cyner2_5class_train_00159", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.InterneC.Worm Trojan.Downloader.VB.VRF Trojan-PWS/W32.WebGame.24576.IS Trojan.VB.Win32.91134 Troj.GameThief.W32.OnLineGames.tqmr!c Trojan/VB.nti TROJ_DLOAD.FH W32/Worm.AUBX TROJ_DLOAD.FH Win.Spyware.56255-2 Trojan.Downloader.VB.VRF Trojan.Downloader.VB.VRF Trojan.Win32.OnLineGames.tibz Trojan.Win32.PSWIGames.24576.GZ Trojan.Downloader.VB.VRF Trojan.Downloader.VB.VRF Trojan.DownLoader.55879 BehavesLike.Win32.Trojan.mz W32/Worm.EUBY-4599 Trojan/PSW.OnLineGames.asrj TR/PSW.OnlineGames.tqmr Trojan[GameThief]/Win32.OnLineGames Trojan.Downloader.VB.VRF Trojan/Win32.OnlineGameHack.C140754 Trojan.Downloader.VB.VRF TrojanPSW.OnLineGames.a Win32.Trojan-GameThief.Onlinegames.inv Trojan.Mansund!mgpvcbFSAhU Trojan-GameThief.Win32.OnLineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.InterneC.Worm": [[26, 43]], 
"Indicator: Trojan.Downloader.VB.VRF": [[44, 68], [237, 261], [262, 286], [349, 373], [374, 398], [558, 582], [619, 643]], "Indicator: Trojan-PWS/W32.WebGame.24576.IS": [[69, 100]], "Indicator: Trojan.VB.Win32.91134": [[101, 122]], "Indicator: Troj.GameThief.W32.OnLineGames.tqmr!c": [[123, 160]], "Indicator: Trojan/VB.nti": [[161, 174]], "Indicator: TROJ_DLOAD.FH": [[175, 188], [203, 216]], "Indicator: W32/Worm.AUBX": [[189, 202]], "Indicator: Win.Spyware.56255-2": [[217, 236]], "Indicator: Trojan.Win32.OnLineGames.tibz": [[287, 316]], "Indicator: Trojan.Win32.PSWIGames.24576.GZ": [[317, 348]], "Indicator: Trojan.DownLoader.55879": [[399, 422]], "Indicator: BehavesLike.Win32.Trojan.mz": [[423, 450]], "Indicator: W32/Worm.EUBY-4599": [[451, 469]], "Indicator: Trojan/PSW.OnLineGames.asrj": [[470, 497]], "Indicator: TR/PSW.OnlineGames.tqmr": [[498, 521]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[522, 557]], "Indicator: Trojan/Win32.OnlineGameHack.C140754": [[583, 618]], "Indicator: TrojanPSW.OnLineGames.a": [[644, 667]], "Indicator: Win32.Trojan-GameThief.Onlinegames.inv": [[668, 706]], "Indicator: Trojan.Mansund!mgpvcbFSAhU": [[707, 733]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[734, 768]]}, "info": {"id": "cyner2_5class_train_00160", "source": "cyner2_5class_train"}} +{"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ .", "spans": {"Indicator: e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe": [[51, 115]], "Indicator: AndroidOS_SpyAgent.HRXB": [[116, 139]], "Indicator: e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa": [[140, 204]], "Indicator: 
29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d": [[230, 294]], "Indicator: 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb": [[320, 384]], "Indicator: IOS_ProjectSpy.A": [[385, 401]], "Indicator: cashnow [ .": [[407, 418]]}, "info": {"id": "cyner2_5class_train_00161", "source": "cyner2_5class_train"}} +{"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report .", "spans": {}, "info": {"id": "cyner2_5class_train_00162", "source": "cyner2_5class_train"}} +{"text": "We hope that this writeup of our journey through all the multiple layers of protection , obfuscation , and anti-analysis techniques of FinFisher will be useful to other researchers studying this malware .", "spans": {"Malware: FinFisher": [[135, 144]]}, "info": {"id": "cyner2_5class_train_00163", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader Win32/Tnega.CfCAeIB Win.Trojan.Downloader-64707 Application.Win32.Kuaiba.BC Trojan.DownLoader10.13268 BehavesLike.Win32.Downloader.tc Win32.Trojan-Downloader.GMUnpackerInstaller.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader": [[26, 43]], "Indicator: Win32/Tnega.CfCAeIB": [[44, 63]], "Indicator: Win.Trojan.Downloader-64707": [[64, 91]], "Indicator: Application.Win32.Kuaiba.BC": [[92, 119]], "Indicator: Trojan.DownLoader10.13268": [[120, 145]], "Indicator: BehavesLike.Win32.Downloader.tc": [[146, 177]], "Indicator: Win32.Trojan-Downloader.GMUnpackerInstaller.B": [[178, 223]]}, "info": {"id": "cyner2_5class_train_00164", "source": "cyner2_5class_train"}} +{"text": "Though there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file as an attachment SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e.", "spans": {"Indicator: messages": [[36, 44]], "Indicator: the 
same malicious .doc file": [[90, 118]], "Indicator: SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e.": [[136, 209]]}, "info": {"id": "cyner2_5class_train_00165", "source": "cyner2_5class_train"}} +{"text": "In actual fact , the Trojan does not block anything and the phone can be used without any problems .", "spans": {}, "info": {"id": "cyner2_5class_train_00166", "source": "cyner2_5class_train"}} +{"text": "The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.", "spans": {"Indicator: sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service,": [[73, 147]], "Malware: the EternalBlue exploit.": [[176, 200]]}, "info": {"id": "cyner2_5class_train_00167", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Troj.Undef.kcloud Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Troj.Undef.kcloud": [[26, 49]], "Indicator: Win32/Trojan.e6d": [[50, 66]]}, "info": {"id": "cyner2_5class_train_00168", "source": "cyner2_5class_train"}} +{"text": "During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.", "spans": {"Malware: Komplex": [[40, 47], [203, 210]], "Organization: individuals": [[97, 108]], "System: OS X": [[117, 121]], "Vulnerability: exploited a vulnerability": [[127, 152]], "Vulnerability: MacKeeper antivirus application": [[160, 191]], "Malware: payload.": [[216, 224]]}, "info": {"id": "cyner2_5class_train_00169", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W64/Risk.SHRD-0827 Riskware.Win64.Pwdump.bjsgmx Tool.Pwdump.80 W64/MalwareF.NVZY SPR/Tool.174080.1 Trojan[PSWTool]/Win32.CacheDump PUP.Optional.PasswordDump Trj/CI.A Riskware.Pwdump! 
not-a-virus:PSWTool.Win32.PWDump", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W64/Risk.SHRD-0827": [[26, 44]], "Indicator: Riskware.Win64.Pwdump.bjsgmx": [[45, 73]], "Indicator: Tool.Pwdump.80": [[74, 88]], "Indicator: W64/MalwareF.NVZY": [[89, 106]], "Indicator: SPR/Tool.174080.1": [[107, 124]], "Indicator: Trojan[PSWTool]/Win32.CacheDump": [[125, 156]], "Indicator: PUP.Optional.PasswordDump": [[157, 182]], "Indicator: Trj/CI.A": [[183, 191]], "Indicator: Riskware.Pwdump!": [[192, 208]], "Indicator: not-a-virus:PSWTool.Win32.PWDump": [[209, 241]]}, "info": {"id": "cyner2_5class_train_00170", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_DROPER.SMIA Win32.Trojan-Dropper.Delf.ay W32/Backdoor.WJXY-0415 Win32/Tnega.IX TROJ_DROPER.SMIA Trojan.Win32.Delf.cvuwsq Backdoor.Win32.ProRat.~O Trojan.Inject.5089 W32/Backdoor2.DVXL TrojanDropper:Win32/Amighelo.A Trojan.Heur.ED7518 Trojan.Win32.PSWIGames.1110528 Trojan.Amighelo Win32/TrojanDropper.Delf.NOD Trojan-Dropper.Win32.OnLineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_DROPER.SMIA": [[26, 42], [110, 126]], "Indicator: Win32.Trojan-Dropper.Delf.ay": [[43, 71]], "Indicator: W32/Backdoor.WJXY-0415": [[72, 94]], "Indicator: Win32/Tnega.IX": [[95, 109]], "Indicator: Trojan.Win32.Delf.cvuwsq": [[127, 151]], "Indicator: Backdoor.Win32.ProRat.~O": [[152, 176]], "Indicator: Trojan.Inject.5089": [[177, 195]], "Indicator: W32/Backdoor2.DVXL": [[196, 214]], "Indicator: TrojanDropper:Win32/Amighelo.A": [[215, 245]], "Indicator: Trojan.Heur.ED7518": [[246, 264]], "Indicator: Trojan.Win32.PSWIGames.1110528": [[265, 295]], "Indicator: Trojan.Amighelo": [[296, 311]], "Indicator: Win32/TrojanDropper.Delf.NOD": [[312, 340]], "Indicator: Trojan-Dropper.Win32.OnLineGames": [[341, 373]]}, "info": {"id": "cyner2_5class_train_00171", "source": "cyner2_5class_train"}} +{"text": "Our team was also able to test other commands in the lab either by tampering with the HTTP traffic from the 
C & C or by sending crafted SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_00172", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9770 Trojan.FakeAV.13061 Worm:Win32/Gnoewin.A W32.W.Otwycal.l4av Win32/RiskWare.PEMalform.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9770": [[26, 68]], "Indicator: Trojan.FakeAV.13061": [[69, 88]], "Indicator: Worm:Win32/Gnoewin.A": [[89, 109]], "Indicator: W32.W.Otwycal.l4av": [[110, 128]], "Indicator: Win32/RiskWare.PEMalform.E": [[129, 155]]}, "info": {"id": "cyner2_5class_train_00173", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BitMiner Trojan.Zusy.D41F53 Tool.BtcMine.1195 Backdoor.PePatch.Win32.108542 BehavesLike.Win32.Backdoor.th PUA.CoinMiner RiskTool.BitMiner.au RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Optiminz.A Unwanted/Win32.BitCoinMiner.R215923 Trj/CI.A Win32/Virus.RiskTool.435", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BitMiner": [[26, 41]], "Indicator: Trojan.Zusy.D41F53": [[42, 60]], "Indicator: Tool.BtcMine.1195": [[61, 78]], "Indicator: Backdoor.PePatch.Win32.108542": [[79, 108]], "Indicator: BehavesLike.Win32.Backdoor.th": [[109, 138]], "Indicator: PUA.CoinMiner": [[139, 152]], "Indicator: RiskTool.BitMiner.au": [[153, 173]], "Indicator: RiskWare[RiskTool]/Win32.BitCoinMiner": [[174, 211]], "Indicator: Trojan:Win32/Optiminz.A": [[212, 235]], "Indicator: Unwanted/Win32.BitCoinMiner.R215923": [[236, 271]], "Indicator: Trj/CI.A": [[272, 280]], "Indicator: Win32/Virus.RiskTool.435": [[281, 305]]}, "info": {"id": "cyner2_5class_train_00174", "source": "cyner2_5class_train"}} +{"text": "It steals money from the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner2_5class_train_00175", "source": "cyner2_5class_train"}} +{"text": "The malware checks for sinkholing of its control servers before each network communication 
session and does not initiate its malicious activities—such as downloading and running the malicious payloads—if it thinks the Domain Name Service DNS records have been sinkholed.", "spans": {"Malware: malware": [[4, 11]], "Indicator: sinkholing": [[23, 33]], "Indicator: control servers": [[41, 56]], "Indicator: network communication session": [[69, 98]], "Malware: malicious": [[125, 134]], "Malware: malicious payloads—if": [[182, 203]], "System: Domain Name Service DNS": [[218, 241]], "Indicator: sinkholed.": [[260, 270]]}, "info": {"id": "cyner2_5class_train_00176", "source": "cyner2_5class_train"}} +{"text": "However, the recent activity caught our attention due to a change to the URL structure of the landing pages.", "spans": {"Indicator: URL structure of the landing pages.": [[73, 108]]}, "info": {"id": "cyner2_5class_train_00177", "source": "cyner2_5class_train"}} +{"text": "FURTHER READING New type of auto-rooting Android adware is nearly impossible to remove Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day , displays 20 million malicious advertisements , and generates more than $ 300,000 per month in revenue .", "spans": {"System: Android": [[41, 48]], "Organization: Check Point Software": [[118, 138]]}, "info": {"id": "cyner2_5class_train_00178", "source": "cyner2_5class_train"}} +{"text": "In early versions of Asacub , .com , .biz , .info , .in , .pw were used as top-level domains .", "spans": {"Malware: Asacub": [[21, 27]]}, "info": {"id": "cyner2_5class_train_00179", "source": "cyner2_5class_train"}} +{"text": "When running, the Kronos payload will download several other pieces of malware, but the one that caught our eye is a new credit card dumper with very low detection.", "spans": {"Malware: Kronos payload": [[18, 32]], "Malware: malware,": [[71, 79]], "Malware: credit card dumper": [[121, 139]]}, "info": {"id": "cyner2_5class_train_00180", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Trojan.Ursnif.100315 Trojan.Filecoder.Win32.1880 Uds.Dangerousobject.Multi!c TROJ_HPROVNIX.SM Win32.Trojan.WisdomEyes.16070401.9500.9985 Ransom.Cryptolocker TROJ_HPROVNIX.SM Trojan-Ransom.Win32.Snocry.dmd Trojan.Win32.Encoder.eaaxms Trojan.Win32.Z.Razy.262660 Trojan.Encoder.3689 BehavesLike.Win32.VirRansom.dh W32/Trojan.RVGU-3177 Trojan.Cryptolocker.c TR/WinPlock.262656 Trojan[Ransom]/Win32.Cryptolocker Ransom:Win32/WinPlock.A Trojan.Razy.D2A0E Trojan-Ransom.Win32.Snocry.dmd Trojan/Win32.CryptoWall.R173903 Trojan.Ransom.cryptolocker Ransom.FileCryptor Trj/GdSda.A Win32/Filecoder.NFJ Win32.Trojan.Filecoder.Wncw Trojan.Cryptolocker! Trojan.Win32.Filecoder W32/HPROVNIX.SM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ursnif.100315": [[26, 46]], "Indicator: Trojan.Filecoder.Win32.1880": [[47, 74]], "Indicator: Uds.Dangerousobject.Multi!c": [[75, 102]], "Indicator: TROJ_HPROVNIX.SM": [[103, 119], [183, 199]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[120, 162]], "Indicator: Ransom.Cryptolocker": [[163, 182]], "Indicator: Trojan-Ransom.Win32.Snocry.dmd": [[200, 230], [475, 505]], "Indicator: Trojan.Win32.Encoder.eaaxms": [[231, 258]], "Indicator: Trojan.Win32.Z.Razy.262660": [[259, 285]], "Indicator: Trojan.Encoder.3689": [[286, 305]], "Indicator: BehavesLike.Win32.VirRansom.dh": [[306, 336]], "Indicator: W32/Trojan.RVGU-3177": [[337, 357]], "Indicator: Trojan.Cryptolocker.c": [[358, 379]], "Indicator: TR/WinPlock.262656": [[380, 398]], "Indicator: Trojan[Ransom]/Win32.Cryptolocker": [[399, 432]], "Indicator: Ransom:Win32/WinPlock.A": [[433, 456]], "Indicator: Trojan.Razy.D2A0E": [[457, 474]], "Indicator: Trojan/Win32.CryptoWall.R173903": [[506, 537]], "Indicator: Trojan.Ransom.cryptolocker": [[538, 564]], "Indicator: Ransom.FileCryptor": [[565, 583]], "Indicator: Trj/GdSda.A": [[584, 595]], "Indicator: Win32/Filecoder.NFJ": [[596, 615]], "Indicator: Win32.Trojan.Filecoder.Wncw": [[616, 643]], 
"Indicator: Trojan.Cryptolocker!": [[644, 664]], "Indicator: Trojan.Win32.Filecoder": [[665, 687]], "Indicator: W32/HPROVNIX.SM!tr": [[688, 706]]}, "info": {"id": "cyner2_5class_train_00181", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9960 Virus.Win32.Virut W32.Dropper.Dunik", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9960": [[26, 68]], "Indicator: Virus.Win32.Virut": [[69, 86]], "Indicator: W32.Dropper.Dunik": [[87, 104]]}, "info": {"id": "cyner2_5class_train_00182", "source": "cyner2_5class_train"}} +{"text": "However, the malware is flexible enough to grant access to all the resources in the victim's computer.", "spans": {"Malware: malware": [[13, 20]], "System: victim's computer.": [[84, 102]]}, "info": {"id": "cyner2_5class_train_00183", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Hexzone.352256 Trojan-Ransom.Win32.Hexzone.1!O Trojan.Hexzone Win32.Trojan.WisdomEyes.16070401.9500.9952 Trojan.Hexzone Ransom_Hexzone.R002C0DAD18 Trojan.Win32.Hexzone.ewziqv Trojan.Win32.Hexzone.352256 Troj.Ransom.W32.Hexzone!c TrojWare.Win32.Ransom.Hexzone.~jap3 Trojan.Blackmailer.454 Ransom_Hexzone.R002C0DAD18 Trojan-Ransom.Win32.Hexzone Trojan.Hexzone.q Trojan[Ransom]/Win32.Hexzone Adware.Heur.E6B8C4 Adware.Vundo/Variant-LIB Trojan:Win32/Hexzone.A!dll Trojan/Win32.Hexzone.R6919 Win32/Hexzone.I Trojan.Hexzone!FZcXjlI3fIw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Hexzone.352256": [[26, 51]], "Indicator: Trojan-Ransom.Win32.Hexzone.1!O": [[52, 83]], "Indicator: Trojan.Hexzone": [[84, 98], [142, 156]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9952": [[99, 141]], "Indicator: Ransom_Hexzone.R002C0DAD18": [[157, 183], [325, 351]], "Indicator: Trojan.Win32.Hexzone.ewziqv": [[184, 211]], "Indicator: Trojan.Win32.Hexzone.352256": [[212, 239]], "Indicator: Troj.Ransom.W32.Hexzone!c": [[240, 265]], 
"Indicator: TrojWare.Win32.Ransom.Hexzone.~jap3": [[266, 301]], "Indicator: Trojan.Blackmailer.454": [[302, 324]], "Indicator: Trojan-Ransom.Win32.Hexzone": [[352, 379]], "Indicator: Trojan.Hexzone.q": [[380, 396]], "Indicator: Trojan[Ransom]/Win32.Hexzone": [[397, 425]], "Indicator: Adware.Heur.E6B8C4": [[426, 444]], "Indicator: Adware.Vundo/Variant-LIB": [[445, 469]], "Indicator: Trojan:Win32/Hexzone.A!dll": [[470, 496]], "Indicator: Trojan/Win32.Hexzone.R6919": [[497, 523]], "Indicator: Win32/Hexzone.I": [[524, 539]], "Indicator: Trojan.Hexzone!FZcXjlI3fIw": [[540, 566]]}, "info": {"id": "cyner2_5class_train_00184", "source": "cyner2_5class_train"}} +{"text": "Further investigation of GhostPush revealed more recent variants, which, unlike older ones, employ the following routines that make them harder to remove and detect:", "spans": {"Malware: GhostPush": [[25, 34]], "Malware: variants,": [[56, 65]]}, "info": {"id": "cyner2_5class_train_00185", "source": "cyner2_5class_train"}} +{"text": "So far , legitimate app stores appear to be this malware ’ s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure .", "spans": {}, "info": {"id": "cyner2_5class_train_00186", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Intexp.c Win32.Trojan.WisdomEyes.16070401.9500.9782 W32/Downloader.AJWJ Adware.IEPlugin Win.Downloader.64050-1 Trojan-Downloader.Win32.Intexp.c Trojan.Win32.Intexp.didb Trojan.Win32.Downloader.33280.AKE Troj.Downloader.W32.Intexp.c!c Win32.Trojan-downloader.Intexp.Alsx TrojWare.Win32.TrojanDownloader.Intexp.C Trojan.DownLoader.2369 Downloader.Intexp.Win32.13 BehavesLike.Win32.Koobface.nc Trojan-Downloader.Win32.OneClickNetSearch W32/Downloader.XUJA-4048 TrojanDownloader.Intexp.c W32.Malware.Downloader TR/Dldr.Intexp.B Trojan[Downloader]/Win32.Intexp Win32.TrojDownloader.Intexp.c.kcloud Trojan.Graftor.Elzob.DF6F Trojan-Downloader.Win32.Intexp.c 
TrojanDownloader:Win32/Intexp.C Trojan/Win32.HDC.C83257 TrojanDownloader.Intexp Win32/TrojanDownloader.Intexp.C Trojan.DL.Intexp!uQMofoaT248 W32/Malware_fam.NB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Intexp.c": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9782": [[53, 95]], "Indicator: W32/Downloader.AJWJ": [[96, 115]], "Indicator: Adware.IEPlugin": [[116, 131]], "Indicator: Win.Downloader.64050-1": [[132, 154]], "Indicator: Trojan-Downloader.Win32.Intexp.c": [[155, 187], [663, 695]], "Indicator: Trojan.Win32.Intexp.didb": [[188, 212]], "Indicator: Trojan.Win32.Downloader.33280.AKE": [[213, 246]], "Indicator: Troj.Downloader.W32.Intexp.c!c": [[247, 277]], "Indicator: Win32.Trojan-downloader.Intexp.Alsx": [[278, 313]], "Indicator: TrojWare.Win32.TrojanDownloader.Intexp.C": [[314, 354]], "Indicator: Trojan.DownLoader.2369": [[355, 377]], "Indicator: Downloader.Intexp.Win32.13": [[378, 404]], "Indicator: BehavesLike.Win32.Koobface.nc": [[405, 434]], "Indicator: Trojan-Downloader.Win32.OneClickNetSearch": [[435, 476]], "Indicator: W32/Downloader.XUJA-4048": [[477, 501]], "Indicator: TrojanDownloader.Intexp.c": [[502, 527]], "Indicator: W32.Malware.Downloader": [[528, 550]], "Indicator: TR/Dldr.Intexp.B": [[551, 567]], "Indicator: Trojan[Downloader]/Win32.Intexp": [[568, 599]], "Indicator: Win32.TrojDownloader.Intexp.c.kcloud": [[600, 636]], "Indicator: Trojan.Graftor.Elzob.DF6F": [[637, 662]], "Indicator: TrojanDownloader:Win32/Intexp.C": [[696, 727]], "Indicator: Trojan/Win32.HDC.C83257": [[728, 751]], "Indicator: TrojanDownloader.Intexp": [[752, 775]], "Indicator: Win32/TrojanDownloader.Intexp.C": [[776, 807]], "Indicator: Trojan.DL.Intexp!uQMofoaT248": [[808, 836]], "Indicator: W32/Malware_fam.NB": [[837, 855]]}, "info": {"id": "cyner2_5class_train_00187", "source": "cyner2_5class_train"}} +{"text": "android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred , 
either lost or established .", "spans": {"Indicator: android.intent.action.CONNECTIVITY_CHANGE": [[0, 41]]}, "info": {"id": "cyner2_5class_train_00188", "source": "cyner2_5class_train"}} +{"text": "However , the director created a new organization in Cyprus named LokD .", "spans": {"Organization: LokD": [[66, 70]]}, "info": {"id": "cyner2_5class_train_00189", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Trojan.Win32.VB.dmoq Trojan.Win32.VB.ewrjie Trojan.Win32.Z.Camec.51712 Uds.Dangerousobject.Multi!c Win32.Trojan.Vb.Llgx BehavesLike.Win32.Trojan.qc Trojan/Win32.VB Trojan.Win32.VB.dmoq Trojan:Win32/Camec.B Trj/GdSda.A Trojan.Win32.Camec Win32/Trojan.7b5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Trojan.Win32.VB.dmoq": [[39, 59], [203, 223]], "Indicator: Trojan.Win32.VB.ewrjie": [[60, 82]], "Indicator: Trojan.Win32.Z.Camec.51712": [[83, 109]], "Indicator: Uds.Dangerousobject.Multi!c": [[110, 137]], "Indicator: Win32.Trojan.Vb.Llgx": [[138, 158]], "Indicator: BehavesLike.Win32.Trojan.qc": [[159, 186]], "Indicator: Trojan/Win32.VB": [[187, 202]], "Indicator: Trojan:Win32/Camec.B": [[224, 244]], "Indicator: Trj/GdSda.A": [[245, 256]], "Indicator: Trojan.Win32.Camec": [[257, 275]], "Indicator: Win32/Trojan.7b5": [[276, 292]]}, "info": {"id": "cyner2_5class_train_00190", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Delf.Win32.27191 Trojan/Delf.ahzk Trojan.Zusy.D3A909 Win32.Backdoor.Lukicsel.c Win32/Bifrose.AAB Win.Spyware.80655-2 W32.Lamer.lwJ1 TrojWare.Win32.Trojan.Lukicsel.~Q Trojan.MulDrop1.48720 BehavesLike.Win32.Eggnog.fc Trojan/Delf.qyz Trojan/Win32.Delf TrojanDropper:Win32/Lukicsel.B Trojan.Win32.Delf.364544.B Trojan.Delf Win32/Lukicsel.Q W32/Crypt.NTAB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delf.Win32.27191": [[26, 49]], "Indicator: Trojan/Delf.ahzk": [[50, 66]], "Indicator: Trojan.Zusy.D3A909": [[67, 85]], 
"Indicator: Win32.Backdoor.Lukicsel.c": [[86, 111]], "Indicator: Win32/Bifrose.AAB": [[112, 129]], "Indicator: Win.Spyware.80655-2": [[130, 149]], "Indicator: W32.Lamer.lwJ1": [[150, 164]], "Indicator: TrojWare.Win32.Trojan.Lukicsel.~Q": [[165, 198]], "Indicator: Trojan.MulDrop1.48720": [[199, 220]], "Indicator: BehavesLike.Win32.Eggnog.fc": [[221, 248]], "Indicator: Trojan/Delf.qyz": [[249, 264]], "Indicator: Trojan/Win32.Delf": [[265, 282]], "Indicator: TrojanDropper:Win32/Lukicsel.B": [[283, 313]], "Indicator: Trojan.Win32.Delf.364544.B": [[314, 340]], "Indicator: Trojan.Delf": [[341, 352]], "Indicator: Win32/Lukicsel.Q": [[353, 369]], "Indicator: W32/Crypt.NTAB!tr": [[370, 387]]}, "info": {"id": "cyner2_5class_train_00191", "source": "cyner2_5class_train"}} +{"text": "] 26 192 [ .", "spans": {"Indicator: 192 [ .": [[5, 12]]}, "info": {"id": "cyner2_5class_train_00192", "source": "cyner2_5class_train"}} +{"text": "The use of adult-themed content echoes the one-click billing fraud app we've covered a few years back.", "spans": {"Indicator: adult-themed content": [[11, 31]], "Indicator: one-click billing fraud app": [[43, 70]]}, "info": {"id": "cyner2_5class_train_00193", "source": "cyner2_5class_train"}} +{"text": "Malware code showing onCreate method Figure 9. 
onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “ CuffGmrQRT ” as the first argument , which is the name of the encrypted file stored in the Assets folder .", "spans": {"Indicator: CuffGmrQRT": [[230, 240]]}, "info": {"id": "cyner2_5class_train_00194", "source": "cyner2_5class_train"}} +{"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the victim ’ s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named “ Backup ” , in this instance ) from the launcher view on their device , as shown in Figure 3 below .", "spans": {"Indicator: a6c7351b09a733a1b3ff8a0901c5bde": [[29, 60]], "Indicator: com.android.henbox": [[95, 113]], "Malware: HenBox": [[136, 142], [192, 198], [312, 318]]}, "info": {"id": "cyner2_5class_train_00195", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.MSIL Backdoor.Telebot BKDR_TELEBOT.VBV Win.Trojan.Nyetya-6332125-0 Backdoor.Msil.Teledoor!c Win32.Trojan.Telebot.Acxl BackDoor.Medoc.2 Trojan.TeleDoor.Win32.2 BKDR_TELEBOT.VBV Backdoor.Teledoor W32/Trojan.RZZO-3107 Backdoor.MSIL.ojt W32.Backdoor.Medoc TR/TeleDoor.ME.1 Trojan[Backdoor]/MSIL.TeleDoor Trojan/Win32.TeleDoor.C2029730 Backdoor.MSIL.Telebot Bck/Teledoors.A Trojan.TeleDoor!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.MSIL": [[26, 39]], "Indicator: Backdoor.Telebot": [[40, 56]], "Indicator: BKDR_TELEBOT.VBV": [[57, 73], [194, 210]], "Indicator: Win.Trojan.Nyetya-6332125-0": [[74, 101]], "Indicator: Backdoor.Msil.Teledoor!c": [[102, 126]], "Indicator: Win32.Trojan.Telebot.Acxl": [[127, 152]], "Indicator: BackDoor.Medoc.2": [[153, 169]], "Indicator: 
Trojan.TeleDoor.Win32.2": [[170, 193]], "Indicator: Backdoor.Teledoor": [[211, 228]], "Indicator: W32/Trojan.RZZO-3107": [[229, 249]], "Indicator: Backdoor.MSIL.ojt": [[250, 267]], "Indicator: W32.Backdoor.Medoc": [[268, 286]], "Indicator: TR/TeleDoor.ME.1": [[287, 303]], "Indicator: Trojan[Backdoor]/MSIL.TeleDoor": [[304, 334]], "Indicator: Trojan/Win32.TeleDoor.C2029730": [[335, 365]], "Indicator: Backdoor.MSIL.Telebot": [[366, 387]], "Indicator: Bck/Teledoors.A": [[388, 403]], "Indicator: Trojan.TeleDoor!": [[404, 420]]}, "info": {"id": "cyner2_5class_train_00196", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BitMin.Win32.519 Trojan.Strictor.D1BA5D Trojan.Script.AutoIt.emewzp Trojan.BtcMine.1084 BehavesLike.Win32.BadFile.wc TR/BitCoinMiner.zzzlc Trojan/Win32.BitMin.C1728272 Trojan.Win32.Autoit Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BitMin.Win32.519": [[26, 49]], "Indicator: Trojan.Strictor.D1BA5D": [[50, 72]], "Indicator: Trojan.Script.AutoIt.emewzp": [[73, 100]], "Indicator: Trojan.BtcMine.1084": [[101, 120]], "Indicator: BehavesLike.Win32.BadFile.wc": [[121, 149]], "Indicator: TR/BitCoinMiner.zzzlc": [[150, 171]], "Indicator: Trojan/Win32.BitMin.C1728272": [[172, 200]], "Indicator: Trojan.Win32.Autoit": [[201, 220]], "Indicator: Trj/CI.A": [[221, 229]]}, "info": {"id": "cyner2_5class_train_00197", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/PSWSpider.E Backdoor.Bancodor.M Backdoor.Bancodor.M Backdoor.Bancodor.M Backdoor/Bancodor.m Backdoor.Bancodor.M W32/Bancodor.T@bd Backdoor.Badcodor Win32/Bancodor.M BKDR_BANCODOR.M Win.Trojan.Bancodor-27 Backdoor.Win32.Bancodor.m Trojan.Win32.Bancodor.dbrs Backdoor.Win32.Bancodor.513024[h] Backdoor.W32.Bancodor.m!c Backdoor.Bancodor.M Backdoor.Win32.Bancodor.~O Backdoor.Bancodor.M Trojan.Bancdo Backdoor.Bancodor.Win32.40 BKDR_BANCODOR.M W32/Bancodor.UWGT-1776 Backdoor/Bancodor.ak BDS/Bancodor.M.1 
Trojan[Backdoor]/Win32.Bancodor Backdoor.Bancodor.M Backdoor:Win32/Bancodor.M Win-Trojan/Bancodor.513024.C Backdoor.Bancodor Bck/Bancodor.E Win32.Backdoor.Bancodor.Oyep Backdoor.Bancodor!IZl0vEMNH4U Backdoor.Win32.Bancodor Backdoor.Bancodor.M BackDoor.Bancodor.AS Backdoor.Win32.Bancodor.m", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/PSWSpider.E": [[26, 43]], "Indicator: Backdoor.Bancodor.M": [[44, 63], [64, 83], [84, 103], [124, 143], [349, 368], [396, 415], [566, 585], [757, 776]], "Indicator: Backdoor/Bancodor.m": [[104, 123]], "Indicator: W32/Bancodor.T@bd": [[144, 161]], "Indicator: Backdoor.Badcodor": [[162, 179]], "Indicator: Win32/Bancodor.M": [[180, 196]], "Indicator: BKDR_BANCODOR.M": [[197, 212], [457, 472]], "Indicator: Win.Trojan.Bancodor-27": [[213, 235]], "Indicator: Backdoor.Win32.Bancodor.m": [[236, 261], [798, 823]], "Indicator: Trojan.Win32.Bancodor.dbrs": [[262, 288]], "Indicator: Backdoor.Win32.Bancodor.513024[h]": [[289, 322]], "Indicator: Backdoor.W32.Bancodor.m!c": [[323, 348]], "Indicator: Backdoor.Win32.Bancodor.~O": [[369, 395]], "Indicator: Trojan.Bancdo": [[416, 429]], "Indicator: Backdoor.Bancodor.Win32.40": [[430, 456]], "Indicator: W32/Bancodor.UWGT-1776": [[473, 495]], "Indicator: Backdoor/Bancodor.ak": [[496, 516]], "Indicator: BDS/Bancodor.M.1": [[517, 533]], "Indicator: Trojan[Backdoor]/Win32.Bancodor": [[534, 565]], "Indicator: Backdoor:Win32/Bancodor.M": [[586, 611]], "Indicator: Win-Trojan/Bancodor.513024.C": [[612, 640]], "Indicator: Backdoor.Bancodor": [[641, 658]], "Indicator: Bck/Bancodor.E": [[659, 673]], "Indicator: Win32.Backdoor.Bancodor.Oyep": [[674, 702]], "Indicator: Backdoor.Bancodor!IZl0vEMNH4U": [[703, 732]], "Indicator: Backdoor.Win32.Bancodor": [[733, 756]], "Indicator: BackDoor.Bancodor.AS": [[777, 797]]}, "info": {"id": "cyner2_5class_train_00198", "source": "cyner2_5class_train"}} +{"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months .", 
"spans": {}, "info": {"id": "cyner2_5class_train_00199", "source": "cyner2_5class_train"}} +{"text": "This ransomware family ’ s long history tells us that its evolution is far from over .", "spans": {}, "info": {"id": "cyner2_5class_train_00200", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.GreenStuff.1.7 Win32.Trojan.WisdomEyes.16070401.9500.9688 Trojan.Dropper Win32/Pasorot.D Win.Trojan.Greenstuff-3 Trojan.Dropper.GreenStuff.1.7 Trojan-Dropper.Win32.GreenStuff.17 Trojan.Dropper.GreenStuff.1.7 Troj.Dropper.W32.GreenStuff.17!c Win32.Trojan-dropper.Greenstuff.Ebgv Trojan.Dropper.GreenStuff.1.7 TrojWare.Win32.TrojanDropper.GreenStuff.17 Trojan.Dropper.GreenStuff.1.7 Trojan.MulDrop.365 Dropper.GreenStuff.Win32.14 BehavesLike.Win32.Trojan.dc W32/Trojan.KLUP-2808 TrojanDropper.Exebinder TR/Pasorot.g Trojan[PSW]/Win32.Pasorot Trojan.Dropper.GreenStuff.1.7 Trojan-Dropper.Win32.GreenStuff.17 TrojanDropper:Win32/GreenStuff.1_7 Trojan/Win32.Downloader.C112567 TScope.Malware-Cryptor.SB Trj/Dropper.WF Win32/TrojanDropper.GreenStuff.17 W32/GreenSt.B!tr.dr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.GreenStuff.1.7": [[26, 55], [154, 183], [219, 248], [319, 348], [392, 421], [581, 610]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9688": [[56, 98]], "Indicator: Trojan.Dropper": [[99, 113]], "Indicator: Win32/Pasorot.D": [[114, 129]], "Indicator: Win.Trojan.Greenstuff-3": [[130, 153]], "Indicator: Trojan-Dropper.Win32.GreenStuff.17": [[184, 218], [611, 645]], "Indicator: Troj.Dropper.W32.GreenStuff.17!c": [[249, 281]], "Indicator: Win32.Trojan-dropper.Greenstuff.Ebgv": [[282, 318]], "Indicator: TrojWare.Win32.TrojanDropper.GreenStuff.17": [[349, 391]], "Indicator: Trojan.MulDrop.365": [[422, 440]], "Indicator: Dropper.GreenStuff.Win32.14": [[441, 468]], "Indicator: BehavesLike.Win32.Trojan.dc": [[469, 496]], "Indicator: W32/Trojan.KLUP-2808": [[497, 517]], "Indicator: TrojanDropper.Exebinder": [[518, 541]], 
"Indicator: TR/Pasorot.g": [[542, 554]], "Indicator: Trojan[PSW]/Win32.Pasorot": [[555, 580]], "Indicator: TrojanDropper:Win32/GreenStuff.1_7": [[646, 680]], "Indicator: Trojan/Win32.Downloader.C112567": [[681, 712]], "Indicator: TScope.Malware-Cryptor.SB": [[713, 738]], "Indicator: Trj/Dropper.WF": [[739, 753]], "Indicator: Win32/TrojanDropper.GreenStuff.17": [[754, 787]], "Indicator: W32/GreenSt.B!tr.dr": [[788, 807]]}, "info": {"id": "cyner2_5class_train_00201", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MemScan:Trojan.Downloader.Modgof.A MemScan:Trojan.Downloader.Modgof.A Trojan.Scar.daok Trojan.Win32.Scar.tlmwj TROJ_AZAH.A Trojan.Win32.Scar.daok MemScan:Trojan.Downloader.Modgof.A Trojan.Scar!ZI1ghG8RGXc MemScan:Trojan.Downloader.Modgof.A Trojan.MulDrop1.43719 TROJ_AZAH.A Win32.Troj.Scar.kcloud Trojan.Win32.A.Downloader.120320.DL MemScan:Trojan.Downloader.Modgof.A Worm.Win32.FakeFolder.b W32/AZAH.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MemScan:Trojan.Downloader.Modgof.A": [[26, 60], [61, 95], [172, 206], [231, 265], [359, 393]], "Indicator: Trojan.Scar.daok": [[96, 112]], "Indicator: Trojan.Win32.Scar.tlmwj": [[113, 136]], "Indicator: TROJ_AZAH.A": [[137, 148], [288, 299]], "Indicator: Trojan.Win32.Scar.daok": [[149, 171]], "Indicator: Trojan.Scar!ZI1ghG8RGXc": [[207, 230]], "Indicator: Trojan.MulDrop1.43719": [[266, 287]], "Indicator: Win32.Troj.Scar.kcloud": [[300, 322]], "Indicator: Trojan.Win32.A.Downloader.120320.DL": [[323, 358]], "Indicator: Worm.Win32.FakeFolder.b": [[394, 417]], "Indicator: W32/AZAH.A!tr": [[418, 431]]}, "info": {"id": "cyner2_5class_train_00202", "source": "cyner2_5class_train"}} +{"text": "The first function is used for contact information stealing : the function upCon steals all contacts in the contact list and their information .", "spans": {}, "info": {"id": "cyner2_5class_train_00203", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeGina.X 
Trojan.Fakegina Trojan.FakeGina.X Trojan/FakeGina.b TROJ_FAKEGINA.AA Win32.Trojan.FakeGina.b W32/Risk.LOJP-2889 Trojan.Fakegina TROJ_FAKEGINA.AA Trojan.FakeGina.X Trojan.FakeGina.X Trojan.FakeGina.X TrojWare.Win32.FakeGina.~B Trojan.FakeGina.X Trojan.FakeGina.Win32.121 Trojan.Win32.FakeGina W32/MalwareF.NCOX Trojan/Win32.FakeGina Trojan.FakeGina.X Trojan:Win32/Fakegina.T Trojan/Win32.FakeGina.R77324 Win32/FakeGina.B Win32.Trojan.Fakegina.Wmst W32/FakeGina.AA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeGina.X": [[26, 43], [60, 77], [189, 206], [207, 224], [225, 242], [270, 287], [376, 393]], "Indicator: Trojan.Fakegina": [[44, 59], [156, 171]], "Indicator: Trojan/FakeGina.b": [[78, 95]], "Indicator: TROJ_FAKEGINA.AA": [[96, 112], [172, 188]], "Indicator: Win32.Trojan.FakeGina.b": [[113, 136]], "Indicator: W32/Risk.LOJP-2889": [[137, 155]], "Indicator: TrojWare.Win32.FakeGina.~B": [[243, 269]], "Indicator: Trojan.FakeGina.Win32.121": [[288, 313]], "Indicator: Trojan.Win32.FakeGina": [[314, 335]], "Indicator: W32/MalwareF.NCOX": [[336, 353]], "Indicator: Trojan/Win32.FakeGina": [[354, 375]], "Indicator: Trojan:Win32/Fakegina.T": [[394, 417]], "Indicator: Trojan/Win32.FakeGina.R77324": [[418, 446]], "Indicator: Win32/FakeGina.B": [[447, 463]], "Indicator: Win32.Trojan.Fakegina.Wmst": [[464, 490]], "Indicator: W32/FakeGina.AA!tr": [[491, 509]]}, "info": {"id": "cyner2_5class_train_00204", "source": "cyner2_5class_train"}} +{"text": "While doing so , it will reach a service exported by “ Agent Smith ” , and sends out an authentication request that would lead to a call to the ‘ addAccount ’ method .", "spans": {"Malware: Agent Smith": [[55, 66]]}, "info": {"id": "cyner2_5class_train_00205", "source": "cyner2_5class_train"}} +{"text": "The campaign targeted Japanese organizations by using at least two legitimate Japanese websites to host a strategic web compromise SWC, where victims ultimately downloaded a variant of the SOGU malware.", "spans": 
{"Malware: campaign": [[4, 12]], "Organization: Japanese organizations": [[22, 44]], "Indicator: Japanese websites": [[78, 95]], "Indicator: strategic web compromise SWC,": [[106, 135]], "Malware: SOGU malware.": [[189, 202]]}, "info": {"id": "cyner2_5class_train_00206", "source": "cyner2_5class_train"}} +{"text": "It connects to a certain URL, likely controlled by the attacker, using a specific Go user-agent:", "spans": {"Indicator: URL,": [[25, 29]], "Indicator: attacker,": [[55, 64]], "System: Go user-agent:": [[82, 96]]}, "info": {"id": "cyner2_5class_train_00207", "source": "cyner2_5class_train"}} +{"text": "The first phase is receiving malspam from a botnet.", "spans": {"Indicator: malspam": [[29, 36]], "Malware: botnet.": [[44, 51]]}, "info": {"id": "cyner2_5class_train_00208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D49E51 W32/Trojan.ULWD-7621 Trojan.Win32.Drop.elkhrw BehavesLike.Win32.Sivis.kh Trojan-Dropper.Win32.Rubat W32/Win.G Trojan.SchoolGirl.er TR/Drop.Rubat.qlzld TrojanDropper:Win32/Rubat.A!bit Trojan.SchoolGirl", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D49E51": [[26, 47]], "Indicator: W32/Trojan.ULWD-7621": [[48, 68]], "Indicator: Trojan.Win32.Drop.elkhrw": [[69, 93]], "Indicator: BehavesLike.Win32.Sivis.kh": [[94, 120]], "Indicator: Trojan-Dropper.Win32.Rubat": [[121, 147]], "Indicator: W32/Win.G": [[148, 157]], "Indicator: Trojan.SchoolGirl.er": [[158, 178]], "Indicator: TR/Drop.Rubat.qlzld": [[179, 198]], "Indicator: TrojanDropper:Win32/Rubat.A!bit": [[199, 230]], "Indicator: Trojan.SchoolGirl": [[231, 248]]}, "info": {"id": "cyner2_5class_train_00209", "source": "cyner2_5class_train"}} +{"text": "Unfortunately , for now we can ’ t say in what environment these landing pages were used in the wild , but according to all the information at our dsiposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks .", "spans": 
{}, "info": {"id": "cyner2_5class_train_00210", "source": "cyner2_5class_train"}} +{"text": "If the threat reappears on the device after the first installation , it means that the malware managed to install the persistency module in the System directory .", "spans": {}, "info": {"id": "cyner2_5class_train_00211", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CominateU.Adware Trojan-GameThief.Win32.OnLineGames!O TrojanGameThief.OnLineGames Trojan.OnLineGames.Win32.78851 Trojan/OnLineGames.boaj Trojan.Zusy.Elzob.D484 W32/Risk.ADYI-1535 TSPY_ONLIN.SMUM Win.Spyware.82985-2 Trojan-GameThief.Win32.OnLineGames.boaj Trojan.Win32.OnLineGames.cptyo BackDoor.Sturf.170 TSPY_ONLIN.SMUM W32/MalwareF.AEIUQ Trojan/PSW.OnLineGames.cedq TR/Spy.671314 Trojan[GameThief]/Win32.OnLineGames Trojan-GameThief.Win32.OnLineGames.boaj Trojan/Win32.OnlineGameHack.R11892 TrojanPSW.OnLineGames.bo Win32/PSW.OnLineGames.QDP Trojan.PWS.OnLineGames!mLCnhslfoqM Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.BOJI!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CominateU.Adware": [[26, 46]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[47, 83]], "Indicator: TrojanGameThief.OnLineGames": [[84, 111]], "Indicator: Trojan.OnLineGames.Win32.78851": [[112, 142]], "Indicator: Trojan/OnLineGames.boaj": [[143, 166]], "Indicator: Trojan.Zusy.Elzob.D484": [[167, 189]], "Indicator: W32/Risk.ADYI-1535": [[190, 208]], "Indicator: TSPY_ONLIN.SMUM": [[209, 224], [335, 350]], "Indicator: Win.Spyware.82985-2": [[225, 244]], "Indicator: Trojan-GameThief.Win32.OnLineGames.boaj": [[245, 284], [448, 487]], "Indicator: Trojan.Win32.OnLineGames.cptyo": [[285, 315]], "Indicator: BackDoor.Sturf.170": [[316, 334]], "Indicator: W32/MalwareF.AEIUQ": [[351, 369]], "Indicator: Trojan/PSW.OnLineGames.cedq": [[370, 397]], "Indicator: TR/Spy.671314": [[398, 411]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[412, 447]], "Indicator: Trojan/Win32.OnlineGameHack.R11892": 
[[488, 522]], "Indicator: TrojanPSW.OnLineGames.bo": [[523, 547]], "Indicator: Win32/PSW.OnLineGames.QDP": [[548, 573]], "Indicator: Trojan.PWS.OnLineGames!mLCnhslfoqM": [[574, 608]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[609, 643]], "Indicator: W32/Onlinegames.BOJI!tr.pws": [[644, 671]]}, "info": {"id": "cyner2_5class_train_00212", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Timer.55808.B Trojan-Ransom.Win32.Timer!O Trojan/Kryptik.sot Trojan.Boigy.4 TROJ_RANSOM.SMMJ Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Ransom.GED TROJ_RANSOM.SMMJ Trojan-Ransom.Win32.Timer.icg Trojan.Win32.Timer.dqvge Trojan.Win32.A.Timer.55808 Trojan.Winlock.4005 Trojan/Timer.cnd TR/Ramson.TR TrojanDropper:Win32/Dinome.A Trojan-Ransom.Win32.Timer.icg Trojan/Win32.Ransomlock.R11433 BScope.Trojan.Winlock.01505 Trj/Hexas.HEU Trojan-Downloader.Win32.Karagany", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Timer.55808.B": [[26, 50]], "Indicator: Trojan-Ransom.Win32.Timer!O": [[51, 78]], "Indicator: Trojan/Kryptik.sot": [[79, 97]], "Indicator: Trojan.Boigy.4": [[98, 112]], "Indicator: TROJ_RANSOM.SMMJ": [[113, 129], [190, 206]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[130, 172]], "Indicator: Win32/Ransom.GED": [[173, 189]], "Indicator: Trojan-Ransom.Win32.Timer.icg": [[207, 236], [368, 397]], "Indicator: Trojan.Win32.Timer.dqvge": [[237, 261]], "Indicator: Trojan.Win32.A.Timer.55808": [[262, 288]], "Indicator: Trojan.Winlock.4005": [[289, 308]], "Indicator: Trojan/Timer.cnd": [[309, 325]], "Indicator: TR/Ramson.TR": [[326, 338]], "Indicator: TrojanDropper:Win32/Dinome.A": [[339, 367]], "Indicator: Trojan/Win32.Ransomlock.R11433": [[398, 428]], "Indicator: BScope.Trojan.Winlock.01505": [[429, 456]], "Indicator: Trj/Hexas.HEU": [[457, 470]], "Indicator: Trojan-Downloader.Win32.Karagany": [[471, 503]]}, "info": {"id": "cyner2_5class_train_00213", "source": "cyner2_5class_train"}} +{"text": "Given previous 
operational security errors from this actor in the past which resulted in exfiltrated content being publicly accessible Lookout Threat Intelligence is continuing to map out infrastructure and closely monitor their continued evolution .", "spans": {"Organization: Lookout Threat Intelligence": [[135, 162]]}, "info": {"id": "cyner2_5class_train_00214", "source": "cyner2_5class_train"}} +{"text": "This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders .", "spans": {}, "info": {"id": "cyner2_5class_train_00215", "source": "cyner2_5class_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00216", "source": "cyner2_5class_train"}} +{"text": "Aside from the natural value of phone numbers associated with the names of their owners .", "spans": {}, "info": {"id": "cyner2_5class_train_00217", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.Foreign.409600.C Trojan.Foreign Ransom_Foreign.R002C0DB418 Trojan-Ransom.Win32.Foreign.nxzy Trojan.Win32.Spambot.exqsne Trojan.Win32.Z.Trubsil.409600 Troj.Ransom.W32.Foreign!c Trojan.Spambot.15075 Ransom_Foreign.R002C0DB418 BehavesLike.Win32.Ransom.gc TR/Crypt.ZPACK.lpngp Backdoor:Win32/Trubsil.C Trojan-Ransom.Win32.Foreign.nxzy Trojan/Win32.Foreign.C2394896 TrojanRansom.Foreign Trj/GdSda.A W32/Kryptik.FRKA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.Foreign.409600.C": [[26, 53]], "Indicator: Trojan.Foreign": [[54, 68]], "Indicator: Ransom_Foreign.R002C0DB418": [[69, 95], [234, 260]], "Indicator: Trojan-Ransom.Win32.Foreign.nxzy": [[96, 128], [335, 367]], "Indicator: Trojan.Win32.Spambot.exqsne": [[129, 156]], "Indicator: Trojan.Win32.Z.Trubsil.409600": [[157, 186]], "Indicator: Troj.Ransom.W32.Foreign!c": [[187, 212]], "Indicator: Trojan.Spambot.15075": [[213, 233]], "Indicator: BehavesLike.Win32.Ransom.gc": [[261, 288]], "Indicator: TR/Crypt.ZPACK.lpngp": [[289, 309]], "Indicator: 
Backdoor:Win32/Trubsil.C": [[310, 334]], "Indicator: Trojan/Win32.Foreign.C2394896": [[368, 397]], "Indicator: TrojanRansom.Foreign": [[398, 418]], "Indicator: Trj/GdSda.A": [[419, 430]], "Indicator: W32/Kryptik.FRKA!tr": [[431, 450]]}, "info": {"id": "cyner2_5class_train_00218", "source": "cyner2_5class_train"}} +{"text": "Due to the specific nature of its activity , Perkele is distributed in a rather unusual way .", "spans": {"Malware: Perkele": [[45, 52]]}, "info": {"id": "cyner2_5class_train_00219", "source": "cyner2_5class_train"}} +{"text": "The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device .", "spans": {}, "info": {"id": "cyner2_5class_train_00220", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DakusarDRAX.Trojan Trojan.Floxif Win32.Trojan.WisdomEyes.16070401.9500.9948 Win32/Flofix.D TROJ_FLOXIF_EK040354.UVPM Trojan.Win32.Floxif.cqjmcu Win32.FloodFix Trojan.Floxif.Win32.2 TROJ_FLOXIF_EK040354.UVPM TR/Spy.69337 Trojan:Win32/Floxif.E Virus/Win32.Fixflo.R204310 Trojan.Sly Win32/Floxif.E W32/Floxif.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DakusarDRAX.Trojan": [[26, 48]], "Indicator: Trojan.Floxif": [[49, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9948": [[63, 105]], "Indicator: Win32/Flofix.D": [[106, 120]], "Indicator: TROJ_FLOXIF_EK040354.UVPM": [[121, 146], [211, 236]], "Indicator: Trojan.Win32.Floxif.cqjmcu": [[147, 173]], "Indicator: Win32.FloodFix": [[174, 188]], "Indicator: Trojan.Floxif.Win32.2": [[189, 210]], "Indicator: TR/Spy.69337": [[237, 249]], "Indicator: Trojan:Win32/Floxif.E": [[250, 271]], "Indicator: Virus/Win32.Fixflo.R204310": [[272, 298]], "Indicator: Trojan.Sly": [[299, 309]], "Indicator: Win32/Floxif.E": [[310, 324]], "Indicator: W32/Floxif.E": [[325, 337]]}, "info": {"id": "cyner2_5class_train_00221", "source": "cyner2_5class_train"}} +{"text": "] com Malicious Twitter accounts : https : 
//twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3 Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ .", "spans": {"Organization: Twitter": [[16, 23]], "Indicator: https : //twitter.com/lucky88755": [[35, 67]], "Indicator: https : //twitter.com/lucky98745": [[68, 100]], "Indicator: https : //twitter.com/lucky876543": [[101, 134]], "Indicator: https : //twitter.com/luckyone1232": [[135, 169]], "Indicator: https : //twitter.com/sadwqewqeqw": [[170, 203]], "Indicator: https : //twitter.com/gyugyu87418490": [[204, 240]], "Indicator: https : //twitter.com/fdgoer343": [[241, 272]], "Indicator: https : //twitter.com/sdfghuio342": [[273, 306]], "Indicator: https : //twitter.com/asdqweqweqeqw": [[307, 342]], "Indicator: https : //twitter.com/ukenivor3": [[343, 374]], "Organization: Instagram": [[385, 394]], "Indicator: https : //www.instagram.com/freedomguidepeople1830/": [[405, 456]], "Organization: Tumblr": [[467, 473]], "Indicator: https : //mainsheetgyam.tumblr.com/": [[485, 520]], "Indicator: https : //hormonaljgrj.tumblr.com/": [[521, 555]], "Indicator: https : //globalanab.tumblr.com/": [[556, 588]], "Indicator: 104 [ .": [[607, 614]]}, "info": {"id": "cyner2_5class_train_00222", "source": "cyner2_5class_train"}} +{"text": "Unit 42 discovered new activity that appears related to an adversary group previously called C0d0so0 or Codoso", "spans": {"Organization: Unit 42": [[0, 7]]}, "info": {"id": "cyner2_5class_train_00223", "source": "cyner2_5class_train"}} +{"text": "As a result , no new instances of this 
app can be installed on iOS devices and existing installations can no longer be run .", "spans": {"System: iOS": [[63, 66]]}, "info": {"id": "cyner2_5class_train_00224", "source": "cyner2_5class_train"}} +{"text": "We have observed download attempts from the following domains:", "spans": {}, "info": {"id": "cyner2_5class_train_00225", "source": "cyner2_5class_train"}} +{"text": "In 2022, they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.", "spans": {"Malware: SysUpdate,": [[22, 32]], "Malware: custom malware families,": [[46, 70]], "Malware: malware": [[103, 110]], "System: Linux platform.": [[137, 152]]}, "info": {"id": "cyner2_5class_train_00226", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.3797 JS.Nemucod.LK VBS/DropExe.A!Camelot Trojan.Script.MLW.eafugn VBS.Dropper.102 TrojanDropper.VBS.aq TrojanDropper:VBS/Twexag.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3797": [[26, 42]], "Indicator: JS.Nemucod.LK": [[43, 56]], "Indicator: VBS/DropExe.A!Camelot": [[57, 78]], "Indicator: Trojan.Script.MLW.eafugn": [[79, 103]], "Indicator: VBS.Dropper.102": [[104, 119]], "Indicator: TrojanDropper.VBS.aq": [[120, 140]], "Indicator: TrojanDropper:VBS/Twexag.A": [[141, 167]]}, "info": {"id": "cyner2_5class_train_00227", "source": "cyner2_5class_train"}} +{"text": "East Asian government agencies came under siege when attackers targeted several servers within their networks.", "spans": {"Organization: East Asian government agencies": [[0, 30]], "System: networks.": [[101, 110]]}, "info": {"id": "cyner2_5class_train_00228", "source": "cyner2_5class_train"}} +{"text": "Similar to other malware seen in the past , Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine , Russia , or Belarus .", "spans": {"Malware: Charger": [[44, 51]]}, "info": {"id": 
"cyner2_5class_train_00229", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/AutoRun.autv W32/Sohanad.G WORM_SOHANAD.DX Virus.Worm.AutoRun!IK Win32.HLLW.Autoruner.8327 WORM_SOHANAD.DX W32/Sohanad.G Worm/AutoRun.mky Malware.Imaut Virus.Worm.AutoRun SHeur.CIAA Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/AutoRun.autv": [[26, 42]], "Indicator: W32/Sohanad.G": [[43, 56], [137, 150]], "Indicator: WORM_SOHANAD.DX": [[57, 72], [121, 136]], "Indicator: Virus.Worm.AutoRun!IK": [[73, 94]], "Indicator: Win32.HLLW.Autoruner.8327": [[95, 120]], "Indicator: Worm/AutoRun.mky": [[151, 167]], "Indicator: Malware.Imaut": [[168, 181]], "Indicator: Virus.Worm.AutoRun": [[182, 200]], "Indicator: SHeur.CIAA": [[201, 211]], "Indicator: Trj/CI.A": [[212, 220]]}, "info": {"id": "cyner2_5class_train_00230", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.RansomKD.6014218 Ransom.Chicrypt Ransom.Chimera Trojan/Kryptik.edes Trojan.RansomKD.D5BC50A Ransom_Chicrypt.R002C0DIL17 W32/Ransom.IF Trojan-Ransom.Win32.Chimera.q Trojan.RansomKD.6014218 Trojan.Win32.Encoder.esuyoq Troj.Ransom.W32!c Win32.Trojan.Chimera.Edei Trojan.RansomKD.6014218 Trojan.RansomKD.6014218 Trojan.Encoder.2774 W32/Ransom.KXVS-1328 W32.Ransom.Chimera Trojan[Ransom]/Win32.Chimera Ransom:Win32/Chicrypt.A Trojan.Win32.Z.Ransom.647242 Trojan-Ransom.Win32.Chimera.q Win32.Trojan-Ransom.Chimera.D Trojan/Win32.Chimera.C1182585 Trojan.RansomKD.6014218 Hoax.Chimera Trojan.Kryptik!1o3s7Z7mkiE W32/Chimera.EDES!tr Win32/Trojan.37c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.RansomKD.6014218": [[26, 49], [197, 220], [293, 316], [317, 340], [573, 596]], "Indicator: Ransom.Chicrypt": [[50, 65]], "Indicator: Ransom.Chimera": [[66, 80]], "Indicator: Trojan/Kryptik.edes": [[81, 100]], "Indicator: Trojan.RansomKD.D5BC50A": [[101, 124]], "Indicator: Ransom_Chicrypt.R002C0DIL17": [[125, 152]], "Indicator: W32/Ransom.IF": [[153, 166]], "Indicator: 
Trojan-Ransom.Win32.Chimera.q": [[167, 196], [483, 512]], "Indicator: Trojan.Win32.Encoder.esuyoq": [[221, 248]], "Indicator: Troj.Ransom.W32!c": [[249, 266]], "Indicator: Win32.Trojan.Chimera.Edei": [[267, 292]], "Indicator: Trojan.Encoder.2774": [[341, 360]], "Indicator: W32/Ransom.KXVS-1328": [[361, 381]], "Indicator: W32.Ransom.Chimera": [[382, 400]], "Indicator: Trojan[Ransom]/Win32.Chimera": [[401, 429]], "Indicator: Ransom:Win32/Chicrypt.A": [[430, 453]], "Indicator: Trojan.Win32.Z.Ransom.647242": [[454, 482]], "Indicator: Win32.Trojan-Ransom.Chimera.D": [[513, 542]], "Indicator: Trojan/Win32.Chimera.C1182585": [[543, 572]], "Indicator: Hoax.Chimera": [[597, 609]], "Indicator: Trojan.Kryptik!1o3s7Z7mkiE": [[610, 636]], "Indicator: W32/Chimera.EDES!tr": [[637, 656]], "Indicator: Win32/Trojan.37c": [[657, 673]]}, "info": {"id": "cyner2_5class_train_00231", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ClickerAybn.Trojan Trojan-Spy.Win32.VB!O Trojan.Puzlice.A3 Win32.Trojan-Clicker.VB.c Win32/TrojanClicker.VB.NUE Win.Trojan.7640471-1 Worm.Win32.Autorun.gxay Trojan.Win32.VB2.cnioik Trojan.Win32.A.VB.55040 W32.Virut.lQTU TrojWare.Win32.Spy.VB.FRG Trojan.VbCrypt.68 Trojan.VB.Win32.83289 BehavesLike.Win32.Malware.nc Virus.Win32.Virut TrojanSpy.VB.cxx Trojan[Spy]/Win32.VB Worm.Win32.Autorun.gxay Trojan:Win32/Puzlice.A Win32/VB.BXL TScope.Trojan.VB Trojan.Vilsel TrojanSpy.VB!jmRymi1V2Tw W32/VBClicker.NUE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ClickerAybn.Trojan": [[26, 48]], "Indicator: Trojan-Spy.Win32.VB!O": [[49, 70]], "Indicator: Trojan.Puzlice.A3": [[71, 88]], "Indicator: Win32.Trojan-Clicker.VB.c": [[89, 114]], "Indicator: Win32/TrojanClicker.VB.NUE": [[115, 141]], "Indicator: Win.Trojan.7640471-1": [[142, 162]], "Indicator: Worm.Win32.Autorun.gxay": [[163, 186], [401, 424]], "Indicator: Trojan.Win32.VB2.cnioik": [[187, 210]], "Indicator: Trojan.Win32.A.VB.55040": [[211, 234]], "Indicator: W32.Virut.lQTU": 
[[235, 249]], "Indicator: TrojWare.Win32.Spy.VB.FRG": [[250, 275]], "Indicator: Trojan.VbCrypt.68": [[276, 293]], "Indicator: Trojan.VB.Win32.83289": [[294, 315]], "Indicator: BehavesLike.Win32.Malware.nc": [[316, 344]], "Indicator: Virus.Win32.Virut": [[345, 362]], "Indicator: TrojanSpy.VB.cxx": [[363, 379]], "Indicator: Trojan[Spy]/Win32.VB": [[380, 400]], "Indicator: Trojan:Win32/Puzlice.A": [[425, 447]], "Indicator: Win32/VB.BXL": [[448, 460]], "Indicator: TScope.Trojan.VB": [[461, 477]], "Indicator: Trojan.Vilsel": [[478, 491]], "Indicator: TrojanSpy.VB!jmRymi1V2Tw": [[492, 516]], "Indicator: W32/VBClicker.NUE!tr": [[517, 537]]}, "info": {"id": "cyner2_5class_train_00232", "source": "cyner2_5class_train"}} +{"text": "Some of them like takephoto , takevideo , recordaudio , getsentsms and uploadpictures are focused on espionage activities .", "spans": {}, "info": {"id": "cyner2_5class_train_00233", "source": "cyner2_5class_train"}} +{"text": "A pro-democracy reform took place in 2011 which has helped the government create an atmopshere conducive to investor interest.", "spans": {}, "info": {"id": "cyner2_5class_train_00234", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Turla.B5 BKDR64_TURLA.NUS Trojan.Turla BKDR64_TURLA.NUS Win64.Rootkit.Uroburos.A Backdoor.Win64.Turla.c Trojan.Win64.Turla.dflvhj BackDoor.Turla.17 Trojan.Turla.Win64.1 BDS/Turla.fech Backdoor.Win64.Turla.c Backdoor:Win64/Turla.B!dha Trojan/Win64.Turla.C560438 Backdoor.Turla Trj/CI.A Win64/Turla.A Win32.Trojan.Url.Fdjm Trojan.Turla!2u6AW7YKCfw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Turla.B5": [[26, 43]], "Indicator: BKDR64_TURLA.NUS": [[44, 60], [74, 90]], "Indicator: Trojan.Turla": [[61, 73]], "Indicator: Win64.Rootkit.Uroburos.A": [[91, 115]], "Indicator: Backdoor.Win64.Turla.c": [[116, 138], [219, 241]], "Indicator: Trojan.Win64.Turla.dflvhj": [[139, 164]], "Indicator: BackDoor.Turla.17": [[165, 182]], "Indicator: 
Trojan.Turla.Win64.1": [[183, 203]], "Indicator: BDS/Turla.fech": [[204, 218]], "Indicator: Backdoor:Win64/Turla.B!dha": [[242, 268]], "Indicator: Trojan/Win64.Turla.C560438": [[269, 295]], "Indicator: Backdoor.Turla": [[296, 310]], "Indicator: Trj/CI.A": [[311, 319]], "Indicator: Win64/Turla.A": [[320, 333]], "Indicator: Win32.Trojan.Url.Fdjm": [[334, 355]], "Indicator: Trojan.Turla!2u6AW7YKCfw": [[356, 380]]}, "info": {"id": "cyner2_5class_train_00235", "source": "cyner2_5class_train"}} +{"text": "So far we have identified the following behaviors : Sending device information to a remote command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner2_5class_train_00236", "source": "cyner2_5class_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner2_5class_train_00237", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Japik.6 TROJ_IKYTOK.SMI Win32.Trojan.WisdomEyes.16070401.9500.9979 Trojan.Ransomlock TROJ_IKYTOK.SMI Trojan.Packed.2232 Trojan.Kryptik.Win32.166130 BehavesLike.Win32.VTFlooder.fc Trojan-Downloader.Win32.Karagany TrojanDropper.Mudrop.cmh TrojanDropper:Win32/Sinmis.B Trojan/Win32.Menti.R9584 BScope.Malware-Cryptor.Tip", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Japik.6": [[26, 40]], "Indicator: TROJ_IKYTOK.SMI": [[41, 56], [118, 133]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[57, 99]], "Indicator: Trojan.Ransomlock": [[100, 117]], "Indicator: Trojan.Packed.2232": [[134, 152]], "Indicator: Trojan.Kryptik.Win32.166130": [[153, 180]], "Indicator: BehavesLike.Win32.VTFlooder.fc": [[181, 211]], "Indicator: Trojan-Downloader.Win32.Karagany": [[212, 244]], "Indicator: TrojanDropper.Mudrop.cmh": [[245, 269]], "Indicator: TrojanDropper:Win32/Sinmis.B": [[270, 298]], "Indicator: Trojan/Win32.Menti.R9584": [[299, 323]], "Indicator: BScope.Malware-Cryptor.Tip": [[324, 350]]}, "info": {"id": "cyner2_5class_train_00238", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Trojan.Dynamer.S23079 Win32.Trojan.Kryptik.bil Win.Malware.Zusy-5689799-0 Trojan.Inject2.38898 Trojan.Kryptik.Win32.992532 BehavesLike.Win32.PWSZbot.cm Trojan.Win32.Extenbro Backdoor.Androm.mnb TR/Crypt.ZPACK.pwvcr Trojan.Symmi.D10FCD Trojan/Win32.Androm.R192120", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.S23079": [[26, 47]], "Indicator: Win32.Trojan.Kryptik.bil": [[48, 72]], "Indicator: Win.Malware.Zusy-5689799-0": [[73, 99]], "Indicator: Trojan.Inject2.38898": [[100, 120]], "Indicator: Trojan.Kryptik.Win32.992532": [[121, 148]], "Indicator: BehavesLike.Win32.PWSZbot.cm": [[149, 177]], "Indicator: Trojan.Win32.Extenbro": [[178, 199]], "Indicator: Backdoor.Androm.mnb": [[200, 219]], "Indicator: TR/Crypt.ZPACK.pwvcr": [[220, 240]], "Indicator: Trojan.Symmi.D10FCD": [[241, 260]], "Indicator: Trojan/Win32.Androm.R192120": [[261, 288]]}, "info": {"id": "cyner2_5class_train_00239", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PDF/Phish.ECM Win32.Exploit.Pidief.Aexw PDF/Phish.ECM EXP/Pidief.EB.494 Exp.Pidief.Eb!c Trojan.PDF.Phishing Win32/Trojan.Exploit.ec6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF/Phish.ECM": [[26, 39], [66, 79]], "Indicator: Win32.Exploit.Pidief.Aexw": [[40, 65]], "Indicator: EXP/Pidief.EB.494": [[80, 97]], "Indicator: Exp.Pidief.Eb!c": [[98, 113]], "Indicator: Trojan.PDF.Phishing": [[114, 133]], "Indicator: Win32/Trojan.Exploit.ec6": [[134, 158]]}, "info": {"id": "cyner2_5class_train_00240", "source": "cyner2_5class_train"}} +{"text": "We 've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms , so , unfortunately , it does n't seem that this will change any time soon .", "spans": {}, "info": {"id": "cyner2_5class_train_00241", "source": "cyner2_5class_train"}} +{"text": "HenBox checks whether this execution is its first by using Android ’ s shared preferences feature to persist XML key-value pair data .", 
"spans": {"Malware: HenBox": [[0, 6]], "System: Android": [[59, 66]]}, "info": {"id": "cyner2_5class_train_00242", "source": "cyner2_5class_train"}} +{"text": "MESSAGE – send SMS containing specified text to a specified number .", "spans": {}, "info": {"id": "cyner2_5class_train_00243", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.TSGrinder Trojan/Hacktool.TSGrinder.a W32/Tool.JPZP-4469 Crackin.0AC64262 HackTool.Win32.TSGrinder.a Trojan.Win32.TSGrinder.scgl HackTool.TSGrinder.192570 Hacktool.W32.Tsgrinder!c ApplicUnsaf.Win32.HackTool.TSGrinder.a Tool.TSGrinder W32/VirTool.AYV W32.Hack.Tool HackTool/Win32.TSGrinder HackTool.Win32.TSGrinder.a HackTool:Win32/Tsgrinder.A Win32.Hacktool.Tsgrinder.Stkm HackTool.TSGrinder!LpD0k7ExEpE HackTool.Win32.TSGrinder.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.TSGrinder": [[26, 44]], "Indicator: Trojan/Hacktool.TSGrinder.a": [[45, 72]], "Indicator: W32/Tool.JPZP-4469": [[73, 91]], "Indicator: Crackin.0AC64262": [[92, 108]], "Indicator: HackTool.Win32.TSGrinder.a": [[109, 135], [324, 350], [439, 465]], "Indicator: Trojan.Win32.TSGrinder.scgl": [[136, 163]], "Indicator: HackTool.TSGrinder.192570": [[164, 189]], "Indicator: Hacktool.W32.Tsgrinder!c": [[190, 214]], "Indicator: ApplicUnsaf.Win32.HackTool.TSGrinder.a": [[215, 253]], "Indicator: Tool.TSGrinder": [[254, 268]], "Indicator: W32/VirTool.AYV": [[269, 284]], "Indicator: W32.Hack.Tool": [[285, 298]], "Indicator: HackTool/Win32.TSGrinder": [[299, 323]], "Indicator: HackTool:Win32/Tsgrinder.A": [[351, 377]], "Indicator: Win32.Hacktool.Tsgrinder.Stkm": [[378, 407]], "Indicator: HackTool.TSGrinder!LpD0k7ExEpE": [[408, 438]]}, "info": {"id": "cyner2_5class_train_00244", "source": "cyner2_5class_train"}} +{"text": "Every once in a while , authors leave behind a trace that allows us to attribute not only similar apps , but also multiple different PHA families to the same group or person .", "spans": {}, "info": {"id": 
"cyner2_5class_train_00245", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Lorozoad.A3 Trojan.Razy.D2614 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win.Trojan.Lorozoad-1 Trojan.MSIL.Disfa.mcnf Trojan.Win32.Tiny.etgbky Trojan.Win32.Z.Razy.4608.CD Troj.Msil.Disfa!c TrojWare.MSIL.TrojanDownloader.Tiny.MXA BehavesLike.Win32.Trojan.xz TR/Dropper.MSIL.nsnpx Trojan.MSIL.Disfa.mcnf Trj/GdSda.A Msil.Trojan.Disfa.Pctb Trojan.Disfa!3Wzl0Mq4C1c Trojan-Downloader.MSIL.Tiny MSIL/Tiny.MX!tr.dldr Win32/Trojan.85b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Lorozoad.A3": [[26, 54]], "Indicator: Trojan.Razy.D2614": [[55, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[73, 115]], "Indicator: Win.Trojan.Lorozoad-1": [[116, 137]], "Indicator: Trojan.MSIL.Disfa.mcnf": [[138, 160], [322, 344]], "Indicator: Trojan.Win32.Tiny.etgbky": [[161, 185]], "Indicator: Trojan.Win32.Z.Razy.4608.CD": [[186, 213]], "Indicator: Troj.Msil.Disfa!c": [[214, 231]], "Indicator: TrojWare.MSIL.TrojanDownloader.Tiny.MXA": [[232, 271]], "Indicator: BehavesLike.Win32.Trojan.xz": [[272, 299]], "Indicator: TR/Dropper.MSIL.nsnpx": [[300, 321]], "Indicator: Trj/GdSda.A": [[345, 356]], "Indicator: Msil.Trojan.Disfa.Pctb": [[357, 379]], "Indicator: Trojan.Disfa!3Wzl0Mq4C1c": [[380, 404]], "Indicator: Trojan-Downloader.MSIL.Tiny": [[405, 432]], "Indicator: MSIL/Tiny.MX!tr.dldr": [[433, 453]], "Indicator: Win32/Trojan.85b": [[454, 470]]}, "info": {"id": "cyner2_5class_train_00246", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DownloadPdzLnrA.Trojan Worm.Win32.WBNA!O W32/WBNA.asj Win32.Trojan.WisdomEyes.16070401.9500.9988 Win.Trojan.Wbna-299 Worm.WBNA.Win32.2209 BehavesLike.Win32.VBObfus.qt W32/VB.PID!tr.dldr Worm/Win32.WBNA Worm.WBNA Win32/TrojanDownloader.VB.PID Trojan-Downloader.Win32.VB Win32/Trojan.c6e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloadPdzLnrA.Trojan": [[26, 52]], 
"Indicator: Worm.Win32.WBNA!O": [[53, 70]], "Indicator: W32/WBNA.asj": [[71, 83]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[84, 126]], "Indicator: Win.Trojan.Wbna-299": [[127, 146]], "Indicator: Worm.WBNA.Win32.2209": [[147, 167]], "Indicator: BehavesLike.Win32.VBObfus.qt": [[168, 196]], "Indicator: W32/VB.PID!tr.dldr": [[197, 215]], "Indicator: Worm/Win32.WBNA": [[216, 231]], "Indicator: Worm.WBNA": [[232, 241]], "Indicator: Win32/TrojanDownloader.VB.PID": [[242, 271]], "Indicator: Trojan-Downloader.Win32.VB": [[272, 298]], "Indicator: Win32/Trojan.c6e": [[299, 315]]}, "info": {"id": "cyner2_5class_train_00247", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.LNJS-3256 Trojan.Win32.Mazel.dsuwke BehavesLike.Win32.Sytro.lc TR/AD.Lentrigy.ejnsf RiskWare[Downloader]/NSIS.Mazel Trojan.Jaiko.851 TrojanDownloader:Win32/Rolkator.A Trj/CI.A Trojan.Win32.IRCBot Win32/Trojan.698", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.LNJS-3256": [[26, 46]], "Indicator: Trojan.Win32.Mazel.dsuwke": [[47, 72]], "Indicator: BehavesLike.Win32.Sytro.lc": [[73, 99]], "Indicator: TR/AD.Lentrigy.ejnsf": [[100, 120]], "Indicator: RiskWare[Downloader]/NSIS.Mazel": [[121, 152]], "Indicator: Trojan.Jaiko.851": [[153, 169]], "Indicator: TrojanDownloader:Win32/Rolkator.A": [[170, 203]], "Indicator: Trj/CI.A": [[204, 212]], "Indicator: Trojan.Win32.IRCBot": [[213, 232]], "Indicator: Win32/Trojan.698": [[233, 249]]}, "info": {"id": "cyner2_5class_train_00248", "source": "cyner2_5class_train"}} +{"text": "We have not identified any other public names for this malware, so rather than introduce a new name to the industry we'll refer to this family as Sarvdap.", "spans": {"Malware: malware,": [[55, 63]], "Organization: industry": [[107, 115]], "Malware: family": [[136, 142]], "Malware: Sarvdap.": [[146, 154]]}, "info": {"id": "cyner2_5class_train_00249", "source": "cyner2_5class_train"}} +{"text": "Notification handling method The 
class is only implemented in debug mode , pushing all captured information into the log .", "spans": {}, "info": {"id": "cyner2_5class_train_00250", "source": "cyner2_5class_train"}} +{"text": "This information may be useful to any incident responder or blue team looking to defend an organisation.", "spans": {"Organization: incident responder": [[38, 56]], "Organization: blue team": [[60, 69]]}, "info": {"id": "cyner2_5class_train_00251", "source": "cyner2_5class_train"}} +{"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ? • Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it .", "spans": {}, "info": {"id": "cyner2_5class_train_00252", "source": "cyner2_5class_train"}} +{"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its critical data , such as the C2 address .", "spans": {"Malware: Red Alert 2.0": [[40, 53]], "Indicator: Strings.xml file": [[107, 123]]}, "info": {"id": "cyner2_5class_train_00253", "source": "cyner2_5class_train"}} +{"text": "Infostealer.Banprox.B is a Trojan horse that may steal information from the compromised computer.", "spans": {"Indicator: Infostealer.Banprox.B": [[0, 21]], "Malware: Trojan horse": [[27, 39]], "Indicator: steal information": [[49, 66]], "System: compromised computer.": [[76, 97]]}, "info": {"id": "cyner2_5class_train_00254", "source": "cyner2_5class_train"}} +{"text": "The incident used a Microsoft Excel file containing malicious macros which wrote a malicious executable and associated files to the victim machine.", "spans": {"Indicator: a Microsoft Excel file": [[18, 40]], "Malware: malicious macros": [[52, 68]], "Malware: malicious executable": [[83, 103]], "Indicator: associated files": 
[[108, 124]], "System: the victim machine.": [[128, 147]]}, "info": {"id": "cyner2_5class_train_00255", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Locky.20 Win32.Trojan.WisdomEyes.16070401.9500.9879 Ransom_Falock.R002C0DAI18 Trojan.Win32.Z.Ransom.1819072 Ransom_Falock.R002C0DAI18 BehavesLike.Win32.Trojan.th W32/Trojan.CXBD-0386 Ransom:MSIL/Falock.A Trj/GdSda.A Trojan.MSIL.Crypt Win32/Trojan.Ransom.d73", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Locky.20": [[26, 48]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9879": [[49, 91]], "Indicator: Ransom_Falock.R002C0DAI18": [[92, 117], [148, 173]], "Indicator: Trojan.Win32.Z.Ransom.1819072": [[118, 147]], "Indicator: BehavesLike.Win32.Trojan.th": [[174, 201]], "Indicator: W32/Trojan.CXBD-0386": [[202, 222]], "Indicator: Ransom:MSIL/Falock.A": [[223, 243]], "Indicator: Trj/GdSda.A": [[244, 255]], "Indicator: Trojan.MSIL.Crypt": [[256, 273]], "Indicator: Win32/Trojan.Ransom.d73": [[274, 297]]}, "info": {"id": "cyner2_5class_train_00256", "source": "cyner2_5class_train"}} +{"text": "In addition, unlike many cyber attacks, an actual physical person was present money mule to pick up the money from affected ATM machines.", "spans": {"Indicator: cyber attacks,": [[25, 39]], "Malware: money mule": [[78, 88]], "System: ATM machines.": [[124, 137]]}, "info": {"id": "cyner2_5class_train_00257", "source": "cyner2_5class_train"}} +{"text": "EventBot C2 URLs C2 URLs and other settings in a nested class .", "spans": {}, "info": {"id": "cyner2_5class_train_00258", "source": "cyner2_5class_train"}} +{"text": "Trojan details Upon boot , the trojan will start by populating a shared preferences file with the configuration it has on its internal structures .", "spans": {}, "info": {"id": "cyner2_5class_train_00259", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Spammer.Mail.Norin.A Trojan/W32.Spammer.606720 Email-Flooder.W32.Norin.30!c 
TROJ_NORIN.30 Hacktool.Spammer TROJ_NORIN.30 Trojan.Spammer.Mail.Norin.A Email-Flooder.Win32.Norin.30 Trojan.Spammer.Mail.Norin.A Trojan.Win32.Norin.dkrt Spyware.Email-Flooder.Norin.606720 Trojan.Spammer.Mail.Norin.A Win32.Spammer.Mail.Norin.30 Trojan.Spammer.Mail.Norin.A Trojan.PWS.Wmhack Tool.Norin.Win32.1 Virus.Win32.Spammer W32/Risk.SGYO-3478 Spammer.Mail.Norin.30 TR/Flood.Norin.30 HackTool[Flooder]/Win32.Norin Win32.Hack.Norin.kcloud Trojan.Spammer.Mail.Norin.A Email-Flooder.Win32.Norin.30 Trojan.Spammer.Mail.Norin.A EmailFlooder.Norin Win32/Spammer.Mail.Norin.30 Win32.Virus.Spammer.Syhs Flooder.Norin!cC98wqxpE9A W32/Spam_Norin.30!tr Win32/Trojan.Flooder.81a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Spammer.Mail.Norin.A": [[26, 53], [154, 181], [211, 238], [298, 325], [354, 381], [552, 579], [609, 636]], "Indicator: Trojan/W32.Spammer.606720": [[54, 79]], "Indicator: Email-Flooder.W32.Norin.30!c": [[80, 108]], "Indicator: TROJ_NORIN.30": [[109, 122], [140, 153]], "Indicator: Hacktool.Spammer": [[123, 139]], "Indicator: Email-Flooder.Win32.Norin.30": [[182, 210], [580, 608]], "Indicator: Trojan.Win32.Norin.dkrt": [[239, 262]], "Indicator: Spyware.Email-Flooder.Norin.606720": [[263, 297]], "Indicator: Win32.Spammer.Mail.Norin.30": [[326, 353]], "Indicator: Trojan.PWS.Wmhack": [[382, 399]], "Indicator: Tool.Norin.Win32.1": [[400, 418]], "Indicator: Virus.Win32.Spammer": [[419, 438]], "Indicator: W32/Risk.SGYO-3478": [[439, 457]], "Indicator: Spammer.Mail.Norin.30": [[458, 479]], "Indicator: TR/Flood.Norin.30": [[480, 497]], "Indicator: HackTool[Flooder]/Win32.Norin": [[498, 527]], "Indicator: Win32.Hack.Norin.kcloud": [[528, 551]], "Indicator: EmailFlooder.Norin": [[637, 655]], "Indicator: Win32/Spammer.Mail.Norin.30": [[656, 683]], "Indicator: Win32.Virus.Spammer.Syhs": [[684, 708]], "Indicator: Flooder.Norin!cC98wqxpE9A": [[709, 734]], "Indicator: W32/Spam_Norin.30!tr": [[735, 755]], "Indicator: Win32/Trojan.Flooder.81a": [[756, 780]]}, 
"info": {"id": "cyner2_5class_train_00260", "source": "cyner2_5class_train"}} +{"text": "This attack might also originate from China.", "spans": {"Indicator: attack": [[5, 11]]}, "info": {"id": "cyner2_5class_train_00261", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.186B Worm.Dorkbot.A Backdoor.W32.Padodor.kZnr Trojan/Spy.qukart Win32.Trojan-Spy.Quart.a Backdoor.Berbew!g1 Win32/Webber.W Win32.Qukart BKDR_BERBEW.SMA Win.Trojan.Crypted-36 Trojan-Proxy.Win32.Qukart.vjh Trojan.Win32.Qukart.etuxeg Worm.Win32.Qukart.K BackDoor.HangUp.43784 BKDR_BERBEW.SMA BehavesLike.Win32.Backdoor.cc Trojan.Win32.Senta TrojanProxy.Qukart.tsk Trojan-Proxy.Win32.Qukart.vjh Win-Trojan/Berbew.51712 TrojanProxy.Qukart Trojan-Ransom.Win32.Pornoasset.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.186B": [[26, 43]], "Indicator: Worm.Dorkbot.A": [[44, 58]], "Indicator: Backdoor.W32.Padodor.kZnr": [[59, 84]], "Indicator: Trojan/Spy.qukart": [[85, 102]], "Indicator: Win32.Trojan-Spy.Quart.a": [[103, 127]], "Indicator: Backdoor.Berbew!g1": [[128, 146]], "Indicator: Win32/Webber.W": [[147, 161]], "Indicator: Win32.Qukart": [[162, 174]], "Indicator: BKDR_BERBEW.SMA": [[175, 190], [312, 327]], "Indicator: Win.Trojan.Crypted-36": [[191, 212]], "Indicator: Trojan-Proxy.Win32.Qukart.vjh": [[213, 242], [400, 429]], "Indicator: Trojan.Win32.Qukart.etuxeg": [[243, 269]], "Indicator: Worm.Win32.Qukart.K": [[270, 289]], "Indicator: BackDoor.HangUp.43784": [[290, 311]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[328, 357]], "Indicator: Trojan.Win32.Senta": [[358, 376]], "Indicator: TrojanProxy.Qukart.tsk": [[377, 399]], "Indicator: Win-Trojan/Berbew.51712": [[430, 453]], "Indicator: TrojanProxy.Qukart": [[454, 472]], "Indicator: Trojan-Ransom.Win32.Pornoasset.a": [[473, 505]]}, "info": {"id": "cyner2_5class_train_00262", "source": "cyner2_5class_train"}} +{"text": "] download .", "spans": {}, "info": {"id": "cyner2_5class_train_00263", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Heur.Corrupt.PE Tool.BtcMine.30 Backdoor.Win32.Cycbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Heur.Corrupt.PE": [[48, 63]], "Indicator: Tool.BtcMine.30": [[64, 79]], "Indicator: Backdoor.Win32.Cycbot": [[80, 101]]}, "info": {"id": "cyner2_5class_train_00264", "source": "cyner2_5class_train"}} +{"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github .", "spans": {"Malware: PRISM": [[163, 168]], "Organization: Github": [[225, 231]]}, "info": {"id": "cyner2_5class_train_00265", "source": "cyner2_5class_train"}} +{"text": "The server ’ s response is a json , containing a link to a .jar file , class name and method name to be executed with reflection API .", "spans": {}, "info": {"id": "cyner2_5class_train_00266", "source": "cyner2_5class_train"}} +{"text": "Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server.", "spans": {"Indicator: SSH brute-forcing network,": [[11, 37]], "Indicator: gain root access and full control": [[79, 112]], "System: targeted server.": [[120, 136]]}, "info": {"id": "cyner2_5class_train_00267", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Cosmu.ajmd Trojan.Win32.Cosmu.cptjv Trojan.Win32.Cosmu.ajmd Win32.HLLW.Zebra.2 TR/PSW.Facepass.oina Trojan/Cosmu.fqh PWS:Win32/Facepass.B Trojan.Win32.A.Cosmu.436714 Trojan.Cosmu W32/Cosmu.AJMD!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Cosmu.ajmd": [[26, 43]], "Indicator: Trojan.Win32.Cosmu.cptjv": [[44, 68]], "Indicator: Trojan.Win32.Cosmu.ajmd": [[69, 92]], "Indicator: Win32.HLLW.Zebra.2": [[93, 111]], "Indicator: 
TR/PSW.Facepass.oina": [[112, 132]], "Indicator: Trojan/Cosmu.fqh": [[133, 149]], "Indicator: PWS:Win32/Facepass.B": [[150, 170]], "Indicator: Trojan.Win32.A.Cosmu.436714": [[171, 198]], "Indicator: Trojan.Cosmu": [[199, 211]], "Indicator: W32/Cosmu.AJMD!tr": [[212, 229]], "Indicator: Trj/CI.A": [[230, 238]]}, "info": {"id": "cyner2_5class_train_00268", "source": "cyner2_5class_train"}} +{"text": "When we first discovered the OilRig attack campaign in May 2016, we believed at the time it was a unique attack campaign likely operated by a known, existing threat group.", "spans": {}, "info": {"id": "cyner2_5class_train_00269", "source": "cyner2_5class_train"}} +{"text": "An attacker is paid by the network when one of these apps is installed successfully .", "spans": {}, "info": {"id": "cyner2_5class_train_00270", "source": "cyner2_5class_train"}} +{"text": "To date , Unit 42 has seen four of the seven ( the first three in the list below , along with cdncool [ .", "spans": {"Indicator: cdncool [ .": [[94, 105]]}, "info": {"id": "cyner2_5class_train_00271", "source": "cyner2_5class_train"}} +{"text": "Sundown is something of an outlier from typical exploit kits.", "spans": {"Malware: Sundown": [[0, 7]], "Malware: exploit kits.": [[48, 61]]}, "info": {"id": "cyner2_5class_train_00272", "source": "cyner2_5class_train"}} +{"text": "The failure of Silicon Valley Bank SVB is a good opportunity for scammers to make a buck out of the crisis, warns the SANS™ Internet Storm Center ISS in Washington DC.", "spans": {"Organization: Silicon Valley Bank SVB": [[15, 38]], "Indicator: scammers": [[65, 73]], "Organization: the SANS™ Internet Storm Center ISS": [[114, 149]]}, "info": {"id": "cyner2_5class_train_00273", "source": "cyner2_5class_train"}} +{"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 .", "spans": {}, "info": {"id": "cyner2_5class_train_00274", "source": "cyner2_5class_train"}} 
+{"text": "For example, one version of the Shade cryptor checks victim computers for signs of accounting activity; if it finds any, it doesn't encrypt the files, but instead installs remote control tools in the infected system.", "spans": {"Malware: one version": [[13, 24]], "Malware: Shade cryptor": [[32, 45]], "System: victim computers": [[53, 69]], "Malware: remote control tools": [[172, 192]], "System: infected system.": [[200, 216]]}, "info": {"id": "cyner2_5class_train_00275", "source": "cyner2_5class_train"}} +{"text": "This post intends to share the results of our research.", "spans": {}, "info": {"id": "cyner2_5class_train_00276", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.KeyLogger.464896.C TrojanSpy.KeyLogger!s9RPvqhksKk Infostealer.Gampass Win32.BDSBackdoor Trojan-Spy.Win32.KeyLogger.gds BackDoor.Cyber Virus.Win32.Delf.DTW!IK TrojanSpy.KeyLogger.cquv Win-Trojan/Keylogger.464896.G Trojan.Win32.Scar.cmim Trojan-PSW.Gampass Virus.Win32.Delf.DTW W32/KeyLogger.GDS!tr PSW.Keylog.AE Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.KeyLogger.464896.C": [[26, 59]], "Indicator: TrojanSpy.KeyLogger!s9RPvqhksKk": [[60, 91]], "Indicator: Infostealer.Gampass": [[92, 111]], "Indicator: Win32.BDSBackdoor": [[112, 129]], "Indicator: Trojan-Spy.Win32.KeyLogger.gds": [[130, 160]], "Indicator: BackDoor.Cyber": [[161, 175]], "Indicator: Virus.Win32.Delf.DTW!IK": [[176, 199]], "Indicator: TrojanSpy.KeyLogger.cquv": [[200, 224]], "Indicator: Win-Trojan/Keylogger.464896.G": [[225, 254]], "Indicator: Trojan.Win32.Scar.cmim": [[255, 277]], "Indicator: Trojan-PSW.Gampass": [[278, 296]], "Indicator: Virus.Win32.Delf.DTW": [[297, 317]], "Indicator: W32/KeyLogger.GDS!tr": [[318, 338]], "Indicator: PSW.Keylog.AE": [[339, 352]], "Indicator: Trj/CI.A": [[353, 361]]}, "info": {"id": "cyner2_5class_train_00277", "source": "cyner2_5class_train"}} +{"text": "All that is needed is to get the original size of the DEX 
file and read everything that comes after this offset .", "spans": {}, "info": {"id": "cyner2_5class_train_00278", "source": "cyner2_5class_train"}} +{"text": "The appearance of such forms is generated on cybercriminals' command.", "spans": {}, "info": {"id": "cyner2_5class_train_00279", "source": "cyner2_5class_train"}} +{"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations .", "spans": {"System: Android": [[46, 53]]}, "info": {"id": "cyner2_5class_train_00280", "source": "cyner2_5class_train"}} +{"text": "CVE-2017-11882 Exploit 8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d is a Microsoft Word RTF document that exploits `CVE-2017-11882` stack buffer overflow vulnerability in the Microsoft Equation Editor`EQNEDT32.EXE`.", "spans": {"Indicator: CVE-2017-11882": [[0, 14]], "Vulnerability: Exploit": [[15, 22]], "Indicator: 8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d": [[23, 87]], "Indicator: Microsoft Word RTF document": [[93, 120]], "Vulnerability: exploits": [[126, 134]], "Indicator: `CVE-2017-11882`": [[135, 151]], "Vulnerability: stack buffer overflow vulnerability": [[152, 187]], "System: the Microsoft Equation Editor`EQNEDT32.EXE`.": [[191, 235]]}, "info": {"id": "cyner2_5class_train_00281", "source": "cyner2_5class_train"}} +{"text": "This IOC contains indicators for the BLACKCOFFEE malware family that is attributed to APT17.", "spans": {"Malware: BLACKCOFFEE malware": [[37, 56]]}, "info": {"id": "cyner2_5class_train_00282", "source": "cyner2_5class_train"}} +{"text": "More apps could be added to the grabber target list in the future , such as the ones that were targeted in older versions : Facebook WhatsApp Skype Twitter Chrome Instagram Snapchat Viber The following screenshot shows the generic card grabber overlay screen : Ginp generic grabber The current active target list is available in the appendix , containing a total of 24 unique 
targets .", "spans": {"System: Facebook": [[124, 132]], "System: WhatsApp": [[133, 141]], "System: Skype": [[142, 147]], "System: Twitter": [[148, 155]], "System: Chrome": [[156, 162]], "System: Instagram": [[163, 172]], "System: Snapchat": [[173, 181]], "System: Viber": [[182, 187]], "Malware: Ginp": [[261, 265]]}, "info": {"id": "cyner2_5class_train_00283", "source": "cyner2_5class_train"}} +{"text": "] 102 2020-03-29 http : //ora.blindsidefantasy [ .", "spans": {"Indicator: http : //ora.blindsidefantasy [ .": [[17, 50]]}, "info": {"id": "cyner2_5class_train_00284", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Neloweg TR/Drop.Elms.A PWS:Win32/Reder.B Trojan.Neloweg Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Neloweg": [[26, 40], [74, 88]], "Indicator: TR/Drop.Elms.A": [[41, 55]], "Indicator: PWS:Win32/Reder.B": [[56, 73]], "Indicator: Trj/CI.A": [[89, 97]]}, "info": {"id": "cyner2_5class_train_00285", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Inject.cvmjon Trojan.Taidoor TROJ_DROPPE.FS Trojan-Dropper.Win32.Injector.jmli Virus.Win32.Part.a TROJ_DROPPE.FS BehavesLike.Win32.Downloader.qm TrojanDropper.Injector.bmtq Trojan[Dropper]/Win32.Injector Win32.Troj.Injector.JM.kcloud Dropper/Win32.Injector TrojanDropper.Injector W32/Injector.JMLI!tr Trojan.Win32.Injector.aJX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Inject.cvmjon": [[26, 52]], "Indicator: Trojan.Taidoor": [[53, 67]], "Indicator: TROJ_DROPPE.FS": [[68, 82], [137, 151]], "Indicator: Trojan-Dropper.Win32.Injector.jmli": [[83, 117]], "Indicator: Virus.Win32.Part.a": [[118, 136]], "Indicator: BehavesLike.Win32.Downloader.qm": [[152, 183]], "Indicator: TrojanDropper.Injector.bmtq": [[184, 211]], "Indicator: Trojan[Dropper]/Win32.Injector": [[212, 242]], "Indicator: Win32.Troj.Injector.JM.kcloud": [[243, 272]], "Indicator: Dropper/Win32.Injector": [[273, 295]], "Indicator: 
TrojanDropper.Injector": [[296, 318]], "Indicator: W32/Injector.JMLI!tr": [[319, 339]], "Indicator: Trojan.Win32.Injector.aJX": [[340, 365]]}, "info": {"id": "cyner2_5class_train_00286", "source": "cyner2_5class_train"}} +{"text": "So we don't have a sensational hop from Linux Mirai to Windows Mirai just yet, that's just a silly statement.", "spans": {"System: Linux": [[40, 45]], "Malware: Mirai": [[46, 51], [63, 68]], "System: Windows": [[55, 62]]}, "info": {"id": "cyner2_5class_train_00287", "source": "cyner2_5class_train"}} +{"text": "A Trojan for Linux written in Go programming language.", "spans": {"Malware: Trojan for": [[2, 12]], "System: Linux": [[13, 18]], "System: Go programming language.": [[30, 54]]}, "info": {"id": "cyner2_5class_train_00288", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.ALCD Win32/Rimecud.CU TROJ_DROPPR.SMF Win32.Worm.Peerfrag.Aojj Win32.HLLW.Lime.18 Worm.Palevo.Win32.18245 TROJ_DROPPR.SMF BehavesLike.Win32.Madangel.cc W32/Risk.KNKR-8810 Trojan.Zusy.D421A9 Win32/Peerfrag.DI P2P-Worm.Win32.Palevo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: W32/Dropper.ALCD": [[69, 85]], "Indicator: Win32/Rimecud.CU": [[86, 102]], "Indicator: TROJ_DROPPR.SMF": [[103, 118], [187, 202]], "Indicator: Win32.Worm.Peerfrag.Aojj": [[119, 143]], "Indicator: Win32.HLLW.Lime.18": [[144, 162]], "Indicator: Worm.Palevo.Win32.18245": [[163, 186]], "Indicator: BehavesLike.Win32.Madangel.cc": [[203, 232]], "Indicator: W32/Risk.KNKR-8810": [[233, 251]], "Indicator: Trojan.Zusy.D421A9": [[252, 270]], "Indicator: Win32/Peerfrag.DI": [[271, 288]], "Indicator: P2P-Worm.Win32.Palevo": [[289, 310]]}, "info": {"id": "cyner2_5class_train_00289", "source": "cyner2_5class_train"}} +{"text": "Figure 10 .", "spans": {}, "info": {"id": "cyner2_5class_train_00290", "source": "cyner2_5class_train"}} +{"text": "( We named the 
spyware \" Exodus '' after this Command & Control domain name .", "spans": {}, "info": {"id": "cyner2_5class_train_00291", "source": "cyner2_5class_train"}} +{"text": "This variant, which we call MULTIGRAIN consists largely of a subset of slightly modified code from NewPosThings.", "spans": {"Malware: variant,": [[5, 13]], "Malware: MULTIGRAIN": [[28, 38]], "Malware: NewPosThings.": [[99, 112]]}, "info": {"id": "cyner2_5class_train_00292", "source": "cyner2_5class_train"}} +{"text": "Whether this is a permanent return to locky or a one off, I don't know at this stage, but Locky have vanished for while before returned.", "spans": {}, "info": {"id": "cyner2_5class_train_00293", "source": "cyner2_5class_train"}} +{"text": "It may even allow them to sell ad space directly to application developers .", "spans": {}, "info": {"id": "cyner2_5class_train_00294", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.SamDump.emgukv Uds.Dangerousobject.Multi!c Tool.SamDump.Win32.1 W32/Trojan.PXMQ-2326 TR/Rogue.9140774 PUP/Win32.SamDump.C241237 Riskware.HackTool!GhRtS0e2yEc Win32/Trojan.f29", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.SamDump.emgukv": [[26, 53]], "Indicator: Uds.Dangerousobject.Multi!c": [[54, 81]], "Indicator: Tool.SamDump.Win32.1": [[82, 102]], "Indicator: W32/Trojan.PXMQ-2326": [[103, 123]], "Indicator: TR/Rogue.9140774": [[124, 140]], "Indicator: PUP/Win32.SamDump.C241237": [[141, 166]], "Indicator: Riskware.HackTool!GhRtS0e2yEc": [[167, 196]], "Indicator: Win32/Trojan.f29": [[197, 213]]}, "info": {"id": "cyner2_5class_train_00295", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Dwn.ewbodt Trojan.Win32.Z.Starter.4103380 Trojan.DownLoader26.1573 BehavesLike.Win32.Dropper.wc Trojan.Win32.Chifrax W32/Trojan.BMGR-3693 Exploit:Win32/CplLnk.B Win32/Trojan.9b2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Dwn.ewbodt": [[26, 49]], "Indicator: 
Trojan.Win32.Z.Starter.4103380": [[50, 80]], "Indicator: Trojan.DownLoader26.1573": [[81, 105]], "Indicator: BehavesLike.Win32.Dropper.wc": [[106, 134]], "Indicator: Trojan.Win32.Chifrax": [[135, 155]], "Indicator: W32/Trojan.BMGR-3693": [[156, 176]], "Indicator: Exploit:Win32/CplLnk.B": [[177, 199]], "Indicator: Win32/Trojan.9b2": [[200, 216]]}, "info": {"id": "cyner2_5class_train_00296", "source": "cyner2_5class_train"}} +{"text": "Because of the recent outbreak of the Locky ransomware, Dridex has become synonymous with the distribution of ransomware more generally.", "spans": {"Malware: Locky ransomware,": [[38, 55]], "Malware: ransomware": [[110, 120]]}, "info": {"id": "cyner2_5class_train_00297", "source": "cyner2_5class_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00298", "source": "cyner2_5class_train"}} +{"text": "PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero.", "spans": {"Malware: PhotoMiner": [[0, 10]], "Indicator: unique infection mechanism, reaching endpoints by infecting websites hosted": [[22, 97]], "System: FTP servers": [[101, 112]], "Indicator: mining Monero.": [[135, 149]]}, "info": {"id": "cyner2_5class_train_00299", "source": "cyner2_5class_train"}} +{"text": "It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group s modus operandi.", "spans": {"Malware: malware;": [[93, 101]], "System: command and control infrastructure;": [[129, 164]]}, "info": {"id": "cyner2_5class_train_00300", "source": "cyner2_5class_train"}} +{"text": "That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were.", "spans": {"Indicator: domain,": [[5, 12]], 
"Indicator: electronicfrontierfoundation.org,": [[13, 46]], "Indicator: spear phishing attack,": [[140, 162]]}, "info": {"id": "cyner2_5class_train_00301", "source": "cyner2_5class_train"}} +{"text": "Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign.", "spans": {"Organization: Unit 42": [[11, 18]], "Malware: Disttrack samples": [[35, 52]]}, "info": {"id": "cyner2_5class_train_00302", "source": "cyner2_5class_train"}} +{"text": "The proliferation of Android devices – from smartphones to tablets and smart TVs – has opened up new possibilities for malware developers , as all these devices pack microphones , cameras and location-tracking hardware they can turn into the perfect spy tools .", "spans": {"Malware: Android": [[21, 28]]}, "info": {"id": "cyner2_5class_train_00303", "source": "cyner2_5class_train"}} +{"text": "For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox.", "spans": {"Malware: JHUHUGIT implant": [[18, 34]], "Vulnerability: Flash zero-day": [[59, 73]], "Malware: Windows EoP exploit": [[85, 104]]}, "info": {"id": "cyner2_5class_train_00304", "source": "cyner2_5class_train"}} +{"text": "However , our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016 , with a peak in March of more than 1,100 infections .", "spans": {}, "info": {"id": "cyner2_5class_train_00305", "source": "cyner2_5class_train"}} +{"text": "The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile.", "spans": {"Organization: organizations": [[146, 159]]}, "info": {"id": "cyner2_5class_train_00306", "source": "cyner2_5class_train"}} +{"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode .", "spans": {}, 
"info": {"id": "cyner2_5class_train_00307", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_BREDLAB.SMD Trojan-Spy.Win32.Spenir.as Application.Win32.BlkIC.IMG TROJ_BREDLAB.SMD Backdoor/SdBot.prb HeurEngine.ZeroDayThreat Trojan.Win32.ProcessHijack", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_BREDLAB.SMD": [[26, 42], [98, 114]], "Indicator: Trojan-Spy.Win32.Spenir.as": [[43, 69]], "Indicator: Application.Win32.BlkIC.IMG": [[70, 97]], "Indicator: Backdoor/SdBot.prb": [[115, 133]], "Indicator: HeurEngine.ZeroDayThreat": [[134, 158]], "Indicator: Trojan.Win32.ProcessHijack": [[159, 185]]}, "info": {"id": "cyner2_5class_train_00308", "source": "cyner2_5class_train"}} +{"text": "] infodavos-seaworth [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00309", "source": "cyner2_5class_train"}} +{"text": "It continues to spread across small and medium-sized businesses across the globe, using the modular Gorynych/Diamond Fox botnet to exfiltrate stolen data.", "spans": {"Organization: small": [[30, 35]], "Organization: medium-sized businesses": [[40, 63]], "Malware: Gorynych/Diamond Fox botnet": [[100, 127]], "Indicator: exfiltrate stolen data.": [[131, 154]]}, "info": {"id": "cyner2_5class_train_00310", "source": "cyner2_5class_train"}} +{"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe .", "spans": {"System: Android": [[26, 33]]}, "info": {"id": "cyner2_5class_train_00311", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan.Mobsularch Trojan.ArchSMS.Win32.7426 Trojan/ArchSMS.nkit Win32.Trojan.WisdomEyes.16070401.9500.9644 TROJ_MALICIOUS_BK083028.TOMC Win.Trojan.Archsms-4649 Riskware.Win32.ArchSMS.cqmlwf TrojWare.Win32.Zusy.AJ Trojan.Fraudster.336 Trojan-Banker.Win32.Banbra Hoax.ArchSMS.jho HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Mobsularch.A Trojan.Strictor.548 Win32.Trojan.ArchSMS.D 
Hoax.ArchSMS.nk Trojan.ArchSMS!pTXIElAMXBk W32/ArchSMS.VU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.ArchSMS!O": [[26, 46]], "Indicator: Trojan.Mobsularch": [[47, 64]], "Indicator: Trojan.ArchSMS.Win32.7426": [[65, 90]], "Indicator: Trojan/ArchSMS.nkit": [[91, 110]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9644": [[111, 153]], "Indicator: TROJ_MALICIOUS_BK083028.TOMC": [[154, 182]], "Indicator: Win.Trojan.Archsms-4649": [[183, 206]], "Indicator: Riskware.Win32.ArchSMS.cqmlwf": [[207, 236]], "Indicator: TrojWare.Win32.Zusy.AJ": [[237, 259]], "Indicator: Trojan.Fraudster.336": [[260, 280]], "Indicator: Trojan-Banker.Win32.Banbra": [[281, 307]], "Indicator: Hoax.ArchSMS.jho": [[308, 324]], "Indicator: HackTool[Hoax]/Win32.ArchSMS": [[325, 353]], "Indicator: Win32.Troj.Hoax.kcloud": [[354, 376]], "Indicator: Trojan:Win32/Mobsularch.A": [[377, 402]], "Indicator: Trojan.Strictor.548": [[403, 422]], "Indicator: Win32.Trojan.ArchSMS.D": [[423, 445]], "Indicator: Hoax.ArchSMS.nk": [[446, 461]], "Indicator: Trojan.ArchSMS!pTXIElAMXBk": [[462, 488]], "Indicator: W32/ArchSMS.VU!tr": [[489, 506]]}, "info": {"id": "cyner2_5class_train_00312", "source": "cyner2_5class_train"}} +{"text": "This is done using a series of syscalls as outlined below .", "spans": {}, "info": {"id": "cyner2_5class_train_00313", "source": "cyner2_5class_train"}} +{"text": "Palo Alto Networks has collected over 20 samples of this particular malware family, and we have identified over $70,000 USD in Bitcoin payments to the attacker Cisco Talos yesterday reported this figure to be closer to $115,000 USD.", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: samples": [[41, 48]], "Malware: malware family,": [[68, 83]], "Indicator: $70,000 USD in Bitcoin payments": [[112, 143]], "Organization: Cisco Talos": [[160, 171]]}, "info": {"id": "cyner2_5class_train_00314", "source": "cyner2_5class_train"}} +{"text": "] infokalisi [ .", "spans": {}, "info": {"id": 
"cyner2_5class_train_00315", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pitit.A3 HV_ABTITU_CG093139.RDXN TR/Barys.2445.24 Win32.Troj.Undef.kcloud Trojan.Kazy Trojan.Win32.Loader.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pitit.A3": [[26, 41]], "Indicator: HV_ABTITU_CG093139.RDXN": [[42, 65]], "Indicator: TR/Barys.2445.24": [[66, 82]], "Indicator: Win32.Troj.Undef.kcloud": [[83, 106]], "Indicator: Trojan.Kazy": [[107, 118]], "Indicator: Trojan.Win32.Loader.L": [[119, 140]]}, "info": {"id": "cyner2_5class_train_00316", "source": "cyner2_5class_train"}} +{"text": "A collection of domains registered by Pawn Storm/Sofacy/APT28/Fancy Bear to target organisations", "spans": {"Indicator: domains": [[16, 23]], "Organization: organisations": [[83, 96]]}, "info": {"id": "cyner2_5class_train_00317", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CoinMiner.A4 PUP.Optional.ChinAd W32.XiaobaMiner Win32/Oflwr.A!crypt Win.Trojan.Qhost-160 Trojan.Win32.BtcMine.exddfs Tool.BtcMine.1051 BehavesLike.Win32.Ransomware.th W32.Trojan.Qhost RiskWare/Win32.BitMiner.h Trojan.Forcud", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CoinMiner.A4": [[26, 42]], "Indicator: PUP.Optional.ChinAd": [[43, 62]], "Indicator: W32.XiaobaMiner": [[63, 78]], "Indicator: Win32/Oflwr.A!crypt": [[79, 98]], "Indicator: Win.Trojan.Qhost-160": [[99, 119]], "Indicator: Trojan.Win32.BtcMine.exddfs": [[120, 147]], "Indicator: Tool.BtcMine.1051": [[148, 165]], "Indicator: BehavesLike.Win32.Ransomware.th": [[166, 197]], "Indicator: W32.Trojan.Qhost": [[198, 214]], "Indicator: RiskWare/Win32.BitMiner.h": [[215, 240]], "Indicator: Trojan.Forcud": [[241, 254]]}, "info": {"id": "cyner2_5class_train_00318", "source": "cyner2_5class_train"}} +{"text": "While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits.", 
"spans": {"Malware: ransomware": [[38, 48], [115, 125]], "Indicator: infections": [[126, 136]], "Malware: exploit kits.": [[159, 172]]}, "info": {"id": "cyner2_5class_train_00319", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.1FBC Win32.Trojan.WisdomEyes.16070401.9500.9950 Win.Exploit.Countdown-1 BackDoor.Meterpreter.37 Troj.W32.Jorik.Skor.lrUS Trojan:Win64/Meterpreter.A Trojan/Win32.Swrort.C695042", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.1FBC": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9950": [[43, 85]], "Indicator: Win.Exploit.Countdown-1": [[86, 109]], "Indicator: BackDoor.Meterpreter.37": [[110, 133]], "Indicator: Troj.W32.Jorik.Skor.lrUS": [[134, 158]], "Indicator: Trojan:Win64/Meterpreter.A": [[159, 185]], "Indicator: Trojan/Win32.Swrort.C695042": [[186, 213]]}, "info": {"id": "cyner2_5class_train_00320", "source": "cyner2_5class_train"}} +{"text": "We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.", "spans": {"Vulnerability: that enable IAPs using SMS messages,": [[57, 93]], "Vulnerability: access to all SMS messages": [[123, 149]]}, "info": {"id": "cyner2_5class_train_00321", "source": "cyner2_5class_train"}} +{"text": "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm", "spans": {"Organization: U.S. 
Allies": [[0, 11]], "Organization: Rivals Digest Trump's Victory": [[16, 45]], "Indicator: Peace.docm": [[85, 95]]}, "info": {"id": "cyner2_5class_train_00322", "source": "cyner2_5class_train"}} +{"text": "Intrigued , we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_00323", "source": "cyner2_5class_train"}} +{"text": "In the example server response below , the green fields show text to be shown to the user .", "spans": {}, "info": {"id": "cyner2_5class_train_00324", "source": "cyner2_5class_train"}} +{"text": "During the course of our research, it became evident that this actor had not built uWarrior from scratch, but rather opted to borrow components from several off-the-shelf tools.", "spans": {"Organization: actor": [[63, 68]], "Malware: uWarrior": [[83, 91]], "Malware: off-the-shelf tools.": [[157, 177]]}, "info": {"id": "cyner2_5class_train_00325", "source": "cyner2_5class_train"}} +{"text": "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack the Linux Mint website to point to it.", "spans": {"System: Linux Mint ISO,": [[24, 39]], "Malware: backdoor": [[47, 55]], "Indicator: hack the Linux Mint website": [[78, 105]]}, "info": {"id": "cyner2_5class_train_00326", "source": "cyner2_5class_train"}} +{"text": "Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API .", "spans": {"Indicator: framework.jar": [[12, 25]], "System: Android": [[85, 92]]}, "info": {"id": "cyner2_5class_train_00327", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.BindFile!O Trojan/Dropper.BindFile.a W32/Dropper.LIP Trojan.Spy-681 Trojan-Dropper.Win32.BindFile.e Trojan.Win32.BindFile.dcyo Trojan.Win32.BindFile.188416 PE:Dropper.BindFile.h!1173781522 TrojWare.Win32.TrojanDropper.BindFile.A Trojan.Progress.10 
TrojanDropper.ExeBind.Mfc2 Dropper/Bindfile.496648 W32/Risk.SLHR-7237 Win32/TrojanDropper.BindFile.A Trojan-Dropper.Win32.BindFile W32/BindFile.A!tr Trojan.Win32.BindFile.bA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.BindFile!O": [[26, 57]], "Indicator: Trojan/Dropper.BindFile.a": [[58, 83]], "Indicator: W32/Dropper.LIP": [[84, 99]], "Indicator: Trojan.Spy-681": [[100, 114]], "Indicator: Trojan-Dropper.Win32.BindFile.e": [[115, 146]], "Indicator: Trojan.Win32.BindFile.dcyo": [[147, 173]], "Indicator: Trojan.Win32.BindFile.188416": [[174, 202]], "Indicator: PE:Dropper.BindFile.h!1173781522": [[203, 235]], "Indicator: TrojWare.Win32.TrojanDropper.BindFile.A": [[236, 275]], "Indicator: Trojan.Progress.10": [[276, 294]], "Indicator: TrojanDropper.ExeBind.Mfc2": [[295, 321]], "Indicator: Dropper/Bindfile.496648": [[322, 345]], "Indicator: W32/Risk.SLHR-7237": [[346, 364]], "Indicator: Win32/TrojanDropper.BindFile.A": [[365, 395]], "Indicator: Trojan-Dropper.Win32.BindFile": [[396, 425]], "Indicator: W32/BindFile.A!tr": [[426, 443]], "Indicator: Trojan.Win32.BindFile.bA": [[444, 468]]}, "info": {"id": "cyner2_5class_train_00328", "source": "cyner2_5class_train"}} +{"text": "The attacks described here begin with a banking credential phishing scheme , followed by an attempt to trick the victim into installing Marcher , and finally with attempts to steal credit card information by the banking Trojan itself .", "spans": {"Malware: Marcher": [[136, 143]]}, "info": {"id": "cyner2_5class_train_00329", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Kryptik.aspo JAVA_EXPLOIT.TCC JAVA_EXPLOIT.TCC Win.Trojan.Hydraq-219 Exploit.Java.CVE20131493.cqvzpg Java.S.EX-CVE-2013-1493.206981 Exploit.Java.509 EXP/Java.HLP.JM W32/Kryptik.ASPO Trojan.Graftor.D13511 Exploit.Java.CVE-2013-1493 Java/Exploit.CVE-2013-1493.AL Unk.Win32.Script.400440 Trojan.Plugax!dr/f2r5A7aY Exploit.Java.HLP virus.java.cve-2013-1493.c", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Kryptik.aspo": [[26, 45]], "Indicator: JAVA_EXPLOIT.TCC": [[46, 62], [63, 79]], "Indicator: Win.Trojan.Hydraq-219": [[80, 101]], "Indicator: Exploit.Java.CVE20131493.cqvzpg": [[102, 133]], "Indicator: Java.S.EX-CVE-2013-1493.206981": [[134, 164]], "Indicator: Exploit.Java.509": [[165, 181]], "Indicator: EXP/Java.HLP.JM": [[182, 197]], "Indicator: W32/Kryptik.ASPO": [[198, 214]], "Indicator: Trojan.Graftor.D13511": [[215, 236]], "Indicator: Exploit.Java.CVE-2013-1493": [[237, 263]], "Indicator: Java/Exploit.CVE-2013-1493.AL": [[264, 293]], "Indicator: Unk.Win32.Script.400440": [[294, 317]], "Indicator: Trojan.Plugax!dr/f2r5A7aY": [[318, 343]], "Indicator: Exploit.Java.HLP": [[344, 360]], "Indicator: virus.java.cve-2013-1493.c": [[361, 387]]}, "info": {"id": "cyner2_5class_train_00330", "source": "cyner2_5class_train"}} +{"text": "We have seen Angler to be using bedep as its payload but adding vawtrak in its arsenal is something we haven't seen in the past until recently.", "spans": {"Malware: Angler": [[13, 19]], "Malware: bedep": [[32, 37]], "Malware: payload": [[45, 52]], "Malware: vawtrak": [[64, 71]]}, "info": {"id": "cyner2_5class_train_00331", "source": "cyner2_5class_train"}} +{"text": "Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources.", "spans": {"Indicator: implant JavaScript": [[41, 59]], "Indicator: login pages": [[72, 83]], "Indicator: steal employee credentials": [[121, 147]], "Indicator: login to access internal corporate resources.": [[156, 201]]}, "info": {"id": "cyner2_5class_train_00332", "source": "cyner2_5class_train"}} +{"text": "Since then , the implant ’ s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified 
location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals .", "spans": {"System: WhatsApp": [[241, 249]]}, "info": {"id": "cyner2_5class_train_00333", "source": "cyner2_5class_train"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner2_5class_train_00334", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper BKDR_QBOT.SM Win32.Trojan-Dropper.Small.s Win32/Qakbot.KR BKDR_QBOT.SM Trojan.Win32.Gamania.tghgw Trojan.Win32.A.Mbro.191488 Trojan.PWS.Gamania.36525 W32/Trojan.XMWQ-0223 Trojan[Backdoor]/Win32.QBot TrojanDropper:Win32/Qakbot.A Dropper/Win32.Injector.R30051 Win32/TrojanDropper.Small.NMS Trojan.Kryptik!nABTr99RVjs Backdoor.Win32.Qakbot W32/Dropper.NMS!tr Win32/Trojan.a58", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper": [[26, 40]], "Indicator: BKDR_QBOT.SM": [[41, 53], [99, 111]], "Indicator: Win32.Trojan-Dropper.Small.s": [[54, 82]], "Indicator: Win32/Qakbot.KR": [[83, 98]], "Indicator: Trojan.Win32.Gamania.tghgw": [[112, 138]], "Indicator: Trojan.Win32.A.Mbro.191488": [[139, 165]], "Indicator: Trojan.PWS.Gamania.36525": [[166, 190]], "Indicator: W32/Trojan.XMWQ-0223": [[191, 211]], "Indicator: Trojan[Backdoor]/Win32.QBot": [[212, 239]], "Indicator: TrojanDropper:Win32/Qakbot.A": [[240, 268]], "Indicator: Dropper/Win32.Injector.R30051": [[269, 298]], "Indicator: Win32/TrojanDropper.Small.NMS": [[299, 328]], "Indicator: Trojan.Kryptik!nABTr99RVjs": [[329, 355]], "Indicator: Backdoor.Win32.Qakbot": [[356, 377]], "Indicator: W32/Dropper.NMS!tr": [[378, 396]], "Indicator: Win32/Trojan.a58": [[397, 413]]}, "info": {"id": "cyner2_5class_train_00335", "source": "cyner2_5class_train"}} +{"text": "You can check the status of Google Play Protect on your device : Open your Android device 's Google Play Store app .", "spans": {"System: Google Play Protect": [[28, 47]], "System: Google Play Store": 
[[93, 110]]}, "info": {"id": "cyner2_5class_train_00336", "source": "cyner2_5class_train"}} +{"text": "All of these Google Play Store pages have been taken down by Google .", "spans": {"System: Google Play Store": [[13, 30]], "Organization: Google": [[61, 67]]}, "info": {"id": "cyner2_5class_train_00337", "source": "cyner2_5class_train"}} +{"text": "As of September 17th Dyreza now counts an additional twenty organizations directly involved in Fulfillment and Warehousing; four software companies that support Fulfillment and Warehousing; five Wholesale Computer Distributors; and its credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems and many other well-known consumer- and business-facing technology and service brands.", "spans": {"Malware: Dyreza": [[21, 27]], "Organization: organizations": [[60, 73]], "Organization: Fulfillment": [[95, 106], [161, 172]], "Organization: Warehousing;": [[111, 123], [177, 189]], "Organization: software companies": [[129, 147]], "Organization: Wholesale Computer Distributors;": [[195, 227]], "Organization: Apple, Iron Mountain, OtterBox": [[270, 300]], "Organization: Badge Graphics Systems": [[305, 327]], "Organization: consumer-": [[354, 363]], "Organization: business-facing technology": [[368, 394]], "Organization: service brands.": [[399, 414]]}, "info": {"id": "cyner2_5class_train_00338", "source": "cyner2_5class_train"}} +{"text": "This malware possesses the ability to Collect information about an infected computer and transfer it to the command and control server.", "spans": {"Malware: malware": [[5, 12]], "System: infected computer": [[67, 84]], "Indicator: command and control server.": [[108, 135]]}, "info": {"id": "cyner2_5class_train_00339", "source": "cyner2_5class_train"}} +{"text": "Malware isn't usually thought to be old, but a recent phishing campaign using the MyDoom worm has shown that old tools can still be used to lure users into malware.", "spans": {"Malware: Malware": [[0, 
7]], "Malware: the MyDoom worm": [[78, 93]], "Malware: malware.": [[156, 164]]}, "info": {"id": "cyner2_5class_train_00340", "source": "cyner2_5class_train"}} +{"text": "2015–2016 Starting from mid-2015 , the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C & C : Also starting with the same version , data is sent in a POST request to the relative address with the format “ / [ number ] ” ( a pseudo-randomly generated number in the range 0–9999 ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00341", "source": "cyner2_5class_train"}} +{"text": "SSL is typically used to encrypt data between the client and the server, thus making the content unreadable by any systems sitting between the two end points, and significantly raising the cost of defence.", "spans": {}, "info": {"id": "cyner2_5class_train_00342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Zapchast.113152 Backdoor.KeyBoy Trojan.Zapchast.Win32.29227 Trojan.Heur.LP.EDDB38 Win32.Trojan.WisdomEyes.151026.9950.9999 Backdoor.Kboy Trojan.Win32.Zapchast.afhn Trojan.Win32.Zapchast.cjltha Win32.Trojan.Zapchast.Htcu BehavesLike.Win32.GameVance.ch Trojan/Zapchast.iik TR/Spy.113152.29 Trojan/Win32.Zapchast Backdoor.Win32.KeyBoy.113152[h] Win-Trojan/Keyboy.113152 Trojan.Win32.Zapchast.afhn Trojan.Zapchast!0ThicNhZU3g Trojan.Win32.Zapchast W32/Zapchast.AFHN!tr Win32/Trojan.020", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Zapchast.113152": [[26, 52]], "Indicator: Backdoor.KeyBoy": [[53, 68]], "Indicator: Trojan.Zapchast.Win32.29227": [[69, 96]], "Indicator: Trojan.Heur.LP.EDDB38": [[97, 118]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[119, 159]], "Indicator: Backdoor.Kboy": [[160, 173]], "Indicator: Trojan.Win32.Zapchast.afhn": [[174, 200], [404, 430]], "Indicator: Trojan.Win32.Zapchast.cjltha": [[201, 229]], "Indicator: Win32.Trojan.Zapchast.Htcu": [[230, 256]], "Indicator: 
BehavesLike.Win32.GameVance.ch": [[257, 287]], "Indicator: Trojan/Zapchast.iik": [[288, 307]], "Indicator: TR/Spy.113152.29": [[308, 324]], "Indicator: Trojan/Win32.Zapchast": [[325, 346]], "Indicator: Backdoor.Win32.KeyBoy.113152[h]": [[347, 378]], "Indicator: Win-Trojan/Keyboy.113152": [[379, 403]], "Indicator: Trojan.Zapchast!0ThicNhZU3g": [[431, 458]], "Indicator: Trojan.Win32.Zapchast": [[459, 480]], "Indicator: W32/Zapchast.AFHN!tr": [[481, 501]], "Indicator: Win32/Trojan.020": [[502, 518]]}, "info": {"id": "cyner2_5class_train_00343", "source": "cyner2_5class_train"}} +{"text": "Bot communicates with the botmaster using non-standard protocol built on top of TCP.", "spans": {"Malware: Bot": [[0, 3]], "Malware: botmaster": [[26, 35]], "Indicator: non-standard protocol built on top of TCP.": [[42, 84]]}, "info": {"id": "cyner2_5class_train_00344", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.QQKiller.183808 Trojan.Qqkiller.A Trojan.QQKiller.Win32.2 Trojan.Qqkiller.A Trojan/QQKiller.a Trojan.QQKiller!Y2SikmBtqEk Win32/QQKiller.A TROJ_QQKILLER.A Trojan.Win32.QQKiller.a Trojan.Win32.QQKiller.erxn Trojan.Win32.A.QQKiller.183808[h] Trojan.Qqkiller.A TrojWare.Win32.QQKiller.A Trojan.Qqkiller.A Trojan.Nudeq TROJ_QQKILLER.A BehavesLike.Win32.HLLPPhilis.cc W32/Trojan.ELFE-7308 Trojan/Win32.QQKiller TR/QQKiller.2 W32/GWGhost.A!tr Trojan/Win32.QQKiller Trojan.Qqkiller.A Troj.W32.QQKiller.a!c Win-Trojan/QQKiller.183808 Trojan.QQKiller Win32.Trojan.Qqkiller.Szkz Trojan.Win32.QQKiller Trojan.Qqkiller.A Trojan.Win32.QQKiller.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.QQKiller.183808": [[26, 52]], "Indicator: Trojan.Qqkiller.A": [[53, 70], [95, 112], [277, 294], [321, 338], [496, 513], [628, 645]], "Indicator: Trojan.QQKiller.Win32.2": [[71, 94]], "Indicator: Trojan/QQKiller.a": [[113, 130]], "Indicator: Trojan.QQKiller!Y2SikmBtqEk": [[131, 158]], "Indicator: Win32/QQKiller.A": [[159, 175]], "Indicator: 
TROJ_QQKILLER.A": [[176, 191], [352, 367]], "Indicator: Trojan.Win32.QQKiller.a": [[192, 215], [646, 669]], "Indicator: Trojan.Win32.QQKiller.erxn": [[216, 242]], "Indicator: Trojan.Win32.A.QQKiller.183808[h]": [[243, 276]], "Indicator: TrojWare.Win32.QQKiller.A": [[295, 320]], "Indicator: Trojan.Nudeq": [[339, 351]], "Indicator: BehavesLike.Win32.HLLPPhilis.cc": [[368, 399]], "Indicator: W32/Trojan.ELFE-7308": [[400, 420]], "Indicator: Trojan/Win32.QQKiller": [[421, 442], [474, 495]], "Indicator: TR/QQKiller.2": [[443, 456]], "Indicator: W32/GWGhost.A!tr": [[457, 473]], "Indicator: Troj.W32.QQKiller.a!c": [[514, 535]], "Indicator: Win-Trojan/QQKiller.183808": [[536, 562]], "Indicator: Trojan.QQKiller": [[563, 578]], "Indicator: Win32.Trojan.Qqkiller.Szkz": [[579, 605]], "Indicator: Trojan.Win32.QQKiller": [[606, 627]]}, "info": {"id": "cyner2_5class_train_00345", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Duqu.24960.B Trojan.Win32.Duqu!O Trojan/Duqu.a Trojan.Duqu.1 Win32.Trojan.WisdomEyes.16070401.9500.9896 W32/Duqu.C W32.Duqu Win32/Duqu.A RTKT_DUQU.SME Win.Trojan.Duqu-7 Trojan.Win32.Duqu.a Trojan.Win32.Duqu.eorzg Trojan.Win32.Duqu.24960 TrojWare.Win32.Duqu.A Trojan.Duqu.2 Trojan.Duqu.Win32.2 RTKT_DUQU.SME W32/Duqu.BOQU-9196 Trojan/Duqu.b TR/Duqu.A.1 Trojan/Win32.Duqu Trojan:WinNT/Duqu.B Troj.W32.Duqu.a!c Trojan.Win32.Duqu.a Trojan/Win32.Duqu.R13984 Trojan.Duqu.2102 Win32/Duqu.A Win32.Trojan.Duqu.Pjnh Trojan.Duqu!o6SU6/Pq/F4 Trojan.Win32.Duqu W32/Duqu.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Duqu.24960.B": [[26, 49]], "Indicator: Trojan.Win32.Duqu!O": [[50, 69]], "Indicator: Trojan/Duqu.a": [[70, 83]], "Indicator: Trojan.Duqu.1": [[84, 97]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9896": [[98, 140]], "Indicator: W32/Duqu.C": [[141, 151]], "Indicator: W32.Duqu": [[152, 160]], "Indicator: Win32/Duqu.A": [[161, 173], [507, 519]], "Indicator: RTKT_DUQU.SME": [[174, 187], [330, 343]], 
"Indicator: Win.Trojan.Duqu-7": [[188, 205]], "Indicator: Trojan.Win32.Duqu.a": [[206, 225], [445, 464]], "Indicator: Trojan.Win32.Duqu.eorzg": [[226, 249]], "Indicator: Trojan.Win32.Duqu.24960": [[250, 273]], "Indicator: TrojWare.Win32.Duqu.A": [[274, 295]], "Indicator: Trojan.Duqu.2": [[296, 309]], "Indicator: Trojan.Duqu.Win32.2": [[310, 329]], "Indicator: W32/Duqu.BOQU-9196": [[344, 362]], "Indicator: Trojan/Duqu.b": [[363, 376]], "Indicator: TR/Duqu.A.1": [[377, 388]], "Indicator: Trojan/Win32.Duqu": [[389, 406]], "Indicator: Trojan:WinNT/Duqu.B": [[407, 426]], "Indicator: Troj.W32.Duqu.a!c": [[427, 444]], "Indicator: Trojan/Win32.Duqu.R13984": [[465, 489]], "Indicator: Trojan.Duqu.2102": [[490, 506]], "Indicator: Win32.Trojan.Duqu.Pjnh": [[520, 542]], "Indicator: Trojan.Duqu!o6SU6/Pq/F4": [[543, 566]], "Indicator: Trojan.Win32.Duqu": [[567, 584]], "Indicator: W32/Duqu.A!tr": [[585, 598]]}, "info": {"id": "cyner2_5class_train_00346", "source": "cyner2_5class_train"}} +{"text": "We identified 42 apps on Google Play as belonging to the campaign , which had been running since July 2018 .", "spans": {"System: Google Play": [[25, 36]]}, "info": {"id": "cyner2_5class_train_00347", "source": "cyner2_5class_train"}} +{"text": "The malware takes these steps : Check if the system master boot record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll ) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode .", "spans": {"Indicator: 0xD289C989C089": [[110, 124]], "Indicator: 
msvcr90.dll": [[368, 379]], "Indicator: winlogon.exe": [[387, 399]], "Indicator: user32.dll": [[413, 423]], "Indicator: KernelCallbackTable": [[452, 471]], "Indicator: win32k.sys": [[638, 648]]}, "info": {"id": "cyner2_5class_train_00348", "source": "cyner2_5class_train"}} +{"text": "Versions overview The DenDroid code base was kept to such an extent that even the original base64-encoded password was kept .", "spans": {"Malware: DenDroid": [[22, 30]]}, "info": {"id": "cyner2_5class_train_00349", "source": "cyner2_5class_train"}} +{"text": "The small or limited number is understandable given the nature of this campaign , but we also expect it to increase or even diversify in terms of distribution .", "spans": {}, "info": {"id": "cyner2_5class_train_00350", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O Trojan.Shamoon.1 trojan.win32.skeeyah.a!bit Win32.Trojan.WisdomEyes.16070401.9500.9991 W32.Disttrack.B WORM_DISTTRACK.SMC Win.Dropper.DistTrack-5744784-0 Backdoor.Win32.RemoteConnection.d Trojan.Win32.RemoteConnection.ekxrsg WORM_DISTTRACK.SMC Backdoor.RemoteConnection.a Trojan[Backdoor]/Win32.RemoteConnection Trojan:Win32/Depriz.E!dha Backdoor/Win32.RemoteConnection.C1761738 Backdoor.RemoteConnection!lEVCTonUnuw Trojan.Win32.Depriz Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Gamarue.2!O": [[26, 61]], "Indicator: Trojan.Shamoon.1": [[62, 78]], "Indicator: trojan.win32.skeeyah.a!bit": [[79, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[106, 148]], "Indicator: W32.Disttrack.B": [[149, 164]], "Indicator: WORM_DISTTRACK.SMC": [[165, 183], [287, 305]], "Indicator: Win.Dropper.DistTrack-5744784-0": [[184, 215]], "Indicator: Backdoor.Win32.RemoteConnection.d": [[216, 249]], "Indicator: Trojan.Win32.RemoteConnection.ekxrsg": [[250, 286]], "Indicator: Backdoor.RemoteConnection.a": [[306, 333]], "Indicator: Trojan[Backdoor]/Win32.RemoteConnection": 
[[334, 373]], "Indicator: Trojan:Win32/Depriz.E!dha": [[374, 399]], "Indicator: Backdoor/Win32.RemoteConnection.C1761738": [[400, 440]], "Indicator: Backdoor.RemoteConnection!lEVCTonUnuw": [[441, 478]], "Indicator: Trojan.Win32.Depriz": [[479, 498]], "Indicator: Trj/GdSda.A": [[499, 510]]}, "info": {"id": "cyner2_5class_train_00351", "source": "cyner2_5class_train"}} +{"text": "Perhaps more information on XLoader will be known in the future .", "spans": {"Malware: XLoader": [[28, 35]]}, "info": {"id": "cyner2_5class_train_00352", "source": "cyner2_5class_train"}} +{"text": "The backdoor code is believed to have been left by mistake by the authors after completing the debugging process .", "spans": {}, "info": {"id": "cyner2_5class_train_00353", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Winsy Trojan.Win32.Winsy Trojan.Winsy Trojan.Winsy W32/Trojan.MBSD-8108 Trojan.Winsy Trojan.Win32.Winsy Trojan.Winsy Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Winsy": [[26, 38], [58, 70], [71, 83], [105, 117], [137, 149]], "Indicator: Trojan.Win32.Winsy": [[39, 57], [118, 136]], "Indicator: W32/Trojan.MBSD-8108": [[84, 104]], "Indicator: Trj/CI.A": [[150, 158]]}, "info": {"id": "cyner2_5class_train_00354", "source": "cyner2_5class_train"}} +{"text": "The DGA hosted site further serves up a list of domains that are cycled through for C2.", "spans": {"Indicator: DGA hosted site": [[4, 19]], "Indicator: domains": [[48, 55]], "Indicator: C2.": [[84, 87]]}, "info": {"id": "cyner2_5class_train_00355", "source": "cyner2_5class_train"}} +{"text": "Some are first uploaded with all the necessary code except the one line that actually initializes the billing process .", "spans": {}, "info": {"id": "cyner2_5class_train_00356", "source": "cyner2_5class_train"}} +{"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon .", "spans": {"Organization: BLU": [[25, 28]], 
"Organization: Kryptowire": [[52, 62]], "Organization: Google": [[86, 92]], "Organization: Adups": [[95, 100]], "Organization: Amazon": [[105, 111]]}, "info": {"id": "cyner2_5class_train_00357", "source": "cyner2_5class_train"}} +{"text": "Analysis of the additional spyware modules is future work .", "spans": {}, "info": {"id": "cyner2_5class_train_00358", "source": "cyner2_5class_train"}} +{"text": "Today's blog reviews recent activity from these EITest HoeflerText popups on August 30, 2017 to discover more about this recent change.", "spans": {"Indicator: EITest HoeflerText popups": [[48, 73]]}, "info": {"id": "cyner2_5class_train_00359", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Exploit.DebPloit.A Trojan-Exploit/W32.DebPloit.45056 Exploit.DebPloit.Win32.4 Trojan/Exploit.DebPloit Trojan.Exploit.DebPloit.A Trojan.Exploit.DebPloit.A Exploit.DebPloit!VRtQm5q2mnY TROJ_DEPLOIT.A Exploit.Win32.DebPloit Exploit.Win32.DebPloit.yfoid Exploit.DebPloit.45056[h] Trojan.Exploit.DebPloit.A TrojWare.Win32.Exploit.DebPloit Trojan.Exploit.DebPloit.A BackDoor.Bifrost.634 TROJ_DEPLOIT.A W32/Risk.CTWU-4612 Exploit.WinNT.DebPloit Trojan[Exploit]/Win32.DebPloit WinNT.Hack.DebPloit.kcloud Win-Trojan/Debploit.45056.B Trojan.Exploit.DebPloit.A Trojan.Exploit.DebPloit.A Win32/Exploit.DebPloit Win32.Exploit.Debploit.Wptu W32/Debploit.B!tr Exploit.OY Trojan.Win32.DebPloit.aa Win32/Trojan.Exploit.672", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.DebPloit.A": [[26, 51], [135, 160], [161, 186], [309, 334], [367, 392], [557, 582], [583, 608]], "Indicator: Trojan-Exploit/W32.DebPloit.45056": [[52, 85]], "Indicator: Exploit.DebPloit.Win32.4": [[86, 110]], "Indicator: Trojan/Exploit.DebPloit": [[111, 134]], "Indicator: Exploit.DebPloit!VRtQm5q2mnY": [[187, 215]], "Indicator: TROJ_DEPLOIT.A": [[216, 230], [414, 428]], "Indicator: Exploit.Win32.DebPloit": [[231, 253]], "Indicator: Exploit.Win32.DebPloit.yfoid": [[254, 282]], "Indicator: 
Exploit.DebPloit.45056[h]": [[283, 308]], "Indicator: TrojWare.Win32.Exploit.DebPloit": [[335, 366]], "Indicator: BackDoor.Bifrost.634": [[393, 413]], "Indicator: W32/Risk.CTWU-4612": [[429, 447]], "Indicator: Exploit.WinNT.DebPloit": [[448, 470]], "Indicator: Trojan[Exploit]/Win32.DebPloit": [[471, 501]], "Indicator: WinNT.Hack.DebPloit.kcloud": [[502, 528]], "Indicator: Win-Trojan/Debploit.45056.B": [[529, 556]], "Indicator: Win32/Exploit.DebPloit": [[609, 631]], "Indicator: Win32.Exploit.Debploit.Wptu": [[632, 659]], "Indicator: W32/Debploit.B!tr": [[660, 677]], "Indicator: Exploit.OY": [[678, 688]], "Indicator: Trojan.Win32.DebPloit.aa": [[689, 713]], "Indicator: Win32/Trojan.Exploit.672": [[714, 738]]}, "info": {"id": "cyner2_5class_train_00360", "source": "cyner2_5class_train"}} +{"text": "Around New Year, the Emsisoft Lab team was alerted to the presence of a new Globe variant, Globe3, which was infecting users using a new mode of operation.", "spans": {"Organization: Emsisoft Lab team": [[21, 38]], "Malware: Globe": [[76, 81]], "Malware: Globe3,": [[91, 98]], "Organization: users": [[119, 124]]}, "info": {"id": "cyner2_5class_train_00361", "source": "cyner2_5class_train"}} +{"text": "We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies .", "spans": {"Malware: XLoader": [[22, 29]]}, "info": {"id": "cyner2_5class_train_00362", "source": "cyner2_5class_train"}} +{"text": "The DNS protocol is unlikely to be blocked allowing free communications out of the network and its use is unlikely to raise suspicion among network defenders.", "spans": {"System: DNS": [[4, 7]], "Vulnerability: protocol is unlikely to be blocked": [[8, 42]], "Vulnerability: free communications out of the network": [[52, 90]]}, "info": {"id": "cyner2_5class_train_00363", "source": "cyner2_5class_train"}} +{"text": "UNIQUE FEATURES BY VERSION EventBot Version 0.0.0.1 RC4 and Base64 Packet Encryption EventBot RC4 and Base64 
data decryption from the C2 RC4 and Base64 data decryption from the C2 .", "spans": {"Malware: EventBot": [[27, 35], [85, 93]]}, "info": {"id": "cyner2_5class_train_00364", "source": "cyner2_5class_train"}} +{"text": "henbox_2 Figure 1 Uyghurapps [ .", "spans": {"Indicator: Uyghurapps [ .": [[18, 32]]}, "info": {"id": "cyner2_5class_train_00365", "source": "cyner2_5class_train"}} +{"text": "Phishing targeting Google Docs", "spans": {"Indicator: Phishing": [[0, 8]], "System: Google Docs": [[19, 30]]}, "info": {"id": "cyner2_5class_train_00366", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Shiz.102400.S Backdoor.Win32.Shiz!O Backdoor/Shiz.fhrr Win32.Trojan.WisdomEyes.16070401.9500.9971 Win.Trojan.Shiz-787 Trojan.Win32.Shiz.whgln Trojan.KeyLogger.14845 Backdoor.Shiz.Win32.3116 BehavesLike.Win32.BadFile.cm Backdoor.Win32.Shiz Backdoor/Shiz.edz TR/Rogue.kdz.957021 Trojan[Backdoor]/Win32.Shiz Trojan.Zusy.D419A Trojan:Win32/Nahip.A Backdoor/Win32.Shiz.R34442 Win32/Spy.KeyLogger.NWE W32/KeyLogger.AFN!tr Backdoor.Shiz Win32/Trojan.460", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Shiz.102400.S": [[26, 52]], "Indicator: Backdoor.Win32.Shiz!O": [[53, 74]], "Indicator: Backdoor/Shiz.fhrr": [[75, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9971": [[94, 136]], "Indicator: Win.Trojan.Shiz-787": [[137, 156]], "Indicator: Trojan.Win32.Shiz.whgln": [[157, 180]], "Indicator: Trojan.KeyLogger.14845": [[181, 203]], "Indicator: Backdoor.Shiz.Win32.3116": [[204, 228]], "Indicator: BehavesLike.Win32.BadFile.cm": [[229, 257]], "Indicator: Backdoor.Win32.Shiz": [[258, 277]], "Indicator: Backdoor/Shiz.edz": [[278, 295]], "Indicator: TR/Rogue.kdz.957021": [[296, 315]], "Indicator: Trojan[Backdoor]/Win32.Shiz": [[316, 343]], "Indicator: Trojan.Zusy.D419A": [[344, 361]], "Indicator: Trojan:Win32/Nahip.A": [[362, 382]], "Indicator: Backdoor/Win32.Shiz.R34442": [[383, 409]], "Indicator: Win32/Spy.KeyLogger.NWE": [[410, 
433]], "Indicator: W32/KeyLogger.AFN!tr": [[434, 454]], "Indicator: Backdoor.Shiz": [[455, 468]], "Indicator: Win32/Trojan.460": [[469, 485]]}, "info": {"id": "cyner2_5class_train_00367", "source": "cyner2_5class_train"}} +{"text": "] addroider.com ’ .", "spans": {}, "info": {"id": "cyner2_5class_train_00368", "source": "cyner2_5class_train"}} +{"text": "When the current app on the foreground matches with an app targeted by the malware , the Trojan will show the corresponding phishing overlay , making the user think it is the app that was just started .", "spans": {}, "info": {"id": "cyner2_5class_train_00369", "source": "cyner2_5class_train"}} +{"text": "In one case, the casino website was a direct gateway to Angler EK.", "spans": {"Indicator: casino website": [[17, 31]], "Malware: Angler EK.": [[56, 66]]}, "info": {"id": "cyner2_5class_train_00370", "source": "cyner2_5class_train"}} +{"text": "Our analysis of the malware shows it uses multiple , advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices .", "spans": {"System: Google Play": [[82, 93]]}, "info": {"id": "cyner2_5class_train_00371", "source": "cyner2_5class_train"}} +{"text": "Version 6.0 also adds a command called “ getPhoneState ” , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number .", "spans": {"System: Android": [[134, 141]]}, "info": {"id": "cyner2_5class_train_00372", "source": "cyner2_5class_train"}} +{"text": "We ’ ve documented several interesting attacks ( A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify ) which used ZIP files as well as DOC , XLS and PDF documents rigged with exploits .", "spans": {"System: Mac OS X": [[114, 122]]}, "info": {"id": "cyner2_5class_train_00373", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.JS.Redirector.xb Js.Trojan.Redirector.Amwl JS/BlacoleRef.CZ.26 Trojan/JS.Redirector.xb 
Trojan.JS.Redirector.xb Exploit.JS.Blacole JS/Iframe.WOR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.JS.Redirector.xb": [[26, 49], [120, 143]], "Indicator: Js.Trojan.Redirector.Amwl": [[50, 75]], "Indicator: JS/BlacoleRef.CZ.26": [[76, 95]], "Indicator: Trojan/JS.Redirector.xb": [[96, 119]], "Indicator: Exploit.JS.Blacole": [[144, 162]], "Indicator: JS/Iframe.WOR!tr": [[163, 179]]}, "info": {"id": "cyner2_5class_train_00374", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Aphexdoor.Litesock.A Backdoor/W32.Aphexdoor.23040 Trojan.Suckspro Backdoor.Aphexdoor.Win32.24 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor.YGRL-7760 Backdoor.Trojan Win32/Porsux.A Win.Trojan.Aphexdoor-8 Backdoor.Aphexdoor.Litesock.A Backdoor.Win32.Aphexdoor.LiteSock Backdoor.Aphexdoor.Litesock.A Trojan.Win32.Aphexdoor.ebrvay Backdoor.W32.Aphexdoor.LiteSock!c Backdoor.Aphexdoor.Litesock.A Backdoor.Aphexdoor.Litesock.A BackDoor.LiteSock BehavesLike.Win32.Downloader.mm Backdoor.Win32.Aphexdoor.LiteSock W32/Backdoor2.EYIV Backdoor/Aphexdoor.LiteSock Trojan[Backdoor]/Win32.Aphexdoor Backdoor.Aphexdoor.Litesock.A Backdoor.Win32.Aphexdoor.LiteSock Worm/Win32.Fesber.C58465 Backdoor.Aphexdoor.Litesock.A BScope.Trojan.RSP Bck/Corsbot.B Win32.Backdoor.Aphexdoor.Airh Trojan.Suckspro!fID1dcqse2s W32/Aphexdoor.LITESOCK!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Aphexdoor.Litesock.A": [[26, 55], [249, 278], [313, 342], [407, 436], [437, 466], [631, 660], [720, 749]], "Indicator: Backdoor/W32.Aphexdoor.23040": [[56, 84]], "Indicator: Trojan.Suckspro": [[85, 100]], "Indicator: Backdoor.Aphexdoor.Win32.24": [[101, 128]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[129, 171]], "Indicator: W32/Backdoor.YGRL-7760": [[172, 194]], "Indicator: Backdoor.Trojan": [[195, 210]], "Indicator: Win32/Porsux.A": [[211, 225]], "Indicator: Win.Trojan.Aphexdoor-8": [[226, 248]], "Indicator: 
Backdoor.Win32.Aphexdoor.LiteSock": [[279, 312], [517, 550], [661, 694]], "Indicator: Trojan.Win32.Aphexdoor.ebrvay": [[343, 372]], "Indicator: Backdoor.W32.Aphexdoor.LiteSock!c": [[373, 406]], "Indicator: BackDoor.LiteSock": [[467, 484]], "Indicator: BehavesLike.Win32.Downloader.mm": [[485, 516]], "Indicator: W32/Backdoor2.EYIV": [[551, 569]], "Indicator: Backdoor/Aphexdoor.LiteSock": [[570, 597]], "Indicator: Trojan[Backdoor]/Win32.Aphexdoor": [[598, 630]], "Indicator: Worm/Win32.Fesber.C58465": [[695, 719]], "Indicator: BScope.Trojan.RSP": [[750, 767]], "Indicator: Bck/Corsbot.B": [[768, 781]], "Indicator: Win32.Backdoor.Aphexdoor.Airh": [[782, 811]], "Indicator: Trojan.Suckspro!fID1dcqse2s": [[812, 839]], "Indicator: W32/Aphexdoor.LITESOCK!tr.bdr": [[840, 869]]}, "info": {"id": "cyner2_5class_train_00375", "source": "cyner2_5class_train"}} +{"text": "Interestingly , the command and control server includes a publicly accessible interface to work with the victims : Some of the commands with rough translations : The command-and-control server is running Windows Server 2003 and has been configured for Chinese language : This , together with the logs , is a strong indicator that the attackers are Chinese-speaking .", "spans": {"System: Windows Server": [[204, 218]]}, "info": {"id": "cyner2_5class_train_00376", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Chiviper!O Worm.AutoRun.14759 W32/AutoRun.sdc Win32.Trojan.WisdomEyes.16070401.9500.9975 WORM_OTORUN.SMIF Win.Trojan.Qhost-160 Worm.Win32.Chiviper.gk Trojan.Win32.AutoRun.onby Trojan.AVKill.11726 Worm.AutoRun.Win32.23223 WORM_OTORUN.SMIF BehavesLike.Win32.Ipamor.qt Worm.Win32.AutoRun WORM/Autorun.rmr win32.troj.onlinegamest.bc.kcloud Worm.Win32.Chiviper.gk Trojan/Win32.CSon.R2002 Worm.Chiviper Worm.AutoRun!t3rz8tcZQ1A W32/Chiviper.GK!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Chiviper!O": [[26, 47]], "Indicator: Worm.AutoRun.14759": [[48, 66]], 
"Indicator: W32/AutoRun.sdc": [[67, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[83, 125]], "Indicator: WORM_OTORUN.SMIF": [[126, 142], [258, 274]], "Indicator: Win.Trojan.Qhost-160": [[143, 163]], "Indicator: Worm.Win32.Chiviper.gk": [[164, 186], [373, 395]], "Indicator: Trojan.Win32.AutoRun.onby": [[187, 212]], "Indicator: Trojan.AVKill.11726": [[213, 232]], "Indicator: Worm.AutoRun.Win32.23223": [[233, 257]], "Indicator: BehavesLike.Win32.Ipamor.qt": [[275, 302]], "Indicator: Worm.Win32.AutoRun": [[303, 321]], "Indicator: WORM/Autorun.rmr": [[322, 338]], "Indicator: win32.troj.onlinegamest.bc.kcloud": [[339, 372]], "Indicator: Trojan/Win32.CSon.R2002": [[396, 419]], "Indicator: Worm.Chiviper": [[420, 433]], "Indicator: Worm.AutoRun!t3rz8tcZQ1A": [[434, 458]], "Indicator: W32/Chiviper.GK!worm": [[459, 479]]}, "info": {"id": "cyner2_5class_train_00377", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zbot.7 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Kazy-50 Trojan.Win32.Pamela.hnatv Trojan.Win32.A.Inject.75189 DDoS.Pamela Trojan.Inject.Win32.17142 BehavesLike.Win32.Dropper.pc Trojan.Win32.Inject Trojan/Inject.mra Trojan/Win32.Inject Trojan:Win32/Pucodex.A Trojan-Injector.191245", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zbot.7": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[40, 82]], "Indicator: Win.Trojan.Kazy-50": [[83, 101]], "Indicator: Trojan.Win32.Pamela.hnatv": [[102, 127]], "Indicator: Trojan.Win32.A.Inject.75189": [[128, 155]], "Indicator: DDoS.Pamela": [[156, 167]], "Indicator: Trojan.Inject.Win32.17142": [[168, 193]], "Indicator: BehavesLike.Win32.Dropper.pc": [[194, 222]], "Indicator: Trojan.Win32.Inject": [[223, 242]], "Indicator: Trojan/Inject.mra": [[243, 260]], "Indicator: Trojan/Win32.Inject": [[261, 280]], "Indicator: Trojan:Win32/Pucodex.A": [[281, 303]], "Indicator: Trojan-Injector.191245": [[304, 326]]}, "info": {"id": 
"cyner2_5class_train_00378", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Sober.135968 Packed.Win32.TDSS!O Worm.Sober.Win32.7 WORM_SOBER.AM Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Sober.DVXC-4063 W32.Sober.W@mm Win32/Sober.T WORM_SOBER.AM Win.Worm.Sober-43 Email-Worm.Win32.Sober.x Trojan.Win32.Sober.fxvm I-Worm.Win32.Sober.T Packer.W32.Tibs.l4Hz Worm.Win32.Sober.V Win32.HLLM.Sober BehavesLike.Win32.Autorun.cc Trojan.Win32.Pasta W32/Sober.V@mm I-Worm/Sober.p DR/Sober.T Worm[Email]/Win32.Sober Worm.Sober.t.kcloud Worm:Win32/Sober.Y@mm.dr Email-Worm.Win32.Sober.x Dropper/Win32.Sober.R86508 W32/Sober.s.dr TScope.Trojan.VB W32/Sober.AE.worm Win32/Sober.V Win32.Worm-email.Sober.Akew I-Worm.Sober.AF1 W32/Sober.T@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Sober.135968": [[26, 47]], "Indicator: Packed.Win32.TDSS!O": [[48, 67]], "Indicator: Worm.Sober.Win32.7": [[68, 86]], "Indicator: WORM_SOBER.AM": [[87, 100], [193, 206]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[101, 143]], "Indicator: W32/Sober.DVXC-4063": [[144, 163]], "Indicator: W32.Sober.W@mm": [[164, 178]], "Indicator: Win32/Sober.T": [[179, 192]], "Indicator: Win.Worm.Sober-43": [[207, 224]], "Indicator: Email-Worm.Win32.Sober.x": [[225, 249], [510, 534]], "Indicator: Trojan.Win32.Sober.fxvm": [[250, 273]], "Indicator: I-Worm.Win32.Sober.T": [[274, 294]], "Indicator: Packer.W32.Tibs.l4Hz": [[295, 315]], "Indicator: Worm.Win32.Sober.V": [[316, 334]], "Indicator: Win32.HLLM.Sober": [[335, 351]], "Indicator: BehavesLike.Win32.Autorun.cc": [[352, 380]], "Indicator: Trojan.Win32.Pasta": [[381, 399]], "Indicator: W32/Sober.V@mm": [[400, 414]], "Indicator: I-Worm/Sober.p": [[415, 429]], "Indicator: DR/Sober.T": [[430, 440]], "Indicator: Worm[Email]/Win32.Sober": [[441, 464]], "Indicator: Worm.Sober.t.kcloud": [[465, 484]], "Indicator: Worm:Win32/Sober.Y@mm.dr": [[485, 509]], "Indicator: Dropper/Win32.Sober.R86508": [[535, 561]], 
"Indicator: W32/Sober.s.dr": [[562, 576]], "Indicator: TScope.Trojan.VB": [[577, 593]], "Indicator: W32/Sober.AE.worm": [[594, 611]], "Indicator: Win32/Sober.V": [[612, 625]], "Indicator: Win32.Worm-email.Sober.Akew": [[626, 653]], "Indicator: I-Worm.Sober.AF1": [[654, 670]], "Indicator: W32/Sober.T@mm": [[671, 685]]}, "info": {"id": "cyner2_5class_train_00379", "source": "cyner2_5class_train"}} +{"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere says .", "spans": {"Organization: Google": [[23, 29]], "Organization: Amazon": [[34, 40]]}, "info": {"id": "cyner2_5class_train_00380", "source": "cyner2_5class_train"}} +{"text": "Proofpoint is tracking this attacker, believed to operate out of China, as TA459", "spans": {"Organization: Proofpoint": [[0, 10]]}, "info": {"id": "cyner2_5class_train_00381", "source": "cyner2_5class_train"}} +{"text": "Data Encryption The Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2 .", "spans": {"Malware: EventBot": [[74, 82]]}, "info": {"id": "cyner2_5class_train_00382", "source": "cyner2_5class_train"}} +{"text": "The first anti-sandbox technique is the loader checking the code segment .", "spans": {}, "info": {"id": "cyner2_5class_train_00383", "source": "cyner2_5class_train"}} +{"text": "360 Network Security Research Lab recently discovered a new botnet that is scanning the entire Internet on a large scale.", "spans": {"Organization: 360 Network Security Research Lab": [[0, 33]], "Malware: botnet": [[60, 66]]}, "info": {"id": "cyner2_5class_train_00384", "source": "cyner2_5class_train"}} +{"text": "In addition , we did not see traces of the Smali injection .", "spans": {}, "info": {"id": "cyner2_5class_train_00385", "source": "cyner2_5class_train"}} +{"text": "Recently there was a huge wave of SMS messages , as well as Whatsapp messages , making the rounds asking users to download the latest version 
of TikTok at hxxp : //tiny [ .", "spans": {"System: Whatsapp": [[60, 68]], "System: TikTok": [[145, 151]], "Indicator: hxxp : //tiny [ .": [[155, 172]]}, "info": {"id": "cyner2_5class_train_00386", "source": "cyner2_5class_train"}} +{"text": "The malware has existed since at least 2012, with threat actors using it for mass-spreading malware campaigns and for ongoing targeted attacks.", "spans": {"Malware: malware": [[4, 11]], "Indicator: attacks.": [[135, 143]]}, "info": {"id": "cyner2_5class_train_00387", "source": "cyner2_5class_train"}} +{"text": "Triada : organized crime on Android Second , it substitutes the system functions and conceals its modules from the list of the running processes and installed apps .", "spans": {"Malware: Triada": [[0, 6]], "System: Android": [[28, 35]]}, "info": {"id": "cyner2_5class_train_00388", "source": "cyner2_5class_train"}} +{"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically .", "spans": {}, "info": {"id": "cyner2_5class_train_00389", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.CareFree.a Win32/Tnega.TaRMRTC Trojan.Win32.Graftor.dogten Trojan.KillFiles.21059 BehavesLike.Win32.Downloader.mc TR/Graftor.cpoyxe Trojan.Ursu.D2DC2 Trojan/Win32.StartPage.R131400 Win32/Trojan.e36", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.CareFree.a": [[26, 49]], "Indicator: Win32/Tnega.TaRMRTC": [[50, 69]], "Indicator: Trojan.Win32.Graftor.dogten": [[70, 97]], "Indicator: Trojan.KillFiles.21059": [[98, 120]], "Indicator: BehavesLike.Win32.Downloader.mc": [[121, 152]], "Indicator: TR/Graftor.cpoyxe": [[153, 170]], "Indicator: Trojan.Ursu.D2DC2": [[171, 188]], "Indicator: Trojan/Win32.StartPage.R131400": [[189, 219]], "Indicator: Win32/Trojan.e36": [[220, 236]]}, "info": {"id": "cyner2_5class_train_00390", "source": 
"cyner2_5class_train"}} +{"text": "This group has been active since at least 2014 and uses spear-phishing campaigns to target enterprises.", "spans": {"Malware: at": [[33, 35]], "Organization: target enterprises.": [[84, 103]]}, "info": {"id": "cyner2_5class_train_00391", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan-Spy.MSIL.KeyLogger.ctnb Trojan.Win32.Z.Keylogger.91136.M Msil.Trojan-spy.Keylogger.Wqde Trojan.DownLoader9.24657 TrojanSpy.MSIL.vlt TR/Downloader.gldnp Trojan[Spy]/MSIL.KeyLogger Trojan.MSILPerseus.D9E17 Trojan-Spy.MSIL.KeyLogger.ctnb Backdoor:MSIL/Cooatut.A TrojanSpy.MSIL.KeyLogger Trj/CI.A MSIL/Troob.AA Trojan.MSIL.Troob MSIL/Troob.AA!tr Win32/Trojan.Spy.144", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[26, 68]], "Indicator: Trojan-Spy.MSIL.KeyLogger.ctnb": [[69, 99], [280, 310]], "Indicator: Trojan.Win32.Z.Keylogger.91136.M": [[100, 132]], "Indicator: Msil.Trojan-spy.Keylogger.Wqde": [[133, 163]], "Indicator: Trojan.DownLoader9.24657": [[164, 188]], "Indicator: TrojanSpy.MSIL.vlt": [[189, 207]], "Indicator: TR/Downloader.gldnp": [[208, 227]], "Indicator: Trojan[Spy]/MSIL.KeyLogger": [[228, 254]], "Indicator: Trojan.MSILPerseus.D9E17": [[255, 279]], "Indicator: Backdoor:MSIL/Cooatut.A": [[311, 334]], "Indicator: TrojanSpy.MSIL.KeyLogger": [[335, 359]], "Indicator: Trj/CI.A": [[360, 368]], "Indicator: MSIL/Troob.AA": [[369, 382]], "Indicator: Trojan.MSIL.Troob": [[383, 400]], "Indicator: MSIL/Troob.AA!tr": [[401, 417]], "Indicator: Win32/Trojan.Spy.144": [[418, 438]]}, "info": {"id": "cyner2_5class_train_00392", "source": "cyner2_5class_train"}} +{"text": "Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.", "spans": {"Malware: MacDownloader": [[9, 22]], "Indicator: simple exfiltration agent,": [[28, 54]]}, "info": {"id": "cyner2_5class_train_00393", "source": "cyner2_5class_train"}} +{"text": 
"Throughout 2016, Proofpoint researchers tracked a cyber-espionage campaign targeting victims in Russia and neighboring countries.", "spans": {"Organization: Proofpoint researchers": [[17, 39]]}, "info": {"id": "cyner2_5class_train_00394", "source": "cyner2_5class_train"}} +{"text": "This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.", "spans": {"Organization: individuals": [[76, 87]], "Organization: South Korean organizations.": [[99, 126]]}, "info": {"id": "cyner2_5class_train_00395", "source": "cyner2_5class_train"}} +{"text": "The Trojan is delivered in emails that mostly target corporate users.", "spans": {"Malware: The Trojan": [[0, 10]], "Indicator: emails": [[27, 33]], "Organization: corporate users.": [[53, 69]]}, "info": {"id": "cyner2_5class_train_00396", "source": "cyner2_5class_train"}} +{"text": "We can trace activities of Pawn Storm back to 20041 and before our initial report in 2014 there wasn't much published about this actor group.", "spans": {}, "info": {"id": "cyner2_5class_train_00397", "source": "cyner2_5class_train"}} +{"text": "Backdoor.Win32.Denis uses DNS tunneling for communication", "spans": {"Indicator: Backdoor.Win32.Denis": [[0, 20]], "Indicator: DNS tunneling for communication": [[26, 57]]}, "info": {"id": "cyner2_5class_train_00398", "source": "cyner2_5class_train"}} +{"text": "A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre ARC was compromised.", "spans": {"Organization: Kuala Lumpur summit,": [[22, 42]], "Indicator: subdomain under asean.org": [[45, 70]], "Organization: the ASEAN Secretariat Resource Centre ARC": [[75, 116]]}, "info": {"id": "cyner2_5class_train_00399", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Flooder.MailSpam.AnonMail.A Email-Flooder.Win32.AnonMail!O Win32.Trojan.Anonmail.Agkt Flooder.MailSpam.AnonMail.A W32/Backdoor.SPH Hacktool.Flooder 
Win.Tool.MailSpam-3 Email-Flooder.Win32.AnonMail.a Flooder.MailSpam.AnonMail.A Trojan.Win32.AnonMail.dbio TrojWare.Win32.Spammer.AnonMail Trojan.AnMail Tool.AnonMail.Win32.14 Email-Flooder.Win32.AnonMail.A W32/Backdoor.CDAV-2869 Spammer.Mail.AnonMail TR/Nuker.AnonMail HackTool[Flooder]/Win32.AnonMail Email-Flooder.Win32.AnonMail.a Flooder.MailSpam.AnonMail.A Spammer.AnonMail Flooder.MailSpam.AnonMail.A Flooder.MailSpam.AnonMail.A Trj/CI.A Win32/Spammer.AnonMail", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Flooder.MailSpam.AnonMail.A": [[26, 53], [112, 139], [225, 252], [507, 534], [552, 579], [580, 607]], "Indicator: Email-Flooder.Win32.AnonMail!O": [[54, 84]], "Indicator: Win32.Trojan.Anonmail.Agkt": [[85, 111]], "Indicator: W32/Backdoor.SPH": [[140, 156]], "Indicator: Hacktool.Flooder": [[157, 173]], "Indicator: Win.Tool.MailSpam-3": [[174, 193]], "Indicator: Email-Flooder.Win32.AnonMail.a": [[194, 224], [476, 506]], "Indicator: Trojan.Win32.AnonMail.dbio": [[253, 279]], "Indicator: TrojWare.Win32.Spammer.AnonMail": [[280, 311]], "Indicator: Trojan.AnMail": [[312, 325]], "Indicator: Tool.AnonMail.Win32.14": [[326, 348]], "Indicator: Email-Flooder.Win32.AnonMail.A": [[349, 379]], "Indicator: W32/Backdoor.CDAV-2869": [[380, 402]], "Indicator: Spammer.Mail.AnonMail": [[403, 424]], "Indicator: TR/Nuker.AnonMail": [[425, 442]], "Indicator: HackTool[Flooder]/Win32.AnonMail": [[443, 475]], "Indicator: Spammer.AnonMail": [[535, 551]], "Indicator: Trj/CI.A": [[608, 616]], "Indicator: Win32/Spammer.AnonMail": [[617, 639]]}, "info": {"id": "cyner2_5class_train_00400", "source": "cyner2_5class_train"}} +{"text": "the type of operation they are carrying out.", "spans": {}, "info": {"id": "cyner2_5class_train_00401", "source": "cyner2_5class_train"}} +{"text": "REQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background .", "spans": {}, "info": {"id": "cyner2_5class_train_00402", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.Win32.Mlw.eweujb Win32.Trojan.Inject.Auto BehavesLike.Win32.Trojan.hh TR/Dropper.MSIL.fkvxc Spyware.InfoStealer Trojan.MSIL.Inject MSIL/Injector.SZD!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Mlw.eweujb": [[26, 49]], "Indicator: Win32.Trojan.Inject.Auto": [[50, 74]], "Indicator: BehavesLike.Win32.Trojan.hh": [[75, 102]], "Indicator: TR/Dropper.MSIL.fkvxc": [[103, 124]], "Indicator: Spyware.InfoStealer": [[125, 144]], "Indicator: Trojan.MSIL.Inject": [[145, 163]], "Indicator: MSIL/Injector.SZD!tr": [[164, 184]], "Indicator: Trj/GdSda.A": [[185, 196]]}, "info": {"id": "cyner2_5class_train_00403", "source": "cyner2_5class_train"}} +{"text": "In this research , we review common features of the malware and examine the improvements the threat actor made in each version .", "spans": {}, "info": {"id": "cyner2_5class_train_00404", "source": "cyner2_5class_train"}} +{"text": "Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago.", "spans": {}, "info": {"id": "cyner2_5class_train_00405", "source": "cyner2_5class_train"}} +{"text": "Exodus One checks-in by sending a POST request containing the app package name , the device IMEI and an encrypted body containing additional device information .", "spans": {}, "info": {"id": "cyner2_5class_train_00406", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PUP.Optional.VideiPlayer Trojan.ExtenBro! TROJ_SPNR.06HH14 Trojan-Downloader.MSIL.ExtInstall.o Trojan.Win32.Kivat.dfxucy TROJ_SPNR.06HH14 BehavesLike.Win32.Trojan.nt W32/Trojan.JMSU-4938 Variant.Kazy.doi W32/ExtenBro.E!tr Trojan.Kazy.D683A9 Uds.Dangerousobject.Multi!c TrojanDownloader:MSIL/Kivat.B Trojan.ExtenBro! 
Trj/Chgt.B Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUP.Optional.VideiPlayer": [[26, 50]], "Indicator: Trojan.ExtenBro!": [[51, 67], [325, 341]], "Indicator: TROJ_SPNR.06HH14": [[68, 84], [147, 163]], "Indicator: Trojan-Downloader.MSIL.ExtInstall.o": [[85, 120]], "Indicator: Trojan.Win32.Kivat.dfxucy": [[121, 146]], "Indicator: BehavesLike.Win32.Trojan.nt": [[164, 191]], "Indicator: W32/Trojan.JMSU-4938": [[192, 212]], "Indicator: Variant.Kazy.doi": [[213, 229]], "Indicator: W32/ExtenBro.E!tr": [[230, 247]], "Indicator: Trojan.Kazy.D683A9": [[248, 266]], "Indicator: Uds.Dangerousobject.Multi!c": [[267, 294]], "Indicator: TrojanDownloader:MSIL/Kivat.B": [[295, 324]], "Indicator: Trj/Chgt.B": [[342, 352]], "Indicator: Win32/Trojan.Multi.daf": [[353, 375]]}, "info": {"id": "cyner2_5class_train_00407", "source": "cyner2_5class_train"}} +{"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04 Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign ‘ Bouncing Golf ’ Affects Middle East We uncovered a cyberespionage campaign targeting Middle Eastern countries .", "spans": {"Indicator: com.targetshoot.zombieapocalypse.sniper.zombieshootinggame": [[61, 119]], "Indicator: 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928": [[120, 184]], "Indicator: com.counterterrorist.cs.elite.combat.shootinggame": [[197, 246]], "Indicator: 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04": [[247, 311]], "Indicator: bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213": [[350, 414]], "Malware: 
Zen": [[415, 418]], "Indicator: com.lmt.register": [[426, 442]], "Indicator: eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d": [[443, 507]], "Malware: Bouncing Golf": [[526, 539]]}, "info": {"id": "cyner2_5class_train_00408", "source": "cyner2_5class_train"}} +{"text": "Therefore , by simulating fraudulent clicks , these developers are making money without requiring a user to click on an advertisement .", "spans": {}, "info": {"id": "cyner2_5class_train_00409", "source": "cyner2_5class_train"}} +{"text": "If it is the first execution , and if the app ’ s path does not contain “ /system/app ” ( i.e .", "spans": {"Indicator: /system/app": [[74, 85]]}, "info": {"id": "cyner2_5class_train_00410", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Kolweb.a.2.Pack Trojan/Delf.cf W32/Trojan.ORX Trojan.Kolweb.A W32/Startpage.AHU Win32/Startpage.LM TROJ_DOWNLOAD.E Trojan.Win32.Kolweb.a Trojan.Win32.Kolweb.A!IK TrojWare.Win32.Kolweb.A Trojan.DownLoader.1317 TROJ_DOWNLOAD.E Trojan/PSW.Almat.coi Adware:Win32/Adtomi.B Win-Spyware/Xema.171008 W32/Trojan.ORX Trojan.Win32.Kolweb.a Win32/Kolweb.A Trojan.Win32.Kolweb.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Kolweb.a.2.Pack": [[26, 54]], "Indicator: Trojan/Delf.cf": [[55, 69]], "Indicator: W32/Trojan.ORX": [[70, 84], [331, 345]], "Indicator: Trojan.Kolweb.A": [[85, 100]], "Indicator: W32/Startpage.AHU": [[101, 118]], "Indicator: Win32/Startpage.LM": [[119, 137]], "Indicator: TROJ_DOWNLOAD.E": [[138, 153], [248, 263]], "Indicator: Trojan.Win32.Kolweb.a": [[154, 175], [346, 367]], "Indicator: Trojan.Win32.Kolweb.A!IK": [[176, 200]], "Indicator: TrojWare.Win32.Kolweb.A": [[201, 224]], "Indicator: Trojan.DownLoader.1317": [[225, 247]], "Indicator: Trojan/PSW.Almat.coi": [[264, 284]], "Indicator: Adware:Win32/Adtomi.B": [[285, 306]], "Indicator: Win-Spyware/Xema.171008": [[307, 330]], "Indicator: Win32/Kolweb.A": [[368, 382]], "Indicator: 
Trojan.Win32.Kolweb.A": [[383, 404]]}, "info": {"id": "cyner2_5class_train_00411", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.ES Trojan.Crypt.ES Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Crypt.ES Trojan.Win32.Crypt.ewgrry Trojan.Crypt.ES Trojan.Crypt.ES BehavesLike.Win32.BadFile.lm Backdoor:Win32/Huceqoo.A Trojan.Win32.Z.Crypt.73728.BQ Trojan/Win32.Scar.C8074 Trojan.Crypt.ES BScope.Trojan.Dropper.we Trj/GdSda.A Trojan.Crypt.ES Win32/Trojan.b63", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.ES": [[26, 41], [42, 57], [101, 116], [143, 158], [159, 174], [283, 298], [336, 351]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[58, 100]], "Indicator: Trojan.Win32.Crypt.ewgrry": [[117, 142]], "Indicator: BehavesLike.Win32.BadFile.lm": [[175, 203]], "Indicator: Backdoor:Win32/Huceqoo.A": [[204, 228]], "Indicator: Trojan.Win32.Z.Crypt.73728.BQ": [[229, 258]], "Indicator: Trojan/Win32.Scar.C8074": [[259, 282]], "Indicator: BScope.Trojan.Dropper.we": [[299, 323]], "Indicator: Trj/GdSda.A": [[324, 335]], "Indicator: Win32/Trojan.b63": [[352, 368]]}, "info": {"id": "cyner2_5class_train_00412", "source": "cyner2_5class_train"}} +{"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature .", "spans": {"Indicator: msconf.exe": [[0, 10]]}, "info": {"id": "cyner2_5class_train_00413", "source": "cyner2_5class_train"}} +{"text": "However, this also leaves the C C traffic open for monitoring by others, including security researchers.", "spans": {"Indicator: C C traffic": [[30, 41]], "Organization: security researchers.": [[83, 104]]}, "info": {"id": "cyner2_5class_train_00414", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pws.Watcher.A Trojan-PSW.Win32.Watcher!O Trojan.Pws.Watcher.A Trojan.Pws.Watcher.A Trojan.Pws.Watcher.A Trojan.Win32.Watcher.ejkr Trojan.Win32.A.PSW-Watcher.492035 Troj.PSW32.W.Watcher.a!c Trojan.Pws.Watcher.A 
Trojan.Pws.Watcher.A Trojan.PWS.Watcher Trojan.Watcher.Win32.8 Trojan-PWS.Win32.Watcher.i Trojan/PSW.Watcher.a TR/PSW.Watcher.B PWS:Win32/Watcher.A Trojan.Pws.Watcher.A TrojanPSW.Watcher Win32/PSW.Watcher.A Win32.Trojan-qqpass.Qqrob.Wqwh W32/PSWAtcher.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pws.Watcher.A": [[26, 46], [74, 94], [95, 115], [116, 136], [222, 242], [243, 263], [391, 411]], "Indicator: Trojan-PSW.Win32.Watcher!O": [[47, 73]], "Indicator: Trojan.Win32.Watcher.ejkr": [[137, 162]], "Indicator: Trojan.Win32.A.PSW-Watcher.492035": [[163, 196]], "Indicator: Troj.PSW32.W.Watcher.a!c": [[197, 221]], "Indicator: Trojan.PWS.Watcher": [[264, 282]], "Indicator: Trojan.Watcher.Win32.8": [[283, 305]], "Indicator: Trojan-PWS.Win32.Watcher.i": [[306, 332]], "Indicator: Trojan/PSW.Watcher.a": [[333, 353]], "Indicator: TR/PSW.Watcher.B": [[354, 370]], "Indicator: PWS:Win32/Watcher.A": [[371, 390]], "Indicator: TrojanPSW.Watcher": [[412, 429]], "Indicator: Win32/PSW.Watcher.A": [[430, 449]], "Indicator: Win32.Trojan-qqpass.Qqrob.Wqwh": [[450, 480]], "Indicator: W32/PSWAtcher.A!tr": [[481, 499]]}, "info": {"id": "cyner2_5class_train_00415", "source": "cyner2_5class_train"}} +{"text": "However , the app does create a WebView and registers a JavaScript interface to this class .", "spans": {}, "info": {"id": "cyner2_5class_train_00416", "source": "cyner2_5class_train"}} +{"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store .", "spans": {"System: Play Store": [[126, 136]]}, "info": {"id": "cyner2_5class_train_00417", "source": "cyner2_5class_train"}} +{"text": "Enlarge / Top 20 countries targeted by Hummingbad/Shedun .", "spans": {"Malware: Hummingbad/Shedun": [[39, 56]]}, "info": {"id": "cyner2_5class_train_00418", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PSW.Barok.10 Trojan/W32.Barok.1056825 Trojan.Win32.Barok.bcusy 
W32/Pws.ZDD WS.Reputation.1 Barok.1_0 TROJ_BAROK.10 Trojan.Spy-11230 Trojan-PSW.Win32.Barok.10 Trojan.PSW.Barok.10 Trojan.PWS.Barok!QhmYol9M94M TrojWare.Win32.PSW.Barok.10 Trojan.PSW.Barok.10 TR/Barok.PSW.10 TROJ_BAROK.10 Trojan/PSW.Barok.10 Win32.Troj.Barok.kcloud PWS:Win32/Barok.1_0 Trojan.Win32.Barok_10.Setup Trojan.PSW.Barok.10 W32/Pws.ZDD Win-Trojan/Barok.Client.v10 PSW.Barok.A Hack.PSWbarok.10 Trojan-PWS.Win32.Barok.10 W32/Barok.10!tr.pws Trj/PSW.Barok.10", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Barok.10": [[26, 45], [191, 210], [268, 287], [410, 429]], "Indicator: Trojan/W32.Barok.1056825": [[46, 70]], "Indicator: Trojan.Win32.Barok.bcusy": [[71, 95]], "Indicator: W32/Pws.ZDD": [[96, 107], [430, 441]], "Indicator: WS.Reputation.1": [[108, 123]], "Indicator: Barok.1_0": [[124, 133]], "Indicator: TROJ_BAROK.10": [[134, 147], [304, 317]], "Indicator: Trojan.Spy-11230": [[148, 164]], "Indicator: Trojan-PSW.Win32.Barok.10": [[165, 190]], "Indicator: Trojan.PWS.Barok!QhmYol9M94M": [[211, 239]], "Indicator: TrojWare.Win32.PSW.Barok.10": [[240, 267]], "Indicator: TR/Barok.PSW.10": [[288, 303]], "Indicator: Trojan/PSW.Barok.10": [[318, 337]], "Indicator: Win32.Troj.Barok.kcloud": [[338, 361]], "Indicator: PWS:Win32/Barok.1_0": [[362, 381]], "Indicator: Trojan.Win32.Barok_10.Setup": [[382, 409]], "Indicator: Win-Trojan/Barok.Client.v10": [[442, 469]], "Indicator: PSW.Barok.A": [[470, 481]], "Indicator: Hack.PSWbarok.10": [[482, 498]], "Indicator: Trojan-PWS.Win32.Barok.10": [[499, 524]], "Indicator: W32/Barok.10!tr.pws": [[525, 544]], "Indicator: Trj/PSW.Barok.10": [[545, 561]]}, "info": {"id": "cyner2_5class_train_00419", "source": "cyner2_5class_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00420", "source": "cyner2_5class_train"}} +{"text": "But , behind the scenes , the malware has not been removed ; instead it starts preparing its onslaught of attacks .", "spans": {}, "info": {"id": 
"cyner2_5class_train_00421", "source": "cyner2_5class_train"}} +{"text": "XLoader can also hijack the infected device ( i.e. , send SMSs ) and sports self-protection/persistence mechanisms through device administrator privileges .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner2_5class_train_00422", "source": "cyner2_5class_train"}} +{"text": "While the idea of malware as a service isn't a new one, with players such as Tox and Shark in the game, but it can be said that MacSpy is one of the first seen for the OS X platform.", "spans": {"Malware: malware": [[18, 25]], "Malware: Tox": [[77, 80]], "Malware: Shark": [[85, 90]], "Malware: MacSpy": [[128, 134]], "System: OS X platform.": [[168, 182]]}, "info": {"id": "cyner2_5class_train_00423", "source": "cyner2_5class_train"}} +{"text": "At least in most recent versions , as of January 2019 , the Zip archive would actually contain the i686 , arm and arm64 versions of all deployed binaries .", "spans": {}, "info": {"id": "cyner2_5class_train_00424", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PUP.Optional.OpenCandy WS.Reputation.1 Trojan.DownLoader9.52502 TR/Dropper.A.23950 Win32.Troj.Undef.kcloud PE:PUF.OpenCandy!1.9DE5 Win32/Trojan.ca7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUP.Optional.OpenCandy": [[26, 48]], "Indicator: WS.Reputation.1": [[49, 64]], "Indicator: Trojan.DownLoader9.52502": [[65, 89]], "Indicator: TR/Dropper.A.23950": [[90, 108]], "Indicator: Win32.Troj.Undef.kcloud": [[109, 132]], "Indicator: PE:PUF.OpenCandy!1.9DE5": [[133, 156]], "Indicator: Win32/Trojan.ca7": [[157, 173]]}, "info": {"id": "cyner2_5class_train_00425", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.Kykymber.P.Trojan Trojan.PWS.Onlinegames.KEGA Trojan-PWS.Win32.Kykymber.1!O PWS-OnlineGames.ke Trojan/PSW.Kykymber.kyz Win32.Trojan-PSW.OLGames.ay Infostealer.Gampass Win32/Gamepass.OQU Win.Spyware.79683-2 Trojan-PSW.Win32.Kykymber.kyz 
Trojan.PWS.Onlinegames.KEGA Trojan.Win32.OnLineGames.bkxdd Troj.PSW32.W.Kykymber.kyz!c Trojan.PSW.Win32.MiBao.a TrojWare.Win32.PSW.GamePass.A Trojan.PWS.Onlinegames.KEGA BehavesLike.Win32.PWSOnlineGames.pm TR/PSW.Kykymber.CD Trojan.Win32.A.PSW-Kykymber.43452[UPX] Trojan-PSW.Win32.Kykymber.kyz Trojan.PWS.Onlinegames.KEGA Trojan.PWS.Onlinegames.KEGA Win32/PSW.OnLineGames.QLR Trojan.PWS.Kykymber!KKmGLDbdY4I W32/OnLineGames.KY!tr.pws Trj/Kykymber.A Trojan.PSW.Win32.GameOnline.CP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.Kykymber.P.Trojan": [[26, 53]], "Indicator: Trojan.PWS.Onlinegames.KEGA": [[54, 81], [272, 299], [414, 441], [566, 593], [594, 621]], "Indicator: Trojan-PWS.Win32.Kykymber.1!O": [[82, 111]], "Indicator: PWS-OnlineGames.ke": [[112, 130]], "Indicator: Trojan/PSW.Kykymber.kyz": [[131, 154]], "Indicator: Win32.Trojan-PSW.OLGames.ay": [[155, 182]], "Indicator: Infostealer.Gampass": [[183, 202]], "Indicator: Win32/Gamepass.OQU": [[203, 221]], "Indicator: Win.Spyware.79683-2": [[222, 241]], "Indicator: Trojan-PSW.Win32.Kykymber.kyz": [[242, 271], [536, 565]], "Indicator: Trojan.Win32.OnLineGames.bkxdd": [[300, 330]], "Indicator: Troj.PSW32.W.Kykymber.kyz!c": [[331, 358]], "Indicator: Trojan.PSW.Win32.MiBao.a": [[359, 383]], "Indicator: TrojWare.Win32.PSW.GamePass.A": [[384, 413]], "Indicator: BehavesLike.Win32.PWSOnlineGames.pm": [[442, 477]], "Indicator: TR/PSW.Kykymber.CD": [[478, 496]], "Indicator: Trojan.Win32.A.PSW-Kykymber.43452[UPX]": [[497, 535]], "Indicator: Win32/PSW.OnLineGames.QLR": [[622, 647]], "Indicator: Trojan.PWS.Kykymber!KKmGLDbdY4I": [[648, 679]], "Indicator: W32/OnLineGames.KY!tr.pws": [[680, 705]], "Indicator: Trj/Kykymber.A": [[706, 720]], "Indicator: Trojan.PSW.Win32.GameOnline.CP": [[721, 751]]}, "info": {"id": "cyner2_5class_train_00426", "source": "cyner2_5class_train"}} +{"text": "Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan.", "spans": 
{"Malware: malware,": [[62, 70]], "Malware: Android trojan.": [[94, 109]]}, "info": {"id": "cyner2_5class_train_00427", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor:Win32/Binanen.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor:Win32/Binanen.A": [[26, 50]]}, "info": {"id": "cyner2_5class_train_00428", "source": "cyner2_5class_train"}} +{"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ? Is the malware already set as the default SMS application ? [ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ? [ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim ’ s device .", "spans": {}, "info": {"id": "cyner2_5class_train_00429", "source": "cyner2_5class_train"}} +{"text": "Then the Trojan will put the patched library back into the system directory .", "spans": {}, "info": {"id": "cyner2_5class_train_00430", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod912.Trojan.1f28 Win32.Trojan.WisdomEyes.16070401.9500.9823 Trojan.Munidub TROJ64_ASRUEX.A Trojan.Win64.MLW.eelpql TROJ64_ASRUEX.A BehavesLike.Win64.CrossRider.tm W64/Trojan.MCVO-8253 Trojan/Win32.Zapchast Trojan:Win64/Asruex.A!dha Trojan.Zapchast.pk Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod912.Trojan.1f28": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9823": [[50, 92]], "Indicator: Trojan.Munidub": [[93, 107]], "Indicator: TROJ64_ASRUEX.A": [[108, 123], [148, 163]], "Indicator: Trojan.Win64.MLW.eelpql": [[124, 147]], "Indicator: BehavesLike.Win64.CrossRider.tm": [[164, 195]], "Indicator: W64/Trojan.MCVO-8253": [[196, 216]], "Indicator: Trojan/Win32.Zapchast": [[217, 238]], 
"Indicator: Trojan:Win64/Asruex.A!dha": [[239, 264]], "Indicator: Trojan.Zapchast.pk": [[265, 283]], "Indicator: Trj/CI.A": [[284, 292]]}, "info": {"id": "cyner2_5class_train_00431", "source": "cyner2_5class_train"}} +{"text": "POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control CnC server.", "spans": {"Malware: POS malware": [[0, 11]], "Malware: malicious software": [[22, 40]], "Indicator: payment card information": [[55, 79]], "Vulnerability: memory": [[85, 91]], "Indicator: uploads": [[104, 111]], "Indicator: data": [[117, 121]], "Indicator: command and control CnC server.": [[127, 158]]}, "info": {"id": "cyner2_5class_train_00432", "source": "cyner2_5class_train"}} +{"text": "However , when used maliciously , accessibility features can be used to exploit legitimate services for malicious purposes , like with EventBot .", "spans": {"Malware: EventBot": [[135, 143]]}, "info": {"id": "cyner2_5class_train_00433", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.DD2BF Trojan.DownLoader.18943 BehavesLike.Win32.Msposer.nm Trj/Lozyt.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.DD2BF": [[26, 46]], "Indicator: Trojan.DownLoader.18943": [[47, 70]], "Indicator: BehavesLike.Win32.Msposer.nm": [[71, 99]], "Indicator: Trj/Lozyt.A": [[100, 111]]}, "info": {"id": "cyner2_5class_train_00434", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.ANU Trojan.Enrume Ransom_Enrume.R00EC0DKG17 Trojan.Ransom.ANU Trojan.Ransom.ANU Trojan.Win32.Z.Ransom.6967658 Troj.Ransom.Anu!c Trojan.Ransom.ANU Trojan.Ransom.ANU Ransom_Enrume.R00EC0DKG17 BehavesLike.Win32.PUPXBC.vc TR/FileCoder.jtxjg Trojan.Ransom.ANU Trojan.Ransom.ANU Trj/CI.A Win32/Trojan.Ransom.2a7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.ANU": [[26, 43], [84, 101], [102, 119], [168, 185], [186, 203], [277, 294], 
[295, 312]], "Indicator: Trojan.Enrume": [[44, 57]], "Indicator: Ransom_Enrume.R00EC0DKG17": [[58, 83], [204, 229]], "Indicator: Trojan.Win32.Z.Ransom.6967658": [[120, 149]], "Indicator: Troj.Ransom.Anu!c": [[150, 167]], "Indicator: BehavesLike.Win32.PUPXBC.vc": [[230, 257]], "Indicator: TR/FileCoder.jtxjg": [[258, 276]], "Indicator: Trj/CI.A": [[313, 321]], "Indicator: Win32/Trojan.Ransom.2a7": [[322, 345]]}, "info": {"id": "cyner2_5class_train_00435", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SapinH.Trojan Trojan-Dropper.Win32.Injector!O Trojan.Mauvaise.SL1 Trojan.Chad Trojan.Packed.Win32.29983 Trojan.Application.Symmi.D73F9 Win32/Gamepass.HKIaME Trojan-Dropper.Win32.Injector.palw Trojan.Win32.KillProc.brmetk Troj.Dropper.W32.Injector.toQt Adware.Win32.Dropper.aaa Application.Win32.Kuaiba.BC Trojan.KillProc.22109 BehavesLike.Win32.VirRansom.fh TrojanDropper.Injector.ayai Trojan:Win32/Scoreem.A Trojan-Dropper.Win32.Injector.palw Dropper/Win32.Injector.R68328 TrojanDropper.Injector Trojan.DR.Injector!UEnRNWldneo Trojan.Win32.Senta W32/Injector.RREW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SapinH.Trojan": [[26, 43]], "Indicator: Trojan-Dropper.Win32.Injector!O": [[44, 75]], "Indicator: Trojan.Mauvaise.SL1": [[76, 95]], "Indicator: Trojan.Chad": [[96, 107]], "Indicator: Trojan.Packed.Win32.29983": [[108, 133]], "Indicator: Trojan.Application.Symmi.D73F9": [[134, 164]], "Indicator: Win32/Gamepass.HKIaME": [[165, 186]], "Indicator: Trojan-Dropper.Win32.Injector.palw": [[187, 221], [439, 473]], "Indicator: Trojan.Win32.KillProc.brmetk": [[222, 250]], "Indicator: Troj.Dropper.W32.Injector.toQt": [[251, 281]], "Indicator: Adware.Win32.Dropper.aaa": [[282, 306]], "Indicator: Application.Win32.Kuaiba.BC": [[307, 334]], "Indicator: Trojan.KillProc.22109": [[335, 356]], "Indicator: BehavesLike.Win32.VirRansom.fh": [[357, 387]], "Indicator: TrojanDropper.Injector.ayai": [[388, 415]], "Indicator: Trojan:Win32/Scoreem.A": 
[[416, 438]], "Indicator: Dropper/Win32.Injector.R68328": [[474, 503]], "Indicator: TrojanDropper.Injector": [[504, 526]], "Indicator: Trojan.DR.Injector!UEnRNWldneo": [[527, 557]], "Indicator: Trojan.Win32.Senta": [[558, 576]], "Indicator: W32/Injector.RREW!tr": [[577, 597]]}, "info": {"id": "cyner2_5class_train_00436", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SumanyaQZA.Worm Worm.AutoRun W32/Autorun.worm.j Worm.AutoRun.Win32.2713 TROJ_FAM_0001c56.TOMA Win32.Worm.AutoRun.d W32.SillyDC Win32/SillyFDC.CD TROJ_FAM_0001c56.TOMA Worm.Win32.AutoRun.beh Trojan.Win32.AutoRun.uvsfh Worm.Win32.Autorun.204800 Trojan.Copier.8 BehavesLike.Win32.VBObfus.dm Worm.Win32.VB Worm/AutoRun.ahnn Worm:Win32/Manyasu.A Worm/Win32.AutoRun Worm:Win32/Manyasu.A Trojan.Heur.E08BA4 Worm.Win32.AutoRun.beh Worm/Win32.AutoRun.R18800 Trojan.VBO.012000 Trj/Manyasu.A Win32/AutoRun.VB.IY Trojan.Win32.VB.mct Worm.AutoRun!WxdQD2QNztM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SumanyaQZA.Worm": [[26, 45]], "Indicator: Worm.AutoRun": [[46, 58]], "Indicator: W32/Autorun.worm.j": [[59, 77]], "Indicator: Worm.AutoRun.Win32.2713": [[78, 101]], "Indicator: TROJ_FAM_0001c56.TOMA": [[102, 123], [175, 196]], "Indicator: Win32.Worm.AutoRun.d": [[124, 144]], "Indicator: W32.SillyDC": [[145, 156]], "Indicator: Win32/SillyFDC.CD": [[157, 174]], "Indicator: Worm.Win32.AutoRun.beh": [[197, 219], [430, 452]], "Indicator: Trojan.Win32.AutoRun.uvsfh": [[220, 246]], "Indicator: Worm.Win32.Autorun.204800": [[247, 272]], "Indicator: Trojan.Copier.8": [[273, 288]], "Indicator: BehavesLike.Win32.VBObfus.dm": [[289, 317]], "Indicator: Worm.Win32.VB": [[318, 331]], "Indicator: Worm/AutoRun.ahnn": [[332, 349]], "Indicator: Worm:Win32/Manyasu.A": [[350, 370], [390, 410]], "Indicator: Worm/Win32.AutoRun": [[371, 389]], "Indicator: Trojan.Heur.E08BA4": [[411, 429]], "Indicator: Worm/Win32.AutoRun.R18800": [[453, 478]], "Indicator: Trojan.VBO.012000": [[479, 496]], "Indicator: 
Trj/Manyasu.A": [[497, 510]], "Indicator: Win32/AutoRun.VB.IY": [[511, 530]], "Indicator: Trojan.Win32.VB.mct": [[531, 550]], "Indicator: Worm.AutoRun!WxdQD2QNztM": [[551, 575]]}, "info": {"id": "cyner2_5class_train_00437", "source": "cyner2_5class_train"}} +{"text": "The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and real time login attempts by the attackers.", "spans": {"Indicator: conferred": [[64, 73]], "Indicator: two-factor authentication in Gmail,": [[77, 112]], "Indicator: phone-call based phishing": [[133, 158]], "Indicator: real time login attempts": [[163, 187]]}, "info": {"id": "cyner2_5class_train_00438", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Stub!O Backdoor/Stub.j Win32.Worm.Delf.a Backdoor.Trojan Win32/Bosbot.D BKDR_STUB.G Backdoor.Win32.Stub.j Trojan.Win32.Stub.bbeaok Backdoor.Win32.A.Stub.114843[UPX] BackDoor.Stfu Backdoor.Stub.Win32.24 BKDR_STUB.G BehavesLike.Win32.Backdoor.cm Virus.Win32.Imponex Backdoor/Stub.n W32/Sality.Patched Trojan/Win32.Unknown Backdoor:Win32/Stub.P W32.W.Bagle.kZt7 Backdoor.Win32.Stub.j Win32.Worm.Imponex.A Trojan/Win32.Stub.C408823 BScope.Malware-Cryptor.Hlux W32/DelpDldr.A!tr.bdr W32/Knase.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Stub!O": [[26, 47]], "Indicator: Backdoor/Stub.j": [[48, 63]], "Indicator: Win32.Worm.Delf.a": [[64, 81]], "Indicator: Backdoor.Trojan": [[82, 97]], "Indicator: Win32/Bosbot.D": [[98, 112]], "Indicator: BKDR_STUB.G": [[113, 124], [243, 254]], "Indicator: Backdoor.Win32.Stub.j": [[125, 146], [400, 421]], "Indicator: Trojan.Win32.Stub.bbeaok": [[147, 171]], "Indicator: Backdoor.Win32.A.Stub.114843[UPX]": [[172, 205]], "Indicator: BackDoor.Stfu": [[206, 219]], "Indicator: Backdoor.Stub.Win32.24": [[220, 242]], "Indicator: BehavesLike.Win32.Backdoor.cm": [[255, 284]], "Indicator: Virus.Win32.Imponex": [[285, 
304]], "Indicator: Backdoor/Stub.n": [[305, 320]], "Indicator: W32/Sality.Patched": [[321, 339]], "Indicator: Trojan/Win32.Unknown": [[340, 360]], "Indicator: Backdoor:Win32/Stub.P": [[361, 382]], "Indicator: W32.W.Bagle.kZt7": [[383, 399]], "Indicator: Win32.Worm.Imponex.A": [[422, 442]], "Indicator: Trojan/Win32.Stub.C408823": [[443, 468]], "Indicator: BScope.Malware-Cryptor.Hlux": [[469, 496]], "Indicator: W32/DelpDldr.A!tr.bdr": [[497, 518]], "Indicator: W32/Knase.C": [[519, 530]]}, "info": {"id": "cyner2_5class_train_00439", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Java.Adwind.dkmdei Java.Adwind.2 Trojan.Java.Adwind Trojan.Java.o JAVA/RemoteAd.dld Trojan:Java/Adwind.G Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Java.Adwind.dkmdei": [[69, 94]], "Indicator: Java.Adwind.2": [[95, 108]], "Indicator: Trojan.Java.Adwind": [[109, 127]], "Indicator: Trojan.Java.o": [[128, 141]], "Indicator: JAVA/RemoteAd.dld": [[142, 159]], "Indicator: Trojan:Java/Adwind.G": [[160, 180]], "Indicator: Trj/CI.A": [[181, 189]]}, "info": {"id": "cyner2_5class_train_00440", "source": "cyner2_5class_train"}} +{"text": "The plugins are stored in its resource section and can be protected by the same VM .", "spans": {}, "info": {"id": "cyner2_5class_train_00441", "source": "cyner2_5class_train"}} +{"text": "This functionality can be seen in Figure 6 .", "spans": {}, "info": {"id": "cyner2_5class_train_00442", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Patched.FR Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Sheedash Win32/Sfcpatched.A TROJ_PATCH.SMLD Win.Trojan.Sfcpatch-10 Trojan.Win32.Patched.fr Trojan.Win32.Patched.cwsyqv W32.W.AutoRun.kYRk Trojan.WinSpy.921 Trojan.Patched.Win32.27797 TROJ_PATCH.SMLD Trojan.Win32.Patched Trojan/Win32.Patched Trojan.Patched.1 
Trojan.Win32.Patched.fr Trojan:Win32/Parchood.A Trojan/Win32.Patched.R3621 BScope.Trojan.Crex Trojan.Win32.Patched.f Trojan.Patched!j5lr5VQfEwA Win32/Trojan.2c9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Patched.FR": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[44, 86]], "Indicator: Backdoor.Sheedash": [[87, 104]], "Indicator: Win32/Sfcpatched.A": [[105, 123]], "Indicator: TROJ_PATCH.SMLD": [[124, 139], [279, 294]], "Indicator: Win.Trojan.Sfcpatch-10": [[140, 162]], "Indicator: Trojan.Win32.Patched.fr": [[163, 186], [354, 377]], "Indicator: Trojan.Win32.Patched.cwsyqv": [[187, 214]], "Indicator: W32.W.AutoRun.kYRk": [[215, 233]], "Indicator: Trojan.WinSpy.921": [[234, 251]], "Indicator: Trojan.Patched.Win32.27797": [[252, 278]], "Indicator: Trojan.Win32.Patched": [[295, 315]], "Indicator: Trojan/Win32.Patched": [[316, 336]], "Indicator: Trojan.Patched.1": [[337, 353]], "Indicator: Trojan:Win32/Parchood.A": [[378, 401]], "Indicator: Trojan/Win32.Patched.R3621": [[402, 428]], "Indicator: BScope.Trojan.Crex": [[429, 447]], "Indicator: Trojan.Win32.Patched.f": [[448, 470]], "Indicator: Trojan.Patched!j5lr5VQfEwA": [[471, 497]], "Indicator: Win32/Trojan.2c9": [[498, 514]]}, "info": {"id": "cyner2_5class_train_00443", "source": "cyner2_5class_train"}} +{"text": "The group has been operating since 2012 and became particularly active in Q2 2015.", "spans": {}, "info": {"id": "cyner2_5class_train_00444", "source": "cyner2_5class_train"}} +{"text": "SpyNote is similar to OmniRat and DroidJack, which are RATs remote administration tools that allow malware owners to gain remote administrative control of an Android device.", "spans": {"Malware: SpyNote": [[0, 7]], "Malware: OmniRat": [[22, 29]], "Malware: DroidJack,": [[34, 44]], "Malware: RATs remote administration tools": [[55, 87]], "Indicator: gain remote administrative control": [[117, 151]], "System: Android device.": [[158, 173]]}, "info": {"id": "cyner2_5class_train_00445", 
"source": "cyner2_5class_train"}} +{"text": "As predicted following the leak of Hacking Team exploit codes covered here, the Zscaler security research team has recently started seeing a Chinese cyber espionage group weaponizing malware payloads using the 0-day exploits found in the leaked Hacking Team archives.", "spans": {"Organization: Hacking Team": [[35, 47], [245, 257]], "Malware: exploit codes": [[48, 61]], "Organization: Zscaler security research team": [[80, 110]], "Malware: malware payloads": [[183, 199]], "Malware: 0-day exploits": [[210, 224]]}, "info": {"id": "cyner2_5class_train_00446", "source": "cyner2_5class_train"}} +{"text": "The World Anti-Doping Agency WADA has alerted their stakeholders that email phishing scams are being reported in connection with WADA and therefore asks its recipients to be careful.", "spans": {"Organization: The World Anti-Doping Agency WADA": [[0, 33]], "Indicator: email phishing scams": [[70, 90]], "Organization: WADA": [[129, 133]], "Organization: recipients": [[157, 167]]}, "info": {"id": "cyner2_5class_train_00447", "source": "cyner2_5class_train"}} +{"text": "Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor.", "spans": {"Indicator: create accounts on those services": [[10, 43]], "Indicator: IP addresses": [[61, 73]], "Indicator: the domain names of real C2 servers": [[77, 112]], "Malware: backdoor.": [[144, 153]]}, "info": {"id": "cyner2_5class_train_00448", "source": "cyner2_5class_train"}} +{"text": "The injection method used for winlogon.exe is also interesting and quite unusual .", "spans": {"Indicator: winlogon.exe": [[30, 42]]}, "info": {"id": "cyner2_5class_train_00449", "source": "cyner2_5class_train"}} +{"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address .", "spans": {"Organization: 
Instagram": [[96, 105]], "Organization: Tumblr": [[110, 116]], "Organization: Twitter": [[128, 135]]}, "info": {"id": "cyner2_5class_train_00450", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: P2P-Worm.Win32.Delf!O Worm.Delf.9767 W32/Delf.ao WORM_YOOHOO.D Win32.Worm.Delf.a W32/SillyP2P.BR W32.HLLW.Yoohoo WORM_YOOHOO.D Win.Trojan.Delf-1033 P2P-Worm.Win32.Delf.ao Trojan.Win32.Delf.bojqna Win32.Worm-p2p.Delf.Lnfa Win32.HLLW.Woofka Worm.Delf.Win32.191 BehavesLike.Win32.Backdoor.ch Worm/Delf.ot Worm[P2P]/Win32.Delf Worm.Win32.A.P2P-Delf.70675[UPX] P2P-Worm.Win32.Delf.ao Win32/P2PDelf.worm.45056 Worm.Delf Win32/Delf.AO Worm.P2P.Delf.AAF!AU P2P-Worm.Win32.Delf W32/Delf.AO!worm.p2p W32/Spybot.TN.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: P2P-Worm.Win32.Delf!O": [[26, 47]], "Indicator: Worm.Delf.9767": [[48, 62]], "Indicator: W32/Delf.ao": [[63, 74]], "Indicator: WORM_YOOHOO.D": [[75, 88], [139, 152]], "Indicator: Win32.Worm.Delf.a": [[89, 106]], "Indicator: W32/SillyP2P.BR": [[107, 122]], "Indicator: W32.HLLW.Yoohoo": [[123, 138]], "Indicator: Win.Trojan.Delf-1033": [[153, 173]], "Indicator: P2P-Worm.Win32.Delf.ao": [[174, 196], [382, 404]], "Indicator: Trojan.Win32.Delf.bojqna": [[197, 221]], "Indicator: Win32.Worm-p2p.Delf.Lnfa": [[222, 246]], "Indicator: Win32.HLLW.Woofka": [[247, 264]], "Indicator: Worm.Delf.Win32.191": [[265, 284]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[285, 314]], "Indicator: Worm/Delf.ot": [[315, 327]], "Indicator: Worm[P2P]/Win32.Delf": [[328, 348]], "Indicator: Worm.Win32.A.P2P-Delf.70675[UPX]": [[349, 381]], "Indicator: Win32/P2PDelf.worm.45056": [[405, 429]], "Indicator: Worm.Delf": [[430, 439]], "Indicator: Win32/Delf.AO": [[440, 453]], "Indicator: Worm.P2P.Delf.AAF!AU": [[454, 474]], "Indicator: P2P-Worm.Win32.Delf": [[475, 494]], "Indicator: W32/Delf.AO!worm.p2p": [[495, 515]], "Indicator: W32/Spybot.TN.worm": [[516, 534]]}, "info": {"id": "cyner2_5class_train_00451", "source": 
"cyner2_5class_train"}} +{"text": "RECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot .", "spans": {}, "info": {"id": "cyner2_5class_train_00452", "source": "cyner2_5class_train"}} +{"text": "In February 2017, we observed an evolution of the Infy malware that we're calling Foudre lightning in French.", "spans": {"Malware: Infy malware": [[50, 62]], "Malware: Foudre": [[82, 88]]}, "info": {"id": "cyner2_5class_train_00453", "source": "cyner2_5class_train"}} +{"text": "The ACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0 Lollipop which happened in 2014 .", "spans": {"System: Android 5.0": [[89, 100]], "System: Lollipop": [[101, 109]]}, "info": {"id": "cyner2_5class_train_00454", "source": "cyner2_5class_train"}} +{"text": "IOC's related to a new version of Citadel that hit the streets on November 2015", "spans": {"Indicator: IOC's": [[0, 5]], "Malware: Citadel": [[34, 41]]}, "info": {"id": "cyner2_5class_train_00455", "source": "cyner2_5class_train"}} +{"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day .", "spans": {"Vulnerability: CVE-2015-5119": [[15, 28]]}, "info": {"id": "cyner2_5class_train_00456", "source": "cyner2_5class_train"}} +{"text": "In July 2015, Check Point's Incident Response team was contacted by a customer after they noticed strange file system activities in one of their Linux-based DNS BIND servers.", "spans": {"Organization: Check Point's Incident Response team": [[14, 50]], "Indicator: strange file system activities": [[98, 128]], "System: Linux-based DNS BIND servers.": [[145, 174]]}, "info": {"id": "cyner2_5class_train_00457", "source": "cyner2_5class_train"}} +{"text": "This new version CryptoWall includes multiple updates, such as a more streamlined network communication channel, modified ransom message, and the encryption of filenames.", "spans": {"Malware: CryptoWall": [[17, 27]], "Indicator: more streamlined network communication channel,": [[65, 
112]], "Indicator: ransom message,": [[122, 137]], "Indicator: encryption of filenames.": [[146, 170]]}, "info": {"id": "cyner2_5class_train_00458", "source": "cyner2_5class_train"}} +{"text": "They can also be installed by other malware, or by exploiting software vulnerabilities.", "spans": {"Malware: malware,": [[36, 44]], "Vulnerability: exploiting software vulnerabilities.": [[51, 87]]}, "info": {"id": "cyner2_5class_train_00459", "source": "cyner2_5class_train"}} +{"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Indicator: Trojan.AndroidOS.Dvmap.a": [[36, 60]]}, "info": {"id": "cyner2_5class_train_00460", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackdoorAPT.Hikit.MD6 BKDR64_GOALMAY.SM BKDR64_GOALMAY.SM Win.Trojan.HiKit-41 Trojan.Hikit.Win64.4 BehavesLike.Win64.PdfCrypt.cc Trojan.Dropper Backdoor:Win64/Hikiti.N!dha Trojan/Win32.HDC.C1382826 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackdoorAPT.Hikit.MD6": [[26, 47]], "Indicator: BKDR64_GOALMAY.SM": [[48, 65], [66, 83]], "Indicator: Win.Trojan.HiKit-41": [[84, 103]], "Indicator: Trojan.Hikit.Win64.4": [[104, 124]], "Indicator: BehavesLike.Win64.PdfCrypt.cc": [[125, 154]], "Indicator: Trojan.Dropper": [[155, 169]], "Indicator: Backdoor:Win64/Hikiti.N!dha": [[170, 197]], "Indicator: Trojan/Win32.HDC.C1382826": [[198, 223]], "Indicator: Trj/CI.A": [[224, 232]]}, "info": {"id": "cyner2_5class_train_00461", "source": "cyner2_5class_train"}} +{"text": "These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.", "spans": {"Indicator: attacks": [[6, 13]], "Organization: primary targets": [[95, 110]], "Organization: individuals": [[116, 127]], "Organization: organizations": [[132, 145]]}, "info": {"id": "cyner2_5class_train_00462", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Win32.ServStart.exsakp Trojan.Win32.Z.Servstart.15876.A Trojan.DownLoader9.26576 Trojan.Win32.Rozena TR/ServStart.dplva TrojanDownloader:Win32/Yemrok.A W32/Parite.dam W32/ServStart.DV!tr Win32/Trojan.849", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.Win32.ServStart.exsakp": [[48, 77]], "Indicator: Trojan.Win32.Z.Servstart.15876.A": [[78, 110]], "Indicator: Trojan.DownLoader9.26576": [[111, 135]], "Indicator: Trojan.Win32.Rozena": [[136, 155]], "Indicator: TR/ServStart.dplva": [[156, 174]], "Indicator: TrojanDownloader:Win32/Yemrok.A": [[175, 206]], "Indicator: W32/Parite.dam": [[207, 221]], "Indicator: W32/ServStart.DV!tr": [[222, 241]], "Indicator: Win32/Trojan.849": [[242, 258]]}, "info": {"id": "cyner2_5class_train_00463", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/VB.l Trojan.Heur.EC3E8C WORM_ZAKA.AD W32/VB.UQEY-1535 W32.HLLW.Asterz.intd WORM_ZAKA.AD Win.Worm.VB-29 P2P-Worm.Win32.VB.l Trojan.Win32.VB.hxbs Worm.Win32.P2P-VB.24576.D W32.W.VB.l!c Win32.VB.L Win32.HLLW.Kirk.24576 Worm.VB.Win32.51 BehavesLike.Win32.Virus.mz Trojan-Banker.Win32.Bancos W32/VB.KA@p2p Worm/VB.qvg Worm:Win32/Icasur.Q WORM/VB.A Worm[P2P]/Win32.VB Worm.P2PVB.a.kcloud Worm:Win32/Icasur.Q P2P-Worm.Win32.VB.l Worm.VB Win32/VB.L Win32.Virus.Vb.Lkdy Worm.P2P.Zaka.R W32/VB.L!worm.p2p", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/VB.l": [[26, 34]], "Indicator: Trojan.Heur.EC3E8C": [[35, 53]], "Indicator: WORM_ZAKA.AD": [[54, 66], [105, 117]], "Indicator: W32/VB.UQEY-1535": [[67, 83]], "Indicator: W32.HLLW.Asterz.intd": [[84, 104]], "Indicator: Win.Worm.VB-29": [[118, 132]], "Indicator: P2P-Worm.Win32.VB.l": [[133, 152], [432, 451]], "Indicator: Trojan.Win32.VB.hxbs": [[153, 173]], "Indicator: Worm.Win32.P2P-VB.24576.D": [[174, 199]], "Indicator: W32.W.VB.l!c": [[200, 212]], "Indicator: Win32.VB.L": [[213, 223]], "Indicator: 
Win32.HLLW.Kirk.24576": [[224, 245]], "Indicator: Worm.VB.Win32.51": [[246, 262]], "Indicator: BehavesLike.Win32.Virus.mz": [[263, 289]], "Indicator: Trojan-Banker.Win32.Bancos": [[290, 316]], "Indicator: W32/VB.KA@p2p": [[317, 330]], "Indicator: Worm/VB.qvg": [[331, 342]], "Indicator: Worm:Win32/Icasur.Q": [[343, 362], [412, 431]], "Indicator: WORM/VB.A": [[363, 372]], "Indicator: Worm[P2P]/Win32.VB": [[373, 391]], "Indicator: Worm.P2PVB.a.kcloud": [[392, 411]], "Indicator: Worm.VB": [[452, 459]], "Indicator: Win32/VB.L": [[460, 470]], "Indicator: Win32.Virus.Vb.Lkdy": [[471, 490]], "Indicator: Worm.P2P.Zaka.R": [[491, 506]], "Indicator: W32/VB.L!worm.p2p": [[507, 524]]}, "info": {"id": "cyner2_5class_train_00464", "source": "cyner2_5class_train"}} +{"text": "Throughout 2015, Symantec.cloud has been detecting a stream of emails that have the Xtreme remote access Trojan RAT, which we detect as W32.Extrat, as an attachment.", "spans": {"Organization: Symantec.cloud": [[17, 31]], "Indicator: stream of emails": [[53, 69]], "Malware: Xtreme remote access Trojan RAT,": [[84, 116]], "Indicator: W32.Extrat,": [[136, 147]], "Organization: attachment.": [[154, 165]]}, "info": {"id": "cyner2_5class_train_00465", "source": "cyner2_5class_train"}} +{"text": "In November 2016, we observed the reemergence of destructive attacks associated with the 2012 Shamoon attack campaign.", "spans": {"Indicator: attacks": [[61, 68]]}, "info": {"id": "cyner2_5class_train_00466", "source": "cyner2_5class_train"}} +{"text": "This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery.", "spans": {"Malware: malware": [[5, 12]], "Malware: ransomware:": [[36, 47]], "Indicator: encrypts the data": [[51, 68]], "System: computer": [[76, 84]]}, "info": {"id": "cyner2_5class_train_00467", "source": "cyner2_5class_train"}} +{"text": "TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then 
transmits this information to a command and control server.", "spans": {"Malware: TREASUREHUNT": [[0, 12]], "Indicator: running processes, extracts payment card information from memory,": [[24, 89]], "Indicator: transmits": [[99, 108]], "Indicator: information": [[114, 125]], "Indicator: command and control server.": [[131, 158]]}, "info": {"id": "cyner2_5class_train_00468", "source": "cyner2_5class_train"}} +{"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven ’ t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform .", "spans": {"System: Android": [[111, 118], [182, 189]]}, "info": {"id": "cyner2_5class_train_00469", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Androm Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.CFAT-3750 Trojan.MulDrop7.39399 Backdoor.Androm.tas Trojan[Backdoor]/Win32.Androm Trojan:Win32/Lamooc.A Trojan/Win32.Androm.C2185535 Backdoor.Androm Trj/GdSda.A Backdoor.Androm!dAFAsy80jho", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Androm": [[26, 41], [229, 244]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[42, 84]], "Indicator: W32/Trojan.CFAT-3750": [[85, 105]], "Indicator: Trojan.MulDrop7.39399": [[106, 127]], "Indicator: Backdoor.Androm.tas": [[128, 147]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[148, 177]], "Indicator: Trojan:Win32/Lamooc.A": [[178, 199]], "Indicator: Trojan/Win32.Androm.C2185535": [[200, 228]], "Indicator: Trj/GdSda.A": [[245, 256]], "Indicator: Backdoor.Androm!dAFAsy80jho": [[257, 284]]}, "info": {"id": "cyner2_5class_train_00470", "source": "cyner2_5class_train"}} +{"text": "This is a common trick played by malware developers , making the user think the app may have been removed .", "spans": {}, "info": {"id": "cyner2_5class_train_00471", "source": "cyner2_5class_train"}} +{"text": "This method checks if eight hours have passed from the first run of 
application , and if so , request containing the device ’ s data to the server .", "spans": {}, "info": {"id": "cyner2_5class_train_00472", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Comfoo.a Backdoor.Vinself TROJ_COMFOO.AI Trojan.PWS.DPD.14 TROJ_COMFOO.AI Trojan[Dropper]/Win32.Injector Backdoor:Win32/Comfoo.C Win-Trojan/Comfoo.114688 Backdoor.Win32.Comfoo W32/PWS_y.AI!tr Win32/Trojan.3fc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Comfoo.a": [[26, 41]], "Indicator: Backdoor.Vinself": [[42, 58]], "Indicator: TROJ_COMFOO.AI": [[59, 73], [92, 106]], "Indicator: Trojan.PWS.DPD.14": [[74, 91]], "Indicator: Trojan[Dropper]/Win32.Injector": [[107, 137]], "Indicator: Backdoor:Win32/Comfoo.C": [[138, 161]], "Indicator: Win-Trojan/Comfoo.114688": [[162, 186]], "Indicator: Backdoor.Win32.Comfoo": [[187, 208]], "Indicator: W32/PWS_y.AI!tr": [[209, 224]], "Indicator: Win32/Trojan.3fc": [[225, 241]]}, "info": {"id": "cyner2_5class_train_00473", "source": "cyner2_5class_train"}} +{"text": "In October we saw an increase in infections.", "spans": {}, "info": {"id": "cyner2_5class_train_00474", "source": "cyner2_5class_train"}} +{"text": "TeslaCrypt/AlphaCrypt uses AES256 encryption.", "spans": {"Indicator: TeslaCrypt/AlphaCrypt": [[0, 21]], "Indicator: AES256 encryption.": [[27, 45]]}, "info": {"id": "cyner2_5class_train_00475", "source": "cyner2_5class_train"}} +{"text": "The principles of this bootkit's work, named HDRoot, have been described in the first part of our article.", "spans": {"Malware: bootkit's": [[23, 32]], "Indicator: HDRoot,": [[45, 52]]}, "info": {"id": "cyner2_5class_train_00476", "source": "cyner2_5class_train"}} +{"text": "The body contains a message and URL .", "spans": {}, "info": {"id": "cyner2_5class_train_00477", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Stepaik.A Worm.Stepaik Win32.Stepaik.A W32/Trojan.ILKV-7384 Win32.Stepaik.A Email-Worm.Win32.Stepaik.c 
Win32.Stepaik.A Email.Worm.W32!c Win32.Stepaik.A Win32.Stepaik.A Trojan.Inject3.836 BehavesLike.Win32.Virut.mh Worm[Email]/Win32.Stepaik Email-Worm.Win32.Stepaik.c Win32.Stepaik.A Trj/CI.A Win32.Worm-email.Stepaik.Day Worm.Win32.Stepar W32/Stepaik.C@mm Win32/Trojan.7ee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Stepaik.A": [[26, 41], [55, 70], [92, 107], [135, 150], [168, 183], [184, 199], [299, 314]], "Indicator: Worm.Stepaik": [[42, 54]], "Indicator: W32/Trojan.ILKV-7384": [[71, 91]], "Indicator: Email-Worm.Win32.Stepaik.c": [[108, 134], [272, 298]], "Indicator: Email.Worm.W32!c": [[151, 167]], "Indicator: Trojan.Inject3.836": [[200, 218]], "Indicator: BehavesLike.Win32.Virut.mh": [[219, 245]], "Indicator: Worm[Email]/Win32.Stepaik": [[246, 271]], "Indicator: Trj/CI.A": [[315, 323]], "Indicator: Win32.Worm-email.Stepaik.Day": [[324, 352]], "Indicator: Worm.Win32.Stepar": [[353, 370]], "Indicator: W32/Stepaik.C@mm": [[371, 387]], "Indicator: Win32/Trojan.7ee": [[388, 404]]}, "info": {"id": "cyner2_5class_train_00478", "source": "cyner2_5class_train"}} +{"text": "We setup a system with weak and default passwords to capture any and all malware spread in this fashion.", "spans": {"System: system": [[11, 17]], "Indicator: weak and default passwords": [[23, 49]], "Malware: malware": [[73, 80]], "Indicator: spread": [[81, 87]]}, "info": {"id": "cyner2_5class_train_00479", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.5B9D Packer.Malware.NSAnti.A Packer.Malware.NSAnti.A Trojan.MalPack.NSPack Trojan/PornoBlocker.afxh Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Packed.NsAnti Packer.Malware.NSAnti.A Packed.Win32.NSAnti.r Packer.Malware.NSAnti.A Trojan.Win32.NSAnti.fthc Packer.Malware.NSAnti.A BackDoor.Singu Packed.NSAnti.frd Packer.Malware.NSAnti.A Packed.Win32.NSAnti.r Trojan:Win32/Vanti.B.dll Trojan/Win32.Hupigon.C134220 TScope.Malware-Cryptor.SB Rootkit.Win32.Vanti.D", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.HfsAutoB.5B9D": [[26, 43]], "Indicator: Packer.Malware.NSAnti.A": [[44, 67], [68, 91], [203, 226], [249, 272], [298, 321], [355, 378]], "Indicator: Trojan.MalPack.NSPack": [[92, 113]], "Indicator: Trojan/PornoBlocker.afxh": [[114, 138]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[139, 181]], "Indicator: Trojan.Packed.NsAnti": [[182, 202]], "Indicator: Packed.Win32.NSAnti.r": [[227, 248], [379, 400]], "Indicator: Trojan.Win32.NSAnti.fthc": [[273, 297]], "Indicator: BackDoor.Singu": [[322, 336]], "Indicator: Packed.NSAnti.frd": [[337, 354]], "Indicator: Trojan:Win32/Vanti.B.dll": [[401, 425]], "Indicator: Trojan/Win32.Hupigon.C134220": [[426, 454]], "Indicator: TScope.Malware-Cryptor.SB": [[455, 480]], "Indicator: Rootkit.Win32.Vanti.D": [[481, 502]]}, "info": {"id": "cyner2_5class_train_00480", "source": "cyner2_5class_train"}} +{"text": "We also found several apps containing the malware , which were developed by other developers on Google Play .", "spans": {"System: Google Play": [[96, 107]]}, "info": {"id": "cyner2_5class_train_00481", "source": "cyner2_5class_train"}} +{"text": "The ransomware makes this connection presumably to report that your computer has been compromised.", "spans": {"Malware: ransomware": [[4, 14]], "System: computer": [[68, 76]], "Vulnerability: compromised.": [[86, 98]]}, "info": {"id": "cyner2_5class_train_00482", "source": "cyner2_5class_train"}} +{"text": "This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes.", "spans": {"Indicator: attack": [[5, 11]], "System: Java": [[32, 36]], "Malware: zero-day exploit": [[37, 53]], "Indicator: hacked forums as watering holes.": [[63, 95]]}, "info": {"id": "cyner2_5class_train_00483", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.QPassHV.Trojan Trojan.Zenshirsh.SL7 Trojan/QQPass.owd Win32.Trojan-PSW.QQPass.af Win32/Oflwr.A!crypt Trojan.Win32.Scar.oetk Trojan.Win32.DangerousObject.dnizrq 
Win32.Trojan.Scar.Wsts TrojWare.Win32.PWS.QQPass.AZF Trojan.DownLoader12.31656 Trojan.QQPass.Win32.24405 BehavesLike.Win32.Trojan.nc TR/PSW.QQSteal.boeu Trojan.Win32.Z.Qqpass.100934 Trojan.Scar Win32/PSW.QQPass.OWD Win32/Worm.Scar.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.QPassHV.Trojan": [[26, 50]], "Indicator: Trojan.Zenshirsh.SL7": [[51, 71]], "Indicator: Trojan/QQPass.owd": [[72, 89]], "Indicator: Win32.Trojan-PSW.QQPass.af": [[90, 116]], "Indicator: Win32/Oflwr.A!crypt": [[117, 136]], "Indicator: Trojan.Win32.Scar.oetk": [[137, 159]], "Indicator: Trojan.Win32.DangerousObject.dnizrq": [[160, 195]], "Indicator: Win32.Trojan.Scar.Wsts": [[196, 218]], "Indicator: TrojWare.Win32.PWS.QQPass.AZF": [[219, 248]], "Indicator: Trojan.DownLoader12.31656": [[249, 274]], "Indicator: Trojan.QQPass.Win32.24405": [[275, 300]], "Indicator: BehavesLike.Win32.Trojan.nc": [[301, 328]], "Indicator: TR/PSW.QQSteal.boeu": [[329, 348]], "Indicator: Trojan.Win32.Z.Qqpass.100934": [[349, 377]], "Indicator: Trojan.Scar": [[378, 389]], "Indicator: Win32/PSW.QQPass.OWD": [[390, 410]], "Indicator: Win32/Worm.Scar.B": [[411, 428]]}, "info": {"id": "cyner2_5class_train_00484", "source": "cyner2_5class_train"}} +{"text": "Throughout the year, Bankbot has been distributed as benign apps, some of which made their way onto popular app stores.", "spans": {"Malware: Bankbot": [[21, 28]], "System: benign apps,": [[53, 65]], "System: popular app stores.": [[100, 119]]}, "info": {"id": "cyner2_5class_train_00485", "source": "cyner2_5class_train"}} +{"text": "In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company.", "spans": {"Organization: Defense": [[31, 38]], "Organization: a U.S.-based technology company.": [[104, 136]]}, "info": {"id": "cyner2_5class_train_00486", "source": "cyner2_5class_train"}} +{"text": "But attackers were still constantly looking for new methods to steal TANs .", 
"spans": {}, "info": {"id": "cyner2_5class_train_00487", "source": "cyner2_5class_train"}} +{"text": "In the examined version , it was downloaded from : hxxp : //url [ .", "spans": {"Indicator: hxxp : //url [ .": [[51, 67]]}, "info": {"id": "cyner2_5class_train_00488", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NSIS.Androm.7 Ransom.Onion.A Win32.Trojan.Injector.je Packed.NSISPacker!g7 Win32/Injector.CXKV TROJ_GE.F5258674 Zum.Ransom.NSIS.Cerber.1 Trojan.NSIS.Androm.7 Trojan.Win32.CXKV.ecdllh Trojan.Kovter.118 BehavesLike.Win32.Ransom.dc Trojan.Win32.Injector Trojan/Win32.Injector.cxkv Zum.Ransom.NSIS.Cerber.1 Trojan/Win32.Cerber.R180093 Trojan.Injector!M8gUkRYeGG8 W32/Injector.CXKV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSIS.Androm.7": [[26, 46], [170, 190]], "Indicator: Ransom.Onion.A": [[47, 61]], "Indicator: Win32.Trojan.Injector.je": [[62, 86]], "Indicator: Packed.NSISPacker!g7": [[87, 107]], "Indicator: Win32/Injector.CXKV": [[108, 127]], "Indicator: TROJ_GE.F5258674": [[128, 144]], "Indicator: Zum.Ransom.NSIS.Cerber.1": [[145, 169], [311, 335]], "Indicator: Trojan.Win32.CXKV.ecdllh": [[191, 215]], "Indicator: Trojan.Kovter.118": [[216, 233]], "Indicator: BehavesLike.Win32.Ransom.dc": [[234, 261]], "Indicator: Trojan.Win32.Injector": [[262, 283]], "Indicator: Trojan/Win32.Injector.cxkv": [[284, 310]], "Indicator: Trojan/Win32.Cerber.R180093": [[336, 363]], "Indicator: Trojan.Injector!M8gUkRYeGG8": [[364, 391]], "Indicator: W32/Injector.CXKV!tr": [[392, 412]]}, "info": {"id": "cyner2_5class_train_00489", "source": "cyner2_5class_train"}} +{"text": "It appears the same actor developed both the Komplex and XAgentOSX tools, based on similarities within the following project paths found within the tools.", "spans": {"Malware: Komplex": [[45, 52]], "Malware: XAgentOSX tools,": [[57, 73]], "Malware: tools.": [[148, 154]]}, "info": {"id": "cyner2_5class_train_00490", "source": "cyner2_5class_train"}} 
+{"text": "The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell.", "spans": {"Malware: webshell": [[24, 32], [114, 122]], "Malware: webshells:": [[92, 102]], "Malware: webshell.": [[195, 204]]}, "info": {"id": "cyner2_5class_train_00491", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Flystudio.16558 Trojan.DownLoader12.49203 Trojan-Downloader.Win32.Raykmerd Trojan/Badur.jao TR/Dldr.Raykmerd.amotd TrojanDownloader:Win32/Raykmerd.A Trojan.Badur", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Flystudio.16558": [[26, 50]], "Indicator: Trojan.DownLoader12.49203": [[51, 76]], "Indicator: Trojan-Downloader.Win32.Raykmerd": [[77, 109]], "Indicator: Trojan/Badur.jao": [[110, 126]], "Indicator: TR/Dldr.Raykmerd.amotd": [[127, 149]], "Indicator: TrojanDownloader:Win32/Raykmerd.A": [[150, 183]], "Indicator: Trojan.Badur": [[184, 196]]}, "info": {"id": "cyner2_5class_train_00492", "source": "cyner2_5class_train"}} +{"text": "On September 18, 2015, we saw an activity on koreatimes.com where we captured a malicious binary.", "spans": {"Indicator: koreatimes.com": [[45, 59]], "Malware: malicious binary.": [[80, 97]]}, "info": {"id": "cyner2_5class_train_00493", "source": "cyner2_5class_train"}} +{"text": "Much like we have seen in recent months , anyone can be impacted by a mobile device attack .", "spans": {}, "info": {"id": "cyner2_5class_train_00494", "source": "cyner2_5class_train"}} +{"text": "EventBot method responsible for the library loading The method responsible for the library loading .", "spans": {}, "info": {"id": "cyner2_5class_train_00495", "source": "cyner2_5class_train"}} +{"text": "During our investigation , we observed the C2 server sending multiple “ balance ” commands to different institutions , presumably to query the victim ’ s financial account balances .", 
"spans": {}, "info": {"id": "cyner2_5class_train_00496", "source": "cyner2_5class_train"}} +{"text": "Triada ’ s functionality allows it to modify those messages , so the money is sent not to some app developer , but to the malware operators .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner2_5class_train_00497", "source": "cyner2_5class_train"}} +{"text": "These innovations included two significant changes in Dyre behavior:", "spans": {"Malware: Dyre": [[54, 58]]}, "info": {"id": "cyner2_5class_train_00498", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FlameF.Worm Trojan.Flame.B Worm.Win32.Flame!O Worm.Flamea Worm.Win32.Flame.a Trojan/Flamer.a Win32.Trojan.WisdomEyes.16070401.9500.9790 W32/Flamer.A W32.Flamer Win32/Flame.A WORM_FLAMER.A Win.Worm.Flame-9 Trojan.Flame.B Worm.Win32.Flame.a Trojan.Flame.B Trojan.Win32.Flame.sbruw W32.W.Flame.a!c Win32.Worm.Flame.Wpjf Worm.Win32.Flame.a Trojan.Flame.B Win32.HLLW.Flame.1 Worm.Flame.Win32.3 WORM_FLAMER.A W32/Flamer.OWIT-2039 Worm/Flame.f W32.Worm.Flame TR/Flamer.A.1 Worm/Win32.Flame Trojan.Flame.B Worm.Win32.Flame.1721856 Worm.Win32.Flame.a Win-Trojan/Flamer.1721856 Worm.Flame Worm.Win32.Flame.a Trojan.Flame.B Win32/Flamer.A Trojan.Flame.A Worm.Win32.Flame W32/Flame.A!worm Trojan.Flame.3535 W32/Flamer.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FlameF.Worm": [[26, 41]], "Indicator: Trojan.Flame.B": [[42, 56], [235, 249], [269, 283], [366, 380], [513, 527], [628, 642]], "Indicator: Worm.Win32.Flame!O": [[57, 75]], "Indicator: Worm.Flamea": [[76, 87]], "Indicator: Worm.Win32.Flame.a": [[88, 106], [250, 268], [347, 365], [553, 571], [609, 627]], "Indicator: Trojan/Flamer.a": [[107, 122]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9790": [[123, 165]], "Indicator: W32/Flamer.A": [[166, 178]], "Indicator: W32.Flamer": [[179, 189]], "Indicator: Win32/Flame.A": [[190, 203]], "Indicator: WORM_FLAMER.A": [[204, 217], [419, 432]], "Indicator: 
Win.Worm.Flame-9": [[218, 234]], "Indicator: Trojan.Win32.Flame.sbruw": [[284, 308]], "Indicator: W32.W.Flame.a!c": [[309, 324]], "Indicator: Win32.Worm.Flame.Wpjf": [[325, 346]], "Indicator: Win32.HLLW.Flame.1": [[381, 399]], "Indicator: Worm.Flame.Win32.3": [[400, 418]], "Indicator: W32/Flamer.OWIT-2039": [[433, 453]], "Indicator: Worm/Flame.f": [[454, 466]], "Indicator: W32.Worm.Flame": [[467, 481]], "Indicator: TR/Flamer.A.1": [[482, 495]], "Indicator: Worm/Win32.Flame": [[496, 512]], "Indicator: Worm.Win32.Flame.1721856": [[528, 552]], "Indicator: Win-Trojan/Flamer.1721856": [[572, 597]], "Indicator: Worm.Flame": [[598, 608]], "Indicator: Win32/Flamer.A": [[643, 657]], "Indicator: Trojan.Flame.A": [[658, 672]], "Indicator: Worm.Win32.Flame": [[673, 689]], "Indicator: W32/Flame.A!worm": [[690, 706]], "Indicator: Trojan.Flame.3535": [[707, 724]], "Indicator: W32/Flamer.A.worm": [[725, 742]]}, "info": {"id": "cyner2_5class_train_00499", "source": "cyner2_5class_train"}} +{"text": "FAKESPY CODE ANALYSIS Once the user clicks on the malicious link from the SMS message , the app asks them to approve installation from unknown resources .", "spans": {"Malware: FAKESPY": [[0, 7]]}, "info": {"id": "cyner2_5class_train_00500", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandropper.Exebundle2X Worm.WBNA.Win32.421402 Win.Worm.Drefir-14 Trojan.Win32.ExeBundle.exrqtj Trojan.Win32.Z.Exebundle.8609956 Trojan.MulDrop.1611 W32/Trojan.EGST-2925 TR/ExeBundle.272 Trojan[Downloader]/Win32.Small TrojanDropper:Win32/ExeBundle_2x.A Trojan.MulDrop Trj/CI.A Trojan.Dropper W32/Multidr.FD!tr Win32/Trojan.852", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandropper.Exebundle2X": [[26, 51]], "Indicator: Worm.WBNA.Win32.421402": [[52, 74]], "Indicator: Win.Worm.Drefir-14": [[75, 93]], "Indicator: Trojan.Win32.ExeBundle.exrqtj": [[94, 123]], "Indicator: Trojan.Win32.Z.Exebundle.8609956": [[124, 156]], "Indicator: Trojan.MulDrop.1611": [[157, 176]], 
"Indicator: W32/Trojan.EGST-2925": [[177, 197]], "Indicator: TR/ExeBundle.272": [[198, 214]], "Indicator: Trojan[Downloader]/Win32.Small": [[215, 245]], "Indicator: TrojanDropper:Win32/ExeBundle_2x.A": [[246, 280]], "Indicator: Trojan.MulDrop": [[281, 295]], "Indicator: Trj/CI.A": [[296, 304]], "Indicator: Trojan.Dropper": [[305, 319]], "Indicator: W32/Multidr.FD!tr": [[320, 337]], "Indicator: Win32/Trojan.852": [[338, 354]]}, "info": {"id": "cyner2_5class_train_00501", "source": "cyner2_5class_train"}} +{"text": "Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"System: Kaspersky Lab": [[0, 13]]}, "info": {"id": "cyner2_5class_train_00502", "source": "cyner2_5class_train"}} +{"text": "Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received.", "spans": {"Organization: Bellingcat,": [[20, 31]], "Indicator: open source": [[47, 58]], "Indicator: spear-phishing emails": [[156, 177]]}, "info": {"id": "cyner2_5class_train_00503", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojWare.Win32.ChePro.RHZ TrojanDownloader:Win32/Hormelex.B Trojan/Win32.ChePro Trojan.Win32.Delf.PQD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojWare.Win32.ChePro.RHZ": [[26, 51]], "Indicator: TrojanDownloader:Win32/Hormelex.B": [[52, 85]], "Indicator: Trojan/Win32.ChePro": [[86, 105]], "Indicator: Trojan.Win32.Delf.PQD": [[106, 127]]}, "info": {"id": "cyner2_5class_train_00504", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Startsurf not-a-virus:AdWare.Win32.StartSurf.azas Riskware.Win32.StartSurf.expyou Adware.StartSurf.Win32.40359 BehavesLike.Win32.Dropper.jc TR/Drop.Kaymundler.bldbf Trojan.Application.Strictor.D1C262 Trojan.Win32.Z.Strictor.687398 not-a-virus:AdWare.Win32.StartSurf.azas TrojanDropper:Win32/Kaymundler.C PUP/Win32.OutBrowse.R215127 
Adware.StartSurf RiskWare.Patcher Trj/CI.A Win32.Adware.Startsurf.Llhl PUA.StartSurf! Trojan-Dropper.Kaymundler Win32/Application.064", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Startsurf": [[26, 42]], "Indicator: not-a-virus:AdWare.Win32.StartSurf.azas": [[43, 82], [264, 303]], "Indicator: Riskware.Win32.StartSurf.expyou": [[83, 114]], "Indicator: Adware.StartSurf.Win32.40359": [[115, 143]], "Indicator: BehavesLike.Win32.Dropper.jc": [[144, 172]], "Indicator: TR/Drop.Kaymundler.bldbf": [[173, 197]], "Indicator: Trojan.Application.Strictor.D1C262": [[198, 232]], "Indicator: Trojan.Win32.Z.Strictor.687398": [[233, 263]], "Indicator: TrojanDropper:Win32/Kaymundler.C": [[304, 336]], "Indicator: PUP/Win32.OutBrowse.R215127": [[337, 364]], "Indicator: Adware.StartSurf": [[365, 381]], "Indicator: RiskWare.Patcher": [[382, 398]], "Indicator: Trj/CI.A": [[399, 407]], "Indicator: Win32.Adware.Startsurf.Llhl": [[408, 435]], "Indicator: PUA.StartSurf!": [[436, 450]], "Indicator: Trojan-Dropper.Kaymundler": [[451, 476]], "Indicator: Win32/Application.064": [[477, 498]]}, "info": {"id": "cyner2_5class_train_00505", "source": "cyner2_5class_train"}} +{"text": "The attacks employed PlugX, a Remote Access Trojan RAT widely used in targeted attacks.", "spans": {"Indicator: attacks": [[4, 11]], "Malware: PlugX, a Remote Access Trojan RAT": [[21, 54]], "Indicator: attacks.": [[79, 87]]}, "info": {"id": "cyner2_5class_train_00506", "source": "cyner2_5class_train"}} +{"text": "AdWind, also known as Frutas, UNRECOM, AlienSpy, and JSocket, is a Java-based RAT.", "spans": {"Malware: AdWind,": [[0, 7]], "Malware: Frutas, UNRECOM, AlienSpy,": [[22, 48]], "Malware: JSocket,": [[53, 61]], "Malware: Java-based RAT.": [[67, 82]]}, "info": {"id": "cyner2_5class_train_00507", "source": "cyner2_5class_train"}} +{"text": "All the detections of this backdoored app were geolocated in Iran .", "spans": {}, "info": {"id": "cyner2_5class_train_00508", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9537 BehavesLike.Win32.AdwareWajam.rc Trojan:Win32/WebHijack.A!dll", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9537": [[26, 68]], "Indicator: BehavesLike.Win32.AdwareWajam.rc": [[69, 101]], "Indicator: Trojan:Win32/WebHijack.A!dll": [[102, 130]]}, "info": {"id": "cyner2_5class_train_00509", "source": "cyner2_5class_train"}} +{"text": "In this example , the requests to the server take the following form : Here , the “ operator ” query parameter is the Mobile Country Code and Mobile Network Code .", "spans": {}, "info": {"id": "cyner2_5class_train_00510", "source": "cyner2_5class_train"}} +{"text": "On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted.", "spans": {"Indicator: Transmission BitTorrent ailient installer": [[33, 74]], "System: OS X": [[79, 83]], "Malware: ransomware,": [[102, 113]]}, "info": {"id": "cyner2_5class_train_00511", "source": "cyner2_5class_train"}} +{"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server .", "spans": {"Malware: XLoader 6.0": [[0, 11]], "Malware: FakeSpy": [[33, 40]]}, "info": {"id": "cyner2_5class_train_00512", "source": "cyner2_5class_train"}} +{"text": "The ransom payment is typically collected using a form of crypto-currency, such as Bitcoin.", "spans": {"Indicator: payment": [[11, 18]], "Indicator: crypto-currency,": [[58, 74]], "Indicator: Bitcoin.": [[83, 91]]}, "info": {"id": "cyner2_5class_train_00513", "source": "cyner2_5class_train"}} +{"text": "Whilst we would prefer to disassociate ourselves with APT attacks against Governments our interest was piqued by a particular blog written by our friends over at TrendMicro", "spans": {"Indicator: attacks": [[58, 65]], "Organization: Governments": [[74, 85]], "Organization: TrendMicro": [[162, 172]]}, "info": 
{"id": "cyner2_5class_train_00514", "source": "cyner2_5class_train"}} +{"text": "Since January 2016, a financially motivated threat actor whom Proofpoint has been tracking as TA530 has been targeting executives and other high-level employees, often through campaigns focused exclusively on a particular vertical.", "spans": {"Organization: Proofpoint": [[62, 72]], "Organization: executives": [[119, 129]], "Organization: high-level employees,": [[140, 161]]}, "info": {"id": "cyner2_5class_train_00515", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Injector.Win32.85625 Trojan/Injector.oqf Win32.Trojan.WisdomEyes.16070401.9500.9619 TSPY_INJECTOR_BL210174.TOMC Trojan.Win32.Inject.efoq Trojan.Win32.Inject.dzombd Trojan.Win32.A.Inject.172053 TSPY_INJECTOR_BL210174.TOMC BehavesLike.Win32.Injector.cc Win32.Malware Trojan/Inject.amig TR/Injector.10.12 Trojan/Win32.Inject Trojan:Win32/Meteit.D Trojan.Win32.Inject.efoq Trojan/Win32.VBKrypt.R27475 Trojan.Inject Win32.Trojan.Inject.Htma", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.Win32.85625": [[26, 53]], "Indicator: Trojan/Injector.oqf": [[54, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9619": [[74, 116]], "Indicator: TSPY_INJECTOR_BL210174.TOMC": [[117, 144], [226, 253]], "Indicator: Trojan.Win32.Inject.efoq": [[145, 169], [377, 401]], "Indicator: Trojan.Win32.Inject.dzombd": [[170, 196]], "Indicator: Trojan.Win32.A.Inject.172053": [[197, 225]], "Indicator: BehavesLike.Win32.Injector.cc": [[254, 283]], "Indicator: Win32.Malware": [[284, 297]], "Indicator: Trojan/Inject.amig": [[298, 316]], "Indicator: TR/Injector.10.12": [[317, 334]], "Indicator: Trojan/Win32.Inject": [[335, 354]], "Indicator: Trojan:Win32/Meteit.D": [[355, 376]], "Indicator: Trojan/Win32.VBKrypt.R27475": [[402, 429]], "Indicator: Trojan.Inject": [[430, 443]], "Indicator: Win32.Trojan.Inject.Htma": [[444, 468]]}, "info": {"id": "cyner2_5class_train_00516", "source": "cyner2_5class_train"}} 
+{"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811 e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone .", "spans": {"Indicator: 100.51.100.00": [[11, 24]], "Indicator: 108.62.118.131": [[25, 39]], "Indicator: 172.81.134.165": [[40, 54]], "Indicator: 172.86.120.207": [[55, 69]], "Indicator: 185.212.128.152": [[70, 85]], "Indicator: 185.212.128.192": [[86, 101]], "Indicator: 185.61.000.108": [[102, 116]], "Indicator: 185.61.138.108": [[117, 131]], "Indicator: 185.61.138.37": [[132, 145]], "Indicator: 
188.209.52.101": [[146, 160]], "Indicator: 5.206.225.57": [[161, 173]], "Indicator: alr992.date": [[174, 185]], "Indicator: avito-app.pw": [[186, 198]], "Indicator: backfround2.pw": [[199, 213]], "Indicator: background1.xyz": [[214, 229]], "Indicator: blacksolider93.com": [[230, 248]], "Indicator: blass9g087.com": [[249, 263]], "Indicator: brekelter2.com": [[264, 278]], "Indicator: broplar3hf.xyz": [[279, 293]], "Indicator: buy-youla.ru": [[294, 306]], "Indicator: cd78cg210xy0.com": [[307, 323]], "Indicator: copsoiteess.com": [[324, 339]], "Indicator: farmatefc93.org": [[340, 355]], "Indicator: firstclinsop.com": [[356, 372]], "Indicator: holebrhuhh3.com": [[373, 388]], "Indicator: holebrhuhh45.com": [[389, 405]], "Indicator: karambga3j.net": [[406, 420]], "Indicator: le22999a.pw": [[421, 432]], "Indicator: leboncoin-bk.top": [[433, 449]], "Indicator: leboncoin-buy.pw": [[450, 466]], "Indicator: leboncoin-cz.info": [[467, 484]], "Indicator: leboncoin-f.pw": [[485, 499]], "Indicator: leboncoin-jp.info": [[500, 517]], "Indicator: leboncoin-kp.top": [[518, 534]], "Indicator: leboncoin-ny.info": [[535, 552]], "Indicator: leboncoin-ql.top": [[553, 569]], "Indicator: leboncoin-tr.info": [[570, 587]], "Indicator: myyoula.ru": [[588, 598]], "Indicator: sell-avito.ru": [[599, 612]], "Indicator: sell-youla.ru": [[613, 626]], "Indicator: sentel8ju67.com": [[627, 642]], "Indicator: subito-li.pw": [[643, 655]], "Indicator: subitop.pw": [[656, 666]], "Indicator: web-gumtree.com": [[667, 682]], "Indicator: whitehousejosh.com": [[683, 701]], "Indicator: whitekalgoy3.com": [[702, 718]], "Indicator: youlaprotect.ru": [[719, 734]], "Indicator: 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98": [[755, 819]], "Indicator: 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa": [[820, 884]], "Indicator: 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe": [[885, 949]], "Indicator: 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745": 
[[950, 1014]], "Indicator: bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a": [[1015, 1079]], "Indicator: dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811": [[1080, 1144]], "Indicator: e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049": [[1145, 1209]], "Indicator: ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5": [[1210, 1274]], "Indicator: f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df": [[1275, 1339]], "System: Android": [[1371, 1378]], "System: Google Play": [[1557, 1568]]}, "info": {"id": "cyner2_5class_train_00517", "source": "cyner2_5class_train"}} +{"text": "However , at the time of writing , we were unable to identify relevant conversations about the EventBot malware .", "spans": {"Malware: EventBot": [[95, 103]]}, "info": {"id": "cyner2_5class_train_00518", "source": "cyner2_5class_train"}} +{"text": "The campaign was able to steal large amounts of data despite using relatively simple malware because it used clever social engineering tactics against its targets.", "spans": {"Indicator: steal large amounts of data": [[25, 52]], "Malware: malware": [[85, 92]], "Organization: targets.": [[155, 163]]}, "info": {"id": "cyner2_5class_train_00519", "source": "cyner2_5class_train"}} +{"text": "Although the propagation trend seems to be slowing down a bit , the figure tells us that RuMMS malware is still alive in the wild .", "spans": {"Malware: RuMMS": [[89, 94]]}, "info": {"id": "cyner2_5class_train_00520", "source": "cyner2_5class_train"}} +{"text": "It may also download potentially malicious files.", "spans": {"Malware: malicious files.": [[33, 49]]}, "info": {"id": "cyner2_5class_train_00521", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Kryptik.byz Trojan.Win32.Malware.1 Trojan.Kryptik.HFN Packed:W32/RoxorCrypt.A Trojan.DownLoad.35818 TROJ_RENOS.BHAM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Kryptik.byz": [[26, 44]], 
"Indicator: Trojan.Win32.Malware.1": [[45, 67]], "Indicator: Trojan.Kryptik.HFN": [[68, 86]], "Indicator: Packed:W32/RoxorCrypt.A": [[87, 110]], "Indicator: Trojan.DownLoad.35818": [[111, 132]], "Indicator: TROJ_RENOS.BHAM": [[133, 148]]}, "info": {"id": "cyner2_5class_train_00522", "source": "cyner2_5class_train"}} +{"text": "To that end, we are elevating the OilRig attack campaign to be known as the OilRig group.", "spans": {}, "info": {"id": "cyner2_5class_train_00523", "source": "cyner2_5class_train"}} +{"text": "This can also define what kind of evidences to collect .", "spans": {}, "info": {"id": "cyner2_5class_train_00524", "source": "cyner2_5class_train"}} +{"text": "If the returned JSON object has the “ 4 ” key , it will turn on the kill switch and initiate its own removal by sending an intent and seamlessly confirming the uninstall using the accessibility service , all without the victim ever noticing anything .", "spans": {}, "info": {"id": "cyner2_5class_train_00525", "source": "cyner2_5class_train"}} +{"text": "First off , the Trojan registers in the administration panel and receives the information it needs to operate from the C & C ( the SMS interception templates and the text that will be displayed on HTML pages ) : Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C & C .", "spans": {"Malware: Rotexy": [[212, 218]]}, "info": {"id": "cyner2_5class_train_00526", "source": "cyner2_5class_train"}} +{"text": "We believe the espionage factor and political context make their attacks unique and very different from traditional targeted attacks.", "spans": {"Indicator: attacks": [[65, 72]], "Indicator: attacks.": [[125, 133]]}, "info": {"id": "cyner2_5class_train_00527", "source": "cyner2_5class_train"}} +{"text": "In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two.", "spans": {"Indicator: watering holes": 
[[78, 92]], "System: systems": [[102, 109]]}, "info": {"id": "cyner2_5class_train_00528", "source": "cyner2_5class_train"}} +{"text": "Due to this obfuscation , a part of the previously mentioned cfg class is now mapped to c/b/a/a/a or c/a/a/a/a .", "spans": {}, "info": {"id": "cyner2_5class_train_00529", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner2_5class_train_00530", "source": "cyner2_5class_train"}} +{"text": "Just like in previous examples , the malware author does not use this package .", "spans": {}, "info": {"id": "cyner2_5class_train_00531", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MiadheardLTO.Trojan Trojan/W32.Mask.348264 Trojandropper.Seedna Troj.W32.Careto!c Trojan/Appetite.c BKDR_CARETO.A W32/Mask.B Backdoor.Weevil.B BKDR_CARETO.A Trojan.Win32.Careto.au Trojan.Win32.Careto.dtnkyq Backdoor:W32/Mask.A W32/Mask.JDVW-6006 Trojan/SGH.c W32.Trojan.Careto Trojan/Win32.SGH Trojan.Mask.3 Trojan.Win32.Careto.au TrojanDropper:Win32/Seedna.A Trojan/Win32.Careto.C258082 Backdoor.Mask Win32/Appetite.C Win32.Trojan.Careto.Tcvo Trojan.SGH! 
Backdoor.Mask W32/Careto.AU!tr Win32/Trojan.d4e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MiadheardLTO.Trojan": [[26, 49]], "Indicator: Trojan/W32.Mask.348264": [[50, 72]], "Indicator: Trojandropper.Seedna": [[73, 93]], "Indicator: Troj.W32.Careto!c": [[94, 111]], "Indicator: Trojan/Appetite.c": [[112, 129]], "Indicator: BKDR_CARETO.A": [[130, 143], [173, 186]], "Indicator: W32/Mask.B": [[144, 154]], "Indicator: Backdoor.Weevil.B": [[155, 172]], "Indicator: Trojan.Win32.Careto.au": [[187, 209], [338, 360]], "Indicator: Trojan.Win32.Careto.dtnkyq": [[210, 236]], "Indicator: Backdoor:W32/Mask.A": [[237, 256]], "Indicator: W32/Mask.JDVW-6006": [[257, 275]], "Indicator: Trojan/SGH.c": [[276, 288]], "Indicator: W32.Trojan.Careto": [[289, 306]], "Indicator: Trojan/Win32.SGH": [[307, 323]], "Indicator: Trojan.Mask.3": [[324, 337]], "Indicator: TrojanDropper:Win32/Seedna.A": [[361, 389]], "Indicator: Trojan/Win32.Careto.C258082": [[390, 417]], "Indicator: Backdoor.Mask": [[418, 431], [486, 499]], "Indicator: Win32/Appetite.C": [[432, 448]], "Indicator: Win32.Trojan.Careto.Tcvo": [[449, 473]], "Indicator: Trojan.SGH!": [[474, 485]], "Indicator: W32/Careto.AU!tr": [[500, 516]], "Indicator: Win32/Trojan.d4e": [[517, 533]]}, "info": {"id": "cyner2_5class_train_00532", "source": "cyner2_5class_train"}} +{"text": "Symantec believes that the attackers behind the Anthem breach are part of a highly resourceful cyberespionage group called Black Vine.", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Anthem": [[48, 54]], "Indicator: breach": [[55, 61]]}, "info": {"id": "cyner2_5class_train_00533", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike.Win32.Multiplug.ch Trojan:Win32/Autophyte.A!dha Backdoor/Win32.Akdoor.R198284", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: BehavesLike.Win32.Multiplug.ch": 
[[69, 99]], "Indicator: Trojan:Win32/Autophyte.A!dha": [[100, 128]], "Indicator: Backdoor/Win32.Akdoor.R198284": [[129, 158]]}, "info": {"id": "cyner2_5class_train_00534", "source": "cyner2_5class_train"}} +{"text": "In the first iteration , the screen recording is started and will only stop when the RAT determines that WhatsApp is not running .", "spans": {"System: WhatsApp": [[105, 113]]}, "info": {"id": "cyner2_5class_train_00535", "source": "cyner2_5class_train"}} +{"text": "The information is ideal for security professionals who investigate suspicious network activity in an Active Directory AD environment.", "spans": {"Organization: security professionals": [[29, 51]], "Indicator: suspicious network activity": [[68, 95]], "System: Active Directory AD environment.": [[102, 134]]}, "info": {"id": "cyner2_5class_train_00536", "source": "cyner2_5class_train"}} +{"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores .", "spans": {"Indicator: DroidVPN": [[32, 40]], "System: Google Play": [[123, 134]]}, "info": {"id": "cyner2_5class_train_00537", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Visel.249856 Win32.Trojan.WisdomEyes.16070401.9500.9992 W32/Downldr2.DGSB BKDR_VISEL.DEN Win.Trojan.Visel-58 Trojan.Win32.Kebot.wbjcg Trojan.Win32.Downloader.249856.G Backdoor.Win32.Visel.~C BackDoor.Pigeon.12692 BKDR_VISEL.DEN W32/Downloader.STUZ-5379 Trojan[Backdoor]/Win32.Visel Backdoor:Win32/Visel.C Trojan/Win32.Xema.C45221 Backdoor.Visel Backdoor.Visel!uQ/Wu3cIR5E Bck/Pigeon.FK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Visel.249856": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[52, 94]], "Indicator: W32/Downldr2.DGSB": [[95, 112]], "Indicator: BKDR_VISEL.DEN": [[113, 127], [252, 266]], "Indicator: Win.Trojan.Visel-58": [[128, 147]], "Indicator: 
Trojan.Win32.Kebot.wbjcg": [[148, 172]], "Indicator: Trojan.Win32.Downloader.249856.G": [[173, 205]], "Indicator: Backdoor.Win32.Visel.~C": [[206, 229]], "Indicator: BackDoor.Pigeon.12692": [[230, 251]], "Indicator: W32/Downloader.STUZ-5379": [[267, 291]], "Indicator: Trojan[Backdoor]/Win32.Visel": [[292, 320]], "Indicator: Backdoor:Win32/Visel.C": [[321, 343]], "Indicator: Trojan/Win32.Xema.C45221": [[344, 368]], "Indicator: Backdoor.Visel": [[369, 383]], "Indicator: Backdoor.Visel!uQ/Wu3cIR5E": [[384, 410]], "Indicator: Bck/Pigeon.FK": [[411, 424]]}, "info": {"id": "cyner2_5class_train_00538", "source": "cyner2_5class_train"}} +{"text": "This is not the first time the country has been a victim of an APT.", "spans": {}, "info": {"id": "cyner2_5class_train_00539", "source": "cyner2_5class_train"}} +{"text": "The Command & Control server also displays a favicon image which looks like a small orange ball .", "spans": {}, "info": {"id": "cyner2_5class_train_00540", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Droma.S60541 TrojWare.Win32.Sventore.A Trojan.MulDrop7.3471 W32/Trojan.IGFK-3098 TR/Aenjaris.ofeiu Trojan[Dropper]/Win32.Injector Trojan:Win32/Aenjaris.AI!bit Trojan.Zusy.D3FD29 Dropper/Win32.Injector.C1617864 BScope.Trojan.SvcHorse.01643", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Droma.S60541": [[26, 45]], "Indicator: TrojWare.Win32.Sventore.A": [[46, 71]], "Indicator: Trojan.MulDrop7.3471": [[72, 92]], "Indicator: W32/Trojan.IGFK-3098": [[93, 113]], "Indicator: TR/Aenjaris.ofeiu": [[114, 131]], "Indicator: Trojan[Dropper]/Win32.Injector": [[132, 162]], "Indicator: Trojan:Win32/Aenjaris.AI!bit": [[163, 191]], "Indicator: Trojan.Zusy.D3FD29": [[192, 210]], "Indicator: Dropper/Win32.Injector.C1617864": [[211, 242]], "Indicator: BScope.Trojan.SvcHorse.01643": [[243, 271]]}, "info": {"id": "cyner2_5class_train_00541", "source": "cyner2_5class_train"}} +{"text": "The use of the obfuscation techniques was novel and 
this advisory discusses those in detail, along with how we detected them.", "spans": {}, "info": {"id": "cyner2_5class_train_00542", "source": "cyner2_5class_train"}} +{"text": "DiamondFox list of panels.", "spans": {"Organization: DiamondFox": [[0, 10]]}, "info": {"id": "cyner2_5class_train_00543", "source": "cyner2_5class_train"}} +{"text": "It tends to reuse old exploits and doesn't make an effort to disguise their activity.", "spans": {}, "info": {"id": "cyner2_5class_train_00544", "source": "cyner2_5class_train"}} +{"text": "This framework allows anyone to develop a malicious app with the desired icon and communication address .", "spans": {}, "info": {"id": "cyner2_5class_train_00545", "source": "cyner2_5class_train"}} +{"text": "Its main target was larger organizations with an annual income of USD 5 million or higher.", "spans": {"Organization: organizations": [[27, 40]], "Indicator: annual income of USD 5 million or higher.": [[49, 90]]}, "info": {"id": "cyner2_5class_train_00546", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Downloader.Quanader TROJ_PLISKAL.SM Trojan.Win32.Pliskal.etapgz Trojan.DownLoader25.64837 Trojan.Pliskal.Win32.48 TROJ_PLISKAL.SM Trojan.Win32.Pliskal Trojan.Zusy.D3EBDA Trojan/Win32.Pliskal.C1788294 Trojan.QuantLoader W32/Vilsel.CYCY!tr.dldr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Downloader.Quanader": [[69, 88]], "Indicator: TROJ_PLISKAL.SM": [[89, 104], [183, 198]], "Indicator: Trojan.Win32.Pliskal.etapgz": [[105, 132]], "Indicator: Trojan.DownLoader25.64837": [[133, 158]], "Indicator: Trojan.Pliskal.Win32.48": [[159, 182]], "Indicator: Trojan.Win32.Pliskal": [[199, 219]], "Indicator: Trojan.Zusy.D3EBDA": [[220, 238]], "Indicator: Trojan/Win32.Pliskal.C1788294": [[239, 268]], "Indicator: Trojan.QuantLoader": [[269, 287]], "Indicator: W32/Vilsel.CYCY!tr.dldr": [[288, 
311]], "Indicator: Trj/GdSda.A": [[312, 323]]}, "info": {"id": "cyner2_5class_train_00547", "source": "cyner2_5class_train"}} +{"text": "A new threat actor group from Europe is selling malware, including the Typhon Stealer, RootFinder Miner, and the Cryptonic Crypter, according to CYFIRMA research team.", "spans": {"Malware: malware,": [[48, 56]], "Malware: the Typhon Stealer, RootFinder Miner,": [[67, 104]], "Malware: the Cryptonic Crypter,": [[109, 131]], "Organization: CYFIRMA research team.": [[145, 167]]}, "info": {"id": "cyner2_5class_train_00548", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Buzy.D9C9 Downloader.Pelfpoi TROJ_PELPOI.SMIA Trojan.Win32.Snojan.bxtm TROJ_PELPOI.SMIA BehavesLike.Win32.PUPXAQ.wc Worm/Win32.AutoRun TrojanDownloader:Win32/Pelfpoi.L Trojan.Win32.Snojan.bxtm Downloader/Win32.Korad.R3803 W32/TrojanDldr.QJW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Buzy.D9C9": [[26, 42]], "Indicator: Downloader.Pelfpoi": [[43, 61]], "Indicator: TROJ_PELPOI.SMIA": [[62, 78], [104, 120]], "Indicator: Trojan.Win32.Snojan.bxtm": [[79, 103], [201, 225]], "Indicator: BehavesLike.Win32.PUPXAQ.wc": [[121, 148]], "Indicator: Worm/Win32.AutoRun": [[149, 167]], "Indicator: TrojanDownloader:Win32/Pelfpoi.L": [[168, 200]], "Indicator: Downloader/Win32.Korad.R3803": [[226, 254]], "Indicator: W32/TrojanDldr.QJW!tr": [[255, 276]]}, "info": {"id": "cyner2_5class_train_00549", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Phrovon.A TROJ_DLOADER.ZZT TROJ_DLOADER.ZZT Trojan.Win32.VB.euylta TrojWare.Win32.TrojanDownloader.VB.PMEA Trojan.DownLoader6.39644 BehavesLike.Win32.VBObfus.nz W32.Malware.Downloader TR/Dldr.VB.WNE TrojanDownloader:Win32/Phrovon.A Trojan.DL.Phrovon!yEJ5Hieu3rA Trojan-Downloader.Win32.Phrovon W32/VB.CWZ!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Phrovon.A": [[26, 42]], "Indicator: TROJ_DLOADER.ZZT": [[43, 59], [60, 76]], "Indicator: 
Trojan.Win32.VB.euylta": [[77, 99]], "Indicator: TrojWare.Win32.TrojanDownloader.VB.PMEA": [[100, 139]], "Indicator: Trojan.DownLoader6.39644": [[140, 164]], "Indicator: BehavesLike.Win32.VBObfus.nz": [[165, 193]], "Indicator: W32.Malware.Downloader": [[194, 216]], "Indicator: TR/Dldr.VB.WNE": [[217, 231]], "Indicator: TrojanDownloader:Win32/Phrovon.A": [[232, 264]], "Indicator: Trojan.DL.Phrovon!yEJ5Hieu3rA": [[265, 294]], "Indicator: Trojan-Downloader.Win32.Phrovon": [[295, 326]], "Indicator: W32/VB.CWZ!tr.dldr": [[327, 345]]}, "info": {"id": "cyner2_5class_train_00550", "source": "cyner2_5class_train"}}
+{"text": "There is a new malware called Rurktar.", "spans": {"Malware: new malware": [[11, 22]], "Malware: Rurktar.": [[30, 38]]}, "info": {"id": "cyner2_5class_train_00551", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Worm.Win32.VBNA!O Trojan.VB.Win32.37651 Trojan.Heur.VP.E1E33B Win32.Trojan.WisdomEyes.16070401.9500.9951 Win.Trojan.VB-23833 Worm.Win32.VBNA.b Trojan.Win32.VB.etozpu W32.W.VBNA.lrnh Win32.Worm.Vbna.Sxew Trojan.DownLoader5.9157 Trojan.Win32.Doxiss W32/Trojan.DVWP-9373 Worm.VBNA.ahfg Worm/Win32.VBNA Trojan:Win32/Doxiss.A Worm.Win32.A.VBNA.147456.BA Worm.Win32.VBNA.b Worm/Win32.VBNA.C118872 TScope.Trojan.VB Win32/Spy.VB.NXN TrojanSpy.VB!5WGwmuBMWXM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.VBNA!O": [[26, 43]], "Indicator: Trojan.VB.Win32.37651": [[44, 65]], "Indicator: Trojan.Heur.VP.E1E33B": [[66, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9951": [[88, 130]], "Indicator: Win.Trojan.VB-23833": [[131, 150]], "Indicator: Worm.Win32.VBNA.b": [[151, 168], [375, 392]], "Indicator: Trojan.Win32.VB.etozpu": [[169, 191]], "Indicator: W32.W.VBNA.lrnh": [[192, 207]], "Indicator: Win32.Worm.Vbna.Sxew": [[208, 228]], "Indicator: Trojan.DownLoader5.9157": [[229, 252]], "Indicator: Trojan.Win32.Doxiss": [[253, 272]], "Indicator: W32/Trojan.DVWP-9373": [[273, 293]], "Indicator: Worm.VBNA.ahfg": [[294, 
308]], "Indicator: Worm/Win32.VBNA": [[309, 324]], "Indicator: Trojan:Win32/Doxiss.A": [[325, 346]], "Indicator: Worm.Win32.A.VBNA.147456.BA": [[347, 374]], "Indicator: Worm/Win32.VBNA.C118872": [[393, 416]], "Indicator: TScope.Trojan.VB": [[417, 433]], "Indicator: Win32/Spy.VB.NXN": [[434, 450]], "Indicator: TrojanSpy.VB!5WGwmuBMWXM": [[451, 475]]}, "info": {"id": "cyner2_5class_train_00552", "source": "cyner2_5class_train"}}
+{"text": "The app connects to the MQTT broker with hardcoded username and password and a unique device identifier generated for each device .", "spans": {}, "info": {"id": "cyner2_5class_train_00553", "source": "cyner2_5class_train"}}
+{"text": "Technical Analysis Permissions Marcher ’ s APK size is fairly small ( only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7 ) , much smaller than most legitimate apps and other popular mobile malware samples .", "spans": {"Malware: Marcher": [[31, 38]], "Indicator: eb8f02fc30ec49e4af1560e54b53d1a7": [[92, 124]]}, "info": {"id": "cyner2_5class_train_00554", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Crypt.i Trojan/Crypt.i Win32/TrojanProxy.Lager.F W32/Lager.AI Trojan.Abwiz.D Klone.R Trojan.Crypt Trojan-Proxy.Win32.Lager.q Trojan.Proxy.Lager.Q Trojan-Proxy.Win32.Lager!IK TrojWare.Win32.TrojanProxy.Lager.F Trojan.Proxy.Lager.Q Trojan.Lopata TR/Drop.Abwiz TROJ_LAGER.F Trojan/Crypt.bh Trojan.Proxy.Lager.Q W32/Lager.AI Win-Dropper/Small.agq Trojan-Proxy.Win32.Lager.f Trojan-Proxy.Lager.f Trojan-Proxy.Win32.Lager Proxy.NM Bck/Galapoper.HP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.i": [[26, 40]], "Indicator: Trojan/Crypt.i": [[41, 55]], "Indicator: Win32/TrojanProxy.Lager.F": [[56, 81]], "Indicator: W32/Lager.AI": [[82, 94], [341, 353]], "Indicator: Trojan.Abwiz.D": [[95, 109]], "Indicator: Klone.R": [[110, 117]], "Indicator: Trojan.Crypt": [[118, 130]], "Indicator: Trojan-Proxy.Win32.Lager.q": [[131, 157]], "Indicator: Trojan.Proxy.Lager.Q": 
[[158, 178], [242, 262], [320, 340]], "Indicator: Trojan-Proxy.Win32.Lager!IK": [[179, 206]], "Indicator: TrojWare.Win32.TrojanProxy.Lager.F": [[207, 241]], "Indicator: Trojan.Lopata": [[263, 276]], "Indicator: TR/Drop.Abwiz": [[277, 290]], "Indicator: TROJ_LAGER.F": [[291, 303]], "Indicator: Trojan/Crypt.bh": [[304, 319]], "Indicator: Win-Dropper/Small.agq": [[354, 375]], "Indicator: Trojan-Proxy.Win32.Lager.f": [[376, 402]], "Indicator: Trojan-Proxy.Lager.f": [[403, 423]], "Indicator: Trojan-Proxy.Win32.Lager": [[424, 448]], "Indicator: Proxy.NM": [[449, 457]], "Indicator: Bck/Galapoper.HP": [[458, 474]]}, "info": {"id": "cyner2_5class_train_00555", "source": "cyner2_5class_train"}}
+{"text": "This is an interesting attack of the infamous Syrian Electronic Army SEA.", "spans": {}, "info": {"id": "cyner2_5class_train_00556", "source": "cyner2_5class_train"}}
+{"text": "Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption Kazaword to allegations of kidnapping.", "spans": {"Organization: the government of Kazakhstan": [[52, 80], [153, 181]], "Organization: American courts": [[97, 112]], "Indicator: anonymous website": [[221, 238]], "Indicator: publishes leaks alleging government corruption Kazaword to allegations of kidnapping.": [[244, 329]]}, "info": {"id": "cyner2_5class_train_00557", "source": "cyner2_5class_train"}}
+{"text": "Of course , this does not mean the digital signature of the software developer can be used .", "spans": {}, "info": {"id": "cyner2_5class_train_00558", "source": "cyner2_5class_train"}}
+{"text": "The system service ‘ AccountManagerService ’ looks for the application that can process this request .", "spans": {}, "info": {"id": "cyner2_5class_train_00559", "source": "cyner2_5class_train"}}
+{"text": "ESET 
researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.", "spans": {"Organization: ESET researchers": [[0, 16]], "Malware: malware,": [[48, 56]], "Organization: ESET": [[69, 73]], "Indicator: Win32/Industroyer,": [[77, 95]], "Indicator: attack.": [[139, 146]]}, "info": {"id": "cyner2_5class_train_00560", "source": "cyner2_5class_train"}}
+{"text": "To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file.", "spans": {"System: Windows computer,": [[12, 29]], "Malware: malware": [[58, 65]], "Indicator: .jar file.": [[92, 102]]}, "info": {"id": "cyner2_5class_train_00561", "source": "cyner2_5class_train"}}
+{"text": "The command is a constructed string split into three parts using \" \" as a separator .", "spans": {}, "info": {"id": "cyner2_5class_train_00562", "source": "cyner2_5class_train"}}
+{"text": "] 99 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00563", "source": "cyner2_5class_train"}}
+{"text": "ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks.", "spans": {"Malware: ServStart": [[0, 9]], "Indicator: attacks.": [[98, 106]]}, "info": {"id": "cyner2_5class_train_00564", "source": "cyner2_5class_train"}}
+{"text": "FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations.", "spans": {"Organization: FireEye": [[0, 7]], "Organization: personnel": [[67, 76]], "Organization: United States Securities and Exchange Commission SEC": [[91, 143]], "Organization: various organizations.": [[155, 177]]}, "info": {"id": "cyner2_5class_train_00565", "source": "cyner2_5class_train"}}
+{"text": "Originally intended to target the Russian audience , the banker was later adapted , with minimal modifications , for the European “ market. 
” The bulk of its victims ( more than 90 % ) reside in Russia , with France in second place ( 4 % ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00566", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Win32.Trojan.WisdomEyes.16070401.9500.9976 Backdoor.Win32.Hupigon.pjz BackDoor.Klj.25 BehavesLike.Win32.PWSGamania.fc Backdoor.Win32.Hupigon Trojan.Zilix.1 Backdoor.Win32.Hupigon.pjz Trojan/Win32.Hupigon.C127321 TScope.Trojan.Delf Win32.Backdoor.Hupigon.dgrz", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Hupigon!O": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9976": [[51, 93]], "Indicator: Backdoor.Win32.Hupigon.pjz": [[94, 120], [207, 233]], "Indicator: BackDoor.Klj.25": [[121, 136]], "Indicator: BehavesLike.Win32.PWSGamania.fc": [[137, 168]], "Indicator: Backdoor.Win32.Hupigon": [[169, 191]], "Indicator: Trojan.Zilix.1": [[192, 206]], "Indicator: Trojan/Win32.Hupigon.C127321": [[234, 262]], "Indicator: TScope.Trojan.Delf": [[263, 281]], "Indicator: Win32.Backdoor.Hupigon.dgrz": [[282, 309]]}, "info": {"id": "cyner2_5class_train_00567", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Ursu.D15C9E Win32.Trojan.WisdomEyes.16070401.9500.9977 Backdoor.Trojan BKDR_ZEGOST.SM44 Trojan.Win32.Farfli.extksh Trojan.Win32.Z.Zegost.671744.A TrojWare.Win32.AntiAV.~D BKDR_ZEGOST.SM44 BehavesLike.Win32.Dropper.jm W32/Trojan.VXKT-0024 BDS/Zegost.pmxfd Trj/GdSda.A Win32.Trojan-gamethief.Onlinegames.Dvgf Backdoor.Win32.Dedipros Win32/Trojan.6ef", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ursu.D15C9E": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[45, 87]], "Indicator: Backdoor.Trojan": [[88, 103]], "Indicator: BKDR_ZEGOST.SM44": [[104, 120], [204, 220]], "Indicator: Trojan.Win32.Farfli.extksh": [[121, 147]], "Indicator: Trojan.Win32.Z.Zegost.671744.A": [[148, 178]], "Indicator: TrojWare.Win32.AntiAV.~D": [[179, 203]], 
"Indicator: BehavesLike.Win32.Dropper.jm": [[221, 249]], "Indicator: W32/Trojan.VXKT-0024": [[250, 270]], "Indicator: BDS/Zegost.pmxfd": [[271, 287]], "Indicator: Trj/GdSda.A": [[288, 299]], "Indicator: Win32.Trojan-gamethief.Onlinegames.Dvgf": [[300, 339]], "Indicator: Backdoor.Win32.Dedipros": [[340, 363]], "Indicator: Win32/Trojan.6ef": [[364, 380]]}, "info": {"id": "cyner2_5class_train_00568", "source": "cyner2_5class_train"}}
+{"text": "It ’ s also possible that the apps are being used to test other possible techniques .", "spans": {}, "info": {"id": "cyner2_5class_train_00569", "source": "cyner2_5class_train"}}
+{"text": "By mid-1998 the FBI and Department of Defense investigators had forensic evidence pointing to Russian ISPs.", "spans": {"Organization: the FBI": [[12, 19]], "Organization: Department of Defense investigators": [[24, 59]], "Indicator: Russian ISPs.": [[94, 107]]}, "info": {"id": "cyner2_5class_train_00570", "source": "cyner2_5class_train"}}
+{"text": "To make sure the trojan survives a device restart , it abuses already activated accessibility services that will launch the trojan right after start .", "spans": {}, "info": {"id": "cyner2_5class_train_00571", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Win32.Diple!O Worm.Yames W32/VBTrojan.9!Maximus WORM_YAMES.A WORM_YAMES.A Worm.Win32.VB W32/VBTrojan.9!Maximus Worm:Win32/Yames.A Trj/CI.A Win32/VB.ODO Win32.Worm.Vb.Sxeo W32/Vb.A!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Diple!O": [[26, 46]], "Indicator: Worm.Yames": [[47, 57]], "Indicator: W32/VBTrojan.9!Maximus": [[58, 80], [121, 143]], "Indicator: WORM_YAMES.A": [[81, 93], [94, 106]], "Indicator: Worm.Win32.VB": [[107, 120]], "Indicator: Worm:Win32/Yames.A": [[144, 162]], "Indicator: Trj/CI.A": [[163, 171]], "Indicator: Win32/VB.ODO": [[172, 184]], "Indicator: Win32.Worm.Vb.Sxeo": [[185, 203]], "Indicator: W32/Vb.A!worm": [[204, 217]]}, "info": {"id": 
"cyner2_5class_train_00572", "source": "cyner2_5class_train"}}
+{"text": "Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data.", "spans": {"Malware: Regin": [[0, 5]]}, "info": {"id": "cyner2_5class_train_00573", "source": "cyner2_5class_train"}}
+{"text": "Due to the violation of the integrity and availability of the web resources of a number of state organizations, the Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023.", "spans": {"Vulnerability: integrity": [[28, 37]], "System: web resources": [[62, 75]], "Organization: state organizations, the Government Computer Emergency Response Team of Ukraine CERT-UA": [[91, 178]]}, "info": {"id": "cyner2_5class_train_00574", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: HackTool.Mimikatz.S1196261 Tool.Mimikatz.Win32.409 W32/Petya.S Ransom.Petya Win.Trojan.Mimikatz-6331391-0 Riskware.Win32.Mimikatz.eqnxjb Troj.PSW32.W.WinCred.tp7F Win32.Trojan.Mimipet.Aiin Trojan:W32/Petya.H Tool.Mimikatz.64 W32/Petya.VKHI-2239 Trojan.Petya.e TR/Mimipet.airfqba Trojan[PSW]/Win32.WinCred Trojan:Win32/Petya.B!rsm Win32.Riskware.Mimikatz.A Trojan/Win32.Petya.R203330 Trojan.Ransom.Petya BScope.Trojan-Dropper.Injector Trojan.Petya Win32/RiskWare.Mimikatz.U Trojan.PWS.WinCred! 
hacktool.mimikatz W32/Petya.A!tr.ransom Trj/CryptoPetya.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Mimikatz.S1196261": [[26, 52]], "Indicator: Tool.Mimikatz.Win32.409": [[53, 76]], "Indicator: W32/Petya.S": [[77, 88]], "Indicator: Ransom.Petya": [[89, 101]], "Indicator: Win.Trojan.Mimikatz-6331391-0": [[102, 131]], "Indicator: Riskware.Win32.Mimikatz.eqnxjb": [[132, 162]], "Indicator: Troj.PSW32.W.WinCred.tp7F": [[163, 188]], "Indicator: Win32.Trojan.Mimipet.Aiin": [[189, 214]], "Indicator: Trojan:W32/Petya.H": [[215, 233]], "Indicator: Tool.Mimikatz.64": [[234, 250]], "Indicator: W32/Petya.VKHI-2239": [[251, 270]], "Indicator: Trojan.Petya.e": [[271, 285]], "Indicator: TR/Mimipet.airfqba": [[286, 304]], "Indicator: Trojan[PSW]/Win32.WinCred": [[305, 330]], "Indicator: Trojan:Win32/Petya.B!rsm": [[331, 355]], "Indicator: Win32.Riskware.Mimikatz.A": [[356, 381]], "Indicator: Trojan/Win32.Petya.R203330": [[382, 408]], "Indicator: Trojan.Ransom.Petya": [[409, 428]], "Indicator: BScope.Trojan-Dropper.Injector": [[429, 459]], "Indicator: Trojan.Petya": [[460, 472]], "Indicator: Win32/RiskWare.Mimikatz.U": [[473, 498]], "Indicator: Trojan.PWS.WinCred!": [[499, 518]], "Indicator: hacktool.mimikatz": [[519, 536]], "Indicator: W32/Petya.A!tr.ransom": [[537, 558]], "Indicator: Trj/CryptoPetya.B": [[559, 576]]}, "info": {"id": "cyner2_5class_train_00575", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.BitcodeN.Trojan Trojan.Dropper.VRM Trojan.FakeAV Trojan.Dropper.VRM TSPY_VBKEYLOG.SM Win32.Trojan.WisdomEyes.16070401.9500.9793 Win32/Tnega.ASRH TSPY_VBKEYLOG.SM Trojan.Dropper.VRM Trojan.Dropper.VRM Trojan.Dropper.VRM BehavesLike.Win32.Downloader.bh TR/Spy.jyiej Trojan:Win32/Glod.B Trojan.Dropper.VRM Trojan.Dropper.VRM Trojan.KeyLogger.OEU Win32/Spy.KeyLogger.OEU Backdoor.Win32.Xtrat", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BitcodeN.Trojan": [[26, 45]], "Indicator: Trojan.Dropper.VRM": [[46, 64], [79, 97], 
[192, 210], [211, 229], [230, 248], [314, 332], [333, 351]], "Indicator: Trojan.FakeAV": [[65, 78]], "Indicator: TSPY_VBKEYLOG.SM": [[98, 114], [175, 191]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9793": [[115, 157]], "Indicator: Win32/Tnega.ASRH": [[158, 174]], "Indicator: BehavesLike.Win32.Downloader.bh": [[249, 280]], "Indicator: TR/Spy.jyiej": [[281, 293]], "Indicator: Trojan:Win32/Glod.B": [[294, 313]], "Indicator: Trojan.KeyLogger.OEU": [[352, 372]], "Indicator: Win32/Spy.KeyLogger.OEU": [[373, 396]], "Indicator: Backdoor.Win32.Xtrat": [[397, 417]]}, "info": {"id": "cyner2_5class_train_00576", "source": "cyner2_5class_train"}}
+{"text": "Since then, we've encountered more samples in the wild.", "spans": {}, "info": {"id": "cyner2_5class_train_00577", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.GJUE Hacktool.Rootkit Win32/Fuzfle.BZ Trojan.Win32.Sentinel.cquvjc Trojan.Sentinel.based Trojan.Spammer W32/Trojan.UUTE-6344 Trojan/Win32.Unknown Spammer:WinNT/Srizbi.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: W32/Trojan2.GJUE": [[69, 85]], "Indicator: Hacktool.Rootkit": [[86, 102]], "Indicator: Win32/Fuzfle.BZ": [[103, 118]], "Indicator: Trojan.Win32.Sentinel.cquvjc": [[119, 147]], "Indicator: Trojan.Sentinel.based": [[148, 169]], "Indicator: Trojan.Spammer": [[170, 184]], "Indicator: W32/Trojan.UUTE-6344": [[185, 205]], "Indicator: Trojan/Win32.Unknown": [[206, 226]], "Indicator: Spammer:WinNT/Srizbi.A": [[227, 249]], "Indicator: Trj/CI.A": [[250, 258]]}, "info": {"id": "cyner2_5class_train_00578", "source": "cyner2_5class_train"}}
+{"text": "The spyware also appears to have an additional payload stored under the /res/raw/ directory .", "spans": {}, "info": {"id": "cyner2_5class_train_00579", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: 
W32.FamVT.RazyNHmA.Trojan Trojan.Kryptik.Win32.1323308 Win32.Trojan.Kryptik.aio Ransom.TeslaCrypt!g6 WORM_HPKASIDET.SM0 Trojan.Win32.Kryptik.evtvij Trojan.DownLoader25.63634 WORM_HPKASIDET.SM0 BehavesLike.Win32.Downloader.cc Trojan-Downloader.Win32.Wauchos Worm.Ngrbot.aeb TR/Crypt.ZPACK.avthl Backdoor:Win32/Pigskarb.A Trojan.Symmi.D104A4 Trojan/Win32.Upbot.C1489911 W32/Kryptik.FXQD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.RazyNHmA.Trojan": [[26, 51]], "Indicator: Trojan.Kryptik.Win32.1323308": [[52, 80]], "Indicator: Win32.Trojan.Kryptik.aio": [[81, 105]], "Indicator: Ransom.TeslaCrypt!g6": [[106, 126]], "Indicator: WORM_HPKASIDET.SM0": [[127, 145], [200, 218]], "Indicator: Trojan.Win32.Kryptik.evtvij": [[146, 173]], "Indicator: Trojan.DownLoader25.63634": [[174, 199]], "Indicator: BehavesLike.Win32.Downloader.cc": [[219, 250]], "Indicator: Trojan-Downloader.Win32.Wauchos": [[251, 282]], "Indicator: Worm.Ngrbot.aeb": [[283, 298]], "Indicator: TR/Crypt.ZPACK.avthl": [[299, 319]], "Indicator: Backdoor:Win32/Pigskarb.A": [[320, 345]], "Indicator: Trojan.Symmi.D104A4": [[346, 365]], "Indicator: Trojan/Win32.Upbot.C1489911": [[366, 393]], "Indicator: W32/Kryptik.FXQD!tr": [[394, 413]]}, "info": {"id": "cyner2_5class_train_00580", "source": "cyner2_5class_train"}}
+{"text": "At the request of the German Bundestag the BSI analyzed these problems in network traffic.", "spans": {"Organization: the German Bundestag the BSI": [[18, 46]], "Indicator: problems": [[62, 70]], "System: network traffic.": [[74, 90]]}, "info": {"id": "cyner2_5class_train_00581", "source": "cyner2_5class_train"}}
+{"text": "The source process writes the native shellcode into the memory region allocated by mmap .", "spans": {}, "info": {"id": "cyner2_5class_train_00582", "source": "cyner2_5class_train"}}
+{"text": "Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors .", "spans": {}, "info": {"id": 
"cyner2_5class_train_00583", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: VB:Trojan.Valyria.335 W97M.Downloader.AFY W97M/Downloader.bxd VB:Trojan.Valyria.335 W97M.Downloader Win32/DarkNeuron.A W2KM_DARKNEURON.A VB:Trojan.Valyria.335 Trojan.Ole2.Vbs-heuristic.druvzi Heur:Trojan.Script.Downloader.7020638.0 VB:Trojan.Valyria.335 W2KM_DARKNEURON.A W97M/Downloader.bxd TrojanDropper:O97M/DarkNeuron.A!dha VB:Trojan.Valyria.335 virus.office.qexvmc.1100", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.335": [[26, 47], [88, 109], [163, 184], [258, 279], [354, 375]], "Indicator: W97M.Downloader.AFY": [[48, 67]], "Indicator: W97M/Downloader.bxd": [[68, 87], [298, 317]], "Indicator: W97M.Downloader": [[110, 125]], "Indicator: Win32/DarkNeuron.A": [[126, 144]], "Indicator: W2KM_DARKNEURON.A": [[145, 162], [280, 297]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[185, 217]], "Indicator: Heur:Trojan.Script.Downloader.7020638.0": [[218, 257]], "Indicator: TrojanDropper:O97M/DarkNeuron.A!dha": [[318, 353]], "Indicator: virus.office.qexvmc.1100": [[376, 400]]}, "info": {"id": "cyner2_5class_train_00584", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Exploit.Win32.BypassUAC.gmk Trojan.MulDrop7.677 BehavesLike.Win32.BadFile.ch Trojan-Downloader.MSIL.Tiny W32/Trojan.RVEW-7367 Exploit.Win32.BypassUAC.gmk TrojanDownloader:MSIL/BrobanDel.C!bit Win32.Trojan.Downloader.Phqh MSIL/Tiny.QK!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Exploit.Win32.BypassUAC.gmk": [[69, 96], [195, 222]], "Indicator: Trojan.MulDrop7.677": [[97, 116]], "Indicator: BehavesLike.Win32.BadFile.ch": [[117, 145]], "Indicator: Trojan-Downloader.MSIL.Tiny": [[146, 173]], "Indicator: W32/Trojan.RVEW-7367": [[174, 194]], "Indicator: TrojanDownloader:MSIL/BrobanDel.C!bit": [[223, 260]], "Indicator: 
Win32.Trojan.Downloader.Phqh": [[261, 289]], "Indicator: MSIL/Tiny.QK!tr.dldr": [[290, 310]]}, "info": {"id": "cyner2_5class_train_00585", "source": "cyner2_5class_train"}}
+{"text": "Svpeng does this to check if the cards from these banks are attached to the number of the infected phone and to find out the account balance .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner2_5class_train_00586", "source": "cyner2_5class_train"}}
+{"text": "U.S. President Donald Trump has ordered ByteDance , the parent company of TikTok , to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn ’ t happen in the next few weeks .", "spans": {"Organization: ByteDance": [[40, 49]], "System: TikTok": [[74, 80], [100, 106], [184, 190]], "System: WeChat": [[195, 201]]}, "info": {"id": "cyner2_5class_train_00587", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.DowlodN.Trojan W32/Downldr2.BCPJ Win.Downloader.24666-2 Trojan.Spambot.3004 BehavesLike.Win32.MoonLight.mc W32/Downloader.EITQ-0059 Trojan:Win32/Pramro.A Trojan.Win32.Downloader.28160.AO Trojan/Win32.CSon.R2002 Virus.Win32.Sality Bck/Spambot.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DowlodN.Trojan": [[26, 44]], "Indicator: W32/Downldr2.BCPJ": [[45, 62]], "Indicator: Win.Downloader.24666-2": [[63, 85]], "Indicator: Trojan.Spambot.3004": [[86, 105]], "Indicator: BehavesLike.Win32.MoonLight.mc": [[106, 136]], "Indicator: W32/Downloader.EITQ-0059": [[137, 161]], "Indicator: Trojan:Win32/Pramro.A": [[162, 183]], "Indicator: Trojan.Win32.Downloader.28160.AO": [[184, 216]], "Indicator: Trojan/Win32.CSon.R2002": [[217, 240]], "Indicator: Virus.Win32.Sality": [[241, 259]], "Indicator: Bck/Spambot.G": [[260, 273]]}, "info": {"id": "cyner2_5class_train_00588", "source": "cyner2_5class_train"}}
+{"text": "Ovidiy Stealer is priced at 450-750 Rubles ~$7-13 USD for one build, a 
price that includes a precompiled executable that is also crypted to thwart analysis and detection.", "spans": {"Malware: Ovidiy Stealer": [[0, 14]], "Malware: crypted": [[129, 136]], "Indicator: thwart analysis and detection.": [[140, 170]]}, "info": {"id": "cyner2_5class_train_00589", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanPWS.Sekur.14236 Win32.Trojan.WisdomEyes.16070401.9500.9974 Trojan.Win32.Z.Sirefef.150528 Win32.Trojan.Crypt.Ligd BackDoor.Anunak.8 W32/Trojan.RFBB-7838 Trojan.Sirefef.181 PWS:Win32/Sekur.A Trj/GdSda.A Win32/Trojan.0c8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Sekur.14236": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9974": [[48, 90]], "Indicator: Trojan.Win32.Z.Sirefef.150528": [[91, 120]], "Indicator: Win32.Trojan.Crypt.Ligd": [[121, 144]], "Indicator: BackDoor.Anunak.8": [[145, 162]], "Indicator: W32/Trojan.RFBB-7838": [[163, 183]], "Indicator: Trojan.Sirefef.181": [[184, 202]], "Indicator: PWS:Win32/Sekur.A": [[203, 220]], "Indicator: Trj/GdSda.A": [[221, 232]], "Indicator: Win32/Trojan.0c8": [[233, 249]]}, "info": {"id": "cyner2_5class_train_00590", "source": "cyner2_5class_train"}}
+{"text": "The main difference is that Smaps transmits data as plain text , while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format .", "spans": {"Malware: Smaps": [[28, 33]], "Malware: Asacub": [[71, 77]]}, "info": {"id": "cyner2_5class_train_00591", "source": "cyner2_5class_train"}}
+{"text": "Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.", "spans": {"Indicator: network": [[29, 36]], "Indicator: encrypt multiple": [[53, 69]], "System: Windows systems": [[70, 85]], "Malware: SamSam.": [[92, 99]]}, "info": {"id": "cyner2_5class_train_00592", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Bladabindi.FC.2865 Trojan/Bladabindi.u TROJ_SPNR.0BGN14 
Win32.Trojan.WisdomEyes.16070401.9500.9994 Win32/Tnega.MAGYUTC TROJ_SPNR.0BGN14 MSIL.Backdoor.Bladabindi.AX BackDoor.NJRat.355 HackTool.MSIL W32/Trojan.UVRI-0473 Trojan/MSIL.fiv W32.Hack.Tool HackTool:MSIL/Jaktinier.A!plugin HackTool.Jaktinier Trj/CI.A MSIL/Bladabindi.U Win32/Trojan.b0d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bladabindi.FC.2865": [[26, 51]], "Indicator: Trojan/Bladabindi.u": [[52, 71]], "Indicator: TROJ_SPNR.0BGN14": [[72, 88], [152, 168]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[89, 131]], "Indicator: Win32/Tnega.MAGYUTC": [[132, 151]], "Indicator: MSIL.Backdoor.Bladabindi.AX": [[169, 196]], "Indicator: BackDoor.NJRat.355": [[197, 215]], "Indicator: HackTool.MSIL": [[216, 229]], "Indicator: W32/Trojan.UVRI-0473": [[230, 250]], "Indicator: Trojan/MSIL.fiv": [[251, 266]], "Indicator: W32.Hack.Tool": [[267, 280]], "Indicator: HackTool:MSIL/Jaktinier.A!plugin": [[281, 313]], "Indicator: HackTool.Jaktinier": [[314, 332]], "Indicator: Trj/CI.A": [[333, 341]], "Indicator: MSIL/Bladabindi.U": [[342, 359]], "Indicator: Win32/Trojan.b0d": [[360, 376]]}, "info": {"id": "cyner2_5class_train_00593", "source": "cyner2_5class_train"}}
+{"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools .", "spans": {"Vulnerability: CVE-2013-2094": [[119, 132]], "Vulnerability: CVE-2013-2595": [[133, 146]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: CVE-2014-3153": [[161, 174]], "Vulnerability: futex": [[177, 182]], "Vulnerability: TowelRoot": [[187, 196]], "Vulnerability: CVE-2015-3636": [[199, 212]]}, "info": {"id": "cyner2_5class_train_00594", "source": "cyner2_5class_train"}}
+{"text": 
"ITG03 actors stole money from multiple international banks via the compromise of the interbank funds transfer system SWIFT in 2016.", "spans": {"Organization: multiple international banks": [[30, 58]], "Organization: the interbank funds": [[81, 100]], "System: transfer system SWIFT": [[101, 122]]}, "info": {"id": "cyner2_5class_train_00595", "source": "cyner2_5class_train"}}
+{"text": "This appears to be an attack campaign focused on espionage.", "spans": {}, "info": {"id": "cyner2_5class_train_00596", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Symmi.DC2FF Win32.Trojan.WisdomEyes.16070401.9500.9877 Trojan.Win32.VB.ctxv Troj.W32.VB.mgqM Win32.Trojan.Vb.Ahyc TrojWare.Win32.Injector.DSTF Trojan:W32/Bepush.B Trojan.Blocker.Win32.25483 BehavesLike.Win32.Dropper.jh Trojan/VB.cxjy TR/Crypt.cfi.besd Trojan.Win32.VB.ctxv Trojan/Win32.Asprox.R132179 Win32/VB.RTN Trojan.VB!fKAQ4AnWSUA Trojan.Crypt W32/ExtenBro.AK!tr Win32/Trojan.682", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.DC2FF": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9877": [[45, 87]], "Indicator: Trojan.Win32.VB.ctxv": [[88, 108], [285, 305]], "Indicator: Troj.W32.VB.mgqM": [[109, 125]], "Indicator: Win32.Trojan.Vb.Ahyc": [[126, 146]], "Indicator: TrojWare.Win32.Injector.DSTF": [[147, 175]], "Indicator: Trojan:W32/Bepush.B": [[176, 195]], "Indicator: Trojan.Blocker.Win32.25483": [[196, 222]], "Indicator: BehavesLike.Win32.Dropper.jh": [[223, 251]], "Indicator: Trojan/VB.cxjy": [[252, 266]], "Indicator: TR/Crypt.cfi.besd": [[267, 284]], "Indicator: Trojan/Win32.Asprox.R132179": [[306, 333]], "Indicator: Win32/VB.RTN": [[334, 346]], "Indicator: Trojan.VB!fKAQ4AnWSUA": [[347, 368]], "Indicator: Trojan.Crypt": [[369, 381]], "Indicator: W32/ExtenBro.AK!tr": [[382, 400]], "Indicator: Win32/Trojan.682": [[401, 417]]}, "info": {"id": "cyner2_5class_train_00597", "source": "cyner2_5class_train"}}
+{"text": "LINKS TO WOLF INTELLIGENCE During the 
Virus Bulletin conference in 2018 , CSIS researchers Benoît Ancel and Aleksejs Kuprins did a presentation on Wolf Research and the offensive arsenal developed by the organization .", "spans": {"Organization: CSIS": [[74, 78]], "Organization: Wolf Research": [[147, 160]]}, "info": {"id": "cyner2_5class_train_00598", "source": "cyner2_5class_train"}}
+{"text": "call_number : to forward phone calls to intercept voice based two-factor authentication .", "spans": {}, "info": {"id": "cyner2_5class_train_00599", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanPWS.Zbot.A4 Backdoor.Bot Troj.Dropper.W32.Dapato!c Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.Zbot Win32.Trojan.Injector.CZ Trojan-Dropper.Win32.Dapato.ezng Trojan.Win32.Dapato.driscq Trojan.Emotet.63 BehavesLike.Win32.VirRansom.cc Trojan.Win32.Injector Trojan/Yakes.tsq Trojan/Win32.Deshacop Spammer:Win32/Emotet.G Trojan-Dropper.Win32.Dapato.ezng Trojan/Win32.Injector.R140545 BScope.Malware-Cryptor.Hlux Trj/PasswordStealer.BT W32/Injector.BYFS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Zbot.A4": [[26, 43]], "Indicator: Backdoor.Bot": [[44, 56]], "Indicator: Troj.Dropper.W32.Dapato!c": [[57, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[83, 125]], "Indicator: Trojan.Zbot": [[126, 137]], "Indicator: Win32.Trojan.Injector.CZ": [[138, 162]], "Indicator: Trojan-Dropper.Win32.Dapato.ezng": [[163, 195], [355, 387]], "Indicator: Trojan.Win32.Dapato.driscq": [[196, 222]], "Indicator: Trojan.Emotet.63": [[223, 239]], "Indicator: BehavesLike.Win32.VirRansom.cc": [[240, 270]], "Indicator: Trojan.Win32.Injector": [[271, 292]], "Indicator: Trojan/Yakes.tsq": [[293, 309]], "Indicator: Trojan/Win32.Deshacop": [[310, 331]], "Indicator: Spammer:Win32/Emotet.G": [[332, 354]], "Indicator: Trojan/Win32.Injector.R140545": [[388, 417]], "Indicator: BScope.Malware-Cryptor.Hlux": [[418, 445]], "Indicator: Trj/PasswordStealer.BT": [[446, 468]], "Indicator: 
W32/Injector.BYFS!tr": [[469, 489]]}, "info": {"id": "cyner2_5class_train_00600", "source": "cyner2_5class_train"}}
+{"text": "Currently , this only affects Russian banks , but the technology behind Svpeng could easily be used to target other banking applications .", "spans": {"Malware: Svpeng": [[72, 78]]}, "info": {"id": "cyner2_5class_train_00601", "source": "cyner2_5class_train"}}
+{"text": "The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks.", "spans": {"Indicator: attack": [[4, 10]], "Malware: at": [[20, 22]], "Organization: organization": [[33, 45]], "Indicator: Shamoon attacks.": [[110, 126]]}, "info": {"id": "cyner2_5class_train_00602", "source": "cyner2_5class_train"}}
+{"text": "iOS development Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port .", "spans": {"System: iOS": [[0, 3], [126, 129]], "System: Android": [[34, 41]]}, "info": {"id": "cyner2_5class_train_00603", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TROJ_RUCE.C Win32.Trojan.WisdomEyes.16070401.9500.9969 TROJ_RUCE.C W32/Trojan.UCZC-3562 TR/Ruce.44544A Trojan.Hiloti.2 Trojan/Win32.Ruce.C1864771 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_RUCE.C": [[26, 37], [81, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[38, 80]], "Indicator: W32/Trojan.UCZC-3562": [[93, 113]], "Indicator: TR/Ruce.44544A": [[114, 128]], "Indicator: Trojan.Hiloti.2": [[129, 144]], "Indicator: Trojan/Win32.Ruce.C1864771": [[145, 171]], "Indicator: Trj/CI.A": [[172, 180]]}, "info": {"id": "cyner2_5class_train_00604", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan-Dropper/W32.Dapato.59904.C Trojan.Foidan Spyware.Zbot.ED TROJ_SPNR.11EJ13 Win32.Trojan.WisdomEyes.16070401.9500.9898 Trojan.Zbot TROJ_SPNR.11EJ13 Trojan-Dropper.Win32.Dapato.cdtt Trojan.Win32.Dapato.cqljwd 
Troj.Dropper.W32.Dapato.cdtt!c TrojWare.Win32.Kryptik.BAXK Trojan.Inject1.21866 Dropper.Dapato.Win32.27589 Trojan-Spy.Win32.Zbot W32/Trojan.JZAQ-0520 TrojanDropper.Dapato.sad TR/Drop.Dapato.cdtt Trojan[Dropper]/Win32.Dapato Trojan.Zusy.DD28A Trojan-Dropper.Win32.Dapato.cdtt Trojan:Win32/Foidan.A TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Pgng Trojan.DR.Dapato!3ZrfcO/CUjc W32/ZAccess.Y!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper/W32.Dapato.59904.C": [[26, 59]], "Indicator: Trojan.Foidan": [[60, 73]], "Indicator: Spyware.Zbot.ED": [[74, 89]], "Indicator: TROJ_SPNR.11EJ13": [[90, 106], [162, 178]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9898": [[107, 149]], "Indicator: Trojan.Zbot": [[150, 161]], "Indicator: Trojan-Dropper.Win32.Dapato.cdtt": [[179, 211], [481, 513]], "Indicator: Trojan.Win32.Dapato.cqljwd": [[212, 238]], "Indicator: Troj.Dropper.W32.Dapato.cdtt!c": [[239, 269]], "Indicator: TrojWare.Win32.Kryptik.BAXK": [[270, 297]], "Indicator: Trojan.Inject1.21866": [[298, 318]], "Indicator: Dropper.Dapato.Win32.27589": [[319, 345]], "Indicator: Trojan-Spy.Win32.Zbot": [[346, 367]], "Indicator: W32/Trojan.JZAQ-0520": [[368, 388]], "Indicator: TrojanDropper.Dapato.sad": [[389, 413]], "Indicator: TR/Drop.Dapato.cdtt": [[414, 433]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[434, 462]], "Indicator: Trojan.Zusy.DD28A": [[463, 480]], "Indicator: Trojan:Win32/Foidan.A": [[514, 535]], "Indicator: TrojanDropper.Dapato": [[536, 556]], "Indicator: Win32.Trojan-dropper.Dapato.Pgng": [[557, 589]], "Indicator: Trojan.DR.Dapato!3ZrfcO/CUjc": [[590, 618]], "Indicator: W32/ZAccess.Y!tr": [[619, 635]]}, "info": {"id": "cyner2_5class_train_00605", "source": "cyner2_5class_train"}} +{"text": "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements , generating revenues for the perpetrators behind it .", "spans": {}, "info": {"id": "cyner2_5class_train_00606", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Trojan.NSIS Troj.Nsis.Decryptor!c Trojan.Win32.Z.Decryptor.478934 Trojan.Inject1.52881 Trojan.Inject3 W32/Trojan.SALD-6852 Win32/Injector.BQWC Trojan.NSIS.Decryptor.m TrojanDropper:Win32/Bondat.A Trojan.Decryptor!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSIS": [[26, 37]], "Indicator: Troj.Nsis.Decryptor!c": [[38, 59]], "Indicator: Trojan.Win32.Z.Decryptor.478934": [[60, 91]], "Indicator: Trojan.Inject1.52881": [[92, 112]], "Indicator: Trojan.Inject3": [[113, 127]], "Indicator: W32/Trojan.SALD-6852": [[128, 148]], "Indicator: Win32/Injector.BQWC": [[149, 168]], "Indicator: Trojan.NSIS.Decryptor.m": [[169, 192]], "Indicator: TrojanDropper:Win32/Bondat.A": [[193, 221]], "Indicator: Trojan.Decryptor!": [[222, 239]]}, "info": {"id": "cyner2_5class_train_00607", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DepanserX.Trojan Backdoor/W32.Prorat.351276.AA Backdoor.Win32.Prorat!O Backdoor.Prorat.A8 Backdoor.Prorat.Win32.7 Backdoor/Prorat.b Win32.Trojan.WisdomEyes.16070401.9500.9886 W32/ProratP.L Backdoor.Prorat Win32/ProRat.I BKDR_PRORAT.F Win.Trojan.Prorat-9 Backdoor.Win32.Prorat.b Trojan.Win32.Prorat.fzuk Backdoor.W32.Prorat.l70O BackDoor.ProRat.1736 BKDR_PRORAT.F BehavesLike.Win32.Backdoor.fc W32/ProratP.L Backdoor/Prorat.cm BDS/Prorat.AC Trojan[Backdoor]/Win32.Prorat.f Backdoor:Win32/Prorat.N Backdoor.Win32.Prorat.351276.B Backdoor.Win32.Prorat.b Win32.Backdoor.Prorat.A Trojan/Win32.Prorat.R1757 MalwareScope.Trojan-PSW.Pinch.1 Backdoor.Prorat.AJ Backdoor.Win32.Prorat W32/Prorat.I!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DepanserX.Trojan": [[26, 46]], "Indicator: Backdoor/W32.Prorat.351276.AA": [[47, 76]], "Indicator: Backdoor.Win32.Prorat!O": [[77, 100]], "Indicator: Backdoor.Prorat.A8": [[101, 119]], "Indicator: Backdoor.Prorat.Win32.7": [[120, 143]], "Indicator: Backdoor/Prorat.b": [[144, 161]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9886": 
[[162, 204]], "Indicator: W32/ProratP.L": [[205, 218], [423, 436]], "Indicator: Backdoor.Prorat": [[219, 234]], "Indicator: Win32/ProRat.I": [[235, 249]], "Indicator: BKDR_PRORAT.F": [[250, 263], [379, 392]], "Indicator: Win.Trojan.Prorat-9": [[264, 283]], "Indicator: Backdoor.Win32.Prorat.b": [[284, 307], [557, 580]], "Indicator: Trojan.Win32.Prorat.fzuk": [[308, 332]], "Indicator: Backdoor.W32.Prorat.l70O": [[333, 357]], "Indicator: BackDoor.ProRat.1736": [[358, 378]], "Indicator: BehavesLike.Win32.Backdoor.fc": [[393, 422]], "Indicator: Backdoor/Prorat.cm": [[437, 455]], "Indicator: BDS/Prorat.AC": [[456, 469]], "Indicator: Trojan[Backdoor]/Win32.Prorat.f": [[470, 501]], "Indicator: Backdoor:Win32/Prorat.N": [[502, 525]], "Indicator: Backdoor.Win32.Prorat.351276.B": [[526, 556]], "Indicator: Win32.Backdoor.Prorat.A": [[581, 604]], "Indicator: Trojan/Win32.Prorat.R1757": [[605, 630]], "Indicator: MalwareScope.Trojan-PSW.Pinch.1": [[631, 662]], "Indicator: Backdoor.Prorat.AJ": [[663, 681]], "Indicator: Backdoor.Win32.Prorat": [[682, 703]], "Indicator: W32/Prorat.I!tr.bdr": [[704, 723]]}, "info": {"id": "cyner2_5class_train_00608", "source": "cyner2_5class_train"}} +{"text": "As it turns out, the downloaded file is an HTA HTML Application file, a format that is becoming more and more common as a malware launch point.", "spans": {"Indicator: the downloaded file": [[17, 36]], "Indicator: an HTA HTML Application file,": [[40, 69]], "Indicator: format": [[72, 78]], "Malware: malware": [[122, 129]]}, "info": {"id": "cyner2_5class_train_00609", "source": "cyner2_5class_train"}} +{"text": "This blog entry will introduce the details of Asruex.", "spans": {}, "info": {"id": "cyner2_5class_train_00610", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Rockse.Win32.2 BKDR_ROCKSE.A Backdoor.Rockse BKDR_ROCKSE.A Backdoor.Win32.Rockse Trojan.Win32.Rockse.hkwa Backdoor.Win32.Rockse BackDoor.Rockse BehavesLike.Win32.Dropper.gc Trojan.Win32.Rockse 
W32/Risk.RDKH-7511 BDS/Rockse.2 Trojan[Backdoor]/Win32.Rockse Win32.Hack.Rockse.kcloud Backdoor.W32.Rockse!c Backdoor.Win32.Rockse Backdoor.Rockse Win32.Backdoor.Rockse.Wkbu Backdoor.Rockse!5s6/g9tFaiQ W32/Rockse.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Rockse.Win32.2": [[26, 49]], "Indicator: BKDR_ROCKSE.A": [[50, 63], [80, 93]], "Indicator: Backdoor.Rockse": [[64, 79], [359, 374]], "Indicator: Backdoor.Win32.Rockse": [[94, 115], [141, 162], [337, 358]], "Indicator: Trojan.Win32.Rockse.hkwa": [[116, 140]], "Indicator: BackDoor.Rockse": [[163, 178]], "Indicator: BehavesLike.Win32.Dropper.gc": [[179, 207]], "Indicator: Trojan.Win32.Rockse": [[208, 227]], "Indicator: W32/Risk.RDKH-7511": [[228, 246]], "Indicator: BDS/Rockse.2": [[247, 259]], "Indicator: Trojan[Backdoor]/Win32.Rockse": [[260, 289]], "Indicator: Win32.Hack.Rockse.kcloud": [[290, 314]], "Indicator: Backdoor.W32.Rockse!c": [[315, 336]], "Indicator: Win32.Backdoor.Rockse.Wkbu": [[375, 401]], "Indicator: Backdoor.Rockse!5s6/g9tFaiQ": [[402, 429]], "Indicator: W32/Rockse.A!tr.bdr": [[430, 449]]}, "info": {"id": "cyner2_5class_train_00611", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Z.Notsocial.240128 Trojan.EmailSpy.origin BehavesLike.Win32.BadFile.dc Downloader/Win32.Mdm.R1834 Trojan.Win32.SpamTool", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Z.Notsocial.240128": [[26, 57]], "Indicator: Trojan.EmailSpy.origin": [[58, 80]], "Indicator: BehavesLike.Win32.BadFile.dc": [[81, 109]], "Indicator: Downloader/Win32.Mdm.R1834": [[110, 136]], "Indicator: Trojan.Win32.SpamTool": [[137, 158]]}, "info": {"id": "cyner2_5class_train_00612", "source": "cyner2_5class_train"}} +{"text": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target , with SHA256 digest : ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon installation , the app 
uses known framaroot exploits to escalate privileges and break Android 's application sandbox .", "spans": {"Malware: Chrysaor": [[53, 61]], "Indicator: com.network.android": [[72, 91]], "Organization: Samsung": [[107, 114]], "Indicator: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon": [[152, 220]], "System: Android": [[307, 314]]}, "info": {"id": "cyner2_5class_train_00613", "source": "cyner2_5class_train"}} +{"text": "After successful installation , tap Open and enable the device administrator .", "spans": {}, "info": {"id": "cyner2_5class_train_00614", "source": "cyner2_5class_train"}} +{"text": "These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters.", "spans": {}, "info": {"id": "cyner2_5class_train_00615", "source": "cyner2_5class_train"}} +{"text": "Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception .", "spans": {"Malware: Cerberus": [[0, 8], [1041, 1049]]}, "info": {"id": 
"cyner2_5class_train_00616", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Trojan.Unix.Mlw.evxpjx Linux.Trojan.Rootkit.40 Trojan/Linux.Rootkit.40 Trojan.Linux.Rootkit Linux/RootKit.40 Win32/RootKit.Rootkit.05f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Unix.Mlw.evxpjx": [[43, 65]], "Indicator: Linux.Trojan.Rootkit.40": [[66, 89]], "Indicator: Trojan/Linux.Rootkit.40": [[90, 113]], "Indicator: Trojan.Linux.Rootkit": [[114, 134]], "Indicator: Linux/RootKit.40": [[135, 151]], "Indicator: Win32/RootKit.Rootkit.05f": [[152, 177]]}, "info": {"id": "cyner2_5class_train_00617", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SvchostPP.Worm Trojan.VBS.Downloader.U Trojan.VBS.Downloader.U Trojan.StartPage.Win32.8162 Trojan.VBS.Downloader.U Win32.Trojan.WisdomEyes.16070401.9500.9984 W32/Trojan2.MMWH Trojan.Qhosts Win32/Delf.OF TROJ_FAM_00011b6.TOMA Win.Trojan.Delf-8259 Trojan.VBS.Downloader.U Trojan.VBS.Qhost.v Trojan.VBS.Downloader.U Trojan.Win32.StartPage.blxqw Trojan.VBS.Downloader.U Trojan.MulDrop1.37420 TROJ_FAM_00011b6.TOMA BehavesLike.Win32.Downloader.ch Trojan.VBS.Qhost W32/Trojan.DBWF-7475 Troj.VBS.StartPage.lgP3 Trojan.VBS.Qhost.v Trojan/Win32.Fakesys.R2395 VBS/TrojanDownloader.Psyme.NHE Trojan.DL.Delf.FCBW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SvchostPP.Worm": [[26, 44]], "Indicator: Trojan.VBS.Downloader.U": [[45, 68], [69, 92], [121, 144], [276, 299], [319, 342], [372, 395]], "Indicator: Trojan.StartPage.Win32.8162": [[93, 120]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[145, 187]], "Indicator: W32/Trojan2.MMWH": [[188, 204]], "Indicator: Trojan.Qhosts": [[205, 218]], "Indicator: Win32/Delf.OF": [[219, 232]], "Indicator: TROJ_FAM_00011b6.TOMA": [[233, 254], [418, 439]], "Indicator: Win.Trojan.Delf-8259": [[255, 275]], "Indicator: Trojan.VBS.Qhost.v": [[300, 318], [534, 552]], "Indicator: Trojan.Win32.StartPage.blxqw": [[343, 371]], 
"Indicator: Trojan.MulDrop1.37420": [[396, 417]], "Indicator: BehavesLike.Win32.Downloader.ch": [[440, 471]], "Indicator: Trojan.VBS.Qhost": [[472, 488]], "Indicator: W32/Trojan.DBWF-7475": [[489, 509]], "Indicator: Troj.VBS.StartPage.lgP3": [[510, 533]], "Indicator: Trojan/Win32.Fakesys.R2395": [[553, 579]], "Indicator: VBS/TrojanDownloader.Psyme.NHE": [[580, 610]], "Indicator: Trojan.DL.Delf.FCBW": [[611, 630]]}, "info": {"id": "cyner2_5class_train_00618", "source": "cyner2_5class_train"}} +{"text": "Since Android version 7 ( Nougat ) this information is gathered using other means , perhaps inferring the devices used by potential victim run older versions of Android .", "spans": {"System: Android": [[6, 13], [161, 168]], "System: Nougat": [[26, 32]]}, "info": {"id": "cyner2_5class_train_00619", "source": "cyner2_5class_train"}} +{"text": "The Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December 2014, followed by the Kaspersky report in February 2015.", "spans": {"Organization: Group-IB": [[57, 65]], "Organization: Fox-IT": [[70, 76]], "Organization: Kaspersky": [[126, 135]]}, "info": {"id": "cyner2_5class_train_00620", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //mailsa-wqq [ .", "spans": {"Indicator: hxxp : //mailsa-wqq [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_00621", "source": "cyner2_5class_train"}} +{"text": "changeActivity : This command will set up the webview to overlay any of the target activities .", "spans": {}, "info": {"id": "cyner2_5class_train_00622", "source": "cyner2_5class_train"}} +{"text": "Mandiant assesses with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime.", "spans": {"Organization: Mandiant": [[0, 8]]}, "info": {"id": "cyner2_5class_train_00623", "source": "cyner2_5class_train"}} +{"text": "This is why getting access to their devices could be worth a lot more than for a normal user.", 
"spans": {}, "info": {"id": "cyner2_5class_train_00624", "source": "cyner2_5class_train"}} +{"text": "ISSP informs on new wave of cyber attack in Ukraine on August 22, 2017", "spans": {"Indicator: ISSP": [[0, 4]], "Indicator: cyber attack": [[28, 40]]}, "info": {"id": "cyner2_5class_train_00625", "source": "cyner2_5class_train"}} +{"text": "Example Response in JSON format In particular , short number “ +7494 ” is associated with a payment service provider in Russia .", "spans": {}, "info": {"id": "cyner2_5class_train_00626", "source": "cyner2_5class_train"}} +{"text": "Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.", "spans": {"Malware: Sowbug": [[0, 6]], "Indicator: espionage attacks": [[38, 55]], "Organization: the organizations": [[83, 100]]}, "info": {"id": "cyner2_5class_train_00627", "source": "cyner2_5class_train"}} +{"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software .", "spans": {"Organization: MediaTek": [[42, 50]], "Organization: BLU": [[128, 131]], "Organization: Adups": [[154, 159]]}, "info": {"id": "cyner2_5class_train_00628", "source": "cyner2_5class_train"}} +{"text": "Our research team analyzed the malicious Android application that is most likely being spread by TrickBot and dubbed it “ TrickMo. 
” Targeting users in Germany at this time , TrickMo is the latest variation in the transaction authentication number ( TAN ) -stealing malware category .", "spans": {"System: Android": [[41, 48]], "Malware: TrickBot": [[97, 105]], "Malware: TrickMo.": [[122, 130]], "Malware: TrickMo": [[175, 182]]}, "info": {"id": "cyner2_5class_train_00629", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9973 Trojan.DownLoader25.64806 Trojan.MSILPerseus.D23337 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9973": [[26, 68]], "Indicator: Trojan.DownLoader25.64806": [[69, 94]], "Indicator: Trojan.MSILPerseus.D23337": [[95, 120]], "Indicator: Trj/GdSda.A": [[121, 132]]}, "info": {"id": "cyner2_5class_train_00630", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Wanex.A WORM_WANEX.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9879 W32.Wanex WORM_WANEX.TOMA Win.Trojan.Delf-1033 Virus.Win32.Wanex Virus.Win32.Wanex.ggsj W32.Wanex!c Win32.Wanex.A Win32.HLLW.Pewk.46651 Virus.Wanex.Win32.1 backdoor.win32.xtrat.a Win32/Wanker.a GrayWare[AdWare]/Win32.Wanex.a Win32.Wanex.a.57014 Trojan/Win32.Buzus.R2227 Virus.Win32.Wanex Win32/Wanex.A Win32.Wanex Trojan-GameThief.Win32.OnLineGames Win32/Wanex.A W32/Wanexorl.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Wanex.A": [[26, 37]], "Indicator: WORM_WANEX.TOMA": [[38, 53], [107, 122]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9879": [[54, 96]], "Indicator: W32.Wanex": [[97, 106]], "Indicator: Win.Trojan.Delf-1033": [[123, 143]], "Indicator: Virus.Win32.Wanex": [[144, 161], [367, 384]], "Indicator: Virus.Win32.Wanex.ggsj": [[162, 184]], "Indicator: W32.Wanex!c": [[185, 196]], "Indicator: Win32.Wanex.A": [[197, 210]], "Indicator: Win32.HLLW.Pewk.46651": [[211, 232]], "Indicator: Virus.Wanex.Win32.1": [[233, 252]], "Indicator: backdoor.win32.xtrat.a": [[253, 275]], "Indicator: 
Win32/Wanker.a": [[276, 290]], "Indicator: GrayWare[AdWare]/Win32.Wanex.a": [[291, 321]], "Indicator: Win32.Wanex.a.57014": [[322, 341]], "Indicator: Trojan/Win32.Buzus.R2227": [[342, 366]], "Indicator: Win32/Wanex.A": [[385, 398], [446, 459]], "Indicator: Win32.Wanex": [[399, 410]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[411, 445]], "Indicator: W32/Wanexorl.A": [[460, 474]]}, "info": {"id": "cyner2_5class_train_00631", "source": "cyner2_5class_train"}} +{"text": "The cybercriminals behind it kept the same masking and distribution methods , using names and icons imitating those of popular free ad services .", "spans": {}, "info": {"id": "cyner2_5class_train_00632", "source": "cyner2_5class_train"}} +{"text": "Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen.", "spans": {}, "info": {"id": "cyner2_5class_train_00633", "source": "cyner2_5class_train"}} +{"text": "Last week, thanks to the Check Point web sensor network, our researchers discovered a new and massive IoT Botnet, IoTroop'.", "spans": {"Organization: the Check Point web sensor network,": [[21, 56]], "Organization: researchers": [[61, 72]], "Malware: IoT Botnet, IoTroop'.": [[102, 123]]}, "info": {"id": "cyner2_5class_train_00634", "source": "cyner2_5class_train"}} +{"text": "IRC Botnets alive, effective & evolving Magento exploits in the wild The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.", "spans": {"Malware: IRC Botnets": [[0, 11]], "Vulnerability: Magento exploits": [[40, 56]], "Malware: The CozyDuke toolset,": [[69, 90]], "Malware: backdoor": [[240, 248]], "Indicator: gathering information": [[270, 291]], "Indicator: gaining further access": [[306, 328]], "Indicator: 
hosts": [[338, 343]]}, "info": {"id": "cyner2_5class_train_00635", "source": "cyner2_5class_train"}} +{"text": "Comparing strings from an old FakeSpy sample to a new one .", "spans": {"Malware: FakeSpy": [[30, 37]]}, "info": {"id": "cyner2_5class_train_00636", "source": "cyner2_5class_train"}} +{"text": "In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and access management' tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command Control channels and perform other tasks to try to stay ahead of being detected.", "spans": {"Indicator: advanced methods": [[29, 45]], "Indicator: deliberate targeting and access management' tradecraft": [[104, 158]], "System: environment": [[209, 220]], "Indicator: new Command Control channels": [[286, 314]]}, "info": {"id": "cyner2_5class_train_00637", "source": "cyner2_5class_train"}} +{"text": "The attack originates from a phishing email containing a Word document in Arabic language.", "spans": {"Indicator: attack": [[4, 10]], "Indicator: phishing email": [[29, 43]], "Indicator: Word document": [[57, 70]]}, "info": {"id": "cyner2_5class_train_00638", "source": "cyner2_5class_train"}} +{"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve – and no platform is immune .", "spans": {"System: Android": [[55, 62]]}, "info": {"id": "cyner2_5class_train_00639", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom:Win32/Cryptomix.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom:Win32/Cryptomix.A": [[26, 50]]}, "info": {"id": "cyner2_5class_train_00640", "source": "cyner2_5class_train"}} +{"text": "The downloader also uses an uncommon technique to perform a timing check to decide whether it should 
perform its malicious activities.", "spans": {}, "info": {"id": "cyner2_5class_train_00641", "source": "cyner2_5class_train"}} +{"text": "There has been a proliferation of malware specifically designed to extract payment card information from Point-of-Sale POS systems over the last two years.", "spans": {"Malware: malware": [[34, 41]], "Indicator: extract payment card information": [[67, 99]], "System: Point-of-Sale POS systems": [[105, 130]]}, "info": {"id": "cyner2_5class_train_00642", "source": "cyner2_5class_train"}} +{"text": "Continued mirroring suggests it is likely a regularly cleaned staging server .", "spans": {}, "info": {"id": "cyner2_5class_train_00643", "source": "cyner2_5class_train"}} +{"text": "With mobile devices increasingly used in the corporate environment , thanks to the popularity of BYOD policies , this malware has the potential to cause serious harm , mostly to consumers , and businesses that allow the installation of unsigned applications .", "spans": {}, "info": {"id": "cyner2_5class_train_00644", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Flooder.24292 TROJ_GICHTY.A W32/Risk.YWAF-8783 Hacktool.Flooder TROJ_GICHTY.A Win.Trojan.Gitch-1 Flooder.Win32.GichtyChatFlood.11 Trojan.Win32.GichtyChatFlood.dhga Flooder.W32.GichtyChatFlood.11!c TrojWare.Win32.Flooder.Chat.11 Trojan.Gichty.11 Tool.GichtyChatFlood.Win32.2 BehavesLike.Win32.Mydoom.mc Flooder.Chat.GichtyChatFlood.11 TR/GichtyChatFlood.11 Trojan.Heur.bmuee9li6sbi Flooder.Win32.GichtyChatFlood.11 Trojan.Win32.VB.2644 Win32/Flooder.Chat.GichtyChatFlood.11 Win32.Trojan.Gichtychatflood.Efbn Trojan.GichtyChatFlood!JHbWXCe+Dp8 Backdoor.Win32.VB Malware_fam.gw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Flooder.24292": [[26, 50]], "Indicator: TROJ_GICHTY.A": [[51, 64], [101, 114]], "Indicator: W32/Risk.YWAF-8783": [[65, 83]], "Indicator: Hacktool.Flooder": [[84, 100]], "Indicator: Win.Trojan.Gitch-1": [[115, 133]], "Indicator: 
Flooder.Win32.GichtyChatFlood.11": [[134, 166], [418, 450]], "Indicator: Trojan.Win32.GichtyChatFlood.dhga": [[167, 200]], "Indicator: Flooder.W32.GichtyChatFlood.11!c": [[201, 233]], "Indicator: TrojWare.Win32.Flooder.Chat.11": [[234, 264]], "Indicator: Trojan.Gichty.11": [[265, 281]], "Indicator: Tool.GichtyChatFlood.Win32.2": [[282, 310]], "Indicator: BehavesLike.Win32.Mydoom.mc": [[311, 338]], "Indicator: Flooder.Chat.GichtyChatFlood.11": [[339, 370]], "Indicator: TR/GichtyChatFlood.11": [[371, 392]], "Indicator: Trojan.Heur.bmuee9li6sbi": [[393, 417]], "Indicator: Trojan.Win32.VB.2644": [[451, 471]], "Indicator: Win32/Flooder.Chat.GichtyChatFlood.11": [[472, 509]], "Indicator: Win32.Trojan.Gichtychatflood.Efbn": [[510, 543]], "Indicator: Trojan.GichtyChatFlood!JHbWXCe+Dp8": [[544, 578]], "Indicator: Backdoor.Win32.VB": [[579, 596]], "Indicator: Malware_fam.gw": [[597, 611]]}, "info": {"id": "cyner2_5class_train_00645", "source": "cyner2_5class_train"}} +{"text": "Payments are made to a specific Bitcoin account , but we haven ’ t identified any payments so far .", "spans": {"System: Bitcoin": [[32, 39]]}, "info": {"id": "cyner2_5class_train_00646", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.Rogue.Windefender.B Aplicacion/TotalSecure2009.ae Fraudtool.TotalSecure2009!VN58ZBrXUCY Trojan-FakeAV.Win32.TotalSecure2009.ae Adware.Rogue.Windefender.B Trojan.Win32.Delflob!IK Adware.Rogue.Windefender Trojan.Fakealert.3458 Trojan:Win32/Delflob.I Adware.WinDefender2009.R.2828800 Adware.Rogue.Windefender.B Win-AppCare/Windefender.2828800 RogueAntiSpyware.WinDefender Trojan.Win32.Delflob", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Rogue.Windefender.B": [[26, 52], [160, 186], [314, 340]], "Indicator: Aplicacion/TotalSecure2009.ae": [[53, 82]], "Indicator: Fraudtool.TotalSecure2009!VN58ZBrXUCY": [[83, 120]], "Indicator: Trojan-FakeAV.Win32.TotalSecure2009.ae": [[121, 159]], "Indicator: Trojan.Win32.Delflob!IK": [[187, 210]], 
"Indicator: Adware.Rogue.Windefender": [[211, 235]], "Indicator: Trojan.Fakealert.3458": [[236, 257]], "Indicator: Trojan:Win32/Delflob.I": [[258, 280]], "Indicator: Adware.WinDefender2009.R.2828800": [[281, 313]], "Indicator: Win-AppCare/Windefender.2828800": [[341, 372]], "Indicator: RogueAntiSpyware.WinDefender": [[373, 401]], "Indicator: Trojan.Win32.Delflob": [[402, 422]]}, "info": {"id": "cyner2_5class_train_00647", "source": "cyner2_5class_train"}} +{"text": "It is worth noting that this number only shows hosts potentially vulnerable to the first exploit, while the second one is also required to execute code on the router or modem.", "spans": {"Vulnerability: hosts potentially vulnerable": [[47, 75]], "Malware: exploit,": [[89, 97]], "Malware: execute code": [[139, 151]], "System: router": [[159, 165]], "System: modem.": [[169, 175]]}, "info": {"id": "cyner2_5class_train_00648", "source": "cyner2_5class_train"}} +{"text": "The data is encoded prior to transmission using a dword XOR routine, so IDS technology is unlikely to see raw Track data flying around a compromised network.", "spans": {"Indicator: data": [[4, 8]], "Indicator: encoded prior to transmission": [[12, 41]], "Indicator: dword XOR routine,": [[50, 68]], "System: IDS technology": [[72, 86]], "System: compromised network.": [[137, 157]]}, "info": {"id": "cyner2_5class_train_00649", "source": "cyner2_5class_train"}} +{"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ .", "spans": {"Indicator: free-vpn [ .": [[75, 87]]}, "info": {"id": "cyner2_5class_train_00650", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Hupigon.AAAH Backdoor.Hupigon.AAAH Backdoor.Trojan Trojan.Dropper.Small-159 Backdoor.Hupigon.AAAH Virus.Win32.Delf!IK Packed.Win32.Klone.~KH Backdoor.Hupigon.AAAH Win32.Troj.Loader.fw.9734 TrojanDownloader:Win32/Bulilit.A Backdoor.Hupigon.AAAH BScope.HackTool.Sniffer.WpePro Backdoor.Trojan Virus.Win32.Delf 
W32/Shooo.A!tr Win32/Delf.2.K", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hupigon.AAAH": [[26, 47], [48, 69], [111, 132], [176, 197], [257, 278]], "Indicator: Backdoor.Trojan": [[70, 85], [310, 325]], "Indicator: Trojan.Dropper.Small-159": [[86, 110]], "Indicator: Virus.Win32.Delf!IK": [[133, 152]], "Indicator: Packed.Win32.Klone.~KH": [[153, 175]], "Indicator: Win32.Troj.Loader.fw.9734": [[198, 223]], "Indicator: TrojanDownloader:Win32/Bulilit.A": [[224, 256]], "Indicator: BScope.HackTool.Sniffer.WpePro": [[279, 309]], "Indicator: Virus.Win32.Delf": [[326, 342]], "Indicator: W32/Shooo.A!tr": [[343, 357]], "Indicator: Win32/Delf.2.K": [[358, 372]]}, "info": {"id": "cyner2_5class_train_00651", "source": "cyner2_5class_train"}} +{"text": "The cybercriminal group Lurk was one of the first to effectively employ fileless infection techniques in large-scale attacks—techniques that arguably became staples for other malefactors.", "spans": {"Organization: The cybercriminal group Lurk": [[0, 28]], "Indicator: employ fileless infection": [[65, 90]]}, "info": {"id": "cyner2_5class_train_00652", "source": "cyner2_5class_train"}} +{"text": "In March 2013, the country of South Korea experienced a major cyberattack, affecting tens of thousands of computer systems in the financial and broadcasting industries.", "spans": {"Indicator: cyberattack,": [[62, 74]], "System: computer systems": [[106, 122]], "Organization: financial": [[130, 139]], "Organization: broadcasting industries.": [[144, 168]]}, "info": {"id": "cyner2_5class_train_00653", "source": "cyner2_5class_train"}} +{"text": "This new RETADUP variant has features that would be useful for cybercrime instead of espionage.", "spans": {"Malware: RETADUP variant": [[9, 24]], "Indicator: cybercrime": [[63, 73]], "Indicator: espionage.": [[85, 95]]}, "info": {"id": "cyner2_5class_train_00654", "source": "cyner2_5class_train"}} +{"text": "On November 2015, Kaspersky Lab researchers identified ATMZombie, a 
banking Trojan that is considered to be the first malware to ever steal money from Israeli banks.", "spans": {"Organization: Kaspersky Lab researchers": [[18, 43]], "Malware: ATMZombie,": [[55, 65]], "Malware: banking Trojan": [[68, 82]], "Malware: malware": [[118, 125]], "Indicator: steal money": [[134, 145]], "Organization: Israeli banks.": [[151, 165]]}, "info": {"id": "cyner2_5class_train_00655", "source": "cyner2_5class_train"}} +{"text": "HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android .", "spans": {"Malware: HummingBad": [[0, 10]], "Vulnerability: unpatched vulnerabilities": [[68, 93]], "System: Android": [[153, 160]]}, "info": {"id": "cyner2_5class_train_00656", "source": "cyner2_5class_train"}} +{"text": "] it Cosenza server1ct.exodus.connexxa [ .", "spans": {"Indicator: server1ct.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner2_5class_train_00657", "source": "cyner2_5class_train"}} +{"text": "The code supports two different installation methods : setup in a UAC-enforced environment ( with limited privileges ) , or an installation with full-administrative privileges enabled ( in cases where the malware gains the ability to run with elevated permissions ) .", "spans": {"System: UAC-enforced environment": [[66, 90]]}, "info": {"id": "cyner2_5class_train_00658", "source": "cyner2_5class_train"}} +{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner2_5class_train_00659", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Zbot.A4 Spyware.Zbot Trojan.Zbot.Win32.150744 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Zbot TROJ_MALKRYP.SM1 Trojan.Win32.Zbot.cuxeug Win32.Trojan.Spy.Pefj TrojWare.Win32.Injector.AYTP Trojan.PWS.Panda.2982 TROJ_MALKRYP.SM1 BehavesLike.Win32.PWSZbot.cc TrojanSpy.Zbot.ecmj TR/Spy.ZBot.rhwnxx Trojan[Spy]/Win32.Zbot Win32.Troj.Undef.kcloud Trojan:Win32/Tesch.B Trojan.Kazy.D53F00 
Backdoor/Win32.Androm.R99103 BScope.Malware-Cryptor.Winlock.7414 Win32/Injector.AYPX TrojanSpy.Zbot!As9snjQ7nLU Trojan-Downloader.Win32.Carberp W32/Kryptik.WIF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Zbot.A4": [[26, 43]], "Indicator: Spyware.Zbot": [[44, 56]], "Indicator: Trojan.Zbot.Win32.150744": [[57, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Trojan.Zbot": [[125, 136]], "Indicator: TROJ_MALKRYP.SM1": [[137, 153], [252, 268]], "Indicator: Trojan.Win32.Zbot.cuxeug": [[154, 178]], "Indicator: Win32.Trojan.Spy.Pefj": [[179, 200]], "Indicator: TrojWare.Win32.Injector.AYTP": [[201, 229]], "Indicator: Trojan.PWS.Panda.2982": [[230, 251]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[269, 297]], "Indicator: TrojanSpy.Zbot.ecmj": [[298, 317]], "Indicator: TR/Spy.ZBot.rhwnxx": [[318, 336]], "Indicator: Trojan[Spy]/Win32.Zbot": [[337, 359]], "Indicator: Win32.Troj.Undef.kcloud": [[360, 383]], "Indicator: Trojan:Win32/Tesch.B": [[384, 404]], "Indicator: Trojan.Kazy.D53F00": [[405, 423]], "Indicator: Backdoor/Win32.Androm.R99103": [[424, 452]], "Indicator: BScope.Malware-Cryptor.Winlock.7414": [[453, 488]], "Indicator: Win32/Injector.AYPX": [[489, 508]], "Indicator: TrojanSpy.Zbot!As9snjQ7nLU": [[509, 535]], "Indicator: Trojan-Downloader.Win32.Carberp": [[536, 567]], "Indicator: W32/Kryptik.WIF!tr": [[568, 586]]}, "info": {"id": "cyner2_5class_train_00660", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodc3b.Trojan.b7e0 Trojan/Downloader.Vqod.bq Trojan.DL.Vqod!a48Wt68Nq30 Trojan-Downloader.Win32.Vqod.bq Trojan.Win32.Vqod.cokvn Trojan.DownLoad2.31415 TR/Dldr.Vqod.bq Trojan[:HEUR]/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Lisfonp.A Win-Trojan/Vqod.57856.B TrojanDownloader.Vqod Win32.Trojan-downloader.Vqod.Pgmj Trojan-Downloader.Win32.Lisfonp W32/Vqod.BQ!tr.dldr Win32/Trojan.7ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32.Clodc3b.Trojan.b7e0": [[26, 49]], "Indicator: Trojan/Downloader.Vqod.bq": [[50, 75]], "Indicator: Trojan.DL.Vqod!a48Wt68Nq30": [[76, 102]], "Indicator: Trojan-Downloader.Win32.Vqod.bq": [[103, 134]], "Indicator: Trojan.Win32.Vqod.cokvn": [[135, 158]], "Indicator: Trojan.DownLoad2.31415": [[159, 181]], "Indicator: TR/Dldr.Vqod.bq": [[182, 197]], "Indicator: Trojan[:HEUR]/Win32.Unknown": [[198, 225]], "Indicator: Win32.Troj.Undef.kcloud": [[226, 249]], "Indicator: TrojanDownloader:Win32/Lisfonp.A": [[250, 282]], "Indicator: Win-Trojan/Vqod.57856.B": [[283, 306]], "Indicator: TrojanDownloader.Vqod": [[307, 328]], "Indicator: Win32.Trojan-downloader.Vqod.Pgmj": [[329, 362]], "Indicator: Trojan-Downloader.Win32.Lisfonp": [[363, 394]], "Indicator: W32/Vqod.BQ!tr.dldr": [[395, 414]], "Indicator: Win32/Trojan.7ff": [[415, 431]]}, "info": {"id": "cyner2_5class_train_00661", "source": "cyner2_5class_train"}} +{"text": "At launching, it checks for the presence of /var/run/dhcpclient-eth0.pid. file.", "spans": {"Indicator: /var/run/dhcpclient-eth0.pid. 
file.": [[44, 79]]}, "info": {"id": "cyner2_5class_train_00662", "source": "cyner2_5class_train"}} +{"text": "Android.Oldboot acts as a system service and connects to the command-and-controller server using libgooglekernel.so library and receives commands to download , remove installed apps , and install malicious apps .", "spans": {"Malware: Android.Oldboot": [[0, 15]], "Indicator: libgooglekernel.so": [[97, 115]]}, "info": {"id": "cyner2_5class_train_00663", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.AutoIT.Injector.S Trojan/Cosmu.bizd AutoIt.Trojan.Injector.g Trojan.Packed.40821 Trojan.Autoit.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.AutoIT.Injector.S": [[26, 50]], "Indicator: Trojan/Cosmu.bizd": [[51, 68]], "Indicator: AutoIt.Trojan.Injector.g": [[69, 93]], "Indicator: Trojan.Packed.40821": [[94, 113]], "Indicator: Trojan.Autoit.F": [[114, 129]]}, "info": {"id": "cyner2_5class_train_00664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Pipsek.B5 Downloader.Small.Win32.48755 Trojan/Downloader.Small.bjqy TROJ_REDOSD.SMQ Win32.Trojan.KillAV.c W32/KillAV.GG Trojan.Dropper Win32/Pigeon.BCUH TROJ_REDOSD.SMQ Trojan-Downloader.Win32.Small.bjqy Trojan.Win32.Small.bdavsq Trojan.Win32.A.Downloader.48432 TrojWare.Win32.AntiAV.nhr W32/KillAV.JXYA-5937 Trojan/Win32.Antavmu Trojan.Symmi.D2028 Trojan-Downloader.Win32.Small.bjqy Downloader/Win32.Small.R14220 Trojan.Antavmu Win32/AntiAV.NHJ Trojan.Win32.FakeUsp.c Trojan.AntiAV!GuYWyLBvRFY Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Small!O": [[26, 57]], "Indicator: TrojanDownloader.Pipsek.B5": [[58, 84]], "Indicator: Downloader.Small.Win32.48755": [[85, 113]], "Indicator: Trojan/Downloader.Small.bjqy": [[114, 142]], "Indicator: TROJ_REDOSD.SMQ": [[143, 158], [228, 243]], "Indicator: Win32.Trojan.KillAV.c": [[159, 180]], "Indicator: 
W32/KillAV.GG": [[181, 194]], "Indicator: Trojan.Dropper": [[195, 209]], "Indicator: Win32/Pigeon.BCUH": [[210, 227]], "Indicator: Trojan-Downloader.Win32.Small.bjqy": [[244, 278], [424, 458]], "Indicator: Trojan.Win32.Small.bdavsq": [[279, 304]], "Indicator: Trojan.Win32.A.Downloader.48432": [[305, 336]], "Indicator: TrojWare.Win32.AntiAV.nhr": [[337, 362]], "Indicator: W32/KillAV.JXYA-5937": [[363, 383]], "Indicator: Trojan/Win32.Antavmu": [[384, 404]], "Indicator: Trojan.Symmi.D2028": [[405, 423]], "Indicator: Downloader/Win32.Small.R14220": [[459, 488]], "Indicator: Trojan.Antavmu": [[489, 503]], "Indicator: Win32/AntiAV.NHJ": [[504, 520]], "Indicator: Trojan.Win32.FakeUsp.c": [[521, 543]], "Indicator: Trojan.AntiAV!GuYWyLBvRFY": [[544, 569]], "Indicator: Trojan-Downloader.Win32.Small": [[570, 599]]}, "info": {"id": "cyner2_5class_train_00665", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Sality!O TrojanSpy.Zbot Trojan-Spy.Win32.Zbot.wjen Troj.Spy.W32.Zbot!c Trojan.PWS.Panda.9309 BehavesLike.Win32.Downloader.fc TR/AD.ZbotCitadel.kvrxb Trojan.Win32.Z.Zbot.312320.HY Trojan-Spy.Win32.Zbot.wjen Trojan/Win32.Zbot.C2294377 TrojanSpy.Zbot Trojan.Crypt.RV Win32/Spy.Zbot.AAO W32/Zbot.AAO!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: TrojanSpy.Zbot": [[47, 61], [271, 285]], "Indicator: Trojan-Spy.Win32.Zbot.wjen": [[62, 88], [217, 243]], "Indicator: Troj.Spy.W32.Zbot!c": [[89, 108]], "Indicator: Trojan.PWS.Panda.9309": [[109, 130]], "Indicator: BehavesLike.Win32.Downloader.fc": [[131, 162]], "Indicator: TR/AD.ZbotCitadel.kvrxb": [[163, 186]], "Indicator: Trojan.Win32.Z.Zbot.312320.HY": [[187, 216]], "Indicator: Trojan/Win32.Zbot.C2294377": [[244, 270]], "Indicator: Trojan.Crypt.RV": [[286, 301]], "Indicator: Win32/Spy.Zbot.AAO": [[302, 320]], "Indicator: W32/Zbot.AAO!tr": [[321, 336]], "Indicator: Trj/CI.A": [[337, 345]]}, "info": {"id": "cyner2_5class_train_00666", 
"source": "cyner2_5class_train"}} +{"text": "Small Trojans like Leech , Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered — we call it Triada .", "spans": {"Malware: Leech": [[19, 24]], "Malware: Ztorg": [[27, 32]], "Malware: Gopro": [[37, 42]], "Malware: Triada": [[152, 158]]}, "info": {"id": "cyner2_5class_train_00667", "source": "cyner2_5class_train"}} +{"text": "We can not say for sure if Wolf Research and Coralco Tech are linked , but this panel name , their offerings and the panel layout would suggest it should be considered suspiciously linked .", "spans": {"Organization: Wolf Research": [[27, 40]], "Organization: Coralco Tech": [[45, 57]]}, "info": {"id": "cyner2_5class_train_00668", "source": "cyner2_5class_train"}} +{"text": "TYPE_VIEW_FOCUSED Represents the event of setting input focus of a View .", "spans": {}, "info": {"id": "cyner2_5class_train_00669", "source": "cyner2_5class_train"}} +{"text": "This threat can collect your sensitive information without your consent.", "spans": {}, "info": {"id": "cyner2_5class_train_00670", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.Prostor!O TrojanPWS.Prostor Trojan.Prostor.Win32.53 Trojan/PSW.Prostor.h TROJ_PROSTOR.AA Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/PWStealer.APR Win32/Prostor.D TROJ_PROSTOR.AA Win.Trojan.Ag-1 Trojan-PSW.Win32.Prostor.h Trojan.Win32.Prostor.hoip Trojan.Win32.PSWProstor.16896 Virus.Malware.Sbg!c TrojWare.Win32.PSW.Prostor.~I Trojan.PWS.Prostor W32/PWS.PNJG-2228 Trojan/PSW.Prostor.y KIT/Prostor.I.1 Trojan[PSW]/Win32.Prostor Trojan-PSW.Win32.Prostor.h Trojan/Win32.Prostor.C16806 Trj/Prostor.F Win32.Trojan-qqpass.Qqrob.Lkdt Trojan.PWS.Prostor!B7NqNICS3Y4 Trojan-PWS.Win32.Prostor.h Win32/Trojan.PSW.7e6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.Prostor!O": [[26, 52]], "Indicator: TrojanPWS.Prostor": [[53, 70]], "Indicator: Trojan.Prostor.Win32.53": 
[[71, 94]], "Indicator: Trojan/PSW.Prostor.h": [[95, 115]], "Indicator: TROJ_PROSTOR.AA": [[116, 131], [209, 224]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[132, 174]], "Indicator: W32/PWStealer.APR": [[175, 192]], "Indicator: Win32/Prostor.D": [[193, 208]], "Indicator: Win.Trojan.Ag-1": [[225, 240]], "Indicator: Trojan-PSW.Win32.Prostor.h": [[241, 267], [474, 500]], "Indicator: Trojan.Win32.Prostor.hoip": [[268, 293]], "Indicator: Trojan.Win32.PSWProstor.16896": [[294, 323]], "Indicator: Virus.Malware.Sbg!c": [[324, 343]], "Indicator: TrojWare.Win32.PSW.Prostor.~I": [[344, 373]], "Indicator: Trojan.PWS.Prostor": [[374, 392]], "Indicator: W32/PWS.PNJG-2228": [[393, 410]], "Indicator: Trojan/PSW.Prostor.y": [[411, 431]], "Indicator: KIT/Prostor.I.1": [[432, 447]], "Indicator: Trojan[PSW]/Win32.Prostor": [[448, 473]], "Indicator: Trojan/Win32.Prostor.C16806": [[501, 528]], "Indicator: Trj/Prostor.F": [[529, 542]], "Indicator: Win32.Trojan-qqpass.Qqrob.Lkdt": [[543, 573]], "Indicator: Trojan.PWS.Prostor!B7NqNICS3Y4": [[574, 604]], "Indicator: Trojan-PWS.Win32.Prostor.h": [[605, 631]], "Indicator: Win32/Trojan.PSW.7e6": [[632, 652]]}, "info": {"id": "cyner2_5class_train_00671", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ThundeSnS.Trojan Trojan-Clicker.Win32.VB!O Trojan.Desurou Troj.W32.Scar!c Win32.Trojan.WisdomEyes.16070401.9500.9957 Trojan.Adclicker Win32/TrojanClicker.VB.NNM TROJ_VBCLICK.SMO Win.Trojan.Adclicker-49 Trojan.Win32.Scar.qppd Win32.Trojan.Scar.Akez Trojan.DownLoad1.52605 Trojan.VB.Win32.40030 TROJ_VBCLICK.SMO Trojan/Clicker.VB.esc Trojan-Clicker.Win32.VB TR/Click.VB.esc Trojan.Heur.VP2.EF8A48 Trojan/Win32.VB.R2074 Trojan.Win32.Scar.qppd Trojan.VBRA.07317 Trojan.CL.VB!imzVbRyD0G8 Win32/Trojan.fb0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ThundeSnS.Trojan": [[26, 46]], "Indicator: Trojan-Clicker.Win32.VB!O": [[47, 72]], "Indicator: Trojan.Desurou": [[73, 87]], "Indicator: Troj.W32.Scar!c": 
[[88, 103]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9957": [[104, 146]], "Indicator: Trojan.Adclicker": [[147, 163]], "Indicator: Win32/TrojanClicker.VB.NNM": [[164, 190]], "Indicator: TROJ_VBCLICK.SMO": [[191, 207], [323, 339]], "Indicator: Win.Trojan.Adclicker-49": [[208, 231]], "Indicator: Trojan.Win32.Scar.qppd": [[232, 254], [447, 469]], "Indicator: Win32.Trojan.Scar.Akez": [[255, 277]], "Indicator: Trojan.DownLoad1.52605": [[278, 300]], "Indicator: Trojan.VB.Win32.40030": [[301, 322]], "Indicator: Trojan/Clicker.VB.esc": [[340, 361]], "Indicator: Trojan-Clicker.Win32.VB": [[362, 385]], "Indicator: TR/Click.VB.esc": [[386, 401]], "Indicator: Trojan.Heur.VP2.EF8A48": [[402, 424]], "Indicator: Trojan/Win32.VB.R2074": [[425, 446]], "Indicator: Trojan.VBRA.07317": [[470, 487]], "Indicator: Trojan.CL.VB!imzVbRyD0G8": [[488, 512]], "Indicator: Win32/Trojan.fb0": [[513, 529]]}, "info": {"id": "cyner2_5class_train_00672", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Razy.D1E0B8 Win32.Trojan.WisdomEyes.16070401.9500.9905 TSPY_LOKI.SMA Trojan.PWS.Stealer.17779 TSPY_LOKI.SMA BehavesLike.Win32.VirRansom.nh Trojan:Win32/Pwsteal.Q!bit Trojan/Win32.naKocTb.C1675893 Win32.Trojan.Dropper.Heur Trojan.naKocTb!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.Razy.D1E0B8": [[46, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9905": [[65, 107]], "Indicator: TSPY_LOKI.SMA": [[108, 121], [147, 160]], "Indicator: Trojan.PWS.Stealer.17779": [[122, 146]], "Indicator: BehavesLike.Win32.VirRansom.nh": [[161, 191]], "Indicator: Trojan:Win32/Pwsteal.Q!bit": [[192, 218]], "Indicator: Trojan/Win32.naKocTb.C1675893": [[219, 248]], "Indicator: Win32.Trojan.Dropper.Heur": [[249, 274]], "Indicator: Trojan.naKocTb!": [[275, 290]]}, "info": {"id": "cyner2_5class_train_00673", "source": "cyner2_5class_train"}} +{"text": "The IP address of both 
ora.carlaarrabitoarchitetto [ .", "spans": {"Indicator: ora.carlaarrabitoarchitetto [ .": [[23, 54]]}, "info": {"id": "cyner2_5class_train_00674", "source": "cyner2_5class_train"}} +{"text": "ArborNetworks For the past few months ASERT has been keeping an eye on a relatively new banking malware banker known as Pkybot", "spans": {"Organization: ArborNetworks": [[0, 13]], "Organization: ASERT": [[38, 43]], "Malware: banking malware": [[88, 103]], "Malware: banker": [[104, 110]], "Malware: Pkybot": [[120, 126]]}, "info": {"id": "cyner2_5class_train_00675", "source": "cyner2_5class_train"}} +{"text": "This class is based on public code belonging to the package praeda.muzikmekan , which can be found here among other places .", "spans": {"Indicator: praeda.muzikmekan": [[60, 77]]}, "info": {"id": "cyner2_5class_train_00676", "source": "cyner2_5class_train"}} +{"text": "The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible .", "spans": {}, "info": {"id": "cyner2_5class_train_00677", "source": "cyner2_5class_train"}} +{"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can ’ t do anything else .", "spans": {}, "info": {"id": "cyner2_5class_train_00678", "source": "cyner2_5class_train"}} +{"text": "Broadcast receivers are components that allow you to register for various Android events .", "spans": {"System: Android": [[74, 81]]}, "info": {"id": "cyner2_5class_train_00679", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Hoax.W32.ArchSMS.HEUR.lFj0 Adware.Ziconarch.122880 Tool.SMSSend.178 Trojan.Win32.Ziconarch TR/ZipCoin.A HackTool[Hoax]/Win32.ArchSMS Trojan:Win32/Ziconarch.B.dam#2 Adware/Win32.SMSHoax.R13251 Win32/Trojan.048", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.ArchSMS!O": [[26, 46]], "Indicator: Hoax.W32.ArchSMS.HEUR.lFj0": [[47, 73]], 
"Indicator: Adware.Ziconarch.122880": [[74, 97]], "Indicator: Tool.SMSSend.178": [[98, 114]], "Indicator: Trojan.Win32.Ziconarch": [[115, 137]], "Indicator: TR/ZipCoin.A": [[138, 150]], "Indicator: HackTool[Hoax]/Win32.ArchSMS": [[151, 179]], "Indicator: Trojan:Win32/Ziconarch.B.dam#2": [[180, 210]], "Indicator: Adware/Win32.SMSHoax.R13251": [[211, 238]], "Indicator: Win32/Trojan.048": [[239, 255]]}, "info": {"id": "cyner2_5class_train_00680", "source": "cyner2_5class_train"}} +{"text": "IOCs related to an attack against banks in Poland", "spans": {"Indicator: IOCs": [[0, 4]], "Organization: banks": [[34, 39]]}, "info": {"id": "cyner2_5class_train_00681", "source": "cyner2_5class_train"}} +{"text": "The ransomware author of Mole made a small mistake, which gives everyone the statistics of all the infected clients.", "spans": {"Malware: Mole": [[25, 29]]}, "info": {"id": "cyner2_5class_train_00682", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Kovter Ransom_HPCERBER.SMALY0A Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPCERBER.SMALY0A Trojan.Win32.Pennelas.evftsg Downloader.BloKrypt.Win32.2 BehavesLike.Win32.Ransomware.hh Trojan-Downloader.Win32.Blocrypt TrojanDownloader.BloKrypt.c TR/Pennelas.tmcdy Trojan[Downloader]/Win32.BloKrypt Downloader/Win32.BloKrypt.C1680725 Trj/GdSda.A Win32/TrojanDownloader.Blocrypt.AK Trojan.DL.BloKrypt! 
W32/Kryptik.FKEL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.Kovter": [[46, 59]], "Indicator: Ransom_HPCERBER.SMALY0A": [[60, 83], [127, 150]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[84, 126]], "Indicator: Trojan.Win32.Pennelas.evftsg": [[151, 179]], "Indicator: Downloader.BloKrypt.Win32.2": [[180, 207]], "Indicator: BehavesLike.Win32.Ransomware.hh": [[208, 239]], "Indicator: Trojan-Downloader.Win32.Blocrypt": [[240, 272]], "Indicator: TrojanDownloader.BloKrypt.c": [[273, 300]], "Indicator: TR/Pennelas.tmcdy": [[301, 318]], "Indicator: Trojan[Downloader]/Win32.BloKrypt": [[319, 352]], "Indicator: Downloader/Win32.BloKrypt.C1680725": [[353, 387]], "Indicator: Trj/GdSda.A": [[388, 399]], "Indicator: Win32/TrojanDownloader.Blocrypt.AK": [[400, 434]], "Indicator: Trojan.DL.BloKrypt!": [[435, 454]], "Indicator: W32/Kryptik.FKEL!tr": [[455, 474]]}, "info": {"id": "cyner2_5class_train_00683", "source": "cyner2_5class_train"}} +{"text": "Odin very much resembles another Locky variant, Zepto.", "spans": {"Malware: Odin": [[0, 4]], "Malware: Locky variant, Zepto.": [[33, 54]]}, "info": {"id": "cyner2_5class_train_00684", "source": "cyner2_5class_train"}} +{"text": "Trend of the year : mobile banking Trojans 2013 was marked by a rapid rise in the number of Android banking Trojans .", "spans": {"System: Android": [[92, 99]]}, "info": {"id": "cyner2_5class_train_00685", "source": "cyner2_5class_train"}} +{"text": "Israeli media published the first reports about the social networking and social engineering aspects of this campaign .", "spans": {}, "info": {"id": "cyner2_5class_train_00686", "source": "cyner2_5class_train"}} +{"text": "This new campaign includes new evasive macros and demonstrates continued evolution in their tools and techniques, showcasing attacker adaptation to evolving defenses and the widespread use of sandboxes.", "spans": {"Malware: evasive macros": [[31, 45]], 
"Malware: tools": [[92, 97]], "System: sandboxes.": [[192, 202]]}, "info": {"id": "cyner2_5class_train_00687", "source": "cyner2_5class_train"}} +{"text": "Assuming these checks pass , one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app ’ s Dalvik code through the Java Native Interface ( JNI ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00688", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.Oblivion Trojan/Dropper.oblivion W32/Tool.JTFL-0204 TROJ_OBLIVION.B Win.Dropper.Oblivion-3 Trojan-Dropper.Win32.Oblivion Trojan.Win32.Oblivion.dksy Trojan.Win32.Z.Oblivion.53248 Troj.Dropper.W32.Oblivion!c TrojWare.Win32.TrojanDropper.Oblivion Dropper.Oblivion.Win32.1 TROJ_OBLIVION.B BehavesLike.Win32.Dropper.qt TrojanDropper.Win32.Oblivion W32.Trojan.Backdoor-Oblivion Trojan[Dropper]/Win32.Oblivion Trojan-Dropper.Win32.Oblivion Trojan/Win32.HDC.C97188 TrojanDropper.Oblivion Trj/Oblivion.Drp Win32/TrojanDropper.Oblivion Win32.Trojan-dropper.Oblivion.Wpjr Trojan.DR.Oblivion!js3IRiusBTg Trojan-Dropper.Win32.Oblivion W32/Oblivion.A!tr Win32/Trojan.Dropper.f88", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Oblivion": [[26, 48], [497, 519]], "Indicator: Trojan/Dropper.oblivion": [[49, 72]], "Indicator: W32/Tool.JTFL-0204": [[73, 91]], "Indicator: TROJ_OBLIVION.B": [[92, 107], [309, 324]], "Indicator: Win.Dropper.Oblivion-3": [[108, 130]], "Indicator: Trojan-Dropper.Win32.Oblivion": [[131, 160], [443, 472], [632, 661]], "Indicator: Trojan.Win32.Oblivion.dksy": [[161, 187]], "Indicator: Trojan.Win32.Z.Oblivion.53248": [[188, 217]], "Indicator: Troj.Dropper.W32.Oblivion!c": [[218, 245]], "Indicator: TrojWare.Win32.TrojanDropper.Oblivion": [[246, 283]], "Indicator: Dropper.Oblivion.Win32.1": [[284, 308]], "Indicator: BehavesLike.Win32.Dropper.qt": [[325, 353]], "Indicator: TrojanDropper.Win32.Oblivion": [[354, 382]], "Indicator: W32.Trojan.Backdoor-Oblivion": 
[[383, 411]], "Indicator: Trojan[Dropper]/Win32.Oblivion": [[412, 442]], "Indicator: Trojan/Win32.HDC.C97188": [[473, 496]], "Indicator: Trj/Oblivion.Drp": [[520, 536]], "Indicator: Win32/TrojanDropper.Oblivion": [[537, 565]], "Indicator: Win32.Trojan-dropper.Oblivion.Wpjr": [[566, 600]], "Indicator: Trojan.DR.Oblivion!js3IRiusBTg": [[601, 631]], "Indicator: W32/Oblivion.A!tr": [[662, 679]], "Indicator: Win32/Trojan.Dropper.f88": [[680, 704]]}, "info": {"id": "cyner2_5class_train_00689", "source": "cyner2_5class_train"}} +{"text": "All those functions are implemented in asynchronous tasks by “ org.starsizew.i ” .", "spans": {"Indicator: org.starsizew.i": [[63, 78]]}, "info": {"id": "cyner2_5class_train_00690", "source": "cyner2_5class_train"}} +{"text": "The other appears to be CVE-2015-1770.", "spans": {"Indicator: CVE-2015-1770.": [[24, 38]]}, "info": {"id": "cyner2_5class_train_00691", "source": "cyner2_5class_train"}} +{"text": "First ( start ) module The first module , which was installed on the targeted device , could be controlled over the IRC protocol and enable deployment of other components by downloading a payload from the FTP server : @ install command As can be seen from the screenshot above , a new component was copied in the system path , though that sort of operation is impossible without root privileges .", "spans": {}, "info": {"id": "cyner2_5class_train_00692", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: P2P-Worm.Win32.Picsys!O Worm.Picsys.CC1 Worm.Picsys.Win32.3 W32/Picsys.b Win32.Worm.Picsys.a W32/Picsys.B W32.HLLW.Yoof Win32/Picsys.A WORM_SPYBOT.PA Win.Worm.Picsys-4 P2P-Worm.Win32.Picsys.b Trojan.Win32.Picsys.cxhvjd Worm.Win32.Picsys.aab Worm.Win32.Picsys.B Win32.HLLW.Morpheus.2 WORM_SPYBOT.PA BehavesLike.Win32.Picsys.mc W32/Picsys.FYLV-4646 I-Worm/P2P.Picsys Worm[P2P]/Win32.Picsys Worm:Win32/Yoof.E Worm.Win32.P2P-Picsys.65221 Worm/Win32.Picsys.C116429 W32/Picsys.worm.b Worm.Picsys Win32/Picsys.B 
Worm.Picsys!vNEZkf1mA50 P2P-Worm.Win32.Picsys.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: P2P-Worm.Win32.Picsys!O": [[26, 49]], "Indicator: Worm.Picsys.CC1": [[50, 65]], "Indicator: Worm.Picsys.Win32.3": [[66, 85]], "Indicator: W32/Picsys.b": [[86, 98]], "Indicator: Win32.Worm.Picsys.a": [[99, 118]], "Indicator: W32/Picsys.B": [[119, 131]], "Indicator: W32.HLLW.Yoof": [[132, 145]], "Indicator: Win32/Picsys.A": [[146, 160]], "Indicator: WORM_SPYBOT.PA": [[161, 175], [309, 323]], "Indicator: Win.Worm.Picsys-4": [[176, 193]], "Indicator: P2P-Worm.Win32.Picsys.b": [[194, 217], [555, 578]], "Indicator: Trojan.Win32.Picsys.cxhvjd": [[218, 244]], "Indicator: Worm.Win32.Picsys.aab": [[245, 266]], "Indicator: Worm.Win32.Picsys.B": [[267, 286]], "Indicator: Win32.HLLW.Morpheus.2": [[287, 308]], "Indicator: BehavesLike.Win32.Picsys.mc": [[324, 351]], "Indicator: W32/Picsys.FYLV-4646": [[352, 372]], "Indicator: I-Worm/P2P.Picsys": [[373, 390]], "Indicator: Worm[P2P]/Win32.Picsys": [[391, 413]], "Indicator: Worm:Win32/Yoof.E": [[414, 431]], "Indicator: Worm.Win32.P2P-Picsys.65221": [[432, 459]], "Indicator: Worm/Win32.Picsys.C116429": [[460, 485]], "Indicator: W32/Picsys.worm.b": [[486, 503]], "Indicator: Worm.Picsys": [[504, 515]], "Indicator: Win32/Picsys.B": [[516, 530]], "Indicator: Worm.Picsys!vNEZkf1mA50": [[531, 554]]}, "info": {"id": "cyner2_5class_train_00693", "source": "cyner2_5class_train"}} +{"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign .", "spans": {"Organization: Google": [[41, 47]], "Malware: Gooligan campaign": [[81, 98]]}, "info": {"id": "cyner2_5class_train_00694", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Trojan.Kazy.D5BCBA TROJ_SPNR.24AI13 Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_SPNR.24AI13 Trojan.Win32.Scar.kdnc Trojan.DownLoader7.54481 BehavesLike.Win32.VirRansom.nc TR/Slamu.A Trojan.Win32.Scar.kdnc 
Trojan.Kryptik!2D0DfpBZg1g W32/DotNet.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Uds.Dangerousobject.Multi!c": [[26, 53]], "Indicator: Trojan.Kazy.D5BCBA": [[54, 72]], "Indicator: TROJ_SPNR.24AI13": [[73, 89], [133, 149]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[90, 132]], "Indicator: Trojan.Win32.Scar.kdnc": [[150, 172], [240, 262]], "Indicator: Trojan.DownLoader7.54481": [[173, 197]], "Indicator: BehavesLike.Win32.VirRansom.nc": [[198, 228]], "Indicator: TR/Slamu.A": [[229, 239]], "Indicator: Trojan.Kryptik!2D0DfpBZg1g": [[263, 289]], "Indicator: W32/DotNet.B!tr": [[290, 305]]}, "info": {"id": "cyner2_5class_train_00695", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.17708.D Trojan-GameThief.Win32.OnLineGames!O TrojanPWS.OnLineGames.ZF4 Trojan.OnLineGames.Win32.42164 Trojan/OnLineGames.bnbk Trojan.Graftor.D80DC Win32.Trojan.WisdomEyes.16070401.9500.9969 Win32/Gamepass.NKR TSPY_ONLINEG.SMV Win.Spyware.67145-2 Trojan-GameThief.Win32.OnLineGames.bnbk Trojan.Win32.OnLineGames.bqvvjm Trojan.Win32.PSWIGames.17708.E TrojWare.Win32.PSW.Onlinegames.OQU.1 Trojan.PWS.Wsgame.24647 TSPY_ONLINEG.SMV Trojan[GameThief]/Win32.OnLineGames TrojanDropper:Win32/Vtimrun.C Trojan-GameThief.Win32.OnLineGames.bnbk Dropper/Win32.OnlineGameHack.R137 BScope.Trojan-Dropper.OLGames.2512 Trojan.PWS.OnLineGames!ZUTM5XqTClQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.17708.D": [[26, 56]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[57, 93]], "Indicator: TrojanPWS.OnLineGames.ZF4": [[94, 119]], "Indicator: Trojan.OnLineGames.Win32.42164": [[120, 150]], "Indicator: Trojan/OnLineGames.bnbk": [[151, 174]], "Indicator: Trojan.Graftor.D80DC": [[175, 195]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[196, 238]], "Indicator: Win32/Gamepass.NKR": [[239, 257]], "Indicator: TSPY_ONLINEG.SMV": [[258, 274], [459, 475]], "Indicator: Win.Spyware.67145-2": [[275, 294]], 
"Indicator: Trojan-GameThief.Win32.OnLineGames.bnbk": [[295, 334], [542, 581]], "Indicator: Trojan.Win32.OnLineGames.bqvvjm": [[335, 366]], "Indicator: Trojan.Win32.PSWIGames.17708.E": [[367, 397]], "Indicator: TrojWare.Win32.PSW.Onlinegames.OQU.1": [[398, 434]], "Indicator: Trojan.PWS.Wsgame.24647": [[435, 458]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[476, 511]], "Indicator: TrojanDropper:Win32/Vtimrun.C": [[512, 541]], "Indicator: Dropper/Win32.OnlineGameHack.R137": [[582, 615]], "Indicator: BScope.Trojan-Dropper.OLGames.2512": [[616, 650]], "Indicator: Trojan.PWS.OnLineGames!ZUTM5XqTClQ": [[651, 685]]}, "info": {"id": "cyner2_5class_train_00696", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Valhalla.2048 Win32.Valhalla.2048 Trojan.Malpack Win32.Xorala Win32/Valla.2048 W32.Xorala Win32.Valhalla.2048 Virus.Win64.Xorala.cbehdj Win32.Valhalla.2048 Win32.Valhalla.2048 BehavesLike.Win64.Chir.cm W32/Xorala.b Win32.Valhalla.2048 Virus.Win32.Xorala Win32/Valla.2048", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Valhalla.2048": [[26, 45], [46, 65], [122, 141], [168, 187], [188, 207], [247, 266]], "Indicator: Trojan.Malpack": [[66, 80]], "Indicator: Win32.Xorala": [[81, 93]], "Indicator: Win32/Valla.2048": [[94, 110], [286, 302]], "Indicator: W32.Xorala": [[111, 121]], "Indicator: Virus.Win64.Xorala.cbehdj": [[142, 167]], "Indicator: BehavesLike.Win64.Chir.cm": [[208, 233]], "Indicator: W32/Xorala.b": [[234, 246]], "Indicator: Virus.Win32.Xorala": [[267, 285]]}, "info": {"id": "cyner2_5class_train_00697", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Spy.Bancos.Oer Trojan-PWS.Banker6!IK Trojan-PWS.Banker6 VBCrypt.DDL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Spy.Bancos.Oer": [[26, 46]], "Indicator: Trojan-PWS.Banker6!IK": [[47, 68]], "Indicator: Trojan-PWS.Banker6": [[69, 87]], "Indicator: VBCrypt.DDL": [[88, 99]]}, "info": {"id": "cyner2_5class_train_00698", 
"source": "cyner2_5class_train"}} +{"text": "According to the DroidVPN app description , it “ helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. ” Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device .", "spans": {"Indicator: DroidVPN": [[17, 25]]}, "info": {"id": "cyner2_5class_train_00699", "source": "cyner2_5class_train"}} +{"text": "The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis.", "spans": {"Malware: The Locky variant": [[0, 17]], "Malware: ransomware": [[21, 31]], "Indicator: spam messages": [[73, 86]]}, "info": {"id": "cyner2_5class_train_00700", "source": "cyner2_5class_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00701", "source": "cyner2_5class_train"}} +{"text": "TABLE OF CONTENTS Security Recommendations Introduction Threat Analysis Common Features Unique Features by Version Malware Under Active Development Suspected Detection Tests by the Threat Actor EventBot Infrastructure Cybereason Mobile Conclusion Indicators of Compromise MITRE ATT & CK for Mobile Breakdown SECURITY RECOMMENDATIONS Keep your mobile device up-to-date with the latest software updates from legitimate sources .", "spans": {"Malware: EventBot": [[194, 202]], "Organization: MITRE": [[272, 277]]}, "info": {"id": "cyner2_5class_train_00702", "source": "cyner2_5class_train"}} +{"text": "The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze .", "spans": {"Malware: FinFisher": [[63, 72]]}, "info": {"id": "cyner2_5class_train_00703", "source": "cyner2_5class_train"}} +{"text": "Fake SMS message luring users to enter a fake website , which contains the malicious APK ( JPCERT report ) .", "spans": 
{"Organization: JPCERT": [[91, 97]]}, "info": {"id": "cyner2_5class_train_00704", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.AE5C Downloader.Tibs.Win32.6 Trojan/Tibs.al Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Packed.13 Packed.Win32.Tibs.al Trojan.Win32.Small.erlei Win32.Packed.Tibs.Wtdn TrojWare.Win32.TrojanDownloader.Tibs.~mm Trojan.Packed.142 Trojan.Win32.Crypt TrojanDownloader.Tibs.amzo TR/Small.DBY.LH.14 Win32.TrojDownloader.Tibs.mm.kcloud TrojanDownloader:Win32/Nuwar.B Trojan.Heur.TP.ED17A6 Troj.Downloader.W32.Tibs.mm!c Packed.Win32.Tibs.al Trojan-Downloader.Revelation.Tibs.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.AE5C": [[26, 42]], "Indicator: Downloader.Tibs.Win32.6": [[43, 66]], "Indicator: Trojan/Tibs.al": [[67, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[82, 124]], "Indicator: Trojan.Packed.13": [[125, 141]], "Indicator: Packed.Win32.Tibs.al": [[142, 162], [454, 474]], "Indicator: Trojan.Win32.Small.erlei": [[163, 187]], "Indicator: Win32.Packed.Tibs.Wtdn": [[188, 210]], "Indicator: TrojWare.Win32.TrojanDownloader.Tibs.~mm": [[211, 251]], "Indicator: Trojan.Packed.142": [[252, 269]], "Indicator: Trojan.Win32.Crypt": [[270, 288]], "Indicator: TrojanDownloader.Tibs.amzo": [[289, 315]], "Indicator: TR/Small.DBY.LH.14": [[316, 334]], "Indicator: Win32.TrojDownloader.Tibs.mm.kcloud": [[335, 370]], "Indicator: TrojanDownloader:Win32/Nuwar.B": [[371, 401]], "Indicator: Trojan.Heur.TP.ED17A6": [[402, 423]], "Indicator: Troj.Downloader.W32.Tibs.mm!c": [[424, 453]], "Indicator: Trojan-Downloader.Revelation.Tibs.B": [[475, 510]]}, "info": {"id": "cyner2_5class_train_00705", "source": "cyner2_5class_train"}} +{"text": "Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Google": [[17, 23], [43, 49]], "System: Google Play 
Protect": [[112, 131]]}, "info": {"id": "cyner2_5class_train_00706", "source": "cyner2_5class_train"}} +{"text": "Reports on this malware family have previously been published by both Intel Security and Microsoft.", "spans": {"Malware: malware": [[16, 23]], "Organization: Intel Security": [[70, 84]], "Organization: Microsoft.": [[89, 99]]}, "info": {"id": "cyner2_5class_train_00707", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.KeyLogger.178176.B Win32.Backdoor.Rbot.1470B0D03 WORM_SDBOT.CTJ Virus.Win32.Rbot!IK Worm/Rbot.210944 WORM_SDBOT.CTJ Heuristic.BehavesLike.Win32.PasswordStealer.H Virus.Win32.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.KeyLogger.178176.B": [[26, 59]], "Indicator: Win32.Backdoor.Rbot.1470B0D03": [[60, 89]], "Indicator: WORM_SDBOT.CTJ": [[90, 104], [142, 156]], "Indicator: Virus.Win32.Rbot!IK": [[105, 124]], "Indicator: Worm/Rbot.210944": [[125, 141]], "Indicator: Heuristic.BehavesLike.Win32.PasswordStealer.H": [[157, 202]], "Indicator: Virus.Win32.Rbot": [[203, 219]]}, "info": {"id": "cyner2_5class_train_00708", "source": "cyner2_5class_train"}} +{"text": "Methods and techniques 2013 not only saw a radical increase in output from mobile virus writers but also saw them actively applying methods and technologies that allowed cybercriminals to use their malware more effectively .", "spans": {}, "info": {"id": "cyner2_5class_train_00709", "source": "cyner2_5class_train"}} +{"text": "While some findings where very interesting, others were misleading or simply wrong.", "spans": {}, "info": {"id": "cyner2_5class_train_00710", "source": "cyner2_5class_train"}} +{"text": "Mexico has previously confirmed that it is a purchaser of NSO Group's spyware.", "spans": {"Malware: spyware.": [[70, 78]]}, "info": {"id": "cyner2_5class_train_00711", "source": "cyner2_5class_train"}} +{"text": "The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker .", 
"spans": {"Malware: GolfSpy": [[4, 11]]}, "info": {"id": "cyner2_5class_train_00712", "source": "cyner2_5class_train"}} +{"text": "A phone belonging to the Interdisciplinary Group of Independent Experts GIEI, a group of investigators from several countries, was sent text messages with links to NSO's exploit infrastructure", "spans": {"System: phone": [[2, 7]], "Organization: the Interdisciplinary Group of Independent Experts GIEI,": [[21, 77]], "Organization: group": [[80, 85]], "Organization: investigators": [[89, 102]], "Indicator: sent text messages with links": [[131, 160]], "Malware: NSO's exploit": [[164, 177]], "System: infrastructure": [[178, 192]]}, "info": {"id": "cyner2_5class_train_00713", "source": "cyner2_5class_train"}} +{"text": "This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs MEA.", "spans": {"Indicator: Uri terror attack": [[74, 91]], "Indicator: Kashmir protest themed spear phishing emails": [[96, 140]], "Organization: the Indian Embassies and Indian Ministry of External Affairs MEA.": [[164, 229]]}, "info": {"id": "cyner2_5class_train_00714", "source": "cyner2_5class_train"}} +{"text": "After publication I was contacted by another analyst who was able to link the information from my blog to other samples from an actual campaign.", "spans": {"Organization: I": [[18, 19]], "Organization: analyst": [[45, 52]]}, "info": {"id": "cyner2_5class_train_00715", "source": "cyner2_5class_train"}} +{"text": "In fact , with full access to the compromised Android smartphone , the opportunities for criminals to wreak havoc are significant – such as erasing infected phones or launching man-in-the-middle ( MITM ) attacks .", "spans": {"System: Android smartphone": [[46, 64]]}, "info": {"id": "cyner2_5class_train_00716", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Backdoor.Etumbotb Trojan/Ixeshe.i Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Etumbot.I Backdoor.Typideg Trojan.Etumbot.1 Trojan.Ixeshe.Win32.30 BKDR_ETUMBOT.UQU Trojan.Etumbot W32/Etumbot.UDKV-8115 Trojan.Graftor.D234F5 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Etumbotb": [[26, 43]], "Indicator: Trojan/Ixeshe.i": [[44, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[60, 102]], "Indicator: W32/Etumbot.I": [[103, 116]], "Indicator: Backdoor.Typideg": [[117, 133]], "Indicator: Trojan.Etumbot.1": [[134, 150]], "Indicator: Trojan.Ixeshe.Win32.30": [[151, 173]], "Indicator: BKDR_ETUMBOT.UQU": [[174, 190]], "Indicator: Trojan.Etumbot": [[191, 205]], "Indicator: W32/Etumbot.UDKV-8115": [[206, 227]], "Indicator: Trojan.Graftor.D234F5": [[228, 249]], "Indicator: Trj/CI.A": [[250, 258]]}, "info": {"id": "cyner2_5class_train_00717", "source": "cyner2_5class_train"}} +{"text": "The researcher came upon an interesting set of emails, which were soon determined to be part of a widespread spam campaign.", "spans": {"Organization: researcher": [[4, 14]], "Indicator: emails,": [[47, 54]]}, "info": {"id": "cyner2_5class_train_00718", "source": "cyner2_5class_train"}} +{"text": "Version # 1 : June 2019 — Domain : databit [ .", "spans": {"Indicator: databit [ .": [[35, 46]]}, "info": {"id": "cyner2_5class_train_00719", "source": "cyner2_5class_train"}} +{"text": "The site was infected with an iframe injector that redirects to Angler EK.", "spans": {"Indicator: site": [[4, 8]], "Indicator: iframe injector": [[30, 45]], "Malware: Angler EK.": [[64, 74]]}, "info": {"id": "cyner2_5class_train_00720", "source": "cyner2_5class_train"}} +{"text": "The number of LINE users in Taiwan reaches up to 17 million in the same year.", "spans": {"Organization: LINE": [[14, 18]]}, "info": {"id": "cyner2_5class_train_00721", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.RockRat.S1875120 Troj.W32.Rockrat!c 
Trojan.Johnnie.D1566D Win32.Trojan.WisdomEyes.16070401.9500.9957 W32/Trojan.IKOU-3732 Backdoor.Rokrat TROJ_KORPODE.A Win.Trojan.Rokrat-6443187-0 Trojan.Win32.RockRat.exmijf Trojan.Inject3.2444 Trojan.RockRat.Win32.1 W32/RockRat.A Trojan.RockRat.a W32/FakeAV.BCMZ!tr Trojan/Win32.RockRat Trojan:Win32/Korpode.A!dha Trojan/Win32.Loader.R219535 Trj/CI.A Win32.Trojan.Rockrat.Ljuk Trojan.RockRat! Win32/Trojan.549", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.RockRat.S1875120": [[26, 49]], "Indicator: Troj.W32.Rockrat!c": [[50, 68]], "Indicator: Trojan.Johnnie.D1566D": [[69, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9957": [[91, 133]], "Indicator: W32/Trojan.IKOU-3732": [[134, 154]], "Indicator: Backdoor.Rokrat": [[155, 170]], "Indicator: TROJ_KORPODE.A": [[171, 185]], "Indicator: Win.Trojan.Rokrat-6443187-0": [[186, 213]], "Indicator: Trojan.Win32.RockRat.exmijf": [[214, 241]], "Indicator: Trojan.Inject3.2444": [[242, 261]], "Indicator: Trojan.RockRat.Win32.1": [[262, 284]], "Indicator: W32/RockRat.A": [[285, 298]], "Indicator: Trojan.RockRat.a": [[299, 315]], "Indicator: W32/FakeAV.BCMZ!tr": [[316, 334]], "Indicator: Trojan/Win32.RockRat": [[335, 355]], "Indicator: Trojan:Win32/Korpode.A!dha": [[356, 382]], "Indicator: Trojan/Win32.Loader.R219535": [[383, 410]], "Indicator: Trj/CI.A": [[411, 419]], "Indicator: Win32.Trojan.Rockrat.Ljuk": [[420, 445]], "Indicator: Trojan.RockRat!": [[446, 461]], "Indicator: Win32/Trojan.549": [[462, 478]]}, "info": {"id": "cyner2_5class_train_00722", "source": "cyner2_5class_train"}} +{"text": "Here ’ s another example of such an attack hitting Windows users : Going back to the Android Package ( APK ) file was attached to the e-mail , this is pushing an Android application named “ WUC ’ s Conference.apk ” .", "spans": {"System: Windows": [[51, 58]], "System: Android Package": [[85, 100]], "Malware: WUC ’ s Conference.apk": [[190, 212]]}, "info": {"id": "cyner2_5class_train_00723", "source": 
"cyner2_5class_train"}} +{"text": "The injected code attempts to download them all and execute.", "spans": {}, "info": {"id": "cyner2_5class_train_00724", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Spyware.WSLogger Trojan/Dropper.Mudrop.hs Win32.Trojan.WisdomEyes.16070401.9500.9934 W32/Risk.AAJK-2149 Infostealer.Tarno.B Win32/Mdrop.MD not-a-virus:PSWTool.Win32.WSLogger.a Trojan.Win32.Mudrop.dgpnb Trojan.WSLogger.38 BehavesLike.Win32.Wabot.cc W32/Dropper.AOIJ TrojanDropper.Mudrop.amp Trojan[Dropper]/Win32.Mudrop TrojanDropper:Win32/Spiloog.A!bit not-a-virus:PSWTool.Win32.WSLogger.a Dropper/Win32.Mudrop.R19044 TrojanDropper.Mudrop Trojan.DR.Mudrop!uBx16xyI0u0 Trojan-Dropper.Win32.Mudrop", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Mudrop!O": [[26, 55]], "Indicator: Spyware.WSLogger": [[56, 72]], "Indicator: Trojan/Dropper.Mudrop.hs": [[73, 97]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9934": [[98, 140]], "Indicator: W32/Risk.AAJK-2149": [[141, 159]], "Indicator: Infostealer.Tarno.B": [[160, 179]], "Indicator: Win32/Mdrop.MD": [[180, 194]], "Indicator: not-a-virus:PSWTool.Win32.WSLogger.a": [[195, 231], [409, 445]], "Indicator: Trojan.Win32.Mudrop.dgpnb": [[232, 257]], "Indicator: Trojan.WSLogger.38": [[258, 276]], "Indicator: BehavesLike.Win32.Wabot.cc": [[277, 303]], "Indicator: W32/Dropper.AOIJ": [[304, 320]], "Indicator: TrojanDropper.Mudrop.amp": [[321, 345]], "Indicator: Trojan[Dropper]/Win32.Mudrop": [[346, 374]], "Indicator: TrojanDropper:Win32/Spiloog.A!bit": [[375, 408]], "Indicator: Dropper/Win32.Mudrop.R19044": [[446, 473]], "Indicator: TrojanDropper.Mudrop": [[474, 494]], "Indicator: Trojan.DR.Mudrop!uBx16xyI0u0": [[495, 523]], "Indicator: Trojan-Dropper.Win32.Mudrop": [[524, 551]]}, "info": {"id": "cyner2_5class_train_00725", "source": "cyner2_5class_train"}} +{"text": "We also discovered and analyzed live , misconfigured malicious command and control 
servers ( C2 ) , from which we were able to identify how the attacker gets new , infected apps to secretly install and the types of activities they are monitoring .", "spans": {}, "info": {"id": "cyner2_5class_train_00726", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor.Rurktar.3 Backdoor:MSIL/Rurktar.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor.Rurktar.3": [[26, 44]], "Indicator: Backdoor:MSIL/Rurktar.A": [[45, 68]]}, "info": {"id": "cyner2_5class_train_00727", "source": "cyner2_5class_train"}} +{"text": "] somtum [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00728", "source": "cyner2_5class_train"}} +{"text": "] XXXX.ru/mms.apk ( where XXXX.ru represents the hosting provider ’ s domain ) , we named this malware family RuMMS .", "spans": {"Indicator: XXXX.ru": [[26, 33]], "Malware: RuMMS": [[110, 115]]}, "info": {"id": "cyner2_5class_train_00729", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Jorik.IRCbot.iia Win32.Trojan.WisdomEyes.16070401.9500.9935 Win32.Worm.Autorun.R TrojWare.Win32.Kryptik.ACZQ Win32.HLLW.Autoruner1.3120 Trojan.Jorik.Win32.159726 BehavesLike.Win32.RAHack.pt Trojan/Jorik.ayqm Trojan/Win32.IRCbot Trojan.IRCbot Win32.Crypt W32/Jorik.FSC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Jorik.IRCbot.iia": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9935": [[50, 92]], "Indicator: Win32.Worm.Autorun.R": [[93, 113]], "Indicator: TrojWare.Win32.Kryptik.ACZQ": [[114, 141]], "Indicator: Win32.HLLW.Autoruner1.3120": [[142, 168]], "Indicator: Trojan.Jorik.Win32.159726": [[169, 194]], "Indicator: BehavesLike.Win32.RAHack.pt": [[195, 222]], "Indicator: Trojan/Jorik.ayqm": [[223, 240]], "Indicator: Trojan/Win32.IRCbot": [[241, 260]], "Indicator: Trojan.IRCbot": [[261, 274]], "Indicator: Win32.Crypt": [[275, 286]], "Indicator: W32/Jorik.FSC!tr": [[287, 303]]}, "info": {"id": "cyner2_5class_train_00730", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod94b.Trojan.33b2 Trojan.Proxy.Webber.B Trojan-Proxy/W32.Webber.6176 Trojan/Proxy.Webber.b Trojan.PR.Webber!M1rEz2z+nTg W32/Webber.XHQG-0071 Backdoor.Exdis Webber.CB Trojan-Proxy.Win32.Webber.b Trojan.Proxy.Webber.B Trojan.Win32.Webber.ejli Hoax.W32.Renos Trojan.Proxy.Webber.B TrojWare.Win32.TrojanProxy.Webber.B Trojan.Proxy.Webber.B Trojan.Webber.Win32.42 BehavesLike.Win32.Dropper.xm W32/Webber.J TrojanProxy.Webber.r TR/Proxy.Webber.B Trojan[Proxy]/Win32.Webber Win32.Troj.Webber.b.kcloud TrojanProxy:Win32/Webber.B Win-Trojan/Webber.6176 Trojan.Proxy.Webber.B Win32/TrojanProxy.Webber.B W32/DwnLdr.MO!tr Proxy.2.AM Trojan.Win32.Webber.aY Win32/Trojan.a1a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod94b.Trojan.33b2": [[26, 49]], "Indicator: Trojan.Proxy.Webber.B": [[50, 71], [226, 247], [288, 309], [346, 367], [576, 597]], "Indicator: Trojan-Proxy/W32.Webber.6176": [[72, 100]], "Indicator: Trojan/Proxy.Webber.b": [[101, 122]], "Indicator: Trojan.PR.Webber!M1rEz2z+nTg": [[123, 151]], "Indicator: W32/Webber.XHQG-0071": [[152, 172]], "Indicator: Backdoor.Exdis": [[173, 187]], "Indicator: Webber.CB": [[188, 197]], "Indicator: Trojan-Proxy.Win32.Webber.b": [[198, 225]], "Indicator: Trojan.Win32.Webber.ejli": [[248, 272]], "Indicator: Hoax.W32.Renos": [[273, 287]], "Indicator: TrojWare.Win32.TrojanProxy.Webber.B": [[310, 345]], "Indicator: Trojan.Webber.Win32.42": [[368, 390]], "Indicator: BehavesLike.Win32.Dropper.xm": [[391, 419]], "Indicator: W32/Webber.J": [[420, 432]], "Indicator: TrojanProxy.Webber.r": [[433, 453]], "Indicator: TR/Proxy.Webber.B": [[454, 471]], "Indicator: Trojan[Proxy]/Win32.Webber": [[472, 498]], "Indicator: Win32.Troj.Webber.b.kcloud": [[499, 525]], "Indicator: TrojanProxy:Win32/Webber.B": [[526, 552]], "Indicator: Win-Trojan/Webber.6176": [[553, 575]], "Indicator: Win32/TrojanProxy.Webber.B": [[598, 624]], "Indicator: W32/DwnLdr.MO!tr": [[625, 641]], "Indicator: 
Proxy.2.AM": [[642, 652]], "Indicator: Trojan.Win32.Webber.aY": [[653, 675]], "Indicator: Win32/Trojan.a1a": [[676, 692]]}, "info": {"id": "cyner2_5class_train_00731", "source": "cyner2_5class_train"}} +{"text": "Ports 6203 and 6204 : Facebook extraction service .", "spans": {"Indicator: Ports 6203 and 6204": [[0, 19]], "Organization: Facebook": [[22, 30]]}, "info": {"id": "cyner2_5class_train_00732", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: DLOADER.Trojan Heuristic.Malware", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: DLOADER.Trojan": [[26, 40]], "Indicator: Heuristic.Malware": [[41, 58]]}, "info": {"id": "cyner2_5class_train_00733", "source": "cyner2_5class_train"}} +{"text": "BusyGasper – the unfriendly spy 29 AUG 2018 In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that , as it turned out , belonged to an unknown spyware family .", "spans": {"Malware: BusyGasper": [[0, 10]], "System: Android": [[129, 136]]}, "info": {"id": "cyner2_5class_train_00734", "source": "cyner2_5class_train"}} +{"text": "One of the obfuscation tricks included by the malware authors in a VM opcode dispatcher Even armed with the knowledge we have described so far , it still took us many hours to write a full-fledged opcode interpreter that ’ s able to reconstruct the real code executed by FinFisher .", "spans": {"Malware: FinFisher": [[271, 280]]}, "info": {"id": "cyner2_5class_train_00735", "source": "cyner2_5class_train"}} +{"text": "The malware now targets more countries all over the world by masquerading as official post office and transportation services apps .", "spans": {}, "info": {"id": "cyner2_5class_train_00736", "source": "cyner2_5class_train"}} +{"text": "They are never well detected but recent ones are getting very poor detections by antiviruses.", "spans": {}, "info": {"id": "cyner2_5class_train_00737", "source": "cyner2_5class_train"}} +{"text": "However , all of those have been 
removed from Google Play – despite the fact that some of them didn ’ t contain any adware functionality .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "cyner2_5class_train_00738", "source": "cyner2_5class_train"}} +{"text": "This exploit kit evolves on an almost constant basis.", "spans": {"Malware: exploit kit": [[5, 16]]}, "info": {"id": "cyner2_5class_train_00739", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Hacktool.MD Tool.Kiser.Win32.1373 HackTool.Win32.HackAV.c Application.Hacktool.MD Application.Hacktool.MD BehavesLike.Win32.BadFile.vm W32/Application.MUHU-1657 HackTool.HackAV.e HackTool:Win32/Kapahyku.A Application.Hacktool.MD HackTool.W32.HackAV.tn1i HackTool.Win32.HackAV.c Application.Hacktool.MD Unwanted/Win32.HackAV.R173782 RiskWare.Tool.HCK RiskWare.HackAV! PUA.RiskWare.HackAV Win32/Application.Hacktool.63c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.MD": [[26, 49], [96, 119], [120, 143], [243, 266], [316, 339]], "Indicator: Tool.Kiser.Win32.1373": [[50, 71]], "Indicator: HackTool.Win32.HackAV.c": [[72, 95], [292, 315]], "Indicator: BehavesLike.Win32.BadFile.vm": [[144, 172]], "Indicator: W32/Application.MUHU-1657": [[173, 198]], "Indicator: HackTool.HackAV.e": [[199, 216]], "Indicator: HackTool:Win32/Kapahyku.A": [[217, 242]], "Indicator: HackTool.W32.HackAV.tn1i": [[267, 291]], "Indicator: Unwanted/Win32.HackAV.R173782": [[340, 369]], "Indicator: RiskWare.Tool.HCK": [[370, 387]], "Indicator: RiskWare.HackAV!": [[388, 404]], "Indicator: PUA.RiskWare.HackAV": [[405, 424]], "Indicator: Win32/Application.Hacktool.63c": [[425, 455]]}, "info": {"id": "cyner2_5class_train_00740", "source": "cyner2_5class_train"}} +{"text": "The WildFire Locker ransomware has risen from the dead and rebranded itself using the apropos name of Hades Locker.", "spans": {"Malware: WildFire Locker ransomware": [[4, 30]], "Malware: Hades Locker.": [[102, 115]]}, "info": {"id": 
"cyner2_5class_train_00741", "source": "cyner2_5class_train"}} +{"text": "We ’ ve noticed an increase in the number of attacks using this event as a lure .", "spans": {}, "info": {"id": "cyner2_5class_train_00742", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dos.Clodf80.Trojan.7c93 Trojan.AOL.PWS.SUPERNAUT.A Trojan.AOL.PWS.SUPERNAUT.A Smalltroj.JNY Trojan.AOL.Supernaut Trojan-IM.Win16.Supernaut Trojan.AOL.PWS.SUPERNAUT.A Trojan.Win16.Supernaut.hqzm Trojan.Win16.A.IM-Supernaut.47117 Win16.Trojan-im.Supernaut.Ebgh Trojan.AOL.PWS.SUPERNAUT.A TrojWare.Win16.AOL.Supernaut Trojan.AOL.PWS.SUPERNAUT.A Trojan.Supernaut.Win16.1 Trojan/AOL.Supernaut TR/Aol.Supernaut Trojan[IM]/Win16.Supernaut Win32.Troj.Undef.kcloud Trojan.AOL.PWS.SUPERNAUT.A Trojan.Win16.Supernaut.Au Win16/AOL.Supernaut NORMAL:Trojan.AOL.Supernaut!19246 Trojan-AOL.Win16.Supernaut W16/AOL.D!tr Trj/AOLPS.D Win32/Trojan.AOL.52f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dos.Clodf80.Trojan.7c93": [[26, 49]], "Indicator: Trojan.AOL.PWS.SUPERNAUT.A": [[50, 76], [77, 103], [165, 191], [285, 311], [341, 367], [482, 508]], "Indicator: Smalltroj.JNY": [[104, 117]], "Indicator: Trojan.AOL.Supernaut": [[118, 138]], "Indicator: Trojan-IM.Win16.Supernaut": [[139, 164]], "Indicator: Trojan.Win16.Supernaut.hqzm": [[192, 219]], "Indicator: Trojan.Win16.A.IM-Supernaut.47117": [[220, 253]], "Indicator: Win16.Trojan-im.Supernaut.Ebgh": [[254, 284]], "Indicator: TrojWare.Win16.AOL.Supernaut": [[312, 340]], "Indicator: Trojan.Supernaut.Win16.1": [[368, 392]], "Indicator: Trojan/AOL.Supernaut": [[393, 413]], "Indicator: TR/Aol.Supernaut": [[414, 430]], "Indicator: Trojan[IM]/Win16.Supernaut": [[431, 457]], "Indicator: Win32.Troj.Undef.kcloud": [[458, 481]], "Indicator: Trojan.Win16.Supernaut.Au": [[509, 534]], "Indicator: Win16/AOL.Supernaut": [[535, 554]], "Indicator: NORMAL:Trojan.AOL.Supernaut!19246": [[555, 588]], "Indicator: Trojan-AOL.Win16.Supernaut": [[589, 615]], "Indicator: 
W16/AOL.D!tr": [[616, 628]], "Indicator: Trj/AOLPS.D": [[629, 640]], "Indicator: Win32/Trojan.AOL.52f": [[641, 661]]}, "info": {"id": "cyner2_5class_train_00743", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Boaxxe.E Trojan.FakeMS.ED Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_ZBOT.SMUH Win32.Trojan.Zbot.N Packed.Win32.Krap.iu Trojan.Win32.Krap.brabpa Packer.W32.Krap.lKMc TrojWare.Win32.Kazy.FOF Trojan.DownLoad3.2720 Win32.Troj.Krap.iu.kcloud Trojan.Graftor.D487A Trojan/Win32.Plosa.R24487 Packed.Win32.Krap.iu BScope.Malware-Cryptor.SB.01798 Bck/Qbot.AO W32/ZBOT.HL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Boaxxe.E": [[26, 41]], "Indicator: Trojan.FakeMS.ED": [[42, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[59, 101]], "Indicator: TROJ_ZBOT.SMUH": [[102, 116]], "Indicator: Win32.Trojan.Zbot.N": [[117, 136]], "Indicator: Packed.Win32.Krap.iu": [[137, 157], [323, 343]], "Indicator: Trojan.Win32.Krap.brabpa": [[158, 182]], "Indicator: Packer.W32.Krap.lKMc": [[183, 203]], "Indicator: TrojWare.Win32.Kazy.FOF": [[204, 227]], "Indicator: Trojan.DownLoad3.2720": [[228, 249]], "Indicator: Win32.Troj.Krap.iu.kcloud": [[250, 275]], "Indicator: Trojan.Graftor.D487A": [[276, 296]], "Indicator: Trojan/Win32.Plosa.R24487": [[297, 322]], "Indicator: BScope.Malware-Cryptor.SB.01798": [[344, 375]], "Indicator: Bck/Qbot.AO": [[376, 387]], "Indicator: W32/ZBOT.HL!tr": [[388, 402]]}, "info": {"id": "cyner2_5class_train_00744", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Securityshield W32/Trojan.JOHS-0158 Trojan-FakeAV.Win32.SecurityShield.vip Trojan.Win32.FakeAV.euwntc Win32.Trojan-fakeav.Securityshield.Syrj Trojan.Click2.45032 BehavesLike.Win32.Spyware.dc TR/Pingdel.A.15 W32.W.AutoIt.mr6E Trojan-FakeAV.Win32.SecurityShield.vip Trojan.Win32.Pingdel W32/SecurityShield.RMG!tr Win32/Trojan.228", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Securityshield": 
[[26, 47]], "Indicator: W32/Trojan.JOHS-0158": [[48, 68]], "Indicator: Trojan-FakeAV.Win32.SecurityShield.vip": [[69, 107], [258, 296]], "Indicator: Trojan.Win32.FakeAV.euwntc": [[108, 134]], "Indicator: Win32.Trojan-fakeav.Securityshield.Syrj": [[135, 174]], "Indicator: Trojan.Click2.45032": [[175, 194]], "Indicator: BehavesLike.Win32.Spyware.dc": [[195, 223]], "Indicator: TR/Pingdel.A.15": [[224, 239]], "Indicator: W32.W.AutoIt.mr6E": [[240, 257]], "Indicator: Trojan.Win32.Pingdel": [[297, 317]], "Indicator: W32/SecurityShield.RMG!tr": [[318, 343]], "Indicator: Win32/Trojan.228": [[344, 360]]}, "info": {"id": "cyner2_5class_train_00745", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropper.Msil.BO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropper.Msil.BO": [[26, 41]]}, "info": {"id": "cyner2_5class_train_00746", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win.Phishing.NikoLata-6332081-0 Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 PE_VIRUX.O Trojan.MSIL.TrojanClicker Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 TrojanClicker:MSIL/Worfload.A!bit W32.Virut.lqtW Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: W32.Virut.CF": [[73, 85]], "Indicator: Win32/Virut.17408": [[86, 103]], "Indicator: PE_VIRUX.O": [[104, 114], [247, 257]], "Indicator: Win.Phishing.NikoLata-6332081-0": [[115, 146]], "Indicator: Win32.Virus.Virut.Q": [[147, 166]], "Indicator: Virus.Win32.Virut.ce": [[167, 187], [390, 410]], "Indicator: Virus.Win32.Virut.hpeg": [[188, 210]], "Indicator: Virus.Win32.Virut.CE": [[211, 231]], "Indicator: 
Win32.Virut.56": [[232, 246]], "Indicator: Trojan.MSIL.TrojanClicker": [[258, 283]], "Indicator: Win32/Virut.bt": [[284, 298]], "Indicator: Virus/Win32.Virut.ce": [[299, 319]], "Indicator: Win32.Virut.cr.61440": [[320, 340]], "Indicator: TrojanClicker:MSIL/Worfload.A!bit": [[341, 374]], "Indicator: W32.Virut.lqtW": [[375, 389]], "Indicator: Win32/Virut.F": [[411, 424]], "Indicator: Virus.Virut.14": [[425, 439]], "Indicator: W32/Sality.AO": [[440, 453]], "Indicator: Win32/Virut.NBP": [[454, 469]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[470, 500]]}, "info": {"id": "cyner2_5class_train_00747", "source": "cyner2_5class_train"}} +{"text": "Typically, file-less malware has been observed in the context of Exploit Kits such as Angler.", "spans": {"Malware: file-less malware": [[11, 28]], "Malware: Exploit Kits": [[65, 77]], "Malware: Angler.": [[86, 93]]}, "info": {"id": "cyner2_5class_train_00748", "source": "cyner2_5class_train"}} +{"text": "These lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic VB macros in the attached documents used for dropping the malware.", "spans": {"Indicator: method": [[110, 116]], "Malware: Visual Basic VB macros": [[128, 150]], "Indicator: attached documents": [[158, 176]], "Malware: malware.": [[199, 207]]}, "info": {"id": "cyner2_5class_train_00749", "source": "cyner2_5class_train"}} +{"text": "However, the occasional functional enhancements combined with its multiple layers of obfuscation and server-side polymorphism periodically breathe new life into this seemingly immortal malware.", "spans": {"Indicator: multiple layers of obfuscation": [[66, 96]], "Indicator: server-side polymorphism": [[101, 125]], "Malware: malware.": [[185, 193]]}, "info": {"id": "cyner2_5class_train_00750", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CombotoD.Trojan Backdoor.Minaps BKDR_MINAPS.A W32/Trojan.WDQB-6441 Backdoor.Wakeminap!g1 
BKDR_MINAPS.A Win.Downloader.133181-1 Trojan.Win32.Snojan.jj Trojan.Win32.A.Downloader.52224.HP DLOADER.Trojan Backdoor:Win32/Minaps.A Trojan.Win32.Snojan.jj Win32.Trojan.Snojan.Wrgx Win32/Trojan.cb9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CombotoD.Trojan": [[26, 45]], "Indicator: Backdoor.Minaps": [[46, 61]], "Indicator: BKDR_MINAPS.A": [[62, 75], [119, 132]], "Indicator: W32/Trojan.WDQB-6441": [[76, 96]], "Indicator: Backdoor.Wakeminap!g1": [[97, 118]], "Indicator: Win.Downloader.133181-1": [[133, 156]], "Indicator: Trojan.Win32.Snojan.jj": [[157, 179], [254, 276]], "Indicator: Trojan.Win32.A.Downloader.52224.HP": [[180, 214]], "Indicator: DLOADER.Trojan": [[215, 229]], "Indicator: Backdoor:Win32/Minaps.A": [[230, 253]], "Indicator: Win32.Trojan.Snojan.Wrgx": [[277, 301]], "Indicator: Win32/Trojan.cb9": [[302, 318]]}, "info": {"id": "cyner2_5class_train_00751", "source": "cyner2_5class_train"}} +{"text": "Compromised hosts cause a victim's machine to be attached to the Andromeda botnet, giving attackers the ability to push plugins or additional malware onto these machines.", "spans": {"Indicator: Compromised hosts": [[0, 17]], "System: victim's machine": [[26, 42]], "Malware: Andromeda botnet,": [[65, 82]], "Malware: plugins": [[120, 127]], "Malware: additional malware": [[131, 149]], "System: machines.": [[161, 170]]}, "info": {"id": "cyner2_5class_train_00752", "source": "cyner2_5class_train"}} +{"text": "In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained, as their final payload, the Scout malware tool from the HackingTeam RCS Galileo platform.", "spans": {"Indicator: spear phishing emails with malicious attachments": [[63, 111]], "Malware: final payload, the Scout malware tool": [[137, 174]], "Organization: HackingTeam": [[184, 195]], "System: RCS Galileo platform.": [[196, 217]]}, "info": {"id": "cyner2_5class_train_00753", "source": "cyner2_5class_train"}} 
+{"text": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013.", "spans": {}, "info": {"id": "cyner2_5class_train_00754", "source": "cyner2_5class_train"}} +{"text": "Package Name SHA256 digest SHA1 certificate com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8 31a8633c2cd67ae965524d0b2192e9f14d04d016 FinFisher exposed : A researcher ’ s tale of defeating traps , tricks , and complex virtual machines March 1 , 2018 Office 365 Advanced Threat Protection ( Office 365 ATP ) blocked many notable zero-day exploits in 2017 .", "spans": {"Indicator: com.network.android": [[44, 63], [170, 189]], "Indicator: 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c": [[64, 128]], "Indicator: 516f8f516cc0fd8db53785a48c0a86554f75c3ba": [[129, 169]], "Indicator: 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1": [[190, 254]], "Indicator: 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d": [[255, 295]], "Indicator: com.binary.sms.receiver": [[296, 319]], "Indicator: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae": [[320, 384]], "Indicator: 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf": [[385, 425], [508, 548], [631, 671]], "Indicator: com.android.copy": [[426, 442], [549, 565], [672, 688]], "Indicator: 
e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4": [[443, 507]], "Indicator: 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389": [[566, 630]], "Indicator: 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8": [[689, 753]], "Indicator: 31a8633c2cd67ae965524d0b2192e9f14d04d016": [[754, 794]], "Malware: FinFisher": [[795, 804]], "System: Office 365 Advanced Threat Protection": [[911, 948]], "System: Office 365 ATP": [[951, 965]]}, "info": {"id": "cyner2_5class_train_00755", "source": "cyner2_5class_train"}} +{"text": "However , within six months the malicious actors added the capability to infect iOS devices .", "spans": {"System: iOS": [[80, 83]]}, "info": {"id": "cyner2_5class_train_00756", "source": "cyner2_5class_train"}} +{"text": "This malware has been around since 2011 and shows no signs of stopping.", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "cyner2_5class_train_00757", "source": "cyner2_5class_train"}} +{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner2_5class_train_00758", "source": "cyner2_5class_train"}} +{"text": "COVERAGE Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"Organization: Cisco": [[9, 14]], "System: Cloud Web Security": [[15, 33]], "System: Web Security Appliance": [[45, 67]]}, "info": {"id": "cyner2_5class_train_00759", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Dwn.eenglt Win32.Trojan.Spy.Peqf Trojan.DownLoader14.35508 BehavesLike.Win32.HToolMimiKatz.dc Trojan.Symmi.D8341 PWS:Win32/Banker.UC!bit Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Trojan.Win32.Dwn.eenglt": [[69, 92]], "Indicator: Win32.Trojan.Spy.Peqf": [[93, 114]], "Indicator: Trojan.DownLoader14.35508": [[115, 140]], 
"Indicator: BehavesLike.Win32.HToolMimiKatz.dc": [[141, 175]], "Indicator: Trojan.Symmi.D8341": [[176, 194]], "Indicator: PWS:Win32/Banker.UC!bit": [[195, 218]], "Indicator: Trj/CI.A": [[219, 227]]}, "info": {"id": "cyner2_5class_train_00760", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Swisyn.aqrf Win32.Trojan.WisdomEyes.16070401.9500.9996 Win.Trojan.Swisyn-969 Trojan.Win32.Swisyn.deruf Trojan.Win32.A.Swisyn.7680.G Uds.Dangerousobject.Multi!c Trojan.Swisyn.Win32.16931 BehavesLike.Win32.Trojan.zt Trojan/Swisyn.njs Trojan/Win32.Swisyn TrojanDownloader:Win32/Surin.B Trojan.Swisyn!uy708DPUCgU Trojan.Win32.Swisyn W32/Dx.WKM!tr Win32/Trojan.ee6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Swisyn.aqrf": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[45, 87]], "Indicator: Win.Trojan.Swisyn-969": [[88, 109]], "Indicator: Trojan.Win32.Swisyn.deruf": [[110, 135]], "Indicator: Trojan.Win32.A.Swisyn.7680.G": [[136, 164]], "Indicator: Uds.Dangerousobject.Multi!c": [[165, 192]], "Indicator: Trojan.Swisyn.Win32.16931": [[193, 218]], "Indicator: BehavesLike.Win32.Trojan.zt": [[219, 246]], "Indicator: Trojan/Swisyn.njs": [[247, 264]], "Indicator: Trojan/Win32.Swisyn": [[265, 284]], "Indicator: TrojanDownloader:Win32/Surin.B": [[285, 315]], "Indicator: Trojan.Swisyn!uy708DPUCgU": [[316, 341]], "Indicator: Trojan.Win32.Swisyn": [[342, 361]], "Indicator: W32/Dx.WKM!tr": [[362, 375]], "Indicator: Win32/Trojan.ee6": [[376, 392]]}, "info": {"id": "cyner2_5class_train_00761", "source": "cyner2_5class_train"}} +{"text": "In addition , just as uncovering new characteristics is important , finding ones we ’ ve also seen in a different malware family like FakeSpy also provides valuable insight .", "spans": {"Malware: FakeSpy": [[134, 141]]}, "info": {"id": "cyner2_5class_train_00762", "source": "cyner2_5class_train"}} +{"text": "Bookworm has little malicious functionality built-in, with its only core ability involving 
stealing keystrokes and clipboard contents.", "spans": {"Malware: Bookworm": [[0, 8]], "Malware: malicious": [[20, 29]], "Indicator: stealing keystrokes": [[91, 110]], "Indicator: clipboard contents.": [[115, 134]]}, "info": {"id": "cyner2_5class_train_00763", "source": "cyner2_5class_train"}} +{"text": "] qwq-japan [ .", "spans": {}, "info": {"id": "cyner2_5class_train_00764", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.VBNA.28672.Z Trojan-Ransom.Win32.Blocker!O Worm.VBNA.Win32.168532 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/VB.OHY HT_DROJ_GG310200.UVPM Trojan-Ransom.Win32.Blocker.cdug Trojan.Win32.VB.crkzva Worm.Win32.VBNA.28672.I Trojan.MulDrop4.59381 HT_DROJ_GG310200.UVPM BehavesLike.Win32.VBObfus.mz Worm/VBNA.hggx Trojan/Win32.Vilsel.gic Trojan.Barys.D819 Trojan-Ransom.Win32.Blocker.cdug Trojan:Win32/Droj.A Worm/Win32.VBNA.R79506 Worm.VBNA Trojan.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.VBNA.28672.Z": [[26, 47]], "Indicator: Trojan-Ransom.Win32.Blocker!O": [[48, 77]], "Indicator: Worm.VBNA.Win32.168532": [[78, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[101, 143]], "Indicator: Win32/VB.OHY": [[144, 156]], "Indicator: HT_DROJ_GG310200.UVPM": [[157, 178], [281, 302]], "Indicator: Trojan-Ransom.Win32.Blocker.cdug": [[179, 211], [389, 421]], "Indicator: Trojan.Win32.VB.crkzva": [[212, 234]], "Indicator: Worm.Win32.VBNA.28672.I": [[235, 258]], "Indicator: Trojan.MulDrop4.59381": [[259, 280]], "Indicator: BehavesLike.Win32.VBObfus.mz": [[303, 331]], "Indicator: Worm/VBNA.hggx": [[332, 346]], "Indicator: Trojan/Win32.Vilsel.gic": [[347, 370]], "Indicator: Trojan.Barys.D819": [[371, 388]], "Indicator: Trojan:Win32/Droj.A": [[422, 441]], "Indicator: Worm/Win32.VBNA.R79506": [[442, 464]], "Indicator: Worm.VBNA": [[465, 474]], "Indicator: Trojan.Crypt": [[475, 487]]}, "info": {"id": "cyner2_5class_train_00765", "source": "cyner2_5class_train"}} +{"text": "Figure 6 .", "spans": 
{}, "info": {"id": "cyner2_5class_train_00766", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader26.11210 TR/Dropper.MSIL.aexpd Trojan:MSIL/Upadter.A Trj/GdSda.A Win32.Trojan.Inject.Auto Trojan.MSIL.Inject Win32/Backdoor.990", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.MSIL": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[40, 82]], "Indicator: Trojan.DownLoader26.11210": [[83, 108]], "Indicator: TR/Dropper.MSIL.aexpd": [[109, 130]], "Indicator: Trojan:MSIL/Upadter.A": [[131, 152]], "Indicator: Trj/GdSda.A": [[153, 164]], "Indicator: Win32.Trojan.Inject.Auto": [[165, 189]], "Indicator: Trojan.MSIL.Inject": [[190, 208]], "Indicator: Win32/Backdoor.990": [[209, 227]]}, "info": {"id": "cyner2_5class_train_00767", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Tosct Win32.Trojan.WisdomEyes.16070401.9500.9994 BKDR_WEBRV.A Trojan.Click2.39104 BKDR_WEBRV.A W32/Trojan.KRMY-0312 Trojan.Heur.JP.ED64BF TrojanDownloader:Win32/Tosct.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Tosct": [[26, 48]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[49, 91]], "Indicator: BKDR_WEBRV.A": [[92, 104], [125, 137]], "Indicator: Trojan.Click2.39104": [[105, 124]], "Indicator: W32/Trojan.KRMY-0312": [[138, 158]], "Indicator: Trojan.Heur.JP.ED64BF": [[159, 180]], "Indicator: TrojanDownloader:Win32/Tosct.B": [[181, 211]]}, "info": {"id": "cyner2_5class_train_00768", "source": "cyner2_5class_train"}} +{"text": "Today, RSA Research published an in-depth report on a commercial VPN network, originating in China, which we are calling Terracotta", "spans": {"Organization: RSA Research": [[7, 19]], "System: commercial VPN network,": [[54, 77]], "Malware: Terracotta": [[121, 131]]}, "info": {"id": "cyner2_5class_train_00769", "source": "cyner2_5class_train"}} +{"text": "At the end of 
March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface GDI to drop malware.", "spans": {"Indicator: malicious document": [[46, 64]], "Vulnerability: unknown vulnerability": [[79, 100]], "System: EPS": [[104, 107]], "Vulnerability: vulnerability": [[131, 144]], "System: Windows Graphics Device Interface": [[148, 181]], "Malware: malware.": [[194, 202]]}, "info": {"id": "cyner2_5class_train_00770", "source": "cyner2_5class_train"}} +{"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "cyner2_5class_train_00771", "source": "cyner2_5class_train"}} +{"text": "This example shows one possible implementation of this technique .", "spans": {}, "info": {"id": "cyner2_5class_train_00772", "source": "cyner2_5class_train"}} +{"text": "We reported it to Google on May 16 , 2020 and since May 19 , 2020 the app has no longer been available on Google Play .", "spans": {"Organization: Google": [[18, 24]], "System: Google Play": [[106, 117]]}, "info": {"id": "cyner2_5class_train_00773", "source": "cyner2_5class_train"}} +{"text": "Increasingly, cyberattackers have been leveraging non-malware attack methods to target vulnerable organizations.", "spans": {"Malware: non-malware attack": [[50, 68]], "Vulnerability: vulnerable organizations.": [[87, 112]]}, "info": {"id": "cyner2_5class_train_00774", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.W32.Jorik.Virut.ltFj BehavesLike.Win32.Parite.cm Trojan.Kazy.D23845 Trojan:Win32/Dantmil.A Win32/RiskWare.PEMalform.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.W32.Jorik.Virut.ltFj": [[26, 51]], "Indicator: BehavesLike.Win32.Parite.cm": [[52, 79]], 
"Indicator: Trojan.Kazy.D23845": [[80, 98]], "Indicator: Trojan:Win32/Dantmil.A": [[99, 121]], "Indicator: Win32/RiskWare.PEMalform.E": [[122, 148]]}, "info": {"id": "cyner2_5class_train_00775", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.NSIS.BI Trojan.NSIS.Minix.A Trojan.Downloader.NSIS.BI TROJ_DLDR.SMIM Trackware.MegaSearch TROJ_DLDR.SMIM Win.Trojan.Clicker-3867 Trojan.Downloader.NSIS.BI Trojan.Downloader.NSIS.BI Trojan.Win32.Dwn.kvabt Trojan.Downloader.NSIS.BI Trojan.DownLoader4.20561 Downloader.NSIS.Win32.1874 TrojanDownloader:Win32/Minix.A Trj/CI.A W32/Dloader.EP!tr.NSIS Win32/Trojan.Downloader.79d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.NSIS.BI": [[26, 51], [72, 97], [173, 198], [199, 224], [248, 273]], "Indicator: Trojan.NSIS.Minix.A": [[52, 71]], "Indicator: TROJ_DLDR.SMIM": [[98, 112], [134, 148]], "Indicator: Trackware.MegaSearch": [[113, 133]], "Indicator: Win.Trojan.Clicker-3867": [[149, 172]], "Indicator: Trojan.Win32.Dwn.kvabt": [[225, 247]], "Indicator: Trojan.DownLoader4.20561": [[274, 298]], "Indicator: Downloader.NSIS.Win32.1874": [[299, 325]], "Indicator: TrojanDownloader:Win32/Minix.A": [[326, 356]], "Indicator: Trj/CI.A": [[357, 365]], "Indicator: W32/Dloader.EP!tr.NSIS": [[366, 388]], "Indicator: Win32/Trojan.Downloader.79d": [[389, 416]]}, "info": {"id": "cyner2_5class_train_00776", "source": "cyner2_5class_train"}} +{"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback .", "spans": {}, "info": {"id": "cyner2_5class_train_00777", "source": "cyner2_5class_train"}} +{"text": "Depending on the Trojan version , dynamically generated subdomains can also be used .", "spans": {}, "info": {"id": "cyner2_5class_train_00778", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Infostealer.Lokibot Trojan.PWS.Stealer.18836 TROJ_HPUTOTI.SMQ 
BehavesLike.Win32.Downloader.dh DR/Autoit.ppevb Trojan:Win32/Lepoh.A Spyware.LokiBot Trojan.Win32.Injector Trj/CI.A Win32/Trojan.15d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Infostealer.Lokibot": [[26, 45]], "Indicator: Trojan.PWS.Stealer.18836": [[46, 70]], "Indicator: TROJ_HPUTOTI.SMQ": [[71, 87]], "Indicator: BehavesLike.Win32.Downloader.dh": [[88, 119]], "Indicator: DR/Autoit.ppevb": [[120, 135]], "Indicator: Trojan:Win32/Lepoh.A": [[136, 156]], "Indicator: Spyware.LokiBot": [[157, 172]], "Indicator: Trojan.Win32.Injector": [[173, 194]], "Indicator: Trj/CI.A": [[195, 203]], "Indicator: Win32/Trojan.15d": [[204, 220]]}, "info": {"id": "cyner2_5class_train_00779", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Redsip.49152 Backdoor.Redsip.Win32.2 Trojan.Heur.LP.EDEA74 W32/Backdoor2.HIOG Hacktool.Keylogger Win32/Redsip.A BKDR_REDSIP.C Trojan.Win32.Redsip.dcevd Uds.Dangerousobject.Multi!c BKDR_REDSIP.C Backdoor.Win32.Redsip W32/Backdoor.WNDK-6859 TR/Spy.49152.662 Trojan[Backdoor]/Win32.Redsip Win32.Hack.Redsip.b.kcloud Backdoor:Win32/Redsip.B!svc Win-Trojan/Nightdragon.49152 Backdoor.Redsip Win32/Redsip.AA Win32.Trojan.Spy.Lohv W32/REDSIP.B!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Redsip.49152": [[26, 51]], "Indicator: Backdoor.Redsip.Win32.2": [[52, 75]], "Indicator: Trojan.Heur.LP.EDEA74": [[76, 97]], "Indicator: W32/Backdoor2.HIOG": [[98, 116]], "Indicator: Hacktool.Keylogger": [[117, 135]], "Indicator: Win32/Redsip.A": [[136, 150]], "Indicator: BKDR_REDSIP.C": [[151, 164], [219, 232]], "Indicator: Trojan.Win32.Redsip.dcevd": [[165, 190]], "Indicator: Uds.Dangerousobject.Multi!c": [[191, 218]], "Indicator: Backdoor.Win32.Redsip": [[233, 254]], "Indicator: W32/Backdoor.WNDK-6859": [[255, 277]], "Indicator: TR/Spy.49152.662": [[278, 294]], "Indicator: Trojan[Backdoor]/Win32.Redsip": [[295, 324]], "Indicator: Win32.Hack.Redsip.b.kcloud": [[325, 351]], "Indicator: 
Backdoor:Win32/Redsip.B!svc": [[352, 379]], "Indicator: Win-Trojan/Nightdragon.49152": [[380, 408]], "Indicator: Backdoor.Redsip": [[409, 424]], "Indicator: Win32/Redsip.AA": [[425, 440]], "Indicator: Win32.Trojan.Spy.Lohv": [[441, 462]], "Indicator: W32/REDSIP.B!tr.bdr": [[463, 482]]}, "info": {"id": "cyner2_5class_train_00780", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has reported on various Sofacy group attacks over the last year, most recently with a post on Komplex, an OS X variant of a tool commonly used by the Sofacy group.", "spans": {"Indicator: Unit 42": [[0, 7]], "Malware: Komplex,": [[102, 110]], "System: OS X": [[114, 118]], "Malware: tool": [[132, 136]]}, "info": {"id": "cyner2_5class_train_00781", "source": "cyner2_5class_train"}} +{"text": "However , this time the app name for both HenBox and the embedded app were identical : Islamawazi .", "spans": {"Malware: HenBox": [[42, 48]], "System: Islamawazi": [[87, 97]]}, "info": {"id": "cyner2_5class_train_00782", "source": "cyner2_5class_train"}} +{"text": "We would also like to mention that if you come across an app hiding it 's icon , always try to search for the app in your device settings ( by going to Settings - > Apps - > Search for icon that was hidden ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00783", "source": "cyner2_5class_train"}} +{"text": "Analyzing malware is often like solving a puzzle, you have to do it piece by piece to reach the final image.", "spans": {}, "info": {"id": "cyner2_5class_train_00784", "source": "cyner2_5class_train"}} +{"text": "By connecting multiple Black Vine campaigns, we traced how the attack group has evolved over the last three years.", "spans": {}, "info": {"id": "cyner2_5class_train_00785", "source": "cyner2_5class_train"}} +{"text": "Dump data from the Viber messenger app .", "spans": {"System: Viber messenger": [[19, 34]]}, "info": {"id": "cyner2_5class_train_00786", "source": "cyner2_5class_train"}} +{"text": "Following simple best 
practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices .", "spans": {}, "info": {"id": "cyner2_5class_train_00787", "source": "cyner2_5class_train"}} +{"text": "- There were two interesting sub-classes found inside Main Activity : Receiver and Sender .", "spans": {}, "info": {"id": "cyner2_5class_train_00788", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D2F05E Win32.Trojan.WisdomEyes.16070401.9500.9757 Trojan.Win32.Badur.cubwxj TrojWare.Win32.Delf.ebs Trojan.DownLoader9.4478 BehavesLike.Win32.Sytro.ch TrojanDownloader:Win32/Cefunlor.A Trojan/Win32.Downloader.R91863 TScope.Trojan.Delf Spyware.PasswordStealer Trojan-Dropper.Delf W32/Delf.RQV!tr.dldr Trj/Dtcontx.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D2F05E": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9757": [[45, 87]], "Indicator: Trojan.Win32.Badur.cubwxj": [[88, 113]], "Indicator: TrojWare.Win32.Delf.ebs": [[114, 137]], "Indicator: Trojan.DownLoader9.4478": [[138, 161]], "Indicator: BehavesLike.Win32.Sytro.ch": [[162, 188]], "Indicator: TrojanDownloader:Win32/Cefunlor.A": [[189, 222]], "Indicator: Trojan/Win32.Downloader.R91863": [[223, 253]], "Indicator: TScope.Trojan.Delf": [[254, 272]], "Indicator: Spyware.PasswordStealer": [[273, 296]], "Indicator: Trojan-Dropper.Delf": [[297, 316]], "Indicator: W32/Delf.RQV!tr.dldr": [[317, 337]], "Indicator: Trj/Dtcontx.L": [[338, 351]]}, "info": {"id": "cyner2_5class_train_00789", "source": "cyner2_5class_train"}} +{"text": "Our data shows , on average , about three requests per hour to the drop host .", "spans": {}, "info": {"id": "cyner2_5class_train_00790", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg 
W32.Virut.lGNe Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 PE_VIRUX.R BehavesLike.Win32.Ramnit.fh Trojan.Win32.Malex Win32/Virut.bt Win32.Virut.dd.368640 TrojanDownloader:Win32/Otlard.D Virus.Win32.Virut.ce Win32.Virus.Virut.U Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: W32.Virut.CF": [[73, 85]], "Indicator: Win32/Virut.17408": [[86, 103]], "Indicator: PE_VIRUX.R": [[104, 114], [233, 243]], "Indicator: Virus.Win32.Virut.ce": [[115, 135], [360, 380]], "Indicator: Virus.Win32.Virut.hpeg": [[136, 158]], "Indicator: W32.Virut.lGNe": [[159, 173]], "Indicator: Virus.Win32.Virut.CE": [[174, 194]], "Indicator: Win32.Virut.56": [[195, 209]], "Indicator: Virus.Virut.Win32.1938": [[210, 232]], "Indicator: BehavesLike.Win32.Ramnit.fh": [[244, 271]], "Indicator: Trojan.Win32.Malex": [[272, 290]], "Indicator: Win32/Virut.bt": [[291, 305]], "Indicator: Win32.Virut.dd.368640": [[306, 327]], "Indicator: TrojanDownloader:Win32/Otlard.D": [[328, 359]], "Indicator: Win32.Virus.Virut.U": [[381, 400]], "Indicator: Win32/Virut.F": [[401, 414]], "Indicator: Virus.Virut.14": [[415, 429]], "Indicator: Win32/Virut.NBP": [[430, 445]], "Indicator: W32/Virut.CE": [[446, 458]], "Indicator: W32/Sality.AO": [[459, 472]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[473, 503]]}, "info": {"id": "cyner2_5class_train_00791", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.SilentSpy.zmwjp Backdoor.SilentSpy Silentspy.F Win32/SilentSpy.208 BKDR_SILENTSPY.C Trojan.W32.Fadedoor.10B-3 Backdoor.Win32.SilentSpy.208 Backdoor.SilentSpy.D Backdoor.Win32.SilentSpy.208 BackDoor.Silent.208 BKDR_SILENTSPY.C Win32.Hack.SilentSpy.20.kcloud Backdoor.Win32.SilentSpy_208.559104 Win-Trojan/SilentSpy.559104 Backdoor.SilentSpy 
Win32/SilentSpy.208 Backdoor.Win32.SilentSpy.200 W32/Bdoor.ZT!tr.bdr BackDoor.Silentspy.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.SilentSpy.zmwjp": [[26, 54]], "Indicator: Backdoor.SilentSpy": [[55, 73], [360, 378]], "Indicator: Silentspy.F": [[74, 85]], "Indicator: Win32/SilentSpy.208": [[86, 105], [379, 398]], "Indicator: BKDR_SILENTSPY.C": [[106, 122], [248, 264]], "Indicator: Trojan.W32.Fadedoor.10B-3": [[123, 148]], "Indicator: Backdoor.Win32.SilentSpy.208": [[149, 177], [199, 227]], "Indicator: Backdoor.SilentSpy.D": [[178, 198]], "Indicator: BackDoor.Silent.208": [[228, 247]], "Indicator: Win32.Hack.SilentSpy.20.kcloud": [[265, 295]], "Indicator: Backdoor.Win32.SilentSpy_208.559104": [[296, 331]], "Indicator: Win-Trojan/SilentSpy.559104": [[332, 359]], "Indicator: Backdoor.Win32.SilentSpy.200": [[399, 427]], "Indicator: W32/Bdoor.ZT!tr.bdr": [[428, 447]], "Indicator: BackDoor.Silentspy.G": [[448, 468]]}, "info": {"id": "cyner2_5class_train_00792", "source": "cyner2_5class_train"}} +{"text": "Analysis indicates there are currently two distinct variants of ViperRAT .", "spans": {"Malware: ViperRAT": [[64, 72]]}, "info": {"id": "cyner2_5class_train_00793", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Incognito Trojan.Win32.Meterpreter.exjxlb Trojan.Win64.Meterpreter W32/Trojan.VCYK-3916 HackTool.Meterpreter.ei HackTool/Win32.Meterpreter Trj/GdSda.A Win32.Hacktool.Meterpreter.Phqd Win32/Trojan.Hacktool.8d0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Incognito": [[26, 44]], "Indicator: Trojan.Win32.Meterpreter.exjxlb": [[45, 76]], "Indicator: Trojan.Win64.Meterpreter": [[77, 101]], "Indicator: W32/Trojan.VCYK-3916": [[102, 122]], "Indicator: HackTool.Meterpreter.ei": [[123, 146]], "Indicator: HackTool/Win32.Meterpreter": [[147, 173]], "Indicator: Trj/GdSda.A": [[174, 185]], "Indicator: Win32.Hacktool.Meterpreter.Phqd": [[186, 217]], "Indicator: Win32/Trojan.Hacktool.8d0": [[218, 
243]]}, "info": {"id": "cyner2_5class_train_00794", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.PadoBot.86528 W32.Sality.U Worm.Padobot.D Win32/Sality.NBA W32/Korgo.V W32.Sality.AE Korgo.V PE_SALITY.RL Worm.Padobot.M Net-Worm.Win32.Padobot.m Worm.Padobot.BV.Dam Worm.Korgo Net-Worm.Win32.Padobot!IK Worm.Padobot.BV.Dam Win32.Lsabot W32/Sality.AT PE_SALITY.RL Win32/Sality.AA Worm:Win32/Korgo.V Win32.Sality.N Worm.Padobot.BV.Dam W32/Korgo.V Win32/IRCBot.worm.variant Virus.Win32.Sality.bakb Malware.Sality Worm.Padobot.bl Net-Worm.Win32.Padobot W32/Padobot!worm.im Worm/Korgo.A W32/Korgo.U.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.PadoBot.86528": [[26, 48]], "Indicator: W32.Sality.U": [[49, 61]], "Indicator: Worm.Padobot.D": [[62, 76]], "Indicator: Win32/Sality.NBA": [[77, 93]], "Indicator: W32/Korgo.V": [[94, 105], [368, 379]], "Indicator: W32.Sality.AE": [[106, 119]], "Indicator: Korgo.V": [[120, 127]], "Indicator: PE_SALITY.RL": [[128, 140], [285, 297]], "Indicator: Worm.Padobot.M": [[141, 155]], "Indicator: Net-Worm.Win32.Padobot.m": [[156, 180]], "Indicator: Worm.Padobot.BV.Dam": [[181, 200], [238, 257], [348, 367]], "Indicator: Worm.Korgo": [[201, 211]], "Indicator: Net-Worm.Win32.Padobot!IK": [[212, 237]], "Indicator: Win32.Lsabot": [[258, 270]], "Indicator: W32/Sality.AT": [[271, 284]], "Indicator: Win32/Sality.AA": [[298, 313]], "Indicator: Worm:Win32/Korgo.V": [[314, 332]], "Indicator: Win32.Sality.N": [[333, 347]], "Indicator: Win32/IRCBot.worm.variant": [[380, 405]], "Indicator: Virus.Win32.Sality.bakb": [[406, 429]], "Indicator: Malware.Sality": [[430, 444]], "Indicator: Worm.Padobot.bl": [[445, 460]], "Indicator: Net-Worm.Win32.Padobot": [[461, 483]], "Indicator: W32/Padobot!worm.im": [[484, 503]], "Indicator: Worm/Korgo.A": [[504, 516]], "Indicator: W32/Korgo.U.worm": [[517, 533]]}, "info": {"id": "cyner2_5class_train_00795", "source": "cyner2_5class_train"}} +{"text": "The first message after 
establishing the connection is always sent by the server – the most important thing it contains is a random 128-byte key used for encrypting further communication.", "spans": {"System: server": [[74, 80]], "Indicator: random 128-byte key": [[125, 144]], "Indicator: encrypting further communication.": [[154, 187]]}, "info": {"id": "cyner2_5class_train_00796", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SampleswareTG.Trojan Trojan-GameThief.Win32.Magania!O Backdoor.Farfli.O Trojan/Magania.eken Win32.Trojan.Farfli.ai Win32/Farfli.GKH Win.Trojan.Magania-19224 Trojan-GameThief.Win32.Magania.uagj Trojan.Win32.Magania.bvkxn Troj.W32.MMM.ljA2 Backdoor.Win32.Gh0st.g Trojan.Magania.Win32.38676 BKDR_INJECT.SMJ BehavesLike.Win32.Backdoor.cc Backdoor/IRCBot.qan Trojan.Barys.62 Trojan-GameThief.Win32.Magania.uagj Trojan/Win32.PcClient.R12944 TrojanPSW.Magania Win32/Farfli.AK Trojan.Farfli!czCLTsqt/Nw Backdoor.Win32.FirstInj Backdoor.Win32.Gh0st.BH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SampleswareTG.Trojan": [[26, 50]], "Indicator: Trojan-GameThief.Win32.Magania!O": [[51, 83]], "Indicator: Backdoor.Farfli.O": [[84, 101]], "Indicator: Trojan/Magania.eken": [[102, 121]], "Indicator: Win32.Trojan.Farfli.ai": [[122, 144]], "Indicator: Win32/Farfli.GKH": [[145, 161]], "Indicator: Win.Trojan.Magania-19224": [[162, 186]], "Indicator: Trojan-GameThief.Win32.Magania.uagj": [[187, 222], [400, 435]], "Indicator: Trojan.Win32.Magania.bvkxn": [[223, 249]], "Indicator: Troj.W32.MMM.ljA2": [[250, 267]], "Indicator: Backdoor.Win32.Gh0st.g": [[268, 290]], "Indicator: Trojan.Magania.Win32.38676": [[291, 317]], "Indicator: BKDR_INJECT.SMJ": [[318, 333]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[334, 363]], "Indicator: Backdoor/IRCBot.qan": [[364, 383]], "Indicator: Trojan.Barys.62": [[384, 399]], "Indicator: Trojan/Win32.PcClient.R12944": [[436, 464]], "Indicator: TrojanPSW.Magania": [[465, 482]], "Indicator: Win32/Farfli.AK": [[483, 498]], 
"Indicator: Trojan.Farfli!czCLTsqt/Nw": [[499, 524]], "Indicator: Backdoor.Win32.FirstInj": [[525, 548]], "Indicator: Backdoor.Win32.Gh0st.BH": [[549, 572]]}, "info": {"id": "cyner2_5class_train_00797", "source": "cyner2_5class_train"}} +{"text": "Trojan activity At the time of the writing of this post , all URLs ( see IOC section ) found on the sample were inactive , and it does not seem to be widespread .", "spans": {}, "info": {"id": "cyner2_5class_train_00798", "source": "cyner2_5class_train"}} +{"text": "Several months ago I examined a malware-tainted Word document titled ISIS_twitter_list.doc. I didn't think much of it and quickly moved on after a cursory analysis.", "spans": {"Indicator: malware-tainted Word document titled ISIS_twitter_list.doc.": [[32, 91]]}, "info": {"id": "cyner2_5class_train_00799", "source": "cyner2_5class_train"}} +{"text": "A full list of all possible commands with descriptions can be found in Appendix II below .", "spans": {}, "info": {"id": "cyner2_5class_train_00800", "source": "cyner2_5class_train"}} +{"text": "As of late December 2019, ITG03-derived macOS malware was discovered being hosted on a fake cryptocurrency-related website, also likely designed by ITG03.", "spans": {"System: macOS": [[40, 45]], "Malware: malware": [[46, 53]], "Indicator: a fake cryptocurrency-related website,": [[85, 123]]}, "info": {"id": "cyner2_5class_train_00801", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Backdoor.TGTY-5139 Backdoor.Trojan Win32/Smalldoor.RX BKDR_SHARK.WMP BackDoor.Werchan BKDR_SHARK.WMP W32/Backdoor2.HITJ Trojan.Graftor.Elzob.D3B3C TrojanProxy:Win32/Zolpiq.A Trojan/Win32.Dllbot.R811 Backdoor.Swofi.121 Win32/Trojan.256", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: W32/Backdoor.TGTY-5139": [[69, 91]], "Indicator: Backdoor.Trojan": [[92, 107]], "Indicator: Win32/Smalldoor.RX": [[108, 
126]], "Indicator: BKDR_SHARK.WMP": [[127, 141], [159, 173]], "Indicator: BackDoor.Werchan": [[142, 158]], "Indicator: W32/Backdoor2.HITJ": [[174, 192]], "Indicator: Trojan.Graftor.Elzob.D3B3C": [[193, 219]], "Indicator: TrojanProxy:Win32/Zolpiq.A": [[220, 246]], "Indicator: Trojan/Win32.Dllbot.R811": [[247, 271]], "Indicator: Backdoor.Swofi.121": [[272, 290]], "Indicator: Win32/Trojan.256": [[291, 307]]}, "info": {"id": "cyner2_5class_train_00802", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba.be Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.HYQY Trojan.Win32.Inject.dqhpeo TrojWare.Win32.Tinba.BD Trojan.PWS.Tinba.153 Dropper.Injector.Win32.66634 Trojan.Win32.Exploit W32/Backdoor.DVHN-3684 TrojanDropper.Injector.avtd TR/Crypt.Xpack.182297 Trojan[Dropper]/Win32.Injector Trojan/Win32.Small.R145411 TrojanDropper.Injector Trojan.Symmi.DD5E0 Win32/Tinba.BE Trojan.DR.Injector!OJez9sRxlMc W32/Deshacop.XO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tinba.WR4": [[26, 42]], "Indicator: Trojan/Tinba.be": [[43, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[59, 101]], "Indicator: W32/Backdoor2.HYQY": [[102, 120]], "Indicator: Trojan.Win32.Inject.dqhpeo": [[121, 147]], "Indicator: TrojWare.Win32.Tinba.BD": [[148, 171]], "Indicator: Trojan.PWS.Tinba.153": [[172, 192]], "Indicator: Dropper.Injector.Win32.66634": [[193, 221]], "Indicator: Trojan.Win32.Exploit": [[222, 242]], "Indicator: W32/Backdoor.DVHN-3684": [[243, 265]], "Indicator: TrojanDropper.Injector.avtd": [[266, 293]], "Indicator: TR/Crypt.Xpack.182297": [[294, 315]], "Indicator: Trojan[Dropper]/Win32.Injector": [[316, 346]], "Indicator: Trojan/Win32.Small.R145411": [[347, 373]], "Indicator: TrojanDropper.Injector": [[374, 396]], "Indicator: Trojan.Symmi.DD5E0": [[397, 415]], "Indicator: Win32/Tinba.BE": [[416, 430]], "Indicator: Trojan.DR.Injector!OJez9sRxlMc": [[431, 461]], "Indicator: W32/Deshacop.XO!tr": [[462, 
480]]}, "info": {"id": "cyner2_5class_train_00803", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike.Win32.Dropper.dh Trojan.AD.Lnkget TR/AD.Lnkget.hrjck TrojanDownloader:BAT/Lnkget.B Trojan/Win32.PcClient.C204685", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Dropper.dh": [[26, 54]], "Indicator: Trojan.AD.Lnkget": [[55, 71]], "Indicator: TR/AD.Lnkget.hrjck": [[72, 90]], "Indicator: TrojanDownloader:BAT/Lnkget.B": [[91, 120]], "Indicator: Trojan/Win32.PcClient.C204685": [[121, 150]]}, "info": {"id": "cyner2_5class_train_00804", "source": "cyner2_5class_train"}} +{"text": "The results are described in this report.The Trojan may then perform the following actions:Open and close the CD tray Steal Outlook password Steal login passwords to websites Intercept network traffic", "spans": {"Malware: Trojan": [[45, 51]], "Indicator: actions:Open and close the CD tray Steal Outlook password Steal login passwords to websites Intercept network traffic": [[83, 200]]}, "info": {"id": "cyner2_5class_train_00805", "source": "cyner2_5class_train"}} +{"text": "In addition, this template file could also potentially be used to download other malicious payloads to the victim s computer.", "spans": {"Indicator: template file": [[18, 31]], "Indicator: download": [[66, 74]], "Malware: malicious payloads": [[81, 99]], "System: computer.": [[116, 125]]}, "info": {"id": "cyner2_5class_train_00806", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Xorist.13824 TrojanRansom.Xorist.bh Trojan/Xorist.bh Trojan.Xorist!Ff7hNbBp1Hc W32/NetworkWorm.ROB Trojan-Ransom.Win32.Xorist.bh Trojan.Encoder.91 TR/Ransom.Xorist.BH.3 Trojan/Xorist.q Trojan:Win32/Filecoder.D Trojan/Win32.Xorist Trojan-Ransom.Win32.Xorist", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Xorist.13824": [[26, 49]], "Indicator: TrojanRansom.Xorist.bh": [[50, 72]], "Indicator: Trojan/Xorist.bh": [[73, 89]], "Indicator: 
Trojan.Xorist!Ff7hNbBp1Hc": [[90, 115]], "Indicator: W32/NetworkWorm.ROB": [[116, 135]], "Indicator: Trojan-Ransom.Win32.Xorist.bh": [[136, 165]], "Indicator: Trojan.Encoder.91": [[166, 183]], "Indicator: TR/Ransom.Xorist.BH.3": [[184, 205]], "Indicator: Trojan/Xorist.q": [[206, 221]], "Indicator: Trojan:Win32/Filecoder.D": [[222, 246]], "Indicator: Trojan/Win32.Xorist": [[247, 266]], "Indicator: Trojan-Ransom.Win32.Xorist": [[267, 293]]}, "info": {"id": "cyner2_5class_train_00807", "source": "cyner2_5class_train"}} +{"text": "It also appears the apps may still be in development or incubation , maybe waiting for a “ right time ” to inject the malicious codes .", "spans": {}, "info": {"id": "cyner2_5class_train_00808", "source": "cyner2_5class_train"}} +{"text": "] com svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner2_5class_train_00809", "source": "cyner2_5class_train"}} +{"text": "Coverage Additional ways our customers can detect and block this threat are listed below .", "spans": {}, "info": {"id": "cyner2_5class_train_00810", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.KowinH.Worm Backdoor/W32.PopWin.17408 Backdoor.Win32.Popwin!O Trojan.FakeMS.ED Win32.Trojan.WisdomEyes.16070401.9500.9938 W32.Popwin Win32/Pipown.EI TROJ_NSPAK.A Backdoor.Win32.Popwin.anx Backdoor.Win32.Popwin.~IQ Trojan.Popwin TROJ_NSPAK.A Trojan[Backdoor]/Win32.Popwin Win32.Hack.NsPackT.a.kcloud Trojan:Win32/Pepatch.E Backdoor.Win32.Popwin.anx Worm/Win32.AutoRun.R7462 Worm.Win32.AutoRun Win32/Backdoor.1ad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KowinH.Worm": [[26, 41]], "Indicator: Backdoor/W32.PopWin.17408": [[42, 67]], "Indicator: Backdoor.Win32.Popwin!O": [[68, 91]], "Indicator: Trojan.FakeMS.ED": [[92, 108]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9938": [[109, 151]], "Indicator: W32.Popwin": [[152, 162]], "Indicator: Win32/Pipown.EI": [[163, 178]], "Indicator: TROJ_NSPAK.A": [[179, 191], [258, 270]], 
"Indicator: Backdoor.Win32.Popwin.anx": [[192, 217], [352, 377]], "Indicator: Backdoor.Win32.Popwin.~IQ": [[218, 243]], "Indicator: Trojan.Popwin": [[244, 257]], "Indicator: Trojan[Backdoor]/Win32.Popwin": [[271, 300]], "Indicator: Win32.Hack.NsPackT.a.kcloud": [[301, 328]], "Indicator: Trojan:Win32/Pepatch.E": [[329, 351]], "Indicator: Worm/Win32.AutoRun.R7462": [[378, 402]], "Indicator: Worm.Win32.AutoRun": [[403, 421]], "Indicator: Win32/Backdoor.1ad": [[422, 440]]}, "info": {"id": "cyner2_5class_train_00811", "source": "cyner2_5class_train"}} +{"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "cyner2_5class_train_00812", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.7B64 Trojan/W32.DoS.188416.C DoS.Win32.Small!O Trojan.Small DoS.W32.Small.to1D W32/VirTool.TK Win.Trojan.Small-13866 DoS.Win32.Small.ai Trojan.Win32.Small.bqdli Trojan.Win32.Small.188416 Trojan.Inject.762 Virus.Win32.Small W32/Tool.FQGY-6235 DoS.Small.h HackTool[DoS]/Win32.Small DoS.Win32.Small.ai HackTool:Win32/Upsodos.A Trojan/Win32.Flooder.R118574 DoS.Small Win32.Trojan.Small.Hpd Win32/Trojan.5b5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.7B64": [[26, 43]], "Indicator: Trojan/W32.DoS.188416.C": [[44, 67]], "Indicator: DoS.Win32.Small!O": [[68, 85]], "Indicator: Trojan.Small": [[86, 98]], "Indicator: DoS.W32.Small.to1D": [[99, 117]], "Indicator: W32/VirTool.TK": [[118, 132]], "Indicator: Win.Trojan.Small-13866": [[133, 155]], "Indicator: DoS.Win32.Small.ai": [[156, 174], [319, 337]], "Indicator: Trojan.Win32.Small.bqdli": [[175, 199]], "Indicator: Trojan.Win32.Small.188416": [[200, 225]], "Indicator: Trojan.Inject.762": [[226, 243]], "Indicator: Virus.Win32.Small": [[244, 261]], "Indicator: W32/Tool.FQGY-6235": [[262, 280]], "Indicator: DoS.Small.h": [[281, 292]], "Indicator: HackTool[DoS]/Win32.Small": [[293, 318]], "Indicator: HackTool:Win32/Upsodos.A": [[338, 362]], 
"Indicator: Trojan/Win32.Flooder.R118574": [[363, 391]], "Indicator: DoS.Small": [[392, 401]], "Indicator: Win32.Trojan.Small.Hpd": [[402, 424]], "Indicator: Win32/Trojan.5b5": [[425, 441]]}, "info": {"id": "cyner2_5class_train_00813", "source": "cyner2_5class_train"}} +{"text": "Shamoon is designed to destroy computer hard drives by wiping the master boot record MBR and data irretrievably, unlike ransomware, which holds the data hostage for a fee.", "spans": {"Malware: Shamoon": [[0, 7]], "Indicator: destroy computer hard drives by wiping": [[23, 61]], "System: the master boot record MBR": [[62, 88]], "Malware: ransomware,": [[120, 131]]}, "info": {"id": "cyner2_5class_train_00814", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Turla Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Turla Backdoor.Win32.Turla.u Trojan.Win32.FKM.evjxqd Backdoor.W32.Turla!c Win32.Backdoor.Turla.Agvc W32/Trojan.GDRU-3141 Trojan.Win32.Z.Turla.37892 Backdoor.Win32.Turla.u Trojan:Win32/Ouftap.B W32/Turla.TCW!tr.bdr Backdoor.Turla Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Turla": [[26, 40], [305, 319]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[41, 83]], "Indicator: Trojan.Turla": [[84, 96]], "Indicator: Backdoor.Win32.Turla.u": [[97, 119], [239, 261]], "Indicator: Trojan.Win32.FKM.evjxqd": [[120, 143]], "Indicator: Backdoor.W32.Turla!c": [[144, 164]], "Indicator: Win32.Backdoor.Turla.Agvc": [[165, 190]], "Indicator: W32/Trojan.GDRU-3141": [[191, 211]], "Indicator: Trojan.Win32.Z.Turla.37892": [[212, 238]], "Indicator: Trojan:Win32/Ouftap.B": [[262, 283]], "Indicator: W32/Turla.TCW!tr.bdr": [[284, 304]], "Indicator: Trj/CI.A": [[320, 328]]}, "info": {"id": "cyner2_5class_train_00815", "source": "cyner2_5class_train"}} +{"text": "To make the Twitoor botnet ’ s communication more resilient , botnet designers took various steps like encrypting their messages , using complex topologies of the C & C network – 
or using innovative means for communication , among them the use of social networks .", "spans": {"Malware: Twitoor": [[12, 19]]}, "info": {"id": "cyner2_5class_train_00816", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.Cabby.379904 Trojan.Mauvaise.SL1 Ransom.Maktub Trojan/Filecoder.MaktubLocker.b W32/Trojan2.PUUQ Ransom_HPLOCKY.SME Trojan-Downloader.Win32.Cabby.zipxi Trojan.Win32.Cabby.ejsael Troj.Downloader.W32.Cabby.tnvB TrojWare.Win32.Cabby.SA Trojan.Encoder.7386 Downloader.Cabby.Win32.1866 Ransom_HPLOCKY.SME BehavesLike.Win32.ICLoader.fc W32/Trojan.RLTC-3878 TrojanDownloader.Cabby.coy Trojan[Downloader]/Win32.Cabby Trojan-Downloader.Win32.Cabby.zipxi Trojan/Win32.Locky.R192278 TrojanDownloader.Cabby Win32/Filecoder.MaktubLocker.B Trojan.DL.Cabby! Trojan.FileCryptor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.Cabby.379904": [[26, 60]], "Indicator: Trojan.Mauvaise.SL1": [[61, 80]], "Indicator: Ransom.Maktub": [[81, 94]], "Indicator: Trojan/Filecoder.MaktubLocker.b": [[95, 126]], "Indicator: W32/Trojan2.PUUQ": [[127, 143]], "Indicator: Ransom_HPLOCKY.SME": [[144, 162], [328, 346]], "Indicator: Trojan-Downloader.Win32.Cabby.zipxi": [[163, 198], [456, 491]], "Indicator: Trojan.Win32.Cabby.ejsael": [[199, 224]], "Indicator: Troj.Downloader.W32.Cabby.tnvB": [[225, 255]], "Indicator: TrojWare.Win32.Cabby.SA": [[256, 279]], "Indicator: Trojan.Encoder.7386": [[280, 299]], "Indicator: Downloader.Cabby.Win32.1866": [[300, 327]], "Indicator: BehavesLike.Win32.ICLoader.fc": [[347, 376]], "Indicator: W32/Trojan.RLTC-3878": [[377, 397]], "Indicator: TrojanDownloader.Cabby.coy": [[398, 424]], "Indicator: Trojan[Downloader]/Win32.Cabby": [[425, 455]], "Indicator: Trojan/Win32.Locky.R192278": [[492, 518]], "Indicator: TrojanDownloader.Cabby": [[519, 541]], "Indicator: Win32/Filecoder.MaktubLocker.B": [[542, 572]], "Indicator: Trojan.DL.Cabby!": [[573, 589]], "Indicator: Trojan.FileCryptor": [[590, 
608]]}, "info": {"id": "cyner2_5class_train_00817", "source": "cyner2_5class_train"}} +{"text": "The attack On March 24th , 2013 , the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list .", "spans": {}, "info": {"id": "cyner2_5class_train_00818", "source": "cyner2_5class_train"}} +{"text": "Based on the mutexes and domain names of some of their C C servers, BlackTech's campaigns are likely designed to steal their target's technology.", "spans": {"Indicator: mutexes": [[13, 20]], "Indicator: domain names": [[25, 37]], "Indicator: C C servers,": [[55, 67]], "Indicator: steal": [[113, 118]], "Organization: technology.": [[134, 145]]}, "info": {"id": "cyner2_5class_train_00819", "source": "cyner2_5class_train"}} +{"text": "In 2013 , there was evidence of cooperation ( most probably on a commercial basis ) between different groups of virus writers .", "spans": {}, "info": {"id": "cyner2_5class_train_00820", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ChePro Win32.Trojan.WisdomEyes.16070401.9500.9810 Trojan-Banker.Win32.ChePro.ink Trojan.Win32.ChePro.eihuuw Trojan.Win32.Z.Banker.266752 Trojan.PWS.Banker1.15002 BehavesLike.Win32.Worm.dc Trojan.Banker.ChePro.ctf TR/Spy.Banker.hgsvz Trojan.Renos.96 Trojan-Banker.Win32.ChePro.ink Trojan:Win32/Tombrep.B Trojan/Win32.Banload.C579920 TrojanBanker.ChePro Trj/GdSda.A Win32.Trojan.Spy.Ebgv W32/Banker.ABMA!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ChePro": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9810": [[40, 82]], "Indicator: Trojan-Banker.Win32.ChePro.ink": [[83, 113], [282, 312]], "Indicator: Trojan.Win32.ChePro.eihuuw": [[114, 140]], "Indicator: Trojan.Win32.Z.Banker.266752": [[141, 169]], "Indicator: Trojan.PWS.Banker1.15002": [[170, 194]], "Indicator: BehavesLike.Win32.Worm.dc": [[195, 220]], "Indicator: Trojan.Banker.ChePro.ctf": [[221, 245]], "Indicator: 
TR/Spy.Banker.hgsvz": [[246, 265]], "Indicator: Trojan.Renos.96": [[266, 281]], "Indicator: Trojan:Win32/Tombrep.B": [[313, 335]], "Indicator: Trojan/Win32.Banload.C579920": [[336, 364]], "Indicator: TrojanBanker.ChePro": [[365, 384]], "Indicator: Trj/GdSda.A": [[385, 396]], "Indicator: Win32.Trojan.Spy.Ebgv": [[397, 418]], "Indicator: W32/Banker.ABMA!tr.spy": [[419, 441]]}, "info": {"id": "cyner2_5class_train_00821", "source": "cyner2_5class_train"}} +{"text": "This technique makes use of debuggers and software breakpoints useless .", "spans": {}, "info": {"id": "cyner2_5class_train_00822", "source": "cyner2_5class_train"}} +{"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner2_5class_train_00823", "source": "cyner2_5class_train"}} +{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner2_5class_train_00824", "source": "cyner2_5class_train"}} +{"text": "Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure.", "spans": {"Organization: Proofpoint": [[0, 10]], "Indicator: a spearphishing attack": [[66, 88]], "System: a Game of Thrones": [[95, 112]]}, "info": {"id": "cyner2_5class_train_00825", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9727 Heur.Corrupt.PE Trojan.Win32.Refpron Packed.Koblu.adu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9727": [[48, 90]], "Indicator: Heur.Corrupt.PE": [[91, 106]], "Indicator: Trojan.Win32.Refpron": [[107, 127]], "Indicator: Packed.Koblu.adu": [[128, 144]]}, "info": {"id": "cyner2_5class_train_00826", "source": "cyner2_5class_train"}} +{"text": "- SpyNote RAT was also collecting the device ’ s location to identify the exact location of the victim .", 
"spans": {"Malware: SpyNote RAT": [[2, 13]]}, "info": {"id": "cyner2_5class_train_00827", "source": "cyner2_5class_train"}} +{"text": "Without mobile threat detection , this attack would not be detected , leaving end users and organizations at risk .", "spans": {}, "info": {"id": "cyner2_5class_train_00828", "source": "cyner2_5class_train"}} +{"text": "Yet our statistics says that about 60 % of Android users are still sitting with Android 4.4.2 and below .", "spans": {"System: Android": [[43, 50]], "System: Android 4.4.2 and below": [[80, 103]]}, "info": {"id": "cyner2_5class_train_00829", "source": "cyner2_5class_train"}} +{"text": "Sending text “ call on ” will activate the USSD payment confirmation service .", "spans": {}, "info": {"id": "cyner2_5class_train_00830", "source": "cyner2_5class_train"}} +{"text": "The blog describes an incident that took place in late September of 2022.", "spans": {}, "info": {"id": "cyner2_5class_train_00831", "source": "cyner2_5class_train"}} +{"text": "[ Note : The analysis of the functionality below describes a single app , but applies to all apps of the Android/AdDisplay.Ashas family .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[105, 135]]}, "info": {"id": "cyner2_5class_train_00832", "source": "cyner2_5class_train"}} +{"text": "Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.", "spans": {"Indicator: powerful filters,": [[6, 23]], "Indicator: communication": [[43, 56]], "Indicator: exfiltrate selected files": [[129, 154]], "Organization: governmental": [[160, 172]], "Organization: public institutions,": [[177, 197]]}, "info": {"id": "cyner2_5class_train_00833", "source": "cyner2_5class_train"}} +{"text": "Our published investigations have now confirmed at least 19 individuals 
targeted with NSO in Mexico, including lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials, and their family members.", "spans": {"Organization: individuals": [[60, 71]], "Organization: NSO": [[86, 89]], "Organization: lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials,": [[111, 233]], "Organization: family members.": [[244, 259]]}, "info": {"id": "cyner2_5class_train_00834", "source": "cyner2_5class_train"}} +{"text": "The Windows bot's spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection.", "spans": {"System: Windows": [[4, 11]], "Malware: bot's": [[12, 17]], "Malware: Mirai": [[39, 44]], "Malware: Mirai bots": [[92, 102]], "System: Linux host": [[108, 118]], "System: Windows host": [[126, 138]], "Indicator: brute forces a remote telnet connection.": [[158, 198]]}, "info": {"id": "cyner2_5class_train_00835", "source": "cyner2_5class_train"}} +{"text": "Regularly update and patch the router ’ s software and firmware to prevent exploits , and enable its built-in firewall .", "spans": {}, "info": {"id": "cyner2_5class_train_00836", "source": "cyner2_5class_train"}} +{"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on .", "spans": {}, "info": {"id": "cyner2_5class_train_00837", "source": "cyner2_5class_train"}} +{"text": "The malware , packaged within an Android game app called BrainTest , had been published to Google Play twice .", "spans": {"System: Android": [[33, 40]], "Malware: BrainTest": [[57, 66]], "System: Google Play": [[91, 102]]}, "info": {"id": "cyner2_5class_train_00838", "source": "cyner2_5class_train"}} +{"text": "INTRODUCTION For the past few weeks , the Cybereason Nocturnus team has been investigating a new type of 
Android malware dubbed EventBot , which was first identified in March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[42, 62]], "System: Android": [[105, 112]], "Malware: EventBot": [[128, 136]]}, "info": {"id": "cyner2_5class_train_00839", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.Garveep.MUE.DR4 TROJ_TAPAOUX.B Win32.Trojan.WisdomEyes.16070401.9500.9680 Backdoor.Trojan TROJ_TAPAOUX.B Trojan.Win32.Drop.bgdoxj Trojan.Win32.Tapaoux.357344 Trojan.MulDrop1.12202 Trojan.Win32.Pincav W32/Trojan.TEGY-1102 Trojan:Win32/Tapaoux.A TR/Tapaoux.A.3 Trojan[Backdoor]/Win32.Tusha Trojan:Win32/Tapaoux.A Dropper/Win32.Mudrop.C58765 Trojan.Tapaoux.A Win32/Trojan.Dropper.663", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.Garveep.MUE.DR4": [[26, 51]], "Indicator: TROJ_TAPAOUX.B": [[52, 66], [126, 140]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9680": [[67, 109]], "Indicator: Backdoor.Trojan": [[110, 125]], "Indicator: Trojan.Win32.Drop.bgdoxj": [[141, 165]], "Indicator: Trojan.Win32.Tapaoux.357344": [[166, 193]], "Indicator: Trojan.MulDrop1.12202": [[194, 215]], "Indicator: Trojan.Win32.Pincav": [[216, 235]], "Indicator: W32/Trojan.TEGY-1102": [[236, 256]], "Indicator: Trojan:Win32/Tapaoux.A": [[257, 279], [324, 346]], "Indicator: TR/Tapaoux.A.3": [[280, 294]], "Indicator: Trojan[Backdoor]/Win32.Tusha": [[295, 323]], "Indicator: Dropper/Win32.Mudrop.C58765": [[347, 374]], "Indicator: Trojan.Tapaoux.A": [[375, 391]], "Indicator: Win32/Trojan.Dropper.663": [[392, 416]]}, "info": {"id": "cyner2_5class_train_00840", "source": "cyner2_5class_train"}} +{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner2_5class_train_00841", "source": "cyner2_5class_train"}} +{"text": "Technical Analysis The repackaged applications are embedded with malicious code , which can be found in the com.golf package .", "spans": {"Indicator: com.golf": [[108, 116]]}, "info": {"id": "cyner2_5class_train_00842", "source": 
"cyner2_5class_train"}} +{"text": "The sample we analyzed in October , for example , contains a plugin that is able to spy on internet connections , and can even divert some SSL connections and steal data from encrypted traffic .", "spans": {}, "info": {"id": "cyner2_5class_train_00843", "source": "cyner2_5class_train"}} +{"text": "New scheme , same goal In the past , Android ransomware used a special permission called “ SYSTEM_ALERT_WINDOW ” to display their ransom note .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "cyner2_5class_train_00844", "source": "cyner2_5class_train"}} +{"text": "They are bolder and more reckless than their more experienced veteran counterparts.", "spans": {}, "info": {"id": "cyner2_5class_train_00845", "source": "cyner2_5class_train"}} +{"text": "Extract current GPS coordinates of the phone .", "spans": {}, "info": {"id": "cyner2_5class_train_00846", "source": "cyner2_5class_train"}} +{"text": "The criminals are also relying on a network of hacked servers to perform the multi-stage infection chain.", "spans": {"System: hacked servers": [[47, 61]], "Indicator: multi-stage infection chain.": [[77, 105]]}, "info": {"id": "cyner2_5class_train_00847", "source": "cyner2_5class_train"}} +{"text": "Periodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically.", "spans": {}, "info": {"id": "cyner2_5class_train_00848", "source": "cyner2_5class_train"}} +{"text": "This particular ransomware appeared in 2014 when the operators of the Reveton Windows screen-locking ransomware decided to branch out and create an Android counterpart, which they began advertising on Russian-speaking hacking forums.", "spans": {"Malware: ransomware": [[16, 26]], "Malware: the Reveton Windows screen-locking ransomware": [[66, 111]], "System: Android": [[148, 155]]}, "info": {"id": "cyner2_5class_train_00849", "source": "cyner2_5class_train"}} +{"text": "The White House and Department of State are two of the 
most spectacular known victims.", "spans": {"Organization: The White House and Department of State": [[0, 39]]}, "info": {"id": "cyner2_5class_train_00850", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.2E84 Trojan.Facebook.VP Trojan.Chromex!ZGfUkXSe3KA Worm.Win32.Febipos.da Trojan:W32/Febipos.A Trojan.FBookCRTD.Win32.1277 Worm/Febipos.h TR/Drop.Febipos.E.7 Worm/Win32.Febipos.da Trojan/Win32.Febipos.N1033287704 TrojanDropper:Win32/Febipos.E Win32.Trojan.Falsesign.Pcib Trojan.Chromex!ZGfUkXSe3KA Trojan.Win32.Spy Stolen.D87 Trj/Thymus.J Win32/Trojan.357", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.2E84": [[26, 43]], "Indicator: Trojan.Facebook.VP": [[44, 62]], "Indicator: Trojan.Chromex!ZGfUkXSe3KA": [[63, 89], [309, 335]], "Indicator: Worm.Win32.Febipos.da": [[90, 111]], "Indicator: Trojan:W32/Febipos.A": [[112, 132]], "Indicator: Trojan.FBookCRTD.Win32.1277": [[133, 160]], "Indicator: Worm/Febipos.h": [[161, 175]], "Indicator: TR/Drop.Febipos.E.7": [[176, 195]], "Indicator: Worm/Win32.Febipos.da": [[196, 217]], "Indicator: Trojan/Win32.Febipos.N1033287704": [[218, 250]], "Indicator: TrojanDropper:Win32/Febipos.E": [[251, 280]], "Indicator: Win32.Trojan.Falsesign.Pcib": [[281, 308]], "Indicator: Trojan.Win32.Spy": [[336, 352]], "Indicator: Stolen.D87": [[353, 363]], "Indicator: Trj/Thymus.J": [[364, 376]], "Indicator: Win32/Trojan.357": [[377, 393]]}, "info": {"id": "cyner2_5class_train_00851", "source": "cyner2_5class_train"}} +{"text": "This case study contains information from an engagement that the RSA Incident Response IR team worked during the September to October 2013 timeframe.", "spans": {"Organization: RSA Incident Response IR team": [[65, 94]]}, "info": {"id": "cyner2_5class_train_00852", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.TDSS!O RiskWare.Tool.CK Trojan.Win32.AutoRun.omsr W32.SillyDC TROJ_LOSABEL.SMD Trojan.Killav-157 Worm.Win32.AutoRun.rpm 
Worm.Win32.Autorun.74752.D[h] PE:Worm.Win32.DownLoad.jy!1075170189 Worm.Win32.AutoRun.~KZI Worm.AutoRun.Win32.89087 TROJ_LOSABEL.SMD BehavesLike.Win32.Downloader.cm Worm/Win32.AutoRun TrojanDownloader:Win32/Losabel.G Worm/Win32.AutoRun Downloader.Rozena", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.TDSS!O": [[26, 45]], "Indicator: RiskWare.Tool.CK": [[46, 62]], "Indicator: Trojan.Win32.AutoRun.omsr": [[63, 88]], "Indicator: W32.SillyDC": [[89, 100]], "Indicator: TROJ_LOSABEL.SMD": [[101, 117], [275, 291]], "Indicator: Trojan.Killav-157": [[118, 135]], "Indicator: Worm.Win32.AutoRun.rpm": [[136, 158]], "Indicator: Worm.Win32.Autorun.74752.D[h]": [[159, 188]], "Indicator: PE:Worm.Win32.DownLoad.jy!1075170189": [[189, 225]], "Indicator: Worm.Win32.AutoRun.~KZI": [[226, 249]], "Indicator: Worm.AutoRun.Win32.89087": [[250, 274]], "Indicator: BehavesLike.Win32.Downloader.cm": [[292, 323]], "Indicator: Worm/Win32.AutoRun": [[324, 342], [376, 394]], "Indicator: TrojanDownloader:Win32/Losabel.G": [[343, 375]], "Indicator: Downloader.Rozena": [[395, 412]]}, "info": {"id": "cyner2_5class_train_00853", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.DNGuard", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.DNGuard": [[26, 45]]}, "info": {"id": "cyner2_5class_train_00854", "source": "cyner2_5class_train"}} +{"text": "In the multiple incidents we have been involved in, the group has relied heavily on BeEF and Cobalt Strike.", "spans": {"Malware: BeEF": [[84, 88]], "Malware: Cobalt Strike.": [[93, 107]]}, "info": {"id": "cyner2_5class_train_00855", "source": "cyner2_5class_train"}} +{"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools .", "spans": {}, "info": {"id": "cyner2_5class_train_00856", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.RP.E74F56 BKDR_INJECT.SMA 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_INJECT.SMA Win.Trojan.Downloader-50333 TrojWare.Win32.Downloader.Inject.~E Trojan.DownLoad3.17548 Backdoor.Win32.Nbdd W32/Trojan.LFAS-4542 Trojan[Downloader]/Win32.Small TrojanDropper:Win32/Surin.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.RP.E74F56": [[26, 47]], "Indicator: BKDR_INJECT.SMA": [[48, 63], [123, 138]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[64, 106]], "Indicator: Backdoor.Trojan": [[107, 122]], "Indicator: Win.Trojan.Downloader-50333": [[139, 166]], "Indicator: TrojWare.Win32.Downloader.Inject.~E": [[167, 202]], "Indicator: Trojan.DownLoad3.17548": [[203, 225]], "Indicator: Backdoor.Win32.Nbdd": [[226, 245]], "Indicator: W32/Trojan.LFAS-4542": [[246, 266]], "Indicator: Trojan[Downloader]/Win32.Small": [[267, 297]], "Indicator: TrojanDropper:Win32/Surin.A": [[298, 325]]}, "info": {"id": "cyner2_5class_train_00857", "source": "cyner2_5class_train"}} +{"text": "Apps that have this permission can draw a window that belongs to the system group and can ’ t be dismissed .", "spans": {}, "info": {"id": "cyner2_5class_train_00858", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Mepaow.21127168 Trojan.Win32.Mepaow!O Trojanpws.Qqpass.16554 Trojan/Mepaow.mwv Win32.Trojan.WisdomEyes.16070401.9500.9707 Win32/Oflwr.A!crypt HV_MEPAOW_CI053B4B.RDXN Win32.Trojan.FlyStudio.F Trojan.Win32.Mepaow.mwv Trojan.Win32.Mepaow.dbtqtp Trojan.Win32.A.Mepaow.647168.A Troj.W32.Mepaow.mwv!c Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.MulDrop3.13823 Trojan.Mepaow.Win32.1575 Packed.PePatch.hiy Trojan/Win32.Mepaow Trojan.Buzy.33 Trojan.Win32.Mepaow.mwv Trojan:Win32/Rusparail.A Trojan.Mepaow Trj/CI.A Win32.Trojan.Spy.Pbpm Trojan.Mepaow!GQd1AlSBw3E W32/QQPass.ELG!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Mepaow.21127168": [[26, 52]], "Indicator: Trojan.Win32.Mepaow!O": [[53, 74]], "Indicator: 
Trojanpws.Qqpass.16554": [[75, 97]], "Indicator: Trojan/Mepaow.mwv": [[98, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9707": [[116, 158]], "Indicator: Win32/Oflwr.A!crypt": [[159, 178]], "Indicator: HV_MEPAOW_CI053B4B.RDXN": [[179, 202]], "Indicator: Win32.Trojan.FlyStudio.F": [[203, 227]], "Indicator: Trojan.Win32.Mepaow.mwv": [[228, 251], [479, 502]], "Indicator: Trojan.Win32.Mepaow.dbtqtp": [[252, 278]], "Indicator: Trojan.Win32.A.Mepaow.647168.A": [[279, 309]], "Indicator: Troj.W32.Mepaow.mwv!c": [[310, 331]], "Indicator: Worm.Win32.Dropper.RA": [[332, 353]], "Indicator: Trojan:W32/DelfInject.R": [[354, 377]], "Indicator: Trojan.MulDrop3.13823": [[378, 399]], "Indicator: Trojan.Mepaow.Win32.1575": [[400, 424]], "Indicator: Packed.PePatch.hiy": [[425, 443]], "Indicator: Trojan/Win32.Mepaow": [[444, 463]], "Indicator: Trojan.Buzy.33": [[464, 478]], "Indicator: Trojan:Win32/Rusparail.A": [[503, 527]], "Indicator: Trojan.Mepaow": [[528, 541]], "Indicator: Trj/CI.A": [[542, 550]], "Indicator: Win32.Trojan.Spy.Pbpm": [[551, 572]], "Indicator: Trojan.Mepaow!GQd1AlSBw3E": [[573, 598]], "Indicator: W32/QQPass.ELG!tr.pws": [[599, 620]]}, "info": {"id": "cyner2_5class_train_00859", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.TRSpy Trojan.DownLoader4.63572 Trojan/Win32.ADH Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.TRSpy": [[26, 37]], "Indicator: Trojan.DownLoader4.63572": [[38, 62]], "Indicator: Trojan/Win32.ADH": [[63, 79]], "Indicator: Trj/CI.A": [[80, 88]]}, "info": {"id": "cyner2_5class_train_00860", "source": "cyner2_5class_train"}} +{"text": "Many of these domains are compromised legitimate websites, and will automatically expire from this pulse within a month.", "spans": {"Indicator: domains": [[14, 21]], "Indicator: compromised legitimate websites,": [[26, 58]]}, "info": {"id": "cyner2_5class_train_00861", "source": "cyner2_5class_train"}} +{"text": "add a guard code to monitor its own 
processes,", "spans": {"Indicator: guard code": [[6, 16]]}, "info": {"id": "cyner2_5class_train_00862", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Onlinegames.P.mue Backdoor.Bot/Variant Trojan/Farfli.aag Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.brokcs TrojWare.Win32.Farfli.S Trojan.DownLoad3.17387 BehavesLike.Win32.Virut.qh Win32.Troj.Injector.GD.kcloud Trojan.Graftor.DEF08 W32.W.Otwycal.kYP3 Trojan.Scar Win32/Farfli.AAG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Onlinegames.P.mue": [[26, 50]], "Indicator: Backdoor.Bot/Variant": [[51, 71]], "Indicator: Trojan/Farfli.aag": [[72, 89]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[90, 132]], "Indicator: Trojan.Win32.Inject.brokcs": [[133, 159]], "Indicator: TrojWare.Win32.Farfli.S": [[160, 183]], "Indicator: Trojan.DownLoad3.17387": [[184, 206]], "Indicator: BehavesLike.Win32.Virut.qh": [[207, 233]], "Indicator: Win32.Troj.Injector.GD.kcloud": [[234, 263]], "Indicator: Trojan.Graftor.DEF08": [[264, 284]], "Indicator: W32.W.Otwycal.kYP3": [[285, 303]], "Indicator: Trojan.Scar": [[304, 315]], "Indicator: Win32/Farfli.AAG": [[316, 332]]}, "info": {"id": "cyner2_5class_train_00863", "source": "cyner2_5class_train"}} +{"text": "First , it modifies the Zygote process .", "spans": {"System: Zygote": [[24, 30]]}, "info": {"id": "cyner2_5class_train_00864", "source": "cyner2_5class_train"}} +{"text": "There are various types of actors involved in the mobile malware industry : virus writers , testers , interface designers of both the malicious apps and the web pages they are distributed from , owners of the partner programs that spread the malware , and mobile botnet owners .", "spans": {}, "info": {"id": "cyner2_5class_train_00865", "source": "cyner2_5class_train"}} +{"text": "The early targets: a vast number of US military and government networks, including Wright Patterson and Kelly Air Force Bases, the Army Research Lab, the Naval Sea 
Systems Command in Indian Head, Maryland, NASA, and the Department of Energy labs.", "spans": {"Organization: US military": [[36, 47]], "Organization: government networks,": [[52, 72]], "Organization: Wright Patterson": [[83, 99]], "Organization: Kelly Air Force Bases, the Army Research Lab, the Naval Sea Systems Command in Indian Head, Maryland, NASA,": [[104, 211]], "Organization: the Department of Energy labs.": [[216, 246]]}, "info": {"id": "cyner2_5class_train_00866", "source": "cyner2_5class_train"}} +{"text": "Poseidon scans the memory for running processes and employs keystroke logging to gather payment card data and credentials.", "spans": {"Malware: Poseidon": [[0, 8]], "Malware: keystroke logging": [[60, 77]], "Indicator: gather payment card data": [[81, 105]], "Indicator: credentials.": [[110, 122]]}, "info": {"id": "cyner2_5class_train_00867", "source": "cyner2_5class_train"}} +{"text": "Its main task is to bypass the two-factor authentication of the client in the online banking system .", "spans": {}, "info": {"id": "cyner2_5class_train_00868", "source": "cyner2_5class_train"}} +{"text": "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized malware campaigns", "spans": {"Organization: Proofpoint researchers": [[10, 32]], "Malware: macros": [[76, 82]]}, "info": {"id": "cyner2_5class_train_00869", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutoITFldE1.Worm Trojan.AutoIT.AHP Worm.AUTOIT.Tupym.A W32/Tupym.worm W32.W.AutoRun.llU2 WORM_SOHAND.SM Win32.Trojan.WisdomEyes.16070401.9500.9890 W32/Autorun.SX W32.Svich WORM_SOHAND.SM Win.Worm.Autorun-313 Virus.Win32.Virut.ce Trojan.AutoIT.AHP Trojan.AutoIT.AHP Virus.Win32.Virut.Ce Trojan.AutoIT.AHP Win32.Virut.56 Worm.Autorun.Win32.63723 Worm.Win32.AutoRun W32/Autorun.HBBB-2740 Worm/AutoRun.agto WORM/Autorun.aaer Virus/Win32.Virut.ce 
Trojan.AutoIT.AHP Virus.Win32.Virut.ce Trojan:Win32/Peaac.A!gfc HEUR/Fakon.mwf Trojan.AutoIT.AHP I-Worm.Autoit.EB Worm.Win32.Autorun.fnc Trojan.Autoit.ZA W32/Autoit.AHP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutoITFldE1.Worm": [[26, 46]], "Indicator: Trojan.AutoIT.AHP": [[47, 64], [259, 276], [277, 294], [316, 333], [472, 489], [551, 568]], "Indicator: Worm.AUTOIT.Tupym.A": [[65, 84]], "Indicator: W32/Tupym.worm": [[85, 99]], "Indicator: W32.W.AutoRun.llU2": [[100, 118]], "Indicator: WORM_SOHAND.SM": [[119, 133], [202, 216]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9890": [[134, 176]], "Indicator: W32/Autorun.SX": [[177, 191]], "Indicator: W32.Svich": [[192, 201]], "Indicator: Win.Worm.Autorun-313": [[217, 237]], "Indicator: Virus.Win32.Virut.ce": [[238, 258], [490, 510]], "Indicator: Virus.Win32.Virut.Ce": [[295, 315]], "Indicator: Win32.Virut.56": [[334, 348]], "Indicator: Worm.Autorun.Win32.63723": [[349, 373]], "Indicator: Worm.Win32.AutoRun": [[374, 392]], "Indicator: W32/Autorun.HBBB-2740": [[393, 414]], "Indicator: Worm/AutoRun.agto": [[415, 432]], "Indicator: WORM/Autorun.aaer": [[433, 450]], "Indicator: Virus/Win32.Virut.ce": [[451, 471]], "Indicator: Trojan:Win32/Peaac.A!gfc": [[511, 535]], "Indicator: HEUR/Fakon.mwf": [[536, 550]], "Indicator: I-Worm.Autoit.EB": [[569, 585]], "Indicator: Worm.Win32.Autorun.fnc": [[586, 608]], "Indicator: Trojan.Autoit.ZA": [[609, 625]], "Indicator: W32/Autoit.AHP!tr": [[626, 643]]}, "info": {"id": "cyner2_5class_train_00870", "source": "cyner2_5class_train"}} +{"text": "Rather, it uses a technique recently reported on by SensePost, which allows an attacker to craft a specifically created Microsoft Word document, which uses the Dynamic Data Exchange DDE protocol.", "spans": {"Malware: SensePost,": [[52, 62]], "Indicator: Microsoft Word document,": [[120, 144]], "System: the Dynamic Data Exchange DDE protocol.": [[156, 195]]}, "info": {"id": "cyner2_5class_train_00871", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.Greetyah.3584 Trojandownloader.Greetyah Downloader-BW.d Trojan/Downloader.Greetyah.b Win32/Wmpatch.B TROJ_GREETYAH.B Trojan-Downloader.Win32.Greetyah.b Trojan.Win32.Greetyah.hjbl Trojan.Win32.Downloader.3584.DU Troj.Downloader.W32.Greetyah.b!c Trojan-Downloader.Win32.Greetyah.b Trojan.Sysman Downloader.Greetyah.Win32.1 TROJ_GREETYAH.B Downloader-BW.d W32/Risk.VHLX-8577 TrojanDownloader.Greetyah.b W32.Malware.Downloader Trojan[Downloader]/Win32.Greetyah Trojan.Barys.D7C0 Trojan-Downloader.Win32.Greetyah.b TrojanDownloader:Win32/Greetyah.B Trojan/Win32.Downloader.R94251 Win32/TrojanDownloader.Greetyah.B Win32.Trojan-downloader.Greetyah.Llho Trojan.DL.Greetyah!8XCxgqzFn7g Trojan-Downloader.Win32.Tiny W32/Greetyah.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.Greetyah.3584": [[26, 61]], "Indicator: Trojandownloader.Greetyah": [[62, 87]], "Indicator: Downloader-BW.d": [[88, 103], [385, 400]], "Indicator: Trojan/Downloader.Greetyah.b": [[104, 132]], "Indicator: Win32/Wmpatch.B": [[133, 148]], "Indicator: TROJ_GREETYAH.B": [[149, 164], [369, 384]], "Indicator: Trojan-Downloader.Win32.Greetyah.b": [[165, 199], [292, 326], [523, 557]], "Indicator: Trojan.Win32.Greetyah.hjbl": [[200, 226]], "Indicator: Trojan.Win32.Downloader.3584.DU": [[227, 258]], "Indicator: Troj.Downloader.W32.Greetyah.b!c": [[259, 291]], "Indicator: Trojan.Sysman": [[327, 340]], "Indicator: Downloader.Greetyah.Win32.1": [[341, 368]], "Indicator: W32/Risk.VHLX-8577": [[401, 419]], "Indicator: TrojanDownloader.Greetyah.b": [[420, 447]], "Indicator: W32.Malware.Downloader": [[448, 470]], "Indicator: Trojan[Downloader]/Win32.Greetyah": [[471, 504]], "Indicator: Trojan.Barys.D7C0": [[505, 522]], "Indicator: TrojanDownloader:Win32/Greetyah.B": [[558, 591]], "Indicator: Trojan/Win32.Downloader.R94251": [[592, 622]], "Indicator: Win32/TrojanDownloader.Greetyah.B": [[623, 656]], "Indicator: 
Win32.Trojan-downloader.Greetyah.Llho": [[657, 694]], "Indicator: Trojan.DL.Greetyah!8XCxgqzFn7g": [[695, 725]], "Indicator: Trojan-Downloader.Win32.Tiny": [[726, 754]], "Indicator: W32/Greetyah.B!tr": [[755, 772]]}, "info": {"id": "cyner2_5class_train_00872", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9917 Trojan.Win32.ExtenBro.dqxgxi TR/Downloader.A.15310 TrojanDownloader:MSIL/Kilim.D Trj/CI.A Win32.Trojan.Downloader.Szvb Trojan.ExtenBro! MSIL/ExtenBro.BS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9917": [[26, 68]], "Indicator: Trojan.Win32.ExtenBro.dqxgxi": [[69, 97]], "Indicator: TR/Downloader.A.15310": [[98, 119]], "Indicator: TrojanDownloader:MSIL/Kilim.D": [[120, 149]], "Indicator: Trj/CI.A": [[150, 158]], "Indicator: Win32.Trojan.Downloader.Szvb": [[159, 187]], "Indicator: Trojan.ExtenBro!": [[188, 204]], "Indicator: MSIL/ExtenBro.BS!tr": [[205, 224]]}, "info": {"id": "cyner2_5class_train_00873", "source": "cyner2_5class_train"}} +{"text": "Please install the app immediately to avoid blocking your account .", "spans": {}, "info": {"id": "cyner2_5class_train_00874", "source": "cyner2_5class_train"}} +{"text": "Initial request by EventBot Initial request by EventBot to run as a service .", "spans": {"Malware: EventBot": [[19, 27], [47, 55]]}, "info": {"id": "cyner2_5class_train_00875", "source": "cyner2_5class_train"}} +{"text": "The exploit takes advantage of a buffer overflow vulnerability in the demo version of a program called Uploader!.", "spans": {"Malware: exploit": [[4, 11]], "Vulnerability: buffer overflow vulnerability": [[33, 62]], "Malware: Uploader!.": [[103, 113]]}, "info": {"id": "cyner2_5class_train_00876", "source": "cyner2_5class_train"}} +{"text": "( Please note this is a different app and not the same as the one being spread by hxxp : //tiny [ .", "spans": {"Indicator: hxxp : //tiny [ .": [[82, 99]]}, "info": {"id": 
"cyner2_5class_train_00877", "source": "cyner2_5class_train"}} +{"text": "The subject is a series of targeted attacks against private companies around the world.", "spans": {}, "info": {"id": "cyner2_5class_train_00878", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.CoinMiner.q Win32/CoinMiner.TD Trojan.BAT.BitMin.f Trojan.BtcMine.941 BehavesLike.Win32.Dropper.vc Trojan.Win32.CoinMiner TR/CoinMiner.nelvs Trojan.BAT.BitMin.f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.CoinMiner.q": [[26, 50]], "Indicator: Win32/CoinMiner.TD": [[51, 69]], "Indicator: Trojan.BAT.BitMin.f": [[70, 89], [180, 199]], "Indicator: Trojan.BtcMine.941": [[90, 108]], "Indicator: BehavesLike.Win32.Dropper.vc": [[109, 137]], "Indicator: Trojan.Win32.CoinMiner": [[138, 160]], "Indicator: TR/CoinMiner.nelvs": [[161, 179]]}, "info": {"id": "cyner2_5class_train_00879", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HT_FASONG_GA250334.UVPM Win32.Trojan-PSW.OLGames.bm HT_FASONG_GA250334.UVPM Win.Worm.Fasong-5 Win32.HLLW.Fasong.1 Trojan.Scar.Win32.103683 BehavesLike.Win32.BadFile.vh Worm.Win32.Fasong Worm:Win32/Fasong.I Trojan.Zusy.D3494E W32.W.Fasong.lZpB Win32/Fasong.J Trojan.Scar!YU9FfkV5QC0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HT_FASONG_GA250334.UVPM": [[26, 49], [78, 101]], "Indicator: Win32.Trojan-PSW.OLGames.bm": [[50, 77]], "Indicator: Win.Worm.Fasong-5": [[102, 119]], "Indicator: Win32.HLLW.Fasong.1": [[120, 139]], "Indicator: Trojan.Scar.Win32.103683": [[140, 164]], "Indicator: BehavesLike.Win32.BadFile.vh": [[165, 193]], "Indicator: Worm.Win32.Fasong": [[194, 211]], "Indicator: Worm:Win32/Fasong.I": [[212, 231]], "Indicator: Trojan.Zusy.D3494E": [[232, 250]], "Indicator: W32.W.Fasong.lZpB": [[251, 268]], "Indicator: Win32/Fasong.J": [[269, 283]], "Indicator: Trojan.Scar!YU9FfkV5QC0": [[284, 307]]}, "info": {"id": "cyner2_5class_train_00880", "source": "cyner2_5class_train"}} +{"text": 
"FakeSpy has been in the wild since 2017 ; this latest campaign indicates that it has become more powerful .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_00881", "source": "cyner2_5class_train"}} +{"text": "eSurv 's logo is identical to the Command & Control server favicon .", "spans": {"Organization: eSurv": [[0, 5]]}, "info": {"id": "cyner2_5class_train_00882", "source": "cyner2_5class_train"}} +{"text": "At the time of this writing the domain is still serving malware.", "spans": {"Indicator: domain": [[32, 38]], "Malware: malware.": [[56, 64]]}, "info": {"id": "cyner2_5class_train_00883", "source": "cyner2_5class_train"}} +{"text": "Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.", "spans": {"Indicator: Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.": [[0, 94]]}, "info": {"id": "cyner2_5class_train_00884", "source": "cyner2_5class_train"}} +{"text": "Gooligan , a family of Android malware that came to light in November after it compromised more than 1 million Google accounts , contained similar abilities to tamper with Google Play ratings .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android": [[23, 30]], "Organization: Google": [[111, 117]], "System: Google Play": [[172, 183]]}, "info": {"id": "cyner2_5class_train_00885", "source": "cyner2_5class_train"}} +{"text": "Obviously , this inevitably leaves the device open not only to further compromise but to data tampering as well .", "spans": {}, "info": {"id": "cyner2_5class_train_00886", "source": "cyner2_5class_train"}} +{"text": "In this article, we will describe the details of our investigation.", "spans": {}, "info": {"id": "cyner2_5class_train_00887", "source": "cyner2_5class_train"}} +{"text": "Knownsec Security Team has followed up this incident ever since its happening.", "spans": {"Organization: Knownsec Security Team": [[0, 22]]}, "info": {"id": 
"cyner2_5class_train_00888", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Virus.Win32.Sality!O TrojanPWS.Vkont Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Z.Packer.40610 Troj.W32.AntiAV.lApy BehavesLike.Win32.HLLPPhilis.nc Trojan/PSW.VKont.c TR/PSW.VKont.wwdih PWS:Win32/Vkont.A Trj/StartPage.DGO Backdoor.Win32.Hupigon Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Virus.Win32.Sality!O": [[48, 68]], "Indicator: TrojanPWS.Vkont": [[69, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[85, 127]], "Indicator: Trojan.Win32.Z.Packer.40610": [[128, 155]], "Indicator: Troj.W32.AntiAV.lApy": [[156, 176]], "Indicator: BehavesLike.Win32.HLLPPhilis.nc": [[177, 208]], "Indicator: Trojan/PSW.VKont.c": [[209, 227]], "Indicator: TR/PSW.VKont.wwdih": [[228, 246]], "Indicator: PWS:Win32/Vkont.A": [[247, 264]], "Indicator: Trj/StartPage.DGO": [[265, 282]], "Indicator: Backdoor.Win32.Hupigon": [[283, 305]], "Indicator: Win32/Trojan.2ff": [[306, 322]]}, "info": {"id": "cyner2_5class_train_00889", "source": "cyner2_5class_train"}} +{"text": "As can be observed , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner2_5class_train_00890", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heuristic.BehavesLike.Win32.Packed.A TrojanDownloader:Win32/Whinetroe.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heuristic.BehavesLike.Win32.Packed.A": [[26, 62]], "Indicator: TrojanDownloader:Win32/Whinetroe.A": [[63, 97]]}, "info": {"id": "cyner2_5class_train_00891", "source": "cyner2_5class_train"}} +{"text": "The two reports describe the same cybercriminal gang which stole up to several hundreds of millions of dollars from various financial institutions.", "spans": {"Organization: financial institutions.": [[124, 147]]}, "info": {"id": "cyner2_5class_train_00892", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Wozer.23552.B Worm.Wozer W32/Wozer.h Win32.Trojan.WisdomEyes.16070401.9500.9643 W32/Wozer.F W32.Wozer.Worm Email-Worm.Win32.Wozer.h Trojan.Win32.Wozer.eokb W32.W.Wozer.h!c Win32.Worm-email.Wozer.Wozu Worm.Win32.Wozer.H Win32.HLLW.Wozer.4 Worm.Wozer.Win32.11 BehavesLike.Win32.Backdoor.mc Backdoor.Win32.Optix I-Worm.Wozer.c Worm:Win32/Wozer.G@mm Worm[Email]/Win32.Wozer Worm.Wozer.h.kcloud Email-Worm.Win32.Wozer.h Worm:Win32/Wozer.G@mm Trojan/Win32.Rirc.R100483 Email-Worm.Wozer W32/Wozer.C.worm Win32/Wozer.H Worm.Wozer!/x/Vuw7rp3c W32/Wozer.H@mm Win32/Worm.Email-Worm.795", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Wozer.23552.B": [[26, 48]], "Indicator: Worm.Wozer": [[49, 59]], "Indicator: W32/Wozer.h": [[60, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9643": [[72, 114]], "Indicator: W32/Wozer.F": [[115, 126]], "Indicator: W32.Wozer.Worm": [[127, 141]], "Indicator: Email-Worm.Win32.Wozer.h": [[142, 166], [425, 449]], "Indicator: Trojan.Win32.Wozer.eokb": [[167, 190]], "Indicator: W32.W.Wozer.h!c": [[191, 206]], "Indicator: Win32.Worm-email.Wozer.Wozu": [[207, 234]], "Indicator: Worm.Win32.Wozer.H": [[235, 253]], "Indicator: Win32.HLLW.Wozer.4": [[254, 272]], "Indicator: Worm.Wozer.Win32.11": [[273, 292]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[293, 322]], "Indicator: Backdoor.Win32.Optix": [[323, 343]], "Indicator: I-Worm.Wozer.c": [[344, 358]], "Indicator: Worm:Win32/Wozer.G@mm": [[359, 380], [450, 471]], "Indicator: Worm[Email]/Win32.Wozer": [[381, 404]], "Indicator: Worm.Wozer.h.kcloud": [[405, 424]], "Indicator: Trojan/Win32.Rirc.R100483": [[472, 497]], "Indicator: Email-Worm.Wozer": [[498, 514]], "Indicator: W32/Wozer.C.worm": [[515, 531]], "Indicator: Win32/Wozer.H": [[532, 545]], "Indicator: Worm.Wozer!/x/Vuw7rp3c": [[546, 568]], "Indicator: W32/Wozer.H@mm": [[569, 583]], "Indicator: Win32/Worm.Email-Worm.795": [[584, 609]]}, "info": {"id": 
"cyner2_5class_train_00893", "source": "cyner2_5class_train"}} +{"text": "This post discusses our findings and potential security risks to iOS device users.", "spans": {"Vulnerability: potential security risks": [[37, 61]], "System: iOS device": [[65, 75]], "Organization: users.": [[76, 82]]}, "info": {"id": "cyner2_5class_train_00894", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Rootkit.27428 Trojan/W32.Rootkit.71040 Rootkit.27428 Backdoor.Rustock Rootkit.D6B24 Win32.Trojan.WisdomEyes.16070401.9500.9984 Hacktool.Rootkit Rootkit.27428 Rootkit.27428 Rootkit.27428 BehavesLike.Win32.Virut.kc Win32.Troj.Undef.kcloud Backdoor.Rustock Trojan.Win32.Rootkit Win32/RootKit.Rootkit.3e8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Rootkit.27428": [[26, 39], [65, 78], [170, 183], [184, 197], [198, 211]], "Indicator: Trojan/W32.Rootkit.71040": [[40, 64]], "Indicator: Backdoor.Rustock": [[79, 95], [263, 279]], "Indicator: Rootkit.D6B24": [[96, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[110, 152]], "Indicator: Hacktool.Rootkit": [[153, 169]], "Indicator: BehavesLike.Win32.Virut.kc": [[212, 238]], "Indicator: Win32.Troj.Undef.kcloud": [[239, 262]], "Indicator: Trojan.Win32.Rootkit": [[280, 300]], "Indicator: Win32/RootKit.Rootkit.3e8": [[301, 326]]}, "info": {"id": "cyner2_5class_train_00895", "source": "cyner2_5class_train"}} +{"text": "Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia .", "spans": {}, "info": {"id": "cyner2_5class_train_00896", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Kalockan Trojan.Graftor.D46F63 Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan.Win32.Z.Graftor.143360.EV BackDoor.Tdss Worm.Win32.Kalockan Worm:Win32/Kalockan.A Trj/CI.A Win32/Trojan.621", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Kalockan": [[26, 39]], 
"Indicator: Trojan.Graftor.D46F63": [[40, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9926": [[62, 104]], "Indicator: Trojan.Win32.Z.Graftor.143360.EV": [[105, 137]], "Indicator: BackDoor.Tdss": [[138, 151]], "Indicator: Worm.Win32.Kalockan": [[152, 171]], "Indicator: Worm:Win32/Kalockan.A": [[172, 193]], "Indicator: Trj/CI.A": [[194, 202]], "Indicator: Win32/Trojan.621": [[203, 219]]}, "info": {"id": "cyner2_5class_train_00897", "source": "cyner2_5class_train"}} +{"text": "] website 107 [ .", "spans": {"Indicator: 107 [ .": [[10, 17]]}, "info": {"id": "cyner2_5class_train_00898", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Backdoor.Ciadoor.13.3 W32/VB-Dropper-based.2!Maximus Backdoor.Ciadoor BKDR_CIAD1.TOMA Backdoor.Win32.Ciadoor.cvi Backdoor.Win32.Ciadoor!IK Backdoor.Win32.Ciadoor.G Trojan.DownLoader.62487 BDS/Ciadoor.13.4 BKDR_CIAD1.TOMA Backdoor/Ciadoor.130 TrojanDropper:Win32/Ciadoor.C W32/VB-Dropper-based.2!Maximus Backdoor.Ciadoor.cvi Backdoor.CiaDoor.13 Backdoor.Win32.Ciadoor W32/Ciadoor.V13!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Backdoor.Ciadoor.13.3": [[26, 53]], "Indicator: W32/VB-Dropper-based.2!Maximus": [[54, 84], [304, 334]], "Indicator: Backdoor.Ciadoor": [[85, 101]], "Indicator: BKDR_CIAD1.TOMA": [[102, 117], [237, 252]], "Indicator: Backdoor.Win32.Ciadoor.cvi": [[118, 144]], "Indicator: Backdoor.Win32.Ciadoor!IK": [[145, 170]], "Indicator: Backdoor.Win32.Ciadoor.G": [[171, 195]], "Indicator: Trojan.DownLoader.62487": [[196, 219]], "Indicator: BDS/Ciadoor.13.4": [[220, 236]], "Indicator: Backdoor/Ciadoor.130": [[253, 273]], "Indicator: TrojanDropper:Win32/Ciadoor.C": [[274, 303]], "Indicator: Backdoor.Ciadoor.cvi": [[335, 355]], "Indicator: Backdoor.CiaDoor.13": [[356, 375]], "Indicator: Backdoor.Win32.Ciadoor": [[376, 398]], "Indicator: W32/Ciadoor.V13!tr.bdr": [[399, 421]]}, "info": {"id": "cyner2_5class_train_00899", "source": "cyner2_5class_train"}} +{"text": "Third 
place is shared by Italy , Ukraine , and the United Kingdom .", "spans": {}, "info": {"id": "cyner2_5class_train_00900", "source": "cyner2_5class_train"}} +{"text": "Using privilege escalation", "spans": {"Vulnerability: privilege escalation": [[6, 26]]}, "info": {"id": "cyner2_5class_train_00901", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Ursus.A Backdoor/W32.Ursus.3072 BKDR_URSUS.A Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_URSUS.A Win.Trojan.Ursus-1 Backdoor.Ursus.A Backdoor.Win32.Ursus Backdoor.Ursus.A Trojan.Win32.Ursus.ehmu Backdoor.Win32.Ursus.3072 Backdoor.W32.Ursus!c Backdoor.Ursus.A Backdoor.Win32.Ursus.A Backdoor.Ursus.A BACKDOOR.Trojan Backdoor.Ursus.Win32.1 W32.Trojan.Trojan-Backdoor-Ursu Trojan[Backdoor]/Win32.Ursus Backdoor.Ursus.A Backdoor.Win32.Ursus Backdoor:Win32/Ursus.A Backdoor.Ursus.A Backdoor.Ursus Bck/Ursus.B Win32/Ursus.A Win32.Backdoor.Ursus.Wvkp Backdoor.Ursus!H8M0lbEN7e8 Trojan.Win32.Ursus W32/Ursus.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Ursus.A": [[26, 42], [171, 187], [209, 225], [297, 313], [337, 353], [454, 470], [515, 531]], "Indicator: Backdoor/W32.Ursus.3072": [[43, 66]], "Indicator: BKDR_URSUS.A": [[67, 79], [139, 151]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[80, 122]], "Indicator: Backdoor.Trojan": [[123, 138]], "Indicator: Win.Trojan.Ursus-1": [[152, 170]], "Indicator: Backdoor.Win32.Ursus": [[188, 208], [471, 491]], "Indicator: Trojan.Win32.Ursus.ehmu": [[226, 249]], "Indicator: Backdoor.Win32.Ursus.3072": [[250, 275]], "Indicator: Backdoor.W32.Ursus!c": [[276, 296]], "Indicator: Backdoor.Win32.Ursus.A": [[314, 336]], "Indicator: BACKDOOR.Trojan": [[354, 369]], "Indicator: Backdoor.Ursus.Win32.1": [[370, 392]], "Indicator: W32.Trojan.Trojan-Backdoor-Ursu": [[393, 424]], "Indicator: Trojan[Backdoor]/Win32.Ursus": [[425, 453]], "Indicator: Backdoor:Win32/Ursus.A": [[492, 514]], "Indicator: Backdoor.Ursus": [[532, 
546]], "Indicator: Bck/Ursus.B": [[547, 558]], "Indicator: Win32/Ursus.A": [[559, 572]], "Indicator: Win32.Backdoor.Ursus.Wvkp": [[573, 598]], "Indicator: Backdoor.Ursus!H8M0lbEN7e8": [[599, 625]], "Indicator: Trojan.Win32.Ursus": [[626, 644]], "Indicator: W32/Ursus.A!tr.bdr": [[645, 663]]}, "info": {"id": "cyner2_5class_train_00902", "source": "cyner2_5class_train"}} +{"text": "Certificate information The Android package is named \" verReznov.Coampany .", "spans": {"System: Android": [[28, 35]], "Indicator: verReznov.Coampany": [[55, 73]]}, "info": {"id": "cyner2_5class_train_00903", "source": "cyner2_5class_train"}} +{"text": "Downeks uses third party websites to determine the external IP of the victim machine, possibly to determine victim location with GeoIP.", "spans": {"Indicator: third party websites": [[13, 33]], "Indicator: external IP": [[51, 62]], "System: machine,": [[77, 85]], "Indicator: determine victim location with GeoIP.": [[98, 135]]}, "info": {"id": "cyner2_5class_train_00904", "source": "cyner2_5class_train"}} +{"text": "Why you need the Bank Austria Security App : Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted .", "spans": {"System: Bank Austria Security App": [[17, 42]]}, "info": {"id": "cyner2_5class_train_00905", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Paradise W32/Trojan.PLFO-2827 Ransom_Paradiz.R029C0DAC18 MSIL.Trojan-Ransom.Paradise.A Trojan.Win32.Encoder.exgjts Trojan.Encoder.14933 Ransom_Paradiz.R029C0DAC18 TR/FileCoder.gourg Ransom:MSIL/Paradiz.A!bit Ransom.FileCryptor Trj/GdSda.A Trojan.Filecoder!HVBN1jZrlCU MSIL/Paradise.A!tr.ransom", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Paradise": [[26, 48]], "Indicator: W32/Trojan.PLFO-2827": [[49, 69]], "Indicator: Ransom_Paradiz.R029C0DAC18": [[70, 96], [176, 202]], "Indicator: MSIL.Trojan-Ransom.Paradise.A": [[97, 126]], 
"Indicator: Trojan.Win32.Encoder.exgjts": [[127, 154]], "Indicator: Trojan.Encoder.14933": [[155, 175]], "Indicator: TR/FileCoder.gourg": [[203, 221]], "Indicator: Ransom:MSIL/Paradiz.A!bit": [[222, 247]], "Indicator: Ransom.FileCryptor": [[248, 266]], "Indicator: Trj/GdSda.A": [[267, 278]], "Indicator: Trojan.Filecoder!HVBN1jZrlCU": [[279, 307]], "Indicator: MSIL/Paradise.A!tr.ransom": [[308, 333]]}, "info": {"id": "cyner2_5class_train_00906", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Tapazom Trojan.Heur.E5D2E1 Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Win32.Winlock.crkzwj Win32.Backdoor.Tapazom.Hrfh Trojan.Winlock.7759 Trojan.Delf.Win32.59125 Backdoor.Win32.Tapazom W32/Trojan.HYVM-8493 BDS/Tapazom.A.82 Trojan[Ransom]/Win32.Blocker Backdoor:Win32/Tapazom.A HEUR/Fakon.mwf Trojan.Blocker!KkFY0lqXiEM Win32/Trojan.e5e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Tapazom": [[26, 42]], "Indicator: Trojan.Heur.E5D2E1": [[43, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9901": [[62, 104]], "Indicator: Trojan.Win32.Winlock.crkzwj": [[105, 132]], "Indicator: Win32.Backdoor.Tapazom.Hrfh": [[133, 160]], "Indicator: Trojan.Winlock.7759": [[161, 180]], "Indicator: Trojan.Delf.Win32.59125": [[181, 204]], "Indicator: Backdoor.Win32.Tapazom": [[205, 227]], "Indicator: W32/Trojan.HYVM-8493": [[228, 248]], "Indicator: BDS/Tapazom.A.82": [[249, 265]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[266, 294]], "Indicator: Backdoor:Win32/Tapazom.A": [[295, 319]], "Indicator: HEUR/Fakon.mwf": [[320, 334]], "Indicator: Trojan.Blocker!KkFY0lqXiEM": [[335, 361]], "Indicator: Win32/Trojan.e5e": [[362, 378]]}, "info": {"id": "cyner2_5class_train_00907", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MSIL.Zapchast.akhiw Trojan/MSIL.Zapchast Trojan.Strictor.D1662C Trojan.MSIL.Zapchast.akhiw W32/Zapchast.AKHIW!tr", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.MSIL.Zapchast.akhiw": [[69, 95], [140, 166]], "Indicator: Trojan/MSIL.Zapchast": [[96, 116]], "Indicator: Trojan.Strictor.D1662C": [[117, 139]], "Indicator: W32/Zapchast.AKHIW!tr": [[167, 188]]}, "info": {"id": "cyner2_5class_train_00908", "source": "cyner2_5class_train"}} +{"text": "According to RiskIQ ’ s PassiveTotal , the domain expired 7 months ago .", "spans": {"System: RiskIQ": [[13, 19]]}, "info": {"id": "cyner2_5class_train_00909", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Flooder.581632 W32/Trojan.GGXC-4249 Hacktool.Flooder TROJ_DRBLAST.A Email-Flooder.Win32.DirectBlaster.651 Trojan.Win32.DirectBlaster.dggz Email-Flooder.W32.DirectBlaster.651!c Trojan.PWS.Hukle.67 TROJ_DRBLAST.A W32/Trojan.AFHI Flooder.DirectBlaster.b TR/Flood.DirectBlaster.651 HackTool[Flooder]/Win32.DirectBlaster Spammer:Win32/DirectBlaster.6_51 Email-Flooder.Win32.DirectBlaster.651 EmailFlooder.DirectBlaster Flooder/DBlaster.B Win32.Trojan.Directblaster.Wrqh Flooder.DirectBlaster!mE1A4daHzRk Malware_fam.gw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Flooder.581632": [[26, 51]], "Indicator: W32/Trojan.GGXC-4249": [[52, 72]], "Indicator: Hacktool.Flooder": [[73, 89]], "Indicator: TROJ_DRBLAST.A": [[90, 104], [233, 247]], "Indicator: Email-Flooder.Win32.DirectBlaster.651": [[105, 142], [386, 423]], "Indicator: Trojan.Win32.DirectBlaster.dggz": [[143, 174]], "Indicator: Email-Flooder.W32.DirectBlaster.651!c": [[175, 212]], "Indicator: Trojan.PWS.Hukle.67": [[213, 232]], "Indicator: W32/Trojan.AFHI": [[248, 263]], "Indicator: Flooder.DirectBlaster.b": [[264, 287]], "Indicator: TR/Flood.DirectBlaster.651": [[288, 314]], "Indicator: HackTool[Flooder]/Win32.DirectBlaster": [[315, 352]], "Indicator: Spammer:Win32/DirectBlaster.6_51": [[353, 385]], "Indicator: EmailFlooder.DirectBlaster": [[424, 450]], "Indicator: Flooder/DBlaster.B": 
[[451, 469]], "Indicator: Win32.Trojan.Directblaster.Wrqh": [[470, 501]], "Indicator: Flooder.DirectBlaster!mE1A4daHzRk": [[502, 535]], "Indicator: Malware_fam.gw": [[536, 550]]}, "info": {"id": "cyner2_5class_train_00910", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Backdoor.Trojan BehavesLike.Win32.BadFile.ht TrojanDropper:Win32/Fedripto.A Trojan.Buzy.DD86 Win32/Backdoor.e9a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: BehavesLike.Win32.BadFile.ht": [[85, 113]], "Indicator: TrojanDropper:Win32/Fedripto.A": [[114, 144]], "Indicator: Trojan.Buzy.DD86": [[145, 161]], "Indicator: Win32/Backdoor.e9a": [[162, 180]]}, "info": {"id": "cyner2_5class_train_00911", "source": "cyner2_5class_train"}} +{"text": "Those vulnerabilities could have enabled someone to gain broad access to an Android device .", "spans": {"System: Android": [[76, 83]]}, "info": {"id": "cyner2_5class_train_00912", "source": "cyner2_5class_train"}} +{"text": "Other common functionalities include executing commands received from the attacker , taking screenshots of the victim 's device , fetching locations , stealing SMS messages and most common features that every spyware may poses .", "spans": {}, "info": {"id": "cyner2_5class_train_00913", "source": "cyner2_5class_train"}} +{"text": "However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal.", "spans": {"Organization: Unit 42": [[9, 16]], "Malware: custom malware arsenal.": [[83, 106]]}, "info": {"id": "cyner2_5class_train_00914", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan2.HLRY W32.W.Fearso.kYUv Trojan.DownLoader5.44969 BehavesLike.Win32.Rootkit.ph W32/Trojan.LZVM-6897 Trojan:Win32/Lukicsel.A W32/Dx.TOC!tr Win32/Trojan.c9e", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9931": [[26, 68]], "Indicator: W32/Trojan2.HLRY": [[69, 85]], "Indicator: W32.W.Fearso.kYUv": [[86, 103]], "Indicator: Trojan.DownLoader5.44969": [[104, 128]], "Indicator: BehavesLike.Win32.Rootkit.ph": [[129, 157]], "Indicator: W32/Trojan.LZVM-6897": [[158, 178]], "Indicator: Trojan:Win32/Lukicsel.A": [[179, 202]], "Indicator: W32/Dx.TOC!tr": [[203, 216]], "Indicator: Win32/Trojan.c9e": [[217, 233]]}, "info": {"id": "cyner2_5class_train_00915", "source": "cyner2_5class_train"}} +{"text": "Just starting to see the second run of today's Trickbot downloaders coming in.", "spans": {"Malware: Trickbot downloaders": [[47, 67]]}, "info": {"id": "cyner2_5class_train_00916", "source": "cyner2_5class_train"}} +{"text": "] it Reggio Calabria server3bo.exodus.connexxa [ .", "spans": {"Indicator: server3bo.exodus.connexxa [ .": [[21, 50]]}, "info": {"id": "cyner2_5class_train_00917", "source": "cyner2_5class_train"}} +{"text": "Sofacy also known as Fancy Bear Sednit STRONTIUM and APT28 is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries.", "spans": {"Organization: military": [[144, 152]], "Organization: government entities": [[157, 176]]}, "info": {"id": "cyner2_5class_train_00918", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TR/RedCap.dtrps Exploit:Win32/Spectre.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/RedCap.dtrps": [[26, 41]], "Indicator: Exploit:Win32/Spectre.A": [[42, 65]]}, "info": {"id": "cyner2_5class_train_00919", "source": "cyner2_5class_train"}} +{"text": "The application recording is implemented via two methods : Using the Android MediaRecorder class to capture a video of the screen when the targeted application is presented to the user Using the accessibility service to save a text file containing the data of all the objects on 
the screen Both files are later sent to the C & C server of the attacker .", "spans": {"System: Android": [[69, 76]]}, "info": {"id": "cyner2_5class_train_00920", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.EB9A Trojan/AutoRun.VB.ahf W32/Risk.HKZN-7619 Worm.AutoRun.Win32.41218 W32/MalwareF.MDOM Trojan/Refroso.alid TR/Comitsproc.whlbv Trojan/Win32.Scar.R211104 TScope.Trojan.VB Trj/CI.A Win32.Worm.Autorun.Dyzv Worm.AutoRun!QjN27yFtykA Worm.Win32.AutoRun W32/AutoRun.RPV!worm Win32/Trojan.df1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.EB9A": [[26, 42]], "Indicator: Trojan/AutoRun.VB.ahf": [[43, 64]], "Indicator: W32/Risk.HKZN-7619": [[65, 83]], "Indicator: Worm.AutoRun.Win32.41218": [[84, 108]], "Indicator: W32/MalwareF.MDOM": [[109, 126]], "Indicator: Trojan/Refroso.alid": [[127, 146]], "Indicator: TR/Comitsproc.whlbv": [[147, 166]], "Indicator: Trojan/Win32.Scar.R211104": [[167, 192]], "Indicator: TScope.Trojan.VB": [[193, 209]], "Indicator: Trj/CI.A": [[210, 218]], "Indicator: Win32.Worm.Autorun.Dyzv": [[219, 242]], "Indicator: Worm.AutoRun!QjN27yFtykA": [[243, 267]], "Indicator: Worm.Win32.AutoRun": [[268, 286]], "Indicator: W32/AutoRun.RPV!worm": [[287, 307]], "Indicator: Win32/Trojan.df1": [[308, 324]]}, "info": {"id": "cyner2_5class_train_00921", "source": "cyner2_5class_train"}} +{"text": "On 29 March 2017 the German Federal Office for Information Security BSI said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party.", "spans": {"Organization: German Federal Office for Information Security BSI": [[21, 71]], "Indicator: website": [[101, 108]], "Organization: Israeli newspaper Jerusalem Post": [[112, 144]], "Indicator: harmful third party.": [[177, 197]]}, "info": {"id": "cyner2_5class_train_00922", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus/W32.Induc Virus.Induc.Win32.1 W32.W.Deecee.lrKT 
Trojan.Induc.1 Win32.Virus.Induc.a W32/Trojan2.GROR W32.Induc.A Win32/Nedsym.C PE_INDUC.A Win.Virus.Induc-2 Virus.Win32.Induc.b Virus.Win32.Induc.dffkeg Win32.Induc.A Virus.Win32.Induc.A0 Win32.Induc PE_INDUC.A Trojan-Spy.Win32.Banker W32/Trojan.QGYF-1386 Win32/Induc.a W32/Induc.blr Trojan[Spy]/Win32.KeyLogger Win32.Induc.b.820224 Trojan:Win32/Nedsym.F Virus.Win32.Induc.b TrojanSpy.Delf Virus.Win32.Indcu.A.200014 Win32.Induc Virus.Win32.Induc.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus/W32.Induc": [[26, 41]], "Indicator: Virus.Induc.Win32.1": [[42, 61]], "Indicator: W32.W.Deecee.lrKT": [[62, 79]], "Indicator: Trojan.Induc.1": [[80, 94]], "Indicator: Win32.Virus.Induc.a": [[95, 114]], "Indicator: W32/Trojan2.GROR": [[115, 131]], "Indicator: W32.Induc.A": [[132, 143]], "Indicator: Win32/Nedsym.C": [[144, 158]], "Indicator: PE_INDUC.A": [[159, 169], [280, 290]], "Indicator: Win.Virus.Induc-2": [[170, 187]], "Indicator: Virus.Win32.Induc.b": [[188, 207], [435, 454]], "Indicator: Virus.Win32.Induc.dffkeg": [[208, 232]], "Indicator: Win32.Induc.A": [[233, 246]], "Indicator: Virus.Win32.Induc.A0": [[247, 267]], "Indicator: Win32.Induc": [[268, 279], [497, 508]], "Indicator: Trojan-Spy.Win32.Banker": [[291, 314]], "Indicator: W32/Trojan.QGYF-1386": [[315, 335]], "Indicator: Win32/Induc.a": [[336, 349]], "Indicator: W32/Induc.blr": [[350, 363]], "Indicator: Trojan[Spy]/Win32.KeyLogger": [[364, 391]], "Indicator: Win32.Induc.b.820224": [[392, 412]], "Indicator: Trojan:Win32/Nedsym.F": [[413, 434]], "Indicator: TrojanSpy.Delf": [[455, 469]], "Indicator: Virus.Win32.Indcu.A.200014": [[470, 496]], "Indicator: Virus.Win32.Induc.A": [[509, 528]]}, "info": {"id": "cyner2_5class_train_00923", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Geral!O Trojan.KillAV.Win32.4515 Trojan/KillAV.nka Trojan.Dropper.18 Trojan.KillAV Win32/Tnega.AANE Trojan.Win32.Drop.csaym Trojan.Win32.A.Downloader.44432[UPX] 
TrojWare.Win32.TrojanDownloader.Geral.djfl Trojan.MulDrop2.15 BehavesLike.Win32.Backdoor.pc Trojan.Win32.Claretore Trojan/Win32.Unknown Trojan:Win32/Bodime.C Win-Trojan/Inject.43892 Trojan.KillAV!AN0QbvE+MIE Win32/Trojan.BO.785", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Geral!O": [[26, 57]], "Indicator: Trojan.KillAV.Win32.4515": [[58, 82]], "Indicator: Trojan/KillAV.nka": [[83, 100]], "Indicator: Trojan.Dropper.18": [[101, 118]], "Indicator: Trojan.KillAV": [[119, 132]], "Indicator: Win32/Tnega.AANE": [[133, 149]], "Indicator: Trojan.Win32.Drop.csaym": [[150, 173]], "Indicator: Trojan.Win32.A.Downloader.44432[UPX]": [[174, 210]], "Indicator: TrojWare.Win32.TrojanDownloader.Geral.djfl": [[211, 253]], "Indicator: Trojan.MulDrop2.15": [[254, 272]], "Indicator: BehavesLike.Win32.Backdoor.pc": [[273, 302]], "Indicator: Trojan.Win32.Claretore": [[303, 325]], "Indicator: Trojan/Win32.Unknown": [[326, 346]], "Indicator: Trojan:Win32/Bodime.C": [[347, 368]], "Indicator: Win-Trojan/Inject.43892": [[369, 392]], "Indicator: Trojan.KillAV!AN0QbvE+MIE": [[393, 418]], "Indicator: Win32/Trojan.BO.785": [[419, 438]]}, "info": {"id": "cyner2_5class_train_00924", "source": "cyner2_5class_train"}} +{"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more .", "spans": {"System: Google Play": [[130, 141]], "System: Gmail": [[144, 149]], "System: Google Photos": [[152, 165]], "System: Google Docs": [[168, 179]], "System: G Suite": [[182, 189]], "System: Google Drive": [[192, 204]]}, "info": {"id": "cyner2_5class_train_00925", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.YRTS-5407 Trojan.MSIL.Androm.3 HackTool:MSIL/Boilod.C!bit Trojan/Win32.Boilod.C2311288", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: W32/Trojan.YRTS-5407": [[69, 89]], "Indicator: Trojan.MSIL.Androm.3": [[90, 110]], "Indicator: HackTool:MSIL/Boilod.C!bit": [[111, 137]], "Indicator: Trojan/Win32.Boilod.C2311288": [[138, 166]]}, "info": {"id": "cyner2_5class_train_00926", "source": "cyner2_5class_train"}} +{"text": "The Trojan's technical details and the vectors of its propagation were recently described in the blog by Unit42.", "spans": {"Malware: Trojan's": [[4, 12]], "Indicator: vectors": [[39, 46]], "Organization: Unit42.": [[105, 112]]}, "info": {"id": "cyner2_5class_train_00927", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.LecnaCShip.MUE.Z4 Win32.Trojan.WisdomEyes.16070401.9500.9955 Infostealer.Spasip Trojan.Win32.ShipUp.bbuken Trojan.MulDrop4.6955 Trojan/ShipUp.hh TR/Drop.ShipUp.vauvq Worm:Win32/Shup.A Trojan/Win32.ShipUp.R191080 Trj/CI.A W32/Lecna.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.LecnaCShip.MUE.Z4": [[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9955": [[54, 96]], "Indicator: Infostealer.Spasip": [[97, 115]], "Indicator: Trojan.Win32.ShipUp.bbuken": [[116, 142]], "Indicator: Trojan.MulDrop4.6955": [[143, 163]], "Indicator: Trojan/ShipUp.hh": [[164, 180]], "Indicator: TR/Drop.ShipUp.vauvq": [[181, 201]], "Indicator: Worm:Win32/Shup.A": [[202, 219]], "Indicator: Trojan/Win32.ShipUp.R191080": [[220, 247]], "Indicator: Trj/CI.A": [[248, 256]], "Indicator: W32/Lecna.C!tr": [[257, 271]]}, "info": {"id": "cyner2_5class_train_00928", "source": "cyner2_5class_train"}} +{"text": "For the hardware virtualization check , the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list .", "spans": {}, "info": {"id": "cyner2_5class_train_00929", "source": "cyner2_5class_train"}} +{"text": "In this blog post , we describe Chrysaor , a newly discovered family of spyware that was used in a 
targeted attack on a small number of Android devices , and how investigations like this help Google protect Android users from a variety of threats .", "spans": {"Malware: Chrysaor": [[32, 40]], "System: Android": [[136, 143], [207, 214]], "Organization: Google": [[192, 198]]}, "info": {"id": "cyner2_5class_train_00930", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RiskWare.SecurityXploded W32/Trojan.BXPP-2784 Win32.Riskware.Passdump.A Trojan.Win32.Stealer.dbmdyq Trojan.PWS.Stealer.13033 RiskWare[PSWTool]/Win32.PasswordCracker Unwanted/Win32.HackTool.R117574 not-a-virus:PSWTool.PasswordCracker HackTool.Samples Win32/Virus.PSW.c09", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RiskWare.SecurityXploded": [[26, 50]], "Indicator: W32/Trojan.BXPP-2784": [[51, 71]], "Indicator: Win32.Riskware.Passdump.A": [[72, 97]], "Indicator: Trojan.Win32.Stealer.dbmdyq": [[98, 125]], "Indicator: Trojan.PWS.Stealer.13033": [[126, 150]], "Indicator: RiskWare[PSWTool]/Win32.PasswordCracker": [[151, 190]], "Indicator: Unwanted/Win32.HackTool.R117574": [[191, 222]], "Indicator: not-a-virus:PSWTool.PasswordCracker": [[223, 258]], "Indicator: HackTool.Samples": [[259, 275]], "Indicator: Win32/Virus.PSW.c09": [[276, 295]]}, "info": {"id": "cyner2_5class_train_00931", "source": "cyner2_5class_train"}} +{"text": ") “ % USERNAME % , je vous ai envoyé un prepaiement m-leboncoin [ .", "spans": {"Indicator: m-leboncoin [ .": [[52, 67]]}, "info": {"id": "cyner2_5class_train_00932", "source": "cyner2_5class_train"}} +{"text": "Svpeng sends the corresponding messages to the SMS services of two banks .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner2_5class_train_00933", "source": "cyner2_5class_train"}} +{"text": "We have observed this trojan being submitted to public antivirus testing platforms , once as a package and once for each DLL to determine the detection ratio .", "spans": {}, "info": {"id": "cyner2_5class_train_00934", "source": 
"cyner2_5class_train"}} +{"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app .", "spans": {"Malware: HenBox": [[4, 10]], "Indicator: DroidVPN": [[62, 70]]}, "info": {"id": "cyner2_5class_train_00935", "source": "cyner2_5class_train"}} +{"text": "The domain was hosted by an IP address assigned to ito.gov[.]ir - The Iranian Ministry of Communication and Information Technology.", "spans": {"Indicator: domain": [[4, 10]], "Indicator: IP address assigned to ito.gov[.]ir": [[28, 63]], "Organization: The Iranian Ministry of Communication and Information Technology.": [[66, 131]]}, "info": {"id": "cyner2_5class_train_00936", "source": "cyner2_5class_train"}} +{"text": "Take voice call playback process for example .", "spans": {}, "info": {"id": "cyner2_5class_train_00937", "source": "cyner2_5class_train"}} +{"text": "Since at least November 2018, ITG03 actors have stolen money from ATMs in Asia and Africa, according to U.S. Government sources and Symantec.", "spans": {"System: ATMs": [[66, 70]], "Organization: U.S. 
Government sources": [[104, 127]], "Organization: Symantec.": [[132, 141]]}, "info": {"id": "cyner2_5class_train_00938", "source": "cyner2_5class_train"}} +{"text": "DDE traditionally allows for the sending of messages between applications that share data, for example from Word to Excel or vice versa.", "spans": {"System: DDE": [[0, 3]], "Indicator: sending of messages between applications": [[33, 73]], "System: Word": [[108, 112]], "System: Excel": [[116, 121]]}, "info": {"id": "cyner2_5class_train_00939", "source": "cyner2_5class_train"}} +{"text": "Privilege escalation requests The screens asking for the user 's approval wo n't close unless the user approves the privilege escalation .", "spans": {}, "info": {"id": "cyner2_5class_train_00940", "source": "cyner2_5class_train"}} +{"text": "Before sending any data to the C2 using the trojan attempts to disguise its data , the data is serialized using JSON , which is then encoded in Base64 .", "spans": {}, "info": {"id": "cyner2_5class_train_00941", "source": "cyner2_5class_train"}} +{"text": "The commands supported by the most recent version of the bot are listed below .", "spans": {}, "info": {"id": "cyner2_5class_train_00942", "source": "cyner2_5class_train"}} +{"text": "Over the past few months, we've been following a new type of worm we named PhotoMiner.", "spans": {"Malware: worm": [[61, 65]], "Malware: PhotoMiner.": [[75, 86]]}, "info": {"id": "cyner2_5class_train_00943", "source": "cyner2_5class_train"}} +{"text": "This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device 's settings .", "spans": {}, "info": {"id": "cyner2_5class_train_00944", "source": "cyner2_5class_train"}} +{"text": "] com ) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose .", "spans": {"Indicator: purpose .": [[125, 134]]}, "info": {"id": "cyner2_5class_train_00945", "source": 
"cyner2_5class_train"}} +{"text": "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background .", "spans": {}, "info": {"id": "cyner2_5class_train_00946", "source": "cyner2_5class_train"}} +{"text": "Researchers at Lumen Black Lotus Labs have identified a never-before-seen campaign involving compromised routers.", "spans": {"Organization: Researchers": [[0, 11]], "Organization: Lumen Black Lotus Labs": [[15, 37]], "System: compromised routers.": [[93, 113]]}, "info": {"id": "cyner2_5class_train_00947", "source": "cyner2_5class_train"}} +{"text": "It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan RAT called HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.", "spans": {"System: routers": [[26, 33]], "Indicator: malicious binaries,": [[50, 69]], "Malware: a Remote Access Trojan RAT": [[80, 106]], "Malware: HiatusRAT,": [[114, 124]], "Indicator: tcpdump": [[142, 149]], "Indicator: packet capture": [[163, 177]], "System: target device.": [[185, 199]]}, "info": {"id": "cyner2_5class_train_00948", "source": "cyner2_5class_train"}} +{"text": "Once the device is compromised, a process of sophisticated intelligence gathering starts, exploiting the ability to access the phone's video and audio capabilities, SMS functions, and location.", "spans": {"System: device": [[9, 15]], "Indicator: compromised,": [[19, 31]], "Vulnerability: exploiting": [[90, 100]], "Indicator: access the phone's video and audio capabilities, SMS functions, and location.": [[116, 193]]}, "info": {"id": "cyner2_5class_train_00949", "source": "cyner2_5class_train"}} +{"text": "This list is expected to grow in the future .", "spans": {}, "info": {"id": "cyner2_5class_train_00950", "source": "cyner2_5class_train"}} +{"text": "Zscaler's cloud sandboxes recently detected a Remote Access Trojan RAT being delivered by a well-known Chinese cyber espionage group using the Hacking Team's 0-day 
exploits.", "spans": {"Organization: Zscaler's cloud": [[0, 15]], "System: sandboxes": [[16, 25]], "Organization: Hacking": [[143, 150]], "Organization: Team's": [[151, 157]], "Malware: 0-day exploits.": [[158, 173]]}, "info": {"id": "cyner2_5class_train_00951", "source": "cyner2_5class_train"}} +{"text": "Tellingly , current virus writers have mastered commercial obfuscators .", "spans": {}, "info": {"id": "cyner2_5class_train_00952", "source": "cyner2_5class_train"}} +{"text": "Most of the IP addresses belong to known bulletproof hosting networks that advertise their services on different forums.", "spans": {"Indicator: IP addresses": [[12, 24]], "Organization: bulletproof hosting networks": [[41, 69]]}, "info": {"id": "cyner2_5class_train_00953", "source": "cyner2_5class_train"}} +{"text": "Some of them are iOS versions of the ones removed from Google Play , but none contain adware functionality .", "spans": {"System: iOS": [[17, 20]], "System: Google Play": [[55, 66]]}, "info": {"id": "cyner2_5class_train_00954", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Startpage.MP3 W32/Trojan2.NCFX Downloader.BBNK Win32/SillyDl.WLY Trojan.Downloader-96481 Trojan.Win32.A.Downloader.274432.H Trojan.DownLoad2.14890 TROJ_DLOAD.SMCV Heuristic.BehavesLike.Win32.AdSpyware.H TrojanDownloader:Win32/Sysfade.B W32/Trojan.QIXU-7273 HeurEngine.MaliciousPacker Win32/StartPage.NVY Trojan.Win32.Fednu.amu Trojan.Win32.StartPage Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Startpage.MP3": [[26, 46]], "Indicator: W32/Trojan2.NCFX": [[47, 63]], "Indicator: Downloader.BBNK": [[64, 79]], "Indicator: Win32/SillyDl.WLY": [[80, 97]], "Indicator: Trojan.Downloader-96481": [[98, 121]], "Indicator: Trojan.Win32.A.Downloader.274432.H": [[122, 156]], "Indicator: Trojan.DownLoad2.14890": [[157, 179]], "Indicator: TROJ_DLOAD.SMCV": [[180, 195]], "Indicator: Heuristic.BehavesLike.Win32.AdSpyware.H": [[196, 235]], "Indicator: 
TrojanDownloader:Win32/Sysfade.B": [[236, 268]], "Indicator: W32/Trojan.QIXU-7273": [[269, 289]], "Indicator: HeurEngine.MaliciousPacker": [[290, 316]], "Indicator: Win32/StartPage.NVY": [[317, 336]], "Indicator: Trojan.Win32.Fednu.amu": [[337, 359]], "Indicator: Trojan.Win32.StartPage": [[360, 382]], "Indicator: Trj/Downloader.MDW": [[383, 401]]}, "info": {"id": "cyner2_5class_train_00955", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLTSHWDN.Trojan Trojan.Azberg.B Trojan.Skeeyah Dropper.FrauDrop.Win32.3255 Backdoor.W32.Azbreg.miLK TSPY_AZBREG_BL132B01.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Dropper TSPY_AZBREG_BL132B01.TOMC Win.Trojan.Azberg-1 Trojan.Azberg.B Trojan-Downloader.Win32.Bandit.ey Trojan.Azberg.B Trojan.Win32.Azbreg.dtleix Trojan.Win32.Z.Azbreg.209435 Trojan.Azberg.B W32/Trojan.QMPY-2353 Win32.Hack.Azbreg.a.kcloud Trojan.Azberg.B Trojan-Downloader.Win32.Bandit.ey Trojan:Win32/HistBoader.A Backdoor/Win32.Azbreg.R29412 Trojan.Azberg.B Trj/CI.A Win32.Trojan-downloader.Bandit.Sxef Backdoor.Azbreg!vdtQoRBMLTw Trojan.Crypt Win32/Trojan.Dropper.e71", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLTSHWDN.Trojan": [[26, 51]], "Indicator: Trojan.Azberg.B": [[52, 67], [266, 281], [316, 331], [388, 403], [452, 467], [557, 572]], "Indicator: Trojan.Skeeyah": [[68, 82]], "Indicator: Dropper.FrauDrop.Win32.3255": [[83, 110]], "Indicator: Backdoor.W32.Azbreg.miLK": [[111, 135]], "Indicator: TSPY_AZBREG_BL132B01.TOMC": [[136, 161], [220, 245]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[162, 204]], "Indicator: Trojan.Dropper": [[205, 219]], "Indicator: Win.Trojan.Azberg-1": [[246, 265]], "Indicator: Trojan-Downloader.Win32.Bandit.ey": [[282, 315], [468, 501]], "Indicator: Trojan.Win32.Azbreg.dtleix": [[332, 358]], "Indicator: Trojan.Win32.Z.Azbreg.209435": [[359, 387]], "Indicator: W32/Trojan.QMPY-2353": [[404, 424]], "Indicator: Win32.Hack.Azbreg.a.kcloud": [[425, 451]], 
"Indicator: Trojan:Win32/HistBoader.A": [[502, 527]], "Indicator: Backdoor/Win32.Azbreg.R29412": [[528, 556]], "Indicator: Trj/CI.A": [[573, 581]], "Indicator: Win32.Trojan-downloader.Bandit.Sxef": [[582, 617]], "Indicator: Backdoor.Azbreg!vdtQoRBMLTw": [[618, 645]], "Indicator: Trojan.Crypt": [[646, 658]], "Indicator: Win32/Trojan.Dropper.e71": [[659, 683]]}, "info": {"id": "cyner2_5class_train_00956", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Heriplor Trj/CI.A Trojan.Rogue!T/cJXL8TDNE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[26, 68]], "Indicator: Trojan.Heriplor": [[69, 84]], "Indicator: Trj/CI.A": [[85, 93]], "Indicator: Trojan.Rogue!T/cJXL8TDNE": [[94, 118]]}, "info": {"id": "cyner2_5class_train_00957", "source": "cyner2_5class_train"}} +{"text": "It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", "spans": {"Indicator: attacks": [[24, 31]], "Organization: organizations": [[40, 53]], "Organization: industries": [[66, 76]], "Indicator: phishing emails.": [[112, 128]]}, "info": {"id": "cyner2_5class_train_00958", "source": "cyner2_5class_train"}} +{"text": "For years now, criminals behind banking Trojans, remote access tools RATs and other types of malware have targeted Microsoft Windows hosts in Brazil through malicious spam malspam.", "spans": {"Malware: banking Trojans, remote access tools RATs": [[32, 73]], "Malware: malware": [[93, 100]], "System: Microsoft Windows hosts": [[115, 138]], "Indicator: malicious spam malspam.": [[157, 180]]}, "info": {"id": "cyner2_5class_train_00959", "source": "cyner2_5class_train"}} +{"text": "This runs code in the onCreate ( ) method of the app ’ s MainActivity class , which in effect is the program ’ s entry point .", "spans": {}, "info": {"id": "cyner2_5class_train_00960", "source": "cyner2_5class_train"}} 
+{"text": "Riltok mobile Trojan : A banker with global reach 25 JUN 2019 Riltok is one of numerous families of mobile banking Trojans with standard ( for such malware ) functions and distribution methods .", "spans": {"Malware: Riltok": [[0, 6], [62, 68]]}, "info": {"id": "cyner2_5class_train_00961", "source": "cyner2_5class_train"}} +{"text": "After receiving the command , the Trojan attempts to execute it , before informing C & C of the execution status and any data received .", "spans": {}, "info": {"id": "cyner2_5class_train_00962", "source": "cyner2_5class_train"}} +{"text": "Palo Alto Networks researchers recently discovered a family of malware, designated ProxyBack, and observed over 20 versions that have been used to infect systems as far back as March 2014.", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: family of malware,": [[53, 71]], "Malware: ProxyBack,": [[83, 93]], "Malware: 20 versions": [[112, 123]], "System: systems": [[154, 161]]}, "info": {"id": "cyner2_5class_train_00963", "source": "cyner2_5class_train"}} +{"text": "The malicious ads would automatically no click required redirect users to a casino website used as decoy to silently load malicious iframes from disposable domains which ultimately lead to the Angler exploit kit.", "spans": {"Indicator: malicious ads": [[4, 17]], "Indicator: a casino website": [[74, 90]], "Indicator: decoy": [[99, 104]], "Indicator: malicious iframes": [[122, 139]], "Indicator: domains": [[156, 163]], "Malware: Angler exploit kit.": [[193, 212]]}, "info": {"id": "cyner2_5class_train_00964", "source": "cyner2_5class_train"}} +{"text": "Typically, other exploit kits make an effort to hide their exploits.", "spans": {"Malware: exploit kits": [[17, 29]], "Malware: exploits.": [[59, 68]]}, "info": {"id": "cyner2_5class_train_00965", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Badoor.2.0 Backdoor.Win32.Zemac!O Backdoor.Badoor.2.0 W32/VBTrojan.19G!Maximus 
BKDR_ZEMAC.B Win.Trojan.Zemac-1 Backdoor.Win32.Zemac.b Backdoor.Badoor.2.0 Trojan.Win32.Zemac.fypm Backdoor.Badoor.2.0 TrojWare.Win32.BackDoor.2_0 Backdoor.Badoor.2.0 BackDoor.Zemac.200 BKDR_ZEMAC.B W32/VBTrojan.19G!Maximus Backdoor/Zemac.b TR/Zemac.B Trojan[Backdoor]/Win32.Zemac Backdoor:Win32/Zemac.B Backdoor.Win32.Zemac.b Backdoor.Badoor.2.0 Backdoor.Badoor.2.0 Backdoor.Zemac Win32/BackDoor.2_0 W32/Bdoor.AR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Badoor.2.0": [[26, 45], [69, 88], [169, 188], [213, 232], [261, 280], [441, 460], [461, 480]], "Indicator: Backdoor.Win32.Zemac!O": [[46, 68]], "Indicator: W32/VBTrojan.19G!Maximus": [[89, 113], [313, 337]], "Indicator: BKDR_ZEMAC.B": [[114, 126], [300, 312]], "Indicator: Win.Trojan.Zemac-1": [[127, 145]], "Indicator: Backdoor.Win32.Zemac.b": [[146, 168], [418, 440]], "Indicator: Trojan.Win32.Zemac.fypm": [[189, 212]], "Indicator: TrojWare.Win32.BackDoor.2_0": [[233, 260]], "Indicator: BackDoor.Zemac.200": [[281, 299]], "Indicator: Backdoor/Zemac.b": [[338, 354]], "Indicator: TR/Zemac.B": [[355, 365]], "Indicator: Trojan[Backdoor]/Win32.Zemac": [[366, 394]], "Indicator: Backdoor:Win32/Zemac.B": [[395, 417]], "Indicator: Backdoor.Zemac": [[481, 495]], "Indicator: Win32/BackDoor.2_0": [[496, 514]], "Indicator: W32/Bdoor.AR!tr": [[515, 530]]}, "info": {"id": "cyner2_5class_train_00966", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Flooder.Win32.IntelIRC.15 Trojan.Flooder.Intelirc.1.5 Trojan.Win32.IntelIRC.dicf Flooder.W32.IntelIRC.15!c Trojan.Flooder.Intelirc.1.5 TrojWare.Win32.Flooder.IntelIRC.15 Trojan.Flooder.Intelirc.1.5 BackDoor.Spieluhr Tool.IntelIRC.Win32.1 Flooder.IntelIRC.b HackTool[Flooder]/Win32.IntelIRC Flooder.Win32.IntelIRC.15 Flooder.IntelIRC Win32/Flooder.IntelIRC.15 Trojan.Win32.Flooder Malware_fam.gw", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: Trojan.Flooder.Intelirc.1.5": [[26, 53], [54, 81], [82, 109], [110, 137], [164, 191], [245, 272], [308, 335]], "Indicator: Flooder.Win32.IntelIRC.15": [[138, 163], [428, 453]], "Indicator: Trojan.Win32.IntelIRC.dicf": [[192, 218]], "Indicator: Flooder.W32.IntelIRC.15!c": [[219, 244]], "Indicator: TrojWare.Win32.Flooder.IntelIRC.15": [[273, 307]], "Indicator: BackDoor.Spieluhr": [[336, 353]], "Indicator: Tool.IntelIRC.Win32.1": [[354, 375]], "Indicator: Flooder.IntelIRC.b": [[376, 394]], "Indicator: HackTool[Flooder]/Win32.IntelIRC": [[395, 427]], "Indicator: Flooder.IntelIRC": [[454, 470]], "Indicator: Win32/Flooder.IntelIRC.15": [[471, 496]], "Indicator: Trojan.Win32.Flooder": [[497, 517]], "Indicator: Malware_fam.gw": [[518, 532]]}, "info": {"id": "cyner2_5class_train_00967", "source": "cyner2_5class_train"}} +{"text": "The JAR file is the decrypted version of the file tong.luo , which is located in the assets folder .", "spans": {"Indicator: tong.luo": [[50, 58]]}, "info": {"id": "cyner2_5class_train_00968", "source": "cyner2_5class_train"}} +{"text": "The malware uses the function sendAll to send messages that spread the malware to other devices .", "spans": {}, "info": {"id": "cyner2_5class_train_00969", "source": "cyner2_5class_train"}} +{"text": "Talos continuously monitors malicious emails campaigns.", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "cyner2_5class_train_00970", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Slackbot.8329 Backdoor.Win32.Slackbot!O Backdoor/Slackbot.b TROJ_DLDER.A Win32.Trojan.WisdomEyes.16070401.9500.9979 W32/Slackbot.B Backdoor.Slackbot.10 Win32/Slack.10 TROJ_DLDER.A Win.Trojan.Slackbot-1 Backdoor.Win32.Slackbot.b Trojan.Win32.Slackbot.bmpwl Backdoor.Win32.Slackbot.7712 Virus.Malware.Sidldg!c Backdoor.Win32.Slackbot.B BackDoor.IRC.Sdbot.13459 Backdoor.Slackbot.Win32.28 BehavesLike.Win32.Downloader.xh Backdoor.Win32.Slackbot W32/Slackbot.TGFH-5934 
Trojan/PSW.Magania.imu BDS/SlackBot.B1 Trojan[Backdoor]/Win32.Slackbot Backdoor:Win32/Slackbot.D Backdoor.Slackbot Backdoor.Win32.Slackbot.b Win-Trojan/Slackbot.8329 Backdoor.Slackbot Bck/Slackbot.Be Win32/Slackbot.B Trojan.Slackbot.B W32/Slackbot.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Slackbot.8329": [[26, 52]], "Indicator: Backdoor.Win32.Slackbot!O": [[53, 78]], "Indicator: Backdoor/Slackbot.b": [[79, 98]], "Indicator: TROJ_DLDER.A": [[99, 111], [206, 218]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[112, 154]], "Indicator: W32/Slackbot.B": [[155, 169]], "Indicator: Backdoor.Slackbot.10": [[170, 190]], "Indicator: Win32/Slack.10": [[191, 205]], "Indicator: Win.Trojan.Slackbot-1": [[219, 240]], "Indicator: Backdoor.Win32.Slackbot.b": [[241, 266], [619, 644]], "Indicator: Trojan.Win32.Slackbot.bmpwl": [[267, 294]], "Indicator: Backdoor.Win32.Slackbot.7712": [[295, 323]], "Indicator: Virus.Malware.Sidldg!c": [[324, 346]], "Indicator: Backdoor.Win32.Slackbot.B": [[347, 372]], "Indicator: BackDoor.IRC.Sdbot.13459": [[373, 397]], "Indicator: Backdoor.Slackbot.Win32.28": [[398, 424]], "Indicator: BehavesLike.Win32.Downloader.xh": [[425, 456]], "Indicator: Backdoor.Win32.Slackbot": [[457, 480]], "Indicator: W32/Slackbot.TGFH-5934": [[481, 503]], "Indicator: Trojan/PSW.Magania.imu": [[504, 526]], "Indicator: BDS/SlackBot.B1": [[527, 542]], "Indicator: Trojan[Backdoor]/Win32.Slackbot": [[543, 574]], "Indicator: Backdoor:Win32/Slackbot.D": [[575, 600]], "Indicator: Backdoor.Slackbot": [[601, 618], [670, 687]], "Indicator: Win-Trojan/Slackbot.8329": [[645, 669]], "Indicator: Bck/Slackbot.Be": [[688, 703]], "Indicator: Win32/Slackbot.B": [[704, 720]], "Indicator: Trojan.Slackbot.B": [[721, 738]], "Indicator: W32/Slackbot.B!tr": [[739, 756]]}, "info": {"id": "cyner2_5class_train_00971", "source": "cyner2_5class_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner2_5class_train_00972", "source": 
"cyner2_5class_train"}} +{"text": "The notification was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device .", "spans": {"System: Android": [[75, 82]]}, "info": {"id": "cyner2_5class_train_00973", "source": "cyner2_5class_train"}} +{"text": "A few months ago, we covered the ChessMaster cyberespionage campaign, which leveraged a variety of toolsets and malware such as ChChes and remote access trojans like RedLeaves and PlugX to compromise its targets—primarily organizations in Japan.", "spans": {"Malware: toolsets": [[99, 107]], "Malware: malware": [[112, 119]], "Malware: ChChes": [[128, 134]], "Malware: remote access trojans": [[139, 160]], "Malware: RedLeaves": [[166, 175]], "Malware: PlugX": [[180, 185]], "Indicator: compromise": [[189, 199]], "Organization: organizations": [[222, 235]]}, "info": {"id": "cyner2_5class_train_00974", "source": "cyner2_5class_train"}} +{"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the “ screencap ” command and framebuffer direct reading Monitor clipboard content Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger .", "spans": {"Malware: RCSAndroid": [[31, 41]], "System: Skype": [[288, 293], [612, 617]], "System: Facebook": [[296, 304]], "System: Twitter": [[307, 314]], "System: Google": [[317, 323]], "System: WhatsApp": [[326, 334], [601, 609]], "System: Mail": [[337, 341]], "System: LinkedIn": 
[[348, 356]], "System: Gmail": [[409, 414]], "System: Facebook Messenger": [[580, 598]], "System: Viber": [[620, 625]], "System: Line": [[628, 632]], "System: WeChat": [[635, 641]], "System: Hangouts": [[644, 652]], "System: Telegram": [[655, 663]], "System: BlackBerry Messenger": [[670, 690]]}, "info": {"id": "cyner2_5class_train_00975", "source": "cyner2_5class_train"}} +{"text": "The nativesend method uses the Java Native Interface ( JNI ) to fetch and call the Android SMS API .", "spans": {"System: Android": [[83, 90]]}, "info": {"id": "cyner2_5class_train_00976", "source": "cyner2_5class_train"}} +{"text": "This IP is located in Los Angeles , U.S.A. , at a hosting company named “ Emagine Concept Inc ” .", "spans": {"Organization: Emagine Concept Inc": [[74, 93]]}, "info": {"id": "cyner2_5class_train_00977", "source": "cyner2_5class_train"}} +{"text": "As part of this breach, the media organization's website was being leveraged as a component of a malware campaign targeting select visitors.", "spans": {"Indicator: breach, the media organization's website": [[16, 56]], "Organization: visitors.": [[131, 140]]}, "info": {"id": "cyner2_5class_train_00978", "source": "cyner2_5class_train"}} +{"text": "The buyer can then choose to host/spread/distribute it in whatever way they see fit - as opposed to some of the more recent turn-key offerings like Ransom32, ORX-Locker, or Encryptor RAAS, which lack a full administrative panel and other customization features present in a fully packaged malware kit'.", "spans": {"Malware: Ransom32, ORX-Locker,": [[148, 169]], "Malware: Encryptor RAAS,": [[173, 188]], "Malware: malware kit'.": [[289, 302]]}, "info": {"id": "cyner2_5class_train_00979", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.HLLP.Delf.B Worm.Niklas RiskWare.Tool.CK Win32.HLLP.Delf.B Win32.Trojan.WisdomEyes.16070401.9500.9630 W32.HLLW.Niklas Win32.HLLP.Delf.B Virus.Win32.HLLP.Delf.b Win32.HLLP.Delf.B Trojan.Win32.Niklas.hekr 
Trojan.Dropper/Packed Win32.HLLP.Delf.B TrojWare.Win32.Patched.KSU Win32.HLLP.Delf.B Win32.HLLW.Atmetka Virus.Delf.Win32.30 BehavesLike.Win32.Downloader.lc Worm:Win32/Niklas.C W32/Hllp.Delf.E Worm:Win32/Niklas.C W32.HLLP.Delf.b!c Virus.Win32.HLLP.Delf.b Trojan/Win32.Xema.C36267 Win32.HLLP.Delf.B Win32.Virus.Hllp.Dztg HLLP.Delf.SV1 Trojan-PWS.Win32.Lmir.awg W32/HLLP.DELF.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.HLLP.Delf.B": [[26, 43], [73, 90], [150, 167], [192, 209], [257, 274], [302, 319], [514, 531]], "Indicator: Worm.Niklas": [[44, 55]], "Indicator: RiskWare.Tool.CK": [[56, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9630": [[91, 133]], "Indicator: W32.HLLW.Niklas": [[134, 149]], "Indicator: Virus.Win32.HLLP.Delf.b": [[168, 191], [465, 488]], "Indicator: Trojan.Win32.Niklas.hekr": [[210, 234]], "Indicator: Trojan.Dropper/Packed": [[235, 256]], "Indicator: TrojWare.Win32.Patched.KSU": [[275, 301]], "Indicator: Win32.HLLW.Atmetka": [[320, 338]], "Indicator: Virus.Delf.Win32.30": [[339, 358]], "Indicator: BehavesLike.Win32.Downloader.lc": [[359, 390]], "Indicator: Worm:Win32/Niklas.C": [[391, 410], [427, 446]], "Indicator: W32/Hllp.Delf.E": [[411, 426]], "Indicator: W32.HLLP.Delf.b!c": [[447, 464]], "Indicator: Trojan/Win32.Xema.C36267": [[489, 513]], "Indicator: Win32.Virus.Hllp.Dztg": [[532, 553]], "Indicator: HLLP.Delf.SV1": [[554, 567]], "Indicator: Trojan-PWS.Win32.Lmir.awg": [[568, 593]], "Indicator: W32/HLLP.DELF.B": [[594, 609]]}, "info": {"id": "cyner2_5class_train_00980", "source": "cyner2_5class_train"}} +{"text": "It also shows a current malware log .", "spans": {}, "info": {"id": "cyner2_5class_train_00981", "source": "cyner2_5class_train"}} +{"text": "Websense Security Labs researchers have been monitoring a mass scale malvertising campaign that leads to Angler Exploit Kit.", "spans": {"Organization: Websense Security Labs": [[0, 22]], "Malware: Angler Exploit Kit.": [[105, 124]]}, "info": {"id": 
"cyner2_5class_train_00982", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Win32.Worm.Autorun.VN Virus.Win32.Virut.1!O W32.Virut.G Win32.Worm.Autorun.VN W32.W.Bnf.tnnw Win32.Worm.Autorun.VN W32.SillyFDC Win32/Virut.17408 WORM_OTORUN.SMXY Win.Trojan.VB-73727 Worm.Win32.AutoRun.hfp Win32.Worm.Autorun.VN Trojan.Win32.Autoruner1.csgwlt Worm.Win32.Autorun.afe Win32.Worm.Autorun.VN Virus.Win32.Virut.CE Win32.Worm.Autorun.VN Win32.Virut.56 WORM_OTORUN.SMXY BehavesLike.Win32.Gupboot.ht Worm.Win32.AutoRun Win32/Virut.bv WORM/Autorun.hfp Trojan/Win32.Unknown Worm:Win32/Wecykler.A Worm.Win32.AutoRun.364544.A Worm.Win32.AutoRun.hfp HEUR/Fakon.mwf W32/Autorun.worm.aaav Worm.AutoRun.Silly Backdoor.Bot Worm.AutoRun!iW63fF1TdWk W32/AutoRun.GP!worm W32/Sality.AO Worm.Win32.FakeFolder.BY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Win32.Worm.Autorun.VN": [[39, 60], [95, 116], [132, 153], [245, 266], [321, 342], [364, 385]], "Indicator: Virus.Win32.Virut.1!O": [[61, 82]], "Indicator: W32.Virut.G": [[83, 94]], "Indicator: W32.W.Bnf.tnnw": [[117, 131]], "Indicator: W32.SillyFDC": [[154, 166]], "Indicator: Win32/Virut.17408": [[167, 184]], "Indicator: WORM_OTORUN.SMXY": [[185, 201], [401, 417]], "Indicator: Win.Trojan.VB-73727": [[202, 221]], "Indicator: Worm.Win32.AutoRun.hfp": [[222, 244], [569, 591]], "Indicator: Trojan.Win32.Autoruner1.csgwlt": [[267, 297]], "Indicator: Worm.Win32.Autorun.afe": [[298, 320]], "Indicator: Virus.Win32.Virut.CE": [[343, 363]], "Indicator: Win32.Virut.56": [[386, 400]], "Indicator: BehavesLike.Win32.Gupboot.ht": [[418, 446]], "Indicator: Worm.Win32.AutoRun": [[447, 465]], "Indicator: Win32/Virut.bv": [[466, 480]], "Indicator: WORM/Autorun.hfp": [[481, 497]], "Indicator: Trojan/Win32.Unknown": [[498, 518]], "Indicator: Worm:Win32/Wecykler.A": [[519, 540]], "Indicator: Worm.Win32.AutoRun.364544.A": [[541, 568]], "Indicator: HEUR/Fakon.mwf": [[592, 606]], "Indicator: 
W32/Autorun.worm.aaav": [[607, 628]], "Indicator: Worm.AutoRun.Silly": [[629, 647]], "Indicator: Backdoor.Bot": [[648, 660]], "Indicator: Worm.AutoRun!iW63fF1TdWk": [[661, 685]], "Indicator: W32/AutoRun.GP!worm": [[686, 705]], "Indicator: W32/Sality.AO": [[706, 719]], "Indicator: Worm.Win32.FakeFolder.BY": [[720, 744]]}, "info": {"id": "cyner2_5class_train_00983", "source": "cyner2_5class_train"}} +{"text": "In addition , the credit card grabber target list was expanded with Snapchat and Viber .", "spans": {"System: Snapchat": [[68, 76]], "System: Viber": [[81, 86]]}, "info": {"id": "cyner2_5class_train_00984", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameXLIIUAAR.Trojan Backdoor.Win32.Xtobox!O Backdoor/Xtob.m Win32.Trojan.WisdomEyes.16070401.9500.9787 W32/Risk.CVOB-2286 Win32/Tnega.AKCE Win.Trojan.Xtob-2 Backdoor.Win32.Xtob.m Trojan.Win32.Scar.bqzdl Backdoor.Win32.A.Xtob.118784[UPX] Backdoor.W32.Xtob!c BackDoor.Piroxcc TSPY_YAHOS_CD1000EC.RDXN BehavesLike.Win32.Dropper.dz Trojan.Win32.Scar W32/MalwareS.BFOO Trojan/Cosmu.drs Trojan[Backdoor]/Win32.Xtob Backdoor.Win32.Xtob.m Trojan:Win32/Scar.V Trojan/Win32.Scar.C104448 Backdoor.Xtob Win32.Backdoor.Xtob.Dyzl Trojan.Scar!bp+jOb+ovfY Win32/Backdoor.f23", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameXLIIUAAR.Trojan": [[26, 51]], "Indicator: Backdoor.Win32.Xtobox!O": [[52, 75]], "Indicator: Backdoor/Xtob.m": [[76, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9787": [[92, 134]], "Indicator: W32/Risk.CVOB-2286": [[135, 153]], "Indicator: Win32/Tnega.AKCE": [[154, 170]], "Indicator: Win.Trojan.Xtob-2": [[171, 188]], "Indicator: Backdoor.Win32.Xtob.m": [[189, 210], [441, 462]], "Indicator: Trojan.Win32.Scar.bqzdl": [[211, 234]], "Indicator: Backdoor.Win32.A.Xtob.118784[UPX]": [[235, 268]], "Indicator: Backdoor.W32.Xtob!c": [[269, 288]], "Indicator: BackDoor.Piroxcc": [[289, 305]], "Indicator: TSPY_YAHOS_CD1000EC.RDXN": [[306, 330]], "Indicator: 
BehavesLike.Win32.Dropper.dz": [[331, 359]], "Indicator: Trojan.Win32.Scar": [[360, 377]], "Indicator: W32/MalwareS.BFOO": [[378, 395]], "Indicator: Trojan/Cosmu.drs": [[396, 412]], "Indicator: Trojan[Backdoor]/Win32.Xtob": [[413, 440]], "Indicator: Trojan:Win32/Scar.V": [[463, 482]], "Indicator: Trojan/Win32.Scar.C104448": [[483, 508]], "Indicator: Backdoor.Xtob": [[509, 522]], "Indicator: Win32.Backdoor.Xtob.Dyzl": [[523, 547]], "Indicator: Trojan.Scar!bp+jOb+ovfY": [[548, 571]], "Indicator: Win32/Backdoor.f23": [[572, 590]]}, "info": {"id": "cyner2_5class_train_00985", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.VB!O Trojan.VB Trojan.Infidesgate Win32/Adslock.A Trojan-Ransom.Win32.VB.du Troj.Ransom.W32!c Trojan.DownLoader4.48837 BehavesLike.Win32.Trojan.nz Trojan-Ransom.Win32.VB Trojan[Ransom]/Win32.VB Ransom:Win32/Adslock.A Trojan-Ransom.Win32.VB.du Trojan/Win32.HDC.C94839 Win32.Trojan.Vb.Piah Trojan.ATRAPS!J/1Dm4j1sNA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.VB!O": [[26, 50]], "Indicator: Trojan.VB": [[51, 60]], "Indicator: Trojan.Infidesgate": [[61, 79]], "Indicator: Win32/Adslock.A": [[80, 95]], "Indicator: Trojan-Ransom.Win32.VB.du": [[96, 121], [263, 288]], "Indicator: Troj.Ransom.W32!c": [[122, 139]], "Indicator: Trojan.DownLoader4.48837": [[140, 164]], "Indicator: BehavesLike.Win32.Trojan.nz": [[165, 192]], "Indicator: Trojan-Ransom.Win32.VB": [[193, 215]], "Indicator: Trojan[Ransom]/Win32.VB": [[216, 239]], "Indicator: Ransom:Win32/Adslock.A": [[240, 262]], "Indicator: Trojan/Win32.HDC.C94839": [[289, 312]], "Indicator: Win32.Trojan.Vb.Piah": [[313, 333]], "Indicator: Trojan.ATRAPS!J/1Dm4j1sNA": [[334, 359]]}, "info": {"id": "cyner2_5class_train_00986", "source": "cyner2_5class_train"}} +{"text": "It ’ s been SophosLabs ’ observation that Red Alert Trojans usually have a randomized internal name like this .", "spans": {"Malware: Red Alert Trojans": [[42, 59]]}, "info": 
{"id": "cyner2_5class_train_00987", "source": "cyner2_5class_train"}} +{"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is information message or command .", "spans": {}, "info": {"id": "cyner2_5class_train_00988", "source": "cyner2_5class_train"}} +{"text": "A graphical representation of the data structure used to store each VM opcode The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization ( ASLR ) .", "spans": {}, "info": {"id": "cyner2_5class_train_00989", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropper.Sysn.Win32.882 Trojan.Win32.Spammer.dchmhr Trojan-Dropper.Win32.Sysn.ailj Trojan.DR.Sysn! Trojan.Spambot.12672 TR/Dynamer.ac.1747 Trojan[Dropper]/Win32.Sysn Win32.Troj.Sysn.ai.kcloud W32/Sysn.AILJ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropper.Sysn.Win32.882": [[26, 48]], "Indicator: Trojan.Win32.Spammer.dchmhr": [[49, 76]], "Indicator: Trojan-Dropper.Win32.Sysn.ailj": [[77, 107]], "Indicator: Trojan.DR.Sysn!": [[108, 123]], "Indicator: Trojan.Spambot.12672": [[124, 144]], "Indicator: TR/Dynamer.ac.1747": [[145, 163]], "Indicator: Trojan[Dropper]/Win32.Sysn": [[164, 190]], "Indicator: Win32.Troj.Sysn.ai.kcloud": [[191, 216]], "Indicator: W32/Sysn.AILJ!tr": [[217, 233]]}, "info": {"id": "cyner2_5class_train_00990", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.36864.BLO Win32.Trojan.WisdomEyes.16070401.9500.9887 Trojan.Win32.Small.vptjr Backdoor.Win32.Huigezi.oba BackDoor.IRC.NgrBot.189 Trojan.Zusy.D3B9D Trojan:Win32/Gutosver.A Trojan/Win32.Scar.R90823 TScope.Malware-Cryptor.SB W32/Small.NHC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.36864.BLO": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9887": [[53, 95]], "Indicator: Trojan.Win32.Small.vptjr": [[96, 120]], 
"Indicator: Backdoor.Win32.Huigezi.oba": [[121, 147]], "Indicator: BackDoor.IRC.NgrBot.189": [[148, 171]], "Indicator: Trojan.Zusy.D3B9D": [[172, 189]], "Indicator: Trojan:Win32/Gutosver.A": [[190, 213]], "Indicator: Trojan/Win32.Scar.R90823": [[214, 238]], "Indicator: TScope.Malware-Cryptor.SB": [[239, 264]], "Indicator: W32/Small.NHC!tr": [[265, 281]]}, "info": {"id": "cyner2_5class_train_00991", "source": "cyner2_5class_train"}} +{"text": "In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker aka TorrentLocker or Teerac ransomware.", "spans": {"Malware: Crypt0l0cker": [[96, 108]], "Malware: TorrentLocker": [[113, 126]], "Malware: Teerac ransomware.": [[130, 148]]}, "info": {"id": "cyner2_5class_train_00992", "source": "cyner2_5class_train"}} +{"text": "Most online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad agencies and/or ad networks.", "spans": {}, "info": {"id": "cyner2_5class_train_00993", "source": "cyner2_5class_train"}} +{"text": "The Android version was a hit from the get-go, and it was one of 2014 s most active Android threats, being detected in multiple campaigns during that year [1, 2, 3], including one that leveraged an SMS worm to automate and boost its infection process.", "spans": {"System: Android": [[4, 11], [84, 91]], "Indicator: SMS": [[198, 201]]}, "info": {"id": "cyner2_5class_train_00994", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.Spy.W32.Zbot.touj Trojan.Razy.D164A7 Win32.Trojan.WisdomEyes.16070401.9500.9649 Trojan.Win32.Zbot.eljrsb Trojan.Win32.Zbot.44544.AI Trojan.DownLoader22.26316 TrojanSpy.Zbot.fgio Trojan[Spy]/Win32.Zbot TrojanDownloader:Win32/Smordess.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.Spy.W32.Zbot.touj": [[26, 48]], "Indicator: Trojan.Razy.D164A7": [[49, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9649": [[68, 110]], "Indicator: 
Trojan.Win32.Zbot.eljrsb": [[111, 135]], "Indicator: Trojan.Win32.Zbot.44544.AI": [[136, 162]], "Indicator: Trojan.DownLoader22.26316": [[163, 188]], "Indicator: TrojanSpy.Zbot.fgio": [[189, 208]], "Indicator: Trojan[Spy]/Win32.Zbot": [[209, 231]], "Indicator: TrojanDownloader:Win32/Smordess.A": [[232, 265]]}, "info": {"id": "cyner2_5class_train_00995", "source": "cyner2_5class_train"}} +{"text": "Simple Backdoor Exploit to Hack Android Devices All you need to do to gain root access of an affected Android device is… Send the text \" rootmydevice '' to any undocumented debugging process .", "spans": {"System: Android": [[32, 39], [102, 109]]}, "info": {"id": "cyner2_5class_train_00996", "source": "cyner2_5class_train"}} +{"text": "The C2 server domain is linked to Thai food : Nampriknum [ .", "spans": {"Indicator: Nampriknum [ .": [[46, 60]]}, "info": {"id": "cyner2_5class_train_00997", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodceb.Trojan.2ec7 Trojan.Downloader.Delf.ER Trojan.Downloader.Delf.ER Downloader.Delf.Win32.5663 Trojan/Downloader.Delf.er Trojan.DL.Delf!VxwiJYoF8rw W32/Downloader.VRCK-6872 Trojan-Downloader.Win32.Delf.er Trojan.Downloader.Delf.ER Trojan.Win32.Delf.gudt Trojan.Win32.Downloader.17920.FB Trojan.Downloader.Delf.ER Trojan.Downloader.Delf.ER BehavesLike.Win32.PWSOnlineGames.lh W32/Downldr2.CMGJ TrojanDownloader.Dfg.a Trojan/Win32.Oirec Win32.Troj.Delf.er.kcloud PWS:Win32/Hacksoft.E Trojan.Downloader.Delf.ER Win-Trojan/Xema.variant TrojanDownloader.Delf Win32/TrojanDownloader.Delf.ER Win32.Trojan-downloader.Delf.Akoy Trojan-PWS.Win32.QQPass W32/DelpDldr.F!tr Downloader.Delf.4.BS Trojan.Win32.Delf.AVva", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodceb.Trojan.2ec7": [[26, 49]], "Indicator: Trojan.Downloader.Delf.ER": [[50, 75], [76, 101], [239, 264], [321, 346], [347, 372], [516, 541]], "Indicator: Downloader.Delf.Win32.5663": [[102, 128]], "Indicator: Trojan/Downloader.Delf.er": [[129, 154]], 
"Indicator: Trojan.DL.Delf!VxwiJYoF8rw": [[155, 181]], "Indicator: W32/Downloader.VRCK-6872": [[182, 206]], "Indicator: Trojan-Downloader.Win32.Delf.er": [[207, 238]], "Indicator: Trojan.Win32.Delf.gudt": [[265, 287]], "Indicator: Trojan.Win32.Downloader.17920.FB": [[288, 320]], "Indicator: BehavesLike.Win32.PWSOnlineGames.lh": [[373, 408]], "Indicator: W32/Downldr2.CMGJ": [[409, 426]], "Indicator: TrojanDownloader.Dfg.a": [[427, 449]], "Indicator: Trojan/Win32.Oirec": [[450, 468]], "Indicator: Win32.Troj.Delf.er.kcloud": [[469, 494]], "Indicator: PWS:Win32/Hacksoft.E": [[495, 515]], "Indicator: Win-Trojan/Xema.variant": [[542, 565]], "Indicator: TrojanDownloader.Delf": [[566, 587]], "Indicator: Win32/TrojanDownloader.Delf.ER": [[588, 618]], "Indicator: Win32.Trojan-downloader.Delf.Akoy": [[619, 652]], "Indicator: Trojan-PWS.Win32.QQPass": [[653, 676]], "Indicator: W32/DelpDldr.F!tr": [[677, 694]], "Indicator: Downloader.Delf.4.BS": [[695, 715]], "Indicator: Trojan.Win32.Delf.AVva": [[716, 738]]}, "info": {"id": "cyner2_5class_train_00998", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Gedza.c Trojan.Symmi.D54D9 Win32.Trojan.WisdomEyes.16070401.9500.9785 W32/P2P_Worm.TWVI-7072 W32.SillyP2P Win.Trojan.Aitselom-1 P2P-Worm.Win32.Gedza.c Trojan.Win32.Gedza.empl W32.W.Gedza.c!c Worm.Win32.Gedza.C Win32.HLLW.Aitselom Worm.Gedza.Win32.3 Worm.Win32.Gedza W32/P2PWorm.GQ Worm/Gedza.c Worm:Win32/Gedza.C WORM/Gedza.C.1 Worm[P2P]/Win32.Gedza Worm.Gedza.c.kcloud Worm:Win32/Gedza.C P2P-Worm.Win32.Gedza.c TScope.Trojan.Delf W32/Gedza.F.worm Win32/Gedza.C Worm.P2P.Gedza!r6gvDWKTb4U W32/Delf.NHN!tr Win32/Worm.a05", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Gedza.c": [[26, 37]], "Indicator: Trojan.Symmi.D54D9": [[38, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9785": [[57, 99]], "Indicator: W32/P2P_Worm.TWVI-7072": [[100, 122]], "Indicator: W32.SillyP2P": [[123, 135]], "Indicator: Win.Trojan.Aitselom-1": [[136, 157]], 
"Indicator: P2P-Worm.Win32.Gedza.c": [[158, 180], [419, 441]], "Indicator: Trojan.Win32.Gedza.empl": [[181, 204]], "Indicator: W32.W.Gedza.c!c": [[205, 220]], "Indicator: Worm.Win32.Gedza.C": [[221, 239]], "Indicator: Win32.HLLW.Aitselom": [[240, 259]], "Indicator: Worm.Gedza.Win32.3": [[260, 278]], "Indicator: Worm.Win32.Gedza": [[279, 295]], "Indicator: W32/P2PWorm.GQ": [[296, 310]], "Indicator: Worm/Gedza.c": [[311, 323]], "Indicator: Worm:Win32/Gedza.C": [[324, 342], [400, 418]], "Indicator: WORM/Gedza.C.1": [[343, 357]], "Indicator: Worm[P2P]/Win32.Gedza": [[358, 379]], "Indicator: Worm.Gedza.c.kcloud": [[380, 399]], "Indicator: TScope.Trojan.Delf": [[442, 460]], "Indicator: W32/Gedza.F.worm": [[461, 477]], "Indicator: Win32/Gedza.C": [[478, 491]], "Indicator: Worm.P2P.Gedza!r6gvDWKTb4U": [[492, 518]], "Indicator: W32/Delf.NHN!tr": [[519, 534]], "Indicator: Win32/Worm.a05": [[535, 549]]}, "info": {"id": "cyner2_5class_train_00999", "source": "cyner2_5class_train"}} +{"text": "It then calls a routine that adds a code section to a target module .", "spans": {}, "info": {"id": "cyner2_5class_train_01000", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Kangaroo Win32.Trojan.WisdomEyes.16070401.9500.9872 Trojan.Randsom.A Ransom_Apocalypse.R039C0DAT18 Win32.Trojan-Ransom.Apocalypse.D Trojan-Ransom.Win32.Kangar.a Trojan.Win32.Filecoder.epdfna Trojan.Encoder.5883 Ransom_Apocalypse.R039C0DAT18 BehavesLike.Win32.Worm.lt W32/Trojan.ATNA-2545 Ransom:Win32/Apocalypse.A!bit Trojan-Ransom.Win32.Kangar.a Trojan/Win32.Kangaroo.R194907 Trj/GdSda.A Trojan.Mikey.D127AA Win32/Filecoder.NIC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Kangaroo": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9872": [[42, 84]], "Indicator: Trojan.Randsom.A": [[85, 101]], "Indicator: Ransom_Apocalypse.R039C0DAT18": [[102, 131], [244, 273]], "Indicator: Win32.Trojan-Ransom.Apocalypse.D": [[132, 164]], "Indicator: 
Trojan-Ransom.Win32.Kangar.a": [[165, 193], [351, 379]], "Indicator: Trojan.Win32.Filecoder.epdfna": [[194, 223]], "Indicator: Trojan.Encoder.5883": [[224, 243]], "Indicator: BehavesLike.Win32.Worm.lt": [[274, 299]], "Indicator: W32/Trojan.ATNA-2545": [[300, 320]], "Indicator: Ransom:Win32/Apocalypse.A!bit": [[321, 350]], "Indicator: Trojan/Win32.Kangaroo.R194907": [[380, 409]], "Indicator: Trj/GdSda.A": [[410, 421]], "Indicator: Trojan.Mikey.D127AA": [[422, 441]], "Indicator: Win32/Filecoder.NIC": [[442, 461]]}, "info": {"id": "cyner2_5class_train_01001", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.AceDeciever.15 Trojan:Win32/AceDeceiver.A Trojan.Win32.Acedeceiver", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.AceDeciever.15": [[26, 47]], "Indicator: Trojan:Win32/AceDeceiver.A": [[48, 74]], "Indicator: Trojan.Win32.Acedeceiver": [[75, 99]]}, "info": {"id": "cyner2_5class_train_01002", "source": "cyner2_5class_train"}} +{"text": "The last time I saw proshuto8.exe it was Trickbot, but these malware gangs do mix match and reuse file names and delivery methods to deliver multiple different malwares.", "spans": {"Indicator: proshuto8.exe": [[20, 33]], "Malware: Trickbot,": [[41, 50]], "Indicator: file names": [[98, 108]], "Malware: malwares.": [[160, 169]]}, "info": {"id": "cyner2_5class_train_01003", "source": "cyner2_5class_train"}} +{"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy .", "spans": {"Malware: XLoader 6.0": [[17, 28]], "Malware: FakeSpy": [[151, 158]]}, "info": {"id": "cyner2_5class_train_01004", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PE:Malware.XPACK/RDM!5.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PE:Malware.XPACK/RDM!5.1": [[26, 50]]}, "info": {"id": "cyner2_5class_train_01005", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: W32/Dropper.ALXP Trojan.Dropper Trojan.Dropper-23429 Trojan-Dropper.Win32.Injector.hrpm Exploit.Servu!8cjzV0go40I Trojan.MulDrop.30820 Muster.c W32/Risk.XPXS-2512 TR/Expl.Servu.AK Trojan/Win32.Sasfis TrojanDropper:Win32/Apptom.B Virus.Win32.Part.a BScope.Trojan.Win32.Inject.2 Exploit.Win32.Servu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Dropper.ALXP": [[26, 42]], "Indicator: Trojan.Dropper": [[43, 57]], "Indicator: Trojan.Dropper-23429": [[58, 78]], "Indicator: Trojan-Dropper.Win32.Injector.hrpm": [[79, 113]], "Indicator: Exploit.Servu!8cjzV0go40I": [[114, 139]], "Indicator: Trojan.MulDrop.30820": [[140, 160]], "Indicator: Muster.c": [[161, 169]], "Indicator: W32/Risk.XPXS-2512": [[170, 188]], "Indicator: TR/Expl.Servu.AK": [[189, 205]], "Indicator: Trojan/Win32.Sasfis": [[206, 225]], "Indicator: TrojanDropper:Win32/Apptom.B": [[226, 254]], "Indicator: Virus.Win32.Part.a": [[255, 273]], "Indicator: BScope.Trojan.Win32.Inject.2": [[274, 302]], "Indicator: Exploit.Win32.Servu": [[303, 322]]}, "info": {"id": "cyner2_5class_train_01006", "source": "cyner2_5class_train"}} +{"text": "The core malware extracts the device ’ s installed app list .", "spans": {}, "info": {"id": "cyner2_5class_train_01007", "source": "cyner2_5class_train"}} +{"text": "And , of course , remember to always be wary of unsolicited , unusual text messages and installing apps from third-party sources on your Android smartphone .", "spans": {"System: Android smartphone": [[137, 155]]}, "info": {"id": "cyner2_5class_train_01008", "source": "cyner2_5class_train"}} +{"text": "The first variant involves social engineering the target into downloading a trojanized app .", "spans": {}, "info": {"id": "cyner2_5class_train_01009", "source": "cyner2_5class_train"}} +{"text": "A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above .", "spans": {"Indicator: bit.ly": [[16, 
22]], "System: Bank Austria": [[131, 143]]}, "info": {"id": "cyner2_5class_train_01010", "source": "cyner2_5class_train"}} +{"text": "The overwriting of the data files will make it extremley difficult and costly, if not impossible, to recover the data using standard forensic methods.", "spans": {}, "info": {"id": "cyner2_5class_train_01011", "source": "cyner2_5class_train"}} +{"text": "Android.Bankosy is a Trojan horse for Android devices that steals information from the compromised device.", "spans": {"Indicator: Android.Bankosy": [[0, 15]], "Malware: Trojan horse for": [[21, 37]], "System: Android devices": [[38, 53]], "Indicator: steals information": [[59, 77]], "System: compromised device.": [[87, 106]]}, "info": {"id": "cyner2_5class_train_01012", "source": "cyner2_5class_train"}} +{"text": "Series of attacks mostly against Israel-based organisations.", "spans": {"Organization: Israel-based organisations.": [[33, 60]]}, "info": {"id": "cyner2_5class_train_01013", "source": "cyner2_5class_train"}} +{"text": "The commands supported by the analyzed version of the Cerberus bot are listed below .", "spans": {"Malware: Cerberus": [[54, 62]]}, "info": {"id": "cyner2_5class_train_01014", "source": "cyner2_5class_train"}} +{"text": "You can find a full list with short descriptions in the Appendix .", "spans": {}, "info": {"id": "cyner2_5class_train_01015", "source": "cyner2_5class_train"}} +{"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task .", "spans": {"System: Android": [[3, 10]]}, "info": {"id": "cyner2_5class_train_01016", "source": "cyner2_5class_train"}} +{"text": "David Manouchehri released the information about the backdoor through its own Github account ( Pastebin ) and then apparently deleted it .", "spans": {"Organization: Github": [[78, 84]], "Organization: Pastebin": [[95, 103]]}, "info": {"id": "cyner2_5class_train_01017", "source": "cyner2_5class_train"}} 
+{"text": "As we ’ ve seen in last year ’ s mobile threat landscape , we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity , employing tried-and-tested techniques to lure unwitting users .", "spans": {}, "info": {"id": "cyner2_5class_train_01018", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnlineGameGLISC.Trojan W32/Mydoom.cf.dll WORM_MYDOOM.EA W32/Downloader.EZUZ-6892 Trojan.Dozer Win32/Mydoom.BS WORM_MYDOOM.EA Win.Downloader.73527-1 DDoS.Config.6 W32/Mydoom.cf.dll Trojan.Win32.Lyzapo W32/Downldr2.FZUB W32.Trojan.Worm-myDoom Trojan:Win32/Lyzapo.A Trojan/Win32.DDoS.R528 W32/MyDoom.HN.worm Win32/Lyzapo.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlineGameGLISC.Trojan": [[26, 52]], "Indicator: W32/Mydoom.cf.dll": [[53, 70], [192, 209]], "Indicator: WORM_MYDOOM.EA": [[71, 85], [140, 154]], "Indicator: W32/Downloader.EZUZ-6892": [[86, 110]], "Indicator: Trojan.Dozer": [[111, 123]], "Indicator: Win32/Mydoom.BS": [[124, 139]], "Indicator: Win.Downloader.73527-1": [[155, 177]], "Indicator: DDoS.Config.6": [[178, 191]], "Indicator: Trojan.Win32.Lyzapo": [[210, 229]], "Indicator: W32/Downldr2.FZUB": [[230, 247]], "Indicator: W32.Trojan.Worm-myDoom": [[248, 270]], "Indicator: Trojan:Win32/Lyzapo.A": [[271, 292]], "Indicator: Trojan/Win32.DDoS.R528": [[293, 315]], "Indicator: W32/MyDoom.HN.worm": [[316, 334]], "Indicator: Win32/Lyzapo.A": [[335, 349]]}, "info": {"id": "cyner2_5class_train_01019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Win32.Theefdl Trojan-Downloader.Win32!O Trojandownloader.Theefdl Downloader.Theefdl.Win32.5 TrojanDownloader.Win32.Theefdl W32/Theef.G@bd Downloader.Trojan Win32/TrojanDownloader.Theefdl TROJ_THEEFDL.A TrojanDownloader.Win32.Theefdl Trojan-Downloader.Win32.Theefdl TrojanDownloader.Win32.Theefdl Trojan.Win32.Theefdl.fydt Trojan.Win32.A.Downloader.81920.VZ TrojanDownloader.Win32.Theefdl 
TrojWare.Win32.TrojanDownloader.Theefdl Trojan.Thedl BehavesLike.Win32.Backdoor.mh Trojan-Downloader.Win32.Theefdl W32/Theef.TVQD-5666 TrojanDownloader.Theefdl Trojan[Downloader]/Win32.Theefdl TrojanDownloader:Win32/Theefdl.1_0 Trojan/Win32.Downloader.R94200 Trojan-Downloader.Win32.Theefdl TrojanDownloader.Win32.Theefdl TrojanDownloader.Theefdl Trojan.DL.Theefdl!lWNJHAF8U1M W32/Theefdl.G!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Win32.Theefdl": [[26, 56], [135, 165], [245, 275], [308, 338], [400, 430], [722, 752]], "Indicator: Trojan-Downloader.Win32!O": [[57, 82]], "Indicator: Trojandownloader.Theefdl": [[83, 107]], "Indicator: Downloader.Theefdl.Win32.5": [[108, 134]], "Indicator: W32/Theef.G@bd": [[166, 180]], "Indicator: Downloader.Trojan": [[181, 198]], "Indicator: Win32/TrojanDownloader.Theefdl": [[199, 229]], "Indicator: TROJ_THEEFDL.A": [[230, 244]], "Indicator: Trojan-Downloader.Win32.Theefdl": [[276, 307], [514, 545], [690, 721]], "Indicator: Trojan.Win32.Theefdl.fydt": [[339, 364]], "Indicator: Trojan.Win32.A.Downloader.81920.VZ": [[365, 399]], "Indicator: TrojWare.Win32.TrojanDownloader.Theefdl": [[431, 470]], "Indicator: Trojan.Thedl": [[471, 483]], "Indicator: BehavesLike.Win32.Backdoor.mh": [[484, 513]], "Indicator: W32/Theef.TVQD-5666": [[546, 565]], "Indicator: TrojanDownloader.Theefdl": [[566, 590], [753, 777]], "Indicator: Trojan[Downloader]/Win32.Theefdl": [[591, 623]], "Indicator: TrojanDownloader:Win32/Theefdl.1_0": [[624, 658]], "Indicator: Trojan/Win32.Downloader.R94200": [[659, 689]], "Indicator: Trojan.DL.Theefdl!lWNJHAF8U1M": [[778, 807]], "Indicator: W32/Theefdl.G!tr": [[808, 824]]}, "info": {"id": "cyner2_5class_train_01020", "source": "cyner2_5class_train"}} +{"text": "Next , the dropper checks its own parent process for indications that it is running in a sandbox setup .", "spans": {}, "info": {"id": "cyner2_5class_train_01021", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.NSAnti.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Riskware.NoobyProtect.B Trojan.Win32.NobodyProtect.eviakq TrojWare.Win32.Amtar.KNB Trojan.DownLoader4.12788 BehavesLike.Win32.Pate.tc Trojan:Win32/Gee.B Dropper/Win32.PcClient.R6061 Trojan.Cryptic", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSAnti.1": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: Win32.Riskware.NoobyProtect.B": [[85, 114]], "Indicator: Trojan.Win32.NobodyProtect.eviakq": [[115, 148]], "Indicator: TrojWare.Win32.Amtar.KNB": [[149, 173]], "Indicator: Trojan.DownLoader4.12788": [[174, 198]], "Indicator: BehavesLike.Win32.Pate.tc": [[199, 224]], "Indicator: Trojan:Win32/Gee.B": [[225, 243]], "Indicator: Dropper/Win32.PcClient.R6061": [[244, 272]], "Indicator: Trojan.Cryptic": [[273, 287]]}, "info": {"id": "cyner2_5class_train_01022", "source": "cyner2_5class_train"}} +{"text": "At the same time, in previous update activities, due to the setting of a specific named planned task, the researchers named it Blue Tea Action based on the name and Operation Black Ball 。", "spans": {"Organization: the researchers": [[102, 117]], "Malware: Blue Tea Action": [[127, 142]]}, "info": {"id": "cyner2_5class_train_01023", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SunimodG.Trojan Worm.Win32.Juched!O WORM_GANELP.SMIA W32.Griptolo WORM_GANELP.SMIA Win.Worm.Autorun-9195 Worm.Win32.Juched.209429 Worm.Win32.Jushed.KA Trojan.Proxy.20270 Trojan.Win32.Webprefix W32.Worm.Ganelp Worm/Win32.Juched Worm.Juched.d.kcloud Worm:Win32/Ganelp.E Trojan/Win32.Npkon.R18258 Worm.Juched Trojan.FakeJava Trojan.Win32.FakeFolder.bba", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SunimodG.Trojan": [[26, 45]], "Indicator: Worm.Win32.Juched!O": [[46, 65]], "Indicator: WORM_GANELP.SMIA": [[66, 82], [96, 112]], "Indicator: W32.Griptolo": [[83, 95]], "Indicator: Win.Worm.Autorun-9195": [[113, 134]], "Indicator: 
Worm.Win32.Juched.209429": [[135, 159]], "Indicator: Worm.Win32.Jushed.KA": [[160, 180]], "Indicator: Trojan.Proxy.20270": [[181, 199]], "Indicator: Trojan.Win32.Webprefix": [[200, 222]], "Indicator: W32.Worm.Ganelp": [[223, 238]], "Indicator: Worm/Win32.Juched": [[239, 256]], "Indicator: Worm.Juched.d.kcloud": [[257, 277]], "Indicator: Worm:Win32/Ganelp.E": [[278, 297]], "Indicator: Trojan/Win32.Npkon.R18258": [[298, 323]], "Indicator: Worm.Juched": [[324, 335]], "Indicator: Trojan.FakeJava": [[336, 351]], "Indicator: Trojan.Win32.FakeFolder.bba": [[352, 379]]}, "info": {"id": "cyner2_5class_train_01024", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WpechkLTD.Trojan Trojan-Spy/W32.Vskim.160256 Trojan.Mauvaise.SL1 Dropper.Dapato.Win32.16801 Trojan/Spy.POSCardStealer.k Win32.Trojan.WisdomEyes.16070401.9500.9904 Backdoor.Trojan BKDR_HESETOX.SMJ Trojan.Win32.Vskim.cqipth Backdoor.Win32.Hesetox.160260 Trojan.DownLoader8.15980 BKDR_HESETOX.SMJ BehavesLike.Win32.Dropper.ch Trojan[Dropper]/Win32.Dapato Backdoor:Win32/Hesetox.A Win-Trojan/Hesetox.160256 TrojanSpy.Vskim Backdoor.Bot.X Backdoor.Win32.Hesetox Win32/Trojan.IM.73c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WpechkLTD.Trojan": [[26, 46]], "Indicator: Trojan-Spy/W32.Vskim.160256": [[47, 74]], "Indicator: Trojan.Mauvaise.SL1": [[75, 94]], "Indicator: Dropper.Dapato.Win32.16801": [[95, 121]], "Indicator: Trojan/Spy.POSCardStealer.k": [[122, 149]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9904": [[150, 192]], "Indicator: Backdoor.Trojan": [[193, 208]], "Indicator: BKDR_HESETOX.SMJ": [[209, 225], [307, 323]], "Indicator: Trojan.Win32.Vskim.cqipth": [[226, 251]], "Indicator: Backdoor.Win32.Hesetox.160260": [[252, 281]], "Indicator: Trojan.DownLoader8.15980": [[282, 306]], "Indicator: BehavesLike.Win32.Dropper.ch": [[324, 352]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[353, 381]], "Indicator: Backdoor:Win32/Hesetox.A": [[382, 406]], "Indicator: 
Win-Trojan/Hesetox.160256": [[407, 432]], "Indicator: TrojanSpy.Vskim": [[433, 448]], "Indicator: Backdoor.Bot.X": [[449, 463]], "Indicator: Backdoor.Win32.Hesetox": [[464, 486]], "Indicator: Win32/Trojan.IM.73c": [[487, 506]]}, "info": {"id": "cyner2_5class_train_01025", "source": "cyner2_5class_train"}} +{"text": "Here are some highlights .", "spans": {}, "info": {"id": "cyner2_5class_train_01026", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.4904 Trojan.Clicker.Delf.CN Trojan.Clicker.Delf.CN Trojan/Clicker.Delf.cn Trojan.Win32.Delf.ifph Trojan.Adclicker TROJ_ADCLICKE.AS Trojan-Clicker.Win32.Delf.cn Trojan.CL.Delf!GHMyZMRoBZw Trojan.Win32.Clicker.197194[h] Troj.Clicker.W32.Delf.cn!c Virus.Win32.Heur.e Trojan.Clicker.Delf.CN Backdoor.Win32.Popwin.~IQ Trojan.Clicker.Delf.CN Trojan.Dasist Trojan.Delf.Win32.8103 TROJ_ADCLICKE.AS BehavesLike.Win32.PWSZbot.cc Trojan/Delf.ab TR/Click.Delf.CN.5 Trojan[Clicker]/Win32.Delf Trojan.Clicker.Delf.CN Win-Trojan/Xema.variant Trojan:Win32/Adcliker.K TrojanClicker.Delf Win32.Trojan.Delf.Lhxa Trojan.Clicker.Delf.CN Clicker.CSA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.4904": [[26, 42]], "Indicator: Trojan.Clicker.Delf.CN": [[43, 65], [66, 88], [302, 324], [351, 373], [518, 540], [631, 653]], "Indicator: Trojan/Clicker.Delf.cn": [[89, 111]], "Indicator: Trojan.Win32.Delf.ifph": [[112, 134]], "Indicator: Trojan.Adclicker": [[135, 151]], "Indicator: TROJ_ADCLICKE.AS": [[152, 168], [411, 427]], "Indicator: Trojan-Clicker.Win32.Delf.cn": [[169, 197]], "Indicator: Trojan.CL.Delf!GHMyZMRoBZw": [[198, 224]], "Indicator: Trojan.Win32.Clicker.197194[h]": [[225, 255]], "Indicator: Troj.Clicker.W32.Delf.cn!c": [[256, 282]], "Indicator: Virus.Win32.Heur.e": [[283, 301]], "Indicator: Backdoor.Win32.Popwin.~IQ": [[325, 350]], "Indicator: Trojan.Dasist": [[374, 387]], "Indicator: Trojan.Delf.Win32.8103": [[388, 410]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[428, 456]], 
"Indicator: Trojan/Delf.ab": [[457, 471]], "Indicator: TR/Click.Delf.CN.5": [[472, 490]], "Indicator: Trojan[Clicker]/Win32.Delf": [[491, 517]], "Indicator: Win-Trojan/Xema.variant": [[541, 564]], "Indicator: Trojan:Win32/Adcliker.K": [[565, 588]], "Indicator: TrojanClicker.Delf": [[589, 607]], "Indicator: Win32.Trojan.Delf.Lhxa": [[608, 630]], "Indicator: Clicker.CSA": [[654, 665]]}, "info": {"id": "cyner2_5class_train_01027", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Noobot!O Backdoor.Poftsyun Backdoor.W32.Noobot.h!c Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Ecltys Backdoor.Win32.Noobot.h Trojan.Win32.Noobot.ylgzy Backdoor.Win32.A.Noobot.158756 Backdoor.Noobot.Win32.6 BehavesLike.Win32.Downloader.ch Backdoor.Win32.Ecltys W32/Trojan.SKHW-8707 Backdoor/Noobot.d BDS/Noobot.A.14 Backdoor:Win32/Poftsyun.A Backdoor.Win32.Noobot.h Trojan/Win32.Noobot.R214072 Backdoor.Noobot Trojan.Zusy.D49A6 Win32.Backdoor.Noobot.Pfts Backdoor.Noobot!KDSSDgztHWQ W32/Noobot.H!tr.bdr Win32/Trojan.231", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Noobot!O": [[26, 49]], "Indicator: Backdoor.Poftsyun": [[50, 67]], "Indicator: Backdoor.W32.Noobot.h!c": [[68, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[92, 134]], "Indicator: Trojan.Ecltys": [[135, 148]], "Indicator: Backdoor.Win32.Noobot.h": [[149, 172], [389, 412]], "Indicator: Trojan.Win32.Noobot.ylgzy": [[173, 198]], "Indicator: Backdoor.Win32.A.Noobot.158756": [[199, 229]], "Indicator: Backdoor.Noobot.Win32.6": [[230, 253]], "Indicator: BehavesLike.Win32.Downloader.ch": [[254, 285]], "Indicator: Backdoor.Win32.Ecltys": [[286, 307]], "Indicator: W32/Trojan.SKHW-8707": [[308, 328]], "Indicator: Backdoor/Noobot.d": [[329, 346]], "Indicator: BDS/Noobot.A.14": [[347, 362]], "Indicator: Backdoor:Win32/Poftsyun.A": [[363, 388]], "Indicator: Trojan/Win32.Noobot.R214072": [[413, 440]], "Indicator: Backdoor.Noobot": [[441, 456]], "Indicator: 
Trojan.Zusy.D49A6": [[457, 474]], "Indicator: Win32.Backdoor.Noobot.Pfts": [[475, 501]], "Indicator: Backdoor.Noobot!KDSSDgztHWQ": [[502, 529]], "Indicator: W32/Noobot.H!tr.bdr": [[530, 549]], "Indicator: Win32/Trojan.231": [[550, 566]]}, "info": {"id": "cyner2_5class_train_01028", "source": "cyner2_5class_train"}} +{"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors .", "spans": {"Organization: Twitter": [[51, 58]]}, "info": {"id": "cyner2_5class_train_01029", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.ChePro.aaa WIN.MACRO.SCRIPT.IRC.WORM.Virus Trojan-Downloader.Win32.ChePro.aaa PUP/Win32.Avdownloader.C2126268", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.ChePro.aaa": [[26, 60], [93, 127]], "Indicator: WIN.MACRO.SCRIPT.IRC.WORM.Virus": [[61, 92]], "Indicator: PUP/Win32.Avdownloader.C2126268": [[128, 159]]}, "info": {"id": "cyner2_5class_train_01030", "source": "cyner2_5class_train"}} +{"text": "Threat actors keep taking advantage of the tax season in the US, using tax-related phishing scams to US-based victims to infect systems with stealthy malware.", "spans": {"Indicator: phishing scams": [[83, 97]], "Organization: US-based victims": [[101, 117]], "System: infect systems": [[121, 135]], "Malware: malware.": [[150, 158]]}, "info": {"id": "cyner2_5class_train_01031", "source": "cyner2_5class_train"}} +{"text": "In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199.", "spans": {"Indicator: phishing": [[18, 26]], "Indicator: RTF attachments": [[43, 58]], "Vulnerability: exploited the Microsoft Windows vulnerability": [[64, 109]], "Indicator: CVE 2017-0199.": [[123, 137]]}, "info": {"id": "cyner2_5class_train_01032", "source": "cyner2_5class_train"}} +{"text": "Back 
then it was detected as Trojan-Spy.AndroidOS.SmsThief , but later versions were assigned to another family – Trojan-Banker.AndroidOS.Rotexy .", "spans": {"Malware: Trojan-Spy.AndroidOS.SmsThief": [[29, 58]], "Malware: Trojan-Banker.AndroidOS.Rotexy": [[114, 144]]}, "info": {"id": "cyner2_5class_train_01033", "source": "cyner2_5class_train"}} +{"text": "These threats are usually exacerbated by the further abuse of legitimate tools such as PowerShell, or script automation utility AutoIt. It's thus not surprising that we discovered an information stealer employing LNK files, which our sensors detected in Israeli hospitals.", "spans": {"Malware: threats": [[6, 13]], "Indicator: legitimate tools": [[62, 78]], "Indicator: PowerShell,": [[87, 98]], "Indicator: script automation utility": [[102, 127]], "Malware: AutoIt.": [[128, 135]], "Indicator: stealer employing LNK files,": [[195, 223]], "Organization: Israeli hospitals.": [[254, 272]]}, "info": {"id": "cyner2_5class_train_01034", "source": "cyner2_5class_train"}} +{"text": "] 251 2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {"Indicator: 2d108ff3a735dea1d1fdfa430f37fab2": [[6, 38]], "Indicator: com.psiphon3": [[39, 51]], "Indicator: 188.165.49 [ .": [[63, 77]]}, "info": {"id": "cyner2_5class_train_01035", "source": "cyner2_5class_train"}} +{"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a 
pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment .", "spans": {}, "info": {"id": "cyner2_5class_train_01036", "source": "cyner2_5class_train"}} +{"text": "The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.", "spans": {"Malware: malware": [[58, 65]], "Malware: Redline Stealer, AgentTesla, Eternity, Blackmoon": [[76, 124]], "Malware: Philadelphia Ransomware.": [[129, 153]]}, "info": {"id": "cyner2_5class_train_01037", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Otwyacal.C Win32.Trojan.WisdomEyes.16070401.9500.9748 W32.Wapomi.C!inf Win.Trojan.Vjadtre-6170948-0 Win32.HLLP.Protil.1 BehavesLike.Win32.Virut.ch W32/Jadtre.C Trojan.Symmi.D4E83 Trj/CI.A Win32/Wapomi.Z Virus.Win32.Wapomi.a Exploit.Win32.ShellCode", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Otwyacal.C": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9748": [[41, 83]], "Indicator: W32.Wapomi.C!inf": [[84, 100]], "Indicator: Win.Trojan.Vjadtre-6170948-0": [[101, 129]], "Indicator: Win32.HLLP.Protil.1": [[130, 149]], "Indicator: BehavesLike.Win32.Virut.ch": [[150, 176]], "Indicator: W32/Jadtre.C": [[177, 189]], "Indicator: Trojan.Symmi.D4E83": [[190, 208]], "Indicator: Trj/CI.A": [[209, 217]], "Indicator: Win32/Wapomi.Z": [[218, 232]], "Indicator: Virus.Win32.Wapomi.a": [[233, 253]], 
"Indicator: Exploit.Win32.ShellCode": [[254, 277]]}, "info": {"id": "cyner2_5class_train_01038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Msil Trojan.Kazy.D4D672 TrojanDownloader:MSIL/Winpud.A Trojan/Win32.Inject.C149530 Win32/Trojan.a9f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Msil": [[69, 80]], "Indicator: Trojan.Kazy.D4D672": [[81, 99]], "Indicator: TrojanDownloader:MSIL/Winpud.A": [[100, 130]], "Indicator: Trojan/Win32.Inject.C149530": [[131, 158]], "Indicator: Win32/Trojan.a9f": [[159, 175]]}, "info": {"id": "cyner2_5class_train_01039", "source": "cyner2_5class_train"}} +{"text": "Enlarge / Hummingbad/Shedun infections by Android version .", "spans": {"Malware: Hummingbad/Shedun": [[10, 27]], "System: Android": [[42, 49]]}, "info": {"id": "cyner2_5class_train_01040", "source": "cyner2_5class_train"}} +{"text": "However, the attacks against targets in the Middle East except Israel were renewed in less than 20 days.", "spans": {"Indicator: attacks": [[13, 20]]}, "info": {"id": "cyner2_5class_train_01041", "source": "cyner2_5class_train"}} +{"text": "rename .APK Android application package files used to install the malicious apps,", "spans": {"Indicator: rename .APK": [[0, 11]], "System: Android application package": [[12, 39]], "Indicator: files": [[40, 45]], "Malware: malicious apps,": [[66, 81]]}, "info": {"id": "cyner2_5class_train_01042", "source": "cyner2_5class_train"}} +{"text": "Malicious code was appended to the compromised script file, which redirected a visitor.", "spans": {"Malware: Malicious code": [[0, 14]], "Indicator: compromised script file,": [[35, 59]]}, "info": {"id": "cyner2_5class_train_01043", "source": "cyner2_5class_train"}} +{"text": "The backdoor provided an alternative foothold in several observed instances for the group and employed a few tricks like using the Intel 
SSE extended instruction set to avoid emulation and obscure analysis.", "spans": {"Malware: The backdoor": [[0, 12]], "Organization: group": [[84, 89]], "Vulnerability: the Intel SSE extended instruction set": [[127, 165]]}, "info": {"id": "cyner2_5class_train_01044", "source": "cyner2_5class_train"}} +{"text": "The malware uses the Tor anonymity network for command and control C2 and does not require network connectivity to encrypt files, which complicates detection, prevention, and remediation.", "spans": {"Malware: malware": [[4, 11]], "Indicator: Tor anonymity network": [[21, 42]], "Indicator: command and control C2": [[47, 69]]}, "info": {"id": "cyner2_5class_train_01045", "source": "cyner2_5class_train"}} +{"text": "The trojan will receive instructions from the C2 to spread .", "spans": {}, "info": {"id": "cyner2_5class_train_01046", "source": "cyner2_5class_train"}} +{"text": "The list of vulnerable devices, as well as the logins and passwords that go with them, are stored on the server belonging to the cybercriminals.", "spans": {"Vulnerability: vulnerable devices,": [[12, 31]], "Vulnerability: logins": [[47, 53]], "Vulnerability: passwords": [[58, 67]], "System: the server": [[101, 111]]}, "info": {"id": "cyner2_5class_train_01047", "source": "cyner2_5class_train"}} +{"text": "NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication.", "spans": {"Malware: NexusLogger": [[0, 11]], "Malware: cloud-based keylogger": [[17, 38]], "System: Microsoft .NET Framework": [[53, 77]]}, "info": {"id": "cyner2_5class_train_01048", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.CC Packed.Win32.CPEX-based!O Backdoor.PePatch.Win32.2676 Trojan.Crypt.CC W32/Trojan.GQIB-3577 TrojanSpy.KeyLogger Trojan.Win32.Llac.laav Trojan.Win32.CPEXbased.oyaq Trojan.Win32.Buzus.589824[UPX] Packer.W32.CPEX-based.kZ3Y Trojan.Crypt.CC Trojan.PWS.Lineage.4319 BehavesLike.Win32.PUPXAO.dh 
W32/Trojan2.ANIR Trojan/Buzus.afzu TR/Dldr.Buzus.dhk Trojan[Packed]/Win32.CPEX-based TrojanDropper:Win32/Sharke.C Trojan.Crypt.CC Trojan.Win32.Llac.laav Trojan.Crypt.CC Trojan/Win32.Buzus.C22005 Trojan.Crypt.CC Trojan.Crypt.CC HackTool.Win32.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.CC": [[26, 41], [96, 111], [262, 277], [444, 459], [483, 498], [525, 540], [541, 556]], "Indicator: Packed.Win32.CPEX-based!O": [[42, 67]], "Indicator: Backdoor.PePatch.Win32.2676": [[68, 95]], "Indicator: W32/Trojan.GQIB-3577": [[112, 132]], "Indicator: TrojanSpy.KeyLogger": [[133, 152]], "Indicator: Trojan.Win32.Llac.laav": [[153, 175], [460, 482]], "Indicator: Trojan.Win32.CPEXbased.oyaq": [[176, 203]], "Indicator: Trojan.Win32.Buzus.589824[UPX]": [[204, 234]], "Indicator: Packer.W32.CPEX-based.kZ3Y": [[235, 261]], "Indicator: Trojan.PWS.Lineage.4319": [[278, 301]], "Indicator: BehavesLike.Win32.PUPXAO.dh": [[302, 329]], "Indicator: W32/Trojan2.ANIR": [[330, 346]], "Indicator: Trojan/Buzus.afzu": [[347, 364]], "Indicator: TR/Dldr.Buzus.dhk": [[365, 382]], "Indicator: Trojan[Packed]/Win32.CPEX-based": [[383, 414]], "Indicator: TrojanDropper:Win32/Sharke.C": [[415, 443]], "Indicator: Trojan/Win32.Buzus.C22005": [[499, 524]], "Indicator: HackTool.Win32.Crypt": [[557, 577]]}, "info": {"id": "cyner2_5class_train_01049", "source": "cyner2_5class_train"}} +{"text": "The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap.", "spans": {"Indicator: URLs": [[4, 8]], "Malware: Sundown": [[13, 20]], "Indicator: Flash files end in .swf,": [[34, 58]], "Malware: Silverlight": [[65, 76]], "Indicator: requests end in .xap.": [[77, 98]]}, "info": {"id": "cyner2_5class_train_01050", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Trojan Trojan.Win32.Mlw.euwoug Backdoor:Win32/DarkEnergy.A!bit Backdoor.Bot Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Trojan": [[26, 
41]], "Indicator: Trojan.Win32.Mlw.euwoug": [[42, 65]], "Indicator: Backdoor:Win32/DarkEnergy.A!bit": [[66, 97]], "Indicator: Backdoor.Bot": [[98, 110]], "Indicator: Trj/GdSda.A": [[111, 122]]}, "info": {"id": "cyner2_5class_train_01051", "source": "cyner2_5class_train"}} +{"text": "After laying low for a few years, it had a sudden resurgence last May.", "spans": {}, "info": {"id": "cyner2_5class_train_01052", "source": "cyner2_5class_train"}} +{"text": "This archive is stored in the same host has the webviews .", "spans": {}, "info": {"id": "cyner2_5class_train_01053", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Surabaya.Worm Worm.Win32.AutoRun!O Worm.SillyShare.EE2 W32/Pitin.worm Worm.AutoRun W32.W.AutoRun.luA8 WORM_VB.DTH Win32.Trojan.VB.iy W32/Worm.BGBK W32.SillyFDC Win32/Dodaykil.B WORM_VB.DTH Win.Worm.VB-632 Worm.Win32.AutoRun.bant Trojan.Win32.AutoRun.cnwrek Trojan.Win32.Autorun.40960.R Worm.Win32.VB.~E Win32.HLLW.Autoruner.874 Virus.VB.Win32.86 BehavesLike.Win32.Dropper.ch Worm.Win32.AutoRun W32/Worm.DPLM-0673 Worm/AutoRun.tyn TR/VB.aei Worm/Win32.AutoRun Trojan.Heur.E9EB80 Worm.Win32.AutoRun.bant Worm:Win32/SillyShareCopy.E HEUR/Fakon.mwf SScope.Trojan.VBO.0348 Trj/Yabarasu.A Worm.Pitin Win32/VB.DG Trojan.Win32.Autorun.bep Worm.SillyShareCopy!GFdqFqCX45w", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Surabaya.Worm": [[26, 43]], "Indicator: Worm.Win32.AutoRun!O": [[44, 64]], "Indicator: Worm.SillyShare.EE2": [[65, 84]], "Indicator: W32/Pitin.worm": [[85, 99]], "Indicator: Worm.AutoRun": [[100, 112]], "Indicator: W32.W.AutoRun.luA8": [[113, 131]], "Indicator: WORM_VB.DTH": [[132, 143], [207, 218]], "Indicator: Win32.Trojan.VB.iy": [[144, 162]], "Indicator: W32/Worm.BGBK": [[163, 176]], "Indicator: W32.SillyFDC": [[177, 189]], "Indicator: Win32/Dodaykil.B": [[190, 206]], "Indicator: Win.Worm.VB-632": [[219, 234]], "Indicator: Worm.Win32.AutoRun.bant": [[235, 258], [508, 531]], "Indicator: 
Trojan.Win32.AutoRun.cnwrek": [[259, 286]], "Indicator: Trojan.Win32.Autorun.40960.R": [[287, 315]], "Indicator: Worm.Win32.VB.~E": [[316, 332]], "Indicator: Win32.HLLW.Autoruner.874": [[333, 357]], "Indicator: Virus.VB.Win32.86": [[358, 375]], "Indicator: BehavesLike.Win32.Dropper.ch": [[376, 404]], "Indicator: Worm.Win32.AutoRun": [[405, 423]], "Indicator: W32/Worm.DPLM-0673": [[424, 442]], "Indicator: Worm/AutoRun.tyn": [[443, 459]], "Indicator: TR/VB.aei": [[460, 469]], "Indicator: Worm/Win32.AutoRun": [[470, 488]], "Indicator: Trojan.Heur.E9EB80": [[489, 507]], "Indicator: Worm:Win32/SillyShareCopy.E": [[532, 559]], "Indicator: HEUR/Fakon.mwf": [[560, 574]], "Indicator: SScope.Trojan.VBO.0348": [[575, 597]], "Indicator: Trj/Yabarasu.A": [[598, 612]], "Indicator: Worm.Pitin": [[613, 623]], "Indicator: Win32/VB.DG": [[624, 635]], "Indicator: Trojan.Win32.Autorun.bep": [[636, 660]], "Indicator: Worm.SillyShareCopy!GFdqFqCX45w": [[661, 692]]}, "info": {"id": "cyner2_5class_train_01054", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Dropper.MM W97M/Dropper.x W97M/Mdropper.G W2KM_FAREIT.IAV Trojan.Script.Drop.dyxcgh Trojan-Dropper:W97M/MaliciousDoc.A Trojan.PWS.Stealer.4118 W2KM_FAREIT.IAV W97M/Mdropper.G TR/Crypt.Xpack.310779 Trojan[PSW]/Win32.Fareit TrojanPSW.Fareit possible-Threat.Embedded.ExeInOffice virus.office.qexvmc.1100", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Dropper.MM": [[26, 41]], "Indicator: W97M/Dropper.x": [[42, 56]], "Indicator: W97M/Mdropper.G": [[57, 72], [190, 205]], "Indicator: W2KM_FAREIT.IAV": [[73, 88], [174, 189]], "Indicator: Trojan.Script.Drop.dyxcgh": [[89, 114]], "Indicator: Trojan-Dropper:W97M/MaliciousDoc.A": [[115, 149]], "Indicator: Trojan.PWS.Stealer.4118": [[150, 173]], "Indicator: TR/Crypt.Xpack.310779": [[206, 227]], "Indicator: Trojan[PSW]/Win32.Fareit": [[228, 252]], "Indicator: TrojanPSW.Fareit": [[253, 269]], "Indicator: possible-Threat.Embedded.ExeInOffice": [[270, 306]], 
"Indicator: virus.office.qexvmc.1100": [[307, 331]]}, "info": {"id": "cyner2_5class_train_01055", "source": "cyner2_5class_train"}} +{"text": "Operation Groundbait Russian: Прикормка, Prikormka is an ongoing cyber-surveillance", "spans": {}, "info": {"id": "cyner2_5class_train_01056", "source": "cyner2_5class_train"}} +{"text": "This malicious app , detected by ESET as a variant of Android/Twitoor.A , can ’ t be found on any official Android app store – it probably spreads by SMS or via malicious URLs .", "spans": {"Organization: ESET": [[33, 37]], "Malware: Android/Twitoor.A": [[54, 71]], "System: Android app store": [[107, 124]]}, "info": {"id": "cyner2_5class_train_01057", "source": "cyner2_5class_train"}} +{"text": "It has been shortened for brevity .", "spans": {}, "info": {"id": "cyner2_5class_train_01058", "source": "cyner2_5class_train"}} +{"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in .", "spans": {"Malware: RCSAndroid": [[24, 34]]}, "info": {"id": "cyner2_5class_train_01059", "source": "cyner2_5class_train"}} +{"text": "When reviewing the decrypted packet , it ’ s clear it has the same content as previous versions .", "spans": {}, "info": {"id": "cyner2_5class_train_01060", "source": "cyner2_5class_train"}} +{"text": "] net .", "spans": {}, "info": {"id": "cyner2_5class_train_01061", "source": "cyner2_5class_train"}} +{"text": "The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C & C command .", "spans": {}, "info": {"id": "cyner2_5class_train_01062", "source": "cyner2_5class_train"}} +{"text": "A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family .", "spans": {"Organization: Check Point": [[20, 31]], "Organization: Lookout": [[43, 50]], "Malware: Shedun": [[95, 101]]}, "info": {"id": "cyner2_5class_train_01063", "source": 
"cyner2_5class_train"}} +{"text": "] com www5.zyns [ .", "spans": {"Indicator: www5.zyns [ .": [[6, 19]]}, "info": {"id": "cyner2_5class_train_01064", "source": "cyner2_5class_train"}} +{"text": "Microsoft Defender for Endpoint on Android further enriches organizations ’ visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to against attack sprawl and cross-domain incidents .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42]]}, "info": {"id": "cyner2_5class_train_01065", "source": "cyner2_5class_train"}} +{"text": "The next stage in device infection could be the use of exploit kits and malvertising , which would be quite effective due the many Android vulnerabilities and consumers with unpatched devices .", "spans": {"Vulnerability: Android vulnerabilities": [[131, 154]], "Vulnerability: unpatched devices": [[174, 191]]}, "info": {"id": "cyner2_5class_train_01066", "source": "cyner2_5class_train"}} +{"text": "The developer name used , GAS Brazil , suggests the criminals behind the app targeted Brazilian users .", "spans": {}, "info": {"id": "cyner2_5class_train_01067", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.849 W97M.Downloader.BLR Troj.Downloader.Msoffice!c W97M.Downloader W2KM_HANCITOR.YYSYN VB:Trojan.Valyria.849 VB:Trojan.Valyria.849 Trojan.Script.Downloader.espmja VB:Trojan.Valyria.849 VB:Trojan.Valyria.849 W2KM_HANCITOR.YYSYN TrojanDownloader:O97M/Damatak.A VB:Trojan.Valyria.849 virus.office.qexvmc.1080", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.849": [[26, 47], [131, 152], [153, 174], [207, 228], [229, 250], [303, 324]], "Indicator: W97M.Downloader.BLR": [[48, 67]], "Indicator: Troj.Downloader.Msoffice!c": [[68, 94]], "Indicator: W97M.Downloader": [[95, 110]], "Indicator: W2KM_HANCITOR.YYSYN": [[111, 130], [251, 270]], "Indicator: Trojan.Script.Downloader.espmja": [[175, 206]], "Indicator: 
TrojanDownloader:O97M/Damatak.A": [[271, 302]], "Indicator: virus.office.qexvmc.1080": [[325, 349]]}, "info": {"id": "cyner2_5class_train_01068", "source": "cyner2_5class_train"}} +{"text": "Extract data from WeChat app .", "spans": {"System: WeChat": [[18, 24]]}, "info": {"id": "cyner2_5class_train_01069", "source": "cyner2_5class_train"}} +{"text": "Volexity has tied this attack campaign to an advanced persistent threat APT group first identified as OceanLotus by SkyEye Labs in 2015.", "spans": {"Organization: Volexity": [[0, 8]], "Organization: SkyEye Labs": [[116, 127]]}, "info": {"id": "cyner2_5class_train_01070", "source": "cyner2_5class_train"}} +{"text": "Probably, attackers used web site vulnerabilities for placing malicious files.", "spans": {"Indicator: web site": [[25, 33]], "Vulnerability: vulnerabilities": [[34, 49]], "Indicator: malicious files.": [[62, 78]]}, "info": {"id": "cyner2_5class_train_01071", "source": "cyner2_5class_train"}} +{"text": "Since our previous publication, we have found another, similar but different payload used to target a second organization in Saudi Arabia that was configured to wipe systems twelve days later on November 29, 2016.", "spans": {"Malware: payload": [[77, 84]], "System: wipe systems": [[161, 173]]}, "info": {"id": "cyner2_5class_train_01072", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Losya.gg Trojan-Ransom.Win32.Losya.gg Trojan-Ransom.Win32.Losya!IK Trojan.Winlock.2932 Trojan/Losya.cs Trojan:Win32/LockScreen.BA Hoax.Losya.bd Trojan-Ransom.Win32.Losya W32/Krap.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Losya.gg": [[26, 41]], "Indicator: Trojan-Ransom.Win32.Losya.gg": [[42, 70]], "Indicator: Trojan-Ransom.Win32.Losya!IK": [[71, 99]], "Indicator: Trojan.Winlock.2932": [[100, 119]], "Indicator: Trojan/Losya.cs": [[120, 135]], "Indicator: Trojan:Win32/LockScreen.BA": [[136, 162]], "Indicator: Hoax.Losya.bd": [[163, 176]], "Indicator: 
Trojan-Ransom.Win32.Losya": [[177, 202]], "Indicator: W32/Krap.A!tr": [[203, 216]]}, "info": {"id": "cyner2_5class_train_01073", "source": "cyner2_5class_train"}} +{"text": "Servers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin.", "spans": {"System: Servers of The Left": [[0, 19]], "Malware: malware,": [[64, 72]]}, "info": {"id": "cyner2_5class_train_01074", "source": "cyner2_5class_train"}} +{"text": "Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control UAC bypass on both 32 and 64-bit systems.", "spans": {"Malware: Sakula": [[0, 6]], "Indicator: single-byte XOR encoding": [[22, 46]], "Indicator: obfuscate": [[50, 59]], "System: 32 and 64-bit systems.": [[192, 214]]}, "info": {"id": "cyner2_5class_train_01075", "source": "cyner2_5class_train"}} +{"text": "Svpeng is capable of doing lots of things .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner2_5class_train_01076", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.ICQNuker.19456 Trojan.ICQNuker!jj+ciDVRnhs Hacktool.Nuker Smalltroj.EAH TROJ_ICQNUKER.A Trojan.ICQNuker Trojan.Win32.ICQNuker Trojan.Win32.ICQNuker Trojan.Win32.ICQNuker.dhzl TrojWare.Win32.ICQNuker Trojan.Win32.ICQNuker Trojan.ICQNuker TROJ_ICQNUKER.A Trojan/Win32.ICQNuker Trojan.Win32.ICQNuker.19456 Trojan.Win32.ICQNuker Win32.Trojan.ICQNuker Hacktool.Nuker", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.ICQNuker.19456": [[26, 51]], "Indicator: Trojan.ICQNuker!jj+ciDVRnhs": [[52, 79]], "Indicator: Hacktool.Nuker": [[80, 94], [384, 398]], "Indicator: Smalltroj.EAH": [[95, 108]], "Indicator: TROJ_ICQNUKER.A": [[109, 124], [274, 289]], "Indicator: Trojan.ICQNuker": [[125, 140], [258, 273]], "Indicator: Trojan.Win32.ICQNuker": [[141, 162], [163, 184], [236, 257], [340, 361]], "Indicator: 
Trojan.Win32.ICQNuker.dhzl": [[185, 211]], "Indicator: TrojWare.Win32.ICQNuker": [[212, 235]], "Indicator: Trojan/Win32.ICQNuker": [[290, 311]], "Indicator: Trojan.Win32.ICQNuker.19456": [[312, 339]], "Indicator: Win32.Trojan.ICQNuker": [[362, 383]]}, "info": {"id": "cyner2_5class_train_01077", "source": "cyner2_5class_train"}} +{"text": "Linux malware is slowly becoming more popular.", "spans": {"Malware: malware": [[6, 13]]}, "info": {"id": "cyner2_5class_train_01078", "source": "cyner2_5class_train"}} +{"text": "This porn clicker Trojan, which we detect as Android/Clicker, has once more become available for download from Play Store.", "spans": {"Malware: porn clicker Trojan,": [[5, 25]], "Indicator: Android/Clicker,": [[45, 61]], "System: Play Store.": [[111, 122]]}, "info": {"id": "cyner2_5class_train_01079", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.LoadAdv.ABV Trojan.Piptea Downloader.Small.Win32.11983 Trojan.Downloader.LoadAdv.ABV Multi.Threats.InArchive W32/Downldr2.FZLV Trojan.Dropper Win.Downloader.65024-1 Trojan-Downloader.Win32.Small.agns Trojan.Downloader.LoadAdv.ABV Trojan.Win32.Small.bcwtvk Trojan.Win32.Downloader.246584 Trojan.Downloader.LoadAdv.ABV W32/Downloader.UPFZ-7129 Trojan[Downloader]/Win32.Small Trojan:Win32/Piptea.E Trojan-Downloader.Win32.Small.agns Trojan.DL.Small!mUFJjjvpkTw Email-Worm.Win32.Joleee Win32/Trojan.8ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.LoadAdv.ABV": [[26, 55], [99, 128], [244, 273], [331, 360]], "Indicator: Trojan.Piptea": [[56, 69]], "Indicator: Downloader.Small.Win32.11983": [[70, 98]], "Indicator: Multi.Threats.InArchive": [[129, 152]], "Indicator: W32/Downldr2.FZLV": [[153, 170]], "Indicator: Trojan.Dropper": [[171, 185]], "Indicator: Win.Downloader.65024-1": [[186, 208]], "Indicator: Trojan-Downloader.Win32.Small.agns": [[209, 243], [439, 473]], "Indicator: Trojan.Win32.Small.bcwtvk": [[274, 299]], "Indicator: 
Trojan.Win32.Downloader.246584": [[300, 330]], "Indicator: W32/Downloader.UPFZ-7129": [[361, 385]], "Indicator: Trojan[Downloader]/Win32.Small": [[386, 416]], "Indicator: Trojan:Win32/Piptea.E": [[417, 438]], "Indicator: Trojan.DL.Small!mUFJjjvpkTw": [[474, 501]], "Indicator: Email-Worm.Win32.Joleee": [[502, 525]], "Indicator: Win32/Trojan.8ed": [[526, 542]]}, "info": {"id": "cyner2_5class_train_01080", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Adclicker.DH Trojan-Clicker.Win32.Small!O Trojan/Clicker.Small.tc Trojan.Zusy.D730F Win32.Trojan.WisdomEyes.16070401.9500.9905 W32/Trojan.HWTO-6812 Trojan.KillAV Win32/TrojanClicker.Small.QZ TROJ_CLICKER.UU Win.Trojan.Clicker-1328 Trojan.Win32.Small.pbsu Trojan.Win32.Clicker.20480.C TrojWare.Win32.TrojanClicker.Small.QZ Trojan.PWS.Gamania.16782 Trojan.Small.Win32.16009 W32/Trojan2.AUEO TrojanClicker.Small.aps W32.Email.Worm.Silly TR/Click.Mon.1 Trojan[Clicker]/Win32.Small Dropper/Win32.Small.R41509 TrojanClicker.Small Trj/CI.A Trojan-Downloader.Win32.Small W32/CLICKER.UU!tr Win32/Trojan.d06", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Adclicker.DH": [[26, 44]], "Indicator: Trojan-Clicker.Win32.Small!O": [[45, 73]], "Indicator: Trojan/Clicker.Small.tc": [[74, 97]], "Indicator: Trojan.Zusy.D730F": [[98, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9905": [[116, 158]], "Indicator: W32/Trojan.HWTO-6812": [[159, 179]], "Indicator: Trojan.KillAV": [[180, 193]], "Indicator: Win32/TrojanClicker.Small.QZ": [[194, 222]], "Indicator: TROJ_CLICKER.UU": [[223, 238]], "Indicator: Win.Trojan.Clicker-1328": [[239, 262]], "Indicator: Trojan.Win32.Small.pbsu": [[263, 286]], "Indicator: Trojan.Win32.Clicker.20480.C": [[287, 315]], "Indicator: TrojWare.Win32.TrojanClicker.Small.QZ": [[316, 353]], "Indicator: Trojan.PWS.Gamania.16782": [[354, 378]], "Indicator: Trojan.Small.Win32.16009": [[379, 403]], "Indicator: W32/Trojan2.AUEO": [[404, 420]], "Indicator: TrojanClicker.Small.aps": 
[[421, 444]], "Indicator: W32.Email.Worm.Silly": [[445, 465]], "Indicator: TR/Click.Mon.1": [[466, 480]], "Indicator: Trojan[Clicker]/Win32.Small": [[481, 508]], "Indicator: Dropper/Win32.Small.R41509": [[509, 535]], "Indicator: TrojanClicker.Small": [[536, 555]], "Indicator: Trj/CI.A": [[556, 564]], "Indicator: Trojan-Downloader.Win32.Small": [[565, 594]], "Indicator: W32/CLICKER.UU!tr": [[595, 612]], "Indicator: Win32/Trojan.d06": [[613, 629]]}, "info": {"id": "cyner2_5class_train_01081", "source": "cyner2_5class_train"}} +{"text": "Another chunk is used to copy a basic Ntdll and Kernel32 import address table .", "spans": {}, "info": {"id": "cyner2_5class_train_01082", "source": "cyner2_5class_train"}} +{"text": "Sometimes , we can attribute different apps to the same author based on a small , unique pieces of evidence that suggest similarity , such as a repetition of an exceptionally rare code snippet , asset , or a particular string in the debug logs .", "spans": {}, "info": {"id": "cyner2_5class_train_01083", "source": "cyner2_5class_train"}} +{"text": "It seems that the people who filled these roles are key to “ Agent Smith ’ s success , yet not quite necessary for actor ’ s legitimate side of business .", "spans": {"Malware: Agent Smith": [[61, 72]]}, "info": {"id": "cyner2_5class_train_01084", "source": "cyner2_5class_train"}} +{"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device ’ s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox ’ s report on the SpyNote RAT ’ s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder , which was leaked last year .", "spans": {"Malware: SpyNote RAT": [[0, 
11], [390, 401], [540, 551]], "Organization: Netflix": [[450, 457]]}, "info": {"id": "cyner2_5class_train_01085", "source": "cyner2_5class_train"}} +{"text": "The details we are releasing are to provide insight into attack methodologies being employed by sophisticated groups such as FIN7 who are consistently changing techniques between attacks to avoid detection.", "spans": {"Indicator: attack": [[57, 63]], "Indicator: attacks": [[179, 186]]}, "info": {"id": "cyner2_5class_train_01086", "source": "cyner2_5class_train"}} +{"text": "The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.", "spans": {"Malware: malware dropper": [[73, 88]], "System: Microsoft Word document macros": [[100, 130]], "Indicator: .exe": [[178, 182]], "Indicator: .zip.": [[204, 209]]}, "info": {"id": "cyner2_5class_train_01087", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Shieldcrypt.R00WC0DEQ17 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Ransom.WTYO-5087 Ransom.Troldesh Ransom_Shieldcrypt.R00WC0DEQ17 Win32.Trojan-Ransom.Filecoder.BO Trojan.Win32.Encoder.ephyjr Trojan.Encoder.11787 Ransom:Win32/Shieldcrypt.A Trj/GdSda.A Win32.Trojan.Raas.Auto Trojan-Ransom.Shieldcrypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Shieldcrypt.R00WC0DEQ17": [[26, 56], [137, 167]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[57, 99]], "Indicator: W32/Ransom.WTYO-5087": [[100, 120]], "Indicator: Ransom.Troldesh": [[121, 136]], "Indicator: Win32.Trojan-Ransom.Filecoder.BO": [[168, 200]], "Indicator: Trojan.Win32.Encoder.ephyjr": [[201, 228]], "Indicator: Trojan.Encoder.11787": [[229, 249]], "Indicator: Ransom:Win32/Shieldcrypt.A": [[250, 276]], "Indicator: Trj/GdSda.A": [[277, 288]], "Indicator: Win32.Trojan.Raas.Auto": [[289, 311]], "Indicator: Trojan-Ransom.Shieldcrypt": [[312, 337]]}, "info": 
{"id": "cyner2_5class_train_01088", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Backdoor2.DBLT WS.Reputation.1 Win32.TRVirtl HackTool.Patcher!7MmWKbVM2EE Tool.DVTPatch TR/Virtl.7341 Trojan/Virtl.b Win32.HACKTOOL.pocomail.cx.kcloud W32/Backdoor2.DBLT Trojan.Virtl.7341", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Backdoor2.DBLT": [[26, 44], [181, 199]], "Indicator: WS.Reputation.1": [[45, 60]], "Indicator: Win32.TRVirtl": [[61, 74]], "Indicator: HackTool.Patcher!7MmWKbVM2EE": [[75, 103]], "Indicator: Tool.DVTPatch": [[104, 117]], "Indicator: TR/Virtl.7341": [[118, 131]], "Indicator: Trojan/Virtl.b": [[132, 146]], "Indicator: Win32.HACKTOOL.pocomail.cx.kcloud": [[147, 180]], "Indicator: Trojan.Virtl.7341": [[200, 217]]}, "info": {"id": "cyner2_5class_train_01089", "source": "cyner2_5class_train"}} +{"text": "IOC s for the Wildifre ransomware", "spans": {"Indicator: IOC": [[0, 3]], "Malware: Wildifre ransomware": [[14, 33]]}, "info": {"id": "cyner2_5class_train_01090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/PinkBlocker.arw Trojan.Heloag BKDR_HELOAG.SM PUA.Packed.ASPack BDS/Heloag.A.30 BKDR_HELOAG.SM Backdoor.Win32.Heloag!IK Backdoor:Win32/Heloag.A Trojan.Heloag Backdoor.Win32.Heloag Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/PinkBlocker.arw": [[26, 48]], "Indicator: Trojan.Heloag": [[49, 62], [176, 189]], "Indicator: BKDR_HELOAG.SM": [[63, 77], [112, 126]], "Indicator: PUA.Packed.ASPack": [[78, 95]], "Indicator: BDS/Heloag.A.30": [[96, 111]], "Indicator: Backdoor.Win32.Heloag!IK": [[127, 151]], "Indicator: Backdoor:Win32/Heloag.A": [[152, 175]], "Indicator: Backdoor.Win32.Heloag": [[190, 211]], "Indicator: Trj/CI.A": [[212, 220]]}, "info": {"id": "cyner2_5class_train_01091", "source": "cyner2_5class_train"}} +{"text": "Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B aka 
Shamoon.", "spans": {"Organization: Symantec": [[0, 8]], "Indicator: attacks": [[93, 100]], "Indicator: W32.Disttrack.B": [[111, 126]]}, "info": {"id": "cyner2_5class_train_01092", "source": "cyner2_5class_train"}} +{"text": "Most of the network traffic we ’ ve observed is HTTP .", "spans": {"Indicator: HTTP": [[48, 52]]}, "info": {"id": "cyner2_5class_train_01093", "source": "cyner2_5class_train"}} +{"text": "In this post , we show how Google Play Protect has defended against a well organized , persistent attacker and share examples of their techniques .", "spans": {"System: Google Play Protect": [[27, 46]]}, "info": {"id": "cyner2_5class_train_01094", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Rbot!O Backdoor.Rbot.20414 Win32.Trojan.WisdomEyes.16070401.9500.9964 Win.Trojan.Mybot-4324 Trojan.Win32.Rbot.cuqnmc Win32.HLLW.MyBot.based Backdoor.RBot.Win32.38765 BehavesLike.Win32.Msposer.jz Backdoor.Win32.SdBot EXP/DameWare.ggg Trojan[Backdoor]/Win32.Rbot Win32.Hack.RBotT.a.83968 Backdoor.Win32.Sdbot.yx W32/SdBot.IT!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Rbot!O": [[26, 47]], "Indicator: Backdoor.Rbot.20414": [[48, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[68, 110]], "Indicator: Win.Trojan.Mybot-4324": [[111, 132]], "Indicator: Trojan.Win32.Rbot.cuqnmc": [[133, 157]], "Indicator: Win32.HLLW.MyBot.based": [[158, 180]], "Indicator: Backdoor.RBot.Win32.38765": [[181, 206]], "Indicator: BehavesLike.Win32.Msposer.jz": [[207, 235]], "Indicator: Backdoor.Win32.SdBot": [[236, 256]], "Indicator: EXP/DameWare.ggg": [[257, 273]], "Indicator: Trojan[Backdoor]/Win32.Rbot": [[274, 301]], "Indicator: Win32.Hack.RBotT.a.83968": [[302, 326]], "Indicator: Backdoor.Win32.Sdbot.yx": [[327, 350]], "Indicator: W32/SdBot.IT!tr.bdr": [[351, 370]]}, "info": {"id": "cyner2_5class_train_01095", "source": "cyner2_5class_train"}} +{"text": "Cylance SPEAR has uncovered a long-standing persistent 
threat targeting numerous major industries spread across Japan, South Korea, the United States, Europe, and several other Southeast Asian countries.", "spans": {"Organization: Cylance SPEAR": [[0, 13]], "Organization: industries": [[87, 97]]}, "info": {"id": "cyner2_5class_train_01096", "source": "cyner2_5class_train"}} +{"text": "After obtaining the desired rights , the Trojan sets itself as the default SMS app ( by independently clicking Yes in AccessibilityService ) , before vanishing from the device screen .", "spans": {}, "info": {"id": "cyner2_5class_train_01097", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Script Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Drop.etdypm Trojan.MulDrop7.42636 BehavesLike.Win32.Dropper.fh W32/Trojan.EURA-7093 Trojan:VBS/Sminager.D Exploit.UACSkip Trj/CI.A Exploit.UACSkip! Win32/Trojan.Downloader.251", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Script": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[50, 92]], "Indicator: Trojan.Win32.Drop.etdypm": [[93, 117]], "Indicator: Trojan.MulDrop7.42636": [[118, 139]], "Indicator: BehavesLike.Win32.Dropper.fh": [[140, 168]], "Indicator: W32/Trojan.EURA-7093": [[169, 189]], "Indicator: Trojan:VBS/Sminager.D": [[190, 211]], "Indicator: Exploit.UACSkip": [[212, 227]], "Indicator: Trj/CI.A": [[228, 236]], "Indicator: Exploit.UACSkip!": [[237, 253]], "Indicator: Win32/Trojan.Downloader.251": [[254, 281]]}, "info": {"id": "cyner2_5class_train_01098", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.424D Virus.Hupigon.Win32.5 Trojan/PSW.QQShou.is TSPY_QQSHOU.GY Win32.Trojan.WisdomEyes.16070401.9500.9956 W32/Trojan.KBAU-5151 Trojan.PWS.QQPass TSPY_QQSHOU.GY Backdoor.Win32.Hupigon.vpk Trojan.Win32.QQShou.lofh Backdoor.W32.Rbot.lgxa Backdoor.Win32.Popwin.~IQ Trojan.PWS.Gamania.5830 W32/Trojan.LGV Trojan/PSW.QQShou.eu Trojan[Backdoor]/Win32.Hupigon.vpk 
PWS:Win32/Whoran.A Backdoor.Win32.Hupigon.vpk Trojan.PWS.QQShou!NqwrJPeZllY W32/Hupigon.VPK!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.424D": [[26, 43]], "Indicator: Virus.Hupigon.Win32.5": [[44, 65]], "Indicator: Trojan/PSW.QQShou.is": [[66, 86]], "Indicator: TSPY_QQSHOU.GY": [[87, 101], [184, 198]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9956": [[102, 144]], "Indicator: W32/Trojan.KBAU-5151": [[145, 165]], "Indicator: Trojan.PWS.QQPass": [[166, 183]], "Indicator: Backdoor.Win32.Hupigon.vpk": [[199, 225], [414, 440]], "Indicator: Trojan.Win32.QQShou.lofh": [[226, 250]], "Indicator: Backdoor.W32.Rbot.lgxa": [[251, 273]], "Indicator: Backdoor.Win32.Popwin.~IQ": [[274, 299]], "Indicator: Trojan.PWS.Gamania.5830": [[300, 323]], "Indicator: W32/Trojan.LGV": [[324, 338]], "Indicator: Trojan/PSW.QQShou.eu": [[339, 359]], "Indicator: Trojan[Backdoor]/Win32.Hupigon.vpk": [[360, 394]], "Indicator: PWS:Win32/Whoran.A": [[395, 413]], "Indicator: Trojan.PWS.QQShou!NqwrJPeZllY": [[441, 470]], "Indicator: W32/Hupigon.VPK!tr.pws": [[471, 493]]}, "info": {"id": "cyner2_5class_train_01099", "source": "cyner2_5class_train"}} +{"text": "SMS Billing Carriers may partner with vendors to allow users to pay for services by SMS .", "spans": {}, "info": {"id": "cyner2_5class_train_01100", "source": "cyner2_5class_train"}} +{"text": "] com/api/s2s/tracks/ and is used for activation .", "spans": {}, "info": {"id": "cyner2_5class_train_01101", "source": "cyner2_5class_train"}} +{"text": "In later versions , instead of the name of the command , its numerical code was transmitted .", "spans": {}, "info": {"id": "cyner2_5class_train_01102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Rotbrow.KK6 PUP.Optional.BProtector Trojan.Bromngr.Win32.445 Win32.Adware.Bprotector.a Adware.GoonSquad Win.Adware.BProtector-1 Win32.Application.BHO.A Trojan.Win32.BGuard.cunxgw Application.Win32.bProtector.KA Adware.BGuard.47 
Trojan-Dropper.Win32.Rotbrow Trojan.Bromngr.ed W32.Adware.Installbrain Trojan.Adware.BHO.Bprotector.1 TrojanDropper:Win32/Rotbrow.A W32/Bprotect.B!tr Trj/CI.A Win32/Trojan.10d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Rotbrow.KK6": [[26, 44]], "Indicator: PUP.Optional.BProtector": [[45, 68]], "Indicator: Trojan.Bromngr.Win32.445": [[69, 93]], "Indicator: Win32.Adware.Bprotector.a": [[94, 119]], "Indicator: Adware.GoonSquad": [[120, 136]], "Indicator: Win.Adware.BProtector-1": [[137, 160]], "Indicator: Win32.Application.BHO.A": [[161, 184]], "Indicator: Trojan.Win32.BGuard.cunxgw": [[185, 211]], "Indicator: Application.Win32.bProtector.KA": [[212, 243]], "Indicator: Adware.BGuard.47": [[244, 260]], "Indicator: Trojan-Dropper.Win32.Rotbrow": [[261, 289]], "Indicator: Trojan.Bromngr.ed": [[290, 307]], "Indicator: W32.Adware.Installbrain": [[308, 331]], "Indicator: Trojan.Adware.BHO.Bprotector.1": [[332, 362]], "Indicator: TrojanDropper:Win32/Rotbrow.A": [[363, 392]], "Indicator: W32/Bprotect.B!tr": [[393, 410]], "Indicator: Trj/CI.A": [[411, 419]], "Indicator: Win32/Trojan.10d": [[420, 436]]}, "info": {"id": "cyner2_5class_train_01103", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kryptik.ASES Trojan.MulDrop1.32726 Win32/Tnega.CZG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kryptik.ASES": [[26, 45]], "Indicator: Trojan.MulDrop1.32726": [[46, 67]], "Indicator: Win32/Tnega.CZG": [[68, 83]]}, "info": {"id": "cyner2_5class_train_01104", "source": "cyner2_5class_train"}} +{"text": "What was taken The actors behind ViperRAT seem to be particularly interested in image data .", "spans": {"Malware: ViperRAT": [[33, 41]]}, "info": {"id": "cyner2_5class_train_01105", "source": "cyner2_5class_train"}} +{"text": "Further research of the attacker ’ s infrastructure revealed more related mimicking domains .", "spans": {}, "info": {"id": "cyner2_5class_train_01106", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: Trojan.Crypt.Delf.AL Worm/W32.G_Spot.200704 Backdoor.G_Spot.r8 W32/Grandspot.worm!p2p Trojan.Crypt.Delf.AL W32/G_Spot.c Trojan.Win32.GSpot.dzdidh W32.HLLW.Sambut Win32/GrandSpot.C BKDR_GSPOT.15 P2P-Worm.Win32.G_Spot.c Worm.P2P.G_Spot!iWsciEZCFG4 W32.W.G_Spot.c!c Trojan-Downloader.win32.Delf.xoq Trojan.Crypt.Delf.AL Worm.Win32.GrandSpot.C Trojan.Crypt.Delf.AL WIN.WORM.Virus Worm.GSpot.Win32.1 BKDR_GSPOT.15 BehavesLike.Win32.Eggnog.ch Worm/Sramota.qs BDS/GSpot.15.Srv W32/G_Spot.C Trojan[Backdoor]/Win32.G_Spot Trojan.Crypt.Delf.AL Win32/KorGameHack.worm.200704 Worm:Win32/Gespo.C Win32/Spotbot.15 Worm.G_Spot Trojan-PWS.Win32.Lmir.mw Trojan.Crypt.Delf.AL Worm/Gspot.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.Delf.AL": [[26, 46], [112, 132], [322, 342], [366, 386], [539, 559], [663, 683]], "Indicator: Worm/W32.G_Spot.200704": [[47, 69]], "Indicator: Backdoor.G_Spot.r8": [[70, 88]], "Indicator: W32/Grandspot.worm!p2p": [[89, 111]], "Indicator: W32/G_Spot.c": [[133, 145]], "Indicator: Trojan.Win32.GSpot.dzdidh": [[146, 171]], "Indicator: W32.HLLW.Sambut": [[172, 187]], "Indicator: Win32/GrandSpot.C": [[188, 205]], "Indicator: BKDR_GSPOT.15": [[206, 219], [421, 434]], "Indicator: P2P-Worm.Win32.G_Spot.c": [[220, 243]], "Indicator: Worm.P2P.G_Spot!iWsciEZCFG4": [[244, 271]], "Indicator: W32.W.G_Spot.c!c": [[272, 288]], "Indicator: Trojan-Downloader.win32.Delf.xoq": [[289, 321]], "Indicator: Worm.Win32.GrandSpot.C": [[343, 365]], "Indicator: WIN.WORM.Virus": [[387, 401]], "Indicator: Worm.GSpot.Win32.1": [[402, 420]], "Indicator: BehavesLike.Win32.Eggnog.ch": [[435, 462]], "Indicator: Worm/Sramota.qs": [[463, 478]], "Indicator: BDS/GSpot.15.Srv": [[479, 495]], "Indicator: W32/G_Spot.C": [[496, 508]], "Indicator: Trojan[Backdoor]/Win32.G_Spot": [[509, 538]], "Indicator: Win32/KorGameHack.worm.200704": [[560, 589]], "Indicator: Worm:Win32/Gespo.C": [[590, 608]], "Indicator: Win32/Spotbot.15": [[609, 625]], "Indicator: 
Worm.G_Spot": [[626, 637]], "Indicator: Trojan-PWS.Win32.Lmir.mw": [[638, 662]], "Indicator: Worm/Gspot.C": [[684, 696]]}, "info": {"id": "cyner2_5class_train_01107", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Exetemp!O W32/Backdoor.GJUL-4537 TROJ_DROPER.SMJN Trojan-Dropper.Win32.Exetemp.a Troj.Dropper.W32.Exetemp.tnGD Trojan.MulDrop.30795 TROJ_DROPER.SMJN W32/Backdoor2.FAQY Backdoor/Huigezi.2009.api W32.Trojan.Exetemp Trojan[Dropper]/Win32.Exetemp TrojanDropper:Win32/Exetemp.A!bit Trojan.Graftor.D45DD Trojan-Dropper.Win32.Exetemp.a TrojanDropper.Exetemp Trojan.DL.Win32.Small.grn W32/Exetemp.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Exetemp!O": [[26, 56]], "Indicator: W32/Backdoor.GJUL-4537": [[57, 79]], "Indicator: TROJ_DROPER.SMJN": [[80, 96], [179, 195]], "Indicator: Trojan-Dropper.Win32.Exetemp.a": [[97, 127], [345, 375]], "Indicator: Troj.Dropper.W32.Exetemp.tnGD": [[128, 157]], "Indicator: Trojan.MulDrop.30795": [[158, 178]], "Indicator: W32/Backdoor2.FAQY": [[196, 214]], "Indicator: Backdoor/Huigezi.2009.api": [[215, 240]], "Indicator: W32.Trojan.Exetemp": [[241, 259]], "Indicator: Trojan[Dropper]/Win32.Exetemp": [[260, 289]], "Indicator: TrojanDropper:Win32/Exetemp.A!bit": [[290, 323]], "Indicator: Trojan.Graftor.D45DD": [[324, 344]], "Indicator: TrojanDropper.Exetemp": [[376, 397]], "Indicator: Trojan.DL.Win32.Small.grn": [[398, 423]], "Indicator: W32/Exetemp.A!tr": [[424, 440]]}, "info": {"id": "cyner2_5class_train_01108", "source": "cyner2_5class_train"}} +{"text": "Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.", "spans": {"Organization: industries": [[151, 161]]}, "info": {"id": "cyner2_5class_train_01109", "source": "cyner2_5class_train"}} +{"text": "The malware is usually packaged with 
apps that users may download from third-party app stores.", "spans": {"Malware: The malware": [[0, 11]], "System: apps": [[37, 41]], "System: third-party app stores.": [[71, 94]]}, "info": {"id": "cyner2_5class_train_01110", "source": "cyner2_5class_train"}} +{"text": "Analysis from cyintanalysis.com describing infrastructure of an actor using PoisonIvy and PlugX implants.", "spans": {"Organization: cyintanalysis.com": [[14, 31]], "System: infrastructure": [[43, 57]], "Malware: PoisonIvy": [[76, 85]], "Malware: PlugX implants.": [[90, 105]]}, "info": {"id": "cyner2_5class_train_01111", "source": "cyner2_5class_train"}} +{"text": "Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.", "spans": {"System: phone": [[25, 30]], "System: a digital spy": [[49, 62]], "Vulnerability: iPhone's camera": [[103, 118]], "Vulnerability: microphone": [[123, 133]], "System: WhatsApp": [[200, 208]], "System: Viber calls,": [[213, 225]], "System: mobile chat apps,": [[251, 268]]}, "info": {"id": "cyner2_5class_train_01112", "source": "cyner2_5class_train"}} +{"text": "Once installed, it hides itself and then tricks the user into typing his or her credentials into fake bank web pages that have been injected onto the device's screen.", "spans": {"Indicator: tricks": [[41, 47]], "Indicator: typing his or her credentials into fake bank web pages that have been injected": [[62, 140]], "System: the device's screen.": [[146, 166]]}, "info": {"id": "cyner2_5class_train_01113", "source": "cyner2_5class_train"}} +{"text": "EventBot uses this permission in order to achieve persistence and run in the background as a service .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_01114", "source": "cyner2_5class_train"}} +{"text": 
"As a modern Android spyware it is also capable of exfiltrating data from messaging applications ( WhatsApp , Viber , Facebook ) .", "spans": {"System: WhatsApp": [[98, 106]], "System: Viber": [[109, 114]], "System: Facebook": [[117, 125]]}, "info": {"id": "cyner2_5class_train_01115", "source": "cyner2_5class_train"}} +{"text": "Extract information from th GMail app .", "spans": {"System: GMail": [[28, 33]]}, "info": {"id": "cyner2_5class_train_01116", "source": "cyner2_5class_train"}} +{"text": "It requires root privileges to be installed, and relies on: A userland binary, providing an encrypted backdoor with remote code execution and proxy functionalities A lightweight Linux Loadable Kernel Module, providing an additional port-knocking service for the userland backdoor", "spans": {"Indicator: root privileges": [[12, 27]], "Malware: encrypted backdoor": [[92, 110]], "Indicator: remote code execution": [[116, 137]], "Indicator: proxy functionalities": [[142, 163]], "System: lightweight Linux Loadable Kernel Module,": [[166, 207]], "System: port-knocking service": [[232, 253]], "Malware: backdoor": [[271, 279]]}, "info": {"id": "cyner2_5class_train_01117", "source": "cyner2_5class_train"}} +{"text": "This may imply the “ Concipit1248 ” app is still incubating .", "spans": {}, "info": {"id": "cyner2_5class_train_01118", "source": "cyner2_5class_train"}} +{"text": "Recently, FortiGuard Labs found a phishing campaign targeting French Nationals.", "spans": {"Organization: FortiGuard Labs": [[10, 25]], "Organization: French Nationals.": [[62, 79]]}, "info": {"id": "cyner2_5class_train_01119", "source": "cyner2_5class_train"}} +{"text": "Palo Alto Networks has discovered a previously unknown remote access Trojan RAT that has been active for over two years.", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: unknown remote access Trojan RAT": [[47, 79]]}, "info": {"id": "cyner2_5class_train_01120", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Trojan.Mauvaise.SL1 TROJ_ETERNALROM.A TROJ_ETERNALROM.A Win32.Exploit.EqEternalRomance.A Exploit.Win32.ShadowBrokers.aj Exploit.Win32.ShadowBrokers.epajub Exploit.Win32.ShadowBrokers.~ Trojan.Equation.37 Exploit.ShadowBrokers.Win32.13 Trojan.Exploit.Equation Exploit.ShadowBrokers.v W32.Hacktool.Equation TR/Eqtonex.HG Trojan[Exploit]/Win32.ShadowBrokers Uds.Dangerousobject.Multi!c Exploit.Win32.ShadowBrokers.aj Exploit:Win32/Eqtonex.A Trojan/Win32.ShadowBrokers.C1919146 Exploit.ShadowBrokers Trj/CI.A Win32/Exploit.Equation.EternalRomance.A HackTool.Win32.ShadowB.a Exploit.ShadowBrokers! Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: TROJ_ETERNALROM.A": [[46, 63], [64, 81]], "Indicator: Win32.Exploit.EqEternalRomance.A": [[82, 114]], "Indicator: Exploit.Win32.ShadowBrokers.aj": [[115, 145], [409, 439]], "Indicator: Exploit.Win32.ShadowBrokers.epajub": [[146, 180]], "Indicator: Exploit.Win32.ShadowBrokers.~": [[181, 210]], "Indicator: Trojan.Equation.37": [[211, 229]], "Indicator: Exploit.ShadowBrokers.Win32.13": [[230, 260]], "Indicator: Trojan.Exploit.Equation": [[261, 284]], "Indicator: Exploit.ShadowBrokers.v": [[285, 308]], "Indicator: W32.Hacktool.Equation": [[309, 330]], "Indicator: TR/Eqtonex.HG": [[331, 344]], "Indicator: Trojan[Exploit]/Win32.ShadowBrokers": [[345, 380]], "Indicator: Uds.Dangerousobject.Multi!c": [[381, 408]], "Indicator: Exploit:Win32/Eqtonex.A": [[440, 463]], "Indicator: Trojan/Win32.ShadowBrokers.C1919146": [[464, 499]], "Indicator: Exploit.ShadowBrokers": [[500, 521]], "Indicator: Trj/CI.A": [[522, 530]], "Indicator: Win32/Exploit.Equation.EternalRomance.A": [[531, 570]], "Indicator: HackTool.Win32.ShadowB.a": [[571, 595]], "Indicator: Exploit.ShadowBrokers!": [[596, 618]], "Indicator: Win32/Trojan.Multi.daf": [[619, 641]]}, "info": {"id": "cyner2_5class_train_01121", "source": "cyner2_5class_train"}} +{"text": "The Corebot malware family is 
relatively new and was first documented by Security Intelligence.", "spans": {"Malware: The Corebot malware family": [[0, 26]], "Organization: Security Intelligence.": [[73, 95]]}, "info": {"id": "cyner2_5class_train_01122", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.Cosmu.PE Win32.Worm.VB.NZQ Trojan.Win32.Cosmu!O W32.Lamer.EL3 Downloader.VB.Win32.95 Trojan/Downloader.VB.eex Win32.Virus.VBbind.a W32.Besverit Win32/VB.JU TROJ_DLOADR.SMM Win.Trojan.Cosmu-4 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Trojan.Win32.VB.ltch Troj.Downloader.W32.VB.l4ji Worm.Win32.VB.kp Win32.Worm.VB.NZQ Win32.Worm.VB.NZQ Win32.HLLW.Autoruner.6014 TROJ_DLOADR.SMM BehavesLike.Win32.Autorun.th Trojan/Cosmu.lan Trojan.Win32.Cosmu.887991 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Win32/Lamer.D Win32.Worm.VB.NZQ SIM.Trojan.VBO.0859 Trojan.Downloader Win32/VB.NUP Worm.Win32 W32/AutoRun.RPV!worm W32/OverDoom.A Virus.Win32.Lamer.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.Cosmu.PE": [[26, 44]], "Indicator: Win32.Worm.VB.NZQ": [[45, 62], [248, 265], [332, 349], [350, 367], [503, 520], [535, 552]], "Indicator: Trojan.Win32.Cosmu!O": [[63, 83]], "Indicator: W32.Lamer.EL3": [[84, 97]], "Indicator: Downloader.VB.Win32.95": [[98, 120]], "Indicator: Trojan/Downloader.VB.eex": [[121, 145]], "Indicator: Win32.Virus.VBbind.a": [[146, 166]], "Indicator: W32.Besverit": [[167, 179]], "Indicator: Win32/VB.JU": [[180, 191]], "Indicator: TROJ_DLOADR.SMM": [[192, 207], [394, 409]], "Indicator: Win.Trojan.Cosmu-4": [[208, 226]], "Indicator: Virus.Win32.Lamer.el": [[227, 247], [482, 502]], "Indicator: Trojan.Win32.VB.ltch": [[266, 286]], "Indicator: Troj.Downloader.W32.VB.l4ji": [[287, 314]], "Indicator: Worm.Win32.VB.kp": [[315, 331]], "Indicator: Win32.HLLW.Autoruner.6014": [[368, 393]], "Indicator: BehavesLike.Win32.Autorun.th": [[410, 438]], "Indicator: Trojan/Cosmu.lan": [[439, 455]], "Indicator: Trojan.Win32.Cosmu.887991": [[456, 481]], "Indicator: 
Win32/Lamer.D": [[521, 534]], "Indicator: SIM.Trojan.VBO.0859": [[553, 572]], "Indicator: Trojan.Downloader": [[573, 590]], "Indicator: Win32/VB.NUP": [[591, 603]], "Indicator: Worm.Win32": [[604, 614]], "Indicator: W32/AutoRun.RPV!worm": [[615, 635]], "Indicator: W32/OverDoom.A": [[636, 650]], "Indicator: Virus.Win32.Lamer.B": [[651, 670]]}, "info": {"id": "cyner2_5class_train_01123", "source": "cyner2_5class_train"}} +{"text": "This mechanism is similar to premium rate SMS messages but Trojans do not need to send any SMS in this case – they just need to click on a button on a web-page with WAP-billing.", "spans": {"Indicator: SMS messages": [[42, 54]], "Malware: Trojans": [[59, 66]], "Indicator: send any SMS": [[82, 94]], "Indicator: a web-page with WAP-billing.": [[149, 177]]}, "info": {"id": "cyner2_5class_train_01124", "source": "cyner2_5class_train"}} +{"text": "The stages of the FinFisher multi-layered protection mechanisms Stage 0 : Dropper with custom virtual machine The main dropper implements the VM dispatcher loop and can use 32 different opcodes handlers .", "spans": {"Malware: FinFisher": [[18, 27]]}, "info": {"id": "cyner2_5class_train_01125", "source": "cyner2_5class_train"}} +{"text": "Conclusion Gooligan has breached over a million Google accounts .", "spans": {"Malware: Gooligan": [[11, 19]], "Organization: Google": [[48, 54]]}, "info": {"id": "cyner2_5class_train_01126", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Keylogger.88 Win32.Backdoor.Ciadoor.13.y.2.Pack Backdoor/Ciadoor.13 Backdoor.Ciadoor!4PAHfVwkIvk W32/BackdoorX.FCC Backdoor.Ciadoor Win32/Ciadoor.J BKDR_CIADOOR.E Win32.Stration Backdoor.Win32.Ciadoor.cia Trojan.Keylogger.88 Backdoor.Win32.Ciadoor.13 Trojan.Keylogger.88 Trojan.DownLoader.62487 BDS/Ciadoor.13.A BKDR_CIADOOR.E Backdoor.Win32.Ciadoor!IK Backdoor/Ciadoor.az Backdoor/Win32.Ciadoor VirTool:Win32/VB.L Backdoor.Win32.Ciadoor.60726 Trojan.Keylogger.88 W32/BackdoorX.FCC OScope.Backdoor.VB 
Win32/Ciadoor.13 Backdoor.Win32.Ciadoor W32/Ciadoor.13!tr.bdr BackDoor.Ciadoor.3.AH Bck/Ciadoor.FQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Keylogger.88": [[26, 45], [238, 257], [284, 303], [477, 496]], "Indicator: Win32.Backdoor.Ciadoor.13.y.2.Pack": [[46, 80]], "Indicator: Backdoor/Ciadoor.13": [[81, 100]], "Indicator: Backdoor.Ciadoor!4PAHfVwkIvk": [[101, 129]], "Indicator: W32/BackdoorX.FCC": [[130, 147], [497, 514]], "Indicator: Backdoor.Ciadoor": [[148, 164]], "Indicator: Win32/Ciadoor.J": [[165, 180]], "Indicator: BKDR_CIADOOR.E": [[181, 195], [345, 359]], "Indicator: Win32.Stration": [[196, 210]], "Indicator: Backdoor.Win32.Ciadoor.cia": [[211, 237]], "Indicator: Backdoor.Win32.Ciadoor.13": [[258, 283]], "Indicator: Trojan.DownLoader.62487": [[304, 327]], "Indicator: BDS/Ciadoor.13.A": [[328, 344]], "Indicator: Backdoor.Win32.Ciadoor!IK": [[360, 385]], "Indicator: Backdoor/Ciadoor.az": [[386, 405]], "Indicator: Backdoor/Win32.Ciadoor": [[406, 428]], "Indicator: VirTool:Win32/VB.L": [[429, 447]], "Indicator: Backdoor.Win32.Ciadoor.60726": [[448, 476]], "Indicator: OScope.Backdoor.VB": [[515, 533]], "Indicator: Win32/Ciadoor.13": [[534, 550]], "Indicator: Backdoor.Win32.Ciadoor": [[551, 573]], "Indicator: W32/Ciadoor.13!tr.bdr": [[574, 595]], "Indicator: BackDoor.Ciadoor.3.AH": [[596, 617]], "Indicator: Bck/Ciadoor.FQ": [[618, 632]]}, "info": {"id": "cyner2_5class_train_01127", "source": "cyner2_5class_train"}} +{"text": "Indicators for the TripleNine backdoor used by an actor.", "spans": {"Indicator: Indicators": [[0, 10]], "Malware: TripleNine backdoor": [[19, 38]]}, "info": {"id": "cyner2_5class_train_01128", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pakes Troj.W32.Pakes!c Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.ZCVD-4026 Trojan.Win32.Encoder.euxeay Trojan.Encoder.15133 Trojan.Pakes.Win32.41830 Trojan.Win32.Injector Backdoor.Backboot.s TR/Crypt.Xpack.frnur W32/Injector.DSRQ!tr 
Trojan.Graftor.D67C49 Ransom:Win32/Criakl.D Backdoor.Backboot Ransom.FileCryptor Trj/GdSda.A Trojan.Pakes!3sBO8Lnk+/0 Win32/Trojan.7d4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pakes": [[26, 38]], "Indicator: Troj.W32.Pakes!c": [[39, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[56, 98]], "Indicator: W32/Trojan.ZCVD-4026": [[99, 119]], "Indicator: Trojan.Win32.Encoder.euxeay": [[120, 147]], "Indicator: Trojan.Encoder.15133": [[148, 168]], "Indicator: Trojan.Pakes.Win32.41830": [[169, 193]], "Indicator: Trojan.Win32.Injector": [[194, 215]], "Indicator: Backdoor.Backboot.s": [[216, 235]], "Indicator: TR/Crypt.Xpack.frnur": [[236, 256]], "Indicator: W32/Injector.DSRQ!tr": [[257, 277]], "Indicator: Trojan.Graftor.D67C49": [[278, 299]], "Indicator: Ransom:Win32/Criakl.D": [[300, 321]], "Indicator: Backdoor.Backboot": [[322, 339]], "Indicator: Ransom.FileCryptor": [[340, 358]], "Indicator: Trj/GdSda.A": [[359, 370]], "Indicator: Trojan.Pakes!3sBO8Lnk+/0": [[371, 395]], "Indicator: Win32/Trojan.7d4": [[396, 412]]}, "info": {"id": "cyner2_5class_train_01129", "source": "cyner2_5class_train"}} +{"text": "Some of the stolen Skype databases included chat history going back to 2012 and activity as recent as January 2014", "spans": {"System: Skype databases": [[19, 34]]}, "info": {"id": "cyner2_5class_train_01130", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Rootkit.Win32.Xanfpezes!O Trojan.Rootkitdrv Rootkit.Xanfpezes.Win32.13 Trojan/Xanfpezes.bru Trojan.Symmi.DC01B Win32.Trojan.WisdomEyes.16070401.9500.9873 W32/Trojan.VQCP-2977 Win32/Rootkit.KX RTKT_HIDEPROC.BB Win.Trojan.Hideproc-77 Rootkit.Win32.Xanfpezes.bru Riskware.Win32.HideProc.crvalg Trojan.Fakealert.28173 RTKT_HIDEPROC.BB BehavesLike.Win32.PUP.wc Downloader.Delphi TrojanDropper.Delf.cdq RiskWare[RiskTool]/Win32.HideProc Win32.Hack.Rootkit.kcloud Rootkit.Win32.Xanfpezes.bru Backdoor/Win32.Xanfpezes.C131817 TrojanDownloader.Banload 
HackTool.Win32.ProcHide.ad Rootkit.Xanfpezes!kqbV3Mm24ww", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Rootkit.Win32.Xanfpezes!O": [[26, 51]], "Indicator: Trojan.Rootkitdrv": [[52, 69]], "Indicator: Rootkit.Xanfpezes.Win32.13": [[70, 96]], "Indicator: Trojan/Xanfpezes.bru": [[97, 117]], "Indicator: Trojan.Symmi.DC01B": [[118, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9873": [[137, 179]], "Indicator: W32/Trojan.VQCP-2977": [[180, 200]], "Indicator: Win32/Rootkit.KX": [[201, 217]], "Indicator: RTKT_HIDEPROC.BB": [[218, 234], [340, 356]], "Indicator: Win.Trojan.Hideproc-77": [[235, 257]], "Indicator: Rootkit.Win32.Xanfpezes.bru": [[258, 285], [483, 510]], "Indicator: Riskware.Win32.HideProc.crvalg": [[286, 316]], "Indicator: Trojan.Fakealert.28173": [[317, 339]], "Indicator: BehavesLike.Win32.PUP.wc": [[357, 381]], "Indicator: Downloader.Delphi": [[382, 399]], "Indicator: TrojanDropper.Delf.cdq": [[400, 422]], "Indicator: RiskWare[RiskTool]/Win32.HideProc": [[423, 456]], "Indicator: Win32.Hack.Rootkit.kcloud": [[457, 482]], "Indicator: Backdoor/Win32.Xanfpezes.C131817": [[511, 543]], "Indicator: TrojanDownloader.Banload": [[544, 568]], "Indicator: HackTool.Win32.ProcHide.ad": [[569, 595]], "Indicator: Rootkit.Xanfpezes!kqbV3Mm24ww": [[596, 625]]}, "info": {"id": "cyner2_5class_train_01131", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Nsis.Ocna.eqkruk Trojan.InstallCoreCRTD.Win32.3467 Win32/RA-based.AB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nsis.Ocna.eqkruk": [[26, 49]], "Indicator: Trojan.InstallCoreCRTD.Win32.3467": [[50, 83]], "Indicator: Win32/RA-based.AB": [[84, 101]]}, "info": {"id": "cyner2_5class_train_01132", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Mariofev.O Win32.Worm.Mariofev.O WORM_MARIOFEV.TO Win32.Trojan.WisdomEyes.16070401.9500.9961 W32/Backdoor2.CSNQ W32.Spamuzle WORM_MARIOFEV.TO Win.Spyware.53855-2 Worm.Win32.Pinit.piv 
Win32.Worm.Mariofev.O Trojan.Win32.Pinit.bmcqcd W32.W.Pinit.piv!c Win32.Worm.Pinit.Ljul Win32.Worm.Mariofev.O Win32.Worm.Mariofev.O BackDoor.Zapinit.81 BehavesLike.Win32.VTFlooder.nc Trojan-Ransom.HydraCrypt W32/Backdoor.CNPZ-8382 TrojanDropper:Win32/Mariofev.H Worm.Win32.Pinit.piv Worm.Pinit Worm.Mariofev!HCn84tcMG2k", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Mariofev.O": [[26, 47], [48, 69], [220, 241], [308, 329], [330, 351]], "Indicator: WORM_MARIOFEV.TO": [[70, 86], [162, 178]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[87, 129]], "Indicator: W32/Backdoor2.CSNQ": [[130, 148]], "Indicator: W32.Spamuzle": [[149, 161]], "Indicator: Win.Spyware.53855-2": [[179, 198]], "Indicator: Worm.Win32.Pinit.piv": [[199, 219], [482, 502]], "Indicator: Trojan.Win32.Pinit.bmcqcd": [[242, 267]], "Indicator: W32.W.Pinit.piv!c": [[268, 285]], "Indicator: Win32.Worm.Pinit.Ljul": [[286, 307]], "Indicator: BackDoor.Zapinit.81": [[352, 371]], "Indicator: BehavesLike.Win32.VTFlooder.nc": [[372, 402]], "Indicator: Trojan-Ransom.HydraCrypt": [[403, 427]], "Indicator: W32/Backdoor.CNPZ-8382": [[428, 450]], "Indicator: TrojanDropper:Win32/Mariofev.H": [[451, 481]], "Indicator: Worm.Pinit": [[503, 513]], "Indicator: Worm.Mariofev!HCn84tcMG2k": [[514, 539]]}, "info": {"id": "cyner2_5class_train_01133", "source": "cyner2_5class_train"}} +{"text": "This capability was confirmed when the Android permission , called android.permission.RECORD_AUDIO , was being requested along with code found in the app .", "spans": {"System: Android": [[39, 46]], "Indicator: android.permission.RECORD_AUDIO": [[67, 98]]}, "info": {"id": "cyner2_5class_train_01134", "source": "cyner2_5class_train"}} +{"text": "Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.", "spans": {"Malware: malware": [[124, 131]]}, "info": {"id": "cyner2_5class_train_01135", "source": 
"cyner2_5class_train"}} +{"text": "The fake applications are built using WebView , a popular extension of Android ’ s View class that lets the developer show a webpage .", "spans": {"System: WebView": [[38, 45]], "System: Android": [[71, 78]]}, "info": {"id": "cyner2_5class_train_01136", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Novel.DOS.1 PSW.Novel TROJ_PSWNOVEL.A Trojan-PSW.DOS.Novel Trojan.Dos.Novel.fnqs DOS.S.PSWNovel.7120 Troj.PSW.DOS.Novel!c TrojWare.PSW.Novel TROJ_PSWNOVEL.A Trojan/PSW.Novel TR/PSW.Novel Trojan[PSW]/DOS.Novel Trojan-PSW.DOS.Novel Login.7120 Dos.Trojan-qqpass.Qqrob.Aenr W32/HLLW_NewStory.A!tr.pws Win32/Trojan.99d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Novel.DOS.1": [[26, 44]], "Indicator: PSW.Novel": [[45, 54]], "Indicator: TROJ_PSWNOVEL.A": [[55, 70], [174, 189]], "Indicator: Trojan-PSW.DOS.Novel": [[71, 91], [242, 262]], "Indicator: Trojan.Dos.Novel.fnqs": [[92, 113]], "Indicator: DOS.S.PSWNovel.7120": [[114, 133]], "Indicator: Troj.PSW.DOS.Novel!c": [[134, 154]], "Indicator: TrojWare.PSW.Novel": [[155, 173]], "Indicator: Trojan/PSW.Novel": [[190, 206]], "Indicator: TR/PSW.Novel": [[207, 219]], "Indicator: Trojan[PSW]/DOS.Novel": [[220, 241]], "Indicator: Login.7120": [[263, 273]], "Indicator: Dos.Trojan-qqpass.Qqrob.Aenr": [[274, 302]], "Indicator: W32/HLLW_NewStory.A!tr.pws": [[303, 329]], "Indicator: Win32/Trojan.99d": [[330, 346]]}, "info": {"id": "cyner2_5class_train_01137", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Losicoa.S18597 Trojan.Zusy.D39F92 TrojanDownloader:Win32/Qdownb.A Trojan.Win32.BHO Win32/Trojan.cb1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Losicoa.S18597": [[26, 47]], "Indicator: Trojan.Zusy.D39F92": [[48, 66]], "Indicator: TrojanDownloader:Win32/Qdownb.A": [[67, 98]], "Indicator: Trojan.Win32.BHO": [[99, 115]], "Indicator: Win32/Trojan.cb1": [[116, 132]]}, "info": {"id": "cyner2_5class_train_01138", 
"source": "cyner2_5class_train"}} +{"text": "The group effectively controls an arsenal of over 85 million mobile devices around the world.", "spans": {"System: mobile devices": [[61, 75]]}, "info": {"id": "cyner2_5class_train_01139", "source": "cyner2_5class_train"}} +{"text": "Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency SFMTA.", "spans": {"Malware: variant": [[98, 105]], "Indicator: attack": [[134, 140]], "Organization: San Francisco Municipal Transport Agency SFMTA.": [[149, 196]]}, "info": {"id": "cyner2_5class_train_01140", "source": "cyner2_5class_train"}} +{"text": "Retrieve the browsing history and bookmarks from Chrome and SBrowser ( the browser shipped with Samsung phones ) .", "spans": {"System: Chrome": [[49, 55]], "System: SBrowser": [[60, 68]], "Organization: Samsung": [[96, 103]]}, "info": {"id": "cyner2_5class_train_01141", "source": "cyner2_5class_train"}} +{"text": "Interestingly , \" mundizza '' is typical of Calabria , a region in the south of Italy , and more specifically it appears to be language native of the city of Catanzaro .", "spans": {}, "info": {"id": "cyner2_5class_train_01142", "source": "cyner2_5class_train"}} +{"text": "We observed 3 squatting domain registrations related to a victim in the media sector.", "spans": {"Indicator: domain": [[24, 30]], "Organization: victim": [[58, 64]], "Organization: the media sector.": [[68, 85]]}, "info": {"id": "cyner2_5class_train_01143", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D1558E Win32.Trojan.WisdomEyes.16070401.9500.9566 Trojan.MSIL.Crypt W32/Trojan.UXDY-5009 TR/Kryptik.udtxo TrojanDropper:MSIL/Vibes.A Trj/GdSda.A MSIL/Kryptik.GXI!tr Win32/Trojan.855", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D1558E": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9566": [[45, 87]], 
"Indicator: Trojan.MSIL.Crypt": [[88, 105]], "Indicator: W32/Trojan.UXDY-5009": [[106, 126]], "Indicator: TR/Kryptik.udtxo": [[127, 143]], "Indicator: TrojanDropper:MSIL/Vibes.A": [[144, 170]], "Indicator: Trj/GdSda.A": [[171, 182]], "Indicator: MSIL/Kryptik.GXI!tr": [[183, 202]], "Indicator: Win32/Trojan.855": [[203, 219]]}, "info": {"id": "cyner2_5class_train_01144", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 PowerShell.DownLoader.36 BehavesLike.Win32.Trojan.dh Trojan-Dropper.PowerShell.Ploty W32/Trojan.ZKDA-3628 TrojanDropper:PowerShell/Ploty.C Trj/CI.A JS/Psdl.A!tr.dldr Win32/Trojan.f31", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: PowerShell.DownLoader.36": [[69, 93]], "Indicator: BehavesLike.Win32.Trojan.dh": [[94, 121]], "Indicator: Trojan-Dropper.PowerShell.Ploty": [[122, 153]], "Indicator: W32/Trojan.ZKDA-3628": [[154, 174]], "Indicator: TrojanDropper:PowerShell/Ploty.C": [[175, 207]], "Indicator: Trj/CI.A": [[208, 216]], "Indicator: JS/Psdl.A!tr.dldr": [[217, 234]], "Indicator: Win32/Trojan.f31": [[235, 251]]}, "info": {"id": "cyner2_5class_train_01145", "source": "cyner2_5class_train"}} +{"text": "Analysis of HackingTeam Android malware", "spans": {"Organization: HackingTeam": [[12, 23]], "Malware: Android malware": [[24, 39]]}, "info": {"id": "cyner2_5class_train_01146", "source": "cyner2_5class_train"}} +{"text": "We refer to this backdoor as T9000, which is a newer variant of the T5000 malware family, also known as Plat1.", "spans": {"Malware: backdoor": [[17, 25]], "Malware: T9000,": [[29, 35]], "Malware: variant": [[53, 60]], "Malware: T5000 malware family,": [[68, 89]], "Malware: Plat1.": [[104, 110]]}, "info": {"id": "cyner2_5class_train_01147", "source": "cyner2_5class_train"}} +{"text": "In 2016 , these services protected over 1.4 billion devices , making Google one of the largest providers of 
on-device security services in the world : Identify PHAs using people , systems in the cloud , and data sent to us from devices Warn users about or blocking users from installing PHAs Continually scan devices for PHAs and other harmful threats Additionally , we are providing detailed technical information to help the security industry in our collective work against PHAs .", "spans": {"Organization: Google": [[69, 75]]}, "info": {"id": "cyner2_5class_train_01148", "source": "cyner2_5class_train"}} +{"text": "Check Point Software So far , HummingBad has been observed using its highly privileged status only to engage in click fraud , display pop-up ads , tamper with Google Play , and install additional apps that do more of the same .", "spans": {"Organization: Check Point Software": [[0, 20]], "Malware: HummingBad": [[30, 40]], "System: Google Play": [[159, 170]]}, "info": {"id": "cyner2_5class_train_01149", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Pottieq Win32.Trojan.WisdomEyes.16070401.9500.9786 Trojan.Win32.Aura.evxqqg Trojan.Encoder.2667 BehavesLike.Win32.BadFile.th TrojanDropper.FrauDrop.annq Trojan[Ransom]/Win32.Aura Ransom:Win32/Pottieq.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Pottieq": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9786": [[41, 83]], "Indicator: Trojan.Win32.Aura.evxqqg": [[84, 108]], "Indicator: Trojan.Encoder.2667": [[109, 128]], "Indicator: BehavesLike.Win32.BadFile.th": [[129, 157]], "Indicator: TrojanDropper.FrauDrop.annq": [[158, 185]], "Indicator: Trojan[Ransom]/Win32.Aura": [[186, 211]], "Indicator: Ransom:Win32/Pottieq.A": [[212, 234]]}, "info": {"id": "cyner2_5class_train_01150", "source": "cyner2_5class_train"}} +{"text": "] 6 2020-02-29 http : //themoil [ .", "spans": {"Indicator: http : //themoil [ .": [[15, 35]]}, "info": {"id": "cyner2_5class_train_01151", "source": "cyner2_5class_train"}} +{"text": "The Trapwot malware family is considered scareware or 
rogue antivirus because it attempts to mislead victims into believing their machine is infected with malware.", "spans": {"Malware: Trapwot malware family": [[4, 26]], "Malware: scareware": [[41, 50]], "Malware: rogue antivirus": [[54, 69]], "System: machine": [[130, 137]]}, "info": {"id": "cyner2_5class_train_01152", "source": "cyner2_5class_train"}} +{"text": "In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.", "spans": {"System: Microsoft Exchange servers": [[88, 114]], "Malware: custom backdoor": [[123, 138]], "Malware: credential logger.": [[143, 161]]}, "info": {"id": "cyner2_5class_train_01153", "source": "cyner2_5class_train"}} +{"text": "The malware sets a registry value ( whose name is read from the configuration file ) to “ C : \\Windows\\system32\\rundll32.exe c : \\ProgramData\\AuditApp\\d3d9.dll , Control_Run ” .", "spans": {"Indicator: C : \\Windows\\system32\\rundll32.exe": [[90, 124]], "Indicator: c : \\ProgramData\\AuditApp\\d3d9.dll ,": [[125, 161]], "Indicator: Control_Run": [[162, 173]]}, "info": {"id": "cyner2_5class_train_01154", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer Win32.Trojan.WisdomEyes.16070401.9500.9999 MSIL.Packed.Skaldring.D Win32.Trojan.Fsysna.Hwwo Trojan.DownLoader14.15241 BehavesLike.Win32.Trojan.cc Trojan.Crypt TR/Dropper.MSIL.rpjh Trojan.Barys.DCAFA Trojan:Win32/Bshan.A Trojan.Fsysna! 
MSIL/Injector.PKZ!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[41, 83]], "Indicator: MSIL.Packed.Skaldring.D": [[84, 107]], "Indicator: Win32.Trojan.Fsysna.Hwwo": [[108, 132]], "Indicator: Trojan.DownLoader14.15241": [[133, 158]], "Indicator: BehavesLike.Win32.Trojan.cc": [[159, 186]], "Indicator: Trojan.Crypt": [[187, 199]], "Indicator: TR/Dropper.MSIL.rpjh": [[200, 220]], "Indicator: Trojan.Barys.DCAFA": [[221, 239]], "Indicator: Trojan:Win32/Bshan.A": [[240, 260]], "Indicator: Trojan.Fsysna!": [[261, 275]], "Indicator: MSIL/Injector.PKZ!tr": [[276, 296]], "Indicator: Trj/GdSda.A": [[297, 308]]}, "info": {"id": "cyner2_5class_train_01155", "source": "cyner2_5class_train"}} +{"text": "Yamato Transport - One of Japan 's largest door-to-door delivery service companies , also in Tokyo .", "spans": {"Organization: Yamato Transport": [[0, 16]]}, "info": {"id": "cyner2_5class_train_01156", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Alien Trojan.Zusy.D3E06C Win32.Trojan.WisdomEyes.16070401.9500.9952 Worm.Win32.Alien.oe W32/Trojan.RDLO-7674 WORM/Alien.ugxeq TrojanDownloader:VBS/Kaloki.A Worm.Win32.Alien.oe Trj/CI.A Win32/Trojan.9de", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Alien": [[26, 36]], "Indicator: Trojan.Zusy.D3E06C": [[37, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9952": [[56, 98]], "Indicator: Worm.Win32.Alien.oe": [[99, 118], [187, 206]], "Indicator: W32/Trojan.RDLO-7674": [[119, 139]], "Indicator: WORM/Alien.ugxeq": [[140, 156]], "Indicator: TrojanDownloader:VBS/Kaloki.A": [[157, 186]], "Indicator: Trj/CI.A": [[207, 215]], "Indicator: Win32/Trojan.9de": [[216, 232]]}, "info": {"id": "cyner2_5class_train_01157", "source": "cyner2_5class_train"}} +{"text": "The malware was included as an attachment intended to trick the user into opening the malware.", "spans": {"Malware: malware": [[4, 
11]], "Malware: malware.": [[86, 94]]}, "info": {"id": "cyner2_5class_train_01158", "source": "cyner2_5class_train"}} +{"text": "Cybercriminals, however, are equal opportunity exploiters, so just recently an interesting targeted malware campaign was found to be using another document vulnerability.", "spans": {"Vulnerability: vulnerability.": [[156, 170]]}, "info": {"id": "cyner2_5class_train_01159", "source": "cyner2_5class_train"}} +{"text": "The backdoor code was found between Display Widgets version 2.6.1 released June 30 and version 2.6.3 released September 2.", "spans": {"Indicator: The backdoor code": [[0, 17]], "Indicator: Display Widgets version 2.6.1": [[36, 65]], "Indicator: version 2.6.3": [[87, 100]]}, "info": {"id": "cyner2_5class_train_01160", "source": "cyner2_5class_train"}} +{"text": "Most devices can be controlled by Xiaomi ’ s “ MiHome ” Android app , which is available on Google Play with between 1,000,000 and 5,000,000 downloads .", "spans": {"Organization: Xiaomi": [[34, 40]], "System: MiHome": [[47, 53]], "System: Android": [[56, 63]], "System: Google Play": [[92, 103]]}, "info": {"id": "cyner2_5class_train_01161", "source": "cyner2_5class_train"}} +{"text": "However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33.", "spans": {}, "info": {"id": "cyner2_5class_train_01162", "source": "cyner2_5class_train"}} +{"text": "Because all the URLs used in this campaign have the form of hxxp : //yyyyyyyy [ .", "spans": {"Indicator: hxxp : //yyyyyyyy [ .": [[60, 81]]}, "info": {"id": "cyner2_5class_train_01163", "source": "cyner2_5class_train"}} +{"text": "If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.", "spans": {"Indicator: unique identifier": [[56, 73]], "Indicator: C&C server": [[106, 116]]}, "info": {"id": "cyner2_5class_train_01164", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Avosim Backdoor.Trojan W32/Trojan.BPEV-1033 BDS/Avosim.azmiq W32/ISMdoor.5E1D!tr Trj/GdSda.A Win32/Backdoor.ed0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Avosim": [[26, 41]], "Indicator: Backdoor.Trojan": [[42, 57]], "Indicator: W32/Trojan.BPEV-1033": [[58, 78]], "Indicator: BDS/Avosim.azmiq": [[79, 95]], "Indicator: W32/ISMdoor.5E1D!tr": [[96, 115]], "Indicator: Trj/GdSda.A": [[116, 127]], "Indicator: Win32/Backdoor.ed0": [[128, 146]]}, "info": {"id": "cyner2_5class_train_01165", "source": "cyner2_5class_train"}} +{"text": "run a malicious DEX file without notification,", "spans": {"Malware: malicious": [[6, 15]], "Indicator: DEX file": [[16, 24]]}, "info": {"id": "cyner2_5class_train_01166", "source": "cyner2_5class_train"}} +{"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers .", "spans": {}, "info": {"id": "cyner2_5class_train_01167", "source": "cyner2_5class_train"}} +{"text": "A further blog by FireEye titled Acknowledgement of Attacks Leveraging Microsoft Zero-Day provided additional useful information.", "spans": {"Organization: FireEye": [[18, 25]], "Indicator: Attacks": [[52, 59]], "Vulnerability: Leveraging Microsoft Zero-Day": [[60, 89]]}, "info": {"id": "cyner2_5class_train_01168", "source": "cyner2_5class_train"}} +{"text": "The Trojan uses this counter to activate the bot - if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe .", "spans": {}, "info": {"id": "cyner2_5class_train_01169", "source": "cyner2_5class_train"}} +{"text": "The Sage ransomware variant appears to have been out of circulation for a while in the malware scene.", "spans": {"Malware: The Sage ransomware variant": [[0, 27]], "Malware: malware": [[87, 94]]}, "info": {"id": "cyner2_5class_train_01170", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: PDF/Trojan.PGPW-0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF/Trojan.PGPW-0": [[26, 43]]}, "info": {"id": "cyner2_5class_train_01171", "source": "cyner2_5class_train"}} +{"text": "After further research, we found the malware has been repackaged into several pirated iOS apps that are available for download via multiple channels.", "spans": {"Malware: malware": [[37, 44]], "Indicator: pirated iOS apps": [[78, 94]], "Indicator: multiple channels.": [[131, 149]]}, "info": {"id": "cyner2_5class_train_01172", "source": "cyner2_5class_train"}} +{"text": "Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis.", "spans": {"Malware: Crypt0l0cker": [[0, 12]], "Malware: malware": [[95, 102]]}, "info": {"id": "cyner2_5class_train_01173", "source": "cyner2_5class_train"}} +{"text": "These attacks are only becoming more common , with one third of all malware now targeting mobile endpoints .", "spans": {}, "info": {"id": "cyner2_5class_train_01174", "source": "cyner2_5class_train"}} +{"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config .", "spans": {}, "info": {"id": "cyner2_5class_train_01175", "source": "cyner2_5class_train"}} +{"text": "Let ’ s take a closer look at the suspicious file .", "spans": {}, "info": {"id": "cyner2_5class_train_01176", "source": "cyner2_5class_train"}} +{"text": "The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia.", "spans": {}, "info": {"id": "cyner2_5class_train_01177", "source": "cyner2_5class_train"}} +{"text": "Even harder is when you do not receive telemetry data from products that contains information about infected machines.", "spans": {"Indicator: telemetry data": 
[[39, 53]], "System: infected machines.": [[100, 118]]}, "info": {"id": "cyner2_5class_train_01178", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01179", "source": "cyner2_5class_train"}} +{"text": "What is more, they are tied to the attacked applications, which creates an illusion that they are legitimate and belong to the corresponding software.", "spans": {"Indicator: attacked": [[35, 43]], "System: applications,": [[44, 57]], "Indicator: illusion": [[75, 83]], "Indicator: legitimate": [[98, 108]], "Indicator: belong to the corresponding software.": [[113, 150]]}, "info": {"id": "cyner2_5class_train_01180", "source": "cyner2_5class_train"}} +{"text": "However, there are several good reasons for an attacker to use this particular feature.", "spans": {"Vulnerability: feature.": [[79, 87]]}, "info": {"id": "cyner2_5class_train_01181", "source": "cyner2_5class_train"}} +{"text": "NCC Group is monitoring a number of OOXML and RTF techniques our red team has been using since September 2016, which uncovered multiple malicious documents from around August 2017.", "spans": {"Organization: NCC Group": [[0, 9]], "Indicator: OOXML": [[36, 41]], "Indicator: RTF techniques": [[46, 60]], "Organization: red team": [[65, 73]], "Indicator: multiple malicious documents": [[127, 155]]}, "info": {"id": "cyner2_5class_train_01182", "source": "cyner2_5class_train"}} +{"text": "“ Agent Smith ” will replace the original application ’ s activities with an in-house SDK ’ s activity , which will show the banner received from the server .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_5class_train_01183", "source": "cyner2_5class_train"}} +{"text": "It has modular architecture implemented in the form of plugins , or it can receive new .NET source code , which will be compiled on the device in runtime .", "spans": {"System: .NET": [[87, 91]]}, "info": {"id": "cyner2_5class_train_01184", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Sality!O Tool.Transmit.Win32.60 Win32.Trojan.WisdomEyes.16070401.9500.9549 not-a-virus:NetTool.Win32.Transmit.a Riskware.Win32.Transmit.exlakv Trojan.Win32.Z.Transmit.67795 Backdoor.Win32.VanBot.24 Tool.Transmit BehavesLike.Win32.VirRansom.kc Trojan/Pakes.emd not-a-virus:NetTool.Win32.Transmit.a Trj/CI.A Trojan.TenThief.DNFTrojan.tnh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: Tool.Transmit.Win32.60": [[47, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9549": [[70, 112]], "Indicator: not-a-virus:NetTool.Win32.Transmit.a": [[113, 149], [298, 334]], "Indicator: Riskware.Win32.Transmit.exlakv": [[150, 180]], "Indicator: Trojan.Win32.Z.Transmit.67795": [[181, 210]], "Indicator: Backdoor.Win32.VanBot.24": [[211, 235]], "Indicator: Tool.Transmit": [[236, 249]], "Indicator: BehavesLike.Win32.VirRansom.kc": [[250, 280]], "Indicator: Trojan/Pakes.emd": [[281, 297]], "Indicator: Trj/CI.A": [[335, 343]], "Indicator: Trojan.TenThief.DNFTrojan.tnh": [[344, 373]]}, "info": {"id": "cyner2_5class_train_01185", "source": "cyner2_5class_train"}} +{"text": "The attacks leveraged a malware named EyePyramid to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.", "spans": {"Indicator: attacks": [[4, 11]], "Malware: malware": [[24, 31]], "Malware: EyePyramid": [[38, 48]], "Organization: politicians, bankers, prominent freemasons": [[67, 109]], "Organization: law enforcement personalities": [[114, 143]]}, "info": {"id": "cyner2_5class_train_01186", "source": "cyner2_5class_train"}} +{"text": "Recently, we've seen a number of reports related to 9002 remote access Trojan RAT.", "spans": {"Malware: 9002 remote access Trojan RAT.": [[52, 82]]}, "info": {"id": "cyner2_5class_train_01187", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kadena.B4 Trojan.Ipatre.1 
Win32.Trojan.Kryptik.lx TROJ_UPATRE.SMX7 Win32.Trojan.Kryptik.CI Trojan.Win32.Kryptik.expevv Trojan.Win32.Z.Upatre.71168.AI TrojWare.Win32.TrojanDownloader.Upatre.EMD Trojan.DownLoader26.15470 TROJ_UPATRE.SMX7 W32/Trojan.DPWC-8231 TR/Crypt.ZPACK.karjs Trojan/Win32.Upatre.R160419 Trojan-Downloader.Win32.Waski W32/Kryptic.ABGK!tr Win32/Trojan.8c5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kadena.B4": [[26, 42]], "Indicator: Trojan.Ipatre.1": [[43, 58]], "Indicator: Win32.Trojan.Kryptik.lx": [[59, 82]], "Indicator: TROJ_UPATRE.SMX7": [[83, 99], [252, 268]], "Indicator: Win32.Trojan.Kryptik.CI": [[100, 123]], "Indicator: Trojan.Win32.Kryptik.expevv": [[124, 151]], "Indicator: Trojan.Win32.Z.Upatre.71168.AI": [[152, 182]], "Indicator: TrojWare.Win32.TrojanDownloader.Upatre.EMD": [[183, 225]], "Indicator: Trojan.DownLoader26.15470": [[226, 251]], "Indicator: W32/Trojan.DPWC-8231": [[269, 289]], "Indicator: TR/Crypt.ZPACK.karjs": [[290, 310]], "Indicator: Trojan/Win32.Upatre.R160419": [[311, 338]], "Indicator: Trojan-Downloader.Win32.Waski": [[339, 368]], "Indicator: W32/Kryptic.ABGK!tr": [[369, 388]], "Indicator: Win32/Trojan.8c5": [[389, 405]]}, "info": {"id": "cyner2_5class_train_01188", "source": "cyner2_5class_train"}} +{"text": "Under these conditions , the app continues executing and the intent of targeting Xiaomi devices and users could be inferred , however poorly written code results in execution in more environments than perhaps intended ; further checks are made to ascertain whether the app is running on an emulator , perhaps to evade researcher analysis environments .", "spans": {"Organization: Xiaomi": [[81, 87]]}, "info": {"id": "cyner2_5class_train_01189", "source": "cyner2_5class_train"}} +{"text": "EventBot Updated library naming convention EventBot New library naming convention .", "spans": {"Malware: EventBot": [[43, 51]]}, "info": {"id": "cyner2_5class_train_01190", "source": "cyner2_5class_train"}} +{"text": "When clicked it 
launches an infection chain made up of JavaScript, and a final shellcode payload that makes use of DNS to load additional shellcode from a remote command and control server.", "spans": {"Indicator: JavaScript,": [[55, 66]], "Indicator: final shellcode payload": [[73, 96]], "System: DNS": [[115, 118]], "Malware: shellcode": [[138, 147]], "Indicator: a remote command and control server.": [[153, 189]]}, "info": {"id": "cyner2_5class_train_01191", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.IRC.MRAK.A Virus.Win32.Mkar!O W32.Mkar.A4 Backdoor.IRC.MRAK.A Virus.Mkar.Win32.5 Backdoor.IRC.MRAK.A Win32.Trojan.WisdomEyes.16070401.9500.9981 W32/Mkar.C W32.Marak PE_MKAR.A.DAM Win.Trojan.Mkar-3 Virus.Win32.Mkar.a Backdoor.IRC.MRAK.A Virus.Win32.Mkar.cyau Backdoor.IRC.MRAK.A Win32.Mkar.A Backdoor.IRC.MRAK.A Win32.HLLP.Mrak.9 PE_MKAR.A.DAM BehavesLike.Win32.Koobface.mc W32/Mkar.LNJG-1026 WORM/Mkar.A Backdoor:Win32/Mkar.A Win32.Mrak.A Virus.Win32.Mkar.a Backdoor.IRC.MRAK.A Malware/Win32.Mkar.C408081 Win32/Mkar.A Win32.Mkar.E Virus.Win32.Mkar W32/Mkar.D W32/Mkar.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.IRC.MRAK.A": [[26, 45], [77, 96], [116, 135], [251, 270], [293, 312], [326, 345], [493, 512]], "Indicator: Virus.Win32.Mkar!O": [[46, 64]], "Indicator: W32.Mkar.A4": [[65, 76]], "Indicator: Virus.Mkar.Win32.5": [[97, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9981": [[136, 178]], "Indicator: W32/Mkar.C": [[179, 189]], "Indicator: W32.Marak": [[190, 199]], "Indicator: PE_MKAR.A.DAM": [[200, 213], [364, 377]], "Indicator: Win.Trojan.Mkar-3": [[214, 231]], "Indicator: Virus.Win32.Mkar.a": [[232, 250], [474, 492]], "Indicator: Virus.Win32.Mkar.cyau": [[271, 292]], "Indicator: Win32.Mkar.A": [[313, 325]], "Indicator: Win32.HLLP.Mrak.9": [[346, 363]], "Indicator: BehavesLike.Win32.Koobface.mc": [[378, 407]], "Indicator: W32/Mkar.LNJG-1026": [[408, 426]], "Indicator: WORM/Mkar.A": [[427, 438]], "Indicator: 
Backdoor:Win32/Mkar.A": [[439, 460]], "Indicator: Win32.Mrak.A": [[461, 473]], "Indicator: Malware/Win32.Mkar.C408081": [[513, 539]], "Indicator: Win32/Mkar.A": [[540, 552]], "Indicator: Win32.Mkar.E": [[553, 565]], "Indicator: Virus.Win32.Mkar": [[566, 582]], "Indicator: W32/Mkar.D": [[583, 593]], "Indicator: W32/Mkar.E": [[594, 604]]}, "info": {"id": "cyner2_5class_train_01192", "source": "cyner2_5class_train"}} +{"text": "CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee DNC, the formal governing body for the US Democratic Party, to respond to a suspected breach.", "spans": {"Organization: CrowdStrike Services Inc.,": [[0, 26]], "Organization: the Democratic National Committee": [[70, 103]], "Organization: formal governing body": [[113, 134]], "Organization: US Democratic Party,": [[143, 163]], "Indicator: suspected breach.": [[180, 197]]}, "info": {"id": "cyner2_5class_train_01193", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Buzus.32878.D TrojanDownloader.Small.grk Trojan/Downloader.Small.grk Trojan.DL.Small.ALEE Win32/SlhBack.B W32/Downldr2.BDIE W32/DLoader.DZIA Trojan.Downloader-20119 Trojan-Downloader.Win32.Small.grk Trojan.Downloader.Delf.OJS Backdoor.Win32.SlhBack.B Trojan.Downloader.Delf.OJS Trojan.DownLoader.50258 TR/Dldr.Small.grk.24 TROJ_DELF.HXO Heuristic.BehavesLike.Win32.Backdoor.H Win32/SillyDl.ETL W32/Downldr2.BDIE TrojanDownloader.Small.zhn Trojan-PWS.Win32.OnLineGames!IK TrojanDownloader:Win32/Small.AAAL Trojan.Win32.Downloader.35496 Trojan.Downloader.Delf.OJS Win-Trojan/Downloader.32877 Trojan-Downloader.Win32.Small.grk Trojan.DL.Small.AJEZ Trojan.DL.Win32.Small.grk Trojan-PWS.Win32.OnLineGames W32/Small.GRK!tr Trj/Downloader.REB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Buzus.32878.D": [[26, 50]], "Indicator: TrojanDownloader.Small.grk": [[51, 77]], "Indicator: Trojan/Downloader.Small.grk": [[78, 105]], "Indicator: 
Trojan.DL.Small.ALEE": [[106, 126]], "Indicator: Win32/SlhBack.B": [[127, 142]], "Indicator: W32/Downldr2.BDIE": [[143, 160], [431, 448]], "Indicator: W32/DLoader.DZIA": [[161, 177]], "Indicator: Trojan.Downloader-20119": [[178, 201]], "Indicator: Trojan-Downloader.Win32.Small.grk": [[202, 235], [627, 660]], "Indicator: Trojan.Downloader.Delf.OJS": [[236, 262], [288, 314], [572, 598]], "Indicator: Backdoor.Win32.SlhBack.B": [[263, 287]], "Indicator: Trojan.DownLoader.50258": [[315, 338]], "Indicator: TR/Dldr.Small.grk.24": [[339, 359]], "Indicator: TROJ_DELF.HXO": [[360, 373]], "Indicator: Heuristic.BehavesLike.Win32.Backdoor.H": [[374, 412]], "Indicator: Win32/SillyDl.ETL": [[413, 430]], "Indicator: TrojanDownloader.Small.zhn": [[449, 475]], "Indicator: Trojan-PWS.Win32.OnLineGames!IK": [[476, 507]], "Indicator: TrojanDownloader:Win32/Small.AAAL": [[508, 541]], "Indicator: Trojan.Win32.Downloader.35496": [[542, 571]], "Indicator: Win-Trojan/Downloader.32877": [[599, 626]], "Indicator: Trojan.DL.Small.AJEZ": [[661, 681]], "Indicator: Trojan.DL.Win32.Small.grk": [[682, 707]], "Indicator: Trojan-PWS.Win32.OnLineGames": [[708, 736]], "Indicator: W32/Small.GRK!tr": [[737, 753]], "Indicator: Trj/Downloader.REB": [[754, 772]]}, "info": {"id": "cyner2_5class_train_01194", "source": "cyner2_5class_train"}} +{"text": "The C & C server IP addresses used also appear to be disparate , as they were located in many European countries like Russia , France , Holland , and Germany .", "spans": {}, "info": {"id": "cyner2_5class_train_01195", "source": "cyner2_5class_train"}} +{"text": "The McAfee Labs research team has tracked an advanced persistent threat for the past couple of months.", "spans": {"Organization: McAfee Labs research team": [[4, 29]]}, "info": {"id": "cyner2_5class_train_01196", "source": "cyner2_5class_train"}} +{"text": "Install a mobile security solution to secure your device from threats .", "spans": {}, "info": {"id": "cyner2_5class_train_01197", "source": 
"cyner2_5class_train"}} +{"text": "This means that the malware can be remotely eliminated by an SMS message .", "spans": {}, "info": {"id": "cyner2_5class_train_01198", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Vilsel!O BackDoor-EZO.a Trojan/Bewymids.a Trojan.Vilsel!fjBL+ssgwjs Infostealer.Hoardy Win.Trojan.Vilsel-265 Trojan.Win32.Vilsel.aybc Trojan.Win32.Vilsel.djwjt Trojan.Win32.S.Vilsel.61544[h] Trojan.DownLoader2.44985 Trojan.Vilsel.Win32.20666 BehavesLike.Win32.Downloader.km Trojan/Vilsel.uxx TR/Bewymids.A.2 Trojan/Win32.Vilsel Win32.Troj.Vilsel.kcloud Trojan:Win32/Bewymids.A Trojan/Win32.Vilsel Spyware.Infostealer.Flea.APT Trojan.Vilsel Win32.Trojan.Vilsel.Phqe Trojan.Win32.Vilsel W32/Vilsel.AYBC!tr Trojan.Win32.Bewymids.BA Win32/Trojan.bab", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Vilsel!O": [[26, 47]], "Indicator: BackDoor-EZO.a": [[48, 62]], "Indicator: Trojan/Bewymids.a": [[63, 80]], "Indicator: Trojan.Vilsel!fjBL+ssgwjs": [[81, 106]], "Indicator: Infostealer.Hoardy": [[107, 125]], "Indicator: Win.Trojan.Vilsel-265": [[126, 147]], "Indicator: Trojan.Win32.Vilsel.aybc": [[148, 172]], "Indicator: Trojan.Win32.Vilsel.djwjt": [[173, 198]], "Indicator: Trojan.Win32.S.Vilsel.61544[h]": [[199, 229]], "Indicator: Trojan.DownLoader2.44985": [[230, 254]], "Indicator: Trojan.Vilsel.Win32.20666": [[255, 280]], "Indicator: BehavesLike.Win32.Downloader.km": [[281, 312]], "Indicator: Trojan/Vilsel.uxx": [[313, 330]], "Indicator: TR/Bewymids.A.2": [[331, 346]], "Indicator: Trojan/Win32.Vilsel": [[347, 366], [416, 435]], "Indicator: Win32.Troj.Vilsel.kcloud": [[367, 391]], "Indicator: Trojan:Win32/Bewymids.A": [[392, 415]], "Indicator: Spyware.Infostealer.Flea.APT": [[436, 464]], "Indicator: Trojan.Vilsel": [[465, 478]], "Indicator: Win32.Trojan.Vilsel.Phqe": [[479, 503]], "Indicator: Trojan.Win32.Vilsel": [[504, 523]], "Indicator: W32/Vilsel.AYBC!tr": [[524, 542]], "Indicator: Trojan.Win32.Bewymids.BA": 
[[543, 567]], "Indicator: Win32/Trojan.bab": [[568, 584]]}, "info": {"id": "cyner2_5class_train_01199", "source": "cyner2_5class_train"}} +{"text": "As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.", "spans": {"Indicator: attack": [[7, 13], [79, 85]], "Organization: visitors.": [[109, 118]]}, "info": {"id": "cyner2_5class_train_01200", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Stegvob.C9 Win32.Trojan-Downloader.Delf.c WORM_TOPHOS.BKD Trojan.Win32.Dropper.aas Win32.HLLW.Tophos.1 WORM_TOPHOS.BKD Trojan.Symmi.DD7FE Worm:Win32/Tophos.B BScope.Worm.Tophos.2612 Backdoor.Bot Virus.Win32.Sality W32/Tophos.AAA!tr Win32/Trojan.278", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Stegvob.C9": [[26, 53]], "Indicator: Win32.Trojan-Downloader.Delf.c": [[54, 84]], "Indicator: WORM_TOPHOS.BKD": [[85, 100], [146, 161]], "Indicator: Trojan.Win32.Dropper.aas": [[101, 125]], "Indicator: Win32.HLLW.Tophos.1": [[126, 145]], "Indicator: Trojan.Symmi.DD7FE": [[162, 180]], "Indicator: Worm:Win32/Tophos.B": [[181, 200]], "Indicator: BScope.Worm.Tophos.2612": [[201, 224]], "Indicator: Backdoor.Bot": [[225, 237]], "Indicator: Virus.Win32.Sality": [[238, 256]], "Indicator: W32/Tophos.AAA!tr": [[257, 274]], "Indicator: Win32/Trojan.278": [[275, 291]]}, "info": {"id": "cyner2_5class_train_01201", "source": "cyner2_5class_train"}} +{"text": "The most affected countries were India , Brazil , and Indonesia .", "spans": {}, "info": {"id": "cyner2_5class_train_01202", "source": "cyner2_5class_train"}} +{"text": "Aside from stealing keystrokes, passwords, Bitcoins, system information, and files on disk, NionSpy also known as Mewsei and MewsSpy can record video using the webcam, audio using the microphone, take screenshots, and use infected machines as a proxy tunnel to connect to other machines within the network.", "spans": {"Malware: NionSpy": [[92, 99]], 
"Malware: Mewsei": [[114, 120]], "Malware: MewsSpy": [[125, 132]], "System: machines": [[231, 239], [278, 286]], "Indicator: proxy tunnel": [[245, 257]], "System: network.": [[298, 306]]}, "info": {"id": "cyner2_5class_train_01203", "source": "cyner2_5class_train"}} +{"text": "The actors behind this adware utilize a simple yet effective approach – they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package APK.", "spans": {"Malware: adware": [[23, 29]], "System: Android application,": [[108, 128]], "Malware: malicious routines,": [[153, 172]], "System: the Android application package APK.": [[188, 224]]}, "info": {"id": "cyner2_5class_train_01204", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.FlyStudio.Win32.19742 Trojan/FlyStudio.ooa Trojan.Zusy.D38745 Win32.Trojan.FlyStudio.we Win32.Application.PUPStudio.B Trojan.Win32.Dwn.eeopgy Trojan.DownLoader24.6094 Trojan.Win32.Antavmu TR/Winder.sbcde Trojan[Dropper]/Win32.Sysn Trojan:Win32/Winder.A RiskWare.GameHack Backdoor.Farfli!+OYA++JJfG8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.FlyStudio.Win32.19742": [[46, 74]], "Indicator: Trojan/FlyStudio.ooa": [[75, 95]], "Indicator: Trojan.Zusy.D38745": [[96, 114]], "Indicator: Win32.Trojan.FlyStudio.we": [[115, 140]], "Indicator: Win32.Application.PUPStudio.B": [[141, 170]], "Indicator: Trojan.Win32.Dwn.eeopgy": [[171, 194]], "Indicator: Trojan.DownLoader24.6094": [[195, 219]], "Indicator: Trojan.Win32.Antavmu": [[220, 240]], "Indicator: TR/Winder.sbcde": [[241, 256]], "Indicator: Trojan[Dropper]/Win32.Sysn": [[257, 283]], "Indicator: Trojan:Win32/Winder.A": [[284, 305]], "Indicator: RiskWare.GameHack": [[306, 323]], "Indicator: Backdoor.Farfli!+OYA++JJfG8": [[324, 351]]}, "info": {"id": "cyner2_5class_train_01205", "source": "cyner2_5class_train"}} +{"text": "#ISMDoor 
impersonates ZAHRANI an electrical equipment and engineering company in Saudi Arabia and ThetaRay.", "spans": {"Malware: #ISMDoor": [[0, 8]], "Organization: ZAHRANI": [[22, 29]], "Organization: electrical equipment": [[33, 53]], "Organization: engineering company": [[58, 77]], "Organization: ThetaRay.": [[98, 107]]}, "info": {"id": "cyner2_5class_train_01206", "source": "cyner2_5class_train"}} +{"text": "In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.", "spans": {"Organization: the Mandiant Incident Response team": [[24, 59]]}, "info": {"id": "cyner2_5class_train_01207", "source": "cyner2_5class_train"}} +{"text": "Modification of KBOT from the Carberp leak.", "spans": {"Malware: KBOT": [[16, 20]], "Malware: Carberp": [[30, 37]]}, "info": {"id": "cyner2_5class_train_01208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Lossymem MSIL/Filecoder.LI Ransom_LTML.THAOJH Trojan.Win32.Ransom.ewugaq Ransom_LTML.THAOJH Trojan-Ransom.FileCoder W32/Trojan.QFKV-3532 TR/Ransom.xaclx Trojan/Win32.Ransom.C2353444 Trojan.Ransom.LongTermMemoryLoss Trj/GdSda.A MSIL.Trojan-Ransom.LTML.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Lossymem": [[26, 41]], "Indicator: MSIL/Filecoder.LI": [[42, 59]], "Indicator: Ransom_LTML.THAOJH": [[60, 78], [106, 124]], "Indicator: Trojan.Win32.Ransom.ewugaq": [[79, 105]], "Indicator: Trojan-Ransom.FileCoder": [[125, 148]], "Indicator: W32/Trojan.QFKV-3532": [[149, 169]], "Indicator: TR/Ransom.xaclx": [[170, 185]], "Indicator: Trojan/Win32.Ransom.C2353444": [[186, 214]], "Indicator: Trojan.Ransom.LongTermMemoryLoss": [[215, 247]], "Indicator: Trj/GdSda.A": [[248, 259]], "Indicator: MSIL.Trojan-Ransom.LTML.A": [[260, 285]]}, "info": {"id": "cyner2_5class_train_01209", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Floxif.S1578425 Trojan.Rozena.Win32.59165 BKDR_CCHACK.A 
W32/CChack.A Trojan.Ccleaner BKDR_CCHACK.A Win.Spyware.CCBkdr-6336251-2 Win32.Backdoor.Forpivast.B Backdoor.Win32.InfeCleaner.a Trojan.PRForm.A Trojan.Win32.Floxif.estdxt Trojan.Win32.Z.Floxif.5000118 Trojan.PRForm.A Trojan.CCleaner.2 BehavesLike.Win32.Dropper.rc Backdoor.Hacked.CCleaner W32/CChack.SQBY-7641 Trojan[FakeAV]/Win32.CCleaner Backdoor.Win32.InfeCleaner.a Win-Trojan/Floxif.9791816 Backdoor.InfeCleaner Trj/CI.A Trojan.PRForm.A Win32.Backdoor.Infecleaner.Lkns Win32/Trojan.54c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Floxif.S1578425": [[26, 48]], "Indicator: Trojan.Rozena.Win32.59165": [[49, 74]], "Indicator: BKDR_CCHACK.A": [[75, 88], [118, 131]], "Indicator: W32/CChack.A": [[89, 101]], "Indicator: Trojan.Ccleaner": [[102, 117]], "Indicator: Win.Spyware.CCBkdr-6336251-2": [[132, 160]], "Indicator: Win32.Backdoor.Forpivast.B": [[161, 187]], "Indicator: Backdoor.Win32.InfeCleaner.a": [[188, 216], [429, 457]], "Indicator: Trojan.PRForm.A": [[217, 232], [290, 305], [514, 529]], "Indicator: Trojan.Win32.Floxif.estdxt": [[233, 259]], "Indicator: Trojan.Win32.Z.Floxif.5000118": [[260, 289]], "Indicator: Trojan.CCleaner.2": [[306, 323]], "Indicator: BehavesLike.Win32.Dropper.rc": [[324, 352]], "Indicator: Backdoor.Hacked.CCleaner": [[353, 377]], "Indicator: W32/CChack.SQBY-7641": [[378, 398]], "Indicator: Trojan[FakeAV]/Win32.CCleaner": [[399, 428]], "Indicator: Win-Trojan/Floxif.9791816": [[458, 483]], "Indicator: Backdoor.InfeCleaner": [[484, 504]], "Indicator: Trj/CI.A": [[505, 513]], "Indicator: Win32.Backdoor.Infecleaner.Lkns": [[530, 561]], "Indicator: Win32/Trojan.54c": [[562, 578]]}, "info": {"id": "cyner2_5class_train_01210", "source": "cyner2_5class_train"}} +{"text": "Additionally , we have determined that though original reports of this story attribute this surveillanceware tool to Hamas , this may not be the case , as we demonstrate below .", "spans": {"Organization: Hamas": [[117, 122]]}, "info": {"id": 
"cyner2_5class_train_01211", "source": "cyner2_5class_train"}} +{"text": "Malicious codes are embedded in apps that the operators repackaged from legitimate applications .", "spans": {}, "info": {"id": "cyner2_5class_train_01212", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.OLE.CVE-2015-1641.E Trojan.Mdropper Win32/Exploit.CVE-2015-1641.V TROJ_MDROP.YYSRH TROJ_MDROP.YYSRH RTF/Trojan.BTCC-93 Trojan[Exploit]/Win32.CVE-2015-1641 Exploit.CVE-2015-1641 Exploit.CVE-2015-1641", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.OLE.CVE-2015-1641.E": [[26, 49]], "Indicator: Trojan.Mdropper": [[50, 65]], "Indicator: Win32/Exploit.CVE-2015-1641.V": [[66, 95]], "Indicator: TROJ_MDROP.YYSRH": [[96, 112], [113, 129]], "Indicator: RTF/Trojan.BTCC-93": [[130, 148]], "Indicator: Trojan[Exploit]/Win32.CVE-2015-1641": [[149, 184]], "Indicator: Exploit.CVE-2015-1641": [[185, 206], [207, 228]]}, "info": {"id": "cyner2_5class_train_01213", "source": "cyner2_5class_train"}} +{"text": "eSurv ’ s public marketing is centered around video surveillance software and image recognition systems , but there are a number of individuals claiming to be mobile security researchers working at the company , including one who has publically made claims to be developing a mobile surveillance agent .", "spans": {"Organization: eSurv": [[0, 5]]}, "info": {"id": "cyner2_5class_train_01214", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader.CXJ O97M.Drop.P W97M.Downloader.CXJ VBA.Trojan.Obfuscated.u VBA/Obfuscated.C W2KM_GOLROTED.AGG W97M.Downloader.CXJ W97M.Downloader.CXJ Trojan.Ole2.Vbs-heuristic.druvzi W97M.Downloader.CXJ W97M.Downloader.CXJ W97M.DownLoader.1033 W2KM_GOLROTED.AGG W97M.Downloader.CXJ WM/Obfuscated.C!tr virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.CXJ": [[26, 45], [58, 77], [137, 156], [157, 176], [210, 229], [230, 249], [289, 308]], "Indicator: O97M.Drop.P": 
[[46, 57]], "Indicator: VBA.Trojan.Obfuscated.u": [[78, 101]], "Indicator: VBA/Obfuscated.C": [[102, 118]], "Indicator: W2KM_GOLROTED.AGG": [[119, 136], [271, 288]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[177, 209]], "Indicator: W97M.DownLoader.1033": [[250, 270]], "Indicator: WM/Obfuscated.C!tr": [[309, 327]], "Indicator: virus.office.obfuscated.1": [[328, 353]]}, "info": {"id": "cyner2_5class_train_01215", "source": "cyner2_5class_train"}} +{"text": "A new custom backdoor used by the Mustang Panda APT group is targeting a governmental institution in Taiwan, according to ESET researchers who have analyzed samples of MQsTTang, a new type of malware.", "spans": {"Malware: new custom backdoor": [[2, 21]], "Organization: a governmental institution": [[71, 97]], "Organization: ESET researchers": [[122, 138]], "Malware: MQsTTang,": [[168, 177]], "Malware: malware.": [[192, 200]]}, "info": {"id": "cyner2_5class_train_01216", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9970 Backdoor.Trojan.B Win.Trojan.10430800-1 Trojan.Win32.Pugeshe.ctexqh BDS/Pugeshe.A.2 Trj/Ziyang.A Win32.Backdoor.Pugeshe.Phzt Trojan.Ziyanzho!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9970": [[26, 68]], "Indicator: Backdoor.Trojan.B": [[69, 86]], "Indicator: Win.Trojan.10430800-1": [[87, 108]], "Indicator: Trojan.Win32.Pugeshe.ctexqh": [[109, 136]], "Indicator: BDS/Pugeshe.A.2": [[137, 152]], "Indicator: Trj/Ziyang.A": [[153, 165]], "Indicator: Win32.Backdoor.Pugeshe.Phzt": [[166, 193]], "Indicator: Trojan.Ziyanzho!": [[194, 210]]}, "info": {"id": "cyner2_5class_train_01217", "source": "cyner2_5class_train"}} +{"text": "The original code of BankBot was divulged on a Russian forum in late 2016, and you can read more about that here.", "spans": {"Malware: The original code": [[0, 17]], "Malware: BankBot": [[21, 28]]}, "info": {"id": "cyner2_5class_train_01218", "source": 
"cyner2_5class_train"}} +{"text": "Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work.", "spans": {"System: infrastructure,": [[25, 40]], "Indicator: code,": [[62, 67]], "Malware: agent,": [[138, 144]]}, "info": {"id": "cyner2_5class_train_01219", "source": "cyner2_5class_train"}} +{"text": "‘ SimBad ’ comes with a respected list of capabilities on the user ’ s device , such as removing the icon from the launcher , thus making it harder for the user to uninstall , start to display background ads and open a browser with a given URL .", "spans": {"Malware: SimBad": [[2, 8]]}, "info": {"id": "cyner2_5class_train_01220", "source": "cyner2_5class_train"}} +{"text": "The malware contains an old school exclusion list that performs extremely rapid double word comparisons rather than the slower but far more common string comparisons to identify which process to ignore, and internally validates the identified account data through an implementation of the Luhn algorithm.", "spans": {"Malware: malware": [[4, 11]], "Indicator: old school exclusion list": [[24, 49]], "Indicator: rapid double word comparisons": [[74, 103]], "Indicator: common string comparisons": [[140, 165]], "Indicator: the Luhn algorithm.": [[285, 304]]}, "info": {"id": "cyner2_5class_train_01221", "source": "cyner2_5class_train"}} +{"text": "While our systems are great at automatically detecting and protecting against PHAs , we believe the best security comes from the combination of automated scanning and skilled human review .", "spans": {}, "info": {"id": "cyner2_5class_train_01222", "source": "cyner2_5class_train"}} +{"text": "Symantec's latest whitepaper documents multiple Black Vine operations that have been occurring since 2012.", "spans": {"Organization: Symantec's": [[0, 10]]}, "info": {"id": "cyner2_5class_train_01223", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: HT_BLADABINDI_GL190001.UVPM HT_BLADABINDI_GL190001.UVPM Backdoor.MSIL.Bladabindi.alfk Trojan.Win32.Bladabindi.exqcus Ht.Bladabindi.Gl190001!c BehavesLike.Win32.Dropper.wc Trojan:Win32/Trogle.A Backdoor.MSIL.Bladabindi.alfk Trj/CI.A Msil.Backdoor.Bladabindi.Tbsy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HT_BLADABINDI_GL190001.UVPM": [[26, 53], [54, 81]], "Indicator: Backdoor.MSIL.Bladabindi.alfk": [[82, 111], [219, 248]], "Indicator: Trojan.Win32.Bladabindi.exqcus": [[112, 142]], "Indicator: Ht.Bladabindi.Gl190001!c": [[143, 167]], "Indicator: BehavesLike.Win32.Dropper.wc": [[168, 196]], "Indicator: Trojan:Win32/Trogle.A": [[197, 218]], "Indicator: Trj/CI.A": [[249, 257]], "Indicator: Msil.Backdoor.Bladabindi.Tbsy": [[258, 287]]}, "info": {"id": "cyner2_5class_train_01224", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Backdoor.Linux.Tsunami.A Linux.Kaiten.B ELF_KAITEN.SMK Trojan.Tsunami.excyez Linux.BackDoor.Tsunami.123 ELF_KAITEN.SMK ELF/Backdoor.MRMO- LINUX/Tsunami.ojldj Trojan.Backdoor.Linux.Tsunami.1 Backdoor.Linux.Tsunami!c Linux.Backdoor.Tsunami.Wrpx", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Linux.Tsunami.A": [[43, 67]], "Indicator: Linux.Kaiten.B": [[68, 82]], "Indicator: ELF_KAITEN.SMK": [[83, 97], [147, 161]], "Indicator: Trojan.Tsunami.excyez": [[98, 119]], "Indicator: Linux.BackDoor.Tsunami.123": [[120, 146]], "Indicator: ELF/Backdoor.MRMO-": [[162, 180]], "Indicator: LINUX/Tsunami.ojldj": [[181, 200]], "Indicator: Trojan.Backdoor.Linux.Tsunami.1": [[201, 232]], "Indicator: Backdoor.Linux.Tsunami!c": [[233, 257]], "Indicator: Linux.Backdoor.Tsunami.Wrpx": [[258, 285]]}, "info": {"id": "cyner2_5class_train_01225", "source": "cyner2_5class_train"}} +{"text": "Yes , we are talking about SuperMarioRun , which was recently launched by Nintendo only for iOS users .", "spans": {"System: SuperMarioRun": [[27, 40]], "Organization: Nintendo": [[74, 
82]], "System: iOS": [[92, 95]]}, "info": {"id": "cyner2_5class_train_01226", "source": "cyner2_5class_train"}} +{"text": "This version has some small modifications which seems to be unused , as the malware behaviour is the same as the previous version .", "spans": {}, "info": {"id": "cyner2_5class_train_01227", "source": "cyner2_5class_train"}} +{"text": "August contains stealing functionality targeting credentials and sensitive documents from the infected computer.", "spans": {"Malware: August": [[0, 6]], "Indicator: stealing": [[16, 24]], "Indicator: credentials": [[49, 60]], "Indicator: sensitive documents": [[65, 84]], "System: infected computer.": [[94, 112]]}, "info": {"id": "cyner2_5class_train_01228", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan/VB.htj Trojan.Heur.RX.ED14C7A Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.VB-8430 Trojan-Dropper.Win32.Daws.enmy Troj.Downloader.W32.VB.ldQ2 TrojWare.Win32.Trojan.VB.~DQ Trojan.VB.Win32.6994 BehavesLike.Win32.Trojan.nm Trojan.Win32.VB Trojan/VB.fgm Backdoor:Win32/Lordly.A Trojan-Dropper.Win32.Daws.enmy Trojan/Win32.Downloader.R12171 Trojan.VB!jnJsu+mHRvk W32/VB.JHO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VB!O": [[26, 43]], "Indicator: Trojan/VB.htj": [[44, 57]], "Indicator: Trojan.Heur.RX.ED14C7A": [[58, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[81, 123]], "Indicator: Backdoor.Trojan": [[124, 139]], "Indicator: Win.Trojan.VB-8430": [[140, 158]], "Indicator: Trojan-Dropper.Win32.Daws.enmy": [[159, 189], [350, 380]], "Indicator: Troj.Downloader.W32.VB.ldQ2": [[190, 217]], "Indicator: TrojWare.Win32.Trojan.VB.~DQ": [[218, 246]], "Indicator: Trojan.VB.Win32.6994": [[247, 267]], "Indicator: BehavesLike.Win32.Trojan.nm": [[268, 295]], "Indicator: Trojan.Win32.VB": [[296, 311]], "Indicator: Trojan/VB.fgm": [[312, 325]], "Indicator: Backdoor:Win32/Lordly.A": [[326, 349]], "Indicator: 
Trojan/Win32.Downloader.R12171": [[381, 411]], "Indicator: Trojan.VB!jnJsu+mHRvk": [[412, 433]], "Indicator: W32/VB.JHO!tr": [[434, 447]]}, "info": {"id": "cyner2_5class_train_01229", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Revetrat Trojan:MSIL/Starter.I Trj/GdSda.A Win32/Trojan.db5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Revetrat": [[69, 84]], "Indicator: Trojan:MSIL/Starter.I": [[85, 106]], "Indicator: Trj/GdSda.A": [[107, 118]], "Indicator: Win32/Trojan.db5": [[119, 135]]}, "info": {"id": "cyner2_5class_train_01230", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Z.Pemalform.45056.A W32.W.Otwycal.l4av TrojanDownloader:Win32/Raemnk.A Win32/RiskWare.PEMalform.E Win32/Trojan.444", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Z.Pemalform.45056.A": [[26, 58]], "Indicator: W32.W.Otwycal.l4av": [[59, 77]], "Indicator: TrojanDownloader:Win32/Raemnk.A": [[78, 109]], "Indicator: Win32/RiskWare.PEMalform.E": [[110, 136]], "Indicator: Win32/Trojan.444": [[137, 153]]}, "info": {"id": "cyner2_5class_train_01231", "source": "cyner2_5class_train"}} +{"text": "If the mobile operator does n't enforce proper client isolation , it is possible that the infected devices are also exposed to the rest of the cellular network .", "spans": {}, "info": {"id": "cyner2_5class_train_01232", "source": "cyner2_5class_train"}} +{"text": "The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions.", "spans": {"System: the Mac OS X operating system,": [[66, 96]], "Indicator: the website,": [[124, 136]], "System: browser versions.": [[154, 171]]}, "info": {"id": "cyner2_5class_train_01233", "source": "cyner2_5class_train"}} +{"text": "HummingBad sends 
notifications to Umeng , a tracking and analytics service attackers use to manage their campaign .", "spans": {"Malware: HummingBad": [[0, 10]]}, "info": {"id": "cyner2_5class_train_01234", "source": "cyner2_5class_train"}} +{"text": "] comupload101 [ .", "spans": {"Indicator: [ .": [[15, 18]]}, "info": {"id": "cyner2_5class_train_01235", "source": "cyner2_5class_train"}} +{"text": "The sample ’ s first appearance seems to be May 15 , 2018 , when it was uploaded to VirusTotal , but it ’ s unclear how the tainted sample is disseminated .", "spans": {"Organization: VirusTotal": [[84, 94]]}, "info": {"id": "cyner2_5class_train_01236", "source": "cyner2_5class_train"}} +{"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update 10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan .", "spans": {"Malware: Ginp": [[0, 4], [560, 564]]}, "info": {"id": "cyner2_5class_train_01237", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Grozlex.A3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_GROZLEX.SMA Win.Spyware.Grozlex-1 TSPY_GROZLEX.SMA PWS:MSIL/Mintluks.A Trojan.PasswordStealer.MSIL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Grozlex.A3": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[47, 89]], "Indicator: TSPY_GROZLEX.SMA": [[90, 106], [129, 145]], "Indicator: Win.Spyware.Grozlex-1": [[107, 128]], "Indicator: PWS:MSIL/Mintluks.A": [[146, 165]], "Indicator: Trojan.PasswordStealer.MSIL": [[166, 
193]]}, "info": {"id": "cyner2_5class_train_01238", "source": "cyner2_5class_train"}} +{"text": "] top/ These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors .", "spans": {}, "info": {"id": "cyner2_5class_train_01239", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ArtemisPuty.Trojan Trojan.Modputty.A5 Trojan.Puty.Win32.1 Trojan/MalPutty.a W32/Trojan.SHOY-1500 Win.Trojan.Stealzilla-1 Trojan-PSW.Win32.Puty.a Trojan.Win32.Puty.dsnaim Troj.PSW32.W.Puty.tnaX Win32.Trojan-qqpass.Qqrob.Llhf BackDoor.DaVinci.18 BehavesLike.Win32.BadFile.hh Trojan.Win32.Modputty Trojan/PSW.Puty.a Trojan:Win32/Modputty.A Trojan-PSW.Win32.Puty.a Trojan/Win32.Modputty.C862836 TrojanPSW.Puty Trojan.PWS.Puty! W32/MalPutty.A!tr Trj/Fakeputty.A Win32/Trojan.Spy.b9b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ArtemisPuty.Trojan": [[26, 48]], "Indicator: Trojan.Modputty.A5": [[49, 67]], "Indicator: Trojan.Puty.Win32.1": [[68, 87]], "Indicator: Trojan/MalPutty.a": [[88, 105]], "Indicator: W32/Trojan.SHOY-1500": [[106, 126]], "Indicator: Win.Trojan.Stealzilla-1": [[127, 150]], "Indicator: Trojan-PSW.Win32.Puty.a": [[151, 174], [367, 390]], "Indicator: Trojan.Win32.Puty.dsnaim": [[175, 199]], "Indicator: Troj.PSW32.W.Puty.tnaX": [[200, 222]], "Indicator: Win32.Trojan-qqpass.Qqrob.Llhf": [[223, 253]], "Indicator: BackDoor.DaVinci.18": [[254, 273]], "Indicator: BehavesLike.Win32.BadFile.hh": [[274, 302]], "Indicator: Trojan.Win32.Modputty": [[303, 324]], "Indicator: Trojan/PSW.Puty.a": [[325, 342]], "Indicator: Trojan:Win32/Modputty.A": [[343, 366]], "Indicator: Trojan/Win32.Modputty.C862836": [[391, 420]], "Indicator: TrojanPSW.Puty": [[421, 435]], "Indicator: Trojan.PWS.Puty!": [[436, 452]], "Indicator: W32/MalPutty.A!tr": [[453, 470]], "Indicator: Trj/Fakeputty.A": [[471, 486]], "Indicator: Win32/Trojan.Spy.b9b": [[487, 
507]]}, "info": {"id": "cyner2_5class_train_01240", "source": "cyner2_5class_train"}} +{"text": "” social ” – this command that starts the ‘ AndroidMDMSupport ’ service – this allows the files of any other installed application to be grabbed .", "spans": {}, "info": {"id": "cyner2_5class_train_01241", "source": "cyner2_5class_train"}} +{"text": "We have analyzed the samples to determine the author's ultimate goal and have named this malware KeyRaider", "spans": {"Malware: malware KeyRaider": [[89, 106]]}, "info": {"id": "cyner2_5class_train_01242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VBS/Downldr.HM VBS.Downloader.B VBS_LOCKY.DLDSARF Win.Trojan.Locky-6360731-0 Trojan.Script.ExpKit.etmlqw Troj.Downloader.Script!c VBS.DownLoader.1006 VBS_LOCKY.DLDSARF VBS/Downldr.HM Trojan/VBS.downloder TrojanDownloader:VBS/Locky.A VBS/Obfus.S8 Trojan-Ransom.Script.Locky virus.vbs.qexvmc.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VBS/Downldr.HM": [[26, 40], [194, 208]], "Indicator: VBS.Downloader.B": [[41, 57]], "Indicator: VBS_LOCKY.DLDSARF": [[58, 75], [176, 193]], "Indicator: Win.Trojan.Locky-6360731-0": [[76, 102]], "Indicator: Trojan.Script.ExpKit.etmlqw": [[103, 130]], "Indicator: Troj.Downloader.Script!c": [[131, 155]], "Indicator: VBS.DownLoader.1006": [[156, 175]], "Indicator: Trojan/VBS.downloder": [[209, 229]], "Indicator: TrojanDownloader:VBS/Locky.A": [[230, 258]], "Indicator: VBS/Obfus.S8": [[259, 271]], "Indicator: Trojan-Ransom.Script.Locky": [[272, 298]], "Indicator: virus.vbs.qexvmc.1": [[299, 317]]}, "info": {"id": "cyner2_5class_train_01243", "source": "cyner2_5class_train"}} +{"text": "In this blog post , we do not differentiate between the rooting component and the component that abuses root : we refer to them interchangeably as Zen .", "spans": {"Malware: Zen": [[147, 150]]}, "info": {"id": "cyner2_5class_train_01244", "source": "cyner2_5class_train"}} +{"text": "It uses insidious injection and other 
sophisticated and stealthy methods.", "spans": {"Indicator: insidious injection": [[8, 27]], "Indicator: sophisticated": [[38, 51]], "Indicator: stealthy methods.": [[56, 73]]}, "info": {"id": "cyner2_5class_train_01245", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sasser.D Win32.Trojan.WisdomEyes.16070401.9500.9679 W32.Sasser.D Win32/Sasser.D Win.Worm.Sasser-2 Net-Worm.Win32.Sasser.c Trojan.Win32.Sasser.fvek Worm.Win32.Sasser.16384 W32.W.Sasser.kZ72 W32/Sasser.worm.d I-Worm/Sasser.d WORM/Sasser.D Worm[Net]/Win32.Sasser Net-Worm.Win32.Sasser.c Worm:Win32/Sasser.dam W32/Sasser.worm.d Worm.Sasser W32/Sasser.D.worm Email-Worm.Win32.Plexus W32/Sasser.C!worm.im", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sasser.D": [[26, 38], [82, 94]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9679": [[39, 81]], "Indicator: Win32/Sasser.D": [[95, 109]], "Indicator: Win.Worm.Sasser-2": [[110, 127]], "Indicator: Net-Worm.Win32.Sasser.c": [[128, 151], [290, 313]], "Indicator: Trojan.Win32.Sasser.fvek": [[152, 176]], "Indicator: Worm.Win32.Sasser.16384": [[177, 200]], "Indicator: W32.W.Sasser.kZ72": [[201, 218]], "Indicator: W32/Sasser.worm.d": [[219, 236], [336, 353]], "Indicator: I-Worm/Sasser.d": [[237, 252]], "Indicator: WORM/Sasser.D": [[253, 266]], "Indicator: Worm[Net]/Win32.Sasser": [[267, 289]], "Indicator: Worm:Win32/Sasser.dam": [[314, 335]], "Indicator: Worm.Sasser": [[354, 365]], "Indicator: W32/Sasser.D.worm": [[366, 383]], "Indicator: Email-Worm.Win32.Plexus": [[384, 407]], "Indicator: W32/Sasser.C!worm.im": [[408, 428]]}, "info": {"id": "cyner2_5class_train_01246", "source": "cyner2_5class_train"}} +{"text": "Full remote access capabilities is a dream tool for the black hat community, and are highly sought after.", "spans": {"Malware: remote access": [[5, 18]], "Malware: tool": [[43, 47]]}, "info": {"id": "cyner2_5class_train_01247", "source": "cyner2_5class_train"}} +{"text": "The purpose of using such a design is 
likely to make understanding and analyzing the malware's code flow more difficult for researchers.", "spans": {"Organization: researchers.": [[124, 136]]}, "info": {"id": "cyner2_5class_train_01248", "source": "cyner2_5class_train"}} +{"text": "This routine is a form of generic and variable generator of DLL side-loading combinations .", "spans": {}, "info": {"id": "cyner2_5class_train_01249", "source": "cyner2_5class_train"}} +{"text": "Recently, I've been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear.", "spans": {"Malware: malware": [[34, 41]], "System: PowerShell": [[52, 62]], "Malware: variants": [[138, 146]], "Indicator: attacks": [[150, 157]]}, "info": {"id": "cyner2_5class_train_01250", "source": "cyner2_5class_train"}} +{"text": "The following screenshot shows the command execution functionality in action : The paramString parameter shown in the above screenshot can be any command received from C & C .", "spans": {}, "info": {"id": "cyner2_5class_train_01251", "source": "cyner2_5class_train"}} +{"text": "As proof of its popularity, certain government officials are said to employ this application for communication purposes in the office.", "spans": {}, "info": {"id": "cyner2_5class_train_01252", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Turla.ar Trojan.Asprox.B Trojan.MulDrop7.18901 BehavesLike.Win32.Downloader.dc Trojan:Win32/Regin.D!dha Trj/Chgt.J Win32/Turla.AR Trojan.Turla!gdUjdZ2fM5A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Turla.ar": [[26, 41]], "Indicator: Trojan.Asprox.B": [[42, 57]], "Indicator: Trojan.MulDrop7.18901": [[58, 79]], "Indicator: BehavesLike.Win32.Downloader.dc": [[80, 111]], "Indicator: Trojan:Win32/Regin.D!dha": [[112, 136]], "Indicator: Trj/Chgt.J": [[137, 147]], "Indicator: Win32/Turla.AR": [[148, 162]], "Indicator: Trojan.Turla!gdUjdZ2fM5A": [[163, 187]]}, "info": {"id": 
"cyner2_5class_train_01253", "source": "cyner2_5class_train"}} +{"text": "Now, three months after the source code was published, we decided to have a look at what has changed in the banking malware landscape.", "spans": {"Indicator: the source code": [[24, 39]], "Malware: the banking malware": [[104, 123]]}, "info": {"id": "cyner2_5class_train_01254", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt Trojan.Crypt.RI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.RI": [[26, 41], [42, 57], [58, 73], [74, 89], [90, 105], [106, 121], [135, 150]], "Indicator: Trojan.Crypt": [[122, 134]]}, "info": {"id": "cyner2_5class_train_01255", "source": "cyner2_5class_train"}} +{"text": "More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com .", "spans": {"Indicator: app.blinkingcamera.com": [[117, 139]]}, "info": {"id": "cyner2_5class_train_01256", "source": "cyner2_5class_train"}} +{"text": "Infection chain The threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator ’ s website in particular — to trick users into downloading the fake security Android application package ( APK ) .", "spans": {"System: Android": [[224, 231]]}, "info": {"id": "cyner2_5class_train_01257", "source": "cyner2_5class_train"}} +{"text": "Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format RTF documents exploiting the CVE-2015-1641 vulnerability patched in MS15-033 that in turn leveraged a very unique shellcode.", "spans": {"Malware: Sysget malware": [[0, 14]], "Indicator: phishing emails,": [[47, 63]], "Indicator: Rich Text Format RTF documents": [[78, 108]], "Vulnerability: exploiting": [[109, 119]], "Indicator: CVE-2015-1641": [[124, 137]], "Vulnerability: 
vulnerability": [[138, 151]], "Indicator: a very unique shellcode.": [[195, 219]]}, "info": {"id": "cyner2_5class_train_01258", "source": "cyner2_5class_train"}} +{"text": "All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L .", "spans": {"Organization: Connexxa S.R.L .": [[105, 121]]}, "info": {"id": "cyner2_5class_train_01259", "source": "cyner2_5class_train"}} +{"text": "Indicators about Sakula and multiple RATs that are being used across multiple intrusions.", "spans": {"Malware: Sakula": [[17, 23]], "Malware: multiple RATs": [[28, 41]], "Indicator: intrusions.": [[78, 89]]}, "info": {"id": "cyner2_5class_train_01260", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tofsee.B Trojan-Proxy.Win32.Xorpix.m Trojan.Win32.Xorpix.zybt Trojan.Win32.Proxy.12800.C Trojan.DownLoader.19108 Trojan.Small.Win32.39831 TrojanProxy.Xorpix.k Troj.Proxy.W32!c Trojan-Proxy.Win32.Xorpix.m Trojan/Win32.Xorpix.R72000 Win32/Small.NCN Win32.Trojan-proxy.Xorpix.Amci Trojan.Win32.Small Bck/Xorpix.AG Win32/Trojan.Proxy.211", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win32/Tofsee.B": [[69, 83]], "Indicator: Trojan-Proxy.Win32.Xorpix.m": [[84, 111], [251, 278]], "Indicator: Trojan.Win32.Xorpix.zybt": [[112, 136]], "Indicator: Trojan.Win32.Proxy.12800.C": [[137, 163]], "Indicator: Trojan.DownLoader.19108": [[164, 187]], "Indicator: Trojan.Small.Win32.39831": [[188, 212]], "Indicator: TrojanProxy.Xorpix.k": [[213, 233]], "Indicator: Troj.Proxy.W32!c": [[234, 250]], "Indicator: Trojan/Win32.Xorpix.R72000": [[279, 305]], "Indicator: Win32/Small.NCN": [[306, 321]], "Indicator: Win32.Trojan-proxy.Xorpix.Amci": [[322, 352]], "Indicator: Trojan.Win32.Small": [[353, 371]], "Indicator: Bck/Xorpix.AG": [[372, 385]], "Indicator: Win32/Trojan.Proxy.211": [[386, 408]]}, "info": {"id": 
"cyner2_5class_train_01261", "source": "cyner2_5class_train"}} +{"text": "Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly.", "spans": {"Organization: Mobile monetization platforms": [[0, 29]], "System: software libraries": [[37, 55]], "System: apps": [[90, 94]]}, "info": {"id": "cyner2_5class_train_01262", "source": "cyner2_5class_train"}} +{"text": "Many of these servers are control panels for video surveillance systems developed by the Italian company eSurv , based in Catanzaro , in Calabria , Italy .", "spans": {}, "info": {"id": "cyner2_5class_train_01263", "source": "cyner2_5class_train"}} +{"text": "It required other means to be deployed on targeted organizations' networks and is configured with previously stolen credentials.", "spans": {}, "info": {"id": "cyner2_5class_train_01264", "source": "cyner2_5class_train"}} +{"text": "Figure 2 : Bit.ly statistics for a phishing landing page targeting Bank Austria customers The actor appears to have recently begun using “ .top ” top-level domains ( TLDs ) for their phishing landing pages and have implemented a consistent naming structure as shown below .", "spans": {"Indicator: Bit.ly": [[11, 17]], "System: Bank Austria": [[67, 79]]}, "info": {"id": "cyner2_5class_train_01265", "source": "cyner2_5class_train"}} +{"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior .", "spans": {}, "info": {"id": "cyner2_5class_train_01266", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Heur.Corrupt.PE TrojanDownloader:Win32/WarezSet.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Heur.Corrupt.PE": [[48, 63]], "Indicator: TrojanDownloader:Win32/WarezSet.dam#2": [[64, 101]]}, "info": {"id": "cyner2_5class_train_01267", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
W32.KloggerQKA.Trojan Trojan-Downloader.Win32.Delf!O Backdoor.Gobot Downloader.Delf.Win32.70 Backdoor.W32.Gobot.lfDt Trojan/Downloader.Delf.bm Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Avokado.SIKN-9031 W32.Gobot.A Backdoor.Gobot Win32/Gobot.B WORM_GOBOT.G Win.Downloader.Delf-144 Trojan.Win32.Delf.gvzc Trojan.Win32.Delf.47087 Win32.HLLW.Ghostbot WORM_GOBOT.G BehavesLike.Win32.Kudj.pc Backdoor.Win32.Gobot W32/Avokado.B@bd TrojanDownloader.Delf.pgr TR/Dldr.Delf.BM Trojan[Backdoor]/Win32.Gobot Backdoor:Win32/Gobot.A Worm/Win32.IRCBot.R29095 Bck/Gotob.AA Trojan.Delf.BM Win32/TrojanDownloader.Delf.BM Trojan.DL.Delf!UOW7nlBxiow", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KloggerQKA.Trojan": [[26, 47]], "Indicator: Trojan-Downloader.Win32.Delf!O": [[48, 78]], "Indicator: Backdoor.Gobot": [[79, 93], [246, 260]], "Indicator: Downloader.Delf.Win32.70": [[94, 118]], "Indicator: Backdoor.W32.Gobot.lfDt": [[119, 142]], "Indicator: Trojan/Downloader.Delf.bm": [[143, 168]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[169, 211]], "Indicator: W32/Avokado.SIKN-9031": [[212, 233]], "Indicator: W32.Gobot.A": [[234, 245]], "Indicator: Win32/Gobot.B": [[261, 274]], "Indicator: WORM_GOBOT.G": [[275, 287], [379, 391]], "Indicator: Win.Downloader.Delf-144": [[288, 311]], "Indicator: Trojan.Win32.Delf.gvzc": [[312, 334]], "Indicator: Trojan.Win32.Delf.47087": [[335, 358]], "Indicator: Win32.HLLW.Ghostbot": [[359, 378]], "Indicator: BehavesLike.Win32.Kudj.pc": [[392, 417]], "Indicator: Backdoor.Win32.Gobot": [[418, 438]], "Indicator: W32/Avokado.B@bd": [[439, 455]], "Indicator: TrojanDownloader.Delf.pgr": [[456, 481]], "Indicator: TR/Dldr.Delf.BM": [[482, 497]], "Indicator: Trojan[Backdoor]/Win32.Gobot": [[498, 526]], "Indicator: Backdoor:Win32/Gobot.A": [[527, 549]], "Indicator: Worm/Win32.IRCBot.R29095": [[550, 574]], "Indicator: Bck/Gotob.AA": [[575, 587]], "Indicator: Trojan.Delf.BM": [[588, 602]], "Indicator: Win32/TrojanDownloader.Delf.BM": [[603, 
633]], "Indicator: Trojan.DL.Delf!UOW7nlBxiow": [[634, 660]]}, "info": {"id": "cyner2_5class_train_01268", "source": "cyner2_5class_train"}} +{"text": "Since it becomes a part of the boot partition , formatting the device will not solve the problem .", "spans": {}, "info": {"id": "cyner2_5class_train_01269", "source": "cyner2_5class_train"}} +{"text": "The greater worry is that these situations may sometimes not be simple mistakes .", "spans": {}, "info": {"id": "cyner2_5class_train_01270", "source": "cyner2_5class_train"}} +{"text": "In recent weeks, Unit 42 has discovered three documents crafted to exploit the InPage program.", "spans": {"Organization: Unit 42": [[17, 24]], "Indicator: three documents crafted": [[40, 63]], "Malware: exploit": [[67, 74]], "System: InPage program.": [[79, 94]]}, "info": {"id": "cyner2_5class_train_01271", "source": "cyner2_5class_train"}} +{"text": "The malware families identified at this time are DarkComet, LuminosityLink RAT, Pony, ImmenentMonitor, and some multiple variations of shellcode.", "spans": {"Malware: The malware families": [[0, 20]], "Malware: DarkComet, LuminosityLink RAT, Pony, ImmenentMonitor,": [[49, 102]], "Malware: variations of shellcode.": [[121, 145]]}, "info": {"id": "cyner2_5class_train_01272", "source": "cyner2_5class_train"}} +{"text": "Call Service Figure 5 : Code for the calls service As seen above , the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with file name appended with \" In_ '' for incoming calls and \" Out_ '' for outgoing calls .", "spans": {}, "info": {"id": "cyner2_5class_train_01273", "source": "cyner2_5class_train"}} +{"text": "Despite the 2016 Olympics coming to a close, cybercriminals remain relentless in using the sporting event as a social engineering hook to distribute a banking Trojan.", "spans": {"Organization: Olympics": [[17, 25]], "Malware: banking Trojan.": [[151, 166]]}, "info": {"id": "cyner2_5class_train_01274", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Program.Optimizer.12 TrojanDownloader:Win32/Javsisxep.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Program.Optimizer.12": [[26, 46]], "Indicator: TrojanDownloader:Win32/Javsisxep.A": [[47, 81]], "Indicator: Trj/CI.A": [[82, 90]]}, "info": {"id": "cyner2_5class_train_01275", "source": "cyner2_5class_train"}} +{"text": "We believe the initial versions of this malware were created at least three years ago – at the end of 2014 .", "spans": {}, "info": {"id": "cyner2_5class_train_01276", "source": "cyner2_5class_train"}} +{"text": "One of its most notable routines is capturing voice calls in real time by hooking into the “ mediaserver ” system service .", "spans": {}, "info": {"id": "cyner2_5class_train_01277", "source": "cyner2_5class_train"}} +{"text": "Call Command Figure 9 : The calling functionality .", "spans": {}, "info": {"id": "cyner2_5class_train_01278", "source": "cyner2_5class_train"}} +{"text": "After landing on the victim ’ s phone , the RuMMS apps will request device administrator privileges , remove their icons to hide themselves from users , and remain running in the background to perform a series of malicious behaviors .", "spans": {"Malware: RuMMS": [[44, 49]]}, "info": {"id": "cyner2_5class_train_01279", "source": "cyner2_5class_train"}} +{"text": "Of note, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active longer than previously documented.", "spans": {"Malware: Elise": [[53, 58]]}, "info": {"id": "cyner2_5class_train_01280", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TSPY_KILLAV_BK2200FA.TOMC Trojan.Win32.NtRootKit.dgaent Troj.GameThief.W32.OnLineGames.l7iy Trojan.DownLoad3.35430 Trojan.KillAV.Win32.9854 TSPY_KILLAV_BK2200FA.TOMC TR/Killav.OI.2 Trojan/Win32.Unknown Trojan.Graftor.D3B65 Trojan:WinNT/Killav.E Trojan/Win32.KillAV.R32978 Trojan.Win32.KillAV.aal W32/KillAV.NKC!tr", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_KILLAV_BK2200FA.TOMC": [[26, 51], [166, 191]], "Indicator: Trojan.Win32.NtRootKit.dgaent": [[52, 81]], "Indicator: Troj.GameThief.W32.OnLineGames.l7iy": [[82, 117]], "Indicator: Trojan.DownLoad3.35430": [[118, 140]], "Indicator: Trojan.KillAV.Win32.9854": [[141, 165]], "Indicator: TR/Killav.OI.2": [[192, 206]], "Indicator: Trojan/Win32.Unknown": [[207, 227]], "Indicator: Trojan.Graftor.D3B65": [[228, 248]], "Indicator: Trojan:WinNT/Killav.E": [[249, 270]], "Indicator: Trojan/Win32.KillAV.R32978": [[271, 297]], "Indicator: Trojan.Win32.KillAV.aal": [[298, 321]], "Indicator: W32/KillAV.NKC!tr": [[322, 339]]}, "info": {"id": "cyner2_5class_train_01281", "source": "cyner2_5class_train"}} +{"text": "Users do not see those SMS because they are processed not by the SMS app , but by the app that has initiated the transaction — e.g a free-to-play game .", "spans": {}, "info": {"id": "cyner2_5class_train_01282", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrjnDwnldr.Banload.FC.2467 Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.FOJF-1615 Ransom_Blocker.R004C0DAM18 Win.Trojan.12504345-1 Trojan-Ransom.Win32.Blocker.kqil Troj.Ransom.W32.Blocker!c Trojan.DownLoader13.59179 Ransom_Blocker.R004C0DAM18 Trojan/Blocker.kir TR/Spy.Banker.37888.6 Trojan[Ransom]/Win32.Blocker Trojan.Kazy.D81FF3 Trojan-Ransom.Win32.Blocker.kqil TrojanSpy:MSIL/Banker.M Trojan/Win32.MDA.C931868 Hoax.Blocker Trojan.Banker.WHS Win32.Trojan.Blocker.Pgmu Trojan.Blocker!RxWDop6Ua70 Trojan.MSIL.PSW Win32/Trojan.Spy.d2d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrjnDwnldr.Banload.FC.2467": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[53, 95]], "Indicator: W32/Trojan.FOJF-1615": [[96, 116]], "Indicator: Ransom_Blocker.R004C0DAM18": [[117, 143], [251, 277]], "Indicator: Win.Trojan.12504345-1": [[144, 165]], "Indicator: Trojan-Ransom.Win32.Blocker.kqil": [[166, 198], [367, 399]], 
"Indicator: Troj.Ransom.W32.Blocker!c": [[199, 224]], "Indicator: Trojan.DownLoader13.59179": [[225, 250]], "Indicator: Trojan/Blocker.kir": [[278, 296]], "Indicator: TR/Spy.Banker.37888.6": [[297, 318]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[319, 347]], "Indicator: Trojan.Kazy.D81FF3": [[348, 366]], "Indicator: TrojanSpy:MSIL/Banker.M": [[400, 423]], "Indicator: Trojan/Win32.MDA.C931868": [[424, 448]], "Indicator: Hoax.Blocker": [[449, 461]], "Indicator: Trojan.Banker.WHS": [[462, 479]], "Indicator: Win32.Trojan.Blocker.Pgmu": [[480, 505]], "Indicator: Trojan.Blocker!RxWDop6Ua70": [[506, 532]], "Indicator: Trojan.MSIL.PSW": [[533, 548]], "Indicator: Win32/Trojan.Spy.d2d": [[549, 569]]}, "info": {"id": "cyner2_5class_train_01283", "source": "cyner2_5class_train"}} +{"text": "\" This malware employs several tactics to keep its activity hidden , meaning users might be unaware of its existence on their device .", "spans": {}, "info": {"id": "cyner2_5class_train_01284", "source": "cyner2_5class_train"}} +{"text": "Through this entry, in which we take a closer look at an individual who we believe might be connected to the Winnti group, we hope to give both ordinary users and organizations better insights into some of the tools – notably the server infrastructures- these kinds of threat actors use, as well as the scale in which they operate.", "spans": {"Organization: individual": [[57, 67]], "Organization: ordinary users": [[144, 158]], "Organization: organizations": [[163, 176]], "Malware: tools": [[210, 215]], "System: the server infrastructures-": [[226, 253]]}, "info": {"id": "cyner2_5class_train_01285", "source": "cyner2_5class_train"}} +{"text": "Also , command communications with the malware are parsed with a function named “ chuli ( ) ” prior to POSTing stolen data to the command-and-control server .", "spans": {}, "info": {"id": "cyner2_5class_train_01286", "source": "cyner2_5class_train"}} +{"text": "“ tk1 ” will disable all the effects of the “ tk0 ” 
command , while “ input keyevent 3 ” is the shell command that simulates the pressing of the ‘ home ’ button so all the current activities will be minimized and the user won ’ t suspect anything .", "spans": {}, "info": {"id": "cyner2_5class_train_01287", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Dinwod!O W32.Virut.Cur1 W32.Virut.CF Win32/Virut.17408!corrupt WORM_OTORUN.SMN1 Trojan-Dropper.Win32.Dinwod.by Trojan.Win32.Dinwod.cooobe Troj.Dropper.W32.Dinwod.mmkC Virus.Win32.Virut.ua Virus.Win32.Virut.CE Trojan.MulDrop3.51046 WORM_OTORUN.SMN1 Win32/Virut.bv TR/VB.Inject.qopannv Trojan[Dropper]/Win32.Dinwod Win32.Virut.cr.61440 Trojan.Zusy.D423D8 Dropper.Dinwod.151552 Trojan-Dropper.Win32.Dinwod.by Worm:Win32/Rortoti.A HEUR/Fakon.mwf TScope.Trojan.VB Trojan.FileLock I-Worm.Filecoder.A Win32/Virut.NBP Trojan-Dropper.Win32.Dinwod W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Dinwod!O": [[26, 55]], "Indicator: W32.Virut.Cur1": [[56, 70]], "Indicator: W32.Virut.CF": [[71, 83]], "Indicator: Win32/Virut.17408!corrupt": [[84, 109]], "Indicator: WORM_OTORUN.SMN1": [[110, 126], [278, 294]], "Indicator: Trojan-Dropper.Win32.Dinwod.by": [[127, 157], [422, 452]], "Indicator: Trojan.Win32.Dinwod.cooobe": [[158, 184]], "Indicator: Troj.Dropper.W32.Dinwod.mmkC": [[185, 213]], "Indicator: Virus.Win32.Virut.ua": [[214, 234]], "Indicator: Virus.Win32.Virut.CE": [[235, 255]], "Indicator: Trojan.MulDrop3.51046": [[256, 277]], "Indicator: Win32/Virut.bv": [[295, 309]], "Indicator: TR/VB.Inject.qopannv": [[310, 330]], "Indicator: Trojan[Dropper]/Win32.Dinwod": [[331, 359]], "Indicator: Win32.Virut.cr.61440": [[360, 380]], "Indicator: Trojan.Zusy.D423D8": [[381, 399]], "Indicator: Dropper.Dinwod.151552": [[400, 421]], "Indicator: Worm:Win32/Rortoti.A": [[453, 473]], "Indicator: HEUR/Fakon.mwf": [[474, 488]], "Indicator: TScope.Trojan.VB": [[489, 505]], "Indicator: Trojan.FileLock": [[506, 521]], 
"Indicator: I-Worm.Filecoder.A": [[522, 540]], "Indicator: Win32/Virut.NBP": [[541, 556]], "Indicator: Trojan-Dropper.Win32.Dinwod": [[557, 584]], "Indicator: W32/Sality.AO": [[585, 598]]}, "info": {"id": "cyner2_5class_train_01288", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ursu.D1347A Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.MulDrop7.48244 Trojan-Ransom.Rantest W32.Ransomsimulation TR/StartPage.wgude Trojan/MSIL.Miner RiskWare.RansomSimulator Trj/GdSda.A Trojan.StartPage!pRfC+LclTxM Win32/Trojan.7c5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ursu.D1347A": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[45, 87]], "Indicator: Trojan.MulDrop7.48244": [[88, 109]], "Indicator: Trojan-Ransom.Rantest": [[110, 131]], "Indicator: W32.Ransomsimulation": [[132, 152]], "Indicator: TR/StartPage.wgude": [[153, 171]], "Indicator: Trojan/MSIL.Miner": [[172, 189]], "Indicator: RiskWare.RansomSimulator": [[190, 214]], "Indicator: Trj/GdSda.A": [[215, 226]], "Indicator: Trojan.StartPage!pRfC+LclTxM": [[227, 255]], "Indicator: Win32/Trojan.7c5": [[256, 272]]}, "info": {"id": "cyner2_5class_train_01289", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.WebSearch W32/Application.KWFL-8070 Trojan.Win32.WebSearch.ak Trojan.Win32.WebSearch.ommdf Trojan.Win32.Z.Websearch.263168 Troj.W32.Websearch!c TR/WebSearch.V Trojan:Win32/WebSearch.F Trojan.Win32.WebSearch.ak Trj/CI.A Win32.Trojan.Websearch.Lmap Trojan.WebSearch!GWyPJuQViZY Win32/Trojan.3ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.WebSearch": [[26, 42]], "Indicator: W32/Application.KWFL-8070": [[43, 68]], "Indicator: Trojan.Win32.WebSearch.ak": [[69, 94], [217, 242]], "Indicator: Trojan.Win32.WebSearch.ommdf": [[95, 123]], "Indicator: Trojan.Win32.Z.Websearch.263168": [[124, 155]], "Indicator: Troj.W32.Websearch!c": [[156, 176]], "Indicator: TR/WebSearch.V": [[177, 191]], "Indicator: 
Trojan:Win32/WebSearch.F": [[192, 216]], "Indicator: Trj/CI.A": [[243, 251]], "Indicator: Win32.Trojan.Websearch.Lmap": [[252, 279]], "Indicator: Trojan.WebSearch!GWyPJuQViZY": [[280, 308]], "Indicator: Win32/Trojan.3ff": [[309, 325]]}, "info": {"id": "cyner2_5class_train_01290", "source": "cyner2_5class_train"}} +{"text": "Locky is a ransomware that can be installed when you open an attachment, usually as a Word file from a spam email.", "spans": {"Malware: Locky": [[0, 5]], "Malware: ransomware": [[11, 21]], "Indicator: open an attachment,": [[53, 72]], "Indicator: Word file": [[86, 95]], "Indicator: a spam email.": [[101, 114]]}, "info": {"id": "cyner2_5class_train_01291", "source": "cyner2_5class_train"}} +{"text": "We are seeing a bit of an uptick of emails containing java adwind or Java Jacksbot attachments.", "spans": {"Indicator: emails": [[36, 42]], "Indicator: java": [[54, 58]], "Malware: adwind": [[59, 65]], "Indicator: Java": [[69, 73]], "Malware: Jacksbot": [[74, 82]], "Indicator: attachments.": [[83, 95]]}, "info": {"id": "cyner2_5class_train_01292", "source": "cyner2_5class_train"}} +{"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload .", "spans": {}, "info": {"id": "cyner2_5class_train_01293", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Dropper.ANAB TROJ_DROPPER.SMW Packed.Win32.Krap.ap Trojan.Winlock.587 TROJ_DROPPER.SMW BehavesLike.Win32.FakeAlertSecurityTool.fc W32/Risk.VFHY-0574 Trojan[Packed]/Win32.Krap Packed.Win32.Krap.ap Dropper/Win32.Smiscer.R13962 Trojan.DR.Procesemes!WkidsgpO+Do Packed.Win32.Krap", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[26, 68]], "Indicator: W32/Dropper.ANAB": [[69, 85]], "Indicator: TROJ_DROPPER.SMW": [[86, 102], [143, 159]], "Indicator: Packed.Win32.Krap.ap": [[103, 123], [248, 268]], "Indicator: 
Trojan.Winlock.587": [[124, 142]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.fc": [[160, 202]], "Indicator: W32/Risk.VFHY-0574": [[203, 221]], "Indicator: Trojan[Packed]/Win32.Krap": [[222, 247]], "Indicator: Dropper/Win32.Smiscer.R13962": [[269, 297]], "Indicator: Trojan.DR.Procesemes!WkidsgpO+Do": [[298, 330]], "Indicator: Packed.Win32.Krap": [[331, 348]]}, "info": {"id": "cyner2_5class_train_01294", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.BitCoinMiner.jz Trojan.Win32.BitCoinMiner.euxcee Win32.Trojan.Bitcoinminer.Wrgk Trojan.DownLoader25.54215 Trojan.CoinMiner.Win32.6503 Trojan/Win32.BitCoinMiner Trojan.Win32.BitCoinMiner.jz TrojanDownloader:MSIL/CoinMiner.A!bit Trojan.BitCoinMiner Trojan.BitCoinMiner Trj/GdSda.A Trojan.BitCoinMiner!x6PcA/gbW/U W32/BitCoinMiner.JZ!tr Win32/Trojan.5d5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.BitCoinMiner.jz": [[26, 54], [199, 227]], "Indicator: Trojan.Win32.BitCoinMiner.euxcee": [[55, 87]], "Indicator: Win32.Trojan.Bitcoinminer.Wrgk": [[88, 118]], "Indicator: Trojan.DownLoader25.54215": [[119, 144]], "Indicator: Trojan.CoinMiner.Win32.6503": [[145, 172]], "Indicator: Trojan/Win32.BitCoinMiner": [[173, 198]], "Indicator: TrojanDownloader:MSIL/CoinMiner.A!bit": [[228, 265]], "Indicator: Trojan.BitCoinMiner": [[266, 285], [286, 305]], "Indicator: Trj/GdSda.A": [[306, 317]], "Indicator: Trojan.BitCoinMiner!x6PcA/gbW/U": [[318, 349]], "Indicator: W32/BitCoinMiner.JZ!tr": [[350, 372]], "Indicator: Win32/Trojan.5d5": [[373, 389]]}, "info": {"id": "cyner2_5class_train_01295", "source": "cyner2_5class_train"}} +{"text": "A few weeks ago, we observed new activity from ChessMaster, with notable evolutions in terms of new tools and tactics that weren't present in the initial attacks.", "spans": {"Malware: ChessMaster,": [[47, 59]], "Malware: tools": [[100, 105]], "Indicator: the initial attacks.": [[142, 162]]}, "info": {"id": "cyner2_5class_train_01296", 
"source": "cyner2_5class_train"}} +{"text": "It abuses the legitimate and popular open source framework DroidPlugin which allows an app to dynamically launch any apps as plugins without installing them in the system.", "spans": {"Vulnerability: abuses": [[3, 9]], "Vulnerability: open source framework DroidPlugin": [[37, 70]], "Vulnerability: allows an app to dynamically launch any apps as plugins": [[77, 132]], "System: system.": [[164, 171]]}, "info": {"id": "cyner2_5class_train_01297", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.StartPage.e.Trojan Trojan.Startpage TROJ_STARTPAGE_FD050152.UVPM Trojan.Win32.Z.Startpage.4001399 TROJ_STARTPAGE_FD050152.UVPM TR/StartPage.sdjtv W32/STARTPAGE_FD050152.UVPM!tr Win32/Trojan.41b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.StartPage.e.Trojan": [[26, 54]], "Indicator: Trojan.Startpage": [[55, 71]], "Indicator: TROJ_STARTPAGE_FD050152.UVPM": [[72, 100], [134, 162]], "Indicator: Trojan.Win32.Z.Startpage.4001399": [[101, 133]], "Indicator: TR/StartPage.sdjtv": [[163, 181]], "Indicator: W32/STARTPAGE_FD050152.UVPM!tr": [[182, 212]], "Indicator: Win32/Trojan.41b": [[213, 229]]}, "info": {"id": "cyner2_5class_train_01298", "source": "cyner2_5class_train"}} +{"text": "Application launch When launching for the first time , the Trojan checks if it is being launched in an emulation environment , and in which country it is being launched .", "spans": {}, "info": {"id": "cyner2_5class_train_01299", "source": "cyner2_5class_train"}} +{"text": "] infoacount-manager [ .", "spans": {"Indicator: [ .": [[21, 24]]}, "info": {"id": "cyner2_5class_train_01300", "source": "cyner2_5class_train"}} +{"text": "THREAT ANALYSIS Infection Vector : Smishing Your Device Thus far , FakeSpy campaigns are characterized by SMS phishing ( a.k.a .", "spans": {"Malware: FakeSpy": [[67, 74]]}, "info": {"id": "cyner2_5class_train_01301", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: Trojan.Win32.VB!O Trojan.VB Trojan/VB.bmd Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ZJNQ-3376 TROJ_VB.FVH Win.Trojan.VB-3241 Trojan.Win32.VB.bmd Trojan.Win32.VB.crkyqv Troj.W32.Vb!c Trojan.Win32.VB.aae Trojan.SimSun Trojan.VB.Win32.1599 TROJ_VB.FVH BehavesLike.Win32.PJTbinder.qz Trojan.Win32.Elkmil W32/Trojan2.YLV W32/VB.QRB!tr Trojan/Win32.VB Win32.Troj.VB.kcloud Trojan.Heur.E1F0CA Trojan.Win32.VB.28672.K Trojan.Win32.VB.bmd Trojan/Win32.Xema.R125410 TScope.Trojan.VB Trj/QQPass.AWP Virus.Win32.HideDoc.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VB!O": [[26, 43]], "Indicator: Trojan.VB": [[44, 53]], "Indicator: Trojan/VB.bmd": [[54, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[68, 110]], "Indicator: W32/Trojan.ZJNQ-3376": [[111, 131]], "Indicator: TROJ_VB.FVH": [[132, 143], [275, 286]], "Indicator: Win.Trojan.VB-3241": [[144, 162]], "Indicator: Trojan.Win32.VB.bmd": [[163, 182], [448, 467]], "Indicator: Trojan.Win32.VB.crkyqv": [[183, 205]], "Indicator: Troj.W32.Vb!c": [[206, 219]], "Indicator: Trojan.Win32.VB.aae": [[220, 239]], "Indicator: Trojan.SimSun": [[240, 253]], "Indicator: Trojan.VB.Win32.1599": [[254, 274]], "Indicator: BehavesLike.Win32.PJTbinder.qz": [[287, 317]], "Indicator: Trojan.Win32.Elkmil": [[318, 337]], "Indicator: W32/Trojan2.YLV": [[338, 353]], "Indicator: W32/VB.QRB!tr": [[354, 367]], "Indicator: Trojan/Win32.VB": [[368, 383]], "Indicator: Win32.Troj.VB.kcloud": [[384, 404]], "Indicator: Trojan.Heur.E1F0CA": [[405, 423]], "Indicator: Trojan.Win32.VB.28672.K": [[424, 447]], "Indicator: Trojan/Win32.Xema.R125410": [[468, 493]], "Indicator: TScope.Trojan.VB": [[494, 510]], "Indicator: Trj/QQPass.AWP": [[511, 525]], "Indicator: Virus.Win32.HideDoc.C": [[526, 547]]}, "info": {"id": "cyner2_5class_train_01302", "source": "cyner2_5class_train"}} +{"text": "] orgmary-crawley [ .", "spans": {"Indicator: [ .": [[18, 21]]}, "info": {"id": "cyner2_5class_train_01303", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.PPdoor.159232 Backdoor.Win32.PPdoor!O Win32.Trojan.WisdomEyes.16070401.9500.9989 Backdoor.Trojan BKDR_PPDOOR.AL Win.Trojan.PPDoor-3 Backdoor.Win32.PPdoor.bo Trojan.Win32.PPdoor.qstx Backdoor.Win32.PPdoor.A BackDoor.Srvlite BKDR_PPDOOR.AL BehavesLike.Win32.Pykse.ch W32/PPdoor.GR Backdoor/PPdoor.bo DR/Pere.103936.E.2 Trojan[Backdoor]/Win32.PPdoor Backdoor:Win32/Ppdoor.AJ Backdoor.Win32.PPdoor.bo Trojan/Win32.Ppdoor.C139757 Virus.Win32.Bayan-based Backdoor.PPdoor!lYc+pVWanGQ Backdoor.Win32.PPdoor Trj/PPDoor.FD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.PPdoor.159232": [[26, 52]], "Indicator: Backdoor.Win32.PPdoor!O": [[53, 76]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[77, 119]], "Indicator: Backdoor.Trojan": [[120, 135]], "Indicator: BKDR_PPDOOR.AL": [[136, 150], [262, 276]], "Indicator: Win.Trojan.PPDoor-3": [[151, 170]], "Indicator: Backdoor.Win32.PPdoor.bo": [[171, 195], [411, 435]], "Indicator: Trojan.Win32.PPdoor.qstx": [[196, 220]], "Indicator: Backdoor.Win32.PPdoor.A": [[221, 244]], "Indicator: BackDoor.Srvlite": [[245, 261]], "Indicator: BehavesLike.Win32.Pykse.ch": [[277, 303]], "Indicator: W32/PPdoor.GR": [[304, 317]], "Indicator: Backdoor/PPdoor.bo": [[318, 336]], "Indicator: DR/Pere.103936.E.2": [[337, 355]], "Indicator: Trojan[Backdoor]/Win32.PPdoor": [[356, 385]], "Indicator: Backdoor:Win32/Ppdoor.AJ": [[386, 410]], "Indicator: Trojan/Win32.Ppdoor.C139757": [[436, 463]], "Indicator: Virus.Win32.Bayan-based": [[464, 487]], "Indicator: Backdoor.PPdoor!lYc+pVWanGQ": [[488, 515]], "Indicator: Backdoor.Win32.PPdoor": [[516, 537]], "Indicator: Trj/PPDoor.FD": [[538, 551]]}, "info": {"id": "cyner2_5class_train_01304", "source": "cyner2_5class_train"}} +{"text": "Check Point Mobile Threat Prevention has detected a new, unknown mobile malware that targeted two customer Android devices belonging to employees at a large financial services 
institution.", "spans": {"Organization: Check Point Mobile Threat Prevention": [[0, 36]], "Malware: unknown": [[57, 64]], "System: Android devices": [[107, 122]], "Organization: employees": [[136, 145]], "Organization: large financial services institution.": [[151, 188]]}, "info": {"id": "cyner2_5class_train_01305", "source": "cyner2_5class_train"}} +{"text": "This is further corroborated by some older and unobfuscated samples from 2016 , whose primary classes are named CheckValidTarget .", "spans": {}, "info": {"id": "cyner2_5class_train_01306", "source": "cyner2_5class_train"}} +{"text": "FireEye recommends that Microsoft Office users apply the patch from Microsoft.", "spans": {"Organization: FireEye": [[0, 7]], "System: Microsoft Office": [[24, 40]], "Organization: Microsoft.": [[68, 78]]}, "info": {"id": "cyner2_5class_train_01307", "source": "cyner2_5class_train"}} +{"text": "It is very easy to trick victims to fall for such attacks .", "spans": {}, "info": {"id": "cyner2_5class_train_01308", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Flystudio.16558 TSPY_AKSULA_CA083865.TOMC Win32.Trojan-PSW.Alipay.a TSPY_AKSULA_CA083865.TOMC Trojan-PSW.Win32.Alipay.peq Troj.Downloader.W32.BaiDload.lhQG TR/Aksula.jqeqy Trojan:Win32/Aksula.A Trojan.Mikey.D906C Trojan-PSW.Win32.Alipay.peq Trojan/Win32.Aksula.R27086 Win32.Trojan-qqpass.Qqrob.Phqe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Flystudio.16558": [[26, 50]], "Indicator: TSPY_AKSULA_CA083865.TOMC": [[51, 76], [103, 128]], "Indicator: Win32.Trojan-PSW.Alipay.a": [[77, 102]], "Indicator: Trojan-PSW.Win32.Alipay.peq": [[129, 156], [248, 275]], "Indicator: Troj.Downloader.W32.BaiDload.lhQG": [[157, 190]], "Indicator: TR/Aksula.jqeqy": [[191, 206]], "Indicator: Trojan:Win32/Aksula.A": [[207, 228]], "Indicator: Trojan.Mikey.D906C": [[229, 247]], "Indicator: Trojan/Win32.Aksula.R27086": [[276, 302]], "Indicator: Win32.Trojan-qqpass.Qqrob.Phqe": [[303, 333]]}, "info": 
{"id": "cyner2_5class_train_01309", "source": "cyner2_5class_train"}} +{"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81 195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8 c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ? 
It is possibly one of the most frequently asked questions on the Internet .", "spans": {"Indicator: 155.133.82.181": [[26, 40]], "Indicator: 155.133.82.240": [[41, 55]], "Indicator: 155.133.82.244": [[56, 70]], "Indicator: 185.234.218.59": [[71, 85], [234, 248]], "Indicator: 195.22.126.160": [[86, 100], [265, 279]], "Indicator: 195.22.126.163": [[101, 115]], "Indicator: 195.22.126.80": [[116, 129], [280, 293]], "Indicator: 195.22.126.81": [[130, 143], [294, 307]], "Indicator: 5.45.73.24": [[144, 154]], "Indicator: 5.45.74.130 IP addresses": [[155, 179]], "Indicator: 185.174.173.31": [[219, 233]], "Indicator: 188.166.156.110": [[249, 264]], "Indicator: 195.22.126.82": [[308, 321]], "Indicator: 195.22.126.83": [[322, 335]], "Indicator: 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67": [[345, 409]], "Indicator: 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d": [[410, 474]], "Indicator: f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637": [[475, 539]], "Indicator: df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8": [[540, 604]], "Indicator: c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184": [[605, 669]], "Indicator: d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514": [[670, 734]], "Indicator: 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9": [[735, 799]], "Indicator: 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c": [[800, 864]], "Indicator: 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d": [[865, 929]], "Indicator: 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951": [[930, 994]], "Indicator: eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101": [[995, 1059]], "System: ARM": [[1120, 1123]], "System: Android": [[1171, 1178]]}, "info": {"id": "cyner2_5class_train_01310", "source": "cyner2_5class_train"}} +{"text": "All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a 
trail of traceable contact details online.", "spans": {"Indicator: a trail of traceable contact details": [[86, 122]]}, "info": {"id": "cyner2_5class_train_01311", "source": "cyner2_5class_train"}} +{"text": "] 975685 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01312", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DefayliLTO.Trojan Trojan.Win32.Cosmu!O Trojan.Hosts Trojan.Cosmu.Win32.8116 Win32.Trojan.Qhost.y W32/Trojan2.OIIF Trojan.Qhosts TROJ_COSMU_000001b.TOMA Win.Trojan.Cosmu-1352 Trojan.Win32.Hosts2.wog Trojan.Win32.Drop.rqzxb Troj.W32.Hosts2.toz0 Virus.Win32.Virut.ua TrojWare.Win32.Qhost.rqj Trojan.MulDrop3.7647 TROJ_COSMU_000001b.TOMA BehavesLike.Win32.PUPXAN.tz W32/Trojan.VWTG-6346 Win32/Virut.bv TR/Cosmu.oiqea Trojan/Win32.Cosmu Worm:Win32/Makc.A Trojan.Graftor.D2333 Trojan.Win32.A.Cosmu.577633 Trojan.Win32.Hosts2.wog HEUR/Fakon.mwf BScope.Trojan.IRCbot Win32/Qhost.ONX Trojan.Cosmu!mnslE6bxKwc Worm.Win32.AutoIt W32/Qhost.ONX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DefayliLTO.Trojan": [[26, 47]], "Indicator: Trojan.Win32.Cosmu!O": [[48, 68]], "Indicator: Trojan.Hosts": [[69, 81]], "Indicator: Trojan.Cosmu.Win32.8116": [[82, 105]], "Indicator: Win32.Trojan.Qhost.y": [[106, 126]], "Indicator: W32/Trojan2.OIIF": [[127, 143]], "Indicator: Trojan.Qhosts": [[144, 157]], "Indicator: TROJ_COSMU_000001b.TOMA": [[158, 181], [340, 363]], "Indicator: Win.Trojan.Cosmu-1352": [[182, 203]], "Indicator: Trojan.Win32.Hosts2.wog": [[204, 227], [529, 552]], "Indicator: Trojan.Win32.Drop.rqzxb": [[228, 251]], "Indicator: Troj.W32.Hosts2.toz0": [[252, 272]], "Indicator: Virus.Win32.Virut.ua": [[273, 293]], "Indicator: TrojWare.Win32.Qhost.rqj": [[294, 318]], "Indicator: Trojan.MulDrop3.7647": [[319, 339]], "Indicator: BehavesLike.Win32.PUPXAN.tz": [[364, 391]], "Indicator: W32/Trojan.VWTG-6346": [[392, 412]], "Indicator: Win32/Virut.bv": [[413, 427]], "Indicator: TR/Cosmu.oiqea": [[428, 442]], "Indicator: 
Trojan/Win32.Cosmu": [[443, 461]], "Indicator: Worm:Win32/Makc.A": [[462, 479]], "Indicator: Trojan.Graftor.D2333": [[480, 500]], "Indicator: Trojan.Win32.A.Cosmu.577633": [[501, 528]], "Indicator: HEUR/Fakon.mwf": [[553, 567]], "Indicator: BScope.Trojan.IRCbot": [[568, 588]], "Indicator: Win32/Qhost.ONX": [[589, 604]], "Indicator: Trojan.Cosmu!mnslE6bxKwc": [[605, 629]], "Indicator: Worm.Win32.AutoIt": [[630, 647]], "Indicator: W32/Qhost.ONX!tr": [[648, 664]]}, "info": {"id": "cyner2_5class_train_01313", "source": "cyner2_5class_train"}} +{"text": "As soon as a user tries to open the app , it launches a fake notification and soon the notification as well as the app icon disappears .", "spans": {}, "info": {"id": "cyner2_5class_train_01314", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Gezak Trojan.Vir.HLL Trojan.Heur.ED5CCE WORM_GEZAK.A W32/Risk.GNIP-0600 W32.Osapex Win32/Gezak.A WORM_GEZAK.A Win.Trojan.Gezak-1 Virus.Win32.HLLW.Gezak Virus.Win32.HLLW.gjmh W32.HLLW.Gezak!c Win32.HLLW.Gezak Win32.HLLW.Osapex Virus.Gezak.Win32.1 W32/Osapex.b.worm Win32/HLLW.Gezak Virus/Win32.Gezak Win32.HLLW.kcloud Virus.Win32.HLLW.Gezak Win32/Osapex.worm.31744 W32/Osapex.b.worm Trojan.Worm Univ.AP.K Win32/HLLW.Gezak Win32.Virus.Hllw.Hnbi Win32.HLLW.Gezak Virus.Win32.HLLW W32/Gezak.A!worm Win32/Worm.fc8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Gezak": [[26, 35]], "Indicator: Trojan.Vir.HLL": [[36, 50]], "Indicator: Trojan.Heur.ED5CCE": [[51, 69]], "Indicator: WORM_GEZAK.A": [[70, 82], [127, 139]], "Indicator: W32/Risk.GNIP-0600": [[83, 101]], "Indicator: W32.Osapex": [[102, 112]], "Indicator: Win32/Gezak.A": [[113, 126]], "Indicator: Win.Trojan.Gezak-1": [[140, 158]], "Indicator: Virus.Win32.HLLW.Gezak": [[159, 181], [347, 369]], "Indicator: Virus.Win32.HLLW.gjmh": [[182, 203]], "Indicator: W32.HLLW.Gezak!c": [[204, 220]], "Indicator: Win32.HLLW.Gezak": [[221, 237], [473, 489]], "Indicator: Win32.HLLW.Osapex": [[238, 255]], "Indicator: 
Virus.Gezak.Win32.1": [[256, 275]], "Indicator: W32/Osapex.b.worm": [[276, 293], [394, 411]], "Indicator: Win32/HLLW.Gezak": [[294, 310], [434, 450]], "Indicator: Virus/Win32.Gezak": [[311, 328]], "Indicator: Win32.HLLW.kcloud": [[329, 346]], "Indicator: Win32/Osapex.worm.31744": [[370, 393]], "Indicator: Trojan.Worm": [[412, 423]], "Indicator: Univ.AP.K": [[424, 433]], "Indicator: Win32.Virus.Hllw.Hnbi": [[451, 472]], "Indicator: Virus.Win32.HLLW": [[490, 506]], "Indicator: W32/Gezak.A!worm": [[507, 523]], "Indicator: Win32/Worm.fc8": [[524, 538]]}, "info": {"id": "cyner2_5class_train_01315", "source": "cyner2_5class_train"}} +{"text": "Some examples are email messages claiming to be in regards to an overdue bill or invoice, utilizing such terminology in the subject line and given file name, such as invoice.zip or payment_doc_298427.zip", "spans": {"Indicator: overdue bill": [[65, 77]], "Indicator: invoice,": [[81, 89]], "Indicator: terminology": [[105, 116]], "Indicator: subject line": [[124, 136]], "Indicator: given file name,": [[141, 157]], "Indicator: invoice.zip": [[166, 177]], "Indicator: payment_doc_298427.zip": [[181, 203]]}, "info": {"id": "cyner2_5class_train_01316", "source": "cyner2_5class_train"}} +{"text": "Figure 13 : Popup asking for a credit card number The application also supports stealing credit card verification information ( Figures 14 and 15 ) .", "spans": {}, "info": {"id": "cyner2_5class_train_01317", "source": "cyner2_5class_train"}} +{"text": "It is important to note that the activity conducted by the malware is not borderline advertising , but definitely an illegitimate use of the users ’ mobile devices for generating fraudulent clicks , benefiting the attackers .", "spans": {}, "info": {"id": "cyner2_5class_train_01318", "source": "cyner2_5class_train"}} +{"text": "We haven't seen Locky for a long time, so I was quite surprised to see this one.", "spans": {}, "info": {"id": "cyner2_5class_train_01319", "source": 
"cyner2_5class_train"}} +{"text": "Zen 's rooting trojan apps target a specific device model with a very specific system image .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner2_5class_train_01320", "source": "cyner2_5class_train"}} +{"text": "WHO IS BEHIND FAKESPY ’ S SMISHING CAMPAIGNS ? The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers .", "spans": {"Malware: FAKESPY": [[14, 21]], "Organization: Cybereason Nocturnus": [[51, 71]]}, "info": {"id": "cyner2_5class_train_01321", "source": "cyner2_5class_train"}} +{"text": "It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5122.", "spans": {"System: Adobe Flash": [[18, 29]], "Malware: exploit": [[30, 37]], "Vulnerability: vulnerabilities": [[75, 90]], "Organization: Hacking Team": [[100, 112]], "Indicator: CVE-2015-5122.": [[126, 140]]}, "info": {"id": "cyner2_5class_train_01322", "source": "cyner2_5class_train"}} +{"text": "After that it ’ s necessary to send “ stop_blocker ” to the same number – this will disable the display of HTML pages that extort money and block the screen .", "spans": {}, "info": {"id": "cyner2_5class_train_01323", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.14848.GD Trojan.Win32.Small!O Trojan/Small.cnp Trojan.Conjar.8 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Ransomlock TROJ_IKYTOK.SMI Trojan.Win32.Small.djdxj TROJ_IKYTOK.SMI Trojan/Small.kgz TR/Zapchast.I Trojan:Win32/Ikytoky.A Trojan.Win32.A.Small.14848 Trojan/Win32.Menti.R9065 Trojan.Karagany Trojan.Downloader.MB Trj/Hexas.HEU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.14848.GD": [[26, 51]], "Indicator: Trojan.Win32.Small!O": [[52, 72]], "Indicator: Trojan/Small.cnp": [[73, 89]], "Indicator: Trojan.Conjar.8": [[90, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[106, 148]], "Indicator: 
Trojan.Ransomlock": [[149, 166]], "Indicator: TROJ_IKYTOK.SMI": [[167, 182], [208, 223]], "Indicator: Trojan.Win32.Small.djdxj": [[183, 207]], "Indicator: Trojan/Small.kgz": [[224, 240]], "Indicator: TR/Zapchast.I": [[241, 254]], "Indicator: Trojan:Win32/Ikytoky.A": [[255, 277]], "Indicator: Trojan.Win32.A.Small.14848": [[278, 304]], "Indicator: Trojan/Win32.Menti.R9065": [[305, 329]], "Indicator: Trojan.Karagany": [[330, 345]], "Indicator: Trojan.Downloader.MB": [[346, 366]], "Indicator: Trj/Hexas.HEU": [[367, 380]]}, "info": {"id": "cyner2_5class_train_01324", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Injector.dtxv TROJ_INJECTOR_HA010038.UVPM Win32.Trojan-PSW.Fareit.a W32/Injector.GBX TROJ_INJECTOR_HA010038.UVPM Win.Trojan.Fareit-403 Riskware.Win32.Stealer.evlqpt Trojan.PWS.Stealer.18592 Trojan.Ekstak.Win32.3539 W32/Injector.ELVO-4299 DR/Delphi.rghyi Trojan/Win32.Ekstak.R214290 Backdoor.Androm Trojan.Injector Win32/PSW.Fareit.A Trojan.Win32.Injector W32/Kryptik.GCFM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Injector.dtxv": [[26, 46]], "Indicator: TROJ_INJECTOR_HA010038.UVPM": [[47, 74], [118, 145]], "Indicator: Win32.Trojan-PSW.Fareit.a": [[75, 100]], "Indicator: W32/Injector.GBX": [[101, 117]], "Indicator: Win.Trojan.Fareit-403": [[146, 167]], "Indicator: Riskware.Win32.Stealer.evlqpt": [[168, 197]], "Indicator: Trojan.PWS.Stealer.18592": [[198, 222]], "Indicator: Trojan.Ekstak.Win32.3539": [[223, 247]], "Indicator: W32/Injector.ELVO-4299": [[248, 270]], "Indicator: DR/Delphi.rghyi": [[271, 286]], "Indicator: Trojan/Win32.Ekstak.R214290": [[287, 314]], "Indicator: Backdoor.Androm": [[315, 330]], "Indicator: Trojan.Injector": [[331, 346]], "Indicator: Win32/PSW.Fareit.A": [[347, 365]], "Indicator: Trojan.Win32.Injector": [[366, 387]], "Indicator: W32/Kryptik.GCFM!tr": [[388, 407]]}, "info": {"id": "cyner2_5class_train_01325", "source": "cyner2_5class_train"}} +{"text": "] site/gate_cb8a5aea1ab302f0_c 
online 208.91.197 [ .", "spans": {"Indicator: 208.91.197 [ .": [[38, 52]]}, "info": {"id": "cyner2_5class_train_01326", "source": "cyner2_5class_train"}} +{"text": "Many domains in this report are compromised domains - traffic to them may not be malicious.", "spans": {"Indicator: Many domains": [[0, 12]], "Indicator: compromised domains": [[32, 51]]}, "info": {"id": "cyner2_5class_train_01327", "source": "cyner2_5class_train"}} +{"text": "The tweet stated that TrickBot , a well-known banking Trojan owned by an organized cybercrime gang , uses man-in-the-browser ( MITB ) web injects in online banking sessions to ask infected users for their mobile phone number and device type .", "spans": {"Malware: TrickBot": [[22, 30]]}, "info": {"id": "cyner2_5class_train_01328", "source": "cyner2_5class_train"}} +{"text": "Figure 14 .", "spans": {}, "info": {"id": "cyner2_5class_train_01329", "source": "cyner2_5class_train"}} +{"text": "It can not act independently and operates strictly in accordance with commands received from the C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_01330", "source": "cyner2_5class_train"}} +{"text": "Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China.", "spans": {"Malware: tools": [[49, 54]], "Organization: CTU": [[59, 62]]}, "info": {"id": "cyner2_5class_train_01331", "source": "cyner2_5class_train"}} +{"text": "In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the Range' feature within its initial HTTP requests to avoid detection.", "spans": {"Organization: Forcepoint Security Labs": [[16, 40]], "Malware: Ursnif banking Trojan": [[83, 104]], "Indicator: HTTP requests": [[154, 167]]}, "info": {"id": "cyner2_5class_train_01332", "source": "cyner2_5class_train"}} +{"text": "The Lazarus group, which has been identified as the backbone of the report, has 
been active in the past, and Novetta's research is helping to preemptively counteract and prevent Lazarus attacks around the world.", "spans": {"Organization: Novetta's research": [[109, 127]], "Indicator: attacks": [[186, 193]]}, "info": {"id": "cyner2_5class_train_01333", "source": "cyner2_5class_train"}} +{"text": "While vertical targeting varies, we observed a significant focus on Financial Services.", "spans": {"Organization: Financial Services.": [[68, 87]]}, "info": {"id": "cyner2_5class_train_01334", "source": "cyner2_5class_train"}} +{"text": "Figure 6 : bit.ly statistics for the fake Bank Austria Android app download link From this small sample , we see that 7 % of visitors clicked through to download the application , which is actually a version of the Marcher banking Trojan named “ BankAustria.apk ” , continuing the fraudulent use of the bank ’ s branding to fool potential victims .", "spans": {"Indicator: bit.ly": [[11, 17]], "System: Bank Austria Android app": [[42, 66]], "Malware: Marcher banking Trojan": [[215, 237]], "Indicator: BankAustria.apk": [[246, 261]]}, "info": {"id": "cyner2_5class_train_01335", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LRSgzengelSvrA.Trojan Trojan/W32.Rootkit.78592 Trojan.Festi.C6 Trojan/Tent.cow Trojan.Rootkit.1 RTKT_FESTI.SM Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Festi RTKT_FESTI.SM Win.Trojan.Rootkit-4345 Trojan.Win32.Tent.ddfje Trojan.NtRootKit.12267 Rootkit.Tent.Win32.134 Rootkit.Tent.fc RKIT/Tent.aui Trojan[Rootkit]/Win32.Tent Backdoor:WinNT/Festi.C Win-Trojan/Festi.78592 TScope.Malware-Cryptor.SB Trj/CI.A Win32.Exploit.Tent.cmvx", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LRSgzengelSvrA.Trojan": [[26, 51]], "Indicator: Trojan/W32.Rootkit.78592": [[52, 76]], "Indicator: Trojan.Festi.C6": [[77, 92]], "Indicator: Trojan/Tent.cow": [[93, 108]], "Indicator: Trojan.Rootkit.1": [[109, 125]], "Indicator: RTKT_FESTI.SM": [[126, 139], [196, 209]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9989": [[140, 182]], "Indicator: Trojan.Festi": [[183, 195]], "Indicator: Win.Trojan.Rootkit-4345": [[210, 233]], "Indicator: Trojan.Win32.Tent.ddfje": [[234, 257]], "Indicator: Trojan.NtRootKit.12267": [[258, 280]], "Indicator: Rootkit.Tent.Win32.134": [[281, 303]], "Indicator: Rootkit.Tent.fc": [[304, 319]], "Indicator: RKIT/Tent.aui": [[320, 333]], "Indicator: Trojan[Rootkit]/Win32.Tent": [[334, 360]], "Indicator: Backdoor:WinNT/Festi.C": [[361, 383]], "Indicator: Win-Trojan/Festi.78592": [[384, 406]], "Indicator: TScope.Malware-Cryptor.SB": [[407, 432]], "Indicator: Trj/CI.A": [[433, 441]], "Indicator: Win32.Exploit.Tent.cmvx": [[442, 465]]}, "info": {"id": "cyner2_5class_train_01336", "source": "cyner2_5class_train"}} +{"text": "In order to simulate this technique , we took two videos side by side of how FakeSpy ( the Royal Mail sample ) behaves differently on a physical device versus an emulator .", "spans": {"Malware: FakeSpy": [[77, 84]], "Organization: Royal Mail": [[91, 101]]}, "info": {"id": "cyner2_5class_train_01337", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.downCN.Adware Trojan-Downloader.Win32.Petus!O Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_DLDR.SMIH Trojan.Win32.Petus.efjtuk Trojan.Win32.A.Downloader.69153 Troj.Dropper.W32.StartPage.lmCy Trojan.DownLoader4.54937 Downloader.Petus.Win32.9 TROJ_DLDR.SMIH Trojan-Downloader.Win32.Petus Trojan[Downloader]/Win32.Petus TrojanDownloader:Win32/Petus.C Trojan/Win32.Petus.R4023 Win32/Trojan.c81", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.downCN.Adware": [[26, 43]], "Indicator: Trojan-Downloader.Win32.Petus!O": [[44, 75]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[76, 118]], "Indicator: TROJ_DLDR.SMIH": [[119, 133], [274, 288]], "Indicator: Trojan.Win32.Petus.efjtuk": [[134, 159]], "Indicator: Trojan.Win32.A.Downloader.69153": [[160, 191]], "Indicator: Troj.Dropper.W32.StartPage.lmCy": [[192, 223]], 
"Indicator: Trojan.DownLoader4.54937": [[224, 248]], "Indicator: Downloader.Petus.Win32.9": [[249, 273]], "Indicator: Trojan-Downloader.Win32.Petus": [[289, 318]], "Indicator: Trojan[Downloader]/Win32.Petus": [[319, 349]], "Indicator: TrojanDownloader:Win32/Petus.C": [[350, 380]], "Indicator: Trojan/Win32.Petus.R4023": [[381, 405]], "Indicator: Win32/Trojan.c81": [[406, 422]]}, "info": {"id": "cyner2_5class_train_01338", "source": "cyner2_5class_train"}} +{"text": "The Android malware Android.Oldboot is almost impossible to remove , not even with formatting your device .", "spans": {"System: Android": [[4, 11]], "Malware: Android.Oldboot": [[20, 35]]}, "info": {"id": "cyner2_5class_train_01339", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.Cosmu.PE Win32.Worm.VB.NZQ Trojan.Win32.Cosmu!O W32.Lamer.EL3 Trojan.Downloader Worm.VB.Win32.26804 Trojan/VB.nup Win32.Virus.VBbind.a W32.Besverit Win32/VB.JU TROJ_DLOADR.SMM Win.Trojan.Cosmu-4 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Trojan.Win32.VB.ltch Trojan.Win32.Cosmu.887991 Worm.Win32.VB.kp Win32.Worm.VB.NZQ Win32.Worm.VB.NZQ Win32.HLLW.Autoruner.6014 TROJ_DLOADR.SMM BehavesLike.Win32.Autorun.vh Worm.Win32.VB Trojan/Cosmu.lan Win32.Worm.VB.NZQ Troj.Downloader.W32.VB.l4ji Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Win32/Lamer.D Win32.Worm.VB.NZQ SIM.Trojan.VBO.0859 Win32/VB.NUP W32/AutoRun.RPV!worm W32/OverDoom.A Virus.Win32.Lamer.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.Cosmu.PE": [[26, 44]], "Indicator: Win32.Worm.VB.NZQ": [[45, 62], [252, 269], [334, 351], [352, 369], [472, 489], [539, 556], [571, 588]], "Indicator: Trojan.Win32.Cosmu!O": [[63, 83]], "Indicator: W32.Lamer.EL3": [[84, 97]], "Indicator: Trojan.Downloader": [[98, 115]], "Indicator: Worm.VB.Win32.26804": [[116, 135]], "Indicator: Trojan/VB.nup": [[136, 149]], "Indicator: Win32.Virus.VBbind.a": [[150, 170]], "Indicator: W32.Besverit": [[171, 183]], "Indicator: Win32/VB.JU": [[184, 195]], "Indicator: 
TROJ_DLOADR.SMM": [[196, 211], [396, 411]], "Indicator: Win.Trojan.Cosmu-4": [[212, 230]], "Indicator: Virus.Win32.Lamer.el": [[231, 251], [518, 538]], "Indicator: Trojan.Win32.VB.ltch": [[270, 290]], "Indicator: Trojan.Win32.Cosmu.887991": [[291, 316]], "Indicator: Worm.Win32.VB.kp": [[317, 333]], "Indicator: Win32.HLLW.Autoruner.6014": [[370, 395]], "Indicator: BehavesLike.Win32.Autorun.vh": [[412, 440]], "Indicator: Worm.Win32.VB": [[441, 454]], "Indicator: Trojan/Cosmu.lan": [[455, 471]], "Indicator: Troj.Downloader.W32.VB.l4ji": [[490, 517]], "Indicator: Win32/Lamer.D": [[557, 570]], "Indicator: SIM.Trojan.VBO.0859": [[589, 608]], "Indicator: Win32/VB.NUP": [[609, 621]], "Indicator: W32/AutoRun.RPV!worm": [[622, 642]], "Indicator: W32/OverDoom.A": [[643, 657]], "Indicator: Virus.Win32.Lamer.B": [[658, 677]]}, "info": {"id": "cyner2_5class_train_01340", "source": "cyner2_5class_train"}} +{"text": "In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record VBR and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code.", "spans": {"Vulnerability: modifies": [[68, 76]], "Indicator: the legitimate system Volume Boot Record VBR": [[77, 121]], "Indicator: hijacks": [[126, 133]], "Indicator: the": [[134, 137]], "Indicator: system": [[138, 144]], "Indicator: boot": [[145, 149]], "Indicator: process": [[150, 157]], "Malware: Nemesis components": [[175, 193]], "System: Windows operating system": [[205, 229]], "Indicator: code.": [[230, 235]]}, "info": {"id": "cyner2_5class_train_01341", "source": "cyner2_5class_train"}} +{"text": "The precautions you take online have been covered extensively in almost all of our blogs ; even so , we believe this information bears repeating .", "spans": {}, "info": {"id": "cyner2_5class_train_01342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.Java.CVE20130422.crcqcf 
Exploit:Java/CVE-2013-0422.A heur:Exploit.CVE-2013-0422 Exploit:Java/Obfuscator.AS Trojan.Java.Downloader virus.java.bot.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Java.CVE20130422.crcqcf": [[26, 57]], "Indicator: Exploit:Java/CVE-2013-0422.A": [[58, 86]], "Indicator: heur:Exploit.CVE-2013-0422": [[87, 113]], "Indicator: Exploit:Java/Obfuscator.AS": [[114, 140]], "Indicator: Trojan.Java.Downloader": [[141, 163]], "Indicator: virus.java.bot.a": [[164, 180]]}, "info": {"id": "cyner2_5class_train_01343", "source": "cyner2_5class_train"}} +{"text": "All encrypted archives can be divided into two groups : the first comprises Game321.res , Game322.res , Game323.res and Game642.res – and these are used in the initial phase of infection , while the second group : Game324.res and Game644.res , are used in the main phase .", "spans": {"Indicator: Game321.res": [[76, 87]], "Indicator: Game322.res": [[90, 101]], "Indicator: Game323.res": [[104, 115]], "Indicator: Game642.res": [[120, 131]], "Indicator: Game324.res": [[214, 225]], "Indicator: Game644.res": [[230, 241]]}, "info": {"id": "cyner2_5class_train_01344", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.PasistA.Worm Worm.Sfone.A3 Worm.Sform Worm.Sfone W32/Worm.BLGI W32.SillyWNSE Win32/Sfone.A BehavesLike.Win32.Trojan.ch W32/Worm.KOKR-0749 Worm:Win32/Sfone.A Worm.Sfone.A W32/WinSxsBot.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.PasistA.Worm": [[26, 42]], "Indicator: Worm.Sfone.A3": [[43, 56]], "Indicator: Worm.Sform": [[57, 67]], "Indicator: Worm.Sfone": [[68, 78]], "Indicator: W32/Worm.BLGI": [[79, 92]], "Indicator: W32.SillyWNSE": [[93, 106]], "Indicator: Win32/Sfone.A": [[107, 120]], "Indicator: BehavesLike.Win32.Trojan.ch": [[121, 148]], "Indicator: W32/Worm.KOKR-0749": [[149, 167]], "Indicator: Worm:Win32/Sfone.A": [[168, 186]], "Indicator: Worm.Sfone.A": [[187, 199]], "Indicator: W32/WinSxsBot.A.worm": [[200, 220]]}, "info": {"id": 
"cyner2_5class_train_01345", "source": "cyner2_5class_train"}} +{"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS .", "spans": {"System: iOS": [[10, 13], [78, 81], [351, 354]], "System: Apple": [[37, 42]]}, "info": {"id": "cyner2_5class_train_01346", "source": "cyner2_5class_train"}} +{"text": "] com Counter Measures Use an up to date anti-malware software that is capable of identifying this threat .", "spans": {}, "info": {"id": "cyner2_5class_train_01347", "source": "cyner2_5class_train"}} +{"text": "Communicates via TOR", "spans": {"Indicator: Communicates": [[0, 12]], "System: TOR": [[17, 20]]}, "info": {"id": "cyner2_5class_train_01348", "source": "cyner2_5class_train"}} +{"text": "ONLINE – send information about Trojan ’ s current status to C & C : whether it has device administrator privileges , which HTML page is currently displayed , whether screen is on or off , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_01349", "source": "cyner2_5class_train"}} +{"text": "Without the use of SSL interception traditional IDS/IPS systems could cease to detect compromised systems.", "spans": {"Indicator: SSL interception": [[19, 35]], "System: IDS/IPS systems": [[48, 63]], "System: compromised systems.": [[86, 106]]}, "info": {"id": "cyner2_5class_train_01350", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Theals W32/Theals.dam Worm.Theals.Win32.2 Win32.Trojan.WisdomEyes.16070401.9500.9975 Win32/VB.VOMRAe Win.Exploit.DCOM-5 Net-Worm.Win32.Theals.c Virus.Win32.Theals.vvbf Net.Worm.W32!c Virus.Win32.Theals_re.c Win32.Zombie.4214 BehavesLike.Win32.Virut.ch Worm/Theals.i W32/Theals.D Win32.Theals.bd.8704 
Net-Worm.Win32.Theals.c Worm/Win32.Theals.C1456665 Virus.Win32.Stealth.c W32/Theals.C!worm.im Win32/Trojan.529", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Theals": [[26, 37]], "Indicator: W32/Theals.dam": [[38, 52]], "Indicator: Worm.Theals.Win32.2": [[53, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[73, 115]], "Indicator: Win32/VB.VOMRAe": [[116, 131]], "Indicator: Win.Exploit.DCOM-5": [[132, 150]], "Indicator: Net-Worm.Win32.Theals.c": [[151, 174], [331, 354]], "Indicator: Virus.Win32.Theals.vvbf": [[175, 198]], "Indicator: Net.Worm.W32!c": [[199, 213]], "Indicator: Virus.Win32.Theals_re.c": [[214, 237]], "Indicator: Win32.Zombie.4214": [[238, 255]], "Indicator: BehavesLike.Win32.Virut.ch": [[256, 282]], "Indicator: Worm/Theals.i": [[283, 296]], "Indicator: W32/Theals.D": [[297, 309]], "Indicator: Win32.Theals.bd.8704": [[310, 330]], "Indicator: Worm/Win32.Theals.C1456665": [[355, 381]], "Indicator: Virus.Win32.Stealth.c": [[382, 403]], "Indicator: W32/Theals.C!worm.im": [[404, 424]], "Indicator: Win32/Trojan.529": [[425, 441]]}, "info": {"id": "cyner2_5class_train_01351", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Delf.S10 Trojan.Delf.Win32.63014 Troj.W32.Bcex.tnto Win32.Trojan.Delf.ah Downloader.Ponik Win.Trojan.Delf-33216 Win32.Trojan-Dropper.FakeDoc.B Trojan.Win32.Broskod.rb Trojan.Win32.Delf.cqqvkh TrojWare.Win32.Delf.DHHK BehavesLike.Win32.AdwareDealPly.ch Worm.Win32.Takc Trojan/Win32.Unknown Worm:Win32/Takc.A Trojan.Win32.Broskod.rb Hoax.Blocker Win32.Virus.Delf.Wsjq Trojan.Delf!8gjXiSoqNjg W32/Delf.NBJ!tr Win32/Trojan.Delf.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Delf.S10": [[26, 38]], "Indicator: Trojan.Delf.Win32.63014": [[39, 62]], "Indicator: Troj.W32.Bcex.tnto": [[63, 81]], "Indicator: Win32.Trojan.Delf.ah": [[82, 102]], "Indicator: Downloader.Ponik": [[103, 119]], "Indicator: Win.Trojan.Delf-33216": [[120, 141]], "Indicator: Win32.Trojan-Dropper.FakeDoc.B": 
[[142, 172]], "Indicator: Trojan.Win32.Broskod.rb": [[173, 196], [337, 360]], "Indicator: Trojan.Win32.Delf.cqqvkh": [[197, 221]], "Indicator: TrojWare.Win32.Delf.DHHK": [[222, 246]], "Indicator: BehavesLike.Win32.AdwareDealPly.ch": [[247, 281]], "Indicator: Worm.Win32.Takc": [[282, 297]], "Indicator: Trojan/Win32.Unknown": [[298, 318]], "Indicator: Worm:Win32/Takc.A": [[319, 336]], "Indicator: Hoax.Blocker": [[361, 373]], "Indicator: Win32.Virus.Delf.Wsjq": [[374, 395]], "Indicator: Trojan.Delf!8gjXiSoqNjg": [[396, 419]], "Indicator: W32/Delf.NBJ!tr": [[420, 435]], "Indicator: Win32/Trojan.Delf.I": [[436, 455]]}, "info": {"id": "cyner2_5class_train_01352", "source": "cyner2_5class_train"}} +{"text": "A very unique technique is being used to inject this Trojan into an Android system where an attacker places a component of it into the boot partition of the file system and modify the 'init ' script ( initialize the operating system ) to re-load the malware as you switch on your android .", "spans": {"System: Android": [[68, 75]], "System: android": [[280, 287]]}, "info": {"id": "cyner2_5class_train_01353", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Apollo Ransom.Apollo Ransom_Apollo.R058C0TLR17 Win32.Trojan.WisdomEyes.16070401.9500.9925 W32/Trojan.MNOB-4766 Ransom_Apollo.R058C0TLR17 Win32.Trojan-Ransom.ApolloLocker.A Trojan.Win32.Crypted.ewmuiu W32.Troj.Ransom!c Ransom.Win32.Apollo Ransom:Win32/Apollo.A Trj/CI.A Win32/Trojan.160", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Apollo": [[26, 39], [40, 53]], "Indicator: Ransom_Apollo.R058C0TLR17": [[54, 79], [144, 169]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9925": [[80, 122]], "Indicator: W32/Trojan.MNOB-4766": [[123, 143]], "Indicator: Win32.Trojan-Ransom.ApolloLocker.A": [[170, 204]], "Indicator: Trojan.Win32.Crypted.ewmuiu": [[205, 232]], "Indicator: W32.Troj.Ransom!c": [[233, 250]], "Indicator: Ransom.Win32.Apollo": [[251, 270]], "Indicator: 
Ransom:Win32/Apollo.A": [[271, 292]], "Indicator: Trj/CI.A": [[293, 301]], "Indicator: Win32/Trojan.160": [[302, 318]]}, "info": {"id": "cyner2_5class_train_01354", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.JobLaunch.ODB Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Memsyl TROJ_NECURS.SMJ10 Trojan.Win32.Crypted.dgzzxe Trojan.DownLoader11.38598 TROJ_NECURS.SMJ10 W32/Trojan.TVCC-2701 TrojanDropper.Injector.atzu Trojan.Zusy.D1B5A0 Dropper/Win32.Necurs.R121870 TrojanDropper.Injector Trojan.MSIL.Inject MSIL/Injector.FWI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.JobLaunch.ODB": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[47, 89]], "Indicator: Backdoor.Memsyl": [[90, 105]], "Indicator: TROJ_NECURS.SMJ10": [[106, 123], [178, 195]], "Indicator: Trojan.Win32.Crypted.dgzzxe": [[124, 151]], "Indicator: Trojan.DownLoader11.38598": [[152, 177]], "Indicator: W32/Trojan.TVCC-2701": [[196, 216]], "Indicator: TrojanDropper.Injector.atzu": [[217, 244]], "Indicator: Trojan.Zusy.D1B5A0": [[245, 263]], "Indicator: Dropper/Win32.Necurs.R121870": [[264, 292]], "Indicator: TrojanDropper.Injector": [[293, 315]], "Indicator: Trojan.MSIL.Inject": [[316, 334]], "Indicator: MSIL/Injector.FWI!tr": [[335, 355]]}, "info": {"id": "cyner2_5class_train_01355", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.C675 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.IUJL SecurityRisk.Downldr Trojan.DownLoad.42343 W32.Malware.Downloader Trojan.Kelios.1 TScope.Malware-Cryptor.SB Trojan.Win32.Dogrobot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.C675": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[43, 85]], "Indicator: W32/Trojan2.IUJL": [[86, 102]], "Indicator: SecurityRisk.Downldr": [[103, 123]], "Indicator: Trojan.DownLoad.42343": [[124, 145]], "Indicator: W32.Malware.Downloader": [[146, 168]], "Indicator: Trojan.Kelios.1": 
[[169, 184]], "Indicator: TScope.Malware-Cryptor.SB": [[185, 210]], "Indicator: Trojan.Win32.Dogrobot": [[211, 232]]}, "info": {"id": "cyner2_5class_train_01356", "source": "cyner2_5class_train"}} +{"text": "Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.", "spans": {"Organization: the D-30 122mm towed howitzer,": [[74, 104]], "Organization: artillery weapon": [[108, 124]]}, "info": {"id": "cyner2_5class_train_01357", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9772 Win.Trojan.Adwind-9 W32/Trojan.YEAY-3186 W32.Dropper.Java Trj/CI.A Win32/Application.22f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9772": [[26, 68]], "Indicator: Win.Trojan.Adwind-9": [[69, 88]], "Indicator: W32/Trojan.YEAY-3186": [[89, 109]], "Indicator: W32.Dropper.Java": [[110, 126]], "Indicator: Trj/CI.A": [[127, 135]], "Indicator: Win32/Application.22f": [[136, 157]]}, "info": {"id": "cyner2_5class_train_01358", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.38CB Virus.Win32.Virut", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.38CB": [[26, 42]], "Indicator: Virus.Win32.Virut": [[43, 60]]}, "info": {"id": "cyner2_5class_train_01359", "source": "cyner2_5class_train"}} +{"text": "This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players .", "spans": {}, "info": {"id": "cyner2_5class_train_01360", "source": "cyner2_5class_train"}} +{"text": "Until now, it was widely believed the actor's activities had largely subsided in 2013, following numerous public disclosures and detailed analyses of their backdoors.", "spans": 
{"Malware: backdoors.": [[156, 166]]}, "info": {"id": "cyner2_5class_train_01361", "source": "cyner2_5class_train"}} +{"text": "Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok.", "spans": {"System: macOS": [[76, 81]], "Malware: malware": [[82, 89]], "Malware: OSX/Dok.": [[97, 105]]}, "info": {"id": "cyner2_5class_train_01362", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Symmi.DEFF7 W32.Extrat Win.Trojan.B-471 BackDoor.Cybergate.4022 BehavesLike.Win32.Backdoor.gc Troj.W32.Scar.lByG Trojan.Win32.Xtrat.ldu Backdoor/Win32.Poison.R139029 Trojan.Xtrat Trojan.Win32.Remtasu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.DEFF7": [[26, 44]], "Indicator: W32.Extrat": [[45, 55]], "Indicator: Win.Trojan.B-471": [[56, 72]], "Indicator: BackDoor.Cybergate.4022": [[73, 96]], "Indicator: BehavesLike.Win32.Backdoor.gc": [[97, 126]], "Indicator: Troj.W32.Scar.lByG": [[127, 145]], "Indicator: Trojan.Win32.Xtrat.ldu": [[146, 168]], "Indicator: Backdoor/Win32.Poison.R139029": [[169, 198]], "Indicator: Trojan.Xtrat": [[199, 211]], "Indicator: Trojan.Win32.Remtasu": [[212, 232]]}, "info": {"id": "cyner2_5class_train_01363", "source": "cyner2_5class_train"}} +{"text": "If that doesn ’ t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) .", "spans": {}, "info": {"id": "cyner2_5class_train_01364", "source": "cyner2_5class_train"}} +{"text": "The Trojan may send the following information to one of the remote locations: Computer name", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: remote locations: Computer name": [[60, 91]]}, "info": {"id": "cyner2_5class_train_01365", "source": "cyner2_5class_train"}} +{"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used 
separately as the first step of the infection .", "spans": {}, "info": {"id": "cyner2_5class_train_01366", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.DoS.751104 DoS.Win32.Delf!O Trojan/DOS.Delf.j DoS.Delf!7331ealGHQM W32/Worm.ATZ Hacktool.Flooder TROJ_DELF.FOE DoS.Delf DoS.Win32.Delf.j Trojan.Win32.Delf.hdtu PE:Hack.DDoSer.Win32.Delf.j!1074949418 Tool.Delf.Win32.630 TROJ_DELF.FOE BehavesLike.Win32.Trojan.bh W32/Worm.OXOE-7458 Trojan/DDoS.Delf.f DDOS/Delf.J.4 HackTool[DoS]/Win32.Delf Win32.Hack.Delf.j.kcloud Trojan.Win32.Dos-Delf.626688[h] Win-Trojan/Xema.variant DoS.Delf Trojan.Win32.Delf.j Win32.Trojan.Delf.brp Trojan-Dropper.Delf W32/Delf.A!tr DoS.BRY Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.DoS.751104": [[26, 47]], "Indicator: DoS.Win32.Delf!O": [[48, 64]], "Indicator: Trojan/DOS.Delf.j": [[65, 82]], "Indicator: DoS.Delf!7331ealGHQM": [[83, 103]], "Indicator: W32/Worm.ATZ": [[104, 116]], "Indicator: Hacktool.Flooder": [[117, 133]], "Indicator: TROJ_DELF.FOE": [[134, 147], [256, 269]], "Indicator: DoS.Delf": [[148, 156], [456, 464]], "Indicator: DoS.Win32.Delf.j": [[157, 173]], "Indicator: Trojan.Win32.Delf.hdtu": [[174, 196]], "Indicator: PE:Hack.DDoSer.Win32.Delf.j!1074949418": [[197, 235]], "Indicator: Tool.Delf.Win32.630": [[236, 255]], "Indicator: BehavesLike.Win32.Trojan.bh": [[270, 297]], "Indicator: W32/Worm.OXOE-7458": [[298, 316]], "Indicator: Trojan/DDoS.Delf.f": [[317, 335]], "Indicator: DDOS/Delf.J.4": [[336, 349]], "Indicator: HackTool[DoS]/Win32.Delf": [[350, 374]], "Indicator: Win32.Hack.Delf.j.kcloud": [[375, 399]], "Indicator: Trojan.Win32.Dos-Delf.626688[h]": [[400, 431]], "Indicator: Win-Trojan/Xema.variant": [[432, 455]], "Indicator: Trojan.Win32.Delf.j": [[465, 484]], "Indicator: Win32.Trojan.Delf.brp": [[485, 506]], "Indicator: Trojan-Dropper.Delf": [[507, 526]], "Indicator: W32/Delf.A!tr": [[527, 540]], "Indicator: DoS.BRY": [[541, 548]], "Indicator: 
Win32/Trojan.2ff": [[549, 565]]}, "info": {"id": "cyner2_5class_train_01367", "source": "cyner2_5class_train"}} +{"text": "In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself.", "spans": {"Indicator: attacks": [[79, 86]], "Vulnerability: zero-day exploits": [[98, 115]], "System: Microsoft Office, Oracle Sun Java, Adobe Flash Player": [[119, 172]], "System: Windows": [[177, 184]]}, "info": {"id": "cyner2_5class_train_01368", "source": "cyner2_5class_train"}} +{"text": "A new variant of the notorious ransomware Petya is back - again - and with yet another James Bond reference for a name: Goldeneye.", "spans": {"Malware: new variant": [[2, 13]], "Malware: ransomware Petya": [[31, 47]], "Malware: Goldeneye.": [[120, 130]]}, "info": {"id": "cyner2_5class_train_01369", "source": "cyner2_5class_train"}} +{"text": "This particular HenBox variant , as listed in Table 3 above , harvests data from two popular messaging and social media apps : Voxer Walkie Talkie Messenger ( com.rebelvox.voxer ) and Tencent ’ s WeChat ( com.tencent.mm ) .", "spans": {"Malware: HenBox": [[16, 22]], "System: Voxer": [[127, 132]], "System: Walkie Talkie": [[133, 146]], "System: Messenger": [[147, 156]], "Indicator: com.rebelvox.voxer": [[159, 177]], "Organization: Tencent": [[184, 191]], "System: WeChat": [[196, 202]], "Indicator: com.tencent.mm": [[205, 219]]}, "info": {"id": "cyner2_5class_train_01370", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Cridex Trojan.Win64.Kryptik.exmlew Trojan.Win32.Z.Mikey.577536.K Trojan.Kryptik.Win64.1541 Trojan.Win64.Crypt W64/Trojan.WNTM-1890 TR/Crypt.ZPACK.fzarm Trojan/Win64.Dridex Trojan.Mikey.D123A2 Backdoor.NanoCore Trj/CI.A Win32.Trojan.Mikey.Szbg Win32/Trojan.4d2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9996": [[26, 68]], "Indicator: Trojan.Cridex": [[69, 82]], "Indicator: Trojan.Win64.Kryptik.exmlew": [[83, 110]], "Indicator: Trojan.Win32.Z.Mikey.577536.K": [[111, 140]], "Indicator: Trojan.Kryptik.Win64.1541": [[141, 166]], "Indicator: Trojan.Win64.Crypt": [[167, 185]], "Indicator: W64/Trojan.WNTM-1890": [[186, 206]], "Indicator: TR/Crypt.ZPACK.fzarm": [[207, 227]], "Indicator: Trojan/Win64.Dridex": [[228, 247]], "Indicator: Trojan.Mikey.D123A2": [[248, 267]], "Indicator: Backdoor.NanoCore": [[268, 285]], "Indicator: Trj/CI.A": [[286, 294]], "Indicator: Win32.Trojan.Mikey.Szbg": [[295, 318]], "Indicator: Win32/Trojan.4d2": [[319, 335]]}, "info": {"id": "cyner2_5class_train_01371", "source": "cyner2_5class_train"}} +{"text": "REQUEST_INSTALL_PACKAGES - make a request to install packages .", "spans": {}, "info": {"id": "cyner2_5class_train_01372", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.PePatch.Win32.108052 Trojan.Razy.D2AD35 Win32.Trojan.WisdomEyes.16070401.9500.9515 Trojan.Win32.Wencho.eqsozv Backdoor.Win32.Wencho Backdoor:Win32/Wencho.A Downloader/Win32.Paph.C1961981 TrojanDownloader.Paph Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.PePatch.Win32.108052": [[26, 55]], "Indicator: Trojan.Razy.D2AD35": [[56, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9515": [[75, 117]], "Indicator: Trojan.Win32.Wencho.eqsozv": [[118, 144]], "Indicator: Backdoor.Win32.Wencho": [[145, 166]], "Indicator: Backdoor:Win32/Wencho.A": [[167, 190]], "Indicator: Downloader/Win32.Paph.C1961981": [[191, 221]], "Indicator: TrojanDownloader.Paph": [[222, 243]], "Indicator: Trj/GdSda.A": [[244, 255]]}, "info": {"id": "cyner2_5class_train_01373", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Exploit/W32.IMG-WMF.23552.O Trojan-GameThief.Win32.OnLineGames!O Exploit.IMG.Win32.498 Trojan/Exploit.IMG-WMF.axd TROJ_BEHAV.FL 
Win32.Trojan.WisdomEyes.16070401.9500.9981 TROJ_BEHAV.FL Win.Trojan.Exploit-289 Exploit.Win32.IMGWMF.bekdjb Exploit.W32.IMG-WMF.loBk TrojWare.Win32.GameThief.Magania.~EV Trojan.DownLoad.15186 BehavesLike.Win32.Worm.mc Exploit.IMG-WMF.agp Rootkit.Small Trojan.Win32.KillAv.hd Exploit.Win32.IMG-WMF Win32/Trojan.Exploit.a54", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Exploit/W32.IMG-WMF.23552.O": [[26, 60]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[61, 97]], "Indicator: Exploit.IMG.Win32.498": [[98, 119]], "Indicator: Trojan/Exploit.IMG-WMF.axd": [[120, 146]], "Indicator: TROJ_BEHAV.FL": [[147, 160], [204, 217]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9981": [[161, 203]], "Indicator: Win.Trojan.Exploit-289": [[218, 240]], "Indicator: Exploit.Win32.IMGWMF.bekdjb": [[241, 268]], "Indicator: Exploit.W32.IMG-WMF.loBk": [[269, 293]], "Indicator: TrojWare.Win32.GameThief.Magania.~EV": [[294, 330]], "Indicator: Trojan.DownLoad.15186": [[331, 352]], "Indicator: BehavesLike.Win32.Worm.mc": [[353, 378]], "Indicator: Exploit.IMG-WMF.agp": [[379, 398]], "Indicator: Rootkit.Small": [[399, 412]], "Indicator: Trojan.Win32.KillAv.hd": [[413, 435]], "Indicator: Exploit.Win32.IMG-WMF": [[436, 457]], "Indicator: Win32/Trojan.Exploit.a54": [[458, 482]]}, "info": {"id": "cyner2_5class_train_01374", "source": "cyner2_5class_train"}} +{"text": "While Google did not share with us the total number of infected devices , they confirmed that one of these malicious apps collected over 350 installations through the Play Store , while other variants collected few dozens each , and that all infections were located in Italy .", "spans": {"System: Play Store": [[167, 177]]}, "info": {"id": "cyner2_5class_train_01375", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Delf Trojan.Heur.iO0au4aNrMf Win32.Trojan.WisdomEyes.16070401.9500.9705 W32/Trojan.UNZI-1320 W32.Datom.Worm Trojan.Win32.Delf.enaz Trojan.Win32.Datom.euwmlv 
Worm.Win32.Datom.A~1 Win32.HLLW.Datom BehavesLike.Win32.Sality.cc Virus.Worm.Datom Trojan.Win32.Delf.enaz Trojan/Win32.Buzus.C104859 Trojan.Delf Win32.Trojan.Delf.Swlf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delf": [[26, 37], [323, 334]], "Indicator: Trojan.Heur.iO0au4aNrMf": [[38, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9705": [[62, 104]], "Indicator: W32/Trojan.UNZI-1320": [[105, 125]], "Indicator: W32.Datom.Worm": [[126, 140]], "Indicator: Trojan.Win32.Delf.enaz": [[141, 163], [273, 295]], "Indicator: Trojan.Win32.Datom.euwmlv": [[164, 189]], "Indicator: Worm.Win32.Datom.A~1": [[190, 210]], "Indicator: Win32.HLLW.Datom": [[211, 227]], "Indicator: BehavesLike.Win32.Sality.cc": [[228, 255]], "Indicator: Virus.Worm.Datom": [[256, 272]], "Indicator: Trojan/Win32.Buzus.C104859": [[296, 322]], "Indicator: Win32.Trojan.Delf.Swlf": [[335, 357]]}, "info": {"id": "cyner2_5class_train_01376", "source": "cyner2_5class_train"}} +{"text": "The keylogger can track three different events ( Figure 5 ) : TYPE_VIEW_CLICKED Represents the event of clicking on a View-like Button , CompoundButton , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_01377", "source": "cyner2_5class_train"}} +{"text": "This allows the source process to trace the target .", "spans": {}, "info": {"id": "cyner2_5class_train_01378", "source": "cyner2_5class_train"}} +{"text": "SANS has published a new blog regarding a tax filing service that has been compromised.", "spans": {"Organization: SANS": [[0, 4]], "System: a tax filing service": [[40, 60]], "Vulnerability: compromised.": [[75, 87]]}, "info": {"id": "cyner2_5class_train_01379", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.NirSoft.PSPassView.C PSWTool.Win32.PassView!O HackTool.Pspv.SD4 W32/PWS.IMQI-4038 Hacktool.PStorRevealer Application.NirSoft.PSPassView.C not-a-virus:PSWTool.Win32.PassView.iv Application.NirSoft.PSPassView.C Riskware.Win32.PassView.exmcew 
Application.NirSoft.PSPassView.C ApplicUnsaf.Win32.PSWTool.PassView.A Tool.PassView Tool.PassView.Win32.6 W32/PWStealer.CAT PSWTool.PassView.k Trojan[PSWTool]/Win32.PassView Application.NirSoft.PSPassView.C not-a-virus:PSWTool.Win32.PassView.iv TScope.Malware-Cryptor.SB PUP.Optional.PassView Trj/CI.A HackTool.IcqSmiley.A not-a-virus:PSWTool.Win32.PassView Win32/Application.40e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.NirSoft.PSPassView.C": [[26, 58], [143, 175], [214, 246], [278, 310], [452, 484]], "Indicator: PSWTool.Win32.PassView!O": [[59, 83]], "Indicator: HackTool.Pspv.SD4": [[84, 101]], "Indicator: W32/PWS.IMQI-4038": [[102, 119]], "Indicator: Hacktool.PStorRevealer": [[120, 142]], "Indicator: not-a-virus:PSWTool.Win32.PassView.iv": [[176, 213], [485, 522]], "Indicator: Riskware.Win32.PassView.exmcew": [[247, 277]], "Indicator: ApplicUnsaf.Win32.PSWTool.PassView.A": [[311, 347]], "Indicator: Tool.PassView": [[348, 361]], "Indicator: Tool.PassView.Win32.6": [[362, 383]], "Indicator: W32/PWStealer.CAT": [[384, 401]], "Indicator: PSWTool.PassView.k": [[402, 420]], "Indicator: Trojan[PSWTool]/Win32.PassView": [[421, 451]], "Indicator: TScope.Malware-Cryptor.SB": [[523, 548]], "Indicator: PUP.Optional.PassView": [[549, 570]], "Indicator: Trj/CI.A": [[571, 579]], "Indicator: HackTool.IcqSmiley.A": [[580, 600]], "Indicator: not-a-virus:PSWTool.Win32.PassView": [[601, 635]], "Indicator: Win32/Application.40e": [[636, 657]]}, "info": {"id": "cyner2_5class_train_01380", "source": "cyner2_5class_train"}} +{"text": "Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Afghanistan in China.", "spans": {"Organization: Unit 42": [[0, 7]], "Indicator: targeted attack": [[30, 45]], "Organization: individual working": [[57, 75]], "Organization: the Foreign Ministry of Afghanistan": [[80, 115]]}, "info": {"id": "cyner2_5class_train_01381", "source": "cyner2_5class_train"}} +{"text": "What we found 
were several other fake apps developed using the SpyNote builder , which should come as a warning to Android users .", "spans": {"Malware: SpyNote": [[63, 70]], "System: Android": [[115, 122]]}, "info": {"id": "cyner2_5class_train_01382", "source": "cyner2_5class_train"}} +{"text": "This threat targets Russians but the apps are accessible worldwide.", "spans": {"Malware: threat": [[5, 11]], "System: apps": [[37, 41]], "Indicator: accessible worldwide.": [[46, 67]]}, "info": {"id": "cyner2_5class_train_01383", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Qhost.Win32.10597 Trojan/Qhost.pdq Trojan.Zusy.D5AFC Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Hosts.bgaqwt Troj.Banker.W32.Qhost.lE9S Trojan.Hosts.5268 Trojan.Win32.Hider Trojan/Win32.Unknown Trojan:WinNT/QHosts.B Win32/Qhost.PDQ Trojan.Qhost!QXppfUGnhzI W32/Kryptic.QHS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Qhost.Win32.10597": [[26, 50]], "Indicator: Trojan/Qhost.pdq": [[51, 67]], "Indicator: Trojan.Zusy.D5AFC": [[68, 85]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[86, 128]], "Indicator: Trojan.Win32.Hosts.bgaqwt": [[129, 154]], "Indicator: Troj.Banker.W32.Qhost.lE9S": [[155, 181]], "Indicator: Trojan.Hosts.5268": [[182, 199]], "Indicator: Trojan.Win32.Hider": [[200, 218]], "Indicator: Trojan/Win32.Unknown": [[219, 239]], "Indicator: Trojan:WinNT/QHosts.B": [[240, 261]], "Indicator: Win32/Qhost.PDQ": [[262, 277]], "Indicator: Trojan.Qhost!QXppfUGnhzI": [[278, 302]], "Indicator: W32/Kryptic.QHS!tr": [[303, 321]]}, "info": {"id": "cyner2_5class_train_01384", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Spymel.A4 Trojan.ReconycCRTD.Win32.8402 Trojan.Zusy.D1E1BE Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Reconyc.inec Trojan.DownLoader13.49710 Trojan/Win32.Reconyc Backdoor:MSIL/Moidirat.A Trojan.Win32.Reconyc.inec Trojan.MSIL.Spy Win32/Backdoor.a11", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: Trojan.Spymel.A4": [[26, 42]], "Indicator: Trojan.ReconycCRTD.Win32.8402": [[43, 72]], "Indicator: Trojan.Zusy.D1E1BE": [[73, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[92, 134]], "Indicator: Trojan.Win32.Reconyc.inec": [[135, 160], [233, 258]], "Indicator: Trojan.DownLoader13.49710": [[161, 186]], "Indicator: Trojan/Win32.Reconyc": [[187, 207]], "Indicator: Backdoor:MSIL/Moidirat.A": [[208, 232]], "Indicator: Trojan.MSIL.Spy": [[259, 274]], "Indicator: Win32/Backdoor.a11": [[275, 293]]}, "info": {"id": "cyner2_5class_train_01385", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Nymaim.561152 Trojan.NymaimCS.S1199370 TROJ_NYMAIM.SMR2 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_NYMAIM.SMR2 Trojan.Win32.Nymaim.eqlfnf TrojWare.Win32.Nymaim.CH Trojan.Nymaim.143 BehavesLike.Win32.MultiPlug.hh Trojan-Downloader.Nymaim Trojan.Nymaim.czv TR/Crypt.Xpack.owrka Trojan/Win32.Nymaim Win32.Trojan.Nymaim.M Trojan/Win32.Nymaim.C2027429 Trojan.Nymaim Trojan.Nymaim Win32/TrojanDownloader.Nymaim.BA Trojan.Nymaim!ovdfLq+hmM4 W32/Nymaim.BA!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Nymaim.561152": [[26, 50]], "Indicator: Trojan.NymaimCS.S1199370": [[51, 75]], "Indicator: TROJ_NYMAIM.SMR2": [[76, 92], [136, 152]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[93, 135]], "Indicator: Trojan.Win32.Nymaim.eqlfnf": [[153, 179]], "Indicator: TrojWare.Win32.Nymaim.CH": [[180, 204]], "Indicator: Trojan.Nymaim.143": [[205, 222]], "Indicator: BehavesLike.Win32.MultiPlug.hh": [[223, 253]], "Indicator: Trojan-Downloader.Nymaim": [[254, 278]], "Indicator: Trojan.Nymaim.czv": [[279, 296]], "Indicator: TR/Crypt.Xpack.owrka": [[297, 317]], "Indicator: Trojan/Win32.Nymaim": [[318, 337]], "Indicator: Win32.Trojan.Nymaim.M": [[338, 359]], "Indicator: Trojan/Win32.Nymaim.C2027429": [[360, 388]], "Indicator: Trojan.Nymaim": [[389, 402], [403, 416]], "Indicator: 
Win32/TrojanDownloader.Nymaim.BA": [[417, 449]], "Indicator: Trojan.Nymaim!ovdfLq+hmM4": [[450, 475]], "Indicator: W32/Nymaim.BA!tr": [[476, 492]], "Indicator: Trj/GdSda.A": [[493, 504]]}, "info": {"id": "cyner2_5class_train_01386", "source": "cyner2_5class_train"}} +{"text": "In this case we found traces of dx/dexmerge compilers , which means that , this time , the attackers just imported the original source code into an Android IDE ( such as Android Studio , for instance ) and compiled it with their own modifications .", "spans": {"System: Android": [[148, 155]], "System: Android Studio": [[170, 184]]}, "info": {"id": "cyner2_5class_train_01387", "source": "cyner2_5class_train"}} +{"text": "On installation , the app requests the user to provide SMS storage access and high Android privileges such as Device Admin .", "spans": {"System: Android": [[83, 90]]}, "info": {"id": "cyner2_5class_train_01388", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Java.Downloader.1096 BehavesLike.Win32.Trojan.vc Java.Obfus", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Java.Downloader.1096": [[69, 89]], "Indicator: BehavesLike.Win32.Trojan.vc": [[90, 117]], "Indicator: Java.Obfus": [[118, 128]]}, "info": {"id": "cyner2_5class_train_01389", "source": "cyner2_5class_train"}} +{"text": "By comparison , the DataLust ransomware demanded merely $ 15 .", "spans": {"Malware: DataLust": [[20, 28]]}, "info": {"id": "cyner2_5class_train_01390", "source": "cyner2_5class_train"}} +{"text": "Microsoft Publisher is included and installed by default in Office 365.", "spans": {"Organization: Microsoft Publisher": [[0, 19]], "System: Office 365.": [[60, 71]]}, "info": {"id": "cyner2_5class_train_01391", "source": "cyner2_5class_train"}} +{"text": "Kaspersky Lab began this ongoing research in the autumn of 2011.", "spans": {"Organization: Kaspersky Lab": 
[[0, 13]], "Organization: research": [[33, 41]]}, "info": {"id": "cyner2_5class_train_01392", "source": "cyner2_5class_train"}} +{"text": "In this post we will review the research results of Votiro Labs and ClearSky, the weaponized documents and campaign infrastructure.", "spans": {"Organization: Votiro Labs": [[52, 63]], "Organization: ClearSky,": [[68, 77]], "Indicator: the weaponized documents": [[78, 102]], "System: campaign infrastructure.": [[107, 131]]}, "info": {"id": "cyner2_5class_train_01393", "source": "cyner2_5class_train"}} +{"text": "At the same time , it hides an icon and starts background services to hide further actions from the user .", "spans": {}, "info": {"id": "cyner2_5class_train_01394", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.TP.ED1233C Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Z.Starter.204271 Trojan.Win32.Starter Exploit.ShellCode Trojan:Win32/Starter.P Trojan.Win32.Starter Trj/CI.A Win32.Trojan.Crypt.Dzkb Win32/Trojan.6f7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.TP.ED1233C": [[26, 48]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[49, 91]], "Indicator: Trojan.Win32.Z.Starter.204271": [[92, 121]], "Indicator: Trojan.Win32.Starter": [[122, 142], [184, 204]], "Indicator: Exploit.ShellCode": [[143, 160]], "Indicator: Trojan:Win32/Starter.P": [[161, 183]], "Indicator: Trj/CI.A": [[205, 213]], "Indicator: Win32.Trojan.Crypt.Dzkb": [[214, 237]], "Indicator: Win32/Trojan.6f7": [[238, 254]]}, "info": {"id": "cyner2_5class_train_01395", "source": "cyner2_5class_train"}} +{"text": "DustySky called NeD Worm by its developer is a multi-stage malware in use since May 2015.", "spans": {"Malware: DustySky": [[0, 8]], "Malware: NeD Worm": [[16, 24]], "Malware: multi-stage malware": [[47, 66]]}, "info": {"id": "cyner2_5class_train_01396", "source": "cyner2_5class_train"}} +{"text": "When a user opens the .zip file and double clicks the JavaScript, the default 
browser Internet Explorer, Mozilla, etc. opens and executes JavaScript.", "spans": {"Organization: user": [[7, 11]], "Indicator: .zip file": [[22, 31]], "Indicator: double clicks the JavaScript,": [[36, 65]], "System: Internet Explorer, Mozilla,": [[86, 113]], "Indicator: executes JavaScript.": [[129, 149]]}, "info": {"id": "cyner2_5class_train_01397", "source": "cyner2_5class_train"}}
+{"text": "We have identified a new distribution campaign which took place on 4th July.", "spans": {}, "info": {"id": "cyner2_5class_train_01398", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Minxer Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.CFWS-6788 Win32.Application.Bitcoinminer.W Riskware.Win64.BtcMine.eiegeg Trojan.BtcMine.604 Worm.WBNA.Win32.419008 W32.Trojan.Minxer Trojan.Razy.D197C7 Trojan.BitCoinMiner Trj/CI.A Riskware.BitCoinMiner! Win32/Trojan.582", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Minxer": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[40, 82]], "Indicator: W32/Trojan.CFWS-6788": [[83, 103]], "Indicator: Win32.Application.Bitcoinminer.W": [[104, 136]], "Indicator: Riskware.Win64.BtcMine.eiegeg": [[137, 166]], "Indicator: Trojan.BtcMine.604": [[167, 185]], "Indicator: Worm.WBNA.Win32.419008": [[186, 208]], "Indicator: W32.Trojan.Minxer": [[209, 226]], "Indicator: Trojan.Razy.D197C7": [[227, 245]], "Indicator: Trojan.BitCoinMiner": [[246, 265]], "Indicator: Trj/CI.A": [[266, 274]], "Indicator: Riskware.BitCoinMiner!": [[275, 297]], "Indicator: Win32/Trojan.582": [[298, 314]]}, "info": {"id": "cyner2_5class_train_01399", "source": "cyner2_5class_train"}}
+{"text": "Linux.Rekoobe variant", "spans": {"Indicator: Linux.Rekoobe": [[0, 13]], "Malware: variant": [[14, 21]]}, "info": {"id": "cyner2_5class_train_01400", "source": "cyner2_5class_train"}}
+{"text": "Sex sells, and nowhere is that more true than the Chinese mobile landscape.", "spans": {}, "info": {"id": 
"cyner2_5class_train_01401", "source": "cyner2_5class_train"}}
+{"text": "BAIJIU's goal in this attack was to deploy a set of espionage tools through a downloader we call TYPHOON and a set of backdoors we call LIONROCK.", "spans": {"Indicator: attack": [[22, 28]], "Malware: espionage tools": [[52, 67]], "Malware: downloader": [[78, 88]], "Malware: TYPHOON": [[97, 104]], "Malware: backdoors": [[118, 127]], "Malware: LIONROCK.": [[136, 145]]}, "info": {"id": "cyner2_5class_train_01402", "source": "cyner2_5class_train"}}
+{"text": "Adding AV exceptions", "spans": {"System: AV": [[7, 9]], "Indicator: exceptions": [[10, 20]]}, "info": {"id": "cyner2_5class_train_01403", "source": "cyner2_5class_train"}}
+{"text": "The first one is used to receive a list of logins and passwords, the second one—for operation of the SOCKS proxy server.", "spans": {"Indicator: logins": [[43, 49]], "Indicator: passwords,": [[54, 64]], "System: the SOCKS proxy server.": [[97, 120]]}, "info": {"id": "cyner2_5class_train_01404", "source": "cyner2_5class_train"}}
+{"text": "Variants of H-Worm, primarily connecting to command and control servers located in Algeria.", "spans": {"Malware: Variants": [[0, 8]], "Malware: H-Worm,": [[12, 19]], "Indicator: command and control servers": [[44, 71]]}, "info": {"id": "cyner2_5class_train_01405", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/W32.ShipUp.90112 W32.VisuDir.A3 Trojan.Zusy.D2CF33 PE_SHIPUP.A Win32.Worm.ShipUp.h Win32/Gamarue.ISACBfC PE_SHIPUP.A Trojan.Win32.ShipUp.futk TrojWare.Win32.ShipUp.AR Trojan.KillFiles.28137 Worm.Win32.ShipUp Worm:Win32/Lecna.A!dha Trojan.Win32.ShipUp.futk Trojan/Win32.Cossta.R120893 Trojan.FakeDoc Trojan.Win32.Csyr.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.ShipUp.90112": [[26, 49]], "Indicator: W32.VisuDir.A3": [[50, 64]], "Indicator: Trojan.Zusy.D2CF33": [[65, 83]], "Indicator: PE_SHIPUP.A": [[84, 95], [138, 149]], "Indicator: Win32.Worm.ShipUp.h": [[96, 115]], 
"Indicator: Win32/Gamarue.ISACBfC": [[116, 137]], "Indicator: Trojan.Win32.ShipUp.futk": [[150, 174], [264, 288]], "Indicator: TrojWare.Win32.ShipUp.AR": [[175, 199]], "Indicator: Trojan.KillFiles.28137": [[200, 222]], "Indicator: Worm.Win32.ShipUp": [[223, 240]], "Indicator: Worm:Win32/Lecna.A!dha": [[241, 263]], "Indicator: Trojan/Win32.Cossta.R120893": [[289, 316]], "Indicator: Trojan.FakeDoc": [[317, 331]], "Indicator: Trojan.Win32.Csyr.A": [[332, 351]]}, "info": {"id": "cyner2_5class_train_01406", "source": "cyner2_5class_train"}}
+{"text": "Some recent campaigns against other bank customers also used “ .gdn ” TLDs .", "spans": {}, "info": {"id": "cyner2_5class_train_01407", "source": "cyner2_5class_train"}}
+{"text": "The malicious macro inside the Office document is obfuscated as shown in the code snapshot below -Recently [Kaspersky] came across a new family of cross-platform backdoors for desktop environments.", "spans": {"Vulnerability: malicious macro": [[4, 19]], "Indicator: the Office document": [[27, 46]], "Malware: code snapshot": [[77, 90]], "Organization: [Kaspersky]": [[107, 118]], "Malware: family of cross-platform backdoors": [[137, 171]], "System: desktop": [[176, 183]], "System: environments.": [[184, 197]]}, "info": {"id": "cyner2_5class_train_01408", "source": "cyner2_5class_train"}}
+{"text": "The user needs to press the \" close '' button to finish the installation .", "spans": {}, "info": {"id": "cyner2_5class_train_01409", "source": "cyner2_5class_train"}}
+{"text": "Typhon is an info stealer first that was reported in mid-2022 for the first time.", "spans": {"Malware: Typhon": [[0, 6]], "Malware: stealer": [[18, 25]]}, "info": {"id": "cyner2_5class_train_01410", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.Win32.Pigeon.cxszod Uds.Dangerousobject.Multi!c Win32.Trojan.Mikey.Swlc BackDoor.Pigeon.8805 Backdoor.Hupigon.Win32.185096 Trojan.Mikey.D9181 HackTool:Win32/Goldoseri.A 
Win32/HackTool.DoSer.AE BackDoor.Pigeon! Win32/Trojan.6bf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Trojan.Win32.Pigeon.cxszod": [[47, 73]], "Indicator: Uds.Dangerousobject.Multi!c": [[74, 101]], "Indicator: Win32.Trojan.Mikey.Swlc": [[102, 125]], "Indicator: BackDoor.Pigeon.8805": [[126, 146]], "Indicator: Backdoor.Hupigon.Win32.185096": [[147, 176]], "Indicator: Trojan.Mikey.D9181": [[177, 195]], "Indicator: HackTool:Win32/Goldoseri.A": [[196, 222]], "Indicator: Win32/HackTool.DoSer.AE": [[223, 246]], "Indicator: BackDoor.Pigeon!": [[247, 263]], "Indicator: Win32/Trojan.6bf": [[264, 280]]}, "info": {"id": "cyner2_5class_train_01411", "source": "cyner2_5class_train"}}
+{"text": "On July 6, 2017, RSA FirstWatch noted renewed MONSOON APT campaign activity submitted from a community user in India to Virus Total.", "spans": {"Organization: RSA FirstWatch": [[17, 31]], "Organization: community user": [[93, 107]], "Organization: Virus Total.": [[120, 132]]}, "info": {"id": "cyner2_5class_train_01412", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: RDN/BackDoor-AWQ.b Heur.Corrupt.PE Backdoor.Win32.Hupigon TrojanDropper:Win32/Arbinder.B.dam#2 Backdoor/Win32.Graybird.C194482", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RDN/BackDoor-AWQ.b": [[26, 44]], "Indicator: Heur.Corrupt.PE": [[45, 60]], "Indicator: Backdoor.Win32.Hupigon": [[61, 83]], "Indicator: TrojanDropper:Win32/Arbinder.B.dam#2": [[84, 120]], "Indicator: Backdoor/Win32.Graybird.C194482": [[121, 152]]}, "info": {"id": "cyner2_5class_train_01413", "source": "cyner2_5class_train"}}
+{"text": "Overlay attack Ginp uses the Accessibility Service to check which application runs is the foreground .", "spans": {}, "info": {"id": "cyner2_5class_train_01414", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Hacktool.Flooder BehavesLike.Win32.RAHack.xc Trojan-DDoS.Win32.Resod 
TrojanDDoS.Resod.g TR/DDoS.Maker.11.B Trojan[DDoS]/Win32.Resod DDoS:Win32/Resod.dam#2 Win32/Trojan.DDoS.835", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Hacktool.Flooder": [[47, 63]], "Indicator: BehavesLike.Win32.RAHack.xc": [[64, 91]], "Indicator: Trojan-DDoS.Win32.Resod": [[92, 115]], "Indicator: TrojanDDoS.Resod.g": [[116, 134]], "Indicator: TR/DDoS.Maker.11.B": [[135, 153]], "Indicator: Trojan[DDoS]/Win32.Resod": [[154, 178]], "Indicator: DDoS:Win32/Resod.dam#2": [[179, 201]], "Indicator: Win32/Trojan.DDoS.835": [[202, 223]]}, "info": {"id": "cyner2_5class_train_01415", "source": "cyner2_5class_train"}}
+{"text": "FakeSpy Masquerades as Postal Service Apps Around the World July 1 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy , an Android mobile malware that emerged around October 2017 .", "spans": {"Malware: FakeSpy": [[0, 7], [159, 166]], "Organization: Cybereason Nocturnus": [[91, 111]], "System: Android": [[172, 179]]}, "info": {"id": "cyner2_5class_train_01416", "source": "cyner2_5class_train"}}
+{"text": "60 % of devices containing or accessing enterprise data are mobile , and mobile devices tend to include a significant amount of personal and business data , assuming the organization has a bring-your-own-device policy in place .", "spans": {}, "info": {"id": "cyner2_5class_train_01417", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Wurmark.A@mm Win32.Wurmark.A@mm W32/Mugly.h@MM W32.W.Wurmark.g!c W32/Wurmark.g Win32.Wurmark.A@mm Win32.Wurmark.E90817 I-Worm.Wurmark!utsCc3R91ZU W32/Wurmark.F W32.Mugly.G@mm Win32/Wurmark.G WORM_MUGLY.H Worm.Wurmark.G Email-Worm.Win32.Wurmark.g Trojan.Win32.Wurmark.fsml Virus.Win32.Heur.c Win32.Wurmark.A@mm Worm.Win32.Wurmark.G Win32.Wurmark.A@mm Worm.Wurmark.Win32.11 WORM_MUGLY.H BehavesLike.Win32.VBObfus.fc W32/Wurmark.JPAN-1543 I-Worm.Wurmark.a WORM/Uglatad.2 
Worm[Email]/Win32.Wurmark Worm:Win32/Mugly.H@mm Win32/Mugly.worm.351744 Win32.Wurmark.A@mm Win32/Mugly.G Worm.Wurmark Win32.Wurmark.A@mm Virus.Win32.QQRob.AS W32/Mugly.H@mm I-Worm/Wurmark.E Worm.Win32.Wurmark.AGmW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Wurmark.A@mm": [[26, 44], [45, 63], [111, 129], [323, 341], [363, 381], [572, 590], [618, 636]], "Indicator: W32/Mugly.h@MM": [[64, 78]], "Indicator: W32.W.Wurmark.g!c": [[79, 96]], "Indicator: W32/Wurmark.g": [[97, 110]], "Indicator: Win32.Wurmark.E90817": [[130, 150]], "Indicator: I-Worm.Wurmark!utsCc3R91ZU": [[151, 177]], "Indicator: W32/Wurmark.F": [[178, 191]], "Indicator: W32.Mugly.G@mm": [[192, 206]], "Indicator: Win32/Wurmark.G": [[207, 222]], "Indicator: WORM_MUGLY.H": [[223, 235], [404, 416]], "Indicator: Worm.Wurmark.G": [[236, 250]], "Indicator: Email-Worm.Win32.Wurmark.g": [[251, 277]], "Indicator: Trojan.Win32.Wurmark.fsml": [[278, 303]], "Indicator: Virus.Win32.Heur.c": [[304, 322]], "Indicator: Worm.Win32.Wurmark.G": [[342, 362]], "Indicator: Worm.Wurmark.Win32.11": [[382, 403]], "Indicator: BehavesLike.Win32.VBObfus.fc": [[417, 445]], "Indicator: W32/Wurmark.JPAN-1543": [[446, 467]], "Indicator: I-Worm.Wurmark.a": [[468, 484]], "Indicator: WORM/Uglatad.2": [[485, 499]], "Indicator: Worm[Email]/Win32.Wurmark": [[500, 525]], "Indicator: Worm:Win32/Mugly.H@mm": [[526, 547]], "Indicator: Win32/Mugly.worm.351744": [[548, 571]], "Indicator: Win32/Mugly.G": [[591, 604]], "Indicator: Worm.Wurmark": [[605, 617]], "Indicator: Virus.Win32.QQRob.AS": [[637, 657]], "Indicator: W32/Mugly.H@mm": [[658, 672]], "Indicator: I-Worm/Wurmark.E": [[673, 689]], "Indicator: Worm.Win32.Wurmark.AGmW": [[690, 713]]}, "info": {"id": "cyner2_5class_train_01418", "source": "cyner2_5class_train"}}
+{"text": "Device admin policies Looking at the policy 's definition , we can see that it lists all the available policies even if most of them are deprecated on Android 10.0 and their usage results in a security 
exception .", "spans": {"System: Android 10.0": [[151, 163]]}, "info": {"id": "cyner2_5class_train_01419", "source": "cyner2_5class_train"}}
+{"text": "Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets' systems.", "spans": {"Indicator: misuse of stolen certificates,": [[70, 100]], "Indicator: .hta files": [[119, 129]], "Indicator: infiltration of hotel Wi-Fi": [[196, 223]], "Malware: backdoors": [[233, 242]], "System: targets' systems.": [[246, 263]]}, "info": {"id": "cyner2_5class_train_01420", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Symmi.D11236 Win32.Trojan.WisdomEyes.16070401.9500.9993 DLOADER.Trojan Trojan-Downloader.Win32.Small Trojan/Win32.Rozepads.R172444 BScope.Trojan.Win32.Inject.2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.D11236": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[46, 88]], "Indicator: DLOADER.Trojan": [[89, 103]], "Indicator: Trojan-Downloader.Win32.Small": [[104, 133]], "Indicator: Trojan/Win32.Rozepads.R172444": [[134, 163]], "Indicator: BScope.Trojan.Win32.Inject.2": [[164, 192]]}, "info": {"id": "cyner2_5class_train_01421", "source": "cyner2_5class_train"}}
+{"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China .", "spans": {}, "info": {"id": "cyner2_5class_train_01422", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor/W32.Androm.1289728 Trojan.Skeeyah Backdoor.Bot Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.UWVT-1669 W32.Golroted TROJ_INJECTOR_FE31022B.UVPM Backdoor.Win32.Androm.hjzg Trojan.PWS.Stealer.13025 TROJ_INJECTOR_FE31022B.UVPM BehavesLike.Win32.Trojan.tc W32/Trojan2.PTAY Backdoor/Androm.gyi 
Trojan[Backdoor]/Win32.Androm Trojan.MSIL.Androm.9 Backdoor.Win32.Androm.hjzg Trojan:MSIL/Loksec.A Trojan/Win32.Inject.R140951 Backdoor.Androm Trojan.Injector Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Androm.1289728": [[26, 53]], "Indicator: Trojan.Skeeyah": [[54, 68]], "Indicator: Backdoor.Bot": [[69, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[82, 124]], "Indicator: W32/Trojan.UWVT-1669": [[125, 145]], "Indicator: W32.Golroted": [[146, 158]], "Indicator: TROJ_INJECTOR_FE31022B.UVPM": [[159, 186], [239, 266]], "Indicator: Backdoor.Win32.Androm.hjzg": [[187, 213], [383, 409]], "Indicator: Trojan.PWS.Stealer.13025": [[214, 238]], "Indicator: BehavesLike.Win32.Trojan.tc": [[267, 294]], "Indicator: W32/Trojan2.PTAY": [[295, 311]], "Indicator: Backdoor/Androm.gyi": [[312, 331]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[332, 361]], "Indicator: Trojan.MSIL.Androm.9": [[362, 382]], "Indicator: Trojan:MSIL/Loksec.A": [[410, 430]], "Indicator: Trojan/Win32.Inject.R140951": [[431, 458]], "Indicator: Backdoor.Androm": [[459, 474]], "Indicator: Trojan.Injector": [[475, 490]], "Indicator: Trj/CI.A": [[491, 499]]}, "info": {"id": "cyner2_5class_train_01423", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/Dropper.Delf.bl TROJ_DROPPER.IPJ W32/Risk.CLFC-1497 Backdoor.Acropolis TrojanDropper.Delf TROJ_DROPPER.IPJ Win.Trojan.Acropolis-1 Trojan-Dropper.Win32.Delf.bl Trojan.Win32.Delf.ffej Dropper.Delf.972288 Troj.Dropper.W32.Delf.bl!c TrojWare.Win32.TrojanDropper.Delf.BL BackDoor.Acropolis.10 Dropper.Delf.Win32.1638 Trojan-Dropper.Win32.Delf W32/Dropper.HL TrojanDropper.Delf.cj W32.Trojan.Dropper-Tetris BDS/Acropolis.3 Trojan[Dropper]/Win32.Delf Win32.Troj.Delf.bl.kcloud Backdoor:Win32/Tetris.A Trojan.Graftor.D2B929 Trojan-Dropper.Win32.Delf.bl Win32/TrojanDropper.Delf.BL Win32.Trojan-dropper.Delf.Efao TrojanDropper.Delf!n6JtRIRZLjo W32/Acrop.A!tr.bdr Win32/Trojan.Dropper.605", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Dropper.Delf.bl": [[26, 48]], "Indicator: TROJ_DROPPER.IPJ": [[49, 65], [123, 139]], "Indicator: W32/Risk.CLFC-1497": [[66, 84]], "Indicator: Backdoor.Acropolis": [[85, 103]], "Indicator: TrojanDropper.Delf": [[104, 122]], "Indicator: Win.Trojan.Acropolis-1": [[140, 162]], "Indicator: Trojan-Dropper.Win32.Delf.bl": [[163, 191], [549, 577]], "Indicator: Trojan.Win32.Delf.ffej": [[192, 214]], "Indicator: Dropper.Delf.972288": [[215, 234]], "Indicator: Troj.Dropper.W32.Delf.bl!c": [[235, 261]], "Indicator: TrojWare.Win32.TrojanDropper.Delf.BL": [[262, 298]], "Indicator: BackDoor.Acropolis.10": [[299, 320]], "Indicator: Dropper.Delf.Win32.1638": [[321, 344]], "Indicator: Trojan-Dropper.Win32.Delf": [[345, 370]], "Indicator: W32/Dropper.HL": [[371, 385]], "Indicator: TrojanDropper.Delf.cj": [[386, 407]], "Indicator: W32.Trojan.Dropper-Tetris": [[408, 433]], "Indicator: BDS/Acropolis.3": [[434, 449]], "Indicator: Trojan[Dropper]/Win32.Delf": [[450, 476]], "Indicator: Win32.Troj.Delf.bl.kcloud": [[477, 502]], "Indicator: Backdoor:Win32/Tetris.A": [[503, 526]], "Indicator: Trojan.Graftor.D2B929": [[527, 548]], "Indicator: Win32/TrojanDropper.Delf.BL": [[578, 605]], "Indicator: Win32.Trojan-dropper.Delf.Efao": [[606, 636]], "Indicator: TrojanDropper.Delf!n6JtRIRZLjo": [[637, 667]], "Indicator: W32/Acrop.A!tr.bdr": [[668, 686]], "Indicator: Win32/Trojan.Dropper.605": [[687, 711]]}, "info": {"id": "cyner2_5class_train_01424", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Backdoor.Win32.Nucleroot!O Win32.Trojan.WisdomEyes.16070401.9500.9750 Adware.Lop Win32/Talpalk.C Win.Trojan.Maha-2 Backdoor.Win32.Nucleroot.c Trojan.Win32.Maha.gubp Packer.W32.PePatch.l5Ml Packed.Win32.Klone.~KE Trojan.Maya BehavesLike.Win32.Ipamor.ch Trojan-Dropper.Delf Backdoor/Nucleroot.fk Trojan[PSW]/Win32.Maha Backdoor.Win32.A.Nucleroot.130560 Backdoor.Win32.Nucleroot.c PWS:Win32/Bividon.A 
Backdoor.Nucleroot W32/Nucleroot.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Backdoor.Win32.Nucleroot!O": [[48, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9750": [[75, 117]], "Indicator: Adware.Lop": [[118, 128]], "Indicator: Win32/Talpalk.C": [[129, 144]], "Indicator: Win.Trojan.Maha-2": [[145, 162]], "Indicator: Backdoor.Win32.Nucleroot.c": [[163, 189], [399, 425]], "Indicator: Trojan.Win32.Maha.gubp": [[190, 212]], "Indicator: Packer.W32.PePatch.l5Ml": [[213, 236]], "Indicator: Packed.Win32.Klone.~KE": [[237, 259]], "Indicator: Trojan.Maya": [[260, 271]], "Indicator: BehavesLike.Win32.Ipamor.ch": [[272, 299]], "Indicator: Trojan-Dropper.Delf": [[300, 319]], "Indicator: Backdoor/Nucleroot.fk": [[320, 341]], "Indicator: Trojan[PSW]/Win32.Maha": [[342, 364]], "Indicator: Backdoor.Win32.A.Nucleroot.130560": [[365, 398]], "Indicator: PWS:Win32/Bividon.A": [[426, 445]], "Indicator: Backdoor.Nucleroot": [[446, 464]], "Indicator: W32/Nucleroot.C!tr": [[465, 483]]}, "info": {"id": "cyner2_5class_train_01425", "source": "cyner2_5class_train"}}
+{"text": "Earlier this year , the actor used “ .pw ” TLDs while the Bank Austria scheme highlighted above used “ .info ” .", "spans": {"System: Bank Austria": [[58, 70]]}, "info": {"id": "cyner2_5class_train_01426", "source": "cyner2_5class_train"}}
+{"text": "Security researchers have identified and identified a new type of malware, which they believe is being developed by threat actors operating from North, East and South-East Asia, and is capable of being fully undetectable.", "spans": {"Organization: Security researchers": [[0, 20]], "Malware: malware,": [[66, 74]]}, "info": {"id": "cyner2_5class_train_01427", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Zbot Backdoor.Win32.DarkKomet.zvj Trojan.Win32.DarkKomet.dklzqc Trojan-Dropper.Win32.Injector 
Trojan[Backdoor]/Win32.DarkKomet Trojan.MSIL.Krypt.3 Backdoor.Win32.DarkKomet.zvj PWS:MSIL/Skonpri.A Backdoor/Win32.DarkKomet.R90638 Backdoor.DarkKomet Trj/CI.A Trojan.Krypt!XrXGvmn0xR4 W32/DarkKomet.FZ!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan.Zbot": [[69, 80]], "Indicator: Backdoor.Win32.DarkKomet.zvj": [[81, 109], [223, 251]], "Indicator: Trojan.Win32.DarkKomet.dklzqc": [[110, 139]], "Indicator: Trojan-Dropper.Win32.Injector": [[140, 169]], "Indicator: Trojan[Backdoor]/Win32.DarkKomet": [[170, 202]], "Indicator: Trojan.MSIL.Krypt.3": [[203, 222]], "Indicator: PWS:MSIL/Skonpri.A": [[252, 270]], "Indicator: Backdoor/Win32.DarkKomet.R90638": [[271, 302]], "Indicator: Backdoor.DarkKomet": [[303, 321]], "Indicator: Trj/CI.A": [[322, 330]], "Indicator: Trojan.Krypt!XrXGvmn0xR4": [[331, 355]], "Indicator: W32/DarkKomet.FZ!tr.bdr": [[356, 379]]}, "info": {"id": "cyner2_5class_train_01428", "source": "cyner2_5class_train"}}
+{"text": "The main goal of the xDedic forum is to facilitate the buying and selling of credentials for hacked servers which are available through RDP.", "spans": {"System: hacked servers": [[93, 107]], "System: RDP.": [[136, 140]]}, "info": {"id": "cyner2_5class_train_01429", "source": "cyner2_5class_train"}}
+{"text": "This report is the first to detail the attack against strategic US interests to China.", "spans": {}, "info": {"id": "cyner2_5class_train_01430", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Archbomb.ZIP Trojan-ArcBomb.ZIP.Bubl.b Trojan.Zip.Arch-Bomb.yngkq BehavesLike.Win32.Trojan.dh Trojan.Archbomb BOMB/ArcBomb.O Trojan-ArcBomb.ZIP.Bubl.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Archbomb.ZIP": [[69, 81]], "Indicator: Trojan-ArcBomb.ZIP.Bubl.b": [[82, 107], [194, 219]], "Indicator: 
Trojan.Zip.Arch-Bomb.yngkq": [[108, 134]], "Indicator: BehavesLike.Win32.Trojan.dh": [[135, 162]], "Indicator: Trojan.Archbomb": [[163, 178]], "Indicator: BOMB/ArcBomb.O": [[179, 193]]}, "info": {"id": "cyner2_5class_train_01431", "source": "cyner2_5class_train"}}
+{"text": "The threat actors registered at least seven subdomains through the hosting provider , each consisting of eight random-looking characters ( asdfgjcr , cacama18 , cacamadf , konkonq2 , mmsmtsh5 , riveroer , and sdfkjhl2 .", "spans": {"Indicator: asdfgjcr": [[139, 147]], "Indicator: cacama18": [[150, 158]], "Indicator: cacamadf": [[161, 169]], "Indicator: konkonq2": [[172, 180]], "Indicator: mmsmtsh5": [[183, 191]], "Indicator: riveroer": [[194, 202]], "Indicator: sdfkjhl2": [[209, 217]]}, "info": {"id": "cyner2_5class_train_01432", "source": "cyner2_5class_train"}}
+{"text": "The abuse of shortcut LNK files is steadily gaining traction among cybercriminals.", "spans": {"Indicator: abuse": [[4, 9]], "Indicator: shortcut LNK files": [[13, 31]]}, "info": {"id": "cyner2_5class_train_01433", "source": "cyner2_5class_train"}}
+{"text": "Initially, we've called it Matrix Banker based on its command and control C2 login panel, but it seems that Matrix Admin is a template available for the Bootstrap web framework.", "spans": {"Malware: Matrix Banker": [[27, 40]], "Indicator: command and control C2 login panel,": [[54, 89]], "Indicator: Matrix Admin": [[108, 120]], "System: the Bootstrap web framework.": [[149, 177]]}, "info": {"id": "cyner2_5class_train_01434", "source": "cyner2_5class_train"}}
+{"text": "Visually , this can be represented as follows : Android ID When combined with our analysis of indexed directories on C2 infrastructure , we were able to easily automate the generation of the password used by each device and , in turn , successfully decompress all exfiltrated content from compromised devices .", "spans": {"System: Android": [[48, 55]]}, "info": {"id": "cyner2_5class_train_01435", 
"source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32/Shuq.B W32/Shuq.g I-Worm.Shuq!TBLjXfxv+A8 W32.SillyFDC Win32/Shuq.NAA TROJ_ANGEL.F Worm.Shuq.B Email-Worm.Win32.Shuq.g Trojan.Win32.Shuq.epjd Trojan.Win32.S.HDC.66048[h] W32.W.Shuq.g!c Backdoor.Win32.Shuq.NAA BackDoor.HSV.1013 Worm.Shuq.Win32.5 TROJ_ANGEL.F W32/Risk.OPXF-7688 Worm/Sramota.aws W32/ANGEL.G@mm Worm[Email]/Win32.Shuq Trojan/Win32.HDC Backdoor:Win32/Shuq.A Worm.Shuq Win32.Worm-email.Shuq.Eerm Email-Worm.Win32.Shuq I-Worm/Shuqing.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Shuq.B": [[26, 38]], "Indicator: W32/Shuq.g": [[39, 49]], "Indicator: I-Worm.Shuq!TBLjXfxv+A8": [[50, 73]], "Indicator: W32.SillyFDC": [[74, 86]], "Indicator: Win32/Shuq.NAA": [[87, 101]], "Indicator: TROJ_ANGEL.F": [[102, 114], [277, 289]], "Indicator: Worm.Shuq.B": [[115, 126]], "Indicator: Email-Worm.Win32.Shuq.g": [[127, 150]], "Indicator: Trojan.Win32.Shuq.epjd": [[151, 173]], "Indicator: Trojan.Win32.S.HDC.66048[h]": [[174, 201]], "Indicator: W32.W.Shuq.g!c": [[202, 216]], "Indicator: Backdoor.Win32.Shuq.NAA": [[217, 240]], "Indicator: BackDoor.HSV.1013": [[241, 258]], "Indicator: Worm.Shuq.Win32.5": [[259, 276]], "Indicator: W32/Risk.OPXF-7688": [[290, 308]], "Indicator: Worm/Sramota.aws": [[309, 325]], "Indicator: W32/ANGEL.G@mm": [[326, 340]], "Indicator: Worm[Email]/Win32.Shuq": [[341, 363]], "Indicator: Trojan/Win32.HDC": [[364, 380]], "Indicator: Backdoor:Win32/Shuq.A": [[381, 402]], "Indicator: Worm.Shuq": [[403, 412]], "Indicator: Win32.Worm-email.Shuq.Eerm": [[413, 439]], "Indicator: Email-Worm.Win32.Shuq": [[440, 461]], "Indicator: I-Worm/Shuqing.E": [[462, 478]]}, "info": {"id": "cyner2_5class_train_01436", "source": "cyner2_5class_train"}}
+{"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat .", "spans": {}, "info": {"id": "cyner2_5class_train_01437", "source": "cyner2_5class_train"}}
+{"text": 
"Reasons for Taiwan being targeted range from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth with Taiwan being one of the most innovative countries in the High-Tech industry in Asia.", "spans": {"Organization: High-Tech industry": [[215, 233]]}, "info": {"id": "cyner2_5class_train_01438", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Worm/W32.DipNet.139264 W32/DipNet.f Trojan.Win32.DipNet.emkm W32/Dipnet.F Trojan.Netdepix.B Win32/Dipnet.NAD Net-Worm.Win32.DipNet.f Worm.DipNet!vTuZ7jF3dLw Worm.Win32.DipNet.139264[h] W32.W.DipNet.f!c Virus.Win32.Part.a Worm.Win32.Dipnet.NAD BackDoor.Xdoor.351 Worm.DipNet.Win32.8 BehavesLike.Win32.Trojan.ch W32/Dipnet.XULH-0302 Worm/DipNet.a WORM/DipNet.b W32/Netdepix.B!worm Worm[Net]/Win32.DipNet Win32/Dipnet.worm.139264 Worm:Win32/DipNet.H Win32/Oddbob.E Net-Worm.DipNet W32/Oddbob.E.worm Backdoor.Win32.Xdoor Worm/Dipnet.M Worm.Win32.DipNet.aMVE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.DipNet.139264": [[26, 48]], "Indicator: W32/DipNet.f": [[49, 61]], "Indicator: Trojan.Win32.DipNet.emkm": [[62, 86]], "Indicator: W32/Dipnet.F": [[87, 99]], "Indicator: Trojan.Netdepix.B": [[100, 117]], "Indicator: Win32/Dipnet.NAD": [[118, 134]], "Indicator: Net-Worm.Win32.DipNet.f": [[135, 158]], "Indicator: Worm.DipNet!vTuZ7jF3dLw": [[159, 182]], "Indicator: Worm.Win32.DipNet.139264[h]": [[183, 210]], "Indicator: W32.W.DipNet.f!c": [[211, 227]], "Indicator: Virus.Win32.Part.a": [[228, 246]], "Indicator: Worm.Win32.Dipnet.NAD": [[247, 268]], "Indicator: BackDoor.Xdoor.351": [[269, 287]], "Indicator: Worm.DipNet.Win32.8": [[288, 307]], "Indicator: BehavesLike.Win32.Trojan.ch": [[308, 335]], "Indicator: W32/Dipnet.XULH-0302": [[336, 356]], "Indicator: Worm/DipNet.a": [[357, 370]], "Indicator: WORM/DipNet.b": [[371, 384]], "Indicator: W32/Netdepix.B!worm": [[385, 404]], "Indicator: Worm[Net]/Win32.DipNet": [[405, 427]], "Indicator: 
Win32/Dipnet.worm.139264": [[428, 452]], "Indicator: Worm:Win32/DipNet.H": [[453, 472]], "Indicator: Win32/Oddbob.E": [[473, 487]], "Indicator: Net-Worm.DipNet": [[488, 503]], "Indicator: W32/Oddbob.E.worm": [[504, 521]], "Indicator: Backdoor.Win32.Xdoor": [[522, 542]], "Indicator: Worm/Dipnet.M": [[543, 556]], "Indicator: Worm.Win32.DipNet.aMVE": [[557, 579]]}, "info": {"id": "cyner2_5class_train_01439", "source": "cyner2_5class_train"}}
+{"text": "RECEIVE_SMS - allow the application to receive text messages .", "spans": {}, "info": {"id": "cyner2_5class_train_01440", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.DL.VB.IHEW Trojan-Spy.Win32.Bancos.alh!IK Trojan-Downloader.Win32.VB.tbx TR/Spy.65536.194 TSPY_ZBOT.SMDM Trojan.Spy.65536.194 TrojanDownloader.VB.vhu TrojanSpy:Win32/Bancos.KY Trojan-Downloader.Win32.VB.tbx Trojan-Spy.Win32.Bancos.alh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DL.VB.IHEW": [[26, 43]], "Indicator: Trojan-Spy.Win32.Bancos.alh!IK": [[44, 74]], "Indicator: Trojan-Downloader.Win32.VB.tbx": [[75, 105], [209, 239]], "Indicator: TR/Spy.65536.194": [[106, 122]], "Indicator: TSPY_ZBOT.SMDM": [[123, 137]], "Indicator: Trojan.Spy.65536.194": [[138, 158]], "Indicator: TrojanDownloader.VB.vhu": [[159, 182]], "Indicator: TrojanSpy:Win32/Bancos.KY": [[183, 208]], "Indicator: Trojan-Spy.Win32.Bancos.alh": [[240, 267]]}, "info": {"id": "cyner2_5class_train_01441", "source": "cyner2_5class_train"}}
+{"text": "On July 5, 2015 an unknown hacker publicly announced on Twitter that he had breached the internal network of Hacking Team – an Italian pentesting company known to purchase 0-day exploits and produce their own trojans.", "spans": {"Organization: Twitter": [[56, 63]], "Indicator: breached": [[76, 84]], "Indicator: internal network": [[89, 105]], "Organization: Hacking Team": [[109, 121]], "Organization: pentesting company": [[135, 153]], "Malware: 0-day exploits": [[172, 186]], "Malware: trojans.": 
[[209, 217]]}, "info": {"id": "cyner2_5class_train_01442", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan-Downloader.Win32.Harnig!O Win32.Trojan-Downloader.Harnig.cu Trojan.Gobrena TROJ_HARNIG.FC Trojan-Downloader.Win32.Harnig.cu Trojan.Win32.Harnig.dpsezu PE:Trojan.DL.Tibs.fxl!1074175505 Trojan.DownLoader.13549 Downloader.Harnig.Win32.2 TROJ_HARNIG.FC TrojanDownloader.Harnig.alh TR/Dldr.Small.dib.6 Trojan[Downloader]/Win32.Harnig.cu Win32.TrojDownloader.Harnig.co.kcloud Trojan/Win32.Harnig Trojan-Downloader.Revelation.Tibs.B Trojan-Downloader.Win32.Harnig.cr W32/Harnig.CU!tr.dldr Downloader.Harnig.AP Trojan.Win32.Harnig.Aj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Harnig!O": [[26, 58]], "Indicator: Win32.Trojan-Downloader.Harnig.cu": [[59, 92]], "Indicator: Trojan.Gobrena": [[93, 107]], "Indicator: TROJ_HARNIG.FC": [[108, 122], [267, 281]], "Indicator: Trojan-Downloader.Win32.Harnig.cu": [[123, 156]], "Indicator: Trojan.Win32.Harnig.dpsezu": [[157, 183]], "Indicator: PE:Trojan.DL.Tibs.fxl!1074175505": [[184, 216]], "Indicator: Trojan.DownLoader.13549": [[217, 240]], "Indicator: Downloader.Harnig.Win32.2": [[241, 266]], "Indicator: TrojanDownloader.Harnig.alh": [[282, 309]], "Indicator: TR/Dldr.Small.dib.6": [[310, 329]], "Indicator: Trojan[Downloader]/Win32.Harnig.cu": [[330, 364]], "Indicator: Win32.TrojDownloader.Harnig.co.kcloud": [[365, 402]], "Indicator: Trojan/Win32.Harnig": [[403, 422]], "Indicator: Trojan-Downloader.Revelation.Tibs.B": [[423, 458]], "Indicator: Trojan-Downloader.Win32.Harnig.cr": [[459, 492]], "Indicator: W32/Harnig.CU!tr.dldr": [[493, 514]], "Indicator: Downloader.Harnig.AP": [[515, 535]], "Indicator: Trojan.Win32.Harnig.Aj": [[536, 558]]}, "info": {"id": "cyner2_5class_train_01443", "source": "cyner2_5class_train"}}
+{"text": "Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C & C 
over Wi-Fi .", "spans": {}, "info": {"id": "cyner2_5class_train_01444", "source": "cyner2_5class_train"}}
+{"text": "Every one of these campaigns involved a Windows version of Derusbi.", "spans": {"System: Windows version": [[40, 55]], "Malware: Derusbi.": [[59, 67]]}, "info": {"id": "cyner2_5class_train_01445", "source": "cyner2_5class_train"}}
+{"text": "On October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers.", "spans": {"Organization: Kaspersky Lab's": [[21, 36]], "System: advanced exploit prevention systems": [[37, 72]], "Vulnerability: Adobe Flash zero day": [[90, 110]], "Malware: exploit": [[111, 118]], "Organization: customers.": [[148, 158]]}, "info": {"id": "cyner2_5class_train_01446", "source": "cyner2_5class_train"}}
+{"text": "The service offers a binder tool that allows users to masquerade their malware as legitimate software.", "spans": {"Malware: binder tool": [[21, 32]], "Indicator: masquerade": [[54, 64]], "Malware: malware": [[71, 78]], "Indicator: legitimate software.": [[82, 102]]}, "info": {"id": "cyner2_5class_train_01447", "source": "cyner2_5class_train"}}
+{"text": "] com ( and third-levels of this domain ) www3.mefound [ .", "spans": {"Indicator: www3.mefound [ .": [[42, 58]]}, "info": {"id": "cyner2_5class_train_01448", "source": "cyner2_5class_train"}}
+{"text": "Malwarebytes has been observing a surge in drive-by download attacks since the recent Flash zero-day now patched.", "spans": {"Organization: Malwarebytes": [[0, 12]], "Indicator: drive-by download attacks": [[43, 68]], "Vulnerability: Flash zero-day": [[86, 100]]}, "info": {"id": "cyner2_5class_train_01449", "source": "cyner2_5class_train"}}
+{"text": "Android remains a prime target for malicious attacks .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": "cyner2_5class_train_01450", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: 
TrojanAPT.BrowsPass.ST3 Trojan.MSIL.Ubibila.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 MSIL.Trojan.Pinject.A Trojan-Dropper.Win32.Sysn.bgns Trojan.Win32.MailPassView.dzxrgp Tool.MailPassView.236 BehavesLike.Win32.Trojan.gc Trojan.PSW.Fareit.te TR/Dropper.MSIL.sbcsg Trojan:MSIL/Golbla.B Trojan-Dropper.Win32.Sysn.bgns Trojan/Win32.Golbla.C1246680 Trj/CI.A Win32.Trojan-dropper.Sysn.Akyi Trojan.Inject MSIL/Injector.MRD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.BrowsPass.ST3": [[26, 49]], "Indicator: Trojan.MSIL.Ubibila.1": [[50, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[72, 114]], "Indicator: MSIL.Trojan.Pinject.A": [[115, 136]], "Indicator: Trojan-Dropper.Win32.Sysn.bgns": [[137, 167], [315, 345]], "Indicator: Trojan.Win32.MailPassView.dzxrgp": [[168, 200]], "Indicator: Tool.MailPassView.236": [[201, 222]], "Indicator: BehavesLike.Win32.Trojan.gc": [[223, 250]], "Indicator: Trojan.PSW.Fareit.te": [[251, 271]], "Indicator: TR/Dropper.MSIL.sbcsg": [[272, 293]], "Indicator: Trojan:MSIL/Golbla.B": [[294, 314]], "Indicator: Trojan/Win32.Golbla.C1246680": [[346, 374]], "Indicator: Trj/CI.A": [[375, 383]], "Indicator: Win32.Trojan-dropper.Sysn.Akyi": [[384, 414]], "Indicator: Trojan.Inject": [[415, 428]], "Indicator: MSIL/Injector.MRD!tr": [[429, 449]]}, "info": {"id": "cyner2_5class_train_01451", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutorunXjyv.Worm Trojan.Dropper.VIO Trojan/W32.Chydo.569344.E Trojan.KillAv.DR Trojan.Chydo Win32.Worm.Autorun.j Win32/Pykspa.C WORM_MESSEN.SMF Trojan.Dropper.VIO Worm.Win32.AutoRun.iea Trojan.Dropper.VIO Trojan.Win32.Chydo.eahreo Trojan.Win32.Chydo.516096.B Trojan.Dropper.VIO Trojan.MulDrop5.14836 Worm.AutoRun.Win32.116380 WORM_MESSEN.SMF BehavesLike.Win32.Backdoor.hc Trojan/Chydo.bj Trojan.Dropper.VIO Worm.Win32.AutoRun.iea TrojanDropper:Win32/Pykspa.A Trojan/Win32.Chydo.R40147 Trojan.Dropper.VIO Trojan.Chydo Trojan.Win32.FakeAlert.ate 
Trojan.Win32.KillAV.Y", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutorunXjyv.Worm": [[26, 46]], "Indicator: Trojan.Dropper.VIO": [[47, 65], [174, 192], [216, 234], [289, 307], [418, 436], [515, 533]], "Indicator: Trojan/W32.Chydo.569344.E": [[66, 91]], "Indicator: Trojan.KillAv.DR": [[92, 108]], "Indicator: Trojan.Chydo": [[109, 121], [534, 546]], "Indicator: Win32.Worm.Autorun.j": [[122, 142]], "Indicator: Win32/Pykspa.C": [[143, 157]], "Indicator: WORM_MESSEN.SMF": [[158, 173], [356, 371]], "Indicator: Worm.Win32.AutoRun.iea": [[193, 215], [437, 459]], "Indicator: Trojan.Win32.Chydo.eahreo": [[235, 260]], "Indicator: Trojan.Win32.Chydo.516096.B": [[261, 288]], "Indicator: Trojan.MulDrop5.14836": [[308, 329]], "Indicator: Worm.AutoRun.Win32.116380": [[330, 355]], "Indicator: BehavesLike.Win32.Backdoor.hc": [[372, 401]], "Indicator: Trojan/Chydo.bj": [[402, 417]], "Indicator: TrojanDropper:Win32/Pykspa.A": [[460, 488]], "Indicator: Trojan/Win32.Chydo.R40147": [[489, 514]], "Indicator: Trojan.Win32.FakeAlert.ate": [[547, 573]], "Indicator: Trojan.Win32.KillAV.Y": [[574, 595]]}, "info": {"id": "cyner2_5class_train_01452", "source": "cyner2_5class_train"}} +{"text": "In this post, we will be pulling apart and dissecting the Rambo backdoor and discussing several of its evasion techniques.", "spans": {"Malware: the Rambo backdoor": [[54, 72]]}, "info": {"id": "cyner2_5class_train_01453", "source": "cyner2_5class_train"}} +{"text": "DarkKomet variant, often dropped as patcher.exe", "spans": {"Malware: DarkKomet variant,": [[0, 18]], "Indicator: patcher.exe": [[36, 47]]}, "info": {"id": "cyner2_5class_train_01454", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodee5.Trojan.2bfc Trojan.Proxy.Wopla.Q Trojan-Proxy/W32.Wopla.20992.D Trojan.Wopla.Win32.59 Trojan/Proxy.Wopla.q Trojan.PR.Wopla!heGrkrdKLNg Trojan.Tannick.B Win32/Pokier.V TSPY_WOPLA.Q Trojan.Proxy.Wopla.Q Trojan-Proxy.Win32.Wopla.q Trojan.Proxy.Wopla.Q 
Trojan.Win32.Wopla.csuaej PE:Trojan.Proxy.Wopla.ay!100004534 Trojan.Proxy.Wopla.Q TrojWare.Win32.TrojanDownloader.Small.AA Trojan.Proxy.Wopla.Q TSPY_WOPLA.Q BehavesLike.Win32.Downloader.mc W32/Trojan.AXS TrojanProxy.Wopla.d TR/Proxy.Wopla.Q.4 Win32.Troj.Wopla.q.kcloud Trojan.Proxy.Wopla.Q Win-Trojan/Wopla.20992 TrojanProxy.Wopla Trj/Alpiok.A Trojan-Proxy.Win32.Wopla.Q Multidr.J!tr Proxy.BKA.dropper Trojan.Win32.Wopla.AdJ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodee5.Trojan.2bfc": [[26, 49]], "Indicator: Trojan.Proxy.Wopla.Q": [[50, 70], [218, 238], [266, 286], [348, 368], [410, 430], [556, 576]], "Indicator: Trojan-Proxy/W32.Wopla.20992.D": [[71, 101]], "Indicator: Trojan.Wopla.Win32.59": [[102, 123]], "Indicator: Trojan/Proxy.Wopla.q": [[124, 144]], "Indicator: Trojan.PR.Wopla!heGrkrdKLNg": [[145, 172]], "Indicator: Trojan.Tannick.B": [[173, 189]], "Indicator: Win32/Pokier.V": [[190, 204]], "Indicator: TSPY_WOPLA.Q": [[205, 217], [431, 443]], "Indicator: Trojan-Proxy.Win32.Wopla.q": [[239, 265]], "Indicator: Trojan.Win32.Wopla.csuaej": [[287, 312]], "Indicator: PE:Trojan.Proxy.Wopla.ay!100004534": [[313, 347]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.AA": [[369, 409]], "Indicator: BehavesLike.Win32.Downloader.mc": [[444, 475]], "Indicator: W32/Trojan.AXS": [[476, 490]], "Indicator: TrojanProxy.Wopla.d": [[491, 510]], "Indicator: TR/Proxy.Wopla.Q.4": [[511, 529]], "Indicator: Win32.Troj.Wopla.q.kcloud": [[530, 555]], "Indicator: Win-Trojan/Wopla.20992": [[577, 599]], "Indicator: TrojanProxy.Wopla": [[600, 617]], "Indicator: Trj/Alpiok.A": [[618, 630]], "Indicator: Trojan-Proxy.Win32.Wopla.Q": [[631, 657]], "Indicator: Multidr.J!tr": [[658, 670]], "Indicator: Proxy.BKA.dropper": [[671, 688]], "Indicator: Trojan.Win32.Wopla.AdJ": [[689, 711]]}, "info": {"id": "cyner2_5class_train_01455", "source": "cyner2_5class_train"}} +{"text": "We rapidly determined that this spam campaign was attempting to broadly deliver TeslaCrypt 4.1A to 
individuals.", "spans": {"Malware: TeslaCrypt 4.1A": [[80, 95]], "Organization: individuals.": [[99, 111]]}, "info": {"id": "cyner2_5class_train_01456", "source": "cyner2_5class_train"}} +{"text": "The red fields are used as the shortcode and keyword for SMS billing .", "spans": {}, "info": {"id": "cyner2_5class_train_01457", "source": "cyner2_5class_train"}} +{"text": "This appears to be necessary to determine the number of banks the victim may use .", "spans": {}, "info": {"id": "cyner2_5class_train_01458", "source": "cyner2_5class_train"}} +{"text": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations.", "spans": {"Organization: FireEye Threat Intelligence": [[0, 27]], "Organization: media organizations.": [[127, 147]]}, "info": {"id": "cyner2_5class_train_01459", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: DoS.Small W32/VirTool.OH Bloodhound.W32.EP DoS.Win32.Small.e Trojan.Win32.Small.dosb Flooder.Upsend W32/Tool.GNXW-3960 DoS.Small.c HackTool[DoS]/Win32.Small DoS:Win32/Small.E DoS.Win32.Small.e DoS.Small Win32.Trojan.Small.Lnoh DoS.Win32.Small W32/Small.E!dos", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: DoS.Small": [[26, 35], [219, 228]], "Indicator: W32/VirTool.OH": [[36, 50]], "Indicator: Bloodhound.W32.EP": [[51, 68]], "Indicator: DoS.Win32.Small.e": [[69, 86], [201, 218]], "Indicator: Trojan.Win32.Small.dosb": [[87, 110]], "Indicator: Flooder.Upsend": [[111, 125]], "Indicator: W32/Tool.GNXW-3960": [[126, 144]], "Indicator: DoS.Small.c": [[145, 156]], "Indicator: HackTool[DoS]/Win32.Small": [[157, 182]], "Indicator: DoS:Win32/Small.E": [[183, 200]], "Indicator: Win32.Trojan.Small.Lnoh": [[229, 252]], "Indicator: DoS.Win32.Small": [[253, 268]], "Indicator: W32/Small.E!dos": [[269, 284]]}, "info": {"id": "cyner2_5class_train_01460", "source": "cyner2_5class_train"}} +{"text": "Code snippet showing GolfSpy generating UUID The 
value of % is in the range of 1-9 or a-j .", "spans": {"Malware: GolfSpy": [[21, 28]]}, "info": {"id": "cyner2_5class_train_01461", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.UsernameReimuatH.Trojan Worm/W32.WBNA.294912.AU Trojan.Win32.Diple!O Trojan.Beebone.D Trojan/VBObfus.fz Win32.Worm.Pronny.d Win32/VB.KXfdHDB WORM_VOBFUS.SM37 Win.Packer.VBCrypt-5731517-0 Worm.Win32.Vobfus.erof Trojan.Win32.Vobfus.enwdjc Win32.Worm.Vobfus.Wvay Win32.HLLW.Autoruner2.18084 WORM_VOBFUS.SM37 BehavesLike.Win32.Autorun.dh Win32.Virut.ce.57344 Trojan.Symmi.D13A73 Trojan.Win32.A.Diple.299008.BAT Worm.Win32.Vobfus.erof Worm/Win32.WBNA.R108353 TScope.Trojan.VB Worm.Win32.Vobfus", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.UsernameReimuatH.Trojan": [[26, 53]], "Indicator: Worm/W32.WBNA.294912.AU": [[54, 77]], "Indicator: Trojan.Win32.Diple!O": [[78, 98]], "Indicator: Trojan.Beebone.D": [[99, 115]], "Indicator: Trojan/VBObfus.fz": [[116, 133]], "Indicator: Win32.Worm.Pronny.d": [[134, 153]], "Indicator: Win32/VB.KXfdHDB": [[154, 170]], "Indicator: WORM_VOBFUS.SM37": [[171, 187], [318, 334]], "Indicator: Win.Packer.VBCrypt-5731517-0": [[188, 216]], "Indicator: Worm.Win32.Vobfus.erof": [[217, 239], [437, 459]], "Indicator: Trojan.Win32.Vobfus.enwdjc": [[240, 266]], "Indicator: Win32.Worm.Vobfus.Wvay": [[267, 289]], "Indicator: Win32.HLLW.Autoruner2.18084": [[290, 317]], "Indicator: BehavesLike.Win32.Autorun.dh": [[335, 363]], "Indicator: Win32.Virut.ce.57344": [[364, 384]], "Indicator: Trojan.Symmi.D13A73": [[385, 404]], "Indicator: Trojan.Win32.A.Diple.299008.BAT": [[405, 436]], "Indicator: Worm/Win32.WBNA.R108353": [[460, 483]], "Indicator: TScope.Trojan.VB": [[484, 500]], "Indicator: Worm.Win32.Vobfus": [[501, 518]]}, "info": {"id": "cyner2_5class_train_01462", "source": "cyner2_5class_train"}} +{"text": "The source process tries to determine the location of dlopen , dlsym , and dlclose functions in the target process .", "spans": {}, "info": 
{"id": "cyner2_5class_train_01463", "source": "cyner2_5class_train"}} +{"text": "The capabilities remained unchanged , but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays ( banking apps ) separately .", "spans": {}, "info": {"id": "cyner2_5class_train_01464", "source": "cyner2_5class_train"}} +{"text": "Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL.", "spans": {"Malware: OSX/Dok": [[5, 12]], "Indicator: gain complete access": [[50, 70]], "Indicator: victim communication, including communication encrypted by SSL.": [[78, 141]]}, "info": {"id": "cyner2_5class_train_01465", "source": "cyner2_5class_train"}} +{"text": "By going on the offensive and hunting the attackers , our team was able to unearth the early stages of what may be a very dangerous mobile malware .", "spans": {}, "info": {"id": "cyner2_5class_train_01466", "source": "cyner2_5class_train"}} +{"text": "Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.", "spans": {"Indicator: /var/lib/man.cy,": [[48, 64]], "Malware: infected ISO.": [[81, 94]]}, "info": {"id": "cyner2_5class_train_01467", "source": "cyner2_5class_train"}} +{"text": "At a high level, Romberik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre.", "spans": {"Malware: At": [[0, 2]], "Malware: Romberik": [[17, 25]], "Malware: malware": [[48, 55]], "Indicator: hook into the user's browser": [[76, 104]], "Indicator: read credentials": [[108, 124]], "Indicator: sensitive information": [[135, 156]], "Malware: Dyre.": [[219, 224]]}, "info": {"id": "cyner2_5class_train_01468", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.Avisa.69632 Trojan-PSW.Win32!O 
W32/Inttest.worm PWS-Inttest.B TROJ_AVISA.B Win32.Trojan.WisdomEyes.16070401.9500.9757 W32/Risk.CNKX-3667 Infostealer.Avisa Win32/PSW.Cript.B Trojan-PSW.Win32.Deintel Trojan.Win32.Avisa-Psw.fdrj Trojan.Win32.Avisa.69632 Trojan.Avisa.Win32.2 BehavesLike.Win32.PJTbinder.km Worm.Pws.Inttest Trojan/PSW.Avisa Trojan[PSW]/Win32.Deintel Trojan-PSW.Win32.Deintel Trojan/Win32.HDC.C89238 TrojanPSW.Deintel Trj/PSW.Intetest Win32/PSW.Avisa.A Win32.Trojan-qqpass.Qqrob.Sxoe Trojan.PSW.Avisa W32/Avisa.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.Avisa.69632": [[26, 52]], "Indicator: Trojan-PSW.Win32!O": [[53, 71]], "Indicator: W32/Inttest.worm": [[72, 88]], "Indicator: PWS-Inttest.B": [[89, 102]], "Indicator: TROJ_AVISA.B": [[103, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9757": [[116, 158]], "Indicator: W32/Risk.CNKX-3667": [[159, 177]], "Indicator: Infostealer.Avisa": [[178, 195]], "Indicator: Win32/PSW.Cript.B": [[196, 213]], "Indicator: Trojan-PSW.Win32.Deintel": [[214, 238], [404, 428]], "Indicator: Trojan.Win32.Avisa-Psw.fdrj": [[239, 266]], "Indicator: Trojan.Win32.Avisa.69632": [[267, 291]], "Indicator: Trojan.Avisa.Win32.2": [[292, 312]], "Indicator: BehavesLike.Win32.PJTbinder.km": [[313, 343]], "Indicator: Worm.Pws.Inttest": [[344, 360]], "Indicator: Trojan/PSW.Avisa": [[361, 377]], "Indicator: Trojan[PSW]/Win32.Deintel": [[378, 403]], "Indicator: Trojan/Win32.HDC.C89238": [[429, 452]], "Indicator: TrojanPSW.Deintel": [[453, 470]], "Indicator: Trj/PSW.Intetest": [[471, 487]], "Indicator: Win32/PSW.Avisa.A": [[488, 505]], "Indicator: Win32.Trojan-qqpass.Qqrob.Sxoe": [[506, 536]], "Indicator: Trojan.PSW.Avisa": [[537, 553]], "Indicator: W32/Avisa.A!tr": [[554, 568]]}, "info": {"id": "cyner2_5class_train_01469", "source": "cyner2_5class_train"}} +{"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to 
follow .", "spans": {}, "info": {"id": "cyner2_5class_train_01470", "source": "cyner2_5class_train"}} +{"text": "To maximize profit , variants with “ MinSDK ” or “ OTA ” SDK are present to further infect victims with other adware families .", "spans": {}, "info": {"id": "cyner2_5class_train_01471", "source": "cyner2_5class_train"}} +{"text": "Related insfrastructure shows another suspicious looking domain that mimics the Court of Arbitration for Sport", "spans": {"System: insfrastructure": [[8, 23]], "Indicator: domain": [[57, 63]], "Organization: the Court of Arbitration for Sport": [[76, 110]]}, "info": {"id": "cyner2_5class_train_01472", "source": "cyner2_5class_train"}} +{"text": "Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "spans": {"Organization: foreign": [[71, 78]], "Organization: security policy": [[83, 98]]}, "info": {"id": "cyner2_5class_train_01473", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Bifrose Trojan.Win32.Small.cup Trojan.Win32.Buzus.rbpz Trojan.Win32.Buzus.86895 Trojan.MulDrop.18143 BehavesLike.Win32.Backdoor.hc Trojan/Buzus.fcx Virus.Trojan.Win32.Buzus.acj W32/Trojan2.AGMZ Trojan/Buzus.cf TrojanDropper:Win32/Buzus.B W32.W.Ridnu.ls5O Trojan.Win32.Small.cup Trojan/Win32.Buzus.C71809 Trojan.Buzus W32/Kryptix.KZB!tr Win32/Trojan.6a2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Backdoor.Bifrose": [[69, 85]], "Indicator: Trojan.Win32.Small.cup": [[86, 108], [333, 355]], "Indicator: Trojan.Win32.Buzus.rbpz": [[109, 132]], "Indicator: Trojan.Win32.Buzus.86895": [[133, 157]], "Indicator: Trojan.MulDrop.18143": [[158, 178]], "Indicator: BehavesLike.Win32.Backdoor.hc": [[179, 208]], "Indicator: Trojan/Buzus.fcx": [[209, 225]], "Indicator: Virus.Trojan.Win32.Buzus.acj": [[226, 254]], 
"Indicator: W32/Trojan2.AGMZ": [[255, 271]], "Indicator: Trojan/Buzus.cf": [[272, 287]], "Indicator: TrojanDropper:Win32/Buzus.B": [[288, 315]], "Indicator: W32.W.Ridnu.ls5O": [[316, 332]], "Indicator: Trojan/Win32.Buzus.C71809": [[356, 381]], "Indicator: Trojan.Buzus": [[382, 394]], "Indicator: W32/Kryptix.KZB!tr": [[395, 413]], "Indicator: Win32/Trojan.6a2": [[414, 430]]}, "info": {"id": "cyner2_5class_train_01474", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.771B Ransom.Cerber.A4 Ransom.Cerber Trojan.Symmi.D13E52 Ransom_HPCERBER.SM3 Win32.Trojan.Kryptik.avs Ransom_HPCERBER.SM3 Trojan-Ransom.Win32.Rack.hly Trojan.Win32.Rack.evkhfe Trojan.Encoder.761 BehavesLike.Win32.Ransomware.gh Ransom.Win32.Teerac Trojan.Rack.dk Trojan-Ransom.Win32.Rack.hly Trojan.Menti Trj/GdSda.A W32/Kryptik.FSUS!tr Win32/Trojan.Ransom.7c1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.771B": [[26, 42]], "Indicator: Ransom.Cerber.A4": [[43, 59]], "Indicator: Ransom.Cerber": [[60, 73]], "Indicator: Trojan.Symmi.D13E52": [[74, 93]], "Indicator: Ransom_HPCERBER.SM3": [[94, 113], [139, 158]], "Indicator: Win32.Trojan.Kryptik.avs": [[114, 138]], "Indicator: Trojan-Ransom.Win32.Rack.hly": [[159, 187], [299, 327]], "Indicator: Trojan.Win32.Rack.evkhfe": [[188, 212]], "Indicator: Trojan.Encoder.761": [[213, 231]], "Indicator: BehavesLike.Win32.Ransomware.gh": [[232, 263]], "Indicator: Ransom.Win32.Teerac": [[264, 283]], "Indicator: Trojan.Rack.dk": [[284, 298]], "Indicator: Trojan.Menti": [[328, 340]], "Indicator: Trj/GdSda.A": [[341, 352]], "Indicator: W32/Kryptik.FSUS!tr": [[353, 372]], "Indicator: Win32/Trojan.Ransom.7c1": [[373, 396]]}, "info": {"id": "cyner2_5class_train_01475", "source": "cyner2_5class_train"}} +{"text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease ( 
Covid-19 ) as a lure .", "spans": {"System: Coronavirus Update App": [[0, 22]], "Malware: Project Spy": [[32, 43], [122, 133]], "System: Android": [[44, 51], [144, 151]], "System: iOS": [[56, 59], [156, 159]]}, "info": {"id": "cyner2_5class_train_01476", "source": "cyner2_5class_train"}} +{"text": "In addition to the feature base it already possesses and the money that can be made from the rental , it could evolve to compete with the mightiest Android banking Trojans .", "spans": {"System: Android": [[148, 155]]}, "info": {"id": "cyner2_5class_train_01477", "source": "cyner2_5class_train"}} +{"text": "For example , the botnet Trojan-SMS.AndroidOS.Opfake.a , in addition to its own activity , also spread Backdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim ’ s list of contacts .", "spans": {"Malware: Trojan-SMS.AndroidOS.Opfake.a": [[25, 54]], "Malware: Backdoor.AndroidOS.Obad.a": [[103, 128]]}, "info": {"id": "cyner2_5class_train_01478", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Yafive.A.mue Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan-Downloader.Win32.QQHelper.air Troj.Spy.W32.Zbot.kYVW TrojWare.Win32.TrojanDownloader.Tiny.~CA BackDoor.Update.293 Win32.Hack.XComp.a.410674 TrojanDownloader:Win32/Yafive.A Trojan-Downloader.Win32.QQHelper.air TrojanDownloader.QQHelper Trojan-Downloader.Win32.QQHelper", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Yafive.A.mue": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[56, 98]], "Indicator: Trojan-Downloader.Win32.QQHelper.air": [[99, 135], [278, 314]], "Indicator: Troj.Spy.W32.Zbot.kYVW": [[136, 158]], "Indicator: TrojWare.Win32.TrojanDownloader.Tiny.~CA": [[159, 199]], "Indicator: BackDoor.Update.293": [[200, 219]], "Indicator: Win32.Hack.XComp.a.410674": [[220, 245]], "Indicator: TrojanDownloader:Win32/Yafive.A": [[246, 277]], "Indicator: TrojanDownloader.QQHelper": [[315, 340]], "Indicator: 
Trojan-Downloader.Win32.QQHelper": [[341, 373]]}, "info": {"id": "cyner2_5class_train_01479", "source": "cyner2_5class_train"}} +{"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since .", "spans": {"System: Android": [[17, 24], [105, 112]]}, "info": {"id": "cyner2_5class_train_01480", "source": "cyner2_5class_train"}} +{"text": "It recently resurfaced in November 2016 W32.Disttrack.B, again attacking targets in Saudi Arabia.", "spans": {"Indicator: W32.Disttrack.B,": [[40, 56]], "Organization: Saudi Arabia.": [[84, 97]]}, "info": {"id": "cyner2_5class_train_01481", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Yodo.A@mm Worm/W32.Yodo.1273856 W32/Yodo.a Win32.Yodo.E90817 WORM_YODO.F W32.Yodo@mm Win32/Yodo.D WORM_YODO.F Win32.Yodo.A@mm Email-Worm.Win32.Yodo.a Win32.Yodo.A@mm Trojan.Win32.Yodo.bdnumu W32.W.Yodo.a!c Win32.Yodo.A@mm Worm.Win32.Yodo.B.Dropper Win32.Yodo.A@mm Trojan.MulDrop.572 Worm.Yodo.Win32.1 BehavesLike.Win32.VBObfus.tm W32/Risk.OQBD-6759 Worm/Yodo.b Worm:Win32/Yodo.B.dr WORM/Yodo.A.1 Worm[Email]/Win32.Yodo Worm.Yodo.a.kcloud Worm:Win32/Yodo.B.dr Email-Worm.Win32.Yodo.a Worm.Yodo Win32/Yodo.B.Dropper Win32.Worm-email.Yodo.Eddu I-Worm.Yodo!uEen0717POE W32/Yodo.A!worm Win32/Worm.bde", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Yodo.A@mm": [[26, 41], [142, 157], [182, 197], [238, 253], [280, 295]], "Indicator: Worm/W32.Yodo.1273856": [[42, 63]], "Indicator: W32/Yodo.a": [[64, 74]], "Indicator: Win32.Yodo.E90817": [[75, 92]], "Indicator: WORM_YODO.F": [[93, 104], [130, 141]], "Indicator: W32.Yodo@mm": [[105, 116]], "Indicator: Win32/Yodo.D": [[117, 129]], "Indicator: Email-Worm.Win32.Yodo.a": [[158, 181], [491, 514]], "Indicator: Trojan.Win32.Yodo.bdnumu": [[198, 222]], "Indicator: W32.W.Yodo.a!c": [[223, 237]], "Indicator: Worm.Win32.Yodo.B.Dropper": 
[[254, 279]], "Indicator: Trojan.MulDrop.572": [[296, 314]], "Indicator: Worm.Yodo.Win32.1": [[315, 332]], "Indicator: BehavesLike.Win32.VBObfus.tm": [[333, 361]], "Indicator: W32/Risk.OQBD-6759": [[362, 380]], "Indicator: Worm/Yodo.b": [[381, 392]], "Indicator: Worm:Win32/Yodo.B.dr": [[393, 413], [470, 490]], "Indicator: WORM/Yodo.A.1": [[414, 427]], "Indicator: Worm[Email]/Win32.Yodo": [[428, 450]], "Indicator: Worm.Yodo.a.kcloud": [[451, 469]], "Indicator: Worm.Yodo": [[515, 524]], "Indicator: Win32/Yodo.B.Dropper": [[525, 545]], "Indicator: Win32.Worm-email.Yodo.Eddu": [[546, 572]], "Indicator: I-Worm.Yodo!uEen0717POE": [[573, 596]], "Indicator: W32/Yodo.A!worm": [[597, 612]], "Indicator: Win32/Worm.bde": [[613, 627]]}, "info": {"id": "cyner2_5class_train_01482", "source": "cyner2_5class_train"}} +{"text": "We don't have the statistics of devices vulnerable to both issues at the same time.", "spans": {"Vulnerability: devices vulnerable": [[32, 50]]}, "info": {"id": "cyner2_5class_train_01483", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Krypt.8 TROJ_TDSS.SMA Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_TDSS.SMA Packed.Win32.TDSS.aa Trojan.Win32.Tdss.btyvr Win32.PkdTdss Trojan.Packed.2936 BehavesLike.Win32.Adware.kc TrojanDropper:Win32/Sudiet.A Packer.W32.Tdss!c Packed.Win32.TDSS.aa Trojan/Win32.ADH.R21764 Trojan.TDSS.01414 Win32.Packed.Tdss.Akox Packer.Win32.Tdss W32/PackTDss.K!tr Win32/Trojan.5b8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Krypt.8": [[26, 40]], "Indicator: TROJ_TDSS.SMA": [[41, 54], [98, 111]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[55, 97]], "Indicator: Packed.Win32.TDSS.aa": [[112, 132], [265, 285]], "Indicator: Trojan.Win32.Tdss.btyvr": [[133, 156]], "Indicator: Win32.PkdTdss": [[157, 170]], "Indicator: Trojan.Packed.2936": [[171, 189]], "Indicator: BehavesLike.Win32.Adware.kc": [[190, 217]], "Indicator: TrojanDropper:Win32/Sudiet.A": [[218, 246]], "Indicator: 
Packer.W32.Tdss!c": [[247, 264]], "Indicator: Trojan/Win32.ADH.R21764": [[286, 309]], "Indicator: Trojan.TDSS.01414": [[310, 327]], "Indicator: Win32.Packed.Tdss.Akox": [[328, 350]], "Indicator: Packer.Win32.Tdss": [[351, 368]], "Indicator: W32/PackTDss.K!tr": [[369, 386]], "Indicator: Win32/Trojan.5b8": [[387, 403]]}, "info": {"id": "cyner2_5class_train_01484", "source": "cyner2_5class_train"}} +{"text": "But Dvmap is very special rooting malware .", "spans": {"Malware: Dvmap": [[4, 9]]}, "info": {"id": "cyner2_5class_train_01485", "source": "cyner2_5class_train"}} +{"text": "Potential targets The actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets .", "spans": {"Malware: FrozenCell": [[36, 46]]}, "info": {"id": "cyner2_5class_train_01486", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Bundpil.d Win32.Worm.Resparc.B Trojan:Win32/Lodbak.A Trojan/Win32.Lodbak.R151670 Trj/Gamarue.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Bundpil.d": [[26, 46]], "Indicator: Win32.Worm.Resparc.B": [[47, 67]], "Indicator: Trojan:Win32/Lodbak.A": [[68, 89]], "Indicator: Trojan/Win32.Lodbak.R151670": [[90, 117]], "Indicator: Trj/Gamarue.A": [[118, 131]]}, "info": {"id": "cyner2_5class_train_01487", "source": "cyner2_5class_train"}} +{"text": "Intrusions began as early as 1996.", "spans": {"Indicator: Intrusions": [[0, 10]]}, "info": {"id": "cyner2_5class_train_01488", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Scrop.exbmlp BehavesLike.Win32.AdwareConvertAd.fh W32/Trojan.YEZU-6096 TrojanDropper.Scrop.ns Trojan[Dropper]/Win32.Scrop Backdoor:Win32/Blopod.A!bit Trojan.Symmi.D13661 Dropper/Win32.Scrop.C2319178 TrojanDropper.Scrop Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Scrop.exbmlp": [[26, 51]], "Indicator: BehavesLike.Win32.AdwareConvertAd.fh": [[52, 88]], "Indicator: 
W32/Trojan.YEZU-6096": [[89, 109]], "Indicator: TrojanDropper.Scrop.ns": [[110, 132]], "Indicator: Trojan[Dropper]/Win32.Scrop": [[133, 160]], "Indicator: Backdoor:Win32/Blopod.A!bit": [[161, 188]], "Indicator: Trojan.Symmi.D13661": [[189, 208]], "Indicator: Dropper/Win32.Scrop.C2319178": [[209, 237]], "Indicator: TrojanDropper.Scrop": [[238, 257]], "Indicator: Trj/GdSda.A": [[258, 269]]}, "info": {"id": "cyner2_5class_train_01489", "source": "cyner2_5class_train"}} +{"text": "Data is eventually exfiltrated over a TLS connection to the Command & Control server ws.my-local-weather [ .", "spans": {"Indicator: server ws.my-local-weather [ .": [[78, 108]]}, "info": {"id": "cyner2_5class_train_01490", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Netstop.A Backdoor.Padmin Backdoor.W32.Padmin.08!c Trojan/wGet.d Backdoor.Padmin.0.8 W32/Risk.LANR-3940 Win.Trojan.Padmin-2 Backdoor.Padmin.0.8 Trojan.Netstop.A Trojan.Win32.Padmin.dyyica Backdoor.Win32.Padmin.08 Trojan.Netstop.A BackDoor-ATM.dr Backdoor/Padmin.08.Install DR/Padmin.08 BackDoor-ATM.dr Backdoor.Padmin Bck/Iroffer.BG Win32/Padmin.08.A.dropper W32/Padmin.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Netstop.A": [[26, 42], [177, 193], [246, 262]], "Indicator: Backdoor.Padmin": [[43, 58], [335, 350]], "Indicator: Backdoor.W32.Padmin.08!c": [[59, 83]], "Indicator: Trojan/wGet.d": [[84, 97]], "Indicator: Backdoor.Padmin.0.8": [[98, 117], [157, 176]], "Indicator: W32/Risk.LANR-3940": [[118, 136]], "Indicator: Win.Trojan.Padmin-2": [[137, 156]], "Indicator: Trojan.Win32.Padmin.dyyica": [[194, 220]], "Indicator: Backdoor.Win32.Padmin.08": [[221, 245]], "Indicator: BackDoor-ATM.dr": [[263, 278], [319, 334]], "Indicator: Backdoor/Padmin.08.Install": [[279, 305]], "Indicator: DR/Padmin.08": [[306, 318]], "Indicator: Bck/Iroffer.BG": [[351, 365]], "Indicator: Win32/Padmin.08.A.dropper": [[366, 391]], "Indicator: W32/Padmin.A!tr.bdr": [[392, 411]]}, "info": {"id": 
"cyner2_5class_train_01491", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.Heur.cmSfNKMeS5mk WORM_AMBLER.SMI Win32.Trojan.WisdomEyes.16070401.9500.9938 WORM_AMBLER.SMI Trojan.Win32.BHO.bmciwr Trojan.PWS.Finanz.origin W32/Ambler.dll TrojanDownloader:Win32/BHO.A TrojanDownloader.BHO Trj/CI.A Win32.Trojan.Spy.Hrza TrojanSpy.Banker!l0YgZsorMww Trojan-Spy.Finanz.J W32/Ambler.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Heur.cmSfNKMeS5mk": [[26, 50]], "Indicator: WORM_AMBLER.SMI": [[51, 66], [110, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9938": [[67, 109]], "Indicator: Trojan.Win32.BHO.bmciwr": [[126, 149]], "Indicator: Trojan.PWS.Finanz.origin": [[150, 174]], "Indicator: W32/Ambler.dll": [[175, 189]], "Indicator: TrojanDownloader:Win32/BHO.A": [[190, 218]], "Indicator: TrojanDownloader.BHO": [[219, 239]], "Indicator: Trj/CI.A": [[240, 248]], "Indicator: Win32.Trojan.Spy.Hrza": [[249, 270]], "Indicator: TrojanSpy.Banker!l0YgZsorMww": [[271, 299]], "Indicator: Trojan-Spy.Finanz.J": [[300, 319]], "Indicator: W32/Ambler.A!tr": [[320, 335]]}, "info": {"id": "cyner2_5class_train_01492", "source": "cyner2_5class_train"}} +{"text": "The app then continues to run in the background without the user ’ s knowledge .", "spans": {}, "info": {"id": "cyner2_5class_train_01493", "source": "cyner2_5class_train"}} +{"text": "This new report is an updated dissection of the group's attacks and methodologies—something to help organizations gain a more comprehensive and current view of these processes and what can be done to defend against them.", "spans": {"Indicator: attacks": [[56, 63]], "Organization: organizations": [[100, 113]]}, "info": {"id": "cyner2_5class_train_01494", "source": "cyner2_5class_train"}} +{"text": "The email messages used in the attacks leverage themes related to economic development and politics in Burma, which is relevant to the work of the NGO.", "spans": {"Indicator: email messages": [[4, 18]], 
"Indicator: attacks leverage themes related to economic development": [[31, 86]], "Indicator: politics": [[91, 99]], "Organization: NGO.": [[147, 151]]}, "info": {"id": "cyner2_5class_train_01495", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan:Win32/Vareids.A Trojan.FakeAV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan:Win32/Vareids.A": [[26, 48]], "Indicator: Trojan.FakeAV": [[49, 62]]}, "info": {"id": "cyner2_5class_train_01496", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VBKrypt!O Worm.Rebhip.B3 Troj.W32.Scar!c Trojan/Injector.eyu Trojan.Win32.Scar.odxb Trojan.Win32.VBKrypt.ecjqdh Trojan.Win32.A.VBKrypt.200710 TrojWare.Win32.VBKrypt.cjb Trojan.Inject.27856 Trojan.VBKrypt.Win32.39868 BehavesLike.Win32.PWSSpyeye.cc W32/Trojan.FNVH-2986 Trojan/VBKrypt.bgwm Trojan/Win32.VBKrypt Trojan.ManBat.1 Trojan.Win32.Scar.odxb Trojan/Win32.VBKrypt.C66955 PWS-Spyeye.el SScope.Malware-Cryptor.VBCR.1841 Win32.Trojan.Scar.Tccd Trojan.VBKrypt!joEshOiwspo Win32/Trojan.00c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VBKrypt!O": [[26, 48]], "Indicator: Worm.Rebhip.B3": [[49, 63]], "Indicator: Troj.W32.Scar!c": [[64, 79]], "Indicator: Trojan/Injector.eyu": [[80, 99]], "Indicator: Trojan.Win32.Scar.odxb": [[100, 122], [364, 386]], "Indicator: Trojan.Win32.VBKrypt.ecjqdh": [[123, 150]], "Indicator: Trojan.Win32.A.VBKrypt.200710": [[151, 180]], "Indicator: TrojWare.Win32.VBKrypt.cjb": [[181, 207]], "Indicator: Trojan.Inject.27856": [[208, 227]], "Indicator: Trojan.VBKrypt.Win32.39868": [[228, 254]], "Indicator: BehavesLike.Win32.PWSSpyeye.cc": [[255, 285]], "Indicator: W32/Trojan.FNVH-2986": [[286, 306]], "Indicator: Trojan/VBKrypt.bgwm": [[307, 326]], "Indicator: Trojan/Win32.VBKrypt": [[327, 347]], "Indicator: Trojan.ManBat.1": [[348, 363]], "Indicator: Trojan/Win32.VBKrypt.C66955": [[387, 414]], "Indicator: PWS-Spyeye.el": [[415, 428]], "Indicator: 
SScope.Malware-Cryptor.VBCR.1841": [[429, 461]], "Indicator: Win32.Trojan.Scar.Tccd": [[462, 484]], "Indicator: Trojan.VBKrypt!joEshOiwspo": [[485, 511]], "Indicator: Win32/Trojan.00c": [[512, 528]]}, "info": {"id": "cyner2_5class_train_01497", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/VB.qtt Backdoor.Win32.Sdbot.aeua Trojan.Win32.Nifclop.bbwtga Trojan.DownLoader6.34031 TR/Nifclop.A.6 Trojan:Win32/Nifclop.A Backdoor.Win32.Sdbot.aeua Win32/VB.QTT Trojan.Win32.Nifclop Win32/Trojan.fdb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/VB.qtt": [[26, 39]], "Indicator: Backdoor.Win32.Sdbot.aeua": [[40, 65], [157, 182]], "Indicator: Trojan.Win32.Nifclop.bbwtga": [[66, 93]], "Indicator: Trojan.DownLoader6.34031": [[94, 118]], "Indicator: TR/Nifclop.A.6": [[119, 133]], "Indicator: Trojan:Win32/Nifclop.A": [[134, 156]], "Indicator: Win32/VB.QTT": [[183, 195]], "Indicator: Trojan.Win32.Nifclop": [[196, 216]], "Indicator: Win32/Trojan.fdb": [[217, 233]]}, "info": {"id": "cyner2_5class_train_01498", "source": "cyner2_5class_train"}} +{"text": "During the last few days, we have observed a campaign redirecting visitors from large websites to the Angler EK.", "spans": {"Indicator: large websites": [[80, 94]], "Malware: Angler EK.": [[102, 112]]}, "info": {"id": "cyner2_5class_train_01499", "source": "cyner2_5class_train"}} +{"text": "But our researchers have predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_01500", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O TrojanDropper.Dexel.A5 Trojan.Blocker.Win32.18819 WORM_DEXEL.SM Win32.Trojan.WisdomEyes.16070401.9500.9869 W32/Autorun.LWDQ-2252 W32.SillyFDC Win32/Dapato.AY WORM_DEXEL.SM Trojan.Win32.Blocker.dbnfux Troj.Dropper.W32.FrauDrop.tnsr BehavesLike.Win32.Trojan.fh 
W32/Autorun.ABG TrojanDropper.Dapato.pgs Trojan[Dropper]/Win32.Dapato TrojanDropper:Win32/Dexel.A Trojan.Zusy.D26D16 Win32.Trojan.Dapato.B HEUR/Fakon.mwf TrojanDropper.FrauDrop Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Gamarue.2!O": [[26, 61]], "Indicator: TrojanDropper.Dexel.A5": [[62, 84]], "Indicator: Trojan.Blocker.Win32.18819": [[85, 111]], "Indicator: WORM_DEXEL.SM": [[112, 125], [220, 233]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9869": [[126, 168]], "Indicator: W32/Autorun.LWDQ-2252": [[169, 190]], "Indicator: W32.SillyFDC": [[191, 203]], "Indicator: Win32/Dapato.AY": [[204, 219]], "Indicator: Trojan.Win32.Blocker.dbnfux": [[234, 261]], "Indicator: Troj.Dropper.W32.FrauDrop.tnsr": [[262, 292]], "Indicator: BehavesLike.Win32.Trojan.fh": [[293, 320]], "Indicator: W32/Autorun.ABG": [[321, 336]], "Indicator: TrojanDropper.Dapato.pgs": [[337, 361]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[362, 390]], "Indicator: TrojanDropper:Win32/Dexel.A": [[391, 418]], "Indicator: Trojan.Zusy.D26D16": [[419, 437]], "Indicator: Win32.Trojan.Dapato.B": [[438, 459]], "Indicator: HEUR/Fakon.mwf": [[460, 474]], "Indicator: TrojanDropper.FrauDrop": [[475, 497]], "Indicator: Trj/CI.A": [[498, 506]]}, "info": {"id": "cyner2_5class_train_01501", "source": "cyner2_5class_train"}} +{"text": "Threat actors can register subdomains through the hosting provider and use the provider ’ s services for a short-period campaign .", "spans": {}, "info": {"id": "cyner2_5class_train_01502", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SvchostVS.Trojan Worm.Moarider Trojan/Autoit.nlq Win32.Trojan.AutoIt.a Bloodhound.Malautoit WORM_SOHANAD_EH110001.UVPC Trojan.Win32.Autoit.aza Trojan.Script.AutoIt.dbycya Troj.W32.Autoit.lWNh TrojWare.Win32.Autoit.AZA Trojan.DownLoader19.27399 WORM_SOHANAD_EH110001.UVPC BehavesLike.Win32.Comame.fc Trojan.Win32.Autoit TR/BAS.Samca.1188111 Trojan:Win32/Svhoder.A 
Trojan.Heur.E6CE86 Trojan.Win32.Autoit.aza HEUR/Fakon.mwf Trojan.Autoit.Wirus Trojan.Autoit.NLQ Win32/Autoit.NLQ W32/Autoit.NLQ!tr W32/Sality.AH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SvchostVS.Trojan": [[26, 46]], "Indicator: Worm.Moarider": [[47, 60]], "Indicator: Trojan/Autoit.nlq": [[61, 78]], "Indicator: Win32.Trojan.AutoIt.a": [[79, 100]], "Indicator: Bloodhound.Malautoit": [[101, 121]], "Indicator: WORM_SOHANAD_EH110001.UVPC": [[122, 148], [274, 300]], "Indicator: Trojan.Win32.Autoit.aza": [[149, 172], [412, 435]], "Indicator: Trojan.Script.AutoIt.dbycya": [[173, 200]], "Indicator: Troj.W32.Autoit.lWNh": [[201, 221]], "Indicator: TrojWare.Win32.Autoit.AZA": [[222, 247]], "Indicator: Trojan.DownLoader19.27399": [[248, 273]], "Indicator: BehavesLike.Win32.Comame.fc": [[301, 328]], "Indicator: Trojan.Win32.Autoit": [[329, 348]], "Indicator: TR/BAS.Samca.1188111": [[349, 369]], "Indicator: Trojan:Win32/Svhoder.A": [[370, 392]], "Indicator: Trojan.Heur.E6CE86": [[393, 411]], "Indicator: HEUR/Fakon.mwf": [[436, 450]], "Indicator: Trojan.Autoit.Wirus": [[451, 470]], "Indicator: Trojan.Autoit.NLQ": [[471, 488]], "Indicator: Win32/Autoit.NLQ": [[489, 505]], "Indicator: W32/Autoit.NLQ!tr": [[506, 523]], "Indicator: W32/Sality.AH": [[524, 537]]}, "info": {"id": "cyner2_5class_train_01503", "source": "cyner2_5class_train"}} +{"text": "Summary PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps .", "spans": {}, "info": {"id": "cyner2_5class_train_01504", "source": "cyner2_5class_train"}} +{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {"Indicator: 185.158.248 [ .": [[37, 52]]}, "info": {"id": "cyner2_5class_train_01505", "source": "cyner2_5class_train"}} +{"text": "This infection is based on previously reported Gozi ISFB/Ursnif activity from March 6, 2023.", "spans": {"Malware: infection": [[5, 14]]}, "info": {"id": "cyner2_5class_train_01506", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: PUP.Optional.BrSoftware Trojan.ADH Trojan-Banker.Win32.Lohmys.a Application.Win32.Midia.BR MalSign.Skodna.BRS Adware.Win32.Midia.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUP.Optional.BrSoftware": [[26, 49]], "Indicator: Trojan.ADH": [[50, 60]], "Indicator: Trojan-Banker.Win32.Lohmys.a": [[61, 89]], "Indicator: Application.Win32.Midia.BR": [[90, 116]], "Indicator: MalSign.Skodna.BRS": [[117, 135]], "Indicator: Adware.Win32.Midia.B": [[136, 156]]}, "info": {"id": "cyner2_5class_train_01507", "source": "cyner2_5class_train"}} +{"text": "The majority of droppers in 9Apps are games , while the rest fall into categories of adult entertainment , media player , photo utilities , and system utilities .", "spans": {"System: 9Apps": [[28, 33]]}, "info": {"id": "cyner2_5class_train_01508", "source": "cyner2_5class_train"}} +{"text": "It is designed to steal money from unsuspecting victims right off their bank accounts without them even noticing.", "spans": {}, "info": {"id": "cyner2_5class_train_01509", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9866 W32/Trojan.IKAJ-5854 Infostealer.Banker.C Win32/Kollah.MWH Trojan.JarDrop.1 W32.Trojan.Dropper TR/Spy.ZBot.aww TrojanDropper:Win32/Jazuz.A Win32/Trojan.Spy.d85", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9866": [[26, 68]], "Indicator: W32/Trojan.IKAJ-5854": [[69, 89]], "Indicator: Infostealer.Banker.C": [[90, 110]], "Indicator: Win32/Kollah.MWH": [[111, 127]], "Indicator: Trojan.JarDrop.1": [[128, 144]], "Indicator: W32.Trojan.Dropper": [[145, 163]], "Indicator: TR/Spy.ZBot.aww": [[164, 179]], "Indicator: TrojanDropper:Win32/Jazuz.A": [[180, 207]], "Indicator: Win32/Trojan.Spy.d85": [[208, 228]]}, "info": {"id": "cyner2_5class_train_01510", "source": "cyner2_5class_train"}} +{"text": "Indicators about some panels hosting the DDoS Blue Botnet", "spans": 
{"Indicator: Indicators": [[0, 10]], "Malware: DDoS Blue Botnet": [[41, 57]]}, "info": {"id": "cyner2_5class_train_01511", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //nttdocomo-qaw [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaw [ .": [[6, 32]]}, "info": {"id": "cyner2_5class_train_01512", "source": "cyner2_5class_train"}} +{"text": "The utility can be installed on smartphones and tablets as a program named Insta Plus, Profile Checker, and Cleaner Pro.", "spans": {"System: smartphones": [[32, 43]], "System: tablets": [[48, 55]], "Indicator: program": [[61, 68]], "Indicator: Insta Plus, Profile Checker,": [[75, 103]], "Indicator: Cleaner Pro.": [[108, 120]]}, "info": {"id": "cyner2_5class_train_01513", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Minnerchek Trojan.Win32.S.Downloader.31046816 Trojan.Win32.Minnerchek Adware.Installcore Trojan:Win32/Minnerchek.A Dropper/Win32.CoinMiner.C2322242 Trj/Downloader.MEP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Minnerchek": [[26, 43]], "Indicator: Trojan.Win32.S.Downloader.31046816": [[44, 78]], "Indicator: Trojan.Win32.Minnerchek": [[79, 102]], "Indicator: Adware.Installcore": [[103, 121]], "Indicator: Trojan:Win32/Minnerchek.A": [[122, 147]], "Indicator: Dropper/Win32.CoinMiner.C2322242": [[148, 180]], "Indicator: Trj/Downloader.MEP": [[181, 199]]}, "info": {"id": "cyner2_5class_train_01514", "source": "cyner2_5class_train"}} +{"text": "The sux library appears to be a customized super user ( su ) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user ( su ) binary in order to run privileged commands on the system .", "spans": {"Indicator: com.koushikdutta.superuser": [[94, 120]]}, "info": {"id": "cyner2_5class_train_01515", "source": "cyner2_5class_train"}} +{"text": "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another 
website .", "spans": {}, "info": {"id": "cyner2_5class_train_01516", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.689E PUP.Firseria/Variant Trojan.Application.Bundler.Morstar.30 Trojan.Dropper Win32/Tnega.ZRdFDZD Win.Adware.Morstar-136 not-a-virus:Downloader.Win32.Morstar.dhp Trojan.Win32.Morstar.dmuxrd Adware.Win32.Firseria.b Trojan.DownLoader11.57090 AdWare/Solimba.h RiskWare[Downloader]/Win32.Morstar TrojanDropper:Win32/Sventore.C not-a-virus:Downloader.Win32.Morstar.dhp Win32.Application.Morstar.E PUP/Win32.Solimba.R133806 PUP.Optional.Firseria PUA.Downloader! AdWare.BundleApp Win32/Application.164", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.689E": [[26, 44]], "Indicator: PUP.Firseria/Variant": [[45, 65]], "Indicator: Trojan.Application.Bundler.Morstar.30": [[66, 103]], "Indicator: Trojan.Dropper": [[104, 118]], "Indicator: Win32/Tnega.ZRdFDZD": [[119, 138]], "Indicator: Win.Adware.Morstar-136": [[139, 161]], "Indicator: not-a-virus:Downloader.Win32.Morstar.dhp": [[162, 202], [364, 404]], "Indicator: Trojan.Win32.Morstar.dmuxrd": [[203, 230]], "Indicator: Adware.Win32.Firseria.b": [[231, 254]], "Indicator: Trojan.DownLoader11.57090": [[255, 280]], "Indicator: AdWare/Solimba.h": [[281, 297]], "Indicator: RiskWare[Downloader]/Win32.Morstar": [[298, 332]], "Indicator: TrojanDropper:Win32/Sventore.C": [[333, 363]], "Indicator: Win32.Application.Morstar.E": [[405, 432]], "Indicator: PUP/Win32.Solimba.R133806": [[433, 458]], "Indicator: PUP.Optional.Firseria": [[459, 480]], "Indicator: PUA.Downloader!": [[481, 496]], "Indicator: AdWare.BundleApp": [[497, 513]], "Indicator: Win32/Application.164": [[514, 535]]}, "info": {"id": "cyner2_5class_train_01517", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D4E7E3 Win32.Trojan.WisdomEyes.16070401.9500.9858 Trojan.Win32.CFI.eurnzt Trojan.Win32.Z.Kazy.253952.EN TrojWare.Win32.FraudPack.P Trojan.Click2.54806 
W32/Trojan.JQCG-7679 PWS:Win32/Reteged.B TrojanSpy.Dibik Trojan-Spy.Reteged Adware/Win32.180solutions.BM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D4E7E3": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9858": [[45, 87]], "Indicator: Trojan.Win32.CFI.eurnzt": [[88, 111]], "Indicator: Trojan.Win32.Z.Kazy.253952.EN": [[112, 141]], "Indicator: TrojWare.Win32.FraudPack.P": [[142, 168]], "Indicator: Trojan.Click2.54806": [[169, 188]], "Indicator: W32/Trojan.JQCG-7679": [[189, 209]], "Indicator: PWS:Win32/Reteged.B": [[210, 229]], "Indicator: TrojanSpy.Dibik": [[230, 245]], "Indicator: Trojan-Spy.Reteged": [[246, 264]], "Indicator: Adware/Win32.180solutions.BM": [[265, 293]]}, "info": {"id": "cyner2_5class_train_01518", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Mlw.ewmnqj W32/Trojan.MKOX-6072 TR/Dropper.MSIL.citga Trj/CI.A Win32/Trojan.5e4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Win32.Mlw.ewmnqj": [[69, 92]], "Indicator: W32/Trojan.MKOX-6072": [[93, 113]], "Indicator: TR/Dropper.MSIL.citga": [[114, 135]], "Indicator: Trj/CI.A": [[136, 144]], "Indicator: Win32/Trojan.5e4": [[145, 161]]}, "info": {"id": "cyner2_5class_train_01519", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Cyn.18944.B Backdoor.Cyn Email-Worm.Win32.GOPworm.196 BKDR_CYN.C Backdoor.Trojan BKDR_CYN.C Backdoor.Win32.Cyn.12.a Trojan.Win32.Cyn.dotopq Backdoor.Win32.Cyn_12.EditSvr BackDoor.Cyn.12 Trojan.Cyn.Win32.1 BehavesLike.Win32.Trojan.lh W32/Risk.EBIW-7264 Backdoor/Cyn.f BDC/Cyn.12.A.EdS Backdoor:Win32/Cyn.1_02 Backdoor.Win32.Cyn.12.a Win-Trojan/Cyn_v12.18944 Email-Worm.Win32.GOPworm.196 SScope.Trojan.VBRA.3344 Bck/Cyn.12 Win32/Cyn.12 Backdoor.Cyn!pLjU0MDAXWM W32/Cyn.12!tr.bdr Win32/Backdoor.ac7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Backdoor/W32.Cyn.18944.B": [[26, 50]], "Indicator: Backdoor.Cyn": [[51, 63]], "Indicator: Email-Worm.Win32.GOPworm.196": [[64, 92], [396, 424]], "Indicator: BKDR_CYN.C": [[93, 103], [120, 130]], "Indicator: Backdoor.Trojan": [[104, 119]], "Indicator: Backdoor.Win32.Cyn.12.a": [[131, 154], [347, 370]], "Indicator: Trojan.Win32.Cyn.dotopq": [[155, 178]], "Indicator: Backdoor.Win32.Cyn_12.EditSvr": [[179, 208]], "Indicator: BackDoor.Cyn.12": [[209, 224]], "Indicator: Trojan.Cyn.Win32.1": [[225, 243]], "Indicator: BehavesLike.Win32.Trojan.lh": [[244, 271]], "Indicator: W32/Risk.EBIW-7264": [[272, 290]], "Indicator: Backdoor/Cyn.f": [[291, 305]], "Indicator: BDC/Cyn.12.A.EdS": [[306, 322]], "Indicator: Backdoor:Win32/Cyn.1_02": [[323, 346]], "Indicator: Win-Trojan/Cyn_v12.18944": [[371, 395]], "Indicator: SScope.Trojan.VBRA.3344": [[425, 448]], "Indicator: Bck/Cyn.12": [[449, 459]], "Indicator: Win32/Cyn.12": [[460, 472]], "Indicator: Backdoor.Cyn!pLjU0MDAXWM": [[473, 497]], "Indicator: W32/Cyn.12!tr.bdr": [[498, 515]], "Indicator: Win32/Backdoor.ac7": [[516, 534]]}, "info": {"id": "cyner2_5class_train_01520", "source": "cyner2_5class_train"}} +{"text": "Code snippets showing how GolfSpy monitors phone calls via register receiver ( top left ) , its actions when the device is woken up ( top right ) , and how it encrypts the stolen data ( bottom ) The malware retrieves commands from the C & C server via HTTP , and attackers can steal specific files on the infected device .", "spans": {"Malware: GolfSpy": [[26, 33]]}, "info": {"id": "cyner2_5class_train_01521", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Exxroute.A3 Ransom.Cerber Win32.Trojan.Kryptik.bjk Ransom_CERBER.SM37 Win.Ransomware.Cerber-6162277-0 Trojan.Win32.Zerber.eltxmx Troj.Ransom.W32.Zerber.toho Trojan.DownLoader23.53130 Trojan.Kryptik.Win32.1113485 Ransom_CERBER.SM37 BehavesLike.Win32.Ransom.kh Trojan.Zerber.atr Backdoor:Win32/Crugup.B W32/Kryptik.FOLJ!tr", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Exxroute.A3": [[26, 44]], "Indicator: Ransom.Cerber": [[45, 58]], "Indicator: Win32.Trojan.Kryptik.bjk": [[59, 83]], "Indicator: Ransom_CERBER.SM37": [[84, 102], [245, 263]], "Indicator: Win.Ransomware.Cerber-6162277-0": [[103, 134]], "Indicator: Trojan.Win32.Zerber.eltxmx": [[135, 161]], "Indicator: Troj.Ransom.W32.Zerber.toho": [[162, 189]], "Indicator: Trojan.DownLoader23.53130": [[190, 215]], "Indicator: Trojan.Kryptik.Win32.1113485": [[216, 244]], "Indicator: BehavesLike.Win32.Ransom.kh": [[264, 291]], "Indicator: Trojan.Zerber.atr": [[292, 309]], "Indicator: Backdoor:Win32/Crugup.B": [[310, 333]], "Indicator: W32/Kryptik.FOLJ!tr": [[334, 353]]}, "info": {"id": "cyner2_5class_train_01522", "source": "cyner2_5class_train"}} +{"text": "Typically, these campaigns leverage spear phishing as the delivery vector and often include malicious attachments designed to bypass typical detection controls.", "spans": {"Indicator: spear phishing": [[36, 50]], "Indicator: delivery vector": [[58, 73]], "Indicator: malicious attachments": [[92, 113]]}, "info": {"id": "cyner2_5class_train_01523", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.BackdoorKasidetAF.Trojan Backdoor/W32.Kasidet.87040 Trojan.Dynamer.20568 Backdoor.W32.Kasidet.tnrA BKDR_NEUTRINO.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Kasidet.J BKDR_NEUTRINO.SM Backdoor.Win32.Kasidet.bgo Trojan.Win32.Kasidet.dpmgpp Worm.Win32.Kasidet.CAK BackDoor.Neutrino.19 Backdoor.Kasidet.Win32.519 BehavesLike.Win32.TrojanShifu.mh Worm.Win32.Kasidet W32/Kasidet.INNN-8495 Backdoor/Kasidet.by TR/Hijacker.ldiu Trojan[Backdoor]/Win32.Kasidet Backdoor:Win32/Kasidet.C Backdoor.Win32.Kasidet.bgo Trojan/Win32.Dynamer.R156738 Backdoor.Kasidet Spyware.PasswordStealer Win32/Kasidet.AB Win32.Backdoor.Kasidet.Phgi Win32/Trojan.cd8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BackdoorKasidetAF.Trojan": [[26, 54]], "Indicator: 
Backdoor/W32.Kasidet.87040": [[55, 81]], "Indicator: Trojan.Dynamer.20568": [[82, 102]], "Indicator: Backdoor.W32.Kasidet.tnrA": [[103, 128]], "Indicator: BKDR_NEUTRINO.SM": [[129, 145], [203, 219]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[146, 188]], "Indicator: W32/Kasidet.J": [[189, 202]], "Indicator: Backdoor.Win32.Kasidet.bgo": [[220, 246], [513, 539]], "Indicator: Trojan.Win32.Kasidet.dpmgpp": [[247, 274]], "Indicator: Worm.Win32.Kasidet.CAK": [[275, 297]], "Indicator: BackDoor.Neutrino.19": [[298, 318]], "Indicator: Backdoor.Kasidet.Win32.519": [[319, 345]], "Indicator: BehavesLike.Win32.TrojanShifu.mh": [[346, 378]], "Indicator: Worm.Win32.Kasidet": [[379, 397]], "Indicator: W32/Kasidet.INNN-8495": [[398, 419]], "Indicator: Backdoor/Kasidet.by": [[420, 439]], "Indicator: TR/Hijacker.ldiu": [[440, 456]], "Indicator: Trojan[Backdoor]/Win32.Kasidet": [[457, 487]], "Indicator: Backdoor:Win32/Kasidet.C": [[488, 512]], "Indicator: Trojan/Win32.Dynamer.R156738": [[540, 568]], "Indicator: Backdoor.Kasidet": [[569, 585]], "Indicator: Spyware.PasswordStealer": [[586, 609]], "Indicator: Win32/Kasidet.AB": [[610, 626]], "Indicator: Win32.Backdoor.Kasidet.Phgi": [[627, 654]], "Indicator: Win32/Trojan.cd8": [[655, 671]]}, "info": {"id": "cyner2_5class_train_01524", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9978 Trojan.Win32.Infospy.everjh Trojan.Infospy.13 BehavesLike.Win32.FakeAlert.lh Trojan-Dropper.Win32.Jscrpt W32.Trojan.Emotet TrojanDropper:Win32/Jscrpt.A!bit Trj/CI.A Win32/Trojan.f75", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9978": [[26, 68]], "Indicator: Trojan.Win32.Infospy.everjh": [[69, 96]], "Indicator: Trojan.Infospy.13": [[97, 114]], "Indicator: BehavesLike.Win32.FakeAlert.lh": [[115, 145]], "Indicator: Trojan-Dropper.Win32.Jscrpt": [[146, 173]], "Indicator: W32.Trojan.Emotet": [[174, 191]], "Indicator: 
TrojanDropper:Win32/Jscrpt.A!bit": [[192, 224]], "Indicator: Trj/CI.A": [[225, 233]], "Indicator: Win32/Trojan.f75": [[234, 250]]}, "info": {"id": "cyner2_5class_train_01525", "source": "cyner2_5class_train"}} +{"text": "Country selection The administration console screenshots also show the ability to filter the results by country .", "spans": {}, "info": {"id": "cyner2_5class_train_01526", "source": "cyner2_5class_train"}} +{"text": "However it ’ s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report .", "spans": {"Malware: ViperRAT": [[68, 76]]}, "info": {"id": "cyner2_5class_train_01527", "source": "cyner2_5class_train"}} +{"text": "So I think that the authors are still testing this malware , because they use some techniques which can break the infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_01528", "source": "cyner2_5class_train"}} +{"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger .", "spans": {}, "info": {"id": "cyner2_5class_train_01529", "source": "cyner2_5class_train"}} +{"text": "Overlapping Infrastructure with eSurv Surveillance Cameras The Command & Control domain configured in several of the malicious applications found on Google Play Store , ws.my-local-weather [ .", "spans": {"System: Google Play Store": [[149, 166]], "Indicator: ws.my-local-weather [ .": [[169, 192]]}, "info": {"id": "cyner2_5class_train_01530", "source": "cyner2_5class_train"}} +{"text": "The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015 .", "spans": {}, "info": {"id": "cyner2_5class_train_01531", "source": "cyner2_5class_train"}} +{"text": "He matched both PDB paths as wel as behaviour to these samples, this blog describes the changed made to CryptoApp as well as the active campaign.", 
"spans": {"Indicator: PDB paths": [[16, 25]], "Malware: CryptoApp": [[104, 113]]}, "info": {"id": "cyner2_5class_train_01532", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Tepfer Trojan-PSW.Win32.Tepfer.psxgjz Troj.Psw.W32.Tepfer!c Trojan.MSIL.Crypt TR/Dropper.MSIL.273998 Trojan-PSW.Win32.Tepfer.psxgjz Trojan:Win32/Matta.A!gfc TrojanPSW.Tepfer Trj/GdSda.A Win32.Trojan.Falsesign.Agbe MSIL/Injector.ONL!tr Win32/Trojan.Dropper.28b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Tepfer": [[26, 42]], "Indicator: Trojan-PSW.Win32.Tepfer.psxgjz": [[43, 73], [137, 167]], "Indicator: Troj.Psw.W32.Tepfer!c": [[74, 95]], "Indicator: Trojan.MSIL.Crypt": [[96, 113]], "Indicator: TR/Dropper.MSIL.273998": [[114, 136]], "Indicator: Trojan:Win32/Matta.A!gfc": [[168, 192]], "Indicator: TrojanPSW.Tepfer": [[193, 209]], "Indicator: Trj/GdSda.A": [[210, 221]], "Indicator: Win32.Trojan.Falsesign.Agbe": [[222, 249]], "Indicator: MSIL/Injector.ONL!tr": [[250, 270]], "Indicator: Win32/Trojan.Dropper.28b": [[271, 295]]}, "info": {"id": "cyner2_5class_train_01533", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PowerShell/Rozena.AF BehavesLike.Win64.Dropper.cc Trojan/Scar.bmid", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PowerShell/Rozena.AF": [[26, 46]], "Indicator: BehavesLike.Win64.Dropper.cc": [[47, 75]], "Indicator: Trojan/Scar.bmid": [[76, 92]]}, "info": {"id": "cyner2_5class_train_01534", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.RSM.2.0 Backdoor/W32.RSM.204800 Backdoor.RSM Backdoor.RSM.2.0 Backdoor.RSM.2.0 Backdoor.Trojan Backdoor.RSM.2.0 Backdoor.Win32.RSM.20 Backdoor.RSM.2.0 Trojan.Win32.RSM.dmmg Backdoor.Win32.Z.Rsm.204800 Backdoor.W32.RSM.20!c Backdoor.RSM.2.0 Backdoor.RSM.2.0 BackDoor.RMS.20 Backdoor.RSM.Win32.4 BehavesLike.Win32.Dropper.dc Backdoor.Win32.Intruder W32/Risk.WUUC-5425 Backdoor/RSM.28.b BDS/RSM.20.2 Backdoor:Win32/RSM.2_0 
Backdoor.Win32.RSM.20 Backdoor.RSM Win32/RSM.20 Win32.Backdoor.Rsm.Sysb Backdoor.RSM!gcfh+QxIfXE W32/RSM.20!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.RSM.2.0": [[26, 42], [80, 96], [97, 113], [130, 146], [169, 185], [258, 274], [275, 291]], "Indicator: Backdoor/W32.RSM.204800": [[43, 66]], "Indicator: Backdoor.RSM": [[67, 79], [477, 489]], "Indicator: Backdoor.Trojan": [[114, 129]], "Indicator: Backdoor.Win32.RSM.20": [[147, 168], [455, 476]], "Indicator: Trojan.Win32.RSM.dmmg": [[186, 207]], "Indicator: Backdoor.Win32.Z.Rsm.204800": [[208, 235]], "Indicator: Backdoor.W32.RSM.20!c": [[236, 257]], "Indicator: BackDoor.RMS.20": [[292, 307]], "Indicator: Backdoor.RSM.Win32.4": [[308, 328]], "Indicator: BehavesLike.Win32.Dropper.dc": [[329, 357]], "Indicator: Backdoor.Win32.Intruder": [[358, 381]], "Indicator: W32/Risk.WUUC-5425": [[382, 400]], "Indicator: Backdoor/RSM.28.b": [[401, 418]], "Indicator: BDS/RSM.20.2": [[419, 431]], "Indicator: Backdoor:Win32/RSM.2_0": [[432, 454]], "Indicator: Win32/RSM.20": [[490, 502]], "Indicator: Win32.Backdoor.Rsm.Sysb": [[503, 526]], "Indicator: Backdoor.RSM!gcfh+QxIfXE": [[527, 551]], "Indicator: W32/RSM.20!tr.bdr": [[552, 569]]}, "info": {"id": "cyner2_5class_train_01535", "source": "cyner2_5class_train"}} +{"text": "Security researchers have discovered that Cl0p is now targeting Linux systems, using a new variant specifically designed for this operating system.", "spans": {"Organization: Security researchers": [[0, 20]], "Malware: Cl0p": [[42, 46]], "System: Linux systems,": [[64, 78]], "Malware: new variant": [[87, 98]], "System: operating system.": [[130, 147]]}, "info": {"id": "cyner2_5class_train_01536", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9951 Worm.BAT.Autorun.ex TrojWare.Win32.StartPage.~AO Win32.HLLW.Autoruner2.11336 Worm.AutoRun.Win32.42154 BehavesLike.Win32.Virus.cz Trojan-Dropper.Win32.Autorun Worm.BAT.al 
Win32.HeurC.KVM007.a.kcloud Worm.BAT.Autorun.ex TrojanDropper:Win32/Autorun.AC Worm/Win32.AutoRun.R74164 TScope.Trojan.Delf Trj/CI.A BAT/Autorun.BK Bat.Worm.Autorun.Aihw BAT/Autorun.EX!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9951": [[26, 68]], "Indicator: Worm.BAT.Autorun.ex": [[69, 88], [267, 286]], "Indicator: TrojWare.Win32.StartPage.~AO": [[89, 117]], "Indicator: Win32.HLLW.Autoruner2.11336": [[118, 145]], "Indicator: Worm.AutoRun.Win32.42154": [[146, 170]], "Indicator: BehavesLike.Win32.Virus.cz": [[171, 197]], "Indicator: Trojan-Dropper.Win32.Autorun": [[198, 226]], "Indicator: Worm.BAT.al": [[227, 238]], "Indicator: Win32.HeurC.KVM007.a.kcloud": [[239, 266]], "Indicator: TrojanDropper:Win32/Autorun.AC": [[287, 317]], "Indicator: Worm/Win32.AutoRun.R74164": [[318, 343]], "Indicator: TScope.Trojan.Delf": [[344, 362]], "Indicator: Trj/CI.A": [[363, 371]], "Indicator: BAT/Autorun.BK": [[372, 386]], "Indicator: Bat.Worm.Autorun.Aihw": [[387, 408]], "Indicator: BAT/Autorun.EX!worm": [[409, 428]]}, "info": {"id": "cyner2_5class_train_01537", "source": "cyner2_5class_train"}} +{"text": "We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundreds , if not a thousand or more .", "spans": {"Malware: Exodus": [[45, 51]]}, "info": {"id": "cyner2_5class_train_01538", "source": "cyner2_5class_train"}} +{"text": "Nonetheless, we can obtain targeting information and insight into tactics from the spearphish messages used by the threat actors.", "spans": {"Indicator: spearphish messages": [[83, 102]]}, "info": {"id": "cyner2_5class_train_01539", "source": "cyner2_5class_train"}} +{"text": "The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample .", "spans": {"Malware: HenBox": [[134, 140]]}, "info": {"id": 
"cyner2_5class_train_01540", "source": "cyner2_5class_train"}} +{"text": "The idea is simple - if the infected device belongs to a real person , sooner or later this person will move around , increasing the step counter .", "spans": {}, "info": {"id": "cyner2_5class_train_01541", "source": "cyner2_5class_train"}} +{"text": "A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team and eventually download PoisonIvy and other payloads in user systems.", "spans": {"Indicator: sites": [[51, 56]], "Vulnerability: Flash exploits": [[68, 82]], "Organization: Hacking Team": [[94, 106]], "Malware: PoisonIvy": [[131, 140]], "Malware: payloads": [[151, 159]], "System: user systems.": [[163, 176]]}, "info": {"id": "cyner2_5class_train_01542", "source": "cyner2_5class_train"}} +{"text": "This trojanized version of PuTTY harvests credentials and relays the information back to a collection server in the same way too.", "spans": {"Malware: trojanized version of PuTTY": [[5, 32]]}, "info": {"id": "cyner2_5class_train_01543", "source": "cyner2_5class_train"}} +{"text": "For example , this could be when the victim ’ s device connects to a Wi-Fi access point that is infected or controlled by the attackers .", "spans": {}, "info": {"id": "cyner2_5class_train_01544", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SysAntiH.Worm Worm.Win32.AutoRun!O Worm.Yeltminky.A2 Win32.Trojan.KillAV.y W32.SillyFDC Win32/SillyAutorun.BBA Trojan.Win32.AntiAV.ciuz Trojan.Win32.AutoRun.btmkp Worm.Win32.Autorun.70144.E Trojan.Win32.KillAV.tco Win32.HLLW.Autoruner.25125 BehavesLike.Win32.Backdoor.lc Trojan-PWS.Win32.Lmir Worm/AutoRun.inq Virus/Win32.Virut.ce Worm:Win32/Yeltminky.A Trojan.Win32.AntiAV.ciuz Trojan/Win32.Hupigon.C73726 MalwareScope.Trojan-PSW.Game.7 RiskWare.Tool.CK Worm.AutoRun!snJYP2M4Pvg W32/QQPass.BTC Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SysAntiH.Worm": [[26, 43]], 
"Indicator: Worm.Win32.AutoRun!O": [[44, 64]], "Indicator: Worm.Yeltminky.A2": [[65, 82]], "Indicator: Win32.Trojan.KillAV.y": [[83, 104]], "Indicator: W32.SillyFDC": [[105, 117]], "Indicator: Win32/SillyAutorun.BBA": [[118, 140]], "Indicator: Trojan.Win32.AntiAV.ciuz": [[141, 165], [384, 408]], "Indicator: Trojan.Win32.AutoRun.btmkp": [[166, 192]], "Indicator: Worm.Win32.Autorun.70144.E": [[193, 219]], "Indicator: Trojan.Win32.KillAV.tco": [[220, 243]], "Indicator: Win32.HLLW.Autoruner.25125": [[244, 270]], "Indicator: BehavesLike.Win32.Backdoor.lc": [[271, 300]], "Indicator: Trojan-PWS.Win32.Lmir": [[301, 322]], "Indicator: Worm/AutoRun.inq": [[323, 339]], "Indicator: Virus/Win32.Virut.ce": [[340, 360]], "Indicator: Worm:Win32/Yeltminky.A": [[361, 383]], "Indicator: Trojan/Win32.Hupigon.C73726": [[409, 436]], "Indicator: MalwareScope.Trojan-PSW.Game.7": [[437, 467]], "Indicator: RiskWare.Tool.CK": [[468, 484]], "Indicator: Worm.AutoRun!snJYP2M4Pvg": [[485, 509]], "Indicator: W32/QQPass.BTC": [[510, 524]], "Indicator: Win32/Trojan.2ff": [[525, 541]]}, "info": {"id": "cyner2_5class_train_01545", "source": "cyner2_5class_train"}} +{"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) .", "spans": {"Indicator: C : \\ProgramData": [[113, 129]]}, "info": {"id": "cyner2_5class_train_01546", "source": "cyner2_5class_train"}} +{"text": "This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode .", "spans": {}, "info": {"id": "cyner2_5class_train_01547", "source": "cyner2_5class_train"}} +{"text": "Ransomware has been responsible for many millions of dollars in damages, and CryptoWall is one of the most lucrative ransomware families in use today.", "spans": {"Malware: Ransomware": [[0, 10]], "Malware: CryptoWall": [[77, 87]], "Malware: ransomware families": [[117, 136]]}, "info": {"id": "cyner2_5class_train_01548", "source": 
"cyner2_5class_train"}} +{"text": "GolfSpy ’ s infection chain GolfSpy 's Potential Impact Given GolfSpy ’ s information-stealing capabilities , this malware can effectively hijack an infected Android device .", "spans": {"Malware: GolfSpy": [[0, 7], [28, 35], [62, 69]], "System: Android": [[158, 165]]}, "info": {"id": "cyner2_5class_train_01549", "source": "cyner2_5class_train"}} +{"text": "The MQTT connection to broker The MQTT connection to broker The MQTT communication is used primarily to update the device state and get commands from the C & C .", "spans": {}, "info": {"id": "cyner2_5class_train_01550", "source": "cyner2_5class_train"}} +{"text": "In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.", "spans": {"Organization: FireEye": [[15, 22]], "System: EPS": [[89, 92], [185, 188]], "Vulnerability: zero day exploits": [[93, 110]], "Indicator: CVE-2017-0261": [[123, 136]], "Indicator: CVE-2017-0262,": [[141, 155]], "Organization: Microsoft": [[165, 174]], "Indicator: disabling": [[175, 184]], "System: Office products": [[206, 221]]}, "info": {"id": "cyner2_5class_train_01551", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Coantor.11 Win.Trojan.Cuegoe-6336261-0 BehavesLike.Win32.Dropper.vc Trojan:Win32/Salgorea.C!dha", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Coantor.11": [[26, 43]], "Indicator: Win.Trojan.Cuegoe-6336261-0": [[44, 71]], "Indicator: BehavesLike.Win32.Dropper.vc": [[72, 100]], "Indicator: Trojan:Win32/Salgorea.C!dha": [[101, 128]]}, "info": {"id": "cyner2_5class_train_01552", "source": "cyner2_5class_train"}} +{"text": "While some of these acquisition are performed purely through code in mike.jar , some others that require access to , for example , SQLite databases or other files in the application 
's storage are performed through rootdaemon instead , which should be running with root privileges .", "spans": {"Indicator: mike.jar": [[69, 77]]}, "info": {"id": "cyner2_5class_train_01553", "source": "cyner2_5class_train"}} +{"text": "In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank's system connected to the SWIFT network and used this to perform the transfers.", "spans": {"Organization: the Bangladesh Bank": [[31, 50]], "Indicator: compromised": [[75, 86]], "System: the bank's system": [[87, 104]], "System: the SWIFT network": [[118, 135]]}, "info": {"id": "cyner2_5class_train_01554", "source": "cyner2_5class_train"}} +{"text": "This could be very dangerous and cause some devices to crash following the overwrite .", "spans": {}, "info": {"id": "cyner2_5class_train_01555", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodcaf.Trojan.0256 Worm/W32.Opanki.176640 W32.Allim W32/Funmov.a Win32.Trojan.WisdomEyes.151026.9950.9984 W32.Allim Win32/Opanki.R WORM_OPANKI.Q Backdoor.Win32.Aimbot.d Trojan.Win32.Aimbot.fujn Win32.Backdoor.Aimbot.Syse Worm.Win32.Opanki.R BackDoor.Oscar Worm.Opanki.Win32.38 WORM_OPANKI.Q BehavesLike.Win32.Sdbot.cc W32/Risk.ZUMS-8015 I-Worm/Opanki.b W32/Opanki.A1D5!worm Trojan[Backdoor]/Win32.Aimbot Backdoor.W32.Aimbot.d!c Win32/Funmov.worm.176640 Worm:Win32/Funmov.A Win32/Trykid.Y W32/Opanki.worm W32.Allim Bck/Sdbot.JED.worm Worm.Funmov!UUJQui2L6no Backdoor.Win32.Aimbot Worm/Opanki.N Backdoor.Win32.Aimbot.aLdg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodcaf.Trojan.0256": [[26, 49]], "Indicator: Worm/W32.Opanki.176640": [[50, 72]], "Indicator: W32.Allim": [[73, 82], [137, 146], [535, 544]], "Indicator: W32/Funmov.a": [[83, 95]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9984": [[96, 136]], "Indicator: Win32/Opanki.R": [[147, 161]], "Indicator: WORM_OPANKI.Q": [[162, 175], [308, 321]], "Indicator: Backdoor.Win32.Aimbot.d": [[176, 199]], 
"Indicator: Trojan.Win32.Aimbot.fujn": [[200, 224]], "Indicator: Win32.Backdoor.Aimbot.Syse": [[225, 251]], "Indicator: Worm.Win32.Opanki.R": [[252, 271]], "Indicator: BackDoor.Oscar": [[272, 286]], "Indicator: Worm.Opanki.Win32.38": [[287, 307]], "Indicator: BehavesLike.Win32.Sdbot.cc": [[322, 348]], "Indicator: W32/Risk.ZUMS-8015": [[349, 367]], "Indicator: I-Worm/Opanki.b": [[368, 383]], "Indicator: W32/Opanki.A1D5!worm": [[384, 404]], "Indicator: Trojan[Backdoor]/Win32.Aimbot": [[405, 434]], "Indicator: Backdoor.W32.Aimbot.d!c": [[435, 458]], "Indicator: Win32/Funmov.worm.176640": [[459, 483]], "Indicator: Worm:Win32/Funmov.A": [[484, 503]], "Indicator: Win32/Trykid.Y": [[504, 518]], "Indicator: W32/Opanki.worm": [[519, 534]], "Indicator: Bck/Sdbot.JED.worm": [[545, 563]], "Indicator: Worm.Funmov!UUJQui2L6no": [[564, 587]], "Indicator: Backdoor.Win32.Aimbot": [[588, 609]], "Indicator: Worm/Opanki.N": [[610, 623]], "Indicator: Backdoor.Win32.Aimbot.aLdg": [[624, 650]]}, "info": {"id": "cyner2_5class_train_01556", "source": "cyner2_5class_train"}} +{"text": "During the past few weeks, we have received information about a new campaign of targeted ransomware attacks.", "spans": {"Indicator: targeted ransomware attacks.": [[80, 108]]}, "info": {"id": "cyner2_5class_train_01557", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoA.DAEE W32.Virut.G W32.Virut.CF Trojan.Win32.Crypt.dzf Virus.Win32.Virut.CE BehavesLike.Win32.BadFile.pt W32/Trojan.UBPC-4784 Trojan.Crypt.cm Trojan/Win32.Crypt TrojanDownloader:Win32/Dothemt.A Trojan.Win32.Crypt.dzf Trojan.Crypt W32/Sality.AO Win32/Virut.NBP Virus.Win32.Virut.ug W32/Virut.CE Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoA.DAEE": [[26, 43]], "Indicator: W32.Virut.G": [[44, 55]], "Indicator: W32.Virut.CF": [[56, 68]], "Indicator: Trojan.Win32.Crypt.dzf": [[69, 91], [231, 253]], "Indicator: Virus.Win32.Virut.CE": [[92, 112]], "Indicator: 
BehavesLike.Win32.BadFile.pt": [[113, 141]], "Indicator: W32/Trojan.UBPC-4784": [[142, 162]], "Indicator: Trojan.Crypt.cm": [[163, 178]], "Indicator: Trojan/Win32.Crypt": [[179, 197]], "Indicator: TrojanDownloader:Win32/Dothemt.A": [[198, 230]], "Indicator: Trojan.Crypt": [[254, 266]], "Indicator: W32/Sality.AO": [[267, 280]], "Indicator: Win32/Virut.NBP": [[281, 296]], "Indicator: Virus.Win32.Virut.ug": [[297, 317]], "Indicator: W32/Virut.CE": [[318, 330]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[331, 361]]}, "info": {"id": "cyner2_5class_train_01558", "source": "cyner2_5class_train"}} +{"text": "The actor also built solid backend infrastructures which can handle high volume concurrent requests .", "spans": {}, "info": {"id": "cyner2_5class_train_01559", "source": "cyner2_5class_train"}} +{"text": "Japan Post - A private Japanese post , logistics and courier headquartered in Tokyo .", "spans": {"Organization: Japan Post": [[0, 10]]}, "info": {"id": "cyner2_5class_train_01560", "source": "cyner2_5class_train"}} +{"text": "] 144 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01561", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9962 Trojan.Win32.Graftor.dcgcrd TrojWare.Win32.Kryptik.~NT Trojan-Downloader.Win32.Banload Trojan:Win32/BrobanAda.A TScope.Trojan.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9962": [[26, 68]], "Indicator: Trojan.Win32.Graftor.dcgcrd": [[69, 96]], "Indicator: TrojWare.Win32.Kryptik.~NT": [[97, 123]], "Indicator: Trojan-Downloader.Win32.Banload": [[124, 155]], "Indicator: Trojan:Win32/BrobanAda.A": [[156, 180]], "Indicator: TScope.Trojan.Delf": [[181, 199]]}, "info": {"id": "cyner2_5class_train_01562", "source": "cyner2_5class_train"}} +{"text": "They represent features and can be turned on and off from the command-and-control ( C & C ) server or by an SMS message , effectively instructing the malware to execute 
certain tasks .", "spans": {}, "info": {"id": "cyner2_5class_train_01563", "source": "cyner2_5class_train"}} +{"text": "Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera , for example com.bird.sky.whale.camera ( app name : Whale Camera ) , com.color.rainbow.camera ( Rainbow Camera ) , and com.fishing.when.orangecamera ( Orange Camera ) .", "spans": {"Indicator: com.XXXXXXXXX.camera": [[90, 110]], "Indicator: com.bird.sky.whale.camera": [[125, 150]], "System: Whale Camera": [[164, 176]], "Indicator: com.color.rainbow.camera": [[181, 205]], "System: Rainbow Camera": [[208, 222]], "Indicator: com.fishing.when.orangecamera": [[231, 260]], "System: Orange Camera": [[263, 276]]}, "info": {"id": "cyner2_5class_train_01564", "source": "cyner2_5class_train"}} +{"text": "Apart from including the country ’ s name , the app ’ s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia .", "spans": {"System: GAS Tecnologia": [[140, 154]]}, "info": {"id": "cyner2_5class_train_01565", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.BadApp!O TrojanDownloader.Small.AGT4 PWS-Mmorpg.e TSPY_RUNAE.SM Infostealer.Gampass Win32/AdClicker.DZX Win.Trojan.Toopu-1 Trojan.Win32.Dwn.bxzwi Backdoor.Win32.A.Rbot.65536 TrojWare.Win32.TrojanDownloader.Nirava.~clj Trojan.DownLoader1.38650 Adware.FloodAd.Win32.2 PWS-Mmorpg.e Trojan/Win32.Unknown Win32.Troj.Undef.kcloud TrojanClicker:Win32/Runae.A Trojan/Win32.OnlineGameHack.R1804 Adware.FloodAd Win32/Adware.FloodAd.AA Trojan.Win32.Clicker.sa W32/FLOODAD.SM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.BadApp!O": [[26, 47]], "Indicator: TrojanDownloader.Small.AGT4": [[48, 75]], "Indicator: PWS-Mmorpg.e": [[76, 88], [305, 317]], "Indicator: TSPY_RUNAE.SM": [[89, 102]], "Indicator: Infostealer.Gampass": [[103, 122]], "Indicator: Win32/AdClicker.DZX": [[123, 142]], "Indicator: 
Win.Trojan.Toopu-1": [[143, 161]], "Indicator: Trojan.Win32.Dwn.bxzwi": [[162, 184]], "Indicator: Backdoor.Win32.A.Rbot.65536": [[185, 212]], "Indicator: TrojWare.Win32.TrojanDownloader.Nirava.~clj": [[213, 256]], "Indicator: Trojan.DownLoader1.38650": [[257, 281]], "Indicator: Adware.FloodAd.Win32.2": [[282, 304]], "Indicator: Trojan/Win32.Unknown": [[318, 338]], "Indicator: Win32.Troj.Undef.kcloud": [[339, 362]], "Indicator: TrojanClicker:Win32/Runae.A": [[363, 390]], "Indicator: Trojan/Win32.OnlineGameHack.R1804": [[391, 424]], "Indicator: Adware.FloodAd": [[425, 439]], "Indicator: Win32/Adware.FloodAd.AA": [[440, 463]], "Indicator: Trojan.Win32.Clicker.sa": [[464, 487]], "Indicator: W32/FLOODAD.SM!tr": [[488, 505]]}, "info": {"id": "cyner2_5class_train_01566", "source": "cyner2_5class_train"}} +{"text": "These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions.", "spans": {"Indicator: targeted attacks": [[77, 93]]}, "info": {"id": "cyner2_5class_train_01567", "source": "cyner2_5class_train"}} +{"text": "One of Strider's targets had also previously been infected by Regin.", "spans": {"Malware: Strider's": [[7, 16]], "Malware: Regin.": [[62, 68]]}, "info": {"id": "cyner2_5class_train_01568", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dyname TROJ_WOONIKY.B TROJ_WOONIKY.B W32/Trojan.TZVR-6635 TR/Kazy.196035.1 Trojan.MSIL.Krypt.2 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dyname": [[26, 39]], "Indicator: TROJ_WOONIKY.B": [[40, 54], [55, 69]], "Indicator: W32/Trojan.TZVR-6635": [[70, 90]], "Indicator: TR/Kazy.196035.1": [[91, 107]], "Indicator: Trojan.MSIL.Krypt.2": [[108, 127]], "Indicator: Trj/CI.A": [[128, 136]]}, "info": {"id": "cyner2_5class_train_01569", "source": "cyner2_5class_train"}} +{"text": "When DualToy began to spread in January 2015 , it was only capable of infecting Android devices .", "spans": {"Malware: DualToy": [[5, 12]], 
"System: Android": [[80, 87]]}, "info": {"id": "cyner2_5class_train_01570", "source": "cyner2_5class_train"}} +{"text": "Check Point ’ s Analysis and Response Team ( ART ) disclosed the finding to Android ’ s Security team who took the appropriate security steps to remove the infected app and added the malware to Android ’ s built-in protection mechanisms .", "spans": {"Organization: Check Point": [[0, 11]], "System: Android": [[76, 83], [194, 201]]}, "info": {"id": "cyner2_5class_train_01571", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.KowinPC.Worm Win32.Trojan.WisdomEyes.16070401.9500.9820 W32.Kaxela.A Win32/Pipown.KJ Win.Worm.Autorun-2398 Worm.Win32.AutoRun.zt Trojan.Win32.ARSleep.gcbz W32.W.AutoRun.yo!c TrojWare.Win32.Magania.~L Trojan.Popwin.651 Worm.AutoRun.Win32.11126 BehavesLike.Win32.Dropper.lc Trojan/DiskAutorun.px BDS/Exaal.45056 Worm/Win32.AutoRun Win32.Troj.OnlineGames.w.kcloud Trojan.Win32.Autorun.21043 Worm.Win32.AutoRun.zt Trojan:Win32/Malamiko.A Worm.AutoRun Trojan/Win32.lssj.2cc.rgrk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KowinPC.Worm": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9820": [[43, 85]], "Indicator: W32.Kaxela.A": [[86, 98]], "Indicator: Win32/Pipown.KJ": [[99, 114]], "Indicator: Win.Worm.Autorun-2398": [[115, 136]], "Indicator: Worm.Win32.AutoRun.zt": [[137, 158], [418, 439]], "Indicator: Trojan.Win32.ARSleep.gcbz": [[159, 184]], "Indicator: W32.W.AutoRun.yo!c": [[185, 203]], "Indicator: TrojWare.Win32.Magania.~L": [[204, 229]], "Indicator: Trojan.Popwin.651": [[230, 247]], "Indicator: Worm.AutoRun.Win32.11126": [[248, 272]], "Indicator: BehavesLike.Win32.Dropper.lc": [[273, 301]], "Indicator: Trojan/DiskAutorun.px": [[302, 323]], "Indicator: BDS/Exaal.45056": [[324, 339]], "Indicator: Worm/Win32.AutoRun": [[340, 358]], "Indicator: Win32.Troj.OnlineGames.w.kcloud": [[359, 390]], "Indicator: Trojan.Win32.Autorun.21043": [[391, 417]], "Indicator: 
Trojan:Win32/Malamiko.A": [[440, 463]], "Indicator: Worm.AutoRun": [[464, 476]], "Indicator: Trojan/Win32.lssj.2cc.rgrk": [[477, 503]]}, "info": {"id": "cyner2_5class_train_01572", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.SdBoter.28496 I-Worm.SdBoter.r2 Worm.SdBoter!97XSxLq3xLE W32/Sdbot.GFWC-1787 Win32/SdBoter.J WORM_SDBOTER.J Worm.W32.SdBoter.J Net-Worm.Win32.SdBoter.j Trojan.Win32.SdBoter.oxfz W32.W.SdBoter.j!c Win32.Worm-net.Sdboter.Star Worm.Win32.SdBoter.J BackDoor.IRC.Sdbot Worm.SdBoter.Win32.7 WORM_SDBOTER.J BehavesLike.Win32.Worm.mc W32/Sdbot.DMQ WORM/NetBot.A.2 W32/KWBOT.H Worm[Net]/Win32.SdBoter Win32/IRCBot.worm.28496 Worm:Win32/Sdboter.J W32/Sdbot.XT.worm Net-Worm.Win32.SdBoter.I IRC/BackDoor.SdBot.24.AC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.SdBoter.28496": [[26, 48]], "Indicator: I-Worm.SdBoter.r2": [[49, 66]], "Indicator: Worm.SdBoter!97XSxLq3xLE": [[67, 91]], "Indicator: W32/Sdbot.GFWC-1787": [[92, 111]], "Indicator: Win32/SdBoter.J": [[112, 127]], "Indicator: WORM_SDBOTER.J": [[128, 142], [320, 334]], "Indicator: Worm.W32.SdBoter.J": [[143, 161]], "Indicator: Net-Worm.Win32.SdBoter.j": [[162, 186]], "Indicator: Trojan.Win32.SdBoter.oxfz": [[187, 212]], "Indicator: W32.W.SdBoter.j!c": [[213, 230]], "Indicator: Win32.Worm-net.Sdboter.Star": [[231, 258]], "Indicator: Worm.Win32.SdBoter.J": [[259, 279]], "Indicator: BackDoor.IRC.Sdbot": [[280, 298]], "Indicator: Worm.SdBoter.Win32.7": [[299, 319]], "Indicator: BehavesLike.Win32.Worm.mc": [[335, 360]], "Indicator: W32/Sdbot.DMQ": [[361, 374]], "Indicator: WORM/NetBot.A.2": [[375, 390]], "Indicator: W32/KWBOT.H": [[391, 402]], "Indicator: Worm[Net]/Win32.SdBoter": [[403, 426]], "Indicator: Win32/IRCBot.worm.28496": [[427, 450]], "Indicator: Worm:Win32/Sdboter.J": [[451, 471]], "Indicator: W32/Sdbot.XT.worm": [[472, 489]], "Indicator: Net-Worm.Win32.SdBoter.I": [[490, 514]], "Indicator: IRC/BackDoor.SdBot.24.AC": [[515, 539]]}, "info": 
{"id": "cyner2_5class_train_01573", "source": "cyner2_5class_train"}} +{"text": "During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems.", "spans": {"Malware: backdoors": [[42, 51]], "Malware: HDRoot bootkit": [[61, 75]], "System: operating systems.": [[95, 113]]}, "info": {"id": "cyner2_5class_train_01574", "source": "cyner2_5class_train"}} +{"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use of the native code to load the payload and hide in Instagram and Tumblr profiles .", "spans": {"Malware: XLoader": [[28, 35]], "Organization: Instagram": [[156, 165]], "Organization: Tumblr": [[170, 176]]}, "info": {"id": "cyner2_5class_train_01575", "source": "cyner2_5class_train"}} +{"text": "One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on.", "spans": {"Organization: Japan Pension Service,": [[30, 52]], "Organization: industries": [[78, 88]], "Organization: government": [[98, 108]], "Organization: government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation": [[113, 428]]}, "info": {"id": "cyner2_5class_train_01576", "source": "cyner2_5class_train"}} +{"text": "Another interesting feature in FakeSpy ’ s code is the collection of the device 's IMEI ( International Mobile Station Equipment Identity ) number and all 
installed applications using the function upAppinfos .", "spans": {"Malware: FakeSpy": [[31, 38]]}, "info": {"id": "cyner2_5class_train_01577", "source": "cyner2_5class_train"}} +{"text": "Our security app allows us to transmit this sensitive data encrypted to you , thus increasing the security that you will not suffer any financial loss .", "spans": {}, "info": {"id": "cyner2_5class_train_01578", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Email-Flooder.Win32.DaMailer!O Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Damailer-4 Email-Flooder.Win32.DaMailer.119 TrojWare.Win32.Flooder.DarkMail Flooder.Damail Tool.DaMailer.Win32.2 BehavesLike.Win32.BadFile.th Email-Flooder.DaMailer.d Email-Flooder.Win32.DaMailer.119 Trojan/Win32.HDC.C123509 EmailFlooder.DaMailer Trj/CI.A Win32/Flooder.DarkMail Win32.Trojan.Damailer.Htwm Flooder.DaMailer!LiHdaVOdIDQ Email-Flooder.Win32.DaMailer", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Email-Flooder.Win32.DaMailer!O": [[26, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[57, 99]], "Indicator: Win.Trojan.Damailer-4": [[100, 121]], "Indicator: Email-Flooder.Win32.DaMailer.119": [[122, 154], [278, 310]], "Indicator: TrojWare.Win32.Flooder.DarkMail": [[155, 186]], "Indicator: Flooder.Damail": [[187, 201]], "Indicator: Tool.DaMailer.Win32.2": [[202, 223]], "Indicator: BehavesLike.Win32.BadFile.th": [[224, 252]], "Indicator: Email-Flooder.DaMailer.d": [[253, 277]], "Indicator: Trojan/Win32.HDC.C123509": [[311, 335]], "Indicator: EmailFlooder.DaMailer": [[336, 357]], "Indicator: Trj/CI.A": [[358, 366]], "Indicator: Win32/Flooder.DarkMail": [[367, 389]], "Indicator: Win32.Trojan.Damailer.Htwm": [[390, 416]], "Indicator: Flooder.DaMailer!LiHdaVOdIDQ": [[417, 445]], "Indicator: Email-Flooder.Win32.DaMailer": [[446, 474]]}, "info": {"id": "cyner2_5class_train_01579", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Hamer.B!utility 
Trojan-Dropper/W32.Hamer_Packed.700928 Dropper.Hamer.Win32.41 Trojan/Dropper.Hamer.20 Trojan.DR.Hammer!WTBuq6wvib0 W32/Hamer.B@tool Backdoor.Beasty.Family Win32/TrojanDropper.Hamer.20 TROJ_HAMER.R Trojan.Downloader.Small-12 Trojan-Dropper.Win32.Hamer.20 Trojan.Win32.Hamer.dztpdb Dropper.A.Hamer.700928[h] Troj.Dropper.W32.Hamer.20!c TrojWare.Win32.TrojanDropper.Hamer.20 Trojan.DownLoader.225 Backdoor.Beasty.Family TROJ_HAMER.R BehavesLike.Win32.Dropper.jc W32/Hamer.PMZI-8206 TrojanDropper.Hammer.20 TR/Drop.Hamer.20 W32/Hamer.20!tr Trojan[Dropper]/Win32.Hamer Dropper/Hamer.700928 Backdoor.Beasty.Family TrojanDropper.Hamer Trojan.Win32.Dropper.20 Win32.Trojan-dropper.Hamer.Pkra Trojan-Dropper.Win32.Delf Dropper.Hamer.B Win32/Trojan.ece", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Hamer.B!utility": [[26, 47]], "Indicator: Trojan-Dropper/W32.Hamer_Packed.700928": [[48, 86]], "Indicator: Dropper.Hamer.Win32.41": [[87, 109]], "Indicator: Trojan/Dropper.Hamer.20": [[110, 133]], "Indicator: Trojan.DR.Hammer!WTBuq6wvib0": [[134, 162]], "Indicator: W32/Hamer.B@tool": [[163, 179]], "Indicator: Backdoor.Beasty.Family": [[180, 202], [442, 464], [633, 655]], "Indicator: Win32/TrojanDropper.Hamer.20": [[203, 231]], "Indicator: TROJ_HAMER.R": [[232, 244], [465, 477]], "Indicator: Trojan.Downloader.Small-12": [[245, 271]], "Indicator: Trojan-Dropper.Win32.Hamer.20": [[272, 301]], "Indicator: Trojan.Win32.Hamer.dztpdb": [[302, 327]], "Indicator: Dropper.A.Hamer.700928[h]": [[328, 353]], "Indicator: Troj.Dropper.W32.Hamer.20!c": [[354, 381]], "Indicator: TrojWare.Win32.TrojanDropper.Hamer.20": [[382, 419]], "Indicator: Trojan.DownLoader.225": [[420, 441]], "Indicator: BehavesLike.Win32.Dropper.jc": [[478, 506]], "Indicator: W32/Hamer.PMZI-8206": [[507, 526]], "Indicator: TrojanDropper.Hammer.20": [[527, 550]], "Indicator: TR/Drop.Hamer.20": [[551, 567]], "Indicator: W32/Hamer.20!tr": [[568, 583]], "Indicator: Trojan[Dropper]/Win32.Hamer": [[584, 611]], "Indicator: 
Dropper/Hamer.700928": [[612, 632]], "Indicator: TrojanDropper.Hamer": [[656, 675]], "Indicator: Trojan.Win32.Dropper.20": [[676, 699]], "Indicator: Win32.Trojan-dropper.Hamer.Pkra": [[700, 731]], "Indicator: Trojan-Dropper.Win32.Delf": [[732, 757]], "Indicator: Dropper.Hamer.B": [[758, 773]], "Indicator: Win32/Trojan.ece": [[774, 790]]}, "info": {"id": "cyner2_5class_train_01580", "source": "cyner2_5class_train"}} +{"text": "One involves drive-by downloads , possibly on booby-trapped porn sites .", "spans": {}, "info": {"id": "cyner2_5class_train_01581", "source": "cyner2_5class_train"}} +{"text": "If it finds apps on its prey list ( hard-coded or sent from C & C server ) , it will extract the base APK of the target innocent app on the device , patch the APK with malicious ads modules , install the APK back and replace the original one as if it is an update .", "spans": {}, "info": {"id": "cyner2_5class_train_01582", "source": "cyner2_5class_train"}} +{"text": "Before doing this , the malware makes a screenshot of the screen and displays it on top of all other windows for few seconds .", "spans": {"System: windows": [[101, 108]]}, "info": {"id": "cyner2_5class_train_01583", "source": "cyner2_5class_train"}} +{"text": "Security solutions can detect it in countless combinations with other suspicious permissions and functions , or malicious functionalities – but when faced with no additional functionality nor permission , all failed to trigger any alarm on DEFENSOR ID .", "spans": {"Malware: DEFENSOR ID": [[240, 251]]}, "info": {"id": "cyner2_5class_train_01584", "source": "cyner2_5class_train"}} +{"text": "We covered this attack in detail in our blog titled Shamoon 2: Return of the Disttrack Wiper, which targeted a single organization in Saudi Arabia and was set to wipe systems on November 17, 2016.", "spans": {"Indicator: attack": [[16, 22]], "Malware: Shamoon": [[52, 59]], "Malware: Disttrack Wiper,": [[77, 93]], "Organization: single organization": [[111, 130]], 
"Indicator: wipe systems": [[162, 174]]}, "info": {"id": "cyner2_5class_train_01585", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Zombam!O Win32.Backdoor.Zombam.b W32/Zombam.BWLR-3283 Backdoor.Zombam.B Win.Trojan.Small-4082 Backdoor.Win32.Zombam.m Trojan.Win32.Zombam.mpym Backdoor.Win32.Zombam.M BackDoor.Httprat.2 Backdoor.Zombam.Win32.32 BehavesLike.Win32.Rontokbro.nc Backdoor.Win32.Zombam.m W32/Zombam.N@bd Backdoor/Zombam.m BDS/Zombam.L.1 Trojan[Backdoor]/Win32.Zombam Backdoor:Win32/Zombam.L Backdoor.Win32.Zombam.31444 Backdoor.Win32.Zombam.m Backdoor.Zombam Win32/Zombam.M Backdoor.Zombam!rqjS+1zkQfU W32/Zombam.M!tr.bdr Win32/Backdoor.009", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Zombam!O": [[26, 49]], "Indicator: Win32.Backdoor.Zombam.b": [[50, 73]], "Indicator: W32/Zombam.BWLR-3283": [[74, 94]], "Indicator: Backdoor.Zombam.B": [[95, 112]], "Indicator: Win.Trojan.Small-4082": [[113, 134]], "Indicator: Backdoor.Win32.Zombam.m": [[135, 158], [283, 306], [438, 461]], "Indicator: Trojan.Win32.Zombam.mpym": [[159, 183]], "Indicator: Backdoor.Win32.Zombam.M": [[184, 207]], "Indicator: BackDoor.Httprat.2": [[208, 226]], "Indicator: Backdoor.Zombam.Win32.32": [[227, 251]], "Indicator: BehavesLike.Win32.Rontokbro.nc": [[252, 282]], "Indicator: W32/Zombam.N@bd": [[307, 322]], "Indicator: Backdoor/Zombam.m": [[323, 340]], "Indicator: BDS/Zombam.L.1": [[341, 355]], "Indicator: Trojan[Backdoor]/Win32.Zombam": [[356, 385]], "Indicator: Backdoor:Win32/Zombam.L": [[386, 409]], "Indicator: Backdoor.Win32.Zombam.31444": [[410, 437]], "Indicator: Backdoor.Zombam": [[462, 477]], "Indicator: Win32/Zombam.M": [[478, 492]], "Indicator: Backdoor.Zombam!rqjS+1zkQfU": [[493, 520]], "Indicator: W32/Zombam.M!tr.bdr": [[521, 540]], "Indicator: Win32/Backdoor.009": [[541, 559]]}, "info": {"id": "cyner2_5class_train_01586", "source": "cyner2_5class_train"}} +{"text": "The examples below show the plaintext key “ TEST ” to 
decrypt encoded hexadecimal strings ( jUtils.decrypt ( ) ) .", "spans": {}, "info": {"id": "cyner2_5class_train_01587", "source": "cyner2_5class_train"}} +{"text": "In this case, though, running the troubleshooter leads to the installation of LatentBot, a well-documented modular bot used for surveillance, information stealing, and remote access.", "spans": {"System: troubleshooter": [[34, 48]], "Malware: LatentBot,": [[78, 88]], "Malware: bot": [[115, 118]], "Indicator: for surveillance, information stealing,": [[124, 163]], "Indicator: remote access.": [[168, 182]]}, "info": {"id": "cyner2_5class_train_01588", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9705 Trojan.Win32.SchoolBoy.bhk Troj.Banker.W32.Qadars.mtwx Win32.Trojan.Schoolboy.Hvtb Trojan.MulDrop4.3547 BehavesLike.Win32.RAHack.nc Trojan.Heur.GM.D439A5C Trojan.Win32.SchoolBoy.bhk Trojan.Win32.PSW W32/SchoolBoy.BHK!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9705": [[26, 68]], "Indicator: Trojan.Win32.SchoolBoy.bhk": [[69, 95], [224, 250]], "Indicator: Troj.Banker.W32.Qadars.mtwx": [[96, 123]], "Indicator: Win32.Trojan.Schoolboy.Hvtb": [[124, 151]], "Indicator: Trojan.MulDrop4.3547": [[152, 172]], "Indicator: BehavesLike.Win32.RAHack.nc": [[173, 200]], "Indicator: Trojan.Heur.GM.D439A5C": [[201, 223]], "Indicator: Trojan.Win32.PSW": [[251, 267]], "Indicator: W32/SchoolBoy.BHK!tr": [[268, 288]], "Indicator: Trj/CI.A": [[289, 297]]}, "info": {"id": "cyner2_5class_train_01589", "source": "cyner2_5class_train"}} +{"text": "Bookworm's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42.", "spans": {"Malware: Bookworm's": [[0, 10]], "Malware: PlugX": [[55, 60]], "System: architecture": [[93, 105]], "Organization: Unit 42.": [[144, 152]]}, "info": {"id": "cyner2_5class_train_01590", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9973 Backdoor.Truebot Win.Trojan.Silence-6367671-0 W32/Trojan.JFGA-0175 Backdoor:Win32/Truebot.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9973": [[26, 68]], "Indicator: Backdoor.Truebot": [[69, 85]], "Indicator: Win.Trojan.Silence-6367671-0": [[86, 114]], "Indicator: W32/Trojan.JFGA-0175": [[115, 135]], "Indicator: Backdoor:Win32/Truebot.A": [[136, 160]], "Indicator: Trj/GdSda.A": [[161, 172]]}, "info": {"id": "cyner2_5class_train_01591", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Antilam.gzgw Backdoor.Trojan Antilam.FE BKDR_ANTILAM.A Backdoor.Win32.Antilam.20.b Backdoor.Antilam!vJ4jD43D2/o NORMAL:Trojan.SERVER_3!27802 Backdoor.Win32.Antilam.dfer BackDoor.AntiLame.23 BKDR_ANTILAM.A BehavesLike.Win32.Backdoor.cc W32/Risk.BTKH-4955 Backdoor/Antilam.20.ao BDS/Antilam.20.C Trojan[Backdoor]/Win32.Antilam Backdoor:Win32/Antilam.20.B Trojan/Win32.Xema Backdoor.AntiLamer Win32/Antilam.20.B Backdoor.Win32.Antilam W32/Antilam.B!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Antilam.gzgw": [[26, 51]], "Indicator: Backdoor.Trojan": [[52, 67]], "Indicator: Antilam.FE": [[68, 78]], "Indicator: BKDR_ANTILAM.A": [[79, 93], [229, 243]], "Indicator: Backdoor.Win32.Antilam.20.b": [[94, 121]], "Indicator: Backdoor.Antilam!vJ4jD43D2/o": [[122, 150]], "Indicator: NORMAL:Trojan.SERVER_3!27802": [[151, 179]], "Indicator: Backdoor.Win32.Antilam.dfer": [[180, 207]], "Indicator: BackDoor.AntiLame.23": [[208, 228]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[244, 273]], "Indicator: W32/Risk.BTKH-4955": [[274, 292]], "Indicator: Backdoor/Antilam.20.ao": [[293, 315]], "Indicator: BDS/Antilam.20.C": [[316, 332]], "Indicator: Trojan[Backdoor]/Win32.Antilam": [[333, 363]], "Indicator: Backdoor:Win32/Antilam.20.B": [[364, 391]], "Indicator: Trojan/Win32.Xema": 
[[392, 409]], "Indicator: Backdoor.AntiLamer": [[410, 428]], "Indicator: Win32/Antilam.20.B": [[429, 447]], "Indicator: Backdoor.Win32.Antilam": [[448, 470]], "Indicator: W32/Antilam.B!tr.bdr": [[471, 491]]}, "info": {"id": "cyner2_5class_train_01592", "source": "cyner2_5class_train"}} +{"text": "It ’ s a messaging object that can be used to request an action from another app component .", "spans": {}, "info": {"id": "cyner2_5class_train_01593", "source": "cyner2_5class_train"}} +{"text": "FortiGuard Labs decided to analyze some of them, and in this report, I will discuss its evolution over the past 10 months.", "spans": {"Organization: FortiGuard Labs": [[0, 15]]}, "info": {"id": "cyner2_5class_train_01594", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Exploit.ShellCode.a Trojan.Mdropper.C TROJ_SAMSA.H Trojan-Dropper.MSWord.1Table.ai Exploit.OleMacroPrj.CVE-2003-0347.cezzve DOC.Z.CVE-2003-0347.75864 Win32.Trojan-Dropper.1table.swy BackDoor.Mask TROJ_SAMSA.H Troj.Dropper.Msword!c Trojan-Dropper.MSWord.1Table.ai Trojan-Dropper.MSWord.1Table.ai possible-Threat.Embedded.ExeInOffice", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Exploit.ShellCode.a": [[26, 51]], "Indicator: Trojan.Mdropper.C": [[52, 69]], "Indicator: TROJ_SAMSA.H": [[70, 82], [228, 240]], "Indicator: Trojan-Dropper.MSWord.1Table.ai": [[83, 114], [263, 294], [295, 326]], "Indicator: Exploit.OleMacroPrj.CVE-2003-0347.cezzve": [[115, 155]], "Indicator: DOC.Z.CVE-2003-0347.75864": [[156, 181]], "Indicator: Win32.Trojan-Dropper.1table.swy": [[182, 213]], "Indicator: BackDoor.Mask": [[214, 227]], "Indicator: Troj.Dropper.Msword!c": [[241, 262]], "Indicator: possible-Threat.Embedded.ExeInOffice": [[327, 363]]}, "info": {"id": "cyner2_5class_train_01595", "source": "cyner2_5class_train"}} +{"text": "Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps , first stealing the victim ’ s login credentials , 
then stealing the credit card details ( to “ validate ” the user identity ) , as shown in the screenshots hereafter : The following code snippet shows that after the second overlay is filled-in and validated , it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks .", "spans": {"Malware: Ginp": [[21, 25]]}, "info": {"id": "cyner2_5class_train_01596", "source": "cyner2_5class_train"}} +{"text": "The cyberattacks against the Ukrainian electric power industry continue.", "spans": {"Indicator: cyberattacks": [[4, 16]], "Organization: the Ukrainian electric power industry": [[25, 62]]}, "info": {"id": "cyner2_5class_train_01597", "source": "cyner2_5class_train"}} +{"text": "Researchers from the IBM X-Force Incident Response and Intelligence Services IRIS team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations.", "spans": {"Organization: Researchers": [[0, 11]], "Organization: IBM X-Force Incident Response": [[21, 50]], "Organization: Intelligence Services IRIS team": [[55, 86]], "Indicator: missing link": [[100, 112]], "Malware: Shamoon malware": [[168, 183]], "Indicator: attacks": [[184, 191]], "Organization: organizations.": [[211, 225]]}, "info": {"id": "cyner2_5class_train_01598", "source": "cyner2_5class_train"}} +{"text": "RuMMS Code Analysis All RuMMS samples share the same behaviors , major parts of which are shown in Figure 1 .", "spans": {"Malware: RuMMS": [[0, 5], [24, 29]]}, "info": {"id": "cyner2_5class_train_01599", "source": "cyner2_5class_train"}} +{"text": "We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.", "spans": {"Malware: ransomware variants": [[43, 62]], "Malware: MarsJoke.": [[102, 111]]}, "info": {"id": "cyner2_5class_train_01600", "source": "cyner2_5class_train"}} +{"text": "Analysis of the malware shows that it uses the common 
string obfuscation of character replacement ( Figure 7 ) : Figure 7 : Encoded Marcher Strings Figure 8 : Decoded Marcher Strings As noted , the application requests extensive permissions during installation ; Figure 9 shows the request to act as device administrator , a particular permission that should very rarely be granted to an app .", "spans": {"Malware: Marcher": [[132, 139], [167, 174]]}, "info": {"id": "cyner2_5class_train_01601", "source": "cyner2_5class_train"}} +{"text": "It has a very low volume in this two-year period, totaling roughly 27 total samples.", "spans": {"Malware: samples.": [[76, 84]]}, "info": {"id": "cyner2_5class_train_01602", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Scar!O Trojan.Scar Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Scar.bwre Trojan.Win32.VB.etyztu Trojan.Win32.Z.Scar.3042496 Troj.Downloader.W32.VB.l4ji Trojan.DownLoader25.47210 Trojan.Scar.Win32.27021 BehavesLike.Win32.Autorun.vm Trojan.Heur.VB.EDB7EC Trojan.Win32.Scar.bwre Worm:Win32/Sowndegg.B Trojan/Win32.VB.C16539 Trojan.Scar Trj/CI.A Win32/VB.SNU Win32.Trojan.Scar.Pgcp Trojan.Scar!yxP8tXFqxTQ Trojan-Downloader.Win32.VB W32/VB.SNU!tr Win32/Trojan.1c6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Scar!O": [[26, 45]], "Indicator: Trojan.Scar": [[46, 57], [372, 383]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[58, 100]], "Indicator: Trojan.Win32.Scar.bwre": [[101, 123], [304, 326]], "Indicator: Trojan.Win32.VB.etyztu": [[124, 146]], "Indicator: Trojan.Win32.Z.Scar.3042496": [[147, 174]], "Indicator: Troj.Downloader.W32.VB.l4ji": [[175, 202]], "Indicator: Trojan.DownLoader25.47210": [[203, 228]], "Indicator: Trojan.Scar.Win32.27021": [[229, 252]], "Indicator: BehavesLike.Win32.Autorun.vm": [[253, 281]], "Indicator: Trojan.Heur.VB.EDB7EC": [[282, 303]], "Indicator: Worm:Win32/Sowndegg.B": [[327, 348]], "Indicator: Trojan/Win32.VB.C16539": [[349, 371]], "Indicator: Trj/CI.A": [[384, 
392]], "Indicator: Win32/VB.SNU": [[393, 405]], "Indicator: Win32.Trojan.Scar.Pgcp": [[406, 428]], "Indicator: Trojan.Scar!yxP8tXFqxTQ": [[429, 452]], "Indicator: Trojan-Downloader.Win32.VB": [[453, 479]], "Indicator: W32/VB.SNU!tr": [[480, 493]], "Indicator: Win32/Trojan.1c6": [[494, 510]]}, "info": {"id": "cyner2_5class_train_01603", "source": "cyner2_5class_train"}} +{"text": "The objective of this blog is to highlight some of the capabilities of this new RAT family and the impact seen so far.", "spans": {"Malware: RAT family": [[80, 90]]}, "info": {"id": "cyner2_5class_train_01604", "source": "cyner2_5class_train"}} +{"text": "The leaked RCSAndroid code is a commercial weapon now in the wild .", "spans": {"Malware: RCSAndroid code": [[11, 26]]}, "info": {"id": "cyner2_5class_train_01605", "source": "cyner2_5class_train"}} +{"text": "Since mid-2014, the Kudelski Security Cyber Fusion Center has been monitoring and investigating Sphinx Moth.", "spans": {"Organization: Kudelski Security Cyber Fusion Center": [[20, 57]]}, "info": {"id": "cyner2_5class_train_01606", "source": "cyner2_5class_train"}} +{"text": "But Android.Oldboot malware is a bit more dangerous because even if you remove all working components of it from your android successfully , the component imei_chk will persist in a protected boot memory area and hence will reinstall itself on next boot and continuously infect the Smartphone .", "spans": {"Malware: Android.Oldboot": [[4, 19]], "System: android": [[118, 125]], "Indicator: imei_chk": [[155, 163]]}, "info": {"id": "cyner2_5class_train_01607", "source": "cyner2_5class_train"}} +{"text": "Espionage and Asymmetric Operation Targeting", "spans": {}, "info": {"id": "cyner2_5class_train_01608", "source": "cyner2_5class_train"}} +{"text": "SWC campaign impacted global aerospace, government, and technology organizations Uses .via extension", "spans": {"Organization: global aerospace, government,": [[22, 51]], "Organization: technology organizations": 
[[56, 80]], "Indicator: .via extension": [[86, 100]]}, "info": {"id": "cyner2_5class_train_01609", "source": "cyner2_5class_train"}} +{"text": "There are a lot of small Trojans for Android capable of leveraging access privileges , in other words — gaining root access .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "cyner2_5class_train_01610", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.17AD Trojan/W32.KRDDoS.950784 TROJ_DIDKR.A Win32.Trojan.WisdomEyes.16070401.9500.9770 Downloader.Castov TROJ_DIDKR.A Trojan.DownLoader9.34810 trojan.win32.miuref.c BehavesLike.Win32.Miuref.dc Trojan.Spy TR/Spy.950784.12 W32/KRDNSDDoS.A!tr TrojanDownloader:Win32/Simkor.A Win-Trojan/Ddkr.950784 Trj/CI.A Win32.Trojan.Spy.Hrpb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.17AD": [[26, 43]], "Indicator: Trojan/W32.KRDDoS.950784": [[44, 68]], "Indicator: TROJ_DIDKR.A": [[69, 81], [143, 155]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9770": [[82, 124]], "Indicator: Downloader.Castov": [[125, 142]], "Indicator: Trojan.DownLoader9.34810": [[156, 180]], "Indicator: trojan.win32.miuref.c": [[181, 202]], "Indicator: BehavesLike.Win32.Miuref.dc": [[203, 230]], "Indicator: Trojan.Spy": [[231, 241]], "Indicator: TR/Spy.950784.12": [[242, 258]], "Indicator: W32/KRDNSDDoS.A!tr": [[259, 277]], "Indicator: TrojanDownloader:Win32/Simkor.A": [[278, 309]], "Indicator: Win-Trojan/Ddkr.950784": [[310, 332]], "Indicator: Trj/CI.A": [[333, 341]], "Indicator: Win32.Trojan.Spy.Hrpb": [[342, 363]]}, "info": {"id": "cyner2_5class_train_01611", "source": "cyner2_5class_train"}} +{"text": "The second method uses intents , broadcasts , and receivers to execute HenBox code .", "spans": {}, "info": {"id": "cyner2_5class_train_01612", "source": "cyner2_5class_train"}} +{"text": "The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures.", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: 
Linux.PNScan.1": [[17, 31]], "System: ARM, MIPS,": [[56, 66]], "System: PowerPC architectures.": [[70, 92]]}, "info": {"id": "cyner2_5class_train_01613", "source": "cyner2_5class_train"}} +{"text": "We have investigated the malware to identify how it spreads, the techniques it uses and its impact.", "spans": {}, "info": {"id": "cyner2_5class_train_01614", "source": "cyner2_5class_train"}} +{"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground .", "spans": {}, "info": {"id": "cyner2_5class_train_01615", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.R2D2!O Backdoor.R2d2 Backdoor.R2D2 BKDR_R2D2.SMR Backdoor.Win32.R2D2.a Trojan.Win32.R2D2.esyktw Backdoor.Win32.R2D2.360448[UPX] Backdoor.W32.R2D2!c Backdoor.Win32.R2D2.~B1 BackDoor.RTwoDTwo.1 BKDR_R2D2.SMR BehavesLike.Win32.Fake.cc Backdoor.Win32.R2D2 Backdoor/R2D2.b TR/GruenFink.1 Backdoor.Win32.R2D2.a Backdoor:Win32/R2d2.A Trj/Bundestrojaner.A Win32/R2D2.A Win32.Backdoor.R2d2.Sudy Backdoor.R2D2!w/vENfl9bd8 W32/R2D2.A!tr.bdr Win32/Trojan.fd5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.R2D2!O": [[26, 47]], "Indicator: Backdoor.R2d2": [[48, 61]], "Indicator: Backdoor.R2D2": [[62, 75]], "Indicator: BKDR_R2D2.SMR": [[76, 89], [233, 246]], "Indicator: Backdoor.Win32.R2D2.a": [[90, 111], [324, 345]], "Indicator: Trojan.Win32.R2D2.esyktw": [[112, 136]], "Indicator: Backdoor.Win32.R2D2.360448[UPX]": [[137, 168]], "Indicator: Backdoor.W32.R2D2!c": [[169, 188]], "Indicator: Backdoor.Win32.R2D2.~B1": [[189, 212]], "Indicator: BackDoor.RTwoDTwo.1": [[213, 232]], "Indicator: BehavesLike.Win32.Fake.cc": [[247, 272]], "Indicator: Backdoor.Win32.R2D2": [[273, 292]], "Indicator: Backdoor/R2D2.b": [[293, 308]], "Indicator: TR/GruenFink.1": [[309, 323]], "Indicator: Backdoor:Win32/R2d2.A": [[346, 367]], "Indicator: Trj/Bundestrojaner.A": [[368, 388]], "Indicator: 
Win32/R2D2.A": [[389, 401]], "Indicator: Win32.Backdoor.R2d2.Sudy": [[402, 426]], "Indicator: Backdoor.R2D2!w/vENfl9bd8": [[427, 452]], "Indicator: W32/R2D2.A!tr.bdr": [[453, 470]], "Indicator: Win32/Trojan.fd5": [[471, 487]]}, "info": {"id": "cyner2_5class_train_01616", "source": "cyner2_5class_train"}} +{"text": "The name Carbanak comes from Carberp, a banking Trojan whose source code was leaked, and Anunak, a custom Trojan that has evolved over the years.", "spans": {"Malware: Carbanak": [[9, 17]], "Malware: Carberp,": [[29, 37]], "Malware: banking Trojan": [[40, 54]], "Malware: source code": [[61, 72]], "Malware: Anunak,": [[89, 96]], "Malware: custom Trojan": [[99, 112]]}, "info": {"id": "cyner2_5class_train_01617", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OverlayUPXDPM.PE W32.Lamer.FG8 PE_SILLY.T Win32.Virus.Lamer.f W32/SillyP2P.BO W32.SillyP2P Win32/Xolxo.A PE_SILLY.T Win.Worm.Delf-13898 Virus.Win32.Lamer.fg Trojan.Win32.Delf.oxkq Win32.BagarBubba.A W32.W.AutoRun.kYNN TrojWare.Win32.Pincav.AV Win32.HLLP.Bagar Worm.Delf.Win32.340 BehavesLike.Win32.Fesber.tm W32/Delf.aj W32/P2P_Worm.WULF-7526 Worm/Delf.vm Worm:Win32/Xolxo.A Virus.Win32.Lamer.fg W32/HLLP.11042 Worm.Delf Win32/Delf.NAY Virus.Win32.Lamer.fg Worm.SillyP2P!Dqe8+ZFutPA P2P-Worm.Win32.Delf.aj Virus.Win32.Viking.LG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OverlayUPXDPM.PE": [[26, 46]], "Indicator: W32.Lamer.FG8": [[47, 60]], "Indicator: PE_SILLY.T": [[61, 71], [135, 145]], "Indicator: Win32.Virus.Lamer.f": [[72, 91]], "Indicator: W32/SillyP2P.BO": [[92, 107]], "Indicator: W32.SillyP2P": [[108, 120]], "Indicator: Win32/Xolxo.A": [[121, 134]], "Indicator: Win.Worm.Delf-13898": [[146, 165]], "Indicator: Virus.Win32.Lamer.fg": [[166, 186], [405, 425], [466, 486]], "Indicator: Trojan.Win32.Delf.oxkq": [[187, 209]], "Indicator: Win32.BagarBubba.A": [[210, 228]], "Indicator: W32.W.AutoRun.kYNN": [[229, 247]], "Indicator: TrojWare.Win32.Pincav.AV": [[248, 
272]], "Indicator: Win32.HLLP.Bagar": [[273, 289]], "Indicator: Worm.Delf.Win32.340": [[290, 309]], "Indicator: BehavesLike.Win32.Fesber.tm": [[310, 337]], "Indicator: W32/Delf.aj": [[338, 349]], "Indicator: W32/P2P_Worm.WULF-7526": [[350, 372]], "Indicator: Worm/Delf.vm": [[373, 385]], "Indicator: Worm:Win32/Xolxo.A": [[386, 404]], "Indicator: W32/HLLP.11042": [[426, 440]], "Indicator: Worm.Delf": [[441, 450]], "Indicator: Win32/Delf.NAY": [[451, 465]], "Indicator: Worm.SillyP2P!Dqe8+ZFutPA": [[487, 512]], "Indicator: P2P-Worm.Win32.Delf.aj": [[513, 535]], "Indicator: Virus.Win32.Viking.LG": [[536, 557]]}, "info": {"id": "cyner2_5class_train_01618", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Shutit.A Trojandownloader.Shutit Trojan.Downloader.Shutit.A Downloader.Shutit.Win32.4 Troj.Downloader.W32.Shutit.10!c Trojan/Downloader.Shutit.10 Trojan.Downloader.Shutit.A Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.EKPI-0804 Win32/DlShut.A TROJ_SHUTIT.10.A Win.Trojan.Revell-1 Trojan.Downloader.Shutit.A Trojan-Downloader.Win32.Shutit.10 Trojan.Downloader.Shutit.A Trojan.Win32.Shutit.vmoy Trojan.Downloader.Shutit.A Trojan.Aphex.10 TROJ_SHUTIT.10.A BehavesLike.Win32.Downloader.zt Trojan-Downloader.Win32.Aphex TrojanDownloader.Shutit.10 TR/Shutit.10.A Trojan[Downloader]/Win32.Shutit Win32.Troj.Downloader.b.kcloud TrojanDownloader:Win32/Shutit.1_0 Trojan-Downloader.Win32.Shutit.10 TrojanDownloader.Shutit Trj/Dwn.Shutit.10 Win32/TrojanDownloader.Shutit.10 Win32.Trojan-downloader.Shutit.Ahxq Trojan.DL.Small!IxJNSrLVynM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Shutit.A": [[26, 52], [77, 103], [190, 216], [331, 357], [392, 418], [444, 470]], "Indicator: Trojandownloader.Shutit": [[53, 76]], "Indicator: Downloader.Shutit.Win32.4": [[104, 129]], "Indicator: Troj.Downloader.W32.Shutit.10!c": [[130, 161]], "Indicator: Trojan/Downloader.Shutit.10": [[162, 189]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9998": [[217, 259]], "Indicator: W32/Risk.EKPI-0804": [[260, 278]], "Indicator: Win32/DlShut.A": [[279, 293]], "Indicator: TROJ_SHUTIT.10.A": [[294, 310], [487, 503]], "Indicator: Win.Trojan.Revell-1": [[311, 330]], "Indicator: Trojan-Downloader.Win32.Shutit.10": [[358, 391], [705, 738]], "Indicator: Trojan.Win32.Shutit.vmoy": [[419, 443]], "Indicator: Trojan.Aphex.10": [[471, 486]], "Indicator: BehavesLike.Win32.Downloader.zt": [[504, 535]], "Indicator: Trojan-Downloader.Win32.Aphex": [[536, 565]], "Indicator: TrojanDownloader.Shutit.10": [[566, 592]], "Indicator: TR/Shutit.10.A": [[593, 607]], "Indicator: Trojan[Downloader]/Win32.Shutit": [[608, 639]], "Indicator: Win32.Troj.Downloader.b.kcloud": [[640, 670]], "Indicator: TrojanDownloader:Win32/Shutit.1_0": [[671, 704]], "Indicator: TrojanDownloader.Shutit": [[739, 762]], "Indicator: Trj/Dwn.Shutit.10": [[763, 780]], "Indicator: Win32/TrojanDownloader.Shutit.10": [[781, 813]], "Indicator: Win32.Trojan-downloader.Shutit.Ahxq": [[814, 849]], "Indicator: Trojan.DL.Small!IxJNSrLVynM": [[850, 877]]}, "info": {"id": "cyner2_5class_train_01619", "source": "cyner2_5class_train"}} +{"text": "However, Bookworm expands on its capabilities through its ability to load additional modules directly from its command and control C2 server.", "spans": {"Malware: Bookworm": [[9, 17]], "Indicator: command and control C2 server.": [[111, 141]]}, "info": {"id": "cyner2_5class_train_01620", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeMS Trojan.Win32.XPACK.bdmoql WS.Reputation.1 W32/Swisyn.CB Packed.Win32.Cryptcf.A Trojan.DownLoader7.26386 Packed.Multi.dlw Win32.Hack.Packed.f.kcloud Backdoor:Win32/Racdr.A BScope.Trojan.SvcHorse.01643 Backdoor.Win32.BlackHole W32/Multi.E!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeMS": [[26, 39]], "Indicator: Trojan.Win32.XPACK.bdmoql": [[40, 65]], "Indicator: WS.Reputation.1": [[66, 81]], 
"Indicator: W32/Swisyn.CB": [[82, 95]], "Indicator: Packed.Win32.Cryptcf.A": [[96, 118]], "Indicator: Trojan.DownLoader7.26386": [[119, 143]], "Indicator: Packed.Multi.dlw": [[144, 160]], "Indicator: Win32.Hack.Packed.f.kcloud": [[161, 187]], "Indicator: Backdoor:Win32/Racdr.A": [[188, 210]], "Indicator: BScope.Trojan.SvcHorse.01643": [[211, 239]], "Indicator: Backdoor.Win32.BlackHole": [[240, 264]], "Indicator: W32/Multi.E!tr": [[265, 279]], "Indicator: Trj/CI.A": [[280, 288]]}, "info": {"id": "cyner2_5class_train_01621", "source": "cyner2_5class_train"}} +{"text": "As we ’ ve mentioned earlier , Triada is downloaded by smaller Trojans that have leveraged the access privileges .", "spans": {"Malware: Triada": [[31, 37]]}, "info": {"id": "cyner2_5class_train_01622", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: JS:Trojan.JS.Likejack.A JS.Faceliker.NC JS/Faceliker.a JS/Faceliker.A!Eldorado JS:Trojan.JS.Likejack.A JS:Trojan.JS.Likejack.A TrojWare.JS.TrojanClicker.FbLiker.A JS:Trojan.JS.Likejack.A JS/Faceliker.a JS/Faceliker.A!Eldorado JS/FBJack.I!tr JS:Trojan.JS.Likejack.A TrojanClicker:JS/Faceliker.S Trojan-Clicker.JS.Faceliker Script.Trojan.JSClicker.A trojan.js.likejack.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS:Trojan.JS.Likejack.A": [[26, 49], [105, 128], [129, 152], [189, 212], [267, 290]], "Indicator: JS.Faceliker.NC": [[50, 65]], "Indicator: JS/Faceliker.a": [[66, 80], [213, 227]], "Indicator: JS/Faceliker.A!Eldorado": [[81, 104], [228, 251]], "Indicator: TrojWare.JS.TrojanClicker.FbLiker.A": [[153, 188]], "Indicator: JS/FBJack.I!tr": [[252, 266]], "Indicator: TrojanClicker:JS/Faceliker.S": [[291, 319]], "Indicator: Trojan-Clicker.JS.Faceliker": [[320, 347]], "Indicator: Script.Trojan.JSClicker.A": [[348, 373]], "Indicator: trojan.js.likejack.a": [[374, 394]]}, "info": {"id": "cyner2_5class_train_01623", "source": "cyner2_5class_train"}} +{"text": "The report details how many seemingly unrelated cyber attacks may, in 
fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize.", "spans": {"Indicator: cyber attacks": [[48, 61]], "System: logistics infrastructure": [[142, 166]]}, "info": {"id": "cyner2_5class_train_01624", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 HT_GM_GL290013.UVPM Trojan.Heur.Win32.10174 HT_GM_GL290013.UVPM BehavesLike.Win32.Trojan.vh Trojan.Heur.GM.D5FC4D76 Trojan/Win32.Buzus.R1005 Trojan.Win32.Tiggre", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[26, 68]], "Indicator: HT_GM_GL290013.UVPM": [[69, 88], [113, 132]], "Indicator: Trojan.Heur.Win32.10174": [[89, 112]], "Indicator: BehavesLike.Win32.Trojan.vh": [[133, 160]], "Indicator: Trojan.Heur.GM.D5FC4D76": [[161, 184]], "Indicator: Trojan/Win32.Buzus.R1005": [[185, 209]], "Indicator: Trojan.Win32.Tiggre": [[210, 229]]}, "info": {"id": "cyner2_5class_train_01625", "source": "cyner2_5class_train"}} +{"text": "We refer to these attacks as MuddyWater due to the confusion in attributing these attacks.", "spans": {"Indicator: attacks": [[18, 25]], "Indicator: attacks.": [[82, 90]]}, "info": {"id": "cyner2_5class_train_01626", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Bot Packed.Win32.Klone.bn TrojWare.Win32.VB.oks Win32.Hack.Klone.bn.kcloud Backdoor:Win32/Blohi.B Packed/Win32.Klone Backdoor.Win32.Blohi W32/VB.QIK!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bot": [[26, 38]], "Indicator: Packed.Win32.Klone.bn": [[39, 60]], "Indicator: TrojWare.Win32.VB.oks": [[61, 82]], "Indicator: Win32.Hack.Klone.bn.kcloud": [[83, 109]], "Indicator: Backdoor:Win32/Blohi.B": [[110, 132]], "Indicator: Packed/Win32.Klone": [[133, 151]], "Indicator: Backdoor.Win32.Blohi": [[152, 172]], "Indicator: W32/VB.QIK!tr": 
[[173, 186]], "Indicator: Trj/CI.A": [[187, 195]]}, "info": {"id": "cyner2_5class_train_01627", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has collected multiple spear phishing emails, weaponized document files, and payloads all targeting various offices of the Mongolian government and deployed between August 2015 and February 2016.", "spans": {"Organization: Unit 42": [[0, 7]], "Indicator: emails, weaponized document files, and payloads": [[46, 93]], "Organization: offices of the Mongolian government": [[116, 151]]}, "info": {"id": "cyner2_5class_train_01628", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Miancha.r5 Trojan.PR.Preshin!uX45uZVdtBM Backdoor.Readomesa Backdoor.Win32.Miancha.f Trojan.Win32.Miancha.dfftbq Trojan.Starter.3690 Backdoor.Miancha.Win32.5 Backdoor/Miancha.c TR/Cudofows.A.1 W32/Miancha.F!tr.bdr Trojan[Backdoor]/Win32.Miancha Trojan.Inject.28 Trojan:Win32/Cudofows.A Backdoor.Miancha Trj/CI.A Backdoor.Win32.Miancha Proxy.BEPF Win32/Trojan.b2e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Miancha.r5": [[26, 45]], "Indicator: Trojan.PR.Preshin!uX45uZVdtBM": [[46, 75]], "Indicator: Backdoor.Readomesa": [[76, 94]], "Indicator: Backdoor.Win32.Miancha.f": [[95, 119]], "Indicator: Trojan.Win32.Miancha.dfftbq": [[120, 147]], "Indicator: Trojan.Starter.3690": [[148, 167]], "Indicator: Backdoor.Miancha.Win32.5": [[168, 192]], "Indicator: Backdoor/Miancha.c": [[193, 211]], "Indicator: TR/Cudofows.A.1": [[212, 227]], "Indicator: W32/Miancha.F!tr.bdr": [[228, 248]], "Indicator: Trojan[Backdoor]/Win32.Miancha": [[249, 279]], "Indicator: Trojan.Inject.28": [[280, 296]], "Indicator: Trojan:Win32/Cudofows.A": [[297, 320]], "Indicator: Backdoor.Miancha": [[321, 337]], "Indicator: Trj/CI.A": [[338, 346]], "Indicator: Backdoor.Win32.Miancha": [[347, 369]], "Indicator: Proxy.BEPF": [[370, 380]], "Indicator: Win32/Trojan.b2e": [[381, 397]]}, "info": {"id": "cyner2_5class_train_01629", "source": 
"cyner2_5class_train"}} +{"text": "Recently, we came across an email exploit attempt, aimed at a European Point of Sales POS vendor.", "spans": {"Malware: email exploit": [[28, 41]], "System: European Point of Sales POS vendor.": [[62, 97]]}, "info": {"id": "cyner2_5class_train_01630", "source": "cyner2_5class_train"}} +{"text": "The Bergard Trojan and the C0d0so group that made it famous with the November 2014 watering hole attack via Forbes.com have received renewed attention recently, with other researchers potentially linking emerging tools and recent attacks to the group.", "spans": {"Malware: The Bergard Trojan": [[0, 18]], "Indicator: watering hole attack": [[83, 103]], "Indicator: Forbes.com": [[108, 118]], "Organization: researchers": [[172, 183]], "Malware: tools": [[213, 218]], "Indicator: attacks": [[230, 237]]}, "info": {"id": "cyner2_5class_train_01631", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.Mist.111104 Troj.PSW32.W.Mist.a!c Win32.Trojan.WisdomEyes.16070401.9500.9977 Trojan-PSW.Win32.Mist.a Trojan.Win32.Mist.dboecq Trojan.DownLoad3.33938 Trojan-PSW.Win32.Mist W32.Malware.Heur PWS:Win32/Steam.J Trojan-PSW.Win32.Mist.a TrojanPSW.Mist Win32.Trojan-qqpass.Qqrob.Ajli Trojan.PWS.Mist! 
W32/Mist.A!tr.pws Win32/Trojan.PSW.db7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.Mist.111104": [[26, 52]], "Indicator: Troj.PSW32.W.Mist.a!c": [[53, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[75, 117]], "Indicator: Trojan-PSW.Win32.Mist.a": [[118, 141], [247, 270]], "Indicator: Trojan.Win32.Mist.dboecq": [[142, 166]], "Indicator: Trojan.DownLoad3.33938": [[167, 189]], "Indicator: Trojan-PSW.Win32.Mist": [[190, 211]], "Indicator: W32.Malware.Heur": [[212, 228]], "Indicator: PWS:Win32/Steam.J": [[229, 246]], "Indicator: TrojanPSW.Mist": [[271, 285]], "Indicator: Win32.Trojan-qqpass.Qqrob.Ajli": [[286, 316]], "Indicator: Trojan.PWS.Mist!": [[317, 333]], "Indicator: W32/Mist.A!tr.pws": [[334, 351]], "Indicator: Win32/Trojan.PSW.db7": [[352, 372]]}, "info": {"id": "cyner2_5class_train_01632", "source": "cyner2_5class_train"}} +{"text": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called DealersChoice in use by the Sofacy group AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit.", "spans": {"Organization: Palo Alto Networks Unit 42": [[10, 36]], "Vulnerability: exploitation platform that": [[55, 81]]}, "info": {"id": "cyner2_5class_train_01633", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Collti Adware.ShandaAdd!DlXR6+5TT0o WS.Reputation.1 TR/Collti.A.24 Heuristic.BehavesLike.Win32.ModifiedUPX.C Trojan:Win32/Collti.A Trojan.Win32.Collti Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Collti": [[26, 39]], "Indicator: Adware.ShandaAdd!DlXR6+5TT0o": [[40, 68]], "Indicator: WS.Reputation.1": [[69, 84]], "Indicator: TR/Collti.A.24": [[85, 99]], "Indicator: Heuristic.BehavesLike.Win32.ModifiedUPX.C": [[100, 141]], "Indicator: Trojan:Win32/Collti.A": [[142, 163]], "Indicator: Trojan.Win32.Collti": [[164, 183]], "Indicator: Trj/CI.A": [[184, 192]]}, "info": {"id": "cyner2_5class_train_01634", "source": "cyner2_5class_train"}} 
+{"text": "This process is defined in the app ’ s AndroidManifest.xml config file , as shown in the following snippet .", "spans": {}, "info": {"id": "cyner2_5class_train_01635", "source": "cyner2_5class_train"}} +{"text": "The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates .", "spans": {}, "info": {"id": "cyner2_5class_train_01636", "source": "cyner2_5class_train"}} +{"text": "TrendMicro recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems.", "spans": {"Organization: TrendMicro": [[0, 10]], "Malware: BIFROSE malware": [[49, 64]], "System: UNIX": [[93, 97]], "System: UNIX-like systems.": [[102, 120]]}, "info": {"id": "cyner2_5class_train_01637", "source": "cyner2_5class_train"}} +{"text": "The code is not only obfuscated but also packed .", "spans": {}, "info": {"id": "cyner2_5class_train_01638", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Banker/W32.Banbra.186368 Trojan/ProxyChanger.g Win32.Trojan.WisdomEyes.16070401.9500.9844 Trojan-Banker.Win32.Banbra.tnul Win32.Trojan-banker.Banbra.Wtxw Trojan-Downloader.Win32.Murlo W32/Trojan.IUVC-7922 TR/StealthProxy.B.11 Trojan[Downloader]/Win32.Banload Win32.Troj.Undef.kcloud Trojan-Banker.Win32.Banbra.tnul Trojan:Win32/StealthProxy.B Trojan/Win32.Scar.R17882 Trojan.ProxyChanger!31A84p0+A4o W32/ProxyChanger.NM!tr Trj/CI.A Win32/Trojan.Proxy.d23", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Banker/W32.Banbra.186368": [[26, 50]], "Indicator: Trojan/ProxyChanger.g": [[51, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9844": [[73, 115]], "Indicator: Trojan-Banker.Win32.Banbra.tnul": [[116, 147], [309, 340]], "Indicator: Win32.Trojan-banker.Banbra.Wtxw": [[148, 179]], "Indicator: Trojan-Downloader.Win32.Murlo": [[180, 209]], "Indicator: W32/Trojan.IUVC-7922": [[210, 230]], "Indicator: TR/StealthProxy.B.11": [[231, 251]], "Indicator: 
Trojan[Downloader]/Win32.Banload": [[252, 284]], "Indicator: Win32.Troj.Undef.kcloud": [[285, 308]], "Indicator: Trojan:Win32/StealthProxy.B": [[341, 368]], "Indicator: Trojan/Win32.Scar.R17882": [[369, 393]], "Indicator: Trojan.ProxyChanger!31A84p0+A4o": [[394, 425]], "Indicator: W32/ProxyChanger.NM!tr": [[426, 448]], "Indicator: Trj/CI.A": [[449, 457]], "Indicator: Win32/Trojan.Proxy.d23": [[458, 480]]}, "info": {"id": "cyner2_5class_train_01639", "source": "cyner2_5class_train"}} +{"text": "We collect all data about your friends and family .", "spans": {}, "info": {"id": "cyner2_5class_train_01640", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Aebot!O Backdoor.GTbot.Win32.124 Trojan/Aebot.k Win32.Backdoor.Aebot.f Win.Trojan.Sdbot-2505 Backdoor.Aebot Backdoor.Win32.GTbot.c Trojan.Win32.GTbot.craqxn TrojWare.Win32.Aebot.EF BackDoor.IRC.Sdbot.based BehavesLike.Win32.Ipamor.gz Backdoor/GTbot.bj Backdoor.Win32.GTbot.c Win32/Aebot.K Backdoor.Aebot!dwOGgEtXe1I Backdoor.Win32.Aebot.K W32/Aebot.K!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Aebot!O": [[26, 48]], "Indicator: Backdoor.GTbot.Win32.124": [[49, 73]], "Indicator: Trojan/Aebot.k": [[74, 88]], "Indicator: Win32.Backdoor.Aebot.f": [[89, 111]], "Indicator: Win.Trojan.Sdbot-2505": [[112, 133]], "Indicator: Backdoor.Aebot": [[134, 148]], "Indicator: Backdoor.Win32.GTbot.c": [[149, 171], [293, 315]], "Indicator: Trojan.Win32.GTbot.craqxn": [[172, 197]], "Indicator: TrojWare.Win32.Aebot.EF": [[198, 221]], "Indicator: BackDoor.IRC.Sdbot.based": [[222, 246]], "Indicator: BehavesLike.Win32.Ipamor.gz": [[247, 274]], "Indicator: Backdoor/GTbot.bj": [[275, 292]], "Indicator: Win32/Aebot.K": [[316, 329]], "Indicator: Backdoor.Aebot!dwOGgEtXe1I": [[330, 356]], "Indicator: Backdoor.Win32.Aebot.K": [[357, 379]], "Indicator: W32/Aebot.K!tr": [[380, 394]]}, "info": {"id": "cyner2_5class_train_01641", "source": "cyner2_5class_train"}} +{"text": "Derkziel info 
stealer Steam, Opera, Yandex, ...", "spans": {"Malware: Derkziel": [[0, 8]], "System: Steam, Opera, Yandex,": [[22, 43]]}, "info": {"id": "cyner2_5class_train_01642", "source": "cyner2_5class_train"}} +{"text": "What are Google authorization tokens ? A Google authorization token is a way to access the Google account and the related services of a user .", "spans": {"Organization: Google": [[9, 15], [41, 47], [91, 97]]}, "info": {"id": "cyner2_5class_train_01643", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mdropper TROJ_ARTIEF.CR Exploit.MSWord.CVE-2010-3333.ci Exploit.Rtf.CVE-2010-3333.hzts Exploit.Rtf.based TROJ_ARTIEF.CR TrojanDropper.RTF.b NORMAL:Hack.Exploit.Script.CVE-2010-3333.a!1609827 Data/CVE20103333.A!exploit Luhe.Exploit.RTF.CVE-2010-3333.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mdropper": [[26, 41]], "Indicator: TROJ_ARTIEF.CR": [[42, 56], [138, 152]], "Indicator: Exploit.MSWord.CVE-2010-3333.ci": [[57, 88]], "Indicator: Exploit.Rtf.CVE-2010-3333.hzts": [[89, 119]], "Indicator: Exploit.Rtf.based": [[120, 137]], "Indicator: TrojanDropper.RTF.b": [[153, 172]], "Indicator: NORMAL:Hack.Exploit.Script.CVE-2010-3333.a!1609827": [[173, 223]], "Indicator: Data/CVE20103333.A!exploit": [[224, 250]], "Indicator: Luhe.Exploit.RTF.CVE-2010-3333.A": [[251, 283]]}, "info": {"id": "cyner2_5class_train_01644", "source": "cyner2_5class_train"}} +{"text": "With the capability to open a given URL in a browser , the actor behind ‘ SimBad ’ can generate phishing pages for multiple platforms and open them in a browser , thus performing spear-phishing attacks on the user .", "spans": {"Malware: SimBad": [[74, 80]]}, "info": {"id": "cyner2_5class_train_01645", "source": "cyner2_5class_train"}} +{"text": "In December 2015, several researchers reported that websites hosting the Rig Exploit Kit were serving an updated version of Qbot.3 4 5 Then in January 2016, over 500 devices at a large public organisation wereinfected 
with Qbot.", "spans": {"Organization: researchers": [[26, 37]], "Indicator: websites hosting": [[52, 68]], "Malware: the Rig Exploit Kit": [[69, 88]], "Malware: Qbot.3 4 5": [[124, 134]], "System: devices": [[166, 173]], "Organization: large public organisation": [[179, 204]], "Malware: Qbot.": [[223, 228]]}, "info": {"id": "cyner2_5class_train_01646", "source": "cyner2_5class_train"}} +{"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing .", "spans": {}, "info": {"id": "cyner2_5class_train_01647", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SpamlesEI1.Trojan Rootkit.KillAv.B Trojan/W32.Rootkit.3712.K Trojan.Kapa.A Rootkit.W32.Small.to6t Trojan/AutoRun.AntiAV.r Rootkit.KillAv.B RTKT_SMALL.SMB Hacktool.Rootkit Win32/SillyAutorun.DCA RTKT_SMALL.SMB Rootkit.KillAv.B Rootkit.Win32.Small.sfn Rootkit.KillAv.B Trojan.Win32.NtRootKit.chvyyx Rootkit.KillAv.B TrojWare.Win32.Rootkit.Small.AA Trojan.NtRootKit.10455 Trojan:Winnt/Kapa.A Trojan:WinNT/Kapa.A Rootkit.Win32.Small.sfn Backdoor/Win32.Rootkit.R1193 Rootkit.KillAv.B Trojan.Win32.KillAV.af Worm.Orbina!Ypp8YqYGicY Trojan.WinNT.Kapa RootKit.Win32.KillAV.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SpamlesEI1.Trojan": [[26, 47]], "Indicator: Rootkit.KillAv.B": [[48, 64], [152, 168], [239, 255], [280, 296], [327, 343], [492, 508]], "Indicator: Trojan/W32.Rootkit.3712.K": [[65, 90]], "Indicator: Trojan.Kapa.A": [[91, 104]], "Indicator: Rootkit.W32.Small.to6t": [[105, 127]], "Indicator: Trojan/AutoRun.AntiAV.r": [[128, 151]], "Indicator: RTKT_SMALL.SMB": [[169, 183], [224, 238]], "Indicator: Hacktool.Rootkit": [[184, 200]], "Indicator: Win32/SillyAutorun.DCA": [[201, 223]], "Indicator: Rootkit.Win32.Small.sfn": [[256, 279], [439, 462]], "Indicator: Trojan.Win32.NtRootKit.chvyyx": [[297, 326]], "Indicator: TrojWare.Win32.Rootkit.Small.AA": [[344, 375]], "Indicator: Trojan.NtRootKit.10455": [[376, 398]], "Indicator: 
Trojan:Winnt/Kapa.A": [[399, 418]], "Indicator: Trojan:WinNT/Kapa.A": [[419, 438]], "Indicator: Backdoor/Win32.Rootkit.R1193": [[463, 491]], "Indicator: Trojan.Win32.KillAV.af": [[509, 531]], "Indicator: Worm.Orbina!Ypp8YqYGicY": [[532, 555]], "Indicator: Trojan.WinNT.Kapa": [[556, 573]], "Indicator: RootKit.Win32.KillAV.B": [[574, 596]]}, "info": {"id": "cyner2_5class_train_01648", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware03 Trojanspy.Banker.16710 Win32/Tnega.EcVXcGD Trojan.Win32.Small.csf Troj.W32.Small.mfSA Trojan.Starter.3499 Trojan.Small.Win32.24377 Trojan/Small.paq TR/Rogue.30781 Trojan/Win32.Small Trojan:Win32/Meicater.A!bit Trojan.Strictor.D240AB Trojan.Win32.Small.csf Trojan.Small Trojan.Small!+nCz0Wnah68 Trojan.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware03": [[26, 45]], "Indicator: Trojanspy.Banker.16710": [[46, 68]], "Indicator: Win32/Tnega.EcVXcGD": [[69, 88]], "Indicator: Trojan.Win32.Small.csf": [[89, 111], [279, 301]], "Indicator: Troj.W32.Small.mfSA": [[112, 131]], "Indicator: Trojan.Starter.3499": [[132, 151]], "Indicator: Trojan.Small.Win32.24377": [[152, 176]], "Indicator: Trojan/Small.paq": [[177, 193]], "Indicator: TR/Rogue.30781": [[194, 208]], "Indicator: Trojan/Win32.Small": [[209, 227]], "Indicator: Trojan:Win32/Meicater.A!bit": [[228, 255]], "Indicator: Trojan.Strictor.D240AB": [[256, 278]], "Indicator: Trojan.Small": [[302, 314]], "Indicator: Trojan.Small!+nCz0Wnah68": [[315, 339]], "Indicator: Trojan.Win32.Small": [[340, 358]]}, "info": {"id": "cyner2_5class_train_01649", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Mahato!O Backdoor.Bifrose.F8 Trojan/Mahato.caj Win32.Trojan.WisdomEyes.16070401.9500.9964 TROJ_CALYPS.SMUJ Win.Trojan.Mahato-1 Trojan.Win32.Mahato.caj Trojan.Win32.Mahato.ijlmo Trojan.Win32.Scar.118272[UPX] TrojWare.Win32.Mahato.A BehavesLike.Win32.Sytro.cc Trojan/Mahato.ob W32.Backdoor.Apocalypse 
Trojan/Win32.Mahato Win32.Troj.Scar.15.kcloud Trojan.Zusy.DAAC W32.W.AutoRun.lkXC Trojan.Win32.Mahato.caj Trojan:Win32/Lypsacop.A Trojan/Win32.Mahato.R2854 Backdoor.Bifrose Virus.Win32.Delf Trojan.Mahato", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Mahato!O": [[26, 47]], "Indicator: Backdoor.Bifrose.F8": [[48, 67]], "Indicator: Trojan/Mahato.caj": [[68, 85]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[86, 128]], "Indicator: TROJ_CALYPS.SMUJ": [[129, 145]], "Indicator: Win.Trojan.Mahato-1": [[146, 165]], "Indicator: Trojan.Win32.Mahato.caj": [[166, 189], [420, 443]], "Indicator: Trojan.Win32.Mahato.ijlmo": [[190, 215]], "Indicator: Trojan.Win32.Scar.118272[UPX]": [[216, 245]], "Indicator: TrojWare.Win32.Mahato.A": [[246, 269]], "Indicator: BehavesLike.Win32.Sytro.cc": [[270, 296]], "Indicator: Trojan/Mahato.ob": [[297, 313]], "Indicator: W32.Backdoor.Apocalypse": [[314, 337]], "Indicator: Trojan/Win32.Mahato": [[338, 357]], "Indicator: Win32.Troj.Scar.15.kcloud": [[358, 383]], "Indicator: Trojan.Zusy.DAAC": [[384, 400]], "Indicator: W32.W.AutoRun.lkXC": [[401, 419]], "Indicator: Trojan:Win32/Lypsacop.A": [[444, 467]], "Indicator: Trojan/Win32.Mahato.R2854": [[468, 493]], "Indicator: Backdoor.Bifrose": [[494, 510]], "Indicator: Virus.Win32.Delf": [[511, 527]], "Indicator: Trojan.Mahato": [[528, 541]]}, "info": {"id": "cyner2_5class_train_01650", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan.Mauvaise.SL1 TROJ_NITOL.SMD Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan2.PAML TROJ_NITOL.SMD Win32.Trojan-DDoS.Yoddos.A Trojan-Dropper.Win32.Dinwod.wkn Trojan.Win32.Staser.demkhd Troj.Dropper.W32.Dinwod.toj0 TrojWare.Win32.Nitol.KA DDoS.Attack.384 Trojan.Staser.Win32.2253 BehavesLike.Win32.Downloader.nm Trojan.Win32.Yoddos W32/Trojan.QEFN-2077 Trojan/Staser.le TR/Dropper.cgytn Trojan-Dropper.Win32.Dinwod.wkn Trojan:Win32/Wepiall.A Backdoor/Win32.Farfli.R119148 Trojan.Staser 
Trj/CI.A Win32/Yoddos.BW Trojan.Win32.Staser.anbya W32/Yoddos.BW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware10": [[26, 45]], "Indicator: Trojan.Mauvaise.SL1": [[46, 65]], "Indicator: TROJ_NITOL.SMD": [[66, 80], [141, 155]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[81, 123]], "Indicator: W32/Trojan2.PAML": [[124, 140]], "Indicator: Win32.Trojan-DDoS.Yoddos.A": [[156, 182]], "Indicator: Trojan-Dropper.Win32.Dinwod.wkn": [[183, 214], [443, 474]], "Indicator: Trojan.Win32.Staser.demkhd": [[215, 241]], "Indicator: Troj.Dropper.W32.Dinwod.toj0": [[242, 270]], "Indicator: TrojWare.Win32.Nitol.KA": [[271, 294]], "Indicator: DDoS.Attack.384": [[295, 310]], "Indicator: Trojan.Staser.Win32.2253": [[311, 335]], "Indicator: BehavesLike.Win32.Downloader.nm": [[336, 367]], "Indicator: Trojan.Win32.Yoddos": [[368, 387]], "Indicator: W32/Trojan.QEFN-2077": [[388, 408]], "Indicator: Trojan/Staser.le": [[409, 425]], "Indicator: TR/Dropper.cgytn": [[426, 442]], "Indicator: Trojan:Win32/Wepiall.A": [[475, 497]], "Indicator: Backdoor/Win32.Farfli.R119148": [[498, 527]], "Indicator: Trojan.Staser": [[528, 541]], "Indicator: Trj/CI.A": [[542, 550]], "Indicator: Win32/Yoddos.BW": [[551, 566]], "Indicator: Trojan.Win32.Staser.anbya": [[567, 592]], "Indicator: W32/Yoddos.BW!tr": [[593, 609]]}, "info": {"id": "cyner2_5class_train_01651", "source": "cyner2_5class_train"}} +{"text": "For testing purposes we inserted a fake contacts list to our Android Emulator and observed resultant behavior .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "cyner2_5class_train_01652", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.1167 O97M.Downloader.4967 VB:Trojan.Valyria.1167 VB:Trojan.Valyria.1167 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.1167 VB:Trojan.Valyria.1167 HEUR.VBA.Trojan.e W97M.Downloader.GOX virus.office.qexvmc.1085", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
VB:Trojan.Valyria.1167": [[26, 48], [70, 92], [93, 115], [149, 171], [172, 194]], "Indicator: O97M.Downloader.4967": [[49, 69]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[116, 148]], "Indicator: HEUR.VBA.Trojan.e": [[195, 212]], "Indicator: W97M.Downloader.GOX": [[213, 232]], "Indicator: virus.office.qexvmc.1085": [[233, 257]]}, "info": {"id": "cyner2_5class_train_01653", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Backdoor.Linux.Tsunami.A Linux.Backdoor.Kaiten ELF_KAITEN.SM HEUR:Backdoor.Linux.Tsunami.bh Trojan.Tsunami.exnldy Backdoor.Linux.Tsunami!c Linux.BackDoor.Tsunami.761 ELF_KAITEN.SM ELF/Backdoor.EWHJ- Backdoor.Linux.aego LINUX/Tsunami.bkdwv Trojan[Backdoor]/Linux.Tsunami.bh Trojan.Backdoor.Linux.Tsunami.1 HEUR:Backdoor.Linux.Tsunami.bh Backdoor.Linux.Tsunami.b Trojan.Linux.Tsunami ELF/Tsunami.NBV!tr Win32/Trojan.fba", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Linux.Tsunami.A": [[43, 67]], "Indicator: Linux.Backdoor.Kaiten": [[68, 89]], "Indicator: ELF_KAITEN.SM": [[90, 103], [209, 222]], "Indicator: HEUR:Backdoor.Linux.Tsunami.bh": [[104, 134], [348, 378]], "Indicator: Trojan.Tsunami.exnldy": [[135, 156]], "Indicator: Backdoor.Linux.Tsunami!c": [[157, 181]], "Indicator: Linux.BackDoor.Tsunami.761": [[182, 208]], "Indicator: ELF/Backdoor.EWHJ-": [[223, 241]], "Indicator: Backdoor.Linux.aego": [[242, 261]], "Indicator: LINUX/Tsunami.bkdwv": [[262, 281]], "Indicator: Trojan[Backdoor]/Linux.Tsunami.bh": [[282, 315]], "Indicator: Trojan.Backdoor.Linux.Tsunami.1": [[316, 347]], "Indicator: Backdoor.Linux.Tsunami.b": [[379, 403]], "Indicator: Trojan.Linux.Tsunami": [[404, 424]], "Indicator: ELF/Tsunami.NBV!tr": [[425, 443]], "Indicator: Win32/Trojan.fba": [[444, 460]]}, "info": {"id": "cyner2_5class_train_01654", "source": "cyner2_5class_train"}} +{"text": "This sample is similar to those presented in other recent Marcher analyses [ 1 ] [ 2 ] .", "spans": {"Malware: Marcher": [[58, 65]]}, 
"info": {"id": "cyner2_5class_train_01655", "source": "cyner2_5class_train"}} +{"text": "Recently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state.", "spans": {"Indicator: sophisticated technique": [[28, 51]], "System: infect systems": [[114, 128]], "Malware: RATs.": [[134, 139]], "Malware: payload/file": [[176, 188]], "Vulnerability: memory": [[200, 206]], "Indicator: de-encrypted state.": [[259, 278]]}, "info": {"id": "cyner2_5class_train_01656", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Cossta!O Trojan.Cossta Trojan.Win32.Cossta.vjk Trojan.Win32.Drop.dxlfgu Trojan.Win32.Cossta.49152 Trojan.KillFiles.18641 Trojan/Cossta.ett Trojan/Win32.Cossta Worm:Win32/Vobirue.A W32.W.AutoRun.l6mI Trojan.Win32.Cossta.vjk HEUR/Fakon.mwf Win32/VB.OPD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Cossta!O": [[26, 47]], "Indicator: Trojan.Cossta": [[48, 61]], "Indicator: Trojan.Win32.Cossta.vjk": [[62, 85], [238, 261]], "Indicator: Trojan.Win32.Drop.dxlfgu": [[86, 110]], "Indicator: Trojan.Win32.Cossta.49152": [[111, 136]], "Indicator: Trojan.KillFiles.18641": [[137, 159]], "Indicator: Trojan/Cossta.ett": [[160, 177]], "Indicator: Trojan/Win32.Cossta": [[178, 197]], "Indicator: Worm:Win32/Vobirue.A": [[198, 218]], "Indicator: W32.W.AutoRun.l6mI": [[219, 237]], "Indicator: HEUR/Fakon.mwf": [[262, 276]], "Indicator: Win32/VB.OPD": [[277, 289]]}, "info": {"id": "cyner2_5class_train_01657", "source": "cyner2_5class_train"}} +{"text": "With this latest report, we have now identified at least 21 cases in Mexico of abusive, improper targeting with NSO Group's Pegasus spyware", "spans": {"Malware: Pegasus spyware": [[124, 139]]}, "info": {"id": "cyner2_5class_train_01658", "source": "cyner2_5class_train"}} 
+{"text": "However , many users are in no hurry to update the operating systems of their products .", "spans": {}, "info": {"id": "cyner2_5class_train_01659", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeAlert.TK Rootkit.Win32.Clbd!O Trojan/Clbd.dt Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAlert.TK Trojan.FakeAlert.TK Trojan.Win32.Clbd.oyzd Trojan.Win32.Z.Clbd.68100 Trojan.FakeAlert.TK Trojan.FakeAlert.TK Rootkit.Clbd.Win32.6 BehavesLike.Win32.VirRansom.kc Trojan.Win32.Waledac Rootkit.Clbd.av Trojan.FakeAlert.TK TrojanDropper:Win32/Pasich.A Trojan/Win32.Bredlab.R17 Trojan.FakeAlert.TK MalwareScope.Worm.Nuwar-Glowa.1 Rootkit.Clbd!+/k5iv7h7q8 Win32/Trojan.df3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeAlert.TK": [[26, 45], [125, 144], [145, 164], [214, 233], [234, 253], [343, 362], [417, 436]], "Indicator: Rootkit.Win32.Clbd!O": [[46, 66]], "Indicator: Trojan/Clbd.dt": [[67, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Trojan.Win32.Clbd.oyzd": [[165, 187]], "Indicator: Trojan.Win32.Z.Clbd.68100": [[188, 213]], "Indicator: Rootkit.Clbd.Win32.6": [[254, 274]], "Indicator: BehavesLike.Win32.VirRansom.kc": [[275, 305]], "Indicator: Trojan.Win32.Waledac": [[306, 326]], "Indicator: Rootkit.Clbd.av": [[327, 342]], "Indicator: TrojanDropper:Win32/Pasich.A": [[363, 391]], "Indicator: Trojan/Win32.Bredlab.R17": [[392, 416]], "Indicator: MalwareScope.Worm.Nuwar-Glowa.1": [[437, 468]], "Indicator: Rootkit.Clbd!+/k5iv7h7q8": [[469, 493]], "Indicator: Win32/Trojan.df3": [[494, 510]]}, "info": {"id": "cyner2_5class_train_01660", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Veil.5 W32/Trojan.UYPJ-5875 Ruby/Rozena.H Trojan.Win32.Ruby.emhncx Trojan.SkypeSpam.11018 TR/AD.Rozena.uidpc Trojan.Win32.Z.Veil.654486.A Trojan.SkypeSpam! 
Trojan.Ruby.Rozena Win32/Trojan.34d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Veil.5": [[26, 39]], "Indicator: W32/Trojan.UYPJ-5875": [[40, 60]], "Indicator: Ruby/Rozena.H": [[61, 74]], "Indicator: Trojan.Win32.Ruby.emhncx": [[75, 99]], "Indicator: Trojan.SkypeSpam.11018": [[100, 122]], "Indicator: TR/AD.Rozena.uidpc": [[123, 141]], "Indicator: Trojan.Win32.Z.Veil.654486.A": [[142, 170]], "Indicator: Trojan.SkypeSpam!": [[171, 188]], "Indicator: Trojan.Ruby.Rozena": [[189, 207]], "Indicator: Win32/Trojan.34d": [[208, 224]]}, "info": {"id": "cyner2_5class_train_01661", "source": "cyner2_5class_train"}} +{"text": "Apart from infecting systems with it, we also spotted instances where common lateral movement tools were detected around the same time they were actively compromising the endpoint with MajikPOS.", "spans": {"System: infecting systems": [[11, 28]], "Malware: MajikPOS.": [[185, 194]]}, "info": {"id": "cyner2_5class_train_01662", "source": "cyner2_5class_train"}} +{"text": "The malicious code only makes for a small part of the app, making it difficult to detect.", "spans": {}, "info": {"id": "cyner2_5class_train_01663", "source": "cyner2_5class_train"}} +{"text": "Starting content observers and the main task loop to receive remote commands and exfiltrate data The app uses six techniques to collect user data : Repeated commands : use alarms to periodically repeat actions on the device to expose data , including gathering location data .", "spans": {}, "info": {"id": "cyner2_5class_train_01664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.FakeInst.BD Android.Opfake.E Android.Trojan.FakeInst.BD AndroidOS/Opfake.AR ANDROIDOS_SMSUPDATE.C Andr.Trojan.Opfake-4 Android.Trojan.FakeInst.BD HEUR:Trojan-SMS.AndroidOS.Opfake.a A.H.Pay.ApuAte Trojan.Android.Opfake.emekxt Trojan:Android/Fakeinst.CG Android.SmsSend.2293 ANDROIDOS_SMSUPDATE.C AndroidOS/Opfake.AR Trojan/AndroidOS.r Trojan[SMS]/Android.Opfake 
Android.Troj.Opfake.b.kcloud Android.Trojan.FakeInst.BD HEUR:Trojan-SMS.AndroidOS.Opfake.a Android-Trojan/FakeInst.1b13 Trojan.AndroidOS.Opfake.A Trojan.Android.FakeInstall.p Trojan-SMS.AndroidOS.Opfake", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.FakeInst.BD": [[26, 52], [70, 96], [160, 186], [431, 457]], "Indicator: Android.Opfake.E": [[53, 69]], "Indicator: AndroidOS/Opfake.AR": [[97, 116], [336, 355]], "Indicator: ANDROIDOS_SMSUPDATE.C": [[117, 138], [314, 335]], "Indicator: Andr.Trojan.Opfake-4": [[139, 159]], "Indicator: HEUR:Trojan-SMS.AndroidOS.Opfake.a": [[187, 221], [458, 492]], "Indicator: A.H.Pay.ApuAte": [[222, 236]], "Indicator: Trojan.Android.Opfake.emekxt": [[237, 265]], "Indicator: Trojan:Android/Fakeinst.CG": [[266, 292]], "Indicator: Android.SmsSend.2293": [[293, 313]], "Indicator: Trojan/AndroidOS.r": [[356, 374]], "Indicator: Trojan[SMS]/Android.Opfake": [[375, 401]], "Indicator: Android.Troj.Opfake.b.kcloud": [[402, 430]], "Indicator: Android-Trojan/FakeInst.1b13": [[493, 521]], "Indicator: Trojan.AndroidOS.Opfake.A": [[522, 547]], "Indicator: Trojan.Android.FakeInstall.p": [[548, 576]], "Indicator: Trojan-SMS.AndroidOS.Opfake": [[577, 604]]}, "info": {"id": "cyner2_5class_train_01665", "source": "cyner2_5class_train"}} +{"text": "They only compromise specific high-value targets and once inside the company networks, move laterally to hosts that can be monetized.", "spans": {"Indicator: compromise": [[10, 20]], "System: company networks,": [[69, 86]], "System: hosts": [[105, 110]]}, "info": {"id": "cyner2_5class_train_01666", "source": "cyner2_5class_train"}} +{"text": "Moreover , there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks .", "spans": {"Malware: SpyNote": [[44, 51]]}, "info": {"id": "cyner2_5class_train_01667", "source": "cyner2_5class_train"}} +{"text": "Our analysis indicates that this trojan is in its testing stage but given its potential , 
every mobile user should be aware of GPlayed .", "spans": {"Malware: GPlayed": [[127, 134]]}, "info": {"id": "cyner2_5class_train_01668", "source": "cyner2_5class_train"}} +{"text": "We've recently discussed Corebot malware and its possible ties to btcshop.cc, a site selling stolen data.", "spans": {"Malware: Corebot malware": [[25, 40]], "Indicator: btcshop.cc,": [[66, 77]], "Indicator: site": [[80, 84]]}, "info": {"id": "cyner2_5class_train_01669", "source": "cyner2_5class_train"}} +{"text": "We are continuing to watch it closely .", "spans": {}, "info": {"id": "cyner2_5class_train_01670", "source": "cyner2_5class_train"}} +{"text": "The Makop ransomware gang is still using the same tools used in their first operations in 2020, according to a recent investigation by Lifars security team, which has identified four of the gang's tools.", "spans": {"Malware: tools": [[50, 55]], "Organization: Lifars security team,": [[135, 156]], "Organization: the gang's": [[186, 196]], "Malware: tools.": [[197, 203]]}, "info": {"id": "cyner2_5class_train_01671", "source": "cyner2_5class_train"}} +{"text": "] comuseraccount [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01672", "source": "cyner2_5class_train"}} +{"text": "This mobile malware masquerades as legitimate , trusted postal service applications so that it can gain the users trust .", "spans": {}, "info": {"id": "cyner2_5class_train_01673", "source": "cyner2_5class_train"}} +{"text": "If the value of this field failed to arrive from the C & C , it was selected from the file data.db using a pseudo-random algorithm .", "spans": {"Indicator: data.db": [[91, 98]]}, "info": {"id": "cyner2_5class_train_01674", "source": "cyner2_5class_train"}} +{"text": "It listens to events like TYPE_VIEW_TEXT_CHANGED .", "spans": {}, "info": {"id": "cyner2_5class_train_01675", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9531 Win.Trojan.AutoIT-6333854-0 AutoIt/injector.E 
AutoIt/injector.E Win32/Injector.Autoit.DFJ Trojan.Win32.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9531": [[26, 68]], "Indicator: Win.Trojan.AutoIT-6333854-0": [[69, 96]], "Indicator: AutoIt/injector.E": [[97, 114], [115, 132]], "Indicator: Win32/Injector.Autoit.DFJ": [[133, 158]], "Indicator: Trojan.Win32.Injector": [[159, 180]]}, "info": {"id": "cyner2_5class_train_01676", "source": "cyner2_5class_train"}} +{"text": "Port 6209 : Telegram extraction service .", "spans": {"Indicator: Port 6209": [[0, 9]], "System: Telegram": [[12, 20]]}, "info": {"id": "cyner2_5class_train_01677", "source": "cyner2_5class_train"}} +{"text": "However , due to the absence of certification centers verifying the digital signatures of Android programs , nothing prevents criminals from adding their own signature .", "spans": {}, "info": {"id": "cyner2_5class_train_01678", "source": "cyner2_5class_train"}} +{"text": "This file contained embedded macro code that executed a commonly observed PowerShell command to download and execute a file.", "spans": {"Malware: embedded macro code": [[20, 39]], "System: PowerShell command": [[74, 92]], "Indicator: file.": [[119, 124]]}, "info": {"id": "cyner2_5class_train_01679", "source": "cyner2_5class_train"}} +{"text": "MONSOON is the name given to the Forcepoint Security Labs", "spans": {"Organization: MONSOON": [[0, 7]], "Organization: the Forcepoint Security Labs": [[29, 57]]}, "info": {"id": "cyner2_5class_train_01680", "source": "cyner2_5class_train"}} +{"text": "In some cases , malicious components are dynamically downloaded onto a device after an infected app is installed .", "spans": {}, "info": {"id": "cyner2_5class_train_01681", "source": "cyner2_5class_train"}} +{"text": "Myanmar is a country currently engaged in an important political process.", "spans": {}, "info": {"id": "cyner2_5class_train_01682", "source": "cyner2_5class_train"}} +{"text": "] today admin [ .databit [ .today 
cendata [ .", "spans": {"Indicator: admin [ .databit [ .today": [[8, 33]], "Indicator: cendata [ .": [[34, 45]]}, "info": {"id": "cyner2_5class_train_01683", "source": "cyner2_5class_train"}} +{"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:", "spans": {"Malware: FormBook malware,": [[131, 148]]}, "info": {"id": "cyner2_5class_train_01684", "source": "cyner2_5class_train"}} +{"text": "CryptoWall is a type of malware known as ransomware, which encrypts a victim's files and subsequently demands payment in exchange for the decryption key.", "spans": {"Malware: CryptoWall": [[0, 10]], "Malware: malware": [[24, 31]], "Malware: ransomware,": [[41, 52]], "Indicator: encrypts": [[59, 67]], "Indicator: victim's files": [[70, 84]], "Indicator: demands payment": [[102, 117]], "Indicator: exchange for the decryption key.": [[121, 153]]}, "info": {"id": "cyner2_5class_train_01685", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.Win32.MS04-028!O Trojan.Diztakun W32.W.Ridnu.ls5O Trojan/Exploit.MS04-028.g Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/HideinPic.A Win.Trojan.Ag-1 Trojan.Win32.Diztakun.xnd Exploit.Win32.MS04028.lhyh Trojan.MulDrop3.32325 Exploit.MS04.Win32.105 BehavesLike.Win32.Vilsel.qc Trojan-Banker.Win32.Bancos Exploit.MS04-028.h Trojan[Exploit]/Win32.MS04-028 Trojan:Win32/Greener.A Trojan.Win32.Diztakun.xnd Trojan/Win32.Xema.C6210 Exploit.MS04028 Trojan.Heur.dmHfrf5Ccil Win32/Greener.A Win32.Virus.Greener.Pdct Worm.Kilada.A W32/Greener.A!tr Win32/Trojan.cae", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Win32.MS04-028!O": [[26, 50]], "Indicator: Trojan.Diztakun": [[51, 66]], "Indicator: W32.W.Ridnu.ls5O": [[67, 83]], "Indicator: Trojan/Exploit.MS04-028.g": [[84, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[110, 152]], "Indicator: Win32/HideinPic.A": [[153, 170]], 
"Indicator: Win.Trojan.Ag-1": [[171, 186]], "Indicator: Trojan.Win32.Diztakun.xnd": [[187, 212], [413, 438]], "Indicator: Exploit.Win32.MS04028.lhyh": [[213, 239]], "Indicator: Trojan.MulDrop3.32325": [[240, 261]], "Indicator: Exploit.MS04.Win32.105": [[262, 284]], "Indicator: BehavesLike.Win32.Vilsel.qc": [[285, 312]], "Indicator: Trojan-Banker.Win32.Bancos": [[313, 339]], "Indicator: Exploit.MS04-028.h": [[340, 358]], "Indicator: Trojan[Exploit]/Win32.MS04-028": [[359, 389]], "Indicator: Trojan:Win32/Greener.A": [[390, 412]], "Indicator: Trojan/Win32.Xema.C6210": [[439, 462]], "Indicator: Exploit.MS04028": [[463, 478]], "Indicator: Trojan.Heur.dmHfrf5Ccil": [[479, 502]], "Indicator: Win32/Greener.A": [[503, 518]], "Indicator: Win32.Virus.Greener.Pdct": [[519, 543]], "Indicator: Worm.Kilada.A": [[544, 557]], "Indicator: W32/Greener.A!tr": [[558, 574]], "Indicator: Win32/Trojan.cae": [[575, 591]]}, "info": {"id": "cyner2_5class_train_01686", "source": "cyner2_5class_train"}} +{"text": "In fact, this concept is nothing novel – we already saw many ransomware families that can do the same.", "spans": {}, "info": {"id": "cyner2_5class_train_01687", "source": "cyner2_5class_train"}} +{"text": "This malware has the capability to overwrite a victim host's master boot record MBR and all data files.", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "cyner2_5class_train_01688", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Barys.DD90F Trojan:Win32/Rozena.D!bit Trojan.PowerShell.Rozena", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Barys.DD90F": [[26, 44]], "Indicator: Trojan:Win32/Rozena.D!bit": [[45, 70]], "Indicator: Trojan.PowerShell.Rozena": [[71, 95]]}, "info": {"id": "cyner2_5class_train_01689", "source": "cyner2_5class_train"}} +{"text": "Pro PoS is simple-to-use PoS malware that is available for purchase, enabling multiple threat actors to easily take advantage of this malware to target businesses.", "spans": 
{"Malware: Pro PoS": [[0, 7]], "Malware: PoS malware": [[25, 36]], "Malware: malware": [[134, 141]], "Organization: target businesses.": [[145, 163]]}, "info": {"id": "cyner2_5class_train_01690", "source": "cyner2_5class_train"}} +{"text": "Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: ViperRAT": [[23, 31]]}, "info": {"id": "cyner2_5class_train_01691", "source": "cyner2_5class_train"}} +{"text": "HenBox is not running as a system app ) , another ELF library is loaded to aid with executing super-user commands .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner2_5class_train_01692", "source": "cyner2_5class_train"}} +{"text": "For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy aka PIVY RAT.", "spans": {"Malware: malware": [[45, 52]], "Malware: Poison Ivy": [[112, 122]], "Malware: PIVY RAT.": [[127, 136]]}, "info": {"id": "cyner2_5class_train_01693", "source": "cyner2_5class_train"}} +{"text": "Content observers : use Android 's ContentObserver framework to gather changes in SMS , Calendar , Contacts , Cell info , Email , WhatsApp , Facebook , Twitter , Kakao , Viber , and Skype .", "spans": {"System: Android": [[24, 31]], "System: SMS": [[82, 85]], "System: Calendar": [[88, 96]], "System: Contacts": [[99, 107]], "System: Cell info": [[110, 119]], "System: Email": [[122, 127]], "System: WhatsApp": [[130, 138]], "System: Facebook": [[141, 149]], "System: Twitter": [[152, 159]], "System: Kakao": [[162, 167]], "System: Viber": [[170, 175]], "System: Skype": [[182, 187]]}, "info": {"id": "cyner2_5class_train_01694", "source": "cyner2_5class_train"}} +{"text": "Following discovery, we alerted our customers and began working with Microsoft through the responsible disclosure process.", "spans": {}, 
"info": {"id": "cyner2_5class_train_01695", "source": "cyner2_5class_train"}} +{"text": "On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government.", "spans": {"Organization: Unit 42": [[17, 24]], "Organization: AutoFocus Threat Intelligence service": [[34, 71]], "Indicator: spear-phishing attack": [[125, 146]], "Organization: US Government.": [[161, 175]]}, "info": {"id": "cyner2_5class_train_01696", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Banker/W32.Alreay.639100 TrojanSpy.Banker.SW4 Trojan.Banswift Win.Trojan.BBSwift-4 Trojan-Banker.Win32.Alreay.b Trojan.Win32.Alreay.eigudw Win32.Trojan-banker.Alreay.Edxl Trojan.Swifter.1 Trojan.Banker.Alreay.f W32/Alreay.ADAQ!tr Troj.Banker.W32!c Trojan-Banker.Win32.Alreay.b Trojan:Win32/Tokser.A Trojan/Win32.Alreay.C1768016 Spyware.Banker.Alreay TrojanBanker.Alreay Win32/Spy.Banker.ADAQ Trj/GdSda.A Win32/Trojan.c8b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Banker/W32.Alreay.639100": [[26, 50]], "Indicator: TrojanSpy.Banker.SW4": [[51, 71]], "Indicator: Trojan.Banswift": [[72, 87]], "Indicator: Win.Trojan.BBSwift-4": [[88, 108]], "Indicator: Trojan-Banker.Win32.Alreay.b": [[109, 137], [274, 302]], "Indicator: Trojan.Win32.Alreay.eigudw": [[138, 164]], "Indicator: Win32.Trojan-banker.Alreay.Edxl": [[165, 196]], "Indicator: Trojan.Swifter.1": [[197, 213]], "Indicator: Trojan.Banker.Alreay.f": [[214, 236]], "Indicator: W32/Alreay.ADAQ!tr": [[237, 255]], "Indicator: Troj.Banker.W32!c": [[256, 273]], "Indicator: Trojan:Win32/Tokser.A": [[303, 324]], "Indicator: Trojan/Win32.Alreay.C1768016": [[325, 353]], "Indicator: Spyware.Banker.Alreay": [[354, 375]], "Indicator: TrojanBanker.Alreay": [[376, 395]], "Indicator: Win32/Spy.Banker.ADAQ": [[396, 417]], "Indicator: Trj/GdSda.A": [[418, 429]], "Indicator: Win32/Trojan.c8b": [[430, 446]]}, "info": {"id": 
"cyner2_5class_train_01697", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Infostealer.Gampass Trojan.DownLoad1.59715 Trojan-Downloader.Win32.Adload!IK Trojan/Win32.Adload Trojan-Spy.Win32.Filka.ld Trojan-PSW.Gampass Trojan-Downloader.Win32.Adload Trj/Lineage.BZE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Infostealer.Gampass": [[26, 45]], "Indicator: Trojan.DownLoad1.59715": [[46, 68]], "Indicator: Trojan-Downloader.Win32.Adload!IK": [[69, 102]], "Indicator: Trojan/Win32.Adload": [[103, 122]], "Indicator: Trojan-Spy.Win32.Filka.ld": [[123, 148]], "Indicator: Trojan-PSW.Gampass": [[149, 167]], "Indicator: Trojan-Downloader.Win32.Adload": [[168, 198]], "Indicator: Trj/Lineage.BZE": [[199, 214]]}, "info": {"id": "cyner2_5class_train_01698", "source": "cyner2_5class_train"}} +{"text": "Cybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages .", "spans": {"Vulnerability: Master Key vulnerability": [[32, 56]], "System: Android": [[112, 119]]}, "info": {"id": "cyner2_5class_train_01699", "source": "cyner2_5class_train"}} +{"text": "Each of the phishing sites contained links to a distribution manifest , which contained metadata such as the application name , version , icon , and a URL for the IPA file .", "spans": {}, "info": {"id": "cyner2_5class_train_01700", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Clicker.BHO.ncs Win32.Trojan.WisdomEyes.16070401.9500.9639 Win32/TrojanClicker.BHO.NCS Win32.Trojan.Spnr.Pfjg TrojWare.Win32.TrojanClicker.BHO.NCS Dropper.BHO.Win32.500 TrojanDropper.BHO.pj TR/Rogue.kdv.655157 Trojan[Dropper]/Win32.BHO Trojan.Zusy.Elzob.D1C26 TrojanDropper:Win32/Hufysk.A Dropper/Win32.BHO.R25331 TrojanDropper.BHO Trojan-Dropper.Win32.Hufysk W32/TrojanClicker_BHO.NCS Trj/CI.A Win32/Trojan.a73", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Clicker.BHO.ncs": [[26, 48]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9639": [[49, 91]], "Indicator: Win32/TrojanClicker.BHO.NCS": [[92, 119]], "Indicator: Win32.Trojan.Spnr.Pfjg": [[120, 142]], "Indicator: TrojWare.Win32.TrojanClicker.BHO.NCS": [[143, 179]], "Indicator: Dropper.BHO.Win32.500": [[180, 201]], "Indicator: TrojanDropper.BHO.pj": [[202, 222]], "Indicator: TR/Rogue.kdv.655157": [[223, 242]], "Indicator: Trojan[Dropper]/Win32.BHO": [[243, 268]], "Indicator: Trojan.Zusy.Elzob.D1C26": [[269, 292]], "Indicator: TrojanDropper:Win32/Hufysk.A": [[293, 321]], "Indicator: Dropper/Win32.BHO.R25331": [[322, 346]], "Indicator: TrojanDropper.BHO": [[347, 364]], "Indicator: Trojan-Dropper.Win32.Hufysk": [[365, 392]], "Indicator: W32/TrojanClicker_BHO.NCS": [[393, 418]], "Indicator: Trj/CI.A": [[419, 427]], "Indicator: Win32/Trojan.a73": [[428, 444]]}, "info": {"id": "cyner2_5class_train_01701", "source": "cyner2_5class_train"}} +{"text": "Overall , it has a fairly common feature list , but it is expected to expand in future updates .", "spans": {}, "info": {"id": "cyner2_5class_train_01702", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Msil.H Trojan-Downloader.Win32.FraudLoad!O Win32/SillyDl.YBL Win.Downloader.134626-1 Trojan.Downloader.Msil.H Trojan-Downloader.Win32.FraudLoad.iei Trojan.Downloader.Msil.H Trojan.Win32.A.Downloader.229376.FL Trojan.Downloader.Msil.H Win32.HLLW.Myscan.1 BehavesLike.Win32.BadFile.pm Trojan[Downloader]/Win32.FraudLoad TrojanDownloader:Win32/Hesto.A Trojan-Downloader.Win32.FraudLoad.iei Trojan.Downloader.Msil.H TrojanDownloader.FraudLoad Trojan.Downloader.Msil.H", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Msil.H": [[26, 50], [129, 153], [192, 216], [253, 277], [431, 455], [483, 507]], "Indicator: Trojan-Downloader.Win32.FraudLoad!O": [[51, 86]], "Indicator: Win32/SillyDl.YBL": [[87, 104]], "Indicator: Win.Downloader.134626-1": [[105, 128]], "Indicator: Trojan-Downloader.Win32.FraudLoad.iei": 
[[154, 191], [393, 430]], "Indicator: Trojan.Win32.A.Downloader.229376.FL": [[217, 252]], "Indicator: Win32.HLLW.Myscan.1": [[278, 297]], "Indicator: BehavesLike.Win32.BadFile.pm": [[298, 326]], "Indicator: Trojan[Downloader]/Win32.FraudLoad": [[327, 361]], "Indicator: TrojanDownloader:Win32/Hesto.A": [[362, 392]], "Indicator: TrojanDownloader.FraudLoad": [[456, 482]]}, "info": {"id": "cyner2_5class_train_01703", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.TDSS!O Win32.Trojan.WisdomEyes.16070401.9500.9885 Trojan.Win32.Drop.dajhso Trojan.MulDrop5.32960 Trojan/PSW.LdPinch.adoe Backdoor:Win32/Nosrawec.A Trojan.Delf.279 Backdoor.W32.Beastdoor.l7a6 Trojan/Win32.Nosrawec.R198886 RiskWare.Tool.CK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.TDSS!O": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9885": [[46, 88]], "Indicator: Trojan.Win32.Drop.dajhso": [[89, 113]], "Indicator: Trojan.MulDrop5.32960": [[114, 135]], "Indicator: Trojan/PSW.LdPinch.adoe": [[136, 159]], "Indicator: Backdoor:Win32/Nosrawec.A": [[160, 185]], "Indicator: Trojan.Delf.279": [[186, 201]], "Indicator: Backdoor.W32.Beastdoor.l7a6": [[202, 229]], "Indicator: Trojan/Win32.Nosrawec.R198886": [[230, 259]], "Indicator: RiskWare.Tool.CK": [[260, 276]]}, "info": {"id": "cyner2_5class_train_01704", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SasfisQKC.Fam.Trojan Trojan/W32.PornoBlocker.60928.F TrojanDropper.Bamital.I3 Trojan/PornoBlocker.hhu TROJ_BAMITAL.SM2 Win32.Trojan.Kryptik.ct TROJ_BAMITAL.SM2 Win.Trojan.Ransom-740 Trojan-Ransom.Win32.PornoBlocker.hts Trojan.Win32.PornoBlocker.bwvwe Trojan.Hottrend Trojan.PornoBlocker.Win32.1248 Trojan/PornoBlocker.axt TR/Qhost.60928 Trojan[Ransom]/Win32.PornoBlocker Trojan.VIZ.1 Trojan:Win32/Bamital.I Trojan.SB.01742 Bck/Qbot.AO Win32/Bamital.FA Win32.Trojan.Pornoblocker.Lkxy Trojan.PornoBlocker!v14Do0CXdgA Win32/Trojan.3c3", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.SasfisQKC.Fam.Trojan": [[26, 50]], "Indicator: Trojan/W32.PornoBlocker.60928.F": [[51, 82]], "Indicator: TrojanDropper.Bamital.I3": [[83, 107]], "Indicator: Trojan/PornoBlocker.hhu": [[108, 131]], "Indicator: TROJ_BAMITAL.SM2": [[132, 148], [173, 189]], "Indicator: Win32.Trojan.Kryptik.ct": [[149, 172]], "Indicator: Win.Trojan.Ransom-740": [[190, 211]], "Indicator: Trojan-Ransom.Win32.PornoBlocker.hts": [[212, 248]], "Indicator: Trojan.Win32.PornoBlocker.bwvwe": [[249, 280]], "Indicator: Trojan.Hottrend": [[281, 296]], "Indicator: Trojan.PornoBlocker.Win32.1248": [[297, 327]], "Indicator: Trojan/PornoBlocker.axt": [[328, 351]], "Indicator: TR/Qhost.60928": [[352, 366]], "Indicator: Trojan[Ransom]/Win32.PornoBlocker": [[367, 400]], "Indicator: Trojan.VIZ.1": [[401, 413]], "Indicator: Trojan:Win32/Bamital.I": [[414, 436]], "Indicator: Trojan.SB.01742": [[437, 452]], "Indicator: Bck/Qbot.AO": [[453, 464]], "Indicator: Win32/Bamital.FA": [[465, 481]], "Indicator: Win32.Trojan.Pornoblocker.Lkxy": [[482, 512]], "Indicator: Trojan.PornoBlocker!v14Do0CXdgA": [[513, 544]], "Indicator: Win32/Trojan.3c3": [[545, 561]]}, "info": {"id": "cyner2_5class_train_01705", "source": "cyner2_5class_train"}} +{"text": "Adware commonly found on Play collects profits from ad networks , but mobile ransomware inflicts direct harm to users .", "spans": {}, "info": {"id": "cyner2_5class_train_01706", "source": "cyner2_5class_train"}} +{"text": "ATM malware is not new, back in 2013 and 2014 threats like Ploutus or PadPin Tyupkin were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders.", "spans": {"Malware: ATM malware": [[0, 11]], "Malware: Ploutus": [[59, 66]], "Malware: PadPin Tyupkin": [[70, 84]], "System: ATMs": [[104, 108]], "Organization: cardholders.": [[196, 208]]}, "info": {"id": "cyner2_5class_train_01707", "source": "cyner2_5class_train"}} +{"text": "] 172 cdncool [ .", "spans": {"Indicator: 
cdncool [ .": [[6, 17]]}, "info": {"id": "cyner2_5class_train_01708", "source": "cyner2_5class_train"}} +{"text": "As an active threat under development, we decided to take a closer look at this RAT to understand some of its inner workings and capabilities.", "spans": {"Malware: active threat": [[6, 19]], "Malware: RAT": [[80, 83]]}, "info": {"id": "cyner2_5class_train_01709", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Zusy.rjrdd TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.Sasfis.Win32.30609 Trojan/Sasfis.xqr TR/Zusy.3171.28 Trojan/Win32.Sasfis Trojan.Zusy.DC63 Backdoor:Win32/Usinec.A Trojan/Win32.Sasfis.C97816 Trojan.Sasfis Trojan.Sasfis!LKZhl2Eyglg Trojan.Win32.Sasfis", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9980": [[26, 68]], "Indicator: Trojan.Win32.Zusy.rjrdd": [[69, 92]], "Indicator: TrojWare.Win32.TrojanDownloader.Murlo.~JH2": [[93, 135]], "Indicator: Trojan.Sasfis.Win32.30609": [[136, 161]], "Indicator: Trojan/Sasfis.xqr": [[162, 179]], "Indicator: TR/Zusy.3171.28": [[180, 195]], "Indicator: Trojan/Win32.Sasfis": [[196, 215]], "Indicator: Trojan.Zusy.DC63": [[216, 232]], "Indicator: Backdoor:Win32/Usinec.A": [[233, 256]], "Indicator: Trojan/Win32.Sasfis.C97816": [[257, 283]], "Indicator: Trojan.Sasfis": [[284, 297]], "Indicator: Trojan.Sasfis!LKZhl2Eyglg": [[298, 323]], "Indicator: Trojan.Win32.Sasfis": [[324, 343]]}, "info": {"id": "cyner2_5class_train_01710", "source": "cyner2_5class_train"}} +{"text": "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat APT activity associated with Chinese actors targeting other regions.", "spans": {"Indicator: state-sponsored attacks": [[9, 32]], "Organization: US-China Cyber Agreement 
in": [[137, 164]], "Organization: Proofpoint researchers": [[171, 193]]}, "info": {"id": "cyner2_5class_train_01711", "source": "cyner2_5class_train"}} +{"text": "They mentioned an Android , iOS and Windows remote access tool ( RAT ) .", "spans": {"System: Android": [[18, 25]], "System: iOS": [[28, 31]], "System: Windows": [[36, 43]]}, "info": {"id": "cyner2_5class_train_01712", "source": "cyner2_5class_train"}} +{"text": "With each new version , the malware adds new features like dynamic library loading , encryption , and adjustments to different locales and manufacturers .", "spans": {}, "info": {"id": "cyner2_5class_train_01713", "source": "cyner2_5class_train"}} +{"text": "Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, such as the use of an iOS espionage app, and the inclusion of new targets like the White House.", "spans": {"Malware: campaign,": [[88, 97]], "Malware: iOS espionage app,": [[120, 138]], "Organization: the White House.": [[177, 193]]}, "info": {"id": "cyner2_5class_train_01714", "source": "cyner2_5class_train"}} +{"text": "Cknife is a Chinese cross-platform compatible Java web shell framework — that operates more like a RAT for web servers — based on China Chopper.", "spans": {"Malware: Cknife": [[0, 6]], "Malware: Chinese cross-platform compatible Java web shell framework": [[12, 70]], "Malware: RAT": [[99, 102]], "System: web servers": [[107, 118]], "Malware: China Chopper.": [[130, 144]]}, "info": {"id": "cyner2_5class_train_01715", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Menti.184320.T Trojan.Graftor.D557F Win32.Trojan.Farfli.ai Trojan.DownLoader6.3217 BehavesLike.Win32.BadFile.cm Trojan.Win32.MMM Trojan/Win32.Menti PWS:Win32/Quopax.A!dll Trojan.Win32.A.Menti.184320.YN BScope.Trojan.SvcHorse.01643 Backdoor.Win32.Gh0st.EB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Menti.184320.T": [[26, 51]], "Indicator: Trojan.Graftor.D557F": 
[[52, 72]], "Indicator: Win32.Trojan.Farfli.ai": [[73, 95]], "Indicator: Trojan.DownLoader6.3217": [[96, 119]], "Indicator: BehavesLike.Win32.BadFile.cm": [[120, 148]], "Indicator: Trojan.Win32.MMM": [[149, 165]], "Indicator: Trojan/Win32.Menti": [[166, 184]], "Indicator: PWS:Win32/Quopax.A!dll": [[185, 207]], "Indicator: Trojan.Win32.A.Menti.184320.YN": [[208, 238]], "Indicator: BScope.Trojan.SvcHorse.01643": [[239, 267]], "Indicator: Backdoor.Win32.Gh0st.EB": [[268, 291]]}, "info": {"id": "cyner2_5class_train_01716", "source": "cyner2_5class_train"}} +{"text": "For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files.", "spans": {"Indicator: entry point,": [[8, 20]], "Malware: Locky variant": [[26, 39]], "Indicator: spam emails with .ZIP file attachments": [[45, 83]], "Indicator: contain WSF files.": [[89, 107]]}, "info": {"id": "cyner2_5class_train_01717", "source": "cyner2_5class_train"}} +{"text": "In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware s Command Control servers.", "spans": {"Malware: WildFire Locker": [[16, 31]], "Organization: organizations": [[54, 67]], "Indicator: NoMoreRansom.org": [[75, 91]], "Malware: ransomware": [[126, 136]], "Indicator: Command Control servers.": [[139, 163]]}, "info": {"id": "cyner2_5class_train_01718", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanspy.Smetsb.FC.4036 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.MSIL.Krypt.4 Trojan/Win32.ZBot.R155926 Trojan.InfoStealer.KL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanspy.Smetsb.FC.4036": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[51, 93]], "Indicator: Trojan.MSIL.Krypt.4": [[94, 113]], "Indicator: Trojan/Win32.ZBot.R155926": [[114, 139]], "Indicator: Trojan.InfoStealer.KL": [[140, 161]]}, "info": {"id": "cyner2_5class_train_01719", "source": 
"cyner2_5class_train"}} +{"text": "This version masquerades as CryptoWall.", "spans": {"Malware: CryptoWall.": [[28, 39]]}, "info": {"id": "cyner2_5class_train_01720", "source": "cyner2_5class_train"}} +{"text": "It ’ s also worth noting that both campaigns repackage apps that are commonly used in their target ’ s countries , such as Telegram , Kik , and Plus messaging apps .", "spans": {"System: Telegram": [[123, 131]], "System: Kik": [[134, 137]], "System: Plus": [[144, 148]]}, "info": {"id": "cyner2_5class_train_01721", "source": "cyner2_5class_train"}} +{"text": "Tick's most recent attacks have concentrated on the technology, aquatic engineering, and broadcasting sectors in Japan.", "spans": {"Malware: Tick's": [[0, 6]], "Indicator: attacks": [[19, 26]], "Organization: the technology, aquatic engineering,": [[48, 84]], "Organization: broadcasting sectors": [[89, 109]]}, "info": {"id": "cyner2_5class_train_01722", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.OnionDuke W32/Trojan3.XZO Trojan.Cozer.B BKDR_COZER.LP Backdoor.Win32.MiniDuke.cb Trojan.Win32.AD.ekdqnf Win32.Backdoor.Miniduke.Lplm BackDoor.CozyDuke.49 BehavesLike.Win32.RansomwareLocky.gh W32/Trojan.QFCN-8527 Backdoor.MiniDuke.av TR/AD.OnionDuke.trltr Backdoor.Win32.MiniDuke.cb Backdoor.MiniDuke", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.OnionDuke": [[26, 44]], "Indicator: W32/Trojan3.XZO": [[45, 60]], "Indicator: Trojan.Cozer.B": [[61, 75]], "Indicator: BKDR_COZER.LP": [[76, 89]], "Indicator: Backdoor.Win32.MiniDuke.cb": [[90, 116], [291, 317]], "Indicator: Trojan.Win32.AD.ekdqnf": [[117, 139]], "Indicator: Win32.Backdoor.Miniduke.Lplm": [[140, 168]], "Indicator: BackDoor.CozyDuke.49": [[169, 189]], "Indicator: BehavesLike.Win32.RansomwareLocky.gh": [[190, 226]], "Indicator: W32/Trojan.QFCN-8527": [[227, 247]], "Indicator: Backdoor.MiniDuke.av": [[248, 268]], "Indicator: TR/AD.OnionDuke.trltr": [[269, 290]], "Indicator: Backdoor.MiniDuke": [[318, 
335]]}, "info": {"id": "cyner2_5class_train_01723", "source": "cyner2_5class_train"}} +{"text": "FIN4 is a financially motivated threat actor which has consistently targeted this population.", "spans": {}, "info": {"id": "cyner2_5class_train_01724", "source": "cyner2_5class_train"}} +{"text": "To lure the victims to download the malware , threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims .", "spans": {}, "info": {"id": "cyner2_5class_train_01725", "source": "cyner2_5class_train"}} +{"text": "The kill switch can also be turned on by SMS .", "spans": {}, "info": {"id": "cyner2_5class_train_01726", "source": "cyner2_5class_train"}} +{"text": "The newly discovered campaign targets the Indian Ministry of Defense using malicious documents as lures", "spans": {"Organization: the Indian Ministry of Defense": [[38, 68]], "Indicator: malicious documents": [[75, 94]]}, "info": {"id": "cyner2_5class_train_01727", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Recyl Trojan.Injector.Win32.557110 Worm.Win32.Recyl.afr BehavesLike.Win32.Dropper.rc Worm.Recyl.v TrojanDropper:Win32/Injector.D Worm.Win32.Recyl.afr Worm/Win32.Recyl.R213857 MalwareScope.Trojan-PSW.Game.16 Worm.Recyl!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Recyl": [[26, 36]], "Indicator: Trojan.Injector.Win32.557110": [[37, 65]], "Indicator: Worm.Win32.Recyl.afr": [[66, 86], [160, 180]], "Indicator: BehavesLike.Win32.Dropper.rc": [[87, 115]], "Indicator: Worm.Recyl.v": [[116, 128]], "Indicator: TrojanDropper:Win32/Injector.D": [[129, 159]], "Indicator: Worm/Win32.Recyl.R213857": [[181, 205]], "Indicator: MalwareScope.Trojan-PSW.Game.16": [[206, 237]], "Indicator: Worm.Recyl!": [[238, 249]]}, "info": {"id": "cyner2_5class_train_01728", "source": "cyner2_5class_train"}} +{"text": "Instead of embedding core malware payload in droppers , the actor switches to a more low-key SDK approach .", "spans": {}, "info": 
{"id": "cyner2_5class_train_01729", "source": "cyner2_5class_train"}} +{"text": "This most recent FakeSpy campaign appears to target users of postal services around the world .", "spans": {"Malware: FakeSpy": [[17, 24]]}, "info": {"id": "cyner2_5class_train_01730", "source": "cyner2_5class_train"}} +{"text": "Malware code showing handover from initial module to main payload Figure 13 .", "spans": {}, "info": {"id": "cyner2_5class_train_01731", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Win32.Delphi.elmrxd Trojan.Uztuby.11 Trojan.Uztuby.11 backdoor.win32.fynloski.a Backdoor/Win32.fynloski.pwi Trojan.GUSX-6 TR/AD.AVKiller.reish Win32/Remtasu.AI Backdoor.NanoBot! Trojan.Win32.Remtasu Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Uztuby.11": [[26, 42], [43, 59], [60, 76], [77, 93], [121, 137], [138, 154]], "Indicator: Trojan.Win32.Delphi.elmrxd": [[94, 120]], "Indicator: backdoor.win32.fynloski.a": [[155, 180]], "Indicator: Backdoor/Win32.fynloski.pwi": [[181, 208]], "Indicator: Trojan.GUSX-6": [[209, 222]], "Indicator: TR/AD.AVKiller.reish": [[223, 243]], "Indicator: Win32/Remtasu.AI": [[244, 260]], "Indicator: Backdoor.NanoBot!": [[261, 278]], "Indicator: Trojan.Win32.Remtasu": [[279, 299]], "Indicator: Trj/CI.A": [[300, 308]]}, "info": {"id": "cyner2_5class_train_01732", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Small!O Hacktool.Hashenfill Trojan.Small.Win32.19365 Trojan.Win32.Small.cpa Trojan.Win32.Small.cwxrxw Troj.W32.Small.cpa!c Trojan.Hooker.21682 BehavesLike.Win32.FakeAlert.xh Trojan/Small.ouz HackTool:Win32/Hashenfill.A Trojan.Win32.Small.cpa Trojan/Win32.Connapts.C256359 Trojan.Small Win32.Trojan.Small.Dxcs Trojan.Small!tZ/zbi7RotE Win32/Trojan.d54", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Small!O": [[26, 46]], "Indicator: Hacktool.Hashenfill": [[47, 66]], 
"Indicator: Trojan.Small.Win32.19365": [[67, 91]], "Indicator: Trojan.Win32.Small.cpa": [[92, 114], [258, 280]], "Indicator: Trojan.Win32.Small.cwxrxw": [[115, 140]], "Indicator: Troj.W32.Small.cpa!c": [[141, 161]], "Indicator: Trojan.Hooker.21682": [[162, 181]], "Indicator: BehavesLike.Win32.FakeAlert.xh": [[182, 212]], "Indicator: Trojan/Small.ouz": [[213, 229]], "Indicator: HackTool:Win32/Hashenfill.A": [[230, 257]], "Indicator: Trojan/Win32.Connapts.C256359": [[281, 310]], "Indicator: Trojan.Small": [[311, 323]], "Indicator: Win32.Trojan.Small.Dxcs": [[324, 347]], "Indicator: Trojan.Small!tZ/zbi7RotE": [[348, 372]], "Indicator: Win32/Trojan.d54": [[373, 389]]}, "info": {"id": "cyner2_5class_train_01733", "source": "cyner2_5class_train"}} +{"text": "It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose the use of Cisco's AnyConnect Client as a lure to trick victims into installing the malware.", "spans": {"System: Cisco's AnyConnect Client": [[118, 143]], "Malware: malware.": [[191, 199]]}, "info": {"id": "cyner2_5class_train_01734", "source": "cyner2_5class_train"}} +{"text": "Sample 2 , has the package name cn.android.setting masquerading as Android ’ s Settings app , which has a similar package name ( com.android.settings ) .", "spans": {"Indicator: cn.android.setting": [[32, 50]], "System: Settings app": [[79, 91]], "Indicator: com.android.settings": [[129, 149]]}, "info": {"id": "cyner2_5class_train_01735", "source": "cyner2_5class_train"}} +{"text": "A new stealer with keylogging and clipper capabilities is making the rounds on cybercrime forums, according to research by Uptycs threat research team and Shilpesh Trivedi and Tejaswini Sandapolla.", "spans": {"Malware: stealer with keylogging": [[6, 29]], "Organization: Uptycs threat research team": [[123, 150]], "Organization: Shilpesh Trivedi": [[155, 171]], "Organization: Tejaswini Sandapolla.": [[176, 197]]}, "info": {"id": "cyner2_5class_train_01736", 
"source": "cyner2_5class_train"}} +{"text": "Our team went ahead and hunted for samples of the app and analyzed it in our labs .", "spans": {}, "info": {"id": "cyner2_5class_train_01737", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9828 Trojan.Win32.Fsysna.csibjc Trojan.DownLoader9.58423 BehavesLike.Win32.BadFile.mh Trojan/Fsysna.anj TR/Terzib.wrdas Trojan:Win32/Terzib.A Worm/Win32.Stration.R523 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9828": [[26, 68]], "Indicator: Trojan.Win32.Fsysna.csibjc": [[69, 95]], "Indicator: Trojan.DownLoader9.58423": [[96, 120]], "Indicator: BehavesLike.Win32.BadFile.mh": [[121, 149]], "Indicator: Trojan/Fsysna.anj": [[150, 167]], "Indicator: TR/Terzib.wrdas": [[168, 183]], "Indicator: Trojan:Win32/Terzib.A": [[184, 205]], "Indicator: Worm/Win32.Stration.R523": [[206, 230]], "Indicator: Trj/GdSda.A": [[231, 242]]}, "info": {"id": "cyner2_5class_train_01738", "source": "cyner2_5class_train"}} +{"text": "android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening ( this is deprecated ) android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device , including the name of said package .", "spans": {"Indicator: android.intent.action.PACKAGE_INSTALL": [[0, 37]], "Indicator: android.intent.action.PACKAGE_ADDED": [[156, 191]]}, "info": {"id": "cyner2_5class_train_01739", "source": "cyner2_5class_train"}} +{"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries .", "spans": {"Organization: CSIS": [[43, 47]], "Malware: MazarBOT": [[77, 85]]}, "info": {"id": "cyner2_5class_train_01740", "source": "cyner2_5class_train"}} +{"text": "TUESDAY , APRIL 9 , 2019 Gustuff 
banking botnet targets Australia EXECUTIVE SUMMARY Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions .", "spans": {"Malware: Gustuff": [[25, 32]], "Organization: Cisco Talos": [[84, 95]], "System: Android-based": [[116, 129]]}, "info": {"id": "cyner2_5class_train_01741", "source": "cyner2_5class_train"}} +{"text": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky.", "spans": {"Malware: El Machete": [[0, 10]], "Malware: threats": [[27, 34]], "Organization: Kaspersky.": [[82, 92]]}, "info": {"id": "cyner2_5class_train_01742", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Lamer.K8 Trojan.Kryptik.Win32.801927 Trojan/Delf.nlr Win32.Trojan.WisdomEyes.16070401.9500.9998 WORM_GATE_GE2300D6.UVPA Win.Trojan.Fileinfector-76 Trojan.Win32.Delphi.danila Worm.Win32.Delf.DA WORM_GATE_GE2300D6.UVPA BehavesLike.Win32.Gate.tc W32.Infector Worm/Win32.Unknown Worm:Win32/Gate.A W32.Lamer.lwJ1 Spyware/Win32.Delf.C43787 W32/Gate.worm Trojan.Cosmu Win32/Delf.NLR Worm.Delf!2LR1nmaG85k Trojan-PWS.Win32.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Lamer.K8": [[26, 38]], "Indicator: Trojan.Kryptik.Win32.801927": [[39, 66]], "Indicator: Trojan/Delf.nlr": [[67, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[83, 125]], "Indicator: WORM_GATE_GE2300D6.UVPA": [[126, 149], [223, 246]], "Indicator: Win.Trojan.Fileinfector-76": [[150, 176]], "Indicator: Trojan.Win32.Delphi.danila": [[177, 203]], "Indicator: Worm.Win32.Delf.DA": [[204, 222]], "Indicator: BehavesLike.Win32.Gate.tc": [[247, 272]], "Indicator: W32.Infector": [[273, 285]], "Indicator: Worm/Win32.Unknown": [[286, 304]], "Indicator: Worm:Win32/Gate.A": [[305, 322]], "Indicator: W32.Lamer.lwJ1": [[323, 337]], "Indicator: Spyware/Win32.Delf.C43787": [[338, 363]], "Indicator: W32/Gate.worm": [[364, 377]], "Indicator: Trojan.Cosmu": [[378, 390]], "Indicator: Win32/Delf.NLR": [[391, 405]], 
"Indicator: Worm.Delf!2LR1nmaG85k": [[406, 427]], "Indicator: Trojan-PWS.Win32.Delf": [[428, 449]]}, "info": {"id": "cyner2_5class_train_01743", "source": "cyner2_5class_train"}} +{"text": "On May 12, at the onset of the WannaCry attack, Cyphort Labs researchers have seen a similar SMB attack to one of our honeypot servers.", "spans": {"Malware: WannaCry": [[31, 39]], "Indicator: attack,": [[40, 47]], "Organization: Cyphort Labs researchers": [[48, 72]], "Indicator: SMB attack": [[93, 103]], "System: our honeypot servers.": [[114, 135]]}, "info": {"id": "cyner2_5class_train_01744", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Mramak.A W32.Mkar.A4 Win32.Mramak.A Win32.Mramak.A Win32.Trojan.WisdomEyes.16070401.9500.9981 W32/Mkar.PJKY-3509 W32.Marak Win.Trojan.Mkar-3 Win32.Mramak.A Virus.Win32.Mkar.b Win32.Mramak.A Virus.Win32.Packed.deljve Win32.Mrak.A Win32.Mramak.A Win32.HLLP.Mrak.10 BehavesLike.Win32.Dropper.mc W32/Mkar.L W32/Mkar.b.Dropper Worm:Win32/Mkar.B Virus.Win32.Mkar.b Malware/Win32.Mkar.C408081 Win32/Mkar.B Win32.Virus.Mkar.Agle", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Mramak.A": [[26, 40], [53, 67], [68, 82], [173, 187], [207, 221], [261, 275]], "Indicator: W32.Mkar.A4": [[41, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9981": [[83, 125]], "Indicator: W32/Mkar.PJKY-3509": [[126, 144]], "Indicator: W32.Marak": [[145, 154]], "Indicator: Win.Trojan.Mkar-3": [[155, 172]], "Indicator: Virus.Win32.Mkar.b": [[188, 206], [372, 390]], "Indicator: Virus.Win32.Packed.deljve": [[222, 247]], "Indicator: Win32.Mrak.A": [[248, 260]], "Indicator: Win32.HLLP.Mrak.10": [[276, 294]], "Indicator: BehavesLike.Win32.Dropper.mc": [[295, 323]], "Indicator: W32/Mkar.L": [[324, 334]], "Indicator: W32/Mkar.b.Dropper": [[335, 353]], "Indicator: Worm:Win32/Mkar.B": [[354, 371]], "Indicator: Malware/Win32.Mkar.C408081": [[391, 417]], "Indicator: Win32/Mkar.B": [[418, 430]], "Indicator: Win32.Virus.Mkar.Agle": [[431, 
452]]}, "info": {"id": "cyner2_5class_train_01745", "source": "cyner2_5class_train"}} +{"text": "Based on the evolution of Ginp it is clear that it isn ’ t based on Anubis , but rather reuses some of its code .", "spans": {"Malware: Ginp": [[26, 30]], "Malware: Anubis": [[68, 74]]}, "info": {"id": "cyner2_5class_train_01746", "source": "cyner2_5class_train"}} +{"text": "Screenshots from this developer ’ s YouTube video shows history of checking Ashas adware on Google Play ESET telemetry Figure 15 .", "spans": {"System: YouTube": [[36, 43]], "Malware: Ashas": [[76, 81]], "System: Google Play": [[92, 103]], "Organization: ESET": [[104, 108]]}, "info": {"id": "cyner2_5class_train_01747", "source": "cyner2_5class_train"}} +{"text": "Fraud Both of the billing methods detailed above provide device verification , but not user verification .", "spans": {}, "info": {"id": "cyner2_5class_train_01748", "source": "cyner2_5class_train"}} +{"text": "The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.", "spans": {"Indicator: attack": [[4, 10]], "Organization: the site operator and ad network": [[131, 163]]}, "info": {"id": "cyner2_5class_train_01749", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: JS:Trojan.JS.Downloader.HZQ Trojan.JS.Downloader.2455.A JS/Nemucod.tm JS/Downldr.HX2!Eldorado JS.Downloader JS/TrojanDownloader.Nemucod.DFV JS_NEMUCOD.ELDSAUHG JS:Trojan.JS.Downloader.HZQ JS:Trojan.JS.Downloader.HZQ Trojan.Script.Heuristic-js.iacgm JS.S.Downloader.1658 JS:Trojan.JS.Downloader.HZQ JS:Trojan.JS.Downloader.HZQ Trojan.DownLoader25.3813 JS_NEMUCOD.ELDSAUHG JS/Nemucod.tm JS/Downldr.HX2!Eldorado Trojan[Downloader]/JS.Nemucod.dfv JS:Trojan.JS.Downloader.HZQ JS/Obfus.S237 Trojan-Dowloader.JS.Nemucod JS/Nemucod.DFV!tr.dldr Win32/Trojan.Downloader.50a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
JS:Trojan.JS.Downloader.HZQ": [[26, 53], [186, 213], [214, 241], [296, 323], [324, 351], [469, 496]], "Indicator: Trojan.JS.Downloader.2455.A": [[54, 81]], "Indicator: JS/Nemucod.tm": [[82, 95], [397, 410]], "Indicator: JS/Downldr.HX2!Eldorado": [[96, 119], [411, 434]], "Indicator: JS.Downloader": [[120, 133]], "Indicator: JS/TrojanDownloader.Nemucod.DFV": [[134, 165]], "Indicator: JS_NEMUCOD.ELDSAUHG": [[166, 185], [377, 396]], "Indicator: Trojan.Script.Heuristic-js.iacgm": [[242, 274]], "Indicator: JS.S.Downloader.1658": [[275, 295]], "Indicator: Trojan.DownLoader25.3813": [[352, 376]], "Indicator: Trojan[Downloader]/JS.Nemucod.dfv": [[435, 468]], "Indicator: JS/Obfus.S237": [[497, 510]], "Indicator: Trojan-Dowloader.JS.Nemucod": [[511, 538]], "Indicator: JS/Nemucod.DFV!tr.dldr": [[539, 561]], "Indicator: Win32/Trojan.Downloader.50a": [[562, 589]]}, "info": {"id": "cyner2_5class_train_01750", "source": "cyner2_5class_train"}} +{"text": "The said exploits will root the device and install a shell backdoor .", "spans": {}, "info": {"id": "cyner2_5class_train_01751", "source": "cyner2_5class_train"}} +{"text": "However , this time , the permission is actually used .", "spans": {}, "info": {"id": "cyner2_5class_train_01752", "source": "cyner2_5class_train"}} +{"text": "It allocates and fills four chunks of memory inside the service process .", "spans": {}, "info": {"id": "cyner2_5class_train_01753", "source": "cyner2_5class_train"}} +{"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices By Claud Xiao 
September 13 , 2016 at 5:00 AM Over the past two years , we ’ ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices .", "spans": {"Organization: MITRE": [[0, 5]], "Malware: DualToy": [[440, 447]], "System: Windows": [[454, 461]], "System: Android": [[493, 500]], "System: iOS": [[505, 508]], "System: Microsoft Windows": [[619, 636]], "System: Apple iOS": [[641, 650]]}, "info": {"id": "cyner2_5class_train_01754", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSILInject.A4 TROJ_NECURS.SMJ6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/Inject.fcAMLbC TROJ_NECURS.SMJ6 Trojan.MSIL.Inject.aqjr Trojan.Win32.Inject.ddhqep Troj.Dropper.W32.Injector.m7mC TrojWare.Win32.Zusy.XYN Trojan.Inject1.44093 Trojan.Win32.Inject TR/Zusy.xynynabm Trojan/Win32.Inject Trojan.Zusy.D1889E Trojan.MSIL.Inject.aqjr Trojan:MSIL/Injector.P Dropper/Win32.Necurs.R121870 Trojan.Inject Trojan.Injector Trojan.Injector!AbCu/r2al/E MSIL/Injector.ERR!tr Win32/Trojan.304", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSILInject.A4": [[26, 46]], "Indicator: TROJ_NECURS.SMJ6": [[47, 63], [144, 160]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[64, 106]], "Indicator: Backdoor.Trojan": [[107, 122]], "Indicator: Win32/Inject.fcAMLbC": [[123, 143]], "Indicator: Trojan.MSIL.Inject.aqjr": [[161, 184], [364, 387]], "Indicator: Trojan.Win32.Inject.ddhqep": [[185, 211]], "Indicator: Troj.Dropper.W32.Injector.m7mC": [[212, 242]], "Indicator: TrojWare.Win32.Zusy.XYN": [[243, 266]], "Indicator: Trojan.Inject1.44093": [[267, 287]], "Indicator: Trojan.Win32.Inject": [[288, 307]], "Indicator: TR/Zusy.xynynabm": [[308, 324]], "Indicator: Trojan/Win32.Inject": [[325, 344]], "Indicator: Trojan.Zusy.D1889E": [[345, 363]], "Indicator: Trojan:MSIL/Injector.P": [[388, 410]], "Indicator: Dropper/Win32.Necurs.R121870": [[411, 439]], "Indicator: Trojan.Inject": [[440, 453]], "Indicator: Trojan.Injector": 
[[454, 469]], "Indicator: Trojan.Injector!AbCu/r2al/E": [[470, 497]], "Indicator: MSIL/Injector.ERR!tr": [[498, 518]], "Indicator: Win32/Trojan.304": [[519, 535]]}, "info": {"id": "cyner2_5class_train_01755", "source": "cyner2_5class_train"}} +{"text": "This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against India.", "spans": {"Malware: Ke3chang": [[63, 71]], "Organization: the Ministry of Affairs,": [[94, 118]]}, "info": {"id": "cyner2_5class_train_01756", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu!O TrojanPWS.Gadu Trojan/PSW.Gadu.l W32/PWStealer.FCG Backdoor.Trojan Win.Spyware.8306-2 Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu.l Trojan.Pws.Gadu.L Trojan.Win32.Gadu.wwgc Trojan.Win32.PSWGadu.197820 Troj.Psw.W32!c Trojan.Pws.Gadu.L Trojan.PWS.Gadu Trojan.Gadu.Win32.1 BehavesLike.Win32.Trojan.cc W32/PWS.FWUF-5609 Trojan/PSW.Gadu.a Trojan[PSW]/Win32.Gadu Win32.PSWTroj.Gadu.g.kcloud Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu.l PWS:Win32/Gadu.H Trojan/Win32.Xema.C89273 TrojanPSW.Gadu Trojan.Pws.Gadu.L Trojan.Pws.Gadu.L Bck/Gadu.Q Win32/PSW.Delf.OQP Win32.Trojan-qqpass.Qqrob.Wxrk Trojan.PWS.Gadu!8+g7gjB8P1Q Trojan-PWS.Win32.Gadu W32/Gadu.L!tr.pws Win32/Trojan.3ea", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pws.Gadu.L": [[26, 43], [154, 171], [196, 213], [280, 297], [449, 466], [548, 565], [566, 583]], "Indicator: Trojan-PSW.Win32.Gadu!O": [[44, 67]], "Indicator: TrojanPWS.Gadu": [[68, 82]], "Indicator: Trojan/PSW.Gadu.l": [[83, 100]], "Indicator: W32/PWStealer.FCG": [[101, 118]], "Indicator: Backdoor.Trojan": [[119, 134]], "Indicator: Win.Spyware.8306-2": [[135, 153]], "Indicator: Trojan-PSW.Win32.Gadu.l": [[172, 195], [467, 490]], "Indicator: Trojan.Win32.Gadu.wwgc": [[214, 236]], "Indicator: Trojan.Win32.PSWGadu.197820": [[237, 264]], "Indicator: Troj.Psw.W32!c": [[265, 279]], 
"Indicator: Trojan.PWS.Gadu": [[298, 313]], "Indicator: Trojan.Gadu.Win32.1": [[314, 333]], "Indicator: BehavesLike.Win32.Trojan.cc": [[334, 361]], "Indicator: W32/PWS.FWUF-5609": [[362, 379]], "Indicator: Trojan/PSW.Gadu.a": [[380, 397]], "Indicator: Trojan[PSW]/Win32.Gadu": [[398, 420]], "Indicator: Win32.PSWTroj.Gadu.g.kcloud": [[421, 448]], "Indicator: PWS:Win32/Gadu.H": [[491, 507]], "Indicator: Trojan/Win32.Xema.C89273": [[508, 532]], "Indicator: TrojanPSW.Gadu": [[533, 547]], "Indicator: Bck/Gadu.Q": [[584, 594]], "Indicator: Win32/PSW.Delf.OQP": [[595, 613]], "Indicator: Win32.Trojan-qqpass.Qqrob.Wxrk": [[614, 644]], "Indicator: Trojan.PWS.Gadu!8+g7gjB8P1Q": [[645, 672]], "Indicator: Trojan-PWS.Win32.Gadu": [[673, 694]], "Indicator: W32/Gadu.L!tr.pws": [[695, 712]], "Indicator: Win32/Trojan.3ea": [[713, 729]]}, "info": {"id": "cyner2_5class_train_01757", "source": "cyner2_5class_train"}} +{"text": "Figure 7 lists the IP addresses of these C2 servers , the number of RuMMS apps that connect to each of them , and the example URL used as the first parameter of the HttpPost operation ( used in the code of Figure 3 ) .", "spans": {"Malware: RuMMS": [[68, 73]]}, "info": {"id": "cyner2_5class_train_01758", "source": "cyner2_5class_train"}} +{"text": "We are constantly on the lookout for new threats and we are expanding our protections .", "spans": {}, "info": {"id": "cyner2_5class_train_01759", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MSIL/Filecoder.EO Trojan-Ransom.FileCoder MSIL/Filecoder.EO!tr Trojan.Ransom.MSIL.1 Trojan.Ransom.SureRansom MSIL.Trojan-Ransom.SureRansom.A Win32/Trojan.Ransom.935", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MSIL/Filecoder.EO": [[26, 43]], "Indicator: Trojan-Ransom.FileCoder": [[44, 67]], "Indicator: MSIL/Filecoder.EO!tr": [[68, 88]], "Indicator: Trojan.Ransom.MSIL.1": [[89, 109]], "Indicator: Trojan.Ransom.SureRansom": [[110, 134]], "Indicator: MSIL.Trojan-Ransom.SureRansom.A": [[135, 166]], 
"Indicator: Win32/Trojan.Ransom.935": [[167, 190]]}, "info": {"id": "cyner2_5class_train_01760", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Win32.Trojan.WisdomEyes.16070401.9500.9960 Trojan.Malcol Win32/Tnega.bcLXSH Trojan.Win32.Slym.cufsch Troj.Rogue.lC4c Backdoor.Win32.Hupigon.rgqw Trojan.DownLoader11.11699 BehavesLike.Win32.Backdoor.vh TR/Rogue.kdv.679349 Packed.Win32.MalPackedSN Win32.Application.PUPStudio.A Unwanted/Win32.HackTool.R40115 Spyware.OnlineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Hupigon!O": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9960": [[51, 93]], "Indicator: Trojan.Malcol": [[94, 107]], "Indicator: Win32/Tnega.bcLXSH": [[108, 126]], "Indicator: Trojan.Win32.Slym.cufsch": [[127, 151]], "Indicator: Troj.Rogue.lC4c": [[152, 167]], "Indicator: Backdoor.Win32.Hupigon.rgqw": [[168, 195]], "Indicator: Trojan.DownLoader11.11699": [[196, 221]], "Indicator: BehavesLike.Win32.Backdoor.vh": [[222, 251]], "Indicator: TR/Rogue.kdv.679349": [[252, 271]], "Indicator: Packed.Win32.MalPackedSN": [[272, 296]], "Indicator: Win32.Application.PUPStudio.A": [[297, 326]], "Indicator: Unwanted/Win32.HackTool.R40115": [[327, 357]], "Indicator: Spyware.OnlineGames": [[358, 377]]}, "info": {"id": "cyner2_5class_train_01761", "source": "cyner2_5class_train"}} +{"text": "In the course of further research , we found a number of related samples that point to a long-term development process .", "spans": {}, "info": {"id": "cyner2_5class_train_01762", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ShizNHm.Trojan Ransom.TeslaCrypt.WR4 Trojan/Spy.Shiz.nct Ransom_HPLOCKY.SM1 Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPLOCKY.SM1 Win.Trojan.Blocker-380 Trojan.Win32.Shifu.jt Trojan.Win32.Blocker.dxvhyb Packer.W32.Tpyn.toCt Trojan.DownLoader17.27888 Trojan.Blocker.Win32.32151 BehavesLike.Win32.Ransomware.hz Trojan.Win32.Pariham 
Trojan.Blocker.iv TR/Crypt.Xpack.whza Trojan[Ransom]/Win32.Blocker Ransom.Locky/Variant Trojan.Win32.Shifu.jt Trojan:Win32/Pariham.A Hoax.Blocker Trojan.Shifu Win32/Spy.Shiz.NCT Win32.Trojan.Shifu.Eehh Trojan.Blocker!epDzUGNGGeo W32/Kryptik.EFAD!tr Win32/Trojan.ff4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ShizNHm.Trojan": [[26, 50]], "Indicator: Ransom.TeslaCrypt.WR4": [[51, 72]], "Indicator: Trojan/Spy.Shiz.nct": [[73, 92]], "Indicator: Ransom_HPLOCKY.SM1": [[93, 111], [155, 173]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[112, 154]], "Indicator: Win.Trojan.Blocker-380": [[174, 196]], "Indicator: Trojan.Win32.Shifu.jt": [[197, 218], [462, 483]], "Indicator: Trojan.Win32.Blocker.dxvhyb": [[219, 246]], "Indicator: Packer.W32.Tpyn.toCt": [[247, 267]], "Indicator: Trojan.DownLoader17.27888": [[268, 293]], "Indicator: Trojan.Blocker.Win32.32151": [[294, 320]], "Indicator: BehavesLike.Win32.Ransomware.hz": [[321, 352]], "Indicator: Trojan.Win32.Pariham": [[353, 373]], "Indicator: Trojan.Blocker.iv": [[374, 391]], "Indicator: TR/Crypt.Xpack.whza": [[392, 411]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[412, 440]], "Indicator: Ransom.Locky/Variant": [[441, 461]], "Indicator: Trojan:Win32/Pariham.A": [[484, 506]], "Indicator: Hoax.Blocker": [[507, 519]], "Indicator: Trojan.Shifu": [[520, 532]], "Indicator: Win32/Spy.Shiz.NCT": [[533, 551]], "Indicator: Win32.Trojan.Shifu.Eehh": [[552, 575]], "Indicator: Trojan.Blocker!epDzUGNGGeo": [[576, 602]], "Indicator: W32/Kryptik.EFAD!tr": [[603, 622]], "Indicator: Win32/Trojan.ff4": [[623, 639]]}, "info": {"id": "cyner2_5class_train_01763", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Rackcrypt Trojan.Graftor.D5D262 Ransom_Rackcrypt.R002C0DKE17 Trojan.Win32.Z.Graftor.1886447 Ransom_Rackcrypt.R002C0DKE17 BehavesLike.Win32.FakeAlertSecurityTool.tc Virus.Win32.Vundo Trojan[Spy]/Win32.KeyLogger.dwl Ransom:Win32/Rackcrypt.A Trj/CI.A Win32.Trojan.Dropper.Wsjz", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Rackcrypt": [[26, 42]], "Indicator: Trojan.Graftor.D5D262": [[43, 64]], "Indicator: Ransom_Rackcrypt.R002C0DKE17": [[65, 93], [125, 153]], "Indicator: Trojan.Win32.Z.Graftor.1886447": [[94, 124]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.tc": [[154, 196]], "Indicator: Virus.Win32.Vundo": [[197, 214]], "Indicator: Trojan[Spy]/Win32.KeyLogger.dwl": [[215, 246]], "Indicator: Ransom:Win32/Rackcrypt.A": [[247, 271]], "Indicator: Trj/CI.A": [[272, 280]], "Indicator: Win32.Trojan.Dropper.Wsjz": [[281, 306]]}, "info": {"id": "cyner2_5class_train_01764", "source": "cyner2_5class_train"}} +{"text": "Dump data from the IMO messenger app .", "spans": {"System: messenger": [[23, 32]]}, "info": {"id": "cyner2_5class_train_01765", "source": "cyner2_5class_train"}} +{"text": "It sends all of this data to the C2 server using the URL ending with /servlet/AppInfos .", "spans": {"Indicator: /servlet/AppInfos": [[69, 86]]}, "info": {"id": "cyner2_5class_train_01766", "source": "cyner2_5class_train"}} +{"text": "JS/Nemucod usually arrives on an infected machine through malicious spam emails with .zip extensions.", "spans": {"Indicator: JS/Nemucod": [[0, 10]], "System: machine": [[42, 49]], "Indicator: malicious spam emails with .zip extensions.": [[58, 101]]}, "info": {"id": "cyner2_5class_train_01767", "source": "cyner2_5class_train"}} +{"text": "Money then disappears from the victim ’ s account and is cashed in without the owner ’ s knowledge .", "spans": {}, "info": {"id": "cyner2_5class_train_01768", "source": "cyner2_5class_train"}} +{"text": "Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead.", "spans": {"Indicator: RSA-2048": [[42, 50]], "Indicator: symmetric AES": [[89, 102]]}, "info": {"id": "cyner2_5class_train_01769", "source": "cyner2_5class_train"}} +{"text": "Once archive is loaded , the application uses reflection api to call methods from 
the class names specified in the json .", "spans": {}, "info": {"id": "cyner2_5class_train_01770", "source": "cyner2_5class_train"}} +{"text": "The malware performs malicious activities such as reading login credentials, accessing files, keylogging, remote desktop control, and remote control of compromised machines.", "spans": {"Malware: The malware": [[0, 11]], "Malware: malicious activities": [[21, 41]], "Indicator: reading login credentials, accessing files, keylogging, remote desktop control, and remote control": [[50, 148]], "System: compromised machines.": [[152, 173]]}, "info": {"id": "cyner2_5class_train_01771", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod14e.Trojan.9d88 Irc.Worm.Golember.V Worm/W32.Golember.34816 I-Worm.Golember.v.n3 Worm.Golember.Win32.8 Trojan/Golember.v Worm.Golember!SM/OEFSeEEs W32/Golember.P IRC-Worm.Win32.Golember.v Irc.Worm.Golember.V Trojan.Win32.Golember.furx Irc.Worm.Golember.V Worm.Win32.Golember.V Irc.Worm.Golember.V BehavesLike.Win32.Dropper.nc W32/Golember.YQQU-9034 I-Worm/Golember.e Worm/Irc.Golember.V Worm[IRC]/Win32.Golember Worm.Golember.v.kcloud Worm:Win32/Flip.A Irc.Worm.Golember.V Win32/Golember.worm.34816 IRCWorm.Golember Win32/Golember.V Win32.Worm-irc.Golember.Aojg IRC/ROSYA.V!worm IRC-Worm/Golember.O Worm.Win32.Golember.AxNU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod14e.Trojan.9d88": [[26, 49]], "Indicator: Irc.Worm.Golember.V": [[50, 69], [222, 241], [269, 288], [311, 330], [487, 506]], "Indicator: Worm/W32.Golember.34816": [[70, 93]], "Indicator: I-Worm.Golember.v.n3": [[94, 114]], "Indicator: Worm.Golember.Win32.8": [[115, 136]], "Indicator: Trojan/Golember.v": [[137, 154]], "Indicator: Worm.Golember!SM/OEFSeEEs": [[155, 180]], "Indicator: W32/Golember.P": [[181, 195]], "Indicator: IRC-Worm.Win32.Golember.v": [[196, 221]], "Indicator: Trojan.Win32.Golember.furx": [[242, 268]], "Indicator: Worm.Win32.Golember.V": [[289, 310]], "Indicator: 
BehavesLike.Win32.Dropper.nc": [[331, 359]], "Indicator: W32/Golember.YQQU-9034": [[360, 382]], "Indicator: I-Worm/Golember.e": [[383, 400]], "Indicator: Worm/Irc.Golember.V": [[401, 420]], "Indicator: Worm[IRC]/Win32.Golember": [[421, 445]], "Indicator: Worm.Golember.v.kcloud": [[446, 468]], "Indicator: Worm:Win32/Flip.A": [[469, 486]], "Indicator: Win32/Golember.worm.34816": [[507, 532]], "Indicator: IRCWorm.Golember": [[533, 549]], "Indicator: Win32/Golember.V": [[550, 566]], "Indicator: Win32.Worm-irc.Golember.Aojg": [[567, 595]], "Indicator: IRC/ROSYA.V!worm": [[596, 612]], "Indicator: IRC-Worm/Golember.O": [[613, 632]], "Indicator: Worm.Win32.Golember.AxNU": [[633, 657]]}, "info": {"id": "cyner2_5class_train_01772", "source": "cyner2_5class_train"}} +{"text": "To be distributed outside the app store , an IPA package must contain a mobile provisioning profile with an enterprise ’ s certificate .", "spans": {}, "info": {"id": "cyner2_5class_train_01773", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HEUR_PDF.D2 PDF/Trojan.SHCJ-8 possible-Threat.PDF.Acmd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HEUR_PDF.D2": [[26, 37]], "Indicator: PDF/Trojan.SHCJ-8": [[38, 55]], "Indicator: possible-Threat.PDF.Acmd": [[56, 80]]}, "info": {"id": "cyner2_5class_train_01774", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Mintal.309248 W32/Mintal.003 Trojan.Win32.Mintal.hgbj W32.Mintal.Worm Win32/Howeem.A Email-Worm.Win32.Mintal.003 I-Worm.Mintal!SHAyifSwe/s I-Worm.Win32.A.Mintal.309248[h] Worm.Win32.Howeem.A Win32.HLLM.Hwm.3 Worm.Mintal.Win32.1 W32/Howeem.worm W32/Risk.CCZK-5590 I-Worm/Mintal.003 WORM/Mintal.003.A Worm[Email]/Win32.Mintal W32.W.Mintal.003!c Win32/Mintal.worm.309248 Worm:Win32/Mintal.A@mm W32/Howeem.worm Worm.Mintal Worm.Win32.Mintal.Ao Win32.Worm-email.Mintal.Hxqd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Mintal.309248": [[26, 48]], "Indicator: W32/Mintal.003": [[49, 
63]], "Indicator: Trojan.Win32.Mintal.hgbj": [[64, 88]], "Indicator: W32.Mintal.Worm": [[89, 104]], "Indicator: Win32/Howeem.A": [[105, 119]], "Indicator: Email-Worm.Win32.Mintal.003": [[120, 147]], "Indicator: I-Worm.Mintal!SHAyifSwe/s": [[148, 173]], "Indicator: I-Worm.Win32.A.Mintal.309248[h]": [[174, 205]], "Indicator: Worm.Win32.Howeem.A": [[206, 225]], "Indicator: Win32.HLLM.Hwm.3": [[226, 242]], "Indicator: Worm.Mintal.Win32.1": [[243, 262]], "Indicator: W32/Howeem.worm": [[263, 278], [426, 441]], "Indicator: W32/Risk.CCZK-5590": [[279, 297]], "Indicator: I-Worm/Mintal.003": [[298, 315]], "Indicator: WORM/Mintal.003.A": [[316, 333]], "Indicator: Worm[Email]/Win32.Mintal": [[334, 358]], "Indicator: W32.W.Mintal.003!c": [[359, 377]], "Indicator: Win32/Mintal.worm.309248": [[378, 402]], "Indicator: Worm:Win32/Mintal.A@mm": [[403, 425]], "Indicator: Worm.Mintal": [[442, 453]], "Indicator: Worm.Win32.Mintal.Ao": [[454, 474]], "Indicator: Win32.Worm-email.Mintal.Hxqd": [[475, 503]]}, "info": {"id": "cyner2_5class_train_01775", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Lizarbot.FC.2716 Backdoor.IRCBot BKDR_LIZARBOT.SMVJ18 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.QJOG-5659 Backdoor.IRC.Bot BKDR_LIZARBOT.SMVJ18 Win.Trojan.Lizarbot-1 MSIL.Trojan.IRCBot.I Trojan.DownLoader24.64862 Trojan.Zusy.D3A924 Backdoor:MSIL/Lizarbot.A Trojan/Win32.Bladabindi.C230655 Trj/CI.A Trojan.MSIL.IRCBot Win32/Trojan.158", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Lizarbot.FC.2716": [[26, 51]], "Indicator: Backdoor.IRCBot": [[52, 67]], "Indicator: BKDR_LIZARBOT.SMVJ18": [[68, 88], [170, 190]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[89, 131]], "Indicator: W32/Trojan.QJOG-5659": [[132, 152]], "Indicator: Backdoor.IRC.Bot": [[153, 169]], "Indicator: Win.Trojan.Lizarbot-1": [[191, 212]], "Indicator: MSIL.Trojan.IRCBot.I": [[213, 233]], "Indicator: Trojan.DownLoader24.64862": [[234, 259]], "Indicator: 
Trojan.Zusy.D3A924": [[260, 278]], "Indicator: Backdoor:MSIL/Lizarbot.A": [[279, 303]], "Indicator: Trojan/Win32.Bladabindi.C230655": [[304, 335]], "Indicator: Trj/CI.A": [[336, 344]], "Indicator: Trojan.MSIL.IRCBot": [[345, 363]], "Indicator: Win32/Trojan.158": [[364, 380]]}, "info": {"id": "cyner2_5class_train_01776", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.FA61 Trojan.Zonidel Win32.Trojan.WisdomEyes.16070401.9500.9990 Backdoor.Trojan Win32/TrojanDownloader.Wauchos.CY BKDR_ANDROM.YYSMQH Trojan.Win32.Zonidel.bko Trojan.Win32.Wauchos.eujxed Win32.Trojan.Zonidel.Agux Trojan.DownLoader25.48331 BehavesLike.Win32.Backdoor.fm W32/Trojan.EGNB-8448 Malicious_Behavior.SB Trojan/Win32.Zonidel Trojan.Win32.Zonidel.bko Trojan:Win32/Koneqzu.A Trojan/Win32.Zonidel.C2210520 Trojan.PasswordStealer Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.FA61": [[26, 43]], "Indicator: Trojan.Zonidel": [[44, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[59, 101]], "Indicator: Backdoor.Trojan": [[102, 117]], "Indicator: Win32/TrojanDownloader.Wauchos.CY": [[118, 151]], "Indicator: BKDR_ANDROM.YYSMQH": [[152, 170]], "Indicator: Trojan.Win32.Zonidel.bko": [[171, 195], [370, 394]], "Indicator: Trojan.Win32.Wauchos.eujxed": [[196, 223]], "Indicator: Win32.Trojan.Zonidel.Agux": [[224, 249]], "Indicator: Trojan.DownLoader25.48331": [[250, 275]], "Indicator: BehavesLike.Win32.Backdoor.fm": [[276, 305]], "Indicator: W32/Trojan.EGNB-8448": [[306, 326]], "Indicator: Malicious_Behavior.SB": [[327, 348]], "Indicator: Trojan/Win32.Zonidel": [[349, 369]], "Indicator: Trojan:Win32/Koneqzu.A": [[395, 417]], "Indicator: Trojan/Win32.Zonidel.C2210520": [[418, 447]], "Indicator: Trojan.PasswordStealer": [[448, 470]], "Indicator: Trj/CI.A": [[471, 479]]}, "info": {"id": "cyner2_5class_train_01777", "source": "cyner2_5class_train"}} +{"text": "Bart has a payment screen like Locky but encrypts files without first 
connecting to a command and control C C server.", "spans": {"Malware: Bart": [[0, 4]], "Indicator: payment screen": [[11, 25]], "Malware: Locky": [[31, 36]], "Indicator: encrypts files without first connecting to a command and control C C server.": [[41, 117]]}, "info": {"id": "cyner2_5class_train_01778", "source": "cyner2_5class_train"}} +{"text": "The transaction would only be authorized after the client enters the TAN into the online banking website in their browser .", "spans": {}, "info": {"id": "cyner2_5class_train_01779", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.27 Win32.Trojan.WisdomEyes.16070401.9500.9997 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.A Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg PE_VIRUX.A BehavesLike.Win32.AdwareYTBlock.mh Trojan-Downloader.Win32.Dldwp Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.nf.53248 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32.Virut.E Virus.Win32.Virut.tt W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.27": [[73, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[94, 136]], "Indicator: W32.Virut.CF": [[137, 149]], "Indicator: Win32/Virut.17408": [[150, 167]], "Indicator: PE_VIRUX.A": [[168, 178], [223, 233]], "Indicator: Virus.Win32.Virut.ce": [[179, 199], [356, 376]], "Indicator: Virus.Win32.Virut.hpeg": [[200, 222]], "Indicator: BehavesLike.Win32.AdwareYTBlock.mh": [[234, 268]], "Indicator: Trojan-Downloader.Win32.Dldwp": [[269, 298]], "Indicator: Win32/Virut.bn": [[299, 313]], "Indicator: Virus/Win32.Virut.ce": [[314, 334]], "Indicator: Win32.Virut.nf.53248": [[335, 355]], "Indicator: Win32/Virut.F": [[377, 390]], "Indicator: Virus.Virut.06": [[391, 405]], "Indicator: Win32.Virut.E": [[406, 
419]], "Indicator: Virus.Win32.Virut.tt": [[420, 440]], "Indicator: W32/Virut.CE": [[441, 453]], "Indicator: W32/Sality.AO": [[454, 467]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[468, 498]]}, "info": {"id": "cyner2_5class_train_01780", "source": "cyner2_5class_train"}} +{"text": "'' Package permissions The trojan declares numerous permissions in the manifest , from which we should highlight the BIND_DEVICE_ADMIN , which provides nearly full control of the device to the trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_01781", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Risk.VHAX-4717 Backdoor.NetBus.svr Win.Trojan.NBSpy-2 Backdoor.Win32.NBSpy.b Trojan.Win32.Inject.cwlwfo Backdoor.W32.NBSpy.b!c BackDoor.NetBus Backdoor.Win32.Netbus BDS/Netbus.20.F Trojan[Backdoor]/Win32.NBSpy Backdoor:Win32/Netbus.C Backdoor.Win32.NBSpy.b TrojanDropper.Injector Trj/CI.A Win32/Netbus.20.C W32/Netbus.20C!tr Win32/Backdoor.55f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Risk.VHAX-4717": [[26, 44]], "Indicator: Backdoor.NetBus.svr": [[45, 64]], "Indicator: Win.Trojan.NBSpy-2": [[65, 83]], "Indicator: Backdoor.Win32.NBSpy.b": [[84, 106], [264, 286]], "Indicator: Trojan.Win32.Inject.cwlwfo": [[107, 133]], "Indicator: Backdoor.W32.NBSpy.b!c": [[134, 156]], "Indicator: BackDoor.NetBus": [[157, 172]], "Indicator: Backdoor.Win32.Netbus": [[173, 194]], "Indicator: BDS/Netbus.20.F": [[195, 210]], "Indicator: Trojan[Backdoor]/Win32.NBSpy": [[211, 239]], "Indicator: Backdoor:Win32/Netbus.C": [[240, 263]], "Indicator: TrojanDropper.Injector": [[287, 309]], "Indicator: Trj/CI.A": [[310, 318]], "Indicator: Win32/Netbus.20.C": [[319, 336]], "Indicator: W32/Netbus.20C!tr": [[337, 354]], "Indicator: Win32/Backdoor.55f": [[355, 373]]}, "info": {"id": "cyner2_5class_train_01782", "source": "cyner2_5class_train"}} +{"text": "] it Bologna server1bs.exodus.connexxa [ .", "spans": {"Indicator: server1bs.exodus.connexxa [ .": [[13, 42]]}, "info": 
{"id": "cyner2_5class_train_01783", "source": "cyner2_5class_train"}} +{"text": "The server replies with the actual malicious payload , which includes JavaScript code , a user-agent string and URLs controlled by the malware author .", "spans": {}, "info": {"id": "cyner2_5class_train_01784", "source": "cyner2_5class_train"}} +{"text": "Emulator and location conditions for the malware ’ s activity Check Point Mobile Threat Prevention customers are protected from Charger and similar malware .", "spans": {"Organization: Check Point": [[62, 73]], "Malware: Charger": [[128, 135]]}, "info": {"id": "cyner2_5class_train_01785", "source": "cyner2_5class_train"}} +{"text": "The Korean malware Wroba , in addition to the traditional vector of infection via file-sharing services , spreads via alternative app stores .", "spans": {"Malware: Wroba": [[19, 24]]}, "info": {"id": "cyner2_5class_train_01786", "source": "cyner2_5class_train"}} +{"text": "While there have been several Suckfly campaigns that infected organizations with the group's custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions.", "spans": {"Organization: organizations": [[62, 75]], "Malware: custom malware": [[93, 107]], "Indicator: Backdoor.Nidiran,": [[108, 125]]}, "info": {"id": "cyner2_5class_train_01787", "source": "cyner2_5class_train"}} +{"text": "EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware", "spans": {"Indicator: HoeflerText": [[8, 19]], "System: Google Chrome": [[37, 50]], "Organization: Users": [[51, 56]], "Malware: Push RAT Malware": [[61, 77]]}, "info": {"id": "cyner2_5class_train_01788", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/ZAccess.zmv Win.Trojan.Autoit-452 Trojan.Win32.Inject.eyew Trojan.Packed.23726 Trojan.Win32.Inject.eyew Win32/Injector.Autoit.DG W32/Autoit.DG!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/ZAccess.zmv": [[26, 
46]], "Indicator: Win.Trojan.Autoit-452": [[47, 68]], "Indicator: Trojan.Win32.Inject.eyew": [[69, 93], [114, 138]], "Indicator: Trojan.Packed.23726": [[94, 113]], "Indicator: Win32/Injector.Autoit.DG": [[139, 163]], "Indicator: W32/Autoit.DG!tr": [[164, 180]]}, "info": {"id": "cyner2_5class_train_01789", "source": "cyner2_5class_train"}} +{"text": "Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year.", "spans": {"Malware: RIG exploit kit!": [[26, 42]], "Malware: RIG": [[73, 76]]}, "info": {"id": "cyner2_5class_train_01790", "source": "cyner2_5class_train"}} +{"text": "As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.", "spans": {"Indicator: Word document": [[78, 91]], "Indicator: VBS files": [[120, 129]], "Organization: load malicious DLLs through WMI.": [[136, 168]]}, "info": {"id": "cyner2_5class_train_01791", "source": "cyner2_5class_train"}} +{"text": "Describing this additional piece of code in detail is outside the scope of this analysis and may require a new dedicated blog post .", "spans": {"System: scope": [[66, 71]]}, "info": {"id": "cyner2_5class_train_01792", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VidroKDI.Worm Trojan-Dropper.Win32.Vidro!O Trojan.Vidro.S978560 Dropper.Vedro.Win32.4 Trojan/Dropper.Vidro.aei TROJ_KRYPTIK.SM Win32.Trojan-Downloader.Small.e W32/Trojan2.NPXJ Win32/Vidro.A TROJ_KRYPTIK.SM Win.Trojan.Vidro-11 Trojan.Win32.Vidro.bcqjb Trojan.Win32.Inject.dc Trojan.Inject.8798 BehavesLike.Win32.PWSZbot.qh Trojan-Dropper.Win32.Vidro W32/Trojan.SIZW-6937 TrojanDropper.Vidro.ko Trojan/Win32.Diple TrojanDropper:Win32/Vidro.C Trojan.Heur.ED30AD Dropper.Vidro.32768 Win-Trojan/Vidro.60416.B Trojan.Ahent.0322 Trojan.Vidro Trojan.Vidro Win32/TrojanDownloader.Small.OXH Trojan.Diple!gc4cFvq58+U W32/P2PWorm.HO.worm 
Backdoor.Win32.Vidro.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VidroKDI.Worm": [[26, 43]], "Indicator: Trojan-Dropper.Win32.Vidro!O": [[44, 72]], "Indicator: Trojan.Vidro.S978560": [[73, 93]], "Indicator: Dropper.Vedro.Win32.4": [[94, 115]], "Indicator: Trojan/Dropper.Vidro.aei": [[116, 140]], "Indicator: TROJ_KRYPTIK.SM": [[141, 156], [220, 235]], "Indicator: Win32.Trojan-Downloader.Small.e": [[157, 188]], "Indicator: W32/Trojan2.NPXJ": [[189, 205]], "Indicator: Win32/Vidro.A": [[206, 219]], "Indicator: Win.Trojan.Vidro-11": [[236, 255]], "Indicator: Trojan.Win32.Vidro.bcqjb": [[256, 280]], "Indicator: Trojan.Win32.Inject.dc": [[281, 303]], "Indicator: Trojan.Inject.8798": [[304, 322]], "Indicator: BehavesLike.Win32.PWSZbot.qh": [[323, 351]], "Indicator: Trojan-Dropper.Win32.Vidro": [[352, 378]], "Indicator: W32/Trojan.SIZW-6937": [[379, 399]], "Indicator: TrojanDropper.Vidro.ko": [[400, 422]], "Indicator: Trojan/Win32.Diple": [[423, 441]], "Indicator: TrojanDropper:Win32/Vidro.C": [[442, 469]], "Indicator: Trojan.Heur.ED30AD": [[470, 488]], "Indicator: Dropper.Vidro.32768": [[489, 508]], "Indicator: Win-Trojan/Vidro.60416.B": [[509, 533]], "Indicator: Trojan.Ahent.0322": [[534, 551]], "Indicator: Trojan.Vidro": [[552, 564], [565, 577]], "Indicator: Win32/TrojanDownloader.Small.OXH": [[578, 610]], "Indicator: Trojan.Diple!gc4cFvq58+U": [[611, 635]], "Indicator: W32/P2PWorm.HO.worm": [[636, 655]], "Indicator: Backdoor.Win32.Vidro.A": [[656, 678]]}, "info": {"id": "cyner2_5class_train_01793", "source": "cyner2_5class_train"}} +{"text": "We recently observed a new sample Detected by Trend Micro as TROJ_CVE20170199.JVU exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before.", "spans": {"Malware: sample": [[27, 33]], "Organization: Trend Micro": [[46, 57]], "Indicator: TROJ_CVE20170199.JVU": [[61, 81]], "Vulnerability: exploiting": [[82, 92]], "Indicator: 
CVE-2017-0199": [[93, 106]], "System: PowerPoint Slide Show—the": [[138, 163]]}, "info": {"id": "cyner2_5class_train_01794", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Starter.49160 Trojan.Win32.Starter!O Trojan.Mauvaise.SL1 Trojan/Starter.ast Win32.Trojan.FakeMicro.d Win32/Chekafe.N TROJ_STRTER.SMUK Win.Trojan.Starter-293 Trojan.Win32.Starter.trq Trojan.Win32.Starter.brvob Trojan.Win32.Starter.65536.C TrojWare.Win32.Starter.clj Trojan.Starter.1524 Trojan.Starter.Win32.261 TROJ_STRTER.SMUK Trojan/Starter.fd TR/Starter.TV Trojan/Win32.Starter Trojan.Starter.1 Trojan.Win32.Starter.trq Trojan:Win32/Chekafev.C Trojan/Win32.Starter.R1734 Trojan.Starter Win32/Spy.Chekafev.AA Trojan.Starter!lzYxQhoD/t8 Trojan.Win32.Starter", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Starter.49160": [[26, 50]], "Indicator: Trojan.Win32.Starter!O": [[51, 73]], "Indicator: Trojan.Mauvaise.SL1": [[74, 93]], "Indicator: Trojan/Starter.ast": [[94, 112]], "Indicator: Win32.Trojan.FakeMicro.d": [[113, 137]], "Indicator: Win32/Chekafe.N": [[138, 153]], "Indicator: TROJ_STRTER.SMUK": [[154, 170], [347, 363]], "Indicator: Win.Trojan.Starter-293": [[171, 193]], "Indicator: Trojan.Win32.Starter.trq": [[194, 218], [434, 458]], "Indicator: Trojan.Win32.Starter.brvob": [[219, 245]], "Indicator: Trojan.Win32.Starter.65536.C": [[246, 274]], "Indicator: TrojWare.Win32.Starter.clj": [[275, 301]], "Indicator: Trojan.Starter.1524": [[302, 321]], "Indicator: Trojan.Starter.Win32.261": [[322, 346]], "Indicator: Trojan/Starter.fd": [[364, 381]], "Indicator: TR/Starter.TV": [[382, 395]], "Indicator: Trojan/Win32.Starter": [[396, 416]], "Indicator: Trojan.Starter.1": [[417, 433]], "Indicator: Trojan:Win32/Chekafev.C": [[459, 482]], "Indicator: Trojan/Win32.Starter.R1734": [[483, 509]], "Indicator: Trojan.Starter": [[510, 524]], "Indicator: Win32/Spy.Chekafev.AA": [[525, 546]], "Indicator: Trojan.Starter!lzYxQhoD/t8": [[547, 573]], "Indicator: 
Trojan.Win32.Starter": [[574, 594]]}, "info": {"id": "cyner2_5class_train_01795", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper Waledac.M Win32.Waledac.b Trojan.Win32.Meredrop!IK Win32/Xema.worm.31232.I Trojan.Win32.Meredrop W32/Waledac.B!tr Injector.CD Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper": [[26, 40]], "Indicator: Waledac.M": [[41, 50]], "Indicator: Win32.Waledac.b": [[51, 66]], "Indicator: Trojan.Win32.Meredrop!IK": [[67, 91]], "Indicator: Win32/Xema.worm.31232.I": [[92, 115]], "Indicator: Trojan.Win32.Meredrop": [[116, 137]], "Indicator: W32/Waledac.B!tr": [[138, 154]], "Indicator: Injector.CD": [[155, 166]], "Indicator: Trj/Downloader.MDW": [[167, 185]]}, "info": {"id": "cyner2_5class_train_01796", "source": "cyner2_5class_train"}} +{"text": "UPDATE_PATTERNS – reregister in the administration panel .", "spans": {}, "info": {"id": "cyner2_5class_train_01797", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Crowti.MUE.A6 Ransom.Cerber Trojan.Zusy.D3175D Ransom.CryptXXX!g17 Ransom_HPCRYPMIC.SM4 Trojan.Win32.Z.Zusy.92672.FP Trojan.Encoder.5047 Ransom_HPCRYPMIC.SM4 TR/Crypt.Xpack.pzdls Ransom:Win32/Tovicrypt.A Trojan/Win32.CryptXXX.R185958 Trojan-Ransom.Locky Win32/Trojan.f15", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Crowti.MUE.A6": [[26, 46]], "Indicator: Ransom.Cerber": [[47, 60]], "Indicator: Trojan.Zusy.D3175D": [[61, 79]], "Indicator: Ransom.CryptXXX!g17": [[80, 99]], "Indicator: Ransom_HPCRYPMIC.SM4": [[100, 120], [170, 190]], "Indicator: Trojan.Win32.Z.Zusy.92672.FP": [[121, 149]], "Indicator: Trojan.Encoder.5047": [[150, 169]], "Indicator: TR/Crypt.Xpack.pzdls": [[191, 211]], "Indicator: Ransom:Win32/Tovicrypt.A": [[212, 236]], "Indicator: Trojan/Win32.CryptXXX.R185958": [[237, 266]], "Indicator: Trojan-Ransom.Locky": [[267, 286]], "Indicator: Win32/Trojan.f15": [[287, 303]]}, "info": {"id": 
"cyner2_5class_train_01798", "source": "cyner2_5class_train"}} +{"text": "The code responsible for this verification is shown in the following snippet : How it works When the malware is first started on the device it will begin by hiding its icon from the application drawer .", "spans": {}, "info": {"id": "cyner2_5class_train_01799", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Uds.Dangerousobject.Multi!c W32/Trojan.YSQI-3970 Trojan.Symmi.D3C9A Backdoor:Win32/Touasper.A Win32.Trojan.Spy.Efvi W32/Injector.AQM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[39, 81]], "Indicator: Backdoor.Trojan": [[82, 97]], "Indicator: Uds.Dangerousobject.Multi!c": [[98, 125]], "Indicator: W32/Trojan.YSQI-3970": [[126, 146]], "Indicator: Trojan.Symmi.D3C9A": [[147, 165]], "Indicator: Backdoor:Win32/Touasper.A": [[166, 191]], "Indicator: Win32.Trojan.Spy.Efvi": [[192, 213]], "Indicator: W32/Injector.AQM!tr": [[214, 233]]}, "info": {"id": "cyner2_5class_train_01800", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D3C7E6 Win32.Trojan.WisdomEyes.16070401.9500.9953 BehavesLike.Win32.Trojan.jm Trojan:Win32/Ceatrg.A Trojan/Win32.RemoteAdmin.C2229526 Trojan.MSIL.Bladabindi Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D3C7E6": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9953": [[45, 87]], "Indicator: BehavesLike.Win32.Trojan.jm": [[88, 115]], "Indicator: Trojan:Win32/Ceatrg.A": [[116, 137]], "Indicator: Trojan/Win32.RemoteAdmin.C2229526": [[138, 171]], "Indicator: Trojan.MSIL.Bladabindi": [[172, 194]], "Indicator: Trj/CI.A": [[195, 203]]}, "info": {"id": "cyner2_5class_train_01801", "source": "cyner2_5class_train"}} +{"text": "The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and 
modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Internet Explorer Microsoft Internet Explorer Remote Memory Corruption Vulnerability CVE-2015-2502.", "spans": {"Vulnerability: compromised": [[14, 25]], "Indicator: website": [[30, 37], [166, 173]], "Organization: Evangelical Lutheran Church": [[45, 72]], "Malware: malicious": [[112, 121]], "Indicator: iFrame": [[122, 128]], "Malware: exploit": [[185, 192]], "System: Internet Explorer Microsoft Internet Explorer": [[200, 245]], "Vulnerability: Remote Memory Corruption Vulnerability": [[246, 284]], "Indicator: CVE-2015-2502.": [[285, 299]]}, "info": {"id": "cyner2_5class_train_01802", "source": "cyner2_5class_train"}} +{"text": "This action changes the original file size of the DEX file , which makes the malicious resources a part of the DEX file , a section that is ignored by the signature validation process .", "spans": {}, "info": {"id": "cyner2_5class_train_01803", "source": "cyner2_5class_train"}} +{"text": "Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.", "spans": {"Indicator: TROJ_WERDLOD,": [[12, 25]], "Malware: malware": [[35, 42]]}, "info": {"id": "cyner2_5class_train_01804", "source": "cyner2_5class_train"}} +{"text": "In a root broken device , security is a fairy tale .", "spans": {}, "info": {"id": "cyner2_5class_train_01805", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Joiner!O Worm.Rebhip.A8 Trojan/Dropper.Joiner.k TROJ_MULTIDROP.Q W32/Dropper.ANIA Backdoor.Colfusion Win32/TheJoiner.15x.C TROJ_MULTIDROP.Q Trojan-Dropper.Win32.Joiner.k Trojan.Win32.Joiner.epmz Trojan.Win32.Z.Joiner.417292 Backdoor.W32.l8Tn TrojWare.Win32.TrojanDropper.Joiner.K Trojan.MulDrop.32 Dropper.Joiner.Win32.430 BehavesLike.Win32.Downloader.gc Trojan-Dropper.Win32.Joiner W32/Risk.SFJA-2732 TrojanDropper.Win32.Joiner.k 
Trojan/Win32.Llac.cxsz Trojan-Dropper.Win32.Joiner.k Trojan.Llac Trj/Runner.Joiner.K Win32/TrojanDropper.Joiner.K Win32.Trojan-dropper.Joiner.Lkdg Trojan.DR.Joiner!ZtouwF9CQqA RAT.CyberGate W32/SkyRat.DLE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Joiner!O": [[26, 55]], "Indicator: Worm.Rebhip.A8": [[56, 70]], "Indicator: Trojan/Dropper.Joiner.k": [[71, 94]], "Indicator: TROJ_MULTIDROP.Q": [[95, 111], [170, 186]], "Indicator: W32/Dropper.ANIA": [[112, 128]], "Indicator: Backdoor.Colfusion": [[129, 147]], "Indicator: Win32/TheJoiner.15x.C": [[148, 169]], "Indicator: Trojan-Dropper.Win32.Joiner.k": [[187, 216], [501, 530]], "Indicator: Trojan.Win32.Joiner.epmz": [[217, 241]], "Indicator: Trojan.Win32.Z.Joiner.417292": [[242, 270]], "Indicator: Backdoor.W32.l8Tn": [[271, 288]], "Indicator: TrojWare.Win32.TrojanDropper.Joiner.K": [[289, 326]], "Indicator: Trojan.MulDrop.32": [[327, 344]], "Indicator: Dropper.Joiner.Win32.430": [[345, 369]], "Indicator: BehavesLike.Win32.Downloader.gc": [[370, 401]], "Indicator: Trojan-Dropper.Win32.Joiner": [[402, 429]], "Indicator: W32/Risk.SFJA-2732": [[430, 448]], "Indicator: TrojanDropper.Win32.Joiner.k": [[449, 477]], "Indicator: Trojan/Win32.Llac.cxsz": [[478, 500]], "Indicator: Trojan.Llac": [[531, 542]], "Indicator: Trj/Runner.Joiner.K": [[543, 562]], "Indicator: Win32/TrojanDropper.Joiner.K": [[563, 591]], "Indicator: Win32.Trojan-dropper.Joiner.Lkdg": [[592, 624]], "Indicator: Trojan.DR.Joiner!ZtouwF9CQqA": [[625, 653]], "Indicator: RAT.CyberGate": [[654, 667]], "Indicator: W32/SkyRat.DLE!tr": [[668, 685]]}, "info": {"id": "cyner2_5class_train_01806", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Flood.Vb.DN Trojan/W32.Flooder.20992.B Trojan.Flood.Vb.DN Trojan/VB.dn Trojan.Flood.Vb.DN W32/VirTool.GZ Hacktool.Flooder Win32/Flooder.VB.DN Win.Trojan.Nudgema-1 IM-Flooder.Win32.VB.dn Trojan.Win32.VB.mdnh Win32.Trojan.Vb.Wrhd Trojan.Flood.Vb.DN 
TrojWare.Win32.Flooder.VB.DN Trojan.Flood.Vb.DN FDOS.IM.451 Tool.VB.Win32.1591 BehavesLike.Win32.Trojan.mh W32/Tool.QSEE-8541 IM-Flooder.VB.fg TR/Flood.VB.DN.1 HackTool[Flooder]/Win32.VB HackTool:Win32/Aflooder.D Trojan.Flood.Vb.DN IM-Flooder.W32.VB.dn!c Trojan.Flood.Vb.DN Trojan/Win32.Xema.N61964869 IMFlooder.VB Trojan-PWS.Win32.Executant.d Malware_fam.gw Flooder.LZ Flooder/Nudge.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Flood.Vb.DN": [[26, 44], [72, 90], [104, 122], [261, 279], [309, 327], [493, 511], [535, 553]], "Indicator: Trojan/W32.Flooder.20992.B": [[45, 71]], "Indicator: Trojan/VB.dn": [[91, 103]], "Indicator: W32/VirTool.GZ": [[123, 137]], "Indicator: Hacktool.Flooder": [[138, 154]], "Indicator: Win32/Flooder.VB.DN": [[155, 174]], "Indicator: Win.Trojan.Nudgema-1": [[175, 195]], "Indicator: IM-Flooder.Win32.VB.dn": [[196, 218]], "Indicator: Trojan.Win32.VB.mdnh": [[219, 239]], "Indicator: Win32.Trojan.Vb.Wrhd": [[240, 260]], "Indicator: TrojWare.Win32.Flooder.VB.DN": [[280, 308]], "Indicator: FDOS.IM.451": [[328, 339]], "Indicator: Tool.VB.Win32.1591": [[340, 358]], "Indicator: BehavesLike.Win32.Trojan.mh": [[359, 386]], "Indicator: W32/Tool.QSEE-8541": [[387, 405]], "Indicator: IM-Flooder.VB.fg": [[406, 422]], "Indicator: TR/Flood.VB.DN.1": [[423, 439]], "Indicator: HackTool[Flooder]/Win32.VB": [[440, 466]], "Indicator: HackTool:Win32/Aflooder.D": [[467, 492]], "Indicator: IM-Flooder.W32.VB.dn!c": [[512, 534]], "Indicator: Trojan/Win32.Xema.N61964869": [[554, 581]], "Indicator: IMFlooder.VB": [[582, 594]], "Indicator: Trojan-PWS.Win32.Executant.d": [[595, 623]], "Indicator: Malware_fam.gw": [[624, 638]], "Indicator: Flooder.LZ": [[639, 649]], "Indicator: Flooder/Nudge.B": [[650, 665]]}, "info": {"id": "cyner2_5class_train_01807", "source": "cyner2_5class_train"}} +{"text": "In mid-October 2016, he received an unexpected phone call.", "spans": {}, "info": {"id": "cyner2_5class_train_01808", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: W32.MoonLight.Trojan Win32.Emailworm.LW Worm.Lightmoon.MF.213 Win32.Emailworm.LW Worm.VB.Win32.314 W32/VB.by Win32.Emailworm.LW Win32.Worm.VB.a W32/Worm.CIPA-1476 W32.Rontokbro@mm Win32/Lightmoon.D WORM_VB.VV Email-Worm.Win32.VB.by Trojan.Win32.VB.dyztaz I-Worm.Win32.VB.35176 W32.W.VBNA.mhOD Worm.Win32.NoonLight.F BehavesLike.Win32.Trojan.nc W32/EmailWorm.LW Worm.VB.gi TR/BAS.Samca.12113913 Worm:Win32/Lightmoon.H Win32.Emailworm.LW Email-Worm.Win32.VB.by Win32.Emailworm.LW HEUR/Fakon.mwf Win32.Emailworm.LW W32/Moonlight.B.worm I-Worm.NoonLight.F Win32/NoonLight.F Win32.Worm-email.Vb.Hssm I-Worm.VB.WEI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MoonLight.Trojan": [[26, 46]], "Indicator: Win32.Emailworm.LW": [[47, 65], [88, 106], [135, 153], [443, 461], [485, 503], [519, 537]], "Indicator: Worm.Lightmoon.MF.213": [[66, 87]], "Indicator: Worm.VB.Win32.314": [[107, 124]], "Indicator: W32/VB.by": [[125, 134]], "Indicator: Win32.Worm.VB.a": [[154, 169]], "Indicator: W32/Worm.CIPA-1476": [[170, 188]], "Indicator: W32.Rontokbro@mm": [[189, 205]], "Indicator: Win32/Lightmoon.D": [[206, 223]], "Indicator: WORM_VB.VV": [[224, 234]], "Indicator: Email-Worm.Win32.VB.by": [[235, 257], [462, 484]], "Indicator: Trojan.Win32.VB.dyztaz": [[258, 280]], "Indicator: I-Worm.Win32.VB.35176": [[281, 302]], "Indicator: W32.W.VBNA.mhOD": [[303, 318]], "Indicator: Worm.Win32.NoonLight.F": [[319, 341]], "Indicator: BehavesLike.Win32.Trojan.nc": [[342, 369]], "Indicator: W32/EmailWorm.LW": [[370, 386]], "Indicator: Worm.VB.gi": [[387, 397]], "Indicator: TR/BAS.Samca.12113913": [[398, 419]], "Indicator: Worm:Win32/Lightmoon.H": [[420, 442]], "Indicator: HEUR/Fakon.mwf": [[504, 518]], "Indicator: W32/Moonlight.B.worm": [[538, 558]], "Indicator: I-Worm.NoonLight.F": [[559, 577]], "Indicator: Win32/NoonLight.F": [[578, 595]], "Indicator: Win32.Worm-email.Vb.Hssm": [[596, 620]], "Indicator: I-Worm.VB.WEI": [[621, 634]]}, "info": {"id": 
"cyner2_5class_train_01809", "source": "cyner2_5class_train"}} +{"text": "One of those binaries was initially thought to be a new variant of the Padpin ATM malware family.", "spans": {"Indicator: binaries": [[13, 21]], "Malware: variant": [[56, 63]], "Malware: the Padpin ATM malware family.": [[67, 97]]}, "info": {"id": "cyner2_5class_train_01810", "source": "cyner2_5class_train"}} +{"text": "Accessing the “ Cmd ” folder in the attacker ’ s email box Moreover , it can send a specified file or all the gathered data from the victim device via email .", "spans": {}, "info": {"id": "cyner2_5class_train_01811", "source": "cyner2_5class_train"}} +{"text": "First , we launched a banking app and entered the credentials there .", "spans": {}, "info": {"id": "cyner2_5class_train_01812", "source": "cyner2_5class_train"}} +{"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 's devices .", "spans": {"Organization: BLU": [[95, 98]]}, "info": {"id": "cyner2_5class_train_01813", "source": "cyner2_5class_train"}} +{"text": "The Trojan displays a fake HTML update page ( update.html ) that blocks the device ’ s screen for a long period of time .", "spans": {"Indicator: update.html": [[46, 57]]}, "info": {"id": "cyner2_5class_train_01814", "source": "cyner2_5class_train"}} +{"text": "The infection chain is slightly more roundabout in the case of Apple devices .", "spans": {"System: Apple": [[63, 68]]}, "info": {"id": "cyner2_5class_train_01815", "source": "cyner2_5class_train"}} +{"text": "The infection has not spread very widely at the time of writing , but we ’ ve seen that many users have already received its SMS content .", "spans": {}, "info": {"id": "cyner2_5class_train_01816", "source": "cyner2_5class_train"}} +{"text": "The attacks use Domain Name System ( DNS ) cache poisoning/DNS spoofing , possibly through infringement 
techniques such as brute-force or dictionary attacks , to distribute and install malicious Android apps .", "spans": {"System: Android": [[195, 202]]}, "info": {"id": "cyner2_5class_train_01817", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9786 TROJ_ONKODS.SMFF Trojan.DownLoader13.29927 TROJ_ONKODS.SMFF TrojanDownloader:Win32/Cerber.A Trojan.Zbot.188 Trojan/Win32.Fakeavlock.R144660 Trojan-Downloader.Win32.Tiny", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9786": [[26, 68]], "Indicator: TROJ_ONKODS.SMFF": [[69, 85], [112, 128]], "Indicator: Trojan.DownLoader13.29927": [[86, 111]], "Indicator: TrojanDownloader:Win32/Cerber.A": [[129, 160]], "Indicator: Trojan.Zbot.188": [[161, 176]], "Indicator: Trojan/Win32.Fakeavlock.R144660": [[177, 208]], "Indicator: Trojan-Downloader.Win32.Tiny": [[209, 237]]}, "info": {"id": "cyner2_5class_train_01818", "source": "cyner2_5class_train"}} +{"text": "These solutions are typical in enterprise environments.", "spans": {"System: enterprise environments.": [[31, 55]]}, "info": {"id": "cyner2_5class_train_01819", "source": "cyner2_5class_train"}} +{"text": "Installing apps on the system partition makes it harder for the user to remove the app .", "spans": {}, "info": {"id": "cyner2_5class_train_01820", "source": "cyner2_5class_train"}} +{"text": "The ransomware is designed to infect Microsoft Windows computers.", "spans": {"Malware: ransomware": [[4, 14]], "System: Microsoft Windows computers.": [[37, 65]]}, "info": {"id": "cyner2_5class_train_01821", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Delf.NGA Worm.Win32.Delf!O Worm.Delf Win32.Worm.Delf.NGA Win32.Worm.Delf.bd W32/Trojan2.MIZZ W32.Screentief Win32/Screentief.A WORM_AUTORUN.GKP Worm.Win32.Delf.vn Win32.Worm.Delf.NGA Win32.Worm.Delf.clov Win32.Worm.Delf.NGA TrojWare.Win32.PSW.OnLineGames.~LDK Win32.Worm.Delf.NGA 
Trojan.DownLoader4.55571 WORM_AUTORUN.GKP W32/Trojan.DZCT-6244 Worm:Win32/Screenthif.A Worm/Win32.Delf Worm:Win32/ScreenThif.A Win32.Worm.Delf.NGA Trojan.Win32.Scar.702464 Worm.Win32.Delf.vn Win32.Worm.Delf.NGA HEUR/Fakon.mwf Win32.Delf Win32/Delf.NQC W32/Delf.NQC!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Delf.NGA": [[26, 45], [74, 93], [200, 219], [241, 260], [297, 316], [444, 463], [508, 527]], "Indicator: Worm.Win32.Delf!O": [[46, 63]], "Indicator: Worm.Delf": [[64, 73]], "Indicator: Win32.Worm.Delf.bd": [[94, 112]], "Indicator: W32/Trojan2.MIZZ": [[113, 129]], "Indicator: W32.Screentief": [[130, 144]], "Indicator: Win32/Screentief.A": [[145, 163]], "Indicator: WORM_AUTORUN.GKP": [[164, 180], [342, 358]], "Indicator: Worm.Win32.Delf.vn": [[181, 199], [489, 507]], "Indicator: Win32.Worm.Delf.clov": [[220, 240]], "Indicator: TrojWare.Win32.PSW.OnLineGames.~LDK": [[261, 296]], "Indicator: Trojan.DownLoader4.55571": [[317, 341]], "Indicator: W32/Trojan.DZCT-6244": [[359, 379]], "Indicator: Worm:Win32/Screenthif.A": [[380, 403]], "Indicator: Worm/Win32.Delf": [[404, 419]], "Indicator: Worm:Win32/ScreenThif.A": [[420, 443]], "Indicator: Trojan.Win32.Scar.702464": [[464, 488]], "Indicator: HEUR/Fakon.mwf": [[528, 542]], "Indicator: Win32.Delf": [[543, 553]], "Indicator: Win32/Delf.NQC": [[554, 568]], "Indicator: W32/Delf.NQC!worm": [[569, 586]]}, "info": {"id": "cyner2_5class_train_01822", "source": "cyner2_5class_train"}} +{"text": "The seller , known as \" bestoffer , '' was , at some point , expelled from the forum .", "spans": {}, "info": {"id": "cyner2_5class_train_01823", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DontovoF.Trojan Trojan.Hacktool.Httptunnel.A Trojan/W32.HackTool.36864.I Trojan.Hacktool.Httptunnel.A Tool.HTTPTunnel.Win32.1 Trojan/Hacktool.HTTPTunnel Trojan.Hacktool.Httptunnel.A Trojan.Hacktool.Httptunnel.A W32/Tool.UFFD-0015 TROJ_HTTPTUNE.A Trojan.Hacktool.Httptunnel.A 
HackTool.Win32.HTTPTunnel Riskware.Win32.HTTPTunnel.hskj HackTool.W32.HTTPTunnel!c Trojan.Hacktool.Httptunnel.A Application.Win32.HackTool.HTTPTunnel BehavesLike.Win32.PUP.nz W32/HackTool.EG Hacktool.HttpTunnel W32.Hack.Tool HackTool/Win32.HTTPTunnel HackTool.Win32.HTTPTunnel Win32/HackTool.HTTPTunnel Win32.Hacktool.Httptunnel.Ljul", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DontovoF.Trojan": [[26, 45]], "Indicator: Trojan.Hacktool.Httptunnel.A": [[46, 74], [103, 131], [183, 211], [212, 240], [276, 304], [388, 416]], "Indicator: Trojan/W32.HackTool.36864.I": [[75, 102]], "Indicator: Tool.HTTPTunnel.Win32.1": [[132, 155]], "Indicator: Trojan/Hacktool.HTTPTunnel": [[156, 182]], "Indicator: W32/Tool.UFFD-0015": [[241, 259]], "Indicator: TROJ_HTTPTUNE.A": [[260, 275]], "Indicator: HackTool.Win32.HTTPTunnel": [[305, 330], [556, 581]], "Indicator: Riskware.Win32.HTTPTunnel.hskj": [[331, 361]], "Indicator: HackTool.W32.HTTPTunnel!c": [[362, 387]], "Indicator: Application.Win32.HackTool.HTTPTunnel": [[417, 454]], "Indicator: BehavesLike.Win32.PUP.nz": [[455, 479]], "Indicator: W32/HackTool.EG": [[480, 495]], "Indicator: Hacktool.HttpTunnel": [[496, 515]], "Indicator: W32.Hack.Tool": [[516, 529]], "Indicator: HackTool/Win32.HTTPTunnel": [[530, 555]], "Indicator: Win32/HackTool.HTTPTunnel": [[582, 607]], "Indicator: Win32.Hacktool.Httptunnel.Ljul": [[608, 638]]}, "info": {"id": "cyner2_5class_train_01824", "source": "cyner2_5class_train"}} +{"text": "“ In the future , we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks ” , states ESET ’ s researcher .", "spans": {"System: Facebook": [[74, 82]], "System: LinkedIn": [[102, 110]], "Organization: ESET": [[148, 152]]}, "info": {"id": "cyner2_5class_train_01825", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.KGEI-2537 Trojan-Spy.Win32.Alinaos.as Trojan.Win32.Z.Zusy.575488.M BehavesLike.Win32.Trojan.hc 
Trojan.MSIL.Krypt Trojan.Zusy.D3371D Trojan/Win32.Inject.C1647442 Trojan-Spy.Win32.Alinaos.as Trojan:MSIL/Proseus.A!bit Trj/CI.A Msil.Trojan.Dropper.Sxdx Win32/Trojan.Dropper.6f6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.KGEI-2537": [[26, 46]], "Indicator: Trojan-Spy.Win32.Alinaos.as": [[47, 74], [198, 225]], "Indicator: Trojan.Win32.Z.Zusy.575488.M": [[75, 103]], "Indicator: BehavesLike.Win32.Trojan.hc": [[104, 131]], "Indicator: Trojan.MSIL.Krypt": [[132, 149]], "Indicator: Trojan.Zusy.D3371D": [[150, 168]], "Indicator: Trojan/Win32.Inject.C1647442": [[169, 197]], "Indicator: Trojan:MSIL/Proseus.A!bit": [[226, 251]], "Indicator: Trj/CI.A": [[252, 260]], "Indicator: Msil.Trojan.Dropper.Sxdx": [[261, 285]], "Indicator: Win32/Trojan.Dropper.6f6": [[286, 310]]}, "info": {"id": "cyner2_5class_train_01826", "source": "cyner2_5class_train"}} +{"text": "In a three-month period from August to October 2018 , it launched over 70,000 attacks against users located primarily in Russia .", "spans": {}, "info": {"id": "cyner2_5class_train_01827", "source": "cyner2_5class_train"}} +{"text": "These attacks caused significant financial impact for major cryptocurrency markets, with one cryptocurrency cloud provider losing over $12 million in assets, allegedly to ITG03.", "spans": {"Indicator: attacks": [[6, 13]], "Organization: cryptocurrency markets,": [[60, 83]], "Organization: cryptocurrency cloud provider": [[93, 122]]}, "info": {"id": "cyner2_5class_train_01828", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Delf!O Worm.Zorin W32.Looked.P Win32/Looked.C PE_LEOX.A Worm.Win32.Zorin.a Trojan.Win32.Zorin.wmfe W32.W.Viking.l3Va Virus.Win32.Zorin.a Win32.HLLW.Looked Virus.Delf.Win32.16 PE_LEOX.A BehavesLike.Win32.Backdoor.lh Worm.Win32.Viking W32/Zorin.A Worm/Zorin.a Virus/Win32.Delf.dpee Worm.Logo.f.67072 Worm:Win32/Zorin.A Worm.Win32.A.Zorin.67072 Worm.Win32.Zorin.a Win32/Zorin.67072 Trojan.Delf.62976 Win32/Viking.NAI 
Worm.Zorin.A W32/Zorin.A.worm Win32/Worm.Zorin.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Delf!O": [[26, 44]], "Indicator: Worm.Zorin": [[45, 55]], "Indicator: W32.Looked.P": [[56, 68]], "Indicator: Win32/Looked.C": [[69, 83]], "Indicator: PE_LEOX.A": [[84, 93], [213, 222]], "Indicator: Worm.Win32.Zorin.a": [[94, 112], [380, 398]], "Indicator: Trojan.Win32.Zorin.wmfe": [[113, 136]], "Indicator: W32.W.Viking.l3Va": [[137, 154]], "Indicator: Virus.Win32.Zorin.a": [[155, 174]], "Indicator: Win32.HLLW.Looked": [[175, 192]], "Indicator: Virus.Delf.Win32.16": [[193, 212]], "Indicator: BehavesLike.Win32.Backdoor.lh": [[223, 252]], "Indicator: Worm.Win32.Viking": [[253, 270]], "Indicator: W32/Zorin.A": [[271, 282]], "Indicator: Worm/Zorin.a": [[283, 295]], "Indicator: Virus/Win32.Delf.dpee": [[296, 317]], "Indicator: Worm.Logo.f.67072": [[318, 335]], "Indicator: Worm:Win32/Zorin.A": [[336, 354]], "Indicator: Worm.Win32.A.Zorin.67072": [[355, 379]], "Indicator: Win32/Zorin.67072": [[399, 416]], "Indicator: Trojan.Delf.62976": [[417, 434]], "Indicator: Win32/Viking.NAI": [[435, 451]], "Indicator: Worm.Zorin.A": [[452, 464]], "Indicator: W32/Zorin.A.worm": [[465, 481]], "Indicator: Win32/Worm.Zorin.A": [[482, 500]]}, "info": {"id": "cyner2_5class_train_01829", "source": "cyner2_5class_train"}} +{"text": "The focus of the Android banking malware in Google Play is different from any other Android malware we have investigated.", "spans": {"Malware: Android banking malware": [[17, 40]], "System: Google Play": [[44, 55]], "Malware: Android malware": [[84, 99]]}, "info": {"id": "cyner2_5class_train_01830", "source": "cyner2_5class_train"}} +{"text": "EventBot Sending the pin code back to the C2 Sending the pin code back to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_01831", "source": "cyner2_5class_train"}} +{"text": "Actually, this is not the first ransomware to come out of Brazil.", "spans": {"Malware: 
ransomware": [[32, 42]]}, "info": {"id": "cyner2_5class_train_01832", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.12356.C TrojanPSW.OnLineGames.gyv Trojan.DL.Hover!hoKEWysDbsk W32/Packed_Upack.A Trojan.Onlinegames-2021 Trojan-Downloader.Win32.Hover.ae Heur.Packed.Unknown Trojan.AVKill.425 TR/CHover.AE Trojan/PSW.OnLineGames.aogk TrojanDownloader:Win32/Idicaf.C Win-Trojan/OnlineGameHack.12356.D Trojan-PSW.Win32.OnLineGames.alse HeurEngine.ZeroDayThreat W32/OnLineGames.ALSE!tr.pws PSW.OnlineGames.ATXK Trj/Lineage.KMQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.12356.C": [[26, 56]], "Indicator: TrojanPSW.OnLineGames.gyv": [[57, 82]], "Indicator: Trojan.DL.Hover!hoKEWysDbsk": [[83, 110]], "Indicator: W32/Packed_Upack.A": [[111, 129]], "Indicator: Trojan.Onlinegames-2021": [[130, 153]], "Indicator: Trojan-Downloader.Win32.Hover.ae": [[154, 186]], "Indicator: Heur.Packed.Unknown": [[187, 206]], "Indicator: Trojan.AVKill.425": [[207, 224]], "Indicator: TR/CHover.AE": [[225, 237]], "Indicator: Trojan/PSW.OnLineGames.aogk": [[238, 265]], "Indicator: TrojanDownloader:Win32/Idicaf.C": [[266, 297]], "Indicator: Win-Trojan/OnlineGameHack.12356.D": [[298, 331]], "Indicator: Trojan-PSW.Win32.OnLineGames.alse": [[332, 365]], "Indicator: HeurEngine.ZeroDayThreat": [[366, 390]], "Indicator: W32/OnLineGames.ALSE!tr.pws": [[391, 418]], "Indicator: PSW.OnlineGames.ATXK": [[419, 439]], "Indicator: Trj/Lineage.KMQ": [[440, 455]]}, "info": {"id": "cyner2_5class_train_01833", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Nsis.hgnwk TROJ_SPNR.07JB11 Trj/CI.A Win32.Troj.DeepScan.x.kcloud Trojan:Win32/Sinis.C W32/Bfr.CV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Nsis.hgnwk": [[26, 49]], "Indicator: TROJ_SPNR.07JB11": [[50, 66]], "Indicator: Trj/CI.A": [[67, 75]], "Indicator: Win32.Troj.DeepScan.x.kcloud": [[76, 104]], "Indicator: 
Trojan:Win32/Sinis.C": [[105, 125]], "Indicator: W32/Bfr.CV!tr": [[126, 139]]}, "info": {"id": "cyner2_5class_train_01834", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: malware": [[93, 100]], "Malware: Seaduke malware": [[135, 150]], "Organization: Symantec.": [[182, 191]]}, "info": {"id": "cyner2_5class_train_01835", "source": "cyner2_5class_train"}} +{"text": "There is no way to access the original app again even if victims terminate the overlay process and reopen app , until credit card ( name , number , expiry date , security code ) and/or bank information ( PIN , VBV passcode , date of birth , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_01836", "source": "cyner2_5class_train"}} +{"text": "It leaves a ransom note with the following filename: !!! how to decrypt files !!!.txt", "spans": {"Malware: ransom": [[12, 18]], "Indicator: filename: !!! 
how to decrypt files !!!.txt": [[43, 85]]}, "info": {"id": "cyner2_5class_train_01837", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.Mutant.32128 TrojanDownloader.Mutant.aim Trojan.DR.Wigon.K Win32/Wigon.CK W32/Trojan3.GG Trojan.Pandex W32/DLoader.JDXM Trojan.Downloader-55828 Trojan-Downloader.Win32.Mutant.aim Trojan.Downloader.Wigon.A TrojWare.Win32.Wigon.CK Trojan-Downloader.Win32.Mutant.aim Trojan.Rntm.10 Win32/Wigon.CK W32/Trojan3.GG TrojanDropper:Win32/Cutwail.AG Trojan.Downloader.Wigon.A Trojan.Pandex.ILG Trojan.Win32.Undef.qqp Trojan-Dropper.Cutwail BackDoor.Ntrootkit Trj/BedeTres.R", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.Mutant.32128": [[26, 60]], "Indicator: TrojanDownloader.Mutant.aim": [[61, 88]], "Indicator: Trojan.DR.Wigon.K": [[89, 106]], "Indicator: Win32/Wigon.CK": [[107, 121], [327, 341]], "Indicator: W32/Trojan3.GG": [[122, 136], [342, 356]], "Indicator: Trojan.Pandex": [[137, 150]], "Indicator: W32/DLoader.JDXM": [[151, 167]], "Indicator: Trojan.Downloader-55828": [[168, 191]], "Indicator: Trojan-Downloader.Win32.Mutant.aim": [[192, 226], [277, 311]], "Indicator: Trojan.Downloader.Wigon.A": [[227, 252], [388, 413]], "Indicator: TrojWare.Win32.Wigon.CK": [[253, 276]], "Indicator: Trojan.Rntm.10": [[312, 326]], "Indicator: TrojanDropper:Win32/Cutwail.AG": [[357, 387]], "Indicator: Trojan.Pandex.ILG": [[414, 431]], "Indicator: Trojan.Win32.Undef.qqp": [[432, 454]], "Indicator: Trojan-Dropper.Cutwail": [[455, 477]], "Indicator: BackDoor.Ntrootkit": [[478, 496]], "Indicator: Trj/BedeTres.R": [[497, 511]]}, "info": {"id": "cyner2_5class_train_01838", "source": "cyner2_5class_train"}} +{"text": "To prevent this , Android ’ s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": 
"cyner2_5class_train_01839", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Trojan.Spy.Delf.PY Backdoor.Win32.Swz!O Backdoor/Swz.c Trojan.Spy.Delf.PY Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Trojan.XFMU-4902 TSPY_DELF.EGM Win.Spyware.3595-2 Backdoor.Win32.Swz.c Dropped:Trojan.Spy.Delf.PY Trojan.Win32.Swz.bcbdrt Dropped:Trojan.Spy.Delf.PY TrojWare.Win32.Dialer.LA Dropped:Trojan.Spy.Delf.PY Trojan.DownLoader.18593 TSPY_DELF.EGM BehavesLike.Win32.HLLP.dh Trojan-Dropper.Delf W32/Trojan.YLD Backdoor/Delf.sn Trojan[Backdoor]/Win32.Swz Backdoor.Win32.Hupigon.159240 Backdoor.Win32.Swz.c Dropped:Trojan.Spy.Delf.PY Trojan/Win32.Llac.R36500 Dropped:Trojan.Spy.Delf.PY Backdoor.Win32.Hupigon.axbc TrojanSpy.Delf!ehn0gq0J77k", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Trojan.Spy.Delf.PY": [[26, 52], [226, 252], [277, 303], [329, 355], [550, 576], [602, 628]], "Indicator: Backdoor.Win32.Swz!O": [[53, 73]], "Indicator: Backdoor/Swz.c": [[74, 88]], "Indicator: Trojan.Spy.Delf.PY": [[89, 107]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[108, 150]], "Indicator: W32/Trojan.XFMU-4902": [[151, 171]], "Indicator: TSPY_DELF.EGM": [[172, 185], [380, 393]], "Indicator: Win.Spyware.3595-2": [[186, 204]], "Indicator: Backdoor.Win32.Swz.c": [[205, 225], [529, 549]], "Indicator: Trojan.Win32.Swz.bcbdrt": [[253, 276]], "Indicator: TrojWare.Win32.Dialer.LA": [[304, 328]], "Indicator: Trojan.DownLoader.18593": [[356, 379]], "Indicator: BehavesLike.Win32.HLLP.dh": [[394, 419]], "Indicator: Trojan-Dropper.Delf": [[420, 439]], "Indicator: W32/Trojan.YLD": [[440, 454]], "Indicator: Backdoor/Delf.sn": [[455, 471]], "Indicator: Trojan[Backdoor]/Win32.Swz": [[472, 498]], "Indicator: Backdoor.Win32.Hupigon.159240": [[499, 528]], "Indicator: Trojan/Win32.Llac.R36500": [[577, 601]], "Indicator: Backdoor.Win32.Hupigon.axbc": [[629, 656]], "Indicator: TrojanSpy.Delf!ehn0gq0J77k": [[657, 683]]}, "info": {"id": "cyner2_5class_train_01840", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9955 BKDR_ZEGOST.SM17 Trojan.Win32.FBOK.exmdmr TR/Crypt.Xpack.drajw Trojan.Johnnie.D15B42 Trojan:Win32/Redosdru.AB Trj/GdSda.A Win32/Backdoor.d55", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9955": [[26, 68]], "Indicator: BKDR_ZEGOST.SM17": [[69, 85]], "Indicator: Trojan.Win32.FBOK.exmdmr": [[86, 110]], "Indicator: TR/Crypt.Xpack.drajw": [[111, 131]], "Indicator: Trojan.Johnnie.D15B42": [[132, 153]], "Indicator: Trojan:Win32/Redosdru.AB": [[154, 178]], "Indicator: Trj/GdSda.A": [[179, 190]], "Indicator: Win32/Backdoor.d55": [[191, 209]]}, "info": {"id": "cyner2_5class_train_01841", "source": "cyner2_5class_train"}} +{"text": "A Mumblehard infected server opens a backdoor for the cybercriminals that allows them full control of the system by running arbitrary code.", "spans": {"Malware: Mumblehard": [[2, 12]], "Indicator: opens a backdoor": [[29, 45]], "Indicator: full control": [[86, 98]], "Vulnerability: arbitrary code.": [[124, 139]]}, "info": {"id": "cyner2_5class_train_01842", "source": "cyner2_5class_train"}} +{"text": "The app then uses JavaScript injection to create a new script in the carrier ’ s web page to run the new function .", "spans": {}, "info": {"id": "cyner2_5class_train_01843", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah Worm.EternalRocks Win32.Trojan.WisdomEyes.16070401.9500.9972 W32.Eternalrocks Win.Trojan.EternalRocks-6320096-0 Worm.EternalRocks.t Trojan/Win32.Fsysna Trojan:Win32/Eterock.A Win-Trojan/MDA.630F094C Trojan.Fsysna Worm.DoomsDay W32/Eterocks.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah": [[26, 40]], "Indicator: Worm.EternalRocks": [[41, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9972": [[59, 101]], "Indicator: W32.Eternalrocks": [[102, 118]], "Indicator: Win.Trojan.EternalRocks-6320096-0": 
[[119, 152]], "Indicator: Worm.EternalRocks.t": [[153, 172]], "Indicator: Trojan/Win32.Fsysna": [[173, 192]], "Indicator: Trojan:Win32/Eterock.A": [[193, 215]], "Indicator: Win-Trojan/MDA.630F094C": [[216, 239]], "Indicator: Trojan.Fsysna": [[240, 253]], "Indicator: Worm.DoomsDay": [[254, 267]], "Indicator: W32/Eterocks.B!tr": [[268, 285]]}, "info": {"id": "cyner2_5class_train_01844", "source": "cyner2_5class_train"}} +{"text": "The fields it collects are : Mobile - The phone number which sent the SMS Content - The message body Sender - The contact name who sent the message Time - The time the message was received onReceive function used to intercept incoming SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_01845", "source": "cyner2_5class_train"}} +{"text": "In addition to the commoditized EKs, this exploit code has been leveraged in numerous one-shot and gated web-exploitation campaigns, delivered through a mix of the usual malvertising networks and compromised websites.", "spans": {"Malware: EKs,": [[32, 36]], "Indicator: exploit code": [[42, 54]], "Indicator: malvertising networks": [[170, 191]], "Indicator: compromised websites.": [[196, 217]]}, "info": {"id": "cyner2_5class_train_01846", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.8391 Trojan.Win32.Drop.bbwlfj Trojan.MulDrop4.627 TR/MiniMal.A.120 Trojan.Graftor.D4750 W32/Redosdru.BED!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.8391": [[26, 45]], "Indicator: Trojan.Win32.Drop.bbwlfj": [[46, 70]], "Indicator: Trojan.MulDrop4.627": [[71, 90]], "Indicator: TR/MiniMal.A.120": [[91, 107]], "Indicator: Trojan.Graftor.D4750": [[108, 128]], "Indicator: W32/Redosdru.BED!tr": [[129, 148]]}, "info": {"id": "cyner2_5class_train_01847", "source": "cyner2_5class_train"}} +{"text": "Zen requires root to work correctly on the Android operating system .", "spans": {"Malware: Zen": [[0, 3]], "System: Android": [[43, 50]]}, "info": {"id": 
"cyner2_5class_train_01848", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Tinyloader Trojan.Zusy.D258DB Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Tiny.dztpub Trojan.Win32.Tiny TrojanDownloader:Win32/Tinyloader.D Trj/CI.A Win32.Trojan.Crypt.Wrqf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Tinyloader": [[26, 53]], "Indicator: Trojan.Zusy.D258DB": [[54, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[73, 115]], "Indicator: Trojan.Win32.Tiny.dztpub": [[116, 140]], "Indicator: Trojan.Win32.Tiny": [[141, 158]], "Indicator: TrojanDownloader:Win32/Tinyloader.D": [[159, 194]], "Indicator: Trj/CI.A": [[195, 203]], "Indicator: Win32.Trojan.Crypt.Wrqf": [[204, 227]]}, "info": {"id": "cyner2_5class_train_01849", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Orbus.S11689 Trojan.Zusy.DE453 W32/Trojan2.OGNI Backdoor.Salgorea Win32/Tnega.WCBBKMB TROJ_CUEGOE.SM Win.Trojan.Cuegoe-6336261-0 Application.Win32.Amonetize.NE TROJ_CUEGOE.SM W32/Trojan.WOEU-3966 TR/Zusy.htd.1 Trojan.Dropper Trojan.Zusy!G5SenpWt4dI W32/Salgorea.C!tr Backdoor.Win32.OceanLotus.X", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Orbus.S11689": [[26, 45]], "Indicator: Trojan.Zusy.DE453": [[46, 63]], "Indicator: W32/Trojan2.OGNI": [[64, 80]], "Indicator: Backdoor.Salgorea": [[81, 98]], "Indicator: Win32/Tnega.WCBBKMB": [[99, 118]], "Indicator: TROJ_CUEGOE.SM": [[119, 133], [193, 207]], "Indicator: Win.Trojan.Cuegoe-6336261-0": [[134, 161]], "Indicator: Application.Win32.Amonetize.NE": [[162, 192]], "Indicator: W32/Trojan.WOEU-3966": [[208, 228]], "Indicator: TR/Zusy.htd.1": [[229, 242]], "Indicator: Trojan.Dropper": [[243, 257]], "Indicator: Trojan.Zusy!G5SenpWt4dI": [[258, 281]], "Indicator: W32/Salgorea.C!tr": [[282, 299]], "Indicator: Backdoor.Win32.OceanLotus.X": [[300, 327]]}, "info": {"id": "cyner2_5class_train_01850", "source": "cyner2_5class_train"}} +{"text": 
"A backdoor also known as: TrojanPWS.AutoIt.Zbot.S Win32.Trojan.WisdomEyes.16070401.9500.9823 W32/Trojan.FKJB-3819 Trojan.Win32.Autoit.abnef BehavesLike.Win32.Dropper.bh DR/Autoit.dhgia TrojanDownloader:VBS/Banload.BEP Trojan.Win32.Autoit.abnef Trj/CI.A W32/Injector.DMUI!tr Win32/Trojan.3cd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.AutoIt.Zbot.S": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9823": [[50, 92]], "Indicator: W32/Trojan.FKJB-3819": [[93, 113]], "Indicator: Trojan.Win32.Autoit.abnef": [[114, 139], [218, 243]], "Indicator: BehavesLike.Win32.Dropper.bh": [[140, 168]], "Indicator: DR/Autoit.dhgia": [[169, 184]], "Indicator: TrojanDownloader:VBS/Banload.BEP": [[185, 217]], "Indicator: Trj/CI.A": [[244, 252]], "Indicator: W32/Injector.DMUI!tr": [[253, 273]], "Indicator: Win32/Trojan.3cd": [[274, 290]]}, "info": {"id": "cyner2_5class_train_01851", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MSIL.Trojan.Injector.q TrojWare.MSIL.Injector.AB Trojan.Starter.4871 BehavesLike.Win32.Ransomware.ch W32/Trojan.QQTT-3117 Trojan:MSIL/Ranos.A Trojan.Msil Win32/Trojan.ead", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MSIL.Trojan.Injector.q": [[26, 48]], "Indicator: TrojWare.MSIL.Injector.AB": [[49, 74]], "Indicator: Trojan.Starter.4871": [[75, 94]], "Indicator: BehavesLike.Win32.Ransomware.ch": [[95, 126]], "Indicator: W32/Trojan.QQTT-3117": [[127, 147]], "Indicator: Trojan:MSIL/Ranos.A": [[148, 167]], "Indicator: Trojan.Msil": [[168, 179]], "Indicator: Win32/Trojan.ead": [[180, 196]]}, "info": {"id": "cyner2_5class_train_01852", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D1BC52 Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Memsyl Trojan.Win32.Inject1.dkmaoo Trojan.Inject1.45689 Trojan.Injector.Win32.256336 Trojan.MSIL.Inject Trojan[Dropper]/Win32.Injector Dropper/Win32.Necurs.R121870 Trojan.JobLaunch.ODB Trj/CI.A Trojan.Injector!pUXRB6SMd/g", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D1BC52": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[45, 87]], "Indicator: Backdoor.Memsyl": [[88, 103]], "Indicator: Trojan.Win32.Inject1.dkmaoo": [[104, 131]], "Indicator: Trojan.Inject1.45689": [[132, 152]], "Indicator: Trojan.Injector.Win32.256336": [[153, 181]], "Indicator: Trojan.MSIL.Inject": [[182, 200]], "Indicator: Trojan[Dropper]/Win32.Injector": [[201, 231]], "Indicator: Dropper/Win32.Necurs.R121870": [[232, 260]], "Indicator: Trojan.JobLaunch.ODB": [[261, 281]], "Indicator: Trj/CI.A": [[282, 290]], "Indicator: Trojan.Injector!pUXRB6SMd/g": [[291, 318]]}, "info": {"id": "cyner2_5class_train_01853", "source": "cyner2_5class_train"}} +{"text": "Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost.", "spans": {"Organization: Alibaba researchers": [[0, 19]], "Malware: malware,": [[58, 66]], "Malware: XcodeGhost.": [[86, 97]]}, "info": {"id": "cyner2_5class_train_01854", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Bayrob.c W32/Trojan.RXRB-1881 Trojan.Win32.Dwn.eeedhz Trojan.Win32.Z.Bayrob.1075712.R Trojan.DownLoader22.1800 BehavesLike.Win32.Trojan.tc TR/Nivdort.knzgo Trojan:Win32/Nivdort.A Trojan.Kazy.DC0934 Trojan/Win32.Nivdort.C1321145 Trojan.Win32.Bayrob W32/Bayrob.BL!tr Win32/Trojan.f19", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Bayrob.c": [[26, 47]], "Indicator: W32/Trojan.RXRB-1881": [[48, 68]], "Indicator: Trojan.Win32.Dwn.eeedhz": [[69, 92]], "Indicator: Trojan.Win32.Z.Bayrob.1075712.R": [[93, 124]], "Indicator: Trojan.DownLoader22.1800": [[125, 149]], "Indicator: BehavesLike.Win32.Trojan.tc": [[150, 177]], "Indicator: TR/Nivdort.knzgo": [[178, 194]], "Indicator: Trojan:Win32/Nivdort.A": [[195, 217]], "Indicator: Trojan.Kazy.DC0934": [[218, 236]], "Indicator: Trojan/Win32.Nivdort.C1321145": [[237, 266]], "Indicator: Trojan.Win32.Bayrob": [[267, 286]], 
"Indicator: W32/Bayrob.BL!tr": [[287, 303]], "Indicator: Win32/Trojan.f19": [[304, 320]]}, "info": {"id": "cyner2_5class_train_01855", "source": "cyner2_5class_train"}} +{"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261, and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege EOP zero-day CVE-2017-0263.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: EPS zero-day": [[107, 119], [166, 178]], "Indicator: CVE-2017-0261,": [[120, 134]], "Indicator: CVE-2017-0262": [[179, 192]], "Vulnerability: Escalation of Privilege EOP zero-day": [[210, 246]], "Indicator: CVE-2017-0263.": [[247, 261]]}, "info": {"id": "cyner2_5class_train_01856", "source": "cyner2_5class_train"}} +{"text": "However , the persistent presence of Italian language both on the Google Play Store pages as well as inside the spyware code was a clear sign that an Italian actor was behind the creation of this platform .", "spans": {"System: Google Play": [[66, 77]]}, "info": {"id": "cyner2_5class_train_01857", "source": "cyner2_5class_train"}} +{"text": "Microsoft ’ s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks , as well as provide more tools to detect and respond to threats across domains and across platforms .", "spans": {"Organization: Microsoft": [[0, 9]]}, "info": {"id": "cyner2_5class_train_01858", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9946 Trojan.Win32.Shifu.aoc Packed.Win32.TDSS.~AA Packed:W32/PeCan.A FDOS.Chalcol BehavesLike.Win32.Virut.cc Dos.Chalcol.a DoS:Win32/Chalcol.A Trojan.Win32.Shifu.aoc DoS.Chalcol Win32/DoS.Chalcol.A Win32.Trojan.Chalcol.Wpsv DoS.Win32.Chalcol Win32/Trojan.DoS.0cc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9946": [[26, 68]], 
"Indicator: Trojan.Win32.Shifu.aoc": [[69, 91], [207, 229]], "Indicator: Packed.Win32.TDSS.~AA": [[92, 113]], "Indicator: Packed:W32/PeCan.A": [[114, 132]], "Indicator: FDOS.Chalcol": [[133, 145]], "Indicator: BehavesLike.Win32.Virut.cc": [[146, 172]], "Indicator: Dos.Chalcol.a": [[173, 186]], "Indicator: DoS:Win32/Chalcol.A": [[187, 206]], "Indicator: DoS.Chalcol": [[230, 241]], "Indicator: Win32/DoS.Chalcol.A": [[242, 261]], "Indicator: Win32.Trojan.Chalcol.Wpsv": [[262, 287]], "Indicator: DoS.Win32.Chalcol": [[288, 305]], "Indicator: Win32/Trojan.DoS.0cc": [[306, 326]]}, "info": {"id": "cyner2_5class_train_01859", "source": "cyner2_5class_train"}} +{"text": "Figure 5 : core module mixes malicious payload with the original application While decompiling the original app , “ Agent Smith ” has the opportunity to modify the methods inside , replace some of the methods in the original application that handles advertisement with its own code and focus on methods communicating with ‘ AdMob ’ , ‘ Facebook ’ , ‘ MoPub ’ and ‘ Unity Ads ’ .", "spans": {"Malware: Agent Smith": [[116, 127]], "System: AdMob": [[324, 329]], "System: Facebook": [[336, 344]], "System: MoPub": [[351, 356]], "System: Unity Ads": [[365, 374]]}, "info": {"id": "cyner2_5class_train_01860", "source": "cyner2_5class_train"}} +{"text": "Extract the address book .", "spans": {"System: address book": [[12, 24]]}, "info": {"id": "cyner2_5class_train_01861", "source": "cyner2_5class_train"}} +{"text": "The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible .", "spans": {"Malware: Charger": [[18, 25]], "System: Google Play": [[119, 130]]}, "info": {"id": "cyner2_5class_train_01862", "source": "cyner2_5class_train"}} +{"text": "However , the security of these stores and the apps they sell aren ’ t always verified .", "spans": {}, "info": {"id": "cyner2_5class_train_01863", "source": "cyner2_5class_train"}} 
+{"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is being dynamically loaded adding the additional malicious capabilities .", "spans": {}, "info": {"id": "cyner2_5class_train_01864", "source": "cyner2_5class_train"}} +{"text": "Then , it will add the result of the public method localDate.getTime ( ) , which simply gets the current date .", "spans": {}, "info": {"id": "cyner2_5class_train_01865", "source": "cyner2_5class_train"}} +{"text": "This vulnerability allows an attacker to escape the Internet Explorer sandbox with a VBScript script and execute an arbitrary binary file downloaded from the Internet.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Indicator: attacker": [[29, 37]], "System: Internet Explorer sandbox": [[52, 77]], "Indicator: VBScript script": [[85, 100]], "Malware: arbitrary binary file": [[116, 137]]}, "info": {"id": "cyner2_5class_train_01866", "source": "cyner2_5class_train"}} +{"text": "Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved.", "spans": {"Malware: HDDCryptor": [[43, 53]], "Malware: ransomware": [[100, 110]]}, "info": {"id": "cyner2_5class_train_01867", "source": "cyner2_5class_train"}} +{"text": "In a previous campaign reported by JPCERT , mobile users were alerted by phishy messages containing “ delivery updates ” purportedly from Sagawa Express .", "spans": {"Organization: JPCERT": [[35, 41]], "Organization: Sagawa Express": [[138, 152]]}, "info": {"id": "cyner2_5class_train_01868", "source": "cyner2_5class_train"}} +{"text": "Figure 11 : ‘ Agent Smith ’ uses man-in-disk to install the malicious update Technical Analysis – Boot Module The “ boot ” module is basically another “ loader ” module , but this time it ’ s executed in the infected application .", "spans": {"Malware: Agent Smith": [[14, 25]], "Vulnerability: man-in-disk": [[33, 44]]}, "info": 
{"id": "cyner2_5class_train_01869", "source": "cyner2_5class_train"}} +{"text": "While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of these malware capabilities overlap with generic information stealing trojans such as Flokibot that obtain and exfiltrate HTTPS GET and POST data and other materials from compromised machines.", "spans": {"Malware: malware families": [[30, 46]], "Vulnerability: unencrypted process memory": [[59, 85]], "Malware: malware": [[117, 124]], "Malware: trojans": [[180, 187]], "Malware: Flokibot": [[196, 204]], "Indicator: exfiltrate HTTPS GET and POST data": [[221, 255]], "System: compromised machines.": [[281, 302]]}, "info": {"id": "cyner2_5class_train_01870", "source": "cyner2_5class_train"}} +{"text": "Magnitude EK is notorious for distributing the Cerber ransomware specifically to certain geolocations, and in particular South Korea, via its own gate, called Magnigate.", "spans": {"Malware: Magnitude EK": [[0, 12]], "Malware: the Cerber ransomware": [[43, 64]], "Organization: Magnigate.": [[159, 169]]}, "info": {"id": "cyner2_5class_train_01871", "source": "cyner2_5class_train"}} +{"text": "In the native library , it stores the strings to access the SMS API .", "spans": {}, "info": {"id": "cyner2_5class_train_01872", "source": "cyner2_5class_train"}} +{"text": "During our extended threat hunting , we uncovered 11 apps on the Google Play store that contain a malicious yet dormant SDK related to “ Agent Smith ” actor .", "spans": {"System: Google Play store": [[65, 82]], "Malware: Agent Smith": [[137, 148]]}, "info": {"id": "cyner2_5class_train_01873", "source": "cyner2_5class_train"}} +{"text": "Office 365 ATP blocks unsafe attachments , malicious links , and linked-to files using time-of-click protection .", "spans": {"System: Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner2_5class_train_01874", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.Bepush.H3 Dropper.Dapato.Win32.26115 Win32.Trojan.WisdomEyes.16070401.9500.9850 TROJ_BEPUSH_EK040412.UVPM Trojan.Win32.Dapato.dzszpp Trojan.Win32.Z.Bepush.943616.C Trojan.DownLoader14.14903 TROJ_BEPUSH_EK040412.UVPM BehavesLike.Win32.Backdoor.dh Trojan.Win32.Bepush TR/Dropper.A.7849 MSIL/Dropper.UTIT!tr Trojan[Dropper]/Win32.Dapato Trojan.Zusy.D262FF Trojan:MSIL/Bepush.H TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Hsik Trojan.DR.Dapato!MYHy5uvhZGg Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bepush.H3": [[26, 42]], "Indicator: Dropper.Dapato.Win32.26115": [[43, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9850": [[70, 112]], "Indicator: TROJ_BEPUSH_EK040412.UVPM": [[113, 138], [223, 248]], "Indicator: Trojan.Win32.Dapato.dzszpp": [[139, 165]], "Indicator: Trojan.Win32.Z.Bepush.943616.C": [[166, 196]], "Indicator: Trojan.DownLoader14.14903": [[197, 222]], "Indicator: BehavesLike.Win32.Backdoor.dh": [[249, 278]], "Indicator: Trojan.Win32.Bepush": [[279, 298]], "Indicator: TR/Dropper.A.7849": [[299, 316]], "Indicator: MSIL/Dropper.UTIT!tr": [[317, 337]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[338, 366]], "Indicator: Trojan.Zusy.D262FF": [[367, 385]], "Indicator: Trojan:MSIL/Bepush.H": [[386, 406]], "Indicator: TrojanDropper.Dapato": [[407, 427]], "Indicator: Win32.Trojan-dropper.Dapato.Hsik": [[428, 460]], "Indicator: Trojan.DR.Dapato!MYHy5uvhZGg": [[461, 489]], "Indicator: Trj/CI.A": [[490, 498]]}, "info": {"id": "cyner2_5class_train_01875", "source": "cyner2_5class_train"}} +{"text": "Talos first analyzed this threat in our 2020 blog post, highlighting its large repertoire of modules, multiple methods of spreading, and continuous development.", "spans": {"Organization: Talos": [[0, 5]], "Malware: threat": [[26, 32]], "Malware: repertoire of modules,": [[79, 101]], "Indicator: methods of spreading,": [[111, 132]]}, "info": {"id": "cyner2_5class_train_01876", "source": "cyner2_5class_train"}} +{"text": "Error 
when trying to debug the malware using the Android Studio IDE .", "spans": {"System: Android Studio IDE": [[49, 67]]}, "info": {"id": "cyner2_5class_train_01877", "source": "cyner2_5class_train"}} +{"text": "In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization SEO to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan.", "spans": {"System: Search Engine Optimization SEO": [[89, 119]], "Organization: users": [[212, 217]], "Malware: the Zeus Panda banking Trojan.": [[223, 253]]}, "info": {"id": "cyner2_5class_train_01878", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9976 Trojan.Farfli Win32/Covesmer.AT TROJ_FARFLI.XM Html.Trojan.RootkitVimponey-1 TrojanDownloader:Win32/Vimponey.A Trojan.Win32.Downloader.56320.BV Trojan.NtRootKit.2772 TROJ_FARFLI.XM Trojan.Graftor.D2B9F3 TScope.Malware-Cryptor.SB Win32/Trojan.d21", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9976": [[26, 68]], "Indicator: Trojan.Farfli": [[69, 82]], "Indicator: Win32/Covesmer.AT": [[83, 100]], "Indicator: TROJ_FARFLI.XM": [[101, 115], [235, 249]], "Indicator: Html.Trojan.RootkitVimponey-1": [[116, 145]], "Indicator: TrojanDownloader:Win32/Vimponey.A": [[146, 179]], "Indicator: Trojan.Win32.Downloader.56320.BV": [[180, 212]], "Indicator: Trojan.NtRootKit.2772": [[213, 234]], "Indicator: Trojan.Graftor.D2B9F3": [[250, 271]], "Indicator: TScope.Malware-Cryptor.SB": [[272, 297]], "Indicator: Win32/Trojan.d21": [[298, 314]]}, "info": {"id": "cyner2_5class_train_01879", "source": "cyner2_5class_train"}} +{"text": "In the end, I bring considerations and reflections on OTP Tokens effectiveness as a second factor authentication solution.", "spans": {}, "info": {"id": "cyner2_5class_train_01880", "source": "cyner2_5class_train"}} +{"text": "We have discovered 
apps using AES , Blowfish , and DES as well as combinations of these to encrypt their strings .", "spans": {}, "info": {"id": "cyner2_5class_train_01881", "source": "cyner2_5class_train"}} +{"text": "The chat details , WhatsApp records , messengers and SMSs of the world carry some sensitive information which people often forget when communicating with their devices .", "spans": {"System: WhatsApp": [[19, 27]]}, "info": {"id": "cyner2_5class_train_01882", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.Interlac.1.0.B Trojan-Dropper.Win32.Interlac.10!O TrojanDropper.Interlac Dropper.Interlac.Win32.61 Trojan/Dropper.Interlac.10.b TROJ_INTERLAC.B W32/Trojan.PMPA-6139 Win32/Interlaced.10.B Win.Dropper.Delf-619 Backdoor.Bifrose Backdoor.Win32.Bifrose.te Trojan.Dropper.Interlac.1.0.B Trojan.Win32.Delf.hitv Backdoor.Win32.Bifrose.23040.R TrojWare.Win32.TrojanDropper.Interlac.B Trojan.KillFiles Trojan-Dropper.Win32.Interlac.B W32/Trojan.FIF TrojanDropper.Interlac.10.b TR/Drop.Inte.10.b.3 Trojan[Backdoor]/MSIL.Bladabindi.as TrojanDropper:Win32/Interlac.B Trojan.Dropper.Interlac.1.0.B Backdoor.Win32.Bifrose.te Trojan.Dropper.Interlac.1.0.B Trojan/Win32.KillFiles.C37985 Trojan.Dropper.Interlac.1.0.B Trojan.Dropper.Interlac.1.0.B Trj/Interlac.A Win32/TrojanDropper.Interlac.10.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.Interlac.1.0.B": [[26, 55], [292, 321], [595, 624], [651, 680], [711, 740], [741, 770]], "Indicator: Trojan-Dropper.Win32.Interlac.10!O": [[56, 90]], "Indicator: TrojanDropper.Interlac": [[91, 113]], "Indicator: Dropper.Interlac.Win32.61": [[114, 139]], "Indicator: Trojan/Dropper.Interlac.10.b": [[140, 168]], "Indicator: TROJ_INTERLAC.B": [[169, 184]], "Indicator: W32/Trojan.PMPA-6139": [[185, 205]], "Indicator: Win32/Interlaced.10.B": [[206, 227]], "Indicator: Win.Dropper.Delf-619": [[228, 248]], "Indicator: Backdoor.Bifrose": [[249, 265]], "Indicator: Backdoor.Win32.Bifrose.te": [[266, 291], 
[625, 650]], "Indicator: Trojan.Win32.Delf.hitv": [[322, 344]], "Indicator: Backdoor.Win32.Bifrose.23040.R": [[345, 375]], "Indicator: TrojWare.Win32.TrojanDropper.Interlac.B": [[376, 415]], "Indicator: Trojan.KillFiles": [[416, 432]], "Indicator: Trojan-Dropper.Win32.Interlac.B": [[433, 464]], "Indicator: W32/Trojan.FIF": [[465, 479]], "Indicator: TrojanDropper.Interlac.10.b": [[480, 507]], "Indicator: TR/Drop.Inte.10.b.3": [[508, 527]], "Indicator: Trojan[Backdoor]/MSIL.Bladabindi.as": [[528, 563]], "Indicator: TrojanDropper:Win32/Interlac.B": [[564, 594]], "Indicator: Trojan/Win32.KillFiles.C37985": [[681, 710]], "Indicator: Trj/Interlac.A": [[771, 785]], "Indicator: Win32/TrojanDropper.Interlac.10.B": [[786, 819]]}, "info": {"id": "cyner2_5class_train_01883", "source": "cyner2_5class_train"}} +{"text": "It turns out , that Trojans behave quite the same way .", "spans": {}, "info": {"id": "cyner2_5class_train_01884", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Rycii.Worm Worm/W32.Nency.229376 Worm.Win32.VB!O Worm.VB.Win32.295 Trojan.Heur.EE8D5F Win32.Trojan.WisdomEyes.16070401.9500.9987 Win32/Shur.A WORM_VB.FNX Worm.Win32.VB.cj Trojan.Win32.VB.ntmf Worm.Win32.VB.229376.D Worm.Win32.VB.~FF Win32.HLLW.Brontok WORM_VB.FNX BehavesLike.Win32.Vilsel.dm Worm.Win32.VB Worm/VB.ca WORM/Bugus.A Worm/Win32.VB.cj Worm.VB.cj.kcloud Trojan:Win32/Brontok.A Worm.Win32.VB.cj Trojan.VBRA.08344 I-Worm.VB.CJ Win32.Worm.Vb.Pkhb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Rycii.Worm": [[26, 40]], "Indicator: Worm/W32.Nency.229376": [[41, 62]], "Indicator: Worm.Win32.VB!O": [[63, 78]], "Indicator: Worm.VB.Win32.295": [[79, 96]], "Indicator: Trojan.Heur.EE8D5F": [[97, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[116, 158]], "Indicator: Win32/Shur.A": [[159, 171]], "Indicator: WORM_VB.FNX": [[172, 183], [282, 293]], "Indicator: Worm.Win32.VB.cj": [[184, 200], [418, 434]], "Indicator: Trojan.Win32.VB.ntmf": [[201, 221]], 
"Indicator: Worm.Win32.VB.229376.D": [[222, 244]], "Indicator: Worm.Win32.VB.~FF": [[245, 262]], "Indicator: Win32.HLLW.Brontok": [[263, 281]], "Indicator: BehavesLike.Win32.Vilsel.dm": [[294, 321]], "Indicator: Worm.Win32.VB": [[322, 335]], "Indicator: Worm/VB.ca": [[336, 346]], "Indicator: WORM/Bugus.A": [[347, 359]], "Indicator: Worm/Win32.VB.cj": [[360, 376]], "Indicator: Worm.VB.cj.kcloud": [[377, 394]], "Indicator: Trojan:Win32/Brontok.A": [[395, 417]], "Indicator: Trojan.VBRA.08344": [[435, 452]], "Indicator: I-Worm.VB.CJ": [[453, 465]], "Indicator: Win32.Worm.Vb.Pkhb": [[466, 484]]}, "info": {"id": "cyner2_5class_train_01885", "source": "cyner2_5class_train"}} +{"text": "Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish Fake Update JavaScript packages.", "spans": {"Indicator: increase in the quantity of injection": [[19, 56]], "Malware: payloads": [[79, 87]], "Malware: the standard SocGholish Fake Update JavaScript packages.": [[103, 159]]}, "info": {"id": "cyner2_5class_train_01886", "source": "cyner2_5class_train"}} +{"text": "In addition we were also able to resolve the hosting IP 212.192.14.3 as well as the ASN AS39144 located in the United Kingdom to all registered domains.", "spans": {"Indicator: the hosting IP 212.192.14.3": [[41, 68]], "Indicator: ASN AS39144": [[84, 95]], "Indicator: registered domains.": [[133, 152]]}, "info": {"id": "cyner2_5class_train_01887", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9526 Win.Worm.VB-698 BehavesLike.Win32.Autorun.dt W32.W.Otwycal.l4av Win32/RiskWare.PEMalform.E Trojan-Banker.Win32.Bancos", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9526": [[26, 68]], "Indicator: Win.Worm.VB-698": [[69, 84]], "Indicator: BehavesLike.Win32.Autorun.dt": [[85, 113]], "Indicator: W32.W.Otwycal.l4av": [[114, 132]], "Indicator: 
Win32/RiskWare.PEMalform.E": [[133, 159]], "Indicator: Trojan-Banker.Win32.Bancos": [[160, 186]]}, "info": {"id": "cyner2_5class_train_01888", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Opanki.worm Backdoor.SDBot W32.W.Pakes!c Win32.Trojan.WisdomEyes.16070401.9500.9915 W32/Opanki.AY Backdoor.Sdbot Win.Trojan.Pakes-927 Backdoor.Win32.IRCBot.cq Trojan.Win32.Pakes.flbf Worm.Win32.IM-Pakes.150528 Worm.Win32.Oscarbot.BL BackDoor.IRC.Sdbot.170 Worm.Pakes.Win32.1 BehavesLike.Win32.Sdbot.cc W32/Opanki.NEXW-4186 Backdoor/IRCBot.etu WORM/Pakes.A Worm.Pakes.kcloud Backdoor.Win32.IRCBot.cq Worm/Win32.IRCBot.C2420 SScope.Backdoor.Sdbot Backdoor.SDBot Trj/Pakes.EB Win32/Oscarbot.BL Win32.Worm-im.Pakes.Aexo Worm.IRCBot!NcS/fGqoMio Backdoor.Win32.Aimbot W32/Opanki!worm.im", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Opanki.worm": [[26, 41]], "Indicator: Backdoor.SDBot": [[42, 56], [475, 489]], "Indicator: W32.W.Pakes!c": [[57, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9915": [[71, 113]], "Indicator: W32/Opanki.AY": [[114, 127]], "Indicator: Backdoor.Sdbot": [[128, 142]], "Indicator: Win.Trojan.Pakes-927": [[143, 163]], "Indicator: Backdoor.Win32.IRCBot.cq": [[164, 188], [404, 428]], "Indicator: Trojan.Win32.Pakes.flbf": [[189, 212]], "Indicator: Worm.Win32.IM-Pakes.150528": [[213, 239]], "Indicator: Worm.Win32.Oscarbot.BL": [[240, 262]], "Indicator: BackDoor.IRC.Sdbot.170": [[263, 285]], "Indicator: Worm.Pakes.Win32.1": [[286, 304]], "Indicator: BehavesLike.Win32.Sdbot.cc": [[305, 331]], "Indicator: W32/Opanki.NEXW-4186": [[332, 352]], "Indicator: Backdoor/IRCBot.etu": [[353, 372]], "Indicator: WORM/Pakes.A": [[373, 385]], "Indicator: Worm.Pakes.kcloud": [[386, 403]], "Indicator: Worm/Win32.IRCBot.C2420": [[429, 452]], "Indicator: SScope.Backdoor.Sdbot": [[453, 474]], "Indicator: Trj/Pakes.EB": [[490, 502]], "Indicator: Win32/Oscarbot.BL": [[503, 520]], "Indicator: Win32.Worm-im.Pakes.Aexo": [[521, 545]], "Indicator: 
Worm.IRCBot!NcS/fGqoMio": [[546, 569]], "Indicator: Backdoor.Win32.Aimbot": [[570, 591]], "Indicator: W32/Opanki!worm.im": [[592, 610]]}, "info": {"id": "cyner2_5class_train_01889", "source": "cyner2_5class_train"}} +{"text": "At the time of that discovery, the latest versions we had seen were 1.5.x, months before.", "spans": {}, "info": {"id": "cyner2_5class_train_01890", "source": "cyner2_5class_train"}} +{"text": "Once this malware was detected on a device , Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution ( MobileIron ) managing the affected devices automatically , thereby blocking enterprise access from the infected devices .", "spans": {"System: Mobile Threat Prevention": [[45, 69]]}, "info": {"id": "cyner2_5class_train_01891", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/PSW.Sagic.15.d Win32/PSW.Sagic.15.D W32/Packed_Mew.C TSPY_SAGIC.X Win32.Stration Trojan.Spy-6657 TrojWare.Win32.PSW.Sagic.D Trojan.DownLoader.5739 TR/PSW.Sagic.F Win32/Sagic.F PWS:Win32/Sagic.F Trojan.PSW.Sagic.15.e W32/Sagic.D!tr.pws Trj/Sagic.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/PSW.Sagic.15.d": [[26, 47]], "Indicator: Win32/PSW.Sagic.15.D": [[48, 68]], "Indicator: W32/Packed_Mew.C": [[69, 85]], "Indicator: TSPY_SAGIC.X": [[86, 98]], "Indicator: Win32.Stration": [[99, 113]], "Indicator: Trojan.Spy-6657": [[114, 129]], "Indicator: TrojWare.Win32.PSW.Sagic.D": [[130, 156]], "Indicator: Trojan.DownLoader.5739": [[157, 179]], "Indicator: TR/PSW.Sagic.F": [[180, 194]], "Indicator: Win32/Sagic.F": [[195, 208]], "Indicator: PWS:Win32/Sagic.F": [[209, 226]], "Indicator: Trojan.PSW.Sagic.15.e": [[227, 248]], "Indicator: W32/Sagic.D!tr.pws": [[249, 267]], "Indicator: Trj/Sagic.L": [[268, 279]]}, "info": {"id": "cyner2_5class_train_01892", "source": "cyner2_5class_train"}} +{"text": "The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by 
the bot .", "spans": {}, "info": {"id": "cyner2_5class_train_01893", "source": "cyner2_5class_train"}} +{"text": "This is the first time that we have seen Cerber distributed via the use of WSFs.", "spans": {"Malware: Cerber": [[41, 47]], "Indicator: via the use of WSFs.": [[60, 80]]}, "info": {"id": "cyner2_5class_train_01894", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Goicu.A BackDoor-ANF.cli BKDR_NETTROJAN.A BKDR_NETTROJAN.A Win.Trojan.Nettrojan-1 Backdoor.Goicu.A Backdoor.Win32.NetTrojan Backdoor.Goicu.A Trojan.Win32.NetTrojan.bhgtue Backdoor.Win32.NetTrojan.518144 Backdoor.W32.NetTroj!c Backdoor.Goicu.A Backdoor.Win32.DNetTrojan.A Backdoor.Goicu.A Backdoor.NetTrojan.Win32.4 BackDoor-ANF.cli W32/Risk.VTVG-6810 Trojan/NetTrojan.c BDC/NetTrojan.Cli Trojan[Backdoor]/Win32.NetTrojan Backdoor.Goicu.A Backdoor.Win32.NetTrojan Backdoor.Goicu.A Win32/DNetTrojan.A Win32.Backdoor.Nettrojan.Tcmd Backdoor.ANF.A W32/BDoor.NetTrojan!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Goicu.A": [[26, 42], [117, 133], [159, 175], [261, 277], [306, 322], [456, 472], [498, 514]], "Indicator: BackDoor-ANF.cli": [[43, 59], [350, 366]], "Indicator: BKDR_NETTROJAN.A": [[60, 76], [77, 93]], "Indicator: Win.Trojan.Nettrojan-1": [[94, 116]], "Indicator: Backdoor.Win32.NetTrojan": [[134, 158], [473, 497]], "Indicator: Trojan.Win32.NetTrojan.bhgtue": [[176, 205]], "Indicator: Backdoor.Win32.NetTrojan.518144": [[206, 237]], "Indicator: Backdoor.W32.NetTroj!c": [[238, 260]], "Indicator: Backdoor.Win32.DNetTrojan.A": [[278, 305]], "Indicator: Backdoor.NetTrojan.Win32.4": [[323, 349]], "Indicator: W32/Risk.VTVG-6810": [[367, 385]], "Indicator: Trojan/NetTrojan.c": [[386, 404]], "Indicator: BDC/NetTrojan.Cli": [[405, 422]], "Indicator: Trojan[Backdoor]/Win32.NetTrojan": [[423, 455]], "Indicator: Win32/DNetTrojan.A": [[515, 533]], "Indicator: Win32.Backdoor.Nettrojan.Tcmd": [[534, 563]], "Indicator: Backdoor.ANF.A": [[564, 578]], "Indicator: 
W32/BDoor.NetTrojan!tr": [[579, 601]]}, "info": {"id": "cyner2_5class_train_01895", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D36A22 Win32.Trojan.WisdomEyes.16070401.9500.9942 Backdoor:MSIL/Draliz.A Trj/GdSda.A PUA.MSIL.NetSeal", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D36A22": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9942": [[45, 87]], "Indicator: Backdoor:MSIL/Draliz.A": [[88, 110]], "Indicator: Trj/GdSda.A": [[111, 122]], "Indicator: PUA.MSIL.NetSeal": [[123, 139]]}, "info": {"id": "cyner2_5class_train_01896", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.KotispaLTL.Trojan Trojan/Glupteba.ao W32/Trojan2.PAMI HT_GLUPTEBA_GA310456.UVPM Win32.Trojan-Downloader.Glupteba.A Trojan.Win32.Glupteba.egxnjb Trojan.Glupteba.Win32.3453 HT_GLUPTEBA_GA310456.UVPM W32/Trojan.NEJE-6779 TrojanProxy.Glupteba.vg TR/ATRAPS.hbngn Trojan[Proxy]/Win32.Glupteba Trojan.Zusy.D33746 Trojan/Win32.Glupteba.C1592487 TrojanProxy.Glupteba Trj/GdSda.A Trojan.PR.Glupteba! 
Trojan.Win32.Glupteba W32/Glupteba.AO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KotispaLTL.Trojan": [[26, 47]], "Indicator: Trojan/Glupteba.ao": [[48, 66]], "Indicator: W32/Trojan2.PAMI": [[67, 83]], "Indicator: HT_GLUPTEBA_GA310456.UVPM": [[84, 109], [201, 226]], "Indicator: Win32.Trojan-Downloader.Glupteba.A": [[110, 144]], "Indicator: Trojan.Win32.Glupteba.egxnjb": [[145, 173]], "Indicator: Trojan.Glupteba.Win32.3453": [[174, 200]], "Indicator: W32/Trojan.NEJE-6779": [[227, 247]], "Indicator: TrojanProxy.Glupteba.vg": [[248, 271]], "Indicator: TR/ATRAPS.hbngn": [[272, 287]], "Indicator: Trojan[Proxy]/Win32.Glupteba": [[288, 316]], "Indicator: Trojan.Zusy.D33746": [[317, 335]], "Indicator: Trojan/Win32.Glupteba.C1592487": [[336, 366]], "Indicator: TrojanProxy.Glupteba": [[367, 387]], "Indicator: Trj/GdSda.A": [[388, 399]], "Indicator: Trojan.PR.Glupteba!": [[400, 419]], "Indicator: Trojan.Win32.Glupteba": [[420, 441]], "Indicator: W32/Glupteba.AO!tr": [[442, 460]]}, "info": {"id": "cyner2_5class_train_01897", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sabresac.A5 Adware.Elex Trojan.Sabres.Win32.1 Troj.W32.Excalibur.tnrv Trojan/Sabresac.a Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Sabres.h TrojWare.Win32.Excalibur.A BehavesLike.Win32.Adware.fm Adware.Elex/Variant Trojan.Win32.Sabres.h Trojan.Excalibur Trj/GdSda.A Trojan.Zusy.D2E5F4 Win32.Trojan.Sabres.Aenw Trojan.Win32.Sabresac Win32/Trojan.6a0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sabresac.A5": [[26, 44]], "Indicator: Adware.Elex": [[45, 56]], "Indicator: Trojan.Sabres.Win32.1": [[57, 78]], "Indicator: Troj.W32.Excalibur.tnrv": [[79, 102]], "Indicator: Trojan/Sabresac.a": [[103, 120]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[121, 163]], "Indicator: Trojan.Win32.Sabres.h": [[164, 185], [261, 282]], "Indicator: TrojWare.Win32.Excalibur.A": [[186, 212]], "Indicator: BehavesLike.Win32.Adware.fm": [[213, 
240]], "Indicator: Adware.Elex/Variant": [[241, 260]], "Indicator: Trojan.Excalibur": [[283, 299]], "Indicator: Trj/GdSda.A": [[300, 311]], "Indicator: Trojan.Zusy.D2E5F4": [[312, 330]], "Indicator: Win32.Trojan.Sabres.Aenw": [[331, 355]], "Indicator: Trojan.Win32.Sabresac": [[356, 377]], "Indicator: Win32/Trojan.6a0": [[378, 394]]}, "info": {"id": "cyner2_5class_train_01898", "source": "cyner2_5class_train"}} +{"text": "As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.", "spans": {"Malware: malware": [[43, 50]]}, "info": {"id": "cyner2_5class_train_01899", "source": "cyner2_5class_train"}} +{"text": "In recent years, the AgentTesla secret-stealing Trojan has continued to be active, and Antiy CERT has repeatedly monitored attacks targeting domestic government, enterprise institutions, and colleges and universities to deliver this secret-stealing Trojan.", "spans": {"Malware: the AgentTesla secret-stealing Trojan": [[17, 54]], "Organization: Antiy CERT": [[87, 97]], "Indicator: attacks": [[123, 130]], "Organization: domestic government, enterprise institutions,": [[141, 186]], "Organization: colleges": [[191, 199]], "Organization: universities": [[204, 216]], "Malware: secret-stealing Trojan.": [[233, 256]]}, "info": {"id": "cyner2_5class_train_01900", "source": "cyner2_5class_train"}} +{"text": "Click fraud apps The authors ' tactics evolved from advertisement spam to real PHA ( Click Fraud ) .", "spans": {}, "info": {"id": "cyner2_5class_train_01901", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.Q Win.Trojan.Virut-377 Virus.Win32.Virut.q Virus.Win32.Virut.hpeg W32.Virut.l5he Virus.Win32.Virut.Ce Win32.Virut.5 PE_VIRUX.Q Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus:Win32/Virut.BN Virus.Win32.Virut.q Win32/Virut.F 
Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.DsBot W32/Virut.CE W32/Sality.AO Win32/Virus.VirutChangeEntry.H", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.1938": [[73, 95]], "Indicator: W32.Virut.CF": [[96, 108]], "Indicator: Win32/Virut.17408": [[109, 126]], "Indicator: PE_VIRUX.Q": [[127, 137], [252, 262]], "Indicator: Win.Trojan.Virut-377": [[138, 158]], "Indicator: Virus.Win32.Virut.q": [[159, 178], [341, 360]], "Indicator: Virus.Win32.Virut.hpeg": [[179, 201]], "Indicator: W32.Virut.l5he": [[202, 216]], "Indicator: Virus.Win32.Virut.Ce": [[217, 237]], "Indicator: Win32.Virut.5": [[238, 251]], "Indicator: Win32/Virut.bn": [[263, 277]], "Indicator: Virus/Win32.Virut.ce": [[278, 298]], "Indicator: Win32.Virut.cr.61440": [[299, 319]], "Indicator: Virus:Win32/Virut.BN": [[320, 340]], "Indicator: Win32/Virut.F": [[361, 374]], "Indicator: Virus.Virut.13": [[375, 389]], "Indicator: Win32/Virut.NBP": [[390, 405]], "Indicator: Backdoor.Win32.DsBot": [[406, 426]], "Indicator: W32/Virut.CE": [[427, 439]], "Indicator: W32/Sality.AO": [[440, 453]], "Indicator: Win32/Virus.VirutChangeEntry.H": [[454, 484]]}, "info": {"id": "cyner2_5class_train_01902", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MspassHDK.Trojan Abuse-Worry/W32.Messen.64000 PSWTool.Win32.Messen!O Trojan.Passviewc Win32.Trojan.WisdomEyes.16070401.9500.9571 W32/Trojan.RJEU-3073 not-a-virus:HEUR:PSWTool.Win32.PassView.c Riskware.Win32.Messen.wcor Trojan.Inject1.34913 Tool.Messen.Win32.113 W32/Trojan2.GXAC TrojanDropper.Injector.bilf Trojan[PSWTool]/Win32.Messen Application.Heur.ED65B4 Trojan.Win32.PSWIMMultiPass.61996 not-a-virus:HEUR:PSWTool.Win32.PassView.c Unwanted/Win32.Messenpass.R46038 PUP.Optional.MessenPass Riskware.PSWTool! 
Win32/Application.BO.08a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MspassHDK.Trojan": [[26, 46]], "Indicator: Abuse-Worry/W32.Messen.64000": [[47, 75]], "Indicator: PSWTool.Win32.Messen!O": [[76, 98]], "Indicator: Trojan.Passviewc": [[99, 115]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9571": [[116, 158]], "Indicator: W32/Trojan.RJEU-3073": [[159, 179]], "Indicator: not-a-virus:HEUR:PSWTool.Win32.PassView.c": [[180, 221], [424, 465]], "Indicator: Riskware.Win32.Messen.wcor": [[222, 248]], "Indicator: Trojan.Inject1.34913": [[249, 269]], "Indicator: Tool.Messen.Win32.113": [[270, 291]], "Indicator: W32/Trojan2.GXAC": [[292, 308]], "Indicator: TrojanDropper.Injector.bilf": [[309, 336]], "Indicator: Trojan[PSWTool]/Win32.Messen": [[337, 365]], "Indicator: Application.Heur.ED65B4": [[366, 389]], "Indicator: Trojan.Win32.PSWIMMultiPass.61996": [[390, 423]], "Indicator: Unwanted/Win32.Messenpass.R46038": [[466, 498]], "Indicator: PUP.Optional.MessenPass": [[499, 522]], "Indicator: Riskware.PSWTool!": [[523, 540]], "Indicator: Win32/Application.BO.08a": [[541, 565]]}, "info": {"id": "cyner2_5class_train_01903", "source": "cyner2_5class_train"}} +{"text": "The code to load the main module dynamically can also be seen statically .", "spans": {}, "info": {"id": "cyner2_5class_train_01904", "source": "cyner2_5class_train"}} +{"text": "Keep in mind that while this case is about TANs , it can be any OTP , depending on which bank is being targeted .", "spans": {}, "info": {"id": "cyner2_5class_train_01905", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLT031012KGHN.Worm Worm.Win32.AutoRun!O Trojan.Finodes.BB5 W32/Autorun.worm.ht Worm.AutoRun Worm.AutoRun.Win32.46218 Trojan.Strictor.DEE4 W32.SillyFDC Win.Worm.Autorun-10000 Worm.Win32.AutoRun.cxps Trojan.Win32.AutoRun.rfaml Worm.Win32.A.AutoRun.117760.W Trojan.Win32.FakeFolder.bbc Win32.HLLW.Autoruner1.889 BehavesLike.Win32.PWSZbot.dz Worm/AutoRun.ahpl TR/Finodes.B.406 
Worm/Win32.AutoRun Trojan:Win32/Finodes.B Worm.Win32.AutoRun.cxps Worm/Win32.AutoRun.R22156 Worm.AutoRun Trojan.Zusy Worm.AutoRun!7DcK6jk8E7A Worm.Win32.AutoRun W32/Autorun.CXP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLT031012KGHN.Worm": [[26, 54]], "Indicator: Worm.Win32.AutoRun!O": [[55, 75]], "Indicator: Trojan.Finodes.BB5": [[76, 94]], "Indicator: W32/Autorun.worm.ht": [[95, 114]], "Indicator: Worm.AutoRun": [[115, 127], [501, 513]], "Indicator: Worm.AutoRun.Win32.46218": [[128, 152]], "Indicator: Trojan.Strictor.DEE4": [[153, 173]], "Indicator: W32.SillyFDC": [[174, 186]], "Indicator: Win.Worm.Autorun-10000": [[187, 209]], "Indicator: Worm.Win32.AutoRun.cxps": [[210, 233], [451, 474]], "Indicator: Trojan.Win32.AutoRun.rfaml": [[234, 260]], "Indicator: Worm.Win32.A.AutoRun.117760.W": [[261, 290]], "Indicator: Trojan.Win32.FakeFolder.bbc": [[291, 318]], "Indicator: Win32.HLLW.Autoruner1.889": [[319, 344]], "Indicator: BehavesLike.Win32.PWSZbot.dz": [[345, 373]], "Indicator: Worm/AutoRun.ahpl": [[374, 391]], "Indicator: TR/Finodes.B.406": [[392, 408]], "Indicator: Worm/Win32.AutoRun": [[409, 427]], "Indicator: Trojan:Win32/Finodes.B": [[428, 450]], "Indicator: Worm/Win32.AutoRun.R22156": [[475, 500]], "Indicator: Trojan.Zusy": [[514, 525]], "Indicator: Worm.AutoRun!7DcK6jk8E7A": [[526, 550]], "Indicator: Worm.Win32.AutoRun": [[551, 569]], "Indicator: W32/Autorun.CXP!tr": [[570, 588]]}, "info": {"id": "cyner2_5class_train_01906", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.P2P.Tibick.D W32/Tibick.d Worm.P2P.Tibick!vdEsmQVVXQU W32/Tibick.C@p2p W32.Tibick W32/Tibick.C Win32/Tibick.E WORM_TIBICK.F P2P-Worm.Win32.Tibick.d Win32.Worm.P2P.Tibick.D Worm.Win32.Tibick.36222 Worm.Win32.Tibick.D Win32.Worm.P2P.Tibick.D Win32.HLLW.Tibic Worm/Tibick.d WORM_TIBICK.F P2P-Worm.Win32.Tibick.D!IK Worm/P2P.Tibick.c Worm:Win32/Tibick.D Win32.Worm.P2P.Tibick.D W32/Tibick.C@p2p Win32/Tibick.worm.36248 Win32/Tibick.D 
Worm.P2p.Tibick.f P2P-Worm.Win32.Tibick.D W32/Tibick.C!worm.p2p Worm/Tibick.E W32/Tibick.B.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.P2P.Tibick.D": [[26, 49], [185, 208], [253, 276], [387, 410]], "Indicator: W32/Tibick.d": [[50, 62]], "Indicator: Worm.P2P.Tibick!vdEsmQVVXQU": [[63, 90]], "Indicator: W32/Tibick.C@p2p": [[91, 107], [411, 427]], "Indicator: W32.Tibick": [[108, 118]], "Indicator: W32/Tibick.C": [[119, 131]], "Indicator: Win32/Tibick.E": [[132, 146]], "Indicator: WORM_TIBICK.F": [[147, 160], [308, 321]], "Indicator: P2P-Worm.Win32.Tibick.d": [[161, 184]], "Indicator: Worm.Win32.Tibick.36222": [[209, 232]], "Indicator: Worm.Win32.Tibick.D": [[233, 252]], "Indicator: Win32.HLLW.Tibic": [[277, 293]], "Indicator: Worm/Tibick.d": [[294, 307]], "Indicator: P2P-Worm.Win32.Tibick.D!IK": [[322, 348]], "Indicator: Worm/P2P.Tibick.c": [[349, 366]], "Indicator: Worm:Win32/Tibick.D": [[367, 386]], "Indicator: Win32/Tibick.worm.36248": [[428, 451]], "Indicator: Win32/Tibick.D": [[452, 466]], "Indicator: Worm.P2p.Tibick.f": [[467, 484]], "Indicator: P2P-Worm.Win32.Tibick.D": [[485, 508]], "Indicator: W32/Tibick.C!worm.p2p": [[509, 530]], "Indicator: Worm/Tibick.E": [[531, 544]], "Indicator: W32/Tibick.B.worm": [[545, 562]]}, "info": {"id": "cyner2_5class_train_01907", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnlineGameWRAL.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9976 W32/Trojan.PUJS-2392 Win32/Cropo.A Win.Trojan.Small-7581 Trojan.KillProc.1539 W32/Trojan.BXFW Trj/SmallProxy.AB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlineGameWRAL.Trojan": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9976": [[52, 94]], "Indicator: W32/Trojan.PUJS-2392": [[95, 115]], "Indicator: Win32/Cropo.A": [[116, 129]], "Indicator: Win.Trojan.Small-7581": [[130, 151]], "Indicator: Trojan.KillProc.1539": [[152, 172]], "Indicator: W32/Trojan.BXFW": [[173, 188]], "Indicator: Trj/SmallProxy.AB": 
[[189, 206]]}, "info": {"id": "cyner2_5class_train_01908", "source": "cyner2_5class_train"}} +{"text": "This email was then forwarded to several people, with the malicious Excel file attached.", "spans": {"Indicator: email": [[5, 10]], "Indicator: forwarded": [[20, 29]], "Organization: several people,": [[33, 48]], "Malware: malicious": [[58, 67]], "Indicator: Excel file": [[68, 78]]}, "info": {"id": "cyner2_5class_train_01909", "source": "cyner2_5class_train"}} +{"text": "It is interesting to observe that the actual target list contains : 7 French banking apps 7 U.S. banking apps 1 Japanese banking app 15 non-banking apps This uncommon target list might either be the result of specific customer demand , or due to some actors having partially reused an existing target list .", "spans": {}, "info": {"id": "cyner2_5class_train_01910", "source": "cyner2_5class_train"}} +{"text": "It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware .", "spans": {"Malware: BusyGasper": [[22, 32]], "System: Android": [[86, 93]]}, "info": {"id": "cyner2_5class_train_01911", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.CB0B Backdoor.RCServ Backdoor.RCServ.Win32.44 Backdoor.W32.Rcserv!c Backdoor/RCServ.c Backdoor.RCServ Win.Trojan.RCServ-1 Backdoor.RCServ Backdoor.Win32.RCServ.c Trojan.Win32.RCServ.dmhw Backdoor.Win32.A.RCServ.404480[UPX] BackDoor.RC BehavesLike.Win32.Downloader.cc Backdoor:Win32/RCServ.C Backdoor.Win32.RCServ.c Bck/RCServ.L Win32.Backdoor.Rcserv.Lohl Backdoor.RCServ!QJAExtCJ+QQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.CB0B": [[26, 42]], "Indicator: Backdoor.RCServ": [[43, 58], [124, 139], [160, 175]], "Indicator: Backdoor.RCServ.Win32.44": [[59, 83]], "Indicator: Backdoor.W32.Rcserv!c": [[84, 105]], "Indicator: Backdoor/RCServ.c": [[106, 123]], "Indicator: Win.Trojan.RCServ-1": [[140, 159]], "Indicator: Backdoor.Win32.RCServ.c": [[176, 199], [329, 352]], 
"Indicator: Trojan.Win32.RCServ.dmhw": [[200, 224]], "Indicator: Backdoor.Win32.A.RCServ.404480[UPX]": [[225, 260]], "Indicator: BackDoor.RC": [[261, 272]], "Indicator: BehavesLike.Win32.Downloader.cc": [[273, 304]], "Indicator: Backdoor:Win32/RCServ.C": [[305, 328]], "Indicator: Bck/RCServ.L": [[353, 365]], "Indicator: Win32.Backdoor.Rcserv.Lohl": [[366, 392]], "Indicator: Backdoor.RCServ!QJAExtCJ+QQ": [[393, 420]]}, "info": {"id": "cyner2_5class_train_01912", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.PDF.AC Exp.SWF.CVE-2012-0754 Exploit.PDF.AC Trojan.Pidief SWF/Exploit.CVE-2011-0611.C TROJ_PIDIEF.SMBD Exploit.JS.Pdfka.dqw Exploit.PDF.AC PDF.Z.CVE-2011-0611.411562.A[h] Exploit.SWF.CVE-2011-0611.t Exploit.PDF.AC Exploit.PDF.AC Exploit.PDF.2177 HEUR_SWFEXP.W Exploit.CVE-2011-0611.g EXP/CVE-2011-0611.F Trojan[Exploit]/SWF.CVE-2011-0611.s Exploit:SWF/CVE-2011-0611.I Exploit.JS.Pdfka.dqw!c Exploit.JS.Pdfka.dqw Exploit.PDF.AC Exploit.PDF.AC Exploit.CVE2011-0611 Exploit.JS.Pdfka SWF/CVE20110611.fam!exploit Exploit_c.UAO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.PDF.AC": [[26, 40], [63, 77], [158, 172], [233, 247], [248, 262], [446, 460], [461, 475]], "Indicator: Exp.SWF.CVE-2012-0754": [[41, 62]], "Indicator: Trojan.Pidief": [[78, 91]], "Indicator: SWF/Exploit.CVE-2011-0611.C": [[92, 119]], "Indicator: TROJ_PIDIEF.SMBD": [[120, 136]], "Indicator: Exploit.JS.Pdfka.dqw": [[137, 157], [425, 445]], "Indicator: PDF.Z.CVE-2011-0611.411562.A[h]": [[173, 204]], "Indicator: Exploit.SWF.CVE-2011-0611.t": [[205, 232]], "Indicator: Exploit.PDF.2177": [[263, 279]], "Indicator: HEUR_SWFEXP.W": [[280, 293]], "Indicator: Exploit.CVE-2011-0611.g": [[294, 317]], "Indicator: EXP/CVE-2011-0611.F": [[318, 337]], "Indicator: Trojan[Exploit]/SWF.CVE-2011-0611.s": [[338, 373]], "Indicator: Exploit:SWF/CVE-2011-0611.I": [[374, 401]], "Indicator: Exploit.JS.Pdfka.dqw!c": [[402, 424]], "Indicator: Exploit.CVE2011-0611": [[476, 496]], 
"Indicator: Exploit.JS.Pdfka": [[497, 513]], "Indicator: SWF/CVE20110611.fam!exploit": [[514, 541]], "Indicator: Exploit_c.UAO": [[542, 555]]}, "info": {"id": "cyner2_5class_train_01913", "source": "cyner2_5class_train"}} +{"text": "To protect itself from being removed , Svpeng uses a previously unknown vulnerability in Android .", "spans": {"Malware: Svpeng": [[39, 45]], "System: Android": [[89, 96]]}, "info": {"id": "cyner2_5class_train_01914", "source": "cyner2_5class_train"}} +{"text": ") , and less screen real estate for victims to identify potential indicators of a threat .", "spans": {}, "info": {"id": "cyner2_5class_train_01915", "source": "cyner2_5class_train"}} +{"text": "Dyre is configured to defraud the customers of more than 1,000 banks and other companies worldwide.", "spans": {"Malware: Dyre": [[0, 4]], "Organization: customers": [[34, 43]], "Organization: banks": [[63, 68]], "Organization: companies": [[79, 88]]}, "info": {"id": "cyner2_5class_train_01916", "source": "cyner2_5class_train"}} +{"text": "This bootkit is not the first of this kind .", "spans": {}, "info": {"id": "cyner2_5class_train_01917", "source": "cyner2_5class_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner2_5class_train_01918", "source": "cyner2_5class_train"}} +{"text": "We previously outlined a spam campaign that delivered FAKEGLOBE and CERBER ransomwares.", "spans": {"Malware: FAKEGLOBE": [[54, 63]], "Malware: CERBER ransomwares.": [[68, 87]]}, "info": {"id": "cyner2_5class_train_01919", "source": "cyner2_5class_train"}} +{"text": "Among the various features we discuss in this post , we believe that TrickMo ’ s most significant novelty is an app recording feature , which gives it the ability to overcome the newer pushTAN app validations used by German banks .", "spans": {"Malware: TrickMo": [[69, 76]]}, "info": {"id": "cyner2_5class_train_01920", "source": "cyner2_5class_train"}} +{"text": "It is likely the vulnerability will be documented in full detail 
over the coming days.", "spans": {"Vulnerability: vulnerability": [[17, 30]]}, "info": {"id": "cyner2_5class_train_01921", "source": "cyner2_5class_train"}} +{"text": "It contains encrypted java archive “ start.ogg ” in the assets directory and dynamically loads code with dalvik.system.DexClassLoader .", "spans": {"Indicator: start.ogg": [[37, 46]], "Indicator: dalvik.system.DexClassLoader": [[105, 133]]}, "info": {"id": "cyner2_5class_train_01922", "source": "cyner2_5class_train"}} +{"text": "Back in February, the ThreatConnect team conducted an in-depth independent analysis of the Anthem breach, finding connections to amorphous Chinese APT activity.", "spans": {"Organization: ThreatConnect team": [[22, 40]], "Indicator: Anthem breach,": [[91, 105]], "Indicator: connections": [[114, 125]]}, "info": {"id": "cyner2_5class_train_01923", "source": "cyner2_5class_train"}} +{"text": "Haima exactly does that, and more.", "spans": {"Malware: Haima": [[0, 5]]}, "info": {"id": "cyner2_5class_train_01924", "source": "cyner2_5class_train"}} +{"text": "] cendata [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01925", "source": "cyner2_5class_train"}} +{"text": "This study on an active campaign delves into the structure, goals, and requirements of the organizations involved, and provides an opportunity to conduct wider intelligence analysis and insights in the development of effective countermeasures.", "spans": {"Organization: organizations": [[91, 104]]}, "info": {"id": "cyner2_5class_train_01926", "source": "cyner2_5class_train"}} +{"text": "Static analysis tools like IDA may not be useful in analyzing custom code that is interpreted and executed through a VM and a new set of instructions .", "spans": {}, "info": {"id": "cyner2_5class_train_01927", "source": "cyner2_5class_train"}} +{"text": "Initializing the BroadcastReceiver against system events From this point on , the malware execution is driven by callback functions that are triggered on system events like 
connectivity change , unlocking the phone , elapsed time interval , and others .", "spans": {}, "info": {"id": "cyner2_5class_train_01928", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Tearsp.AA2 Trojan/Downloader.Small.ahu Win32/Startpage.MF TROJ_SMALL_00000cc.TOMA Win.Trojan.Startpage-37 Trojan-Notifier.Win32.Small.a Trojan.Win32.Small.vkiie Trojan.Win32.A.Downloader.56724 TrojWare.Win32.TrojanDownloader.Small.AHU Trojan.MulDrop2.15120 Downloader.Small.Win32.40751 BehavesLike.Win32.Downloader.qt TrojanDownloader.Small.mmb W32.Trojan.Downloader.Small TR/StartPage.sc Trojan[Downloader]/Win32.Small Trojan:Win32/Symesta.B Downloader/Win32.Small.R5459 Trojan.Win32.Small.102210 Trj/Downloader.ABR Win32/TrojanDownloader.Small.AHU W32/Small.AHU!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Small!O": [[26, 57]], "Indicator: TrojanDownloader.Tearsp.AA2": [[58, 85]], "Indicator: Trojan/Downloader.Small.ahu": [[86, 113]], "Indicator: Win32/Startpage.MF": [[114, 132]], "Indicator: TROJ_SMALL_00000cc.TOMA": [[133, 156]], "Indicator: Win.Trojan.Startpage-37": [[157, 180]], "Indicator: Trojan-Notifier.Win32.Small.a": [[181, 210]], "Indicator: Trojan.Win32.Small.vkiie": [[211, 235]], "Indicator: Trojan.Win32.A.Downloader.56724": [[236, 267]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.AHU": [[268, 309]], "Indicator: Trojan.MulDrop2.15120": [[310, 331]], "Indicator: Downloader.Small.Win32.40751": [[332, 360]], "Indicator: BehavesLike.Win32.Downloader.qt": [[361, 392]], "Indicator: TrojanDownloader.Small.mmb": [[393, 419]], "Indicator: W32.Trojan.Downloader.Small": [[420, 447]], "Indicator: TR/StartPage.sc": [[448, 463]], "Indicator: Trojan[Downloader]/Win32.Small": [[464, 494]], "Indicator: Trojan:Win32/Symesta.B": [[495, 517]], "Indicator: Downloader/Win32.Small.R5459": [[518, 546]], "Indicator: Trojan.Win32.Small.102210": [[547, 572]], "Indicator: 
Trj/Downloader.ABR": [[573, 591]], "Indicator: Win32/TrojanDownloader.Small.AHU": [[592, 624]], "Indicator: W32/Small.AHU!tr.dldr": [[625, 646]]}, "info": {"id": "cyner2_5class_train_01929", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Bandok.61952 Backdoor.Trojan Win32/Banbot.A Trojan.Bandook Backdoor.Win32.Bandok.h Backdoor.Win32.Bandok!IK Backdoor.Win32.Bandok.H Trojan.DownLoader.4293 Backdoor/Bandok.d Backdoor:Win32/Bandok.E Win-Trojan/Bandok.61952 Win32/Bandok.H Backdoor.Win32.Bandok.h Backdoor.Win32.Bandok W32/Bandok.H!tr.bdr BackDoor.Bandok.F Bck/Bandok.R", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Bandok.61952": [[26, 51]], "Indicator: Backdoor.Trojan": [[52, 67]], "Indicator: Win32/Banbot.A": [[68, 82]], "Indicator: Trojan.Bandook": [[83, 97]], "Indicator: Backdoor.Win32.Bandok.h": [[98, 121], [275, 298]], "Indicator: Backdoor.Win32.Bandok!IK": [[122, 146]], "Indicator: Backdoor.Win32.Bandok.H": [[147, 170]], "Indicator: Trojan.DownLoader.4293": [[171, 193]], "Indicator: Backdoor/Bandok.d": [[194, 211]], "Indicator: Backdoor:Win32/Bandok.E": [[212, 235]], "Indicator: Win-Trojan/Bandok.61952": [[236, 259]], "Indicator: Win32/Bandok.H": [[260, 274]], "Indicator: Backdoor.Win32.Bandok": [[299, 320]], "Indicator: W32/Bandok.H!tr.bdr": [[321, 340]], "Indicator: BackDoor.Bandok.F": [[341, 358]], "Indicator: Bck/Bandok.R": [[359, 371]]}, "info": {"id": "cyner2_5class_train_01930", "source": "cyner2_5class_train"}} +{"text": "VENOM features similar mechanisms to the tools used during the Freenode intrusion in 2014 external link.", "spans": {"Malware: VENOM": [[0, 5]], "Malware: tools": [[41, 46]], "Indicator: external link.": [[90, 104]]}, "info": {"id": "cyner2_5class_train_01931", "source": "cyner2_5class_train"}} +{"text": "The user visits the URL to complete the payment and enters their phone number .", "spans": {}, "info": {"id": "cyner2_5class_train_01932", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9932 Trojan.MulDrop.2729 BehavesLike.Win32.Worm.dc TrojanDropper.Delf.cge TrojanBanker.Banker Trojan-Downloader.Win32.Delf W32/Banker.AFJ!tr Win32/Trojan.6cc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9932": [[48, 90]], "Indicator: Trojan.MulDrop.2729": [[91, 110]], "Indicator: BehavesLike.Win32.Worm.dc": [[111, 136]], "Indicator: TrojanDropper.Delf.cge": [[137, 159]], "Indicator: TrojanBanker.Banker": [[160, 179]], "Indicator: Trojan-Downloader.Win32.Delf": [[180, 208]], "Indicator: W32/Banker.AFJ!tr": [[209, 226]], "Indicator: Win32/Trojan.6cc": [[227, 243]]}, "info": {"id": "cyner2_5class_train_01933", "source": "cyner2_5class_train"}} +{"text": "\" Mundizza '' is a dialectal word , a derivative of the proper Italian word \" immondizia '' that translates to \" trash '' or \" garbage '' in English .", "spans": {}, "info": {"id": "cyner2_5class_train_01934", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SoaloaE.Trojan Trojan/W32.Buzus.239324 Trojan.VBCrypt.MF.75 Trojan/Injector.bggr Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SUAD-6922 Trojan.Win32.Buzus.osiq Trojan.Win32.Buzus.ebkods Win32.Trojan.Buzus.Lneb Trojan.PWS.Panda.4624 Trojan.Buzus.Win32.120917 BehavesLike.Win32.PWSZbot.dc Trojan/Buzus.bopu TR/Dropper.VB.ssypj W32/Injector.BJHT!tr Trojan/Win32.Buzus Trojan.Ransom.28 Trojan.Win32.Buzus.osiq Dropper/Win32.Necurs.R110132 Trojan.Crypt.NKN Trojan.Buzus!+gYkRxVVqlQ Trojan.Win32.Scarsi Trojan.Buzus", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SoaloaE.Trojan": [[26, 44]], "Indicator: Trojan/W32.Buzus.239324": [[45, 68]], "Indicator: Trojan.VBCrypt.MF.75": [[69, 89]], "Indicator: Trojan/Injector.bggr": [[90, 110]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[111, 153]], "Indicator: 
W32/Trojan.SUAD-6922": [[154, 174]], "Indicator: Trojan.Win32.Buzus.osiq": [[175, 198], [421, 444]], "Indicator: Trojan.Win32.Buzus.ebkods": [[199, 224]], "Indicator: Win32.Trojan.Buzus.Lneb": [[225, 248]], "Indicator: Trojan.PWS.Panda.4624": [[249, 270]], "Indicator: Trojan.Buzus.Win32.120917": [[271, 296]], "Indicator: BehavesLike.Win32.PWSZbot.dc": [[297, 325]], "Indicator: Trojan/Buzus.bopu": [[326, 343]], "Indicator: TR/Dropper.VB.ssypj": [[344, 363]], "Indicator: W32/Injector.BJHT!tr": [[364, 384]], "Indicator: Trojan/Win32.Buzus": [[385, 403]], "Indicator: Trojan.Ransom.28": [[404, 420]], "Indicator: Dropper/Win32.Necurs.R110132": [[445, 473]], "Indicator: Trojan.Crypt.NKN": [[474, 490]], "Indicator: Trojan.Buzus!+gYkRxVVqlQ": [[491, 515]], "Indicator: Trojan.Win32.Scarsi": [[516, 535]], "Indicator: Trojan.Buzus": [[536, 548]]}, "info": {"id": "cyner2_5class_train_01935", "source": "cyner2_5class_train"}} +{"text": "Update your device : Keep your device up-to-date with the latest security patches .", "spans": {}, "info": {"id": "cyner2_5class_train_01936", "source": "cyner2_5class_train"}} +{"text": "These backdoors are described in this part of the article.", "spans": {"Malware: backdoors": [[6, 15]]}, "info": {"id": "cyner2_5class_train_01937", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Regiskazi.a TROJ_SPNR.11AG15 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_SPNR.11AG15 Trojan.Win32.Regiskazi.dmdtgx Trojan.DownLoader12.16045 BehavesLike.Win32.Worm.hh Trojan.Heur2.JP.E61E47 Backdoor:Win32/Regiskazi.A Trojan/Win32.Downloader.C45921 Trj/CI.A Trojan.Regiskazi! 
Trojan.Win32.Regiskazi W32/Regiskazi.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Regiskazi.a": [[26, 44]], "Indicator: TROJ_SPNR.11AG15": [[45, 61], [105, 121]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[62, 104]], "Indicator: Trojan.Win32.Regiskazi.dmdtgx": [[122, 151]], "Indicator: Trojan.DownLoader12.16045": [[152, 177]], "Indicator: BehavesLike.Win32.Worm.hh": [[178, 203]], "Indicator: Trojan.Heur2.JP.E61E47": [[204, 226]], "Indicator: Backdoor:Win32/Regiskazi.A": [[227, 253]], "Indicator: Trojan/Win32.Downloader.C45921": [[254, 284]], "Indicator: Trj/CI.A": [[285, 293]], "Indicator: Trojan.Regiskazi!": [[294, 311]], "Indicator: Trojan.Win32.Regiskazi": [[312, 334]], "Indicator: W32/Regiskazi.A!tr": [[335, 353]]}, "info": {"id": "cyner2_5class_train_01938", "source": "cyner2_5class_train"}} +{"text": "Discovery T1418 Application Discovery Sends list of installed apps on device .", "spans": {}, "info": {"id": "cyner2_5class_train_01939", "source": "cyner2_5class_train"}} +{"text": "Currently this banker only have targets in Poland.", "spans": {}, "info": {"id": "cyner2_5class_train_01940", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.CVE-2014-1761.C Exp.RTF.CVE-2012-0158.A Exploit-CVE2012-0158.n Win32.Exploit.CVE-2012-0158.i Trojan.ZHPA-6 Trojan.Mdropper TROJ_ARTIEF.UK Exploit.CVE-2014-1761.C Exploit.Win32.CVE-2012-0158.j Exploit.CVE-2014-1761.C Exploit.Rtf.Heuristic-rtf.dinbqn Exploit.S.CVE-2012-1761.619765 Exploit.MSWord.CVE-2014-1761.k!c Exploit.CVE-2014-1761.C Exploit.CVE-2014-1761.7 Exploit.CVE.MacroWord.257 TROJ_ARTIEF.UK Exploit-CVE2012-0158.n Exploit.CVE-2012-0158.c EXP/CVE-2014-1761.C.619765 Trojan[Exploit]/Office.CVE-2012-0158 Exploit.CVE-2014-1761.C Exploit.CVE-2014-1761.C Word.Exploit.Cve-2014-1761.Dwsn Trojan.Exploit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.CVE-2014-1761.C": [[26, 49], [172, 195], [226, 249], [347, 370], [547, 570], [571, 594]], 
"Indicator: Exp.RTF.CVE-2012-0158.A": [[50, 73]], "Indicator: Exploit-CVE2012-0158.n": [[74, 96], [436, 458]], "Indicator: Win32.Exploit.CVE-2012-0158.i": [[97, 126]], "Indicator: Trojan.ZHPA-6": [[127, 140]], "Indicator: Trojan.Mdropper": [[141, 156]], "Indicator: TROJ_ARTIEF.UK": [[157, 171], [421, 435]], "Indicator: Exploit.Win32.CVE-2012-0158.j": [[196, 225]], "Indicator: Exploit.Rtf.Heuristic-rtf.dinbqn": [[250, 282]], "Indicator: Exploit.S.CVE-2012-1761.619765": [[283, 313]], "Indicator: Exploit.MSWord.CVE-2014-1761.k!c": [[314, 346]], "Indicator: Exploit.CVE-2014-1761.7": [[371, 394]], "Indicator: Exploit.CVE.MacroWord.257": [[395, 420]], "Indicator: Exploit.CVE-2012-0158.c": [[459, 482]], "Indicator: EXP/CVE-2014-1761.C.619765": [[483, 509]], "Indicator: Trojan[Exploit]/Office.CVE-2012-0158": [[510, 546]], "Indicator: Word.Exploit.Cve-2014-1761.Dwsn": [[595, 626]], "Indicator: Trojan.Exploit": [[627, 641]]}, "info": {"id": "cyner2_5class_train_01941", "source": "cyner2_5class_train"}} +{"text": "Given that this is an active threat , we ’ ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today .", "spans": {"Organization: Kaspersky": [[258, 267]]}, "info": {"id": "cyner2_5class_train_01942", "source": "cyner2_5class_train"}} +{"text": "Unit 42 for the past three months has been tracking a banking Trojan targeting victims in Brazil and the United States.", "spans": {"Malware: banking Trojan": [[54, 68]]}, "info": {"id": "cyner2_5class_train_01943", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TsagaaSAJ.Trojan Worm.AutoRun.FLD Trojan/AutoRun.VB.bfc Trojan.Heur.E08AD6 Win32.Worm.AutoRun.bz W32.SillyFDC Worm.Win32.AutoRun.HMT Win32.HLLW.Autoruner2.18557 Worm.Win32.AutoRun TR/Razy.xdwer HackTool:Win32/Virledi.A Trojan/Win32.Zbot.C401270 
W32/VB.BFC!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TsagaaSAJ.Trojan": [[26, 46]], "Indicator: Worm.AutoRun.FLD": [[47, 63]], "Indicator: Trojan/AutoRun.VB.bfc": [[64, 85]], "Indicator: Trojan.Heur.E08AD6": [[86, 104]], "Indicator: Win32.Worm.AutoRun.bz": [[105, 126]], "Indicator: W32.SillyFDC": [[127, 139]], "Indicator: Worm.Win32.AutoRun.HMT": [[140, 162]], "Indicator: Win32.HLLW.Autoruner2.18557": [[163, 190]], "Indicator: Worm.Win32.AutoRun": [[191, 209]], "Indicator: TR/Razy.xdwer": [[210, 223]], "Indicator: HackTool:Win32/Virledi.A": [[224, 248]], "Indicator: Trojan/Win32.Zbot.C401270": [[249, 274]], "Indicator: W32/VB.BFC!worm": [[275, 290]]}, "info": {"id": "cyner2_5class_train_01944", "source": "cyner2_5class_train"}} +{"text": "For example , the password of the WiFi network used by the phone was stored in the folder /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/ using the following file name format DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt ( the datetime followed by the IMEI ) .", "spans": {"Indicator: /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/": [[90, 159]], "Indicator: DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt": [[197, 240]]}, "info": {"id": "cyner2_5class_train_01945", "source": "cyner2_5class_train"}} +{"text": "This can result in brand degradation , loss of individual reputation , or loss of consumer trust .", "spans": {}, "info": {"id": "cyner2_5class_train_01946", "source": "cyner2_5class_train"}} +{"text": "Users are recommended to install apps from authorized stores such as Google Play , disable installation of apps from 'Unknown Sources ' and for a better security install a reputed security application .", "spans": {"System: Google Play": [[69, 80]]}, "info": {"id": "cyner2_5class_train_01947", "source": "cyner2_5class_train"}} +{"text": "The Trojan displays the extortion page ( extortionist.html ) that blocks the device and demands a ransom for unblocking it .", 
"spans": {"Indicator: extortionist.html": [[41, 58]]}, "info": {"id": "cyner2_5class_train_01948", "source": "cyner2_5class_train"}} +{"text": "Nowadays , script kiddies can build a piece of malware that can create real havoc .", "spans": {}, "info": {"id": "cyner2_5class_train_01949", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CpqEasyBttn.Worm Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB!O Worm.Flewon.S349523 Win32.Worm.VB.ji Hacktool.Spammer Win32/Flewon.E WORM_VB.DHQ Win.Worm.Liamo-1 Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB.cb Dropped:Win32.Worm.VB.NRV Trojan.Win32.VB.hpnv W32.W.AutoRun.l6mI Win32.Worm-email.Vb.Wqda Dropped:Win32.Worm.VB.NRV Dropped:Win32.Worm.VB.NRV Trojan.PWS.Asterie Worm.VB.Win32.303 WORM_VB.DHQ BehavesLike.Win32.VBObfus.ch TrojanClicker.Qihai.aq TR/Spy.Vwealer.KZ.33 Worm[Email]/Win32.VB Win32.Worm.VB.NRV I-Worm.Win32.VB.94208.E Email-Worm.Win32.VB.cb Worm:Win32/Flewon.A HEUR/Fakon.mwf Dropped:Win32.Worm.VB.NRV Trojan.VBRA.010583 Win32/VB.NGN I-Worm.VB.XYH Email-Worm.Win32.VB.cb W32/VB.CB@mm W32/MadCoffee.B.worm Win32/Trojan.Spy.bc3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CpqEasyBttn.Worm": [[26, 46]], "Indicator: Dropped:Win32.Worm.VB.NRV": [[47, 72], [193, 218], [242, 267], [333, 358], [359, 384], [628, 653]], "Indicator: Email-Worm.Win32.VB!O": [[73, 94]], "Indicator: Worm.Flewon.S349523": [[95, 114]], "Indicator: Win32.Worm.VB.ji": [[115, 131]], "Indicator: Hacktool.Spammer": [[132, 148]], "Indicator: Win32/Flewon.E": [[149, 163]], "Indicator: WORM_VB.DHQ": [[164, 175], [422, 433]], "Indicator: Win.Worm.Liamo-1": [[176, 192]], "Indicator: Email-Worm.Win32.VB.cb": [[219, 241], [570, 592], [700, 722]], "Indicator: Trojan.Win32.VB.hpnv": [[268, 288]], "Indicator: W32.W.AutoRun.l6mI": [[289, 307]], "Indicator: Win32.Worm-email.Vb.Wqda": [[308, 332]], "Indicator: Trojan.PWS.Asterie": [[385, 403]], "Indicator: Worm.VB.Win32.303": [[404, 421]], "Indicator: BehavesLike.Win32.VBObfus.ch": 
[[434, 462]], "Indicator: TrojanClicker.Qihai.aq": [[463, 485]], "Indicator: TR/Spy.Vwealer.KZ.33": [[486, 506]], "Indicator: Worm[Email]/Win32.VB": [[507, 527]], "Indicator: Win32.Worm.VB.NRV": [[528, 545]], "Indicator: I-Worm.Win32.VB.94208.E": [[546, 569]], "Indicator: Worm:Win32/Flewon.A": [[593, 612]], "Indicator: HEUR/Fakon.mwf": [[613, 627]], "Indicator: Trojan.VBRA.010583": [[654, 672]], "Indicator: Win32/VB.NGN": [[673, 685]], "Indicator: I-Worm.VB.XYH": [[686, 699]], "Indicator: W32/VB.CB@mm": [[723, 735]], "Indicator: W32/MadCoffee.B.worm": [[736, 756]], "Indicator: Win32/Trojan.Spy.bc3": [[757, 777]]}, "info": {"id": "cyner2_5class_train_01950", "source": "cyner2_5class_train"}} +{"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook .", "spans": {"System: Facebook": [[131, 139]]}, "info": {"id": "cyner2_5class_train_01951", "source": "cyner2_5class_train"}} +{"text": "The content of the HTTP POST data is telemetry data in a json format about the device the malware is running on .", "spans": {"Indicator: HTTP": [[19, 23]]}, "info": {"id": "cyner2_5class_train_01952", "source": "cyner2_5class_train"}} +{"text": "Even sophisticated actors are using lower cost , less technologically impressive means like phishing to spread their malware because it 's cheap and very effective , especially on mobile devices where there are more ways to interact with a victim ( messaging apps , social media apps , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_01953", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware08 Backdoor.Lecna.Q5 Trojan.SelfDelete Win32.Worm.ShipUp.h W32/Trojan-Gypikon-based.DM2!Ma Trojan.Win32.CFI.ddcdum TrojWare.Win32.ShipUp.AR Trojan.KillFiles.16512 BehavesLike.Win32.MultiPlug.dz W32/Trojan-Gypikon-based.DM2!Ma BDS/Taranis.4032 Backdoor:Win32/Lecna.Q!dha W32.W.AutoRun.m652 Trojan/Win32.Cossta.R120893 
Win32/ShipUp.B Worm.Win32.ShipUp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware08": [[26, 45]], "Indicator: Backdoor.Lecna.Q5": [[46, 63]], "Indicator: Trojan.SelfDelete": [[64, 81]], "Indicator: Win32.Worm.ShipUp.h": [[82, 101]], "Indicator: W32/Trojan-Gypikon-based.DM2!Ma": [[102, 133], [237, 268]], "Indicator: Trojan.Win32.CFI.ddcdum": [[134, 157]], "Indicator: TrojWare.Win32.ShipUp.AR": [[158, 182]], "Indicator: Trojan.KillFiles.16512": [[183, 205]], "Indicator: BehavesLike.Win32.MultiPlug.dz": [[206, 236]], "Indicator: BDS/Taranis.4032": [[269, 285]], "Indicator: Backdoor:Win32/Lecna.Q!dha": [[286, 312]], "Indicator: W32.W.AutoRun.m652": [[313, 331]], "Indicator: Trojan/Win32.Cossta.R120893": [[332, 359]], "Indicator: Win32/ShipUp.B": [[360, 374]], "Indicator: Worm.Win32.ShipUp": [[375, 392]]}, "info": {"id": "cyner2_5class_train_01954", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Soul.ag Trojan.Heur.EEED6D Win32.Trojan.WisdomEyes.16070401.9500.9993 Win.Trojan.Crypted-3 Trojan.Win32.Pincav.bqfmw Trojan.Win32.Invader.blqtgb Win32.Trojan.Pincav.Dygr Trojan.Xispy Trojan.Xispy Trojan.Small.gr TR/Xispy.E.8 Troj.W32.Pincav.bqfmw!c Trojan.Win32.Pincav.bqfmw Trojan/Win32.IRCBot.C221390 Trojan.Soul!ykk6w7k8W/s Trj/Soul.I Win32/Trojan.Spy.620", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Soul.ag": [[26, 40]], "Indicator: Trojan.Heur.EEED6D": [[41, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[60, 102]], "Indicator: Win.Trojan.Crypted-3": [[103, 123]], "Indicator: Trojan.Win32.Pincav.bqfmw": [[124, 149], [282, 307]], "Indicator: Trojan.Win32.Invader.blqtgb": [[150, 177]], "Indicator: Win32.Trojan.Pincav.Dygr": [[178, 202]], "Indicator: Trojan.Xispy": [[203, 215], [216, 228]], "Indicator: Trojan.Small.gr": [[229, 244]], "Indicator: TR/Xispy.E.8": [[245, 257]], "Indicator: Troj.W32.Pincav.bqfmw!c": [[258, 281]], "Indicator: Trojan/Win32.IRCBot.C221390": [[308, 335]], 
"Indicator: Trojan.Soul!ykk6w7k8W/s": [[336, 359]], "Indicator: Trj/Soul.I": [[360, 370]], "Indicator: Win32/Trojan.Spy.620": [[371, 391]]}, "info": {"id": "cyner2_5class_train_01955", "source": "cyner2_5class_train"}} +{"text": "It is by no means a new threat, but it is still actively used and developed and worthy of a breakdown in an effort to defend against it.", "spans": {}, "info": {"id": "cyner2_5class_train_01956", "source": "cyner2_5class_train"}} +{"text": "In this article we will describe the process of extracting the final payload out of it's cover.", "spans": {}, "info": {"id": "cyner2_5class_train_01957", "source": "cyner2_5class_train"}} +{"text": "Since March 2016, the group has appeared to mostly focus on organizations in Hong Kong, sending malicious emails to targets as recently as August 4, and attempting to spread within compromised networks in order to steal information.", "spans": {"Organization: organizations": [[60, 73]], "Indicator: sending malicious emails": [[88, 112]], "System: compromised networks": [[181, 201]], "Indicator: steal information.": [[214, 232]]}, "info": {"id": "cyner2_5class_train_01958", "source": "cyner2_5class_train"}} +{"text": "Linux Trojan is designed to set up a SOCKS5 proxy server on the infected computer on the basis of the freeware source codes of the Satanic Socks Server.", "spans": {"System: Linux": [[0, 5]], "Malware: Trojan": [[6, 12]], "System: SOCKS5 proxy server": [[37, 56]], "System: infected computer": [[64, 81]], "System: the Satanic Socks Server.": [[127, 152]]}, "info": {"id": "cyner2_5class_train_01959", "source": "cyner2_5class_train"}} +{"text": "From early 2018 prior to May , “ Agent Smith ” hackers started to experiment with Bundle Feng Shui , the key tool which gives “ Agent Smith ” malware family capabilities to infect innocent apps on the device .", "spans": {"Malware: Agent Smith": [[33, 44], [128, 139]]}, "info": {"id": "cyner2_5class_train_01960", "source": "cyner2_5class_train"}} +{"text": 
"Since HackingTeam implants are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.", "spans": {}, "info": {"id": "cyner2_5class_train_01961", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PUA.Remadmin.S141625 Win32.Trojan.WisdomEyes.16070401.9500.9757 not-a-virus:RemoteAdmin.Win32.RMS.pr Trojan.Win32.RemoteAdmin.ekeqcb Trojan.MulDrop7.11923 BehavesLike.Win32.BadFile.th Trojan.Win32.RA W32/Trojan.BHMN-7604 W32.Rms.Pr TR/AD.RATBackdoor.fustx RiskWare[RemoteAdmin]/Win32.RMS.nd not-a-virus:RemoteAdmin.Win32.RMS.pr Backdoor.RMS Win32/RA-based.NFV Riskware.RemoteAdmin.DJ Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUA.Remadmin.S141625": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9757": [[47, 89]], "Indicator: not-a-virus:RemoteAdmin.Win32.RMS.pr": [[90, 126], [317, 353]], "Indicator: Trojan.Win32.RemoteAdmin.ekeqcb": [[127, 158]], "Indicator: Trojan.MulDrop7.11923": [[159, 180]], "Indicator: BehavesLike.Win32.BadFile.th": [[181, 209]], "Indicator: Trojan.Win32.RA": [[210, 225]], "Indicator: W32/Trojan.BHMN-7604": [[226, 246]], "Indicator: W32.Rms.Pr": [[247, 257]], "Indicator: TR/AD.RATBackdoor.fustx": [[258, 281]], "Indicator: RiskWare[RemoteAdmin]/Win32.RMS.nd": [[282, 316]], "Indicator: Backdoor.RMS": [[354, 366]], "Indicator: Win32/RA-based.NFV": [[367, 385]], "Indicator: Riskware.RemoteAdmin.DJ": [[386, 409]], "Indicator: Trj/CI.A": [[410, 418]]}, "info": {"id": "cyner2_5class_train_01962", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MiadheardLTS.Trojan Rootkit.Mask.A Trojan.Seedna Backdoor.Weevil.B BKDR_CARETO.A Rootkit.Mask.A Trojan.Win32.SGH.ay Rootkit.Mask.A Trojan.Win32.Heap.ctohpz Troj.W32.SGH.ay!c Win32.Trojan.Sgh.Pbpi Rootkit.Mask.A Backdoor:W32/Mask.A Trojan.SGH.Win32.2 BKDR_CARETO.A Backdoor.Mask W32/Backdoor.TAHG-4259 
Trojan.Win32.c W32.Trojan.Careto TR/Heap.A.3 Trojan/Win32.SGH Rootkit.Mask.A Trojan.Win32.SGH.ay Trojan:WinNT/Seedna.A Trojan/Win32.Careto.R97384 Backdoor.Mask Trj/CI.A Win32/Appetite.C Trojan.SGH! Win32/Trojan.fa7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MiadheardLTS.Trojan": [[26, 49]], "Indicator: Rootkit.Mask.A": [[50, 64], [111, 125], [146, 160], [226, 240], [393, 407]], "Indicator: Trojan.Seedna": [[65, 78]], "Indicator: Backdoor.Weevil.B": [[79, 96]], "Indicator: BKDR_CARETO.A": [[97, 110], [280, 293]], "Indicator: Trojan.Win32.SGH.ay": [[126, 145], [408, 427]], "Indicator: Trojan.Win32.Heap.ctohpz": [[161, 185]], "Indicator: Troj.W32.SGH.ay!c": [[186, 203]], "Indicator: Win32.Trojan.Sgh.Pbpi": [[204, 225]], "Indicator: Backdoor:W32/Mask.A": [[241, 260]], "Indicator: Trojan.SGH.Win32.2": [[261, 279]], "Indicator: Backdoor.Mask": [[294, 307], [477, 490]], "Indicator: W32/Backdoor.TAHG-4259": [[308, 330]], "Indicator: Trojan.Win32.c": [[331, 345]], "Indicator: W32.Trojan.Careto": [[346, 363]], "Indicator: TR/Heap.A.3": [[364, 375]], "Indicator: Trojan/Win32.SGH": [[376, 392]], "Indicator: Trojan:WinNT/Seedna.A": [[428, 449]], "Indicator: Trojan/Win32.Careto.R97384": [[450, 476]], "Indicator: Trj/CI.A": [[491, 499]], "Indicator: Win32/Appetite.C": [[500, 516]], "Indicator: Trojan.SGH!": [[517, 528]], "Indicator: Win32/Trojan.fa7": [[529, 545]]}, "info": {"id": "cyner2_5class_train_01963", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: I-Worm.Naked.A Worm/W32.Naked.73728 Email-Worm.Win32!O W32.Naked I-Worm.Naked.A Worm.Naked.Win32.1 I-Worm.Naked.A W32/Nakedwife.A@mm W32.Naked@mm WORM_NAKED.A Win.Worm.Naked-1 I-Worm.Naked.A Email-Worm.Win32.Naked I-Worm.Naked.A Trojan.Win32.Naked.hbai I-Worm.Win32.Naked I-Worm.Naked.A Win32.HLLW.Naked WORM_NAKED.A Worm.Win32.Naked W32/Nakedwife.A@mm Worm:Win32/Naked.B@mm Email-Worm.Win32.Naked Worm.Naked Win32.Worm-email.Naked.Pdmp I-Worm.Naked.A Win32/Trojan.fc6", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: I-Worm.Naked.A": [[26, 40], [91, 105], [125, 139], [202, 216], [240, 254], [298, 312], [463, 477]], "Indicator: Worm/W32.Naked.73728": [[41, 61]], "Indicator: Email-Worm.Win32!O": [[62, 80]], "Indicator: W32.Naked": [[81, 90]], "Indicator: Worm.Naked.Win32.1": [[106, 124]], "Indicator: W32/Nakedwife.A@mm": [[140, 158], [360, 378]], "Indicator: W32.Naked@mm": [[159, 171]], "Indicator: WORM_NAKED.A": [[172, 184], [330, 342]], "Indicator: Win.Worm.Naked-1": [[185, 201]], "Indicator: Email-Worm.Win32.Naked": [[217, 239], [401, 423]], "Indicator: Trojan.Win32.Naked.hbai": [[255, 278]], "Indicator: I-Worm.Win32.Naked": [[279, 297]], "Indicator: Win32.HLLW.Naked": [[313, 329]], "Indicator: Worm.Win32.Naked": [[343, 359]], "Indicator: Worm:Win32/Naked.B@mm": [[379, 400]], "Indicator: Worm.Naked": [[424, 434]], "Indicator: Win32.Worm-email.Naked.Pdmp": [[435, 462]], "Indicator: Win32/Trojan.fc6": [[478, 494]]}, "info": {"id": "cyner2_5class_train_01964", "source": "cyner2_5class_train"}} +{"text": "Next , the malware enumerates all .exe programs in the % System % folder and looks for an original signed Windows binary that imports from at least one KnownDll and from a library that is not in the KnownDll directory .", "spans": {"System: Windows": [[106, 113]]}, "info": {"id": "cyner2_5class_train_01965", "source": "cyner2_5class_train"}} +{"text": "Those targeted include applications like Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal Business": [[41, 56]], "System: Revolut": [[59, 66]], "System: Barclays": [[69, 77]], "System: UniCredit": [[80, 89]], "System: CapitalOne UK": [[92, 105]], "System: HSBC UK": [[108, 115]], "System: Santander UK": [[118, 130]], "System: TransferWise": [[133, 145]], "System: Coinbase": [[148, 156]], "System: paysafecard": [[159, 170]]}, "info": {"id": "cyner2_5class_train_01966", 
"source": "cyner2_5class_train"}} +{"text": "It uses “ 185.51.201 [ .", "spans": {"Indicator: 185.51.201 [ .": [[10, 24]]}, "info": {"id": "cyner2_5class_train_01967", "source": "cyner2_5class_train"}} +{"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market .", "spans": {"Organization: Chinese Original Equipment Manufacturers ( OEM )": [[101, 149]], "System: Google Play": [[182, 193]]}, "info": {"id": "cyner2_5class_train_01968", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Flystudio.100458 Win32.Trojan.FlyStudio.oj Win.Worm.Bingd-1 Trojan.Win32.Vilsel.dfmi Trojan.Win32.Winlock.c Worm.Win32.Dropper.RA BackDoor.Pigeon.64233 Packed.Vemply.aph TR/Ransom.MBRLock.usvpx Trojan.Win32.Vilsel.dfmi Backdoor.Hupigon Win32.Outbreak W32/MBRlock.AQ!tr Trojan.Win32.Made.J", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Flystudio.100458": [[26, 49]], "Indicator: Win32.Trojan.FlyStudio.oj": [[50, 75]], "Indicator: Win.Worm.Bingd-1": [[76, 92]], "Indicator: Trojan.Win32.Vilsel.dfmi": [[93, 117], [227, 251]], "Indicator: Trojan.Win32.Winlock.c": [[118, 140]], "Indicator: Worm.Win32.Dropper.RA": [[141, 162]], "Indicator: BackDoor.Pigeon.64233": [[163, 184]], "Indicator: Packed.Vemply.aph": [[185, 202]], "Indicator: TR/Ransom.MBRLock.usvpx": [[203, 226]], "Indicator: Backdoor.Hupigon": [[252, 268]], "Indicator: Win32.Outbreak": [[269, 283]], "Indicator: W32/MBRlock.AQ!tr": [[284, 301]], "Indicator: Trojan.Win32.Made.J": [[302, 321]]}, "info": {"id": "cyner2_5class_train_01969", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: TrojanDropper.Linux.Elknot.Y Backdoor.Linux.Mayday!c Linux/Elknot.A Backdoor.Linux.Mayday.g Trojan.Unix.DDoS.dncljq Linux.DDoS.7 Downloader.OpenConnection.JS.96932 ELF/Trojan.CNXM-8 
Backdoor/Linux.hx LINUX/Elknot.iyani Linux/Mayday.1128800.E Backdoor.Linux.Mayday.g backdoor.linux.mayday.g Backdoor.Linux.Mayday", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Linux.Elknot.Y": [[43, 71]], "Indicator: Backdoor.Linux.Mayday!c": [[72, 95]], "Indicator: Linux/Elknot.A": [[96, 110]], "Indicator: Backdoor.Linux.Mayday.g": [[111, 134], [285, 308]], "Indicator: Trojan.Unix.DDoS.dncljq": [[135, 158]], "Indicator: Linux.DDoS.7": [[159, 171]], "Indicator: Downloader.OpenConnection.JS.96932": [[172, 206]], "Indicator: ELF/Trojan.CNXM-8": [[207, 224]], "Indicator: Backdoor/Linux.hx": [[225, 242]], "Indicator: LINUX/Elknot.iyani": [[243, 261]], "Indicator: Linux/Mayday.1128800.E": [[262, 284]], "Indicator: backdoor.linux.mayday.g": [[309, 332]], "Indicator: Backdoor.Linux.Mayday": [[333, 354]]}, "info": {"id": "cyner2_5class_train_01970", "source": "cyner2_5class_train"}} +{"text": "The group extensively uses long-running strategic web compromises SWCs, and relies on whitelists to deliver payloads to select victims.", "spans": {"Indicator: long-running strategic web compromises SWCs,": [[27, 71]], "Malware: payloads": [[108, 116]]}, "info": {"id": "cyner2_5class_train_01971", "source": "cyner2_5class_train"}} +{"text": "Attackers can send SMS with certain messages to activate the agent and trigger corresponding action .", "spans": {}, "info": {"id": "cyner2_5class_train_01972", "source": "cyner2_5class_train"}} +{"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries .", "spans": {}, "info": {"id": "cyner2_5class_train_01973", "source": "cyner2_5class_train"}} +{"text": "UPDATE – download APK file from C & C and install it .", "spans": {}, "info": {"id": "cyner2_5class_train_01974", "source": "cyner2_5class_train"}} +{"text": "In this case the persistence is achieved by loading the original explorer.exe from its startup location and , using DLL 
side-loading , passing the execution control to the stage 4 malware ( discussed in next section ) .", "spans": {"Indicator: explorer.exe": [[65, 77]]}, "info": {"id": "cyner2_5class_train_01975", "source": "cyner2_5class_train"}} +{"text": "This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means .", "spans": {"System: Android": [[95, 102]]}, "info": {"id": "cyner2_5class_train_01976", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Trojan.Zapchas.F IRC/Flood.ev IRC.Zapchast.AQ REG/Zapchast.A W32/Zapchast.CS IRC.Zapchast Backdoor.IRC.Zapchast Dropped:Trojan.Zapchas.F Application.Win32.RiskWare.mIRC.~BAAA Trojan.Zapchas.F IRC.Flood SPR/mIRC-1790464.A.5 REG_ZAPCHAST.BV Riskware.Client-IRC.Win32.mIRC!IK Trojan.IRC.ah Backdoor/IRC.IRC Dropped:Trojan.Zapchas.F REG/Zapchast.A Backdoor.IRC.Zapchast.a IRC/Cloner.AT not-a-virus:Client-IRC.Win32.mIRC REG/Zapchast.4D53!tr.bdr IRC/BackDoor.Flood Bck/MIRCBased.BI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Trojan.Zapchas.F": [[26, 50], [146, 170], [338, 362]], "Indicator: IRC/Flood.ev": [[51, 63]], "Indicator: IRC.Zapchast.AQ": [[64, 79]], "Indicator: REG/Zapchast.A": [[80, 94], [363, 377]], "Indicator: W32/Zapchast.CS": [[95, 110]], "Indicator: IRC.Zapchast": [[111, 123]], "Indicator: Backdoor.IRC.Zapchast": [[124, 145]], "Indicator: Application.Win32.RiskWare.mIRC.~BAAA": [[171, 208]], "Indicator: Trojan.Zapchas.F": [[209, 225]], "Indicator: IRC.Flood": [[226, 235]], "Indicator: SPR/mIRC-1790464.A.5": [[236, 256]], "Indicator: REG_ZAPCHAST.BV": [[257, 272]], "Indicator: Riskware.Client-IRC.Win32.mIRC!IK": [[273, 306]], "Indicator: Trojan.IRC.ah": [[307, 320]], "Indicator: Backdoor/IRC.IRC": [[321, 337]], "Indicator: Backdoor.IRC.Zapchast.a": [[378, 401]], "Indicator: IRC/Cloner.AT": [[402, 415]], "Indicator: not-a-virus:Client-IRC.Win32.mIRC": [[416, 449]], "Indicator: REG/Zapchast.4D53!tr.bdr": [[450, 
474]], "Indicator: IRC/BackDoor.Flood": [[475, 493]], "Indicator: Bck/MIRCBased.BI": [[494, 510]]}, "info": {"id": "cyner2_5class_train_01977", "source": "cyner2_5class_train"}} +{"text": "Follow the instructions at the bottom of this page .", "spans": {}, "info": {"id": "cyner2_5class_train_01978", "source": "cyner2_5class_train"}} +{"text": "Throughout an attack campaign, actors will continue to develop their tools in an attempt to remain undetected and to carry out multiple attacks without having to completely retool.", "spans": {"Malware: tools": [[69, 74]], "Indicator: attacks": [[136, 143]], "Malware: retool.": [[173, 180]]}, "info": {"id": "cyner2_5class_train_01979", "source": "cyner2_5class_train"}} +{"text": "With North Korea becoming increasingly isolated from the world economy the likelihood that it will use its cyber capabilities for financial gain grows.", "spans": {"Organization: world economy": [[57, 70]], "Indicator: its cyber capabilities": [[103, 125]]}, "info": {"id": "cyner2_5class_train_01980", "source": "cyner2_5class_train"}} +{"text": "This campaign seems to be old but still running although my infection wasn't being manually controlled at the time.", "spans": {}, "info": {"id": "cyner2_5class_train_01981", "source": "cyner2_5class_train"}} +{"text": "Because a user interacting with an ad often leads to a higher chance of the user purchasing something , ad networks often \" pay per click '' to developers who host their ads .", "spans": {}, "info": {"id": "cyner2_5class_train_01982", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Spam-Mailbot.m Trojan.Banker.Win32.7151 Backdoor.Trojan Win.Trojan.Banker-16870 Trojan.Packed.515 Trojan/Banker.xd Trojan.ZPACK!RjBLf3GsBZY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Spam-Mailbot.m": [[26, 40]], "Indicator: Trojan.Banker.Win32.7151": [[41, 65]], "Indicator: Backdoor.Trojan": [[66, 81]], "Indicator: Win.Trojan.Banker-16870": [[82, 105]], "Indicator: 
Trojan.Packed.515": [[106, 123]], "Indicator: Trojan/Banker.xd": [[124, 140]], "Indicator: Trojan.ZPACK!RjBLf3GsBZY": [[141, 165]]}, "info": {"id": "cyner2_5class_train_01983", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.a!bm3 Trojan/Downloader.Hacyayu.ahz Trojan.DL.Hacyayu!hNU/seEqyqU W32/Shiz.AK TROJ_SHIZ.SMP6 Trojan-Downloader.Win32.Hacyayu.alt Trojan.Packed.20771 TROJ_SHIZ.SMP6 Downloader.a!bm3 TrojanDownloader.Hacyayu.t Win32.TrojDownloader.Hacyayu.kcloud TrojanDownloader:Win32/Hacyayu.A Trojan.Win32.A.Downloader.39157 W32/Shiz.AK TrojanDownloader.Hacyayu.afi Trojan-Downloader.Win32.Hacyayu W32/Shiz.NCF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.a!bm3": [[26, 42], [201, 217]], "Indicator: Trojan/Downloader.Hacyayu.ahz": [[43, 72]], "Indicator: Trojan.DL.Hacyayu!hNU/seEqyqU": [[73, 102]], "Indicator: W32/Shiz.AK": [[103, 114], [346, 357]], "Indicator: TROJ_SHIZ.SMP6": [[115, 129], [186, 200]], "Indicator: Trojan-Downloader.Win32.Hacyayu.alt": [[130, 165]], "Indicator: Trojan.Packed.20771": [[166, 185]], "Indicator: TrojanDownloader.Hacyayu.t": [[218, 244]], "Indicator: Win32.TrojDownloader.Hacyayu.kcloud": [[245, 280]], "Indicator: TrojanDownloader:Win32/Hacyayu.A": [[281, 313]], "Indicator: Trojan.Win32.A.Downloader.39157": [[314, 345]], "Indicator: TrojanDownloader.Hacyayu.afi": [[358, 386]], "Indicator: Trojan-Downloader.Win32.Hacyayu": [[387, 418]], "Indicator: W32/Shiz.NCF!tr": [[419, 434]]}, "info": {"id": "cyner2_5class_train_01984", "source": "cyner2_5class_train"}} +{"text": "Project Spy uses the ongoing coronavirus pandemic as a lure , posing as an app called Coronavirus Updates .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "cyner2_5class_train_01985", "source": "cyner2_5class_train"}} +{"text": "Recently, Antiy CERT has captured a batch of active hoze mining Trojan horse samples through the wind-catching honeypot system.", "spans": {"Organization: Antiy CERT": [[10, 
20]], "Malware: Trojan": [[64, 70]], "System: the wind-catching honeypot system.": [[93, 127]]}, "info": {"id": "cyner2_5class_train_01986", "source": "cyner2_5class_train"}} +{"text": "The Trojan requests Device Administrator rights The Trojan requests permission to use AccessibilityService After installation , the Trojan starts communicating with the cybercriminals ’ C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_01987", "source": "cyner2_5class_train"}} +{"text": "] comrose-sturat [ .", "spans": {"Indicator: [ .": [[17, 20]]}, "info": {"id": "cyner2_5class_train_01988", "source": "cyner2_5class_train"}} +{"text": "The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners.", "spans": {"Organization: Trend Micro": [[4, 15]], "Malware: rootkit family": [[88, 102]], "Organization: trusted partners.": [[119, 136]]}, "info": {"id": "cyner2_5class_train_01989", "source": "cyner2_5class_train"}} +{"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ? 
id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently .", "spans": {"Indicator: supersu.apk": [[66, 77]], "Indicator: eu.chainfire.supersu": [[88, 108]], "Indicator: https : //play.google.com/store/apps/details ? id=eu.chainfire.supersu": [[111, 181]], "Indicator: 246.us": [[189, 195]], "Indicator: us.x": [[196, 200]], "Indicator: supersu.cfg": [[222, 233], [837, 848]], "Indicator: supersu.cfg.ju": [[234, 248]], "Indicator: supersu.cfg.old": [[249, 264]], "Indicator: bb.txt": [[310, 316]], "Indicator: bdata.xml": [[342, 351]], "System: Android": [[402, 409]], "Indicator: bdatas.apk": [[437, 447]], "Indicator: com.android.network.irc.apk": [[468, 495]], "Indicator: MobileManagerService.apk": [[517, 541]], "Organization: ASUS": [[542, 546]], "Indicator: mobilemanager.apk": [[583, 600]], "Indicator: privapp.txt": [[619, 630]], "Indicator: run-as.x": [[730, 738]], "Indicator: run-as.y": [[739, 747]]}, "info": {"id": "cyner2_5class_train_01990", "source": "cyner2_5class_train"}} +{"text": "As has been previously reported , some versions of the Android malware were present in the Google Play Store .", "spans": {"System: Android": [[55, 62]], "System: Google Play Store": [[91, 108]]}, "info": {"id": "cyner2_5class_train_01991", "source": "cyner2_5class_train"}} +{"text": "One of 
the most significant features TrickMo possesses is the app recording feature , which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks .", "spans": {"Malware: TrickMo": [[37, 44]], "Malware: TrickBot": [[106, 114]]}, "info": {"id": "cyner2_5class_train_01992", "source": "cyner2_5class_train"}} +{"text": "The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input .", "spans": {}, "info": {"id": "cyner2_5class_train_01993", "source": "cyner2_5class_train"}} +{"text": "The primary samples examined appear in the wild with filenames mimicking that of Adobe s Content Management System and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.", "spans": {"Indicator: filenames mimicking": [[53, 72]], "System: Adobe s Content Management System": [[81, 114]], "Indicator: commands typical of Remote Access Tools: file upload, file download, file execution,": [[137, 221]], "Indicator: command execution.": [[226, 244]]}, "info": {"id": "cyner2_5class_train_01994", "source": "cyner2_5class_train"}} +{"text": "The PDF lists dates of birth , gender , passport numbers , and names .", "spans": {}, "info": {"id": "cyner2_5class_train_01995", "source": "cyner2_5class_train"}} +{"text": "] comlagertha-lothbrok [ .", "spans": {}, "info": {"id": "cyner2_5class_train_01996", "source": "cyner2_5class_train"}} +{"text": "] cc/3 * * * * * 1 ” .", "spans": {}, "info": {"id": "cyner2_5class_train_01997", "source": "cyner2_5class_train"}} +{"text": "On May 18, the authors of XData ransomware ran the massive attack against Ukrainian users supposedly leveraging the EternalBlue exploit as well as an ordinary spearphishing email delivery method.", "spans": {"Malware: XData ransomware": [[26, 42]], "Indicator: massive attack": [[51, 65]], "Organization: Ukrainian users": [[74, 89]], "Malware: the EternalBlue exploit": 
[[112, 135]], "Indicator: ordinary spearphishing email delivery method.": [[150, 195]]}, "info": {"id": "cyner2_5class_train_01998", "source": "cyner2_5class_train"}} +{"text": "Dubsmash is a mobile app to create short selfie videos dubbed with famous sounds.", "spans": {"System: Dubsmash": [[0, 8]], "System: mobile app": [[14, 24]]}, "info": {"id": "cyner2_5class_train_01999", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Win32.VBKrypt.1!O Trojan/Dropper.VB.nxw Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Pws.BCWZ Win.Spyware.47661-2 Trojan-Dropper.Win32.Dorifel.atjn Win32.Trojan-dropper.Dorifel.Akos TrojWare.Win32.VB.fmmu Trojan.DownLoader9.62284 BehavesLike.Win32.Trojan.gh Trojan-Dropper.Win32.Duon W32/PWS.IDDR-8868 Trojan.Heur.E019B0 Trojan-Dropper.Win32.Dorifel.atjn Malware-Dropper.VB.WLCrypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Win32.VBKrypt.1!O": [[26, 48]], "Indicator: Trojan/Dropper.VB.nxw": [[49, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[71, 113]], "Indicator: W32/Pws.BCWZ": [[114, 126]], "Indicator: Win.Spyware.47661-2": [[127, 146]], "Indicator: Trojan-Dropper.Win32.Dorifel.atjn": [[147, 180], [354, 387]], "Indicator: Win32.Trojan-dropper.Dorifel.Akos": [[181, 214]], "Indicator: TrojWare.Win32.VB.fmmu": [[215, 237]], "Indicator: Trojan.DownLoader9.62284": [[238, 262]], "Indicator: BehavesLike.Win32.Trojan.gh": [[263, 290]], "Indicator: Trojan-Dropper.Win32.Duon": [[291, 316]], "Indicator: W32/PWS.IDDR-8868": [[317, 334]], "Indicator: Trojan.Heur.E019B0": [[335, 353]], "Indicator: Malware-Dropper.VB.WLCrypt": [[388, 414]]}, "info": {"id": "cyner2_5class_train_02000", "source": "cyner2_5class_train"}} +{"text": "Malware authors in the past have often coded a “ safety net ” into their malware to prevent them from accidentally infecting their own computers and devices .", "spans": {}, "info": {"id": "cyner2_5class_train_02001", "source": "cyner2_5class_train"}} +{"text": "Some of 
the C2 servers are located in Thailand .", "spans": {}, "info": {"id": "cyner2_5class_train_02002", "source": "cyner2_5class_train"}} +{"text": "An example of the string which is sent to the command-and-control would be “ phone 26.03.2013 ” .", "spans": {}, "info": {"id": "cyner2_5class_train_02003", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Script.SWF.Cxx+.C173 SWF.Kit.Angler.G Exploit-SWF.x Bloodhound.Flash.31 SWF/Exploit.CVE-2015-3090.A SWF_EKSPLOYT.ED Swf.Packer.Angle-1 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Exploit.SWF.438 SWF_EKSPLOYT.ED BehavesLike.Flash.Exploit.kb EXP/CVE-2015-3090.AU Exploit:SWF/Netis.B Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 SWF.Win32.Script.800529 Exploit.SWF SWF/ExKit.AQ!exploit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Script.SWF.Cxx+.C173": [[26, 46], [161, 181], [182, 202], [203, 223], [224, 244], [347, 367], [368, 388]], "Indicator: SWF.Kit.Angler.G": [[47, 63]], "Indicator: Exploit-SWF.x": [[64, 77]], "Indicator: Bloodhound.Flash.31": [[78, 97]], "Indicator: SWF/Exploit.CVE-2015-3090.A": [[98, 125]], "Indicator: SWF_EKSPLOYT.ED": [[126, 141], [261, 276]], "Indicator: Swf.Packer.Angle-1": [[142, 160]], "Indicator: Exploit.SWF.438": [[245, 260]], "Indicator: BehavesLike.Flash.Exploit.kb": [[277, 305]], "Indicator: EXP/CVE-2015-3090.AU": [[306, 326]], "Indicator: Exploit:SWF/Netis.B": [[327, 346]], "Indicator: SWF.Win32.Script.800529": [[389, 412]], "Indicator: Exploit.SWF": [[413, 424]], "Indicator: SWF/ExKit.AQ!exploit": [[425, 445]]}, "info": {"id": "cyner2_5class_train_02004", "source": "cyner2_5class_train"}} +{"text": "This article will discuss the malware delivered from that exploit kit.", "spans": {"Malware: malware": [[30, 37]], "Malware: exploit kit.": [[58, 70]]}, "info": {"id": "cyner2_5class_train_02005", "source": "cyner2_5class_train"}} +{"text": "] it Milano server2rc.exodus.connexxa [ .", "spans": {"Indicator: 
server2rc.exodus.connexxa [ .": [[12, 41]]}, "info": {"id": "cyner2_5class_train_02006", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.VBNA.bvts Trojan.Win32.VB.exmtrp Win32.Worm.Vbna.Wqdi Trojan.MSILPerseus.D2341B Worm.Win32.VBNA.bvts Worm:Win32/Esfury.T TScope.Trojan.MSIL Trj/CI.A Win32/Trojan.Dropper.6ac", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.VBNA.bvts": [[26, 46], [117, 137]], "Indicator: Trojan.Win32.VB.exmtrp": [[47, 69]], "Indicator: Win32.Worm.Vbna.Wqdi": [[70, 90]], "Indicator: Trojan.MSILPerseus.D2341B": [[91, 116]], "Indicator: Worm:Win32/Esfury.T": [[138, 157]], "Indicator: TScope.Trojan.MSIL": [[158, 176]], "Indicator: Trj/CI.A": [[177, 185]], "Indicator: Win32/Trojan.Dropper.6ac": [[186, 210]]}, "info": {"id": "cyner2_5class_train_02007", "source": "cyner2_5class_train"}} +{"text": "An old banking Trojan has been operating in Europe on a low level has spiked in activity after migrating to Japan.", "spans": {"Malware: banking Trojan": [[7, 21]]}, "info": {"id": "cyner2_5class_train_02008", "source": "cyner2_5class_train"}} +{"text": "This article revolves around the macro tricks it uses to stall analysts, and new commands that it utilizes to better persist on infected devices.", "spans": {"Malware: macro": [[33, 38]], "Indicator: commands": [[81, 89]], "System: infected devices.": [[128, 145]]}, "info": {"id": "cyner2_5class_train_02009", "source": "cyner2_5class_train"}} +{"text": "Recently we were able to observe these actors making modifications to their ClaySlide delivery documents in an attempt to evade antivirus detection.", "spans": {}, "info": {"id": "cyner2_5class_train_02010", "source": "cyner2_5class_train"}} +{"text": "After building an initial rapport with targets , the actors behind these social media accounts would instruct victims to install an additional app for easier communication .", "spans": {}, "info": {"id": "cyner2_5class_train_02011", "source": 
"cyner2_5class_train"}} +{"text": "If an unsuspecting user grants these permissions ( see Figure 4 ) , the trojan can read any text displayed in any app the user may launch – and send it to the attackers .", "spans": {}, "info": {"id": "cyner2_5class_train_02012", "source": "cyner2_5class_train"}} +{"text": "Within this blog post, a payload containing a function named forkmeiamfamous' was mentioned.", "spans": {"Malware: payload": [[25, 32]], "Indicator: forkmeiamfamous'": [[61, 77]]}, "info": {"id": "cyner2_5class_train_02013", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Lewor.B@mm Win32.Lewor.B@mm Worm.Lewor.Win32.28 W32/Lewor.b Win32.Lewor.E2C45E Win32.Trojan.WisdomEyes.16070401.9500.9944 W32.HLLW.Leox Win32.Lewor.B@mm Win32.Lewor.B@mm Trojan.Win32.Lewor.gptp W32.W.Lewor.b!c Win32.Lewor.B@mm Win32.Lewor.B@mm Trojan.PWS.Legmir BehavesLike.Win32.Pykse.kc I-Worm/Lewor.b Worm:Win32/Lewor.B@mm W32/Lewor.AP.worm Worm.Lewor!B42TpjAm9iw Trojan-Banker.Win32.Banker W32/GamePSW.B@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Lewor.B@mm": [[26, 42], [43, 59], [168, 184], [185, 201], [242, 258], [259, 275]], "Indicator: Worm.Lewor.Win32.28": [[60, 79]], "Indicator: W32/Lewor.b": [[80, 91]], "Indicator: Win32.Lewor.E2C45E": [[92, 110]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[111, 153]], "Indicator: W32.HLLW.Leox": [[154, 167]], "Indicator: Trojan.Win32.Lewor.gptp": [[202, 225]], "Indicator: W32.W.Lewor.b!c": [[226, 241]], "Indicator: Trojan.PWS.Legmir": [[276, 293]], "Indicator: BehavesLike.Win32.Pykse.kc": [[294, 320]], "Indicator: I-Worm/Lewor.b": [[321, 335]], "Indicator: Worm:Win32/Lewor.B@mm": [[336, 357]], "Indicator: W32/Lewor.AP.worm": [[358, 375]], "Indicator: Worm.Lewor!B42TpjAm9iw": [[376, 398]], "Indicator: Trojan-Banker.Win32.Banker": [[399, 425]], "Indicator: W32/GamePSW.B@mm": [[426, 442]]}, "info": {"id": "cyner2_5class_train_02014", "source": "cyner2_5class_train"}} +{"text": "These 
threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population .", "spans": {}, "info": {"id": "cyner2_5class_train_02015", "source": "cyner2_5class_train"}} +{"text": "The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit.", "spans": {"Malware: The exploit": [[0, 11]], "Malware: Angler Exploit Kit": [[42, 60]], "Malware: Metasploit.": [[81, 92]]}, "info": {"id": "cyner2_5class_train_02016", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Kagayab Trojan.Razy.D18A59 Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike.Win32.Dropper.mm W32/Trojan.GGCJ-3154 TrojanDownloader:Win32/Kagayab.A Trj/GdSda.A Win32/Trojan.a98", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Kagayab": [[26, 50]], "Indicator: Trojan.Razy.D18A59": [[51, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[70, 112]], "Indicator: BehavesLike.Win32.Dropper.mm": [[113, 141]], "Indicator: W32/Trojan.GGCJ-3154": [[142, 162]], "Indicator: TrojanDownloader:Win32/Kagayab.A": [[163, 195]], "Indicator: Trj/GdSda.A": [[196, 207]], "Indicator: Win32/Trojan.a98": [[208, 224]]}, "info": {"id": "cyner2_5class_train_02017", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.12BD Trojanspy.Babar Trojan.Badbar Win32.Trojan.Babar.A Trojan-Spy.Win32.Babar.a Trojan.Win32.Babar.dqhfcx Troj.Spy.W32!c Trojan.Babar.1 Trojan.Babar.Win32.3 BehavesLike.Win32.Trojan.fc TrojanSpy.Babar.c TR/AD.Babar.royis Trojan.Zusy.D42EE8 PWS:Win32/Babar.A!dha Trj/GdSda.A Win32.Trojan-spy.Babar.Dwsy Win32/Trojan.Spy.8fc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.12BD": [[26, 43]], "Indicator: Trojanspy.Babar": [[44, 59]], "Indicator: Trojan.Badbar": [[60, 73]], "Indicator: Win32.Trojan.Babar.A": [[74, 94]], "Indicator: Trojan-Spy.Win32.Babar.a": [[95, 119]], "Indicator: 
Trojan.Win32.Babar.dqhfcx": [[120, 145]], "Indicator: Troj.Spy.W32!c": [[146, 160]], "Indicator: Trojan.Babar.1": [[161, 175]], "Indicator: Trojan.Babar.Win32.3": [[176, 196]], "Indicator: BehavesLike.Win32.Trojan.fc": [[197, 224]], "Indicator: TrojanSpy.Babar.c": [[225, 242]], "Indicator: TR/AD.Babar.royis": [[243, 260]], "Indicator: Trojan.Zusy.D42EE8": [[261, 279]], "Indicator: PWS:Win32/Babar.A!dha": [[280, 301]], "Indicator: Trj/GdSda.A": [[302, 313]], "Indicator: Win32.Trojan-spy.Babar.Dwsy": [[314, 341]], "Indicator: Win32/Trojan.Spy.8fc": [[342, 362]]}, "info": {"id": "cyner2_5class_train_02018", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DaltetoD.Trojan Trojan/Fbphotofake.b Win32.Trojan.WisdomEyes.16070401.9500.9992 HV_CARDPAY_CA222928.TOMC Win.Trojan.Ag-4254306-1 Trojan-Dropper.Win32.FrauDrop.cth Trojan.Win32.Drop.mssht TrojWare.Win32.Downloader.Fraudload.AB Trojan.AVKill.14860 Dropper.FrauDrop.Win32.3001 BehavesLike.Win32.PWSZbot.fc Trojan.Win32.Fifesock W32.Malware.Downloader Trojan[Dropper]/Win32.FrauDrop Trojan-Dropper.Win32.FrauDrop.cth Trojan/Win32.CardPay.R21713 TrojanDropper.FrauDrop", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DaltetoD.Trojan": [[26, 45]], "Indicator: Trojan/Fbphotofake.b": [[46, 66]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[67, 109]], "Indicator: HV_CARDPAY_CA222928.TOMC": [[110, 134]], "Indicator: Win.Trojan.Ag-4254306-1": [[135, 158]], "Indicator: Trojan-Dropper.Win32.FrauDrop.cth": [[159, 192], [409, 442]], "Indicator: Trojan.Win32.Drop.mssht": [[193, 216]], "Indicator: TrojWare.Win32.Downloader.Fraudload.AB": [[217, 255]], "Indicator: Trojan.AVKill.14860": [[256, 275]], "Indicator: Dropper.FrauDrop.Win32.3001": [[276, 303]], "Indicator: BehavesLike.Win32.PWSZbot.fc": [[304, 332]], "Indicator: Trojan.Win32.Fifesock": [[333, 354]], "Indicator: W32.Malware.Downloader": [[355, 377]], "Indicator: Trojan[Dropper]/Win32.FrauDrop": [[378, 408]], "Indicator: 
Trojan/Win32.CardPay.R21713": [[443, 470]], "Indicator: TrojanDropper.FrauDrop": [[471, 493]]}, "info": {"id": "cyner2_5class_train_02019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Ddosaz.elmrbx TrojWare.Win32.ServStart.DQ Trojan.DownLoader23.31518 BehavesLike.Win32.Backdoor.kh Trojan.Graftor.D53379 Trojan:Win32/Ddosaz.A BScope.TrojanDDoS.Macri Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[46, 88]], "Indicator: Trojan.Win32.Ddosaz.elmrbx": [[89, 115]], "Indicator: TrojWare.Win32.ServStart.DQ": [[116, 143]], "Indicator: Trojan.DownLoader23.31518": [[144, 169]], "Indicator: BehavesLike.Win32.Backdoor.kh": [[170, 199]], "Indicator: Trojan.Graftor.D53379": [[200, 221]], "Indicator: Trojan:Win32/Ddosaz.A": [[222, 243]], "Indicator: BScope.TrojanDDoS.Macri": [[244, 267]], "Indicator: Trj/GdSda.A": [[268, 279]]}, "info": {"id": "cyner2_5class_train_02020", "source": "cyner2_5class_train"}} +{"text": "This was used to bypass 2FA methods by intercepting the SMS messages coming from the bank and stealing the mTANs without the victim ’ s knowledge .", "spans": {}, "info": {"id": "cyner2_5class_train_02021", "source": "cyner2_5class_train"}} +{"text": "Palo Alto Networks has observed a recent high-threat spam campaign that is serving malicious macro documents used to execute PowerShell scripts which injects malware similar to the Ursnif family directly into memory.", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: high-threat": [[41, 52]], "Malware: malicious macro": [[83, 98]], "Indicator: documents": [[99, 108]], "Indicator: PowerShell scripts": [[125, 143]], "Malware: malware": [[158, 165]], "Malware: Ursnif family": [[181, 194]], "Vulnerability: directly into memory.": [[195, 216]]}, "info": {"id": "cyner2_5class_train_02022", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WintaskLTE.Trojan Win32/Bancos.ABHY Trojan.Phisher.G Trojan.Dynamer.D9 Trojan.Phisher.G Troj.PSW.PHP.AccPhish.lstI Win32.Trojan.WisdomEyes.16070401.9500.9987 PHP/PSW.Phishack.AT Trojan.Phisher.G Trojan.Phisher.G Trojan.PWS.Stealer.895 BehavesLike.Win32.PWSMmorpg.vc Trojan/PSW.VKont.pq TR/Spy.PHP.psb Trojan[PSW]/PHP.AccPhish.rr Trojan.Phisher.G Trojan:Win32/Phishacco.A Trojan.Phisher.G Trj/CI.A Php.Trojan-qqpass.Qqrob.Sxxq Trojan.PHP.PSW W32/AccPhish.EU!tr.pws Win32/Trojan.d71", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WintaskLTE.Trojan": [[26, 47]], "Indicator: Win32/Bancos.ABHY": [[48, 65]], "Indicator: Trojan.Phisher.G": [[66, 82], [101, 117], [208, 224], [225, 241], [359, 375], [401, 417]], "Indicator: Trojan.Dynamer.D9": [[83, 100]], "Indicator: Troj.PSW.PHP.AccPhish.lstI": [[118, 144]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[145, 187]], "Indicator: PHP/PSW.Phishack.AT": [[188, 207]], "Indicator: Trojan.PWS.Stealer.895": [[242, 264]], "Indicator: BehavesLike.Win32.PWSMmorpg.vc": [[265, 295]], "Indicator: Trojan/PSW.VKont.pq": [[296, 315]], "Indicator: TR/Spy.PHP.psb": [[316, 330]], "Indicator: Trojan[PSW]/PHP.AccPhish.rr": [[331, 358]], "Indicator: Trojan:Win32/Phishacco.A": [[376, 400]], "Indicator: Trj/CI.A": [[418, 426]], "Indicator: Php.Trojan-qqpass.Qqrob.Sxxq": [[427, 455]], "Indicator: Trojan.PHP.PSW": [[456, 470]], "Indicator: W32/AccPhish.EU!tr.pws": [[471, 493]], "Indicator: Win32/Trojan.d71": [[494, 510]]}, "info": {"id": "cyner2_5class_train_02023", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TenoesaASN.Trojan Worm/W32.WBNA.102405 Win32.Trojan.WisdomEyes.16070401.9500.9978 Worm.Win32.WBNA.oaw Downloader.VB.Win32.98815 BehavesLike.Win32.Downloader.cm Win32.Sality TR/AD.Maywidmzi.brqly TrojanDownloader:Win32/Maywidmzi.A Worm.Win32.WBNA.oaw Worm/Win32.WBNA.C1716518 Worm.WBNA Trj/GdSda.A Win32/TrojanDownloader.VB.QXP 
Win32.Worm.Wbna.Ects Trojan.DL.VB!tTzkeI6oupQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TenoesaASN.Trojan": [[26, 47]], "Indicator: Worm/W32.WBNA.102405": [[48, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9978": [[69, 111]], "Indicator: Worm.Win32.WBNA.oaw": [[112, 131], [260, 279]], "Indicator: Downloader.VB.Win32.98815": [[132, 157]], "Indicator: BehavesLike.Win32.Downloader.cm": [[158, 189]], "Indicator: Win32.Sality": [[190, 202]], "Indicator: TR/AD.Maywidmzi.brqly": [[203, 224]], "Indicator: TrojanDownloader:Win32/Maywidmzi.A": [[225, 259]], "Indicator: Worm/Win32.WBNA.C1716518": [[280, 304]], "Indicator: Worm.WBNA": [[305, 314]], "Indicator: Trj/GdSda.A": [[315, 326]], "Indicator: Win32/TrojanDownloader.VB.QXP": [[327, 356]], "Indicator: Win32.Worm.Wbna.Ects": [[357, 377]], "Indicator: Trojan.DL.VB!tTzkeI6oupQ": [[378, 402]]}, "info": {"id": "cyner2_5class_train_02024", "source": "cyner2_5class_train"}} +{"text": "Login details are sent to attackers using an HTTP GET connection ONLY once.", "spans": {"Indicator: HTTP GET connection": [[45, 64]]}, "info": {"id": "cyner2_5class_train_02025", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Lodap Trojan/Exploit.CVE-2010-2568.f TROJ_STUXNET.DX W32.Stuxnet TROJ_STUXNET.DX Win.Trojan.Stuxnet-36 Exploit.Win32.CVE-2010-2568.b Exploit.Win32.CVE20102568f.bkuia Exploit.W32.CVE-2010-2568.f!c Win32.Exploit.Cve-2010-2568.Wopr Exploit.CVE.Win32.14 Trojan.Win32.Exploit Trojan[Exploit]/Win32.CVE-2010-2568 Exploit.Win32.CVE-2010-2568.b Exploit.Stuxnet Trj/ChymineLNK.A Win32/Exploit.CVE-2010-2568 Win32/Trojan.Exploit.406", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Lodap": [[26, 38]], "Indicator: Trojan/Exploit.CVE-2010-2568.f": [[39, 69]], "Indicator: TROJ_STUXNET.DX": [[70, 85], [98, 113]], "Indicator: W32.Stuxnet": [[86, 97]], "Indicator: Win.Trojan.Stuxnet-36": [[114, 135]], "Indicator: Exploit.Win32.CVE-2010-2568.b": [[136, 165], [340, 369]], 
"Indicator: Exploit.Win32.CVE20102568f.bkuia": [[166, 198]], "Indicator: Exploit.W32.CVE-2010-2568.f!c": [[199, 228]], "Indicator: Win32.Exploit.Cve-2010-2568.Wopr": [[229, 261]], "Indicator: Exploit.CVE.Win32.14": [[262, 282]], "Indicator: Trojan.Win32.Exploit": [[283, 303]], "Indicator: Trojan[Exploit]/Win32.CVE-2010-2568": [[304, 339]], "Indicator: Exploit.Stuxnet": [[370, 385]], "Indicator: Trj/ChymineLNK.A": [[386, 402]], "Indicator: Win32/Exploit.CVE-2010-2568": [[403, 430]], "Indicator: Win32/Trojan.Exploit.406": [[431, 455]]}, "info": {"id": "cyner2_5class_train_02026", "source": "cyner2_5class_train"}} +{"text": "MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads.", "spans": {"Malware: MrWhite": [[0, 7]], "Indicator: profile": [[12, 19]], "System: victim systems": [[24, 38]], "Indicator: presence": [[47, 55]], "System: POS software": [[67, 79]], "Malware: POS payloads.": [[104, 117]]}, "info": {"id": "cyner2_5class_train_02027", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.48F3 Trojan.Kazy.D8696E Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_CRYPCTB.SME Troj.Downloader.W32.FraudLoad.kYSC TROJ_CRYPCTB.SME BehavesLike.Win32.Upatre.tc Trojan:Win32/Triflearch.B Trojan.FakeAV.01657 Win32.Trojan.Crypt.Dzag Trojan.Win32.Crypt Win32/Trojan.8cf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.48F3": [[26, 42]], "Indicator: Trojan.Kazy.D8696E": [[43, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[62, 104]], "Indicator: TROJ_CRYPCTB.SME": [[105, 121], [157, 173]], "Indicator: Troj.Downloader.W32.FraudLoad.kYSC": [[122, 156]], "Indicator: BehavesLike.Win32.Upatre.tc": [[174, 201]], "Indicator: Trojan:Win32/Triflearch.B": [[202, 227]], "Indicator: Trojan.FakeAV.01657": [[228, 247]], "Indicator: Win32.Trojan.Crypt.Dzag": [[248, 271]], "Indicator: Trojan.Win32.Crypt": [[272, 290]], "Indicator: Win32/Trojan.8cf": [[291, 307]]}, 
"info": {"id": "cyner2_5class_train_02028", "source": "cyner2_5class_train"}} +{"text": "Malicious code identified, simple UDP DDoS attacks recorded.", "spans": {"Malware: Malicious code": [[0, 14]], "Indicator: simple UDP DDoS attacks": [[27, 50]]}, "info": {"id": "cyner2_5class_train_02029", "source": "cyner2_5class_train"}} +{"text": "If you follow the military analogy — those are the scouts .", "spans": {}, "info": {"id": "cyner2_5class_train_02030", "source": "cyner2_5class_train"}} +{"text": "At line 5 , local variable v4 specifies the first parameter url , which can be changed by the remote C2 server later .", "spans": {}, "info": {"id": "cyner2_5class_train_02031", "source": "cyner2_5class_train"}} +{"text": "It steals sensitive information, such as cryptocurrency wallet data, from different applications and uses a file grabber for collecting a predefined list of file types, then exfiltrates them via Telegram.", "spans": {"Indicator: steals sensitive information,": [[3, 32]], "System: cryptocurrency wallet": [[41, 62]], "System: applications": [[84, 96]], "System: file grabber": [[108, 120]], "Indicator: file types,": [[157, 168]], "System: Telegram.": [[195, 204]]}, "info": {"id": "cyner2_5class_train_02032", "source": "cyner2_5class_train"}} +{"text": "Forcepoint Security Labs™ have observed today a major malicious email campaign from the Necurs botnet spreading a new ransomware which appears to call itself Jaff peaking within our telemetry at nearly 5m emails per hour.", "spans": {"Organization: Forcepoint Security Labs™": [[0, 25]], "Malware: the Necurs botnet": [[84, 101]], "Malware: ransomware": [[118, 128]], "Malware: Jaff": [[158, 162]], "System: telemetry": [[182, 191]], "Indicator: nearly 5m emails per hour.": [[195, 221]]}, "info": {"id": "cyner2_5class_train_02033", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Dapato.cjt Trojan.Kryptik!UYVcX29KF20 W32/Krypt.DZ Trojan.Win32.Cleaman!IK 
TrojWare.Win32.Kryptik.ZLB Trojan.DownLoad2.49842 TR/FakeAV.bzqra TrojanDownloader.Dapato.ace TrojanDownloader:Win32/Cred.B Trojan/Win32.Menti TrojanDownloader.Dapato.cfq Trojan.Win32.Cleaman W32/Kryptik.ACD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Dapato.cjt": [[26, 54]], "Indicator: Trojan.Kryptik!UYVcX29KF20": [[55, 81]], "Indicator: W32/Krypt.DZ": [[82, 94]], "Indicator: Trojan.Win32.Cleaman!IK": [[95, 118]], "Indicator: TrojWare.Win32.Kryptik.ZLB": [[119, 145]], "Indicator: Trojan.DownLoad2.49842": [[146, 168]], "Indicator: TR/FakeAV.bzqra": [[169, 184]], "Indicator: TrojanDownloader.Dapato.ace": [[185, 212]], "Indicator: TrojanDownloader:Win32/Cred.B": [[213, 242]], "Indicator: Trojan/Win32.Menti": [[243, 261]], "Indicator: TrojanDownloader.Dapato.cfq": [[262, 289]], "Indicator: Trojan.Win32.Cleaman": [[290, 310]], "Indicator: W32/Kryptik.ACD!tr": [[311, 329]]}, "info": {"id": "cyner2_5class_train_02034", "source": "cyner2_5class_train"}} +{"text": "It 's restarted in the next cycle independently based on if WhatsApp is running .", "spans": {"System: WhatsApp": [[60, 68]]}, "info": {"id": "cyner2_5class_train_02035", "source": "cyner2_5class_train"}} +{"text": "Machine translation of this tweet reads : “ Watch out for online banking : Emotet reloads TrickBot .", "spans": {"Malware: Emotet": [[75, 81]], "Malware: TrickBot": [[90, 98]]}, "info": {"id": "cyner2_5class_train_02036", "source": "cyner2_5class_train"}} +{"text": "PwC's cyber security practice has worked closely with BAE Systems and other members of the security community, along with the UK's National Cyber Security Centre NCSC, to uncover and disrupt what is thought to be one of the largest ever sustained global cyber espionage campaigns in an operation referred to as Operation Cloud Hopper'.", "spans": {"Organization: PwC's cyber security": [[0, 20]], "Organization: BAE Systems": [[54, 65]], "Organization: the security community,": [[87, 110]], "Organization: the 
UK's National Cyber Security Centre NCSC,": [[122, 167]]}, "info": {"id": "cyner2_5class_train_02037", "source": "cyner2_5class_train"}} +{"text": "If some malware samples remain simple see my previous diary, others try to install malicious files in a smooth way to the victim computers.", "spans": {"Malware: malware": [[8, 15]], "Indicator: malicious files": [[83, 98]], "System: the victim computers.": [[118, 139]]}, "info": {"id": "cyner2_5class_train_02038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D55679 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Starter.cuyepr Trojan.Starter.2890 BehavesLike.Win32.Trojan.vm Trojan.Dropper MSIL/Injector.WSX!tr Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D55679": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[45, 87]], "Indicator: Trojan.Win32.Starter.cuyepr": [[88, 115]], "Indicator: Trojan.Starter.2890": [[116, 135]], "Indicator: BehavesLike.Win32.Trojan.vm": [[136, 163]], "Indicator: Trojan.Dropper": [[164, 178]], "Indicator: MSIL/Injector.WSX!tr": [[179, 199]], "Indicator: Win32/Trojan.e6d": [[200, 216]]}, "info": {"id": "cyner2_5class_train_02039", "source": "cyner2_5class_train"}} +{"text": "The malware is not really advanced and is based on a lot of copy/paste from public sources available on the Internet .", "spans": {}, "info": {"id": "cyner2_5class_train_02040", "source": "cyner2_5class_train"}} +{"text": "Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde.", "spans": {"Organization: the American Democratic National Committee, the German parliament": [[46, 111]], "Organization: the French television network TV5Monde.": [[116, 155]]}, "info": {"id": "cyner2_5class_train_02041", "source": "cyner2_5class_train"}} +{"text": "] today svcws [ .", "spans": {"Indicator: svcws [ .": [[8, 17]]}, "info": {"id": 
"cyner2_5class_train_02042", "source": "cyner2_5class_train"}} +{"text": "Enterprise and government employees all use these devices in their day-to-day work , which means IT and security leaders within these organizations must prioritize mobile in their security strategies .", "spans": {}, "info": {"id": "cyner2_5class_train_02043", "source": "cyner2_5class_train"}} +{"text": "BlackEnergy is a Trojan that was created by a hacker known as Cr4sh.", "spans": {"Malware: Trojan": [[17, 23]]}, "info": {"id": "cyner2_5class_train_02044", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Sylavriu BKDR_SYLAVRIU.SM Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Zbot BKDR_SYLAVRIU.SM Win.Trojan.Torct-1 W32.Trojan.Torct Trojan/MSIL.Crypt Trojan.MSIL.Krypt.2 Backdoor:MSIL/Sylavriu.A Dropper/Win32.Adminuser.R118179 Trojan.MSIL.Crypt Trojan.Crypt!ZlAnMaNuAFw Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sylavriu": [[26, 43]], "Indicator: BKDR_SYLAVRIU.SM": [[44, 60], [116, 132]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[61, 103]], "Indicator: Trojan.Zbot": [[104, 115]], "Indicator: Win.Trojan.Torct-1": [[133, 151]], "Indicator: W32.Trojan.Torct": [[152, 168]], "Indicator: Trojan/MSIL.Crypt": [[169, 186]], "Indicator: Trojan.MSIL.Krypt.2": [[187, 206]], "Indicator: Backdoor:MSIL/Sylavriu.A": [[207, 231]], "Indicator: Dropper/Win32.Adminuser.R118179": [[232, 263]], "Indicator: Trojan.MSIL.Crypt": [[264, 281]], "Indicator: Trojan.Crypt!ZlAnMaNuAFw": [[282, 306]], "Indicator: Trj/CI.A": [[307, 315]]}, "info": {"id": "cyner2_5class_train_02045", "source": "cyner2_5class_train"}} +{"text": "However , a few PHA authors spend substantial effort , time , and money to create and install their harmful app on one or a very small number of devices .", "spans": {}, "info": {"id": "cyner2_5class_train_02046", "source": "cyner2_5class_train"}} +{"text": "In addition , it collects identifiers and some data from the 
device .", "spans": {}, "info": {"id": "cyner2_5class_train_02047", "source": "cyner2_5class_train"}} +{"text": "Tricky Configurations TrickMo uses the shared preferences mechanism to store settings and data that the malware uses at runtime .", "spans": {"Malware: TrickMo": [[22, 29]]}, "info": {"id": "cyner2_5class_train_02048", "source": "cyner2_5class_train"}} +{"text": "It uses the base Dalvik User-Agent string for the device it ’ s running on .", "spans": {}, "info": {"id": "cyner2_5class_train_02049", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Redsip!O Trojandropper.Redsip Backdoor.Redsip.k Backdoor.Redsip.Win32.8 Backdoor/Redsip.k Win32.Trojan.WisdomEyes.16070401.9500.9970 W32/Backdoor2.HIOH Hacktool.Keylogger Win32/Redsip.A Backdoor.Win32.Redsip.a Trojan.Win32.Redsip.dcevd Backdoor.Win32.A.Redsip.159744 Backdoor.W32.Redsip.k!c BehavesLike.Win32.Ramnit.ct W32/Backdoor.VDXS-0842 BDS/Redsip.B W32/Redsip.A!tr Trojan[Backdoor]/Win32.Redsip Backdoor.Win32.Redsip.a TrojanDropper:Win32/Redsip.B Trojan/Win32.Redsip.C245513 Backdoor.Redsip Win32/Redsip.AA Win32.Backdoor.Redsip.Amvr Backdoor.Win32.Redsip", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Redsip!O": [[26, 49]], "Indicator: Trojandropper.Redsip": [[50, 70]], "Indicator: Backdoor.Redsip.k": [[71, 88]], "Indicator: Backdoor.Redsip.Win32.8": [[89, 112]], "Indicator: Backdoor/Redsip.k": [[113, 130]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9970": [[131, 173]], "Indicator: W32/Backdoor2.HIOH": [[174, 192]], "Indicator: Hacktool.Keylogger": [[193, 211]], "Indicator: Win32/Redsip.A": [[212, 226]], "Indicator: Backdoor.Win32.Redsip.a": [[227, 250], [442, 465]], "Indicator: Trojan.Win32.Redsip.dcevd": [[251, 276]], "Indicator: Backdoor.Win32.A.Redsip.159744": [[277, 307]], "Indicator: Backdoor.W32.Redsip.k!c": [[308, 331]], "Indicator: BehavesLike.Win32.Ramnit.ct": [[332, 359]], "Indicator: W32/Backdoor.VDXS-0842": [[360, 382]], "Indicator: 
BDS/Redsip.B": [[383, 395]], "Indicator: W32/Redsip.A!tr": [[396, 411]], "Indicator: Trojan[Backdoor]/Win32.Redsip": [[412, 441]], "Indicator: TrojanDropper:Win32/Redsip.B": [[466, 494]], "Indicator: Trojan/Win32.Redsip.C245513": [[495, 522]], "Indicator: Backdoor.Redsip": [[523, 538]], "Indicator: Win32/Redsip.AA": [[539, 554]], "Indicator: Win32.Backdoor.Redsip.Amvr": [[555, 581]], "Indicator: Backdoor.Win32.Redsip": [[582, 603]]}, "info": {"id": "cyner2_5class_train_02050", "source": "cyner2_5class_train"}} +{"text": "Phony Tech Support Scams Now Target Macs", "spans": {"Indicator: Scams": [[19, 24]], "System: Macs": [[36, 40]]}, "info": {"id": "cyner2_5class_train_02051", "source": "cyner2_5class_train"}} +{"text": "This sample only includes Dalvik bytecode and resources without any native libraries .", "spans": {}, "info": {"id": "cyner2_5class_train_02052", "source": "cyner2_5class_train"}} +{"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation .", "spans": {"System: Linux": [[47, 52]]}, "info": {"id": "cyner2_5class_train_02053", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Hexzone.bdlvxl Adware.Margoc MalCrypt.Indus! 
VirTool.Win32.Obfuscator.a Trojan:Win32/Procesemes.A.dll Trojan/Win32.Xema Adware.Margoc!rem", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Hexzone.bdlvxl": [[26, 53]], "Indicator: Adware.Margoc": [[54, 67]], "Indicator: MalCrypt.Indus!": [[68, 83]], "Indicator: VirTool.Win32.Obfuscator.a": [[84, 110]], "Indicator: Trojan:Win32/Procesemes.A.dll": [[111, 140]], "Indicator: Trojan/Win32.Xema": [[141, 158]], "Indicator: Adware.Margoc!rem": [[159, 176]]}, "info": {"id": "cyner2_5class_train_02054", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Urausy.E4 Ransom_Urausy.R038C0CB418 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Ransomlock.Q Ransom_Urausy.R038C0CB418 Trojan.Win32.Winlock.crahoz TrojWare.Win32.FakeAv.ASC Trojan.Winlock.9260 Trojan/Foreign.shn Ransom:Win32/Urausy.E Trojan.Zusy.D10991 Trojan/Win32.Foreign.R84961 SScope.Malware-Cryptor.Hlux Win32/LockScreen.AQD Trojan.Win32.Urausy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Urausy.E4": [[26, 42]], "Indicator: Ransom_Urausy.R038C0CB418": [[43, 68], [132, 157]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[69, 111]], "Indicator: Trojan.Ransomlock.Q": [[112, 131]], "Indicator: Trojan.Win32.Winlock.crahoz": [[158, 185]], "Indicator: TrojWare.Win32.FakeAv.ASC": [[186, 211]], "Indicator: Trojan.Winlock.9260": [[212, 231]], "Indicator: Trojan/Foreign.shn": [[232, 250]], "Indicator: Ransom:Win32/Urausy.E": [[251, 272]], "Indicator: Trojan.Zusy.D10991": [[273, 291]], "Indicator: Trojan/Win32.Foreign.R84961": [[292, 319]], "Indicator: SScope.Malware-Cryptor.Hlux": [[320, 347]], "Indicator: Win32/LockScreen.AQD": [[348, 368]], "Indicator: Trojan.Win32.Urausy": [[369, 388]]}, "info": {"id": "cyner2_5class_train_02055", "source": "cyner2_5class_train"}} +{"text": "In addition, HummingBad installs fraudulent apps to increase the revenue stream for the fraudster.", "spans": {"Malware: HummingBad": [[13, 23]], "Indicator: fraudulent 
apps": [[33, 48]]}, "info": {"id": "cyner2_5class_train_02056", "source": "cyner2_5class_train"}} +{"text": "This can be packaged and \" sold '' in many different ways to customers .", "spans": {}, "info": {"id": "cyner2_5class_train_02057", "source": "cyner2_5class_train"}} +{"text": "It can save an SMS message on the device , marking with “ internal ” in the phone number field .", "spans": {}, "info": {"id": "cyner2_5class_train_02058", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/SillyDl.XXJ!packed Trojan-Dropper.Win32.Dorifel.acvt Trojan.DownLoader1.46415 BehavesLike.Win32.Adware.cc TrojanDownloader:Win32/Plingky.A Trojan.Heur.EDD31E Trojan-Dropper.Win32.Dorifel.acvt Trojan-Downloader.Win32.Small W32/Dorifel.ACVT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/SillyDl.XXJ!packed": [[26, 50]], "Indicator: Trojan-Dropper.Win32.Dorifel.acvt": [[51, 84], [190, 223]], "Indicator: Trojan.DownLoader1.46415": [[85, 109]], "Indicator: BehavesLike.Win32.Adware.cc": [[110, 137]], "Indicator: TrojanDownloader:Win32/Plingky.A": [[138, 170]], "Indicator: Trojan.Heur.EDD31E": [[171, 189]], "Indicator: Trojan-Downloader.Win32.Small": [[224, 253]], "Indicator: W32/Dorifel.ACVT!tr": [[254, 273]]}, "info": {"id": "cyner2_5class_train_02059", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Clicker.BHO.ncx Trojan.Zbot Win32/TrojanClicker.BHO.NCX TROJ_SPNR.30BB13 Trojan.Win32.Starter.amcr Trojan.Win32.Starter.dzdloa Win32.Trojan.Starter.Suef TROJ_SPNR.30BB13 BehavesLike.Win32.Downloader.gh TR/Lickore.B.7 W32/TrojanClicker_BHO.NCX PUP/Win32.Msbuyn.N640533768 Trojan:Win32/Lickore.B Win32/Lickore.B Trojan-Clicker.BAHK Clicker.BAHK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Clicker.BHO.ncx": [[26, 48]], "Indicator: Trojan.Zbot": [[49, 60]], "Indicator: Win32/TrojanClicker.BHO.NCX": [[61, 88]], "Indicator: TROJ_SPNR.30BB13": [[89, 105], [186, 202]], "Indicator: Trojan.Win32.Starter.amcr": 
[[106, 131]], "Indicator: Trojan.Win32.Starter.dzdloa": [[132, 159]], "Indicator: Win32.Trojan.Starter.Suef": [[160, 185]], "Indicator: BehavesLike.Win32.Downloader.gh": [[203, 234]], "Indicator: TR/Lickore.B.7": [[235, 249]], "Indicator: W32/TrojanClicker_BHO.NCX": [[250, 275]], "Indicator: PUP/Win32.Msbuyn.N640533768": [[276, 303]], "Indicator: Trojan:Win32/Lickore.B": [[304, 326]], "Indicator: Win32/Lickore.B": [[327, 342]], "Indicator: Trojan-Clicker.BAHK": [[343, 362]], "Indicator: Clicker.BAHK": [[363, 375]]}, "info": {"id": "cyner2_5class_train_02060", "source": "cyner2_5class_train"}} +{"text": "The command and control C&C communications for new variants use the same AES256 encryption for any traffic to the attacker's server; in previous variants, only Base64 encoding was used.", "spans": {"Indicator: command and control C&C communications": [[4, 42]], "Malware: variants": [[51, 59]], "Indicator: AES256 encryption": [[73, 90]], "System: server;": [[125, 132]], "Indicator: Base64 encoding": [[160, 175]]}, "info": {"id": "cyner2_5class_train_02061", "source": "cyner2_5class_train"}} +{"text": "Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials.", "spans": {"Malware: Disttrack": [[0, 9]], "Malware: tool": [[28, 32]], "Malware: worm-like": [[47, 56]], "System: systems": [[99, 106]], "System: local network": [[112, 125]], "Indicator: stolen administrator credentials.": [[132, 165]]}, "info": {"id": "cyner2_5class_train_02062", "source": "cyner2_5class_train"}} +{"text": "Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag.", "spans": {"Organization: BSI,": [[41, 45]], "Organization: the national cyber security agency,": [[49, 84]], "Organization: the German Bundestag,": [[116, 137]], "System: network traffic": 
[[149, 164]], "Organization: the German Bundestag.": [[168, 189]]}, "info": {"id": "cyner2_5class_train_02063", "source": "cyner2_5class_train"}} +{"text": "Additionally, when we searched for the decoded string value we found a single search engine result that pointed to a Pastebin page.", "spans": {"Indicator: decoded string value": [[39, 59]], "System: search engine": [[78, 91]], "Indicator: a Pastebin page.": [[115, 131]]}, "info": {"id": "cyner2_5class_train_02064", "source": "cyner2_5class_train"}} +{"text": "First, Winnti uses Cobalt Strike to collect credentials and move laterally.", "spans": {}, "info": {"id": "cyner2_5class_train_02065", "source": "cyner2_5class_train"}} +{"text": "At the time of investigation this malware was not correctly detected by any existing antivirus engines, and domains / IP s were not found in any commercial threat intelligence feeds.", "spans": {"Malware: At": [[0, 2]], "Malware: malware": [[34, 41]], "System: antivirus engines,": [[85, 103]], "Indicator: domains": [[108, 115]], "Indicator: IP": [[118, 120]], "Organization: commercial threat intelligence feeds.": [[145, 182]]}, "info": {"id": "cyner2_5class_train_02066", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D31A9 Win32.Trojan.WisdomEyes.16070401.9500.9960 TROJ_HOYGUNER.SM Trojan.Win32.Drop.dhxynu TROJ_HOYGUNER.SM Virus.MSIL W32.Trojan.Dropper Trojan:MSIL/Hoygunver.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D31A9": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9960": [[44, 86]], "Indicator: TROJ_HOYGUNER.SM": [[87, 103], [129, 145]], "Indicator: Trojan.Win32.Drop.dhxynu": [[104, 128]], "Indicator: Virus.MSIL": [[146, 156]], "Indicator: W32.Trojan.Dropper": [[157, 175]], "Indicator: Trojan:MSIL/Hoygunver.B": [[176, 199]]}, "info": {"id": "cyner2_5class_train_02067", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DeadBeef.Worm Worm/W32.AutoRun.175104 
Worm.Win32.AutoRun!O Worm.AutoRun.Win32.8121 W32/AutoRun.pv W32.SillyFDC Win32/Wainlas.A WORM_AUTORUN_000002c.TOMA Win.Worm.Autorun-1414 Worm.Win32.AutoRun.pv Trojan.Win32.AutoRun.ltul Win32.Worm.Autorun.Tbim Worm.Win32.AutoRun.~MAA Win32.HLLW.Autoruner.748 WORM_AUTORUN_000002c.TOMA Worm/AutoRun.bhu TR/Drop.AutoRun.BM Worm/Win32.AutoRun Worm.Win32.Autorun.12728 Worm.Win32.AutoRun.pv Worm/Win32.AutoRun.R16694 Worm.AutoRun Worm.Win32.AutoRun W32/AutoRun.NTQ!worm Trj/Debat.A Trojan.PSW.Win32.QQPass.CF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DeadBeef.Worm": [[26, 43]], "Indicator: Worm/W32.AutoRun.175104": [[44, 67]], "Indicator: Worm.Win32.AutoRun!O": [[68, 88]], "Indicator: Worm.AutoRun.Win32.8121": [[89, 112]], "Indicator: W32/AutoRun.pv": [[113, 127]], "Indicator: W32.SillyFDC": [[128, 140]], "Indicator: Win32/Wainlas.A": [[141, 156]], "Indicator: WORM_AUTORUN_000002c.TOMA": [[157, 182], [326, 351]], "Indicator: Win.Worm.Autorun-1414": [[183, 204]], "Indicator: Worm.Win32.AutoRun.pv": [[205, 226], [432, 453]], "Indicator: Trojan.Win32.AutoRun.ltul": [[227, 252]], "Indicator: Win32.Worm.Autorun.Tbim": [[253, 276]], "Indicator: Worm.Win32.AutoRun.~MAA": [[277, 300]], "Indicator: Win32.HLLW.Autoruner.748": [[301, 325]], "Indicator: Worm/AutoRun.bhu": [[352, 368]], "Indicator: TR/Drop.AutoRun.BM": [[369, 387]], "Indicator: Worm/Win32.AutoRun": [[388, 406]], "Indicator: Worm.Win32.Autorun.12728": [[407, 431]], "Indicator: Worm/Win32.AutoRun.R16694": [[454, 479]], "Indicator: Worm.AutoRun": [[480, 492]], "Indicator: Worm.Win32.AutoRun": [[493, 511]], "Indicator: W32/AutoRun.NTQ!worm": [[512, 532]], "Indicator: Trj/Debat.A": [[533, 544]], "Indicator: Trojan.PSW.Win32.QQPass.CF": [[545, 571]]}, "info": {"id": "cyner2_5class_train_02068", "source": "cyner2_5class_train"}} +{"text": "During the WannaCry pandemic attack, CyphortLabs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware.", "spans": 
{"Malware: WannaCry": [[11, 19]], "Indicator: pandemic attack,": [[20, 36]], "Organization: CyphortLabs": [[37, 48]], "Organization: threat actors": [[71, 84]], "Malware: same EternalBlue exploit": [[105, 129]], "Malware: malware.": [[147, 155]]}, "info": {"id": "cyner2_5class_train_02069", "source": "cyner2_5class_train"}} +{"text": "Although bitcoin miners have been used by cybercriminals before as a way to monetize their malicious activities, this recent sample MD5: 522f8ba8b2dec299cc64c0ccf5a68000 caught our attention because it is unusually heavy, persistent, and obfuscated.", "spans": {"Malware: bitcoin miners": [[9, 23]], "Indicator: malicious activities,": [[91, 112]], "Indicator: MD5: 522f8ba8b2dec299cc64c0ccf5a68000": [[132, 169]]}, "info": {"id": "cyner2_5class_train_02070", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.kowinHA.Worm Backdoor.Win32.Popwin!O Trojan.Heur.amuaxSBiYpji Win32.Trojan.WisdomEyes.16070401.9500.9769 W32.Popwin Win32/Pipown.NW TROJ_NSPAK.A Trojan.Win32.Popwin.jgms Constructor.W32.VB.lgxd Backdoor.Win32.Popwin.~IQ Trojan.Popwin TROJ_NSPAK.A BehavesLike.Win32.Downloader.lc Trojan/PSW.GamePass.pjs Worm:Win32/Winko.A Backdoor.Popwin Worm.Win32.AutoRun W32/Winko.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.kowinHA.Worm": [[26, 42]], "Indicator: Backdoor.Win32.Popwin!O": [[43, 66]], "Indicator: Trojan.Heur.amuaxSBiYpji": [[67, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9769": [[92, 134]], "Indicator: W32.Popwin": [[135, 145]], "Indicator: Win32/Pipown.NW": [[146, 161]], "Indicator: TROJ_NSPAK.A": [[162, 174], [264, 276]], "Indicator: Trojan.Win32.Popwin.jgms": [[175, 199]], "Indicator: Constructor.W32.VB.lgxd": [[200, 223]], "Indicator: Backdoor.Win32.Popwin.~IQ": [[224, 249]], "Indicator: Trojan.Popwin": [[250, 263]], "Indicator: BehavesLike.Win32.Downloader.lc": [[277, 308]], "Indicator: Trojan/PSW.GamePass.pjs": [[309, 332]], "Indicator: Worm:Win32/Winko.A": [[333, 351]], 
"Indicator: Backdoor.Popwin": [[352, 367]], "Indicator: Worm.Win32.AutoRun": [[368, 386]], "Indicator: W32/Winko.A!tr": [[387, 401]]}, "info": {"id": "cyner2_5class_train_02071", "source": "cyner2_5class_train"}} +{"text": "The two 0-days in question targeted Adobe Flash and were subsequently labeled CVE-2015-5119 and CVE-2015-5122.", "spans": {"Vulnerability: 0-days": [[8, 14]], "System: Adobe Flash": [[36, 47]], "Indicator: CVE-2015-5119": [[78, 91]], "Indicator: CVE-2015-5122.": [[96, 110]]}, "info": {"id": "cyner2_5class_train_02072", "source": "cyner2_5class_train"}} +{"text": "TrickMo ’ s Persistence Capabilities When it comes to Android-based devices , many applications must find a way to run on the device after a system reboot .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android-based": [[54, 67]]}, "info": {"id": "cyner2_5class_train_02073", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Fakedos.A Backdoor.Fakedos!ktjmxmN20Kc W32/Backdoor.MDB Backdoor.Trojan BKDR_BACKDOOR4.B Backdoor.Win32.Fakedos.a Backdoor.Fakedos.A Backdoor.Fakedos.A Backdoor.Fakedos.A Email-Worm.Win32.GOPworm.196 BDS/Fakedos.A.1 BKDR_BACKDOOR4.B Win32.Hack.Fakedos.a.kcloud Backdoor.Fakedos.A W32/Backdoor.CVVK-7742 Win-Trojan/Fakedos.94208 TScope.Trojan.VB PE:Backdoor.Fakedos.a!1073830334 BackDoor.Fakedos.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Fakedos.A": [[26, 44], [149, 167], [168, 186], [187, 205], [296, 314]], "Indicator: Backdoor.Fakedos!ktjmxmN20Kc": [[45, 73]], "Indicator: W32/Backdoor.MDB": [[74, 90]], "Indicator: Backdoor.Trojan": [[91, 106]], "Indicator: BKDR_BACKDOOR4.B": [[107, 123], [251, 267]], "Indicator: Backdoor.Win32.Fakedos.a": [[124, 148]], "Indicator: Email-Worm.Win32.GOPworm.196": [[206, 234]], "Indicator: BDS/Fakedos.A.1": [[235, 250]], "Indicator: Win32.Hack.Fakedos.a.kcloud": [[268, 295]], "Indicator: W32/Backdoor.CVVK-7742": [[315, 337]], "Indicator: Win-Trojan/Fakedos.94208": [[338, 362]], 
"Indicator: TScope.Trojan.VB": [[363, 379]], "Indicator: PE:Backdoor.Fakedos.a!1073830334": [[380, 412]], "Indicator: BackDoor.Fakedos.C": [[413, 431]]}, "info": {"id": "cyner2_5class_train_02074", "source": "cyner2_5class_train"}} +{"text": "Check Point Software Hummingbad/Shedun infections by Android version .", "spans": {"Organization: Check Point Software": [[0, 20]], "Malware: Hummingbad/Shedun": [[21, 38]], "System: Android": [[53, 60]]}, "info": {"id": "cyner2_5class_train_02075", "source": "cyner2_5class_train"}} +{"text": "Example of traffic from an early version of Asacub ( 2015 ) The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard .", "spans": {"Malware: Asacub": [[44, 50]]}, "info": {"id": "cyner2_5class_train_02076", "source": "cyner2_5class_train"}} +{"text": "It opens a socket on the victim ’ s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 .", "spans": {"Indicator: 54.67.109.199:6500": [[112, 130]]}, "info": {"id": "cyner2_5class_train_02077", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.44AD Win32.Virus.Downloader.Aojh Trojan-Downloader.Win32.Cekar W32/Noia.B Trj/CI.A Win32/Trojan.dd1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.44AD": [[26, 43]], "Indicator: Win32.Virus.Downloader.Aojh": [[44, 71]], "Indicator: Trojan-Downloader.Win32.Cekar": [[72, 101]], "Indicator: W32/Noia.B": [[102, 112]], "Indicator: Trj/CI.A": [[113, 121]], "Indicator: Win32/Trojan.dd1": [[122, 138]]}, "info": {"id": "cyner2_5class_train_02078", "source": "cyner2_5class_train"}} +{"text": "Used in Pawn Storm to target certain foreign affairs ministries, the vulnerability identified as CVE-2015-7645 represents a significant change in tactics from previous exploits.", "spans": {"Organization: foreign affairs ministries,": [[37, 64]], "Vulnerability: vulnerability": [[69, 82]], "Indicator: CVE-2015-7645": [[97, 
110]], "Vulnerability: exploits.": [[168, 177]]}, "info": {"id": "cyner2_5class_train_02079", "source": "cyner2_5class_train"}} +{"text": "Based on infrastructure overlaps and leaked information , we assess with high confidence that the malware we identified and present in this paper is linked to Wolf Research .", "spans": {"Organization: Wolf Research": [[159, 172]]}, "info": {"id": "cyner2_5class_train_02080", "source": "cyner2_5class_train"}} +{"text": "Then the application downloads java archive from the URL specified in json , dynamically loads it with class loader API .", "spans": {}, "info": {"id": "cyner2_5class_train_02081", "source": "cyner2_5class_train"}} +{"text": "However , a simple Google search for the adware package name returned a “ TestDelete ” project that had been available in his repository at some point The malicious developer also has apps in Apple ’ s App Store .", "spans": {"Organization: Google": [[19, 25]], "Organization: Apple": [[192, 197]], "System: App Store": [[202, 211]]}, "info": {"id": "cyner2_5class_train_02082", "source": "cyner2_5class_train"}} +{"text": "Both of these types of fraud take advantage of mobile billing techniques involving the user ’ s carrier .", "spans": {}, "info": {"id": "cyner2_5class_train_02083", "source": "cyner2_5class_train"}} +{"text": "The Evidence Collector module is responsible for the spying routines outlined above .", "spans": {}, "info": {"id": "cyner2_5class_train_02084", "source": "cyner2_5class_train"}} +{"text": "Figure 7 – C2 As seen in Figure 8 , this version of Anubis is built to run on several iterations of the Android operating system , dating back to version 4.0.3 , which was released in 2012 .", "spans": {"Malware: Anubis": [[52, 58]], "System: Android": [[104, 111]]}, "info": {"id": "cyner2_5class_train_02085", "source": "cyner2_5class_train"}} +{"text": "So far , the attackers relied entirely on social engineering to infect the targets .", "spans": {}, "info": {"id": 
"cyner2_5class_train_02086", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.D995 Virus.Win32.Sality!O Backdoor.PMax Trojan.Win32.PMax.deplgs Backdoor.Win32.PMax.atcf MULDROP.Trojan BehavesLike.Win32.Downloader.mc W32/Poweliks.A!tr Trojan.Zusy.D19DC7 Trojan/Win32.VBKrypt Trojan:Win32/Powessere.A Backdoor.PMax Trojan.Poweliks Trojan.Win32.Poweliks.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.D995": [[26, 42]], "Indicator: Virus.Win32.Sality!O": [[43, 63]], "Indicator: Backdoor.PMax": [[64, 77], [258, 271]], "Indicator: Trojan.Win32.PMax.deplgs": [[78, 102]], "Indicator: Backdoor.Win32.PMax.atcf": [[103, 127]], "Indicator: MULDROP.Trojan": [[128, 142]], "Indicator: BehavesLike.Win32.Downloader.mc": [[143, 174]], "Indicator: W32/Poweliks.A!tr": [[175, 192]], "Indicator: Trojan.Zusy.D19DC7": [[193, 211]], "Indicator: Trojan/Win32.VBKrypt": [[212, 232]], "Indicator: Trojan:Win32/Powessere.A": [[233, 257]], "Indicator: Trojan.Poweliks": [[272, 287]], "Indicator: Trojan.Win32.Poweliks.B": [[288, 311]]}, "info": {"id": "cyner2_5class_train_02087", "source": "cyner2_5class_train"}} +{"text": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed TelePort Crew.", "spans": {"Organization: tr1adx team": [[30, 41]]}, "info": {"id": "cyner2_5class_train_02088", "source": "cyner2_5class_train"}} +{"text": "One method , which was popular in Germany , is known as mobile TAN ( mTAN ) .", "spans": {}, "info": {"id": "cyner2_5class_train_02089", "source": "cyner2_5class_train"}} +{"text": "The campaign ’ s attack vector is also interesting .", "spans": {}, "info": {"id": "cyner2_5class_train_02090", "source": "cyner2_5class_train"}} +{"text": "The infection vector was a drive-by download attack, and the Check Points Threat-Cloud indicates some adult content sites served the malicious payload.", "spans": {"Vulnerability: The infection vector": [[0, 20]], "Indicator: drive-by download 
attack,": [[27, 52]], "Organization: the Check Points Threat-Cloud": [[57, 86]], "Indicator: adult content sites": [[102, 121]], "Malware: malicious payload.": [[133, 151]]}, "info": {"id": "cyner2_5class_train_02091", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Motd.A Backdoor.Motd.A Trojan.Win32.Malware.a Backdoor.Trojan Backdoor.Motd.A Backdoor.Win32.MOTD Backdoor.Motd.A Trojan.Win32.MOTD.glgl Troj.Spy.W32.Delf.mczC Backdoor.Motd.A Backdoor.Motd.A BackDoor.Motd Backdoor.MOTD.Win32.1 BehavesLike.Win32.Ipamor.hh Backdoor.Win32.Y3KRat Trojan[Backdoor]/Win32.MOTD Backdoor.Motd.A Backdoor.Win32.MOTD Trojan.Win32.Malware.a Backdoor.MOTD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Motd.A": [[26, 41], [42, 57], [97, 112], [133, 148], [195, 210], [211, 226], [341, 356]], "Indicator: Trojan.Win32.Malware.a": [[58, 80], [377, 399]], "Indicator: Backdoor.Trojan": [[81, 96]], "Indicator: Backdoor.Win32.MOTD": [[113, 132], [357, 376]], "Indicator: Trojan.Win32.MOTD.glgl": [[149, 171]], "Indicator: Troj.Spy.W32.Delf.mczC": [[172, 194]], "Indicator: BackDoor.Motd": [[227, 240]], "Indicator: Backdoor.MOTD.Win32.1": [[241, 262]], "Indicator: BehavesLike.Win32.Ipamor.hh": [[263, 290]], "Indicator: Backdoor.Win32.Y3KRat": [[291, 312]], "Indicator: Trojan[Backdoor]/Win32.MOTD": [[313, 340]], "Indicator: Backdoor.MOTD": [[400, 413]]}, "info": {"id": "cyner2_5class_train_02092", "source": "cyner2_5class_train"}} +{"text": "CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data.", "spans": {"Malware: CloudDuke": [[0, 9]], "Organization: Duke group's": [[38, 50]], "System: Microsoft's OneDrive,": [[97, 118]], "Indicator: command and control": [[141, 160]], "Indicator: exfiltration of stolen data.": [[176, 204]]}, "info": {"id": "cyner2_5class_train_02093", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.CG Downloader.Vidlo.Win32.11 Backdoor.W32.IRCBot.mA1F Trojan.Crypt.CG Win32.Trojan.WisdomEyes.16070401.9500.9959 W32/Downloader.PQKB-6890 Win32/InjectDown.B TROJ_DLOADER.JR Win.Downloader.Small-886 Trojan-Downloader.Win32.Vidlo.k Trojan.Crypt.CG Trojan.Crypt.CG TrojWare.Win32.TrojanDownloader.Vidlo.K Trojan.Crypt.CG Trojan.DownLoader.3548 TROJ_DLOADER.JR Packer.Win32.Mondera W32/Downloader.BEC TrojanDownloader.Small.zu TR/Dldr.Vidlo.K Trojan[Downloader]/Win32.Vidlo Win32.Troj.Vidlo.k.kcloud TrojanDownloader:Win32/Vidlo.I Trojan.Win32.A.Downloader.3584.CB Trojan-Downloader.Win32.Vidlo.k Trojan.Crypt.CG Trojan.Crypt.CG TScope.Malware-Cryptor.SB Win32/TrojanDownloader.Vidlo.K", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.CG": [[26, 41], [93, 108], [269, 284], [285, 300], [341, 356], [632, 647], [648, 663]], "Indicator: Downloader.Vidlo.Win32.11": [[42, 67]], "Indicator: Backdoor.W32.IRCBot.mA1F": [[68, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[109, 151]], "Indicator: W32/Downloader.PQKB-6890": [[152, 176]], "Indicator: Win32/InjectDown.B": [[177, 195]], "Indicator: TROJ_DLOADER.JR": [[196, 211], [380, 395]], "Indicator: Win.Downloader.Small-886": [[212, 236]], "Indicator: Trojan-Downloader.Win32.Vidlo.k": [[237, 268], [600, 631]], "Indicator: TrojWare.Win32.TrojanDownloader.Vidlo.K": [[301, 340]], "Indicator: Trojan.DownLoader.3548": [[357, 379]], "Indicator: Packer.Win32.Mondera": [[396, 416]], "Indicator: W32/Downloader.BEC": [[417, 435]], "Indicator: TrojanDownloader.Small.zu": [[436, 461]], "Indicator: TR/Dldr.Vidlo.K": [[462, 477]], "Indicator: Trojan[Downloader]/Win32.Vidlo": [[478, 508]], "Indicator: Win32.Troj.Vidlo.k.kcloud": [[509, 534]], "Indicator: TrojanDownloader:Win32/Vidlo.I": [[535, 565]], "Indicator: Trojan.Win32.A.Downloader.3584.CB": [[566, 599]], "Indicator: TScope.Malware-Cryptor.SB": [[664, 689]], "Indicator: 
Win32/TrojanDownloader.Vidlo.K": [[690, 720]]}, "info": {"id": "cyner2_5class_train_02094", "source": "cyner2_5class_train"}} +{"text": "All the text is then copied and - again hidden in the background - sent to a foreign server.", "spans": {}, "info": {"id": "cyner2_5class_train_02095", "source": "cyner2_5class_train"}} +{"text": "Just like the old-school mail worms that used the victim 's address book to select the next victims , this banking trojan 's activation cycle includes the exfiltration of the victim 's address book .", "spans": {"System: address book": [[60, 72]]}, "info": {"id": "cyner2_5class_train_02096", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Black.r5 Trojan.Win32.Black.deckbe Backdoor.Vinself.C Win32/Leouncia.D TROJ_ORCARAT.A Packed.Win32.Black.d Packed.Win32.Aspack.AB Trojan.DownLoader11.40855 Trojan.Packed.Win32.43496 TROJ_ORCARAT.A BehavesLike.Win32.Dropper.fc W32/Trojan.QUXL-7354 Packed.Black.ahku W32/Black.D!tr Trojan.Heur.wuXa774c9jj Packer.W32.Black.d!c VirTool:Win32/Obfuscator.XY Win32.Packed.Black.Ebzx Trojan-Downloader.Win32.Banload Trojan.Win32.Black.d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Black.r5": [[26, 41]], "Indicator: Trojan.Win32.Black.deckbe": [[42, 67]], "Indicator: Backdoor.Vinself.C": [[68, 86]], "Indicator: Win32/Leouncia.D": [[87, 103]], "Indicator: TROJ_ORCARAT.A": [[104, 118], [215, 229]], "Indicator: Packed.Win32.Black.d": [[119, 139]], "Indicator: Packed.Win32.Aspack.AB": [[140, 162]], "Indicator: Trojan.DownLoader11.40855": [[163, 188]], "Indicator: Trojan.Packed.Win32.43496": [[189, 214]], "Indicator: BehavesLike.Win32.Dropper.fc": [[230, 258]], "Indicator: W32/Trojan.QUXL-7354": [[259, 279]], "Indicator: Packed.Black.ahku": [[280, 297]], "Indicator: W32/Black.D!tr": [[298, 312]], "Indicator: Trojan.Heur.wuXa774c9jj": [[313, 336]], "Indicator: Packer.W32.Black.d!c": [[337, 357]], "Indicator: VirTool:Win32/Obfuscator.XY": [[358, 385]], "Indicator: 
Win32.Packed.Black.Ebzx": [[386, 409]], "Indicator: Trojan-Downloader.Win32.Banload": [[410, 441]], "Indicator: Trojan.Win32.Black.d": [[442, 462]]}, "info": {"id": "cyner2_5class_train_02097", "source": "cyner2_5class_train"}} +{"text": "Upon successful exploitation, a new process is created with the PE file embedded in the uploadpref.dat file.", "spans": {"Malware: exploitation,": [[16, 29]], "Indicator: PE file embedded": [[64, 80]], "Indicator: uploadpref.dat file.": [[88, 108]]}, "info": {"id": "cyner2_5class_train_02098", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ScriptKD.6648 Trojan.Tiggre Trojan.ScriptKD.6648 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.VBS.Small.l Trojan.Script.Small.dczplj Trojan.ScriptKD.6648 Tool.BtcMine.1036 BehavesLike.Win32.AdwareLinkury.hc W32/Trojan.LHYZ-8303 Trojan[Downloader]/Win32.Betload TrojanDownloader:Win32/Streamto.A Zum.BitCoinMiner.1 Trojan-Downloader.VBS.Small.l Zum.BitCoinMiner.1 Trojan.ScriptKD.6648 Trojan.ScriptKD.6648 Trj/CI.A Trojan.Bitcoinminer Vbs.Trojan-downloader.Small.Stty Trojan-Downloader.VBS.Small.L Win32/Trojan.f11", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ScriptKD.6648": [[26, 46], [61, 81], [182, 202], [412, 432], [433, 453]], "Indicator: Trojan.Tiggre": [[47, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Trojan-Downloader.VBS.Small.l": [[125, 154], [363, 392]], "Indicator: Trojan.Script.Small.dczplj": [[155, 181]], "Indicator: Tool.BtcMine.1036": [[203, 220]], "Indicator: BehavesLike.Win32.AdwareLinkury.hc": [[221, 255]], "Indicator: W32/Trojan.LHYZ-8303": [[256, 276]], "Indicator: Trojan[Downloader]/Win32.Betload": [[277, 309]], "Indicator: TrojanDownloader:Win32/Streamto.A": [[310, 343]], "Indicator: Zum.BitCoinMiner.1": [[344, 362], [393, 411]], "Indicator: Trj/CI.A": [[454, 462]], "Indicator: Trojan.Bitcoinminer": [[463, 482]], "Indicator: Vbs.Trojan-downloader.Small.Stty": [[483, 515]], 
"Indicator: Trojan-Downloader.VBS.Small.L": [[516, 545]], "Indicator: Win32/Trojan.f11": [[546, 562]]}, "info": {"id": "cyner2_5class_train_02099", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/Bifrose.sxu Win32.Trojan.WisdomEyes.16070401.9500.9583 W32/Backdoor.BVIJ-4494 BKDR_BIFROSE_0000025.TOMA Win.Trojan.Bifrose-3481 Trojan.Win32.Bifrose.isow Backdoor.Win32.A.Bifrose.51712.B[h] Trojan.MulDrop.16295 Backdoor.Bifrose.Win32.79774 W32/Backdoor2.BVUS Backdoor/SdBot.ees WORM/IrcBot.353792 Trojan[Backdoor]/Win32.Bifrose Trojan:Win32/Mdrop.A Backdoor/Win32.Bifrose.C64544 Backdoor.Bifrose!Gi2ynDtXmII Backdoor.Win32.Bifrose", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Bifrose.sxu": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9583": [[47, 89]], "Indicator: W32/Backdoor.BVIJ-4494": [[90, 112]], "Indicator: BKDR_BIFROSE_0000025.TOMA": [[113, 138]], "Indicator: Win.Trojan.Bifrose-3481": [[139, 162]], "Indicator: Trojan.Win32.Bifrose.isow": [[163, 188]], "Indicator: Backdoor.Win32.A.Bifrose.51712.B[h]": [[189, 224]], "Indicator: Trojan.MulDrop.16295": [[225, 245]], "Indicator: Backdoor.Bifrose.Win32.79774": [[246, 274]], "Indicator: W32/Backdoor2.BVUS": [[275, 293]], "Indicator: Backdoor/SdBot.ees": [[294, 312]], "Indicator: WORM/IrcBot.353792": [[313, 331]], "Indicator: Trojan[Backdoor]/Win32.Bifrose": [[332, 362]], "Indicator: Trojan:Win32/Mdrop.A": [[363, 383]], "Indicator: Backdoor/Win32.Bifrose.C64544": [[384, 413]], "Indicator: Backdoor.Bifrose!Gi2ynDtXmII": [[414, 442]], "Indicator: Backdoor.Win32.Bifrose": [[443, 465]]}, "info": {"id": "cyner2_5class_train_02100", "source": "cyner2_5class_train"}} +{"text": "With the malware now in place , a number of actions can be performed , including allowing attackers to secretly monitor and control smartphones via a backdoor , send messages to premium-rate numbers , and intercept two-factor authentication codes sent by online banking apps and the like .", 
"spans": {}, "info": {"id": "cyner2_5class_train_02101", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PDF.Phishing.UX Trojan.PDF.Phish.ve Trojan.PDF.Phishing.UX Trojan.PDF.Phishing.UX EXP/Pidief.EB.523 Trojan.PDF.Phishing.UX Trojan.PDF.Phish.ve Trojan.PDF.Phishing.UX Trojan.PDF.Phishing.UX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PDF.Phishing.UX": [[26, 48], [69, 91], [92, 114], [133, 155], [176, 198], [199, 221]], "Indicator: Trojan.PDF.Phish.ve": [[49, 68], [156, 175]], "Indicator: EXP/Pidief.EB.523": [[115, 132]]}, "info": {"id": "cyner2_5class_train_02102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Worm/W32.Small.6084.H Email-Worm.Win32.Zhelatin!O Email-Worm.Win32.Zhelatin.h W32.W.Zhelatin.l03u TrojWare.Win32.Small.DBY Worm.Zhelatin.Win32.4001 Downloader-BAI.dam Worm/Zhelatin.ok TR/Small.DBY.Y Worm[Email]/Win32.Zhelatin Email-Worm.Win32.Zhelatin.h Win32/Luder.O Downloader-BAI.dam Email-Worm.Win32.Zhelatin W32/DldBAI.H!dam Trj/Alanchum.PH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Worm/W32.Small.6084.H": [[48, 69]], "Indicator: Email-Worm.Win32.Zhelatin!O": [[70, 97]], "Indicator: Email-Worm.Win32.Zhelatin.h": [[98, 125], [274, 301]], "Indicator: W32.W.Zhelatin.l03u": [[126, 145]], "Indicator: TrojWare.Win32.Small.DBY": [[146, 170]], "Indicator: Worm.Zhelatin.Win32.4001": [[171, 195]], "Indicator: Downloader-BAI.dam": [[196, 214], [316, 334]], "Indicator: Worm/Zhelatin.ok": [[215, 231]], "Indicator: TR/Small.DBY.Y": [[232, 246]], "Indicator: Worm[Email]/Win32.Zhelatin": [[247, 273]], "Indicator: Win32/Luder.O": [[302, 315]], "Indicator: Email-Worm.Win32.Zhelatin": [[335, 360]], "Indicator: W32/DldBAI.H!dam": [[361, 377]], "Indicator: Trj/Alanchum.PH": [[378, 393]]}, "info": {"id": "cyner2_5class_train_02103", "source": "cyner2_5class_train"}} +{"text": "The Locky ransomware has been very active 
since its return which we documented in a previous blog post.", "spans": {"Malware: The Locky ransomware": [[0, 20]]}, "info": {"id": "cyner2_5class_train_02104", "source": "cyner2_5class_train"}} +{"text": "About two-thirds of these apps show some kind of malicious behavior, including displaying ads and downloading apps without the user's consent.", "spans": {"Malware: two-thirds": [[6, 16]], "Malware: apps": [[26, 30]], "Malware: malicious behavior,": [[49, 68]], "Indicator: displaying ads": [[79, 93]], "Indicator: downloading apps without the user's consent.": [[98, 142]]}, "info": {"id": "cyner2_5class_train_02105", "source": "cyner2_5class_train"}} +{"text": "However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation.", "spans": {"Malware: Sage samples": [[36, 48]], "Malware: Sage 2.2,": [[85, 94]], "Vulnerability: privilege escalation.": [[146, 167]]}, "info": {"id": "cyner2_5class_train_02106", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Spamtool.Y Trojan.Dropper Win32/Mendrem.A Win.Trojan.Proxy-4705 Troj.Proxy.W32!c Trojan.MulDrop.4012 BehavesLike.Win32.Backdoor.cm Trojan-Downloader.Win32.LoadAdv W32/Spamtool.LPPN-6055 Spammer:Win32/Kukunefo.A TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Spamtool.Y": [[26, 40]], "Indicator: Trojan.Dropper": [[41, 55]], "Indicator: Win32/Mendrem.A": [[56, 71]], "Indicator: Win.Trojan.Proxy-4705": [[72, 93]], "Indicator: Troj.Proxy.W32!c": [[94, 110]], "Indicator: Trojan.MulDrop.4012": [[111, 130]], "Indicator: BehavesLike.Win32.Backdoor.cm": [[131, 160]], "Indicator: Trojan-Downloader.Win32.LoadAdv": [[161, 192]], "Indicator: W32/Spamtool.LPPN-6055": [[193, 215]], "Indicator: Spammer:Win32/Kukunefo.A": [[216, 240]], "Indicator: TScope.Malware-Cryptor.SB": [[241, 266]], "Indicator: Trj/CI.A": [[267, 275]]}, "info": {"id": 
"cyner2_5class_train_02107", "source": "cyner2_5class_train"}} +{"text": "When the files are encrypted they DO NOT change file name or extensions and appear normal to the victim until you try to open them.", "spans": {"Indicator: files": [[9, 14]], "Indicator: file name": [[48, 57]], "Indicator: extensions": [[61, 71]]}, "info": {"id": "cyner2_5class_train_02108", "source": "cyner2_5class_train"}} +{"text": "Based on our detection statistics , the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers .", "spans": {}, "info": {"id": "cyner2_5class_train_02109", "source": "cyner2_5class_train"}} +{"text": "During the installation , the malware asks for the following permissions : READ_PHONE_STATE - Allows read-only access to the phone state , including the current cellular network information , the status of any ongoing calls , and a list of any PhoneAccounts registered on the device .", "spans": {}, "info": {"id": "cyner2_5class_train_02110", "source": "cyner2_5class_train"}} +{"text": "If the malware determines that is not running on an emulator , it then performs additional checks to ensure that it wo n't be detected .", "spans": {}, "info": {"id": "cyner2_5class_train_02111", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.NForwarded.401408.F Trojan.Beaugrit.A.mue Trojan/Spy.Banhguo.a Win32.Trojan-Spy.Banhguo.a Trojan.Win32.KillFiles.dmlrmm Trojan.Win32.PSWIGames.401408.J TrojWare.Win32.Lmir.RL Trojan.KillFiles.17459 Backdoor.PePatch.Win32.55641 BehavesLike.Win32.Dropper.fc TR/Banhguo.aone Trojan.Symmi.DBA11 Trojan/Win32.OnLineGames.R127640 W32/Banhguo.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.NForwarded.401408.F": [[26, 56]], "Indicator: Trojan.Beaugrit.A.mue": [[57, 78]], "Indicator: Trojan/Spy.Banhguo.a": [[79, 99]], "Indicator: Win32.Trojan-Spy.Banhguo.a": [[100, 126]], "Indicator: Trojan.Win32.KillFiles.dmlrmm": [[127, 156]], 
"Indicator: Trojan.Win32.PSWIGames.401408.J": [[157, 188]], "Indicator: TrojWare.Win32.Lmir.RL": [[189, 211]], "Indicator: Trojan.KillFiles.17459": [[212, 234]], "Indicator: Backdoor.PePatch.Win32.55641": [[235, 263]], "Indicator: BehavesLike.Win32.Dropper.fc": [[264, 292]], "Indicator: TR/Banhguo.aone": [[293, 308]], "Indicator: Trojan.Symmi.DBA11": [[309, 327]], "Indicator: Trojan/Win32.OnLineGames.R127640": [[328, 360]], "Indicator: W32/Banhguo.A!tr": [[361, 377]]}, "info": {"id": "cyner2_5class_train_02112", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Virus.W32.Hupigon.Fqm!c BehavesLike.Win32.RAHack.fc KIT/Mac.Walrus.121 HackTool[Constructor]/Win32.Walrus Constructor:W97M/Walrus.1_21.dam#2 Trj/CI.A Win32/Trojan.488", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Virus.W32.Hupigon.Fqm!c": [[48, 71]], "Indicator: BehavesLike.Win32.RAHack.fc": [[72, 99]], "Indicator: KIT/Mac.Walrus.121": [[100, 118]], "Indicator: HackTool[Constructor]/Win32.Walrus": [[119, 153]], "Indicator: Constructor:W97M/Walrus.1_21.dam#2": [[154, 188]], "Indicator: Trj/CI.A": [[189, 197]], "Indicator: Win32/Trojan.488": [[198, 214]]}, "info": {"id": "cyner2_5class_train_02113", "source": "cyner2_5class_train"}} +{"text": "This information can give the attacker access to personal and business bank accounts , personal and business data , and more .", "spans": {}, "info": {"id": "cyner2_5class_train_02114", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.151026.9950.9988 Heur.AdvML.C Trojan.Win32.MulDrop5.dbmdce BehavesLike.Win32.BrowseFox.nh W32/CoinMiner.QR!tr Trojan.Zusy.D17C80 PUP/Win32.BitCoinMiner.C350160 Trojan:Win32/Figyek.A Win32.Trojan.Adware.Wnmi Trojan.CoinMiner CoinMiner.BLK Trojan.Win32.CoinMiner.QR Win32/Trojan.713", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Uds.Dangerousobject.Multi!c": 
[[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9988": [[54, 94]], "Indicator: Heur.AdvML.C": [[95, 107]], "Indicator: Trojan.Win32.MulDrop5.dbmdce": [[108, 136]], "Indicator: BehavesLike.Win32.BrowseFox.nh": [[137, 167]], "Indicator: W32/CoinMiner.QR!tr": [[168, 187]], "Indicator: Trojan.Zusy.D17C80": [[188, 206]], "Indicator: PUP/Win32.BitCoinMiner.C350160": [[207, 237]], "Indicator: Trojan:Win32/Figyek.A": [[238, 259]], "Indicator: Win32.Trojan.Adware.Wnmi": [[260, 284]], "Indicator: Trojan.CoinMiner": [[285, 301]], "Indicator: CoinMiner.BLK": [[302, 315]], "Indicator: Trojan.Win32.CoinMiner.QR": [[316, 341]], "Indicator: Win32/Trojan.713": [[342, 358]]}, "info": {"id": "cyner2_5class_train_02115", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Packed.Krap.b.3 Packer.Malware.NSAnti.1 Trojan:Win32/Inhoo.A Packer.Malware.NSAnti.1 Trojan-GameThief.Win32.Magania.aigw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Packed.Krap.b.3": [[26, 47]], "Indicator: Packer.Malware.NSAnti.1": [[48, 71], [93, 116]], "Indicator: Trojan:Win32/Inhoo.A": [[72, 92]], "Indicator: Trojan-GameThief.Win32.Magania.aigw": [[117, 152]]}, "info": {"id": "cyner2_5class_train_02116", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.Axesoft.A Trojan-Dropper/W32.Axesoft.800094 Trojandropper.Axesoft Trojan.Dropper.Axesoft.A Trojan/Dropper.Axesoft TROJ_AXESOFT.A TROJ_AXESOFT.A Trojan.Dropper.Axesoft.A Trojan-Dropper.Win32.Axesoft Trojan.Dropper.Axesoft.A Trojan.Win32.Axesoft-Drp.fdro Troj.Dropper.W32.Axesoft!c Trojan.Dropper.Axesoft.A Trojan.Dropper.Axesoft.A Trojan.MulDrop.216 Dropper.Axesoft.Win32.2 BehavesLike.Win32.Dropper.bc Trojan-PWS.Win32.QQPass W32/Trojan.RHJF-8903 TrojanDropper.Axesoft W32.Trojan.Dropper-AxeSoft BDS/GWGirl.12.C Trojan.Dropper.Axesoft.A Trojan-Dropper.Win32.Axesoft BackDoor-SP.dr TrojanDropper.Axesoft Win32/TrojanDropper.Axesoft Win32.Trojan-dropper.Axesoft.Apde 
Trojan.DR.Axesoft!crjcgQTkDRg W32/Bdoor.SP!tr Win32/Trojan.Dropper.d68", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.Axesoft.A": [[26, 50], [107, 131], [185, 209], [239, 263], [321, 345], [346, 370], [553, 577]], "Indicator: Trojan-Dropper/W32.Axesoft.800094": [[51, 84]], "Indicator: Trojandropper.Axesoft": [[85, 106]], "Indicator: Trojan/Dropper.Axesoft": [[132, 154]], "Indicator: TROJ_AXESOFT.A": [[155, 169], [170, 184]], "Indicator: Trojan-Dropper.Win32.Axesoft": [[210, 238], [578, 606]], "Indicator: Trojan.Win32.Axesoft-Drp.fdro": [[264, 293]], "Indicator: Troj.Dropper.W32.Axesoft!c": [[294, 320]], "Indicator: Trojan.MulDrop.216": [[371, 389]], "Indicator: Dropper.Axesoft.Win32.2": [[390, 413]], "Indicator: BehavesLike.Win32.Dropper.bc": [[414, 442]], "Indicator: Trojan-PWS.Win32.QQPass": [[443, 466]], "Indicator: W32/Trojan.RHJF-8903": [[467, 487]], "Indicator: TrojanDropper.Axesoft": [[488, 509], [622, 643]], "Indicator: W32.Trojan.Dropper-AxeSoft": [[510, 536]], "Indicator: BDS/GWGirl.12.C": [[537, 552]], "Indicator: BackDoor-SP.dr": [[607, 621]], "Indicator: Win32/TrojanDropper.Axesoft": [[644, 671]], "Indicator: Win32.Trojan-dropper.Axesoft.Apde": [[672, 705]], "Indicator: Trojan.DR.Axesoft!crjcgQTkDRg": [[706, 735]], "Indicator: W32/Bdoor.SP!tr": [[736, 751]], "Indicator: Win32/Trojan.Dropper.d68": [[752, 776]]}, "info": {"id": "cyner2_5class_train_02117", "source": "cyner2_5class_train"}} +{"text": "Initial reports of a new variant of ransomware called LockCrypt started in June of this year.", "spans": {"Malware: new variant": [[21, 32]], "Malware: ransomware": [[36, 46]], "Malware: LockCrypt": [[54, 63]]}, "info": {"id": "cyner2_5class_train_02118", "source": "cyner2_5class_train"}} +{"text": "But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.", "spans": {"Organization: 3rd ASEAN-United States Summit": [[8, 38]]}, "info": {"id": "cyner2_5class_train_02119", "source": "cyner2_5class_train"}} +{"text": 
"The cybercriminals then send this money to a digital wallet or to a premium number and cash it in .", "spans": {}, "info": {"id": "cyner2_5class_train_02120", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan-Downloader.Win32.Losabel!O Downloader.Losabel.Win32.540 Trojan/Downloader.Losabel.nx Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Popwin BehavesLike.Win32.Trojan.fh TrojanDownloader.Losabel.cx Trojan[Downloader]/Win32.Losabel TrojanDropper:Win32/Idicaf.A Trojan/Win32.OnlineGameHack.C187141 Trojan.DL.Losabel!C2fG9tSV6gk Trj/Pupack.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLT180912HKGHAAI.Trojan": [[26, 59]], "Indicator: Trojan-Downloader.Win32.Losabel!O": [[60, 93]], "Indicator: Downloader.Losabel.Win32.540": [[94, 122]], "Indicator: Trojan/Downloader.Losabel.nx": [[123, 151]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[152, 194]], "Indicator: Trojan.Popwin": [[195, 208]], "Indicator: BehavesLike.Win32.Trojan.fh": [[209, 236]], "Indicator: TrojanDownloader.Losabel.cx": [[237, 264]], "Indicator: Trojan[Downloader]/Win32.Losabel": [[265, 297]], "Indicator: TrojanDropper:Win32/Idicaf.A": [[298, 326]], "Indicator: Trojan/Win32.OnlineGameHack.C187141": [[327, 362]], "Indicator: Trojan.DL.Losabel!C2fG9tSV6gk": [[363, 392]], "Indicator: Trj/Pupack.A": [[393, 405]]}, "info": {"id": "cyner2_5class_train_02121", "source": "cyner2_5class_train"}} +{"text": "The Intent object carries a string value as “ action ” parameter .", "spans": {}, "info": {"id": "cyner2_5class_train_02122", "source": "cyner2_5class_train"}} +{"text": "Among the over 1.4 billion devices protected by Verify Apps , we observed fewer than 3 dozen installs of Chrysaor on victim devices .", "spans": {"System: Verify Apps": [[48, 59]], "Malware: Chrysaor": [[105, 113]]}, "info": {"id": "cyner2_5class_train_02123", "source": "cyner2_5class_train"}} +{"text": "It appears to be run by a 
Russian-speaking group of hackers.", "spans": {}, "info": {"id": "cyner2_5class_train_02124", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D54BC4 Win32.Trojan.WisdomEyes.16070401.9500.9993 Tool.PassView.859 Trojan/Blocker.jhq Win32.Troj.Foxhiex.a.kcloud Trojan/Win32.Zbot.C284570 Trojan.MSIL.CryptoObfuscator Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D54BC4": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[45, 87]], "Indicator: Tool.PassView.859": [[88, 105]], "Indicator: Trojan/Blocker.jhq": [[106, 124]], "Indicator: Win32.Troj.Foxhiex.a.kcloud": [[125, 152]], "Indicator: Trojan/Win32.Zbot.C284570": [[153, 178]], "Indicator: Trojan.MSIL.CryptoObfuscator": [[179, 207]], "Indicator: Trj/GdSda.A": [[208, 219]]}, "info": {"id": "cyner2_5class_train_02125", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: P2P-Worm.Win32.Krepper!O Worm.Krepper.A.mue Worm.Krepper.Win32.1 W32/Krepper.c W32.IRCBot Win32/Sndc.A WORM_SHAREBOT.A Win.Worm.Poom-1 P2P-Worm.Win32.Krepper.c Trojan.Win32.Krepper.dqeaqt Troj.GameThief.W32.OnLineGames.lgKp Win32.Worm-p2p.Krepper.Ljjq Worm.Win32.Krepper.C Win32.HLLW.Krepper WORM_SHAREBOT.A BehavesLike.Win32.PUPXAX.lz W32/Pcbot.A@p2p Trojan/Krepper.ad WORM/Krepper.C Worm[P2P]/Win32.Krepper Worm:Win32/Krepper.B Trojan.Win32.Krepper.11808 P2P-Worm.Win32.Krepper.c Worm.Krepper I-Worm.Krepper.C Win32/Krepper.C Worm.P2P.Krepper!dcAWP425Bzk P2P-Worm.Win32.Krepper W32/Krepper.C!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: P2P-Worm.Win32.Krepper!O": [[26, 50]], "Indicator: Worm.Krepper.A.mue": [[51, 69]], "Indicator: Worm.Krepper.Win32.1": [[70, 90]], "Indicator: W32/Krepper.c": [[91, 104]], "Indicator: W32.IRCBot": [[105, 115]], "Indicator: Win32/Sndc.A": [[116, 128]], "Indicator: WORM_SHAREBOT.A": [[129, 144], [318, 333]], "Indicator: Win.Worm.Poom-1": [[145, 160]], "Indicator: P2P-Worm.Win32.Krepper.c": [[161, 185], [483, 
507]], "Indicator: Trojan.Win32.Krepper.dqeaqt": [[186, 213]], "Indicator: Troj.GameThief.W32.OnLineGames.lgKp": [[214, 249]], "Indicator: Win32.Worm-p2p.Krepper.Ljjq": [[250, 277]], "Indicator: Worm.Win32.Krepper.C": [[278, 298]], "Indicator: Win32.HLLW.Krepper": [[299, 317]], "Indicator: BehavesLike.Win32.PUPXAX.lz": [[334, 361]], "Indicator: W32/Pcbot.A@p2p": [[362, 377]], "Indicator: Trojan/Krepper.ad": [[378, 395]], "Indicator: WORM/Krepper.C": [[396, 410]], "Indicator: Worm[P2P]/Win32.Krepper": [[411, 434]], "Indicator: Worm:Win32/Krepper.B": [[435, 455]], "Indicator: Trojan.Win32.Krepper.11808": [[456, 482]], "Indicator: Worm.Krepper": [[508, 520]], "Indicator: I-Worm.Krepper.C": [[521, 537]], "Indicator: Win32/Krepper.C": [[538, 553]], "Indicator: Worm.P2P.Krepper!dcAWP425Bzk": [[554, 582]], "Indicator: P2P-Worm.Win32.Krepper": [[583, 605]], "Indicator: W32/Krepper.C!worm": [[606, 624]]}, "info": {"id": "cyner2_5class_train_02126", "source": "cyner2_5class_train"}} +{"text": "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means .", "spans": {}, "info": {"id": "cyner2_5class_train_02127", "source": "cyner2_5class_train"}} +{"text": "Worryingly , some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering .", "spans": {}, "info": {"id": "cyner2_5class_train_02128", "source": "cyner2_5class_train"}} +{"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries .", "spans": {"System: Python": [[31, 37], [100, 106]], "System: Windows": [[58, 65]]}, "info": {"id": "cyner2_5class_train_02129", "source": "cyner2_5class_train"}} +{"text": "Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java now identified by Oracle as CVE-2015-2590.", 
"spans": {"Indicator: suspicious URLs": [[93, 108]], "Vulnerability: zero-day exploit": [[140, 156]], "System: Java": [[160, 164]], "Organization: Oracle": [[183, 189]], "Indicator: CVE-2015-2590.": [[193, 207]]}, "info": {"id": "cyner2_5class_train_02130", "source": "cyner2_5class_train"}} +{"text": "The campaign was identified starting with the registration on 2023-04-05 16:04:51 up to the latest registration on 2023-04-10 08:33:28.", "spans": {}, "info": {"id": "cyner2_5class_train_02131", "source": "cyner2_5class_train"}} +{"text": "It has been attacking Iranian users.", "spans": {}, "info": {"id": "cyner2_5class_train_02132", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Makecall.20484 Trojan.Makecall Trojan.Makecall.Win32.5 TROJ_MAKECALL.A W32/MalwareF.VJTB W32.Makecall.Trojan TROJ_MAKECALL.A Trojan.Win32.Makecall.a Trojan.Win32.Makecall.fkdu Trojan.Win32.S.Makecall.20484 Troj.W32.Makecall.a!c Trojan.MulDrop.717 BehavesLike.Win32.VBObfus.mz W32/Risk.QDBN-9051 Trojan/MakeCall.d TR/Makecall.a Trojan/Win32.Makecall Trojan:Win32/Makecall.A Trojan.Win32.Makecall.a Trojan/Win32.Makecall.R109087 SScope.Trojan.VBRA.3284 Win32/Makecall.A Win32.Trojan.Makecall.Ecul Trojan.Makecall!Hu8pme7fStI Trojan.Win32.Makecall W32/Makecall.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Makecall.20484": [[26, 51]], "Indicator: Trojan.Makecall": [[52, 67]], "Indicator: Trojan.Makecall.Win32.5": [[68, 91]], "Indicator: TROJ_MAKECALL.A": [[92, 107], [146, 161]], "Indicator: W32/MalwareF.VJTB": [[108, 125]], "Indicator: W32.Makecall.Trojan": [[126, 145]], "Indicator: Trojan.Win32.Makecall.a": [[162, 185], [410, 433]], "Indicator: Trojan.Win32.Makecall.fkdu": [[186, 212]], "Indicator: Trojan.Win32.S.Makecall.20484": [[213, 242]], "Indicator: Troj.W32.Makecall.a!c": [[243, 264]], "Indicator: Trojan.MulDrop.717": [[265, 283]], "Indicator: BehavesLike.Win32.VBObfus.mz": [[284, 312]], "Indicator: W32/Risk.QDBN-9051": [[313, 331]], 
"Indicator: Trojan/MakeCall.d": [[332, 349]], "Indicator: TR/Makecall.a": [[350, 363]], "Indicator: Trojan/Win32.Makecall": [[364, 385]], "Indicator: Trojan:Win32/Makecall.A": [[386, 409]], "Indicator: Trojan/Win32.Makecall.R109087": [[434, 463]], "Indicator: SScope.Trojan.VBRA.3284": [[464, 487]], "Indicator: Win32/Makecall.A": [[488, 504]], "Indicator: Win32.Trojan.Makecall.Ecul": [[505, 531]], "Indicator: Trojan.Makecall!Hu8pme7fStI": [[532, 559]], "Indicator: Trojan.Win32.Makecall": [[560, 581]], "Indicator: W32/Makecall.A!tr": [[582, 599]]}, "info": {"id": "cyner2_5class_train_02133", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Sipay.ADV Trojan.Crypt.GU Trojan/W32.Small.15872.S Trojan.Small.Win32.4658 Trojan/Small.xut Trojan.Win32.Small.glefu Win32/TrojanDownloader.FakeAlert.JI WORM_SMALL.MDA Trojan.Small-8598 Trojan.Crypt.GU Trojan.Crypt.GU Trojan.Small!AZKO6qCeQTg Trojan.Win32.Small.15872.Q[h] Trojan.Dropper/AdobeFake Trojan.Crypt.GU TrojWare.Win32.Small.~YE Trojan.Crypt.GU Trojan.DownLoader10.48865 WORM_SMALL.MDA W32/Trojan2.EQHY Trojan/Small.fnb Trojan/Win32.Small Win32.Troj.Small.kcloud Trojan.Crypt.GU Win-Trojan/Downloader.15872.GU TrojanDownloader:Win32/Bofang.C Trojan.Crypt.GU Trojan.Small Trojan-Downloader.HG W32/FakeAlert.JI!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Sipay.ADV": [[26, 41]], "Indicator: Trojan.Crypt.GU": [[42, 57], [218, 233], [234, 249], [330, 345], [371, 386], [505, 520], [584, 599]], "Indicator: Trojan/W32.Small.15872.S": [[58, 82]], "Indicator: Trojan.Small.Win32.4658": [[83, 106]], "Indicator: Trojan/Small.xut": [[107, 123]], "Indicator: Trojan.Win32.Small.glefu": [[124, 148]], "Indicator: Win32/TrojanDownloader.FakeAlert.JI": [[149, 184]], "Indicator: WORM_SMALL.MDA": [[185, 199], [413, 427]], "Indicator: Trojan.Small-8598": [[200, 217]], "Indicator: Trojan.Small!AZKO6qCeQTg": [[250, 274]], "Indicator: Trojan.Win32.Small.15872.Q[h]": [[275, 304]], "Indicator: 
Trojan.Dropper/AdobeFake": [[305, 329]], "Indicator: TrojWare.Win32.Small.~YE": [[346, 370]], "Indicator: Trojan.DownLoader10.48865": [[387, 412]], "Indicator: W32/Trojan2.EQHY": [[428, 444]], "Indicator: Trojan/Small.fnb": [[445, 461]], "Indicator: Trojan/Win32.Small": [[462, 480]], "Indicator: Win32.Troj.Small.kcloud": [[481, 504]], "Indicator: Win-Trojan/Downloader.15872.GU": [[521, 551]], "Indicator: TrojanDownloader:Win32/Bofang.C": [[552, 583]], "Indicator: Trojan.Small": [[600, 612]], "Indicator: Trojan-Downloader.HG": [[613, 633]], "Indicator: W32/FakeAlert.JI!tr.dldr": [[634, 658]]}, "info": {"id": "cyner2_5class_train_02134", "source": "cyner2_5class_train"}} +{"text": "In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs Mobile Transaction Authentication Number from banks.", "spans": {"Malware: Xbot": [[13, 17]], "Indicator: steal all SMS messages": [[23, 45]], "Indicator: contact information,": [[50, 70]], "Indicator: SMS messages,": [[89, 102]], "Indicator: SMS messages for mTANs Mobile Transaction Authentication Number": [[113, 176]], "Organization: banks.": [[182, 188]]}, "info": {"id": "cyner2_5class_train_02135", "source": "cyner2_5class_train"}} +{"text": "Using both the Elknot and BillGates DDoS malware, these attackers have continued to infect vulnerable Elasticsearch servers in order to enhance their DDoS capabilities.", "spans": {"Malware: Elknot": [[15, 21]], "Malware: BillGates DDoS malware,": [[26, 49]], "Vulnerability: vulnerable": [[91, 101]], "System: Elasticsearch servers": [[102, 123]], "Indicator: DDoS": [[150, 154]]}, "info": {"id": "cyner2_5class_train_02136", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/KillAV.a TROJ_SPNR.38J614 Backdoor.Trojan TROJ_SPNR.38J614 Uds.Dangerousobject.Multi!c Trojan.Patched.Win64.2566 W64/Trojan.HLJR-4976 Trojan.KillAV!apRF/prfUvc Trojan.Win64.Killav W64/KillAV.A!tr Trj/CI.A", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan/KillAV.a": [[26, 41]], "Indicator: TROJ_SPNR.38J614": [[42, 58], [75, 91]], "Indicator: Backdoor.Trojan": [[59, 74]], "Indicator: Uds.Dangerousobject.Multi!c": [[92, 119]], "Indicator: Trojan.Patched.Win64.2566": [[120, 145]], "Indicator: W64/Trojan.HLJR-4976": [[146, 166]], "Indicator: Trojan.KillAV!apRF/prfUvc": [[167, 192]], "Indicator: Trojan.Win64.Killav": [[193, 212]], "Indicator: W64/KillAV.A!tr": [[213, 228]], "Indicator: Trj/CI.A": [[229, 237]]}, "info": {"id": "cyner2_5class_train_02137", "source": "cyner2_5class_train"}} +{"text": "It now appears to be in the league of full-blown banking trojans such as Dyreza, Neverquest/Vawtrak, Zeus, etc.", "spans": {"Malware: banking trojans": [[49, 64]], "Malware: Dyreza, Neverquest/Vawtrak, Zeus,": [[73, 106]]}, "info": {"id": "cyner2_5class_train_02138", "source": "cyner2_5class_train"}} +{"text": "DIMNIE is a modular information stealer profiled earlier this year by security researchers at PaloAlto s Unit 42, who found the malware in targeted phishing attacks against open-source developers.", "spans": {"Malware: DIMNIE": [[0, 6]], "Indicator: modular information stealer": [[12, 39]], "Organization: security researchers": [[70, 90]], "Organization: PaloAlto": [[94, 102]], "Organization: Unit 42,": [[105, 113]], "Malware: malware": [[128, 135]], "Indicator: targeted phishing attacks": [[139, 164]], "Organization: open-source developers.": [[173, 196]]}, "info": {"id": "cyner2_5class_train_02139", "source": "cyner2_5class_train"}} +{"text": "History has shown us that , in time , these attacks will use zero-day vulnerabilities , exploits or a combination of techniques .", "spans": {"Vulnerability: zero-day vulnerabilities": [[61, 85]]}, "info": {"id": "cyner2_5class_train_02140", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.UserinitWininit.Trojan Trojan.Delf.QEO Trojan.Bancteian.CB4 Trojan.Delf.QEO Trojan/Spy.Delf.qgs Trojan.Delf.QEO 
Win32.Virus.Delf.c W32/Delf.UD TROJ_BANCTEIAN.SM Win.Trojan.Bancteian-0-6418983-0 Trojan.Delf.QEO Trojan.Delf.QEO Trojan.Win32.Delf.3301398 Trojan.Delf.QEO Backdoor.Win32.Delf.~DD Trojan.Delf.QEO Adware.BrowseFox.Win32.220566 TROJ_BANCTEIAN.SM BehavesLike.Win32.Trojan.wh Trojan.Win32.Bancteian W32/Delf.CERT-0413 Trojan.Reconyc.apf W32.Trojan.Delf TR/BAS.Samca.lsswh Trojan/Win32.Delf.nbw Trojan:Win32/Bancteian.B Trojan/Win32.Bancteian.R174475 Trojan.Reconyc Trojan.Win32.Delf.qgs W32/Delf.QGS!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.UserinitWininit.Trojan": [[26, 52]], "Indicator: Trojan.Delf.QEO": [[53, 68], [90, 105], [126, 141], [224, 239], [240, 255], [282, 297], [322, 337]], "Indicator: Trojan.Bancteian.CB4": [[69, 89]], "Indicator: Trojan/Spy.Delf.qgs": [[106, 125]], "Indicator: Win32.Virus.Delf.c": [[142, 160]], "Indicator: W32/Delf.UD": [[161, 172]], "Indicator: TROJ_BANCTEIAN.SM": [[173, 190], [368, 385]], "Indicator: Win.Trojan.Bancteian-0-6418983-0": [[191, 223]], "Indicator: Trojan.Win32.Delf.3301398": [[256, 281]], "Indicator: Backdoor.Win32.Delf.~DD": [[298, 321]], "Indicator: Adware.BrowseFox.Win32.220566": [[338, 367]], "Indicator: BehavesLike.Win32.Trojan.wh": [[386, 413]], "Indicator: Trojan.Win32.Bancteian": [[414, 436]], "Indicator: W32/Delf.CERT-0413": [[437, 455]], "Indicator: Trojan.Reconyc.apf": [[456, 474]], "Indicator: W32.Trojan.Delf": [[475, 490]], "Indicator: TR/BAS.Samca.lsswh": [[491, 509]], "Indicator: Trojan/Win32.Delf.nbw": [[510, 531]], "Indicator: Trojan:Win32/Bancteian.B": [[532, 556]], "Indicator: Trojan/Win32.Bancteian.R174475": [[557, 587]], "Indicator: Trojan.Reconyc": [[588, 602]], "Indicator: Trojan.Win32.Delf.qgs": [[603, 624]], "Indicator: W32/Delf.QGS!tr.spy": [[625, 644]]}, "info": {"id": "cyner2_5class_train_02141", "source": "cyner2_5class_train"}} +{"text": "Depending on the intent triggered , one of two Receivers would be called , in this instance they are called Boot or Time but the name is 
somewhat immaterial .", "spans": {}, "info": {"id": "cyner2_5class_train_02142", "source": "cyner2_5class_train"}} +{"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says .", "spans": {}, "info": {"id": "cyner2_5class_train_02143", "source": "cyner2_5class_train"}} +{"text": "Until now , we haven ’ t seen targeted attacks against mobile phones , although we ’ ve seen indications that these were in development .", "spans": {}, "info": {"id": "cyner2_5class_train_02144", "source": "cyner2_5class_train"}} +{"text": "In one of our previous blog entries, we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming, pharmaceutical, and telecommunications companies.", "spans": {"System: GitHub": [[95, 101]], "Malware: malware": [[112, 119]], "Indicator: new attack methods": [[191, 209]], "Indicator: attacks": [[259, 266]], "Organization: gaming, pharmaceutical,": [[275, 298]], "Organization: telecommunications companies.": [[303, 332]]}, "info": {"id": "cyner2_5class_train_02145", "source": "cyner2_5class_train"}} +{"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device .", "spans": {}, "info": {"id": "cyner2_5class_train_02146", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.Win32.Inject.ewmdhe Troj.MSIL.Disfa.mCrY Trojan.MSIL.Downloader.AD TrojWare.MSIL.Inject.TEQ Trojan.MSIL.Downloader.AD TR/Inject.xbeihg TrojanDownloader:MSIL/Datsup.A Trojan.MSIL.Downloader.AD Trj/CI.A MSIL/Dloader.AWE!tr Win32/Trojan.cd2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.MSIL.Downloader.AD": [[26, 51], [52, 77], [78, 103], [104, 129], [178, 203], [229, 254], [303, 328]], "Indicator: Trojan.Win32.Inject.ewmdhe": [[130, 156]], "Indicator: Troj.MSIL.Disfa.mCrY": [[157, 177]], "Indicator: TrojWare.MSIL.Inject.TEQ": [[204, 228]], "Indicator: TR/Inject.xbeihg": [[255, 271]], "Indicator: TrojanDownloader:MSIL/Datsup.A": [[272, 302]], "Indicator: Trj/CI.A": [[329, 337]], "Indicator: MSIL/Dloader.AWE!tr": [[338, 357]], "Indicator: Win32/Trojan.cd2": [[358, 374]]}, "info": {"id": "cyner2_5class_train_02147", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.RTF.CVE-2017-8759.D Trojan.Mdropper Win32/Exploit.CVE-2017-8759.A TROJ_ARTIEF.JEJOWP Rtf.Downloader.CVE_2017-6336326-3 Exploit.MSOffice.CVE-2017-8759.a Exploit.Ole2.CVE-2017-8759.estduh RTF.S.Exploit.44738 Exploit.Msoffice.Cve!c Exploit.CVE-2017-8759.5 TROJ_ARTIEF.JEJOWP RTF/Trojan.BGKX-2 HEUR:Exploit.MSOffice.CVE-2017-8759.a Exploit.CVE-2017-8759 Office.Exploit.Cve-2017-8759.Ajle Trojan.Win32.Exploit Malicious_Behavior.SB Win32/Trojan.Exploit.024", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.RTF.CVE-2017-8759.D": [[26, 49]], "Indicator: Trojan.Mdropper": [[50, 65]], "Indicator: Win32/Exploit.CVE-2017-8759.A": [[66, 95]], "Indicator: TROJ_ARTIEF.JEJOWP": [[96, 114], [283, 301]], "Indicator: Rtf.Downloader.CVE_2017-6336326-3": [[115, 148]], "Indicator: Exploit.MSOffice.CVE-2017-8759.a": [[149, 181]], "Indicator: Exploit.Ole2.CVE-2017-8759.estduh": [[182, 215]], "Indicator: RTF.S.Exploit.44738": [[216, 235]], "Indicator: Exploit.Msoffice.Cve!c": [[236, 258]], "Indicator: Exploit.CVE-2017-8759.5": [[259, 282]], "Indicator: RTF/Trojan.BGKX-2": [[302, 319]], "Indicator: HEUR:Exploit.MSOffice.CVE-2017-8759.a": [[320, 357]], "Indicator: Exploit.CVE-2017-8759": [[358, 379]], "Indicator: Office.Exploit.Cve-2017-8759.Ajle": [[380, 413]], "Indicator: Trojan.Win32.Exploit": [[414, 434]], "Indicator: Malicious_Behavior.SB": [[435, 456]], "Indicator: 
Win32/Trojan.Exploit.024": [[457, 481]]}, "info": {"id": "cyner2_5class_train_02148", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Farfly.L Multi.Threats.InArchive W32/Risk.NCBB-0700 Trojan.Farfli Win.Trojan.Downloader-2275 Trojan.Downloader.Farfly.L Trojan.Downloader.Farfly.L Trojan.Win32.Crypted.dkwpfn Trojan.Win32.Z.Downloader.266845 Trojan.Downloader.Farfly.L Trojan.DownLoader4.59614 Downloader.Selvice.Win32.747 TROJ_DLOADR.SMQ Trojan-Downloader.Win32.Selvice W32/MalwareS.ASNW Trojan.Downloader.Farfly.L TrojanDownloader:Win32/Caxnet.B Worm.WhiteIce Trojan.Downloader.Farfly.L Trojan.Downloader.Farfly.L Trojan.DL.Selvice!qQfZyIPcdpU Win32/Trojan.Downloader.6fb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Farfly.L": [[26, 52], [137, 163], [164, 190], [252, 278], [399, 425], [472, 498], [499, 525]], "Indicator: Multi.Threats.InArchive": [[53, 76]], "Indicator: W32/Risk.NCBB-0700": [[77, 95]], "Indicator: Trojan.Farfli": [[96, 109]], "Indicator: Win.Trojan.Downloader-2275": [[110, 136]], "Indicator: Trojan.Win32.Crypted.dkwpfn": [[191, 218]], "Indicator: Trojan.Win32.Z.Downloader.266845": [[219, 251]], "Indicator: Trojan.DownLoader4.59614": [[279, 303]], "Indicator: Downloader.Selvice.Win32.747": [[304, 332]], "Indicator: TROJ_DLOADR.SMQ": [[333, 348]], "Indicator: Trojan-Downloader.Win32.Selvice": [[349, 380]], "Indicator: W32/MalwareS.ASNW": [[381, 398]], "Indicator: TrojanDownloader:Win32/Caxnet.B": [[426, 457]], "Indicator: Worm.WhiteIce": [[458, 471]], "Indicator: Trojan.DL.Selvice!qQfZyIPcdpU": [[526, 555]], "Indicator: Win32/Trojan.Downloader.6fb": [[556, 583]]}, "info": {"id": "cyner2_5class_train_02149", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Hijacker.kvdpi TROJ_DYER.BMC Trojan.Enfal-7 HEUR:Trojan.Win32.Invader Trojan.Hijacker!h2YIjU+BiQU Trojan.DownLoader7.14277 TROJ_DYER.BMC Trojan/Invader.exe W32/Bfr.2!tr Trojan[:HEUR]/Win32.Invader 
Win-Trojan/Inject.16896.IT Win32.Trojan.Hijacker.Ebqw Trojan.Win32.Sanpec Win32/Trojan.1da", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Hijacker.kvdpi": [[26, 53]], "Indicator: TROJ_DYER.BMC": [[54, 67], [162, 175]], "Indicator: Trojan.Enfal-7": [[68, 82]], "Indicator: HEUR:Trojan.Win32.Invader": [[83, 108]], "Indicator: Trojan.Hijacker!h2YIjU+BiQU": [[109, 136]], "Indicator: Trojan.DownLoader7.14277": [[137, 161]], "Indicator: Trojan/Invader.exe": [[176, 194]], "Indicator: W32/Bfr.2!tr": [[195, 207]], "Indicator: Trojan[:HEUR]/Win32.Invader": [[208, 235]], "Indicator: Win-Trojan/Inject.16896.IT": [[236, 262]], "Indicator: Win32.Trojan.Hijacker.Ebqw": [[263, 289]], "Indicator: Trojan.Win32.Sanpec": [[290, 309]], "Indicator: Win32/Trojan.1da": [[310, 326]]}, "info": {"id": "cyner2_5class_train_02150", "source": "cyner2_5class_train"}} +{"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes.", "spans": {"Indicator: attacks": [[4, 11]], "Organization: Uyghur and Tibetan activists": [[66, 94]]}, "info": {"id": "cyner2_5class_train_02151", "source": "cyner2_5class_train"}} +{"text": "This new threat also uses a macro to infect the target's computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.", "spans": {"Malware: new threat": [[5, 15]], "Malware: macro": [[28, 33]], "Malware: infect": [[37, 43]], "System: the target's computer,": [[44, 66]], "Malware: binary payload,": [[96, 111]], "Indicator: communicate": [[173, 184]], "Indicator: hacked websites,": [[189, 205]], "Indicator: proxies": [[216, 223]], "Indicator: the command and control server.": [[228, 259]]}, "info": {"id": "cyner2_5class_train_02152", "source": "cyner2_5class_train"}} +{"text": "After the next run of the infected application , the 
“ boot ” module will run the “ patch ” module , which hooks the methods from known ad SDKs to its own implementation .", "spans": {}, "info": {"id": "cyner2_5class_train_02153", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.Myxa.Win32.113 Trojan/Downloader.Myxa.cit Trojan.Kazy.D6034 TROJ_MONKIF.SMKP Win32.Trojan.WisdomEyes.16070401.9500.9999 Downloader.Monkif TROJ_MONKIF.SMKP Win.Downloader.100478-1 Trojan.Win32.Myxa.bqhvc Trojan.Win32.A.Downloader.22672.B Trojan.DownLoad3.32720 Trojan-Downloader.Win32.Myxa TrojanDownloader.Myxa.cx TrojanDownloader:Win32/Monkif.T Downloader/Win32.Monkif.R1925 TrojanDownloader.Myxa Trj/Myxa.A Trojan.DL.Myxa!oB3ehXmv9m8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Myxa.Win32.113": [[26, 51]], "Indicator: Trojan/Downloader.Myxa.cit": [[52, 78]], "Indicator: Trojan.Kazy.D6034": [[79, 96]], "Indicator: TROJ_MONKIF.SMKP": [[97, 113], [175, 191]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[114, 156]], "Indicator: Downloader.Monkif": [[157, 174]], "Indicator: Win.Downloader.100478-1": [[192, 215]], "Indicator: Trojan.Win32.Myxa.bqhvc": [[216, 239]], "Indicator: Trojan.Win32.A.Downloader.22672.B": [[240, 273]], "Indicator: Trojan.DownLoad3.32720": [[274, 296]], "Indicator: Trojan-Downloader.Win32.Myxa": [[297, 325]], "Indicator: TrojanDownloader.Myxa.cx": [[326, 350]], "Indicator: TrojanDownloader:Win32/Monkif.T": [[351, 382]], "Indicator: Downloader/Win32.Monkif.R1925": [[383, 412]], "Indicator: TrojanDownloader.Myxa": [[413, 434]], "Indicator: Trj/Myxa.A": [[435, 445]], "Indicator: Trojan.DL.Myxa!oB3ehXmv9m8": [[446, 472]]}, "info": {"id": "cyner2_5class_train_02154", "source": "cyner2_5class_train"}} +{"text": "When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.", "spans": {}, "info": {"id": "cyner2_5class_train_02155", "source": "cyner2_5class_train"}} 
+{"text": "His repository proves that he is indeed an Android developer , but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost .", "spans": {"System: Android": [[43, 50]], "Malware: Ashas": [[114, 119]]}, "info": {"id": "cyner2_5class_train_02156", "source": "cyner2_5class_train"}} +{"text": "This macro comes into users' systems through a spam email with subjects such as My Resume, Openings, Internship, etc.", "spans": {"Malware: macro": [[5, 10]], "System: users' systems": [[22, 36]], "Indicator: spam email": [[47, 57]], "Indicator: subjects": [[63, 71]], "Indicator: My Resume, Openings, Internship,": [[80, 112]]}, "info": {"id": "cyner2_5class_train_02157", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.FakeToken.B A.H.Pay.Erop.YG Android.Trojan.SMSBot.B AndroidOS/FakeToken.B HEUR:Trojan-Banker.AndroidOS.Faketoken.a Android.Trojan.SMSBot.B Trojan.Android.SMSBot.b Android.Malware.Trojan Trojan:Android/SmsSpy.K Android.SmsSend.419.origin AndroidOS/FakeToken.B Trojan[Banker]/Android.Faketoken Android.Troj.at_Stealer.g.kcloud HEUR:Trojan-Banker.AndroidOS.Faketoken.a Android.Trojan.SMSBot.B Trojan.AndroidOS.SendSMS Android/FkToken.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.FakeToken.B": [[26, 45]], "Indicator: A.H.Pay.Erop.YG": [[46, 61]], "Indicator: Android.Trojan.SMSBot.B": [[62, 85], [149, 172], [400, 423]], "Indicator: AndroidOS/FakeToken.B": [[86, 107], [271, 292]], "Indicator: HEUR:Trojan-Banker.AndroidOS.Faketoken.a": [[108, 148], [359, 399]], "Indicator: Trojan.Android.SMSBot.b": [[173, 196]], "Indicator: Android.Malware.Trojan": [[197, 219]], "Indicator: Trojan:Android/SmsSpy.K": [[220, 243]], "Indicator: Android.SmsSend.419.origin": [[244, 270]], "Indicator: Trojan[Banker]/Android.Faketoken": [[293, 325]], "Indicator: Android.Troj.at_Stealer.g.kcloud": [[326, 358]], "Indicator: Trojan.AndroidOS.SendSMS": [[424, 448]], "Indicator: Android/FkToken.B": 
[[449, 466]]}, "info": {"id": "cyner2_5class_train_02158", "source": "cyner2_5class_train"}} +{"text": "The actor can even take his malicious activities to the next level by installing a remote application from a designated server , thus allowing him to install new malware once it is required .", "spans": {}, "info": {"id": "cyner2_5class_train_02159", "source": "cyner2_5class_train"}} +{"text": "Android malware creators have recently been mixing business with play.", "spans": {}, "info": {"id": "cyner2_5class_train_02160", "source": "cyner2_5class_train"}} +{"text": "DNS is an ideal fit for frequently exporting small chunks of custom encoded data i.e. credit card track 1 and track 2 data to an external, remote location.", "spans": {"System: DNS": [[0, 3]], "Indicator: custom encoded data": [[61, 80]], "Indicator: credit card": [[86, 97]]}, "info": {"id": "cyner2_5class_train_02161", "source": "cyner2_5class_train"}} +{"text": "We have recently encountered very aggressive jabber spam campaign, advertising the Philadelphia ransomware.", "spans": {"Malware: the Philadelphia ransomware.": [[79, 107]]}, "info": {"id": "cyner2_5class_train_02162", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D39A16 Win32.Trojan.WisdomEyes.16070401.9500.9800 Backdoor.Trojan TSPY_REALTIME.A Trojan.RealSpy TSPY_REALTIME.A W32/Risk.KQTT-6320 Trojan/Win32.HDC.C24097", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D39A16": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9800": [[45, 87]], "Indicator: Backdoor.Trojan": [[88, 103]], "Indicator: TSPY_REALTIME.A": [[104, 119], [135, 150]], "Indicator: Trojan.RealSpy": [[120, 134]], "Indicator: W32/Risk.KQTT-6320": [[151, 169]], "Indicator: Trojan/Win32.HDC.C24097": [[170, 193]]}, "info": {"id": "cyner2_5class_train_02163", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Delf.quw Win32.Trojan.WisdomEyes.16070401.9500.9770 
Win.Trojan.Downloader-57555 Trojan.DownLoad2.37645 BehavesLike.Win32.PUPXAS.ch Trojan.Graftor.D1EFD7 TrojanDownloader:Win32/Blortios.C Trojan/Win32.Downloader.R18903 Win32/Trojan.88b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Delf.quw": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9770": [[53, 95]], "Indicator: Win.Trojan.Downloader-57555": [[96, 123]], "Indicator: Trojan.DownLoad2.37645": [[124, 146]], "Indicator: BehavesLike.Win32.PUPXAS.ch": [[147, 174]], "Indicator: Trojan.Graftor.D1EFD7": [[175, 196]], "Indicator: TrojanDownloader:Win32/Blortios.C": [[197, 230]], "Indicator: Trojan/Win32.Downloader.R18903": [[231, 261]], "Indicator: Win32/Trojan.88b": [[262, 278]]}, "info": {"id": "cyner2_5class_train_02164", "source": "cyner2_5class_train"}} +{"text": "In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks.", "spans": {"Organization: Unit 42": [[17, 24]], "Indicator: spear-phishing attacks": [[71, 93]], "Malware: custom downloader": [[106, 123]], "Indicator: cyber espionage attacks.": [[132, 156]]}, "info": {"id": "cyner2_5class_train_02165", "source": "cyner2_5class_train"}} +{"text": "But over the past week, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery of the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables.", "spans": {"Organization: Palo Alto Networks": [[56, 74]], "System: AutoFocus,": [[75, 85]], "Malware: the Hancitor malware family": [[131, 158]], "Malware: H1N1": [[185, 189]], "Malware: Pony": [[204, 208]], "Malware: Vawtrak executables.": [[213, 233]]}, "info": {"id": "cyner2_5class_train_02166", "source": "cyner2_5class_train"}} +{"text": "Ransomware sure has had an uptick the past years; more and more variants appear while some have been leading the pack for the past years.", "spans": {"Malware: 
Ransomware": [[0, 10]], "Malware: variants": [[64, 72]]}, "info": {"id": "cyner2_5class_train_02167", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Clicker.Small.ht Win32/TrojanClicker.Small.HT W32/TrojanX.MXY Smalltroj.BDN Win32.Small.ht Trojan-Clicker.Win32.Small.ht Trojan.Clicker.Small.HT TrojWare.Win32.TrojanClicker.Small.HT Trojan-Clicker.Win32.Small.ht Win32/TrojanClicker.Small.HT TR/Click.Small.HT W32/TrojanX.MXY Trojan-Downloader.Win32.Small!IK Trojan.Click.Small.HT TrojanClicker:Win32/Small.BB Trojan.Clicker.Small.HT Win-Trojan/Downloader.120895 Trojan-Clicker.Win32.Small.ht Trojan-Clicker.Small.HT Trojan-Clicker.Small.HT Trojan.Clicker.Autoit Trojan-Downloader.Win32.Small W32/Small.HT!tr Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Clicker.Small.ht": [[26, 49]], "Indicator: Win32/TrojanClicker.Small.HT": [[50, 78], [246, 274]], "Indicator: W32/TrojanX.MXY": [[79, 94], [293, 308]], "Indicator: Smalltroj.BDN": [[95, 108]], "Indicator: Win32.Small.ht": [[109, 123]], "Indicator: Trojan-Clicker.Win32.Small.ht": [[124, 153], [216, 245], [446, 475]], "Indicator: Trojan.Clicker.Small.HT": [[154, 177], [393, 416]], "Indicator: TrojWare.Win32.TrojanClicker.Small.HT": [[178, 215]], "Indicator: TR/Click.Small.HT": [[275, 292]], "Indicator: Trojan-Downloader.Win32.Small!IK": [[309, 341]], "Indicator: Trojan.Click.Small.HT": [[342, 363]], "Indicator: TrojanClicker:Win32/Small.BB": [[364, 392]], "Indicator: Win-Trojan/Downloader.120895": [[417, 445]], "Indicator: Trojan-Clicker.Small.HT": [[476, 499], [500, 523]], "Indicator: Trojan.Clicker.Autoit": [[524, 545]], "Indicator: Trojan-Downloader.Win32.Small": [[546, 575]], "Indicator: W32/Small.HT!tr": [[576, 591]], "Indicator: Trj/Downloader.MDW": [[592, 610]]}, "info": {"id": "cyner2_5class_train_02168", "source": "cyner2_5class_train"}} +{"text": "The source process looks at its own memory to calculate the offset between the beginning of the libc 
library and the mmap address .", "spans": {}, "info": {"id": "cyner2_5class_train_02169", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Badur!O Win32.Trojan.WisdomEyes.16070401.9500.9996 TR/Rogue.1517892 Trojan/Win32.Badur TrojanDownloader:MSIL/Balamid.A Trojan.Zusy.D13D03 Trojan.Badur Trojan.Badur!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Badur!O": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[47, 89]], "Indicator: TR/Rogue.1517892": [[90, 106]], "Indicator: Trojan/Win32.Badur": [[107, 125]], "Indicator: TrojanDownloader:MSIL/Balamid.A": [[126, 157]], "Indicator: Trojan.Zusy.D13D03": [[158, 176]], "Indicator: Trojan.Badur": [[177, 189]], "Indicator: Trojan.Badur!": [[190, 203]]}, "info": {"id": "cyner2_5class_train_02170", "source": "cyner2_5class_train"}} +{"text": "The company later released a whitepaper which described Qbot version 910 in great detail.", "spans": {"Organization: company": [[4, 11]], "Malware: Qbot version 910": [[56, 72]]}, "info": {"id": "cyner2_5class_train_02171", "source": "cyner2_5class_train"}} +{"text": "The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware.", "spans": {"Indicator: supply chain-focused attack": [[26, 53]], "Malware: at": [[54, 56]], "Malware: M.E.Doc software": [[57, 73]], "Malware: payload": [[103, 110]], "Malware: ransomware.": [[124, 135]]}, "info": {"id": "cyner2_5class_train_02172", "source": "cyner2_5class_train"}} +{"text": "There were several things that struck us as both interesting and concerning about the details; a threat actor known to operate in South East Asia is now using secure sockets layer SSL encryption in their malware.", "spans": {"Indicator: secure sockets layer": [[159, 179]], "Indicator: SSL": [[180, 183]], "Indicator: encryption": [[184, 194]], "Malware: malware.": [[204, 212]]}, "info": {"id": "cyner2_5class_train_02173", 
"source": "cyner2_5class_train"}} +{"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app ’ s attack flow collects device information and a list of apps installed on the device .", "spans": {"Indicator: http : // /apps/d/p/op.php": [[43, 69]]}, "info": {"id": "cyner2_5class_train_02174", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.Banload.10000 Trojan.Banker Win32.Trojan.WisdomEyes.16070401.9500.9955 Trojan.DownLoader13.22599 W32/Banker.ABCU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Banload.10000": [[26, 50]], "Indicator: Trojan.Banker": [[51, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9955": [[65, 107]], "Indicator: Trojan.DownLoader13.22599": [[108, 133]], "Indicator: W32/Banker.ABCU!tr": [[134, 152]]}, "info": {"id": "cyner2_5class_train_02175", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Braidupdate.C Trojan.Downloader.Braidupdate.C Trojan.Win32.Braidupdate.frhy W32/Downloader.AAJ Adware.BrowserAid Win32/TrojanDownloader.Braidupdate.C TROJ_BRAIDUPDT.C Worm.WinUpToDate Trojan-Downloader.Win32.Braidupdate.c Trojan.Downloader.Braidupdate.C Trojan.DL.Braidupdate!ucpSRQWfQfk Win32.Trojan-downloader.Braidupdate.Tayo Trojan.Downloader.Braidupdate.C TrojWare.Win32.TrojanDownloader.Braidupdate.C Trojan.Downloader.Braidupdate.C Trojan.Braid Downloader.Braidupdate.Win32.3 TROJ_BRAIDUPDT.C W32/Downloader.IZKY-4160 TR/Dldr.Braidupda.C W32/Braidupdate.C!tr.dldr Trojan[Downloader]/Win32.Braidupdate Trojan.Downloader.Braidupdate.C Troj.Downloader.W32.Braidupdate.c!c Trojan/Win32.Braidupdate TrojanDownloader:Win32/Braidupdate.C Trojan.Downloader.Braidupdate.C TrojanDownloader.Braidupdate not-a-virus:AdWare.Win32.Cash Trojan.Downloader.Braidupdate.C Downloader.Braidupdate.C Win32/Trojan.Downloader.2d9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.Downloader.Braidupdate.C": [[26, 57], [58, 89], [266, 297], [373, 404], [451, 482], [652, 683], [782, 813], [873, 904]], "Indicator: Trojan.Win32.Braidupdate.frhy": [[90, 119]], "Indicator: W32/Downloader.AAJ": [[120, 138]], "Indicator: Adware.BrowserAid": [[139, 156]], "Indicator: Win32/TrojanDownloader.Braidupdate.C": [[157, 193]], "Indicator: TROJ_BRAIDUPDT.C": [[194, 210], [527, 543]], "Indicator: Worm.WinUpToDate": [[211, 227]], "Indicator: Trojan-Downloader.Win32.Braidupdate.c": [[228, 265]], "Indicator: Trojan.DL.Braidupdate!ucpSRQWfQfk": [[298, 331]], "Indicator: Win32.Trojan-downloader.Braidupdate.Tayo": [[332, 372]], "Indicator: TrojWare.Win32.TrojanDownloader.Braidupdate.C": [[405, 450]], "Indicator: Trojan.Braid": [[483, 495]], "Indicator: Downloader.Braidupdate.Win32.3": [[496, 526]], "Indicator: W32/Downloader.IZKY-4160": [[544, 568]], "Indicator: TR/Dldr.Braidupda.C": [[569, 588]], "Indicator: W32/Braidupdate.C!tr.dldr": [[589, 614]], "Indicator: Trojan[Downloader]/Win32.Braidupdate": [[615, 651]], "Indicator: Troj.Downloader.W32.Braidupdate.c!c": [[684, 719]], "Indicator: Trojan/Win32.Braidupdate": [[720, 744]], "Indicator: TrojanDownloader:Win32/Braidupdate.C": [[745, 781]], "Indicator: TrojanDownloader.Braidupdate": [[814, 842]], "Indicator: not-a-virus:AdWare.Win32.Cash": [[843, 872]], "Indicator: Downloader.Braidupdate.C": [[905, 929]], "Indicator: Win32/Trojan.Downloader.2d9": [[930, 957]]}, "info": {"id": "cyner2_5class_train_02176", "source": "cyner2_5class_train"}} +{"text": "The Angler Exploti Kit has integrated CVE-2015-5119 leaked from HackingTeam.", "spans": {"Malware: Angler Exploti Kit": [[4, 22]], "Indicator: CVE-2015-5119": [[38, 51]], "Organization: HackingTeam.": [[64, 76]]}, "info": {"id": "cyner2_5class_train_02177", "source": "cyner2_5class_train"}} +{"text": "Although something had already been published , we decided to do something different with the data we acquired .", "spans": {}, "info": {"id": 
"cyner2_5class_train_02178", "source": "cyner2_5class_train"}} +{"text": "From a technical point of view , the sample is a unique spy implant with stand-out features such as device sensors listeners , including motion detectors that have been implemented with a degree of originality .", "spans": {}, "info": {"id": "cyner2_5class_train_02179", "source": "cyner2_5class_train"}} +{"text": "The cyber industry of mobile malware is becoming more focused on making profits more effectively , i.e. , mobile phishing , theft of credit card information , money transfers from bank cards to mobile phones and from phones to the criminalas ’ e-wallets .", "spans": {}, "info": {"id": "cyner2_5class_train_02180", "source": "cyner2_5class_train"}} +{"text": "Google Cloud Messaging is designed to send short message ( up to 4 KB ) to mobile devices via Google services .", "spans": {"System: Google Cloud Messaging": [[0, 22]], "Organization: Google": [[94, 100]]}, "info": {"id": "cyner2_5class_train_02181", "source": "cyner2_5class_train"}} +{"text": "Gafgyt botnet attacking Netcore routers", "spans": {"Malware: Gafgyt botnet": [[0, 13]], "System: Netcore routers": [[24, 39]]}, "info": {"id": "cyner2_5class_train_02182", "source": "cyner2_5class_train"}} +{"text": "During our continued research on Sofacy's Komplex Trojan, we have found a sample of a backdoor Trojan that we believe the Sofacy group uses when targeting individuals running macOS systems.", "spans": {"Malware: Komplex": [[42, 49]], "Malware: Trojan, we": [[50, 60]], "Malware: sample": [[74, 80]], "Malware: backdoor Trojan": [[86, 101]], "Organization: individuals": [[155, 166]], "System: macOS systems.": [[175, 189]]}, "info": {"id": "cyner2_5class_train_02183", "source": "cyner2_5class_train"}} +{"text": "There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company.", "spans": {"Indicator: emails:": [[32, 39]], 
"Indicator: order confirmation from a Japanese equipment supplier": [[50, 103]], "Indicator: a local printing company.": [[140, 165]]}, "info": {"id": "cyner2_5class_train_02184", "source": "cyner2_5class_train"}} +{"text": "It is issued by Google once a user successfully logged into this account .", "spans": {"Organization: Google": [[16, 22]]}, "info": {"id": "cyner2_5class_train_02185", "source": "cyner2_5class_train"}} +{"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The “ call ” notification , among several categories of notifications that Android supports , which requires immediate user attention .", "spans": {"System: Android": [[111, 118], [196, 203]]}, "info": {"id": "cyner2_5class_train_02186", "source": "cyner2_5class_train"}} +{"text": "This post will start to explore some of these obfuscations to get a better understanding of how FormBook works.", "spans": {}, "info": {"id": "cyner2_5class_train_02187", "source": "cyner2_5class_train"}} +{"text": "[Zscaler] has covered Dridex Banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past.", "spans": {"Organization: [Zscaler]": [[0, 9]], "Malware: Dridex Banking Trojan": [[22, 43]], "Indicator: Office documents": [[92, 108]], "Vulnerability: malicious VBA macros": [[114, 134]]}, "info": {"id": "cyner2_5class_train_02188", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Win32.Trojan.WisdomEyes.16070401.9500.9987 Trojan.Drondog Win.Downloader.29758-2 Worm.Win32.Downloader.bldi Trojan.Win32.MLW.xzlu W32.W.Downloader.hq!c Trojan.MulDrop.15154 Trojan.Win32.KillAV Worm/Downloader.fd TR/Sorri.O Worm/Win32.Downloader Win32.Troj.DownLoaderT.hu.147456 Trojan:Win32/Wiessy.A Worm/Win32.Downloader.R2522", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[26, 62]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9987": [[63, 105]], "Indicator: Trojan.Drondog": [[106, 120]], "Indicator: Win.Downloader.29758-2": [[121, 143]], "Indicator: Worm.Win32.Downloader.bldi": [[144, 170]], "Indicator: Trojan.Win32.MLW.xzlu": [[171, 192]], "Indicator: W32.W.Downloader.hq!c": [[193, 214]], "Indicator: Trojan.MulDrop.15154": [[215, 235]], "Indicator: Trojan.Win32.KillAV": [[236, 255]], "Indicator: Worm/Downloader.fd": [[256, 274]], "Indicator: TR/Sorri.O": [[275, 285]], "Indicator: Worm/Win32.Downloader": [[286, 307]], "Indicator: Win32.Troj.DownLoaderT.hu.147456": [[308, 340]], "Indicator: Trojan:Win32/Wiessy.A": [[341, 362]], "Indicator: Worm/Win32.Downloader.R2522": [[363, 390]]}, "info": {"id": "cyner2_5class_train_02189", "source": "cyner2_5class_train"}} +{"text": "A \" Tracking tool '' or an \" Admin tool '' are often cited for these kinds of tools for \" commercial '' or \" enterprise '' usage .", "spans": {}, "info": {"id": "cyner2_5class_train_02190", "source": "cyner2_5class_train"}} +{"text": "The malware is able to control banking transactions conducted using Internet Explorer, and harvest email credentials, which are in turn used to spread the malware further.", "spans": {"Malware: malware": [[4, 11], [155, 162]], "Indicator: control banking transactions": [[23, 51]], "System: Internet Explorer,": [[68, 86]], "Indicator: harvest email credentials,": [[91, 117]]}, "info": {"id": "cyner2_5class_train_02191", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DownLoader4.13271", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader4.13271": [[26, 50]]}, "info": {"id": "cyner2_5class_train_02192", "source": "cyner2_5class_train"}} +{"text": "Tap Menu > Play Protect .", "spans": {}, "info": {"id": "cyner2_5class_train_02193", "source": "cyner2_5class_train"}} +{"text": "Other variants use other names and logos , as described later .", "spans": {}, "info": {"id": "cyner2_5class_train_02194", 
"source": "cyner2_5class_train"}} +{"text": "However , Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single , multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks .", "spans": {"Organization: Proofpoint": [[10, 20]], "Malware: Marcher": [[157, 164]]}, "info": {"id": "cyner2_5class_train_02195", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DelfiDelfi.Win32.301 Trojan.Win32.DelfiDelfi.cho Trojan.Win32.DelfiDelfi.etgljb W32/Trojan.AITA-6805 Trojan.Win32.DelfiDelfi.cho TrojanDownloader:Win32/Banavkill.A Trj/GdSda.A Trojan.DelfiDelfi! W32/Banker.AEAY!tr.spy Win32/Trojan.af4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DelfiDelfi.Win32.301": [[26, 53]], "Indicator: Trojan.Win32.DelfiDelfi.cho": [[54, 81], [134, 161]], "Indicator: Trojan.Win32.DelfiDelfi.etgljb": [[82, 112]], "Indicator: W32/Trojan.AITA-6805": [[113, 133]], "Indicator: TrojanDownloader:Win32/Banavkill.A": [[162, 196]], "Indicator: Trj/GdSda.A": [[197, 208]], "Indicator: Trojan.DelfiDelfi!": [[209, 227]], "Indicator: W32/Banker.AEAY!tr.spy": [[228, 250]], "Indicator: Win32/Trojan.af4": [[251, 267]]}, "info": {"id": "cyner2_5class_train_02196", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.37860.B Trojan-PSW.Win32.Yahu.YPager!O Trojan/PSW.Yahu.YPager.r Trojan.Kazy.D15AC9 Win32.Trojan.WisdomEyes.16070401.9500.9973 W32/Pws.BHSA Win32/YPager.D Trojan.Win32.Scar.kjpu Troj.W32.Scar!c TrojWare.Win32.PSW.YahooPager.R0 Trojan.DownLoader6.48717 Trojan.Yahoo.Win32.38 BehavesLike.Win32.Virus.nt Trojan-PWS.Win32.Yahoo W32/PWS.TYKP-7651 Trojan/PSW.Yahu.y Trojan[PSW]/Win32.Yahu Trojan.Win32.Scar.kjpu Trojan/Win32.Jorik.C1078 Win32/PSW.Yahoo.YPager.R Win32.Trojan.Scar.Pfsz W32/Yahoo_YPager.R!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.37860.B": [[26, 56]], "Indicator: 
Trojan-PSW.Win32.Yahu.YPager!O": [[57, 87]], "Indicator: Trojan/PSW.Yahu.YPager.r": [[88, 112]], "Indicator: Trojan.Kazy.D15AC9": [[113, 131]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9973": [[132, 174]], "Indicator: W32/Pws.BHSA": [[175, 187]], "Indicator: Win32/YPager.D": [[188, 202]], "Indicator: Trojan.Win32.Scar.kjpu": [[203, 225], [431, 453]], "Indicator: Troj.W32.Scar!c": [[226, 241]], "Indicator: TrojWare.Win32.PSW.YahooPager.R0": [[242, 274]], "Indicator: Trojan.DownLoader6.48717": [[275, 299]], "Indicator: Trojan.Yahoo.Win32.38": [[300, 321]], "Indicator: BehavesLike.Win32.Virus.nt": [[322, 348]], "Indicator: Trojan-PWS.Win32.Yahoo": [[349, 371]], "Indicator: W32/PWS.TYKP-7651": [[372, 389]], "Indicator: Trojan/PSW.Yahu.y": [[390, 407]], "Indicator: Trojan[PSW]/Win32.Yahu": [[408, 430]], "Indicator: Trojan/Win32.Jorik.C1078": [[454, 478]], "Indicator: Win32/PSW.Yahoo.YPager.R": [[479, 503]], "Indicator: Win32.Trojan.Scar.Pfsz": [[504, 526]], "Indicator: W32/Yahoo_YPager.R!tr.pws": [[527, 552]]}, "info": {"id": "cyner2_5class_train_02197", "source": "cyner2_5class_train"}} +{"text": "The samples we identified target the ATM vendor Diebold.", "spans": {"System: ATM vendor Diebold.": [[37, 56]]}, "info": {"id": "cyner2_5class_train_02198", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Taob.ag Trojan.DR.Taob!NlMVsECgQGE Trojan.MulDrop4.3634 TR/PSW.OnlineGames.wtog TrojanDropper.Taob.o Win32.Troj.Taob.ag.kcloud Trojan:Win32/Cortheaper.A Trojan-GameThief.Win32.OnLineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Taob.ag": [[26, 54]], "Indicator: Trojan.DR.Taob!NlMVsECgQGE": [[55, 81]], "Indicator: Trojan.MulDrop4.3634": [[82, 102]], "Indicator: TR/PSW.OnlineGames.wtog": [[103, 126]], "Indicator: TrojanDropper.Taob.o": [[127, 147]], "Indicator: Win32.Troj.Taob.ag.kcloud": [[148, 173]], "Indicator: Trojan:Win32/Cortheaper.A": [[174, 199]], "Indicator: 
Trojan-GameThief.Win32.OnLineGames": [[200, 234]]}, "info": {"id": "cyner2_5class_train_02199", "source": "cyner2_5class_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner2_5class_train_02200", "source": "cyner2_5class_train"}} +{"text": "At the time it was removed, the plugin was installed on more than 200,00 sites, albeit we cannot be sure how many of these were updated to a version that included the malicious behavior.", "spans": {}, "info": {"id": "cyner2_5class_train_02201", "source": "cyner2_5class_train"}} +{"text": "Finished ! * * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) .", "spans": {"Indicator: bit.ly": [[58, 64]]}, "info": {"id": "cyner2_5class_train_02202", "source": "cyner2_5class_train"}} +{"text": "Following are some examples of the decoys used by these droppers : The purpose of Exodus One seems to be to collect some basic identifying information about the device ( namely the IMEI code and the phone number ) and send it to the Command & Control server .", "spans": {"Malware: Exodus One": [[82, 92]]}, "info": {"id": "cyner2_5class_train_02203", "source": "cyner2_5class_train"}} +{"text": "Twitter user @hkashfi posted a Tweet saying that one of his friends received a file US Travel Docs Information.jar from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland notice the i between travel and docs .", "spans": {"Organization: Twitter": [[0, 7]], "Organization: user @hkashfi": [[8, 21]], "Indicator: file US Travel Docs Information.jar": [[79, 114]], "Indicator: USTRAVELDOCS.COM": [[138, 154]], "Indicator: the Skype account ustravelidocs-switzerland notice the i between travel and docs .": [[179, 261]]}, "info": {"id": "cyner2_5class_train_02204", "source": "cyner2_5class_train"}} +{"text": "Successful exploitation typically results in malware calling back to one or more Uyghur themed domain names.", "spans": 
{"Vulnerability: exploitation": [[11, 23]], "Malware: malware": [[45, 52]], "Organization: Uyghur": [[81, 87]], "Indicator: domain names.": [[95, 108]]}, "info": {"id": "cyner2_5class_train_02205", "source": "cyner2_5class_train"}} +{"text": "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads.", "spans": {"Malware: Banking Trojans": [[0, 15]], "Malware: ransomware": [[144, 154]], "Malware: payloads.": [[165, 174]]}, "info": {"id": "cyner2_5class_train_02206", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Vburses Trojan.Win32.Vburses", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vburses": [[26, 40]], "Indicator: Trojan.Win32.Vburses": [[41, 61]]}, "info": {"id": "cyner2_5class_train_02207", "source": "cyner2_5class_train"}} +{"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices .", "spans": {"Malware: ANDROIDOS_HTBENEWS.A": [[12, 32]], "Vulnerability: local privilege escalation vulnerability": [[101, 141]]}, "info": {"id": "cyner2_5class_train_02208", "source": "cyner2_5class_train"}} +{"text": "If a smartphone or tablet was released more than a year ago , it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided .", "spans": {}, "info": {"id": "cyner2_5class_train_02209", "source": "cyner2_5class_train"}} +{"text": "In this analysis , we get into the capabilities of the new variant and what we found to be a “ kill switch ” that can eliminate the malware remotely from an infected device .", "spans": {}, "info": {"id": "cyner2_5class_train_02210", "source": "cyner2_5class_train"}} +{"text": "During the operation, the malware was used to dox 400,000 members of Vietnam Airlines.", "spans": {"Malware: malware": [[26, 33]], "Indicator: 
dox": [[46, 49]], "Organization: Vietnam Airlines.": [[69, 86]]}, "info": {"id": "cyner2_5class_train_02211", "source": "cyner2_5class_train"}} +{"text": "The Trojan deletes Volume Shadow Copies.", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: deletes Volume Shadow Copies.": [[11, 40]]}, "info": {"id": "cyner2_5class_train_02212", "source": "cyner2_5class_train"}} +{"text": "Since the class does not exist at startup , the application does not run on the debugger .", "spans": {}, "info": {"id": "cyner2_5class_train_02213", "source": "cyner2_5class_train"}} +{"text": "The MuddyWater attacks are primarily against Middle Eastern nations.", "spans": {"Indicator: attacks": [[15, 22]]}, "info": {"id": "cyner2_5class_train_02214", "source": "cyner2_5class_train"}} +{"text": "It is important to note that the data won ’ t be uploaded to C & C server automatically .", "spans": {}, "info": {"id": "cyner2_5class_train_02215", "source": "cyner2_5class_train"}} +{"text": "Elirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems.", "spans": {"Malware: Elirks,": [[0, 7]], "Malware: PlugX,": [[31, 37]], "Malware: basic backdoor Trojan,": [[43, 65]], "Indicator: steal information": [[118, 135]], "System: compromised systems.": [[141, 161]]}, "info": {"id": "cyner2_5class_train_02216", "source": "cyner2_5class_train"}} +{"text": "Through our research on the Windows KLRD keylogger from the Odinaff report, we were able to discover several new keyloggers.", "spans": {"Malware: Windows KLRD keylogger": [[28, 50]], "Organization: Odinaff": [[60, 67]], "Malware: keyloggers.": [[113, 124]]}, "info": {"id": "cyner2_5class_train_02217", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Mapiget W32/MalwareF.HUIZ Trojan.Badname HackTool.Win32.MapiGet.a Trojan.Win32.MapiGet.cwwjwt Hacktool.W32.Mapiget!c Trojan.KeyLogger.28306 Tool.MapiGet.Win32.1 
W32/Risk.LFSI-6446 HackTool.MapiGet.a Misc.HackTool.MailLogger TR/Spy.Mail.G HackTool/Win32.MapiGet Trojan.Graftor.D3C87F HackTool.Win32.MapiGet.a Win32.Hacktool.Mapiget.Iso TrojanSpy.Mail!RGqYbEAheeQ HackTool.Win32.MapiGet Win32/Trojan.Hacktool.eb5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Mapiget": [[26, 42]], "Indicator: W32/MalwareF.HUIZ": [[43, 60]], "Indicator: Trojan.Badname": [[61, 75]], "Indicator: HackTool.Win32.MapiGet.a": [[76, 100], [318, 342]], "Indicator: Trojan.Win32.MapiGet.cwwjwt": [[101, 128]], "Indicator: Hacktool.W32.Mapiget!c": [[129, 151]], "Indicator: Trojan.KeyLogger.28306": [[152, 174]], "Indicator: Tool.MapiGet.Win32.1": [[175, 195]], "Indicator: W32/Risk.LFSI-6446": [[196, 214]], "Indicator: HackTool.MapiGet.a": [[215, 233]], "Indicator: Misc.HackTool.MailLogger": [[234, 258]], "Indicator: TR/Spy.Mail.G": [[259, 272]], "Indicator: HackTool/Win32.MapiGet": [[273, 295]], "Indicator: Trojan.Graftor.D3C87F": [[296, 317]], "Indicator: Win32.Hacktool.Mapiget.Iso": [[343, 369]], "Indicator: TrojanSpy.Mail!RGqYbEAheeQ": [[370, 396]], "Indicator: HackTool.Win32.MapiGet": [[397, 419]], "Indicator: Win32/Trojan.Hacktool.eb5": [[420, 445]]}, "info": {"id": "cyner2_5class_train_02218", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-FHS.dr Trojan/Witthy.a Trojan.Win32.Clicker.crbxjx Trojan.Click2.48783 BehavesLike.Win32.VirRansom.cc Trojan.Win32.Merlos TR/Rogue.7786243 Trj/CI.A Win32/Witthy.A W32/Witthy.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-FHS.dr": [[26, 41]], "Indicator: Trojan/Witthy.a": [[42, 57]], "Indicator: Trojan.Win32.Clicker.crbxjx": [[58, 85]], "Indicator: Trojan.Click2.48783": [[86, 105]], "Indicator: BehavesLike.Win32.VirRansom.cc": [[106, 136]], "Indicator: Trojan.Win32.Merlos": [[137, 156]], "Indicator: TR/Rogue.7786243": [[157, 173]], "Indicator: Trj/CI.A": [[174, 182]], "Indicator: Win32/Witthy.A": [[183, 197]], "Indicator: 
W32/Witthy.A!tr.bdr": [[198, 217]]}, "info": {"id": "cyner2_5class_train_02219", "source": "cyner2_5class_train"}} +{"text": "Recent samples of the malware have now included the ability to use Google services for command-and-control C&C communication.", "spans": {"Malware: malware": [[22, 29]], "System: Google services": [[67, 82]], "Indicator: command-and-control C&C communication.": [[87, 125]]}, "info": {"id": "cyner2_5class_train_02220", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_RAMDO.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_RAMDO.SM0 BehavesLike.Win32.Virut.fh Trojan.Win32.Ramdo Trojan.Ramdo.1 Trojan:Win32/Ramdo.H Backdoor/Win32.Necurs.R100690 Malware-Cryptor.Limpopo Trj/Dtcontx.K Win32/Redyms.AF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_RAMDO.SM0": [[26, 40], [84, 98]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[41, 83]], "Indicator: BehavesLike.Win32.Virut.fh": [[99, 125]], "Indicator: Trojan.Win32.Ramdo": [[126, 144]], "Indicator: Trojan.Ramdo.1": [[145, 159]], "Indicator: Trojan:Win32/Ramdo.H": [[160, 180]], "Indicator: Backdoor/Win32.Necurs.R100690": [[181, 210]], "Indicator: Malware-Cryptor.Limpopo": [[211, 234]], "Indicator: Trj/Dtcontx.K": [[235, 248]], "Indicator: Win32/Redyms.AF": [[249, 264]]}, "info": {"id": "cyner2_5class_train_02221", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.3AEC Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Win32.Inject.ctprfv W32.Sality.l8GK Trojan.KillProc.28723 Trojan/Nimnul.b Trojan[Ransom]/Win32.PornoAsset Ransom:Win32/Dircrypt.C Trojan.Graftor.D199D8 Trojan.Crypt Trojan.Win32.VB Trj/Dtcontx.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3AEC": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9901": [[43, 85]], "Indicator: Trojan.Win32.Inject.ctprfv": [[86, 112]], "Indicator: W32.Sality.l8GK": [[113, 128]], "Indicator: Trojan.KillProc.28723": [[129, 150]], 
"Indicator: Trojan/Nimnul.b": [[151, 166]], "Indicator: Trojan[Ransom]/Win32.PornoAsset": [[167, 198]], "Indicator: Ransom:Win32/Dircrypt.C": [[199, 222]], "Indicator: Trojan.Graftor.D199D8": [[223, 244]], "Indicator: Trojan.Crypt": [[245, 257]], "Indicator: Trojan.Win32.VB": [[258, 273]], "Indicator: Trj/Dtcontx.G": [[274, 287]]}, "info": {"id": "cyner2_5class_train_02222", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload!O Downloader.Banload.Win32.27568 TROJ_DELF.NOR Win32.Trojan.WisdomEyes.16070401.9500.9934 W32/Downldr2.ATJF Backdoor.Trojan Win32/Pigeon.AYDG Win.Downloader.20057-1 Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload.evb Trojan.Crypt.Delf.AL Trojan.Win32.Drop.dzdiyr Trojan.Win32.A.Downloader.214016.H Troj.Downloader.W32.Banload!c Trojan.Crypt.Delf.AL Backdoor.Win32.Remote.~N Trojan.Crypt.Delf.AL Trojan.MulDrop.12358 BehavesLike.Win32.Worm.dc Trojan/Downloader.Banload.evb TrojanDownloader.Banload.jwv TR/Delf.18944 Trojan[Backdoor]/Win32.Ceckno Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload.evb Trojan.Crypt.Delf.AL TrojanDownloader.Delf Bck/Hupigon.KPG Win32/Delf.NXK Win32.Trojan-downloader.Banload.Dxnj Backdoor.Ceckno!iv4t9tSa5f0 Trojan-Dropper.Delf W32/Delf.NIP!tr.bdr Win32/Trojan.823", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.Delf.AL": [[26, 46], [244, 264], [301, 321], [412, 432], [458, 478], [629, 649], [686, 706]], "Indicator: Trojan-Downloader.Win32.Banload!O": [[47, 80]], "Indicator: Downloader.Banload.Win32.27568": [[81, 111]], "Indicator: TROJ_DELF.NOR": [[112, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9934": [[126, 168]], "Indicator: W32/Downldr2.ATJF": [[169, 186]], "Indicator: Backdoor.Trojan": [[187, 202]], "Indicator: Win32/Pigeon.AYDG": [[203, 220]], "Indicator: Win.Downloader.20057-1": [[221, 243]], "Indicator: Trojan-Downloader.Win32.Banload.evb": [[265, 300], [650, 685]], "Indicator: 
Trojan.Win32.Drop.dzdiyr": [[322, 346]], "Indicator: Trojan.Win32.A.Downloader.214016.H": [[347, 381]], "Indicator: Troj.Downloader.W32.Banload!c": [[382, 411]], "Indicator: Backdoor.Win32.Remote.~N": [[433, 457]], "Indicator: Trojan.MulDrop.12358": [[479, 499]], "Indicator: BehavesLike.Win32.Worm.dc": [[500, 525]], "Indicator: Trojan/Downloader.Banload.evb": [[526, 555]], "Indicator: TrojanDownloader.Banload.jwv": [[556, 584]], "Indicator: TR/Delf.18944": [[585, 598]], "Indicator: Trojan[Backdoor]/Win32.Ceckno": [[599, 628]], "Indicator: TrojanDownloader.Delf": [[707, 728]], "Indicator: Bck/Hupigon.KPG": [[729, 744]], "Indicator: Win32/Delf.NXK": [[745, 759]], "Indicator: Win32.Trojan-downloader.Banload.Dxnj": [[760, 796]], "Indicator: Backdoor.Ceckno!iv4t9tSa5f0": [[797, 824]], "Indicator: Trojan-Dropper.Delf": [[825, 844]], "Indicator: W32/Delf.NIP!tr.bdr": [[845, 864]], "Indicator: Win32/Trojan.823": [[865, 881]]}, "info": {"id": "cyner2_5class_train_02223", "source": "cyner2_5class_train"}} +{"text": "Beaconing information The ID is generated for each installation of the malware , while the token remains unique .", "spans": {}, "info": {"id": "cyner2_5class_train_02224", "source": "cyner2_5class_train"}} +{"text": "Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia.", "spans": {"Organization: energy": [[63, 69]], "Organization: government sectors;": [[74, 93]]}, "info": {"id": "cyner2_5class_train_02225", "source": "cyner2_5class_train"}} +{"text": "The following are the DBs created and maintained by the RAT .", "spans": {}, "info": {"id": "cyner2_5class_train_02226", "source": "cyner2_5class_train"}} +{"text": "] 122:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner2_5class_train_02227", "source": "cyner2_5class_train"}} +{"text": "As we know from our investigation , traces of the first development activities 
were found at the end of 2016 , but the main distribution campaign began in 2018 ( end of 2017 ) .", "spans": {}, "info": {"id": "cyner2_5class_train_02228", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_02229", "source": "cyner2_5class_train"}} +{"text": "Take a screenshot of any app in foreground .", "spans": {}, "info": {"id": "cyner2_5class_train_02230", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke.Melter.A Win32.Trojan.WisdomEyes.16070401.9500.9752 W32/Joke.SXAT-7954 Joke.Melter.A Joke.Melter.A Joke.Melter.A Heur.Corrupt.PE Joke.Melter.A Joke.Finger.5 not-a-virus:BadJoke.Win32.Melter W32/Joke.BY Joke.Melter.A Joke:Win32/Melter.dam#4 Joke.Melter.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Melter.A": [[26, 39], [102, 115], [116, 129], [130, 143], [160, 173], [233, 246], [271, 284]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9752": [[40, 82]], "Indicator: W32/Joke.SXAT-7954": [[83, 101]], "Indicator: Heur.Corrupt.PE": [[144, 159]], "Indicator: Joke.Finger.5": [[174, 187]], "Indicator: not-a-virus:BadJoke.Win32.Melter": [[188, 220]], "Indicator: W32/Joke.BY": [[221, 232]], "Indicator: Joke:Win32/Melter.dam#4": [[247, 270]], "Indicator: Trj/CI.A": [[285, 293]]}, "info": {"id": "cyner2_5class_train_02231", "source": "cyner2_5class_train"}} +{"text": "Prometei, a highly modular botnet with worm-like capabilities that primarily deploys the Monero cryptocurrency miner, has been continuously improved and updated since it was first seen in 2016, posing a persistent threat to organizations.", "spans": {"Malware: Prometei,": [[0, 9]], "Malware: botnet": [[27, 33]], "Malware: the Monero cryptocurrency miner,": [[85, 117]], "Indicator: persistent threat": [[203, 220]], "Organization: organizations.": [[224, 238]]}, "info": {"id": "cyner2_5class_train_02232", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: 
Possible_BASHLITE.SMLBN1 Unix.Trojan.Mirai-5607483-0 Linux.Trojan.Gafgyt.A HEUR:Backdoor.Linux.Gafgyt.y Trojan.Unix.Gafgyt.eikqfj Backdoor.Linux.Gafgyt!c Linux.BackDoor.Fgt.44 Possible_BASHLITE.SMLBN1 Backdoor.Linux.hxx LINUX/Gafgyt.klnbe Trojan.Backdoor.Linux.Gafgyt.1 HEUR:Backdoor.Linux.Gafgyt.y backdoor.linux.gafgyt.y Trojan.Linux.Gafgyt ELF/Gafgyt.WN!tr.bdr Win32/Backdoor.3e0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Possible_BASHLITE.SMLBN1": [[43, 67], [219, 243]], "Indicator: Unix.Trojan.Mirai-5607483-0": [[68, 95]], "Indicator: Linux.Trojan.Gafgyt.A": [[96, 117]], "Indicator: HEUR:Backdoor.Linux.Gafgyt.y": [[118, 146], [313, 341]], "Indicator: Trojan.Unix.Gafgyt.eikqfj": [[147, 172]], "Indicator: Backdoor.Linux.Gafgyt!c": [[173, 196]], "Indicator: Linux.BackDoor.Fgt.44": [[197, 218]], "Indicator: Backdoor.Linux.hxx": [[244, 262]], "Indicator: LINUX/Gafgyt.klnbe": [[263, 281]], "Indicator: Trojan.Backdoor.Linux.Gafgyt.1": [[282, 312]], "Indicator: backdoor.linux.gafgyt.y": [[342, 365]], "Indicator: Trojan.Linux.Gafgyt": [[366, 385]], "Indicator: ELF/Gafgyt.WN!tr.bdr": [[386, 406]], "Indicator: Win32/Backdoor.3e0": [[407, 425]]}, "info": {"id": "cyner2_5class_train_02233", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Feedel.28672 Trojan.Feedel Troj.W32.Feedel!c Trojan.Feedel.f TR/RedCap.ocnbv Trojan/Win32.Feedel Trj/CI.A Win32.Trojan.Feedel.Ecjy Win32/Trojan.ada", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Feedel.28672": [[26, 49]], "Indicator: Trojan.Feedel": [[50, 63]], "Indicator: Troj.W32.Feedel!c": [[64, 81]], "Indicator: Trojan.Feedel.f": [[82, 97]], "Indicator: TR/RedCap.ocnbv": [[98, 113]], "Indicator: Trojan/Win32.Feedel": [[114, 133]], "Indicator: Trj/CI.A": [[134, 142]], "Indicator: Win32.Trojan.Feedel.Ecjy": [[143, 167]], "Indicator: Win32/Trojan.ada": [[168, 184]]}, "info": {"id": "cyner2_5class_train_02234", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: W32.OscoleF.Trojan Trojan.AutoIT.Injector.AP Trojan/W32.Cossta.95232.B Trojan.Napolar.A1 Trojan.Cossta.Win32.8040 Win32.Trojan.Napolar.b Infostealer.Napolar Win32/Tnega.dYPTOW BKDR_NAPOLAR.SM0 Win32.Backdoor.Napolar.B Trojan.AutoIT.Injector.AP Trojan.Win32.Cossta.cqikyo Trojan.AutoIT.Injector.AP TrojWare.Win32.Kryptik.BLGK Trojan:W32/Napolar.A Trojan.Hottrend.355 BKDR_NAPOLAR.SM0 BehavesLike.Win32.Trojan.nh Trojan.Win32.Napolar TrojanDropper.Dapato.nxc TR/BAS.Zusy.2144567 Trojan/Win32.Cossta Trojan.AutoIT.Injector.AP Trojan:Win32/Napolar.A Trojan/Win32.Cossta.C211827 Trojan.AutoIT.Injector.AP TScope.Malware-Cryptor.SB Trojan.Napolar Trj/Napolar.A Win32/Napolar.A Trojan.Win32.Cossta.a W32/Cossta.A!tr Win32/Trojan.235", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OscoleF.Trojan": [[26, 44]], "Indicator: Trojan.AutoIT.Injector.AP": [[45, 70], [244, 269], [297, 322], [523, 548], [600, 625]], "Indicator: Trojan/W32.Cossta.95232.B": [[71, 96]], "Indicator: Trojan.Napolar.A1": [[97, 114]], "Indicator: Trojan.Cossta.Win32.8040": [[115, 139]], "Indicator: Win32.Trojan.Napolar.b": [[140, 162]], "Indicator: Infostealer.Napolar": [[163, 182]], "Indicator: Win32/Tnega.dYPTOW": [[183, 201]], "Indicator: BKDR_NAPOLAR.SM0": [[202, 218], [392, 408]], "Indicator: Win32.Backdoor.Napolar.B": [[219, 243]], "Indicator: Trojan.Win32.Cossta.cqikyo": [[270, 296]], "Indicator: TrojWare.Win32.Kryptik.BLGK": [[323, 350]], "Indicator: Trojan:W32/Napolar.A": [[351, 371]], "Indicator: Trojan.Hottrend.355": [[372, 391]], "Indicator: BehavesLike.Win32.Trojan.nh": [[409, 436]], "Indicator: Trojan.Win32.Napolar": [[437, 457]], "Indicator: TrojanDropper.Dapato.nxc": [[458, 482]], "Indicator: TR/BAS.Zusy.2144567": [[483, 502]], "Indicator: Trojan/Win32.Cossta": [[503, 522]], "Indicator: Trojan:Win32/Napolar.A": [[549, 571]], "Indicator: Trojan/Win32.Cossta.C211827": [[572, 599]], "Indicator: TScope.Malware-Cryptor.SB": [[626, 651]], "Indicator: Trojan.Napolar": [[652, 666]], 
"Indicator: Trj/Napolar.A": [[667, 680]], "Indicator: Win32/Napolar.A": [[681, 696]], "Indicator: Trojan.Win32.Cossta.a": [[697, 718]], "Indicator: W32/Cossta.A!tr": [[719, 734]], "Indicator: Win32/Trojan.235": [[735, 751]]}, "info": {"id": "cyner2_5class_train_02235", "source": "cyner2_5class_train"}} +{"text": "A longstanding cyberespionage campaign has been targeting mainly Japanese organizations with its own, custom-developed, malware Backdoor.Daserf.", "spans": {"Organization: Japanese organizations": [[65, 87]], "Malware: malware": [[120, 127]], "Indicator: Backdoor.Daserf.": [[128, 144]]}, "info": {"id": "cyner2_5class_train_02236", "source": "cyner2_5class_train"}} +{"text": "JPCERT/CC has been observing malicious shortcut files that are sent as email attachments to a limited range of organisations since around October 2015.", "spans": {"Organization: JPCERT/CC": [[0, 9]], "Malware: malicious shortcut files": [[29, 53]], "Indicator: email attachments": [[71, 88]], "Organization: since": [[125, 130]]}, "info": {"id": "cyner2_5class_train_02237", "source": "cyner2_5class_train"}} +{"text": "Devices infected by these malicious programs usually form a kind of advertising botnet via which advertising Trojans distribute each other as well as the advertised apps.", "spans": {"System: Devices": [[0, 7]], "Malware: malicious programs": [[26, 44]], "Indicator: advertising botnet": [[68, 86]], "Indicator: advertising Trojans distribute": [[97, 127]], "Indicator: advertised apps.": [[154, 170]]}, "info": {"id": "cyner2_5class_train_02238", "source": "cyner2_5class_train"}} +{"text": "Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: FrozenCell": [[75, 85]]}, "info": {"id": "cyner2_5class_train_02239", "source": "cyner2_5class_train"}} +{"text": "MainService has the following capabilities : Steal SMS messages Send SMS messages Steal the victim 's location Capture photos 
Execute commands Capture screenshots Call phone numbers Initiate other apps Steal Facebook credentials , etc All of the above functionalities take place on the basis of commands sent by the attacker .", "spans": {"System: Facebook": [[208, 216]]}, "info": {"id": "cyner2_5class_train_02240", "source": "cyner2_5class_train"}} +{"text": "We have named this tool that generates these documents DealersChoice.", "spans": {"Malware: tool": [[19, 23]], "Malware: DealersChoice.": [[55, 69]]}, "info": {"id": "cyner2_5class_train_02241", "source": "cyner2_5class_train"}} +{"text": "As it continues to evolve and develop, Proofpoint researchers have detected it distributing a new remote access Trojan RAT.", "spans": {"Organization: Proofpoint researchers": [[39, 61]], "Malware: remote access Trojan RAT.": [[98, 123]]}, "info": {"id": "cyner2_5class_train_02242", "source": "cyner2_5class_train"}} +{"text": "Port 6210 : SBrowser extraction service .", "spans": {"Indicator: Port 6210": [[0, 9]], "System: SBrowser": [[12, 20]]}, "info": {"id": "cyner2_5class_train_02243", "source": "cyner2_5class_train"}} +{"text": "This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming and shaming website, filled with non-paying victims and stolen data.", "spans": {"Malware: ransomware": [[42, 52]], "Indicator: shaming website,": [[133, 149]]}, "info": {"id": "cyner2_5class_train_02244", "source": "cyner2_5class_train"}} +{"text": "Qakbot has been around for years, but it's nothing to be complacent about.", "spans": {"Malware: Qakbot": [[0, 6]]}, "info": {"id": "cyner2_5class_train_02245", "source": "cyner2_5class_train"}} +{"text": "Retrieve media exchanged through WhatsApp .", "spans": {"System: WhatsApp": [[33, 41]]}, "info": {"id": "cyner2_5class_train_02246", "source": "cyner2_5class_train"}} +{"text": "In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service RaaS model and became notorious due to its advanced 
techniques.", "spans": {"Malware: Cl0p Ransomware": [[9, 24]], "Malware: Ransomware-as-a-Service RaaS model": [[39, 73]]}, "info": {"id": "cyner2_5class_train_02247", "source": "cyner2_5class_train"}} +{"text": "The Zen trojan uses its root privileges to turn on accessibility service ( a service used to allow Android users with disabilities to use their devices ) for itself by writing to a system-wide setting value enabled_accessibility_services .", "spans": {"Malware: Zen": [[4, 7]], "System: Android": [[99, 106]]}, "info": {"id": "cyner2_5class_train_02248", "source": "cyner2_5class_train"}} +{"text": "These indicator include the use of the same infrastructure for the attacks, similar Tactics, Techniques and Procedures TTPs, the targeting of demographically similar victims and operating geographically within the Indian Subcontinent", "spans": {"Indicator: indicator": [[6, 15]], "System: infrastructure": [[44, 58]], "Indicator: attacks,": [[67, 75]]}, "info": {"id": "cyner2_5class_train_02249", "source": "cyner2_5class_train"}} +{"text": "The email message test : the message as written ( left ) and as available in the database ( right ) Third , we documented the trojan retrieving the Google Authenticator 2FA code .", "spans": {"System: Google Authenticator": [[148, 168]]}, "info": {"id": "cyner2_5class_train_02250", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VAsidBackup.Worm Worm.Win32.AutoRun!O Worm.Hupigon Win32.Trojan.WisdomEyes.16070401.9500.9977 Worm.Win32.AutoRun.hht Backdoor.W32.IRCBot.lebE Trojan.Packed.650 Trojan.Sasfis.Win32.3750 Backdoor.Win32.Hupigon Worm/AutoRun.kwf Worm/Win32.AutoRun Win32.Virut.ce.57344 Worm.Win32.AutoRun.hht Worm:Win32/Hupigon.D HEUR/Fakon.mwf TScope.Malware-Cryptor.SB W32/Sohanat.JC Win32/AutoRun.Hupigon.L Win32.Worm.Autorun.Dxcn Worm.AutoRun!oW5oVN0v9nU W32/Packed.2D18!tr Win32/Trojan.ce1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VAsidBackup.Worm": [[26, 46]], "Indicator: 
Worm.Win32.AutoRun!O": [[47, 67]], "Indicator: Worm.Hupigon": [[68, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[81, 123]], "Indicator: Worm.Win32.AutoRun.hht": [[124, 146], [295, 317]], "Indicator: Backdoor.W32.IRCBot.lebE": [[147, 171]], "Indicator: Trojan.Packed.650": [[172, 189]], "Indicator: Trojan.Sasfis.Win32.3750": [[190, 214]], "Indicator: Backdoor.Win32.Hupigon": [[215, 237]], "Indicator: Worm/AutoRun.kwf": [[238, 254]], "Indicator: Worm/Win32.AutoRun": [[255, 273]], "Indicator: Win32.Virut.ce.57344": [[274, 294]], "Indicator: Worm:Win32/Hupigon.D": [[318, 338]], "Indicator: HEUR/Fakon.mwf": [[339, 353]], "Indicator: TScope.Malware-Cryptor.SB": [[354, 379]], "Indicator: W32/Sohanat.JC": [[380, 394]], "Indicator: Win32/AutoRun.Hupigon.L": [[395, 418]], "Indicator: Win32.Worm.Autorun.Dxcn": [[419, 442]], "Indicator: Worm.AutoRun!oW5oVN0v9nU": [[443, 467]], "Indicator: W32/Packed.2D18!tr": [[468, 486]], "Indicator: Win32/Trojan.ce1": [[487, 503]]}, "info": {"id": "cyner2_5class_train_02251", "source": "cyner2_5class_train"}} +{"text": "When you start your device , this script loads the Trojan 'imei_chk ' ( detects it as Android.Oldboot.1 ) which extract two files libgooglekernel.so ( Android.Oldboot.2 ) and GoogleKernel.apk ( Android.Oldboot.1.origin ) , copy them respectively in /system/lib and /system/app .", "spans": {"Indicator: Android.Oldboot.1": [[86, 103]], "Indicator: libgooglekernel.so": [[130, 148]], "Indicator: Android.Oldboot.2": [[151, 168]], "Indicator: GoogleKernel.apk": [[175, 191]], "Indicator: Android.Oldboot.1.origin": [[194, 218]], "Indicator: /system/lib and /system/app": [[249, 276]]}, "info": {"id": "cyner2_5class_train_02252", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutorunSubot.Worm HackTool.Hoylecann Win.Trojan.HackTool-55 HackTool:Win32/Hoylecann.B Trojan/Win32.HackTool.C178639 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutorunSubot.Worm": [[26, 47]], 
"Indicator: HackTool.Hoylecann": [[48, 66]], "Indicator: Win.Trojan.HackTool-55": [[67, 89]], "Indicator: HackTool:Win32/Hoylecann.B": [[90, 116]], "Indicator: Trojan/Win32.HackTool.C178639": [[117, 146]], "Indicator: Trj/CI.A": [[147, 155]]}, "info": {"id": "cyner2_5class_train_02253", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mbro Ransom_Molock.R004C0DAU18 Ransom_Molock.R004C0DAU18 Trojan-Ransom.Win32.Mbro.bbjy Trojan.Win32.Wecod.eoemqo Trojan.Win32.Z.Wecod.2575498 Win32.Trojan.Mbro.Wnwf BackDoor.Bifrost.30406 Trojan.Magania.Win32.70995 PUA.DRMSoft Trojan.Inject.zdn TR/Ransom.Molock.dkaaw Trojan/Win32.Wecod Ransom:Win32/Molock.A!bit Trojan-Ransom.Win32.Mbro.bbjy Trojan/Win32.Mbro.C2386226 TScope.Trojan.Delf Trojan.PWS.Magania!koUXbeUVt9s", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mbro": [[26, 37]], "Indicator: Ransom_Molock.R004C0DAU18": [[38, 63], [64, 89]], "Indicator: Trojan-Ransom.Win32.Mbro.bbjy": [[90, 119], [346, 375]], "Indicator: Trojan.Win32.Wecod.eoemqo": [[120, 145]], "Indicator: Trojan.Win32.Z.Wecod.2575498": [[146, 174]], "Indicator: Win32.Trojan.Mbro.Wnwf": [[175, 197]], "Indicator: BackDoor.Bifrost.30406": [[198, 220]], "Indicator: Trojan.Magania.Win32.70995": [[221, 247]], "Indicator: PUA.DRMSoft": [[248, 259]], "Indicator: Trojan.Inject.zdn": [[260, 277]], "Indicator: TR/Ransom.Molock.dkaaw": [[278, 300]], "Indicator: Trojan/Win32.Wecod": [[301, 319]], "Indicator: Ransom:Win32/Molock.A!bit": [[320, 345]], "Indicator: Trojan/Win32.Mbro.C2386226": [[376, 402]], "Indicator: TScope.Trojan.Delf": [[403, 421]], "Indicator: Trojan.PWS.Magania!koUXbeUVt9s": [[422, 452]]}, "info": {"id": "cyner2_5class_train_02254", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Maudi.41880 Trojan.Maudi.ahd Trojan/Maudi.ahd Trojan.Win32.Obfuscated.bbgart Celesign.A Trojan.Win32.Maudi.ahi Trojan.Win32.A.Maudi.41880 Trojan.Obfuscated.based.1 TR/Maudi.C Trojan/Maudi.f 
Trojan:Win32/Tusmed.A Trojan/Win32.Maudi Trojan.Maudi Trojan.Win32.Tusmed W32/Maudi.AHD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Maudi.41880": [[26, 48]], "Indicator: Trojan.Maudi.ahd": [[49, 65]], "Indicator: Trojan/Maudi.ahd": [[66, 82]], "Indicator: Trojan.Win32.Obfuscated.bbgart": [[83, 113]], "Indicator: Celesign.A": [[114, 124]], "Indicator: Trojan.Win32.Maudi.ahi": [[125, 147]], "Indicator: Trojan.Win32.A.Maudi.41880": [[148, 174]], "Indicator: Trojan.Obfuscated.based.1": [[175, 200]], "Indicator: TR/Maudi.C": [[201, 211]], "Indicator: Trojan/Maudi.f": [[212, 226]], "Indicator: Trojan:Win32/Tusmed.A": [[227, 248]], "Indicator: Trojan/Win32.Maudi": [[249, 267]], "Indicator: Trojan.Maudi": [[268, 280]], "Indicator: Trojan.Win32.Tusmed": [[281, 300]], "Indicator: W32/Maudi.AHD!tr": [[301, 317]]}, "info": {"id": "cyner2_5class_train_02255", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Barkiofork Trojan/Barkiofork.b Trojan.Zusy.D14CE BKDR_INJECT.SMA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Barkiofork BKDR_INJECT.SMA BackDoor.WebDor.55 TR/Barkiofork.A.28 Trojan:Win32/Barkiofork.A Trojan/Win32.Dllbot.R92635", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Barkiofork": [[26, 43]], "Indicator: Trojan/Barkiofork.b": [[44, 63]], "Indicator: Trojan.Zusy.D14CE": [[64, 81]], "Indicator: BKDR_INJECT.SMA": [[82, 97], [161, 176]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[98, 140]], "Indicator: Backdoor.Barkiofork": [[141, 160]], "Indicator: BackDoor.WebDor.55": [[177, 195]], "Indicator: TR/Barkiofork.A.28": [[196, 214]], "Indicator: Trojan:Win32/Barkiofork.A": [[215, 240]], "Indicator: Trojan/Win32.Dllbot.R92635": [[241, 267]]}, "info": {"id": "cyner2_5class_train_02256", "source": "cyner2_5class_train"}} +{"text": "These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.", "spans": 
{"Indicator: malicious Excel files": [[6, 27]]}, "info": {"id": "cyner2_5class_train_02257", "source": "cyner2_5class_train"}} +{"text": "Displaying HTML pages We ’ ll now look at the HTML pages that Rotexy displays and the actions performed with them .", "spans": {"Malware: Rotexy": [[62, 68]]}, "info": {"id": "cyner2_5class_train_02258", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D3DB80 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Ursu.exohow BehavesLike.Win32.Backdoor.jm TR/Dropper.MSIL.hfzet Trojan:MSIL/CeeInject.AE!bit Win-Trojan/MSILKrypt02.Exp Trj/GdSda.A Win32.Trojan.Inject.Auto Trojan.MSIL.Injector MSIL/Injector.QGP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D3DB80": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Trojan.Win32.Ursu.exohow": [[88, 112]], "Indicator: BehavesLike.Win32.Backdoor.jm": [[113, 142]], "Indicator: TR/Dropper.MSIL.hfzet": [[143, 164]], "Indicator: Trojan:MSIL/CeeInject.AE!bit": [[165, 193]], "Indicator: Win-Trojan/MSILKrypt02.Exp": [[194, 220]], "Indicator: Trj/GdSda.A": [[221, 232]], "Indicator: Win32.Trojan.Inject.Auto": [[233, 257]], "Indicator: Trojan.MSIL.Injector": [[258, 278]], "Indicator: MSIL/Injector.QGP!tr": [[279, 299]]}, "info": {"id": "cyner2_5class_train_02259", "source": "cyner2_5class_train"}} +{"text": "Recently , the ThreatLabZ research team came across a fake Netflix app , which turned out to be a new variant of SpyNote RAT ( Remote Access Trojan ) .", "spans": {"Organization: ThreatLabZ": [[15, 25]], "System: fake Netflix app": [[54, 70]], "Malware: SpyNote RAT": [[113, 124]]}, "info": {"id": "cyner2_5class_train_02260", "source": "cyner2_5class_train"}} +{"text": "The first version of Project Spy ( detected by Trend Micro as AndroidOS_SpyAgent.HRXB ) had the following capabilities : Collect device and system information ( i.e. 
, IMEI , device ID , manufacturer , model and phone number ) , location information , contacts stored , and call logs Collect and send SMS Take pictures via the camera Upload recorded MP4 files Monitor calls Searching further , we also found another sample that could be the second version of Project Spy .", "spans": {"Malware: Project Spy": [[21, 32]], "Organization: Trend Micro": [[47, 58]], "Indicator: AndroidOS_SpyAgent.HRXB": [[62, 85]]}, "info": {"id": "cyner2_5class_train_02261", "source": "cyner2_5class_train"}} +{"text": "The Trojan also hit users from Ukraine , Turkey , Germany , Belarus , Poland , Armenia , Kazakhstan , the US , and other countries .", "spans": {}, "info": {"id": "cyner2_5class_train_02262", "source": "cyner2_5class_train"}} +{"text": "In addition , these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct ( or compromise ) themselves .", "spans": {}, "info": {"id": "cyner2_5class_train_02263", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod8eb.Trojan.3030 Trojan.Downloader.Clisser.B Trojan.Downloader.Clisser.B Downloader.Clisser.Win32.1 Trojan/Downloader.Clisser.b Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Downldr2.BOY Heur.AdvML.C Win32/TrojanDownloader.Clisser.B Trojan-Downloader.Win32.Clisser.b Trojan.Downloader.Clisser.B Trojan.Win32.Clisser.ddmj Trojan.Win32.Downloader.54784.AO[h] Troj.Downloader.W32.Clisser.b!c Trojan.Downloader.Clisser.B TrojWare.Win32.TrojanDownloader.Clisser.B Trojan.Downloader.Clisser.B BehavesLike.Win32.AdwareTopMoxie.qh W32/Downloader.TUUE-5046 TrojanDownloader.Clisser.b TR/Dldr.Clisser.B.1 W32/Clisser.B!tr.dldr Trojan[Downloader]/Win32.Clisser Trojan.Downloader.Clisser.B Trojan/Win32.Clisser.N2115772 TrojanDownloader:Win32/Clisser.B Trojan.Downloader.Clisser.B TrojanDownloader.Clisser Win32.Trojan-downloader.Clisser.Sxeg Trojan.DL.Clisser!glWq8gdbz3E Trojan-Downloader.Win32.Clisser Trojan.Downloader.Clisser.B 
Downloader.Clisser.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod8eb.Trojan.3030": [[26, 49]], "Indicator: Trojan.Downloader.Clisser.B": [[50, 77], [78, 105], [299, 326], [421, 448], [491, 518], [682, 709], [773, 800], [925, 952]], "Indicator: Downloader.Clisser.Win32.1": [[106, 132]], "Indicator: Trojan/Downloader.Clisser.b": [[133, 160]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[161, 201]], "Indicator: W32/Downldr2.BOY": [[202, 218]], "Indicator: Heur.AdvML.C": [[219, 231]], "Indicator: Win32/TrojanDownloader.Clisser.B": [[232, 264]], "Indicator: Trojan-Downloader.Win32.Clisser.b": [[265, 298]], "Indicator: Trojan.Win32.Clisser.ddmj": [[327, 352]], "Indicator: Trojan.Win32.Downloader.54784.AO[h]": [[353, 388]], "Indicator: Troj.Downloader.W32.Clisser.b!c": [[389, 420]], "Indicator: TrojWare.Win32.TrojanDownloader.Clisser.B": [[449, 490]], "Indicator: BehavesLike.Win32.AdwareTopMoxie.qh": [[519, 554]], "Indicator: W32/Downloader.TUUE-5046": [[555, 579]], "Indicator: TrojanDownloader.Clisser.b": [[580, 606]], "Indicator: TR/Dldr.Clisser.B.1": [[607, 626]], "Indicator: W32/Clisser.B!tr.dldr": [[627, 648]], "Indicator: Trojan[Downloader]/Win32.Clisser": [[649, 681]], "Indicator: Trojan/Win32.Clisser.N2115772": [[710, 739]], "Indicator: TrojanDownloader:Win32/Clisser.B": [[740, 772]], "Indicator: TrojanDownloader.Clisser": [[801, 825]], "Indicator: Win32.Trojan-downloader.Clisser.Sxeg": [[826, 862]], "Indicator: Trojan.DL.Clisser!glWq8gdbz3E": [[863, 892]], "Indicator: Trojan-Downloader.Win32.Clisser": [[893, 924]], "Indicator: Downloader.Clisser.A": [[953, 973]]}, "info": {"id": "cyner2_5class_train_02264", "source": "cyner2_5class_train"}} +{"text": "The Italian language email had a weird attachment: ordine_065.js it would be Order Form in English which appeared quite malicious to me.", "spans": {"Indicator: email": [[21, 26]], "Indicator: weird attachment: ordine_065.js": [[33, 64]], "Malware: malicious": [[120, 129]]}, "info": 
{"id": "cyner2_5class_train_02265", "source": "cyner2_5class_train"}} +{"text": "The malware may download and execute other binaries.", "spans": {"Malware: malware": [[4, 11]], "Indicator: execute other binaries.": [[29, 52]]}, "info": {"id": "cyner2_5class_train_02266", "source": "cyner2_5class_train"}} +{"text": "List of available commands The command names are self-explanatory .", "spans": {}, "info": {"id": "cyner2_5class_train_02267", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: NetTool.Tor Backdoor.Bot Tool.Tor.Win32.4 Win32.Trojan.WisdomEyes.16070401.9500.9989 Backdoor.Trojan not-a-virus:NetTool.Win32.Tor.f Trojan.Win32.MLW.dbcsxd Trojan.DownLoader8.56801 Sefnit.ag W32/Trojan.OTFO-7506 HackTool[NetTool]/Win32.Tor TrojanDropper:Win32/Sefnit.A not-a-virus:NetTool.Win32.Tor.f TrojanDropper.Sefnit Riskware.NetTool! Win32/Trojan.07c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: NetTool.Tor": [[26, 37]], "Indicator: Backdoor.Bot": [[38, 50]], "Indicator: Tool.Tor.Win32.4": [[51, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[68, 110]], "Indicator: Backdoor.Trojan": [[111, 126]], "Indicator: not-a-virus:NetTool.Win32.Tor.f": [[127, 158], [296, 327]], "Indicator: Trojan.Win32.MLW.dbcsxd": [[159, 182]], "Indicator: Trojan.DownLoader8.56801": [[183, 207]], "Indicator: Sefnit.ag": [[208, 217]], "Indicator: W32/Trojan.OTFO-7506": [[218, 238]], "Indicator: HackTool[NetTool]/Win32.Tor": [[239, 266]], "Indicator: TrojanDropper:Win32/Sefnit.A": [[267, 295]], "Indicator: TrojanDropper.Sefnit": [[328, 348]], "Indicator: Riskware.NetTool!": [[349, 366]], "Indicator: Win32/Trojan.07c": [[367, 383]]}, "info": {"id": "cyner2_5class_train_02268", "source": "cyner2_5class_train"}} +{"text": "Never forget to update your system .", "spans": {}, "info": {"id": "cyner2_5class_train_02269", "source": "cyner2_5class_train"}} +{"text": "Samples uploaded to VirusTotal To encourage further research in the security community , we ’ ve 
uploaded these sample Chrysaor apps to Virus Total .", "spans": {"Organization: VirusTotal": [[20, 30]], "Malware: Chrysaor": [[119, 127]], "Organization: Virus Total": [[136, 147]]}, "info": {"id": "cyner2_5class_train_02270", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Floxif.A W32.Pioneer.CZ1 Virus.W32.Pioneer!c PE_FLOXIF.E Win32.Virus.Floxif.a W32/Floxif.B W32.Fixflo.B!inf Win32.Floxif.F PE_FLOXIF.E Win32.Floxif.A Virus.Win32.Pioneer.cz Win32.Floxif.A Virus.Win32.Pioneer.bvrqhu Win32.Floxif.A Virus.Win32.Floxif.A Win32.FloodFix.7 Virus.Floxif.Win32.1 W32/Floxif.B Win32/Pioneer.l Virus/Win32.Pioneer.cz TrojanDropper:Win32/Floxif.A Virus.Win32.Pioneer.cz Win32.Floxif.A Virus.Pioneer.4129 W32/Floxif.A Win32.Floxif.A Win32/Floxif.H Virus.Win32.Pionner.tt W32/Pioneer.CZ!tr Virus.Win32.Pioneer.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Floxif.A": [[26, 40], [167, 181], [205, 219], [247, 261], [425, 439], [472, 486]], "Indicator: W32.Pioneer.CZ1": [[41, 56]], "Indicator: Virus.W32.Pioneer!c": [[57, 76]], "Indicator: PE_FLOXIF.E": [[77, 88], [155, 166]], "Indicator: Win32.Virus.Floxif.a": [[89, 109]], "Indicator: W32/Floxif.B": [[110, 122], [321, 333]], "Indicator: W32.Fixflo.B!inf": [[123, 139]], "Indicator: Win32.Floxif.F": [[140, 154]], "Indicator: Virus.Win32.Pioneer.cz": [[182, 204], [402, 424]], "Indicator: Virus.Win32.Pioneer.bvrqhu": [[220, 246]], "Indicator: Virus.Win32.Floxif.A": [[262, 282]], "Indicator: Win32.FloodFix.7": [[283, 299]], "Indicator: Virus.Floxif.Win32.1": [[300, 320]], "Indicator: Win32/Pioneer.l": [[334, 349]], "Indicator: Virus/Win32.Pioneer.cz": [[350, 372]], "Indicator: TrojanDropper:Win32/Floxif.A": [[373, 401]], "Indicator: Virus.Pioneer.4129": [[440, 458]], "Indicator: W32/Floxif.A": [[459, 471]], "Indicator: Win32/Floxif.H": [[487, 501]], "Indicator: Virus.Win32.Pionner.tt": [[502, 524]], "Indicator: W32/Pioneer.CZ!tr": [[525, 542]], "Indicator: Virus.Win32.Pioneer.C": [[543, 
564]]}, "info": {"id": "cyner2_5class_train_02271", "source": "cyner2_5class_train"}} +{"text": "] comgooogel [ .", "spans": {"Indicator: [ .": [[13, 16]]}, "info": {"id": "cyner2_5class_train_02272", "source": "cyner2_5class_train"}} +{"text": "The latter implements the entire spyware program .", "spans": {}, "info": {"id": "cyner2_5class_train_02273", "source": "cyner2_5class_train"}} +{"text": "On top of all this , one of the malicious developer ’ s YouTube videos – a tutorial on developing an “ Instant Game ” for Facebook – serves as an example of operational security completely ignored .", "spans": {"System: YouTube": [[56, 63]], "Organization: Facebook": [[122, 130]]}, "info": {"id": "cyner2_5class_train_02274", "source": "cyner2_5class_train"}} +{"text": "We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia , Line , which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it 's prying eyes .", "spans": {"Malware: WolfRAT": [[7, 14], [217, 224]], "System: Line": [[84, 88]]}, "info": {"id": "cyner2_5class_train_02275", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware11 Trojan.Inject.Small.C Hacktool.Radinject Trojan.Inject.Small.C Trojan.Inject.Small.C Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan.Inject.Small.C W32.Cabanas.lmfo Trojan.Inject.Small.C W32/Trojan2.MAPI Trojan/Win32.Inject.R14211 Trojan.Inject.Small.C Trj/CI.A Trojan.Hijacker Win32/Trojan.913", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware11": [[26, 45]], "Indicator: Trojan.Inject.Small.C": [[46, 67], [87, 108], [109, 130], [174, 195], [213, 234], [279, 300]], "Indicator: Hacktool.Radinject": [[68, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9926": [[131, 173]], "Indicator: W32.Cabanas.lmfo": [[196, 212]], "Indicator: W32/Trojan2.MAPI": [[235, 251]], "Indicator: Trojan/Win32.Inject.R14211": [[252, 278]], 
"Indicator: Trj/CI.A": [[301, 309]], "Indicator: Trojan.Hijacker": [[310, 325]], "Indicator: Win32/Trojan.913": [[326, 342]]}, "info": {"id": "cyner2_5class_train_02276", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Morkus.73728 Trojan.Gambee.BB3 Trojan.Kazy.D13FF6 Trojan.Win32.Morkus.bcz Win32.Trojan.Morkus.Tayq TrojWare.Win32.TrojanClicker.VB.IDP Trojan.DownLoader5.64540 BehavesLike.Win32.Trojan.lt TR/VB.Click.idpmnua Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Gambee.A Trojan.Win32.Morkus.bcz Trojan/Win32.OnlineGameHack.R30007 Win32/TrojanClicker.VB.NYI Trojan-Clicker.Win32.VB W32/VBClicker.NY!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Morkus.73728": [[26, 49]], "Indicator: Trojan.Gambee.BB3": [[50, 67]], "Indicator: Trojan.Kazy.D13FF6": [[68, 86]], "Indicator: Trojan.Win32.Morkus.bcz": [[87, 110], [301, 324]], "Indicator: Win32.Trojan.Morkus.Tayq": [[111, 135]], "Indicator: TrojWare.Win32.TrojanClicker.VB.IDP": [[136, 171]], "Indicator: Trojan.DownLoader5.64540": [[172, 196]], "Indicator: BehavesLike.Win32.Trojan.lt": [[197, 224]], "Indicator: TR/VB.Click.idpmnua": [[225, 244]], "Indicator: Win32.Troj.Undef.kcloud": [[245, 268]], "Indicator: TrojanDownloader:Win32/Gambee.A": [[269, 300]], "Indicator: Trojan/Win32.OnlineGameHack.R30007": [[325, 359]], "Indicator: Win32/TrojanClicker.VB.NYI": [[360, 386]], "Indicator: Trojan-Clicker.Win32.VB": [[387, 410]], "Indicator: W32/VBClicker.NY!tr": [[411, 430]]}, "info": {"id": "cyner2_5class_train_02277", "source": "cyner2_5class_train"}} +{"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks .", "spans": {"Malware: XLoader 6.0": [[43, 54]], "Organization: Twitter": [[188, 195]]}, "info": {"id": "cyner2_5class_train_02278", "source": "cyner2_5class_train"}} 
+{"text": "After the installation , an application named “ Conference ” appears on the desktop : If the victim launches this app , he will see text which “ enlightens ” the information about the upcoming event : The full text reads follows .", "spans": {}, "info": {"id": "cyner2_5class_train_02279", "source": "cyner2_5class_train"}}
+{"text": "This ransomware is currently being spread by a social engineering exploit kit to trick the user in downloading a malicious executable.", "spans": {"Malware: ransomware": [[5, 15]], "Malware: social engineering exploit kit": [[47, 77]], "Malware: malicious executable.": [[113, 134]]}, "info": {"id": "cyner2_5class_train_02280", "source": "cyner2_5class_train"}}
+{"text": "The group's activities show that foreign and domestic espionage and influence on geopolitics are the group's main motives, and not financial gain.", "spans": {"Organization: geopolitics": [[81, 92]]}, "info": {"id": "cyner2_5class_train_02281", "source": "cyner2_5class_train"}}
+{"text": "Recently Bedep has been observed as the payload dropped by the Anger EK in a series of malvertising campaigns.", "spans": {"Malware: Bedep": [[9, 14]], "Malware: payload dropped": [[40, 55]], "Malware: Anger EK": [[63, 71]]}, "info": {"id": "cyner2_5class_train_02282", "source": "cyner2_5class_train"}}
+{"text": "Finally , since publishing the 9002 blog , Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure .", "spans": {"Malware: 9002": [[31, 35], [84, 88]], "Malware: Poison Ivy": [[102, 112]]}, "info": {"id": "cyner2_5class_train_02283", "source": "cyner2_5class_train"}}
+{"text": "It has the same functionality as the one described above but contains different text .", "spans": {}, "info": {"id": "cyner2_5class_train_02284", "source": "cyner2_5class_train"}}
+{"text": "We are able to send commands to the service such as dumpmsgdb or getkey ( which dumps the tgnet.dat file ) .", "spans": {"Indicator: tgnet.dat file": 
[[90, 104]]}, "info": {"id": "cyner2_5class_train_02285", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke.Kokegift JOKE_GESCHENK.A W32/Trojan4.EDF Joke.Geschenk JOKE_GESCHENK.A Win.Joke.CokeGift-2 Riskware.Win32.Geschenk.bdflz Joke.Geschenk BehavesLike.Win32.FakeAlertSecurityTool.cc Trojan-Spy.Win32.Zbot W32/Trojan.OREK-1496 JOKE/CokeGift.1 Joke:Win32/Kokegift.A Joke.Geschenk Win32.Trojan.Geschenk.Wvkp Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Kokegift": [[26, 39]], "Indicator: JOKE_GESCHENK.A": [[40, 55], [86, 101]], "Indicator: W32/Trojan4.EDF": [[56, 71]], "Indicator: Joke.Geschenk": [[72, 85], [152, 165], [290, 303]], "Indicator: Win.Joke.CokeGift-2": [[102, 121]], "Indicator: Riskware.Win32.Geschenk.bdflz": [[122, 151]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.cc": [[166, 208]], "Indicator: Trojan-Spy.Win32.Zbot": [[209, 230]], "Indicator: W32/Trojan.OREK-1496": [[231, 251]], "Indicator: JOKE/CokeGift.1": [[252, 267]], "Indicator: Joke:Win32/Kokegift.A": [[268, 289]], "Indicator: Win32.Trojan.Geschenk.Wvkp": [[304, 330]], "Indicator: Win32/Trojan.2ff": [[331, 347]]}, "info": {"id": "cyner2_5class_train_02286", "source": "cyner2_5class_train"}} +{"text": "A recently disclosed data breach suffered by Mexican fast food restaurant Chipotle was carried out by hackers linked to a group known as FIN7 or Carbanak Group, CyberScoop has learned.", "spans": {"Organization: Mexican fast food restaurant Chipotle": [[45, 82]], "Organization: CyberScoop": [[161, 171]]}, "info": {"id": "cyner2_5class_train_02287", "source": "cyner2_5class_train"}} +{"text": "After an infected app is installed , it sends data about the device to the campaign ’ s Command and Control ( C & C ) server .", "spans": {}, "info": {"id": "cyner2_5class_train_02288", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.IEPassVH.Trojan Tool.NetPass.Win32.6782 not-a-virus:PSWTool.Win32.NetPass.wkh 
Riskware.Win32.NetPass.sphcx Win32.PSWTool.NetPass.~BAAD Program.PwdFind.5 Packed.PePatch.uw Trojan[PSWTool]/Win32.NetPass Application.Heur.cmKfbOVNU5lO not-a-virus:PSWTool.Win32.NetPass.wkh Riskware.PSWTool! not-a-virus:PSWTool.Win32.NetPass", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.IEPassVH.Trojan": [[26, 45]], "Indicator: Tool.NetPass.Win32.6782": [[46, 69]], "Indicator: not-a-virus:PSWTool.Win32.NetPass.wkh": [[70, 107], [261, 298]], "Indicator: Riskware.Win32.NetPass.sphcx": [[108, 136]], "Indicator: Win32.PSWTool.NetPass.~BAAD": [[137, 164]], "Indicator: Program.PwdFind.5": [[165, 182]], "Indicator: Packed.PePatch.uw": [[183, 200]], "Indicator: Trojan[PSWTool]/Win32.NetPass": [[201, 230]], "Indicator: Application.Heur.cmKfbOVNU5lO": [[231, 260]], "Indicator: Riskware.PSWTool!": [[299, 316]], "Indicator: not-a-virus:PSWTool.Win32.NetPass": [[317, 350]]}, "info": {"id": "cyner2_5class_train_02289", "source": "cyner2_5class_train"}} +{"text": "The domain ‘ addroider [ .", "spans": {"Indicator: addroider [ .": [[13, 26]]}, "info": {"id": "cyner2_5class_train_02290", "source": "cyner2_5class_train"}} +{"text": "As can be seen , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner2_5class_train_02291", "source": "cyner2_5class_train"}} +{"text": "Recently we detected new samples and Infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug.", "spans": {"Malware: samples": [[25, 32]], "System: Infrastructure of ISMAgent,": [[37, 64]], "Malware: trojan": [[67, 73]]}, "info": {"id": "cyner2_5class_train_02292", "source": "cyner2_5class_train"}} +{"text": "Searching its name or one of its aliases Bebloh or Shiotob reveals a good deal of press from that time period along with a few technical analyses in 2009 2012 and 2013", "spans": {}, "info": {"id": "cyner2_5class_train_02293", "source": "cyner2_5class_train"}} +{"text": "This posting is a follow-up of my previous work on this subject in 
Pulling Back the Curtains on EncodedCommand PowerShell Attacks", "spans": {"Indicator: subject": [[56, 63]], "Indicator: EncodedCommand PowerShell Attacks": [[96, 129]]}, "info": {"id": "cyner2_5class_train_02294", "source": "cyner2_5class_train"}} +{"text": "It also includes SSL certificate checking aka SSL pinning, allowing it to evade scenarios in which an SSL man-in-the-middle is present.", "spans": {"Indicator: SSL certificate checking": [[17, 41]], "Indicator: SSL pinning,": [[46, 58]], "Indicator: evade scenarios": [[74, 89]], "Indicator: SSL man-in-the-middle": [[102, 123]]}, "info": {"id": "cyner2_5class_train_02295", "source": "cyner2_5class_train"}} +{"text": "ThreatLabZ has been keeping an eye on RIG and in this post we will cover an example of a full RIG infection cycle.", "spans": {"Organization: ThreatLabZ": [[0, 10]], "Malware: RIG": [[38, 41]], "Indicator: RIG infection cycle.": [[94, 114]]}, "info": {"id": "cyner2_5class_train_02296", "source": "cyner2_5class_train"}} +{"text": "The Check Point research team identified a new mobile malware targeting millions of Android users.", "spans": {"Organization: Check Point research team": [[4, 29]], "Malware: new mobile malware": [[43, 61]], "Organization: Android users.": [[84, 98]]}, "info": {"id": "cyner2_5class_train_02297", "source": "cyner2_5class_train"}} +{"text": "The target is CERT in the military domain.", "spans": {"Organization: CERT": [[14, 18]], "Organization: the military domain.": [[22, 42]]}, "info": {"id": "cyner2_5class_train_02298", "source": "cyner2_5class_train"}} +{"text": "To illustrate the level of threat the DEFENSOR ID app posed , we performed three tests .", "spans": {"Malware: DEFENSOR ID": [[38, 49]]}, "info": {"id": "cyner2_5class_train_02299", "source": "cyner2_5class_train"}} +{"text": "However , this situation will not last long : given the cybercriminals ’ interest in user bank accounts , the activity of mobile banking Trojans is expected to grow in other countries in 
2014 .", "spans": {}, "info": {"id": "cyner2_5class_train_02300", "source": "cyner2_5class_train"}} +{"text": "The FakeSpy malware has been found to masquerade as any of the following companies : United States Postal Service - An independent agency of the executive branch of the United States federal government .", "spans": {"Malware: FakeSpy": [[4, 11]], "Organization: United States Postal Service": [[85, 113]]}, "info": {"id": "cyner2_5class_train_02301", "source": "cyner2_5class_train"}} +{"text": "We have found evidence that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network.", "spans": {"Malware: tools": [[71, 76]], "Malware: Disttrack payload": [[109, 126]], "Indicator: hostnames": [[130, 139]], "System: the targeted network.": [[175, 196]]}, "info": {"id": "cyner2_5class_train_02302", "source": "cyner2_5class_train"}} +{"text": "The first webview overlay is created on step 6 of the activation cycle .", "spans": {}, "info": {"id": "cyner2_5class_train_02303", "source": "cyner2_5class_train"}} +{"text": "Eventually , the screen PIN preferences will be saved to an additional XML file in the shared preferences folder .", "spans": {}, "info": {"id": "cyner2_5class_train_02304", "source": "cyner2_5class_train"}} +{"text": "The beaconing only starts after the application is installed and removed from the running tasks .", "spans": {}, "info": {"id": "cyner2_5class_train_02305", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JSTL TrojanDownloader.Mabjet Trojan.Downloader.JSTL Backdoor.W32.PcClient.lpjJ Trojan/Downloader.FlyStudio.az Trojan.Downloader.JSTL Win.Trojan.Flystudio-2191 Trojan.Downloader.JSTL Trojan.Downloader.JSTL Trojan.Win32.FlyStudio.cxpswl Trojan.Downloader.JSTL Adware.Downware.4022 Downloader.FlyStudio.Win32.2885 Trojan-Downloader.Flystudio TR/Dldr.FlyStudio.AZ Win32.Trojan.Fakeapp.Dvfy 
Win32/Trojan.51f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JSTL": [[26, 48], [73, 95], [154, 176], [203, 225], [226, 248], [279, 301]], "Indicator: TrojanDownloader.Mabjet": [[49, 72]], "Indicator: Backdoor.W32.PcClient.lpjJ": [[96, 122]], "Indicator: Trojan/Downloader.FlyStudio.az": [[123, 153]], "Indicator: Win.Trojan.Flystudio-2191": [[177, 202]], "Indicator: Trojan.Win32.FlyStudio.cxpswl": [[249, 278]], "Indicator: Adware.Downware.4022": [[302, 322]], "Indicator: Downloader.FlyStudio.Win32.2885": [[323, 354]], "Indicator: Trojan-Downloader.Flystudio": [[355, 382]], "Indicator: TR/Dldr.FlyStudio.AZ": [[383, 403]], "Indicator: Win32.Trojan.Fakeapp.Dvfy": [[404, 429]], "Indicator: Win32/Trojan.51f": [[430, 446]]}, "info": {"id": "cyner2_5class_train_02306", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Emotet.CD Trojan/W32.Dovs.159744.B Win32.Malware!Drop Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.KZPI-4363 Trojan.Emotet TSPY_EMOTET.THAOIAL Win.Trojan.Emotet-6421984-0 Trojan.Win32.Dovs.frh Trojan.Emotet.CD Trojan.Win32.Dovs.exinig Win32.Trojan.Dovs.Wwnx Trojan.Emotet.CD Trojan.Emotet.CD TSPY_EMOTET.THAOIAL BehavesLike.Win32.Upatre.ch Trojan.Dovs.bke TR/Crypt.ZPACK.blsak W32/Kryptik.GBTT!tr Trojan.Emotet.CD Trojan.Win32.Z.Emotet.159744.B Trojan.Win32.Dovs.frh Trojan/Win32.Dovs.C2353482 Trojan.Emotet.CD Win32.Malware!Drop Trojan.Emotet Win32/Emotet.AZ Trojan-Banker.Emotet PE.Heur.InvalidSig Win32.Trojan-Spy.Emotet.KA Trj/RnkBend.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Emotet.CD": [[26, 42], [235, 251], [300, 316], [317, 333], [439, 455], [536, 552]], "Indicator: Trojan/W32.Dovs.159744.B": [[43, 67]], "Indicator: Win32.Malware!Drop": [[68, 86], [553, 571]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[87, 129]], "Indicator: W32/Trojan.KZPI-4363": [[130, 150]], "Indicator: Trojan.Emotet": [[151, 164], [572, 585]], "Indicator: TSPY_EMOTET.THAOIAL": [[165, 
184], [334, 353]], "Indicator: Win.Trojan.Emotet-6421984-0": [[185, 212]], "Indicator: Trojan.Win32.Dovs.frh": [[213, 234], [487, 508]], "Indicator: Trojan.Win32.Dovs.exinig": [[252, 276]], "Indicator: Win32.Trojan.Dovs.Wwnx": [[277, 299]], "Indicator: BehavesLike.Win32.Upatre.ch": [[354, 381]], "Indicator: Trojan.Dovs.bke": [[382, 397]], "Indicator: TR/Crypt.ZPACK.blsak": [[398, 418]], "Indicator: W32/Kryptik.GBTT!tr": [[419, 438]], "Indicator: Trojan.Win32.Z.Emotet.159744.B": [[456, 486]], "Indicator: Trojan/Win32.Dovs.C2353482": [[509, 535]], "Indicator: Win32/Emotet.AZ": [[586, 601]], "Indicator: Trojan-Banker.Emotet": [[602, 622]], "Indicator: PE.Heur.InvalidSig": [[623, 641]], "Indicator: Win32.Trojan-Spy.Emotet.KA": [[642, 668]], "Indicator: Trj/RnkBend.A": [[669, 682]]}, "info": {"id": "cyner2_5class_train_02307", "source": "cyner2_5class_train"}} +{"text": "While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user.", "spans": {"Malware: threats": [[55, 62]], "Malware: Dridex, Upatre,": [[71, 86]], "Malware: Cryptowall,": [[91, 102]], "Indicator: format of the message": [[161, 182]], "Organization: targeted user.": [[206, 220]]}, "info": {"id": "cyner2_5class_train_02308", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.AB1B MemScan:Trojan.Spy.Togfer.S Trojan-Dropper/W32.Small.45568.F TrojanDropper.Small Dropper.Small.Win32.1780 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Wingua.B Backdoor.Trojan MemScan:Trojan.Spy.Togfer.S Trojan-Dropper.Win32.Small.ep MemScan:Trojan.Spy.Togfer.S Trojan.Win32.Small.unzq Trojan.Win32.Z.Small.45568.Z Troj.Dropper.W32.Small.ep!c MemScan:Trojan.Spy.Togfer.S TrojWare.Win32.TrojanDropper.Small.EP MemScan:Trojan.Spy.Togfer.S Trojan.MulDrop.752 TROJ_SMALL.EP BehavesLike.Win32.Sdbot.pc Trojan/Dropper.Small.ep Worm.Win32.Randex.a 
W32/Wingua.TBPD-6936 Packed.Morphine.a DR/Small.EP.1 Trojan[Dropper]/Win32.Small Trojan.Spy.Togfer.S Trojan-Dropper.Win32.Small.ep MemScan:Trojan.Spy.Togfer.S TrojanSpy.Tofger Trj/Small.A Win32/TrojanDropper.Small.EP Win32.Trojan-dropper.Small.Amvx Trojan.DR.Small!QLjE4qGURJY W32/Small.EP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.AB1B": [[26, 42]], "Indicator: MemScan:Trojan.Spy.Togfer.S": [[43, 70], [221, 248], [279, 306], [388, 415], [454, 481], [717, 744]], "Indicator: Trojan-Dropper/W32.Small.45568.F": [[71, 103]], "Indicator: TrojanDropper.Small": [[104, 123]], "Indicator: Dropper.Small.Win32.1780": [[124, 148]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[149, 191]], "Indicator: W32/Wingua.B": [[192, 204]], "Indicator: Backdoor.Trojan": [[205, 220]], "Indicator: Trojan-Dropper.Win32.Small.ep": [[249, 278], [687, 716]], "Indicator: Trojan.Win32.Small.unzq": [[307, 330]], "Indicator: Trojan.Win32.Z.Small.45568.Z": [[331, 359]], "Indicator: Troj.Dropper.W32.Small.ep!c": [[360, 387]], "Indicator: TrojWare.Win32.TrojanDropper.Small.EP": [[416, 453]], "Indicator: Trojan.MulDrop.752": [[482, 500]], "Indicator: TROJ_SMALL.EP": [[501, 514]], "Indicator: BehavesLike.Win32.Sdbot.pc": [[515, 541]], "Indicator: Trojan/Dropper.Small.ep": [[542, 565]], "Indicator: Worm.Win32.Randex.a": [[566, 585]], "Indicator: W32/Wingua.TBPD-6936": [[586, 606]], "Indicator: Packed.Morphine.a": [[607, 624]], "Indicator: DR/Small.EP.1": [[625, 638]], "Indicator: Trojan[Dropper]/Win32.Small": [[639, 666]], "Indicator: Trojan.Spy.Togfer.S": [[667, 686]], "Indicator: TrojanSpy.Tofger": [[745, 761]], "Indicator: Trj/Small.A": [[762, 773]], "Indicator: Win32/TrojanDropper.Small.EP": [[774, 802]], "Indicator: Win32.Trojan-dropper.Small.Amvx": [[803, 834]], "Indicator: Trojan.DR.Small!QLjE4qGURJY": [[835, 862]], "Indicator: W32/Small.EP!tr": [[863, 878]]}, "info": {"id": "cyner2_5class_train_02309", "source": "cyner2_5class_train"}} +{"text": "At the 
time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN .", "spans": {"System: Google Play": [[93, 104]], "Malware: HenBox": [[148, 154]], "Indicator: DroidVPN": [[179, 187]]}, "info": {"id": "cyner2_5class_train_02310", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Delf.Win32.49957 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Adclicker Trojan-Spy.Win32.Delf.tr TrojWare.Win32.PSW.QQPass.~HYJ Trojan.DownLoader.origin BehavesLike.Win32.Dropper.lc Trojan-Dropper.Delf Trojan[Spy]/Win32.Delf Trojan-Spy.Win32.Delf.tr Trojan/Win32.OnlineGameHack.R233 Trojan.PWS.Ceekat!HLFjv+sb6fY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delf.Win32.49957": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[50, 92]], "Indicator: Trojan.Adclicker": [[93, 109]], "Indicator: Trojan-Spy.Win32.Delf.tr": [[110, 134], [263, 287]], "Indicator: TrojWare.Win32.PSW.QQPass.~HYJ": [[135, 165]], "Indicator: Trojan.DownLoader.origin": [[166, 190]], "Indicator: BehavesLike.Win32.Dropper.lc": [[191, 219]], "Indicator: Trojan-Dropper.Delf": [[220, 239]], "Indicator: Trojan[Spy]/Win32.Delf": [[240, 262]], "Indicator: Trojan/Win32.OnlineGameHack.R233": [[288, 320]], "Indicator: Trojan.PWS.Ceekat!HLFjv+sb6fY": [[321, 350]]}, "info": {"id": "cyner2_5class_train_02311", "source": "cyner2_5class_train"}} +{"text": "Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China.", "spans": {"Organization: Researchers": [[0, 11]], "Organization: Tencent Security": [[17, 33]], "Malware: Swearing Trojan,": [[67, 83]], "Malware: mobile banking malware": [[86, 108]], "Indicator: attacked": [[114, 122]], "Organization: users": [[123, 128]]}, "info": {"id": "cyner2_5class_train_02312", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: Backdoor.Dolan.fam Backdoor/W32.Dolan.20480.D Backdoor.Dolan.fam Backdoor.Aoldoor Dolan.AA BKDR_AOLDOOR.A Backdoor.Win32.Dolan Backdoor.Dolan.G Backdoor.Win32.A.Dolan.20480[h] PE:Backdoor.Dolan.b!1173745952 Backdoor.Dolan.fam Backdoor.Win32.Dolan Backdoor.Dolan.fam BackDoor.Dolan Backdoor.Dolan.Win32.52 BKDR_AOLDOOR.A W32/Risk.PEXC-1723 BDS/Dolan.A.27 Trojan[Backdoor]/Win32.Dolan Backdoor.Dolan.fam Win-Trojan/Dolan.20480.D Backdoor.Dolan.fam Trojan.VBRA.01573 Backdoor.Win32.Dolan W32/Bdoor.ARY!tr.bdr BackDoor.Dolan.S Backdoor.Win32.Dolan.Alrb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Dolan.fam": [[26, 44], [72, 90], [233, 251], [273, 291], [409, 427], [453, 471]], "Indicator: Backdoor/W32.Dolan.20480.D": [[45, 71]], "Indicator: Backdoor.Aoldoor": [[91, 107]], "Indicator: Dolan.AA": [[108, 116]], "Indicator: BKDR_AOLDOOR.A": [[117, 131], [331, 345]], "Indicator: Backdoor.Win32.Dolan": [[132, 152], [252, 272], [490, 510]], "Indicator: Backdoor.Dolan.G": [[153, 169]], "Indicator: Backdoor.Win32.A.Dolan.20480[h]": [[170, 201]], "Indicator: PE:Backdoor.Dolan.b!1173745952": [[202, 232]], "Indicator: BackDoor.Dolan": [[292, 306]], "Indicator: Backdoor.Dolan.Win32.52": [[307, 330]], "Indicator: W32/Risk.PEXC-1723": [[346, 364]], "Indicator: BDS/Dolan.A.27": [[365, 379]], "Indicator: Trojan[Backdoor]/Win32.Dolan": [[380, 408]], "Indicator: Win-Trojan/Dolan.20480.D": [[428, 452]], "Indicator: Trojan.VBRA.01573": [[472, 489]], "Indicator: W32/Bdoor.ARY!tr.bdr": [[511, 531]], "Indicator: BackDoor.Dolan.S": [[532, 548]], "Indicator: Backdoor.Win32.Dolan.Alrb": [[549, 574]]}, "info": {"id": "cyner2_5class_train_02313", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.AlLight.1.0.A Trojan-PWS/W32.AlLight.140800 PWS-LamLite.cfg Trojan.AlLight.Win32.34 Trojan/PSW.AlLight.10.a TROJ_LAMLITE.A TROJ_LAMLITE.A Trojan.PWS.AlLight.1.0.A Trojan-PSW.Win32.AlLight.10.a Trojan.PWS.AlLight.1.0.A Trojan.Win32.AlLight.dbgt 
Trojan.Win32.PSWAlLight.140800 Troj.PSW32.W.AlLight.10.a!c Trojan.PWS.AlLight.1.0.A TrojWare.Win32.PSW.AlLight.A Trojan.PWS.AlLight.1.0.A BackDoor.AntiLame.10 BehavesLike.Win32.Dropper.cc W32/Risk.CXII-8326 Backdoor/Antilam.10 W32.Trojan.Phisher-LamLite TR/PSW.AlLight.10.A Trojan[PSW]/Win32.AlLight Trojan.PWS.AlLight.1.0.A Trojan-PSW.Win32.AlLight.10.a PWS:Win32/LammerLight.B Backdoor.RAT.AntiLamer TrojanPSW.AlLight Win32/PSW.AlLight.10.A Win32.Trojan-qqpass.Qqrob.Pjxn Trojan.PWS.AlLight!3dq9kq5oal8 Backdoor.Win32.Antilam W32/EQSteal.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.AlLight.1.0.A": [[26, 50], [175, 199], [230, 254], [340, 364], [394, 418], [581, 605]], "Indicator: Trojan-PWS/W32.AlLight.140800": [[51, 80]], "Indicator: PWS-LamLite.cfg": [[81, 96]], "Indicator: Trojan.AlLight.Win32.34": [[97, 120]], "Indicator: Trojan/PSW.AlLight.10.a": [[121, 144]], "Indicator: TROJ_LAMLITE.A": [[145, 159], [160, 174]], "Indicator: Trojan-PSW.Win32.AlLight.10.a": [[200, 229], [606, 635]], "Indicator: Trojan.Win32.AlLight.dbgt": [[255, 280]], "Indicator: Trojan.Win32.PSWAlLight.140800": [[281, 311]], "Indicator: Troj.PSW32.W.AlLight.10.a!c": [[312, 339]], "Indicator: TrojWare.Win32.PSW.AlLight.A": [[365, 393]], "Indicator: BackDoor.AntiLame.10": [[419, 439]], "Indicator: BehavesLike.Win32.Dropper.cc": [[440, 468]], "Indicator: W32/Risk.CXII-8326": [[469, 487]], "Indicator: Backdoor/Antilam.10": [[488, 507]], "Indicator: W32.Trojan.Phisher-LamLite": [[508, 534]], "Indicator: TR/PSW.AlLight.10.A": [[535, 554]], "Indicator: Trojan[PSW]/Win32.AlLight": [[555, 580]], "Indicator: PWS:Win32/LammerLight.B": [[636, 659]], "Indicator: Backdoor.RAT.AntiLamer": [[660, 682]], "Indicator: TrojanPSW.AlLight": [[683, 700]], "Indicator: Win32/PSW.AlLight.10.A": [[701, 723]], "Indicator: Win32.Trojan-qqpass.Qqrob.Pjxn": [[724, 754]], "Indicator: Trojan.PWS.AlLight!3dq9kq5oal8": [[755, 785]], "Indicator: Backdoor.Win32.Antilam": [[786, 808]], "Indicator: 
W32/EQSteal.A!tr": [[809, 825]]}, "info": {"id": "cyner2_5class_train_02314", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FlyStudio.Win32.14198 Trojan/FlyStudio.onh Win32/Oflwr.A!crypt Win32.Trojan.FlyStudio.F Riskware.Win32.ProcPatcher.djqzww Trojan.Win32.Z.Zusy.1400832.C Trojan.NtRootKit.18405 W32/Trojan.VHRL-9383 Variant.Zusy.hm RiskWare[RiskTool]/Win32.ProcPatcher.a Trojan.Zusy.D1CA4C TrojanDownloader:Win32/Nefhop.A Trj/CI.A Riskware.ProcPatcher! Win32/Trojan.Spy.6da", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FlyStudio.Win32.14198": [[26, 54]], "Indicator: Trojan/FlyStudio.onh": [[55, 75]], "Indicator: Win32/Oflwr.A!crypt": [[76, 95]], "Indicator: Win32.Trojan.FlyStudio.F": [[96, 120]], "Indicator: Riskware.Win32.ProcPatcher.djqzww": [[121, 154]], "Indicator: Trojan.Win32.Z.Zusy.1400832.C": [[155, 184]], "Indicator: Trojan.NtRootKit.18405": [[185, 207]], "Indicator: W32/Trojan.VHRL-9383": [[208, 228]], "Indicator: Variant.Zusy.hm": [[229, 244]], "Indicator: RiskWare[RiskTool]/Win32.ProcPatcher.a": [[245, 283]], "Indicator: Trojan.Zusy.D1CA4C": [[284, 302]], "Indicator: TrojanDownloader:Win32/Nefhop.A": [[303, 334]], "Indicator: Trj/CI.A": [[335, 343]], "Indicator: Riskware.ProcPatcher!": [[344, 365]], "Indicator: Win32/Trojan.Spy.6da": [[366, 386]]}, "info": {"id": "cyner2_5class_train_02315", "source": "cyner2_5class_train"}} +{"text": "The Dyre financial Trojan has emerged over the past year to become one of the most potent financial fraud tools in operation.", "spans": {"Malware: Dyre financial Trojan": [[4, 25]], "Malware: financial fraud tools": [[90, 111]]}, "info": {"id": "cyner2_5class_train_02316", "source": "cyner2_5class_train"}} +{"text": "For all registered domains we could identify NameCheap, Inc. 
as the registrar based in the United States.", "spans": {"Organization: NameCheap, Inc.": [[45, 60]]}, "info": {"id": "cyner2_5class_train_02317", "source": "cyner2_5class_train"}} +{"text": "The timestamp seems valid and close to the documented infection timeline.", "spans": {}, "info": {"id": "cyner2_5class_train_02318", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TR/Dropper.MSIL.fdxny PWS:MSIL/Stimilina.R!bit Trojan/Win32.Bladabindi.R203992 Spyware.PasswordStealer Trojan.MSIL.Spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/Dropper.MSIL.fdxny": [[26, 47]], "Indicator: PWS:MSIL/Stimilina.R!bit": [[48, 72]], "Indicator: Trojan/Win32.Bladabindi.R203992": [[73, 104]], "Indicator: Spyware.PasswordStealer": [[105, 128]], "Indicator: Trojan.MSIL.Spy": [[129, 144]]}, "info": {"id": "cyner2_5class_train_02319", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9986 BackDoor.Msft.1 BehavesLike.Win32.SoftPulse.dc Virus.Win32.Virut Trojan.Zusy.D2EADF Worm:Win32/Chir.D@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[26, 68]], "Indicator: BackDoor.Msft.1": [[69, 84]], "Indicator: BehavesLike.Win32.SoftPulse.dc": [[85, 115]], "Indicator: Virus.Win32.Virut": [[116, 133]], "Indicator: Trojan.Zusy.D2EADF": [[134, 152]], "Indicator: Worm:Win32/Chir.D@mm": [[153, 173]]}, "info": {"id": "cyner2_5class_train_02320", "source": "cyner2_5class_train"}} +{"text": "Keep Google Play Protect on .", "spans": {"System: Google Play Protect": [[5, 24]]}, "info": {"id": "cyner2_5class_train_02321", "source": "cyner2_5class_train"}} +{"text": "In the future , it will be invoked by malicious SDK during banner ads display .", "spans": {}, "info": {"id": "cyner2_5class_train_02322", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.Dybalom!O Trojan/Downloader.Small.almj W32/Downldr2.GCMU Win32/SillyPWS.T 
Win.Downloader.74007-1 Trojan-PSW.Win32.Dybalom.g Trojan.Win32.Small.vtda Trojan.Win32.Downloader.20992.MH TrojWare.Win32.TrojanDownloader.Small.~ZBL Trojan.DownLoad.41539 Downloader.Small.Win32.13741 W32/Downloader.UMUW-8666 TR/Dldr.Small.almk Trojan[PSW]/Win32.Dybalom Trojan-PSW.Win32.Dybalom.g PWS:Win32/Strpasseal.B Trojan/Win32.Downloader.R17920 TrojanPSW.Dybalom Win32.Trojan-qqpass.Qqrob.Pcsc Trojan.PWS.Strpasseal.P Trojan-Downloader.Win32.Small W32/Dybalom.SMA!tr Win32/Trojan.PSW.99c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.Dybalom!O": [[26, 52]], "Indicator: Trojan/Downloader.Small.almj": [[53, 81]], "Indicator: W32/Downldr2.GCMU": [[82, 99]], "Indicator: Win32/SillyPWS.T": [[100, 116]], "Indicator: Win.Downloader.74007-1": [[117, 139]], "Indicator: Trojan-PSW.Win32.Dybalom.g": [[140, 166], [388, 414]], "Indicator: Trojan.Win32.Small.vtda": [[167, 190]], "Indicator: Trojan.Win32.Downloader.20992.MH": [[191, 223]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.~ZBL": [[224, 266]], "Indicator: Trojan.DownLoad.41539": [[267, 288]], "Indicator: Downloader.Small.Win32.13741": [[289, 317]], "Indicator: W32/Downloader.UMUW-8666": [[318, 342]], "Indicator: TR/Dldr.Small.almk": [[343, 361]], "Indicator: Trojan[PSW]/Win32.Dybalom": [[362, 387]], "Indicator: PWS:Win32/Strpasseal.B": [[415, 437]], "Indicator: Trojan/Win32.Downloader.R17920": [[438, 468]], "Indicator: TrojanPSW.Dybalom": [[469, 486]], "Indicator: Win32.Trojan-qqpass.Qqrob.Pcsc": [[487, 517]], "Indicator: Trojan.PWS.Strpasseal.P": [[518, 541]], "Indicator: Trojan-Downloader.Win32.Small": [[542, 571]], "Indicator: W32/Dybalom.SMA!tr": [[572, 590]], "Indicator: Win32/Trojan.PSW.99c": [[591, 611]]}, "info": {"id": "cyner2_5class_train_02323", "source": "cyner2_5class_train"}} +{"text": "This service , along with the API , was fully decommissioned in March 2019 .", "spans": {}, "info": {"id": "cyner2_5class_train_02324", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: HW32.Packed.9AE7 Trojan.Regrun TROJ_DDOS.SMA Win.Trojan.VBDos-1 Trojan.Win32.Regrun.zft Trojan.Win32.Regrun.ewhpgb Trojan.DownLoader5.32190 TROJ_DDOS.SMA BehavesLike.Win32.Adware.dc Trojan.Regrun.aj Trojan/Win32.Regrun Trojan:Win32/Tocofob.A Trojan.Win32.Regrun.zft Trojan/Win32.Buzus.C23616 SScope.Trojan.VBRA.11870 Trojan.Heur.VP2.E3BBE8 Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.9AE7": [[26, 42]], "Indicator: Trojan.Regrun": [[43, 56]], "Indicator: TROJ_DDOS.SMA": [[57, 70], [166, 179]], "Indicator: Win.Trojan.VBDos-1": [[71, 89]], "Indicator: Trojan.Win32.Regrun.zft": [[90, 113], [268, 291]], "Indicator: Trojan.Win32.Regrun.ewhpgb": [[114, 140]], "Indicator: Trojan.DownLoader5.32190": [[141, 165]], "Indicator: BehavesLike.Win32.Adware.dc": [[180, 207]], "Indicator: Trojan.Regrun.aj": [[208, 224]], "Indicator: Trojan/Win32.Regrun": [[225, 244]], "Indicator: Trojan:Win32/Tocofob.A": [[245, 267]], "Indicator: Trojan/Win32.Buzus.C23616": [[292, 317]], "Indicator: SScope.Trojan.VBRA.11870": [[318, 342]], "Indicator: Trojan.Heur.VP2.E3BBE8": [[343, 365]], "Indicator: Trojan.Win32.VB": [[366, 381]]}, "info": {"id": "cyner2_5class_train_02325", "source": "cyner2_5class_train"}} +{"text": "As such, FastPOS's update does not come as a surprise—in time for the oncoming retail season to boot.", "spans": {"Malware: FastPOS's": [[9, 18]], "Organization: retail": [[79, 85]]}, "info": {"id": "cyner2_5class_train_02326", "source": "cyner2_5class_train"}} +{"text": "Triada steals the money either from the users — if they haven ’ t succeeded in purchasing whatever they wanted , or from the app developers , in case the user has completed the purchase successfully .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner2_5class_train_02327", "source": "cyner2_5class_train"}} +{"text": "Some malicious files associated with these samples were titled the following : Council_of_ministres_decision Minutes of the 
Geneva Meeting on Troops Summary of today 's meetings.doc.exe The most important points of meeting the memory of the late President Abu Omar may Allah have mercy on him - Paper No .", "spans": {"Indicator: meetings.doc.exe": [[169, 185]]}, "info": {"id": "cyner2_5class_train_02328", "source": "cyner2_5class_train"}} +{"text": "From what I can tell its still under development, this article will tell the story of this ransomware.", "spans": {}, "info": {"id": "cyner2_5class_train_02329", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Bloodhound.Morphine BehavesLike.Win32.RAHack.qc Trojan.Win32.Hrup Packed.Morphine.a Backdoor:Win32/Wurdux.A.dll Trj/CI.A Packed/Morphine.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Bloodhound.Morphine": [[69, 88]], "Indicator: BehavesLike.Win32.RAHack.qc": [[89, 116]], "Indicator: Trojan.Win32.Hrup": [[117, 134]], "Indicator: Packed.Morphine.a": [[135, 152]], "Indicator: Backdoor:Win32/Wurdux.A.dll": [[153, 180]], "Indicator: Trj/CI.A": [[181, 189]], "Indicator: Packed/Morphine.B": [[190, 207]]}, "info": {"id": "cyner2_5class_train_02330", "source": "cyner2_5class_train"}} +{"text": "The Postal Group is active since at least 2013 and was responsible for multiple different malware", "spans": {"Organization: The Postal Group": [[0, 16]], "Malware: malware": [[90, 97]]}, "info": {"id": "cyner2_5class_train_02331", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.OTQR-6881 Backdoor.Win32.Elirks.o Trojan.Win32.Elirks.evicnk Trojan.Win32.Z.Zbot.5650944 Trojan.DownLoader25.56963 Backdoor.Elirks.Win32.6 Trojan.Zbot.7 Backdoor.Win32.Elirks.o Trojan:Win32/Ralminey.A Backdoor.Elirks Win32/Trojan.BO.56e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]], "Indicator: 
W32/Trojan.OTQR-6881": [[69, 89]], "Indicator: Backdoor.Win32.Elirks.o": [[90, 113], [233, 256]], "Indicator: Trojan.Win32.Elirks.evicnk": [[114, 140]], "Indicator: Trojan.Win32.Z.Zbot.5650944": [[141, 168]], "Indicator: Trojan.DownLoader25.56963": [[169, 194]], "Indicator: Backdoor.Elirks.Win32.6": [[195, 218]], "Indicator: Trojan.Zbot.7": [[219, 232]], "Indicator: Trojan:Win32/Ralminey.A": [[257, 280]], "Indicator: Backdoor.Elirks": [[281, 296]], "Indicator: Win32/Trojan.BO.56e": [[297, 316]]}, "info": {"id": "cyner2_5class_train_02332", "source": "cyner2_5class_train"}} +{"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website that FakeSpy deployed early this year .", "spans": {"System: iOS": [[26, 29]], "Malware: FakeSpy": [[132, 139]]}, "info": {"id": "cyner2_5class_train_02333", "source": "cyner2_5class_train"}} +{"text": "Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims ; and a hash of the APK involved ( Android application ) was tagged in our sample feed for inspection .", "spans": {"Organization: Kaspersky": [[0, 9]], "System: Android": [[130, 137]]}, "info": {"id": "cyner2_5class_train_02334", "source": "cyner2_5class_train"}} +{"text": "This blogpost reveals many details about the Diskcoder.C aka ExPetr, PetrWrap, Petya, or NotPetya outbreak and related information about previously unpublished attacks.", "spans": {"Indicator: Diskcoder.C": [[45, 56]], "Malware: ExPetr, PetrWrap, Petya,": [[61, 85]], "Malware: NotPetya": [[89, 97]], "Indicator: attacks.": [[160, 168]]}, "info": {"id": "cyner2_5class_train_02335", "source": "cyner2_5class_train"}} +{"text": "What ’ s innovative about this ransomware is how it displays its ransom note .", "spans": {}, "info": {"id": "cyner2_5class_train_02336", "source": "cyner2_5class_train"}} +{"text": "The group has access to zero-day exploits, most likely obtained through the Elderwood framework, 
and uses custom-developed back door malware.", "spans": {"Vulnerability: zero-day exploits,": [[24, 42]], "Malware: back door malware.": [[123, 141]]}, "info": {"id": "cyner2_5class_train_02337", "source": "cyner2_5class_train"}} +{"text": "The group behind this operation has been launching targeted and possibly politically-motivated attacks to spy on individuals.", "spans": {"Indicator: politically-motivated attacks": [[73, 102]], "Indicator: spy": [[106, 109]]}, "info": {"id": "cyner2_5class_train_02338", "source": "cyner2_5class_train"}} +{"text": "In October 2016 Forcepoint Security Labs™ discovered new versions of the MM Core backdoor being used in targeted attacks.", "spans": {"Organization: Forcepoint Security Labs™": [[16, 41]], "Malware: versions": [[57, 65]], "Malware: MM Core backdoor": [[73, 89]], "Indicator: attacks.": [[113, 121]]}, "info": {"id": "cyner2_5class_train_02339", "source": "cyner2_5class_train"}} +{"text": "These samples all displayed their typical respective malware characteristics and contacted known command and control C2 servers from those families.", "spans": {"Malware: malware": [[53, 60]], "Indicator: command and control C2 servers": [[97, 127]]}, "info": {"id": "cyner2_5class_train_02340", "source": "cyner2_5class_train"}} +{"text": "Back in July 2015, a new ransomware as a service named Encryptor RaaS detected by Trend Micro as RANSOM_CRYPRAAS.SM entered the threat scene, rivaling or at least expecting to succeed the likes of similar get-rich-quick schemes from Tox and ORX Locker.", "spans": {"Malware: ransomware": [[25, 35]], "Malware: Encryptor RaaS": [[55, 69]], "Organization: Trend Micro": [[82, 93]], "Indicator: RANSOM_CRYPRAAS.SM": [[97, 115]], "Malware: threat": [[128, 134]], "Malware: at": [[154, 156]], "Malware: Tox": [[233, 236]], "Malware: ORX Locker.": [[241, 252]]}, "info": {"id": "cyner2_5class_train_02341", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Banker/W32.Bancos.688128 Trojan.Bancos 
W32/Trojan.VUPB-6515 Trojan-Banker.Win32.Bancos.vdfd W32.Virut.mACM Win32.HLLW.Autoruner2.26648 Dropper.Daws.Win32.12598 Trojan.Banker.Bancos.sn Trojan[Dropper]/Win32.Daws Trojan-Banker.Win32.Bancos.vdfd Trj/CI.A Trojan.Daws Win32.Worm.Autorun.Pepg Trojan.DR.Daws!WW+h/Y0MkUk Worm.Win32.WBNA Win32/Trojan.355", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Banker/W32.Bancos.688128": [[26, 50]], "Indicator: Trojan.Bancos": [[51, 64]], "Indicator: W32/Trojan.VUPB-6515": [[65, 85]], "Indicator: Trojan-Banker.Win32.Bancos.vdfd": [[86, 117], [237, 268]], "Indicator: W32.Virut.mACM": [[118, 132]], "Indicator: Win32.HLLW.Autoruner2.26648": [[133, 160]], "Indicator: Dropper.Daws.Win32.12598": [[161, 185]], "Indicator: Trojan.Banker.Bancos.sn": [[186, 209]], "Indicator: Trojan[Dropper]/Win32.Daws": [[210, 236]], "Indicator: Trj/CI.A": [[269, 277]], "Indicator: Trojan.Daws": [[278, 289]], "Indicator: Win32.Worm.Autorun.Pepg": [[290, 313]], "Indicator: Trojan.DR.Daws!WW+h/Y0MkUk": [[314, 340]], "Indicator: Worm.Win32.WBNA": [[341, 356]], "Indicator: Win32/Trojan.355": [[357, 373]]}, "info": {"id": "cyner2_5class_train_02342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Webtoolbar.Dealply Trojan.FakeAV not-a-virus:HEUR:WebToolbar.Win32.DealPly.heur Riskware.Win32.Estapa.ewzewu Trojan.Win32.Z.Dealply.1110121 Trojan.MulDrop7.57701 BehavesLike.Win32.BadFile.tc ADWARE/DealPly.rlhsh Ransom:MSIL/Hasadcrypt.A not-a-virus:HEUR:WebToolbar.Win32.Estapa.heur Trojan/Win32.Fakeav.C939114 BScope.Trojan.DiskWriter Trj/GdSda.A Trojan-Downloader.Win32.IstBar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Webtoolbar.Dealply": [[26, 44]], "Indicator: Trojan.FakeAV": [[45, 58]], "Indicator: not-a-virus:HEUR:WebToolbar.Win32.DealPly.heur": [[59, 105]], "Indicator: Riskware.Win32.Estapa.ewzewu": [[106, 134]], "Indicator: Trojan.Win32.Z.Dealply.1110121": [[135, 165]], "Indicator: Trojan.MulDrop7.57701": [[166, 187]], "Indicator: 
BehavesLike.Win32.BadFile.tc": [[188, 216]], "Indicator: ADWARE/DealPly.rlhsh": [[217, 237]], "Indicator: Ransom:MSIL/Hasadcrypt.A": [[238, 262]], "Indicator: not-a-virus:HEUR:WebToolbar.Win32.Estapa.heur": [[263, 308]], "Indicator: Trojan/Win32.Fakeav.C939114": [[309, 336]], "Indicator: BScope.Trojan.DiskWriter": [[337, 361]], "Indicator: Trj/GdSda.A": [[362, 373]], "Indicator: Trojan-Downloader.Win32.IstBar": [[374, 404]]}, "info": {"id": "cyner2_5class_train_02343", "source": "cyner2_5class_train"}} +{"text": "Going one step further , these substrings are sometimes scattered throughout the code , retrieved from static variables and method calls .", "spans": {}, "info": {"id": "cyner2_5class_train_02344", "source": "cyner2_5class_train"}} +{"text": "Static analysis of the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting .", "spans": {}, "info": {"id": "cyner2_5class_train_02345", "source": "cyner2_5class_train"}} +{"text": "The malware creates a global event named 0x0A7F1FFAB12BB2 and drops some files under a folder located in C : \\ProgramData or in the user application data folder .", "spans": {"Indicator: 0x0A7F1FFAB12BB2": [[41, 57]], "Indicator: C : \\ProgramData": [[105, 121]]}, "info": {"id": "cyner2_5class_train_02346", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Wofopey.A4 Trojan.Bodegun.1 TSPY_AUTORUN_CD1027DD.RDXN Win32.Worm.AutoRun.ek W32/Worm.BLGL W32.SillyDC TSPY_AUTORUN_CD1027DD.RDXN Win.Trojan.Clicker-4047 Trojan.Win32.Fsysna.dilg Trojan.Win32.AutoRun.buecr Worm.Win32.A.AutoRun.329559 W32.W.AutoRun.lnZm Win32.HLLW.Autoruner.57463 BehavesLike.Win32.Virut.cz W32/Worm.PEBZ-4739 Worm/Win32.AutoRun Worm:Win32/Wofopey.A Trojan.Win32.Fsysna.dilg Worm/Win32.AutoRun.R1864 Trojan-Dropper.Serv.21221 W32/Autorun.KBE Win32/AutoRun.AEZ Win32.Trojan.Fsysna.Wqmj Worm.AutoRun!UZZkfeUh6N8 Win32/Trojan.c29", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Worm.Wofopey.A4": [[47, 62]], "Indicator: Trojan.Bodegun.1": [[63, 79]], "Indicator: TSPY_AUTORUN_CD1027DD.RDXN": [[80, 106], [155, 181]], "Indicator: Win32.Worm.AutoRun.ek": [[107, 128]], "Indicator: W32/Worm.BLGL": [[129, 142]], "Indicator: W32.SillyDC": [[143, 154]], "Indicator: Win.Trojan.Clicker-4047": [[182, 205]], "Indicator: Trojan.Win32.Fsysna.dilg": [[206, 230], [418, 442]], "Indicator: Trojan.Win32.AutoRun.buecr": [[231, 257]], "Indicator: Worm.Win32.A.AutoRun.329559": [[258, 285]], "Indicator: W32.W.AutoRun.lnZm": [[286, 304]], "Indicator: Win32.HLLW.Autoruner.57463": [[305, 331]], "Indicator: BehavesLike.Win32.Virut.cz": [[332, 358]], "Indicator: W32/Worm.PEBZ-4739": [[359, 377]], "Indicator: Worm/Win32.AutoRun": [[378, 396]], "Indicator: Worm:Win32/Wofopey.A": [[397, 417]], "Indicator: Worm/Win32.AutoRun.R1864": [[443, 467]], "Indicator: Trojan-Dropper.Serv.21221": [[468, 493]], "Indicator: W32/Autorun.KBE": [[494, 509]], "Indicator: Win32/AutoRun.AEZ": [[510, 527]], "Indicator: Win32.Trojan.Fsysna.Wqmj": [[528, 552]], "Indicator: Worm.AutoRun!UZZkfeUh6N8": [[553, 577]], "Indicator: Win32/Trojan.c29": [[578, 594]]}, "info": {"id": "cyner2_5class_train_02347", "source": "cyner2_5class_train"}} +{"text": "Its authors claim that it was used for private operations for two years preceding the start of the rental .", "spans": {}, "info": {"id": "cyner2_5class_train_02348", "source": "cyner2_5class_train"}} +{"text": "However , since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS , the malicious operator can keep its activity even without the C2 infrastructure .", "spans": {}, "info": {"id": "cyner2_5class_train_02349", "source": "cyner2_5class_train"}} +{"text": "The document contains a malicious macro, which attempts to download the same executable file 65g3f4.exe from multiple remote locations.", "spans": 
{"Indicator: document": [[4, 12]], "Malware: malicious macro,": [[24, 40]], "Indicator: executable file 65g3f4.exe": [[77, 103]], "Indicator: remote locations.": [[118, 135]]}, "info": {"id": "cyner2_5class_train_02350", "source": "cyner2_5class_train"}} +{"text": "] com w3.changeip [ .", "spans": {"Indicator: w3.changeip [ .": [[6, 21]]}, "info": {"id": "cyner2_5class_train_02351", "source": "cyner2_5class_train"}} +{"text": "The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset.", "spans": {"Vulnerability: zero-day": [[31, 39]], "Malware: modular toolset.": [[103, 119]]}, "info": {"id": "cyner2_5class_train_02352", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Sdbot.AE4 RDN/Sdbot.worm!cc Backdoor.SDBot Win32.Trojan.WisdomEyes.16070401.9500.9979 RDN/Sdbot.worm!cc Trojan[Backdoor]/Win32.Sdbot Trojan.Zusy.D1B318 Backdoor:MSIL/Getob.D Backdoor.SDBot Msil.Worm.Arcdoor.Pgda Worm.MSIL.Arcdoor W32/SDBot.DPZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sdbot.AE4": [[26, 44]], "Indicator: RDN/Sdbot.worm!cc": [[45, 62], [121, 138]], "Indicator: Backdoor.SDBot": [[63, 77], [209, 223]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[78, 120]], "Indicator: Trojan[Backdoor]/Win32.Sdbot": [[139, 167]], "Indicator: Trojan.Zusy.D1B318": [[168, 186]], "Indicator: Backdoor:MSIL/Getob.D": [[187, 208]], "Indicator: Msil.Worm.Arcdoor.Pgda": [[224, 246]], "Indicator: Worm.MSIL.Arcdoor": [[247, 264]], "Indicator: W32/SDBot.DPZ!tr": [[265, 281]]}, "info": {"id": "cyner2_5class_train_02353", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Malware.Bucaspys.A W32.Malware.Bucaspys!c Trojan.PWS.Banker1.23491 BehavesLike.Win32.BadFile.rh W32/Trojan.MCYT-4284 Trojan:Win32/Bypass.D!bit Trj/GdSda.A W32/Banker.ADYA!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Malware.Bucaspys.A": [[26, 50]], "Indicator: 
W32.Malware.Bucaspys!c": [[51, 73]], "Indicator: Trojan.PWS.Banker1.23491": [[74, 98]], "Indicator: BehavesLike.Win32.BadFile.rh": [[99, 127]], "Indicator: W32/Trojan.MCYT-4284": [[128, 148]], "Indicator: Trojan:Win32/Bypass.D!bit": [[149, 174]], "Indicator: Trj/GdSda.A": [[175, 186]], "Indicator: W32/Banker.ADYA!tr.spy": [[187, 209]]}, "info": {"id": "cyner2_5class_train_02354", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.Win32.Nuker!O W32/Trojan.Divine Win.Trojan.Nuker-3 Exploit.Win32.Nuker.Divine Exploit.Win32.Nuker.htqe Trojan.Divine Exploit.Nuker.Win32.284 W32/Trojan.Divine TR/Nuker.Divine Trojan[Exploit]/Win32.Nuker Exploit.Win32.Nuker.Divine Exploit.Nuker Nuker.Win32.Divine W32/Divine.3AD2!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Win32.Nuker!O": [[26, 47]], "Indicator: W32/Trojan.Divine": [[48, 65], [175, 192]], "Indicator: Win.Trojan.Nuker-3": [[66, 84]], "Indicator: Exploit.Win32.Nuker.Divine": [[85, 111], [237, 263]], "Indicator: Exploit.Win32.Nuker.htqe": [[112, 136]], "Indicator: Trojan.Divine": [[137, 150]], "Indicator: Exploit.Nuker.Win32.284": [[151, 174]], "Indicator: TR/Nuker.Divine": [[193, 208]], "Indicator: Trojan[Exploit]/Win32.Nuker": [[209, 236]], "Indicator: Exploit.Nuker": [[264, 277]], "Indicator: Nuker.Win32.Divine": [[278, 296]], "Indicator: W32/Divine.3AD2!tr": [[297, 315]]}, "info": {"id": "cyner2_5class_train_02355", "source": "cyner2_5class_train"}} +{"text": "At different times , we have seen three or more active variants using different approaches or targeting different carriers .", "spans": {}, "info": {"id": "cyner2_5class_train_02356", "source": "cyner2_5class_train"}} +{"text": "PassiveTotal New discovered infrastructure from the Satellite Turla actor.", "spans": {"Organization: PassiveTotal": [[0, 12]], "System: infrastructure": [[28, 42]]}, "info": {"id": "cyner2_5class_train_02357", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.VBCrypt.MF.66 Trojan.Razy.D15523 Win32.Trojan.VB.iw W32/VBTrojan.Downloader.1D!Maxi Troj.Dropper.W32.Dinwod.mmkC TrojWare.Win32.Rimod.JO Trojan.MulDrop4.62548 Trojan.Win32.Scar W32/VBTrojan.Downloader.1D!Maxi Trojan:Win32/Bewter.A HEUR/Fakon.mwf Win32/VB.RBU Win32/Trojan.741", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBCrypt.MF.66": [[26, 46]], "Indicator: Trojan.Razy.D15523": [[47, 65]], "Indicator: Win32.Trojan.VB.iw": [[66, 84]], "Indicator: W32/VBTrojan.Downloader.1D!Maxi": [[85, 116], [210, 241]], "Indicator: Troj.Dropper.W32.Dinwod.mmkC": [[117, 145]], "Indicator: TrojWare.Win32.Rimod.JO": [[146, 169]], "Indicator: Trojan.MulDrop4.62548": [[170, 191]], "Indicator: Trojan.Win32.Scar": [[192, 209]], "Indicator: Trojan:Win32/Bewter.A": [[242, 263]], "Indicator: HEUR/Fakon.mwf": [[264, 278]], "Indicator: Win32/VB.RBU": [[279, 291]], "Indicator: Win32/Trojan.741": [[292, 308]]}, "info": {"id": "cyner2_5class_train_02358", "source": "cyner2_5class_train"}} +{"text": "Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers .", "spans": {}, "info": {"id": "cyner2_5class_train_02359", "source": "cyner2_5class_train"}} +{"text": "With the ability to hide its icon from the launcher and hijack popular existing apps on a device , there are endless possibilities to harm a user ’ s digital even physical security .", "spans": {}, "info": {"id": "cyner2_5class_train_02360", "source": "cyner2_5class_train"}} +{"text": "] net svcws [ .", "spans": {"Indicator: svcws [ .": [[6, 15]]}, "info": {"id": "cyner2_5class_train_02361", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Spyware.Zbot.ED WS.Reputation.1 Krypt.GB TROJ_SIGEKAF.SM Trojan:W32/Kamala.A Trojan:Win32/Hilasy.B BScope.TrojanPSW.Zbot.2716 Trojan.Win32.Hilasy W32/ZBOT.HL!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Spyware.Zbot.ED": [[26, 41]], 
"Indicator: WS.Reputation.1": [[42, 57]], "Indicator: Krypt.GB": [[58, 66]], "Indicator: TROJ_SIGEKAF.SM": [[67, 82]], "Indicator: Trojan:W32/Kamala.A": [[83, 102]], "Indicator: Trojan:Win32/Hilasy.B": [[103, 124]], "Indicator: BScope.TrojanPSW.Zbot.2716": [[125, 151]], "Indicator: Trojan.Win32.Hilasy": [[152, 171]], "Indicator: W32/ZBOT.HL!tr": [[172, 186]], "Indicator: Trj/CI.A": [[187, 195]]}, "info": {"id": "cyner2_5class_train_02362", "source": "cyner2_5class_train"}} +{"text": "This iteration is targeted towards victims in Vietnam and still maintains extremely low AV detection almost a year after it was first discovered.", "spans": {"System: AV": [[88, 90]]}, "info": {"id": "cyner2_5class_train_02363", "source": "cyner2_5class_train"}} +{"text": "Resistance to anti-malware protection The ability of malicious software to operate continuously on the victim ’ s mobile device is an important aspect of its development .", "spans": {}, "info": {"id": "cyner2_5class_train_02364", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 Virus/W32.Sality.D Worm.Win32.AutoIt!O W32.Sality.U W32/Autorun.worm.bcb Win32.Sality.3 PE_SALITY.RL W32/Autorun.TX W32.Harakit Win32/Sality.AA PE_SALITY.RL Win.Trojan.Autoit-150 Worm.Win32.AutoIt.aei Win32.Sality.3 Virus.Win32.Sality.beygb Trojan.Win32.FakeFolder.avr Win32.Sality.3 Win32.Sector.30 Virus.Sality.Win32.25 BehavesLike.Win32.Evasion.jc W32/Autorun.OHSM-3021 Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Katar.A W32.Virut.lns0 Worm.Win32.AutoIt.aei Win32.Virus.Sality.A HEUR/Fakon.mwf Win32.Sality.3 Virus.Win32.Sality.bakc Win32/Sality.NBA Win32.Sality.BL Worm.Win32.Passma W32/Sality.AA Virus.Win32.Sality.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.PE": [[26, 39]], "Indicator: Win32.Sality.3": [[40, 54], [128, 142], [256, 270], [324, 338], [556, 570]], "Indicator: Virus/W32.Sality.D": [[55, 73]], "Indicator: Worm.Win32.AutoIt!O": [[74, 93]], "Indicator: 
W32.Sality.U": [[94, 106]], "Indicator: W32/Autorun.worm.bcb": [[107, 127]], "Indicator: PE_SALITY.RL": [[143, 155], [199, 211]], "Indicator: W32/Autorun.TX": [[156, 170]], "Indicator: W32.Harakit": [[171, 182]], "Indicator: Win32/Sality.AA": [[183, 198]], "Indicator: Win.Trojan.Autoit-150": [[212, 233]], "Indicator: Worm.Win32.AutoIt.aei": [[234, 255], [498, 519]], "Indicator: Virus.Win32.Sality.beygb": [[271, 295]], "Indicator: Trojan.Win32.FakeFolder.avr": [[296, 323]], "Indicator: Win32.Sector.30": [[339, 354]], "Indicator: Virus.Sality.Win32.25": [[355, 376]], "Indicator: BehavesLike.Win32.Evasion.jc": [[377, 405]], "Indicator: W32/Autorun.OHSM-3021": [[406, 427]], "Indicator: Win32/HLLP.Kuku.poly2": [[428, 449]], "Indicator: W32/Sality.AT": [[450, 463]], "Indicator: Worm:Win32/Katar.A": [[464, 482]], "Indicator: W32.Virut.lns0": [[483, 497]], "Indicator: Win32.Virus.Sality.A": [[520, 540]], "Indicator: HEUR/Fakon.mwf": [[541, 555]], "Indicator: Virus.Win32.Sality.bakc": [[571, 594]], "Indicator: Win32/Sality.NBA": [[595, 611]], "Indicator: Win32.Sality.BL": [[612, 627]], "Indicator: Worm.Win32.Passma": [[628, 645]], "Indicator: W32/Sality.AA": [[646, 659]], "Indicator: Virus.Win32.Sality.I": [[660, 680]]}, "info": {"id": "cyner2_5class_train_02365", "source": "cyner2_5class_train"}} +{"text": "We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign.", "spans": {"Indicator: attacks": [[41, 48]]}, "info": {"id": "cyner2_5class_train_02366", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Riskware.Win32.MyBeeSearch.euqqpm Adware.Mybeesearch.17920 Adware.MyBeeSearch.Win32.35 W32/Trojan.ZETF-8401 ADWARE/MyBeeSearch.yttss Adware.BeeSearch/Variant Trj/GdSda.A Msil.Adware.Mybeesearch.Ednu PUA.MyBeeSearch! 
AdWare.MSIL.Mybeesearch", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Riskware.Win32.MyBeeSearch.euqqpm": [[26, 59]], "Indicator: Adware.Mybeesearch.17920": [[60, 84]], "Indicator: Adware.MyBeeSearch.Win32.35": [[85, 112]], "Indicator: W32/Trojan.ZETF-8401": [[113, 133]], "Indicator: ADWARE/MyBeeSearch.yttss": [[134, 158]], "Indicator: Adware.BeeSearch/Variant": [[159, 183]], "Indicator: Trj/GdSda.A": [[184, 195]], "Indicator: Msil.Adware.Mybeesearch.Ednu": [[196, 224]], "Indicator: PUA.MyBeeSearch!": [[225, 241]], "Indicator: AdWare.MSIL.Mybeesearch": [[242, 265]]}, "info": {"id": "cyner2_5class_train_02367", "source": "cyner2_5class_train"}} +{"text": "Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets.", "spans": {"Vulnerability: Exploitation": [[0, 12]], "Indicator: spear phishing": [[56, 70]], "Indicator: malicious attachments": [[82, 103]], "Organization: targets.": [[107, 115]]}, "info": {"id": "cyner2_5class_train_02368", "source": "cyner2_5class_train"}} +{"text": "It spreads within networks through PsExec and WMIC commands, using credentials stolen by a tool similiar to Mimikatz.", "spans": {"System: networks": [[18, 26]], "System: PsExec": [[35, 41]], "System: WMIC commands,": [[46, 60]], "Indicator: credentials stolen": [[67, 85]], "Malware: tool": [[91, 95]], "Malware: Mimikatz.": [[108, 117]]}, "info": {"id": "cyner2_5class_train_02369", "source": "cyner2_5class_train"}} +{"text": "The installer files contained custom action commands which used PowerShell to download and execute payloads Redline Stealer, Ursnif, etc. 
hosted on legitimate websites.", "spans": {"Indicator: custom action commands": [[30, 52]], "System: PowerShell": [[64, 74]], "Indicator: download and execute": [[78, 98]], "Malware: payloads Redline Stealer, Ursnif,": [[99, 132]], "Indicator: legitimate websites.": [[148, 168]]}, "info": {"id": "cyner2_5class_train_02370", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Dropper.Zyon.1 Trojan.Win32.Dropper.Zyon.1 TROJ_ZYON.A TROJ_ZYON.A Trojan-Dropper.Win32.Zyon Trojan.Win32.Dropper.Zyon.1 Trojan.Win32.Zyon.hmat Troj.Dropper.W32.Zyon!c Trojan.Win32.Dropper.Zyon.1 TrojWare.Win32.Runner.Zyon Trojan.Win32.Dropper.Zyon.1 Trojan.MulDrop.103 Dropper.Zyon.Win32.4 BehavesLike.Win32.Dropper.dc W32/Trojan.AJWD-0098 TrojanDropper.Win32.Zyon W32/Zyon.A!tr Trojan[Dropper]/Win32.Zyon Trojan.Win32.Dropper.Zyon.1 Constructor/Zyon.261120 MultiDropper.cfg Win32/Runner.Zyon Win32.Trojan-dropper.Zyon.Lhdl Trojan.DR.Zyon!KwrmMz3+t6M Trojan.Win32.Runner Trojan.Win32.Dropper.Zyon.1 Dropper.Zyon.C Win32/Trojan.769", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Dropper.Zyon.1": [[26, 53], [54, 81], [132, 159], [207, 234], [262, 289], [446, 473], [611, 638]], "Indicator: TROJ_ZYON.A": [[82, 93], [94, 105]], "Indicator: Trojan-Dropper.Win32.Zyon": [[106, 131]], "Indicator: Trojan.Win32.Zyon.hmat": [[160, 182]], "Indicator: Troj.Dropper.W32.Zyon!c": [[183, 206]], "Indicator: TrojWare.Win32.Runner.Zyon": [[235, 261]], "Indicator: Trojan.MulDrop.103": [[290, 308]], "Indicator: Dropper.Zyon.Win32.4": [[309, 329]], "Indicator: BehavesLike.Win32.Dropper.dc": [[330, 358]], "Indicator: W32/Trojan.AJWD-0098": [[359, 379]], "Indicator: TrojanDropper.Win32.Zyon": [[380, 404]], "Indicator: W32/Zyon.A!tr": [[405, 418]], "Indicator: Trojan[Dropper]/Win32.Zyon": [[419, 445]], "Indicator: Constructor/Zyon.261120": [[474, 497]], "Indicator: MultiDropper.cfg": [[498, 514]], "Indicator: Win32/Runner.Zyon": [[515, 532]], "Indicator: 
Win32.Trojan-dropper.Zyon.Lhdl": [[533, 563]], "Indicator: Trojan.DR.Zyon!KwrmMz3+t6M": [[564, 590]], "Indicator: Trojan.Win32.Runner": [[591, 610]], "Indicator: Dropper.Zyon.C": [[639, 653]], "Indicator: Win32/Trojan.769": [[654, 670]]}, "info": {"id": "cyner2_5class_train_02371", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.SWF.DC Exp.Flash.Pubenush.E!c Trojan.Swifi SWF/Exploit.ExKit.A Swf.Exploit.Angler-6 Exploit.Swf.CVE20130634.efwsmo Exploit.SWF.1232 HEUR_SWFDEC.SC2 BehavesLike.Flash.Exploit.nb Trojan[Exploit]/SWF.Neclu Exploit.SWF Win32/Trojan.a4a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.SWF.DC": [[26, 36]], "Indicator: Exp.Flash.Pubenush.E!c": [[37, 59]], "Indicator: Trojan.Swifi": [[60, 72]], "Indicator: SWF/Exploit.ExKit.A": [[73, 92]], "Indicator: Swf.Exploit.Angler-6": [[93, 113]], "Indicator: Exploit.Swf.CVE20130634.efwsmo": [[114, 144]], "Indicator: Exploit.SWF.1232": [[145, 161]], "Indicator: HEUR_SWFDEC.SC2": [[162, 177]], "Indicator: BehavesLike.Flash.Exploit.nb": [[178, 206]], "Indicator: Trojan[Exploit]/SWF.Neclu": [[207, 232]], "Indicator: Exploit.SWF": [[233, 244]], "Indicator: Win32/Trojan.a4a": [[245, 261]]}, "info": {"id": "cyner2_5class_train_02372", "source": "cyner2_5class_train"}} +{"text": "It is an email with the subject of Copy of Invoice 79898702coming or pretending to come from noreply@random email addresses with a semi-random named zip attachment in the format of 79898702.zip random 8 digits The zip matches the subject.", "spans": {"Indicator: email": [[9, 14]], "Indicator: subject": [[24, 31]], "Indicator: Copy of Invoice 79898702coming or pretending to come from noreply@random email addresses with a semi-random named zip attachment": [[35, 163]], "Indicator: format of 79898702.zip": [[171, 193]], "Indicator: random 8 digits": [[194, 209]], "Indicator: zip matches the subject.": [[214, 238]]}, "info": {"id": "cyner2_5class_train_02373", "source": "cyner2_5class_train"}} +{"text": 
"Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps .", "spans": {"Malware: Bread": [[0, 5]]}, "info": {"id": "cyner2_5class_train_02374", "source": "cyner2_5class_train"}} +{"text": "Overall , Cerberus has a pretty common feature list and although the malware seems to have been written from scratch there does not seem to be any innovative functionality at this time .", "spans": {"Malware: Cerberus": [[10, 18]]}, "info": {"id": "cyner2_5class_train_02375", "source": "cyner2_5class_train"}} +{"text": "The .js file in the email attachment is a PowerShell script and there are no other files involved.", "spans": {"Indicator: .js file": [[4, 12]], "Indicator: the email attachment": [[16, 36]], "Indicator: PowerShell script": [[42, 59]], "Indicator: files": [[83, 88]]}, "info": {"id": "cyner2_5class_train_02376", "source": "cyner2_5class_train"}} +{"text": "XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner2_5class_train_02377", "source": "cyner2_5class_train"}} +{"text": "] today This is the first version that shows the code organization evolution that will continue to be used on all other functions throughout this malware .", "spans": {}, "info": {"id": "cyner2_5class_train_02378", "source": "cyner2_5class_train"}} +{"text": "Malware, or CHM, disguised as a North Korea-related questionnaire is being distributed by the Kimsuky group, which is believed to have created and distributed the same type of malware.", "spans": {"Malware: Malware,": [[0, 8]], "Malware: CHM,": [[12, 16]], "Indicator: North Korea-related questionnaire": [[32, 65]], "Malware: malware.": [[176, 184]]}, "info": {"id": "cyner2_5class_train_02379", "source": "cyner2_5class_train"}} +{"text": "A TrickMo Kill Switch One of the most interesting features of the TrickMo malware is having its own kill switch .", 
"spans": {"Malware: TrickMo": [[2, 9]], "Malware: TrickMo malware": [[66, 81]]}, "info": {"id": "cyner2_5class_train_02380", "source": "cyner2_5class_train"}} +{"text": "The authors were probably trying to make a joke by referencing the act of getting infected with ransomware, hinting that it is uninvited and unavoidable, just like fate.", "spans": {}, "info": {"id": "cyner2_5class_train_02381", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Poison!IK W32/Smallworm.EEA BKDR_POISON.OM W32.SillyFDC Backdoor.Win32.Poison Dropper.VB.3.AX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Poison!IK": [[26, 50]], "Indicator: W32/Smallworm.EEA": [[51, 68]], "Indicator: BKDR_POISON.OM": [[69, 83]], "Indicator: W32.SillyFDC": [[84, 96]], "Indicator: Backdoor.Win32.Poison": [[97, 118]], "Indicator: Dropper.VB.3.AX": [[119, 134]]}, "info": {"id": "cyner2_5class_train_02382", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sisproc.A Trojan.Sisproc Adware.Antivirus2008.Win32.13 Trojan/Jorik.Vobfus.fodz Win32.Trojan.Kryptik.gz Trojan.Malcol Win32/Tnega.cTBOJZC TROJ_REDONC_EK030008.UVPM Trojan.Win32.Antivirus2008.babyvq Trojan.DownLoader6.50299 TROJ_REDONC_EK030008.UVPM BehavesLike.Win32.Downloader.qc Trojan/Jorik.esyb Trojan/Win32.Vobfus TrojanDownloader:Win32/Redonc.D Trojan.Heur.D.E8DF45 Adware.Antivirus2008!VhbgDcClaWU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sisproc.A": [[26, 42]], "Indicator: Trojan.Sisproc": [[43, 57]], "Indicator: Adware.Antivirus2008.Win32.13": [[58, 87]], "Indicator: Trojan/Jorik.Vobfus.fodz": [[88, 112]], "Indicator: Win32.Trojan.Kryptik.gz": [[113, 136]], "Indicator: Trojan.Malcol": [[137, 150]], "Indicator: Win32/Tnega.cTBOJZC": [[151, 170]], "Indicator: TROJ_REDONC_EK030008.UVPM": [[171, 196], [256, 281]], "Indicator: Trojan.Win32.Antivirus2008.babyvq": [[197, 230]], "Indicator: Trojan.DownLoader6.50299": [[231, 255]], "Indicator: 
BehavesLike.Win32.Downloader.qc": [[282, 313]], "Indicator: Trojan/Jorik.esyb": [[314, 331]], "Indicator: Trojan/Win32.Vobfus": [[332, 351]], "Indicator: TrojanDownloader:Win32/Redonc.D": [[352, 383]], "Indicator: Trojan.Heur.D.E8DF45": [[384, 404]], "Indicator: Adware.Antivirus2008!VhbgDcClaWU": [[405, 437]]}, "info": {"id": "cyner2_5class_train_02383", "source": "cyner2_5class_train"}} +{"text": "Then , it sends it to the C2 server using the URL that ends with /servlet/ContactUpload .", "spans": {"Indicator: /servlet/ContactUpload": [[65, 87]]}, "info": {"id": "cyner2_5class_train_02384", "source": "cyner2_5class_train"}} +{"text": "] 191 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_02385", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W64.Crypt.785568 Trojan.YarripCS.S244731 Trojan/Kryptik.bbq TROJ_KRYPTIK_FF070297.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_KRYPTIK_FF070297.UVPM Trojan.Win64.Crypt.gp Trojan.Win64.Kryptik.euskem Trojan.Win32.Z.Crypt.785568 Troj.Win64.Crypt!c Trojan.Crypt.Win64.20 Trojan.Crypt.ld Trojan.Win64.Crypt.gp Trojan.Bedep Trj/CI.A Win64.Trojan.Crypt.Wnms Trojan.Crypt!D766Elbq30w Trojan.Win64.Bedep", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W64.Crypt.785568": [[26, 49]], "Indicator: Trojan.YarripCS.S244731": [[50, 73]], "Indicator: Trojan/Kryptik.bbq": [[74, 92]], "Indicator: TROJ_KRYPTIK_FF070297.UVPM": [[93, 119], [163, 189]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[120, 162]], "Indicator: Trojan.Win64.Crypt.gp": [[190, 211], [325, 346]], "Indicator: Trojan.Win64.Kryptik.euskem": [[212, 239]], "Indicator: Trojan.Win32.Z.Crypt.785568": [[240, 267]], "Indicator: Troj.Win64.Crypt!c": [[268, 286]], "Indicator: Trojan.Crypt.Win64.20": [[287, 308]], "Indicator: Trojan.Crypt.ld": [[309, 324]], "Indicator: Trojan.Bedep": [[347, 359]], "Indicator: Trj/CI.A": [[360, 368]], "Indicator: Win64.Trojan.Crypt.Wnms": [[369, 392]], "Indicator: 
Trojan.Crypt!D766Elbq30w": [[393, 417]], "Indicator: Trojan.Win64.Bedep": [[418, 436]]}, "info": {"id": "cyner2_5class_train_02386", "source": "cyner2_5class_train"}} +{"text": "An Android backdoor also known as: Trojan.MAC.Dok.E MacOS/Aptordoc.A HEUR:Trojan-Spy.OSX.Aptordoc.b Trojan.MAC.Dok.E Trojan.Mac.Mlw.eowttl Troj.Spy.Osx!c Win32.Trojan-spy.Aptordoc.Syhr Trojan.MAC.Dok.E Mac.BackDoor.Dok.5 Trojan.Aptordoc.OSX.7 MacOS/Aptordoc.A OSX/Spy.Aptordoc.jlgtm HEUR:Trojan-Spy.OSX.Aptordoc.b Trojan.MAC.Dok.E OSX/Spy.Dok.A Trojan-Banker.OSX.Aptordoc", "spans": {"Malware: backdoor": [[11, 19]], "Indicator: Trojan.MAC.Dok.E": [[35, 51], [100, 116], [185, 201], [314, 330]], "Indicator: MacOS/Aptordoc.A": [[52, 68], [243, 259]], "Indicator: HEUR:Trojan-Spy.OSX.Aptordoc.b": [[69, 99], [283, 313]], "Indicator: Trojan.Mac.Mlw.eowttl": [[117, 138]], "Indicator: Troj.Spy.Osx!c": [[139, 153]], "Indicator: Win32.Trojan-spy.Aptordoc.Syhr": [[154, 184]], "Indicator: Mac.BackDoor.Dok.5": [[202, 220]], "Indicator: Trojan.Aptordoc.OSX.7": [[221, 242]], "Indicator: OSX/Spy.Aptordoc.jlgtm": [[260, 282]], "Indicator: OSX/Spy.Dok.A": [[331, 344]], "Indicator: Trojan-Banker.OSX.Aptordoc": [[345, 371]]}, "info": {"id": "cyner2_5class_train_02387", "source": "cyner2_5class_train"}} +{"text": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years.", "spans": {"Organization: Talos": [[0, 5]], "Malware: unknown Remote Administration Tool": [[24, 58]]}, "info": {"id": "cyner2_5class_train_02388", "source": "cyner2_5class_train"}} +{"text": "Windows 10 S devices are naturally protected against FinFisher and other threats thanks to the strong code integrity policies that don ’ t allow unknown unsigned binaries to run ( thus stopping FinFisher ’ s PE installer ) or loaded ( blocking FinFisher ’ s DLL persistence ) .", "spans": {"System: Windows 10": [[0, 10]], "Malware: FinFisher": [[53, 62], [194, 203], [244, 253]]}, "info": {"id": 
"cyner2_5class_train_02389", "source": "cyner2_5class_train"}} +{"text": "In this respect, Vawtrak now has a 2-tier C2 discovery infrastructure.", "spans": {"Malware: Vawtrak": [[17, 24]], "Indicator: 2-tier C2 discovery": [[35, 54]], "System: infrastructure.": [[55, 70]]}, "info": {"id": "cyner2_5class_train_02390", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanproxy.Hioles.19337 Trojan.Graftor.D4C0E TSPY_PROXY_BK082A47.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9968 TSPY_PROXY_BK082A47.TOMC Trojan.Proxy.23012 TrojanProxy:Win32/Hioles.B Troj.W32.Scar.lrnw Win32/TrojanProxy.Hioles.AA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanproxy.Hioles.19337": [[26, 50]], "Indicator: Trojan.Graftor.D4C0E": [[51, 71]], "Indicator: TSPY_PROXY_BK082A47.TOMC": [[72, 96], [140, 164]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9968": [[97, 139]], "Indicator: Trojan.Proxy.23012": [[165, 183]], "Indicator: TrojanProxy:Win32/Hioles.B": [[184, 210]], "Indicator: Troj.W32.Scar.lrnw": [[211, 229]], "Indicator: Win32/TrojanProxy.Hioles.AA": [[230, 257]]}, "info": {"id": "cyner2_5class_train_02391", "source": "cyner2_5class_train"}} +{"text": "However , there is also an English version of the DEFENSOR ID app ( see Figure 3 ) besides the Portuguese one , and that app has neither geographical nor language restrictions .", "spans": {"Malware: DEFENSOR ID": [[50, 61]]}, "info": {"id": "cyner2_5class_train_02392", "source": "cyner2_5class_train"}} +{"text": "The IP belongs to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner2_5class_train_02393", "source": "cyner2_5class_train"}} +{"text": "Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts .", "spans": {"Malware: Zen": [[0, 3]], "Organization: Google": [[90, 96]]}, "info": {"id": "cyner2_5class_train_02394", "source": "cyner2_5class_train"}} +{"text": "In the beginning of April 2016, we found evidence 
that the attacks against Israel have been renewed as well.", "spans": {"Indicator: attacks": [[59, 66]]}, "info": {"id": "cyner2_5class_train_02395", "source": "cyner2_5class_train"}} +{"text": "The Turla group use a range of tools and techniques, many of which are custom.", "spans": {"Malware: tools": [[31, 36]]}, "info": {"id": "cyner2_5class_train_02396", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D64E1 Win32.Trojan.WisdomEyes.16070401.9500.9929 Adware.Iefeats Trojan.Win32.Yabector.ddsrdc Adware.Yabector/Variant Heur.Packed.Unknown Adware.Adon Trj/CI.A Win32.Trojan.Kazy.Alij Trojan.CL.Yabector!M4hXuPydivM Win32/Trojan.e93", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D64E1": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9929": [[44, 86]], "Indicator: Adware.Iefeats": [[87, 101]], "Indicator: Trojan.Win32.Yabector.ddsrdc": [[102, 130]], "Indicator: Adware.Yabector/Variant": [[131, 154]], "Indicator: Heur.Packed.Unknown": [[155, 174]], "Indicator: Adware.Adon": [[175, 186]], "Indicator: Trj/CI.A": [[187, 195]], "Indicator: Win32.Trojan.Kazy.Alij": [[196, 218]], "Indicator: Trojan.CL.Yabector!M4hXuPydivM": [[219, 249]], "Indicator: Win32/Trojan.e93": [[250, 266]]}, "info": {"id": "cyner2_5class_train_02397", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sicil.AA3 Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Sicil.A TROJ_SICIL_0000009.TOMA Trojan-Dropper.MSIL.Smaba.sg Trojan.Win32.Click1.ctoram BehavesLike.Win32.Dropper.zt W32/Sicil.YGNC-5779 W32/Malware_fam.NB Trojan.Buzy.D8E9 Trojan:MSIL/Sicil.A Trojan.Msil PSW.ILUSpy Trj/CI.A Win32/Trojan.132", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sicil.AA3": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[43, 83]], "Indicator: W32/Sicil.A": [[84, 95]], "Indicator: TROJ_SICIL_0000009.TOMA": [[96, 119]], "Indicator: Trojan-Dropper.MSIL.Smaba.sg": [[120, 148]], "Indicator: 
Trojan.Win32.Click1.ctoram": [[149, 175]], "Indicator: BehavesLike.Win32.Dropper.zt": [[176, 204]], "Indicator: W32/Sicil.YGNC-5779": [[205, 224]], "Indicator: W32/Malware_fam.NB": [[225, 243]], "Indicator: Trojan.Buzy.D8E9": [[244, 260]], "Indicator: Trojan:MSIL/Sicil.A": [[261, 280]], "Indicator: Trojan.Msil": [[281, 292]], "Indicator: PSW.ILUSpy": [[293, 303]], "Indicator: Trj/CI.A": [[304, 312]], "Indicator: Win32/Trojan.132": [[313, 329]]}, "info": {"id": "cyner2_5class_train_02398", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Z.Shellcode.403968 Troj.W32.Tpyn!c BehavesLike.Win32.PWSZbot.fh Backdoor.Win32.Kbotrep W32/Trojan.FHRX-8606 Trojan.Heur.LP.E7F983 Backdoor:Win32/Kbotrep.A Trj/CI.A Win32.Trojan.Hijacker.Hzj Win32/Trojan.e04", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Z.Shellcode.403968": [[26, 57]], "Indicator: Troj.W32.Tpyn!c": [[58, 73]], "Indicator: BehavesLike.Win32.PWSZbot.fh": [[74, 102]], "Indicator: Backdoor.Win32.Kbotrep": [[103, 125]], "Indicator: W32/Trojan.FHRX-8606": [[126, 146]], "Indicator: Trojan.Heur.LP.E7F983": [[147, 168]], "Indicator: Backdoor:Win32/Kbotrep.A": [[169, 193]], "Indicator: Trj/CI.A": [[194, 202]], "Indicator: Win32.Trojan.Hijacker.Hzj": [[203, 228]], "Indicator: Win32/Trojan.e04": [[229, 245]]}, "info": {"id": "cyner2_5class_train_02399", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.B36E Application.Bundler.DomaIQ.Q PUP.Optional.BundleInstaller Adware.DomaIQ.Win32.132 Adware.DomaIQ/Variant Application.Bundler.DomaIQ.Q Win32.Adware.DomnIQ.b Infostealer.Limitail Win32/DomainIQ.eOTUWS Win.Adware.Domaiq-1 not-a-virus:AdWare.MSIL.DomaIQ.clek Application.Bundler.DomaIQ.Q Trojan.Win32.DomaIQ.ctadmg Adware.Win32.Lollipop.f Application.Bundler.DomaIQ.Q Application.Win32.DomaIQ.URT Trojan.DownLoader9.21779 AdWare/MSIL.ps Pua.Tuguu GrayWare[AdWare]/MSIL.DomaIQ TrojanDownloader:Win32/Tugspay.A not-a-virus:AdWare.MSIL.DomaIQ.clek 
Win32.Application.DomalQ.G PUP/Win32.DomaIQ.R99208 BScope.Downware.DomaIQ PUA.DomaIQ! Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.B36E": [[26, 44]], "Indicator: Application.Bundler.DomaIQ.Q": [[45, 73], [149, 177], [299, 327], [379, 407]], "Indicator: PUP.Optional.BundleInstaller": [[74, 102]], "Indicator: Adware.DomaIQ.Win32.132": [[103, 126]], "Indicator: Adware.DomaIQ/Variant": [[127, 148]], "Indicator: Win32.Adware.DomnIQ.b": [[178, 199]], "Indicator: Infostealer.Limitail": [[200, 220]], "Indicator: Win32/DomainIQ.eOTUWS": [[221, 242]], "Indicator: Win.Adware.Domaiq-1": [[243, 262]], "Indicator: not-a-virus:AdWare.MSIL.DomaIQ.clek": [[263, 298], [549, 584]], "Indicator: Trojan.Win32.DomaIQ.ctadmg": [[328, 354]], "Indicator: Adware.Win32.Lollipop.f": [[355, 378]], "Indicator: Application.Win32.DomaIQ.URT": [[408, 436]], "Indicator: Trojan.DownLoader9.21779": [[437, 461]], "Indicator: AdWare/MSIL.ps": [[462, 476]], "Indicator: Pua.Tuguu": [[477, 486]], "Indicator: GrayWare[AdWare]/MSIL.DomaIQ": [[487, 515]], "Indicator: TrojanDownloader:Win32/Tugspay.A": [[516, 548]], "Indicator: Win32.Application.DomalQ.G": [[585, 611]], "Indicator: PUP/Win32.DomaIQ.R99208": [[612, 635]], "Indicator: BScope.Downware.DomaIQ": [[636, 658]], "Indicator: PUA.DomaIQ!": [[659, 670]], "Indicator: Trj/CI.A": [[671, 679]]}, "info": {"id": "cyner2_5class_train_02400", "source": "cyner2_5class_train"}} +{"text": "The app also creates hooks to prevent the phone from rebooting , going to sleep or allowing the user from pressing hardware buttons during the account creation process .", "spans": {}, "info": {"id": "cyner2_5class_train_02401", "source": "cyner2_5class_train"}} +{"text": "In the analysis that follows , we describe in detail the capabilities of this new variant and a “ kill switch ” that can remotely eliminate the malware from a mobile device .", "spans": {}, "info": {"id": "cyner2_5class_train_02402", "source": "cyner2_5class_train"}} +{"text": 
"Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion.", "spans": {"Organization: the Mandiant Managed Defense and Incident Response teams": [[37, 93]], "Organization: organizations": [[144, 157]]}, "info": {"id": "cyner2_5class_train_02403", "source": "cyner2_5class_train"}} +{"text": "Thanks to this data leak , we were able to confirm that the malware really worked as designed : the attacker had access to the victims ’ entered credentials , displayed or written emails and messages , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_02404", "source": "cyner2_5class_train"}} +{"text": "Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim 's device and sending it over to the C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_02405", "source": "cyner2_5class_train"}} +{"text": "The VM dispatcher loop routine ends with a JMP to another routine .", "spans": {}, "info": {"id": "cyner2_5class_train_02406", "source": "cyner2_5class_train"}} +{"text": "When the user tries to open one of these legitimate apps, the malware replaces the genuine app window with a phishing window that asks for banking information.", "spans": {"Organization: user": [[9, 13]], "System: legitimate apps,": [[41, 57]], "Malware: malware": [[62, 69]], "Indicator: replaces": [[70, 78]], "Indicator: genuine": [[83, 90]], "Indicator: window": [[95, 101], [118, 124]], "Indicator: phishing": [[109, 117]], "Indicator: asks for banking information.": [[130, 159]]}, "info": {"id": "cyner2_5class_train_02407", "source": "cyner2_5class_train"}} +{"text": "Infrastructure The infrastructure supporting this malware is rather complex .", "spans": {}, "info": {"id": "cyner2_5class_train_02408", "source": "cyner2_5class_train"}} +{"text": "In the past , we have seen other activity groups like LEAD employ a 
similar attacker technique named “ proxy-library ” to achieve persistence , but not with this professionalism .", "spans": {}, "info": {"id": "cyner2_5class_train_02409", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TikoraxaDSB.Trojan Trojandownloader.Script W32/Snojan.OHXS-3777 VBS/TrojanDownloader.Small.NGH Trojan.Win32.Mlw.evnleg Troj.Downloader.Script!c BehavesLike.Win32.Downloader.dh Trojan-Downloader.VBS.Small W32/Snojan.Q Trojan.Pincav.aer VBS/Dldr.Small.vxbdh Trojan.DL.Alien! Trojan.Snojan Trj/CI.A Script/Virus.72d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TikoraxaDSB.Trojan": [[26, 48]], "Indicator: Trojandownloader.Script": [[49, 72]], "Indicator: W32/Snojan.OHXS-3777": [[73, 93]], "Indicator: VBS/TrojanDownloader.Small.NGH": [[94, 124]], "Indicator: Trojan.Win32.Mlw.evnleg": [[125, 148]], "Indicator: Troj.Downloader.Script!c": [[149, 173]], "Indicator: BehavesLike.Win32.Downloader.dh": [[174, 205]], "Indicator: Trojan-Downloader.VBS.Small": [[206, 233]], "Indicator: W32/Snojan.Q": [[234, 246]], "Indicator: Trojan.Pincav.aer": [[247, 264]], "Indicator: VBS/Dldr.Small.vxbdh": [[265, 285]], "Indicator: Trojan.DL.Alien!": [[286, 302]], "Indicator: Trojan.Snojan": [[303, 316]], "Indicator: Trj/CI.A": [[317, 325]], "Indicator: Script/Virus.72d": [[326, 342]]}, "info": {"id": "cyner2_5class_train_02410", "source": "cyner2_5class_train"}} +{"text": "Lookout uncovered nine secondary payload applications : * These apps have not been previously reported and were discovered using data from the Lookout global sensor network , which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today .", "spans": {"Organization: Lookout": [[0, 7], [143, 150]]}, "info": {"id": "cyner2_5class_train_02411", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DownLoadRiniLTN.Trojan Trojan.Win32.Scar!O 
Trojan.Popureb.B4 Trojan/Scar.ejkj Trojan.Zusy.D2E760 TROJ_POPUREB.SM Win32.Trojan.Scar.i Win32/Scar.ZF TROJ_POPUREB.SM Win.Trojan.Scar-8452 Trojan.Win32.Scar.bccuvv Trojan.Win32.A.Scar.86016.F Backdoor.Win32.Popwin.~IT Trojan.DownLoader11.5691 Trojan.Scar.Win32.75436 BehavesLike.Win32.Dropper.mm Backdoor.Win32.Poison TR/Popureb.B.20 Trojan/Win32.Scar Win32.Troj.Poison.b.29696 Trojan:Win32/Popureb.B Trojan/Win32.PbBot.R3997 Trojan.Scar Trojan.Scar Trojan.Win32.Scar.tgh Trojan.Ghodow!qzMoVFGUIfc W32/Scar.ENA!tr Win32/Trojan.285", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownLoadRiniLTN.Trojan": [[26, 52]], "Indicator: Trojan.Win32.Scar!O": [[53, 72]], "Indicator: Trojan.Popureb.B4": [[73, 90]], "Indicator: Trojan/Scar.ejkj": [[91, 107]], "Indicator: Trojan.Zusy.D2E760": [[108, 126]], "Indicator: TROJ_POPUREB.SM": [[127, 142], [177, 192]], "Indicator: Win32.Trojan.Scar.i": [[143, 162]], "Indicator: Win32/Scar.ZF": [[163, 176]], "Indicator: Win.Trojan.Scar-8452": [[193, 213]], "Indicator: Trojan.Win32.Scar.bccuvv": [[214, 238]], "Indicator: Trojan.Win32.A.Scar.86016.F": [[239, 266]], "Indicator: Backdoor.Win32.Popwin.~IT": [[267, 292]], "Indicator: Trojan.DownLoader11.5691": [[293, 317]], "Indicator: Trojan.Scar.Win32.75436": [[318, 341]], "Indicator: BehavesLike.Win32.Dropper.mm": [[342, 370]], "Indicator: Backdoor.Win32.Poison": [[371, 392]], "Indicator: TR/Popureb.B.20": [[393, 408]], "Indicator: Trojan/Win32.Scar": [[409, 426]], "Indicator: Win32.Troj.Poison.b.29696": [[427, 452]], "Indicator: Trojan:Win32/Popureb.B": [[453, 475]], "Indicator: Trojan/Win32.PbBot.R3997": [[476, 500]], "Indicator: Trojan.Scar": [[501, 512], [513, 524]], "Indicator: Trojan.Win32.Scar.tgh": [[525, 546]], "Indicator: Trojan.Ghodow!qzMoVFGUIfc": [[547, 572]], "Indicator: W32/Scar.ENA!tr": [[573, 588]], "Indicator: Win32/Trojan.285": [[589, 605]]}, "info": {"id": "cyner2_5class_train_02412", "source": "cyner2_5class_train"}} +{"text": "In the past, we investigated 
TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal.", "spans": {"Malware: TorLocker": [[29, 38]], "Vulnerability: flawed encryption,": [[47, 65]]}, "info": {"id": "cyner2_5class_train_02413", "source": "cyner2_5class_train"}} +{"text": "The Trojan itself is well known and contained x32 and x64 rootkits.", "spans": {"Malware: Trojan": [[4, 10]], "System: x32": [[46, 49]], "System: x64": [[54, 57]], "Malware: rootkits.": [[58, 67]]}, "info": {"id": "cyner2_5class_train_02414", "source": "cyner2_5class_train"}} +{"text": "The multiple downloads is probably a redundancy measure in case some sources are taken down.", "spans": {}, "info": {"id": "cyner2_5class_train_02415", "source": "cyner2_5class_train"}} +{"text": "In this case it capitalized on the recent terrorist attack in New York City.", "spans": {"Indicator: terrorist attack": [[42, 58]]}, "info": {"id": "cyner2_5class_train_02416", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-CYK.srv Backdoor/VB.alk Backdoor.VB!XZJVRUVgqYg W32/Backdoor.LPS TROJ_MALKZR.A Backdoor.Win32.VB.alk Backdoor.Win32.VB.37168 Backdoor.Win32.VB!IK Backdoor.Win32.Delf.~EC TROJ_MALKZR.A Heuristic.BehavesLike.Win32.Downloader.D Backdoor/VB.rj Backdoor:Win32/Norachs.A W32/Backdoor.LPS Win-Trojan/Xema.variant Trojan.Win32.VB.ALK Win32/VB.ALK Backdoor.Win32.VB W32/VB.ALK!tr BackDoor.VB.FLP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-CYK.srv": [[26, 42]], "Indicator: Backdoor/VB.alk": [[43, 58]], "Indicator: Backdoor.VB!XZJVRUVgqYg": [[59, 82]], "Indicator: W32/Backdoor.LPS": [[83, 99], [300, 316]], "Indicator: TROJ_MALKZR.A": [[100, 113], [205, 218]], "Indicator: Backdoor.Win32.VB.alk": [[114, 135]], "Indicator: Backdoor.Win32.VB.37168": [[136, 159]], "Indicator: Backdoor.Win32.VB!IK": [[160, 180]], "Indicator: Backdoor.Win32.Delf.~EC": [[181, 204]], "Indicator: Heuristic.BehavesLike.Win32.Downloader.D": [[219, 259]], "Indicator: 
Backdoor/VB.rj": [[260, 274]], "Indicator: Backdoor:Win32/Norachs.A": [[275, 299]], "Indicator: Win-Trojan/Xema.variant": [[317, 340]], "Indicator: Trojan.Win32.VB.ALK": [[341, 360]], "Indicator: Win32/VB.ALK": [[361, 373]], "Indicator: Backdoor.Win32.VB": [[374, 391]], "Indicator: W32/VB.ALK!tr": [[392, 405]], "Indicator: BackDoor.VB.FLP": [[406, 421]]}, "info": {"id": "cyner2_5class_train_02417", "source": "cyner2_5class_train"}} +{"text": "Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community.", "spans": {"Indicator: attacks,": [[47, 55]], "Indicator: web compromises": [[73, 88]], "Indicator: Burmese government websites,": [[97, 125]]}, "info": {"id": "cyner2_5class_train_02418", "source": "cyner2_5class_train"}} +{"text": "In past revivals, the botnet has been distributed through malicious emails containing attachments or links to compromised websites hosting exploit kit content.", "spans": {"Malware: the botnet": [[18, 28]], "Indicator: malicious emails containing attachments": [[58, 97]], "Indicator: links to compromised websites": [[101, 130]], "Malware: exploit kit": [[139, 150]]}, "info": {"id": "cyner2_5class_train_02419", "source": "cyner2_5class_train"}} +{"text": "This was probably done for debugging purposes , indicating the malware may be an early prototype version .", "spans": {}, "info": {"id": "cyner2_5class_train_02420", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PWS-Xema.dr PWS-Xema.dr Trojan.Win32.Malware.4 W32/Smalltroj.IUNZ Win32.TRCrypt.XPACK Trojan.Win32.Pincav.cay Trojan.MulDrop.29150 Trojan:Win32/Cinject.B Win-Trojan/Ristix.8192 Trojan.Win32.Pincav.cay Packer.Win32.UnkPacker.a Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PWS-Xema.dr": [[26, 37], [38, 49]], "Indicator: Trojan.Win32.Malware.4": [[50, 72]], "Indicator: W32/Smalltroj.IUNZ": [[73, 
91]], "Indicator: Win32.TRCrypt.XPACK": [[92, 111]], "Indicator: Trojan.Win32.Pincav.cay": [[112, 135], [203, 226]], "Indicator: Trojan.MulDrop.29150": [[136, 156]], "Indicator: Trojan:Win32/Cinject.B": [[157, 179]], "Indicator: Win-Trojan/Ristix.8192": [[180, 202]], "Indicator: Packer.Win32.UnkPacker.a": [[227, 251]], "Indicator: Trj/Downloader.MDW": [[252, 270]]}, "info": {"id": "cyner2_5class_train_02421", "source": "cyner2_5class_train"}} +{"text": "However, after reverse analysis, we found that it to be part of a brand new family, which we called Alice.", "spans": {"Malware: family,": [[76, 83]], "Malware: Alice.": [[100, 106]]}, "info": {"id": "cyner2_5class_train_02422", "source": "cyner2_5class_train"}} +{"text": "] it server1fi.exodus.connexxa [ .", "spans": {"Indicator: server1fi.exodus.connexxa [ .": [[5, 34]]}, "info": {"id": "cyner2_5class_train_02423", "source": "cyner2_5class_train"}} +{"text": "] it ( \" attiva '' is the Italian for \" activate '' ) .", "spans": {}, "info": {"id": "cyner2_5class_train_02424", "source": "cyner2_5class_train"}} +{"text": "App Swap Per Device Avg .", "spans": {}, "info": {"id": "cyner2_5class_train_02425", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameZLEU.Worm Trojan.Reval.28280 TROJ_SPNR.05AD13 TROJ_SPNR.05AD13 Worm.MSIL.Autorun Trojan/MSIL.hcf TR/BAS.Samca.22510458 Trojan/MSIL.Hor Trojan:MSIL/Reval.A Trojan.Zusy.D53EB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameZLEU.Worm": [[26, 45]], "Indicator: Trojan.Reval.28280": [[46, 64]], "Indicator: TROJ_SPNR.05AD13": [[65, 81], [82, 98]], "Indicator: Worm.MSIL.Autorun": [[99, 116]], "Indicator: Trojan/MSIL.hcf": [[117, 132]], "Indicator: TR/BAS.Samca.22510458": [[133, 154]], "Indicator: Trojan/MSIL.Hor": [[155, 170]], "Indicator: Trojan:MSIL/Reval.A": [[171, 190]], "Indicator: Trojan.Zusy.D53EB": [[191, 208]]}, "info": {"id": "cyner2_5class_train_02426", "source": "cyner2_5class_train"}} +{"text": "These analysts were 
linked by their coverage of the telecommunications industry, making this targeting very similar to, and likely a continuation of, activity described in our In Pursuit of Optical Fibers and Troop Intel blog.", "spans": {}, "info": {"id": "cyner2_5class_train_02427", "source": "cyner2_5class_train"}} +{"text": "Perhaps the most interesting aspect of the Snake Wine group is the number of techniques used to obscure attribution.", "spans": {}, "info": {"id": "cyner2_5class_train_02428", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dumpy.A6 Trojan.Zusy.DFB8F W32.Dompie WORM_DUMPY.SM23 Trojan.Win32.Hesv.apqe Trojan.Win32.AVKill.dqemmh Troj.W32.Scar.tnl2 TrojWare.Win32.Injector.XYNZ Trojan.AVKill.33151 WORM_DUMPY.SM23 WORM/Taranis.2225 Trojan.Win32.Hesv.apqe HEUR/Fakon.mwf Trojan.Scar Worm.AutoRun Worm.Win32.Dumpy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dumpy.A6": [[26, 41]], "Indicator: Trojan.Zusy.DFB8F": [[42, 59]], "Indicator: W32.Dompie": [[60, 70]], "Indicator: WORM_DUMPY.SM23": [[71, 86], [205, 220]], "Indicator: Trojan.Win32.Hesv.apqe": [[87, 109], [239, 261]], "Indicator: Trojan.Win32.AVKill.dqemmh": [[110, 136]], "Indicator: Troj.W32.Scar.tnl2": [[137, 155]], "Indicator: TrojWare.Win32.Injector.XYNZ": [[156, 184]], "Indicator: Trojan.AVKill.33151": [[185, 204]], "Indicator: WORM/Taranis.2225": [[221, 238]], "Indicator: HEUR/Fakon.mwf": [[262, 276]], "Indicator: Trojan.Scar": [[277, 288]], "Indicator: Worm.AutoRun": [[289, 301]], "Indicator: Worm.Win32.Dumpy": [[302, 318]]}, "info": {"id": "cyner2_5class_train_02429", "source": "cyner2_5class_train"}} +{"text": "SEND_SMS - Allows the application to send SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_02430", "source": "cyner2_5class_train"}} +{"text": "It mainly targets Chinese users, but has also successfully affected people and organizations in the United States, United Kingdom, Thailand, Spain, and Ireland.", "spans": {"Organization: 
Chinese users,": [[18, 32]], "Organization: people": [[68, 74]], "Organization: organizations": [[79, 92]]}, "info": {"id": "cyner2_5class_train_02431", "source": "cyner2_5class_train"}} +{"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely .", "spans": {}, "info": {"id": "cyner2_5class_train_02432", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Swisyn!O VirTool.VBInject.DZ Trojan.Swisyn.Win32.11562 Troj.W32.Swisyn.lsGr Win32.Worm.IRCBot.ad W32/MalwareS.BHPN Win32/Swisyn.DJ TROJ_SWISYN.SMK Trojan.Win32.Swisyn.ahwe Trojan.Win32.Swisyn.btyha Trojan.Win32.A.Swisyn.327680 Trojan.VbCrypt.68 TROJ_SWISYN.SMK BehavesLike.Win32.VBObfus.fm Trojan.Win32.Swisyn Trojan/Swisyn.lxc Trojan.Symmi.D2474 Trojan.Win32.Swisyn.ahwe Trojan/Win32.Swisyn.R2925 Trojan.VBRA.03646 W32/Swisyn.F.worm Win32/AutoRun.IRCBot.FL Virus.Win32.Virut.ue Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Swisyn!O": [[26, 47]], "Indicator: VirTool.VBInject.DZ": [[48, 67]], "Indicator: Trojan.Swisyn.Win32.11562": [[68, 93]], "Indicator: Troj.W32.Swisyn.lsGr": [[94, 114]], "Indicator: Win32.Worm.IRCBot.ad": [[115, 135]], "Indicator: W32/MalwareS.BHPN": [[136, 153]], "Indicator: Win32/Swisyn.DJ": [[154, 169]], "Indicator: TROJ_SWISYN.SMK": [[170, 185], [284, 299]], "Indicator: Trojan.Win32.Swisyn.ahwe": [[186, 210], [386, 410]], "Indicator: Trojan.Win32.Swisyn.btyha": [[211, 236]], "Indicator: Trojan.Win32.A.Swisyn.327680": [[237, 265]], "Indicator: Trojan.VbCrypt.68": [[266, 283]], "Indicator: BehavesLike.Win32.VBObfus.fm": [[300, 328]], "Indicator: Trojan.Win32.Swisyn": [[329, 348]], "Indicator: Trojan/Swisyn.lxc": [[349, 366]], "Indicator: Trojan.Symmi.D2474": [[367, 385]], "Indicator: Trojan/Win32.Swisyn.R2925": [[411, 436]], "Indicator: Trojan.VBRA.03646": [[437, 454]], "Indicator: W32/Swisyn.F.worm": [[455, 472]], "Indicator: 
Win32/AutoRun.IRCBot.FL": [[473, 496]], "Indicator: Virus.Win32.Virut.ue": [[497, 517]], "Indicator: Win32/RootKit.Rootkit.7e5": [[518, 543]]}, "info": {"id": "cyner2_5class_train_02433", "source": "cyner2_5class_train"}} +{"text": "In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples , or domain registrant overlap with those C2 domains .", "spans": {"Malware: 9002": [[7, 11]], "Malware: Poison Ivy": [[88, 98]]}, "info": {"id": "cyner2_5class_train_02434", "source": "cyner2_5class_train"}} +{"text": ") You should also avoid the temptation to play games from sources other than legitimate app stores ; such games are not safe and may bring harm to your reputation and your bank account .", "spans": {}, "info": {"id": "cyner2_5class_train_02435", "source": "cyner2_5class_train"}} +{"text": "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.", "spans": {"Malware: The malware": [[0, 11]], "Indicator: steal user credentials, provide shell access,": [[33, 78]], "Indicator: persist through firmware upgrades.": [[83, 117]]}, "info": {"id": "cyner2_5class_train_02436", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Zum.Razy.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Zum.Razy.1 Zum.Razy.1 BehavesLike.Win32.Trojan.dh Zum.Razy.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Zum.Razy.1": [[26, 36], [80, 90], [91, 101], [130, 140]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[37, 79]], "Indicator: BehavesLike.Win32.Trojan.dh": [[102, 129]]}, "info": {"id": "cyner2_5class_train_02437", "source": "cyner2_5class_train"}} +{"text": "Agent Smith : A New Species of Mobile Malware July 10 , 2019 Check Point Researchers recently discovered a new variant of mobile malware that quietly infected around 25 million devices , while the user remains completely unaware .", "spans": {"Malware: Agent Smith": [[0, 11]], 
"Organization: Check Point": [[61, 72]]}, "info": {"id": "cyner2_5class_train_02438", "source": "cyner2_5class_train"}} +{"text": "However , thanks to the infrastructure sharing and forgotten panel names , we assess with high confidence that this actor is still active , it is still developing malware and has been using it from mid-June to today .", "spans": {}, "info": {"id": "cyner2_5class_train_02439", "source": "cyner2_5class_train"}} +{"text": "These malware pose as legitimate Facebook or Chrome applications .", "spans": {"System: Facebook": [[33, 41]], "System: Chrome": [[45, 51]]}, "info": {"id": "cyner2_5class_train_02440", "source": "cyner2_5class_train"}} +{"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window .", "spans": {}, "info": {"id": "cyner2_5class_train_02441", "source": "cyner2_5class_train"}} +{"text": "According to our telemetry , that was the year the distribution campaign was at its most active .", "spans": {}, "info": {"id": "cyner2_5class_train_02442", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.NSIS.NeksMiner.A WORM_CO.331300D2 Win32.Trojan.WisdomEyes.16070401.9500.9766 W32/Adware.DEZV-3749 Trojan.Coinbitminer WORM_CO.331300D2 Win.Trojan.Virtob-1633 Worm.NSIS.BitMin.d Trojan.Win32.BitCoinMiner.ddjqfi Trojan.BtcMine.1665 BehavesLike.Win32.TrojanCoinMiner.vc Trojan-PSW.Win32.Tepfer W32/Adware.ALRW RiskTool.BitCoinMiner.bf Trojan[PSW]/Win32.Tepfer Worm:Win32/NeksMiner.A Trojan.Strictor.D1B5F4 Worm.NSIS.BitMin.d Trojan/Win32.BitCoinMiner.C931392 TScope.Malware-Cryptor.SB RiskWare.BitCoinMiner NSIS/CoinMiner.T Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.NSIS.NeksMiner.A": [[26, 47]], "Indicator: WORM_CO.331300D2": [[48, 64], [149, 165]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9766": [[65, 107]], "Indicator: W32/Adware.DEZV-3749": [[108, 128]], "Indicator: 
Trojan.Coinbitminer": [[129, 148]], "Indicator: Win.Trojan.Virtob-1633": [[166, 188]], "Indicator: Worm.NSIS.BitMin.d": [[189, 207], [434, 452]], "Indicator: Trojan.Win32.BitCoinMiner.ddjqfi": [[208, 240]], "Indicator: Trojan.BtcMine.1665": [[241, 260]], "Indicator: BehavesLike.Win32.TrojanCoinMiner.vc": [[261, 297]], "Indicator: Trojan-PSW.Win32.Tepfer": [[298, 321]], "Indicator: W32/Adware.ALRW": [[322, 337]], "Indicator: RiskTool.BitCoinMiner.bf": [[338, 362]], "Indicator: Trojan[PSW]/Win32.Tepfer": [[363, 387]], "Indicator: Worm:Win32/NeksMiner.A": [[388, 410]], "Indicator: Trojan.Strictor.D1B5F4": [[411, 433]], "Indicator: Trojan/Win32.BitCoinMiner.C931392": [[453, 486]], "Indicator: TScope.Malware-Cryptor.SB": [[487, 512]], "Indicator: RiskWare.BitCoinMiner": [[513, 534]], "Indicator: NSIS/CoinMiner.T": [[535, 551]], "Indicator: Trj/CI.A": [[552, 560]]}, "info": {"id": "cyner2_5class_train_02443", "source": "cyner2_5class_train"}} +{"text": "In addition to official banking applications , the target list includes 111 other global financial applications for banking and credit card management , money transfers , and cryptocurrency wallets and exchanges .", "spans": {}, "info": {"id": "cyner2_5class_train_02444", "source": "cyner2_5class_train"}} +{"text": "Like all of Microsoft ’ s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats .", "spans": {"Organization: Microsoft": [[12, 21]]}, "info": {"id": "cyner2_5class_train_02445", "source": "cyner2_5class_train"}} +{"text": "Recently observed initial threat activities targeting the telecommunication sector.", "spans": {"Malware: threat activities": [[26, 43]], "Organization: the telecommunication sector.": [[54, 83]]}, "info": {"id": "cyner2_5class_train_02446", "source": 
"cyner2_5class_train"}} +{"text": "We decided to check the original plugin package and, to our surprise, found the file in the source! We also discovered that we were not the only ones that found this file although people on the forum seemed to believe that the file was just vulnerable .", "spans": {}, "info": {"id": "cyner2_5class_train_02447", "source": "cyner2_5class_train"}} +{"text": "Late last year , after receiving a list of suspicious package names from Lookout , we discovered that a few dozen Android devices may have installed an application related to Pegasus , which we named Chrysaor .", "spans": {"Organization: Lookout": [[73, 80]], "System: Android": [[114, 121]], "Malware: Pegasus": [[175, 182]], "Malware: Chrysaor": [[200, 208]]}, "info": {"id": "cyner2_5class_train_02448", "source": "cyner2_5class_train"}} +{"text": "It is interesting to see that the group has expanded their operation to other regions , such as the United States and Europe .", "spans": {}, "info": {"id": "cyner2_5class_train_02449", "source": "cyner2_5class_train"}} +{"text": "This way, the HTA effectively serves as a wrapper to try and slip passed traditional file type-based scanning in the network as well as anti-spam services.", "spans": {"Malware: HTA": [[14, 17]], "Indicator: traditional file type-based scanning": [[73, 109]], "System: network": [[117, 124]], "System: as anti-spam services.": [[133, 155]]}, "info": {"id": "cyner2_5class_train_02450", "source": "cyner2_5class_train"}} +{"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file .", "spans": {"Indicator: DroidVPN": [[36, 44], [95, 103]], "Malware: HenBox": [[52, 58]], "System: Windows Portable Executable": [[197, 224]]}, "info": {"id": "cyner2_5class_train_02451", "source": "cyner2_5class_train"}} +{"text": "ESET researchers 
discovered a campaign that we attribute with high confidence to the APT group Tick.", "spans": {"Organization: ESET researchers": [[0, 16]]}, "info": {"id": "cyner2_5class_train_02452", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Small.eivvce Trojan.Inject2.21676 BehavesLike.Win64.BadFile.wc PUA.Zzinfor TrojanDropper.Dinwod.aml Dropper/Win32.Dinwod.C1833968 Trojan.Mikey.D1229E Rootkit.Small!LMZdSa8k9cE Win32/Trojan.45a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Small.eivvce": [[26, 51]], "Indicator: Trojan.Inject2.21676": [[52, 72]], "Indicator: BehavesLike.Win64.BadFile.wc": [[73, 101]], "Indicator: PUA.Zzinfor": [[102, 113]], "Indicator: TrojanDropper.Dinwod.aml": [[114, 138]], "Indicator: Dropper/Win32.Dinwod.C1833968": [[139, 168]], "Indicator: Trojan.Mikey.D1229E": [[169, 188]], "Indicator: Rootkit.Small!LMZdSa8k9cE": [[189, 214]], "Indicator: Win32/Trojan.45a": [[215, 231]]}, "info": {"id": "cyner2_5class_train_02453", "source": "cyner2_5class_train"}} +{"text": "The injected DLL then downloads the fileless Gootkit and saves it in the registry as binary data, then loading it in memory only.", "spans": {"Indicator: The injected DLL": [[0, 16]], "Malware: fileless Gootkit": [[36, 52]], "Indicator: registry": [[73, 81]], "Indicator: binary data,": [[85, 97]], "Indicator: memory": [[117, 123]]}, "info": {"id": "cyner2_5class_train_02454", "source": "cyner2_5class_train"}} +{"text": "On April 3 , 2016 , we still observed new RuMMS samples emerging in the wild .", "spans": {"Malware: RuMMS": [[42, 47]]}, "info": {"id": "cyner2_5class_train_02455", "source": "cyner2_5class_train"}} +{"text": "This article mainly analyzes the controlling end, the generator and Windows and Linux variants in controlled end of this tool and makes a display of the homologous analysis and network infection of these samples.", "spans": {"System: Windows": [[68, 75]], "System: Linux": [[80, 85]], "Malware: tool": [[121, 
125]], "Indicator: network infection": [[177, 194]]}, "info": {"id": "cyner2_5class_train_02456", "source": "cyner2_5class_train"}} +{"text": "By monitoring the package installation broadcast event , XLoader can start their packages .", "spans": {"Malware: XLoader": [[57, 64]]}, "info": {"id": "cyner2_5class_train_02457", "source": "cyner2_5class_train"}} +{"text": "Distribution of victims .", "spans": {}, "info": {"id": "cyner2_5class_train_02458", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zlob Adware.NetAdware.BD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zlob": [[26, 37]], "Indicator: Adware.NetAdware.BD": [[38, 57]]}, "info": {"id": "cyner2_5class_train_02459", "source": "cyner2_5class_train"}} +{"text": "If brother.apk application is removed , mcpef.apk reinstalls brother.apk from assets .", "spans": {"System: brother.apk": [[3, 14], [61, 72]], "System: mcpef.apk": [[40, 49]]}, "info": {"id": "cyner2_5class_train_02460", "source": "cyner2_5class_train"}} +{"text": "Command to change the beaconing changeArchive : The final command of the activation cycle is the download of an archive .", "spans": {}, "info": {"id": "cyner2_5class_train_02461", "source": "cyner2_5class_train"}} +{"text": "The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption .", "spans": {}, "info": {"id": "cyner2_5class_train_02462", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeSvchostXKRB.Trojan Trojan-Downloader.Win32.Geral!O Downloader.Dogrobot.20415 Win32/SillyDl.QAC Trojan-Dropper.Win32.Injector.paib Trojan.Win32.Vilsel.iini Troj.Downloader.W32.Geral.kYTA Trojan.Win32.Downloader.wzh BackDoor.Guan.14 Downloader.Geral.Win32.1376 BehavesLike.Win32.StartPage.lm W32.Malware.Downloader Trojan[Dropper]/Win32.Injector Trojan.Win32.Downloader.16384.BHH Trojan-Dropper.Win32.Injector.paib 
TrojanDownloader:Win32/Dogrobot.D Trojan.Win32.Qhost", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeSvchostXKRB.Trojan": [[26, 52]], "Indicator: Trojan-Downloader.Win32.Geral!O": [[53, 84]], "Indicator: Downloader.Dogrobot.20415": [[85, 110]], "Indicator: Win32/SillyDl.QAC": [[111, 128]], "Indicator: Trojan-Dropper.Win32.Injector.paib": [[129, 163], [412, 446]], "Indicator: Trojan.Win32.Vilsel.iini": [[164, 188]], "Indicator: Troj.Downloader.W32.Geral.kYTA": [[189, 219]], "Indicator: Trojan.Win32.Downloader.wzh": [[220, 247]], "Indicator: BackDoor.Guan.14": [[248, 264]], "Indicator: Downloader.Geral.Win32.1376": [[265, 292]], "Indicator: BehavesLike.Win32.StartPage.lm": [[293, 323]], "Indicator: W32.Malware.Downloader": [[324, 346]], "Indicator: Trojan[Dropper]/Win32.Injector": [[347, 377]], "Indicator: Trojan.Win32.Downloader.16384.BHH": [[378, 411]], "Indicator: TrojanDownloader:Win32/Dogrobot.D": [[447, 480]], "Indicator: Trojan.Win32.Qhost": [[481, 499]]}, "info": {"id": "cyner2_5class_train_02463", "source": "cyner2_5class_train"}} +{"text": "The /proc filesystem is now mounted with a hidepid=2 parameter , which means that the process can not access other process /proc/ [ pid ] directory .", "spans": {"Indicator: /proc": [[4, 9]], "Indicator: /proc/ [ pid ]": [[123, 137]]}, "info": {"id": "cyner2_5class_train_02464", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Dialer!O Trojan.Zenshirsh.SL7 Trojan.Dialer Win32.Trojan.WisdomEyes.16070401.9500.9746 Win32/Startpage.RT TROJ_CJ.A Win.Trojan.Dialer-61 Trojan.Win32.Dialer.cj Trojan.Win32.MLW.wvye Troj.W32.Diamin.l3NB TrojWare.Win32.Dialer.A Dialer.Virgilio TROJ_CJ.A Trojan/Dialer.cio Trojan/Win32.Dialer Trojan.Win32.Dialer.cj Trojan/Win32.Dialer.R2306 MalwareScope.Dialer.Small.1 Dialer.LBU Win32.Trojan.Dialer.Pgxd Trojan.Win32.Dialer.cj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Dialer!O": [[26, 47]], "Indicator: Trojan.Zenshirsh.SL7": 
[[48, 68]], "Indicator: Trojan.Dialer": [[69, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9746": [[83, 125]], "Indicator: Win32/Startpage.RT": [[126, 144]], "Indicator: TROJ_CJ.A": [[145, 154], [282, 291]], "Indicator: Win.Trojan.Dialer-61": [[155, 175]], "Indicator: Trojan.Win32.Dialer.cj": [[176, 198], [330, 352], [443, 465]], "Indicator: Trojan.Win32.MLW.wvye": [[199, 220]], "Indicator: Troj.W32.Diamin.l3NB": [[221, 241]], "Indicator: TrojWare.Win32.Dialer.A": [[242, 265]], "Indicator: Dialer.Virgilio": [[266, 281]], "Indicator: Trojan/Dialer.cio": [[292, 309]], "Indicator: Trojan/Win32.Dialer": [[310, 329]], "Indicator: Trojan/Win32.Dialer.R2306": [[353, 378]], "Indicator: MalwareScope.Dialer.Small.1": [[379, 406]], "Indicator: Dialer.LBU": [[407, 417]], "Indicator: Win32.Trojan.Dialer.Pgxd": [[418, 442]]}, "info": {"id": "cyner2_5class_train_02465", "source": "cyner2_5class_train"}} +{"text": "Thanks to Bulwarkz for additional Forensic Analysis: - Clears the windows event log - Clears the journal log - Drops executables to the windows directory and starts them - Shows the ability to spread by using its contained functionality to enumerate network shares of other attached devices - Uses shutdown.exe to shutdown or reboot the system - Contains functionality to register a low level keyboard hook - Contains functionality to infect the boot sector.", "spans": {"Organization: Bulwarkz": [[10, 18]], "Indicator: windows event log": [[66, 83]], "Indicator: Clears the journal log": [[86, 108]], "Indicator: Drops executables to the windows directory": [[111, 153]], "Indicator: spread by using its contained functionality to enumerate network shares of other attached devices": [[193, 290]], "Indicator: Uses shutdown.exe to shutdown or reboot the system": [[293, 343]], "Indicator: register a low level keyboard hook": [[372, 406]], "Indicator: functionality to infect the boot sector.": [[418, 458]]}, "info": {"id": "cyner2_5class_train_02466", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9894 Trojan.Win32.CsDown.bdcfvq Trojan.CsDown.25 TrojanDropper:Win32/Waltrodock.B Trojan.Graftor.D4ACD Trojan.CsNowDown!qDe+BhsdQ1Y W32/WDockDrp.A!tr Trj/CI.A Win32/Trojan.8ea", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9894": [[26, 68]], "Indicator: Trojan.Win32.CsDown.bdcfvq": [[69, 95]], "Indicator: Trojan.CsDown.25": [[96, 112]], "Indicator: TrojanDropper:Win32/Waltrodock.B": [[113, 145]], "Indicator: Trojan.Graftor.D4ACD": [[146, 166]], "Indicator: Trojan.CsNowDown!qDe+BhsdQ1Y": [[167, 195]], "Indicator: W32/WDockDrp.A!tr": [[196, 213]], "Indicator: Trj/CI.A": [[214, 222]], "Indicator: Win32/Trojan.8ea": [[223, 239]]}, "info": {"id": "cyner2_5class_train_02467", "source": "cyner2_5class_train"}} +{"text": "The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine.", "spans": {"Indicator: decoy documents and filenames": [[4, 33]], "Indicator: attacks": [[46, 53]]}, "info": {"id": "cyner2_5class_train_02468", "source": "cyner2_5class_train"}} +{"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( “ a-z ” , “ A-Z ” , and “ 0-9 ” ) Check that no node in the full path contains the MD5 string of the malware file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be “ 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 ” HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be “ 55274-649-6478953-23109 ” , “ 
A22-00001 ” , or “ 47220 ” HARDWARE\\Description\\System\\SystemBiosDate should not contain “ 01/02/03 ” Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid .", "spans": {"Indicator: 3D6D62AF1A7C8053DBC8E110A530C679": [[252, 284]], "Indicator: HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid": [[539, 587]], "Indicator: 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32": [[604, 640]], "Indicator: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId": [[643, 709]], "Indicator: 55274-649-6478953-23109": [[726, 749]], "Indicator: A22-00001": [[756, 765]], "Indicator: 47220": [[775, 780]], "Indicator: HARDWARE\\Description\\System\\SystemBiosDate": [[783, 825]], "Indicator: 0xC9CEF3E4": [[975, 985]], "Malware: FinFisher": [[1122, 1131]]}, "info": {"id": "cyner2_5class_train_02469", "source": "cyner2_5class_train"}} +{"text": "Halloween is still a month from now and yet Android users are already being haunted by the previously reported Ghost Push malware, which roots devices and makes them download unwanted ads and apps.", "spans": {"System: Android users": [[44, 57]], "Malware: Ghost Push malware,": [[111, 130]], "System: roots devices": [[137, 150]], "Indicator: download unwanted ads and apps.": [[166, 197]]}, "info": {"id": "cyner2_5class_train_02470", "source": "cyner2_5class_train"}} +{"text": "Last March, we reported on Operation C-Major, an active information theft campaign that was able to steal sensitive information from high profile targets in India.", "spans": {"Indicator: steal sensitive information": [[100, 127]], "Organization: high profile targets": [[133, 153]]}, "info": {"id": "cyner2_5class_train_02471", "source": "cyner2_5class_train"}} +{"text": "Custom Content Type Manager CCTM is a relatively popular 
plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types.", "spans": {"Organization: Custom Content Type Manager CCTM": [[0, 32]], "System: plugin": [[57, 63]]}, "info": {"id": "cyner2_5class_train_02472", "source": "cyner2_5class_train"}} +{"text": "The extent of information that these kinds of threats can steal is also significant , as it lets attackers virtually take over a compromised device .", "spans": {}, "info": {"id": "cyner2_5class_train_02473", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.AutoIT.13 Win32/Fynloski.STBTHUD Trojan.Win32.DarkKomet.dokuem Trojan.DownLoader12.11337 Trojan.Script.abcv Trojan:Win32/Manger.A Trojan.Autoit.Wirus Win32/TrojanDropper.Autoit.IC Win32/Trojan.Script.ed4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.AutoIT.13": [[26, 47]], "Indicator: Win32/Fynloski.STBTHUD": [[48, 70]], "Indicator: Trojan.Win32.DarkKomet.dokuem": [[71, 100]], "Indicator: Trojan.DownLoader12.11337": [[101, 126]], "Indicator: Trojan.Script.abcv": [[127, 145]], "Indicator: Trojan:Win32/Manger.A": [[146, 167]], "Indicator: Trojan.Autoit.Wirus": [[168, 187]], "Indicator: Win32/TrojanDropper.Autoit.IC": [[188, 217]], "Indicator: Win32/Trojan.Script.ed4": [[218, 241]]}, "info": {"id": "cyner2_5class_train_02474", "source": "cyner2_5class_train"}} +{"text": "Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics", "spans": {"Organization: individuals": [[96, 107]], "Organization: organizations": [[112, 125]]}, "info": {"id": "cyner2_5class_train_02475", "source": "cyner2_5class_train"}} +{"text": "This virus ransomware arrives via email in a malicious attachment or by usurping an Adobe Flash Player installation.", "spans": {"Malware: virus ransomware": [[5, 21]], "Indicator: email": [[34, 39]], "Indicator: malicious attachment": 
[[45, 65]], "Indicator: usurping": [[72, 80]], "Indicator: Adobe Flash Player installation.": [[84, 116]]}, "info": {"id": "cyner2_5class_train_02476", "source": "cyner2_5class_train"}} +{"text": "Within a few minutes of installing one of these Trojans, all other active malware on the network is enabled on the victim's device.", "spans": {"Malware: Trojans,": [[48, 56]], "Malware: malware": [[74, 81]], "System: victim's device.": [[115, 131]]}, "info": {"id": "cyner2_5class_train_02477", "source": "cyner2_5class_train"}} +{"text": "This particular application/game from Google Play Store is certainly not a system application, as the name seems intended to suggest.", "spans": {"System: application/game": [[16, 32]], "System: Google Play Store": [[38, 55]], "System: system application,": [[75, 94]]}, "info": {"id": "cyner2_5class_train_02478", "source": "cyner2_5class_train"}} +{"text": "The bank then shared indicators of compromise IOCs with other institutions and a number of other institutions confirmed that they too had been compromised.", "spans": {"Organization: The bank": [[0, 8]], "Indicator: indicators of compromise IOCs": [[21, 50]], "Organization: institutions": [[62, 74], [97, 109]], "Indicator: compromised.": [[143, 155]]}, "info": {"id": "cyner2_5class_train_02479", "source": "cyner2_5class_train"}} +{"text": "Windows Defender ATP timeline can pinpoint the service DLL side-loading trick ( in this example , using fltlib.dll ) .", "spans": {"System: Windows Defender ATP": [[0, 20]], "Indicator: fltlib.dll": [[104, 114]]}, "info": {"id": "cyner2_5class_train_02480", "source": "cyner2_5class_train"}} +{"text": "A few of these organizations have specifically been targeted by OceanLotus since early 2015.", "spans": {"Organization: organizations": [[15, 28]], "Organization: OceanLotus": [[64, 74]]}, "info": {"id": "cyner2_5class_train_02481", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MurLoDll1.Trojan 
Trojan-Downloader.Win32.Murlo!O Downloader.Murlo.Win32.5244 Trojan/Downloader.Murlo.nn TROJ_MURLO.BA Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downloader.EKMU-1740 Win32/TrojanDownloader.Murlo.NN TROJ_MURLO.BA Win.Trojan.Murlo-7 Trojan-Downloader.Win32.Murlo.nn Trojan.Win32.Murlo.cpwkr Trojan.Win32.Downloader.5632.AY Trojan.DownLoader.62110 Trojan-Downloader.Win32.Murlo W32/Downldr2.CIAF TrojanDownloader.Murlo.hb Trojan[Downloader]/Win32.Murlo TrojanDownloader:Win32/Almanahe.A Trojan-Downloader.Win32.Murlo.nn Win32/SillyDl.EPI TrojanDownloader.Murlo W32/Murlo.NN!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MurLoDll1.Trojan": [[26, 46]], "Indicator: Trojan-Downloader.Win32.Murlo!O": [[47, 78]], "Indicator: Downloader.Murlo.Win32.5244": [[79, 106]], "Indicator: Trojan/Downloader.Murlo.nn": [[107, 133]], "Indicator: TROJ_MURLO.BA": [[134, 147], [248, 261]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[148, 190]], "Indicator: W32/Downloader.EKMU-1740": [[191, 215]], "Indicator: Win32/TrojanDownloader.Murlo.NN": [[216, 247]], "Indicator: Win.Trojan.Murlo-7": [[262, 280]], "Indicator: Trojan-Downloader.Win32.Murlo.nn": [[281, 313], [534, 566]], "Indicator: Trojan.Win32.Murlo.cpwkr": [[314, 338]], "Indicator: Trojan.Win32.Downloader.5632.AY": [[339, 370]], "Indicator: Trojan.DownLoader.62110": [[371, 394]], "Indicator: Trojan-Downloader.Win32.Murlo": [[395, 424]], "Indicator: W32/Downldr2.CIAF": [[425, 442]], "Indicator: TrojanDownloader.Murlo.hb": [[443, 468]], "Indicator: Trojan[Downloader]/Win32.Murlo": [[469, 499]], "Indicator: TrojanDownloader:Win32/Almanahe.A": [[500, 533]], "Indicator: Win32/SillyDl.EPI": [[567, 584]], "Indicator: TrojanDownloader.Murlo": [[585, 607]], "Indicator: W32/Murlo.NN!tr.dldr": [[608, 628]]}, "info": {"id": "cyner2_5class_train_02482", "source": "cyner2_5class_train"}} +{"text": "Attackers are growing smarter , targeting individuals through the devices and the services they use most .", "spans": 
{}, "info": {"id": "cyner2_5class_train_02483", "source": "cyner2_5class_train"}} +{"text": "Recently , we have come across another variant of this app portraying itself as TikTok Pro , but this is a full-fledged spyware with premium features to spy on victim with ease .", "spans": {"System: TikTok Pro": [[80, 90]]}, "info": {"id": "cyner2_5class_train_02484", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Wabbin Win32.Trojan.WisdomEyes.16070401.9500.9773 W32.Wabbin Win.Worm.Wabbin-1 Email-Worm.Win32.Wabbin Trojan.Win32.Wabbin.eoih Email.Worm.W32!c IM-Worm.Win32.VB W32/Trojan.TLKW-6882 Worm[Email]/Win32.Wabbin Trojan.Heur.VP.E513A3 Email-Worm.Win32.Wabbin Worm:Win32/Wabbin.A@mm Worm.Wabbin Trj/CI.A Win32.Worm-email.Wabbin.Dxnb Worm.Wabbin! W32/Wabbin.A@mm Win32/Trojan.97a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Wabbin": [[26, 37], [308, 319]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9773": [[38, 80]], "Indicator: W32.Wabbin": [[81, 91]], "Indicator: Win.Worm.Wabbin-1": [[92, 109]], "Indicator: Email-Worm.Win32.Wabbin": [[110, 133], [261, 284]], "Indicator: Trojan.Win32.Wabbin.eoih": [[134, 158]], "Indicator: Email.Worm.W32!c": [[159, 175]], "Indicator: IM-Worm.Win32.VB": [[176, 192]], "Indicator: W32/Trojan.TLKW-6882": [[193, 213]], "Indicator: Worm[Email]/Win32.Wabbin": [[214, 238]], "Indicator: Trojan.Heur.VP.E513A3": [[239, 260]], "Indicator: Worm:Win32/Wabbin.A@mm": [[285, 307]], "Indicator: Trj/CI.A": [[320, 328]], "Indicator: Win32.Worm-email.Wabbin.Dxnb": [[329, 357]], "Indicator: Worm.Wabbin!": [[358, 370]], "Indicator: W32/Wabbin.A@mm": [[371, 386]], "Indicator: Win32/Trojan.97a": [[387, 403]]}, "info": {"id": "cyner2_5class_train_02485", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: I-Worm.Music.C W32/Music.40960.B Music.H WORM_MUSIC.B Email-Worm.Win32.Music.B Worm.Win32.Email-Worm.Music.B BACKDOOR.Trojan WORM_MUSIC.B W32/Music.40960.B I-Worm/Music.b WORM/Music.B 
Worm:Win32/Music.C@mm I-Worm.Win32.Music.B[h] W32/Music.B Win32/Music.B Email-Worm.Win32.Music.A W32/Music.B@mm Worm.Win32.Music.Abh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: I-Worm.Music.C": [[26, 40]], "Indicator: W32/Music.40960.B": [[41, 58], [164, 181]], "Indicator: Music.H": [[59, 66]], "Indicator: WORM_MUSIC.B": [[67, 79], [151, 163]], "Indicator: Email-Worm.Win32.Music.B": [[80, 104]], "Indicator: Worm.Win32.Email-Worm.Music.B": [[105, 134]], "Indicator: BACKDOOR.Trojan": [[135, 150]], "Indicator: I-Worm/Music.b": [[182, 196]], "Indicator: WORM/Music.B": [[197, 209]], "Indicator: Worm:Win32/Music.C@mm": [[210, 231]], "Indicator: I-Worm.Win32.Music.B[h]": [[232, 255]], "Indicator: W32/Music.B": [[256, 267]], "Indicator: Win32/Music.B": [[268, 281]], "Indicator: Email-Worm.Win32.Music.A": [[282, 306]], "Indicator: W32/Music.B@mm": [[307, 321]], "Indicator: Worm.Win32.Music.Abh": [[322, 342]]}, "info": {"id": "cyner2_5class_train_02486", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Hijack.356352.M VirTool.DelfInject Trojan.DelfInject Dropper.Injector.Win32.25443 Trojan/Dropper.Injector.dyha Win32.Trojan.Delf.k TROJ_NEOJIT.SMAR Trojan.Win32.Buzus.rfedr Trojan.DownLoader6.1239 TROJ_NEOJIT.SMAR BehavesLike.Win32.Worm.fh TrojanDropper.Injector.taw Trojan/Win32.Buzus TrojanDownloader:Win32/Neojit.A Trojan/Win32.Injector.R23295 BScope.Trojan-Dropper.Injector Win32/Delf.OEN Trojan-Downloader.Win32.Neojit Win32/Trojan.dee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Hijack.356352.M": [[26, 52]], "Indicator: VirTool.DelfInject": [[53, 71]], "Indicator: Trojan.DelfInject": [[72, 89]], "Indicator: Dropper.Injector.Win32.25443": [[90, 118]], "Indicator: Trojan/Dropper.Injector.dyha": [[119, 147]], "Indicator: Win32.Trojan.Delf.k": [[148, 167]], "Indicator: TROJ_NEOJIT.SMAR": [[168, 184], [234, 250]], "Indicator: Trojan.Win32.Buzus.rfedr": [[185, 209]], "Indicator: Trojan.DownLoader6.1239": [[210, 
233]], "Indicator: BehavesLike.Win32.Worm.fh": [[251, 276]], "Indicator: TrojanDropper.Injector.taw": [[277, 303]], "Indicator: Trojan/Win32.Buzus": [[304, 322]], "Indicator: TrojanDownloader:Win32/Neojit.A": [[323, 354]], "Indicator: Trojan/Win32.Injector.R23295": [[355, 383]], "Indicator: BScope.Trojan-Dropper.Injector": [[384, 414]], "Indicator: Win32/Delf.OEN": [[415, 429]], "Indicator: Trojan-Downloader.Win32.Neojit": [[430, 460]], "Indicator: Win32/Trojan.dee": [[461, 477]]}, "info": {"id": "cyner2_5class_train_02487", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.MTX.B@mm W95.MTX Win32.MTX.B@mm W32/MTX@M.dll WORM_MTX.D W32/MTX.9244.B WORM_MTX.D Win.Trojan.MTX-5 Win32.MTX.B@mm Email-Worm.Win32.MTX.D Win32.MTX.B@mm Virus.Win32.MTX.hfxi Win32.MTX Win32.MTX.B@mm Win32.MTX.B@mm Win95.Matrix.9307 W95/MTX.dll@M W32/MTX.9244.B I-Worm/MTX.d W95/Mtx.B Win32.MTX.E2C45E Email-Worm.Win32.MTX.D Worm:Win32/MTX.B.dll W95/MTX.dll@M W32/MTX.D!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.MTX.B@mm": [[26, 40], [49, 63], [132, 146], [170, 184], [216, 230], [231, 245]], "Indicator: W95.MTX": [[41, 48]], "Indicator: W32/MTX@M.dll": [[64, 77]], "Indicator: WORM_MTX.D": [[78, 88], [104, 114]], "Indicator: W32/MTX.9244.B": [[89, 103], [278, 292]], "Indicator: Win.Trojan.MTX-5": [[115, 131]], "Indicator: Email-Worm.Win32.MTX.D": [[147, 169], [333, 355]], "Indicator: Virus.Win32.MTX.hfxi": [[185, 205]], "Indicator: Win32.MTX": [[206, 215]], "Indicator: Win95.Matrix.9307": [[246, 263]], "Indicator: W95/MTX.dll@M": [[264, 277], [377, 390]], "Indicator: I-Worm/MTX.d": [[293, 305]], "Indicator: W95/Mtx.B": [[306, 315]], "Indicator: Win32.MTX.E2C45E": [[316, 332]], "Indicator: Worm:Win32/MTX.B.dll": [[356, 376]], "Indicator: W32/MTX.D!worm": [[391, 405]]}, "info": {"id": "cyner2_5class_train_02488", "source": "cyner2_5class_train"}} +{"text": "A fake alert will notify and urge the user to access the malicious domain and download XLoader 
.", "spans": {"Malware: XLoader": [[87, 94]]}, "info": {"id": "cyner2_5class_train_02489", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.9728.KQ Win32.Trojan.WisdomEyes.16070401.9500.9990 Backdoor.Teambot Win.Trojan.Zapchast-130 Trojan.Win32.TeamBot.ctspsr BackDoor.TeamBot.60 Trojan/Zapchast.exm W32/Sheldor.NAB!tr Win32.Troj.Undef.kcloud Trojan.Graftor.Elzob.950 Troj.W32.Zapchast.lhAn Trojan:Win32/Availmetre.B Trojan/Win32.Zapchast.R17936 SScope.Backdoor.Mudak Trojan.Win32.Availmetre", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.9728.KQ": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[51, 93]], "Indicator: Backdoor.Teambot": [[94, 110]], "Indicator: Win.Trojan.Zapchast-130": [[111, 134]], "Indicator: Trojan.Win32.TeamBot.ctspsr": [[135, 162]], "Indicator: BackDoor.TeamBot.60": [[163, 182]], "Indicator: Trojan/Zapchast.exm": [[183, 202]], "Indicator: W32/Sheldor.NAB!tr": [[203, 221]], "Indicator: Win32.Troj.Undef.kcloud": [[222, 245]], "Indicator: Trojan.Graftor.Elzob.950": [[246, 270]], "Indicator: Troj.W32.Zapchast.lhAn": [[271, 293]], "Indicator: Trojan:Win32/Availmetre.B": [[294, 319]], "Indicator: Trojan/Win32.Zapchast.R17936": [[320, 348]], "Indicator: SScope.Backdoor.Mudak": [[349, 370]], "Indicator: Trojan.Win32.Availmetre": [[371, 394]]}, "info": {"id": "cyner2_5class_train_02490", "source": "cyner2_5class_train"}} +{"text": "Sending text “ confirm 1 ” will include proof of payment .", "spans": {}, "info": {"id": "cyner2_5class_train_02491", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32!O Backdoor.Small.MUE.A11 RiskWare.SpySoft Trojan.Udr.Win32.1 W32/BackdoorX.GMX Backdoor.Trojan Win32/BackMan.A BKDR_NEWHEUR.IZ Win.Trojan.Udr-1 Backdoor.Win32.Udr.a Trojan.Win32.Udr.csnpza Backdoor.Win32.Udr.aa BackDoor.Udr.1 BKDR_NEWHEUR.IZ BehavesLike.Win32.Backdoor.fc W32/Backdoor.COLY-8496 Backdoor/Udr.d BDS/Udr.A Trojan[Backdoor]/Win32.Udr 
Win32.Hack.Udr.B5.kcloud Backdoor.Win32.Udr.692018 Backdoor.Win32.Udr.a Trojan/Win32.Udr.R577 OScope.Backdoor.Udr Backdoor.JYfi Backdoor.Udr!EwW5NHJTxmo Backdoor.Win32.Udr W32/Udr.A!tr.bdr Dialer.CKP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32!O": [[26, 42]], "Indicator: Backdoor.Small.MUE.A11": [[43, 65]], "Indicator: RiskWare.SpySoft": [[66, 82]], "Indicator: Trojan.Udr.Win32.1": [[83, 101]], "Indicator: W32/BackdoorX.GMX": [[102, 119]], "Indicator: Backdoor.Trojan": [[120, 135]], "Indicator: Win32/BackMan.A": [[136, 151]], "Indicator: BKDR_NEWHEUR.IZ": [[152, 167], [267, 282]], "Indicator: Win.Trojan.Udr-1": [[168, 184]], "Indicator: Backdoor.Win32.Udr.a": [[185, 205], [439, 459]], "Indicator: Trojan.Win32.Udr.csnpza": [[206, 229]], "Indicator: Backdoor.Win32.Udr.aa": [[230, 251]], "Indicator: BackDoor.Udr.1": [[252, 266]], "Indicator: BehavesLike.Win32.Backdoor.fc": [[283, 312]], "Indicator: W32/Backdoor.COLY-8496": [[313, 335]], "Indicator: Backdoor/Udr.d": [[336, 350]], "Indicator: BDS/Udr.A": [[351, 360]], "Indicator: Trojan[Backdoor]/Win32.Udr": [[361, 387]], "Indicator: Win32.Hack.Udr.B5.kcloud": [[388, 412]], "Indicator: Backdoor.Win32.Udr.692018": [[413, 438]], "Indicator: Trojan/Win32.Udr.R577": [[460, 481]], "Indicator: OScope.Backdoor.Udr": [[482, 501]], "Indicator: Backdoor.JYfi": [[502, 515]], "Indicator: Backdoor.Udr!EwW5NHJTxmo": [[516, 540]], "Indicator: Backdoor.Win32.Udr": [[541, 559]], "Indicator: W32/Udr.A!tr.bdr": [[560, 576]], "Indicator: Dialer.CKP": [[577, 587]]}, "info": {"id": "cyner2_5class_train_02492", "source": "cyner2_5class_train"}} +{"text": "It also has a general purpose-proxy and a module for sending spam messages.", "spans": {"Organization: general": [[14, 21]], "Indicator: module for sending spam messages.": [[42, 75]]}, "info": {"id": "cyner2_5class_train_02493", "source": "cyner2_5class_train"}} +{"text": "The attackers attempted to steal $951m, of which $81m is still unaccounted for.", "spans": 
{"Indicator: steal": [[27, 32]]}, "info": {"id": "cyner2_5class_train_02494", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9828 Win32.Trojan.Kriskynote.Ozic Trojan.Win32.Kriskynote Backdoor:Win32/Kriskynote.A BScope.Trojan.SvcHorse.01643 W32/Dropper.TMP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9828": [[26, 68]], "Indicator: Win32.Trojan.Kriskynote.Ozic": [[69, 97]], "Indicator: Trojan.Win32.Kriskynote": [[98, 121]], "Indicator: Backdoor:Win32/Kriskynote.A": [[122, 149]], "Indicator: BScope.Trojan.SvcHorse.01643": [[150, 178]], "Indicator: W32/Dropper.TMP!tr": [[179, 197]]}, "info": {"id": "cyner2_5class_train_02495", "source": "cyner2_5class_train"}} +{"text": "] net www [ .", "spans": {"Indicator: www [ .": [[6, 13]]}, "info": {"id": "cyner2_5class_train_02496", "source": "cyner2_5class_train"}} +{"text": "Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy, health and biotechnology, high tech, non-profit, telecommunications, and transportation industries.", "spans": {"Organization: multiple companies": [[79, 97]], "Organization: aerospace": [[105, 114]], "Organization: defense,": [[119, 127]], "Organization: engineering, education, energy, health": [[145, 183]], "Organization: biotechnology, high tech, non-profit, telecommunications,": [[188, 245]], "Organization: transportation industries.": [[250, 276]]}, "info": {"id": "cyner2_5class_train_02497", "source": "cyner2_5class_train"}} +{"text": "Figure 3 : Loading core malicious code into the benign application Once the “ core ” module is extracted and loaded , the “ loader ” uses the reflection technique to initialize and start the “ core ” module .", "spans": {}, "info": {"id": "cyner2_5class_train_02498", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: Trojan.Ollexos Win32.Trojan.Heur.Lhdl Trojan.Heur.Win32.9371 BehavesLike.Win32.Spyware.jc TR/RedCap.xrytt Trojan.Heur.OmNfrrOwGgmOh Trojan.Win32.Z.Redcap.655360 Trojan:Win32/Ollexos.A Win32/Trojan.7b0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ollexos": [[26, 40]], "Indicator: Win32.Trojan.Heur.Lhdl": [[41, 63]], "Indicator: Trojan.Heur.Win32.9371": [[64, 86]], "Indicator: BehavesLike.Win32.Spyware.jc": [[87, 115]], "Indicator: TR/RedCap.xrytt": [[116, 131]], "Indicator: Trojan.Heur.OmNfrrOwGgmOh": [[132, 157]], "Indicator: Trojan.Win32.Z.Redcap.655360": [[158, 186]], "Indicator: Trojan:Win32/Ollexos.A": [[187, 209]], "Indicator: Win32/Trojan.7b0": [[210, 226]]}, "info": {"id": "cyner2_5class_train_02499", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesHEXW32AH.Trojan Trojan.Win32.Scar!O BackDoor.Boomie.A3 Trojan.Scar.Win32.63773 Trojan/Scar.fvka Win32.Trojan.Scar.d Win.Trojan.Scar-895 Trojan.Win32.Scar.fvka Trojan.Win32.Scar.bbmdmf Troj.W32.Scar.fvka!c Trojan.Win32.Scar.ft Trojan.DownLoad2.52794 Backdoor.Win32.Boomie Trojan/Scar.azbo Trojan/Win32.Scar Backdoor:Win32/Boomie.A Trojan.Win32.Scar.fvka Win-Trojan/Boomie.40960 Trojan.Scar!AGwL0r/7hW4 Win32/Trojan.Spy.81b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesHEXW32AH.Trojan": [[26, 52]], "Indicator: Trojan.Win32.Scar!O": [[53, 72]], "Indicator: BackDoor.Boomie.A3": [[73, 91]], "Indicator: Trojan.Scar.Win32.63773": [[92, 115]], "Indicator: Trojan/Scar.fvka": [[116, 132]], "Indicator: Win32.Trojan.Scar.d": [[133, 152]], "Indicator: Win.Trojan.Scar-895": [[153, 172]], "Indicator: Trojan.Win32.Scar.fvka": [[173, 195], [367, 389]], "Indicator: Trojan.Win32.Scar.bbmdmf": [[196, 220]], "Indicator: Troj.W32.Scar.fvka!c": [[221, 241]], "Indicator: Trojan.Win32.Scar.ft": [[242, 262]], "Indicator: Trojan.DownLoad2.52794": [[263, 285]], "Indicator: Backdoor.Win32.Boomie": [[286, 307]], "Indicator: Trojan/Scar.azbo": [[308, 324]], "Indicator: 
Trojan/Win32.Scar": [[325, 342]], "Indicator: Backdoor:Win32/Boomie.A": [[343, 366]], "Indicator: Win-Trojan/Boomie.40960": [[390, 413]], "Indicator: Trojan.Scar!AGwL0r/7hW4": [[414, 437]], "Indicator: Win32/Trojan.Spy.81b": [[438, 458]]}, "info": {"id": "cyner2_5class_train_02500", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Shamoon.A Trojan/W32.Shamoon.192000 Trojan.Depriz Trojan/DistTrack.d Trojan.Shamoon.A Win32.Trojan.WisdomEyes.16070401.9500.9987 W32.Disttrack.B TROJ64_DISTTRACK.D Win.Malware.DistTrack-5743117-1 Trojan.Shamoon.A Trojan.Shamoon.A Trojan.Win64.DistTrack.elcfal Trojan.Win32.Z.Disttrack.192000 Trojan.Shamoon.A Trojan.Shamoon.A Trojan.DistTrack.Win32.9 TROJ64_DISTTRACK.D W64/Trojan.BOAO-0112 Trojan:Win64/Depriz.E!dha Trojan.DistTrack.A Trj/CI.A W64/DistTrack.D!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Shamoon.A": [[26, 42], [102, 118], [229, 245], [246, 262], [325, 341], [342, 358]], "Indicator: Trojan/W32.Shamoon.192000": [[43, 68]], "Indicator: Trojan.Depriz": [[69, 82]], "Indicator: Trojan/DistTrack.d": [[83, 101]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[119, 161]], "Indicator: W32.Disttrack.B": [[162, 177]], "Indicator: TROJ64_DISTTRACK.D": [[178, 196], [384, 402]], "Indicator: Win.Malware.DistTrack-5743117-1": [[197, 228]], "Indicator: Trojan.Win64.DistTrack.elcfal": [[263, 292]], "Indicator: Trojan.Win32.Z.Disttrack.192000": [[293, 324]], "Indicator: Trojan.DistTrack.Win32.9": [[359, 383]], "Indicator: W64/Trojan.BOAO-0112": [[403, 423]], "Indicator: Trojan:Win64/Depriz.E!dha": [[424, 449]], "Indicator: Trojan.DistTrack.A": [[450, 468]], "Indicator: Trj/CI.A": [[469, 477]], "Indicator: W64/DistTrack.D!tr": [[478, 496]]}, "info": {"id": "cyner2_5class_train_02501", "source": "cyner2_5class_train"}} +{"text": "FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth.", "spans": {"Malware: FastPOS": [[0, 7]], 
"Indicator: moniker—pilfer data": [[24, 43]]}, "info": {"id": "cyner2_5class_train_02502", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Banload!O Trojan/Downloader.Banload.qku Trojan.Graftor.D3222 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.DownLoad2.52025 Downloader.Banload.Win32.37297 Trojan.Win32.Spy TrojanDownloader:Win32/Spycos.B TrojanDownloader.Banload", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Banload!O": [[26, 59]], "Indicator: Trojan/Downloader.Banload.qku": [[60, 89]], "Indicator: Trojan.Graftor.D3222": [[90, 110]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[111, 153]], "Indicator: Trojan.DownLoad2.52025": [[154, 176]], "Indicator: Downloader.Banload.Win32.37297": [[177, 207]], "Indicator: Trojan.Win32.Spy": [[208, 224]], "Indicator: TrojanDownloader:Win32/Spycos.B": [[225, 256]], "Indicator: TrojanDownloader.Banload": [[257, 281]]}, "info": {"id": "cyner2_5class_train_02503", "source": "cyner2_5class_train"}} +{"text": "Within this time period , we identified close to 300 samples belonging to this family ( all sample hashes are listed in the Appendix ) .", "spans": {}, "info": {"id": "cyner2_5class_train_02504", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.KVM.B Backdoor/W32.KWM.70656 PWS-Susanin.dr Backdoor.KVM.B Trojan.KWM.B2 Infostealer.KMW.B KWM.B Win32/PSW.KWM.B BKDR_KWM.B Backdoor.Win32.KWM.b Trojan.Win32.KWM.baukx PE:Trojan.KWM.b!1073777723 Backdoor.KVM.B TrojWare.Win32.PSW.Susanin.B Backdoor.KVM.B BackDoor.KWM Backdoor.KWM.Win32.11 BKDR_KWM.B PWS-Susanin.dr W32/Risk.SBUI-3175 Backdoor/KWM.b TR/WebMoney.2 Trojan[Backdoor]/Win32.KWM Win32.Hack.KWM.b.kcloud PWS:Win32/Susanin.B Backdoor.Win32.KWM.70656[h] Win-Trojan/KWM.70656 Backdoor.KVM.B Backdoor.KVM.B Dropper.PSW.Liz.17 Trj/PSW.Susanin Win32/PSW.Susanin.B Backdoor.Win32.Kwm.B W32/Contract.B!tr.bdr PSW.Susanin Backdoor.Win32.KWM.aWbC", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Backdoor.KVM.B": [[26, 40], [79, 93], [230, 244], [274, 288], [518, 532], [533, 547]], "Indicator: Backdoor/W32.KWM.70656": [[41, 63]], "Indicator: PWS-Susanin.dr": [[64, 78], [335, 349]], "Indicator: Trojan.KWM.B2": [[94, 107]], "Indicator: Infostealer.KMW.B": [[108, 125]], "Indicator: KWM.B": [[126, 131]], "Indicator: Win32/PSW.KWM.B": [[132, 147]], "Indicator: BKDR_KWM.B": [[148, 158], [324, 334]], "Indicator: Backdoor.Win32.KWM.b": [[159, 179]], "Indicator: Trojan.Win32.KWM.baukx": [[180, 202]], "Indicator: PE:Trojan.KWM.b!1073777723": [[203, 229]], "Indicator: TrojWare.Win32.PSW.Susanin.B": [[245, 273]], "Indicator: BackDoor.KWM": [[289, 301]], "Indicator: Backdoor.KWM.Win32.11": [[302, 323]], "Indicator: W32/Risk.SBUI-3175": [[350, 368]], "Indicator: Backdoor/KWM.b": [[369, 383]], "Indicator: TR/WebMoney.2": [[384, 397]], "Indicator: Trojan[Backdoor]/Win32.KWM": [[398, 424]], "Indicator: Win32.Hack.KWM.b.kcloud": [[425, 448]], "Indicator: PWS:Win32/Susanin.B": [[449, 468]], "Indicator: Backdoor.Win32.KWM.70656[h]": [[469, 496]], "Indicator: Win-Trojan/KWM.70656": [[497, 517]], "Indicator: Dropper.PSW.Liz.17": [[548, 566]], "Indicator: Trj/PSW.Susanin": [[567, 582]], "Indicator: Win32/PSW.Susanin.B": [[583, 602]], "Indicator: Backdoor.Win32.Kwm.B": [[603, 623]], "Indicator: W32/Contract.B!tr.bdr": [[624, 645]], "Indicator: PSW.Susanin": [[646, 657]], "Indicator: Backdoor.Win32.KWM.aWbC": [[658, 681]]}, "info": {"id": "cyner2_5class_train_02505", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Raxlogon.Trojan Worm.Win32.AutoRun!O Worm.Autorun.ZI8 Worm.AutoRun.Win32.22949 Win32.Worm.FakeFolder.b Win32/QQPass.NNE Worm.AutoRun Worm.Win32.AutoRun.hit Trojan.Win32.AutoRun.uaado Worm.Win32.Autorun.81108 Worm.Win32.Pronny.BL Trojan.PWS.Qqpass.5627 BackDoor-CCT.dll Worm/AutoRun.wxz Trojan:Win32/Hideproc.E Trojan[Monitor]/Win32.ActualSpy Win32.Troj.Undef.kcloud HEUR/Fakon.mwf Trojan.AVKill W32/Autorun.KBC 
Trojan.Win32.FakeFolder.pb Worm.AutoRun!PDL9JmhYC4g Backdoor.Win32.DarkMoon", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Raxlogon.Trojan": [[26, 45]], "Indicator: Worm.Win32.AutoRun!O": [[46, 66]], "Indicator: Worm.Autorun.ZI8": [[67, 83]], "Indicator: Worm.AutoRun.Win32.22949": [[84, 108]], "Indicator: Win32.Worm.FakeFolder.b": [[109, 132]], "Indicator: Win32/QQPass.NNE": [[133, 149]], "Indicator: Worm.AutoRun": [[150, 162]], "Indicator: Worm.Win32.AutoRun.hit": [[163, 185]], "Indicator: Trojan.Win32.AutoRun.uaado": [[186, 212]], "Indicator: Worm.Win32.Autorun.81108": [[213, 237]], "Indicator: Worm.Win32.Pronny.BL": [[238, 258]], "Indicator: Trojan.PWS.Qqpass.5627": [[259, 281]], "Indicator: BackDoor-CCT.dll": [[282, 298]], "Indicator: Worm/AutoRun.wxz": [[299, 315]], "Indicator: Trojan:Win32/Hideproc.E": [[316, 339]], "Indicator: Trojan[Monitor]/Win32.ActualSpy": [[340, 371]], "Indicator: Win32.Troj.Undef.kcloud": [[372, 395]], "Indicator: HEUR/Fakon.mwf": [[396, 410]], "Indicator: Trojan.AVKill": [[411, 424]], "Indicator: W32/Autorun.KBC": [[425, 440]], "Indicator: Trojan.Win32.FakeFolder.pb": [[441, 467]], "Indicator: Worm.AutoRun!PDL9JmhYC4g": [[468, 492]], "Indicator: Backdoor.Win32.DarkMoon": [[493, 516]]}, "info": {"id": "cyner2_5class_train_02506", "source": "cyner2_5class_train"}} +{"text": "New campaign involving PoSeidon/FindPOS point of sale malware", "spans": {"Malware: campaign": [[4, 12]], "Indicator: PoSeidon/FindPOS": [[23, 39]], "Malware: point of sale malware": [[40, 61]]}, "info": {"id": "cyner2_5class_train_02507", "source": "cyner2_5class_train"}} +{"text": "This morning Mozilla released security updates that fix the vulnerability.", "spans": {"Organization: Mozilla": [[13, 20]], "Vulnerability: vulnerability.": [[60, 74]]}, "info": {"id": "cyner2_5class_train_02508", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Notepices Win32.Trojan.WisdomEyes.16070401.9500.9871 
not-a-virus:AdWare.Win32.ICLoader.alpu Riskware.Win32.Hpdefender.ekfhpl Trojan.StartPage1.28867 Trojan.Win32.Notepices Pua.Downloader GrayWare[AdWare]/Win32.Hpdefender not-a-virus:AdWare.Win32.ICLoader.alpu Adware.HPDefender Win32/Adware.HPDefender.JG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Notepices": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9871": [[43, 85]], "Indicator: not-a-virus:AdWare.Win32.ICLoader.alpu": [[86, 124], [254, 292]], "Indicator: Riskware.Win32.Hpdefender.ekfhpl": [[125, 157]], "Indicator: Trojan.StartPage1.28867": [[158, 181]], "Indicator: Trojan.Win32.Notepices": [[182, 204]], "Indicator: Pua.Downloader": [[205, 219]], "Indicator: GrayWare[AdWare]/Win32.Hpdefender": [[220, 253]], "Indicator: Adware.HPDefender": [[293, 310]], "Indicator: Win32/Adware.HPDefender.JG": [[311, 337]]}, "info": {"id": "cyner2_5class_train_02509", "source": "cyner2_5class_train"}} +{"text": "Standard browser search history Standard browser bookmarks Device handset metadata ; such as brand , display , hardware , manufacturer , product , serial , radio version , and SDK .", "spans": {}, "info": {"id": "cyner2_5class_train_02510", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.RsLpTTc.Worm Ransom.Lyposit.S3755 W32.Sality.lak4 Trojan/Lyposit.a Trojan.Zusy.D382F1 Ransom_Lyposit.R002C0CAT18 Win32.Trojan.WisdomEyes.16070401.9500.9902 Ransom_Lyposit.R002C0CAT18 Win.Trojan.Updays-1 Trojan.Win32.Clicker.efvwpu TrojWare.Win32.Lyposit.C Trojan.Click2.50933 Trojan.Lyposit.Win32.25 Trojan-Ransom.Lyposit Ransom:Win32/Lyposit.B Trojan/Win32.Lyposit.R188188 W32/Lyposit.A70!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.RsLpTTc.Worm": [[26, 48]], "Indicator: Ransom.Lyposit.S3755": [[49, 69]], "Indicator: W32.Sality.lak4": [[70, 85]], "Indicator: Trojan/Lyposit.a": [[86, 102]], "Indicator: Trojan.Zusy.D382F1": [[103, 121]], "Indicator: Ransom_Lyposit.R002C0CAT18": [[122, 148], [192, 
218]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9902": [[149, 191]], "Indicator: Win.Trojan.Updays-1": [[219, 238]], "Indicator: Trojan.Win32.Clicker.efvwpu": [[239, 266]], "Indicator: TrojWare.Win32.Lyposit.C": [[267, 291]], "Indicator: Trojan.Click2.50933": [[292, 311]], "Indicator: Trojan.Lyposit.Win32.25": [[312, 335]], "Indicator: Trojan-Ransom.Lyposit": [[336, 357]], "Indicator: Ransom:Win32/Lyposit.B": [[358, 380]], "Indicator: Trojan/Win32.Lyposit.R188188": [[381, 409]], "Indicator: W32/Lyposit.A70!tr": [[410, 428]]}, "info": {"id": "cyner2_5class_train_02511", "source": "cyner2_5class_train"}} +{"text": "The malware used in email campaigns is often ransomware or banking malware.", "spans": {"Malware: malware": [[4, 11]], "Malware: ransomware": [[45, 55]], "Malware: banking malware.": [[59, 75]]}, "info": {"id": "cyner2_5class_train_02512", "source": "cyner2_5class_train"}} +{"text": "It collects information about the smartphone ( IMEI , country , service provider , operating system language ) and sends it to the host via the HTTP POST request .", "spans": {}, "info": {"id": "cyner2_5class_train_02513", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Injector.AutoIt Trojan.StartPage1.24074 TrojanClicker:Win32/Rubalotalow.A Win32/Trojan.ab1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.AutoIt": [[26, 48]], "Indicator: Trojan.StartPage1.24074": [[49, 72]], "Indicator: TrojanClicker:Win32/Rubalotalow.A": [[73, 106]], "Indicator: Win32/Trojan.ab1": [[107, 123]]}, "info": {"id": "cyner2_5class_train_02514", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9989 Win.Trojan.Zusy-6041926-0 Trojan.Win32.Scar.okvf Win32.Trojan.Scar.Wwek Trojan.DownLoader24.19336 Trojan.Scar.kws Trojan/Win32.Cosmu PWS:Win32/Sapbexts.B Trojan.Win32.Scar.okvf Trojan/Win32.Cosmu.R214802 Trojan.Vilsel Trojan.Cosmu!F9mC6Li+PNw 
Win32/Trojan.Scar.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[65, 107]], "Indicator: Win.Trojan.Zusy-6041926-0": [[108, 133]], "Indicator: Trojan.Win32.Scar.okvf": [[134, 156], [262, 284]], "Indicator: Win32.Trojan.Scar.Wwek": [[157, 179]], "Indicator: Trojan.DownLoader24.19336": [[180, 205]], "Indicator: Trojan.Scar.kws": [[206, 221]], "Indicator: Trojan/Win32.Cosmu": [[222, 240]], "Indicator: PWS:Win32/Sapbexts.B": [[241, 261]], "Indicator: Trojan/Win32.Cosmu.R214802": [[285, 311]], "Indicator: Trojan.Vilsel": [[312, 325]], "Indicator: Trojan.Cosmu!F9mC6Li+PNw": [[326, 350]], "Indicator: Win32/Trojan.Scar.C": [[351, 370]]}, "info": {"id": "cyner2_5class_train_02515", "source": "cyner2_5class_train"}} +{"text": "You may mistakenly download and run TrojanDropper:Win32/Gepys.A, thinking it is an update for Java.", "spans": {"Indicator: download and run TrojanDropper:Win32/Gepys.A,": [[19, 64]], "Indicator: an update for Java.": [[80, 99]]}, "info": {"id": "cyner2_5class_train_02516", "source": "cyner2_5class_train"}} +{"text": "Spaghetti and junk codes make common analyst tools ineffective In analyzing FinFisher , the first obfuscation problem that requires a solution is the removal of junk instructions and “ spaghetti code ” , which is a technique that aims to confuse disassembly programs .", "spans": {"Malware: FinFisher": [[76, 85]]}, "info": {"id": "cyner2_5class_train_02517", "source": "cyner2_5class_train"}} +{"text": "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals such an attack is also known as DNS-hijacking.", "spans": {"Indicator: attack": [[7, 13], [225, 231]], "Malware: malware": [[28, 35]], "Indicator: addresses": [[48, 57]], "System: 
DNS servers": [[65, 76]], "System: router's settings,": [[84, 102]], "Indicator: rerouting": [[111, 120]], "System: DNS queries": [[125, 136]], "System: devices": [[142, 149]], "Indicator: attacked": [[157, 165]], "System: Wi-Fi network": [[166, 179]], "System: servers": [[187, 194]], "Indicator: DNS-hijacking.": [[249, 263]]}, "info": {"id": "cyner2_5class_train_02518", "source": "cyner2_5class_train"}} +{"text": "It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages .", "spans": {}, "info": {"id": "cyner2_5class_train_02519", "source": "cyner2_5class_train"}} +{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"Organization: Cisco": [[80, 85]]}, "info": {"id": "cyner2_5class_train_02520", "source": "cyner2_5class_train"}} +{"text": "Each time a rented malware reaches the end of its life it provides the opportunity for other actors a to take over the malware rental market-share .", "spans": {}, "info": {"id": "cyner2_5class_train_02521", "source": "cyner2_5class_train"}} +{"text": "Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.", "spans": {"Indicator: delivery domains": [[53, 69]], "Organization: El Universal, a major Mexican newspaper.": [[97, 137]]}, "info": {"id": "cyner2_5class_train_02522", "source": "cyner2_5class_train"}} +{"text": "These emails are mainly sent to Colombians who may work in the accounting or finance departments of various-sized organizations.", "spans": {}, "info": {"id": "cyner2_5class_train_02523", "source": "cyner2_5class_train"}} +{"text": "A Communication Channel via Stolen SMS In addition , TrickMo has an automatic mechanism to send SMS messages to its C & C server .", "spans": {"Malware: TrickMo": [[53, 60]]}, "info": {"id": "cyner2_5class_train_02524", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: Trojan.Downloader Trojan/Downloader.Boaxxe.aa Win32.TRDldr.JeRips TR/Dldr.JeRips.A W32/Boaxxe.AB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader": [[26, 43]], "Indicator: Trojan/Downloader.Boaxxe.aa": [[44, 71]], "Indicator: Win32.TRDldr.JeRips": [[72, 91]], "Indicator: TR/Dldr.JeRips.A": [[92, 108]], "Indicator: W32/Boaxxe.AB!tr": [[109, 125]]}, "info": {"id": "cyner2_5class_train_02525", "source": "cyner2_5class_train"}} +{"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP С & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service .", "spans": {"System: GSM": [[188, 191]], "Indicator: url.plus:5223": [[336, 349]], "Indicator: url.plus/app/pro/": [[405, 422]]}, "info": {"id": "cyner2_5class_train_02526", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.MulDrop5.40693 TR/Downloader.A.7912 Trojan[Ransom]/Win32.Blocker Trojan:MSIL/Dubfot.A Trojan.FakeMS Trojan.MSIL.IRCBot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[26, 68]], "Indicator: Trojan.MulDrop5.40693": [[69, 90]], "Indicator: TR/Downloader.A.7912": [[91, 111]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[112, 140]], "Indicator: Trojan:MSIL/Dubfot.A": [[141, 161]], "Indicator: Trojan.FakeMS": [[162, 175]], "Indicator: Trojan.MSIL.IRCBot": [[176, 194]]}, "info": {"id": "cyner2_5class_train_02527", "source": "cyner2_5class_train"}} +{"text": "Data was always sent to the C & C server via HTTP in the body of a POST request in encrypted form to the 
relative address /something/index.php .", "spans": {"Indicator: /something/index.php": [[122, 142]]}, "info": {"id": "cyner2_5class_train_02528", "source": "cyner2_5class_train"}} +{"text": "The placement of the decoy functionality is likely designed to confuse the malware researchers .", "spans": {}, "info": {"id": "cyner2_5class_train_02529", "source": "cyner2_5class_train"}} +{"text": "New ransomware using the .ipygh extension.", "spans": {"Malware: ransomware": [[4, 14]], "Indicator: .ipygh extension.": [[25, 42]]}, "info": {"id": "cyner2_5class_train_02530", "source": "cyner2_5class_train"}} +{"text": "How do you know if your Google account is breached ? You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ .", "spans": {"Organization: Google": [[24, 30]], "Indicator: https : //gooligan.checkpoint.com/": [[152, 186]]}, "info": {"id": "cyner2_5class_train_02531", "source": "cyner2_5class_train"}} +{"text": "BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details .", "spans": {}, "info": {"id": "cyner2_5class_train_02532", "source": "cyner2_5class_train"}} +{"text": "The most recently discovered Microsoft SQL server being used as Escalar infrastructure contained records of 1660 infections that all connected in a two-day time frame.", "spans": {"System: Microsoft SQL server": [[29, 49]], "Malware: Escalar": [[64, 71]], "System: infrastructure": [[72, 86]]}, "info": {"id": "cyner2_5class_train_02533", "source": "cyner2_5class_train"}} +{"text": "Later on, we found evidence of the same attack perpetrated on May 3.", "spans": {"Indicator: attack": [[40, 46]]}, "info": {"id": "cyner2_5class_train_02534", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Lemoor.A Worm/W32.Lemoor.1981 Trojan-Downloader.Win32.Small!O Win32.Worm.Lemoor.A Worm.Lemoor.Win32.2 W32.W.Lemoor.a!c W32/Lemoor.a Win32.Worm.Lemoor.A WORM_LEMOOR.D 
Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Lemoor.A W32.Lemoor.A WORM_LEMOOR.D Win.Worm.Lemoor-3 Win32.Worm.Lemoor.A Worm.Win32.Lemoor.a Win32.Worm.Lemoor.A Win32.Worm.Lemoor.A Worm.Win32.Lemoor.B Win32.Worm.Lemoor.A Win32.Ephem.24 W32/Lemoor.JDMS-3575 I-Worm/Lemoor.a WORM/Lemoor.A Worm/Win32.Lemoor Worm.Win32.Lemoor.a Worm/Win32.Lemoor.R37765 Worm.Lemoor W32/Lemoor.B.worm Win32/Lemoor.B Win32.Worm.Lemoor.Ahos Worm.Lemoor!V5CZ/YV1RTs Worm.Win32.Lemoor W32/Lemoor.A!worm Win32/Worm.857", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Lemoor.A": [[26, 45], [99, 118], [169, 188], [304, 323], [344, 363], [364, 383], [404, 423]], "Indicator: Worm/W32.Lemoor.1981": [[46, 66]], "Indicator: Trojan-Downloader.Win32.Small!O": [[67, 98]], "Indicator: Worm.Lemoor.Win32.2": [[119, 138]], "Indicator: W32.W.Lemoor.a!c": [[139, 155]], "Indicator: W32/Lemoor.a": [[156, 168]], "Indicator: WORM_LEMOOR.D": [[189, 202], [272, 285]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[203, 245]], "Indicator: W32/Lemoor.A": [[246, 258]], "Indicator: W32.Lemoor.A": [[259, 271]], "Indicator: Win.Worm.Lemoor-3": [[286, 303]], "Indicator: Worm.Win32.Lemoor.a": [[324, 343], [508, 527]], "Indicator: Worm.Win32.Lemoor.B": [[384, 403]], "Indicator: Win32.Ephem.24": [[424, 438]], "Indicator: W32/Lemoor.JDMS-3575": [[439, 459]], "Indicator: I-Worm/Lemoor.a": [[460, 475]], "Indicator: WORM/Lemoor.A": [[476, 489]], "Indicator: Worm/Win32.Lemoor": [[490, 507]], "Indicator: Worm/Win32.Lemoor.R37765": [[528, 552]], "Indicator: Worm.Lemoor": [[553, 564]], "Indicator: W32/Lemoor.B.worm": [[565, 582]], "Indicator: Win32/Lemoor.B": [[583, 597]], "Indicator: Win32.Worm.Lemoor.Ahos": [[598, 620]], "Indicator: Worm.Lemoor!V5CZ/YV1RTs": [[621, 644]], "Indicator: Worm.Win32.Lemoor": [[645, 662]], "Indicator: W32/Lemoor.A!worm": [[663, 680]], "Indicator: Win32/Worm.857": [[681, 695]]}, "info": {"id": "cyner2_5class_train_02535", "source": "cyner2_5class_train"}} +{"text": "User-agent: 
Go-http-client/1.1", "spans": {"Indicator: User-agent: Go-http-client/1.1": [[0, 30]]}, "info": {"id": "cyner2_5class_train_02536", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah Trojan.KillDisk.Win32.208 Trojan/KillDisk.nbh Win32.Trojan.WisdomEyes.16070401.9500.9834 Trojan.Disakil Win.Trojan.KillDisk-3 Trojan.Win32.KillDisk.fw Win32.Trojan.Killdisk.Pgmq Trojan:Win32/KillDisk.N!dha Trojan.KillDisk.1 Trojan.Win32.KillDisk.fw Trojan/Win32.KillDisk.C1706046 Trojan.KillDisk Win32/KillDisk.NBH Trojan.KillDisk!B1yc+Gvh2zs Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah": [[26, 40]], "Indicator: Trojan.KillDisk.Win32.208": [[41, 66]], "Indicator: Trojan/KillDisk.nbh": [[67, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9834": [[87, 129]], "Indicator: Trojan.Disakil": [[130, 144]], "Indicator: Win.Trojan.KillDisk-3": [[145, 166]], "Indicator: Trojan.Win32.KillDisk.fw": [[167, 191], [265, 289]], "Indicator: Win32.Trojan.Killdisk.Pgmq": [[192, 218]], "Indicator: Trojan:Win32/KillDisk.N!dha": [[219, 246]], "Indicator: Trojan.KillDisk.1": [[247, 264]], "Indicator: Trojan/Win32.KillDisk.C1706046": [[290, 320]], "Indicator: Trojan.KillDisk": [[321, 336]], "Indicator: Win32/KillDisk.NBH": [[337, 355]], "Indicator: Trojan.KillDisk!B1yc+Gvh2zs": [[356, 383]], "Indicator: Trj/CI.A": [[384, 392]]}, "info": {"id": "cyner2_5class_train_02537", "source": "cyner2_5class_train"}} +{"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 .", "spans": {}, "info": {"id": "cyner2_5class_train_02538", "source": "cyner2_5class_train"}} +{"text": "The normal lifecycle of an Office exploit starts with the initial use in targeted attacks.", "spans": {"Vulnerability: an Office exploit": [[24, 41]], "Indicator: attacks.": [[82, 90]]}, "info": {"id": "cyner2_5class_train_02539", "source": "cyner2_5class_train"}} +{"text": "Emergency SMS 
commands .", "spans": {}, "info": {"id": "cyner2_5class_train_02540", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.LdPinch!O TrojanPWS.Ldpinch Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/Tnega.YML TSPY_LDPINCH_DD3005CF.UVPA Trojan-PSW.Win32.LdPinch.guf Trojan.Win32.LdPinch.crgdkw Trojan.LdPinch.Win32.5281 BehavesLike.Win32.Trojan.fz Trojan.Win32.Vilsel W32/Trojan.JQPI-8861 Trojan/PSW.LdPinch.pxf Trojan[PSW]/Win32.LdPinch Trojan.Heur.E4E165 Troj.Psw.W32.Ldpinch!c Trojan-PSW.Win32.LdPinch.guf PWS:Win32/Phorex.A Trojan/Win32.LdPinch.R68731 Trojan.PWS.LdPinch!MPU8gCWOSOw W32/LdPinch.GUF!tr.pws TrojanPSW.Pinch Win32/Trojan.PSW.b93", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.LdPinch!O": [[26, 52]], "Indicator: TrojanPWS.Ldpinch": [[53, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[71, 113]], "Indicator: Win32/Tnega.YML": [[114, 129]], "Indicator: TSPY_LDPINCH_DD3005CF.UVPA": [[130, 156]], "Indicator: Trojan-PSW.Win32.LdPinch.guf": [[157, 185], [400, 428]], "Indicator: Trojan.Win32.LdPinch.crgdkw": [[186, 213]], "Indicator: Trojan.LdPinch.Win32.5281": [[214, 239]], "Indicator: BehavesLike.Win32.Trojan.fz": [[240, 267]], "Indicator: Trojan.Win32.Vilsel": [[268, 287]], "Indicator: W32/Trojan.JQPI-8861": [[288, 308]], "Indicator: Trojan/PSW.LdPinch.pxf": [[309, 331]], "Indicator: Trojan[PSW]/Win32.LdPinch": [[332, 357]], "Indicator: Trojan.Heur.E4E165": [[358, 376]], "Indicator: Troj.Psw.W32.Ldpinch!c": [[377, 399]], "Indicator: PWS:Win32/Phorex.A": [[429, 447]], "Indicator: Trojan/Win32.LdPinch.R68731": [[448, 475]], "Indicator: Trojan.PWS.LdPinch!MPU8gCWOSOw": [[476, 506]], "Indicator: W32/LdPinch.GUF!tr.pws": [[507, 529]], "Indicator: TrojanPSW.Pinch": [[530, 545]], "Indicator: Win32/Trojan.PSW.b93": [[546, 566]]}, "info": {"id": "cyner2_5class_train_02541", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.QQRob.NBU Trojan-PSW.Win32.QQPass!O 
PSW.QQPass.13953 Trojan.PWS.QQRob.NBU Trojan/PSW.QQPass.ban Win32.Worm.Autorun.ar Infostealer.QQRob.A WORM_AUTORUN.EDD Win.Trojan.QQPass-84 Trojan.PWS.QQRob.NBU Trojan-PSW.Win32.QQPass.ban Trojan.PWS.QQRob.NBU Trojan.Win32.QQPass.btqyi Trojan.Win32.Z.Qqpass.73427 Trojan.Tencent/Variant Trojan.PWS.QQRob.NBU TrojWare.Win32.PSW.QQPass.~GK Trojan.PWS.Qqpass.1364 WORM_AUTORUN.EDD BehavesLike.Win32.PWSQQGame.lh W32/Pws.VYB Trojan/PSW.QQPass.bhp Win32.Troj.QQPswT.bs.116858 Trojan.PWS.QQRob.NBU Troj.Psw.W32.Qqpass!c Trojan-PSW.Win32.QQPass.ban MalwareScope.Trojan-PSW.Game.7 Trj/QQPass.AOI Win32.Trojan-qqpass.Qqrob.Pcsk Trojan-Dropper.Win32.Delf W32/Dropper.DLF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.QQRob.NBU": [[26, 46], [90, 110], [213, 233], [262, 282], [360, 380], [544, 564]], "Indicator: Trojan-PSW.Win32.QQPass!O": [[47, 72]], "Indicator: PSW.QQPass.13953": [[73, 89]], "Indicator: Trojan/PSW.QQPass.ban": [[111, 132]], "Indicator: Win32.Worm.Autorun.ar": [[133, 154]], "Indicator: Infostealer.QQRob.A": [[155, 174]], "Indicator: WORM_AUTORUN.EDD": [[175, 191], [434, 450]], "Indicator: Win.Trojan.QQPass-84": [[192, 212]], "Indicator: Trojan-PSW.Win32.QQPass.ban": [[234, 261], [587, 614]], "Indicator: Trojan.Win32.QQPass.btqyi": [[283, 308]], "Indicator: Trojan.Win32.Z.Qqpass.73427": [[309, 336]], "Indicator: Trojan.Tencent/Variant": [[337, 359]], "Indicator: TrojWare.Win32.PSW.QQPass.~GK": [[381, 410]], "Indicator: Trojan.PWS.Qqpass.1364": [[411, 433]], "Indicator: BehavesLike.Win32.PWSQQGame.lh": [[451, 481]], "Indicator: W32/Pws.VYB": [[482, 493]], "Indicator: Trojan/PSW.QQPass.bhp": [[494, 515]], "Indicator: Win32.Troj.QQPswT.bs.116858": [[516, 543]], "Indicator: Troj.Psw.W32.Qqpass!c": [[565, 586]], "Indicator: MalwareScope.Trojan-PSW.Game.7": [[615, 645]], "Indicator: Trj/QQPass.AOI": [[646, 660]], "Indicator: Win32.Trojan-qqpass.Qqrob.Pcsk": [[661, 691]], "Indicator: Trojan-Dropper.Win32.Delf": [[692, 717]], "Indicator: 
W32/Dropper.DLF!tr": [[718, 736]]}, "info": {"id": "cyner2_5class_train_02542", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.BHO.89848 Trojan/BHO.gzx TSPY_BZUB.CN Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.FNXB TSPY_BZUB.CN Win.Trojan.Bho-4826 Trojan.Win32.BHO.gzx Trojan.Win32.BHO.cqlbw TrojWare.Win32.BHO.SR Trojan.MulDrop.20001 Trojan.BHO.Win32.3053 BehavesLike.Win32.Backdoor.mc W32/Trojan.RKCQ-8049 Trojan/BHO.csn Win32.Troj.BHO.kcloud Trojan.Heur.RP.E89CDE Trojan.Win32.BHO.gzx PWS:Win32/Cimuz.J Trojan/Win32.Inject.C94649 Trojan.BHO Win32/Spy.BZub.NFS Trojan.BHO!Tkmwppjy1xw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.BHO.89848": [[26, 46]], "Indicator: Trojan/BHO.gzx": [[47, 61]], "Indicator: TSPY_BZUB.CN": [[62, 74], [135, 147]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: W32/Trojan2.FNXB": [[118, 134]], "Indicator: Win.Trojan.Bho-4826": [[148, 167]], "Indicator: Trojan.Win32.BHO.gzx": [[168, 188], [387, 407]], "Indicator: Trojan.Win32.BHO.cqlbw": [[189, 211]], "Indicator: TrojWare.Win32.BHO.SR": [[212, 233]], "Indicator: Trojan.MulDrop.20001": [[234, 254]], "Indicator: Trojan.BHO.Win32.3053": [[255, 276]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[277, 306]], "Indicator: W32/Trojan.RKCQ-8049": [[307, 327]], "Indicator: Trojan/BHO.csn": [[328, 342]], "Indicator: Win32.Troj.BHO.kcloud": [[343, 364]], "Indicator: Trojan.Heur.RP.E89CDE": [[365, 386]], "Indicator: PWS:Win32/Cimuz.J": [[408, 425]], "Indicator: Trojan/Win32.Inject.C94649": [[426, 452]], "Indicator: Trojan.BHO": [[453, 463]], "Indicator: Win32/Spy.BZub.NFS": [[464, 482]], "Indicator: Trojan.BHO!Tkmwppjy1xw": [[483, 505]]}, "info": {"id": "cyner2_5class_train_02543", "source": "cyner2_5class_train"}} +{"text": "Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout .", "spans": {"Malware: Chrysaor": [[0, 8]], 
"Malware: Pegasus": [[42, 49]], "System: iOS": [[87, 90]], "Organization: Citizen Lab": [[107, 118]], "Organization: Lookout": [[123, 130]]}, "info": {"id": "cyner2_5class_train_02544", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.VB!O TrojanDownloader.VB Troj.Banker.W32.Bancos.lgUF Trojan/Downloader.VB.iro Win32.Trojan.WisdomEyes.16070401.9500.9935 Win32/SillyDl.GEF Win.Trojan.Downloader-37507 Trojan-Downloader.Win32.VB.iro Trojan.Win32.VB.vrga Trojan.Win32.Downloader.69122.B TrojWare.Win32.Banker.etk74 Trojan.Show.34817 Downloader.VB.Win32.114 WORM_IRCBOT.SMOK BehavesLike.Win32.YahLover.ct TrojanDownloader.VB.gvh Trojan[Downloader]/Win32.VB Trojan-Downloader.Win32.VB.iro DoS:Win32/Pokanti.A Downloader/Win32.VB.R6537 TScope.Trojan.VB Win32.Trojan-downloader.Vb.Pdmc Trojan.DL.VB!zHigarbFEUc Trojan-Downloader.Win32.VB Win32/Trojan.Downloader.b8b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.VB!O": [[26, 54]], "Indicator: TrojanDownloader.VB": [[55, 74]], "Indicator: Troj.Banker.W32.Bancos.lgUF": [[75, 102]], "Indicator: Trojan/Downloader.VB.iro": [[103, 127]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9935": [[128, 170]], "Indicator: Win32/SillyDl.GEF": [[171, 188]], "Indicator: Win.Trojan.Downloader-37507": [[189, 216]], "Indicator: Trojan-Downloader.Win32.VB.iro": [[217, 247], [470, 500]], "Indicator: Trojan.Win32.VB.vrga": [[248, 268]], "Indicator: Trojan.Win32.Downloader.69122.B": [[269, 300]], "Indicator: TrojWare.Win32.Banker.etk74": [[301, 328]], "Indicator: Trojan.Show.34817": [[329, 346]], "Indicator: Downloader.VB.Win32.114": [[347, 370]], "Indicator: WORM_IRCBOT.SMOK": [[371, 387]], "Indicator: BehavesLike.Win32.YahLover.ct": [[388, 417]], "Indicator: TrojanDownloader.VB.gvh": [[418, 441]], "Indicator: Trojan[Downloader]/Win32.VB": [[442, 469]], "Indicator: DoS:Win32/Pokanti.A": [[501, 520]], "Indicator: Downloader/Win32.VB.R6537": [[521, 546]], "Indicator: 
TScope.Trojan.VB": [[547, 563]], "Indicator: Win32.Trojan-downloader.Vb.Pdmc": [[564, 595]], "Indicator: Trojan.DL.VB!zHigarbFEUc": [[596, 620]], "Indicator: Trojan-Downloader.Win32.VB": [[621, 647]], "Indicator: Win32/Trojan.Downloader.b8b": [[648, 675]]}, "info": {"id": "cyner2_5class_train_02545", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Dropper.GO W97M/Downloader.aho W2KM_DLOADE.VHC Trojan.Script.MLW.dsmnja W2KM_DLOADE.VHC W97M/Downloader.aho HEUR.VBA.Trojan macro.ole.encodedownload.g", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Dropper.GO": [[26, 41]], "Indicator: W97M/Downloader.aho": [[42, 61], [119, 138]], "Indicator: W2KM_DLOADE.VHC": [[62, 77], [103, 118]], "Indicator: Trojan.Script.MLW.dsmnja": [[78, 102]], "Indicator: HEUR.VBA.Trojan": [[139, 154]], "Indicator: macro.ole.encodedownload.g": [[155, 181]]}, "info": {"id": "cyner2_5class_train_02546", "source": "cyner2_5class_train"}} +{"text": "Even though we could not find indications of being in use , two stand out .", "spans": {}, "info": {"id": "cyner2_5class_train_02547", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.PornoBlocker!O Trojan/PornoBlocker.adki Win32.Virus.Krap.a HV_RANSOM_CA222F78.TOMC Win.Trojan.Kryptik-1359 Trojan-Ransom.Win32.PornoBlocker.adki Trojan.Win32.Butirat.wyaex Trojan.Win32.A.PornoBlocker.197120.B ApplicUnwnt.Win32.Hoax.ArchSMS.SG BackDoor.Butirat.51 BehavesLike.Win32.PUPXAG.ch Trojan/PornoBlocker.chv Trojan[Ransom]/Win32.PornoBlocker Trojan.Kazy.DCA1D Trojan-Ransom.Win32.PornoBlocker.adki Trojan:Win32/Waprox.A Trojan/Win32.PornoBlocker.C156437 Hoax.PornoBlocker Trj/Pacrypt.D Trojan.PornoBlocker!0B81yxGeAIw Trojan.Win32.Waprox W32/Zbot.RO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.PornoBlocker!O": [[26, 60]], "Indicator: Trojan/PornoBlocker.adki": [[61, 85]], "Indicator: Win32.Virus.Krap.a": [[86, 104]], "Indicator: HV_RANSOM_CA222F78.TOMC": 
[[105, 128]], "Indicator: Win.Trojan.Kryptik-1359": [[129, 152]], "Indicator: Trojan-Ransom.Win32.PornoBlocker.adki": [[153, 190], [413, 450]], "Indicator: Trojan.Win32.Butirat.wyaex": [[191, 217]], "Indicator: Trojan.Win32.A.PornoBlocker.197120.B": [[218, 254]], "Indicator: ApplicUnwnt.Win32.Hoax.ArchSMS.SG": [[255, 288]], "Indicator: BackDoor.Butirat.51": [[289, 308]], "Indicator: BehavesLike.Win32.PUPXAG.ch": [[309, 336]], "Indicator: Trojan/PornoBlocker.chv": [[337, 360]], "Indicator: Trojan[Ransom]/Win32.PornoBlocker": [[361, 394]], "Indicator: Trojan.Kazy.DCA1D": [[395, 412]], "Indicator: Trojan:Win32/Waprox.A": [[451, 472]], "Indicator: Trojan/Win32.PornoBlocker.C156437": [[473, 506]], "Indicator: Hoax.PornoBlocker": [[507, 524]], "Indicator: Trj/Pacrypt.D": [[525, 538]], "Indicator: Trojan.PornoBlocker!0B81yxGeAIw": [[539, 570]], "Indicator: Trojan.Win32.Waprox": [[571, 590]], "Indicator: W32/Zbot.RO!tr": [[591, 605]]}, "info": {"id": "cyner2_5class_train_02548", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VBS.UAJ Trojan.VBS.UAJ Win32.Trojan.WisdomEyes.16070401.9500.9853 Trojan.VBS.UAJ Vbs.Trojan.Vbs.Ljjs Trojan.VBS.UAJ Trojan.VBS.UAJ Trojan.DownLoader19.25627 BehavesLike.Win32.Downloader.qh Trojan.Barys Trojan.MSIL.amcc Trojan.VBS.UAJ Trojan.VBS.UAJ Trojan.MSIL.Zapchast VBS/Shutdown.NAH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBS.UAJ": [[26, 40], [41, 55], [99, 113], [134, 148], [149, 163], [252, 266], [267, 281]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9853": [[56, 98]], "Indicator: Vbs.Trojan.Vbs.Ljjs": [[114, 133]], "Indicator: Trojan.DownLoader19.25627": [[164, 189]], "Indicator: BehavesLike.Win32.Downloader.qh": [[190, 221]], "Indicator: Trojan.Barys": [[222, 234]], "Indicator: Trojan.MSIL.amcc": [[235, 251]], "Indicator: Trojan.MSIL.Zapchast": [[282, 302]], "Indicator: VBS/Shutdown.NAH": [[303, 319]]}, "info": {"id": "cyner2_5class_train_02549", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: RTKT_SMALL.NLA RTKT_SMALL.NLA Trojan.Win32.Small.dplckv Adware.AdLoad.Win32.8710 BehavesLike.Win32.PUPXAX.lc Trojan.Zusy.D2BE63 Rootkit.Small!rTi0K4xzlKc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RTKT_SMALL.NLA": [[26, 40], [41, 55]], "Indicator: Trojan.Win32.Small.dplckv": [[56, 81]], "Indicator: Adware.AdLoad.Win32.8710": [[82, 106]], "Indicator: BehavesLike.Win32.PUPXAX.lc": [[107, 134]], "Indicator: Trojan.Zusy.D2BE63": [[135, 153]], "Indicator: Rootkit.Small!rTi0K4xzlKc": [[154, 179]]}, "info": {"id": "cyner2_5class_train_02550", "source": "cyner2_5class_train"}} +{"text": "This sample is clearly a mix between the two .", "spans": {}, "info": {"id": "cyner2_5class_train_02551", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VodyDmpA.Worm Trojan/W32.Small.9265 RiskWare.Tool.CK Trojan/Pakes.c Win32.Trojan.WisdomEyes.151026.9950.9983 W32/Trojan.WZX TROJ_PAKES.JV Virus.Win32.Xorer.a Trojan.Win32.Pakes.bovph Trojan.Win32.Pakes.9261[h] Trojan.Dropper/Packed Win32.Virus.Xorer.Pkqs TrojWare.Win32.Patched.KSU Trojan.Rox Virus.Xorer.Win32.101 TROJ_PAKES.JV BehavesLike.Win32.Downloader.zc W32/Trojan.YUJV-5997 W32/Pakes.C!tr W32.Xorer.a!c Win-Trojan/Pakes.9265 Trojan.Pakes Virus.Win32.Xorer Clicker.BEHT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VodyDmpA.Worm": [[26, 43]], "Indicator: Trojan/W32.Small.9265": [[44, 65]], "Indicator: RiskWare.Tool.CK": [[66, 82]], "Indicator: Trojan/Pakes.c": [[83, 97]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9983": [[98, 138]], "Indicator: W32/Trojan.WZX": [[139, 153]], "Indicator: TROJ_PAKES.JV": [[154, 167], [345, 358]], "Indicator: Virus.Win32.Xorer.a": [[168, 187]], "Indicator: Trojan.Win32.Pakes.bovph": [[188, 212]], "Indicator: Trojan.Win32.Pakes.9261[h]": [[213, 239]], "Indicator: Trojan.Dropper/Packed": [[240, 261]], "Indicator: Win32.Virus.Xorer.Pkqs": [[262, 284]], "Indicator: TrojWare.Win32.Patched.KSU": [[285, 311]], 
"Indicator: Trojan.Rox": [[312, 322]], "Indicator: Virus.Xorer.Win32.101": [[323, 344]], "Indicator: BehavesLike.Win32.Downloader.zc": [[359, 390]], "Indicator: W32/Trojan.YUJV-5997": [[391, 411]], "Indicator: W32/Pakes.C!tr": [[412, 426]], "Indicator: W32.Xorer.a!c": [[427, 440]], "Indicator: Win-Trojan/Pakes.9265": [[441, 462]], "Indicator: Trojan.Pakes": [[463, 475]], "Indicator: Virus.Win32.Xorer": [[476, 493]], "Indicator: Clicker.BEHT": [[494, 506]]}, "info": {"id": "cyner2_5class_train_02552", "source": "cyner2_5class_train"}} +{"text": "One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean ( 4.3 ) or earlier .", "spans": {"Malware: Chrysaor": [[26, 34]], "System: Jellybean ( 4.3 )": [[88, 105]]}, "info": {"id": "cyner2_5class_train_02553", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.GamesonTBDll1.Trojan Trojan.PWS.OnlineGames.ZLU Trojan-PWS/W32.WebGame.229376.BS Trojan.Tilcun.B7 Trojan.PWS.OnlineGames.ZLU Trojan/OnLineGames.arus TSPY_ONLINEG.FGF Win32.Trojan-PSW.OLGames.cc Infostealer.Gampass TSPY_ONLINEG.FGF Win.Spyware.45047-2 Trojan.PWS.OnlineGames.ZLU Trojan.PWS.OnlineGames.ZLU Trojan.Win32.OnLineGames.bemmm Trojan.Win32.PSWIGames.229376.Q Trojan.PWS.OnlineGames.ZLU TrojWare.Win32.PSW.OnLineGames.NOA Trojan.PWS.OnlineGames.ZLU Trojan.PWS.Gamania.11506 BehavesLike.Win32.Downloader.dh Trojan.Win32.Tilcun TR/Tilcun.B Win32.Troj.OnlineGameT.na.218624 Trojan.PWS.OnlineGames.ZLU Troj.GameThief.W32.OnLineGames.arus!c Trojan/Win32.OnlineGameHack.R2107 PWS-OnlineGames.br BScope.Trojan-PSW.Gomex.22 Win32/PSW.OnLineGames.NOA Win32.GamePsw.OnlineGame.bscx W32/OnLineGames.AKLO!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.GamesonTBDll1.Trojan": [[26, 50]], "Indicator: Trojan.PWS.OnlineGames.ZLU": [[51, 77], [128, 154], [281, 307], [308, 334], [398, 424], [460, 486], [609, 635]], "Indicator: Trojan-PWS/W32.WebGame.229376.BS": [[78, 110]], "Indicator: Trojan.Tilcun.B7": 
[[111, 127]], "Indicator: Trojan/OnLineGames.arus": [[155, 178]], "Indicator: TSPY_ONLINEG.FGF": [[179, 195], [244, 260]], "Indicator: Win32.Trojan-PSW.OLGames.cc": [[196, 223]], "Indicator: Infostealer.Gampass": [[224, 243]], "Indicator: Win.Spyware.45047-2": [[261, 280]], "Indicator: Trojan.Win32.OnLineGames.bemmm": [[335, 365]], "Indicator: Trojan.Win32.PSWIGames.229376.Q": [[366, 397]], "Indicator: TrojWare.Win32.PSW.OnLineGames.NOA": [[425, 459]], "Indicator: Trojan.PWS.Gamania.11506": [[487, 511]], "Indicator: BehavesLike.Win32.Downloader.dh": [[512, 543]], "Indicator: Trojan.Win32.Tilcun": [[544, 563]], "Indicator: TR/Tilcun.B": [[564, 575]], "Indicator: Win32.Troj.OnlineGameT.na.218624": [[576, 608]], "Indicator: Troj.GameThief.W32.OnLineGames.arus!c": [[636, 673]], "Indicator: Trojan/Win32.OnlineGameHack.R2107": [[674, 707]], "Indicator: PWS-OnlineGames.br": [[708, 726]], "Indicator: BScope.Trojan-PSW.Gomex.22": [[727, 753]], "Indicator: Win32/PSW.OnLineGames.NOA": [[754, 779]], "Indicator: Win32.GamePsw.OnlineGame.bscx": [[780, 809]], "Indicator: W32/OnLineGames.AKLO!tr.pws": [[810, 837]]}, "info": {"id": "cyner2_5class_train_02554", "source": "cyner2_5class_train"}} +{"text": "] it Brescia server1cs.exodus.connexxa [ .", "spans": {"Indicator: server1cs.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner2_5class_train_02555", "source": "cyner2_5class_train"}} +{"text": "BlackMoon Trojan is a banking trojan that is designed to phish user credentials from various South Korean banking institutions.", "spans": {"Malware: BlackMoon Trojan": [[0, 16]], "Malware: banking trojan": [[22, 36]], "Indicator: phish user credentials": [[57, 79]], "Organization: banking institutions.": [[106, 127]]}, "info": {"id": "cyner2_5class_train_02556", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Script.9271 BAT.Trojan.KillFiles.h Win.Worm.530490-1 BAT.Conwonk BehavesLike.Win64.Downloader.qh BAT/KillWin.NAR Trojan.BAT.KillWin 
BAT/KillWin.NAR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script.9271": [[26, 44]], "Indicator: BAT.Trojan.KillFiles.h": [[45, 67]], "Indicator: Win.Worm.530490-1": [[68, 85]], "Indicator: BAT.Conwonk": [[86, 97]], "Indicator: BehavesLike.Win64.Downloader.qh": [[98, 129]], "Indicator: BAT/KillWin.NAR": [[130, 145]], "Indicator: Trojan.BAT.KillWin": [[146, 164]], "Indicator: BAT/KillWin.NAR!tr": [[165, 183]]}, "info": {"id": "cyner2_5class_train_02557", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Patched.Shopperz.1 Trojan.DllPatcher.A6 PTCH64_NOPLE.SM Trojan.Mentono!inf PTCH64_NOPLE.SM Trojan.Patched.Shopperz.1 Trojan.Win64.Patched.qw Trojan.Patched.Shopperz.1 Trojan.Patched.Shopperz.1 Trojan.Hosts.37524 Trojan.Patched.Shopperz Trojan/Win64.Patched.ap Trojan.Patched.Shopperz.1 Trojan.Win64.Patched.qw W64/Patched.AP!tr Win32/Trojan.133", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Patched.Shopperz.1": [[26, 51], [124, 149], [174, 199], [200, 225], [293, 318]], "Indicator: Trojan.DllPatcher.A6": [[52, 72]], "Indicator: PTCH64_NOPLE.SM": [[73, 88], [108, 123]], "Indicator: Trojan.Mentono!inf": [[89, 107]], "Indicator: Trojan.Win64.Patched.qw": [[150, 173], [319, 342]], "Indicator: Trojan.Hosts.37524": [[226, 244]], "Indicator: Trojan.Patched.Shopperz": [[245, 268]], "Indicator: Trojan/Win64.Patched.ap": [[269, 292]], "Indicator: W64/Patched.AP!tr": [[343, 360]], "Indicator: Win32/Trojan.133": [[361, 377]]}, "info": {"id": "cyner2_5class_train_02558", "source": "cyner2_5class_train"}} +{"text": "A malicious Word document targeting Mac users.", "spans": {"Indicator: malicious Word document": [[2, 25]], "System: Mac users.": [[36, 46]]}, "info": {"id": "cyner2_5class_train_02559", "source": "cyner2_5class_train"}} +{"text": "It also targets Ahnlab by killing processes and deleting files specific to the software.", "spans": {"Organization: Ahnlab": [[16, 22]], "Indicator: killing processes": [[26, 
43]], "Indicator: deleting files": [[48, 62]], "System: software.": [[79, 88]]}, "info": {"id": "cyner2_5class_train_02560", "source": "cyner2_5class_train"}} +{"text": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.", "spans": {}, "info": {"id": "cyner2_5class_train_02561", "source": "cyner2_5class_train"}} +{"text": "Even threats like DNS cache poisoning employ social engineering , so users should also be more prudent against suspicious or unknown messages that have telltale signs of malware .", "spans": {}, "info": {"id": "cyner2_5class_train_02562", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Affpach.A4 Trojan.Graftor.D6130 Win32.Trojan.StartPage.a W32/Trojan2.NTSB TROJ_SPNR.30BF13 Trojan.Win32.AVKill.bfnuts Trojan.Win32.Inject.tja Trojan.AVKill.27746 TROJ_SPNR.30BF13 W32/Trojan.ZXAC-7369 Variant.Graftor.xm Win32/StartPage.OKV Trojan.StartPage!m0gBcMRinXU Trojan.Hijacker W32/StartPage.OKV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Affpach.A4": [[26, 43]], "Indicator: Trojan.Graftor.D6130": [[44, 64]], "Indicator: Win32.Trojan.StartPage.a": [[65, 89]], "Indicator: W32/Trojan2.NTSB": [[90, 106]], "Indicator: TROJ_SPNR.30BF13": [[107, 123], [195, 211]], "Indicator: Trojan.Win32.AVKill.bfnuts": [[124, 150]], "Indicator: Trojan.Win32.Inject.tja": [[151, 174]], "Indicator: Trojan.AVKill.27746": [[175, 194]], "Indicator: W32/Trojan.ZXAC-7369": [[212, 232]], "Indicator: Variant.Graftor.xm": [[233, 251]], "Indicator: Win32/StartPage.OKV": [[252, 271]], "Indicator: Trojan.StartPage!m0gBcMRinXU": [[272, 300]], "Indicator: Trojan.Hijacker": [[301, 316]], "Indicator: W32/StartPage.OKV!tr": [[317, 337]]}, "info": {"id": "cyner2_5class_train_02563", "source": "cyner2_5class_train"}} +{"text": "Threat Actors TAs employ sophisticated techniques to create phishing websites that are designed to appear legitimate and attractive to 
users.", "spans": {"Indicator: create phishing websites": [[53, 77]]}, "info": {"id": "cyner2_5class_train_02564", "source": "cyner2_5class_train"}} +{"text": "BianLian continues to exhibit a high level of operational security and skill in network penetration, seeming to have also found their stride in the pace of their operations.", "spans": {}, "info": {"id": "cyner2_5class_train_02565", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VEX8687.Webshell Backdoor.PHP.RST.H HTML.BackDoor.A Backdoor.Php.Rst!c PHP.Backdoor.WebShell.al PHP/Rst.H PHP.RSTBackdoor PHP/Small.NAL PHP_R57SHELL.SM Win.Trojan.R57-2 Script.Trojan.PHPShellRST.A Backdoor.PHP.RST.H Trojan.Html.Rst.bgzarv PHP.S.Rst.87741 Backdoor.PHP.RST.H Backdoor.PHP.Rst.~BBA Backdoor.PHP.RST.H PHP.R57Shell.12 PHP_R57SHELL.SM PHP/Rst.H PHP/Rst.H.95982 Backdoor.PHP.RST.H PHP/Rst.A Backdoor.PHP.r57Shell.A BPX.Shell Backdoor.PHP.Rst.ai Php.Backdoor.Rst.Ssgx PHP.RST.G Trojan.PHP.Rst PHP/Rst.AI!tr php.script.c99shell.6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VEX8687.Webshell": [[26, 42]], "Indicator: Backdoor.PHP.RST.H": [[43, 61], [223, 241], [281, 299], [322, 340], [399, 417]], "Indicator: HTML.BackDoor.A": [[62, 77]], "Indicator: Backdoor.Php.Rst!c": [[78, 96]], "Indicator: PHP.Backdoor.WebShell.al": [[97, 121]], "Indicator: PHP/Rst.H": [[122, 131], [373, 382]], "Indicator: PHP.RSTBackdoor": [[132, 147]], "Indicator: PHP/Small.NAL": [[148, 161]], "Indicator: PHP_R57SHELL.SM": [[162, 177], [357, 372]], "Indicator: Win.Trojan.R57-2": [[178, 194]], "Indicator: Script.Trojan.PHPShellRST.A": [[195, 222]], "Indicator: Trojan.Html.Rst.bgzarv": [[242, 264]], "Indicator: PHP.S.Rst.87741": [[265, 280]], "Indicator: Backdoor.PHP.Rst.~BBA": [[300, 321]], "Indicator: PHP.R57Shell.12": [[341, 356]], "Indicator: PHP/Rst.H.95982": [[383, 398]], "Indicator: PHP/Rst.A": [[418, 427]], "Indicator: Backdoor.PHP.r57Shell.A": [[428, 451]], "Indicator: BPX.Shell": [[452, 461]], "Indicator: 
Backdoor.PHP.Rst.ai": [[462, 481]], "Indicator: Php.Backdoor.Rst.Ssgx": [[482, 503]], "Indicator: PHP.RST.G": [[504, 513]], "Indicator: Trojan.PHP.Rst": [[514, 528]], "Indicator: PHP/Rst.AI!tr": [[529, 542]], "Indicator: php.script.c99shell.6": [[543, 564]]}, "info": {"id": "cyner2_5class_train_02566", "source": "cyner2_5class_train"}} +{"text": "Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor.", "spans": {"Organization: Symantec": [[0, 8]], "Indicator: custom information stealing": [[99, 126]], "Malware: Trojan": [[127, 133]], "Malware: ISMDoor.": [[141, 149]]}, "info": {"id": "cyner2_5class_train_02567", "source": "cyner2_5class_train"}} +{"text": "Design In the manifest , the malware requests a large number of permissions .", "spans": {}, "info": {"id": "cyner2_5class_train_02568", "source": "cyner2_5class_train"}} +{"text": "Some apps have started with clean versions , in an attempt to grow user bases and build the developer accounts ’ reputations .", "spans": {}, "info": {"id": "cyner2_5class_train_02569", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Adware.AMRL Trojan.DownLoader22.55869 BehavesLike.Win32.Worm.th W32/Adware.OAXQ-2836 Worm:Win32/Imafly.AC Trojan.Strictor.D19956 Trojan/Win32.Cosmu.R158790 Win32/Autoit.LH Worm.Win32.AutoIt W32/Autoit.EQP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Adware.AMRL": [[26, 41]], "Indicator: Trojan.DownLoader22.55869": [[42, 67]], "Indicator: BehavesLike.Win32.Worm.th": [[68, 93]], "Indicator: W32/Adware.OAXQ-2836": [[94, 114]], "Indicator: Worm:Win32/Imafly.AC": [[115, 135]], "Indicator: Trojan.Strictor.D19956": [[136, 158]], "Indicator: Trojan/Win32.Cosmu.R158790": [[159, 185]], "Indicator: Win32/Autoit.LH": [[186, 201]], "Indicator: Worm.Win32.AutoIt": [[202, 219]], "Indicator: W32/Autoit.EQP!tr": [[220, 237]]}, "info": {"id": "cyner2_5class_train_02570", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Worm.Goldrv.A7 Trojan-Ransom.Win32.Blocker.jaic Trojan.Win32.Dapato.dbzcxx W32.Virut.lMey Trojan.Win32.Dapato.a TrojWare.Win32.Dapato.DFS Trojan.DownLoader11.18798 Trojan-Dropper.Win32.Dapato TrojanDropper.Dapato.peb Trojan[Dropper]/Win32.Dapato Worm:Win32/Goldrv.A Trojan-Ransom.Win32.Blocker.jaic HEUR/Fakon.mwf Trojan-Ransom.Blocker Backdoor.Bot W32/Dapato.EDU!tr Win32/Trojan.df8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Worm.Goldrv.A7": [[54, 68]], "Indicator: Trojan-Ransom.Win32.Blocker.jaic": [[69, 101], [320, 352]], "Indicator: Trojan.Win32.Dapato.dbzcxx": [[102, 128]], "Indicator: W32.Virut.lMey": [[129, 143]], "Indicator: Trojan.Win32.Dapato.a": [[144, 165]], "Indicator: TrojWare.Win32.Dapato.DFS": [[166, 191]], "Indicator: Trojan.DownLoader11.18798": [[192, 217]], "Indicator: Trojan-Dropper.Win32.Dapato": [[218, 245]], "Indicator: TrojanDropper.Dapato.peb": [[246, 270]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[271, 299]], "Indicator: Worm:Win32/Goldrv.A": [[300, 319]], "Indicator: HEUR/Fakon.mwf": [[353, 367]], "Indicator: Trojan-Ransom.Blocker": [[368, 389]], "Indicator: Backdoor.Bot": [[390, 402]], "Indicator: W32/Dapato.EDU!tr": [[403, 420]], "Indicator: Win32/Trojan.df8": [[421, 437]]}, "info": {"id": "cyner2_5class_train_02571", "source": "cyner2_5class_train"}} +{"text": "The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes: A new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;", "spans": {"Malware: malware": [[4, 11]], "Indicator: A new decoy document copy/pasted": [[119, 151]], "Organization: Yonhap News Agency": [[200, 218]]}, "info": {"id": "cyner2_5class_train_02572", "source": "cyner2_5class_train"}} +{"text": "The malicious application sends a request to choose a 
network account , a specific account that can only be processed by authentication services exported by the malicious application .", "spans": {}, "info": {"id": "cyner2_5class_train_02573", "source": "cyner2_5class_train"}} +{"text": "It leverages webinjects and SMS reading capabilities to bypass two-factor authentication , and is clearly targeting financial applications .", "spans": {}, "info": {"id": "cyner2_5class_train_02574", "source": "cyner2_5class_train"}} +{"text": "The Computer Incident Response Center Luxembourg CIRCL has recently uncovered malicious files attached to an email through the use of Pandora Document and File Analysis.", "spans": {"Organization: The Computer Incident Response Center Luxembourg CIRCL": [[0, 54]], "Indicator: malicious files": [[78, 93]], "Indicator: email": [[109, 114]], "Indicator: Pandora Document": [[134, 150]], "Indicator: File Analysis.": [[155, 169]]}, "info": {"id": "cyner2_5class_train_02575", "source": "cyner2_5class_train"}} +{"text": "New variant of the Android rootnik malware that disguises itself as a legal app.", "spans": {"Malware: variant": [[4, 11]], "Malware: Android rootnik malware": [[19, 42]], "System: legal app.": [[70, 80]]}, "info": {"id": "cyner2_5class_train_02576", "source": "cyner2_5class_train"}} +{"text": "Using google translate, I found that the language is Armenian and translates to The Law on Banks and Banking 27.07.2015.doc VirusTotal intelligence spotted the decoy in the wild as an email attachment with the subject name Law changes which gave me a suspicion that the attempt was made to specifically target the employees of Central bank of Armenia.", "spans": {"System: google translate,": [[6, 23]], "Indicator: The Law on Banks and Banking 27.07.2015.doc": [[80, 123]], "Organization: VirusTotal intelligence": [[124, 147]], "Indicator: decoy": [[160, 165]], "Indicator: email attachment": [[184, 200]], "Indicator: subject": [[210, 217]], "Indicator: Law changes": [[223, 234]], "Organization: 
employees": [[314, 323]], "Organization: Central bank of Armenia.": [[327, 351]]}, "info": {"id": "cyner2_5class_train_02577", "source": "cyner2_5class_train"}} +{"text": "It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of “ chuli ” is “ summit ” : The command-and-control server and parameters can be easily seen in the decompiled source code : Command and control server interaction code Throughout the code , the attackers log all important actions , which include various messages in Chinese .", "spans": {}, "info": {"id": "cyner2_5class_train_02578", "source": "cyner2_5class_train"}} +{"text": "Everything started from a well edited Italian language email given to me from a colleague of mine, thank you Luca! reaching out many Italian companies.", "spans": {"Indicator: well edited Italian language email": [[26, 60]], "Organization: Italian companies.": [[133, 151]]}, "info": {"id": "cyner2_5class_train_02579", "source": "cyner2_5class_train"}} +{"text": "BEBLOH is a banking Trojan that has been around since as early as 2009.", "spans": {"Malware: BEBLOH": [[0, 6]], "Malware: banking Trojan": [[12, 26]]}, "info": {"id": "cyner2_5class_train_02580", "source": "cyner2_5class_train"}} +{"text": "The actor utilizes spear phishing campaigns to deliver NetTraveler, also known as TravNet.", "spans": {"Malware: NetTraveler,": [[55, 67]], "Malware: TravNet.": [[82, 90]]}, "info": {"id": "cyner2_5class_train_02581", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.PcClient.409260 Trojan.Pincav.9356 Backdoor.PcClient.Win32.5 Backdoor/PcClient.alqk Trojan.Buzy.D10B5 W32/Backdoor.MMJP-0040 Backdoor.Trojan Trojan.Win32.PcClient.ihgd Trojan.MulDrop3.45818 Backdoor.Win32.PcClient W32/Backdoor2.FUIH Trojan:Win32/Wisp.A BDS/Pcclient.alqk Trojan[Backdoor]/Win32.PcClient Backdoor.Win32.A.PcClient.386732 Trojan/Win32.PcClient.R55121 Backdoor.PcClient 
Backdoor.PcClient!4LPCxDv4AHg Win32/Backdoor.851", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.PcClient.409260": [[26, 54]], "Indicator: Trojan.Pincav.9356": [[55, 73]], "Indicator: Backdoor.PcClient.Win32.5": [[74, 99]], "Indicator: Backdoor/PcClient.alqk": [[100, 122]], "Indicator: Trojan.Buzy.D10B5": [[123, 140]], "Indicator: W32/Backdoor.MMJP-0040": [[141, 163]], "Indicator: Backdoor.Trojan": [[164, 179]], "Indicator: Trojan.Win32.PcClient.ihgd": [[180, 206]], "Indicator: Trojan.MulDrop3.45818": [[207, 228]], "Indicator: Backdoor.Win32.PcClient": [[229, 252]], "Indicator: W32/Backdoor2.FUIH": [[253, 271]], "Indicator: Trojan:Win32/Wisp.A": [[272, 291]], "Indicator: BDS/Pcclient.alqk": [[292, 309]], "Indicator: Trojan[Backdoor]/Win32.PcClient": [[310, 341]], "Indicator: Backdoor.Win32.A.PcClient.386732": [[342, 374]], "Indicator: Trojan/Win32.PcClient.R55121": [[375, 403]], "Indicator: Backdoor.PcClient": [[404, 421]], "Indicator: Backdoor.PcClient!4LPCxDv4AHg": [[422, 451]], "Indicator: Win32/Backdoor.851": [[452, 470]]}, "info": {"id": "cyner2_5class_train_02582", "source": "cyner2_5class_train"}} +{"text": "Gustuff advertising screenshot The companies advertised in the image above were from Australia , which matches up with the campaign we researched .", "spans": {"Malware: Gustuff": [[0, 7]]}, "info": {"id": "cyner2_5class_train_02583", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 BehavesLike.Win64.MysticCompressor.ch Trojan:Win64/Jifcapi.A Win32/Trojan.03e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: BehavesLike.Win64.MysticCompressor.ch": [[46, 83]], "Indicator: Trojan:Win64/Jifcapi.A": [[84, 106]], "Indicator: Win32/Trojan.03e": [[107, 123]]}, "info": {"id": "cyner2_5class_train_02584", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.Steam.12700 
BehavesLike.Win32.Trojan.bc TR/Dropper.MSIL.dhgqe Spyware.AzorUlt Trj/GdSda.A Trojan.MSIL.Krypt MSIL/Kryptik.MPY!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.PWS.Steam.12700": [[69, 91]], "Indicator: BehavesLike.Win32.Trojan.bc": [[92, 119]], "Indicator: TR/Dropper.MSIL.dhgqe": [[120, 141]], "Indicator: Spyware.AzorUlt": [[142, 157]], "Indicator: Trj/GdSda.A": [[158, 169]], "Indicator: Trojan.MSIL.Krypt": [[170, 187]], "Indicator: MSIL/Kryptik.MPY!tr": [[188, 207]]}, "info": {"id": "cyner2_5class_train_02585", "source": "cyner2_5class_train"}} +{"text": "Those are not the only system functions Triada modifies .", "spans": {"Malware: Triada": [[40, 46]]}, "info": {"id": "cyner2_5class_train_02586", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AlustinH.Trojan Trojan.Diacam.KL3 Trojan.VB.Win32.96905 Trojan/VB.qms TROJ_DIACAM_BK0846C6.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9992 TROJ_DIACAM_BK0846C6.TOMC Win.Trojan.Mokes-11 Trojan.Win32.Dwn.coomze TrojWare.Win32.VB.QMS Trojan.DownLoader6.45576 Trojan/Jorik.glae Trojan/Win32.Mokes Trojan:Win32/Diacam.A Trojan.Symmi.D23C3 Win32.Trojan.VB.BE Trojan/Win32.VBKrypt.C161437 Trojan.Mokes Win32/VB.QMS Win32.VBCrypt W32/VBKrypt.MBSX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AlustinH.Trojan": [[26, 45]], "Indicator: Trojan.Diacam.KL3": [[46, 63]], "Indicator: Trojan.VB.Win32.96905": [[64, 85]], "Indicator: Trojan/VB.qms": [[86, 99]], "Indicator: TROJ_DIACAM_BK0846C6.TOMC": [[100, 125], [169, 194]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[126, 168]], "Indicator: Win.Trojan.Mokes-11": [[195, 214]], "Indicator: Trojan.Win32.Dwn.coomze": [[215, 238]], "Indicator: TrojWare.Win32.VB.QMS": [[239, 260]], "Indicator: Trojan.DownLoader6.45576": [[261, 285]], "Indicator: Trojan/Jorik.glae": [[286, 303]], "Indicator: Trojan/Win32.Mokes": [[304, 322]], "Indicator: 
Trojan:Win32/Diacam.A": [[323, 344]], "Indicator: Trojan.Symmi.D23C3": [[345, 363]], "Indicator: Win32.Trojan.VB.BE": [[364, 382]], "Indicator: Trojan/Win32.VBKrypt.C161437": [[383, 411]], "Indicator: Trojan.Mokes": [[412, 424]], "Indicator: Win32/VB.QMS": [[425, 437]], "Indicator: Win32.VBCrypt": [[438, 451]], "Indicator: W32/VBKrypt.MBSX!tr": [[452, 471]]}, "info": {"id": "cyner2_5class_train_02587", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Packed.16 Win32/Pigeon.AZTT Win.Trojan.Packed-77 Backdoor.Win32.Hupigon.oqk Trojan.Win32.Crypt.mkur Backdoor.Win32.Hupigon.412672.K Win32.Backdoor.Hupigon.cuda Packed.Win32.Klone.~KMF BackDoor.Pigeon.20533 Backdoor.Hupigon.Win32.100099 BehavesLike.Win32.Fujacks.fc Backdoor/Hupigon.af Win32.Troj.Klone.ab.389660 Trojan/Win32.Malpacked5.R134022 Trojan-Dropper.Kaos Trojan.Win32.Pincav", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Packed.16": [[69, 85]], "Indicator: Win32/Pigeon.AZTT": [[86, 103]], "Indicator: Win.Trojan.Packed-77": [[104, 124]], "Indicator: Backdoor.Win32.Hupigon.oqk": [[125, 151]], "Indicator: Trojan.Win32.Crypt.mkur": [[152, 175]], "Indicator: Backdoor.Win32.Hupigon.412672.K": [[176, 207]], "Indicator: Win32.Backdoor.Hupigon.cuda": [[208, 235]], "Indicator: Packed.Win32.Klone.~KMF": [[236, 259]], "Indicator: BackDoor.Pigeon.20533": [[260, 281]], "Indicator: Backdoor.Hupigon.Win32.100099": [[282, 311]], "Indicator: BehavesLike.Win32.Fujacks.fc": [[312, 340]], "Indicator: Backdoor/Hupigon.af": [[341, 360]], "Indicator: Win32.Troj.Klone.ab.389660": [[361, 387]], "Indicator: Trojan/Win32.Malpacked5.R134022": [[388, 419]], "Indicator: Trojan-Dropper.Kaos": [[420, 439]], "Indicator: Trojan.Win32.Pincav": [[440, 459]]}, "info": {"id": "cyner2_5class_train_02588", "source": "cyner2_5class_train"}} +{"text": "In some cases, it appeared to be a single use 
domain shadowing which is incredibly difficult to stop by using blacklisting.", "spans": {"Indicator: domain shadowing": [[46, 62]]}, "info": {"id": "cyner2_5class_train_02589", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.VP.ED105D0 Win32.Trojan.WisdomEyes.16070401.9500.9911 Trojan.MulDrop4.19536 BehavesLike.Win32.VBObfus.nt TR/Spy.36864.1691 Win32/VB.OIX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.VP.ED105D0": [[26, 48]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9911": [[49, 91]], "Indicator: Trojan.MulDrop4.19536": [[92, 113]], "Indicator: BehavesLike.Win32.VBObfus.nt": [[114, 142]], "Indicator: TR/Spy.36864.1691": [[143, 160]], "Indicator: Win32/VB.OIX": [[161, 173]]}, "info": {"id": "cyner2_5class_train_02590", "source": "cyner2_5class_train"}} +{"text": "Since our first published analysis of the OilRig campaign in May 2016 Unit42 has continued to monitor this group for new activity.", "spans": {"Organization: Unit42": [[70, 76]]}, "info": {"id": "cyner2_5class_train_02591", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Dapato!O Trojan.Symmi.D6404 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan-Dropper.Win32.Dapato.buqu Trojan.Win32.Dapato.bcmajb Trojan.DownLoader7.19485 BehavesLike.Win32.BadFile.mm W32/Trojan.IAVK-8796 TrojanDropper.Dapato.mbp TR/Dapato.AG Win32.Troj.Dapato.bu.kcloud Trojan:Win32/Omdork.A Trojan-Dropper.Win32.Dapato.buqu Trojan/Win32.Inject.R46970 Trojan.Win32.Swisyn W32/Dapato.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[26, 55]], "Indicator: Trojan.Symmi.D6404": [[56, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[75, 117]], "Indicator: Trojan-Dropper.Win32.Dapato.buqu": [[118, 150], [341, 373]], "Indicator: Trojan.Win32.Dapato.bcmajb": [[151, 177]], "Indicator: Trojan.DownLoader7.19485": [[178, 202]], "Indicator: BehavesLike.Win32.BadFile.mm": [[203, 
231]], "Indicator: W32/Trojan.IAVK-8796": [[232, 252]], "Indicator: TrojanDropper.Dapato.mbp": [[253, 277]], "Indicator: TR/Dapato.AG": [[278, 290]], "Indicator: Win32.Troj.Dapato.bu.kcloud": [[291, 318]], "Indicator: Trojan:Win32/Omdork.A": [[319, 340]], "Indicator: Trojan/Win32.Inject.R46970": [[374, 400]], "Indicator: Trojan.Win32.Swisyn": [[401, 420]], "Indicator: W32/Dapato.B!tr": [[421, 436]]}, "info": {"id": "cyner2_5class_train_02592", "source": "cyner2_5class_train"}} +{"text": "More and more we've been seeing references to a malware family known as FormBook.", "spans": {"Malware: a malware family": [[46, 62]], "Malware: FormBook.": [[72, 81]]}, "info": {"id": "cyner2_5class_train_02593", "source": "cyner2_5class_train"}} +{"text": "] net , negg1.ddns [ .", "spans": {"Indicator: negg1.ddns [ .": [[8, 22]]}, "info": {"id": "cyner2_5class_train_02594", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.6632 PUP.Optional.Nosibay TROJ_GE.FF4D51A5 Adware.Downware.11318 virus.win32.sality.at PUA/BubbleDock.A PUP.Nosibay/Variant NSIS.Application.SilentInstaller.A Win32.Trojan.Bubbledock.Huzb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.6632": [[26, 44]], "Indicator: PUP.Optional.Nosibay": [[45, 65]], "Indicator: TROJ_GE.FF4D51A5": [[66, 82]], "Indicator: Adware.Downware.11318": [[83, 104]], "Indicator: virus.win32.sality.at": [[105, 126]], "Indicator: PUA/BubbleDock.A": [[127, 143]], "Indicator: PUP.Nosibay/Variant": [[144, 163]], "Indicator: NSIS.Application.SilentInstaller.A": [[164, 198]], "Indicator: Win32.Trojan.Bubbledock.Huzb": [[199, 227]]}, "info": {"id": "cyner2_5class_train_02595", "source": "cyner2_5class_train"}} +{"text": "As soon as the user picks up the device , the implant will detect a motion event and execute the “ tk1 ” and “ input keyevent 3 ” commands .", "spans": {}, "info": {"id": "cyner2_5class_train_02596", "source": "cyner2_5class_train"}} +{"text": "Anti-emulator code .", 
"spans": {}, "info": {"id": "cyner2_5class_train_02597", "source": "cyner2_5class_train"}} +{"text": "Several days ago , the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates .", "spans": {}, "info": {"id": "cyner2_5class_train_02598", "source": "cyner2_5class_train"}} +{"text": "These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.", "spans": {"System: Google Play store,": [[37, 55]]}, "info": {"id": "cyner2_5class_train_02599", "source": "cyner2_5class_train"}} +{"text": "Our eyes fell on the latest version of the Trojan , which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia ’ s largest banks .", "spans": {"System: Android": [[100, 107]]}, "info": {"id": "cyner2_5class_train_02600", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.PWS.Banker1.23807 TR/Crypt.ZPACK.qkbzo Trojan:Win32/Ahriynoteemo.A Trojan-Spy.Win32.Noon Trj/CI.A Win32/Trojan.1fa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Trojan.PWS.Banker1.23807": [[44, 68]], "Indicator: TR/Crypt.ZPACK.qkbzo": [[69, 89]], "Indicator: Trojan:Win32/Ahriynoteemo.A": [[90, 117]], "Indicator: Trojan-Spy.Win32.Noon": [[118, 139]], "Indicator: Trj/CI.A": [[140, 148]], "Indicator: Win32/Trojan.1fa": [[149, 165]]}, "info": {"id": "cyner2_5class_train_02601", "source": "cyner2_5class_train"}} +{"text": "Traces of its previous uses in the wild were found inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable .", "spans": {}, "info": {"id": "cyner2_5class_train_02602", "source": "cyner2_5class_train"}} +{"text": "Even now , this is still not enough .", 
"spans": {}, "info": {"id": "cyner2_5class_train_02603", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Mauvaise.SL1 Trojan.Skeeyah W32.SillyFDC Trojan.Win32.Bulknet.eljnif TrojWare.Win32.Imwee.A Trojan.DownLoader11.19812 Trojan.Zusy.D38629 TrojanDownloader:Win32/Gratem.A HEUR/Fakon.mwf Trj/Downloader.WKR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Trojan.Mauvaise.SL1": [[54, 73]], "Indicator: Trojan.Skeeyah": [[74, 88]], "Indicator: W32.SillyFDC": [[89, 101]], "Indicator: Trojan.Win32.Bulknet.eljnif": [[102, 129]], "Indicator: TrojWare.Win32.Imwee.A": [[130, 152]], "Indicator: Trojan.DownLoader11.19812": [[153, 178]], "Indicator: Trojan.Zusy.D38629": [[179, 197]], "Indicator: TrojanDownloader:Win32/Gratem.A": [[198, 229]], "Indicator: HEUR/Fakon.mwf": [[230, 244]], "Indicator: Trj/Downloader.WKR": [[245, 263]]}, "info": {"id": "cyner2_5class_train_02604", "source": "cyner2_5class_train"}} +{"text": "A worm Madang infects files across all drives, and installs itself as serverx.exe", "spans": {"Malware: worm Madang": [[2, 13]], "Indicator: infects files": [[14, 27]], "System: drives,": [[39, 46]], "Indicator: serverx.exe": [[70, 81]]}, "info": {"id": "cyner2_5class_train_02605", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MosquitoQKB.Fam.Trojan Trojan.Kryptik.Win32.93516 Trojan/Kryptik.kuf BKDR_QAKBOT.SMG Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_QAKBOT.SMG Win.Trojan.5453446-1 Trojan-Ransom.Win32.Gimemo.dtt Trojan.Win32.Crypted.efbdjj Trojan.Packed.21485 BehavesLike.Win32.HLLP.dc Trojan:Win32/Dishigy.B Trojan-Ransom.Win32.Gimemo.dtt Trojan/Win32.Zbot.R2835 Trojan.Flasher.xr Worm.Win32.Slenfbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MosquitoQKB.Fam.Trojan": [[26, 52]], "Indicator: Trojan.Kryptik.Win32.93516": [[53, 79]], "Indicator: Trojan/Kryptik.kuf": [[80, 98]], "Indicator: 
BKDR_QAKBOT.SMG": [[99, 114], [158, 173]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[115, 157]], "Indicator: Win.Trojan.5453446-1": [[174, 194]], "Indicator: Trojan-Ransom.Win32.Gimemo.dtt": [[195, 225], [323, 353]], "Indicator: Trojan.Win32.Crypted.efbdjj": [[226, 253]], "Indicator: Trojan.Packed.21485": [[254, 273]], "Indicator: BehavesLike.Win32.HLLP.dc": [[274, 299]], "Indicator: Trojan:Win32/Dishigy.B": [[300, 322]], "Indicator: Trojan/Win32.Zbot.R2835": [[354, 377]], "Indicator: Trojan.Flasher.xr": [[378, 395]], "Indicator: Worm.Win32.Slenfbot": [[396, 415]]}, "info": {"id": "cyner2_5class_train_02606", "source": "cyner2_5class_train"}} +{"text": "This attack was specifically targeting a well-known financial services firm.", "spans": {"Indicator: attack": [[5, 11]], "Organization: financial services firm.": [[52, 76]]}, "info": {"id": "cyner2_5class_train_02607", "source": "cyner2_5class_train"}} +{"text": "Cmstar was named for the log message CM**' used by the downloader.", "spans": {"Malware: Cmstar": [[0, 6]], "Malware: downloader.": [[55, 66]]}, "info": {"id": "cyner2_5class_train_02608", "source": "cyner2_5class_train"}} +{"text": "] 6 , was previously hosting the domain next.nextuptravel [ .", "spans": {"Indicator: domain next.nextuptravel [ .": [[33, 61]]}, "info": {"id": "cyner2_5class_train_02609", "source": "cyner2_5class_train"}} +{"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_02610", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.ASP.Ace.B Backdoor.ASP.Ace.B ASP/Ace.C Backdoor.Trojan Ace.B HTML_Haiyasp.a Backdoor.ASP.Ace.b Backdoor.ASP.Ace.B Backdoor.ASP.Ace.b Backdoor.ASP.Ace.B BDS/ASP.Ace.E HTML_Haiyasp.a Backdoor/ASP.Ace.b Backdoor/ASP.Ace Backdoor:ASP/Ace.B Backdoor.ASP.Ace.B ASP/Ace.C Backdoor.ASP.Ace.b Backdoor.Trojan ASP/Ace.B Script.haiyang.a Bck/Ace.B", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Backdoor.ASP.Ace.B": [[26, 44], [45, 63], [130, 148], [168, 186], [271, 289]], "Indicator: ASP/Ace.C": [[64, 73], [290, 299]], "Indicator: Backdoor.Trojan": [[74, 89], [319, 334]], "Indicator: Ace.B": [[90, 95]], "Indicator: HTML_Haiyasp.a": [[96, 110], [201, 215]], "Indicator: Backdoor.ASP.Ace.b": [[111, 129], [149, 167], [300, 318]], "Indicator: BDS/ASP.Ace.E": [[187, 200]], "Indicator: Backdoor/ASP.Ace.b": [[216, 234]], "Indicator: Backdoor/ASP.Ace": [[235, 251]], "Indicator: Backdoor:ASP/Ace.B": [[252, 270]], "Indicator: ASP/Ace.B": [[335, 344]], "Indicator: Script.haiyang.a": [[345, 361]], "Indicator: Bck/Ace.B": [[362, 371]]}, "info": {"id": "cyner2_5class_train_02611", "source": "cyner2_5class_train"}} +{"text": "The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services , chosen by checking the operating system version , to create new Google accounts .", "spans": {"System: Android API": [[73, 84]], "Organization: Google": [[196, 202]]}, "info": {"id": "cyner2_5class_train_02612", "source": "cyner2_5class_train"}} +{"text": "This research gives a rare look into the process improvements malware authors make when optimizing before launch .", "spans": {}, "info": {"id": "cyner2_5class_train_02613", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.NtRootKit.bozxzq TrojWare.Win32.Rootkit.Festi.AA Trojan.NtRootKit.15667 BehavesLike.Win32.Dropper.mm Trojan.Win32.Rootkit Trojan[Rootkit]/Win32.Tent TrojanDropper:Win32/Festi.C SScope.Trojan.CLR.18907 W32/Rootkit_Festi.AA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Win32.NtRootKit.bozxzq": [[69, 98]], "Indicator: TrojWare.Win32.Rootkit.Festi.AA": [[99, 130]], "Indicator: Trojan.NtRootKit.15667": [[131, 153]], "Indicator: BehavesLike.Win32.Dropper.mm": 
[[154, 182]], "Indicator: Trojan.Win32.Rootkit": [[183, 203]], "Indicator: Trojan[Rootkit]/Win32.Tent": [[204, 230]], "Indicator: TrojanDropper:Win32/Festi.C": [[231, 258]], "Indicator: SScope.Trojan.CLR.18907": [[259, 282]], "Indicator: W32/Rootkit_Festi.AA": [[283, 303]]}, "info": {"id": "cyner2_5class_train_02614", "source": "cyner2_5class_train"}} +{"text": "In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key.", "spans": {"System: APK": [[42, 45]], "Malware: Android variant of X-Agent,": [[59, 86]], "Indicator: command and control protocol": [[91, 119]], "System: Windows": [[151, 158]], "Malware: variants of X-Agent,": [[159, 179]], "Indicator: cryptographic algorithm": [[195, 218]], "Indicator: RC4": [[226, 229]], "Indicator: 50 byte base key.": [[250, 267]]}, "info": {"id": "cyner2_5class_train_02615", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Cidox!O Trojan/Cidox.bpa TROJ_VUNDO.SMFQ Win32.Trojan.WisdomEyes.16070401.9500.9988 TROJ_VUNDO.SMFQ Trojan.Win32.Mayachok.esnzar Trojan.Mayachok.1 Dropper.Cidox.Win32.14633 BehavesLike.Win32.PUPXDR.ph Trojan-Dropper.Win32.Cidox Trojan.Symmi.DD688 TrojanDownloader:Win32/Vundo.HIY Trojan/Win32.Cidox.R20237 Trojan-Ransom.Cidox.1212 Win32/Trojan.1b7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Cidox!O": [[26, 53]], "Indicator: Trojan/Cidox.bpa": [[54, 70]], "Indicator: TROJ_VUNDO.SMFQ": [[71, 86], [130, 145]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[87, 129]], "Indicator: Trojan.Win32.Mayachok.esnzar": [[146, 174]], "Indicator: Trojan.Mayachok.1": [[175, 192]], "Indicator: Dropper.Cidox.Win32.14633": [[193, 218]], "Indicator: BehavesLike.Win32.PUPXDR.ph": [[219, 246]], "Indicator: Trojan-Dropper.Win32.Cidox": [[247, 
273]], "Indicator: Trojan.Symmi.DD688": [[274, 292]], "Indicator: TrojanDownloader:Win32/Vundo.HIY": [[293, 325]], "Indicator: Trojan/Win32.Cidox.R20237": [[326, 351]], "Indicator: Trojan-Ransom.Cidox.1212": [[352, 376]], "Indicator: Win32/Trojan.1b7": [[377, 393]]}, "info": {"id": "cyner2_5class_train_02616", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Virut.G W32/Trojan3.ATP W32.Virut.CF W32/Virut.BS Win32/Virut.17408 PE_VIRUX.A-3 Virus.Win32.Virut.ce Win32.Virut.AM Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.A-3 Heuristic.BehavesLike.Win32.ModifiedUPX.J Win32/Virut.bn Win32.Virut.nd.53248 Virus:Win32/Virut.BN Win32/Virut.F W32/Trojan3.ATP Virus.Virut.06 Win32/Virut.NBP Win32.Obduran.a W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: W32/Trojan3.ATP": [[38, 53], [309, 324]], "Indicator: W32.Virut.CF": [[54, 66]], "Indicator: W32/Virut.BS": [[67, 79]], "Indicator: Win32/Virut.17408": [[80, 97]], "Indicator: PE_VIRUX.A-3": [[98, 110], [183, 195]], "Indicator: Virus.Win32.Virut.ce": [[111, 131]], "Indicator: Win32.Virut.AM": [[132, 146]], "Indicator: Virus.Win32.Virut.Ce": [[147, 167]], "Indicator: Win32.Virut.56": [[168, 182]], "Indicator: Heuristic.BehavesLike.Win32.ModifiedUPX.J": [[196, 237]], "Indicator: Win32/Virut.bn": [[238, 252]], "Indicator: Win32.Virut.nd.53248": [[253, 273]], "Indicator: Virus:Win32/Virut.BN": [[274, 294]], "Indicator: Win32/Virut.F": [[295, 308]], "Indicator: Virus.Virut.06": [[325, 339]], "Indicator: Win32/Virut.NBP": [[340, 355]], "Indicator: Win32.Obduran.a": [[356, 371]], "Indicator: W32/Sality.AO": [[372, 385]]}, "info": {"id": "cyner2_5class_train_02617", "source": "cyner2_5class_train"}} +{"text": "It then uses open-sourced Android root exploit tools to gain root access on an Android device.", "spans": {"Malware: Android root exploit tools": [[26, 52]], "Vulnerability: gain root access": [[56, 72]], "System: Android device.": [[79, 94]]}, 
"info": {"id": "cyner2_5class_train_02618", "source": "cyner2_5class_train"}} +{"text": "The actors weaponized the delivery document to install a variant of the 9002' Trojan called 3102' that heavily relies on plugins to provide functionality needed by the actors to carry out on their objectives.", "spans": {"Malware: Trojan": [[78, 84]], "Malware: 3102'": [[92, 97]], "Indicator: plugins": [[121, 128]]}, "info": {"id": "cyner2_5class_train_02619", "source": "cyner2_5class_train"}} +{"text": "Spearphishes impersonating RAND", "spans": {"Indicator: Spearphishes": [[0, 12]], "Organization: RAND": [[27, 31]]}, "info": {"id": "cyner2_5class_train_02620", "source": "cyner2_5class_train"}} +{"text": "KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China.", "spans": {"Malware: KeyRaider": [[0, 9]], "Vulnerability: jailbroken": [[18, 28]], "System: iOS devices": [[29, 40]], "System: Cydia repositories": [[80, 98]]}, "info": {"id": "cyner2_5class_train_02621", "source": "cyner2_5class_train"}} +{"text": "The malware, dubbed CopyCat by researchers, uses a novel technique to generate and steal ad revenues.", "spans": {"Malware: malware,": [[4, 12]], "Malware: CopyCat": [[20, 27]], "Organization: researchers,": [[31, 43]]}, "info": {"id": "cyner2_5class_train_02622", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[6, 31]]}, "info": {"id": "cyner2_5class_train_02623", "source": "cyner2_5class_train"}} +{"text": "The criminal gangs of the Carbanak/FIN7 syndicate have been attributed to numerous intrusions in the banking, hospitality, retail and other industrial verticals, collecting financial information of all kinds.", "spans": {"Indicator: intrusions": [[83, 93]], "Organization: the banking, hospitality, retail": [[97, 129]], "Organization: other industrial verticals,": [[134, 161]]}, "info": {"id": "cyner2_5class_train_02624", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 LNK/Trojan.XMFH-4 Worm.Win32.AutoIt.aku Worm.W32.Autoit!c LNK_DORKBOT.SMF Trojan/Win32.Autoit Trojan.Autoit.DHZ Worm.Win32.AutoIt.aku Trojan:Win32/Chinqincin.A Win32.Worm.Autoit.Lndx Trj/CI.A Win32/Trojan.1e1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: LNK/Trojan.XMFH-4": [[69, 86]], "Indicator: Worm.Win32.AutoIt.aku": [[87, 108], [181, 202]], "Indicator: Worm.W32.Autoit!c": [[109, 126]], "Indicator: LNK_DORKBOT.SMF": [[127, 142]], "Indicator: Trojan/Win32.Autoit": [[143, 162]], "Indicator: Trojan.Autoit.DHZ": [[163, 180]], "Indicator: Trojan:Win32/Chinqincin.A": [[203, 228]], "Indicator: Win32.Worm.Autoit.Lndx": [[229, 251]], "Indicator: Trj/CI.A": [[252, 260]], "Indicator: Win32/Trojan.1e1": [[261, 277]]}, "info": {"id": "cyner2_5class_train_02625", "source": "cyner2_5class_train"}} +{"text": "'' This security hole is currently present in every operating system image for A83T , H3 or H8 devices that rely on kernel 3.4 , he added .", "spans": {"System: A83T": [[79, 83]], "System: H3": [[86, 88]], "System: H8": [[92, 94]], "System: kernel 3.4": [[116, 126]]}, "info": {"id": "cyner2_5class_train_02626", "source": "cyner2_5class_train"}} +{"text": "However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware.", "spans": {"Indicator: the Georgian language": [[14, 35]], "Indicator: the website": [[47, 58]], "Malware: malware.": [[108, 116]]}, "info": {"id": "cyner2_5class_train_02627", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Win32.Veebee.1!O Trojan.Dyname.r3 Trojan.Dropper Trojan.VB.Win32.118717 Trojan.VB!K6eQMCc/nZg Trojan.Win32.VB.ckbb Worm.Win32.WBNA.ROC TR/Dynamer.dtc.17594 W32/Trojan.MKPV-4364 Trojan/Win32.VB Trojan.VB Win32/AutoRun.VB.BDM Trojan-Banker.Win32.Bancos W32/VB.CKBB!tr", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Heur.Win32.Veebee.1!O": [[26, 47]], "Indicator: Trojan.Dyname.r3": [[48, 64]], "Indicator: Trojan.Dropper": [[65, 79]], "Indicator: Trojan.VB.Win32.118717": [[80, 102]], "Indicator: Trojan.VB!K6eQMCc/nZg": [[103, 124]], "Indicator: Trojan.Win32.VB.ckbb": [[125, 145]], "Indicator: Worm.Win32.WBNA.ROC": [[146, 165]], "Indicator: TR/Dynamer.dtc.17594": [[166, 186]], "Indicator: W32/Trojan.MKPV-4364": [[187, 207]], "Indicator: Trojan/Win32.VB": [[208, 223]], "Indicator: Trojan.VB": [[224, 233]], "Indicator: Win32/AutoRun.VB.BDM": [[234, 254]], "Indicator: Trojan-Banker.Win32.Bancos": [[255, 281]], "Indicator: W32/VB.CKBB!tr": [[282, 296]]}, "info": {"id": "cyner2_5class_train_02628", "source": "cyner2_5class_train"}} +{"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner2_5class_train_02629", "source": "cyner2_5class_train"}} +{"text": "] net The overlaps between the Henbox , PlugX , Zupdax , and Poison Ivy malware families involves a web of shared C2s and IP resolutions centered around the below : 59.188.196 [ .", "spans": {"Malware: Henbox": [[31, 37]], "Malware: PlugX": [[40, 45]], "Malware: Zupdax": [[48, 54]], "Malware: Poison Ivy": [[61, 71]], "Indicator: 59.188.196 [ .": [[165, 179]]}, "info": {"id": "cyner2_5class_train_02630", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan/W32.Cobalt.196608 Trojan.Conbea Win.Tool.CobaltStrike-6336852-0 HackTool.Win32.Cobalt.k Trojan.Win32.Cobalt.egtrej BackDoor.Meterpreter.42 BehavesLike.Win32.Backdoor.ch HackTool.CobaltStrike HackTool/Win32.Cobalt Trojan.Application.HackTool.CobaltStrike.1 HackTool.Win32.Cobalt.k HackTool/Win32.Cobalt.R197271 TrojanDownloader.Agresbeak RiskWare.HackTool Riskware.HackTool!t96XHdFe7u4 W32/CobaltStrike_Beacon.A!tr Win32/Application.Hacktool.e79", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: 
Trojan/W32.Cobalt.196608": [[44, 68]], "Indicator: Trojan.Conbea": [[69, 82]], "Indicator: Win.Tool.CobaltStrike-6336852-0": [[83, 114]], "Indicator: HackTool.Win32.Cobalt.k": [[115, 138], [307, 330]], "Indicator: Trojan.Win32.Cobalt.egtrej": [[139, 165]], "Indicator: BackDoor.Meterpreter.42": [[166, 189]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[190, 219]], "Indicator: HackTool.CobaltStrike": [[220, 241]], "Indicator: HackTool/Win32.Cobalt": [[242, 263]], "Indicator: Trojan.Application.HackTool.CobaltStrike.1": [[264, 306]], "Indicator: HackTool/Win32.Cobalt.R197271": [[331, 360]], "Indicator: TrojanDownloader.Agresbeak": [[361, 387]], "Indicator: RiskWare.HackTool": [[388, 405]], "Indicator: Riskware.HackTool!t96XHdFe7u4": [[406, 435]], "Indicator: W32/CobaltStrike_Beacon.A!tr": [[436, 464]], "Indicator: Win32/Application.Hacktool.e79": [[465, 495]]}, "info": {"id": "cyner2_5class_train_02631", "source": "cyner2_5class_train"}} +{"text": "Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": {}, "info": {"id": "cyner2_5class_train_02632", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D1A90 Win32.Trojan.Kryptik.afz Trojan.Proxy2.1039 BehavesLike.Win32.BadFile.lc Trojan-Dropper.Win32.Injector TR/Obfuscated.sarli Trojan:Win32/Riern.M TScope.Malware-Cryptor.SB Win32/Trojan.Downloader.9c1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D1A90": [[26, 46]], "Indicator: Win32.Trojan.Kryptik.afz": [[47, 71]], "Indicator: Trojan.Proxy2.1039": [[72, 90]], "Indicator: BehavesLike.Win32.BadFile.lc": [[91, 119]], "Indicator: Trojan-Dropper.Win32.Injector": [[120, 149]], "Indicator: TR/Obfuscated.sarli": [[150, 169]], "Indicator: Trojan:Win32/Riern.M": [[170, 190]], "Indicator: TScope.Malware-Cryptor.SB": [[191, 216]], "Indicator: Win32/Trojan.Downloader.9c1": [[217, 244]]}, "info": {"id": "cyner2_5class_train_02633", "source": "cyner2_5class_train"}} +{"text": 
"Talos has named this malware KONNI.", "spans": {"Organization: Talos": [[0, 5]], "Malware: malware KONNI.": [[21, 35]]}, "info": {"id": "cyner2_5class_train_02634", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.MiniFtp.A Server-FTP.Win32.MiniFTP!O Backdoor.Banito.Win32.283 Backdoor/Banito.nk Application.MiniFtp.A Win32.Trojan.WisdomEyes.16070401.9500.9964 W32/VirTool.CJ Win.Trojan.Miniftp-1 Application.MiniFtp.A not-a-virus:Server-FTP.Win32.MiniFTP.c Application.MiniFtp.A Trojan.Win32.Banito.xnaq Backdoor.Win32.Banito.81920[h] Application.MiniFtp.A Backdoor.Win32.Banito.nk0 BackDoor.Bandito.2207 W32/Tool.XUIH-6856 Hacktool.Miniftp APPL/MiniFTP.A RiskWare[Server-FTP]/Win32.MiniFTP.c Backdoor.W32.Banito.lx25 Backdoor:Win32/Shesmi.A Unwanted/Win32.MiniFTP.R63415 Backdoor.Sdbot!9v31gLa9+gE Backdoor.Win32.Formador.b W32/FTPMini.A!tr Bck/Formador.B Win32/Backdoor.662", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.MiniFtp.A": [[26, 47], [120, 141], [221, 242], [282, 303], [360, 381]], "Indicator: Server-FTP.Win32.MiniFTP!O": [[48, 74]], "Indicator: Backdoor.Banito.Win32.283": [[75, 100]], "Indicator: Backdoor/Banito.nk": [[101, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[142, 184]], "Indicator: W32/VirTool.CJ": [[185, 199]], "Indicator: Win.Trojan.Miniftp-1": [[200, 220]], "Indicator: not-a-virus:Server-FTP.Win32.MiniFTP.c": [[243, 281]], "Indicator: Trojan.Win32.Banito.xnaq": [[304, 328]], "Indicator: Backdoor.Win32.Banito.81920[h]": [[329, 359]], "Indicator: Backdoor.Win32.Banito.nk0": [[382, 407]], "Indicator: BackDoor.Bandito.2207": [[408, 429]], "Indicator: W32/Tool.XUIH-6856": [[430, 448]], "Indicator: Hacktool.Miniftp": [[449, 465]], "Indicator: APPL/MiniFTP.A": [[466, 480]], "Indicator: RiskWare[Server-FTP]/Win32.MiniFTP.c": [[481, 517]], "Indicator: Backdoor.W32.Banito.lx25": [[518, 542]], "Indicator: Backdoor:Win32/Shesmi.A": [[543, 566]], "Indicator: Unwanted/Win32.MiniFTP.R63415": 
[[567, 596]], "Indicator: Backdoor.Sdbot!9v31gLa9+gE": [[597, 623]], "Indicator: Backdoor.Win32.Formador.b": [[624, 649]], "Indicator: W32/FTPMini.A!tr": [[650, 666]], "Indicator: Bck/Formador.B": [[667, 681]], "Indicator: Win32/Backdoor.662": [[682, 700]]}, "info": {"id": "cyner2_5class_train_02635", "source": "cyner2_5class_train"}} +{"text": "Table 5 describes the latest variant seen in AutoFocus .", "spans": {}, "info": {"id": "cyner2_5class_train_02636", "source": "cyner2_5class_train"}} +{"text": "This pulse includes indicators from this analysis, and indicators from other campaigns that employ related malware.", "spans": {"Organization: pulse": [[5, 10]], "Indicator: indicators": [[20, 30], [55, 65]], "Malware: malware.": [[107, 115]]}, "info": {"id": "cyner2_5class_train_02637", "source": "cyner2_5class_train"}} +{"text": "READ_SMS - Allows the application to read text messages .", "spans": {}, "info": {"id": "cyner2_5class_train_02638", "source": "cyner2_5class_train"}} +{"text": "We refer to this group of attackers as Moonlight, after the name the attackers chose for one of their command-and-control domains.", "spans": {"Indicator: command-and-control domains.": [[102, 130]]}, "info": {"id": "cyner2_5class_train_02639", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Endowerpo Win32.Trojan.WisdomEyes.16070401.9500.9987 Backdoor.Industroyer Win32.Backdoor.Industroyer.F Trojan.Win32.Industroyer.c Trojan.Win32.Industroyer.136704.A Trojan.Industroyer.5 Trojan.Industroyer.Win32.3 Trojan.Industroyer.b Trojan.Win32.Industroyer.c Trojan:Win32/CrashOverride.A Trojan/Win32.Industroyer.R202380 Trojan.Industroyer Trojan.Industroyer!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Endowerpo": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[43, 85]], "Indicator: Backdoor.Industroyer": [[86, 106]], "Indicator: Win32.Backdoor.Industroyer.F": [[107, 135]], "Indicator: Trojan.Win32.Industroyer.c": [[136, 
162], [266, 292]], "Indicator: Trojan.Win32.Industroyer.136704.A": [[163, 196]], "Indicator: Trojan.Industroyer.5": [[197, 217]], "Indicator: Trojan.Industroyer.Win32.3": [[218, 244]], "Indicator: Trojan.Industroyer.b": [[245, 265]], "Indicator: Trojan:Win32/CrashOverride.A": [[293, 321]], "Indicator: Trojan/Win32.Industroyer.R202380": [[322, 354]], "Indicator: Trojan.Industroyer": [[355, 373]], "Indicator: Trojan.Industroyer!": [[374, 393]]}, "info": {"id": "cyner2_5class_train_02640", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Delf.RAN Downloader.Delf.Win32.2328 Trojan.Downloader.Delf.RAN W32/Trojan2.JVAP Downloader.MisleadApp Win.Trojan.Adpclient-2 Trojan.Downloader.Delf.RAN Trojan.Win32.Delf.crqcbd Troj.Downloader.W32.Delf.spu!c Trojan.Downloader.Delf.RAN TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.Downloader.Delf.RAN Trojan.DownLoad.32205 Trojan.Win32.Adpclient Trojan.Downloader.Delf.RAN Trojan/Win32.Xema.C73230 Trojan.Downloader.Delf.RAN Trojan.DL.Delf!ywDF9K4Uqh8 Trojan/Win32.lssj.2cc.rgrk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Delf.RAN": [[26, 52], [80, 106], [169, 195], [252, 278], [322, 348], [394, 420], [446, 472]], "Indicator: Downloader.Delf.Win32.2328": [[53, 79]], "Indicator: W32/Trojan2.JVAP": [[107, 123]], "Indicator: Downloader.MisleadApp": [[124, 145]], "Indicator: Win.Trojan.Adpclient-2": [[146, 168]], "Indicator: Trojan.Win32.Delf.crqcbd": [[196, 220]], "Indicator: Troj.Downloader.W32.Delf.spu!c": [[221, 251]], "Indicator: TrojWare.Win32.TrojanDownloader.Murlo.~JH2": [[279, 321]], "Indicator: Trojan.DownLoad.32205": [[349, 370]], "Indicator: Trojan.Win32.Adpclient": [[371, 393]], "Indicator: Trojan/Win32.Xema.C73230": [[421, 445]], "Indicator: Trojan.DL.Delf!ywDF9K4Uqh8": [[473, 499]], "Indicator: Trojan/Win32.lssj.2cc.rgrk": [[500, 526]]}, "info": {"id": "cyner2_5class_train_02641", "source": "cyner2_5class_train"}} +{"text": "The SLocker family is one of 
the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.", "spans": {"Malware: The SLocker family": [[0, 18]], "Malware: oldest mobile lock screen and file-encrypting ransomware": [[33, 89]], "Organization: enforcement agencies": [[118, 138]]}, "info": {"id": "cyner2_5class_train_02642", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BAT/Runner.AV BehavesLike.Win32.Downloader.hh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: BAT/Runner.AV": [[69, 82]], "Indicator: BehavesLike.Win32.Downloader.hh": [[83, 114]]}, "info": {"id": "cyner2_5class_train_02643", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader:MSIL/Faksost.B!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader:MSIL/Faksost.B!bit": [[26, 61]]}, "info": {"id": "cyner2_5class_train_02644", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.Win32.Servu!O Exploit.Win32.Servu.ab Exploit.Win32.Servu.dxeal Exploit.W32.Servu.ab!c Win32.Trojan.Inject.Auto Trojan.Starter.973 Exploit.Servu.Win32.15 Muster.c Trojan:Win32/Cryptrun.A W32/ServU.AB!exploit Trojan[Exploit]/Win32.Servu Trojan.Win32.Exploit.45056[h] Exploit.Win32.Servu.ab Trojan:Win32/Cryptrun.A Muster.c Exploit.Servu Exploit.Servu!ffzFcMCTx/E Exploit.Win32.Servu Exploit.DUB Trj/ServU.GM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Win32.Servu!O": [[26, 47]], "Indicator: Exploit.Win32.Servu.ab": [[48, 70], [299, 321]], "Indicator: Exploit.Win32.Servu.dxeal": [[71, 96]], "Indicator: Exploit.W32.Servu.ab!c": [[97, 119]], "Indicator: Win32.Trojan.Inject.Auto": [[120, 144]], "Indicator: Trojan.Starter.973": [[145, 163]], "Indicator: Exploit.Servu.Win32.15": [[164, 186]], "Indicator: Muster.c": [[187, 195], [346, 354]], 
"Indicator: Trojan:Win32/Cryptrun.A": [[196, 219], [322, 345]], "Indicator: W32/ServU.AB!exploit": [[220, 240]], "Indicator: Trojan[Exploit]/Win32.Servu": [[241, 268]], "Indicator: Trojan.Win32.Exploit.45056[h]": [[269, 298]], "Indicator: Exploit.Servu": [[355, 368]], "Indicator: Exploit.Servu!ffzFcMCTx/E": [[369, 394]], "Indicator: Exploit.Win32.Servu": [[395, 414]], "Indicator: Exploit.DUB": [[415, 426]], "Indicator: Trj/ServU.GM": [[427, 439]]}, "info": {"id": "cyner2_5class_train_02645", "source": "cyner2_5class_train"}} +{"text": "From there , infected phones display illegitimate ads and install fraudulent apps after certain events , such as rebooting , the screen turning on or off , a detection that the user is present , or a change in Internet connectivity .", "spans": {}, "info": {"id": "cyner2_5class_train_02646", "source": "cyner2_5class_train"}} +{"text": "We analysed the XData code and found two host-based kill-switches one of them is about detecting an antivirus running on an infected machine.", "spans": {"Malware: XData code": [[16, 26]], "Indicator: host-based kill-switches": [[41, 65]], "System: antivirus": [[100, 109]], "System: infected machine.": [[124, 141]]}, "info": {"id": "cyner2_5class_train_02647", "source": "cyner2_5class_train"}} +{"text": "There's no vulnerability involved.", "spans": {}, "info": {"id": "cyner2_5class_train_02648", "source": "cyner2_5class_train"}} +{"text": "More recently, we have also seen an increase in activity targeting Ukraine.", "spans": {}, "info": {"id": "cyner2_5class_train_02649", "source": "cyner2_5class_train"}} +{"text": "The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.", "spans": {}, "info": {"id": "cyner2_5class_train_02650", "source": "cyner2_5class_train"}} +{"text": "These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and 
elsewhere in Gulf states.", "spans": {"Indicator: attacks,": [[6, 14]], "System: computers": [[98, 107]], "Organization: government": [[124, 134]], "Organization: civil organizations": [[139, 158]]}, "info": {"id": "cyner2_5class_train_02651", "source": "cyner2_5class_train"}} +{"text": "Our findings show that Rocket Kitten is still active, retains a growing level of persistence, and acts ever more aggressively in terms of attack method.", "spans": {"Indicator: attack method.": [[138, 152]]}, "info": {"id": "cyner2_5class_train_02652", "source": "cyner2_5class_train"}} +{"text": "However , analysts may not always see the indicators of compromise in the server ’ s response .", "spans": {}, "info": {"id": "cyner2_5class_train_02653", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.StartPage.311296.F Trojan.Senphiv.A W32/MalwareS.ZPG VBDloader.E TROJ_DLOAD.SMT Trojan.Win32.StartPage.fss TrojWare.Win32.Pincav.IAD TROJ_DLOAD.SMT TrojanDownloader:Win32/Senphiv.A Downloader/Win32.VB W32/Risk.QGTQ-7423 Trojan-Downloader.Win32.Senphiv W32/StartPage.CTK!tr Trj/StartPage.DAW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.StartPage.311296.F": [[26, 55]], "Indicator: Trojan.Senphiv.A": [[56, 72]], "Indicator: W32/MalwareS.ZPG": [[73, 89]], "Indicator: VBDloader.E": [[90, 101]], "Indicator: TROJ_DLOAD.SMT": [[102, 116], [170, 184]], "Indicator: Trojan.Win32.StartPage.fss": [[117, 143]], "Indicator: TrojWare.Win32.Pincav.IAD": [[144, 169]], "Indicator: TrojanDownloader:Win32/Senphiv.A": [[185, 217]], "Indicator: Downloader/Win32.VB": [[218, 237]], "Indicator: W32/Risk.QGTQ-7423": [[238, 256]], "Indicator: Trojan-Downloader.Win32.Senphiv": [[257, 288]], "Indicator: W32/StartPage.CTK!tr": [[289, 309]], "Indicator: Trj/StartPage.DAW": [[310, 327]]}, "info": {"id": "cyner2_5class_train_02654", "source": "cyner2_5class_train"}} +{"text": "In earlier versions , the something part of the relative path was a partially intelligible , 
yet random mix of words and short combinations of letters and numbers separated by an underscore , for example , “ bee_bomb ” or “ my_te2_mms ” .", "spans": {}, "info": {"id": "cyner2_5class_train_02655", "source": "cyner2_5class_train"}} +{"text": "] 87:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner2_5class_train_02656", "source": "cyner2_5class_train"}} +{"text": "Category: Unit 42 Tags: CVE-2012-0158, Downloader, QuasarRAT, Subaat", "spans": {"Organization: Unit 42": [[10, 17]], "Indicator: CVE-2012-0158,": [[24, 38]], "Malware: Downloader, QuasarRAT, Subaat": [[39, 68]]}, "info": {"id": "cyner2_5class_train_02657", "source": "cyner2_5class_train"}} +{"text": "This means that the only thing possible in this case is to replace its DEX file .", "spans": {}, "info": {"id": "cyner2_5class_train_02658", "source": "cyner2_5class_train"}} +{"text": "Analysis of this malware is presented to provide the computer network defense CND community with indicators of this malware.", "spans": {"Malware: malware": [[17, 24]], "Organization: computer network defense CND community": [[53, 91]], "Indicator: indicators": [[97, 107]], "Malware: malware.": [[116, 124]]}, "info": {"id": "cyner2_5class_train_02659", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.BadJoke!O W32/Cietas.B@MM Win.Joke.Bomov-1 Hoax.Win32.BadJoke.Cierrame Riskware.Win32.Cierrame.hpzm Joke.Win32.Cierrame.A Trojan.Tetas Backdoor.PePatch.Win32.18825 not-virus:Joke.Win32.Cierrame HackTool[Hoax]/Win32.Cierrame Win32.Joke.Cierrame.kcloud Hoax.Win32.BadJoke.Cierrame Win-AppCare/Badjoke.274432 Win32/Cierrame.A Win32.Trojan-psw.Badjoke.Ajbz Hoax.Win32.BadJoke.Cierrame", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.BadJoke!O": [[26, 46]], "Indicator: W32/Cietas.B@MM": [[47, 62]], "Indicator: Win.Joke.Bomov-1": [[63, 79]], "Indicator: Hoax.Win32.BadJoke.Cierrame": [[80, 107], [288, 315], [390, 417]], "Indicator: 
Riskware.Win32.Cierrame.hpzm": [[108, 136]], "Indicator: Joke.Win32.Cierrame.A": [[137, 158]], "Indicator: Trojan.Tetas": [[159, 171]], "Indicator: Backdoor.PePatch.Win32.18825": [[172, 200]], "Indicator: not-virus:Joke.Win32.Cierrame": [[201, 230]], "Indicator: HackTool[Hoax]/Win32.Cierrame": [[231, 260]], "Indicator: Win32.Joke.Cierrame.kcloud": [[261, 287]], "Indicator: Win-AppCare/Badjoke.274432": [[316, 342]], "Indicator: Win32/Cierrame.A": [[343, 359]], "Indicator: Win32.Trojan-psw.Badjoke.Ajbz": [[360, 389]]}, "info": {"id": "cyner2_5class_train_02660", "source": "cyner2_5class_train"}} +{"text": "Operation Armageddon, active since at least mid-2013, exposes a cyber espionage campaign devised to provide a military advantage to Russian leadership by targeting Ukrainian government, law enforcement, and military officials in order to steal information that can provide insight into near term Ukrainian intentions and plans.", "spans": {"Malware: at": [[35, 37]], "Indicator: cyber espionage campaign": [[64, 88]], "Organization: Russian leadership": [[132, 150]], "Organization: Ukrainian government, law enforcement, and military officials": [[164, 225]], "Indicator: steal": [[238, 243]], "Indicator: information": [[244, 255]]}, "info": {"id": "cyner2_5class_train_02661", "source": "cyner2_5class_train"}} +{"text": "That method relied on enterprise certificates from Apple—which are costly, since the certificates needed are changed very frequently.", "spans": {"Indicator: method": [[5, 11]], "Indicator: enterprise": [[22, 32]], "Organization: Apple—which": [[51, 62]]}, "info": {"id": "cyner2_5class_train_02662", "source": "cyner2_5class_train"}} +{"text": "They are distributed from polluted DNS domains that send a notification to an unknowing victim ’ s device .", "spans": {}, "info": {"id": "cyner2_5class_train_02663", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.316D Trojan/Buzus.yca W32/Trojan2.EHHN Win.Trojan.Buzus-3134 
Trojan.Win32.Buzus.bohnlg Trojan.Packed.650 BehavesLike.Win32.Ramnit.tc W32/Trojan.ACNM-2721 Troj.W32.Buzus.yca!c Trojan/Win32.Buzus.C104217 Trojan-PWS.Win32.IMMultiPass Win32/Application.1b1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.316D": [[26, 43]], "Indicator: Trojan/Buzus.yca": [[44, 60]], "Indicator: W32/Trojan2.EHHN": [[61, 77]], "Indicator: Win.Trojan.Buzus-3134": [[78, 99]], "Indicator: Trojan.Win32.Buzus.bohnlg": [[100, 125]], "Indicator: Trojan.Packed.650": [[126, 143]], "Indicator: BehavesLike.Win32.Ramnit.tc": [[144, 171]], "Indicator: W32/Trojan.ACNM-2721": [[172, 192]], "Indicator: Troj.W32.Buzus.yca!c": [[193, 213]], "Indicator: Trojan/Win32.Buzus.C104217": [[214, 240]], "Indicator: Trojan-PWS.Win32.IMMultiPass": [[241, 269]], "Indicator: Win32/Application.1b1": [[270, 291]]}, "info": {"id": "cyner2_5class_train_02664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Application.Alphaeon.4 Win32.Trojan.WisdomEyes.16070401.9500.9952 Trojan.Proxy2.1030 BehavesLike.Win32.AdwareConvertAd.gh Trojan:Win32/Vkhost.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Application.Alphaeon.4": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9952": [[56, 98]], "Indicator: Trojan.Proxy2.1030": [[99, 117]], "Indicator: BehavesLike.Win32.AdwareConvertAd.gh": [[118, 154]], "Indicator: Trojan:Win32/Vkhost.B": [[155, 176]]}, "info": {"id": "cyner2_5class_train_02665", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HaluosysLTU.Trojan Trojan-Spy/W32.ZBot.358400.V Trojan.Buzus.Win32.114137 Trojan/Spy.Zbot.aao Win32.Trojan.WisdomEyes.16070401.9500.9607 Trojan.Win32.Winlock.cqkdnb TrojWare.Win32.Injector.AHSP Trojan.Winlock.8004 TrojanSpy.Zbot.diqw Trojan/Win32.Buzus TrojanDownloader:Win32/Dimegup.A Trojan/Win32.Zbot.R69076 TScope.Malware-Cryptor.SB Win32/Spy.Zbot.AAO TrojanSpy.Zbot!SJBAuE7A31M Trojan.Win32.Ransom", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: W32.HaluosysLTU.Trojan": [[26, 48]], "Indicator: Trojan-Spy/W32.ZBot.358400.V": [[49, 77]], "Indicator: Trojan.Buzus.Win32.114137": [[78, 103]], "Indicator: Trojan/Spy.Zbot.aao": [[104, 123]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9607": [[124, 166]], "Indicator: Trojan.Win32.Winlock.cqkdnb": [[167, 194]], "Indicator: TrojWare.Win32.Injector.AHSP": [[195, 223]], "Indicator: Trojan.Winlock.8004": [[224, 243]], "Indicator: TrojanSpy.Zbot.diqw": [[244, 263]], "Indicator: Trojan/Win32.Buzus": [[264, 282]], "Indicator: TrojanDownloader:Win32/Dimegup.A": [[283, 315]], "Indicator: Trojan/Win32.Zbot.R69076": [[316, 340]], "Indicator: TScope.Malware-Cryptor.SB": [[341, 366]], "Indicator: Win32/Spy.Zbot.AAO": [[367, 385]], "Indicator: TrojanSpy.Zbot!SJBAuE7A31M": [[386, 412]], "Indicator: Trojan.Win32.Ransom": [[413, 432]]}, "info": {"id": "cyner2_5class_train_02666", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small.aggy Trojan-Downloader.Win32.Small.aggy DLOADER.Trojan TrojanDownloader:Win32/Yellsob.A Trojan.PSW.Win32.GameOL.tbi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Small.aggy": [[26, 60], [61, 95]], "Indicator: DLOADER.Trojan": [[96, 110]], "Indicator: TrojanDownloader:Win32/Yellsob.A": [[111, 143]], "Indicator: Trojan.PSW.Win32.GameOL.tbi": [[144, 171]]}, "info": {"id": "cyner2_5class_train_02667", "source": "cyner2_5class_train"}} +{"text": "Following we can see an example of a connection to port 6209 which is used to extract data from the Telegram app .", "spans": {"Indicator: port 6209": [[51, 60]], "System: Telegram": [[100, 108]]}, "info": {"id": "cyner2_5class_train_02668", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Perseus.MSIL Trojan.Ransomcrypt.AE TR/Samas.orhr Trojan.MSILPerseus.D4B2D Ransom:MSIL/Samas.A Trj/GdSda.A Trojan.MSIL.Filecoder", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.Perseus.MSIL": [[26, 45]], "Indicator: Trojan.Ransomcrypt.AE": [[46, 67]], "Indicator: TR/Samas.orhr": [[68, 81]], "Indicator: Trojan.MSILPerseus.D4B2D": [[82, 106]], "Indicator: Ransom:MSIL/Samas.A": [[107, 126]], "Indicator: Trj/GdSda.A": [[127, 138]], "Indicator: Trojan.MSIL.Filecoder": [[139, 160]]}, "info": {"id": "cyner2_5class_train_02669", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.KryptikCRTD.Win32.11290 Trojan.Dropper.166 Win32.Trojan.WisdomEyes.16070401.9500.9769 Trojan.Win32.Dapato.enqgpq Win32.Trojan.Kryptik.Pdwn TrojWare.Win32.Spy.Tewgol.A BackDoor.Radmin.150 W32.Trojan.Dropper TR/Fuery.znvrd Dropper/Win32.Dapato.C1935389 Malware-Cryptor.Limpopo Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.KryptikCRTD.Win32.11290": [[26, 56]], "Indicator: Trojan.Dropper.166": [[57, 75]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9769": [[76, 118]], "Indicator: Trojan.Win32.Dapato.enqgpq": [[119, 145]], "Indicator: Win32.Trojan.Kryptik.Pdwn": [[146, 171]], "Indicator: TrojWare.Win32.Spy.Tewgol.A": [[172, 199]], "Indicator: BackDoor.Radmin.150": [[200, 219]], "Indicator: W32.Trojan.Dropper": [[220, 238]], "Indicator: TR/Fuery.znvrd": [[239, 253]], "Indicator: Dropper/Win32.Dapato.C1935389": [[254, 283]], "Indicator: Malware-Cryptor.Limpopo": [[284, 307]], "Indicator: Trj/CI.A": [[308, 316]]}, "info": {"id": "cyner2_5class_train_02670", "source": "cyner2_5class_train"}} +{"text": "WithSecure has revealed the latest details of the DUCKTAIL malware operation, which was previously described by Deep Instinct Threat Lab as a strategic threat that was being tested to avoid detection.", "spans": {"Organization: WithSecure": [[0, 10]], "Malware: the DUCKTAIL malware": [[46, 66]], "Organization: Deep Instinct Threat Lab": [[112, 136]], "Malware: threat": [[152, 158]]}, "info": {"id": "cyner2_5class_train_02671", "source": "cyner2_5class_train"}} +{"text": "This organization is also working on 
interception technology .", "spans": {}, "info": {"id": "cyner2_5class_train_02672", "source": "cyner2_5class_train"}} +{"text": "Website owners find the classical blog format too restrictive, use the plugin to add custom elements to their posts.", "spans": {}, "info": {"id": "cyner2_5class_train_02673", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.SennaOneMaker!O TROJ_SENNAONEMAKER_0000000.TOMA Win32.Trojan.RSP.b W32/Trojan.FIW Backdoor.SubSeven Win32/RSP.A TROJ_SENNAONEMAKER_0000000.TOMA Win.Trojan.Win-52 Trojan.Win32.SennaOneMaker.dxcclv Backdoor.Win32.HostCtrl.253674 TrojWare.Win32.RSP.A Trojan.MulDrop.8 W32/Trojan.UUJQ-7044 TrojanDropper.Win32.RSP.a TR/Multidropper.A Trojan[Dropper]/Win32.SennaOneMaker Win32.Troj.RSP.a.kcloud Troj.Dropper.W32.SennaOneMaker.lcEu TrojanDropper:Win32/SennaOneMaker.A Dropper/SennaOneMaker.6556 TrojanDropper.SennaOneMaker Trj/Sennaonemaker.B Trojan.DR.SennaOneMaker!laIkEqmRI+A W32/SennaOneMaker.V20!tr.dr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.SennaOneMaker!O": [[26, 62]], "Indicator: TROJ_SENNAONEMAKER_0000000.TOMA": [[63, 94], [159, 190]], "Indicator: Win32.Trojan.RSP.b": [[95, 113]], "Indicator: W32/Trojan.FIW": [[114, 128]], "Indicator: Backdoor.SubSeven": [[129, 146]], "Indicator: Win32/RSP.A": [[147, 158]], "Indicator: Win.Trojan.Win-52": [[191, 208]], "Indicator: Trojan.Win32.SennaOneMaker.dxcclv": [[209, 242]], "Indicator: Backdoor.Win32.HostCtrl.253674": [[243, 273]], "Indicator: TrojWare.Win32.RSP.A": [[274, 294]], "Indicator: Trojan.MulDrop.8": [[295, 311]], "Indicator: W32/Trojan.UUJQ-7044": [[312, 332]], "Indicator: TrojanDropper.Win32.RSP.a": [[333, 358]], "Indicator: TR/Multidropper.A": [[359, 376]], "Indicator: Trojan[Dropper]/Win32.SennaOneMaker": [[377, 412]], "Indicator: Win32.Troj.RSP.a.kcloud": [[413, 436]], "Indicator: Troj.Dropper.W32.SennaOneMaker.lcEu": [[437, 472]], "Indicator: TrojanDropper:Win32/SennaOneMaker.A": [[473, 
508]], "Indicator: Dropper/SennaOneMaker.6556": [[509, 535]], "Indicator: TrojanDropper.SennaOneMaker": [[536, 563]], "Indicator: Trj/Sennaonemaker.B": [[564, 583]], "Indicator: Trojan.DR.SennaOneMaker!laIkEqmRI+A": [[584, 619]], "Indicator: W32/SennaOneMaker.V20!tr.dr": [[620, 647]]}, "info": {"id": "cyner2_5class_train_02674", "source": "cyner2_5class_train"}} +{"text": "Further research revealed a connection between these attacks and members of the so-called Gaza Hackers Team. We refer to this campaign as Molerats.", "spans": {}, "info": {"id": "cyner2_5class_train_02675", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: virus.office.qexvmc.1075", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: virus.office.qexvmc.1075": [[26, 50]]}, "info": {"id": "cyner2_5class_train_02676", "source": "cyner2_5class_train"}} +{"text": "The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device .", "spans": {"System: Android Accessibility": [[20, 41]]}, "info": {"id": "cyner2_5class_train_02677", "source": "cyner2_5class_train"}} +{"text": "Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number .", "spans": {}, "info": {"id": "cyner2_5class_train_02678", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/VB.aaa W32/MalwareF.JYOH Spyware.Keylogger Trojan.Win32.VB.butwpn W32.W.VB.aaa!c Win32.Worm-im.Vb.Pbfr W32/Retomo.worm W32/Risk.KAPY-3991 Trojan:Win32/Kxhack.B WORM/VB.aaa Trojan:Win32/Kxhack.B W32/Retomo.worm Worm.VB!zIluMBtcaN8 IM-Worm.Win32.VB W32/Retomo.AAA!worm.im Win32/Worm.cc6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/VB.aaa": [[26, 36]], "Indicator: W32/MalwareF.JYOH": [[37, 54]], "Indicator: Spyware.Keylogger": [[55, 72]], "Indicator: Trojan.Win32.VB.butwpn": [[73, 95]], "Indicator: W32.W.VB.aaa!c": [[96, 110]], "Indicator: Win32.Worm-im.Vb.Pbfr": [[111, 132]], "Indicator: 
W32/Retomo.worm": [[133, 148], [224, 239]], "Indicator: W32/Risk.KAPY-3991": [[149, 167]], "Indicator: Trojan:Win32/Kxhack.B": [[168, 189], [202, 223]], "Indicator: WORM/VB.aaa": [[190, 201]], "Indicator: Worm.VB!zIluMBtcaN8": [[240, 259]], "Indicator: IM-Worm.Win32.VB": [[260, 276]], "Indicator: W32/Retomo.AAA!worm.im": [[277, 299]], "Indicator: Win32/Worm.cc6": [[300, 314]]}, "info": {"id": "cyner2_5class_train_02679", "source": "cyner2_5class_train"}} +{"text": "Conclusion This trojan shows a new path for threats to evolve .", "spans": {}, "info": {"id": "cyner2_5class_train_02680", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLT250912NLAJIR.Trojan Rootkit.Win32.TDSS!O Trojan.Fsysna Trojan/TDSS.rhu TSPY_DOWNLOADER_BK220264.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TSPY_DOWNLOADER_BK220264.TOMC Win.Downloader.Pangu-2 Trojan.Win32.Fsysna.epjv Trojan.Win32.TDSS.bkqey Trojan.Win32.Tdss.37888.H Troj.W32.Fsysna!c BackDoor.Tdss.3314 Rootkit.TDSS.Win32.3904 BehavesLike.Win32.Msposer.nh Trojan/DDos.af W32.Malware.Downloader Trojan[Rootkit]/Win32.TDSS Win32.TrojDownloader.wk.kcloud Trojan.Symmi.D1492 Trojan.Win32.Fsysna.epjv TrojanDownloader:Win32/Mypo.A Trojan/Win32.Tdss.C50395 Rootkit.TDSS Win32.Trojan.Fsysna.Hros Rootkit.TDSS!r3YXF8ZrJBY W32/TDSS.RHU!tr.rkit Win32/Trojan.f75", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLT250912NLAJIR.Trojan": [[26, 58]], "Indicator: Rootkit.Win32.TDSS!O": [[59, 79]], "Indicator: Trojan.Fsysna": [[80, 93]], "Indicator: Trojan/TDSS.rhu": [[94, 109]], "Indicator: TSPY_DOWNLOADER_BK220264.TOMC": [[110, 139], [203, 232]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[140, 182]], "Indicator: Infostealer.Gampass": [[183, 202]], "Indicator: Win.Downloader.Pangu-2": [[233, 255]], "Indicator: Trojan.Win32.Fsysna.epjv": [[256, 280], [536, 560]], "Indicator: Trojan.Win32.TDSS.bkqey": [[281, 304]], "Indicator: Trojan.Win32.Tdss.37888.H": [[305, 330]], 
"Indicator: Troj.W32.Fsysna!c": [[331, 348]], "Indicator: BackDoor.Tdss.3314": [[349, 367]], "Indicator: Rootkit.TDSS.Win32.3904": [[368, 391]], "Indicator: BehavesLike.Win32.Msposer.nh": [[392, 420]], "Indicator: Trojan/DDos.af": [[421, 435]], "Indicator: W32.Malware.Downloader": [[436, 458]], "Indicator: Trojan[Rootkit]/Win32.TDSS": [[459, 485]], "Indicator: Win32.TrojDownloader.wk.kcloud": [[486, 516]], "Indicator: Trojan.Symmi.D1492": [[517, 535]], "Indicator: TrojanDownloader:Win32/Mypo.A": [[561, 590]], "Indicator: Trojan/Win32.Tdss.C50395": [[591, 615]], "Indicator: Rootkit.TDSS": [[616, 628]], "Indicator: Win32.Trojan.Fsysna.Hros": [[629, 653]], "Indicator: Rootkit.TDSS!r3YXF8ZrJBY": [[654, 678]], "Indicator: W32/TDSS.RHU!tr.rkit": [[679, 699]], "Indicator: Win32/Trojan.f75": [[700, 716]]}, "info": {"id": "cyner2_5class_train_02681", "source": "cyner2_5class_train"}} +{"text": "In the 2016 version , the value of the User-Agent header changed , as did the method of generating the relative path in the URL : now the part before /index.php is a mix of a pronounceable ( if not entirely meaningful ) word and random letters and numbers , for example , “ muromec280j9tqeyjy5sm1qy71 ” or “ parabbelumf8jgybdd6w0qa0 ” .", "spans": {"Indicator: muromec280j9tqeyjy5sm1qy71": [[274, 300]], "Indicator: parabbelumf8jgybdd6w0qa0": [[308, 332]]}, "info": {"id": "cyner2_5class_train_02682", "source": "cyner2_5class_train"}} +{"text": "Instead of ALL American spam recipients receiving the malware, however, only those whose email ends in the country code .us received this malware.", "spans": {"Indicator: spam": [[24, 28]], "Indicator: recipients": [[29, 39]], "Malware: malware,": [[54, 62]], "Indicator: only those whose email ends in the country code .us": [[72, 123]], "Malware: malware.": [[138, 146]]}, "info": {"id": "cyner2_5class_train_02683", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WsExplorer.Worm Virus.Win32.VB!O W32/Autorun.worm.h 
Win32.Trojan.VB.c Infostealer.Gampass Win32/Jampork.D WORM_VB.DVP Virus.Win32.VB.bu Virus.Win32.VB.unsvo Trojan.Win32.PSWIGames.36864.M Virus.VB.Win32.87 WORM_VB.DVP BehavesLike.Win32.VBObfus.cz Trojan/PSW.Jianghu.ei W32/VB.BU Virus/Win32.VB.bu Trojan.Heur.EED21E7 W32.VB.tngk Virus.Win32.VB.bu Worm:Win32/Jampork.A Trojan/Win32.OnlineGameHack.R868 TScope.Trojan.VB W32/VB.ADO Trojan.Win32.VB.mss Virus.Win32.VB.bu W32/VB.BU!tr Win32/Worm.VB.V", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WsExplorer.Worm": [[26, 45]], "Indicator: Virus.Win32.VB!O": [[46, 62]], "Indicator: W32/Autorun.worm.h": [[63, 81]], "Indicator: Win32.Trojan.VB.c": [[82, 99]], "Indicator: Infostealer.Gampass": [[100, 119]], "Indicator: Win32/Jampork.D": [[120, 135]], "Indicator: WORM_VB.DVP": [[136, 147], [236, 247]], "Indicator: Virus.Win32.VB.bu": [[148, 165], [359, 376], [479, 496]], "Indicator: Virus.Win32.VB.unsvo": [[166, 186]], "Indicator: Trojan.Win32.PSWIGames.36864.M": [[187, 217]], "Indicator: Virus.VB.Win32.87": [[218, 235]], "Indicator: BehavesLike.Win32.VBObfus.cz": [[248, 276]], "Indicator: Trojan/PSW.Jianghu.ei": [[277, 298]], "Indicator: W32/VB.BU": [[299, 308]], "Indicator: Virus/Win32.VB.bu": [[309, 326]], "Indicator: Trojan.Heur.EED21E7": [[327, 346]], "Indicator: W32.VB.tngk": [[347, 358]], "Indicator: Worm:Win32/Jampork.A": [[377, 397]], "Indicator: Trojan/Win32.OnlineGameHack.R868": [[398, 430]], "Indicator: TScope.Trojan.VB": [[431, 447]], "Indicator: W32/VB.ADO": [[448, 458]], "Indicator: Trojan.Win32.VB.mss": [[459, 478]], "Indicator: W32/VB.BU!tr": [[497, 509]], "Indicator: Win32/Worm.VB.V": [[510, 525]]}, "info": {"id": "cyner2_5class_train_02684", "source": "cyner2_5class_train"}} +{"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining .", "spans": {}, "info": {"id": "cyner2_5class_train_02685", "source": "cyner2_5class_train"}} +{"text": "Cybercriminals have become obsessed by this method of 
illegal earnings : at the beginning of the year we knew only 67 banking Trojans , but by the end of the year there were already 1321 unique samples .", "spans": {}, "info": {"id": "cyner2_5class_train_02686", "source": "cyner2_5class_train"}} +{"text": "If the device gets locked , the malware can ’ t unlock it .", "spans": {}, "info": {"id": "cyner2_5class_train_02687", "source": "cyner2_5class_train"}} +{"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn ’ t .", "spans": {}, "info": {"id": "cyner2_5class_train_02688", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32/TrojanDownloader.AutoHK.AN BackDoor.Bladabindi.13678 BehavesLike.Win32.Downloader.fc Trojan-Downloader.Win32.Autohk Trojan.Reconyc.eur TR/AD.AhkDldr.tstej Trojan/MSIL.Disfa TrojanDownloader:Win32/AutoHK.A!bit Trojan.Cossta", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Win32/TrojanDownloader.AutoHK.AN": [[65, 97]], "Indicator: BackDoor.Bladabindi.13678": [[98, 123]], "Indicator: BehavesLike.Win32.Downloader.fc": [[124, 155]], "Indicator: Trojan-Downloader.Win32.Autohk": [[156, 186]], "Indicator: Trojan.Reconyc.eur": [[187, 205]], "Indicator: TR/AD.AhkDldr.tstej": [[206, 225]], "Indicator: Trojan/MSIL.Disfa": [[226, 243]], "Indicator: TrojanDownloader:Win32/AutoHK.A!bit": [[244, 279]], "Indicator: Trojan.Cossta": [[280, 293]]}, "info": {"id": "cyner2_5class_train_02689", "source": "cyner2_5class_train"}} +{"text": "This could be an indicator of the massive cyber attack preparation before the National Holidays in Ukraine.", "spans": {"Indicator: indicator": [[17, 26]], "Indicator: cyber attack": [[42, 54]], "Organization: the National Holidays": [[74, 95]]}, "info": {"id": "cyner2_5class_train_02690", "source": "cyner2_5class_train"}} 
+{"text": "Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "spans": {"Indicator: embedded code": [[38, 51]], "Indicator: stealing data": [[92, 105]], "Malware: installing ransomware": [[109, 130]], "System: victims' systems.": [[134, 151]]}, "info": {"id": "cyner2_5class_train_02691", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.IRCBot W32.Spybot.Worm Win.Exploit.Fnstenv_mov-1 BehavesLike.Win32.Downloader.mc W32.Hack.Tool EXP/MS06-040.B HackTool:Win32/Lpdexpl.A Backdoor.IRCBot Trj/CI.A Exploit.MS05-017!2vyTKSxF9zk Win32/Trojan.Exploit.8b7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.IRCBot": [[26, 41], [170, 185]], "Indicator: W32.Spybot.Worm": [[42, 57]], "Indicator: Win.Exploit.Fnstenv_mov-1": [[58, 83]], "Indicator: BehavesLike.Win32.Downloader.mc": [[84, 115]], "Indicator: W32.Hack.Tool": [[116, 129]], "Indicator: EXP/MS06-040.B": [[130, 144]], "Indicator: HackTool:Win32/Lpdexpl.A": [[145, 169]], "Indicator: Trj/CI.A": [[186, 194]], "Indicator: Exploit.MS05-017!2vyTKSxF9zk": [[195, 223]], "Indicator: Win32/Trojan.Exploit.8b7": [[224, 248]]}, "info": {"id": "cyner2_5class_train_02692", "source": "cyner2_5class_train"}} +{"text": "Security firm Kaspersky has published a new blog regarding a backdoor that was deployed through the supply chain attack on 3CX, in combination with an info-stealer.", "spans": {"Organization: Security firm Kaspersky": [[0, 23]], "Malware: backdoor": [[61, 69]], "Indicator: the supply chain attack": [[96, 119]], "Organization: 3CX,": [[123, 127]], "Malware: info-stealer.": [[151, 164]]}, "info": {"id": "cyner2_5class_train_02693", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TisroparLTAAH.Trojan Trojan.Ruandmel Trojan.Heur.FU.E2E781 Win32.Trojan.WisdomEyes.16070401.9500.9922 TROJ_GAUDOX.SM TrojWare.Win32.Ruandmel.AG Trojan.Inject2.57861 
TROJ_GAUDOX.SM BehavesLike.Win32.Trojan.kh TrojanDropper.Injector.bkgu Trojan:Win32/Ruandmel.A!bit Trojan/Win32.Dynamer.C1318203 Hoax.Blocker Trojan.MalPack Trojan.Blocker!KJVutD4QUXc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TisroparLTAAH.Trojan": [[26, 50]], "Indicator: Trojan.Ruandmel": [[51, 66]], "Indicator: Trojan.Heur.FU.E2E781": [[67, 88]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9922": [[89, 131]], "Indicator: TROJ_GAUDOX.SM": [[132, 146], [195, 209]], "Indicator: TrojWare.Win32.Ruandmel.AG": [[147, 173]], "Indicator: Trojan.Inject2.57861": [[174, 194]], "Indicator: BehavesLike.Win32.Trojan.kh": [[210, 237]], "Indicator: TrojanDropper.Injector.bkgu": [[238, 265]], "Indicator: Trojan:Win32/Ruandmel.A!bit": [[266, 293]], "Indicator: Trojan/Win32.Dynamer.C1318203": [[294, 323]], "Indicator: Hoax.Blocker": [[324, 336]], "Indicator: Trojan.MalPack": [[337, 351]], "Indicator: Trojan.Blocker!KJVutD4QUXc": [[352, 378]]}, "info": {"id": "cyner2_5class_train_02694", "source": "cyner2_5class_train"}} +{"text": "Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python.", "spans": {"Malware: SeaDuke": [[10, 17]], "Malware: trojan": [[30, 36]], "System: Python.": [[87, 94]]}, "info": {"id": "cyner2_5class_train_02695", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.RepakMiner.94720 Trojan.CoinMiner.Win32.220 Trojan/CoinMiner.ej Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.Win32.RepakMiner.pgm Trojan.Win32.RepakMiner.csnwjo Win32.Trojan.Repakminer.Pezd Trojan.BtcMine.119 Trojan/RepakMiner.c Trojan/Win32.RepakMiner Trojan:Win32/Tarcloin.G Trojan.Zusy.DEA69 Trojan.Win32.RepakMiner.pgm Trojan/Win32.RepakMiner.C189719 Trojan.RepakMiner Win32/CoinMiner.EJ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.RepakMiner.94720": [[26, 53]], "Indicator: Trojan.CoinMiner.Win32.220": [[54, 80]], "Indicator: Trojan/CoinMiner.ej": [[81, 100]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9936": [[101, 143]], "Indicator: Trojan.Win32.RepakMiner.pgm": [[144, 171], [337, 364]], "Indicator: Trojan.Win32.RepakMiner.csnwjo": [[172, 202]], "Indicator: Win32.Trojan.Repakminer.Pezd": [[203, 231]], "Indicator: Trojan.BtcMine.119": [[232, 250]], "Indicator: Trojan/RepakMiner.c": [[251, 270]], "Indicator: Trojan/Win32.RepakMiner": [[271, 294]], "Indicator: Trojan:Win32/Tarcloin.G": [[295, 318]], "Indicator: Trojan.Zusy.DEA69": [[319, 336]], "Indicator: Trojan/Win32.RepakMiner.C189719": [[365, 396]], "Indicator: Trojan.RepakMiner": [[397, 414]], "Indicator: Win32/CoinMiner.EJ": [[415, 433]]}, "info": {"id": "cyner2_5class_train_02696", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.B172C45D Win.Trojan.Autorun-15347 Worm.Win32.AutoRun.cgfw Trojan.Win32.AutoRun.gzlvd Worm.W32.Autorun!c Trojan.MulDrop4.47 TROJ_GE.B172C45D BehavesLike.Win32.Dropper.tc Worm.Win32.Honditost Worm/AutoRun.allw Worm/Win32.AutoRun Worm:Win32/Honditost.A Worm.Win32.AutoRun.cgfw Worm.AutoRun Worm.AutoRun!5JHcPe4YmAc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: TROJ_GE.B172C45D": [[69, 85], [200, 216]], "Indicator: Win.Trojan.Autorun-15347": [[86, 110]], "Indicator: Worm.Win32.AutoRun.cgfw": [[111, 134], [327, 350]], "Indicator: Trojan.Win32.AutoRun.gzlvd": [[135, 161]], "Indicator: Worm.W32.Autorun!c": [[162, 180]], "Indicator: Trojan.MulDrop4.47": [[181, 199]], "Indicator: BehavesLike.Win32.Dropper.tc": [[217, 245]], "Indicator: Worm.Win32.Honditost": [[246, 266]], "Indicator: Worm/AutoRun.allw": [[267, 284]], "Indicator: Worm/Win32.AutoRun": [[285, 303]], "Indicator: Worm:Win32/Honditost.A": [[304, 326]], "Indicator: Worm.AutoRun": [[351, 363]], "Indicator: Worm.AutoRun!5JHcPe4YmAc": [[364, 388]]}, "info": {"id": "cyner2_5class_train_02697", "source": "cyner2_5class_train"}} +{"text": "Previous 
versions were storing config values within the variables of a class , while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis : isAccessibility time_work time_start_permission url_inj Conclusion Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information .", "spans": {"System: Anubis": [[186, 192]], "Malware: Ginp": [[262, 266]]}, "info": {"id": "cyner2_5class_train_02698", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.P2p.Vance.A Worm.Vance.Win32.2 W32/Vance.a WORM_VANCE.T Win32.Trojan.WisdomEyes.16070401.9500.9978 W32/P2PWorm.DU W32.SillyP2P WORM_VANCE.T Worm.P2p.Vance.A P2P-Worm.Win32.Vance.a Worm.P2p.Vance.A Trojan.Win32.Vance.eofq W32.W.Vance.a!c Worm.P2p.Vance.A Worm.P2p.Vance.A Win32.HLLW.Vance Worm.Win32.Vance W32/P2P_Worm.XQZJ-6276 Worm/Vance.c Worm:Win32/Vance.A WORM/Vance.A Worm[P2P]/Win32.Vance Worm.P2p.Vance.A P2P-Worm.Win32.Vance.a Worm:Win32/Vance.A Worm.P2p.Vance.A Worm.Vance Trj/CI.A Win32/Vance.A Win32.Worm-p2p.Vance.Svrm Worm.P2P.Vance!6yBrY3ioCyI W32/Vance.A!worm.p2p", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.P2p.Vance.A": [[26, 42], [171, 187], [211, 227], [268, 284], [285, 301], [426, 442], [485, 501]], "Indicator: Worm.Vance.Win32.2": [[43, 61]], "Indicator: W32/Vance.a": [[62, 73]], "Indicator: WORM_VANCE.T": [[74, 86], [158, 170]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9978": [[87, 129]], "Indicator: W32/P2PWorm.DU": [[130, 144]], "Indicator: W32.SillyP2P": [[145, 157]], "Indicator: P2P-Worm.Win32.Vance.a": [[188, 210], [443, 465]], "Indicator: Trojan.Win32.Vance.eofq": [[228, 251]], "Indicator: W32.W.Vance.a!c": [[252, 267]], "Indicator: Win32.HLLW.Vance": [[302, 318]], "Indicator: Worm.Win32.Vance": [[319, 335]], "Indicator: W32/P2P_Worm.XQZJ-6276": [[336, 358]], "Indicator: Worm/Vance.c": [[359, 371]], "Indicator: 
Worm:Win32/Vance.A": [[372, 390], [466, 484]], "Indicator: WORM/Vance.A": [[391, 403]], "Indicator: Worm[P2P]/Win32.Vance": [[404, 425]], "Indicator: Worm.Vance": [[502, 512]], "Indicator: Trj/CI.A": [[513, 521]], "Indicator: Win32/Vance.A": [[522, 535]], "Indicator: Win32.Worm-p2p.Vance.Svrm": [[536, 561]], "Indicator: Worm.P2P.Vance!6yBrY3ioCyI": [[562, 588]], "Indicator: W32/Vance.A!worm.p2p": [[589, 609]]}, "info": {"id": "cyner2_5class_train_02699", "source": "cyner2_5class_train"}} +{"text": "The operation is very quick and quiet.", "spans": {}, "info": {"id": "cyner2_5class_train_02700", "source": "cyner2_5class_train"}} +{"text": "EXECUTIVE SUMMARY Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family .", "spans": {"Organization: Cisco Talos": [[18, 29]], "Malware: DenDroid": [[90, 98]]}, "info": {"id": "cyner2_5class_train_02701", "source": "cyner2_5class_train"}} +{"text": "Bedep was known to be the notorious ad fraud malware and vawtrak is a banking trojan following the success of Zeus.", "spans": {"Malware: Bedep": [[0, 5]], "Malware: fraud malware": [[39, 52]], "Malware: vawtrak": [[57, 64]], "Malware: banking trojan": [[70, 84]], "Malware: Zeus.": [[110, 115]]}, "info": {"id": "cyner2_5class_train_02702", "source": "cyner2_5class_train"}} +{"text": "So far, the malware primarily affects iOS users in mainland China and Taiwan.", "spans": {"Malware: malware": [[12, 19]], "Organization: iOS users": [[38, 47]]}, "info": {"id": "cyner2_5class_train_02703", "source": "cyner2_5class_train"}} +{"text": "A Trojan for Linux that was named Linux.Mirai has several predecessors.", "spans": {"System: Linux": [[13, 18]], "Indicator: Linux.Mirai": [[34, 45]]}, "info": {"id": "cyner2_5class_train_02704", "source": "cyner2_5class_train"}} +{"text": "This spambot, commonly downloaded by the Andromeda malware, has been observed delivering pharmaceutical industry spam as well as further propagating the main Andromeda bot.", 
"spans": {"Malware: spambot,": [[5, 13]], "Malware: Andromeda malware,": [[41, 59]], "Organization: pharmaceutical industry": [[89, 112]], "Indicator: spam": [[113, 117]], "Malware: Andromeda bot.": [[158, 172]]}, "info": {"id": "cyner2_5class_train_02705", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Delf!O Backdoor.Delf.Win32.12791 W32/Backdoor.ZRKL-8278 Backdoor.Trojan Trojan.Win32.Delf.iuqg Win32.Backdoor.Delf.Sxnw Trojan.PWS.Banker.26677 Trojan-Spy.Banker W32/Backdoor2.CTBF Backdoor/Delf.hfo Trojan[Backdoor]/Win32.Delf Trojan:Win32/Braba.D Trojan.UserStartup.EB690C Trojan/Win32.Delf.R104794 TScope.Trojan.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Delf!O": [[26, 47]], "Indicator: Backdoor.Delf.Win32.12791": [[48, 73]], "Indicator: W32/Backdoor.ZRKL-8278": [[74, 96]], "Indicator: Backdoor.Trojan": [[97, 112]], "Indicator: Trojan.Win32.Delf.iuqg": [[113, 135]], "Indicator: Win32.Backdoor.Delf.Sxnw": [[136, 160]], "Indicator: Trojan.PWS.Banker.26677": [[161, 184]], "Indicator: Trojan-Spy.Banker": [[185, 202]], "Indicator: W32/Backdoor2.CTBF": [[203, 221]], "Indicator: Backdoor/Delf.hfo": [[222, 239]], "Indicator: Trojan[Backdoor]/Win32.Delf": [[240, 267]], "Indicator: Trojan:Win32/Braba.D": [[268, 288]], "Indicator: Trojan.UserStartup.EB690C": [[289, 314]], "Indicator: Trojan/Win32.Delf.R104794": [[315, 340]], "Indicator: TScope.Trojan.Delf": [[341, 359]]}, "info": {"id": "cyner2_5class_train_02706", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Downloader.ALJ Pua.Downloader Win32.Trojan.WisdomEyes.16070401.9500.9999 Application.Downloader.ALJ Application.Downloader.ALJ Trojan.Win32.Z.Downloader.179560 Application.Downloader.ALJ BehavesLike.Win32.Downloader.ch Application.Downloader.ALJ Application.Downloader.Alj!c Trj/CI.A Win32/Application.Downloader.dad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Downloader.ALJ": [[26, 52], 
[111, 137], [138, 164], [198, 224], [257, 283]], "Indicator: Pua.Downloader": [[53, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[68, 110]], "Indicator: Trojan.Win32.Z.Downloader.179560": [[165, 197]], "Indicator: BehavesLike.Win32.Downloader.ch": [[225, 256]], "Indicator: Application.Downloader.Alj!c": [[284, 312]], "Indicator: Trj/CI.A": [[313, 321]], "Indicator: Win32/Application.Downloader.dad": [[322, 354]]}, "info": {"id": "cyner2_5class_train_02707", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Foreign!O Trojan.Foreign Win32.Trojan.WisdomEyes.16070401.9500.9823 Win32/Ransom.ANJ Ransom_Foreign.R039C0DKF17 Trojan-Ransom.Win32.Foreign.wy Troj.Ransom.W32!c Win32.Trojan.Foreign.Wqdm Trojan.DownLoad2.55226 Trojan.Foreign.Win32.208 Ransom_Foreign.R039C0DKF17 BehavesLike.Win32.Dropper.cc Trojan.Foreign.ays Trojan[Ransom]/Win32.Foreign Trojan.Graftor.D35EB Trojan.Win32.A.Foreign.142848[UPX] Trojan-Ransom.Win32.Foreign.wy Trojan:Win32/Ransirac.A Trojan/Win32.Foreign.R20679 Hoax.Foreign Trojan.Foreign!cDyTfOA7GhM Win32/Trojan.7b3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Foreign!O": [[26, 55]], "Indicator: Trojan.Foreign": [[56, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9823": [[71, 113]], "Indicator: Win32/Ransom.ANJ": [[114, 130]], "Indicator: Ransom_Foreign.R039C0DKF17": [[131, 157], [281, 307]], "Indicator: Trojan-Ransom.Win32.Foreign.wy": [[158, 188], [441, 471]], "Indicator: Troj.Ransom.W32!c": [[189, 206]], "Indicator: Win32.Trojan.Foreign.Wqdm": [[207, 232]], "Indicator: Trojan.DownLoad2.55226": [[233, 255]], "Indicator: Trojan.Foreign.Win32.208": [[256, 280]], "Indicator: BehavesLike.Win32.Dropper.cc": [[308, 336]], "Indicator: Trojan.Foreign.ays": [[337, 355]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[356, 384]], "Indicator: Trojan.Graftor.D35EB": [[385, 405]], "Indicator: Trojan.Win32.A.Foreign.142848[UPX]": [[406, 440]], "Indicator: 
Trojan:Win32/Ransirac.A": [[472, 495]], "Indicator: Trojan/Win32.Foreign.R20679": [[496, 523]], "Indicator: Hoax.Foreign": [[524, 536]], "Indicator: Trojan.Foreign!cDyTfOA7GhM": [[537, 563]], "Indicator: Win32/Trojan.7b3": [[564, 580]]}, "info": {"id": "cyner2_5class_train_02708", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan.Spy.Eawf BehavesLike.Win32.Trojan.qm W32/Trojan.NEXM-1236 Trojan.MSILKrypt.4 TrojanSpy:MSIL/Fitin.A Trojan.MSIL.Spy Trj/GdSda.A Win32/Trojan.948", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win32.Trojan.Spy.Eawf": [[69, 90]], "Indicator: BehavesLike.Win32.Trojan.qm": [[91, 118]], "Indicator: W32/Trojan.NEXM-1236": [[119, 139]], "Indicator: Trojan.MSILKrypt.4": [[140, 158]], "Indicator: TrojanSpy:MSIL/Fitin.A": [[159, 181]], "Indicator: Trojan.MSIL.Spy": [[182, 197]], "Indicator: Trj/GdSda.A": [[198, 209]], "Indicator: Win32/Trojan.948": [[210, 226]]}, "info": {"id": "cyner2_5class_train_02709", "source": "cyner2_5class_train"}} +{"text": "The Scarcruft Group aka APT37, a North Korean APT group, is believed to have been active since 2016 and continues to carry out attacks against institutions and political organizations around the world until 2023.", "spans": {"Indicator: attacks": [[127, 134]], "Organization: institutions": [[143, 155]], "Organization: political organizations": [[160, 183]]}, "info": {"id": "cyner2_5class_train_02710", "source": "cyner2_5class_train"}} +{"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f 
26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898 5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f Command & Controls ad1.fbsba [ .", "spans": {"Malware: Exodus": [[49, 55]], "Malware: Exodus One": [[113, 123], [164, 174], [1085, 1095]], 
"Indicator: 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820": [[175, 239]], "Indicator: 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5": [[240, 304]], "Indicator: 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f": [[305, 369]], "Indicator: 26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55": [[370, 434]], "Indicator: 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802": [[435, 499]], "Indicator: 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba": [[500, 564]], "Indicator: 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898": [[565, 629]], "Indicator: 5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149": [[630, 694]], "Indicator: 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0": [[695, 759]], "Indicator: 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62": [[760, 824]], "Indicator: 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884": [[825, 889]], "Indicator: a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f": [[890, 954]], "Indicator: db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f": [[955, 1019]], "Indicator: e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b": [[1020, 1084]], "Indicator: com.phonecarrier.linecheck rm.rf": [[1110, 1142]], "Indicator: operatore.italia it.offertetelefonicheperte": [[1143, 1186]], "Indicator: it.servizipremium": [[1187, 1204]], "Indicator: assistenza.sim": [[1205, 1219]], "Indicator: assistenza.linea.riattiva": [[1220, 1245]], "Indicator: assistenza.linea": [[1246, 1262]], "Indicator: it.promofferte": [[1263, 1277]], "Malware: Exodus Two": [[1278, 1288], [1419, 1429]], "Indicator: 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b": [[1289, 1353]], "Indicator: a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e": [[1354, 1418]], "Indicator: 
00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4": [[1444, 1508]], "Indicator: 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59": [[1509, 1573]], "Indicator: 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6": [[1574, 1638]], "Indicator: 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33": [[1639, 1703]], "Indicator: 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5": [[1704, 1768]], "Indicator: 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8": [[1769, 1833]], "Indicator: 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88": [[1834, 1898]], "Indicator: 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a": [[1899, 1963]], "Indicator: b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7": [[1964, 2028]], "Indicator: c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658": [[2029, 2093]], "Indicator: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": [[2094, 2158]], "Indicator: e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f": [[2159, 2223]], "Indicator: ad1.fbsba [ .": [[2243, 2256]]}, "info": {"id": "cyner2_5class_train_02711", "source": "cyner2_5class_train"}} +{"text": "FakeSpy is under active development and is evolving rapidly ; new versions are released every week with additional evasion techniques and capabilities .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_02712", "source": "cyner2_5class_train"}} +{"text": "LOWBALL abuses the Dropbox cloud storage service for command and control CnC.", "spans": {"Malware: LOWBALL": [[0, 7]], "Vulnerability: Dropbox cloud storage service": [[19, 48]], "Indicator: command and control CnC.": [[53, 77]]}, "info": {"id": "cyner2_5class_train_02713", "source": "cyner2_5class_train"}} +{"text": "Malware data leak When we analyzed the sample , we realized that the malware operators left the remote database with some of the 
victims ’ data freely accessible , without any authentication .", "spans": {}, "info": {"id": "cyner2_5class_train_02714", "source": "cyner2_5class_train"}} +{"text": "The initial infection vector in this attack is not clear, but it results in installing the Downeks downloader, which in turn infects the victim computer with the Quasar RAT.", "spans": {"Indicator: infection vector": [[12, 28]], "Indicator: attack": [[37, 43]], "Malware: the Downeks downloader,": [[87, 110]], "System: computer": [[144, 152]], "Malware: the Quasar RAT.": [[158, 173]]}, "info": {"id": "cyner2_5class_train_02715", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.NSIS Trojan.Zbot.Win32.160494 Win32.Trojan.WisdomEyes.16070401.9500.9957 TROJ_SPNR.15AE15 Trojan-Spy.Win32.Zbot.sbfu Trojan.Win32.Zbot.dtpiom TrojWare.Win32.CnzzBot.DAQ Trojan.Fakealert.47485 TROJ_SPNR.15AE15 Trojan[Spy]/Win32.Zbot.sbfu Trojan-Spy.Win32.Zbot.sbfu TrojanSpy.Zbot W32/CnzzBot.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.NSIS": [[26, 45]], "Indicator: Trojan.Zbot.Win32.160494": [[46, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9957": [[71, 113]], "Indicator: TROJ_SPNR.15AE15": [[114, 130], [233, 249]], "Indicator: Trojan-Spy.Win32.Zbot.sbfu": [[131, 157], [278, 304]], "Indicator: Trojan.Win32.Zbot.dtpiom": [[158, 182]], "Indicator: TrojWare.Win32.CnzzBot.DAQ": [[183, 209]], "Indicator: Trojan.Fakealert.47485": [[210, 232]], "Indicator: Trojan[Spy]/Win32.Zbot.sbfu": [[250, 277]], "Indicator: TrojanSpy.Zbot": [[305, 319]], "Indicator: W32/CnzzBot.A!tr": [[320, 336]]}, "info": {"id": "cyner2_5class_train_02716", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameXEA.Trojan Trojan.Dropper.TJD Trojan.Dropper.TJD Trojan.Dropper.TJD Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Dropper.AYXX Trojan.Dropper.TJD Worm.Win32.AutoRun.gpog Trojan.Dropper.TJD Trojan.Dropper.TJD Trojan.Win32.Wimpixo Trojan:Win32/Wimpixo.B 
Trojan:Win32/Wimpixo.B Worm.Win32.AutoRun.gpog BScope.Trojan-Spy.Zbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameXEA.Trojan": [[26, 46]], "Indicator: Trojan.Dropper.TJD": [[47, 65], [66, 84], [85, 103], [164, 182], [207, 225], [226, 244]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[104, 146]], "Indicator: W32/Dropper.AYXX": [[147, 163]], "Indicator: Worm.Win32.AutoRun.gpog": [[183, 206], [312, 335]], "Indicator: Trojan.Win32.Wimpixo": [[245, 265]], "Indicator: Trojan:Win32/Wimpixo.B": [[266, 288], [289, 311]], "Indicator: BScope.Trojan-Spy.Zbot": [[336, 358]]}, "info": {"id": "cyner2_5class_train_02717", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Win32.Trojan.WisdomEyes.16070401.9500.9995 Win.Trojan.Mono-15 Trojan.Win32.OnLineGames.fcdid TrojWare.Win32.TrojanSpy.Pophot.d Trojan.PWS.Gamania.5803 BehavesLike.Win32.Ransom.lc Trojan/PSW.OnLineGames.kdn Win32.Hack.UpackT.a.15981 Trojan.Graftor.Elzob.D185D Troj.Heur.bmLerbcan7diu.moF3 Trj/Pupack.A Trojan.Win32.PSW Win32/Trojan.d9e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[26, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[63, 105]], "Indicator: Win.Trojan.Mono-15": [[106, 124]], "Indicator: Trojan.Win32.OnLineGames.fcdid": [[125, 155]], "Indicator: TrojWare.Win32.TrojanSpy.Pophot.d": [[156, 189]], "Indicator: Trojan.PWS.Gamania.5803": [[190, 213]], "Indicator: BehavesLike.Win32.Ransom.lc": [[214, 241]], "Indicator: Trojan/PSW.OnLineGames.kdn": [[242, 268]], "Indicator: Win32.Hack.UpackT.a.15981": [[269, 294]], "Indicator: Trojan.Graftor.Elzob.D185D": [[295, 321]], "Indicator: Troj.Heur.bmLerbcan7diu.moF3": [[322, 350]], "Indicator: Trj/Pupack.A": [[351, 363]], "Indicator: Trojan.Win32.PSW": [[364, 380]], "Indicator: Win32/Trojan.d9e": [[381, 397]]}, "info": {"id": "cyner2_5class_train_02718", "source": "cyner2_5class_train"}} +{"text": "CONNECTION 
TO CHINA Chinese server infrastructure : FakeSpy applications send stolen information to C2 domains with .club TLDs and URLs ending with /servlet/ [ C2 Command ] ( mentioned above in the “ Stealing Sensitive Information ” section ) .", "spans": {"Malware: FakeSpy": [[52, 59]], "Indicator: .club TLDs": [[116, 126]], "Indicator: /servlet/ [ C2 Command ]": [[148, 172]]}, "info": {"id": "cyner2_5class_train_02719", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Elzob!O Trojan.Crastic.B Trojan.Heur.BmGfrb243Kiib W32.Imaut Trojan.Win32.Popuper.bfzygk Trojan.Popuper.42424 W32.Infostealer.Zeus HEUR/Fakon.mwf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Elzob!O": [[26, 46]], "Indicator: Trojan.Crastic.B": [[47, 63]], "Indicator: Trojan.Heur.BmGfrb243Kiib": [[64, 89]], "Indicator: W32.Imaut": [[90, 99]], "Indicator: Trojan.Win32.Popuper.bfzygk": [[100, 127]], "Indicator: Trojan.Popuper.42424": [[128, 148]], "Indicator: W32.Infostealer.Zeus": [[149, 169]], "Indicator: HEUR/Fakon.mwf": [[170, 184]]}, "info": {"id": "cyner2_5class_train_02720", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.NFEP-4133 Trojan.DownLoader9.29630 DDoS:MSIL/Webxahr.A DDoS.MSIL.Webxahr W32/DoSAttack.C!tr Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.NFEP-4133": [[26, 46]], "Indicator: Trojan.DownLoader9.29630": [[47, 71]], "Indicator: DDoS:MSIL/Webxahr.A": [[72, 91]], "Indicator: DDoS.MSIL.Webxahr": [[92, 109]], "Indicator: W32/DoSAttack.C!tr": [[110, 128]], "Indicator: Win32/RootKit.Rootkit.7e5": [[129, 154]]}, "info": {"id": "cyner2_5class_train_02721", "source": "cyner2_5class_train"}} +{"text": "Clicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy APK , which is masquerading as a local postal service app .", "spans": {"Malware: FakeSpy": [[102, 109]]}, "info": {"id": "cyner2_5class_train_02722", 
"source": "cyner2_5class_train"}} +{"text": "Dridex has evolved, and now Dridex V4 uses Atom Bombing to perform process injection.", "spans": {"Malware: Dridex": [[0, 6]], "Malware: Dridex V4": [[28, 37]], "Indicator: Atom Bombing to perform process injection.": [[43, 85]]}, "info": {"id": "cyner2_5class_train_02723", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Exploit.Vb.R Exploit.Vb Exploit.VB.Win32.18 Trojan.Exploit.Vb.R Win32/Exploit.VB.R TROJ_VB.JUC Trojan.Exploit.Vb.R Exploit.Win32.VB.r Trojan.Exploit.Vb.R Exploit.W32.VB.r!c Trojan.Exploit.Vb.R Trojan.Exploit.Vb.R Trojan.Win32.Exploit Hacktool.SQL.54NB.a TR/Expl.VB.R Trojan[Exploit]/Win32.VB HackTool:Win32/Echoload.A Exploit.Win32.VB.r Trojan.Exploit.Vb.R Exploit.VB Win32.Exploit.Vb.Wsjr Exploit.VB!P1jmyBXhN28 W32/VB.R!exploit Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.Vb.R": [[26, 45], [77, 96], [128, 147], [167, 186], [206, 225], [226, 245], [370, 389]], "Indicator: Exploit.Vb": [[46, 56]], "Indicator: Exploit.VB.Win32.18": [[57, 76]], "Indicator: Win32/Exploit.VB.R": [[97, 115]], "Indicator: TROJ_VB.JUC": [[116, 127]], "Indicator: Exploit.Win32.VB.r": [[148, 166], [351, 369]], "Indicator: Exploit.W32.VB.r!c": [[187, 205]], "Indicator: Trojan.Win32.Exploit": [[246, 266]], "Indicator: Hacktool.SQL.54NB.a": [[267, 286]], "Indicator: TR/Expl.VB.R": [[287, 299]], "Indicator: Trojan[Exploit]/Win32.VB": [[300, 324]], "Indicator: HackTool:Win32/Echoload.A": [[325, 350]], "Indicator: Exploit.VB": [[390, 400]], "Indicator: Win32.Exploit.Vb.Wsjr": [[401, 422]], "Indicator: Exploit.VB!P1jmyBXhN28": [[423, 445]], "Indicator: W32/VB.R!exploit": [[446, 462]], "Indicator: Win32/Trojan.2ff": [[463, 479]]}, "info": {"id": "cyner2_5class_train_02724", "source": "cyner2_5class_train"}} +{"text": "The second parameter is a constant string “ POST ” , and the third parameter is a series of key-value pairs to be sent , assembled at runtime .", "spans": 
{}, "info": {"id": "cyner2_5class_train_02725", "source": "cyner2_5class_train"}} +{"text": "To get around this challenge , TrickMo ’ s developers added some new features to steal TANs using screen video recording and screen data scraping .", "spans": {"Malware: TrickMo": [[31, 38]]}, "info": {"id": "cyner2_5class_train_02726", "source": "cyner2_5class_train"}} +{"text": "The Winter Vivern Advanced Persistent Threat APT is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.", "spans": {"Organization: government": [[101, 111]], "Organization: private businesses,": [[116, 135]], "Organization: war": [[176, 179]]}, "info": {"id": "cyner2_5class_train_02727", "source": "cyner2_5class_train"}} +{"text": "One of the command and control C2 servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware family we're calling LockPoS.", "spans": {"Indicator: the command and control C2 servers": [[7, 41]], "Malware: new PoS malware family": [[150, 172]], "Malware: LockPoS.": [[187, 195]]}, "info": {"id": "cyner2_5class_train_02728", "source": "cyner2_5class_train"}} +{"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "cyner2_5class_train_02729", "source": "cyner2_5class_train"}} +{"text": "Check if chat apps are running In the above example , the malware is searching for Line , Facebook Messenger and WhatsApp activities .", "spans": {"System: Facebook Messenger": [[90, 108]], "System: WhatsApp": [[113, 121]]}, "info": {"id": "cyner2_5class_train_02730", "source": "cyner2_5class_train"}} +{"text": "Geopolitical analysts have suggested that the United States may have its own interests that involve thwarting Chinese ambitions in the region.", "spans": {"Organization: 
Geopolitical analysts": [[0, 21]], "Organization: Chinese ambitions": [[110, 127]]}, "info": {"id": "cyner2_5class_train_02731", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Kryptik.kqs Win32.Trojan.WisdomEyes.16070401.9500.9996 Tool.PassView.1838 Trojan.Kryptik.Win32.1246441 Worm.MSIL.Autorun Trojan.MSIL.Bladabindi.1 Trojan.MSIL.DOTHETUK Trj/CI.A Win32/Trojan.62b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Kryptik.kqs": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[45, 87]], "Indicator: Tool.PassView.1838": [[88, 106]], "Indicator: Trojan.Kryptik.Win32.1246441": [[107, 135]], "Indicator: Worm.MSIL.Autorun": [[136, 153]], "Indicator: Trojan.MSIL.Bladabindi.1": [[154, 178]], "Indicator: Trojan.MSIL.DOTHETUK": [[179, 199]], "Indicator: Trj/CI.A": [[200, 208]], "Indicator: Win32/Trojan.62b": [[209, 225]]}, "info": {"id": "cyner2_5class_train_02732", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.DarkKomet.Win32.23088 Trojan.Strictor.DF4F5 Win32.Trojan.WisdomEyes.16070401.9500.9970 Trojan.Win32.Zbot.deisvu Trojan.Hottrend.435 TR/Dropper.xzclg Trojan[Backdoor]/Win32.DarkKomet Trojan:Win32/Rombertik.C Backdoor.DarkKomet Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.DarkKomet.Win32.23088": [[26, 56]], "Indicator: Trojan.Strictor.DF4F5": [[57, 78]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9970": [[79, 121]], "Indicator: Trojan.Win32.Zbot.deisvu": [[122, 146]], "Indicator: Trojan.Hottrend.435": [[147, 166]], "Indicator: TR/Dropper.xzclg": [[167, 183]], "Indicator: Trojan[Backdoor]/Win32.DarkKomet": [[184, 216]], "Indicator: Trojan:Win32/Rombertik.C": [[217, 241]], "Indicator: Backdoor.DarkKomet": [[242, 260]], "Indicator: Trj/CI.A": [[261, 269]]}, "info": {"id": "cyner2_5class_train_02733", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ocna Trojan.Win32.Ocna.k Trojan.OcnaCRTD.Win32.4895 
TR/RemoteAdmin.tkpmq TrojanDropper:Win32/Jowbaki.A Trojan.Win32.Ocna.k Trojan.Ocna Trj/CI.A Win32/RA-based.AB Win32.Trojan.Ocna.Pgmm Win32/Trojan.388", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ocna": [[26, 37], [156, 167]], "Indicator: Trojan.Win32.Ocna.k": [[38, 57], [136, 155]], "Indicator: Trojan.OcnaCRTD.Win32.4895": [[58, 84]], "Indicator: TR/RemoteAdmin.tkpmq": [[85, 105]], "Indicator: TrojanDropper:Win32/Jowbaki.A": [[106, 135]], "Indicator: Trj/CI.A": [[168, 176]], "Indicator: Win32/RA-based.AB": [[177, 194]], "Indicator: Win32.Trojan.Ocna.Pgmm": [[195, 217]], "Indicator: Win32/Trojan.388": [[218, 234]]}, "info": {"id": "cyner2_5class_train_02734", "source": "cyner2_5class_train"}} +{"text": "The dates on the “ x ” axis show the dates when we first saw these apps in the wild .", "spans": {}, "info": {"id": "cyner2_5class_train_02735", "source": "cyner2_5class_train"}} +{"text": "I started by trying to find the sample that the blog post analyzed and I was able to find it submitted to the great sandboxing site of Hybrid Analysis Big Shutout to @PayloadSecurity for the great service.", "spans": {"Malware: sample": [[32, 38]], "Indicator: the great sandboxing site": [[106, 131]], "Organization: Hybrid Analysis": [[135, 150]], "Organization: @PayloadSecurity": [[166, 182]]}, "info": {"id": "cyner2_5class_train_02736", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ScriptKD.4274 Trojan.ScriptKD.4274 Trojan/Remtasu.f Win32.Trojan.WisdomEyes.16070401.9500.9859 W32/Trojan.QQOQ-8191 Trojan.ScriptKD.4274 Trojan.ScriptKD.4274 BehavesLike.Win32.Trojan.wc W64/Coinminer.N Trojan/Win32.Swisyn Trojan.ScriptKD.D10B2 Win32/CoinMiner.AFZ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ScriptKD.4274": [[26, 46], [47, 67], [149, 169], [170, 190]], "Indicator: Trojan/Remtasu.f": [[68, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9859": [[85, 127]], "Indicator: W32/Trojan.QQOQ-8191": [[128, 148]], 
"Indicator: BehavesLike.Win32.Trojan.wc": [[191, 218]], "Indicator: W64/Coinminer.N": [[219, 234]], "Indicator: Trojan/Win32.Swisyn": [[235, 254]], "Indicator: Trojan.ScriptKD.D10B2": [[255, 276]], "Indicator: Win32/CoinMiner.AFZ": [[277, 296]]}, "info": {"id": "cyner2_5class_train_02737", "source": "cyner2_5class_train"}} +{"text": "The malware encrypts files and the boot record of hard disks, leaving behind a ransomware note.", "spans": {"Malware: malware": [[4, 11]], "Indicator: encrypts files": [[12, 26]], "Indicator: boot record of hard disks,": [[35, 61]], "Malware: ransomware": [[79, 89]], "Indicator: note.": [[90, 95]]}, "info": {"id": "cyner2_5class_train_02738", "source": "cyner2_5class_train"}} +{"text": "This is done by opening the Google account creation process and parsing the current view .", "spans": {"Organization: Google": [[28, 34]]}, "info": {"id": "cyner2_5class_train_02739", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.EquationDrug Troj.W32.Equationdrug!c Win32.Trojan.WisdomEyes.16070401.9500.9689 Trojan.Win32.EquationDrug.evztli Trojan.Win32.Z.Equationdrug.102912 Trojan.EquationDrug.85 W32/Trojan.DLSV-8631 W32.Trojan.Equdrug TR/Dropper.bkecf Trojan/Win32.EquationDrug Trojan.EquationDrug.4 Trj/GdSda.A Win32.Trojan.Equationdrug.Pgmi Trojan.EquationDrug! 
Trojan.Win32.Equdrug Win32/Trojan.6ba", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.EquationDrug": [[26, 45]], "Indicator: Troj.W32.Equationdrug!c": [[46, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9689": [[70, 112]], "Indicator: Trojan.Win32.EquationDrug.evztli": [[113, 145]], "Indicator: Trojan.Win32.Z.Equationdrug.102912": [[146, 180]], "Indicator: Trojan.EquationDrug.85": [[181, 203]], "Indicator: W32/Trojan.DLSV-8631": [[204, 224]], "Indicator: W32.Trojan.Equdrug": [[225, 243]], "Indicator: TR/Dropper.bkecf": [[244, 260]], "Indicator: Trojan/Win32.EquationDrug": [[261, 286]], "Indicator: Trojan.EquationDrug.4": [[287, 308]], "Indicator: Trj/GdSda.A": [[309, 320]], "Indicator: Win32.Trojan.Equationdrug.Pgmi": [[321, 351]], "Indicator: Trojan.EquationDrug!": [[352, 372]], "Indicator: Trojan.Win32.Equdrug": [[373, 393]], "Indicator: Win32/Trojan.6ba": [[394, 410]]}, "info": {"id": "cyner2_5class_train_02740", "source": "cyner2_5class_train"}} +{"text": "In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit.", "spans": {"Malware: kit.": [[129, 133]]}, "info": {"id": "cyner2_5class_train_02741", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9872 Bloodhound.Malautoit TR/AD.DelfInject.twazy Trojan:Win32/Regub.A Zum.Locky.1 Zum.Locky.1 Zum.Locky.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9872": [[26, 68]], "Indicator: Bloodhound.Malautoit": [[69, 89]], "Indicator: TR/AD.DelfInject.twazy": [[90, 112]], "Indicator: Trojan:Win32/Regub.A": [[113, 133]], "Indicator: Zum.Locky.1": [[134, 145], [146, 157], [158, 169]]}, "info": {"id": "cyner2_5class_train_02742", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Cossta.icp Trojan.Mikey.D12734 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Banker-13888 
Virus.Win32.Lamer.kh Trojan.Win32.A.Cossta.65536.D Win32.Trojan.Cossta.bwce Trojan.DownLoader4.46980 BehavesLike.Win32.Downloader.ch Trojan/Cossta.bii Trojan/Win32.Cossta Win32.RabbitTail.b.2098552 Virus.Win32.Lamer.kh Trojan/Win32.Cossta.R23559 Trojan.Cossta Trojan.Win32.Cossta Win32/Trojan.ed9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Cossta.icp": [[26, 43]], "Indicator: Trojan.Mikey.D12734": [[44, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[64, 106]], "Indicator: Win.Trojan.Banker-13888": [[107, 130]], "Indicator: Virus.Win32.Lamer.kh": [[131, 151], [329, 349]], "Indicator: Trojan.Win32.A.Cossta.65536.D": [[152, 181]], "Indicator: Win32.Trojan.Cossta.bwce": [[182, 206]], "Indicator: Trojan.DownLoader4.46980": [[207, 231]], "Indicator: BehavesLike.Win32.Downloader.ch": [[232, 263]], "Indicator: Trojan/Cossta.bii": [[264, 281]], "Indicator: Trojan/Win32.Cossta": [[282, 301]], "Indicator: Win32.RabbitTail.b.2098552": [[302, 328]], "Indicator: Trojan/Win32.Cossta.R23559": [[350, 376]], "Indicator: Trojan.Cossta": [[377, 390]], "Indicator: Trojan.Win32.Cossta": [[391, 410]], "Indicator: Win32/Trojan.ed9": [[411, 427]]}, "info": {"id": "cyner2_5class_train_02743", "source": "cyner2_5class_train"}} +{"text": "This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware s victims.", "spans": {"Organization: NoMoreRansom": [[13, 25]], "Indicator: decryption keys": [[56, 71]], "Malware: ransomware": [[80, 90]], "Organization: victims.": [[93, 101]]}, "info": {"id": "cyner2_5class_train_02744", "source": "cyner2_5class_train"}} +{"text": "To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia.", "spans": {"Malware: Sowbug": [[9, 15]], "Organization: government": [[48, 58]], "Organization: organizations": [[124, 137]]}, "info": {"id": "cyner2_5class_train_02745", 
"source": "cyner2_5class_train"}} +{"text": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we've named SpyDealer which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature.", "spans": {"Organization: Palo Alto Networks researchers": [[10, 40]], "Malware: advanced Android malware": [[55, 79]], "Malware: SpyDealer": [[92, 101]], "System: apps": [[151, 155], [205, 209]], "Vulnerability: abusing the Android accessibility service feature.": [[213, 263]]}, "info": {"id": "cyner2_5class_train_02746", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan.ArchSMS.Win32.178 Win32/FakeInstall.BH Win.Trojan.Archsms-882 HEUR:Hoax.Win32.ArchSMS.HEUR Riskware.Win32.ArchSMS.dqovc ApplicUnwnt.Win32.Hoax.ArchSMS.E Tool.SMSSend.117 Trojan-Banker.Win32.Banbra TR/Zen.C HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Moxtrarch.A HEUR:Hoax.Win32.ArchSMS.HEUR Adware.VPets.121105 Hoax.ArchSMS!DSd5P3jaerI W32/ArchSMS.EF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.ArchSMS!O": [[26, 46]], "Indicator: Trojan.ArchSMS.Win32.178": [[47, 71]], "Indicator: Win32/FakeInstall.BH": [[72, 92]], "Indicator: Win.Trojan.Archsms-882": [[93, 115]], "Indicator: HEUR:Hoax.Win32.ArchSMS.HEUR": [[116, 144], [337, 365]], "Indicator: Riskware.Win32.ArchSMS.dqovc": [[145, 173]], "Indicator: ApplicUnwnt.Win32.Hoax.ArchSMS.E": [[174, 206]], "Indicator: Tool.SMSSend.117": [[207, 223]], "Indicator: Trojan-Banker.Win32.Banbra": [[224, 250]], "Indicator: TR/Zen.C": [[251, 259]], "Indicator: HackTool[Hoax]/Win32.ArchSMS": [[260, 288]], "Indicator: Win32.Troj.Hoax.kcloud": [[289, 311]], "Indicator: Trojan:Win32/Moxtrarch.A": [[312, 336]], "Indicator: Adware.VPets.121105": [[366, 385]], "Indicator: Hoax.ArchSMS!DSd5P3jaerI": [[386, 410]], "Indicator: W32/ArchSMS.EF!tr": [[411, 428]]}, "info": {"id": 
"cyner2_5class_train_02747", "source": "cyner2_5class_train"}} +{"text": "The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose.", "spans": {"Malware: The Rilide stealer": [[0, 18]], "Malware: malicious browser extensions": [[74, 102]]}, "info": {"id": "cyner2_5class_train_02748", "source": "cyner2_5class_train"}} +{"text": "The oldest sample we've seen up to now is from November 2013.", "spans": {}, "info": {"id": "cyner2_5class_train_02749", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Koobface Win32/Koobface.AKJ Trojan.Win32.Facebfr.cvvcfx Tool.Facebfr BehavesLike.Win32.Swisyn.kh SPR/HackFacebo.A Trojan.Kazy.DA8A0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Koobface": [[26, 43]], "Indicator: Win32/Koobface.AKJ": [[44, 62]], "Indicator: Trojan.Win32.Facebfr.cvvcfx": [[63, 90]], "Indicator: Tool.Facebfr": [[91, 103]], "Indicator: BehavesLike.Win32.Swisyn.kh": [[104, 131]], "Indicator: SPR/HackFacebo.A": [[132, 148]], "Indicator: Trojan.Kazy.DA8A0": [[149, 166]]}, "info": {"id": "cyner2_5class_train_02750", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Winupnemsys.Trojan Worm.Win32.Mefir!O Win32.Trojan.WisdomEyes.16070401.9500.9998 W32.SillyFDC Win32/Mefir.A Win.Worm.Autorun-316 Worm.Win32.Mefir.a Trojan.Win32.MLW.uvszt Worm.Win32.A.Mefir.143360 Win32.Virus.Mefir.Ectu Worm.Win32.Mefir.B Win32.HLLW.Autoruner.216 Worm.Mefir.Win32.3 Worm/Mefir.f Worm:Win32/Mefir.A Worm:Win32/Mefir.A Worm.Win32.Mefir.a W32/Mefir.A.worm Worm.Mefir!BwUbuvfvViU Worm.Win32.Mefir.a Win32/Trojan.d06", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Winupnemsys.Trojan": [[26, 48]], "Indicator: Worm.Win32.Mefir!O": [[49, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[68, 110]], "Indicator: W32.SillyFDC": [[111, 123]], "Indicator: Win32/Mefir.A": [[124, 137]], "Indicator: Win.Worm.Autorun-316": [[138, 158]], 
"Indicator: Worm.Win32.Mefir.a": [[159, 177], [364, 382], [423, 441]], "Indicator: Trojan.Win32.MLW.uvszt": [[178, 200]], "Indicator: Worm.Win32.A.Mefir.143360": [[201, 226]], "Indicator: Win32.Virus.Mefir.Ectu": [[227, 249]], "Indicator: Worm.Win32.Mefir.B": [[250, 268]], "Indicator: Win32.HLLW.Autoruner.216": [[269, 293]], "Indicator: Worm.Mefir.Win32.3": [[294, 312]], "Indicator: Worm/Mefir.f": [[313, 325]], "Indicator: Worm:Win32/Mefir.A": [[326, 344], [345, 363]], "Indicator: W32/Mefir.A.worm": [[383, 399]], "Indicator: Worm.Mefir!BwUbuvfvViU": [[400, 422]], "Indicator: Win32/Trojan.d06": [[442, 458]]}, "info": {"id": "cyner2_5class_train_02751", "source": "cyner2_5class_train"}} +{"text": "In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings.", "spans": {"Organization: anti-virus vendors": [[29, 47]], "Organization: security researchers": [[52, 72]], "Malware: threat,": [[102, 109]]}, "info": {"id": "cyner2_5class_train_02752", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Trojan BKDR_MANGZAMEL.B Trojan.Mangzamel.Win32.11 BKDR_MANGZAMEL.B BDS/Vedratve.zgxnw Backdoor:Win32/Vedratve.A!dha Trj/CI.A Win32/Backdoor.f40", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Trojan": [[26, 41]], "Indicator: BKDR_MANGZAMEL.B": [[42, 58], [85, 101]], "Indicator: Trojan.Mangzamel.Win32.11": [[59, 84]], "Indicator: BDS/Vedratve.zgxnw": [[102, 120]], "Indicator: Backdoor:Win32/Vedratve.A!dha": [[121, 150]], "Indicator: Trj/CI.A": [[151, 159]], "Indicator: Win32/Backdoor.f40": [[160, 178]]}, "info": {"id": "cyner2_5class_train_02753", "source": "cyner2_5class_train"}} +{"text": "Based on our culprit ’ s email address , we were able to find his GitHub repository .", "spans": {"Organization: GitHub": [[66, 72]]}, "info": {"id": "cyner2_5class_train_02754", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.Symmi.D13C10 Win32.Trojan.WisdomEyes.16070401.9500.9915 Trojan.Win32.Ekstak.ddqe Trojan.Win32.Ekstak.exahds Trojan.InstallCube.2631 PUA.ICLoader Pua.Downloadmgr Trojan:Win32/Spiltderp.A Trojan.Win32.Ekstak.ddqe Trojan/Win32.Ekstak.R217792 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.D13C10": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9915": [[46, 88]], "Indicator: Trojan.Win32.Ekstak.ddqe": [[89, 113], [219, 243]], "Indicator: Trojan.Win32.Ekstak.exahds": [[114, 140]], "Indicator: Trojan.InstallCube.2631": [[141, 164]], "Indicator: PUA.ICLoader": [[165, 177]], "Indicator: Pua.Downloadmgr": [[178, 193]], "Indicator: Trojan:Win32/Spiltderp.A": [[194, 218]], "Indicator: Trojan/Win32.Ekstak.R217792": [[244, 271]], "Indicator: Trj/CI.A": [[272, 280]]}, "info": {"id": "cyner2_5class_train_02755", "source": "cyner2_5class_train"}} +{"text": "Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2 .", "spans": {"Indicator: HTTP": [[43, 47]]}, "info": {"id": "cyner2_5class_train_02756", "source": "cyner2_5class_train"}} +{"text": "Figure 19 : C & C infrastructure diagram The Infection Landscape “ Agent Smith ” droppers show a very greedy infection tactic .", "spans": {"Malware: Agent Smith": [[67, 78]]}, "info": {"id": "cyner2_5class_train_02757", "source": "cyner2_5class_train"}} +{"text": "Reusing our deobfuscation tool and some other tricks , we have been able to reverse and analyze these opcodes and map them to a finite list that can be used later to automate the analysis process with some scripting .", "spans": {}, "info": {"id": "cyner2_5class_train_02758", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817465 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817465 [ .": [[21, 65]]}, "info": {"id": "cyner2_5class_train_02759", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Exp.OLE.CVE-2009-3129.A Exploit.MSExcel.CVE-2009-3129.ccxskf Exploit.Excel.CVE-2009-3129 Downloader.OLE.HiddenEXE MSExcel/CVE_2009_3129.A!exploit Win32/Trojan.Exploit.19f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.OLE.CVE-2009-3129.A": [[26, 49]], "Indicator: Exploit.MSExcel.CVE-2009-3129.ccxskf": [[50, 86]], "Indicator: Exploit.Excel.CVE-2009-3129": [[87, 114]], "Indicator: Downloader.OLE.HiddenEXE": [[115, 139]], "Indicator: MSExcel/CVE_2009_3129.A!exploit": [[140, 171]], "Indicator: Win32/Trojan.Exploit.19f": [[172, 196]]}, "info": {"id": "cyner2_5class_train_02760", "source": "cyner2_5class_train"}} +{"text": "A second version 2.1-LNK with the network tag StrangeLove was discovered shortly after.", "spans": {"Malware: 2.1-LNK": [[17, 24]], "Malware: StrangeLove": [[46, 57]]}, "info": {"id": "cyner2_5class_train_02761", "source": "cyner2_5class_train"}} +{"text": "Appendix Samples Some of the latest Ginp samples found in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below .", "spans": {"Malware: Ginp": [[36, 40], [804, 808]], "System: Google Play Verificator": [[104, 127], [210, 233]], "Indicator: sing.guide.false": [[128, 144]], "Indicator: 
0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5": [[145, 209]], "System: park.rather.dance": [[234, 251]], "Indicator: 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7": [[252, 316]], "System: Adobe Flash Player": [[317, 335], [423, 441], [529, 547], [634, 652]], "Indicator: ethics.unknown.during": [[336, 357]], "Indicator: 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f": [[358, 422]], "Indicator: solution.rail.forward": [[442, 463]], "Indicator: 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea": [[464, 528]], "Indicator: com.pubhny.hekzhgjty": [[548, 568]], "Indicator: 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c": [[569, 633]], "Indicator: sentence.fancy.humble": [[653, 674]], "Indicator: 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212": [[675, 739]]}, "info": {"id": "cyner2_5class_train_02762", "source": "cyner2_5class_train"}} +{"text": "We typically see techniques at this level by well-resourced, well-funded, motivated adversaries.", "spans": {}, "info": {"id": "cyner2_5class_train_02763", "source": "cyner2_5class_train"}} +{"text": "Additionally, in all cases, the theft took place using normal cash withdrawals from various ATM terminal locations outside the bank's originating country.", "spans": {}, "info": {"id": "cyner2_5class_train_02764", "source": "cyner2_5class_train"}} +{"text": "It ’ s interesting that Triout , which is detected by Bitdefender ’ s machine learning algorithms , was first submitted from Russia , and most scans/reports came from Israel .", "spans": {"Malware: Triout": [[24, 30]], "Organization: Bitdefender": [[54, 65]]}, "info": {"id": "cyner2_5class_train_02765", "source": "cyner2_5class_train"}} +{"text": "These improvements render FakeSpy one of the most powerful information stealers on the market .", "spans": {"Malware: FakeSpy": [[26, 33]]}, "info": {"id": "cyner2_5class_train_02766", "source": "cyner2_5class_train"}} +{"text": 
"In 2013 , Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"Organization: Kaspersky Lab": [[10, 23]]}, "info": {"id": "cyner2_5class_train_02767", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit-MSExcel.p Trojan.Mdropper.AA TROJ_MDROP.AH Exploit.MSExcel.CVE-2008-0081.ccxsez Exploit.Excel.1 TROJ_MDROP.AH Exploit-MSExcel.p EXP/Excel.CVE-2008-0081 MSExcel/UDDesc.A!exploit.M20080081 Win32/Trojan.Exploit.903", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit-MSExcel.p": [[26, 43], [144, 161]], "Indicator: Trojan.Mdropper.AA": [[44, 62]], "Indicator: TROJ_MDROP.AH": [[63, 76], [130, 143]], "Indicator: Exploit.MSExcel.CVE-2008-0081.ccxsez": [[77, 113]], "Indicator: Exploit.Excel.1": [[114, 129]], "Indicator: EXP/Excel.CVE-2008-0081": [[162, 185]], "Indicator: MSExcel/UDDesc.A!exploit.M20080081": [[186, 220]], "Indicator: Win32/Trojan.Exploit.903": [[221, 245]]}, "info": {"id": "cyner2_5class_train_02768", "source": "cyner2_5class_train"}} +{"text": "The dropper is a repacked legitimate application which contains an additional piece of code – “ loader ” .", "spans": {}, "info": {"id": "cyner2_5class_train_02769", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heuristic.LooksLike.Trojan.Dropper.I TrojanDropper:Win32/Datunif.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heuristic.LooksLike.Trojan.Dropper.I": [[26, 62]], "Indicator: TrojanDropper:Win32/Datunif.A": [[63, 92]]}, "info": {"id": "cyner2_5class_train_02770", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Emotet TSPY_EMOTET.SMZD172 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_EMOTET.SMZD172 Trojan.Packed2.40646 Trojan.Dovs.Win32.2068 BehavesLike.Win32.Backdoor.ch W32.Trojan.Emotet Trojan:Win32/Emotet.R!bit Trojan.Razy.D36CE4 Trojan/Win32.Emotet.R215266 Trojan.Win32.Emotet", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Emotet": [[26, 39]], 
"Indicator: TSPY_EMOTET.SMZD172": [[40, 59], [103, 122]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[60, 102]], "Indicator: Trojan.Packed2.40646": [[123, 143]], "Indicator: Trojan.Dovs.Win32.2068": [[144, 166]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[167, 196]], "Indicator: W32.Trojan.Emotet": [[197, 214]], "Indicator: Trojan:Win32/Emotet.R!bit": [[215, 240]], "Indicator: Trojan.Razy.D36CE4": [[241, 259]], "Indicator: Trojan/Win32.Emotet.R215266": [[260, 287]], "Indicator: Trojan.Win32.Emotet": [[288, 307]]}, "info": {"id": "cyner2_5class_train_02771", "source": "cyner2_5class_train"}} +{"text": "Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia.", "spans": {"Organization: journalists, political advisors,": [[33, 65]], "Organization: organizations": [[70, 83]], "Organization: political activism": [[100, 118]]}, "info": {"id": "cyner2_5class_train_02772", "source": "cyner2_5class_train"}} +{"text": "However, initial static analysis revealed that all of these samples appear to be identical on the surface, leading us to believe that we had discovered a new loader.", "spans": {}, "info": {"id": "cyner2_5class_train_02773", "source": "cyner2_5class_train"}} +{"text": "It has been active for around one month .", "spans": {}, "info": {"id": "cyner2_5class_train_02774", "source": "cyner2_5class_train"}} +{"text": "Some of the apps we discovered resided on Google Play for several years , but all were recently updated .", "spans": {"System: Google Play": [[42, 53]]}, "info": {"id": "cyner2_5class_train_02775", "source": "cyner2_5class_train"}} +{"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store .", "spans": {"Malware: Dvmap": [[0, 5]], "System: Android": [[18, 25]], "System: Google Play Store": [[151, 168]]}, "info": {"id": 
"cyner2_5class_train_02776", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Rimecud.1!O Trojan.Rimecud.U TROJ_RIMECUD.SMX Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_RIMECUD.SMX Trojan.Win32.Fsysna.eqph TrojWare.Win32.Kryptik.AMMN BehavesLike.Win32.PWSZbot.ch Virus.Win32.Cryptor Ransom:Win32/Grymegat.A Trojan.Kazy.D16E7F Trojan.Win32.Fsysna.eqph Trojan/Win32.Jorik.R40701 Trj/Rimecud.f W32/Rimecud.GRC!tr Win32/Trojan.801", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Rimecud.1!O": [[26, 50]], "Indicator: Trojan.Rimecud.U": [[51, 67]], "Indicator: TROJ_RIMECUD.SMX": [[68, 84], [128, 144]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[85, 127]], "Indicator: Trojan.Win32.Fsysna.eqph": [[145, 169], [290, 314]], "Indicator: TrojWare.Win32.Kryptik.AMMN": [[170, 197]], "Indicator: BehavesLike.Win32.PWSZbot.ch": [[198, 226]], "Indicator: Virus.Win32.Cryptor": [[227, 246]], "Indicator: Ransom:Win32/Grymegat.A": [[247, 270]], "Indicator: Trojan.Kazy.D16E7F": [[271, 289]], "Indicator: Trojan/Win32.Jorik.R40701": [[315, 340]], "Indicator: Trj/Rimecud.f": [[341, 354]], "Indicator: W32/Rimecud.GRC!tr": [[355, 373]], "Indicator: Win32/Trojan.801": [[374, 390]]}, "info": {"id": "cyner2_5class_train_02777", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Exploit/W32.Nuker.203264 Exploit.Nuker Tool.Vai.Win32.1 Exploit.W32.Nuker!c W32/Trojan2.EKA Win.Tool.W32-65 Exploit.Win32.Nuker.Vai.c Exploit.Win32.Nuker-Vai.htmm TrojWare.Win32.Nuker.Vai.C FDOS.VTG.201 W32/Trojan.LISQ-8951 Nuke/Win32.Vai.c Trojan:Win32/VAI.C SPR/DDoS.ICMP.Vait10 Trojan[Exploit]/Win32.Nuker Trojan:Win32/VAI.C Exploit.Win32.Nuker.Vai.c Nuker.Vai Win32/Nuker.Vai.C Win32.Exploit.Nuker.Efbk W32/Nuker_Vai.C!tr Win32/Trojan.Exploit.237", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Exploit/W32.Nuker.203264": [[26, 57]], "Indicator: Exploit.Nuker": [[58, 71]], "Indicator: Tool.Vai.Win32.1": [[72, 88]], 
"Indicator: Exploit.W32.Nuker!c": [[89, 108]], "Indicator: W32/Trojan2.EKA": [[109, 124]], "Indicator: Win.Tool.W32-65": [[125, 140]], "Indicator: Exploit.Win32.Nuker.Vai.c": [[141, 166], [361, 386]], "Indicator: Exploit.Win32.Nuker-Vai.htmm": [[167, 195]], "Indicator: TrojWare.Win32.Nuker.Vai.C": [[196, 222]], "Indicator: FDOS.VTG.201": [[223, 235]], "Indicator: W32/Trojan.LISQ-8951": [[236, 256]], "Indicator: Nuke/Win32.Vai.c": [[257, 273]], "Indicator: Trojan:Win32/VAI.C": [[274, 292], [342, 360]], "Indicator: SPR/DDoS.ICMP.Vait10": [[293, 313]], "Indicator: Trojan[Exploit]/Win32.Nuker": [[314, 341]], "Indicator: Nuker.Vai": [[387, 396]], "Indicator: Win32/Nuker.Vai.C": [[397, 414]], "Indicator: Win32.Exploit.Nuker.Efbk": [[415, 439]], "Indicator: W32/Nuker_Vai.C!tr": [[440, 458]], "Indicator: Win32/Trojan.Exploit.237": [[459, 483]]}, "info": {"id": "cyner2_5class_train_02778", "source": "cyner2_5class_train"}} +{"text": "60 % of devices containing or accessing enterprise data are mobile .", "spans": {}, "info": {"id": "cyner2_5class_train_02779", "source": "cyner2_5class_train"}} +{"text": "These malicious Office documents are being spread as an attachment using spear phishing emails as described here.", "spans": {"Indicator: malicious Office documents": [[6, 32]], "Indicator: attachment": [[56, 66]], "Indicator: spear phishing emails": [[73, 94]]}, "info": {"id": "cyner2_5class_train_02780", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.AutoIt.Pistolar.A Worm.AutoIt.Win32.16752 Trojan.Heur.rmLfrvwRR2pib TROJ_SPNR.03BL13 Win32.Trojan.AutoIt.a TROJ_SPNR.03BL13 Trojan.KillFiles.61768 BehavesLike.Win32.VirRansom.dc Troj.W32.Autoit.lWNh HEUR/Fakon.mwf Win32/Autoit.MB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.AutoIt.Pistolar.A": [[26, 50]], "Indicator: Worm.AutoIt.Win32.16752": [[51, 74]], "Indicator: Trojan.Heur.rmLfrvwRR2pib": [[75, 100]], "Indicator: TROJ_SPNR.03BL13": [[101, 117], [140, 156]], "Indicator: 
Win32.Trojan.AutoIt.a": [[118, 139]], "Indicator: Trojan.KillFiles.61768": [[157, 179]], "Indicator: BehavesLike.Win32.VirRansom.dc": [[180, 210]], "Indicator: Troj.W32.Autoit.lWNh": [[211, 231]], "Indicator: HEUR/Fakon.mwf": [[232, 246]], "Indicator: Win32/Autoit.MB": [[247, 262]]}, "info": {"id": "cyner2_5class_train_02781", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Infostealer.Limitail Trojan.Win32.Sourtoff.dshygu Trojan.Yakes.Win32.34007 BehavesLike.Win32.Backdoor.fc Trojan/Injector.cbpj Trojan.Win32.Boaxxe TrojanDropper.Injector.awup TR/Crypt.Xpack.8996 Trojan/Win32.Sourtoff Trojan.Zboter.5 Trojan/Win32.Ransomcrypt.R151582 Trojan.Yakes Trojan.Yakes!LiL7XolSsr0 Win32/Trojan.34b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Infostealer.Limitail": [[26, 46]], "Indicator: Trojan.Win32.Sourtoff.dshygu": [[47, 75]], "Indicator: Trojan.Yakes.Win32.34007": [[76, 100]], "Indicator: BehavesLike.Win32.Backdoor.fc": [[101, 130]], "Indicator: Trojan/Injector.cbpj": [[131, 151]], "Indicator: Trojan.Win32.Boaxxe": [[152, 171]], "Indicator: TrojanDropper.Injector.awup": [[172, 199]], "Indicator: TR/Crypt.Xpack.8996": [[200, 219]], "Indicator: Trojan/Win32.Sourtoff": [[220, 241]], "Indicator: Trojan.Zboter.5": [[242, 257]], "Indicator: Trojan/Win32.Ransomcrypt.R151582": [[258, 290]], "Indicator: Trojan.Yakes": [[291, 303]], "Indicator: Trojan.Yakes!LiL7XolSsr0": [[304, 328]], "Indicator: Win32/Trojan.34b": [[329, 345]]}, "info": {"id": "cyner2_5class_train_02782", "source": "cyner2_5class_train"}} +{"text": "With the four “ sms_send ” commands , the messages as specified in the key “ text ” will be sent immediately to the specified short numbers .", "spans": {}, "info": {"id": "cyner2_5class_train_02783", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.AutoIt Worm.AutoIt.Win32.13406 Win32.Trojan.WisdomEyes.16070401.9500.9999 Worm.Win32.AutoIt.qaw Trojan.Win32.AutoIt.ewujea W32.W.WBNA.lJwt Trojan.MulDrop5.8834 
BehavesLike.Win32.Trojan.cz Worm.Win32.AutoRun W32/Trojan.WOLP-1815 Worm/Win32.AutoIt Worm:Win32/Selfita.A Worm.Win32.AutoIt.qaw Worm.AutoIt Win32/AutoRun.VB.BEZ Win32.Worm.Autoit.Pgmr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.AutoIt": [[26, 37], [320, 331]], "Indicator: Worm.AutoIt.Win32.13406": [[38, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[62, 104]], "Indicator: Worm.Win32.AutoIt.qaw": [[105, 126], [298, 319]], "Indicator: Trojan.Win32.AutoIt.ewujea": [[127, 153]], "Indicator: W32.W.WBNA.lJwt": [[154, 169]], "Indicator: Trojan.MulDrop5.8834": [[170, 190]], "Indicator: BehavesLike.Win32.Trojan.cz": [[191, 218]], "Indicator: Worm.Win32.AutoRun": [[219, 237]], "Indicator: W32/Trojan.WOLP-1815": [[238, 258]], "Indicator: Worm/Win32.AutoIt": [[259, 276]], "Indicator: Worm:Win32/Selfita.A": [[277, 297]], "Indicator: Win32/AutoRun.VB.BEZ": [[332, 352]], "Indicator: Win32.Worm.Autoit.Pgmr": [[353, 375]]}, "info": {"id": "cyner2_5class_train_02784", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodd7a.Trojan.d028 Trojan-Downloader/W32.Lemmy.65536.B Downloader.Lemmy.Win32.31 Troj.Downloader.W32.Lemmy.u!c Trojan/Downloader.Lemmy.q W32/Lemmy.AO Adware.Roimoi Win32/TrojanDownloader.Lemmy.AA TROJ_LEMMY.L Win.Downloader.71376-1 Trojan-Downloader.Win32.Lemmy.u Trojan.Win32.Lemmy.gugs Trojan.Win32.Downloader.65536.IK[h] TrojWare.Win32.TrojanDownloader.Lemmy.u0 Adware.MediaMotor.130 TROJ_LEMMY.L BehavesLike.Win32.Trojan.kt W32/Lemmy.RFEY-5815 TrojanDownloader.Lemmy.f TR/Dldr.Lemmy.Q.2 W32/Dloader.X!tr Trojan[Downloader]/Win32.Lemmy Win32.Troj.Lemmy.o.kcloud Trojan/Win32.HDC.C89215 TrojanDownloader:Win32/Lemmy.U TScope.Trojan.VB Win32.Trojan-downloader.Lemmy.Egoh Trojan.DL.Lemmy!fetCOQguJic Trojan-Downloader.Win32.Lemmy.q", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodd7a.Trojan.d028": [[26, 49]], "Indicator: Trojan-Downloader/W32.Lemmy.65536.B": [[50, 85]], "Indicator: 
Downloader.Lemmy.Win32.31": [[86, 111]], "Indicator: Troj.Downloader.W32.Lemmy.u!c": [[112, 141]], "Indicator: Trojan/Downloader.Lemmy.q": [[142, 167]], "Indicator: W32/Lemmy.AO": [[168, 180]], "Indicator: Adware.Roimoi": [[181, 194]], "Indicator: Win32/TrojanDownloader.Lemmy.AA": [[195, 226]], "Indicator: TROJ_LEMMY.L": [[227, 239], [418, 430]], "Indicator: Win.Downloader.71376-1": [[240, 262]], "Indicator: Trojan-Downloader.Win32.Lemmy.u": [[263, 294]], "Indicator: Trojan.Win32.Lemmy.gugs": [[295, 318]], "Indicator: Trojan.Win32.Downloader.65536.IK[h]": [[319, 354]], "Indicator: TrojWare.Win32.TrojanDownloader.Lemmy.u0": [[355, 395]], "Indicator: Adware.MediaMotor.130": [[396, 417]], "Indicator: BehavesLike.Win32.Trojan.kt": [[431, 458]], "Indicator: W32/Lemmy.RFEY-5815": [[459, 478]], "Indicator: TrojanDownloader.Lemmy.f": [[479, 503]], "Indicator: TR/Dldr.Lemmy.Q.2": [[504, 521]], "Indicator: W32/Dloader.X!tr": [[522, 538]], "Indicator: Trojan[Downloader]/Win32.Lemmy": [[539, 569]], "Indicator: Win32.Troj.Lemmy.o.kcloud": [[570, 595]], "Indicator: Trojan/Win32.HDC.C89215": [[596, 619]], "Indicator: TrojanDownloader:Win32/Lemmy.U": [[620, 650]], "Indicator: TScope.Trojan.VB": [[651, 667]], "Indicator: Win32.Trojan-downloader.Lemmy.Egoh": [[668, 702]], "Indicator: Trojan.DL.Lemmy!fetCOQguJic": [[703, 730]], "Indicator: Trojan-Downloader.Win32.Lemmy.q": [[731, 762]]}, "info": {"id": "cyner2_5class_train_02785", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WS.Reputation.1 PWS:Win32/Yaludle.D Trojan-PWS.Win32.Yaludle", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: PWS:Win32/Yaludle.D": [[42, 61]], "Indicator: Trojan-PWS.Win32.Yaludle": [[62, 86]]}, "info": {"id": "cyner2_5class_train_02786", "source": "cyner2_5class_train"}} +{"text": "Manufacturers should be keeping close tabs on what software ends up on their devices .", "spans": {}, "info": {"id": "cyner2_5class_train_02787", "source": 
"cyner2_5class_train"}} +{"text": "But I never received such files from their command and control server .", "spans": {}, "info": {"id": "cyner2_5class_train_02788", "source": "cyner2_5class_train"}} +{"text": "Today, we noticed CVE-2015-5119 the identifier for this vulnerability being used in a rather unusual attack pattern.", "spans": {"Indicator: CVE-2015-5119": [[18, 31]], "Indicator: unusual attack pattern.": [[93, 116]]}, "info": {"id": "cyner2_5class_train_02789", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Necne.R002C0DAU18 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Necne.R002C0DAU18 Trojan.Win32.Filecoder.eximhz Trojan.Win32.Z.Kelios.56320 Trojan.Encoder.24408 Trojan.Filecoder.Win32.7015 BehavesLike.Win32.Backdoor.qh Trojan-Ransom.FileCoder W32/Trojan.TPMK-1866 TR/AD.Petya.muyif Ransom.Filecoder/Variant Trojan.Encoder Ransom.FileCryptor Trj/GdSda.A W32/Filecoder.FV!tr Win32/Trojan.4af", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Necne.R002C0DAU18": [[26, 50], [94, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: Trojan.Win32.Filecoder.eximhz": [[119, 148]], "Indicator: Trojan.Win32.Z.Kelios.56320": [[149, 176]], "Indicator: Trojan.Encoder.24408": [[177, 197]], "Indicator: Trojan.Filecoder.Win32.7015": [[198, 225]], "Indicator: BehavesLike.Win32.Backdoor.qh": [[226, 255]], "Indicator: Trojan-Ransom.FileCoder": [[256, 279]], "Indicator: W32/Trojan.TPMK-1866": [[280, 300]], "Indicator: TR/AD.Petya.muyif": [[301, 318]], "Indicator: Ransom.Filecoder/Variant": [[319, 343]], "Indicator: Trojan.Encoder": [[344, 358]], "Indicator: Ransom.FileCryptor": [[359, 377]], "Indicator: Trj/GdSda.A": [[378, 389]], "Indicator: W32/Filecoder.FV!tr": [[390, 409]], "Indicator: Win32/Trojan.4af": [[410, 426]]}, "info": {"id": "cyner2_5class_train_02790", "source": "cyner2_5class_train"}} +{"text": "Everyday users can do the same by checking the router ’ s DNS settings if they ’ ve 
been modified .", "spans": {}, "info": {"id": "cyner2_5class_train_02791", "source": "cyner2_5class_train"}} +{"text": "In the attached paper we will focus on two exploits which at the time of discovery in the Hacking Team archives were unpatched.", "spans": {"Malware: exploits": [[43, 51]], "Organization: Hacking Team": [[90, 102]], "Vulnerability: unpatched.": [[117, 127]]}, "info": {"id": "cyner2_5class_train_02792", "source": "cyner2_5class_train"}} +{"text": "Apps of the Android/AdDisplay.Ashas family reported to Google by ESET Figure 2 .", "spans": {"Malware: Android/AdDisplay.Ashas": [[12, 35]], "Organization: ESET": [[65, 69]]}, "info": {"id": "cyner2_5class_train_02793", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mikey.DDFDA Ransom_PETYA.SM2 Win32.Trojan.WisdomEyes.16070401.9500.9986 Ransom_PETYA.SM2 Trojan.Win32.AD.epiohw BehavesLike.Win32.Ransom.cc Ransom.Petya Win32/Diskcoder.Petya.E Trojan.Diskcoder! Trojan-Ransom.GoldenEye W32/Petya.E!tr.ransom", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mikey.DDFDA": [[26, 44]], "Indicator: Ransom_PETYA.SM2": [[45, 61], [105, 121]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[62, 104]], "Indicator: Trojan.Win32.AD.epiohw": [[122, 144]], "Indicator: BehavesLike.Win32.Ransom.cc": [[145, 172]], "Indicator: Ransom.Petya": [[173, 185]], "Indicator: Win32/Diskcoder.Petya.E": [[186, 209]], "Indicator: Trojan.Diskcoder!": [[210, 227]], "Indicator: Trojan-Ransom.GoldenEye": [[228, 251]], "Indicator: W32/Petya.E!tr.ransom": [[252, 273]]}, "info": {"id": "cyner2_5class_train_02794", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan-Downloader.MSIL.Small.vii Trojan.Win32.Clicker.dckckw Trojan[Downloader]/MSIL.Small Win32.TrojDownloader.MSIL.kcloud Trojan.Kazy.D17F7F Trojan-Downloader.MSIL.Small.vii Trojan:MSIL/Keywsec.B Trojan.Clicker Trojan.Keywsec!MUZFw6FSjt8 Win32/Trojan.419", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan-Downloader.MSIL.Small.vii": [[69, 101], [212, 244]], "Indicator: Trojan.Win32.Clicker.dckckw": [[102, 129]], "Indicator: Trojan[Downloader]/MSIL.Small": [[130, 159]], "Indicator: Win32.TrojDownloader.MSIL.kcloud": [[160, 192]], "Indicator: Trojan.Kazy.D17F7F": [[193, 211]], "Indicator: Trojan:MSIL/Keywsec.B": [[245, 266]], "Indicator: Trojan.Clicker": [[267, 281]], "Indicator: Trojan.Keywsec!MUZFw6FSjt8": [[282, 308]], "Indicator: Win32/Trojan.419": [[309, 325]]}, "info": {"id": "cyner2_5class_train_02795", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_02796", "source": "cyner2_5class_train"}} +{"text": "During the last weeks there have been several cases of international brand names being used by malware authors to propagate malware through phishing emails.", "spans": {"Organization: international brand": [[55, 74]], "Malware: malware": [[124, 131]], "Indicator: phishing emails.": [[140, 156]]}, "info": {"id": "cyner2_5class_train_02797", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Exploit.Linux.Vmsplice.A Exploit.Lotoor.Linux.131 HEUR:Exploit.Linux.Lotoor.bh Exploit.Unix.Lotoor.exdfpk Exploit.Linux.Lotoor!c Linux.Exploit.Local.147 Exploit.Linux.auf LINUX/Lotoor.qcvrg Trojan[Exploit]/Linux.Lotoor.bh HEUR:Exploit.Linux.Lotoor.bh Linux.Exploit.Lotoor.Htmf Trojan.Linux.Exploit Linux/Vmsplice.K!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Linux.Vmsplice.A": [[43, 67]], "Indicator: Exploit.Lotoor.Linux.131": [[68, 92]], "Indicator: HEUR:Exploit.Linux.Lotoor.bh": [[93, 121], [265, 293]], "Indicator: Exploit.Unix.Lotoor.exdfpk": [[122, 148]], "Indicator: Exploit.Linux.Lotoor!c": [[149, 171]], "Indicator: Linux.Exploit.Local.147": [[172, 195]], "Indicator: Exploit.Linux.auf": [[196, 213]], "Indicator: LINUX/Lotoor.qcvrg": [[214, 
232]], "Indicator: Trojan[Exploit]/Linux.Lotoor.bh": [[233, 264]], "Indicator: Linux.Exploit.Lotoor.Htmf": [[294, 319]], "Indicator: Trojan.Linux.Exploit": [[320, 340]], "Indicator: Linux/Vmsplice.K!tr": [[341, 360]]}, "info": {"id": "cyner2_5class_train_02798", "source": "cyner2_5class_train"}} +{"text": "The attackers used different command and control servers C2s for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone.", "spans": {"Indicator: command and control servers C2s": [[29, 60]], "Malware: each malware family,": [[65, 85]], "Indicator: attacks": [[146, 153]], "System: infrastructure": [[169, 183]]}, "info": {"id": "cyner2_5class_train_02799", "source": "cyner2_5class_train"}} +{"text": "This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a fake Delivery Status Notification, failed to deliver email bounce message.", "spans": {"Indicator: email attachment": [[29, 45]], "Indicator: zip": [[57, 60], [70, 73]], "Indicator: .js file": [[97, 105]], "Indicator: fake Delivery Status Notification, failed to deliver email bounce message.": [[111, 185]]}, "info": {"id": "cyner2_5class_train_02800", "source": "cyner2_5class_train"}} +{"text": "Attacks using BigBoss appear likely to have occurred since mid-2015, whereas SillyGoose appears to have been distributed since September 2016.", "spans": {"Indicator: Attacks": [[0, 7]], "Malware: BigBoss": [[14, 21]], "Malware: SillyGoose": [[77, 87]]}, "info": {"id": "cyner2_5class_train_02801", "source": "cyner2_5class_train"}} +{"text": "The first method, dubbed proxy-changing is commonly used for HTTP packets inspections.", "spans": {"Indicator: dubbed proxy-changing": [[18, 39]], "Indicator: HTTP packets inspections.": [[61, 86]]}, "info": {"id": "cyner2_5class_train_02802", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.LovGate.W@mm W32.LovGate.W 
Win32.LovGate.W@mm Spyware.PasswordStealer W32/Lovgate.W@M Win32.LovGate.E8C19A WORM_LOVGATE.BJ Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Lovgate.W@mm W32.HLLW.Lovgate.I@mm Win32/Lovgate.AX WORM_LOVGATE.BJ Win.Worm.Lovgate-35 Win32.LovGate.W@mm Trojan.Win32.MultiPacked.dgpeeo Win32.Worm-email.Lovgate.Dwsv Win32.HLLM.Lovgate.based Worm.LovGate.Win32.79 BehavesLike.Win32.PWSZbot.cc W32/Lovgate.W@mm I-Worm/Supkp.a WORM/Lovgate.BK Worm[Email]/Win32.LovGate Worm:Win32/Lovgate.W@mm W32.W.LovGate.kYPD Win32.LovGate.W@mm Win32/LovGate.worm.179200 W32/Lovgate.w@M Worm.Lovgate I-Worm.Lovgate.AP Win32/Lovgate.AP I-Worm.Lovgate.BI Worm.Win32.Lovgate Win32.LovGate.W@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.LovGate.W@mm": [[26, 44], [59, 77], [290, 308], [564, 582], [710, 728]], "Indicator: W32.LovGate.W": [[45, 58]], "Indicator: Spyware.PasswordStealer": [[78, 101]], "Indicator: W32/Lovgate.W@M": [[102, 117]], "Indicator: Win32.LovGate.E8C19A": [[118, 138]], "Indicator: WORM_LOVGATE.BJ": [[139, 154], [254, 269]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[155, 197]], "Indicator: W32/Lovgate.W@mm": [[198, 214], [447, 463]], "Indicator: W32.HLLW.Lovgate.I@mm": [[215, 236]], "Indicator: Win32/Lovgate.AX": [[237, 253]], "Indicator: Win.Worm.Lovgate-35": [[270, 289]], "Indicator: Trojan.Win32.MultiPacked.dgpeeo": [[309, 340]], "Indicator: Win32.Worm-email.Lovgate.Dwsv": [[341, 370]], "Indicator: Win32.HLLM.Lovgate.based": [[371, 395]], "Indicator: Worm.LovGate.Win32.79": [[396, 417]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[418, 446]], "Indicator: I-Worm/Supkp.a": [[464, 478]], "Indicator: WORM/Lovgate.BK": [[479, 494]], "Indicator: Worm[Email]/Win32.LovGate": [[495, 520]], "Indicator: Worm:Win32/Lovgate.W@mm": [[521, 544]], "Indicator: W32.W.LovGate.kYPD": [[545, 563]], "Indicator: Win32/LovGate.worm.179200": [[583, 608]], "Indicator: W32/Lovgate.w@M": [[609, 624]], "Indicator: Worm.Lovgate": [[625, 637]], "Indicator: 
I-Worm.Lovgate.AP": [[638, 655]], "Indicator: Win32/Lovgate.AP": [[656, 672]], "Indicator: I-Worm.Lovgate.BI": [[673, 690]], "Indicator: Worm.Win32.Lovgate": [[691, 709]]}, "info": {"id": "cyner2_5class_train_02803", "source": "cyner2_5class_train"}} +{"text": "During installation , Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning : If the user ignores or declines the request , the window keeps opening ad infinitum .", "spans": {"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner2_5class_train_02804", "source": "cyner2_5class_train"}} +{"text": "According to public records it appears that eSurv began to also develop intrusion software in 2016 .", "spans": {"Organization: eSurv": [[44, 49]]}, "info": {"id": "cyner2_5class_train_02805", "source": "cyner2_5class_train"}} +{"text": "Figure 20 : dropper app category distribution Among the vast number of variants , the top 5 most infectious droppers alone have been downloaded more than 7.8 million times of the infection operations against innocent applications : Figure 21 : Top 5 most infectious droppers The “ Agent Smith ” campaign is primarily targeted at Indian users , who represent 59 % of the impacted population .", "spans": {"Malware: Agent Smith": [[281, 292]]}, "info": {"id": "cyner2_5class_train_02806", "source": "cyner2_5class_train"}} +{"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number – The default number to be send to the server ( in case the number is not available from the device ) api – The API key url – The URL to be used in WebView to display on the ransom note The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers .", "spans": {}, "info": {"id": "cyner2_5class_train_02807", "source": 
"cyner2_5class_train"}} +{"text": "The Trojan may download and execute the following potentially malicious file: %Temp%\\[RANDOM CHARACTERS].dll", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: download and execute": [[15, 35]], "Indicator: malicious file: %Temp%\\[RANDOM CHARACTERS].dll": [[62, 108]]}, "info": {"id": "cyner2_5class_train_02808", "source": "cyner2_5class_train"}} +{"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) .", "spans": {}, "info": {"id": "cyner2_5class_train_02809", "source": "cyner2_5class_train"}} +{"text": "This means that , unless victims lock their devices via the hardware button , the timer provides plenty of time for the malware to remotely perform malicious , in-app operations .", "spans": {}, "info": {"id": "cyner2_5class_train_02810", "source": "cyner2_5class_train"}} +{"text": "Code to check the existence of SafetyNet Google API It also checks if the Android SafetyNet is active and reporting back to the C2 .", "spans": {"System: Google API": [[41, 51]], "System: Android": [[74, 81]]}, "info": {"id": "cyner2_5class_train_02811", "source": "cyner2_5class_train"}} +{"text": "We determined that this chunk of data contains an array of opcode instructions ready to be interpreted by a custom virtual machine program ( from this point on referenced generically as “ VM ” ) implemented by FinFisher authors .", "spans": {"Malware: FinFisher": [[210, 219]]}, "info": {"id": "cyner2_5class_train_02812", "source": "cyner2_5class_train"}} +{"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam .", "spans": {"Malware: Skygofree": [[148, 157]], "Organization: HackingTeam": [[241, 252]]}, "info": {"id": 
"cyner2_5class_train_02813", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9711 Spyware.Keylogger BehavesLike.Win32.Fake.lc Trojan-Proxy.Win32.Glukelira Trojan/Win32.Glukelira.R10186", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9711": [[26, 68]], "Indicator: Spyware.Keylogger": [[69, 86]], "Indicator: BehavesLike.Win32.Fake.lc": [[87, 112]], "Indicator: Trojan-Proxy.Win32.Glukelira": [[113, 141]], "Indicator: Trojan/Win32.Glukelira.R10186": [[142, 171]]}, "info": {"id": "cyner2_5class_train_02814", "source": "cyner2_5class_train"}} +{"text": "MALWARE TECHNICAL DETAILS During our investigation , researchers uncovered a malware known as \" Gustuff. '' .", "spans": {"Malware: Gustuff.": [[96, 104]]}, "info": {"id": "cyner2_5class_train_02815", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.909D Downloader.AdloadCRT.Win32.596 Win.Trojan.Downloader-65968 not-a-virus:Downloader.Win32.AdLoad.rbbv Trojan.Win32.AdLoad.dvwwyc Adware.Downloadadmin.85624 Trojan.Vittalia.12437 not-a-virus:Downloader.DownloAdmin Pua.Downloadmanager RiskWare[Downloader]/Win32.AdLoad.rbbv Trojan.Application.Bundler.DownloadAdmin.3 PUP.DownloadAdmin/Variant not-a-virus:Downloader.Win32.AdLoad.rbbv PUP/Win32.DownloadAdmin.R162593 Downloader.DownloAdmin Trj/Downloader.WOL Win32/Application.d3c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.909D": [[26, 44]], "Indicator: Downloader.AdloadCRT.Win32.596": [[45, 75]], "Indicator: Win.Trojan.Downloader-65968": [[76, 103]], "Indicator: not-a-virus:Downloader.Win32.AdLoad.rbbv": [[104, 144], [384, 424]], "Indicator: Trojan.Win32.AdLoad.dvwwyc": [[145, 171]], "Indicator: Adware.Downloadadmin.85624": [[172, 198]], "Indicator: Trojan.Vittalia.12437": [[199, 220]], "Indicator: not-a-virus:Downloader.DownloAdmin": [[221, 255]], "Indicator: Pua.Downloadmanager": [[256, 275]], "Indicator: 
RiskWare[Downloader]/Win32.AdLoad.rbbv": [[276, 314]], "Indicator: Trojan.Application.Bundler.DownloadAdmin.3": [[315, 357]], "Indicator: PUP.DownloadAdmin/Variant": [[358, 383]], "Indicator: PUP/Win32.DownloadAdmin.R162593": [[425, 456]], "Indicator: Downloader.DownloAdmin": [[457, 479]], "Indicator: Trj/Downloader.WOL": [[480, 498]], "Indicator: Win32/Application.d3c": [[499, 520]]}, "info": {"id": "cyner2_5class_train_02816", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject Trojan.Bublik.Win32.19217 W32/Trojan.NHBC-1750 BKDR_BMDOOR.SMZAEK-A Trojan.Win32.Inject.wavu Trojan.Win32.Androm.dlcdpz Win32.Trojan.Inject.Duwc BKDR_BMDOOR.SMZAEK-A Trojan.Inject.gwc Trojan/Win32.Inject Trojan.Win32.Inject.wavu Trojan.Inject Trojan.Inject!zWOSv6fC2j0 Win32/Trojan.ae0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject": [[26, 39], [269, 282]], "Indicator: Trojan.Bublik.Win32.19217": [[40, 65]], "Indicator: W32/Trojan.NHBC-1750": [[66, 86]], "Indicator: BKDR_BMDOOR.SMZAEK-A": [[87, 107], [185, 205]], "Indicator: Trojan.Win32.Inject.wavu": [[108, 132], [244, 268]], "Indicator: Trojan.Win32.Androm.dlcdpz": [[133, 159]], "Indicator: Win32.Trojan.Inject.Duwc": [[160, 184]], "Indicator: Trojan.Inject.gwc": [[206, 223]], "Indicator: Trojan/Win32.Inject": [[224, 243]], "Indicator: Trojan.Inject!zWOSv6fC2j0": [[283, 308]], "Indicator: Win32/Trojan.ae0": [[309, 325]]}, "info": {"id": "cyner2_5class_train_02817", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Virut.1!O Hacktool.Virledi Win32.Worm.AutoRun.bz W32/Virut.AI PE_VIRUX.A-1 Worm.Win32.WBNA.roc Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.HLLW.Autoruner2.15607 PE_VIRUX.A-1 W32/Virut.AI Win32/Virut.bt Virus/Win32.Virut.ce Worm:Win32/Virledi.A Worm.Win32.WBNA.roc Trojan/Win32.Zbot.C401270 Virus.Virut.06 Worm.AutoRun.FLD Win32.Virut.E Trojan-Downloader.Win32.VB Trj/Dtcontx.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Virus.Win32.Virut.1!O": [[26, 47]], "Indicator: Hacktool.Virledi": [[48, 64]], "Indicator: Win32.Worm.AutoRun.bz": [[65, 86]], "Indicator: W32/Virut.AI": [[87, 99], [218, 230]], "Indicator: PE_VIRUX.A-1": [[100, 112], [205, 217]], "Indicator: Worm.Win32.WBNA.roc": [[113, 132], [288, 307]], "Indicator: Virus.Win32.Virut.hpeg": [[133, 155]], "Indicator: Virus.Win32.Virut.CE": [[156, 176]], "Indicator: Win32.HLLW.Autoruner2.15607": [[177, 204]], "Indicator: Win32/Virut.bt": [[231, 245]], "Indicator: Virus/Win32.Virut.ce": [[246, 266]], "Indicator: Worm:Win32/Virledi.A": [[267, 287]], "Indicator: Trojan/Win32.Zbot.C401270": [[308, 333]], "Indicator: Virus.Virut.06": [[334, 348]], "Indicator: Worm.AutoRun.FLD": [[349, 365]], "Indicator: Win32.Virut.E": [[366, 379]], "Indicator: Trojan-Downloader.Win32.VB": [[380, 406]], "Indicator: Trj/Dtcontx.M": [[407, 420]]}, "info": {"id": "cyner2_5class_train_02818", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.ProxyChanger.144352 Trojan.ProxyChanger Trojan/ProxyChanger.to Win32.Trojan.WisdomEyes.16070401.9500.9857 Trojan.Win32.ProxyChanger.mx Trojan.Win32.Z.Proxychanger.144352 Trojan.Proxy.27390 Trojan.ProxyChanger.Win32.985 Trojan.Win32.ProxyChanger W32/Trojan.WVYD-3840 TrojanDownloader.Cabby.ug TR/Crypt.ZPACK.137306 Trojan/Win32.ProxyChanger Trojan.Win32.ProxyChanger.mx Trojan:Win32/Tepoyx.K Trojan/Win32.Cryptolocker.R145008 Trojan.ProxyChanger Win32/ProxyChanger.TO Trojan.ProxyChanger!ZhCr5dI6SeY W32/Kryptik.DEQP!tr Win32/Trojan.0f5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.ProxyChanger.144352": [[26, 56]], "Indicator: Trojan.ProxyChanger": [[57, 76], [462, 481]], "Indicator: Trojan/ProxyChanger.to": [[77, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9857": [[100, 142]], "Indicator: Trojan.Win32.ProxyChanger.mx": [[143, 171], [377, 405]], "Indicator: Trojan.Win32.Z.Proxychanger.144352": [[172, 206]], "Indicator: Trojan.Proxy.27390": [[207, 225]], 
"Indicator: Trojan.ProxyChanger.Win32.985": [[226, 255]], "Indicator: Trojan.Win32.ProxyChanger": [[256, 281]], "Indicator: W32/Trojan.WVYD-3840": [[282, 302]], "Indicator: TrojanDownloader.Cabby.ug": [[303, 328]], "Indicator: TR/Crypt.ZPACK.137306": [[329, 350]], "Indicator: Trojan/Win32.ProxyChanger": [[351, 376]], "Indicator: Trojan:Win32/Tepoyx.K": [[406, 427]], "Indicator: Trojan/Win32.Cryptolocker.R145008": [[428, 461]], "Indicator: Win32/ProxyChanger.TO": [[482, 503]], "Indicator: Trojan.ProxyChanger!ZhCr5dI6SeY": [[504, 535]], "Indicator: W32/Kryptik.DEQP!tr": [[536, 555]], "Indicator: Win32/Trojan.0f5": [[556, 572]]}, "info": {"id": "cyner2_5class_train_02819", "source": "cyner2_5class_train"}} +{"text": "The company develops mobile apps for both Android and iOS platforms .", "spans": {"System: Android": [[42, 49]], "System: iOS": [[54, 57]]}, "info": {"id": "cyner2_5class_train_02820", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.GZ.E0D821 Ransom_Blocker.R004C0DK917 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Blocker.R004C0DK917 Trojan-Ransom.Win32.Blocker.kklp Backdoor.Win32.Zelug.ER BehavesLike.Win32.BadFile.mt TR/Barys.796 Trojan[Downloader]/Win32.Dapato Backdoor:Win32/Zelug.B Trojan-Ransom.Win32.Blocker.kklp TScope.Malware-Cryptor.SB W32/Dapato.A!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.GZ.E0D821": [[26, 47]], "Indicator: Ransom_Blocker.R004C0DK917": [[48, 74], [118, 144]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: Trojan-Ransom.Win32.Blocker.kklp": [[145, 177], [299, 331]], "Indicator: Backdoor.Win32.Zelug.ER": [[178, 201]], "Indicator: BehavesLike.Win32.BadFile.mt": [[202, 230]], "Indicator: TR/Barys.796": [[231, 243]], "Indicator: Trojan[Downloader]/Win32.Dapato": [[244, 275]], "Indicator: Backdoor:Win32/Zelug.B": [[276, 298]], "Indicator: TScope.Malware-Cryptor.SB": [[332, 357]], "Indicator: W32/Dapato.A!tr.dldr": [[358, 378]]}, 
"info": {"id": "cyner2_5class_train_02821", "source": "cyner2_5class_train"}} +{"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a .", "spans": {"System: ARM": [[64, 67]], "System: arm64-v8a": [[75, 84]], "System: armeabi": [[87, 94]], "System: armeabi-v7a": [[97, 108]]}, "info": {"id": "cyner2_5class_train_02822", "source": "cyner2_5class_train"}} +{"text": "The backdoor has been analyzed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool.", "spans": {"Malware: backdoor": [[4, 12]], "Malware: tool": [[58, 62]], "Malware: tool.": [[142, 147]]}, "info": {"id": "cyner2_5class_train_02823", "source": "cyner2_5class_train"}} +{"text": "It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization.", "spans": {"Indicator: spread": [[31, 37]], "Malware: cryptocurrency mining malware,": [[38, 68]]}, "info": {"id": "cyner2_5class_train_02824", "source": "cyner2_5class_train"}} +{"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with the Hacking team , including a major IT partner in the Olympic Games .", "spans": {}, "info": {"id": "cyner2_5class_train_02825", "source": "cyner2_5class_train"}} +{"text": "It seems , “ Agent Smith ” prey list does not only have popular yet Janus vulnerable apps to ensure high proliferation , but also contain competitor apps of actor ’ s legitimate business arm to suppress competition .", "spans": {"Malware: Agent Smith": [[13, 24]], "Vulnerability: Janus": [[68, 73]]}, "info": {"id": "cyner2_5class_train_02826", "source": "cyner2_5class_train"}} +{"text": "The basic idea is to hook the voice call process in mediaserver .", "spans": {}, "info": {"id": "cyner2_5class_train_02827", "source": "cyner2_5class_train"}} +{"text": "Due to these two layers, we use the name TwoFace to track this webshell.", 
"spans": {"Indicator: two layers,": [[13, 24]], "Malware: TwoFace": [[41, 48]], "Malware: webshell.": [[63, 72]]}, "info": {"id": "cyner2_5class_train_02828", "source": "cyner2_5class_train"}} +{"text": "Because of the active investigation, I cannot reveal C&C domains used in the samples.", "spans": {"Indicator: C&C domains": [[53, 64]]}, "info": {"id": "cyner2_5class_train_02829", "source": "cyner2_5class_train"}} +{"text": "The discovered Javascript code runs hidden in the browser and activates when text is entered on a payment page.", "spans": {"Indicator: Javascript code": [[15, 30]], "System: browser": [[50, 57]]}, "info": {"id": "cyner2_5class_train_02830", "source": "cyner2_5class_train"}} +{"text": "These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.", "spans": {"Organization: Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.": [[15, 312]]}, "info": {"id": "cyner2_5class_train_02831", "source": "cyner2_5class_train"}} +{"text": "This particular family of information stealers has been around since 2011", "spans": {}, "info": {"id": "cyner2_5class_train_02832", "source": "cyner2_5class_train"}} +{"text": "For contacting C & C , the spyware was found to be using free DNS services , as shown in the screenshot below : SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop .", "spans": {"Indicator: DNS": [[62, 65]], "Malware: SpyNote RAT": [[112, 123]]}, "info": {"id": "cyner2_5class_train_02833", "source": 
"cyner2_5class_train"}} +{"text": "] net : Nam Phrik Num Somtum [ .", "spans": {"Indicator: Somtum [ .": [[22, 32]]}, "info": {"id": "cyner2_5class_train_02834", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Sohanad.NGW Ransom/W32.Blocker.3009335 Trojan.Musta Win32.Worm.Sohanad.NGW TROJ_ZAPCHAST.BN Win32/Tnega.SdcSccB TROJ_ZAPCHAST.BN Trojan-Ransom.Win32.Blocker.kock Win32.Worm.Sohanad.NGW Trojan.Win32.Blocker.ewkvvx Troj.Ransom.W32.Blocker!c Win32.Trojan.Blocker.Ahon Win32.Worm.Sohanad.NGW W32/Trojan.VZLV-7504 TR/Autoit.ezxix Trojan:Win32/Musta.A Win32.Worm.Sohanad.NGW Trojan-Ransom.Win32.Blocker.kock Win32.Worm.Sohanad.NGW Trojan/Win32.Zapchast.R109977 Trojan-Ransom.Blocker Win32/Autoit.KE Worm.Win32.AutoIt Trj/CI.A Win32/Worm.f95", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Sohanad.NGW": [[26, 48], [89, 111], [199, 221], [302, 324], [383, 405], [439, 461]], "Indicator: Ransom/W32.Blocker.3009335": [[49, 75]], "Indicator: Trojan.Musta": [[76, 88]], "Indicator: TROJ_ZAPCHAST.BN": [[112, 128], [149, 165]], "Indicator: Win32/Tnega.SdcSccB": [[129, 148]], "Indicator: Trojan-Ransom.Win32.Blocker.kock": [[166, 198], [406, 438]], "Indicator: Trojan.Win32.Blocker.ewkvvx": [[222, 249]], "Indicator: Troj.Ransom.W32.Blocker!c": [[250, 275]], "Indicator: Win32.Trojan.Blocker.Ahon": [[276, 301]], "Indicator: W32/Trojan.VZLV-7504": [[325, 345]], "Indicator: TR/Autoit.ezxix": [[346, 361]], "Indicator: Trojan:Win32/Musta.A": [[362, 382]], "Indicator: Trojan/Win32.Zapchast.R109977": [[462, 491]], "Indicator: Trojan-Ransom.Blocker": [[492, 513]], "Indicator: Win32/Autoit.KE": [[514, 529]], "Indicator: Worm.Win32.AutoIt": [[530, 547]], "Indicator: Trj/CI.A": [[548, 556]], "Indicator: Win32/Worm.f95": [[557, 571]]}, "info": {"id": "cyner2_5class_train_02835", "source": "cyner2_5class_train"}} +{"text": "+86.01078456689 The command-and-control server is hosting an index page which also serves an APK file : The referenced “ 
Document.apk ” is 333583 bytes in size , MD5 : c4c4077e9449147d754afd972e247efc .", "spans": {"Indicator: Document.apk": [[121, 133]], "Indicator: c4c4077e9449147d754afd972e247efc": [[168, 200]]}, "info": {"id": "cyner2_5class_train_02836", "source": "cyner2_5class_train"}} +{"text": "BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens to mimic existing banking apps and steal user credentials.", "spans": {"Malware: BankBot": [[0, 7]], "System: banking apps,": [[72, 85]], "System: banking apps": [[141, 153]], "System: steal user credentials.": [[158, 181]]}, "info": {"id": "cyner2_5class_train_02837", "source": "cyner2_5class_train"}} +{"text": "The dropper includes a 64 bit version of KONNI;", "spans": {"Malware: dropper": [[4, 11]], "System: 64 bit version": [[23, 37]], "Malware: KONNI;": [[41, 47]]}, "info": {"id": "cyner2_5class_train_02838", "source": "cyner2_5class_train"}} +{"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious… So what ? 
After being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research was closed and a new organization named LokD was created .", "spans": {"Organization: CSIS Group": [[173, 183]], "Organization: Wolf Research": [[229, 242]], "Organization: LokD": [[283, 287]]}, "info": {"id": "cyner2_5class_train_02839", "source": "cyner2_5class_train"}} +{"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon .", "spans": {"System: Android": [[87, 94]]}, "info": {"id": "cyner2_5class_train_02840", "source": "cyner2_5class_train"}} +{"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions .", "spans": {}, "info": {"id": "cyner2_5class_train_02841", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.186 W97M/Downloader.c Trojan.OBLD-0 O97M_BOGAVERT.A VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 W97M.DownLoader.110 O97M_BOGAVERT.A W97M/Downloader.c W97M/Dldr.Bogavert.xehvk TrojanDownloader:O97M/Bogavert.A HEUR.VBA.Trojan.e VB:Trojan.Valyria.186 Trojan-Downloader.O97M.Bogavert heur.macro.drop.fa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.186": [[26, 47], [96, 117], [118, 139], [140, 161], [162, 183], [314, 335]], "Indicator: W97M/Downloader.c": [[48, 65], [220, 237]], "Indicator: Trojan.OBLD-0": [[66, 79]], "Indicator: O97M_BOGAVERT.A": [[80, 95], [204, 219]], "Indicator: W97M.DownLoader.110": [[184, 203]], "Indicator: W97M/Dldr.Bogavert.xehvk": [[238, 262]], "Indicator: TrojanDownloader:O97M/Bogavert.A": [[263, 295]], "Indicator: HEUR.VBA.Trojan.e": [[296, 313]], "Indicator: Trojan-Downloader.O97M.Bogavert": [[336, 367]], "Indicator: heur.macro.drop.fa": [[368, 386]]}, "info": {"id": "cyner2_5class_train_02842", "source": 
"cyner2_5class_train"}} +{"text": "How did Gooligan emerge ? Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year .", "spans": {"Malware: Gooligan": [[8, 16], [60, 68]], "Malware: SnapPea": [[95, 102]]}, "info": {"id": "cyner2_5class_train_02843", "source": "cyner2_5class_train"}} +{"text": "What makes this malware extremely powerful is the capability to adapt after it 's deployed .", "spans": {}, "info": {"id": "cyner2_5class_train_02844", "source": "cyner2_5class_train"}} +{"text": "Recent variants drop distinctively named malware such as KingKong.dll.", "spans": {"Malware: variants": [[7, 15]], "Malware: malware": [[41, 48]], "Indicator: KingKong.dll.": [[57, 70]]}, "info": {"id": "cyner2_5class_train_02845", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Organization: organizations": [[65, 78]], "Organization: high-value targets": [[83, 101]], "Organization: defense": [[105, 112]], "Organization: government.": [[117, 128]]}, "info": {"id": "cyner2_5class_train_02846", "source": "cyner2_5class_train"}} +{"text": "However , his study results are out of the scope of our research .", "spans": {}, "info": {"id": "cyner2_5class_train_02847", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.Wolfst.A Trojan-Dropper.Win32!O TrojanDropper.Wolfst Trojan/Dropper.Wolfst TROJ_WOLFST.DRP Win32.Trojan.WisdomEyes.16070401.9500.9858 Trojan.Dropper TROJ_WOLFST.DRP Trojan.Dropper.Wolfst.A Trojan-Dropper.Win32.Wolfst Trojan.Dropper.Wolfst.A Trojan.Win32.Wolfst.ejqa Dropper.Wolfst.26146 Trojan.Dropper.Wolfst.A Trojan.Dropper.Wolfst.A Trojan.MulDrop.385 Dropper.Wolfst.Win32.8 BehavesLike.Win32.Dropper.tc W32/Trojan.DTTZ-6513 TrojanDropper.PeStaple.t RiskWare[RemoteAdmin]/Win32.RMS Trojan.Dropper.Wolfst.A W32.W.Bybz.lwoN 
Trojan-Dropper.Win32.Wolfst Dropper/Win32.Wolfst.R141816 Trojan.Dropper.Wolfst.A TScope.Trojan.Delf Trojan.DR.Wolfst!967kQq5cZ1Q Trojan-Dropper.Win32.Wolfst", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.Wolfst.A": [[26, 49], [206, 229], [258, 281], [328, 351], [352, 375], [525, 548], [622, 645]], "Indicator: Trojan-Dropper.Win32!O": [[50, 72]], "Indicator: TrojanDropper.Wolfst": [[73, 93]], "Indicator: Trojan/Dropper.Wolfst": [[94, 115]], "Indicator: TROJ_WOLFST.DRP": [[116, 131], [190, 205]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9858": [[132, 174]], "Indicator: Trojan.Dropper": [[175, 189]], "Indicator: Trojan-Dropper.Win32.Wolfst": [[230, 257], [565, 592], [694, 721]], "Indicator: Trojan.Win32.Wolfst.ejqa": [[282, 306]], "Indicator: Dropper.Wolfst.26146": [[307, 327]], "Indicator: Trojan.MulDrop.385": [[376, 394]], "Indicator: Dropper.Wolfst.Win32.8": [[395, 417]], "Indicator: BehavesLike.Win32.Dropper.tc": [[418, 446]], "Indicator: W32/Trojan.DTTZ-6513": [[447, 467]], "Indicator: TrojanDropper.PeStaple.t": [[468, 492]], "Indicator: RiskWare[RemoteAdmin]/Win32.RMS": [[493, 524]], "Indicator: W32.W.Bybz.lwoN": [[549, 564]], "Indicator: Dropper/Win32.Wolfst.R141816": [[593, 621]], "Indicator: TScope.Trojan.Delf": [[646, 664]], "Indicator: Trojan.DR.Wolfst!967kQq5cZ1Q": [[665, 693]]}, "info": {"id": "cyner2_5class_train_02848", "source": "cyner2_5class_train"}} +{"text": "Also , when an SMS arrives , the Trojan puts the phone into silent mode and switches off the screen so the user doesn ’ t notice that a new SMS has arrived .", "spans": {}, "info": {"id": "cyner2_5class_train_02849", "source": "cyner2_5class_train"}} +{"text": "For more information, see information on the EITest campaign in the Unit 42 blog titled: Decline in Rig Exploit Kit.", "spans": {"Organization: the Unit 42": [[64, 75]], "Malware: Rig Exploit Kit.": [[100, 116]]}, "info": {"id": "cyner2_5class_train_02850", "source": "cyner2_5class_train"}} +{"text": 
"While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores .", "spans": {"Malware: HenBox": [[34, 40], [85, 91]], "System: Google Play": [[71, 82]], "System: Play": [[157, 161]]}, "info": {"id": "cyner2_5class_train_02851", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.IlamMak.Trojan Trojan.Win32.Delf!O Trojan.Delf Trojan.Delf.Win32.9224 Win32.Trojan.Delf.ii W32/Trojan.HGGE-3556 Infostealer.Yahmali Win32/Yahmali.C TSPY_YAHMALI.B Trojan.Win32.Delf.aam Trojan.Win32.Delf.dxmnga TSPY_YAHMALI.B Trojan-GameThief.Win32.Nilage W32/Trojan2.OXXZ Trojan/Delf.ia TR/Delf.aam.35 Trojan/Win32.Delf Win32.Virut.ce.57344 PWS:Win32/Yahmali.A Trojan.Win32.A.Delf.104448 Trojan.Win32.Delf.aam Trojan/Win32.Yahmali.R25760 Trojan.Autorun.Havijak.1 Trojan.PasswordStealer W32/FolderToEXE.A.worm Win32/Delf.AAM Trojan.Delf!QRjoRop97so", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.IlamMak.Trojan": [[26, 44]], "Indicator: Trojan.Win32.Delf!O": [[45, 64]], "Indicator: Trojan.Delf": [[65, 76]], "Indicator: Trojan.Delf.Win32.9224": [[77, 99]], "Indicator: Win32.Trojan.Delf.ii": [[100, 120]], "Indicator: W32/Trojan.HGGE-3556": [[121, 141]], "Indicator: Infostealer.Yahmali": [[142, 161]], "Indicator: Win32/Yahmali.C": [[162, 177]], "Indicator: TSPY_YAHMALI.B": [[178, 192], [240, 254]], "Indicator: Trojan.Win32.Delf.aam": [[193, 214], [418, 439]], "Indicator: Trojan.Win32.Delf.dxmnga": [[215, 239]], "Indicator: Trojan-GameThief.Win32.Nilage": [[255, 284]], "Indicator: W32/Trojan2.OXXZ": [[285, 301]], "Indicator: Trojan/Delf.ia": [[302, 316]], "Indicator: TR/Delf.aam.35": [[317, 331]], "Indicator: Trojan/Win32.Delf": [[332, 349]], "Indicator: Win32.Virut.ce.57344": [[350, 370]], "Indicator: PWS:Win32/Yahmali.A": [[371, 390]], "Indicator: Trojan.Win32.A.Delf.104448": [[391, 417]], "Indicator: Trojan/Win32.Yahmali.R25760": [[440, 467]], 
"Indicator: Trojan.Autorun.Havijak.1": [[468, 492]], "Indicator: Trojan.PasswordStealer": [[493, 515]], "Indicator: W32/FolderToEXE.A.worm": [[516, 538]], "Indicator: Win32/Delf.AAM": [[539, 553]], "Indicator: Trojan.Delf!QRjoRop97so": [[554, 577]]}, "info": {"id": "cyner2_5class_train_02852", "source": "cyner2_5class_train"}} +{"text": "The Elf.BillGates version targets Linux operating system.", "spans": {"Indicator: Elf.BillGates": [[4, 17]], "System: Linux operating system.": [[34, 57]]}, "info": {"id": "cyner2_5class_train_02853", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]]}, "info": {"id": "cyner2_5class_train_02854", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.Pincav.dxbist Trojan.Win32.Z.Zusy.618496.BJ Trojan.DownLoader22.56304 BehavesLike.Win32.AdwareConvertAd.jh TR/AD.Corebot.mgjun Trojan.Zusy.D27BC8 Trojan:Win32/Corebot.A Trojan.Downloader Win32/Trojan.BO.918", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9933": [[26, 68]], "Indicator: Trojan.Win32.Pincav.dxbist": [[69, 95]], "Indicator: Trojan.Win32.Z.Zusy.618496.BJ": [[96, 125]], "Indicator: Trojan.DownLoader22.56304": [[126, 151]], "Indicator: BehavesLike.Win32.AdwareConvertAd.jh": [[152, 188]], "Indicator: TR/AD.Corebot.mgjun": [[189, 208]], "Indicator: Trojan.Zusy.D27BC8": [[209, 227]], "Indicator: Trojan:Win32/Corebot.A": [[228, 250]], "Indicator: Trojan.Downloader": [[251, 268]], "Indicator: Win32/Trojan.BO.918": [[269, 288]]}, "info": {"id": "cyner2_5class_train_02855", "source": "cyner2_5class_train"}} +{"text": "Since then, it has evolved fairly rapidly and has added new capabilities, as reported.", "spans": {}, "info": {"id": "cyner2_5class_train_02856", "source": "cyner2_5class_train"}} 
+{"text": "Then , using POST requests to the relative address report.php , it sends data about the device ( IMEI , phone number , country , mobile operator , phone model , availability of root rights , OS version ) , list of contacts , list of installed apps , incoming SMS , and other information .", "spans": {"Indicator: report.php": [[51, 61]]}, "info": {"id": "cyner2_5class_train_02857", "source": "cyner2_5class_train"}} +{"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations .", "spans": {}, "info": {"id": "cyner2_5class_train_02858", "source": "cyner2_5class_train"}} +{"text": "Lookout notified Google of the potential threat shortly after it was discovered .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Google": [[17, 23]]}, "info": {"id": "cyner2_5class_train_02859", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Inject.Win32.237373 Troj.W32.Inject!c W32/Trojan.JMPH-3101 Trojan.Win32.Inject.aeryd Trojan.Win32.Banbra.elzzqd Trojan.MulDrop7.31178 BehavesLike.Win32.PUPXBY.dh Trojan.Inject.vwf TR/Sfuzuan.jhmvt Trojan.Ursu.D4870 Trojan.Win32.Inject.aeryd Trojan:Win32/Sfuzuan.B!bit Trj/GdSda.A Win32.Trojan.Inject.Wklz Trojan.PWS.Banbra!c5Sww8Szjr0 Trojan.Win32.Sfuzuan", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.Inject.Win32.237373": [[46, 72]], "Indicator: Troj.W32.Inject!c": [[73, 90]], "Indicator: W32/Trojan.JMPH-3101": [[91, 111]], "Indicator: Trojan.Win32.Inject.aeryd": [[112, 137], [268, 293]], "Indicator: Trojan.Win32.Banbra.elzzqd": [[138, 164]], "Indicator: Trojan.MulDrop7.31178": [[165, 186]], "Indicator: BehavesLike.Win32.PUPXBY.dh": [[187, 214]], "Indicator: Trojan.Inject.vwf": [[215, 232]], "Indicator: TR/Sfuzuan.jhmvt": [[233, 249]], "Indicator: Trojan.Ursu.D4870": [[250, 267]], "Indicator: Trojan:Win32/Sfuzuan.B!bit": [[294, 320]], "Indicator: 
Trj/GdSda.A": [[321, 332]], "Indicator: Win32.Trojan.Inject.Wklz": [[333, 357]], "Indicator: Trojan.PWS.Banbra!c5Sww8Szjr0": [[358, 387]], "Indicator: Trojan.Win32.Sfuzuan": [[388, 408]]}, "info": {"id": "cyner2_5class_train_02860", "source": "cyner2_5class_train"}} +{"text": "Users may be required the help of their device manufacturer to get support for firmware flashing .", "spans": {}, "info": {"id": "cyner2_5class_train_02861", "source": "cyner2_5class_train"}} +{"text": "Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets.", "spans": {"Vulnerability: vulnerability": [[45, 58]], "Indicator: attack": [[156, 162]]}, "info": {"id": "cyner2_5class_train_02862", "source": "cyner2_5class_train"}} +{"text": "This special exception handler is needed to manage some memory buffers protection and special exceptions that are used to provide more stealthy execution .", "spans": {}, "info": {"id": "cyner2_5class_train_02863", "source": "cyner2_5class_train"}} +{"text": "This malware has been reported to have been used in high profile breaches like the ones at Wellpoint/Anthem, VAE Inc, USIS and Mitsubishi Heavy Industries.", "spans": {"Malware: malware": [[5, 12]], "Organization: high profile": [[52, 64]], "Organization: Wellpoint/Anthem, VAE Inc, USIS": [[91, 122]], "Organization: Mitsubishi Heavy Industries.": [[127, 155]]}, "info": {"id": "cyner2_5class_train_02864", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_DLDR.SMI Win32.Trojan.WisdomEyes.16070401.9500.9976 Trojan.Adclicker TROJ_DLDR.SMI Trojan.Win32.CcKrizCry.dpsxlj Troj.Downloader.W32.Helminthos.kZDa Downloader.KrizCry.Win32.252 BehavesLike.Win32.Backdoor.dm TR/Malushka.umxne Trojan[Downloader]/Win32.CcKrizCry TrojanDownloader:Win32/Malushka.T Trojan/Win32.Cckrizcry.R7632 Win32.Trojan.Dldr.Lscd W32/KrizCry.M!tr.dldr Win32/Trojan.3f8", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: TROJ_DLDR.SMI": [[26, 39], [100, 113]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9976": [[40, 82]], "Indicator: Trojan.Adclicker": [[83, 99]], "Indicator: Trojan.Win32.CcKrizCry.dpsxlj": [[114, 143]], "Indicator: Troj.Downloader.W32.Helminthos.kZDa": [[144, 179]], "Indicator: Downloader.KrizCry.Win32.252": [[180, 208]], "Indicator: BehavesLike.Win32.Backdoor.dm": [[209, 238]], "Indicator: TR/Malushka.umxne": [[239, 256]], "Indicator: Trojan[Downloader]/Win32.CcKrizCry": [[257, 291]], "Indicator: TrojanDownloader:Win32/Malushka.T": [[292, 325]], "Indicator: Trojan/Win32.Cckrizcry.R7632": [[326, 354]], "Indicator: Win32.Trojan.Dldr.Lscd": [[355, 377]], "Indicator: W32/KrizCry.M!tr.dldr": [[378, 399]], "Indicator: Win32/Trojan.3f8": [[400, 416]]}, "info": {"id": "cyner2_5class_train_02865", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.GBYU-0953 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Worm.Win32.Delf.579072 Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 Virus.Win32.Ramnit W32/Worm.APDA Win32/Virut.bt Virus/Win32.Virut.ce W32.Virut.lJ4T Virus.Win32.Virut.ce HEUR/Fakon.mwf Virus.Virut.14 W32/Sality.AO Virus.Win32.Virut.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: PE_VIRUX.R": [[73, 83], [177, 187]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[84, 126]], "Indicator: W32/Worm.GBYU-0953": [[127, 145]], "Indicator: W32.Virut.CF": [[146, 158]], "Indicator: Win32/Virut.17408": [[159, 176]], "Indicator: Virus.Win32.Virut.ce": [[188, 208], [398, 418]], "Indicator: Virus.Win32.Virut.hpeg": [[209, 231]], "Indicator: Worm.Win32.Delf.579072": [[232, 254]], "Indicator: Virus.Win32.Virut.CE": [[255, 275]], 
"Indicator: Win32.Virut.56": [[276, 290]], "Indicator: Virus.Virut.Win32.1938": [[291, 313]], "Indicator: Virus.Win32.Ramnit": [[314, 332]], "Indicator: W32/Worm.APDA": [[333, 346]], "Indicator: Win32/Virut.bt": [[347, 361]], "Indicator: Virus/Win32.Virut.ce": [[362, 382]], "Indicator: W32.Virut.lJ4T": [[383, 397]], "Indicator: HEUR/Fakon.mwf": [[419, 433]], "Indicator: Virus.Virut.14": [[434, 448]], "Indicator: W32/Sality.AO": [[449, 462]], "Indicator: Virus.Win32.Virut.M": [[463, 482]]}, "info": {"id": "cyner2_5class_train_02866", "source": "cyner2_5class_train"}} +{"text": "The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.", "spans": {"Indicator: technology, impact, possible attribution": [[44, 84]], "Indicator: signature": [[93, 102]], "Indicator: detect": [[106, 112]], "Malware: malware.": [[117, 125]]}, "info": {"id": "cyner2_5class_train_02867", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan-Downloader.Win32.VB.aohd Trojan.Win32.VB.ecbrdj Trojan.DownLoad2.47277 BehavesLike.Win32.BadFile.nm TrojanDownloader.VB.dkqk Trojan-Downloader.Win32.VB.aohd TrojanDownloader:Win32/Vbload.J", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]], "Indicator: Trojan-Downloader.Win32.VB.aohd": [[69, 100], [201, 232]], "Indicator: Trojan.Win32.VB.ecbrdj": [[101, 123]], "Indicator: Trojan.DownLoad2.47277": [[124, 146]], "Indicator: BehavesLike.Win32.BadFile.nm": [[147, 175]], "Indicator: TrojanDownloader.VB.dkqk": [[176, 200]], "Indicator: TrojanDownloader:Win32/Vbload.J": [[233, 264]]}, "info": {"id": "cyner2_5class_train_02868", "source": "cyner2_5class_train"}} +{"text": "Those targeted include Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal 
Business": [[23, 38]], "System: Revolut": [[41, 48]], "System: Barclays": [[51, 59]], "System: UniCredit": [[62, 71]], "System: CapitalOne UK": [[74, 87]], "System: HSBC UK": [[90, 97]], "System: Santander UK": [[100, 112]], "System: TransferWise": [[115, 127]], "System: Coinbase": [[130, 138]], "System: paysafecard": [[141, 152]]}, "info": {"id": "cyner2_5class_train_02869", "source": "cyner2_5class_train"}} +{"text": "BadRabbit is distributed as a fake flash update, and reportedly using Mimikatz, the Eternal Romance exploit, and a list of passwords to spread via SMB in a worm-like fashion.", "spans": {"Malware: BadRabbit": [[0, 9]], "Indicator: a fake flash update,": [[28, 48]], "Malware: Mimikatz, the Eternal Romance exploit,": [[70, 108]], "System: SMB": [[147, 150]], "Indicator: worm-like fashion.": [[156, 174]]}, "info": {"id": "cyner2_5class_train_02870", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Bitsto BKDR_BISCUIT.A Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/TrojanX.EGVY BKDR_BISCUIT.A Trojan.Win32.Click.dsvjap Trojan.Click.31006 BehavesLike.Win32.RAHack.nc W32/Trojan.RGTL-7538 Backdoor:Win32/Bitsto.A Adware/Win32.NaviPromo.R36681", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bitsto": [[26, 41]], "Indicator: BKDR_BISCUIT.A": [[42, 56], [117, 131]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[57, 99]], "Indicator: W32/TrojanX.EGVY": [[100, 116]], "Indicator: Trojan.Win32.Click.dsvjap": [[132, 157]], "Indicator: Trojan.Click.31006": [[158, 176]], "Indicator: BehavesLike.Win32.RAHack.nc": [[177, 204]], "Indicator: W32/Trojan.RGTL-7538": [[205, 225]], "Indicator: Backdoor:Win32/Bitsto.A": [[226, 249]], "Indicator: Adware/Win32.NaviPromo.R36681": [[250, 279]]}, "info": {"id": "cyner2_5class_train_02871", "source": "cyner2_5class_train"}} +{"text": "The VPN package is no longer present , further reinforcing our conclusion that it was not in use .", "spans": {}, "info": {"id": 
"cyner2_5class_train_02872", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RiskWare.Tool.CK Trojan.Tool!qSvNdOK1TCo Riskware.Win32.ASEye.cjxuqg Virus.Win32.Heur.c Tool.ASEye.2 BehavesLike.Win32.ToolTPatch.lm Unwanted/Win32.Patch Hacktool.Win32.TPE.BA Trojan.Feutel.AV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RiskWare.Tool.CK": [[26, 42]], "Indicator: Trojan.Tool!qSvNdOK1TCo": [[43, 66]], "Indicator: Riskware.Win32.ASEye.cjxuqg": [[67, 94]], "Indicator: Virus.Win32.Heur.c": [[95, 113]], "Indicator: Tool.ASEye.2": [[114, 126]], "Indicator: BehavesLike.Win32.ToolTPatch.lm": [[127, 158]], "Indicator: Unwanted/Win32.Patch": [[159, 179]], "Indicator: Hacktool.Win32.TPE.BA": [[180, 201]], "Indicator: Trojan.Feutel.AV": [[202, 218]]}, "info": {"id": "cyner2_5class_train_02873", "source": "cyner2_5class_train"}} +{"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before .", "spans": {"Malware: FakeSpy": [[104, 111]]}, "info": {"id": "cyner2_5class_train_02874", "source": "cyner2_5class_train"}} +{"text": "We estimate that through the malware s malicious activities, the perpetrators behind it gained over $1.5 million over the course of two months.", "spans": {"Malware: malware": [[29, 36]], "Indicator: malicious activities,": [[39, 60]]}, "info": {"id": "cyner2_5class_train_02875", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.FC.6901 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Diztakun.dbjduc Win32.Trojan.Spy.Sudw BehavesLike.Win32.Trojan.dh Trojan.Win32.Diztakun W32/Trojan.IYBN-7194 Trojan.Kazy.D82509 Trojan:MSIL/Diztakun.A!bit Trojan/Win32.Diztakun.C2318558 Trj/GdSda.A Win32/Trojan.c81", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.FC.6901": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[46, 88]], "Indicator: Trojan.Win32.Diztakun.dbjduc": [[89, 117]], 
"Indicator: Win32.Trojan.Spy.Sudw": [[118, 139]], "Indicator: BehavesLike.Win32.Trojan.dh": [[140, 167]], "Indicator: Trojan.Win32.Diztakun": [[168, 189]], "Indicator: W32/Trojan.IYBN-7194": [[190, 210]], "Indicator: Trojan.Kazy.D82509": [[211, 229]], "Indicator: Trojan:MSIL/Diztakun.A!bit": [[230, 256]], "Indicator: Trojan/Win32.Diztakun.C2318558": [[257, 287]], "Indicator: Trj/GdSda.A": [[288, 299]], "Indicator: Win32/Trojan.c81": [[300, 316]]}, "info": {"id": "cyner2_5class_train_02876", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/StartPage.axk Trojan.Startpage Win.Trojan.Startpage-757 Trojan.MSIL.StartPage.bo Trojan.Win32.StartPage.eaqxl Trojan.StartPage.22255 Trojan/StartPage.ajy TR/StartPage.axk.2 Trojan:MSIL/Startpage.A Trojan.MSIL.StartPage.bo Trojan/Win32.StartPage.C59843 Trj/CI.A MSIL/StartPage.A Win32.Trojan.Startpage.cduj Trojan.StartPage!8fKymuz2/+o Trojan.Win32.StartPage W32/StartPage.PL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/StartPage.axk": [[26, 46]], "Indicator: Trojan.Startpage": [[47, 63]], "Indicator: Win.Trojan.Startpage-757": [[64, 88]], "Indicator: Trojan.MSIL.StartPage.bo": [[89, 113], [230, 254]], "Indicator: Trojan.Win32.StartPage.eaqxl": [[114, 142]], "Indicator: Trojan.StartPage.22255": [[143, 165]], "Indicator: Trojan/StartPage.ajy": [[166, 186]], "Indicator: TR/StartPage.axk.2": [[187, 205]], "Indicator: Trojan:MSIL/Startpage.A": [[206, 229]], "Indicator: Trojan/Win32.StartPage.C59843": [[255, 284]], "Indicator: Trj/CI.A": [[285, 293]], "Indicator: MSIL/StartPage.A": [[294, 310]], "Indicator: Win32.Trojan.Startpage.cduj": [[311, 338]], "Indicator: Trojan.StartPage!8fKymuz2/+o": [[339, 367]], "Indicator: Trojan.Win32.StartPage": [[368, 390]], "Indicator: W32/StartPage.PL!tr": [[391, 410]]}, "info": {"id": "cyner2_5class_train_02877", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Morto.dll.b Trojan/Morto.l WORM_MORTO.SM2 Worm.Win32.Morto!IK 
Worm.Win32.Morto.~dln Worm/Morto.dlnam WORM_MORTO.SM2 W32/Morto.dll.b Worm:Win32/Morto.D Worm/Win32.Morto Worm.Win32.Morto.h Worm.Win32.Morto W32/Morto.A!tr Worm/Morto.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Morto.dll.b": [[26, 41], [146, 161]], "Indicator: Trojan/Morto.l": [[42, 56]], "Indicator: WORM_MORTO.SM2": [[57, 71], [131, 145]], "Indicator: Worm.Win32.Morto!IK": [[72, 91]], "Indicator: Worm.Win32.Morto.~dln": [[92, 113]], "Indicator: Worm/Morto.dlnam": [[114, 130]], "Indicator: Worm:Win32/Morto.D": [[162, 180]], "Indicator: Worm/Win32.Morto": [[181, 197]], "Indicator: Worm.Win32.Morto.h": [[198, 216]], "Indicator: Worm.Win32.Morto": [[217, 233]], "Indicator: W32/Morto.A!tr": [[234, 248]], "Indicator: Worm/Morto.D": [[249, 261]]}, "info": {"id": "cyner2_5class_train_02878", "source": "cyner2_5class_train"}} +{"text": "Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network.", "spans": {"Malware: JexBoss,": [[38, 46]], "Indicator: open source tool for testing and exploiting": [[50, 93]], "System: JBoss application servers,": [[94, 120]], "Indicator: network.": [[147, 155]]}, "info": {"id": "cyner2_5class_train_02879", "source": "cyner2_5class_train"}} +{"text": "However , it could easily be used for far more intrusive and harmful purposes such as banking credential theft .", "spans": {}, "info": {"id": "cyner2_5class_train_02880", "source": "cyner2_5class_train"}} +{"text": "In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO", "spans": {"Organization: Proofpoint researchers": [[14, 36]], "System: Android version": [[60, 75]], "System: mobile game Pokemon GO": [[98, 120]]}, "info": {"id": "cyner2_5class_train_02881", "source": "cyner2_5class_train"}} +{"text": "Upon loading the rtf document, it will drop a base64 encoded powershellscript in the following 
location:%TEMP%\\log.ps1", "spans": {"Indicator: the rtf document,": [[13, 30]], "Indicator: base64 encoded powershellscript": [[46, 77]], "Indicator: location:%TEMP%\\log.ps1": [[95, 118]]}, "info": {"id": "cyner2_5class_train_02882", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Detrahere Trojan.Midie.DA596 TROJ_KRYPTIK_HA22006D.UVPM Trojan.Win32.DownLoad3.exdqqe Trojan.DownLoad3.64586 Trojan.Kryptik.Win32.1347406 TROJ_KRYPTIK_HA22006D.UVPM Trojan.MSIL.ikyj TR/Crypt.ZPACK.hgndb Trojan:Win32/Detrahere.E Trojan/Win32.Tiggre.R216587 Trojan.Crypt Win32/Trojan.daa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Detrahere": [[26, 42]], "Indicator: Trojan.Midie.DA596": [[43, 61]], "Indicator: TROJ_KRYPTIK_HA22006D.UVPM": [[62, 88], [171, 197]], "Indicator: Trojan.Win32.DownLoad3.exdqqe": [[89, 118]], "Indicator: Trojan.DownLoad3.64586": [[119, 141]], "Indicator: Trojan.Kryptik.Win32.1347406": [[142, 170]], "Indicator: Trojan.MSIL.ikyj": [[198, 214]], "Indicator: TR/Crypt.ZPACK.hgndb": [[215, 235]], "Indicator: Trojan:Win32/Detrahere.E": [[236, 260]], "Indicator: Trojan/Win32.Tiggre.R216587": [[261, 288]], "Indicator: Trojan.Crypt": [[289, 301]], "Indicator: Win32/Trojan.daa": [[302, 318]]}, "info": {"id": "cyner2_5class_train_02883", "source": "cyner2_5class_train"}} +{"text": "Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.", "spans": {"Vulnerability: vulnerability": [[42, 55]], "System: Microsoft Server Message Block SMB protocol": [[59, 102]], "Indicator: Backdoor.Nitol": [[129, 143]], "Malware: Trojan Gh0st RAT.": [[148, 165]]}, "info": {"id": "cyner2_5class_train_02884", "source": "cyner2_5class_train"}} +{"text": "When a user enters an Internet banking site on a computer infected by banking malware ( ZeuS , Citadel ) , a request about the smartphone number and type of operating system is injected into 
the code of the authentication page .", "spans": {"Malware: ZeuS": [[88, 92]], "Malware: Citadel": [[95, 102]]}, "info": {"id": "cyner2_5class_train_02885", "source": "cyner2_5class_train"}} +{"text": "Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions.", "spans": {"System: virtual machine": [[42, 57]], "Indicator: numeric hexadecimal": [[70, 89]], "Indicator: configuration file": [[117, 135]], "Malware: stealer run": [[145, 156]]}, "info": {"id": "cyner2_5class_train_02886", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Stration.DDA@mm Win32.Stration.DDA@mm I-Worm.Warezov.r3 Win32.Stration.DDA@mm Trojan.Win32.Warezov.ehypz W32/Worm.ARBW W32.Stration@mm Win32.Stration.DDA@mm I-Worm.Opnis!V3KJQVovhbU I-Worm.Win32.Warezov.20480.AW[h] Win32.Worm-email.Warezov.Lpvc Win32.Stration.DDA@mm Worm.Win32.Warezov.~AD Win32.Stration.DDA@mm Win32.HLLM.Limar.3939 Worm.Warezov.Win32.123 W32/Worm.IQCC-3677 I-Worm.Warezov.bu WORM/Warezov.2048.1 W32/Stration.KG!tr Worm[Email]/Win32.Warezov Win32.Stration.E878FD Worm:Win32/Stration.ST Win32/Stration.AHP Worm.Win32.Warezov.aK Worm.Win32.Warezov Win32.Stration.DDA@mm Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Stration.DDA@mm": [[26, 47], [48, 69], [88, 109], [167, 188], [277, 298], [322, 343], [596, 617]], "Indicator: I-Worm.Warezov.r3": [[70, 87]], "Indicator: Trojan.Win32.Warezov.ehypz": [[110, 136]], "Indicator: W32/Worm.ARBW": [[137, 150]], "Indicator: W32.Stration@mm": [[151, 166]], "Indicator: I-Worm.Opnis!V3KJQVovhbU": [[189, 213]], "Indicator: I-Worm.Win32.Warezov.20480.AW[h]": [[214, 246]], "Indicator: Win32.Worm-email.Warezov.Lpvc": [[247, 276]], "Indicator: Worm.Win32.Warezov.~AD": [[299, 321]], "Indicator: Win32.HLLM.Limar.3939": [[344, 365]], "Indicator: Worm.Warezov.Win32.123": [[366, 388]], "Indicator: W32/Worm.IQCC-3677": [[389, 407]], 
"Indicator: I-Worm.Warezov.bu": [[408, 425]], "Indicator: WORM/Warezov.2048.1": [[426, 445]], "Indicator: W32/Stration.KG!tr": [[446, 464]], "Indicator: Worm[Email]/Win32.Warezov": [[465, 490]], "Indicator: Win32.Stration.E878FD": [[491, 512]], "Indicator: Worm:Win32/Stration.ST": [[513, 535]], "Indicator: Win32/Stration.AHP": [[536, 554]], "Indicator: Worm.Win32.Warezov.aK": [[555, 576]], "Indicator: Worm.Win32.Warezov": [[577, 595]], "Indicator: Trj/CI.A": [[618, 626]]}, "info": {"id": "cyner2_5class_train_02887", "source": "cyner2_5class_train"}} +{"text": "Figure 1 : ‘ Agent Smith ’ s modular structure Technical Analysis – Loader Module The “ loader ” module , as stated above , extracts and runs the “ core ” module .", "spans": {"Malware: Agent Smith": [[13, 24]]}, "info": {"id": "cyner2_5class_train_02888", "source": "cyner2_5class_train"}} +{"text": "Table 4 below lists the intents that are statically registered in this HenBox variant ’ s AndroidManifest.xml config file , together with a description of what that intent does , and when it would be used .", "spans": {"Malware: HenBox": [[71, 77]]}, "info": {"id": "cyner2_5class_train_02889", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.E38E91 Win32.Trojan.WisdomEyes.16070401.9500.9982 WORM_AMBLER.SMZ Trojan-Spy.Win32.Amber.zdc Trojan.Win32.Amber.etbxtl Win32.Trojan-spy.Amber.Wskc Trojan-Spy.Win32.Ambler WORM_AMBLER.SMZ BehavesLike.Win32.Virut.qc Trojan-Dropper.Win32.Ambler W32/Trojan.MMWY-8251 TrojanSpy:Win32/Ambler.D Trojan-Spy.Win32.Ambler Win32/AutoRun.Spy.Ambler.NAW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.E38E91": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[45, 87]], "Indicator: WORM_AMBLER.SMZ": [[88, 103], [209, 224]], "Indicator: Trojan-Spy.Win32.Amber.zdc": [[104, 130]], "Indicator: Trojan.Win32.Amber.etbxtl": [[131, 156]], "Indicator: Win32.Trojan-spy.Amber.Wskc": [[157, 184]], "Indicator: 
Trojan-Spy.Win32.Ambler": [[185, 208], [326, 349]], "Indicator: BehavesLike.Win32.Virut.qc": [[225, 251]], "Indicator: Trojan-Dropper.Win32.Ambler": [[252, 279]], "Indicator: W32/Trojan.MMWY-8251": [[280, 300]], "Indicator: TrojanSpy:Win32/Ambler.D": [[301, 325]], "Indicator: Win32/AutoRun.Spy.Ambler.NAW": [[350, 378]]}, "info": {"id": "cyner2_5class_train_02890", "source": "cyner2_5class_train"}} +{"text": "In green , we can see the references to the SMS API .", "spans": {}, "info": {"id": "cyner2_5class_train_02891", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Keylogger.Win32.19936 Trojan/Spy.nut Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.DownLoader6.20458 Trojan/Win32.Graftor.R31665 TrojanSpy.KeyLogger!VshB9boiuX0 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Keylogger.Win32.19936": [[26, 54]], "Indicator: Trojan/Spy.nut": [[55, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[70, 112]], "Indicator: Trojan.DownLoader6.20458": [[113, 137]], "Indicator: Trojan/Win32.Graftor.R31665": [[138, 165]], "Indicator: TrojanSpy.KeyLogger!VshB9boiuX0": [[166, 197]], "Indicator: Trj/CI.A": [[198, 206]]}, "info": {"id": "cyner2_5class_train_02892", "source": "cyner2_5class_train"}} +{"text": "Chunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan .", "spans": {"Organization: Chunghwa Post": [[0, 13]], "Organization: Chunghwa": [[49, 57]]}, "info": {"id": "cyner2_5class_train_02893", "source": "cyner2_5class_train"}} +{"text": "With that inclusion, companies running on those systems will also be at risk.", "spans": {}, "info": {"id": "cyner2_5class_train_02894", "source": "cyner2_5class_train"}} +{"text": "The main infection vector is a phishing attack using SMS/MMS .", "spans": {}, "info": {"id": "cyner2_5class_train_02895", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RemoteAdmin.Win32.RAT!O Backdoor.Daromec Backdoor.Breut 
not-a-virus:RemoteAdmin.Win32.RAT.a Trojan.Win32.MLW.dbyfty BackDoor.Comet.21 Trojan[RemoteAdmin]/Win32.RAT not-a-virus:RemoteAdmin.Win32.RAT.a Backdoor:Win32/Daromec.A RiskWare.RemoteAdmin Trojan.MiniUPnP!L9xsRhGGfN0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RemoteAdmin.Win32.RAT!O": [[26, 49]], "Indicator: Backdoor.Daromec": [[50, 66]], "Indicator: Backdoor.Breut": [[67, 81]], "Indicator: not-a-virus:RemoteAdmin.Win32.RAT.a": [[82, 117], [190, 225]], "Indicator: Trojan.Win32.MLW.dbyfty": [[118, 141]], "Indicator: BackDoor.Comet.21": [[142, 159]], "Indicator: Trojan[RemoteAdmin]/Win32.RAT": [[160, 189]], "Indicator: Backdoor:Win32/Daromec.A": [[226, 250]], "Indicator: RiskWare.RemoteAdmin": [[251, 271]], "Indicator: Trojan.MiniUPnP!L9xsRhGGfN0": [[272, 299]]}, "info": {"id": "cyner2_5class_train_02896", "source": "cyner2_5class_train"}} +{"text": "More data is appearing daily , leading us to believe the actors are still highly active .", "spans": {}, "info": {"id": "cyner2_5class_train_02897", "source": "cyner2_5class_train"}} +{"text": "That domain still hosts the malicious Flash file CVE-2015-7645 that it previously used in standalone attacks.", "spans": {"Indicator: That domain": [[0, 11]], "Malware: malicious": [[28, 37]], "System: Flash": [[38, 43]], "Indicator: file CVE-2015-7645": [[44, 62]], "Indicator: standalone attacks.": [[90, 109]]}, "info": {"id": "cyner2_5class_train_02898", "source": "cyner2_5class_train"}} +{"text": "On August 4, 2016, the Gmail account of an unknown individual was compromised in order to conduct spearphishing campaigns against a diverse set of targets related to Iran.", "spans": {"System: Gmail account": [[23, 36]], "Organization: unknown individual": [[43, 61]], "Indicator: compromised": [[66, 77]]}, "info": {"id": "cyner2_5class_train_02899", "source": "cyner2_5class_train"}} +{"text": "The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as 
social networking and cloud storage sites to foil detection efforts.", "spans": {"Indicator: attack": [[4, 10]], "Organization: trend": [[24, 29]], "Indicator: communicating with legitimate web services": [[77, 119]], "Indicator: social networking": [[128, 145]], "Indicator: cloud storage sites": [[150, 169]]}, "info": {"id": "cyner2_5class_train_02900", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Program.Hadsruda Trojan.Razy.D2C7F5 Win32.Trojan-Downloader.Adload.aa Win.Malware.Zusy-5689722-0 Riskware.Win32.AdLoad.epwtbh Adware.Oxypumper.159236 Application.Win32.OxyPumper.ADA Trojan.DownLoader26.15650 Adware.OxyPumper.Win32.616 BehavesLike.Win32.Trojan.cc W32/Trojan.TQZU-9354 Adware.Adload.cqi ADWARE/OxyPumper.vgssx GrayWare[AdWare]/Win32.AdLoad Adware.OxyPumper/Variant Trojan.Downloader Trj/GdSda.A Win32.Trojan.Razy.Lmkk PUA.AdLoad! PUA.OxyPumper Win32/Trojan.4e9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Program.Hadsruda": [[26, 42]], "Indicator: Trojan.Razy.D2C7F5": [[43, 61]], "Indicator: Win32.Trojan-Downloader.Adload.aa": [[62, 95]], "Indicator: Win.Malware.Zusy-5689722-0": [[96, 122]], "Indicator: Riskware.Win32.AdLoad.epwtbh": [[123, 151]], "Indicator: Adware.Oxypumper.159236": [[152, 175]], "Indicator: Application.Win32.OxyPumper.ADA": [[176, 207]], "Indicator: Trojan.DownLoader26.15650": [[208, 233]], "Indicator: Adware.OxyPumper.Win32.616": [[234, 260]], "Indicator: BehavesLike.Win32.Trojan.cc": [[261, 288]], "Indicator: W32/Trojan.TQZU-9354": [[289, 309]], "Indicator: Adware.Adload.cqi": [[310, 327]], "Indicator: ADWARE/OxyPumper.vgssx": [[328, 350]], "Indicator: GrayWare[AdWare]/Win32.AdLoad": [[351, 380]], "Indicator: Adware.OxyPumper/Variant": [[381, 405]], "Indicator: Trojan.Downloader": [[406, 423]], "Indicator: Trj/GdSda.A": [[424, 435]], "Indicator: Win32.Trojan.Razy.Lmkk": [[436, 458]], "Indicator: PUA.AdLoad!": [[459, 470]], "Indicator: PUA.OxyPumper": [[471, 484]], "Indicator: Win32/Trojan.4e9": [[485, 
501]]}, "info": {"id": "cyner2_5class_train_02901", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.A5 Win32.Trojan.WisdomEyes.16070401.9500.9603 not-a-virus:NetTool.Win64.RPCHook.a BehavesLike.Win32.Downloader.vc TrojanDownloader.Paph.ds Trojan[Downloader]/Win32.Betload Trojan.Jaike.DD8D Troj.W32.Inject.tnKf not-a-virus:NetTool.Win64.RPCHook.a Trojan-Downloader.Win32.Moure Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.A5": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9603": [[44, 86]], "Indicator: not-a-virus:NetTool.Win64.RPCHook.a": [[87, 122], [252, 287]], "Indicator: BehavesLike.Win32.Downloader.vc": [[123, 154]], "Indicator: TrojanDownloader.Paph.ds": [[155, 179]], "Indicator: Trojan[Downloader]/Win32.Betload": [[180, 212]], "Indicator: Trojan.Jaike.DD8D": [[213, 230]], "Indicator: Troj.W32.Inject.tnKf": [[231, 251]], "Indicator: Trojan-Downloader.Win32.Moure": [[288, 317]], "Indicator: Trj/CI.A": [[318, 326]]}, "info": {"id": "cyner2_5class_train_02902", "source": "cyner2_5class_train"}} +{"text": "We previously reported on SamSam ransomware charging high ransoms for infected servers.", "spans": {"Malware: SamSam ransomware": [[26, 43]], "System: infected servers.": [[70, 87]]}, "info": {"id": "cyner2_5class_train_02903", "source": "cyner2_5class_train"}} +{"text": "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware .", "spans": {}, "info": {"id": "cyner2_5class_train_02904", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.S_Gamma.Trojan Trojan/W32.Obfuscated.770368 Trojan.Win32.Obfuscated!O Trojan.VBCrypt.MF.137 WORM_IRCBOT.BXN Win32.Worm.VB.rx W32/VB.Worm.A W32.Mibling Win32/Malinbot.A WORM_IRCBOT.BXN Trojan.Win32.Obfuscated.aiiz Trojan.Win32.Obfuscated.700736 Troj.W32.Obfuscated.l2p6 Trojan.Click.43851 BehavesLike.Win32.Ramnit.bc W32/VB.Worm.A 
Worm:Win32/Lamin.A Worm:Win32/Lamin.A Trojan.Win32.Obfuscated.aiiz Trojan.Obfuscator Trj/Dropper.AJT Win32/VB.NRJ Trojan.Obfuscated.AHVV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.S_Gamma.Trojan": [[26, 44]], "Indicator: Trojan/W32.Obfuscated.770368": [[45, 73]], "Indicator: Trojan.Win32.Obfuscated!O": [[74, 99]], "Indicator: Trojan.VBCrypt.MF.137": [[100, 121]], "Indicator: WORM_IRCBOT.BXN": [[122, 137], [198, 213]], "Indicator: Win32.Worm.VB.rx": [[138, 154]], "Indicator: W32/VB.Worm.A": [[155, 168], [346, 359]], "Indicator: W32.Mibling": [[169, 180]], "Indicator: Win32/Malinbot.A": [[181, 197]], "Indicator: Trojan.Win32.Obfuscated.aiiz": [[214, 242], [398, 426]], "Indicator: Trojan.Win32.Obfuscated.700736": [[243, 273]], "Indicator: Troj.W32.Obfuscated.l2p6": [[274, 298]], "Indicator: Trojan.Click.43851": [[299, 317]], "Indicator: BehavesLike.Win32.Ramnit.bc": [[318, 345]], "Indicator: Worm:Win32/Lamin.A": [[360, 378], [379, 397]], "Indicator: Trojan.Obfuscator": [[427, 444]], "Indicator: Trj/Dropper.AJT": [[445, 460]], "Indicator: Win32/VB.NRJ": [[461, 473]], "Indicator: Trojan.Obfuscated.AHVV": [[474, 496]]}, "info": {"id": "cyner2_5class_train_02905", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/PSW.Katalog Trojan-PWS/W32.Katalog.61440 Trojan/PSW.Katalog Trojan.PWS.Katalog!pK2Uo9nMTKQ TROJ_KATALOG.A Trojan-PSW.Win32.Katalog Trojan.Win32.Katalog-Psw.fjsg Trojan.Win32.A.PSW-Katalog.61440[h] TrojWare.Win32.PSW.Katalog TROJ_KATALOG.A W32/Trojan.XHBZ-0001 Trojan/PSW.Katalog TR/Katalog.PSW W32/Katalog.A!tr.pws Trojan[PSW]/Win32.Katalog Win32.Troj.pswKatalog.kcloud Downloader/Win32.VB TrojanPSW.Katalog Trj/PSW.Katalog Trojan.Win32.InfoStealer.Ahg Win32/Trojan.PSW.b74", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/PSW.Katalog": [[26, 43]], "Indicator: Trojan-PWS/W32.Katalog.61440": [[44, 72]], "Indicator: Trojan/PSW.Katalog": [[73, 91], [292, 310]], "Indicator: Trojan.PWS.Katalog!pK2Uo9nMTKQ": [[92, 
122]], "Indicator: TROJ_KATALOG.A": [[123, 137], [256, 270]], "Indicator: Trojan-PSW.Win32.Katalog": [[138, 162]], "Indicator: Trojan.Win32.Katalog-Psw.fjsg": [[163, 192]], "Indicator: Trojan.Win32.A.PSW-Katalog.61440[h]": [[193, 228]], "Indicator: TrojWare.Win32.PSW.Katalog": [[229, 255]], "Indicator: W32/Trojan.XHBZ-0001": [[271, 291]], "Indicator: TR/Katalog.PSW": [[311, 325]], "Indicator: W32/Katalog.A!tr.pws": [[326, 346]], "Indicator: Trojan[PSW]/Win32.Katalog": [[347, 372]], "Indicator: Win32.Troj.pswKatalog.kcloud": [[373, 401]], "Indicator: Downloader/Win32.VB": [[402, 421]], "Indicator: TrojanPSW.Katalog": [[422, 439]], "Indicator: Trj/PSW.Katalog": [[440, 455]], "Indicator: Trojan.Win32.InfoStealer.Ahg": [[456, 484]], "Indicator: Win32/Trojan.PSW.b74": [[485, 505]]}, "info": {"id": "cyner2_5class_train_02906", "source": "cyner2_5class_train"}} +{"text": "The Dark Power ransomware gang is new on the block, and is trying to make a name for itself.", "spans": {}, "info": {"id": "cyner2_5class_train_02907", "source": "cyner2_5class_train"}} +{"text": "The description is based on analysis of the sample described in Table 3 below , which was of interest given its C2 domain mefound [ .", "spans": {"Indicator: domain mefound [ .": [[115, 133]]}, "info": {"id": "cyner2_5class_train_02908", "source": "cyner2_5class_train"}} +{"text": "The collection of basic device information .", "spans": {}, "info": {"id": "cyner2_5class_train_02909", "source": "cyner2_5class_train"}} +{"text": "] 141 2020-04-26 In the course of the investigation , the team discovered a potential link to an additional Android infostealer .", "spans": {"Malware: Android infostealer": [[108, 127]]}, "info": {"id": "cyner2_5class_train_02910", "source": "cyner2_5class_train"}} +{"text": "During patching , the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip .", "spans": {"Indicator: /system/bin/ip": [[115, 129]]}, "info": {"id": 
"cyner2_5class_train_02911", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Dropper.Grizl.kp W32/Dropper.ANGS Infostealer.Gampass TSPY_ONLINEG.SMA Trojan-GameThief.Win32.Lmir!IK TrojWare.Win32.PSW.OnLineGames.NYT0 Trojan.PWS.Gamania.22629 TSPY_ONLINEG.SMA TrojanDropper:Win32/Lolyda.F W32/Dropper.ANGS Trojan/Win32.Lmir TrojanPSW.Lmir.jfz Win32/PSW.OnLineGames.NYT Trojan.PSW.Win32.GameOnline.gcv Trojan-GameThief.Win32.Lmir W32/Grizl.GA!tr.dldr PSW.OnlineGames3.WPS Trj/Krap.Y", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Dropper.Grizl.kp": [[26, 49]], "Indicator: W32/Dropper.ANGS": [[50, 66], [242, 258]], "Indicator: Infostealer.Gampass": [[67, 86]], "Indicator: TSPY_ONLINEG.SMA": [[87, 103], [196, 212]], "Indicator: Trojan-GameThief.Win32.Lmir!IK": [[104, 134]], "Indicator: TrojWare.Win32.PSW.OnLineGames.NYT0": [[135, 170]], "Indicator: Trojan.PWS.Gamania.22629": [[171, 195]], "Indicator: TrojanDropper:Win32/Lolyda.F": [[213, 241]], "Indicator: Trojan/Win32.Lmir": [[259, 276]], "Indicator: TrojanPSW.Lmir.jfz": [[277, 295]], "Indicator: Win32/PSW.OnLineGames.NYT": [[296, 321]], "Indicator: Trojan.PSW.Win32.GameOnline.gcv": [[322, 353]], "Indicator: Trojan-GameThief.Win32.Lmir": [[354, 381]], "Indicator: W32/Grizl.GA!tr.dldr": [[382, 402]], "Indicator: PSW.OnlineGames3.WPS": [[403, 423]], "Indicator: Trj/Krap.Y": [[424, 434]]}, "info": {"id": "cyner2_5class_train_02912", "source": "cyner2_5class_train"}} +{"text": "] com also resolved to the same IP address , suggesting that these two domains are associated with the same threat actors .", "spans": {}, "info": {"id": "cyner2_5class_train_02913", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.BHE Ransom.Petya.S19638 Trojan.Ransom.BHE W32/GoldenEye.SONR-5498 Ransom.Goldeneye Ransom_PETYA.SM1 Trojan.Ransom.BHE Trojan.Win32.MBRlock.epgnaf Trojan.Ransom.BHE Trojan.MBRlock.265 Trojan-Ransom.GoldenEye W32/GoldenEye.D Trojan.DiskWriter.bp 
W32/Petya.D!tr.ransom Trojan.Ransom.BHE Trojan/Win32.Petr.C1697437 Trojan.Ransom.BHE Ransom.Petya Trojan.Petya Hoax.Petr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.BHE": [[26, 43], [64, 81], [140, 157], [186, 203], [306, 323], [351, 368]], "Indicator: Ransom.Petya.S19638": [[44, 63]], "Indicator: W32/GoldenEye.SONR-5498": [[82, 105]], "Indicator: Ransom.Goldeneye": [[106, 122]], "Indicator: Ransom_PETYA.SM1": [[123, 139]], "Indicator: Trojan.Win32.MBRlock.epgnaf": [[158, 185]], "Indicator: Trojan.MBRlock.265": [[204, 222]], "Indicator: Trojan-Ransom.GoldenEye": [[223, 246]], "Indicator: W32/GoldenEye.D": [[247, 262]], "Indicator: Trojan.DiskWriter.bp": [[263, 283]], "Indicator: W32/Petya.D!tr.ransom": [[284, 305]], "Indicator: Trojan/Win32.Petr.C1697437": [[324, 350]], "Indicator: Ransom.Petya": [[369, 381]], "Indicator: Trojan.Petya": [[382, 394]], "Indicator: Hoax.Petr": [[395, 404]]}, "info": {"id": "cyner2_5class_train_02914", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.AB21 Trojan-Downloader.Win32.Firu!O Troj.Downloader.W32!c Trojan/Downloader.Firu.bp Win32.Trojan.WisdomEyes.16070401.9500.9958 Trojan-Downloader.Win32.Firu.bp Trojan.Packed.418 BehavesLike.Win32.Dropper.mc Trojan-Downloader.Win32.Firu.bp W32/Trojan.BNRM-7642 TrojanDownloader.Firu.t Trojan:Win32/Bohmini.A Trojan-Downloader.Win32.Firu.bp Trojan/Win32.Xema.C57004 TrojanDownloader.Firu Trj/Downloader.VMH Win32.Trojan-downloader.Firu.Tcmb Win32/Trojan.Downloader.d1e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.AB21": [[26, 42]], "Indicator: Trojan-Downloader.Win32.Firu!O": [[43, 73]], "Indicator: Troj.Downloader.W32!c": [[74, 95]], "Indicator: Trojan/Downloader.Firu.bp": [[96, 121]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9958": [[122, 164]], "Indicator: Trojan-Downloader.Win32.Firu.bp": [[165, 196], [244, 275], [344, 375]], "Indicator: Trojan.Packed.418": [[197, 214]], "Indicator: 
BehavesLike.Win32.Dropper.mc": [[215, 243]], "Indicator: W32/Trojan.BNRM-7642": [[276, 296]], "Indicator: TrojanDownloader.Firu.t": [[297, 320]], "Indicator: Trojan:Win32/Bohmini.A": [[321, 343]], "Indicator: Trojan/Win32.Xema.C57004": [[376, 400]], "Indicator: TrojanDownloader.Firu": [[401, 422]], "Indicator: Trj/Downloader.VMH": [[423, 441]], "Indicator: Win32.Trojan-downloader.Firu.Tcmb": [[442, 475]], "Indicator: Win32/Trojan.Downloader.d1e": [[476, 503]]}, "info": {"id": "cyner2_5class_train_02915", "source": "cyner2_5class_train"}} +{"text": "Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant.", "spans": {"Indicator: attack": [[27, 33]], "System: PowerShell": [[40, 50]], "Vulnerability: abused": [[55, 61]], "Malware: FAREIT variant.": [[75, 90]]}, "info": {"id": "cyner2_5class_train_02916", "source": "cyner2_5class_train"}} +{"text": "] it Catania server1fermo.exodus.connexxa [ .", "spans": {"Indicator: server1fermo.exodus.connexxa [ .": [[13, 45]]}, "info": {"id": "cyner2_5class_train_02917", "source": "cyner2_5class_train"}} +{"text": "The newly discovered samples show new capabilities not previously documented.", "spans": {}, "info": {"id": "cyner2_5class_train_02918", "source": "cyner2_5class_train"}} +{"text": "It is not common to use this program to distribute malware , although there have been past cases where malware authors have done so .", "spans": {}, "info": {"id": "cyner2_5class_train_02919", "source": "cyner2_5class_train"}} +{"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( “ call ” ) – This means that the notification is built as a very important notification that needs special privilege .", "spans": {}, "info": {"id": "cyner2_5class_train_02920", "source": "cyner2_5class_train"}} +{"text": "What is most interesting about this group's more recent activity however, is their focus on users of encryption tools, peaking this summer.", 
"spans": {"Malware: encryption tools,": [[101, 118]]}, "info": {"id": "cyner2_5class_train_02921", "source": "cyner2_5class_train"}} +{"text": "Using intel from this research , we have made Office 365 ATP more resistant to FinFisher ’ s anti-sandbox checks .", "spans": {"System: Office 365 ATP": [[46, 60]], "Malware: FinFisher": [[79, 88]]}, "info": {"id": "cyner2_5class_train_02922", "source": "cyner2_5class_train"}} +{"text": "Once the malware is installed on the victim's device, it opens a back door, collects a list of system-specific information, and sends it to the command and control C&C server to register the device and then get a unique identifier for the infected device.", "spans": {"Malware: malware": [[9, 16]], "System: victim's device,": [[37, 53]], "Malware: back door,": [[65, 75]], "Indicator: system-specific information,": [[95, 123]], "Indicator: command and control C&C server": [[144, 174]], "System: the device": [[187, 197]], "Indicator: unique identifier": [[213, 230]], "System: the infected device.": [[235, 255]]}, "info": {"id": "cyner2_5class_train_02923", "source": "cyner2_5class_train"}} +{"text": "We believe the use of the Retadup malware family is limited to a very small set of threat actors.", "spans": {"Malware: Retadup malware family": [[26, 48]]}, "info": {"id": "cyner2_5class_train_02924", "source": "cyner2_5class_train"}} +{"text": "On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry.", "spans": {"System: honeypots": [[16, 25]], "Indicator: attack": [[45, 51]], "Vulnerability: vulnerability,": [[83, 97]], "Malware: payload": [[106, 113]], "Malware: exploit": [[122, 129]], "Malware: Trojan-Crypt": [[161, 173]], "Malware: EternalBlue": [[183, 194]], "Malware: WannaCry.": [[199, 208]]}, "info": {"id": "cyner2_5class_train_02925", "source": "cyner2_5class_train"}} +{"text": "Generally 
, after an application gets banned from an official app store , such as Google Play , users try to find alternative ways to download the app .", "spans": {"System: Google Play": [[82, 93]]}, "info": {"id": "cyner2_5class_train_02926", "source": "cyner2_5class_train"}} +{"text": "Conclusion Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features ( such as RAT , RAT with ATS ( Automated Transaction Script ) , back-connect proxy , media streaming ) , or providing an exhaustive target list , Cerberus should not be taken lightly .", "spans": {"System: Android": [[91, 98]], "Malware: Cerberus": [[270, 278]]}, "info": {"id": "cyner2_5class_train_02927", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Rogue.bjbo W32/Trojan.AMVM-7843 TR/Rogue.7932483 Trojan.Graftor.DBF88 Backdoor/Win32.Etso.R61020 Trojan.Win32.Webprefix Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Rogue.bjbo": [[26, 49]], "Indicator: W32/Trojan.AMVM-7843": [[50, 70]], "Indicator: TR/Rogue.7932483": [[71, 87]], "Indicator: Trojan.Graftor.DBF88": [[88, 108]], "Indicator: Backdoor/Win32.Etso.R61020": [[109, 135]], "Indicator: Trojan.Win32.Webprefix": [[136, 158]], "Indicator: Win32/Trojan.Multi.daf": [[159, 181]]}, "info": {"id": "cyner2_5class_train_02928", "source": "cyner2_5class_train"}} +{"text": "The Carbanak team does not just blindly compromise large numbers of computers and try to milk the cow' as other actors do, instead they act like a mature APT-group.", "spans": {"System: computers": [[68, 77]]}, "info": {"id": "cyner2_5class_train_02929", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9831 Bloodhound.Gampass.E Trojan.Win32.Patched.ox Trojan.Win32.PatchedDll.C BehavesLike.Win32.BadFile.cm Virus.Win32.Crypted Trojan/PSW.OnLineGames.ckdm Trojan/Win32.Patched.ox PWS:Win32/Cuepilini.A 
Trojan.Win32.Patched.ox Trojan.Win32.Patched.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9831": [[26, 68]], "Indicator: Bloodhound.Gampass.E": [[69, 89]], "Indicator: Trojan.Win32.Patched.ox": [[90, 113], [263, 286]], "Indicator: Trojan.Win32.PatchedDll.C": [[114, 139]], "Indicator: BehavesLike.Win32.BadFile.cm": [[140, 168]], "Indicator: Virus.Win32.Crypted": [[169, 188]], "Indicator: Trojan/PSW.OnLineGames.ckdm": [[189, 216]], "Indicator: Trojan/Win32.Patched.ox": [[217, 240]], "Indicator: PWS:Win32/Cuepilini.A": [[241, 262]], "Indicator: Trojan.Win32.Patched.b": [[287, 309]]}, "info": {"id": "cyner2_5class_train_02930", "source": "cyner2_5class_train"}} +{"text": "Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.", "spans": {"Organization: VirusTotal": [[9, 19]], "Indicator: malicious documents content,": [[29, 57]], "Organization: victims": [[68, 75]], "Organization: organizations": [[93, 106]]}, "info": {"id": "cyner2_5class_train_02931", "source": "cyner2_5class_train"}} +{"text": "It includes information about the smartphone model , the OS version , the mobile operator , and the Trojan version .", "spans": {}, "info": {"id": "cyner2_5class_train_02932", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Jorik.Crix!O Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan.Win32.Dwn.sbard Trojan.Win32.A.Inject.129544 Trojan.DownLoader5.50729 Win32.Malware Trojan/Lebag.auv TrojanDownloader:Win32/Beshades.A Trojan/Win32.Inject.R29920 BScope.Malware-Cryptor.4112 Trj/CI.A Trojan.DL.Injecter!F6PQPalmepA W32/Injecter.AA!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Jorik.Crix!O": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[52, 94]], "Indicator: Trojan.Win32.Dwn.sbard": [[95, 117]], 
"Indicator: Trojan.Win32.A.Inject.129544": [[118, 146]], "Indicator: Trojan.DownLoader5.50729": [[147, 171]], "Indicator: Win32.Malware": [[172, 185]], "Indicator: Trojan/Lebag.auv": [[186, 202]], "Indicator: TrojanDownloader:Win32/Beshades.A": [[203, 236]], "Indicator: Trojan/Win32.Inject.R29920": [[237, 263]], "Indicator: BScope.Malware-Cryptor.4112": [[264, 291]], "Indicator: Trj/CI.A": [[292, 300]], "Indicator: Trojan.DL.Injecter!F6PQPalmepA": [[301, 331]], "Indicator: W32/Injecter.AA!tr.dldr": [[332, 355]]}, "info": {"id": "cyner2_5class_train_02933", "source": "cyner2_5class_train"}} +{"text": "xDedic is a trading platform where cybercriminals can purchase any of over 70,000 hacked servers from all around the internet.", "spans": {"System: hacked servers": [[82, 96]]}, "info": {"id": "cyner2_5class_train_02934", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9889 Trojan.Sniff BehavesLike.Win32.BadFile.mc PWS:Win32/Finsgra.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9889": [[26, 68]], "Indicator: Trojan.Sniff": [[69, 81]], "Indicator: BehavesLike.Win32.BadFile.mc": [[82, 110]], "Indicator: PWS:Win32/Finsgra.A": [[111, 130]]}, "info": {"id": "cyner2_5class_train_02935", "source": "cyner2_5class_train"}} +{"text": "Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Bookworm": [[67, 75]], "Indicator: attacks": [[115, 122]], "Organization: government": [[151, 161]]}, "info": {"id": "cyner2_5class_train_02936", "source": "cyner2_5class_train"}} +{"text": "Sending information about the affected device The app receives configuration data from the C & C server , needed for displaying ads , and for stealth and resilience .", "spans": {}, "info": {"id": 
"cyner2_5class_train_02937", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Elitespyz.A Backdoor/W32.EliteSpyz.1687552 Backdoor.Elitespyz Backdoor.Elitespyz.A Backdoor.Elitespyz.A W32/Risk.FRAF-2715 Backdoor.Trojan BKDR_ELITESPYZ.A Backdoor.Elitespyz.A Backdoor.Win32.EliteSpyz.4 Backdoor.Elitespyz.A Trojan.Win32.EliteSpyz.dgpj Backdoor.Win32.EliteSpyz.1687552 Backdoor.W32.EliteSpyz.4!c Backdoor.Elitespyz.A Backdoor.Win32.EliteSpyz.04 Backdoor.Elitespyz.A BackDoor.EliteSpyz.4 Backdoor.EliteSpyz.Win32.1 BKDR_ELITESPYZ.A Trojan.Win32.Elitespyz Backdoor/EliteSpyz.4 W32.Hack.Tool BDS/EliteSpyz.4 Trojan[Backdoor]/Win32.EliteSpyz Backdoor.Win32.EliteSpyz.4 Backdoor.EliteSpyz Win32/EliteSpyz.04 Win32.Backdoor.Elitespyz.Wrgi Backdoor.EliteSpyz!8lwaYNdDuBo W32/EliteSpy.A!tr.bdr Win32/Backdoor.Spy.754", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Elitespyz.A": [[26, 46], [97, 117], [118, 138], [191, 211], [239, 259], [348, 368], [397, 417]], "Indicator: Backdoor/W32.EliteSpyz.1687552": [[47, 77]], "Indicator: Backdoor.Elitespyz": [[78, 96]], "Indicator: W32/Risk.FRAF-2715": [[139, 157]], "Indicator: Backdoor.Trojan": [[158, 173]], "Indicator: BKDR_ELITESPYZ.A": [[174, 190], [466, 482]], "Indicator: Backdoor.Win32.EliteSpyz.4": [[212, 238], [590, 616]], "Indicator: Trojan.Win32.EliteSpyz.dgpj": [[260, 287]], "Indicator: Backdoor.Win32.EliteSpyz.1687552": [[288, 320]], "Indicator: Backdoor.W32.EliteSpyz.4!c": [[321, 347]], "Indicator: Backdoor.Win32.EliteSpyz.04": [[369, 396]], "Indicator: BackDoor.EliteSpyz.4": [[418, 438]], "Indicator: Backdoor.EliteSpyz.Win32.1": [[439, 465]], "Indicator: Trojan.Win32.Elitespyz": [[483, 505]], "Indicator: Backdoor/EliteSpyz.4": [[506, 526]], "Indicator: W32.Hack.Tool": [[527, 540]], "Indicator: BDS/EliteSpyz.4": [[541, 556]], "Indicator: Trojan[Backdoor]/Win32.EliteSpyz": [[557, 589]], "Indicator: Backdoor.EliteSpyz": [[617, 635]], "Indicator: Win32/EliteSpyz.04": [[636, 654]], "Indicator: 
Win32.Backdoor.Elitespyz.Wrgi": [[655, 684]], "Indicator: Backdoor.EliteSpyz!8lwaYNdDuBo": [[685, 715]], "Indicator: W32/EliteSpy.A!tr.bdr": [[716, 737]], "Indicator: Win32/Backdoor.Spy.754": [[738, 760]]}, "info": {"id": "cyner2_5class_train_02938", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Uncrre TR/RedCap.wfhca Trojan.Win32.Z.Uncrre.3584 Trojan:Win32/Uncrre.A Trojan.Win32.Uncrre Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Uncrre": [[26, 39]], "Indicator: TR/RedCap.wfhca": [[40, 55]], "Indicator: Trojan.Win32.Z.Uncrre.3584": [[56, 82]], "Indicator: Trojan:Win32/Uncrre.A": [[83, 104]], "Indicator: Trojan.Win32.Uncrre": [[105, 124]], "Indicator: Trj/GdSda.A": [[125, 136]]}, "info": {"id": "cyner2_5class_train_02939", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Ruskill.143360 Backdoor.Win32.Ruskill!O Worm.Ainslot.A Backdoor.Ruskill.Win32.42 Backdoor.W32.Ruskill.fi!c Backdoor/Ruskill.fi TROJ_DROPR.SMIO Worm.Win32.Ngrbot.dfk Trojan.Win32.StartPage.cjvsv Trojan.Win32.Menti.98304 TrojWare.Win32.Injector.GWW BackDoor.IRC.Bot.892 TROJ_DROPR.SMIO Trojan.Win32.Buzus Backdoor/Ruskill.da W32/Injector.HCR!tr Worm/Win32.Ngrbot Worm.Win32.Ngrbot.dfk Worm/Win32.AutoRun.R6237 Worm.Ngrbot Win32.Trojan.Inject.Auto Backdoor.Ruskill!/ah4op3yVOE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Ruskill.143360": [[26, 53]], "Indicator: Backdoor.Win32.Ruskill!O": [[54, 78]], "Indicator: Worm.Ainslot.A": [[79, 93]], "Indicator: Backdoor.Ruskill.Win32.42": [[94, 119]], "Indicator: Backdoor.W32.Ruskill.fi!c": [[120, 145]], "Indicator: Backdoor/Ruskill.fi": [[146, 165]], "Indicator: TROJ_DROPR.SMIO": [[166, 181], [307, 322]], "Indicator: Worm.Win32.Ngrbot.dfk": [[182, 203], [400, 421]], "Indicator: Trojan.Win32.StartPage.cjvsv": [[204, 232]], "Indicator: Trojan.Win32.Menti.98304": [[233, 257]], "Indicator: TrojWare.Win32.Injector.GWW": [[258, 285]], "Indicator: 
BackDoor.IRC.Bot.892": [[286, 306]], "Indicator: Trojan.Win32.Buzus": [[323, 341]], "Indicator: Backdoor/Ruskill.da": [[342, 361]], "Indicator: W32/Injector.HCR!tr": [[362, 381]], "Indicator: Worm/Win32.Ngrbot": [[382, 399]], "Indicator: Worm/Win32.AutoRun.R6237": [[422, 446]], "Indicator: Worm.Ngrbot": [[447, 458]], "Indicator: Win32.Trojan.Inject.Auto": [[459, 483]], "Indicator: Backdoor.Ruskill!/ah4op3yVOE": [[484, 512]]}, "info": {"id": "cyner2_5class_train_02940", "source": "cyner2_5class_train"}} +{"text": "Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant.", "spans": {"Indicator: compromised": [[57, 68]], "Organization: U.S.": [[69, 73]], "Organization: international organizations": [[78, 105]], "Malware: Royal ransomware": [[113, 129]]}, "info": {"id": "cyner2_5class_train_02941", "source": "cyner2_5class_train"}} +{"text": "The new payload is decrypted , remapped , and executed in memory , and represents the installation and persistence stage of the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_02942", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Dropper.H W97M.Dropper.CB W97M/Dropper.m Troj.Downloader.Msword!c W97M/Dropexe.A W97M.Dropper.H W97M.Dropper.H W97M.Dropper.H W97M.Dropper.H W97M/Dropper.m W97M/Dropexe.A HEUR/Macro.Dropper HEUR.VBA.Trojan.d W97M.Dropper.H macro.ole.encodedownload.f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Dropper.H": [[26, 40], [112, 126], [127, 141], [142, 156], [157, 171], [239, 253]], "Indicator: W97M.Dropper.CB": [[41, 56]], "Indicator: W97M/Dropper.m": [[57, 71], [172, 186]], "Indicator: Troj.Downloader.Msword!c": [[72, 96]], "Indicator: W97M/Dropexe.A": [[97, 111], [187, 201]], "Indicator: HEUR/Macro.Dropper": [[202, 220]], "Indicator: HEUR.VBA.Trojan.d": [[221, 238]], "Indicator: macro.ole.encodedownload.f": [[254, 280]]}, "info": {"id": "cyner2_5class_train_02943", 
"source": "cyner2_5class_train"}} +{"text": "In all cases , the ads are used to convince users to install other apps from different developer accounts , but written by the same group .", "spans": {}, "info": {"id": "cyner2_5class_train_02944", "source": "cyner2_5class_train"}} +{"text": "It has outlived several competitors including Zeus, and SpyEye.", "spans": {"Malware: Zeus,": [[46, 51]], "Malware: SpyEye.": [[56, 63]]}, "info": {"id": "cyner2_5class_train_02945", "source": "cyner2_5class_train"}} +{"text": "Dyre employed the spambot Gophe to send thousands of randomized documents hashes and file names per spam campaign", "spans": {"Malware: Dyre": [[0, 4]], "Malware: spambot Gophe": [[18, 31]], "Indicator: send thousands of randomized documents": [[35, 73]]}, "info": {"id": "cyner2_5class_train_02946", "source": "cyner2_5class_train"}} +{"text": "Throughout 2015 and 2016, Android banking Trojans were primarily distributed outside the Google Play Store by using SMSishing, phishing e-mails and rogue websites, often dropping APKs related to Adobe Flash Player.", "spans": {"Malware: Android banking Trojans": [[26, 49]], "System: the Google Play Store": [[85, 106]], "Indicator: SMSishing, phishing e-mails": [[116, 143]], "Indicator: rogue websites,": [[148, 163]], "System: APKs": [[179, 183]], "System: Adobe Flash Player.": [[195, 214]]}, "info": {"id": "cyner2_5class_train_02947", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9935 TrojanDownloader:Win32/Leodon.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9935": [[26, 68]], "Indicator: TrojanDownloader:Win32/Leodon.D": [[69, 100]]}, "info": {"id": "cyner2_5class_train_02948", "source": "cyner2_5class_train"}} +{"text": "On June 14th, 2017, a new variant of ZXShell appears to have been uploaded from the Marmara region of Turkey.", "spans": {"Malware: variant": [[26, 33]], "Malware: ZXShell": [[37, 44]]}, 
"info": {"id": "cyner2_5class_train_02949", "source": "cyner2_5class_train"}} +{"text": "BootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always running .", "spans": {}, "info": {"id": "cyner2_5class_train_02950", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D3E075 Trojan.MSIL.Crypt.gbqy BehavesLike.Win32.Trojan.gc Trojan.MSIL.Crypt TR/Kryptik.psxte Backdoor:Win32/Dodiw.A Trojan.MSIL.Crypt.gbqy Trj/GdSda.A MSIL/Kryptik.MQQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D3E075": [[26, 44]], "Indicator: Trojan.MSIL.Crypt.gbqy": [[45, 67], [154, 176]], "Indicator: BehavesLike.Win32.Trojan.gc": [[68, 95]], "Indicator: Trojan.MSIL.Crypt": [[96, 113]], "Indicator: TR/Kryptik.psxte": [[114, 130]], "Indicator: Backdoor:Win32/Dodiw.A": [[131, 153]], "Indicator: Trj/GdSda.A": [[177, 188]], "Indicator: MSIL/Kryptik.MQQ!tr": [[189, 208]]}, "info": {"id": "cyner2_5class_train_02951", "source": "cyner2_5class_train"}} +{"text": "Tick also uses a range of hacktools to map the victim's network and attempt to escalate privileges further.", "spans": {"Malware: hacktools": [[26, 35]], "Indicator: map the victim's network": [[39, 63]], "Indicator: escalate privileges": [[79, 98]]}, "info": {"id": "cyner2_5class_train_02952", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.KrServ.rq Trojan.Win32.JackServn.exlgil Trojan.Win32.Z.Jackservn.306688 Trojan.DownLoader26.11701 Trojan.Win64.Jackservn TR/JackServn.sphdt Trojan.Downloader.184 Trojan.Win32.KrServ.rq Trj/CI.A W32/JackServn.K!tr Win32/Trojan.Downloader.369", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[26, 68]], "Indicator: Trojan.Win32.KrServ.rq": [[69, 91], [244, 266]], "Indicator: Trojan.Win32.JackServn.exlgil": [[92, 121]], "Indicator: Trojan.Win32.Z.Jackservn.306688": [[122, 
153]], "Indicator: Trojan.DownLoader26.11701": [[154, 179]], "Indicator: Trojan.Win64.Jackservn": [[180, 202]], "Indicator: TR/JackServn.sphdt": [[203, 221]], "Indicator: Trojan.Downloader.184": [[222, 243]], "Indicator: Trj/CI.A": [[267, 275]], "Indicator: W32/JackServn.K!tr": [[276, 294]], "Indicator: Win32/Trojan.Downloader.369": [[295, 322]]}, "info": {"id": "cyner2_5class_train_02953", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodeb4.Trojan.8496 Trojan/W32.Scar.350208.E W32/Autorun.worm.bcd Worm.Autorun Trojan/Scar.dyfr W32/MalwareS.BDRB W32.Huanot Virut.A[gs] Win32/Huanot.A WORM_HUANOT.SMIA Trojan.Scar-846 Trojan.Win32.Scar.bvisc Trojan.Win32.A.Scar.350208 Trojan.Copyself.101 TR/Scar.ccwl WORM_HUANOT.SMIA W32/Autorun.worm.bcd Trojan/Scar.pkp Worm:Win32/Huanot.A Trojan/Win32.Scar W32/Risk.JTAZ-7050 Virus.Win32.Heur.l W32/Autorun.JXD PE:Malware.FakeFolder@CV!1.6AA9 Worm.Win32.Huanot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodeb4.Trojan.8496": [[26, 49]], "Indicator: Trojan/W32.Scar.350208.E": [[50, 74]], "Indicator: W32/Autorun.worm.bcd": [[75, 95], [316, 336]], "Indicator: Worm.Autorun": [[96, 108]], "Indicator: Trojan/Scar.dyfr": [[109, 125]], "Indicator: W32/MalwareS.BDRB": [[126, 143]], "Indicator: W32.Huanot": [[144, 154]], "Indicator: Virut.A[gs]": [[155, 166]], "Indicator: Win32/Huanot.A": [[167, 181]], "Indicator: WORM_HUANOT.SMIA": [[182, 198], [299, 315]], "Indicator: Trojan.Scar-846": [[199, 214]], "Indicator: Trojan.Win32.Scar.bvisc": [[215, 238]], "Indicator: Trojan.Win32.A.Scar.350208": [[239, 265]], "Indicator: Trojan.Copyself.101": [[266, 285]], "Indicator: TR/Scar.ccwl": [[286, 298]], "Indicator: Trojan/Scar.pkp": [[337, 352]], "Indicator: Worm:Win32/Huanot.A": [[353, 372]], "Indicator: Trojan/Win32.Scar": [[373, 390]], "Indicator: W32/Risk.JTAZ-7050": [[391, 409]], "Indicator: Virus.Win32.Heur.l": [[410, 428]], "Indicator: W32/Autorun.JXD": [[429, 444]], "Indicator: 
PE:Malware.FakeFolder@CV!1.6AA9": [[445, 476]], "Indicator: Worm.Win32.Huanot": [[477, 494]]}, "info": {"id": "cyner2_5class_train_02954", "source": "cyner2_5class_train"}} +{"text": "New versions of FakeSpy masquerade as government post office apps and transportation services apps .", "spans": {"Malware: FakeSpy": [[16, 23]]}, "info": {"id": "cyner2_5class_train_02955", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Virut.Cur1 W32/Manex.worm Trojan.Zusy.D62E9 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.BBXI Win.Trojan.Cosmu-1044 Trojan.Win32.Scar.ojal Trojan.Win32.AutoRun.cgsnz Worm.Win32.A.AutoRun.310273 W32.W.AutoRun.cikl!c Win32.HLLW.Autoruner.27598 Trojan.Cosmu.Win32.3832 W32/Manex.worm W32/Risk.SOOH-5229 Trojan/Cosmu.dxm Trojan/Win32.Cosmu Worm:Win32/Vestgo.A Trojan.Win32.Scar.ojal HEUR/Fakon.mwf Worm.AutoRun Win32.Trojan.Scar.Dxwy Trojan.Scar!/4mh5woJZa8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.Cur1": [[26, 40]], "Indicator: W32/Manex.worm": [[41, 55], [306, 320]], "Indicator: Trojan.Zusy.D62E9": [[56, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[74, 116]], "Indicator: W32/Dropper.BBXI": [[117, 133]], "Indicator: Win.Trojan.Cosmu-1044": [[134, 155]], "Indicator: Trojan.Win32.Scar.ojal": [[156, 178], [396, 418]], "Indicator: Trojan.Win32.AutoRun.cgsnz": [[179, 205]], "Indicator: Worm.Win32.A.AutoRun.310273": [[206, 233]], "Indicator: W32.W.AutoRun.cikl!c": [[234, 254]], "Indicator: Win32.HLLW.Autoruner.27598": [[255, 281]], "Indicator: Trojan.Cosmu.Win32.3832": [[282, 305]], "Indicator: W32/Risk.SOOH-5229": [[321, 339]], "Indicator: Trojan/Cosmu.dxm": [[340, 356]], "Indicator: Trojan/Win32.Cosmu": [[357, 375]], "Indicator: Worm:Win32/Vestgo.A": [[376, 395]], "Indicator: HEUR/Fakon.mwf": [[419, 433]], "Indicator: Worm.AutoRun": [[434, 446]], "Indicator: Win32.Trojan.Scar.Dxwy": [[447, 469]], "Indicator: Trojan.Scar!/4mh5woJZa8": [[470, 493]]}, "info": {"id": 
"cyner2_5class_train_02956", "source": "cyner2_5class_train"}} +{"text": "] comfeteh-asefa [ .", "spans": {}, "info": {"id": "cyner2_5class_train_02957", "source": "cyner2_5class_train"}} +{"text": "Deutsche Post - Deutsche Post DHL Group , a German multinational package delivery and supply chain management company headquartered in Bonn .", "spans": {"Organization: Deutsche Post": [[0, 13]], "Organization: DHL Group": [[30, 39]]}, "info": {"id": "cyner2_5class_train_02958", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.CDB.C8b2 TrojanBanker.Banker.awoc Trojan.Win32.Banker.bdicvp W32/MalwareF.FQTI Infostealer.Bancos Trojan-Banker.Win32.Banker.awoc Trojan.PWS.Banker!/1rqiSjn+V4 TrojWare.Win32.Spy.Banker.awoc Trojan-Banker.Win32.Banker TR/Banker.Banker.awoc Trojan/Banker.Banker.kbj Trojan:Win32/Sawmabs.A W32/Risk.BGBM-2797 Trojan-GameThief.Magania Trj/Thed.E Win32/Spy.Delf.NZK Trojan-Banker.Win32.Banker W32/Banker.AWOC!tr PSW.Banker5.BFQR Trojan.Win32.Delf.amo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.CDB.C8b2": [[26, 39]], "Indicator: TrojanBanker.Banker.awoc": [[40, 64]], "Indicator: Trojan.Win32.Banker.bdicvp": [[65, 91]], "Indicator: W32/MalwareF.FQTI": [[92, 109]], "Indicator: Infostealer.Bancos": [[110, 128]], "Indicator: Trojan-Banker.Win32.Banker.awoc": [[129, 160]], "Indicator: Trojan.PWS.Banker!/1rqiSjn+V4": [[161, 190]], "Indicator: TrojWare.Win32.Spy.Banker.awoc": [[191, 221]], "Indicator: Trojan-Banker.Win32.Banker": [[222, 248], [393, 419]], "Indicator: TR/Banker.Banker.awoc": [[249, 270]], "Indicator: Trojan/Banker.Banker.kbj": [[271, 295]], "Indicator: Trojan:Win32/Sawmabs.A": [[296, 318]], "Indicator: W32/Risk.BGBM-2797": [[319, 337]], "Indicator: Trojan-GameThief.Magania": [[338, 362]], "Indicator: Trj/Thed.E": [[363, 373]], "Indicator: Win32/Spy.Delf.NZK": [[374, 392]], "Indicator: W32/Banker.AWOC!tr": [[420, 438]], "Indicator: PSW.Banker5.BFQR": [[439, 455]], "Indicator: Trojan.Win32.Delf.amo": 
[[456, 477]]}, "info": {"id": "cyner2_5class_train_02959", "source": "cyner2_5class_train"}} +{"text": "Infection During installation , depending on the version of the Trojan , Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService .", "spans": {"Malware: Asacub": [[73, 79]]}, "info": {"id": "cyner2_5class_train_02960", "source": "cyner2_5class_train"}} +{"text": "The attack against Anthem resulted in the largest known healthcare data breach to date, with 80 million patient records exposed.", "spans": {"Indicator: attack": [[4, 10]], "Organization: Anthem": [[19, 25]], "Indicator: healthcare data breach": [[56, 78]], "Indicator: patient records exposed.": [[104, 128]]}, "info": {"id": "cyner2_5class_train_02961", "source": "cyner2_5class_train"}} +{"text": "ITG08 also has gained initial access by targeting specific employees with LinkedIn and spear-phishing emails to deliver the More_eggs backdoor.", "spans": {"Organization: specific employees with LinkedIn": [[50, 82]], "Indicator: spear-phishing emails": [[87, 108]], "Malware: the More_eggs backdoor.": [[120, 143]]}, "info": {"id": "cyner2_5class_train_02962", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Constructor.Xploitzomshc.A Constructor/W32.XploitZomShc.253952 Hacktool.Zomshc Trojan/Constructor.XploitZomShc.a Trojan.Constructor.Xploitzomshc.A W32/TrojanX.GSC Construction.Kit Trojan.Constructor.Xploitzomshc.A Constructor.Win32.XploitZomShc.a Trojan.Constructor.Xploitzomshc.A Riskware.Win32.XploitZomShc.hrxx Constructor.XploitZomShc.253952 Constructor.W32.XploitZomShc.a!c Win32.Trojan.Xploitzomshc.Wqwm Trojan.Constructor.Xploitzomshc.A Trojan.Constructor.Xploitzomshc.A VirusConstructor.Shc Tool.XploitZomShc.Win32.1 BehavesLike.Win32.Dropper.dc Trojan.Constructor.Xploitzomshc W32/Trojan.KXHA-5736 Constructor.XploitZomShc.b W32.Hack.Tool KIT/XploitZomShc.A HackTool[Constructor]/Win32.XploitZomShc VTool.XploitZomShc.a.kcloud 
Constructor.Win32.XploitZomShc.a Trojan.Constructor.Xploitzomshc.A Constructor.XploitZomShc W32/XploitZomShc.A!tr Win32/Constructor.96c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Constructor.Xploitzomshc.A": [[26, 59], [146, 179], [213, 246], [280, 313], [443, 476], [477, 510], [802, 835]], "Indicator: Constructor/W32.XploitZomShc.253952": [[60, 95]], "Indicator: Hacktool.Zomshc": [[96, 111]], "Indicator: Trojan/Constructor.XploitZomShc.a": [[112, 145]], "Indicator: W32/TrojanX.GSC": [[180, 195]], "Indicator: Construction.Kit": [[196, 212]], "Indicator: Constructor.Win32.XploitZomShc.a": [[247, 279], [769, 801]], "Indicator: Riskware.Win32.XploitZomShc.hrxx": [[314, 346]], "Indicator: Constructor.XploitZomShc.253952": [[347, 378]], "Indicator: Constructor.W32.XploitZomShc.a!c": [[379, 411]], "Indicator: Win32.Trojan.Xploitzomshc.Wqwm": [[412, 442]], "Indicator: VirusConstructor.Shc": [[511, 531]], "Indicator: Tool.XploitZomShc.Win32.1": [[532, 557]], "Indicator: BehavesLike.Win32.Dropper.dc": [[558, 586]], "Indicator: Trojan.Constructor.Xploitzomshc": [[587, 618]], "Indicator: W32/Trojan.KXHA-5736": [[619, 639]], "Indicator: Constructor.XploitZomShc.b": [[640, 666]], "Indicator: W32.Hack.Tool": [[667, 680]], "Indicator: KIT/XploitZomShc.A": [[681, 699]], "Indicator: HackTool[Constructor]/Win32.XploitZomShc": [[700, 740]], "Indicator: VTool.XploitZomShc.a.kcloud": [[741, 768]], "Indicator: Constructor.XploitZomShc": [[836, 860]], "Indicator: W32/XploitZomShc.A!tr": [[861, 882]], "Indicator: Win32/Constructor.96c": [[883, 904]]}, "info": {"id": "cyner2_5class_train_02963", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9986 Trojan-Downloader.Win32.Hover2.n TrojWare.Win32.TrojanDownloader.Small.NZK Trojan.DownLoader.45214 Trojan-Downloader.Win32.Hover2.n Win32/TrojanDownloader.Small.NZK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": 
[[26, 68]], "Indicator: Trojan-Downloader.Win32.Hover2.n": [[69, 101], [168, 200]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.NZK": [[102, 143]], "Indicator: Trojan.DownLoader.45214": [[144, 167]], "Indicator: Win32/TrojanDownloader.Small.NZK": [[201, 233]]}, "info": {"id": "cyner2_5class_train_02964", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanSpy.MSIL.r3 Trojan.Dropper Troj.PSW.MSIL.NetPass Trojan/Clicker.nai TrojanSpy.KeyLogger!3foOCbTDOkQ Spyware.ADH MSIL/TrojanClicker.NAI Trojan.Msil-382 Trojan-Spy.MSIL.KeyLogger.bybj Trojan.Win32.NetPass.dcndda Msil.Trojan-spy.Keylogger.Lhxb Trojan.MulDrop1.48625 Trojan/PSW.MSIL.oy W32/Dx.SUK!tr Trojan[PSW]/MSIL.NetPass Trojan.MSIL.Krypt.1 Trojan/Win32.Infostealer TrojanClicker:MSIL/Lnkhit.A MSIL.TrojanClicker Virus.MSIL Trojan.MSIL.KeyLogger.bybj Win32/Trojan.bee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanSpy.MSIL.r3": [[26, 43]], "Indicator: Trojan.Dropper": [[44, 58]], "Indicator: Troj.PSW.MSIL.NetPass": [[59, 80]], "Indicator: Trojan/Clicker.nai": [[81, 99]], "Indicator: TrojanSpy.KeyLogger!3foOCbTDOkQ": [[100, 131]], "Indicator: Spyware.ADH": [[132, 143]], "Indicator: MSIL/TrojanClicker.NAI": [[144, 166]], "Indicator: Trojan.Msil-382": [[167, 182]], "Indicator: Trojan-Spy.MSIL.KeyLogger.bybj": [[183, 213]], "Indicator: Trojan.Win32.NetPass.dcndda": [[214, 241]], "Indicator: Msil.Trojan-spy.Keylogger.Lhxb": [[242, 272]], "Indicator: Trojan.MulDrop1.48625": [[273, 294]], "Indicator: Trojan/PSW.MSIL.oy": [[295, 313]], "Indicator: W32/Dx.SUK!tr": [[314, 327]], "Indicator: Trojan[PSW]/MSIL.NetPass": [[328, 352]], "Indicator: Trojan.MSIL.Krypt.1": [[353, 372]], "Indicator: Trojan/Win32.Infostealer": [[373, 397]], "Indicator: TrojanClicker:MSIL/Lnkhit.A": [[398, 425]], "Indicator: MSIL.TrojanClicker": [[426, 444]], "Indicator: Virus.MSIL": [[445, 455]], "Indicator: Trojan.MSIL.KeyLogger.bybj": [[456, 482]], "Indicator: Win32/Trojan.bee": [[483, 499]]}, "info": {"id": 
"cyner2_5class_train_02965", "source": "cyner2_5class_train"}} +{"text": "If the malware successfully became the default SMS app , it sends the words “ the app has been replaced ” in Russian .", "spans": {}, "info": {"id": "cyner2_5class_train_02966", "source": "cyner2_5class_train"}} +{"text": "Kill switches are used by many malware authors to remove traces from a device after a successful operation .", "spans": {}, "info": {"id": "cyner2_5class_train_02967", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win.Trojan.Shell-426 Backdoor:Win32/Sensode.G Trj/GdSda.A Win32/Trojan.75c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Trojan.Shell-426": [[26, 46]], "Indicator: Backdoor:Win32/Sensode.G": [[47, 71]], "Indicator: Trj/GdSda.A": [[72, 83]], "Indicator: Win32/Trojan.75c": [[84, 100]]}, "info": {"id": "cyner2_5class_train_02968", "source": "cyner2_5class_train"}} +{"text": "The domain was registered on March 8th , 2013 : Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000 CN Tel .", "spans": {"Organization: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. 
, LTD.": [[83, 146]], "Indicator: DLMDOCUMENTSEXCHANGE.COM": [[161, 185]], "Indicator: bdoufwke123010 @ gmail.com": [[374, 400]], "Indicator: beijingshiahiidienquc.d": [[403, 426]]}, "info": {"id": "cyner2_5class_train_02969", "source": "cyner2_5class_train"}} +{"text": "The desktop components of this attack , previously discovered by Palo Alto Network , are known as KasperAgent and Micropsia .", "spans": {"Organization: Palo Alto Network": [[65, 82]], "Malware: KasperAgent": [[98, 109]], "Malware: Micropsia": [[114, 123]]}, "info": {"id": "cyner2_5class_train_02970", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Win32.Poison.C12016", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Win32.Poison.C12016": [[26, 52]]}, "info": {"id": "cyner2_5class_train_02971", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Payreen Trojan.Ransom.TechSupportScam Trojan.Win32.Payreen.evwzbn W32/Trojan.JXJF-8565 TR/Payreen.exevx SupportScam:MSIL/Payreen.A Trojan.TechSupportScam Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Payreen": [[26, 40]], "Indicator: Trojan.Ransom.TechSupportScam": [[41, 70]], "Indicator: Trojan.Win32.Payreen.evwzbn": [[71, 98]], "Indicator: W32/Trojan.JXJF-8565": [[99, 119]], "Indicator: TR/Payreen.exevx": [[120, 136]], "Indicator: SupportScam:MSIL/Payreen.A": [[137, 163]], "Indicator: Trojan.TechSupportScam": [[164, 186]], "Indicator: Trj/GdSda.A": [[187, 198]]}, "info": {"id": "cyner2_5class_train_02972", "source": "cyner2_5class_train"}} +{"text": "Python/Agent.F is a worm that spreads via removable media.", "spans": {"Indicator: Python/Agent.F": [[0, 14]], "Malware: worm": [[20, 24]], "System: removable media.": [[42, 58]]}, "info": {"id": "cyner2_5class_train_02973", "source": "cyner2_5class_train"}} +{"text": "This post intends to share the findings of the FortiGuard Lion Team on BlackMoon's prevalence and its latest code updates.", "spans": 
{"Organization: FortiGuard Lion Team": [[47, 67]], "Malware: BlackMoon's": [[71, 82]]}, "info": {"id": "cyner2_5class_train_02974", "source": "cyner2_5class_train"}} +{"text": "The Trojan may download files from the following remote location: [http://]bit.ly/2k4[REMOVED]", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: files": [[24, 29]], "Indicator: remote location: [http://]bit.ly/2k4[REMOVED]": [[49, 94]]}, "info": {"id": "cyner2_5class_train_02975", "source": "cyner2_5class_train"}} +{"text": "The server then sends a reply that contains instructions on further actions to be taken .", "spans": {}, "info": {"id": "cyner2_5class_train_02976", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit/W32.CVE-2014-4114.I JS.Swabfex.QZ Exploit.CVE-2014-4114.A Troj.W32.Autoit!c Trojan.PPDropper TROJ_CVE20144114.G Trojan.Win32.Autoit.ezc Trojan.Win32.Autoit.efjbnz PPT.S.Exploit.1116160 TROJ_CVE20144114.G Trojan[Exploit]/OLE.CVE-2014-6352 Win32.Trojan.Autoit.Dwsw Trojan.Win32.BitcoinMiner virus.exp.20144114", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit/W32.CVE-2014-4114.I": [[26, 53]], "Indicator: JS.Swabfex.QZ": [[54, 67]], "Indicator: Exploit.CVE-2014-4114.A": [[68, 91]], "Indicator: Troj.W32.Autoit!c": [[92, 109]], "Indicator: Trojan.PPDropper": [[110, 126]], "Indicator: TROJ_CVE20144114.G": [[127, 145], [219, 237]], "Indicator: Trojan.Win32.Autoit.ezc": [[146, 169]], "Indicator: Trojan.Win32.Autoit.efjbnz": [[170, 196]], "Indicator: PPT.S.Exploit.1116160": [[197, 218]], "Indicator: Trojan[Exploit]/OLE.CVE-2014-6352": [[238, 271]], "Indicator: Win32.Trojan.Autoit.Dwsw": [[272, 296]], "Indicator: Trojan.Win32.BitcoinMiner": [[297, 322]], "Indicator: virus.exp.20144114": [[323, 341]]}, "info": {"id": "cyner2_5class_train_02977", "source": "cyner2_5class_train"}} +{"text": "As root , the application copies su binary to /system/bin directory and silently downloads apk file from the server .", "spans": {}, "info": {"id": 
"cyner2_5class_train_02978", "source": "cyner2_5class_train"}} +{"text": "The first are games of very low quality that mimic the experience of popular mobile games .", "spans": {}, "info": {"id": "cyner2_5class_train_02979", "source": "cyner2_5class_train"}} +{"text": "This is a bit more complicated since the SMS commands are encrypted and encoded with base64 .", "spans": {}, "info": {"id": "cyner2_5class_train_02980", "source": "cyner2_5class_train"}} +{"text": "Several of the main components of RuMMS are shown in Figure 2 .", "spans": {"Malware: RuMMS": [[34, 39]]}, "info": {"id": "cyner2_5class_train_02981", "source": "cyner2_5class_train"}} +{"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred .", "spans": {"System: Android": [[0, 7]], "System: Google Play": [[89, 100]]}, "info": {"id": "cyner2_5class_train_02982", "source": "cyner2_5class_train"}} +{"text": "Zygote is a daemon whose goal is to launch apps on Android, and injecting code into it allows the malware to intervene in any activity on the device.", "spans": {"Malware: Zygote": [[0, 6]], "System: daemon": [[12, 18]], "Indicator: launch apps on": [[36, 50]], "System: Android,": [[51, 59]], "Indicator: injecting code": [[64, 78]], "Malware: malware": [[98, 105]], "System: device.": [[142, 149]]}, "info": {"id": "cyner2_5class_train_02983", "source": "cyner2_5class_train"}} +{"text": "Having analyzed a few variants of the malware , we noticed that the private key was exposed in the code and did not change .", "spans": {}, "info": {"id": "cyner2_5class_train_02984", "source": "cyner2_5class_train"}} +{"text": "This came on Friday 12th May when it was bundled with ransomware called WanaCrypt0r and let loose.", "spans": {"Malware: ransomware": [[54, 64]], "Malware: WanaCrypt0r": [[72, 83]]}, "info": {"id": "cyner2_5class_train_02985", "source": "cyner2_5class_train"}} +{"text": "In the quadrant , the smaller boxes in blue-gray represent 
particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps .", "spans": {"Malware: RuMMS": [[82, 87], [167, 172]]}, "info": {"id": "cyner2_5class_train_02986", "source": "cyner2_5class_train"}} +{"text": "If the command and control ( C2 ) server is taken down , the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_02987", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers conducted a historical analysis of samples related to this research and uncovered new malware variants and likely origins and methods of infection.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: malware": [[109, 116]], "Indicator: methods of infection.": [[149, 170]]}, "info": {"id": "cyner2_5class_train_02988", "source": "cyner2_5class_train"}} +{"text": "Manifest activity declaration Class list inside the dex file The main malware classes are packed , to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file .", "spans": {}, "info": {"id": "cyner2_5class_train_02989", "source": "cyner2_5class_train"}} +{"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 
d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ .", "spans": {"Indicator: anew.football.cup.world.com.worldcup": [[448, 484]], "Indicator: com.coder.glancelove com.winkchat": [[485, 518]], "Indicator: 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a": [[530, 594]], "Indicator: b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47": [[595, 659]], "Indicator: d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9": [[660, 724]], "Indicator: 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc": [[725, 789]], "Indicator: 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7": [[790, 854]], "Indicator: 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2": [[855, 919]], "Indicator: afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e": [[938, 1002]], "Indicator: goldncup [ .": [[1015, 1027]]}, "info": {"id": "cyner2_5class_train_02990", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //nttdocomo-qat [ .", "spans": {"Indicator: hxxp : //nttdocomo-qat [ .": [[6, 32]]}, "info": {"id": "cyner2_5class_train_02991", "source": "cyner2_5class_train"}} +{"text": "Within the past couple years there were several major incidents that cited the use of Windows backdoors being ported to Linux.", "spans": {"System: Windows": [[86, 93]], "Malware: backdoors": [[94, 103]], "System: Linux.": [[120, 126]]}, "info": {"id": "cyner2_5class_train_02992", "source": "cyner2_5class_train"}} +{"text": "Malware authors can sometimes be creative in order to manipulate their human targets on the one hand and to circumvent security products, too.", "spans": {}, "info": {"id": 
"cyner2_5class_train_02993", "source": "cyner2_5class_train"}} +{"text": "] comakashipro [ .", "spans": {}, "info": {"id": "cyner2_5class_train_02994", "source": "cyner2_5class_train"}} +{"text": "In regard to the attack lifecycle, development of tools occurs in the weaponization/staging phase that precedes the delivery phase, of which is typically the first opportunity we see the actors' activities as they interact directly with their target.", "spans": {}, "info": {"id": "cyner2_5class_train_02995", "source": "cyner2_5class_train"}} +{"text": "ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.", "spans": {"Organization: ThreatTrack Security Labs": [[0, 25]], "Indicator: credential-stealing": [[57, 76]], "Malware: Trojan Dyre": [[77, 88]], "Malware: dropper": [[104, 111]], "Indicator: HTTPS connections.": [[181, 199]]}, "info": {"id": "cyner2_5class_train_02996", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Adclicker.HB Trojan-Dropper/W32.Dapato.114688.C Trojan-Dropper.Win32.Dapato!O Trojan.Adclicker.HB Dropper.Dapato.Win32.9811 Trojan/Dropper.Dapato.axil Trojan.Adclicker.HB TROJ_WEVARM.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_WEVARM.SM Win.Trojan.Dapato-938 TrojanDropper.Dapato Trojan.Win32.Dapato.ctxtcy Trojan.DownLoader6.77 Trojan-Clicker.AXPC TrojanDropper.Dapato.fxa Win32.Troj.Dapato.kcloud TrojanDownloader:Win32/Obvod.K Trojan.Adclicker.HB Trojan.Adclicker.HB Dropper/Win32.Dapato.R27056 Trojan.Adclicker.HB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Adclicker.HB": [[26, 45], [111, 130], [184, 203], [470, 489], [490, 509], [538, 557]], "Indicator: Trojan-Dropper/W32.Dapato.114688.C": [[46, 80]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[81, 110]], "Indicator: Dropper.Dapato.Win32.9811": [[131, 156]], "Indicator: Trojan/Dropper.Dapato.axil": [[157, 
183]], "Indicator: TROJ_WEVARM.SM": [[204, 218], [262, 276]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[219, 261]], "Indicator: Win.Trojan.Dapato-938": [[277, 298]], "Indicator: TrojanDropper.Dapato": [[299, 319]], "Indicator: Trojan.Win32.Dapato.ctxtcy": [[320, 346]], "Indicator: Trojan.DownLoader6.77": [[347, 368]], "Indicator: Trojan-Clicker.AXPC": [[369, 388]], "Indicator: TrojanDropper.Dapato.fxa": [[389, 413]], "Indicator: Win32.Troj.Dapato.kcloud": [[414, 438]], "Indicator: TrojanDownloader:Win32/Obvod.K": [[439, 469]], "Indicator: Dropper/Win32.Dapato.R27056": [[510, 537]]}, "info": {"id": "cyner2_5class_train_02997", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Damatak Trojan.Heur.JP.EEC131 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Poison.eqxekp Trojan.Chanitor.26 BehavesLike.Win32.Injector.km Backdoor:Win32/Damatak.A Backdoor.W32.Hupigon.kYZB Heur.Trojan.Hlux Trj/CI.A Win32.Trojan.Dlder.Tayr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Damatak": [[26, 42]], "Indicator: Trojan.Heur.JP.EEC131": [[43, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[65, 107]], "Indicator: Trojan.Win32.Poison.eqxekp": [[108, 134]], "Indicator: Trojan.Chanitor.26": [[135, 153]], "Indicator: BehavesLike.Win32.Injector.km": [[154, 183]], "Indicator: Backdoor:Win32/Damatak.A": [[184, 208]], "Indicator: Backdoor.W32.Hupigon.kYZB": [[209, 234]], "Indicator: Heur.Trojan.Hlux": [[235, 251]], "Indicator: Trj/CI.A": [[252, 260]], "Indicator: Win32.Trojan.Dlder.Tayr": [[261, 284]]}, "info": {"id": "cyner2_5class_train_02998", "source": "cyner2_5class_train"}} +{"text": "The email was supposedly sent by the head of a US-based terrorist monitoring group.", "spans": {"Indicator: email": [[4, 9]], "Organization: head": [[37, 41]], "Organization: US-based terrorist monitoring group.": [[47, 83]]}, "info": {"id": "cyner2_5class_train_02999", "source": "cyner2_5class_train"}} +{"text": "Again 
, this package source code is publicly available and can be found here .", "spans": {}, "info": {"id": "cyner2_5class_train_03000", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BDS/Iroffer.1221.5 Backdoor.Iroffer.AM W32/Iroffer.BC Trojan.Ioffer Backdoor.Win32.Iroffer.1221 Backdoor.Iroffer.1.2.2.1 W32/Iroffer.AM@bd BackDoor.Iroffer.1221 Backdoor.Win32.Iroffer.1221 W32/Iroffer.AM@bd Backdoor.Iroffer.1221.4098 Backdoor:Win32/Iroffer.1_221 Backdoor.Iroffer.1221 Win32/Iroffer.1222 Backdoor.Win32.Iroffer.1221 BackDoor.Iroffer.AD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BDS/Iroffer.1221.5": [[26, 44]], "Indicator: Backdoor.Iroffer.AM": [[45, 64]], "Indicator: W32/Iroffer.BC": [[65, 79]], "Indicator: Trojan.Ioffer": [[80, 93]], "Indicator: Backdoor.Win32.Iroffer.1221": [[94, 121], [187, 214], [330, 357]], "Indicator: Backdoor.Iroffer.1.2.2.1": [[122, 146]], "Indicator: W32/Iroffer.AM@bd": [[147, 164], [215, 232]], "Indicator: BackDoor.Iroffer.1221": [[165, 186]], "Indicator: Backdoor.Iroffer.1221.4098": [[233, 259]], "Indicator: Backdoor:Win32/Iroffer.1_221": [[260, 288]], "Indicator: Backdoor.Iroffer.1221": [[289, 310]], "Indicator: Win32/Iroffer.1222": [[311, 329]], "Indicator: BackDoor.Iroffer.AD": [[358, 377]]}, "info": {"id": "cyner2_5class_train_03001", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Win32.Trojan.WisdomEyes.16070401.9500.9971 Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Trojan.Packed.359 Trojan:Win32/Piptea.E Email-Worm.Win32.Joleee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.LoadAdv.ABW": [[26, 55], [56, 85], [129, 158], [159, 188], [189, 218]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9971": [[86, 128]], "Indicator: Trojan.Packed.359": [[219, 236]], "Indicator: Trojan:Win32/Piptea.E": [[237, 258]], "Indicator: Email-Worm.Win32.Joleee": [[259, 
282]]}, "info": {"id": "cyner2_5class_train_03002", "source": "cyner2_5class_train"}} +{"text": "Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware", "spans": {"Malware: Pay-per-infection": [[0, 17]], "Malware: malware": [[114, 121]]}, "info": {"id": "cyner2_5class_train_03003", "source": "cyner2_5class_train"}} +{"text": "A number of tools and previously unknown exploits were discovered in the trove of data posted online.", "spans": {"Malware: tools": [[12, 17]], "Malware: unknown exploits": [[33, 49]]}, "info": {"id": "cyner2_5class_train_03004", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DesticosLTG.Trojan Worm.Delf.Win32.2144 Worm.Win32.Delf.aai Trojan.Win32.Delf.ejergb Win32.Worm.Delf.Pkqt Trojan.MulDrop6.34757 BehavesLike.Win32.Dropper.vc W32/Trojan.ZKLJ-7196 Worm.Delf.ah Trojan:Win32/Chamolyon.A Trojan.Zusy.D2E11A Worm.Win32.Delf.aai Worm.Delf!YSxowO1fm1s Trojan-Downloader.Win32.Banload Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DesticosLTG.Trojan": [[26, 48]], "Indicator: Worm.Delf.Win32.2144": [[49, 69]], "Indicator: Worm.Win32.Delf.aai": [[70, 89], [265, 284]], "Indicator: Trojan.Win32.Delf.ejergb": [[90, 114]], "Indicator: Win32.Worm.Delf.Pkqt": [[115, 135]], "Indicator: Trojan.MulDrop6.34757": [[136, 157]], "Indicator: BehavesLike.Win32.Dropper.vc": [[158, 186]], "Indicator: W32/Trojan.ZKLJ-7196": [[187, 207]], "Indicator: Worm.Delf.ah": [[208, 220]], "Indicator: Trojan:Win32/Chamolyon.A": [[221, 245]], "Indicator: Trojan.Zusy.D2E11A": [[246, 264]], "Indicator: Worm.Delf!YSxowO1fm1s": [[285, 306]], "Indicator: Trojan-Downloader.Win32.Banload": [[307, 338]], "Indicator: Trj/CI.A": [[339, 347]]}, "info": {"id": "cyner2_5class_train_03005", "source": "cyner2_5class_train"}} +{"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending 
exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe 16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool .", "spans": {"Indicator: msconf.exe": [[17, 27]], "Indicator: 55fb01048b6287eadcbd9a0f86d21adf": [[28, 60]], "Indicator: network.exe": [[89, 100]], "Indicator: f673bb1d519138ced7659484c0b66c5b": [[101, 133]], "Indicator: system.exe": [[159, 169]], "Indicator: d3baa45ed342fbc5a56d974d36d5f73f": [[170, 202]], "Indicator: update.exe": [[238, 248]], "Indicator: 395f9f87df728134b5e3c1ca4d48e9fa": [[249, 281]], "Indicator: wow.exe": [[293, 300]], "Indicator: 16311b16fd48c1c87c6476a455093e7a": [[301, 333]], "Indicator: skype_sync2.exe": [[355, 370], [453, 468]], "Indicator: 6bcc3559d7405f25ea403317353d905f": [[371, 403]], "System: Skype": [[404, 409]], "System: Python": [[486, 492]], "System: Py2exe": [[528, 534]]}, "info": {"id": "cyner2_5class_train_03006", "source": "cyner2_5class_train"}} +{"text": "Inside the SDK The malware resides within the ‘ RXDrioder ’ Software Development Kit ( SDK ) , which is provided by ‘ addroider [ .", "spans": {"Indicator: addroider [ .": [[118, 131]]}, "info": {"id": "cyner2_5class_train_03007", "source": "cyner2_5class_train"}} +{"text": "Upon opening the file , the user is asked to enable “ Google Play Protect ” as shown in Figure 2 .", "spans": {"System: Google Play": [[54, 65]]}, "info": {"id": "cyner2_5class_train_03008", "source": "cyner2_5class_train"}} +{"text": "The loader ’ s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The 
final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2 ) embedded in the executable and prepares the execution of a new layer of VM decoding .", "spans": {}, "info": {"id": "cyner2_5class_train_03009", "source": "cyner2_5class_train"}} +{"text": "Commodity Remote Access Trojans RATs -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals.", "spans": {"Malware: Commodity Remote Access Trojans RATs": [[0, 36]], "Malware: remote access": [[140, 153]]}, "info": {"id": "cyner2_5class_train_03010", "source": "cyner2_5class_train"}} +{"text": "A couple of months later , in August 2019 , a new version was released with additional banking-specific features .", "spans": {}, "info": {"id": "cyner2_5class_train_03011", "source": "cyner2_5class_train"}} +{"text": "The phishing page is translated in Korean , Japanese , Chinese , and English , which are hardcoded in the payload .", "spans": {}, "info": {"id": "cyner2_5class_train_03012", "source": "cyner2_5class_train"}} +{"text": "RuMMS samples , hosting sites , C2 servers from Jan. 
2016 to Mar .", "spans": {"Malware: RuMMS": [[0, 5]]}, "info": {"id": "cyner2_5class_train_03013", "source": "cyner2_5class_train"}} +{"text": "In advance of any official release, cybercriminals have already released their own Mario-related apps.", "spans": {"Malware: own Mario-related apps.": [[79, 102]]}, "info": {"id": "cyner2_5class_train_03014", "source": "cyner2_5class_train"}} +{"text": "This implant was deployed in less than 10 machines only.", "spans": {"Malware: implant": [[5, 12]], "System: 10 machines": [[39, 50]]}, "info": {"id": "cyner2_5class_train_03015", "source": "cyner2_5class_train"}} +{"text": "This campaign started on July 9, a few days after the Hacking Team announced it was hacked.", "spans": {"Organization: Hacking Team": [[54, 66]], "Indicator: hacked.": [[84, 91]]}, "info": {"id": "cyner2_5class_train_03016", "source": "cyner2_5class_train"}} +{"text": "Most of the organizations attacked were vendors of industrial automation solutions and system support contractors.", "spans": {"Organization: organizations": [[12, 25]], "Indicator: attacked": [[26, 34]], "Organization: vendors": [[40, 47]], "Organization: industrial automation solutions": [[51, 82]], "Organization: system support contractors.": [[87, 114]]}, "info": {"id": "cyner2_5class_train_03017", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.18432.Y Trojan-PSW.Win32.Maran!O Trojan/PSW.Maran.ij W32/Pws.QZP Infostealer.Phax TSPY_MARAN.ANC Trojan-PSW.Win32.Maran.sv Trojan.Win32.Maran.jzdr Trojan.Win32.Z.Maran.18432.A Troj.GameThief.W32.OnLineGames.l9d5 TrojWare.Win32.PSW.Maran.NAH Trojan.PWS.Maran.591 Trojan.Win32.6BC1FBA9 TSPY_MARAN.ANC BehavesLike.Win32.SpywareLyndra.lh Trojan/PSW.Maran.ej Trojan[PSW]/Win32.Maran Trojan.Graftor.D18418 Trojan-PSW.Win32.Maran.sv PWS:Win32/Maran.M Trojan/Win32.Magania.C87823 TrojanPSW.Maran Trj/Maran.BK Win32/PSW.Maran.NAH Trojan.PWS.Maran!SDdAAxRuS44 Trojan-GameThief.Win32.OnLineGames W32/MARAN.SV!tr", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.18432.Y": [[26, 56]], "Indicator: Trojan-PSW.Win32.Maran!O": [[57, 81]], "Indicator: Trojan/PSW.Maran.ij": [[82, 101]], "Indicator: W32/Pws.QZP": [[102, 113]], "Indicator: Infostealer.Phax": [[114, 130]], "Indicator: TSPY_MARAN.ANC": [[131, 145], [333, 347]], "Indicator: Trojan-PSW.Win32.Maran.sv": [[146, 171], [449, 474]], "Indicator: Trojan.Win32.Maran.jzdr": [[172, 195]], "Indicator: Trojan.Win32.Z.Maran.18432.A": [[196, 224]], "Indicator: Troj.GameThief.W32.OnLineGames.l9d5": [[225, 260]], "Indicator: TrojWare.Win32.PSW.Maran.NAH": [[261, 289]], "Indicator: Trojan.PWS.Maran.591": [[290, 310]], "Indicator: Trojan.Win32.6BC1FBA9": [[311, 332]], "Indicator: BehavesLike.Win32.SpywareLyndra.lh": [[348, 382]], "Indicator: Trojan/PSW.Maran.ej": [[383, 402]], "Indicator: Trojan[PSW]/Win32.Maran": [[403, 426]], "Indicator: Trojan.Graftor.D18418": [[427, 448]], "Indicator: PWS:Win32/Maran.M": [[475, 492]], "Indicator: Trojan/Win32.Magania.C87823": [[493, 520]], "Indicator: TrojanPSW.Maran": [[521, 536]], "Indicator: Trj/Maran.BK": [[537, 549]], "Indicator: Win32/PSW.Maran.NAH": [[550, 569]], "Indicator: Trojan.PWS.Maran!SDdAAxRuS44": [[570, 598]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[599, 633]], "Indicator: W32/MARAN.SV!tr": [[634, 649]]}, "info": {"id": "cyner2_5class_train_03018", "source": "cyner2_5class_train"}} +{"text": "MainActivity registers BootComplete with a boot event , so that whenever the device is booted , BootComplete gets triggered .", "spans": {}, "info": {"id": "cyner2_5class_train_03019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win-Trojan/MSILKrypt02.Exp Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win-Trojan/MSILKrypt02.Exp": [[69, 95]], "Indicator: Trj/GdSda.A": [[96, 107]]}, "info": {"id": 
"cyner2_5class_train_03020", "source": "cyner2_5class_train"}} +{"text": "Sakula is a well known malware variant linked to several significant targeted intrusion campaigns over the past 2-3 years.", "spans": {"Malware: Sakula": [[0, 6]], "Malware: malware": [[23, 30]]}, "info": {"id": "cyner2_5class_train_03021", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9964 BehavesLike.Win32.Trojan.mz Trojan/Win32.LockScreen.C1515946", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[26, 68]], "Indicator: BehavesLike.Win32.Trojan.mz": [[69, 96]], "Indicator: Trojan/Win32.LockScreen.C1515946": [[97, 129]]}, "info": {"id": "cyner2_5class_train_03022", "source": "cyner2_5class_train"}} +{"text": "Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it's not being analyzed in a network sandbox.", "spans": {"System: virtual machine": [[69, 84]], "System: network sandbox.": [[124, 140]]}, "info": {"id": "cyner2_5class_train_03023", "source": "cyner2_5class_train"}} +{"text": "Cybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this research .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: EventBot": [[22, 30]]}, "info": {"id": "cyner2_5class_train_03024", "source": "cyner2_5class_train"}} +{"text": "While doing our investigation we were able to identify other malware packages with different names .", "spans": {}, "info": {"id": "cyner2_5class_train_03025", "source": "cyner2_5class_train"}} +{"text": "Below are some of the elements showing the relation .", "spans": {}, "info": {"id": "cyner2_5class_train_03026", "source": "cyner2_5class_train"}} +{"text": "The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host.", "spans": {"Malware: malware": [[27, 34]], 
"Indicator: steal files, keystrokes, perform screenshots,": [[58, 103]], "Indicator: execute arbitrary code": [[108, 130]], "System: the infected host.": [[134, 152]]}, "info": {"id": "cyner2_5class_train_03027", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D39D3F Trojan.Win32.KillProc.hd Trojan.BtcMine.2050 Trojan/Win32.KillProc TrojanDownloader:MSIL/Taily.A!bit RiskWare.BitCoinMiner Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D39D3F": [[26, 44]], "Indicator: Trojan.Win32.KillProc.hd": [[45, 69]], "Indicator: Trojan.BtcMine.2050": [[70, 89]], "Indicator: Trojan/Win32.KillProc": [[90, 111]], "Indicator: TrojanDownloader:MSIL/Taily.A!bit": [[112, 145]], "Indicator: RiskWare.BitCoinMiner": [[146, 167]], "Indicator: Trj/GdSda.A": [[168, 179]]}, "info": {"id": "cyner2_5class_train_03028", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.AHSJ-4985 Ransom_HC7.R002C0DAA18 Trojan.Win32.RedCap.ewxmze Virus.Ransom.Pycl.A!c TR/RedCap.qcvri Trojan/Win32.Ransom.C2347549 Trojan.Ransom.PyCL Ransom.FileLocker Trojan.DownLoader! 
Ransom.Win32 Trojan-Ransom.Crypren Trj/CI.A Win32/Trojan.Ransom.97f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.AHSJ-4985": [[26, 46]], "Indicator: Ransom_HC7.R002C0DAA18": [[47, 69]], "Indicator: Trojan.Win32.RedCap.ewxmze": [[70, 96]], "Indicator: Virus.Ransom.Pycl.A!c": [[97, 118]], "Indicator: TR/RedCap.qcvri": [[119, 134]], "Indicator: Trojan/Win32.Ransom.C2347549": [[135, 163]], "Indicator: Trojan.Ransom.PyCL": [[164, 182]], "Indicator: Ransom.FileLocker": [[183, 200]], "Indicator: Trojan.DownLoader!": [[201, 219]], "Indicator: Ransom.Win32": [[220, 232]], "Indicator: Trojan-Ransom.Crypren": [[233, 254]], "Indicator: Trj/CI.A": [[255, 263]], "Indicator: Win32/Trojan.Ransom.97f": [[264, 287]]}, "info": {"id": "cyner2_5class_train_03029", "source": "cyner2_5class_train"}} +{"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals .", "spans": {}, "info": {"id": "cyner2_5class_train_03030", "source": "cyner2_5class_train"}} +{"text": "] it The rise of mobile banker Asacub 28 AUG 2018 We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015 , when the first versions of the malware were detected , analyzed , and found to be more adept at spying than stealing funds .", "spans": {"Malware: Asacub": [[31, 37]], "Malware: Trojan-Banker.AndroidOS.Asacub": [[69, 99]]}, "info": {"id": "cyner2_5class_train_03031", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Limitail Trojan.DownLoader26.6005 BehavesLike.Win32.Trojan.cm Trojan.MSIL.Injector Trojan.MSIL.Bladabindi.1 Trojan/Win32.RatTool.R208188 Trj/GdSda.A MSIL/SpyPSW.AVQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: 
Infostealer.Limitail": [[69, 89]], "Indicator: Trojan.DownLoader26.6005": [[90, 114]], "Indicator: BehavesLike.Win32.Trojan.cm": [[115, 142]], "Indicator: Trojan.MSIL.Injector": [[143, 163]], "Indicator: Trojan.MSIL.Bladabindi.1": [[164, 188]], "Indicator: Trojan/Win32.RatTool.R208188": [[189, 217]], "Indicator: Trj/GdSda.A": [[218, 229]], "Indicator: MSIL/SpyPSW.AVQ!tr": [[230, 248]]}, "info": {"id": "cyner2_5class_train_03032", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Strictor.D1B6BC BKDR_HPKELIHOS.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9990 BKDR_HPKELIHOS.SM4 BehavesLike.Win32.Expiro.ch Trojan.WPCracker.u Trojan.Win32.Boaxxe W32/Injector.DDXZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Strictor.D1B6BC": [[26, 48]], "Indicator: BKDR_HPKELIHOS.SM4": [[49, 67], [111, 129]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[68, 110]], "Indicator: BehavesLike.Win32.Expiro.ch": [[130, 157]], "Indicator: Trojan.WPCracker.u": [[158, 176]], "Indicator: Trojan.Win32.Boaxxe": [[177, 196]], "Indicator: W32/Injector.DDXZ!tr": [[197, 217]]}, "info": {"id": "cyner2_5class_train_03033", "source": "cyner2_5class_train"}} +{"text": "RIG Exploit Kit - May 2015", "spans": {"Malware: RIG Exploit Kit": [[0, 15]]}, "info": {"id": "cyner2_5class_train_03034", "source": "cyner2_5class_train"}} +{"text": "Compared to other adversary groups, C0d0so0 has shown the use of more sophisticated tactics and tools and has been linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear phishing attacks.", "spans": {"Malware: tools": [[96, 101]], "Vulnerability: zero-day exploits": [[136, 153]], "Indicator: watering hole": [[196, 209]], "Indicator: spear phishing attacks.": [[214, 237]]}, "info": {"id": "cyner2_5class_train_03035", "source": "cyner2_5class_train"}} +{"text": "Although Unit 42 cannot provide a full picture of the details surrounding the delivery of these samples, we 
are confident this activity targets Korean language speakers who use Samsung devices.", "spans": {"Organization: Unit 42": [[9, 16]], "Malware: samples,": [[96, 104]], "Organization: Korean language speakers": [[144, 168]], "System: Samsung devices.": [[177, 193]]}, "info": {"id": "cyner2_5class_train_03036", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Cosmu.aqmz Trojan.Win32.Cosmu.divg Trojan.Win32.Z.Cosmu.1849214 W32.Dzan.l3Vn Trojan.DownLoader19.64657 Trojan.Cosmu.Win32.7698 Trojan-Dropper.Win32.Injector Trojan/Cosmu.mih Trojan[Downloader]/Win32.Wren Trojan.Win32.Cosmu.divg Trojan.Cosmu Trj/CI.A Win32.Trojan.Cosmu.Dypy W32/Malicious_Behavior.VEX Win32/Worm.15b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Cosmu.aqmz": [[26, 43]], "Indicator: Trojan.Win32.Cosmu.divg": [[44, 67], [238, 261]], "Indicator: Trojan.Win32.Z.Cosmu.1849214": [[68, 96]], "Indicator: W32.Dzan.l3Vn": [[97, 110]], "Indicator: Trojan.DownLoader19.64657": [[111, 136]], "Indicator: Trojan.Cosmu.Win32.7698": [[137, 160]], "Indicator: Trojan-Dropper.Win32.Injector": [[161, 190]], "Indicator: Trojan/Cosmu.mih": [[191, 207]], "Indicator: Trojan[Downloader]/Win32.Wren": [[208, 237]], "Indicator: Trojan.Cosmu": [[262, 274]], "Indicator: Trj/CI.A": [[275, 283]], "Indicator: Win32.Trojan.Cosmu.Dypy": [[284, 307]], "Indicator: W32/Malicious_Behavior.VEX": [[308, 334]], "Indicator: Win32/Worm.15b": [[335, 349]]}, "info": {"id": "cyner2_5class_train_03037", "source": "cyner2_5class_train"}} +{"text": "The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.", "spans": {"Indicator: attacks": [[4, 11]], "Organization: bank": [[33, 37]], "Malware: unknown malware": [[70, 85]], "System: computers.": [[113, 123]]}, "info": {"id": "cyner2_5class_train_03038", "source": "cyner2_5class_train"}} +{"text": "On each system several tools were used to find, encrypt, and delete the original files as 
well as any backups.", "spans": {"System: system": [[8, 14]], "Malware: tools": [[23, 28]], "Indicator: encrypt,": [[48, 56]], "Indicator: delete the original files": [[61, 86]]}, "info": {"id": "cyner2_5class_train_03039", "source": "cyner2_5class_train"}} +{"text": "The \" source process '' refers to the Zen trojan running as root , while the \" target process '' refers to the process to which the code is injected and [ pid ] refers to the target process pid value .", "spans": {"Malware: Zen": [[38, 41]]}, "info": {"id": "cyner2_5class_train_03040", "source": "cyner2_5class_train"}} +{"text": "Unit 42 researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise BEC phishing emails", "spans": {"Organization: Unit 42 researchers": [[0, 19]], "Malware: LokiBot information stealer": [[90, 117]], "Indicator: business email compromise BEC phishing emails": [[122, 167]]}, "info": {"id": "cyner2_5class_train_03041", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Qhost.724992 Trojan.Win32.Qhost!O Trojan.BeeVry Trojan.Qhost Worm.AutoRun.Win32.64118 Win32.Worm.Autorun.ah W32/Trojan2.OFIZ W32.SillyFDC WORM_YAHLOVER.SM Trojan.Win32.Qhost.afes Trojan.Win32.Qhost.boicaq Trojan.Win32.A.Qhost.724992 Trojan.MulDrop3.42831 WORM_YAHLOVER.SM BehavesLike.Win32.Autorun.bt W32/Trojan.RWER-6321 Trojan/Qhost.gez Trojan/Win32.Qhost Troj.W32.Qhost.tn9x Trojan.Win32.Qhost.afes HEUR/Fakon.mwf W32/Autorun.worm.aadm Trojan.Qhost Trojan.Qhost Win32/AutoRun.VB.AVY Trojan.Qhost!hFnYX0CfRwA Worm.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Qhost.724992": [[26, 49]], "Indicator: Trojan.Win32.Qhost!O": [[50, 70]], "Indicator: Trojan.BeeVry": [[71, 84]], "Indicator: Trojan.Qhost": [[85, 97], [476, 488], [489, 501]], "Indicator: Worm.AutoRun.Win32.64118": [[98, 122]], "Indicator: Win32.Worm.Autorun.ah": [[123, 144]], "Indicator: W32/Trojan2.OFIZ": [[145, 
161]], "Indicator: W32.SillyFDC": [[162, 174]], "Indicator: WORM_YAHLOVER.SM": [[175, 191], [292, 308]], "Indicator: Trojan.Win32.Qhost.afes": [[192, 215], [415, 438]], "Indicator: Trojan.Win32.Qhost.boicaq": [[216, 241]], "Indicator: Trojan.Win32.A.Qhost.724992": [[242, 269]], "Indicator: Trojan.MulDrop3.42831": [[270, 291]], "Indicator: BehavesLike.Win32.Autorun.bt": [[309, 337]], "Indicator: W32/Trojan.RWER-6321": [[338, 358]], "Indicator: Trojan/Qhost.gez": [[359, 375]], "Indicator: Trojan/Win32.Qhost": [[376, 394]], "Indicator: Troj.W32.Qhost.tn9x": [[395, 414]], "Indicator: HEUR/Fakon.mwf": [[439, 453]], "Indicator: W32/Autorun.worm.aadm": [[454, 475]], "Indicator: Win32/AutoRun.VB.AVY": [[502, 522]], "Indicator: Trojan.Qhost!hFnYX0CfRwA": [[523, 547]], "Indicator: Worm.Win32.VB": [[548, 561]]}, "info": {"id": "cyner2_5class_train_03042", "source": "cyner2_5class_train"}} +{"text": "The numbering seems to have started anew after the version 9 .", "spans": {}, "info": {"id": "cyner2_5class_train_03043", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DownloadDAB.Trojan Worm.MSIL.Arcdoor!O Worm.Arcdoor.ae3 Worm.Arcdoor.Win32.1086 Trojan/Arcdoor.ae MSIL.Worm.Arcdoor.b W32/Trojan2.NFSU Backdoor.Trojan Win32/Pontoeb.A BKDR_PONTOEB.SMHA Win.Trojan.Worm-74 Worm.MSIL.Arcdoor.ae Trojan.Win32.Arcdoor.ctsdhw Msil.Worm.Arcdoor.Lknq BKDR_PONTOEB.SMHA Worm.MSIL W32/Trojan.LEEP-1569 Worm.MSIL.fi WORM/MSIL.Arcdo.aea Worm/MSIL.Arcdoor Backdoor:MSIL/Pontoeb.G Trojan.Win32.Z.Arcdoor.26624 Worm.MSIL.Arcdoor.ae Worm/Win32.Arcdoor.R11889 MSIL/Arcdoor.AE MSIL/AntiVM.V!tr Win32/Worm.bed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloadDAB.Trojan": [[26, 48]], "Indicator: Worm.MSIL.Arcdoor!O": [[49, 68]], "Indicator: Worm.Arcdoor.ae3": [[69, 85]], "Indicator: Worm.Arcdoor.Win32.1086": [[86, 109]], "Indicator: Trojan/Arcdoor.ae": [[110, 127]], "Indicator: MSIL.Worm.Arcdoor.b": [[128, 147]], "Indicator: W32/Trojan2.NFSU": [[148, 164]], 
"Indicator: Backdoor.Trojan": [[165, 180]], "Indicator: Win32/Pontoeb.A": [[181, 196]], "Indicator: BKDR_PONTOEB.SMHA": [[197, 214], [306, 323]], "Indicator: Win.Trojan.Worm-74": [[215, 233]], "Indicator: Worm.MSIL.Arcdoor.ae": [[234, 254], [459, 479]], "Indicator: Trojan.Win32.Arcdoor.ctsdhw": [[255, 282]], "Indicator: Msil.Worm.Arcdoor.Lknq": [[283, 305]], "Indicator: Worm.MSIL": [[324, 333]], "Indicator: W32/Trojan.LEEP-1569": [[334, 354]], "Indicator: Worm.MSIL.fi": [[355, 367]], "Indicator: WORM/MSIL.Arcdo.aea": [[368, 387]], "Indicator: Worm/MSIL.Arcdoor": [[388, 405]], "Indicator: Backdoor:MSIL/Pontoeb.G": [[406, 429]], "Indicator: Trojan.Win32.Z.Arcdoor.26624": [[430, 458]], "Indicator: Worm/Win32.Arcdoor.R11889": [[480, 505]], "Indicator: MSIL/Arcdoor.AE": [[506, 521]], "Indicator: MSIL/AntiVM.V!tr": [[522, 538]], "Indicator: Win32/Worm.bed": [[539, 553]]}, "info": {"id": "cyner2_5class_train_03044", "source": "cyner2_5class_train"}} +{"text": "The overlays are activated by the malicious operator using the command changeActivity , as seen on step 5 of the activation cycle .", "spans": {}, "info": {"id": "cyner2_5class_train_03045", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.LoadMoney.eprnxa PUP.LoadMoney/Variant Trojan.LoadMoney.2303 PUA.SearchGo ADWARE/SearchGo.avskt PUP/Win32.Searchgo.R201982 Adware.SearchGo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.LoadMoney.eprnxa": [[26, 55]], "Indicator: PUP.LoadMoney/Variant": [[56, 77]], "Indicator: Trojan.LoadMoney.2303": [[78, 99]], "Indicator: PUA.SearchGo": [[100, 112]], "Indicator: ADWARE/SearchGo.avskt": [[113, 134]], "Indicator: PUP/Win32.Searchgo.R201982": [[135, 161]], "Indicator: Adware.SearchGo": [[162, 177]]}, "info": {"id": "cyner2_5class_train_03046", "source": "cyner2_5class_train"}} +{"text": "The widespread use of telnet, along with a list of factory default usernames and passwords, result in botnets with sizes that is beyond 
imagination.", "spans": {"Malware: telnet,": [[22, 29]], "Vulnerability: factory default usernames and passwords,": [[51, 91]], "Malware: botnets": [[102, 109]]}, "info": {"id": "cyner2_5class_train_03047", "source": "cyner2_5class_train"}} +{"text": "are designed to resemble tracking e-mails from different post offices around the world.", "spans": {"Indicator: tracking e-mails": [[25, 41]], "Organization: post offices": [[57, 69]]}, "info": {"id": "cyner2_5class_train_03048", "source": "cyner2_5class_train"}} +{"text": "The beaconing will only start after the application is removed from the background , ultimately stopping it .", "spans": {}, "info": {"id": "cyner2_5class_train_03049", "source": "cyner2_5class_train"}} +{"text": "The first section aims to analyze the malware's capabilities e.g.: c2 connectivity, encoding mechanisms and overall system activity.", "spans": {}, "info": {"id": "cyner2_5class_train_03050", "source": "cyner2_5class_train"}} +{"text": "This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker hacker", "spans": {"Malware: RAT": [[5, 8], [73, 76]], "Malware: custom RAT": [[89, 99]]}, "info": {"id": "cyner2_5class_train_03051", "source": "cyner2_5class_train"}} +{"text": "Related Github account contains forked Conversations repository Summarizing all the found clues , we have the following attribution flow : Conclusion The operation of ViceLeaker is still ongoing , as is our research .", "spans": {"Organization: Github": [[8, 14]], "Malware: ViceLeaker": [[167, 177]]}, "info": {"id": "cyner2_5class_train_03052", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod3a9.Trojan.e28b Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan trojan.win32.skeeyah.a!rfn W32/Trojan.FVPV-5651 TR/Crypt.ZPACK.mwex TrojanDropper:Win32/Barlaiy.A!dha Trojan-Downloader.Win32.FraudLoad Trj/CI.A Win32/Trojan.0e6", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: W32.Clod3a9.Trojan.e28b": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[50, 92]], "Indicator: Backdoor.Trojan": [[93, 108]], "Indicator: trojan.win32.skeeyah.a!rfn": [[109, 135]], "Indicator: W32/Trojan.FVPV-5651": [[136, 156]], "Indicator: TR/Crypt.ZPACK.mwex": [[157, 176]], "Indicator: TrojanDropper:Win32/Barlaiy.A!dha": [[177, 210]], "Indicator: Trojan-Downloader.Win32.FraudLoad": [[211, 244]], "Indicator: Trj/CI.A": [[245, 253]], "Indicator: Win32/Trojan.0e6": [[254, 270]]}, "info": {"id": "cyner2_5class_train_03053", "source": "cyner2_5class_train"}} +{"text": "This cyber-espionage group was dubbed Rocket Kitten,' and remains active as of this writing, with reported attacks as recent as October 2015.", "spans": {"Malware: attacks": [[107, 114]]}, "info": {"id": "cyner2_5class_train_03054", "source": "cyner2_5class_train"}} +{"text": "Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity.", "spans": {"Organization: Talos researchers": [[15, 32]], "Malware: Angler Exploit Kit": [[61, 79]]}, "info": {"id": "cyner2_5class_train_03055", "source": "cyner2_5class_train"}} +{"text": "This blog presents our analysis of one of the latest malware variants targeting individuals in Taiwan, which exhibits some interesting characteristics that can be useful for detecting and defending against the threat – including the creation of an obese file, weighing in at 500MB, as part of its execution.", "spans": {"Malware: malware variants": [[53, 69]], "Indicator: detecting": [[174, 183]], "Indicator: defending": [[188, 197]], "Malware: threat": [[210, 216]], "Indicator: creation of an obese file, weighing in at 500MB, as part of its execution.": [[233, 307]]}, "info": {"id": "cyner2_5class_train_03056", "source": "cyner2_5class_train"}} +{"text": "RECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system finishes booting .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03057", "source": "cyner2_5class_train"}} +{"text": "Regardless of the parameters , it returns a json containing a link for APK file .", "spans": {}, "info": {"id": "cyner2_5class_train_03058", "source": "cyner2_5class_train"}} +{"text": "CitizenLab connect the infrastructure used in the campaign to previous malware operations targeting a Tibetan radio station and the Thai government.", "spans": {"Organization: CitizenLab": [[0, 10]], "System: infrastructure": [[23, 37]], "Malware: malware operations": [[71, 89]], "Organization: Tibetan radio station": [[102, 123]], "Organization: the Thai government.": [[128, 148]]}, "info": {"id": "cyner2_5class_train_03059", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zlob.60259 Trojan.NSIS.StartPage.Q Trojan.Zlob.60259 Win32/SillyDl.YHD Win.Trojan.NSIS-38 Trojan-Downloader.Win32.NSIS.io Trojan.Zlob.60259 Riskware.Nsis.Adw.cxexqq Troj.Downloader.W32.Lipler.lkqh Trojan.Zlob.60259 Trojan.Fakealert.26734 BehavesLike.Win32.AdwareSearchProtect.kc TrojanDownloader:Win32/Gabeerf.A Trojan.Zlob.DEB63 Trojan.Win32.Banker.140384 Trojan.Zlob.60259 Trojan/Win32.StartPage.R26935 Trojan.NSIS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zlob.60259": [[26, 43], [68, 85], [155, 172], [230, 247], [390, 407]], "Indicator: Trojan.NSIS.StartPage.Q": [[44, 67]], "Indicator: Win32/SillyDl.YHD": [[86, 103]], "Indicator: Win.Trojan.NSIS-38": [[104, 122]], "Indicator: Trojan-Downloader.Win32.NSIS.io": [[123, 154]], "Indicator: Riskware.Nsis.Adw.cxexqq": [[173, 197]], "Indicator: Troj.Downloader.W32.Lipler.lkqh": [[198, 229]], "Indicator: Trojan.Fakealert.26734": [[248, 270]], "Indicator: BehavesLike.Win32.AdwareSearchProtect.kc": [[271, 311]], "Indicator: TrojanDownloader:Win32/Gabeerf.A": [[312, 344]], "Indicator: Trojan.Zlob.DEB63": [[345, 362]], "Indicator: Trojan.Win32.Banker.140384": [[363, 389]], "Indicator: Trojan/Win32.StartPage.R26935": [[408, 437]], "Indicator: 
Trojan.NSIS": [[438, 449]]}, "info": {"id": "cyner2_5class_train_03060", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutoRunLUL.Worm Trojan.Downloader.Bredolab.AA Packed.Win32.Tadym!O Trojan.Tadym Downloader-BTR.a Trojan.Downloader.Bredolab.AA TROJ_BREDLAB.SMB Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_BREDLAB.SMB Win.Trojan.Bredolab-4616 Packed.Win32.Tadym.b Trojan.Downloader.Bredolab.AA Trojan.Win32.Tadym.deqzho Win32.Packed.Tadym.Pdmb Trojan.Downloader.Bredolab.AA TrojWare.Win32.TrojanDropper.HDrop.B Trojan.Downloader.Bredolab.AA Win32.HLLW.Autoruner.6644 Backdoor.CPEX.Win32.27835 BehavesLike.Win32.RAHack.mc Worm/AutoRun.nlq Trojan[Packed]/Win32.Tadym TrojanDropper:Win32/Emold.C Troj.W32.Vaklik.l3JH Packed.Win32.Tadym.b Trojan.Downloader.Bredolab.AA Trojan.Downloader.Bredolab.AA BScope.Trojan.Ballast Worm.AutoRun!kxuXEtVXF84 Trojan.Win32.Bredolab", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutoRunLUL.Worm": [[26, 45]], "Indicator: Trojan.Downloader.Bredolab.AA": [[46, 75], [127, 156], [280, 309], [360, 389], [427, 456], [651, 680], [681, 710]], "Indicator: Packed.Win32.Tadym!O": [[76, 96]], "Indicator: Trojan.Tadym": [[97, 109]], "Indicator: Downloader-BTR.a": [[110, 126]], "Indicator: TROJ_BREDLAB.SMB": [[157, 173], [217, 233]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[174, 216]], "Indicator: Win.Trojan.Bredolab-4616": [[234, 258]], "Indicator: Packed.Win32.Tadym.b": [[259, 279], [630, 650]], "Indicator: Trojan.Win32.Tadym.deqzho": [[310, 335]], "Indicator: Win32.Packed.Tadym.Pdmb": [[336, 359]], "Indicator: TrojWare.Win32.TrojanDropper.HDrop.B": [[390, 426]], "Indicator: Win32.HLLW.Autoruner.6644": [[457, 482]], "Indicator: Backdoor.CPEX.Win32.27835": [[483, 508]], "Indicator: BehavesLike.Win32.RAHack.mc": [[509, 536]], "Indicator: Worm/AutoRun.nlq": [[537, 553]], "Indicator: Trojan[Packed]/Win32.Tadym": [[554, 580]], "Indicator: TrojanDropper:Win32/Emold.C": [[581, 608]], "Indicator: 
Troj.W32.Vaklik.l3JH": [[609, 629]], "Indicator: BScope.Trojan.Ballast": [[711, 732]], "Indicator: Worm.AutoRun!kxuXEtVXF84": [[733, 757]], "Indicator: Trojan.Win32.Bredolab": [[758, 779]]}, "info": {"id": "cyner2_5class_train_03061", "source": "cyner2_5class_train"}} +{"text": "InPage is a word processor program that supports languages such as Urdu, Persian, Pashto, and Arabic.", "spans": {"System: InPage": [[0, 6]], "System: word processor program": [[12, 34]]}, "info": {"id": "cyner2_5class_train_03062", "source": "cyner2_5class_train"}} +{"text": "This operation is another example of a threat actor using just enough technical sophistication to exploit a target.", "spans": {"Vulnerability: exploit": [[98, 105]]}, "info": {"id": "cyner2_5class_train_03063", "source": "cyner2_5class_train"}} +{"text": "update.exe module and Keylogger by ‘ El3ct71k ’ code comparison Xenotix Python Keylogger including specified mutex ‘ mutex_var_xboz ’ .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[64, 88]]}, "info": {"id": "cyner2_5class_train_03064", "source": "cyner2_5class_train"}} +{"text": "However , no command is received from the C2 until the inactiveTime field ( see beaconing information image above ) has at least the value of 2000000 .", "spans": {}, "info": {"id": "cyner2_5class_train_03065", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Kazy.D765A4 Heur.Corrupt.PE BehavesLike.Win32.PWSGamania.dc HackTool.Win32.QQExplorer HackTool/Win32.QQExplorer HackTool:Win32/QQExplorer.1_26.dam#2 HackTool/Win32.QQExplorer.C1530039 Trj/CI.A Win32/Trojan.dd5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.Kazy.D765A4": [[48, 66]], "Indicator: Heur.Corrupt.PE": [[67, 82]], "Indicator: BehavesLike.Win32.PWSGamania.dc": [[83, 114]], "Indicator: HackTool.Win32.QQExplorer": [[115, 140]], "Indicator: HackTool/Win32.QQExplorer": [[141, 
166]], "Indicator: HackTool:Win32/QQExplorer.1_26.dam#2": [[167, 203]], "Indicator: HackTool/Win32.QQExplorer.C1530039": [[204, 238]], "Indicator: Trj/CI.A": [[239, 247]], "Indicator: Win32/Trojan.dd5": [[248, 264]]}, "info": {"id": "cyner2_5class_train_03066", "source": "cyner2_5class_train"}} +{"text": "A Bootkit is a rootkit malware variant which infects the device at start-up and may encrypt disk or steal data , remove the application , open connection for Command and controller .", "spans": {}, "info": {"id": "cyner2_5class_train_03067", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Locky.D6 Trojan.Barys.DD3B9 W32.Pilleuz Win32.Trojan-Downloader.Kryptik.ER Trojan.Win32.Inject.ebobum Trojan.Win32.Z.Injector.119812 BackDoor.Andromeda.1478 Dropper.Injector.Win32.77187 BehavesLike.Win32.PWSZbot.ch W32/Trojan.LSBE-5509 TrojanDropper.Injector.bhwe Backdoor:Win32/Wondufi.A TrojanDropper.Injector Trj/GdSda.A Trojan.DR.Injector!1yj9x8ODPcQ W32/Kryptik.FIKL!tr Win32/Trojan.02c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Locky.D6": [[26, 41]], "Indicator: Trojan.Barys.DD3B9": [[42, 60]], "Indicator: W32.Pilleuz": [[61, 72]], "Indicator: Win32.Trojan-Downloader.Kryptik.ER": [[73, 107]], "Indicator: Trojan.Win32.Inject.ebobum": [[108, 134]], "Indicator: Trojan.Win32.Z.Injector.119812": [[135, 165]], "Indicator: BackDoor.Andromeda.1478": [[166, 189]], "Indicator: Dropper.Injector.Win32.77187": [[190, 218]], "Indicator: BehavesLike.Win32.PWSZbot.ch": [[219, 247]], "Indicator: W32/Trojan.LSBE-5509": [[248, 268]], "Indicator: TrojanDropper.Injector.bhwe": [[269, 296]], "Indicator: Backdoor:Win32/Wondufi.A": [[297, 321]], "Indicator: TrojanDropper.Injector": [[322, 344]], "Indicator: Trj/GdSda.A": [[345, 356]], "Indicator: Trojan.DR.Injector!1yj9x8ODPcQ": [[357, 387]], "Indicator: W32/Kryptik.FIKL!tr": [[388, 407]], "Indicator: Win32/Trojan.02c": [[408, 424]]}, "info": {"id": "cyner2_5class_train_03068", "source": 
"cyner2_5class_train"}} +{"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server — SMS starting with “ http : // ” Send AES-encrypted SMS message back to sender — SMS starting with “ sms : // ” Update service wake-up interval — “ 2 ” Kill switch — “ 4 ” C & C Control Update the address of the C & C server — “ 1 ” Update service wake-up interval — “ 2 ” Lock the screen — “ 5 ” Display a picture in a WebView from an arbitrary URL — “ 11 ” Send an arbitrary SMS message — “ 8 ” Steal images saved on the device — “ 12 ” and “ 13 ” Use the accessibility service to become the default SMS app — “ 6 ” Enable recording of other apps — “ 15 ” Kill switch — “ 4 ” The Lockdown Screen Most thieves don ’ t want to be caught red-handed as they steal — they want to buy some time to get away with the loot .", "spans": {}, "info": {"id": "cyner2_5class_train_03069", "source": "cyner2_5class_train"}} +{"text": "Many of these samples have not been discussed publicly and several have very little or no anti-virus coverage.", "spans": {}, "info": {"id": "cyner2_5class_train_03070", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Lithium.38400 Backdoor.Lithium.F Win32/Lithium.102 Backdoor.Trojan W32/LithBack.1_02 BKDR_LITH.102.A Win32.Lithium.102.a Backdoor.Win32.Lithium.102 Backdoor.Lithium.1.0.2 Backdoor.Win32.Lithium.102!IK Backdoor.Win32.Lithium.102 Backdoor.Lithium.1.0.2 BackDoor.Lithium.102 BDS/Lithium.102.Srv BKDR_LITH.102.A Win32/Lithium.D Backdoor/Lithium.102 Backdoor:Win32/Lithium.1_02 Backdoor.Win32.Lithium_102.38400 Backdoor.Lithium.1.0.2 Win-Trojan/Lithium.38400 Backdoor.Lithium.102 Backdoor.Trojan Backdoor.Lithium.102.b Backdoor.Win32.Lithium.102 W32/Lithium!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Lithium.38400": [[26, 52]], "Indicator: Backdoor.Lithium.F": [[53, 71]], "Indicator: Win32/Lithium.102": [[72, 89]], "Indicator: Backdoor.Trojan": [[90, 105], 
[514, 529]], "Indicator: W32/LithBack.1_02": [[106, 123]], "Indicator: BKDR_LITH.102.A": [[124, 139], [331, 346]], "Indicator: Win32.Lithium.102.a": [[140, 159]], "Indicator: Backdoor.Win32.Lithium.102": [[160, 186], [240, 266], [553, 579]], "Indicator: Backdoor.Lithium.1.0.2": [[187, 209], [267, 289], [445, 467]], "Indicator: Backdoor.Win32.Lithium.102!IK": [[210, 239]], "Indicator: BackDoor.Lithium.102": [[290, 310]], "Indicator: BDS/Lithium.102.Srv": [[311, 330]], "Indicator: Win32/Lithium.D": [[347, 362]], "Indicator: Backdoor/Lithium.102": [[363, 383]], "Indicator: Backdoor:Win32/Lithium.1_02": [[384, 411]], "Indicator: Backdoor.Win32.Lithium_102.38400": [[412, 444]], "Indicator: Win-Trojan/Lithium.38400": [[468, 492]], "Indicator: Backdoor.Lithium.102": [[493, 513]], "Indicator: Backdoor.Lithium.102.b": [[530, 552]], "Indicator: W32/Lithium!tr.bdr": [[580, 598]]}, "info": {"id": "cyner2_5class_train_03071", "source": "cyner2_5class_train"}} +{"text": "It saves the messages ’ metadata and content , filters the information by fields , and sends them to the C2 server using the URL /servlet/SendMassage2 .", "spans": {"Indicator: /servlet/SendMassage2": [[129, 150]]}, "info": {"id": "cyner2_5class_train_03072", "source": "cyner2_5class_train"}} +{"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue .", "spans": {"Organization: Google": [[4, 10]], "Organization: Amazon": [[114, 120]]}, "info": {"id": "cyner2_5class_train_03073", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Admedia Multi.Threats.InArchive Trojan.Dropper Win32/Donnic.D Win.Downloader.Small-3527 Trojan-Downloader.Win32.QQHelper.va Trojan.Win32.QQHelper.ybwad Troj.Downloader.W32!c Trojan.DownLoader.14343 Backdoor.CPEX.Win32.15449 BehavesLike.Win32.Backdoor.tc Trojan-Downloader.Win32.QQHelper TrojanDownloader.VB.lr TR/Dldr.Harnig.5 
Trojan[Downloader]/Win32.QQHelper Trojan:Win32/Zaptusk.A Trojan-Downloader.Win32.QQHelper.va Worm.WhiteIce Trj/Multidropper.BQE Win32.Trojan-downloader.Qqhelper.Dzaq Win32/Trojan.Downloader.c98", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Admedia": [[26, 50]], "Indicator: Multi.Threats.InArchive": [[51, 74]], "Indicator: Trojan.Dropper": [[75, 89]], "Indicator: Win32/Donnic.D": [[90, 104]], "Indicator: Win.Downloader.Small-3527": [[105, 130]], "Indicator: Trojan-Downloader.Win32.QQHelper.va": [[131, 166], [427, 462]], "Indicator: Trojan.Win32.QQHelper.ybwad": [[167, 194]], "Indicator: Troj.Downloader.W32!c": [[195, 216]], "Indicator: Trojan.DownLoader.14343": [[217, 240]], "Indicator: Backdoor.CPEX.Win32.15449": [[241, 266]], "Indicator: BehavesLike.Win32.Backdoor.tc": [[267, 296]], "Indicator: Trojan-Downloader.Win32.QQHelper": [[297, 329]], "Indicator: TrojanDownloader.VB.lr": [[330, 352]], "Indicator: TR/Dldr.Harnig.5": [[353, 369]], "Indicator: Trojan[Downloader]/Win32.QQHelper": [[370, 403]], "Indicator: Trojan:Win32/Zaptusk.A": [[404, 426]], "Indicator: Worm.WhiteIce": [[463, 476]], "Indicator: Trj/Multidropper.BQE": [[477, 497]], "Indicator: Win32.Trojan-downloader.Qqhelper.Dzaq": [[498, 535]], "Indicator: Win32/Trojan.Downloader.c98": [[536, 563]]}, "info": {"id": "cyner2_5class_train_03074", "source": "cyner2_5class_train"}} +{"text": "After spending more time analyzing the proxy, we realized that the requests we were receiving were not related to ad-fraud activity as we initially suspected but instead appeared to be for some sort of VPN service.", "spans": {"Indicator: ad-fraud": [[114, 122]], "System: VPN service.": [[202, 214]]}, "info": {"id": "cyner2_5class_train_03075", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: AutoIt.Trojan.Injector.bq Trojan.Autoit W32/Injector.COJ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AutoIt.Trojan.Injector.bq": [[26, 51]], "Indicator: Trojan.Autoit": 
[[52, 65]], "Indicator: W32/Injector.COJ!tr": [[66, 85]]}, "info": {"id": "cyner2_5class_train_03076", "source": "cyner2_5class_train"}} +{"text": "Thanks to Allwinner , a Chinese ARM system-on-a-chip maker , which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor .", "spans": {"Organization: Allwinner": [[10, 19]], "System: ARM": [[32, 35]], "System: Linux": [[114, 119]]}, "info": {"id": "cyner2_5class_train_03077", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Obfuscated.KU Trojan.Win32.Inject!O Trojan.Inject.Win32.41934 Trojan/Inject.bsb Win32.Trojan.WisdomEyes.16070401.9500.9746 Win.Trojan.Inject-12484 Trojan.Obfuscated.KU Trojan.Obfuscated.KU Trojan.Win32.Inject.cwlvrx AdWare.W32.Cinmus.kYTY Trojan.Obfuscated.KU Trojan.DownLoader1.2110 Trojan.Win32.Malware.a Trojan.Rootkit Trojan/Win32.Inject Win32.Adware.CinmusT.lm.230980 Trojan.Obfuscated.KU Trojan:Win32/Cinmus.K Trojan/Win32.Inject.C140611 Trojan.Obfuscated.KU Trojan.Win32.Malware.a SScope.Trojan.Cinmus.39 Win32.Trojan.Inject.bidk Trojan.Inject!Lqw/iuX+8xA W32/Malware_fam.NB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Obfuscated.KU": [[26, 46], [180, 200], [201, 221], [272, 292], [406, 426], [477, 497]], "Indicator: Trojan.Win32.Inject!O": [[47, 68]], "Indicator: Trojan.Inject.Win32.41934": [[69, 94]], "Indicator: Trojan/Inject.bsb": [[95, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9746": [[113, 155]], "Indicator: Win.Trojan.Inject-12484": [[156, 179]], "Indicator: Trojan.Win32.Inject.cwlvrx": [[222, 248]], "Indicator: AdWare.W32.Cinmus.kYTY": [[249, 271]], "Indicator: Trojan.DownLoader1.2110": [[293, 316]], "Indicator: Trojan.Win32.Malware.a": [[317, 339], [498, 520]], "Indicator: Trojan.Rootkit": [[340, 354]], "Indicator: Trojan/Win32.Inject": [[355, 374]], "Indicator: Win32.Adware.CinmusT.lm.230980": [[375, 405]], "Indicator: Trojan:Win32/Cinmus.K": [[427, 448]], 
"Indicator: Trojan/Win32.Inject.C140611": [[449, 476]], "Indicator: SScope.Trojan.Cinmus.39": [[521, 544]], "Indicator: Win32.Trojan.Inject.bidk": [[545, 569]], "Indicator: Trojan.Inject!Lqw/iuX+8xA": [[570, 595]], "Indicator: W32/Malware_fam.NB": [[596, 614]]}, "info": {"id": "cyner2_5class_train_03078", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Trojan.Foreign.Win32.57563 Trojan.Johnnie.D12DD3 Trojan-Ransom.Win32.Foreign.nxyh Trojan.Win32.Panda.exmste Trojan.Win32.Z.Johnnie.582144 Trojan.PWS.Panda.12917 BehavesLike.Win32.Backdoor.hc Trojan.Win32.Crypt W32/Trojan.MEZF-9098 TR/AD.PepaBot.pabel TrojanDropper:Win32/Ropest.A Trojan-Ransom.Win32.Foreign.nxyh TrojanPSW.Panda Trj/GdSda.A W32/Kryptik.FQTY!tr Win32/Trojan.acd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Trojan.Foreign.Win32.57563": [[39, 65]], "Indicator: Trojan.Johnnie.D12DD3": [[66, 87]], "Indicator: Trojan-Ransom.Win32.Foreign.nxyh": [[88, 120], [319, 351]], "Indicator: Trojan.Win32.Panda.exmste": [[121, 146]], "Indicator: Trojan.Win32.Z.Johnnie.582144": [[147, 176]], "Indicator: Trojan.PWS.Panda.12917": [[177, 199]], "Indicator: BehavesLike.Win32.Backdoor.hc": [[200, 229]], "Indicator: Trojan.Win32.Crypt": [[230, 248]], "Indicator: W32/Trojan.MEZF-9098": [[249, 269]], "Indicator: TR/AD.PepaBot.pabel": [[270, 289]], "Indicator: TrojanDropper:Win32/Ropest.A": [[290, 318]], "Indicator: TrojanPSW.Panda": [[352, 367]], "Indicator: Trj/GdSda.A": [[368, 379]], "Indicator: W32/Kryptik.FQTY!tr": [[380, 399]], "Indicator: Win32/Trojan.acd": [[400, 416]]}, "info": {"id": "cyner2_5class_train_03079", "source": "cyner2_5class_train"}} +{"text": "Dozens of targets may receive the exact same message.", "spans": {}, "info": {"id": "cyner2_5class_train_03080", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Dialer.10624 Trojan.Dialer.AY Trojan/Dialer.ay Trojan.Dialer.AU1 W32/Qdialer.J 
Dialer.DialPlatform Win32/SilentCaller.D TROJ_MALQES.A Trojan.Win32.Dialer.ay Trojan.Dialer.AY Trojan.Win32.Dialer.ay!IK TrojWare.Win32.Dialer.NAD Dialer.Silent TR/Drop.Delf.DJ.3 TROJ_MALQES.A Trojan/Dialer.ay Trojan:Win32/Adialer.AX Trojan.Win32.Dialer.10656 Win-AppCare/Dialer.10624 Trojan.Dialer.AY W32/Qdialer.J OScope.Dialer.VL Win32/Dialer.NAD Trojan.Win32.Dialer.ay Dialer.8.AP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Dialer.10624": [[26, 49]], "Indicator: Trojan.Dialer.AY": [[50, 66], [194, 210], [401, 417]], "Indicator: Trojan/Dialer.ay": [[67, 83], [309, 325]], "Indicator: Trojan.Dialer.AU1": [[84, 101]], "Indicator: W32/Qdialer.J": [[102, 115], [418, 431]], "Indicator: Dialer.DialPlatform": [[116, 135]], "Indicator: Win32/SilentCaller.D": [[136, 156]], "Indicator: TROJ_MALQES.A": [[157, 170], [295, 308]], "Indicator: Trojan.Win32.Dialer.ay": [[171, 193], [466, 488]], "Indicator: Trojan.Win32.Dialer.ay!IK": [[211, 236]], "Indicator: TrojWare.Win32.Dialer.NAD": [[237, 262]], "Indicator: Dialer.Silent": [[263, 276]], "Indicator: TR/Drop.Delf.DJ.3": [[277, 294]], "Indicator: Trojan:Win32/Adialer.AX": [[326, 349]], "Indicator: Trojan.Win32.Dialer.10656": [[350, 375]], "Indicator: Win-AppCare/Dialer.10624": [[376, 400]], "Indicator: OScope.Dialer.VL": [[432, 448]], "Indicator: Win32/Dialer.NAD": [[449, 465]], "Indicator: Dialer.8.AP": [[489, 500]]}, "info": {"id": "cyner2_5class_train_03081", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Inject.68935 Packed.Win32.TDSS!O Trojan/Inject.oc Win32.Trojan.WisdomEyes.16070401.9500.9868 Backdoor.Trojan Trojan.Win32.Inject.oc Trojan.Win32.Inject.wpzg Troj.W32.Inject.oc!c BackDoor.Exte BehavesLike.Win32.Backdoor.kc Net-Worm.Win32.Mofeir Trojan/Inject.amwy Trojan/Win32.Inject Trojan:Win32/Oexsi.A Trojan.Win32.Inject.oc Trojan/Win32.Inject.C27812 Trojan.Inject Trojan.Downloader W32/BanLoader.AAAC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan/W32.Inject.68935": [[26, 49]], "Indicator: Packed.Win32.TDSS!O": [[50, 69]], "Indicator: Trojan/Inject.oc": [[70, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9868": [[87, 129]], "Indicator: Backdoor.Trojan": [[130, 145]], "Indicator: Trojan.Win32.Inject.oc": [[146, 168], [341, 363]], "Indicator: Trojan.Win32.Inject.wpzg": [[169, 193]], "Indicator: Troj.W32.Inject.oc!c": [[194, 214]], "Indicator: BackDoor.Exte": [[215, 228]], "Indicator: BehavesLike.Win32.Backdoor.kc": [[229, 258]], "Indicator: Net-Worm.Win32.Mofeir": [[259, 280]], "Indicator: Trojan/Inject.amwy": [[281, 299]], "Indicator: Trojan/Win32.Inject": [[300, 319]], "Indicator: Trojan:Win32/Oexsi.A": [[320, 340]], "Indicator: Trojan/Win32.Inject.C27812": [[364, 390]], "Indicator: Trojan.Inject": [[391, 404]], "Indicator: Trojan.Downloader": [[405, 422]], "Indicator: W32/BanLoader.AAAC!tr": [[423, 444]]}, "info": {"id": "cyner2_5class_train_03082", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_KREP.D Trojan.DownLoad3.10695 Trojan.Swisyn.Win32.8140 TROJ_KREP.D Trojan/Swisyn.jnt Trojan:Win32/Trixpi.A Trojan-Downloader.win32.Delf.xoq W32/Mdrop.CQO!tr Trojan.Win32.Trixpi.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_KREP.D": [[26, 37], [86, 97]], "Indicator: Trojan.DownLoad3.10695": [[38, 60]], "Indicator: Trojan.Swisyn.Win32.8140": [[61, 85]], "Indicator: Trojan/Swisyn.jnt": [[98, 115]], "Indicator: Trojan:Win32/Trixpi.A": [[116, 137]], "Indicator: Trojan-Downloader.win32.Delf.xoq": [[138, 170]], "Indicator: W32/Mdrop.CQO!tr": [[171, 187]], "Indicator: Trojan.Win32.Trixpi.A": [[188, 209]]}, "info": {"id": "cyner2_5class_train_03083", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.SdBot.25088.Q Backdoor/Afbot.a BKDR_POEBOT.DK Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_POEBOT.DK Backdoor.Win32.Afbot.a Trojan.Win32.Afbot.daze Backdoor.Win32.S.Afbot.25088 Backdoor.W32.Afbot.a!c 
Backdoor.Win32.Afbot.~A BackDoor.IRC.Afbot Backdoor.Afbot.Win32.1 Backdoor/Afbot.a Trojan[Backdoor]/Win32.Afbot Backdoor:Win32/Afbot.A Backdoor.Win32.Afbot.a Backdoor.Afbot Bck/Iroffer.BG Win32.Backdoor.Afbot.Szbp Backdoor.Afbot!ktevPrMqQWw W32/Afbot.A!tr.bdr Win32/Backdoor.BO.3c4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.SdBot.25088.Q": [[26, 52]], "Indicator: Backdoor/Afbot.a": [[53, 69], [324, 340]], "Indicator: BKDR_POEBOT.DK": [[70, 84], [144, 158]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[85, 127]], "Indicator: Backdoor.Trojan": [[128, 143]], "Indicator: Backdoor.Win32.Afbot.a": [[159, 181], [393, 415]], "Indicator: Trojan.Win32.Afbot.daze": [[182, 205]], "Indicator: Backdoor.Win32.S.Afbot.25088": [[206, 234]], "Indicator: Backdoor.W32.Afbot.a!c": [[235, 257]], "Indicator: Backdoor.Win32.Afbot.~A": [[258, 281]], "Indicator: BackDoor.IRC.Afbot": [[282, 300]], "Indicator: Backdoor.Afbot.Win32.1": [[301, 323]], "Indicator: Trojan[Backdoor]/Win32.Afbot": [[341, 369]], "Indicator: Backdoor:Win32/Afbot.A": [[370, 392]], "Indicator: Backdoor.Afbot": [[416, 430]], "Indicator: Bck/Iroffer.BG": [[431, 445]], "Indicator: Win32.Backdoor.Afbot.Szbp": [[446, 471]], "Indicator: Backdoor.Afbot!ktevPrMqQWw": [[472, 498]], "Indicator: W32/Afbot.A!tr.bdr": [[499, 517]], "Indicator: Win32/Backdoor.BO.3c4": [[518, 539]]}, "info": {"id": "cyner2_5class_train_03084", "source": "cyner2_5class_train"}} +{"text": "We were also able to confirm that the phone number he provided to the domain registrar was genuine .", "spans": {}, "info": {"id": "cyner2_5class_train_03085", "source": "cyner2_5class_train"}} +{"text": "When installed on a device , apps containing adware may , among other things : Annoy users with intrusive advertisements , including scam ads Waste the device ’ s battery resources Generate increased network traffic Gather users ’ personal information Hide their presence on the affected device to achieve persistence Generate 
revenue for their operator without any user interaction Conclusion Based solely on open source intelligence , we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps .", "spans": {"Malware: Ashas": [[480, 485]]}, "info": {"id": "cyner2_5class_train_03086", "source": "cyner2_5class_train"}} +{"text": "These SQL servers are also used for command and control C2 functionality.", "spans": {"System: SQL servers": [[6, 17]], "Indicator: command and control C2": [[36, 58]]}, "info": {"id": "cyner2_5class_train_03087", "source": "cyner2_5class_train"}} +{"text": "Figure 4 shows MyReceiver in action where it eventually calls the MainService service .", "spans": {}, "info": {"id": "cyner2_5class_train_03088", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Cosmu!O Worm.NadIote Trojan.Cosmu.Win32.2079 Win32.Worm.VB.pf W32/Risk.BXNI-0011 Win32/VB.AZL Trojan.Win32.Cosmu.ist Trojan.Win32.Cosmu.cojafm Win32.Trojan.Cosmu.Eehn Worm.Win32.Pronny.BL Win32.HLLW.Autoruner.14654 BehavesLike.Win32.VBObfus.fm W32/MalwareS.AKRW Trojan/Cosmu.pri Trojan/Win32.Cosmu Trojan.Win32.Cosmu.315392.A Trojan.Win32.Cosmu.ist HEUR/Fakon.mwf Trojan.VBO.05376 Trojan.Cosmu Win32/AutoRun.Spy.VB.E Trojan.Cosmu!52KOHqBZvHU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Cosmu!O": [[26, 46]], "Indicator: Worm.NadIote": [[47, 59]], "Indicator: Trojan.Cosmu.Win32.2079": [[60, 83]], "Indicator: Win32.Worm.VB.pf": [[84, 100]], "Indicator: W32/Risk.BXNI-0011": [[101, 119]], "Indicator: Win32/VB.AZL": [[120, 132]], "Indicator: Trojan.Win32.Cosmu.ist": [[133, 155], [365, 387]], "Indicator: Trojan.Win32.Cosmu.cojafm": [[156, 181]], "Indicator: Win32.Trojan.Cosmu.Eehn": [[182, 205]], "Indicator: Worm.Win32.Pronny.BL": [[206, 226]], "Indicator: Win32.HLLW.Autoruner.14654": [[227, 253]], "Indicator: BehavesLike.Win32.VBObfus.fm": [[254, 282]], "Indicator: W32/MalwareS.AKRW": [[283, 
300]], "Indicator: Trojan/Cosmu.pri": [[301, 317]], "Indicator: Trojan/Win32.Cosmu": [[318, 336]], "Indicator: Trojan.Win32.Cosmu.315392.A": [[337, 364]], "Indicator: HEUR/Fakon.mwf": [[388, 402]], "Indicator: Trojan.VBO.05376": [[403, 419]], "Indicator: Trojan.Cosmu": [[420, 432]], "Indicator: Win32/AutoRun.Spy.VB.E": [[433, 455]], "Indicator: Trojan.Cosmu!52KOHqBZvHU": [[456, 480]]}, "info": {"id": "cyner2_5class_train_03089", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9950 Backdoor.Noknef TSPY_KONNI.A Trojan.Win32.Graftor.eoiwlz Dropper.S.Konni.266752 Trojan.MulDrop7.31720 TSPY_KONNI.A BehavesLike.Win32.Fake.dm W32/Trojan.NPTT-8320 TR/Graftor.266752.17 Trojan:Win32/Konny.A Backdoor.Noknef Backdoor.Win32.Hupigon Malicious_Behavior.SB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9950": [[46, 88]], "Indicator: Backdoor.Noknef": [[89, 104], [293, 308]], "Indicator: TSPY_KONNI.A": [[105, 117], [191, 203]], "Indicator: Trojan.Win32.Graftor.eoiwlz": [[118, 145]], "Indicator: Dropper.S.Konni.266752": [[146, 168]], "Indicator: Trojan.MulDrop7.31720": [[169, 190]], "Indicator: BehavesLike.Win32.Fake.dm": [[204, 229]], "Indicator: W32/Trojan.NPTT-8320": [[230, 250]], "Indicator: TR/Graftor.266752.17": [[251, 271]], "Indicator: Trojan:Win32/Konny.A": [[272, 292]], "Indicator: Backdoor.Win32.Hupigon": [[309, 331]], "Indicator: Malicious_Behavior.SB": [[332, 353]]}, "info": {"id": "cyner2_5class_train_03090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur2.FU.E930ED Backdoor.Trojan Adware.Mutabaha.1206 Trojan:Win32/Winnti.V!dha Trojan.Win32.Z.Svchorse.725184 BScope.Trojan.SvcHorse.01643 PossibleThreat.SB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur2.FU.E930ED": [[26, 48]], "Indicator: Backdoor.Trojan": [[49, 64]], "Indicator: 
Adware.Mutabaha.1206": [[65, 85]], "Indicator: Trojan:Win32/Winnti.V!dha": [[86, 111]], "Indicator: Trojan.Win32.Z.Svchorse.725184": [[112, 142]], "Indicator: BScope.Trojan.SvcHorse.01643": [[143, 171]], "Indicator: PossibleThreat.SB!tr": [[172, 192]]}, "info": {"id": "cyner2_5class_train_03091", "source": "cyner2_5class_train"}} +{"text": "Wild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter and Microsoft.", "spans": {"Malware: Wild Neutron": [[0, 12]], "Organization: companies": [[70, 79]], "Organization: Apple, Facebook, Twitter": [[88, 112]], "Organization: Microsoft.": [[117, 127]]}, "info": {"id": "cyner2_5class_train_03092", "source": "cyner2_5class_train"}} +{"text": "Triggers ET rules for: RadminRMS, XPCSpyPro, RemoteAdmin.RemoteUtilities.C", "spans": {"Indicator: Triggers": [[0, 8]], "Malware: RadminRMS,": [[23, 33]], "Malware: XPCSpyPro,": [[34, 44]], "Malware: RemoteAdmin.RemoteUtilities.C": [[45, 74]]}, "info": {"id": "cyner2_5class_train_03093", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Win32.Trojan.WisdomEyes.16070401.9500.9756 Win.Trojan.VB-472 Trojan-Dropper.Win32.Mudrop.bq Trojan.MulDrop.5694 Downloader.VB.Win32.99231 BehavesLike.Win32.RAHack.hh TrojanDropper.Mudrop.dv Trojan[Dropper]/Win32.Mudrop TrojanDropper:Win32/Popuper.N Trojan.Downloader-SysMon Trojan-Dropper.Win32.Mudrop.bq TScope.Malware-Cryptor.SB Trojan-Dropper.Win32.Mudrop", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Mudrop!O": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9756": [[56, 98]], "Indicator: Win.Trojan.VB-472": [[99, 116]], "Indicator: Trojan-Dropper.Win32.Mudrop.bq": [[117, 147], [330, 360]], "Indicator: Trojan.MulDrop.5694": [[148, 167]], "Indicator: Downloader.VB.Win32.99231": [[168, 193]], "Indicator: BehavesLike.Win32.RAHack.hh": [[194, 221]], "Indicator: TrojanDropper.Mudrop.dv": [[222, 245]], 
"Indicator: Trojan[Dropper]/Win32.Mudrop": [[246, 274]], "Indicator: TrojanDropper:Win32/Popuper.N": [[275, 304]], "Indicator: Trojan.Downloader-SysMon": [[305, 329]], "Indicator: TScope.Malware-Cryptor.SB": [[361, 386]], "Indicator: Trojan-Dropper.Win32.Mudrop": [[387, 414]]}, "info": {"id": "cyner2_5class_train_03094", "source": "cyner2_5class_train"}} +{"text": "These include domains, file names, Java package names, and Facebook activity.", "spans": {"Indicator: domains, file names, Java package names, and Facebook activity.": [[14, 77]]}, "info": {"id": "cyner2_5class_train_03095", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject.Win32.243804 Trojan.Win32.Delphi.ewuekh Trojan[Backdoor]/MSIL.NanoBot Trojan/Win32.Injector.R217510 Trojan.Symmi.D14210", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.Win32.243804": [[26, 52]], "Indicator: Trojan.Win32.Delphi.ewuekh": [[53, 79]], "Indicator: Trojan[Backdoor]/MSIL.NanoBot": [[80, 109]], "Indicator: Trojan/Win32.Injector.R217510": [[110, 139]], "Indicator: Trojan.Symmi.D14210": [[140, 159]]}, "info": {"id": "cyner2_5class_train_03096", "source": "cyner2_5class_train"}} +{"text": "After flashing , the bootkit will be removed .", "spans": {}, "info": {"id": "cyner2_5class_train_03097", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Loselove.A Backdoor.Loselove.A Trojan.Win32.Loselove.makvn Backdoor.Trojan BKDR_LOSELOVE.A Win32.Trojan Backdoor.Win32.Loselove Backdoor.Loselove.A Backdoor.Loselove.B Backdoor.Win32.Loselove.765952 Backdoor.Win32.Loselove.10 Backdoor.Loselove.A BackDoor.Loselove BDC/Loselove.1 BKDR_LOSELOVE.A Backdoor/LostLove.Client Win32.Hack.Loselove.kcloud Win-Trojan/Loselove.765952 Backdoor.Loselove.A Backdoor.Trojan Win32/Loselove.10 Backdoor.Win32.Loselove W32/Loselove.A!tr.bdr BackDoor.Loselove.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Loselove.A": [[26, 45], [46, 65], [163, 182], [261, 
280], [409, 428]], "Indicator: Trojan.Win32.Loselove.makvn": [[66, 93]], "Indicator: Backdoor.Trojan": [[94, 109], [429, 444]], "Indicator: BKDR_LOSELOVE.A": [[110, 125], [314, 329]], "Indicator: Win32.Trojan": [[126, 138]], "Indicator: Backdoor.Win32.Loselove": [[139, 162], [463, 486]], "Indicator: Backdoor.Loselove.B": [[183, 202]], "Indicator: Backdoor.Win32.Loselove.765952": [[203, 233]], "Indicator: Backdoor.Win32.Loselove.10": [[234, 260]], "Indicator: BackDoor.Loselove": [[281, 298]], "Indicator: BDC/Loselove.1": [[299, 313]], "Indicator: Backdoor/LostLove.Client": [[330, 354]], "Indicator: Win32.Hack.Loselove.kcloud": [[355, 381]], "Indicator: Win-Trojan/Loselove.765952": [[382, 408]], "Indicator: Win32/Loselove.10": [[445, 462]], "Indicator: W32/Loselove.A!tr.bdr": [[487, 508]], "Indicator: BackDoor.Loselove.A": [[509, 528]]}, "info": {"id": "cyner2_5class_train_03098", "source": "cyner2_5class_train"}} +{"text": "Potential infrastructure used to launch phishing attacks against the Macron presidential campaign.", "spans": {"System: infrastructure": [[10, 24]], "Indicator: phishing attacks": [[40, 56]], "Organization: the Macron presidential campaign.": [[65, 98]]}, "info": {"id": "cyner2_5class_train_03099", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DownLoader24.49714 TR/Crypt.Xpack.enmvj Trojan/Win32.Invader Trojan.Graftor.D5A2C5 TrojanDownloader:Win32/Furs.A Trojan.Inject Trj/CI.A Win32/Trojan.223", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader24.49714": [[26, 51]], "Indicator: TR/Crypt.Xpack.enmvj": [[52, 72]], "Indicator: Trojan/Win32.Invader": [[73, 93]], "Indicator: Trojan.Graftor.D5A2C5": [[94, 115]], "Indicator: TrojanDownloader:Win32/Furs.A": [[116, 145]], "Indicator: Trojan.Inject": [[146, 159]], "Indicator: Trj/CI.A": [[160, 168]], "Indicator: Win32/Trojan.223": [[169, 185]]}, "info": {"id": "cyner2_5class_train_03100", "source": "cyner2_5class_train"}} +{"text": "McAfee Labs has 
found that the latest Rovnix downloader now comes with the capability to check for the sinkholing of its control servers.", "spans": {"Organization: McAfee Labs": [[0, 11]], "Malware: Rovnix downloader": [[38, 55]], "Organization: check": [[89, 94]], "Indicator: sinkholing": [[103, 113]], "Indicator: control servers.": [[121, 137]]}, "info": {"id": "cyner2_5class_train_03101", "source": "cyner2_5class_train"}} +{"text": "Xiaomi , a privately owned Chinese electronics and software company , is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home .", "spans": {"Organization: Xiaomi": [[0, 6]]}, "info": {"id": "cyner2_5class_train_03102", "source": "cyner2_5class_train"}} +{"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_03103", "source": "cyner2_5class_train"}} +{"text": "Perkele intercepts mTANs ( confirmation codes for banking operations ) sent by the bank via text message .", "spans": {"Malware: Perkele": [[0, 7]]}, "info": {"id": "cyner2_5class_train_03104", "source": "cyner2_5class_train"}} +{"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call POWERSTATS", "spans": {"Indicator: attacks": [[11, 18]], "System: PowerShell-based": [[69, 85]], "Malware: backdoor": [[98, 106]], "Malware: POWERSTATS": [[115, 125]]}, "info": {"id": "cyner2_5class_train_03105", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Alaveensee Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.YNOK-2169 Trojan.DownLoader10.48462 Trojan.Graftor.D1D3B0 Backdoor:Win32/Alaveensee.AC!bit Trojan.DownLoader!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Alaveensee": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[46, 88]], "Indicator: 
W32/Trojan.YNOK-2169": [[89, 109]], "Indicator: Trojan.DownLoader10.48462": [[110, 135]], "Indicator: Trojan.Graftor.D1D3B0": [[136, 157]], "Indicator: Backdoor:Win32/Alaveensee.AC!bit": [[158, 190]], "Indicator: Trojan.DownLoader!": [[191, 209]]}, "info": {"id": "cyner2_5class_train_03106", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Dellogkbms.Trojan Trojan/W32.Small.40960.JU Trojan.Win32.ShipUp!O Trojan.Shipup.H5 Trojan.ShipUp.Win32.175 Trojan/ShipUp.nak Trojan.Zusy.DAD3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_SHIPUP_CA080195.TOMC Win.Trojan.Shipup-7 Trojan.Win32.ShipUp.fufz Trojan.Win32.ShipUp.ijffr Win32.Trojan.Shipup.Isq TrojWare.Win32.ShipUp.NAK Trojan.Shipup.192 TSPY_SHIPUP_CA080195.TOMC Trojan.Win32.ShipUp Trojan.ShipUp.ar TR/Offend.46438158 Trojan/Win32.ShipUp Trojan:Win32/Shipup.H Trojan.Win32.A.ShipUp.40960.EO Trojan.Win32.ShipUp.fufz Trojan/Win32.Shipup.R27635 Trojan.ShipUp Trojan.Dropper.FW Trojan.ShipUp!FM//sdnjcwM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Dellogkbms.Trojan": [[26, 47]], "Indicator: Trojan/W32.Small.40960.JU": [[48, 73]], "Indicator: Trojan.Win32.ShipUp!O": [[74, 95]], "Indicator: Trojan.Shipup.H5": [[96, 112]], "Indicator: Trojan.ShipUp.Win32.175": [[113, 136]], "Indicator: Trojan/ShipUp.nak": [[137, 154]], "Indicator: Trojan.Zusy.DAD3": [[155, 171]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[172, 214]], "Indicator: TSPY_SHIPUP_CA080195.TOMC": [[215, 240], [380, 405]], "Indicator: Win.Trojan.Shipup-7": [[241, 260]], "Indicator: Trojan.Win32.ShipUp.fufz": [[261, 285], [535, 559]], "Indicator: Trojan.Win32.ShipUp.ijffr": [[286, 311]], "Indicator: Win32.Trojan.Shipup.Isq": [[312, 335]], "Indicator: TrojWare.Win32.ShipUp.NAK": [[336, 361]], "Indicator: Trojan.Shipup.192": [[362, 379]], "Indicator: Trojan.Win32.ShipUp": [[406, 425]], "Indicator: Trojan.ShipUp.ar": [[426, 442]], "Indicator: TR/Offend.46438158": [[443, 461]], "Indicator: Trojan/Win32.ShipUp": [[462, 
481]], "Indicator: Trojan:Win32/Shipup.H": [[482, 503]], "Indicator: Trojan.Win32.A.ShipUp.40960.EO": [[504, 534]], "Indicator: Trojan/Win32.Shipup.R27635": [[560, 586]], "Indicator: Trojan.ShipUp": [[587, 600]], "Indicator: Trojan.Dropper.FW": [[601, 618]], "Indicator: Trojan.ShipUp!FM//sdnjcwM": [[619, 644]]}, "info": {"id": "cyner2_5class_train_03107", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.Ursnif Trojan.Ransom.99 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_HPCRYPMIC.SM2 Ransom_HPCRYPMIC.SM2 BehavesLike.Win32.Ransom.cc Trojan.Win32.Filecoder Trojan:Win32/Wirond.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Trojan.Ursnif": [[47, 60]], "Indicator: Trojan.Ransom.99": [[61, 77]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[78, 120]], "Indicator: Ransom_HPCRYPMIC.SM2": [[121, 141], [142, 162]], "Indicator: BehavesLike.Win32.Ransom.cc": [[163, 190]], "Indicator: Trojan.Win32.Filecoder": [[191, 213]], "Indicator: Trojan:Win32/Wirond.A": [[214, 235]]}, "info": {"id": "cyner2_5class_train_03108", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameJ9KFZDll.Trojan Adware.Heur.E313D2 Win32.Trojan.WisdomEyes.16070401.9500.9834 Trojan.Adclicker ApplicUnwnt.Win32.Adware.Boran._0 Trojan.DownLoad.6111 not-a-virus:AdWare.Win32.Boran Trojan:Win32/Fexacer.A ADSPY/Superid.A Trojan:Win32/Fexacer.A Trojan/Win32.Popwin.R61755 AdWare.Boran Win32/Adware.Boran", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameJ9KFZDll.Trojan": [[26, 51]], "Indicator: Adware.Heur.E313D2": [[52, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9834": [[71, 113]], "Indicator: Trojan.Adclicker": [[114, 130]], "Indicator: ApplicUnwnt.Win32.Adware.Boran._0": [[131, 164]], "Indicator: Trojan.DownLoad.6111": [[165, 185]], "Indicator: not-a-virus:AdWare.Win32.Boran": [[186, 216]], "Indicator: Trojan:Win32/Fexacer.A": [[217, 
239], [256, 278]], "Indicator: ADSPY/Superid.A": [[240, 255]], "Indicator: Trojan/Win32.Popwin.R61755": [[279, 305]], "Indicator: AdWare.Boran": [[306, 318]], "Indicator: Win32/Adware.Boran": [[319, 337]]}, "info": {"id": "cyner2_5class_train_03109", "source": "cyner2_5class_train"}} +{"text": "Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.", "spans": {"Indicator: waterholing": [[25, 36]]}, "info": {"id": "cyner2_5class_train_03110", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan.Xorist Ransom_Xorist.R029C0DLN17 Win32.Trojan.Filecoder.p W32/Ransom.GEQX-2455 Ransom_Xorist.R029C0DLN17 Trojan-Ransom.Win32.Xorist.lr Trojan.Win32.Xorist.ewkyne Trojan.Win32.Z.Xorist.3077 Troj.Ransom.W32!c Trojan.Win32.Xorist.b Trojan.Encoder.4210 Trojan.Xorist.Win32.1605 Trojan-Ransom.FileCoder Trojan.Xorist.wdr Trojan-Ransom.Win32.Xorist.lr Trojan:Win32/Eksor.A Worm/Win32.Zhelatin.C112256 Hoax.Xorist Trj/CI.A Win32/Filecoder.NFV W32/Filecoder.NFV!tr Win32/Trojan.Xorist.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Trojan.Xorist": [[65, 78]], "Indicator: Ransom_Xorist.R029C0DLN17": [[79, 104], [151, 176]], "Indicator: Win32.Trojan.Filecoder.p": [[105, 129]], "Indicator: W32/Ransom.GEQX-2455": [[130, 150]], "Indicator: Trojan-Ransom.Win32.Xorist.lr": [[177, 206], [388, 417]], "Indicator: Trojan.Win32.Xorist.ewkyne": [[207, 233]], "Indicator: Trojan.Win32.Z.Xorist.3077": [[234, 260]], "Indicator: Troj.Ransom.W32!c": [[261, 278]], "Indicator: Trojan.Win32.Xorist.b": [[279, 300]], "Indicator: Trojan.Encoder.4210": [[301, 320]], "Indicator: Trojan.Xorist.Win32.1605": [[321, 345]], "Indicator: Trojan-Ransom.FileCoder": [[346, 369]], "Indicator: Trojan.Xorist.wdr": [[370, 387]], 
"Indicator: Trojan:Win32/Eksor.A": [[418, 438]], "Indicator: Worm/Win32.Zhelatin.C112256": [[439, 466]], "Indicator: Hoax.Xorist": [[467, 478]], "Indicator: Trj/CI.A": [[479, 487]], "Indicator: Win32/Filecoder.NFV": [[488, 507]], "Indicator: W32/Filecoder.NFV!tr": [[508, 528]], "Indicator: Win32/Trojan.Xorist.A": [[529, 550]]}, "info": {"id": "cyner2_5class_train_03111", "source": "cyner2_5class_train"}} +{"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner2_5class_train_03112", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Onion.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.JIQA-6859 Ransom_.97182692 Trojan.Win32.CZOF.ejtmuo Trojan.Inject2.23490 Ransom_.97182692 BehavesLike.Win32.Ransom.cc TrojanDropper:Win32/Cerber.A Trojan/Win32.Cerber.R182622 Win32/Filecoder.Cerber.B Trojan.Injector!tlnazaf/C8k W32/Injector.DAJC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Onion.A": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[41, 83]], "Indicator: W32/Trojan.JIQA-6859": [[84, 104]], "Indicator: Ransom_.97182692": [[105, 121], [168, 184]], "Indicator: Trojan.Win32.CZOF.ejtmuo": [[122, 146]], "Indicator: Trojan.Inject2.23490": [[147, 167]], "Indicator: BehavesLike.Win32.Ransom.cc": [[185, 212]], "Indicator: TrojanDropper:Win32/Cerber.A": [[213, 241]], "Indicator: Trojan/Win32.Cerber.R182622": [[242, 269]], "Indicator: Win32/Filecoder.Cerber.B": [[270, 294]], "Indicator: Trojan.Injector!tlnazaf/C8k": [[295, 322]], "Indicator: W32/Injector.DAJC!tr": [[323, 343]]}, "info": {"id": "cyner2_5class_train_03113", "source": "cyner2_5class_train"}} +{"text": "Security firm ThreatFabric has discovered a new variant of the Xenomorph malware family, which it describes as the most advanced and dangerous Android banking trojans in circulation, and which has new features.", "spans": {"Organization: 
Security firm ThreatFabric": [[0, 26]], "Malware: variant": [[48, 55]], "Malware: the Xenomorph malware family,": [[59, 88]], "Malware: dangerous Android banking trojans": [[133, 166]]}, "info": {"id": "cyner2_5class_train_03114", "source": "cyner2_5class_train"}} +{"text": "The current attack took advantage of the compromise of a high-profile Tibetan activist .", "spans": {}, "info": {"id": "cyner2_5class_train_03115", "source": "cyner2_5class_train"}} +{"text": "After beginning an investigation into the affiliated malware samples and domains, we quickly came to realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform's CIMPLICITY HMI solution suite.", "spans": {"Malware: malware samples": [[53, 68]], "Indicator: domains,": [[73, 81]], "Organization: SCADA-centric victims": [[154, 175]], "Organization: GE Intelligent Platform's": [[190, 215]], "System: CIMPLICITY HMI solution suite.": [[216, 246]]}, "info": {"id": "cyner2_5class_train_03116", "source": "cyner2_5class_train"}} +{"text": "In the observed campaign, the attackers abuse a feature in Windows called the Windows Troubleshooting Platform WTP, intended for troubleshooting problems, to socially engineer the recipients into executing malware.", "spans": {"Vulnerability: abuse": [[40, 45]], "System: Windows": [[59, 66]], "Vulnerability: Windows Troubleshooting Platform WTP,": [[78, 115]], "Vulnerability: troubleshooting problems,": [[129, 154]]}, "info": {"id": "cyner2_5class_train_03117", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Yunsip.A5 W32.Yunsip Win32/Tnega.XWcDLN WORM_YUNSIP.SMR Trojan.Win32.FakeMS.tpd Trojan.PWS.Spy.20716 WORM_YUNSIP.SMR TR/PSW.Yunsip.axyza Trojan.Zusy.D56F7 Trojan.Win32.PSWIGames.191268 PWS:Win32/Yunsip.A Trojan/Win32.Infostealer.R758 TScope.Malware-Cryptor.SB Backdoor.Win32.Inject Trj/CI.A Trojan.Win32.FakeUsp10.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Yunsip.A5": 
[[26, 45]], "Indicator: W32.Yunsip": [[46, 56]], "Indicator: Win32/Tnega.XWcDLN": [[57, 75]], "Indicator: WORM_YUNSIP.SMR": [[76, 91], [137, 152]], "Indicator: Trojan.Win32.FakeMS.tpd": [[92, 115]], "Indicator: Trojan.PWS.Spy.20716": [[116, 136]], "Indicator: TR/PSW.Yunsip.axyza": [[153, 172]], "Indicator: Trojan.Zusy.D56F7": [[173, 190]], "Indicator: Trojan.Win32.PSWIGames.191268": [[191, 220]], "Indicator: PWS:Win32/Yunsip.A": [[221, 239]], "Indicator: Trojan/Win32.Infostealer.R758": [[240, 269]], "Indicator: TScope.Malware-Cryptor.SB": [[270, 295]], "Indicator: Backdoor.Win32.Inject": [[296, 317]], "Indicator: Trj/CI.A": [[318, 326]], "Indicator: Trojan.Win32.FakeUsp10.B": [[327, 351]]}, "info": {"id": "cyner2_5class_train_03118", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.5316 Trojan.Iframeexec Exploit.Html.Iframe.udgq BehavesLike.Win32.Dropper.wc W32/Trojan.MRKD-5424", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.5316": [[26, 42]], "Indicator: Trojan.Iframeexec": [[43, 60]], "Indicator: Exploit.Html.Iframe.udgq": [[61, 85]], "Indicator: BehavesLike.Win32.Dropper.wc": [[86, 114]], "Indicator: W32/Trojan.MRKD-5424": [[115, 135]]}, "info": {"id": "cyner2_5class_train_03119", "source": "cyner2_5class_train"}} +{"text": "No other significant changes were observed in the Trojan ’ s network behavior .", "spans": {}, "info": {"id": "cyner2_5class_train_03120", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.FC.316 MSIL.Backdoor.Orcus.A Trojan.DownLoader24.65022 Win-Trojan/OrcusRAT.Exp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.FC.316": [[26, 47]], "Indicator: MSIL.Backdoor.Orcus.A": [[48, 69]], "Indicator: Trojan.DownLoader24.65022": [[70, 95]], "Indicator: Win-Trojan/OrcusRAT.Exp": [[96, 119]]}, "info": {"id": "cyner2_5class_train_03121", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Paranoia.240640 
Application.Badjoke Riskware.Win32.Paranoia.cckyo JOKE_PARANOIA.A Joke.Paranoia Joke.Paranoia!EAb1BDrutFU Joke.Paranoia Trojan.Win32.E3E61A09 JOKE_PARANOIA.A JOKE/Paranoia.A Win-Trojan/Paranoia.240640 Hacktool.Win32.Paranoia.BA Win32/Joke.13f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Paranoia.240640": [[26, 52]], "Indicator: Application.Badjoke": [[53, 72]], "Indicator: Riskware.Win32.Paranoia.cckyo": [[73, 102]], "Indicator: JOKE_PARANOIA.A": [[103, 118], [195, 210]], "Indicator: Joke.Paranoia": [[119, 132], [159, 172]], "Indicator: Joke.Paranoia!EAb1BDrutFU": [[133, 158]], "Indicator: Trojan.Win32.E3E61A09": [[173, 194]], "Indicator: JOKE/Paranoia.A": [[211, 226]], "Indicator: Win-Trojan/Paranoia.240640": [[227, 253]], "Indicator: Hacktool.Win32.Paranoia.BA": [[254, 280]], "Indicator: Win32/Joke.13f": [[281, 295]]}, "info": {"id": "cyner2_5class_train_03122", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Hacktool.Mimikatz Win64.Riskware.Mimikatz.B Trojan.Win32.Meterpreter.ewppjl Tool.Mimikatz.88 BehavesLike.Win32.Worm.fh HackTool.Win32.Meterpreter HackTool/Win32.Meterpreter Unwanted/Win32.Mimikatz.R175513 Trj/GdSda.A Win32.Hacktool.Meterpreter.Pbfr Win32/Trojan.Hacktool.8d0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Hacktool.Mimikatz": [[46, 63]], "Indicator: Win64.Riskware.Mimikatz.B": [[64, 89]], "Indicator: Trojan.Win32.Meterpreter.ewppjl": [[90, 121]], "Indicator: Tool.Mimikatz.88": [[122, 138]], "Indicator: BehavesLike.Win32.Worm.fh": [[139, 164]], "Indicator: HackTool.Win32.Meterpreter": [[165, 191]], "Indicator: HackTool/Win32.Meterpreter": [[192, 218]], "Indicator: Unwanted/Win32.Mimikatz.R175513": [[219, 250]], "Indicator: Trj/GdSda.A": [[251, 262]], "Indicator: Win32.Hacktool.Meterpreter.Pbfr": [[263, 294]], "Indicator: Win32/Trojan.Hacktool.8d0": [[295, 320]]}, "info": {"id": "cyner2_5class_train_03123", "source": 
"cyner2_5class_train"}} +{"text": "It is likely that the analyzed samples were created using the private version, as they are designed to run on modern 64-bit systems, although they could have been built based on sold, leaked or stolen source code.", "spans": {"System: modern 64-bit systems,": [[110, 132]], "Indicator: leaked": [[184, 190]], "Indicator: stolen source code.": [[194, 213]]}, "info": {"id": "cyner2_5class_train_03124", "source": "cyner2_5class_train"}} +{"text": "In this blog, FireEye Labs dissects this new ATM malware that we have dubbed RIPPER due to the project name ATMRIPPER identified in the sample and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.", "spans": {"Organization: FireEye Labs": [[14, 26]], "Malware: ATM malware": [[45, 56]], "Malware: RIPPER": [[77, 83]], "Malware: ATMRIPPER": [[108, 117]], "Malware: malware": [[204, 211]], "Organization: ATMs": [[246, 250]], "Organization: banks": [[254, 259]]}, "info": {"id": "cyner2_5class_train_03125", "source": "cyner2_5class_train"}} +{"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs .", "spans": {}, "info": {"id": "cyner2_5class_train_03126", "source": "cyner2_5class_train"}} +{"text": "However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke.", "spans": {"Malware: MarsJoke.": [[104, 113]]}, "info": {"id": "cyner2_5class_train_03127", "source": "cyner2_5class_train"}} +{"text": "EventBot is under active development and is evolving rapidly ; new versions are released every few days with improvements and new capabilities .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_03128", "source": "cyner2_5class_train"}} +{"text": "Exploit kits often integrate new or zero-day exploits in the hopes of getting a larger number of 
victims with systems that may not be as up-to-date with their patches.", "spans": {"Malware: Exploit kits": [[0, 12]], "Vulnerability: zero-day exploits": [[36, 53]], "System: systems": [[110, 117]]}, "info": {"id": "cyner2_5class_train_03129", "source": "cyner2_5class_train"}} +{"text": "In 2013 , 3,905,502 installation packages were used by cybercriminals to distribute mobile malware .", "spans": {}, "info": {"id": "cyner2_5class_train_03130", "source": "cyner2_5class_train"}} +{"text": "upAppinfos function used for obtaining the device IMEI and all of its installed applications .", "spans": {}, "info": {"id": "cyner2_5class_train_03131", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TjnSpy.Golroted.S1819456 Trojan.Omaneat.Win32.266 Trojan/Injector.dkxl TSPY_FAREIT.SMBD W32/Omaneat.XICE-5093 TSPY_FAREIT.SMBD Trojan-Spy.MSIL.Omaneat.awa Trojan.Win32.Omaneat.eliuzg BehavesLike.Win32.Trojan.tc Trojan.Win32.Injector W32/Omaneat.Y Trojan[Spy]/MSIL.Omaneat TrojanSpy:MSIL/Golroted.B Trojan.Heur.E613EE Trojan-Spy.MSIL.Omaneat.awa Spyware/Win32.Omaneat.R194942 TrojanSpy.MSIL.Omaneat Trojan.Omaneat Win32/VB.OSK TrojanSpy.Omaneat! 
W32/Injector.DKXL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TjnSpy.Golroted.S1819456": [[26, 50]], "Indicator: Trojan.Omaneat.Win32.266": [[51, 75]], "Indicator: Trojan/Injector.dkxl": [[76, 96]], "Indicator: TSPY_FAREIT.SMBD": [[97, 113], [136, 152]], "Indicator: W32/Omaneat.XICE-5093": [[114, 135]], "Indicator: Trojan-Spy.MSIL.Omaneat.awa": [[153, 180], [343, 370]], "Indicator: Trojan.Win32.Omaneat.eliuzg": [[181, 208]], "Indicator: BehavesLike.Win32.Trojan.tc": [[209, 236]], "Indicator: Trojan.Win32.Injector": [[237, 258]], "Indicator: W32/Omaneat.Y": [[259, 272]], "Indicator: Trojan[Spy]/MSIL.Omaneat": [[273, 297]], "Indicator: TrojanSpy:MSIL/Golroted.B": [[298, 323]], "Indicator: Trojan.Heur.E613EE": [[324, 342]], "Indicator: Spyware/Win32.Omaneat.R194942": [[371, 400]], "Indicator: TrojanSpy.MSIL.Omaneat": [[401, 423]], "Indicator: Trojan.Omaneat": [[424, 438]], "Indicator: Win32/VB.OSK": [[439, 451]], "Indicator: TrojanSpy.Omaneat!": [[452, 470]], "Indicator: W32/Injector.DKXL!tr": [[471, 491]]}, "info": {"id": "cyner2_5class_train_03132", "source": "cyner2_5class_train"}} +{"text": "Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. 
and European Media organizations through spear-phishing that used a job recruitment theme.", "spans": {"Organization: Mandiant": [[47, 55]], "Indicator: intrusions": [[86, 96]], "Organization: U.S.": [[107, 111]], "Organization: European Media organizations": [[116, 144]], "Indicator: spear-phishing": [[153, 167]], "Indicator: a job recruitment theme.": [[178, 202]]}, "info": {"id": "cyner2_5class_train_03133", "source": "cyner2_5class_train"}} +{"text": "The conditionally injected script redirects to the Afraidgate campaign, which in turns pushes the Neutrino exploit kit.", "spans": {"Indicator: injected script": [[18, 33]], "Malware: Neutrino exploit kit.": [[98, 119]]}, "info": {"id": "cyner2_5class_train_03134", "source": "cyner2_5class_train"}} +{"text": "An investigation of Chrysaor Malware on Android 03 April 2017 Google is constantly working to improve our systems that protect users from Potentially Harmful Applications ( PHAs ) .", "spans": {"Malware: Chrysaor": [[20, 28]], "System: Android": [[40, 47]], "Organization: Google": [[62, 68]]}, "info": {"id": "cyner2_5class_train_03135", "source": "cyner2_5class_train"}} +{"text": "A recent tweet mentioned that a new banking malware called Nuclear Bot has started to appear for sale on underground marketplaces.", "spans": {"Malware: new banking malware": [[32, 51]], "Malware: Nuclear Bot": [[59, 70]]}, "info": {"id": "cyner2_5class_train_03136", "source": "cyner2_5class_train"}} +{"text": "Table 4 HenBox variant 's Intents and Receivers Most of the intents registered in the AndroidManifest.xml file , or loaded during run-time , are commonly found in malicious Android apps .", "spans": {"Malware: HenBox": [[8, 14]], "System: Android": [[173, 180]]}, "info": {"id": "cyner2_5class_train_03137", "source": "cyner2_5class_train"}} +{"text": "The type of data corresponding to the value coded in GolfSpy Figure 5 shows the code snippets that are involved in monitoring and recording the device ’ s phone call .", "spans": 
{"Malware: GolfSpy": [[53, 60]]}, "info": {"id": "cyner2_5class_train_03138", "source": "cyner2_5class_train"}} +{"text": "While the sample is a typical memory scraper, it appears to be hand rolled assembly language and comes in at only 5120 bytes.", "spans": {"Malware: memory scraper,": [[30, 45]], "System: assembly language": [[75, 92]], "Indicator: 5120 bytes.": [[114, 125]]}, "info": {"id": "cyner2_5class_train_03139", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.SMSHoax.DT Hoax.Win32.ArchSMS!O Hoax.ArchSMS Joke-ArchSMS.a Hoax.ArchSMS Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/SMShoax.A Win32/SMSSend.A Win.Trojan.Hoax-12 Hoax.Win32.ArchSMS.hzpg Application.SMSHoax.DT Riskware.Win32.Archsms.fuais Win32.Trojan-psw.Archsms.Wrqa Application.SMSHoax.DT Application.SMSHoax.DT Trojan.SMSSend.146 Trojan.ArchSMS.Win32.13 Joke-ArchSMS.a W32/SMShoax.FGEV-2767 JOKE/ArchSMS.A HackTool[Hoax]/Win32.ArchSMS Application.SMSHoax.DT Hoax.Win32.ArchSMS.hzpg Trojan:Win32/Zipparch.F Adware/Win32.SMSHoax.R15838 Trojan.SMS.23205 Application.SMSHoax.B Hoax.Win32.ArchSMS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.SMSHoax.DT": [[26, 48], [227, 249], [309, 331], [332, 354], [479, 501]], "Indicator: Hoax.Win32.ArchSMS!O": [[49, 69]], "Indicator: Hoax.ArchSMS": [[70, 82], [98, 110]], "Indicator: Joke-ArchSMS.a": [[83, 97], [398, 412]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[111, 153]], "Indicator: W32/SMShoax.A": [[154, 167]], "Indicator: Win32/SMSSend.A": [[168, 183]], "Indicator: Win.Trojan.Hoax-12": [[184, 202]], "Indicator: Hoax.Win32.ArchSMS.hzpg": [[203, 226], [502, 525]], "Indicator: Riskware.Win32.Archsms.fuais": [[250, 278]], "Indicator: Win32.Trojan-psw.Archsms.Wrqa": [[279, 308]], "Indicator: Trojan.SMSSend.146": [[355, 373]], "Indicator: Trojan.ArchSMS.Win32.13": [[374, 397]], "Indicator: W32/SMShoax.FGEV-2767": [[413, 434]], "Indicator: JOKE/ArchSMS.A": [[435, 449]], "Indicator: 
HackTool[Hoax]/Win32.ArchSMS": [[450, 478]], "Indicator: Trojan:Win32/Zipparch.F": [[526, 549]], "Indicator: Adware/Win32.SMSHoax.R15838": [[550, 577]], "Indicator: Trojan.SMS.23205": [[578, 594]], "Indicator: Application.SMSHoax.B": [[595, 616]], "Indicator: Hoax.Win32.ArchSMS": [[617, 635]]}, "info": {"id": "cyner2_5class_train_03140", "source": "cyner2_5class_train"}} +{"text": "In previous instances, Cyble Research and Intelligence Labs CRIL has exposed numerous phishing websites that have been used to steal sensitive data by utilizing a range of malware types, such as stealers, RATs, and bots.", "spans": {"Organization: Cyble Research": [[23, 37]], "Organization: Intelligence Labs CRIL": [[42, 64]], "Indicator: phishing websites": [[86, 103]], "Indicator: sensitive data": [[133, 147]], "Malware: malware": [[172, 179]], "Malware: stealers, RATs,": [[195, 210]], "Malware: bots.": [[215, 220]]}, "info": {"id": "cyner2_5class_train_03141", "source": "cyner2_5class_train"}} +{"text": "These website names are generated according to a clear algorithm : the first few letters are suggestive of popular classified ad services , followed by a random string of characters , followed by a two-letter top-level domain .", "spans": {}, "info": {"id": "cyner2_5class_train_03142", "source": "cyner2_5class_train"}} +{"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading .", "spans": {}, "info": {"id": "cyner2_5class_train_03143", "source": "cyner2_5class_train"}} +{"text": "Early last month, a new variant of mobile ransomware SLocker detected by Trend Micro as ANDROIDOS_SLOCKER.OPST was detected, copying the GUI of the now-infamous WannaCry.", "spans": {"Malware: mobile ransomware SLocker": [[35, 60]], "Organization: Trend Micro": [[73, 84]], "Indicator: ANDROIDOS_SLOCKER.OPST": [[88, 110]], "Malware: the now-infamous WannaCry.": [[144, 170]]}, "info": {"id": "cyner2_5class_train_03144", "source": 
"cyner2_5class_train"}} +{"text": "The Sundown exploit kit is a recent addition to the field of EKs, and analysis indicates that it is still in development by its creator.", "spans": {"Malware: Sundown exploit kit": [[4, 23]], "Malware: EKs,": [[61, 65]]}, "info": {"id": "cyner2_5class_train_03145", "source": "cyner2_5class_train"}} +{"text": "Apart from Banker, there are reports indicating that other banking Trojans, are doing the same thing.", "spans": {"Malware: Banker,": [[11, 18]], "Malware: banking Trojans,": [[59, 75]]}, "info": {"id": "cyner2_5class_train_03146", "source": "cyner2_5class_train"}} +{"text": "The app checks if the device ’ s network matches one of those provided by the server .", "spans": {}, "info": {"id": "cyner2_5class_train_03147", "source": "cyner2_5class_train"}} +{"text": "These more recent developments indicate that XLoader is still evolving .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner2_5class_train_03148", "source": "cyner2_5class_train"}} +{"text": "Allows an application to use SIP service .", "spans": {}, "info": {"id": "cyner2_5class_train_03149", "source": "cyner2_5class_train"}} +{"text": "SamSam is manually deployed ransomware.", "spans": {"Malware: SamSam": [[0, 6]], "Malware: ransomware.": [[28, 39]]}, "info": {"id": "cyner2_5class_train_03150", "source": "cyner2_5class_train"}} +{"text": "The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.", "spans": {"Organization: Japanese government, education, and commerce": [[26, 70]], "Indicator: attack": [[182, 188]], "System: infrastructure.": [[189, 204]]}, "info": {"id": "cyner2_5class_train_03151", "source": "cyner2_5class_train"}} +{"text": "USPS is the most well-known branch of the US government and provides a publicly funded postal service .", "spans": {"Organization: USPS": [[0, 4]]}, "info": {"id": 
"cyner2_5class_train_03152", "source": "cyner2_5class_train"}} +{"text": "With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.", "spans": {"System: Mac device": [[60, 70]], "Organization: owner": [[87, 92]], "System: machine": [[131, 138]]}, "info": {"id": "cyner2_5class_train_03153", "source": "cyner2_5class_train"}} +{"text": "We call the malware PowerSniff.", "spans": {"Malware: malware PowerSniff.": [[12, 31]]}, "info": {"id": "cyner2_5class_train_03154", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Funsoul.A Worm/W32.Funsoul.45568 W32/Funpo.worm I-Worm.Funsoul!LToVDiOSu1I W32.Funsoul@mm WORM_FUNSOUL.A Email-Worm.Win32.Funsoul Trojan.Win32.Funsoul.empb I-Worm.Win32.S.Funsoul.45568[h] Win32.Worm-email.Funsoul.Lizy Worm.Win32.Funpo.A Worm.Funsoul.Win32.1 WORM_FUNSOUL.A W32/Funpo.worm W32/Risk.JJPZ-6561 Worm:Win32/Funsoul.C W32.W.Funsoul!c Trojan/Win32.HDC Worm.Funsoul Win32/Funpo.A W32/Funsoul.A!worm Win32/Worm.724", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Funsoul.A": [[26, 41]], "Indicator: Worm/W32.Funsoul.45568": [[42, 64]], "Indicator: W32/Funpo.worm": [[65, 79], [305, 319]], "Indicator: I-Worm.Funsoul!LToVDiOSu1I": [[80, 106]], "Indicator: W32.Funsoul@mm": [[107, 121]], "Indicator: WORM_FUNSOUL.A": [[122, 136], [290, 304]], "Indicator: Email-Worm.Win32.Funsoul": [[137, 161]], "Indicator: Trojan.Win32.Funsoul.empb": [[162, 187]], "Indicator: I-Worm.Win32.S.Funsoul.45568[h]": [[188, 219]], "Indicator: Win32.Worm-email.Funsoul.Lizy": [[220, 249]], "Indicator: Worm.Win32.Funpo.A": [[250, 268]], "Indicator: Worm.Funsoul.Win32.1": [[269, 289]], "Indicator: W32/Risk.JJPZ-6561": [[320, 338]], "Indicator: Worm:Win32/Funsoul.C": [[339, 359]], "Indicator: W32.W.Funsoul!c": [[360, 375]], "Indicator: Trojan/Win32.HDC": [[376, 392]], "Indicator: Worm.Funsoul": 
[[393, 405]], "Indicator: Win32/Funpo.A": [[406, 419]], "Indicator: W32/Funsoul.A!worm": [[420, 438]], "Indicator: Win32/Worm.724": [[439, 453]]}, "info": {"id": "cyner2_5class_train_03155", "source": "cyner2_5class_train"}} +{"text": "Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel XLSM documents.", "spans": {"Malware: macro-enabled": [[47, 60]], "Indicator: Microsoft Excel XLSM documents.": [[61, 92]]}, "info": {"id": "cyner2_5class_train_03156", "source": "cyner2_5class_train"}} +{"text": "The Trojan has evolved since then , aided by a large-scale distribution campaign by its creators ( in spring-summer 2017 ) , helping Asacub to claim top spots in last year ’ s ranking by number of attacks among mobile banking Trojans , outperforming other families such as Svpeng and Faketoken .", "spans": {"Malware: Asacub": [[133, 139]], "Malware: Svpeng": [[273, 279]], "Malware: Faketoken": [[284, 293]]}, "info": {"id": "cyner2_5class_train_03157", "source": "cyner2_5class_train"}} +{"text": "Its main targets are armed forces, the defense industry, news media, politicians, and dissidents.", "spans": {"Organization: armed forces, the defense industry, news media, politicians,": [[21, 81]], "Organization: dissidents.": [[86, 97]]}, "info": {"id": "cyner2_5class_train_03158", "source": "cyner2_5class_train"}} +{"text": "The Trojan may connect to and send infection reports to the following remote location: [http://]46.45.138.138/pw/gate[REMOVED]", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: remote location: [http://]46.45.138.138/pw/gate[REMOVED]": [[70, 126]]}, "info": {"id": "cyner2_5class_train_03159", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downldr2.FRFU Backdoor.Trojan BackDoor.Calla.5 W32/Downloader.KWLG-4153 Backdoor:Win32/Matchaldru.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: 
W32/Downldr2.FRFU": [[69, 86]], "Indicator: Backdoor.Trojan": [[87, 102]], "Indicator: BackDoor.Calla.5": [[103, 119]], "Indicator: W32/Downloader.KWLG-4153": [[120, 144]], "Indicator: Backdoor:Win32/Matchaldru.B": [[145, 172]]}, "info": {"id": "cyner2_5class_train_03160", "source": "cyner2_5class_train"}} +{"text": "] 117:8080/api/v1/report/records.php hxxp : //88.99.227 [ .", "spans": {"Indicator: hxxp : //88.99.227 [ .": [[37, 59]]}, "info": {"id": "cyner2_5class_train_03161", "source": "cyner2_5class_train"}} +{"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ? Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy .", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[19, 42]]}, "info": {"id": "cyner2_5class_train_03162", "source": "cyner2_5class_train"}} +{"text": "] 711231 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_03163", "source": "cyner2_5class_train"}} +{"text": "There is a function called \" performGlobalAction '' with the description below .", "spans": {}, "info": {"id": "cyner2_5class_train_03164", "source": "cyner2_5class_train"}} +{"text": "Stealing Facebook credentials using fake Facebook activity is something we did n't observe in Spynote/Spymax versions but was seen in this spyware .", "spans": {"Organization: Facebook": [[9, 17], [41, 49]], "Malware: Spynote/Spymax": [[94, 108]]}, "info": {"id": "cyner2_5class_train_03165", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TR/AD.Fogels.hochw Trojan.Kazy.D161B6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: TR/AD.Fogels.hochw": [[69, 87]], "Indicator: Trojan.Kazy.D161B6": [[88, 106]]}, "info": {"id": "cyner2_5class_train_03166", "source": "cyner2_5class_train"}} +{"text": 
"Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "cyner2_5class_train_03167", "source": "cyner2_5class_train"}} +{"text": "The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# C Sharp Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family.", "spans": {"Malware: malware": [[4, 11]], "Malware: downloader": [[67, 77]], "Malware: Carp": [[93, 97]], "Malware: malicious macros": [[103, 119]], "Indicator: Microsoft Excel documents to compile embedded C# C Sharp Programming Language source code": [[123, 212]], "Indicator: executable": [[221, 231]], "Indicator: run": [[248, 251]], "Indicator: deploy": [[255, 261]], "Malware: the Cardinal RAT malware family.": [[262, 294]]}, "info": {"id": "cyner2_5class_train_03168", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.QuintesLTU.Trojan Win32.Klez.E@mm Worm/W32.Klez.114688 Email-Worm.Win32.Klez!O W32.Klez.E W32/Klez.e@MM Worm.Klez Worm.Klez.Win32.2 Worm.Klez W32/Klez.E@MM Win32.Worm.Klez.a W32/Klez.E@mm W32.Klez.E@mm Win32/Klez.E Win.Worm.Klez-2 Trojan.Win32.Staser.bqjn Win32.Klez.E@mm Trojan.Win32.Klez.gleq Win32.Klez.E@mm Worm.Win32.Klez.E Win32.HLLM.Klez.1 BehavesLike.Win32.Klez.cm Email-Worm.Win32.Klez.E W32/Klez.E@mm Worm/Klez.l W32.Worm.Klez WORM/Klez.E Worm[Email]/Win32.Klez.k Worm:Win32/Klez.E@mm Win32.Klez.EA8AF7 W32.W.Klez.l5N7 Trojan.Win32.Staser.bqjn Win32.Klez.E@mm Win32/Klez.worm.E Win32.Klez.E@mm Win32.HLLW.Klez.e I-Worm.Klez.E Win32/Klez.E I-Worm.Klez!qHFMVAGctoI W32/Klez.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.QuintesLTU.Trojan": [[26, 47]], "Indicator: Win32.Klez.E@mm": [[48, 63], [286, 301], [325, 340], [584, 599], [618, 633]], "Indicator: Worm/W32.Klez.114688": [[64, 84]], "Indicator: Email-Worm.Win32.Klez!O": [[85, 108]], "Indicator: 
W32.Klez.E": [[109, 119]], "Indicator: W32/Klez.e@MM": [[120, 133]], "Indicator: Worm.Klez": [[134, 143], [162, 171]], "Indicator: Worm.Klez.Win32.2": [[144, 161]], "Indicator: W32/Klez.E@MM": [[172, 185]], "Indicator: Win32.Worm.Klez.a": [[186, 203]], "Indicator: W32/Klez.E@mm": [[204, 217], [427, 440]], "Indicator: W32.Klez.E@mm": [[218, 231]], "Indicator: Win32/Klez.E": [[232, 244], [666, 678]], "Indicator: Win.Worm.Klez-2": [[245, 260]], "Indicator: Trojan.Win32.Staser.bqjn": [[261, 285], [559, 583]], "Indicator: Trojan.Win32.Klez.gleq": [[302, 324]], "Indicator: Worm.Win32.Klez.E": [[341, 358]], "Indicator: Win32.HLLM.Klez.1": [[359, 376]], "Indicator: BehavesLike.Win32.Klez.cm": [[377, 402]], "Indicator: Email-Worm.Win32.Klez.E": [[403, 426]], "Indicator: Worm/Klez.l": [[441, 452]], "Indicator: W32.Worm.Klez": [[453, 466]], "Indicator: WORM/Klez.E": [[467, 478]], "Indicator: Worm[Email]/Win32.Klez.k": [[479, 503]], "Indicator: Worm:Win32/Klez.E@mm": [[504, 524]], "Indicator: Win32.Klez.EA8AF7": [[525, 542]], "Indicator: W32.W.Klez.l5N7": [[543, 558]], "Indicator: Win32/Klez.worm.E": [[600, 617]], "Indicator: Win32.HLLW.Klez.e": [[634, 651]], "Indicator: I-Worm.Klez.E": [[652, 665]], "Indicator: I-Worm.Klez!qHFMVAGctoI": [[679, 702]], "Indicator: W32/Klez.F": [[703, 713]]}, "info": {"id": "cyner2_5class_train_03169", "source": "cyner2_5class_train"}} +{"text": "The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015.", "spans": {"Malware: RAT,": [[4, 8]]}, "info": {"id": "cyner2_5class_train_03170", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Win.Trojan.VB-48987 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.ltLS Win32.Virut.56 PE_VIRUX.R Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 Virus.Win32.Virut.ce Win32.Virus.Virut.U 
Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP Virus.Win32.Virut W32/Sality.AO Virus.Win32.Virut.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.1938": [[73, 95]], "Indicator: W32.Virut.CF": [[96, 108]], "Indicator: Win32/Virut.17408": [[109, 126]], "Indicator: PE_VIRUX.R": [[127, 137], [232, 242]], "Indicator: Win.Trojan.VB-48987": [[138, 157]], "Indicator: Virus.Win32.Virut.ce": [[158, 178], [301, 321]], "Indicator: Virus.Win32.Virut.hpeg": [[179, 201]], "Indicator: W32.Virut.ltLS": [[202, 216]], "Indicator: Win32.Virut.56": [[217, 231]], "Indicator: Win32/Virut.bt": [[243, 257]], "Indicator: Virus/Win32.Virut.ce": [[258, 278]], "Indicator: Win32.Virut.dd.368640": [[279, 300]], "Indicator: Win32.Virus.Virut.U": [[322, 341]], "Indicator: Win32/Virut.F": [[342, 355]], "Indicator: Virus.Virut.14": [[356, 370]], "Indicator: Win32/Virut.NBP": [[371, 386]], "Indicator: Virus.Win32.Virut": [[387, 404]], "Indicator: W32/Sality.AO": [[405, 418]], "Indicator: Virus.Win32.Virut.M": [[419, 438]]}, "info": {"id": "cyner2_5class_train_03171", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Icefog Backdoor.Trojan Backdoor.Win32.Icefog.as Backdoor.W32.Icefog!c BackDoor.Apper.1 BehavesLike.Win32.Downloader.hh W32/Trojan.KWYX-5577 Backdoor.Icefog.a Trojan[Backdoor]/Win32.Icefog Trojan.Johnnie.D5485 Backdoor.Win32.Icefog.as Trj/GdSda.A Win32.Backdoor.Icefog.Hmrl Win32/Trojan.db2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Icefog": [[26, 41]], "Indicator: Backdoor.Trojan": [[42, 57]], "Indicator: Backdoor.Win32.Icefog.as": [[58, 82], [244, 268]], "Indicator: Backdoor.W32.Icefog!c": [[83, 104]], "Indicator: BackDoor.Apper.1": [[105, 121]], "Indicator: BehavesLike.Win32.Downloader.hh": [[122, 153]], "Indicator: W32/Trojan.KWYX-5577": [[154, 174]], "Indicator: Backdoor.Icefog.a": 
[[175, 192]], "Indicator: Trojan[Backdoor]/Win32.Icefog": [[193, 222]], "Indicator: Trojan.Johnnie.D5485": [[223, 243]], "Indicator: Trj/GdSda.A": [[269, 280]], "Indicator: Win32.Backdoor.Icefog.Hmrl": [[281, 307]], "Indicator: Win32/Trojan.db2": [[308, 324]]}, "info": {"id": "cyner2_5class_train_03172", "source": "cyner2_5class_train"}} +{"text": "One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector .", "spans": {}, "info": {"id": "cyner2_5class_train_03173", "source": "cyner2_5class_train"}} +{"text": "ESET presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen.", "spans": {"Organization: ESET": [[0, 4]], "Indicator: Win32/Potao": [[63, 74]], "Malware: malware family": [[75, 89]], "Organization: CCCC": [[106, 110]]}, "info": {"id": "cyner2_5class_train_03174", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Adware.YVXR-5520 Trojan.Win32.SMSSend.dqubwq Trojan.Win32.Z.Archsms.1443328 Win32.Risk.Hoax.Alsz ApplicUnwnt.Win32.Hoax.ArchSMS.ACW Trojan.SMSSend.4307 Trojan.ArchSMS.Win32.17489 BehavesLike.Win32.PUP.tc Trojan.Win32.Clustinex Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Trojan.Adware.SMSHoax.105 Trojan/Win32.ArchSMS.R77161 Hoax.ArchSMS!QwEIC3yXiN8 W32/ArchSMS.ACL!tr Win32/Trojan.a32", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Adware.YVXR-5520": [[26, 46]], "Indicator: Trojan.Win32.SMSSend.dqubwq": [[47, 74]], "Indicator: Trojan.Win32.Z.Archsms.1443328": [[75, 105]], "Indicator: Win32.Risk.Hoax.Alsz": [[106, 126]], "Indicator: ApplicUnwnt.Win32.Hoax.ArchSMS.ACW": [[127, 161]], "Indicator: Trojan.SMSSend.4307": [[162, 181]], "Indicator: Trojan.ArchSMS.Win32.17489": [[182, 208]], "Indicator: BehavesLike.Win32.PUP.tc": [[209, 233]], "Indicator: Trojan.Win32.Clustinex": [[234, 256]], "Indicator: Trojan/Win32.Unknown": [[257, 277]], "Indicator: 
Win32.Troj.Undef.kcloud": [[278, 301]], "Indicator: Trojan.Adware.SMSHoax.105": [[302, 327]], "Indicator: Trojan/Win32.ArchSMS.R77161": [[328, 355]], "Indicator: Hoax.ArchSMS!QwEIC3yXiN8": [[356, 380]], "Indicator: W32/ArchSMS.ACL!tr": [[381, 399]], "Indicator: Win32/Trojan.a32": [[400, 416]]}, "info": {"id": "cyner2_5class_train_03175", "source": "cyner2_5class_train"}} +{"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ .", "spans": {"Indicator: 31.214.157 [ .": [[38, 52]]}, "info": {"id": "cyner2_5class_train_03176", "source": "cyner2_5class_train"}} +{"text": "This spyware sample communicates over dynamic DNS .", "spans": {}, "info": {"id": "cyner2_5class_train_03177", "source": "cyner2_5class_train"}} +{"text": "The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload.", "spans": {"Indicator: social engineering tactics,": [[24, 51]], "Indicator: offering coupon vouchers": [[60, 84]], "System: free software applications": [[89, 115]], "System: WhatsApp": [[121, 129]], "System: Avast antivirus,": [[134, 150]], "Malware: malicious payload.": [[208, 226]]}, "info": {"id": "cyner2_5class_train_03178", "source": "cyner2_5class_train"}} +{"text": "] net is not awfully well maintained or updated to the latest apps available .", "spans": {}, "info": {"id": "cyner2_5class_train_03179", "source": "cyner2_5class_train"}} +{"text": "Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets.", "spans": {"Malware: Floki Bot": [[0, 9]], "Malware: malware variant": [[19, 34]]}, "info": {"id": "cyner2_5class_train_03180", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WinfarotLTSAAAM.Adware Trojan.SalityStub.F Heur.Trojan.Win32.Small.1!O Trojan.Peels.A Trojan/Small.aljd Trojan.SalityStub.F Win32.Trojan.Small.a W32.Sality!dam 
TROJ_SALSTUB.SMA Win.Trojan.Small-13502 Trojan.Win32.Small.cpd Trojan.SalityStub.F Trojan.Win32.SalityNHost.99328 Trojan.SalityStub.F TrojWare.Win32.Salrenmetie.A Trojan.SalityStub.F Win32.Sector TROJ_SALSTUB.SMA BehavesLike.Win32.PWSZbot.nm Trojan/Win32.Small.cpd Trojan:Win32/Salrenmetie.A Troj.W32.Small.mzKi Trojan.Win32.Small.cpd Trojan.SalityStub.F Trojan/Win32.Small.R10023 Trojan.SalityStub.F TrojanSpy.Zbot!8p0pyjPs4nM Trojan.Win32.Salrenmetie Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WinfarotLTSAAAM.Adware": [[26, 52]], "Indicator: Trojan.SalityStub.F": [[53, 72], [134, 153], [253, 272], [304, 323], [353, 372], [525, 544], [571, 590]], "Indicator: Heur.Trojan.Win32.Small.1!O": [[73, 100]], "Indicator: Trojan.Peels.A": [[101, 115]], "Indicator: Trojan/Small.aljd": [[116, 133]], "Indicator: Win32.Trojan.Small.a": [[154, 174]], "Indicator: W32.Sality!dam": [[175, 189]], "Indicator: TROJ_SALSTUB.SMA": [[190, 206], [386, 402]], "Indicator: Win.Trojan.Small-13502": [[207, 229]], "Indicator: Trojan.Win32.Small.cpd": [[230, 252], [502, 524]], "Indicator: Trojan.Win32.SalityNHost.99328": [[273, 303]], "Indicator: TrojWare.Win32.Salrenmetie.A": [[324, 352]], "Indicator: Win32.Sector": [[373, 385]], "Indicator: BehavesLike.Win32.PWSZbot.nm": [[403, 431]], "Indicator: Trojan/Win32.Small.cpd": [[432, 454]], "Indicator: Trojan:Win32/Salrenmetie.A": [[455, 481]], "Indicator: Troj.W32.Small.mzKi": [[482, 501]], "Indicator: Trojan/Win32.Small.R10023": [[545, 570]], "Indicator: TrojanSpy.Zbot!8p0pyjPs4nM": [[591, 617]], "Indicator: Trojan.Win32.Salrenmetie": [[618, 642]], "Indicator: Trj/CI.A": [[643, 651]]}, "info": {"id": "cyner2_5class_train_03181", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Logger WS.Reputation.1 Trojan-Spy.MSIL.KeyLogger.qle TrojanSpy.KeyLogger!Do8qrKyq4l4 TrojanSpy.MSIL.gka TrojanSpy:MSIL/Keylogger.O Trojan.Spy.Keylogger!4B6E MSIL/Keylogger.BBA!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: Trojan.Logger": [[26, 39]], "Indicator: WS.Reputation.1": [[40, 55]], "Indicator: Trojan-Spy.MSIL.KeyLogger.qle": [[56, 85]], "Indicator: TrojanSpy.KeyLogger!Do8qrKyq4l4": [[86, 117]], "Indicator: TrojanSpy.MSIL.gka": [[118, 136]], "Indicator: TrojanSpy:MSIL/Keylogger.O": [[137, 163]], "Indicator: Trojan.Spy.Keylogger!4B6E": [[164, 189]], "Indicator: MSIL/Keylogger.BBA!tr": [[190, 211]], "Indicator: Trj/CI.A": [[212, 220]]}, "info": {"id": "cyner2_5class_train_03182", "source": "cyner2_5class_train"}} +{"text": "Usually, Android banking malware is spread with the goal to convince users to install it based on the top rated app name and icon such as Super Mario Run Flash Player or WhatsApp", "spans": {"Malware: Android banking malware": [[9, 32]], "System: app": [[112, 115]], "Malware: Super Mario Run": [[138, 153]], "System: Flash Player": [[154, 166]], "System: WhatsApp": [[170, 178]]}, "info": {"id": "cyner2_5class_train_03183", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Davobevix!O Worm.Wahrecks.A8 Trojan/AutoRun.Delf.et Win32.Worm.Autorun.i Win32/Tnega.BQFWNFC Worm.Win32.AutoRun.gzzs Trojan.Win32.Davobevix.crigwr Worm.Win32.Delf.fc Worm:W32/Autorun.OI Win32.HLLW.Autoruner.26228 Worm/Win32.Davobevix Worm:Win32/Wahrecks.A Worm.Win32.AutoRun.gzzs Worm.Win32.Autorun.aee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Davobevix!O": [[26, 48]], "Indicator: Worm.Wahrecks.A8": [[49, 65]], "Indicator: Trojan/AutoRun.Delf.et": [[66, 88]], "Indicator: Win32.Worm.Autorun.i": [[89, 109]], "Indicator: Win32/Tnega.BQFWNFC": [[110, 129]], "Indicator: Worm.Win32.AutoRun.gzzs": [[130, 153], [293, 316]], "Indicator: Trojan.Win32.Davobevix.crigwr": [[154, 183]], "Indicator: Worm.Win32.Delf.fc": [[184, 202]], "Indicator: Worm:W32/Autorun.OI": [[203, 222]], "Indicator: Win32.HLLW.Autoruner.26228": [[223, 249]], "Indicator: Worm/Win32.Davobevix": [[250, 270]], "Indicator: Worm:Win32/Wahrecks.A": [[271, 292]], 
"Indicator: Worm.Win32.Autorun.aee": [[317, 339]]}, "info": {"id": "cyner2_5class_train_03184", "source": "cyner2_5class_train"}} +{"text": "Poseidon, also known as FindPOS, is a malware family designed for Windows point-of-sale systems.", "spans": {"Malware: Poseidon,": [[0, 9]], "Malware: FindPOS,": [[24, 32]], "Malware: malware": [[38, 45]], "System: Windows point-of-sale systems.": [[66, 96]]}, "info": {"id": "cyner2_5class_train_03185", "source": "cyner2_5class_train"}} +{"text": "Odin comes after a slight dip over the weekend in the number of samples we saw hitting our classifier so perhaps the authors took a break to pull in some changes.", "spans": {"Malware: Odin": [[0, 4]]}, "info": {"id": "cyner2_5class_train_03186", "source": "cyner2_5class_train"}} +{"text": "[Warning] infection of new Linux / Mayhem malware via Wordpress attacks", "spans": {"Indicator: infection": [[10, 19]], "System: Linux": [[27, 32]], "Malware: Mayhem malware": [[35, 49]], "Indicator: Wordpress attacks": [[54, 71]]}, "info": {"id": "cyner2_5class_train_03187", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Qqpass.16554 W32/Risk.TFVJ-6880 BehavesLike.Dropper.dc W32/MalwareF.IAIQ Trojan.Win32.Orsam", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Qqpass.16554": [[26, 48]], "Indicator: W32/Risk.TFVJ-6880": [[49, 67]], "Indicator: BehavesLike.Dropper.dc": [[68, 90]], "Indicator: W32/MalwareF.IAIQ": [[91, 108]], "Indicator: Trojan.Win32.Orsam": [[109, 127]]}, "info": {"id": "cyner2_5class_train_03188", "source": "cyner2_5class_train"}} +{"text": "Many of the functionalities seen in this spyware are similar to Spynote and Spymax based on the samples we analyzed with some modifications .", "spans": {"Malware: Spynote": [[64, 71]], "Malware: Spymax": [[76, 82]]}, "info": {"id": "cyner2_5class_train_03189", "source": "cyner2_5class_train"}} +{"text": "All of the victims are located in Italy .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03190", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.W.Burn.loBw Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.DCBA Win32.Botgor.1 BehavesLike.Win32.Backdoor.gz BehavesLike.Win32.ProcessHijack W32/Backdoor.RIAO-7334 Backdoor:Win32/Botgor.B Win32.Virus.Botgor.Pgwk W32/Botgor.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.W.Burn.loBw": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: W32/Backdoor2.DCBA": [[85, 103]], "Indicator: Win32.Botgor.1": [[104, 118]], "Indicator: BehavesLike.Win32.Backdoor.gz": [[119, 148]], "Indicator: BehavesLike.Win32.ProcessHijack": [[149, 180]], "Indicator: W32/Backdoor.RIAO-7334": [[181, 203]], "Indicator: Backdoor:Win32/Botgor.B": [[204, 227]], "Indicator: Win32.Virus.Botgor.Pgwk": [[228, 251]], "Indicator: W32/Botgor.C": [[252, 264]]}, "info": {"id": "cyner2_5class_train_03191", "source": "cyner2_5class_train"}} +{"text": "When an authorization token is stolen by a hacker , they can use this token to access all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos .", "spans": {"Organization: Google": [[94, 100]], "System: Google Play": [[142, 153]], "System: Gmail": [[156, 161]], "System: Google Docs": [[164, 175]], "System: Google Drive": [[178, 190]], "System: Google Photos": [[197, 210]]}, "info": {"id": "cyner2_5class_train_03192", "source": "cyner2_5class_train"}} +{"text": "The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files .", "spans": {}, "info": {"id": "cyner2_5class_train_03193", "source": "cyner2_5class_train"}} +{"text": "This means the attackers can steal the victim ’ s credentials for logging into apps , SMS and email messages , displayed cryptocurrency private keys , and even software-generated 2FA codes .", "spans": {}, "info": {"id": "cyner2_5class_train_03194", "source": "cyner2_5class_train"}} +{"text": 
"Also, the executable file is encoded in the Word document as an icon, and when it is executed it infects the system with a malware called ChChes.", "spans": {"Indicator: executable": [[10, 20]], "Indicator: the Word document": [[40, 57]], "Indicator: icon,": [[64, 69]], "System: system": [[109, 115]], "Malware: malware": [[123, 130]], "Malware: ChChes.": [[138, 145]]}, "info": {"id": "cyner2_5class_train_03195", "source": "cyner2_5class_train"}} +{"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices .", "spans": {"Malware: Skygofree": [[21, 30]], "Organization: Huawei": [[83, 89]]}, "info": {"id": "cyner2_5class_train_03196", "source": "cyner2_5class_train"}} +{"text": "This malicious app, a variant of Android/Twitoor.A, can't be found on any official Android app store – it probably spreads by SMS or via malicious URLs. It impersonates a porn player app or MMS application but without having their functionality.", "spans": {"Malware: malicious app,": [[5, 19]], "Indicator: Android/Twitoor.A,": [[33, 51]], "System: official Android app store": [[74, 100]], "Indicator: spreads": [[115, 122]], "Indicator: SMS": [[126, 129]], "Indicator: malicious URLs.": [[137, 152]], "Indicator: impersonates": [[156, 168]], "Indicator: porn player app or MMS application": [[171, 205]]}, "info": {"id": "cyner2_5class_train_03197", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan-GameThief.Lmir.a Heur:Trojan/PSW.WOW TrojanDownloader:Win32/Catinea.B Trojan.Graftor.D45818 Win32.Trojan.Graftor.Fig Trojan.Graftor!27RnMnK6sVU Trojan-GameThief.Win32.WOW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan-GameThief.Lmir.a": [[26, 55]], "Indicator: Heur:Trojan/PSW.WOW": [[56, 75]], "Indicator: TrojanDownloader:Win32/Catinea.B": [[76, 108]], "Indicator: Trojan.Graftor.D45818": [[109, 130]], "Indicator: Win32.Trojan.Graftor.Fig": [[131, 155]], "Indicator: Trojan.Graftor!27RnMnK6sVU": [[156, 
182]], "Indicator: Trojan-GameThief.Win32.WOW": [[183, 209]]}, "info": {"id": "cyner2_5class_train_03198", "source": "cyner2_5class_train"}} +{"text": "As of October 29, their technical team identified the problem and addressed the issue.", "spans": {"Organization: technical team": [[24, 38]]}, "info": {"id": "cyner2_5class_train_03199", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Llac.302593 TrojanPWS.Bropaler Trojan/Delf.opy Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Win32.Llac.kruq Trojan.Win32.Dwn.dzxxnb Troj.W32.Llac!c Trojan.DownLoader14.35508 Trojan.Llac.Win32.55406 BehavesLike.Win32.Worm.dc Trojan.Win32.PSW W32/Trojan.DQFT-9080 Trojan.Llac.bxm Trojan/Win32.Llac Trojan.Inject.2 Trojan.Win32.Llac.kruq PWS:Win32/Bropaler.A!bit Trojan.Llac Trj/GdSda.A Win32.Trojan.Llac.Sudw Trojan.Llac!VJVBvKAFEGg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Llac.302593": [[26, 48]], "Indicator: TrojanPWS.Bropaler": [[49, 67]], "Indicator: Trojan/Delf.opy": [[68, 83]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[84, 126]], "Indicator: Trojan.Win32.Llac.kruq": [[127, 149], [354, 376]], "Indicator: Trojan.Win32.Dwn.dzxxnb": [[150, 173]], "Indicator: Troj.W32.Llac!c": [[174, 189]], "Indicator: Trojan.DownLoader14.35508": [[190, 215]], "Indicator: Trojan.Llac.Win32.55406": [[216, 239]], "Indicator: BehavesLike.Win32.Worm.dc": [[240, 265]], "Indicator: Trojan.Win32.PSW": [[266, 282]], "Indicator: W32/Trojan.DQFT-9080": [[283, 303]], "Indicator: Trojan.Llac.bxm": [[304, 319]], "Indicator: Trojan/Win32.Llac": [[320, 337]], "Indicator: Trojan.Inject.2": [[338, 353]], "Indicator: PWS:Win32/Bropaler.A!bit": [[377, 401]], "Indicator: Trojan.Llac": [[402, 413]], "Indicator: Trj/GdSda.A": [[414, 425]], "Indicator: Win32.Trojan.Llac.Sudw": [[426, 448]], "Indicator: Trojan.Llac!VJVBvKAFEGg": [[449, 472]]}, "info": {"id": "cyner2_5class_train_03200", "source": "cyner2_5class_train"}} +{"text": "Proofpoint 
researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Indicator: large-scale malvertising attack": [[43, 74]], "Malware: Kovter ad fraud malware": [[136, 159]], "Malware: Kovter": [[214, 220]]}, "info": {"id": "cyner2_5class_train_03201", "source": "cyner2_5class_train"}} +{"text": "Cisco Talos discovered a new malicious campaign from the well known actor Group 74 aka Tsar Team, Sofacy, APT28, Fancy Bear….", "spans": {"Organization: Cisco Talos": [[0, 11]]}, "info": {"id": "cyner2_5class_train_03202", "source": "cyner2_5class_train"}} +{"text": "It maintained a heavy offensive focus on Myanmar, Vietnam, Singapore, the Philippines, Malaysia, and Laos.", "spans": {}, "info": {"id": "cyner2_5class_train_03203", "source": "cyner2_5class_train"}} +{"text": "A Chinese advanced persistent threat APT compromised Forbes.com to set up a watering hole style web-based drive-by attack against US Defense and Financial Services firms in late November 2014.", "spans": {"Indicator: Forbes.com": [[53, 63]], "Vulnerability: watering hole style web-based drive-by attack": [[76, 121]], "Organization: US Defense": [[130, 140]], "Organization: Financial Services firms": [[145, 169]]}, "info": {"id": "cyner2_5class_train_03204", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor:Win64/Warood.A BDoor.FCXN!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor:Win64/Warood.A": [[26, 49]], "Indicator: BDoor.FCXN!tr.bdr": [[50, 67]]}, "info": {"id": "cyner2_5class_train_03205", "source": "cyner2_5class_train"}} +{"text": "This precedent setting legal case would be followed by many Southeast Asian nations, as well as others around the globe.", "spans": {}, "info": {"id": "cyner2_5class_train_03206", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Trojan.Graftor.D3CA6C Trojan.Meciv! Win32/Meciv.G W32/Trojan.PSSM-5626 TR/Meciv.15872 Trojan.Win32.Z.Meciv.15872[h] Win32.Trojan.Strat.Ebgt Trojan.Win32.Meciv W32/Meciv.G!tr Trojan.Win32.Meciv.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Uds.Dangerousobject.Multi!c": [[26, 53]], "Indicator: Trojan.Graftor.D3CA6C": [[54, 75]], "Indicator: Trojan.Meciv!": [[76, 89]], "Indicator: Win32/Meciv.G": [[90, 103]], "Indicator: W32/Trojan.PSSM-5626": [[104, 124]], "Indicator: TR/Meciv.15872": [[125, 139]], "Indicator: Trojan.Win32.Z.Meciv.15872[h]": [[140, 169]], "Indicator: Win32.Trojan.Strat.Ebgt": [[170, 193]], "Indicator: Trojan.Win32.Meciv": [[194, 212]], "Indicator: W32/Meciv.G!tr": [[213, 227]], "Indicator: Trojan.Win32.Meciv.G": [[228, 248]]}, "info": {"id": "cyner2_5class_train_03207", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Other.Virus.[Trj]!c Trojan.O97M.Phish", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Other.Virus.[Trj]!c": [[26, 45]], "Indicator: Trojan.O97M.Phish": [[46, 63]]}, "info": {"id": "cyner2_5class_train_03208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.F820 Trojan.AVKiller.AW Trojan/W32.Packer.24576.CE Trojan.Pakes Trojan.AVKiller.AW Trojan.AVKiller.AW Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.AVKiller.AW Trojan.Win32.Pakes.blv Trojan.AVKiller.AW Trojan.AVKiller.AW TrojWare.Win32.TrojanSpy.SpyEyes.B Trojan.MulDrop.8347 BehavesLike.Win32.RAHack.mc Backdoor.Win32.Kbot.aq Trojan.Pakes.bgg Trojan/Win32.Pakes Win32.Hack.RCryptor.a.10301 Trojan.Win32.Pakes.blv SScope.Malware-Cryptor.Hlux Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.F820": [[26, 43]], "Indicator: Trojan.AVKiller.AW": [[44, 62], [103, 121], [122, 140], [184, 202], [226, 244], [245, 263]], "Indicator: Trojan/W32.Packer.24576.CE": [[63, 89]], "Indicator: Trojan.Pakes": 
[[90, 102]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[141, 183]], "Indicator: Trojan.Win32.Pakes.blv": [[203, 225], [434, 456]], "Indicator: TrojWare.Win32.TrojanSpy.SpyEyes.B": [[264, 298]], "Indicator: Trojan.MulDrop.8347": [[299, 318]], "Indicator: BehavesLike.Win32.RAHack.mc": [[319, 346]], "Indicator: Backdoor.Win32.Kbot.aq": [[347, 369]], "Indicator: Trojan.Pakes.bgg": [[370, 386]], "Indicator: Trojan/Win32.Pakes": [[387, 405]], "Indicator: Win32.Hack.RCryptor.a.10301": [[406, 433]], "Indicator: SScope.Malware-Cryptor.Hlux": [[457, 484]], "Indicator: Trj/CI.A": [[485, 493]]}, "info": {"id": "cyner2_5class_train_03209", "source": "cyner2_5class_train"}} +{"text": "] today somtum [ .", "spans": {"Indicator: somtum [ .": [[8, 18]]}, "info": {"id": "cyner2_5class_train_03210", "source": "cyner2_5class_train"}} +{"text": "Cyber criminals continue to use exploit kits to infect victims with ransomware but they also use MALSPAM emails to lure possible victims – a key vector into an enterprise environment that lacks the proper security controls, and one with insufficient information security training for end users.", "spans": {"Malware: exploit kits": [[32, 44]], "Malware: ransomware": [[68, 78]], "Indicator: MALSPAM emails": [[97, 111]], "Vulnerability: key vector": [[141, 151]], "Organization: enterprise environment": [[160, 182]], "Indicator: lacks the proper security controls,": [[188, 223]], "Indicator: insufficient information security training": [[237, 279]], "System: end users.": [[284, 294]]}, "info": {"id": "cyner2_5class_train_03211", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Axload!O TrojanDownloader.Axload Trojan/Downloader.Axload.o TROJ_FRAUDLOA.TT Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downldr2.DOEJ TROJ_FRAUDLOA.TT Win.Downloader.66976-1 Trojan-Downloader.Win32.Axload.az Trojan.Win32.Axload.vqczl Trojan.Win32.Downloader.134456 TrojWare.Win32.Trojan.DNSChanger.~CRSE 
Trojan.DownLoader.59074 BehavesLike.Win32.Injector.ch W32/Downloader.HFNI-1674 TrojanDownloader.AxLoad.r SPR/Fake.C Trojan[Downloader]/Win32.Axload Troj.Downloader.W32.Axload.o!c Trojan-Downloader.Win32.Axload.az TrojanDownloader:Win32/Axload.A Trojan.BHORA.012841 Win32.Trojan-downloader.Axload.Dun Trojan.DL.Renos!Exa/gyOk4i0 Trojan-Downloader.Win32.Renos.AQ Win32/Trojan.Downloader.9f3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Axload!O": [[26, 58]], "Indicator: TrojanDownloader.Axload": [[59, 82]], "Indicator: Trojan/Downloader.Axload.o": [[83, 109]], "Indicator: TROJ_FRAUDLOA.TT": [[110, 126], [188, 204]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[127, 169]], "Indicator: W32/Downldr2.DOEJ": [[170, 187]], "Indicator: Win.Downloader.66976-1": [[205, 227]], "Indicator: Trojan-Downloader.Win32.Axload.az": [[228, 261], [537, 570]], "Indicator: Trojan.Win32.Axload.vqczl": [[262, 287]], "Indicator: Trojan.Win32.Downloader.134456": [[288, 318]], "Indicator: TrojWare.Win32.Trojan.DNSChanger.~CRSE": [[319, 357]], "Indicator: Trojan.DownLoader.59074": [[358, 381]], "Indicator: BehavesLike.Win32.Injector.ch": [[382, 411]], "Indicator: W32/Downloader.HFNI-1674": [[412, 436]], "Indicator: TrojanDownloader.AxLoad.r": [[437, 462]], "Indicator: SPR/Fake.C": [[463, 473]], "Indicator: Trojan[Downloader]/Win32.Axload": [[474, 505]], "Indicator: Troj.Downloader.W32.Axload.o!c": [[506, 536]], "Indicator: TrojanDownloader:Win32/Axload.A": [[571, 602]], "Indicator: Trojan.BHORA.012841": [[603, 622]], "Indicator: Win32.Trojan-downloader.Axload.Dun": [[623, 657]], "Indicator: Trojan.DL.Renos!Exa/gyOk4i0": [[658, 685]], "Indicator: Trojan-Downloader.Win32.Renos.AQ": [[686, 718]], "Indicator: Win32/Trojan.Downloader.9f3": [[719, 746]]}, "info": {"id": "cyner2_5class_train_03212", "source": "cyner2_5class_train"}} +{"text": "The Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter 
relating to EventBot .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[121, 129]]}, "info": {"id": "cyner2_5class_train_03213", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.CoinMiner.S Trojan-Downloader.Win32.SetupFactory!O Trojan.Miner Application.CoinMiner.S Trojan.Win32.Z.Coinminer.938434 Troj.W32.Miner!c Application.CoinMiner.S Application.CoinMiner.S Tool.BtcMine.1149 W32/Trojan.FXQE-8469 Trojan/Win32.Vehidis Trojan:Win64/Stratumine.B Trojan.Vehidis Trj/CI.A Win32.Trojan.Miner.Alsn Win32/Trojan.Ransom.7fc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.CoinMiner.S": [[26, 49], [102, 125], [175, 198], [199, 222]], "Indicator: Trojan-Downloader.Win32.SetupFactory!O": [[50, 88]], "Indicator: Trojan.Miner": [[89, 101]], "Indicator: Trojan.Win32.Z.Coinminer.938434": [[126, 157]], "Indicator: Troj.W32.Miner!c": [[158, 174]], "Indicator: Tool.BtcMine.1149": [[223, 240]], "Indicator: W32/Trojan.FXQE-8469": [[241, 261]], "Indicator: Trojan/Win32.Vehidis": [[262, 282]], "Indicator: Trojan:Win64/Stratumine.B": [[283, 308]], "Indicator: Trojan.Vehidis": [[309, 323]], "Indicator: Trj/CI.A": [[324, 332]], "Indicator: Win32.Trojan.Miner.Alsn": [[333, 356]], "Indicator: Win32/Trojan.Ransom.7fc": [[357, 380]]}, "info": {"id": "cyner2_5class_train_03214", "source": "cyner2_5class_train"}} +{"text": "Malicious module “ ip ” This file will be executed by the patched system library .", "spans": {}, "info": {"id": "cyner2_5class_train_03215", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Cerber.FA Ransom/W32.Cerber.561843.B Ransom.Cerber.S363870 Trojan.Ransom.Cerber.FA Trojan.Ransom.Cerber.FA Win32.Trojan.Kryptik.bin Ransom_HPCERBER.SMALY5A Win.Ransomware.Cerber-5970079-0 Trojan.Ransom.Cerber.FA Trojan.Ransom.Cerber.FA Trojan.Win32.Kryptik.eljryo Trojan.Ransom.Cerber.FA Trojan.Encoder.7453 Trojan.Kryptik.Win32.998775 Ransom_HPCERBER.SMALY5A 
BehavesLike.Win32.Ransomware.hh Trojan-Ransom.Cerber Trojan.Zerber.amh TR/Crypt.ZPACK.mblws Trojan[Ransom]/Win32.Zerber Trojan.Menti Ransom.Cerber Trojan.Zerber! Win32/Trojan.e14", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Cerber.FA": [[26, 49], [99, 122], [123, 146], [228, 251], [252, 275], [304, 327]], "Indicator: Ransom/W32.Cerber.561843.B": [[50, 76]], "Indicator: Ransom.Cerber.S363870": [[77, 98]], "Indicator: Win32.Trojan.Kryptik.bin": [[147, 171]], "Indicator: Ransom_HPCERBER.SMALY5A": [[172, 195], [376, 399]], "Indicator: Win.Ransomware.Cerber-5970079-0": [[196, 227]], "Indicator: Trojan.Win32.Kryptik.eljryo": [[276, 303]], "Indicator: Trojan.Encoder.7453": [[328, 347]], "Indicator: Trojan.Kryptik.Win32.998775": [[348, 375]], "Indicator: BehavesLike.Win32.Ransomware.hh": [[400, 431]], "Indicator: Trojan-Ransom.Cerber": [[432, 452]], "Indicator: Trojan.Zerber.amh": [[453, 470]], "Indicator: TR/Crypt.ZPACK.mblws": [[471, 491]], "Indicator: Trojan[Ransom]/Win32.Zerber": [[492, 519]], "Indicator: Trojan.Menti": [[520, 532]], "Indicator: Ransom.Cerber": [[533, 546]], "Indicator: Trojan.Zerber!": [[547, 561]], "Indicator: Win32/Trojan.e14": [[562, 578]]}, "info": {"id": "cyner2_5class_train_03216", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9771 Win.Worm.VBMania-1 Win32.Trojan.Visal.A Trojan.Win32.Swisyn.ajwe TrojWare.Win32.VB.YNB Trojan.MulDrop6.48042 Trojan/Swisyn.kkp Worm:Win32/Visal.A Trojan.Win32.Swisyn.ajwe Virus.Win32.Vbinder", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9771": [[26, 68]], "Indicator: Win.Worm.VBMania-1": [[69, 87]], "Indicator: Win32.Trojan.Visal.A": [[88, 108]], "Indicator: Trojan.Win32.Swisyn.ajwe": [[109, 133], [215, 239]], "Indicator: TrojWare.Win32.VB.YNB": [[134, 155]], "Indicator: Trojan.MulDrop6.48042": [[156, 177]], "Indicator: Trojan/Swisyn.kkp": [[178, 195]], "Indicator: 
Worm:Win32/Visal.A": [[196, 214]], "Indicator: Virus.Win32.Vbinder": [[240, 259]]}, "info": {"id": "cyner2_5class_train_03217", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.VB.Win32.85130 TrojanDownloader.VB Trojan-Downloader.Win32.VB.bkxc Trojan.DownLoader9.27791 TrojanDownloader.VB.dikm TrojanDownloader:Win32/Gurip.A Trojan.Heur.EE8DE0 Trojan-Downloader.Win32.VB.bkxc Trojan.Downloader.VB Trojan.DL.VB!q71Z8AF5llY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.VB.Win32.85130": [[26, 51]], "Indicator: TrojanDownloader.VB": [[52, 71]], "Indicator: Trojan-Downloader.Win32.VB.bkxc": [[72, 103], [204, 235]], "Indicator: Trojan.DownLoader9.27791": [[104, 128]], "Indicator: TrojanDownloader.VB.dikm": [[129, 153]], "Indicator: TrojanDownloader:Win32/Gurip.A": [[154, 184]], "Indicator: Trojan.Heur.EE8DE0": [[185, 203]], "Indicator: Trojan.Downloader.VB": [[236, 256]], "Indicator: Trojan.DL.VB!q71Z8AF5llY": [[257, 281]]}, "info": {"id": "cyner2_5class_train_03218", "source": "cyner2_5class_train"}} +{"text": "The message was sent from an account created under her name on lesser known email provider 1 1's Mail.com, a common tactic in recent months, with a link to a file hosted on Dropbox and an additional credential phishing attempt.", "spans": {"Indicator: message": [[4, 11]], "Indicator: account": [[29, 36]], "Indicator: name": [[55, 59]], "System: email provider": [[76, 90]], "Indicator: 1 1's Mail.com,": [[91, 106]], "Organization: Dropbox": [[173, 180]]}, "info": {"id": "cyner2_5class_train_03219", "source": "cyner2_5class_train"}} +{"text": "Update Jul 11 2016 8:32 : On Monday , a Checkpoint representative disputed Lookout 's contention and pointed to this blog post from security firm Eleven Paths as support .", "spans": {"Organization: Checkpoint": [[40, 50]], "Organization: Lookout": [[75, 82]], "Organization: Eleven Paths": [[146, 158]]}, "info": {"id": "cyner2_5class_train_03220", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TaskmanMispD.Trojan Worm/W32.Vobfus.217088 Worm.Win32.Vobfus!O Worm.Raideloz.A3 W32/Autorun.worm.aaeh W32/Vobfus.ahox WORM_VOBFUS.SMJA Win32.Worm.Pronny.dn WORM_VOBFUS.SMJA Win.Worm.Vobfus-12049 Worm.Win32.WBNA.ipa Trojan.Win32.Vobfus.cinarv Worm.Win32.A.Vobfus.155648.F WIN.Troj.Vobfus.lEaX Worm.Win32.Vobfus.AJR Win32.HLLW.Autoruner1.29632 BehavesLike.Win32.VBObfus.dm Worm/Vobfus.mos Worm:Win32/Raideloz.A Trojan.Barys.DA54 Worm.Win32.WBNA.ipa Worm/Win32.Vobfus.R43029 Worm.Vobfus Worm.Win32.Raideloz W32/VBObfus.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TaskmanMispD.Trojan": [[26, 49]], "Indicator: Worm/W32.Vobfus.217088": [[50, 72]], "Indicator: Worm.Win32.Vobfus!O": [[73, 92]], "Indicator: Worm.Raideloz.A3": [[93, 109]], "Indicator: W32/Autorun.worm.aaeh": [[110, 131]], "Indicator: W32/Vobfus.ahox": [[132, 147]], "Indicator: WORM_VOBFUS.SMJA": [[148, 164], [186, 202]], "Indicator: Win32.Worm.Pronny.dn": [[165, 185]], "Indicator: Win.Worm.Vobfus-12049": [[203, 224]], "Indicator: Worm.Win32.WBNA.ipa": [[225, 244], [457, 476]], "Indicator: Trojan.Win32.Vobfus.cinarv": [[245, 271]], "Indicator: Worm.Win32.A.Vobfus.155648.F": [[272, 300]], "Indicator: WIN.Troj.Vobfus.lEaX": [[301, 321]], "Indicator: Worm.Win32.Vobfus.AJR": [[322, 343]], "Indicator: Win32.HLLW.Autoruner1.29632": [[344, 371]], "Indicator: BehavesLike.Win32.VBObfus.dm": [[372, 400]], "Indicator: Worm/Vobfus.mos": [[401, 416]], "Indicator: Worm:Win32/Raideloz.A": [[417, 438]], "Indicator: Trojan.Barys.DA54": [[439, 456]], "Indicator: Worm/Win32.Vobfus.R43029": [[477, 501]], "Indicator: Worm.Vobfus": [[502, 513]], "Indicator: Worm.Win32.Raideloz": [[514, 533]], "Indicator: W32/VBObfus.C!tr": [[534, 550]]}, "info": {"id": "cyner2_5class_train_03221", "source": "cyner2_5class_train"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner2_5class_train_03222", "source": "cyner2_5class_train"}} +{"text": "This report 
expands the Mexican investigation and shows how 10 Mexican journalists and human rights defenders, one minor child, and one United States citizen, were targeted with NSO's Exploit Framework.", "spans": {"Organization: the Mexican investigation": [[20, 45]], "Organization: Mexican journalists": [[63, 82]], "Organization: human rights defenders, one minor child,": [[87, 127]], "Organization: one United States citizen,": [[132, 158]], "Malware: NSO's Exploit Framework.": [[178, 202]]}, "info": {"id": "cyner2_5class_train_03223", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.KillAV Worm.Win32.Delf.ag Packed.Win32.Klone.~KE Trojan.DownLoader.origin Trojan-Downloader.Win32.Delf!IK Trojan-Downloader.Win32.Delf W32/PEMask.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.KillAV": [[26, 39]], "Indicator: Worm.Win32.Delf.ag": [[40, 58]], "Indicator: Packed.Win32.Klone.~KE": [[59, 81]], "Indicator: Trojan.DownLoader.origin": [[82, 106]], "Indicator: Trojan-Downloader.Win32.Delf!IK": [[107, 138]], "Indicator: Trojan-Downloader.Win32.Delf": [[139, 167]], "Indicator: W32/PEMask.B!tr": [[168, 183]]}, "info": {"id": "cyner2_5class_train_03224", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke/W32.BadJoke.20500 Hoax.Vb Hoax.Win32.BadJoke.VB.d Riskware.Win32.Anywork.hrys Joke.Miracle Tool.BadJoke.Win32.176 BehavesLike.Win32.PUP.mz Hoax.Win32.BadJoke.VB Hoax.BadJoke.djv HackTool[Hoax]/Win32.VB Win32.Joke.WorkJoke.a.kcloud Hoax.Win32.BadJoke.VB.d Joke:Win32/Small.NAO Unwanted/Win32.Badjoke.R100207 BadJoke.Win32.VB.d Trojan.VBRA.02296 Win32.Trojan-psw.Badjoke.Plui", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke/W32.BadJoke.20500": [[26, 48]], "Indicator: Hoax.Vb": [[49, 56]], "Indicator: Hoax.Win32.BadJoke.VB.d": [[57, 80], [262, 285]], "Indicator: Riskware.Win32.Anywork.hrys": [[81, 108]], "Indicator: Joke.Miracle": [[109, 121]], "Indicator: Tool.BadJoke.Win32.176": [[122, 144]], "Indicator: 
BehavesLike.Win32.PUP.mz": [[145, 169]], "Indicator: Hoax.Win32.BadJoke.VB": [[170, 191]], "Indicator: Hoax.BadJoke.djv": [[192, 208]], "Indicator: HackTool[Hoax]/Win32.VB": [[209, 232]], "Indicator: Win32.Joke.WorkJoke.a.kcloud": [[233, 261]], "Indicator: Joke:Win32/Small.NAO": [[286, 306]], "Indicator: Unwanted/Win32.Badjoke.R100207": [[307, 337]], "Indicator: BadJoke.Win32.VB.d": [[338, 356]], "Indicator: Trojan.VBRA.02296": [[357, 374]], "Indicator: Win32.Trojan-psw.Badjoke.Plui": [[375, 404]]}, "info": {"id": "cyner2_5class_train_03225", "source": "cyner2_5class_train"}} +{"text": "Fake tax spam leads to malware:", "spans": {"Indicator: Fake tax spam": [[0, 13]], "Malware: malware:": [[23, 31]]}, "info": {"id": "cyner2_5class_train_03226", "source": "cyner2_5class_train"}} +{"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "cyner2_5class_train_03227", "source": "cyner2_5class_train"}} +{"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief .", "spans": {"Organization: SophosLabs": [[47, 57]], "Malware: Red Alert Trojan": [[161, 177]]}, "info": {"id": "cyner2_5class_train_03228", "source": "cyner2_5class_train"}} +{"text": "On April 7th 2017 Haifei Li published on the McAfee blog1 about a Critical Office Zero-Day in the wild.", "spans": {"Organization: Haifei Li": [[18, 27]], "Organization: McAfee": [[45, 51]], "Vulnerability: Critical Office Zero-Day": [[66, 90]]}, "info": {"id": "cyner2_5class_train_03229", "source": "cyner2_5class_train"}} +{"text": "Notice notice the use of the mistaken “ Word ” instead of “ World ” : “ On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples 
Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled by the great enthusiasm , contribution and desire from all in attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances .", "spans": {"Organization: Word Uyghur Congress ( WUC )": [[96, 124]], "Organization: Unrepresented Nations and Peoples Organization ( UNPO )": [[131, 186]], "Organization: Society for Threatened Peoples ( STP )": [[195, 233]]}, "info": {"id": "cyner2_5class_train_03230", "source": "cyner2_5class_train"}} +{"text": "In February 2017, we found a new Ebury sample, that introduces a significant number of new features.", "spans": {"Malware: Ebury": [[33, 38]]}, "info": {"id": "cyner2_5class_train_03231", "source": "cyner2_5class_train"}} +{"text": "We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan.", "spans": {"Organization: organizations": [[83, 96]]}, "info": {"id": "cyner2_5class_train_03232", "source": "cyner2_5class_train"}} +{"text": "It is important to note that Adobe has released the bulletin APSB15-27 to address this vulnerability; the latest version of Flash 19.0.0.226 is no longer vulnerable.", "spans": {"Organization: Adobe": [[29, 34]], "Indicator: APSB15-27": [[61, 70]], "Vulnerability: vulnerability;": [[87, 101]], "System: Flash 19.0.0.226": [[124, 140]]}, "info": {"id": "cyner2_5class_train_03233", "source": "cyner2_5class_train"}} +{"text": "The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples ; the first IP below is used for more than half of the HenBox samples we have seen to 
date : 47.90.81 [ .", "spans": {"Malware: HenBox": [[24, 30], [179, 185]], "Malware: 9002": [[35, 39]], "Indicator: 47.90.81 [ .": [[217, 229]]}, "info": {"id": "cyner2_5class_train_03234", "source": "cyner2_5class_train"}} +{"text": "Kaspersky Lab reported the Trojan to Google , and it has now been removed from the store .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: Google": [[37, 43]]}, "info": {"id": "cyner2_5class_train_03235", "source": "cyner2_5class_train"}} +{"text": "September 08 , 2020 TikTok Spyware A detailed analysis of spyware masquerading as TikTok A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users .", "spans": {"System: TikTok": [[20, 26], [82, 88], [112, 118]]}, "info": {"id": "cyner2_5class_train_03236", "source": "cyner2_5class_train"}} +{"text": "Interestingly , we found other DNS records mostly from 2017 that follow a similar pattern and appear to contain two-letters codes for districts in Italy : Server City server1bo.exodus.connexxa [ .", "spans": {"Indicator: server1bo.exodus.connexxa [ .": [[167, 196]]}, "info": {"id": "cyner2_5class_train_03237", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Turla.aj BKDR_TAVDIG.ZGEJ-A Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Wipbot BKDR_TAVDIG.ZGEJ-A Troj.W32.Epiccosplay!c Win32.Backdoor.Wipbot.Ehhy BackDoor.Turla.52 Trojan.Turla.Win32.35 BehavesLike.Win32.Ramnit.cc Trojan.Win32.Turla BDS/WipBot.B.1 Trojan.Kazy.D6CC04 Backdoor:Win32/WipBot.B Trojan/Win32.Tavdig.C561133 Trojan.Turla!36kTMhU81bU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Turla.aj": [[26, 41]], "Indicator: BKDR_TAVDIG.ZGEJ-A": [[42, 60], [118, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[61, 103]], "Indicator: Trojan.Wipbot": [[104, 117]], "Indicator: Troj.W32.Epiccosplay!c": [[137, 159]], "Indicator: Win32.Backdoor.Wipbot.Ehhy": [[160, 
186]], "Indicator: BackDoor.Turla.52": [[187, 204]], "Indicator: Trojan.Turla.Win32.35": [[205, 226]], "Indicator: BehavesLike.Win32.Ramnit.cc": [[227, 254]], "Indicator: Trojan.Win32.Turla": [[255, 273]], "Indicator: BDS/WipBot.B.1": [[274, 288]], "Indicator: Trojan.Kazy.D6CC04": [[289, 307]], "Indicator: Backdoor:Win32/WipBot.B": [[308, 331]], "Indicator: Trojan/Win32.Tavdig.C561133": [[332, 359]], "Indicator: Trojan.Turla!36kTMhU81bU": [[360, 384]]}, "info": {"id": "cyner2_5class_train_03238", "source": "cyner2_5class_train"}} +{"text": "However , given the way the trojan is built , it is highly customizable , meaning that adapting it to a different language would be extremely easy .", "spans": {}, "info": {"id": "cyner2_5class_train_03239", "source": "cyner2_5class_train"}} +{"text": "This variation of the Trojan was also mentioned in the 2013 FireEye blogs about the Sunshop campaign 3 and operation ephemeral hydra 4.", "spans": {"Malware: Trojan": [[22, 28]], "Organization: FireEye": [[60, 67]]}, "info": {"id": "cyner2_5class_train_03240", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JSLP Trojan.Downloader.JSLP Adware.AdPeak Trojan/Downloader.Rottentu.a Trojan.Downloader.JSLP Win32.Trojan.WisdomEyes.151026.9950.9980 Adware.Crossid Win32/Tnega.LUdScAC not-a-virus:AdWare.Win32.AdPeak.dn Adware.W32.Adpeak!c Trojan.Downloader.JSLP Trojan.Downloader.JSLP Trojan.DownLoader16.16196 backdoor.win32.prorat.ah BehavesLike.Win32.Downloader.tc AdWare/AdPeak.ab GrayWare[AdWare:not-a-virus]/Win32.AdPeak Trojan.Downloader.JSLP TrojanDownloader:Win32/Tordow.A Adware/Win32.AdPeak.N1435735988 AdWare.AdPeak Trojan.Downloader.JSLP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JSLP": [[26, 48], [49, 71], [115, 137], [269, 291], [292, 314], [457, 479], [558, 580]], "Indicator: Adware.AdPeak": [[72, 85]], "Indicator: Trojan/Downloader.Rottentu.a": [[86, 114]], "Indicator: 
Win32.Trojan.WisdomEyes.151026.9950.9980": [[138, 178]], "Indicator: Adware.Crossid": [[179, 193]], "Indicator: Win32/Tnega.LUdScAC": [[194, 213]], "Indicator: not-a-virus:AdWare.Win32.AdPeak.dn": [[214, 248]], "Indicator: Adware.W32.Adpeak!c": [[249, 268]], "Indicator: Trojan.DownLoader16.16196": [[315, 340]], "Indicator: backdoor.win32.prorat.ah": [[341, 365]], "Indicator: BehavesLike.Win32.Downloader.tc": [[366, 397]], "Indicator: AdWare/AdPeak.ab": [[398, 414]], "Indicator: GrayWare[AdWare:not-a-virus]/Win32.AdPeak": [[415, 456]], "Indicator: TrojanDownloader:Win32/Tordow.A": [[480, 511]], "Indicator: Adware/Win32.AdPeak.N1435735988": [[512, 543]], "Indicator: AdWare.AdPeak": [[544, 557]]}, "info": {"id": "cyner2_5class_train_03241", "source": "cyner2_5class_train"}} +{"text": "There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3 which comes with malicious ZIP containing .VBS or .JS attachments.", "spans": {"Indicator: malicious ZIP": [[134, 147]], "Indicator: .VBS": [[159, 163]], "Indicator: .JS attachments.": [[167, 183]]}, "info": {"id": "cyner2_5class_train_03242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.TDSS!O RiskWare.Tool.CK Win32.Trojan.WisdomEyes.16070401.9500.9900 W32/PWStealerX.EGK TSPY_RAVEN.A Trojan-PSW.Win32.Raven.b Trojan.Win32.Raven.ewlguc TrojWare.Win32.Patched.KSU BackDoor.Uragan TSPY_RAVEN.A BehavesLike.Win32.Ransomware.nc W32/PWS.PQHC-6858 Trojan/PSW.Ravenpass.a PWS:Win32/Raven.C Trojan-PSW.Win32.Raven.b TrojanPSW.Raven Trojan.PWS.Raven!jl2h2OWvUG8 Trojan-Spy.Win32.Hsow", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.TDSS!O": [[26, 45]], "Indicator: RiskWare.Tool.CK": [[46, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9900": [[63, 105]], "Indicator: W32/PWStealerX.EGK": [[106, 124]], "Indicator: TSPY_RAVEN.A": [[125, 137], [232, 244]], "Indicator: Trojan-PSW.Win32.Raven.b": [[138, 162], [336, 360]], 
"Indicator: Trojan.Win32.Raven.ewlguc": [[163, 188]], "Indicator: TrojWare.Win32.Patched.KSU": [[189, 215]], "Indicator: BackDoor.Uragan": [[216, 231]], "Indicator: BehavesLike.Win32.Ransomware.nc": [[245, 276]], "Indicator: W32/PWS.PQHC-6858": [[277, 294]], "Indicator: Trojan/PSW.Ravenpass.a": [[295, 317]], "Indicator: PWS:Win32/Raven.C": [[318, 335]], "Indicator: TrojanPSW.Raven": [[361, 376]], "Indicator: Trojan.PWS.Raven!jl2h2OWvUG8": [[377, 405]], "Indicator: Trojan-Spy.Win32.Hsow": [[406, 427]]}, "info": {"id": "cyner2_5class_train_03243", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Cendelf.A8 WS.Reputation.1 Delf.PVUB Win32/Tnega.CTAcCXD PE:Malware.Delf!6.F BackDoor.Bulknet.1078 TR/Spy.Browse.14364 Trojan/Win32.Cendelf Trojan-Dropper.Delf W32/Delff.RJH!tr Delf.ALTK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Cendelf.A8": [[26, 43]], "Indicator: WS.Reputation.1": [[44, 59]], "Indicator: Delf.PVUB": [[60, 69]], "Indicator: Win32/Tnega.CTAcCXD": [[70, 89]], "Indicator: PE:Malware.Delf!6.F": [[90, 109]], "Indicator: BackDoor.Bulknet.1078": [[110, 131]], "Indicator: TR/Spy.Browse.14364": [[132, 151]], "Indicator: Trojan/Win32.Cendelf": [[152, 172]], "Indicator: Trojan-Dropper.Delf": [[173, 192]], "Indicator: W32/Delff.RJH!tr": [[193, 209]], "Indicator: Delf.ALTK": [[210, 219]]}, "info": {"id": "cyner2_5class_train_03244", "source": "cyner2_5class_train"}} +{"text": "Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.", "spans": {}, "info": {"id": "cyner2_5class_train_03245", "source": "cyner2_5class_train"}} +{"text": "It turned out that they are also atypical by many means.", "spans": {}, "info": {"id": "cyner2_5class_train_03246", "source": "cyner2_5class_train"}} +{"text": "We've identified 9,215 samples tagged Banload in AutoFocus since December 2013.", "spans": {"Malware: samples": [[23, 30]], 
"Malware: Banload": [[38, 45]], "System: AutoFocus": [[49, 58]]}, "info": {"id": "cyner2_5class_train_03247", "source": "cyner2_5class_train"}} +{"text": "Talos has observed a small email campaign leveraging the use of Microsoft Publisher files.", "spans": {"Indicator: Microsoft Publisher files.": [[64, 90]]}, "info": {"id": "cyner2_5class_train_03248", "source": "cyner2_5class_train"}} +{"text": "Chinese APK names : Some of FakeSpy ’ s APK package names contain anglicized Chinese ( Mandarin ) words that might be related to Chinese songs and lyrics , food , provinces , etc .", "spans": {"Malware: FakeSpy": [[28, 35]]}, "info": {"id": "cyner2_5class_train_03249", "source": "cyner2_5class_train"}} +{"text": "While it can be used anywhere and target any bank or region , at this time , we are seeing it deployed specifically in Germany .", "spans": {}, "info": {"id": "cyner2_5class_train_03250", "source": "cyner2_5class_train"}} +{"text": "In the latest implant versions there are 48 different commands .", "spans": {}, "info": {"id": "cyner2_5class_train_03251", "source": "cyner2_5class_train"}} +{"text": "This IOC contains indicators detailed in the whitepaper Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group's Obfuscation Tactic", "spans": {"Organization: FireEye": [[79, 86]], "Organization: Microsoft": [[91, 100]]}, "info": {"id": "cyner2_5class_train_03252", "source": "cyner2_5class_train"}} +{"text": "Stumbled upon another one of the FakeAV's, its called Internet Security", "spans": {"Malware: FakeAV's,": [[33, 42]], "Malware: Internet Security": [[54, 71]]}, "info": {"id": "cyner2_5class_train_03253", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Mauthy.g3 Win32.Trojan.WisdomEyes.151026.9950.9998 Heur.AdvML.C Trojan.Win32.DownLoader1.dklsld Trojan.Win32.Z.Kazy.1108582[h] Trojan.DownLoader4.60407 BehavesLike.Win32.SoftPulse.tc Trojan.Kazy.D103DE PWS:MSIL/Mauthy.A Trojan-PWS.MSIL PSW.ILUSpy Trj/CI.A 
Win32/Trojan.7d3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Mauthy.g3": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9998": [[46, 86]], "Indicator: Heur.AdvML.C": [[87, 99]], "Indicator: Trojan.Win32.DownLoader1.dklsld": [[100, 131]], "Indicator: Trojan.Win32.Z.Kazy.1108582[h]": [[132, 162]], "Indicator: Trojan.DownLoader4.60407": [[163, 187]], "Indicator: BehavesLike.Win32.SoftPulse.tc": [[188, 218]], "Indicator: Trojan.Kazy.D103DE": [[219, 237]], "Indicator: PWS:MSIL/Mauthy.A": [[238, 255]], "Indicator: Trojan-PWS.MSIL": [[256, 271]], "Indicator: PSW.ILUSpy": [[272, 282]], "Indicator: Trj/CI.A": [[283, 291]], "Indicator: Win32/Trojan.7d3": [[292, 308]]}, "info": {"id": "cyner2_5class_train_03254", "source": "cyner2_5class_train"}} +{"text": "] com/ ) : This server provides APK files with advertising network .", "spans": {}, "info": {"id": "cyner2_5class_train_03255", "source": "cyner2_5class_train"}} +{"text": "These .pub files are normally used for the publishing of documents such as newsletters, allowing users to create such documents using familiar office functions such as mail merging.", "spans": {"Indicator: .pub files": [[6, 16]], "Organization: newsletters,": [[75, 87]], "Organization: documents": [[118, 127]], "System: mail merging.": [[168, 181]]}, "info": {"id": "cyner2_5class_train_03256", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9869 BackDoor.BlackEnergy.80 Worm:Win32/Phdet.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9869": [[26, 68]], "Indicator: BackDoor.BlackEnergy.80": [[69, 92]], "Indicator: Worm:Win32/Phdet.B": [[93, 111]]}, "info": {"id": "cyner2_5class_train_03257", "source": "cyner2_5class_train"}} +{"text": "By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.", 
"spans": {"Malware: fileless infection chain, the malware": [[26, 63]], "System: sandbox,": [[106, 114]], "Organization: anti-malware engineers": [[144, 166]]}, "info": {"id": "cyner2_5class_train_03258", "source": "cyner2_5class_train"}} +{"text": "In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild.", "spans": {"Organization: WeipTech,": [[20, 29]], "Malware: iOS malware family": [[69, 87]]}, "info": {"id": "cyner2_5class_train_03259", "source": "cyner2_5class_train"}} +{"text": "RetroTetris can be installed in Android versions starting from 2.3 Gingrebread while Brain Test can be installed in versions starting from 2.2 Froyo.", "spans": {"Malware: RetroTetris": [[0, 11]], "System: Android versions": [[32, 48]], "System: 2.3 Gingrebread": [[63, 78]], "Malware: Brain Test": [[85, 95]], "System: 2.2 Froyo.": [[139, 149]]}, "info": {"id": "cyner2_5class_train_03260", "source": "cyner2_5class_train"}} +{"text": "A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization 's system where the victim works .", "spans": {}, "info": {"id": "cyner2_5class_train_03261", "source": "cyner2_5class_train"}} +{"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a wide range of permissions on their Android device : App permissions SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Once installed , MazarBOT downloads a copy of Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number .", "spans": {"Malware: MazarBOT": [[388, 396]], "System: Tor": [[417, 420]], "System: Android": [[434, 441]]}, "info": {"id": "cyner2_5class_train_03262", 
"source": "cyner2_5class_train"}} +{"text": "The malware mostly targets European users.", "spans": {"Malware: malware": [[4, 11]], "Organization: European users.": [[27, 42]]}, "info": {"id": "cyner2_5class_train_03263", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9988 Trojan.Win32.Geratid.dklqgw Trojan.Msil Backdoor:MSIL/Geratid.A!dll", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[26, 68]], "Indicator: Trojan.Win32.Geratid.dklqgw": [[69, 96]], "Indicator: Trojan.Msil": [[97, 108]], "Indicator: Backdoor:MSIL/Geratid.A!dll": [[109, 136]]}, "info": {"id": "cyner2_5class_train_03264", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87726 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id87726 [ .": [[21, 63]]}, "info": {"id": "cyner2_5class_train_03265", "source": "cyner2_5class_train"}} +{"text": "CONCLUSION In this research , the Nocturnus team has dissected a rapidly evolving Android malware in the making .", "spans": {"Organization: Nocturnus": [[34, 43]], "Malware: Android": [[82, 89]]}, "info": {"id": "cyner2_5class_train_03266", "source": "cyner2_5class_train"}} +{"text": "Since Ginp is already using some code from the Anubis Trojan , it is quite likely that other , more advanced features from Anubis or other malware , such as a back-connect proxy , screen-streaming and RAT will also be added in the future .", "spans": {"Malware: Anubis": [[47, 53]], "System: Anubis": [[123, 129]]}, "info": {"id": "cyner2_5class_train_03267", "source": "cyner2_5class_train"}} +{"text": "It was discovered in early 2014 and was named after a debug string, BlackMoon that was present in its code.", "spans": {"Malware: BlackMoon": [[68, 77]], "Indicator: code.": [[102, 107]]}, "info": {"id": "cyner2_5class_train_03268", "source": "cyner2_5class_train"}} +{"text": "Volexity recently identified a breach 
to the website of a well regarded media outlet in the country of Georgia.", "spans": {"Organization: Volexity": [[0, 8]], "Indicator: the website": [[41, 52]]}, "info": {"id": "cyner2_5class_train_03269", "source": "cyner2_5class_train"}} +{"text": "From the latter half of May until June 10, there was a relative lull in TorrentLocker-related emails.", "spans": {"Indicator: TorrentLocker-related": [[72, 93]]}, "info": {"id": "cyner2_5class_train_03270", "source": "cyner2_5class_train"}} +{"text": "This was an original spyware program , designed to exfiltrate almost all accessible information .", "spans": {}, "info": {"id": "cyner2_5class_train_03271", "source": "cyner2_5class_train"}} +{"text": "Lookout said in its own blog post published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Shedun": [[121, 127]]}, "info": {"id": "cyner2_5class_train_03272", "source": "cyner2_5class_train"}} +{"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python ’ s subprocess.Popen ( ) , output result will be sent to the C & C socket .", "spans": {"System: Python": [[285, 291]]}, "info": {"id": "cyner2_5class_train_03273", "source": "cyner2_5class_train"}} +{"text": "This technique is being used to allow the attackers to conceal their secondary payloads, bypassing different AV products.", "spans": {"Malware: attackers": [[42, 51]], "Malware: payloads,": [[79, 88]], "System: AV": [[109, 111]]}, "info": {"id": "cyner2_5class_train_03274", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Nuclear Win32.Trojan.WisdomEyes.16070401.9500.9871 
Trojan.Win32.Nuclear.baxsh Backdoor.Win32.Nuclear.182272 Backdoor.Win32.Nuclear.CU BackDoor.Nuclearat.452 Backdoor.Nuclear.Win32.1045 Backdoor.Win32.Nuclear Backdoor/Nuclear.yt Trojan[Backdoor]/Win32.Nuclear Backdoor.Nuclear Trojan.Zusy.Elzob.493 Win32/Nuclear.CU Backdoor.Nuclear!tPH0Q8Q37CQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Nuclear": [[26, 42], [294, 310]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9871": [[43, 85]], "Indicator: Trojan.Win32.Nuclear.baxsh": [[86, 112]], "Indicator: Backdoor.Win32.Nuclear.182272": [[113, 142]], "Indicator: Backdoor.Win32.Nuclear.CU": [[143, 168]], "Indicator: BackDoor.Nuclearat.452": [[169, 191]], "Indicator: Backdoor.Nuclear.Win32.1045": [[192, 219]], "Indicator: Backdoor.Win32.Nuclear": [[220, 242]], "Indicator: Backdoor/Nuclear.yt": [[243, 262]], "Indicator: Trojan[Backdoor]/Win32.Nuclear": [[263, 293]], "Indicator: Trojan.Zusy.Elzob.493": [[311, 332]], "Indicator: Win32/Nuclear.CU": [[333, 349]], "Indicator: Backdoor.Nuclear!tPH0Q8Q37CQ": [[350, 378]]}, "info": {"id": "cyner2_5class_train_03275", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Viking.GY TrojWare.Win32.Magania.~AD Trojan/Win32.Hupigon Trojan-PWS.Win32.Hangame.cl", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Viking.GY": [[26, 35]], "Indicator: TrojWare.Win32.Magania.~AD": [[36, 62]], "Indicator: Trojan/Win32.Hupigon": [[63, 83]], "Indicator: Trojan-PWS.Win32.Hangame.cl": [[84, 111]]}, "info": {"id": "cyner2_5class_train_03276", "source": "cyner2_5class_train"}} +{"text": "Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan.", "spans": {"Malware: Kronos banking Trojan.": [[85, 107]]}, "info": {"id": "cyner2_5class_train_03277", "source": "cyner2_5class_train"}} +{"text": "This domain has been previously reported as an lSMAgent C2.", "spans": {"Indicator: domain": [[5, 11]], "Indicator: an lSMAgent C2.": [[44, 59]]}, "info": {"id": 
"cyner2_5class_train_03278", "source": "cyner2_5class_train"}} +{"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware .", "spans": {"Malware: HummingBad": [[19, 29]], "Organization: Yingmob": [[52, 59]], "Malware: Yinspector": [[140, 150]], "System: iOS": [[151, 154]]}, "info": {"id": "cyner2_5class_train_03279", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.CommInet.70741 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Exdis Trojan.Win32.Small.dqjffo MalCrypt.Indus! BackDoor.HangUp.44052 BehavesLike.Win32.Backdoor.kh Trojan[Backdoor]/Win32.CommInet Win32.Hack.Small.ak.kcloud Backdoor:Win32/Easydor.D Bck/CommInet.V Win32.Backdoor.Comminet.dbwh Backdoor.Win32.CommInet Exdis.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.CommInet.70741": [[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[54, 96]], "Indicator: Backdoor.Exdis": [[97, 111]], "Indicator: Trojan.Win32.Small.dqjffo": [[112, 137]], "Indicator: MalCrypt.Indus!": [[138, 153]], "Indicator: BackDoor.HangUp.44052": [[154, 175]], "Indicator: BehavesLike.Win32.Backdoor.kh": [[176, 205]], "Indicator: Trojan[Backdoor]/Win32.CommInet": [[206, 237]], "Indicator: Win32.Hack.Small.ak.kcloud": [[238, 264]], "Indicator: Backdoor:Win32/Easydor.D": [[265, 289]], "Indicator: Bck/CommInet.V": [[290, 304]], "Indicator: Win32.Backdoor.Comminet.dbwh": [[305, 333]], "Indicator: Backdoor.Win32.CommInet": [[334, 357]], "Indicator: Exdis.A!tr.bdr": [[358, 372]]}, "info": {"id": "cyner2_5class_train_03280", "source": "cyner2_5class_train"}} +{"text": "* * * End translation * * * The phishing template then presents additional instructions for installing the fake security application ( Figure 5 ) : Figure 5 : Additional instructions telling the victim to give the app the requested permissions ( English translation below ) , 
with stolen branding and fraudulent copy * * * Translation * * * Step 2 : Allow installation Open your device 's settings , select Security or Applications ( depending on the device ) , and check Unknown sources .", "spans": {}, "info": {"id": "cyner2_5class_train_03281", "source": "cyner2_5class_train"}} +{"text": "If a user visits the profile host website and allows the installer to download , the iOS system will go directly to the “ Install Profile ” page ( which shows a verified safety certificate ) , and then request the users ’ passcode for the last step of installation .", "spans": {"System: iOS": [[85, 88]]}, "info": {"id": "cyner2_5class_train_03282", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.RevengeRat.2 TROJ_REVETRAT.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Revetrat TROJ_REVETRAT.SM Win.Trojan.RevengeRat-6344273-0 BackDoor.RevetRat.2 BehavesLike.Win32.Trojan.lm W32/Trojan.VQKC-8396 Backdoor:MSIL/Revetrat.A!bit Backdoor.RevetRat Trj/GdSda.A Win32/Trojan.961", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.RevengeRat.2": [[26, 45]], "Indicator: TROJ_REVETRAT.SM": [[46, 62], [122, 138]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[63, 105]], "Indicator: Trojan.Revetrat": [[106, 121]], "Indicator: Win.Trojan.RevengeRat-6344273-0": [[139, 170]], "Indicator: BackDoor.RevetRat.2": [[171, 190]], "Indicator: BehavesLike.Win32.Trojan.lm": [[191, 218]], "Indicator: W32/Trojan.VQKC-8396": [[219, 239]], "Indicator: Backdoor:MSIL/Revetrat.A!bit": [[240, 268]], "Indicator: Backdoor.RevetRat": [[269, 286]], "Indicator: Trj/GdSda.A": [[287, 298]], "Indicator: Win32/Trojan.961": [[299, 315]]}, "info": {"id": "cyner2_5class_train_03283", "source": "cyner2_5class_train"}} +{"text": "That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking .", "spans": {}, "info": {"id": "cyner2_5class_train_03284", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.StartPage.87040.B Trojan.Searmapxp.FC.384 Trojan.StartPage.MSIL Win32.Trojan.StartPage.ck Win.Trojan.Startpage-6834 Trojan.Win32.Startpage.fsfn Trojan.Win32.StartPage.dztahb Trojan.Win32.Z.Startpage.87040.FS Troj.W32.Startpage!c Win32.Trojan.Startpage.Szvb TrojWare.Win32.Startpage.KAX Trojan.Click3.12428 Trojan/StartPage.qbi Pua.Secure.Installer ADWARE/IERedirector.87040 Trojan/Win32.Startpage Trojan:Win32/Searmapxp.A!bit Trojan.Win32.Startpage.fsfn Adware/Win32.StartPage.R160955 Trojan.StartPage Trj/CI.A Trojan.Click!GCNxubkcTZg AdWare.IERedirector MSIL/StartPage.MI!tr Win32/Virus.Adware.007", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.StartPage.87040.B": [[26, 54]], "Indicator: Trojan.Searmapxp.FC.384": [[55, 78]], "Indicator: Trojan.StartPage.MSIL": [[79, 100]], "Indicator: Win32.Trojan.StartPage.ck": [[101, 126]], "Indicator: Win.Trojan.Startpage-6834": [[127, 152]], "Indicator: Trojan.Win32.Startpage.fsfn": [[153, 180], [463, 490]], "Indicator: Trojan.Win32.StartPage.dztahb": [[181, 210]], "Indicator: Trojan.Win32.Z.Startpage.87040.FS": [[211, 244]], "Indicator: Troj.W32.Startpage!c": [[245, 265]], "Indicator: Win32.Trojan.Startpage.Szvb": [[266, 293]], "Indicator: TrojWare.Win32.Startpage.KAX": [[294, 322]], "Indicator: Trojan.Click3.12428": [[323, 342]], "Indicator: Trojan/StartPage.qbi": [[343, 363]], "Indicator: Pua.Secure.Installer": [[364, 384]], "Indicator: ADWARE/IERedirector.87040": [[385, 410]], "Indicator: Trojan/Win32.Startpage": [[411, 433]], "Indicator: Trojan:Win32/Searmapxp.A!bit": [[434, 462]], "Indicator: Adware/Win32.StartPage.R160955": [[491, 521]], "Indicator: Trojan.StartPage": [[522, 538]], "Indicator: Trj/CI.A": [[539, 547]], "Indicator: Trojan.Click!GCNxubkcTZg": [[548, 572]], "Indicator: AdWare.IERedirector": [[573, 592]], "Indicator: MSIL/StartPage.MI!tr": [[593, 613]], "Indicator: Win32/Virus.Adware.007": [[614, 636]]}, "info": {"id": 
"cyner2_5class_train_03285", "source": "cyner2_5class_train"}} +{"text": "Therefore , “ Agent Smith ” decompiles both the original application and the malicious payload and fuses them together .", "spans": {"Malware: Agent Smith": [[14, 25]]}, "info": {"id": "cyner2_5class_train_03286", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VBOverlayD.PE Trojan.Win32.Swisyn!O Trojan.Mofksys.A W32/Swisyn.ag Trojan/Swisyn.bner PE_MOFKSYS.A W32.Gosys Win32/VB.BOP PE_MOFKSYS.A Win.Virus.Sality:1-6335700-1 Troj.W32.Swisyn.tnEM Trojan/Swisyn.rmj Trojan/Win32.Swisyn.bner Trojan.Win32.Swisyn.bner Trojan/Win32.Swisyn.R1452 Trojan.Swisyn Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VBOverlayD.PE": [[26, 43]], "Indicator: Trojan.Win32.Swisyn!O": [[44, 65]], "Indicator: Trojan.Mofksys.A": [[66, 82]], "Indicator: W32/Swisyn.ag": [[83, 96]], "Indicator: Trojan/Swisyn.bner": [[97, 115]], "Indicator: PE_MOFKSYS.A": [[116, 128], [152, 164]], "Indicator: W32.Gosys": [[129, 138]], "Indicator: Win32/VB.BOP": [[139, 151]], "Indicator: Win.Virus.Sality:1-6335700-1": [[165, 193]], "Indicator: Troj.W32.Swisyn.tnEM": [[194, 214]], "Indicator: Trojan/Swisyn.rmj": [[215, 232]], "Indicator: Trojan/Win32.Swisyn.bner": [[233, 257]], "Indicator: Trojan.Win32.Swisyn.bner": [[258, 282]], "Indicator: Trojan/Win32.Swisyn.R1452": [[283, 308]], "Indicator: Trojan.Swisyn": [[309, 322]], "Indicator: Trojan.Win32.VB": [[323, 338]]}, "info": {"id": "cyner2_5class_train_03287", "source": "cyner2_5class_train"}} +{"text": "The targets of these attacks appear to primarily be companies in the video games industry, although other targets may exist outside of our telemetry.", "spans": {"Indicator: attacks": [[21, 28]], "Organization: companies": [[52, 61]], "Organization: video games industry,": [[69, 90]], "Organization: telemetry.": [[139, 149]]}, "info": {"id": "cyner2_5class_train_03288", "source": "cyner2_5class_train"}} +{"text": "Many of the default 
strings in this application are in Arabic , including the name .", "spans": {}, "info": {"id": "cyner2_5class_train_03289", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has observed a new version of Hworm or Houdini being used within multiple attacks.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Hworm": [[38, 43]], "Malware: Houdini": [[47, 54]], "Indicator: multiple attacks.": [[73, 90]]}, "info": {"id": "cyner2_5class_train_03290", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HEUR:Trojan.AndroidOS.Piom.dzu Trojan.Android.Piom.expmgs a.privacy.dingwe Android.Spy.422.origin ANDROID/Piom.otvgv Trojan/Android.Piom HEUR:Trojan.AndroidOS.Piom.dzu Trojan.AndroidOS.Spy.D Trojan.AndroidOS.Dingwe Android/Fyec.DZS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HEUR:Trojan.AndroidOS.Piom.dzu": [[26, 56], [163, 193]], "Indicator: Trojan.Android.Piom.expmgs": [[57, 83]], "Indicator: a.privacy.dingwe": [[84, 100]], "Indicator: Android.Spy.422.origin": [[101, 123]], "Indicator: ANDROID/Piom.otvgv": [[124, 142]], "Indicator: Trojan/Android.Piom": [[143, 162]], "Indicator: Trojan.AndroidOS.Spy.D": [[194, 216]], "Indicator: Trojan.AndroidOS.Dingwe": [[217, 240]], "Indicator: Android/Fyec.DZS!tr": [[241, 260]]}, "info": {"id": "cyner2_5class_train_03291", "source": "cyner2_5class_train"}} +{"text": "Samples and command and control hosts associated with the Imminent Monitor RAT", "spans": {"Indicator: command and control": [[12, 31]], "System: hosts": [[32, 37]], "Malware: Imminent Monitor RAT": [[58, 78]]}, "info": {"id": "cyner2_5class_train_03292", "source": "cyner2_5class_train"}} +{"text": "Finally , a new Windows service is created with the service path pointing to the candidate .exe located in this new directory together with the freshly created , benign-looking DLL .", "spans": {"System: Windows": [[16, 23]]}, "info": {"id": "cyner2_5class_train_03293", "source": "cyner2_5class_train"}} +{"text": "This strange behavior 
consisted of a large amount of peculiar files being written into sensitive system directories.", "spans": {"Indicator: sensitive system directories.": [[87, 116]]}, "info": {"id": "cyner2_5class_train_03294", "source": "cyner2_5class_train"}} +{"text": "It uses a variety of new techniques , but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so .", "spans": {"Indicator: libdmv.so": [[131, 140]], "Indicator: libandroid_runtime.so": [[144, 165]]}, "info": {"id": "cyner2_5class_train_03295", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CoinMinerSimY.Worm Trojan.Multi Backdoor.Graybird TROJ_COINMINE.THAOIO Trojan.Win32.Miner.tidx Trojan.Win32.Miner.exakqc Trojan.Win32.S.CoinMiner.1312256 Uds.Dangerousobject.Multi!c Trojan.BtcMine.2100 TROJ_COINMINE.THAOIO BehavesLike.Win32.MultiPlug.tc PUA.EnigmaProtector Trojan.Miner.axs W32.Miner.Smominru TR/Crypt.Xpack.vknzu Trojan.Win32.Miner.tidx Trojan:Win32/Smominru.A Unwanted/Win32.BitCoinMiner.C2352839 Misc.Riskware.MoneroMiner Trojan.Miner RiskWare.BitCoinMiner Trj/CI.A Win32/CoinMiner.ALB Win32.Trojan.Miner.Dxct W32/CoinMiner.ALB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CoinMinerSimY.Worm": [[26, 48]], "Indicator: Trojan.Multi": [[49, 61]], "Indicator: Backdoor.Graybird": [[62, 79]], "Indicator: TROJ_COINMINE.THAOIO": [[80, 100], [232, 252]], "Indicator: Trojan.Win32.Miner.tidx": [[101, 124], [361, 384]], "Indicator: Trojan.Win32.Miner.exakqc": [[125, 150]], "Indicator: Trojan.Win32.S.CoinMiner.1312256": [[151, 183]], "Indicator: Uds.Dangerousobject.Multi!c": [[184, 211]], "Indicator: Trojan.BtcMine.2100": [[212, 231]], "Indicator: BehavesLike.Win32.MultiPlug.tc": [[253, 283]], "Indicator: PUA.EnigmaProtector": [[284, 303]], "Indicator: Trojan.Miner.axs": [[304, 320]], "Indicator: W32.Miner.Smominru": [[321, 339]], "Indicator: TR/Crypt.Xpack.vknzu": [[340, 360]], "Indicator: Trojan:Win32/Smominru.A": 
[[385, 408]], "Indicator: Unwanted/Win32.BitCoinMiner.C2352839": [[409, 445]], "Indicator: Misc.Riskware.MoneroMiner": [[446, 471]], "Indicator: Trojan.Miner": [[472, 484]], "Indicator: RiskWare.BitCoinMiner": [[485, 506]], "Indicator: Trj/CI.A": [[507, 515]], "Indicator: Win32/CoinMiner.ALB": [[516, 535]], "Indicator: Win32.Trojan.Miner.Dxct": [[536, 559]], "Indicator: W32/CoinMiner.ALB!tr": [[560, 580]]}, "info": {"id": "cyner2_5class_train_03296", "source": "cyner2_5class_train"}} +{"text": "] 26/html2/arc92/au483x.zip hxxp : //94.130.106 [ .", "spans": {"Indicator: hxxp : //94.130.106 [ .": [[28, 51]]}, "info": {"id": "cyner2_5class_train_03297", "source": "cyner2_5class_train"}} +{"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform .", "spans": {"System: Windows": [[0, 7], [85, 92]]}, "info": {"id": "cyner2_5class_train_03298", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanClicker.MSIL Trojan.Win32.Clicker!BT TrojWare.MSIL.TrojanClicker.Lasdoma.NRJ Trojan.Click3.24925 Trojan.MSIL.TrojanClicker TrojanClicker.MSIL.mr TR/ATRAPS.hsvhb Trojan.Johnnie.DE2DE TrojanClicker:MSIL/Lasdoma.A!bit Win-Trojan/ADM01.Exp Trojan.Win32.Clicker!BT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanClicker.MSIL": [[26, 44]], "Indicator: Trojan.Win32.Clicker!BT": [[45, 68], [268, 291]], "Indicator: TrojWare.MSIL.TrojanClicker.Lasdoma.NRJ": [[69, 108]], "Indicator: Trojan.Click3.24925": [[109, 128]], "Indicator: Trojan.MSIL.TrojanClicker": [[129, 154]], "Indicator: TrojanClicker.MSIL.mr": [[155, 176]], "Indicator: TR/ATRAPS.hsvhb": [[177, 192]], "Indicator: Trojan.Johnnie.DE2DE": [[193, 213]], "Indicator: TrojanClicker:MSIL/Lasdoma.A!bit": [[214, 246]], "Indicator: Win-Trojan/ADM01.Exp": [[247, 267]]}, "info": {"id": "cyner2_5class_train_03299", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pakes Trojan/Pakes.cxg Trojan.Heur.EAB04F 
Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Trojan2.BBCZ Win.Trojan.Pakes-1891 Trojan.Win32.Pakes.cxg Trojan.Win32.Pakes.buyldp Troj.W32.Pakes.cxg!c Trojan.DownLoader.61691 Trojan.Pakes.Win32.5440 BehavesLike.Win32.Dropper.lc Trojan.Win32.Crypt W32/Trojan.VJUA-2101 Trojan/Pakes.bvs Trojan/Win32.Pakes Win32.Troj.Unknown.kcloud Trojan.Win32.Pakes.cxg BScope.Trojan.MTA.01233 Trj/Pakes.EB Win32.Trojan.Pakes.Dygy Trojan.Pakes!elDwpuVaGqk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pakes": [[26, 38]], "Indicator: Trojan/Pakes.cxg": [[39, 55]], "Indicator: Trojan.Heur.EAB04F": [[56, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[75, 117]], "Indicator: W32/Trojan2.BBCZ": [[118, 134]], "Indicator: Win.Trojan.Pakes-1891": [[135, 156]], "Indicator: Trojan.Win32.Pakes.cxg": [[157, 179], [406, 428]], "Indicator: Trojan.Win32.Pakes.buyldp": [[180, 205]], "Indicator: Troj.W32.Pakes.cxg!c": [[206, 226]], "Indicator: Trojan.DownLoader.61691": [[227, 250]], "Indicator: Trojan.Pakes.Win32.5440": [[251, 274]], "Indicator: BehavesLike.Win32.Dropper.lc": [[275, 303]], "Indicator: Trojan.Win32.Crypt": [[304, 322]], "Indicator: W32/Trojan.VJUA-2101": [[323, 343]], "Indicator: Trojan/Pakes.bvs": [[344, 360]], "Indicator: Trojan/Win32.Pakes": [[361, 379]], "Indicator: Win32.Troj.Unknown.kcloud": [[380, 405]], "Indicator: BScope.Trojan.MTA.01233": [[429, 452]], "Indicator: Trj/Pakes.EB": [[453, 465]], "Indicator: Win32.Trojan.Pakes.Dygy": [[466, 489]], "Indicator: Trojan.Pakes!elDwpuVaGqk": [[490, 514]]}, "info": {"id": "cyner2_5class_train_03300", "source": "cyner2_5class_train"}} +{"text": "One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family .", "spans": {"Malware: Rotexy": [[86, 92]]}, "info": {"id": "cyner2_5class_train_03301", "source": "cyner2_5class_train"}} +{"text": "W32.Futurax is a worm that spreads via removable drives and network shares.", "spans": {"Indicator: W32.Futurax": [[0, 11]], 
"Malware: worm": [[17, 21]], "System: removable drives": [[39, 55]], "System: network shares.": [[60, 75]]}, "info": {"id": "cyner2_5class_train_03302", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win.Trojan.Dapato-413 Trojan.Win32.Dapato.bewyzt BackDoor.Cool.362 TR/Spy.289792.56 Win32.Troj.Undef.kcloud Dropper/Win32.Dapato Trojan-Downloader.win32.Delf.xoq Trojan-Dropper.Dapato.bauk Win32/Delf.OJW Trojan-Dropper.Win32.Dapato Delf.AJUR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Trojan.Dapato-413": [[26, 47]], "Indicator: Trojan.Win32.Dapato.bewyzt": [[48, 74]], "Indicator: BackDoor.Cool.362": [[75, 92]], "Indicator: TR/Spy.289792.56": [[93, 109]], "Indicator: Win32.Troj.Undef.kcloud": [[110, 133]], "Indicator: Dropper/Win32.Dapato": [[134, 154]], "Indicator: Trojan-Downloader.win32.Delf.xoq": [[155, 187]], "Indicator: Trojan-Dropper.Dapato.bauk": [[188, 214]], "Indicator: Win32/Delf.OJW": [[215, 229]], "Indicator: Trojan-Dropper.Win32.Dapato": [[230, 257]], "Indicator: Delf.AJUR": [[258, 267]]}, "info": {"id": "cyner2_5class_train_03303", "source": "cyner2_5class_train"}} +{"text": "The Trojan works by creating an overlay whenever the user launches the banking application .", "spans": {}, "info": {"id": "cyner2_5class_train_03304", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O BehavesLike.Win32.BadFile.fc Trojan-Spy.Win32.AutoHK TR/Dldr.AutoHK.rguvg TrojanDownloader:MSIL/AutoHK.B!bit TrojanSpy.AutoHK Win32/TrojanDownloader.AutoHK.BC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: BehavesLike.Win32.BadFile.fc": [[65, 93]], "Indicator: Trojan-Spy.Win32.AutoHK": [[94, 117]], "Indicator: TR/Dldr.AutoHK.rguvg": [[118, 138]], "Indicator: TrojanDownloader:MSIL/AutoHK.B!bit": [[139, 173]], "Indicator: TrojanSpy.AutoHK": [[174, 190]], "Indicator: 
Win32/TrojanDownloader.AutoHK.BC": [[191, 223]]}, "info": {"id": "cyner2_5class_train_03305", "source": "cyner2_5class_train"}} +{"text": "For the Trojan to install , the user must allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner2_5class_train_03306", "source": "cyner2_5class_train"}} +{"text": "( Have a look here and here .", "spans": {}, "info": {"id": "cyner2_5class_train_03307", "source": "cyner2_5class_train"}} +{"text": "Pony will infect the victim computer and download an additional malware.", "spans": {"Malware: Pony": [[0, 4]], "System: computer": [[28, 36]], "Malware: additional malware.": [[53, 72]]}, "info": {"id": "cyner2_5class_train_03308", "source": "cyner2_5class_train"}} +{"text": "This and following versions were masquerading as fake “ Adobe Flash Player ” apps .", "spans": {"System: Adobe Flash Player": [[56, 74]]}, "info": {"id": "cyner2_5class_train_03309", "source": "cyner2_5class_train"}} +{"text": "Indeed , the Trojan explicitly targets Russian-speaking users .", "spans": {}, "info": {"id": "cyner2_5class_train_03310", "source": "cyner2_5class_train"}} +{"text": "We discuss these changes and its effect on Android and Apple devices .", "spans": {"System: Android": [[43, 50]], "System: Apple": [[55, 60]]}, "info": {"id": "cyner2_5class_train_03311", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Chekafe.A TROJ_DLOADR.SMOK Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Donloz.AQU TROJ_DLOADR.SMOK Trojan.Win32.Downloader.14836 Trojan.DownLoad2.12418 BehavesLike.Win32.Backdoor.lm Trojan-Downloader.Win32.Chekafe Win32.TrojDownloader.tb.kcloud TrojanDownloader:Win32/Chekafe.C BScope.Trojan.SvcHorse.01643", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Chekafe.A": [[26, 42]], "Indicator: TROJ_DLOADR.SMOK": [[43, 59], [120, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[60, 102]], "Indicator: Win32/Donloz.AQU": [[103, 
119]], "Indicator: Trojan.Win32.Downloader.14836": [[137, 166]], "Indicator: Trojan.DownLoad2.12418": [[167, 189]], "Indicator: BehavesLike.Win32.Backdoor.lm": [[190, 219]], "Indicator: Trojan-Downloader.Win32.Chekafe": [[220, 251]], "Indicator: Win32.TrojDownloader.tb.kcloud": [[252, 282]], "Indicator: TrojanDownloader:Win32/Chekafe.C": [[283, 315]], "Indicator: BScope.Trojan.SvcHorse.01643": [[316, 344]]}, "info": {"id": "cyner2_5class_train_03312", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.4102 TrojWare.Win32.CoinMiner.IEGT W32/Trojan.QGMZ-7351 Trojan.Heur.FU.EE0BC8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.4102": [[26, 42]], "Indicator: TrojWare.Win32.CoinMiner.IEGT": [[43, 72]], "Indicator: W32/Trojan.QGMZ-7351": [[73, 93]], "Indicator: Trojan.Heur.FU.EE0BC8": [[94, 115]]}, "info": {"id": "cyner2_5class_train_03313", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Sality!O W32/Trojan.HAUX-5531 Trojan.Win32.Fsysna.erxi Variant.Symmi.mCm9 BehavesLike.Win32.Downloader.tc Trojan/Blocker.idi TR/IRCBot.hjsna Trojan.Barys.DE0A3 Trojan.Win32.Z.Ircbot.1304576 Trojan.Win32.Fsysna.erxi Trojan:Win32/Fenibot.A Trojan/Win32.Inject.C860331 Win32/IRCBot.NIM Trojan.Kazy W32/IRCBot.NIM!tr Trj/CI.A Win32/Trojan.2d1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: W32/Trojan.HAUX-5531": [[47, 67]], "Indicator: Trojan.Win32.Fsysna.erxi": [[68, 92], [228, 252]], "Indicator: Variant.Symmi.mCm9": [[93, 111]], "Indicator: BehavesLike.Win32.Downloader.tc": [[112, 143]], "Indicator: Trojan/Blocker.idi": [[144, 162]], "Indicator: TR/IRCBot.hjsna": [[163, 178]], "Indicator: Trojan.Barys.DE0A3": [[179, 197]], "Indicator: Trojan.Win32.Z.Ircbot.1304576": [[198, 227]], "Indicator: Trojan:Win32/Fenibot.A": [[253, 275]], "Indicator: Trojan/Win32.Inject.C860331": [[276, 303]], "Indicator: Win32/IRCBot.NIM": [[304, 320]], "Indicator: 
Trojan.Kazy": [[321, 332]], "Indicator: W32/IRCBot.NIM!tr": [[333, 350]], "Indicator: Trj/CI.A": [[351, 359]], "Indicator: Win32/Trojan.2d1": [[360, 376]]}, "info": {"id": "cyner2_5class_train_03314", "source": "cyner2_5class_train"}} +{"text": "Giving an attacker access to a mobile device can have severe business consequences , especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information .", "spans": {}, "info": {"id": "cyner2_5class_train_03315", "source": "cyner2_5class_train"}} +{"text": "CONTACTS – send text received from C & C to all user contacts .", "spans": {}, "info": {"id": "cyner2_5class_train_03316", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Fareit.FC.2719 Trojan.Zusy.D33BC8 Win32.Trojan.WisdomEyes.16070401.9500.9992 BehavesLike.Win32.Trojan.vc Trojan/Win32.Inject.C1663733 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Fareit.FC.2719": [[26, 50]], "Indicator: Trojan.Zusy.D33BC8": [[51, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[70, 112]], "Indicator: BehavesLike.Win32.Trojan.vc": [[113, 140]], "Indicator: Trojan/Win32.Inject.C1663733": [[141, 169]], "Indicator: Trj/GdSda.A": [[170, 181]]}, "info": {"id": "cyner2_5class_train_03317", "source": "cyner2_5class_train"}} +{"text": "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads .", "spans": {}, "info": {"id": "cyner2_5class_train_03318", "source": "cyner2_5class_train"}} +{"text": "By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry.", "spans": {"System: infrastructure": [[23, 37]], "Organization: the gaming industry.": [[127, 147]]}, "info": {"id": "cyner2_5class_train_03319", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MyDoomI.Kr Win32/Mydoom.BT W32.Dozer Win32/Lyzapo.A 
WORM_MYDOOM.EA Win.Trojan.Dozer-1 Trojan.Dozer.1 WORM_MYDOOM.EA BehavesLike.Win32.Mydoom.fc W32/Backdoor.VQLJ-7986 Win32.Troj.Undef.kcloud TrojanDropper:Win32/Lyzapo.A Dropper/Win32.DDoS.N19798743 W32/Mydoom.cf Trojan.DR.Lyzapo!rpJ9Iphh7tw W32/Dozzer.A!tr W32/MyDoom.HN.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MyDoomI.Kr": [[26, 40]], "Indicator: Win32/Mydoom.BT": [[41, 56]], "Indicator: W32.Dozer": [[57, 66]], "Indicator: Win32/Lyzapo.A": [[67, 81]], "Indicator: WORM_MYDOOM.EA": [[82, 96], [131, 145]], "Indicator: Win.Trojan.Dozer-1": [[97, 115]], "Indicator: Trojan.Dozer.1": [[116, 130]], "Indicator: BehavesLike.Win32.Mydoom.fc": [[146, 173]], "Indicator: W32/Backdoor.VQLJ-7986": [[174, 196]], "Indicator: Win32.Troj.Undef.kcloud": [[197, 220]], "Indicator: TrojanDropper:Win32/Lyzapo.A": [[221, 249]], "Indicator: Dropper/Win32.DDoS.N19798743": [[250, 278]], "Indicator: W32/Mydoom.cf": [[279, 292]], "Indicator: Trojan.DR.Lyzapo!rpJ9Iphh7tw": [[293, 321]], "Indicator: W32/Dozzer.A!tr": [[322, 337]], "Indicator: W32/MyDoom.HN.worm": [[338, 356]]}, "info": {"id": "cyner2_5class_train_03320", "source": "cyner2_5class_train"}} +{"text": "] Once launched , the app starts to communicate with its C & C server ( whose IP address is base64-encoded in the app ) .", "spans": {}, "info": {"id": "cyner2_5class_train_03321", "source": "cyner2_5class_train"}} +{"text": "Split of exfiltrated data Some noteworthy files identified in content taken from compromised devices include passport photos , audio recordings of calls , other images , and a PDF document with data on 484 individuals .", "spans": {}, "info": {"id": "cyner2_5class_train_03322", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader Trojan.DownLoader6.50414 BehavesLike.Win32.Trojan.tm TR/Dldr.Megone.cwqt Trj/CI.A Win32/Trojan.9b4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader": [[26, 43]], "Indicator: Trojan.DownLoader6.50414": [[44, 
68]], "Indicator: BehavesLike.Win32.Trojan.tm": [[69, 96]], "Indicator: TR/Dldr.Megone.cwqt": [[97, 116]], "Indicator: Trj/CI.A": [[117, 125]], "Indicator: Win32/Trojan.9b4": [[126, 142]]}, "info": {"id": "cyner2_5class_train_03323", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.123904.BJ Trojan-GameThief.Win32.Magania!O Backdoor.Zegost.29476 Trojan/Magania.gxtv Trojan.Zusy.Elzob.DD23 Win32.Trojan.Farfli.ai HV_MAGANIA_CA22396F.TOMC Win.Trojan.Magania-15913 Trojan.Win32.Magania.thvzy Troj.GameThief.W32.Magania.l8gE Trojan.KeyLogger.13111 Trojan.Magania.Win32.50884 BehavesLike.Win32.Dropper.ch P2P-Worm.Win32.Palevo Trojan[GameThief]/Win32.Magania Win32.Troj.Transport.b.kcloud Trojan:DOS/Killmbr.dr Trojan.Win32.A.PSW-Magania.285696.A Trojan/Win32.Magania.R41109 BScope.P2P-Worm.Palevo Trojan.Farfli!+e4pBtKCbqs", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.123904.BJ": [[26, 58]], "Indicator: Trojan-GameThief.Win32.Magania!O": [[59, 91]], "Indicator: Backdoor.Zegost.29476": [[92, 113]], "Indicator: Trojan/Magania.gxtv": [[114, 133]], "Indicator: Trojan.Zusy.Elzob.DD23": [[134, 156]], "Indicator: Win32.Trojan.Farfli.ai": [[157, 179]], "Indicator: HV_MAGANIA_CA22396F.TOMC": [[180, 204]], "Indicator: Win.Trojan.Magania-15913": [[205, 229]], "Indicator: Trojan.Win32.Magania.thvzy": [[230, 256]], "Indicator: Troj.GameThief.W32.Magania.l8gE": [[257, 288]], "Indicator: Trojan.KeyLogger.13111": [[289, 311]], "Indicator: Trojan.Magania.Win32.50884": [[312, 338]], "Indicator: BehavesLike.Win32.Dropper.ch": [[339, 367]], "Indicator: P2P-Worm.Win32.Palevo": [[368, 389]], "Indicator: Trojan[GameThief]/Win32.Magania": [[390, 421]], "Indicator: Win32.Troj.Transport.b.kcloud": [[422, 451]], "Indicator: Trojan:DOS/Killmbr.dr": [[452, 473]], "Indicator: Trojan.Win32.A.PSW-Magania.285696.A": [[474, 509]], "Indicator: Trojan/Win32.Magania.R41109": [[510, 537]], "Indicator: BScope.P2P-Worm.Palevo": [[538, 560]], 
"Indicator: Trojan.Farfli!+e4pBtKCbqs": [[561, 586]]}, "info": {"id": "cyner2_5class_train_03324", "source": "cyner2_5class_train"}} +{"text": "Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments.", "spans": {"Organization: government, defense organizations": [[65, 98]], "Organization: Eastern European governments.": [[111, 140]]}, "info": {"id": "cyner2_5class_train_03325", "source": "cyner2_5class_train"}} +{"text": "FrozenCell is part of a very successful , multi-platform surveillance campaign .", "spans": {"Malware: FrozenCell": [[0, 10]]}, "info": {"id": "cyner2_5class_train_03326", "source": "cyner2_5class_train"}} +{"text": "JS/Nemucod is a JavaScript downloader trojan that targets users through malware spam campaigns.", "spans": {"Indicator: JS/Nemucod": [[0, 10]], "Malware: JavaScript downloader trojan": [[16, 44]], "Indicator: malware spam campaigns.": [[72, 95]]}, "info": {"id": "cyner2_5class_train_03327", "source": "cyner2_5class_train"}} +{"text": "This same attacker is also reported to have targeted various military installations in Central Asia in the past", "spans": {"Organization: military installations": [[61, 83]]}, "info": {"id": "cyner2_5class_train_03328", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.F222 Backdoor.Bedep.10384 BKDR_BEDEP.SMX Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_BEDEP.SMX Trojan.Win32.Yakes.dsmtzi Trojan.Bedep.62 BehavesLike.Win32.Spyware.cc Trojan.Win32.Crypt Backdoor/Bedep.v TR/Crypt.ZPACK.147808 Trojan[Backdoor]/Win32.Bedep Trojan.Kazy.D9859B Backdoor/Win32.Bedep.R154894 Backdoor.Bedep! 
W32/Bedep.D!tr Win32/Trojan.a60", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.F222": [[26, 42]], "Indicator: Backdoor.Bedep.10384": [[43, 63]], "Indicator: BKDR_BEDEP.SMX": [[64, 78], [122, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[79, 121]], "Indicator: Trojan.Win32.Yakes.dsmtzi": [[137, 162]], "Indicator: Trojan.Bedep.62": [[163, 178]], "Indicator: BehavesLike.Win32.Spyware.cc": [[179, 207]], "Indicator: Trojan.Win32.Crypt": [[208, 226]], "Indicator: Backdoor/Bedep.v": [[227, 243]], "Indicator: TR/Crypt.ZPACK.147808": [[244, 265]], "Indicator: Trojan[Backdoor]/Win32.Bedep": [[266, 294]], "Indicator: Trojan.Kazy.D9859B": [[295, 313]], "Indicator: Backdoor/Win32.Bedep.R154894": [[314, 342]], "Indicator: Backdoor.Bedep!": [[343, 358]], "Indicator: W32/Bedep.D!tr": [[359, 373]], "Indicator: Win32/Trojan.a60": [[374, 390]]}, "info": {"id": "cyner2_5class_train_03329", "source": "cyner2_5class_train"}} +{"text": "The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks.", "spans": {"Indicator: attack": [[38, 44]], "Organization: Sony Pictures Entertainment": [[48, 75]], "Indicator: DarkSeoul attacks.": [[89, 107]]}, "info": {"id": "cyner2_5class_train_03330", "source": "cyner2_5class_train"}} +{"text": "It is unclear how long the malicious code existed inside the apps , hence the actual spread of the malware remains unknown .", "spans": {}, "info": {"id": "cyner2_5class_train_03331", "source": "cyner2_5class_train"}} +{"text": "No Chrysaor apps were on Google Play .", "spans": {"Malware: Chrysaor": [[3, 11]], "System: Google Play": [[25, 36]]}, "info": {"id": "cyner2_5class_train_03332", "source": "cyner2_5class_train"}} +{"text": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus.", "spans": {"Organization: The Callisto Group": [[0, 18]], 
"Organization: military personnel, government officials, think tanks,": [[75, 129]], "Organization: journalists": [[134, 145]]}, "info": {"id": "cyner2_5class_train_03333", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9901 TROJ_GRAFTOR_GG3102DA.UVPM TrojWare.Win32.TrojanDownloader.Stantinko.CB Trojan.Kbdmai.83 TROJ_GRAFTOR_GG3102DA.UVPM TR/Downloader.amdkv TrojanDownloader:Win32/Stantinko.A!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9901": [[26, 68]], "Indicator: TROJ_GRAFTOR_GG3102DA.UVPM": [[69, 95], [158, 184]], "Indicator: TrojWare.Win32.TrojanDownloader.Stantinko.CB": [[96, 140]], "Indicator: Trojan.Kbdmai.83": [[141, 157]], "Indicator: TR/Downloader.amdkv": [[185, 204]], "Indicator: TrojanDownloader:Win32/Stantinko.A!bit": [[205, 243]], "Indicator: Trj/GdSda.A": [[244, 255]]}, "info": {"id": "cyner2_5class_train_03334", "source": "cyner2_5class_train"}} +{"text": "In this figure we have 11 RuMMS samples , all of which were hosted on the website as shown in the “ y ” axis .", "spans": {"Malware: RuMMS": [[26, 31]]}, "info": {"id": "cyner2_5class_train_03335", "source": "cyner2_5class_train"}} +{"text": "However , it does n't request permissions like BIND_ADMIN .", "spans": {}, "info": {"id": "cyner2_5class_train_03336", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Virut.low6 Trojan.Graftor.D295ED Win32.Trojan.WisdomEyes.16070401.9500.9753 Win.Adware.Downware-564 Trojan/Win32.Unknown Trojan:Win32/Vercuser.A Worm/Win32.VB.R47661 Backdoor.Bot Trj/CI.A I-Worm.Vercuser.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.low6": [[26, 40]], "Indicator: Trojan.Graftor.D295ED": [[41, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9753": [[63, 105]], "Indicator: Win.Adware.Downware-564": [[106, 129]], "Indicator: Trojan/Win32.Unknown": [[130, 150]], "Indicator: Trojan:Win32/Vercuser.A": 
[[151, 174]], "Indicator: Worm/Win32.VB.R47661": [[175, 195]], "Indicator: Backdoor.Bot": [[196, 208]], "Indicator: Trj/CI.A": [[209, 217]], "Indicator: I-Worm.Vercuser.A": [[218, 235]]}, "info": {"id": "cyner2_5class_train_03337", "source": "cyner2_5class_train"}} +{"text": "Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by Safeena Malik seemingly an enthusiastic activist with a strong interest in human rights.", "spans": {"Organization: Amnesty International": [[115, 136]], "Indicator: email": [[157, 162]], "Organization: social media": [[175, 187]], "Organization: Safeena Malik": [[191, 204]], "Organization: enthusiastic activist": [[218, 239]], "Organization: human rights.": [[266, 279]]}, "info": {"id": "cyner2_5class_train_03338", "source": "cyner2_5class_train"}} +{"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla .", "spans": {"Organization: New York Times": [[4, 18]], "Organization: Kryptowire": [[44, 54]], "Organization: BLU": [[150, 153]]}, "info": {"id": "cyner2_5class_train_03339", "source": "cyner2_5class_train"}} +{"text": "New FakeSpy campaign applications leveraging fake postal services apps .", "spans": {"Malware: FakeSpy": [[4, 11]]}, "info": {"id": "cyner2_5class_train_03340", "source": "cyner2_5class_train"}} +{"text": "These intents are typically defined statically in the app ’ s AndroidManifest.xml config file ; some HenBox variants register further intents from their code at run-time .", "spans": {"Malware: HenBox": [[101, 107]]}, "info": {"id": "cyner2_5class_train_03341", "source": "cyner2_5class_train"}} +{"text": "As Talos is constantly monitoring changes across the threat landscape to ensure that our customers remain protected as threats continue to evolve, we 
took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki Bot.", "spans": {"Organization: Talos": [[3, 8]], "Organization: customers": [[89, 98]], "Malware: threats": [[119, 126]], "Malware: malware variant": [[177, 192]], "Malware: Floki Bot.": [[256, 266]]}, "info": {"id": "cyner2_5class_train_03342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Malware.1 Win32.HEURCrypted Trojan.DownLoad.31887 TR/Spy.197632.C Heuristic.BehavesLike.Win32.Packed.C W32/Tibs.WA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Malware.1": [[26, 48]], "Indicator: Win32.HEURCrypted": [[49, 66]], "Indicator: Trojan.DownLoad.31887": [[67, 88]], "Indicator: TR/Spy.197632.C": [[89, 104]], "Indicator: Heuristic.BehavesLike.Win32.Packed.C": [[105, 141]], "Indicator: W32/Tibs.WA!tr": [[142, 156]]}, "info": {"id": "cyner2_5class_train_03343", "source": "cyner2_5class_train"}} +{"text": "According to the public information, cfm.com.ua domain belongs to the «Crystal Finance Millennium» software developer.", "spans": {"Indicator: the public information, cfm.com.ua domain": [[13, 54]], "Organization: the «Crystal Finance Millennium» software developer.": [[66, 118]]}, "info": {"id": "cyner2_5class_train_03344", "source": "cyner2_5class_train"}} +{"text": "Although early versions had some basic code and string obfuscation , protection of the third version of the malware was enhanced with the use of payload obfuscation .", "spans": {}, "info": {"id": "cyner2_5class_train_03345", "source": "cyner2_5class_train"}} +{"text": "Quick Sunday morning blog post, analysis of an unknown rtf file.", "spans": {"Indicator: unknown rtf file.": [[47, 64]]}, "info": {"id": "cyner2_5class_train_03346", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.JP.E5BA68 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Trojan.Win32.9728.ikjtj Trojan.DownLoader3.22821 
Trojan.Win32.Swisyn TR/Dldr.Quillo.A Trojan/Win32.Unknown TrojanDownloader:Win32/Quillo.A Trojan/Win32.HDC.C3028 Trojan.DL.Quillo!tw5+WNEhU5A W32/Downloader_x.FYF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.JP.E5BA68": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[48, 90]], "Indicator: Backdoor.Trojan": [[91, 106]], "Indicator: Trojan.Win32.9728.ikjtj": [[107, 130]], "Indicator: Trojan.DownLoader3.22821": [[131, 155]], "Indicator: Trojan.Win32.Swisyn": [[156, 175]], "Indicator: TR/Dldr.Quillo.A": [[176, 192]], "Indicator: Trojan/Win32.Unknown": [[193, 213]], "Indicator: TrojanDownloader:Win32/Quillo.A": [[214, 245]], "Indicator: Trojan/Win32.HDC.C3028": [[246, 268]], "Indicator: Trojan.DL.Quillo!tw5+WNEhU5A": [[269, 297]], "Indicator: W32/Downloader_x.FYF!tr": [[298, 321]]}, "info": {"id": "cyner2_5class_train_03347", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Blouiroet Trojan.Win32.Blouiroet.dx Trojan.Win32.Strictor.ewsjhc Troj.W32.Blouiroet!c Trojan.Blouiroet.Win32.43 BehavesLike.Win32.DlHelper.tc Trojan.Blouiroet.an TR/Blouiroet.shppj Trojan/Win32.Blouiroet Trojan.Zusy.D3860E Trojan.Win32.Z.Zusy.1282560 Trojan.Win32.Blouiroet.dx Trojan.Win32.Delf Trj/CI.A Win32/Trojan.c62", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Blouiroet": [[26, 42]], "Indicator: Trojan.Win32.Blouiroet.dx": [[43, 68], [284, 309]], "Indicator: Trojan.Win32.Strictor.ewsjhc": [[69, 97]], "Indicator: Troj.W32.Blouiroet!c": [[98, 118]], "Indicator: Trojan.Blouiroet.Win32.43": [[119, 144]], "Indicator: BehavesLike.Win32.DlHelper.tc": [[145, 174]], "Indicator: Trojan.Blouiroet.an": [[175, 194]], "Indicator: TR/Blouiroet.shppj": [[195, 213]], "Indicator: Trojan/Win32.Blouiroet": [[214, 236]], "Indicator: Trojan.Zusy.D3860E": [[237, 255]], "Indicator: Trojan.Win32.Z.Zusy.1282560": [[256, 283]], "Indicator: Trojan.Win32.Delf": [[310, 327]], "Indicator: Trj/CI.A": [[328, 336]], "Indicator: 
Win32/Trojan.c62": [[337, 353]]}, "info": {"id": "cyner2_5class_train_03348", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Lebreat.18944 Worm.Lebreat.Win32.18 W32/Lebreat.l Trojan.Win32.Lebreat.emyp W32/Breatle.L@mm W32.Spybot.Worm Win32/Lebreat.R Worm.Lebreat.D Net-Worm.Win32.Lebreat.l W32.W.Lebreat.l!c Worm.Win32.Lebreat.R Win32.HLLW.Breat BehavesLike.Win32.Backdoor.lc W32/Breatle.VJCM-5821 I-Worm/Lebreat.a DcomRpc.G!exploit Worm[Net]/Win32.Lebreat Win32/Lebreat.worm.18944.B Worm:Win32/Reatle.L@mm Worm.Lebreat Win32.Worm-net.Lebreat.Hugg Worm.Win32.Lebreat.l", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Lebreat.18944": [[26, 48]], "Indicator: Worm.Lebreat.Win32.18": [[49, 70]], "Indicator: W32/Lebreat.l": [[71, 84]], "Indicator: Trojan.Win32.Lebreat.emyp": [[85, 110]], "Indicator: W32/Breatle.L@mm": [[111, 127]], "Indicator: W32.Spybot.Worm": [[128, 143]], "Indicator: Win32/Lebreat.R": [[144, 159]], "Indicator: Worm.Lebreat.D": [[160, 174]], "Indicator: Net-Worm.Win32.Lebreat.l": [[175, 199]], "Indicator: W32.W.Lebreat.l!c": [[200, 217]], "Indicator: Worm.Win32.Lebreat.R": [[218, 238]], "Indicator: Win32.HLLW.Breat": [[239, 255]], "Indicator: BehavesLike.Win32.Backdoor.lc": [[256, 285]], "Indicator: W32/Breatle.VJCM-5821": [[286, 307]], "Indicator: I-Worm/Lebreat.a": [[308, 324]], "Indicator: DcomRpc.G!exploit": [[325, 342]], "Indicator: Worm[Net]/Win32.Lebreat": [[343, 366]], "Indicator: Win32/Lebreat.worm.18944.B": [[367, 393]], "Indicator: Worm:Win32/Reatle.L@mm": [[394, 416]], "Indicator: Worm.Lebreat": [[417, 429]], "Indicator: Win32.Worm-net.Lebreat.Hugg": [[430, 457]], "Indicator: Worm.Win32.Lebreat.l": [[458, 478]]}, "info": {"id": "cyner2_5class_train_03349", "source": "cyner2_5class_train"}} +{"text": "They range from the recreational apps like games, skins, and themes to phone optimization boosters.", "spans": {}, "info": {"id": "cyner2_5class_train_03350", "source": "cyner2_5class_train"}} 
+{"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) .", "spans": {"System: Super Mario Run": [[56, 71]], "System: Android": [[72, 79]], "Malware: DroidJack RAT": [[125, 138]]}, "info": {"id": "cyner2_5class_train_03351", "source": "cyner2_5class_train"}} +{"text": "The AlienVault team has researched and added more IOC s found in the OTX portal.", "spans": {"Organization: The AlienVault team": [[0, 19]], "Indicator: IOC": [[50, 53]], "System: the OTX portal.": [[65, 80]]}, "info": {"id": "cyner2_5class_train_03352", "source": "cyner2_5class_train"}} +{"text": "The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers ’ C2 server : It appears that the attackers were using a specific C2 for the use of that app .", "spans": {"System: XMPP": [[130, 134]]}, "info": {"id": "cyner2_5class_train_03353", "source": "cyner2_5class_train"}} +{"text": "EventBot appears to be a completely new malware in the early stages of development , giving us an interesting view into how attackers create and test their malware .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_03354", "source": "cyner2_5class_train"}} +{"text": "During this period , malware samples display some typical adware characteristics such as unnecessary permission requirements and pop-up windows .", "spans": {"System: windows": [[136, 143]]}, "info": {"id": "cyner2_5class_train_03355", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Teamspy.34816.C TrojanSpy.Skeeyah Win32.Trojan.WisdomEyes.16070401.9500.9565 Backdoor.Noknef TSPY_KONNI.A Trojan-Spy.Win32.Teamspy.jb Trojan.Win32.Teamspy.eojkym Troj.Spy.W32!c Trojan.DownLoader25.6499 TSPY_KONNI.A W32/Trojan.TMQM-1890 TrojanSpy.Teamspy.al TR/Taranis.4651 Trojan[Spy]/Win32.TeamSpy 
Trojan-Spy.Win32.Teamspy.jb Backdoor:Win32/Konny.A Spyware.Infostealer.86016 TrojanSpy.Teamspy Trojan.PasswordStealer Win32.Trojan-spy.Teamspy.Phgj TrojanSpy.Teamspy!7hsJ3qOc7gU Trojan.Taranis Trj/GdSda.A Win32/Trojan.6af", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Teamspy.34816.C": [[26, 56]], "Indicator: TrojanSpy.Skeeyah": [[57, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9565": [[75, 117]], "Indicator: Backdoor.Noknef": [[118, 133]], "Indicator: TSPY_KONNI.A": [[134, 146], [243, 255]], "Indicator: Trojan-Spy.Win32.Teamspy.jb": [[147, 174], [340, 367]], "Indicator: Trojan.Win32.Teamspy.eojkym": [[175, 202]], "Indicator: Troj.Spy.W32!c": [[203, 217]], "Indicator: Trojan.DownLoader25.6499": [[218, 242]], "Indicator: W32/Trojan.TMQM-1890": [[256, 276]], "Indicator: TrojanSpy.Teamspy.al": [[277, 297]], "Indicator: TR/Taranis.4651": [[298, 313]], "Indicator: Trojan[Spy]/Win32.TeamSpy": [[314, 339]], "Indicator: Backdoor:Win32/Konny.A": [[368, 390]], "Indicator: Spyware.Infostealer.86016": [[391, 416]], "Indicator: TrojanSpy.Teamspy": [[417, 434]], "Indicator: Trojan.PasswordStealer": [[435, 457]], "Indicator: Win32.Trojan-spy.Teamspy.Phgj": [[458, 487]], "Indicator: TrojanSpy.Teamspy!7hsJ3qOc7gU": [[488, 517]], "Indicator: Trojan.Taranis": [[518, 532]], "Indicator: Trj/GdSda.A": [[533, 544]], "Indicator: Win32/Trojan.6af": [[545, 561]]}, "info": {"id": "cyner2_5class_train_03356", "source": "cyner2_5class_train"}} +{"text": "In mid-2022, Mandiant, in collaboration with Fortinet, investigated the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate firewall, FortiManager centralized management solution, and FortiAnalyzer log management, analytics, and reporting platform.", "spans": {"Organization: Mandiant,": [[13, 22]], "Organization: Fortinet,": [[45, 54]], "Malware: exploitation": [[72, 84]], "Malware: malware": [[103, 110]], "Organization: Fortinet": [[127, 135]], "System: FortiGate 
firewall, FortiManager centralized management solution,": [[156, 221]], "System: FortiAnalyzer log management, analytics, and reporting platform.": [[226, 290]]}, "info": {"id": "cyner2_5class_train_03357", "source": "cyner2_5class_train"}} +{"text": "This malware can intercept the user's personal data, such as SMS messages, MMS messages, and USSD requests.", "spans": {"Malware: malware": [[5, 12]], "Organization: user's personal data,": [[31, 52]], "Indicator: SMS": [[61, 64]], "Indicator: MMS": [[75, 78]], "Indicator: USSD requests.": [[93, 107]]}, "info": {"id": "cyner2_5class_train_03358", "source": "cyner2_5class_train"}} +{"text": "HummingWhale , by contrast , managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times , according to researchers from Check Point , the security company that has been closely following the malware family for almost a year .", "spans": {"Malware: HummingWhale": [[0, 12]], "System: Google Play": [[68, 79]], "Organization: Check Point": [[173, 184]]}, "info": {"id": "cyner2_5class_train_03359", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Supermm.1.0.B Backdoor/W32.SuperMM.251764 Backdoor.Win32.SuperMM.10!O BackDoor-ACL.dll Backdoor/SuperMM.10.b W32/Backdoor.MRCA-2263 Backdoor.Trojan Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.b Backdoor.Supermm.1.0.B Trojan.Win32.SuperMM-10.gtre Backdoor.Win32.Z.Supermm.251764 Backdoor.W32.Supermm!c Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.B Backdoor.Supermm.1.0.B BackDoor.SuperMM.10 Backdoor.SuperMM.Win32.7 BackDoor-ACL.dll Trojan/PSW.Oicqmm98.Dll Trojan[Backdoor]/Win32.SuperMM Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.b Backdoor:Win32/SuperMM.B Backdoor.Supermm.1.0.B Backdoor.SuperMM Win32/SuperMM.10.B Win32.Backdoor.Supermm.Tayo Trojan.Win32.Supermm BDoor.ACL!tr.bdr Win32/Backdoor.831", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Supermm.1.0.B": [[26, 48], [183, 205], 
[234, 256], [341, 363], [392, 414], [532, 554], [608, 630]], "Indicator: Backdoor/W32.SuperMM.251764": [[49, 76]], "Indicator: Backdoor.Win32.SuperMM.10!O": [[77, 104]], "Indicator: BackDoor-ACL.dll": [[105, 121], [460, 476]], "Indicator: Backdoor/SuperMM.10.b": [[122, 143]], "Indicator: W32/Backdoor.MRCA-2263": [[144, 166]], "Indicator: Backdoor.Trojan": [[167, 182]], "Indicator: Backdoor.Win32.SuperMM.10.b": [[206, 233], [555, 582]], "Indicator: Trojan.Win32.SuperMM-10.gtre": [[257, 285]], "Indicator: Backdoor.Win32.Z.Supermm.251764": [[286, 317]], "Indicator: Backdoor.W32.Supermm!c": [[318, 340]], "Indicator: Backdoor.Win32.SuperMM.10.B": [[364, 391]], "Indicator: BackDoor.SuperMM.10": [[415, 434]], "Indicator: Backdoor.SuperMM.Win32.7": [[435, 459]], "Indicator: Trojan/PSW.Oicqmm98.Dll": [[477, 500]], "Indicator: Trojan[Backdoor]/Win32.SuperMM": [[501, 531]], "Indicator: Backdoor:Win32/SuperMM.B": [[583, 607]], "Indicator: Backdoor.SuperMM": [[631, 647]], "Indicator: Win32/SuperMM.10.B": [[648, 666]], "Indicator: Win32.Backdoor.Supermm.Tayo": [[667, 694]], "Indicator: Trojan.Win32.Supermm": [[695, 715]], "Indicator: BDoor.ACL!tr.bdr": [[716, 732]], "Indicator: Win32/Backdoor.831": [[733, 751]]}, "info": {"id": "cyner2_5class_train_03360", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Truvasys TSPY_LIMITAIL.XXUDN Trojan.Win32.StrongPity.ekmtaw Troj.W32.Strongpity!c TSPY_LIMITAIL.XXUDN Trojan.StrongPity.j TR/StrongPity.vtcv Trojan/Win32.StrongPity Backdoor:Win32/Truvasys.A!dha PUP/Win32.DealPly.C2030575 Trojan.StrongPity! 
Trojan.StrongPity Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Truvasys": [[26, 43]], "Indicator: TSPY_LIMITAIL.XXUDN": [[44, 63], [117, 136]], "Indicator: Trojan.Win32.StrongPity.ekmtaw": [[64, 94]], "Indicator: Troj.W32.Strongpity!c": [[95, 116]], "Indicator: Trojan.StrongPity.j": [[137, 156]], "Indicator: TR/StrongPity.vtcv": [[157, 175]], "Indicator: Trojan/Win32.StrongPity": [[176, 199]], "Indicator: Backdoor:Win32/Truvasys.A!dha": [[200, 229]], "Indicator: PUP/Win32.DealPly.C2030575": [[230, 256]], "Indicator: Trojan.StrongPity!": [[257, 275]], "Indicator: Trojan.StrongPity": [[276, 293]], "Indicator: Trj/GdSda.A": [[294, 305]]}, "info": {"id": "cyner2_5class_train_03361", "source": "cyner2_5class_train"}} +{"text": "The adware Trojan in fact potentially allows full remote access to the infected device.", "spans": {"Malware: The adware Trojan": [[0, 17]], "Indicator: full remote access": [[45, 63]], "System: the infected device.": [[67, 87]]}, "info": {"id": "cyner2_5class_train_03362", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Bublik!O Trojan.Bublik.Win32.6109 W32.W.AutoRun.l0qv Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VB.xswue BehavesLike.Win32.Emotet.dh Trojan/Bublik.ccj Trojan/Win32.Bublik Trojan.Barys.D7D1 Trojan:Win32/Klovbot.B Trojan/Win32.VBNA.R146461 Trj/CI.A Trojan.Bublik!ZPZ98Vxhajk W32/VBKrypt.CFFF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Bublik!O": [[26, 47]], "Indicator: Trojan.Bublik.Win32.6109": [[48, 72]], "Indicator: W32.W.AutoRun.l0qv": [[73, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[92, 134]], "Indicator: Trojan.Win32.VB.xswue": [[135, 156]], "Indicator: BehavesLike.Win32.Emotet.dh": [[157, 184]], "Indicator: Trojan/Bublik.ccj": [[185, 202]], "Indicator: Trojan/Win32.Bublik": [[203, 222]], "Indicator: Trojan.Barys.D7D1": [[223, 240]], "Indicator: Trojan:Win32/Klovbot.B": [[241, 263]], "Indicator: 
Trojan/Win32.VBNA.R146461": [[264, 289]], "Indicator: Trj/CI.A": [[290, 298]], "Indicator: Trojan.Bublik!ZPZ98Vxhajk": [[299, 324]], "Indicator: W32/VBKrypt.CFFF!tr": [[325, 344]]}, "info": {"id": "cyner2_5class_train_03363", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Backdoor.Win32.Androm.oyzg Trojan.Win32.Androm.exrcqp Trojan.DownLoader26.14208 BehavesLike.Win32.Trojan.cc Trojan.MSIL.Crypt TR/Dropper.MSIL.ruzhp Backdoor.Win32.Androm.oyzg Trj/GdSda.A Win32.Backdoor.Androm.Ajls MSIL/Kryptik.BLU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]], "Indicator: Backdoor.Win32.Androm.oyzg": [[69, 95], [217, 243]], "Indicator: Trojan.Win32.Androm.exrcqp": [[96, 122]], "Indicator: Trojan.DownLoader26.14208": [[123, 148]], "Indicator: BehavesLike.Win32.Trojan.cc": [[149, 176]], "Indicator: Trojan.MSIL.Crypt": [[177, 194]], "Indicator: TR/Dropper.MSIL.ruzhp": [[195, 216]], "Indicator: Trj/GdSda.A": [[244, 255]], "Indicator: Win32.Backdoor.Androm.Ajls": [[256, 282]], "Indicator: MSIL/Kryptik.BLU!tr": [[283, 302]]}, "info": {"id": "cyner2_5class_train_03364", "source": "cyner2_5class_train"}} +{"text": "But the apps , with their many millions of users , have captured the attention of the bad actors , too , who are exploiting the popularity of Netflix to spread malware .", "spans": {"Organization: Netflix": [[142, 149]]}, "info": {"id": "cyner2_5class_train_03365", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanspy.Enkalogs TSPY_KEYLOG.AUSJOZ Win32.Trojan.WisdomEyes.16070401.9500.9994 TSPY_KEYLOG.AUSJOZ Trojan.Win32.Keylogger.evqveo Trojan.Win32.Z.Kazy.30722 W32/Application.BPVK-3177 Trojan.Kazy.D8E58F TrojanSpy:MSIL/Enkalogs.A Trj/GdSda.A MSIL/Keylogger.II!tr.spy Win32/Trojan.40d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanspy.Enkalogs": [[26, 44]], "Indicator: TSPY_KEYLOG.AUSJOZ": [[45, 63], 
[107, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[64, 106]], "Indicator: Trojan.Win32.Keylogger.evqveo": [[126, 155]], "Indicator: Trojan.Win32.Z.Kazy.30722": [[156, 181]], "Indicator: W32/Application.BPVK-3177": [[182, 207]], "Indicator: Trojan.Kazy.D8E58F": [[208, 226]], "Indicator: TrojanSpy:MSIL/Enkalogs.A": [[227, 252]], "Indicator: Trj/GdSda.A": [[253, 264]], "Indicator: MSIL/Keylogger.II!tr.spy": [[265, 289]], "Indicator: Win32/Trojan.40d": [[290, 306]]}, "info": {"id": "cyner2_5class_train_03366", "source": "cyner2_5class_train"}} +{"text": "CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine.", "spans": {"Organization: CyberX": [[0, 6]], "Organization: targets": [[99, 106]]}, "info": {"id": "cyner2_5class_train_03367", "source": "cyner2_5class_train"}} +{"text": "At this stage , the analysis can only continue by manually investigating the individual code blocks and opcode handlers , which are highly obfuscated ( also using spaghetti code ) .", "spans": {}, "info": {"id": "cyner2_5class_train_03368", "source": "cyner2_5class_train"}} +{"text": "Infection The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service .", "spans": {}, "info": {"id": "cyner2_5class_train_03369", "source": "cyner2_5class_train"}} +{"text": "Figure 8 – Android requirements Android malware has been around for many years and will be with us for the foreseeable future .", "spans": {"System: Android": [[11, 18], [32, 39]]}, "info": {"id": "cyner2_5class_train_03370", "source": "cyner2_5class_train"}} +{"text": "Since the plugin development pattern is generic and the plugin SDK can be easily embedded, the plugin architecture could be a trend among Android malware in the future.", "spans": {"Indicator: plugin development pattern": [[10, 36]], "System: plugin SDK": [[56, 66]], "System: plugin architecture": [[95, 114]], "Malware: Android malware": 
[[138, 153]]}, "info": {"id": "cyner2_5class_train_03371", "source": "cyner2_5class_train"}} +{"text": "A commercially available RAT.", "spans": {"Malware: RAT.": [[25, 29]]}, "info": {"id": "cyner2_5class_train_03372", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JPIS Trojan.Downloader.JPIS Trojan.Downloader.JPIS TROJ_DALBOT.SMRR Win32.Trojan.WisdomEyes.16070401.9500.9750 TROJ_DALBOT.SMRR Win.Trojan.Leepload-1 Trojan.Downloader.JPIS Trojan.Downloader.JPIS Trojan.Win32.DloadrDOI.sxvve Trojan.Win32.A.Downloader.73728.ABY Trojan.Downloader.JPIS Trojan.DownLoader6.34186 W32/Trojan.USUV-7153 Trojan/Win32.Unknown TrojanDownloader:Win32/Dalbot.A Win-Trojan/Dalbot.73728 Win32/Trojan.b77", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JPIS": [[26, 48], [49, 71], [72, 94], [194, 216], [217, 239], [305, 327]], "Indicator: TROJ_DALBOT.SMRR": [[95, 111], [155, 171]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9750": [[112, 154]], "Indicator: Win.Trojan.Leepload-1": [[172, 193]], "Indicator: Trojan.Win32.DloadrDOI.sxvve": [[240, 268]], "Indicator: Trojan.Win32.A.Downloader.73728.ABY": [[269, 304]], "Indicator: Trojan.DownLoader6.34186": [[328, 352]], "Indicator: W32/Trojan.USUV-7153": [[353, 373]], "Indicator: Trojan/Win32.Unknown": [[374, 394]], "Indicator: TrojanDownloader:Win32/Dalbot.A": [[395, 426]], "Indicator: Win-Trojan/Dalbot.73728": [[427, 450]], "Indicator: Win32/Trojan.b77": [[451, 467]]}, "info": {"id": "cyner2_5class_train_03373", "source": "cyner2_5class_train"}} +{"text": "We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today", "spans": {"Organization: Adobe": [[28, 33]], "Indicator: CVE-2017-11292": [[50, 64]]}, "info": {"id": "cyner2_5class_train_03374", "source": "cyner2_5class_train"}} +{"text": "Figure 3 : Step two of the credential phish asking for the victim ’ s email address and phone number Having stolen the victim ’ s account and 
personal information , the scammer introduces a social engineering scheme , informing users that they currently do not have the “ Bank Austria Security App ” installed on their smartphone and must download it to proceed .", "spans": {"System: Bank Austria Security App": [[272, 297]]}, "info": {"id": "cyner2_5class_train_03375", "source": "cyner2_5class_train"}} +{"text": "This particular application is signed with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15 : A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware .", "spans": {"Indicator: A8:55:46:32:15 : A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6": [[305, 362]], "Indicator: 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F": [[375, 444]]}, "info": {"id": "cyner2_5class_train_03376", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Autorun.VX Trojan/W32.Cosmu.214528.B Trojan.Win32.Cosmu!O Worm.Nenebra.AP8 Win32.Worm.Delf.ca W32/Cosmu.C W32.SillyFDC Win32/Cosmu.AO Win.Trojan.Cosmu-268 Win32.Worm.Autorun.VX Trojan-Ransom.Win32.Blocker.iwkz Win32.Worm.Autorun.VX Trojan.Win32.Cosmu.vifkp Trojan.Win32.A.Cosmu.212480[UPX] Win32.Trojan.Blocker.Wnme Win32.Worm.Autorun.VX Win32.Worm.Autorun.VX Win32.HLLW.Autoruner.57682 Trojan.Cosmu.Win32.9114 W32/Cosmu.KVSE-8775 Trojan/Cosmu.gje WORM/Nenebra.A Trojan/Win32.Cosmu Win32.Worm.Autorun.VX Troj.Ransom.W32.Blocker!c Worm:Win32/Nenebra.A Win32.Worm.Autorun.VX TScope.Trojan.Delf Worm.AutoRun Trojan.Cosmu Win32/AutoRun.Delf.HF Trojan.Cosmu!gKBhUwtv5Oc Trojan-Downloader.Win32.Banload W32/Cosmu.XXS!tr W32/Autorun.JYX 
Win32/Worm.00b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Autorun.VX": [[26, 47], [192, 213], [247, 268], [353, 374], [375, 396], [519, 540], [588, 609]], "Indicator: Trojan/W32.Cosmu.214528.B": [[48, 73]], "Indicator: Trojan.Win32.Cosmu!O": [[74, 94]], "Indicator: Worm.Nenebra.AP8": [[95, 111]], "Indicator: Win32.Worm.Delf.ca": [[112, 130]], "Indicator: W32/Cosmu.C": [[131, 142]], "Indicator: W32.SillyFDC": [[143, 155]], "Indicator: Win32/Cosmu.AO": [[156, 170]], "Indicator: Win.Trojan.Cosmu-268": [[171, 191]], "Indicator: Trojan-Ransom.Win32.Blocker.iwkz": [[214, 246]], "Indicator: Trojan.Win32.Cosmu.vifkp": [[269, 293]], "Indicator: Trojan.Win32.A.Cosmu.212480[UPX]": [[294, 326]], "Indicator: Win32.Trojan.Blocker.Wnme": [[327, 352]], "Indicator: Win32.HLLW.Autoruner.57682": [[397, 423]], "Indicator: Trojan.Cosmu.Win32.9114": [[424, 447]], "Indicator: W32/Cosmu.KVSE-8775": [[448, 467]], "Indicator: Trojan/Cosmu.gje": [[468, 484]], "Indicator: WORM/Nenebra.A": [[485, 499]], "Indicator: Trojan/Win32.Cosmu": [[500, 518]], "Indicator: Troj.Ransom.W32.Blocker!c": [[541, 566]], "Indicator: Worm:Win32/Nenebra.A": [[567, 587]], "Indicator: TScope.Trojan.Delf": [[610, 628]], "Indicator: Worm.AutoRun": [[629, 641]], "Indicator: Trojan.Cosmu": [[642, 654]], "Indicator: Win32/AutoRun.Delf.HF": [[655, 676]], "Indicator: Trojan.Cosmu!gKBhUwtv5Oc": [[677, 701]], "Indicator: Trojan-Downloader.Win32.Banload": [[702, 733]], "Indicator: W32/Cosmu.XXS!tr": [[734, 750]], "Indicator: W32/Autorun.JYX": [[751, 766]], "Indicator: Win32/Worm.00b": [[767, 781]]}, "info": {"id": "cyner2_5class_train_03377", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D2ECF0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader26.14415 BehavesLike.Win32.Trojan.cc W32/Trojan.UDBU-2080 TR/Crypt.Xpack.dmslo Backdoor/Win32.Androm.C2026756 Trj/GdSda.A Trojan.Win32.Injector Win32/Trojan.bd4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.Razy.D2ECF0": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Trojan.DownLoader26.14415": [[88, 113]], "Indicator: BehavesLike.Win32.Trojan.cc": [[114, 141]], "Indicator: W32/Trojan.UDBU-2080": [[142, 162]], "Indicator: TR/Crypt.Xpack.dmslo": [[163, 183]], "Indicator: Backdoor/Win32.Androm.C2026756": [[184, 214]], "Indicator: Trj/GdSda.A": [[215, 226]], "Indicator: Trojan.Win32.Injector": [[227, 248]], "Indicator: Win32/Trojan.bd4": [[249, 265]]}, "info": {"id": "cyner2_5class_train_03378", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Runner.T Trojan/W32.Runner.2560.C Trojan.Win32.Runner!O Trojan.Runner.T W32/Runner.A Trojan.Runner.T Trojan.Win32.Runner.s Trojan.Runner.T Trojan.Runner.T Trojan.Win32.Runner W32/Runner.A Trojan/PSW.Almat.xs Trojan:Win32/Runner.D Troj.Dropper.W32.Small.kZ2V Trojan.Win32.Runner.s Trojan/Win32.Runner.C82211 Trojan.Runner.T HEUR/QVM39.1.CC7B.Trojan.Win32.Runner", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Runner.T": [[26, 41], [89, 104], [118, 133], [156, 171], [172, 187], [340, 355]], "Indicator: Trojan/W32.Runner.2560.C": [[42, 66]], "Indicator: Trojan.Win32.Runner!O": [[67, 88]], "Indicator: W32/Runner.A": [[105, 117], [208, 220]], "Indicator: Trojan.Win32.Runner.s": [[134, 155], [291, 312]], "Indicator: Trojan.Win32.Runner": [[188, 207]], "Indicator: Trojan/PSW.Almat.xs": [[221, 240]], "Indicator: Trojan:Win32/Runner.D": [[241, 262]], "Indicator: Troj.Dropper.W32.Small.kZ2V": [[263, 290]], "Indicator: Trojan/Win32.Runner.C82211": [[313, 339]], "Indicator: HEUR/QVM39.1.CC7B.Trojan.Win32.Runner": [[356, 393]]}, "info": {"id": "cyner2_5class_train_03379", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.FC.6901 Trojan.Zusy.D1C473 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win64.Miner.re Trojan.Win32.Diztakun.dbjduc Trojan.Win32.Z.Zusy.37376.CM BehavesLike.Win32.PWSZbot.nm Trojan.Win32.Diztakun 
Trojan/Win64.Miner TrojanSpy:MSIL/Logstel.A Trojan.Win64.Miner.re Trj/GdSda.A Win64.Trojan.Miner.Dxwy Win32/Trojan.Spy.8ab", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.FC.6901": [[26, 45]], "Indicator: Trojan.Zusy.D1C473": [[46, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[65, 107]], "Indicator: Trojan.Win64.Miner.re": [[108, 129], [283, 304]], "Indicator: Trojan.Win32.Diztakun.dbjduc": [[130, 158]], "Indicator: Trojan.Win32.Z.Zusy.37376.CM": [[159, 187]], "Indicator: BehavesLike.Win32.PWSZbot.nm": [[188, 216]], "Indicator: Trojan.Win32.Diztakun": [[217, 238]], "Indicator: Trojan/Win64.Miner": [[239, 257]], "Indicator: TrojanSpy:MSIL/Logstel.A": [[258, 282]], "Indicator: Trj/GdSda.A": [[305, 316]], "Indicator: Win64.Trojan.Miner.Dxwy": [[317, 340]], "Indicator: Win32/Trojan.Spy.8ab": [[341, 361]]}, "info": {"id": "cyner2_5class_train_03380", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Hamaetot.A3 Trojan.Razy.D176F BKDR_HAMAETOT.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_HAMAETOT.SM Win.Trojan.Stainz-1 Trojan.DownLoader9.62446 BehavesLike.Win32.Trojan.mm Backdoor/MSIL.vh Trojan/Win32.MSILBot Backdoor:MSIL/Hamaetot.A Win32.Outbreak", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hamaetot.A3": [[26, 46]], "Indicator: Trojan.Razy.D176F": [[47, 64]], "Indicator: BKDR_HAMAETOT.SM": [[65, 81], [125, 141]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Win.Trojan.Stainz-1": [[142, 161]], "Indicator: Trojan.DownLoader9.62446": [[162, 186]], "Indicator: BehavesLike.Win32.Trojan.mm": [[187, 214]], "Indicator: Backdoor/MSIL.vh": [[215, 231]], "Indicator: Trojan/Win32.MSILBot": [[232, 252]], "Indicator: Backdoor:MSIL/Hamaetot.A": [[253, 277]], "Indicator: Win32.Outbreak": [[278, 292]]}, "info": {"id": "cyner2_5class_train_03381", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Small.eftzxb 
TrojWare.MSIL.Tiny.HA Trojan.PWS.Stealer.18264 Trojan.MSIL.Small PWS:MSIL/OnLineGames.NW!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Small.eftzxb": [[26, 51]], "Indicator: TrojWare.MSIL.Tiny.HA": [[52, 73]], "Indicator: Trojan.PWS.Stealer.18264": [[74, 98]], "Indicator: Trojan.MSIL.Small": [[99, 116]], "Indicator: PWS:MSIL/OnLineGames.NW!bit": [[117, 144]]}, "info": {"id": "cyner2_5class_train_03382", "source": "cyner2_5class_train"}} +{"text": "] 31 162.243.172 [ .", "spans": {"Indicator: 162.243.172 [ .": [[5, 20]]}, "info": {"id": "cyner2_5class_train_03383", "source": "cyner2_5class_train"}} +{"text": "] today shop [ .", "spans": {"Indicator: shop [ .": [[8, 16]]}, "info": {"id": "cyner2_5class_train_03384", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.90AF Win32.Trojan.WisdomEyes.16070401.9500.9998 Packed.Win32.Katusha.o Trojan.Win32.Waledac Trojan.Heur.TDss.EF7F42 Packed.Win32.Katusha.o BScope.Trojan.MTA.0795", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.90AF": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[43, 85]], "Indicator: Packed.Win32.Katusha.o": [[86, 108], [154, 176]], "Indicator: Trojan.Win32.Waledac": [[109, 129]], "Indicator: Trojan.Heur.TDss.EF7F42": [[130, 153]], "Indicator: BScope.Trojan.MTA.0795": [[177, 199]]}, "info": {"id": "cyner2_5class_train_03385", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VBKrypt!O VBObfus.m Trojan/VBKrypt.cyuv Trojan.VBKrypt.55 Win32.Worm.Autorun.l W32.Changeup WORM_VOBFUS.SMHF Win.Trojan.Changeup-6169544-0 Worm.Win32.WBNA.ipa Trojan.Win32.WBNA.dxinid Troj.PSW32.W.VB.lPYN Win32.HLLW.Autoruner.49334 WORM_VOBFUS.SMHF BehavesLike.Win32.VBObfus.dm TR/VBKrypt.cyuv.30 Worm:Win32/Vbnoet.A Trojan.Win32.A.VBKrypt.258048 Worm.Win32.WBNA.ipa Trojan/Win32.VBKrypt.R5059 Trojan-Dropper.Krumkach.11521", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VBKrypt!O": 
[[26, 48]], "Indicator: VBObfus.m": [[49, 58]], "Indicator: Trojan/VBKrypt.cyuv": [[59, 78]], "Indicator: Trojan.VBKrypt.55": [[79, 96]], "Indicator: Win32.Worm.Autorun.l": [[97, 117]], "Indicator: W32.Changeup": [[118, 130]], "Indicator: WORM_VOBFUS.SMHF": [[131, 147], [271, 287]], "Indicator: Win.Trojan.Changeup-6169544-0": [[148, 177]], "Indicator: Worm.Win32.WBNA.ipa": [[178, 197], [386, 405]], "Indicator: Trojan.Win32.WBNA.dxinid": [[198, 222]], "Indicator: Troj.PSW32.W.VB.lPYN": [[223, 243]], "Indicator: Win32.HLLW.Autoruner.49334": [[244, 270]], "Indicator: BehavesLike.Win32.VBObfus.dm": [[288, 316]], "Indicator: TR/VBKrypt.cyuv.30": [[317, 335]], "Indicator: Worm:Win32/Vbnoet.A": [[336, 355]], "Indicator: Trojan.Win32.A.VBKrypt.258048": [[356, 385]], "Indicator: Trojan/Win32.VBKrypt.R5059": [[406, 432]], "Indicator: Trojan-Dropper.Krumkach.11521": [[433, 462]]}, "info": {"id": "cyner2_5class_train_03386", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.MSIL Trojan.Win32.Z.Razy.20992.AYN Troj.Downloader.Msil!c Trojan.DownLoader25.50379 W32/Trojan.SKRD-4085 TrojanDownloader.MSIL.pxb Trojan.Razy.D361CA Backdoor:MSIL/Quasarat.A!bit Trj/GdSda.A Trojan.FOIG!tr Win32/Trojan.116", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.MSIL": [[26, 47]], "Indicator: Trojan.Win32.Z.Razy.20992.AYN": [[48, 77]], "Indicator: Troj.Downloader.Msil!c": [[78, 100]], "Indicator: Trojan.DownLoader25.50379": [[101, 126]], "Indicator: W32/Trojan.SKRD-4085": [[127, 147]], "Indicator: TrojanDownloader.MSIL.pxb": [[148, 173]], "Indicator: Trojan.Razy.D361CA": [[174, 192]], "Indicator: Backdoor:MSIL/Quasarat.A!bit": [[193, 221]], "Indicator: Trj/GdSda.A": [[222, 233]], "Indicator: Trojan.FOIG!tr": [[234, 248]], "Indicator: Win32/Trojan.116": [[249, 265]]}, "info": {"id": "cyner2_5class_train_03387", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Ransom.FileCryptor Troj.Ransom.Msil!c 
Win32.Trojan.WisdomEyes.16070401.9500.9811 W32/Ransom.TAAZ-2840 Trojan.Win32.Ransom.ewmfpk Trojan.Encoder.5035 BehavesLike.Win32.Trojan.pc Trojan-Ransom.FileCoder Trojan.MSIL.hyys TR/Ransom.cgaxa Trj/GdSda.A Win32.Trojan.Raas.Auto MSIL/Filecoder.AC!tr Win32/Trojan.Ransom.568", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Ransom.FileCryptor": [[38, 56]], "Indicator: Troj.Ransom.Msil!c": [[57, 75]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9811": [[76, 118]], "Indicator: W32/Ransom.TAAZ-2840": [[119, 139]], "Indicator: Trojan.Win32.Ransom.ewmfpk": [[140, 166]], "Indicator: Trojan.Encoder.5035": [[167, 186]], "Indicator: BehavesLike.Win32.Trojan.pc": [[187, 214]], "Indicator: Trojan-Ransom.FileCoder": [[215, 238]], "Indicator: Trojan.MSIL.hyys": [[239, 255]], "Indicator: TR/Ransom.cgaxa": [[256, 271]], "Indicator: Trj/GdSda.A": [[272, 283]], "Indicator: Win32.Trojan.Raas.Auto": [[284, 306]], "Indicator: MSIL/Filecoder.AC!tr": [[307, 327]], "Indicator: Win32/Trojan.Ransom.568": [[328, 351]]}, "info": {"id": "cyner2_5class_train_03388", "source": "cyner2_5class_train"}} +{"text": "Moroever, the vawtrak sample we got downloads a new memory scraping malware that scans for credit card data in memory.", "spans": {"Malware: vawtrak": [[14, 21]], "Malware: memory scraping malware": [[52, 75]], "Indicator: for credit card data in memory.": [[87, 118]]}, "info": {"id": "cyner2_5class_train_03389", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Cosratu TrojWare.MSIL.Cosratu.QOA Trojan.PWS.Stealer.20141 TR/Downloader.aymho PWS:MSIL/Cosratu.A!bit Trj/GdSda.A Trojan.Razy.D36F19 Trojan.MSIL.PSW Win32/Trojan.480", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Cosratu": [[26, 43]], "Indicator: TrojWare.MSIL.Cosratu.QOA": [[44, 69]], "Indicator: Trojan.PWS.Stealer.20141": [[70, 94]], "Indicator: TR/Downloader.aymho": [[95, 114]], "Indicator: PWS:MSIL/Cosratu.A!bit": [[115, 137]], 
"Indicator: Trj/GdSda.A": [[138, 149]], "Indicator: Trojan.Razy.D36F19": [[150, 168]], "Indicator: Trojan.MSIL.PSW": [[169, 184]], "Indicator: Win32/Trojan.480": [[185, 201]]}, "info": {"id": "cyner2_5class_train_03390", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojannotifier.Phinot Trojan/Phinot.120 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor.HHE Backdoor.Trojan Win32/Small.BX TROJ_PHINOT.A Trojan-Notifier.Win32.Phinot.120 Trojan.Win32.Phinot.hkgh Trojan.Popon Trojan.Phinot.Win32.1 Trojan.Win32.DNSChanger W32/Backdoor.HEXL-8738 Trojan/Delf.Phinot.a Trojan[Notifier]/Win32.Phinot Win32.Troj.Phinot.12.kcloud Trojan.Heur.GZ.E38D33 Troj.Notifier.W32.Phinot.120!c Trojan-Notifier.Win32.Phinot.120 Win32.Trojan.Phinot.Wstw Trojan.Phinot!Cq2wyKHab1w W32/Phinot.120!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojannotifier.Phinot": [[26, 47]], "Indicator: Trojan/Phinot.120": [[48, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[66, 108]], "Indicator: W32/Backdoor.HHE": [[109, 125]], "Indicator: Backdoor.Trojan": [[126, 141]], "Indicator: Win32/Small.BX": [[142, 156]], "Indicator: TROJ_PHINOT.A": [[157, 170]], "Indicator: Trojan-Notifier.Win32.Phinot.120": [[171, 203], [443, 475]], "Indicator: Trojan.Win32.Phinot.hkgh": [[204, 228]], "Indicator: Trojan.Popon": [[229, 241]], "Indicator: Trojan.Phinot.Win32.1": [[242, 263]], "Indicator: Trojan.Win32.DNSChanger": [[264, 287]], "Indicator: W32/Backdoor.HEXL-8738": [[288, 310]], "Indicator: Trojan/Delf.Phinot.a": [[311, 331]], "Indicator: Trojan[Notifier]/Win32.Phinot": [[332, 361]], "Indicator: Win32.Troj.Phinot.12.kcloud": [[362, 389]], "Indicator: Trojan.Heur.GZ.E38D33": [[390, 411]], "Indicator: Troj.Notifier.W32.Phinot.120!c": [[412, 442]], "Indicator: Win32.Trojan.Phinot.Wstw": [[476, 500]], "Indicator: Trojan.Phinot!Cq2wyKHab1w": [[501, 526]], "Indicator: W32/Phinot.120!tr": [[527, 544]]}, "info": {"id": "cyner2_5class_train_03391", "source": 
"cyner2_5class_train"}} +{"text": "Evidence suggests that the tool is being used as part of a very targeted campaign, focused on Chinese nationals in commercial organizations.", "spans": {"Indicator: targeted campaign,": [[64, 82]], "Organization: Chinese nationals": [[94, 111]], "Organization: commercial organizations.": [[115, 140]]}, "info": {"id": "cyner2_5class_train_03392", "source": "cyner2_5class_train"}} +{"text": "Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia.", "spans": {"Indicator: new cyber-enabled bank heist": [[42, 70]]}, "info": {"id": "cyner2_5class_train_03393", "source": "cyner2_5class_train"}} +{"text": "These attacks are highly targeted, appear to re-purpose legitimate content in decoy documents, and had very low antivirus AV detection rates at the time they were deployed.", "spans": {}, "info": {"id": "cyner2_5class_train_03394", "source": "cyner2_5class_train"}} +{"text": "As for the Ashas family , one of the associated promotional videos , “ Head Soccer World Champion 2018 – Android , ios ” was viewed almost three million times and two others reached hundreds of thousands of views , as seen in Figure 11 .", "spans": {"Malware: Ashas": [[11, 16]], "System: Android": [[105, 112]], "System: ios": [[115, 118]]}, "info": {"id": "cyner2_5class_train_03395", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Hupigon.516096.L Downloader.Small.11945 Win32.Trojan.WisdomEyes.16070401.9500.9812 Win32/Citeary.B HV_DOWN.98AC8B50 Win.Trojan.Small-20870 Trojan-Dropper.Win32.Small.hms Trojan.Win32.Small.dlprwb Trojan.DownLoader3.7934 TrojanDropper.Small.fam Trojan[Downloader]/Win32.Small Trojan-Dropper.Win32.Small.hms Win32/TrojanDownloader.Small.PJP Win32.Trojan-dropper.Small.Taow Trojan.DR.Small!DUb+rE11TVI W32/Small.HMS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Hupigon.516096.L": [[26, 55]], "Indicator: Downloader.Small.11945": [[56, 78]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9812": [[79, 121]], "Indicator: Win32/Citeary.B": [[122, 137]], "Indicator: HV_DOWN.98AC8B50": [[138, 154]], "Indicator: Win.Trojan.Small-20870": [[155, 177]], "Indicator: Trojan-Dropper.Win32.Small.hms": [[178, 208], [314, 344]], "Indicator: Trojan.Win32.Small.dlprwb": [[209, 234]], "Indicator: Trojan.DownLoader3.7934": [[235, 258]], "Indicator: TrojanDropper.Small.fam": [[259, 282]], "Indicator: Trojan[Downloader]/Win32.Small": [[283, 313]], "Indicator: Win32/TrojanDownloader.Small.PJP": [[345, 377]], "Indicator: Win32.Trojan-dropper.Small.Taow": [[378, 409]], "Indicator: Trojan.DR.Small!DUb+rE11TVI": [[410, 437]], "Indicator: W32/Small.HMS!tr": [[438, 454]]}, "info": {"id": "cyner2_5class_train_03396", "source": "cyner2_5class_train"}} +{"text": "We have named this Ransomware KeRanger. The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014.", "spans": {"Malware: Ransomware KeRanger.": [[19, 39]], "Malware: ransomware": [[58, 68]], "System: OS X": [[73, 77]], "Malware: FileCoder,": [[97, 107]], "Organization: Kaspersky Lab": [[122, 135]]}, "info": {"id": "cyner2_5class_train_03397", "source": "cyner2_5class_train"}} +{"text": "Each instance had between 100,000 and 500,000 downloads according to Google Play statistics , reaching an aggregated infection rate of between 200,000 and 1 million users .", "spans": {"System: Google Play": [[69, 80]]}, "info": {"id": "cyner2_5class_train_03398", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.B Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_DURSG.A Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.10 TROJ_DURSG.A BehavesLike.Win32.Injector.nt Trojan-Downloader.Win32.ConHook Trojan:Win32/Dursg.A Trojan/Win32.ConHook.C286311 Trojan.Dursg!2KwSbji4syo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.BhoSearcher.B": [[26, 46], [47, 67], [68, 88], [145, 165], [166, 186], [187, 207]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[89, 131]], "Indicator: TROJ_DURSG.A": [[132, 144], [230, 242]], "Indicator: Trojan.BhoSearcher.10": [[208, 229]], "Indicator: BehavesLike.Win32.Injector.nt": [[243, 272]], "Indicator: Trojan-Downloader.Win32.ConHook": [[273, 304]], "Indicator: Trojan:Win32/Dursg.A": [[305, 325]], "Indicator: Trojan/Win32.ConHook.C286311": [[326, 354]], "Indicator: Trojan.Dursg!2KwSbji4syo": [[355, 379]]}, "info": {"id": "cyner2_5class_train_03399", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.7E63 Trojan.Win32.Patched!O Trojan.Patched.LI Win32.Trojan.WisdomEyes.16070401.9500.9933 Troj.W32.Patched.lm1y Virus.Win32.Loader.q Trojan.Patched.Win32.43121 Possible_HackToolPatched.UNP BehavesLike.Win32.NGVCK.dh Win32/PatchFile.gc TR/Patched.LI.1 HackTool:Win32/Patched.Y Win-Trojan/Patched.4095 Trojan.Win32.Patched W32/Patched.AW Win32/Trojan.bc4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.7E63": [[26, 43]], "Indicator: Trojan.Win32.Patched!O": [[44, 66]], "Indicator: Trojan.Patched.LI": [[67, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9933": [[85, 127]], "Indicator: Troj.W32.Patched.lm1y": [[128, 149]], "Indicator: Virus.Win32.Loader.q": [[150, 170]], "Indicator: Trojan.Patched.Win32.43121": [[171, 197]], "Indicator: Possible_HackToolPatched.UNP": [[198, 226]], "Indicator: BehavesLike.Win32.NGVCK.dh": [[227, 253]], "Indicator: Win32/PatchFile.gc": [[254, 272]], "Indicator: TR/Patched.LI.1": [[273, 288]], "Indicator: HackTool:Win32/Patched.Y": [[289, 313]], "Indicator: Win-Trojan/Patched.4095": [[314, 337]], "Indicator: Trojan.Win32.Patched": [[338, 358]], "Indicator: W32/Patched.AW": [[359, 373]], "Indicator: Win32/Trojan.bc4": [[374, 390]]}, "info": {"id": "cyner2_5class_train_03400", "source": "cyner2_5class_train"}} +{"text": "The link resolves to a URL designed 
to appear legitimate , with a canonical domain of sicher97140 [ .", "spans": {"Indicator: sicher97140 [ .": [[86, 101]]}, "info": {"id": "cyner2_5class_train_03401", "source": "cyner2_5class_train"}} +{"text": "It is under constant development, with several updated versions appearing since the original samples were observed in June 2017.", "spans": {}, "info": {"id": "cyner2_5class_train_03402", "source": "cyner2_5class_train"}} +{"text": "FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: exploiting": [[38, 48]], "Indicator: CVE-2017-0199": [[49, 62]], "Malware: malware payloads": [[89, 105]], "Malware: malware families.": [[132, 149]]}, "info": {"id": "cyner2_5class_train_03403", "source": "cyner2_5class_train"}} +{"text": "Within each variant , the malicious code present in each sample may look nearly identical with only one evasion technique changed .", "spans": {}, "info": {"id": "cyner2_5class_train_03404", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Foreign.R002C0DKO17 W32/Trojan.ZJNJ-1589 Ransom_Foreign.R002C0DKO17 Trojan-Ransom.Win32.Foreign.nhnn Trojan.Win32.Kovter.ehmnac Trojan.ForeignCRTD.Win32.4896 W32/Trojan3.XSL Trojan.Adware.a TR/Crypt.ZPACK.gnual Trojan[Ransom]/Win32.Foreign Trojan-Ransom.Win32.Foreign.nhnn Trojan/Win32.Foreign.C1610813 BScope.Trojan-Banker.Buhtrap Trj/CI.A Trojan.Foreign Win32/TrojanDownloader.Small.ASE Win32.Trojan.Foreign.Lknk Trojan.Foreign!RxgoGgLK0WM PUA.Adstantinko W32/Small.ASE!tr Win32/Trojan.f8a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Foreign.R002C0DKO17": [[26, 52], [74, 100]], "Indicator: W32/Trojan.ZJNJ-1589": [[53, 73]], "Indicator: Trojan-Ransom.Win32.Foreign.nhnn": [[101, 133], [273, 305]], "Indicator: Trojan.Win32.Kovter.ehmnac": [[134, 160]], "Indicator: Trojan.ForeignCRTD.Win32.4896": [[161, 190]], 
"Indicator: W32/Trojan3.XSL": [[191, 206]], "Indicator: Trojan.Adware.a": [[207, 222]], "Indicator: TR/Crypt.ZPACK.gnual": [[223, 243]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[244, 272]], "Indicator: Trojan/Win32.Foreign.C1610813": [[306, 335]], "Indicator: BScope.Trojan-Banker.Buhtrap": [[336, 364]], "Indicator: Trj/CI.A": [[365, 373]], "Indicator: Trojan.Foreign": [[374, 388]], "Indicator: Win32/TrojanDownloader.Small.ASE": [[389, 421]], "Indicator: Win32.Trojan.Foreign.Lknk": [[422, 447]], "Indicator: Trojan.Foreign!RxgoGgLK0WM": [[448, 474]], "Indicator: PUA.Adstantinko": [[475, 490]], "Indicator: W32/Small.ASE!tr": [[491, 507]], "Indicator: Win32/Trojan.f8a": [[508, 524]]}, "info": {"id": "cyner2_5class_train_03405", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Nuker.216576 Tool.WinNuke.Win32.3 Trojan/WinNuke.a Exploit.Win32.Nuker-WinNuke.htmy W32/TrojanX.ACD Nuker.IE Exploit.Win32.Nuker.WinNuke.a Win32.Exploit.Nuker.bhro TrojWare.Win32.Nuker.WinNuke Nuke.WinNuke W32/Trojan.GJZE-2894 Nuke/WinNuke.a TR/WinNuke.A Trojan[Exploit]/Win32.Nuker Win32.Hack.WinNuke.a.kcloud Trojan:Win16/WinNuke.A Win-Trojan/Winnuke.216576 Nuker.WinNuke Win32/Nuker.WinNuke Nuker.Win32.WinNuke W32/WinNuke.A!tr Nuker.DL Win32/Trojan.750", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Nuker.216576": [[26, 49]], "Indicator: Tool.WinNuke.Win32.3": [[50, 70]], "Indicator: Trojan/WinNuke.a": [[71, 87]], "Indicator: Exploit.Win32.Nuker-WinNuke.htmy": [[88, 120]], "Indicator: W32/TrojanX.ACD": [[121, 136]], "Indicator: Nuker.IE": [[137, 145]], "Indicator: Exploit.Win32.Nuker.WinNuke.a": [[146, 175]], "Indicator: Win32.Exploit.Nuker.bhro": [[176, 200]], "Indicator: TrojWare.Win32.Nuker.WinNuke": [[201, 229]], "Indicator: Nuke.WinNuke": [[230, 242]], "Indicator: W32/Trojan.GJZE-2894": [[243, 263]], "Indicator: Nuke/WinNuke.a": [[264, 278]], "Indicator: TR/WinNuke.A": [[279, 291]], "Indicator: Trojan[Exploit]/Win32.Nuker": [[292, 319]], 
"Indicator: Win32.Hack.WinNuke.a.kcloud": [[320, 347]], "Indicator: Trojan:Win16/WinNuke.A": [[348, 370]], "Indicator: Win-Trojan/Winnuke.216576": [[371, 396]], "Indicator: Nuker.WinNuke": [[397, 410]], "Indicator: Win32/Nuker.WinNuke": [[411, 430]], "Indicator: Nuker.Win32.WinNuke": [[431, 450]], "Indicator: W32/WinNuke.A!tr": [[451, 467]], "Indicator: Nuker.DL": [[468, 476]], "Indicator: Win32/Trojan.750": [[477, 493]]}, "info": {"id": "cyner2_5class_train_03406", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Small Trojan.Graftor.D1F62C BKDR_ZIYANG.A Backdoor.Trojan.B BKDR_ZIYANG.A Backdoor.Win32.Small.liq Trojan.Win32.Small.cusdaj Backdoor.W32.Small!c Trojan[Backdoor]/Win32.Small HackTool:Win32/Dlhs.B Backdoor.Win32.Small.liq Trj/Ziyang.A Backdoor.Win32.Small W32/BackDoor.A!tr Win32/Backdoor.d0c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Small": [[26, 40]], "Indicator: Trojan.Graftor.D1F62C": [[41, 62]], "Indicator: BKDR_ZIYANG.A": [[63, 76], [95, 108]], "Indicator: Backdoor.Trojan.B": [[77, 94]], "Indicator: Backdoor.Win32.Small.liq": [[109, 133], [232, 256]], "Indicator: Trojan.Win32.Small.cusdaj": [[134, 159]], "Indicator: Backdoor.W32.Small!c": [[160, 180]], "Indicator: Trojan[Backdoor]/Win32.Small": [[181, 209]], "Indicator: HackTool:Win32/Dlhs.B": [[210, 231]], "Indicator: Trj/Ziyang.A": [[257, 269]], "Indicator: Backdoor.Win32.Small": [[270, 290]], "Indicator: W32/BackDoor.A!tr": [[291, 308]], "Indicator: Win32/Backdoor.d0c": [[309, 327]]}, "info": {"id": "cyner2_5class_train_03407", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Uztuby.5 Script.Trojan.Malautoit.E Trojan.Uztuby.5 Trojan.Uztuby.5 Trojan.Uztuby.5 W32/ObfusInjectBot.a Zum.Ciusky.3 Trojan/Win32.Zbot.C311341 Trojan.Uztuby.5 W32/MalitRar.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Uztuby.5": [[26, 41], [68, 83], [84, 99], [100, 115], [176, 191]], "Indicator: Script.Trojan.Malautoit.E": 
[[42, 67]], "Indicator: W32/ObfusInjectBot.a": [[116, 136]], "Indicator: Zum.Ciusky.3": [[137, 149]], "Indicator: Trojan/Win32.Zbot.C311341": [[150, 175]], "Indicator: W32/MalitRar.B!tr": [[192, 209]]}, "info": {"id": "cyner2_5class_train_03408", "source": "cyner2_5class_train"}} +{"text": "Figure 9 shows the number of RuMMS infections recorded in the last four months .", "spans": {"Malware: RuMMS": [[29, 34]]}, "info": {"id": "cyner2_5class_train_03409", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Small.xpm TrojanDownloader:Win32/Sagnusnagta.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Small.xpm": [[26, 52]], "Indicator: TrojanDownloader:Win32/Sagnusnagta.A": [[53, 89]]}, "info": {"id": "cyner2_5class_train_03410", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.Infostealer.H4 Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Win32.ke3chang.f TrojWare.Win32.PSW.Delf.~JHN Trojan.DownLoader9.45552 BehavesLike.Win32.BadFile.gz Trojan.Win32.ke3chang.f Trojan/Win32.Infostealer.R91040", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.Infostealer.H4": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[51, 93]], "Indicator: Trojan.Win32.ke3chang.f": [[94, 117], [201, 224]], "Indicator: TrojWare.Win32.PSW.Delf.~JHN": [[118, 146]], "Indicator: Trojan.DownLoader9.45552": [[147, 171]], "Indicator: BehavesLike.Win32.BadFile.gz": [[172, 200]], "Indicator: Trojan/Win32.Infostealer.R91040": [[225, 256]]}, "info": {"id": "cyner2_5class_train_03411", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/AutoRun.dqkk TROJ_SPNR.35CC13 Worm.Autorun-6695 Worm.Win32.AutoRun.eemt Trojan.Win32.Cromptui.bbwocj Worm.Win32.A.AutoRun.32768.Y[h] PE:Worm.VBInjectEx!1.99E6[F1] Trojan.DownLoader4.54145 TROJ_SPNR.35CC13 BehavesLike.Win32.Dropper.nm W32/Trojan.MOJM-1187 Worm/AutoRun.aboz TR/Spy.100048 Trojan.Heur.EF62DD Trojan/Win32.HDC 
TrojanDownloader:Win32/Kimiki.A Worm.AutoRun Win32.Worm.Autorun.Edef Trojan-Downloader.Win32.Kimiki Worm.Win32.AutoRun.eemt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/AutoRun.dqkk": [[26, 42]], "Indicator: TROJ_SPNR.35CC13": [[43, 59], [218, 234]], "Indicator: Worm.Autorun-6695": [[60, 77]], "Indicator: Worm.Win32.AutoRun.eemt": [[78, 101], [453, 476]], "Indicator: Trojan.Win32.Cromptui.bbwocj": [[102, 130]], "Indicator: Worm.Win32.A.AutoRun.32768.Y[h]": [[131, 162]], "Indicator: PE:Worm.VBInjectEx!1.99E6[F1]": [[163, 192]], "Indicator: Trojan.DownLoader4.54145": [[193, 217]], "Indicator: BehavesLike.Win32.Dropper.nm": [[235, 263]], "Indicator: W32/Trojan.MOJM-1187": [[264, 284]], "Indicator: Worm/AutoRun.aboz": [[285, 302]], "Indicator: TR/Spy.100048": [[303, 316]], "Indicator: Trojan.Heur.EF62DD": [[317, 335]], "Indicator: Trojan/Win32.HDC": [[336, 352]], "Indicator: TrojanDownloader:Win32/Kimiki.A": [[353, 384]], "Indicator: Worm.AutoRun": [[385, 397]], "Indicator: Win32.Worm.Autorun.Edef": [[398, 421]], "Indicator: Trojan-Downloader.Win32.Kimiki": [[422, 452]]}, "info": {"id": "cyner2_5class_train_03412", "source": "cyner2_5class_train"}} +{"text": "In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks.", "spans": {"Indicator: email": [[32, 37]], "Indicator: legitimate email conversation between several employees, even containing contact details of employees from several banks.": [[55, 176]]}, "info": {"id": "cyner2_5class_train_03413", "source": "cyner2_5class_train"}} +{"text": "It is also possible that this functionality is under development , making this placeholder code incomplete .", "spans": {}, "info": {"id": "cyner2_5class_train_03414", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.QueryexXM.Worm HackTool.Wpakill HackTool.WpaKill W32/Risk.JBSX-2163 Trojan.ADH.2 Win.Trojan.Swrort-5988 
Crack-WindowsWGA.a HackTool.Win32.Wpakill W32/MalwareF.XIWY Trojan/Win32.Buzus HackTool:MSIL/Wpakill.A Crack-WindowsWGA.a HackTool.Wpakill!EXR6p6S0Jr0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.QueryexXM.Worm": [[26, 44]], "Indicator: HackTool.Wpakill": [[45, 61]], "Indicator: HackTool.WpaKill": [[62, 78]], "Indicator: W32/Risk.JBSX-2163": [[79, 97]], "Indicator: Trojan.ADH.2": [[98, 110]], "Indicator: Win.Trojan.Swrort-5988": [[111, 133]], "Indicator: Crack-WindowsWGA.a": [[134, 152], [237, 255]], "Indicator: HackTool.Win32.Wpakill": [[153, 175]], "Indicator: W32/MalwareF.XIWY": [[176, 193]], "Indicator: Trojan/Win32.Buzus": [[194, 212]], "Indicator: HackTool:MSIL/Wpakill.A": [[213, 236]], "Indicator: HackTool.Wpakill!EXR6p6S0Jr0": [[256, 284]]}, "info": {"id": "cyner2_5class_train_03415", "source": "cyner2_5class_train"}} +{"text": "EventBot Dropped XML configuration files Dropped XML configuration files on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_03416", "source": "cyner2_5class_train"}} +{"text": "Xavier's impact has been widespread.", "spans": {}, "info": {"id": "cyner2_5class_train_03417", "source": "cyner2_5class_train"}} +{"text": "The below code snippet is currently isolated and dormant .", "spans": {}, "info": {"id": "cyner2_5class_train_03418", "source": "cyner2_5class_train"}} +{"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( “ third-party ” app ) and not through legitimate app stores .", "spans": {}, "info": {"id": "cyner2_5class_train_03419", "source": "cyner2_5class_train"}} +{"text": "But I know your email for sure it's not that one.", "spans": {}, "info": {"id": "cyner2_5class_train_03420", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Raleka.14880.C Worm.Raleka.e.n3 W32/Raleka.worm Worm.Raleka.Win32.17 W32/Raleka.worm Worm.Raleka!sd8qYJWRVVk W32/Raleka.E W32.HLLW.Raleka Raleka.E Win32/Raleka.D 
Net-Worm.Win32.Raleka.e Trojan.Win32.Raleka.enog Worm.Win32.Raleka.H BehavesLike.Win32.Downloader.lc W32/Raleka.RXXM-3755 Worm/Raleka.k Worm/Raleka.E.2 Worm[Net]/Win32.Raleka Worm.Raleka.e.kcloud Worm:Win32/Raleka.G Trojan/Win32.Downloader Worm.Raleka W32/Kelar.B Win32/Raleka.H Win32.Worm-net.Raleka.Egog Net-Worm.Win32.Raleka.e W32/Raleka.B!worm Worm/Raleka.D Worm.Win32.Raleka.aTW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Raleka.14880.C": [[26, 49]], "Indicator: Worm.Raleka.e.n3": [[50, 66]], "Indicator: W32/Raleka.worm": [[67, 82], [104, 119]], "Indicator: Worm.Raleka.Win32.17": [[83, 103]], "Indicator: Worm.Raleka!sd8qYJWRVVk": [[120, 143]], "Indicator: W32/Raleka.E": [[144, 156]], "Indicator: W32.HLLW.Raleka": [[157, 172]], "Indicator: Raleka.E": [[173, 181]], "Indicator: Win32/Raleka.D": [[182, 196]], "Indicator: Net-Worm.Win32.Raleka.e": [[197, 220], [503, 526]], "Indicator: Trojan.Win32.Raleka.enog": [[221, 245]], "Indicator: Worm.Win32.Raleka.H": [[246, 265]], "Indicator: BehavesLike.Win32.Downloader.lc": [[266, 297]], "Indicator: W32/Raleka.RXXM-3755": [[298, 318]], "Indicator: Worm/Raleka.k": [[319, 332]], "Indicator: Worm/Raleka.E.2": [[333, 348]], "Indicator: Worm[Net]/Win32.Raleka": [[349, 371]], "Indicator: Worm.Raleka.e.kcloud": [[372, 392]], "Indicator: Worm:Win32/Raleka.G": [[393, 412]], "Indicator: Trojan/Win32.Downloader": [[413, 436]], "Indicator: Worm.Raleka": [[437, 448]], "Indicator: W32/Kelar.B": [[449, 460]], "Indicator: Win32/Raleka.H": [[461, 475]], "Indicator: Win32.Worm-net.Raleka.Egog": [[476, 502]], "Indicator: W32/Raleka.B!worm": [[527, 544]], "Indicator: Worm/Raleka.D": [[545, 558]], "Indicator: Worm.Win32.Raleka.aTW": [[559, 580]]}, "info": {"id": "cyner2_5class_train_03421", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan/ArchSMS.hqni TROJ_FAKEALERT_CD1031EC.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tnega.BTJDDdC TROJ_FAKEALERT_CD1031EC.RDXN 
Trojan.Win32.SMSSend.bddqwl Trojan.SMSSend.517 Tool.ArchSMS.Win32.277 Hoax.Win32.ArchSMS Hoax.ArchSMS.mn HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Ninunarch.A Trojan/Win32.ArchSMS.R68018 Hoax.ArchSMS.hq Win32/Hoax.ArchSMS.JS Trojan.ArchSMS!V0Eag+i949w", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.ArchSMS!O": [[26, 46]], "Indicator: Trojan/ArchSMS.hqni": [[47, 66]], "Indicator: TROJ_FAKEALERT_CD1031EC.RDXN": [[67, 95], [159, 187]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[96, 138]], "Indicator: Win32/Tnega.BTJDDdC": [[139, 158]], "Indicator: Trojan.Win32.SMSSend.bddqwl": [[188, 215]], "Indicator: Trojan.SMSSend.517": [[216, 234]], "Indicator: Tool.ArchSMS.Win32.277": [[235, 257]], "Indicator: Hoax.Win32.ArchSMS": [[258, 276]], "Indicator: Hoax.ArchSMS.mn": [[277, 292]], "Indicator: HackTool[Hoax]/Win32.ArchSMS": [[293, 321]], "Indicator: Win32.Troj.Hoax.kcloud": [[322, 344]], "Indicator: Trojan:Win32/Ninunarch.A": [[345, 369]], "Indicator: Trojan/Win32.ArchSMS.R68018": [[370, 397]], "Indicator: Hoax.ArchSMS.hq": [[398, 413]], "Indicator: Win32/Hoax.ArchSMS.JS": [[414, 435]], "Indicator: Trojan.ArchSMS!V0Eag+i949w": [[436, 462]]}, "info": {"id": "cyner2_5class_train_03422", "source": "cyner2_5class_train"}} +{"text": "Spora got some hype of being a ransomware that can encrypt files offline.", "spans": {"Malware: Spora": [[0, 5]], "Malware: a ransomware": [[29, 41]], "Indicator: encrypt files offline.": [[51, 73]]}, "info": {"id": "cyner2_5class_train_03423", "source": "cyner2_5class_train"}} +{"text": "] com glancelove [ .", "spans": {"Indicator: glancelove [ .": [[6, 20]]}, "info": {"id": "cyner2_5class_train_03424", "source": "cyner2_5class_train"}} +{"text": "We believe that this method is engineered to avoid trivial detection of process injection using the well-detected CreateRemoteThread or ZwQueueApcThread API .", "spans": {"Indicator: CreateRemoteThread": [[114, 132]], "Indicator: ZwQueueApcThread": 
[[136, 152]]}, "info": {"id": "cyner2_5class_train_03425", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.Win32.Sysdrop.lm Trojan.Win32.Sysdrop.esnrws Downloader.Sysdrop.Win32.33 TR/Zusy.ugkcf Trojan.Zusy.D3C19C Trojan-Downloader.Win32.Sysdrop.lm Downloader/Win32.Sysdrop.C2035975 TrojanDownloader.Sysdrop Trj/GdSda.A Trojan.DL.Sysdrop! Trojan-Downloader.Win32.Sysdrop", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan-Downloader.Win32.Sysdrop.lm": [[69, 103], [193, 227]], "Indicator: Trojan.Win32.Sysdrop.esnrws": [[104, 131]], "Indicator: Downloader.Sysdrop.Win32.33": [[132, 159]], "Indicator: TR/Zusy.ugkcf": [[160, 173]], "Indicator: Trojan.Zusy.D3C19C": [[174, 192]], "Indicator: Downloader/Win32.Sysdrop.C2035975": [[228, 261]], "Indicator: TrojanDownloader.Sysdrop": [[262, 286]], "Indicator: Trj/GdSda.A": [[287, 298]], "Indicator: Trojan.DL.Sysdrop!": [[299, 317]], "Indicator: Trojan-Downloader.Win32.Sysdrop": [[318, 349]]}, "info": {"id": "cyner2_5class_train_03426", "source": "cyner2_5class_train"}} +{"text": "Herein we release our analysis of a previously undocumented backdoor that has been targetedagainst embassies and consulates around the world leads us to attribute it, with high confidence,to the Turla group.", "spans": {"Malware: backdoor": [[60, 68]], "Organization: embassies": [[99, 108]], "Organization: consulates": [[113, 123]]}, "info": {"id": "cyner2_5class_train_03427", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tiny.S40745 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Tiny.elmbme MalCrypt.Indus! 
BehavesLike.Win32.Backdoor.zz TR/Tiny.lsfum Trojan.Zusy.D32039 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tiny.S40745": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[45, 87]], "Indicator: Trojan.Win32.Tiny.elmbme": [[88, 112]], "Indicator: MalCrypt.Indus!": [[113, 128]], "Indicator: BehavesLike.Win32.Backdoor.zz": [[129, 158]], "Indicator: TR/Tiny.lsfum": [[159, 172]], "Indicator: Trojan.Zusy.D32039": [[173, 191]], "Indicator: Trj/GdSda.A": [[192, 203]]}, "info": {"id": "cyner2_5class_train_03428", "source": "cyner2_5class_train"}} +{"text": "Turla is a notorious group that has been targeting governments, government officials and diplomats for years.", "spans": {"Organization: governments, government officials": [[51, 84]], "Organization: diplomats": [[89, 98]]}, "info": {"id": "cyner2_5class_train_03429", "source": "cyner2_5class_train"}} +{"text": "TrendMicro first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target.", "spans": {"Organization: TrendMicro": [[0, 10]], "Malware: MalumPoS,": [[28, 37]], "Malware: attack tool": [[44, 55]], "Indicator: can reconfigure to breach": [[75, 100]], "System: PoS system": [[105, 115]]}, "info": {"id": "cyner2_5class_train_03430", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Seftad!O Trojan.Seftad Trojan.MBRlock.Win32.1 Trojan/Seftad.a Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.HXYU-7341 Trojan.Bootlock Win32/RansomSeftad.A Trojan-Ransom.Win32.Seftad.a Trojan.Win32.Seftad.bsiwp Troj.Ransom.W32.Seftad.tn9Q Trojan.MBRlock.1 Trojan-Ransom.Win32.Seftad W32/MalwareF.RQPA Trojan/Seftad.a BOO/Seftad.A Trojan[Ransom]/Win32.Seftad Trojan:Win32/Seftad.A Trojan-Ransom.Win32.Seftad.a Trojan/Win32.Seftad.R111206 Trojan-Ransom.Seftad Win32/MBRlock.A Trojan.Seftad!+WmSfnLYKGo W32/Seftad.A!tr Trj/SeftadMBR.A.Crypt", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Trojan-Ransom.Win32.Seftad!O": [[26, 54]], "Indicator: Trojan.Seftad": [[55, 68]], "Indicator: Trojan.MBRlock.Win32.1": [[69, 91]], "Indicator: Trojan/Seftad.a": [[92, 107], [352, 367]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[108, 150]], "Indicator: W32/Risk.HXYU-7341": [[151, 169]], "Indicator: Trojan.Bootlock": [[170, 185]], "Indicator: Win32/RansomSeftad.A": [[186, 206]], "Indicator: Trojan-Ransom.Win32.Seftad.a": [[207, 235], [431, 459]], "Indicator: Trojan.Win32.Seftad.bsiwp": [[236, 261]], "Indicator: Troj.Ransom.W32.Seftad.tn9Q": [[262, 289]], "Indicator: Trojan.MBRlock.1": [[290, 306]], "Indicator: Trojan-Ransom.Win32.Seftad": [[307, 333]], "Indicator: W32/MalwareF.RQPA": [[334, 351]], "Indicator: BOO/Seftad.A": [[368, 380]], "Indicator: Trojan[Ransom]/Win32.Seftad": [[381, 408]], "Indicator: Trojan:Win32/Seftad.A": [[409, 430]], "Indicator: Trojan/Win32.Seftad.R111206": [[460, 487]], "Indicator: Trojan-Ransom.Seftad": [[488, 508]], "Indicator: Win32/MBRlock.A": [[509, 524]], "Indicator: Trojan.Seftad!+WmSfnLYKGo": [[525, 550]], "Indicator: W32/Seftad.A!tr": [[551, 566]], "Indicator: Trj/SeftadMBR.A.Crypt": [[567, 588]]}, "info": {"id": "cyner2_5class_train_03431", "source": "cyner2_5class_train"}} +{"text": "Unknown threats may evade signature-based detection, but can be blocked by other detection tools which identify malicious behavior.", "spans": {"Malware: Unknown threats": [[0, 15]], "Indicator: signature-based detection,": [[26, 52]], "Indicator: detection tools": [[81, 96]], "Malware: malicious behavior.": [[112, 131]]}, "info": {"id": "cyner2_5class_train_03432", "source": "cyner2_5class_train"}} +{"text": "Regin is a multi-purpose data collection tool which dates back several years.", "spans": {"Malware: Regin": [[0, 5]]}, "info": {"id": "cyner2_5class_train_03433", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod4c3.Trojan.53a7 Win32.P2P.Mua.E@mm Win32.P2P.Mua.E@mm Worm.Mua.Win32.3 
W32/Mua.e Worm.P2P.Mua!6PD7raLqpvw W32.HLLW.Mua Win32/Mua.B BKDR_BRABOT.B P2P-Worm.Win32.Mua.e Win32.P2P.Mua.E@mm Trojan.Win32.Mua.hfob Worm.Win32.A.P2P-Mua.15147 Win32.P2P.Mua.E@mm Win32.P2P.Mua.E@mm BKDR_BRABOT.B BehavesLike.Win32.Sality.lh W32/Risk.FPWU-1321 Worm[P2P]/Win32.Mua Worm.Mua.e.kcloud Worm:Win32/Mua.C Win32.P2P.Mua.E@mm Win32/Mua.worm.15152.C Worm.Mua Worm.Win32.Mua.AhDz Win32/Mua.E Win32.Worm-P2P.Mua.dopm P2P-Worm.Win32.Mua.c W32/Shower.L Worm/Mua.E Win32/Trojan.bfd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod4c3.Trojan.53a7": [[26, 49]], "Indicator: Win32.P2P.Mua.E@mm": [[50, 68], [69, 87], [200, 218], [268, 286], [287, 305], [422, 440]], "Indicator: Worm.Mua.Win32.3": [[88, 104]], "Indicator: W32/Mua.e": [[105, 114]], "Indicator: Worm.P2P.Mua!6PD7raLqpvw": [[115, 139]], "Indicator: W32.HLLW.Mua": [[140, 152]], "Indicator: Win32/Mua.B": [[153, 164]], "Indicator: BKDR_BRABOT.B": [[165, 178], [306, 319]], "Indicator: P2P-Worm.Win32.Mua.e": [[179, 199]], "Indicator: Trojan.Win32.Mua.hfob": [[219, 240]], "Indicator: Worm.Win32.A.P2P-Mua.15147": [[241, 267]], "Indicator: BehavesLike.Win32.Sality.lh": [[320, 347]], "Indicator: W32/Risk.FPWU-1321": [[348, 366]], "Indicator: Worm[P2P]/Win32.Mua": [[367, 386]], "Indicator: Worm.Mua.e.kcloud": [[387, 404]], "Indicator: Worm:Win32/Mua.C": [[405, 421]], "Indicator: Win32/Mua.worm.15152.C": [[441, 463]], "Indicator: Worm.Mua": [[464, 472]], "Indicator: Worm.Win32.Mua.AhDz": [[473, 492]], "Indicator: Win32/Mua.E": [[493, 504]], "Indicator: Win32.Worm-P2P.Mua.dopm": [[505, 528]], "Indicator: P2P-Worm.Win32.Mua.c": [[529, 549]], "Indicator: W32/Shower.L": [[550, 562]], "Indicator: Worm/Mua.E": [[563, 573]], "Indicator: Win32/Trojan.bfd": [[574, 590]]}, "info": {"id": "cyner2_5class_train_03434", "source": "cyner2_5class_train"}} +{"text": "I had found very few examples of non-targeted malspam using this RAT.", "spans": {"Indicator: non-targeted malspam": [[33, 53]], "Malware: RAT.": [[65, 69]]}, 
"info": {"id": "cyner2_5class_train_03435", "source": "cyner2_5class_train"}} +{"text": "\" BLU said they had no security department when I emailed them .", "spans": {"Organization: BLU": [[2, 5]]}, "info": {"id": "cyner2_5class_train_03436", "source": "cyner2_5class_train"}} +{"text": "We recently spotted Neutrino being used to deliver a zero-detection Zeus variant and are sharing some brief indicators here.", "spans": {"Malware: Neutrino": [[20, 28]], "Malware: Zeus variant": [[68, 80]], "Indicator: indicators": [[108, 118]]}, "info": {"id": "cyner2_5class_train_03437", "source": "cyner2_5class_train"}} +{"text": "Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file.", "spans": {"Malware: Reaver": [[0, 6]], "Malware: final payload": [[52, 65]], "Indicator: a Control panel item,": [[84, 105]], "Indicator: CPL file.": [[109, 118]]}, "info": {"id": "cyner2_5class_train_03438", "source": "cyner2_5class_train"}} +{"text": "The Turla group is known to target government, military, technology, energy and commercial organisations.", "spans": {"Organization: government, military, technology, energy": [[35, 75]], "Organization: commercial organisations.": [[80, 105]]}, "info": {"id": "cyner2_5class_train_03439", "source": "cyner2_5class_train"}} +{"text": "This report aims to uncover at least some undertakings of that group and to connect different attacks across the globe.", "spans": {"Indicator: attacks": [[94, 101]]}, "info": {"id": "cyner2_5class_train_03440", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Adware.RuKomaCRTD.Win32.4797 PUP.LoadMoney/Variant Trojan.Adware.Rukometa.Mikey.8 HT_RUKOMA_GA2700D5.UVPM HT_RUKOMA_GA2700D5.UVPM Trojan.Win32.Dwn.ehjpxo Trojan.DownLoader22.51269 Trojan.Scar.hqw Adware/Win32.Updater.C1575400 Adware.Zusy PUA.RuKoma! 
PUA.RuKoma", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Adware.RuKomaCRTD.Win32.4797": [[46, 74]], "Indicator: PUP.LoadMoney/Variant": [[75, 96]], "Indicator: Trojan.Adware.Rukometa.Mikey.8": [[97, 127]], "Indicator: HT_RUKOMA_GA2700D5.UVPM": [[128, 151], [152, 175]], "Indicator: Trojan.Win32.Dwn.ehjpxo": [[176, 199]], "Indicator: Trojan.DownLoader22.51269": [[200, 225]], "Indicator: Trojan.Scar.hqw": [[226, 241]], "Indicator: Adware/Win32.Updater.C1575400": [[242, 271]], "Indicator: Adware.Zusy": [[272, 283]], "Indicator: PUA.RuKoma!": [[284, 295]], "Indicator: PUA.RuKoma": [[296, 306]]}, "info": {"id": "cyner2_5class_train_03441", "source": "cyner2_5class_train"}} +{"text": "In February 2016, Check Point researchers first discovered HummingBad, a malware that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.", "spans": {"Organization: Check Point researchers": [[18, 41]], "Malware: HummingBad,": [[59, 70]], "Malware: malware": [[73, 80]], "Malware: rootkit": [[111, 118]], "System: Android devices,": [[122, 138]], "Indicator: installs additional fraudulent apps.": [[176, 212]]}, "info": {"id": "cyner2_5class_train_03442", "source": "cyner2_5class_train"}} +{"text": "Unusual domains , the use of URL shorteners , and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware .", "spans": {}, "info": {"id": "cyner2_5class_train_03443", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Winsecsrv Trojan.Winsecsrv.Win64.325 Trojan.Win64.Winsecsrv TR/Winsecsrv.imeno Trojan:Win64/Winsecsrv.B!bit Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Winsecsrv": [[26, 42]], "Indicator: Trojan.Winsecsrv.Win64.325": [[43, 69]], "Indicator: Trojan.Win64.Winsecsrv": [[70, 92]], "Indicator: TR/Winsecsrv.imeno": [[93, 111]], "Indicator: 
Trojan:Win64/Winsecsrv.B!bit": [[112, 140]], "Indicator: Trj/CI.A": [[141, 149]]}, "info": {"id": "cyner2_5class_train_03444", "source": "cyner2_5class_train"}} +{"text": "The C2 address , as stored in samples we ’ ve seen , comprise both an IP address and port number ; So far , all the samples we ’ ve tested attempted to contact an IP address on port 7878/tcp .", "spans": {"Indicator: port 7878/tcp": [[177, 190]]}, "info": {"id": "cyner2_5class_train_03445", "source": "cyner2_5class_train"}} +{"text": "Fighting organized crime in your phone One of the main problems with Triada is that it can potentially hurt a LOT of people .", "spans": {"Malware: Triada": [[69, 75]]}, "info": {"id": "cyner2_5class_train_03446", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Yakes.303104 Trojan.Win32.Yakes!O Ransom.Tobfy.S5080 Trojan.Yakes.Win32.7333 Trojan/Yakes.bitd Trojan.Symmi.D1319B Win32.Trojan.VB.kf Trojan.Ransomlock.K Ransom_TOBFY.SM Win.Trojan.Yakes-628 Trojan.Win32.Yakes.bitd Trojan.Win32.Yakes.cojazo TrojWare.Win32.Injector.XFR Ransom_TOBFY.SM BehavesLike.Win32.PWSZbot.dt Trojan/Yakes.kjh Trojan/Win32.Yakes Trojan.Win32.A.Yakes.303104.D Trojan.Win32.Yakes.bitd Trojan/Win32.VBKrypt.R40134 Trojan.Yakes Trojan.Injector Win32/VB.QMS Trojan.Win32.Tobfy W32/Injector.YWH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Yakes.303104": [[26, 49]], "Indicator: Trojan.Win32.Yakes!O": [[50, 70]], "Indicator: Ransom.Tobfy.S5080": [[71, 89]], "Indicator: Trojan.Yakes.Win32.7333": [[90, 113]], "Indicator: Trojan/Yakes.bitd": [[114, 131]], "Indicator: Trojan.Symmi.D1319B": [[132, 151]], "Indicator: Win32.Trojan.VB.kf": [[152, 170]], "Indicator: Trojan.Ransomlock.K": [[171, 190]], "Indicator: Ransom_TOBFY.SM": [[191, 206], [306, 321]], "Indicator: Win.Trojan.Yakes-628": [[207, 227]], "Indicator: Trojan.Win32.Yakes.bitd": [[228, 251], [417, 440]], "Indicator: Trojan.Win32.Yakes.cojazo": [[252, 277]], "Indicator: 
TrojWare.Win32.Injector.XFR": [[278, 305]], "Indicator: BehavesLike.Win32.PWSZbot.dt": [[322, 350]], "Indicator: Trojan/Yakes.kjh": [[351, 367]], "Indicator: Trojan/Win32.Yakes": [[368, 386]], "Indicator: Trojan.Win32.A.Yakes.303104.D": [[387, 416]], "Indicator: Trojan/Win32.VBKrypt.R40134": [[441, 468]], "Indicator: Trojan.Yakes": [[469, 481]], "Indicator: Trojan.Injector": [[482, 497]], "Indicator: Win32/VB.QMS": [[498, 510]], "Indicator: Trojan.Win32.Tobfy": [[511, 529]], "Indicator: W32/Injector.YWH!tr": [[530, 549]]}, "info": {"id": "cyner2_5class_train_03447", "source": "cyner2_5class_train"}} +{"text": "The hosting locations seen for some HenBox samples , together with the nature of some embedded apps including : those targeted at extremist groups , those who use VPN or other privacy-enabling apps , and those who speak the Uyghur language , highlights the victim profile the threat actors were seeking to attack .", "spans": {"Malware: HenBox": [[36, 42]]}, "info": {"id": "cyner2_5class_train_03448", "source": "cyner2_5class_train"}} +{"text": "The malicious attachment, which offered salacious spoilers and video clips, attempted to install a 9002 remote access Trojan RAT historically used by state-sponsored actors.", "spans": {"Indicator: The malicious attachment,": [[0, 25]], "Indicator: spoilers": [[50, 58]], "Indicator: video clips,": [[63, 75]], "Malware: a 9002 remote access Trojan RAT": [[97, 128]]}, "info": {"id": "cyner2_5class_train_03449", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Barys.DD949 Win32.Trojan.WisdomEyes.16070401.9500.9860 Trojan:Win32/Grenam.B!inf Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Barys.DD949": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9860": [[45, 87]], "Indicator: Trojan:Win32/Grenam.B!inf": [[88, 113]], "Indicator: Trj/GdSda.A": [[114, 125]]}, "info": {"id": "cyner2_5class_train_03450", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: Trojan.Win32.Malware.1 Trojan.Rootkit.GGA Backdoor:W32/PcClient.ALE BACKDOOR.Trojan Backdoor:Win32/Xinia.C Trojan.Rootkit.GGA RootKit.Win32.Undef.ru W32/Rootkit.A SHeur.CPFS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Malware.1": [[26, 48]], "Indicator: Trojan.Rootkit.GGA": [[49, 67], [133, 151]], "Indicator: Backdoor:W32/PcClient.ALE": [[68, 93]], "Indicator: BACKDOOR.Trojan": [[94, 109]], "Indicator: Backdoor:Win32/Xinia.C": [[110, 132]], "Indicator: RootKit.Win32.Undef.ru": [[152, 174]], "Indicator: W32/Rootkit.A": [[175, 188]], "Indicator: SHeur.CPFS": [[189, 199]]}, "info": {"id": "cyner2_5class_train_03451", "source": "cyner2_5class_train"}} +{"text": "Hancitor also known as Tordal and Chanitor and Ruckguv have reappeared in campaigns distributing Pony and Vawtrak with significant updates and increased functionality.", "spans": {"Malware: Hancitor": [[0, 8]], "Malware: Tordal": [[23, 29]], "Malware: Chanitor": [[34, 42]], "Malware: Ruckguv": [[47, 54]], "Malware: Pony": [[97, 101]], "Malware: Vawtrak": [[106, 113]]}, "info": {"id": "cyner2_5class_train_03452", "source": "cyner2_5class_train"}} +{"text": "This time resets every time the user performs some activity .", "spans": {}, "info": {"id": "cyner2_5class_train_03453", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Flooder.MSN.Chiller.A Trojan/W32.Flooder.135168.E Trojan.Flooder.MSN.Chiller.A Tool.Chiller.Win32.1 Trojan.Flooder.MSN.Chiller.A Flooder.Chiller!cPnYwu6r4qI Win32/Flooder.MSN.Chiller.10 TROJ_MSN.CHILLER IM-Flooder.Win32.Chiller Trojan.Win32.Chiller.ddka IM-Flooder.W32.Chiller!c Trojan.Flooder.MSN.Chiller.A TrojWare.Win32.Flooder.MSN.10 Trojan.Flooder.MSN.Chiller.A FDOS.Children TROJ_MSN.CHILLER W32/Risk.BSWW-2789 Flooder.MSN.Chiller HackTool[Flooder]/Win32.Chiller Trojan.Flooder.MSN.Chiller.A IMFlooder.Chiller Flooder.MSN.Chiller IM-Flooder.Win32.Chiller Trojan.Flooder.MSN.Chiller.A Flooder.AZF 
Trojan.Win32.IMFlooder.aa Win32/Trojan.Flooder.cc8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Flooder.MSN.Chiller.A": [[26, 54], [83, 111], [133, 161], [312, 340], [371, 399], [502, 530], [594, 622]], "Indicator: Trojan/W32.Flooder.135168.E": [[55, 82]], "Indicator: Tool.Chiller.Win32.1": [[112, 132]], "Indicator: Flooder.Chiller!cPnYwu6r4qI": [[162, 189]], "Indicator: Win32/Flooder.MSN.Chiller.10": [[190, 218]], "Indicator: TROJ_MSN.CHILLER": [[219, 235], [414, 430]], "Indicator: IM-Flooder.Win32.Chiller": [[236, 260], [569, 593]], "Indicator: Trojan.Win32.Chiller.ddka": [[261, 286]], "Indicator: IM-Flooder.W32.Chiller!c": [[287, 311]], "Indicator: TrojWare.Win32.Flooder.MSN.10": [[341, 370]], "Indicator: FDOS.Children": [[400, 413]], "Indicator: W32/Risk.BSWW-2789": [[431, 449]], "Indicator: Flooder.MSN.Chiller": [[450, 469], [549, 568]], "Indicator: HackTool[Flooder]/Win32.Chiller": [[470, 501]], "Indicator: IMFlooder.Chiller": [[531, 548]], "Indicator: Flooder.AZF": [[623, 634]], "Indicator: Trojan.Win32.IMFlooder.aa": [[635, 660]], "Indicator: Win32/Trojan.Flooder.cc8": [[661, 685]]}, "info": {"id": "cyner2_5class_train_03454", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R VBA.Trojan.Obfuscated.at VBA/Obfuscated.P Doc.Macro.Obfuscation-6360615-0 VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R Trojan.Script.MLW.ehjqnz VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R W97M/Downloader.bkw HEUR.VBA.Trojan.e TrojanDownloader:O97M/Shelmock.A!dha W97M/Downloader.bkw Trojan.VBA.Obfuscated heur.macro.powershell.x", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.VBA.Downloader.R": [[26, 52], [53, 79], [154, 180], [181, 207], [233, 259], [260, 286]], "Indicator: VBA.Trojan.Obfuscated.at": [[80, 104]], "Indicator: VBA/Obfuscated.P": [[105, 121]], "Indicator: Doc.Macro.Obfuscation-6360615-0": [[122, 153]], "Indicator: Trojan.Script.MLW.ehjqnz": 
[[208, 232]], "Indicator: W97M/Downloader.bkw": [[287, 306], [362, 381]], "Indicator: HEUR.VBA.Trojan.e": [[307, 324]], "Indicator: TrojanDownloader:O97M/Shelmock.A!dha": [[325, 361]], "Indicator: Trojan.VBA.Obfuscated": [[382, 403]], "Indicator: heur.macro.powershell.x": [[404, 427]]}, "info": {"id": "cyner2_5class_train_03455", "source": "cyner2_5class_train"}} +{"text": "This relatively new technique makes it difficult to detect the malware—especially on behavior-based malware detection systems.", "spans": {"System: behavior-based malware detection systems.": [[85, 126]]}, "info": {"id": "cyner2_5class_train_03456", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mehm.B Trojan/W32.CGIScan.333312 Aplicacion/CGIScan.40 Trojan.Mehm.B Trojan.Cgiscan!ODpuR5Z5bgo W32/HackTool.CNH Hacktool.Flooder Win.Trojan.Cgiscan not-a-virus:NetTool.Win32.CGIScan.40 Riskware.Win32.CGIScan.byaea NetTool.CGIScan.333312[h] Trojan.Mehm.B Trojan.Mehm.B Trojan.DownLoader.9414 Tool.CGIScan.Win32.1 W32/Tool.MGCU-4799 TR/Mehm.B W32/Cgiscan.A!tr Trojan.Mehm.B Win-Trojan/Mehm.333312 Trojan:Win32/Cgiscan.A Trojan.Mehm.B Hacktool.Win32.CGIScan.40 Win32.Trojan.Spnr.Wqmq not-a-virus:NetTool.Win32.CGIScan Trojan.Mehm.B HackTool/CgiScan.A Win32/Virus.NetTool.902", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mehm.B": [[26, 39], [88, 101], [274, 287], [288, 301], [392, 405], [452, 465], [549, 562]], "Indicator: Trojan/W32.CGIScan.333312": [[40, 65]], "Indicator: Aplicacion/CGIScan.40": [[66, 87]], "Indicator: Trojan.Cgiscan!ODpuR5Z5bgo": [[102, 128]], "Indicator: W32/HackTool.CNH": [[129, 145]], "Indicator: Hacktool.Flooder": [[146, 162]], "Indicator: Win.Trojan.Cgiscan": [[163, 181]], "Indicator: not-a-virus:NetTool.Win32.CGIScan.40": [[182, 218]], "Indicator: Riskware.Win32.CGIScan.byaea": [[219, 247]], "Indicator: NetTool.CGIScan.333312[h]": [[248, 273]], "Indicator: Trojan.DownLoader.9414": [[302, 324]], "Indicator: Tool.CGIScan.Win32.1": [[325, 
345]], "Indicator: W32/Tool.MGCU-4799": [[346, 364]], "Indicator: TR/Mehm.B": [[365, 374]], "Indicator: W32/Cgiscan.A!tr": [[375, 391]], "Indicator: Win-Trojan/Mehm.333312": [[406, 428]], "Indicator: Trojan:Win32/Cgiscan.A": [[429, 451]], "Indicator: Hacktool.Win32.CGIScan.40": [[466, 491]], "Indicator: Win32.Trojan.Spnr.Wqmq": [[492, 514]], "Indicator: not-a-virus:NetTool.Win32.CGIScan": [[515, 548]], "Indicator: HackTool/CgiScan.A": [[563, 581]], "Indicator: Win32/Virus.NetTool.902": [[582, 605]]}, "info": {"id": "cyner2_5class_train_03457", "source": "cyner2_5class_train"}} +{"text": "We will refer to the gang behind the malware as TeleBots.", "spans": {"Malware: malware": [[37, 44]]}, "info": {"id": "cyner2_5class_train_03458", "source": "cyner2_5class_train"}} +{"text": "They then distribute the trojanized application using their own, Russian-language-targeted Android Application sites.", "spans": {"Malware: trojanized application": [[25, 47]], "Indicator: Russian-language-targeted Android Application sites.": [[65, 117]]}, "info": {"id": "cyner2_5class_train_03459", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Qqpass.20916 Trojan.Adware.Graftor.D9426 Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Onlinegame TSPY_ONLINEG.JW Win.Spyware.28080-1 Trojan-GameThief.Win32.OnLineGames.akyyi Trojan.Win32.Nilage.bstxe Trojan.PWS.Gamania.8978 TSPY_ONLINEG.JW BehavesLike.Win32.RAHack.dc Trojan/PSW.OnLineGames.xyc Trojan[GameThief]/Win32.WOW.gic Trojan:Win32/Ordpea.A Trojan-GameThief.Win32.OnLineGames.akyyi MalwareScope.Trojan-PSW.Game.7 Trj/Lineage.HKT Trojan.Win32.OnlineGames.pjf Trojan.PWS.OnlineGames.GFA Trojan-GameThief.Win32.OnLineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Qqpass.20916": [[26, 48]], "Indicator: Trojan.Adware.Graftor.D9426": [[49, 76]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[77, 119]], "Indicator: Infostealer.Onlinegame": [[120, 142]], "Indicator: 
TSPY_ONLINEG.JW": [[143, 158], [270, 285]], "Indicator: Win.Spyware.28080-1": [[159, 178]], "Indicator: Trojan-GameThief.Win32.OnLineGames.akyyi": [[179, 219], [395, 435]], "Indicator: Trojan.Win32.Nilage.bstxe": [[220, 245]], "Indicator: Trojan.PWS.Gamania.8978": [[246, 269]], "Indicator: BehavesLike.Win32.RAHack.dc": [[286, 313]], "Indicator: Trojan/PSW.OnLineGames.xyc": [[314, 340]], "Indicator: Trojan[GameThief]/Win32.WOW.gic": [[341, 372]], "Indicator: Trojan:Win32/Ordpea.A": [[373, 394]], "Indicator: MalwareScope.Trojan-PSW.Game.7": [[436, 466]], "Indicator: Trj/Lineage.HKT": [[467, 482]], "Indicator: Trojan.Win32.OnlineGames.pjf": [[483, 511]], "Indicator: Trojan.PWS.OnlineGames.GFA": [[512, 538]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[539, 573]]}, "info": {"id": "cyner2_5class_train_03460", "source": "cyner2_5class_train"}} +{"text": "We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. 
and South Korea during the past few months.", "spans": {"Malware: FormBook malware": [[32, 48]], "Organization: Aerospace, Defense Contractor,": [[96, 126]], "Organization: Manufacturing sectors": [[131, 152]]}, "info": {"id": "cyner2_5class_train_03461", "source": "cyner2_5class_train"}} +{"text": "If the privileges are revoked successfully , the Trojan relaunches the cycle of requesting administrator privileges .", "spans": {}, "info": {"id": "cyner2_5class_train_03462", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanspy.Coinsteal TROJ_GE.0352184D Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.0352184D Trojan.MSIL.PSW TrojanSpy:MSIL/CoinSteal.B!bit Spyware/Win32.Quasar.C2001029 Trojan.FakeMS Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanspy.Coinsteal": [[26, 45]], "Indicator: TROJ_GE.0352184D": [[46, 62], [106, 122]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[63, 105]], "Indicator: Trojan.MSIL.PSW": [[123, 138]], "Indicator: TrojanSpy:MSIL/CoinSteal.B!bit": [[139, 169]], "Indicator: Spyware/Win32.Quasar.C2001029": [[170, 199]], "Indicator: Trojan.FakeMS": [[200, 213]], "Indicator: Trj/CI.A": [[214, 222]]}, "info": {"id": "cyner2_5class_train_03463", "source": "cyner2_5class_train"}} +{"text": "The database contained the last activity performed on around 60 compromised devices .", "spans": {}, "info": {"id": "cyner2_5class_train_03464", "source": "cyner2_5class_train"}} +{"text": "This post opens the lock up and takes a look inside.", "spans": {}, "info": {"id": "cyner2_5class_train_03465", "source": "cyner2_5class_train"}} +{"text": "With email subject lines such as, bank account record annual report and company database we believe that attackers are possibly targeting companies.", "spans": {"Indicator: email subject lines such as, bank account record": [[5, 53]], "Indicator: annual report": [[54, 67]], "Indicator: company database": [[72, 88]], "Organization: companies.": [[138, 148]]}, 
"info": {"id": "cyner2_5class_train_03466", "source": "cyner2_5class_train"}} +{"text": "It shows a web phishing page whenever the affected device receives a broadcast event ( i.e. , if a new package is installed or if the device ’ s screen is on ) to steal personal data , such as those keyed in for banking apps .", "spans": {}, "info": {"id": "cyner2_5class_train_03467", "source": "cyner2_5class_train"}} +{"text": "Gary Warners's blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, is responsible for distributing this spam.", "spans": {"Organization: Gary Warners's blog": [[0, 19]], "Malware: botnet, Kelihos,": [[94, 110]], "Indicator: spam.": [[148, 153]]}, "info": {"id": "cyner2_5class_train_03468", "source": "cyner2_5class_train"}} +{"text": "However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well.", "spans": {"Malware: exploit": [[76, 83]], "Indicator: spear phishing attacks": [[96, 118]]}, "info": {"id": "cyner2_5class_train_03469", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.1490 Trojan.Heur.RP.E99DCA WORM_FLYSTUDI.B Win32.Trojan.WisdomEyes.16070401.9500.9998 WORM_FLYSTUDI.B Win.Worm.FlyStudio-34 Trojan.MulDrop6.9267 Trojan.Black.Win32.8293 BehavesLike.Win32.Autorun.vc TrojanDropper.Flystud Win32.Trojan.Ecode.Wwel Trojan.Win32.FlyStudio", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.1490": [[26, 42]], "Indicator: Trojan.Heur.RP.E99DCA": [[43, 64]], "Indicator: WORM_FLYSTUDI.B": [[65, 80], [124, 139]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[81, 123]], "Indicator: Win.Worm.FlyStudio-34": [[140, 161]], "Indicator: Trojan.MulDrop6.9267": [[162, 182]], "Indicator: Trojan.Black.Win32.8293": [[183, 206]], "Indicator: BehavesLike.Win32.Autorun.vc": [[207, 235]], "Indicator: TrojanDropper.Flystud": [[236, 257]], "Indicator: Win32.Trojan.Ecode.Wwel": [[258, 281]], "Indicator: 
Trojan.Win32.FlyStudio": [[282, 304]]}, "info": {"id": "cyner2_5class_train_03470", "source": "cyner2_5class_train"}} +{"text": "For now , the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail .", "spans": {}, "info": {"id": "cyner2_5class_train_03471", "source": "cyner2_5class_train"}} +{"text": "n the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website.", "spans": {"Indicator: breach": [[89, 95]], "Indicator: the Umbro website.": [[99, 117]]}, "info": {"id": "cyner2_5class_train_03472", "source": "cyner2_5class_train"}} +{"text": "] 132:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner2_5class_train_03473", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Maesorn!O Trojan/Maesorn.g Backdoor.Graybird Win.Trojan.OnlineGames-1999 Trojan.Win32.Maesorn.innuf Trojan.Win32.A.Maesorn.563216[ASPack] Trojan.PWS.Panda.980 BehavesLike.Win32.MultiPlug.hc Trojan/Maesorn.a TR/Maesorn.psa Trojan/Win32.Unknown Trojan.Maesorn.1 Trojan:Win32/Maesorn.A Trojan/Win32.Maesorn.C288249 TScope.Malware-Cryptor.SB Win32.Trojan.Maesorn.Lmax Trojan.Maesorn!i+tWu8HStQI Win32/Trojan.227", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Maesorn!O": [[26, 48]], "Indicator: Trojan/Maesorn.g": [[49, 65]], "Indicator: Backdoor.Graybird": [[66, 83]], "Indicator: Win.Trojan.OnlineGames-1999": [[84, 111]], "Indicator: Trojan.Win32.Maesorn.innuf": [[112, 138]], "Indicator: Trojan.Win32.A.Maesorn.563216[ASPack]": [[139, 176]], "Indicator: Trojan.PWS.Panda.980": [[177, 197]], "Indicator: BehavesLike.Win32.MultiPlug.hc": [[198, 228]], "Indicator: Trojan/Maesorn.a": [[229, 245]], "Indicator: TR/Maesorn.psa": [[246, 260]], "Indicator: Trojan/Win32.Unknown": [[261, 281]], "Indicator: Trojan.Maesorn.1": [[282, 298]], "Indicator: Trojan:Win32/Maesorn.A": [[299, 321]], "Indicator: Trojan/Win32.Maesorn.C288249": [[322, 350]], 
"Indicator: TScope.Malware-Cryptor.SB": [[351, 376]], "Indicator: Win32.Trojan.Maesorn.Lmax": [[377, 402]], "Indicator: Trojan.Maesorn!i+tWu8HStQI": [[403, 429]], "Indicator: Win32/Trojan.227": [[430, 446]]}, "info": {"id": "cyner2_5class_train_03474", "source": "cyner2_5class_train"}} +{"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER ! TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS ! WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc… We collect and download all of your personal data .", "spans": {}, "info": {"id": "cyner2_5class_train_03475", "source": "cyner2_5class_train"}} +{"text": "The information is written into a file on the device .", "spans": {}, "info": {"id": "cyner2_5class_train_03476", "source": "cyner2_5class_train"}} +{"text": "Geography of Rotexy attacks According to our data , 98 % of all Rotexy attacks target users in Russia .", "spans": {"Malware: Rotexy": [[13, 19], [64, 70]]}, "info": {"id": "cyner2_5class_train_03477", "source": "cyner2_5class_train"}} +{"text": "Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.", "spans": {"Malware: ransomware, SamSam": [[12, 30]], "Vulnerability: attack vectors,": [[64, 79]], "Malware: exploit kits.": [[111, 124]]}, "info": {"id": "cyner2_5class_train_03478", "source": "cyner2_5class_train"}} +{"text": "In the injected payload , the module implements the method ‘ callActivityOnCreate ’ .", "spans": {}, "info": {"id": "cyner2_5class_train_03479", "source": "cyner2_5class_train"}} +{"text": "In April 2017, in collaboration with Clearsky, Palo Alto Networks Unit 42 published an article about our research into targeted attacks in the Middle East.", "spans": {"Organization: Clearsky,": [[37, 46]], "Organization: Palo Alto Networks Unit 42": [[47, 73]], "Indicator: attacks": [[128, 135]]}, "info": {"id": "cyner2_5class_train_03480", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.85E5 Downloader.Small.Win32.16916 Trojan/Downloader.Small.eqn Win32.Trojan.WisdomEyes.16070401.9500.9998 Win32/Matcash.AQ TROJ_DLOADER.KGM Win.Downloader.12076-1 Trojan-Downloader.Win32.Small.eqn Trojan.Win32.Small.pnkq Trojan.Win32.Downloader.9806 TrojWare.Win32.TrojanDownloader.Small.AP Trojan.DownLoader.26881 TROJ_DLOADER.KGM BehavesLike.Win32.Backdoor.zh TrojanDownloader.Small.cgx Trojan[Downloader]/Win32.Small TrojanDownloader:Win32/Matcash.A Trojan/Win32.Downloader.R162197 Trj/Downloader.PNC Win32.Trojan-downloader.Small.Agut Trojan.DL.Small!SbF3EFAX1gY Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.85E5": [[26, 42]], "Indicator: Downloader.Small.Win32.16916": [[43, 71]], "Indicator: Trojan/Downloader.Small.eqn": [[72, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[100, 142]], "Indicator: Win32/Matcash.AQ": [[143, 159]], "Indicator: TROJ_DLOADER.KGM": [[160, 176], [352, 368]], "Indicator: Win.Downloader.12076-1": [[177, 199]], "Indicator: Trojan-Downloader.Win32.Small.eqn": [[200, 233]], "Indicator: Trojan.Win32.Small.pnkq": [[234, 257]], "Indicator: Trojan.Win32.Downloader.9806": [[258, 286]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.AP": [[287, 327]], "Indicator: Trojan.DownLoader.26881": [[328, 351]], "Indicator: BehavesLike.Win32.Backdoor.zh": [[369, 398]], "Indicator: TrojanDownloader.Small.cgx": [[399, 425]], "Indicator: Trojan[Downloader]/Win32.Small": [[426, 456]], "Indicator: TrojanDownloader:Win32/Matcash.A": [[457, 489]], "Indicator: Trojan/Win32.Downloader.R162197": [[490, 521]], "Indicator: Trj/Downloader.PNC": [[522, 540]], "Indicator: Win32.Trojan-downloader.Small.Agut": [[541, 575]], "Indicator: Trojan.DL.Small!SbF3EFAX1gY": [[576, 603]], "Indicator: Trojan-Downloader.Win32.Small": [[604, 633]]}, "info": {"id": "cyner2_5class_train_03481", "source": "cyner2_5class_train"}} +{"text": "] com hxxp 
: //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner2_5class_train_03482", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.3D2A Trojan.Razy.DF5C4 Win32.Trojan.WisdomEyes.16070401.9500.9773 not-a-virus:RiskTool.Win32.Gamehack.zae Trojan.PWS.Banker1.20175 Trojan.Win32.PSW W32/Trojan.WGYB-0329 RiskTool.Gamehack.iw TR/Taranis.2867 not-a-virus:RiskTool.Win32.Gamehack.zae MalwareScope.Trojan-PSW.Game.16 Riskware.Gamehack! Win32/Trojan.fe9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3D2A": [[26, 42]], "Indicator: Trojan.Razy.DF5C4": [[43, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9773": [[61, 103]], "Indicator: not-a-virus:RiskTool.Win32.Gamehack.zae": [[104, 143], [244, 283]], "Indicator: Trojan.PWS.Banker1.20175": [[144, 168]], "Indicator: Trojan.Win32.PSW": [[169, 185]], "Indicator: W32/Trojan.WGYB-0329": [[186, 206]], "Indicator: RiskTool.Gamehack.iw": [[207, 227]], "Indicator: TR/Taranis.2867": [[228, 243]], "Indicator: MalwareScope.Trojan-PSW.Game.16": [[284, 315]], "Indicator: Riskware.Gamehack!": [[316, 334]], "Indicator: Win32/Trojan.fe9": [[335, 351]]}, "info": {"id": "cyner2_5class_train_03483", "source": "cyner2_5class_train"}} +{"text": "However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.", "spans": {"Malware: Ploutus-D": [[32, 41]], "Organization: ATM vendor": [[67, 77]], "System: Kalignite Platform": [[92, 110]], "System: ATM vendors": [[132, 143]]}, "info": {"id": "cyner2_5class_train_03484", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.Dropper.Msil!c Trojan.Zusy.D3F4E2 Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Coinbitminer TROJ_COINMINER_HA220058.UVPM Trojan.DownLoader25.65376 Trojan.CoinMiner.Win32.6726 TROJ_COINMINER_HA220058.UVPM Trojan:MSIL/CoinMiner.KA!bit Trojan/Win32.Tiggre.R218036 
Misc.Riskware.BitCoinMiner Trj/GdSda.A Trojan.MinerBot Win32/Trojan.Dropper.bc3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.Dropper.Msil!c": [[26, 45]], "Indicator: Trojan.Zusy.D3F4E2": [[46, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9901": [[65, 107]], "Indicator: Trojan.Coinbitminer": [[108, 127]], "Indicator: TROJ_COINMINER_HA220058.UVPM": [[128, 156], [211, 239]], "Indicator: Trojan.DownLoader25.65376": [[157, 182]], "Indicator: Trojan.CoinMiner.Win32.6726": [[183, 210]], "Indicator: Trojan:MSIL/CoinMiner.KA!bit": [[240, 268]], "Indicator: Trojan/Win32.Tiggre.R218036": [[269, 296]], "Indicator: Misc.Riskware.BitCoinMiner": [[297, 323]], "Indicator: Trj/GdSda.A": [[324, 335]], "Indicator: Trojan.MinerBot": [[336, 351]], "Indicator: Win32/Trojan.Dropper.bc3": [[352, 376]]}, "info": {"id": "cyner2_5class_train_03485", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Jiwerks.A8 Trojan/Downloader.Delf.quc Trojan.Graftor.D451A Trojan.Win32.Dwn.wpldc Win32.Worm.Qqshare.crbf TrojWare.Win32.TrojanDownloader.Delf.QUC Trojan.DownLoader6.2772 Trojan-Ransom.Win32.Foreign Trojan/Win32.Unknown TrojanDownloader:Win32/Jiwerks.C Trojan/Win32.Banload.R28382 Trojan.DL.Delf!amQyVfM1aVU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Jiwerks.A8": [[26, 53]], "Indicator: Trojan/Downloader.Delf.quc": [[54, 80]], "Indicator: Trojan.Graftor.D451A": [[81, 101]], "Indicator: Trojan.Win32.Dwn.wpldc": [[102, 124]], "Indicator: Win32.Worm.Qqshare.crbf": [[125, 148]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.QUC": [[149, 189]], "Indicator: Trojan.DownLoader6.2772": [[190, 213]], "Indicator: Trojan-Ransom.Win32.Foreign": [[214, 241]], "Indicator: Trojan/Win32.Unknown": [[242, 262]], "Indicator: TrojanDownloader:Win32/Jiwerks.C": [[263, 295]], "Indicator: Trojan/Win32.Banload.R28382": [[296, 323]], "Indicator: Trojan.DL.Delf!amQyVfM1aVU": [[324, 350]]}, "info": {"id": 
"cyner2_5class_train_03486", "source": "cyner2_5class_train"}} +{"text": "This action registers code components to get notified when certain system events happen .", "spans": {}, "info": {"id": "cyner2_5class_train_03487", "source": "cyner2_5class_train"}} +{"text": "During this time it has managed to avoid scrutiny by the security community.", "spans": {"Organization: the security community.": [[53, 76]]}, "info": {"id": "cyner2_5class_train_03488", "source": "cyner2_5class_train"}} +{"text": "In separate isolated incidents,we also noticed the deployment of MajikPOS via PsExec, a command-line tool that can be used to remotely execute processes on other systems.", "spans": {"Malware: MajikPOS": [[65, 73]], "Malware: PsExec,": [[78, 85]], "Malware: command-line tool": [[88, 105]], "Indicator: remotely execute processes": [[126, 152]], "System: systems.": [[162, 170]]}, "info": {"id": "cyner2_5class_train_03489", "source": "cyner2_5class_train"}} +{"text": "The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors.", "spans": {"Indicator: attacks": [[4, 11]], "Organization: targets' activities,": [[48, 68]], "System: share infrastructure": [[73, 93]]}, "info": {"id": "cyner2_5class_train_03490", "source": "cyner2_5class_train"}} +{"text": "A big chunk of data is extracted from the portable executable ( PE ) file itself and decrypted two times using a custom XOR algorithm .", "spans": {}, "info": {"id": "cyner2_5class_train_03491", "source": "cyner2_5class_train"}} +{"text": "We have observed this team utilizing .cim and .bcl files as attack vectors, both of which file types are used by the CIMPLICITY software.", "spans": {"Indicator: .cim": [[37, 41]], "Indicator: .bcl files": [[46, 56]], "System: CIMPLICITY software.": [[117, 137]]}, "info": {"id": "cyner2_5class_train_03492", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan.Dynamer.FC.1842 W32/Msil.AOXS-4373 TSPY_HPCUBESTLR.SM Win.Packed.Confuser-6042561-0 not-a-virus:PSWTool.Win32.MessengerPass.n Trojan.Win32.Stealer.emdjaa Troj.W32.Jorik.Shakblades.lBRs Packed:MSIL/SmartIL.A Trojan.PWS.Stealer.13008 TSPY_HPCUBESTLR.SM BehavesLike.Win32.CryptDoma.fc HackTool.Win32.BrowserPassview W32/Msil.O TrojanSpy.MSIL.ewm Win32.Troj.Undef.kcloud Trj/CI.A Win32/Trojan.cb4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.FC.1842": [[26, 48]], "Indicator: W32/Msil.AOXS-4373": [[49, 67]], "Indicator: TSPY_HPCUBESTLR.SM": [[68, 86], [265, 283]], "Indicator: Win.Packed.Confuser-6042561-0": [[87, 116]], "Indicator: not-a-virus:PSWTool.Win32.MessengerPass.n": [[117, 158]], "Indicator: Trojan.Win32.Stealer.emdjaa": [[159, 186]], "Indicator: Troj.W32.Jorik.Shakblades.lBRs": [[187, 217]], "Indicator: Packed:MSIL/SmartIL.A": [[218, 239]], "Indicator: Trojan.PWS.Stealer.13008": [[240, 264]], "Indicator: BehavesLike.Win32.CryptDoma.fc": [[284, 314]], "Indicator: HackTool.Win32.BrowserPassview": [[315, 345]], "Indicator: W32/Msil.O": [[346, 356]], "Indicator: TrojanSpy.MSIL.ewm": [[357, 375]], "Indicator: Win32.Troj.Undef.kcloud": [[376, 399]], "Indicator: Trj/CI.A": [[400, 408]], "Indicator: Win32/Trojan.cb4": [[409, 425]]}, "info": {"id": "cyner2_5class_train_03493", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.G.Door.C Backdoor/W32.GDoor.334848 Backdoor.G.Door.C BKDR_DOOR.LG W32/Backdoor2.DZPI Backdoor.Trojan BKDR_DOOR.LG Win.Trojan.GGDoor-4 Backdoor.G.Door.C Backdoor.Win32.G_Door.c Backdoor.G.Door.C Trojan.Win32.GDoor.beknpm Backdoor.Win32.G_Door.334848 Backdoor.W32.G_Door.c!c Backdoor.G.Door.C Backdoor.G.Door.C Trojan.MulDrop.141 BehavesLike.Win32.Trojan.fc Backdoor/G_Door.c Backdoor.Win32.G_Door.C W32/Backdoor.VMMA-7325 Backdoor/G_Door.c BDS/G_door.C.17 Trojan[Backdoor]/Win32.G_Door Backdoor:Win32/G_Door.C Backdoor.Win32.G_Door.c Backdoor.G.Door.C Backdoor.G_Door Bck/Ggdoor.I Win32/G_Door.C 
Win32.Backdoor.G_door.Svhk Backdoor.G_Door!JC6xcbYSKHg Win32/Backdoor.b76", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.G.Door.C": [[26, 43], [70, 87], [169, 186], [211, 228], [308, 325], [326, 343], [568, 585]], "Indicator: Backdoor/W32.GDoor.334848": [[44, 69]], "Indicator: BKDR_DOOR.LG": [[88, 100], [136, 148]], "Indicator: W32/Backdoor2.DZPI": [[101, 119]], "Indicator: Backdoor.Trojan": [[120, 135]], "Indicator: Win.Trojan.GGDoor-4": [[149, 168]], "Indicator: Backdoor.Win32.G_Door.c": [[187, 210], [544, 567]], "Indicator: Trojan.Win32.GDoor.beknpm": [[229, 254]], "Indicator: Backdoor.Win32.G_Door.334848": [[255, 283]], "Indicator: Backdoor.W32.G_Door.c!c": [[284, 307]], "Indicator: Trojan.MulDrop.141": [[344, 362]], "Indicator: BehavesLike.Win32.Trojan.fc": [[363, 390]], "Indicator: Backdoor/G_Door.c": [[391, 408], [456, 473]], "Indicator: Backdoor.Win32.G_Door.C": [[409, 432]], "Indicator: W32/Backdoor.VMMA-7325": [[433, 455]], "Indicator: BDS/G_door.C.17": [[474, 489]], "Indicator: Trojan[Backdoor]/Win32.G_Door": [[490, 519]], "Indicator: Backdoor:Win32/G_Door.C": [[520, 543]], "Indicator: Backdoor.G_Door": [[586, 601]], "Indicator: Bck/Ggdoor.I": [[602, 614]], "Indicator: Win32/G_Door.C": [[615, 629]], "Indicator: Win32.Backdoor.G_door.Svhk": [[630, 656]], "Indicator: Backdoor.G_Door!JC6xcbYSKHg": [[657, 684]], "Indicator: Win32/Backdoor.b76": [[685, 703]]}, "info": {"id": "cyner2_5class_train_03494", "source": "cyner2_5class_train"}} +{"text": "The original version of Nokoyawa ransomware was introduced in February 2022 and written in the C programming language.", "spans": {"Malware: Nokoyawa ransomware": [[24, 43]], "System: the C programming language.": [[91, 118]]}, "info": {"id": "cyner2_5class_train_03495", "source": "cyner2_5class_train"}} +{"text": "It also disables Play Protect ( Google ’ s preinstalled antivirus solution ) to prevent its discovery and deletion in the future .", "spans": {"System: Play Protect": [[17, 29]], 
"Organization: Google": [[32, 38]]}, "info": {"id": "cyner2_5class_train_03496", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.FU.EF8E10 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.CCTW-9250 Trojan.Win32.Jascript.cvmxnk Dropper.Jascript.Win32.59 Trojan-Ransom.Win32.Gimemo W32/MalwareF.OGBH TrojanDropper.Jascript.ao TR/Drop.Jascript.bbo Trojan:Win32/Thetatic.A Dropper/Win32.Xema.C95872 Win32.Trojan-dropper.Jascript.Syrq Trojan.DR.Jascript!LiiZWXoHPPQ W32/Jascript.BBO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.FU.EF8E10": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[48, 90]], "Indicator: W32/Risk.CCTW-9250": [[91, 109]], "Indicator: Trojan.Win32.Jascript.cvmxnk": [[110, 138]], "Indicator: Dropper.Jascript.Win32.59": [[139, 164]], "Indicator: Trojan-Ransom.Win32.Gimemo": [[165, 191]], "Indicator: W32/MalwareF.OGBH": [[192, 209]], "Indicator: TrojanDropper.Jascript.ao": [[210, 235]], "Indicator: TR/Drop.Jascript.bbo": [[236, 256]], "Indicator: Trojan:Win32/Thetatic.A": [[257, 280]], "Indicator: Dropper/Win32.Xema.C95872": [[281, 306]], "Indicator: Win32.Trojan-dropper.Jascript.Syrq": [[307, 341]], "Indicator: Trojan.DR.Jascript!LiiZWXoHPPQ": [[342, 372]], "Indicator: W32/Jascript.BBO!tr": [[373, 392]]}, "info": {"id": "cyner2_5class_train_03497", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.DebrisB.Worm Trojan/W32.Csyr.3584.C Worm.Win32.Debris!O W32/Csyr.A!Eldorado Win32/Tnega.FeZbcZD WORM_GAMARUE.SMB Win.Adware.Downware-239 Worm.Win32.Debris.p Trojan.Win32.Drop.brprwz Worm.Win32.Bundpil.T Trojan.MulDrop4.25343 WORM_GAMARUE.SMB BehavesLike.Win32.Worm.zz W32/Csyr.A!Eldorado Trojan/Csyr.a TR/Zusy.358421 Trojan/Win32.Csyr Trojan.Zusy.DA717 Worm.Gamarue Worm.Win32.Debris.p Trojan:Win32/Topini.A Worm/Win32.Bundpil.R63957 Worm.Gamarue Trj/Zbot.M Trojan.Win32.Csyr.A W32/Bundpil.T!worm Worm.Win32.Gamarue.E", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.FamVT.DebrisB.Worm": [[26, 48]], "Indicator: Trojan/W32.Csyr.3584.C": [[49, 71]], "Indicator: Worm.Win32.Debris!O": [[72, 91]], "Indicator: W32/Csyr.A!Eldorado": [[92, 111], [304, 323]], "Indicator: Win32/Tnega.FeZbcZD": [[112, 131]], "Indicator: WORM_GAMARUE.SMB": [[132, 148], [261, 277]], "Indicator: Win.Adware.Downware-239": [[149, 172]], "Indicator: Worm.Win32.Debris.p": [[173, 192], [402, 421]], "Indicator: Trojan.Win32.Drop.brprwz": [[193, 217]], "Indicator: Worm.Win32.Bundpil.T": [[218, 238]], "Indicator: Trojan.MulDrop4.25343": [[239, 260]], "Indicator: BehavesLike.Win32.Worm.zz": [[278, 303]], "Indicator: Trojan/Csyr.a": [[324, 337]], "Indicator: TR/Zusy.358421": [[338, 352]], "Indicator: Trojan/Win32.Csyr": [[353, 370]], "Indicator: Trojan.Zusy.DA717": [[371, 388]], "Indicator: Worm.Gamarue": [[389, 401], [470, 482]], "Indicator: Trojan:Win32/Topini.A": [[422, 443]], "Indicator: Worm/Win32.Bundpil.R63957": [[444, 469]], "Indicator: Trj/Zbot.M": [[483, 493]], "Indicator: Trojan.Win32.Csyr.A": [[494, 513]], "Indicator: W32/Bundpil.T!worm": [[514, 532]], "Indicator: Worm.Win32.Gamarue.E": [[533, 553]]}, "info": {"id": "cyner2_5class_train_03498", "source": "cyner2_5class_train"}} +{"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class .", "spans": {"System: Android Lifecycle": [[69, 86]]}, "info": {"id": "cyner2_5class_train_03499", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RemoteAdmin.Win32.eSurveiller!O Trojan.VB.Win32.68501 Trojan/VB.nqz TSPY_ESURVEILLER_DC07000D.UVPA Spyware.ESurveiller TSPY_ESURVEILLER_DC07000D.UVPA Win.Trojan.Infostealer-5 Backdoor.Win32.VB.ppb Trojan.Win32.Dwn.ssuio Trojan.Win32.VB.1452000 Troj.Infostealer.lDrj Trojan.DownLoader1.64229 not-a-virus:RemoteAdmin.Win32.eSurveiller Trojan.Strictor.D2473 Backdoor.Win32.VB.ppb Unwanted/Win32.Radmin.R25253 Backdoor.VB Trj/CI.A 
Trojan.Infostealer Win32.Backdoor.Vb.Lnns Trojan.DownLoader!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RemoteAdmin.Win32.eSurveiller!O": [[26, 57]], "Indicator: Trojan.VB.Win32.68501": [[58, 79]], "Indicator: Trojan/VB.nqz": [[80, 93]], "Indicator: TSPY_ESURVEILLER_DC07000D.UVPA": [[94, 124], [145, 175]], "Indicator: Spyware.ESurveiller": [[125, 144]], "Indicator: Win.Trojan.Infostealer-5": [[176, 200]], "Indicator: Backdoor.Win32.VB.ppb": [[201, 222], [381, 402]], "Indicator: Trojan.Win32.Dwn.ssuio": [[223, 245]], "Indicator: Trojan.Win32.VB.1452000": [[246, 269]], "Indicator: Troj.Infostealer.lDrj": [[270, 291]], "Indicator: Trojan.DownLoader1.64229": [[292, 316]], "Indicator: not-a-virus:RemoteAdmin.Win32.eSurveiller": [[317, 358]], "Indicator: Trojan.Strictor.D2473": [[359, 380]], "Indicator: Unwanted/Win32.Radmin.R25253": [[403, 431]], "Indicator: Backdoor.VB": [[432, 443]], "Indicator: Trj/CI.A": [[444, 452]], "Indicator: Trojan.Infostealer": [[453, 471]], "Indicator: Win32.Backdoor.Vb.Lnns": [[472, 494]], "Indicator: Trojan.DownLoader!": [[495, 513]]}, "info": {"id": "cyner2_5class_train_03500", "source": "cyner2_5class_train"}} +{"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ .", "spans": {"Indicator: ftp : //213.174.157 [ .": [[45, 68]]}, "info": {"id": "cyner2_5class_train_03501", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop!O Hacktool.Passview Trojan.Delf.Inject.Z Trojan/Dropper.Mudrop.ew TROJ_DROPPER.HVW Win32.Worm.AutoRun.ij W32/Risk.BDUN-6545 TROJ_DROPPER.HVW Win.Trojan.Delf-3744 Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop.ew Trojan.Delf.Inject.Z Trojan.Win32.Mudrop.crqisw Trojan.Win32.MulDrop.1431634 Trojan.Delf.Inject.Z TrojWare.Win32.TrojanDropper.Mudrop.~RA Trojan.Delf.Inject.Z Trojan.MulDrop.12722 Dropper.Mudrop.Win32.77 BehavesLike.Win32.PUP.tc W32/Dropper.GWJ TrojanDropper.Mudrop.fy TR/Spy.Ftput.C Trojan[PSW]/Win32.LdPinch 
Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop.ew PWS:Win32/Sounli.A Dropper/Win32.Mudrop.C138252 TrojanPSW.Pinch Trojan.PWS.LdPinch!Csxdj/6mZgk Trojan-Dropper.Win32.Mudrop", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delf.Inject.Z": [[26, 46], [95, 115], [237, 257], [289, 309], [366, 386], [427, 447], [599, 619]], "Indicator: Trojan-Dropper.Win32.Mudrop!O": [[47, 76]], "Indicator: Hacktool.Passview": [[77, 94]], "Indicator: Trojan/Dropper.Mudrop.ew": [[116, 140]], "Indicator: TROJ_DROPPER.HVW": [[141, 157], [199, 215]], "Indicator: Win32.Worm.AutoRun.ij": [[158, 179]], "Indicator: W32/Risk.BDUN-6545": [[180, 198]], "Indicator: Win.Trojan.Delf-3744": [[216, 236]], "Indicator: Trojan-Dropper.Win32.Mudrop.ew": [[258, 288], [620, 650]], "Indicator: Trojan.Win32.Mudrop.crqisw": [[310, 336]], "Indicator: Trojan.Win32.MulDrop.1431634": [[337, 365]], "Indicator: TrojWare.Win32.TrojanDropper.Mudrop.~RA": [[387, 426]], "Indicator: Trojan.MulDrop.12722": [[448, 468]], "Indicator: Dropper.Mudrop.Win32.77": [[469, 492]], "Indicator: BehavesLike.Win32.PUP.tc": [[493, 517]], "Indicator: W32/Dropper.GWJ": [[518, 533]], "Indicator: TrojanDropper.Mudrop.fy": [[534, 557]], "Indicator: TR/Spy.Ftput.C": [[558, 572]], "Indicator: Trojan[PSW]/Win32.LdPinch": [[573, 598]], "Indicator: PWS:Win32/Sounli.A": [[651, 669]], "Indicator: Dropper/Win32.Mudrop.C138252": [[670, 698]], "Indicator: TrojanPSW.Pinch": [[699, 714]], "Indicator: Trojan.PWS.LdPinch!Csxdj/6mZgk": [[715, 745]], "Indicator: Trojan-Dropper.Win32.Mudrop": [[746, 773]]}, "info": {"id": "cyner2_5class_train_03502", "source": "cyner2_5class_train"}} +{"text": "RedLine Stealer's evasive spear-phishing campaign targets the hospitality industry.", "spans": {"Organization: the hospitality industry.": [[58, 83]]}, "info": {"id": "cyner2_5class_train_03503", "source": "cyner2_5class_train"}} +{"text": "Web application vulnerabilities are like doorways: you never know who or what will walk through.", "spans": 
{"Vulnerability: Web application vulnerabilities": [[0, 31]]}, "info": {"id": "cyner2_5class_train_03504", "source": "cyner2_5class_train"}} +{"text": "Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years.", "spans": {"Organization: governments": [[62, 73]], "Organization: civil society organizations": [[78, 105]]}, "info": {"id": "cyner2_5class_train_03505", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9984 TR/AD.Corinrat.sejyy Trojan.Application.MSILPerseus.D535 Ransom:MSIL/PentagonRat.A Trj/GdSda.A Win32/Application.478", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[26, 68]], "Indicator: TR/AD.Corinrat.sejyy": [[69, 89]], "Indicator: Trojan.Application.MSILPerseus.D535": [[90, 125]], "Indicator: Ransom:MSIL/PentagonRat.A": [[126, 151]], "Indicator: Trj/GdSda.A": [[152, 163]], "Indicator: Win32/Application.478": [[164, 185]]}, "info": {"id": "cyner2_5class_train_03506", "source": "cyner2_5class_train"}} +{"text": "Runtastic sample permission prompt Runtastic sample permission prompt Checking foreground app Marcher is one of the few Android banking Trojans to use the AndroidProcesses library , which enables the application to obtain the name of the Android package that is currently running in the foreground .", "spans": {"System: Runtastic": [[0, 9], [35, 44]], "Malware: Marcher": [[94, 101]], "System: Android": [[238, 245]]}, "info": {"id": "cyner2_5class_train_03507", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Win32.VBKrypt.3!O Trojan.Vbot.S15507 Downloader.VB.Win32.107566 Trojan/AntiAV.out Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.AntiAV.cqff Trojan.Win32.AntiAV.bbnaxd Trojan.MulDrop3.35749 Trojan.AntiAV.abe TR/Offend.7084277.1 Trojan:Win32/Vbot.T Trojan.Win32.AntiAV.cqff 
Downloader/Win32.VB.C136965 Trojan.AntiAV Win32.Trojan.Antiav.Wmiq Trojan.AntiAV!kRLKkhVQepY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Win32.VBKrypt.3!O": [[26, 48]], "Indicator: Trojan.Vbot.S15507": [[49, 67]], "Indicator: Downloader.VB.Win32.107566": [[68, 94]], "Indicator: Trojan/AntiAV.out": [[95, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9933": [[113, 155]], "Indicator: Trojan.Win32.AntiAV.cqff": [[156, 180], [288, 312]], "Indicator: Trojan.Win32.AntiAV.bbnaxd": [[181, 207]], "Indicator: Trojan.MulDrop3.35749": [[208, 229]], "Indicator: Trojan.AntiAV.abe": [[230, 247]], "Indicator: TR/Offend.7084277.1": [[248, 267]], "Indicator: Trojan:Win32/Vbot.T": [[268, 287]], "Indicator: Downloader/Win32.VB.C136965": [[313, 340]], "Indicator: Trojan.AntiAV": [[341, 354]], "Indicator: Win32.Trojan.Antiav.Wmiq": [[355, 379]], "Indicator: Trojan.AntiAV!kRLKkhVQepY": [[380, 405]]}, "info": {"id": "cyner2_5class_train_03508", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.RazyNHmA.Trojan Trojan.Waldek Trojan.Symmi.D100C4 WORM_HPKASIDET.SM0 Win32.Trojan.Kryptik.aio WORM_HPKASIDET.SM0 Win.Trojan.Betabot-5 Trojan.Win32.NgrBot.evigbp BackDoor.IRC.NgrBot.566 BehavesLike.Win32.MultiPlug.cm W32/Trojan.HZWF-1490 TR/Crypt.Xpack.tsufk Trojan:Win32/Radonskra.B Trojan/Win32.Upbot.C1483736 Trj/GdSda.A Trojan-Ransom.Raa W32/Kryptik.FACF!tr Win32/Trojan.a93", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.RazyNHmA.Trojan": [[26, 51]], "Indicator: Trojan.Waldek": [[52, 65]], "Indicator: Trojan.Symmi.D100C4": [[66, 85]], "Indicator: WORM_HPKASIDET.SM0": [[86, 104], [130, 148]], "Indicator: Win32.Trojan.Kryptik.aio": [[105, 129]], "Indicator: Win.Trojan.Betabot-5": [[149, 169]], "Indicator: Trojan.Win32.NgrBot.evigbp": [[170, 196]], "Indicator: BackDoor.IRC.NgrBot.566": [[197, 220]], "Indicator: BehavesLike.Win32.MultiPlug.cm": [[221, 251]], "Indicator: W32/Trojan.HZWF-1490": [[252, 272]], "Indicator: 
TR/Crypt.Xpack.tsufk": [[273, 293]], "Indicator: Trojan:Win32/Radonskra.B": [[294, 318]], "Indicator: Trojan/Win32.Upbot.C1483736": [[319, 346]], "Indicator: Trj/GdSda.A": [[347, 358]], "Indicator: Trojan-Ransom.Raa": [[359, 376]], "Indicator: W32/Kryptik.FACF!tr": [[377, 396]], "Indicator: Win32/Trojan.a93": [[397, 413]]}, "info": {"id": "cyner2_5class_train_03509", "source": "cyner2_5class_train"}} +{"text": "Attackers are continually trying to find new ways to target users with malware sent via email.", "spans": {"Organization: users": [[60, 65]], "Malware: malware": [[71, 78]], "Indicator: sent via email.": [[79, 94]]}, "info": {"id": "cyner2_5class_train_03510", "source": "cyner2_5class_train"}} +{"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains .", "spans": {}, "info": {"id": "cyner2_5class_train_03511", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Win32.Trojan.WisdomEyes.16070401.9500.9999 Zum.Rastarby.4 Trojan.Win32.Miner.tfkd Zum.Rastarby.4 Riskware.Win64.BtcMine.dugwfh Uds.Dangerousobject.Multi!c Win32.Trojan.Miner.Dux BehavesLike.Win32.AdwareLinkury.tc Zum.Rastarby.4 Trojan.Win32.Miner.tfkd Trojan:Win64/HelaMiner.A Trojan.Miner BAT/CoinMiner.YJ Trj/CI.A Win32/Trojan.769", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[39, 81]], "Indicator: Zum.Rastarby.4": [[82, 96], [121, 135], [252, 266]], "Indicator: Trojan.Win32.Miner.tfkd": [[97, 120], [267, 290]], "Indicator: Riskware.Win64.BtcMine.dugwfh": [[136, 165]], "Indicator: Uds.Dangerousobject.Multi!c": [[166, 193]], "Indicator: Win32.Trojan.Miner.Dux": [[194, 216]], "Indicator: BehavesLike.Win32.AdwareLinkury.tc": [[217, 251]], "Indicator: Trojan:Win64/HelaMiner.A": [[291, 315]], "Indicator: Trojan.Miner": [[316, 328]], "Indicator: BAT/CoinMiner.YJ": [[329, 345]], "Indicator: Trj/CI.A": [[346, 
354]], "Indicator: Win32/Trojan.769": [[355, 371]]}, "info": {"id": "cyner2_5class_train_03512", "source": "cyner2_5class_train"}} +{"text": "The Janus vulnerability , which allows the actor to replace any application with an infected version .", "spans": {"Vulnerability: Janus": [[4, 9]]}, "info": {"id": "cyner2_5class_train_03513", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.ZXShell BKDR_ZXSHELL.D Backdoor.Win32.ZXShell.v Backdoor.W32.Zxshell!c BKDR_ZXSHELL.D BDS/ZXShell.999712 W32/ZxShell.D!tr Trojan.Kazy.DB0C8D Backdoor:Win32/Zxshell.A!dha Backdoor/Win32.ZXShell.N1663696022 Win32.Backdoor.Zxshell.Pfjm Trojan.Win32.Zxshell Win32/Backdoor.6e4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.ZXShell": [[26, 42]], "Indicator: BKDR_ZXSHELL.D": [[43, 57], [106, 120]], "Indicator: Backdoor.Win32.ZXShell.v": [[58, 82]], "Indicator: Backdoor.W32.Zxshell!c": [[83, 105]], "Indicator: BDS/ZXShell.999712": [[121, 139]], "Indicator: W32/ZxShell.D!tr": [[140, 156]], "Indicator: Trojan.Kazy.DB0C8D": [[157, 175]], "Indicator: Backdoor:Win32/Zxshell.A!dha": [[176, 204]], "Indicator: Backdoor/Win32.ZXShell.N1663696022": [[205, 239]], "Indicator: Win32.Backdoor.Zxshell.Pfjm": [[240, 267]], "Indicator: Trojan.Win32.Zxshell": [[268, 288]], "Indicator: Win32/Backdoor.6e4": [[289, 307]]}, "info": {"id": "cyner2_5class_train_03514", "source": "cyner2_5class_train"}} +{"text": "the worm was back, and it was both more and less effective.", "spans": {"Malware: worm": [[4, 8]]}, "info": {"id": "cyner2_5class_train_03515", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BitCoinMiner Riskware.Win32.BtcMine.exrhsn Trojan.Win32.Z.Strictor.1934848 Win32.Trojan.Strictor.Akpc Tool.BtcMine.982 BehavesLike.Win32.BadFile.tc Trojan.Win32.CoinMiner TR/CoinMiner.vctqx Trojan.Strictor.D2613C Trojan.Win64.BitCoinMiner W32/CoinMiner.AZU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BitCoinMiner": [[26, 
45]], "Indicator: Riskware.Win32.BtcMine.exrhsn": [[46, 75]], "Indicator: Trojan.Win32.Z.Strictor.1934848": [[76, 107]], "Indicator: Win32.Trojan.Strictor.Akpc": [[108, 134]], "Indicator: Tool.BtcMine.982": [[135, 151]], "Indicator: BehavesLike.Win32.BadFile.tc": [[152, 180]], "Indicator: Trojan.Win32.CoinMiner": [[181, 203]], "Indicator: TR/CoinMiner.vctqx": [[204, 222]], "Indicator: Trojan.Strictor.D2613C": [[223, 245]], "Indicator: Trojan.Win64.BitCoinMiner": [[246, 271]], "Indicator: W32/CoinMiner.AZU!tr": [[272, 292]]}, "info": {"id": "cyner2_5class_train_03516", "source": "cyner2_5class_train"}} +{"text": "The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim's system regardless whether macros are enabled.", "spans": {"System: DDE": [[11, 14]], "System: PowerShell": [[20, 30]], "Indicator: execute arbitrary code": [[53, 75]], "System: a victim's system": [[79, 96]], "Malware: macros": [[116, 122]]}, "info": {"id": "cyner2_5class_train_03517", "source": "cyner2_5class_train"}} +{"text": "] org Ties to previous activity The registrant of cdncool [ .", "spans": {"Indicator: cdncool [ .": [[50, 61]]}, "info": {"id": "cyner2_5class_train_03518", "source": "cyner2_5class_train"}} +{"text": "In addition to Chipotle, the hackers appears to be targeting national restaurant franchises Baja Fresh and Ruby Tuesday, according to malware samples and other evidence CyberScoop obtained.", "spans": {"Organization: Chipotle,": [[15, 24]], "Organization: national restaurant franchises Baja Fresh and Ruby Tuesday,": [[61, 120]], "Malware: malware": [[134, 141]], "Organization: CyberScoop": [[169, 179]]}, "info": {"id": "cyner2_5class_train_03519", "source": "cyner2_5class_train"}} +{"text": "ThreatLabz has determined that Nevada shares significant code with the Rust-based variant of Nokoyawa.", "spans": {"Organization: ThreatLabz": [[0, 10]], "Malware: Nevada": [[31, 37]], "Malware: the Rust-based variant of Nokoyawa.": [[67, 102]]}, "info": 
{"id": "cyner2_5class_train_03520", "source": "cyner2_5class_train"}} +{"text": "This past week, our team has identified a group of malware samples that matched behavioral heuristics for multiple known malware families.", "spans": {"Organization: team": [[20, 24]], "Malware: group of malware": [[42, 58]], "Malware: malware families.": [[121, 138]]}, "info": {"id": "cyner2_5class_train_03521", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ShellKillUnixOSPtv.Worm Trojan.Script.BXM Trojan.VBS.Kofornix.A Trojan.KillDisk.MBR Troj.W32.EraseMBR.d!c Trojan.Jokra Win32/DarkSeoul.AA UNIX_KILLMBR.A Trojan.Win32.EraseMBR.d Trojan.Script.BXM Trojan.Script.EraseMBR.bxxrlr Trojan.Script.BXM Trojan.Script.BXM Trojan.KillMBR.168 BASH/Kast.A!tr Trojan.Script.BXM Trojan.Win32.EraseMBR.d Trojan:SH/Kofornix.A Trojan.SH.KilMBR Win32.Trojan.Erasembr.Wtnk Trojan.Win32.EraseMBR Trojan.Script.BXM Win32/Trojan.6f6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ShellKillUnixOSPtv.Worm": [[26, 53]], "Indicator: Trojan.Script.BXM": [[54, 71], [207, 224], [255, 272], [273, 290], [325, 342], [454, 471]], "Indicator: Trojan.VBS.Kofornix.A": [[72, 93]], "Indicator: Trojan.KillDisk.MBR": [[94, 113]], "Indicator: Troj.W32.EraseMBR.d!c": [[114, 135]], "Indicator: Trojan.Jokra": [[136, 148]], "Indicator: Win32/DarkSeoul.AA": [[149, 167]], "Indicator: UNIX_KILLMBR.A": [[168, 182]], "Indicator: Trojan.Win32.EraseMBR.d": [[183, 206], [343, 366]], "Indicator: Trojan.Script.EraseMBR.bxxrlr": [[225, 254]], "Indicator: Trojan.KillMBR.168": [[291, 309]], "Indicator: BASH/Kast.A!tr": [[310, 324]], "Indicator: Trojan:SH/Kofornix.A": [[367, 387]], "Indicator: Trojan.SH.KilMBR": [[388, 404]], "Indicator: Win32.Trojan.Erasembr.Wtnk": [[405, 431]], "Indicator: Trojan.Win32.EraseMBR": [[432, 453]], "Indicator: Win32/Trojan.6f6": [[472, 488]]}, "info": {"id": "cyner2_5class_train_03522", "source": "cyner2_5class_train"}} +{"text": "] 27 [ .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03523", "source": "cyner2_5class_train"}} +{"text": "It encodes strings into binary arrays , making it hard to inspect them .", "spans": {}, "info": {"id": "cyner2_5class_train_03524", "source": "cyner2_5class_train"}} +{"text": "Like many original equipment manufacturers , it uses software components from other developers .", "spans": {}, "info": {"id": "cyner2_5class_train_03525", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: I-Worm.Plesa.r3 Trojan/Plesa.a IRC-Worm.Plesa!VraGnsrR3Es W32/Plesa.A@p2p W32.SillyP2P IRC/Plesa.A WORM_PLESA.B Worm.IRC.Plesa.A IRC-Worm.Win32.Plesa.a Trojan.Win32.Plesa.fuyf Worm.Win32.A.IRC-Plesa.34304[h] Worm.IRC.Plesa.A Win32.HLLW.Plesa Worm.Plesa.Win32.1 WORM_PLESA.B BehavesLike.Win32.Sality.nc W32/Plesa.BXPQ-5568 I-Worm/Plesa.a WORM/Irc.Plesa.A.2 W32/Plesa.A!worm.irc Worm[IRC]/Win32.Plesa W32.W.Plesa.a!c Win32/Plesa.worm.34304 Worm:Win32/Plesa.A Win32.Worm-irc.Plesa.Svqx IRC-Worm/Plesa.A Worm.Win32.Plesa.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: I-Worm.Plesa.r3": [[26, 41]], "Indicator: Trojan/Plesa.a": [[42, 56]], "Indicator: IRC-Worm.Plesa!VraGnsrR3Es": [[57, 83]], "Indicator: W32/Plesa.A@p2p": [[84, 99]], "Indicator: W32.SillyP2P": [[100, 112]], "Indicator: IRC/Plesa.A": [[113, 124]], "Indicator: WORM_PLESA.B": [[125, 137], [287, 299]], "Indicator: Worm.IRC.Plesa.A": [[138, 154], [234, 250]], "Indicator: IRC-Worm.Win32.Plesa.a": [[155, 177]], "Indicator: Trojan.Win32.Plesa.fuyf": [[178, 201]], "Indicator: Worm.Win32.A.IRC-Plesa.34304[h]": [[202, 233]], "Indicator: Win32.HLLW.Plesa": [[251, 267]], "Indicator: Worm.Plesa.Win32.1": [[268, 286]], "Indicator: BehavesLike.Win32.Sality.nc": [[300, 327]], "Indicator: W32/Plesa.BXPQ-5568": [[328, 347]], "Indicator: I-Worm/Plesa.a": [[348, 362]], "Indicator: WORM/Irc.Plesa.A.2": [[363, 381]], "Indicator: W32/Plesa.A!worm.irc": [[382, 402]], "Indicator: Worm[IRC]/Win32.Plesa": [[403, 424]], "Indicator: W32.W.Plesa.a!c": [[425, 
440]], "Indicator: Win32/Plesa.worm.34304": [[441, 463]], "Indicator: Worm:Win32/Plesa.A": [[464, 482]], "Indicator: Win32.Worm-irc.Plesa.Svqx": [[483, 508]], "Indicator: IRC-Worm/Plesa.A": [[509, 525]], "Indicator: Worm.Win32.Plesa.a": [[526, 544]]}, "info": {"id": "cyner2_5class_train_03526", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Spybot.Worm W32/Packed_Packman.A Virus.Win32.Heur.c Backdoor.Rbot!IK Win32.HLLW.MyBot.based Backdoor.Rbot BackDoor.RBot.IA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Spybot.Worm": [[26, 41]], "Indicator: W32/Packed_Packman.A": [[42, 62]], "Indicator: Virus.Win32.Heur.c": [[63, 81]], "Indicator: Backdoor.Rbot!IK": [[82, 98]], "Indicator: Win32.HLLW.MyBot.based": [[99, 121]], "Indicator: Backdoor.Rbot": [[122, 135]], "Indicator: BackDoor.RBot.IA": [[136, 152]]}, "info": {"id": "cyner2_5class_train_03527", "source": "cyner2_5class_train"}} +{"text": "Allows an application to read or write the system settings .", "spans": {}, "info": {"id": "cyner2_5class_train_03528", "source": "cyner2_5class_train"}} +{"text": "In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization.", "spans": {"Organization: Palo Alto Networks Unit 42": [[13, 39]], "Malware: small": [[53, 58]], "Organization: a government organization.": [[95, 121]]}, "info": {"id": "cyner2_5class_train_03529", "source": "cyner2_5class_train"}} +{"text": "Many top providers in Russia offer cheap prices for their shared hosting services , and some even provide free 30-day trial periods .", "spans": {}, "info": {"id": "cyner2_5class_train_03530", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_03531", "source": "cyner2_5class_train"}} +{"text": "] it Firenze server1gioiat.exodus.connexxa [ .", "spans": {"Indicator: server1gioiat.exodus.connexxa [ .": [[13, 46]]}, "info": {"id": "cyner2_5class_train_03532", "source": 
"cyner2_5class_train"}} +{"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants' rights in Qatar and Nepal.", "spans": {"Indicator: phishing attacks": [[64, 80]], "Indicator: steal credentials": [[93, 110]], "Organization: journalists, human rights defenders, trade unions": [[148, 197]], "Organization: labour rights activists,": [[202, 226]]}, "info": {"id": "cyner2_5class_train_03533", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 Trojan.Win32.Coced.bhwfkh Hacktool.PWSteal Naebi.246 Trojan-PSW.Win32.Coced.246 Trojan.PWS.Coced!FBVVvUBVA1M Trojan.PWS.Coced.2.4.6 TrojWare.Win32.PSW.Coced.246 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.246 Trojan.Coced.Win32.158 W32/Risk.HJYL-5906 Trojan/PSW.Coced.246 TR/PSW.Coced.246 Trojan[PSW]/Win32.Coced Win32.PSWTroj.Coced.kcloud PWS:Win32/Coced.2_46 Win-Trojan/Coced.19456 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 TrojanPSW.Coced Win32/PSW.Coced.246 Win32.Init.QQRob.dkwv W32/Coced.246!tr.pws PSW.Coced Trojan.Win32.InfoStealer.AYJO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.Coced.2.4.6": [[26, 48], [49, 71], [72, 94], [204, 226], [256, 278], [475, 497], [498, 520]], "Indicator: Trojan.Win32.Coced.bhwfkh": [[95, 120]], "Indicator: Hacktool.PWSteal": [[121, 137]], "Indicator: Naebi.246": [[138, 147]], "Indicator: Trojan-PSW.Win32.Coced.246": [[148, 174]], "Indicator: Trojan.PWS.Coced!FBVVvUBVA1M": [[175, 203]], "Indicator: TrojWare.Win32.PSW.Coced.246": [[227, 255]], "Indicator: Trojan.PWS.Coced.246": [[279, 299]], "Indicator: Trojan.Coced.Win32.158": [[300, 322]], "Indicator: W32/Risk.HJYL-5906": [[323, 341]], "Indicator: Trojan/PSW.Coced.246": [[342, 362]], "Indicator: 
TR/PSW.Coced.246": [[363, 379]], "Indicator: Trojan[PSW]/Win32.Coced": [[380, 403]], "Indicator: Win32.PSWTroj.Coced.kcloud": [[404, 430]], "Indicator: PWS:Win32/Coced.2_46": [[431, 451]], "Indicator: Win-Trojan/Coced.19456": [[452, 474]], "Indicator: TrojanPSW.Coced": [[521, 536]], "Indicator: Win32/PSW.Coced.246": [[537, 556]], "Indicator: Win32.Init.QQRob.dkwv": [[557, 578]], "Indicator: W32/Coced.246!tr.pws": [[579, 599]], "Indicator: PSW.Coced": [[600, 609]], "Indicator: Trojan.Win32.InfoStealer.AYJO": [[610, 639]]}, "info": {"id": "cyner2_5class_train_03534", "source": "cyner2_5class_train"}} +{"text": "It ’ s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps .", "spans": {"Malware: HenBox": [[53, 59]]}, "info": {"id": "cyner2_5class_train_03535", "source": "cyner2_5class_train"}} +{"text": "Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.", "spans": {"Malware: Duqu infections": [[26, 41]], "Indicator: P5+1 events": [[60, 71]]}, "info": {"id": "cyner2_5class_train_03536", "source": "cyner2_5class_train"}} +{"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases .", "spans": {"Malware: Exodus Two": [[27, 37]], "System: Android": [[73, 80]]}, "info": {"id": "cyner2_5class_train_03537", "source": "cyner2_5class_train"}} +{"text": "This latest attack potentially materially impacts one of the primary countermeasures employed against wiper attacks: Virtual Desktop Interface snapshots.", "spans": {"Indicator: attack": [[12, 18]], "Malware: wiper": [[102, 107]], "Indicator: attacks:": [[108, 116]], "System: Virtual Desktop Interface snapshots.": [[117, 153]]}, "info": {"id": "cyner2_5class_train_03538", "source": "cyner2_5class_train"}} +{"text": "One is CVE-2012-1856, reinvigorated 
with a novel ROP chain to bypass ASLR and deliver the uWarrior payload.", "spans": {"Indicator: CVE-2012-1856,": [[7, 21]], "Indicator: ROP chain": [[49, 58]], "Malware: uWarrior payload.": [[90, 107]]}, "info": {"id": "cyner2_5class_train_03539", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packer.YodaBased.B Packer.YodaBased.B Packer.YodaBased.B Win32.Trojan.WisdomEyes.16070401.9500.9994 Packer.YodaBased.B Trojan.Win32.AutoRun.omxo Packer.YodaBased.B Packed.Win32.Klone.~KE Packer.YodaBased.B BackDoor.Attacker BehavesLike.Win32.Downloader.pc Backdoor.Win32.Hupigon Trojan/PSW.GamePass.msl TrojanDownloader:Win32/Murka.A Worm.Win32.Autorun.45568.I Packer.YodaBased.B TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packer.YodaBased.B": [[26, 44], [45, 63], [64, 82], [126, 144], [171, 189], [213, 231], [387, 405]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[83, 125]], "Indicator: Trojan.Win32.AutoRun.omxo": [[145, 170]], "Indicator: Packed.Win32.Klone.~KE": [[190, 212]], "Indicator: BackDoor.Attacker": [[232, 249]], "Indicator: BehavesLike.Win32.Downloader.pc": [[250, 281]], "Indicator: Backdoor.Win32.Hupigon": [[282, 304]], "Indicator: Trojan/PSW.GamePass.msl": [[305, 328]], "Indicator: TrojanDownloader:Win32/Murka.A": [[329, 359]], "Indicator: Worm.Win32.Autorun.45568.I": [[360, 386]], "Indicator: TScope.Malware-Cryptor.SB": [[406, 431]], "Indicator: Trj/CI.A": [[432, 440]]}, "info": {"id": "cyner2_5class_train_03540", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader-72360 Adware.BDSearch.1 Trojan.DownLoad.40686 Win32/Jhee.H Adware.Rugo Trojan:Win32/Jhee.G Adware.BDSearch.1 Adware.WSearch.O Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader-72360": [[26, 49]], "Indicator: Adware.BDSearch.1": [[50, 67], [135, 152]], "Indicator: Trojan.DownLoad.40686": [[68, 89]], "Indicator: Win32/Jhee.H": [[90, 102]], "Indicator: 
Adware.Rugo": [[103, 114]], "Indicator: Trojan:Win32/Jhee.G": [[115, 134]], "Indicator: Adware.WSearch.O": [[153, 169]], "Indicator: Trj/CI.A": [[170, 178]]}, "info": {"id": "cyner2_5class_train_03541", "source": "cyner2_5class_train"}} +{"text": "As we know from the FTP dump analysis , there was a firmware component from ASUS firmware , indicating the attacker ’ s interest in ASUS devices , which explains the victim file name that mentions “ ASUS ” .", "spans": {"Organization: ASUS": [[76, 80], [132, 136]]}, "info": {"id": "cyner2_5class_train_03542", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodfa8.Trojan.1d71 Trojan.Keylogger.NAD Trojan.Tuma.r4 Trojan.Keylogger.NAD Trojan/Spy.oop Trojan.Keylogger.NAD backdoor.win32.hupigon.fn W32/Trojan3.KYS Trojan.Win32.Tuma.deaiow Trojan.Win32.Z.Keylogger.20480.K[h] Troj.Keylogger.Nad!c Trojan.Keylogger.NAD Trojan.Keylogger.NAD Trojan.Keylogger.Win32.35586 W32/Trojan.GLTF-2077 TR/Tuma.A W32/Keylog.A!tr.spy Trojan.Keylogger.NAD Trojan:Win32/Tuma.A TrojanSpy.KeyLogger!6zo304KOTCM Trojan.Win32.Spy Trojan.Keylogger.NAD PSW.KeyLogger.CUC Win32/Trojan.Keylog.761", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodfa8.Trojan.1d71": [[26, 49]], "Indicator: Trojan.Keylogger.NAD": [[50, 70], [86, 106], [122, 142], [267, 287], [288, 308], [389, 409], [479, 499]], "Indicator: Trojan.Tuma.r4": [[71, 85]], "Indicator: Trojan/Spy.oop": [[107, 121]], "Indicator: backdoor.win32.hupigon.fn": [[143, 168]], "Indicator: W32/Trojan3.KYS": [[169, 184]], "Indicator: Trojan.Win32.Tuma.deaiow": [[185, 209]], "Indicator: Trojan.Win32.Z.Keylogger.20480.K[h]": [[210, 245]], "Indicator: Troj.Keylogger.Nad!c": [[246, 266]], "Indicator: Trojan.Keylogger.Win32.35586": [[309, 337]], "Indicator: W32/Trojan.GLTF-2077": [[338, 358]], "Indicator: TR/Tuma.A": [[359, 368]], "Indicator: W32/Keylog.A!tr.spy": [[369, 388]], "Indicator: Trojan:Win32/Tuma.A": [[410, 429]], "Indicator: TrojanSpy.KeyLogger!6zo304KOTCM": [[430, 
461]], "Indicator: Trojan.Win32.Spy": [[462, 478]], "Indicator: PSW.KeyLogger.CUC": [[500, 517]], "Indicator: Win32/Trojan.Keylog.761": [[518, 541]]}, "info": {"id": "cyner2_5class_train_03543", "source": "cyner2_5class_train"}} +{"text": "In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers.", "spans": {"Organization: Trustwave": [[18, 27]], "Organization: hospitality clients,": [[56, 76]], "Organization: restaurant chain": [[85, 101]]}, "info": {"id": "cyner2_5class_train_03544", "source": "cyner2_5class_train"}} +{"text": "Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems.", "spans": {"Malware: tools": [[72, 77]], "System: host-": [[125, 130]], "System: network-based detection systems.": [[135, 167]]}, "info": {"id": "cyner2_5class_train_03545", "source": "cyner2_5class_train"}} +{"text": "Unit 42 researchers recently observed an unusually clever spambot's attempts to increase delivery efficacy by abusing reputation blacklist service APIs. 
Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down.", "spans": {"Organization: Unit 42 researchers": [[0, 19]], "Indicator: spambot's attempts": [[58, 76]], "Vulnerability: abusing reputation blacklist service APIs.": [[110, 152]], "Indicator: spam": [[173, 177]], "System: host": [[193, 197]], "Malware: bot": [[215, 218]], "Indicator: e-mails": [[259, 266]]}, "info": {"id": "cyner2_5class_train_03546", "source": "cyner2_5class_train"}} +{"text": "Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East.", "spans": {"Organization: Kaspersky Lab": [[28, 41]], "Indicator: wiper attacks": [[65, 78]]}, "info": {"id": "cyner2_5class_train_03547", "source": "cyner2_5class_train"}} +{"text": "Lookout has shared information about this family with Apple , and they have revoked the affected certificates .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Apple": [[54, 59]]}, "info": {"id": "cyner2_5class_train_03548", "source": "cyner2_5class_train"}} +{"text": "No traces were left on affected systems apart from files from the exploit process if the target machine wasn't interesting to the Lurk operators.", "spans": {"Indicator: No traces": [[0, 9]], "System: affected systems": [[23, 39]], "Indicator: files": [[51, 56]], "Vulnerability: the exploit process": [[62, 81]], "System: machine": [[96, 103]]}, "info": {"id": "cyner2_5class_train_03549", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.Disfa.hfpj.FC.4367 Win32.Trojan.WisdomEyes.16070401.9500.9998 Exploit.Win32.Strictor.etpuwg Win32.Trojan.Fakedoc.Auto Trojan.Injector.Win32.565843 W32/Trojan.BKGU-8860 Trojan.Strictor.D1A871 Ransom.HiddenTear Trojan.Injector!WLrriQRdMeM Trj/GdSda.A Win32/Trojan.97a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.Disfa.hfpj.FC.4367": 
[[26, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[57, 99]], "Indicator: Exploit.Win32.Strictor.etpuwg": [[100, 129]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[130, 155]], "Indicator: Trojan.Injector.Win32.565843": [[156, 184]], "Indicator: W32/Trojan.BKGU-8860": [[185, 205]], "Indicator: Trojan.Strictor.D1A871": [[206, 228]], "Indicator: Ransom.HiddenTear": [[229, 246]], "Indicator: Trojan.Injector!WLrriQRdMeM": [[247, 274]], "Indicator: Trj/GdSda.A": [[275, 286]], "Indicator: Win32/Trojan.97a": [[287, 303]]}, "info": {"id": "cyner2_5class_train_03550", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.JS.Downloader.IDO Trojan.Downloader.JS.3612 Trojan.JS.Downloader.IDO Trojan.Malscript!html JS_BADRABBIT.A Trojan.JS.Downloader.IDO Js.Trojan.Js.Wrgf Trojan.JS.Downloader.IDO JS_BADRABBIT.A Trojan.FLCY-1 TrojanDownloader:JS/Tibbar.A Trojan.JS.Downloader.IDO Trojan.JS.Downloader.IDO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.JS.Downloader.IDO": [[26, 50], [77, 101], [139, 163], [182, 206], [265, 289], [290, 314]], "Indicator: Trojan.Downloader.JS.3612": [[51, 76]], "Indicator: Trojan.Malscript!html": [[102, 123]], "Indicator: JS_BADRABBIT.A": [[124, 138], [207, 221]], "Indicator: Js.Trojan.Js.Wrgf": [[164, 181]], "Indicator: Trojan.FLCY-1": [[222, 235]], "Indicator: TrojanDownloader:JS/Tibbar.A": [[236, 264]]}, "info": {"id": "cyner2_5class_train_03551", "source": "cyner2_5class_train"}} +{"text": "FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28.", "spans": {"Organization: FireEye": [[0, 7]], "Organization: hospitality sector": [[62, 80]]}, "info": {"id": "cyner2_5class_train_03552", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Adware.Virtumonde Win32/Adware.Virtumonde Trojan:Win32/Iceroe.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Adware.Virtumonde": [[26, 49], [50, 73]], 
"Indicator: Trojan:Win32/Iceroe.C": [[74, 95]]}, "info": {"id": "cyner2_5class_train_03553", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_JORIK_0000023.TOMA Trojan.Win32.Snojan.gi Trojan.Win32.Autoruner1.wcikr MULDROP.Trojan BehavesLike.Win32.Downloader.mz Trojan/Win32.FirstInj TrojanDownloader:Win32/Bleyr.A Trojan.Zusy.D8B2B Win-Trojan/Patched.25600.B BScope.Trojan.SvcHorse.01643 Win32/AntiAV.NIA Trojan.FirstInj!zbN/akDwH70 Trojan.Win32.Jorik W32/FirstInj.KAP!tr.bdr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: TROJ_JORIK_0000023.TOMA": [[69, 92]], "Indicator: Trojan.Win32.Snojan.gi": [[93, 115]], "Indicator: Trojan.Win32.Autoruner1.wcikr": [[116, 145]], "Indicator: MULDROP.Trojan": [[146, 160]], "Indicator: BehavesLike.Win32.Downloader.mz": [[161, 192]], "Indicator: Trojan/Win32.FirstInj": [[193, 214]], "Indicator: TrojanDownloader:Win32/Bleyr.A": [[215, 245]], "Indicator: Trojan.Zusy.D8B2B": [[246, 263]], "Indicator: Win-Trojan/Patched.25600.B": [[264, 290]], "Indicator: BScope.Trojan.SvcHorse.01643": [[291, 319]], "Indicator: Win32/AntiAV.NIA": [[320, 336]], "Indicator: Trojan.FirstInj!zbN/akDwH70": [[337, 364]], "Indicator: Trojan.Win32.Jorik": [[365, 383]], "Indicator: W32/FirstInj.KAP!tr.bdr": [[384, 407]], "Indicator: Trj/CI.A": [[408, 416]]}, "info": {"id": "cyner2_5class_train_03554", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MSIL.Trojan.Kryptik.k W32/Trojan.IINR-0738 BehavesLike.Win32.Trojan.vc Trojan:Win32/Gielclas.A!gfc Trj/CI.A Trojan.Injector!QI3sWN009L0 Trojan.MSIL.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MSIL.Trojan.Kryptik.k": [[26, 47]], "Indicator: W32/Trojan.IINR-0738": [[48, 68]], "Indicator: BehavesLike.Win32.Trojan.vc": [[69, 96]], "Indicator: Trojan:Win32/Gielclas.A!gfc": [[97, 124]], "Indicator: Trj/CI.A": [[125, 133]], 
"Indicator: Trojan.Injector!QI3sWN009L0": [[134, 161]], "Indicator: Trojan.MSIL.Injector": [[162, 182]]}, "info": {"id": "cyner2_5class_train_03555", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Trojan.Win32.BQHK0411.dfyyqz Uds.Dangerousobject.Multi!c Win32.Trojan.Strictor.Wvar Trojan.Strictor.DCD3E SpamTool.Skype! MSIL/SpamTool_Skype.L!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Trojan.Win32.BQHK0411.dfyyqz": [[39, 67]], "Indicator: Uds.Dangerousobject.Multi!c": [[68, 95]], "Indicator: Win32.Trojan.Strictor.Wvar": [[96, 122]], "Indicator: Trojan.Strictor.DCD3E": [[123, 144]], "Indicator: SpamTool.Skype!": [[145, 160]], "Indicator: MSIL/SpamTool_Skype.L!tr": [[161, 185]]}, "info": {"id": "cyner2_5class_train_03556", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Email-Worm.Win32!O Happy99.Worm W32/Ska.exe.worm Win32.Trojan.WisdomEyes.16070401.9500.9919 Happy99.Worm Win32/Happy99.10000!Dropper Win.Trojan.Happy99-2 Email-Worm.Win32.Happy Win95.Spanska.10000 TR/Happy.69 Trojan.Heur.E705EC Email-Worm.Win32.Happy Worm:Win32/Ska.A@m Win32.Worm-email.Happy.Wrqu Win32.Ska.A Email-Worm.Win32.Happy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Email-Worm.Win32!O": [[26, 44]], "Indicator: Happy99.Worm": [[45, 57], [118, 130]], "Indicator: W32/Ska.exe.worm": [[58, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9919": [[75, 117]], "Indicator: Win32/Happy99.10000!Dropper": [[131, 158]], "Indicator: Win.Trojan.Happy99-2": [[159, 179]], "Indicator: Email-Worm.Win32.Happy": [[180, 202], [254, 276], [336, 358]], "Indicator: Win95.Spanska.10000": [[203, 222]], "Indicator: TR/Happy.69": [[223, 234]], "Indicator: Trojan.Heur.E705EC": [[235, 253]], "Indicator: Worm:Win32/Ska.A@m": [[277, 295]], "Indicator: Win32.Worm-email.Happy.Wrqu": [[296, 323]], "Indicator: Win32.Ska.A": [[324, 335]]}, "info": {"id": "cyner2_5class_train_03557", "source": 
"cyner2_5class_train"}} +{"text": "However , the keylogger needs to be specifically enabled by a command sent from the C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_03558", "source": "cyner2_5class_train"}} +{"text": "An interesting feature of this family of banking Trojans is the simultaneous use of three command sources : Google Cloud Messaging ( GCM ) service – used to send small messages in JSON format to a mobile device via Google servers ; malicious C & C server ; incoming SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_03559", "source": "cyner2_5class_train"}} +{"text": "The app then clicks the appropriate buttons , scrollbars , and other UI elements to go through account sign-up without user intervention .", "spans": {}, "info": {"id": "cyner2_5class_train_03560", "source": "cyner2_5class_train"}} +{"text": "] website updatemobapp [ .", "spans": {"Indicator: updatemobapp [ .": [[10, 26]]}, "info": {"id": "cyner2_5class_train_03561", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Nabony.AP3 Worm.AutoRun Trojan.Heur.PT.EEF50D Win32.Trojan.WisdomEyes.16070401.9500.9996 W32.SillyFDC Win32/Xema.H TSPY_AUTORUN_BJ022DBF.TOMC Win.Worm.Autorun-8605 Trojan.Win32.MLW.rupxe Win32.Worm.Autorun.Akyt Worm.Win32.Nabony.A TSPY_AUTORUN_BJ022DBF.TOMC BehavesLike.Win32.Dropper.cz WORM/Autorun.YD Worm:Win32/Nabony.A Trojan.Win32.A.Scar.1183299 Trojan/Win32.HDC.C12022 Hoax.Blocker W32/AutoRun.YD!tr Win32/Worm.0fe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Nabony.AP3": [[26, 41]], "Indicator: Worm.AutoRun": [[42, 54]], "Indicator: Trojan.Heur.PT.EEF50D": [[55, 76]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[77, 119]], "Indicator: W32.SillyFDC": [[120, 132]], "Indicator: Win32/Xema.H": [[133, 145]], "Indicator: TSPY_AUTORUN_BJ022DBF.TOMC": [[146, 172], [262, 288]], "Indicator: Win.Worm.Autorun-8605": [[173, 194]], "Indicator: Trojan.Win32.MLW.rupxe": [[195, 217]], "Indicator: 
Win32.Worm.Autorun.Akyt": [[218, 241]], "Indicator: Worm.Win32.Nabony.A": [[242, 261]], "Indicator: BehavesLike.Win32.Dropper.cz": [[289, 317]], "Indicator: WORM/Autorun.YD": [[318, 333]], "Indicator: Worm:Win32/Nabony.A": [[334, 353]], "Indicator: Trojan.Win32.A.Scar.1183299": [[354, 381]], "Indicator: Trojan/Win32.HDC.C12022": [[382, 405]], "Indicator: Hoax.Blocker": [[406, 418]], "Indicator: W32/AutoRun.YD!tr": [[419, 436]], "Indicator: Win32/Worm.0fe": [[437, 451]]}, "info": {"id": "cyner2_5class_train_03562", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9988 MSIL/Filecoder.FF Ransom_Vortex.R004C0DKT17 Trojan.Win32.Filecoder.evqvnb Ransom_Vortex.R004C0DKT17 BehavesLike.Win32.Trojan.nc W32/Trojan.METU-7441 TrojanSpy.MSIL.nar TR/Dropper.MSIL.bpldq MSIL/Filecoder.FF!tr Ransom:MSIL/Vortex.A Trojan/Win32.Ransomlock.C2275506 Trojan.Ransom.Vortex Ransom.Vortex Trojan-Ransom.FileCoder Trj/GdSda.A Win32/Trojan.Dropper.62b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[38, 80]], "Indicator: MSIL/Filecoder.FF": [[81, 98]], "Indicator: Ransom_Vortex.R004C0DKT17": [[99, 124], [155, 180]], "Indicator: Trojan.Win32.Filecoder.evqvnb": [[125, 154]], "Indicator: BehavesLike.Win32.Trojan.nc": [[181, 208]], "Indicator: W32/Trojan.METU-7441": [[209, 229]], "Indicator: TrojanSpy.MSIL.nar": [[230, 248]], "Indicator: TR/Dropper.MSIL.bpldq": [[249, 270]], "Indicator: MSIL/Filecoder.FF!tr": [[271, 291]], "Indicator: Ransom:MSIL/Vortex.A": [[292, 312]], "Indicator: Trojan/Win32.Ransomlock.C2275506": [[313, 345]], "Indicator: Trojan.Ransom.Vortex": [[346, 366]], "Indicator: Ransom.Vortex": [[367, 380]], "Indicator: Trojan-Ransom.FileCoder": [[381, 404]], "Indicator: Trj/GdSda.A": [[405, 416]], "Indicator: Win32/Trojan.Dropper.62b": [[417, 441]]}, "info": {"id": "cyner2_5class_train_03563", "source": 
"cyner2_5class_train"}} +{"text": "In the era of APT's, it feels like something is amiss when there is a forum of governments and no malware arises.", "spans": {"Organization: governments": [[79, 90]], "Malware: malware": [[98, 105]]}, "info": {"id": "cyner2_5class_train_03564", "source": "cyner2_5class_train"}} +{"text": "At the time of writing , the dropper supports aepic.dll , sspisrv.dll , ftllib.dll , and userenv.dll to host the malicious FinFisher payload .", "spans": {"Indicator: aepic.dll": [[46, 55]], "Indicator: sspisrv.dll": [[58, 69]], "Indicator: ftllib.dll": [[72, 82]], "Indicator: userenv.dll": [[89, 100]], "Malware: FinFisher": [[123, 132]]}, "info": {"id": "cyner2_5class_train_03565", "source": "cyner2_5class_train"}} +{"text": "Ursnif is a data stealer and a downloader with a lot of abilities to steal data from installed browsers and other applications such as Microsoft Outlook.", "spans": {"Malware: Ursnif": [[0, 6]], "Malware: data stealer": [[12, 24]], "Malware: downloader": [[31, 41]], "Indicator: steal data": [[69, 79]], "Vulnerability: installed browsers": [[85, 103]], "System: Microsoft Outlook.": [[135, 153]]}, "info": {"id": "cyner2_5class_train_03566", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Trah Trojan[PSW]/Win32.Trah PWS:Win32/Trah.B PUA.DealPly.Da", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Trah": [[26, 40]], "Indicator: Trojan[PSW]/Win32.Trah": [[41, 63]], "Indicator: PWS:Win32/Trah.B": [[64, 80]], "Indicator: PUA.DealPly.Da": [[81, 95]]}, "info": {"id": "cyner2_5class_train_03567", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Chepdu.R Troj.W32.BHO.liE5 Win32.Trojan.WisdomEyes.16070401.9500.9828 TrojWare.Win32.BHO.SC Win32.HLLW.Lime.2312 BehavesLike.Win32.BadFile.dm Trojan-Downloader.Win32.Banload TR/Chepdu.IA Trojan.Graftor.D1A2F Trojan:Win32/Comquab.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Chepdu.R": [[26, 41]], 
"Indicator: Troj.W32.BHO.liE5": [[42, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9828": [[60, 102]], "Indicator: TrojWare.Win32.BHO.SC": [[103, 124]], "Indicator: Win32.HLLW.Lime.2312": [[125, 145]], "Indicator: BehavesLike.Win32.BadFile.dm": [[146, 174]], "Indicator: Trojan-Downloader.Win32.Banload": [[175, 206]], "Indicator: TR/Chepdu.IA": [[207, 219]], "Indicator: Trojan.Graftor.D1A2F": [[220, 240]], "Indicator: Trojan:Win32/Comquab.B": [[241, 263]]}, "info": {"id": "cyner2_5class_train_03568", "source": "cyner2_5class_train"}} +{"text": "It was only a matter of time, however, for other cybercriminals to follow suit.", "spans": {}, "info": {"id": "cyner2_5class_train_03569", "source": "cyner2_5class_train"}} +{"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server .", "spans": {"Indicator: HTTP": [[107, 111]]}, "info": {"id": "cyner2_5class_train_03570", "source": "cyner2_5class_train"}} +{"text": "It seems , however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration .", "spans": {}, "info": {"id": "cyner2_5class_train_03571", "source": "cyner2_5class_train"}} +{"text": "In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.", "spans": {"Malware: threat": [[49, 55]], "System: system": [[67, 73]], "Indicator: constantly communicating": [[107, 131]], "Indicator: command and control server.": [[141, 168]]}, "info": {"id": "cyner2_5class_train_03572", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.DoS.119296 DoS.Win32.Nenet Trojan.Win32.Nenet.dinmxr Backdoor.W32.Singu.lhbk FDOS.Nenet.32768 Tool.Win32.69ACF863 Backdoor.Win32.Rbot DDOS/Nenet.A DoS.Win32.Nenet DoS.Nenet DoS/Nenet.B Win32/Virus.DDoS.672", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Trojan/W32.DoS.119296": [[26, 47]], "Indicator: DoS.Win32.Nenet": [[48, 63], [184, 199]], "Indicator: Trojan.Win32.Nenet.dinmxr": [[64, 89]], "Indicator: Backdoor.W32.Singu.lhbk": [[90, 113]], "Indicator: FDOS.Nenet.32768": [[114, 130]], "Indicator: Tool.Win32.69ACF863": [[131, 150]], "Indicator: Backdoor.Win32.Rbot": [[151, 170]], "Indicator: DDOS/Nenet.A": [[171, 183]], "Indicator: DoS.Nenet": [[200, 209]], "Indicator: DoS/Nenet.B": [[210, 221]], "Indicator: Win32/Virus.DDoS.672": [[222, 242]]}, "info": {"id": "cyner2_5class_train_03573", "source": "cyner2_5class_train"}} +{"text": "That 's because the malware roots most of the phones it infects , a process that subverts key security mechanisms built into Android .", "spans": {"System: Android": [[125, 132]]}, "info": {"id": "cyner2_5class_train_03574", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Icbot.FC.848 Troj.Spy.Msil.Keylogger!c Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan-Spy.MSIL.Keylogger.cfle Trojan.Win32.IRCBot.efyfpt TrojWare.MSIL.IRCBOT.B Trojan.MSIL.IRCBot TrojanSpy.MSIL.usk MSIL/IRCBot.BK!tr Trojan[Spy]/MSIL.IrcGhost Trojan.Razy.DFC68 Trojan.Win32.Z.Ircbot.77312.A Trojan-Spy.MSIL.Keylogger.cfle Trojan:MSIL/Icbot.A!bit Msil.Trojan-spy.Keylogger.Hssn TrojanSpy.Keylogger!yn+qYVv4uIw Trj/GdSda.A Win32/Trojan.Spy.00e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Icbot.FC.848": [[26, 45]], "Indicator: Troj.Spy.Msil.Keylogger!c": [[46, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[72, 114]], "Indicator: Trojan-Spy.MSIL.Keylogger.cfle": [[115, 145], [326, 356]], "Indicator: Trojan.Win32.IRCBot.efyfpt": [[146, 172]], "Indicator: TrojWare.MSIL.IRCBOT.B": [[173, 195]], "Indicator: Trojan.MSIL.IRCBot": [[196, 214]], "Indicator: TrojanSpy.MSIL.usk": [[215, 233]], "Indicator: MSIL/IRCBot.BK!tr": [[234, 251]], "Indicator: Trojan[Spy]/MSIL.IrcGhost": [[252, 277]], "Indicator: Trojan.Razy.DFC68": [[278, 295]], "Indicator: 
Trojan.Win32.Z.Ircbot.77312.A": [[296, 325]], "Indicator: Trojan:MSIL/Icbot.A!bit": [[357, 380]], "Indicator: Msil.Trojan-spy.Keylogger.Hssn": [[381, 411]], "Indicator: TrojanSpy.Keylogger!yn+qYVv4uIw": [[412, 443]], "Indicator: Trj/GdSda.A": [[444, 455]], "Indicator: Win32/Trojan.Spy.00e": [[456, 476]]}, "info": {"id": "cyner2_5class_train_03575", "source": "cyner2_5class_train"}} +{"text": "Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4.", "spans": {"Malware: CryptoWall 4.": [[166, 179]]}, "info": {"id": "cyner2_5class_train_03576", "source": "cyner2_5class_train"}} +{"text": "In its most recent campaign, Tick employed spear-phishing emails and compromised a number of Japanese websites in order to infect a new wave of victims.", "spans": {"Indicator: compromised": [[69, 80]], "Indicator: Japanese websites": [[93, 110]]}, "info": {"id": "cyner2_5class_train_03577", "source": "cyner2_5class_train"}} +{"text": "The overlay window is often indistinguishable from the expected screen ( such as a login screen for a banking app ) and is used to steal the victim ’ s banking credentials .", "spans": {}, "info": {"id": "cyner2_5class_train_03578", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner2_5class_train_03579", "source": "cyner2_5class_train"}} +{"text": "We named the attack BITTER based on the network communication header used by the latest variant of remote access tool RAT used.", "spans": {"Indicator: attack BITTER": [[13, 26]], "Indicator: network communication": [[40, 61]], "Malware: variant": [[88, 95]], "Malware: remote access tool RAT": [[99, 121]]}, "info": {"id": "cyner2_5class_train_03580", "source": "cyner2_5class_train"}} +{"text": "'' This is a trojan with many built-in capabilities .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03581", "source": "cyner2_5class_train"}} +{"text": "Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.", "spans": {"System: compromised systems": [[12, 31]], "Malware: Bookworm": [[56, 64]], "Indicator: C2 servers": [[65, 75]]}, "info": {"id": "cyner2_5class_train_03582", "source": "cyner2_5class_train"}} +{"text": "The life span of Android banking malware is limited to either the will of its author ( s ) to support it or the arrest of those actors .", "spans": {"System: Android": [[17, 24]]}, "info": {"id": "cyner2_5class_train_03583", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Mimikatz Win32.Trojan.WisdomEyes.16070401.9500.9886 Trojan.Win32.Mimikatz.eoptjl Troj.Psw.W32.Mimikatz!c BehavesLike.Win32.PUPXAB.jh W32/Application.SMPV-5402 Trojan.PSW.Mimikatz.sw Trojan[PSW]/Win32.Mimikatz Application.Mimikatz.2 HackTool:Win32/WDigest.A Trj/GdSda.A Win32.Trojan-qqpass.Qqrob.Eaxn hacktool.mimikatz Win32/Application.IM.f6f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Mimikatz": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9886": [[45, 87]], "Indicator: Trojan.Win32.Mimikatz.eoptjl": [[88, 116]], "Indicator: Troj.Psw.W32.Mimikatz!c": [[117, 140]], "Indicator: BehavesLike.Win32.PUPXAB.jh": [[141, 168]], "Indicator: W32/Application.SMPV-5402": [[169, 194]], "Indicator: Trojan.PSW.Mimikatz.sw": [[195, 217]], "Indicator: Trojan[PSW]/Win32.Mimikatz": [[218, 244]], "Indicator: Application.Mimikatz.2": [[245, 267]], "Indicator: HackTool:Win32/WDigest.A": [[268, 292]], "Indicator: Trj/GdSda.A": [[293, 304]], "Indicator: Win32.Trojan-qqpass.Qqrob.Eaxn": [[305, 335]], "Indicator: hacktool.mimikatz": [[336, 353]], "Indicator: Win32/Application.IM.f6f": [[354, 378]]}, "info": {"id": "cyner2_5class_train_03584", "source": "cyner2_5class_train"}} +{"text": "The newer 
version of FakeSpy uses new URL addresses for malicious communication with FakeSpy .", "spans": {"Malware: FakeSpy": [[21, 28], [85, 92]]}, "info": {"id": "cyner2_5class_train_03585", "source": "cyner2_5class_train"}} +{"text": "Dynamic code loading makes it impossible to state what kind of PHA it was .", "spans": {}, "info": {"id": "cyner2_5class_train_03586", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Banker.Win32.BestaFera.annq Trojan.Win32.Demp.bozwca BehavesLike.Win32.Injector.th TR/Avgesi.B.1 Trojan:Win32/Avgesi.B Trojan-Banker.Win32.BestaFera.annq Win32.Trojan-dropper.Demp.Lnxz Trojan-Downloader.Win32.Pher W32/Demp.PJN!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Banker.Win32.BestaFera.annq": [[26, 60], [152, 186]], "Indicator: Trojan.Win32.Demp.bozwca": [[61, 85]], "Indicator: BehavesLike.Win32.Injector.th": [[86, 115]], "Indicator: TR/Avgesi.B.1": [[116, 129]], "Indicator: Trojan:Win32/Avgesi.B": [[130, 151]], "Indicator: Win32.Trojan-dropper.Demp.Lnxz": [[187, 217]], "Indicator: Trojan-Downloader.Win32.Pher": [[218, 246]], "Indicator: W32/Demp.PJN!tr": [[247, 262]]}, "info": {"id": "cyner2_5class_train_03587", "source": "cyner2_5class_train"}} +{"text": "While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry.", "spans": {"Indicator: malware attack": [[10, 24]], "Organization: manufacturing industry.": [[113, 136]]}, "info": {"id": "cyner2_5class_train_03588", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.C0FB Trojan.Dovs TSPY_EMOTET.AUSYYON Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Emotet TSPY_EMOTET.AUSYYON Win.Trojan.Emotet-6410462-0 Win32.Trojan-Spy.Emotet.IT Trojan.Win32.Dovs.esh Trojan.Win32.Dovs.ewnrtt Troj.W32.Dovs!c BehavesLike.Win32.PWSZbot.cc W32.Trojan.Emotet TR/Crypt.ZPACK.sbdbq Trojan/Win32.Dovs Trojan.Win32.Dovs.esh Trojan/Win32.Emotet.R216875 Trojan.Emotet 
Trj/RnkBend.A Win32.Trojan.Dovs.Szuw Trojan.Win32.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.C0FB": [[26, 42]], "Indicator: Trojan.Dovs": [[43, 54]], "Indicator: TSPY_EMOTET.AUSYYON": [[55, 74], [132, 151]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: Trojan.Emotet": [[118, 131], [406, 419]], "Indicator: Win.Trojan.Emotet-6410462-0": [[152, 179]], "Indicator: Win32.Trojan-Spy.Emotet.IT": [[180, 206]], "Indicator: Trojan.Win32.Dovs.esh": [[207, 228], [356, 377]], "Indicator: Trojan.Win32.Dovs.ewnrtt": [[229, 253]], "Indicator: Troj.W32.Dovs!c": [[254, 269]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[270, 298]], "Indicator: W32.Trojan.Emotet": [[299, 316]], "Indicator: TR/Crypt.ZPACK.sbdbq": [[317, 337]], "Indicator: Trojan/Win32.Dovs": [[338, 355]], "Indicator: Trojan/Win32.Emotet.R216875": [[378, 405]], "Indicator: Trj/RnkBend.A": [[420, 433]], "Indicator: Win32.Trojan.Dovs.Szuw": [[434, 456]], "Indicator: Trojan.Win32.Crypt": [[457, 475]]}, "info": {"id": "cyner2_5class_train_03589", "source": "cyner2_5class_train"}} +{"text": "] 87:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner2_5class_train_03590", "source": "cyner2_5class_train"}} +{"text": "Today, we are looking at an exploit kit that we have not seen before.", "spans": {"Malware: exploit kit": [[28, 39]]}, "info": {"id": "cyner2_5class_train_03591", "source": "cyner2_5class_train"}} +{"text": "This vulnerability is mostly known as SambaCry after the famous WannaCry attack targeting Windows systems vulnerable to EternalBlue SMB exploit.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Malware: SambaCry": [[38, 46]], "Malware: WannaCry": [[64, 72]], "System: Windows systems": [[90, 105]], "Vulnerability: vulnerable": [[106, 116]], "Malware: EternalBlue SMB exploit.": [[120, 144]]}, "info": {"id": "cyner2_5class_train_03592", "source": "cyner2_5class_train"}} +{"text": "Families like Poweliks, which 
abuse Microsoft's PowerShell, have emerged in recent years and have garnered extensive attention due to their ability to compromise a system while leaving little or no trace of their presence to traditional forensic techniques.", "spans": {"Malware: Families": [[0, 8]], "Malware: Poweliks,": [[14, 23]], "Vulnerability: abuse Microsoft's PowerShell,": [[30, 59]], "Vulnerability: compromise": [[151, 161]], "System: system": [[164, 170]], "Indicator: little or no trace of their presence": [[185, 221]], "Indicator: traditional forensic techniques.": [[225, 257]]}, "info": {"id": "cyner2_5class_train_03593", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VBS.Shutdown TrojanDownloader:Win32/Tembatch.A Trojan.Jacard.D636D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBS.Shutdown": [[26, 45]], "Indicator: TrojanDownloader:Win32/Tembatch.A": [[46, 79]], "Indicator: Trojan.Jacard.D636D": [[80, 99]]}, "info": {"id": "cyner2_5class_train_03594", "source": "cyner2_5class_train"}} +{"text": "The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.", "spans": {"System: actor-controlled infrastructure,": [[45, 77]], "Malware: payloads,": [[105, 114]]}, "info": {"id": "cyner2_5class_train_03595", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58729 [ .": [[21, 63]]}, "info": {"id": "cyner2_5class_train_03596", "source": "cyner2_5class_train"}} +{"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background .", "spans": {"Malware: XLoader": [[67, 74]]}, "info": {"id": "cyner2_5class_train_03597", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Proxy.Small.E Trojan-Proxy/W32.Small.4096.C TrojanProxy.Small 
Trojan/Proxy.Small.e Win32.Trojan.WisdomEyes.16070401.9500.9933 Win32/Slarp.B BKDR_SALAR.A Win.Trojan.Proxy-3663 Trojan.Proxy.Small.E Trojan-Proxy.Win32.Small.e Trojan.Proxy.Small.E Trojan.Win32.Small.dosc Troj.Proxy.W32.Small.e!c Win32.Trojan-proxy.Small.Ozsg Trojan.Proxy.Small.E Trojan.Proxy.Small.E Trojan.Proxy.1698 Trojan.Small.Win32.2849 BKDR_SALAR.A W32/Risk.RVLO-8598 TrojanProxy.Small.aeu Win32.Troj.Small.e.kcloud Trojan.Proxy.Small.E Trojan-Proxy.Win32.Small.e TrojanProxy:Win32/Small.E Trojan.Proxy.Small.E BScope.Trojan.Jackz.a Win32/TrojanProxy.Small.NEQ Trojan.PR.Small!jIc3Mh2dhO0 W32/Bdoor.A!tr.bdr Bck/Salar.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.Proxy.Small.E": [[48, 68], [230, 250], [278, 298], [378, 398], [399, 419], [542, 562], [616, 636]], "Indicator: Trojan-Proxy/W32.Small.4096.C": [[69, 98]], "Indicator: TrojanProxy.Small": [[99, 116]], "Indicator: Trojan/Proxy.Small.e": [[117, 137]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9933": [[138, 180]], "Indicator: Win32/Slarp.B": [[181, 194]], "Indicator: BKDR_SALAR.A": [[195, 207], [462, 474]], "Indicator: Win.Trojan.Proxy-3663": [[208, 229]], "Indicator: Trojan-Proxy.Win32.Small.e": [[251, 277], [563, 589]], "Indicator: Trojan.Win32.Small.dosc": [[299, 322]], "Indicator: Troj.Proxy.W32.Small.e!c": [[323, 347]], "Indicator: Win32.Trojan-proxy.Small.Ozsg": [[348, 377]], "Indicator: Trojan.Proxy.1698": [[420, 437]], "Indicator: Trojan.Small.Win32.2849": [[438, 461]], "Indicator: W32/Risk.RVLO-8598": [[475, 493]], "Indicator: TrojanProxy.Small.aeu": [[494, 515]], "Indicator: Win32.Troj.Small.e.kcloud": [[516, 541]], "Indicator: TrojanProxy:Win32/Small.E": [[590, 615]], "Indicator: BScope.Trojan.Jackz.a": [[637, 658]], "Indicator: Win32/TrojanProxy.Small.NEQ": [[659, 686]], "Indicator: Trojan.PR.Small!jIc3Mh2dhO0": [[687, 714]], "Indicator: W32/Bdoor.A!tr.bdr": [[715, 733]], "Indicator: Bck/Salar.A": [[734, 745]]}, "info": 
{"id": "cyner2_5class_train_03598", "source": "cyner2_5class_train"}} +{"text": "The longer a Trojan “ lives ” on a smartphone , the more money it will make for the owner .", "spans": {}, "info": {"id": "cyner2_5class_train_03599", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M/Downloader.cew Trojan.Phisherly TROJ_PHISHERLY.ZQEJ-A TROJ_PHISHERLY.ZQEJ-A W97M/Downloader.cew ZIP/Trojan.YBQC-0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M/Downloader.cew": [[26, 45], [107, 126]], "Indicator: Trojan.Phisherly": [[46, 62]], "Indicator: TROJ_PHISHERLY.ZQEJ-A": [[63, 84], [85, 106]], "Indicator: ZIP/Trojan.YBQC-0": [[127, 144]]}, "info": {"id": "cyner2_5class_train_03600", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DumtoxXAX.Trojan Worm.Win32.VB!O Trojan.Comisproc.AZ3 Trojan.VB.Win32.56251 Trojan/VB.peu Trojan.Heur.EE2DE0 WORM_VOBFUS.NER Win32.Trojan.VB.je WORM_VOBFUS.NER Worm.Win32.VB.fer Trojan.Win32.VB.epyowu BehavesLike.Win32.VBObfus.cz Worm.Win32.VB Worm/VB.pcc Worm/Win32.VB.fer Worm.Win32.A.VB.176128.AR Worm.Win32.VB.fer Worm/Win32.AutoRun.R49416 W32/Autorun.worm.aacy TScope.Trojan.VB Win32/VB.PEU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DumtoxXAX.Trojan": [[26, 46]], "Indicator: Worm.Win32.VB!O": [[47, 62]], "Indicator: Trojan.Comisproc.AZ3": [[63, 83]], "Indicator: Trojan.VB.Win32.56251": [[84, 105]], "Indicator: Trojan/VB.peu": [[106, 119]], "Indicator: Trojan.Heur.EE2DE0": [[120, 138]], "Indicator: WORM_VOBFUS.NER": [[139, 154], [174, 189]], "Indicator: Win32.Trojan.VB.je": [[155, 173]], "Indicator: Worm.Win32.VB.fer": [[190, 207], [330, 347]], "Indicator: Trojan.Win32.VB.epyowu": [[208, 230]], "Indicator: BehavesLike.Win32.VBObfus.cz": [[231, 259]], "Indicator: Worm.Win32.VB": [[260, 273]], "Indicator: Worm/VB.pcc": [[274, 285]], "Indicator: Worm/Win32.VB.fer": [[286, 303]], "Indicator: Worm.Win32.A.VB.176128.AR": [[304, 329]], "Indicator: Worm/Win32.AutoRun.R49416": 
[[348, 373]], "Indicator: W32/Autorun.worm.aacy": [[374, 395]], "Indicator: TScope.Trojan.VB": [[396, 412]], "Indicator: Win32/VB.PEU": [[413, 425]]}, "info": {"id": "cyner2_5class_train_03601", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Racvacs.AA2 Trojan.Cosmu.Win32.3454 Trojan/Scar.atyl Win32.Trojan.IRCBot.b Win32/IRCBot.JZK TROJ_PAM_000001074B.T3 Trojan.Win32.MLW.stwkl Troj.W32.Cosmu.ldLk Worm.Win32.Autorun.lbe Win32.HLLW.Autoruner1.11201 BehavesLike.Win32.Downloader.lm Trojan/Scar.bqi Worm:Win32/Ircbot.D Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Worm:Win32/IRCbot.D Worm/Win32.AutoRun.R2912 W32/Autorun.worm.bbx BScope.Trojan-Spy.Zbot Trojan.Win32.Cosmu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Racvacs.AA2": [[26, 42]], "Indicator: Trojan.Cosmu.Win32.3454": [[43, 66]], "Indicator: Trojan/Scar.atyl": [[67, 83]], "Indicator: Win32.Trojan.IRCBot.b": [[84, 105]], "Indicator: Win32/IRCBot.JZK": [[106, 122]], "Indicator: TROJ_PAM_000001074B.T3": [[123, 145]], "Indicator: Trojan.Win32.MLW.stwkl": [[146, 168]], "Indicator: Troj.W32.Cosmu.ldLk": [[169, 188]], "Indicator: Worm.Win32.Autorun.lbe": [[189, 211]], "Indicator: Win32.HLLW.Autoruner1.11201": [[212, 239]], "Indicator: BehavesLike.Win32.Downloader.lm": [[240, 271]], "Indicator: Trojan/Scar.bqi": [[272, 287]], "Indicator: Worm:Win32/Ircbot.D": [[288, 307]], "Indicator: Trojan/Win32.Unknown": [[308, 328]], "Indicator: Win32.Troj.Undef.kcloud": [[329, 352]], "Indicator: Worm:Win32/IRCbot.D": [[353, 372]], "Indicator: Worm/Win32.AutoRun.R2912": [[373, 397]], "Indicator: W32/Autorun.worm.bbx": [[398, 418]], "Indicator: BScope.Trojan-Spy.Zbot": [[419, 441]], "Indicator: Trojan.Win32.Cosmu": [[442, 460]]}, "info": {"id": "cyner2_5class_train_03602", "source": "cyner2_5class_train"}} +{"text": "All of its capabilities are discussed later in this blog .", "spans": {}, "info": {"id": "cyner2_5class_train_03603", "source": "cyner2_5class_train"}} +{"text": "If the 
targeted device is not vulnerable to these exploits , then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges .", "spans": {"Indicator: /system/csk": [[127, 138]]}, "info": {"id": "cyner2_5class_train_03604", "source": "cyner2_5class_train"}} +{"text": "One of the uses the malware gives to this package is the execution of the command \" dumpsys '' to determine if certain activities are running .", "spans": {}, "info": {"id": "cyner2_5class_train_03605", "source": "cyner2_5class_train"}} +{"text": "Of course , not all the opcodes are can be easily read and understood due to additional steps that the authors have taken to make analysis extremely complicated .", "spans": {}, "info": {"id": "cyner2_5class_train_03606", "source": "cyner2_5class_train"}} +{"text": "The owners of Trojans such as Leech, Ztorg, Gorpo as well as the new malware family Trojan.AndroidOS.Iop are working together.", "spans": {"Malware: Trojans": [[14, 21]], "Malware: Leech, Ztorg, Gorpo": [[30, 49]], "Malware: malware family Trojan.AndroidOS.Iop": [[69, 104]]}, "info": {"id": "cyner2_5class_train_03607", "source": "cyner2_5class_train"}} +{"text": "However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices.", "spans": {"Malware: IoT bot": [[76, 83]], "System: Windows devices.": [[109, 125]]}, "info": {"id": "cyner2_5class_train_03608", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Nadostarch Trojan:Win32/Nadostarch.A Trojan.Win32.Nadostarch", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nadostarch": [[26, 43]], "Indicator: Trojan:Win32/Nadostarch.A": [[44, 69]], "Indicator: Trojan.Win32.Nadostarch": [[70, 93]]}, "info": {"id": "cyner2_5class_train_03609", "source": "cyner2_5class_train"}} +{"text": "EventBot mobile banking applications targetedApplications targeted by EventBot .", "spans": {"Malware: EventBot": [[0, 8], [70, 78]]}, "info": 
{"id": "cyner2_5class_train_03610", "source": "cyner2_5class_train"}} +{"text": "The “ onUserLeaveHint ( ) ” callback method of the Android Activity ( i.e. , the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key .", "spans": {"System: Android Activity": [[51, 67]]}, "info": {"id": "cyner2_5class_train_03611", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.HLLW.Autoruner.6669 Worm:Win32/Mofeir.P", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.HLLW.Autoruner.6669": [[26, 51]], "Indicator: Worm:Win32/Mofeir.P": [[52, 71]]}, "info": {"id": "cyner2_5class_train_03612", "source": "cyner2_5class_train"}} +{"text": "It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page .", "spans": {"Malware: FakeSpy": [[115, 122]]}, "info": {"id": "cyner2_5class_train_03613", "source": "cyner2_5class_train"}} +{"text": "To make the fake report appear even more scary, the malware displays your IP address and a picture of you.", "spans": {"Indicator: fake report appear": [[12, 30]], "Malware: malware": [[52, 59]], "Indicator: IP address": [[74, 84]], "Indicator: picture of you.": [[91, 106]]}, "info": {"id": "cyner2_5class_train_03614", "source": "cyner2_5class_train"}} +{"text": "You can also try to re-flash your device with its original ROM .", "spans": {}, "info": {"id": "cyner2_5class_train_03615", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Email-Worm.Zhelatin.pk W32/Zhelatin.pk Trojan.Win32.Zhelatin.mqtc Trojan.Peacomm Tibs.BFZS Win32/Sintun.AV TROJ_NUWAR.UP Trojan.Zhelatin Email-Worm.Win32.Zhelatin.pk I-Worm.Win32.Zhelatin.142336 EmailWorm.Win32.Zhelatin.pk0 Trojan.Spambot.2386 TROJ_NUWAR.UP Worm.Zhelatin.pk.kcloud Backdoor:Win32/Nuwar.A Worm/Win32.Zhelatin 
BScope.Zhelatin.con Trojan.Peacomm!rem Virus.Win32.Zhelatin W32/Tibs.G@mm I-Worm/Nuwar.N Trj/Spammer.AFG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Email-Worm.Zhelatin.pk": [[26, 54]], "Indicator: W32/Zhelatin.pk": [[55, 70]], "Indicator: Trojan.Win32.Zhelatin.mqtc": [[71, 97]], "Indicator: Trojan.Peacomm": [[98, 112]], "Indicator: Tibs.BFZS": [[113, 122]], "Indicator: Win32/Sintun.AV": [[123, 138]], "Indicator: TROJ_NUWAR.UP": [[139, 152], [276, 289]], "Indicator: Trojan.Zhelatin": [[153, 168]], "Indicator: Email-Worm.Win32.Zhelatin.pk": [[169, 197]], "Indicator: I-Worm.Win32.Zhelatin.142336": [[198, 226]], "Indicator: EmailWorm.Win32.Zhelatin.pk0": [[227, 255]], "Indicator: Trojan.Spambot.2386": [[256, 275]], "Indicator: Worm.Zhelatin.pk.kcloud": [[290, 313]], "Indicator: Backdoor:Win32/Nuwar.A": [[314, 336]], "Indicator: Worm/Win32.Zhelatin": [[337, 356]], "Indicator: BScope.Zhelatin.con": [[357, 376]], "Indicator: Trojan.Peacomm!rem": [[377, 395]], "Indicator: Virus.Win32.Zhelatin": [[396, 416]], "Indicator: W32/Tibs.G@mm": [[417, 430]], "Indicator: I-Worm/Nuwar.N": [[431, 445]], "Indicator: Trj/Spammer.AFG": [[446, 461]]}, "info": {"id": "cyner2_5class_train_03616", "source": "cyner2_5class_train"}} +{"text": "Allows applications to change Wi-Fi connectivity state .", "spans": {}, "info": {"id": "cyner2_5class_train_03617", "source": "cyner2_5class_train"}} +{"text": "“ Agent Smith ” needs to be updated/installed without the user ’ s consent .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_5class_train_03618", "source": "cyner2_5class_train"}} +{"text": "Further assets are decrypted and deployed , including another Dalvik DEX code file , which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages , loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such 
systems – and , interestingly , is capable of turning off the sound played when the device ’ s cameras take pictures .", "spans": {"System: BusyBox": [[271, 278]]}, "info": {"id": "cyner2_5class_train_03619", "source": "cyner2_5class_train"}} +{"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it ’ s highly likely the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[10, 18]], "Malware: HenBox": [[63, 69]], "Indicator: uyghurapps [ .": [[97, 111]]}, "info": {"id": "cyner2_5class_train_03620", "source": "cyner2_5class_train"}} +{"text": "Just don ’ t forget that the scan does not run automatically in the free version .", "spans": {}, "info": {"id": "cyner2_5class_train_03621", "source": "cyner2_5class_train"}} +{"text": "Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros.", "spans": {"Malware: Cerber": [[0, 6]], "Malware: exploit kits": [[48, 60]], "Indicator: over e-mail using DOC files with macros.": [[65, 105]]}, "info": {"id": "cyner2_5class_train_03622", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.4252 Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 Backdoor.Hupigon.D243F9 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 BackDoor.Pigeon1.3852 Win32.Hack.Huigezi.n.kcloud Backdoor:Win32/Tenpeq.C Backdoor.Hupigon.148473 MalwareScope.Trojan-PSW.Game.16 Trojan.Hupigon!iPBnzuR7b40 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.4252": [[26, 42]], "Indicator: Backdoor.Hupigon.148473": [[43, 66], [67, 90], [158, 181], [182, 205], [206, 229], [304, 327]], "Indicator: Backdoor.Hupigon.D243F9": [[91, 114]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[115, 157]], "Indicator: BackDoor.Pigeon1.3852": [[230, 251]], "Indicator: Win32.Hack.Huigezi.n.kcloud": [[252, 279]], "Indicator: Backdoor:Win32/Tenpeq.C": [[280, 303]], "Indicator: 
MalwareScope.Trojan-PSW.Game.16": [[328, 359]], "Indicator: Trojan.Hupigon!iPBnzuR7b40": [[360, 386]], "Indicator: Trj/CI.A": [[387, 395]]}, "info": {"id": "cyner2_5class_train_03623", "source": "cyner2_5class_train"}} +{"text": "Since then, several examples of malware created by Animal Farm have been found and publicly documented, in particular:", "spans": {"Malware: malware": [[32, 39]]}, "info": {"id": "cyner2_5class_train_03624", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58712 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58712 [ .": [[21, 63]]}, "info": {"id": "cyner2_5class_train_03625", "source": "cyner2_5class_train"}} +{"text": "He most probably did so to restore his reputation on a number of hacker forums: earlier, he had been promoting his development so aggressively and behaving so erratically that he was eventually suspected of being a scammer.", "spans": {}, "info": {"id": "cyner2_5class_train_03626", "source": "cyner2_5class_train"}} +{"text": "Comparison of code of Asset file before and after decryption Figure 11 .", "spans": {}, "info": {"id": "cyner2_5class_train_03627", "source": "cyner2_5class_train"}} +{"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) .", "spans": {}, "info": {"id": "cyner2_5class_train_03628", "source": "cyner2_5class_train"}} +{"text": "If /sdcard/MemosForNotes was present on the device , the Chrysaor app removes itself from the device .", "spans": {"Indicator: /sdcard/MemosForNotes": [[3, 24]], "Malware: Chrysaor": [[57, 65]]}, "info": {"id": "cyner2_5class_train_03629", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Ngrbot!O 
Worm.Ngrbot Trojan.Zbot.Win32.51206 Trojan/Spy.Zbot.dcar Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan.IPQV-8835 Win.Trojan.Zbot-52317 Worm.Win32.Ngrbot.kie Troj.W32.Qhost.lkwM BehavesLike.Win32.ZBot.dc Trojan-Dropper.Win32.VB Worm/Win32.Ngrbot Worm.Win32.Ngrbot.kie Worm/Win32.Ngrbot.R62747 Worm.Ngrbot Trojan.Zbot TrojanSpy.Zbot!FbLT0Cb2klI W32/VBInjector.W!tr Win32/Trojan.BO.255", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Ngrbot!O": [[26, 45]], "Indicator: Worm.Ngrbot": [[46, 57], [346, 357]], "Indicator: Trojan.Zbot.Win32.51206": [[58, 81]], "Indicator: Trojan/Spy.Zbot.dcar": [[82, 102]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[103, 145]], "Indicator: W32/Trojan.IPQV-8835": [[146, 166]], "Indicator: Win.Trojan.Zbot-52317": [[167, 188]], "Indicator: Worm.Win32.Ngrbot.kie": [[189, 210], [299, 320]], "Indicator: Troj.W32.Qhost.lkwM": [[211, 230]], "Indicator: BehavesLike.Win32.ZBot.dc": [[231, 256]], "Indicator: Trojan-Dropper.Win32.VB": [[257, 280]], "Indicator: Worm/Win32.Ngrbot": [[281, 298]], "Indicator: Worm/Win32.Ngrbot.R62747": [[321, 345]], "Indicator: Trojan.Zbot": [[358, 369]], "Indicator: TrojanSpy.Zbot!FbLT0Cb2klI": [[370, 396]], "Indicator: W32/VBInjector.W!tr": [[397, 416]], "Indicator: Win32/Trojan.BO.255": [[417, 436]]}, "info": {"id": "cyner2_5class_train_03630", "source": "cyner2_5class_train"}} +{"text": "While the malware is capable of facilitating various cyber-criminal goals , our team confirmed it ’ s currently installing additional apps on infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_03631", "source": "cyner2_5class_train"}} +{"text": "10 million Android phones infected by all-powerful auto-rooting apps First detected in November , Shedun/HummingBad infections are surging .", "spans": {"System: Android": [[11, 18]], "Malware: Shedun/HummingBad": [[98, 115]]}, "info": {"id": "cyner2_5class_train_03632", "source": "cyner2_5class_train"}} +{"text": "] commydriveweb [ .", 
"spans": {"Indicator: [ .": [[16, 19]]}, "info": {"id": "cyner2_5class_train_03633", "source": "cyner2_5class_train"}} +{"text": "During one session , the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers , all of which were associated with Russian financial institutions .", "spans": {}, "info": {"id": "cyner2_5class_train_03634", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Adload.tml Trojan.Buzy.D8FA TSPY_DOWNLOADER_CD1002E2.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9973 TROJ_PAM_0000010534.T3 Win.Trojan.Adload-3700 Trojan.Win32.Snojan.ccxx Trojan.Win32.Adload.cpqwy TrojWare.Win32.TrojanDownloader.Adload.tmm Trojan.DownLoader1.22512 BehavesLike.Win32.Backdoor.rc Trojan-Downloader.Win32.Adload TrojanDownloader.Adload.naf TrojanDownloader:Win32/Neup.A Trojan.Win32.Snojan.ccxx Downloader/Win32.Adload.R11798 PUP.Optional.Funshion Win32.Trojan.Adclicker.Sxoq Trojan.DL.Adload.MGR Win32/Trojan.56c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Adload.tml": [[26, 54]], "Indicator: Trojan.Buzy.D8FA": [[55, 71]], "Indicator: TSPY_DOWNLOADER_CD1002E2.RDXN": [[72, 101]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9973": [[102, 144]], "Indicator: TROJ_PAM_0000010534.T3": [[145, 167]], "Indicator: Win.Trojan.Adload-3700": [[168, 190]], "Indicator: Trojan.Win32.Snojan.ccxx": [[191, 215], [429, 453]], "Indicator: Trojan.Win32.Adload.cpqwy": [[216, 241]], "Indicator: TrojWare.Win32.TrojanDownloader.Adload.tmm": [[242, 284]], "Indicator: Trojan.DownLoader1.22512": [[285, 309]], "Indicator: BehavesLike.Win32.Backdoor.rc": [[310, 339]], "Indicator: Trojan-Downloader.Win32.Adload": [[340, 370]], "Indicator: TrojanDownloader.Adload.naf": [[371, 398]], "Indicator: TrojanDownloader:Win32/Neup.A": [[399, 428]], "Indicator: Downloader/Win32.Adload.R11798": [[454, 484]], "Indicator: PUP.Optional.Funshion": [[485, 506]], "Indicator: 
Win32.Trojan.Adclicker.Sxoq": [[507, 534]], "Indicator: Trojan.DL.Adload.MGR": [[535, 555]], "Indicator: Win32/Trojan.56c": [[556, 572]]}, "info": {"id": "cyner2_5class_train_03635", "source": "cyner2_5class_train"}} +{"text": "Coralco Tech 's services description .", "spans": {}, "info": {"id": "cyner2_5class_train_03636", "source": "cyner2_5class_train"}} +{"text": "Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals.", "spans": {"Malware: RETADUP malware": [[46, 61]], "Organization: Israeli hospitals.": [[65, 83]]}, "info": {"id": "cyner2_5class_train_03637", "source": "cyner2_5class_train"}} +{"text": "EVENTBOT THREAT ACTORS As a part of this investigation , the Cybereason Nocturnus team has attempted to identify the threat actors behind the development of EventBot .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Organization: Cybereason Nocturnus": [[61, 81]], "Malware: EventBot": [[157, 165]]}, "info": {"id": "cyner2_5class_train_03638", "source": "cyner2_5class_train"}} +{"text": "This malicious program attacks only Raspberry Pi minicomputers.", "spans": {"Malware: malicious": [[5, 14]], "Indicator: attacks": [[23, 30]], "System: Raspberry Pi minicomputers.": [[36, 63]]}, "info": {"id": "cyner2_5class_train_03639", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Clicker.Win32.VB!O Win32/Adclicker.DSU Trojan-Clicker.Win32.VB.isz Trojan.Win32.VB.bcvse Trojan.Click1.25507 BehavesLike.Win32.Dropper.qt Trojan.Crypt TrojanClicker.VB.kho Trojan.Heur.ZGY.5 W32.W.Hawawi.lmFq Trojan-Clicker.Win32.VB.isz TrojanClicker:Win32/Refpron.A Trojan/Win32.Xema.R155513", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Clicker.Win32.VB!O": [[26, 51]], "Indicator: Win32/Adclicker.DSU": [[52, 71]], "Indicator: Trojan-Clicker.Win32.VB.isz": [[72, 99], [241, 268]], "Indicator: Trojan.Win32.VB.bcvse": [[100, 121]], "Indicator: Trojan.Click1.25507": [[122, 141]], "Indicator: BehavesLike.Win32.Dropper.qt": [[142, 
170]], "Indicator: Trojan.Crypt": [[171, 183]], "Indicator: TrojanClicker.VB.kho": [[184, 204]], "Indicator: Trojan.Heur.ZGY.5": [[205, 222]], "Indicator: W32.W.Hawawi.lmFq": [[223, 240]], "Indicator: TrojanClicker:Win32/Refpron.A": [[269, 298]], "Indicator: Trojan/Win32.Xema.R155513": [[299, 324]]}, "info": {"id": "cyner2_5class_train_03640", "source": "cyner2_5class_train"}} +{"text": "This would be a very unusual coincidence .", "spans": {}, "info": {"id": "cyner2_5class_train_03641", "source": "cyner2_5class_train"}} +{"text": "In some samples analyzed by CTU researchers, the attachment was an obfuscated VBScript .vbs file that downloads and installs AdWind, or the email message just included a link to download and install the malware.", "spans": {"Organization: CTU researchers,": [[28, 44]], "Indicator: attachment": [[49, 59]], "Indicator: obfuscated VBScript .vbs": [[67, 91]], "Malware: AdWind,": [[125, 132]], "Indicator: link to download and install the malware.": [[170, 211]]}, "info": {"id": "cyner2_5class_train_03642", "source": "cyner2_5class_train"}} +{"text": "It's these same teens that are causing a surge in mobile ransomware in the Chinese underground market.", "spans": {"System: mobile": [[50, 56]], "Malware: ransomware": [[57, 67]]}, "info": {"id": "cyner2_5class_train_03643", "source": "cyner2_5class_train"}} +{"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group .", "spans": {"Organization: Adups": [[26, 31]], "Organization: Information Security Media Group": [[74, 106]]}, "info": {"id": "cyner2_5class_train_03644", "source": "cyner2_5class_train"}} +{"text": "The response contains some basic HTML and JavaScript .", "spans": {}, "info": {"id": "cyner2_5class_train_03645", "source": "cyner2_5class_train"}} +{"text": "The more complex the obfuscation , the longer it will take an antivirus solution to neutralize the malicious code .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03646", "source": "cyner2_5class_train"}} +{"text": "In 2017 and 2018, ITG03 actors stole over $534 million from cryptocurrency exchange attacks, according to security firm Group IB.", "spans": {"Indicator: attacks,": [[84, 92]], "Organization: security firm Group IB.": [[106, 129]]}, "info": {"id": "cyner2_5class_train_03647", "source": "cyner2_5class_train"}} +{"text": "Users can not rely on the official app stores for their safety , and should implement advanced security protections capable of detecting and blocking zero-day mobile malware .", "spans": {}, "info": {"id": "cyner2_5class_train_03648", "source": "cyner2_5class_train"}} +{"text": "This blunder made by the company has been frustrating to many developers .", "spans": {}, "info": {"id": "cyner2_5class_train_03649", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Hacktool.Bendor.C Trojan/W32.HackTool.20480.O Hacktool.Bendor Trojan.Hacktool.Bendor.C Tool.Bendor.Win32.1 Trojan/Hacktool.Bendor Trojan.Hacktool.Bendor.C BKDR_BANDOR.A Win32.Trojan.WisdomEyes.16070401.9500.9602 W32/Trojan.VSQ BKDR_BANDOR.A Trojan.Hacktool.Bendor.C HackTool.Win32.Bendor Trojan.Hacktool.Bendor.C Riskware.Win32.Bendor.hrie HackTool.Bendor.20480 HackTool.W32.Bendor!c Trojan.Hacktool.Bendor.C TrojWare.Win32.HackTool.Bendor.A Trojan.Hacktool.Bendor.C W32/Trojan.ULWX-3793 HackTool/Bendor.a W32.Hack.Tool HackTool/Win32.Bendor HackTool.Win32.Bendor Trj/Legmir.AJQ Win32/HackTool.Bendor.A Win32.Hacktool.Bendor.Lkdj HackTool.Bendor!+3jB7Bxnt10 Malware_fam.gw Win32/Trojan.Hacktool.5e9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Hacktool.Bendor.C": [[26, 50], [95, 119], [163, 187], [274, 298], [321, 345], [417, 441], [475, 499]], "Indicator: Trojan/W32.HackTool.20480.O": [[51, 78]], "Indicator: Hacktool.Bendor": [[79, 94]], "Indicator: Tool.Bendor.Win32.1": [[120, 139]], "Indicator: Trojan/Hacktool.Bendor": [[140, 162]], "Indicator: BKDR_BANDOR.A": [[188, 201], [260, 
273]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9602": [[202, 244]], "Indicator: W32/Trojan.VSQ": [[245, 259]], "Indicator: HackTool.Win32.Bendor": [[299, 320], [575, 596]], "Indicator: Riskware.Win32.Bendor.hrie": [[346, 372]], "Indicator: HackTool.Bendor.20480": [[373, 394]], "Indicator: HackTool.W32.Bendor!c": [[395, 416]], "Indicator: TrojWare.Win32.HackTool.Bendor.A": [[442, 474]], "Indicator: W32/Trojan.ULWX-3793": [[500, 520]], "Indicator: HackTool/Bendor.a": [[521, 538]], "Indicator: W32.Hack.Tool": [[539, 552]], "Indicator: HackTool/Win32.Bendor": [[553, 574]], "Indicator: Trj/Legmir.AJQ": [[597, 611]], "Indicator: Win32/HackTool.Bendor.A": [[612, 635]], "Indicator: Win32.Hacktool.Bendor.Lkdj": [[636, 662]], "Indicator: HackTool.Bendor!+3jB7Bxnt10": [[663, 690]], "Indicator: Malware_fam.gw": [[691, 705]], "Indicator: Win32/Trojan.Hacktool.5e9": [[706, 731]]}, "info": {"id": "cyner2_5class_train_03650", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Graftor.eruomq Trojan.Proxy2.754 Trojan.Proxy.1 Trj/GdSda.A Win32/Trojan.2c0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Graftor.eruomq": [[26, 53]], "Indicator: Trojan.Proxy2.754": [[54, 71]], "Indicator: Trojan.Proxy.1": [[72, 86]], "Indicator: Trj/GdSda.A": [[87, 98]], "Indicator: Win32/Trojan.2c0": [[99, 115]]}, "info": {"id": "cyner2_5class_train_03651", "source": "cyner2_5class_train"}} +{"text": "Split Strings Encrypted strings can be a signal that the code is trying to hide something .", "spans": {}, "info": {"id": "cyner2_5class_train_03652", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9723 Trojan.MSIL.Krypt.2 Trojan:MSIL/Remdobe.C TrojanDropper.FrauDrop Trj/CI.A Trojan.Win32.Jorik Win32/Trojan.7c5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9723": [[26, 68]], "Indicator: Trojan.MSIL.Krypt.2": [[69, 88]], "Indicator: 
Trojan:MSIL/Remdobe.C": [[89, 110]], "Indicator: TrojanDropper.FrauDrop": [[111, 133]], "Indicator: Trj/CI.A": [[134, 142]], "Indicator: Trojan.Win32.Jorik": [[143, 161]], "Indicator: Win32/Trojan.7c5": [[162, 178]]}, "info": {"id": "cyner2_5class_train_03653", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9876 Trojan.DownLoader.22765 BehavesLike.Win32.PWSZbot.mc Backdoor.Win32.Rbot TrojanDownloader:Win32/Wudoo.A Win32/Adware.Toolbar.Baidu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9876": [[65, 107]], "Indicator: Trojan.DownLoader.22765": [[108, 131]], "Indicator: BehavesLike.Win32.PWSZbot.mc": [[132, 160]], "Indicator: Backdoor.Win32.Rbot": [[161, 180]], "Indicator: TrojanDownloader:Win32/Wudoo.A": [[181, 211]], "Indicator: Win32/Adware.Toolbar.Baidu": [[212, 238]]}, "info": {"id": "cyner2_5class_train_03654", "source": "cyner2_5class_train"}} +{"text": "2013 in figures A total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all of 2013 ( as of January 1 , 2014 ) .", "spans": {}, "info": {"id": "cyner2_5class_train_03655", "source": "cyner2_5class_train"}} +{"text": "and were signed using the name of an engineer who appears to hold equity in Connexxa .", "spans": {"Organization: Connexxa": [[76, 84]]}, "info": {"id": "cyner2_5class_train_03656", "source": "cyner2_5class_train"}} +{"text": "The response can either be a simple \" OK , '' or can be a request to perform some action on the device .", "spans": {}, "info": {"id": "cyner2_5class_train_03657", "source": "cyner2_5class_train"}} +{"text": "This remote access toolkit has been publicly examined multiple times by the threat intelligence community.", "spans": {"Malware: remote access toolkit": [[5, 26]], "Organization: threat 
intelligence community.": [[76, 106]]}, "info": {"id": "cyner2_5class_train_03658", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MulDrop5.13033 HackTool.MSIL.ccp W32.Hack.Tool HackTool.Win32.AutoKMS Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MulDrop5.13033": [[26, 47]], "Indicator: HackTool.MSIL.ccp": [[48, 65]], "Indicator: W32.Hack.Tool": [[66, 79]], "Indicator: HackTool.Win32.AutoKMS": [[80, 102]], "Indicator: Trj/GdSda.A": [[103, 114]]}, "info": {"id": "cyner2_5class_train_03659", "source": "cyner2_5class_train"}} +{"text": "Icons of the apps that Bouncing Golf ’ s operators repackaged ( top ) and a comparison of packages between the original legitimate app ( bottom left ) and GolfSpy ( bottom right ) Figure 3 .", "spans": {"Malware: Bouncing Golf": [[23, 36]], "Malware: GolfSpy": [[155, 162]]}, "info": {"id": "cyner2_5class_train_03660", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.BaragoneE.Trojan Trojan.Win32.Cosmu!O Trojan.Cosmu.Win32.14181 TROJ_COSMU.SMJ0 Win32/Cosmu.OP TROJ_COSMU.SMJ0 Win.Trojan.Mybot-8550 Trojan.Win32.Bot.ercyne TrojWare.Win32.Phishbank.DA Trojan.Click1.57939 BehavesLike.Win32.Downloader.ch Trojan/Win32.Cosmu.awlb Trojan:Win32/Phishbank.A W32.W.Mydoom.kZJ8 TScope.Malware-Cryptor.SB Trojan.Win32.Sisron Trojan.Win32.Phishbank.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BaragoneE.Trojan": [[26, 46]], "Indicator: Trojan.Win32.Cosmu!O": [[47, 67]], "Indicator: Trojan.Cosmu.Win32.14181": [[68, 92]], "Indicator: TROJ_COSMU.SMJ0": [[93, 108], [124, 139]], "Indicator: Win32/Cosmu.OP": [[109, 123]], "Indicator: Win.Trojan.Mybot-8550": [[140, 161]], "Indicator: Trojan.Win32.Bot.ercyne": [[162, 185]], "Indicator: TrojWare.Win32.Phishbank.DA": [[186, 213]], "Indicator: Trojan.Click1.57939": [[214, 233]], "Indicator: BehavesLike.Win32.Downloader.ch": [[234, 265]], "Indicator: Trojan/Win32.Cosmu.awlb": [[266, 289]], "Indicator: 
Trojan:Win32/Phishbank.A": [[290, 314]], "Indicator: W32.W.Mydoom.kZJ8": [[315, 332]], "Indicator: TScope.Malware-Cryptor.SB": [[333, 358]], "Indicator: Trojan.Win32.Sisron": [[359, 378]], "Indicator: Trojan.Win32.Phishbank.A": [[379, 403]]}, "info": {"id": "cyner2_5class_train_03661", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware03 AdWare.W32.Gamevance.m6Qo Trojan/Downloader.Stantinko.n Win32.Trojan.Xpack.a Win32.Trojan-Downloader.Stantinko.A TrojWare.Win32.TrojanDownloader.Stantinko.D BehavesLike.Win32.Downloader.ch Trojan.Graftor Trojan:Win32/Fiya.E Win32/TrojanDownloader.Stantinko.N W32/Stantinko.S!tr.dldr Win32/Trojan.Stantinko.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware03": [[26, 45]], "Indicator: AdWare.W32.Gamevance.m6Qo": [[46, 71]], "Indicator: Trojan/Downloader.Stantinko.n": [[72, 101]], "Indicator: Win32.Trojan.Xpack.a": [[102, 122]], "Indicator: Win32.Trojan-Downloader.Stantinko.A": [[123, 158]], "Indicator: TrojWare.Win32.TrojanDownloader.Stantinko.D": [[159, 202]], "Indicator: BehavesLike.Win32.Downloader.ch": [[203, 234]], "Indicator: Trojan.Graftor": [[235, 249]], "Indicator: Trojan:Win32/Fiya.E": [[250, 269]], "Indicator: Win32/TrojanDownloader.Stantinko.N": [[270, 304]], "Indicator: W32/Stantinko.S!tr.dldr": [[305, 328]], "Indicator: Win32/Trojan.Stantinko.A": [[329, 353]]}, "info": {"id": "cyner2_5class_train_03662", "source": "cyner2_5class_train"}} +{"text": "The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal.", "spans": {"Malware: malware payload": [[27, 42]], "Organization: VirusTotal.": [[105, 116]]}, "info": {"id": "cyner2_5class_train_03663", "source": "cyner2_5class_train"}} +{"text": "Once we looked into the file , we quickly found out that the inner-workings of the APK included a malicious payload , embedded in the original code of the application .", "spans": {}, "info": {"id": 
"cyner2_5class_train_03664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VBMailSpam.B Trojan/W32.Flooder.577024.B Trojan/Delf.a TROJ_SPAMMER.A W32/Worm.FSFK-2238 Hacktool.Spammer Win32/Spadelf.C TROJ_SPAMMER.A Trojan.VBMailSpam.B Email-Flooder.Win32.Delf.a Trojan.VBMailSpam.B Trojan.Win32.Delf.ifpg Spyware.Email-Flooder.Delf.577024 Email-Flooder.W32.Delf.a!c Trojan.VBMailSpam.B TrojWare.Win32.Flooder.MailSpam.A Trojan.VBMailSpam.B Flooder.Mailbomb.6 Tool.Delf.Win32.442 W32/Worm.FVM Flooder.MailSpam.Delvs TR/VBMailSpam.B.1 HackTool[Flooder]/Win32.Delf Win32.Hack.Delf.a.kcloud Trojan.VBMailSpam.B Email-Flooder.Win32.Delf.a Spammer:Win32/Delf.A Trojan.VBMailSpam.B EmailFlooder.Delf Win32/Flooder.MailSpam.Delf.A Flooder.Delf!YEHm2HeU39s Trojan.Win32.Flooder Malware_fam.gw Win32/Trojan.fd6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBMailSpam.B": [[26, 45], [170, 189], [217, 236], [321, 340], [375, 394], [542, 561], [610, 629]], "Indicator: Trojan/W32.Flooder.577024.B": [[46, 73]], "Indicator: Trojan/Delf.a": [[74, 87]], "Indicator: TROJ_SPAMMER.A": [[88, 102], [155, 169]], "Indicator: W32/Worm.FSFK-2238": [[103, 121]], "Indicator: Hacktool.Spammer": [[122, 138]], "Indicator: Win32/Spadelf.C": [[139, 154]], "Indicator: Email-Flooder.Win32.Delf.a": [[190, 216], [562, 588]], "Indicator: Trojan.Win32.Delf.ifpg": [[237, 259]], "Indicator: Spyware.Email-Flooder.Delf.577024": [[260, 293]], "Indicator: Email-Flooder.W32.Delf.a!c": [[294, 320]], "Indicator: TrojWare.Win32.Flooder.MailSpam.A": [[341, 374]], "Indicator: Flooder.Mailbomb.6": [[395, 413]], "Indicator: Tool.Delf.Win32.442": [[414, 433]], "Indicator: W32/Worm.FVM": [[434, 446]], "Indicator: Flooder.MailSpam.Delvs": [[447, 469]], "Indicator: TR/VBMailSpam.B.1": [[470, 487]], "Indicator: HackTool[Flooder]/Win32.Delf": [[488, 516]], "Indicator: Win32.Hack.Delf.a.kcloud": [[517, 541]], "Indicator: Spammer:Win32/Delf.A": [[589, 609]], "Indicator: EmailFlooder.Delf": 
[[630, 647]], "Indicator: Win32/Flooder.MailSpam.Delf.A": [[648, 677]], "Indicator: Flooder.Delf!YEHm2HeU39s": [[678, 702]], "Indicator: Trojan.Win32.Flooder": [[703, 723]], "Indicator: Malware_fam.gw": [[724, 738]], "Indicator: Win32/Trojan.fd6": [[739, 755]]}, "info": {"id": "cyner2_5class_train_03665", "source": "cyner2_5class_train"}} +{"text": "This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", "spans": {"Malware: Prikormka malware family": [[49, 73]], "Indicator: spreading mechanisms,": [[82, 103]]}, "info": {"id": "cyner2_5class_train_03666", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Win32!O Win32.Trojan.WisdomEyes.16070401.9500.9867 Win.Tool.Hotfreezer-2 Trojan.Win32.Refroso.csjta TrojWare.Win32.HackTool.Homac Tool.Homac BehavesLike.Win32.Mydoom.pz Trojan/Refroso.ulh Trojan[Backdoor]/Win32.Shark HackTool:Win32/Homac.A HackTool.Homac Win32/HackTool.Homac Hacktool.Homac.A HackTool.Win32.Homac", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Win32!O": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9867": [[43, 85]], "Indicator: Win.Tool.Hotfreezer-2": [[86, 107]], "Indicator: Trojan.Win32.Refroso.csjta": [[108, 134]], "Indicator: TrojWare.Win32.HackTool.Homac": [[135, 164]], "Indicator: Tool.Homac": [[165, 175]], "Indicator: BehavesLike.Win32.Mydoom.pz": [[176, 203]], "Indicator: Trojan/Refroso.ulh": [[204, 222]], "Indicator: Trojan[Backdoor]/Win32.Shark": [[223, 251]], "Indicator: HackTool:Win32/Homac.A": [[252, 274]], "Indicator: HackTool.Homac": [[275, 289]], "Indicator: Win32/HackTool.Homac": [[290, 310]], "Indicator: Hacktool.Homac.A": [[311, 327]], "Indicator: HackTool.Win32.Homac": [[328, 348]]}, "info": {"id": "cyner2_5class_train_03667", "source": "cyner2_5class_train"}} +{"text": "Just like the previous modules , it contains multiple strings in Italian .", "spans": {}, 
"info": {"id": "cyner2_5class_train_03668", "source": "cyner2_5class_train"}} +{"text": "Hancitor is a popular dropper used in phishing campaigns.", "spans": {"Malware: Hancitor": [[0, 8]], "Malware: dropper": [[22, 29]]}, "info": {"id": "cyner2_5class_train_03669", "source": "cyner2_5class_train"}} +{"text": "A reputable, high-profile ad network provides traffers with access to higher-quality traffic, and the more reputable an ad network appears, the easier it is for traffers to reach this target traffic.", "spans": {"Organization: high-profile ad network": [[13, 36]], "Indicator: traffers": [[46, 54]], "Indicator: traffic,": [[85, 93]], "Organization: ad network": [[120, 130]], "Indicator: target traffic.": [[184, 199]]}, "info": {"id": "cyner2_5class_train_03670", "source": "cyner2_5class_train"}} +{"text": "In other cases, spear phish directs users to websites that would otherwise be trusted but actually have been compromised by threat actors seeking greater access to fulfill their actions and objectives.", "spans": {"Indicator: spear phish": [[16, 27]], "Indicator: websites": [[45, 53]], "Indicator: compromised": [[109, 120]]}, "info": {"id": "cyner2_5class_train_03671", "source": "cyner2_5class_train"}} +{"text": "Cybercriminals are using local brand names such as local ISP providers and legitimate looking addresses to fool users into downloading malware that can steal information by monitoring browsers, file transfer protocol FTP clients, and mail clients.", "spans": {"Vulnerability: local": [[25, 30]], "Indicator: local ISP providers": [[51, 70]], "Indicator: addresses": [[94, 103]], "Malware: malware": [[135, 142]], "Indicator: monitoring browsers, file transfer protocol FTP clients,": [[173, 229]], "Indicator: mail clients.": [[234, 247]]}, "info": {"id": "cyner2_5class_train_03672", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has been tracking a new Remote Access Trojan RAT being sold for $40 USD since April 2016, known as Orcus", "spans": 
{"Organization: Unit 42": [[0, 7]], "Malware: Remote Access Trojan RAT": [[32, 56]], "Malware: Orcus": [[107, 112]]}, "info": {"id": "cyner2_5class_train_03673", "source": "cyner2_5class_train"}} +{"text": "During our tests the spyware was upgraded to the second stage on our test device immediately after the first check-ins .", "spans": {}, "info": {"id": "cyner2_5class_train_03674", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_03675", "source": "cyner2_5class_train"}} +{"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations .", "spans": {}, "info": {"id": "cyner2_5class_train_03676", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Scar.15360.P Trojan.Win32.Scar!O Win32.Trojan.WisdomEyes.16070401.9500.9973 W32/Trojan.WBMR-2019 Win.Trojan.Merong-1 Trojan.Win32.Scar.dcrm Trojan.Win32.Scar.chxtv Trojan.Win32.A.Scar.15360 Troj.W32.Scar.dcrm!c Trojan.DownLoader5.8015 Trojan.Scar.Win32.48783 Trojan.Win32.Scar W32/Trojan3.YUH W32.Trojan.Scar Trojan/Win32.Scar Trojan.Win32.Scar.dcrm Trojan:Win32/Sluegot.A Trojan/Win32.Scar.R81257 Trojan.Scar Win32.Trojan.Scar.bove Trojan.Scar!69cHD7mX3A8 W32/Scar.DCM!tr.dldr Win32/Trojan.17a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Scar.15360.P": [[26, 49]], "Indicator: Trojan.Win32.Scar!O": [[50, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9973": [[70, 112]], "Indicator: W32/Trojan.WBMR-2019": [[113, 133]], "Indicator: Win.Trojan.Merong-1": [[134, 153]], "Indicator: Trojan.Win32.Scar.dcrm": [[154, 176], [364, 386]], "Indicator: Trojan.Win32.Scar.chxtv": [[177, 200]], "Indicator: Trojan.Win32.A.Scar.15360": [[201, 226]], "Indicator: Troj.W32.Scar.dcrm!c": [[227, 247]], 
"Indicator: Trojan.DownLoader5.8015": [[248, 271]], "Indicator: Trojan.Scar.Win32.48783": [[272, 295]], "Indicator: Trojan.Win32.Scar": [[296, 313]], "Indicator: W32/Trojan3.YUH": [[314, 329]], "Indicator: W32.Trojan.Scar": [[330, 345]], "Indicator: Trojan/Win32.Scar": [[346, 363]], "Indicator: Trojan:Win32/Sluegot.A": [[387, 409]], "Indicator: Trojan/Win32.Scar.R81257": [[410, 434]], "Indicator: Trojan.Scar": [[435, 446]], "Indicator: Win32.Trojan.Scar.bove": [[447, 469]], "Indicator: Trojan.Scar!69cHD7mX3A8": [[470, 493]], "Indicator: W32/Scar.DCM!tr.dldr": [[494, 514]], "Indicator: Win32/Trojan.17a": [[515, 531]]}, "info": {"id": "cyner2_5class_train_03677", "source": "cyner2_5class_train"}} +{"text": "] com www [ .", "spans": {"Indicator: www [ .": [[6, 13]]}, "info": {"id": "cyner2_5class_train_03678", "source": "cyner2_5class_train"}} +{"text": "In the latest version , a layer of obfuscation was added , perhaps taking the malware one step closer to being fully operational .", "spans": {}, "info": {"id": "cyner2_5class_train_03679", "source": "cyner2_5class_train"}} +{"text": "Indicators related to the CryptFile2 ransomware", "spans": {"Indicator: Indicators": [[0, 10]], "Malware: CryptFile2 ransomware": [[26, 47]]}, "info": {"id": "cyner2_5class_train_03680", "source": "cyner2_5class_train"}} +{"text": "It will also take a photo using the device ’ s front camera when the user wakes the device .", "spans": {}, "info": {"id": "cyner2_5class_train_03681", "source": "cyner2_5class_train"}} +{"text": "And our researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015 , so there are millions of devices with a huge possibility of being infected with Triada .", "spans": {"System: Android": [[46, 53]], "Malware: Triada": [[230, 236]]}, "info": {"id": "cyner2_5class_train_03682", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Proxy/W32.Thunker.14848.B 
Trojan/Proxy.Thunker.a TROJ_THUNKER.A Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Espy.OUZC-2697 Backdoor.Thunker Win32/Knooth.C TROJ_THUNKER.A Trojan-Proxy.Win32.Thunker.a Trojan.Win32.Thunker.gtlj Trojan.Win32.Proxy.14848.F Troj.Proxy.W32.Thunker.a!c TrojWare.Win32.TrojanProxy.Thunker.B Trojan.Thunker Trojan.Thunker.Win32.5 Trojan-Proxy.Win32.Thunker W32/Espy.A TrojanProxy.Thunker.b TR/Thunker.DLL Trojan[Proxy]/Win32.Thunker Win32.Troj.Thunker.a.kcloud Trojan-Proxy.Win32.Thunker.a Win32/TrojanProxy.Thunker.B Win32.Trojan-proxy.Thunker.Ajlv Trojan.Thunker.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Proxy/W32.Thunker.14848.B": [[26, 58]], "Indicator: Trojan/Proxy.Thunker.a": [[59, 81]], "Indicator: TROJ_THUNKER.A": [[82, 96], [191, 205]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[97, 139]], "Indicator: W32/Espy.OUZC-2697": [[140, 158]], "Indicator: Backdoor.Thunker": [[159, 175]], "Indicator: Win32/Knooth.C": [[176, 190]], "Indicator: Trojan-Proxy.Win32.Thunker.a": [[206, 234], [521, 549]], "Indicator: Trojan.Win32.Thunker.gtlj": [[235, 260]], "Indicator: Trojan.Win32.Proxy.14848.F": [[261, 287]], "Indicator: Troj.Proxy.W32.Thunker.a!c": [[288, 314]], "Indicator: TrojWare.Win32.TrojanProxy.Thunker.B": [[315, 351]], "Indicator: Trojan.Thunker": [[352, 366]], "Indicator: Trojan.Thunker.Win32.5": [[367, 389]], "Indicator: Trojan-Proxy.Win32.Thunker": [[390, 416]], "Indicator: W32/Espy.A": [[417, 427]], "Indicator: TrojanProxy.Thunker.b": [[428, 449]], "Indicator: TR/Thunker.DLL": [[450, 464]], "Indicator: Trojan[Proxy]/Win32.Thunker": [[465, 492]], "Indicator: Win32.Troj.Thunker.a.kcloud": [[493, 520]], "Indicator: Win32/TrojanProxy.Thunker.B": [[550, 577]], "Indicator: Win32.Trojan-proxy.Thunker.Ajlv": [[578, 609]], "Indicator: Trojan.Thunker.A": [[610, 626]]}, "info": {"id": "cyner2_5class_train_03683", "source": "cyner2_5class_train"}} +{"text": "Qianxin dissects a new malicious campaign by the SideCopy APT group.", "spans": 
{"Organization: Qianxin": [[0, 7]]}, "info": {"id": "cyner2_5class_train_03684", "source": "cyner2_5class_train"}} +{"text": "The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner2_5class_train_03685", "source": "cyner2_5class_train"}} +{"text": "Suspect You ’ re Infected ? The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo ’ s kill switch by sending the string “ 4 ” encrypted with the generated RSA public key and base64 encoded .", "spans": {"Malware: TrickMo": [[285, 292]]}, "info": {"id": "cyner2_5class_train_03686", "source": "cyner2_5class_train"}} +{"text": "Timebombs , Dynamic Code Loading and Reflection If Google Bouncer was not detected , the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours .", "spans": {"System: Google Bouncer": [[51, 65]]}, "info": {"id": "cyner2_5class_train_03687", "source": "cyner2_5class_train"}} +{"text": "Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication , such as Duo Security .", "spans": {"System: Duo Security": [[130, 142]]}, "info": {"id": "cyner2_5class_train_03688", "source": "cyner2_5class_train"}} +{"text": "Email is one of the favorite methods used by attackers to infect systems.", "spans": {"Indicator: Email": [[0, 5]], "Indicator: methods": [[29, 36]], "System: infect systems.": [[58, 73]]}, "info": {"id": "cyner2_5class_train_03689", "source": "cyner2_5class_train"}} +{"text": "Another tie between the activity is the C2 jackhex.md5c [ .", "spans": {"Indicator: jackhex.md5c [ .": [[43, 59]]}, "info": {"id": 
"cyner2_5class_train_03690", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Strictor.D22A4D W32/Trojan.ZZSK-0144 Win.Exploit.Fnstenv_mov-1 BehavesLike.Win32.Multiplug.wc Backdoor/Win32.Wingbird.R209335 W32/Injector.DNRG!tr Trj/GdSda.A Win32/Trojan.Spy.c28", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Strictor.D22A4D": [[26, 48]], "Indicator: W32/Trojan.ZZSK-0144": [[49, 69]], "Indicator: Win.Exploit.Fnstenv_mov-1": [[70, 95]], "Indicator: BehavesLike.Win32.Multiplug.wc": [[96, 126]], "Indicator: Backdoor/Win32.Wingbird.R209335": [[127, 158]], "Indicator: W32/Injector.DNRG!tr": [[159, 179]], "Indicator: Trj/GdSda.A": [[180, 191]], "Indicator: Win32/Trojan.Spy.c28": [[192, 212]]}, "info": {"id": "cyner2_5class_train_03691", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.ForShare.WmiBit Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Trojan.DownLoader24.53357 Trojan/Win32.PcClient.R191990 Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.ForShare.WmiBit": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: Backdoor.Trojan": [[94, 109]], "Indicator: Trojan.DownLoader24.53357": [[110, 135]], "Indicator: Trojan/Win32.PcClient.R191990": [[136, 165]], "Indicator: Win32/RootKit.Rootkit.7e5": [[166, 191]]}, "info": {"id": "cyner2_5class_train_03692", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.VB!O Worm.VB Worm.VB.Win32.2956 W32/VB.bhj Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_PSVR_0000001.TOMA Win.Worm.VB-71919 Worm.Win32.VB.bhj Trojan.Win32.VB.dxohtw BackDoor.Poison.686 BKDR_PSVR_0000001.TOMA Trojan-Dropper.Vb Trojan.Razy.D3A7C4 Worm.Win32.A.VB.168516 Worm.Win32.VB.bhj Worm/Win32.VB.C142786 W32/VBKrypt.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.VB!O": [[26, 41]], "Indicator: Worm.VB": [[42, 49]], "Indicator: Worm.VB.Win32.2956": 
[[50, 68]], "Indicator: W32/VB.bhj": [[69, 79]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[80, 122]], "Indicator: BKDR_PSVR_0000001.TOMA": [[123, 145], [225, 247]], "Indicator: Win.Worm.VB-71919": [[146, 163]], "Indicator: Worm.Win32.VB.bhj": [[164, 181], [308, 325]], "Indicator: Trojan.Win32.VB.dxohtw": [[182, 204]], "Indicator: BackDoor.Poison.686": [[205, 224]], "Indicator: Trojan-Dropper.Vb": [[248, 265]], "Indicator: Trojan.Razy.D3A7C4": [[266, 284]], "Indicator: Worm.Win32.A.VB.168516": [[285, 307]], "Indicator: Worm/Win32.VB.C142786": [[326, 347]], "Indicator: W32/VBKrypt.C!tr": [[348, 364]]}, "info": {"id": "cyner2_5class_train_03693", "source": "cyner2_5class_train"}} +{"text": "The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the attack started on the same day.", "spans": {"Indicator: domain": [[4, 10]], "Indicator: attack": [[100, 106]]}, "info": {"id": "cyner2_5class_train_03694", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TrosdanpomLTAA.Trojan Backdoor.Laserv.B Backdoor.Win32.Laserv!O Backdoor.Laserv.A4 Backdoor/Laserv.b W32/Backdoor.NWE Backdoor.Lassrv.B Win32/Lassrv.B BKDR_LASSRV.B Win.Trojan.Laserv-1 Backdoor.Laserv.B Backdoor.Win32.Laserv.b Backdoor.Laserv.B Trojan.Win32.Laserv.csyvps Trojan.Win32.Equation.132608 Backdoor.Laserv.B Backdoor.Laserv.B Backdoor.Laserv.Win32.8 BKDR_LASSRV.B BehavesLike.Win32.Downloader.ch W32/Backdoor.ZYMS-3992 BDS/Laserv.B.2 Trojan[Backdoor]/Win32.Laserv Backdoor.Laserv.B Backdoor.W32.Laserv!c Backdoor.Win32.Laserv.b Backdoor:Win32/Salsnit.A Win-Trojan/Equation.132623 Backdoor.Laserv.B Trojan.EquationLaser Win32.Backdoor.Laserv.Dvzs Backdoor.Laserv!QkthHIoGFGU Backdoor.Win32.Laserv W32/Laserv.C!tr Win32/Backdoor.21d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TrosdanpomLTAA.Trojan": [[26, 51]], "Indicator: Backdoor.Laserv.B": [[52, 69], [215, 232], [257, 274], [331, 348], [349, 366], [505, 522], [621, 638]], 
"Indicator: Backdoor.Win32.Laserv!O": [[70, 93]], "Indicator: Backdoor.Laserv.A4": [[94, 112]], "Indicator: Backdoor/Laserv.b": [[113, 130]], "Indicator: W32/Backdoor.NWE": [[131, 147]], "Indicator: Backdoor.Lassrv.B": [[148, 165]], "Indicator: Win32/Lassrv.B": [[166, 180]], "Indicator: BKDR_LASSRV.B": [[181, 194], [391, 404]], "Indicator: Win.Trojan.Laserv-1": [[195, 214]], "Indicator: Backdoor.Win32.Laserv.b": [[233, 256], [545, 568]], "Indicator: Trojan.Win32.Laserv.csyvps": [[275, 301]], "Indicator: Trojan.Win32.Equation.132608": [[302, 330]], "Indicator: Backdoor.Laserv.Win32.8": [[367, 390]], "Indicator: BehavesLike.Win32.Downloader.ch": [[405, 436]], "Indicator: W32/Backdoor.ZYMS-3992": [[437, 459]], "Indicator: BDS/Laserv.B.2": [[460, 474]], "Indicator: Trojan[Backdoor]/Win32.Laserv": [[475, 504]], "Indicator: Backdoor.W32.Laserv!c": [[523, 544]], "Indicator: Backdoor:Win32/Salsnit.A": [[569, 593]], "Indicator: Win-Trojan/Equation.132623": [[594, 620]], "Indicator: Trojan.EquationLaser": [[639, 659]], "Indicator: Win32.Backdoor.Laserv.Dvzs": [[660, 686]], "Indicator: Backdoor.Laserv!QkthHIoGFGU": [[687, 714]], "Indicator: Backdoor.Win32.Laserv": [[715, 736]], "Indicator: W32/Laserv.C!tr": [[737, 752]], "Indicator: Win32/Backdoor.21d": [[753, 771]]}, "info": {"id": "cyner2_5class_train_03695", "source": "cyner2_5class_train"}} +{"text": "This group has evolved a lot in sophistication and evasion techniques to defeat detection by security products.", "spans": {}, "info": {"id": "cyner2_5class_train_03696", "source": "cyner2_5class_train"}} +{"text": "The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.", "spans": {}, "info": {"id": "cyner2_5class_train_03697", "source": "cyner2_5class_train"}} +{"text": "For example , one commercial obfuscator , which cost €350 , was 
used for Trojans and Opfak.bo Obad.a Android vulnerabilities are used by criminals for three reasons : to bypass the code integrity check when installing an application ( vulnerability Master Key ) ; to enhance the rights of malicious applications , considerably extending their capabilities ; and to make it more difficult to remove malware .", "spans": {"Malware: Opfak.bo Obad.a": [[85, 100]]}, "info": {"id": "cyner2_5class_train_03698", "source": "cyner2_5class_train"}} +{"text": "From early April , hackers started to build a new major update to the “ Agent Smith ” campaign under the name “ leechsdk ” .", "spans": {"Malware: Agent Smith": [[72, 83]]}, "info": {"id": "cyner2_5class_train_03699", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dembr Trojan.MBR.Killer Trojan/KillDisk.nas TROJ_KILLMBR.SM Win32.Trojan.WisdomEyes.16070401.9500.9964 W32/Jokra.DWCJ-4354 Trojan.Jokra Win32/Tnega.ASFM TROJ_KILLMBR.SM Trojan.Win32.EraseMBR.b Trojan.Win32.EraseMBR.cqzdgw Trojan.Win32.S.KillMBR.24576 Troj.W32.EraseMBR.b!c Trojan.KillFiles.10563 Trojan.EraseMBR.Win32.4 W32/Jokra.A Trojan/EraseMBR.h TR/KillMBR.Y.2 Trojan/Win32.EraseMBR Trojan.Win32.EraseMBR.b Trojan:Win32/Dembr.A Trojan.KillDisk.MBR OScope.Trojan.KillMBR.2113 Trojan.KillDisk.NAS Win32/KillDisk.NAS Trojan.Win32.DataWiper.b Trojan.EraseMBR!+80n0qBNT48 Trojan.Win32.EraseMBR W32/Kast.A!tr Win32/Trojan.c81", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dembr": [[26, 38]], "Indicator: Trojan.MBR.Killer": [[39, 56]], "Indicator: Trojan/KillDisk.nas": [[57, 76]], "Indicator: TROJ_KILLMBR.SM": [[77, 92], [186, 201]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[93, 135]], "Indicator: W32/Jokra.DWCJ-4354": [[136, 155]], "Indicator: Trojan.Jokra": [[156, 168]], "Indicator: Win32/Tnega.ASFM": [[169, 185]], "Indicator: Trojan.Win32.EraseMBR.b": [[202, 225], [420, 443]], "Indicator: Trojan.Win32.EraseMBR.cqzdgw": [[226, 254]], "Indicator: 
Trojan.Win32.S.KillMBR.24576": [[255, 283]], "Indicator: Troj.W32.EraseMBR.b!c": [[284, 305]], "Indicator: Trojan.KillFiles.10563": [[306, 328]], "Indicator: Trojan.EraseMBR.Win32.4": [[329, 352]], "Indicator: W32/Jokra.A": [[353, 364]], "Indicator: Trojan/EraseMBR.h": [[365, 382]], "Indicator: TR/KillMBR.Y.2": [[383, 397]], "Indicator: Trojan/Win32.EraseMBR": [[398, 419]], "Indicator: Trojan:Win32/Dembr.A": [[444, 464]], "Indicator: Trojan.KillDisk.MBR": [[465, 484]], "Indicator: OScope.Trojan.KillMBR.2113": [[485, 511]], "Indicator: Trojan.KillDisk.NAS": [[512, 531]], "Indicator: Win32/KillDisk.NAS": [[532, 550]], "Indicator: Trojan.Win32.DataWiper.b": [[551, 575]], "Indicator: Trojan.EraseMBR!+80n0qBNT48": [[576, 603]], "Indicator: Trojan.Win32.EraseMBR": [[604, 625]], "Indicator: W32/Kast.A!tr": [[626, 639]], "Indicator: Win32/Trojan.c81": [[640, 656]]}, "info": {"id": "cyner2_5class_train_03700", "source": "cyner2_5class_train"}} +{"text": "What makes the Turla group special is not just the complexity of its tools, which include the Uroboros rootkit, aka Snake as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based C C mechanism used in the latter stages of the attack.", "spans": {"Malware: tools,": [[69, 75]], "Malware: Uroboros rootkit,": [[94, 111]], "Malware: Snake": [[116, 121]], "Indicator: bypass air gaps through multi-stage proxy networks": [[156, 206]], "System: LANs,": [[214, 219]], "Indicator: satellite-based C C mechanism": [[238, 267]], "Indicator: attack.": [[301, 308]]}, "info": {"id": "cyner2_5class_train_03701", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9647 Heur.Corrupt.PE Trojan.MulDrop3.4445 TrojanDownloader:Win32/Cordmix.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9647": [[48, 
90]], "Indicator: Heur.Corrupt.PE": [[91, 106]], "Indicator: Trojan.MulDrop3.4445": [[107, 127]], "Indicator: TrojanDownloader:Win32/Cordmix.A": [[128, 160]]}, "info": {"id": "cyner2_5class_train_03702", "source": "cyner2_5class_train"}} +{"text": "All the malicious Dvmap apps had the same functionality .", "spans": {"Malware: Dvmap": [[18, 23]]}, "info": {"id": "cyner2_5class_train_03703", "source": "cyner2_5class_train"}} +{"text": "CSIS provided a ( sanitised ) version of a typical message to warn users what to look out for : “ You have received a multimedia message from + [ country code ] [ sender number ] Follow the link http : //www.mmsforyou [ .", "spans": {"Organization: CSIS": [[0, 4]], "Indicator: http : //www.mmsforyou [ .": [[195, 221]]}, "info": {"id": "cyner2_5class_train_03704", "source": "cyner2_5class_train"}} +{"text": "To achieve persistence, the malware creates a Run key Registry entry on the system.", "spans": {"Malware: malware": [[28, 35]], "Indicator: Run key Registry entry": [[46, 68]], "System: system.": [[76, 83]]}, "info": {"id": "cyner2_5class_train_03705", "source": "cyner2_5class_train"}} +{"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild .", "spans": {"Malware: Skygofree": [[0, 9]], "Organization: HackingTeam": [[42, 53]], "System: Android": [[119, 126]]}, "info": {"id": "cyner2_5class_train_03706", "source": "cyner2_5class_train"}} +{"text": "This industry initiative was created to share information and potentially disrupt the infrastructure and tools from an actor named the Lazarus Group.", "spans": {"Organization: industry": [[5, 13]], "System: infrastructure": [[86, 100]], "Malware: tools": [[105, 110]]}, "info": {"id": "cyner2_5class_train_03707", "source": "cyner2_5class_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner2_5class_train_03708", 
"source": "cyner2_5class_train"}} +{"text": "Primarily targets South Korea.", "spans": {"Organization: targets": [[10, 17]]}, "info": {"id": "cyner2_5class_train_03709", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Inject.79360.B Trojan.Jinto Trojan/Inject.nzs Trojan.Heur.TP.EDF4BE Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.IJVQ TROJ_INJECT.AQT Trojan.Win32.Inject.79360 Troj.W32.Inject.nzs!c TrojWare.Win32.Inject.nzs Win32.HLLW.Recycler.8 Trojan.Inject.Win32.2004 TROJ_INJECT.AQT BehavesLike.Win32.PWSZbot.lh W32/Trojan.PLGK-4123 Trojan/Inject.dyx Win32.Troj.Inject.kcloud Trojan:WinNT/Jinto.A BScope.P2P-Worm.Palevo Trojan.Win32.Tdss Win32/Trojan.c68", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Inject.79360.B": [[26, 51]], "Indicator: Trojan.Jinto": [[52, 64]], "Indicator: Trojan/Inject.nzs": [[65, 82]], "Indicator: Trojan.Heur.TP.EDF4BE": [[83, 104]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[105, 147]], "Indicator: W32/Trojan2.IJVQ": [[148, 164]], "Indicator: TROJ_INJECT.AQT": [[165, 180], [302, 317]], "Indicator: Trojan.Win32.Inject.79360": [[181, 206]], "Indicator: Troj.W32.Inject.nzs!c": [[207, 228]], "Indicator: TrojWare.Win32.Inject.nzs": [[229, 254]], "Indicator: Win32.HLLW.Recycler.8": [[255, 276]], "Indicator: Trojan.Inject.Win32.2004": [[277, 301]], "Indicator: BehavesLike.Win32.PWSZbot.lh": [[318, 346]], "Indicator: W32/Trojan.PLGK-4123": [[347, 367]], "Indicator: Trojan/Inject.dyx": [[368, 385]], "Indicator: Win32.Troj.Inject.kcloud": [[386, 410]], "Indicator: Trojan:WinNT/Jinto.A": [[411, 431]], "Indicator: BScope.P2P-Worm.Palevo": [[432, 454]], "Indicator: Trojan.Win32.Tdss": [[455, 472]], "Indicator: Win32/Trojan.c68": [[473, 489]]}, "info": {"id": "cyner2_5class_train_03710", "source": "cyner2_5class_train"}} +{"text": "] net svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner2_5class_train_03711", "source": "cyner2_5class_train"}} +{"text": 
"A backdoor also known as: Trojan-Downloader.NSIS.FraudLoad.hd BackDoor.RMS.111 BehavesLike.Win32.Dropper.vc W32/Trojan.KGYI-2902 TR/RedCap.ntnqc Backdoor:Win32/Kitpolap.A Trojan-Downloader.NSIS.FraudLoad.hd Trojan/Win32.Downloader.C2123311 Trj/CI.A NSIS/Radmin.B Win32.Trojan.Ratenjay.Umsg Riskware.RemoteAdmin!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.NSIS.FraudLoad.hd": [[26, 61], [171, 206]], "Indicator: BackDoor.RMS.111": [[62, 78]], "Indicator: BehavesLike.Win32.Dropper.vc": [[79, 107]], "Indicator: W32/Trojan.KGYI-2902": [[108, 128]], "Indicator: TR/RedCap.ntnqc": [[129, 144]], "Indicator: Backdoor:Win32/Kitpolap.A": [[145, 170]], "Indicator: Trojan/Win32.Downloader.C2123311": [[207, 239]], "Indicator: Trj/CI.A": [[240, 248]], "Indicator: NSIS/Radmin.B": [[249, 262]], "Indicator: Win32.Trojan.Ratenjay.Umsg": [[263, 289]], "Indicator: Riskware.RemoteAdmin!": [[290, 311]]}, "info": {"id": "cyner2_5class_train_03712", "source": "cyner2_5class_train"}} +{"text": "This domain is similar to the one the malware author used for his adware C & C communication , minigameshouse [ .", "spans": {"Indicator: minigameshouse [ .": [[95, 113]]}, "info": {"id": "cyner2_5class_train_03713", "source": "cyner2_5class_train"}} +{"text": "] netupload404 [ .", "spans": {"Indicator: [ .": [[15, 18]]}, "info": {"id": "cyner2_5class_train_03714", "source": "cyner2_5class_train"}} +{"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware .", "spans": {}, "info": {"id": "cyner2_5class_train_03715", "source": "cyner2_5class_train"}} +{"text": "Two chunks are filled with an asynchronous procedure call ( APC ) routine code and a stub .", "spans": {}, "info": {"id": "cyner2_5class_train_03716", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware00 Backdoor.Sharat TROJ_TROXEN.CHU Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_TROXEN.CHU 
Win.Trojan.Downbot-3 Trojan.DownLoader5.18587 Trojan.Heur.RP.EA89AF Downloader/Win32.Small.R1708 Win32/Sharat.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware00": [[26, 45]], "Indicator: Backdoor.Sharat": [[46, 61]], "Indicator: TROJ_TROXEN.CHU": [[62, 77], [121, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[78, 120]], "Indicator: Win.Trojan.Downbot-3": [[137, 157]], "Indicator: Trojan.DownLoader5.18587": [[158, 182]], "Indicator: Trojan.Heur.RP.EA89AF": [[183, 204]], "Indicator: Downloader/Win32.Small.R1708": [[205, 233]], "Indicator: Win32/Sharat.A": [[234, 248]]}, "info": {"id": "cyner2_5class_train_03717", "source": "cyner2_5class_train"}} +{"text": "C2 servers are shared by multiple samples .", "spans": {}, "info": {"id": "cyner2_5class_train_03718", "source": "cyner2_5class_train"}} +{"text": "Talos has found a new SPAM campaign that is using multiple layers of obfuscation to attempt to evade detection.", "spans": {"Organization: Talos": [[0, 5]], "Indicator: multiple layers of obfuscation": [[50, 80]]}, "info": {"id": "cyner2_5class_train_03719", "source": "cyner2_5class_train"}} +{"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT com.viber.voip Viber Messenger com.immomo.momo MOMO陌陌 com.facebook.orca Messenger – Text and Video Chat for Free com.skype.rover Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores .", "spans": {"Indicator: com.whatsapp": [[22, 34]], "System: WhatsApp": [[35, 43]], "System: Messenger": [[44, 53], [300, 309], [337, 346], [388, 397]], "Indicator: com.pugna.magiccall": [[54, 73]], 
"Indicator: org.telegram.messenger": [[78, 100]], "System: Telegram": [[101, 109]], "Indicator: com.facebook.katana": [[110, 129]], "System: Facebook": [[130, 138]], "Indicator: com.twitter.android": [[139, 158]], "System: Twitter": [[159, 166]], "Indicator: jp.naver.line.android": [[167, 188]], "System: LINE": [[189, 193]], "Indicator: com.instanza.cocovoice": [[218, 240]], "Indicator: com.beetalk": [[246, 257]], "System: BeeTalk": [[258, 265]], "Indicator: com.gtomato.talkbox": [[266, 285]], "System: TalkBox": [[286, 293]], "Indicator: com.viber.voip": [[316, 330]], "System: Viber": [[331, 336]], "Indicator: com.immomo.momo": [[347, 362]], "System: MOMO陌陌": [[363, 369]], "Indicator: com.facebook.orca": [[370, 387]], "Indicator: com.skype.rover": [[429, 444], [556, 571]], "System: Skype": [[445, 450]], "System: Google Play": [[532, 543]]}, "info": {"id": "cyner2_5class_train_03720", "source": "cyner2_5class_train"}} +{"text": "The spear-phishing campaigns we detected use links to RAR-compressed executables and Microsoft Word attachments that exploit the CVE-2012-0158 vulnerability.", "spans": {"Indicator: links": [[45, 50]], "Indicator: RAR-compressed executables": [[54, 80]], "Indicator: Microsoft Word attachments": [[85, 111]], "Malware: exploit": [[117, 124]], "Indicator: CVE-2012-0158": [[129, 142]], "Vulnerability: vulnerability.": [[143, 157]]}, "info": {"id": "cyner2_5class_train_03721", "source": "cyner2_5class_train"}} +{"text": "Our research team has found infected apps on third-party app stores , but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages .", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "cyner2_5class_train_03722", "source": "cyner2_5class_train"}} +{"text": "FireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with KAL's Kalignite multivendor ATM platform.", "spans": {"Organization: FireEye Labs": [[0, 12]], 
"Malware: Ploutus,": [[68, 76]], "Malware: Ploutus-D,": [[84, 94]], "Organization: KAL's": [[115, 120]], "System: Kalignite multivendor ATM platform.": [[121, 156]]}, "info": {"id": "cyner2_5class_train_03723", "source": "cyner2_5class_train"}} +{"text": "This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA .", "spans": {"Malware: TrickMo": [[51, 58]]}, "info": {"id": "cyner2_5class_train_03724", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.6E79 Application.Bundler.InstallBrain.A Application.Bundler.InstallBrain.A Win32.Adware.InstallBrain.d Win.Adware.Installbrain-35 Win32.Application.InstallBrain.B not-a-virus:AdWare.Win32.BrainInst.u Application.Bundler.InstallBrain.A Trojan.Win32.Adw.crasga Application.Bundler.InstallBrain.A Application.Win32.InstallBrain.BL Trojan:W32/InstallBrain.A Adware.Downware.1295 Adware.BrainInst.Win32.32 AdWare.Win32.InstallBrain AdWare/BrainInst.dz W32.Adware.Installbrain GrayWare[AdWare:not-a-virus]/Win32.BrainInst.u TrojanDownloader:Win32/Brantall.B PUP.InstallBrain/Variant not-a-virus:AdWare.Win32.BrainInst.u AdWare.BrainInst PUP.Optional.InstallBrain Win32.Adware.Braininst.Wvas Adware.BrainInst!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.6E79": [[26, 44]], "Indicator: Application.Bundler.InstallBrain.A": [[45, 79], [80, 114], [240, 274], [299, 333]], "Indicator: Win32.Adware.InstallBrain.d": [[115, 142]], "Indicator: Win.Adware.Installbrain-35": [[143, 169]], "Indicator: Win32.Application.InstallBrain.B": [[170, 202]], "Indicator: not-a-virus:AdWare.Win32.BrainInst.u": [[203, 239], [617, 653]], "Indicator: Trojan.Win32.Adw.crasga": [[275, 298]], "Indicator: Application.Win32.InstallBrain.BL": [[334, 367]], "Indicator: Trojan:W32/InstallBrain.A": [[368, 393]], "Indicator: Adware.Downware.1295": [[394, 414]], "Indicator: Adware.BrainInst.Win32.32": 
[[415, 440]], "Indicator: AdWare.Win32.InstallBrain": [[441, 466]], "Indicator: AdWare/BrainInst.dz": [[467, 486]], "Indicator: W32.Adware.Installbrain": [[487, 510]], "Indicator: GrayWare[AdWare:not-a-virus]/Win32.BrainInst.u": [[511, 557]], "Indicator: TrojanDownloader:Win32/Brantall.B": [[558, 591]], "Indicator: PUP.InstallBrain/Variant": [[592, 616]], "Indicator: AdWare.BrainInst": [[654, 670]], "Indicator: PUP.Optional.InstallBrain": [[671, 696]], "Indicator: Win32.Adware.Braininst.Wvas": [[697, 724]], "Indicator: Adware.BrainInst!": [[725, 742]]}, "info": {"id": "cyner2_5class_train_03725", "source": "cyner2_5class_train"}} +{"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days .", "spans": {"Organization: Lookout": [[17, 24]]}, "info": {"id": "cyner2_5class_train_03726", "source": "cyner2_5class_train"}} +{"text": "Beyond the Android app itself , other components such as the aforementioned ELF libraries have additional data-stealing capabilities .", "spans": {"System: Android": [[11, 18]]}, "info": {"id": "cyner2_5class_train_03727", "source": "cyner2_5class_train"}} +{"text": "This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime , and it has been downloaded from the Google Play Store more than 50,000 times .", "spans": {"Malware: Dvmap": [[11, 16]], "System: Android": [[27, 34]], "System: Google Play Store": [[146, 163]]}, "info": {"id": "cyner2_5class_train_03728", "source": "cyner2_5class_train"}} +{"text": "The C & C address and the encryption key ( one for different modifications in versions 4.x and 5.x , and distinct for different C & Cs in later versions ) are stitched into the body of the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_03729", "source": "cyner2_5class_train"}} +{"text": "Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital 
certificate and decoded via certutil.exe.", "spans": {"Malware: malware": [[54, 61]], "Indicator: a base64 digital certificate": [[78, 106]], "Indicator: decoded": [[111, 118]], "Indicator: certutil.exe.": [[123, 136]]}, "info": {"id": "cyner2_5class_train_03730", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Backdoor.Zegost.B.5 Trojan/Redosdru.aw Backdoor.Bapkri TrojWare.Win32.GameThief.Magania.~NWABI Dialer.Bjlog Backdoor.Win32.Zegost!IK Backdoor/Win32.Bapkri Backdoor.Win32.Drwolf.fep Backdoor.Win32.Zegost W32/Bjlog.SMC!tr PSW.OnlineGames3.WQF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Backdoor.Zegost.B.5": [[26, 51]], "Indicator: Trojan/Redosdru.aw": [[52, 70]], "Indicator: Backdoor.Bapkri": [[71, 86]], "Indicator: TrojWare.Win32.GameThief.Magania.~NWABI": [[87, 126]], "Indicator: Dialer.Bjlog": [[127, 139]], "Indicator: Backdoor.Win32.Zegost!IK": [[140, 164]], "Indicator: Backdoor/Win32.Bapkri": [[165, 186]], "Indicator: Backdoor.Win32.Drwolf.fep": [[187, 212]], "Indicator: Backdoor.Win32.Zegost": [[213, 234]], "Indicator: W32/Bjlog.SMC!tr": [[235, 251]], "Indicator: PSW.OnlineGames3.WQF": [[252, 272]]}, "info": {"id": "cyner2_5class_train_03731", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Banload.bppx Trojan.Win32.A.Downloader.279193 Trojan.Qhost.3874 Downloader.Banload.Win32.43263 Trojan[Downloader]/Win32.Banload Trojan-Downloader.Win32.Banload.bppx TrojanDownloader:Win32/Servi.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Banload.bppx": [[26, 62], [178, 214]], "Indicator: Trojan.Win32.A.Downloader.279193": [[63, 95]], "Indicator: Trojan.Qhost.3874": [[96, 113]], "Indicator: Downloader.Banload.Win32.43263": [[114, 144]], "Indicator: Trojan[Downloader]/Win32.Banload": [[145, 177]], "Indicator: TrojanDownloader:Win32/Servi.A": [[215, 245]]}, "info": {"id": "cyner2_5class_train_03732", "source": "cyner2_5class_train"}} 
+{"text": "'' We determined that the \" eCommon '' file contains support code and structures that are platform independent .", "spans": {}, "info": {"id": "cyner2_5class_train_03733", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Kryptik.qb Trojan:Win32/Sopinar.D SScope.Malware-Cryptor.Drixed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Kryptik.qb": [[26, 49]], "Indicator: Trojan:Win32/Sopinar.D": [[50, 72]], "Indicator: SScope.Malware-Cryptor.Drixed": [[73, 102]]}, "info": {"id": "cyner2_5class_train_03734", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.FakeGom.13314 Backdoor.Miancha.r5 Backdoor.Miancha! W32/Backdoor2.HTKG Backdoor.Miancha TROJ_DROPPR.YZ Backdoor.Win32.Miancha.b Trojan.Win32.Miancha.dxrsks Backdoor.W32.Miancha.b!c Win32.Backdoor.Miancha.Jcq Backdoor:W32/Miancha.A BackDoor.Miancha.1 Backdoor.Miancha.Win32.4 TROJ_DROPPR.YZ W32/Backdoor.IZWZ-3837 Backdoor/Miancha.a TR/Miancha.A.1 Trojan:Win32/Miancha.A Backdoor.Miancha Backdoor.Win32.Miancha Backdoor.Win32.Miancha.b Win32/Backdoor.3e8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.FakeGom.13314": [[26, 50]], "Indicator: Backdoor.Miancha.r5": [[51, 70]], "Indicator: Backdoor.Miancha!": [[71, 88]], "Indicator: W32/Backdoor2.HTKG": [[89, 107]], "Indicator: Backdoor.Miancha": [[108, 124], [407, 423]], "Indicator: TROJ_DROPPR.YZ": [[125, 139], [312, 326]], "Indicator: Backdoor.Win32.Miancha.b": [[140, 164], [447, 471]], "Indicator: Trojan.Win32.Miancha.dxrsks": [[165, 192]], "Indicator: Backdoor.W32.Miancha.b!c": [[193, 217]], "Indicator: Win32.Backdoor.Miancha.Jcq": [[218, 244]], "Indicator: Backdoor:W32/Miancha.A": [[245, 267]], "Indicator: BackDoor.Miancha.1": [[268, 286]], "Indicator: Backdoor.Miancha.Win32.4": [[287, 311]], "Indicator: W32/Backdoor.IZWZ-3837": [[327, 349]], "Indicator: Backdoor/Miancha.a": [[350, 368]], "Indicator: TR/Miancha.A.1": [[369, 383]], "Indicator: 
Trojan:Win32/Miancha.A": [[384, 406]], "Indicator: Backdoor.Win32.Miancha": [[424, 446]], "Indicator: Win32/Backdoor.3e8": [[472, 490]]}, "info": {"id": "cyner2_5class_train_03735", "source": "cyner2_5class_train"}} +{"text": "To evade detection, this app was concealed as a legitimate app.", "spans": {}, "info": {"id": "cyner2_5class_train_03736", "source": "cyner2_5class_train"}} +{"text": "In recent months, Unit 42 has observed a number of attacks that we attribute to this group.", "spans": {"Indicator: attacks": [[51, 58]], "Organization: group.": [[85, 91]]}, "info": {"id": "cyner2_5class_train_03737", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.System3YM.Worm Worm.Win32.AutoRun!O Worm.Tupym.A5 W32/Tupym.worm Worm.AutoRun.FLD Worm.Autorun.Win32.63738 Trojan.Heur.AutoIT.2 Win32.Trojan.WisdomEyes.16070401.9500.9892 W32.Svich Win32/Yahlover.PT WORM_SOHAND.SM Win.Worm.Autorun-313 Worm.Win32.AutoRun.fnc Trojan.Script.Autorun.ddaffd W32.W.AutoRun.llU2 TrojWare.Win32.Injector.XEM Trojan.StartPage.31354 WORM_SOHAND.SM BehavesLike.Win32.Tupym.tz Worm.Win32.AutoRun Worm:Win32/Tupym.A Worm:Win32/Tupym.A Worm.Win32.AutoRun.fnc HEUR/Fakon.mwf Worm.Win32.Autorun.fnc Trojan.Autorun!VgV/xk+eV94 W32/AutoVt.AAAD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.System3YM.Worm": [[26, 44]], "Indicator: Worm.Win32.AutoRun!O": [[45, 65]], "Indicator: Worm.Tupym.A5": [[66, 79]], "Indicator: W32/Tupym.worm": [[80, 94]], "Indicator: Worm.AutoRun.FLD": [[95, 111]], "Indicator: Worm.Autorun.Win32.63738": [[112, 136]], "Indicator: Trojan.Heur.AutoIT.2": [[137, 157]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9892": [[158, 200]], "Indicator: W32.Svich": [[201, 210]], "Indicator: Win32/Yahlover.PT": [[211, 228]], "Indicator: WORM_SOHAND.SM": [[229, 243], [387, 401]], "Indicator: Win.Worm.Autorun-313": [[244, 264]], "Indicator: Worm.Win32.AutoRun.fnc": [[265, 287], [486, 508]], "Indicator: Trojan.Script.Autorun.ddaffd": [[288, 316]], 
"Indicator: W32.W.AutoRun.llU2": [[317, 335]], "Indicator: TrojWare.Win32.Injector.XEM": [[336, 363]], "Indicator: Trojan.StartPage.31354": [[364, 386]], "Indicator: BehavesLike.Win32.Tupym.tz": [[402, 428]], "Indicator: Worm.Win32.AutoRun": [[429, 447]], "Indicator: Worm:Win32/Tupym.A": [[448, 466], [467, 485]], "Indicator: HEUR/Fakon.mwf": [[509, 523]], "Indicator: Worm.Win32.Autorun.fnc": [[524, 546]], "Indicator: Trojan.Autorun!VgV/xk+eV94": [[547, 573]], "Indicator: W32/AutoVt.AAAD!tr": [[574, 592]]}, "info": {"id": "cyner2_5class_train_03738", "source": "cyner2_5class_train"}} +{"text": "Like previously added functionality , the code is borrowed from the leaked Anubis Trojan source code .", "spans": {"Malware: Anubis": [[75, 81]]}, "info": {"id": "cyner2_5class_train_03739", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.G.Door.2.0 Backdoor/W32.Hupigon.495616.Q Backdoor.G.Door.2.0 Backdoor/G_Door.20 Backdoor.G.Door.2.0 Trojan.Win32.GDoor.dhmh W32/GDoor.HMGD-8120 Backdoor.Trojan Win32/G_Door.A BKDR_GLACIER.A Trojan.G_Door.E Backdoor.Win32.G_Door.83 Backdoor.G_Door!J6XAtZWeqBw Backdoor.Win32.G-Door_20.Svr[h] Backdoor.W32.G_Door.20!c Backdoor.G.Door.2.0 Backdoor.Win32.G_Door.A Backdoor.G.Door.2.0 BackDoor.GDoor.20 Backdoor.GDoor.Win32.23 BKDR_GLACIER.A BackDoor-FR.svr W32/GDoor.D TR/GDoor.Srv W32/Gdoor.F!tr.bdr Trojan[Backdoor]/Win32.G_Door Backdoor.G.Door.2.0 BackDoor-FR.svr Backdoor.G_Door Bck/G_Door.I Win32.Backdoor.G_door.Szbj Backdoor.Win32.G_Door Backdoor.G.Door.2.0 Backdoor.Win32.G_Door.83 Win32/Trojan.a6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.G.Door.2.0": [[26, 45], [76, 95], [115, 134], [351, 370], [395, 414], [562, 581], [676, 695]], "Indicator: Backdoor/W32.Hupigon.495616.Q": [[46, 75]], "Indicator: Backdoor/G_Door.20": [[96, 114]], "Indicator: Trojan.Win32.GDoor.dhmh": [[135, 158]], "Indicator: W32/GDoor.HMGD-8120": [[159, 178]], "Indicator: Backdoor.Trojan": [[179, 194]], "Indicator: 
Win32/G_Door.A": [[195, 209]], "Indicator: BKDR_GLACIER.A": [[210, 224], [457, 471]], "Indicator: Trojan.G_Door.E": [[225, 240]], "Indicator: Backdoor.Win32.G_Door.83": [[241, 265], [696, 720]], "Indicator: Backdoor.G_Door!J6XAtZWeqBw": [[266, 293]], "Indicator: Backdoor.Win32.G-Door_20.Svr[h]": [[294, 325]], "Indicator: Backdoor.W32.G_Door.20!c": [[326, 350]], "Indicator: Backdoor.Win32.G_Door.A": [[371, 394]], "Indicator: BackDoor.GDoor.20": [[415, 432]], "Indicator: Backdoor.GDoor.Win32.23": [[433, 456]], "Indicator: BackDoor-FR.svr": [[472, 487], [582, 597]], "Indicator: W32/GDoor.D": [[488, 499]], "Indicator: TR/GDoor.Srv": [[500, 512]], "Indicator: W32/Gdoor.F!tr.bdr": [[513, 531]], "Indicator: Trojan[Backdoor]/Win32.G_Door": [[532, 561]], "Indicator: Backdoor.G_Door": [[598, 613]], "Indicator: Bck/G_Door.I": [[614, 626]], "Indicator: Win32.Backdoor.G_door.Szbj": [[627, 653]], "Indicator: Backdoor.Win32.G_Door": [[654, 675]], "Indicator: Win32/Trojan.a6d": [[721, 737]]}, "info": {"id": "cyner2_5class_train_03740", "source": "cyner2_5class_train"}} +{"text": "Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven't already, update/patch your Adobe Flash now.", "spans": {"System: Adobe Flash": [[139, 150]]}, "info": {"id": "cyner2_5class_train_03741", "source": "cyner2_5class_train"}} +{"text": "Charger , however , uses a heavy packing approach which it harder for the malware to stay hidden , so it must compensate with other means .", "spans": {"Malware: Charger": [[0, 7]]}, "info": {"id": "cyner2_5class_train_03742", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit/W97.CVE-2012-0158 Exp.OLE.CVE-2012-0158.E Win32.Exploit.CVE-2012-0158.l Doc.Exploit.CVE_2012_0158-17 Exploit.MSWord.CVE-2012-0158.de Exploit.ComObj.CVE-2012-0158.hzuf Exploit.WORD.CVE-2012-0158.A EXPL_MSCOMCTL.A Trojan.EKOP-3 EXP/CVE-2012-0158.hgyuv Trojan[Exploit]/MSWord.CVE-2012-0158.de 
Exploit.MSWord.CVE-2012-0158.de Exploit.CVE-2012-0158 MSWord/Toolbar.A!exploit virus.exp.20120158", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit/W97.CVE-2012-0158": [[26, 51]], "Indicator: Exp.OLE.CVE-2012-0158.E": [[52, 75]], "Indicator: Win32.Exploit.CVE-2012-0158.l": [[76, 105]], "Indicator: Doc.Exploit.CVE_2012_0158-17": [[106, 134]], "Indicator: Exploit.MSWord.CVE-2012-0158.de": [[135, 166], [324, 355]], "Indicator: Exploit.ComObj.CVE-2012-0158.hzuf": [[167, 200]], "Indicator: Exploit.WORD.CVE-2012-0158.A": [[201, 229]], "Indicator: EXPL_MSCOMCTL.A": [[230, 245]], "Indicator: Trojan.EKOP-3": [[246, 259]], "Indicator: EXP/CVE-2012-0158.hgyuv": [[260, 283]], "Indicator: Trojan[Exploit]/MSWord.CVE-2012-0158.de": [[284, 323]], "Indicator: Exploit.CVE-2012-0158": [[356, 377]], "Indicator: MSWord/Toolbar.A!exploit": [[378, 402]], "Indicator: virus.exp.20120158": [[403, 421]]}, "info": {"id": "cyner2_5class_train_03743", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Banito.AQ Backdoor.Banito.ae.n3 Backdoor/Banito.aq Backdoor.Banito!msfCf/FWzGs W32/Banito.AI BKDR_BANITO.BE Backdoor.Win32.Banito.bt Backdoor.Banito.AQ Backdoor.Win32.Banito Backdoor.Banito.AQ BackDoor.Faggoty BKDR_BANITO.BE Backdoor.Win32.Banito!IK Backdoor/Banito.ao Backdoor:Win32/Banito.D Backdoor.Win32.Banito.54784.F[UPX] Backdoor.Banito.AQ Win-Trojan/Banito.54784.D OScope.Backdoor.Banito.1 Backdoor.Win32.Banito W32/Banito.AJ!tr.bdr Bck/Banito.AT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Banito.AQ": [[26, 44], [168, 186], [209, 227], [363, 381]], "Indicator: Backdoor.Banito.ae.n3": [[45, 66]], "Indicator: Backdoor/Banito.aq": [[67, 85]], "Indicator: Backdoor.Banito!msfCf/FWzGs": [[86, 113]], "Indicator: W32/Banito.AI": [[114, 127]], "Indicator: BKDR_BANITO.BE": [[128, 142], [245, 259]], "Indicator: Backdoor.Win32.Banito.bt": [[143, 167]], "Indicator: Backdoor.Win32.Banito": [[187, 208], [433, 454]], "Indicator: 
BackDoor.Faggoty": [[228, 244]], "Indicator: Backdoor.Win32.Banito!IK": [[260, 284]], "Indicator: Backdoor/Banito.ao": [[285, 303]], "Indicator: Backdoor:Win32/Banito.D": [[304, 327]], "Indicator: Backdoor.Win32.Banito.54784.F[UPX]": [[328, 362]], "Indicator: Win-Trojan/Banito.54784.D": [[382, 407]], "Indicator: OScope.Backdoor.Banito.1": [[408, 432]], "Indicator: W32/Banito.AJ!tr.bdr": [[455, 475]], "Indicator: Bck/Banito.AT": [[476, 489]]}, "info": {"id": "cyner2_5class_train_03744", "source": "cyner2_5class_train"}} +{"text": "W32/NionSpy is a family of malware that steals information from infected machines and replicates to new machines over networks and removable thumb drives.", "spans": {"Indicator: W32/NionSpy": [[0, 11]], "Malware: malware": [[27, 34]], "Indicator: steals information": [[40, 58]], "System: machines": [[73, 81], [104, 112]], "System: removable thumb drives.": [[131, 154]]}, "info": {"id": "cyner2_5class_train_03745", "source": "cyner2_5class_train"}} +{"text": "Domain names registered by the Fancy Bear actor", "spans": {"Indicator: Domain": [[0, 6]]}, "info": {"id": "cyner2_5class_train_03746", "source": "cyner2_5class_train"}} +{"text": "Early in March, while studying the ChinaZ threat, it became readily apparent that default passwords were being used for more than just a supplementary attack vector.", "spans": {"Indicator: default passwords were being used": [[82, 115]], "Indicator: supplementary attack vector.": [[137, 165]]}, "info": {"id": "cyner2_5class_train_03747", "source": "cyner2_5class_train"}} +{"text": "The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context.", "spans": {"Vulnerability: vulnerability": [[4, 17]], "Vulnerability: arbitrary code": [[51, 65]], "Malware: exploit": [[74, 81]], "Vulnerability: JavaScript": [[103, 113]], "Malware: payload": [[114, 121]], "Indicator: local file context.": [[131, 150]]}, "info": {"id": 
"cyner2_5class_train_03748", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Multi.Moridin!O W32.Moridin.B PE_MORIDIN.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Morodi.A PE_MORIDIN.A Win.Trojan.Morid-5 Virus.Multi.Moridin.b Win32.Moridin.A Virus.Multi.Moridin!c Heur.Packed.Unknown Win32.Moridin Virus.Moridin.Win32.2 BehavesLike.Win32.Ipamor.cm W32/Trojan.BIOB-8512 TR/Moridin.B.2 Win32.Multi.b.106496 Trojan.Heur.FU.EB24AD Virus.Multi.Moridin.b Virus.Multi.Moridin W32/Moridin.72192 Win32.Virus.Moridin.Dzkb IRC.Moridin.B Trojan-Dropper.Win32.Loring W32/Moridin.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Multi.Moridin!O": [[26, 47]], "Indicator: W32.Moridin.B": [[48, 61]], "Indicator: PE_MORIDIN.A": [[62, 74], [131, 143]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: W32.Morodi.A": [[118, 130]], "Indicator: Win.Trojan.Morid-5": [[144, 162]], "Indicator: Virus.Multi.Moridin.b": [[163, 184], [386, 407]], "Indicator: Win32.Moridin.A": [[185, 200]], "Indicator: Virus.Multi.Moridin!c": [[201, 222]], "Indicator: Heur.Packed.Unknown": [[223, 242]], "Indicator: Win32.Moridin": [[243, 256]], "Indicator: Virus.Moridin.Win32.2": [[257, 278]], "Indicator: BehavesLike.Win32.Ipamor.cm": [[279, 306]], "Indicator: W32/Trojan.BIOB-8512": [[307, 327]], "Indicator: TR/Moridin.B.2": [[328, 342]], "Indicator: Win32.Multi.b.106496": [[343, 363]], "Indicator: Trojan.Heur.FU.EB24AD": [[364, 385]], "Indicator: Virus.Multi.Moridin": [[408, 427]], "Indicator: W32/Moridin.72192": [[428, 445]], "Indicator: Win32.Virus.Moridin.Dzkb": [[446, 470]], "Indicator: IRC.Moridin.B": [[471, 484]], "Indicator: Trojan-Dropper.Win32.Loring": [[485, 512]], "Indicator: W32/Moridin.B": [[513, 526]]}, "info": {"id": "cyner2_5class_train_03749", "source": "cyner2_5class_train"}} +{"text": "Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.", "spans": 
{"Malware: Regin": [[21, 26]], "Organization: corporations, institutions, academics,": [[69, 107]], "Organization: individuals.": [[112, 124]]}, "info": {"id": "cyner2_5class_train_03750", "source": "cyner2_5class_train"}} +{"text": "System application installed by mcpef.apk .", "spans": {"Indicator: mcpef.apk": [[32, 41]]}, "info": {"id": "cyner2_5class_train_03751", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod90c.Trojan.0a13 Trojan.BHO.ODS Trojan-Clicker/W32.BHO.20480.L TrojanDropper.Nonaco Trojan.BHO Riskware.Win32.E404.fyxw W32/Downldr2.HQQK Win32/Puper.RK Trojan.BHO.ODS Adware.BHO!Ut7EPOdXbSM Adware.E404.20480.B Trojan.BHO.ODS Trojan.BHO.ODS Trojan.Popuper.43732 Spyware[AdWare:not-a-virus]/Win32.BHO TrojanDropper:Win32/Nonaco.C Trojan.BHO.ODS W32/Downloader.GJMR-1771 Trojan.Win32.Dbg AdWare.Win32.BHO.aNN Win32/BHO.NHP not-a-virus:AdWare.Win32.E404", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod90c.Trojan.0a13": [[26, 49]], "Indicator: Trojan.BHO.ODS": [[50, 64], [186, 200], [244, 258], [259, 273], [362, 376]], "Indicator: Trojan-Clicker/W32.BHO.20480.L": [[65, 95]], "Indicator: TrojanDropper.Nonaco": [[96, 116]], "Indicator: Trojan.BHO": [[117, 127]], "Indicator: Riskware.Win32.E404.fyxw": [[128, 152]], "Indicator: W32/Downldr2.HQQK": [[153, 170]], "Indicator: Win32/Puper.RK": [[171, 185]], "Indicator: Adware.BHO!Ut7EPOdXbSM": [[201, 223]], "Indicator: Adware.E404.20480.B": [[224, 243]], "Indicator: Trojan.Popuper.43732": [[274, 294]], "Indicator: Spyware[AdWare:not-a-virus]/Win32.BHO": [[295, 332]], "Indicator: TrojanDropper:Win32/Nonaco.C": [[333, 361]], "Indicator: W32/Downloader.GJMR-1771": [[377, 401]], "Indicator: Trojan.Win32.Dbg": [[402, 418]], "Indicator: AdWare.Win32.BHO.aNN": [[419, 439]], "Indicator: Win32/BHO.NHP": [[440, 453]], "Indicator: not-a-virus:AdWare.Win32.E404": [[454, 483]]}, "info": {"id": "cyner2_5class_train_03752", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: W32.FamVT.RazyNHmA.Trojan Win32.Trojan.Kryptik.ayq TSPY_HPZBOT.SM1 TrojWare.Win32.DorkBot.LB TSPY_HPZBOT.SM1 BehavesLike.Win32.RansomTescrypt.ch Trojan.Win32.Crypt TR/Crypt.Xpack.itdny Trojan.Symmi.D1129F Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.RazyNHmA.Trojan": [[26, 51]], "Indicator: Win32.Trojan.Kryptik.ayq": [[52, 76]], "Indicator: TSPY_HPZBOT.SM1": [[77, 92], [119, 134]], "Indicator: TrojWare.Win32.DorkBot.LB": [[93, 118]], "Indicator: BehavesLike.Win32.RansomTescrypt.ch": [[135, 170]], "Indicator: Trojan.Win32.Crypt": [[171, 189]], "Indicator: TR/Crypt.Xpack.itdny": [[190, 210]], "Indicator: Trojan.Symmi.D1129F": [[211, 230]], "Indicator: Trj/GdSda.A": [[231, 242]]}, "info": {"id": "cyner2_5class_train_03753", "source": "cyner2_5class_train"}} +{"text": "Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.", "spans": {"Organization: power facilities": [[94, 110]], "Indicator: attacks": [[159, 166]], "Organization: mining company": [[177, 191]], "Organization: railway operator": [[204, 220]]}, "info": {"id": "cyner2_5class_train_03754", "source": "cyner2_5class_train"}} +{"text": "The group behind these attacks is known as Dragonfly.", "spans": {"Indicator: attacks": [[23, 30]]}, "info": {"id": "cyner2_5class_train_03755", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.iStartSurf.1 Application.iStartSurf.1 Win32.Trojan.WisdomEyes.16070401.9500.9915 NSIS/TrojanDownloader.Adload.AQ not-a-virus:HEUR:AdWare.Win32.AdLoad.heur Application.iStartSurf.1 Riskware.Nsis.Adload.dtchzc Adware.W32.Adload!c Trojan.Vittalia.1482 BehavesLike.Win32.AdwareAdload.tc TR/Dldr.Adload.1839597.7 TrojanDownloader:Win32/Quireap.A not-a-virus:HEUR:AdWare.Win32.AdLoad.heur PUP/Win32.Adload.R155445 Trj/CI.A NSIS.Adware.Adload.V", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.iStartSurf.1": [[26, 50], [51, 75], [193, 217]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9915": [[76, 118]], "Indicator: NSIS/TrojanDownloader.Adload.AQ": [[119, 150]], "Indicator: not-a-virus:HEUR:AdWare.Win32.AdLoad.heur": [[151, 192], [379, 420]], "Indicator: Riskware.Nsis.Adload.dtchzc": [[218, 245]], "Indicator: Adware.W32.Adload!c": [[246, 265]], "Indicator: Trojan.Vittalia.1482": [[266, 286]], "Indicator: BehavesLike.Win32.AdwareAdload.tc": [[287, 320]], "Indicator: TR/Dldr.Adload.1839597.7": [[321, 345]], "Indicator: TrojanDownloader:Win32/Quireap.A": [[346, 378]], "Indicator: PUP/Win32.Adload.R155445": [[421, 445]], "Indicator: Trj/CI.A": [[446, 454]], "Indicator: NSIS.Adware.Adload.V": [[455, 475]]}, "info": {"id": "cyner2_5class_train_03756", "source": "cyner2_5class_train"}} +{"text": "We have seen multiple Elirks variants using Japanese blog services for the last couple of years.", "spans": {"Malware: Elirks variants": [[22, 37]], "Indicator: Japanese blog services": [[44, 66]]}, "info": {"id": "cyner2_5class_train_03757", "source": "cyner2_5class_train"}} +{"text": "Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls .", "spans": {}, "info": {"id": "cyner2_5class_train_03758", "source": "cyner2_5class_train"}} +{"text": "C & C communications The default C & C address is hardwired in the Rotexy code : The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner .", "spans": {"Malware: Rotexy": [[67, 73]]}, "info": {"id": "cyner2_5class_train_03759", "source": "cyner2_5class_train"}} +{"text": "Symantec telemetry revealed an exploit hosted on the compromised site, which was used to infect visitors with the Korplug back door detected by Symantec as Backdoor.Korplug.", "spans": {"Organization: Symantec": [[0, 8], [144, 152]], "System: 
telemetry": [[9, 18]], "Malware: exploit": [[31, 38]], "Vulnerability: compromised": [[53, 64]], "Indicator: site,": [[65, 70]], "Malware: the Korplug back door": [[110, 131]], "Indicator: Backdoor.Korplug.": [[156, 173]]}, "info": {"id": "cyner2_5class_train_03760", "source": "cyner2_5class_train"}} +{"text": "This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel.", "spans": {"Malware: HTTPBrowser tool": [[46, 62]], "Indicator: DNS": [[72, 75]], "Indicator: control channel.": [[81, 97]]}, "info": {"id": "cyner2_5class_train_03761", "source": "cyner2_5class_train"}} +{"text": "Apart from injecting code to read the CAPTCHA , the app also injects its own code into the system_server process , which requires root privileges .", "spans": {}, "info": {"id": "cyner2_5class_train_03762", "source": "cyner2_5class_train"}} +{"text": "STRONTIUM has been active since at least 2007.", "spans": {}, "info": {"id": "cyner2_5class_train_03763", "source": "cyner2_5class_train"}} +{"text": "Figure 12 : Fake Bank Austria Security application icon In addition to operating as a banking Trojan , overlaying a legitimate banking app with an indistinguishable credential theft page , the malware also asks for credit card information from the user when they open applications such as the Google Play store .", "spans": {"System: Fake Bank Austria Security application": [[12, 50]], "System: Google Play": [[293, 304]]}, "info": {"id": "cyner2_5class_train_03764", "source": "cyner2_5class_train"}} +{"text": "Check Point informed the Google Security team about the apps, which were then removed from Google Play.", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google Security team": [[25, 45]], "System: apps,": [[56, 61]], "Organization: Google Play.": [[91, 103]]}, "info": {"id": "cyner2_5class_train_03765", "source": "cyner2_5class_train"}} +{"text": "Finally, this variant also contains an interesting piece of comment by the malware 
author written in the macro code, which made us feel obliged to take a closer look in the first place.", "spans": {}, "info": {"id": "cyner2_5class_train_03766", "source": "cyner2_5class_train"}} +{"text": "The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure , as shown in the image below : The fraudulent clicks generate a large revenue for the perpetrators , especially since the malware reached a presumably wide spread .", "spans": {"System: Google ads": [[93, 103]]}, "info": {"id": "cyner2_5class_train_03767", "source": "cyner2_5class_train"}} +{"text": "APT groups from multiple countries - including China - have been known to target organizations of strategic interest with aggressive malware-based espionage campaigns.", "spans": {"Organization: organizations": [[81, 94]]}, "info": {"id": "cyner2_5class_train_03768", "source": "cyner2_5class_train"}} +{"text": "Back then, MELANI already took appropriate action together with the affected financial institutions and ISPs in Switzerland to mitigate the threat.", "spans": {"Organization: MELANI": [[11, 17]], "Organization: financial institutions": [[77, 99]], "Organization: ISPs": [[104, 108]]}, "info": {"id": "cyner2_5class_train_03769", "source": "cyner2_5class_train"}} +{"text": "The credentials were immediately available in the leaky database – see Figure 6 .", "spans": {}, "info": {"id": "cyner2_5class_train_03770", "source": "cyner2_5class_train"}} +{"text": "Arsenal is currently developing a detailed case study related to our analysis of computers essential to the Odatv case in Turkey.", "spans": {"Organization: Arsenal": [[0, 7]]}, "info": {"id": "cyner2_5class_train_03771", "source": "cyner2_5class_train"}} +{"text": "Another day, another ransomware gang.", "spans": {}, "info": {"id": "cyner2_5class_train_03772", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9780 
BehavesLike.Win32.StartPage.th Trojan-Dropper.Win32.Autoit Trojan.AutoIT.7 TrojanDropper.Autit Autoit.Trojan.Heur.Sxyf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9780": [[26, 68]], "Indicator: BehavesLike.Win32.StartPage.th": [[69, 99]], "Indicator: Trojan-Dropper.Win32.Autoit": [[100, 127]], "Indicator: Trojan.AutoIT.7": [[128, 143]], "Indicator: TrojanDropper.Autit": [[144, 163]], "Indicator: Autoit.Trojan.Heur.Sxyf": [[164, 187]]}, "info": {"id": "cyner2_5class_train_03773", "source": "cyner2_5class_train"}} +{"text": "This is the exact scenario we witnessed this week during an incident response procedure and that is detailed in this diary.", "spans": {}, "info": {"id": "cyner2_5class_train_03774", "source": "cyner2_5class_train"}} +{"text": "How it works When the malware is first started on the device it will begin by removing its icon from the app drawer , hiding from the end user .", "spans": {}, "info": {"id": "cyner2_5class_train_03775", "source": "cyner2_5class_train"}} +{"text": "Buckeye also known as APT3, Gothic Panda, UPS Team, and TG-0110 is a cyberespionage group that is believed to have been operating for well over half a decade.", "spans": {}, "info": {"id": "cyner2_5class_train_03776", "source": "cyner2_5class_train"}} +{"text": "Looking at the characteristics of the tool, we suspect that it has been prepared for the purpose of corporate espionage.", "spans": {"Malware: tool,": [[38, 43]]}, "info": {"id": "cyner2_5class_train_03777", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoA.29F2 Backdoor.Win32.Poison!O TrojanDropper.VB BKDR_POISON.IRE Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/IRCBot.ACS BKDR_POISON.IRE Trojan-Dropper.Win32.VB.cwek Trojan.Win32.Poison.cqxwv Backdoor.Win32.Poison.146621 Backdoor.W32.Poison.bfjd!c Backdoor.Win32.Poison.fh Trojan.VbCrypt.68 Backdoor.Poison.Win32.31435 BehavesLike.Win32.Autorun.ch Backdoor/Poison.goa 
Trojan[Backdoor]/Win32.Poison Trojan-Dropper.Win32.VB.cwek Worm:Win32/Neubreku.C SIM.Trojan.VBO.02298 Bck/Poison.AK Win32.Trojan-dropper.Vb.Aenv Backdoor.Win32.Bifrose W32/VBInjector.W!tr Win32/Trojan.Dropper.b73", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoA.29F2": [[26, 43]], "Indicator: Backdoor.Win32.Poison!O": [[44, 67]], "Indicator: TrojanDropper.VB": [[68, 84]], "Indicator: BKDR_POISON.IRE": [[85, 100], [177, 192]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[101, 143]], "Indicator: Backdoor.Trojan": [[144, 159]], "Indicator: Win32/IRCBot.ACS": [[160, 176]], "Indicator: Trojan-Dropper.Win32.VB.cwek": [[193, 221], [454, 482]], "Indicator: Trojan.Win32.Poison.cqxwv": [[222, 247]], "Indicator: Backdoor.Win32.Poison.146621": [[248, 276]], "Indicator: Backdoor.W32.Poison.bfjd!c": [[277, 303]], "Indicator: Backdoor.Win32.Poison.fh": [[304, 328]], "Indicator: Trojan.VbCrypt.68": [[329, 346]], "Indicator: Backdoor.Poison.Win32.31435": [[347, 374]], "Indicator: BehavesLike.Win32.Autorun.ch": [[375, 403]], "Indicator: Backdoor/Poison.goa": [[404, 423]], "Indicator: Trojan[Backdoor]/Win32.Poison": [[424, 453]], "Indicator: Worm:Win32/Neubreku.C": [[483, 504]], "Indicator: SIM.Trojan.VBO.02298": [[505, 525]], "Indicator: Bck/Poison.AK": [[526, 539]], "Indicator: Win32.Trojan-dropper.Vb.Aenv": [[540, 568]], "Indicator: Backdoor.Win32.Bifrose": [[569, 591]], "Indicator: W32/VBInjector.W!tr": [[592, 611]], "Indicator: Win32/Trojan.Dropper.b73": [[612, 636]]}, "info": {"id": "cyner2_5class_train_03778", "source": "cyner2_5class_train"}} +{"text": "RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity.", "spans": {"Malware: RATs,": [[0, 5]], "Malware: H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind": [[14, 93]], "Organization: the Threat Research Team": [[132, 156]], "Organization: 
Fidelis Cybersecurity.": [[160, 182]]}, "info": {"id": "cyner2_5class_train_03779", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.RootSmart.A Android.GGSmart.A Android.Malware.Trojan A.H.Rog.RootSmart.B Android.Trojan.GGSmart.d AndroidOS/GGSmart.A AndroidOS_RootSmart.D Android.Trojan.RootSmart.A HEUR:Backdoor.AndroidOS.RootSmart.a Android.Trojan.RootSmart.A Trojan.Android.RootSmart.bdbwsm Riskware.Android.FakeInstall.jab Trojan-Downloader:Android/RootSmart.A Android.Smart.4.origin AndroidOS_RootSmart.D AndroidOS/GGSmart.A Backdoor/AndroidOS.erl ANDROID/GGSmart.D.4 Trojan[Backdoor]/Android.RootSmart Android.Troj.GacBlocker.a.kcloud Android.Trojan.RootSmart.A HEUR:Backdoor.AndroidOS.RootSmart.a Android-Backdoor/RootSmart.1bb6 Android/GGSmart.D Trojan.AndroidOS.GGSmart Android/GGSmart.D!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.RootSmart.A": [[26, 52], [181, 207], [244, 270], [550, 576]], "Indicator: Android.GGSmart.A": [[53, 70]], "Indicator: Android.Malware.Trojan": [[71, 93]], "Indicator: A.H.Rog.RootSmart.B": [[94, 113]], "Indicator: Android.Trojan.GGSmart.d": [[114, 138]], "Indicator: AndroidOS/GGSmart.A": [[139, 158], [419, 438]], "Indicator: AndroidOS_RootSmart.D": [[159, 180], [397, 418]], "Indicator: HEUR:Backdoor.AndroidOS.RootSmart.a": [[208, 243], [577, 612]], "Indicator: Trojan.Android.RootSmart.bdbwsm": [[271, 302]], "Indicator: Riskware.Android.FakeInstall.jab": [[303, 335]], "Indicator: Trojan-Downloader:Android/RootSmart.A": [[336, 373]], "Indicator: Android.Smart.4.origin": [[374, 396]], "Indicator: Backdoor/AndroidOS.erl": [[439, 461]], "Indicator: ANDROID/GGSmart.D.4": [[462, 481]], "Indicator: Trojan[Backdoor]/Android.RootSmart": [[482, 516]], "Indicator: Android.Troj.GacBlocker.a.kcloud": [[517, 549]], "Indicator: Android-Backdoor/RootSmart.1bb6": [[613, 644]], "Indicator: Android/GGSmart.D": [[645, 662]], "Indicator: Trojan.AndroidOS.GGSmart": [[663, 687]], "Indicator: 
Android/GGSmart.D!tr": [[688, 708]]}, "info": {"id": "cyner2_5class_train_03780", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.XML.CVE-2017-8570 W97M.Downloader Win32/Exploit.CVE-2017-8570.A TROJ_CVE20170199.JEJOPP Exploit.Xml.CVE-2017-0199.equmby PPT.S.Exploit.1356909 TROJ_CVE20170199.JEJOPP ZIP/Trojan.CGYR-2 XML/Dloader.S2 Exploit.CVE-2017-8570 MSOffice/Dloader!exploit.CVE20170199", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.XML.CVE-2017-8570": [[26, 47]], "Indicator: W97M.Downloader": [[48, 63]], "Indicator: Win32/Exploit.CVE-2017-8570.A": [[64, 93]], "Indicator: TROJ_CVE20170199.JEJOPP": [[94, 117], [173, 196]], "Indicator: Exploit.Xml.CVE-2017-0199.equmby": [[118, 150]], "Indicator: PPT.S.Exploit.1356909": [[151, 172]], "Indicator: ZIP/Trojan.CGYR-2": [[197, 214]], "Indicator: XML/Dloader.S2": [[215, 229]], "Indicator: Exploit.CVE-2017-8570": [[230, 251]], "Indicator: MSOffice/Dloader!exploit.CVE20170199": [[252, 288]]}, "info": {"id": "cyner2_5class_train_03781", "source": "cyner2_5class_train"}} +{"text": "No instances of these apps were found in Google Play .", "spans": {"System: Google Play": [[41, 52]]}, "info": {"id": "cyner2_5class_train_03782", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PasswordStealer Trojan.Win32.Ric.exqwlt Trojan.Win32.Z.Evrial.35328.F Trojan.MulDrop7.60168 Trojan.MSIL.PSW TrojanSpy:MSIL/Evrial.A!bit TScope.Trojan.MSIL Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PasswordStealer": [[26, 48]], "Indicator: Trojan.Win32.Ric.exqwlt": [[49, 72]], "Indicator: Trojan.Win32.Z.Evrial.35328.F": [[73, 102]], "Indicator: Trojan.MulDrop7.60168": [[103, 124]], "Indicator: Trojan.MSIL.PSW": [[125, 140]], "Indicator: TrojanSpy:MSIL/Evrial.A!bit": [[141, 168]], "Indicator: TScope.Trojan.MSIL": [[169, 187]], "Indicator: Trj/GdSda.A": [[188, 199]]}, "info": {"id": "cyner2_5class_train_03783", "source": "cyner2_5class_train"}} +{"text": "Some 
emulators build their phone number out of the default number created in the emulator software and the port number : 5554. getMachine function using anti-emulator technique .", "spans": {"Indicator: port number : 5554.": [[107, 126]]}, "info": {"id": "cyner2_5class_train_03784", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Abuse-Worry/W32.NetPass.466944 Trojanspy.Vlogger.A3 Trojan/Spy.VB.nwb Trojan.Heur.RX.EB6D33 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/VBInject.Stub Trojan.Win32.Diss.susqi Tool.NetPass.Win32.2684 Trojan[PSWTool]/Win32.NetPass PWS:Win32/Sifre.A Trojan.Win32.Diss.susqi Trojan/Win32.Sifre.R148157 Win32.Trojan.Diss.Lplb Riskware.PSWTool! Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Abuse-Worry/W32.NetPass.466944": [[26, 56]], "Indicator: Trojanspy.Vlogger.A3": [[57, 77]], "Indicator: Trojan/Spy.VB.nwb": [[78, 95]], "Indicator: Trojan.Heur.RX.EB6D33": [[96, 117]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[118, 160]], "Indicator: Win32/VBInject.Stub": [[161, 180]], "Indicator: Trojan.Win32.Diss.susqi": [[181, 204], [277, 300]], "Indicator: Tool.NetPass.Win32.2684": [[205, 228]], "Indicator: Trojan[PSWTool]/Win32.NetPass": [[229, 258]], "Indicator: PWS:Win32/Sifre.A": [[259, 276]], "Indicator: Trojan/Win32.Sifre.R148157": [[301, 327]], "Indicator: Win32.Trojan.Diss.Lplb": [[328, 350]], "Indicator: Riskware.PSWTool!": [[351, 368]], "Indicator: Trojan.Win32.VB": [[369, 384]]}, "info": {"id": "cyner2_5class_train_03785", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit-CVE2012-0158.u Trojan.Mdropper TROJ_CVE20120158.MESD Exploit.Win32.CVE-2012-0158.aw Exploit.ComObj.CVE-2012-0158.hzuf Exploit.W32.Cve!c Exploit.Mht.1 TROJ_CVE20120158.MESD Trojan:Win32/Knonyme.CS!dha Exploit.WORD.CVE-2012-0158 Exploit.MSWord.CVE-2012-0158 Win32/Trojan.Exploit.a11", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit-CVE2012-0158.u": [[26, 48]], "Indicator: 
Trojan.Mdropper": [[49, 64]], "Indicator: TROJ_CVE20120158.MESD": [[65, 86], [184, 205]], "Indicator: Exploit.Win32.CVE-2012-0158.aw": [[87, 117]], "Indicator: Exploit.ComObj.CVE-2012-0158.hzuf": [[118, 151]], "Indicator: Exploit.W32.Cve!c": [[152, 169]], "Indicator: Exploit.Mht.1": [[170, 183]], "Indicator: Trojan:Win32/Knonyme.CS!dha": [[206, 233]], "Indicator: Exploit.WORD.CVE-2012-0158": [[234, 260]], "Indicator: Exploit.MSWord.CVE-2012-0158": [[261, 289]], "Indicator: Win32/Trojan.Exploit.a11": [[290, 314]]}, "info": {"id": "cyner2_5class_train_03786", "source": "cyner2_5class_train"}} +{"text": "As 2016 comes to a close, we observe the same thing happening to another of Nintendo's game properties: Super Mario.", "spans": {"Organization: Nintendo's": [[76, 86]], "System: game properties: Super Mario.": [[87, 116]]}, "info": {"id": "cyner2_5class_train_03787", "source": "cyner2_5class_train"}} +{"text": "According to SimilarWeb, these sites have a combined total of at least 50 million visitors per month.", "spans": {}, "info": {"id": "cyner2_5class_train_03788", "source": "cyner2_5class_train"}} +{"text": "These emails contain misleading links that download malicious Zip files, which, in turn, contain a JavaScript file that downloads the TorrentLocker ransomware.", "spans": {"Indicator: emails": [[6, 12]], "Indicator: links": [[32, 37]], "Indicator: download malicious Zip files,": [[43, 72]], "Indicator: JavaScript file": [[99, 114]], "Malware: TorrentLocker ransomware.": [[134, 159]]}, "info": {"id": "cyner2_5class_train_03789", "source": "cyner2_5class_train"}} +{"text": "At this time , the Trojan also began actively using different methods of obfuscation .", "spans": {}, "info": {"id": "cyner2_5class_train_03790", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster.", "spans": 
{"Organization: Unit 42": [[0, 7]], "Malware: malware": [[40, 47]], "System: Samsung devices": [[71, 86]], "Organization: Korean language speakers,": [[91, 116]], "Malware: the malware": [[139, 150]]}, "info": {"id": "cyner2_5class_train_03791", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win.Trojan.Secrar-3 W32.W.Otwycal.l4av PUA.RiskWare.PEMalform Trojan:Win32/Secrar.A Win32/RiskWare.PEMalform.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Trojan.Secrar-3": [[26, 45]], "Indicator: W32.W.Otwycal.l4av": [[46, 64]], "Indicator: PUA.RiskWare.PEMalform": [[65, 87]], "Indicator: Trojan:Win32/Secrar.A": [[88, 109]], "Indicator: Win32/RiskWare.PEMalform.E": [[110, 136]]}, "info": {"id": "cyner2_5class_train_03792", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Scache.A Trojan.Scache.A Trojan.Scache.A Trojan.Scache.A Trojan.Dos.Scache.fnss TROJ_SCACHE.A Trojan.DOS.Scache Troj.DOS.Scache!c Trojan.Scache.A TrojWare.DOS.Scache Trojan.Scache.A Trojan.Cashe Trojan.Scache.DOS.2 TROJ_SCACHE.A TR/Scache.A W32/Scache.A!tr Trojan/DOS.Scache Trojan.Scache.A Dos.Trojan.Scache.Aguy Trojan.Scache.A Trojan.DOS.Scache.aa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Scache.A": [[26, 41], [42, 57], [58, 73], [74, 89], [163, 178], [199, 214], [308, 323], [347, 362]], "Indicator: Trojan.Dos.Scache.fnss": [[90, 112]], "Indicator: TROJ_SCACHE.A": [[113, 126], [248, 261]], "Indicator: Trojan.DOS.Scache": [[127, 144]], "Indicator: Troj.DOS.Scache!c": [[145, 162]], "Indicator: TrojWare.DOS.Scache": [[179, 198]], "Indicator: Trojan.Cashe": [[215, 227]], "Indicator: Trojan.Scache.DOS.2": [[228, 247]], "Indicator: TR/Scache.A": [[262, 273]], "Indicator: W32/Scache.A!tr": [[274, 289]], "Indicator: Trojan/DOS.Scache": [[290, 307]], "Indicator: Dos.Trojan.Scache.Aguy": [[324, 346]], "Indicator: Trojan.DOS.Scache.aa": [[363, 383]]}, "info": {"id": "cyner2_5class_train_03793", "source": "cyner2_5class_train"}} 
+{"text": "One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS.", "spans": {"Malware: malware": [[34, 41]], "Indicator: C2 address": [[67, 77]], "Indicator: microblog service": [[108, 125]], "System: SNS.": [[129, 133]]}, "info": {"id": "cyner2_5class_train_03794", "source": "cyner2_5class_train"}} +{"text": "This makes it a powerful tool for attackers.", "spans": {}, "info": {"id": "cyner2_5class_train_03795", "source": "cyner2_5class_train"}} +{"text": "Call an attacker-specified number Uninstall apps Check if a device is rooted Hide its icon Retrieve list of files on external storage If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off Encrypts some exfiltrated data Desert Scorpion 's second stage masquerades as a generic \" settings '' application .", "spans": {"Malware: Desert Scorpion": [[287, 302]]}, "info": {"id": "cyner2_5class_train_03796", "source": "cyner2_5class_train"}} +{"text": "The calls are almost certainly a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia's invasion of Ukraine.", "spans": {"Organization: Russian President Vladimir Putin": [[148, 180]]}, "info": {"id": "cyner2_5class_train_03797", "source": "cyner2_5class_train"}} +{"text": "While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organizations' networks remains a mystery.", "spans": {"Indicator: attacks": [[12, 19]], "Indicator: stole": [[77, 82]], "Indicator: credentials": [[89, 100]], "Indicator: W32.Disttrack": [[116, 129]], "Organization: organizations' networks": [[142, 165]]}, "info": {"id": "cyner2_5class_train_03798", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9990 W32.Sand.12300 Virus.Win32.HLLP.Alcaul.c Virus.Win32.HLLP.Alcaul.D Win32.HLLP.Alcopaul.12296 Win32.NGVCK.TTD Win32/HLLP.Alcaul.c W32/Alcaul.D Virus.Win32.HLLP.Alcaul.c Worm:Win32/Lopy.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[26, 68]], "Indicator: W32.Sand.12300": [[69, 83]], "Indicator: Virus.Win32.HLLP.Alcaul.c": [[84, 109], [211, 236]], "Indicator: Virus.Win32.HLLP.Alcaul.D": [[110, 135]], "Indicator: Win32.HLLP.Alcopaul.12296": [[136, 161]], "Indicator: Win32.NGVCK.TTD": [[162, 177]], "Indicator: Win32/HLLP.Alcaul.c": [[178, 197]], "Indicator: W32/Alcaul.D": [[198, 210]], "Indicator: Worm:Win32/Lopy.A": [[237, 254]]}, "info": {"id": "cyner2_5class_train_03799", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Nioupale Trojan/Daserf.b Trojan.Heur.PT.E6A39B BKDR_DASERF.ZCEG-A Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_DASERF.ZCEG-A Trojan.Win32.Scar.hnib Trojan.Win32.Invader.ervtpc Troj.Dropper.W32.Small.kZ2V Trojan.Inject1.18880 BehavesLike.Win32.Backdoor.kh W32/Trojan.MWNM-9354 Trojan/Win32.Scar Backdoor:Win32/Nioupale.A Trojan.Win32.Scar.hnib Trojan/Win32.Scar.R68534 Trojan.Scar Win32.Trojan.Scar.Llhd W32/Scar.HNIB!tr Win32/Trojan.97a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Nioupale": [[26, 43]], "Indicator: Trojan/Daserf.b": [[44, 59]], "Indicator: Trojan.Heur.PT.E6A39B": [[60, 81]], "Indicator: BKDR_DASERF.ZCEG-A": [[82, 100], [144, 162]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[101, 143]], "Indicator: Trojan.Win32.Scar.hnib": [[163, 185], [358, 380]], "Indicator: Trojan.Win32.Invader.ervtpc": [[186, 213]], "Indicator: Troj.Dropper.W32.Small.kZ2V": [[214, 241]], "Indicator: Trojan.Inject1.18880": [[242, 262]], "Indicator: BehavesLike.Win32.Backdoor.kh": [[263, 292]], "Indicator: W32/Trojan.MWNM-9354": [[293, 313]], "Indicator: Trojan/Win32.Scar": [[314, 331]], "Indicator: 
Backdoor:Win32/Nioupale.A": [[332, 357]], "Indicator: Trojan/Win32.Scar.R68534": [[381, 405]], "Indicator: Trojan.Scar": [[406, 417]], "Indicator: Win32.Trojan.Scar.Llhd": [[418, 440]], "Indicator: W32/Scar.HNIB!tr": [[441, 457]], "Indicator: Win32/Trojan.97a": [[458, 474]]}, "info": {"id": "cyner2_5class_train_03800", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MemScan:Backdoor.Hupigon.APH Win32.Backdoor.Hupigon.axbr.10 Backdoor.Graybird BKDR_HUPIGON.ASJ Backdoor.Win32.Hupigon.aha MemScan:Backdoor.Hupigon.APH MemScan:Backdoor.Hupigon.APH BackDoor.Pigeon.194 BKDR_HUPIGON.ASJ Backdoor.Win32.Hupigon!IK MemScan:Backdoor.Hupigon.APH Backdoor.Win32.Hupigon.cmpw Backdoor.Win32.Gpigeon2008.acj Backdoor.Win32.Hupigon BackDoor.Hupigon5.ARLC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MemScan:Backdoor.Hupigon.APH": [[26, 54], [148, 176], [177, 205], [269, 297]], "Indicator: Win32.Backdoor.Hupigon.axbr.10": [[55, 85]], "Indicator: Backdoor.Graybird": [[86, 103]], "Indicator: BKDR_HUPIGON.ASJ": [[104, 120], [226, 242]], "Indicator: Backdoor.Win32.Hupigon.aha": [[121, 147]], "Indicator: BackDoor.Pigeon.194": [[206, 225]], "Indicator: Backdoor.Win32.Hupigon!IK": [[243, 268]], "Indicator: Backdoor.Win32.Hupigon.cmpw": [[298, 325]], "Indicator: Backdoor.Win32.Gpigeon2008.acj": [[326, 356]], "Indicator: Backdoor.Win32.Hupigon": [[357, 379]], "Indicator: BackDoor.Hupigon5.ARLC": [[380, 402]]}, "info": {"id": "cyner2_5class_train_03801", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WS.Reputation.1 Trojan.Strictor.D148BF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: Trojan.Strictor.D148BF": [[42, 64]]}, "info": {"id": "cyner2_5class_train_03802", "source": "cyner2_5class_train"}} +{"text": "It steals SMS messages and information about voice calls .", "spans": {}, "info": {"id": "cyner2_5class_train_03803", "source": "cyner2_5class_train"}} +{"text": "It says those were 
sent in the report to the FBI.", "spans": {}, "info": {"id": "cyner2_5class_train_03804", "source": "cyner2_5class_train"}} +{"text": "The experts of G DATA's SecurityLabs analyzed a specially crafted Microsoft Word document the attackers used to install a rather famous banking Trojan called Dridex.", "spans": {"Organization: G DATA's SecurityLabs": [[15, 36]], "System: Microsoft Word document": [[66, 89]], "Malware: banking Trojan": [[136, 150]], "Malware: Dridex.": [[158, 165]]}, "info": {"id": "cyner2_5class_train_03805", "source": "cyner2_5class_train"}} +{"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code .", "spans": {"System: android-rooting-tools": [[74, 95], [275, 296]]}, "info": {"id": "cyner2_5class_train_03806", "source": "cyner2_5class_train"}} +{"text": "Attackers, regardless of their skills and motives, often attempt to wrap malicious code in a way that will seem innocuous to practitioners and security products.", "spans": {"Malware: malicious code": [[73, 87]], "Organization: practitioners": [[125, 138]], "System: security products.": [[143, 161]]}, "info": {"id": "cyner2_5class_train_03807", "source": "cyner2_5class_train"}} +{"text": "The vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents.", "spans": {"Vulnerability: vulnerability bypassed": [[4, 26]], "Organization: FireEye": [[82, 89]], "Indicator: email": [[90, 95]], "System: network products": [[100, 116]], "Indicator: the malicious documents.": [[126, 150]]}, "info": {"id": "cyner2_5class_train_03808", "source": "cyner2_5class_train"}} +{"text": "This incident happened on an Android 6.0.1 device, owned by one of the company's 
Vice Presidents.", "spans": {"System: Android 6.0.1 device,": [[29, 50]], "Organization: the company's Vice Presidents.": [[67, 97]]}, "info": {"id": "cyner2_5class_train_03809", "source": "cyner2_5class_train"}} +{"text": "Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details.", "spans": {"Organization: Morphisec researchers": [[0, 21]], "Malware: attacks": [[46, 53]]}, "info": {"id": "cyner2_5class_train_03810", "source": "cyner2_5class_train"}} +{"text": "This means the attacker can craft a phishing website without the user knowing it is visiting a phishing site.", "spans": {"Indicator: a phishing website": [[34, 52]], "Indicator: phishing site.": [[95, 109]]}, "info": {"id": "cyner2_5class_train_03811", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PSWTool.Win32.Ophcrack!O Tool.Ophcrack.Win32.15 W32/MalwareF.MTNL not-a-virus:PSWTool.Win32.Ophcrack.a Application.PassView.BE Tool.PassSteel.1076 BehavesLike.Win32.Dropper.rc W32/Risk.YHKN-9333 RiskWare[PSWTool]/Win32.PWDump.at Application.PassView.BE not-a-virus:PSWTool.Win32.Ophcrack.a Application.PassView.BE Trojan.PSWTool!8KQf3yAIaxc not-a-virus.PSWTool.ophCrack", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PSWTool.Win32.Ophcrack!O": [[26, 50]], "Indicator: Tool.Ophcrack.Win32.15": [[51, 73]], "Indicator: W32/MalwareF.MTNL": [[74, 91]], "Indicator: not-a-virus:PSWTool.Win32.Ophcrack.a": [[92, 128], [279, 315]], "Indicator: Application.PassView.BE": [[129, 152], [255, 278], [316, 339]], "Indicator: Tool.PassSteel.1076": [[153, 172]], "Indicator: BehavesLike.Win32.Dropper.rc": [[173, 201]], "Indicator: W32/Risk.YHKN-9333": [[202, 220]], "Indicator: RiskWare[PSWTool]/Win32.PWDump.at": [[221, 254]], "Indicator: Trojan.PSWTool!8KQf3yAIaxc": [[340, 366]], "Indicator: not-a-virus.PSWTool.ophCrack": [[367, 395]]}, "info": {"id": "cyner2_5class_train_03812", "source": "cyner2_5class_train"}} +{"text": "] 204 [ .", "spans": {}, "info": 
{"id": "cyner2_5class_train_03813", "source": "cyner2_5class_train"}} +{"text": "A university class student list including the C & C domain registrant Due to poor privacy practices on the part of our culprit ’ s university , we now know his date of birth ( probably : he seemingly used his birth year as part of his Gmail address , as further partial confirmation ) , we know that he was a student and what university he attended .", "spans": {"System: Gmail": [[235, 240]]}, "info": {"id": "cyner2_5class_train_03814", "source": "cyner2_5class_train"}} +{"text": "The ransom note contains the following text:", "spans": {}, "info": {"id": "cyner2_5class_train_03815", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE Worm:Win32/Fanta@mm.dam#2 Worm.Win32.Fanta", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: Worm:Win32/Fanta@mm.dam#2": [[42, 67]], "Indicator: Worm.Win32.Fanta": [[68, 84]]}, "info": {"id": "cyner2_5class_train_03816", "source": "cyner2_5class_train"}} +{"text": "Dridex is a banking trojan, which is a bot that communicates with a C&C server through HTTP.", "spans": {"Malware: Dridex": [[0, 6]], "Malware: banking trojan,": [[12, 27]], "Malware: bot": [[39, 42]], "Indicator: C&C server through HTTP.": [[68, 92]]}, "info": {"id": "cyner2_5class_train_03817", "source": "cyner2_5class_train"}} +{"text": "When popular applications come under fire and are featured prominently in the news , hackers get excited as these newsworthy apps can become their latest target .", "spans": {}, "info": {"id": "cyner2_5class_train_03818", "source": "cyner2_5class_train"}} +{"text": "URL Status IP Domain registration date http : //ora.studiolegalebasili [ .", "spans": {"Indicator: http : //ora.studiolegalebasili [ .": [[39, 74]]}, "info": {"id": "cyner2_5class_train_03819", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Virut.G W32/Trojan2.MPL W32.Virut.CF W32/Virut.GE 
Virus.Win32.Virut.ce Win32.Virut.AM Trojan.Opclose TR/VB.EWS Worm.Win32.SillyFDC!IK Worm/Kolab.jfi Virus:Win32/Virut.BN Win32/Virut.F W32/Trojan2.MPL Virus.Virut.13 Win32.Virut.dz Worm.Win32.SillyFDC W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: W32/Trojan2.MPL": [[38, 53], [214, 229]], "Indicator: W32.Virut.CF": [[54, 66]], "Indicator: W32/Virut.GE": [[67, 79]], "Indicator: Virus.Win32.Virut.ce": [[80, 100]], "Indicator: Win32.Virut.AM": [[101, 115]], "Indicator: Trojan.Opclose": [[116, 130]], "Indicator: TR/VB.EWS": [[131, 140]], "Indicator: Worm.Win32.SillyFDC!IK": [[141, 163]], "Indicator: Worm/Kolab.jfi": [[164, 178]], "Indicator: Virus:Win32/Virut.BN": [[179, 199]], "Indicator: Win32/Virut.F": [[200, 213]], "Indicator: Virus.Virut.13": [[230, 244]], "Indicator: Win32.Virut.dz": [[245, 259]], "Indicator: Worm.Win32.SillyFDC": [[260, 279]], "Indicator: W32/Sality.AO": [[280, 293]]}, "info": {"id": "cyner2_5class_train_03820", "source": "cyner2_5class_train"}} +{"text": "After further investigation, we realized that its infrastructure for exfiltrating credentials was still operational and that Ebury was still being actively used by the Windigo gang.", "spans": {"System: infrastructure": [[50, 64]], "Indicator: exfiltrating credentials": [[69, 93]], "Malware: Ebury": [[125, 130]]}, "info": {"id": "cyner2_5class_train_03821", "source": "cyner2_5class_train"}} +{"text": "The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past.", "spans": {"Indicator: compromised": [[14, 25]], "Indicator: legitimate Thai websites": [[30, 54]], "Indicator: host": [[58, 62]], "Malware: malware,": [[67, 75]]}, "info": {"id": "cyner2_5class_train_03822", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.SMSHoax Dropper.Dapato.Win32.20900 Win32.Trojan.WisdomEyes.16070401.9500.9953 TROJ_GE.CFDA1E9F Win.Trojan.Inject-14546 
Trojan.Win32.InstallMonster.cxzobk Win.Troj.mzIo TrojWare.Win32.Injector.BCBA Trojan.InstallMonster.120 TROJ_GE.CFDA1E9F BehavesLike.Win32.Backdoor.rc Hoax.Win32.ArchSMS Trojan/Inject.awic TR/Rogue.11221316.14 Win32.Troj.Undef.kcloud Trojan.Injector!UXjGJT5Czj8 W32/Injector.BCBB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.SMSHoax": [[26, 40]], "Indicator: Dropper.Dapato.Win32.20900": [[41, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9953": [[68, 110]], "Indicator: TROJ_GE.CFDA1E9F": [[111, 127], [256, 272]], "Indicator: Win.Trojan.Inject-14546": [[128, 151]], "Indicator: Trojan.Win32.InstallMonster.cxzobk": [[152, 186]], "Indicator: Win.Troj.mzIo": [[187, 200]], "Indicator: TrojWare.Win32.Injector.BCBA": [[201, 229]], "Indicator: Trojan.InstallMonster.120": [[230, 255]], "Indicator: BehavesLike.Win32.Backdoor.rc": [[273, 302]], "Indicator: Hoax.Win32.ArchSMS": [[303, 321]], "Indicator: Trojan/Inject.awic": [[322, 340]], "Indicator: TR/Rogue.11221316.14": [[341, 361]], "Indicator: Win32.Troj.Undef.kcloud": [[362, 385]], "Indicator: Trojan.Injector!UXjGJT5Czj8": [[386, 413]], "Indicator: W32/Injector.BCBB!tr": [[414, 434]]}, "info": {"id": "cyner2_5class_train_03823", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Small.AIA4 Trojan.Buzy.518 TROJ_DLOADR.SMUS Win32/Small.QR TROJ_DLOADR.SMUS Trojan.DownLoader6.35083 BehavesLike.Win32.RansomWannaCry.mz Trojan.Win32.Malex TrojanDownloader:Win32/Onitab.B Trojan/Win32.Downloader.R33065 Trj/CI.A Win32/TrojanDownloader.Small.PAL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Small.AIA4": [[26, 53]], "Indicator: Trojan.Buzy.518": [[54, 69]], "Indicator: TROJ_DLOADR.SMUS": [[70, 86], [102, 118]], "Indicator: Win32/Small.QR": [[87, 101]], "Indicator: Trojan.DownLoader6.35083": [[119, 143]], "Indicator: BehavesLike.Win32.RansomWannaCry.mz": [[144, 179]], "Indicator: Trojan.Win32.Malex": [[180, 198]], "Indicator: 
TrojanDownloader:Win32/Onitab.B": [[199, 230]], "Indicator: Trojan/Win32.Downloader.R33065": [[231, 261]], "Indicator: Trj/CI.A": [[262, 270]], "Indicator: Win32/TrojanDownloader.Small.PAL": [[271, 303]]}, "info": {"id": "cyner2_5class_train_03824", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Scar.499712.C Trojan-Ransom.Win32.Blocker!O TrojanDropper.Dwonk.A Trojan/Chydo.cdh TROJ_RENOS.SM Win32.Worm.AutoRun.bj W32/Trojan2.JXKJ Win32/SillyAutorun.CCQ TROJ_RENOS.SM Trojan-Ransom.Win32.Blocker.ckeq Trojan.Win32.Drop.ihult Trojan.Win32.Chydo.1032192 TrojWare.Win32.Scar.AB Trojan.MulDrop.46689 Backdoor.Klon.Win32.955 BehavesLike.Win32.Backdoor.gc Trojan.Win32.Chydo W32/Trojan.GFJX-4360 Trojan/Scar.cym Trojan/Win32.Scar Trojan-Ransom.Win32.Blocker.ckeq TrojanDropper:Win32/Dwonk.A Trojan/Win32.Chydo.R3468 Trojan.Chudik.28205 Trojan-ransom.Win32.Blocker.ckeq Trojan.Chydo!nNe8FVSDJ+I Win32/Trojan.16c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Scar.499712.C": [[26, 50]], "Indicator: Trojan-Ransom.Win32.Blocker!O": [[51, 80]], "Indicator: TrojanDropper.Dwonk.A": [[81, 102]], "Indicator: Trojan/Chydo.cdh": [[103, 119]], "Indicator: TROJ_RENOS.SM": [[120, 133], [196, 209]], "Indicator: Win32.Worm.AutoRun.bj": [[134, 155]], "Indicator: W32/Trojan2.JXKJ": [[156, 172]], "Indicator: Win32/SillyAutorun.CCQ": [[173, 195]], "Indicator: Trojan-Ransom.Win32.Blocker.ckeq": [[210, 242], [466, 498]], "Indicator: Trojan.Win32.Drop.ihult": [[243, 266]], "Indicator: Trojan.Win32.Chydo.1032192": [[267, 293]], "Indicator: TrojWare.Win32.Scar.AB": [[294, 316]], "Indicator: Trojan.MulDrop.46689": [[317, 337]], "Indicator: Backdoor.Klon.Win32.955": [[338, 361]], "Indicator: BehavesLike.Win32.Backdoor.gc": [[362, 391]], "Indicator: Trojan.Win32.Chydo": [[392, 410]], "Indicator: W32/Trojan.GFJX-4360": [[411, 431]], "Indicator: Trojan/Scar.cym": [[432, 447]], "Indicator: Trojan/Win32.Scar": [[448, 465]], "Indicator: 
TrojanDropper:Win32/Dwonk.A": [[499, 526]], "Indicator: Trojan/Win32.Chydo.R3468": [[527, 551]], "Indicator: Trojan.Chudik.28205": [[552, 571]], "Indicator: Trojan-ransom.Win32.Blocker.ckeq": [[572, 604]], "Indicator: Trojan.Chydo!nNe8FVSDJ+I": [[605, 629]], "Indicator: Win32/Trojan.16c": [[630, 646]]}, "info": {"id": "cyner2_5class_train_03825", "source": "cyner2_5class_train"}} +{"text": "We also uncovered ViperRAT in a billiards game , an Israeli Love Songs player , and a Move To iOS app .", "spans": {"Malware: ViperRAT": [[18, 26]], "System: iOS": [[94, 97]]}, "info": {"id": "cyner2_5class_train_03826", "source": "cyner2_5class_train"}} +{"text": "The second phase is when an attachment from the malspam retrieves ransomware from a web server.", "spans": {"Indicator: an attachment": [[25, 38]], "Indicator: malspam": [[48, 55]], "Malware: ransomware": [[66, 76]], "System: a web server.": [[82, 95]]}, "info": {"id": "cyner2_5class_train_03827", "source": "cyner2_5class_train"}} +{"text": "These malicious installers were then uploaded to Baidu's cloud file sharing service for used by Chinese iOS/OS X developers.", "spans": {"Malware: malicious installers": [[6, 26]], "System: Baidu's cloud file sharing service": [[49, 83]], "Organization: Chinese iOS/OS X developers.": [[96, 124]]}, "info": {"id": "cyner2_5class_train_03828", "source": "cyner2_5class_train"}} +{"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play .", "spans": {"System: Google Play": [[99, 110]]}, "info": {"id": "cyner2_5class_train_03829", "source": "cyner2_5class_train"}} +{"text": "( It is specified in the interception template whether a reply must be sent , and which text should be sent to which address .", "spans": {}, "info": {"id": "cyner2_5class_train_03830", "source": "cyner2_5class_train"}} +{"text": "The Trojan waits for incoming SMS messages ( the “ alarmReceiver.class ” ) and checks whether these messages contain one of 
the following commands : “ sms ” , “ contact ” , “ location ” , “ other ” .", "spans": {"Indicator: alarmReceiver.class": [[51, 70]]}, "info": {"id": "cyner2_5class_train_03831", "source": "cyner2_5class_train"}} +{"text": "This addition is seen in Figure 5 .", "spans": {}, "info": {"id": "cyner2_5class_train_03832", "source": "cyner2_5class_train"}} +{"text": "The technical details of the attack have yet to be made public, however we've recently identified tools uploaded to online malware repositories that we believe are linked to the heist.", "spans": {"Indicator: attack": [[29, 35]], "Malware: tools": [[98, 103]], "Malware: online malware repositories": [[116, 143]]}, "info": {"id": "cyner2_5class_train_03833", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Visel.41946 Backdoor.Visel.Win32.404 Backdoor.W32.Visel.asz!c Backdoor/Visel.asd Win32.Trojan.WisdomEyes.16070401.9500.9969 Backdoor.Trojan Trojan-GameThief.Win32.Magania.tqse Trojan.Win32.Visel.bqjxis BackDoor.Darkshell.270 BehavesLike.Win32.Downloader.ph Backdoor.Win32.Visel Backdoor/Visel.sw TR/Drop.Strigy.A.2 Trojan[Backdoor]/Win32.Visel TrojanDropper:Win32/Strigy.A Backdoor.Win32.A.Visel.39424 Trojan-GameThief.Win32.Magania.tqse Backdoor/Win32.CSon.R885 Win32.Trojan-gamethief.Magania.Pfju Trojan.DR.Strigy!SJEu21JfMbU W32/Visel.ASZ!tr.bdr Trj/ByShell.C Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Visel.41946": [[26, 50]], "Indicator: Backdoor.Visel.Win32.404": [[51, 75]], "Indicator: Backdoor.W32.Visel.asz!c": [[76, 100]], "Indicator: Backdoor/Visel.asd": [[101, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[120, 162]], "Indicator: Backdoor.Trojan": [[163, 178]], "Indicator: Trojan-GameThief.Win32.Magania.tqse": [[179, 214], [441, 476]], "Indicator: Trojan.Win32.Visel.bqjxis": [[215, 240]], "Indicator: BackDoor.Darkshell.270": [[241, 263]], "Indicator: BehavesLike.Win32.Downloader.ph": [[264, 295]], 
"Indicator: Backdoor.Win32.Visel": [[296, 316]], "Indicator: Backdoor/Visel.sw": [[317, 334]], "Indicator: TR/Drop.Strigy.A.2": [[335, 353]], "Indicator: Trojan[Backdoor]/Win32.Visel": [[354, 382]], "Indicator: TrojanDropper:Win32/Strigy.A": [[383, 411]], "Indicator: Backdoor.Win32.A.Visel.39424": [[412, 440]], "Indicator: Backdoor/Win32.CSon.R885": [[477, 501]], "Indicator: Win32.Trojan-gamethief.Magania.Pfju": [[502, 537]], "Indicator: Trojan.DR.Strigy!SJEu21JfMbU": [[538, 566]], "Indicator: W32/Visel.ASZ!tr.bdr": [[567, 587]], "Indicator: Trj/ByShell.C": [[588, 601]], "Indicator: Win32/Trojan.b7f": [[602, 618]]}, "info": {"id": "cyner2_5class_train_03834", "source": "cyner2_5class_train"}} +{"text": "Given the lack of indicators of compromise , we decided to check to see if this was the same malware we had been researching .", "spans": {}, "info": {"id": "cyner2_5class_train_03835", "source": "cyner2_5class_train"}} +{"text": "In 2016, from September through November, an APT campaign known as menuPass targeted Japanese academics working in several areas of science, along with Japanese pharmaceutical and a US-based subsidiary of a Japanese manufacturing organizations.", "spans": {"Organization: Japanese academics": [[85, 103]], "Organization: Japanese pharmaceutical": [[152, 175]], "Organization: US-based subsidiary of a Japanese manufacturing organizations.": [[182, 244]]}, "info": {"id": "cyner2_5class_train_03836", "source": "cyner2_5class_train"}} +{"text": "Attacks originating from this threat group have not ceased since our previous report from April of 2017 and have continued through July of 2017.", "spans": {"Indicator: Attacks": [[0, 7]], "Organization: threat group": [[30, 42]]}, "info": {"id": "cyner2_5class_train_03837", "source": "cyner2_5class_train"}} +{"text": "It searches the Android and Google Chrome browsers for stored sensitive information.", "spans": {"System: Android": [[16, 23]], "System: Google Chrome browsers": [[28, 50]], "Indicator: 
stored sensitive information.": [[55, 84]]}, "info": {"id": "cyner2_5class_train_03838", "source": "cyner2_5class_train"}} +{"text": "At that time , Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server .", "spans": {"Malware: Ginp": [[15, 19]]}, "info": {"id": "cyner2_5class_train_03839", "source": "cyner2_5class_train"}} +{"text": "The malicious capabilities observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if any additional APKs are downloaded to external storage .", "spans": {}, "info": {"id": "cyner2_5class_train_03840", "source": "cyner2_5class_train"}} +{"text": "However , it has begun to target users all around the world , especially users in countries like China , Taiwan , France , Switzerland , Germany , United Kingdom , United States , and others .", "spans": {}, "info": {"id": "cyner2_5class_train_03841", "source": "cyner2_5class_train"}} +{"text": "] net linkdatax [ .", "spans": {"Indicator: linkdatax [ .": [[6, 19]]}, "info": {"id": "cyner2_5class_train_03842", "source": "cyner2_5class_train"}} +{"text": "It steals logins and passwords to online banking accounts by substituting he window displayed by the bank application .", "spans": {}, "info": {"id": "cyner2_5class_train_03843", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_03844", "source": "cyner2_5class_train"}} +{"text": "] coupload202 [ .", "spans": {"Indicator: [ .": 
[[14, 17]]}, "info": {"id": "cyner2_5class_train_03845", "source": "cyner2_5class_train"}} +{"text": "This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other , unclear purposes .", "spans": {"Malware: ViceLeaker": [[88, 98]]}, "info": {"id": "cyner2_5class_train_03846", "source": "cyner2_5class_train"}} +{"text": "Royal Mail - British postal service and courier company .", "spans": {"Organization: Royal Mail": [[0, 10]]}, "info": {"id": "cyner2_5class_train_03847", "source": "cyner2_5class_train"}} +{"text": "The functionality of Pro PoS seems fairly extensive according to recent press releases.", "spans": {"Malware: Pro PoS": [[21, 28]]}, "info": {"id": "cyner2_5class_train_03848", "source": "cyner2_5class_train"}} +{"text": "] com/ hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[7, 23]]}, "info": {"id": "cyner2_5class_train_03849", "source": "cyner2_5class_train"}} +{"text": "The summer months dawn on us and the financial year comes to a close.", "spans": {}, "info": {"id": "cyner2_5class_train_03850", "source": "cyner2_5class_train"}} +{"text": "Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.", "spans": {"Malware: Potao malware": [[51, 64]], "Malware: backdoor": [[167, 175]], "Malware: the TrueCrypt encryption software.": [[213, 247]]}, "info": {"id": "cyner2_5class_train_03851", "source": "cyner2_5class_train"}} +{"text": "Dropped by the Nuclear exploit kit, further investigation showed that the malware was a new Trojan called Thanatos by its developers and that we refer to internally as Alphabot", "spans": {"Malware: Nuclear exploit kit,": [[15, 35]], "Malware: malware": [[74, 81]], "Malware: Trojan": [[92, 98]], "Malware: Thanatos": [[106, 114]]}, "info": {"id": 
"cyner2_5class_train_03852", "source": "cyner2_5class_train"}} +{"text": "The second stealing function is the onStartCommand , which steals infected device data and additional information .", "spans": {}, "info": {"id": "cyner2_5class_train_03853", "source": "cyner2_5class_train"}} +{"text": "A newly patched zero-day vulnerability in Internet Explorer has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.", "spans": {"Vulnerability: zero-day vulnerability": [[16, 38]], "System: Internet Explorer": [[42, 59]], "Indicator: exploited": [[77, 86]], "Indicator: attacks": [[90, 97]], "Indicator: compromised website": [[110, 129]], "Organization: evangelical church": [[146, 164]]}, "info": {"id": "cyner2_5class_train_03854", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod748.Trojan.b154 Trojan.DR.Cutwail!zuYZ2Zvwu1k Trojan.Zlob PE:Trojan.Win32.DNSChanger.drb!1075148351 TrojWare.Win32.Trojan.DNSChanger.~CRSD Trojan.Packed.194 Win32.Troj.DNSChangerT.dx.14848 Trojan:Win32/Zlob.AS Trojan/Win32.Monder Virus.Win32.Heur.c Trojan.Inject Downloader.Tiny.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod748.Trojan.b154": [[26, 49]], "Indicator: Trojan.DR.Cutwail!zuYZ2Zvwu1k": [[50, 79]], "Indicator: Trojan.Zlob": [[80, 91]], "Indicator: PE:Trojan.Win32.DNSChanger.drb!1075148351": [[92, 133]], "Indicator: TrojWare.Win32.Trojan.DNSChanger.~CRSD": [[134, 172]], "Indicator: Trojan.Packed.194": [[173, 190]], "Indicator: Win32.Troj.DNSChangerT.dx.14848": [[191, 222]], "Indicator: Trojan:Win32/Zlob.AS": [[223, 243]], "Indicator: Trojan/Win32.Monder": [[244, 263]], "Indicator: Virus.Win32.Heur.c": [[264, 282]], "Indicator: Trojan.Inject": [[283, 296]], "Indicator: Downloader.Tiny.D": [[297, 314]]}, "info": {"id": "cyner2_5class_train_03855", "source": "cyner2_5class_train"}} +{"text": "Webinjects : According to the bot ’ s configuration , if a webinject is set for a given 
application , it will be executed .", "spans": {}, "info": {"id": "cyner2_5class_train_03856", "source": "cyner2_5class_train"}} +{"text": "Indeed, the past few months seem to be quite busy for the Andromeda botnet and its recent activity indicates intent in the United States.", "spans": {"Malware: Andromeda botnet": [[58, 74]]}, "info": {"id": "cyner2_5class_train_03857", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Symmi.D13DDA Win.Trojan.Delf-6394424-2 Trojan-Downloader.Win32.Delf.krvg Trojan.Win32.Delf.evdbqw BehavesLike.Win32.BadFile.th Trojan-Downloader.Win32.Delf TR/Downloader.sfpmb Trojan-Downloader.Win32.Delf.krvg Trojan/Win32.Tiggre.C2290717 Trj/GdSda.A W32/Delf.CGH!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.D13DDA": [[26, 45]], "Indicator: Win.Trojan.Delf-6394424-2": [[46, 71]], "Indicator: Trojan-Downloader.Win32.Delf.krvg": [[72, 105], [209, 242]], "Indicator: Trojan.Win32.Delf.evdbqw": [[106, 130]], "Indicator: BehavesLike.Win32.BadFile.th": [[131, 159]], "Indicator: Trojan-Downloader.Win32.Delf": [[160, 188]], "Indicator: TR/Downloader.sfpmb": [[189, 208]], "Indicator: Trojan/Win32.Tiggre.C2290717": [[243, 271]], "Indicator: Trj/GdSda.A": [[272, 283]], "Indicator: W32/Delf.CGH!tr.dldr": [[284, 304]]}, "info": {"id": "cyner2_5class_train_03858", "source": "cyner2_5class_train"}} +{"text": "These artifacts indicate that FakeSpy 's campaign is still live and under development .", "spans": {"Malware: FakeSpy": [[30, 37]]}, "info": {"id": "cyner2_5class_train_03859", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.BindEx.A3 Trojan.MSIL.BindEx.a Win32.Risk.Malware.Szbo Trojan.InstallCube.49 Trojan.Zusy.D3BCBB Trojan.MSIL.BindEx.a Trojan:MSIL/Torwofun.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.BindEx.A3": [[26, 47]], "Indicator: Trojan.MSIL.BindEx.a": [[48, 68], [134, 154]], "Indicator: Win32.Risk.Malware.Szbo": [[69, 
92]], "Indicator: Trojan.InstallCube.49": [[93, 114]], "Indicator: Trojan.Zusy.D3BCBB": [[115, 133]], "Indicator: Trojan:MSIL/Torwofun.A": [[155, 177]], "Indicator: Trj/CI.A": [[178, 186]]}, "info": {"id": "cyner2_5class_train_03860", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Qhost.pml Win32/Jeefo.A Virus.Win32.Hidrag.a Win32.Jeefo.B Virus.Win32.Hidrag.clfcen Win32.Jeefo.B Win32.HLLP.Jeefo.36352 Trojan:Win32/Vb.At W32/Hidrag.E Virus/Win32.Hidrag.a Win32.Jeefo.B Virus.Win32.Hidrag.a Win32.Jeefo.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Qhost.pml": [[26, 42]], "Indicator: Win32/Jeefo.A": [[43, 56]], "Indicator: Virus.Win32.Hidrag.a": [[57, 77], [222, 242]], "Indicator: Win32.Jeefo.B": [[78, 91], [118, 131], [208, 221], [243, 256]], "Indicator: Virus.Win32.Hidrag.clfcen": [[92, 117]], "Indicator: Win32.HLLP.Jeefo.36352": [[132, 154]], "Indicator: Trojan:Win32/Vb.At": [[155, 173]], "Indicator: W32/Hidrag.E": [[174, 186]], "Indicator: Virus/Win32.Hidrag.a": [[187, 207]]}, "info": {"id": "cyner2_5class_train_03861", "source": "cyner2_5class_train"}} +{"text": "This feature is designed to block one application from accessing the data of other applications without rooting the device .", "spans": {}, "info": {"id": "cyner2_5class_train_03862", "source": "cyner2_5class_train"}} +{"text": "The identification of cyber crime actors, particularly Nigerian 419 scam operators, attempting to exploit CVE-2014-4114 demonstrates how quickly cyber criminals are trying to exploit a vulnerability previously associated with espionage actors, using similar tactics, techniques, and procedures TTP to maximize their chances of success, with additional innovation as seen with these samples.", "spans": {"Vulnerability: exploit": [[98, 105], [175, 182]], "Indicator: CVE-2014-4114": [[106, 119]], "Vulnerability: vulnerability": [[185, 198]]}, "info": {"id": "cyner2_5class_train_03863", "source": "cyner2_5class_train"}} +{"text": "This 
assessment is supported by both previous X-Force research and open source reporting on ITG08, although X-Force lacks definitive data that verifies this was the initial access vector.", "spans": {"Organization: research": [[54, 62]], "Organization: open source reporting": [[67, 88]], "Organization: X-Force": [[108, 115]]}, "info": {"id": "cyner2_5class_train_03864", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Winlogonxe.Trojan Trojan-PSW.Win32.Papras!O Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9984 Trojan.Win32.Fsysna.dikb Trojan.Win32.Papras.bsmtj Trojan.Win32.A.PSW-Papras.39982 Troj.PSW32.W.QQPass.l2mO Trojan.DownLoader.origin Trojan.OnLineGames.Win32.77881 BehavesLike.Win32.SpywareLyndra.nh Backdoor.Win32.DarkMoon Trojan/PSW.Papras.ut Trojan[PSW]/Win32.Papras Win32.PSWTroj.Papras.kcloud Trojan.Win32.Fsysna.dikb Backdoor:Win32/Votwup.B Trojan/Win32.Papras.R7955 Win32.Trojan.Fsysna.Edxa Win32/Trojan.b7e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Winlogonxe.Trojan": [[26, 47]], "Indicator: Trojan-PSW.Win32.Papras!O": [[48, 73]], "Indicator: Trojan.Fsysna": [[74, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[88, 130]], "Indicator: Trojan.Win32.Fsysna.dikb": [[131, 155], [428, 452]], "Indicator: Trojan.Win32.Papras.bsmtj": [[156, 181]], "Indicator: Trojan.Win32.A.PSW-Papras.39982": [[182, 213]], "Indicator: Troj.PSW32.W.QQPass.l2mO": [[214, 238]], "Indicator: Trojan.DownLoader.origin": [[239, 263]], "Indicator: Trojan.OnLineGames.Win32.77881": [[264, 294]], "Indicator: BehavesLike.Win32.SpywareLyndra.nh": [[295, 329]], "Indicator: Backdoor.Win32.DarkMoon": [[330, 353]], "Indicator: Trojan/PSW.Papras.ut": [[354, 374]], "Indicator: Trojan[PSW]/Win32.Papras": [[375, 399]], "Indicator: Win32.PSWTroj.Papras.kcloud": [[400, 427]], "Indicator: Backdoor:Win32/Votwup.B": [[453, 476]], "Indicator: Trojan/Win32.Papras.R7955": [[477, 502]], "Indicator: Win32.Trojan.Fsysna.Edxa": [[503, 527]], "Indicator: 
Win32/Trojan.b7e": [[528, 544]]}, "info": {"id": "cyner2_5class_train_03865", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D26B7F Win32.Trojan.WisdomEyes.16070401.9500.9941 W32/Trojan.ITVV-3454 Trojan.MulDrop4.59905 BehavesLike.Win32.Trojan.fh Trojan:Win32/Yangxiay.A Win32/Trojan.6f6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D26B7F": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9941": [[45, 87]], "Indicator: W32/Trojan.ITVV-3454": [[88, 108]], "Indicator: Trojan.MulDrop4.59905": [[109, 130]], "Indicator: BehavesLike.Win32.Trojan.fh": [[131, 158]], "Indicator: Trojan:Win32/Yangxiay.A": [[159, 182]], "Indicator: Win32/Trojan.6f6": [[183, 199]]}, "info": {"id": "cyner2_5class_train_03866", "source": "cyner2_5class_train"}} +{"text": "GET_TASKS - Allows the application to get information about current or recently run tasks .", "spans": {}, "info": {"id": "cyner2_5class_train_03867", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.5634 Trojan.Zusy.D38734 TROJ_FASTREK.SM Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_FASTREK.SM Trojan.Win32.Dwn.dqtjmk Trojan.DownLoader12.58274 W32/Trojan.UUJD-8445 Worm:Win32/Pemtaka.A Win32/Trojan.562", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.5634": [[26, 45]], "Indicator: Trojan.Zusy.D38734": [[46, 64]], "Indicator: TROJ_FASTREK.SM": [[65, 80], [124, 139]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[81, 123]], "Indicator: Trojan.Win32.Dwn.dqtjmk": [[140, 163]], "Indicator: Trojan.DownLoader12.58274": [[164, 189]], "Indicator: W32/Trojan.UUJD-8445": [[190, 210]], "Indicator: Worm:Win32/Pemtaka.A": [[211, 231]], "Indicator: Win32/Trojan.562": [[232, 248]]}, "info": {"id": "cyner2_5class_train_03868", "source": "cyner2_5class_train"}} +{"text": "Recall that the malware hooked the RansomActivity intent with the notification that was created as a “ call ” type notification .", 
"spans": {}, "info": {"id": "cyner2_5class_train_03869", "source": "cyner2_5class_train"}} +{"text": "EventBot Listening to TYPE_VIEW_TEXT_CHANGED accessibility event Listening to TYPE_VIEW_TEXT_CHANGED accessibility event .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_03870", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod9fb.Trojan.3b9b Joke.MoveDesktop W32/MoveDesktop.A TROJ_SPNR.04CJ11 Joke.Slidescreen.4 JOKE/MoveDesktop.A TROJ_SPNR.04CJ11 Win32.Troj.Hoax.kcloud Joke:Win32/Crazyscr.A Joke.Win32.Metro Trj/CI.A Win32/Joke.SlideScreen Joke.Win32.ShakeScreen.b Virus.Win32.BHO Joke.BR Trojan.Win32.BadJoke.Ar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod9fb.Trojan.3b9b": [[26, 49]], "Indicator: Joke.MoveDesktop": [[50, 66]], "Indicator: W32/MoveDesktop.A": [[67, 84]], "Indicator: TROJ_SPNR.04CJ11": [[85, 101], [140, 156]], "Indicator: Joke.Slidescreen.4": [[102, 120]], "Indicator: JOKE/MoveDesktop.A": [[121, 139]], "Indicator: Win32.Troj.Hoax.kcloud": [[157, 179]], "Indicator: Joke:Win32/Crazyscr.A": [[180, 201]], "Indicator: Joke.Win32.Metro": [[202, 218]], "Indicator: Trj/CI.A": [[219, 227]], "Indicator: Win32/Joke.SlideScreen": [[228, 250]], "Indicator: Joke.Win32.ShakeScreen.b": [[251, 275]], "Indicator: Virus.Win32.BHO": [[276, 291]], "Indicator: Joke.BR": [[292, 299]], "Indicator: Trojan.Win32.BadJoke.Ar": [[300, 323]]}, "info": {"id": "cyner2_5class_train_03871", "source": "cyner2_5class_train"}} +{"text": "On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com has been compromised and is currently infecting visitors via drive-by-download malwares.", "spans": {"Organization: Cyphort Labs": [[21, 33]], "Indicator: psychcentral[.]com": [[50, 68]], "Indicator: compromised": [[78, 89]], "Malware: drive-by-download malwares.": [[130, 157]]}, "info": {"id": "cyner2_5class_train_03872", "source": "cyner2_5class_train"}} +{"text": "READ_SMS - allow the application to 
read text messages .", "spans": {}, "info": {"id": "cyner2_5class_train_03873", "source": "cyner2_5class_train"}} +{"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file ( ‘ poc_perm ’ , ‘ arrs_put_user ’ , ‘ arrs_put_user.o ’ ) .", "spans": {"Malware: Busybox Social payload": [[104, 126]]}, "info": {"id": "cyner2_5class_train_03874", "source": "cyner2_5class_train"}} +{"text": "Although the applications were never available in Google Play , we immediately identified the scope of the problem by using Verify Apps .", "spans": {"System: Google Play": [[50, 61]], "System: Verify Apps": [[124, 135]]}, "info": {"id": "cyner2_5class_train_03875", "source": "cyner2_5class_train"}} +{"text": "A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium.", "spans": {"Indicator: cyberespionage-style attacks": [[62, 90]]}, "info": {"id": "cyner2_5class_train_03876", "source": "cyner2_5class_train"}} +{"text": "The bootkit Android.Oldboot has infected more than 350,000 android users in China , Spain , Italy , Germany , Russia , Brazil , the USA and some Southeast Asian countries .", "spans": {"Malware: Android.Oldboot": [[12, 27]], "System: android": [[59, 66]]}, "info": {"id": "cyner2_5class_train_03877", "source": "cyner2_5class_train"}} +{"text": "Terracotta's network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim's knowledge or permission.", "spans": {"System: VPN nodes": [[30, 39]], "Organization: hacking": [[87, 94]], "System: Windows servers": [[123, 138]]}, "info": {"id": "cyner2_5class_train_03878", "source": "cyner2_5class_train"}} +{"text": 
"Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware .", "spans": {"Malware: RuMMS": [[89, 94]]}, "info": {"id": "cyner2_5class_train_03879", "source": "cyner2_5class_train"}} +{"text": "In this second version , the developer ’ s name listed was “ concipit1248 ” in Google Play , and may have been active between May 2019 to February 2020 .", "spans": {"System: Google Play": [[79, 90]]}, "info": {"id": "cyner2_5class_train_03880", "source": "cyner2_5class_train"}} +{"text": "There , they are prompted to download a new version of the mobile app , under which guise the Trojan is hidden .", "spans": {}, "info": {"id": "cyner2_5class_train_03881", "source": "cyner2_5class_train"}} +{"text": "Multiple owners of Github repositories received phishing emails.", "spans": {"Organization: owners": [[9, 15]], "System: Github repositories": [[19, 38]], "Indicator: phishing emails.": [[48, 64]]}, "info": {"id": "cyner2_5class_train_03882", "source": "cyner2_5class_train"}} +{"text": "Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn ’ t present on their device .", "spans": {}, "info": {"id": "cyner2_5class_train_03883", "source": "cyner2_5class_train"}} +{"text": "Also of note is Bouncing Golf ’ s possible connection to a previously reported mobile cyberespionage campaign that researchers named Domestic Kitten .", "spans": {"Malware: Bouncing Golf": [[16, 29]], "Malware: Domestic Kitten": [[133, 148]]}, "info": {"id": "cyner2_5class_train_03884", "source": "cyner2_5class_train"}} +{"text": "A quick search produced results about a personal page and , what is more interesting , a GitHub account that contains a forked Conversation repository .", "spans": {"Organization: GitHub": [[89, 95]]}, "info": {"id": "cyner2_5class_train_03885", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Kryptik.UMVM-2214 TrojWare.MSIL.Kryptik.ACD Trojan.KillProc.49202 BehavesLike.Win32.Trojan.fh W32/Kryptik.PD Trojan.Zusy.D33DFF Trojan/Win32.Dynamer.C2272217 Trojan.ScreenLocker Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: W32/Kryptik.UMVM-2214": [[69, 90]], "Indicator: TrojWare.MSIL.Kryptik.ACD": [[91, 116]], "Indicator: Trojan.KillProc.49202": [[117, 138]], "Indicator: BehavesLike.Win32.Trojan.fh": [[139, 166]], "Indicator: W32/Kryptik.PD": [[167, 181]], "Indicator: Trojan.Zusy.D33DFF": [[182, 200]], "Indicator: Trojan/Win32.Dynamer.C2272217": [[201, 230]], "Indicator: Trojan.ScreenLocker": [[231, 250]], "Indicator: Trj/GdSda.A": [[251, 262]]}, "info": {"id": "cyner2_5class_train_03886", "source": "cyner2_5class_train"}} +{"text": "] 26/html2/new-inj-135-3-white.html hxxp : //facebook-photos-au [ .", "spans": {"Indicator: hxxp : //facebook-photos-au [ .": [[36, 67]]}, "info": {"id": "cyner2_5class_train_03887", "source": "cyner2_5class_train"}} +{"text": "A few days ago I got a message on Facebook from a person I very rarely speak to, and I knew that something fishy was going on.", "spans": {"Organization: Facebook": [[34, 42]]}, "info": {"id": "cyner2_5class_train_03888", "source": "cyner2_5class_train"}} +{"text": "We found two vulnerabilities that were now being targeted by exploit kits, with one being the recent Pawn Storm Flash zero-day.", "spans": {"Vulnerability: two vulnerabilities": [[9, 28]], "Malware: exploit kits,": [[61, 74]], "Vulnerability: Flash zero-day.": [[112, 127]]}, "info": {"id": "cyner2_5class_train_03889", "source": "cyner2_5class_train"}} +{"text": "Even without capabilities to exploit a device , the packages were able to exfiltrate the following types of data using documented APIs : Contacts Audio recordings Photos Videos GPS location Device information In addition , the packages offered a feature to 
perform remote audio recording .", "spans": {"System: GPS": [[177, 180]]}, "info": {"id": "cyner2_5class_train_03890", "source": "cyner2_5class_train"}} +{"text": "While we do not have complete targeting , information associated with these Poison Ivy samples , several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures .", "spans": {"Malware: Poison Ivy": [[76, 86]]}, "info": {"id": "cyner2_5class_train_03891", "source": "cyner2_5class_train"}} +{"text": "The malware was distributed from infected devices via SMS in the form “ % USERNAME % , I ’ ll buy under a secure transaction .", "spans": {}, "info": {"id": "cyner2_5class_train_03892", "source": "cyner2_5class_train"}} +{"text": "Continuing with the never ending series of malware email attachments is an email with the subject of payment slip coming or pretending to come from random companies, names and email addresses with an ACE attachment ACE files are a sort of zip file that normally needs special software to extract.", "spans": {"Malware: malware": [[43, 50]], "Indicator: email attachments": [[51, 68]], "Indicator: email": [[75, 80]], "Indicator: subject": [[90, 97]], "Indicator: payment slip coming": [[101, 120]], "Indicator: random companies, names and email addresses": [[148, 191]], "Indicator: ACE attachment": [[200, 214]], "Indicator: ACE files": [[215, 224]], "Indicator: zip file": [[239, 247]]}, "info": {"id": "cyner2_5class_train_03893", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97m.Downloader.GBT W97M.Downloader.BHA W97M.Downloader W2KM_POWLOAD.AUSJQU W97m.Downloader.GBT W97m.Downloader.GBT Trojan.Ole2.Vbs-heuristic.druvzi W97m.Downloader.GBT W97m.Downloader.GBT W2KM_POWLOAD.AUSJQU HEUR.VBA.Trojan.e virus.office.qexvmc.1095", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97m.Downloader.GBT": [[26, 45], [102, 121], [122, 141], [175, 194], [195, 214]], "Indicator: 
W97M.Downloader.BHA": [[46, 65]], "Indicator: W97M.Downloader": [[66, 81]], "Indicator: W2KM_POWLOAD.AUSJQU": [[82, 101], [215, 234]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[142, 174]], "Indicator: HEUR.VBA.Trojan.e": [[235, 252]], "Indicator: virus.office.qexvmc.1095": [[253, 277]]}, "info": {"id": "cyner2_5class_train_03894", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.E388 Trojan.Zusy.D3675 Backdoor.Trojan Win32/Talwadig.A Spammer:Win32/Talwadig.A W32/Talwadig.SPM!tr Win32/Trojan.49c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.E388": [[26, 43]], "Indicator: Trojan.Zusy.D3675": [[44, 61]], "Indicator: Backdoor.Trojan": [[62, 77]], "Indicator: Win32/Talwadig.A": [[78, 94]], "Indicator: Spammer:Win32/Talwadig.A": [[95, 119]], "Indicator: W32/Talwadig.SPM!tr": [[120, 139]], "Indicator: Win32/Trojan.49c": [[140, 156]]}, "info": {"id": "cyner2_5class_train_03895", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Spy.Burda.vq W32/Trojan2.LHHI Trojan-Spy.Win32.Burda.bun TrojWare.Win32.Spy.Burda.A Trojan.Packed.1027 TROJ_BURDA.SM Win32/SinoMBR.A W32/Trojan2.LHHI Virus.Win32.SinoMBR!IK Trojan:Win32/Riggin.B Trojan-Spy.Win32.Burda.r Virus.Win32.SinoMBR Downloader.Small.61.BV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Spy.Burda.vq": [[26, 45]], "Indicator: W32/Trojan2.LHHI": [[46, 62], [166, 182]], "Indicator: Trojan-Spy.Win32.Burda.bun": [[63, 89]], "Indicator: TrojWare.Win32.Spy.Burda.A": [[90, 116]], "Indicator: Trojan.Packed.1027": [[117, 135]], "Indicator: TROJ_BURDA.SM": [[136, 149]], "Indicator: Win32/SinoMBR.A": [[150, 165]], "Indicator: Virus.Win32.SinoMBR!IK": [[183, 205]], "Indicator: Trojan:Win32/Riggin.B": [[206, 227]], "Indicator: Trojan-Spy.Win32.Burda.r": [[228, 252]], "Indicator: Virus.Win32.SinoMBR": [[253, 272]], "Indicator: Downloader.Small.61.BV": [[273, 295]]}, "info": {"id": "cyner2_5class_train_03896", "source": 
"cyner2_5class_train"}} +{"text": "The recent vulnerability of MS15-093 revealed that attackers were using it distribute the Korplug/Plugx RAT.", "spans": {"Vulnerability: vulnerability": [[11, 24]], "Vulnerability: MS15-093": [[28, 36]], "Indicator: attackers": [[51, 60]], "Indicator: Korplug/Plugx": [[90, 103]], "Malware: RAT.": [[104, 108]]}, "info": {"id": "cyner2_5class_train_03897", "source": "cyner2_5class_train"}} +{"text": "All data is transmitted in JSON format ( after decryption ) .", "spans": {}, "info": {"id": "cyner2_5class_train_03898", "source": "cyner2_5class_train"}} +{"text": "If these files successfully gain root rights , the Trojan will install several tools into the system .", "spans": {}, "info": {"id": "cyner2_5class_train_03899", "source": "cyner2_5class_train"}} +{"text": "HenBox Roosts HenBox has evolved over the past three years , and of the almost two hundred HenBox apps in AutoFocus , the vast majority contain several native libraries as well as other components in order to achieve their objective .", "spans": {"Malware: HenBox": [[0, 6], [14, 20], [91, 97]]}, "info": {"id": "cyner2_5class_train_03900", "source": "cyner2_5class_train"}} +{"text": "The brazen attack used chained 0-days against Adobe Flash and Microsoft Internet Explorer 9 to attempt to gain access to internal networks at these companies.", "spans": {"Vulnerability: brazen attack": [[4, 17]], "Vulnerability: chained 0-days": [[23, 37]], "System: Adobe Flash": [[46, 57]], "System: Microsoft Internet Explorer 9": [[62, 91]]}, "info": {"id": "cyner2_5class_train_03901", "source": "cyner2_5class_train"}} +{"text": "It mainly targets Chinese users , but has also successfully affected people and organizations in the United States , United Kingdom , Thailand , Spain , and Ireland .", "spans": {}, "info": {"id": "cyner2_5class_train_03902", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.MSIL.1 Win32.Trojan.WisdomEyes.16070401.9500.9592 
Ransom_HEROPOINT.A Trojan.Win32.Ransom.ewrnqz Trojan.Win32.S.Ransom.29184.B Ransom_HEROPOINT.A Trojan-Ransom.Heropoint Trojan.MSIL.ieap TR/Ransom.gohtu Ransom:MSIL/Crypute.C Trojan.Ransom.Filecoder Trj/GdSda.A Win32/Trojan.Ransom.935", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.MSIL.1": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9592": [[47, 89]], "Indicator: Ransom_HEROPOINT.A": [[90, 108], [166, 184]], "Indicator: Trojan.Win32.Ransom.ewrnqz": [[109, 135]], "Indicator: Trojan.Win32.S.Ransom.29184.B": [[136, 165]], "Indicator: Trojan-Ransom.Heropoint": [[185, 208]], "Indicator: Trojan.MSIL.ieap": [[209, 225]], "Indicator: TR/Ransom.gohtu": [[226, 241]], "Indicator: Ransom:MSIL/Crypute.C": [[242, 263]], "Indicator: Trojan.Ransom.Filecoder": [[264, 287]], "Indicator: Trj/GdSda.A": [[288, 299]], "Indicator: Win32/Trojan.Ransom.935": [[300, 323]]}, "info": {"id": "cyner2_5class_train_03903", "source": "cyner2_5class_train"}} +{"text": "We expect this list to grow given that this actor has changed its infrastructure numerous times in 2017 .", "spans": {}, "info": {"id": "cyner2_5class_train_03904", "source": "cyner2_5class_train"}} +{"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method .", "spans": {}, "info": {"id": "cyner2_5class_train_03905", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Kryptik.myh Win32.Trojan.WisdomEyes.16070401.9500.9688 Trojan.Win32.Click1.cpofr Trojan.Click1.34698 TR/Taranis.3998 Win32.TrojDownloader.Unknown.kcloud TrojanDownloader:Win32/Mimho.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Kryptik.myh": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9688": [[45, 87]], "Indicator: Trojan.Win32.Click1.cpofr": [[88, 113]], "Indicator: Trojan.Click1.34698": [[114, 133]], "Indicator: TR/Taranis.3998": [[134, 149]], "Indicator: 
Win32.TrojDownloader.Unknown.kcloud": [[150, 185]], "Indicator: TrojanDownloader:Win32/Mimho.A": [[186, 216]], "Indicator: Trj/CI.A": [[217, 225]]}, "info": {"id": "cyner2_5class_train_03906", "source": "cyner2_5class_train"}} +{"text": "The txt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner2_5class_train_03907", "source": "cyner2_5class_train"}} +{"text": "The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries.", "spans": {"Organization: companies": [[24, 33]], "Organization: the smelting, electric power generation": [[37, 76]], "Organization: transmission, construction,": [[81, 108]], "Organization: engineering industries.": [[113, 136]]}, "info": {"id": "cyner2_5class_train_03908", "source": "cyner2_5class_train"}} +{"text": "Record surroundings using the built-in microphone in 3gp format .", "spans": {}, "info": {"id": "cyner2_5class_train_03909", "source": "cyner2_5class_train"}} +{"text": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim's computer.", "spans": {"Indicator: hacked": [[11, 17]], "System: Aeria games": [[18, 29]], "Indicator: unofficial websites,": [[41, 61]], "Malware: malware": [[74, 81]], "Malware: malicious code": [[127, 141]], "System: the victim's computer.": [[145, 167]]}, "info": {"id": "cyner2_5class_train_03910", "source": "cyner2_5class_train"}} +{"text": "WebView JavaScript Interface Continuing on the theme of cross-language bridges , Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews .", "spans": {"Malware: Bread": [[81, 86]]}, "info": {"id": "cyner2_5class_train_03911", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Emotet.MUE.A5 
Backdoor.PePatch.Win32.40158 Trojan/Urelas.u Win32.Trojan.Urelas.a Backdoor.Graybird TROJ_URELAS.SMC Win.Trojan.Urelas-212 Trojan.Win32.demmsd.eaqemx Ransom.Win32.CryLock.a Trojan.AVKill.33464 TROJ_URELAS.SMC BehavesLike.Win32.Gupboot.hc Trojan.Win32.Toga Backdoor/Plite.ah Trojan.Zusy.D1C63F Trojan/Win32.Urelas.R92523 BScope.Backdoor.Gulf Trojan.Urelas.U Trojan.Urelas!2wQyqHhm58c W32/Urelas.AB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Emotet.MUE.A5": [[26, 46]], "Indicator: Backdoor.PePatch.Win32.40158": [[47, 75]], "Indicator: Trojan/Urelas.u": [[76, 91]], "Indicator: Win32.Trojan.Urelas.a": [[92, 113]], "Indicator: Backdoor.Graybird": [[114, 131]], "Indicator: TROJ_URELAS.SMC": [[132, 147], [240, 255]], "Indicator: Win.Trojan.Urelas-212": [[148, 169]], "Indicator: Trojan.Win32.demmsd.eaqemx": [[170, 196]], "Indicator: Ransom.Win32.CryLock.a": [[197, 219]], "Indicator: Trojan.AVKill.33464": [[220, 239]], "Indicator: BehavesLike.Win32.Gupboot.hc": [[256, 284]], "Indicator: Trojan.Win32.Toga": [[285, 302]], "Indicator: Backdoor/Plite.ah": [[303, 320]], "Indicator: Trojan.Zusy.D1C63F": [[321, 339]], "Indicator: Trojan/Win32.Urelas.R92523": [[340, 366]], "Indicator: BScope.Backdoor.Gulf": [[367, 387]], "Indicator: Trojan.Urelas.U": [[388, 403]], "Indicator: Trojan.Urelas!2wQyqHhm58c": [[404, 429]], "Indicator: W32/Urelas.AB!tr": [[430, 446]]}, "info": {"id": "cyner2_5class_train_03912", "source": "cyner2_5class_train"}} +{"text": "The analysis starts with a Microsoft Word document named 2017 Q4 Work Plan.docx with a hash of 292843976600e8ad2130224d70356bfc, which was created on 2017-10-11 by a user called Admin'', and first uploaded to VirusTotal, a website and file scanning service, on the same day, by a user in South Africa.", "spans": {"Indicator: Microsoft Word document named 2017 Q4 Work Plan.docx": [[27, 79]], "Indicator: hash": [[87, 91]], "Indicator: 292843976600e8ad2130224d70356bfc,": [[95, 128]], "Indicator: user called Admin'',": 
[[166, 186]], "Organization: VirusTotal,": [[209, 220]], "Indicator: website": [[223, 230]], "Indicator: file scanning service,": [[235, 257]], "Organization: user": [[280, 284]]}, "info": {"id": "cyner2_5class_train_03913", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Estiwir.S21079 Trojan.Win32.Estiwir Trojan:Win32/Estiwir.A Trj/CI.A Win32/Trojan.87b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Estiwir.S21079": [[26, 47]], "Indicator: Trojan.Win32.Estiwir": [[48, 68]], "Indicator: Trojan:Win32/Estiwir.A": [[69, 91]], "Indicator: Trj/CI.A": [[92, 100]], "Indicator: Win32/Trojan.87b": [[101, 117]]}, "info": {"id": "cyner2_5class_train_03914", "source": "cyner2_5class_train"}} +{"text": "We also learned that an Android malware known as GhostCtrl was stored in their infrastructure, which might be used for cyberespionage or cybercrime.", "spans": {"Malware: an Android malware": [[21, 39]], "Malware: GhostCtrl": [[49, 58]], "System: infrastructure,": [[79, 94]]}, "info": {"id": "cyner2_5class_train_03915", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameExQSJKAH.Trojan Backdoor.Pahador.Win32.1 Backdoor/Pahador.t BKDR_PAHADOR.AB Win32.Trojan.WisdomEyes.16070401.9500.9967 W32/Backdoor.QCR Win32/Spybot.AEZ BKDR_PAHADOR.AB Win.Trojan.Delf-939 Trojan.Win32.Fsysna.dhnu Trojan.Win32.Pahador.dkwu Backdoor.Win32.Pahador.801128 Troj.W32.Fsysna!c Backdoor.Win32.Pahador.T Program.Vskeylogger Backdoor.Win32.Pahador W32/Backdoor.PLOG-4776 Backdoor/Pahador.ai Trojan[Backdoor]/Win32.Pahador Win32.Hack.Pahador.t.kcloud Backdoor.Pahador Trojan.Win32.Fsysna.dhnu Trojan/Win32.Pahador.R2394 TScope.Trojan.Delf Win32/Pahador.T Win32.Trojan.Fsysna.Dyzz Backdoor.Pahador!aVEw4P0RDQo W32/Sfmybd.C3E3!tr Win32/Trojan.05c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameExQSJKAH.Trojan": [[26, 51]], "Indicator: Backdoor.Pahador.Win32.1": [[52, 76]], "Indicator: Backdoor/Pahador.t": [[77, 95]], 
"Indicator: BKDR_PAHADOR.AB": [[96, 111], [189, 204]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[112, 154]], "Indicator: W32/Backdoor.QCR": [[155, 171]], "Indicator: Win32/Spybot.AEZ": [[172, 188]], "Indicator: Win.Trojan.Delf-939": [[205, 224]], "Indicator: Trojan.Win32.Fsysna.dhnu": [[225, 249], [511, 535]], "Indicator: Trojan.Win32.Pahador.dkwu": [[250, 275]], "Indicator: Backdoor.Win32.Pahador.801128": [[276, 305]], "Indicator: Troj.W32.Fsysna!c": [[306, 323]], "Indicator: Backdoor.Win32.Pahador.T": [[324, 348]], "Indicator: Program.Vskeylogger": [[349, 368]], "Indicator: Backdoor.Win32.Pahador": [[369, 391]], "Indicator: W32/Backdoor.PLOG-4776": [[392, 414]], "Indicator: Backdoor/Pahador.ai": [[415, 434]], "Indicator: Trojan[Backdoor]/Win32.Pahador": [[435, 465]], "Indicator: Win32.Hack.Pahador.t.kcloud": [[466, 493]], "Indicator: Backdoor.Pahador": [[494, 510]], "Indicator: Trojan/Win32.Pahador.R2394": [[536, 562]], "Indicator: TScope.Trojan.Delf": [[563, 581]], "Indicator: Win32/Pahador.T": [[582, 597]], "Indicator: Win32.Trojan.Fsysna.Dyzz": [[598, 622]], "Indicator: Backdoor.Pahador!aVEw4P0RDQo": [[623, 651]], "Indicator: W32/Sfmybd.C3E3!tr": [[652, 670]], "Indicator: Win32/Trojan.05c": [[671, 687]]}, "info": {"id": "cyner2_5class_train_03916", "source": "cyner2_5class_train"}} +{"text": "] com ’ was registered via GoDaddy , and uses privacy protection service .", "spans": {"Organization: GoDaddy": [[27, 34]]}, "info": {"id": "cyner2_5class_train_03917", "source": "cyner2_5class_train"}} +{"text": "However, getting 83 pieces in one shot is way too generous by any account and it surely peaked the interest of our researchers.", "spans": {}, "info": {"id": "cyner2_5class_train_03918", "source": "cyner2_5class_train"}} +{"text": "Look for information about the status of your device .", "spans": {}, "info": {"id": "cyner2_5class_train_03919", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 
Adware.TOVus.Win32.1 HT_TOVKATER_GC31024C.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9998 HT_TOVKATER_GC31024C.UVPM AdWare.TOVus Trojan.Win32.Tovkater.emvdzi Trojan.InstallMonster.2420 Pua.Downloadmanager TrojanDownloader:Win32/Katerav.A!bit Trojan.Zusy.D37F51 PUP.Optional.BundleInstaller Win32/TrojanDownloader.Tovkater.D Trojan-Downloader.Win32.Tovkater W32/Tovkater.F!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Adware.TOVus.Win32.1": [[46, 66]], "Indicator: HT_TOVKATER_GC31024C.UVPM": [[67, 92], [136, 161]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[93, 135]], "Indicator: AdWare.TOVus": [[162, 174]], "Indicator: Trojan.Win32.Tovkater.emvdzi": [[175, 203]], "Indicator: Trojan.InstallMonster.2420": [[204, 230]], "Indicator: Pua.Downloadmanager": [[231, 250]], "Indicator: TrojanDownloader:Win32/Katerav.A!bit": [[251, 287]], "Indicator: Trojan.Zusy.D37F51": [[288, 306]], "Indicator: PUP.Optional.BundleInstaller": [[307, 335]], "Indicator: Win32/TrojanDownloader.Tovkater.D": [[336, 369]], "Indicator: Trojan-Downloader.Win32.Tovkater": [[370, 402]], "Indicator: W32/Tovkater.F!tr.dldr": [[403, 425]]}, "info": {"id": "cyner2_5class_train_03920", "source": "cyner2_5class_train"}} +{"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner2_5class_train_03921", "source": "cyner2_5class_train"}} +{"text": "1 Fadi Alsalamin scandal with an Israeli officer - exclusive - watched before the deletion - Fadi Elsalameen The details of the assassination of President Arafat_06-12-2016_docx Quds.rar Many of these executables are associated with various short links created using Bit.ly , a URL shortening service .", "spans": {"Indicator: Quds.rar": [[178, 186]], "System: Bit.ly": [[267, 273]]}, "info": {"id": "cyner2_5class_train_03922", "source": "cyner2_5class_train"}} +{"text": "In March , it peaked at 1,169 infections .", "spans": {}, "info": {"id": "cyner2_5class_train_03923", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Bindo.worm W32/Malas.LPWD-1696 W32.Linkfars Win.Worm.AutoRun-1 P2P-Worm.Win32.Malas.r Heur.Corrupt.PE P2P-Worm:W32/Malas.A W32/Bindo.worm W32/Malas.A WORM/Khanani.A Worm:Win32/Malas.A P2P-Worm.Win32.Malas.r W32/Nahkos.D.worm P2P-Worm.Win32.Malas W32/Malas.R!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Bindo.worm": [[26, 40], [153, 167]], "Indicator: W32/Malas.LPWD-1696": [[41, 60]], "Indicator: W32.Linkfars": [[61, 73]], "Indicator: Win.Worm.AutoRun-1": [[74, 92]], "Indicator: P2P-Worm.Win32.Malas.r": [[93, 115], [214, 236]], "Indicator: Heur.Corrupt.PE": [[116, 131]], "Indicator: P2P-Worm:W32/Malas.A": [[132, 152]], "Indicator: W32/Malas.A": [[168, 179]], "Indicator: WORM/Khanani.A": [[180, 194]], "Indicator: Worm:Win32/Malas.A": [[195, 213]], "Indicator: W32/Nahkos.D.worm": [[237, 254]], "Indicator: P2P-Worm.Win32.Malas": [[255, 275]], "Indicator: W32/Malas.R!worm": [[276, 292]]}, "info": {"id": "cyner2_5class_train_03924", "source": "cyner2_5class_train"}} +{"text": "To be installed , it needs the victim to allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner2_5class_train_03925", "source": "cyner2_5class_train"}} +{"text": "Toll Billing Carriers may also provide payment endpoints over a web page .", "spans": {}, "info": {"id": "cyner2_5class_train_03926", "source": "cyner2_5class_train"}} +{"text": "If granted , the ransomware locks the device and displays a message demanding payment : You need to pay for us , otherwise we will sell portion of your personal information on black market every 30 minutes .", "spans": {}, "info": {"id": "cyner2_5class_train_03927", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Trojan.MSILPerseus.DE1E5 Trojan.MSIL.Fakesupport W32/Trojan.VUDL-1796 Trojan.MSIL.idlr W32.Bsodscam.Locker SupportScam:MSIL/TechscamBSOD.A PUP/Win32.FakeBSOD.R192454 
Trojan.TechSupportScam", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Trojan.MSILPerseus.DE1E5": [[38, 62]], "Indicator: Trojan.MSIL.Fakesupport": [[63, 86]], "Indicator: W32/Trojan.VUDL-1796": [[87, 107]], "Indicator: Trojan.MSIL.idlr": [[108, 124]], "Indicator: W32.Bsodscam.Locker": [[125, 144]], "Indicator: SupportScam:MSIL/TechscamBSOD.A": [[145, 176]], "Indicator: PUP/Win32.FakeBSOD.R192454": [[177, 203]], "Indicator: Trojan.TechSupportScam": [[204, 226]]}, "info": {"id": "cyner2_5class_train_03928", "source": "cyner2_5class_train"}} +{"text": "This implies they have made considerable investments .", "spans": {}, "info": {"id": "cyner2_5class_train_03929", "source": "cyner2_5class_train"}} +{"text": "The operation seems to originate from Saudi Arabia mostly; seeing its C2 IP is a home IP address and njRat does not support proxying C2 communciations over infectees.", "spans": {"Indicator: C2 IP": [[70, 75]], "Indicator: home IP address": [[81, 96]], "Malware: njRat": [[101, 106]]}, "info": {"id": "cyner2_5class_train_03930", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9802 Trojan.Win32.VkHost.aeys Trojan.Win32.Delf.wgpjk Troj.W32.Vkhost!c Win32.Trojan.Vkhost.Wtxk Trojan.PWS.Spy.14811 BehavesLike.Win32.BadFile.fh W32/Trojan.HSNN-1750 Trojanspy:Win32/Fitmu.A BDS/Delf.aegx W32/VkHost.AEYS!tr Trojan[Backdoor]/Win32.Delf Trojan.Graftor.D754C Trojan.Win32.Z.Graftor.401229 Trojan.Win32.VkHost.aeys Trojan:Win32/Kuta.A Trojan/Win32.Delf.C161449 Backdoor.Delf Win32/Bicololo.D Backdoor.Win32.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9802": [[26, 68]], "Indicator: Trojan.Win32.VkHost.aeys": [[69, 93], [368, 392]], "Indicator: Trojan.Win32.Delf.wgpjk": [[94, 117]], "Indicator: Troj.W32.Vkhost!c": [[118, 135]], "Indicator: Win32.Trojan.Vkhost.Wtxk": [[136, 160]], "Indicator: Trojan.PWS.Spy.14811": [[161, 
181]], "Indicator: BehavesLike.Win32.BadFile.fh": [[182, 210]], "Indicator: W32/Trojan.HSNN-1750": [[211, 231]], "Indicator: Trojanspy:Win32/Fitmu.A": [[232, 255]], "Indicator: BDS/Delf.aegx": [[256, 269]], "Indicator: W32/VkHost.AEYS!tr": [[270, 288]], "Indicator: Trojan[Backdoor]/Win32.Delf": [[289, 316]], "Indicator: Trojan.Graftor.D754C": [[317, 337]], "Indicator: Trojan.Win32.Z.Graftor.401229": [[338, 367]], "Indicator: Trojan:Win32/Kuta.A": [[393, 412]], "Indicator: Trojan/Win32.Delf.C161449": [[413, 438]], "Indicator: Backdoor.Delf": [[439, 452]], "Indicator: Win32/Bicololo.D": [[453, 469]], "Indicator: Backdoor.Win32.Delf": [[470, 489]]}, "info": {"id": "cyner2_5class_train_03931", "source": "cyner2_5class_train"}} +{"text": "We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. Locky has also gained enough traction to find its way onto Dynamoo's Blog and Reddit.", "spans": {"Malware: Locky": [[20, 25], [108, 113]], "Malware: threat": [[75, 81]], "Organization: PhishMe.": [[99, 107]], "Organization: Dynamoo's Blog": [[167, 181]], "Organization: Reddit.": [[186, 193]]}, "info": {"id": "cyner2_5class_train_03932", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9638 Trojan.Dropper Win32/SillyDl.XVX Win.Trojan.Msupdater-1 Trojan-Ransom.Win32.Blocker.cfzl Trojan.Win32.Inject.cmocx Trojan.MulDrop3.62588 Trojan.Blocker.Win32.31495 BehavesLike.Win32.Backdoor.cc Trojan[Ransom]/Win32.Blocker Trojan-Ransom.Win32.Blocker.cfzl Trojan:Win32/Ovoxual.B Trojan.Che.xc Win32.Trojan.Blocker.Stua Trojan.Blocker!XrooD1Mdx9Q Win32/Trojan.Dropper.cd7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9638": [[26, 68]], "Indicator: Trojan.Dropper": [[69, 83]], "Indicator: Win32/SillyDl.XVX": [[84, 101]], "Indicator: Win.Trojan.Msupdater-1": [[102, 124]], "Indicator: Trojan-Ransom.Win32.Blocker.cfzl": [[125, 157], [292, 324]], 
"Indicator: Trojan.Win32.Inject.cmocx": [[158, 183]], "Indicator: Trojan.MulDrop3.62588": [[184, 205]], "Indicator: Trojan.Blocker.Win32.31495": [[206, 232]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[233, 262]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[263, 291]], "Indicator: Trojan:Win32/Ovoxual.B": [[325, 347]], "Indicator: Trojan.Che.xc": [[348, 361]], "Indicator: Win32.Trojan.Blocker.Stua": [[362, 387]], "Indicator: Trojan.Blocker!XrooD1Mdx9Q": [[388, 414]], "Indicator: Win32/Trojan.Dropper.cd7": [[415, 439]]}, "info": {"id": "cyner2_5class_train_03933", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE HackTool[DoS]/Win32.Fedup DoS:Win32/Fedup.2_0.dam Hoax.Win32.BadJoke.FakeDel", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: HackTool[DoS]/Win32.Fedup": [[42, 67]], "Indicator: DoS:Win32/Fedup.2_0.dam": [[68, 91]], "Indicator: Hoax.Win32.BadJoke.FakeDel": [[92, 118]]}, "info": {"id": "cyner2_5class_train_03934", "source": "cyner2_5class_train"}} +{"text": "After escalating privileges , the app immediately protects itself and starts to collect data , by : Installing itself on the /system partition to persist across factory resets Removing Samsung 's system update app ( com.sec.android.fotaclient ) and disabling auto-updates to maintain persistence ( sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0 ) Deleting WAP push messages and changing WAP message settings , possibly for anti-forensic purpose .", "spans": {"Organization: Samsung": [[185, 192]], "Indicator: com.sec.android.fotaclient": [[216, 242]], "Indicator: Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0": [[303, 351]]}, "info": {"id": "cyner2_5class_train_03935", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Vbs.Trojan.Qhost.Lpbo Trojan/Bicololo.a Win32.Trojan.WisdomEyes.16070401.9500.9869 Trojan.VBS.Qhost.gc Trojan.Script.Qhost.dbtszl TrojWare.Win32.Bicololo.DI Trojan.Hosts.6838 
W32.Trojan.Bat.Qhost Trojan:BAT/Qhost.AF Trojan.SMHeist.1 Trojan.VBS.Qhost.gc Trojan/Win32.Bicololo.R82150 Win32/Bicololo.A Trojan.BAT.Qhost W32/Bicololo.A!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Vbs.Trojan.Qhost.Lpbo": [[26, 47]], "Indicator: Trojan/Bicololo.a": [[48, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9869": [[66, 108]], "Indicator: Trojan.VBS.Qhost.gc": [[109, 128], [259, 278]], "Indicator: Trojan.Script.Qhost.dbtszl": [[129, 155]], "Indicator: TrojWare.Win32.Bicololo.DI": [[156, 182]], "Indicator: Trojan.Hosts.6838": [[183, 200]], "Indicator: W32.Trojan.Bat.Qhost": [[201, 221]], "Indicator: Trojan:BAT/Qhost.AF": [[222, 241]], "Indicator: Trojan.SMHeist.1": [[242, 258]], "Indicator: Trojan/Win32.Bicololo.R82150": [[279, 307]], "Indicator: Win32/Bicololo.A": [[308, 324]], "Indicator: Trojan.BAT.Qhost": [[325, 341]], "Indicator: W32/Bicololo.A!tr": [[342, 359]], "Indicator: Trj/CI.A": [[360, 368]]}, "info": {"id": "cyner2_5class_train_03936", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Plutor!O Worm.Plutor W32/Lutor.b Virus.W32.Plutor!c PE_PLUTOR.A Win32.Trojan.WisdomEyes.16070401.9500.9838 W32.Lutor PE_PLUTOR.A Win.Trojan.Win-25 Virus.Win32.Plutor.b Trojan.Win32.Plutor.cxgc BackDoor.Jeff Virus.Plutor.Win32.2 BehavesLike.Win32.Virus.bh Trojan-Dropper.Win32.Joiner W32/Trojan.RQNC-0214 TR/Win32.HDDKill Virus/Win32.Plutor Backdoor:Win32/Plutor.B Virus.Win32.Plutor.b Virus.Win32.Plutor.b W32/Plutor.B Win32/Plutor.B Win32.Virus.Plutor.Htby Worm.Plutor!yPZ/v8ChneU W32/Plutor.B Win32/Trojan.3db", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Plutor!O": [[26, 46]], "Indicator: Worm.Plutor": [[47, 58]], "Indicator: W32/Lutor.b": [[59, 70]], "Indicator: Virus.W32.Plutor!c": [[71, 89]], "Indicator: PE_PLUTOR.A": [[90, 101], [155, 166]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9838": [[102, 144]], "Indicator: W32.Lutor": [[145, 154]], "Indicator: 
Win.Trojan.Win-25": [[167, 184]], "Indicator: Virus.Win32.Plutor.b": [[185, 205], [402, 422], [423, 443]], "Indicator: Trojan.Win32.Plutor.cxgc": [[206, 230]], "Indicator: BackDoor.Jeff": [[231, 244]], "Indicator: Virus.Plutor.Win32.2": [[245, 265]], "Indicator: BehavesLike.Win32.Virus.bh": [[266, 292]], "Indicator: Trojan-Dropper.Win32.Joiner": [[293, 320]], "Indicator: W32/Trojan.RQNC-0214": [[321, 341]], "Indicator: TR/Win32.HDDKill": [[342, 358]], "Indicator: Virus/Win32.Plutor": [[359, 377]], "Indicator: Backdoor:Win32/Plutor.B": [[378, 401]], "Indicator: W32/Plutor.B": [[444, 456], [520, 532]], "Indicator: Win32/Plutor.B": [[457, 471]], "Indicator: Win32.Virus.Plutor.Htby": [[472, 495]], "Indicator: Worm.Plutor!yPZ/v8ChneU": [[496, 519]], "Indicator: Win32/Trojan.3db": [[533, 549]]}, "info": {"id": "cyner2_5class_train_03937", "source": "cyner2_5class_train"}} +{"text": "EventBot permissions EventBot ’ s permissions as seen in the manifest file .", "spans": {"Malware: EventBot": [[0, 8], [21, 29]]}, "info": {"id": "cyner2_5class_train_03938", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Gamarue.29491 HT_GAMARUE_GI0705DA.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan3.FQX W32.Shadesrat HT_GAMARUE_GI0705DA.UVPM Trojan.Win32.Inject.bxpwvz W32.W.Palevo.lJR8 Trojan.DownLoader5.4594 Backdoor.DarkKomet.Win32.11962 W32/Trojan.FEOJ-4670 TR/Drop.Gamarue.J TrojanDropper:Win32/Gamarue.I Trojan.Symmi.D5EBC Backdoor/Win32.DarkKomet.R72424 SScope.Malware-Cryptor.Winlock.1513 Trojan.Injector!eYQevBEYEJs Trojan-PWS.Win32.Zbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Trojan.Gamarue.29491": [[44, 64]], "Indicator: HT_GAMARUE_GI0705DA.UVPM": [[65, 89], [163, 187]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[90, 132]], "Indicator: W32/Trojan3.FQX": [[133, 148]], "Indicator: W32.Shadesrat": [[149, 162]], "Indicator: Trojan.Win32.Inject.bxpwvz": 
[[188, 214]], "Indicator: W32.W.Palevo.lJR8": [[215, 232]], "Indicator: Trojan.DownLoader5.4594": [[233, 256]], "Indicator: Backdoor.DarkKomet.Win32.11962": [[257, 287]], "Indicator: W32/Trojan.FEOJ-4670": [[288, 308]], "Indicator: TR/Drop.Gamarue.J": [[309, 326]], "Indicator: TrojanDropper:Win32/Gamarue.I": [[327, 356]], "Indicator: Trojan.Symmi.D5EBC": [[357, 375]], "Indicator: Backdoor/Win32.DarkKomet.R72424": [[376, 407]], "Indicator: SScope.Malware-Cryptor.Winlock.1513": [[408, 443]], "Indicator: Trojan.Injector!eYQevBEYEJs": [[444, 471]], "Indicator: Trojan-PWS.Win32.Zbot": [[472, 493]]}, "info": {"id": "cyner2_5class_train_03939", "source": "cyner2_5class_train"}} +{"text": "This activity resembles previous campaigns such as Gooligan , HummingBad and CopyCat .", "spans": {"Malware: Gooligan": [[51, 59]], "Malware: HummingBad": [[62, 72]], "Malware: CopyCat": [[77, 84]]}, "info": {"id": "cyner2_5class_train_03940", "source": "cyner2_5class_train"}} +{"text": "Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report .", "spans": {"Organization: Lookout": [[0, 7]]}, "info": {"id": "cyner2_5class_train_03941", "source": "cyner2_5class_train"}} +{"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "cyner2_5class_train_03942", "source": "cyner2_5class_train"}} +{"text": "The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East.", "spans": {"Indicator: multiple emails": [[19, 34]], "Indicator: macro-enabled XLS files": [[46, 69]], "Organization: employees": [[73, 82]], "Organization: the banking sector": [[94, 112]]}, "info": {"id": "cyner2_5class_train_03943", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Opus.175136 Trojan.Win32.Opus!O Trojan.Opus.Win32.6 Trojan/Opus.gd Win32.Trojan.WisdomEyes.16070401.9500.9999 
Win.Trojan.Opus-1 Trojan-Dropper.Win32.Dinwod.aeuh Trojan.Win32.Opus.iiuoo W32.W.AutoRun.l6Zu BehavesLike.Win32.Ransomware.ch Trojan.Win32.Opus Trojan/Opus.e Trojan/Win32.Opus Trojan.Zusy.D53A5 Trojan-Dropper.Win32.Dinwod.aeuh Trojan.Opus Win32/Swimnag.B Trojan.Opus!SLndS2cINJM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Opus.175136": [[26, 48]], "Indicator: Trojan.Win32.Opus!O": [[49, 68]], "Indicator: Trojan.Opus.Win32.6": [[69, 88]], "Indicator: Trojan/Opus.gd": [[89, 103]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[104, 146]], "Indicator: Win.Trojan.Opus-1": [[147, 164]], "Indicator: Trojan-Dropper.Win32.Dinwod.aeuh": [[165, 197], [341, 373]], "Indicator: Trojan.Win32.Opus.iiuoo": [[198, 221]], "Indicator: W32.W.AutoRun.l6Zu": [[222, 240]], "Indicator: BehavesLike.Win32.Ransomware.ch": [[241, 272]], "Indicator: Trojan.Win32.Opus": [[273, 290]], "Indicator: Trojan/Opus.e": [[291, 304]], "Indicator: Trojan/Win32.Opus": [[305, 322]], "Indicator: Trojan.Zusy.D53A5": [[323, 340]], "Indicator: Trojan.Opus": [[374, 385]], "Indicator: Win32/Swimnag.B": [[386, 401]], "Indicator: Trojan.Opus!SLndS2cINJM": [[402, 425]]}, "info": {"id": "cyner2_5class_train_03944", "source": "cyner2_5class_train"}} +{"text": "Contacting the C2 server for instructions .", "spans": {}, "info": {"id": "cyner2_5class_train_03945", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: not-a-virus:AdWare.Win32.BHO.bgvh Riskware.Win32.BHO.ewirij Adware.Spigot.139 ADWARE/BrowserIO.nylnh GrayWare[AdWare]/Win32.BHO Trojan.Razy.D36397 not-a-virus:AdWare.Win32.BHO.bgvh PUP.Optional.SearchBar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: not-a-virus:AdWare.Win32.BHO.bgvh": [[26, 59], [173, 206]], "Indicator: Riskware.Win32.BHO.ewirij": [[60, 85]], "Indicator: Adware.Spigot.139": [[86, 103]], "Indicator: ADWARE/BrowserIO.nylnh": [[104, 126]], "Indicator: GrayWare[AdWare]/Win32.BHO": [[127, 153]], "Indicator: Trojan.Razy.D36397": [[154, 
172]], "Indicator: PUP.Optional.SearchBar": [[207, 229]]}, "info": {"id": "cyner2_5class_train_03946", "source": "cyner2_5class_train"}} +{"text": "] xyzdebra-morgan [ .", "spans": {"Indicator: [ .": [[18, 21]]}, "info": {"id": "cyner2_5class_train_03947", "source": "cyner2_5class_train"}} +{"text": "] us domain : the phone number registered with this domain is the same as the phone number appearing on the Facebook page .", "spans": {"Organization: Facebook": [[108, 116]]}, "info": {"id": "cyner2_5class_train_03948", "source": "cyner2_5class_train"}} +{"text": "It has been operating since November 2016 at least.", "spans": {}, "info": {"id": "cyner2_5class_train_03949", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Tandfuy Trojan.Symmi.DA610 BehavesLike.Win32.Dropper.lt Trojan-Downloader.Win32.Tandfuy W32/Trojan.ZKSQ-8249 TR/Bipamid.dnrhz TrojanDownloader:Win32/Tandfuy.B Trojan/Win32.AVKill.R107811 Trj/GdSda.A Win32/Bipamid.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Tandfuy": [[26, 50]], "Indicator: Trojan.Symmi.DA610": [[51, 69]], "Indicator: BehavesLike.Win32.Dropper.lt": [[70, 98]], "Indicator: Trojan-Downloader.Win32.Tandfuy": [[99, 130]], "Indicator: W32/Trojan.ZKSQ-8249": [[131, 151]], "Indicator: TR/Bipamid.dnrhz": [[152, 168]], "Indicator: TrojanDownloader:Win32/Tandfuy.B": [[169, 201]], "Indicator: Trojan/Win32.AVKill.R107811": [[202, 229]], "Indicator: Trj/GdSda.A": [[230, 241]], "Indicator: Win32/Bipamid.C": [[242, 257]]}, "info": {"id": "cyner2_5class_train_03950", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Cuegoe.18812 Trojan.Dropper Win.Trojan.Cuegoe-6336261-0 Application.Win32.Amonetize.NE BehavesLike.Win32.BrowseFox.gc Trojan/Win32.Unknown Trojan.Zusy.D41B27 Trojan/Win32.Cuegoe.R208534 TrojanDropper.Cuegoe Win32/Trojan.85a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Cuegoe.18812": [[26, 45]], "Indicator: Trojan.Dropper": 
[[46, 60]], "Indicator: Win.Trojan.Cuegoe-6336261-0": [[61, 88]], "Indicator: Application.Win32.Amonetize.NE": [[89, 119]], "Indicator: BehavesLike.Win32.BrowseFox.gc": [[120, 150]], "Indicator: Trojan/Win32.Unknown": [[151, 171]], "Indicator: Trojan.Zusy.D41B27": [[172, 190]], "Indicator: Trojan/Win32.Cuegoe.R208534": [[191, 218]], "Indicator: TrojanDropper.Cuegoe": [[219, 239]], "Indicator: Win32/Trojan.85a": [[240, 256]]}, "info": {"id": "cyner2_5class_train_03951", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.VB.1 Trojan/W32.Cospet.81730 Trojan.Win32.Cospet!O TrojanPWS.VB.CX Trojan.Cospet.Win32.97 Backdoor.VB.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Spy.VB.NFL Backdoor.VB.1 Trojan.Win32.Cospet.ha Backdoor.VB.1 Trojan.Win32.Cospet.bjyzt Trojan.Win32.A.Cospet.81728[UPX] Troj.PSW32.W.QQPass.l9CX Backdoor.VB.1 TrojWare.Win32.Spy.VB.NFL0 Backdoor.VB.1 Win32.HLLW.Autoruner.46782 BehavesLike.Win32.Trojan.lc Trojan/Cospet.gz Trojan.Win32.Cospet Trojan/Cospet.av Trojan/Win32.Cospet Trojan/Win32.Cospet.R2764 Trojan.Win32.Cospet.ha Backdoor.VB.1 Trojan.Cospet!9xWgZWamXaI RAT.LostDoor W32/Cospet.HA!tr Win32/Backdoor.4a9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.VB.1": [[26, 39], [125, 138], [199, 212], [236, 249], [334, 347], [375, 388], [567, 580]], "Indicator: Trojan/W32.Cospet.81730": [[40, 63]], "Indicator: Trojan.Win32.Cospet!O": [[64, 85]], "Indicator: TrojanPWS.VB.CX": [[86, 101]], "Indicator: Trojan.Cospet.Win32.97": [[102, 124]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[139, 181]], "Indicator: Win32/Spy.VB.NFL": [[182, 198]], "Indicator: Trojan.Win32.Cospet.ha": [[213, 235], [544, 566]], "Indicator: Trojan.Win32.Cospet.bjyzt": [[250, 275]], "Indicator: Trojan.Win32.A.Cospet.81728[UPX]": [[276, 308]], "Indicator: Troj.PSW32.W.QQPass.l9CX": [[309, 333]], "Indicator: TrojWare.Win32.Spy.VB.NFL0": [[348, 374]], "Indicator: Win32.HLLW.Autoruner.46782": [[389, 415]], "Indicator: 
BehavesLike.Win32.Trojan.lc": [[416, 443]], "Indicator: Trojan/Cospet.gz": [[444, 460]], "Indicator: Trojan.Win32.Cospet": [[461, 480]], "Indicator: Trojan/Cospet.av": [[481, 497]], "Indicator: Trojan/Win32.Cospet": [[498, 517]], "Indicator: Trojan/Win32.Cospet.R2764": [[518, 543]], "Indicator: Trojan.Cospet!9xWgZWamXaI": [[581, 606]], "Indicator: RAT.LostDoor": [[607, 619]], "Indicator: W32/Cospet.HA!tr": [[620, 636]], "Indicator: Win32/Backdoor.4a9": [[637, 655]]}, "info": {"id": "cyner2_5class_train_03952", "source": "cyner2_5class_train"}} +{"text": "It uses a flash exploit that targets the recent vulnerability in Adobe flash.", "spans": {"Vulnerability: flash exploit": [[10, 23]], "Vulnerability: vulnerability": [[48, 61]], "System: Adobe flash.": [[65, 77]]}, "info": {"id": "cyner2_5class_train_03953", "source": "cyner2_5class_train"}} +{"text": "Credential phishing and an Android banking Trojan combine in Austrian mobile attacks NOVEMBER 03 , 2017 Overview Credential phishing , banking Trojans , and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks .", "spans": {"System: Android": [[27, 34]]}, "info": {"id": "cyner2_5class_train_03954", "source": "cyner2_5class_train"}} +{"text": "The recent RuMMS campaign shows that Smishing is still a popular means for threat actors to distribute their malware .", "spans": {"Malware: RuMMS": [[11, 16]]}, "info": {"id": "cyner2_5class_train_03955", "source": "cyner2_5class_train"}} +{"text": "If one of the applications is deleted , the second application downloads and re-installs the removed one .", "spans": {}, "info": {"id": "cyner2_5class_train_03956", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Rootkit.TDss.F Win32.Trojan.WisdomEyes.16070401.9500.9996 Rootkit.TDss.F Packed.Win32.Krap.e Rootkit.TDss.F Rootkit.TDss.F Rootkit.TDss.F Win32.Troj.Krap.c.35328 Rootkit.TDss.F Packed.Win32.Krap.e Trojan/Win32.Alureon.R61580 
Rootkit.TDss.F W32/PackTdss.Y!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Rootkit.TDss.F": [[26, 40], [84, 98], [119, 133], [134, 148], [149, 163], [188, 202], [251, 265]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[41, 83]], "Indicator: Packed.Win32.Krap.e": [[99, 118], [203, 222]], "Indicator: Win32.Troj.Krap.c.35328": [[164, 187]], "Indicator: Trojan/Win32.Alureon.R61580": [[223, 250]], "Indicator: W32/PackTdss.Y!tr": [[266, 283]]}, "info": {"id": "cyner2_5class_train_03957", "source": "cyner2_5class_train"}} +{"text": "This lead us to estimate there to be over 2.8 billion infections in total , on around 25 Million unique devices , meaning that on average , each victim would have suffered roughly 112 swaps of innocent applications .", "spans": {}, "info": {"id": "cyner2_5class_train_03958", "source": "cyner2_5class_train"}} +{"text": "Cybercriminals are cashing in on advertising and installing legitimate applications.", "spans": {"Indicator: advertising": [[33, 44]], "Indicator: legitimate applications.": [[60, 84]]}, "info": {"id": "cyner2_5class_train_03959", "source": "cyner2_5class_train"}} +{"text": "We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection.", "spans": {"Malware: KeyBoy": [[32, 38]], "System: antivirus detection.": [[95, 115]]}, "info": {"id": "cyner2_5class_train_03960", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba.be Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Tinba.dqteol TrojWare.Win32.Roitamit.BE Trojan.PWS.Tinba.153 Trojan.Tinba.Win32.1916 TR/Crypt.ZPACK.137753 Trojan/Win32.Skeeyah.R216296 Trojan.Tinba Win32/Tinba.BE Trojan.Tinba!GN4G+jbMfD0 Trojan.Win32.Tinba W32/Tinba.BE!tr Win32/Trojan.6ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tinba.WR4": [[26, 42]], "Indicator: Trojan/Tinba.be": [[43, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[59, 
101]], "Indicator: Trojan.Win32.Tinba.dqteol": [[102, 127]], "Indicator: TrojWare.Win32.Roitamit.BE": [[128, 154]], "Indicator: Trojan.PWS.Tinba.153": [[155, 175]], "Indicator: Trojan.Tinba.Win32.1916": [[176, 199]], "Indicator: TR/Crypt.ZPACK.137753": [[200, 221]], "Indicator: Trojan/Win32.Skeeyah.R216296": [[222, 250]], "Indicator: Trojan.Tinba": [[251, 263]], "Indicator: Win32/Tinba.BE": [[264, 278]], "Indicator: Trojan.Tinba!GN4G+jbMfD0": [[279, 303]], "Indicator: Trojan.Win32.Tinba": [[304, 322]], "Indicator: W32/Tinba.BE!tr": [[323, 338]], "Indicator: Win32/Trojan.6ed": [[339, 355]]}, "info": {"id": "cyner2_5class_train_03961", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D167A7 Win32.Trojan.WisdomEyes.16070401.9500.9977 TrojWare.Win32.TrojanDownloader.Small.SGE Trojan.Yakes.uzd Trojan/Win32.Yakes.C2360515 Trojan.Yakes Win32.Trojan.Yakes.Pgcz Win32/Trojan.483", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D167A7": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[45, 87]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.SGE": [[88, 129]], "Indicator: Trojan.Yakes.uzd": [[130, 146]], "Indicator: Trojan/Win32.Yakes.C2360515": [[147, 174]], "Indicator: Trojan.Yakes": [[175, 187]], "Indicator: Win32.Trojan.Yakes.Pgcz": [[188, 211]], "Indicator: Win32/Trojan.483": [[212, 228]]}, "info": {"id": "cyner2_5class_train_03962", "source": "cyner2_5class_train"}} +{"text": "One ELF library , libloc4d.so , handles amongst other things the loading of the app-decoded ELF library file “ sux ” , as well as handling connectivity to the C2 .", "spans": {"Indicator: libloc4d.so": [[18, 29]]}, "info": {"id": "cyner2_5class_train_03963", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesGNOLAH.Trojan Worm.Win32.VB!O Trojan.Jinra.A3 Worm.VB.Win32.2511 W32/VB.bem Win32.Worm.VB.kz W32.SillyFDC Win32/SillyAutorun.CKX WORM_VB.JSE Worm.Win32.VB.bem Trojan.Win32.VB.csfhed 
W32.W.VB.tnRc Win32.Worm.Vb.Szvd WORM_VB.JSE Worm/VB.pbz Worm/Win32.VB Worm:Win32/Jinra.A Trojan.Symmi.D5113 Worm.Win32.A.VB.184320 Worm.Win32.VB.bem Worm/Win32.VB.R125768 Trojan.VBRA.010736 Worm.Email Win32/VB.NUR Worm.VB!cXQoycDN5vU Worm.Win32.AutoRun", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesGNOLAH.Trojan": [[26, 50]], "Indicator: Worm.Win32.VB!O": [[51, 66]], "Indicator: Trojan.Jinra.A3": [[67, 82]], "Indicator: Worm.VB.Win32.2511": [[83, 101]], "Indicator: W32/VB.bem": [[102, 112]], "Indicator: Win32.Worm.VB.kz": [[113, 129]], "Indicator: W32.SillyFDC": [[130, 142]], "Indicator: Win32/SillyAutorun.CKX": [[143, 165]], "Indicator: WORM_VB.JSE": [[166, 177], [252, 263]], "Indicator: Worm.Win32.VB.bem": [[178, 195], [351, 368]], "Indicator: Trojan.Win32.VB.csfhed": [[196, 218]], "Indicator: W32.W.VB.tnRc": [[219, 232]], "Indicator: Win32.Worm.Vb.Szvd": [[233, 251]], "Indicator: Worm/VB.pbz": [[264, 275]], "Indicator: Worm/Win32.VB": [[276, 289]], "Indicator: Worm:Win32/Jinra.A": [[290, 308]], "Indicator: Trojan.Symmi.D5113": [[309, 327]], "Indicator: Worm.Win32.A.VB.184320": [[328, 350]], "Indicator: Worm/Win32.VB.R125768": [[369, 390]], "Indicator: Trojan.VBRA.010736": [[391, 409]], "Indicator: Worm.Email": [[410, 420]], "Indicator: Win32/VB.NUR": [[421, 433]], "Indicator: Worm.VB!cXQoycDN5vU": [[434, 453]], "Indicator: Worm.Win32.AutoRun": [[454, 472]]}, "info": {"id": "cyner2_5class_train_03964", "source": "cyner2_5class_train"}} +{"text": "If the Trojan cannot find this file, it attempts to register itself in autorun.", "spans": {"Malware: Trojan": [[7, 13]], "Indicator: file,": [[31, 36]], "Indicator: register itself in autorun.": [[52, 79]]}, "info": {"id": "cyner2_5class_train_03965", "source": "cyner2_5class_train"}} +{"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign 
targeting Israeli soldiers and orchestrated by \" Hamas .", "spans": {"Malware: GoldenCup": [[12, 21]], "Organization: Israeli Defense Force": [[134, 155]], "System: Android": [[178, 185]], "Organization: Hamas": [[252, 257]]}, "info": {"id": "cyner2_5class_train_03966", "source": "cyner2_5class_train"}} +{"text": "Called HummingBad, this malware establishes a persistent rootkit with the objective to generate fraudulent ad revenue for its perpetrator, similar to the Brain Test app discovered by Check Point earlier this year.", "spans": {"Malware: HummingBad,": [[7, 18]], "Malware: malware": [[24, 31]], "Malware: rootkit": [[57, 64]], "Indicator: fraudulent ad revenue": [[96, 117]], "Organization: perpetrator,": [[126, 138]], "System: Brain Test app": [[154, 168]], "Organization: Check Point": [[183, 194]]}, "info": {"id": "cyner2_5class_train_03967", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9564 Trojan.Razy.D37E6E TrojanDownloader:Win32/Aentdwn.B!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9564": [[26, 68]], "Indicator: Trojan.Razy.D37E6E": [[69, 87]], "Indicator: TrojanDownloader:Win32/Aentdwn.B!bit": [[88, 124]]}, "info": {"id": "cyner2_5class_train_03968", "source": "cyner2_5class_train"}} +{"text": "On Aug.23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before.", "spans": {"Organization: FireEye": [[17, 24]], "Malware: ATM malware": [[52, 63]]}, "info": {"id": "cyner2_5class_train_03969", "source": "cyner2_5class_train"}} +{"text": "on Feb 28 , 2016 .", "spans": {}, "info": {"id": "cyner2_5class_train_03970", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JKVR Trojan.Win32.Scar!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Downloader-56615 Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR 
Trojan.Downloader.JKVR Trojan.Click2.2601 Trojan.Scar.Win32.55928 BehavesLike.Win32.Backdoor.kh Trojan.Win32.Scar TR/Dldr.Pingbed.A.33 TrojanDownloader:Win32/Pingbed.A Trojan.Scar Trojan.Downloader.JKVR W32/Nutiliers.AA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JKVR": [[26, 48], [140, 162], [163, 185], [186, 208], [209, 231], [389, 411]], "Indicator: Trojan.Win32.Scar!O": [[49, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[69, 111]], "Indicator: Win.Trojan.Downloader-56615": [[112, 139]], "Indicator: Trojan.Click2.2601": [[232, 250]], "Indicator: Trojan.Scar.Win32.55928": [[251, 274]], "Indicator: BehavesLike.Win32.Backdoor.kh": [[275, 304]], "Indicator: Trojan.Win32.Scar": [[305, 322]], "Indicator: TR/Dldr.Pingbed.A.33": [[323, 343]], "Indicator: TrojanDownloader:Win32/Pingbed.A": [[344, 376]], "Indicator: Trojan.Scar": [[377, 388]], "Indicator: W32/Nutiliers.AA!tr": [[412, 431]]}, "info": {"id": "cyner2_5class_train_03971", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817461 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817461 [ .": [[21, 65]]}, "info": {"id": "cyner2_5class_train_03972", "source": "cyner2_5class_train"}} +{"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission .", "spans": {"System: Android": [[21, 28]]}, "info": {"id": "cyner2_5class_train_03973", "source": "cyner2_5class_train"}} +{"text": "The FBI and Cuba's Infrastructure Security Agency CISA have issued a joint cybersecurity advisory, warning about the threat posed by Cuba's cyber actors 
and the #StopRansomware.", "spans": {"Organization: The FBI": [[0, 7]], "Organization: Cuba's Infrastructure Security Agency CISA": [[12, 54]], "Indicator: joint cybersecurity advisory,": [[69, 98]], "Malware: threat": [[117, 123]]}, "info": {"id": "cyner2_5class_train_03974", "source": "cyner2_5class_train"}} +{"text": "It performs a privilege check once every second ; if unavailable , the Trojan starts requesting them from the user in an infinite loop : If the user agrees and gives the application the requested privileges , another stub page is displayed , and the app hides its icon : If the Trojan detects an attempt to revoke its administrator privileges , it starts periodically switching off the phone screen , trying to stop the user actions .", "spans": {}, "info": {"id": "cyner2_5class_train_03975", "source": "cyner2_5class_train"}} +{"text": "This encryption algorithm is an extra security layer for communicating with the C2 , an improvement over the previous version of a plain RC4 encryption .", "spans": {}, "info": {"id": "cyner2_5class_train_03976", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Win32/Jorik.KJ Trojan.Win32.Lofumin.exefpy Trojan.MulDrop7.58418 BehavesLike.Win32.Dropper.tc PUA.CoinMiner TR/AD.Lofumin.zzzlc Trojan:Win32/Lofumin.A Trojan.MulDrop Trj/CI.A BAT/CoinMiner.YC BAT/CoinMiner.YC!tr Win32/Trojan.9b2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Win32/Jorik.KJ": [[39, 53]], "Indicator: Trojan.Win32.Lofumin.exefpy": [[54, 81]], "Indicator: Trojan.MulDrop7.58418": [[82, 103]], "Indicator: BehavesLike.Win32.Dropper.tc": [[104, 132]], "Indicator: PUA.CoinMiner": [[133, 146]], "Indicator: TR/AD.Lofumin.zzzlc": [[147, 166]], "Indicator: Trojan:Win32/Lofumin.A": [[167, 189]], "Indicator: Trojan.MulDrop": [[190, 204]], "Indicator: Trj/CI.A": [[205, 213]], "Indicator: BAT/CoinMiner.YC": [[214, 230]], "Indicator: BAT/CoinMiner.YC!tr": [[231, 250]], "Indicator: 
Win32/Trojan.9b2": [[251, 267]]}, "info": {"id": "cyner2_5class_train_03977", "source": "cyner2_5class_train"}} +{"text": "Desert Scorpion 's second stage is capable of installing another non-malicious application ( included in the second stage ) which is highly specific to the Fatah political party and supports the targeting theory .", "spans": {"Malware: Desert Scorpion": [[0, 15]], "Organization: Fatah": [[156, 161]]}, "info": {"id": "cyner2_5class_train_03978", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.OG Win32.Sality.OG Trojan.Win32.Krap.1!O W32.Sality.R W32/Autorun.worm.zzh Trojan.Win32.AutoRun.wazcf W32.SillyFDC AutoRun.BI Win32/Sality.AA WORM_AUTORUN.SMZ Worm.Autorun-1783 Win32.Sality.OG Win32.Sality.L Virus.Win32.TuTu.A.200000 Win32.Sality.OG Win32.Sality.OG Win32.HLLW.Autoruner.6138 Virus.Sality.Win32.15 WORM_AUTORUN.SMZ BehavesLike.Win32.Sality.fm W32/Sality.AA Win32.Sality.ab.173464 Worm:Win32/Hikjav.A Win32/Kashu.B Win32.Sality.OG Virus.Win32.Sality.baka Virus.Win32.Heur W32/AutoRun.FT!tr Win32/Sality.AJ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.PE": [[26, 39]], "Indicator: Win32.Sality.OG": [[40, 55], [56, 71], [230, 245], [287, 302], [303, 318], [483, 498]], "Indicator: Trojan.Win32.Krap.1!O": [[72, 93]], "Indicator: W32.Sality.R": [[94, 106]], "Indicator: W32/Autorun.worm.zzh": [[107, 127]], "Indicator: Trojan.Win32.AutoRun.wazcf": [[128, 154]], "Indicator: W32.SillyFDC": [[155, 167]], "Indicator: AutoRun.BI": [[168, 178]], "Indicator: Win32/Sality.AA": [[179, 194]], "Indicator: WORM_AUTORUN.SMZ": [[195, 211], [367, 383]], "Indicator: Worm.Autorun-1783": [[212, 229]], "Indicator: Win32.Sality.L": [[246, 260]], "Indicator: Virus.Win32.TuTu.A.200000": [[261, 286]], "Indicator: Win32.HLLW.Autoruner.6138": [[319, 344]], "Indicator: Virus.Sality.Win32.15": [[345, 366]], "Indicator: BehavesLike.Win32.Sality.fm": [[384, 411]], "Indicator: W32/Sality.AA": [[412, 425]], 
"Indicator: Win32.Sality.ab.173464": [[426, 448]], "Indicator: Worm:Win32/Hikjav.A": [[449, 468]], "Indicator: Win32/Kashu.B": [[469, 482]], "Indicator: Virus.Win32.Sality.baka": [[499, 522]], "Indicator: Virus.Win32.Heur": [[523, 539]], "Indicator: W32/AutoRun.FT!tr": [[540, 557]], "Indicator: Win32/Sality.AJ": [[558, 573]]}, "info": {"id": "cyner2_5class_train_03979", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VotwupD.fam.Trojan Trojan.Downloader.JNGS Trojan.Win32.Krap.3!O Trojan.Bredolab.AA Trojan.LdPinch.Win32.14316 Trojan/PSW.LdPinch.apfl TROJ_BURNIX.SMEP Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.NKYP Trojan.Bubnix TROJ_BURNIX.SMEP Win.Trojan.Downloader-36570 Trojan.Downloader.JNGS Packed.Win32.Krap.ao Trojan.Downloader.JNGS Trojan.Win32.Krap.dccehe Troj.PSW32.W.LdPinch.apfl!c TrojWare.Win32.PkdKrap.AO Trojan.Downloader.JNGS Trojan.DownLoader1.19419 W32/Trojan.DTIT-2576 Trojan/PSW.LdPinch.wcs W32.Trojan.Trojan-Downloader.Ge Trojan[Packed]/Win32.Krap Trojan.Downloader.JNGS Packed.Win32.Krap.ao TrojanDownloader:Win32/Bubnix.A Win-Trojan/Bredolab.55808 Trojan-Downloader.Ver54 Trojan.Downloader.JNGS Trojan.Downloader.JNGS Trojan.Downloader Win32.Packed.Krap.Efao Trojan.DL.JNGS!S940SQYc1R4 W32/Krap.AON!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VotwupD.fam.Trojan": [[26, 48]], "Indicator: Trojan.Downloader.JNGS": [[49, 71], [300, 322], [344, 366], [446, 468], [596, 618], [722, 744], [745, 767]], "Indicator: Trojan.Win32.Krap.3!O": [[72, 93]], "Indicator: Trojan.Bredolab.AA": [[94, 112]], "Indicator: Trojan.LdPinch.Win32.14316": [[113, 139]], "Indicator: Trojan/PSW.LdPinch.apfl": [[140, 163]], "Indicator: TROJ_BURNIX.SMEP": [[164, 180], [255, 271]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[181, 223]], "Indicator: W32/Trojan2.NKYP": [[224, 240]], "Indicator: Trojan.Bubnix": [[241, 254]], "Indicator: Win.Trojan.Downloader-36570": [[272, 299]], "Indicator: Packed.Win32.Krap.ao": [[323, 
343], [619, 639]], "Indicator: Trojan.Win32.Krap.dccehe": [[367, 391]], "Indicator: Troj.PSW32.W.LdPinch.apfl!c": [[392, 419]], "Indicator: TrojWare.Win32.PkdKrap.AO": [[420, 445]], "Indicator: Trojan.DownLoader1.19419": [[469, 493]], "Indicator: W32/Trojan.DTIT-2576": [[494, 514]], "Indicator: Trojan/PSW.LdPinch.wcs": [[515, 537]], "Indicator: W32.Trojan.Trojan-Downloader.Ge": [[538, 569]], "Indicator: Trojan[Packed]/Win32.Krap": [[570, 595]], "Indicator: TrojanDownloader:Win32/Bubnix.A": [[640, 671]], "Indicator: Win-Trojan/Bredolab.55808": [[672, 697]], "Indicator: Trojan-Downloader.Ver54": [[698, 721]], "Indicator: Trojan.Downloader": [[768, 785]], "Indicator: Win32.Packed.Krap.Efao": [[786, 808]], "Indicator: Trojan.DL.JNGS!S940SQYc1R4": [[809, 835]], "Indicator: W32/Krap.AON!tr": [[836, 851]]}, "info": {"id": "cyner2_5class_train_03980", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke/W32.BadJoke.63153 JOKE_BADGAME.A Joke.Badgame JOKE_BADGAME.A Win.Worm.BadGameA-1 Hoax.Win32.BadJoke.Badgame Riskware.Win32.Badgame.hxed Joke.Win32.FakeFormat.63153 Joke.Win32.BadGame Joke.BadGame W32/Joke.XWVG-6884 HackTool[Hoax]/Win32.Badgame Win32.Joke.Badgame.kcloud Hoax.W32.BadJoke.Badgame!c Hoax.Win32.BadJoke.Badgame Win-Joke/FFormat.63488 Win32.Trojan-psw.Badjoke.Apdb Joke.Badgame.A not-a-virus:BadJoke.Win32.Badgame", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke/W32.BadJoke.63153": [[26, 48]], "Indicator: JOKE_BADGAME.A": [[49, 63], [77, 91]], "Indicator: Joke.Badgame": [[64, 76]], "Indicator: Win.Worm.BadGameA-1": [[92, 111]], "Indicator: Hoax.Win32.BadJoke.Badgame": [[112, 138], [328, 354]], "Indicator: Riskware.Win32.Badgame.hxed": [[139, 166]], "Indicator: Joke.Win32.FakeFormat.63153": [[167, 194]], "Indicator: Joke.Win32.BadGame": [[195, 213]], "Indicator: Joke.BadGame": [[214, 226]], "Indicator: W32/Joke.XWVG-6884": [[227, 245]], "Indicator: HackTool[Hoax]/Win32.Badgame": [[246, 274]], "Indicator: Win32.Joke.Badgame.kcloud": 
[[275, 300]], "Indicator: Hoax.W32.BadJoke.Badgame!c": [[301, 327]], "Indicator: Win-Joke/FFormat.63488": [[355, 377]], "Indicator: Win32.Trojan-psw.Badjoke.Apdb": [[378, 407]], "Indicator: Joke.Badgame.A": [[408, 422]], "Indicator: not-a-virus:BadJoke.Win32.Badgame": [[423, 456]]}, "info": {"id": "cyner2_5class_train_03981", "source": "cyner2_5class_train"}} +{"text": "When we found the exploit it appeared to be under development and evidence suggests it was deployed in Georgia.", "spans": {"Vulnerability: exploit": [[18, 25]]}, "info": {"id": "cyner2_5class_train_03982", "source": "cyner2_5class_train"}} +{"text": "Dridex utilizes an improved version of GoZ's peer-to-peer architecture to protect its command-and-control C2 servers against detection by security researchers and law enforcement.", "spans": {"Malware: Dridex": [[0, 6]], "Malware: GoZ's": [[39, 44]], "System: peer-to-peer architecture": [[45, 70]], "Indicator: command-and-control C2 servers": [[86, 116]], "Organization: security researchers": [[138, 158]], "Organization: law enforcement.": [[163, 179]]}, "info": {"id": "cyner2_5class_train_03983", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VariantBarysR.Trojan Troj.Zeleffo.Sma!c TROJ_ZELEFFO.SMA Trojan.Win32.Nitol.115301 Trojan.Zeleffo.Win32.2 TROJ_ZELEFFO.SMA Trojan.Win32.Nitol Trojan:Win32/Nitol.C SScope.Trojan-Downloader.16517", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VariantBarysR.Trojan": [[26, 50]], "Indicator: Troj.Zeleffo.Sma!c": [[51, 69]], "Indicator: TROJ_ZELEFFO.SMA": [[70, 86], [136, 152]], "Indicator: Trojan.Win32.Nitol.115301": [[87, 112]], "Indicator: Trojan.Zeleffo.Win32.2": [[113, 135]], "Indicator: Trojan.Win32.Nitol": [[153, 171]], "Indicator: Trojan:Win32/Nitol.C": [[172, 192]], "Indicator: SScope.Trojan-Downloader.16517": [[193, 223]]}, "info": {"id": "cyner2_5class_train_03984", "source": "cyner2_5class_train"}} +{"text": "Latest Trickbot's module called shareDll32 used for 
malware spreading in network shares.", "spans": {"Malware: Trickbot's": [[7, 17]], "Malware: shareDll32": [[32, 42]], "Malware: malware": [[52, 59]], "System: network shares.": [[73, 88]]}, "info": {"id": "cyner2_5class_train_03985", "source": "cyner2_5class_train"}} +{"text": "All archives from this phase contain the same files except for one called “ common ” .", "spans": {}, "info": {"id": "cyner2_5class_train_03986", "source": "cyner2_5class_train"}} +{"text": "Some of the settings are Boolean values that act as switches .", "spans": {}, "info": {"id": "cyner2_5class_train_03987", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PUA.Packed.ASPack Trojan/Win32.HDC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUA.Packed.ASPack": [[26, 43]], "Indicator: Trojan/Win32.HDC": [[44, 60]]}, "info": {"id": "cyner2_5class_train_03988", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DoS.Doraah.A Trojan/W32.DoS.959488 Trojan.DoS.Doraah.A DoS.Doraah!A/vo/IPDx2c W32/Rado.A@bd Backdoor.Trojan Smalldoor.BASU DoS.Win32.Doraah Trojan.Win32.Doraah.dgjf Trojan.DoS.Doraah.A DoS.Win32.Doraah Trojan.DoS.Doraah.A BackDoor.IRC.Dostan Tool.Doraah.Win32.4 W32/Rado.SFME-6858 DDoS.Doraah DDOS/Doraah.A.1 HackTool[DoS]/Win32.Doraah Win32.Hack.Doraah.kcloud Win-Trojan/Doraah.959488 Trojan.DoS.Doraah.A Trojan.DoS.Doraah.A DoS.Doraah Win32/DoS.Doraah.A Win32.Trojan.Doraah.Egyh W32/Murscat.A!tr DoS.HX Trojan.Win32.Doraah.aa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DoS.Doraah.A": [[26, 45], [68, 87], [198, 217], [235, 254], [419, 438], [439, 458]], "Indicator: Trojan/W32.DoS.959488": [[46, 67]], "Indicator: DoS.Doraah!A/vo/IPDx2c": [[88, 110]], "Indicator: W32/Rado.A@bd": [[111, 124]], "Indicator: Backdoor.Trojan": [[125, 140]], "Indicator: Smalldoor.BASU": [[141, 155]], "Indicator: DoS.Win32.Doraah": [[156, 172], [218, 234]], "Indicator: Trojan.Win32.Doraah.dgjf": [[173, 197]], "Indicator: BackDoor.IRC.Dostan": 
[[255, 274]], "Indicator: Tool.Doraah.Win32.4": [[275, 294]], "Indicator: W32/Rado.SFME-6858": [[295, 313]], "Indicator: DDoS.Doraah": [[314, 325]], "Indicator: DDOS/Doraah.A.1": [[326, 341]], "Indicator: HackTool[DoS]/Win32.Doraah": [[342, 368]], "Indicator: Win32.Hack.Doraah.kcloud": [[369, 393]], "Indicator: Win-Trojan/Doraah.959488": [[394, 418]], "Indicator: DoS.Doraah": [[459, 469]], "Indicator: Win32/DoS.Doraah.A": [[470, 488]], "Indicator: Win32.Trojan.Doraah.Egyh": [[489, 513]], "Indicator: W32/Murscat.A!tr": [[514, 530]], "Indicator: DoS.HX": [[531, 537]], "Indicator: Trojan.Win32.Doraah.aa": [[538, 560]]}, "info": {"id": "cyner2_5class_train_03989", "source": "cyner2_5class_train"}} +{"text": "The Tick group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years.", "spans": {"Indicator: attacks": [[45, 52]], "Organization: organizations": [[61, 74]]}, "info": {"id": "cyner2_5class_train_03990", "source": "cyner2_5class_train"}} +{"text": "Coralco Tech is an organization located in Cyprus and providing interception tools .", "spans": {"Organization: Coralco Tech": [[0, 12]]}, "info": {"id": "cyner2_5class_train_03991", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.16032.D Trojan-PSW.Win32.Mapler!O PWS.OnLineGames.MY65 PWS-OnlineGames.lf Trojan/PSW.Mapler.vm Win32.Trojan-PSW.OLGames.bx HV_ONLINEGAMES_CI194C7D.RDXN Trojan.Win32.Mapler.tpzmc Trojan.Win32.PSWIGames.16032.G Trojan.NtRootKit.13695 Trojan.Mapler.Win32.112 PWS-OnlineGames.lf Trojan-PWS.OnlineGames Trojan/PSW.Mapler.fj Trojan[PSW]/Win32.Mapler PWS:WinNT/OnLineGames.E TrojanPSW.Mapler Win32/PSW.OnLineGames.QDG Trojan.PWS.Mapler!9tj8NfYyp+s", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.16032.D": [[26, 56]], "Indicator: Trojan-PSW.Win32.Mapler!O": [[57, 82]], "Indicator: PWS.OnLineGames.MY65": [[83, 103]], "Indicator: PWS-OnlineGames.lf": [[104, 122], [305, 323]], 
"Indicator: Trojan/PSW.Mapler.vm": [[123, 143]], "Indicator: Win32.Trojan-PSW.OLGames.bx": [[144, 171]], "Indicator: HV_ONLINEGAMES_CI194C7D.RDXN": [[172, 200]], "Indicator: Trojan.Win32.Mapler.tpzmc": [[201, 226]], "Indicator: Trojan.Win32.PSWIGames.16032.G": [[227, 257]], "Indicator: Trojan.NtRootKit.13695": [[258, 280]], "Indicator: Trojan.Mapler.Win32.112": [[281, 304]], "Indicator: Trojan-PWS.OnlineGames": [[324, 346]], "Indicator: Trojan/PSW.Mapler.fj": [[347, 367]], "Indicator: Trojan[PSW]/Win32.Mapler": [[368, 392]], "Indicator: PWS:WinNT/OnLineGames.E": [[393, 416]], "Indicator: TrojanPSW.Mapler": [[417, 433]], "Indicator: Win32/PSW.OnLineGames.QDG": [[434, 459]], "Indicator: Trojan.PWS.Mapler!9tj8NfYyp+s": [[460, 489]]}, "info": {"id": "cyner2_5class_train_03992", "source": "cyner2_5class_train"}} +{"text": "Capture real-time voice calls in any network or app by hooking into the “ mediaserver ” system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 .", "spans": {"Malware: RCSAndroid": [[103, 113], [157, 167]], "Indicator: AndroidOS_RCSAgent.HRX": [[170, 192]]}, "info": {"id": "cyner2_5class_train_03993", "source": "cyner2_5class_train"}} +{"text": "After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt holds the files for a ransom of $250 to $1000.", "spans": {"Indicator: AES-256 encryption algorithm,": [[45, 74]], "Malware: TeslaCrypt": [[75, 85]], "Indicator: ransom of $250 to $1000.": [[108, 132]]}, "info": {"id": "cyner2_5class_train_03994", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Autoit.Stampado.A Trojan.Blocker.Win32.37081 Ransom_Stampado.R055C0DAS18 Trojan.Encoder.10337 Ransom_Stampado.R055C0DAS18 BehavesLike.Win32.Ransom.fc W32/Trojan.ULQL-2410 Ransom:Win32/Stampado.A Trojan/Win32.Blocker.C1763564 Worm.Win32.Filecoder", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Ransom.Autoit.Stampado.A": [[26, 50]], "Indicator: Trojan.Blocker.Win32.37081": [[51, 77]], "Indicator: Ransom_Stampado.R055C0DAS18": [[78, 105], [127, 154]], "Indicator: Trojan.Encoder.10337": [[106, 126]], "Indicator: BehavesLike.Win32.Ransom.fc": [[155, 182]], "Indicator: W32/Trojan.ULQL-2410": [[183, 203]], "Indicator: Ransom:Win32/Stampado.A": [[204, 227]], "Indicator: Trojan/Win32.Blocker.C1763564": [[228, 257]], "Indicator: Worm.Win32.Filecoder": [[258, 278]]}, "info": {"id": "cyner2_5class_train_03995", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.CVE-2016-0034 Trojan.Crypt.RV Exploit.CVE.Win32.1627 Trojan/Exploit.CVE-2016-0034.p Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Packed2.37654 W32/CVE160034.OKEY-4732 Exploit.CVE-2016-0034.d EXP/Silverlight.AN Trojan[Exploit]/Win32.CVE-2016-0034 Trojan/Win32.MSIL.C1374172 Exploit.CVE20160034 Trj/GdSda.A Win32/Exploit.CVE-2016-0034.P Exploit.CVE-2016-0034!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.CVE-2016-0034": [[26, 47]], "Indicator: Trojan.Crypt.RV": [[48, 63]], "Indicator: Exploit.CVE.Win32.1627": [[64, 86]], "Indicator: Trojan/Exploit.CVE-2016-0034.p": [[87, 117]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[118, 160]], "Indicator: Trojan.Packed2.37654": [[161, 181]], "Indicator: W32/CVE160034.OKEY-4732": [[182, 205]], "Indicator: Exploit.CVE-2016-0034.d": [[206, 229]], "Indicator: EXP/Silverlight.AN": [[230, 248]], "Indicator: Trojan[Exploit]/Win32.CVE-2016-0034": [[249, 284]], "Indicator: Trojan/Win32.MSIL.C1374172": [[285, 311]], "Indicator: Exploit.CVE20160034": [[312, 331]], "Indicator: Trj/GdSda.A": [[332, 343]], "Indicator: Win32/Exploit.CVE-2016-0034.P": [[344, 373]], "Indicator: Exploit.CVE-2016-0034!": [[374, 396]]}, "info": {"id": "cyner2_5class_train_03996", "source": "cyner2_5class_train"}} +{"text": "The Trojan sends these digits to the C & C , which in turn sends a command to display a fake data entry window to check 
the four digits .", "spans": {}, "info": {"id": "cyner2_5class_train_03997", "source": "cyner2_5class_train"}} +{"text": "This brand new malware has real potential to become the next big mobile malware , as it is under constant iterative improvements , abuses a critical operating system feature , and targets financial applications .", "spans": {}, "info": {"id": "cyner2_5class_train_03998", "source": "cyner2_5class_train"}} +{"text": "As many people use their mobile devices for online shopping and even to manage their bank accounts , the mobile arena became increasingly profitable for cyber criminals .", "spans": {}, "info": {"id": "cyner2_5class_train_03999", "source": "cyner2_5class_train"}} +{"text": "The first copying of the exploit code we spotted was from the Sundown exploit kit EK, followed closely by Magnitude and a resurgent KaiXin EK.", "spans": {"Indicator: exploit code": [[25, 37]], "Malware: Sundown exploit kit EK,": [[62, 85]], "Malware: Magnitude": [[106, 115]], "Malware: resurgent KaiXin EK.": [[122, 142]]}, "info": {"id": "cyner2_5class_train_04000", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Graybird Win.Trojan.HackersDoor-6351576-1 Backdoor:Win64/Hackdoor.A!dll Backdoor/Win32.Hackdoor.R28108 Trj/CI.A Win32/Backdoor.14f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Graybird": [[26, 43]], "Indicator: Win.Trojan.HackersDoor-6351576-1": [[44, 76]], "Indicator: Backdoor:Win64/Hackdoor.A!dll": [[77, 106]], "Indicator: Backdoor/Win32.Hackdoor.R28108": [[107, 137]], "Indicator: Trj/CI.A": [[138, 146]], "Indicator: Win32/Backdoor.14f": [[147, 165]]}, "info": {"id": "cyner2_5class_train_04001", "source": "cyner2_5class_train"}} +{"text": "This delay means that a typical testing procedure , which takes less than 10 minutes , will not detect any unwanted behavior .", "spans": {}, "info": {"id": "cyner2_5class_train_04002", "source": "cyner2_5class_train"}} +{"text": "Note that the affected sites have 
consistent followers given the nature of their content.", "spans": {}, "info": {"id": "cyner2_5class_train_04003", "source": "cyner2_5class_train"}} +{"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN ’ s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise .", "spans": {}, "info": {"id": "cyner2_5class_train_04004", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NTPacker Trojan.NTPacker Trojan.NTPacker Win32.Trojan.WisdomEyes.16070401.9500.9936 Bloodhound.NTPacker Win.Trojan.Hydraq-9 Packed.Win32.PolyCrypt.b Trojan.NTPacker Trojan.NTPacker TrojWare.Win32.TrojanDropper.ErPack Trojan.NTPacker BackDoor.Ser.4 Trojan/PSW.QQPass.fk TrojanDropper:Win32/MultiDropper.B Packed.Win32.PolyCrypt.b Trojan.NTPacker Trojan/Win32.Delf.R33596 TScope.Malware-Cryptor.SB Win32.Packed.Polycrypt.Lndy W32/PolyCrypt.B!tr Win32/Trojan.267", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NTPacker": [[26, 41], [42, 57], [58, 73], [182, 197], [198, 213], [250, 265], [362, 377]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9936": [[74, 116]], "Indicator: Bloodhound.NTPacker": [[117, 136]], "Indicator: Win.Trojan.Hydraq-9": [[137, 156]], "Indicator: Packed.Win32.PolyCrypt.b": [[157, 181], [337, 361]], "Indicator: TrojWare.Win32.TrojanDropper.ErPack": [[214, 249]], "Indicator: BackDoor.Ser.4": [[266, 280]], "Indicator: Trojan/PSW.QQPass.fk": [[281, 301]], "Indicator: TrojanDropper:Win32/MultiDropper.B": [[302, 336]], "Indicator: Trojan/Win32.Delf.R33596": [[378, 402]], "Indicator: TScope.Malware-Cryptor.SB": [[403, 428]], "Indicator: Win32.Packed.Polycrypt.Lndy": [[429, 456]], "Indicator: W32/PolyCrypt.B!tr": [[457, 475]], "Indicator: Win32/Trojan.267": [[476, 492]]}, "info": {"id": "cyner2_5class_train_04005", "source": 
"cyner2_5class_train"}} +{"text": "This suggests that the operators of the Command & Control are not enforcing a validation of the targets .", "spans": {}, "info": {"id": "cyner2_5class_train_04006", "source": "cyner2_5class_train"}} +{"text": "IOCs for today Jaff ransomware run", "spans": {"Indicator: IOCs": [[0, 4]], "Malware: Jaff ransomware": [[15, 30]]}, "info": {"id": "cyner2_5class_train_04007", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mjaka.A4 TROJ_MJAKA.C Win32.Trojan.WisdomEyes.16070401.9500.9762 TROJ_MJAKA.C Trojan.Win32.FC.euumqd W32/Trojan.EEMC-0397 Trojan:MSIL/Mjaka.A Spyware.InfoStealer Trj/Mjaka.A Win32/Trojan.9a1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mjaka.A4": [[26, 41]], "Indicator: TROJ_MJAKA.C": [[42, 54], [98, 110]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9762": [[55, 97]], "Indicator: Trojan.Win32.FC.euumqd": [[111, 133]], "Indicator: W32/Trojan.EEMC-0397": [[134, 154]], "Indicator: Trojan:MSIL/Mjaka.A": [[155, 174]], "Indicator: Spyware.InfoStealer": [[175, 194]], "Indicator: Trj/Mjaka.A": [[195, 206]], "Indicator: Win32/Trojan.9a1": [[207, 223]]}, "info": {"id": "cyner2_5class_train_04008", "source": "cyner2_5class_train"}} +{"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘ 54.67.109.199 ’ and ‘ 30010 ’ in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path .", "spans": {"Indicator: 54.67.109.199": [[133, 146]], "Indicator: 30010": [[155, 160]]}, "info": {"id": "cyner2_5class_train_04009", "source": "cyner2_5class_train"}} +{"text": "There have also been cases of users in Ukraine , Germany , Turkey and several other countries being affected .", "spans": {}, "info": {"id": "cyner2_5class_train_04010", "source": 
"cyner2_5class_train"}} +{"text": "( Researchers have been aware of this suite as early as 2014 .", "spans": {}, "info": {"id": "cyner2_5class_train_04011", "source": "cyner2_5class_train"}} +{"text": "These malicious modules report to the attackers about every step they are going to make .", "spans": {}, "info": {"id": "cyner2_5class_train_04012", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: JS.Exploit.ShellCode.c Backdoor.Chches PowerShell/Kryptik.A BKDR_ChChes.SMZJEA-A BKDR_ChChes.SMZJEA-A Trojan.UPLT-5 Trojan:Win32/Posploi.A JS.S.Exploit.121732 Trojan.Win32.Chches Win32/Trojan.76d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS.Exploit.ShellCode.c": [[26, 48]], "Indicator: Backdoor.Chches": [[49, 64]], "Indicator: PowerShell/Kryptik.A": [[65, 85]], "Indicator: BKDR_ChChes.SMZJEA-A": [[86, 106], [107, 127]], "Indicator: Trojan.UPLT-5": [[128, 141]], "Indicator: Trojan:Win32/Posploi.A": [[142, 164]], "Indicator: JS.S.Exploit.121732": [[165, 184]], "Indicator: Trojan.Win32.Chches": [[185, 204]], "Indicator: Win32/Trojan.76d": [[205, 221]]}, "info": {"id": "cyner2_5class_train_04013", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Banker.902656.L Trojan.Win32.Malware.1 Win32/PSW.Delf.NUI Banker.FEDD Trojan-Banker.Win32.Banker.aqtj Win32.HLLM.Sowsat.92 Win32/SillyDl.PVN Backdoor.Win32.Rbot!IK Trojan-Banker.Win32.Banker.aqtj Backdoor.Win32.Rbot PSW.Delf.EFZ Trj/Banker.FWD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Banker.902656.L": [[26, 56]], "Indicator: Trojan.Win32.Malware.1": [[57, 79]], "Indicator: Win32/PSW.Delf.NUI": [[80, 98]], "Indicator: Banker.FEDD": [[99, 110]], "Indicator: Trojan-Banker.Win32.Banker.aqtj": [[111, 142], [205, 236]], "Indicator: Win32.HLLM.Sowsat.92": [[143, 163]], "Indicator: Win32/SillyDl.PVN": [[164, 181]], "Indicator: Backdoor.Win32.Rbot!IK": [[182, 204]], "Indicator: Backdoor.Win32.Rbot": [[237, 256]], "Indicator: PSW.Delf.EFZ": 
[[257, 269]], "Indicator: Trj/Banker.FWD": [[270, 284]]}, "info": {"id": "cyner2_5class_train_04014", "source": "cyner2_5class_train"}} +{"text": "] com .", "spans": {}, "info": {"id": "cyner2_5class_train_04015", "source": "cyner2_5class_train"}} +{"text": "Logcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file .", "spans": {"Malware: FakeSpy": [[17, 24]], "Indicator: libmsy.so": [[30, 39]], "Indicator: mycode.jar file": [[72, 87]]}, "info": {"id": "cyner2_5class_train_04016", "source": "cyner2_5class_train"}} +{"text": "Here are just some of them : ngglobal – FirebaseCloudMessaging topic name Issuer : CN = negg – from several certificates negg.ddns [ .", "spans": {"Indicator: negg.ddns [ .": [[121, 134]]}, "info": {"id": "cyner2_5class_train_04017", "source": "cyner2_5class_train"}} +{"text": "The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month's Hacking Team data breach.", "spans": {"Vulnerability: Adobe Flash vulnerability": [[24, 49]], "Vulnerability: zero-day vulnerabilities": [[70, 94]], "Organization: Hacking Team": [[121, 133]], "Indicator: data breach.": [[134, 146]]}, "info": {"id": "cyner2_5class_train_04018", "source": "cyner2_5class_train"}} +{"text": "In addition, our data showed that there had been a high volume of spam runs during the weekdays and then a decreased volume during the weekends.", "spans": {"Indicator: high volume of spam": [[51, 70]]}, "info": {"id": "cyner2_5class_train_04019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader.CZH O97M.Downloader.DI W97M.Downloader.CZH W97M.Downloader.CZH W97M.Downloader.CZH W97M.Downloader.CZH HEUR_VBA.CN TrojanDownloader:W97M/Ursnif.A W97M.Downloader.CZH W97M.Downloader.CZH virus.office.qexvmc.1100", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.CZH": [[26, 45], [65, 84], [85, 104], [105, 124], [125, 144], [188, 207], [208, 227]], 
"Indicator: O97M.Downloader.DI": [[46, 64]], "Indicator: HEUR_VBA.CN": [[145, 156]], "Indicator: TrojanDownloader:W97M/Ursnif.A": [[157, 187]], "Indicator: virus.office.qexvmc.1100": [[228, 252]]}, "info": {"id": "cyner2_5class_train_04020", "source": "cyner2_5class_train"}} +{"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa Bank of America Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One® Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. 
Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ mobi.societegenerale.mobile.lappli L ’ Appli Société Générale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data .", "spans": {"Indicator: com.android.vending": [[64, 83]], "System: Play Market": [[84, 95]], "Indicator: com.boursorama.android.clients Boursorama": [[96, 137]], "System: Banque": [[138, 144], [185, 191], [1018, 1024]], "Indicator: com.caisseepargne.android.mobilebanking": [[145, 184]], "Indicator: com.chase.sig.android": [[192, 213]], "System: Chase Mobile": [[214, 226]], "Indicator: com.clairmail.fth": [[227, 244]], "System: Fifth Third Mobile Banking": [[245, 271]], "Indicator: com.connectivityapps.hotmail": [[272, 300]], "System: Connect for Hotmail": [[301, 320]], "Indicator: com.google.android.gm": [[321, 342]], "System: Gmail": [[343, 348]], "Indicator: com.imo.android.imoim": [[349, 370]], "System: imo": [[371, 374]], "Indicator: com.infonow.bofa": [[401, 417]], "System: Bank of America Mobile Banking": [[418, 448]], "Indicator: com.IngDirectAndroid": [[449, 469]], "Indicator: com.instagram.android Instagram": [[474, 505]], "Indicator: com.konylabs.capitalone": [[506, 529]], "System: Capital One® Mobile": [[530, 549]], "Indicator: com.mail.mobile.android.mail mail.com": [[550, 587]], "System: mail": [[588, 592]], "Indicator: com.microsoft.office.outlook": [[593, 621]], "System: Microsoft Outlook": [[622, 639]], "Indicator: com.snapchat.android": [[640, 660]], "System: Snapchat": [[661, 669]], 
"Indicator: com.tencent.mm": [[670, 684]], "System: WeChat": [[685, 691]], "Indicator: com.twitter.android": [[692, 711]], "System: Twitter": [[712, 719]], "Indicator: com.ubercab": [[720, 731]], "Organization: Uber": [[732, 736]], "Indicator: com.usaa.mobile.android.usaa": [[737, 765]], "System: USAA Mobile": [[766, 777]], "Indicator: com.usbank.mobilebanking U.S.": [[778, 807]], "Indicator: com.viber.voip": [[837, 851]], "System: Viber": [[852, 857]], "Indicator: com.wf.wellsfargomobile": [[858, 881]], "System: Wells Fargo Mobile": [[882, 900]], "Indicator: com.whatsapp": [[901, 913]], "System: WhatsApp": [[914, 922]], "Indicator: com.yahoo.mobile.client.android.mail": [[923, 959]], "System: Yahoo Mail": [[960, 970]], "Indicator: fr.banquepopulaire.cyberplus": [[989, 1017]], "Indicator: fr.creditagricole.androidapp": [[1035, 1063]], "System: Ma Banque": [[1064, 1073]], "Indicator: jp.co.rakuten_bank.rakutenbank": [[1074, 1104]], "Indicator: mobi.societegenerale.mobile.lappli": [[1123, 1157]], "Indicator: net.bnpparibas.mescomptes": [[1185, 1210]], "Indicator: org.telegram.messenger Telegram": [[1235, 1266]], "Malware: Triout": [[1267, 1273]], "System: Android": [[1298, 1305]]}, "info": {"id": "cyner2_5class_train_04021", "source": "cyner2_5class_train"}} +{"text": "Developed by ksoft, Uploader! 
allows its user to upload files to the internet via FTP.", "spans": {"Organization: ksoft,": [[13, 19]], "System: Uploader!": [[20, 29]], "Indicator: FTP.": [[82, 86]]}, "info": {"id": "cyner2_5class_train_04022", "source": "cyner2_5class_train"}} +{"text": "In some cases , sophisticated web injects were used to trick victims into entering their 2FA codes directly into the web forms controlled by the malware to eliminate the need for the mobile malware component .", "spans": {}, "info": {"id": "cyner2_5class_train_04023", "source": "cyner2_5class_train"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04024", "source": "cyner2_5class_train"}} +{"text": "The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry.", "spans": {"Indicator: attack": [[103, 109]], "Organization: hospitality industry.": [[138, 159]]}, "info": {"id": "cyner2_5class_train_04025", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojWare.Win32.TrojanDownloader.Tibs.1 Riskware.PSWTool.Win32.IEPassView.m!IK not-a-virus:PSWTool.Win32.IEPassView.m", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojWare.Win32.TrojanDownloader.Tibs.1": [[26, 64]], "Indicator: Riskware.PSWTool.Win32.IEPassView.m!IK": [[65, 103]], "Indicator: not-a-virus:PSWTool.Win32.IEPassView.m": [[104, 142]]}, "info": {"id": "cyner2_5class_train_04026", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Injector.Win32.400028 Trojan.Johnnie.D3FAD Trojan.Win32.Kovter.rky Trojan.Win32.Kovter.efkdwr Troj.Dropper.W32.Nail.ldEa Trojan.Kovter.297 PUA.Win32.Dlhelper Trojan.Kovter.axf Trojan:Win32/Kometage.A Trojan.Win32.Kovter.rky Trojan/Win32.Kovter.R186277 Trojan.Kovter Trojan.Kovter!DsLwWELZUiM W32/Injector.DDXC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.Win32.400028": [[26, 54]], "Indicator: Trojan.Johnnie.D3FAD": 
[[55, 75]], "Indicator: Trojan.Win32.Kovter.rky": [[76, 99], [233, 256]], "Indicator: Trojan.Win32.Kovter.efkdwr": [[100, 126]], "Indicator: Troj.Dropper.W32.Nail.ldEa": [[127, 153]], "Indicator: Trojan.Kovter.297": [[154, 171]], "Indicator: PUA.Win32.Dlhelper": [[172, 190]], "Indicator: Trojan.Kovter.axf": [[191, 208]], "Indicator: Trojan:Win32/Kometage.A": [[209, 232]], "Indicator: Trojan/Win32.Kovter.R186277": [[257, 284]], "Indicator: Trojan.Kovter": [[285, 298]], "Indicator: Trojan.Kovter!DsLwWELZUiM": [[299, 324]], "Indicator: W32/Injector.DDXC!tr": [[325, 345]]}, "info": {"id": "cyner2_5class_train_04027", "source": "cyner2_5class_train"}} +{"text": "Project Spy routine At the end of March 2020 , we came across an app masquerading as a coronavirus update app , which we named Project Spy based on the login page of its backend server .", "spans": {"Malware: Project Spy": [[0, 11], [127, 138]]}, "info": {"id": "cyner2_5class_train_04028", "source": "cyner2_5class_train"}} +{"text": "So far, no AV has given any meaningful identification to this malware—it is detected under generic names.", "spans": {"System: AV": [[11, 13]], "Malware: malware—it": [[62, 72]]}, "info": {"id": "cyner2_5class_train_04029", "source": "cyner2_5class_train"}} +{"text": "In early February 2015, Dell SecureWorks Counter Threat UnitTM CTU researchers investigated a new file-encrypting ransomware family named TeslaCrypt, which was distributed by the popular Angler browser exploit kit.", "spans": {"Organization: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[24, 78]], "Malware: file-encrypting ransomware family": [[98, 131]], "Malware: TeslaCrypt,": [[138, 149]], "Malware: Angler browser exploit kit.": [[187, 214]]}, "info": {"id": "cyner2_5class_train_04030", "source": "cyner2_5class_train"}} +{"text": "] ru/7 * * * * * 3 ” or “ % USERNAME % , accept 25,000 on Youla youla-protect [ .", "spans": {"Indicator: youla-protect [ .": [[64, 81]]}, "info": {"id": 
"cyner2_5class_train_04031", "source": "cyner2_5class_train"}} +{"text": "A complete list of sample hashes is available here .", "spans": {}, "info": {"id": "cyner2_5class_train_04032", "source": "cyner2_5class_train"}} +{"text": "We believe that the main goal of attackers using these tools is cybersabotage.", "spans": {"Malware: tools": [[55, 60]]}, "info": {"id": "cyner2_5class_train_04033", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9955 Win.Trojan.Alina-5 Trojan.Win32.Alinaos.ewvxne BehavesLike.Win32.Dropper.qc Trojan.Win32.Alinaos W32/Trojan.ZTVS-0655 TrojanSpy:Win32/Alinaos.G Trojan.Win32.Z.Alinaos.57344 Win32.Worm.Alinaos.C Trj/GdSda.A Win32/Trojan.3de", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9955": [[26, 68]], "Indicator: Win.Trojan.Alina-5": [[69, 87]], "Indicator: Trojan.Win32.Alinaos.ewvxne": [[88, 115]], "Indicator: BehavesLike.Win32.Dropper.qc": [[116, 144]], "Indicator: Trojan.Win32.Alinaos": [[145, 165]], "Indicator: W32/Trojan.ZTVS-0655": [[166, 186]], "Indicator: TrojanSpy:Win32/Alinaos.G": [[187, 212]], "Indicator: Trojan.Win32.Z.Alinaos.57344": [[213, 241]], "Indicator: Win32.Worm.Alinaos.C": [[242, 262]], "Indicator: Trj/GdSda.A": [[263, 274]], "Indicator: Win32/Trojan.3de": [[275, 291]]}, "info": {"id": "cyner2_5class_train_04034", "source": "cyner2_5class_train"}} +{"text": "We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign, a campaign Unit 42 has been following since May 2016.", "spans": {"Organization: Unit 42": [[153, 160]]}, "info": {"id": "cyner2_5class_train_04035", "source": "cyner2_5class_train"}} +{"text": "Here are some of the most notable : ‘ geofence ’ – this command adds a specified location to the implant ’ s internal database and when it matches a device ’ s current location the malware triggers and begins to record 
surrounding audio .", "spans": {}, "info": {"id": "cyner2_5class_train_04036", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.DarkHotel.A5 Trojan/Inexsmar.b Win32.Trojan.WisdomEyes.16070401.9500.9940 W32/Trojan.WHDF-1534 Trojan.Munidub TROJ_ASRUEX.B Trojan.Win32.Zapchast.ahgo Trojan.Win32.Zapchast.eavzfr Troj.W32.Zapchast!c TrojWare.Win32.UMal.chn Trojan.Inexsmar.Win32.1 TROJ_ASRUEX.B BehavesLike.Win32.Downloader.th Trojan.Zapchast.x Trojan/Win32.Zapchast Trojan.Zusy.D2AD58 Trojan.Win32.Zapchast.ahgo Trojan/Win32.Asruex.R175438 Trojan.Zapchast.pk Trojan.Zapchast Trj/GdSda.A Win32/Inexsmar.B Trojan.Zapchast!JP2wAgi6V+c Trojan.Win32.Inexsmar Win32/Trojan.2cb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.DarkHotel.A5": [[26, 48]], "Indicator: Trojan/Inexsmar.b": [[49, 66]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9940": [[67, 109]], "Indicator: W32/Trojan.WHDF-1534": [[110, 130]], "Indicator: Trojan.Munidub": [[131, 145]], "Indicator: TROJ_ASRUEX.B": [[146, 159], [284, 297]], "Indicator: Trojan.Win32.Zapchast.ahgo": [[160, 186], [389, 415]], "Indicator: Trojan.Win32.Zapchast.eavzfr": [[187, 215]], "Indicator: Troj.W32.Zapchast!c": [[216, 235]], "Indicator: TrojWare.Win32.UMal.chn": [[236, 259]], "Indicator: Trojan.Inexsmar.Win32.1": [[260, 283]], "Indicator: BehavesLike.Win32.Downloader.th": [[298, 329]], "Indicator: Trojan.Zapchast.x": [[330, 347]], "Indicator: Trojan/Win32.Zapchast": [[348, 369]], "Indicator: Trojan.Zusy.D2AD58": [[370, 388]], "Indicator: Trojan/Win32.Asruex.R175438": [[416, 443]], "Indicator: Trojan.Zapchast.pk": [[444, 462]], "Indicator: Trojan.Zapchast": [[463, 478]], "Indicator: Trj/GdSda.A": [[479, 490]], "Indicator: Win32/Inexsmar.B": [[491, 507]], "Indicator: Trojan.Zapchast!JP2wAgi6V+c": [[508, 535]], "Indicator: Trojan.Win32.Inexsmar": [[536, 557]], "Indicator: Win32/Trojan.2cb": [[558, 574]]}, "info": {"id": "cyner2_5class_train_04037", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9923 Backdoor.MSIL TR/Ticker.A Trojan/Win32.Unknown Trojan:MSIL/Ticker.A Trojan.Ticker!i0gQR/g7sH4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9923": [[26, 68]], "Indicator: Backdoor.MSIL": [[69, 82]], "Indicator: TR/Ticker.A": [[83, 94]], "Indicator: Trojan/Win32.Unknown": [[95, 115]], "Indicator: Trojan:MSIL/Ticker.A": [[116, 136]], "Indicator: Trojan.Ticker!i0gQR/g7sH4": [[137, 162]]}, "info": {"id": "cyner2_5class_train_04038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Y3krat.25 Backdoor/W32.Y3krat.236032 Backdoor/Y3KRat.25 Backdoor.Y3krat.25 Trojan.Win32.Y3KRat.fqmw W32/Backdoor.CMH Backdoor.Trojan Win32/Y3KRat.25 BKDR_GQ.B Trojan.Y3K-3 Backdoor.Win32.Y3KRat.25 Backdoor.Y3KRat.AS!AU Backdoor.Win32.Y3KRat.236032[h] Win32.Backdoor.Y3krat.Ambw Backdoor.Y3krat.25 Backdoor.Win32.Y3KRat.25 Backdoor.Y3krat.25 BackDoor.Y3krat.18 Backdoor.Y3KRat.Win32.115 BKDR_GQ.B BehavesLike.Win32.Dropper.dc W32/Backdoor.PBIC-7717 Backdoor/Y3KRat.25.a BDS/Y3kRat.25.5 W32/Y3krat.25!tr.bdr Trojan[Backdoor]/Win32.Y3KRat Backdoor.Y3krat.25 Backdoor.W32.Y3KRat.25!c Win-Trojan/Y3KRat.236032 Backdoor:Win32/Y3KRat.2_5 Backdoor.RAT.Y3Backdoor.RAT.V1.8.a Backdoor.Y3KRat Bck/Y3KRat.H Backdoor.Win32.Y3KRat Backdoor.Y3krat.25 Backdoor.Win32.Y3KRat.25", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Y3krat.25": [[26, 44], [91, 109], [313, 331], [357, 375], [571, 589], [752, 770]], "Indicator: Backdoor/W32.Y3krat.236032": [[45, 71]], "Indicator: Backdoor/Y3KRat.25": [[72, 90]], "Indicator: Trojan.Win32.Y3KRat.fqmw": [[110, 134]], "Indicator: W32/Backdoor.CMH": [[135, 151]], "Indicator: Backdoor.Trojan": [[152, 167]], "Indicator: Win32/Y3KRat.25": [[168, 183]], "Indicator: BKDR_GQ.B": [[184, 193], [421, 430]], "Indicator: Trojan.Y3K-3": [[194, 206]], "Indicator: Backdoor.Win32.Y3KRat.25": [[207, 231], [332, 356], [771, 
795]], "Indicator: Backdoor.Y3KRat.AS!AU": [[232, 253]], "Indicator: Backdoor.Win32.Y3KRat.236032[h]": [[254, 285]], "Indicator: Win32.Backdoor.Y3krat.Ambw": [[286, 312]], "Indicator: BackDoor.Y3krat.18": [[376, 394]], "Indicator: Backdoor.Y3KRat.Win32.115": [[395, 420]], "Indicator: BehavesLike.Win32.Dropper.dc": [[431, 459]], "Indicator: W32/Backdoor.PBIC-7717": [[460, 482]], "Indicator: Backdoor/Y3KRat.25.a": [[483, 503]], "Indicator: BDS/Y3kRat.25.5": [[504, 519]], "Indicator: W32/Y3krat.25!tr.bdr": [[520, 540]], "Indicator: Trojan[Backdoor]/Win32.Y3KRat": [[541, 570]], "Indicator: Backdoor.W32.Y3KRat.25!c": [[590, 614]], "Indicator: Win-Trojan/Y3KRat.236032": [[615, 639]], "Indicator: Backdoor:Win32/Y3KRat.2_5": [[640, 665]], "Indicator: Backdoor.RAT.Y3Backdoor.RAT.V1.8.a": [[666, 700]], "Indicator: Backdoor.Y3KRat": [[701, 716]], "Indicator: Bck/Y3KRat.H": [[717, 729]], "Indicator: Backdoor.Win32.Y3KRat": [[730, 751]]}, "info": {"id": "cyner2_5class_train_04039", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.161447 TrojanPSW.OnLineGames.adem Trojan-PSW.Win32.OnLineGames.adem Win32/PSW.OnLineGames.NNU Trojan.Packed.NsAnti Trojan.Spy-35117 Packer.Malware.NSAnti.1 TrojWare.Win32.PSW.OnLineGames.NNU Trojan.PWS.Gamania.9247 Win32/PSW.OnLineGames.NNU Packer.Malware.NSAnti.AL!IK Worm:Win32/Taterf.B Packer.Malware.NSAnti.1 Packer.Win32.Mian007.a Packer.Malware.NSAnti.AL W32/OnLineGames.fam!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.161447": [[26, 55]], "Indicator: TrojanPSW.OnLineGames.adem": [[56, 82]], "Indicator: Trojan-PSW.Win32.OnLineGames.adem": [[83, 116]], "Indicator: Win32/PSW.OnLineGames.NNU": [[117, 142], [264, 289]], "Indicator: Trojan.Packed.NsAnti": [[143, 163]], "Indicator: Trojan.Spy-35117": [[164, 180]], "Indicator: Packer.Malware.NSAnti.1": [[181, 204], [338, 361]], "Indicator: TrojWare.Win32.PSW.OnLineGames.NNU": [[205, 239]], "Indicator: 
Trojan.PWS.Gamania.9247": [[240, 263]], "Indicator: Packer.Malware.NSAnti.AL!IK": [[290, 317]], "Indicator: Worm:Win32/Taterf.B": [[318, 337]], "Indicator: Packer.Win32.Mian007.a": [[362, 384]], "Indicator: Packer.Malware.NSAnti.AL": [[385, 409]], "Indicator: W32/OnLineGames.fam!tr.pws": [[410, 436]]}, "info": {"id": "cyner2_5class_train_04040", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Vundo Win.Downloader.8632-1 MalwareScope.Trojan-PSW.Pinch.1 Trojan.Click.4067 BehavesLike.Win32.Dropper.lc Trojan/Win32.QQPass.R1885", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vundo": [[26, 38]], "Indicator: Win.Downloader.8632-1": [[39, 60]], "Indicator: MalwareScope.Trojan-PSW.Pinch.1": [[61, 92]], "Indicator: Trojan.Click.4067": [[93, 110]], "Indicator: BehavesLike.Win32.Dropper.lc": [[111, 139]], "Indicator: Trojan/Win32.QQPass.R1885": [[140, 165]]}, "info": {"id": "cyner2_5class_train_04041", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Exploit.DCom.naf Exploit.Win32.DCom.khbzi Win.Trojan.Dcom-2 Trojan.Peed!mca6fnIo2DU Exploit.DCom.6 Exploit.DCom.Win32.185 EXP/DCom.Y.13 Win-Trojan/Berbew.51712 Exploit:Win32/Dcom.Y Exploit.DCom Trj/CI.A Net-Worm.Win32.Kolab Exploit.DCOM.RPC Trojan.Win32.DCom.NAF Win32/Trojan.Exploit.3e3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Exploit.DCom.naf": [[26, 49]], "Indicator: Exploit.Win32.DCom.khbzi": [[50, 74]], "Indicator: Win.Trojan.Dcom-2": [[75, 92]], "Indicator: Trojan.Peed!mca6fnIo2DU": [[93, 116]], "Indicator: Exploit.DCom.6": [[117, 131]], "Indicator: Exploit.DCom.Win32.185": [[132, 154]], "Indicator: EXP/DCom.Y.13": [[155, 168]], "Indicator: Win-Trojan/Berbew.51712": [[169, 192]], "Indicator: Exploit:Win32/Dcom.Y": [[193, 213]], "Indicator: Exploit.DCom": [[214, 226]], "Indicator: Trj/CI.A": [[227, 235]], "Indicator: Net-Worm.Win32.Kolab": [[236, 256]], "Indicator: Exploit.DCOM.RPC": [[257, 273]], "Indicator: Trojan.Win32.DCom.NAF": 
[[274, 295]], "Indicator: Win32/Trojan.Exploit.3e3": [[296, 320]]}, "info": {"id": "cyner2_5class_train_04042", "source": "cyner2_5class_train"}} +{"text": "Technical Analysis The malware consists of 2 applications : The Dropper : Brain Test ( Unpacked – com.mile.brain , Packed – com.zmhitlte.brain ) This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device .", "spans": {"Indicator: com.mile.brain": [[98, 112]], "Indicator: com.zmhitlte.brain": [[124, 142]], "System: Google Play": [[168, 179]]}, "info": {"id": "cyner2_5class_train_04043", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9643 W64/Trojan.JENW-7287 Trojan.Uboat BKDR64_UBOAT.A BKDR64_UBOAT.A Backdoor:Win64/UBoatRAT.A Trj/CI.A Backdoor.Rat.UBoatRat", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win64": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9643": [[41, 83]], "Indicator: W64/Trojan.JENW-7287": [[84, 104]], "Indicator: Trojan.Uboat": [[105, 117]], "Indicator: BKDR64_UBOAT.A": [[118, 132], [133, 147]], "Indicator: Backdoor:Win64/UBoatRAT.A": [[148, 173]], "Indicator: Trj/CI.A": [[174, 182]], "Indicator: Backdoor.Rat.UBoatRat": [[183, 204]]}, "info": {"id": "cyner2_5class_train_04044", "source": "cyner2_5class_train"}} +{"text": "The Gh0st malware is a widely used remote administration tool RAT that originated in China in the early 2000s.", "spans": {"Malware: The Gh0st malware": [[0, 17]], "Malware: remote administration tool RAT": [[35, 65]]}, "info": {"id": "cyner2_5class_train_04045", "source": "cyner2_5class_train"}} +{"text": "A popular mobile messaging application, LINE was used as a bait to lure targets in a targeted attack which hit Taiwan government.", "spans": {"Organization: LINE": [[40, 44]], "Organization: Taiwan government.": [[111, 129]]}, "info": {"id": "cyner2_5class_train_04046", "source": "cyner2_5class_train"}} 
+{"text": "The number continues to rise at an additional 13,000 breached devices each day .", "spans": {}, "info": {"id": "cyner2_5class_train_04047", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Karba.24576 TrojanAPT.Garveep.DL4 Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Win32.Karba.ai Trojan.Win32.DownLoad3.cztnhk Win32.Trojan.Karba.Pdvp TrojWare.Win32.Dialer.AFXP Trojan.DownLoad3.18105 Trojan.Karba.Win32.9 W32/Trojan.DWPP-4593 TR/Spy.mulkf Trojan.DarkHotel.23 Trojan.Win32.Karba.ai Win32/Trojan.7fa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Karba.24576": [[26, 48]], "Indicator: TrojanAPT.Garveep.DL4": [[49, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[71, 113]], "Indicator: Trojan.Win32.Karba.ai": [[114, 135], [315, 336]], "Indicator: Trojan.Win32.DownLoad3.cztnhk": [[136, 165]], "Indicator: Win32.Trojan.Karba.Pdvp": [[166, 189]], "Indicator: TrojWare.Win32.Dialer.AFXP": [[190, 216]], "Indicator: Trojan.DownLoad3.18105": [[217, 239]], "Indicator: Trojan.Karba.Win32.9": [[240, 260]], "Indicator: W32/Trojan.DWPP-4593": [[261, 281]], "Indicator: TR/Spy.mulkf": [[282, 294]], "Indicator: Trojan.DarkHotel.23": [[295, 314]], "Indicator: Win32/Trojan.7fa": [[337, 353]]}, "info": {"id": "cyner2_5class_train_04048", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.TDss.ET Trojan.TDSS Trojan.TDss.ET WORM_TDSS.SMY Win32.Trojan.WisdomEyes.16070401.9500.9999 WORM_TDSS.SMY Trojan.TDss.ET Packed.Win32.TDSS.f Trojan.TDss.ET Trojan.Win32.Tdss.btyvr Trojan.Win32.Z.Tdss.23552.A Packer.W32.Tdss.kYT0 Trojan.TDss.ET Win32.PkdTdss Trojan.Packed.365 Trojan.Kryptik.Win32.1293691 BehavesLike.Win32.FakeAlert.mh Trojan.Win32.Alureon Trojan[Packed]/Win32.TDSS Win32.Troj.TdssT.jr.102400 Trojan.TDss.ET Packed.Win32.TDSS.f TrojanDownloader:Win32/Rugzip.A Packed/Win32.Tdss.C53201 Trojan.TDSS.01414 Win32.Packed.Tdss.Pgdn W32/PackTDssfilter.I!tr Win32/Trojan.d9b", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Trojan.TDss.ET": [[26, 40], [53, 67], [139, 153], [174, 188], [262, 276], [443, 457]], "Indicator: Trojan.TDSS": [[41, 52]], "Indicator: WORM_TDSS.SMY": [[68, 81], [125, 138]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Packed.Win32.TDSS.f": [[154, 173], [458, 477]], "Indicator: Trojan.Win32.Tdss.btyvr": [[189, 212]], "Indicator: Trojan.Win32.Z.Tdss.23552.A": [[213, 240]], "Indicator: Packer.W32.Tdss.kYT0": [[241, 261]], "Indicator: Win32.PkdTdss": [[277, 290]], "Indicator: Trojan.Packed.365": [[291, 308]], "Indicator: Trojan.Kryptik.Win32.1293691": [[309, 337]], "Indicator: BehavesLike.Win32.FakeAlert.mh": [[338, 368]], "Indicator: Trojan.Win32.Alureon": [[369, 389]], "Indicator: Trojan[Packed]/Win32.TDSS": [[390, 415]], "Indicator: Win32.Troj.TdssT.jr.102400": [[416, 442]], "Indicator: TrojanDownloader:Win32/Rugzip.A": [[478, 509]], "Indicator: Packed/Win32.Tdss.C53201": [[510, 534]], "Indicator: Trojan.TDSS.01414": [[535, 552]], "Indicator: Win32.Packed.Tdss.Pgdn": [[553, 575]], "Indicator: W32/PackTDssfilter.I!tr": [[576, 599]], "Indicator: Win32/Trojan.d9b": [[600, 616]]}, "info": {"id": "cyner2_5class_train_04049", "source": "cyner2_5class_train"}} +{"text": "Not long after this variant was public , newer variants of HenBox were seen , and some had significant increases in the number of targeted apps .", "spans": {"Malware: HenBox": [[59, 65]]}, "info": {"id": "cyner2_5class_train_04050", "source": "cyner2_5class_train"}} +{"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity .", "spans": {}, "info": {"id": "cyner2_5class_train_04051", "source": "cyner2_5class_train"}} +{"text": "On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries.", "spans": {"Indicator: a new cyberattack": [[26, 43]], "System: computer systems": [[53, 69]]}, "info": {"id": 
"cyner2_5class_train_04052", "source": "cyner2_5class_train"}} +{"text": "The stolen data fields are : Mobile - The infected device phone number Machine - The device model ( in our example : Google Pixel 2 ) Sversion - The OS version Bank - Checks if there are any banking-related or cryptocurrency trading apps Provider - The telecommunication provider ( IMSI value in device settings ) npki - Checks if the folder named NPKI ( National Public Key Infrastructure ) might contain authentication certificates related to financial transactions onStartCommand function for stealing device information and additional sensitive data .", "spans": {"System: Google Pixel 2": [[117, 131]]}, "info": {"id": "cyner2_5class_train_04053", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RansomeDNZ.Trojan Ransom/W32.crysis.94720 Ransom.Crysis.S162740 Trojan/Filecoder.Crysis.l Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Wadhrama.B Win32.Trojan-Ransom.VirusEncoder.A Trojan-Ransom.Win32.Crusis.to Trojan.Win32.Filecoder.emdnxn Trojan.Win32.Ransom.94720.F Troj.Ransom.W32.Crusis.tpcS TrojWare.Win32.Crysis.D Trojan.Encoder.3953 Trojan.Crusis.Win32.806 BehavesLike.Win32.Ransom.nc Trojan-Ransom.Crysis W32/Trojan.ILHO-9216 Trojan.Crypren.ic Trojan.Ransom.Crysis.6 Ransom.Crysis/Variant Trojan-Ransom.Win32.Crusis.to Trojan.Ransom.Crysis Hoax.Crusis Trj/GdSda.A Trojan-Ransom.Win32.Crysis.a W32/Crysis.L!tr.ransom Win32/Trojan.Ransom.f44", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RansomeDNZ.Trojan": [[26, 47]], "Indicator: Ransom/W32.crysis.94720": [[48, 71]], "Indicator: Ransom.Crysis.S162740": [[72, 93]], "Indicator: Trojan/Filecoder.Crysis.l": [[94, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[120, 162]], "Indicator: W32/Wadhrama.B": [[163, 177]], "Indicator: Win32.Trojan-Ransom.VirusEncoder.A": [[178, 212]], "Indicator: Trojan-Ransom.Win32.Crusis.to": [[213, 242], [530, 559]], "Indicator: Trojan.Win32.Filecoder.emdnxn": [[243, 
272]], "Indicator: Trojan.Win32.Ransom.94720.F": [[273, 300]], "Indicator: Troj.Ransom.W32.Crusis.tpcS": [[301, 328]], "Indicator: TrojWare.Win32.Crysis.D": [[329, 352]], "Indicator: Trojan.Encoder.3953": [[353, 372]], "Indicator: Trojan.Crusis.Win32.806": [[373, 396]], "Indicator: BehavesLike.Win32.Ransom.nc": [[397, 424]], "Indicator: Trojan-Ransom.Crysis": [[425, 445]], "Indicator: W32/Trojan.ILHO-9216": [[446, 466]], "Indicator: Trojan.Crypren.ic": [[467, 484]], "Indicator: Trojan.Ransom.Crysis.6": [[485, 507]], "Indicator: Ransom.Crysis/Variant": [[508, 529]], "Indicator: Trojan.Ransom.Crysis": [[560, 580]], "Indicator: Hoax.Crusis": [[581, 592]], "Indicator: Trj/GdSda.A": [[593, 604]], "Indicator: Trojan-Ransom.Win32.Crysis.a": [[605, 633]], "Indicator: W32/Crysis.L!tr.ransom": [[634, 656]], "Indicator: Win32/Trojan.Ransom.f44": [[657, 680]]}, "info": {"id": "cyner2_5class_train_04054", "source": "cyner2_5class_train"}} +{"text": "It sets particular parameters in relation to call details and a further service named calls takes the control as seen in Figure 5 .", "spans": {}, "info": {"id": "cyner2_5class_train_04055", "source": "cyner2_5class_train"}} +{"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware HummingBad .", "spans": {"System: Google Play": [[38, 49]], "System: GMS ( Google Mobile Services )": [[53, 83]], "Malware: Gooligan": [[110, 118]], "Malware: HummingBad": [[188, 198]]}, "info": {"id": "cyner2_5class_train_04056", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Nagoot.FC.161 MSIL.Trojan.Injector.l W32/Trojan.MIPO-0322 Downloader.Ponik Trojan.Win32.Inject1.exqnlv Trojan.Win32.Z.Nagoot.68608.A Trojan.Inject1.54664 Trojan.MSIL.Nagoot TR/Dropper.MSIL.rjbya Trojan.MSIL.Bladabindi.1 Trojan:MSIL/Nagoot.A Trojan.PasswordStealer Trj/GdSda.A MSIL/Injector.IFP!tr Win32/Trojan.62b", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nagoot.FC.161": [[26, 46]], "Indicator: MSIL.Trojan.Injector.l": [[47, 69]], "Indicator: W32/Trojan.MIPO-0322": [[70, 90]], "Indicator: Downloader.Ponik": [[91, 107]], "Indicator: Trojan.Win32.Inject1.exqnlv": [[108, 135]], "Indicator: Trojan.Win32.Z.Nagoot.68608.A": [[136, 165]], "Indicator: Trojan.Inject1.54664": [[166, 186]], "Indicator: Trojan.MSIL.Nagoot": [[187, 205]], "Indicator: TR/Dropper.MSIL.rjbya": [[206, 227]], "Indicator: Trojan.MSIL.Bladabindi.1": [[228, 252]], "Indicator: Trojan:MSIL/Nagoot.A": [[253, 273]], "Indicator: Trojan.PasswordStealer": [[274, 296]], "Indicator: Trj/GdSda.A": [[297, 308]], "Indicator: MSIL/Injector.IFP!tr": [[309, 329]], "Indicator: Win32/Trojan.62b": [[330, 346]]}, "info": {"id": "cyner2_5class_train_04057", "source": "cyner2_5class_train"}} +{"text": "This malware-life-cycle has been observed to reoccur every few years , bringing new malware families into light .", "spans": {}, "info": {"id": "cyner2_5class_train_04058", "source": "cyner2_5class_train"}} +{"text": "In recent years , some malicious Android applications abused these accessibility services in various attack scenarios .", "spans": {"System: Android": [[33, 40]]}, "info": {"id": "cyner2_5class_train_04059", "source": "cyner2_5class_train"}} +{"text": "Allows an application to read from external storage .", "spans": {}, "info": {"id": "cyner2_5class_train_04060", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.XhglJIK1DLL.Rootkit Trojan/W32.Cariez.32768.AU BackDoor-DTL.a Trojan.Cariez.Win32.270 Trojan/Koutodoor.dx TROJ_CARIEZ.SMA Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_CARIEZ.SMA Win.Trojan.Cariez-189 Trojan.Win32.Cariez.a Trojan.Win32.Cariez.byufu TrojWare.Win32.Zybr.A Trojan.RKDoor.59 BackDoor-DTL.a Trojan.Win32.Cariez Trojan/Win32.Cariez Adware.Heur.E02D22 Trojan.Win32.Cariez.a Trojan:Win32/Cariez.A Backdoor/Win32.Koutodoor.R1208 TScope.Malware-Cryptor.SB 
Trj/Cariez.A Trojan.Win32.Cariez.bhg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.XhglJIK1DLL.Rootkit": [[26, 49]], "Indicator: Trojan/W32.Cariez.32768.AU": [[50, 76]], "Indicator: BackDoor-DTL.a": [[77, 91], [320, 334]], "Indicator: Trojan.Cariez.Win32.270": [[92, 115]], "Indicator: Trojan/Koutodoor.dx": [[116, 135]], "Indicator: TROJ_CARIEZ.SMA": [[136, 151], [195, 210]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[152, 194]], "Indicator: Win.Trojan.Cariez-189": [[211, 232]], "Indicator: Trojan.Win32.Cariez.a": [[233, 254], [394, 415]], "Indicator: Trojan.Win32.Cariez.byufu": [[255, 280]], "Indicator: TrojWare.Win32.Zybr.A": [[281, 302]], "Indicator: Trojan.RKDoor.59": [[303, 319]], "Indicator: Trojan.Win32.Cariez": [[335, 354]], "Indicator: Trojan/Win32.Cariez": [[355, 374]], "Indicator: Adware.Heur.E02D22": [[375, 393]], "Indicator: Trojan:Win32/Cariez.A": [[416, 437]], "Indicator: Backdoor/Win32.Koutodoor.R1208": [[438, 468]], "Indicator: TScope.Malware-Cryptor.SB": [[469, 494]], "Indicator: Trj/Cariez.A": [[495, 507]], "Indicator: Trojan.Win32.Cariez.bhg": [[508, 531]]}, "info": {"id": "cyner2_5class_train_04061", "source": "cyner2_5class_train"}} +{"text": "While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.", "spans": {"Organization: individuals": [[124, 135]], "Organization: organizations": [[139, 152]]}, "info": {"id": "cyner2_5class_train_04062", "source": "cyner2_5class_train"}} +{"text": "This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil.", "spans": {"Malware: malware,": [[35, 43]]}, "info": {"id": "cyner2_5class_train_04063", "source": "cyner2_5class_train"}} +{"text": "This blog links this recent activity with previous isolated public 
reporting on similar attacks we believe are related.", "spans": {}, "info": {"id": "cyner2_5class_train_04064", "source": "cyner2_5class_train"}} +{"text": "Collection of payloads being delivered via the Apache Struts vulnerability - CVE-2017-5638", "spans": {"Malware: payloads": [[14, 22]], "Vulnerability: the Apache Struts vulnerability": [[43, 74]], "Indicator: CVE-2017-5638": [[77, 90]]}, "info": {"id": "cyner2_5class_train_04065", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Gargamel.A Backdoor.Gargamel.A Backdoor.Trojan BKDR_GARGAM.A Backdoor.Win32.Gargamel.a Backdoor.Gargamel.A Backdoor.Gargamel!8hABCfPKz0o Backdoor.Win32.Gargamel.Downloader Backdoor.Gargamel.A BackDoor.Gargamel BDS/Gargamel.A.10 BKDR_GARGAM.A Win-Trojan/Gargamel.17717 Backdoor.Gargamel.A Backdoor.Trojan Win32/Gargamel.Downloader Backdoor.Win32.Gargamel W32/Uploade.B!tr.bdr BackDoor.Gargamel.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Gargamel.A": [[26, 45], [46, 65], [122, 141], [207, 226], [303, 322]], "Indicator: Backdoor.Trojan": [[66, 81], [323, 338]], "Indicator: BKDR_GARGAM.A": [[82, 95], [263, 276]], "Indicator: Backdoor.Win32.Gargamel.a": [[96, 121]], "Indicator: Backdoor.Gargamel!8hABCfPKz0o": [[142, 171]], "Indicator: Backdoor.Win32.Gargamel.Downloader": [[172, 206]], "Indicator: BackDoor.Gargamel": [[227, 244]], "Indicator: BDS/Gargamel.A.10": [[245, 262]], "Indicator: Win-Trojan/Gargamel.17717": [[277, 302]], "Indicator: Win32/Gargamel.Downloader": [[339, 364]], "Indicator: Backdoor.Win32.Gargamel": [[365, 388]], "Indicator: W32/Uploade.B!tr.bdr": [[389, 409]], "Indicator: BackDoor.Gargamel.B": [[410, 429]]}, "info": {"id": "cyner2_5class_train_04066", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: KillCMOS.K Trojan.KillCMOS.O Trojan.KillCMOS.O Trojan.KillCMOS.O Trojan.KillCMOS.O TROJ_KILLCMOS.L Win.Trojan.KillCMOS-14 Trojan.KillCMOS.O Trojan.DOS.KillCMOS.k Trojan.Dos.KillCMOS.blmit 
Troj.DOS.KillCMOS.k!c Trojan.KillCMOS.O Trojan.KillCMOS.O TROJ_KILLCMOS.L KillCMOS.h TR/KillCMOS.J Trojan:DOS/KillCMOS.remnants Trojan.DOS.KillCMOS.k KillCMOS.h Dos.Trojan.Killcmos.Ebgc Trojan.KillCMOS Trj/KillCMOS.K Win32/Trojan.8f3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: KillCMOS.K": [[26, 36]], "Indicator: Trojan.KillCMOS.O": [[37, 54], [55, 72], [73, 90], [91, 108], [148, 165], [236, 253], [254, 271]], "Indicator: TROJ_KILLCMOS.L": [[109, 124], [272, 287]], "Indicator: Win.Trojan.KillCMOS-14": [[125, 147]], "Indicator: Trojan.DOS.KillCMOS.k": [[166, 187], [342, 363]], "Indicator: Trojan.Dos.KillCMOS.blmit": [[188, 213]], "Indicator: Troj.DOS.KillCMOS.k!c": [[214, 235]], "Indicator: KillCMOS.h": [[288, 298], [364, 374]], "Indicator: TR/KillCMOS.J": [[299, 312]], "Indicator: Trojan:DOS/KillCMOS.remnants": [[313, 341]], "Indicator: Dos.Trojan.Killcmos.Ebgc": [[375, 399]], "Indicator: Trojan.KillCMOS": [[400, 415]], "Indicator: Trj/KillCMOS.K": [[416, 430]], "Indicator: Win32/Trojan.8f3": [[431, 447]]}, "info": {"id": "cyner2_5class_train_04067", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader.DF HEUR.VBA.Trojan.e W2KM_DLOADR.YYSQD Trojan-Dropper:W97M/MaliciousMacro.B W2KM_DLOADR.YYSQD TrojanDropper:W97M/Miskip.B!dha Trojan-Dropper.W97M.Miskip heur.macro.infect.l", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.DF": [[26, 44]], "Indicator: HEUR.VBA.Trojan.e": [[45, 62]], "Indicator: W2KM_DLOADR.YYSQD": [[63, 80], [118, 135]], "Indicator: Trojan-Dropper:W97M/MaliciousMacro.B": [[81, 117]], "Indicator: TrojanDropper:W97M/Miskip.B!dha": [[136, 167]], "Indicator: Trojan-Dropper.W97M.Miskip": [[168, 194]], "Indicator: heur.macro.infect.l": [[195, 214]]}, "info": {"id": "cyner2_5class_train_04068", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameELIYTAAD.Trojan Trojan-Ransom.Win32.Blocker!O Backdoor.Bustem.A5 Trojan.BCMiner Troj.Ransom.W32.Blocker!c 
Trojan.Johnnie.D545 TSPY_DOWNLOADER_CA0827C3.TOMC Trojan-Ransom.Win32.Blocker.jcku Trojan.Win32.AVKill.dqatba Trojan.Win32.A.Scar.118272.A Trojan.AVKill.11731 TSPY_DOWNLOADER_CA0827C3.TOMC BehavesLike.Win32.LoadMoney.ch Backdoor.Win32.Bustem Trojan/Win32.Unknown Backdoor:Win32/Bustem.A Trojan-Ransom.Win32.Blocker.jcku Trojan/Win32.Downloader.R14675 Hoax.Blocker Trojan-ransom.Win32.Blocker.cwfe Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameELIYTAAD.Trojan": [[26, 51]], "Indicator: Trojan-Ransom.Win32.Blocker!O": [[52, 81]], "Indicator: Backdoor.Bustem.A5": [[82, 100]], "Indicator: Trojan.BCMiner": [[101, 115]], "Indicator: Troj.Ransom.W32.Blocker!c": [[116, 141]], "Indicator: Trojan.Johnnie.D545": [[142, 161]], "Indicator: TSPY_DOWNLOADER_CA0827C3.TOMC": [[162, 191], [301, 330]], "Indicator: Trojan-Ransom.Win32.Blocker.jcku": [[192, 224], [429, 461]], "Indicator: Trojan.Win32.AVKill.dqatba": [[225, 251]], "Indicator: Trojan.Win32.A.Scar.118272.A": [[252, 280]], "Indicator: Trojan.AVKill.11731": [[281, 300]], "Indicator: BehavesLike.Win32.LoadMoney.ch": [[331, 361]], "Indicator: Backdoor.Win32.Bustem": [[362, 383]], "Indicator: Trojan/Win32.Unknown": [[384, 404]], "Indicator: Backdoor:Win32/Bustem.A": [[405, 428]], "Indicator: Trojan/Win32.Downloader.R14675": [[462, 492]], "Indicator: Hoax.Blocker": [[493, 505]], "Indicator: Trojan-ransom.Win32.Blocker.cwfe": [[506, 538]], "Indicator: Win32/RootKit.Rootkit.7e5": [[539, 564]]}, "info": {"id": "cyner2_5class_train_04069", "source": "cyner2_5class_train"}} +{"text": "The growing number of samples demonstrate that criminals are actively adopting this malware.", "spans": {"Malware: malware.": [[84, 92]]}, "info": {"id": "cyner2_5class_train_04070", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.BadJoke!O W32/Joke.O Joke.Irritan JOKE_IRRITAN.A Hoax.Win32.BadJoke.Irritan Riskware.Win32.Irritan.hrfs Joke.Win32.Irritan.A FDOS.Winskill 
Backdoor.PePatch.Win32.34151 JOKE_IRRITAN.A W32/Joke.ASXP-0124 not-virus:Joke.Win32.Irritan JOKE/Irritan.A HackTool[Hoax]/Win32.Irritan Win32.Joke.Irritan.kcloud Win-AppCare/Irritan.248877 Trojan.Win32.BadJoke.AD Win32/Irritan.A Hoax.Win32.BadJoke.Irritan Win32/Joke.bee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.BadJoke!O": [[26, 46]], "Indicator: W32/Joke.O": [[47, 57]], "Indicator: Joke.Irritan": [[58, 70]], "Indicator: JOKE_IRRITAN.A": [[71, 85], [205, 219]], "Indicator: Hoax.Win32.BadJoke.Irritan": [[86, 112], [405, 431]], "Indicator: Riskware.Win32.Irritan.hrfs": [[113, 140]], "Indicator: Joke.Win32.Irritan.A": [[141, 161]], "Indicator: FDOS.Winskill": [[162, 175]], "Indicator: Backdoor.PePatch.Win32.34151": [[176, 204]], "Indicator: W32/Joke.ASXP-0124": [[220, 238]], "Indicator: not-virus:Joke.Win32.Irritan": [[239, 267]], "Indicator: JOKE/Irritan.A": [[268, 282]], "Indicator: HackTool[Hoax]/Win32.Irritan": [[283, 311]], "Indicator: Win32.Joke.Irritan.kcloud": [[312, 337]], "Indicator: Win-AppCare/Irritan.248877": [[338, 364]], "Indicator: Trojan.Win32.BadJoke.AD": [[365, 388]], "Indicator: Win32/Irritan.A": [[389, 404]], "Indicator: Win32/Joke.bee": [[432, 446]]}, "info": {"id": "cyner2_5class_train_04071", "source": "cyner2_5class_train"}} +{"text": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.", "spans": {"System: Microsoft OneNote's": [[38, 57]], "Indicator: embed files": [[69, 80]], "Indicator: phishing emails": [[128, 143]], "Indicator: OneNote document,": [[165, 182]], "Malware: malicious files.": [[230, 246]]}, "info": {"id": "cyner2_5class_train_04072", "source": "cyner2_5class_train"}} +{"text": "The pushTAN method has a clear advantage : It improves security by mitigating the risk of SIM swapping attacks and SMS stealers .", 
"spans": {}, "info": {"id": "cyner2_5class_train_04073", "source": "cyner2_5class_train"}} +{"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be “ re-flashed. ” Change your Google account passwords immediately after this process .", "spans": {"Organization: Google": [[203, 209]]}, "info": {"id": "cyner2_5class_train_04074", "source": "cyner2_5class_train"}} +{"text": "With this group being active for roughly one year, we decided to revisit this threat to determine what, if any, changes had been made to their toolset.", "spans": {"Organization: group": [[10, 15]], "Malware: threat": [[78, 84]], "Malware: toolset.": [[143, 151]]}, "info": {"id": "cyner2_5class_train_04075", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper/W32.Stabs.90045 TrojanDropper.Stabs.cvo Trojan/Dropper.Stabs.dka Win32/Bifrose.NDU W32/Trojan2.HEAS W32/Smalltroj.QFFP BKDR_BIFROSE.SMC BackDoor.IRC.Sdbot.3713 BKDR_BIFROSE.SMC Trojan-Downloader.Win32.Buzus!IK W32/Trojan2.HEAS TrojanDownloader:Win32/Buzus.F Trojan-Downloader.Win32.Buzus W32/Injector.IA!tr Trj/Buzus.AH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper/W32.Stabs.90045": [[26, 56]], "Indicator: TrojanDropper.Stabs.cvo": [[57, 80]], "Indicator: Trojan/Dropper.Stabs.dka": [[81, 105]], "Indicator: Win32/Bifrose.NDU": [[106, 123]], "Indicator: W32/Trojan2.HEAS": [[124, 140], [251, 267]], "Indicator: W32/Smalltroj.QFFP": [[141, 159]], "Indicator: BKDR_BIFROSE.SMC": [[160, 176], [201, 217]], "Indicator: BackDoor.IRC.Sdbot.3713": [[177, 200]], "Indicator: Trojan-Downloader.Win32.Buzus!IK": [[218, 250]], "Indicator: TrojanDownloader:Win32/Buzus.F": [[268, 298]], "Indicator: Trojan-Downloader.Win32.Buzus": [[299, 328]], "Indicator: W32/Injector.IA!tr": [[329, 347]], "Indicator: Trj/Buzus.AH": [[348, 360]]}, "info": {"id": "cyner2_5class_train_04076", 
"source": "cyner2_5class_train"}} +{"text": "These components include a unique loader, downloader, and not one but two different trojan components.", "spans": {"Malware: loader, downloader,": [[34, 53]], "Malware: trojan": [[84, 90]]}, "info": {"id": "cyner2_5class_train_04077", "source": "cyner2_5class_train"}} +{"text": "ALLCONTACTS – send all contacts from phone memory to C & C .", "spans": {}, "info": {"id": "cyner2_5class_train_04078", "source": "cyner2_5class_train"}} +{"text": "URL — update C & C address .", "spans": {}, "info": {"id": "cyner2_5class_train_04079", "source": "cyner2_5class_train"}} +{"text": "] com are or were intended for malicious use .", "spans": {}, "info": {"id": "cyner2_5class_train_04080", "source": "cyner2_5class_train"}} +{"text": "**Dump Domain Registration Patterns:*From about 2015 to at least October 2018 possibly longer, IBM X-Force assesses that ITG08's POS malware used the same notable domain naming convention: all known dump domains used by FrameworkPOS and GratefulPOS contained the same base name -akamaitechnologies.com. In fact, all said domains are nearly identical looking to a legitimate Akamai content delivery network CDN domain, differing only by a single character replacing a .' with - .", "spans": {"Organization: **Dump Domain Registration Patterns:*From": [[0, 41]], "Organization: IBM X-Force": [[95, 106]], "Malware: ITG08's POS malware": [[121, 140]], "Indicator: domain naming convention:": [[163, 188]], "Malware: FrameworkPOS": [[220, 232]], "Malware: GratefulPOS": [[237, 248]], "Indicator: -akamaitechnologies.com.": [[278, 302]], "Indicator: domains": [[321, 328]], "Indicator: legitimate Akamai": [[363, 380]], "System: content delivery network CDN": [[381, 409]], "Indicator: domain,": [[410, 417]], "Indicator: a single character replacing a .' 
with - .": [[436, 478]]}, "info": {"id": "cyner2_5class_train_04081", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Script.SWF.C603 Exp.SWF.Rig.EK.4476 Exploit.SWF.Downloader SWF_EXKIT.THAAEH Script.SWF.C603 Script.SWF.C603 SWF.S.Exploit.13894 Script.SWF.C603 Script.SWF.C603 Exploit.SWF.1232 SWF_EXKIT.THAAEH SWF/Exploit-Rig.h SWF/Trojan.VJFQ-3 Script.SWF.C603 SWF/Exploit-Rig.h Trojan.SWF.Exploit swf.cve-2015-8651.rig.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Script.SWF.C603": [[26, 41], [102, 117], [118, 133], [154, 169], [170, 185], [256, 271]], "Indicator: Exp.SWF.Rig.EK.4476": [[42, 61]], "Indicator: Exploit.SWF.Downloader": [[62, 84]], "Indicator: SWF_EXKIT.THAAEH": [[85, 101], [203, 219]], "Indicator: SWF.S.Exploit.13894": [[134, 153]], "Indicator: Exploit.SWF.1232": [[186, 202]], "Indicator: SWF/Exploit-Rig.h": [[220, 237], [272, 289]], "Indicator: SWF/Trojan.VJFQ-3": [[238, 255]], "Indicator: Trojan.SWF.Exploit": [[290, 308]], "Indicator: swf.cve-2015-8651.rig.a": [[309, 332]]}, "info": {"id": "cyner2_5class_train_04082", "source": "cyner2_5class_train"}} +{"text": "Adobe independently patched the vulnerability CVE-2015-3043 in APSB15-06.", "spans": {"Organization: Adobe": [[0, 5]], "Vulnerability: vulnerability CVE-2015-3043": [[32, 59]]}, "info": {"id": "cyner2_5class_train_04083", "source": "cyner2_5class_train"}} +{"text": "INTERNET - Allows the application to open network sockets .", "spans": {}, "info": {"id": "cyner2_5class_train_04084", "source": "cyner2_5class_train"}} +{"text": "In fact , the applications are designed to download the autorun.inf file , an icon file and the win32-Trojan file , which the mobile malicious program locates in the root directory of an SD card .", "spans": {"Indicator: autorun.inf file": [[56, 72]], "System: win32-Trojan": [[96, 108]], "System: SD card": [[187, 194]]}, "info": {"id": "cyner2_5class_train_04085", "source": "cyner2_5class_train"}} +{"text": "The KOVTER malware embeds 
a JavaScript into the registry and executes a PowerShell script which eventually loads the main KOVTER binaries.", "spans": {"Malware: The KOVTER malware": [[0, 18]], "Indicator: JavaScript": [[28, 38]], "Indicator: PowerShell script": [[72, 89]], "Indicator: loads the main KOVTER binaries.": [[107, 138]]}, "info": {"id": "cyner2_5class_train_04086", "source": "cyner2_5class_train"}} +{"text": "It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities .", "spans": {}, "info": {"id": "cyner2_5class_train_04087", "source": "cyner2_5class_train"}} +{"text": "CSIS has been informed about a number of targeted spear phishing attacks against Danish chiropractors.", "spans": {"Organization: CSIS": [[0, 4]], "Indicator: spear phishing attacks": [[50, 72]], "Organization: Danish chiropractors.": [[81, 102]]}, "info": {"id": "cyner2_5class_train_04088", "source": "cyner2_5class_train"}} +{"text": "The attackers send fake text messages to lure the victims to click on a malicious link .", "spans": {}, "info": {"id": "cyner2_5class_train_04089", "source": "cyner2_5class_train"}} +{"text": "The developer of the code , Shanghai Adups Technology Co. 
, has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls .", "spans": {"Organization: Shanghai Adups Technology Co.": [[28, 57]]}, "info": {"id": "cyner2_5class_train_04090", "source": "cyner2_5class_train"}} +{"text": "The group focuses on companies that have intellectual property or sensitive information like those in the Defense and High-Tech industries.", "spans": {"Organization: companies": [[21, 30]], "Organization: the Defense": [[102, 113]], "Organization: High-Tech industries.": [[118, 139]]}, "info": {"id": "cyner2_5class_train_04091", "source": "cyner2_5class_train"}} +{"text": "If the phone is attached to a bank card , commands are sent from the C & C server with instructions to transfer money from the user ’ s bank account to his/her mobile account .", "spans": {}, "info": {"id": "cyner2_5class_train_04092", "source": "cyner2_5class_train"}} +{"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple ’ s official iOS helper app for managing Apple devices .", "spans": {"System: iOS": [[9, 12], [98, 101]], "Organization: Apple": [[56, 61], [79, 84], [126, 131]]}, "info": {"id": "cyner2_5class_train_04093", "source": "cyner2_5class_train"}} +{"text": "However , Talos has identified that was used at least since November 2018 .", "spans": {"Organization: Talos": [[10, 15]]}, "info": {"id": "cyner2_5class_train_04094", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TjnDownldr.SmaCod.S162507 Downloader.Tiny.Win32.8086 Win32.Trojan.WisdomEyes.16070401.9500.9968 Trojan.Win32.Tiny.elyeva TrojWare.Win32.TrojanDownloader.Tiny.NNO Trojan-Downloader.Win32.Tiny Trojan.Mikey.DECAC Trojan/Win32.Downloader.R193768 OScope.Trojan.0216 W32/Tiny.NNO!tr Win32/Trojan.823", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TjnDownldr.SmaCod.S162507": [[26, 51]], "Indicator: Downloader.Tiny.Win32.8086": [[52, 
78]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9968": [[79, 121]], "Indicator: Trojan.Win32.Tiny.elyeva": [[122, 146]], "Indicator: TrojWare.Win32.TrojanDownloader.Tiny.NNO": [[147, 187]], "Indicator: Trojan-Downloader.Win32.Tiny": [[188, 216]], "Indicator: Trojan.Mikey.DECAC": [[217, 235]], "Indicator: Trojan/Win32.Downloader.R193768": [[236, 267]], "Indicator: OScope.Trojan.0216": [[268, 286]], "Indicator: W32/Tiny.NNO!tr": [[287, 302]], "Indicator: Win32/Trojan.823": [[303, 319]]}, "info": {"id": "cyner2_5class_train_04095", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9999 TR/Downloader.A.2357 Trojan.Kazy.D60565 TrojanDownloader:MSIL/Muxtart.A Win32.Trojan.Downloader.Szlu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Uds.Dangerousobject.Multi!c": [[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[54, 96]], "Indicator: TR/Downloader.A.2357": [[97, 117]], "Indicator: Trojan.Kazy.D60565": [[118, 136]], "Indicator: TrojanDownloader:MSIL/Muxtart.A": [[137, 168]], "Indicator: Win32.Trojan.Downloader.Szlu": [[169, 197]]}, "info": {"id": "cyner2_5class_train_04096", "source": "cyner2_5class_train"}} +{"text": "Despite having a reputation of evolution, there doesn't seem to be very many recent updates on this malware family though.", "spans": {}, "info": {"id": "cyner2_5class_train_04097", "source": "cyner2_5class_train"}} +{"text": "The latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit.", "spans": {"Indicator: stolen code signing certificate": [[43, 74]], "Organization: Taiwanese electronics maker Acer": [[88, 120]], "Malware: unknown Flash Player exploit.": [[128, 157]]}, "info": {"id": "cyner2_5class_train_04098", "source": "cyner2_5class_train"}} +{"text": "However, in addition to new variants of malicious .hta, we find new victims, 
.rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.", "spans": {"Malware: malicious": [[40, 49]], "Indicator: .hta,": [[50, 55]], "Indicator: .rar attachments": [[77, 93]], "Indicator: RTLO spearphishing,": [[99, 118]], "Vulnerability: 0day": [[143, 147]], "Organization: Hacking Team.": [[153, 166]]}, "info": {"id": "cyner2_5class_train_04099", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware14 Win32.Malware!Drop Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan-Downloader.Win32.Upatre.gqes Trojan.Win32.KillProc.expayv TrojWare.Win32.GozNym.AA Trojan.KillProc.54838 Downloader.Upatre.Win32.65195 Trojan.Win32.Tofsee Trojan.Banker.GozNym.gs TR/Crypt.Xpack.sqizh Backdoor:Win32/Tofsee.T Trojan-Downloader.Win32.Upatre.gqes Win32.Malware!Drop Backdoor.PasswordStealer Trj/GdSda.A Win32/Tofsee.BJ W32/Kryptik.GCVH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware14": [[26, 45]], "Indicator: Win32.Malware!Drop": [[46, 64], [375, 393]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[65, 107]], "Indicator: Trojan-Downloader.Win32.Upatre.gqes": [[108, 143], [339, 374]], "Indicator: Trojan.Win32.KillProc.expayv": [[144, 172]], "Indicator: TrojWare.Win32.GozNym.AA": [[173, 197]], "Indicator: Trojan.KillProc.54838": [[198, 219]], "Indicator: Downloader.Upatre.Win32.65195": [[220, 249]], "Indicator: Trojan.Win32.Tofsee": [[250, 269]], "Indicator: Trojan.Banker.GozNym.gs": [[270, 293]], "Indicator: TR/Crypt.Xpack.sqizh": [[294, 314]], "Indicator: Backdoor:Win32/Tofsee.T": [[315, 338]], "Indicator: Backdoor.PasswordStealer": [[394, 418]], "Indicator: Trj/GdSda.A": [[419, 430]], "Indicator: Win32/Tofsee.BJ": [[431, 446]], "Indicator: W32/Kryptik.GCVH!tr": [[447, 466]]}, "info": {"id": "cyner2_5class_train_04100", "source": "cyner2_5class_train"}} +{"text": "The attack leveraged malware we called BlackLambert', which was used to target a high profile organization in 
Europe.", "spans": {"Malware: malware": [[21, 28]], "Malware: BlackLambert',": [[39, 53]], "Organization: high profile organization": [[81, 106]]}, "info": {"id": "cyner2_5class_train_04101", "source": "cyner2_5class_train"}} +{"text": "Bluetooth — which allows the interaction with the Bluetooth interface , and net/deacon — which implements a beaconing system based on UDP .", "spans": {}, "info": {"id": "cyner2_5class_train_04102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BDS/Flood.IRC.2 MemScan:Trojan.Flooder.I IRC.Flood Trojan.Flood BackDoor.Ircbot.BCV IRC.Flood IRC.Flood Trojan.Backdoor.Flood.IRC.2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BDS/Flood.IRC.2": [[26, 41]], "Indicator: MemScan:Trojan.Flooder.I": [[42, 66]], "Indicator: IRC.Flood": [[67, 76], [110, 119], [120, 129]], "Indicator: Trojan.Flood": [[77, 89]], "Indicator: BackDoor.Ircbot.BCV": [[90, 109]], "Indicator: Trojan.Backdoor.Flood.IRC.2": [[130, 157]]}, "info": {"id": "cyner2_5class_train_04103", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Scar.28672.J Win32.Trojan.Scar.aeru.4.Pack Trojan/Scar.aeru Trojan.Scar.AEY W32/Tibs.DOHY Trojan.Win32.Scar.aeru TrojWare.Win32.Scar.BA Win32/SillyAutorun.CVZ Trojan/Scar.axz Trojan/Win32.Scar Trojan.Win32.Scar!IK TrojanDownloader:Win32/Yibohbin.A Trojan.Win32.Scar.28672.I Win-Trojan/Scar.28672.AH Trojan.Win32.Scar.aeru Trojan.DL.Win32.Tiny.bug Trojan.Win32.Scar Trj/Scar.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Scar.28672.J": [[26, 49]], "Indicator: Win32.Trojan.Scar.aeru.4.Pack": [[50, 79]], "Indicator: Trojan/Scar.aeru": [[80, 96]], "Indicator: Trojan.Scar.AEY": [[97, 112]], "Indicator: W32/Tibs.DOHY": [[113, 126]], "Indicator: Trojan.Win32.Scar.aeru": [[127, 149], [336, 358]], "Indicator: TrojWare.Win32.Scar.BA": [[150, 172]], "Indicator: Win32/SillyAutorun.CVZ": [[173, 195]], "Indicator: Trojan/Scar.axz": [[196, 211]], "Indicator: Trojan/Win32.Scar": 
[[212, 229]], "Indicator: Trojan.Win32.Scar!IK": [[230, 250]], "Indicator: TrojanDownloader:Win32/Yibohbin.A": [[251, 284]], "Indicator: Trojan.Win32.Scar.28672.I": [[285, 310]], "Indicator: Win-Trojan/Scar.28672.AH": [[311, 335]], "Indicator: Trojan.DL.Win32.Tiny.bug": [[359, 383]], "Indicator: Trojan.Win32.Scar": [[384, 401]], "Indicator: Trj/Scar.A": [[402, 412]]}, "info": {"id": "cyner2_5class_train_04104", "source": "cyner2_5class_train"}} +{"text": "This is usually done in order to validate the target of a new infection .", "spans": {}, "info": {"id": "cyner2_5class_train_04105", "source": "cyner2_5class_train"}} +{"text": "This fake notification tactic is used to redirect the user 's attention , meanwhile the app hides itself , making the user believe the app to be faulty .", "spans": {}, "info": {"id": "cyner2_5class_train_04106", "source": "cyner2_5class_train"}} +{"text": "First , it will get the “ nativenumber ” variable from the “ telmark ” value of “ AndroidManifest.xml ” .", "spans": {"System: AndroidManifest.xml": [[82, 101]]}, "info": {"id": "cyner2_5class_train_04107", "source": "cyner2_5class_train"}} +{"text": "Figure 4 – Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes a keylogger that works in every app installed on the Android device .", "spans": {"System: Twitter": [[541, 548]], "System: Telegram": [[553, 561]], "System: Android": [[675, 682]]}, "info": {"id": "cyner2_5class_train_04108", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.WipeLocker.A Android.Habey.A Trojan.Wipelock..1 A.H.Fra.Elite Android.Trojan.Wipelock.b Android/Wipelock.A HEUR:Trojan.AndroidOS.Soceng.f Android.Trojan.WipeLocker.A Trojan.Android.Elite.dmubjt Troj.Androidos.Habey!c Trojan-Spy:Android/SmsSpy.FW Android.Elite.1.origin ANDROID/Elite.A Android/Wipelock.A!tr Trojan/Android.Habey Android.Trojan.WipeLocker.A HEUR:Trojan.AndroidOS.Soceng.f Android-Trojan/WipeLocker.8493 Trojan.Android.Locker.c Trojan.AndroidOS.Wipelock Android.Trojan.WipeLocker.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.WipeLocker.A": [[26, 53], [179, 206], [369, 396], [509, 536]], "Indicator: Android.Habey.A": [[54, 69]], "Indicator: Trojan.Wipelock..1": [[70, 88]], "Indicator: A.H.Fra.Elite": [[89, 102]], "Indicator: Android.Trojan.Wipelock.b": [[103, 128]], "Indicator: Android/Wipelock.A": [[129, 147]], "Indicator: HEUR:Trojan.AndroidOS.Soceng.f": [[148, 178], [397, 427]], "Indicator: Trojan.Android.Elite.dmubjt": [[207, 234]], "Indicator: Troj.Androidos.Habey!c": [[235, 257]], "Indicator: Trojan-Spy:Android/SmsSpy.FW": [[258, 286]], "Indicator: Android.Elite.1.origin": [[287, 309]], "Indicator: ANDROID/Elite.A": [[310, 325]], "Indicator: Android/Wipelock.A!tr": [[326, 347]], "Indicator: Trojan/Android.Habey": [[348, 368]], "Indicator: Android-Trojan/WipeLocker.8493": [[428, 458]], "Indicator: Trojan.Android.Locker.c": [[459, 482]], "Indicator: Trojan.AndroidOS.Wipelock": [[483, 508]]}, "info": {"id": "cyner2_5class_train_04109", "source": "cyner2_5class_train"}} +{"text": "One of the samples we looked at SHA256:e154e62c1936f62aeaf55a41a386dbc293050acec8c4616d16f75395884c9090 contained a family of backdoor that hasn't been referenced in public documents.", "spans": {"Indicator: SHA256:e154e62c1936f62aeaf55a41a386dbc293050acec8c4616d16f75395884c9090": [[32, 103]], "Malware: family of": [[116, 125]], "Malware: backdoor": [[126, 134]]}, 
"info": {"id": "cyner2_5class_train_04110", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.KRBanker.615936 Trojan.Sehijak.A7 Adware.Kraddare Adware.Kraddare.Win32.3892 Trojan.Zusy.D2CF65 W32/Banki.A Backdoor.Win32.Servidor.ac Trojan.Win32.RDN.eatfup Win32.Backdoor.Servidor.Pboq TrojWare.Win32.Sehijak.DA Trojan.DownLoader21.32804 BehavesLike.Win32.MultiPlug.jc W32/Banki.DFFU-6658 Backdoor.Servidor.b Trojan:Win32/Sehijak.A Backdoor.Win32.Servidor.ac Trojan/Win32.Banki.R175311 Backdoor.Servidor Win32/Adware.Kraddare.LP PUA.Kraddare! PUA.Kraddare W32/Servidor.AC!tr.bdr Win32/Backdoor.c5c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.KRBanker.615936": [[26, 52]], "Indicator: Trojan.Sehijak.A7": [[53, 70]], "Indicator: Adware.Kraddare": [[71, 86]], "Indicator: Adware.Kraddare.Win32.3892": [[87, 113]], "Indicator: Trojan.Zusy.D2CF65": [[114, 132]], "Indicator: W32/Banki.A": [[133, 144]], "Indicator: Backdoor.Win32.Servidor.ac": [[145, 171], [371, 397]], "Indicator: Trojan.Win32.RDN.eatfup": [[172, 195]], "Indicator: Win32.Backdoor.Servidor.Pboq": [[196, 224]], "Indicator: TrojWare.Win32.Sehijak.DA": [[225, 250]], "Indicator: Trojan.DownLoader21.32804": [[251, 276]], "Indicator: BehavesLike.Win32.MultiPlug.jc": [[277, 307]], "Indicator: W32/Banki.DFFU-6658": [[308, 327]], "Indicator: Backdoor.Servidor.b": [[328, 347]], "Indicator: Trojan:Win32/Sehijak.A": [[348, 370]], "Indicator: Trojan/Win32.Banki.R175311": [[398, 424]], "Indicator: Backdoor.Servidor": [[425, 442]], "Indicator: Win32/Adware.Kraddare.LP": [[443, 467]], "Indicator: PUA.Kraddare!": [[468, 481]], "Indicator: PUA.Kraddare": [[482, 494]], "Indicator: W32/Servidor.AC!tr.bdr": [[495, 517]], "Indicator: Win32/Backdoor.c5c": [[518, 536]]}, "info": {"id": "cyner2_5class_train_04111", "source": "cyner2_5class_train"}} +{"text": "CrowdStrike has released two blog posts detailing Sakula campaigns and continues to investigate its usage.", "spans": {"Organization: 
CrowdStrike": [[0, 11]]}, "info": {"id": "cyner2_5class_train_04112", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9978 Trojan.Win32.ExtenBro.evtqgw Trojan.MSIL.ExtenBro Trojan/MSIL.fqcj TR/ExtenBro.vezgg Trojan:MSIL/ExtenBro.A Trj/GdSda.A Win32/Trojan.444", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9978": [[26, 68]], "Indicator: Trojan.Win32.ExtenBro.evtqgw": [[69, 97]], "Indicator: Trojan.MSIL.ExtenBro": [[98, 118]], "Indicator: Trojan/MSIL.fqcj": [[119, 135]], "Indicator: TR/ExtenBro.vezgg": [[136, 153]], "Indicator: Trojan:MSIL/ExtenBro.A": [[154, 176]], "Indicator: Trj/GdSda.A": [[177, 188]], "Indicator: Win32/Trojan.444": [[189, 205]]}, "info": {"id": "cyner2_5class_train_04113", "source": "cyner2_5class_train"}} +{"text": "Escelar originally surfaced in January of this year, and has since had roughly 100,000 instances of attempted infections.", "spans": {"Malware: Escelar": [[0, 7]], "Indicator: infections.": [[110, 121]]}, "info": {"id": "cyner2_5class_train_04114", "source": "cyner2_5class_train"}} +{"text": "At the same time, the group has been improving their ability to operate the business side of a ransomware organization.", "spans": {}, "info": {"id": "cyner2_5class_train_04115", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike.Win32.BackdoorNJRat.qm Trojan.Kazy.DEF49 Trojan/Win32.Llac.R18525", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.BackdoorNJRat.qm": [[26, 60]], "Indicator: Trojan.Kazy.DEF49": [[61, 78]], "Indicator: Trojan/Win32.Llac.R18525": [[79, 103]]}, "info": {"id": "cyner2_5class_train_04116", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DLDrop.NSIS Trojan.Injector.Win32.385163 Trojan/Injector.cuom Trojan.Razy.D7CE0 W32/Injector.AKD Trojan.Win32.CUOM.ebfhyw W32/Injector.OIMQ-3591 TR/AD.Enestedel.ubzhk Ransom:Win32/Enestedel.B!rsm 
Trj/GdSda.A Win32/Injector.CUOM Trojan.Injector!1PtHxYGwvhY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DLDrop.NSIS": [[26, 44]], "Indicator: Trojan.Injector.Win32.385163": [[45, 73]], "Indicator: Trojan/Injector.cuom": [[74, 94]], "Indicator: Trojan.Razy.D7CE0": [[95, 112]], "Indicator: W32/Injector.AKD": [[113, 129]], "Indicator: Trojan.Win32.CUOM.ebfhyw": [[130, 154]], "Indicator: W32/Injector.OIMQ-3591": [[155, 177]], "Indicator: TR/AD.Enestedel.ubzhk": [[178, 199]], "Indicator: Ransom:Win32/Enestedel.B!rsm": [[200, 228]], "Indicator: Trj/GdSda.A": [[229, 240]], "Indicator: Win32/Injector.CUOM": [[241, 260]], "Indicator: Trojan.Injector!1PtHxYGwvhY": [[261, 288]]}, "info": {"id": "cyner2_5class_train_04117", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9829 Backdoor.Ehdoor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9829": [[26, 68]], "Indicator: Backdoor.Ehdoor": [[69, 84]]}, "info": {"id": "cyner2_5class_train_04118", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Dorifel!O Trojan.FakeMS.ED Trojan/Dropper.Dorifel.eav Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.GTVK-8195 W32.IRCBot.NG Trojan.MSIL.Crypt.fqbo Trojan.DownLoader6.25796 Dropper.Dorifel.Win32.1316 TrojanDropper.Dorifel.afo Trojan[Dropper]/Win32.Dorifel Win32.Troj.Dorifel.kcloud Trojan.Zusy.D115D1 Trojan.MSIL.Crypt.fqbo Trojan:MSIL/Belfusba.A TrojanDropper.Dorifel Trj/CI.A MSIL/Selenium.A Trojan.Kryptik!LBVVyRsvO34 MSIL/Selenium.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Dorifel!O": [[26, 56]], "Indicator: Trojan.FakeMS.ED": [[57, 73]], "Indicator: Trojan/Dropper.Dorifel.eav": [[74, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[101, 143]], "Indicator: W32/Trojan.GTVK-8195": [[144, 164]], "Indicator: W32.IRCBot.NG": [[165, 178]], "Indicator: 
Trojan.MSIL.Crypt.fqbo": [[179, 201], [355, 377]], "Indicator: Trojan.DownLoader6.25796": [[202, 226]], "Indicator: Dropper.Dorifel.Win32.1316": [[227, 253]], "Indicator: TrojanDropper.Dorifel.afo": [[254, 279]], "Indicator: Trojan[Dropper]/Win32.Dorifel": [[280, 309]], "Indicator: Win32.Troj.Dorifel.kcloud": [[310, 335]], "Indicator: Trojan.Zusy.D115D1": [[336, 354]], "Indicator: Trojan:MSIL/Belfusba.A": [[378, 400]], "Indicator: TrojanDropper.Dorifel": [[401, 422]], "Indicator: Trj/CI.A": [[423, 431]], "Indicator: MSIL/Selenium.A": [[432, 447]], "Indicator: Trojan.Kryptik!LBVVyRsvO34": [[448, 474]], "Indicator: MSIL/Selenium.A!tr": [[475, 493]]}, "info": {"id": "cyner2_5class_train_04119", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.W32.Virus!c Trojan/Spy.KeyLogger.au Trojan.Raw.KeyLog.epwywq BehavesLike.Win32.Cutwail.tc Trojan.Shelma.bbh Trojan/Win32.Shelma Trojan:Win32/Ronohu.A Trj/CI.A Python/Spy.KeyLogger.V Trojan.Python.Spy Python/KeyLogger.V!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.W32.Virus!c": [[26, 43]], "Indicator: Trojan/Spy.KeyLogger.au": [[44, 67]], "Indicator: Trojan.Raw.KeyLog.epwywq": [[68, 92]], "Indicator: BehavesLike.Win32.Cutwail.tc": [[93, 121]], "Indicator: Trojan.Shelma.bbh": [[122, 139]], "Indicator: Trojan/Win32.Shelma": [[140, 159]], "Indicator: Trojan:Win32/Ronohu.A": [[160, 181]], "Indicator: Trj/CI.A": [[182, 190]], "Indicator: Python/Spy.KeyLogger.V": [[191, 213]], "Indicator: Trojan.Python.Spy": [[214, 231]], "Indicator: Python/KeyLogger.V!tr.spy": [[232, 257]]}, "info": {"id": "cyner2_5class_train_04120", "source": "cyner2_5class_train"}} +{"text": "Usually, these are done via HTTP or other TCP/IP connections.", "spans": {"Indicator: HTTP": [[28, 32]], "Indicator: TCP/IP connections.": [[42, 61]]}, "info": {"id": "cyner2_5class_train_04121", "source": "cyner2_5class_train"}} +{"text": "Infection Chain As with our earlier reports in late March , the attack chain involves 
diverting internet traffic to attacker-specified domains by compromising and overwriting the router ’ s DNS settings .", "spans": {}, "info": {"id": "cyner2_5class_train_04122", "source": "cyner2_5class_train"}} +{"text": "Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation.", "spans": {"Organization: security vendor Akamai,": [[41, 64]]}, "info": {"id": "cyner2_5class_train_04123", "source": "cyner2_5class_train"}} +{"text": "The forum provides members with tools to patch RDP Remote Desktop Protocol servers to support multiple user logins, as well as other hacking tools, such as proxy installers and sysinfo collectors.", "spans": {"Malware: tools": [[32, 37]], "System: RDP Remote Desktop Protocol servers": [[47, 82]], "Malware: hacking tools,": [[133, 147]], "System: proxy": [[156, 161]], "System: sysinfo": [[177, 184]]}, "info": {"id": "cyner2_5class_train_04124", "source": "cyner2_5class_train"}} +{"text": "] com , points to the IP address 54.69.156.31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A .", "spans": {"Indicator: 54.69.156.31": [[33, 45]], "Indicator: 11:41:45:2F : A7:07:23:54": [[145, 170]], "Indicator: AE:9A : CE : F4 : FE:56 : AE : AC": [[173, 206]], "Indicator: B1 : C2:15:9F:6A : FC:1E : CC:7D": [[209, 241]], "Indicator: : F8:61 : E3:25:26:73:6A": [[242, 266]]}, "info": {"id": "cyner2_5class_train_04125", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.KRSign.810456 Win32.Trojan.WisdomEyes.16070401.9500.9958 Spyware.BL Trojan.ZxShellCRTD.Win32.10098 Backdoor:Win32/Zxshell.A!dha Win32/Backdoor.c4c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.KRSign.810456": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9958": [[51, 93]], "Indicator: Spyware.BL": [[94, 104]], 
"Indicator: Trojan.ZxShellCRTD.Win32.10098": [[105, 135]], "Indicator: Backdoor:Win32/Zxshell.A!dha": [[136, 164]], "Indicator: Win32/Backdoor.c4c": [[165, 183]]}, "info": {"id": "cyner2_5class_train_04126", "source": "cyner2_5class_train"}} +{"text": "Petya is a form of ransomware that overwrites the master boot record MBR in order to block access to both the user's files and operating system.", "spans": {"Malware: Petya": [[0, 5]], "Malware: ransomware": [[19, 29]], "Indicator: overwrites": [[35, 45]], "System: master boot record MBR": [[50, 72]], "Indicator: block access": [[85, 97]], "Indicator: user's files": [[110, 122]], "System: operating system.": [[127, 144]]}, "info": {"id": "cyner2_5class_train_04127", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.7F39 Trojan.Podjot.A Trojan.Kazy.D2D8D TROJ_PODJOT.SM1 Win32.Trojan.WisdomEyes.16070401.9500.9924 TROJ_PODJOT.SM1 MalCrypt.Indus! Trojan:Win32/Podjot.A Trojan/Win32.Zapchast.R21212 Virus.Win32.Cryptor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.7F39": [[26, 42]], "Indicator: Trojan.Podjot.A": [[43, 58]], "Indicator: Trojan.Kazy.D2D8D": [[59, 76]], "Indicator: TROJ_PODJOT.SM1": [[77, 92], [136, 151]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9924": [[93, 135]], "Indicator: MalCrypt.Indus!": [[152, 167]], "Indicator: Trojan:Win32/Podjot.A": [[168, 189]], "Indicator: Trojan/Win32.Zapchast.R21212": [[190, 218]], "Indicator: Virus.Win32.Cryptor": [[219, 238]]}, "info": {"id": "cyner2_5class_train_04128", "source": "cyner2_5class_train"}} +{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner2_5class_train_04129", "source": "cyner2_5class_train"}} +{"text": "EventBot VirusTotal search for the malicious IP address VirusTotal search for the malicious IP address .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_04130", "source": "cyner2_5class_train"}} +{"text": "The threat actor behind Duqu appears to have 
launched attacks at the venues for some of these high level talks.", "spans": {"Malware: Duqu": [[24, 28]]}, "info": {"id": "cyner2_5class_train_04131", "source": "cyner2_5class_train"}} +{"text": "The attackers behind this campaign went to some lengths to disguise their activities, including using domains names disguised as antivirus AV company websites for their command and control C C servers.", "spans": {"Indicator: domains names disguised as antivirus AV company websites": [[102, 158]], "Indicator: command and control C C servers.": [[169, 201]]}, "info": {"id": "cyner2_5class_train_04132", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O Trojan.Zusy.D2081E W32/MalwareS.BJCG Backdoor.Vinself.B Win32/Fuwu.A BKDR_COMFOO.SME Win.Trojan.Rootkit-9875 Trojan-Dropper.Win32.Injector.jndt Trojan.Win32.DPD.dxvfcr Trojan.PWS.DPD.5 BKDR_COMFOO.SME BehavesLike.Win32.RansomWannaCry.ch Trojan.Win32.Spy W32/Risk.KUNB-3887 Trojan:Win32/Netnam.B Trojan-Dropper.Win32.Injector.jndt Trj/Zbot.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Injector!O": [[26, 57]], "Indicator: Trojan.Zusy.D2081E": [[58, 76]], "Indicator: W32/MalwareS.BJCG": [[77, 94]], "Indicator: Backdoor.Vinself.B": [[95, 113]], "Indicator: Win32/Fuwu.A": [[114, 126]], "Indicator: BKDR_COMFOO.SME": [[127, 142], [243, 258]], "Indicator: Win.Trojan.Rootkit-9875": [[143, 166]], "Indicator: Trojan-Dropper.Win32.Injector.jndt": [[167, 201], [353, 387]], "Indicator: Trojan.Win32.DPD.dxvfcr": [[202, 225]], "Indicator: Trojan.PWS.DPD.5": [[226, 242]], "Indicator: BehavesLike.Win32.RansomWannaCry.ch": [[259, 294]], "Indicator: Trojan.Win32.Spy": [[295, 311]], "Indicator: W32/Risk.KUNB-3887": [[312, 330]], "Indicator: Trojan:Win32/Netnam.B": [[331, 352]], "Indicator: Trj/Zbot.M": [[388, 398]]}, "info": {"id": "cyner2_5class_train_04133", "source": "cyner2_5class_train"}} +{"text": "This one-time cost provides a malicious customer with 
access to all the data on the server and endless other possibilities, such as using the access to launch further attacks.", "spans": {"System: server": [[84, 90]], "Indicator: using the access to launch further attacks.": [[132, 175]]}, "info": {"id": "cyner2_5class_train_04134", "source": "cyner2_5class_train"}} +{"text": "Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware.", "spans": {"Indicator: gain access": [[31, 42]], "System: machine,": [[50, 58]], "Indicator: attack": [[95, 101]], "Malware: exploit,": [[105, 113]], "Malware: malware.": [[159, 167]]}, "info": {"id": "cyner2_5class_train_04135", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Stimilani.FC.1099 Trojan.Zusy.D2F64E HackTool:MSIL/Stimilani.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Stimilani.FC.1099": [[26, 52]], "Indicator: Trojan.Zusy.D2F64E": [[53, 71]], "Indicator: HackTool:MSIL/Stimilani.A": [[72, 97]], "Indicator: Trj/GdSda.A": [[98, 109]]}, "info": {"id": "cyner2_5class_train_04136", "source": "cyner2_5class_train"}} +{"text": "During the last hours, ESET researchers noticed that Eltima, the makers of the Elmedia Player software, have been distributing a version of their application trojanized with the OSX/Proton malware on their official website.", "spans": {"Organization: ESET researchers": [[23, 39]], "Organization: Eltima,": [[53, 60]], "System: the Elmedia Player software,": [[75, 103]], "System: application": [[146, 157]], "Malware: OSX/Proton malware": [[178, 196]], "Indicator: official website.": [[206, 223]]}, "info": {"id": "cyner2_5class_train_04137", "source": "cyner2_5class_train"}} +{"text": "It appears that these threat actors have begun using Palo Alto Networks upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted individuals.", 
"spans": {"Organization: Palo Alto Networks": [[53, 71]], "Organization: Cyber Security Summit": [[81, 102]]}, "info": {"id": "cyner2_5class_train_04138", "source": "cyner2_5class_train"}} +{"text": "After rendering the ad on the screen , the app tries to identify the part of the advertisement website to click .", "spans": {}, "info": {"id": "cyner2_5class_train_04139", "source": "cyner2_5class_train"}} +{"text": "Afterward , it will start several timers to execute different tasks .", "spans": {}, "info": {"id": "cyner2_5class_train_04140", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.DoS.26816 DDOS_DEPCHARG.11 Win32.Trojan.WisdomEyes.16070401.9500.9967 W32/Trojan.ROMV-7068 DDOS_DEPCHARG.11 Win.Trojan.Chubby-2 Trojan-DDoS.Win32.DepthCharge.c Trojan.Win32.DepthCharge.dfzl Trojan.Win32.Chubby.26816 Troj.W32.Chubby.11!c Trojan.Chubby.11 Trojan.Chubby.Win32.2 BehavesLike.Win32.Fake.mc Backdoor/VB.dc TR/Chubby.11 Trojan[DDoS]/Win32.DepthCharge Trojan.Heur.VB.bmLfcmhTrPni Trojan-DDoS.Win32.DepthCharge.c TrojanDDoS.DepthCharge Win32/Chubby.11 Win32.Trojan-ddos.Depthcharge.Lpbl Trojan.DDoS.DepthCharge!wR+hD336kwM Trojan-DDoS.Win32.DepthCharge W32/Chubby.11!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.DoS.26816": [[26, 46]], "Indicator: DDOS_DEPCHARG.11": [[47, 63], [128, 144]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[64, 106]], "Indicator: W32/Trojan.ROMV-7068": [[107, 127]], "Indicator: Win.Trojan.Chubby-2": [[145, 164]], "Indicator: Trojan-DDoS.Win32.DepthCharge.c": [[165, 196], [426, 457]], "Indicator: Trojan.Win32.DepthCharge.dfzl": [[197, 226]], "Indicator: Trojan.Win32.Chubby.26816": [[227, 252]], "Indicator: Troj.W32.Chubby.11!c": [[253, 273]], "Indicator: Trojan.Chubby.11": [[274, 290]], "Indicator: Trojan.Chubby.Win32.2": [[291, 312]], "Indicator: BehavesLike.Win32.Fake.mc": [[313, 338]], "Indicator: Backdoor/VB.dc": [[339, 353]], "Indicator: TR/Chubby.11": [[354, 366]], "Indicator: 
Trojan[DDoS]/Win32.DepthCharge": [[367, 397]], "Indicator: Trojan.Heur.VB.bmLfcmhTrPni": [[398, 425]], "Indicator: TrojanDDoS.DepthCharge": [[458, 480]], "Indicator: Win32/Chubby.11": [[481, 496]], "Indicator: Win32.Trojan-ddos.Depthcharge.Lpbl": [[497, 531]], "Indicator: Trojan.DDoS.DepthCharge!wR+hD336kwM": [[532, 567]], "Indicator: Trojan-DDoS.Win32.DepthCharge": [[568, 597]], "Indicator: W32/Chubby.11!tr": [[598, 614]]}, "info": {"id": "cyner2_5class_train_04141", "source": "cyner2_5class_train"}} +{"text": "In addition , the use of shared-hosting providers adds flexibility to the threat actor ’ s campaign and makes it harder for defending parties to track these moving targets .", "spans": {}, "info": {"id": "cyner2_5class_train_04142", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Small!O Trojan.Vbcrypt Spyware.Zbot Dropper.Small.Win32.2729 Trojan/Dropper.Small.dil Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Droplet.GN Win.Trojan.VB-9953 Trojan-Dropper.Win32.Small.dil Trojan.Win32.Small.wfby TrojWare.Win32.TrojanDropper.Small.dil0 Trojan.MulDrop.30852 BehavesLike.Win32.Downloader.mc Trojan-Dropper.Win32.Delf Trojan[Spy]/Win32.Zbot Trojan.Heur.E2A3DF Dropper.Small.86866 Trojan-Dropper.Win32.Small.dil Trojan/Win32.Batat.R4771 W32/Dropper.DIL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Small!O": [[26, 54]], "Indicator: Trojan.Vbcrypt": [[55, 69]], "Indicator: Spyware.Zbot": [[70, 82]], "Indicator: Dropper.Small.Win32.2729": [[83, 107]], "Indicator: Trojan/Dropper.Small.dil": [[108, 132]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[133, 175]], "Indicator: Win32/Droplet.GN": [[176, 192]], "Indicator: Win.Trojan.VB-9953": [[193, 211]], "Indicator: Trojan-Dropper.Win32.Small.dil": [[212, 242], [448, 478]], "Indicator: Trojan.Win32.Small.wfby": [[243, 266]], "Indicator: TrojWare.Win32.TrojanDropper.Small.dil0": [[267, 306]], "Indicator: Trojan.MulDrop.30852": [[307, 
327]], "Indicator: BehavesLike.Win32.Downloader.mc": [[328, 359]], "Indicator: Trojan-Dropper.Win32.Delf": [[360, 385]], "Indicator: Trojan[Spy]/Win32.Zbot": [[386, 408]], "Indicator: Trojan.Heur.E2A3DF": [[409, 427]], "Indicator: Dropper.Small.86866": [[428, 447]], "Indicator: Trojan/Win32.Batat.R4771": [[479, 503]], "Indicator: W32/Dropper.DIL!tr": [[504, 522]]}, "info": {"id": "cyner2_5class_train_04143", "source": "cyner2_5class_train"}} +{"text": "Package Name SHA256 digest SHA1 certificate com.network.android ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.network.android 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 516f8f516cc0fd8db53785a48c0a86554f75c3ba Additional digests with links to Chrysaor As a result of our investigation we have identified these additional Chrysaor-related apps .", "spans": {"Indicator: com.network.android": [[44, 63], [170, 189]], "Indicator: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5": [[64, 128]], "Indicator: 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d": [[129, 169]], "Indicator: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86": [[190, 254]], "Indicator: 516f8f516cc0fd8db53785a48c0a86554f75c3ba": [[255, 295]], "Malware: Chrysaor": [[329, 337]], "Malware: Chrysaor-related": [[407, 423]]}, "info": {"id": "cyner2_5class_train_04144", "source": "cyner2_5class_train"}} +{"text": "The commands are self-explanatory and show the features included in the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_04145", "source": "cyner2_5class_train"}} +{"text": "The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers.", "spans": {"Indicator: The attacking IP addresses": [[0, 26]], "Organization: Chinese Internet service providers.": [[98, 133]]}, "info": {"id": "cyner2_5class_train_04146", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Trojan.Multi Trojan.Win32.Inject.exdppy Trojan.Win32.Z.Kryptik.258107 Troj.W32.Virtumonde.mCBt Trojan.Inject.60399 Trojan.Kryptik.Win32.1344676 BehavesLike.Win32.Worm.dc Trojan:Win32/Kexject.A Spyware/Win32.Zbot.C145539 Trj/CI.A Win32.Trojan.Inject.Auto", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Trojan.Win32.Inject.exdppy": [[39, 65]], "Indicator: Trojan.Win32.Z.Kryptik.258107": [[66, 95]], "Indicator: Troj.W32.Virtumonde.mCBt": [[96, 120]], "Indicator: Trojan.Inject.60399": [[121, 140]], "Indicator: Trojan.Kryptik.Win32.1344676": [[141, 169]], "Indicator: BehavesLike.Win32.Worm.dc": [[170, 195]], "Indicator: Trojan:Win32/Kexject.A": [[196, 218]], "Indicator: Spyware/Win32.Zbot.C145539": [[219, 245]], "Indicator: Trj/CI.A": [[246, 254]], "Indicator: Win32.Trojan.Inject.Auto": [[255, 279]]}, "info": {"id": "cyner2_5class_train_04147", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Hekdor.88576 Backdoor/Hekdor.a Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.EEXH-5977 Win32/Hekdor.A BKDR_HEKDOR.A Win.Trojan.HackersDoor-6351576-1 Backdoor.Win32.Hackdoor.12 Trojan.Win32.Hekdor.gtcj Backdoor.Win32.Hackdoor.88576 Backdoor.W32.Hackdoor.f!c Backdoor.Win32.Hackdoor.~dy001 BackDoor.Hackdoor.22 Backdoor.Hekdor.Win32.1 BehavesLike.Win32.Virut.mh Trojan.Win32.Hekdor Trojan[Backdoor]/Win32.Hackdoor Win32.Hack.Hekdor.a.kcloud Trojan.Graftor.Elzob.D2551 Backdoor.Win32.Hackdoor.12 Backdoor/Win32.Hackdoor.R101239 Bck/Iroffer.BG Win32.Backdoor.Hackdoor.Pegb Backdoor.Hekdor.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Hekdor.88576": [[26, 51]], "Indicator: Backdoor/Hekdor.a": [[52, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[70, 112]], "Indicator: W32/Risk.EEXH-5977": [[113, 131]], "Indicator: Win32/Hekdor.A": [[132, 146]], "Indicator: BKDR_HEKDOR.A": [[147, 160]], "Indicator: Win.Trojan.HackersDoor-6351576-1": [[161, 193]], 
"Indicator: Backdoor.Win32.Hackdoor.12": [[194, 220], [511, 537]], "Indicator: Trojan.Win32.Hekdor.gtcj": [[221, 245]], "Indicator: Backdoor.Win32.Hackdoor.88576": [[246, 275]], "Indicator: Backdoor.W32.Hackdoor.f!c": [[276, 301]], "Indicator: Backdoor.Win32.Hackdoor.~dy001": [[302, 332]], "Indicator: BackDoor.Hackdoor.22": [[333, 353]], "Indicator: Backdoor.Hekdor.Win32.1": [[354, 377]], "Indicator: BehavesLike.Win32.Virut.mh": [[378, 404]], "Indicator: Trojan.Win32.Hekdor": [[405, 424]], "Indicator: Trojan[Backdoor]/Win32.Hackdoor": [[425, 456]], "Indicator: Win32.Hack.Hekdor.a.kcloud": [[457, 483]], "Indicator: Trojan.Graftor.Elzob.D2551": [[484, 510]], "Indicator: Backdoor/Win32.Hackdoor.R101239": [[538, 569]], "Indicator: Bck/Iroffer.BG": [[570, 584]], "Indicator: Win32.Backdoor.Hackdoor.Pegb": [[585, 613]], "Indicator: Backdoor.Hekdor.A": [[614, 631]]}, "info": {"id": "cyner2_5class_train_04148", "source": "cyner2_5class_train"}} +{"text": "They find and share readily available code and use those to make their own malware.", "spans": {}, "info": {"id": "cyner2_5class_train_04149", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/Win32.AutoRun", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/Win32.AutoRun": [[26, 44]]}, "info": {"id": "cyner2_5class_train_04150", "source": "cyner2_5class_train"}} +{"text": "This payload is also used by the earlier versions of the implant .", "spans": {}, "info": {"id": "cyner2_5class_train_04151", "source": "cyner2_5class_train"}} +{"text": "Lookout customers are also protected from this threat on both Android and iOS .", "spans": {"Organization: Lookout": [[0, 7]], "System: Android": [[62, 69]], "System: iOS": [[74, 77]]}, "info": {"id": "cyner2_5class_train_04152", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Clicker.cysqcu Trojan.Click2.41012 TR/Storup.D.158 Trojan:Win32/Storup.D Trojan.Graftor.DA5F2 TrojanSpy.Gaxfid!V9zv1PzO78E Trojan.Win32.Spy 
Trj/CI.A Win32/Trojan.b34", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Clicker.cysqcu": [[26, 53]], "Indicator: Trojan.Click2.41012": [[54, 73]], "Indicator: TR/Storup.D.158": [[74, 89]], "Indicator: Trojan:Win32/Storup.D": [[90, 111]], "Indicator: Trojan.Graftor.DA5F2": [[112, 132]], "Indicator: TrojanSpy.Gaxfid!V9zv1PzO78E": [[133, 161]], "Indicator: Trojan.Win32.Spy": [[162, 178]], "Indicator: Trj/CI.A": [[179, 187]], "Indicator: Win32/Trojan.b34": [[188, 204]]}, "info": {"id": "cyner2_5class_train_04153", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packer.W32.Katusha!c Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_TRACUR.SMVB Packed.Win32.Katusha.ac Trojan.Win32.Tracur.csqtnd Trojan.Win32.Z.Tracur.476672 TrojWare.Win32.Kryptik.BJLP TROJ_TRACUR.SMVB TR/Tracur.ujeuv Trojan/Win32.Diple Trojan.Mikey.D823E Packed.Win32.Katusha.ac Trojan/Win32.Tracur.R87716 Trojan.Tracur Win32/Boaxxe.BB Win32.Packed.Katusha.Aljh Trojan.Win32.Boaxxe Win32/Trojan.2ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packer.W32.Katusha!c": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[47, 89]], "Indicator: TROJ_TRACUR.SMVB": [[90, 106], [215, 231]], "Indicator: Packed.Win32.Katusha.ac": [[107, 130], [286, 309]], "Indicator: Trojan.Win32.Tracur.csqtnd": [[131, 157]], "Indicator: Trojan.Win32.Z.Tracur.476672": [[158, 186]], "Indicator: TrojWare.Win32.Kryptik.BJLP": [[187, 214]], "Indicator: TR/Tracur.ujeuv": [[232, 247]], "Indicator: Trojan/Win32.Diple": [[248, 266]], "Indicator: Trojan.Mikey.D823E": [[267, 285]], "Indicator: Trojan/Win32.Tracur.R87716": [[310, 336]], "Indicator: Trojan.Tracur": [[337, 350]], "Indicator: Win32/Boaxxe.BB": [[351, 366]], "Indicator: Win32.Packed.Katusha.Aljh": [[367, 392]], "Indicator: Trojan.Win32.Boaxxe": [[393, 412]], "Indicator: Win32/Trojan.2ed": [[413, 429]]}, "info": {"id": "cyner2_5class_train_04154", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: W32.DownloaderLTB.Trojan Trojan.Win32.Scar!O Trojan.Scar.20261 Trojan/Scar.gfdd Trojan.Graftor.Elzob.D3707 TROJ_DLOADE.SMEP Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/SillyDl.HER TROJ_DLOADE.SMEP Win.Trojan.Scar-864 Virus.Win32.Lamer.vpqnl Trojan.DownLoader22.5119 TR/Taranis.2688 Trojan/Win32.Scar Trojan.Win32.A.Scar.100616 Trojan/Win32.Scar.R4127 Trojan.Scar Trojan.Win32.Sisproc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloaderLTB.Trojan": [[26, 50]], "Indicator: Trojan.Win32.Scar!O": [[51, 70]], "Indicator: Trojan.Scar.20261": [[71, 88]], "Indicator: Trojan/Scar.gfdd": [[89, 105]], "Indicator: Trojan.Graftor.Elzob.D3707": [[106, 132]], "Indicator: TROJ_DLOADE.SMEP": [[133, 149], [226, 242]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[150, 192]], "Indicator: Trojan.Dropper": [[193, 207]], "Indicator: Win32/SillyDl.HER": [[208, 225]], "Indicator: Win.Trojan.Scar-864": [[243, 262]], "Indicator: Virus.Win32.Lamer.vpqnl": [[263, 286]], "Indicator: Trojan.DownLoader22.5119": [[287, 311]], "Indicator: TR/Taranis.2688": [[312, 327]], "Indicator: Trojan/Win32.Scar": [[328, 345]], "Indicator: Trojan.Win32.A.Scar.100616": [[346, 372]], "Indicator: Trojan/Win32.Scar.R4127": [[373, 396]], "Indicator: Trojan.Scar": [[397, 408]], "Indicator: Trojan.Win32.Sisproc": [[409, 429]]}, "info": {"id": "cyner2_5class_train_04155", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Cadlotcorg Trojan.DistTrack.stdr BKDR_DISTTRACK.E Win.Malware.StoneDrill-6012379-0 Trojan.Win32.Inject.wmyt Trojan.Win32.Inject.ekcbzj Trojan.Win32.Z.Inject.195072 Troj.W32.Inject!c Trojan.Stoned.5 Trojan.StoneDrill.Win32.2 BKDR_DISTTRACK.E W32/Trojan.CWLD-3265 Trojan.Inject.uoh TR/Injector.sgcfh Trojan/Win32.Inject Trojan.Razy.D1AF37 Trojan.Win32.Inject.wmyt Trojan:Win32/Cadlotcorg.A!dha Trojan/Win32.Injector.C1695778 Trojan.DiskWriter Trj/CI.A Win32/StoneDrill.A Win32.Trojan.Inject.Eddh Trojan.Inject!MGtoNAyL21Q 
Trojan.Win32.Cadlotcorg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Cadlotcorg": [[26, 43]], "Indicator: Trojan.DistTrack.stdr": [[44, 65]], "Indicator: BKDR_DISTTRACK.E": [[66, 82], [257, 273]], "Indicator: Win.Malware.StoneDrill-6012379-0": [[83, 115]], "Indicator: Trojan.Win32.Inject.wmyt": [[116, 140], [370, 394]], "Indicator: Trojan.Win32.Inject.ekcbzj": [[141, 167]], "Indicator: Trojan.Win32.Z.Inject.195072": [[168, 196]], "Indicator: Troj.W32.Inject!c": [[197, 214]], "Indicator: Trojan.Stoned.5": [[215, 230]], "Indicator: Trojan.StoneDrill.Win32.2": [[231, 256]], "Indicator: W32/Trojan.CWLD-3265": [[274, 294]], "Indicator: Trojan.Inject.uoh": [[295, 312]], "Indicator: TR/Injector.sgcfh": [[313, 330]], "Indicator: Trojan/Win32.Inject": [[331, 350]], "Indicator: Trojan.Razy.D1AF37": [[351, 369]], "Indicator: Trojan:Win32/Cadlotcorg.A!dha": [[395, 424]], "Indicator: Trojan/Win32.Injector.C1695778": [[425, 455]], "Indicator: Trojan.DiskWriter": [[456, 473]], "Indicator: Trj/CI.A": [[474, 482]], "Indicator: Win32/StoneDrill.A": [[483, 501]], "Indicator: Win32.Trojan.Inject.Eddh": [[502, 526]], "Indicator: Trojan.Inject!MGtoNAyL21Q": [[527, 552]], "Indicator: Trojan.Win32.Cadlotcorg": [[553, 576]]}, "info": {"id": "cyner2_5class_train_04156", "source": "cyner2_5class_train"}} +{"text": "HummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics .", "spans": {"Malware: HummingBad": [[0, 10]], "System: Google Play": [[52, 63]]}, "info": {"id": "cyner2_5class_train_04157", "source": "cyner2_5class_train"}} +{"text": "This functionality can be seen in Figure 1 .", "spans": {}, "info": {"id": "cyner2_5class_train_04158", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike.Win32.VirRansom.pc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.VirRansom.pc": [[26, 56]]}, "info": {"id": "cyner2_5class_train_04159", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Trojan/W32.Iframer.77312 Trojan.Iframer.aa Trojan.Win32.Iframer.aa Trojan/Iframer.aa Trojan.Iframer.X W32/DLoader.OAFQ Trojan.Win32.Iframer.aa TrojWare.Win32.Iframer.aa Trojan.Win32.Iframer.aa Trojan/Iframer.b Trojan.Win32.Iframer!IK Trojan:Win32/Ifrasif.A Trojan.Win32.Iframer.aa Trojan.Win32.Iframer", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Iframer.77312": [[26, 50]], "Indicator: Trojan.Iframer.aa": [[51, 68]], "Indicator: Trojan.Win32.Iframer.aa": [[69, 92], [145, 168], [195, 218], [283, 306]], "Indicator: Trojan/Iframer.aa": [[93, 110]], "Indicator: Trojan.Iframer.X": [[111, 127]], "Indicator: W32/DLoader.OAFQ": [[128, 144]], "Indicator: TrojWare.Win32.Iframer.aa": [[169, 194]], "Indicator: Trojan/Iframer.b": [[219, 235]], "Indicator: Trojan.Win32.Iframer!IK": [[236, 259]], "Indicator: Trojan:Win32/Ifrasif.A": [[260, 282]], "Indicator: Trojan.Win32.Iframer": [[307, 327]]}, "info": {"id": "cyner2_5class_train_04160", "source": "cyner2_5class_train"}} +{"text": "Highlights Samples of the malicious code found in BrainTest have been found on Google Play , and its creator has used multiple methods to evade detection by Google including Bypassing Google Bouncer by detecting if the malware is being run from an IP or domain mapped to Google Bouncer and , if so , it will not perform its intended malicious activities .", "spans": {"Malware: BrainTest": [[50, 59]], "System: Google Play": [[79, 90]], "Organization: Google": [[157, 163]], "System: Google Bouncer": [[184, 198], [271, 285]]}, "info": {"id": "cyner2_5class_train_04161", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D1DA5C Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.Steam.cwybnb TrojWare.Win32.PSW.Steathie.B2 Trojan.PWS.Steam.292 TR/PSW.Steathie.B PWS:MSIL/Pasdael.A W32/Sc!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D1DA5C": [[26, 44]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9993": [[45, 87]], "Indicator: Trojan.Win32.Steam.cwybnb": [[88, 113]], "Indicator: TrojWare.Win32.PSW.Steathie.B2": [[114, 144]], "Indicator: Trojan.PWS.Steam.292": [[145, 165]], "Indicator: TR/PSW.Steathie.B": [[166, 183]], "Indicator: PWS:MSIL/Pasdael.A": [[184, 202]], "Indicator: W32/Sc!tr.pws": [[203, 216]]}, "info": {"id": "cyner2_5class_train_04162", "source": "cyner2_5class_train"}} +{"text": "When analyzing the Ginp ’ s recent samples , ThreatFabric analysts found some similarities with the famous Android banking Trojan .", "spans": {"Malware: Ginp": [[19, 23]], "System: ThreatFabric": [[45, 57]]}, "info": {"id": "cyner2_5class_train_04163", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PSW.Vorbeld.B Trojan/W32.Ikmet.307200 Trojan.PSW.Vorbeld.B Troj.IM.W32.Ikmet.e!c Trojan/Ikmet.e Trojan.PSW.Vorbeld.B TROJ_VORBELD.B TROJ_VORBELD.B Trojan.PSW.Vorbeld.B Trojan-IM.Win32.Ikmet.e Trojan.PSW.Vorbeld.B Trojan.Win32.Ikmet.diag Win32.Trojan-im.Ikmet.Lfzq Trojan.PSW.Vorbeld.B TrojWare.Win32.PSW.Vorbeld.B Trojan.PSW.Vorbeld.B Trojan.PWS.Special.11 Trojan.Ikmet.Win32.2 BehavesLike.Win32.Fareit.fz W32/Risk.ZFPE-4855 Trojan/PSW.Vorbeld.b TR/PSW.Vorbeld.b Trojan[IM]/Win32.Ikmet Win32.Troj.Vorbeld.b.kcloud PWS:Win32/Vorbeld.B Trojan-IM.Win32.Ikmet.e TScope.Trojan.VB Win32/PSW.Vorbeld.B Trojan.Ikmet!CCqyhhL0iag Backdoor.VB W32/Vorbeld.E!tr Win32/Trojan.IM.00b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Vorbeld.B": [[26, 46], [71, 91], [129, 149], [180, 200], [225, 245], [297, 317], [347, 367]], "Indicator: Trojan/W32.Ikmet.307200": [[47, 70]], "Indicator: Troj.IM.W32.Ikmet.e!c": [[92, 113]], "Indicator: Trojan/Ikmet.e": [[114, 128]], "Indicator: TROJ_VORBELD.B": [[150, 164], [165, 179]], "Indicator: Trojan-IM.Win32.Ikmet.e": [[201, 224], [567, 590]], "Indicator: Trojan.Win32.Ikmet.diag": [[246, 269]], "Indicator: Win32.Trojan-im.Ikmet.Lfzq": [[270, 296]], "Indicator: 
TrojWare.Win32.PSW.Vorbeld.B": [[318, 346]], "Indicator: Trojan.PWS.Special.11": [[368, 389]], "Indicator: Trojan.Ikmet.Win32.2": [[390, 410]], "Indicator: BehavesLike.Win32.Fareit.fz": [[411, 438]], "Indicator: W32/Risk.ZFPE-4855": [[439, 457]], "Indicator: Trojan/PSW.Vorbeld.b": [[458, 478]], "Indicator: TR/PSW.Vorbeld.b": [[479, 495]], "Indicator: Trojan[IM]/Win32.Ikmet": [[496, 518]], "Indicator: Win32.Troj.Vorbeld.b.kcloud": [[519, 546]], "Indicator: PWS:Win32/Vorbeld.B": [[547, 566]], "Indicator: TScope.Trojan.VB": [[591, 607]], "Indicator: Win32/PSW.Vorbeld.B": [[608, 627]], "Indicator: Trojan.Ikmet!CCqyhhL0iag": [[628, 652]], "Indicator: Backdoor.VB": [[653, 664]], "Indicator: W32/Vorbeld.E!tr": [[665, 681]], "Indicator: Win32/Trojan.IM.00b": [[682, 701]]}, "info": {"id": "cyner2_5class_train_04164", "source": "cyner2_5class_train"}} +{"text": "EventBot Obfuscated class names Obfuscated class names using letters of the alphabet .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_04165", "source": "cyner2_5class_train"}} +{"text": "In particular , these apps try to add an additional method called statistics ( ) into the Activity class .", "spans": {}, "info": {"id": "cyner2_5class_train_04166", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.OnlineGames.AAGG Trojan.Magania.19302 Trojan.PWS.OnlineGames.AAGG TSPY_ONLINEG.IGO Win32.Trojan.WisdomEyes.16070401.9500.9932 Infostealer.Onlinegame Win32/Frethog.CIL TSPY_ONLINEG.IGO Win.Spyware.59235-2 Trojan-GameThief.Win32.OnLineGames.txbo Trojan.PWS.OnlineGames.AAGG Trojan.Win32.OnLineGames.lhee Troj.PSW32.W.QQPass.lpXN Trojan.PWS.OnlineGames.AAGG TrojWare.Win32.Trojan.Inject.~II Trojan.PWS.OnlineGames.AAGG Trojan.MulDrop4.15206 PWS-OnlineGames.co Trojan/PSW.OnLineGames.auru Trojan[GameThief]/Win32.WOW.gic Win32.Troj.OnlineGames.sd.kcloud Trojan.PWS.OnlineGames.AAGG Trojan.Win32.PSWIGames.11924.B Trojan.PWS.OnlineGames.AAGG 
Trojan/Win32.OnlineGameHack.C909 TrojanPSW.OnLineGames.nr Trojan-Spy.OnLineGames", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.OnlineGames.AAGG": [[26, 53], [75, 102], [281, 308], [364, 391], [425, 452], [587, 614], [646, 673]], "Indicator: Trojan.Magania.19302": [[54, 74]], "Indicator: TSPY_ONLINEG.IGO": [[103, 119], [204, 220]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9932": [[120, 162]], "Indicator: Infostealer.Onlinegame": [[163, 185]], "Indicator: Win32/Frethog.CIL": [[186, 203]], "Indicator: Win.Spyware.59235-2": [[221, 240]], "Indicator: Trojan-GameThief.Win32.OnLineGames.txbo": [[241, 280]], "Indicator: Trojan.Win32.OnLineGames.lhee": [[309, 338]], "Indicator: Troj.PSW32.W.QQPass.lpXN": [[339, 363]], "Indicator: TrojWare.Win32.Trojan.Inject.~II": [[392, 424]], "Indicator: Trojan.MulDrop4.15206": [[453, 474]], "Indicator: PWS-OnlineGames.co": [[475, 493]], "Indicator: Trojan/PSW.OnLineGames.auru": [[494, 521]], "Indicator: Trojan[GameThief]/Win32.WOW.gic": [[522, 553]], "Indicator: Win32.Troj.OnlineGames.sd.kcloud": [[554, 586]], "Indicator: Trojan.Win32.PSWIGames.11924.B": [[615, 645]], "Indicator: Trojan/Win32.OnlineGameHack.C909": [[674, 706]], "Indicator: TrojanPSW.OnLineGames.nr": [[707, 731]], "Indicator: Trojan-Spy.OnLineGames": [[732, 754]]}, "info": {"id": "cyner2_5class_train_04167", "source": "cyner2_5class_train"}} +{"text": "Cyphort has been monitoring how threat actors are exploiting computing resources from compromised victims to mine various crypto currencies.", "spans": {"Organization: Cyphort": [[0, 7]], "System: exploiting computing": [[50, 70]], "Indicator: mine various crypto currencies.": [[109, 140]]}, "info": {"id": "cyner2_5class_train_04168", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Toxic.a BehavesLike.Win32.BadFile.jc Trojan.Win32.Ransom.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Toxic.a": [[26, 53]], "Indicator: 
BehavesLike.Win32.BadFile.jc": [[54, 82]], "Indicator: Trojan.Win32.Ransom.a": [[83, 104]]}, "info": {"id": "cyner2_5class_train_04169", "source": "cyner2_5class_train"}} +{"text": "“ These communication channels are hard to discover and even harder to block entirely .", "spans": {}, "info": {"id": "cyner2_5class_train_04170", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanRansom.Blocker Ransom_Blocker.R0C1C0DHU17 Win32.Trojan.WisdomEyes.16070401.9500.9605 Ransom_Blocker.R0C1C0DHU17 Trojan-Ransom.Win32.Blocker.kgrm Troj.Ransom.W32.Blocker!c BehavesLike.Win32.RansomCerber.gh W32/Trojan.DOGS-7123 W32.Trojan.Backdoor TR/Crypt.ZPACK.hmkaa Trojan-Ransom.Win32.Blocker.kgrm Trojan/Win32.Dapato.C1720332 Hoax.Blocker Trojan.Dropper Trj/CI.A Win32.Trojan.Blocker.Akzg Trojan.Blocker!U13z+V78Arg Win32/Trojan.Ransom.acc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanRansom.Blocker": [[26, 46]], "Indicator: Ransom_Blocker.R0C1C0DHU17": [[47, 73], [117, 143]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9605": [[74, 116]], "Indicator: Trojan-Ransom.Win32.Blocker.kgrm": [[144, 176], [299, 331]], "Indicator: Troj.Ransom.W32.Blocker!c": [[177, 202]], "Indicator: BehavesLike.Win32.RansomCerber.gh": [[203, 236]], "Indicator: W32/Trojan.DOGS-7123": [[237, 257]], "Indicator: W32.Trojan.Backdoor": [[258, 277]], "Indicator: TR/Crypt.ZPACK.hmkaa": [[278, 298]], "Indicator: Trojan/Win32.Dapato.C1720332": [[332, 360]], "Indicator: Hoax.Blocker": [[361, 373]], "Indicator: Trojan.Dropper": [[374, 388]], "Indicator: Trj/CI.A": [[389, 397]], "Indicator: Win32.Trojan.Blocker.Akzg": [[398, 423]], "Indicator: Trojan.Blocker!U13z+V78Arg": [[424, 450]], "Indicator: Win32/Trojan.Ransom.acc": [[451, 474]]}, "info": {"id": "cyner2_5class_train_04171", "source": "cyner2_5class_train"}} +{"text": "Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of 
cyberattacks executed in a political and geopolitical context.", "spans": {"Organization: Kaspersky researchers": [[49, 70]], "Organization: the international community": [[75, 102]], "Indicator: cyberattacks": [[152, 164]]}, "info": {"id": "cyner2_5class_train_04172", "source": "cyner2_5class_train"}} +{"text": "network.exe submitting to the server code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects .", "spans": {"Indicator: network.exe": [[0, 11]], "System: Windows": [[124, 131]]}, "info": {"id": "cyner2_5class_train_04173", "source": "cyner2_5class_train"}} +{"text": "In the image below , we see a log TrickMo sent to the attacker upon becoming the default SMS app .", "spans": {"Malware: TrickMo": [[34, 41]]}, "info": {"id": "cyner2_5class_train_04174", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win.Trojan.Dadobra-446 Trojan-Downloader.Win32.Banload.bnlx Trojan.Win32.Downloader.337408.M TrojWare.Win32.TrojanDownloader.Dadobra.~JK Trojan.DownLoader5.10443 Trojan-Downloader.Win32.Banload TrojanDownloader.Banload.bhs Trojan[Downloader]/Win32.Banload Trojan-Downloader.Win32.Banload.bnlx Trojan:Win32/Banload.A Downloader/Win32.Banload.C108589 Win32/Spy.Banker.WNS Win32.Trojan-downloader.Banload.Ebhk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Trojan.Dadobra-446": [[26, 48]], "Indicator: Trojan-Downloader.Win32.Banload.bnlx": [[49, 85], [282, 318]], "Indicator: Trojan.Win32.Downloader.337408.M": [[86, 118]], "Indicator: TrojWare.Win32.TrojanDownloader.Dadobra.~JK": [[119, 162]], "Indicator: Trojan.DownLoader5.10443": [[163, 187]], "Indicator: Trojan-Downloader.Win32.Banload": [[188, 219]], "Indicator: TrojanDownloader.Banload.bhs": [[220, 248]], "Indicator: Trojan[Downloader]/Win32.Banload": [[249, 281]], "Indicator: Trojan:Win32/Banload.A": [[319, 341]], "Indicator: Downloader/Win32.Banload.C108589": [[342, 374]], "Indicator: 
Win32/Spy.Banker.WNS": [[375, 395]], "Indicator: Win32.Trojan-downloader.Banload.Ebhk": [[396, 432]]}, "info": {"id": "cyner2_5class_train_04175", "source": "cyner2_5class_train"}} +{"text": "Dropper variants are usually barely functioning photo utility , games , or sex related apps .", "spans": {}, "info": {"id": "cyner2_5class_train_04176", "source": "cyner2_5class_train"}} +{"text": "SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_04177", "source": "cyner2_5class_train"}} +{"text": "Let's examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT.", "spans": {}, "info": {"id": "cyner2_5class_train_04178", "source": "cyner2_5class_train"}} +{"text": "] 16 lala513.gicp [ .", "spans": {"Indicator: lala513.gicp [ .": [[5, 21]]}, "info": {"id": "cyner2_5class_train_04179", "source": "cyner2_5class_train"}} +{"text": "SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010.", "spans": {"Malware: SunOrcal": [[0, 8]], "System: the C2s,": [[98, 106]]}, "info": {"id": "cyner2_5class_train_04180", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TSPY_MALUMPOS.SM TSPY_MALUMPOS.SM Win.Trojan.MalumPOS-1 TR/AD.Siaacsia.ielmw Trojan:Win32/Malumpos.A Trojan/Win32.Malumpos.C1727078 Trojan-Spy.MalumPOS Win32/Trojan.Spy.958", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_MALUMPOS.SM": [[26, 42], [43, 59]], "Indicator: Win.Trojan.MalumPOS-1": [[60, 81]], "Indicator: TR/AD.Siaacsia.ielmw": [[82, 102]], "Indicator: Trojan:Win32/Malumpos.A": [[103, 126]], "Indicator: Trojan/Win32.Malumpos.C1727078": [[127, 157]], "Indicator: Trojan-Spy.MalumPOS": [[158, 177]], "Indicator: Win32/Trojan.Spy.958": [[178, 198]]}, "info": {"id": "cyner2_5class_train_04181", "source": "cyner2_5class_train"}} +{"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators 
point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system .", "spans": {"Malware: HenBox": [[48, 54]], "System: Windows": [[161, 168]]}, "info": {"id": "cyner2_5class_train_04182", "source": "cyner2_5class_train"}} +{"text": "An aside: the rootkit does appear to be named after the Pokémon of the same name.", "spans": {"Malware: rootkit": [[14, 21]]}, "info": {"id": "cyner2_5class_train_04183", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Hacktool.EH Trojan/W32.HackTool.215552 Trojan.Mauvaise.SL1 Win.Tool.Wincred-6333920-0 Application.Hacktool.EH HackTool.Win64.WinCred.c Application.Hacktool.EH Application.Hacktool.EH Tool.WinCred.1 BehavesLike.Win64.BrowseFox.dh W64/Application.WFWG-6345 Application.Hacktool.EH HackTool.Win64.WinCred.c Application.Hacktool.EH HackTool.Win64 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.EH": [[26, 49], [124, 147], [173, 196], [197, 220], [293, 316], [342, 365]], "Indicator: Trojan/W32.HackTool.215552": [[50, 76]], "Indicator: Trojan.Mauvaise.SL1": [[77, 96]], "Indicator: Win.Tool.Wincred-6333920-0": [[97, 123]], "Indicator: HackTool.Win64.WinCred.c": [[148, 172], [317, 341]], "Indicator: Tool.WinCred.1": [[221, 235]], "Indicator: BehavesLike.Win64.BrowseFox.dh": [[236, 266]], "Indicator: W64/Application.WFWG-6345": [[267, 292]], "Indicator: HackTool.Win64": [[366, 380]], "Indicator: Trj/CI.A": [[381, 389]]}, "info": {"id": "cyner2_5class_train_04184", "source": "cyner2_5class_train"}} +{"text": "Similarly , there are many crucial commands that further allow this spyware to perform additional functionality , such as executing commands sent by the C & C , clicking photos , capturing screenshots , stealing location information , and more .", "spans": {}, "info": {"id": "cyner2_5class_train_04185", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper/W32.Dapato.26112 
Trojan-Dropper.Win32.Dapato!O BackdoorAPT.Hikiti.G4 Win32.Trojan.WisdomEyes.16070401.9500.9983 Backdoor.Trojan BKDR_FEXEL.MM Backdoor.Win32.Fexel.b Trojan.Win32.Dapato.ceuzkz Trojan.DownLoader10.12491 BehavesLike.Win32.Downloader.mc Trojan.Win32.Farfli W32/Backdoor.QCOF-8324 Trojan[Dropper]/Win32.Dapato Trojan.Heur.E97E22 Troj.Dropper.W32.Dapato.dawi!c Backdoor.Win32.Fexel.b Backdoor:Win32/Hikiti.G!dha Dropper/Win32.Dapato.C199271 Win32.Backdoor.Fexel.Wvkt Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper/W32.Dapato.26112": [[26, 57]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[58, 87]], "Indicator: BackdoorAPT.Hikiti.G4": [[88, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[110, 152]], "Indicator: Backdoor.Trojan": [[153, 168]], "Indicator: BKDR_FEXEL.MM": [[169, 182]], "Indicator: Backdoor.Win32.Fexel.b": [[183, 205], [413, 435]], "Indicator: Trojan.Win32.Dapato.ceuzkz": [[206, 232]], "Indicator: Trojan.DownLoader10.12491": [[233, 258]], "Indicator: BehavesLike.Win32.Downloader.mc": [[259, 290]], "Indicator: Trojan.Win32.Farfli": [[291, 310]], "Indicator: W32/Backdoor.QCOF-8324": [[311, 333]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[334, 362]], "Indicator: Trojan.Heur.E97E22": [[363, 381]], "Indicator: Troj.Dropper.W32.Dapato.dawi!c": [[382, 412]], "Indicator: Backdoor:Win32/Hikiti.G!dha": [[436, 463]], "Indicator: Dropper/Win32.Dapato.C199271": [[464, 492]], "Indicator: Win32.Backdoor.Fexel.Wvkt": [[493, 518]], "Indicator: Trj/CI.A": [[519, 527]]}, "info": {"id": "cyner2_5class_train_04186", "source": "cyner2_5class_train"}} +{"text": "The legitimate version of this app is also available on Google Play .", "spans": {"System: Google Play": [[56, 67]]}, "info": {"id": "cyner2_5class_train_04187", "source": "cyner2_5class_train"}} +{"text": "It is assumed that actors using the malware are targeting small- to medium-sized businesses given the malware's focus on VNC applications.", "spans": {"Malware: malware": 
[[36, 43]], "Organization: small- to medium-sized businesses": [[58, 91]], "Malware: malware's": [[102, 111]], "System: VNC applications.": [[121, 138]]}, "info": {"id": "cyner2_5class_train_04188", "source": "cyner2_5class_train"}} +{"text": "In spite of these commonalities, we have not identified any firm links between the two groups.", "spans": {}, "info": {"id": "cyner2_5class_train_04189", "source": "cyner2_5class_train"}} +{"text": "The source process changes the registers in the target process so that PC register points directly to the shellcode .", "spans": {}, "info": {"id": "cyner2_5class_train_04190", "source": "cyner2_5class_train"}} +{"text": "This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", "spans": {"Indicator: attacks": [[17, 24]], "System: infrastructure": [[44, 58]]}, "info": {"id": "cyner2_5class_train_04191", "source": "cyner2_5class_train"}} +{"text": "This is done using the ptrace syscall .", "spans": {}, "info": {"id": "cyner2_5class_train_04192", "source": "cyner2_5class_train"}} +{"text": "“ The takeaway ? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. 
” Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility Service , the Achilles ’ heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim ’ s bank account or cryptocurrency wallet and taking over their email or social media accounts .", "spans": {"Indicator: E5212D4416486AF42E7ED1F58A526AEF77BE89BE": [[152, 192]], "Indicator: A9891222232145581FE8D0D483EDB4B18836BCFC": [[193, 233]], "Indicator: AFF9F39A6CA5D68C599B30012D79DA29E2672C6E": [[234, 274]], "System: Android": [[285, 292], [450, 457], [543, 550]], "Organization: ESET": [[357, 361], [489, 493]]}, "info": {"id": "cyner2_5class_train_04193", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ArchSMS!Tf0HkXJW05g Hoax.Win32.ArchSMS.hqqg Hoax.ArchSMS.hqqg SecurityRisk.PremiumSMSScam Hoax.Win32.ArchSMS Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ArchSMS!Tf0HkXJW05g": [[26, 52]], "Indicator: Hoax.Win32.ArchSMS.hqqg": [[53, 76]], "Indicator: Hoax.ArchSMS.hqqg": [[77, 94]], "Indicator: SecurityRisk.PremiumSMSScam": [[95, 122]], "Indicator: Hoax.Win32.ArchSMS": [[123, 141]], "Indicator: Trj/CI.A": [[142, 150]]}, "info": {"id": "cyner2_5class_train_04194", "source": "cyner2_5class_train"}} +{"text": "The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used.", "spans": {"Malware: family": [[8, 14]]}, "info": {"id": "cyner2_5class_train_04195", "source": "cyner2_5class_train"}} +{"text": "BLOCKER_STOP – block display of all HTML pages .", "spans": {}, "info": {"id": "cyner2_5class_train_04196", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Koutodoor!IK Backdoor:Win32/Koutodoor.B Backdoor.Win32.Koutodoor.da SHeur2.AIKX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Koutodoor!IK": [[26, 53]], "Indicator: Backdoor:Win32/Koutodoor.B": [[54, 80]], "Indicator: Backdoor.Win32.Koutodoor.da": [[81, 108]], "Indicator: SHeur2.AIKX": [[109, 120]]}, "info": {"id": "cyner2_5class_train_04197", "source": "cyner2_5class_train"}} +{"text": "It specifically targets financial banking applications across the United States and Europe , including Italy , the UK , Spain , Switzerland , France , and Germany .", "spans": {}, "info": {"id": "cyner2_5class_train_04198", "source": "cyner2_5class_train"}} +{"text": "The StreamEx family has the ability to access and modify the user's file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands.", "spans": {"Malware: The StreamEx family": [[0, 19]], "System: user's file system,": [[61, 80]], "System: system": [[109, 115], [148, 154]], "System: network": [[178, 185]], "System: firewall products": [[245, 262]], "System: antivirus products,": [[267, 286]], "Indicator: security settings,": [[302, 320]], "Indicator: remotely execute commands.": [[325, 351]]}, "info": {"id": "cyner2_5class_train_04199", "source": "cyner2_5class_train"}} +{"text": "Hide Icon Figure 3 : Code showing the hiding icon and starting service .", "spans": {}, "info": {"id": "cyner2_5class_train_04200", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Comfold Trojan:Win32/Comfold.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Comfold": [[26, 40]], "Indicator: Trojan:Win32/Comfold.A": [[41, 63]]}, "info": {"id": "cyner2_5class_train_04201", "source": 
"cyner2_5class_train"}} +{"text": "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample .", "spans": {}, "info": {"id": "cyner2_5class_train_04202", "source": "cyner2_5class_train"}} +{"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7 jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ .", "spans": {"Indicator: 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425": [[50, 114]], "Indicator: ufD.wykyx.vlhvh": [[115, 130]], "Indicator: 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588": [[143, 207]], "Indicator: ufD.wyjyx.vahvh": [[208, 223], [381, 396]], "Indicator: 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b": [[229, 293]], "Indicator: com.dhp.ozqh": [[294, 306]], "Organization: Facebook": [[307, 315]], "Indicator: 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8": [[316, 380]], "Indicator: a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511": [[409, 473]], "Indicator: com.aqyh.xolo": [[474, 487]], "Indicator: cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7": [[493, 557]], "Indicator: jp.co.sagawa.SagawaOfficialApp": [[558, 588]], "Indicator: hxxp : //38 [ .": [[611, 626]]}, "info": {"id": "cyner2_5class_train_04203", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.AutoRun.Win32.132231 Win32.Trojan.ServStart.a Win.Trojan.Qhost-160 
Trojan.Win32.AutoRun.cvpwhj Trojan.DownLoader4.40333 BehavesLike.Win32.Ipamor.lm TR/Dldr.JKCN Trojan/Win32.Downloader.C40577 Trojan.Win32.Wc Win32/AutoRun.PT Trojan-Proxy.Win32.Ranky", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Worm.AutoRun.Win32.132231": [[47, 72]], "Indicator: Win32.Trojan.ServStart.a": [[73, 97]], "Indicator: Win.Trojan.Qhost-160": [[98, 118]], "Indicator: Trojan.Win32.AutoRun.cvpwhj": [[119, 146]], "Indicator: Trojan.DownLoader4.40333": [[147, 171]], "Indicator: BehavesLike.Win32.Ipamor.lm": [[172, 199]], "Indicator: TR/Dldr.JKCN": [[200, 212]], "Indicator: Trojan/Win32.Downloader.C40577": [[213, 243]], "Indicator: Trojan.Win32.Wc": [[244, 259]], "Indicator: Win32/AutoRun.PT": [[260, 276]], "Indicator: Trojan-Proxy.Win32.Ranky": [[277, 301]]}, "info": {"id": "cyner2_5class_train_04204", "source": "cyner2_5class_train"}} +{"text": "The handful of malicious features densely packed in this new malware also includes the ability to drop other malware.", "spans": {"Malware: malicious": [[15, 24]], "Malware: malware": [[61, 68]], "Malware: malware.": [[109, 117]]}, "info": {"id": "cyner2_5class_train_04205", "source": "cyner2_5class_train"}} +{"text": "] net – C & C servers NG SuperShell – string from the reverse shell payload ngg – prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well .", "spans": {"System: Windows": [[126, 133]]}, "info": {"id": "cyner2_5class_train_04206", "source": "cyner2_5class_train"}} +{"text": "DOWNLOAD AND UPDATE THE TARGET CONFIGURATION FILE By analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1 , we can see that EventBot downloads and updates a configuration file with almost 200 different financial application targets .", "spans": {"Malware: EventBot": [[96, 104], [139, 147]]}, "info": {"id": "cyner2_5class_train_04207", "source": 
"cyner2_5class_train"}} +{"text": "Once the malware can use accessibility services , it has the ability to operate as a keylogger and can retrieve notifications about other installed applications and content of open windows .", "spans": {}, "info": {"id": "cyner2_5class_train_04208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ShipBHQc.Trojan Trojan.Win32.ShipUp!O TrojanPWS.Zbot.Y Trojan/Kryptik.awzk Trojan.Razy.D3C5B TROJ_KRYPTK.SML3 Win.Trojan.Redirect-6055402-0 Trojan.Win32.ShipUp.brmnrc Trojan.Redirect.140 Trojan.ShipUp.Win32.1152 TROJ_KRYPTK.SML3 BehavesLike.Win32.PWSZbot.dh Trojan.Win32.ShipUp Trojan/ShipUp.ix TR/Rogue.kdz.11287.3 Trojan/Win32.ShipUp TrojanDropper:Win32/Gepys.A Troj.W32.ShipUp.lINm Trojan/Win32.Shipup.R58491 TScope.Malware-Cryptor.SB Trojan.FakeMS.ED W32/Kryptik.AYTK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ShipBHQc.Trojan": [[26, 51]], "Indicator: Trojan.Win32.ShipUp!O": [[52, 73]], "Indicator: TrojanPWS.Zbot.Y": [[74, 90]], "Indicator: Trojan/Kryptik.awzk": [[91, 110]], "Indicator: Trojan.Razy.D3C5B": [[111, 128]], "Indicator: TROJ_KRYPTK.SML3": [[129, 145], [248, 264]], "Indicator: Win.Trojan.Redirect-6055402-0": [[146, 175]], "Indicator: Trojan.Win32.ShipUp.brmnrc": [[176, 202]], "Indicator: Trojan.Redirect.140": [[203, 222]], "Indicator: Trojan.ShipUp.Win32.1152": [[223, 247]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[265, 293]], "Indicator: Trojan.Win32.ShipUp": [[294, 313]], "Indicator: Trojan/ShipUp.ix": [[314, 330]], "Indicator: TR/Rogue.kdz.11287.3": [[331, 351]], "Indicator: Trojan/Win32.ShipUp": [[352, 371]], "Indicator: TrojanDropper:Win32/Gepys.A": [[372, 399]], "Indicator: Troj.W32.ShipUp.lINm": [[400, 420]], "Indicator: Trojan/Win32.Shipup.R58491": [[421, 447]], "Indicator: TScope.Malware-Cryptor.SB": [[448, 473]], "Indicator: Trojan.FakeMS.ED": [[474, 490]], "Indicator: W32/Kryptik.AYTK!tr": [[491, 510]]}, "info": {"id": "cyner2_5class_train_04209", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy.Win32.Tibia!O Win32.Trojan.WisdomEyes.16070401.9500.9963 Trojan.Win32.Drop.cbndjf Trojan.MulDrop3.1226 BehavesLike.Win32.BadFile.rc Trojan-Dropper.Win32.Monya TR/Drop.Tibdef.B Trojan.Raldhep.1 TrojanDropper:Win32/Tibdef.B W32/Dropper.AAAI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy.Win32.Tibia!O": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[51, 93]], "Indicator: Trojan.Win32.Drop.cbndjf": [[94, 118]], "Indicator: Trojan.MulDrop3.1226": [[119, 139]], "Indicator: BehavesLike.Win32.BadFile.rc": [[140, 168]], "Indicator: Trojan-Dropper.Win32.Monya": [[169, 195]], "Indicator: TR/Drop.Tibdef.B": [[196, 212]], "Indicator: Trojan.Raldhep.1": [[213, 229]], "Indicator: TrojanDropper:Win32/Tibdef.B": [[230, 258]], "Indicator: W32/Dropper.AAAI!tr": [[259, 278]]}, "info": {"id": "cyner2_5class_train_04210", "source": "cyner2_5class_train"}} +{"text": "It is in use by the Molerats aka Gaza cybergang, a politically motivated group whose main objective, we believe, is intelligence gathering.", "spans": {"Indicator: intelligence gathering.": [[116, 139]]}, "info": {"id": "cyner2_5class_train_04211", "source": "cyner2_5class_train"}} +{"text": "The Magnitude exploit kit has been using an XML configuration file critical to retrieving the malware payload Cerber for several months already.", "spans": {"Malware: The Magnitude exploit kit": [[0, 25]], "Indicator: XML configuration": [[44, 61]], "Malware: the malware payload Cerber": [[90, 116]]}, "info": {"id": "cyner2_5class_train_04212", "source": "cyner2_5class_train"}} +{"text": "Here is Forcepoint Security Labs we have seen a number of changes and improvements over the last few months.", "spans": {"Organization: Forcepoint Security Labs": [[8, 32]]}, "info": {"id": "cyner2_5class_train_04213", "source": "cyner2_5class_train"}} +{"text": "The actors compromised the sites of a local television network, 
educational organizations, a religious institute, and a known political party in Taiwan; and a popular news site in Hong Kong.", "spans": {"Indicator: compromised the sites": [[11, 32]], "Organization: local television network, educational organizations, a religious institute,": [[38, 113]], "Organization: a known political party": [[118, 141]], "Organization: a popular news site": [[157, 176]]}, "info": {"id": "cyner2_5class_train_04214", "source": "cyner2_5class_train"}} +{"text": "One of the first changes that stands out is that the screen recording feature mentioned in the previous sample has been removed .", "spans": {}, "info": {"id": "cyner2_5class_train_04215", "source": "cyner2_5class_train"}} +{"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing , the functionality of most of the Western versions of Riltok was somewhat pared down compared to the Russian one .", "spans": {"System: Google Play": [[75, 86]]}, "info": {"id": "cyner2_5class_train_04216", "source": "cyner2_5class_train"}} +{"text": "This disallows apps to be installed on your device from unknown sources .", "spans": {}, "info": {"id": "cyner2_5class_train_04217", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.O W32/Trojan2.OALA W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.cc W32/Trojan.JXET-3602 Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 
W32.Virut.lM6H Virus.Win32.Virut.ce TrojanClicker:MSIL/Xobnff.A Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Virus.Win32.Virut W32/Virut.CE Virus.Win32.Virut.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: PE_VIRUX.O": [[73, 83], [132, 142]], "Indicator: W32/Trojan2.OALA": [[84, 100]], "Indicator: W32.Virut.CF": [[101, 113]], "Indicator: Win32/Virut.17408": [[114, 131]], "Indicator: Win32.Virus.Virut.Q": [[143, 162]], "Indicator: Virus.Win32.Virut.ce": [[163, 183], [386, 406]], "Indicator: Virus.Win32.Virut.hpeg": [[184, 206]], "Indicator: Virus.Win32.Virut.CE": [[207, 227]], "Indicator: Win32.Virut.56": [[228, 242]], "Indicator: Virus.Virut.Win32.1938": [[243, 265]], "Indicator: BehavesLike.Win32.Virut.cc": [[266, 292]], "Indicator: W32/Trojan.JXET-3602": [[293, 313]], "Indicator: Win32/Virut.bt": [[314, 328]], "Indicator: Virus/Win32.Virut.ce": [[329, 349]], "Indicator: Win32.Virut.cr.61440": [[350, 370]], "Indicator: W32.Virut.lM6H": [[371, 385]], "Indicator: TrojanClicker:MSIL/Xobnff.A": [[407, 434]], "Indicator: Win32/Virut.F": [[435, 448]], "Indicator: Virus.Virut.14": [[449, 463]], "Indicator: W32/Sality.AO": [[464, 477]], "Indicator: Win32/Virut.NBP": [[478, 493]], "Indicator: Virus.Win32.Virut": [[494, 511]], "Indicator: W32/Virut.CE": [[512, 524]], "Indicator: Virus.Win32.Virut.M": [[525, 544]]}, "info": {"id": "cyner2_5class_train_04218", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Zegost.FC.2167 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.DownLoader22.48526 BehavesLike.Win32.Trojan.cc Trojan.MSIL.Bladabindi.1 MSIL/Injector.PJG!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Zegost.FC.2167": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[50, 92]], "Indicator: Trojan.DownLoader22.48526": [[93, 118]], "Indicator: 
BehavesLike.Win32.Trojan.cc": [[119, 146]], "Indicator: Trojan.MSIL.Bladabindi.1": [[147, 171]], "Indicator: MSIL/Injector.PJG!tr": [[172, 192]], "Indicator: Trj/GdSda.A": [[193, 204]]}, "info": {"id": "cyner2_5class_train_04219", "source": "cyner2_5class_train"}} +{"text": "This analysis dissects FakeSpy ’ s Chunghwa Post app version , which emerged in April 2020 .", "spans": {"Malware: FakeSpy": [[23, 30]]}, "info": {"id": "cyner2_5class_train_04220", "source": "cyner2_5class_train"}} +{"text": "Such references would be in line with FrozenCell 's phishing tactics in which they used file names to lure people associated with the political party to open malicious documents .", "spans": {"Malware: FrozenCell": [[38, 48]]}, "info": {"id": "cyner2_5class_train_04221", "source": "cyner2_5class_train"}} +{"text": "Sinkhole data explained below shows just how quickly this campaign is impacting victims.", "spans": {"Indicator: Sinkhole data": [[0, 13]]}, "info": {"id": "cyner2_5class_train_04222", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Netstop.A Trojan.Netstop.A Backdoor.Trojan Win32/Noshare.N TROJ_NETSTOPA.A Trojan.Netstop.A Trojan.Win32.Netstop.dyylkw Win32.Trojan-spy.Gc.Hsii Trojan.Netstop.A Worm.Win32.SpyBot.GC Trojan.Netstop.A Email-Worm.Win32.GOPworm.196 TROJ_NETSTOPA.A TR/Netstop.A Trojan.Netstop.A Trojan.Netstop.A Email-Worm.Win32.GOPworm.196 Win32/SpyBot.GC Worm.SpyBot!FiFtixQJKm8 W32/Netstop.A!tr Bck/Secur.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Netstop.A": [[26, 42], [43, 59], [108, 124], [178, 194], [216, 232], [291, 307], [308, 324]], "Indicator: Backdoor.Trojan": [[60, 75]], "Indicator: Win32/Noshare.N": [[76, 91]], "Indicator: TROJ_NETSTOPA.A": [[92, 107], [262, 277]], "Indicator: Trojan.Win32.Netstop.dyylkw": [[125, 152]], "Indicator: Win32.Trojan-spy.Gc.Hsii": [[153, 177]], "Indicator: Worm.Win32.SpyBot.GC": [[195, 215]], "Indicator: Email-Worm.Win32.GOPworm.196": [[233, 261], [325, 353]], 
"Indicator: TR/Netstop.A": [[278, 290]], "Indicator: Win32/SpyBot.GC": [[354, 369]], "Indicator: Worm.SpyBot!FiFtixQJKm8": [[370, 393]], "Indicator: W32/Netstop.A!tr": [[394, 410]], "Indicator: Bck/Secur.A": [[411, 422]]}, "info": {"id": "cyner2_5class_train_04223", "source": "cyner2_5class_train"}} +{"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.", "spans": {"Organization: FireEye": [[0, 7]], "Malware: malware,": [[71, 79]], "Malware: tools,": [[123, 129]]}, "info": {"id": "cyner2_5class_train_04224", "source": "cyner2_5class_train"}} +{"text": "android.intent.action.restart A legacy intent used to indicate a system restart .", "spans": {"Indicator: android.intent.action.restart": [[0, 29]]}, "info": {"id": "cyner2_5class_train_04225", "source": "cyner2_5class_train"}} +{"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank .", "spans": {"Malware: Red Alert 2.0": [[30, 43]], "Organization: Barclays": [[63, 71]]}, "info": {"id": "cyner2_5class_train_04226", "source": "cyner2_5class_train"}} +{"text": "In recent years, the detention and interrogation of members of online communities has been publicized by state media for propaganda purposes.", "spans": {"Organization: members": [[52, 59]], "Organization: online communities": [[63, 81]], "Organization: state media": [[105, 116]]}, "info": {"id": "cyner2_5class_train_04227", "source": "cyner2_5class_train"}} +{"text": "PaloAlto Unit 42 researchers have observed a new Remote Access Tool RAT constructed by an unknown actor of Italian origin.", "spans": {"Organization: PaloAlto Unit 42 researchers": [[0, 28]], "Malware: Remote Access Tool RAT": [[49, 71]]}, "info": {"id": "cyner2_5class_train_04228", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject.IA 
Trojan.Skeeyah.8818 Infostealer.Kegotip!gm TSPY_KEGOTIP.SMA Trojan.Inject.IA Trojan-PSW.Win32.Minari.a Trojan.Inject.IA Trojan.Inject.IA Trojan.Inject.IA Trojan.PWS.Stealer.2518 TSPY_KEGOTIP.SMA BehavesLike.Win32.Backdoor.ch Trojan[PSW]/Win32.Minari Trojan.Inject.IA Trojan-PSW.Win32.Minari.a Trojan/Win32.PWS.R100577 Trojan.Inject.IA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.IA": [[26, 42], [103, 119], [146, 162], [163, 179], [180, 196], [293, 309], [361, 377]], "Indicator: Trojan.Skeeyah.8818": [[43, 62]], "Indicator: Infostealer.Kegotip!gm": [[63, 85]], "Indicator: TSPY_KEGOTIP.SMA": [[86, 102], [221, 237]], "Indicator: Trojan-PSW.Win32.Minari.a": [[120, 145], [310, 335]], "Indicator: Trojan.PWS.Stealer.2518": [[197, 220]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[238, 267]], "Indicator: Trojan[PSW]/Win32.Minari": [[268, 292]], "Indicator: Trojan/Win32.PWS.R100577": [[336, 360]]}, "info": {"id": "cyner2_5class_train_04229", "source": "cyner2_5class_train"}} +{"text": "Conclusion Threats are better prevented than cured , so do not follow suspicious links in SMS , and be sure to install apps only from official sources and check what permissions you are granting during installation .", "spans": {}, "info": {"id": "cyner2_5class_train_04230", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Mutopy!O Trojan.Mutopy.A TROJ_MUTOPY.SMYN Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_MUTOPY.SMYN Win.Trojan.Multi-6413508-0 Troj.Dropper.W32.Dapato.lCcB Trojan.MulDrop4.10927 BehavesLike.Win32.Downloader.hh TR/Kazy.34213.jh Trojan:Win32/Mutopy.A Trojan.Naffy.1 Trojan/Win32.HDC.C53646 TScope.Malware-Cryptor.SB Trojan.Win32.Jorik W32/Rodecap.AS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Mutopy!O": [[26, 49]], "Indicator: Trojan.Mutopy.A": [[50, 65]], "Indicator: TROJ_MUTOPY.SMYN": [[66, 82], [126, 142]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[83, 125]], 
"Indicator: Win.Trojan.Multi-6413508-0": [[143, 169]], "Indicator: Troj.Dropper.W32.Dapato.lCcB": [[170, 198]], "Indicator: Trojan.MulDrop4.10927": [[199, 220]], "Indicator: BehavesLike.Win32.Downloader.hh": [[221, 252]], "Indicator: TR/Kazy.34213.jh": [[253, 269]], "Indicator: Trojan:Win32/Mutopy.A": [[270, 291]], "Indicator: Trojan.Naffy.1": [[292, 306]], "Indicator: Trojan/Win32.HDC.C53646": [[307, 330]], "Indicator: TScope.Malware-Cryptor.SB": [[331, 356]], "Indicator: Trojan.Win32.Jorik": [[357, 375]], "Indicator: W32/Rodecap.AS!tr": [[376, 393]]}, "info": {"id": "cyner2_5class_train_04231", "source": "cyner2_5class_train"}} +{"text": "Cybereason Mobile Detecting EventBotCybereason Mobile detecting EventBot .", "spans": {"Organization: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[64, 72]]}, "info": {"id": "cyner2_5class_train_04232", "source": "cyner2_5class_train"}} +{"text": "The method is a well-known trick used by penetration testers that was automated and generalized by FinFisher The procedure starts by enumerating the KnownDlls object directory and then scanning for section objects of the cached system DLLs .", "spans": {"Malware: FinFisher": [[99, 108]]}, "info": {"id": "cyner2_5class_train_04233", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.W32.Androm.toYX Trojan/Injector.drgl Win32.Trojan.WisdomEyes.16070401.9500.9978 Win.Trojan.WillExec-6356235-0 Backdoor.Androm.sdz Trojan.Zusy.D3FE2C Trojan:Win32/Lethic.Q!bit Backdoor.Androm Trj/GdSda.A W32/Injector.DQID!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.W32.Androm.toYX": [[26, 50]], "Indicator: Trojan/Injector.drgl": [[51, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9978": [[72, 114]], "Indicator: Win.Trojan.WillExec-6356235-0": [[115, 144]], "Indicator: Backdoor.Androm.sdz": [[145, 164]], "Indicator: Trojan.Zusy.D3FE2C": [[165, 183]], "Indicator: Trojan:Win32/Lethic.Q!bit": [[184, 209]], "Indicator: Backdoor.Androm": [[210, 
225]], "Indicator: Trj/GdSda.A": [[226, 237]], "Indicator: W32/Injector.DQID!tr": [[238, 258]]}, "info": {"id": "cyner2_5class_train_04234", "source": "cyner2_5class_train"}} +{"text": "Samples uploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since December 2022.", "spans": {"Malware: Samples": [[0, 7]], "System: public repositories": [[20, 39]], "Malware: Typhon Reborn": [[73, 86]]}, "info": {"id": "cyner2_5class_train_04235", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.RHUU-4415 MSIL.Trojan.Packed.G Trojan-Dropper.Win32.Scrop.ccm Trojan.Win32.Inject.dzszva Trojan.PWS.Multi.1690 BehavesLike.Win32.Trojan.tc TrojanDropper.Sysn.arw TR/Injector.drydq Trojan/MSIL.Inject Trojan:MSIL/Plimrost.B Trojan.Kazy.DAD984 Trojan-Dropper.Win32.Scrop.ccm Trojan/Win32.Injector.C952834 Trj/CI.A Trojan.MSIL.Injector MSIL/Kryptik.DDP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: W32/Trojan.RHUU-4415": [[69, 89]], "Indicator: MSIL.Trojan.Packed.G": [[90, 110]], "Indicator: Trojan-Dropper.Win32.Scrop.ccm": [[111, 141], [321, 351]], "Indicator: Trojan.Win32.Inject.dzszva": [[142, 168]], "Indicator: Trojan.PWS.Multi.1690": [[169, 190]], "Indicator: BehavesLike.Win32.Trojan.tc": [[191, 218]], "Indicator: TrojanDropper.Sysn.arw": [[219, 241]], "Indicator: TR/Injector.drydq": [[242, 259]], "Indicator: Trojan/MSIL.Inject": [[260, 278]], "Indicator: Trojan:MSIL/Plimrost.B": [[279, 301]], "Indicator: Trojan.Kazy.DAD984": [[302, 320]], "Indicator: Trojan/Win32.Injector.C952834": [[352, 381]], "Indicator: Trj/CI.A": [[382, 390]], "Indicator: Trojan.MSIL.Injector": [[391, 411]], "Indicator: MSIL/Kryptik.DDP!tr": [[412, 431]]}, "info": {"id": "cyner2_5class_train_04236", "source": "cyner2_5class_train"}} +{"text": "Zcrypt uses the Nullsoft Scriptable Install System, which works like a Zip 
file, decompressing and loading the content while running.", "spans": {"Malware: Zcrypt": [[0, 6]], "System: the Nullsoft Scriptable Install System,": [[12, 51]]}, "info": {"id": "cyner2_5class_train_04237", "source": "cyner2_5class_train"}} +{"text": "The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.", "spans": {"Malware: malware": [[4, 11]], "Indicator: attacks": [[28, 35]], "Malware: variant": [[42, 49]], "Malware: Shamoon worm": [[66, 78]], "Organization: Saudi Aramco": [[93, 105]], "Organization: Rasgas": [[110, 116]]}, "info": {"id": "cyner2_5class_train_04238", "source": "cyner2_5class_train"}} +{"text": "This malware is simplistic in comparison to some modern-day Android malware .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner2_5class_train_04239", "source": "cyner2_5class_train"}} +{"text": "Some of these might have been used on old campaigns or were already prepared for new campaigns .", "spans": {}, "info": {"id": "cyner2_5class_train_04240", "source": "cyner2_5class_train"}} +{"text": "Again , the concept is that new victims are more likely to install the malware if the SMS comes from someone they know .", "spans": {}, "info": {"id": "cyner2_5class_train_04241", "source": "cyner2_5class_train"}} +{"text": "This technical note discusses a relatively undocumented implant used by the APT10 group.", "spans": {}, "info": {"id": "cyner2_5class_train_04242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_STARTPA.NSS W32/Backdoor2.HTGN Win32/Wysotot.GJVbdHD TROJ_STARTPA.NSS Win32.Trojan-Hijacker.Wysotot.A Trojan.Win32.AdLoad.eizvbn Adware.Mutabaha.255 Adware.MutabahaCRTD.Win32.1189 BehavesLike.Win32.ICLoader.gc Backdoor.Win32.ZAccess W32/Backdoor.SAIZ-5729 Trojan/Win32.StartPage Trojan.Adware.Zusy.D1584D PUP.Elex/Variant Downloader/Win32.Adware.R86759 Trojan.StartPage PUP.Optional.Elex Trj/CI.A Trojan.StartPage!B6aZ1c5P97Y", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: TROJ_STARTPA.NSS": [[26, 42], [84, 100]], "Indicator: W32/Backdoor2.HTGN": [[43, 61]], "Indicator: Win32/Wysotot.GJVbdHD": [[62, 83]], "Indicator: Win32.Trojan-Hijacker.Wysotot.A": [[101, 132]], "Indicator: Trojan.Win32.AdLoad.eizvbn": [[133, 159]], "Indicator: Adware.Mutabaha.255": [[160, 179]], "Indicator: Adware.MutabahaCRTD.Win32.1189": [[180, 210]], "Indicator: BehavesLike.Win32.ICLoader.gc": [[211, 240]], "Indicator: Backdoor.Win32.ZAccess": [[241, 263]], "Indicator: W32/Backdoor.SAIZ-5729": [[264, 286]], "Indicator: Trojan/Win32.StartPage": [[287, 309]], "Indicator: Trojan.Adware.Zusy.D1584D": [[310, 335]], "Indicator: PUP.Elex/Variant": [[336, 352]], "Indicator: Downloader/Win32.Adware.R86759": [[353, 383]], "Indicator: Trojan.StartPage": [[384, 400]], "Indicator: PUP.Optional.Elex": [[401, 418]], "Indicator: Trj/CI.A": [[419, 427]], "Indicator: Trojan.StartPage!B6aZ1c5P97Y": [[428, 456]]}, "info": {"id": "cyner2_5class_train_04243", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.Crypt.gauf Trojan.Starter.7472 Trojan.MSIL.ilny TR/AD.Binderon.roatv Trojan.Ursu.D13D6D Trojan.MSIL.Crypt.gauf PWS:AutoIt/Passup.A Win32/Spy.Autoit.BY Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.Crypt.gauf": [[26, 48], [126, 148]], "Indicator: Trojan.Starter.7472": [[49, 68]], "Indicator: Trojan.MSIL.ilny": [[69, 85]], "Indicator: TR/AD.Binderon.roatv": [[86, 106]], "Indicator: Trojan.Ursu.D13D6D": [[107, 125]], "Indicator: PWS:AutoIt/Passup.A": [[149, 168]], "Indicator: Win32/Spy.Autoit.BY": [[169, 188]], "Indicator: Trj/GdSda.A": [[189, 200]]}, "info": {"id": "cyner2_5class_train_04244", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.1BC9 Trojan.Banavkill Trojan-Banker.Win32.Banbra.wjem Trojan.Win32.Banbra.exnyzm TR/Spy.Banker.ohxzm Trojan.Ursu.D10A45 Trojan-Banker.Win32.Banbra.wjem Trojan:Win32/Banavkill.A 
Trojan/Win32.Banbra.C2352559 Trojan-Banker.Banbra Trj/GdSda.A Win32.Trojan.Falsesign.Htma Win32/Trojan.f8b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.1BC9": [[26, 42]], "Indicator: Trojan.Banavkill": [[43, 59]], "Indicator: Trojan-Banker.Win32.Banbra.wjem": [[60, 91], [158, 189]], "Indicator: Trojan.Win32.Banbra.exnyzm": [[92, 118]], "Indicator: TR/Spy.Banker.ohxzm": [[119, 138]], "Indicator: Trojan.Ursu.D10A45": [[139, 157]], "Indicator: Trojan:Win32/Banavkill.A": [[190, 214]], "Indicator: Trojan/Win32.Banbra.C2352559": [[215, 243]], "Indicator: Trojan-Banker.Banbra": [[244, 264]], "Indicator: Trj/GdSda.A": [[265, 276]], "Indicator: Win32.Trojan.Falsesign.Htma": [[277, 304]], "Indicator: Win32/Trojan.f8b": [[305, 321]]}, "info": {"id": "cyner2_5class_train_04245", "source": "cyner2_5class_train"}} +{"text": "We are providing a detailed analysis of the rootkit, and also making the samples available to the industry to help others block this threat.", "spans": {"Malware: rootkit,": [[44, 52]], "Organization: industry": [[98, 106]], "Malware: threat.": [[133, 140]]}, "info": {"id": "cyner2_5class_train_04246", "source": "cyner2_5class_train"}} +{"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack .", "spans": {"System: Flash": [[4, 9]], "Vulnerability: CVE-2015-5119": [[29, 42]], "Malware: Angler Exploit Kit": [[64, 82]], "Malware: Nuclear Exploit Pack": [[87, 107]]}, "info": {"id": "cyner2_5class_train_04247", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan.PWS.OnlineGames.ZON Trojan.PWS.OnlineGames.ZON Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TSPY_ONLINEG.FGF Win.Trojan.Onlinegames-44 Trojan.PWS.OnlineGames.ZON Trojan.PWS.OnlineGames.ZON Trojan.Win32.OnLineGames.rzwt Troj.PSW32.W.OnLineGames.aoem!c Trojan.PWS.OnlineGames.ZON Packed.Win32.MUPACK.~KW Trojan.PWS.OnlineGames.ZON 
Trojan.PWS.Wsgame.5652 Trojan.OnLineGames.Win32.160328 TSPY_ONLINEG.FGF BehavesLike.Win32.Sdbot.cz Trojan/PSW.OnLineGames.akkc TrojanDropper:Win32/Tilcun.E Trojan/Win32.MalPack.C60090 Trojan.PWS.OnlineGames.ZON BScope.Trojan-PSW.Gomex.22 Trj/Pupack.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLT180912HKGHAAI.Trojan": [[26, 59]], "Indicator: Trojan.PWS.OnlineGames.ZON": [[60, 86], [87, 113], [220, 246], [247, 273], [336, 362], [387, 413], [598, 624]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[114, 156]], "Indicator: Infostealer.Gampass": [[157, 176]], "Indicator: TSPY_ONLINEG.FGF": [[177, 193], [469, 485]], "Indicator: Win.Trojan.Onlinegames-44": [[194, 219]], "Indicator: Trojan.Win32.OnLineGames.rzwt": [[274, 303]], "Indicator: Troj.PSW32.W.OnLineGames.aoem!c": [[304, 335]], "Indicator: Packed.Win32.MUPACK.~KW": [[363, 386]], "Indicator: Trojan.PWS.Wsgame.5652": [[414, 436]], "Indicator: Trojan.OnLineGames.Win32.160328": [[437, 468]], "Indicator: BehavesLike.Win32.Sdbot.cz": [[486, 512]], "Indicator: Trojan/PSW.OnLineGames.akkc": [[513, 540]], "Indicator: TrojanDropper:Win32/Tilcun.E": [[541, 569]], "Indicator: Trojan/Win32.MalPack.C60090": [[570, 597]], "Indicator: BScope.Trojan-PSW.Gomex.22": [[625, 651]], "Indicator: Trj/Pupack.A": [[652, 664]]}, "info": {"id": "cyner2_5class_train_04248", "source": "cyner2_5class_train"}} +{"text": "The infamous Remote Access Trojan RAT Poison Ivy hereafter referred to as PIVY has resurfaced recently, and exhibits some new behaviors.", "spans": {"Malware: The infamous Remote Access Trojan RAT Poison Ivy": [[0, 48]], "Malware: PIVY": [[74, 78]]}, "info": {"id": "cyner2_5class_train_04249", "source": "cyner2_5class_train"}} +{"text": "However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C C server.", "spans": {"Malware: botnet": [[35, 41]], "System: an FTP server": [[75, 88]], "Indicator: a C C server.": [[114, 127]]}, "info": 
{"id": "cyner2_5class_train_04250", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Small.40960.BX TROJ_FAKEAV.ASI W32/Backdoor2.HASV Backdoor.Trojan.B Win32/Wonip.A TROJ_FAKEAV.ASI Trojan.PWS.Sniftp.15 W32/Backdoor.YSEB-6778 BDS/Wonip.A Backdoor:Win32/Wonip.A Trojan/Win32.Xema.C82592 W32/Backdr.FB!tr Win32/Backdoor.435", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Small.40960.BX": [[26, 53]], "Indicator: TROJ_FAKEAV.ASI": [[54, 69], [121, 136]], "Indicator: W32/Backdoor2.HASV": [[70, 88]], "Indicator: Backdoor.Trojan.B": [[89, 106]], "Indicator: Win32/Wonip.A": [[107, 120]], "Indicator: Trojan.PWS.Sniftp.15": [[137, 157]], "Indicator: W32/Backdoor.YSEB-6778": [[158, 180]], "Indicator: BDS/Wonip.A": [[181, 192]], "Indicator: Backdoor:Win32/Wonip.A": [[193, 215]], "Indicator: Trojan/Win32.Xema.C82592": [[216, 240]], "Indicator: W32/Backdr.FB!tr": [[241, 257]], "Indicator: Win32/Backdoor.435": [[258, 276]]}, "info": {"id": "cyner2_5class_train_04251", "source": "cyner2_5class_train"}} +{"text": "Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn't seen significant activity with this malware for over six months.", "spans": {"Malware: Sage 2.0": [[34, 42]], "Malware: version 2.2": [[79, 90]], "Organization: the FortiGuard Labs team": [[101, 125]], "Malware: malware": [[169, 176]]}, "info": {"id": "cyner2_5class_train_04252", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Qhosts Trojan.Win32.Z.Redcap.1251647 TR/RedCap.ymgda", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Qhosts": [[26, 39]], "Indicator: Trojan.Win32.Z.Redcap.1251647": [[40, 69]], "Indicator: TR/RedCap.ymgda": [[70, 85]]}, "info": {"id": "cyner2_5class_train_04253", "source": "cyner2_5class_train"}} +{"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android 
.", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "cyner2_5class_train_04254", "source": "cyner2_5class_train"}} +{"text": "We identified one specific spear phishing campaign launched against targets within Palestine, and specifically against Palestinian law enforcement agencies.", "spans": {"Organization: Palestinian law enforcement agencies.": [[119, 156]]}, "info": {"id": "cyner2_5class_train_04255", "source": "cyner2_5class_train"}} +{"text": "At the time of writing this article , no other significant changes in Asacub ’ s network behavior had been observed : The origin of Asacub It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps .", "spans": {"Malware: Asacub": [[70, 76], [132, 138], [173, 179]], "Indicator: Trojan-SMS.AndroidOS.Smaps": [[200, 226]]}, "info": {"id": "cyner2_5class_train_04256", "source": "cyner2_5class_train"}} +{"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. 
, cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data from only one misconfigured command and control server ( out of over 37 servers ) .", "spans": {"Malware: FrozenCell": [[27, 37]]}, "info": {"id": "cyner2_5class_train_04257", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Yurist.Win32.37 Win32.Trojan.WisdomEyes.16070401.9500.9992 Backdoor.Win32.Yurist.cy Trojan.Win32.XFlash.bodumo Backdoor.W32.Yurist.cp!c Heur.Packed.Unknown BackDoor.XFlash BehavesLike.Win32.Backdoor.ph Backdoor/Yurist.z BDS/Yurist.K Backdoor:Win32/Yurist.K Trojan.Graftor.D45274 Backdoor.Win32.Yurist.cy Trojan/Win32.LdPinch.C27294 Win32.Backdoor.Yurist.Eads Backdoor.Yurist!9F5bediy4gg Backdoor.Win32.Yurist Trj/CI.A Win32/Backdoor.c62", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Yurist.Win32.37": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[51, 93]], "Indicator: Backdoor.Win32.Yurist.cy": [[94, 118], [314, 338]], "Indicator: Trojan.Win32.XFlash.bodumo": [[119, 145]], "Indicator: Backdoor.W32.Yurist.cp!c": [[146, 170]], "Indicator: Heur.Packed.Unknown": [[171, 190]], "Indicator: BackDoor.XFlash": [[191, 206]], "Indicator: BehavesLike.Win32.Backdoor.ph": [[207, 236]], "Indicator: Backdoor/Yurist.z": [[237, 254]], "Indicator: BDS/Yurist.K": [[255, 267]], "Indicator: Backdoor:Win32/Yurist.K": [[268, 291]], "Indicator: Trojan.Graftor.D45274": [[292, 313]], "Indicator: Trojan/Win32.LdPinch.C27294": [[339, 366]], "Indicator: Win32.Backdoor.Yurist.Eads": [[367, 393]], "Indicator: Backdoor.Yurist!9F5bediy4gg": [[394, 421]], "Indicator: Backdoor.Win32.Yurist": [[422, 443]], "Indicator: Trj/CI.A": [[444, 452]], 
"Indicator: Win32/Backdoor.c62": [[453, 471]]}, "info": {"id": "cyner2_5class_train_04258", "source": "cyner2_5class_train"}} +{"text": "If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.", "spans": {"System: system": [[57, 63]], "Indicator: same phishing document": [[77, 99]], "System: Outlook inbox.": [[128, 142]]}, "info": {"id": "cyner2_5class_train_04259", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BKDR_BAYROB.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9948 BKDR_BAYROB.SM4 TrojWare.Win32.Bayrob.A Trojan.Kelios.1 Trojan:Win32/Horkremoz.A W32/Bayrob.O!tr Win32/Trojan.4af", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BKDR_BAYROB.SM4": [[26, 41], [85, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9948": [[42, 84]], "Indicator: TrojWare.Win32.Bayrob.A": [[101, 124]], "Indicator: Trojan.Kelios.1": [[125, 140]], "Indicator: Trojan:Win32/Horkremoz.A": [[141, 165]], "Indicator: W32/Bayrob.O!tr": [[166, 181]], "Indicator: Win32/Trojan.4af": [[182, 198]]}, "info": {"id": "cyner2_5class_train_04260", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.TDSS!O Backdoor.TDSS.Win32.7367 Trojan/Olmarik.akn Trojan.TDss.58 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_ALUREON_CD102969.RDXN Win.Trojan.Tdss-302 Backdoor.Win32.TDSS.dtx Trojan.Win32.TDSS.cdwoi Backdoor.Win32.A.Tdss.63488.B TrojWare.Win32.Olmarik.AME Trojan.DownLoader1.46896 TSPY_ALUREON_CD102969.RDXN BehavesLike.Win32.VBObfus.kh Backdoor.Win32.TDSS Backdoor/TDSS.apn Trojan[Backdoor]/Win32.TDSS Win32.Hack.TDSS.d.kcloud Backdoor.Win32.TDSS.dtx Trojan/Win32.Tdss.R1603 DNSChanger.ca Trojan.FakeAlert Win32/Olmarik.AKN Backdoor.TDSS!fzuavqQuzWg W32/DNSChanger.CA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.TDSS!O": [[26, 47]], "Indicator: Backdoor.TDSS.Win32.7367": [[48, 72]], "Indicator: Trojan/Olmarik.akn": [[73, 91]], 
"Indicator: Trojan.TDss.58": [[92, 106]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[107, 149]], "Indicator: TSPY_ALUREON_CD102969.RDXN": [[150, 176], [327, 353]], "Indicator: Win.Trojan.Tdss-302": [[177, 196]], "Indicator: Backdoor.Win32.TDSS.dtx": [[197, 220], [474, 497]], "Indicator: Trojan.Win32.TDSS.cdwoi": [[221, 244]], "Indicator: Backdoor.Win32.A.Tdss.63488.B": [[245, 274]], "Indicator: TrojWare.Win32.Olmarik.AME": [[275, 301]], "Indicator: Trojan.DownLoader1.46896": [[302, 326]], "Indicator: BehavesLike.Win32.VBObfus.kh": [[354, 382]], "Indicator: Backdoor.Win32.TDSS": [[383, 402]], "Indicator: Backdoor/TDSS.apn": [[403, 420]], "Indicator: Trojan[Backdoor]/Win32.TDSS": [[421, 448]], "Indicator: Win32.Hack.TDSS.d.kcloud": [[449, 473]], "Indicator: Trojan/Win32.Tdss.R1603": [[498, 521]], "Indicator: DNSChanger.ca": [[522, 535]], "Indicator: Trojan.FakeAlert": [[536, 552]], "Indicator: Win32/Olmarik.AKN": [[553, 570]], "Indicator: Backdoor.TDSS!fzuavqQuzWg": [[571, 596]], "Indicator: W32/DNSChanger.CA!tr": [[597, 617]]}, "info": {"id": "cyner2_5class_train_04261", "source": "cyner2_5class_train"}} +{"text": "It ’ s possible the threat actors use this list to find running antivirus or banking applications .", "spans": {}, "info": {"id": "cyner2_5class_train_04262", "source": "cyner2_5class_train"}} +{"text": "This, combined with its focus on a specific region, makes this threat interesting from the malware researchers' perspective.", "spans": {"Malware: threat": [[63, 69]], "Organization: malware researchers'": [[91, 111]]}, "info": {"id": "cyner2_5class_train_04263", "source": "cyner2_5class_train"}} +{"text": "Once they obtained access to the server, the attackers infected the system with two malicious payloads.", "spans": {"Indicator: access": [[19, 25]], "System: server,": [[33, 40]], "System: system": [[68, 74]], "Malware: malicious payloads.": [[84, 103]]}, "info": {"id": "cyner2_5class_train_04264", "source": "cyner2_5class_train"}} 
+{"text": "Standard Encryption Frequently , Bread apps take advantage of standard crypto libraries in ` java.util.crypto ` .", "spans": {"Indicator: java.util.crypto": [[93, 109]]}, "info": {"id": "cyner2_5class_train_04265", "source": "cyner2_5class_train"}} +{"text": "A typical Lurk infection uses browser exploits to deliver non-persistent payloads to potential victims, probing their targets before deploying additional malware.", "spans": {"Vulnerability: browser exploits": [[30, 46]], "Malware: non-persistent payloads": [[58, 81]], "Organization: potential victims,": [[85, 103]], "Malware: deploying additional malware.": [[133, 162]]}, "info": {"id": "cyner2_5class_train_04266", "source": "cyner2_5class_train"}} +{"text": "Backdoored Conversations C2 server analysis During the analysis of the Smali injected apps and their C2 server infrastructure we hadn ’ t found any interesting clues , but things changed when we looked at the C2 server of the linked Conversations messenger .", "spans": {}, "info": {"id": "cyner2_5class_train_04267", "source": "cyner2_5class_train"}} +{"text": "Some of the popular Android applications that Ewind targets include GTA Vice City, AVG cleaner, Minecraft – Pocket Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile.", "spans": {"System: Android applications": [[20, 40]], "Malware: Ewind": [[46, 51]], "System: GTA Vice City, AVG cleaner, Minecraft – Pocket Edition, Avast! 
Ransomware Removal, VKontakte,": [[68, 161]], "System: Opera Mobile.": [[166, 179]]}, "info": {"id": "cyner2_5class_train_04268", "source": "cyner2_5class_train"}} +{"text": "For example , it could be used to display unwanted and annoying advertisements on a device , or potentially , to download and deploy a payload that steals credentials from an infected device .", "spans": {}, "info": {"id": "cyner2_5class_train_04269", "source": "cyner2_5class_train"}} +{"text": "FakeSpy Chunghwa Post version installation process and application UI .", "spans": {"Malware: FakeSpy": [[0, 7]], "Organization: Chunghwa Post": [[8, 21]]}, "info": {"id": "cyner2_5class_train_04270", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Strictor.D1F9FA Trojan.Win32.BuhTrap.c Trojan.YakesCRTD.Win32.4839 Trojan/Win32.BuhTrap.c Backdoor:Win32/Buhtrap.A!dha Trojan.Win32.BuhTrap.c Trj/GdSda.A Backdoor.Win32.Buhtrap W32/Delf.QJL!tr Win32/Trojan.5c7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Strictor.D1F9FA": [[26, 48]], "Indicator: Trojan.Win32.BuhTrap.c": [[49, 71], [152, 174]], "Indicator: Trojan.YakesCRTD.Win32.4839": [[72, 99]], "Indicator: Trojan/Win32.BuhTrap.c": [[100, 122]], "Indicator: Backdoor:Win32/Buhtrap.A!dha": [[123, 151]], "Indicator: Trj/GdSda.A": [[175, 186]], "Indicator: Backdoor.Win32.Buhtrap": [[187, 209]], "Indicator: W32/Delf.QJL!tr": [[210, 225]], "Indicator: Win32/Trojan.5c7": [[226, 242]]}, "info": {"id": "cyner2_5class_train_04271", "source": "cyner2_5class_train"}} +{"text": "Instead of being controlled by a traditional command-and-control server , it receives instructions via tweets .", "spans": {}, "info": {"id": "cyner2_5class_train_04272", "source": "cyner2_5class_train"}} +{"text": "Malware code showing loading of decrypted dex file Figure 12 .", "spans": {}, "info": {"id": "cyner2_5class_train_04273", "source": "cyner2_5class_train"}} +{"text": "We were able to see that his recently visited web sites were Google 
Play pages belonging to apps containing the Ashas adware .", "spans": {"System: Google Play": [[61, 72]], "Malware: Ashas adware": [[112, 124]]}, "info": {"id": "cyner2_5class_train_04274", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Etap.d Win32.Trojan.WisdomEyes.16070401.9500.9826 Trojan.GootKit!gm BehavesLike.Win32.Injector.fh Trojan.Barys.D1A48", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Etap.d": [[26, 36]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9826": [[37, 79]], "Indicator: Trojan.GootKit!gm": [[80, 97]], "Indicator: BehavesLike.Win32.Injector.fh": [[98, 127]], "Indicator: Trojan.Barys.D1A48": [[128, 146]]}, "info": {"id": "cyner2_5class_train_04275", "source": "cyner2_5class_train"}} +{"text": "We believe this spyware platform is developed by an Italian company called eSurv , which primarily operates in the business of video surveillance .", "spans": {"Organization: eSurv": [[75, 80]]}, "info": {"id": "cyner2_5class_train_04276", "source": "cyner2_5class_train"}} +{"text": "That's why we refer to this malware as Shakti Trojan.", "spans": {"Malware: malware": [[28, 35]], "Malware: Shakti Trojan.": [[39, 53]]}, "info": {"id": "cyner2_5class_train_04277", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Klone.bz W32/MUPX.A Packed.Win32.Klone.bz BackDoor.IRC.Rxbot.69 Backdoor.Win32.Rbot!IK Win32.Hack.Klone.bz.kcloud Packed/Win32.Klone Backdoor.IRCbot!312D Backdoor.Win32.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Klone.bz": [[26, 41]], "Indicator: W32/MUPX.A": [[42, 52]], "Indicator: Packed.Win32.Klone.bz": [[53, 74]], "Indicator: BackDoor.IRC.Rxbot.69": [[75, 96]], "Indicator: Backdoor.Win32.Rbot!IK": [[97, 119]], "Indicator: Win32.Hack.Klone.bz.kcloud": [[120, 146]], "Indicator: Packed/Win32.Klone": [[147, 165]], "Indicator: Backdoor.IRCbot!312D": [[166, 186]], "Indicator: Backdoor.Win32.Rbot": [[187, 206]]}, "info": {"id": 
"cyner2_5class_train_04278", "source": "cyner2_5class_train"}} +{"text": "Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email, this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs MHA.", "spans": {"Indicator: used": [[15, 19]], "Indicator: the top-ranking official": [[32, 56]], "Organization: Minister of Home affairs": [[73, 97]], "Indicator: signature": [[105, 114]], "Indicator: email,": [[122, 128]], "Indicator: email": [[162, 167]], "Indicator: sent by a high-ranking Government official": [[172, 214]], "Organization: Ministry of Home Affairs MHA.": [[231, 260]]}, "info": {"id": "cyner2_5class_train_04279", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.GH Trojan.Crypt.GH Trojan.Crypt.GH Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TROJ_PUKISH.A Trojan.Crypt.GH Win32.Trojan-dropper.Drob.Pdmj Trojan.Crypt.GH Trojan.Crypt.GH Trojan.MulDrop7.42417 TROJ_PUKISH.A Trojan-Dropper.Win32.Drob W32/Trojan.SPVB-8287 Win32.Infect.a.124448 TrojanDropper:Win32/Pukish.A Trojan.Crypt.GH Trj/CI.A Win32/Trojan.f42", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.GH": [[26, 41], [42, 57], [58, 73], [151, 166], [198, 213], [214, 229], [364, 379]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[74, 116]], "Indicator: Infostealer.Gampass": [[117, 136]], "Indicator: TROJ_PUKISH.A": [[137, 150], [252, 265]], "Indicator: Win32.Trojan-dropper.Drob.Pdmj": [[167, 197]], "Indicator: Trojan.MulDrop7.42417": [[230, 251]], "Indicator: Trojan-Dropper.Win32.Drob": [[266, 291]], "Indicator: W32/Trojan.SPVB-8287": [[292, 312]], "Indicator: Win32.Infect.a.124448": [[313, 334]], "Indicator: TrojanDropper:Win32/Pukish.A": [[335, 363]], "Indicator: Trj/CI.A": [[380, 388]], "Indicator: Win32/Trojan.f42": [[389, 405]]}, "info": {"id": "cyner2_5class_train_04280", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.W.CodeRed.l11t Exploit:Win32/CVE-2006-3942.A Exploit.Win32.CVE-2006-3942", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.W.CodeRed.l11t": [[26, 44]], "Indicator: Exploit:Win32/CVE-2006-3942.A": [[45, 74]], "Indicator: Exploit.Win32.CVE-2006-3942": [[75, 102]]}, "info": {"id": "cyner2_5class_train_04281", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.W32.Havex!c Win32.Trojan.WisdomEyes.16070401.9500.9950 Trojan.Win32.Havex.tm Trojan.Proxy2.1026 BehavesLike.Win32.Dropper.gh Trojan.Havex.w TR/Havex.fbdyv Trojan.Win32.Havex.tm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.W32.Havex!c": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9950": [[43, 85]], "Indicator: Trojan.Win32.Havex.tm": [[86, 107], [186, 207]], "Indicator: Trojan.Proxy2.1026": [[108, 126]], "Indicator: BehavesLike.Win32.Dropper.gh": [[127, 155]], "Indicator: Trojan.Havex.w": [[156, 170]], "Indicator: TR/Havex.fbdyv": [[171, 185]]}, "info": {"id": "cyner2_5class_train_04282", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.P2P.Puce.G Worm/W32.Kapucen.106496.EK I-Worm.Kapucen.b.n4 W32/Kapucen.b Trojan.Win32.Kapucen.qyzel Win32/Puce.D WORM_KAPUCEN.B Worm.Puce.E P2P-Worm.Win32.Kapucen.b Win32.Worm.P2P.Puce.G Worm.Kapucen.A Worm.Win32.P2P-Kapucen.106496.C Worm.Win32.Kapucen.B Win32.Worm.P2P.Puce.G Win32.HLLW.Puce Worm/Puce.D.90 WORM_KAPUCEN.B Worm/P2P.Kapcen.b Worm:Win32/Puce.D Win32.Worm.P2P.Puce.G Worm/Win32.Kapucen Trojan.Win32.Kapucen.B Win32/Kapucen.B P2P-Worm.Win32.Kapucen.b W32/Kapucen.fam!worm.p2p Win32/Puce.C W32/Puce.E.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.P2P.Puce.G": [[26, 47], [201, 222], [291, 312], [395, 416]], "Indicator: Worm/W32.Kapucen.106496.EK": [[48, 74]], "Indicator: I-Worm.Kapucen.b.n4": [[75, 94]], "Indicator: W32/Kapucen.b": [[95, 108]], "Indicator: Trojan.Win32.Kapucen.qyzel": 
[[109, 135]], "Indicator: Win32/Puce.D": [[136, 148]], "Indicator: WORM_KAPUCEN.B": [[149, 163], [344, 358]], "Indicator: Worm.Puce.E": [[164, 175]], "Indicator: P2P-Worm.Win32.Kapucen.b": [[176, 200], [475, 499]], "Indicator: Worm.Kapucen.A": [[223, 237]], "Indicator: Worm.Win32.P2P-Kapucen.106496.C": [[238, 269]], "Indicator: Worm.Win32.Kapucen.B": [[270, 290]], "Indicator: Win32.HLLW.Puce": [[313, 328]], "Indicator: Worm/Puce.D.90": [[329, 343]], "Indicator: Worm/P2P.Kapcen.b": [[359, 376]], "Indicator: Worm:Win32/Puce.D": [[377, 394]], "Indicator: Worm/Win32.Kapucen": [[417, 435]], "Indicator: Trojan.Win32.Kapucen.B": [[436, 458]], "Indicator: Win32/Kapucen.B": [[459, 474]], "Indicator: W32/Kapucen.fam!worm.p2p": [[500, 524]], "Indicator: Win32/Puce.C": [[525, 537]], "Indicator: W32/Puce.E.worm": [[538, 553]]}, "info": {"id": "cyner2_5class_train_04283", "source": "cyner2_5class_train"}} +{"text": "On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199.", "spans": {"Indicator: malicious document": [[32, 50]], "Organization: VirusTotal": [[54, 64]], "Vulnerability: exploiting": [[65, 75]], "Indicator: CVE-2017-0199.": [[76, 90]]}, "info": {"id": "cyner2_5class_train_04284", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.Klone!O Backdoor.SkSocket Backdoor.Trojan Trojan.Win32.SkSocket.uwlqa Backdoor.Win32.SkSocket.109_t0 BackDoor.Sksock Virus.Win32.SkSocket.C Backdoor/SkSocket.o BDS/SkSocket.109 Win-Trojan/SkSocket.40960 Trj/CI.A Win32/SkSocket.109 Win32.Backdoor.Sksocket.Dyqp Trojan/Win32.lssj.2cc.rgrk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.Klone!O": [[26, 46]], "Indicator: Backdoor.SkSocket": [[47, 64]], "Indicator: Backdoor.Trojan": [[65, 80]], "Indicator: Trojan.Win32.SkSocket.uwlqa": [[81, 108]], "Indicator: Backdoor.Win32.SkSocket.109_t0": [[109, 139]], "Indicator: BackDoor.Sksock": [[140, 155]], "Indicator: Virus.Win32.SkSocket.C": [[156, 178]], "Indicator: 
Backdoor/SkSocket.o": [[179, 198]], "Indicator: BDS/SkSocket.109": [[199, 215]], "Indicator: Win-Trojan/SkSocket.40960": [[216, 241]], "Indicator: Trj/CI.A": [[242, 250]], "Indicator: Win32/SkSocket.109": [[251, 269]], "Indicator: Win32.Backdoor.Sksocket.Dyqp": [[270, 298]], "Indicator: Trojan/Win32.lssj.2cc.rgrk": [[299, 325]]}, "info": {"id": "cyner2_5class_train_04285", "source": "cyner2_5class_train"}} +{"text": "Initial indicators of compromise from todays WannaCry ransomware outbreak.", "spans": {"Indicator: indicators of compromise": [[8, 32]], "Malware: WannaCry ransomware": [[45, 64]]}, "info": {"id": "cyner2_5class_train_04286", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9971 Win.Spyware.1756-2 BehavesLike.Win32.Autorun.dc Trojan/Win32.Xema.C73573", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9971": [[26, 68]], "Indicator: Win.Spyware.1756-2": [[69, 87]], "Indicator: BehavesLike.Win32.Autorun.dc": [[88, 116]], "Indicator: Trojan/Win32.Xema.C73573": [[117, 141]]}, "info": {"id": "cyner2_5class_train_04287", "source": "cyner2_5class_train"}} +{"text": "Icons used for EventBot masqueraded as legitimate with these icons.application .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner2_5class_train_04288", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod62e.Trojan.18e2 Win32.Trojan.WisdomEyes.16070401.9500.9922 Trojan.Kasperbogi W32/Trojan.PRNK-2932 TR/Golroted.jumln Trojan.Strictor.D16D8E Trojan:Win32/Parsky.A!bit Trj/GdSda.A Win32/Trojan.cfd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod62e.Trojan.18e2": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9922": [[50, 92]], "Indicator: Trojan.Kasperbogi": [[93, 110]], "Indicator: W32/Trojan.PRNK-2932": [[111, 131]], "Indicator: TR/Golroted.jumln": [[132, 149]], "Indicator: Trojan.Strictor.D16D8E": [[150, 172]], 
"Indicator: Trojan:Win32/Parsky.A!bit": [[173, 198]], "Indicator: Trj/GdSda.A": [[199, 210]], "Indicator: Win32/Trojan.cfd": [[211, 227]]}, "info": {"id": "cyner2_5class_train_04289", "source": "cyner2_5class_train"}} +{"text": "A recent investigation by security firm CTI has identified a new wave of malware delivered to the MaaS and PPI service providers in the underground black markets, including a controversial piece of code linked to North-Korean hackers.", "spans": {"Organization: security firm CTI": [[26, 43]], "Malware: malware": [[73, 80]], "Organization: MaaS and PPI service providers": [[98, 128]]}, "info": {"id": "cyner2_5class_train_04290", "source": "cyner2_5class_train"}} +{"text": "The phone number is fetched from a response from the C & C server and is stored in str3 variable , which further is utilized using the tel : function .", "spans": {}, "info": {"id": "cyner2_5class_train_04291", "source": "cyner2_5class_train"}} +{"text": "The payload, distributed disguised as antivirus, is a variant of Korplug RAT aka PlugX – a spyware with former associations with Chinese APT groups, and known from targeted attacks at important institutions of various countries.", "spans": {"Malware: payload,": [[4, 12]], "System: antivirus,": [[38, 48]], "Malware: Korplug RAT": [[65, 76]], "Malware: PlugX": [[81, 86]], "Malware: spyware": [[91, 98]], "Indicator: targeted attacks": [[164, 180]], "Malware: at": [[181, 183]], "Organization: institutions": [[194, 206]]}, "info": {"id": "cyner2_5class_train_04292", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PUP.Optional.FilePile.A PE:PUF.FilePile!1.9E19", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUP.Optional.FilePile.A": [[26, 49]], "Indicator: PE:PUF.FilePile!1.9E19": [[50, 72]]}, "info": {"id": "cyner2_5class_train_04293", "source": "cyner2_5class_train"}} +{"text": "The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe 
into the page.", "spans": {"Indicator: site": [[4, 8]], "Organization: visitors": [[25, 33]], "Malware: malware": [[41, 48]], "Indicator: compromised OpenX Ad server injecting": [[59, 96]], "Indicator: malicious iframe": [[99, 115]]}, "info": {"id": "cyner2_5class_train_04294", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Ad.Pdms Trojan.InstallCube.412 Variant.Kazy.apq TR/AD.Fakruce.M.2 Trojan.Kazy.DBFFE0 Trojan.Win32.Z.Kazy.2435953 Trojan:Win32/Fakruce.B Trojan.Kazy!YZdrjH6xcT8 Trj/CI.A Win32/Trojan.824", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Ad.Pdms": [[26, 46]], "Indicator: Trojan.InstallCube.412": [[47, 69]], "Indicator: Variant.Kazy.apq": [[70, 86]], "Indicator: TR/AD.Fakruce.M.2": [[87, 104]], "Indicator: Trojan.Kazy.DBFFE0": [[105, 123]], "Indicator: Trojan.Win32.Z.Kazy.2435953": [[124, 151]], "Indicator: Trojan:Win32/Fakruce.B": [[152, 174]], "Indicator: Trojan.Kazy!YZdrjH6xcT8": [[175, 198]], "Indicator: Trj/CI.A": [[199, 207]], "Indicator: Win32/Trojan.824": [[208, 224]]}, "info": {"id": "cyner2_5class_train_04295", "source": "cyner2_5class_train"}} +{"text": "The main purpose of this module is to exfiltrate Skype call recordings .", "spans": {"System: Skype": [[49, 54]]}, "info": {"id": "cyner2_5class_train_04296", "source": "cyner2_5class_train"}} +{"text": "Shamoon W32.Disttrack first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia.", "spans": {"Malware: Shamoon": [[0, 7]], "Indicator: W32.Disttrack": [[8, 21]], "Indicator: attacks": [[71, 78]], "Organization: energy companies": [[87, 103]]}, "info": {"id": "cyner2_5class_train_04297", "source": "cyner2_5class_train"}} +{"text": "In recent years , online activity has gradually been shifting from personal computers to mobile devices .", "spans": {}, "info": {"id": "cyner2_5class_train_04298", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Rootkit.Koutodoor.a 
TrojWare.Win32.Zybr.A W32.Trojan.Koutodoor.E Trojan:Win32/Koutodoor.F Trojan.Zusy.D41F3C Trojan.Win32.koutodoor.i Trojan.Rootkit RootKit.Win32.Koutodoor.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Rootkit.Koutodoor.a": [[26, 51]], "Indicator: TrojWare.Win32.Zybr.A": [[52, 73]], "Indicator: W32.Trojan.Koutodoor.E": [[74, 96]], "Indicator: Trojan:Win32/Koutodoor.F": [[97, 121]], "Indicator: Trojan.Zusy.D41F3C": [[122, 140]], "Indicator: Trojan.Win32.koutodoor.i": [[141, 165]], "Indicator: Trojan.Rootkit": [[166, 180]], "Indicator: RootKit.Win32.Koutodoor.I": [[181, 206]]}, "info": {"id": "cyner2_5class_train_04299", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.NSIS Win32.Trojan.WisdomEyes.16070401.9500.9623 TR/AD.Trochilus.illau Backdoor:Win32/Trochil.A.dll!dha Win32/Korplug.KA Win32/Trojan.d66", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.NSIS": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9623": [[40, 82]], "Indicator: TR/AD.Trochilus.illau": [[83, 104]], "Indicator: Backdoor:Win32/Trochil.A.dll!dha": [[105, 137]], "Indicator: Win32/Korplug.KA": [[138, 154]], "Indicator: Win32/Trojan.d66": [[155, 171]]}, "info": {"id": "cyner2_5class_train_04300", "source": "cyner2_5class_train"}} +{"text": "The imports reveal the use of a second DLL called \" eCommon.dll .", "spans": {"Indicator: eCommon.dll": [[52, 63]]}, "info": {"id": "cyner2_5class_train_04301", "source": "cyner2_5class_train"}} +{"text": "While the “ core ” module resides inside the APK file , it is encrypted and disguised as a JPG file – the first two bytes are actually the magic header of JPG files , while the rest of the data is encoded with an XOR cipher .", "spans": {}, "info": {"id": "cyner2_5class_train_04302", "source": "cyner2_5class_train"}} +{"text": "From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and 
monitoring.", "spans": {"System: machines": [[21, 29]], "Organization: employees": [[60, 69]], "Malware: RAT": [[84, 87]]}, "info": {"id": "cyner2_5class_train_04303", "source": "cyner2_5class_train"}} +{"text": "All information about your social networks , Bank accounts , Credit Cards .", "spans": {}, "info": {"id": "cyner2_5class_train_04304", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.AntiAV.1355776.B Trojan.Win32.Vilsel!O Worm.Pykspa.C3 Worm.SkypeBot Trojan.Pykspa.1 Win32.Worm.Autorun.o W32.Pykspa.D Win32/Vilsel.CE WORM_VILSEL.SMC Win.Worm.Pykspa-1 Trojan-Ransom.Win32.Blocker.jcen Backdoor.W32.Zepfod.lohV Worm.Win32.Pykspa.a WORM_VILSEL.SMC BehavesLike.Win32.Pykse.tz Trojan/Blocker.lhz Trojan/Win32.AntiAV Trojan-Ransom.Win32.Blocker.jcen Trojan/Win32.Zepfod.R4378 Trojan.ChidikSun.28205 Trojan.Pykspa Trojan.Win32.Spy Trj/Vilsel.B Worm.Win32.Pykse.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.AntiAV.1355776.B": [[26, 53]], "Indicator: Trojan.Win32.Vilsel!O": [[54, 75]], "Indicator: Worm.Pykspa.C3": [[76, 90]], "Indicator: Worm.SkypeBot": [[91, 104]], "Indicator: Trojan.Pykspa.1": [[105, 120]], "Indicator: Win32.Worm.Autorun.o": [[121, 141]], "Indicator: W32.Pykspa.D": [[142, 154]], "Indicator: Win32/Vilsel.CE": [[155, 170]], "Indicator: WORM_VILSEL.SMC": [[171, 186], [283, 298]], "Indicator: Win.Worm.Pykspa-1": [[187, 204]], "Indicator: Trojan-Ransom.Win32.Blocker.jcen": [[205, 237], [365, 397]], "Indicator: Backdoor.W32.Zepfod.lohV": [[238, 262]], "Indicator: Worm.Win32.Pykspa.a": [[263, 282]], "Indicator: BehavesLike.Win32.Pykse.tz": [[299, 325]], "Indicator: Trojan/Blocker.lhz": [[326, 344]], "Indicator: Trojan/Win32.AntiAV": [[345, 364]], "Indicator: Trojan/Win32.Zepfod.R4378": [[398, 423]], "Indicator: Trojan.ChidikSun.28205": [[424, 446]], "Indicator: Trojan.Pykspa": [[447, 460]], "Indicator: Trojan.Win32.Spy": [[461, 477]], "Indicator: Trj/Vilsel.B": [[478, 490]], "Indicator: 
Worm.Win32.Pykse.A": [[491, 509]]}, "info": {"id": "cyner2_5class_train_04305", "source": "cyner2_5class_train"}} +{"text": "Mobile malware's disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data.", "spans": {"Malware: Mobile malware's": [[0, 16]], "System: mobile devices": [[94, 108]]}, "info": {"id": "cyner2_5class_train_04306", "source": "cyner2_5class_train"}} +{"text": "Morphick responded to a Kronos phishing campaign that involved a document with a malicious macro that downloaded the Kronos banking malware.", "spans": {"Organization: Morphick": [[0, 8]], "Indicator: document": [[65, 73]], "Malware: malicious macro": [[81, 96]], "Malware: Kronos banking malware.": [[117, 140]]}, "info": {"id": "cyner2_5class_train_04307", "source": "cyner2_5class_train"}} +{"text": "First of all the new package name is com.google.services , which can easily be confused with a legitimate Google service .", "spans": {"Indicator: com.google.services": [[37, 56]], "Organization: Google": [[106, 112]]}, "info": {"id": "cyner2_5class_train_04308", "source": "cyner2_5class_train"}} +{"text": "Its dropper family finished integration with Bundle Feng Shui and campaign C & C infrastructure was shifted to AWS cloud .", "spans": {"System: AWS": [[111, 114]]}, "info": {"id": "cyner2_5class_train_04309", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D13264 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.DownLoad3.euzkrf Trojan.Win32.Z.Graftor.605184.A Trojan.DownLoad3.23753 BehavesLike.Win32.Trojan.hh Trojan.Win32.CoinMiner Trojan/Win32.Unknown Trojan:Win32/Herxmin.A Trojan.CoinMiner!kUww8sDe3p0 W32/CoinMiner.CE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D13264": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[48, 90]], "Indicator: Trojan.Win32.DownLoad3.euzkrf": [[91, 120]], 
"Indicator: Trojan.Win32.Z.Graftor.605184.A": [[121, 152]], "Indicator: Trojan.DownLoad3.23753": [[153, 175]], "Indicator: BehavesLike.Win32.Trojan.hh": [[176, 203]], "Indicator: Trojan.Win32.CoinMiner": [[204, 226]], "Indicator: Trojan/Win32.Unknown": [[227, 247]], "Indicator: Trojan:Win32/Herxmin.A": [[248, 270]], "Indicator: Trojan.CoinMiner!kUww8sDe3p0": [[271, 299]], "Indicator: W32/CoinMiner.CE!tr": [[300, 319]]}, "info": {"id": "cyner2_5class_train_04310", "source": "cyner2_5class_train"}} +{"text": "“ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet. ” “ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet , ” says Lukáš Štefanko , the ESET malware researcher who discovered the malicious app .", "spans": {"System: Twitter": [[8, 15]], "System: Android": [[93, 100], [204, 211]], "Organization: Twitter": [[119, 126]], "Organization: ESET": [[249, 253]]}, "info": {"id": "cyner2_5class_train_04311", "source": "cyner2_5class_train"}} +{"text": "The overall motivation of this campaign is unclear at this time.", "spans": {}, "info": {"id": "cyner2_5class_train_04312", "source": "cyner2_5class_train"}} +{"text": "In fact, they have been using them since at least 2014 with very few variations in their modus operandi.", "spans": {}, "info": {"id": "cyner2_5class_train_04313", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Info_InstallNA128.Trojan Trojan/W32.Buzus.61952.BP Trojan.Bulta Win32.Trojan.WisdomEyes.16070401.9500.9891 W32/MalwareS.FWD Win32/Tnega.AUFK Trojan.Win32.Drop.cuupf Trojan.Win32.Buzus.61952.D Trojan.Inject.63252 Trojan.Buzus.Win32.27194 BehavesLike.Win32.Backdoor.kh W32/Risk.CHGA-0655 Trojan/Buzus.svw Trojan/Win32.Buzus Backdoor:Win32/Gaertob.A Troj.W32.Buzus.tnoM Trojan/Win32.Buzus.R42500 BScope.Trojan.Palevo.012 Trojan.Buzus Trojan.Buzus!iqgr48px8nU Virus.Win32.Injector W32/Injector.fam!tr Win32/Trojan.203", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Info_InstallNA128.Trojan": [[26, 54]], "Indicator: Trojan/W32.Buzus.61952.BP": [[55, 80]], "Indicator: Trojan.Bulta": [[81, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9891": [[94, 136]], "Indicator: W32/MalwareS.FWD": [[137, 153]], "Indicator: Win32/Tnega.AUFK": [[154, 170]], "Indicator: Trojan.Win32.Drop.cuupf": [[171, 194]], "Indicator: Trojan.Win32.Buzus.61952.D": [[195, 221]], "Indicator: Trojan.Inject.63252": [[222, 241]], "Indicator: Trojan.Buzus.Win32.27194": [[242, 266]], "Indicator: BehavesLike.Win32.Backdoor.kh": [[267, 296]], "Indicator: W32/Risk.CHGA-0655": [[297, 315]], "Indicator: Trojan/Buzus.svw": [[316, 332]], "Indicator: Trojan/Win32.Buzus": [[333, 351]], "Indicator: Backdoor:Win32/Gaertob.A": [[352, 376]], "Indicator: Troj.W32.Buzus.tnoM": [[377, 396]], "Indicator: Trojan/Win32.Buzus.R42500": [[397, 422]], "Indicator: BScope.Trojan.Palevo.012": [[423, 447]], "Indicator: Trojan.Buzus": [[448, 460]], "Indicator: Trojan.Buzus!iqgr48px8nU": [[461, 485]], "Indicator: Virus.Win32.Injector": [[486, 506]], "Indicator: W32/Injector.fam!tr": [[507, 526]], "Indicator: Win32/Trojan.203": [[527, 543]]}, "info": {"id": "cyner2_5class_train_04314", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FadobesLTA.Trojan Trojan.Nixofro.A3 Trojan/Downloader.VB.qjf W32/Backdoor.VMXK-0114 Win32/TrojanDownloader.VB.QJF TROJ_SPNR.35CD14 Trojan.Win32.Foreign.ctjhyf Trojan.Win32.Z.Foreign.1078272.B[h] Troj.Ransom.W32.Foreign.kcme!c Trojan:W32/Kilim.P Trojan.Guncelle.2 Trojan.Foreign.Win32.41642 TROJ_SPNR.35CD14 BehavesLike.Win32.Trojan.tm W32/Backdoor2.HUDC TR/Kazy.323825.8 W32/Foreign.KCME!tr Trojan[Ransom]/Win32.Foreign Win32.Troj.Undef.kcloud Trojan.Symmi.D97A6 Trojan:Win32/Nixofro.A Hoax.Foreign Win32.Trojan.Foreign.Htmh Trojan.Win32.Nixofro", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FadobesLTA.Trojan": [[26, 47]], "Indicator: Trojan.Nixofro.A3": [[48, 65]], 
"Indicator: Trojan/Downloader.VB.qjf": [[66, 90]], "Indicator: W32/Backdoor.VMXK-0114": [[91, 113]], "Indicator: Win32/TrojanDownloader.VB.QJF": [[114, 143]], "Indicator: TROJ_SPNR.35CD14": [[144, 160], [320, 336]], "Indicator: Trojan.Win32.Foreign.ctjhyf": [[161, 188]], "Indicator: Trojan.Win32.Z.Foreign.1078272.B[h]": [[189, 224]], "Indicator: Troj.Ransom.W32.Foreign.kcme!c": [[225, 255]], "Indicator: Trojan:W32/Kilim.P": [[256, 274]], "Indicator: Trojan.Guncelle.2": [[275, 292]], "Indicator: Trojan.Foreign.Win32.41642": [[293, 319]], "Indicator: BehavesLike.Win32.Trojan.tm": [[337, 364]], "Indicator: W32/Backdoor2.HUDC": [[365, 383]], "Indicator: TR/Kazy.323825.8": [[384, 400]], "Indicator: W32/Foreign.KCME!tr": [[401, 420]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[421, 449]], "Indicator: Win32.Troj.Undef.kcloud": [[450, 473]], "Indicator: Trojan.Symmi.D97A6": [[474, 492]], "Indicator: Trojan:Win32/Nixofro.A": [[493, 515]], "Indicator: Hoax.Foreign": [[516, 528]], "Indicator: Win32.Trojan.Foreign.Htmh": [[529, 554]], "Indicator: Trojan.Win32.Nixofro": [[555, 575]]}, "info": {"id": "cyner2_5class_train_04315", "source": "cyner2_5class_train"}} +{"text": "If the text is retrieved successfully , the app uses JavaScript injection again to submit the HTML form with the captcha answer .", "spans": {}, "info": {"id": "cyner2_5class_train_04316", "source": "cyner2_5class_train"}} +{"text": "Figure 10 : The algorithm of the malicious update , while “ Agent Smith ” updates application If all that has failed , “ Agent Smith ” turns to Man-in-the-Disk vulnerability for ‘ SHAREit ’ or ‘ Xender ’ applications .", "spans": {"Malware: Agent Smith": [[60, 71], [121, 132]], "Vulnerability: Man-in-the-Disk": [[144, 159]], "System: SHAREit": [[180, 187]], "System: Xender": [[195, 201]]}, "info": {"id": "cyner2_5class_train_04317", "source": "cyner2_5class_train"}} +{"text": "This was developed as an alternative to 
[Telnet]https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/, which sends information in plaintext, which is clearly a problem, especially when [passwords]https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-1-principles-technologies-0156136/ are involved.", "spans": {"Malware: [Telnet]https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/,": [[40, 154]], "Indicator: sends information in plaintext,": [[161, 192]]}, "info": {"id": "cyner2_5class_train_04318", "source": "cyner2_5class_train"}} +{"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges .", "spans": {"Malware: Red Alert Payload": [[4, 21]]}, "info": {"id": "cyner2_5class_train_04319", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tiny.S22205 Win32.Trojan.WisdomEyes.16070401.9500.9981 TrojanDownloader.TinyLoader.c TR/Crypt.Xpack.xhbzp Trojan:Win32/Anobato.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tiny.S22205": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9981": [[45, 87]], "Indicator: TrojanDownloader.TinyLoader.c": [[88, 117]], "Indicator: TR/Crypt.Xpack.xhbzp": [[118, 138]], "Indicator: Trojan:Win32/Anobato.A": [[139, 161]]}, "info": {"id": "cyner2_5class_train_04320", "source": "cyner2_5class_train"}} +{"text": "root9B discovered an advanced, targeted PoS intrusion focused on harvesting payment card information for exfiltration.", "spans": {"Malware: root9B": [[0, 6]], "Indicator: advanced, targeted PoS intrusion": [[21, 53]], "Indicator: harvesting payment card information for exfiltration.": [[65, 118]]}, "info": {"id": "cyner2_5class_train_04321", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.FD30 Backdoor.Win32.Delf!O Backdoor.Delf.Win32.7383 Win32.Worm.Delf.cq W32.Minudazash Win.Trojan.Delf-10643 Backdoor.Win32.Delf.oqi 
Trojan.Win32.Delf.culgk Backdoor.Win32.Delf.308224.E Win32.HLLW.Autoruner1.11184 BehavesLike.Win32.Fake.fc Virus.Win32.Virut Backdoor/Delf.ode Trojan[Backdoor]/Win32.Delf Worm:Win32/Scafros.A Backdoor.Win32.Delf.oqi Win32/FakeMS.WOCR Backdoor.Delf W32/Banker.LWD Backdoor.Delf!0+it/723aCk W32/Delf.OQI!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.FD30": [[26, 43]], "Indicator: Backdoor.Win32.Delf!O": [[44, 65]], "Indicator: Backdoor.Delf.Win32.7383": [[66, 90]], "Indicator: Win32.Worm.Delf.cq": [[91, 109]], "Indicator: W32.Minudazash": [[110, 124]], "Indicator: Win.Trojan.Delf-10643": [[125, 146]], "Indicator: Backdoor.Win32.Delf.oqi": [[147, 170], [363, 386]], "Indicator: Trojan.Win32.Delf.culgk": [[171, 194]], "Indicator: Backdoor.Win32.Delf.308224.E": [[195, 223]], "Indicator: Win32.HLLW.Autoruner1.11184": [[224, 251]], "Indicator: BehavesLike.Win32.Fake.fc": [[252, 277]], "Indicator: Virus.Win32.Virut": [[278, 295]], "Indicator: Backdoor/Delf.ode": [[296, 313]], "Indicator: Trojan[Backdoor]/Win32.Delf": [[314, 341]], "Indicator: Worm:Win32/Scafros.A": [[342, 362]], "Indicator: Win32/FakeMS.WOCR": [[387, 404]], "Indicator: Backdoor.Delf": [[405, 418]], "Indicator: W32/Banker.LWD": [[419, 433]], "Indicator: Backdoor.Delf!0+it/723aCk": [[434, 459]], "Indicator: W32/Delf.OQI!tr.bdr": [[460, 479]]}, "info": {"id": "cyner2_5class_train_04322", "source": "cyner2_5class_train"}} +{"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file .", "spans": {}, "info": {"id": "cyner2_5class_train_04323", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dukescamlock Trojan.TechSupportScam Ransom_DukescamLock.R002C0TK817 Win32.Trojan.WisdomEyes.16070401.9500.9553 W32.Golroted Ransom_DukescamLock.R002C0TK817 Trojan-FakeAV.MSIL.FakeSupport.d Trojan.KillProc.49845 
Ransom.MSIL.DukescamLock TR/FakeSupport.gixtd Ransom:MSIL/DukescamLock.A Trojan-FakeAV.MSIL.FakeSupport.d Trj/GdSda.A MSIL/FakeSupport.AZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dukescamlock": [[26, 45]], "Indicator: Trojan.TechSupportScam": [[46, 68]], "Indicator: Ransom_DukescamLock.R002C0TK817": [[69, 100], [157, 188]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9553": [[101, 143]], "Indicator: W32.Golroted": [[144, 156]], "Indicator: Trojan-FakeAV.MSIL.FakeSupport.d": [[189, 221], [317, 349]], "Indicator: Trojan.KillProc.49845": [[222, 243]], "Indicator: Ransom.MSIL.DukescamLock": [[244, 268]], "Indicator: TR/FakeSupport.gixtd": [[269, 289]], "Indicator: Ransom:MSIL/DukescamLock.A": [[290, 316]], "Indicator: Trj/GdSda.A": [[350, 361]], "Indicator: MSIL/FakeSupport.AZ!tr": [[362, 384]]}, "info": {"id": "cyner2_5class_train_04324", "source": "cyner2_5class_train"}} +{"text": "The malicious developer ’ s apps published on the App Store which don ’ t contain the Ashas adware Searching further for the malicious developer ’ s activities , we also discovered his Youtube channel propagating the Ashas adware and his other projects .", "spans": {"Malware: Ashas": [[86, 91], [217, 222]], "System: Youtube": [[185, 192]]}, "info": {"id": "cyner2_5class_train_04325", "source": "cyner2_5class_train"}} +{"text": "ESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide.", "spans": {"Organization: ESET researchers": [[0, 16]], "Malware: new sneaky malware threat": [[35, 60]], "Malware: Joao,": [[67, 72]]}, "info": {"id": "cyner2_5class_train_04326", "source": "cyner2_5class_train"}} +{"text": "CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3.", "spans": {"Malware: CryptoWall": [[0, 10]], "Malware: ransomware variant": [[18, 36]], "Malware: CryptoWall 2": [[94, 106]], "Malware: Cryptowall 3.": [[111, 124]]}, "info": {"id": 
"cyner2_5class_train_04327", "source": "cyner2_5class_train"}} +{"text": "Yesterday January 19th we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December.", "spans": {"Indicator: attacks,": [[57, 65]], "Organization: electricity distribution companies": [[84, 118]]}, "info": {"id": "cyner2_5class_train_04328", "source": "cyner2_5class_train"}} +{"text": "We reported the apps to the Google security team and they were swiftly removed .", "spans": {}, "info": {"id": "cyner2_5class_train_04329", "source": "cyner2_5class_train"}} +{"text": "Case in point: the emergence of UIWIX ransomware detected by Trend Micro as RANSOM_UIWIX.A and one notable Trojan our sensors detected.", "spans": {"Malware: UIWIX ransomware": [[32, 48]], "Organization: Trend Micro": [[61, 72]], "Indicator: RANSOM_UIWIX.A": [[76, 90]], "Malware: Trojan": [[107, 113]]}, "info": {"id": "cyner2_5class_train_04330", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Patched.JJ Trojan.Patched.JJ Trojan.Patched.JJ Win32.Trojan.WisdomEyes.16070401.9500.9925 Backdoor.Graybird Trojan.Patched.JJ Trojan.Patched.JJ Trojan.Patched.JJ BehavesLike.Win32.BadFile.gh W32.Trojan.Patched Trojan:Win32/Jaku.C!dha Trojan.Patched.JJ Trojan.Win32.Jaku", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Trojan.Patched.JJ": [[44, 61], [62, 79], [80, 97], [159, 176], [177, 194], [195, 212], [285, 302]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9925": [[98, 140]], "Indicator: Backdoor.Graybird": [[141, 158]], "Indicator: BehavesLike.Win32.BadFile.gh": [[213, 241]], "Indicator: W32.Trojan.Patched": [[242, 260]], "Indicator: Trojan:Win32/Jaku.C!dha": [[261, 284]], "Indicator: Trojan.Win32.Jaku": [[303, 320]]}, "info": {"id": "cyner2_5class_train_04331", "source": "cyner2_5class_train"}} +{"text": "The library that uses 
tinyML is not yet wired to the malware ’ s functionalities , but its presence in the malware code indicates the intention to do so in future variants .", "spans": {"System: tinyML": [[22, 28]]}, "info": {"id": "cyner2_5class_train_04332", "source": "cyner2_5class_train"}} +{"text": "In at least one case, an app used for jailbreaking was available via this third-party app store.", "spans": {"Vulnerability: jailbreaking": [[38, 50]], "System: third-party app store.": [[74, 96]]}, "info": {"id": "cyner2_5class_train_04333", "source": "cyner2_5class_train"}} +{"text": "FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used Zeon as a loader.", "spans": {"Organization: FBI": [[0, 3]], "Organization: CISA": [[8, 12]], "Malware: variant,": [[26, 34]], "Indicator: own custom-made file encryption program,": [[50, 90]], "Malware: Zeon": [[133, 137]], "Malware: loader.": [[143, 150]]}, "info": {"id": "cyner2_5class_train_04334", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.AntiAV.105984 Trojan.Win32.AntiAV!O Trojan.FakeMS.ED Win32.Trojan.ImPatch.a Trojan.KillAV Win32/Gosht.AY Trojan.Win32.PcClient.zvjt Trojan.Win32.AntiAV.105984.B TrojWare.Win32.Magania.~AAD BehavesLike.Win32.Backdoor.ch Trojan/AntiAV.acg Trojan/Win32.AntiAV Trojan:Win32/Scelp.A Trojan/Win32.OnlineGameHack.R1939 Trojan.AntiAV Trj/Redbind.C Backdoor.Win32.Gh0st.g Trojan.AntiAV!x/J77uxYhp4 Backdoor.Win32.FirstInj W32/Farfli.DZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.AntiAV.105984": [[26, 50]], "Indicator: Trojan.Win32.AntiAV!O": [[51, 72]], "Indicator: Trojan.FakeMS.ED": [[73, 89]], "Indicator: Win32.Trojan.ImPatch.a": [[90, 112]], "Indicator: Trojan.KillAV": [[113, 126]], "Indicator: Win32/Gosht.AY": [[127, 141]], "Indicator: Trojan.Win32.PcClient.zvjt": [[142, 168]], "Indicator: Trojan.Win32.AntiAV.105984.B": [[169, 197]], "Indicator: TrojWare.Win32.Magania.~AAD": 
[[198, 225]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[226, 255]], "Indicator: Trojan/AntiAV.acg": [[256, 273]], "Indicator: Trojan/Win32.AntiAV": [[274, 293]], "Indicator: Trojan:Win32/Scelp.A": [[294, 314]], "Indicator: Trojan/Win32.OnlineGameHack.R1939": [[315, 348]], "Indicator: Trojan.AntiAV": [[349, 362]], "Indicator: Trj/Redbind.C": [[363, 376]], "Indicator: Backdoor.Win32.Gh0st.g": [[377, 399]], "Indicator: Trojan.AntiAV!x/J77uxYhp4": [[400, 425]], "Indicator: Backdoor.Win32.FirstInj": [[426, 449]], "Indicator: W32/Farfli.DZ!tr": [[450, 466]]}, "info": {"id": "cyner2_5class_train_04335", "source": "cyner2_5class_train"}} +{"text": "Linux.MulDrop.14 changes the password on the devices it infects, unpacks and launches a miner, and then, in an infinite loop, starts searching for network nodes with an open port 22.", "spans": {"Indicator: Linux.MulDrop.14": [[0, 16]], "Indicator: password": [[29, 37]], "System: devices": [[45, 52]], "Malware: miner,": [[88, 94]], "System: network nodes": [[147, 160]], "Indicator: an open port 22.": [[166, 182]]}, "info": {"id": "cyner2_5class_train_04336", "source": "cyner2_5class_train"}} +{"text": "Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after - we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks.", "spans": {"Indicator: attacks,": [[62, 70]], "Indicator: attacks.": [[221, 229]]}, "info": {"id": "cyner2_5class_train_04337", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.C713 Adware.KraddareCRTD.Win32.3559 W32/Adware.AKQI HT_KRADDARE_FB150035.UVPM Win.Trojan.Kraddare-257 not-a-virus:Downloader.Win32.Snojan.dvv Trojan.Win32.Dwn.cwejxs Trojan.DownLoader21.62200 HT_KRADDARE_FB150035.UVPM W32/Adware.VBKZ-4259 Variant.Strictor.ij TrojanDownloader:Win32/Kraddare.D Trojan.Strictor.D13BAE not-a-virus:Downloader.Win32.Snojan.dvv Win32.Application.RaonMedia.A 
Downloader.Snojan Adware.Kraddare!CDLXoCIKpSY Trojan-Downloader.Win32.Kraddare", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.C713": [[26, 44]], "Indicator: Adware.KraddareCRTD.Win32.3559": [[45, 75]], "Indicator: W32/Adware.AKQI": [[76, 91]], "Indicator: HT_KRADDARE_FB150035.UVPM": [[92, 117], [232, 257]], "Indicator: Win.Trojan.Kraddare-257": [[118, 141]], "Indicator: not-a-virus:Downloader.Win32.Snojan.dvv": [[142, 181], [356, 395]], "Indicator: Trojan.Win32.Dwn.cwejxs": [[182, 205]], "Indicator: Trojan.DownLoader21.62200": [[206, 231]], "Indicator: W32/Adware.VBKZ-4259": [[258, 278]], "Indicator: Variant.Strictor.ij": [[279, 298]], "Indicator: TrojanDownloader:Win32/Kraddare.D": [[299, 332]], "Indicator: Trojan.Strictor.D13BAE": [[333, 355]], "Indicator: Win32.Application.RaonMedia.A": [[396, 425]], "Indicator: Downloader.Snojan": [[426, 443]], "Indicator: Adware.Kraddare!CDLXoCIKpSY": [[444, 471]], "Indicator: Trojan-Downloader.Win32.Kraddare": [[472, 504]]}, "info": {"id": "cyner2_5class_train_04338", "source": "cyner2_5class_train"}} +{"text": "This newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family .", "spans": {"Malware: XLoader": [[37, 44]], "Indicator: AndroidOS_XLoader.HRXD": [[71, 93]]}, "info": {"id": "cyner2_5class_train_04339", "source": "cyner2_5class_train"}} +{"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan – banker and ransomware 22 NOV 
2018 On the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub .", "spans": {"Organization: MITRE": [[0, 5]], "System: Google Play": [[169, 180]], "Malware: Rotexy": [[491, 497]], "Malware: Asacub": [[708, 714]]}, "info": {"id": "cyner2_5class_train_04340", "source": "cyner2_5class_train"}} +{"text": "It can also create a simple HTTP server on the infected device to deceive victims .", "spans": {}, "info": {"id": "cyner2_5class_train_04341", "source": "cyner2_5class_train"}} +{"text": "FakeSpy behavior on physical device vs emulator ( anti-emulator ) .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_04342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Sanhotan Trojan/IRCBot.bh Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tnega.CTXcdP TROJ_SANHOTAN.SMCC Trojan.Win32.Dwn.cwxrbq TrojWare.MSIL.IRCBot.bh Trojan.DownLoader10.23149 TROJ_SANHOTAN.SMCC Trojan.Msil BDS/MSIL.Sanhotan.A.3 Backdoor:MSIL/Sanhotan.A Trojan.Kazy.D3D12A Trojan/Win32.Strictor.C202516 Trojan.Badur Backdoor.MSIL!V0iyslQUBdw MSIL/IRCBot.AR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sanhotan": [[26, 43]], "Indicator: Trojan/IRCBot.bh": [[44, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[61, 103]], "Indicator: Win32/Tnega.CTXcdP": [[104, 122]], "Indicator: TROJ_SANHOTAN.SMCC": [[123, 141], [216, 234]], "Indicator: Trojan.Win32.Dwn.cwxrbq": [[142, 165]], "Indicator: TrojWare.MSIL.IRCBot.bh": [[166, 189]], "Indicator: Trojan.DownLoader10.23149": [[190, 215]], "Indicator: Trojan.Msil": [[235, 246]], "Indicator: BDS/MSIL.Sanhotan.A.3": [[247, 268]], "Indicator: Backdoor:MSIL/Sanhotan.A": [[269, 293]], "Indicator: Trojan.Kazy.D3D12A": [[294, 312]], "Indicator: Trojan/Win32.Strictor.C202516": [[313, 342]], "Indicator: Trojan.Badur": [[343, 355]], "Indicator: Backdoor.MSIL!V0iyslQUBdw": 
[[356, 381]], "Indicator: MSIL/IRCBot.AR!tr": [[382, 399]]}, "info": {"id": "cyner2_5class_train_04343", "source": "cyner2_5class_train"}} +{"text": "Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world.", "spans": {"Indicator: SCADA-related plugins": [[108, 129]], "Organization: the ICS": [[144, 151]], "Organization: energy sectors": [[156, 170]]}, "info": {"id": "cyner2_5class_train_04344", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.PcClient!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Rootkit Win.Trojan.PcClient-22 Backdoor.Win32.PcClient.qz Troj.W32.Pakes.l3y1 Backdoor.Win32.PcClient.~AB BackDoor.PcClient BackDoor-CKB.sys Backdoor.Win32.PcClient Backdoor/PcShare.uu BDS/Pcclient.hp.1.C Backdoor.Win32.PcClient.qz Trojan/Win32.PcClient.R32879 BackDoor-CKB.sys", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.PcClient!O": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[52, 94]], "Indicator: Hacktool.Rootkit": [[95, 111]], "Indicator: Win.Trojan.PcClient-22": [[112, 134]], "Indicator: Backdoor.Win32.PcClient.qz": [[135, 161], [309, 335]], "Indicator: Troj.W32.Pakes.l3y1": [[162, 181]], "Indicator: Backdoor.Win32.PcClient.~AB": [[182, 209]], "Indicator: BackDoor.PcClient": [[210, 227]], "Indicator: BackDoor-CKB.sys": [[228, 244], [365, 381]], "Indicator: Backdoor.Win32.PcClient": [[245, 268]], "Indicator: Backdoor/PcShare.uu": [[269, 288]], "Indicator: BDS/Pcclient.hp.1.C": [[289, 308]], "Indicator: Trojan/Win32.PcClient.R32879": [[336, 364]]}, "info": {"id": "cyner2_5class_train_04345", "source": "cyner2_5class_train"}} +{"text": "Bread has used a few tricks to keep strings in plaintext while preventing basic string matching .", "spans": {"Malware: Bread": [[0, 5]]}, "info": {"id": "cyner2_5class_train_04346", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.Gip.112 Trojan.PWS.Gip.EJ GIP.Trojan Gip.1_12 Win32.PSW.Gip.112 TrojWare.Win32.PSW.Gip.112 Trojan.PWS.Gip.112 TR/PWStealer.Srv TROJ_GIP.112 Heuristic.BehavesLike.Win32.Downloader.A Win32/PSW.Gip.112 Trojan/PSW.Gip.112 Trojan-PWS.Win32.Gip!IK Backdoor.Win32.GIP.45568 Win-Trojan/Gip.45990 Trojan.PSW.Gip.1_12 Trojan.PWS.Gip.EJ Trojan.PSW.Gip.112 Trojan-PWS.Win32.Gip W32/GIP.112!tr Gip.1_12", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.Gip.112": [[26, 50]], "Indicator: Trojan.PWS.Gip.EJ": [[51, 68], [351, 368]], "Indicator: GIP.Trojan": [[69, 79]], "Indicator: Gip.1_12": [[80, 88], [424, 432]], "Indicator: Win32.PSW.Gip.112": [[89, 106]], "Indicator: TrojWare.Win32.PSW.Gip.112": [[107, 133]], "Indicator: Trojan.PWS.Gip.112": [[134, 152]], "Indicator: TR/PWStealer.Srv": [[153, 169]], "Indicator: TROJ_GIP.112": [[170, 182]], "Indicator: Heuristic.BehavesLike.Win32.Downloader.A": [[183, 223]], "Indicator: Win32/PSW.Gip.112": [[224, 241]], "Indicator: Trojan/PSW.Gip.112": [[242, 260]], "Indicator: Trojan-PWS.Win32.Gip!IK": [[261, 284]], "Indicator: Backdoor.Win32.GIP.45568": [[285, 309]], "Indicator: Win-Trojan/Gip.45990": [[310, 330]], "Indicator: Trojan.PSW.Gip.1_12": [[331, 350]], "Indicator: Trojan.PSW.Gip.112": [[369, 387]], "Indicator: Trojan-PWS.Win32.Gip": [[388, 408]], "Indicator: W32/GIP.112!tr": [[409, 423]]}, "info": {"id": "cyner2_5class_train_04347", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mezzia.CV Trojan.Mezzia TrojanDropper:Win32/Pakks.A Trojan.Mezzia.CV Worm.Mail.Win32.Zhelatin.hd Dropper.Small.29.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mezzia.CV": [[26, 42], [85, 101]], "Indicator: Trojan.Mezzia": [[43, 56]], "Indicator: TrojanDropper:Win32/Pakks.A": [[57, 84]], "Indicator: Worm.Mail.Win32.Zhelatin.hd": [[102, 129]], "Indicator: Dropper.Small.29.E": [[130, 148]]}, "info": {"id": 
"cyner2_5class_train_04348", "source": "cyner2_5class_train"}} +{"text": "TrendMicro has recently discovered a Trojan Android ad library called Xavier Detected by Trend Micro as ANDROIDOS_XAVIER.AXM that steals and leaks a user's information silently.", "spans": {"Organization: TrendMicro": [[0, 10]], "Malware: Trojan Android": [[37, 51]], "Malware: Xavier": [[70, 76]], "Organization: Trend Micro": [[89, 100]], "Indicator: ANDROIDOS_XAVIER.AXM": [[104, 124]]}, "info": {"id": "cyner2_5class_train_04349", "source": "cyner2_5class_train"}} +{"text": "It downloads one more archive and dynamically loads code from it .", "spans": {}, "info": {"id": "cyner2_5class_train_04350", "source": "cyner2_5class_train"}} +{"text": "Recently, we observed a new version of the Clayslide delivery document used to install a new custom Trojan whose developer calls it ALMA Communicator", "spans": {"Indicator: Clayslide delivery document": [[43, 70]], "Malware: custom Trojan": [[93, 106]], "Malware: ALMA Communicator": [[132, 149]]}, "info": {"id": "cyner2_5class_train_04351", "source": "cyner2_5class_train"}} +{"text": "] top/7 * * * * * 3 ” ( Fr .", "spans": {}, "info": {"id": "cyner2_5class_train_04352", "source": "cyner2_5class_train"}} +{"text": "BernhardPOS is named after presumably it's author who left in the build path of C:\\bernhard\\Debug\\bernhard.pdb and also uses the name Bernhard in creating the mutex OPSEC_BERNHARD", "spans": {"Malware: BernhardPOS": [[0, 11]], "Indicator: C:\\bernhard\\Debug\\bernhard.pdb": [[80, 110]], "Malware: Bernhard": [[134, 142]], "Indicator: OPSEC_BERNHARD": [[165, 179]]}, "info": {"id": "cyner2_5class_train_04353", "source": "cyner2_5class_train"}} +{"text": "It is clear that on all stages there are at least two layers .", "spans": {}, "info": {"id": "cyner2_5class_train_04354", "source": "cyner2_5class_train"}} +{"text": "The names used for Android components are similar : Similarities with AnubisSimilarities with Anubis When analyzing these 
components , similarities were found in the code of both malware families : Similarities with Anubis Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values .", "spans": {"System: Android": [[19, 26]], "Malware: Anubis": [[94, 100], [295, 301]], "System: Anubis": [[216, 222]]}, "info": {"id": "cyner2_5class_train_04355", "source": "cyner2_5class_train"}} +{"text": "It looks like its main purpose is to get into the system and execute downloaded files with root rights .", "spans": {}, "info": {"id": "cyner2_5class_train_04356", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Autorun.worm.f Worm.VB.Win32.714 Trojan.Heur.9nKfrjYfrwgib W32/Worm.LUOA-4933 W32.SillyFDC Trojan.Win32.Coba.czqfat Worm.Win32.VB.110592 Win32.Trojan.Fakedoc.Auto BehavesLike.Win32.Trojan.tz Worm.Win32.VB W32/Worm.APSB Worm:Win32/Fakeon.A!bit HEUR/Fakon.mwf W32/ExeFolder.E.worm Worm.VB!Ly8UmpRsepM Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Autorun.worm.f": [[26, 44]], "Indicator: Worm.VB.Win32.714": [[45, 62]], "Indicator: Trojan.Heur.9nKfrjYfrwgib": [[63, 88]], "Indicator: W32/Worm.LUOA-4933": [[89, 107]], "Indicator: W32.SillyFDC": [[108, 120]], "Indicator: Trojan.Win32.Coba.czqfat": [[121, 145]], "Indicator: Worm.Win32.VB.110592": [[146, 166]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[167, 192]], "Indicator: BehavesLike.Win32.Trojan.tz": [[193, 220]], "Indicator: Worm.Win32.VB": [[221, 234]], "Indicator: W32/Worm.APSB": [[235, 248]], "Indicator: Worm:Win32/Fakeon.A!bit": [[249, 272]], "Indicator: HEUR/Fakon.mwf": [[273, 287]], "Indicator: W32/ExeFolder.E.worm": [[288, 308]], "Indicator: Worm.VB!Ly8UmpRsepM": [[309, 328]], "Indicator: Win32/RootKit.Rootkit.7e5": [[329, 354]]}, "info": {"id": "cyner2_5class_train_04357", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.AutoIT.7 Win.Trojan.Autoit-271 TR/Spy.438784.57", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.AutoIT.7": [[26, 46]], "Indicator: Win.Trojan.Autoit-271": [[47, 68]], "Indicator: TR/Spy.438784.57": [[69, 85]]}, "info": {"id": "cyner2_5class_train_04358", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.GandCrypt.229376.B Trojan.Gandcrypt Troj.Ransom.W32!c Ransom_GandCrypt.R002C0WB618 Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPGANDCRAB.SMONT Trojan-Ransom.Win32.GandCrypt.bw Trojan.Win32.Kryptik.exorqv TrojWare.Win32.Ransom.GandCrypt.A BehavesLike.Win32.Trojan.dc Trojan/Win32.Magniber.C2395866 Trojan-Ransom.Win32.GandCrypt.bw W32/Injector.DVHR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.GandCrypt.229376.B": [[26, 55]], "Indicator: Trojan.Gandcrypt": [[56, 72]], "Indicator: Troj.Ransom.W32!c": [[73, 90]], "Indicator: Ransom_GandCrypt.R002C0WB618": [[91, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[120, 162]], "Indicator: Ransom_HPGANDCRAB.SMONT": [[163, 186]], "Indicator: Trojan-Ransom.Win32.GandCrypt.bw": [[187, 219], [341, 373]], "Indicator: Trojan.Win32.Kryptik.exorqv": [[220, 247]], "Indicator: TrojWare.Win32.Ransom.GandCrypt.A": [[248, 281]], "Indicator: BehavesLike.Win32.Trojan.dc": [[282, 309]], "Indicator: Trojan/Win32.Magniber.C2395866": [[310, 340]], "Indicator: W32/Injector.DVHR!tr": [[374, 394]]}, "info": {"id": "cyner2_5class_train_04359", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Spyware.PasswordStealer Backdoor.Androm.Win32.48978 Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9547 Backdoor.Win32.Androm.oxvy Trojan.Win32.Androm.exigvu Trojan.PWS.Banker1.24888 BehavesLike.Win32.Fareit.ft Trojan.Win32.Injector TR/Dropper.VB.hvcaz Trojan[Backdoor]/Win32.Androm Backdoor.Win32.Androm.oxvy Trojan/Win32.VBKrypt.R218732 Backdoor.Androm Trj/GdSda.A Win32.Backdoor.Androm.Wvaq W32/FareitVB.DVIL!tr Win32/Trojan.5a2", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Spyware.PasswordStealer": [[39, 62]], "Indicator: Backdoor.Androm.Win32.48978": [[63, 90]], "Indicator: Uds.Dangerousobject.Multi!c": [[91, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9547": [[119, 161]], "Indicator: Backdoor.Win32.Androm.oxvy": [[162, 188], [341, 367]], "Indicator: Trojan.Win32.Androm.exigvu": [[189, 215]], "Indicator: Trojan.PWS.Banker1.24888": [[216, 240]], "Indicator: BehavesLike.Win32.Fareit.ft": [[241, 268]], "Indicator: Trojan.Win32.Injector": [[269, 290]], "Indicator: TR/Dropper.VB.hvcaz": [[291, 310]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[311, 340]], "Indicator: Trojan/Win32.VBKrypt.R218732": [[368, 396]], "Indicator: Backdoor.Androm": [[397, 412]], "Indicator: Trj/GdSda.A": [[413, 424]], "Indicator: Win32.Backdoor.Androm.Wvaq": [[425, 451]], "Indicator: W32/FareitVB.DVIL!tr": [[452, 472]], "Indicator: Win32/Trojan.5a2": [[473, 489]]}, "info": {"id": "cyner2_5class_train_04360", "source": "cyner2_5class_train"}} +{"text": "This rootkit family called Umbreon sharing the same name as the Pokémon targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", "spans": {"Malware: rootkit family": [[5, 19]], "Malware: Umbreon": [[27, 34]], "System: Linux systems,": [[80, 94]], "System: systems": [[105, 112]], "System: Intel": [[126, 131]], "System: ARM processors,": [[136, 151]], "Malware: threat": [[180, 186]], "System: embedded devices": [[198, 214]]}, "info": {"id": "cyner2_5class_train_04361", "source": "cyner2_5class_train"}} +{"text": "At the time of writing Lookout has observed two updates to the Dardesh application , the first on February 26 and the second on March 28 .", "spans": {"Organization: Lookout": [[23, 30]], "Malware: Dardesh": [[63, 70]]}, "info": {"id": "cyner2_5class_train_04362", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan-Downloader.Win32.Delf!O Backdoor.Ginwui Win32.Trojan-Dropper.Delf.bc W32/Trojan2.JUQE PE_GINWUI.AP Win.Downloader.80081-1 Trojan-Downloader.Win32.Delf.ccc Trojan.Win32.Delf.uhoo Troj.Dropper.W32.Delf.li4k Win32.Trojan-downloader.Delf.Taex Trojan.DownLoad3.11310 Downloader.Delf.Win32.28823 PE_GINWUI.AP BehavesLike.Win32.Kespo.fc W32/Trojan.ZLPI-8330 TrojanDownloader.Delf.fdg TR/Ghimpe.dll Trojan[Downloader]/Win32.Delf Trojan.Graftor.D7EE4 Trojan.Win32.Downloader.54960 Trojan-Downloader.Win32.Delf.ccc Backdoor:Win32/Ginwui.D Trojan/Win32.Xema.R106631 Win32/TrojanDropper.Delf.OCT Trojan.DL.Delf!lmsXQwcGhNs Trojan-Dropper.Win32.Interlac TrojanDownloader.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Delf!O": [[26, 56]], "Indicator: Backdoor.Ginwui": [[57, 72]], "Indicator: Win32.Trojan-Dropper.Delf.bc": [[73, 101]], "Indicator: W32/Trojan2.JUQE": [[102, 118]], "Indicator: PE_GINWUI.AP": [[119, 131], [323, 335]], "Indicator: Win.Downloader.80081-1": [[132, 154]], "Indicator: Trojan-Downloader.Win32.Delf.ccc": [[155, 187], [505, 537]], "Indicator: Trojan.Win32.Delf.uhoo": [[188, 210]], "Indicator: Troj.Dropper.W32.Delf.li4k": [[211, 237]], "Indicator: Win32.Trojan-downloader.Delf.Taex": [[238, 271]], "Indicator: Trojan.DownLoad3.11310": [[272, 294]], "Indicator: Downloader.Delf.Win32.28823": [[295, 322]], "Indicator: BehavesLike.Win32.Kespo.fc": [[336, 362]], "Indicator: W32/Trojan.ZLPI-8330": [[363, 383]], "Indicator: TrojanDownloader.Delf.fdg": [[384, 409]], "Indicator: TR/Ghimpe.dll": [[410, 423]], "Indicator: Trojan[Downloader]/Win32.Delf": [[424, 453]], "Indicator: Trojan.Graftor.D7EE4": [[454, 474]], "Indicator: Trojan.Win32.Downloader.54960": [[475, 504]], "Indicator: Backdoor:Win32/Ginwui.D": [[538, 561]], "Indicator: Trojan/Win32.Xema.R106631": [[562, 587]], "Indicator: Win32/TrojanDropper.Delf.OCT": [[588, 616]], "Indicator: Trojan.DL.Delf!lmsXQwcGhNs": [[617, 643]], "Indicator: Trojan-Dropper.Win32.Interlac": [[644, 
673]], "Indicator: TrojanDownloader.Delf": [[674, 695]]}, "info": {"id": "cyner2_5class_train_04363", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Tiltee TrojanDownloader:Win32/Tiltee.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Tiltee": [[26, 56]], "Indicator: TrojanDownloader:Win32/Tiltee.A": [[57, 88]]}, "info": {"id": "cyner2_5class_train_04364", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Superboy Trojan.Vir.HLL Virus.Supeboy.Win32.1 Trojan.Heur.E3C718 TROJ_SUPEBOY.A W32/Superboy.MNPI-1152 TROJ_SUPEBOY.A Win.Trojan.Supeboy-1 Virus.Win32.HLLW.Supeboy Virus.Win32.HLLW.ghqc Trojan.Win32.Downloader.11776.D W32.HLLW.Supeboy!c Win32.HLLW.Supeboy.A W32/Supeboy.worm Trojan/SuperBoy.DelRegBackup W32/HLLW.Supeboy.A Virus/Win32.Supeboy Virus.Win32.HLLW.Supeboy W32/Supeboy.worm Trojan.Worm Win32/HLLW.Supeboy.A Win32.Virus.Hllw.Akeq Win32.HLLW.Supeboy.B Virus.Win32.HLLW Win32/Virus.BO.621", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Superboy": [[26, 38]], "Indicator: Trojan.Vir.HLL": [[39, 53]], "Indicator: Virus.Supeboy.Win32.1": [[54, 75]], "Indicator: Trojan.Heur.E3C718": [[76, 94]], "Indicator: TROJ_SUPEBOY.A": [[95, 109], [133, 147]], "Indicator: W32/Superboy.MNPI-1152": [[110, 132]], "Indicator: Win.Trojan.Supeboy-1": [[148, 168]], "Indicator: Virus.Win32.HLLW.Supeboy": [[169, 193], [373, 397]], "Indicator: Virus.Win32.HLLW.ghqc": [[194, 215]], "Indicator: Trojan.Win32.Downloader.11776.D": [[216, 247]], "Indicator: W32.HLLW.Supeboy!c": [[248, 266]], "Indicator: Win32.HLLW.Supeboy.A": [[267, 287]], "Indicator: W32/Supeboy.worm": [[288, 304], [398, 414]], "Indicator: Trojan/SuperBoy.DelRegBackup": [[305, 333]], "Indicator: W32/HLLW.Supeboy.A": [[334, 352]], "Indicator: Virus/Win32.Supeboy": [[353, 372]], "Indicator: Trojan.Worm": [[415, 426]], "Indicator: Win32/HLLW.Supeboy.A": [[427, 447]], "Indicator: Win32.Virus.Hllw.Akeq": [[448, 
469]], "Indicator: Win32.HLLW.Supeboy.B": [[470, 490]], "Indicator: Virus.Win32.HLLW": [[491, 507]], "Indicator: Win32/Virus.BO.621": [[508, 526]]}, "info": {"id": "cyner2_5class_train_04365", "source": "cyner2_5class_train"}} +{"text": "We continue to monitor its progress .", "spans": {}, "info": {"id": "cyner2_5class_train_04366", "source": "cyner2_5class_train"}} +{"text": "UNDER ACTIVE DEVELOPMENT An analysis of new FakeSpy samples to old ones showed code discrepancies and new features .", "spans": {"Malware: FakeSpy": [[44, 51]]}, "info": {"id": "cyner2_5class_train_04367", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AppdataAdobLnrC.Trojan Net-Worm.Win32.Cynic!O Worm.Cynic Worm.Cynic.Win32.96 Win32.Trojan.WisdomEyes.16070401.9500.9997 Net-Worm.Win32.Cynic.iu Trojan.Win32.Bot.crrkzb BackDoor.IRC.Bot.1244 BehavesLike.Win32.Downloader.ct TR/Zbot.var Worm[Net]/Win32.Cynic Worm:Win32/Vexral.A Trojan.Barys.657 Worm.Win32.A.Net-Cynic.95744 Net-Worm.Win32.Cynic.iu Trojan/Win32.IRCBot.R23264 Worm.Cynic Win32/AutoRun.IRCBot.II Trojan.Injector!y7pxtOpaO3Y Net-Worm.Win32.Cynic W32/Injector.HXK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AppdataAdobLnrC.Trojan": [[26, 52]], "Indicator: Net-Worm.Win32.Cynic!O": [[53, 75]], "Indicator: Worm.Cynic": [[76, 86], [403, 413]], "Indicator: Worm.Cynic.Win32.96": [[87, 106]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[107, 149]], "Indicator: Net-Worm.Win32.Cynic.iu": [[150, 173], [352, 375]], "Indicator: Trojan.Win32.Bot.crrkzb": [[174, 197]], "Indicator: BackDoor.IRC.Bot.1244": [[198, 219]], "Indicator: BehavesLike.Win32.Downloader.ct": [[220, 251]], "Indicator: TR/Zbot.var": [[252, 263]], "Indicator: Worm[Net]/Win32.Cynic": [[264, 285]], "Indicator: Worm:Win32/Vexral.A": [[286, 305]], "Indicator: Trojan.Barys.657": [[306, 322]], "Indicator: Worm.Win32.A.Net-Cynic.95744": [[323, 351]], "Indicator: Trojan/Win32.IRCBot.R23264": [[376, 402]], "Indicator: 
Win32/AutoRun.IRCBot.II": [[414, 437]], "Indicator: Trojan.Injector!y7pxtOpaO3Y": [[438, 465]], "Indicator: Net-Worm.Win32.Cynic": [[466, 486]], "Indicator: W32/Injector.HXK!tr": [[487, 506]]}, "info": {"id": "cyner2_5class_train_04368", "source": "cyner2_5class_train"}} +{"text": "Like several of the newer variants of ransomware, it does not require an internet connection to encrypt the files.", "spans": {}, "info": {"id": "cyner2_5class_train_04369", "source": "cyner2_5class_train"}} +{"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities .", "spans": {}, "info": {"id": "cyner2_5class_train_04370", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.QQLogger.236036.B TrojanPWS.QQthief.BI4 Trojan/Spy.QQLogger.aby Trojan.Win32.QQLogger.bdqigk Phisher.CZ Trojan.Spy-85326 Trojan-Spy.Win32.QQLogger.ado TrojanSpy.QQLogger!0FayLe3uYlk Trojan.PWS.Qqpass.6867 TrojanSpy.QQLogger.ct Win32.Troj.QQLogger.kcloud PWS:Win32/QQThief.I Spyware/Win32.QQLogger Virus.Win32.Part.a TrojanSpy.QQLogger Trojan.PSW.Win32.QQThief.j Trojan-Spy.Win32.QQLogger W32/QQLogger.CDX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.QQLogger.236036.B": [[26, 58]], "Indicator: TrojanPWS.QQthief.BI4": [[59, 80]], "Indicator: Trojan/Spy.QQLogger.aby": [[81, 104]], "Indicator: Trojan.Win32.QQLogger.bdqigk": [[105, 133]], "Indicator: Phisher.CZ": [[134, 144]], "Indicator: Trojan.Spy-85326": [[145, 161]], "Indicator: Trojan-Spy.Win32.QQLogger.ado": [[162, 191]], "Indicator: TrojanSpy.QQLogger!0FayLe3uYlk": [[192, 222]], "Indicator: Trojan.PWS.Qqpass.6867": [[223, 245]], "Indicator: TrojanSpy.QQLogger.ct": [[246, 267]], "Indicator: Win32.Troj.QQLogger.kcloud": [[268, 294]], "Indicator: PWS:Win32/QQThief.I": [[295, 314]], "Indicator: Spyware/Win32.QQLogger": [[315, 337]], "Indicator: Virus.Win32.Part.a": 
[[338, 356]], "Indicator: TrojanSpy.QQLogger": [[357, 375]], "Indicator: Trojan.PSW.Win32.QQThief.j": [[376, 402]], "Indicator: Trojan-Spy.Win32.QQLogger": [[403, 428]], "Indicator: W32/QQLogger.CDX!tr": [[429, 448]]}, "info": {"id": "cyner2_5class_train_04371", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Backdoor.BlueFire.0.5.0 Backdoor/W32.BlueFire.593408 Backdoor.Bluefire Backdoor/BlueFire.036 BKDR_BLUEFIRE.A W32/Risk.VCME-1818 Construction.Kit BKDR_BLUEFIRE.A Win.Trojan.Bluefire-5 Backdoor.Win32.BlueFire.036 Dropped:Backdoor.BlueFire.0.5.0 Trojan.Win32.BlueFire.gaiw Backdoor.W32.BlueFire.036!c Dropped:Backdoor.BlueFire.0.5.0 Backdoor.Win32.BlueFire.036 Dropped:Backdoor.BlueFire.0.5.0 BackDoor.BlueFire.36 Backdoor.BlueFire.Win32.12 Backdoor/BlueFire.036 W32.Trojan.Backdoor-BlueFire BDS/BlueFire.50.DLL Trojan[Backdoor]/Win32.BlueFire Backdoor.BlueFire.0.5.0 Backdoor.Win32.BlueFire.036 Backdoor:Win32/BlueFire.0_36 Trojan/Win32.BlueFire.R61616 Dropped:Backdoor.BlueFire.0.5.0 Backdoor.BlueFire Win32/BlueFire.036 Win32.Backdoor.Bluefire.Tayj Backdoor.BlueFire!vtgAlnbXp+8 Backdoor.Win32.Way W32/Bdoor.UZ!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Backdoor.BlueFire.0.5.0": [[26, 57], [245, 276], [332, 363], [392, 423], [685, 716]], "Indicator: Backdoor/W32.BlueFire.593408": [[58, 86]], "Indicator: Backdoor.Bluefire": [[87, 104]], "Indicator: Backdoor/BlueFire.036": [[105, 126], [472, 493]], "Indicator: BKDR_BLUEFIRE.A": [[127, 142], [179, 194]], "Indicator: W32/Risk.VCME-1818": [[143, 161]], "Indicator: Construction.Kit": [[162, 178]], "Indicator: Win.Trojan.Bluefire-5": [[195, 216]], "Indicator: Backdoor.Win32.BlueFire.036": [[217, 244], [364, 391], [599, 626]], "Indicator: Trojan.Win32.BlueFire.gaiw": [[277, 303]], "Indicator: Backdoor.W32.BlueFire.036!c": [[304, 331]], "Indicator: BackDoor.BlueFire.36": [[424, 444]], "Indicator: Backdoor.BlueFire.Win32.12": [[445, 471]], "Indicator: 
W32.Trojan.Backdoor-BlueFire": [[494, 522]], "Indicator: BDS/BlueFire.50.DLL": [[523, 542]], "Indicator: Trojan[Backdoor]/Win32.BlueFire": [[543, 574]], "Indicator: Backdoor.BlueFire.0.5.0": [[575, 598]], "Indicator: Backdoor:Win32/BlueFire.0_36": [[627, 655]], "Indicator: Trojan/Win32.BlueFire.R61616": [[656, 684]], "Indicator: Backdoor.BlueFire": [[717, 734]], "Indicator: Win32/BlueFire.036": [[735, 753]], "Indicator: Win32.Backdoor.Bluefire.Tayj": [[754, 782]], "Indicator: Backdoor.BlueFire!vtgAlnbXp+8": [[783, 812]], "Indicator: Backdoor.Win32.Way": [[813, 831]], "Indicator: W32/Bdoor.UZ!tr.bdr": [[832, 851]]}, "info": {"id": "cyner2_5class_train_04372", "source": "cyner2_5class_train"}} +{"text": "The dark ways of the Triada Once downloaded and installed , the Triada Trojan first tries to collect some information about the system — like the device model , the OS version , the amount of the SD card space , the list of the installed applications and other things .", "spans": {"Malware: Triada": [[21, 27], [64, 70]]}, "info": {"id": "cyner2_5class_train_04373", "source": "cyner2_5class_train"}} +{"text": "] website mobilestoreupdate [ .", "spans": {"Indicator: mobilestoreupdate [ .": [[10, 31]]}, "info": {"id": "cyner2_5class_train_04374", "source": "cyner2_5class_train"}} +{"text": "However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan.", "spans": {"Indicator: attack": [[13, 19], [106, 112]], "Organization: Japanese organizations;": [[113, 136]], "System: C2s": [[155, 158]]}, "info": {"id": "cyner2_5class_train_04375", "source": "cyner2_5class_train"}} +{"text": "But there 's little stopping it from doing much worse .", "spans": {}, "info": {"id": "cyner2_5class_train_04376", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.ED Dropper.Binder.Win32.1016 Trojan/Dropper.Binder.qd 
Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/DropperX.VWP Trojan.Crypt.ED Backdoor.Win32.Rbot.abwp Trojan.Crypt.ED Trojan.Crypt.ED BackDoor.Shell BehavesLike.Win32.Backdoor.bh W32/Risk.ZNPN-3988 TrojanDropper.Binder.ht Trojan.Crypt.ED Backdoor.Win32.Rbot.abwp Backdoor:Win32/Blackhole.U Backdoor/Win32.Hupigon.R7788 Trojan.Crypt.ED Backdoor.Shell", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.ED": [[26, 41], [153, 168], [194, 209], [210, 225], [314, 329], [411, 426]], "Indicator: Dropper.Binder.Win32.1016": [[42, 67]], "Indicator: Trojan/Dropper.Binder.qd": [[68, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[93, 135]], "Indicator: W32/DropperX.VWP": [[136, 152]], "Indicator: Backdoor.Win32.Rbot.abwp": [[169, 193], [330, 354]], "Indicator: BackDoor.Shell": [[226, 240]], "Indicator: BehavesLike.Win32.Backdoor.bh": [[241, 270]], "Indicator: W32/Risk.ZNPN-3988": [[271, 289]], "Indicator: TrojanDropper.Binder.ht": [[290, 313]], "Indicator: Backdoor:Win32/Blackhole.U": [[355, 381]], "Indicator: Backdoor/Win32.Hupigon.R7788": [[382, 410]], "Indicator: Backdoor.Shell": [[427, 441]]}, "info": {"id": "cyner2_5class_train_04377", "source": "cyner2_5class_train"}} +{"text": "Roaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously evolved .", "spans": {"Organization: Roaming Mantis": [[0, 14]]}, "info": {"id": "cyner2_5class_train_04378", "source": "cyner2_5class_train"}} +{"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( “ content : //call_log/calls ” , info : callname , callnum , calldate , calltype , callduration ) to C & C ( calllog.php 
) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , fi npic.php orreqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 .", "spans": {"Indicator: incall3.php": [[217, 228]], "Indicator: outcall3.php": [[233, 245]], "Indicator: script3.php": [[319, 330]], "Indicator: content : //call_log/calls": [[388, 414]], "Indicator: calllog.php": [[495, 506]], "Indicator: uppc.php": [[612, 620]], "Indicator: npic.php": [[626, 634]], "Indicator: orreqpic.php": [[635, 647]], "System: GPS": [[659, 662]], "Indicator: gps3.php": [[686, 694]]}, "info": {"id": "cyner2_5class_train_04379", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Trojan.Crypt.52 TSPY_EMOTET.SMD3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_EMOTET.SMD3 Trojan.Win32.Diple.euwotz TrojWare.Win32.Crypt.AX BehavesLike.Win32.Ramnit.dc W32.Trojan.Emotet Trojan:Win32/Diple.B!bit Trojan/Win32.Magniber.R212688 Trojan.Win32.VB Win32/Trojan.d4d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Trojan.Crypt.52": [[26, 48]], "Indicator: TSPY_EMOTET.SMD3": [[49, 65], [109, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[66, 108]], "Indicator: Trojan.Win32.Diple.euwotz": [[126, 151]], "Indicator: TrojWare.Win32.Crypt.AX": [[152, 175]], "Indicator: BehavesLike.Win32.Ramnit.dc": [[176, 203]], "Indicator: W32.Trojan.Emotet": [[204, 221]], "Indicator: Trojan:Win32/Diple.B!bit": [[222, 246]], "Indicator: Trojan/Win32.Magniber.R212688": [[247, 276]], "Indicator: Trojan.Win32.VB": [[277, 292]], "Indicator: Win32/Trojan.d4d": [[293, 309]]}, "info": {"id": "cyner2_5class_train_04380", "source": "cyner2_5class_train"}}
+{"text": "ALLMSG – send C & C all SMSs received and sent by user , as stored in phone memory .", "spans": {}, "info": {"id": 
"cyner2_5class_train_04381", "source": "cyner2_5class_train"}}
+{"text": "Windows and winzip do not natively extract them which delivers some malware.", "spans": {"System: Windows": [[0, 7]], "System: winzip": [[12, 18]], "Malware: malware.": [[68, 76]]}, "info": {"id": "cyner2_5class_train_04382", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan-Dropper.Win32.Halk!O Backdoor.CIA BKDR_NERTE.780 Backdoor.Win32.NerTe.780 Backdoor.Win32.Nerte_780.Inst[h] Backdoor.Win32.NerTe.780 Trojan.MulDrop.1253 BKDR_NERTE.780 W32/Risk.YHOK-6554 BDS/Nerte78.Inst Win32.Hack.NerteZip.kcloud Backdoor:Win32/Nerte.7_80.dr Bck/Iroffer.BG Win32/NerTe.78.Client W32/NerTe.V780!tr.bdr BackDoor.Nerte Backdoor.Win32.NerTe.ajn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Halk!O": [[26, 53]], "Indicator: Backdoor.CIA": [[54, 66]], "Indicator: BKDR_NERTE.780": [[67, 81], [185, 199]], "Indicator: Backdoor.Win32.NerTe.780": [[82, 106], [140, 164]], "Indicator: Backdoor.Win32.Nerte_780.Inst[h]": [[107, 139]], "Indicator: Trojan.MulDrop.1253": [[165, 184]], "Indicator: W32/Risk.YHOK-6554": [[200, 218]], "Indicator: BDS/Nerte78.Inst": [[219, 235]], "Indicator: Win32.Hack.NerteZip.kcloud": [[236, 262]], "Indicator: Backdoor:Win32/Nerte.7_80.dr": [[263, 291]], "Indicator: Bck/Iroffer.BG": [[292, 306]], "Indicator: Win32/NerTe.78.Client": [[307, 328]], "Indicator: W32/NerTe.V780!tr.bdr": [[329, 350]], "Indicator: BackDoor.Nerte": [[351, 365]], "Indicator: Backdoor.Win32.NerTe.ajn": [[366, 390]]}, "info": {"id": "cyner2_5class_train_04383", "source": "cyner2_5class_train"}}
+{"text": "These campaigns have lead to a rapid rise in the rate of Bedep infections, with Arbour Networks observing just above 80K infections over a 3-day period.", "spans": {"Malware: Bedep": [[57, 62]], "System: Arbour Networks": [[80, 95]]}, "info": {"id": "cyner2_5class_train_04384", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: 
Win32.TrojanSpy.Banker.ahy.f W32/Packed_Upack.H Trojan-Banker.Win32.Banker.etk Packed.Win32.UPack Trojan.PWS.Banker.based Trojan-Banker.Win32.Banbra!IK Trojan-Banker.Win32.Banbra PSW.Banker Trj/Banker.ITS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.TrojanSpy.Banker.ahy.f": [[26, 54]], "Indicator: W32/Packed_Upack.H": [[55, 73]], "Indicator: Trojan-Banker.Win32.Banker.etk": [[74, 104]], "Indicator: Packed.Win32.UPack": [[105, 123]], "Indicator: Trojan.PWS.Banker.based": [[124, 147]], "Indicator: Trojan-Banker.Win32.Banbra!IK": [[148, 177]], "Indicator: Trojan-Banker.Win32.Banbra": [[178, 204]], "Indicator: PSW.Banker": [[205, 215]], "Indicator: Trj/Banker.ITS": [[216, 230]]}, "info": {"id": "cyner2_5class_train_04385", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.HostsMsasc.Trojan Trojan.Win32.Inject!O Trojan.Zusy.D7CC Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_PAM_000002012C.T3 Win.Trojan.Inject-7728 Trojan.Win32.Inject.dcduro Trojan.Win32.A.Llac.419328 Trojan.MulDrop3.3872 Trojan.Injector.Win32.50089 Trojan-Spy.MSIL TrojanDropper.Injector.kgt TR/Jorik.AC Trojan/Win32.Shakblades TrojanSpy:MSIL/VB.M Trojan/Win32.Jorik.C97808 Worm.Shakblades Worm.Ainslot!/rTzgf3sAsw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HostsMsasc.Trojan": [[26, 47]], "Indicator: Trojan.Win32.Inject!O": [[48, 69]], "Indicator: Trojan.Zusy.D7CC": [[70, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[87, 129]], "Indicator: TROJ_PAM_000002012C.T3": [[130, 152]], "Indicator: Win.Trojan.Inject-7728": [[153, 175]], "Indicator: Trojan.Win32.Inject.dcduro": [[176, 202]], "Indicator: Trojan.Win32.A.Llac.419328": [[203, 229]], "Indicator: Trojan.MulDrop3.3872": [[230, 250]], "Indicator: Trojan.Injector.Win32.50089": [[251, 278]], "Indicator: Trojan-Spy.MSIL": [[279, 294]], "Indicator: TrojanDropper.Injector.kgt": [[295, 321]], "Indicator: TR/Jorik.AC": [[322, 333]], "Indicator: Trojan/Win32.Shakblades": [[334, 357]], 
"Indicator: TrojanSpy:MSIL/VB.M": [[358, 377]], "Indicator: Trojan/Win32.Jorik.C97808": [[378, 403]], "Indicator: Worm.Shakblades": [[404, 419]], "Indicator: Worm.Ainslot!/rTzgf3sAsw": [[420, 444]]}, "info": {"id": "cyner2_5class_train_04386", "source": "cyner2_5class_train"}}
+{"text": "A ptrace_attach syscall is called .", "spans": {}, "info": {"id": "cyner2_5class_train_04387", "source": "cyner2_5class_train"}}
+{"text": "On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm.", "spans": {"Organization: Palo Alto Networks Unit 42 threat intelligence team": [[22, 73]], "Indicator: watering hole attack": [[87, 107]], "Indicator: website": [[115, 122]], "Organization: aerospace firm.": [[139, 154]]}, "info": {"id": "cyner2_5class_train_04388", "source": "cyner2_5class_train"}}
+{"text": "MalumPoS was designed to be configurable.", "spans": {"Malware: MalumPoS": [[0, 8]]}, "info": {"id": "cyner2_5class_train_04389", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Virtool.8944 Server-Proxy.Win32.CCProxy!O W32/HackTool.CYA not-a-virus:Server-Proxy.Win32.CCProxy.63 Virtool.8944 Riskware.Win32.CCProxy.ybka Virtool.8944 Win32.ServerProxy.CCProxy.~BAAB Program.CCProxy W32/Tool.YSPN-2643 AdWare/CCProxy.b GrayWare[Server-Proxy]/Win32.CCProxy HackTool:Win32/CCProxy.B Virtool.D22F0 not-a-virus:Server-Proxy.Win32.CCProxy.63 Virtool.8944 Win-AppCare/Ccproxy.987136 Virtool.8944 not-a-virus:Server-Proxy.Win32.CCProxy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virtool.8944": [[26, 38], [127, 139], [168, 180], [383, 395], [423, 435]], "Indicator: Server-Proxy.Win32.CCProxy!O": [[39, 67]], "Indicator: W32/HackTool.CYA": [[68, 84]], "Indicator: not-a-virus:Server-Proxy.Win32.CCProxy.63": [[85, 126], [341, 382]], "Indicator: Riskware.Win32.CCProxy.ybka": [[140, 167]], "Indicator: Win32.ServerProxy.CCProxy.~BAAB": [[181, 212]], "Indicator: 
Program.CCProxy": [[213, 228]], "Indicator: W32/Tool.YSPN-2643": [[229, 247]], "Indicator: AdWare/CCProxy.b": [[248, 264]], "Indicator: GrayWare[Server-Proxy]/Win32.CCProxy": [[265, 301]], "Indicator: HackTool:Win32/CCProxy.B": [[302, 326]], "Indicator: Virtool.D22F0": [[327, 340]], "Indicator: Win-AppCare/Ccproxy.987136": [[396, 422]], "Indicator: not-a-virus:Server-Proxy.Win32.CCProxy": [[436, 474]]}, "info": {"id": "cyner2_5class_train_04390", "source": "cyner2_5class_train"}}
+{"text": "The source and destination addresses are both blank without an actual email address.", "spans": {"Indicator: The source": [[0, 10]], "Indicator: destination addresses": [[15, 36]], "Indicator: actual email address.": [[63, 84]]}, "info": {"id": "cyner2_5class_train_04391", "source": "cyner2_5class_train"}}
+{"text": "EventBot has the ability to update its library or potentially even download a second library when given a command from the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_04392", "source": "cyner2_5class_train"}}
+{"text": "This file contains all HTML , CSS and PNG files necessary to create overlays .", "spans": {}, "info": {"id": "cyner2_5class_train_04393", "source": "cyner2_5class_train"}}
+{"text": "Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.", "spans": {"Organization: Unit 42": [[0, 7]], "Vulnerability: zero-day vulnerabilities": [[143, 167]], "Malware: backdoor": [[185, 193]], "Malware: Pirpi.": [[201, 207]]}, "info": {"id": "cyner2_5class_train_04394", "source": "cyner2_5class_train"}}
+{"text": "Most security vendors fail to identify the malicious code 7/55 on virustotal", "spans": {"Organization: security vendors": [[5, 21]], "Malware: malicious code": [[43, 57]], "Organization: virustotal": [[66, 76]]}, "info": {"id": "cyner2_5class_train_04395", "source": 
"cyner2_5class_train"}}
+{"text": "VBS malware, likely deployed as part of a red team", "spans": {"Malware: VBS malware,": [[0, 12]]}, "info": {"id": "cyner2_5class_train_04396", "source": "cyner2_5class_train"}}
+{"text": "The big first buffer is used as index for multiple concurrent threads .", "spans": {}, "info": {"id": "cyner2_5class_train_04397", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.OnGamesMSIMOB.Trojan Worm.Win32.FakeFolder!O Trojan.Fakefolder.C4 Worm.FakeFolder.Win32.23 W32/FakeFolder.ADPV-1915 W32.SillyFDC Win32/SillyAutorun.FIA TSPY_FAKEALERT_BH010146.TOMC Win.Trojan.Fakefolder-76 Worm.Win32.FakeFolder.a Worm.Win32.A.FakeFolder.26624[UPX] TSPY_FAKEALERT_BH010146.TOMC BehavesLike.Win32.PWSBanker.tc Trojan.Win32.Fakefolder W32/FakeFolder.A Worm/FakeFolder.b Worm/Win32.FakeFolder Trojan:Win32/Fakefolder.C Worm.Win32.FakeFolder.a Trojan/Win32.FakeFolder.R143433 Worm.FakeFolder Win32.Worm.Fakefolder.Wmim Worm.FakeFolder!qDF5E1Kz9pU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesMSIMOB.Trojan": [[26, 50]], "Indicator: Worm.Win32.FakeFolder!O": [[51, 74]], "Indicator: Trojan.Fakefolder.C4": [[75, 95]], "Indicator: Worm.FakeFolder.Win32.23": [[96, 120]], "Indicator: W32/FakeFolder.ADPV-1915": [[121, 145]], "Indicator: W32.SillyFDC": [[146, 158]], "Indicator: Win32/SillyAutorun.FIA": [[159, 181]], "Indicator: TSPY_FAKEALERT_BH010146.TOMC": [[182, 210], [295, 323]], "Indicator: Win.Trojan.Fakefolder-76": [[211, 235]], "Indicator: Worm.Win32.FakeFolder.a": [[236, 259], [462, 485]], "Indicator: Worm.Win32.A.FakeFolder.26624[UPX]": [[260, 294]], "Indicator: BehavesLike.Win32.PWSBanker.tc": [[324, 354]], "Indicator: Trojan.Win32.Fakefolder": [[355, 378]], "Indicator: W32/FakeFolder.A": [[379, 395]], "Indicator: Worm/FakeFolder.b": [[396, 413]], "Indicator: Worm/Win32.FakeFolder": [[414, 435]], "Indicator: Trojan:Win32/Fakefolder.C": [[436, 461]], "Indicator: Trojan/Win32.FakeFolder.R143433": [[486, 517]], 
"Indicator: Worm.FakeFolder": [[518, 533]], "Indicator: Win32.Worm.Fakefolder.Wmim": [[534, 560]], "Indicator: Worm.FakeFolder!qDF5E1Kz9pU": [[561, 588]]}, "info": {"id": "cyner2_5class_train_04398", "source": "cyner2_5class_train"}}
+{"text": "Similar to previous attacks, the Disttrack malware used by Shamoon is just the destructive payload.", "spans": {"Indicator: attacks,": [[20, 28]], "Malware: Disttrack malware": [[33, 50]], "Malware: the destructive payload.": [[75, 99]]}, "info": {"id": "cyner2_5class_train_04399", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TjnClicker.Qaccel.S1448 Trojan.Small.Win32.31852 Trojan/Clicker.Small.ndn Trojan.Win32.Click3.erajhs TrojWare.Win32.TrojanClicker.Small.DS Trojan.Click3.21941 TR/Dropper.tstkm GrayWare[AdWare]/Win32.TrojanClicker.Small.ndn Trojan/Win32.Dynamer.R187373 Backdoor.Bot Trojan.Win32.TrojanClicker", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TjnClicker.Qaccel.S1448": [[26, 49]], "Indicator: Trojan.Small.Win32.31852": [[50, 74]], "Indicator: Trojan/Clicker.Small.ndn": [[75, 99]], "Indicator: Trojan.Win32.Click3.erajhs": [[100, 126]], "Indicator: TrojWare.Win32.TrojanClicker.Small.DS": [[127, 164]], "Indicator: Trojan.Click3.21941": [[165, 184]], "Indicator: TR/Dropper.tstkm": [[185, 201]], "Indicator: GrayWare[AdWare]/Win32.TrojanClicker.Small.ndn": [[202, 248]], "Indicator: Trojan/Win32.Dynamer.R187373": [[249, 277]], "Indicator: Backdoor.Bot": [[278, 290]], "Indicator: Trojan.Win32.TrojanClicker": [[291, 317]]}, "info": {"id": "cyner2_5class_train_04400", "source": "cyner2_5class_train"}}
+{"text": "First , there is a small dropper , then a large second stage payload that contains multiple binaries ( where most of the surveillance functionality is implemented ) , and finally a third stage which typically uses the DirtyCOW exploit ( CVE-2016-5195 ) to obtain root .", "spans": {"Vulnerability: DirtyCOW exploit": [[218, 234]], "Vulnerability: CVE-2016-5195": [[237, 250]]}, 
"info": {"id": "cyner2_5class_train_04401", "source": "cyner2_5class_train"}}
+{"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform .", "spans": {"Malware: Skygofree": [[30, 39]], "System: Android": [[40, 47]]}, "info": {"id": "cyner2_5class_train_04402", "source": "cyner2_5class_train"}}
+{"text": "Figure 4 shows the download prompt for this fake app ; an English translation follows .", "spans": {}, "info": {"id": "cyner2_5class_train_04403", "source": "cyner2_5class_train"}}
+{"text": "So we recommend installing an anti-virus solution on your Android device .", "spans": {}, "info": {"id": "cyner2_5class_train_04404", "source": "cyner2_5class_train"}}
+{"text": "A macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against an human rights advocate.", "spans": {"System: macOS": [[2, 7]], "Malware: malware agent,": [[8, 22]], "Malware: MacDownloader,": [[29, 43]], "Organization: defense industrial base,": [[86, 110]], "Organization: an human rights advocate.": [[160, 185]]}, "info": {"id": "cyner2_5class_train_04405", "source": "cyner2_5class_train"}}
+{"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings .", "spans": {}, "info": {"id": "cyner2_5class_train_04406", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.Clod740.Trojan.4797 Backdoor.Bittaru!1goVteZqWDk TROJ_SPNR.15KL11 MalCrypt.Indus! 
BDS/Bittaru.A.4 TROJ_SPNR.15KL11 Win32.Troj.Undef.kcloud Backdoor:Win32/Bittaru.A W32/Trojan.PAFV-2148 W32/BackDoor.DPM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod740.Trojan.4797": [[26, 49]], "Indicator: Backdoor.Bittaru!1goVteZqWDk": [[50, 78]], "Indicator: TROJ_SPNR.15KL11": [[79, 95], [128, 144]], "Indicator: MalCrypt.Indus!": [[96, 111]], "Indicator: BDS/Bittaru.A.4": [[112, 127]], "Indicator: Win32.Troj.Undef.kcloud": [[145, 168]], "Indicator: Backdoor:Win32/Bittaru.A": [[169, 193]], "Indicator: W32/Trojan.PAFV-2148": [[194, 214]], "Indicator: W32/BackDoor.DPM!tr": [[215, 234]]}, "info": {"id": "cyner2_5class_train_04407", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.MSIL.Disfa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.Disfa": [[26, 43]]}, "info": {"id": "cyner2_5class_train_04408", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: MemScan:Trojan.Glitch.A Trojan-Dropper.Win32.Juntador!O MemScan:Trojan.Glitch.A Trojan/Dropper.Juntador.c Trojan.Glitch.A W32/Dropper.ATCT Backdoor.IRC.Zcrew TROJ_JUNTADOR.C Win.Dropper.Juntador-12 MemScan:Trojan.Glitch.A Trojan-Dropper.Win32.Delf.hq MemScan:Trojan.Glitch.A Trojan.Win32.Juntador.diov MemScan:Trojan.Glitch.A TrojWare.Win32.TrojanDropper.Juntador.c0 MemScan:Trojan.Glitch.A BackDoor.DMoon Dropper.Juntador.Win32.230 TROJ_JUNTADOR.C BehavesLike.Win32.Dropper.hc W32/Risk.HJDZ-9373 TrojanDropper.Win32.Juntador.c TrojanDropper:Win32/Juntador.C Trojan-Dropper.Win32.Delf.hq Trojan/Win32.LdPinch.C10075 Win32/TrojanDropper.Juntador.C Win32.Trojan-dropper.Delf.Eegz Trojan-Dropper.Win32.Juntador.C Win32/Trojan.bf1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MemScan:Trojan.Glitch.A": [[26, 49], [82, 105], [224, 247], [277, 300], [328, 351], [393, 416]], "Indicator: Trojan-Dropper.Win32.Juntador!O": [[50, 81]], "Indicator: Trojan/Dropper.Juntador.c": [[106, 131]], "Indicator: Trojan.Glitch.A": [[132, 147]], 
"Indicator: W32/Dropper.ATCT": [[148, 164]], "Indicator: Backdoor.IRC.Zcrew": [[165, 183]], "Indicator: TROJ_JUNTADOR.C": [[184, 199], [459, 474]], "Indicator: Win.Dropper.Juntador-12": [[200, 223]], "Indicator: Trojan-Dropper.Win32.Delf.hq": [[248, 276], [585, 613]], "Indicator: Trojan.Win32.Juntador.diov": [[301, 327]], "Indicator: TrojWare.Win32.TrojanDropper.Juntador.c0": [[352, 392]], "Indicator: BackDoor.DMoon": [[417, 431]], "Indicator: Dropper.Juntador.Win32.230": [[432, 458]], "Indicator: BehavesLike.Win32.Dropper.hc": [[475, 503]], "Indicator: W32/Risk.HJDZ-9373": [[504, 522]], "Indicator: TrojanDropper.Win32.Juntador.c": [[523, 553]], "Indicator: TrojanDropper:Win32/Juntador.C": [[554, 584]], "Indicator: Trojan/Win32.LdPinch.C10075": [[614, 641]], "Indicator: Win32/TrojanDropper.Juntador.C": [[642, 672]], "Indicator: Win32.Trojan-dropper.Delf.Eegz": [[673, 703]], "Indicator: Trojan-Dropper.Win32.Juntador.C": [[704, 735]], "Indicator: Win32/Trojan.bf1": [[736, 752]]}, "info": {"id": "cyner2_5class_train_04409", "source": "cyner2_5class_train"}}
+{"text": "Many other banking malware families followed suit and released their own Android malware components designed to steal those OTPs and TANs .", "spans": {}, "info": {"id": "cyner2_5class_train_04410", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Script.Application.CdEject.A Script.Application.Cdeject!c BehavesLike.Win32.PUPXBC.dc Joke:VBS/CDEject.D PUP.Linkury/Variant Trojan.Ejectcd.A VBS/CDEject.I Backdoor.MSIL.Bladabindi VBS/CDEject.I!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Script.Application.CdEject.A": [[69, 97]], "Indicator: Script.Application.Cdeject!c": [[98, 126]], "Indicator: BehavesLike.Win32.PUPXBC.dc": [[127, 154]], "Indicator: Joke:VBS/CDEject.D": [[155, 173]], "Indicator: PUP.Linkury/Variant": [[174, 193]], "Indicator: Trojan.Ejectcd.A": 
[[194, 210]], "Indicator: VBS/CDEject.I": [[211, 224]], "Indicator: Backdoor.MSIL.Bladabindi": [[225, 249]], "Indicator: VBS/CDEject.I!tr": [[250, 266]]}, "info": {"id": "cyner2_5class_train_04411", "source": "cyner2_5class_train"}}
+{"text": "Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets.", "spans": {"Organization: Symantec": [[0, 8]], "Indicator: cyber attacks": [[106, 119]], "Organization: organizations": [[128, 141]], "Organization: foreign policy institutions": [[215, 242]], "Organization: diplomatic targets.": [[247, 266]]}, "info": {"id": "cyner2_5class_train_04412", "source": "cyner2_5class_train"}}
+{"text": "This disabled the attacker's access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.", "spans": {}, "info": {"id": "cyner2_5class_train_04413", "source": "cyner2_5class_train"}}
+{"text": "Figure 2 : “ Agent Smith ’ s jpg file structure After the extraction , the “ loader ” module adds the code to the application while using the legitimate mechanism by Android to handle large DEX files .", "spans": {"Malware: Agent Smith": [[13, 24]], "System: Android": [[166, 173]]}, "info": {"id": "cyner2_5class_train_04414", "source": "cyner2_5class_train"}}
+{"text": "All the observed landing pages mimic the mobile operators ’ web pages through their domain name and web page content as well .", "spans": {}, "info": {"id": "cyner2_5class_train_04415", "source": "cyner2_5class_train"}}
+{"text": "The app that resulted in the largest number of affected users was the click fraud version , which was installed over 170,000 times at its peak in February 2018 .", "spans": {}, "info": {"id": "cyner2_5class_train_04416", "source": 
"cyner2_5class_train"}}
+{"text": "Finally, Doctor Web's security researchers investigated the Linux.Mirai Trojan found later that month.", "spans": {"Organization: Doctor Web's security researchers": [[9, 42]], "Indicator: Linux.Mirai": [[60, 71]], "Malware: Trojan": [[72, 78]]}, "info": {"id": "cyner2_5class_train_04417", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Virus.Win32.Sality!O Backdoor.Poison.Win32.26527 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VBKrypt.hjcg Trojan.Win32.VB.dodqqz Troj.W32.VBKrypt.hjcg!c Trojan.MulDrop2.20812 Backdoor/Poison.eqy Trojan/Win32.VBKrypt TrojanDownloader:Win32/Tyqui.B Trojan.Win32.VBKrypt.hjcg Trj/CI.A Win32/TrojanDownloader.VB.ODM Trojan.VBKrypt!ngQI4PCHe4I Backdoor.Poison W32/Dx.TQG!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: Backdoor.Poison.Win32.26527": [[47, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: Trojan.Win32.VBKrypt.hjcg": [[118, 143], [285, 310]], "Indicator: Trojan.Win32.VB.dodqqz": [[144, 166]], "Indicator: Troj.W32.VBKrypt.hjcg!c": [[167, 190]], "Indicator: Trojan.MulDrop2.20812": [[191, 212]], "Indicator: Backdoor/Poison.eqy": [[213, 232]], "Indicator: Trojan/Win32.VBKrypt": [[233, 253]], "Indicator: TrojanDownloader:Win32/Tyqui.B": [[254, 284]], "Indicator: Trj/CI.A": [[311, 319]], "Indicator: Win32/TrojanDownloader.VB.ODM": [[320, 349]], "Indicator: Trojan.VBKrypt!ngQI4PCHe4I": [[350, 376]], "Indicator: Backdoor.Poison": [[377, 392]], "Indicator: W32/Dx.TQG!tr": [[393, 406]]}, "info": {"id": "cyner2_5class_train_04418", "source": "cyner2_5class_train"}}
+{"text": "As of this writing , all the domains were registered recently and some are already offline .", "spans": {}, "info": {"id": "cyner2_5class_train_04419", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: PERL/Shellbot.B Backdoor.Perl.Shellbot.B Perl/Shellbot.PR Perl.Backdoor.Shellbot.f 
Unix/ShellBot.AH IRC.Backdoor.Trojan Perl/Shellbot.NAI PERL_SHELBOT.SMO Win.Trojan.Perlbot-1 Backdoor.Perl.IRCBot.ij Backdoor.Perl.Shellbot.B Backdoor.Perl.Ircbot!c Perl.Backdoor.Ircbot.Akpo Backdoor.Perl.Shellbot.B Backdoor.Perl.Shellbot.B Perl.Ircbot.93 PERL_SHELBOT.SMO Unix/ShellBot.AH PERL/Shellbot.aa Perl/IRCBot.I!tr Backdoor.Perl.Shellbot.B Backdoor.Perl.IRCBot.ij Backdoor:Perl/Shellbot.Z Backdoor.Perl.Shellbot.B Perl.Shellbot.I Trojan.Perl.Shellbot Backdoor.Perl.Shellbot.B Win32/Trojan.BO.811", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PERL/Shellbot.B": [[26, 41]], "Indicator: Backdoor.Perl.Shellbot.B": [[42, 66], [226, 250], [300, 324], [325, 349], [433, 457], [507, 531], [569, 593]], "Indicator: Perl/Shellbot.PR": [[67, 83]], "Indicator: Perl.Backdoor.Shellbot.f": [[84, 108]], "Indicator: Unix/ShellBot.AH": [[109, 125], [382, 398]], "Indicator: IRC.Backdoor.Trojan": [[126, 145]], "Indicator: Perl/Shellbot.NAI": [[146, 163]], "Indicator: PERL_SHELBOT.SMO": [[164, 180], [365, 381]], "Indicator: Win.Trojan.Perlbot-1": [[181, 201]], "Indicator: Backdoor.Perl.IRCBot.ij": [[202, 225], [458, 481]], "Indicator: Backdoor.Perl.Ircbot!c": [[251, 273]], "Indicator: Perl.Backdoor.Ircbot.Akpo": [[274, 299]], "Indicator: Perl.Ircbot.93": [[350, 364]], "Indicator: PERL/Shellbot.aa": [[399, 415]], "Indicator: Perl/IRCBot.I!tr": [[416, 432]], "Indicator: Backdoor:Perl/Shellbot.Z": [[482, 506]], "Indicator: Perl.Shellbot.I": [[532, 547]], "Indicator: Trojan.Perl.Shellbot": [[548, 568]], "Indicator: Win32/Trojan.BO.811": [[594, 613]]}, "info": {"id": "cyner2_5class_train_04420", "source": "cyner2_5class_train"}}
+{"text": "Then , the APK is installed as system application and registers listener on USER_PRESENT event .", "spans": {}, "info": {"id": "cyner2_5class_train_04421", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9928 W32/Trojan.GELV-4208 Backdoor.MSIL.Bladabindi.akrb 
Trojan.Win32.Bladabindi.extavb Backdoor.Msil.Bladabindi!c Msil.Backdoor.Bladabindi.Wmjd BackDoor.Bladabindi.13678 Backdoor.Bladabindi.Win32.8723 Trojan.MSIL.Injector Trojan:Win32/Vb.At TR/Crypt.fkm.udrkf Trojan[Backdoor]/MSIL.Bladabindi Trojan.MSIL.Bladabindi.1 Trojan.Win32.Z.Bladabindi.192000.A Backdoor.MSIL.Bladabindi.akrb Trojan:MSIL/Inmalsal.A MSIL/Kryptik.GJY!tr Trj/GdSda.A Win32/Trojan.BO.610", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.MSIL": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9928": [[40, 82]], "Indicator: W32/Trojan.GELV-4208": [[83, 103]], "Indicator: Backdoor.MSIL.Bladabindi.akrb": [[104, 133], [431, 460]], "Indicator: Trojan.Win32.Bladabindi.extavb": [[134, 164]], "Indicator: Backdoor.Msil.Bladabindi!c": [[165, 191]], "Indicator: Msil.Backdoor.Bladabindi.Wmjd": [[192, 221]], "Indicator: BackDoor.Bladabindi.13678": [[222, 247]], "Indicator: Backdoor.Bladabindi.Win32.8723": [[248, 278]], "Indicator: Trojan.MSIL.Injector": [[279, 299]], "Indicator: Trojan:Win32/Vb.At": [[300, 318]], "Indicator: TR/Crypt.fkm.udrkf": [[319, 337]], "Indicator: Trojan[Backdoor]/MSIL.Bladabindi": [[338, 370]], "Indicator: Trojan.MSIL.Bladabindi.1": [[371, 395]], "Indicator: Trojan.Win32.Z.Bladabindi.192000.A": [[396, 430]], "Indicator: Trojan:MSIL/Inmalsal.A": [[461, 483]], "Indicator: MSIL/Kryptik.GJY!tr": [[484, 503]], "Indicator: Trj/GdSda.A": [[504, 515]], "Indicator: Win32/Trojan.BO.610": [[516, 535]]}, "info": {"id": "cyner2_5class_train_04422", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Constructor.Win32.Houndhack!O Backdoor.Venik.MUE.J2 Trojan/Farfli.bwm BKDR_VENIK_EL150010.UVPM Constructor.Win32.Houndhack.a Riskware.Win32.Houndhack.erbccv Trojan.DownLoader17.62076 BKDR_VENIK_EL150010.UVPM BehavesLike.Win32.Backdoor.dc HackTool[Constructor]/Win32.Houndhack Trojan.Zusy.D35C86 Constructor.Win32.Houndhack.a Backdoor:Win32/Venik.J Backdoor/Win32.Venik.R169912 Constructor.Houndhack 
Constructor.Houndhack! Trojan.Constructor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Constructor.Win32.Houndhack!O": [[26, 55]], "Indicator: Backdoor.Venik.MUE.J2": [[56, 77]], "Indicator: Trojan/Farfli.bwm": [[78, 95]], "Indicator: BKDR_VENIK_EL150010.UVPM": [[96, 120], [209, 233]], "Indicator: Constructor.Win32.Houndhack.a": [[121, 150], [321, 350]], "Indicator: Riskware.Win32.Houndhack.erbccv": [[151, 182]], "Indicator: Trojan.DownLoader17.62076": [[183, 208]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[234, 263]], "Indicator: HackTool[Constructor]/Win32.Houndhack": [[264, 301]], "Indicator: Trojan.Zusy.D35C86": [[302, 320]], "Indicator: Backdoor:Win32/Venik.J": [[351, 373]], "Indicator: Backdoor/Win32.Venik.R169912": [[374, 402]], "Indicator: Constructor.Houndhack": [[403, 424]], "Indicator: Constructor.Houndhack!": [[425, 447]], "Indicator: Trojan.Constructor": [[448, 466]]}, "info": {"id": "cyner2_5class_train_04423", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Application.BitCoinMiner.ZM Trojan.BitMiner Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.BitCoinMiner.agl Riskware.Win64.BitMiner.ewyekq BehavesLike.Win32.AdwareLinkury.vc PUA/CoinMiner.B Trojan/Win32.BitCoinMiner Trojan.Win32.BitCoinMiner.agl Trojan.Win32.BitcoinMiner", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.BitCoinMiner.ZM": [[26, 53]], "Indicator: Trojan.BitMiner": [[54, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[70, 112]], "Indicator: Trojan.Win32.BitCoinMiner.agl": [[113, 142], [251, 280]], "Indicator: Riskware.Win64.BitMiner.ewyekq": [[143, 173]], "Indicator: BehavesLike.Win32.AdwareLinkury.vc": [[174, 208]], "Indicator: PUA/CoinMiner.B": [[209, 224]], "Indicator: Trojan/Win32.BitCoinMiner": [[225, 250]], "Indicator: Trojan.Win32.BitcoinMiner": [[281, 306]]}, "info": {"id": "cyner2_5class_train_04424", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Win32.Small!O 
Trojan.Maptsc Trojan.Small.Win32.19366 Trojan.Heur.RP.EAC7EB TROJ_SMALL.NHQ Trojan.Win32.Small.cpb Trojan.Win32.Small.ebpbhy Troj.W32.Small.cpb!c Trojan.Click2.55177 TROJ_SMALL.NHQ Trojan.Win32.Small W32/Trojan.ZWIN-6050 Trojan/Small.ovd TR/Spy.6656.172 Trojan/Win32.Small Trojan:Win32/Maptsc.A Trojan.Win32.Small.cpb Trojan/Win32.Connapts.C256364 Trojan.Small.cpb Trojan.Small Win32.Trojan.Small.Edod Trojan.Click!cGVrs+boA6s Win32/Trojan.4c4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Small!O": [[26, 46]], "Indicator: Trojan.Maptsc": [[47, 60]], "Indicator: Trojan.Small.Win32.19366": [[61, 85]], "Indicator: Trojan.Heur.RP.EAC7EB": [[86, 107]], "Indicator: TROJ_SMALL.NHQ": [[108, 122], [213, 227]], "Indicator: Trojan.Win32.Small.cpb": [[123, 145], [342, 364]], "Indicator: Trojan.Win32.Small.ebpbhy": [[146, 171]], "Indicator: Troj.W32.Small.cpb!c": [[172, 192]], "Indicator: Trojan.Click2.55177": [[193, 212]], "Indicator: Trojan.Win32.Small": [[228, 246]], "Indicator: W32/Trojan.ZWIN-6050": [[247, 267]], "Indicator: Trojan/Small.ovd": [[268, 284]], "Indicator: TR/Spy.6656.172": [[285, 300]], "Indicator: Trojan/Win32.Small": [[301, 319]], "Indicator: Trojan:Win32/Maptsc.A": [[320, 341]], "Indicator: Trojan/Win32.Connapts.C256364": [[365, 394]], "Indicator: Trojan.Small.cpb": [[395, 411]], "Indicator: Trojan.Small": [[412, 424]], "Indicator: Win32.Trojan.Small.Edod": [[425, 448]], "Indicator: Trojan.Click!cGVrs+boA6s": [[449, 473]], "Indicator: Win32/Trojan.4c4": [[474, 490]]}, "info": {"id": "cyner2_5class_train_04425", "source": "cyner2_5class_train"}}
+{"text": "We found 280 such apps in the past three months .", "spans": {}, "info": {"id": "cyner2_5class_train_04426", "source": "cyner2_5class_train"}}
+{"text": "The evidence above suggests that EventBot is still in the development stage , and as such , is not likely to have been used for large attack campaigns thus far .", "spans": {"Malware: EventBot": [[33, 41]]}, "info": {"id": 
"cyner2_5class_train_04427", "source": "cyner2_5class_train"}}
+{"text": "At the time of writing , the content served at the given URL on uyghurapps [ .", "spans": {"Indicator: uyghurapps [ .": [[64, 78]]}, "info": {"id": "cyner2_5class_train_04428", "source": "cyner2_5class_train"}}
+{"text": "READ_CONTACTS - Allows the application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner2_5class_train_04429", "source": "cyner2_5class_train"}}
+{"text": "More information from PWC about Sofacy Bedep malware using DGA CozyDuke aka CozyBear, CozyCar or Office Monkeys is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets.", "spans": {"Organization: PWC": [[22, 25]], "Malware: Sofacy Bedep malware": [[32, 52]]}, "info": {"id": "cyner2_5class_train_04430", "source": "cyner2_5class_train"}}
+{"text": "Though different versions of the app vary in structure , malicious code was initialized at application launch without the user ’ s knowledge , and a number of timers were setup to gather and upload data periodically .", "spans": {}, "info": {"id": "cyner2_5class_train_04431", "source": "cyner2_5class_train"}}
+{"text": "Moreover , eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014 .", "spans": {"Organization: eSurv": [[11, 16]], "Organization: Connexxa": [[40, 48]], "Organization: eSurv S.R.L": [[67, 78]]}, "info": {"id": "cyner2_5class_train_04432", "source": "cyner2_5class_train"}}
+{"text": "It ’ s not a definite correlation , but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code .", "spans": {"Malware: Bouncing Golf": [[40, 53]], "Malware: Domestic Kitten": [[91, 106]]}, "info": {"id": "cyner2_5class_train_04433", "source": "cyner2_5class_train"}}
+{"text": "In the email screenshot with our added machine translation from Russian, notice the subject line and message body text reflecting a business customer upset about extra 
charges on his credit card social engineering theme.", "spans": {"Indicator: email": [[7, 12]], "System: added machine translation": [[33, 58]], "Indicator: subject": [[84, 91]], "Organization: a business customer": [[130, 149]], "Indicator: credit card social engineering theme.": [[183, 220]]}, "info": {"id": "cyner2_5class_train_04434", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.GarusenV.Trojan Worm/W32.Vobfus.225280 Worm.Win32.Vobfus!O W32/Vobfus.io Trojan.Barys.950 WORM_VOBFUS.SM02 Win32.Trojan.VBObfus.f WORM_VOBFUS.SM02 Win.Trojan.Vobfus-28 Worm.Win32.Vobfus.biec Trojan.Win32.WBNA.cihuhh Worm.Win32.A.Vobfus.225280 TrojWare.Win32.Pronny.EE Trojan.VbCrypt.60 BehavesLike.Win32.VBObfus.dm Worm.Win32.Vobfus Worm/WBNA.dfdh WORM/Vobfus.dbmnua Worm.Win32.Vobfus.biec Trojan/Win32.Vobfus.R36953 BScope.Trojan.Diple Win32/Pronny.EJ W32/Vobfus.GEW.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.GarusenV.Trojan": [[26, 45]], "Indicator: Worm/W32.Vobfus.225280": [[46, 68]], "Indicator: Worm.Win32.Vobfus!O": [[69, 88]], "Indicator: W32/Vobfus.io": [[89, 102]], "Indicator: Trojan.Barys.950": [[103, 119]], "Indicator: WORM_VOBFUS.SM02": [[120, 136], [160, 176]], "Indicator: Win32.Trojan.VBObfus.f": [[137, 159]], "Indicator: Win.Trojan.Vobfus-28": [[177, 197]], "Indicator: Worm.Win32.Vobfus.biec": [[198, 220], [397, 419]], "Indicator: Trojan.Win32.WBNA.cihuhh": [[221, 245]], "Indicator: Worm.Win32.A.Vobfus.225280": [[246, 272]], "Indicator: TrojWare.Win32.Pronny.EE": [[273, 297]], "Indicator: Trojan.VbCrypt.60": [[298, 315]], "Indicator: BehavesLike.Win32.VBObfus.dm": [[316, 344]], "Indicator: Worm.Win32.Vobfus": [[345, 362]], "Indicator: Worm/WBNA.dfdh": [[363, 377]], "Indicator: WORM/Vobfus.dbmnua": [[378, 396]], "Indicator: Trojan/Win32.Vobfus.R36953": [[420, 446]], "Indicator: BScope.Trojan.Diple": [[447, 466]], "Indicator: Win32/Pronny.EJ": [[467, 482]], "Indicator: W32/Vobfus.GEW.worm": [[483, 502]]}, "info": {"id": 
"cyner2_5class_train_04435", "source": "cyner2_5class_train"}} +{"text": "However , in 2013 , autonomous mobile banking Trojans developed further .", "spans": {}, "info": {"id": "cyner2_5class_train_04436", "source": "cyner2_5class_train"}} +{"text": "For instance , in the case of the “ Execute ” opcode ( 0x17 ) , the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed .", "spans": {}, "info": {"id": "cyner2_5class_train_04437", "source": "cyner2_5class_train"}} +{"text": "These have been the attacks on Saudi Arabian companies where a destructive malware known as Disttrack was deployed.", "spans": {"Indicator: attacks": [[20, 27]], "Organization: Saudi Arabian companies": [[31, 54]], "Malware: destructive malware": [[63, 82]], "Malware: Disttrack": [[92, 101]]}, "info": {"id": "cyner2_5class_train_04438", "source": "cyner2_5class_train"}} +{"text": "In addition, we found that the infrastructure used in this case overlaps with FindPOS/PoSeidon as well as Chanitor and sits amidst a cluster of largely indiscriminate malicious activity.", "spans": {"Malware: FindPOS/PoSeidon": [[78, 94]], "Malware: Chanitor": [[106, 114]]}, "info": {"id": "cyner2_5class_train_04439", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Chifrax.150357 Trojan.Chifrax.rw5 Trojan/Chifrax.a BKDR_POISON.VA W32/Poison.AX Backdoor.Odivy Win32/Poison.AAE BKDR_POISON.VA Win.Trojan.Poison-11 Trojan.Win32.Chifrax.a Trojan.Win32.Chifrax.fwpet Trojan.DownLoader9.38925 Trojan.Chifrax.Win32.1349 BehavesLike.Win32.Dropper.cc W32/Poison.HQGF-3018 Trojan/Chifrax.epp TR/Drop.PoisonIvy.C.1 W32/Chifrax.A!tr Trojan/Win32.Chifrax Troj.W32.Chifrax.a!c TrojanDropper:Win32/Poisonivy.C Win-Trojan/Poisonivy.150357 Trojan.Chifrax Win32/Poison.NGS Win32.Trojan.Chifrax.Wskn Trojan.Chifrax!Xo07JnrMN1M Trojan.Win32.Chifrax Trj/Chifrax.C Win32/Trojan.954", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Trojan/W32.Chifrax.150357": [[26, 51]], "Indicator: Trojan.Chifrax.rw5": [[52, 70]], "Indicator: Trojan/Chifrax.a": [[71, 87]], "Indicator: BKDR_POISON.VA": [[88, 102], [149, 163]], "Indicator: W32/Poison.AX": [[103, 116]], "Indicator: Backdoor.Odivy": [[117, 131]], "Indicator: Win32/Poison.AAE": [[132, 148]], "Indicator: Win.Trojan.Poison-11": [[164, 184]], "Indicator: Trojan.Win32.Chifrax.a": [[185, 207]], "Indicator: Trojan.Win32.Chifrax.fwpet": [[208, 234]], "Indicator: Trojan.DownLoader9.38925": [[235, 259]], "Indicator: Trojan.Chifrax.Win32.1349": [[260, 285]], "Indicator: BehavesLike.Win32.Dropper.cc": [[286, 314]], "Indicator: W32/Poison.HQGF-3018": [[315, 335]], "Indicator: Trojan/Chifrax.epp": [[336, 354]], "Indicator: TR/Drop.PoisonIvy.C.1": [[355, 376]], "Indicator: W32/Chifrax.A!tr": [[377, 393]], "Indicator: Trojan/Win32.Chifrax": [[394, 414]], "Indicator: Troj.W32.Chifrax.a!c": [[415, 435]], "Indicator: TrojanDropper:Win32/Poisonivy.C": [[436, 467]], "Indicator: Win-Trojan/Poisonivy.150357": [[468, 495]], "Indicator: Trojan.Chifrax": [[496, 510]], "Indicator: Win32/Poison.NGS": [[511, 527]], "Indicator: Win32.Trojan.Chifrax.Wskn": [[528, 553]], "Indicator: Trojan.Chifrax!Xo07JnrMN1M": [[554, 580]], "Indicator: Trojan.Win32.Chifrax": [[581, 601]], "Indicator: Trj/Chifrax.C": [[602, 615]], "Indicator: Win32/Trojan.954": [[616, 632]]}, "info": {"id": "cyner2_5class_train_04440", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: AIT:Trojan.Autoit.CLU Win32.Trojan-Dropper.Autoit.l W32/Trojan.TWFF-1697 AIT:Trojan.Autoit.CLU Trojan.Win32.Beast.exaenx AIT:Trojan.Autoit.CLU BackDoor.Beast BehavesLike.Win32.PUPXAI.dh AIT:Trojan.Autoit.CLU Trojan.Autoit.F AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU Trj/CI.A Win32/Trojan.0fc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AIT:Trojan.Autoit.CLU": [[26, 47], [99, 120], [147, 168], [212, 233], [250, 271], [272, 293]], "Indicator: Win32.Trojan-Dropper.Autoit.l": [[48, 77]], 
"Indicator: W32/Trojan.TWFF-1697": [[78, 98]], "Indicator: Trojan.Win32.Beast.exaenx": [[121, 146]], "Indicator: BackDoor.Beast": [[169, 183]], "Indicator: BehavesLike.Win32.PUPXAI.dh": [[184, 211]], "Indicator: Trojan.Autoit.F": [[234, 249]], "Indicator: Trj/CI.A": [[294, 302]], "Indicator: Win32/Trojan.0fc": [[303, 319]]}, "info": {"id": "cyner2_5class_train_04441", "source": "cyner2_5class_train"}} +{"text": "Chikdos is a malware that targeted MySQL servers to make them conduct distributed denial-of-service DDoS attacks against other websites.", "spans": {"Malware: Chikdos": [[0, 7]], "Malware: malware": [[13, 20]], "Indicator: targeted": [[26, 34]], "System: MySQL servers": [[35, 48]], "Indicator: distributed denial-of-service DDoS attacks": [[70, 112]]}, "info": {"id": "cyner2_5class_train_04442", "source": "cyner2_5class_train"}} +{"text": "Exfiltrated device information and additional sensitive data sent to the C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_04443", "source": "cyner2_5class_train"}} +{"text": "In addition , it monitors to verify if com.android.music.helper package is removed .", "spans": {"Indicator: com.android.music.helper": [[39, 63]]}, "info": {"id": "cyner2_5class_train_04444", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Tartober BKDR_TARTOBER.A Win32.Trojan.WisdomEyes.16070401.9500.9999 BScope.Trojan-Spy.Zbot BKDR_TARTOBER.A Trojan.Win32.Wisp.zraky BackDoor.Wisp.11 BehavesLike.Win32.Trojan.dc W32/Trojan.TTYH-5266 Trojan.Zusy.Elzob.D39B5 Backdoor:Win32/Tartober.A Trj/CI.A Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Tartober": [[26, 43]], "Indicator: BKDR_TARTOBER.A": [[44, 59], [126, 141]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[60, 102]], "Indicator: BScope.Trojan-Spy.Zbot": [[103, 125]], "Indicator: Trojan.Win32.Wisp.zraky": [[142, 165]], "Indicator: BackDoor.Wisp.11": [[166, 182]], "Indicator: BehavesLike.Win32.Trojan.dc": 
[[183, 210]], "Indicator: W32/Trojan.TTYH-5266": [[211, 231]], "Indicator: Trojan.Zusy.Elzob.D39B5": [[232, 255]], "Indicator: Backdoor:Win32/Tartober.A": [[256, 281]], "Indicator: Trj/CI.A": [[282, 290]], "Indicator: Win32/Trojan.e6d": [[291, 307]]}, "info": {"id": "cyner2_5class_train_04445", "source": "cyner2_5class_train"}} +{"text": "This could indicate that actor already has plans in expanding the targets to applications from different countries and regions .", "spans": {}, "info": {"id": "cyner2_5class_train_04446", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.WannaCry.5267459.F Ransom.Zenshirsh.SL8 Ransom.WannaCrypt Trojan/Exploit.CVE-2017-0147.a Win32.Worm.Rbot.a Ransom.Wannacry Ransom_WCRY.SMJ Win.Ransomware.WannaCry-6313787-0 Win32.Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Trojan.Win32.Wanna.epxkni Trojan.Win32.WannaCry.5267459 Troj.Ransom.W32.Wanna.toP0 Trojan.Encoder.11432 Trojan.Wanna.Win32.98 Ransom_WCRY.SMJ BehavesLike.Win32.RansomWannaCry.tt Trojan.Wanna.k TR/WannaCrypt.ahdyg Trojan[Ransom]/Win32.Wanna Trojan:Win32/Eqtonex.F!dha Trojan-Ransom.Win32.Wanna.m Trojan/Win32.WannaCryptor.R200894 Hoax.Wanna Trj/GdSda.A Win32/Exploit.CVE-2017-0147.A Exploit.CVE-2017-0147! 
Trojan.Win32.Exploit W32/Wanna.M!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.WannaCry.5267459.F": [[26, 55]], "Indicator: Ransom.Zenshirsh.SL8": [[56, 76]], "Indicator: Ransom.WannaCrypt": [[77, 94]], "Indicator: Trojan/Exploit.CVE-2017-0147.a": [[95, 125]], "Indicator: Win32.Worm.Rbot.a": [[126, 143]], "Indicator: Ransom.Wannacry": [[144, 159]], "Indicator: Ransom_WCRY.SMJ": [[160, 175], [394, 409]], "Indicator: Win.Ransomware.WannaCry-6313787-0": [[176, 209]], "Indicator: Win32.Exploit.CVE-2017-0147.A": [[210, 239]], "Indicator: Trojan-Ransom.Win32.Wanna.m": [[240, 267], [535, 562]], "Indicator: Trojan.Win32.Wanna.epxkni": [[268, 293]], "Indicator: Trojan.Win32.WannaCry.5267459": [[294, 323]], "Indicator: Troj.Ransom.W32.Wanna.toP0": [[324, 350]], "Indicator: Trojan.Encoder.11432": [[351, 371]], "Indicator: Trojan.Wanna.Win32.98": [[372, 393]], "Indicator: BehavesLike.Win32.RansomWannaCry.tt": [[410, 445]], "Indicator: Trojan.Wanna.k": [[446, 460]], "Indicator: TR/WannaCrypt.ahdyg": [[461, 480]], "Indicator: Trojan[Ransom]/Win32.Wanna": [[481, 507]], "Indicator: Trojan:Win32/Eqtonex.F!dha": [[508, 534]], "Indicator: Trojan/Win32.WannaCryptor.R200894": [[563, 596]], "Indicator: Hoax.Wanna": [[597, 607]], "Indicator: Trj/GdSda.A": [[608, 619]], "Indicator: Win32/Exploit.CVE-2017-0147.A": [[620, 649]], "Indicator: Exploit.CVE-2017-0147!": [[650, 672]], "Indicator: Trojan.Win32.Exploit": [[673, 693]], "Indicator: W32/Wanna.M!tr": [[694, 708]]}, "info": {"id": "cyner2_5class_train_04447", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.TrojanPigax Trojan-Downloader.Win32.Small.akrf Trojan-Downloader.Win32.Small.akrf TR/Dldr.Small.akrf Trojan.Dldr.Small.akrf Trojan-Downloader.Win32.Small.akrf Trojan-Downloader.Win32.Small W32/Small.AKRF!tr.dldr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.TrojanPigax": [[26, 43]], "Indicator: Trojan-Downloader.Win32.Small.akrf": [[44, 78], [79, 113], [156, 
190]], "Indicator: TR/Dldr.Small.akrf": [[114, 132]], "Indicator: Trojan.Dldr.Small.akrf": [[133, 155]], "Indicator: Trojan-Downloader.Win32.Small": [[191, 220]], "Indicator: W32/Small.AKRF!tr.dldr": [[221, 243]], "Indicator: Trj/CI.A": [[244, 252]]}, "info": {"id": "cyner2_5class_train_04448", "source": "cyner2_5class_train"}} +{"text": "Locate your device : Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA .", "spans": {"System: Android Device Manager": [[55, 77]]}, "info": {"id": "cyner2_5class_train_04449", "source": "cyner2_5class_train"}} +{"text": "REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies including defense as well as those in biotechnology, electronics manufacturing, and industrial chemistry.", "spans": {"Organization: Japanese organizations": [[95, 117]], "Organization: government agencies": [[126, 145]], "Organization: biotechnology, electronics manufacturing,": [[184, 225]], "Organization: industrial chemistry.": [[230, 251]]}, "info": {"id": "cyner2_5class_train_04450", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NaviPromo.3 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Lipler.B!packed TROJ_SKINTRI.SMC Trojan.Win32.Hrup.aah Troj.Downloader.W32.Lipler.lcwl TROJ_SKINTRI.SMC Trojan/Win32.Hrup Trojan:Win32/Skintrim.C Trojan.Win32.Hrup.aah Win32.Trojan.Hrup.Ajvd Trojan.Win32.Skintrim W32/Skintrim.CG!tr Win32/Trojan.IM.c6f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NaviPromo.3": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Win32/Lipler.B!packed": [[88, 109]], "Indicator: TROJ_SKINTRI.SMC": [[110, 126], [181, 197]], "Indicator: Trojan.Win32.Hrup.aah": [[127, 148], [240, 261]], "Indicator: Troj.Downloader.W32.Lipler.lcwl": [[149, 180]], "Indicator: Trojan/Win32.Hrup": [[198, 
215]], "Indicator: Trojan:Win32/Skintrim.C": [[216, 239]], "Indicator: Win32.Trojan.Hrup.Ajvd": [[262, 284]], "Indicator: Trojan.Win32.Skintrim": [[285, 306]], "Indicator: W32/Skintrim.CG!tr": [[307, 325]], "Indicator: Win32/Trojan.IM.c6f": [[326, 345]]}, "info": {"id": "cyner2_5class_train_04451", "source": "cyner2_5class_train"}} +{"text": "Ursnif campaigns against EU and mainly Italy spreaded by a JScript", "spans": {"System: JScript": [[59, 66]]}, "info": {"id": "cyner2_5class_train_04452", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Autorun.Worm.aaeh Win32.Trojan.WisdomEyes.16070401.9500.9867 TSPY_TEPFER.GB Trojan.Win32.VBTrojan.bvufrt TrojWare.Win32.VB.HR Trojan.DownLoader10.21377 TSPY_TEPFER.GB BehavesLike.Win32.Swisyn.cc Trojan:Win32/Beelog.C Trojan.Win32.Jorik.28672.A Trojan/Win32.Jorik.R44838 Trj/CI.A Win32/Trojan.Downloader.f2c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Autorun.Worm.aaeh": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9867": [[48, 90]], "Indicator: TSPY_TEPFER.GB": [[91, 105], [182, 196]], "Indicator: Trojan.Win32.VBTrojan.bvufrt": [[106, 134]], "Indicator: TrojWare.Win32.VB.HR": [[135, 155]], "Indicator: Trojan.DownLoader10.21377": [[156, 181]], "Indicator: BehavesLike.Win32.Swisyn.cc": [[197, 224]], "Indicator: Trojan:Win32/Beelog.C": [[225, 246]], "Indicator: Trojan.Win32.Jorik.28672.A": [[247, 273]], "Indicator: Trojan/Win32.Jorik.R44838": [[274, 299]], "Indicator: Trj/CI.A": [[300, 308]], "Indicator: Win32/Trojan.Downloader.f2c": [[309, 336]]}, "info": {"id": "cyner2_5class_train_04453", "source": "cyner2_5class_train"}} +{"text": "If a device isn ’ t rooted , it downloads from the server an exploit pack and executes it to obtain root on device .", "spans": {}, "info": {"id": "cyner2_5class_train_04454", "source": "cyner2_5class_train"}} +{"text": "To bypass Google Play Store security checks , the malware creators used a very interesting method : they uploaded a clean 
app to the store at the end of March , 2017 , and would then update it with a malicious version for short period of time .", "spans": {"System: Google Play Store": [[10, 27]]}, "info": {"id": "cyner2_5class_train_04455", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Yaha.S W32/Yaha.aa@MM Trojan.Heur.ED1374C Win32.Trojan.WisdomEyes.16070401.9500.9777 W32.Yaha.AE@mm Win32/Yaha.Y Win.Worm.Yaha-8 Email-Worm.Win32.Lentin.s Trojan.Win32.Lentin.emzf I-Worm.Win32.Yaha.60304 Win32.Worm-email.Lentin.Wvki TrojWare.Win32.Patched.KSU Win32.HLLM.Yaha.7 W32/Yaha.aa@MM WORM/Lentin.S Worm[Email]/Win32.Lentin Worm:Win32/Yaha.AA@mm Backdoor.W32.Bifrose.l4Wh Email-Worm.Win32.Lentin.s Trojan.Win32.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Yaha.S": [[26, 36]], "Indicator: W32/Yaha.aa@MM": [[37, 51], [308, 322]], "Indicator: Trojan.Heur.ED1374C": [[52, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9777": [[72, 114]], "Indicator: W32.Yaha.AE@mm": [[115, 129]], "Indicator: Win32/Yaha.Y": [[130, 142]], "Indicator: Win.Worm.Yaha-8": [[143, 158]], "Indicator: Email-Worm.Win32.Lentin.s": [[159, 184], [410, 435]], "Indicator: Trojan.Win32.Lentin.emzf": [[185, 209]], "Indicator: I-Worm.Win32.Yaha.60304": [[210, 233]], "Indicator: Win32.Worm-email.Lentin.Wvki": [[234, 262]], "Indicator: TrojWare.Win32.Patched.KSU": [[263, 289]], "Indicator: Win32.HLLM.Yaha.7": [[290, 307]], "Indicator: WORM/Lentin.S": [[323, 336]], "Indicator: Worm[Email]/Win32.Lentin": [[337, 361]], "Indicator: Worm:Win32/Yaha.AA@mm": [[362, 383]], "Indicator: Backdoor.W32.Bifrose.l4Wh": [[384, 409]], "Indicator: Trojan.Win32.Rbot": [[436, 453]]}, "info": {"id": "cyner2_5class_train_04456", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Win32.Veebee.1!O Trojan.VB.rw3 Trojan.Happili Trojan.Inject!SEi/RTfcvEo W32/Backdoor2.HUHI TROJ_SPNR.0BD714 Trojan.Win32.Inject.kxez Trojan.Win32.Inject.cwbjpa Trojan.Boaxxe.2 Trojan.Inject.Win32.72022 
TR/Dropper.VB.6820 TROJ_SPNR.0BD714 Trojan/Win32.Inject Win32.Troj.Inject.kx.kcloud W32/Backdoor.PZSO-6760 TScope.Trojan.VB Trj/WLT.A Win32/Boaxxe.BL Win32.Trojan.Inject.Sxek Virus.Win32.VBInject W32/Zbot.RZIM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Win32.Veebee.1!O": [[26, 47]], "Indicator: Trojan.VB.rw3": [[48, 61]], "Indicator: Trojan.Happili": [[62, 76]], "Indicator: Trojan.Inject!SEi/RTfcvEo": [[77, 102]], "Indicator: W32/Backdoor2.HUHI": [[103, 121]], "Indicator: TROJ_SPNR.0BD714": [[122, 138], [252, 268]], "Indicator: Trojan.Win32.Inject.kxez": [[139, 163]], "Indicator: Trojan.Win32.Inject.cwbjpa": [[164, 190]], "Indicator: Trojan.Boaxxe.2": [[191, 206]], "Indicator: Trojan.Inject.Win32.72022": [[207, 232]], "Indicator: TR/Dropper.VB.6820": [[233, 251]], "Indicator: Trojan/Win32.Inject": [[269, 288]], "Indicator: Win32.Troj.Inject.kx.kcloud": [[289, 316]], "Indicator: W32/Backdoor.PZSO-6760": [[317, 339]], "Indicator: TScope.Trojan.VB": [[340, 356]], "Indicator: Trj/WLT.A": [[357, 366]], "Indicator: Win32/Boaxxe.BL": [[367, 382]], "Indicator: Win32.Trojan.Inject.Sxek": [[383, 407]], "Indicator: Virus.Win32.VBInject": [[408, 428]], "Indicator: W32/Zbot.RZIM!tr": [[429, 445]]}, "info": {"id": "cyner2_5class_train_04457", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.Hukle.157044 Trojan.Hukle.Win32.18 Trojan/PSW.Hukle.o Trojan.PWS.Hukle!uPlO8aKf2dU W32/Trojan2.GWXZ Infostealer.Hukle TROJ_HUKLE.O Win.Trojan.Hukle-16 Trojan-PSW.Win32.Hukle.o Trojan.Win32.Hukle.dhvf Troj.PSW32.W.Hukle.o!c TrojWare.Win32.PSW.Hukle.~R Trojan.PWS.Hukle.145 TROJ_HUKLE.O BehavesLike.Win32.PWSZbot.ch W32/Trojan.TBYH-4941 Trojan/Hiddukel.t W32/Hukle.O!tr.pws Trojan[PSW]/Win32.Hukle Trojan.Zusy.Elzob.D3190 Win-Trojan/Hukle.151040 PWS:Win32/Hukle.O Trojan-PWS.Win32.Hukle Trojan.Win32.InfoStealer.o", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.Hukle.157044": [[26, 53]], "Indicator: 
Trojan.Hukle.Win32.18": [[54, 75]], "Indicator: Trojan/PSW.Hukle.o": [[76, 94]], "Indicator: Trojan.PWS.Hukle!uPlO8aKf2dU": [[95, 123]], "Indicator: W32/Trojan2.GWXZ": [[124, 140]], "Indicator: Infostealer.Hukle": [[141, 158]], "Indicator: TROJ_HUKLE.O": [[159, 171], [313, 325]], "Indicator: Win.Trojan.Hukle-16": [[172, 191]], "Indicator: Trojan-PSW.Win32.Hukle.o": [[192, 216]], "Indicator: Trojan.Win32.Hukle.dhvf": [[217, 240]], "Indicator: Troj.PSW32.W.Hukle.o!c": [[241, 263]], "Indicator: TrojWare.Win32.PSW.Hukle.~R": [[264, 291]], "Indicator: Trojan.PWS.Hukle.145": [[292, 312]], "Indicator: BehavesLike.Win32.PWSZbot.ch": [[326, 354]], "Indicator: W32/Trojan.TBYH-4941": [[355, 375]], "Indicator: Trojan/Hiddukel.t": [[376, 393]], "Indicator: W32/Hukle.O!tr.pws": [[394, 412]], "Indicator: Trojan[PSW]/Win32.Hukle": [[413, 436]], "Indicator: Trojan.Zusy.Elzob.D3190": [[437, 460]], "Indicator: Win-Trojan/Hukle.151040": [[461, 484]], "Indicator: PWS:Win32/Hukle.O": [[485, 502]], "Indicator: Trojan-PWS.Win32.Hukle": [[503, 525]], "Indicator: Trojan.Win32.InfoStealer.o": [[526, 552]]}, "info": {"id": "cyner2_5class_train_04458", "source": "cyner2_5class_train"}} +{"text": "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation the same origin policy and Firefox's PDF Viewer.", "spans": {"Vulnerability: vulnerability": [[4, 17]], "Vulnerability: JavaScript": [[76, 86]], "System: Firefox's PDF Viewer.": [[133, 154]]}, "info": {"id": "cyner2_5class_train_04459", "source": "cyner2_5class_train"}} +{"text": "ACCESS_NETWORK_STATE - allow the app to access information about networks .", "spans": {}, "info": {"id": "cyner2_5class_train_04460", "source": "cyner2_5class_train"}} +{"text": "] somtum [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04461", "source": "cyner2_5class_train"}} +{"text": "The email message and the lure document are written in Hebrew, Arabic or English – depending on the target audience.", "spans": 
{"Indicator: email message": [[4, 17]], "Indicator: the lure document are written in Hebrew, Arabic": [[22, 69]], "Organization: English": [[73, 80]]}, "info": {"id": "cyner2_5class_train_04462", "source": "cyner2_5class_train"}} +{"text": "The adversary's campaign has active and operational Command and Control C2 servers.", "spans": {"Indicator: Command and Control C2 servers.": [[52, 83]]}, "info": {"id": "cyner2_5class_train_04463", "source": "cyner2_5class_train"}} +{"text": "As the research progressed , it started to reveal unique characteristics which made us believe we were looking at an all-new malware campaign found in the wild .", "spans": {}, "info": {"id": "cyner2_5class_train_04464", "source": "cyner2_5class_train"}} +{"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner2_5class_train_04465", "source": "cyner2_5class_train"}} +{"text": "A one-man cybercriminal operation that uses point-of-salePoS malware has stolen more than 22,000 unique credit card numbers from terminals in Brazil,Canada, and the United States in a span of just one month.", "spans": {"Malware: point-of-salePoS malware": [[44, 68]], "Indicator: stolen": [[73, 79]], "Indicator: credit card numbers": [[104, 123]]}, "info": {"id": "cyner2_5class_train_04466", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/OnlineGames.LWBP Worm.Autorun-4618 Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.PWS.Wsgame.22668 Win32/Oflwr.A!crypt Heur:Trojan/PSW.OnlineGames BScope.HackTool.Sniffer.WpePro Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/OnlineGames.LWBP": [[26, 46]], "Indicator: Worm.Autorun-4618": [[47, 64]], "Indicator: Worm.Win32.Dropper.RA": [[65, 86]], "Indicator: Trojan:W32/DelfInject.R": [[87, 110]], "Indicator: Trojan.PWS.Wsgame.22668": [[111, 134]], "Indicator: Win32/Oflwr.A!crypt": [[135, 154]], "Indicator: Heur:Trojan/PSW.OnlineGames": [[155, 182]], "Indicator: BScope.HackTool.Sniffer.WpePro": 
[[183, 213]], "Indicator: Trj/CI.A": [[214, 222]]}, "info": {"id": "cyner2_5class_train_04467", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakelsasLTD1.Trojan Trojan.Win32.Small!O Trojan.Upatre.S1164383 Trojan/Downloader.Small.aab Win32.Trojan.Inject.bm W32/Trojan.TBSZ-0334 Win32/Upatre.Q TROJ_BANLOAD.KAV Win.Trojan.Rubinurd-67 Trojan.Win32.Small.cpl Trojan.Win32.Small.ciwsuw TrojWare.Win32.Injector.AH Trojan.DownLoad3.28161 Trojan.Bublik.Win32.12106 TROJ_BANLOAD.KAV BehavesLike.Win32.PWSZbot.dh Backdoor.Win32.Androm W32/Trojan3.GBH Trojan/Small.oxi Trojan/Win32.Bublik Trojan.Win32.Small.cpl Trojan:Win32/Dorv.D!rfn Worm/Win32.Palevo.C199836 Trojan.Small Trojan.Email.FA Trojan.Small.AAB Win32/TrojanDownloader.Small.AAB Trojan.Bublik!BrbaRvXyIc8 W32/Bublik.AAB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakelsasLTD1.Trojan": [[26, 49]], "Indicator: Trojan.Win32.Small!O": [[50, 70]], "Indicator: Trojan.Upatre.S1164383": [[71, 93]], "Indicator: Trojan/Downloader.Small.aab": [[94, 121]], "Indicator: Win32.Trojan.Inject.bm": [[122, 144]], "Indicator: W32/Trojan.TBSZ-0334": [[145, 165]], "Indicator: Win32/Upatre.Q": [[166, 180]], "Indicator: TROJ_BANLOAD.KAV": [[181, 197], [346, 362]], "Indicator: Win.Trojan.Rubinurd-67": [[198, 220]], "Indicator: Trojan.Win32.Small.cpl": [[221, 243], [467, 489]], "Indicator: Trojan.Win32.Small.ciwsuw": [[244, 269]], "Indicator: TrojWare.Win32.Injector.AH": [[270, 296]], "Indicator: Trojan.DownLoad3.28161": [[297, 319]], "Indicator: Trojan.Bublik.Win32.12106": [[320, 345]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[363, 391]], "Indicator: Backdoor.Win32.Androm": [[392, 413]], "Indicator: W32/Trojan3.GBH": [[414, 429]], "Indicator: Trojan/Small.oxi": [[430, 446]], "Indicator: Trojan/Win32.Bublik": [[447, 466]], "Indicator: Trojan:Win32/Dorv.D!rfn": [[490, 513]], "Indicator: Worm/Win32.Palevo.C199836": [[514, 539]], "Indicator: Trojan.Small": [[540, 552]], "Indicator: Trojan.Email.FA": 
[[553, 568]], "Indicator: Trojan.Small.AAB": [[569, 585]], "Indicator: Win32/TrojanDownloader.Small.AAB": [[586, 618]], "Indicator: Trojan.Bublik!BrbaRvXyIc8": [[619, 644]], "Indicator: W32/Bublik.AAB!tr": [[645, 662]]}, "info": {"id": "cyner2_5class_train_04468", "source": "cyner2_5class_train"}} +{"text": "Custom Encryption Other variants have used custom-implemented encryption algorithms .", "spans": {}, "info": {"id": "cyner2_5class_train_04469", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Backdoor.80", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Backdoor.80": [[26, 44]]}, "info": {"id": "cyner2_5class_train_04470", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Exxroute.A3 Trojan.Ransom.Lukitos.1 Ransom_CERBER.SM37 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Ramnit!dr Ransom_CERBER.SM37 Trojan.PWS.Sphinx.2 BehavesLike.Win32.Ransomware.cc Trojan:Win32/CeeInject.MJ!bit Trojan/Win32.Fareit.R189070 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Exxroute.A3": [[26, 44]], "Indicator: Trojan.Ransom.Lukitos.1": [[45, 68]], "Indicator: Ransom_CERBER.SM37": [[69, 87], [145, 163]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[88, 130]], "Indicator: W32.Ramnit!dr": [[131, 144]], "Indicator: Trojan.PWS.Sphinx.2": [[164, 183]], "Indicator: BehavesLike.Win32.Ransomware.cc": [[184, 215]], "Indicator: Trojan:Win32/CeeInject.MJ!bit": [[216, 245]], "Indicator: Trojan/Win32.Fareit.R189070": [[246, 273]], "Indicator: Trj/GdSda.A": [[274, 285]]}, "info": {"id": "cyner2_5class_train_04471", "source": "cyner2_5class_train"}} +{"text": "Currently , the Twitoor trojan has been downloading several versions of mobile banking malware .", "spans": {"Malware: Twitoor": [[16, 23]]}, "info": {"id": "cyner2_5class_train_04472", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WisdwslD.Trojan TrojanDownloader.Esaprof.A4 Trojan.Strictor.D542D 
Trojan.Esaprof Win32/SillyDL.YTP TROJ_ESAPROF_EK2501B4.UVPM SWF.Plicker.1 TROJ_ESAPROF_EK2501B4.UVPM BehavesLike.Win32.Dropper.wc TrojanDownloader:SWF/Esaprof.B Trojan.Win32.Downloader.3514368[UPX] Trojan.Downloader Trj/CI.A SWF/TrojanDownloader.Esaprof.A Trojan.Patched", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WisdwslD.Trojan": [[26, 45]], "Indicator: TrojanDownloader.Esaprof.A4": [[46, 73]], "Indicator: Trojan.Strictor.D542D": [[74, 95]], "Indicator: Trojan.Esaprof": [[96, 110]], "Indicator: Win32/SillyDL.YTP": [[111, 128]], "Indicator: TROJ_ESAPROF_EK2501B4.UVPM": [[129, 155], [170, 196]], "Indicator: SWF.Plicker.1": [[156, 169]], "Indicator: BehavesLike.Win32.Dropper.wc": [[197, 225]], "Indicator: TrojanDownloader:SWF/Esaprof.B": [[226, 256]], "Indicator: Trojan.Win32.Downloader.3514368[UPX]": [[257, 293]], "Indicator: Trojan.Downloader": [[294, 311]], "Indicator: Trj/CI.A": [[312, 320]], "Indicator: SWF/TrojanDownloader.Esaprof.A": [[321, 351]], "Indicator: Trojan.Patched": [[352, 366]]}, "info": {"id": "cyner2_5class_train_04473", "source": "cyner2_5class_train"}} +{"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism .", "spans": {"Vulnerability: Windows kernel vulnerability": [[4, 32]], "Vulnerability: CVE-2015-2387": [[35, 48]], "Indicator: ATMFD.dll": [[98, 107]]}, "info": {"id": "cyner2_5class_train_04474", "source": "cyner2_5class_train"}} +{"text": "A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in Beijing, China.", "spans": {"Indicator: spear-phishing email": [[2, 22]], "Organization: diplomat of the Embassy of Uzbekistan": [[37, 74]]}, "info": {"id": "cyner2_5class_train_04475", "source": "cyner2_5class_train"}} +{"text": "In aggregate , the type of information stolen could let an attacker know where a person is , with whom they are associated ( including 
contacts ’ profile photos ) , the messages they are sending , the websites they visit and search history , screenshots that reveal data from other apps on the device , the conversations they have in the presence of the device , and a myriad of images including anything at which device ’ s camera is pointed .", "spans": {}, "info": {"id": "cyner2_5class_train_04476", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SocksT.Trojan Worm.Win32.Socks!O Trojan.Zbot.EO4 Worm.Socks.Win32.38 W32.W.Socks.tnAV W32/Socks.ey TROJ_SPNR.14DL13 Win32.Trojan.Kryptik.el Win32/Tnega.McRJca TROJ_SPNR.14DL13 Win.Trojan.Ag-4254306-1 Worm.Win32.Socks.ey Trojan.Win32.Socks.wtnjo Worm.Win32.Socks.791340 BackDoor.FireOn.221 BehavesLike.Win32.VirRansom.tc Trojan-Spy.Zbot.BE Trojan/PSW.Almat.dwk W32.Infostealer.Zeus Worm/Win32.Socks Worm.Socks.ey.kcloud Worm.Socks Worm.Win32.Socks.ey Worm/Win32.Socks.C35688 Virus.Socks.ey Worm.Socks!MDTxLrvAMvg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SocksT.Trojan": [[26, 43]], "Indicator: Worm.Win32.Socks!O": [[44, 62]], "Indicator: Trojan.Zbot.EO4": [[63, 78]], "Indicator: Worm.Socks.Win32.38": [[79, 98]], "Indicator: W32.W.Socks.tnAV": [[99, 115]], "Indicator: W32/Socks.ey": [[116, 128]], "Indicator: TROJ_SPNR.14DL13": [[129, 145], [189, 205]], "Indicator: Win32.Trojan.Kryptik.el": [[146, 169]], "Indicator: Win32/Tnega.McRJca": [[170, 188]], "Indicator: Win.Trojan.Ag-4254306-1": [[206, 229]], "Indicator: Worm.Win32.Socks.ey": [[230, 249], [460, 479]], "Indicator: Trojan.Win32.Socks.wtnjo": [[250, 274]], "Indicator: Worm.Win32.Socks.791340": [[275, 298]], "Indicator: BackDoor.FireOn.221": [[299, 318]], "Indicator: BehavesLike.Win32.VirRansom.tc": [[319, 349]], "Indicator: Trojan-Spy.Zbot.BE": [[350, 368]], "Indicator: Trojan/PSW.Almat.dwk": [[369, 389]], "Indicator: W32.Infostealer.Zeus": [[390, 410]], "Indicator: Worm/Win32.Socks": [[411, 427]], "Indicator: Worm.Socks.ey.kcloud": [[428, 448]], "Indicator: 
Worm.Socks": [[449, 459]], "Indicator: Worm/Win32.Socks.C35688": [[480, 503]], "Indicator: Virus.Socks.ey": [[504, 518]], "Indicator: Worm.Socks!MDTxLrvAMvg": [[519, 541]]}, "info": {"id": "cyner2_5class_train_04477", "source": "cyner2_5class_train"}} +{"text": "Turla, which has been targeting governments, government officials and diplomats for years – see, as an example, this recent paper – is still using watering hole techniques to redirect potentially interesting victims to their C C infrastructure.", "spans": {"Organization: governments, government officials": [[32, 65]], "Organization: diplomats": [[70, 79]], "Indicator: watering hole techniques": [[147, 171]], "System: C C infrastructure.": [[225, 244]]}, "info": {"id": "cyner2_5class_train_04478", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DostoxaLTB.Trojan Trojan.Mogoogwi.A3 WORM_MOGOOGWI.SMHA Win32.Trojan.WisdomEyes.16070401.9500.9996 WORM_MOGOOGWI.SMHA Trojan-Dropper.MSIL Trojan:MSIL/Mogoogwi.A Trojan.Barys.DC996 Trojan/Win32.Zusy.R154407 Trj/CI.A Win32/Trojan.65a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DostoxaLTB.Trojan": [[26, 47]], "Indicator: Trojan.Mogoogwi.A3": [[48, 66]], "Indicator: WORM_MOGOOGWI.SMHA": [[67, 85], [129, 147]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[86, 128]], "Indicator: Trojan-Dropper.MSIL": [[148, 167]], "Indicator: Trojan:MSIL/Mogoogwi.A": [[168, 190]], "Indicator: Trojan.Barys.DC996": [[191, 209]], "Indicator: Trojan/Win32.Zusy.R154407": [[210, 235]], "Indicator: Trj/CI.A": [[236, 244]], "Indicator: Win32/Trojan.65a": [[245, 261]]}, "info": {"id": "cyner2_5class_train_04479", "source": "cyner2_5class_train"}} +{"text": "READ_EXTERNAL_STORAGE - Allows the application to read from external storage .", "spans": {}, "info": {"id": "cyner2_5class_train_04480", "source": "cyner2_5class_train"}} +{"text": "However , this wo n't close the application , it will send it to the background , instead .", "spans": {}, 
"info": {"id": "cyner2_5class_train_04481", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.A8 Trojan.Ransom.Globe Win32.Trojan.WisdomEyes.16070401.9500.9595 Ransom.Purge Ransom_PURGE.SM1 Win32.Trojan-Ransom.Globe.A Trojan-Ransom.Win32.Purga.v Win32.Trojan.Purga.Hvjx Trojan.Encoder.6182 BehavesLike.Win32.Sytro.kc W32/Trojan.DXHE-6024 Trojan.CryFile.co Trojan[Ransom]/Win32.CryFile Troj.Ransom.W32!c Trojan-Ransom.Win32.Purga.v Ransom:Win32/Contentocrypt.A Trojan/Win32.CryFile.R186838 TrojanDropper.Dapato Ransom.Globe Trojan.Filecoder!iQ4fX8DOQ4o Trj/GdSda.A Win32/Trojan.Ransom.524", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.A8": [[26, 43]], "Indicator: Trojan.Ransom.Globe": [[44, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9595": [[64, 106]], "Indicator: Ransom.Purge": [[107, 119]], "Indicator: Ransom_PURGE.SM1": [[120, 136]], "Indicator: Win32.Trojan-Ransom.Globe.A": [[137, 164]], "Indicator: Trojan-Ransom.Win32.Purga.v": [[165, 192], [350, 377]], "Indicator: Win32.Trojan.Purga.Hvjx": [[193, 216]], "Indicator: Trojan.Encoder.6182": [[217, 236]], "Indicator: BehavesLike.Win32.Sytro.kc": [[237, 263]], "Indicator: W32/Trojan.DXHE-6024": [[264, 284]], "Indicator: Trojan.CryFile.co": [[285, 302]], "Indicator: Trojan[Ransom]/Win32.CryFile": [[303, 331]], "Indicator: Troj.Ransom.W32!c": [[332, 349]], "Indicator: Ransom:Win32/Contentocrypt.A": [[378, 406]], "Indicator: Trojan/Win32.CryFile.R186838": [[407, 435]], "Indicator: TrojanDropper.Dapato": [[436, 456]], "Indicator: Ransom.Globe": [[457, 469]], "Indicator: Trojan.Filecoder!iQ4fX8DOQ4o": [[470, 498]], "Indicator: Trj/GdSda.A": [[499, 510]], "Indicator: Win32/Trojan.Ransom.524": [[511, 534]]}, "info": {"id": "cyner2_5class_train_04482", "source": "cyner2_5class_train"}} +{"text": "Taiwan has long been subjected to persistent targeting from espionage motivated threat actors.", "spans": {}, "info": {"id": "cyner2_5class_train_04483", "source": 
"cyner2_5class_train"}} +{"text": "This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.", "spans": {"Indicator: attack": [[5, 11]], "Indicator: victims": [[48, 55]], "Indicator: a fake browser update scheme": [[130, 158]], "System: Windows web browsers.": [[190, 211]]}, "info": {"id": "cyner2_5class_train_04484", "source": "cyner2_5class_train"}} +{"text": "Our investigation into these attacks has unearthed more details into the method by which the threat actors delivered the Disttrack payload.", "spans": {"Indicator: attacks": [[29, 36]], "Malware: Disttrack payload.": [[121, 139]]}, "info": {"id": "cyner2_5class_train_04485", "source": "cyner2_5class_train"}} +{"text": "We re constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker.", "spans": {}, "info": {"id": "cyner2_5class_train_04486", "source": "cyner2_5class_train"}} +{"text": "Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.", "spans": {"Organization: Shipping companies": [[0, 18]], "Organization: medical laboratories": [[23, 43]]}, "info": {"id": "cyner2_5class_train_04487", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Small.8704.J Trojan-Spy.Win32.Small!O TrojanDownloader.Dielel Troj.Spy.W32.Small.jzk!c TROJ_GOGLOAD.A Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.IOOK-0066 TROJ_GOGLOAD.A Trojan-Spy.Win32.Small.jzk DLOADER.Trojan Trojan.Win32.Spy DangerousObject.Multi.bcf W32/Small.JZK!tr Trojan[Spy]/Win32.Small Win32.Troj.small.j.kcloud Trojan.Heur.LP.EEE6A9 Trojan-Spy.Win32.Small.jzk TrojanDownloader:Win32/Dielel.A TrojanSpy.Small Win32.Trojan-spy.Small.Iit", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Small.8704.J": [[26, 53]], "Indicator: Trojan-Spy.Win32.Small!O": [[54, 78]], "Indicator: TrojanDownloader.Dielel": [[79, 102]], "Indicator: Troj.Spy.W32.Small.jzk!c": [[103, 127]], "Indicator: TROJ_GOGLOAD.A": [[128, 142], [207, 221]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[143, 185]], "Indicator: W32/Trojan.IOOK-0066": [[186, 206]], "Indicator: Trojan-Spy.Win32.Small.jzk": [[222, 248], [396, 422]], "Indicator: DLOADER.Trojan": [[249, 263]], "Indicator: Trojan.Win32.Spy": [[264, 280]], "Indicator: DangerousObject.Multi.bcf": [[281, 306]], "Indicator: W32/Small.JZK!tr": [[307, 323]], "Indicator: Trojan[Spy]/Win32.Small": [[324, 347]], "Indicator: Win32.Troj.small.j.kcloud": [[348, 373]], "Indicator: Trojan.Heur.LP.EEE6A9": [[374, 395]], "Indicator: TrojanDownloader:Win32/Dielel.A": [[423, 454]], "Indicator: TrojanSpy.Small": [[455, 470]], "Indicator: Win32.Trojan-spy.Small.Iit": [[471, 497]]}, "info": {"id": "cyner2_5class_train_04488", "source": "cyner2_5class_train"}} +{"text": "Over time , this campaign will also infect the same device , repeatedly , with the latest malicious patches .", "spans": {}, "info": {"id": "cyner2_5class_train_04489", "source": "cyner2_5class_train"}} +{"text": "This technique reminds us of a combination between ages old war strategies “ Divide et impera ” and “ By way of deception ” .", "spans": {}, "info": {"id": "cyner2_5class_train_04490", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Trojan.Linux.MiraiDDoS.BI Downloader.Mirai.Linux.8 Troj.Downloader.Linux!c ELF_MIRAI.A HEUR:Trojan-Downloader.Linux.Mirai.b Trojan.Linux.MiraiDDoS.BI Trojan.Mlw.ektbyu Trojan.Linux.MiraiDDoS.BI Trojan.Linux.MiraiDDoS.BI Linux.DownLoader.289 ELF_MIRAI.A LINUX/Dldr.Mirai.qqlgv Trojan[Downloader]/Linux.Gafgyt.b Trojan.Linux.MiraiDDoS.BI Linux.S.Mirai.1204 HEUR:Trojan-Downloader.Linux.Mirai.b TrojanDownloader:Linux/Mirai.A 
Backdoor.Linux.Mirai Linux.Trojan-downloader.Gafgyt.Amlt Trojan-Downloader.Linux.Mirai Trojan.Linux.MiraiDDoS.BI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Linux.MiraiDDoS.BI": [[43, 68], [167, 192], [211, 236], [237, 262], [353, 378], [553, 578]], "Indicator: Downloader.Mirai.Linux.8": [[69, 93]], "Indicator: Troj.Downloader.Linux!c": [[94, 117]], "Indicator: ELF_MIRAI.A": [[118, 129], [284, 295]], "Indicator: HEUR:Trojan-Downloader.Linux.Mirai.b": [[130, 166], [398, 434]], "Indicator: Trojan.Mlw.ektbyu": [[193, 210]], "Indicator: Linux.DownLoader.289": [[263, 283]], "Indicator: LINUX/Dldr.Mirai.qqlgv": [[296, 318]], "Indicator: Trojan[Downloader]/Linux.Gafgyt.b": [[319, 352]], "Indicator: Linux.S.Mirai.1204": [[379, 397]], "Indicator: TrojanDownloader:Linux/Mirai.A": [[435, 465]], "Indicator: Backdoor.Linux.Mirai": [[466, 486]], "Indicator: Linux.Trojan-downloader.Gafgyt.Amlt": [[487, 522]], "Indicator: Trojan-Downloader.Linux.Mirai": [[523, 552]]}, "info": {"id": "cyner2_5class_train_04491", "source": "cyner2_5class_train"}} +{"text": "May 2018 to April 2019 : This is the actual mature stage of “ Agent Smith ” campaign .", "spans": {"Malware: Agent Smith": [[62, 73]]}, "info": {"id": "cyner2_5class_train_04492", "source": "cyner2_5class_train"}} +{"text": "This payload will then attempt to instantiate a remote reverse /system/bin/sh shell to the Command & Control ws.my-local-weather [ .", "spans": {"Indicator: /system/bin/sh": [[63, 77]], "Indicator: ws.my-local-weather [ .": [[109, 132]]}, "info": {"id": "cyner2_5class_train_04493", "source": "cyner2_5class_train"}} +{"text": "FrozenCell is the mobile component of a multi-platform attack we 've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 , '' use to spy on victims through compromised mobile devices and desktops .", "spans": {"Malware: FrozenCell": [[0, 10]], "Malware: Two-tailed Scorpion/APT-C-23": [[100, 128]]}, "info": {"id": "cyner2_5class_train_04494", "source": 
"cyner2_5class_train"}} +{"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps .", "spans": {"Organization: Kryptowire": [[0, 10]], "Organization: BLU": [[47, 50]]}, "info": {"id": "cyner2_5class_train_04495", "source": "cyner2_5class_train"}} +{"text": "Cybereason 's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed \" Roaming Mantis '' , a group that has led similar campaigns .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: FakeSpy": [[67, 74]], "Organization: Roaming Mantis": [[121, 135]]}, "info": {"id": "cyner2_5class_train_04496", "source": "cyner2_5class_train"}} +{"text": "Version # 2 : June - Aug. 2019 — Domain : somtum [ .", "spans": {"Indicator: somtum [ .": [[42, 52]]}, "info": {"id": "cyner2_5class_train_04497", "source": "cyner2_5class_train"}} +{"text": "Others like transferbot , promptupdate and promptuninstall are meant to help the operator manage the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_04498", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Verauto.A Win32.Worm.Verauto.A Trojan/VB.oda Win32.Worm.Verauto.A W32/VB.OO Virus.Win32.VB.b Win32.Worm.Verauto.A Virus.Win32.VB.gixe W32.VB.b!c Win32.Virus.Vb.Swum Win32.Worm.Verauto.A Virus.Win32.VB.b Win32.Worm.Verauto.A Win32.HLLW.Verauto Virus.VB.Win32.76 worm.win32.vobfus.cf W32/VB.YYAQ-1388 WORM/Verauto.A Virus/Win32.VB Worm:Win32/SillyVB.B Win32.Worm.Verauto.A Trojan.VB Win32/VB.ODA .Virus.EICAR_BOOV Worm.Win32.VB W32/VB.B!tr Win32/VB.BM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Verauto.A": [[26, 46], [47, 67], [82, 102], [130, 150], [202, 222], [240, 260], [387, 407]], "Indicator: Trojan/VB.oda": [[68, 81]], "Indicator: W32/VB.OO": [[103, 112]], "Indicator: Virus.Win32.VB.b": [[113, 129], [223, 239]], "Indicator: 
Virus.Win32.VB.gixe": [[151, 170]], "Indicator: W32.VB.b!c": [[171, 181]], "Indicator: Win32.Virus.Vb.Swum": [[182, 201]], "Indicator: Win32.HLLW.Verauto": [[261, 279]], "Indicator: Virus.VB.Win32.76": [[280, 297]], "Indicator: worm.win32.vobfus.cf": [[298, 318]], "Indicator: W32/VB.YYAQ-1388": [[319, 335]], "Indicator: WORM/Verauto.A": [[336, 350]], "Indicator: Virus/Win32.VB": [[351, 365]], "Indicator: Worm:Win32/SillyVB.B": [[366, 386]], "Indicator: Trojan.VB": [[408, 417]], "Indicator: Win32/VB.ODA": [[418, 430]], "Indicator: .Virus.EICAR_BOOV": [[431, 448]], "Indicator: Worm.Win32.VB": [[449, 462]], "Indicator: W32/VB.B!tr": [[463, 474]], "Indicator: Win32/VB.BM": [[475, 486]]}, "info": {"id": "cyner2_5class_train_04499", "source": "cyner2_5class_train"}} +{"text": "The iOS versions were available outside the app store , through phishing sites , and abused the Apple Developer Enterprise program .", "spans": {"System: iOS": [[4, 7]], "System: app store": [[44, 53]], "Organization: Apple Developer Enterprise": [[96, 122]]}, "info": {"id": "cyner2_5class_train_04500", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanSpy.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9866 Trojan.Win32.Downeks.exeslg Troj.Spy.Msil.Downeks!c Trojan.MSILPerseus.D21B6F TrojanSpy:MSIL/Tinclex.A Riskware.Confuser! 
Trj/GdSda.A Win32/Trojan.Spy.7a8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanSpy.MSIL": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9866": [[41, 83]], "Indicator: Trojan.Win32.Downeks.exeslg": [[84, 111]], "Indicator: Troj.Spy.Msil.Downeks!c": [[112, 135]], "Indicator: Trojan.MSILPerseus.D21B6F": [[136, 161]], "Indicator: TrojanSpy:MSIL/Tinclex.A": [[162, 186]], "Indicator: Riskware.Confuser!": [[187, 205]], "Indicator: Trj/GdSda.A": [[206, 217]], "Indicator: Win32/Trojan.Spy.7a8": [[218, 238]]}, "info": {"id": "cyner2_5class_train_04501", "source": "cyner2_5class_train"}} +{"text": "By comparing the sizes of the encrypted asset file tong.luo vs the decrypted JAR file mycode.jar , it is interesting to note that it is the same file ( almost the same size ) .", "spans": {"Indicator: tong.luo": [[51, 59]], "Indicator: mycode.jar": [[86, 96]]}, "info": {"id": "cyner2_5class_train_04502", "source": "cyner2_5class_train"}} +{"text": "The malware, which has been identified by many vendors on VirusTotal, has been labeled by our researchers as Trojan.Chinad or just Chinad as an alternative short label.", "spans": {"Malware: malware,": [[4, 12]], "Organization: VirusTotal,": [[58, 69]], "Indicator: Trojan.Chinad": [[109, 122]], "Malware: Chinad": [[131, 137]]}, "info": {"id": "cyner2_5class_train_04503", "source": "cyner2_5class_train"}} +{"text": "The group behind the attacks is possibly associated with the Russian government and has been active since at least 2007.", "spans": {"Organization: Russian government": [[61, 79]]}, "info": {"id": "cyner2_5class_train_04504", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.BCDE Backdoor.Baceed Backdoor.Hupigon.Win32.11548 Backdoor.W32.Hupigon.torp W32/Backdoor2.EVBN Backdoor.Trojan Win.Trojan.Hupigon-27433 Backdoor.Win32.Hupigon.gklq Trojan.Win32.Hupigon.wnxa Backdoor.Win32.Hupigon.163840.I Backdoor.Win32.Hupigon.gklqo BackDoor.Pigeon1.8593 
W32/Backdoor.ECNM-9194 Backdoor/Hupigon.jmk W32.Backdoor.Hupigon BDS/Baceed.hrhsh Trojan[Backdoor]/Win32.Hupigon Backdoor:Win32/Baceed.A!bit Backdoor.Win32.Hupigon.gklq Trojan/Win32.Hupigon.R42586 TScope.Malware-Cryptor.SB Win32.Backdoor.Hupigon.Pavs Backdoor.Win32.Hupigon Win32/Trojan.aab", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.BCDE": [[26, 43]], "Indicator: Backdoor.Baceed": [[44, 59]], "Indicator: Backdoor.Hupigon.Win32.11548": [[60, 88]], "Indicator: Backdoor.W32.Hupigon.torp": [[89, 114]], "Indicator: W32/Backdoor2.EVBN": [[115, 133]], "Indicator: Backdoor.Trojan": [[134, 149]], "Indicator: Win.Trojan.Hupigon-27433": [[150, 174]], "Indicator: Backdoor.Win32.Hupigon.gklq": [[175, 202], [453, 480]], "Indicator: Trojan.Win32.Hupigon.wnxa": [[203, 228]], "Indicator: Backdoor.Win32.Hupigon.163840.I": [[229, 260]], "Indicator: Backdoor.Win32.Hupigon.gklqo": [[261, 289]], "Indicator: BackDoor.Pigeon1.8593": [[290, 311]], "Indicator: W32/Backdoor.ECNM-9194": [[312, 334]], "Indicator: Backdoor/Hupigon.jmk": [[335, 355]], "Indicator: W32.Backdoor.Hupigon": [[356, 376]], "Indicator: BDS/Baceed.hrhsh": [[377, 393]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[394, 424]], "Indicator: Backdoor:Win32/Baceed.A!bit": [[425, 452]], "Indicator: Trojan/Win32.Hupigon.R42586": [[481, 508]], "Indicator: TScope.Malware-Cryptor.SB": [[509, 534]], "Indicator: Win32.Backdoor.Hupigon.Pavs": [[535, 562]], "Indicator: Backdoor.Win32.Hupigon": [[563, 585]], "Indicator: Win32/Trojan.aab": [[586, 602]]}, "info": {"id": "cyner2_5class_train_04505", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Crypt12 Ransom.Kristina Ransom_CRYPTWELVE.B Win32.Trojan.WisdomEyes.16070401.9500.9562 Ransom.CryptXXX Ransom_CRYPTWELVE.B Win.Ransomware.Kristina-6367716-1 MSIL.Trojan-Ransom.Crypt12.B Trojan.Win32.Encoder.evktgv Trojan.Win32.Z.Ransom.124928.G Trojan.Encoder.15080 Trojan.Filecoder.Win32.6738 Ransom.MSIL.Natiris W32/Trojan.ERVC-5011 
TR/RedCap.khogd Ransom:MSIL/Natiris.A Trojan/Win32.Ransom.C2247299 Trj/GdSda.A Win32/Trojan.Ransom.15c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Crypt12": [[26, 47]], "Indicator: Ransom.Kristina": [[48, 63]], "Indicator: Ransom_CRYPTWELVE.B": [[64, 83], [143, 162]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9562": [[84, 126]], "Indicator: Ransom.CryptXXX": [[127, 142]], "Indicator: Win.Ransomware.Kristina-6367716-1": [[163, 196]], "Indicator: MSIL.Trojan-Ransom.Crypt12.B": [[197, 225]], "Indicator: Trojan.Win32.Encoder.evktgv": [[226, 253]], "Indicator: Trojan.Win32.Z.Ransom.124928.G": [[254, 284]], "Indicator: Trojan.Encoder.15080": [[285, 305]], "Indicator: Trojan.Filecoder.Win32.6738": [[306, 333]], "Indicator: Ransom.MSIL.Natiris": [[334, 353]], "Indicator: W32/Trojan.ERVC-5011": [[354, 374]], "Indicator: TR/RedCap.khogd": [[375, 390]], "Indicator: Ransom:MSIL/Natiris.A": [[391, 412]], "Indicator: Trojan/Win32.Ransom.C2247299": [[413, 441]], "Indicator: Trj/GdSda.A": [[442, 453]], "Indicator: Win32/Trojan.Ransom.15c": [[454, 477]]}, "info": {"id": "cyner2_5class_train_04506", "source": "cyner2_5class_train"}} +{"text": "Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under another guise .", "spans": {}, "info": {"id": "cyner2_5class_train_04507", "source": "cyner2_5class_train"}} +{"text": "First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too.", "spans": {"System: Linux variant,": [[17, 31]], "Malware: binary,": [[72, 79]], "System: Windows desktops,": [[117, 134]]}, "info": {"id": "cyner2_5class_train_04508", "source": "cyner2_5class_train"}} +{"text": "However , although the “ Concipit1248 ” app requested permissions to open the device camera and read photos , the code only can upload a self-contained PNG file to a remote sever .", "spans": {}, "info": {"id": 
"cyner2_5class_train_04509", "source": "cyner2_5class_train"}} +{"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project .", "spans": {"Indicator: https : //github.com/El3ct71k/Keylogger/": [[0, 40]]}, "info": {"id": "cyner2_5class_train_04510", "source": "cyner2_5class_train"}} +{"text": "Each value represents a different type of data to steal from the device : Value Data Type 1 Accounts 2 Installed APP list 3 Running processes list 4 Battery status 5 Browser bookmarks and histories 6 Call logs 7 Clipboard 8 Contacts 9 Mobile operator information a File list on SD card b Location c Image list d Audio list e Video list f Storage and memory information g Connection information h Sensors information i SMS messages j VCard format contacts Table 1 .", "spans": {}, "info": {"id": "cyner2_5class_train_04511", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Esacel Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Kryptik.exqpjd Trojan.Kryptik.Win32.1351348 W32/Trojan.MCPS-3536 TR/Crypt.ZPACK.ocodu Trojan.Esacel Trj/CI.A Trojan.Kryptik!MH3d/6dQFBI Trojan.Inject Malicious_Behavior.SB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Esacel": [[26, 39], [182, 195]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[40, 82]], "Indicator: Trojan.Win32.Kryptik.exqpjd": [[83, 110]], "Indicator: Trojan.Kryptik.Win32.1351348": [[111, 139]], "Indicator: W32/Trojan.MCPS-3536": [[140, 160]], "Indicator: TR/Crypt.ZPACK.ocodu": [[161, 181]], "Indicator: Trj/CI.A": [[196, 204]], "Indicator: Trojan.Kryptik!MH3d/6dQFBI": [[205, 231]], "Indicator: Trojan.Inject": [[232, 245]], "Indicator: Malicious_Behavior.SB": [[246, 267]]}, "info": {"id": "cyner2_5class_train_04512", "source": "cyner2_5class_train"}} +{"text": "Any app can ask for accessibility permissions and implement features such as screen reading , changing sizes and colors of 
objects , hearing enhancements , replacing touch with other forms of control and more .", "spans": {}, "info": {"id": "cyner2_5class_train_04513", "source": "cyner2_5class_train"}} +{"text": "At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate source and display it within the main web page – embedded in a PE binary Portable Executable Binary, or .exe.", "spans": {"Malware: At": [[0, 2]], "Organization: FireEye Labs,": [[3, 16]], "Vulnerability: infection vector": [[111, 127]], "Indicator: iFRAME inline frame": [[146, 165]], "Indicator: an HTML document embedded inside another HTML document": [[168, 222]], "Organization: web": [[228, 231]], "Indicator: PE binary Portable Executable Binary,": [[355, 392]], "Indicator: .exe.": [[396, 401]]}, "info": {"id": "cyner2_5class_train_04514", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.QHost.ACI Trojan.Win32.Qhost!O Trojan.QHost.ACI TROJ_RENOS.TU Win32.Trojan.WisdomEyes.16070401.9500.9838 W32/Trojan.YCCB-6079 Trojan.Dropper TROJ_RENOS.TU Win.Trojan.Small-4579 Trojan.Win32.Qhost.abh Trojan.QHost.ACI Trojan.Win32.Qhost.slro Trojan.QHost.ACI TrojWare.Win32.TrojanDownloader.FakeAlert.G Trojan.QHost.ACI Trojan.Fakealert.399 BehavesLike.Win32.Dropper.nc W32/Trojan2.CMAE Trojan/Qhost.tf Trojan:Win32/Wantvi.C Trojan.Win32.Qhost.abh Trojan.QHost.ACI Trojan/Win32.Qhost.R34501 Trojan.QHost.ACI OScope.Hoax.Win32.FakeAlert Trojan.Qhost Win32/TrojanDownloader.FakeAlert.G Trojan.Qhost.EP Trojan.Win32.Qhost.abh W32/Qhost.ABH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.QHost.ACI": [[26, 42], [64, 80], [233, 249], [274, 290], [335, 351], [480, 496], [523, 539]], "Indicator: Trojan.Win32.Qhost!O": [[43, 63]], "Indicator: TROJ_RENOS.TU": [[81, 94], [174, 
187]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9838": [[95, 137]], "Indicator: W32/Trojan.YCCB-6079": [[138, 158]], "Indicator: Trojan.Dropper": [[159, 173]], "Indicator: Win.Trojan.Small-4579": [[188, 209]], "Indicator: Trojan.Win32.Qhost.abh": [[210, 232], [457, 479], [632, 654]], "Indicator: Trojan.Win32.Qhost.slro": [[250, 273]], "Indicator: TrojWare.Win32.TrojanDownloader.FakeAlert.G": [[291, 334]], "Indicator: Trojan.Fakealert.399": [[352, 372]], "Indicator: BehavesLike.Win32.Dropper.nc": [[373, 401]], "Indicator: W32/Trojan2.CMAE": [[402, 418]], "Indicator: Trojan/Qhost.tf": [[419, 434]], "Indicator: Trojan:Win32/Wantvi.C": [[435, 456]], "Indicator: Trojan/Win32.Qhost.R34501": [[497, 522]], "Indicator: OScope.Hoax.Win32.FakeAlert": [[540, 567]], "Indicator: Trojan.Qhost": [[568, 580]], "Indicator: Win32/TrojanDownloader.FakeAlert.G": [[581, 615]], "Indicator: Trojan.Qhost.EP": [[616, 631]], "Indicator: W32/Qhost.ABH!tr": [[655, 671]]}, "info": {"id": "cyner2_5class_train_04515", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Mediket.CD Troj.Downloader.W32.Mediket.cd!c Trojan/Downloader.Mediket.cd Win32.Trojan.WisdomEyes.16070401.9500.9810 W32/Downloader.JJGI-8097 Win32/SillyDl.FL Trojan-Downloader.Win32.Mediket.cd Trojan.Win32.Mediket.dkal Trojan.Win32.Downloader.10240.ES Trojan.DownLoader.7470 Downloader.Mediket.Win32.64 Trojan-Downloader.Win32.Mediket.bl W32/DldrX.DHK TrojanDownloader.Mediket.fv TR/Dldr.Mediket.S.2 Trojan[Downloader]/Win32.Mediket Trojan.Heur.amGfYI3rB7li Trojan-Downloader.Win32.Mediket.cd Trojan/Win32.Small.C140121 Trojan-Downloader.Win32.Mediket.ca Trojan-Downloader.Mediket.CD Win32.Trojan-downloader.Mediket.Ajvz W32/Dloader.CD!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Mediket.CD": [[26, 54], [599, 627]], "Indicator: Troj.Downloader.W32.Mediket.cd!c": [[55, 87]], "Indicator: Trojan/Downloader.Mediket.cd": [[88, 116]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9810": [[117, 159]], "Indicator: W32/Downloader.JJGI-8097": [[160, 184]], "Indicator: Win32/SillyDl.FL": [[185, 201]], "Indicator: Trojan-Downloader.Win32.Mediket.cd": [[202, 236], [502, 536]], "Indicator: Trojan.Win32.Mediket.dkal": [[237, 262]], "Indicator: Trojan.Win32.Downloader.10240.ES": [[263, 295]], "Indicator: Trojan.DownLoader.7470": [[296, 318]], "Indicator: Downloader.Mediket.Win32.64": [[319, 346]], "Indicator: Trojan-Downloader.Win32.Mediket.bl": [[347, 381]], "Indicator: W32/DldrX.DHK": [[382, 395]], "Indicator: TrojanDownloader.Mediket.fv": [[396, 423]], "Indicator: TR/Dldr.Mediket.S.2": [[424, 443]], "Indicator: Trojan[Downloader]/Win32.Mediket": [[444, 476]], "Indicator: Trojan.Heur.amGfYI3rB7li": [[477, 501]], "Indicator: Trojan/Win32.Small.C140121": [[537, 563]], "Indicator: Trojan-Downloader.Win32.Mediket.ca": [[564, 598]], "Indicator: Win32.Trojan-downloader.Mediket.Ajvz": [[628, 664]], "Indicator: W32/Dloader.CD!tr.dldr": [[665, 687]]}, "info": {"id": "cyner2_5class_train_04516", "source": "cyner2_5class_train"}} +{"text": "A particular focus appears to have been placed on the healthcare industry.", "spans": {}, "info": {"id": "cyner2_5class_train_04517", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.6656.AAX Trojan.Win32.Small!O Trojan.Tosct Trojan.Heur.RP.EF49A0 TROJ_DLOADER.FAV Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.MPRY-6149 TROJ_DLOADER.FAV Trojan.Win32.Small.coy Trojan.Win32.Small.cwxndz Trojan.Click2.56220 Trojan.Small.Win32.19363 Trojan.Win32.Tosct Trojan/Small.ovb TR/Spy.6656.106 Trojan/Win32.Small Win32.Troj.Undef.kcloud Trojan.Win32.Small.coy Trojan:Win32/Tosct.A Trojan/Win32.Connapts.C256364 Trojan.Small.coy Trojan.Small Win32.Trojan.Small.Aiik Trojan.Small!nYMaRKVOefk W32/Dloader.FAV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.6656.AAX": [[26, 51]], "Indicator: Trojan.Win32.Small!O": [[52, 72]], 
"Indicator: Trojan.Tosct": [[73, 85]], "Indicator: Trojan.Heur.RP.EF49A0": [[86, 107]], "Indicator: TROJ_DLOADER.FAV": [[108, 124], [189, 205]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[125, 167]], "Indicator: W32/Trojan.MPRY-6149": [[168, 188]], "Indicator: Trojan.Win32.Small.coy": [[206, 228], [395, 417]], "Indicator: Trojan.Win32.Small.cwxndz": [[229, 254]], "Indicator: Trojan.Click2.56220": [[255, 274]], "Indicator: Trojan.Small.Win32.19363": [[275, 299]], "Indicator: Trojan.Win32.Tosct": [[300, 318]], "Indicator: Trojan/Small.ovb": [[319, 335]], "Indicator: TR/Spy.6656.106": [[336, 351]], "Indicator: Trojan/Win32.Small": [[352, 370]], "Indicator: Win32.Troj.Undef.kcloud": [[371, 394]], "Indicator: Trojan:Win32/Tosct.A": [[418, 438]], "Indicator: Trojan/Win32.Connapts.C256364": [[439, 468]], "Indicator: Trojan.Small.coy": [[469, 485]], "Indicator: Trojan.Small": [[486, 498]], "Indicator: Win32.Trojan.Small.Aiik": [[499, 522]], "Indicator: Trojan.Small!nYMaRKVOefk": [[523, 547]], "Indicator: W32/Dloader.FAV!tr": [[548, 566]]}, "info": {"id": "cyner2_5class_train_04518", "source": "cyner2_5class_train"}} +{"text": "In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate", "spans": {"Indicator: websites": [[9, 17]], "Malware: malware": [[30, 37]], "Malware: stolen code": [[85, 96]], "Indicator: signing certificate": [[97, 116]]}, "info": {"id": "cyner2_5class_train_04519", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Hybris.B@mm Email-Worm.Win32.Hybris!O Worm.Hybris W32/Hybris.dll@MM W95.Hybris.PI.msOW W32/Hybris.dll@MM WORM_HYBRIS.F Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Hybris.worm.B W95.Hybris.worm WORM_HYBRIS.F Win.Trojan.Hybris-10 Win32.Hybris.B@mm Email-Worm.Win32.Hybris.plugin Win32.Hybris.B@mm Trojan.Win32.Hybris.upukw Win32.Hybris Win32.Hybris.B@mm EmailWorm.Win32.Hybris.lki Win98.Vecna.23040 Worm.Hybris.Win32.8 BehavesLike.Win32.Virut.pm 
W32/Hybris.worm.B Worm/Hybris.c Worm[Email]/Win32.Hybris Worm:Win32/Hybris.C@mm Email-Worm.Win32.Hybris.plugin I-Worm/Hybris.Variant Win32.Hybris.B@mm W32/Hybris.Wsock Win32.Hybris.E2C45E Win32/Hybris.dll Win32.Worm-email.Hybris.Wuqu I-Worm.Hybris Email-Worm.Win32.Hybris.Based W32/Hybris.dll@mm Win32/Worm.Email-Worm.47d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Hybris.B@mm": [[26, 43], [263, 280], [312, 329], [369, 386], [612, 629]], "Indicator: Email-Worm.Win32.Hybris!O": [[44, 69]], "Indicator: Worm.Hybris": [[70, 81]], "Indicator: W32/Hybris.dll@MM": [[82, 99], [119, 136]], "Indicator: W95.Hybris.PI.msOW": [[100, 118]], "Indicator: WORM_HYBRIS.F": [[137, 150], [228, 241]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[151, 193]], "Indicator: W32/Hybris.worm.B": [[194, 211], [479, 496]], "Indicator: W95.Hybris.worm": [[212, 227]], "Indicator: Win.Trojan.Hybris-10": [[242, 262]], "Indicator: Email-Worm.Win32.Hybris.plugin": [[281, 311], [559, 589]], "Indicator: Trojan.Win32.Hybris.upukw": [[330, 355]], "Indicator: Win32.Hybris": [[356, 368]], "Indicator: EmailWorm.Win32.Hybris.lki": [[387, 413]], "Indicator: Win98.Vecna.23040": [[414, 431]], "Indicator: Worm.Hybris.Win32.8": [[432, 451]], "Indicator: BehavesLike.Win32.Virut.pm": [[452, 478]], "Indicator: Worm/Hybris.c": [[497, 510]], "Indicator: Worm[Email]/Win32.Hybris": [[511, 535]], "Indicator: Worm:Win32/Hybris.C@mm": [[536, 558]], "Indicator: I-Worm/Hybris.Variant": [[590, 611]], "Indicator: W32/Hybris.Wsock": [[630, 646]], "Indicator: Win32.Hybris.E2C45E": [[647, 666]], "Indicator: Win32/Hybris.dll": [[667, 683]], "Indicator: Win32.Worm-email.Hybris.Wuqu": [[684, 712]], "Indicator: I-Worm.Hybris": [[713, 726]], "Indicator: Email-Worm.Win32.Hybris.Based": [[727, 756]], "Indicator: W32/Hybris.dll@mm": [[757, 774]], "Indicator: Win32/Worm.Email-Worm.47d": [[775, 800]]}, "info": {"id": "cyner2_5class_train_04520", "source": "cyner2_5class_train"}} +{"text": "Who is behind Judy ? 
The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp .", "spans": {"Malware: Judy": [[14, 18]], "Organization: Kiniwini": [[84, 92]], "System: Google Play": [[109, 120]], "Organization: ENISTUDIO corp": [[124, 138]]}, "info": {"id": "cyner2_5class_train_04521", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.8BE3 Win32.Neveg.C@mm Worm/W32.Neveg.52294.B W32/Neveg.c@MM W32/Neveg.c Win32.Neveg.C@mm Trojan.Win32.Neveg.iclu W32/Neveg.D@mm W32.Neveg.C@mm Win32/Neveg.C WORM_NEVEG.C Worm.Neveg.C.4 Email-Worm.Win32.Neveg.c I-Worm.Neveg!ysm95GgJE50 I-Worm.Win32.Neveg.52294.C[h] W32.W.Neveg.c!c Win32.Neveg.C@mm Worm.Win32.Neveg.C Win32.Neveg.C@mm Win32.HLLM.Peerage Worm.Neveg.Win32.1 WORM_NEVEG.C BehavesLike.Win32.Ramnit.qc W32/Neveg.URKR-8484 Worm[Email]/Win32.Neveg Win32.Neveg.EB4884 Worm/Win32.MyDoom Worm:Win32/Neveng.C@mm Win32.Neveg.C@mm Worm.Neveg W32/Neveg.D.worm Win32.Worm-email.Neveg.Lpbl Email-Worm.Win32.Neveg.C Win32.Neveg.C@mm I-Worm/Neveg.C Worm.Win32.Neveg.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.8BE3": [[26, 42]], "Indicator: Win32.Neveg.C@mm": [[43, 59], [110, 126], [319, 335], [355, 371], [555, 571], [653, 669]], "Indicator: Worm/W32.Neveg.52294.B": [[60, 82]], "Indicator: W32/Neveg.c@MM": [[83, 97]], "Indicator: W32/Neveg.c": [[98, 109]], "Indicator: Trojan.Win32.Neveg.iclu": [[127, 150]], "Indicator: W32/Neveg.D@mm": [[151, 165]], "Indicator: W32.Neveg.C@mm": [[166, 180]], "Indicator: Win32/Neveg.C": [[181, 194]], "Indicator: WORM_NEVEG.C": [[195, 207], [410, 422]], "Indicator: Worm.Neveg.C.4": [[208, 222]], "Indicator: Email-Worm.Win32.Neveg.c": [[223, 247]], "Indicator: I-Worm.Neveg!ysm95GgJE50": [[248, 272]], "Indicator: I-Worm.Win32.Neveg.52294.C[h]": [[273, 302]], "Indicator: W32.W.Neveg.c!c": [[303, 318]], "Indicator: Worm.Win32.Neveg.C": [[336, 354], [685, 703]], "Indicator: Win32.HLLM.Peerage": [[372, 390]], "Indicator: 
Worm.Neveg.Win32.1": [[391, 409]], "Indicator: BehavesLike.Win32.Ramnit.qc": [[423, 450]], "Indicator: W32/Neveg.URKR-8484": [[451, 470]], "Indicator: Worm[Email]/Win32.Neveg": [[471, 494]], "Indicator: Win32.Neveg.EB4884": [[495, 513]], "Indicator: Worm/Win32.MyDoom": [[514, 531]], "Indicator: Worm:Win32/Neveng.C@mm": [[532, 554]], "Indicator: Worm.Neveg": [[572, 582]], "Indicator: W32/Neveg.D.worm": [[583, 599]], "Indicator: Win32.Worm-email.Neveg.Lpbl": [[600, 627]], "Indicator: Email-Worm.Win32.Neveg.C": [[628, 652]], "Indicator: I-Worm/Neveg.C": [[670, 684]]}, "info": {"id": "cyner2_5class_train_04522", "source": "cyner2_5class_train"}} +{"text": "Below are descriptions of some of the most interesting .", "spans": {}, "info": {"id": "cyner2_5class_train_04523", "source": "cyner2_5class_train"}} +{"text": "Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates UAE, and recipient of the Martin Ennals Award sometimes referred to as a Nobel Prize for human rights .", "spans": {"Organization: Ahmed Mansoor": [[0, 13]], "Organization: human rights defender,": [[47, 69]]}, "info": {"id": "cyner2_5class_train_04524", "source": "cyner2_5class_train"}} +{"text": "All of the URLs reference the file “ mms.apk ” and all use the domain “ XXXX.ru ” , which belongs to a top five shared hosting platform in Russia ( the domain itself has been obfuscated to anonymize the provider ) .", "spans": {"Indicator: mms.apk": [[37, 44]], "Indicator: XXXX.ru": [[72, 79]]}, "info": {"id": "cyner2_5class_train_04525", "source": "cyner2_5class_train"}} +{"text": "Allows an application to send SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_04526", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.MOBS-7437 Win.Trojan.B-474 Virus.Win32.Virut.CE Trojan.Heur.LP.EE1B95 Backdoor:Win32/Liudoor.B!dha Backdoor/Win32.Liudoor.R192527 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32/Trojan.MOBS-7437": [[26, 46]], "Indicator: Win.Trojan.B-474": [[47, 63]], "Indicator: Virus.Win32.Virut.CE": [[64, 84]], "Indicator: Trojan.Heur.LP.EE1B95": [[85, 106]], "Indicator: Backdoor:Win32/Liudoor.B!dha": [[107, 135]], "Indicator: Backdoor/Win32.Liudoor.R192527": [[136, 166]], "Indicator: Trj/CI.A": [[167, 175]]}, "info": {"id": "cyner2_5class_train_04527", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.Dorkbot.II4 Backdoor.Bifrose.Win32.18816 Backdoor.Bifrose Trojan/Midgare.advf TROJ_DROPPER.SMS Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/Bifrose.KJ TROJ_DROPPER.SMS Win.Trojan.Bifrose-9522 Trojan.Win32.Midgare.bqxuse BackDoor.Bifrost.26217 BehavesLike.Win32.Downloader.kc Backdoor/Bifrose.ovy TR/Midgare.adjf Trojan[Backdoor]/Win32.Bifrose Win32.Hack.MnlessT.lo.88519 TrojanDropper:Win32/Dooxud.A Trojan.Graftor.D46F7 Backdoor.Win32.Bifrose.77824.N Trojan/Win32.Bifrose.R3685 Backdoor.Bifrose VirTool.Injector!nUBzjCDRby4 Trojan.Win32.Midgare", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Dorkbot.II4": [[26, 51]], "Indicator: Backdoor.Bifrose.Win32.18816": [[52, 80]], "Indicator: Backdoor.Bifrose": [[81, 97], [538, 554]], "Indicator: Trojan/Midgare.advf": [[98, 117]], "Indicator: TROJ_DROPPER.SMS": [[118, 134], [210, 226]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[135, 177]], "Indicator: Trojan.Dropper": [[178, 192]], "Indicator: Win32/Bifrose.KJ": [[193, 209]], "Indicator: Win.Trojan.Bifrose-9522": [[227, 250]], "Indicator: Trojan.Win32.Midgare.bqxuse": [[251, 278]], "Indicator: BackDoor.Bifrost.26217": [[279, 301]], "Indicator: BehavesLike.Win32.Downloader.kc": [[302, 333]], "Indicator: Backdoor/Bifrose.ovy": [[334, 354]], "Indicator: TR/Midgare.adjf": [[355, 370]], "Indicator: Trojan[Backdoor]/Win32.Bifrose": [[371, 401]], "Indicator: Win32.Hack.MnlessT.lo.88519": [[402, 429]], "Indicator: TrojanDropper:Win32/Dooxud.A": [[430, 458]], "Indicator: 
Trojan.Graftor.D46F7": [[459, 479]], "Indicator: Backdoor.Win32.Bifrose.77824.N": [[480, 510]], "Indicator: Trojan/Win32.Bifrose.R3685": [[511, 537]], "Indicator: VirTool.Injector!nUBzjCDRby4": [[555, 583]], "Indicator: Trojan.Win32.Midgare": [[584, 604]]}, "info": {"id": "cyner2_5class_train_04528", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers originally discovered the Panda Banker malware in February, 2016.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: the Panda Banker malware": [[45, 69]]}, "info": {"id": "cyner2_5class_train_04529", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9961 Trojan.Win32.Bladabindi.esnxij Trojan.Win32.Z.Bladabindi.116224.CW Worm.MSIL.Autorun Trojan.MSIL.Bladabindi.1 TrojanDownloader:MSIL/Prardrukat.A Trj/GdSda.A Win32.Trojan.Atraps.Taew Win32/Trojan.62b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[26, 68]], "Indicator: Trojan.Win32.Bladabindi.esnxij": [[69, 99]], "Indicator: Trojan.Win32.Z.Bladabindi.116224.CW": [[100, 135]], "Indicator: Worm.MSIL.Autorun": [[136, 153]], "Indicator: Trojan.MSIL.Bladabindi.1": [[154, 178]], "Indicator: TrojanDownloader:MSIL/Prardrukat.A": [[179, 213]], "Indicator: Trj/GdSda.A": [[214, 225]], "Indicator: Win32.Trojan.Atraps.Taew": [[226, 250]], "Indicator: Win32/Trojan.62b": [[251, 267]]}, "info": {"id": "cyner2_5class_train_04530", "source": "cyner2_5class_train"}} +{"text": "Beginning on October 30, 2015, Palo Alto Networks began seeing instances of this new version of CryptoWall, which some researchers have begun calling version 4.", "spans": {"Organization: Palo Alto Networks": [[31, 49]], "Malware: CryptoWall,": [[96, 107]], "Organization: researchers": [[119, 130]], "Malware: version 4.": [[150, 160]]}, "info": {"id": "cyner2_5class_train_04531", "source": "cyner2_5class_train"}} +{"text": "Table 2 below lists some of these apps 
with their respective metadata .", "spans": {}, "info": {"id": "cyner2_5class_train_04532", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeFolderDAS.Trojan Backdoor.Win32.BlackHole!O Worm.RussoTuristo Worm.RussoTuristo.Win32.83 Trojan.Heur.E54A1B Win32/Russo.A Worm.Win32.RussoTuristo.f Trojan.Win32.Amorale.crsxml Worm.Win32.RussoTuristo.53326 Trojan.Win32.FakeFolder.pb Win32.HLLW.Amorale BehavesLike.Win32.Adware.qh Backdoor/Blackhole.bmv Worm/Win32.RussoTuristo Worm.Win32.RussoTuristo.f Worm/Win32.RussoTuristo.R58000 Worm.TycKa.K Worm.Win32.RussoTuristo Worm.Win32.FakeFolder.CI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeFolderDAS.Trojan": [[26, 50]], "Indicator: Backdoor.Win32.BlackHole!O": [[51, 77]], "Indicator: Worm.RussoTuristo": [[78, 95]], "Indicator: Worm.RussoTuristo.Win32.83": [[96, 122]], "Indicator: Trojan.Heur.E54A1B": [[123, 141]], "Indicator: Win32/Russo.A": [[142, 155]], "Indicator: Worm.Win32.RussoTuristo.f": [[156, 181], [361, 386]], "Indicator: Trojan.Win32.Amorale.crsxml": [[182, 209]], "Indicator: Worm.Win32.RussoTuristo.53326": [[210, 239]], "Indicator: Trojan.Win32.FakeFolder.pb": [[240, 266]], "Indicator: Win32.HLLW.Amorale": [[267, 285]], "Indicator: BehavesLike.Win32.Adware.qh": [[286, 313]], "Indicator: Backdoor/Blackhole.bmv": [[314, 336]], "Indicator: Worm/Win32.RussoTuristo": [[337, 360]], "Indicator: Worm/Win32.RussoTuristo.R58000": [[387, 417]], "Indicator: Worm.TycKa.K": [[418, 430]], "Indicator: Worm.Win32.RussoTuristo": [[431, 454]], "Indicator: Worm.Win32.FakeFolder.CI": [[455, 479]]}, "info": {"id": "cyner2_5class_train_04533", "source": "cyner2_5class_train"}} +{"text": "In the past weeks on 6 August 2016, Cyberkov Security Incident Response Team CSIRT received a numerous Android malwares operating in different areas in Libya especially in Tripoli and Benghazi.", "spans": {"Organization: Cyberkov Security Incident Response Team CSIRT": [[36, 82]], "Malware: Android malwares": 
[[103, 119]]}, "info": {"id": "cyner2_5class_train_04534", "source": "cyner2_5class_train"}} +{"text": "Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide.", "spans": {"Malware: malware called": [[49, 63]], "Indicator: Trojan.Odinaff": [[64, 78]], "Organization: financial organizations worldwide.": [[105, 139]]}, "info": {"id": "cyner2_5class_train_04535", "source": "cyner2_5class_train"}} +{"text": "The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by using multiple methods of re-direction in an attempt to infect the victim machine.", "spans": {"Organization: Talos": [[13, 18]], "Organization: Brazilian users": [[39, 54]], "System: the victim machine.": [[159, 178]]}, "info": {"id": "cyner2_5class_train_04536", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Syamcrog Trojan.Ursu.D1107 Win.Trojan.Bifrose-10939 Trojan.Win32.Tiny.etjahi TR/Downloader.wgueo Trojan:Win32/Syamcrog.A Trojan.Refroso Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Syamcrog": [[26, 41]], "Indicator: Trojan.Ursu.D1107": [[42, 59]], "Indicator: Win.Trojan.Bifrose-10939": [[60, 84]], "Indicator: Trojan.Win32.Tiny.etjahi": [[85, 109]], "Indicator: TR/Downloader.wgueo": [[110, 129]], "Indicator: Trojan:Win32/Syamcrog.A": [[130, 153]], "Indicator: Trojan.Refroso": [[154, 168]], "Indicator: Trj/GdSda.A": [[169, 180]]}, "info": {"id": "cyner2_5class_train_04537", "source": "cyner2_5class_train"}} +{"text": "Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.", "spans": {"Malware: ransomware.": [[137, 148]]}, "info": {"id": "cyner2_5class_train_04538", "source": "cyner2_5class_train"}} +{"text": "This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay 
attack even on Android 6 , which has technical improvements compared to the previous Android versions to prevent such attacks .", "spans": {"System: Android 6": [[136, 145]], "System: Android": [[206, 213]]}, "info": {"id": "cyner2_5class_train_04539", "source": "cyner2_5class_train"}} +{"text": "Meanwhile, we have informed the Google Play security team about the RetroTetris app and are awaiting their response.", "spans": {"Organization: Google Play security team": [[32, 57]], "Malware: RetroTetris app": [[68, 83]]}, "info": {"id": "cyner2_5class_train_04540", "source": "cyner2_5class_train"}} +{"text": "Adobe released a patch for the vulnerability on July 8, 2015.", "spans": {"Organization: Adobe": [[0, 5]], "Vulnerability: vulnerability": [[31, 44]]}, "info": {"id": "cyner2_5class_train_04541", "source": "cyner2_5class_train"}} +{"text": "Evolution of Rotexy 2014–2015 Since the malicious program was detected in 2014 , its main functions and propagation method have not changed : Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app .", "spans": {"Malware: Rotexy": [[13, 19], [142, 148]]}, "info": {"id": "cyner2_5class_train_04542", "source": "cyner2_5class_train"}} +{"text": "The malware payloads observed to be associated with the Uyghur themed C2 domains so far consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.", "spans": {"Malware: The malware payloads": [[0, 20]], "Organization: Uyghur": [[56, 62]], "Indicator: themed C2 domains": [[63, 80]], "Malware: PlugX, Gh0st RAT,": [[99, 116]], "Malware: Saker/Xbox,": [[121, 132]]}, "info": {"id": "cyner2_5class_train_04543", "source": "cyner2_5class_train"}} +{"text": "The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store , combined with social engineering delivered via social media platforms like 
Facebook , requires minimal investment in comparison to premium tooling like Pegasus or FinFisher .", "spans": {"System: Google Play Store": [[171, 188]], "Organization: Facebook": [[266, 274]], "Malware: Pegasus": [[343, 350]], "Malware: FinFisher": [[354, 363]]}, "info": {"id": "cyner2_5class_train_04544", "source": "cyner2_5class_train"}} +{"text": "However , this method may not work if the threat actors react quickly to an attempt to remove the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_04545", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor.RevetRat.2 BehavesLike.Win32.Trojan.cc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor.RevetRat.2": [[26, 45]], "Indicator: BehavesLike.Win32.Trojan.cc": [[46, 73]]}, "info": {"id": "cyner2_5class_train_04546", "source": "cyner2_5class_train"}} +{"text": "Not only that, but the Windows version was additionally equipped with a valid code signing signature.", "spans": {"System: Windows version": [[23, 38]], "Indicator: valid code signing signature.": [[72, 101]]}, "info": {"id": "cyner2_5class_train_04547", "source": "cyner2_5class_train"}} +{"text": "This was followed by another great blog by McAfee on the same subject but my focus will be on a specific aspect mentioned in the RSA blog which is the exploit used. 
FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft's Encapsulated Postscript EPS filter, in the summer of 2015.", "spans": {"Organization: McAfee": [[43, 49]], "Organization: RSA": [[129, 132]], "Malware: exploit": [[151, 158]], "Organization: FireEye": [[165, 172]], "Indicator: malicious docx": [[186, 200]], "Vulnerability: exploiting a zero day vulnerability": [[201, 236]], "Indicator: Microsoft's Encapsulated Postscript EPS filter,": [[240, 287]]}, "info": {"id": "cyner2_5class_train_04548", "source": "cyner2_5class_train"}} +{"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user ’ s knowledge , obtaining a copy of the victim ’ s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) .", "spans": {"System: Address Book": [[190, 202]]}, "info": {"id": "cyner2_5class_train_04549", "source": "cyner2_5class_train"}} +{"text": "Most of them are almost harmless — all they did until recently was injecting tons of ads and downloading others of their kind .", "spans": {}, "info": {"id": "cyner2_5class_train_04550", "source": "cyner2_5class_train"}} +{"text": "Care and concern both for using a mobile device and for securing a mobile device is critical , especially for those organizations that allow bring-your-own-devices .", "spans": {}, "info": {"id": "cyner2_5class_train_04551", "source": "cyner2_5class_train"}} +{"text": "In some cases , TrickMo may use this feature to intercept SMS messages without the knowledge of the user by activating the lockdown screen and intercepting SMS messages in the background .", "spans": {"Malware: TrickMo": [[16, 23]]}, "info": {"id": "cyner2_5class_train_04552", "source": "cyner2_5class_train"}} +{"text": "The first trace of this tool in our telemetry data dates back to late 2015.", "spans": {"Malware: tool": [[24, 28]], "System: telemetry data": [[36, 
50]]}, "info": {"id": "cyner2_5class_train_04553", "source": "cyner2_5class_train"}} +{"text": "This report is a comprehensive description of the JSocket Remote Access Tool RAT, and its significant capability to control PCs, Linux machines, Macs and Android devices.", "spans": {"Malware: JSocket Remote Access Tool RAT,": [[50, 81]], "Indicator: control PCs,": [[116, 128]], "System: Linux machines, Macs": [[129, 149]], "System: Android devices.": [[154, 170]]}, "info": {"id": "cyner2_5class_train_04554", "source": "cyner2_5class_train"}} +{"text": "Earlier this month, FortiGuard Labs researchers published findings about a malware campaign exploiting a PowerPoint vulnerability.", "spans": {"Organization: FortiGuard Labs researchers": [[20, 47]], "Vulnerability: exploiting a PowerPoint vulnerability.": [[92, 130]]}, "info": {"id": "cyner2_5class_train_04555", "source": "cyner2_5class_train"}} +{"text": "While the cyber-world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed.", "spans": {"Malware: ExPetr/Petya": [[62, 74]], "Indicator: attack": [[75, 81]], "Indicator: ransomware attack": [[111, 128]]}, "info": {"id": "cyner2_5class_train_04556", "source": "cyner2_5class_train"}} +{"text": "Cybereason Mobile detects EventBot and provides the user with immediate actions .", "spans": {"System: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[26, 34]]}, "info": {"id": "cyner2_5class_train_04557", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Johnnie.DB3AF Trojan.Win32.Clicker!BT W32/Trojan.IUSC-1586 TrojanClicker:MSIL/Youclick.A Trojan.Win32.Clicker!BT Trojan-Clicker.MSIL.Youclick", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Johnnie.DB3AF": [[26, 46]], "Indicator: Trojan.Win32.Clicker!BT": [[47, 70], [122, 145]], "Indicator: W32/Trojan.IUSC-1586": [[71, 91]], "Indicator: TrojanClicker:MSIL/Youclick.A": 
[[92, 121]], "Indicator: Trojan-Clicker.MSIL.Youclick": [[146, 174]]}, "info": {"id": "cyner2_5class_train_04558", "source": "cyner2_5class_train"}} +{"text": "These included the use of certificate pinning and public key encryption for C2 communications , geo-restrictions imposed by the C2 when delivering the second stage , and the comprehensive and well implemented suite of surveillance features .", "spans": {}, "info": {"id": "cyner2_5class_train_04559", "source": "cyner2_5class_train"}} +{"text": "Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file.", "spans": {"Indicator: attacks": [[28, 35]], "Organization: Unit 42": [[60, 67]], "Malware: tool": [[81, 85]], "Malware: variant": [[118, 125]], "Malware: PlugX RAT": [[144, 153]], "Indicator: usage of DLL side-loading": [[201, 226]], "Indicator: shellcode file.": [[233, 248]]}, "info": {"id": "cyner2_5class_train_04560", "source": "cyner2_5class_train"}} +{"text": "We sourced the over 561MB of exfiltrated data from this domain alone , all of which we found to be 7z compressed and password protected .", "spans": {}, "info": {"id": "cyner2_5class_train_04561", "source": "cyner2_5class_train"}} +{"text": "YOUR PERSONAL ID: Personal ID of your computer, for example: 4df7065b1d049d098526344faaabf3f8", "spans": {"Indicator: YOUR PERSONAL ID: Personal ID of your computer, for example: 4df7065b1d049d098526344faaabf3f8": [[0, 93]]}, "info": {"id": "cyner2_5class_train_04562", "source": "cyner2_5class_train"}} +{"text": "Threat data from endpoints are combined with signals from email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response across domains , providing coordinated defense .", "spans": {"System: 
Microsoft 365 Defender": [[100, 122]], "System: Microsoft Threat Protection": [[136, 163]]}, "info": {"id": "cyner2_5class_train_04563", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sality.lak4 Trojan.Heur.EFE584 Win32.Trojan.WisdomEyes.16070401.9500.9961 Backdoor.Trojan Trojan-PSW.Win32.LdPinch.zie Trojan.DownLoader.origin BehavesLike.Win32.Virut.nt Trojan-PSW.Win32.LdPinch.zie", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.lak4": [[26, 41]], "Indicator: Trojan.Heur.EFE584": [[42, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[61, 103]], "Indicator: Backdoor.Trojan": [[104, 119]], "Indicator: Trojan-PSW.Win32.LdPinch.zie": [[120, 148], [201, 229]], "Indicator: Trojan.DownLoader.origin": [[149, 173]], "Indicator: BehavesLike.Win32.Virut.nt": [[174, 200]]}, "info": {"id": "cyner2_5class_train_04564", "source": "cyner2_5class_train"}} +{"text": ") Technical Analysis App Name : TikTok Pro Hash : 9fed52ee7312e217bd10d6a156c8b988 Package Name : com.example.dat.a8andoserverx Upon installation , the spyware portrays itself as TikTok using the name TikTok Pro .", "spans": {"System: TikTok Pro": [[32, 42], [201, 211]], "Indicator: 9fed52ee7312e217bd10d6a156c8b988": [[50, 82]], "Indicator: com.example.dat.a8andoserverx": [[98, 127]], "System: TikTok": [[179, 185]]}, "info": {"id": "cyner2_5class_train_04565", "source": "cyner2_5class_train"}} +{"text": "] us .", "spans": {}, "info": {"id": "cyner2_5class_train_04566", "source": "cyner2_5class_train"}} +{"text": "The international investigation into the 2014 Iguala Mass Disappearance was targeted with infection attempts using spyware developed by the NSO group, an Israeli cyber warfare company", "spans": {"Organization: Iguala Mass": [[46, 57]], "Indicator: infection attempts": [[90, 108]], "Malware: spyware": [[115, 122]], "Organization: the NSO group,": [[136, 150]], "Organization: Israeli cyber warfare": [[154, 175]]}, "info": {"id": 
"cyner2_5class_train_04567", "source": "cyner2_5class_train"}} +{"text": "In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.", "spans": {"Indicator: attacks": [[10, 17]], "Indicator: fake VPN Web Portal": [[32, 51]], "Organization: IT vendors,": [[87, 98]], "Organization: financial institutes,": [[107, 128]], "Organization: Israeli Post Office.": [[137, 157]]}, "info": {"id": "cyner2_5class_train_04568", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.VBA.Downloader.BU X97M.Petya.A VB:Trojan.VBA.Downloader.BU X2KM_GOLDENEYE.B Xls.Dropper.Goldeneye-3 VB:Trojan.VBA.Downloader.BU Trojan.Script.DnlrObj.ejzqyq Troj.Downloader.Script!c VB:Trojan.VBA.Downloader.BU VB:Trojan.VBA.Downloader.BU X2KM_GOLDENEYE.B X97M/Downloader.au VB:Trojan.VBA.Downloader.BU Trojan:O97M/Goldeneye.A X97M/Downloader.au Trojan-Ransom.VBA.GoldenEye Macro.Trojan-Dropper.Petya.R O97M/Dropper.ALI virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.VBA.Downloader.BU": [[26, 53], [67, 94], [136, 163], [218, 245], [246, 273], [310, 337]], "Indicator: X97M.Petya.A": [[54, 66]], "Indicator: X2KM_GOLDENEYE.B": [[95, 111], [274, 290]], "Indicator: Xls.Dropper.Goldeneye-3": [[112, 135]], "Indicator: Trojan.Script.DnlrObj.ejzqyq": [[164, 192]], "Indicator: Troj.Downloader.Script!c": [[193, 217]], "Indicator: X97M/Downloader.au": [[291, 309], [362, 380]], "Indicator: Trojan:O97M/Goldeneye.A": [[338, 361]], "Indicator: Trojan-Ransom.VBA.GoldenEye": [[381, 408]], "Indicator: Macro.Trojan-Dropper.Petya.R": [[409, 437]], "Indicator: O97M/Dropper.ALI": [[438, 454]], "Indicator: virus.office.obfuscated.1": [[455, 480]]}, "info": {"id": "cyner2_5class_train_04569", "source": "cyner2_5class_train"}} +{"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not 
diligently fix security vulnerabilities .", "spans": {"Vulnerability: security vulnerabilities": [[139, 163]]}, "info": {"id": "cyner2_5class_train_04570", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Haed!O Trojan/Dropper.Haed.co TROJ_DROP.SMUS1 W32/Dropper.BJGT Backdoor.Trojan TROJ_DROP.SMUS1 Win.Trojan.Haed-1 Trojan-Dropper.Win32.Haed.eno Trojan.Win32.Drop.mqlso Troj.Dropper.W32.Haed.eno!c TrojWare.Win32.Kryptik.BAN Trojan.Click1.57099 Dropper.Haed.Win32.381 virus.win32.ramnit.j W32/Risk.OLFU-0240 TR/Drop.He4Hook.B W32/Haed.A!tr.dldr Trojan[Dropper]/Win32.Haed Trojan.Heur.JP.E9E07C Dropper/Win32.Haed.N349364692 AdWare.AdPlus Win32.Trojan-Dropper.Haed.cfsr Trojan-Downloader.Win32.Frethog", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Haed!O": [[26, 53]], "Indicator: Trojan/Dropper.Haed.co": [[54, 76]], "Indicator: TROJ_DROP.SMUS1": [[77, 92], [126, 141]], "Indicator: W32/Dropper.BJGT": [[93, 109]], "Indicator: Backdoor.Trojan": [[110, 125]], "Indicator: Win.Trojan.Haed-1": [[142, 159]], "Indicator: Trojan-Dropper.Win32.Haed.eno": [[160, 189]], "Indicator: Trojan.Win32.Drop.mqlso": [[190, 213]], "Indicator: Troj.Dropper.W32.Haed.eno!c": [[214, 241]], "Indicator: TrojWare.Win32.Kryptik.BAN": [[242, 268]], "Indicator: Trojan.Click1.57099": [[269, 288]], "Indicator: Dropper.Haed.Win32.381": [[289, 311]], "Indicator: virus.win32.ramnit.j": [[312, 332]], "Indicator: W32/Risk.OLFU-0240": [[333, 351]], "Indicator: TR/Drop.He4Hook.B": [[352, 369]], "Indicator: W32/Haed.A!tr.dldr": [[370, 388]], "Indicator: Trojan[Dropper]/Win32.Haed": [[389, 415]], "Indicator: Trojan.Heur.JP.E9E07C": [[416, 437]], "Indicator: Dropper/Win32.Haed.N349364692": [[438, 467]], "Indicator: AdWare.AdPlus": [[468, 481]], "Indicator: Win32.Trojan-Dropper.Haed.cfsr": [[482, 512]], "Indicator: Trojan-Downloader.Win32.Frethog": [[513, 544]]}, "info": {"id": "cyner2_5class_train_04571", "source": "cyner2_5class_train"}} 
+{"text": "In most cases , these click fraud apps were uninstalled by the users , probably due to the low quality of the apps .", "spans": {}, "info": {"id": "cyner2_5class_train_04572", "source": "cyner2_5class_train"}} +{"text": "Fortunately , FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples , and help us quickly identify the threat .", "spans": {"System: FireEye Mobile Threat Prevention": [[14, 46]], "Malware: RuMMS": [[127, 132]]}, "info": {"id": "cyner2_5class_train_04573", "source": "cyner2_5class_train"}} +{"text": "During the account sign-up process , Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA .", "spans": {"Organization: Google": [[37, 43]]}, "info": {"id": "cyner2_5class_train_04574", "source": "cyner2_5class_train"}} +{"text": "The APC routine creates a thread in the context of the svchost.exe process that will map and execute the stage 5 malware into the winlogon.exe process .", "spans": {"Indicator: svchost.exe": [[55, 66]], "Indicator: winlogon.exe": [[130, 142]]}, "info": {"id": "cyner2_5class_train_04575", "source": "cyner2_5class_train"}} +{"text": "In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.", "spans": {"Malware: the malware": [[18, 29]], "Malware: ransomware": [[67, 77]], "Malware: Spora": [[86, 91]], "Malware: Mole.": [[96, 101]]}, "info": {"id": "cyner2_5class_train_04576", "source": "cyner2_5class_train"}} +{"text": "Example note:Please follow the instructions Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", "spans": {"Indicator: Example note:Please follow the instructions Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX": [[0, 127]]}, "info": {"id": "cyner2_5class_train_04577", "source": "cyner2_5class_train"}} +{"text": "This specific APK was modified to include the malicious remote 
access tool RAT called DroidJack also known as SandroRAT, which would virtually give an attacker full control over a victim's phone.", "spans": {"System: APK": [[14, 17]], "Malware: malicious remote access tool RAT called DroidJack": [[46, 95]], "Malware: SandroRAT,": [[110, 120]], "Organization: victim's phone.": [[180, 195]]}, "info": {"id": "cyner2_5class_train_04578", "source": "cyner2_5class_train"}} +{"text": "While performing some research online, Unit 42 was able to identify the following sample, which is being labeled as Trojan.Win32.Seadask' by a number of anti-virus companies.", "spans": {"Organization: Unit 42": [[39, 46]], "Indicator: Trojan.Win32.Seadask'": [[116, 137]], "Organization: anti-virus companies.": [[153, 174]]}, "info": {"id": "cyner2_5class_train_04579", "source": "cyner2_5class_train"}} +{"text": "Truth be told, these are all likely just improvements by the author to fix bugs or simply a shift in approach to make signature matching more difficult rather then a completely new variant.", "spans": {}, "info": {"id": "cyner2_5class_train_04580", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_INJECT.YYTS Win32.Trojan.WisdomEyes.16070401.9500.9953 Infostealer.Limitail TROJ_INJECT.YYTS Trojan.Win32.Inject.dkhjux Trojan/Scarsi.uz W32.Tepfer.Uqxl TR/MailPassStlr.A.87 Trojan[Dropper]/Win32.FrauDrop Trojan:MSIL/Limitless.A Trojan/Win32.DarkKomet.C641651 TrojanDropper.Injector Trj/CI.A Trojan.Injector!yje4mrhO7hs", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_INJECT.YYTS": [[26, 42], [107, 123]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9953": [[43, 85]], "Indicator: Infostealer.Limitail": [[86, 106]], "Indicator: Trojan.Win32.Inject.dkhjux": [[124, 150]], "Indicator: Trojan/Scarsi.uz": [[151, 167]], "Indicator: W32.Tepfer.Uqxl": [[168, 183]], "Indicator: TR/MailPassStlr.A.87": [[184, 204]], "Indicator: Trojan[Dropper]/Win32.FrauDrop": [[205, 235]], "Indicator: Trojan:MSIL/Limitless.A": [[236, 
259]], "Indicator: Trojan/Win32.DarkKomet.C641651": [[260, 290]], "Indicator: TrojanDropper.Injector": [[291, 313]], "Indicator: Trj/CI.A": [[314, 322]], "Indicator: Trojan.Injector!yje4mrhO7hs": [[323, 350]]}, "info": {"id": "cyner2_5class_train_04581", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.SWF.CVE-2012-0754.B Exploit/W32.CVE-2012-0754 Exp.SWF.CVE-2012-0754 Exploit.CVE-2012-0754 Exploit.SWF.CVE-2012-0754.a!c Trojan.Mdropper SWF/Exploit.CVE-2012-0754.A SWF_EXPLCVE.A Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.a Exploit.SWF.CVE-2012-0754.B Exploit.S.D-Encrypted.106604 Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.B Exploit.CVE-2012-0754.1 SWF_EXPLCVE.A Exploit-MSWord.o DOC/SWFDropper.A!Camelot TrojanDownloader.SWF.t Trojan[Exploit]/SWF.CVE-2012-0754.a Exploit:Win32/CVE-2012-0754.A Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.a Exploit-MSWord.o Exploit.SWF.CVE-2012-0754.a Win32.Exploit.Cve-2012-0754.Ajli Exploit.CVE-2012-0754.A Exploit.SWF.CVE-2012-0754 W32/SWFExp.AS!tr Win32/Trojan.Exploit.6a5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.SWF.CVE-2012-0754.B": [[26, 53], [212, 239], [268, 295], [325, 352], [353, 380], [550, 577]], "Indicator: Exploit/W32.CVE-2012-0754": [[54, 79]], "Indicator: Exp.SWF.CVE-2012-0754": [[80, 101]], "Indicator: Exploit.CVE-2012-0754": [[102, 123]], "Indicator: Exploit.SWF.CVE-2012-0754.a!c": [[124, 153]], "Indicator: Trojan.Mdropper": [[154, 169]], "Indicator: SWF/Exploit.CVE-2012-0754.A": [[170, 197]], "Indicator: SWF_EXPLCVE.A": [[198, 211], [405, 418]], "Indicator: Exploit.SWF.CVE-2012-0754.a": [[240, 267], [578, 605], [623, 650]], "Indicator: Exploit.S.D-Encrypted.106604": [[296, 324]], "Indicator: Exploit.CVE-2012-0754.1": [[381, 404]], "Indicator: Exploit-MSWord.o": [[419, 435], [606, 622]], "Indicator: DOC/SWFDropper.A!Camelot": [[436, 460]], "Indicator: TrojanDownloader.SWF.t": [[461, 483]], "Indicator: Trojan[Exploit]/SWF.CVE-2012-0754.a": 
[[484, 519]], "Indicator: Exploit:Win32/CVE-2012-0754.A": [[520, 549]], "Indicator: Win32.Exploit.Cve-2012-0754.Ajli": [[651, 683]], "Indicator: Exploit.CVE-2012-0754.A": [[684, 707]], "Indicator: Exploit.SWF.CVE-2012-0754": [[708, 733]], "Indicator: W32/SWFExp.AS!tr": [[734, 750]], "Indicator: Win32/Trojan.Exploit.6a5": [[751, 775]]}, "info": {"id": "cyner2_5class_train_04582", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.BHO!O TrojanDownloader.Gamup Trojan/BHO.obt Trojan.Zusy.D42D95 TROJ_STARTP.SML2 Win32.Trojan.BHO.n TROJ_STARTP.SML2 Win.Trojan.OnlineGames-65 Trojan-Downloader.Win32.Gamup.qjl Trojan.Win32.Gamup.ciurh Trojan.Win32.A.Downloader.409816[UPX] Troj.Downloader.W32.Gamup!c Trojan.DownLoad2.34122 Downloader.Gamup.Win32.146 BehavesLike.Win32.Backdoor.cc Trojan.Win32.StartPage TR/BHO.efkmnb Trojan[Downloader]/Win32.Gamup Trojan-Downloader.Win32.Gamup.qjl TrojanDownloader.Gamup Win32.Trojan-downloader.Gamup.Ebhc Win32/Trojan.f4f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.BHO!O": [[26, 44]], "Indicator: TrojanDownloader.Gamup": [[45, 67], [488, 510]], "Indicator: Trojan/BHO.obt": [[68, 82]], "Indicator: Trojan.Zusy.D42D95": [[83, 101]], "Indicator: TROJ_STARTP.SML2": [[102, 118], [138, 154]], "Indicator: Win32.Trojan.BHO.n": [[119, 137]], "Indicator: Win.Trojan.OnlineGames-65": [[155, 180]], "Indicator: Trojan-Downloader.Win32.Gamup.qjl": [[181, 214], [454, 487]], "Indicator: Trojan.Win32.Gamup.ciurh": [[215, 239]], "Indicator: Trojan.Win32.A.Downloader.409816[UPX]": [[240, 277]], "Indicator: Troj.Downloader.W32.Gamup!c": [[278, 305]], "Indicator: Trojan.DownLoad2.34122": [[306, 328]], "Indicator: Downloader.Gamup.Win32.146": [[329, 355]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[356, 385]], "Indicator: Trojan.Win32.StartPage": [[386, 408]], "Indicator: TR/BHO.efkmnb": [[409, 422]], "Indicator: Trojan[Downloader]/Win32.Gamup": [[423, 453]], "Indicator: Win32.Trojan-downloader.Gamup.Ebhc": 
[[511, 545]], "Indicator: Win32/Trojan.f4f": [[546, 562]]}, "info": {"id": "cyner2_5class_train_04583", "source": "cyner2_5class_train"}} +{"text": "During the past few weeks there has been an increase in malvertising attacks, for example via a series of compromises of open source Revive ad servers which is still continuing.", "spans": {"Indicator: malvertising attacks,": [[56, 77]], "Indicator: compromises": [[106, 117]], "System: open source Revive ad servers": [[121, 150]]}, "info": {"id": "cyner2_5class_train_04584", "source": "cyner2_5class_train"}} +{"text": "In the third version spotted in the wild , the author introduced parts of the source code of the infamous Anubis Trojan ( which was leaked earlier in 2019 ) .", "spans": {"Malware: Anubis": [[106, 112]]}, "info": {"id": "cyner2_5class_train_04585", "source": "cyner2_5class_train"}} +{"text": "Utilizing AutoIT within a payload is unique because it is a legitimate management tool.", "spans": {"Malware: AutoIT": [[10, 16]], "Malware: payload": [[26, 33]], "System: legitimate management tool.": [[60, 87]]}, "info": {"id": "cyner2_5class_train_04586", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Batman.B Trojan/W32.Batman.24576 Trojan.Batman.B Trojan/Batman.b Trojan.Batman.B W32.BatmanTroj Win32/Batman.B TROJ_BATMAN.B Dos.Trojan.an-1 Trojan.Win32.Batman.b Trojan.Win32.Batman.dcuw Trojan.Win32.S.Batman.24576[h] Win32.Trojan.Batman.Efkt Trojan.Batman.B TrojWare.Win32.Batman.B0 Trojan.Batman.B Trojan.Batman.24576 Trojan.Batman.Win32.2 TROJ_BATMAN.B W32/Trojan.DVOK-6663 Trojan/Win32.Batman.b TR/Batman.B W32/Batman.B!tr Trojan/Win32.Batman Trojan.Batman.B Troj.W32.Batman.b!c Trojan:Win32/Batman.B Trojan/Win32.Batman.N15760 Trojan.Batman Trojan.Batman!bY5LWYbvsHM Trojan.Win32.Batman Trojan.Batman.B Trj/Batman.B Win32/Trojan.022", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Batman.B": [[26, 41], [66, 81], [98, 113], [277, 292], [318, 333], [481, 496], [626, 641]], 
"Indicator: Trojan/W32.Batman.24576": [[42, 65]], "Indicator: Trojan/Batman.b": [[82, 97]], "Indicator: W32.BatmanTroj": [[114, 128]], "Indicator: Win32/Batman.B": [[129, 143]], "Indicator: TROJ_BATMAN.B": [[144, 157], [376, 389]], "Indicator: Dos.Trojan.an-1": [[158, 173]], "Indicator: Trojan.Win32.Batman.b": [[174, 195]], "Indicator: Trojan.Win32.Batman.dcuw": [[196, 220]], "Indicator: Trojan.Win32.S.Batman.24576[h]": [[221, 251]], "Indicator: Win32.Trojan.Batman.Efkt": [[252, 276]], "Indicator: TrojWare.Win32.Batman.B0": [[293, 317]], "Indicator: Trojan.Batman.24576": [[334, 353]], "Indicator: Trojan.Batman.Win32.2": [[354, 375]], "Indicator: W32/Trojan.DVOK-6663": [[390, 410]], "Indicator: Trojan/Win32.Batman.b": [[411, 432]], "Indicator: TR/Batman.B": [[433, 444]], "Indicator: W32/Batman.B!tr": [[445, 460]], "Indicator: Trojan/Win32.Batman": [[461, 480]], "Indicator: Troj.W32.Batman.b!c": [[497, 516]], "Indicator: Trojan:Win32/Batman.B": [[517, 538]], "Indicator: Trojan/Win32.Batman.N15760": [[539, 565]], "Indicator: Trojan.Batman": [[566, 579]], "Indicator: Trojan.Batman!bY5LWYbvsHM": [[580, 605]], "Indicator: Trojan.Win32.Batman": [[606, 625]], "Indicator: Trj/Batman.B": [[642, 654]], "Indicator: Win32/Trojan.022": [[655, 671]]}, "info": {"id": "cyner2_5class_train_04587", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TrojWare.MSIL.Injector.AOX BackDoor.Blackshades.2 Trojan/Foreign.axc Trojan[Ransom]/Win32.Foreign Trojan:MSIL/Parpwuts.C Win32/Trojan.74b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: TrojWare.MSIL.Injector.AOX": [[69, 95]], "Indicator: BackDoor.Blackshades.2": [[96, 118]], "Indicator: Trojan/Foreign.axc": [[119, 137]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[138, 166]], "Indicator: Trojan:MSIL/Parpwuts.C": [[167, 189]], "Indicator: Win32/Trojan.74b": [[190, 206]]}, "info": {"id": 
"cyner2_5class_train_04588", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Daws!O TrojanDropper.Daws Win32.Worm.VB.sk W32.SillyFDC Trojan-Dropper.Win32.Daws.bkbb Trojan.Win32.Daws.dwunho Trojan.MulDrop4.55506 Dropper.Daws.Win32.11917 BehavesLike.Win32.VBObfus.vz Win32/Virut.bv Trojan[Dropper]/Win32.Daws TrojanDropper:Win32/Vimdop.A!bit Trojan.Razy.D1F32 Trojan-Dropper.Win32.Daws.bkbb Dropper/Win32.Daws.R88727 TScope.Trojan.VB Win32.Trojan-dropper.Daws.Wsug Trojan.DR.Daws!i7I48rjdKf8 Trojan.VB2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Daws!O": [[26, 53]], "Indicator: TrojanDropper.Daws": [[54, 72]], "Indicator: Win32.Worm.VB.sk": [[73, 89]], "Indicator: W32.SillyFDC": [[90, 102]], "Indicator: Trojan-Dropper.Win32.Daws.bkbb": [[103, 133], [328, 358]], "Indicator: Trojan.Win32.Daws.dwunho": [[134, 158]], "Indicator: Trojan.MulDrop4.55506": [[159, 180]], "Indicator: Dropper.Daws.Win32.11917": [[181, 205]], "Indicator: BehavesLike.Win32.VBObfus.vz": [[206, 234]], "Indicator: Win32/Virut.bv": [[235, 249]], "Indicator: Trojan[Dropper]/Win32.Daws": [[250, 276]], "Indicator: TrojanDropper:Win32/Vimdop.A!bit": [[277, 309]], "Indicator: Trojan.Razy.D1F32": [[310, 327]], "Indicator: Dropper/Win32.Daws.R88727": [[359, 384]], "Indicator: TScope.Trojan.VB": [[385, 401]], "Indicator: Win32.Trojan-dropper.Daws.Wsug": [[402, 432]], "Indicator: Trojan.DR.Daws!i7I48rjdKf8": [[433, 459]], "Indicator: Trojan.VB2": [[460, 470]]}, "info": {"id": "cyner2_5class_train_04589", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.66136.T Trojan-GameThief.Win32.OnLineGames!O PWS.Zhengtu.BB3 Trojan/OnLineGames.ajcfn Trojan.Zusy.D2717 Win32.Trojan-PSW.OLGames.cm Infostealer.Onlinegame Win.Trojan.Onlinegames-14906 Trojan.Win32.OnLineGames.vtdwn Troj.GameThief.W32.OnLineGames.lulb TrojWare.Win32.GameThief.Magania.~NWABZ Trojan.PWS.Wsgame.34942 Trojan.OnLineGames.Win32.120767 
BehavesLike.Win32.Vundo.kh Heur:Trojan/PSW.OnLineGames Trojan[GameThief]/Win32.OnLineGames PWS:Win32/Zhengtu.B!dll Trojan/Win32.OnlineGameHack.R23439 PWS-OnlineGames.ld TrojanPSW.OnLineGames.ai Trojan.Win32.OnlineGames.zt Trojan.PWS.OnLineGames!atUPCfHrrdw Trojan-Spy.OnLineGames W32/Onlinegames.WXA!tr Trojan.PSW.Win32.GameOnline.EN", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.66136.T": [[26, 56]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[57, 93]], "Indicator: PWS.Zhengtu.BB3": [[94, 109]], "Indicator: Trojan/OnLineGames.ajcfn": [[110, 134]], "Indicator: Trojan.Zusy.D2717": [[135, 152]], "Indicator: Win32.Trojan-PSW.OLGames.cm": [[153, 180]], "Indicator: Infostealer.Onlinegame": [[181, 203]], "Indicator: Win.Trojan.Onlinegames-14906": [[204, 232]], "Indicator: Trojan.Win32.OnLineGames.vtdwn": [[233, 263]], "Indicator: Troj.GameThief.W32.OnLineGames.lulb": [[264, 299]], "Indicator: TrojWare.Win32.GameThief.Magania.~NWABZ": [[300, 339]], "Indicator: Trojan.PWS.Wsgame.34942": [[340, 363]], "Indicator: Trojan.OnLineGames.Win32.120767": [[364, 395]], "Indicator: BehavesLike.Win32.Vundo.kh": [[396, 422]], "Indicator: Heur:Trojan/PSW.OnLineGames": [[423, 450]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[451, 486]], "Indicator: PWS:Win32/Zhengtu.B!dll": [[487, 510]], "Indicator: Trojan/Win32.OnlineGameHack.R23439": [[511, 545]], "Indicator: PWS-OnlineGames.ld": [[546, 564]], "Indicator: TrojanPSW.OnLineGames.ai": [[565, 589]], "Indicator: Trojan.Win32.OnlineGames.zt": [[590, 617]], "Indicator: Trojan.PWS.OnLineGames!atUPCfHrrdw": [[618, 652]], "Indicator: Trojan-Spy.OnLineGames": [[653, 675]], "Indicator: W32/Onlinegames.WXA!tr": [[676, 698]], "Indicator: Trojan.PSW.Win32.GameOnline.EN": [[699, 729]]}, "info": {"id": "cyner2_5class_train_04590", "source": "cyner2_5class_train"}} +{"text": "Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for 
rent .", "spans": {"Malware: Gustuff": [[56, 63]], "Indicator: Exploit.in": [[96, 106]]}, "info": {"id": "cyner2_5class_train_04591", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crypt.Delf.E Trojan.Crypt.Delf.E Trojan/Downloader.Dadobra.as Trojan.Crypt.Delf.E Trojan.DL.Dadobra!9AHkQxAvV1E W32/Bancos.APF Downloader.Trojan TSPY_BANKER.UV Trojan-Downloader.Win32.Dadobra.af Trojan.Crypt.Delf.E Trojan.Win32.Dadobra.cmicp Trojan.Win32.Downloader.375808.K[h] Trojan.Crypt.Delf.E Trojan.Crypt.Delf.E Trojan.DownLoader.2321 Downloader.Dadobra.Win32.410 TSPY_BANKER.UV TrojanDownloader.Dadobra.as Trojan[Downloader]/Win32.Dadobra TrojanDownloader:Win32/Dadobra.BM Troj.Downloader.W32.Dadobra.as!c Trojan/Win32.Dadobra Trojan.Crypt.Delf.E Trojan.Win32.Dadobra.af Trojan-Dropper.Delf W32/Delf.DOA!tr.dldr PSW.Banker.33.BG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.Delf.E": [[26, 45], [46, 65], [95, 114], [228, 247], [311, 330], [331, 350], [567, 586]], "Indicator: Trojan/Downloader.Dadobra.as": [[66, 94]], "Indicator: Trojan.DL.Dadobra!9AHkQxAvV1E": [[115, 144]], "Indicator: W32/Bancos.APF": [[145, 159]], "Indicator: Downloader.Trojan": [[160, 177]], "Indicator: TSPY_BANKER.UV": [[178, 192], [403, 417]], "Indicator: Trojan-Downloader.Win32.Dadobra.af": [[193, 227]], "Indicator: Trojan.Win32.Dadobra.cmicp": [[248, 274]], "Indicator: Trojan.Win32.Downloader.375808.K[h]": [[275, 310]], "Indicator: Trojan.DownLoader.2321": [[351, 373]], "Indicator: Downloader.Dadobra.Win32.410": [[374, 402]], "Indicator: TrojanDownloader.Dadobra.as": [[418, 445]], "Indicator: Trojan[Downloader]/Win32.Dadobra": [[446, 478]], "Indicator: TrojanDownloader:Win32/Dadobra.BM": [[479, 512]], "Indicator: Troj.Downloader.W32.Dadobra.as!c": [[513, 545]], "Indicator: Trojan/Win32.Dadobra": [[546, 566]], "Indicator: Trojan.Win32.Dadobra.af": [[587, 610]], "Indicator: Trojan-Dropper.Delf": [[611, 630]], "Indicator: W32/Delf.DOA!tr.dldr": [[631, 651]], 
"Indicator: PSW.Banker.33.BG": [[652, 668]]}, "info": {"id": "cyner2_5class_train_04592", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VariantNetvat.Trojan Trojan.Netvat Backdoor.Trojan Trojan.Win32.Netvat.45056 Worm.Win32.Tenavt.A Trojan.DownLoader11.42361 BehavesLike.Win32.Downloader.pt W32/Trojan.SSPB-9075 Trojan:Win32/Netvat.E!Dll Trojan.Graftor.D29A7D Trojan/Win32.Menti.R124411 Win32.Trojan.Dropper.Heur Worm.Tenavt!JDujK3yXihg W32/Kryptik.DTAI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VariantNetvat.Trojan": [[26, 50]], "Indicator: Trojan.Netvat": [[51, 64]], "Indicator: Backdoor.Trojan": [[65, 80]], "Indicator: Trojan.Win32.Netvat.45056": [[81, 106]], "Indicator: Worm.Win32.Tenavt.A": [[107, 126]], "Indicator: Trojan.DownLoader11.42361": [[127, 152]], "Indicator: BehavesLike.Win32.Downloader.pt": [[153, 184]], "Indicator: W32/Trojan.SSPB-9075": [[185, 205]], "Indicator: Trojan:Win32/Netvat.E!Dll": [[206, 231]], "Indicator: Trojan.Graftor.D29A7D": [[232, 253]], "Indicator: Trojan/Win32.Menti.R124411": [[254, 280]], "Indicator: Win32.Trojan.Dropper.Heur": [[281, 306]], "Indicator: Worm.Tenavt!JDujK3yXihg": [[307, 330]], "Indicator: W32/Kryptik.DTAI!tr": [[331, 350]]}, "info": {"id": "cyner2_5class_train_04593", "source": "cyner2_5class_train"}} +{"text": "On the other side , ByteDance has filed a lawsuit suing the Trump administration .", "spans": {"Organization: ByteDance": [[20, 29]]}, "info": {"id": "cyner2_5class_train_04594", "source": "cyner2_5class_train"}} +{"text": "However it's important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016.", "spans": {"Malware: toolset": [[60, 67]], "Indicator: attacks": [[149, 156]]}, "info": {"id": "cyner2_5class_train_04595", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9906 Trojan.Win32.PeaceDuke.gfb Trojan.Win32.Z.Peaceduke.3126830 Win32.Trojan.Peaceduke.Taow BehavesLike.Win32.Worm.vc TR/PeaceDuke.wuwtd Backdoor:Win32/Cozer.A!dha Trojan.Win32.PeaceDuke.gfb Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9906": [[26, 68]], "Indicator: Trojan.Win32.PeaceDuke.gfb": [[69, 95], [229, 255]], "Indicator: Trojan.Win32.Z.Peaceduke.3126830": [[96, 128]], "Indicator: Win32.Trojan.Peaceduke.Taow": [[129, 156]], "Indicator: BehavesLike.Win32.Worm.vc": [[157, 182]], "Indicator: TR/PeaceDuke.wuwtd": [[183, 201]], "Indicator: Backdoor:Win32/Cozer.A!dha": [[202, 228]], "Indicator: Trj/CI.A": [[256, 264]]}, "info": {"id": "cyner2_5class_train_04596", "source": "cyner2_5class_train"}} +{"text": "It opens the service thread of the service process and uses the ZwQueueApcThread native API to inject an APC .", "spans": {"Indicator: ZwQueueApcThread": [[64, 80]]}, "info": {"id": "cyner2_5class_train_04597", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/RiskWare.PEMalform.E W32.W.Otwycal.l4av Tool.YahooCrack HackTool.YahoCrack.21 HackTool:Win32/Yacra.2_1 HackTool.Win32.Yacra", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/RiskWare.PEMalform.E": [[26, 52]], "Indicator: W32.W.Otwycal.l4av": [[53, 71]], "Indicator: Tool.YahooCrack": [[72, 87]], "Indicator: HackTool.YahoCrack.21": [[88, 109]], "Indicator: HackTool:Win32/Yacra.2_1": [[110, 134]], "Indicator: HackTool.Win32.Yacra": [[135, 155]]}, "info": {"id": "cyner2_5class_train_04598", "source": "cyner2_5class_train"}} +{"text": "Phishing page from the French version of the Trojan Communication with C & C Riltok actively communicates with its C & C server .", "spans": {"Malware: Riltok": [[77, 83]]}, "info": {"id": "cyner2_5class_train_04599", "source": "cyner2_5class_train"}} +{"text": "The Trojan encrypts files on the compromised computer and adds the following prefix 
before file names: ISHTAR-", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: encrypts files": [[11, 25]], "System: compromised computer": [[33, 53]], "Indicator: prefix": [[77, 83]], "Indicator: file names: ISHTAR-": [[91, 110]]}, "info": {"id": "cyner2_5class_train_04600", "source": "cyner2_5class_train"}} +{"text": "APK files will not natively open in an environment other than an Android device .", "spans": {"System: Android": [[65, 72]]}, "info": {"id": "cyner2_5class_train_04601", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Nethief.XP Backdoor/W32.Nethief.78611 Backdoor.Win32.Nethief!O Backdoor/Nethief.XP.a Win32.Trojan.WisdomEyes.16070401.9500.9612 W32/Nethief.K@bd Backdoor.Trojan Win32/Nethief.XP.A.Server BKDR_NETHIEFXP.A Backdoor.Nethief.XP Backdoor.Win32.Nethief.ek Backdoor.Nethief.XP Trojan.Win32.Nethief.dknn Backdoor.Win32.A.Nethief.78611[UPX] Win32.Backdoor.Nethief.Aiim Backdoor.Nethief.XP Backdoor.Win32.Nethief.XP.Server Backdoor.Nethief.XP BackDoor.NethiefXP Backdoor.Nethief.Win32.139 BKDR_NETHIEFXP.A BehavesLike.Win32.Virut.lc W32/Nethief.HBZO-6955 Backdoor/Nethief.XP BDS/Nethief.XP.A Trojan[Backdoor]/Win32.Nethief Win32.Hack.Nethief.XP.kcloud Backdoor.Nethief.XP Backdoor.W32.Nethief!c Backdoor.Win32.Nethief.ek Backdoor:Win32/NetThief_XP.B Trojan/Win32.HDC.C762 Backdoor.Nethief.XP Backdoor.Nethief Backdoor.Nethief!0mFzAwzISB0 Backdoor.Win32.Ceckno W32/Nethief.EK!tr.bdr Win32/Backdoor.048", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Nethief.XP": [[26, 45], [239, 258], [285, 304], [395, 414], [448, 467], [677, 696], [797, 816]], "Indicator: Backdoor/W32.Nethief.78611": [[46, 72]], "Indicator: Backdoor.Win32.Nethief!O": [[73, 97]], "Indicator: Backdoor/Nethief.XP.a": [[98, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9612": [[120, 162]], "Indicator: W32/Nethief.K@bd": [[163, 179]], "Indicator: Backdoor.Trojan": [[180, 195]], "Indicator: Win32/Nethief.XP.A.Server": [[196, 221]], 
"Indicator: BKDR_NETHIEFXP.A": [[222, 238], [514, 530]], "Indicator: Backdoor.Win32.Nethief.ek": [[259, 284], [720, 745]], "Indicator: Trojan.Win32.Nethief.dknn": [[305, 330]], "Indicator: Backdoor.Win32.A.Nethief.78611[UPX]": [[331, 366]], "Indicator: Win32.Backdoor.Nethief.Aiim": [[367, 394]], "Indicator: Backdoor.Win32.Nethief.XP.Server": [[415, 447]], "Indicator: BackDoor.NethiefXP": [[468, 486]], "Indicator: Backdoor.Nethief.Win32.139": [[487, 513]], "Indicator: BehavesLike.Win32.Virut.lc": [[531, 557]], "Indicator: W32/Nethief.HBZO-6955": [[558, 579]], "Indicator: Backdoor/Nethief.XP": [[580, 599]], "Indicator: BDS/Nethief.XP.A": [[600, 616]], "Indicator: Trojan[Backdoor]/Win32.Nethief": [[617, 647]], "Indicator: Win32.Hack.Nethief.XP.kcloud": [[648, 676]], "Indicator: Backdoor.W32.Nethief!c": [[697, 719]], "Indicator: Backdoor:Win32/NetThief_XP.B": [[746, 774]], "Indicator: Trojan/Win32.HDC.C762": [[775, 796]], "Indicator: Backdoor.Nethief": [[817, 833]], "Indicator: Backdoor.Nethief!0mFzAwzISB0": [[834, 862]], "Indicator: Backdoor.Win32.Ceckno": [[863, 884]], "Indicator: W32/Nethief.EK!tr.bdr": [[885, 906]], "Indicator: Win32/Backdoor.048": [[907, 925]]}, "info": {"id": "cyner2_5class_train_04602", "source": "cyner2_5class_train"}} +{"text": "FakeSpy first targeted South Korean and Japanese speakers .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_04603", "source": "cyner2_5class_train"}} +{"text": "The distribution of rooting malware through Google Play is not a new thing .", "spans": {"System: Google Play": [[44, 55]]}, "info": {"id": "cyner2_5class_train_04604", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Dropper/Win32.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Dropper/Win32.Injector": [[38, 60]]}, "info": {"id": "cyner2_5class_train_04605", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
W32.FamVT.ExpiroPC.PE Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9593 Trojan.Evrial!G1 Trojan.Win32.Stealer.exjasr Trojan.PWS.Stealer.21117 BehavesLike.Win32.Backdoor.ch TR/PSW.CoinStealer.nvgeg Trojan.Win32.Z.Razy.139264.GJ Trojan:MSIL/Evrial.B MSIL.Packed.Kryptik.JH Trj/GdSda.A Win32/Trojan.322", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.MSIL": [[48, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9593": [[60, 102]], "Indicator: Trojan.Evrial!G1": [[103, 119]], "Indicator: Trojan.Win32.Stealer.exjasr": [[120, 147]], "Indicator: Trojan.PWS.Stealer.21117": [[148, 172]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[173, 202]], "Indicator: TR/PSW.CoinStealer.nvgeg": [[203, 227]], "Indicator: Trojan.Win32.Z.Razy.139264.GJ": [[228, 257]], "Indicator: Trojan:MSIL/Evrial.B": [[258, 278]], "Indicator: MSIL.Packed.Kryptik.JH": [[279, 301]], "Indicator: Trj/GdSda.A": [[302, 313]], "Indicator: Win32/Trojan.322": [[314, 330]]}, "info": {"id": "cyner2_5class_train_04606", "source": "cyner2_5class_train"}} +{"text": "Using an FTP server has some advantages.", "spans": {"Indicator: FTP server": [[9, 19]]}, "info": {"id": "cyner2_5class_train_04607", "source": "cyner2_5class_train"}} +{"text": "Versions 5.X.X-8.X.X were active in 2016 , and versions 9.X.X-1.X.X in 2017 .", "spans": {}, "info": {"id": "cyner2_5class_train_04608", "source": "cyner2_5class_train"}} +{"text": "The threat group continually updated the Nemesis malware during their ongoing access to the victim environment, deploying several different variants of the same tools and adding functionality between iterations.", "spans": {"Malware: Nemesis malware": [[41, 56]]}, "info": {"id": "cyner2_5class_train_04609", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.RedZone.406528 Trojan/PSW.RedZone.41 Win32/PSW.RedZone.41 TSPY_REDZONE.E Win.Spyware.62275-2 Trojan-PSW.Win32.RedZone.41 
Trojan.Win32.RedZone.fqhw Trojan.Win32.A.PSW-RedZone.406528[h] Troj.PSW32.W.RedZone.41!c Win32.Trojan-qqpass.Qqrob.Dyzy TrojWare.Win32.PSW.RedZone.41 Trojan.PWS.RedZone.41 Trojan.RedZone.Win32.21 W32/Risk.MXEM-1318 Trojan/PSW.RedZone.41 TR/PSW.RedZone.41 Malware_fam.gw Trojan[PSW]/Win32.RedZone PWS:Win32/Redzone.4_1 TrojanPSW.RedZone Trojan.PWS.RedZone!tcLid0irw8w Trojan.Win32.PSW Win32/Trojan.PSW.087", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.RedZone.406528": [[26, 55]], "Indicator: Trojan/PSW.RedZone.41": [[56, 77], [377, 398]], "Indicator: Win32/PSW.RedZone.41": [[78, 98]], "Indicator: TSPY_REDZONE.E": [[99, 113]], "Indicator: Win.Spyware.62275-2": [[114, 133]], "Indicator: Trojan-PSW.Win32.RedZone.41": [[134, 161]], "Indicator: Trojan.Win32.RedZone.fqhw": [[162, 187]], "Indicator: Trojan.Win32.A.PSW-RedZone.406528[h]": [[188, 224]], "Indicator: Troj.PSW32.W.RedZone.41!c": [[225, 250]], "Indicator: Win32.Trojan-qqpass.Qqrob.Dyzy": [[251, 281]], "Indicator: TrojWare.Win32.PSW.RedZone.41": [[282, 311]], "Indicator: Trojan.PWS.RedZone.41": [[312, 333]], "Indicator: Trojan.RedZone.Win32.21": [[334, 357]], "Indicator: W32/Risk.MXEM-1318": [[358, 376]], "Indicator: TR/PSW.RedZone.41": [[399, 416]], "Indicator: Malware_fam.gw": [[417, 431]], "Indicator: Trojan[PSW]/Win32.RedZone": [[432, 457]], "Indicator: PWS:Win32/Redzone.4_1": [[458, 479]], "Indicator: TrojanPSW.RedZone": [[480, 497]], "Indicator: Trojan.PWS.RedZone!tcLid0irw8w": [[498, 528]], "Indicator: Trojan.Win32.PSW": [[529, 545]], "Indicator: Win32/Trojan.PSW.087": [[546, 566]]}, "info": {"id": "cyner2_5class_train_04610", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sality.PE Trojan.Dropper.UYL Virus/W32.Sality.D W32.Sality.U Trojan.Dropper.UYL Virus.Sality.Win32.25 Trojan.Dropper.UYL W32.SillyFDC Win32/Sality.AA WORM_SILLY.SMRP Trojan.Dropper.UYL Trojan.Win32.Crypted.cqxgku Trojan.Win32.Dropper.abl Trojan.Dropper.UYL Trojan.Dropper.UYL 
Win32.Sector.30 WORM_SILLY.SMRP BehavesLike.Win32.Sality.th Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Enosch.A Win32.Virus.Sality.A HEUR/Fakon.mwf Virus.Win32.Sality.bakc Trojan.DataStealer.B Win32/Sality.NBA Win32.Sality.BL Trojan.Win32.Enosch W32/DataStealer.B!tr W32/Sality.AA Virus.Win32.Sality.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.PE": [[26, 39]], "Indicator: Trojan.Dropper.UYL": [[40, 58], [91, 109], [132, 150], [196, 214], [268, 286], [287, 305]], "Indicator: Virus/W32.Sality.D": [[59, 77]], "Indicator: W32.Sality.U": [[78, 90]], "Indicator: Virus.Sality.Win32.25": [[110, 131]], "Indicator: W32.SillyFDC": [[151, 163]], "Indicator: Win32/Sality.AA": [[164, 179]], "Indicator: WORM_SILLY.SMRP": [[180, 195], [322, 337]], "Indicator: Trojan.Win32.Crypted.cqxgku": [[215, 242]], "Indicator: Trojan.Win32.Dropper.abl": [[243, 267]], "Indicator: Win32.Sector.30": [[306, 321]], "Indicator: BehavesLike.Win32.Sality.th": [[338, 365]], "Indicator: Win32/HLLP.Kuku.poly2": [[366, 387]], "Indicator: W32/Sality.AT": [[388, 401]], "Indicator: Worm:Win32/Enosch.A": [[402, 421]], "Indicator: Win32.Virus.Sality.A": [[422, 442]], "Indicator: HEUR/Fakon.mwf": [[443, 457]], "Indicator: Virus.Win32.Sality.bakc": [[458, 481]], "Indicator: Trojan.DataStealer.B": [[482, 502]], "Indicator: Win32/Sality.NBA": [[503, 519]], "Indicator: Win32.Sality.BL": [[520, 535]], "Indicator: Trojan.Win32.Enosch": [[536, 555]], "Indicator: W32/DataStealer.B!tr": [[556, 576]], "Indicator: W32/Sality.AA": [[577, 590]], "Indicator: Virus.Win32.Sality.I": [[591, 611]]}, "info": {"id": "cyner2_5class_train_04611", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.BLA.FC.3019 Variant.Kazy.msZ5 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MulDrop4.60646 Trojan-PWS.MSIL PWS:MSIL/Mintluks.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.BLA.FC.3019": [[26, 46]], "Indicator: Variant.Kazy.msZ5": [[47, 64]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9999": [[65, 107]], "Indicator: Trojan.MulDrop4.60646": [[108, 129]], "Indicator: Trojan-PWS.MSIL": [[130, 145]], "Indicator: PWS:MSIL/Mintluks.A": [[146, 165]]}, "info": {"id": "cyner2_5class_train_04612", "source": "cyner2_5class_train"}} +{"text": "This attack is particularly effective since execution of WTP is not accompanied by a security warning and users have been conditioned to run the troubleshooter when it appears in Windows.", "spans": {"Indicator: attack": [[5, 11]], "Vulnerability: WTP": [[57, 60]], "System: Windows.": [[179, 187]]}, "info": {"id": "cyner2_5class_train_04613", "source": "cyner2_5class_train"}} +{"text": "During ISSP Labs daily threat activity monitoring a new virus distribution campaign with a unique malware sample was discovered.", "spans": {"Organization: ISSP Labs": [[7, 16]], "Malware: malware": [[98, 105]]}, "info": {"id": "cyner2_5class_train_04614", "source": "cyner2_5class_train"}} +{"text": "The attacks likely were initially delivered via spear-phishing e-mails, or as demonstrated by C0d0so0 in the past, legitimate websites that had been previously compromised then used as watering holes for the selected victims.", "spans": {"Indicator: attacks": [[4, 11]], "Indicator: spear-phishing e-mails,": [[48, 71]], "Indicator: legitimate websites": [[115, 134]], "Indicator: previously compromised": [[149, 171]], "Indicator: watering holes": [[185, 199]]}, "info": {"id": "cyner2_5class_train_04615", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Bendis.AU X97M.Dropper.ID W97M.Bendis.AU W97M.Downloader X2KM_DROPPER.NEZ W97M.Bendis.AU Trojan.Ole2.Vbs-heuristic.druvzi W97M.Bendis.AU W97M.Bendis.AU X2KM_DROPPER.NEZ X97M/Dropper.c HEUR.VBA.Trojan.d TrojanDropper:O97M/Credoor.A X97M/Dropper.d W97M.Bendis W97M.Bendis.AU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Bendis.AU": [[26, 40], [57, 71], [105, 119], [153, 167], [168, 182], [289, 303]], "Indicator: 
X97M.Dropper.ID": [[41, 56]], "Indicator: W97M.Downloader": [[72, 87]], "Indicator: X2KM_DROPPER.NEZ": [[88, 104], [183, 199]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[120, 152]], "Indicator: X97M/Dropper.c": [[200, 214]], "Indicator: HEUR.VBA.Trojan.d": [[215, 232]], "Indicator: TrojanDropper:O97M/Credoor.A": [[233, 261]], "Indicator: X97M/Dropper.d": [[262, 276]], "Indicator: W97M.Bendis": [[277, 288]]}, "info": {"id": "cyner2_5class_train_04616", "source": "cyner2_5class_train"}} +{"text": "Indicators related to a group of attackers that have been targeting Japan for a few years and are responsible for recent breaches against Japanese targets", "spans": {"Indicator: Indicators": [[0, 10]], "Organization: Japanese targets": [[138, 154]]}, "info": {"id": "cyner2_5class_train_04617", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Rovnix.Win64.17 Troj.Win64.Rovnix!c Trojan.Win64.Rovnix.au Trojan.Win64.Mayachok.dsethy Trojan.Mayachok.19009 Trojan/Rovnix.f W32.Rovnix TR/Rovnix.I Trojan/Win64.Rovnix Trojan.Win64.Rovnix.au Trojan/Win64.Rovnix.R175307 Trojan.Rovnix Trj/Rovnix.B Win64.Trojan.Rovnix.Pdmr Trojan.Rovnix!6RUsEoDKtkI Trojan.Win64.Rovnix Win32/Trojan.52f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Rovnix.Win64.17": [[26, 48]], "Indicator: Troj.Win64.Rovnix!c": [[49, 68]], "Indicator: Trojan.Win64.Rovnix.au": [[69, 91], [202, 224]], "Indicator: Trojan.Win64.Mayachok.dsethy": [[92, 120]], "Indicator: Trojan.Mayachok.19009": [[121, 142]], "Indicator: Trojan/Rovnix.f": [[143, 158]], "Indicator: W32.Rovnix": [[159, 169]], "Indicator: TR/Rovnix.I": [[170, 181]], "Indicator: Trojan/Win64.Rovnix": [[182, 201]], "Indicator: Trojan/Win64.Rovnix.R175307": [[225, 252]], "Indicator: Trojan.Rovnix": [[253, 266]], "Indicator: Trj/Rovnix.B": [[267, 279]], "Indicator: Win64.Trojan.Rovnix.Pdmr": [[280, 304]], "Indicator: Trojan.Rovnix!6RUsEoDKtkI": [[305, 330]], "Indicator: Trojan.Win64.Rovnix": [[331, 350]], "Indicator: 
Win32/Trojan.52f": [[351, 367]]}, "info": {"id": "cyner2_5class_train_04618", "source": "cyner2_5class_train"}} +{"text": "These .jar files are most often identified as Adwind.", "spans": {"Indicator: .jar files": [[6, 16]], "Malware: Adwind.": [[46, 53]]}, "info": {"id": "cyner2_5class_train_04619", "source": "cyner2_5class_train"}} +{"text": "A new Android banking trojan called Nexus has been promoted via a Malware-as-Service subscription service, but is still in its early stages, suggests security researcher Cleafy's analysis.", "spans": {"Malware: Android banking trojan": [[6, 28]], "Malware: Nexus": [[36, 41]], "Malware: a Malware-as-Service subscription service,": [[64, 106]], "Organization: security researcher Cleafy's analysis.": [[150, 188]]}, "info": {"id": "cyner2_5class_train_04620", "source": "cyner2_5class_train"}} +{"text": "Next , if they indicate that they use an Android-based device , the Trojan , impersonating their bank with web injections , fools the victim into installing a fake security app .", "spans": {"System: Android-based": [[41, 54]]}, "info": {"id": "cyner2_5class_train_04621", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as:", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_5class_train_04622", "source": "cyner2_5class_train"}} +{"text": "The following code shows EventBot parsing instructions sent from the C2 .", "spans": {"Malware: EventBot": [[25, 33]]}, "info": {"id": "cyner2_5class_train_04623", "source": "cyner2_5class_train"}} +{"text": "We used a sample app named “ org.starsizew ” with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS ’ s code .", "spans": {"Indicator: org.starsizew": [[29, 42]], "Indicator: d8caad151e07025fdbf5f3c26e3ceaff": [[60, 92]], "Malware: RuMMS": [[104, 109]]}, "info": {"id": "cyner2_5class_train_04624", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.AIG Trojan/W32.Xorist.13312.E Trojan-Ransom.Win32.Xorist!O 
Trojan.Ransom.FO4 Trojan.Ransom.AIG Win32.Trojan.Filecoder.g Ransom.CryptoTorLocker Ransom_XORIST.SMA Win.Trojan.CryptoTorLocker2015-1 Trojan.Ransom.AIG Trojan-Ransom.Win32.Xorist.lk Trojan.Ransom.AIG Trojan.Win32.Xorist.dxuuhl Trojan.Win32.A.Xorist.1268736 Trojan.Ransom.AIG TrojWare.Win32.Kryptik.ER Trojan.Encoder.94 Ransom_XORIST.SMA Trojan/Xorist.at TR/Ransom.Xorist.EJ Trojan[Ransom]/Win32.Xorist Trojan.Ransom.AIG Troj.Ransom.W32.Xorist.tnPf Trojan-Ransom.Win32.Xorist.lk Ransom:Win32/Sorikrypt.A Trojan/Win32.Xorist.R21676 Hoax.Xorist Ransom.FileCryptor Trj/RansomXor.A Trojan.Win32.CryptoTorLocker2015.a Trojan-Ransom.CryptoTorLocker215 Win32/Trojan.1ee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.AIG": [[26, 43], [117, 134], [234, 251], [282, 299], [357, 374], [502, 519]], "Indicator: Trojan/W32.Xorist.13312.E": [[44, 69]], "Indicator: Trojan-Ransom.Win32.Xorist!O": [[70, 98]], "Indicator: Trojan.Ransom.FO4": [[99, 116]], "Indicator: Win32.Trojan.Filecoder.g": [[135, 159]], "Indicator: Ransom.CryptoTorLocker": [[160, 182]], "Indicator: Ransom_XORIST.SMA": [[183, 200], [419, 436]], "Indicator: Win.Trojan.CryptoTorLocker2015-1": [[201, 233]], "Indicator: Trojan-Ransom.Win32.Xorist.lk": [[252, 281], [548, 577]], "Indicator: Trojan.Win32.Xorist.dxuuhl": [[300, 326]], "Indicator: Trojan.Win32.A.Xorist.1268736": [[327, 356]], "Indicator: TrojWare.Win32.Kryptik.ER": [[375, 400]], "Indicator: Trojan.Encoder.94": [[401, 418]], "Indicator: Trojan/Xorist.at": [[437, 453]], "Indicator: TR/Ransom.Xorist.EJ": [[454, 473]], "Indicator: Trojan[Ransom]/Win32.Xorist": [[474, 501]], "Indicator: Troj.Ransom.W32.Xorist.tnPf": [[520, 547]], "Indicator: Ransom:Win32/Sorikrypt.A": [[578, 602]], "Indicator: Trojan/Win32.Xorist.R21676": [[603, 629]], "Indicator: Hoax.Xorist": [[630, 641]], "Indicator: Ransom.FileCryptor": [[642, 660]], "Indicator: Trj/RansomXor.A": [[661, 676]], "Indicator: Trojan.Win32.CryptoTorLocker2015.a": [[677, 711]], "Indicator: 
Trojan-Ransom.CryptoTorLocker215": [[712, 744]], "Indicator: Win32/Trojan.1ee": [[745, 761]]}, "info": {"id": "cyner2_5class_train_04625", "source": "cyner2_5class_train"}} +{"text": "I am not sure what these are but am guessing at possibly Emotet banking Trojan", "spans": {"Malware: Emotet banking Trojan": [[57, 78]]}, "info": {"id": "cyner2_5class_train_04626", "source": "cyner2_5class_train"}} +{"text": "While most of the interest still lies in the public sector, more recent attacks were found targeting the following industries:Aviation Broadcasting Energy Financial Non-governmental organizations NGO Pharmaceutical Public sector Publishing Software", "spans": {"Organization: public sector,": [[45, 59]], "Indicator: attacks": [[72, 79]], "Organization: industries:Aviation Broadcasting Energy Financial Non-governmental organizations NGO Pharmaceutical Public sector Publishing Software": [[115, 248]]}, "info": {"id": "cyner2_5class_train_04627", "source": "cyner2_5class_train"}} +{"text": "ESET contacted Eltima as soon as the situation was confirmed.", "spans": {"Organization: ESET": [[0, 4]], "Organization: Eltima": [[15, 21]]}, "info": {"id": "cyner2_5class_train_04628", "source": "cyner2_5class_train"}} +{"text": "Connexxa was a company also from Catanzaro .", "spans": {}, "info": {"id": "cyner2_5class_train_04629", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MalPack Trojan.Graftor.D69EE1 Win32.Trojan.Kryptik.pd Ransom_LOCKY.SMXA Trojan.Win32.Kryptik.evdsll Ransom_LOCKY.SMXA BehavesLike.Win32.Upatre.qh TrojanDownloader:Win32/Brucryp.G Trj/GdSda.A W32/Kryptik.EXPV!tr Win32/Trojan.160", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MalPack": [[26, 40]], "Indicator: Trojan.Graftor.D69EE1": [[41, 62]], "Indicator: Win32.Trojan.Kryptik.pd": [[63, 86]], "Indicator: Ransom_LOCKY.SMXA": [[87, 104], [133, 150]], "Indicator: Trojan.Win32.Kryptik.evdsll": [[105, 132]], "Indicator: BehavesLike.Win32.Upatre.qh": [[151, 178]], 
"Indicator: TrojanDownloader:Win32/Brucryp.G": [[179, 211]], "Indicator: Trj/GdSda.A": [[212, 223]], "Indicator: W32/Kryptik.EXPV!tr": [[224, 243]], "Indicator: Win32/Trojan.160": [[244, 260]]}, "info": {"id": "cyner2_5class_train_04630", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Script.473379 Trojan/W32.Clicker.349278 Trojan.Clicker.r5 Trojan.Script.473379 Trojan.Win32.MLW.lvntl W32/MalwareF.CARP Trojan.ADH Trojan.Win32.Clicker.hd Trojan.Win32.S.Clicker.349278[h] Trojan.Script.473379 Trojan.Script.473379 Trojan.DownLoader6.110 BehavesLike.Win32.Dropper.fc W32/Risk.VMFK-0127 Trojan/Clicker.je Trojan.Script.D73923 Trojan:Win32/Gleishug.C Trojan.Script.473379 Trj/CI.A Win32.Trojan.Clicker.Hoye AdWare.FTat Trojan.Script.473379", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script.473379": [[26, 46], [91, 111], [221, 241], [242, 262], [397, 417], [465, 485]], "Indicator: Trojan/W32.Clicker.349278": [[47, 72]], "Indicator: Trojan.Clicker.r5": [[73, 90]], "Indicator: Trojan.Win32.MLW.lvntl": [[112, 134]], "Indicator: W32/MalwareF.CARP": [[135, 152]], "Indicator: Trojan.ADH": [[153, 163]], "Indicator: Trojan.Win32.Clicker.hd": [[164, 187]], "Indicator: Trojan.Win32.S.Clicker.349278[h]": [[188, 220]], "Indicator: Trojan.DownLoader6.110": [[263, 285]], "Indicator: BehavesLike.Win32.Dropper.fc": [[286, 314]], "Indicator: W32/Risk.VMFK-0127": [[315, 333]], "Indicator: Trojan/Clicker.je": [[334, 351]], "Indicator: Trojan.Script.D73923": [[352, 372]], "Indicator: Trojan:Win32/Gleishug.C": [[373, 396]], "Indicator: Trj/CI.A": [[418, 426]], "Indicator: Win32.Trojan.Clicker.Hoye": [[427, 452]], "Indicator: AdWare.FTat": [[453, 464]]}, "info": {"id": "cyner2_5class_train_04631", "source": "cyner2_5class_train"}} +{"text": "In late 2014, ESET presented an attack campaign that had been observed over a period of time targeting Russia and other Russian speaking nations, dubbed Roaming Tiger", "spans": {"Organization: ESET": [[14, 
18]], "Organization: Russian speaking nations,": [[120, 145]]}, "info": {"id": "cyner2_5class_train_04632", "source": "cyner2_5class_train"}} +{"text": "Its different modifications target mobile devices of Russian users from February 2015.", "spans": {"System: mobile devices": [[35, 49]], "Organization: Russian users": [[53, 66]]}, "info": {"id": "cyner2_5class_train_04633", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MasendosA.Trojan Worm.Win32.AutoRun!O Trojan.Tofsee.1 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win.Worm.Autorun-6961 P2P-Worm.Win32.Palevo.idwe Trojan.Win32.Graz.vhpfw Worm.Win32.A.AutoRun.90112 TrojWare.Win32.Kryptik.JIU Win32.HLLM.Graz Worm.AutoRun.Win32.31130 BehavesLike.Win32.Downloader.kc Worm.Win32.Wergimog Worm/AutoRun.agqt TR/Offend.5523698 Worm[P2P]/Win32.Palevo Worm:Win32/Wergimog.A P2P-Worm.Win32.Palevo.idwe Worm/Win32.Cynic.R5955 Worm.AutoRun Win32/AutoRun.IRCBot.HL Win32.Worm-p2p.Palevo.Swub Worm.AutoRun!FV4PXQUzhXU Win32/Trojan.515", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MasendosA.Trojan": [[26, 46]], "Indicator: Worm.Win32.AutoRun!O": [[47, 67]], "Indicator: Trojan.Tofsee.1": [[68, 83]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[84, 126]], "Indicator: Win.Worm.Autorun-6961": [[127, 148]], "Indicator: P2P-Worm.Win32.Palevo.idwe": [[149, 175], [428, 454]], "Indicator: Trojan.Win32.Graz.vhpfw": [[176, 199]], "Indicator: Worm.Win32.A.AutoRun.90112": [[200, 226]], "Indicator: TrojWare.Win32.Kryptik.JIU": [[227, 253]], "Indicator: Win32.HLLM.Graz": [[254, 269]], "Indicator: Worm.AutoRun.Win32.31130": [[270, 294]], "Indicator: BehavesLike.Win32.Downloader.kc": [[295, 326]], "Indicator: Worm.Win32.Wergimog": [[327, 346]], "Indicator: Worm/AutoRun.agqt": [[347, 364]], "Indicator: TR/Offend.5523698": [[365, 382]], "Indicator: Worm[P2P]/Win32.Palevo": [[383, 405]], "Indicator: Worm:Win32/Wergimog.A": [[406, 427]], "Indicator: Worm/Win32.Cynic.R5955": [[455, 477]], "Indicator: 
Worm.AutoRun": [[478, 490]], "Indicator: Win32/AutoRun.IRCBot.HL": [[491, 514]], "Indicator: Win32.Worm-p2p.Palevo.Swub": [[515, 541]], "Indicator: Worm.AutoRun!FV4PXQUzhXU": [[542, 566]], "Indicator: Win32/Trojan.515": [[567, 583]]}, "info": {"id": "cyner2_5class_train_04634", "source": "cyner2_5class_train"}} +{"text": "Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns.", "spans": {}, "info": {"id": "cyner2_5class_train_04635", "source": "cyner2_5class_train"}} +{"text": "For versions 11.0 and 11.4 , the installation is straightforward .", "spans": {}, "info": {"id": "cyner2_5class_train_04636", "source": "cyner2_5class_train"}} +{"text": "Each of these behaviors is under the control of the remote C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_04637", "source": "cyner2_5class_train"}} +{"text": "A sophisticated hacking group with suspected ties to cybercrime gangs operating in Eastern Europe is now actively targeting and breaching prominent, brand name restaurants in the U.S.", "spans": {"Organization: restaurants": [[160, 171]]}, "info": {"id": "cyner2_5class_train_04638", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.Win64 Exploit.Win64.Apolmy.ewzxbo Trojan.Win64.Dianti TR/Apolmy.paocz Trojan:Win64/Apolmy.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Win64": [[26, 39]], "Indicator: Exploit.Win64.Apolmy.ewzxbo": [[40, 67]], "Indicator: Trojan.Win64.Dianti": [[68, 87]], "Indicator: TR/Apolmy.paocz": [[88, 103]], "Indicator: Trojan:Win64/Apolmy.A": [[104, 125]], "Indicator: Trj/CI.A": [[126, 134]]}, "info": {"id": "cyner2_5class_train_04639", "source": "cyner2_5class_train"}} +{"text": "This EPS exploit was assigned CVE-2015-2545.", "spans": {"Malware: EPS exploit": [[5, 16]], "Indicator: CVE-2015-2545.": [[30, 44]]}, "info": {"id": "cyner2_5class_train_04640", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
W32.Sality.mBZF Trojan.Win32.Clicker.bcgwsn Trojan.Click2.33988 Trojan.Win32.Alyak W32/Trojan.WWZX-6000 TR/Graftor.27537.200 Trojan/Win32.Unknown Backdoor:Win32/Kanav.D BScope.Trojan.Win32.Inject.2 Trj/CI.A Trojan.Symmi.DB644 Win32/Trojan.070", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.mBZF": [[26, 41]], "Indicator: Trojan.Win32.Clicker.bcgwsn": [[42, 69]], "Indicator: Trojan.Click2.33988": [[70, 89]], "Indicator: Trojan.Win32.Alyak": [[90, 108]], "Indicator: W32/Trojan.WWZX-6000": [[109, 129]], "Indicator: TR/Graftor.27537.200": [[130, 150]], "Indicator: Trojan/Win32.Unknown": [[151, 171]], "Indicator: Backdoor:Win32/Kanav.D": [[172, 194]], "Indicator: BScope.Trojan.Win32.Inject.2": [[195, 223]], "Indicator: Trj/CI.A": [[224, 232]], "Indicator: Trojan.Symmi.DB644": [[233, 251]], "Indicator: Win32/Trojan.070": [[252, 268]]}, "info": {"id": "cyner2_5class_train_04641", "source": "cyner2_5class_train"}} +{"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "cyner2_5class_train_04642", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Clicker.Delf.JK Trojan-Clicker.Win32.Delf!O Trojan.Clicker.Delf.JK Win32.Trojan-Downloader.Delf.bq Win32/Bancos.QQM TROJ_CLICKER.ATG Win.Trojan.Delf-2308 Trojan-Clicker.Win32.Delf.ih Trojan.Clicker.Delf.JK Trojan.Win32.Delf.dxqhln Win32.Trojan.Delf.Eamx Trojan.Clicker.Delf.JK Trojan.Clicker.Delf.JK Trojan.Badjoke TROJ_CLICKER.ATG TrojanClicker.Delf.fq TR/Clicker.Delf.IH Trojan[Clicker]/Win32.Delf Trojan.Win32.Clicker.475648 Trojan-Clicker.Win32.Delf.ih Trojan.Clicker.Delf.JK Trojan/Win32.AdClicker.R5452 Trojan.Clicker.Delf.JK TrojanClicker.Delf Win32/TrojanDownloader.Delf.OVE Trojan.CL.Delf.BJTO Trojan-Dropper.Delf W32/Delf.YS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Clicker.Delf.JK": [[26, 48], [77, 99], [216, 238], [287, 309], [310, 332], [490, 512], [542, 564]], 
"Indicator: Trojan-Clicker.Win32.Delf!O": [[49, 76]], "Indicator: Win32.Trojan-Downloader.Delf.bq": [[100, 131]], "Indicator: Win32/Bancos.QQM": [[132, 148]], "Indicator: TROJ_CLICKER.ATG": [[149, 165], [348, 364]], "Indicator: Win.Trojan.Delf-2308": [[166, 186]], "Indicator: Trojan-Clicker.Win32.Delf.ih": [[187, 215], [461, 489]], "Indicator: Trojan.Win32.Delf.dxqhln": [[239, 263]], "Indicator: Win32.Trojan.Delf.Eamx": [[264, 286]], "Indicator: Trojan.Badjoke": [[333, 347]], "Indicator: TrojanClicker.Delf.fq": [[365, 386]], "Indicator: TR/Clicker.Delf.IH": [[387, 405]], "Indicator: Trojan[Clicker]/Win32.Delf": [[406, 432]], "Indicator: Trojan.Win32.Clicker.475648": [[433, 460]], "Indicator: Trojan/Win32.AdClicker.R5452": [[513, 541]], "Indicator: TrojanClicker.Delf": [[565, 583]], "Indicator: Win32/TrojanDownloader.Delf.OVE": [[584, 615]], "Indicator: Trojan.CL.Delf.BJTO": [[616, 635]], "Indicator: Trojan-Dropper.Delf": [[636, 655]], "Indicator: W32/Delf.YS!tr": [[656, 670]]}, "info": {"id": "cyner2_5class_train_04643", "source": "cyner2_5class_train"}} +{"text": "The steps implemented include : Load a URL in a WebView Run JavaScript in WebView Toggle WiFi state Toggle mobile data state Read/modify SMS inbox Solve captchas Captchas One of the more interesting states implements the ability to solve basic captchas ( obscured letters and numbers ) .", "spans": {}, "info": {"id": "cyner2_5class_train_04644", "source": "cyner2_5class_train"}} +{"text": "The value used to replace GET_IMG_OBJECT comes from the JSON configuration .", "spans": {}, "info": {"id": "cyner2_5class_train_04645", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.MultiJoiner!O Troj.Dropper.W32.Pincher.lfij Trojan.Heur.GM.11400100A0 Win32.Trojan.WisdomEyes.16070401.9500.9992 Win32/MicroJoiner.A TROJ_MULTIJOIN.A Trojan-Dropper.Win32.Microjoin.ap TrojWare.Win32.Spy.Zbot.AAT Trojan.MulDrop.613 BehavesLike.Win32.Trojan.vc Trojan-PWS.Win32.LdPinch 
TrojanDropper.MultiJoiner.13.b Win32.Troj.GaoPSGet.49893 TrojanDropper:Win32/MultiJoiner.A Trojan-Dropper.Win32.Microjoin.ap Dropper/Win32.Microjoin.C70525 Trj/Multijoiner.A Win32/TrojanDropper.MultiJoiner.13.B Trojan.DR.MultiJoiner.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.MultiJoiner!O": [[26, 60]], "Indicator: Troj.Dropper.W32.Pincher.lfij": [[61, 90]], "Indicator: Trojan.Heur.GM.11400100A0": [[91, 116]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[117, 159]], "Indicator: Win32/MicroJoiner.A": [[160, 179]], "Indicator: TROJ_MULTIJOIN.A": [[180, 196]], "Indicator: Trojan-Dropper.Win32.Microjoin.ap": [[197, 230], [422, 455]], "Indicator: TrojWare.Win32.Spy.Zbot.AAT": [[231, 258]], "Indicator: Trojan.MulDrop.613": [[259, 277]], "Indicator: BehavesLike.Win32.Trojan.vc": [[278, 305]], "Indicator: Trojan-PWS.Win32.LdPinch": [[306, 330]], "Indicator: TrojanDropper.MultiJoiner.13.b": [[331, 361]], "Indicator: Win32.Troj.GaoPSGet.49893": [[362, 387]], "Indicator: TrojanDropper:Win32/MultiJoiner.A": [[388, 421]], "Indicator: Dropper/Win32.Microjoin.C70525": [[456, 486]], "Indicator: Trj/Multijoiner.A": [[487, 504]], "Indicator: Win32/TrojanDropper.MultiJoiner.13.B": [[505, 541]], "Indicator: Trojan.DR.MultiJoiner.D": [[542, 565]]}, "info": {"id": "cyner2_5class_train_04646", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O Downloader.Small.16212 Win32.Trojan.WisdomEyes.16070401.9500.9891 Win32/Kotan.20.A Trojan-Downloader.Win32.Small.fbn Trojan.Win32.Kotan.hadu Troj.Downloader.W32.Small.fbn!c Win32.Trojan-Downloader.Small.cmak TrojWare.Win32.TrojanDownloader.Kotan Trojan.Kaotan Downloader.Small.Win32.3682 TrojanDownloader.Kotan.b W32.Malware.Downloader Win32.Troj.Kotan.kcloud TrojanDownloader:Win32/Kotan.A Trojan-Downloader.Win32.Small.fbn Trojan/Win32.HDC.C69071 TrojanDownloader.Small Win32/TrojanDownloader.Kotan Trojan.DL.Small!ILxLTxTzCnE 
Trojan-Downloader.Win32.Kotan", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Small!O": [[26, 57]], "Indicator: Downloader.Small.16212": [[58, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9891": [[81, 123]], "Indicator: Win32/Kotan.20.A": [[124, 140]], "Indicator: Trojan-Downloader.Win32.Small.fbn": [[141, 174], [449, 482]], "Indicator: Trojan.Win32.Kotan.hadu": [[175, 198]], "Indicator: Troj.Downloader.W32.Small.fbn!c": [[199, 230]], "Indicator: Win32.Trojan-Downloader.Small.cmak": [[231, 265]], "Indicator: TrojWare.Win32.TrojanDownloader.Kotan": [[266, 303]], "Indicator: Trojan.Kaotan": [[304, 317]], "Indicator: Downloader.Small.Win32.3682": [[318, 345]], "Indicator: TrojanDownloader.Kotan.b": [[346, 370]], "Indicator: W32.Malware.Downloader": [[371, 393]], "Indicator: Win32.Troj.Kotan.kcloud": [[394, 417]], "Indicator: TrojanDownloader:Win32/Kotan.A": [[418, 448]], "Indicator: Trojan/Win32.HDC.C69071": [[483, 506]], "Indicator: TrojanDownloader.Small": [[507, 529]], "Indicator: Win32/TrojanDownloader.Kotan": [[530, 558]], "Indicator: Trojan.DL.Small!ILxLTxTzCnE": [[559, 586]], "Indicator: Trojan-Downloader.Win32.Kotan": [[587, 616]]}, "info": {"id": "cyner2_5class_train_04647", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan-GameThief.Win32.OnLineGames!O Trojan/Dropper.Killav.lt Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Fiala.A Win.Trojan.Geral-941 Trojan-Dropper.Win32.Killav.lt Trojan.Win32.Killav.dqiwur Troj.Dropper.W32.Killav.lt!c Win32.Trojan-dropper.Killav.Sunr Backdoor.Win32.Popwin.~IT Trojan.KillProc.13934 Dropper.Killav.Win32.187 BehavesLike.Win32.PWSOnlineGames.mc Trojan-Downloader.Win32.Geral Trojan/PSW.Magania.amzf Trojan[Downloader]/Win32.Geral TrojanDownloader:Win32/Dogkild.S Trojan/Win32.OnlineGameHack.R38048 BScope.Trojan.SvcHorse.01643 Trj/Pupack.A Win32/AutoRun.KillAV.I Trojan.DR.Killav!1BWU2jDjRDE", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.OnGamesLT180912HKGHAAI.Trojan": [[26, 59]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[60, 96]], "Indicator: Trojan/Dropper.Killav.lt": [[97, 121]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[122, 164]], "Indicator: W32.Fiala.A": [[165, 176]], "Indicator: Win.Trojan.Geral-941": [[177, 197]], "Indicator: Trojan-Dropper.Win32.Killav.lt": [[198, 228]], "Indicator: Trojan.Win32.Killav.dqiwur": [[229, 255]], "Indicator: Troj.Dropper.W32.Killav.lt!c": [[256, 284]], "Indicator: Win32.Trojan-dropper.Killav.Sunr": [[285, 317]], "Indicator: Backdoor.Win32.Popwin.~IT": [[318, 343]], "Indicator: Trojan.KillProc.13934": [[344, 365]], "Indicator: Dropper.Killav.Win32.187": [[366, 390]], "Indicator: BehavesLike.Win32.PWSOnlineGames.mc": [[391, 426]], "Indicator: Trojan-Downloader.Win32.Geral": [[427, 456]], "Indicator: Trojan/PSW.Magania.amzf": [[457, 480]], "Indicator: Trojan[Downloader]/Win32.Geral": [[481, 511]], "Indicator: TrojanDownloader:Win32/Dogkild.S": [[512, 544]], "Indicator: Trojan/Win32.OnlineGameHack.R38048": [[545, 579]], "Indicator: BScope.Trojan.SvcHorse.01643": [[580, 608]], "Indicator: Trj/Pupack.A": [[609, 621]], "Indicator: Win32/AutoRun.KillAV.I": [[622, 644]], "Indicator: Trojan.DR.Killav!1BWU2jDjRDE": [[645, 673]]}, "info": {"id": "cyner2_5class_train_04648", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Mauvaise.SL1 Trojan.Badur.Win32.8423 Trojan.Win32.Badur.dgkukl Win32.Trojan.Fakedoc.Auto TrojWare.Win32.Imwee.A BackDoor.Bulknet.1486 TR/Dldr.Imwee Trojan/Win32.Badur Trojan.Zusy.D39D62 Backdoor/Win32.Trojan.C753557 Win32/Trojan.IM.66a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Trojan.Mauvaise.SL1": [[54, 73]], "Indicator: Trojan.Badur.Win32.8423": [[74, 97]], "Indicator: Trojan.Win32.Badur.dgkukl": [[98, 123]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[124, 149]], "Indicator: 
TrojWare.Win32.Imwee.A": [[150, 172]], "Indicator: BackDoor.Bulknet.1486": [[173, 194]], "Indicator: TR/Dldr.Imwee": [[195, 208]], "Indicator: Trojan/Win32.Badur": [[209, 227]], "Indicator: Trojan.Zusy.D39D62": [[228, 246]], "Indicator: Backdoor/Win32.Trojan.C753557": [[247, 276]], "Indicator: Win32/Trojan.IM.66a": [[277, 296]]}, "info": {"id": "cyner2_5class_train_04649", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: JS/Iframe.DGS Script.Trojan-Downloader.IFrame.AE Trojan-Downloader.JS.Iframe.deg Trojan.Script.Expack.bvtkmp PDF.DownLoader.3 BehavesLike.PDF.BadFile.db JS/BlacoleRef.CZ.29 Trojan[Downloader]/JS.Iframe.deg Trojan-Downloader.JS.Iframe.deg JS/Moat.241E54F!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS/Iframe.DGS": [[26, 39]], "Indicator: Script.Trojan-Downloader.IFrame.AE": [[40, 74]], "Indicator: Trojan-Downloader.JS.Iframe.deg": [[75, 106], [232, 263]], "Indicator: Trojan.Script.Expack.bvtkmp": [[107, 134]], "Indicator: PDF.DownLoader.3": [[135, 151]], "Indicator: BehavesLike.PDF.BadFile.db": [[152, 178]], "Indicator: JS/BlacoleRef.CZ.29": [[179, 198]], "Indicator: Trojan[Downloader]/JS.Iframe.deg": [[199, 231]], "Indicator: JS/Moat.241E54F!tr": [[264, 282]]}, "info": {"id": "cyner2_5class_train_04650", "source": "cyner2_5class_train"}} +{"text": "Fileless threats and ransomware aren't new, but a malware that incorporates a combination of their characteristics can be dangerous.", "spans": {"Malware: Fileless threats": [[0, 16]], "Malware: ransomware": [[21, 31]], "Malware: malware": [[50, 57]], "Indicator: combination": [[78, 89]], "Indicator: characteristics": [[99, 114]]}, "info": {"id": "cyner2_5class_train_04651", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Skillis.a W32/Trojan.PYDC-5827 W32.SillyFDC Win32/Oflwr.A!crypt Win32.Application.PUPStudio.A Trojan.Win32.Skillis.cqimdi Trojan.DownLoader21.39298 Trojan.Skillis.Win32.2785 TR/Drop.KillAV.A.69 Trojan/Win32.Unknown 
TrojanDropper:Win32/Killav.A Trojan/Win32.Backdoor.R142720 Trojan.Skillis Trojan.Win32.Skillis.aaa Trojan.PWS.Banbra!0kkWPO51+fM Win32.Outbreak W32/QQPass.ELG!tr.pws Win32/Trojan.7d3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Skillis.a": [[26, 48]], "Indicator: W32/Trojan.PYDC-5827": [[49, 69]], "Indicator: W32.SillyFDC": [[70, 82]], "Indicator: Win32/Oflwr.A!crypt": [[83, 102]], "Indicator: Win32.Application.PUPStudio.A": [[103, 132]], "Indicator: Trojan.Win32.Skillis.cqimdi": [[133, 160]], "Indicator: Trojan.DownLoader21.39298": [[161, 186]], "Indicator: Trojan.Skillis.Win32.2785": [[187, 212]], "Indicator: TR/Drop.KillAV.A.69": [[213, 232]], "Indicator: Trojan/Win32.Unknown": [[233, 253]], "Indicator: TrojanDropper:Win32/Killav.A": [[254, 282]], "Indicator: Trojan/Win32.Backdoor.R142720": [[283, 312]], "Indicator: Trojan.Skillis": [[313, 327]], "Indicator: Trojan.Win32.Skillis.aaa": [[328, 352]], "Indicator: Trojan.PWS.Banbra!0kkWPO51+fM": [[353, 382]], "Indicator: Win32.Outbreak": [[383, 397]], "Indicator: W32/QQPass.ELG!tr.pws": [[398, 419]], "Indicator: Win32/Trojan.7d3": [[420, 436]]}, "info": {"id": "cyner2_5class_train_04652", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.DAD1ED Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ESEG-0989 Trojan.MSIL.Crypt.fpoa Trojan.Win32.Crypt.evvrmx BackDoor.Tordev.976 BehavesLike.Win32.Trojan.fc TR/Dropper.MSIL.lfcge Trojan:Win32/Rebhip.AA!bit Trojan.MSIL.Crypt.fpoa Trj/GdSda.A Msil.Trojan.Crypt.Hfp Trojan.MSIL.Injector MSIL/Injector.LHM!tr Win32/Trojan.658", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.DAD1ED": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[45, 87]], "Indicator: W32/Trojan.ESEG-0989": [[88, 108]], "Indicator: Trojan.MSIL.Crypt.fpoa": [[109, 131], [255, 277]], "Indicator: Trojan.Win32.Crypt.evvrmx": [[132, 157]], "Indicator: BackDoor.Tordev.976": [[158, 177]], "Indicator: 
BehavesLike.Win32.Trojan.fc": [[178, 205]], "Indicator: TR/Dropper.MSIL.lfcge": [[206, 227]], "Indicator: Trojan:Win32/Rebhip.AA!bit": [[228, 254]], "Indicator: Trj/GdSda.A": [[278, 289]], "Indicator: Msil.Trojan.Crypt.Hfp": [[290, 311]], "Indicator: Trojan.MSIL.Injector": [[312, 332]], "Indicator: MSIL/Injector.LHM!tr": [[333, 353]], "Indicator: Win32/Trojan.658": [[354, 370]]}, "info": {"id": "cyner2_5class_train_04653", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Infostealer.Jackpos BKDR_JACKPOS.SM BKDR_JACKPOS.SM BehavesLike.Win32.Dropper.ch Trojan.Win32.Jinupd W32/Trojan.RTKE-0140 Trojan:Win32/Jinupd.B Trojan/Win32.HDC.C743594 Trj/JackPos.A Win32/Trojan.2d8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Infostealer.Jackpos": [[26, 45]], "Indicator: BKDR_JACKPOS.SM": [[46, 61], [62, 77]], "Indicator: BehavesLike.Win32.Dropper.ch": [[78, 106]], "Indicator: Trojan.Win32.Jinupd": [[107, 126]], "Indicator: W32/Trojan.RTKE-0140": [[127, 147]], "Indicator: Trojan:Win32/Jinupd.B": [[148, 169]], "Indicator: Trojan/Win32.HDC.C743594": [[170, 194]], "Indicator: Trj/JackPos.A": [[195, 208]], "Indicator: Win32/Trojan.2d8": [[209, 225]]}, "info": {"id": "cyner2_5class_train_04654", "source": "cyner2_5class_train"}} +{"text": "First observed in July 2014, Dridex, a financial banking Trojan, is considered the successor to the GameOver ZeuS GoZ malware.", "spans": {"Malware: Dridex,": [[29, 36]], "Malware: financial banking Trojan,": [[39, 64]], "Malware: GameOver ZeuS GoZ malware.": [[100, 126]]}, "info": {"id": "cyner2_5class_train_04655", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Sdbot Backdoor/SdBot.zj Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Sdbot.MAM W32.Spybot.Worm Win32/Dopbot.B WORM_SDBOT.CGE Win.Trojan.SdBot-3536 Backdoor.Win32.SdBot.zj Trojan.Win32.SdBot.esce Backdoor.Win32.SdBot.28160.B Backdoor.W32.SdBot.zj!c BackDoor.IRC.Veritas Backdoor.SdBot.Win32.2281 WORM_SDBOT.CGE 
BehavesLike.Win32.Backdoor.mc Packed.Morphine.a WORM/IrcBot.28160.1 Trojan[Backdoor]/Win32.SdBot Backdoor.Win32.SdBot.zj BScope.Trojan-PSW.Gomex.8 W32/Gaobot.FCZ.worm IRC/SdBot.DWM Win32.Backdoor.Sdbot.Pavs Worm.SdBot!xpvJkAbKgi0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sdbot": [[26, 40]], "Indicator: Backdoor/SdBot.zj": [[41, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[59, 101]], "Indicator: W32/Sdbot.MAM": [[102, 115]], "Indicator: W32.Spybot.Worm": [[116, 131]], "Indicator: Win32/Dopbot.B": [[132, 146]], "Indicator: WORM_SDBOT.CGE": [[147, 161], [332, 346]], "Indicator: Win.Trojan.SdBot-3536": [[162, 183]], "Indicator: Backdoor.Win32.SdBot.zj": [[184, 207], [444, 467]], "Indicator: Trojan.Win32.SdBot.esce": [[208, 231]], "Indicator: Backdoor.Win32.SdBot.28160.B": [[232, 260]], "Indicator: Backdoor.W32.SdBot.zj!c": [[261, 284]], "Indicator: BackDoor.IRC.Veritas": [[285, 305]], "Indicator: Backdoor.SdBot.Win32.2281": [[306, 331]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[347, 376]], "Indicator: Packed.Morphine.a": [[377, 394]], "Indicator: WORM/IrcBot.28160.1": [[395, 414]], "Indicator: Trojan[Backdoor]/Win32.SdBot": [[415, 443]], "Indicator: BScope.Trojan-PSW.Gomex.8": [[468, 493]], "Indicator: W32/Gaobot.FCZ.worm": [[494, 513]], "Indicator: IRC/SdBot.DWM": [[514, 527]], "Indicator: Win32.Backdoor.Sdbot.Pavs": [[528, 553]], "Indicator: Worm.SdBot!xpvJkAbKgi0": [[554, 576]]}, "info": {"id": "cyner2_5class_train_04656", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.MultiUnwrapper Win32.Trojan.WisdomEyes.16070401.9500.9852 Infostealer.Gampass Win.Trojan.736804-1 HackTool.Win32.MultiUnwrapper Trojan[Dropper]/Win32.Dapato Trj/CI.A Riskware.HackTool!LCoXxVEhnjI Win32/Trojan.03f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.MultiUnwrapper": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9852": [[50, 92]], "Indicator: Infostealer.Gampass": [[93, 112]], 
"Indicator: Win.Trojan.736804-1": [[113, 132]], "Indicator: HackTool.Win32.MultiUnwrapper": [[133, 162]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[163, 191]], "Indicator: Trj/CI.A": [[192, 200]], "Indicator: Riskware.HackTool!LCoXxVEhnjI": [[201, 230]], "Indicator: Win32/Trojan.03f": [[231, 247]]}, "info": {"id": "cyner2_5class_train_04657", "source": "cyner2_5class_train"}} +{"text": "APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador since at least 2019.", "spans": {"Organization: organizations": [[65, 78]]}, "info": {"id": "cyner2_5class_train_04658", "source": "cyner2_5class_train"}} +{"text": "Unpacker thread decrypt java archive from assets directory “ start.ogg ” , and dynamically loads it and calls the method “ a.a.a.b ” from this archive .", "spans": {"Indicator: start.ogg": [[61, 70]]}, "info": {"id": "cyner2_5class_train_04659", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.Rugo Trojan.Win32.BHO.fie AdWare.Win32.BHO.cdg Trojan.MulDrop.15726 TR/BHO.fie TrojanDropper:Win32/Jhee.V Trojan.Win32.BHO.fie Adware.WSearch.O Trojan.Win32.Jhee.V Trojan.BHO.fie", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Rugo": [[26, 37]], "Indicator: Trojan.Win32.BHO.fie": [[38, 58], [139, 159]], "Indicator: AdWare.Win32.BHO.cdg": [[59, 79]], "Indicator: Trojan.MulDrop.15726": [[80, 100]], "Indicator: TR/BHO.fie": [[101, 111]], "Indicator: TrojanDropper:Win32/Jhee.V": [[112, 138]], "Indicator: Adware.WSearch.O": [[160, 176]], "Indicator: Trojan.Win32.Jhee.V": [[177, 196]], "Indicator: Trojan.BHO.fie": [[197, 211]]}, "info": {"id": "cyner2_5class_train_04660", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Cabby Trojan/Filecoder.MaktubLocker.c Win32.Trojan.WisdomEyes.16070401.9500.9999 RANSOM_CRYPMAKTUBLOCKER_GC3101B5.UVPM Trojan.Win32.Banpak.bbb Trojan.Win32.Cabby.emrzuq W32.Virut.lyDR Trojan.DownLoader24.13143 
Downloader.Cabby.Win32.1871 RANSOM_CRYPMAKTUBLOCKER_GC3101B5.UVPM TrojanDownloader.Cabby.cpa TR/Crypt.Xpack.wgudg Trojan[Downloader]/Win32.Cabby Trojan.Razy.D255EB Trojan.Win32.Ransom.59904.R Trojan.Win32.Banpak.bbb Trojan/Win32.Locky.R197360 TrojanDownloader.Cabby Win32/Filecoder.MaktubLocker.C Trojan.Filecoder!sTyUXy4/Qig", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Cabby": [[26, 48], [496, 518]], "Indicator: Trojan/Filecoder.MaktubLocker.c": [[49, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[81, 123]], "Indicator: RANSOM_CRYPMAKTUBLOCKER_GC3101B5.UVPM": [[124, 161], [281, 318]], "Indicator: Trojan.Win32.Banpak.bbb": [[162, 185], [445, 468]], "Indicator: Trojan.Win32.Cabby.emrzuq": [[186, 211]], "Indicator: W32.Virut.lyDR": [[212, 226]], "Indicator: Trojan.DownLoader24.13143": [[227, 252]], "Indicator: Downloader.Cabby.Win32.1871": [[253, 280]], "Indicator: TrojanDownloader.Cabby.cpa": [[319, 345]], "Indicator: TR/Crypt.Xpack.wgudg": [[346, 366]], "Indicator: Trojan[Downloader]/Win32.Cabby": [[367, 397]], "Indicator: Trojan.Razy.D255EB": [[398, 416]], "Indicator: Trojan.Win32.Ransom.59904.R": [[417, 444]], "Indicator: Trojan/Win32.Locky.R197360": [[469, 495]], "Indicator: Win32/Filecoder.MaktubLocker.C": [[519, 549]], "Indicator: Trojan.Filecoder!sTyUXy4/Qig": [[550, 578]]}, "info": {"id": "cyner2_5class_train_04661", "source": "cyner2_5class_train"}} +{"text": "Delimiters Another technique to obfuscate unencrypted strings uses repeated delimiters .", "spans": {}, "info": {"id": "cyner2_5class_train_04662", "source": "cyner2_5class_train"}} +{"text": "Such app stores are so-called because they are not officially supported by Android , nor are they provided by Google , unlike the Play Store .", "spans": {"System: Android": [[75, 82]], "Organization: Google": [[110, 116]], "System: Play Store": [[130, 140]]}, "info": {"id": "cyner2_5class_train_04663", "source": "cyner2_5class_train"}} +{"text": "Attackers create this 
scenario to persuade users to pay the ransom so they can gain back access to the device .", "spans": {}, "info": {"id": "cyner2_5class_train_04664", "source": "cyner2_5class_train"}} +{"text": "The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system.", "spans": {"Malware: tools": [[110, 115]], "Indicator: attacks;": [[128, 136]], "Organization: individuals": [[161, 172]], "Organization: aerospace industry": [[180, 198]], "System: OS X operating system.": [[211, 233]]}, "info": {"id": "cyner2_5class_train_04665", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Androm.266082.B Trojandownloader.Macdowpay Trojan.Win32.Godzilla.ephbuw Trojan.Encoder.11909 Backdoor.Androm.Win32.43313 BehavesLike.Win32.Backdoor.dc Trojan.Yakes.vjn Trojan.Backdoor.Quakbot TR/Fuery.shpvm TrojanDownloader:Win32/Macdowpay.A Trojan.Razy.D2B7A8 Trojan/Win32.Locky.R201696 Backdoor.Androm Backdoor.Andromeda Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Androm.266082.B": [[26, 54]], "Indicator: Trojandownloader.Macdowpay": [[55, 81]], "Indicator: Trojan.Win32.Godzilla.ephbuw": [[82, 110]], "Indicator: Trojan.Encoder.11909": [[111, 131]], "Indicator: Backdoor.Androm.Win32.43313": [[132, 159]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[160, 189]], "Indicator: Trojan.Yakes.vjn": [[190, 206]], "Indicator: Trojan.Backdoor.Quakbot": [[207, 230]], "Indicator: TR/Fuery.shpvm": [[231, 245]], "Indicator: TrojanDownloader:Win32/Macdowpay.A": [[246, 280]], "Indicator: Trojan.Razy.D2B7A8": [[281, 299]], "Indicator: Trojan/Win32.Locky.R201696": [[300, 326]], "Indicator: Backdoor.Androm": [[327, 342]], "Indicator: Backdoor.Andromeda": [[343, 361]], "Indicator: Trj/CI.A": [[362, 370]]}, "info": {"id": "cyner2_5class_train_04666", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: Trojan.Horst Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Downloader.OMUB-6519 Trojan-Proxy.Win32.Horst.av Trojan.Win32.Horst.dqlqvp Trojan.DownLoader.9121 W32/Downloader.YSQ Trojan[Proxy]/Win32.Horst Trojan-Proxy.Win32.Horst.av TrojanProxy.Horst", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Horst": [[26, 38]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[39, 81]], "Indicator: W32/Downloader.OMUB-6519": [[82, 106]], "Indicator: Trojan-Proxy.Win32.Horst.av": [[107, 134], [229, 256]], "Indicator: Trojan.Win32.Horst.dqlqvp": [[135, 160]], "Indicator: Trojan.DownLoader.9121": [[161, 183]], "Indicator: W32/Downloader.YSQ": [[184, 202]], "Indicator: Trojan[Proxy]/Win32.Horst": [[203, 228]], "Indicator: TrojanProxy.Horst": [[257, 274]]}, "info": {"id": "cyner2_5class_train_04667", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan-PSW.OLGames.bp W32.Rontokbro@mm Trojan.Win32.Krap.dazptt Trojan.Win32.Z.Onlinegames.25088.A Trojan.Click3.21708 BehavesLike.Win32.PWSOnlineGames.mc W32/Trojan.UITW-4840 Trojan/PSW.OnLineGames2.dg PWS:Win32/Zakahic.A Win32.Trojan.Dropper.Heur Trojan.Win32.OnlineGames.daq Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.PYY!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan-PSW.OLGames.bp": [[26, 53]], "Indicator: W32.Rontokbro@mm": [[54, 70]], "Indicator: Trojan.Win32.Krap.dazptt": [[71, 95]], "Indicator: Trojan.Win32.Z.Onlinegames.25088.A": [[96, 130]], "Indicator: Trojan.Click3.21708": [[131, 150]], "Indicator: BehavesLike.Win32.PWSOnlineGames.mc": [[151, 186]], "Indicator: W32/Trojan.UITW-4840": [[187, 207]], "Indicator: Trojan/PSW.OnLineGames2.dg": [[208, 234]], "Indicator: PWS:Win32/Zakahic.A": [[235, 254]], "Indicator: Win32.Trojan.Dropper.Heur": [[255, 280]], "Indicator: Trojan.Win32.OnlineGames.daq": [[281, 309]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[310, 344]], "Indicator: W32/Onlinegames.PYY!tr": 
[[345, 367]]}, "info": {"id": "cyner2_5class_train_04668", "source": "cyner2_5class_train"}} +{"text": "We found two functions : The first function is http : //s.psserviceonline [ .", "spans": {"Indicator: http : //s.psserviceonline [ .": [[47, 77]]}, "info": {"id": "cyner2_5class_train_04669", "source": "cyner2_5class_train"}} +{"text": "First , the app creates a JavaScript function to call a Java method , getImageBase64 , exposed to WebView using addJavascriptInterface .", "spans": {}, "info": {"id": "cyner2_5class_train_04670", "source": "cyner2_5class_train"}} +{"text": "This new threat actor we are naming YoroTrooper has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor.", "spans": {"Organization: governments": [[67, 78]], "Malware: at": [[107, 109]], "Organization: Cisco Talos": [[131, 142]], "System: infrastructure": [[204, 218]]}, "info": {"id": "cyner2_5class_train_04671", "source": "cyner2_5class_train"}} +{"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module .", "spans": {"System: Python": [[338, 344]]}, "info": {"id": "cyner2_5class_train_04672", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/SillyPWS.CT Trojan-Spy.MSIL!IK 
Trojan.MulDrop1.16499 TrojanSpy.MSIL.acx PWS:MSIL/VB.B Trojan-Spy.MSIL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/SillyPWS.CT": [[26, 43]], "Indicator: Trojan-Spy.MSIL!IK": [[44, 62]], "Indicator: Trojan.MulDrop1.16499": [[63, 84]], "Indicator: TrojanSpy.MSIL.acx": [[85, 103]], "Indicator: PWS:MSIL/VB.B": [[104, 117]], "Indicator: Trojan-Spy.MSIL": [[118, 133]]}, "info": {"id": "cyner2_5class_train_04673", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9994 Trojan.Win32.Waldek.aqji Trojan.Win32.Dwn.dzdxxu BackDoor.PlugX.7 Dropper.Dapato.Win32.27346 BehavesLike.Win32.MultiPlug.fh TrojanDropper.Dapato.snz TR/AD.Plugx.M.6 Trojan[Dropper]/Win32.Dapato Trojan.Win32.Waldek.aqji Backdoor:Win32/Plugx.L!dha Trj/GdSda.A Win32.Trojan.Waldek.Wrgj Trojan.Win32.Crypt W32/Kryptik.DGGW!tr TrojanDropper.Dapato Win32/Trojan.bdb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[26, 68]], "Indicator: Trojan.Win32.Waldek.aqji": [[69, 93], [263, 287]], "Indicator: Trojan.Win32.Dwn.dzdxxu": [[94, 117]], "Indicator: BackDoor.PlugX.7": [[118, 134]], "Indicator: Dropper.Dapato.Win32.27346": [[135, 161]], "Indicator: BehavesLike.Win32.MultiPlug.fh": [[162, 192]], "Indicator: TrojanDropper.Dapato.snz": [[193, 217]], "Indicator: TR/AD.Plugx.M.6": [[218, 233]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[234, 262]], "Indicator: Backdoor:Win32/Plugx.L!dha": [[288, 314]], "Indicator: Trj/GdSda.A": [[315, 326]], "Indicator: Win32.Trojan.Waldek.Wrgj": [[327, 351]], "Indicator: Trojan.Win32.Crypt": [[352, 370]], "Indicator: W32/Kryptik.DGGW!tr": [[371, 390]], "Indicator: TrojanDropper.Dapato": [[391, 411]], "Indicator: Win32/Trojan.bdb": [[412, 428]]}, "info": {"id": "cyner2_5class_train_04674", "source": "cyner2_5class_train"}} +{"text": "Unfortunately, malware authors often utilize these same capabilities to compromise systems.", "spans": {"System: compromise 
systems.": [[72, 91]]}, "info": {"id": "cyner2_5class_train_04675", "source": "cyner2_5class_train"}} +{"text": "Interestingly , there is a domain which used to point there , “ DlmDocumentsExchange.com ” .", "spans": {"Indicator: DlmDocumentsExchange.com": [[64, 88]]}, "info": {"id": "cyner2_5class_train_04676", "source": "cyner2_5class_train"}} +{"text": "This notable characteristic made this attack worthy of further analysis.", "spans": {}, "info": {"id": "cyner2_5class_train_04677", "source": "cyner2_5class_train"}} +{"text": "Talos found 189 logos from banks to cryptocurrency exchanges inside the archive , all of which could be targeted .", "spans": {}, "info": {"id": "cyner2_5class_train_04678", "source": "cyner2_5class_train"}} +{"text": "] it Napoli server1rc.exodus.connexxa [ .", "spans": {"Indicator: server1rc.exodus.connexxa [ .": [[12, 41]]}, "info": {"id": "cyner2_5class_train_04679", "source": "cyner2_5class_train"}} +{"text": "] biz adminloader [ .", "spans": {"Indicator: adminloader [ .": [[6, 21]]}, "info": {"id": "cyner2_5class_train_04680", "source": "cyner2_5class_train"}} +{"text": "First, this domain pattern looks just like the extremely prevalent, yet benign Akamai CDN domain.", "spans": {"Indicator: domain pattern": [[12, 26]], "Organization: Akamai": [[79, 85]], "System: CDN": [[86, 89]], "Indicator: domain.": [[90, 97]]}, "info": {"id": "cyner2_5class_train_04681", "source": "cyner2_5class_train"}} +{"text": "With the increased use of Android phones in business environments , it is important to defend against these threats by ensuring devices are kept current with the latest updates .", "spans": {"System: Android": [[26, 33]]}, "info": {"id": "cyner2_5class_train_04682", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WORM_DORKBOT.SMA Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.FakeAV WORM_DORKBOT.SMA Packed.Win32.Katusha.o Trojan.Win32.Katusha.exnjhu BehavesLike.Win32.PWSZbot.qc Packed.Katusha.agmk 
Trojan.Downloader.126 Packed.Win32.Katusha.o Win32.Worm.Autorun.E Trojan/Win32.Cosmu.C71744 W32/Crypt.AAAI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WORM_DORKBOT.SMA": [[26, 42], [100, 116]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[43, 85]], "Indicator: Trojan.FakeAV": [[86, 99]], "Indicator: Packed.Win32.Katusha.o": [[117, 139], [239, 261]], "Indicator: Trojan.Win32.Katusha.exnjhu": [[140, 167]], "Indicator: BehavesLike.Win32.PWSZbot.qc": [[168, 196]], "Indicator: Packed.Katusha.agmk": [[197, 216]], "Indicator: Trojan.Downloader.126": [[217, 238]], "Indicator: Win32.Worm.Autorun.E": [[262, 282]], "Indicator: Trojan/Win32.Cosmu.C71744": [[283, 308]], "Indicator: W32/Crypt.AAAI!tr": [[309, 326]]}, "info": {"id": "cyner2_5class_train_04683", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Udsdangerousobject.Multi Trojan.Waldek.Win32.5328 Uds.Dangerousobject.Multi!c BKDR_REMCOS.DRQW Trojan.Win32.Waldek.akql Trojan.Win32.Waldek.etvwxi Trojan.Win32.Z.Highconfidence.731416 BKDR_REMCOS.DRQW Trojan.Win32.Waldek W32/Trojan.CSQN-6734 W32.Waldek.Akql TR/Waldek.rludr Trojan/Win32.Waldek Trojan:Win32/Vonocksu.A Trojan.Win32.Waldek.akql Trojan/Win32.Waldek.C2216962 Trj/GdSda.A Win32.Trojan.Waldek.Htvv W32/REMCOS.DRQW!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Udsdangerousobject.Multi": [[26, 50]], "Indicator: Trojan.Waldek.Win32.5328": [[51, 75]], "Indicator: Uds.Dangerousobject.Multi!c": [[76, 103]], "Indicator: BKDR_REMCOS.DRQW": [[104, 120], [210, 226]], "Indicator: Trojan.Win32.Waldek.akql": [[121, 145], [344, 368]], "Indicator: Trojan.Win32.Waldek.etvwxi": [[146, 172]], "Indicator: Trojan.Win32.Z.Highconfidence.731416": [[173, 209]], "Indicator: Trojan.Win32.Waldek": [[227, 246]], "Indicator: W32/Trojan.CSQN-6734": [[247, 267]], "Indicator: W32.Waldek.Akql": [[268, 283]], "Indicator: TR/Waldek.rludr": [[284, 299]], "Indicator: Trojan/Win32.Waldek": [[300, 319]], "Indicator: 
Trojan:Win32/Vonocksu.A": [[320, 343]], "Indicator: Trojan/Win32.Waldek.C2216962": [[369, 397]], "Indicator: Trj/GdSda.A": [[398, 409]], "Indicator: Win32.Trojan.Waldek.Htvv": [[410, 434]], "Indicator: W32/REMCOS.DRQW!tr.bdr": [[435, 457]]}, "info": {"id": "cyner2_5class_train_04684", "source": "cyner2_5class_train"}} +{"text": "Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features.", "spans": {"Malware: ATM malware families, Alice": [[13, 40]], "Malware: ATMs;": [[85, 90]]}, "info": {"id": "cyner2_5class_train_04685", "source": "cyner2_5class_train"}} +{"text": "This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers , and impacts user experience by consuming their data plan resources .", "spans": {}, "info": {"id": "cyner2_5class_train_04686", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Malware.1 W32.Mailbancos@mm Win32.Mailbancos@mm W32.Mailbancos@mm SHeur2.XWF Trj/Banbra.GGU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Malware.1": [[26, 48]], "Indicator: W32.Mailbancos@mm": [[49, 66], [87, 104]], "Indicator: Win32.Mailbancos@mm": [[67, 86]], "Indicator: SHeur2.XWF": [[105, 115]], "Indicator: Trj/Banbra.GGU": [[116, 130]]}, "info": {"id": "cyner2_5class_train_04687", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.A13D Backdoor.Sinowal.BC Backdoor/W32.Sinowal.335872.B Backdoor.Sinowal.Win32.471 Backdoor.Sinowal.BC Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Mebroot Win.Trojan.Sinowal-1209 Backdoor.Sinowal.BC Backdoor.Win32.Sinowal.eee Backdoor.Sinowal.BC Trojan.Win32.Sinowal.bfkka Backdoor.Win32.Sinowal.335872 Backdoor.W32.Sinowal!c Backdoor.Sinowal.BC Backdoor.Win32.Sinowal.~CRSB Trojan.Packed.2355 BehavesLike.Win32.Sality.fc Backdoor.Win32.Sinowal W32/Backdoor2.EHUE 
Backdoor/Sinowal.gje RKIT/MBR.Sinowal.W Trojan[Backdoor]/Win32.Sinowal Win32.Hack.SinowalT.bg.339968 Backdoor.Win32.Sinowal.eee Backdoor.Sinowal.BC Backdoor.Sinowal Win32.Backdoor.Sinowal.Liqd W32/SINOWAL.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.A13D": [[26, 42]], "Indicator: Backdoor.Sinowal.BC": [[43, 62], [120, 139], [222, 241], [269, 288], [369, 388], [635, 654]], "Indicator: Backdoor/W32.Sinowal.335872.B": [[63, 92]], "Indicator: Backdoor.Sinowal.Win32.471": [[93, 119]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[140, 182]], "Indicator: Trojan.Mebroot": [[183, 197]], "Indicator: Win.Trojan.Sinowal-1209": [[198, 221]], "Indicator: Backdoor.Win32.Sinowal.eee": [[242, 268], [608, 634]], "Indicator: Trojan.Win32.Sinowal.bfkka": [[289, 315]], "Indicator: Backdoor.Win32.Sinowal.335872": [[316, 345]], "Indicator: Backdoor.W32.Sinowal!c": [[346, 368]], "Indicator: Backdoor.Win32.Sinowal.~CRSB": [[389, 417]], "Indicator: Trojan.Packed.2355": [[418, 436]], "Indicator: BehavesLike.Win32.Sality.fc": [[437, 464]], "Indicator: Backdoor.Win32.Sinowal": [[465, 487]], "Indicator: W32/Backdoor2.EHUE": [[488, 506]], "Indicator: Backdoor/Sinowal.gje": [[507, 527]], "Indicator: RKIT/MBR.Sinowal.W": [[528, 546]], "Indicator: Trojan[Backdoor]/Win32.Sinowal": [[547, 577]], "Indicator: Win32.Hack.SinowalT.bg.339968": [[578, 607]], "Indicator: Backdoor.Sinowal": [[655, 671]], "Indicator: Win32.Backdoor.Sinowal.Liqd": [[672, 699]], "Indicator: W32/SINOWAL.A!tr": [[700, 716]]}, "info": {"id": "cyner2_5class_train_04688", "source": "cyner2_5class_train"}} +{"text": "However , the existence of threats like ViperRAT and Pegasus , the most sophisticated piece of mobile surveillanceware we ’ ve seen to date , are evidence that attackers are targeting mobile devices .", "spans": {"Malware: ViperRAT": [[40, 48]], "Malware: Pegasus": [[53, 60]]}, "info": {"id": "cyner2_5class_train_04689", "source": "cyner2_5class_train"}} +{"text": "What makes 
this interesting is how the dated botnet and macro malware trick are used together.", "spans": {"Malware: botnet": [[45, 51]], "Malware: macro malware": [[56, 69]]}, "info": {"id": "cyner2_5class_train_04690", "source": "cyner2_5class_train"}} +{"text": "This weekend saw multiple reports a new zero-day vulnerability that affected all versions of Microsoft Word.", "spans": {"Vulnerability: zero-day vulnerability": [[40, 62]], "System: Microsoft Word.": [[93, 108]]}, "info": {"id": "cyner2_5class_train_04691", "source": "cyner2_5class_train"}} +{"text": "A 17-year-old vulnerability in Microsoft Office Equation Editor is now confirmed to be exploited by the Cobalt Group.", "spans": {"Vulnerability: A 17-year-old vulnerability": [[0, 27]], "System: Microsoft Office Equation Editor": [[31, 63]], "Vulnerability: exploited": [[87, 96]]}, "info": {"id": "cyner2_5class_train_04692", "source": "cyner2_5class_train"}} +{"text": "In recent months, Kaspersky observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware.", "spans": {"Organization: Kaspersky": [[18, 27]], "Organization: Google Advertising": [[95, 113]], "Malware: malware.": [[156, 164]]}, "info": {"id": "cyner2_5class_train_04693", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_BHO.SMK Win32.Trojan.WisdomEyes.16070401.9500.9922 W32/MalwareS.AXKH TROJ_BHO.SMK Trojan.DownLoader7.50629 BehavesLike.Win32.PWSZbot.dm Backdoor.WinNT.PcClient W32/Risk.AWDS-7973", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_BHO.SMK": [[26, 38], [100, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9922": [[39, 81]], "Indicator: W32/MalwareS.AXKH": [[82, 99]], "Indicator: Trojan.DownLoader7.50629": [[113, 137]], "Indicator: BehavesLike.Win32.PWSZbot.dm": [[138, 166]], "Indicator: Backdoor.WinNT.PcClient": [[167, 190]], "Indicator: W32/Risk.AWDS-7973": [[191, 209]]}, "info": {"id": "cyner2_5class_train_04694", 
"source": "cyner2_5class_train"}} +{"text": "Initially, only the Windows version of ROKRAT was used, but the Android version of the malware was later identified.", "spans": {"System: the Windows version": [[16, 35]], "Malware: ROKRAT": [[39, 45]], "System: Android version": [[64, 79]], "Malware: malware": [[87, 94]]}, "info": {"id": "cyner2_5class_train_04695", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.F73E Backdoor/W32.Xhaker.593920 Backdoor.Xhaker.b.n7 Backdoor.Xhaker.Win32.49 Backdoor/Xhaker.b Trojan.Win32.Xhaker.cbfde W32/BackdoorX.BNHA Backdoor.Trojan Smalldoor.BKPC Backdoor.Win32.Xhaker.b Backdoor.Xhaker!qYrnZt9Kncc PE:Backdoor.Win32.VB.bnx!1075029071 BackDoor.Caverns.79 BehavesLike.Win32.Ramnit.hc W32/Backdoor.IYKC-7331 Backdoor/Xhaker.l Win32.Hack.Xhaker.b.kcloud Win32.Backdoor.Xhaker.doln W32/Xhaker.B!tr.bdr Backdoor.Win32.Xhaker.b Win32/Backdoor.bee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.F73E": [[26, 42]], "Indicator: Backdoor/W32.Xhaker.593920": [[43, 69]], "Indicator: Backdoor.Xhaker.b.n7": [[70, 90]], "Indicator: Backdoor.Xhaker.Win32.49": [[91, 115]], "Indicator: Backdoor/Xhaker.b": [[116, 133]], "Indicator: Trojan.Win32.Xhaker.cbfde": [[134, 159]], "Indicator: W32/BackdoorX.BNHA": [[160, 178]], "Indicator: Backdoor.Trojan": [[179, 194]], "Indicator: Smalldoor.BKPC": [[195, 209]], "Indicator: Backdoor.Win32.Xhaker.b": [[210, 233], [461, 484]], "Indicator: Backdoor.Xhaker!qYrnZt9Kncc": [[234, 261]], "Indicator: PE:Backdoor.Win32.VB.bnx!1075029071": [[262, 297]], "Indicator: BackDoor.Caverns.79": [[298, 317]], "Indicator: BehavesLike.Win32.Ramnit.hc": [[318, 345]], "Indicator: W32/Backdoor.IYKC-7331": [[346, 368]], "Indicator: Backdoor/Xhaker.l": [[369, 386]], "Indicator: Win32.Hack.Xhaker.b.kcloud": [[387, 413]], "Indicator: Win32.Backdoor.Xhaker.doln": [[414, 440]], "Indicator: W32/Xhaker.B!tr.bdr": [[441, 460]], "Indicator: Win32/Backdoor.bee": [[485, 503]]}, "info": {"id": 
"cyner2_5class_train_04696", "source": "cyner2_5class_train"}} +{"text": "We recently uncovered a coordinated campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization.", "spans": {"System: Internet infrastructure": [[55, 78]], "Organization: providers,": [[79, 89]], "Organization: media organization, a financial services company,": [[92, 141]], "Organization: Asian government organization.": [[149, 179]]}, "info": {"id": "cyner2_5class_train_04697", "source": "cyner2_5class_train"}} +{"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here ’ s a list of the modules and their functions : sendSms — send SMS/MMS to a specified address setWifi — enable or disable Wi-Fi connection gcont — collect all the device ’ s contacts lock — currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc — collect all contacts from the Android device and SIM card setForward — currently not implemented , but can be used to hijack the infected device getForward — currently not implemented , but can be used to hijack the infected device hasPkg — check the device whether a specified app is installed or not setRingerMode — set the device ’ s ringer mode setRecEnable — set the device ’ s ringer mode as silent reqState — get a detailed phone connection status , which includes activated network and Wi-Fi ( with or without password ) showHome — force the device ’ s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http — access a specified network using HttpURLConnection onRecordAction — simulate a number-dialed tone call — call a specified number get_apps — get all the apps installed on the device show_fs_float_window — show a full-screen window for 
phishing Of note is XLoader ’ s abuse of the WebSocket protocol ( supported in many browsers and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers .", "spans": {"Malware: XLoader": [[0, 7], [1428, 1435]], "System: Android": [[497, 504]]}, "info": {"id": "cyner2_5class_train_04698", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutorunMI.Worm Trojan-Downloader.Win32.Flux!O Worm.AutoRun Trojan/Dropper.aiv Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Autorun-973 Worm.Win32.AutoRun.lt Trojan.Win32.AutoRun.18461 Constructor.W32.VB.lgxd Backdoor.Win32.Popwin.~IQ Trojan.Popwin Worm/Win32.AutoRun Worm.AutoRunsT.ot.18432 Worm.Win32.AutoRun.lt Worm.Winko", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutorunMI.Worm": [[26, 44]], "Indicator: Trojan-Downloader.Win32.Flux!O": [[45, 75]], "Indicator: Worm.AutoRun": [[76, 88]], "Indicator: Trojan/Dropper.aiv": [[89, 107]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[108, 150]], "Indicator: Win.Trojan.Autorun-973": [[151, 173]], "Indicator: Worm.Win32.AutoRun.lt": [[174, 195], [330, 351]], "Indicator: Trojan.Win32.AutoRun.18461": [[196, 222]], "Indicator: Constructor.W32.VB.lgxd": [[223, 246]], "Indicator: Backdoor.Win32.Popwin.~IQ": [[247, 272]], "Indicator: Trojan.Popwin": [[273, 286]], "Indicator: Worm/Win32.AutoRun": [[287, 305]], "Indicator: Worm.AutoRunsT.ot.18432": [[306, 329]], "Indicator: Worm.Winko": [[352, 362]]}, "info": {"id": "cyner2_5class_train_04699", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.SmalBHQc.Trojan Trojan.Zenshirsh.SL7 PUP.AdLoad/Variant not-a-virus:Downloader.Win32.AdLoad.syjh Trojan.Win32.Kazy.dydcdw Trojan.Vittalia.800 BehavesLike.Win32.Downloader.lc Variant.Kazy.ds PUA/IStartSurf.chew GrayWare[Adware]/Win32.istartsurf.a Trojan.Application.Bundler.Outbrowse.16 not-a-virus:Downloader.Win32.AdLoad.syjh 
TrojanDownloader:Win32/Subroate.A!bit Downloader.AdLoad PUA.Downloader!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.SmalBHQc.Trojan": [[26, 51]], "Indicator: Trojan.Zenshirsh.SL7": [[52, 72]], "Indicator: PUP.AdLoad/Variant": [[73, 91]], "Indicator: not-a-virus:Downloader.Win32.AdLoad.syjh": [[92, 132], [322, 362]], "Indicator: Trojan.Win32.Kazy.dydcdw": [[133, 157]], "Indicator: Trojan.Vittalia.800": [[158, 177]], "Indicator: BehavesLike.Win32.Downloader.lc": [[178, 209]], "Indicator: Variant.Kazy.ds": [[210, 225]], "Indicator: PUA/IStartSurf.chew": [[226, 245]], "Indicator: GrayWare[Adware]/Win32.istartsurf.a": [[246, 281]], "Indicator: Trojan.Application.Bundler.Outbrowse.16": [[282, 321]], "Indicator: TrojanDownloader:Win32/Subroate.A!bit": [[363, 400]], "Indicator: Downloader.AdLoad": [[401, 418]], "Indicator: PUA.Downloader!": [[419, 434]]}, "info": {"id": "cyner2_5class_train_04700", "source": "cyner2_5class_train"}} +{"text": "In this report, we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.", "spans": {"Malware: exploit": [[57, 64]], "Indicator: CVE-2012-0158": [[65, 78]], "Malware: NetTraveler Trojan.": [[94, 113]]}, "info": {"id": "cyner2_5class_train_04701", "source": "cyner2_5class_train"}} +{"text": "Interestingly, it utilizes a pseudorandom number generator PRNG used in Vawtrak s loader.", "spans": {"Indicator: pseudorandom number generator PRNG": [[29, 63]], "Malware: Vawtrak s loader.": [[72, 89]]}, "info": {"id": "cyner2_5class_train_04702", "source": "cyner2_5class_train"}} +{"text": "It was also used in limited attacks in Korea and Japan .", "spans": {}, "info": {"id": "cyner2_5class_train_04703", "source": "cyner2_5class_train"}} +{"text": "The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader.", "spans": {"Indicator: The iframe": [[0, 10]], "Malware: Angler EK": [[20, 29]], "Malware: Bedep ad-fraud": [[46, 60]], "Malware: Gootkit 
loader.": [[84, 99]]}, "info": {"id": "cyner2_5class_train_04704", "source": "cyner2_5class_train"}} +{"text": "PHA authors usually try to hide their tracks , so attribution is difficult .", "spans": {}, "info": {"id": "cyner2_5class_train_04705", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D3D173 Win32.Trojan.WisdomEyes.16070401.9500.9961 Ransom_Nymaim.R002C0DAT18 Ransom_Nymaim.R002C0DAT18 Ransom:Win32/Nymaim.F Win32/Trojan.160", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D3D173": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[45, 87]], "Indicator: Ransom_Nymaim.R002C0DAT18": [[88, 113], [114, 139]], "Indicator: Ransom:Win32/Nymaim.F": [[140, 161]], "Indicator: Win32/Trojan.160": [[162, 178]]}, "info": {"id": "cyner2_5class_train_04706", "source": "cyner2_5class_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04707", "source": "cyner2_5class_train"}} +{"text": "Based on our investigation, the actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets.", "spans": {"Malware: Android malware": [[88, 103]], "System: Google Play": [[107, 118]], "System: apps": [[156, 160]], "Organization: Facebook": [[164, 172]], "Organization: high profile targets.": [[214, 235]]}, "info": {"id": "cyner2_5class_train_04708", "source": "cyner2_5class_train"}} +{"text": "It remains available within the source code but no method of use takes place .", "spans": {}, "info": {"id": "cyner2_5class_train_04709", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.MMTask.59905 Trojan/PSW.Mmtask.a Trojan.Heur.GM.040605A000 Win32.Trojan.WisdomEyes.16070401.9500.9759 W32/Trojan.ALHG-3475 Win.Trojan.Mmtask-1 Trojan-PSW.Win32.Mmtask.a Trojan.Win32.Mmtask.glty Trojan.Win32.MMTask.59905 
Troj.PSW32.W.Mmtask.a!c TrojWare.Win32.PSW.MMTask.A Trojan.MMTask.1 BehavesLike.Win32.PWSZbot.qc Trojan/PSW.MMTask.a TR/PSW.MMTask.A1 Trojan[PSW]/Win32.Mmtask PWS:Win32/MMTask.A Trojan-PSW.Win32.Mmtask.a TrojanPSW.Mmtask Win32/PSW.MMTask.A Win32.Trojan-qqpass.Qqrob.Wuhe Trojan.PWS.Mmtask!shxUVb0b7bE Trojan-PWS.Win32.Mmtask W32/Bdoor.BG!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.MMTask.59905": [[26, 49]], "Indicator: Trojan/PSW.Mmtask.a": [[50, 69]], "Indicator: Trojan.Heur.GM.040605A000": [[70, 95]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9759": [[96, 138]], "Indicator: W32/Trojan.ALHG-3475": [[139, 159]], "Indicator: Win.Trojan.Mmtask-1": [[160, 179]], "Indicator: Trojan-PSW.Win32.Mmtask.a": [[180, 205], [435, 460]], "Indicator: Trojan.Win32.Mmtask.glty": [[206, 230]], "Indicator: Trojan.Win32.MMTask.59905": [[231, 256]], "Indicator: Troj.PSW32.W.Mmtask.a!c": [[257, 280]], "Indicator: TrojWare.Win32.PSW.MMTask.A": [[281, 308]], "Indicator: Trojan.MMTask.1": [[309, 324]], "Indicator: BehavesLike.Win32.PWSZbot.qc": [[325, 353]], "Indicator: Trojan/PSW.MMTask.a": [[354, 373]], "Indicator: TR/PSW.MMTask.A1": [[374, 390]], "Indicator: Trojan[PSW]/Win32.Mmtask": [[391, 415]], "Indicator: PWS:Win32/MMTask.A": [[416, 434]], "Indicator: TrojanPSW.Mmtask": [[461, 477]], "Indicator: Win32/PSW.MMTask.A": [[478, 496]], "Indicator: Win32.Trojan-qqpass.Qqrob.Wuhe": [[497, 527]], "Indicator: Trojan.PWS.Mmtask!shxUVb0b7bE": [[528, 557]], "Indicator: Trojan-PWS.Win32.Mmtask": [[558, 581]], "Indicator: W32/Bdoor.BG!tr": [[582, 597]]}, "info": {"id": "cyner2_5class_train_04710", "source": "cyner2_5class_train"}} +{"text": "Usually , when users are already infected with malware like TrickBot on their desktop , they will see a web injection asking for their mobile device operating system ( OS ) type and phone number .", "spans": {"Malware: TrickBot": [[60, 68]]}, "info": {"id": "cyner2_5class_train_04711", "source": "cyner2_5class_train"}} 
+{"text": "The collection of basic device information .", "spans": {}, "info": {"id": "cyner2_5class_train_04712", "source": "cyner2_5class_train"}} +{"text": "Check code for emulators As part of its defense , the malware payload first checks for emulators to prevent analysis on sandboxes .", "spans": {}, "info": {"id": "cyner2_5class_train_04713", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE W32.Backdoor.Rbot Trojan:Win32/Damingvat.A.dam#2 Backdoor/Win32.Graybird.C918907", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: W32.Backdoor.Rbot": [[42, 59]], "Indicator: Trojan:Win32/Damingvat.A.dam#2": [[60, 90]], "Indicator: Backdoor/Win32.Graybird.C918907": [[91, 122]]}, "info": {"id": "cyner2_5class_train_04714", "source": "cyner2_5class_train"}} +{"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner2_5class_train_04715", "source": "cyner2_5class_train"}} +{"text": "As Riltok shows , cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success .", "spans": {"Malware: Riltok": [[3, 9]]}, "info": {"id": "cyner2_5class_train_04716", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Banker.113430.B Heur.Win32.VBKrypt.3!O Trojan.Tinba.F3 Trojan.Tinba.Win32.1756 Trojan/Injector.bzpp Win32.Trojan.WisdomEyes.16070401.9500.9974 W32.Cridex.B TROJ_TINBA.SMH Win32.Trojan.Emotet.U Trojan.Win32.VB.dmqp Trojan.Win32.Tinba.euqtlz Troj.W32.VBKrypt.tpek Trojan.PWS.Tinba.161 TROJ_TINBA.SMH BehavesLike.Win32.Emotet.cm Trojan/Banker.Tinba.amp TR/Tinba.A.843 Trojan[Banker]/Win32.Tinba Trojan.Win32.VB.dmqp Trojan/Win32.Cridex.R197444 TrojanBanker.Tinba Trojan.PWS.Tinba! 
Trojan-Banker.Emotet W32/Injector.BZJE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Banker.113430.B": [[26, 56]], "Indicator: Heur.Win32.VBKrypt.3!O": [[57, 79]], "Indicator: Trojan.Tinba.F3": [[80, 95]], "Indicator: Trojan.Tinba.Win32.1756": [[96, 119]], "Indicator: Trojan/Injector.bzpp": [[120, 140]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9974": [[141, 183]], "Indicator: W32.Cridex.B": [[184, 196]], "Indicator: TROJ_TINBA.SMH": [[197, 211], [324, 338]], "Indicator: Win32.Trojan.Emotet.U": [[212, 233]], "Indicator: Trojan.Win32.VB.dmqp": [[234, 254], [433, 453]], "Indicator: Trojan.Win32.Tinba.euqtlz": [[255, 280]], "Indicator: Troj.W32.VBKrypt.tpek": [[281, 302]], "Indicator: Trojan.PWS.Tinba.161": [[303, 323]], "Indicator: BehavesLike.Win32.Emotet.cm": [[339, 366]], "Indicator: Trojan/Banker.Tinba.amp": [[367, 390]], "Indicator: TR/Tinba.A.843": [[391, 405]], "Indicator: Trojan[Banker]/Win32.Tinba": [[406, 432]], "Indicator: Trojan/Win32.Cridex.R197444": [[454, 481]], "Indicator: TrojanBanker.Tinba": [[482, 500]], "Indicator: Trojan.PWS.Tinba!": [[501, 518]], "Indicator: Trojan-Banker.Emotet": [[519, 539]], "Indicator: W32/Injector.BZJE!tr": [[540, 560]]}, "info": {"id": "cyner2_5class_train_04717", "source": "cyner2_5class_train"}} +{"text": "It comes as no surprise then that many SMS-Trojans include bot functionality .", "spans": {}, "info": {"id": "cyner2_5class_train_04718", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.CD60 Downloader.Bagle.Win32.491 Trojan/Downloader.Bagle.atn Trojan.Win32.Bagle.dswqdy Troj.Downloader.W32.Bagle.atn!c Trojan.Packed.650 Trojan-Downloader.Win32.Bagle TrojanDownloader.Bagle.bfu Worm/Win32.Bagle.R767 Trojan.DL.Bagle!+mahMemQ9a4 W32/Bagle.ATN!tr.dldr Trj/CI.A Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.CD60": [[26, 43]], "Indicator: Downloader.Bagle.Win32.491": [[44, 70]], "Indicator: 
Trojan/Downloader.Bagle.atn": [[71, 98]], "Indicator: Trojan.Win32.Bagle.dswqdy": [[99, 124]], "Indicator: Troj.Downloader.W32.Bagle.atn!c": [[125, 156]], "Indicator: Trojan.Packed.650": [[157, 174]], "Indicator: Trojan-Downloader.Win32.Bagle": [[175, 204]], "Indicator: TrojanDownloader.Bagle.bfu": [[205, 231]], "Indicator: Worm/Win32.Bagle.R767": [[232, 253]], "Indicator: Trojan.DL.Bagle!+mahMemQ9a4": [[254, 281]], "Indicator: W32/Bagle.ATN!tr.dldr": [[282, 303]], "Indicator: Trj/CI.A": [[304, 312]], "Indicator: Win32/Trojan.2ff": [[313, 329]]}, "info": {"id": "cyner2_5class_train_04719", "source": "cyner2_5class_train"}} +{"text": "] XXXX [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04720", "source": "cyner2_5class_train"}} +{"text": "Although this injector is new, there are some connections to its older version sharing some similarities.", "spans": {"Malware: injector": [[14, 22]], "Indicator: some connections": [[41, 57]]}, "info": {"id": "cyner2_5class_train_04721", "source": "cyner2_5class_train"}} +{"text": "Proofpoint calls the two new variants recently identified Forked and Lite IcedID.", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: Lite IcedID.": [[69, 81]]}, "info": {"id": "cyner2_5class_train_04722", "source": "cyner2_5class_train"}} +{"text": "Blackhole's author, Paunch, was arrested in October 2013 and while criminals kept using the kit for the next few months, the exploits slowly deprecated and lost value because of lack of development.", "spans": {"Malware: kit for": [[92, 99]], "Malware: exploits": [[125, 133]]}, "info": {"id": "cyner2_5class_train_04723", "source": "cyner2_5class_train"}} +{"text": "We named this family Kemoge due to its command and control CnC domain", "spans": {"Malware: Kemoge": [[21, 27]], "Indicator: command and control CnC domain": [[39, 69]]}, "info": {"id": "cyner2_5class_train_04724", "source": "cyner2_5class_train"}} +{"text": "According to its profile at Google Play ( see Figure 2 ) the app 
reached a mere 10+ downloads .", "spans": {"System: Google Play": [[28, 39]]}, "info": {"id": "cyner2_5class_train_04725", "source": "cyner2_5class_train"}} +{"text": "Rotexy may start requesting device administrator privileges again in an infinite loop ; in that case , restart the device in safe mode and remove the malicious program .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner2_5class_train_04726", "source": "cyner2_5class_train"}} +{"text": "A new campaign is up and running using newly improved , significantly more powerful malware as compared to previous versions .", "spans": {}, "info": {"id": "cyner2_5class_train_04727", "source": "cyner2_5class_train"}} +{"text": "There has been significant media attention around a campaign likely by a nation-state actor targeting energy organizations in the U.S. including entities operating nuclear facilities.", "spans": {"Organization: media": [[27, 32]], "Organization: energy organizations": [[102, 122]], "Organization: entities operating nuclear facilities.": [[145, 183]]}, "info": {"id": "cyner2_5class_train_04728", "source": "cyner2_5class_train"}} +{"text": "The strings of code , for one , are similarly structured .", "spans": {}, "info": {"id": "cyner2_5class_train_04729", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader.XL W97M/Downloader.buv W97M.Downloader W2KM_DLOADER.AUSUAY Trojan.Ole2.Vbs-heuristic.druvzi W97M.S.Downloader.217088 W97M.MulDrop.158 W2KM_DLOADER.AUSUAY W97M/Downloader.buv TrojanDropper:O97M/Turla.A!dha virus.office.qexvmc.1080", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.XL": [[26, 44]], "Indicator: W97M/Downloader.buv": [[45, 64], [196, 215]], "Indicator: W97M.Downloader": [[65, 80]], "Indicator: W2KM_DLOADER.AUSUAY": [[81, 100], [176, 195]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[101, 133]], "Indicator: W97M.S.Downloader.217088": [[134, 158]], "Indicator: W97M.MulDrop.158": [[159, 175]], "Indicator: 
TrojanDropper:O97M/Turla.A!dha": [[216, 246]], "Indicator: virus.office.qexvmc.1080": [[247, 271]]}, "info": {"id": "cyner2_5class_train_04730", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Delfinject.18174 Win32.Trojan.WisdomEyes.16070401.9500.9930 Trojan.Win32.Banker.dnoogt Trojan.DownLoader12.55999 BehavesLike.Win32.Dropper.dm W32/Trojan.XESH-6077 TrojanDownloader.Banload.bimh TR/Dldr.Banload.ybjwz TrojanDownloader:Win32/BrobanKew.A TrojanBanker.Banker Trj/CI.A Win32/TrojanDownloader.Banload.VDB Trojan-Downloader.Win32.Banload W32/Banload.VGG!tr.dldr Win32/Trojan.994", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delfinject.18174": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9930": [[50, 92]], "Indicator: Trojan.Win32.Banker.dnoogt": [[93, 119]], "Indicator: Trojan.DownLoader12.55999": [[120, 145]], "Indicator: BehavesLike.Win32.Dropper.dm": [[146, 174]], "Indicator: W32/Trojan.XESH-6077": [[175, 195]], "Indicator: TrojanDownloader.Banload.bimh": [[196, 225]], "Indicator: TR/Dldr.Banload.ybjwz": [[226, 247]], "Indicator: TrojanDownloader:Win32/BrobanKew.A": [[248, 282]], "Indicator: TrojanBanker.Banker": [[283, 302]], "Indicator: Trj/CI.A": [[303, 311]], "Indicator: Win32/TrojanDownloader.Banload.VDB": [[312, 346]], "Indicator: Trojan-Downloader.Win32.Banload": [[347, 378]], "Indicator: W32/Banload.VGG!tr.dldr": [[379, 402]], "Indicator: Win32/Trojan.994": [[403, 419]]}, "info": {"id": "cyner2_5class_train_04731", "source": "cyner2_5class_train"}} +{"text": "Check Point reached out to the Google Security team immediately with information on this campaign .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google Security": [[31, 46]]}, "info": {"id": "cyner2_5class_train_04732", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9840 Trojan:Win32/ShadowPad.E!dha", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9840": [[26, 68]], "Indicator: Trojan:Win32/ShadowPad.E!dha": [[69, 97]]}, "info": {"id": "cyner2_5class_train_04733", "source": "cyner2_5class_train"}} +{"text": "] 64 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04734", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.FakeAv.exgvmw Virus.W32.Virus!c TROJ_KRYPTIK_HA230029.UVPM Trojan.Win32.Crypt Trojan.Banker.GozNym.ey Trojan[Banker]/Win32.GozNym TrojanDownloader:Win32/Nymaim.K Trj/GdSda.A W32/Kryptik.GCCW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.FakeAv.exgvmw": [[26, 52]], "Indicator: Virus.W32.Virus!c": [[53, 70]], "Indicator: TROJ_KRYPTIK_HA230029.UVPM": [[71, 97]], "Indicator: Trojan.Win32.Crypt": [[98, 116]], "Indicator: Trojan.Banker.GozNym.ey": [[117, 140]], "Indicator: Trojan[Banker]/Win32.GozNym": [[141, 168]], "Indicator: TrojanDownloader:Win32/Nymaim.K": [[169, 200]], "Indicator: Trj/GdSda.A": [[201, 212]], "Indicator: W32/Kryptik.GCCW!tr": [[213, 232]]}, "info": {"id": "cyner2_5class_train_04735", "source": "cyner2_5class_train"}} +{"text": "Monitoring the command and control ( C & C ) servers used by Bouncing Golf , we ’ ve so far observed more than 660 Android devices infected with GolfSpy .", "spans": {"Malware: Bouncing Golf": [[61, 74]], "System: Android": [[115, 122]], "Malware: GolfSpy": [[145, 152]]}, "info": {"id": "cyner2_5class_train_04736", "source": "cyner2_5class_train"}} +{"text": "The current phase of the Pawn Storm attack campaign started a little over a month ago, and the overall campaign was first identified in an October 2014 report from Trend Micro PDF.", "spans": {"Organization: Trend Micro": [[164, 175]]}, "info": {"id": "cyner2_5class_train_04737", "source": "cyner2_5class_train"}} +{"text": "We classify this 40-month period into three main stages .", "spans": {}, "info": {"id": "cyner2_5class_train_04738", "source": "cyner2_5class_train"}} +{"text": "The Security 
Service of Ukraine SBU is continuously investigating this active threat, and has issued statements attributing the attacks to specific branches of the Russian Federal Security Service FSB.", "spans": {"Organization: The Security Service of Ukraine SBU": [[0, 35]], "Organization: Russian Federal Security Service": [[164, 196]]}, "info": {"id": "cyner2_5class_train_04739", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.Msidebar TSPY_STARTPAGE_CD100271.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9721 Trojan.ADH.2 TSPY_STARTPAGE_CD100271.RDXN not-a-virus:AdWare.Win32.Loadwar.wmx Riskware.Win32.Loadwar.epwdej Win32.Trojan.Multiple.drwj Trojan.DownLoader7.8701 BehavesLike.Win32.Dropper.cc TR/Msidebar.C.39 GrayWare[AdWare]/Win32.Loadwar not-a-virus:AdWare.Win32.Loadwar.wmx Trojan:Win32/Msidebar.C Trj/CI.A Trojan.Win32.Msidebar Win32/Trojan.1a4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Msidebar": [[26, 41]], "Indicator: TSPY_STARTPAGE_CD100271.RDXN": [[42, 70], [127, 155]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9721": [[71, 113]], "Indicator: Trojan.ADH.2": [[114, 126]], "Indicator: not-a-virus:AdWare.Win32.Loadwar.wmx": [[156, 192], [351, 387]], "Indicator: Riskware.Win32.Loadwar.epwdej": [[193, 222]], "Indicator: Win32.Trojan.Multiple.drwj": [[223, 249]], "Indicator: Trojan.DownLoader7.8701": [[250, 273]], "Indicator: BehavesLike.Win32.Dropper.cc": [[274, 302]], "Indicator: TR/Msidebar.C.39": [[303, 319]], "Indicator: GrayWare[AdWare]/Win32.Loadwar": [[320, 350]], "Indicator: Trojan:Win32/Msidebar.C": [[388, 411]], "Indicator: Trj/CI.A": [[412, 420]], "Indicator: Trojan.Win32.Msidebar": [[421, 442]], "Indicator: Win32/Trojan.1a4": [[443, 459]]}, "info": {"id": "cyner2_5class_train_04740", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Ehdoor Trojan/Win32.Sharik.R208903 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Ehdoor": [[26, 41]], "Indicator: 
Trojan/Win32.Sharik.R208903": [[42, 69]], "Indicator: Trj/GdSda.A": [[70, 81]]}, "info": {"id": "cyner2_5class_train_04741", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Tool.ArchSMS.Win32.7363 Trojan/ArchSMS.otfk Trojan.Zusy.D4232C Win32.Trojan.SMSSend.a PUA.PremiumSMSScam!g14 Hoax.Win32.ArchSMS.cpmhw Riskware.Win32.galh.eaqeda Hoax.W32.Archsms!c ApplicUnwnt.Win32.Hoax.ArchSMS.TP Trojan.SMSSend.7500 BehavesLike.Win32.Dropper.vc Hoax.Win32.ArchSMS W32.Trojan.Archsms HackTool[Hoax]/Win32.ArchSMS Trojan:Win32/Tarifarch.AO Hoax.Win32.ArchSMS.cpmhw Unwanted/Win32.ArchSMS.R216870 Win32.Trojan-psw.Archsms.Htcd Trojan.ArchSMS!vRB02EvsodQ Win32/Trojan.SMS.604", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hoax.Win32.ArchSMS!O": [[26, 46]], "Indicator: Tool.ArchSMS.Win32.7363": [[47, 70]], "Indicator: Trojan/ArchSMS.otfk": [[71, 90]], "Indicator: Trojan.Zusy.D4232C": [[91, 109]], "Indicator: Win32.Trojan.SMSSend.a": [[110, 132]], "Indicator: PUA.PremiumSMSScam!g14": [[133, 155]], "Indicator: Hoax.Win32.ArchSMS.cpmhw": [[156, 180], [403, 427]], "Indicator: Riskware.Win32.galh.eaqeda": [[181, 207]], "Indicator: Hoax.W32.Archsms!c": [[208, 226]], "Indicator: ApplicUnwnt.Win32.Hoax.ArchSMS.TP": [[227, 260]], "Indicator: Trojan.SMSSend.7500": [[261, 280]], "Indicator: BehavesLike.Win32.Dropper.vc": [[281, 309]], "Indicator: Hoax.Win32.ArchSMS": [[310, 328]], "Indicator: W32.Trojan.Archsms": [[329, 347]], "Indicator: HackTool[Hoax]/Win32.ArchSMS": [[348, 376]], "Indicator: Trojan:Win32/Tarifarch.AO": [[377, 402]], "Indicator: Unwanted/Win32.ArchSMS.R216870": [[428, 458]], "Indicator: Win32.Trojan-psw.Archsms.Htcd": [[459, 488]], "Indicator: Trojan.ArchSMS!vRB02EvsodQ": [[489, 515]], "Indicator: Win32/Trojan.SMS.604": [[516, 536]]}, "info": {"id": "cyner2_5class_train_04742", "source": "cyner2_5class_train"}} +{"text": "The app loads a URL pointing to a Bread-controlled server .", "spans": {}, "info": {"id": 
"cyner2_5class_train_04743", "source": "cyner2_5class_train"}} +{"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions .", "spans": {}, "info": {"id": "cyner2_5class_train_04744", "source": "cyner2_5class_train"}} +{"text": "Once we reached the non-secured database , we were able to directly observe the app ’ s malicious behavior .", "spans": {}, "info": {"id": "cyner2_5class_train_04745", "source": "cyner2_5class_train"}} +{"text": "Threat actors used different websites to host different payloads at different times .", "spans": {}, "info": {"id": "cyner2_5class_train_04746", "source": "cyner2_5class_train"}} +{"text": "From the beginning of 2015, a malicious spear-phishing campaign dubbed Pony, has been actively luring victims.", "spans": {"Malware: Pony,": [[71, 76]]}, "info": {"id": "cyner2_5class_train_04747", "source": "cyner2_5class_train"}} +{"text": "Adups addressed the issue in a Nov. 16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam .", "spans": {"Organization: Adups": [[0, 5]], "Organization: BLU": [[89, 92]], "System: FOTA": [[136, 140]]}, "info": {"id": "cyner2_5class_train_04748", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Script W32/Trojan.EMGI-1028 Trojan.Win32.Banload.evocsm Troj.Downloader.Script!c TR/AD.Banload.jxcsg Trj/GdSda.A Win32/Trojan.Downloader.251", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Script": [[26, 49]], "Indicator: W32/Trojan.EMGI-1028": [[50, 70]], "Indicator: Trojan.Win32.Banload.evocsm": [[71, 98]], "Indicator: Troj.Downloader.Script!c": [[99, 123]], "Indicator: TR/AD.Banload.jxcsg": [[124, 143]], "Indicator: Trj/GdSda.A": [[144, 155]], "Indicator: Win32/Trojan.Downloader.251": [[156, 183]]}, "info": {"id": 
"cyner2_5class_train_04749", "source": "cyner2_5class_train"}} +{"text": "] pw/6 * * * * * 5 ” ( It .", "spans": {}, "info": {"id": "cyner2_5class_train_04750", "source": "cyner2_5class_train"}} +{"text": "When required , the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message .", "spans": {}, "info": {"id": "cyner2_5class_train_04751", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9866 Ransom.BTCware Win.Ransomware.BTCWare-6329927-0 Win32.Trojan-Ransom.BTCWare.E Trojan.Win32.Filecoder.eplmfi Trojan.Encoder.11958 BehavesLike.Win32.FDoSBEnergy.dh AdWare.ConvertAd.qjt Ransom.Filecoder/Variant Trojan/Win32.Ransom.R208332 Ransom.BTCWare Trj/GdSda.A Trojan.Win32.BTCWare.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9866": [[26, 68]], "Indicator: Ransom.BTCware": [[69, 83]], "Indicator: Win.Ransomware.BTCWare-6329927-0": [[84, 116]], "Indicator: Win32.Trojan-Ransom.BTCWare.E": [[117, 146]], "Indicator: Trojan.Win32.Filecoder.eplmfi": [[147, 176]], "Indicator: Trojan.Encoder.11958": [[177, 197]], "Indicator: BehavesLike.Win32.FDoSBEnergy.dh": [[198, 230]], "Indicator: AdWare.ConvertAd.qjt": [[231, 251]], "Indicator: Ransom.Filecoder/Variant": [[252, 276]], "Indicator: Trojan/Win32.Ransom.R208332": [[277, 304]], "Indicator: Ransom.BTCWare": [[305, 319]], "Indicator: Trj/GdSda.A": [[320, 331]], "Indicator: Trojan.Win32.BTCWare.a": [[332, 354]]}, "info": {"id": "cyner2_5class_train_04752", "source": "cyner2_5class_train"}} +{"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name “ Backup ” but uses the same DroidVPN logo .", "spans": {"Malware: HenBox": [[34, 40], [168, 174], [191, 197]], "Indicator: DroidVPN": [[74, 82], [249, 
257]]}, "info": {"id": "cyner2_5class_train_04753", "source": "cyner2_5class_train"}} +{"text": "It checks whether it is being run in an emulator before it starts its malicious activity .", "spans": {}, "info": {"id": "cyner2_5class_train_04754", "source": "cyner2_5class_train"}} +{"text": "File encryption utilized asymmetric Elliptic Curve Cryptography ECC with Curve SECT233R1 a.k.a. NIST B-233 using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key.", "spans": {"Malware: File encryption": [[0, 15]], "System: Elliptic Curve Cryptography ECC": [[36, 67]], "System: Curve SECT233R1": [[73, 88]], "System: NIST B-233": [[96, 106]], "System: Tiny-ECDH open source": [[117, 138]], "System: Salsa20 symmetric key.": [[172, 194]]}, "info": {"id": "cyner2_5class_train_04755", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.kmGfrjraeapm2 W32/Trojan-Gypikon-based.DM2!Ma BehavesLike.Win32.Downloader.cc W32/Trojan-Gypikon-based.DM2!Ma Trojan/Banker.Banker.zmm Worm:Win32/Xtrat.B!A BScope.Trojan-Spy.Zbot Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.kmGfrjraeapm2": [[26, 51]], "Indicator: W32/Trojan-Gypikon-based.DM2!Ma": [[52, 83], [116, 147]], "Indicator: BehavesLike.Win32.Downloader.cc": [[84, 115]], "Indicator: Trojan/Banker.Banker.zmm": [[148, 172]], "Indicator: Worm:Win32/Xtrat.B!A": [[173, 193]], "Indicator: BScope.Trojan-Spy.Zbot": [[194, 216]], "Indicator: Trj/GdSda.A": [[217, 228]]}, "info": {"id": "cyner2_5class_train_04756", "source": "cyner2_5class_train"}} +{"text": "The malicious application da.hao.pao.bin ( Chunghwa Post ) loads a library file libmsy.so used to execute the packed mycode.jar file .", "spans": {"Indicator: da.hao.pao.bin": [[26, 40]], "Organization: Chunghwa Post": [[43, 56]], "Indicator: libmsy.so": [[80, 89]], "Indicator: mycode.jar file": [[117, 132]]}, "info": {"id": "cyner2_5class_train_04757", "source": "cyner2_5class_train"}} +{"text": "An 
unknown threat actor is leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities.", "spans": {"System: Discord": [[81, 88]], "Malware: the PureCrypter downloader": [[103, 129]], "Organization: government entities.": [[142, 162]]}, "info": {"id": "cyner2_5class_train_04758", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DroxpesLTAN.Trojan Trojan.Qhost Trojan/Qhost.niv TROJ_SPNR.0BFE11 Win32.Trojan.Qhost.d W32/Trojan2.LITU Win32/Tnega.ATUN TROJ_SPNR.0BFE11 Win.Trojan.6761663-1 Trojan.BAT.Qhost.abp Trojan.Win32.KKQP3298.dkyjvz Trojan.Win32.Z.Qhost.33750 Troj.Bat.Qhost!c Trojan.Hosts.43761 BehavesLike.Win32.BadFile.nh Trojan-Dropper.Win32.StartPage W32/Trojan.KKQP-3298 TR/Qhost.mju.53 Trojan.BAT.Qhost.abp Trojan/Win32.Qhost.R77387 Trojan.BAT.Qhost Trj/CI.A BAT/Qhost.NTH Bat.Trojan.Qhost.Lnya Trojan.Comisproc!uAYBYZyFk6g Win32/Trojan.34d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DroxpesLTAN.Trojan": [[26, 48]], "Indicator: Trojan.Qhost": [[49, 61]], "Indicator: Trojan/Qhost.niv": [[62, 78]], "Indicator: TROJ_SPNR.0BFE11": [[79, 95], [151, 167]], "Indicator: Win32.Trojan.Qhost.d": [[96, 116]], "Indicator: W32/Trojan2.LITU": [[117, 133]], "Indicator: Win32/Tnega.ATUN": [[134, 150]], "Indicator: Win.Trojan.6761663-1": [[168, 188]], "Indicator: Trojan.BAT.Qhost.abp": [[189, 209], [399, 419]], "Indicator: Trojan.Win32.KKQP3298.dkyjvz": [[210, 238]], "Indicator: Trojan.Win32.Z.Qhost.33750": [[239, 265]], "Indicator: Troj.Bat.Qhost!c": [[266, 282]], "Indicator: Trojan.Hosts.43761": [[283, 301]], "Indicator: BehavesLike.Win32.BadFile.nh": [[302, 330]], "Indicator: Trojan-Dropper.Win32.StartPage": [[331, 361]], "Indicator: W32/Trojan.KKQP-3298": [[362, 382]], "Indicator: TR/Qhost.mju.53": [[383, 398]], "Indicator: Trojan/Win32.Qhost.R77387": [[420, 445]], "Indicator: Trojan.BAT.Qhost": [[446, 462]], "Indicator: Trj/CI.A": [[463, 471]], "Indicator: 
BAT/Qhost.NTH": [[472, 485]], "Indicator: Bat.Trojan.Qhost.Lnya": [[486, 507]], "Indicator: Trojan.Comisproc!uAYBYZyFk6g": [[508, 536]], "Indicator: Win32/Trojan.34d": [[537, 553]]}, "info": {"id": "cyner2_5class_train_04759", "source": "cyner2_5class_train"}} +{"text": "What Does SimBad Do ? ‘ SimBad ’ has capabilities that can be divided into three groups – Show Ads , Phishing , and Exposure to other applications .", "spans": {"Malware: SimBad": [[10, 16], [24, 30]]}, "info": {"id": "cyner2_5class_train_04760", "source": "cyner2_5class_train"}} +{"text": "In some versions of Asacub , strings in the app are encrypted using the same algorithm as data sent to C & C , but with different keys .", "spans": {"Malware: Asacub": [[20, 26]]}, "info": {"id": "cyner2_5class_train_04761", "source": "cyner2_5class_train"}} +{"text": "This threat actor is remarkable for two reasons : Its access to sophisticated zero-day exploits for Microsoft and Adobe software Its use of an advanced piece of government-grade surveillance spyware FinFisher , also known as FinSpy and detected by Microsoft security products as Wingbird FinFisher is such a complex piece of malware that , like other researchers , we had to devise special methods to crack it .", "spans": {"Organization: Microsoft": [[100, 109], [248, 257]], "Organization: Adobe": [[114, 119]], "Malware: FinFisher": [[199, 208], [288, 297]], "Malware: FinSpy": [[225, 231]], "Malware: Wingbird": [[279, 287]]}, "info": {"id": "cyner2_5class_train_04762", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VidemoY.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Trojan Win.Trojan.Bifrose-17928 Trojan.Win32.Bifrost.csybxh Troj.W32.Jorik.Arcdoor.bjr!c BackDoor.Bifrost.15005 Trojan.Inject.Win32.22484 Worm.Win32.Msil Trojan:MSIL/Harvbot.B TrojanDropper.Injector Trj/CI.A W32/Jorik_Arcdoor.BJR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VidemoY.Trojan": [[26, 44]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9988": [[45, 87]], "Indicator: Backdoor.Trojan": [[88, 103]], "Indicator: Win.Trojan.Bifrose-17928": [[104, 128]], "Indicator: Trojan.Win32.Bifrost.csybxh": [[129, 156]], "Indicator: Troj.W32.Jorik.Arcdoor.bjr!c": [[157, 185]], "Indicator: BackDoor.Bifrost.15005": [[186, 208]], "Indicator: Trojan.Inject.Win32.22484": [[209, 234]], "Indicator: Worm.Win32.Msil": [[235, 250]], "Indicator: Trojan:MSIL/Harvbot.B": [[251, 272]], "Indicator: TrojanDropper.Injector": [[273, 295]], "Indicator: Trj/CI.A": [[296, 304]], "Indicator: W32/Jorik_Arcdoor.BJR!tr": [[305, 329]]}, "info": {"id": "cyner2_5class_train_04763", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.FireCrypt.A3 Ransom.BleedGreen Ransom_BleedGreen.A Win32.Trojan.WisdomEyes.16070401.9500.9560 Ransom.FireCrypt Ransom_BleedGreen.A Trojan-Ransom.Win32.Crypmodadv.xee Trojan.Win32.Z.Ransom.18432.C[h] Trojan.Encoder.10088 Trojan.Crypmodadv.Win32.90 trojanspy.msil.neos.a W32/Trojan.RPJE-7166 Trojan.Crypmodadv.en TR/Dropper.MSIL.owdes MSIL/Filecoder.DZ!tr Trojan.Ransom.HiddenTears.1 Ransom:Win32/Firecrypt.A Trojan.Ransom.FireCrypt Win32.Trojan.Crypmodadv.Pbpb Trojan.Crypmodadv! 
Trojan.VB.Inject Atros4.BUNV Trj/GdSda.A Win32/Trojan.Ransom.786", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.FireCrypt.A3": [[26, 45]], "Indicator: Ransom.BleedGreen": [[46, 63]], "Indicator: Ransom_BleedGreen.A": [[64, 83], [144, 163]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9560": [[84, 126]], "Indicator: Ransom.FireCrypt": [[127, 143]], "Indicator: Trojan-Ransom.Win32.Crypmodadv.xee": [[164, 198]], "Indicator: Trojan.Win32.Z.Ransom.18432.C[h]": [[199, 231]], "Indicator: Trojan.Encoder.10088": [[232, 252]], "Indicator: Trojan.Crypmodadv.Win32.90": [[253, 279]], "Indicator: trojanspy.msil.neos.a": [[280, 301]], "Indicator: W32/Trojan.RPJE-7166": [[302, 322]], "Indicator: Trojan.Crypmodadv.en": [[323, 343]], "Indicator: TR/Dropper.MSIL.owdes": [[344, 365]], "Indicator: MSIL/Filecoder.DZ!tr": [[366, 386]], "Indicator: Trojan.Ransom.HiddenTears.1": [[387, 414]], "Indicator: Ransom:Win32/Firecrypt.A": [[415, 439]], "Indicator: Trojan.Ransom.FireCrypt": [[440, 463]], "Indicator: Win32.Trojan.Crypmodadv.Pbpb": [[464, 492]], "Indicator: Trojan.Crypmodadv!": [[493, 511]], "Indicator: Trojan.VB.Inject": [[512, 528]], "Indicator: Atros4.BUNV": [[529, 540]], "Indicator: Trj/GdSda.A": [[541, 552]], "Indicator: Win32/Trojan.Ransom.786": [[553, 576]]}, "info": {"id": "cyner2_5class_train_04764", "source": "cyner2_5class_train"}} +{"text": "SUSPECTED DETECTION TESTS BY THE THREAT ACTOR In searching for EventBot , we ’ ve identified multiple submissions from the same submitter hash , 22b3c7b0 : EventBot 22b3c7b0 submitter hash The 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal .", "spans": {"Malware: EventBot": [[63, 71], [156, 164], [244, 252]], "Indicator: 22b3c7b0": [[145, 153], [165, 173], [193, 201]]}, "info": {"id": "cyner2_5class_train_04765", "source": "cyner2_5class_train"}} +{"text": "We dubbed this campaign Operation Electric Powder", "spans": {}, "info": {"id": "cyner2_5class_train_04766", "source": 
"cyner2_5class_train"}} +{"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it .", "spans": {"Malware: Exodus One": [[50, 60]], "Indicator: mike.jar": [[211, 219]], "Malware: Exodus spyware": [[333, 347]], "Indicator: domain attiva.exodus.esurv.it": [[365, 394]], "Indicator: 212.47.242.236": [[414, 428]], "Indicator: domain server1cs.exodus.connexxa.it": [[505, 540]]}, "info": {"id": "cyner2_5class_train_04767", "source": "cyner2_5class_train"}} +{"text": "The original leak is no longer available on github.com , but a copy can be found here .", "spans": {}, "info": {"id": "cyner2_5class_train_04768", "source": "cyner2_5class_train"}} +{"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe .", "spans": {"Malware: Ghostpush": [[118, 127]], "Malware: MonkeyTest": [[130, 140]], "Malware: Xinyinhe": [[147, 155]]}, "info": {"id": "cyner2_5class_train_04769", "source": "cyner2_5class_train"}} +{"text": "The attack comes as an email containing a malicious Google Docs link.", "spans": {"Indicator: malicious Google Docs link.": [[42, 69]]}, "info": {"id": "cyner2_5class_train_04770", "source": "cyner2_5class_train"}} +{"text": "Even when a false flag might also be a possibility , we consider this to be unlikely .", "spans": {}, "info": {"id": "cyner2_5class_train_04771", "source": "cyner2_5class_train"}} +{"text": "Beginning in early 2008, Iranian security entities have engaged 
in operations to identify and arrest administrators of illicit websites and social media groups.", "spans": {"Organization: Iranian security entities": [[25, 50]], "Indicator: illicit websites": [[119, 135]]}, "info": {"id": "cyner2_5class_train_04772", "source": "cyner2_5class_train"}} +{"text": "The spear phishing emails had Myanmar political-themed lures and , if the 9002 C2 server responded , the Trojan sent system specific information along with the string “ jackhex ” .", "spans": {"Malware: 9002": [[74, 78]]}, "info": {"id": "cyner2_5class_train_04773", "source": "cyner2_5class_train"}} +{"text": "The Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance applications , the majority of which are European bank and crypto-currency exchange applications .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[49, 57]]}, "info": {"id": "cyner2_5class_train_04774", "source": "cyner2_5class_train"}} +{"text": "to eSurv S.R.L .", "spans": {"Organization: eSurv S.R.L .": [[3, 16]]}, "info": {"id": "cyner2_5class_train_04775", "source": "cyner2_5class_train"}} +{"text": "Musical Chairs is a multi-year campaign which recently deployed of new variant Gh0st we've named Piano Gh0st.", "spans": {"Malware: variant Gh0st": [[71, 84]], "Malware: Piano Gh0st.": [[97, 109]]}, "info": {"id": "cyner2_5class_train_04776", "source": "cyner2_5class_train"}} +{"text": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network.", "spans": {"Malware: Odinaff": [[0, 7]], "Indicator: attack,": [[55, 62]], "System: network,": [[91, 99]], "Malware: tools": [[170, 175]], "System: network.": [[192, 200]]}, "info": {"id": "cyner2_5class_train_04777", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 
W32/Trojan.VVLV-9156 MSIL.Packed.Kryptik.JH Trojan.Win32.Razy.exgpmg BehavesLike.Win32.Trojan.gc Trojan.Razy.D2685F Trojan/Win32.Randrew.C2365157 Trojan-Dropper.MSIL.Small Trj/CI.A Win32/Trojan.24d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[26, 68]], "Indicator: W32/Trojan.VVLV-9156": [[69, 89]], "Indicator: MSIL.Packed.Kryptik.JH": [[90, 112]], "Indicator: Trojan.Win32.Razy.exgpmg": [[113, 137]], "Indicator: BehavesLike.Win32.Trojan.gc": [[138, 165]], "Indicator: Trojan.Razy.D2685F": [[166, 184]], "Indicator: Trojan/Win32.Randrew.C2365157": [[185, 214]], "Indicator: Trojan-Dropper.MSIL.Small": [[215, 240]], "Indicator: Trj/CI.A": [[241, 249]], "Indicator: Win32/Trojan.24d": [[250, 266]]}, "info": {"id": "cyner2_5class_train_04778", "source": "cyner2_5class_train"}} +{"text": "Due to TrickMo ’ s persistence implementation mentioned earlier , this lockdown screen persists after a restart and is re-initiated every time the device becomes interactive .", "spans": {"Malware: TrickMo": [[7, 14]]}, "info": {"id": "cyner2_5class_train_04779", "source": "cyner2_5class_train"}} +{"text": "In the case of this spyware , search for app named TikTok Pro .", "spans": {"System: TikTok Pro": [[51, 61]]}, "info": {"id": "cyner2_5class_train_04780", "source": "cyner2_5class_train"}} +{"text": "For the purpose of this report we analyze here the Exodus One sample with hash 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 which communicated with the Command & Control server at 54.71.249.137 .", "spans": {"Malware: Exodus One": [[51, 61]], "Indicator: 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884": [[79, 143]], "Indicator: 54.71.249.137": [[200, 213]]}, "info": {"id": "cyner2_5class_train_04781", "source": "cyner2_5class_train"}} +{"text": "The payload will execute shell code to steal data from various applications .", "spans": {}, "info": {"id": "cyner2_5class_train_04782", "source": 
"cyner2_5class_train"}} +{"text": "Figure 5 – Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module .", "spans": {"Malware: Anubis": [[86, 92]]}, "info": {"id": "cyner2_5class_train_04783", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M_DLOADR.XTRQ W97M_DLOADR.XTRQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M_DLOADR.XTRQ": [[26, 42], [43, 59]]}, "info": {"id": "cyner2_5class_train_04784", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.DC9EF Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.QFDJ-7788 Backdoor.Trojan Trojan.DownLoader5.32593 Trojan.Small Win32.Troj.Disfa.cv.kcloud Backdoor:MSIL/Sootbot.B Trj/CI.A Win32.Trojan.Downloader.Dyzw BackDoor.WE!tr Win32/Trojan.018", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.DC9EF": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[44, 86]], "Indicator: W32/Trojan.QFDJ-7788": [[87, 107]], "Indicator: Backdoor.Trojan": [[108, 123]], "Indicator: Trojan.DownLoader5.32593": [[124, 148]], "Indicator: Trojan.Small": [[149, 161]], "Indicator: Win32.Troj.Disfa.cv.kcloud": [[162, 188]], "Indicator: Backdoor:MSIL/Sootbot.B": [[189, 212]], "Indicator: Trj/CI.A": [[213, 221]], "Indicator: Win32.Trojan.Downloader.Dyzw": [[222, 250]], "Indicator: BackDoor.WE!tr": [[251, 265]], "Indicator: Win32/Trojan.018": [[266, 282]]}, "info": {"id": "cyner2_5class_train_04785", "source": "cyner2_5class_train"}} +{"text": "This will be the trigger for the service to start the beaconing .", "spans": {}, "info": {"id": "cyner2_5class_train_04786", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packer.FSG.A Packer.FSG.A Downloader.WebDown.Win32.23 Troj.Downloader.W32.WebDown.10!c Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.BFIA TROJ_APHER.A Win.Trojan.Small-10534 Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Trojan.Win32.WebDown.buycqa 
Win32.Trojan-Downloader.Webdown.bfes Packer.FSG.A Trojan.DownLoader.2103 TROJ_APHER.A W32/Downloader.MUZI-7025 Trojan/Downloader.WebDown.10 Trojan/Win32.Unknown TrojanDownloader:Win32/Aphex.2_4 Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Win-Trojan/Apher.1312 Win32/TrojanDownloader.Apher.070 Trojan.DL.WebDown!Zgs3lnw1FbY Trojan-Downloader.Win32.WebDown Trj/Downloader.GE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packer.FSG.A": [[26, 38], [39, 51], [247, 259], [325, 337], [482, 494], [530, 542]], "Indicator: Downloader.WebDown.Win32.23": [[52, 79]], "Indicator: Troj.Downloader.W32.WebDown.10!c": [[80, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[113, 155]], "Indicator: W32/Downloader.BFIA": [[156, 175]], "Indicator: TROJ_APHER.A": [[176, 188], [361, 373]], "Indicator: Win.Trojan.Small-10534": [[189, 211]], "Indicator: Trojan-Downloader.Win32.WebDown.10": [[212, 246], [495, 529]], "Indicator: Trojan.Win32.WebDown.buycqa": [[260, 287]], "Indicator: Win32.Trojan-Downloader.Webdown.bfes": [[288, 324]], "Indicator: Trojan.DownLoader.2103": [[338, 360]], "Indicator: W32/Downloader.MUZI-7025": [[374, 398]], "Indicator: Trojan/Downloader.WebDown.10": [[399, 427]], "Indicator: Trojan/Win32.Unknown": [[428, 448]], "Indicator: TrojanDownloader:Win32/Aphex.2_4": [[449, 481]], "Indicator: Win-Trojan/Apher.1312": [[543, 564]], "Indicator: Win32/TrojanDownloader.Apher.070": [[565, 597]], "Indicator: Trojan.DL.WebDown!Zgs3lnw1FbY": [[598, 627]], "Indicator: Trojan-Downloader.Win32.WebDown": [[628, 659]], "Indicator: Trj/Downloader.GE": [[660, 677]]}, "info": {"id": "cyner2_5class_train_04787", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Multi Trojan.MalPack.VB Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Spy.Win32.SpyEyes.bdxs Trojan.Win32.Z.Fareitvb.933888 BehavesLike.Win32.BadFile.dh Trojan.VB.Crypt TR/Dropper.VB.dtffd Trojan[Spy]/Win32.SpyEyes 
Trojan-Spy.Win32.SpyEyes.bdxs Trojan/Win32.VBKrypt.R218990 Trj/GdSda.A Win32.Trojan.Inject.Auto Win32/Trojan.Spy.8cb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Trojan.MalPack.VB": [[39, 56]], "Indicator: Uds.Dangerousobject.Multi!c": [[57, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[85, 127]], "Indicator: Trojan-Spy.Win32.SpyEyes.bdxs": [[128, 157], [280, 309]], "Indicator: Trojan.Win32.Z.Fareitvb.933888": [[158, 188]], "Indicator: BehavesLike.Win32.BadFile.dh": [[189, 217]], "Indicator: Trojan.VB.Crypt": [[218, 233]], "Indicator: TR/Dropper.VB.dtffd": [[234, 253]], "Indicator: Trojan[Spy]/Win32.SpyEyes": [[254, 279]], "Indicator: Trojan/Win32.VBKrypt.R218990": [[310, 338]], "Indicator: Trj/GdSda.A": [[339, 350]], "Indicator: Win32.Trojan.Inject.Auto": [[351, 375]], "Indicator: Win32/Trojan.Spy.8cb": [[376, 396]]}, "info": {"id": "cyner2_5class_train_04788", "source": "cyner2_5class_train"}} +{"text": "Below is the list of all the commands catered by the C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_04789", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.StrictorCS.S483160 Trojan.Graftor.D21F45 Win32.Application.PUPStudio.A HEUR:Trojan.Win32.KillFiles Trojan.Win32.Drop.eaoavd Trojan.Win32.Z.Graftor.614400.AJ Trojan.MulDrop5.12779 Trojan.KillFiles.Win32.6511 W32/Trojan.XBKC-8948 TR/Graftor.905216.18 TrojanDownloader:Win32/WebToos.A HEUR:Trojan.Win32.KillFiles Trojan/Win32.Krap.R106509 TrojanDropper.Sysn Trj/CI.A Trojan.DownLoader! 
Win32/Trojan.0cb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.StrictorCS.S483160": [[26, 51]], "Indicator: Trojan.Graftor.D21F45": [[52, 73]], "Indicator: Win32.Application.PUPStudio.A": [[74, 103]], "Indicator: HEUR:Trojan.Win32.KillFiles": [[104, 131], [315, 342]], "Indicator: Trojan.Win32.Drop.eaoavd": [[132, 156]], "Indicator: Trojan.Win32.Z.Graftor.614400.AJ": [[157, 189]], "Indicator: Trojan.MulDrop5.12779": [[190, 211]], "Indicator: Trojan.KillFiles.Win32.6511": [[212, 239]], "Indicator: W32/Trojan.XBKC-8948": [[240, 260]], "Indicator: TR/Graftor.905216.18": [[261, 281]], "Indicator: TrojanDownloader:Win32/WebToos.A": [[282, 314]], "Indicator: Trojan/Win32.Krap.R106509": [[343, 368]], "Indicator: TrojanDropper.Sysn": [[369, 387]], "Indicator: Trj/CI.A": [[388, 396]], "Indicator: Trojan.DownLoader!": [[397, 415]], "Indicator: Win32/Trojan.0cb": [[416, 432]]}, "info": {"id": "cyner2_5class_train_04790", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor.Dande.52 Trojan.Dande.Win32.1 Trojan.Win32.Dande BDS/Dande.xihzl Trojan.Zusy.D3503B Win32/Dande.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor.Dande.52": [[26, 43]], "Indicator: Trojan.Dande.Win32.1": [[44, 64]], "Indicator: Trojan.Win32.Dande": [[65, 83]], "Indicator: BDS/Dande.xihzl": [[84, 99]], "Indicator: Trojan.Zusy.D3503B": [[100, 118]], "Indicator: Win32/Dande.A": [[119, 132]]}, "info": {"id": "cyner2_5class_train_04791", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandropper.Scrop TROJ_DROPPR.YYYJ Trojan-Dropper.Win32.Scrop.cxq Trojan.Win32.Autoit.euuwjs Troj.Dropper.W32.Scrop!c Trojan.DownLoader25.53180 TROJ_DROPPR.YYYJ Trojan.ECCW-6 TR/Autoit.wkswc Trojan[Exploit]/OLE.CVE-2014-6532 Trojan:O97M/Tanequalyn.A Trojan/Win32.AutoIt.C2019675 Win32.Trojan-dropper.Scrop.Pavt W32/Scrop.CO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandropper.Scrop": [[26, 45]], "Indicator: TROJ_DROPPR.YYYJ": 
[[46, 62], [172, 188]], "Indicator: Trojan-Dropper.Win32.Scrop.cxq": [[63, 93]], "Indicator: Trojan.Win32.Autoit.euuwjs": [[94, 120]], "Indicator: Troj.Dropper.W32.Scrop!c": [[121, 145]], "Indicator: Trojan.DownLoader25.53180": [[146, 171]], "Indicator: Trojan.ECCW-6": [[189, 202]], "Indicator: TR/Autoit.wkswc": [[203, 218]], "Indicator: Trojan[Exploit]/OLE.CVE-2014-6532": [[219, 252]], "Indicator: Trojan:O97M/Tanequalyn.A": [[253, 277]], "Indicator: Trojan/Win32.AutoIt.C2019675": [[278, 306]], "Indicator: Win32.Trojan-dropper.Scrop.Pavt": [[307, 338]], "Indicator: W32/Scrop.CO!tr": [[339, 354]]}, "info": {"id": "cyner2_5class_train_04792", "source": "cyner2_5class_train"}} +{"text": "Interestingly enough, Sourcefire was the only security vendor directly referenced in the Powershell script.", "spans": {"Organization: Sourcefire": [[22, 32]], "Organization: only security vendor": [[41, 61]], "Indicator: the Powershell script.": [[85, 107]]}, "info": {"id": "cyner2_5class_train_04793", "source": "cyner2_5class_train"}} +{"text": "This malware attempts to collect a user's online banking data and sends out information to a control server.", "spans": {"Malware: malware": [[5, 12]], "Indicator: collect a user's online banking data": [[25, 61]], "System: control server.": [[93, 108]]}, "info": {"id": "cyner2_5class_train_04794", "source": "cyner2_5class_train"}} +{"text": "This is what the spear phishing e-mail looked like : In regards to the message text above , multiple activist groups have recently organized a human rights conference event in Geneva .", "spans": {}, "info": {"id": "cyner2_5class_train_04795", "source": "cyner2_5class_train"}} +{"text": "Since the beginning of 2017, ESET researchers have been conducting an investigation into a complex threat mainly targeting Russia and Ukraine.", "spans": {"Organization: ESET researchers": [[29, 45]], "Malware: complex threat": [[91, 105]]}, "info": {"id": "cyner2_5class_train_04796", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: AdClicker-O.dr Trojan.Win32.Revop.nbqd W32/TrojanX.HJO Adware.Winpup TROJ_REVOP.A Trojan-Downloader.Win32.VB.ca Trojan.Win32.A.Revop.251830[h] TROJ_REVOP.A AdClicker-O.dr W32/Trojan.MQHB-1521 Win32/TrojanDownloader.VB.CA SPR/Commercials.1 Trojan/Win32.Revop Win32.Troj.Undef.kcloud TrojanDownloader:Win32/VB.CA TrojanDownloader.VB Trj/Multidropper.BJ Win32.Trojan.Revop.cxum Trojan-Downloader.Win32.VB.CA W32/REVOP.A!tr Downloader.VB.EC Trojan.Win32.VB.AhnP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AdClicker-O.dr": [[26, 40], [182, 196]], "Indicator: Trojan.Win32.Revop.nbqd": [[41, 64]], "Indicator: W32/TrojanX.HJO": [[65, 80]], "Indicator: Adware.Winpup": [[81, 94]], "Indicator: TROJ_REVOP.A": [[95, 107], [169, 181]], "Indicator: Trojan-Downloader.Win32.VB.ca": [[108, 137]], "Indicator: Trojan.Win32.A.Revop.251830[h]": [[138, 168]], "Indicator: W32/Trojan.MQHB-1521": [[197, 217]], "Indicator: Win32/TrojanDownloader.VB.CA": [[218, 246]], "Indicator: SPR/Commercials.1": [[247, 264]], "Indicator: Trojan/Win32.Revop": [[265, 283]], "Indicator: Win32.Troj.Undef.kcloud": [[284, 307]], "Indicator: TrojanDownloader:Win32/VB.CA": [[308, 336]], "Indicator: TrojanDownloader.VB": [[337, 356]], "Indicator: Trj/Multidropper.BJ": [[357, 376]], "Indicator: Win32.Trojan.Revop.cxum": [[377, 400]], "Indicator: Trojan-Downloader.Win32.VB.CA": [[401, 430]], "Indicator: W32/REVOP.A!tr": [[431, 445]], "Indicator: Downloader.VB.EC": [[446, 462]], "Indicator: Trojan.Win32.VB.AhnP": [[463, 483]]}, "info": {"id": "cyner2_5class_train_04797", "source": "cyner2_5class_train"}} +{"text": "Note that we later found versions that used the domain as a C2 directly instead of the IP address .", "spans": {}, "info": {"id": "cyner2_5class_train_04798", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-EDY.b Trojan.ExeDot.Win32.325 Trojan/ExeDot.cra Win32.Trojan.WisdomEyes.16070401.9500.9965 TROJ_EXEDOT.SMA 
Win.Trojan.Exedot-43 Trojan.Win32.ExeDot.dsmyq TrojWare.Win32.ExeDot.L TROJ_EXEDOT.SMA BackDoor-EDY.b Trojan/ExeDot.bs Trojan:Win32/Evadiped.A Trojan/Win32.Unknown Win32.Troj.ExeDot.kcloud Trojan.Heur.E8C832 Trojan:Win32/Evadiped.A Trojan/Win32.ExeDot.R4137 Trojan.ExeDot Trojan.BHO!WIw+XSz27Q8 Trojan.Win32.ExeDot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-EDY.b": [[26, 40], [229, 243]], "Indicator: Trojan.ExeDot.Win32.325": [[41, 64]], "Indicator: Trojan/ExeDot.cra": [[65, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[83, 125]], "Indicator: TROJ_EXEDOT.SMA": [[126, 141], [213, 228]], "Indicator: Win.Trojan.Exedot-43": [[142, 162]], "Indicator: Trojan.Win32.ExeDot.dsmyq": [[163, 188]], "Indicator: TrojWare.Win32.ExeDot.L": [[189, 212]], "Indicator: Trojan/ExeDot.bs": [[244, 260]], "Indicator: Trojan:Win32/Evadiped.A": [[261, 284], [350, 373]], "Indicator: Trojan/Win32.Unknown": [[285, 305]], "Indicator: Win32.Troj.ExeDot.kcloud": [[306, 330]], "Indicator: Trojan.Heur.E8C832": [[331, 349]], "Indicator: Trojan/Win32.ExeDot.R4137": [[374, 399]], "Indicator: Trojan.ExeDot": [[400, 413]], "Indicator: Trojan.BHO!WIw+XSz27Q8": [[414, 436]], "Indicator: Trojan.Win32.ExeDot": [[437, 456]]}, "info": {"id": "cyner2_5class_train_04799", "source": "cyner2_5class_train"}} +{"text": "The main goal of this malware is to steal banking credentials from the victim's device.", "spans": {"Malware: malware": [[22, 29]], "Indicator: steal banking credentials": [[36, 61]], "System: the victim's device.": [[67, 87]]}, "info": {"id": "cyner2_5class_train_04800", "source": "cyner2_5class_train"}} +{"text": "] 759383 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04801", "source": "cyner2_5class_train"}} +{"text": "So , users should beware of certain modified Android firmware .", "spans": {"System: Android": [[45, 52]]}, "info": {"id": "cyner2_5class_train_04802", "source": "cyner2_5class_train"}} +{"text": "Honkbox is an active threat with at 
least three variants and multiple components, some of which have not been previously documented.", "spans": {"Malware: Honkbox": [[0, 7]], "Malware: active threat": [[14, 27]], "Malware: variants": [[48, 56]]}, "info": {"id": "cyner2_5class_train_04803", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9985 Infostealer.Limitail TSPY_INFILOG.SM TSPY_INFILOG.SM TrojanSpy:MSIL/Grieftylo.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[26, 68]], "Indicator: Infostealer.Limitail": [[69, 89]], "Indicator: TSPY_INFILOG.SM": [[90, 105], [106, 121]], "Indicator: TrojanSpy:MSIL/Grieftylo.A": [[122, 148]]}, "info": {"id": "cyner2_5class_train_04804", "source": "cyner2_5class_train"}} +{"text": "The iOS and Android apps for Netflix are enormously popular , effectively turning a mobile device into a television with which users can stream full movies and TV programs anytime , anywhere .", "spans": {"System: iOS": [[4, 7]], "System: Android": [[12, 19]], "Organization: Netflix": [[29, 36]]}, "info": {"id": "cyner2_5class_train_04805", "source": "cyner2_5class_train"}} +{"text": "The actor responsible for this campaign utilized legitimate digital certificates to sign their tools and employed innovative techniques to cloak their command and control traffic.", "spans": {"Indicator: legitimate digital certificates to sign their tools": [[49, 100]]}, "info": {"id": "cyner2_5class_train_04806", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TonersyASC.Trojan Ransom/W32.Dcryptor.2415104 Ransom.Mambretor.A5 Trojan.Dcryptor.Win32.2 Troj.Ransom.W32.Dcryptor.toNk Trojan/Filecoder.DCryptor.b Win32.Trojan.WisdomEyes.16070401.9500.9975 W32/HDD_Cryptor.A!Eldorado Ransom.HDDCryptor Win.Ransomware.HDDCryptor-2 Win32.Trojan-Ransom.Mamba.A Trojan-Ransom.Win32.Dcryptor.b Trojan.Win32.Filecoder.elaurk Trojan.Win32.Z.Dcryptor.2415104 Tool.PassView.841 
Ransom_HDDCRYPTOR.SM Trojan-Ransom.Mamba W32/HDD_Cryptor.A!Eldorado Trojan.Dcryptor.a TR/FileCoder.rrsau Trojan[Ransom]/Win32.Blocker Trojan.Ransom.HDDCrypt.1 Trojan-Ransom.Win32.Dcryptor.b Ransom:Win32/Mambretor.A Trojan/Win32.Dcryptor.C1564580 Hoax.Dcryptor Ransom.HDDCryptor Trj/CI.A Win32/Filecoder.DCryptor.B Win32/Trojan.f14", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TonersyASC.Trojan": [[26, 47]], "Indicator: Ransom/W32.Dcryptor.2415104": [[48, 75]], "Indicator: Ransom.Mambretor.A5": [[76, 95]], "Indicator: Trojan.Dcryptor.Win32.2": [[96, 119]], "Indicator: Troj.Ransom.W32.Dcryptor.toNk": [[120, 149]], "Indicator: Trojan/Filecoder.DCryptor.b": [[150, 177]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[178, 220]], "Indicator: W32/HDD_Cryptor.A!Eldorado": [[221, 247], [474, 500]], "Indicator: Ransom.HDDCryptor": [[248, 265], [693, 710]], "Indicator: Win.Ransomware.HDDCryptor-2": [[266, 293]], "Indicator: Win32.Trojan-Ransom.Mamba.A": [[294, 321]], "Indicator: Trojan-Ransom.Win32.Dcryptor.b": [[322, 352], [592, 622]], "Indicator: Trojan.Win32.Filecoder.elaurk": [[353, 382]], "Indicator: Trojan.Win32.Z.Dcryptor.2415104": [[383, 414]], "Indicator: Tool.PassView.841": [[415, 432]], "Indicator: Ransom_HDDCRYPTOR.SM": [[433, 453]], "Indicator: Trojan-Ransom.Mamba": [[454, 473]], "Indicator: Trojan.Dcryptor.a": [[501, 518]], "Indicator: TR/FileCoder.rrsau": [[519, 537]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[538, 566]], "Indicator: Trojan.Ransom.HDDCrypt.1": [[567, 591]], "Indicator: Ransom:Win32/Mambretor.A": [[623, 647]], "Indicator: Trojan/Win32.Dcryptor.C1564580": [[648, 678]], "Indicator: Hoax.Dcryptor": [[679, 692]], "Indicator: Trj/CI.A": [[711, 719]], "Indicator: Win32/Filecoder.DCryptor.B": [[720, 746]], "Indicator: Win32/Trojan.f14": [[747, 763]]}, "info": {"id": "cyner2_5class_train_04807", "source": "cyner2_5class_train"}} +{"text": "The packer , besides making the static analysis more complex , will break the standard 
debugger .", "spans": {}, "info": {"id": "cyner2_5class_train_04808", "source": "cyner2_5class_train"}} +{"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 9002 , and Poison Ivy .", "spans": {"Malware: PlugX": [[112, 117]], "Malware: Zupdax": [[120, 126]], "Malware: 9002": [[129, 133]], "Malware: Poison Ivy": [[140, 150]]}, "info": {"id": "cyner2_5class_train_04809", "source": "cyner2_5class_train"}} +{"text": "Disturbingly , the malware establishes a rootkit on the device , allowing it to download and execute any code a cybercriminal would want to run on a device .", "spans": {}, "info": {"id": "cyner2_5class_train_04810", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DL.Banload!wDurcHh4EfA Spyware.Keylogger TROJ_BANLOAD.AET Win32.TRCrypt.Fkm PUA.Packed.PECompact-1 Trojan-Downloader.Win32.Banload.blpr Trojan-Spy.Win32.Bancos!IK Trojan.DownLoader3.52680 TROJ_BANLOAD.AET TrojanDownloader.Banload.awii Downloader/Win32.Banload TrojanDownloader.Banload.blmr Spyware.Keylogger!rem Trojan-Spy.Win32.Bancos W32/Banload.BLPR!tr.dldr Downloader.Banload.BKYW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DL.Banload!wDurcHh4EfA": [[26, 55]], "Indicator: Spyware.Keylogger": [[56, 73]], "Indicator: TROJ_BANLOAD.AET": [[74, 90], [221, 237]], "Indicator: Win32.TRCrypt.Fkm": [[91, 108]], "Indicator: PUA.Packed.PECompact-1": [[109, 131]], "Indicator: Trojan-Downloader.Win32.Banload.blpr": [[132, 168]], "Indicator: Trojan-Spy.Win32.Bancos!IK": [[169, 195]], "Indicator: Trojan.DownLoader3.52680": [[196, 220]], "Indicator: TrojanDownloader.Banload.awii": [[238, 267]], "Indicator: Downloader/Win32.Banload": [[268, 292]], "Indicator: TrojanDownloader.Banload.blmr": [[293, 322]], "Indicator: Spyware.Keylogger!rem": [[323, 344]], "Indicator: Trojan-Spy.Win32.Bancos": [[345, 368]], "Indicator: W32/Banload.BLPR!tr.dldr": [[369, 393]], "Indicator: 
Downloader.Banload.BKYW": [[394, 417]]}, "info": {"id": "cyner2_5class_train_04811", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pugeju Trojan.Win32.Crypt.raab TrojWare.Win32.Inject.~AT BehavesLike.Win32.PUPXAC.lm Trojan-GameThief.Win32.OnLineGames Trojan/Crypt.acz Trojan/Win32.Invader Trj/CI.A Win32/Obfuscated.NBX Win32/Trojan.be7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pugeju": [[26, 39]], "Indicator: Trojan.Win32.Crypt.raab": [[40, 63]], "Indicator: TrojWare.Win32.Inject.~AT": [[64, 89]], "Indicator: BehavesLike.Win32.PUPXAC.lm": [[90, 117]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[118, 152]], "Indicator: Trojan/Crypt.acz": [[153, 169]], "Indicator: Trojan/Win32.Invader": [[170, 190]], "Indicator: Trj/CI.A": [[191, 199]], "Indicator: Win32/Obfuscated.NBX": [[200, 220]], "Indicator: Win32/Trojan.be7": [[221, 237]]}, "info": {"id": "cyner2_5class_train_04812", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Beaugrit.S16628 Trojan/Spy.Shiz.ncd Win32.Trojan-Spy.Shiz.b Backdoor.Trojan HT_SIMDA_GA310E71.UVPM Trojan.Win32.Ibank.vuhyo TrojWare.Win32.Spy.Shiz.ZV Trojan.PWS.Ibank.373 Trojan.Shiz.Win32.571 HT_SIMDA_GA310E71.UVPM BehavesLike.Win32.Backdoor.fh TR/BAS.Dorkbot.20619344 Trojan.Zusy.Elzob.D21CE PWS:Win32/Simda.K Win32/Spy.Shiz.NCD TrojanSpy.Shiz!qC77/NFCWBg Backdoor.Win32.Simda W32/Shiz.NCD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Beaugrit.S16628": [[26, 48]], "Indicator: Trojan/Spy.Shiz.ncd": [[49, 68]], "Indicator: Win32.Trojan-Spy.Shiz.b": [[69, 92]], "Indicator: Backdoor.Trojan": [[93, 108]], "Indicator: HT_SIMDA_GA310E71.UVPM": [[109, 131], [227, 249]], "Indicator: Trojan.Win32.Ibank.vuhyo": [[132, 156]], "Indicator: TrojWare.Win32.Spy.Shiz.ZV": [[157, 183]], "Indicator: Trojan.PWS.Ibank.373": [[184, 204]], "Indicator: Trojan.Shiz.Win32.571": [[205, 226]], "Indicator: BehavesLike.Win32.Backdoor.fh": [[250, 279]], "Indicator: 
TR/BAS.Dorkbot.20619344": [[280, 303]], "Indicator: Trojan.Zusy.Elzob.D21CE": [[304, 327]], "Indicator: PWS:Win32/Simda.K": [[328, 345]], "Indicator: Win32/Spy.Shiz.NCD": [[346, 364]], "Indicator: TrojanSpy.Shiz!qC77/NFCWBg": [[365, 391]], "Indicator: Backdoor.Win32.Simda": [[392, 412]], "Indicator: W32/Shiz.NCD!tr": [[413, 428]]}, "info": {"id": "cyner2_5class_train_04813", "source": "cyner2_5class_train"}} +{"text": "The cause for this uptick appears due to widespread WordPress site compromises.", "spans": {"Indicator: WordPress site compromises.": [[52, 79]]}, "info": {"id": "cyner2_5class_train_04814", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodfd4.Trojan.50bd Spyware.PasswordStealer TROJ_FRS.0NA000J416 TROJ_FRS.0NA000J416 Trojan.Win32.Z.Securityxploded.418304[h] BehavesLike.Win32.PWSZbot.gh W32/Trojan.ZJJQ-6216 Unwanted/Win32.Passview.C1588969 Riskware.Win32.PassDumper Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodfd4.Trojan.50bd": [[26, 49]], "Indicator: Spyware.PasswordStealer": [[50, 73]], "Indicator: TROJ_FRS.0NA000J416": [[74, 93], [94, 113]], "Indicator: Trojan.Win32.Z.Securityxploded.418304[h]": [[114, 154]], "Indicator: BehavesLike.Win32.PWSZbot.gh": [[155, 183]], "Indicator: W32/Trojan.ZJJQ-6216": [[184, 204]], "Indicator: Unwanted/Win32.Passview.C1588969": [[205, 237]], "Indicator: Riskware.Win32.PassDumper": [[238, 263]], "Indicator: Trj/GdSda.A": [[264, 275]]}, "info": {"id": "cyner2_5class_train_04815", "source": "cyner2_5class_train"}} +{"text": "This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days .", "spans": {"System: Android": [[24, 31]]}, "info": {"id": "cyner2_5class_train_04816", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Cloda21.Trojan.c461 DLoader.QYW Win32/SillyDl.ACS Trojan.Win32.A.Downloader.146388 Trojan.DownLoader.6702 
BehavesLike.Win32.Downloader.cm TrojanDownloader:Win32/Pusrac.A Trojan.Win32.Downloader.AE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Cloda21.Trojan.c461": [[26, 49]], "Indicator: DLoader.QYW": [[50, 61]], "Indicator: Win32/SillyDl.ACS": [[62, 79]], "Indicator: Trojan.Win32.A.Downloader.146388": [[80, 112]], "Indicator: Trojan.DownLoader.6702": [[113, 135]], "Indicator: BehavesLike.Win32.Downloader.cm": [[136, 167]], "Indicator: TrojanDownloader:Win32/Pusrac.A": [[168, 199]], "Indicator: Trojan.Win32.Downloader.AE": [[200, 226]]}, "info": {"id": "cyner2_5class_train_04817", "source": "cyner2_5class_train"}} +{"text": "Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package APK named Попр-Д30.apk' which contained a number of Russian language artifacts that were military in nature.", "spans": {"Organization: CrowdStrike Intelligence analysts": [[28, 61]], "System: Android Package APK": [[92, 111]], "Malware: Попр-Д30.apk'": [[118, 131]], "Indicator: Russian language artifacts that were military in nature.": [[160, 216]]}, "info": {"id": "cyner2_5class_train_04818", "source": "cyner2_5class_train"}} +{"text": "This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.", "spans": {"Malware: malware": [[5, 12]], "System: internal networks": [[44, 61]], "Indicator: compromised devices": [[68, 87]], "System: device": [[127, 133]], "System: company networks.": [[156, 173]]}, "info": {"id": "cyner2_5class_train_04819", "source": "cyner2_5class_train"}} +{"text": "In some samples , starting from January 2016 , an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder .", "spans": {}, "info": {"id": "cyner2_5class_train_04820", "source": "cyner2_5class_train"}} +{"text": "Combining timebombs , dynamic code loading , and use of reflection to 
complicate reverse engineering of the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_04821", "source": "cyner2_5class_train"}} +{"text": "The Trojan may perform a man-in-the-middle MitM attack on the browser installed on the compromised computer.", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: a man-in-the-middle MitM attack": [[23, 54]], "System: the browser": [[58, 69]], "System: the compromised computer.": [[83, 108]]}, "info": {"id": "cyner2_5class_train_04822", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9670 Backdoor.Felismus Trojan/Win32.Skeeyah.C1905486 Trj/GdSda.A Trojan.Win32.Tomyjery", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9670": [[26, 68]], "Indicator: Backdoor.Felismus": [[69, 86]], "Indicator: Trojan/Win32.Skeeyah.C1905486": [[87, 116]], "Indicator: Trj/GdSda.A": [[117, 128]], "Indicator: Trojan.Win32.Tomyjery": [[129, 150]]}, "info": {"id": "cyner2_5class_train_04823", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.VBKrypt.208896.AN Trojan.Win32.VBKrypt!O WORM_VOBFUS.SMIA Trojan.Packed.21297 WORM_VOBFUS.SMIA Trojan.Barys.266 Trojan/Win32.VBKrypt.R2844 Worm.Win32.Vobfus", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.VBKrypt.208896.AN": [[26, 54]], "Indicator: Trojan.Win32.VBKrypt!O": [[55, 77]], "Indicator: WORM_VOBFUS.SMIA": [[78, 94], [115, 131]], "Indicator: Trojan.Packed.21297": [[95, 114]], "Indicator: Trojan.Barys.266": [[132, 148]], "Indicator: Trojan/Win32.VBKrypt.R2844": [[149, 175]], "Indicator: Worm.Win32.Vobfus": [[176, 193]]}, "info": {"id": "cyner2_5class_train_04824", "source": "cyner2_5class_train"}} +{"text": "Beginning in July 2015 and possibly earlier, the attack continued into August and is currently ongoing.", "spans": {}, "info": {"id": "cyner2_5class_train_04825", "source": "cyner2_5class_train"}} +{"text": "This mistake in operational 
security allowed us to gain visibility into exfiltrated content for a number of devices .", "spans": {}, "info": {"id": "cyner2_5class_train_04826", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Constructor.Macro.Ultras.A Constructor.Win32.Ultras.10!O WM/Uck.kit Constructor.W32.Ultras!c Trojan/Constructor.Ultras.10.a Trojan.Constructor.Macro.Ultras.A Ultras.Kit Win.Tool.Macro-8 Trojan.Constructor.Macro.Ultras.A Constructor.Win32.Ultras.10.a Trojan.Constructor.Macro.Ultras.A Riskware.Win32.Ultras-10.hpwc Trojan.Constructor.Macro.Ultras.A Constructor.Macro.Ultras.A Trojan.Constructor.Macro.Ultras.A VirusConstructor.Ultras.2 Tool.Ultras.Win32.1 WM/Uck.kit W32/Tool.QHJM-3031 Constructor.Macro.Ultras.10 TR/ConKit.UltrasUck Constructor.Win32.Ultras.10.a HackTool/Win32.Constructor.C218755 Trojan.Constructor.Macro.Ultras.A Constructor.Ultras Win32.Trojan.Ultras.Pegg Constructor.Win32.Ultras Win32/Trojan.5bd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Constructor.Macro.Ultras.A": [[26, 59], [157, 190], [219, 252], [283, 316], [347, 380], [408, 441], [631, 664]], "Indicator: Constructor.Win32.Ultras.10!O": [[60, 89]], "Indicator: WM/Uck.kit": [[90, 100], [488, 498]], "Indicator: Constructor.W32.Ultras!c": [[101, 125]], "Indicator: Trojan/Constructor.Ultras.10.a": [[126, 156]], "Indicator: Ultras.Kit": [[191, 201]], "Indicator: Win.Tool.Macro-8": [[202, 218]], "Indicator: Constructor.Win32.Ultras.10.a": [[253, 282], [566, 595]], "Indicator: Riskware.Win32.Ultras-10.hpwc": [[317, 346]], "Indicator: Constructor.Macro.Ultras.A": [[381, 407]], "Indicator: VirusConstructor.Ultras.2": [[442, 467]], "Indicator: Tool.Ultras.Win32.1": [[468, 487]], "Indicator: W32/Tool.QHJM-3031": [[499, 517]], "Indicator: Constructor.Macro.Ultras.10": [[518, 545]], "Indicator: TR/ConKit.UltrasUck": [[546, 565]], "Indicator: HackTool/Win32.Constructor.C218755": [[596, 630]], "Indicator: Constructor.Ultras": [[665, 683]], "Indicator: 
Win32.Trojan.Ultras.Pegg": [[684, 708]], "Indicator: Constructor.Win32.Ultras": [[709, 733]], "Indicator: Win32/Trojan.5bd": [[734, 750]]}, "info": {"id": "cyner2_5class_train_04827", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Stration.D Win32.Worm.Stration.D Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Worm.Stration.D Email-Worm.Win32.Warezov.k Win32.Worm.Stration.D Win32.Worm.Stration.D Heur.Packed.Unknown Win32.Worm.Stration.D Win32.HLLM.Limar Backdoor.Win32.IRCBot Trojan:Win32/Stration.K Win32.Worm.Stration.D Email-Worm.Win32.Warezov.k", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Stration.D": [[26, 47], [48, 69], [113, 134], [162, 183], [184, 205], [226, 247], [311, 332]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[70, 112]], "Indicator: Email-Worm.Win32.Warezov.k": [[135, 161], [333, 359]], "Indicator: Heur.Packed.Unknown": [[206, 225]], "Indicator: Win32.HLLM.Limar": [[248, 264]], "Indicator: Backdoor.Win32.IRCBot": [[265, 286]], "Indicator: Trojan:Win32/Stration.K": [[287, 310]]}, "info": {"id": "cyner2_5class_train_04828", "source": "cyner2_5class_train"}} +{"text": "Recently, we detected Carbanak campaigns attempting to:Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. 
and Europe ,Spear-phishing emails delivering URLs, macro documents, exploit documents,Use of Spy.Sekur Carbanak malware and commodity remote access Trojans RATs such as jRAT, Netwire, Cybergate and others used in support of operations.", "spans": {"Organization: high level executives in financial companies": [[62, 106]], "Organization: financial/decision-making roles": [[113, 144]], "Indicator: ,Spear-phishing emails delivering URLs, macro documents, exploit documents,Use": [[181, 259]], "Malware: Spy.Sekur Carbanak malware": [[263, 289]], "Malware: commodity remote access Trojans RATs": [[294, 330]], "Malware: jRAT, Netwire, Cybergate": [[339, 363]]}, "info": {"id": "cyner2_5class_train_04829", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.QueryexXAAF.Worm Application.Hacktool.AW Worm.Win32.Zombaque!O Worm.Zombaque.A3 WORM_BIZOME.SMD W32.Spybot.Worm Win32/Zombaque.A WORM_BIZOME.SMD Win.Worm.Zombaque-12 Application.Hacktool.AW Worm.Win32.Zombaque.a Application.Hacktool.AW Trojan.Win32.Zombaque.bzuxu Worm.Win32.Zombaque.318464.A Application.Hacktool.AW Application.Hacktool.AW Win32.HLLW.RAhack Worm.Zombaque.Win32.2 BehavesLike.Win32.Sality.fc Worm.Win32.Zombaque Worm/Zombaque.l Worm/Win32.Zombaque Worm:Win32/Zombaque.A Application.Hacktool.AW Worm.Win32.Zombaque.a Worm/Win32.Zombaque.R3338 Worm.Zombaque Win32/Zombaque.A Worm.Win32.Zombaque.a Worm.Zombaque!23w9coTlBlo W32/Zombaque.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.QueryexXAAF.Worm": [[26, 46]], "Indicator: Application.Hacktool.AW": [[47, 70], [196, 219], [242, 265], [323, 346], [347, 370], [517, 540]], "Indicator: Worm.Win32.Zombaque!O": [[71, 92]], "Indicator: Worm.Zombaque.A3": [[93, 109]], "Indicator: WORM_BIZOME.SMD": [[110, 125], [159, 174]], "Indicator: W32.Spybot.Worm": [[126, 141]], "Indicator: Win32/Zombaque.A": [[142, 158], [603, 619]], "Indicator: Win.Worm.Zombaque-12": [[175, 195]], "Indicator: Worm.Win32.Zombaque.a": [[220, 241], [541, 562], 
[620, 641]], "Indicator: Trojan.Win32.Zombaque.bzuxu": [[266, 293]], "Indicator: Worm.Win32.Zombaque.318464.A": [[294, 322]], "Indicator: Win32.HLLW.RAhack": [[371, 388]], "Indicator: Worm.Zombaque.Win32.2": [[389, 410]], "Indicator: BehavesLike.Win32.Sality.fc": [[411, 438]], "Indicator: Worm.Win32.Zombaque": [[439, 458]], "Indicator: Worm/Zombaque.l": [[459, 474]], "Indicator: Worm/Win32.Zombaque": [[475, 494]], "Indicator: Worm:Win32/Zombaque.A": [[495, 516]], "Indicator: Worm/Win32.Zombaque.R3338": [[563, 588]], "Indicator: Worm.Zombaque": [[589, 602]], "Indicator: Worm.Zombaque!23w9coTlBlo": [[642, 667]], "Indicator: W32/Zombaque.A.worm": [[668, 687]]}, "info": {"id": "cyner2_5class_train_04830", "source": "cyner2_5class_train"}} +{"text": "Figure 12 .", "spans": {}, "info": {"id": "cyner2_5class_train_04831", "source": "cyner2_5class_train"}} +{"text": "VERSIONING Bread has also leveraged an abuse tactic unique to app stores : versioning .", "spans": {"Malware: Bread": [[11, 16]]}, "info": {"id": "cyner2_5class_train_04832", "source": "cyner2_5class_train"}} +{"text": "In a quick Google search you can find practically anything you need to know.", "spans": {}, "info": {"id": "cyner2_5class_train_04833", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Wdfload.89 Trojan.Win64.Wdfload Trojan.Wdfload.cqq TR/Wdfload.slana Trojan/Win64.Wdfload Trojan/Win64.Wdfload.C2364123 Trj/CI.A W32/Wdfload.AA!tr Win32/Trojan.bfd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Wdfload.89": [[26, 43]], "Indicator: Trojan.Win64.Wdfload": [[44, 64]], "Indicator: Trojan.Wdfload.cqq": [[65, 83]], "Indicator: TR/Wdfload.slana": [[84, 100]], "Indicator: Trojan/Win64.Wdfload": [[101, 121]], "Indicator: Trojan/Win64.Wdfload.C2364123": [[122, 151]], "Indicator: Trj/CI.A": [[152, 160]], "Indicator: W32/Wdfload.AA!tr": [[161, 178]], "Indicator: Win32/Trojan.bfd": [[179, 195]]}, "info": {"id": "cyner2_5class_train_04834", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader Win32.Trojan.WisdomEyes.16070401.9500.9691 Trojan-Downloader.Win32.Injecter.vxy BehavesLike.Win32.PWSZbot.fc W32/Trojan.SBIX-6310 Trojan.Heur.TP.E5F612 Trojan-Downloader.Win32.Injecter.vxy Trj/CI.A Win32/Trojan.03f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9691": [[44, 86]], "Indicator: Trojan-Downloader.Win32.Injecter.vxy": [[87, 123], [196, 232]], "Indicator: BehavesLike.Win32.PWSZbot.fc": [[124, 152]], "Indicator: W32/Trojan.SBIX-6310": [[153, 173]], "Indicator: Trojan.Heur.TP.E5F612": [[174, 195]], "Indicator: Trj/CI.A": [[233, 241]], "Indicator: Win32/Trojan.03f": [[242, 258]]}, "info": {"id": "cyner2_5class_train_04835", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pandex Heur.Packed.Unknown Trojan.DownLoad.3750 Heuristic.LooksLike.Win32.Morphine.I VirTool:Win32/Obfuscator.EK Voronezh.1600.A Packed.Morphine.C Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pandex": [[26, 39]], "Indicator: Heur.Packed.Unknown": [[40, 59]], "Indicator: Trojan.DownLoad.3750": [[60, 80]], "Indicator: Heuristic.LooksLike.Win32.Morphine.I": [[81, 117]], "Indicator: VirTool:Win32/Obfuscator.EK": [[118, 145]], "Indicator: Voronezh.1600.A": [[146, 161]], "Indicator: Packed.Morphine.C": [[162, 179]], "Indicator: Trj/CI.A": [[180, 188]]}, "info": {"id": "cyner2_5class_train_04836", "source": "cyner2_5class_train"}} +{"text": "The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient.", "spans": {"Indicator: CVE-2017-0199": [[31, 44]], "Vulnerability: Microsoft Word Office/WordPad Remote Code Execution Vulnerability": [[45, 110]]}, "info": {"id": "cyner2_5class_train_04837", "source": "cyner2_5class_train"}} +{"text": "The first stage 
would be a malicious link within the e-mail or attachment, containing malicious code, in this case Pony.", "spans": {"Indicator: malicious link": [[27, 41]], "Indicator: e-mail": [[53, 59]], "Indicator: attachment, containing malicious code,": [[63, 101]], "Malware: Pony.": [[115, 120]]}, "info": {"id": "cyner2_5class_train_04838", "source": "cyner2_5class_train"}} +{"text": "Mobile app creators are often looking for ways to monetize their software.", "spans": {"Organization: Mobile app creators": [[0, 19]], "System: software.": [[65, 74]]}, "info": {"id": "cyner2_5class_train_04839", "source": "cyner2_5class_train"}} +{"text": "The attackers deliver malware through topically titled spearphises, for example Energy_Data_Meeting_fall_2016.", "spans": {"Indicator: spearphises,": [[55, 67]], "Indicator: Energy_Data_Meeting_fall_2016.": [[80, 110]]}, "info": {"id": "cyner2_5class_train_04840", "source": "cyner2_5class_train"}} +{"text": "The source code for Linux.Mirai bot was released a few weeks ago.", "spans": {"Indicator: Linux.Mirai": [[20, 31]], "Malware: bot": [[32, 35]]}, "info": {"id": "cyner2_5class_train_04841", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D27EA8 Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Expiro.hc Trojan.Win32.Scar TrojanDropper:Win32/Binko.A W32/Cbot.NCN!tr.bdr Win32/Trojan.Dropper.007", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D27EA8": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[48, 90]], "Indicator: BehavesLike.Win32.Expiro.hc": [[91, 118]], "Indicator: Trojan.Win32.Scar": [[119, 136]], "Indicator: TrojanDropper:Win32/Binko.A": [[137, 164]], "Indicator: W32/Cbot.NCN!tr.bdr": [[165, 184]], "Indicator: Win32/Trojan.Dropper.007": [[185, 209]]}, "info": {"id": "cyner2_5class_train_04842", "source": "cyner2_5class_train"}} +{"text": "The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and 
Control C2 to deliver a secondary payload.", "spans": {"Indicator: domain": [[34, 40]], "Indicator: compromised": [[46, 57]], "Organization: non-profit organization": [[58, 81]], "Indicator: Command and Control C2": [[87, 109]], "Malware: secondary payload.": [[123, 141]]}, "info": {"id": "cyner2_5class_train_04843", "source": "cyner2_5class_train"}} +{"text": "Despite recent progress, the country is subject to ongoing conflict with ethnic rebels and an ongoing civil war.", "spans": {}, "info": {"id": "cyner2_5class_train_04844", "source": "cyner2_5class_train"}} +{"text": "The code snippet below shows part of the screen parsing process .", "spans": {}, "info": {"id": "cyner2_5class_train_04845", "source": "cyner2_5class_train"}} +{"text": "This data , when analyzed with the number of commands to send SMSs that Talos received during the investigation , lead us to conclude that the malicious operator is aggressively spreading the malware , but that does n't seem to result in the same number of new infections .", "spans": {}, "info": {"id": "cyner2_5class_train_04846", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Bancodor.482816 Backdoor/Bancodor.b BKDR_BADCODOR.A W32/Bancodor.C@bd Backdoor.Badcodor Win32/PSWSpider.G BKDR_BADCODOR.A Win.Trojan.Bancodor-22 Backdoor.Win32.Bancodor.b Trojan.Win32.Bancodor.fzet Backdoor.Win32.A.Bancodor.455260 Backdoor.Win32.Bancodor.~B Trojan.Bancdo Backdoor.Bancodor.Win32.150 W32/Bancodor.NOXQ-3353 Backdoor/Bancodor.b BDS/Badcodor.B.6 Trojan[Backdoor]/Win32.Bancodor Win32.Hack.Bancodor.b.kcloud Backdoor:Win32/Badcodor.B Backdoor.W32.Bancodor.b!c Backdoor.Win32.Bancodor.b Backdoor/Win32.Bancodor.R145952 Backdoor.Bancodor Win32/Bancodor.B Backdoor.Badcodor.A Backdoor.Win32.Bancodor Bck/Bancodor.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Bancodor.482816": [[26, 54]], "Indicator: Backdoor/Bancodor.b": [[55, 74], [362, 381]], "Indicator: BKDR_BADCODOR.A": [[75, 90], [145, 
160]], "Indicator: W32/Bancodor.C@bd": [[91, 108]], "Indicator: Backdoor.Badcodor": [[109, 126]], "Indicator: Win32/PSWSpider.G": [[127, 144]], "Indicator: Win.Trojan.Bancodor-22": [[161, 183]], "Indicator: Backdoor.Win32.Bancodor.b": [[184, 209], [512, 537]], "Indicator: Trojan.Win32.Bancodor.fzet": [[210, 236]], "Indicator: Backdoor.Win32.A.Bancodor.455260": [[237, 269]], "Indicator: Backdoor.Win32.Bancodor.~B": [[270, 296]], "Indicator: Trojan.Bancdo": [[297, 310]], "Indicator: Backdoor.Bancodor.Win32.150": [[311, 338]], "Indicator: W32/Bancodor.NOXQ-3353": [[339, 361]], "Indicator: BDS/Badcodor.B.6": [[382, 398]], "Indicator: Trojan[Backdoor]/Win32.Bancodor": [[399, 430]], "Indicator: Win32.Hack.Bancodor.b.kcloud": [[431, 459]], "Indicator: Backdoor:Win32/Badcodor.B": [[460, 485]], "Indicator: Backdoor.W32.Bancodor.b!c": [[486, 511]], "Indicator: Backdoor/Win32.Bancodor.R145952": [[538, 569]], "Indicator: Backdoor.Bancodor": [[570, 587]], "Indicator: Win32/Bancodor.B": [[588, 604]], "Indicator: Backdoor.Badcodor.A": [[605, 624]], "Indicator: Backdoor.Win32.Bancodor": [[625, 648]], "Indicator: Bck/Bancodor.I": [[649, 663]]}, "info": {"id": "cyner2_5class_train_04847", "source": "cyner2_5class_train"}} +{"text": "The Trojan drops a PowerPoint presentation that contains details about the 2nd Myanmar Industrial Human Resource Development Symposium.", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: PowerPoint presentation": [[19, 42]], "Indicator: details": [[57, 64]], "Indicator: 2nd Myanmar Industrial Human Resource Development Symposium.": [[75, 135]]}, "info": {"id": "cyner2_5class_train_04848", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Rincux.AV Trojan.Rincux.AV Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_DLOAD.KKK Trojan.Rincux.AV Trojan.Rincux.AV BackDoor.Attack.594 TROJ_DLOAD.KKK Backdoor/Ceckno.awl W32/Downloader.L Trojan.Rincux.AV Trojan.Rincux.AV Backdoor.Ceckno!6jtmdMg8Vqs Virus.Win32.Small", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Rincux.AV": [[26, 42], [43, 59], [118, 134], [135, 151], [224, 240], [241, 257]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[60, 102]], "Indicator: TROJ_DLOAD.KKK": [[103, 117], [172, 186]], "Indicator: BackDoor.Attack.594": [[152, 171]], "Indicator: Backdoor/Ceckno.awl": [[187, 206]], "Indicator: W32/Downloader.L": [[207, 223]], "Indicator: Backdoor.Ceckno!6jtmdMg8Vqs": [[258, 285]], "Indicator: Virus.Win32.Small": [[286, 303]]}, "info": {"id": "cyner2_5class_train_04849", "source": "cyner2_5class_train"}} +{"text": "Recently, TrendMicro uncovered a new cyber-espionage attack by a well-funded and organized group targeting companies close to governments and in key industries mostly in Asia.", "spans": {"Organization: TrendMicro": [[10, 20]], "Indicator: cyber-espionage attack": [[37, 59]], "Organization: companies": [[107, 116]], "Organization: governments": [[126, 137]], "Organization: industries": [[149, 159]]}, "info": {"id": "cyner2_5class_train_04850", "source": "cyner2_5class_train"}} +{"text": "The sample has a multicomponent structure and can download a payload or updates from its C & C server , which happens to be an FTP server belonging to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner2_5class_train_04851", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/AutoRun.Delf.RF Trojan.Win32.Autoruner2.czfwpa Win32.HLLW.Autoruner2.13746 BehavesLike.Win32.Dropper.dc Trojan.Graftor.D22611 Worm:Win32/Kerm.A Worm/Win32.AutoRun.C332941 Win32.Worm.Autorun.Wted Worm.Win32.Kerm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/AutoRun.Delf.RF": [[26, 47]], "Indicator: Trojan.Win32.Autoruner2.czfwpa": [[48, 78]], "Indicator: Win32.HLLW.Autoruner2.13746": [[79, 106]], "Indicator: BehavesLike.Win32.Dropper.dc": [[107, 135]], "Indicator: Trojan.Graftor.D22611": [[136, 157]], "Indicator: Worm:Win32/Kerm.A": [[158, 175]], "Indicator: 
Worm/Win32.AutoRun.C332941": [[176, 202]], "Indicator: Win32.Worm.Autorun.Wted": [[203, 226]], "Indicator: Worm.Win32.Kerm": [[227, 242]]}, "info": {"id": "cyner2_5class_train_04852", "source": "cyner2_5class_train"}} +{"text": "The Trojans designed to steal money from bank accounts pose a serious threat to Android users.", "spans": {"Malware: Trojans": [[4, 11]], "Indicator: steal money": [[24, 35]], "Organization: bank accounts": [[41, 54]], "Indicator: serious threat": [[62, 76]], "System: Android users.": [[80, 94]]}, "info": {"id": "cyner2_5class_train_04853", "source": "cyner2_5class_train"}} +{"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , remount and removeroot .", "spans": {"Indicator: port 6200": [[30, 39], [421, 430]]}, "info": {"id": "cyner2_5class_train_04854", "source": "cyner2_5class_train"}} +{"text": "In this case , we can see that the HTML code of the overlay is stored in the C2 infrastructure .", "spans": {}, "info": {"id": "cyner2_5class_train_04855", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D10C13 Trojan-Downloader.Win32.Sysdrop.am Trojan.Win32.Z.Sysdrop.598528 Troj.Downloader.W32!c Trojan.DownLoader22.41648 Adware.BrowseFox.Win32.397064 W32/Trojan.VFXM-3248 TrojanDownloader.Sysdrop.h BDS/Ananlog.okrph Trojan[Downloader]/Win32.Sysdrop Backdoor:Win32/Ananlog.A Trojan-Downloader.Win32.Sysdrop.am Trj/GdSda.A Win32.Trojan-downloader.Sysdrop.Eok Trojan.DL.Sysdrop! 
Win32/Backdoor.773", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D10C13": [[26, 44]], "Indicator: Trojan-Downloader.Win32.Sysdrop.am": [[45, 79], [312, 346]], "Indicator: Trojan.Win32.Z.Sysdrop.598528": [[80, 109]], "Indicator: Troj.Downloader.W32!c": [[110, 131]], "Indicator: Trojan.DownLoader22.41648": [[132, 157]], "Indicator: Adware.BrowseFox.Win32.397064": [[158, 187]], "Indicator: W32/Trojan.VFXM-3248": [[188, 208]], "Indicator: TrojanDownloader.Sysdrop.h": [[209, 235]], "Indicator: BDS/Ananlog.okrph": [[236, 253]], "Indicator: Trojan[Downloader]/Win32.Sysdrop": [[254, 286]], "Indicator: Backdoor:Win32/Ananlog.A": [[287, 311]], "Indicator: Trj/GdSda.A": [[347, 358]], "Indicator: Win32.Trojan-downloader.Sysdrop.Eok": [[359, 394]], "Indicator: Trojan.DL.Sysdrop!": [[395, 413]], "Indicator: Win32/Backdoor.773": [[414, 432]]}, "info": {"id": "cyner2_5class_train_04856", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LethicKAAB.Trojan Trojan.VB Win32.Trojan.VB.bj Trojan.KillFiles.29071 BehavesLike.Win32.VBObfus.cm Trojan.Win32.VB Trojan.Ursu.DFEE TScope.Trojan.VB Win32/VB.OCY Win32/Worm.VB.X", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LethicKAAB.Trojan": [[26, 47]], "Indicator: Trojan.VB": [[48, 57]], "Indicator: Win32.Trojan.VB.bj": [[58, 76]], "Indicator: Trojan.KillFiles.29071": [[77, 99]], "Indicator: BehavesLike.Win32.VBObfus.cm": [[100, 128]], "Indicator: Trojan.Win32.VB": [[129, 144]], "Indicator: Trojan.Ursu.DFEE": [[145, 161]], "Indicator: TScope.Trojan.VB": [[162, 178]], "Indicator: Win32/VB.OCY": [[179, 191]], "Indicator: Win32/Worm.VB.X": [[192, 207]]}, "info": {"id": "cyner2_5class_train_04857", "source": "cyner2_5class_train"}} +{"text": "Similar to previous malware which infiltrated Google Play , such as FalseGuide and Skinner , Judy relies on the communication with its Command and Control server ( C & C ) for its operation .", "spans": {"System: Google Play": [[46, 57]], "Malware: 
FalseGuide": [[68, 78]], "Malware: Skinner": [[83, 90]]}, "info": {"id": "cyner2_5class_train_04858", "source": "cyner2_5class_train"}} +{"text": "This is done by redirecting victim traffic through a malicious proxy server.", "spans": {"Indicator: redirecting victim traffic": [[16, 42]], "System: malicious proxy server.": [[53, 76]]}, "info": {"id": "cyner2_5class_train_04859", "source": "cyner2_5class_train"}} +{"text": "After the the first instance of BrainTest was detected , Google removed the app from Google Play .", "spans": {"Malware: BrainTest": [[32, 41]], "Organization: Google": [[57, 63]], "System: Google Play": [[85, 96]]}, "info": {"id": "cyner2_5class_train_04860", "source": "cyner2_5class_train"}} +{"text": "After collecting the changed PIN code , it is sent back to the C2 .", "spans": {}, "info": {"id": "cyner2_5class_train_04861", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.2B84 Worm.Esjey Win32.Trojan.WisdomEyes.16070401.9500.9938 Trojan.Win32.CFI.dcbjxv Trojan.DownLoader12.30909 BehavesLike.Win32.BadFile.wh Worm:Win32/Esjey.A Trojan.Graftor.D299B4 HEUR/Fakon.mwf Virus.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.2B84": [[26, 43]], "Indicator: Worm.Esjey": [[44, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9938": [[55, 97]], "Indicator: Trojan.Win32.CFI.dcbjxv": [[98, 121]], "Indicator: Trojan.DownLoader12.30909": [[122, 147]], "Indicator: BehavesLike.Win32.BadFile.wh": [[148, 176]], "Indicator: Worm:Win32/Esjey.A": [[177, 195]], "Indicator: Trojan.Graftor.D299B4": [[196, 217]], "Indicator: HEUR/Fakon.mwf": [[218, 232]], "Indicator: Virus.Win32.VB": [[233, 247]]}, "info": {"id": "cyner2_5class_train_04862", "source": "cyner2_5class_train"}} +{"text": "PackageInstaller shows the app ’ s permission access and asks for the user 's approval , which then installs the application .", "spans": {}, "info": {"id": "cyner2_5class_train_04863", "source": 
"cyner2_5class_train"}} +{"text": "When in doubt , check the APK signature and hash in sources like VirusTotal before installing it on your device .", "spans": {"Organization: VirusTotal": [[65, 75]]}, "info": {"id": "cyner2_5class_train_04864", "source": "cyner2_5class_train"}} +{"text": "In some cases , the decompilation process will fail , and “ Agent Smith ” will try another method for infecting the original application – A binary patch , which simply provides a binary file of the “ boot ” module of “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[60, 71], [220, 231]]}, "info": {"id": "cyner2_5class_train_04865", "source": "cyner2_5class_train"}} +{"text": "Conclusions This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques , including patching system libraries .", "spans": {"System: Google Play Store": [[52, 69]]}, "info": {"id": "cyner2_5class_train_04866", "source": "cyner2_5class_train"}} +{"text": "You may review your application list in “ Settings - > Apps ” , if you find one of this applications , please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected .", "spans": {"Organization: Check Point": [[160, 171]], "System: ZoneAlarm": [[172, 181]]}, "info": {"id": "cyner2_5class_train_04867", "source": "cyner2_5class_train"}} +{"text": "PluginPhantom is a new class of Google Android Trojan: it is the first to use updating and to evade static detection.", "spans": {"Malware: PluginPhantom": [[0, 13]], "Malware: Google Android Trojan:": [[32, 54]]}, "info": {"id": "cyner2_5class_train_04868", "source": "cyner2_5class_train"}} +{"text": "The encrypted body is composed of various identifiers which are joined together : doFinal ( ) is called to encrypt the device information string : The user agent string is built from the package name and IMEI number : Finally the HTTP request is sent to the server at https : 
//54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874 .", "spans": {"Indicator: https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874": [[268, 328]]}, "info": {"id": "cyner2_5class_train_04869", "source": "cyner2_5class_train"}} +{"text": "Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version .", "spans": {"Organization: Zscaler": [[20, 27]], "Malware: Android": [[71, 78]], "System: Android": [[143, 150]]}, "info": {"id": "cyner2_5class_train_04870", "source": "cyner2_5class_train"}} +{"text": "This is a read only mode which can help end users remain protected from malicious document files.", "spans": {}, "info": {"id": "cyner2_5class_train_04871", "source": "cyner2_5class_train"}} +{"text": "We suspect the updated PIN is sent to the C2 , most likely to give the malware the option to perform privileged activities on the infected device related to payments , system configuration options , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_04872", "source": "cyner2_5class_train"}} +{"text": "Although the current target list is limited to Spanish apps , it seems that the actor is taking into account that the bot should also be able to target other countries , seeing that the path used in the inject requests contains the country code of the targeted institution .", "spans": {}, "info": {"id": "cyner2_5class_train_04873", "source": "cyner2_5class_train"}} +{"text": "User messages created by the Trojan during installation typically contain grammatical and spelling errors , and use a mixture of Cyrillic and Latin characters .", "spans": {}, "info": {"id": "cyner2_5class_train_04874", "source": "cyner2_5class_train"}} +{"text": "Figure 4 : Alert prompting the victim to download an Android banking app ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Dear Customer , The system has 
detected that the Bank Austria Security App is not installed on your smartphone .", "spans": {"System: Android banking app": [[53, 72]], "System: Bank Austria Security App": [[219, 244]]}, "info": {"id": "cyner2_5class_train_04875", "source": "cyner2_5class_train"}} +{"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user ’ s communications .", "spans": {"Indicator: DroidVPN": [[36, 44]]}, "info": {"id": "cyner2_5class_train_04876", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Delf.rdv Trojan.Win32.Qhost.afmj Trojan.AVKill.28805 TR/Rogue.kdz.976325 Trojan/Win32.Qhost Trojan.Graftor.D1154C Trojan.Win32.Qhost.afmj TrojanDownloader:Win32/Qhost.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Delf.rdv": [[26, 41]], "Indicator: Trojan.Win32.Qhost.afmj": [[42, 65], [147, 170]], "Indicator: Trojan.AVKill.28805": [[66, 85]], "Indicator: TR/Rogue.kdz.976325": [[86, 105]], "Indicator: Trojan/Win32.Qhost": [[106, 124]], "Indicator: Trojan.Graftor.D1154C": [[125, 146]], "Indicator: TrojanDownloader:Win32/Qhost.A": [[171, 201]], "Indicator: Trj/CI.A": [[202, 210]]}, "info": {"id": "cyner2_5class_train_04877", "source": "cyner2_5class_train"}} +{"text": "Instead of implementing very basic gameplay , the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK .", "spans": {}, "info": {"id": "cyner2_5class_train_04878", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Turla.a BKDR64_TURLA.YKV Win32.Trojan.WisdomEyes.16070401.9500.9968 Backdoor.Trojan BKDR64_TURLA.YKV Win64.Rootkit.Uroburos.A Backdoor.Win64.Turla.e Trojan.Win64.Turla.dflvfq Backdoor.Win64.Turla!c Trojan:W64/Turla.B BackDoor.Turla.20 Trojan.Turla.Win64.3 BDS/Turla.OE Backdoor.Win64.Turla.e Backdoor.Turla Trj/CI.A Win64/Turla.A Win32.Trojan.Url.Xqlp 
Win32/Trojan.URL.5b6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Turla.a": [[26, 40]], "Indicator: BKDR64_TURLA.YKV": [[41, 57], [117, 133]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9968": [[58, 100]], "Indicator: Backdoor.Trojan": [[101, 116]], "Indicator: Win64.Rootkit.Uroburos.A": [[134, 158]], "Indicator: Backdoor.Win64.Turla.e": [[159, 181], [302, 324]], "Indicator: Trojan.Win64.Turla.dflvfq": [[182, 207]], "Indicator: Backdoor.Win64.Turla!c": [[208, 230]], "Indicator: Trojan:W64/Turla.B": [[231, 249]], "Indicator: BackDoor.Turla.20": [[250, 267]], "Indicator: Trojan.Turla.Win64.3": [[268, 288]], "Indicator: BDS/Turla.OE": [[289, 301]], "Indicator: Backdoor.Turla": [[325, 339]], "Indicator: Trj/CI.A": [[340, 348]], "Indicator: Win64/Turla.A": [[349, 362]], "Indicator: Win32.Trojan.Url.Xqlp": [[363, 384]], "Indicator: Win32/Trojan.URL.5b6": [[385, 405]]}, "info": {"id": "cyner2_5class_train_04879", "source": "cyner2_5class_train"}} +{"text": "Detailed Malware Structure Malware Strucutre com.mile.brain ( SHA256 : 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3 ) : This is the main application found on Google Play .", "spans": {"Indicator: com.mile.brain": [[45, 59]], "Indicator: 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3": [[71, 135]], "System: Google Play": [[178, 189]]}, "info": {"id": "cyner2_5class_train_04880", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan-Ransom.Cryptolocker.AB Trojan.DownLoader25.64138 W32/Trojan.QFWN-8242 TR/Injector.pegqr Trojan.Graftor.D472BE TrojanDownloader:Win32/Zdowbot.B Heur.Malware-Cryptor.Filecoder Trojan.Win32.Zlader W32/Injector.DASN!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win32.Trojan-Ransom.Cryptolocker.AB": [[69, 104]], "Indicator: Trojan.DownLoader25.64138": [[105, 130]], "Indicator: 
W32/Trojan.QFWN-8242": [[131, 151]], "Indicator: TR/Injector.pegqr": [[152, 169]], "Indicator: Trojan.Graftor.D472BE": [[170, 191]], "Indicator: TrojanDownloader:Win32/Zdowbot.B": [[192, 224]], "Indicator: Heur.Malware-Cryptor.Filecoder": [[225, 255]], "Indicator: Trojan.Win32.Zlader": [[256, 275]], "Indicator: W32/Injector.DASN!tr": [[276, 296]]}, "info": {"id": "cyner2_5class_train_04881", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.BypassUAC Win.Tool.Win7Elevate-1 Exploit.Win32.BypassUAC.bfo ApplicUnsaf.Win64.Win7Elevate Exploit.BypassUAC.Win32.550 W64/Trojan.SZNL-6335 Exploit.BypassUAC.ny SPR/Welevate.A Trojan[Exploit]/Win32.BypassUAC HackTool:Win64/Welevate.A Exploit.Win32.BypassUAC.bfo HackTool/Win32.Win7Elevate.R27568 Trj/CI.A Win32.Exploit.Bypassuac.Dyqu Trojan.Win32.Webprefix", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.BypassUAC": [[26, 43]], "Indicator: Win.Tool.Win7Elevate-1": [[44, 66]], "Indicator: Exploit.Win32.BypassUAC.bfo": [[67, 94], [268, 295]], "Indicator: ApplicUnsaf.Win64.Win7Elevate": [[95, 124]], "Indicator: Exploit.BypassUAC.Win32.550": [[125, 152]], "Indicator: W64/Trojan.SZNL-6335": [[153, 173]], "Indicator: Exploit.BypassUAC.ny": [[174, 194]], "Indicator: SPR/Welevate.A": [[195, 209]], "Indicator: Trojan[Exploit]/Win32.BypassUAC": [[210, 241]], "Indicator: HackTool:Win64/Welevate.A": [[242, 267]], "Indicator: HackTool/Win32.Win7Elevate.R27568": [[296, 329]], "Indicator: Trj/CI.A": [[330, 338]], "Indicator: Win32.Exploit.Bypassuac.Dyqu": [[339, 367]], "Indicator: Trojan.Win32.Webprefix": [[368, 390]]}, "info": {"id": "cyner2_5class_train_04882", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Randex.B@mm Backdoor.IRCBot W32/Randex.worm.B Win32.Trojan.WisdomEyes.16070401.9500.9811 W32/Randex.B W32.Randex Win32/Lioten.F Win.Worm.Randex-2 Worm.Win32.Randex.b Win32.Randex.B@mm Trojan.Win32.Randex.glyj W32.W.Randex.b!c Win32.Worm.Randex.Ajbc Win32.Randex.B@mm 
Worm.Win32.Randex.B Win32.Randex.B@mm Win32.HLLW.Randex.45056 Worm.Randex.Win32.3 BehavesLike.Win32.PWSZbot.lc W32/Randex.B Worm/Randex.b Worm/Win32.Randex Win32.Randex.E2C45E Worm.Win32.Randex.18432 Worm.Win32.Randex.b Worm:Win32/Randex.FN Trojan/Win32.HDC.C82152 Win32.Randex.B@mm Backdoor.IRCBot Worm.Randex Win32/Randex.B Worm.Win32.Randex!jlps7ds/blM W32/Randex.B!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Randex.B@mm": [[26, 43], [198, 215], [281, 298], [319, 336], [564, 581]], "Indicator: Backdoor.IRCBot": [[44, 59], [582, 597]], "Indicator: W32/Randex.worm.B": [[60, 77]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9811": [[78, 120]], "Indicator: W32/Randex.B": [[121, 133], [410, 422]], "Indicator: W32.Randex": [[134, 144]], "Indicator: Win32/Lioten.F": [[145, 159]], "Indicator: Win.Worm.Randex-2": [[160, 177]], "Indicator: Worm.Win32.Randex.b": [[178, 197], [499, 518]], "Indicator: Trojan.Win32.Randex.glyj": [[216, 240]], "Indicator: W32.W.Randex.b!c": [[241, 257]], "Indicator: Win32.Worm.Randex.Ajbc": [[258, 280]], "Indicator: Worm.Win32.Randex.B": [[299, 318]], "Indicator: Win32.HLLW.Randex.45056": [[337, 360]], "Indicator: Worm.Randex.Win32.3": [[361, 380]], "Indicator: BehavesLike.Win32.PWSZbot.lc": [[381, 409]], "Indicator: Worm/Randex.b": [[423, 436]], "Indicator: Worm/Win32.Randex": [[437, 454]], "Indicator: Win32.Randex.E2C45E": [[455, 474]], "Indicator: Worm.Win32.Randex.18432": [[475, 498]], "Indicator: Worm:Win32/Randex.FN": [[519, 539]], "Indicator: Trojan/Win32.HDC.C82152": [[540, 563]], "Indicator: Worm.Randex": [[598, 609]], "Indicator: Win32/Randex.B": [[610, 624]], "Indicator: Worm.Win32.Randex!jlps7ds/blM": [[625, 654]], "Indicator: W32/Randex.B!worm": [[655, 672]]}, "info": {"id": "cyner2_5class_train_04883", "source": "cyner2_5class_train"}} +{"text": "The combination of these capabilities makes JSocket a unique and serious threat to the electronic and physical security of victims.", "spans": {"Malware: 
JSocket": [[44, 51]], "Malware: threat": [[73, 79]], "Organization: electronic": [[87, 97]], "Organization: physical security of victims.": [[102, 131]]}, "info": {"id": "cyner2_5class_train_04884", "source": "cyner2_5class_train"}} +{"text": "The EternalBlue exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner.", "spans": {"Malware: The EternalBlue exploit": [[0, 23]], "Indicator: MS017-010": [[24, 33]], "Malware: WannaCry ransomware": [[56, 75]], "Malware: Adylkuzz cryptocurrency miner.": [[80, 110]]}, "info": {"id": "cyner2_5class_train_04885", "source": "cyner2_5class_train"}} +{"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for the Android platform have received media attention .", "spans": {"Indicator: com.rabbit.artcamera": [[45, 65]], "Indicator: 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f": [[66, 130]], "Indicator: org.horoscope.astrology.predict": [[131, 162]], "Indicator: 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26": [[163, 227]], "Indicator: com.theforest.rotatemarswallpaper": [[228, 261]], "Indicator: 
4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09": [[262, 326]], "Indicator: com.jspany.temp": [[327, 342]], "Indicator: 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5": [[343, 407]], "Indicator: com.hua.ru.quan": [[408, 423]], "Indicator: 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86": [[424, 488]], "Indicator: com.rongnea.udonood": [[489, 508]], "Indicator: 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131": [[509, 573]], "Indicator: com.mbv.a.wp": [[574, 586]], "Indicator: 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68": [[587, 651]], "Indicator: com.pho.nec.sg": [[652, 666]], "Indicator: b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b": [[667, 731]], "Malware: Exobot": [[732, 738]], "Malware: Marcher": [[741, 748]], "System: Android": [[753, 760], [870, 877]]}, "info": {"id": "cyner2_5class_train_04886", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FilodasD.Trojan Backdoor/W32.Small.19968.AH Backdoor.Win32.Small!O Trojan.Downloader.slowblog Backdoor/Small.klk Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Small-13891 Backdoor.Win32.Small.klk Trojan.Win32.Small.reykq Backdoor.Win32.A.Small.19968 Backdoor.W32.Small.klk!c Trojan.DownLoad2.37573 Backdoor.Small.Win32.7582 BehavesLike.Win32.Downloader.lm Backdoor/Small.hcp W32/Cowsid.A!tr Trojan[Backdoor]/Win32.Small Win32.Hack.Small.kcloud Trojan.Heur.RP.E95DD0 Backdoor.Win32.Small.klk TrojanDownloader:Win32/Coswid.A Downloader/Win32.Small.C65823 Backdoor.Small Win32/TrojanDownloader.Coswid.A Backdoor.Small!nWa7meIxFMI Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FilodasD.Trojan": [[26, 45]], "Indicator: Backdoor/W32.Small.19968.AH": [[46, 73]], "Indicator: Backdoor.Win32.Small!O": [[74, 96]], "Indicator: Trojan.Downloader.slowblog": [[97, 123]], "Indicator: Backdoor/Small.klk": [[124, 142]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9999": [[143, 185]], "Indicator: Win.Trojan.Small-13891": [[186, 208]], "Indicator: Backdoor.Win32.Small.klk": [[209, 233], [504, 528]], "Indicator: Trojan.Win32.Small.reykq": [[234, 258]], "Indicator: Backdoor.Win32.A.Small.19968": [[259, 287]], "Indicator: Backdoor.W32.Small.klk!c": [[288, 312]], "Indicator: Trojan.DownLoad2.37573": [[313, 335]], "Indicator: Backdoor.Small.Win32.7582": [[336, 361]], "Indicator: BehavesLike.Win32.Downloader.lm": [[362, 393]], "Indicator: Backdoor/Small.hcp": [[394, 412]], "Indicator: W32/Cowsid.A!tr": [[413, 428]], "Indicator: Trojan[Backdoor]/Win32.Small": [[429, 457]], "Indicator: Win32.Hack.Small.kcloud": [[458, 481]], "Indicator: Trojan.Heur.RP.E95DD0": [[482, 503]], "Indicator: TrojanDownloader:Win32/Coswid.A": [[529, 560]], "Indicator: Downloader/Win32.Small.C65823": [[561, 590]], "Indicator: Backdoor.Small": [[591, 605]], "Indicator: Win32/TrojanDownloader.Coswid.A": [[606, 637]], "Indicator: Backdoor.Small!nWa7meIxFMI": [[638, 664]], "Indicator: Trojan-Downloader.Win32.Small": [[665, 694]]}, "info": {"id": "cyner2_5class_train_04887", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Udsdangerousobject.Multi Win32.Trojan.WisdomEyes.16070401.9500.9998 BackDoor.Bulknet.780 W32/Trojan.JPON-8649 TrojanDropper:Win32/Insup.A Win32.Trojan.Spnr.Afhv Win32/Trojan.9d8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Udsdangerousobject.Multi": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[51, 93]], "Indicator: BackDoor.Bulknet.780": [[94, 114]], "Indicator: W32/Trojan.JPON-8649": [[115, 135]], "Indicator: TrojanDropper:Win32/Insup.A": [[136, 163]], "Indicator: Win32.Trojan.Spnr.Afhv": [[164, 186]], "Indicator: Win32/Trojan.9d8": [[187, 203]]}, "info": {"id": "cyner2_5class_train_04888", "source": "cyner2_5class_train"}} +{"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the hacking team 
dump .", "spans": {"Vulnerability: Flash zero-day vulnerabilities": [[16, 46]], "Vulnerability: CVE-2015-5122": [[49, 62]], "Vulnerability: CVE-2015-5123": [[67, 80]]}, "info": {"id": "cyner2_5class_train_04889", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04890", "source": "cyner2_5class_train"}} +{"text": "However , we have noted a significantly small number of downloads of the app in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner2_5class_train_04891", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader25.45618 Trojan:Win32/Relnicar.A!dha Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.DownLoader25.45618": [[69, 94]], "Indicator: Trojan:Win32/Relnicar.A!dha": [[95, 122]], "Indicator: Trj/GdSda.A": [[123, 134]]}, "info": {"id": "cyner2_5class_train_04892", "source": "cyner2_5class_train"}} +{"text": "Ahnlab is a popular antivirus software in South Korea.", "spans": {"Organization: Ahnlab": [[0, 6]], "System: popular antivirus software": [[12, 38]]}, "info": {"id": "cyner2_5class_train_04893", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Dropper Trojan.Ransom.Cerber.1 Ransom_HPCERBER.SMALY5A Win32.Trojan.Kryptik.anp Ransom_HPCERBER.SMALY5A Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ssebot.2 BehavesLike.Win32.Dropper.vc Spammer:Win32/Rowdab.A Trj/GdSda.A W32/Kryptik.EXLK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Cerber.1": [[26, 48], [49, 71], [87, 109], [183, 205], [206, 228], [229, 251], [252, 274]], "Indicator: Trojan.Dropper": [[72, 86]], "Indicator: 
Ransom_HPCERBER.SMALY5A": [[110, 133], [159, 182]], "Indicator: Win32.Trojan.Kryptik.anp": [[134, 158]], "Indicator: Trojan.Ssebot.2": [[275, 290]], "Indicator: BehavesLike.Win32.Dropper.vc": [[291, 319]], "Indicator: Spammer:Win32/Rowdab.A": [[320, 342]], "Indicator: Trj/GdSda.A": [[343, 354]], "Indicator: W32/Kryptik.EXLK!tr": [[355, 374]]}, "info": {"id": "cyner2_5class_train_04894", "source": "cyner2_5class_train"}} +{"text": "But , as we have already mentioned , the criminals could easily turn their attention to users in other countries .", "spans": {}, "info": {"id": "cyner2_5class_train_04895", "source": "cyner2_5class_train"}} +{"text": "After the checks , the malware becomes active , but first , it goes through seven steps , each one calling a different command : uploadPhoneNumbers : Exfiltrates all phone numbers that are in the contact list .", "spans": {}, "info": {"id": "cyner2_5class_train_04896", "source": "cyner2_5class_train"}} +{"text": "The themes of the messages used in the attacks are related to IT Infrastructure such as a log of Server Status Report or a list of Cisco Iron Port Appliance details.", "spans": {"Indicator: themes": [[4, 10]], "Indicator: messages": [[18, 26]], "Indicator: attacks": [[39, 46]], "System: IT Infrastructure": [[62, 79]], "Indicator: log of Server Status Report": [[90, 117]], "Indicator: a list of Cisco Iron Port Appliance details.": [[121, 165]]}, "info": {"id": "cyner2_5class_train_04897", "source": "cyner2_5class_train"}} +{"text": "Last week on October 7, Raytheon | Websense® Security Labs™ noticed an interesting email campaign distributing what at first appeared to be Dridex botnet 220.", "spans": {"Organization: Raytheon": [[24, 32]], "Malware: at": [[116, 118]], "Malware: Dridex botnet 220.": [[140, 158]]}, "info": {"id": "cyner2_5class_train_04898", "source": "cyner2_5class_train"}} +{"text": "] comaccount-manager [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04899", "source": "cyner2_5class_train"}} 
+{"text": "We decided to call the operation “ ViceLeaker ” , because of strings and variables in its code .", "spans": {"Malware: ViceLeaker": [[35, 45]]}, "info": {"id": "cyner2_5class_train_04900", "source": "cyner2_5class_train"}} +{"text": "Decompiled APK resources .", "spans": {}, "info": {"id": "cyner2_5class_train_04901", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.Toolbar.Win32.2435 Trojan.Win32.Spraxeth.elldrz RemoteAdmin.Dexn.v Worm:Win32/Spraxeth.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Toolbar.Win32.2435": [[26, 51]], "Indicator: Trojan.Win32.Spraxeth.elldrz": [[52, 80]], "Indicator: RemoteAdmin.Dexn.v": [[81, 99]], "Indicator: Worm:Win32/Spraxeth.A": [[100, 121]]}, "info": {"id": "cyner2_5class_train_04902", "source": "cyner2_5class_train"}} +{"text": "Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks , it is interesting to follow the early stages of mobile malware development .", "spans": {"Malware: EventBot": [[61, 69]]}, "info": {"id": "cyner2_5class_train_04903", "source": "cyner2_5class_train"}} +{"text": "] infomavis-dracula [ .", "spans": {}, "info": {"id": "cyner2_5class_train_04904", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HT_PATCHER_FC170076.UVPA Win32.Trojan.WisdomEyes.16070401.9500.9787 Backdoor.Graybird HT_PATCHER_FC170076.UVPA Tool.Patcher.140 BehavesLike.Win32.Dropper.pm not-a-virus:RiskTool.Win32.Patcher HackTool:Win32/Patcher.D HackTool/Win32.Patcher.C862855 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HT_PATCHER_FC170076.UVPA": [[26, 50], [112, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9787": [[51, 93]], "Indicator: Backdoor.Graybird": [[94, 111]], "Indicator: Tool.Patcher.140": [[137, 153]], "Indicator: BehavesLike.Win32.Dropper.pm": [[154, 182]], "Indicator: not-a-virus:RiskTool.Win32.Patcher": [[183, 217]], 
"Indicator: HackTool:Win32/Patcher.D": [[218, 242]], "Indicator: HackTool/Win32.Patcher.C862855": [[243, 273]], "Indicator: Trj/CI.A": [[274, 282]]}, "info": {"id": "cyner2_5class_train_04905", "source": "cyner2_5class_train"}} +{"text": "With the capability to open market applications , such as Google Play and 9Apps , with a specific keyword search or even a single application ’ s page , the actor can gain exposure for other threat actors and increase his profits .", "spans": {"System: Google Play": [[58, 69]], "System: 9Apps": [[74, 79]]}, "info": {"id": "cyner2_5class_train_04906", "source": "cyner2_5class_train"}} +{"text": "XLoader can also start other attacker-specified packages .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner2_5class_train_04907", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.W.Otwycal.l4av not-a-virus:NetTool.Win32.TCPScan.a Win-AppCare/Tcpscan.108750 HackTool.Win32.TCPScan.fge", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.W.Otwycal.l4av": [[26, 44]], "Indicator: not-a-virus:NetTool.Win32.TCPScan.a": [[45, 80]], "Indicator: Win-AppCare/Tcpscan.108750": [[81, 107]], "Indicator: HackTool.Win32.TCPScan.fge": [[108, 134]]}, "info": {"id": "cyner2_5class_train_04908", "source": "cyner2_5class_train"}} +{"text": "We have notified Google of the abuse and are working with them to share additional information.", "spans": {"Organization: Google": [[17, 23]]}, "info": {"id": "cyner2_5class_train_04909", "source": "cyner2_5class_train"}} +{"text": "Here the list of the files potentially dropped during the installation stage : FILE NAME STAGE DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware 
payload injected into the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft Office process was used as exploit vector ) : Installation process under UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run .", "spans": {"Indicator: d3d9.dll": [[107, 115], [1120, 1128]], "Indicator: aepic.dll": [[224, 233]], "Indicator: sspisrv.dll": [[236, 247]], "Indicator: userenv.dll": [[250, 261]], "Indicator: msvcr90.dll": [[419, 430]], "Indicator: explorer.exe": [[473, 485]], "Indicator: winlogon.exe": [[489, 501]], "Indicator: setup.cab": [[593, 602]], "Indicator: wsecedit.rar": [[744, 756]], "System: Microsoft Office": [[967, 983]], "Indicator: HKCU\\Software\\Microsoft\\Windows\\Run": [[1165, 1200]]}, "info": {"id": "cyner2_5class_train_04910", "source": "cyner2_5class_train"}} +{"text": "In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack.", "spans": {"Organization: Cisco Advanced Services Incident Response, Talos": [[20, 68]], "Indicator: attack.": [[107, 114]]}, "info": {"id": "cyner2_5class_train_04911", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.StartPage!O TrojanDownloader.Small.DF3 Trojan/Dropper.StartPage.bdz TROJ_FAVADD.SMI Win32.Trojan.WisdomEyes.16070401.9500.9719 TROJ_FAVADD.SMI Win.Downloader.134775-1 Win32.Trojan.Favadd.A Trojan.Win32.Alien.bnu Trojan.Win32.Zbot.dydfgj Trojan.Win32.Z.Startpage.69632.D 
Troj.Downloader.W32.VB.lkln TrojWare.Win32.Pasta.SAB Trojan.MulDrop1.43517 Dropper.StartPage.Win32.220 BehavesLike.Win32.VBObfus.km TrojanDropper.StartPage.ty Trojan[Downloader]/Win32.VB Trojan.Buzy.114 Trojan.Win32.Alien.bnu Trojan:Win32/Favadd.C Trojan/Win32.StartPage.R6041 Trojan.VBRA.06132 Trojan.DL.VB!NOyJWQLVTJg Win32/Trojan.835", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.StartPage!O": [[26, 58]], "Indicator: TrojanDownloader.Small.DF3": [[59, 85]], "Indicator: Trojan/Dropper.StartPage.bdz": [[86, 114]], "Indicator: TROJ_FAVADD.SMI": [[115, 130], [174, 189]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9719": [[131, 173]], "Indicator: Win.Downloader.134775-1": [[190, 213]], "Indicator: Win32.Trojan.Favadd.A": [[214, 235]], "Indicator: Trojan.Win32.Alien.bnu": [[236, 258], [520, 542]], "Indicator: Trojan.Win32.Zbot.dydfgj": [[259, 283]], "Indicator: Trojan.Win32.Z.Startpage.69632.D": [[284, 316]], "Indicator: Troj.Downloader.W32.VB.lkln": [[317, 344]], "Indicator: TrojWare.Win32.Pasta.SAB": [[345, 369]], "Indicator: Trojan.MulDrop1.43517": [[370, 391]], "Indicator: Dropper.StartPage.Win32.220": [[392, 419]], "Indicator: BehavesLike.Win32.VBObfus.km": [[420, 448]], "Indicator: TrojanDropper.StartPage.ty": [[449, 475]], "Indicator: Trojan[Downloader]/Win32.VB": [[476, 503]], "Indicator: Trojan.Buzy.114": [[504, 519]], "Indicator: Trojan:Win32/Favadd.C": [[543, 564]], "Indicator: Trojan/Win32.StartPage.R6041": [[565, 593]], "Indicator: Trojan.VBRA.06132": [[594, 611]], "Indicator: Trojan.DL.VB!NOyJWQLVTJg": [[612, 636]], "Indicator: Win32/Trojan.835": [[637, 653]]}, "info": {"id": "cyner2_5class_train_04912", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Hegel TROJ_SHIZ.SMP6 W32/Shiz.MU TROJ_SHIZ.SMP6 Trojan.Win32.A.Downloader.53760.HN Trojan.Packed.20771 BehavesLike.Win32.Cutwail.qh W32/Shiz.FQWK-1945 TrojanDownloader:Win32/Hegel.F Trojan/Win32.ADH.R23078 W32/Shiz.NCF!tr 
Win32/Trojan.74e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Hegel": [[26, 48]], "Indicator: TROJ_SHIZ.SMP6": [[49, 63], [76, 90]], "Indicator: W32/Shiz.MU": [[64, 75]], "Indicator: Trojan.Win32.A.Downloader.53760.HN": [[91, 125]], "Indicator: Trojan.Packed.20771": [[126, 145]], "Indicator: BehavesLike.Win32.Cutwail.qh": [[146, 174]], "Indicator: W32/Shiz.FQWK-1945": [[175, 193]], "Indicator: TrojanDownloader:Win32/Hegel.F": [[194, 224]], "Indicator: Trojan/Win32.ADH.R23078": [[225, 248]], "Indicator: W32/Shiz.NCF!tr": [[249, 264]], "Indicator: Win32/Trojan.74e": [[265, 281]]}, "info": {"id": "cyner2_5class_train_04913", "source": "cyner2_5class_train"}} +{"text": "Android/Twitoor is a backdoor capable of downloading other malware onto an infected device. It has been active for around one month.", "spans": {"Malware: Android/Twitoor": [[0, 15]], "Malware: backdoor": [[21, 29]], "Malware: malware": [[59, 66]], "System: infected device.": [[75, 91]]}, "info": {"id": "cyner2_5class_train_04914", "source": "cyner2_5class_train"}} +{"text": "Devices running Android 4.4 and higher are protected by Verified Boot .", "spans": {"System: Android 4.4": [[16, 27]]}, "info": {"id": "cyner2_5class_train_04915", "source": "cyner2_5class_train"}} +{"text": "Using a publicly available rooting framework , the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device .", "spans": {}, "info": {"id": "cyner2_5class_train_04916", "source": "cyner2_5class_train"}} +{"text": "RIG exploit kit sends Ramnit payloads via VBScript CVE-2016-0189", "spans": {"Malware: RIG exploit kit": [[0, 15]], "Malware: Ramnit payloads": [[22, 37]], "Indicator: VBScript CVE-2016-0189": [[42, 64]]}, "info": {"id": "cyner2_5class_train_04917", "source": "cyner2_5class_train"}} +{"text": "Some applications rely on SMS when it comes to in-app purchases — the transaction data is transferred via a short text message .", 
"spans": {}, "info": {"id": "cyner2_5class_train_04918", "source": "cyner2_5class_train"}} +{"text": "Angler began exploiting CVE-2015-3090 about two weeks after Adobe released a patch.", "spans": {"Malware: Angler": [[0, 6]], "Vulnerability: exploiting CVE-2015-3090": [[13, 37]], "Organization: Adobe": [[60, 65]]}, "info": {"id": "cyner2_5class_train_04919", "source": "cyner2_5class_train"}} +{"text": "It checks for different kinds of emulators , including QEMU , Genymotion , BlueStacks and Bignox .", "spans": {"System: QEMU": [[55, 59]], "System: Genymotion": [[62, 72]], "System: BlueStacks": [[75, 85]], "System: Bignox": [[90, 96]]}, "info": {"id": "cyner2_5class_train_04920", "source": "cyner2_5class_train"}} +{"text": "So let's make a level-headed assessment of what is really out there.", "spans": {}, "info": {"id": "cyner2_5class_train_04921", "source": "cyner2_5class_train"}} +{"text": "It loads code from encrypted resources dynamically , which most detection engines can not penetrate and inspect .", "spans": {}, "info": {"id": "cyner2_5class_train_04922", "source": "cyner2_5class_train"}} +{"text": "Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities of 1990s fame; and the use of multiple methods of obfuscation.", "spans": {"Malware: BAIJIU": [[30, 36]], "Indicator: attack;": [[96, 103]], "Indicator: web hosting service": [[125, 144]], "Organization: GeoCities": [[145, 154]]}, "info": {"id": "cyner2_5class_train_04923", "source": "cyner2_5class_train"}} +{"text": "We assume that these two elements were chosen to trick security products.", "spans": {}, "info": {"id": "cyner2_5class_train_04924", "source": "cyner2_5class_train"}} +{"text": "The stealer is disguised as a legitimate Google Drive extension and it can monitor browsing history, capture screenshots, and inject malicious scripts to steal funds from cryptocurrency exchanges.", "spans": {"Malware: 
The stealer": [[0, 11]], "System: legitimate Google Drive extension": [[30, 63]], "Indicator: monitor browsing history, capture screenshots, and inject malicious scripts": [[75, 150]], "Indicator: steal funds from cryptocurrency exchanges.": [[154, 196]]}, "info": {"id": "cyner2_5class_train_04925", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Mansabo.389120.B Win32.Trojan-Spy.Trickbot.F Trojan.Win32.Mansabo.aiu Trojan.Win32.Mansabo.evnqvj Trojan.Inject2.64433 Trojan.Mansabo.ni TR/AD.Inject.jyiec Trojan/Win32.Mansabo Trojan.Win32.Mansabo.aiu Trojan/Win32.Inject.C2278939 TScope.Trojan.VB Trojan.TrickBot Trj/GdSda.A Win32.Trojan.Mansabo.Ljab W32/Mansabo.AIU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Mansabo.389120.B": [[26, 53]], "Indicator: Win32.Trojan-Spy.Trickbot.F": [[54, 81]], "Indicator: Trojan.Win32.Mansabo.aiu": [[82, 106], [214, 238]], "Indicator: Trojan.Win32.Mansabo.evnqvj": [[107, 134]], "Indicator: Trojan.Inject2.64433": [[135, 155]], "Indicator: Trojan.Mansabo.ni": [[156, 173]], "Indicator: TR/AD.Inject.jyiec": [[174, 192]], "Indicator: Trojan/Win32.Mansabo": [[193, 213]], "Indicator: Trojan/Win32.Inject.C2278939": [[239, 267]], "Indicator: TScope.Trojan.VB": [[268, 284]], "Indicator: Trojan.TrickBot": [[285, 300]], "Indicator: Trj/GdSda.A": [[301, 312]], "Indicator: Win32.Trojan.Mansabo.Ljab": [[313, 338]], "Indicator: W32/Mansabo.AIU!tr": [[339, 357]]}, "info": {"id": "cyner2_5class_train_04926", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Exploit/W32.Pidief.6283.GLW JS/Pdfcm.AQ Exploit-PDF.sd Bloodhound.Exploit.196 EXPL_EXECOD.A Pdf.Exploit.CVE_2009_0927-1 Exploit.Win32.Pidief.bni PDF.Exploit.CVE-2009-0927.A Exploit.W32.Pidief!c Trojan-Dropper:JS/PdfDropper.A EXPL_EXECOD.A BehavesLike.PDF.Exploit.xn EXP/Pidief.arl Exploit.Win32.Pidief.bni Trojan.JS.Downloader.BEZ Exploit.Win32.Pidief.bni Win32.Exploit.Pidief.Hupr Trojan.Js.Exploit virus.pdf.pdfjs.1", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Exploit/W32.Pidief.6283.GLW": [[26, 60]], "Indicator: JS/Pdfcm.AQ": [[61, 72]], "Indicator: Exploit-PDF.sd": [[73, 87]], "Indicator: Bloodhound.Exploit.196": [[88, 110]], "Indicator: EXPL_EXECOD.A": [[111, 124], [258, 271]], "Indicator: Pdf.Exploit.CVE_2009_0927-1": [[125, 152]], "Indicator: Exploit.Win32.Pidief.bni": [[153, 177], [314, 338], [364, 388]], "Indicator: PDF.Exploit.CVE-2009-0927.A": [[178, 205]], "Indicator: Exploit.W32.Pidief!c": [[206, 226]], "Indicator: Trojan-Dropper:JS/PdfDropper.A": [[227, 257]], "Indicator: BehavesLike.PDF.Exploit.xn": [[272, 298]], "Indicator: EXP/Pidief.arl": [[299, 313]], "Indicator: Trojan.JS.Downloader.BEZ": [[339, 363]], "Indicator: Win32.Exploit.Pidief.Hupr": [[389, 414]], "Indicator: Trojan.Js.Exploit": [[415, 432]], "Indicator: virus.pdf.pdfjs.1": [[433, 450]]}, "info": {"id": "cyner2_5class_train_04927", "source": "cyner2_5class_train"}} +{"text": "All Firefox users are urged to update to Firefox 39.0.3. 
The fix has also been shipped in Firefox ESR 38.1.1.", "spans": {"System: Firefox users": [[4, 17]], "System: Firefox 39.0.3.": [[41, 56]], "System: Firefox ESR 38.1.1.": [[90, 109]]}, "info": {"id": "cyner2_5class_train_04928", "source": "cyner2_5class_train"}} +{"text": "The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild.", "spans": {"Malware: malware": [[4, 11], [104, 111]], "System: 64-bit,": [[54, 61]], "System: 32-bit versions": [[81, 96]]}, "info": {"id": "cyner2_5class_train_04929", "source": "cyner2_5class_train"}} +{"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we ’ ve seen before .", "spans": {"Malware: Android": [[8, 15], [89, 96]]}, "info": {"id": "cyner2_5class_train_04930", "source": "cyner2_5class_train"}} +{"text": "First off , it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php ( in later versions gating.php ) with the ID ( device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI ) and screen ( shows if the device is active , possible values are “ on ” , “ off ” , “ none ” ) parameters .", "spans": {"Indicator: gate.php": [[122, 130]], "Indicator: gating.php": [[151, 161]]}, "info": {"id": "cyner2_5class_train_04931", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: TrojanXor.Linux.DDos.A Linux/DDoS-Xor.A ELF/Trojan.JWZU-2 Linux.Xorddos ELF_XORDDOS.SM Unix.Trojan.DDoS_XOR-1 HEUR:Trojan-DDoS.Linux.Xarcen.a Trojan.Unix.Xarcen.eftmox Troj.Ddos.Linux!c Linux.DDoS.Xor.4 Trojan.Xorddos.Linux.34 Linux/DDoS-Xor.A TrojanDDoS.Linux.ff LINUX/Xorddos.tmifd Trojan[DDoS]/Linux.Xarcen.a Trojan.Trojan.Linux.XorDDoS.2 Linux/Xorddos.625867 HEUR:Trojan-DDoS.Linux.Xarcen.a Trojan.Linux.XorDdos.a Trojan.Linux.DDoS ELF/DDoS.BH!tr ELF/XorDDos.A Win32/Trojan.DDoS.ee7", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: TrojanXor.Linux.DDos.A": [[43, 65]], "Indicator: Linux/DDoS-Xor.A": [[66, 82], [270, 286]], "Indicator: ELF/Trojan.JWZU-2": [[83, 100]], "Indicator: Linux.Xorddos": [[101, 114]], "Indicator: ELF_XORDDOS.SM": [[115, 129]], "Indicator: Unix.Trojan.DDoS_XOR-1": [[130, 152]], "Indicator: HEUR:Trojan-DDoS.Linux.Xarcen.a": [[153, 184], [406, 437]], "Indicator: Trojan.Unix.Xarcen.eftmox": [[185, 210]], "Indicator: Troj.Ddos.Linux!c": [[211, 228]], "Indicator: Linux.DDoS.Xor.4": [[229, 245]], "Indicator: Trojan.Xorddos.Linux.34": [[246, 269]], "Indicator: TrojanDDoS.Linux.ff": [[287, 306]], "Indicator: LINUX/Xorddos.tmifd": [[307, 326]], "Indicator: Trojan[DDoS]/Linux.Xarcen.a": [[327, 354]], "Indicator: Trojan.Trojan.Linux.XorDDoS.2": [[355, 384]], "Indicator: Linux/Xorddos.625867": [[385, 405]], "Indicator: Trojan.Linux.XorDdos.a": [[438, 460]], "Indicator: Trojan.Linux.DDoS": [[461, 478]], "Indicator: ELF/DDoS.BH!tr": [[479, 493]], "Indicator: ELF/XorDDos.A": [[494, 507]], "Indicator: Win32/Trojan.DDoS.ee7": [[508, 529]]}, "info": {"id": "cyner2_5class_train_04932", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tibrun Trojan/Kryptik.bwcw Trojan.Razy.D3CCE1 W32/Trojan2.ODQP Trojan.Bruterdep TROJ_TIBRUN.B Trojan-Spy.Win32.POSBrut.b Trojan.Win32.Crypt.ctwfbi Troj.W32.Crypt.csx!c Trojan.DownLoader9.55744 Trojan.Crypt.Win32.14169 TROJ_TIBRUN.B Trojan.Krypt-POS W32/Trojan.WWSD-0234 Trojan/Crypt.eom TR/Spy.13824.412 Trojan/Win32.Crypt.csx Trojan:Win32/Tibrun.A Trojan-Spy.Win32.POSBrut.b Trojan/Win32.Tibrun.C287165 Trojan.Crypt Trj/CI.A Win32/Kryptik.BWCW Win32.Trojan-spy.Posbrut.Sxxp Trojan.Crypt!ZT6l9g/i+CQ W32/BrutPOS.B!tr Win32/Trojan.2d6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tibrun": [[26, 39]], "Indicator: Trojan/Kryptik.bwcw": [[40, 59]], "Indicator: Trojan.Razy.D3CCE1": [[60, 78]], "Indicator: W32/Trojan2.ODQP": [[79, 95]], "Indicator: Trojan.Bruterdep": [[96, 112]], 
"Indicator: TROJ_TIBRUN.B": [[113, 126], [251, 264]], "Indicator: Trojan-Spy.Win32.POSBrut.b": [[127, 153], [382, 408]], "Indicator: Trojan.Win32.Crypt.ctwfbi": [[154, 179]], "Indicator: Troj.W32.Crypt.csx!c": [[180, 200]], "Indicator: Trojan.DownLoader9.55744": [[201, 225]], "Indicator: Trojan.Crypt.Win32.14169": [[226, 250]], "Indicator: Trojan.Krypt-POS": [[265, 281]], "Indicator: W32/Trojan.WWSD-0234": [[282, 302]], "Indicator: Trojan/Crypt.eom": [[303, 319]], "Indicator: TR/Spy.13824.412": [[320, 336]], "Indicator: Trojan/Win32.Crypt.csx": [[337, 359]], "Indicator: Trojan:Win32/Tibrun.A": [[360, 381]], "Indicator: Trojan/Win32.Tibrun.C287165": [[409, 436]], "Indicator: Trojan.Crypt": [[437, 449]], "Indicator: Trj/CI.A": [[450, 458]], "Indicator: Win32/Kryptik.BWCW": [[459, 477]], "Indicator: Win32.Trojan-spy.Posbrut.Sxxp": [[478, 507]], "Indicator: Trojan.Crypt!ZT6l9g/i+CQ": [[508, 532]], "Indicator: W32/BrutPOS.B!tr": [[533, 549]], "Indicator: Win32/Trojan.2d6": [[550, 566]]}, "info": {"id": "cyner2_5class_train_04933", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9846 Win32/Droplet.YK Trojan.NtRootKit.9406 TR/Horse.QWS Trj/CI.A W32/Malware_fam.NB Win32/RootKit.Rootkit.43e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9846": [[26, 68]], "Indicator: Win32/Droplet.YK": [[69, 85]], "Indicator: Trojan.NtRootKit.9406": [[86, 107]], "Indicator: TR/Horse.QWS": [[108, 120]], "Indicator: Trj/CI.A": [[121, 129]], "Indicator: W32/Malware_fam.NB": [[130, 148]], "Indicator: Win32/RootKit.Rootkit.43e": [[149, 174]]}, "info": {"id": "cyner2_5class_train_04934", "source": "cyner2_5class_train"}} +{"text": "The infection happens in multiple stages and the dropper is very similar to many common worm that targets embedded devices from multiple architectures.", "spans": {"Indicator: infection": [[4, 13]], "Malware: dropper": [[49, 56]], "Malware: worm": [[88, 92]], 
"System: embedded devices": [[106, 122]], "System: multiple architectures.": [[128, 151]]}, "info": {"id": "cyner2_5class_train_04935", "source": "cyner2_5class_train"}} +{"text": "It only has two parts , the method indicated by word “ info ” and the victim identifier .", "spans": {}, "info": {"id": "cyner2_5class_train_04936", "source": "cyner2_5class_train"}} +{"text": "BOT UPDATES EventBot has a long method called parseCommand that can update EventBot ’ s configuration XML files , located in the shared preferences folder on the device .", "spans": {"Malware: EventBot": [[12, 20], [75, 83]]}, "info": {"id": "cyner2_5class_train_04937", "source": "cyner2_5class_train"}} +{"text": "Answer from the C2 The C2 will check the country field , if it 's empty or if the country is not targeted , it will reply with a \" Unauthorized '' answer .", "spans": {}, "info": {"id": "cyner2_5class_train_04938", "source": "cyner2_5class_train"}} +{"text": "Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.", "spans": {"Organization: colleagues": [[15, 25]], "Organization: Symantec": [[31, 39]]}, "info": {"id": "cyner2_5class_train_04939", "source": "cyner2_5class_train"}} +{"text": "Before patching , the Trojan will backup the original library with a name bak_ { original name } .", "spans": {}, "info": {"id": "cyner2_5class_train_04940", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Waldek.3342336 Trojan.Mauvaise.SL1 Backdoor.Trojan Trojan.Win32.Waldek.wvv Trojan.Win32.Waldek.elvbza Troj.W32.Waldek!c Trojan.Waldek.exr Trojan:Win32/Waldek.A!bit Trojan.Win32.Waldek.wvv Backdoor.Andromeda Trj/Gamarue.A Win32/Worm.5d8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Waldek.3342336": [[26, 51]], "Indicator: Trojan.Mauvaise.SL1": [[52, 71]], "Indicator: Backdoor.Trojan": [[72, 87]], 
"Indicator: Trojan.Win32.Waldek.wvv": [[88, 111], [201, 224]], "Indicator: Trojan.Win32.Waldek.elvbza": [[112, 138]], "Indicator: Troj.W32.Waldek!c": [[139, 156]], "Indicator: Trojan.Waldek.exr": [[157, 174]], "Indicator: Trojan:Win32/Waldek.A!bit": [[175, 200]], "Indicator: Backdoor.Andromeda": [[225, 243]], "Indicator: Trj/Gamarue.A": [[244, 257]], "Indicator: Win32/Worm.5d8": [[258, 272]]}, "info": {"id": "cyner2_5class_train_04941", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.AutoRun.bo W32.SillyFDC Trojan.DownLoader8.34261 Worm:Win32/Metibh.A Rootkit.Ressdt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.AutoRun.bo": [[26, 47]], "Indicator: W32.SillyFDC": [[48, 60]], "Indicator: Trojan.DownLoader8.34261": [[61, 85]], "Indicator: Worm:Win32/Metibh.A": [[86, 105]], "Indicator: Rootkit.Ressdt": [[106, 120]]}, "info": {"id": "cyner2_5class_train_04942", "source": "cyner2_5class_train"}} +{"text": "This malware also contains a screen recorder .", "spans": {}, "info": {"id": "cyner2_5class_train_04943", "source": "cyner2_5class_train"}} +{"text": "This helps the C2 define what actions it can do before being detected on the mobile device .", "spans": {}, "info": {"id": "cyner2_5class_train_04944", "source": "cyner2_5class_train"}} +{"text": "However the registrar NameCheap, Inc. 
covers a pool of 287.411.506 domains where at least 0.10% can be considered as potentially malicious.", "spans": {"Organization: NameCheap, Inc.": [[22, 37]], "Indicator: pool of 287.411.506 domains": [[47, 74]], "Malware: at": [[81, 83]], "Malware: potentially malicious.": [[117, 139]]}, "info": {"id": "cyner2_5class_train_04945", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeWinlogonXIA.Trojan Trojan.Win32.Swisyn!O Trojan.Swisyn.Win32.25583 Trojan/Swisyn.alai Win32.Worm.VB.qn W32.SillyFDC Win32/SillyAutorun.EYX TROJ_SWISYN.AJ Trojan.Win32.Swisyn.alai Trojan.Win32.Vb.btqbl Trojan.Win32.Swisyn.36864.C Trojan.KillFiles.12035 TROJ_SWISYN.AJ Trojan/Swisyn.vmn Worm/Win32.WBNA.mjv Worm:Win32/Roopirs.A Trojan.Win32.Swisyn.alai Trojan/Win32.Swisyn.R2752 Trojan.VBRA.04943 Trojan.PoorVirus I-Worm.VB.NUV Win32/VB.NUV Trojan.Win32.Swisyn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeWinlogonXIA.Trojan": [[26, 52]], "Indicator: Trojan.Win32.Swisyn!O": [[53, 74]], "Indicator: Trojan.Swisyn.Win32.25583": [[75, 100]], "Indicator: Trojan/Swisyn.alai": [[101, 119]], "Indicator: Win32.Worm.VB.qn": [[120, 136]], "Indicator: W32.SillyFDC": [[137, 149]], "Indicator: Win32/SillyAutorun.EYX": [[150, 172]], "Indicator: TROJ_SWISYN.AJ": [[173, 187], [286, 300]], "Indicator: Trojan.Win32.Swisyn.alai": [[188, 212], [360, 384]], "Indicator: Trojan.Win32.Vb.btqbl": [[213, 234]], "Indicator: Trojan.Win32.Swisyn.36864.C": [[235, 262]], "Indicator: Trojan.KillFiles.12035": [[263, 285]], "Indicator: Trojan/Swisyn.vmn": [[301, 318]], "Indicator: Worm/Win32.WBNA.mjv": [[319, 338]], "Indicator: Worm:Win32/Roopirs.A": [[339, 359]], "Indicator: Trojan/Win32.Swisyn.R2752": [[385, 410]], "Indicator: Trojan.VBRA.04943": [[411, 428]], "Indicator: Trojan.PoorVirus": [[429, 445]], "Indicator: I-Worm.VB.NUV": [[446, 459]], "Indicator: Win32/VB.NUV": [[460, 472]], "Indicator: Trojan.Win32.Swisyn": [[473, 492]]}, "info": {"id": "cyner2_5class_train_04946", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MemScan:Backdoor.Turkojan.BM Trojan.PWS.VKont!NjMVuhwtYR0 BKDR_TURKOJN.SMD Win32.Backdoor.Turko PUA.Packed.Themida-2 Packed.Win32.Black.a MemScan:Backdoor.Turkojan.BM Packed.Win32..Black.~A MemScan:Backdoor.Turkojan.BM Trojan.Packed.650 BKDR_TURKOJN.SMD Heuristic.BehavesLike.Win32.Fake.O Trojan:Win32/Turkojan.B!dll MemScan:Backdoor.Turkojan.BM Packed/Win32.Black Trojan.Win32.Nodef.dqw Trj/Thed.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MemScan:Backdoor.Turkojan.BM": [[26, 54], [164, 192], [216, 244], [343, 371]], "Indicator: Trojan.PWS.VKont!NjMVuhwtYR0": [[55, 83]], "Indicator: BKDR_TURKOJN.SMD": [[84, 100], [263, 279]], "Indicator: Win32.Backdoor.Turko": [[101, 121]], "Indicator: PUA.Packed.Themida-2": [[122, 142]], "Indicator: Packed.Win32.Black.a": [[143, 163]], "Indicator: Packed.Win32..Black.~A": [[193, 215]], "Indicator: Trojan.Packed.650": [[245, 262]], "Indicator: Heuristic.BehavesLike.Win32.Fake.O": [[280, 314]], "Indicator: Trojan:Win32/Turkojan.B!dll": [[315, 342]], "Indicator: Packed/Win32.Black": [[372, 390]], "Indicator: Trojan.Win32.Nodef.dqw": [[391, 413]], "Indicator: Trj/Thed.A": [[414, 424]]}, "info": {"id": "cyner2_5class_train_04947", "source": "cyner2_5class_train"}} +{"text": "As on the desktop , mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites .", "spans": {}, "info": {"id": "cyner2_5class_train_04948", "source": "cyner2_5class_train"}} +{"text": "This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia.", "spans": {"Indicator: attacks": [[44, 51]], "Organization: NGO": [[63, 66]]}, "info": {"id": "cyner2_5class_train_04949", "source": "cyner2_5class_train"}} +{"text": "The developers refer to this tool by the 
name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator.", "spans": {"Malware: tool": [[29, 33]], "Malware: Kazuar,": [[46, 53]], "Malware: Trojan": [[65, 71]], "System: the Microsoft .NET Framework": [[86, 114]], "System: compromised systems": [[153, 172]]}, "info": {"id": "cyner2_5class_train_04950", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-AZF.dll BKDR_BITS.B W32/Backdoor.FPJ Backdoor.Trojan Win32/Bits.A BKDR_BITS.B Backdoor.Win32.Bits Trojan.Win32.Bits.dlhcqc Backdoor.Win32.Bits.A BackDoor.Bits Backdoor.Bits.Win32.9 BackDoor-AZF.dll W32/Backdoor.SUAV-1947 Backdoor/Bits.b Backdoor:Win32/Bits.B Backdoor.Win32.Bits Bck/Bits.A Backdoor.Bits!2M7xWD4MAec", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-AZF.dll": [[26, 42], [216, 232]], "Indicator: BKDR_BITS.B": [[43, 54], [101, 112]], "Indicator: W32/Backdoor.FPJ": [[55, 71]], "Indicator: Backdoor.Trojan": [[72, 87]], "Indicator: Win32/Bits.A": [[88, 100]], "Indicator: Backdoor.Win32.Bits": [[113, 132], [294, 313]], "Indicator: Trojan.Win32.Bits.dlhcqc": [[133, 157]], "Indicator: Backdoor.Win32.Bits.A": [[158, 179]], "Indicator: BackDoor.Bits": [[180, 193]], "Indicator: Backdoor.Bits.Win32.9": [[194, 215]], "Indicator: W32/Backdoor.SUAV-1947": [[233, 255]], "Indicator: Backdoor/Bits.b": [[256, 271]], "Indicator: Backdoor:Win32/Bits.B": [[272, 293]], "Indicator: Bck/Bits.A": [[314, 324]], "Indicator: Backdoor.Bits!2M7xWD4MAec": [[325, 350]]}, "info": {"id": "cyner2_5class_train_04951", "source": "cyner2_5class_train"}} +{"text": "Once installed , the RAT registers the infected device as shown below .", "spans": {}, "info": {"id": "cyner2_5class_train_04952", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.B13C Trojan.Blouiroet Trojan.Win32.Blouiroet.au Trojan.Win32.Blouiroet.evaxpp Trojan.Win32.Z.Symmi.3033600 
Troj.W32.Blouiroet!c Win32.Trojan.Blouiroet.Wvkk BehavesLike.Win32.Trojan.vc Trojan.Blouiroet.s Trojan.Symmi.D1371C Trojan.Win32.Blouiroet.au Trojan:Win32/Blouiroet.A Trojan/Win32.Blouiroet.C2267836 Trojan.Blouiroet Trj/CI.A Win32/Trojan.c10", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.B13C": [[26, 43]], "Indicator: Trojan.Blouiroet": [[44, 60], [345, 361]], "Indicator: Trojan.Win32.Blouiroet.au": [[61, 86], [262, 287]], "Indicator: Trojan.Win32.Blouiroet.evaxpp": [[87, 116]], "Indicator: Trojan.Win32.Z.Symmi.3033600": [[117, 145]], "Indicator: Troj.W32.Blouiroet!c": [[146, 166]], "Indicator: Win32.Trojan.Blouiroet.Wvkk": [[167, 194]], "Indicator: BehavesLike.Win32.Trojan.vc": [[195, 222]], "Indicator: Trojan.Blouiroet.s": [[223, 241]], "Indicator: Trojan.Symmi.D1371C": [[242, 261]], "Indicator: Trojan:Win32/Blouiroet.A": [[288, 312]], "Indicator: Trojan/Win32.Blouiroet.C2267836": [[313, 344]], "Indicator: Trj/CI.A": [[362, 370]], "Indicator: Win32/Trojan.c10": [[371, 387]]}, "info": {"id": "cyner2_5class_train_04953", "source": "cyner2_5class_train"}} +{"text": "From a single instance of the encoded JavaScript discovered in one version of this malware, we pivoted on the Command and Control C2 IPv4 address discovered during static analysis and deobfuscation, using our Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload.", "spans": {"Indicator: encoded JavaScript": [[30, 48]], "Malware: malware,": [[83, 91]], "Indicator: Command and Control C2 IPv4 address": [[110, 145]], "System: Threat Intelligence Service AutoFocus,": [[209, 247]], "Malware: malware": [[284, 291]], "Malware: a credential-stealing Trojan": [[349, 377]], "Malware: the final payload.": [[381, 399]]}, "info": {"id": "cyner2_5class_train_04954", "source": "cyner2_5class_train"}} +{"text": "We found no other information stolen from the victims 
to be accessible .", "spans": {}, "info": {"id": "cyner2_5class_train_04955", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VirTool.VBInject Trojan.Win32.Clicker!BT Trojan.Kazy.D6D077 Win32.Trojan.Trojan-Clicker.e Trojan.Win32.VB.dwztex Trojan.Win32.Z.Kazy.28676 Win32.HLLW.VBNA.based BehavesLike.Win32.Trojan.mz Trojan.Win32.TrojanClicker TrojanClicker.VB.fwe TR/Kazy.446583.222 TrojanClicker:Win32/Wimg.A Trojan.Win32.Clicker!BT TScope.Trojan.VB Trj/GdSda.A W32/TrojanClicker.OFQ!tr Win32/Trojan.de7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VirTool.VBInject": [[26, 42]], "Indicator: Trojan.Win32.Clicker!BT": [[43, 66], [309, 332]], "Indicator: Trojan.Kazy.D6D077": [[67, 85]], "Indicator: Win32.Trojan.Trojan-Clicker.e": [[86, 115]], "Indicator: Trojan.Win32.VB.dwztex": [[116, 138]], "Indicator: Trojan.Win32.Z.Kazy.28676": [[139, 164]], "Indicator: Win32.HLLW.VBNA.based": [[165, 186]], "Indicator: BehavesLike.Win32.Trojan.mz": [[187, 214]], "Indicator: Trojan.Win32.TrojanClicker": [[215, 241]], "Indicator: TrojanClicker.VB.fwe": [[242, 262]], "Indicator: TR/Kazy.446583.222": [[263, 281]], "Indicator: TrojanClicker:Win32/Wimg.A": [[282, 308]], "Indicator: TScope.Trojan.VB": [[333, 349]], "Indicator: Trj/GdSda.A": [[350, 361]], "Indicator: W32/TrojanClicker.OFQ!tr": [[362, 386]], "Indicator: Win32/Trojan.de7": [[387, 403]]}, "info": {"id": "cyner2_5class_train_04956", "source": "cyner2_5class_train"}} +{"text": "The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding .", "spans": {}, "info": {"id": "cyner2_5class_train_04957", "source": "cyner2_5class_train"}} +{"text": "Many of the strings in the application are XOR 'd with the key Kjk1MmphFG : After some additional requests , the dropper made a POST request to https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1 which returned a zip file containing the second stage binaries .", "spans": {"Indicator: 
https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1": [[144, 204]]}, "info": {"id": "cyner2_5class_train_04958", "source": "cyner2_5class_train"}} +{"text": "July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets ’ systems .", "spans": {"Malware: UEFI BIOS rootkit": [[81, 98]], "Malware: Remote Control System ( RCS )": [[113, 142]]}, "info": {"id": "cyner2_5class_train_04959", "source": "cyner2_5class_train"}} +{"text": "CONCLUSION We witness actors continually using open-source platforms , code and packages to create their own software .", "spans": {}, "info": {"id": "cyner2_5class_train_04960", "source": "cyner2_5class_train"}} +{"text": "The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete .", "spans": {"Malware: SpyNote RAT": [[4, 15]]}, "info": {"id": "cyner2_5class_train_04961", "source": "cyner2_5class_train"}} +{"text": "These attacks are targeted, but not spear-phished.", "spans": {"Indicator: attacks": [[6, 13]], "Indicator: spear-phished.": [[36, 50]]}, "info": {"id": "cyner2_5class_train_04962", "source": "cyner2_5class_train"}} +{"text": "CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding OLE interface of Microsoft Office to deliver malware.", "spans": {"Indicator: CVE-2017-0199": [[0, 13]], "Vulnerability: zero-day remote code execution vulnerability that": [[31, 80]], "Malware: exploit": [[102, 109]], "Malware: the Windows Object Linking and Embedding OLE": [[132, 176]], "System: Microsoft Office": [[190, 206]], "Malware: malware.": [[218, 226]]}, "info": {"id": "cyner2_5class_train_04963", "source": "cyner2_5class_train"}} +{"text": "By performing a deep analysis of the malware , we were able to extract the unpacked JAR file mycode.jar and reveal some very 
interesting code .", "spans": {"Indicator: mycode.jar": [[93, 103]]}, "info": {"id": "cyner2_5class_train_04964", "source": "cyner2_5class_train"}} +{"text": "The data targeted for theft also have similar formats .", "spans": {}, "info": {"id": "cyner2_5class_train_04965", "source": "cyner2_5class_train"}} +{"text": "The second stage The second stage apps contain the surveillanceware capabilities .", "spans": {}, "info": {"id": "cyner2_5class_train_04966", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Triosir.682 Backdoor:Win32/Rupski.A Trojan.Triosir! AdWare.AddLyrics Win32/Virus.Adware.cd5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Triosir.682": [[26, 44]], "Indicator: Backdoor:Win32/Rupski.A": [[45, 68]], "Indicator: Trojan.Triosir!": [[69, 84]], "Indicator: AdWare.AddLyrics": [[85, 101]], "Indicator: Win32/Virus.Adware.cd5": [[102, 124]]}, "info": {"id": "cyner2_5class_train_04967", "source": "cyner2_5class_train"}} +{"text": "sendAll function used to spread malicious messages to the contact list .", "spans": {}, "info": {"id": "cyner2_5class_train_04968", "source": "cyner2_5class_train"}} +{"text": "It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above , because a lot of vulnerabilities were patched in these versions .", "spans": {"System: Android 4.4.4": [[91, 104]]}, "info": {"id": "cyner2_5class_train_04969", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Win32.Injecter", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Win32.Injecter": [[26, 49]]}, "info": {"id": "cyner2_5class_train_04970", "source": "cyner2_5class_train"}} +{"text": "He also used his email account to log into various services in the video , which identifies him as the adware domain owner , beyond any doubt .", "spans": {}, "info": {"id": "cyner2_5class_train_04971", "source": "cyner2_5class_train"}} +{"text": "Ginp ’ s unusual 
target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank .", "spans": {"Malware: Ginp": [[0, 4]]}, "info": {"id": "cyner2_5class_train_04972", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Ginapass Trojan.Win32.Figina.ewevus Trojan.PWS.Figina Tool.DYAMAR.Win32.193 BehavesLike.Win32.Ransom.bc PWS:Win32/GinaPass.D Downloader.Delphi Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Ginapass": [[26, 44]], "Indicator: Trojan.Win32.Figina.ewevus": [[45, 71]], "Indicator: Trojan.PWS.Figina": [[72, 89]], "Indicator: Tool.DYAMAR.Win32.193": [[90, 111]], "Indicator: BehavesLike.Win32.Ransom.bc": [[112, 139]], "Indicator: PWS:Win32/GinaPass.D": [[140, 160]], "Indicator: Downloader.Delphi": [[161, 178]], "Indicator: Trj/CI.A": [[179, 187]]}, "info": {"id": "cyner2_5class_train_04973", "source": "cyner2_5class_train"}} +{"text": "Stage 1 : Exodus One The first stage installed by downloading the malicious apps uploaded on Google Play Store only acts as a dropper .", "spans": {"Malware: Exodus One": [[10, 20]], "System: Google Play Store": [[93, 110]]}, "info": {"id": "cyner2_5class_train_04974", "source": "cyner2_5class_train"}} +{"text": "They decrypt several archive files from the assets folder of the installation package , and launch an executable file from them with the name “ start. 
” The interesting thing is that the Trojan supports even the 64-bit version of Android , which is very rare .", "spans": {"System: Android": [[230, 237]]}, "info": {"id": "cyner2_5class_train_04975", "source": "cyner2_5class_train"}} +{"text": "Bitdefender Labs has issued a technical advisory to warn the public about a new wave of opportunistic attacks using a vulnerability in Zoho ManageEngine servers, which could affect tens of thousands of businesses.", "spans": {"Organization: Bitdefender Labs": [[0, 16]], "Organization: technical advisory": [[30, 48]], "Indicator: opportunistic attacks": [[88, 109]], "Vulnerability: vulnerability": [[118, 131]], "System: Zoho ManageEngine servers,": [[135, 161]], "Organization: businesses.": [[202, 213]]}, "info": {"id": "cyner2_5class_train_04976", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Clicker!BT Win32.Trojan.WisdomEyes.16070401.9500.9503 Uds.Dangerousobject.Multi!c trojanclicker.msil.fakeie.a TR/Dropper.MSIL.138467 Trojan.MSIL.Krypt.2 TrojanClicker:MSIL/FakeIE.A Trojan.Win32.Clicker!BT Downloader.MSIL.ASXS Win32/Trojan.d60", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Clicker!BT": [[26, 49], [220, 243]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9503": [[50, 92]], "Indicator: Uds.Dangerousobject.Multi!c": [[93, 120]], "Indicator: trojanclicker.msil.fakeie.a": [[121, 148]], "Indicator: TR/Dropper.MSIL.138467": [[149, 171]], "Indicator: Trojan.MSIL.Krypt.2": [[172, 191]], "Indicator: TrojanClicker:MSIL/FakeIE.A": [[192, 219]], "Indicator: Downloader.MSIL.ASXS": [[244, 264]], "Indicator: Win32/Trojan.d60": [[265, 281]]}, "info": {"id": "cyner2_5class_train_04977", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Fujacks.AB Packed.Win32.TDSS!O W32/Fujacks.s Worm.Fujack.Win32.6 W32/Fujacks.aa.2 PE_FUJACKS.EA Win32.Worm.BMW.b W32/Fujack.R W32.Fujacks.E Win32/Emerleox.CO PE_FUJACKS.EA Win.Worm.Fujack-8 Worm.Win32.Fujack.aa 
Win32.Worm.Fujacks.AB Trojan.Win32.Fujack.nsvf W32.W.Fujack.kZ4V Virus.Win32.Viking.a Win32.Worm.Fujacks.AB Win32.HLLP.Whboy.80 BehavesLike.Win32.MultiPlug.th W32/Fujack.R Worm/Viking.Tail TR/Drop.Hupigon.kmx Trojan[Packed]/Win32.CPEX-based Win32.WhBoy.aa.183492 Trojan:WinNT/Kangkio.A Win32.Worm.Fujacks.AB Win32.WhBoy.AJ Worm.Win32.Fujack.aa Win32.Virus.Neshta.D Win32/Dellboy.Z Win32.Worm.Fujacks.AB Win32.HLLW.Whboy RiskWare.Tool.CK Win32.Fujacks.AD Win32/Fujacks.AD Win32.HLLP.WHBoy.AP Worm.Win32.Fujack W32/BoyhW.V Virus.Win32.Viking.LB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Fujacks.AB": [[26, 47], [248, 269], [334, 355], [534, 555], [629, 650]], "Indicator: Packed.Win32.TDSS!O": [[48, 67]], "Indicator: W32/Fujacks.s": [[68, 81]], "Indicator: Worm.Fujack.Win32.6": [[82, 101]], "Indicator: W32/Fujacks.aa.2": [[102, 118]], "Indicator: PE_FUJACKS.EA": [[119, 132], [195, 208]], "Indicator: Win32.Worm.BMW.b": [[133, 149]], "Indicator: W32/Fujack.R": [[150, 162], [407, 419]], "Indicator: W32.Fujacks.E": [[163, 176]], "Indicator: Win32/Emerleox.CO": [[177, 194]], "Indicator: Win.Worm.Fujack-8": [[209, 226]], "Indicator: Worm.Win32.Fujack.aa": [[227, 247], [571, 591]], "Indicator: Trojan.Win32.Fujack.nsvf": [[270, 294]], "Indicator: W32.W.Fujack.kZ4V": [[295, 312]], "Indicator: Virus.Win32.Viking.a": [[313, 333]], "Indicator: Win32.HLLP.Whboy.80": [[356, 375]], "Indicator: BehavesLike.Win32.MultiPlug.th": [[376, 406]], "Indicator: Worm/Viking.Tail": [[420, 436]], "Indicator: TR/Drop.Hupigon.kmx": [[437, 456]], "Indicator: Trojan[Packed]/Win32.CPEX-based": [[457, 488]], "Indicator: Win32.WhBoy.aa.183492": [[489, 510]], "Indicator: Trojan:WinNT/Kangkio.A": [[511, 533]], "Indicator: Win32.WhBoy.AJ": [[556, 570]], "Indicator: Win32.Virus.Neshta.D": [[592, 612]], "Indicator: Win32/Dellboy.Z": [[613, 628]], "Indicator: Win32.HLLW.Whboy": [[651, 667]], "Indicator: RiskWare.Tool.CK": [[668, 684]], "Indicator: Win32.Fujacks.AD": [[685, 701]], "Indicator: 
Win32/Fujacks.AD": [[702, 718]], "Indicator: Win32.HLLP.WHBoy.AP": [[719, 738]], "Indicator: Worm.Win32.Fujack": [[739, 756]], "Indicator: W32/BoyhW.V": [[757, 768]], "Indicator: Virus.Win32.Viking.LB": [[769, 790]]}, "info": {"id": "cyner2_5class_train_04978", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.E05F81 Win32.HLLW.Autoruner2.27649 BehavesLike.Win32.Fake.dc Worm:Win32/Namepuk.A HEUR/Fakon.mwf Trojan.FKM!1pKOHJnJsdU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.E05F81": [[26, 44]], "Indicator: Win32.HLLW.Autoruner2.27649": [[45, 72]], "Indicator: BehavesLike.Win32.Fake.dc": [[73, 98]], "Indicator: Worm:Win32/Namepuk.A": [[99, 119]], "Indicator: HEUR/Fakon.mwf": [[120, 134]], "Indicator: Trojan.FKM!1pKOHJnJsdU": [[135, 157]]}, "info": {"id": "cyner2_5class_train_04979", "source": "cyner2_5class_train"}} +{"text": "Open source reporting recently indicated new activity from the Iranian actor publicly known as Greenbug targeting Saudi Arabia.", "spans": {}, "info": {"id": "cyner2_5class_train_04980", "source": "cyner2_5class_train"}} +{"text": "Following on from our post on Angler EK we are going to expose the mechanics behind the Bedep ad-fraud malware.", "spans": {"Malware: Angler EK": [[30, 39]], "Malware: Bedep ad-fraud malware.": [[88, 111]]}, "info": {"id": "cyner2_5class_train_04981", "source": "cyner2_5class_train"}} +{"text": "The exploit files involved were identical to the Hacking Team's leaked exploit HTML, JavaScript, and ShockWave Flash 0-day files.", "spans": {"Malware: exploit": [[4, 11], [71, 78]], "Indicator: files": [[12, 17]], "Organization: Hacking Team's": [[49, 63]], "Indicator: HTML, JavaScript,": [[79, 96]], "Indicator: ShockWave Flash 0-day files.": [[101, 129]]}, "info": {"id": "cyner2_5class_train_04982", "source": "cyner2_5class_train"}} +{"text": "Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to 
Suckfly.", "spans": {"Indicator: attacks": [[42, 49]]}, "info": {"id": "cyner2_5class_train_04983", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Koutodoor!O Trojan.Koutodoor.E Win32.Rootkit.Koutodoor.a Trojan.Koutodoor TROJ_DLOADR.SMOM Backdoor.Win32.Koutodoor.aihc Trojan.Win32.RKDoor.evaszd Backdoor.Win32.Koutodoor.HC Trojan.DownLoader3.76 Trojan.Koutodoor.Win32.5401 TROJ_DLOADR.SMOM Trojan.Rootkit.Pakes W32.Backdoor.Koutodoor Trojan[Backdoor]/Win32.Koutodoor Win32.Troj.JunkcodeT.a.188672 Trojan.Koutodoor.12 Backdoor.Win32.Koutodoor.aihc TrojanDropper:Win32/Minmal.A Backdoor/Win32.Koutodoor.R1785 Trojan.PSW.Win32.OnlineGame.d Trojan.Win32.Koutodoor.AN", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Koutodoor!O": [[26, 52]], "Indicator: Trojan.Koutodoor.E": [[53, 71]], "Indicator: Win32.Rootkit.Koutodoor.a": [[72, 97]], "Indicator: Trojan.Koutodoor": [[98, 114]], "Indicator: TROJ_DLOADR.SMOM": [[115, 131], [267, 283]], "Indicator: Backdoor.Win32.Koutodoor.aihc": [[132, 161], [411, 440]], "Indicator: Trojan.Win32.RKDoor.evaszd": [[162, 188]], "Indicator: Backdoor.Win32.Koutodoor.HC": [[189, 216]], "Indicator: Trojan.DownLoader3.76": [[217, 238]], "Indicator: Trojan.Koutodoor.Win32.5401": [[239, 266]], "Indicator: Trojan.Rootkit.Pakes": [[284, 304]], "Indicator: W32.Backdoor.Koutodoor": [[305, 327]], "Indicator: Trojan[Backdoor]/Win32.Koutodoor": [[328, 360]], "Indicator: Win32.Troj.JunkcodeT.a.188672": [[361, 390]], "Indicator: Trojan.Koutodoor.12": [[391, 410]], "Indicator: TrojanDropper:Win32/Minmal.A": [[441, 469]], "Indicator: Backdoor/Win32.Koutodoor.R1785": [[470, 500]], "Indicator: Trojan.PSW.Win32.OnlineGame.d": [[501, 530]], "Indicator: Trojan.Win32.Koutodoor.AN": [[531, 556]]}, "info": {"id": "cyner2_5class_train_04984", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.MSIL Exploit.Win32.CVE20130074.eupinx W32/Trojan.QBBK-0155 Exploit.MSIL.cn 
EXP/CVE-2013-0074.cpsmi Exploit:MSIL/CVE-2016-0034.B Trj/GdSda.A Trojan.Win32.Exploit W32/CVE_2013_0074.GW!tr Win32/Trojan.Exploit.d89", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.MSIL": [[26, 38]], "Indicator: Exploit.Win32.CVE20130074.eupinx": [[39, 71]], "Indicator: W32/Trojan.QBBK-0155": [[72, 92]], "Indicator: Exploit.MSIL.cn": [[93, 108]], "Indicator: EXP/CVE-2013-0074.cpsmi": [[109, 132]], "Indicator: Exploit:MSIL/CVE-2016-0034.B": [[133, 161]], "Indicator: Trj/GdSda.A": [[162, 173]], "Indicator: Trojan.Win32.Exploit": [[174, 194]], "Indicator: W32/CVE_2013_0074.GW!tr": [[195, 218]], "Indicator: Win32/Trojan.Exploit.d89": [[219, 243]]}, "info": {"id": "cyner2_5class_train_04985", "source": "cyner2_5class_train"}} +{"text": "China seems to a mass victim of this kind of malware having a 92 % share .", "spans": {}, "info": {"id": "cyner2_5class_train_04986", "source": "cyner2_5class_train"}} +{"text": "Code snippets showing : the decoding algorithm shared by both Bouncing Golf and Domestic Kitten ( top ) , the format of data that Domestic Kitten ’ s malware targets to steal ( center ) , and how both Bouncing Golf ( bottom left ) and Domestic Kitten ( bottom right ) use \" \" as a separator in their command strings .", "spans": {"Malware: Bouncing Golf": [[62, 75], [201, 214]], "Malware: Domestic Kitten": [[80, 95], [130, 145], [235, 250]]}, "info": {"id": "cyner2_5class_train_04987", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanSpy.VBChuchelo.bk Trojan/Spy.VBChuchelo.g Trojan-Spy.Win32.VBChuchelo TrojanSpy.VBChuchelo.G Win32/Spy.KeyLogger.NDE Trojan-Downloader.Win32.Noesis.11.B!IK W32/VBTroj.WTX Trojan.VB-7191 Trojan-Spy.Win32.VBChuchelo.g Backdoor.VB.1 TrojWare.Win32.TrojanSpy.VB.~FJ Trojan-Spy.Win32.VBChuchelo.g TrojanSpy.VBChuchelo.v Backdoor.Trojan Backdoor:Win32/Zumamumy.A Trojan.Win32.VBChuchelo.106667 Backdoor.VB.1 Win-Trojan/Vbchuchelo.106658 Trojan-Spy.Win32.VBChuchelo.g 
Trojan-Downloader.Win32.Noesis.11.B Dropper.Tiny Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanSpy.VBChuchelo.bk": [[26, 49]], "Indicator: Trojan/Spy.VBChuchelo.g": [[50, 73]], "Indicator: Trojan-Spy.Win32.VBChuchelo": [[74, 101]], "Indicator: TrojanSpy.VBChuchelo.G": [[102, 124]], "Indicator: Win32/Spy.KeyLogger.NDE": [[125, 148]], "Indicator: Trojan-Downloader.Win32.Noesis.11.B!IK": [[149, 187]], "Indicator: W32/VBTroj.WTX": [[188, 202]], "Indicator: Trojan.VB-7191": [[203, 217]], "Indicator: Trojan-Spy.Win32.VBChuchelo.g": [[218, 247], [294, 323], [463, 492]], "Indicator: Backdoor.VB.1": [[248, 261], [420, 433]], "Indicator: TrojWare.Win32.TrojanSpy.VB.~FJ": [[262, 293]], "Indicator: TrojanSpy.VBChuchelo.v": [[324, 346]], "Indicator: Backdoor.Trojan": [[347, 362]], "Indicator: Backdoor:Win32/Zumamumy.A": [[363, 388]], "Indicator: Trojan.Win32.VBChuchelo.106667": [[389, 419]], "Indicator: Win-Trojan/Vbchuchelo.106658": [[434, 462]], "Indicator: Trojan-Downloader.Win32.Noesis.11.B": [[493, 528]], "Indicator: Dropper.Tiny": [[529, 541]], "Indicator: Trj/Downloader.MDW": [[542, 560]]}, "info": {"id": "cyner2_5class_train_04988", "source": "cyner2_5class_train"}} +{"text": "That is actually how the bad guys decided to monetize the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_04989", "source": "cyner2_5class_train"}} +{"text": "The bulk of the victims were predominantly based out of Ecuador, Venezuela, Peru, Argentina, and Columbia; however, other victims were identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine.", "spans": {"Organization: victims": [[16, 23], [122, 129]]}, "info": {"id": "cyner2_5class_train_04990", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.Yabinder.2.0 Trojan.DR.Yabinder!OrBzj5WtPwc Win32/Yabinder.20 W32/Yabinder.C W32.Slackor.dr Slacke.A TROJ_YABINDER.20 
Trojan.Yabinder.20B TrojanDropper.Yabinder.2.0 TrojWare.Win32.Yabinder.20 TrojanDropper.Yabinder.2.0 Trojan.MulDrop.310 TR/Yabinder.20.B TROJ_YABINDER.20 Win32/TrojanRunner.Yab.200 W32/Yabinder.C TrojanDropper:Win32/Yabinder.2_0 Backdoor.Win32.Bifrose.168361 TrojanDropper.Yabinder.2.0 Dropper/Yabinder.9728 Backdoor.Win32.Bifrose.bco Malware.Slackor Trojan.Yabinder.a Trojan-Dropper.Win32.Yabinder.20 W32/Yabinder.C!tr Dropper.Yabinder.A Trj/Yabinder.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Yabinder.2.0": [[26, 52], [178, 204], [232, 258], [417, 443]], "Indicator: Trojan.DR.Yabinder!OrBzj5WtPwc": [[53, 83]], "Indicator: Win32/Yabinder.20": [[84, 101]], "Indicator: W32/Yabinder.C": [[102, 116], [339, 353]], "Indicator: W32.Slackor.dr": [[117, 131]], "Indicator: Slacke.A": [[132, 140]], "Indicator: TROJ_YABINDER.20": [[141, 157], [295, 311]], "Indicator: Trojan.Yabinder.20B": [[158, 177]], "Indicator: TrojWare.Win32.Yabinder.20": [[205, 231]], "Indicator: Trojan.MulDrop.310": [[259, 277]], "Indicator: TR/Yabinder.20.B": [[278, 294]], "Indicator: Win32/TrojanRunner.Yab.200": [[312, 338]], "Indicator: TrojanDropper:Win32/Yabinder.2_0": [[354, 386]], "Indicator: Backdoor.Win32.Bifrose.168361": [[387, 416]], "Indicator: Dropper/Yabinder.9728": [[444, 465]], "Indicator: Backdoor.Win32.Bifrose.bco": [[466, 492]], "Indicator: Malware.Slackor": [[493, 508]], "Indicator: Trojan.Yabinder.a": [[509, 526]], "Indicator: Trojan-Dropper.Win32.Yabinder.20": [[527, 559]], "Indicator: W32/Yabinder.C!tr": [[560, 577]], "Indicator: Dropper.Yabinder.A": [[578, 596]], "Indicator: Trj/Yabinder.A": [[597, 611]]}, "info": {"id": "cyner2_5class_train_04991", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_YUHAK.A Trojan.MulDrop7.49600 Ransom_YUHAK.A BehavesLike.Win32.PWSZbot.dh TR/RedCap.cgaww Trojan.Heur.RP.E93A3E Ransom:Win32/Wagcrypt.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_YUHAK.A": [[26, 40], [63, 77]], 
"Indicator: Trojan.MulDrop7.49600": [[41, 62]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[78, 106]], "Indicator: TR/RedCap.cgaww": [[107, 122]], "Indicator: Trojan.Heur.RP.E93A3E": [[123, 144]], "Indicator: Ransom:Win32/Wagcrypt.A": [[145, 168]]}, "info": {"id": "cyner2_5class_train_04992", "source": "cyner2_5class_train"}} +{"text": "Project Spy ’ s earlier versions Searching for the domain in our sample database , we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019 .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "cyner2_5class_train_04993", "source": "cyner2_5class_train"}} +{"text": "One of these , called Marcher ( aka Exobot ) , seems to be especially active with different samples appearing on a daily basis .", "spans": {"Malware: Marcher": [[22, 29]], "Malware: Exobot": [[36, 42]]}, "info": {"id": "cyner2_5class_train_04994", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE BehavesLike.Win32.Trojan.cc Trojan[Dropper]/Win32.Gluer TrojanDropper:Win32/Gluer.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: BehavesLike.Win32.Trojan.cc": [[48, 75]], "Indicator: Trojan[Dropper]/Win32.Gluer": [[76, 103]], "Indicator: TrojanDropper:Win32/Gluer.dam#2": [[104, 135]]}, "info": {"id": "cyner2_5class_train_04995", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DOS.Filemaker.A Trojan.DOS.Filemaker.A Filemaker.b Trojan.DOS.Filemaker Trojan.DOS.Filemaker.A TrojWare.DOS.Filemaker Trojan.DOS.Filemaker.A Trojan.Filemaker TR/Filemaker.A Filemaker.b Trojan/DOS.DOS Trojan.DOS.Filemaker.A Filemaker.A Trojan.DOS.Filemaker Malware_fam.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DOS.Filemaker.A": [[26, 48], [49, 71], [105, 127], [151, 173], [233, 255]], "Indicator: Filemaker.b": [[72, 83], [206, 217]], "Indicator: Trojan.DOS.Filemaker": [[84, 
104], [268, 288]], "Indicator: TrojWare.DOS.Filemaker": [[128, 150]], "Indicator: Trojan.Filemaker": [[174, 190]], "Indicator: TR/Filemaker.A": [[191, 205]], "Indicator: Trojan/DOS.DOS": [[218, 232]], "Indicator: Filemaker.A": [[256, 267]], "Indicator: Malware_fam.B": [[289, 302]]}, "info": {"id": "cyner2_5class_train_04996", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan2.OWYQ Trojan.Msil W32/Trojan.FRCA-1486 Trojan.Spacekito Trojan.Zusy.D177A1 Trojan:MSIL/Spacekito.E PUP/Win32.Vittalia.R124797 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[26, 68]], "Indicator: W32/Trojan2.OWYQ": [[69, 85]], "Indicator: Trojan.Msil": [[86, 97]], "Indicator: W32/Trojan.FRCA-1486": [[98, 118]], "Indicator: Trojan.Spacekito": [[119, 135]], "Indicator: Trojan.Zusy.D177A1": [[136, 154]], "Indicator: Trojan:MSIL/Spacekito.E": [[155, 178]], "Indicator: PUP/Win32.Vittalia.R124797": [[179, 205]], "Indicator: Trj/CI.A": [[206, 214]]}, "info": {"id": "cyner2_5class_train_04997", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DownLoader25.42759 BehavesLike.Win32.BadFile.gh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader25.42759": [[26, 51]], "Indicator: BehavesLike.Win32.BadFile.gh": [[52, 80]]}, "info": {"id": "cyner2_5class_train_04998", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Banker.Win32.82933 Win32.Trojan.WisdomEyes.16070401.9500.9712 Trojan.Zbot Trojan-Spy.MSIL.Banker.jc Trojan.Win32.Banker.datvyw Troj.Spy.MSIL.Banker.jc!c Trojan-Spy.MSIL.CliBanker TR/Spy.Clipug.A.11 Win32.Troj.Banker.kcloud TrojanSpy:MSIL/Clipug.A Trojan.Kazy.D5F205 Trojan-Spy.MSIL.Banker.jc Trojan/Win32.ClipBanker.C415793 Trj/Dtcontx.M Msil.Trojan-spy.Banker.Ecua Trojan.ClipBanker! 
MSIL/ClipBanker.A!tr Win32/Trojan.Spy.b4a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Banker.Win32.82933": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9712": [[52, 94]], "Indicator: Trojan.Zbot": [[95, 106]], "Indicator: Trojan-Spy.MSIL.Banker.jc": [[107, 132], [299, 324]], "Indicator: Trojan.Win32.Banker.datvyw": [[133, 159]], "Indicator: Troj.Spy.MSIL.Banker.jc!c": [[160, 185]], "Indicator: Trojan-Spy.MSIL.CliBanker": [[186, 211]], "Indicator: TR/Spy.Clipug.A.11": [[212, 230]], "Indicator: Win32.Troj.Banker.kcloud": [[231, 255]], "Indicator: TrojanSpy:MSIL/Clipug.A": [[256, 279]], "Indicator: Trojan.Kazy.D5F205": [[280, 298]], "Indicator: Trojan/Win32.ClipBanker.C415793": [[325, 356]], "Indicator: Trj/Dtcontx.M": [[357, 370]], "Indicator: Msil.Trojan-spy.Banker.Ecua": [[371, 398]], "Indicator: Trojan.ClipBanker!": [[399, 417]], "Indicator: MSIL/ClipBanker.A!tr": [[418, 438]], "Indicator: Win32/Trojan.Spy.b4a": [[439, 459]]}, "info": {"id": "cyner2_5class_train_04999", "source": "cyner2_5class_train"}} +{"text": "Its main purpose is to download archives and execute the “ start ” binary from them .", "spans": {}, "info": {"id": "cyner2_5class_train_05000", "source": "cyner2_5class_train"}} +{"text": "Calling functionality Command PHOCAs7 initiates calling functionality .", "spans": {}, "info": {"id": "cyner2_5class_train_05001", "source": "cyner2_5class_train"}} +{"text": "] 114 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05002", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.AutoRun Worm.W32.Autorun!c Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareF.OZHN Worm.Win32.AutoRun.bhzt Trojan.Win32.DownLoad2.dfarbo Win32.Worm.Autorun.Wvuf Trojan.DownLoad2.11039 Trojan.Patched.Win32.123715 BehavesLike.Win32.Downloader.nt W32/Risk.AVZF-7617 Worm/AutoRun.yjm Trojan.Graftor.D1B4A5 Worm.Win32.AutoRun.bhzt Worm/Win32.AutoRun.C2342249 Trojan.Meredrop!NKOc3oKULjk Worm.Win32.AutoRun 
W32/AutoRun.BHZT!worm Trj/CI.A Win32/Trojan.e1e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.AutoRun": [[26, 38]], "Indicator: Worm.W32.Autorun!c": [[39, 57]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[58, 100]], "Indicator: W32/MalwareF.OZHN": [[101, 118]], "Indicator: Worm.Win32.AutoRun.bhzt": [[119, 142], [338, 361]], "Indicator: Trojan.Win32.DownLoad2.dfarbo": [[143, 172]], "Indicator: Win32.Worm.Autorun.Wvuf": [[173, 196]], "Indicator: Trojan.DownLoad2.11039": [[197, 219]], "Indicator: Trojan.Patched.Win32.123715": [[220, 247]], "Indicator: BehavesLike.Win32.Downloader.nt": [[248, 279]], "Indicator: W32/Risk.AVZF-7617": [[280, 298]], "Indicator: Worm/AutoRun.yjm": [[299, 315]], "Indicator: Trojan.Graftor.D1B4A5": [[316, 337]], "Indicator: Worm/Win32.AutoRun.C2342249": [[362, 389]], "Indicator: Trojan.Meredrop!NKOc3oKULjk": [[390, 417]], "Indicator: Worm.Win32.AutoRun": [[418, 436]], "Indicator: W32/AutoRun.BHZT!worm": [[437, 458]], "Indicator: Trj/CI.A": [[459, 467]], "Indicator: Win32/Trojan.e1e": [[468, 484]]}, "info": {"id": "cyner2_5class_train_05003", "source": "cyner2_5class_train"}} +{"text": "Once the event is triggered , it registers a timer .", "spans": {}, "info": {"id": "cyner2_5class_train_05004", "source": "cyner2_5class_train"}} +{"text": "The report analyzed the entirety of the purported attack campaign, beginning in 2009 using a family of tools dubbed Troy'.", "spans": {"Malware: family of tools": [[93, 108]], "Malware: Troy'.": [[116, 122]]}, "info": {"id": "cyner2_5class_train_05005", "source": "cyner2_5class_train"}} +{"text": "The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors associated with Operation Lotus Blossom.", "spans": {"Malware: payload": [[4, 11]], "Indicator: attacks": [[25, 32]], "Malware: the Emissary Trojan": [[65, 84]]}, "info": {"id": "cyner2_5class_train_05006", "source": 
"cyner2_5class_train"}} +{"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy .", "spans": {}, "info": {"id": "cyner2_5class_train_05007", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.TDSS!O Nettool.Ultrasurf Trojan/AutoRun.VB.axp Win32.Trojan.WisdomEyes.16070401.9500.9864 W32/Trojan4.MDT Win.Trojan.7355760-1 TrojWare.Win32.Patched.KSU Tool.UltraSurf.Win32.14 BehavesLike.Win32.FakeAlertSecurityTool.hc W32/Trojan.VIDV-4226 Win32.Troj.Undef.kcloud Trojan.Heur.VB.KieddGFnVEmi Trojan:Win32/Cossta.A Trojan/Win32.Cossta.C77631 Trojan.Dynamer!q0c68r1YFqw W32/VB.AXP!tr Trojan.VBRA.02198 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.TDSS!O": [[26, 45]], "Indicator: Nettool.Ultrasurf": [[46, 63]], "Indicator: Trojan/AutoRun.VB.axp": [[64, 85]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9864": [[86, 128]], "Indicator: W32/Trojan4.MDT": [[129, 144]], "Indicator: Win.Trojan.7355760-1": [[145, 165]], "Indicator: TrojWare.Win32.Patched.KSU": [[166, 192]], "Indicator: Tool.UltraSurf.Win32.14": [[193, 216]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.hc": [[217, 259]], "Indicator: W32/Trojan.VIDV-4226": [[260, 280]], "Indicator: Win32.Troj.Undef.kcloud": [[281, 304]], "Indicator: Trojan.Heur.VB.KieddGFnVEmi": [[305, 332]], "Indicator: Trojan:Win32/Cossta.A": [[333, 354]], "Indicator: Trojan/Win32.Cossta.C77631": [[355, 381]], "Indicator: Trojan.Dynamer!q0c68r1YFqw": [[382, 408]], "Indicator: W32/VB.AXP!tr": [[409, 422]], "Indicator: Trojan.VBRA.02198": [[423, 440]], "Indicator: Trj/CI.A": [[441, 449]]}, "info": {"id": "cyner2_5class_train_05008", "source": "cyner2_5class_train"}} +{"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution .", "spans": 
{"System: Android": [[33, 40]]}, "info": {"id": "cyner2_5class_train_05009", "source": "cyner2_5class_train"}} +{"text": "The Cybereason Nocturnus team will continue to monitor EventBot ’ s development .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[55, 63]]}, "info": {"id": "cyner2_5class_train_05010", "source": "cyner2_5class_train"}} +{"text": "Activation cycle As we have explained above , the malware has several defence mechanisms .", "spans": {}, "info": {"id": "cyner2_5class_train_05011", "source": "cyner2_5class_train"}} +{"text": "A series of pilot runs were executed .", "spans": {}, "info": {"id": "cyner2_5class_train_05012", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: TROJ_MINER.AUSC TROJ_MINER.AUSC JS/Coinminer.EFAB!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_MINER.AUSC": [[43, 58], [59, 74]], "Indicator: JS/Coinminer.EFAB!tr.dldr": [[75, 100]]}, "info": {"id": "cyner2_5class_train_05013", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Bladabindi.FC.1799 Trojan.Zusy.D17364 Win32.Trojan.WisdomEyes.16070401.9500.9949 TrojWare.MSIL.Dynamer.AS Trojan.DownLoader12.58576 Trojan.Msil W32/Trojan.PPUX-1583 Trj/GdSda.A Win32/Trojan.744", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bladabindi.FC.1799": [[26, 53]], "Indicator: Trojan.Zusy.D17364": [[54, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9949": [[73, 115]], "Indicator: TrojWare.MSIL.Dynamer.AS": [[116, 140]], "Indicator: Trojan.DownLoader12.58576": [[141, 166]], "Indicator: Trojan.Msil": [[167, 178]], "Indicator: W32/Trojan.PPUX-1583": [[179, 199]], "Indicator: Trj/GdSda.A": [[200, 211]], "Indicator: Win32/Trojan.744": [[212, 228]]}, "info": {"id": "cyner2_5class_train_05014", "source": "cyner2_5class_train"}} +{"text": "] 26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp : //88.99.227 [ .", "spans": {"Indicator: hxxp : //88.99.227 [ .": 
[[48, 70]]}, "info": {"id": "cyner2_5class_train_05015", "source": "cyner2_5class_train"}} +{"text": "Secondly, PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present.", "spans": {"System: PowerShell": [[10, 20]], "Vulnerability: can be used to steal": [[21, 41]], "Indicator: usernames, passwords,": [[42, 63]], "Indicator: system information": [[74, 92]], "Vulnerability: without an executable file being present.": [[93, 134]]}, "info": {"id": "cyner2_5class_train_05016", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.YahuPass!O Worm.Zaphal Trojan/PSW.YahuPass.jo Trojan.Graftor.D3448 Win32.Trojan.Delf.ff Win.Trojan.Yahupass-1 Trojan.Win32.Scar.oeuq Trojan.Win32.YahuPass.cthys Trojan.Win32.Z.Yahupass.575793 Trojan/PSW.YahuPass.y Trojan[PSW]/Win32.YahuPass Worm:Win32/Zaphal.B Troj.W32.Scar!c Trojan.Win32.Scar.oeuq Trojan/Win32.Losel.C65535 Trojan.Scar Win32/Spy.Delf.OPX Win32.Trojan.Scar.Alis Trojan.PWS.YahuPass!c1rtyKxFJLA Win32/Trojan.57c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.YahuPass!O": [[26, 53]], "Indicator: Worm.Zaphal": [[54, 65]], "Indicator: Trojan/PSW.YahuPass.jo": [[66, 88]], "Indicator: Trojan.Graftor.D3448": [[89, 109]], "Indicator: Win32.Trojan.Delf.ff": [[110, 130]], "Indicator: Win.Trojan.Yahupass-1": [[131, 152]], "Indicator: Trojan.Win32.Scar.oeuq": [[153, 175], [320, 342]], "Indicator: Trojan.Win32.YahuPass.cthys": [[176, 203]], "Indicator: Trojan.Win32.Z.Yahupass.575793": [[204, 234]], "Indicator: Trojan/PSW.YahuPass.y": [[235, 256]], "Indicator: Trojan[PSW]/Win32.YahuPass": [[257, 283]], "Indicator: Worm:Win32/Zaphal.B": [[284, 303]], "Indicator: Troj.W32.Scar!c": [[304, 319]], "Indicator: Trojan/Win32.Losel.C65535": [[343, 368]], "Indicator: Trojan.Scar": [[369, 380]], "Indicator: Win32/Spy.Delf.OPX": [[381, 399]], "Indicator: Win32.Trojan.Scar.Alis": [[400, 422]], "Indicator: 
Trojan.PWS.YahuPass!c1rtyKxFJLA": [[423, 454]], "Indicator: Win32/Trojan.57c": [[455, 471]]}, "info": {"id": "cyner2_5class_train_05017", "source": "cyner2_5class_train"}} +{"text": "As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.", "spans": {"Vulnerability: CVE-2017-0199": [[35, 48]], "Malware: exploited for": [[53, 66]], "Indicator: attack,": [[70, 77]], "Indicator: new attack": [[116, 126]], "Vulnerability: vulnerability": [[172, 185]]}, "info": {"id": "cyner2_5class_train_05018", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Dropper.Neblso W32/Dropper.CPO Trojan.Dropper TROJ_MULTIDRP.LA Trojan-Dropper.Win32.Neblso Trojan.Win32.Neblso.dkkt Trojan.Win32.PSWLdPinch.41277 Troj.Dropper.W32.Neblso!c Trojan.MulDrop.911 Dropper.Neblso.Win32.7 TROJ_MULTIDRP.LA BehavesLike.Win32.VirRansom.pc Trojan-Dropper.Win32.Neblso W32/Risk.OJSS-0633 TrojanDropper.Ichitaro.Tarodrop.g Trojan[Dropper]/Win32.Neblso Trojan-Dropper.Win32.Neblso Dropper/Win32.Xema.C62110 TrojanDropper.Neblso Win32/TrojanDropper.Neblso Trojan.MultiDrop!Nb+sQh+u4tI W32/Dropper.BBBT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Dropper.Neblso": [[26, 47]], "Indicator: W32/Dropper.CPO": [[48, 63]], "Indicator: Trojan.Dropper": [[64, 78]], "Indicator: TROJ_MULTIDRP.LA": [[79, 95], [247, 263]], "Indicator: Trojan-Dropper.Win32.Neblso": [[96, 123], [295, 322], [405, 432]], "Indicator: Trojan.Win32.Neblso.dkkt": [[124, 148]], "Indicator: Trojan.Win32.PSWLdPinch.41277": [[149, 178]], "Indicator: Troj.Dropper.W32.Neblso!c": [[179, 204]], "Indicator: Trojan.MulDrop.911": [[205, 223]], "Indicator: Dropper.Neblso.Win32.7": [[224, 246]], "Indicator: BehavesLike.Win32.VirRansom.pc": [[264, 294]], "Indicator: W32/Risk.OJSS-0633": [[323, 341]], "Indicator: 
TrojanDropper.Ichitaro.Tarodrop.g": [[342, 375]], "Indicator: Trojan[Dropper]/Win32.Neblso": [[376, 404]], "Indicator: Dropper/Win32.Xema.C62110": [[433, 458]], "Indicator: TrojanDropper.Neblso": [[459, 479]], "Indicator: Win32/TrojanDropper.Neblso": [[480, 506]], "Indicator: Trojan.MultiDrop!Nb+sQh+u4tI": [[507, 535]], "Indicator: W32/Dropper.BBBT!tr": [[536, 555]]}, "info": {"id": "cyner2_5class_train_05019", "source": "cyner2_5class_train"}} +{"text": "Bitcoin was the preferred transaction currency.", "spans": {}, "info": {"id": "cyner2_5class_train_05020", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.RedSpy.Win32.12 Trojan.Heur.E7FD56 Win32.Trojan.WisdomEyes.16070401.9500.9966 W32/Backdoor2.WQR Backdoor.Trojan Backdoor.Win32.RedSpy.12 Trojan.Win32.RedSpy.bnfsv Backdoor.Win32.A.RedSpy.407552 BackDoor.Redspy.12 W32/Backdoor.ZOHG-8805 Trojan[Backdoor]/Win32.RedSpy Backdoor:Win32/RedSpy.1_2 Backdoor.Win32.RedSpy.12 Trojan/Win32.Banker.C143433 Backdoor.RedSpy Backdoor.RedSpy!KQ5NSrZfjaE W32/RedSpy.V12!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.RedSpy.Win32.12": [[26, 50]], "Indicator: Trojan.Heur.E7FD56": [[51, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9966": [[70, 112]], "Indicator: W32/Backdoor2.WQR": [[113, 130]], "Indicator: Backdoor.Trojan": [[131, 146]], "Indicator: Backdoor.Win32.RedSpy.12": [[147, 171], [327, 351]], "Indicator: Trojan.Win32.RedSpy.bnfsv": [[172, 197]], "Indicator: Backdoor.Win32.A.RedSpy.407552": [[198, 228]], "Indicator: BackDoor.Redspy.12": [[229, 247]], "Indicator: W32/Backdoor.ZOHG-8805": [[248, 270]], "Indicator: Trojan[Backdoor]/Win32.RedSpy": [[271, 300]], "Indicator: Backdoor:Win32/RedSpy.1_2": [[301, 326]], "Indicator: Trojan/Win32.Banker.C143433": [[352, 379]], "Indicator: Backdoor.RedSpy": [[380, 395]], "Indicator: Backdoor.RedSpy!KQ5NSrZfjaE": [[396, 423]], "Indicator: W32/RedSpy.V12!tr.bdr": [[424, 445]]}, "info": {"id": "cyner2_5class_train_05021", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9917 Trojan.Cridex Trojan.Win64.PackedENT.exqnqt Trojan.PackedENT.61 BehavesLike.Win64.PdfCrypt.bm W64/Trojan.WJME-6640 Trojan.Mikey.D1231F Trojan.Dridex Trojan.Win64.Krypt Trj/CI.A Win32/Trojan.cb1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9917": [[26, 68]], "Indicator: Trojan.Cridex": [[69, 82]], "Indicator: Trojan.Win64.PackedENT.exqnqt": [[83, 112]], "Indicator: Trojan.PackedENT.61": [[113, 132]], "Indicator: BehavesLike.Win64.PdfCrypt.bm": [[133, 162]], "Indicator: W64/Trojan.WJME-6640": [[163, 183]], "Indicator: Trojan.Mikey.D1231F": [[184, 203]], "Indicator: Trojan.Dridex": [[204, 217]], "Indicator: Trojan.Win64.Krypt": [[218, 236]], "Indicator: Trj/CI.A": [[237, 245]], "Indicator: Win32/Trojan.cb1": [[246, 262]]}, "info": {"id": "cyner2_5class_train_05022", "source": "cyner2_5class_train"}} +{"text": "One more targeted attack against Ukraine that used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine.", "spans": {"Indicator: attack": [[18, 24]], "Indicator: spear phishing": [[51, 65]], "Malware: DarkTrack backdoor": [[81, 99]], "Indicator: a fake prescription": [[108, 127]], "Organization: the Minister of Defense of Ukraine.": [[131, 166]]}, "info": {"id": "cyner2_5class_train_05023", "source": "cyner2_5class_train"}} +{"text": "These kinds of threats will become more common , as more and more companies decide to publish their software directly to consumers .", "spans": {}, "info": {"id": "cyner2_5class_train_05024", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Tvt!O Trojan/Korplug.j Win32.Trojan.WisdomEyes.16070401.9500.9991 Backdoor.Trojan BKDR_THOPER.SMZTDE Trojan.Korplug.Win32.8 BKDR_THOPER.SMZTDE W32/Trojan.LEDO-1330 Trojan/Tvt.ay Trojan/Win32.Tvt Trojan.Kazy.D1C8B5 
Backdoor:Win32/Thoper.F!dha Backdoor/Win32.Etso.R19357 Trojan.Tvt!rB4pBoPmMmk Trojan.Kazy Win32/Trojan.9b1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Tvt!O": [[26, 44]], "Indicator: Trojan/Korplug.j": [[45, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[62, 104]], "Indicator: Backdoor.Trojan": [[105, 120]], "Indicator: BKDR_THOPER.SMZTDE": [[121, 139], [163, 181]], "Indicator: Trojan.Korplug.Win32.8": [[140, 162]], "Indicator: W32/Trojan.LEDO-1330": [[182, 202]], "Indicator: Trojan/Tvt.ay": [[203, 216]], "Indicator: Trojan/Win32.Tvt": [[217, 233]], "Indicator: Trojan.Kazy.D1C8B5": [[234, 252]], "Indicator: Backdoor:Win32/Thoper.F!dha": [[253, 280]], "Indicator: Backdoor/Win32.Etso.R19357": [[281, 307]], "Indicator: Trojan.Tvt!rB4pBoPmMmk": [[308, 330]], "Indicator: Trojan.Kazy": [[331, 342]], "Indicator: Win32/Trojan.9b1": [[343, 359]]}, "info": {"id": "cyner2_5class_train_05025", "source": "cyner2_5class_train"}} +{"text": "Since then, the number of cases using PoisonIvy in such attacks decreased, and there was no special variant with expanded features seen in the wild.", "spans": {"Malware: PoisonIvy": [[38, 47]], "Indicator: attacks": [[56, 63]]}, "info": {"id": "cyner2_5class_train_05026", "source": "cyner2_5class_train"}} +{"text": "Android bots have also already been found being controlled via other non-traditional means – blogs or some of the many cloud messaging systems like Google ’ s or Baidu ’ s – but Twitoor is the first Twitter-based bot malware , according to Štefanko .", "spans": {"System: Android": [[0, 7]], "Organization: Google": [[148, 154]], "Organization: Baidu": [[162, 167]], "Malware: Twitoor": [[178, 185]], "System: Twitter-based": [[199, 212]]}, "info": {"id": "cyner2_5class_train_05027", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLTMSTRI.Trojan Trojan/Qhost.admt Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Qhosts Trojan.Win32.Qhost.rfrep 
Troj.W32.Qhost.admt!c Trojan.FakeAV.10958 Trojan.Qhost.Win32.9572 W32/Trojan.AEUL-0771 Trojan/Qhost.eht TR/Qhost.eozdy Trojan/Win32.Qhost Trojan.Graftor.Elzob.D22D4 Trojan.Qhost Trojan.HostsMod Trj/CI.A Win32/Qhost.ORK Trojan.Qhost!OWegFrReFAQ Trojan.Win32.Qhost", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLTMSTRI.Trojan": [[26, 51]], "Indicator: Trojan/Qhost.admt": [[52, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[70, 112]], "Indicator: Trojan.Qhosts": [[113, 126]], "Indicator: Trojan.Win32.Qhost.rfrep": [[127, 151]], "Indicator: Troj.W32.Qhost.admt!c": [[152, 173]], "Indicator: Trojan.FakeAV.10958": [[174, 193]], "Indicator: Trojan.Qhost.Win32.9572": [[194, 217]], "Indicator: W32/Trojan.AEUL-0771": [[218, 238]], "Indicator: Trojan/Qhost.eht": [[239, 255]], "Indicator: TR/Qhost.eozdy": [[256, 270]], "Indicator: Trojan/Win32.Qhost": [[271, 289]], "Indicator: Trojan.Graftor.Elzob.D22D4": [[290, 316]], "Indicator: Trojan.Qhost": [[317, 329]], "Indicator: Trojan.HostsMod": [[330, 345]], "Indicator: Trj/CI.A": [[346, 354]], "Indicator: Win32/Qhost.ORK": [[355, 370]], "Indicator: Trojan.Qhost!OWegFrReFAQ": [[371, 395]], "Indicator: Trojan.Win32.Qhost": [[396, 414]]}, "info": {"id": "cyner2_5class_train_05028", "source": "cyner2_5class_train"}} +{"text": "The backdoor Trojan authors have called it XAgentOSX, which shares the name XAgent with one of Sofacy's Windows-based Trojan and references Apple's previous name for macOS, OS X.", "spans": {"Malware: XAgentOSX,": [[43, 53]], "Malware: XAgent": [[76, 82]], "Malware: Windows-based Trojan": [[104, 124]], "Organization: Apple's": [[140, 147]], "System: macOS, OS X.": [[166, 178]]}, "info": {"id": "cyner2_5class_train_05029", "source": "cyner2_5class_train"}} +{"text": "Trend Micro first discovered the Alice ATM malware family in November 2016 as result of our joint research project on ATM malware with Europol EC3.", "spans": {"Organization: Trend Micro": [[0, 11]], "Malware: Alice 
ATM malware family": [[33, 57]], "Malware: ATM malware": [[118, 129]], "Organization: Europol EC3.": [[135, 147]]}, "info": {"id": "cyner2_5class_train_05030", "source": "cyner2_5class_train"}} +{"text": "After launching , it hides its presence on the system and checks the defined Twitter account at regular intervals for commands .", "spans": {"System: Twitter": [[77, 84]]}, "info": {"id": "cyner2_5class_train_05031", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Veediem Trojan.Razy.D212D5 Win32.Trojan.WisdomEyes.16070401.9500.9585 HackTool.Win32.AllinOne.g Tool.Allinone.1 BehavesLike.Win32.Fujacks.tm HackTool.Win32.AllinOne.g Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Veediem": [[26, 40]], "Indicator: Trojan.Razy.D212D5": [[41, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9585": [[60, 102]], "Indicator: HackTool.Win32.AllinOne.g": [[103, 128], [174, 199]], "Indicator: Tool.Allinone.1": [[129, 144]], "Indicator: BehavesLike.Win32.Fujacks.tm": [[145, 173]], "Indicator: Trj/CI.A": [[200, 208]]}, "info": {"id": "cyner2_5class_train_05032", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ismdoor W32/Ismdoor.A Trojan.MSIL.Ismdoor.a Trojan.Win32.Ismdoor.euvcaa Troj.Msil.Ismdoor!c Trojan.Ismdoor.Win32.2 Trojan.MSIL.Ismdoor W32/Trojan.WGWW-8625 Trojan.MSIL.hjyc Trojan/MSIL.Ismdoor Trojan.MSIL.Ismdoor.a Trojan/Win32.Ismdoor.C2249090 Trojan.MSIL.Ismdoor Trj/WLT.D Trojan.Ismdoor MSIL/Ismdoor.A Msil.Trojan.Ismdoor.Efax Trojan.Ismdoor! 
W32/Ismdoor.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ismdoor": [[26, 40], [308, 322]], "Indicator: W32/Ismdoor.A": [[41, 54]], "Indicator: Trojan.MSIL.Ismdoor.a": [[55, 76], [226, 247]], "Indicator: Trojan.Win32.Ismdoor.euvcaa": [[77, 104]], "Indicator: Troj.Msil.Ismdoor!c": [[105, 124]], "Indicator: Trojan.Ismdoor.Win32.2": [[125, 147]], "Indicator: Trojan.MSIL.Ismdoor": [[148, 167], [278, 297]], "Indicator: W32/Trojan.WGWW-8625": [[168, 188]], "Indicator: Trojan.MSIL.hjyc": [[189, 205]], "Indicator: Trojan/MSIL.Ismdoor": [[206, 225]], "Indicator: Trojan/Win32.Ismdoor.C2249090": [[248, 277]], "Indicator: Trj/WLT.D": [[298, 307]], "Indicator: MSIL/Ismdoor.A": [[323, 337]], "Indicator: Msil.Trojan.Ismdoor.Efax": [[338, 362]], "Indicator: Trojan.Ismdoor!": [[363, 378]], "Indicator: W32/Ismdoor.A!tr": [[379, 395]]}, "info": {"id": "cyner2_5class_train_05033", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Backdoor.PCClient.TCH Backdoor.PcClient Backdoor.PCClient.TCH BKDR_PCCLIEN.AFR Win32.Trojan.WisdomEyes.16070401.9500.9973 Backdoor.Formador BKDR_PCCLIEN.AFR Backdoor.PCClient.TCH Backdoor.Win32.PcClient.gehc Backdoor.PCClient.TCH Trojan.Win32.PcClient.evwdyc Trojan.Win32.Z.Pcclient.617695.A Backdoor.W32.Pcclient!c Backdoor.PCClient.TCH Backdoor.PCClient.TCH Trojan.Proxy.20157 Backdoor.PcClient.Win32.30956 BehavesLike.Win32.PWSZbot.jc Trojan.Win32.Enigma W32/Trojan.MPTU-6658 Trojan[Backdoor]/Win32.PcClient Backdoor.PCClient.TCH Backdoor.Win32.PcClient.gehc Trojan/Win32.PcClient.C22919 TScope.Malware-Cryptor.SB Win32.Backdoor.Pcclient.Ebqc W32/Bckdr.Z!tr Win32/Backdoor.599", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Backdoor.PCClient.TCH": [[44, 65], [84, 105], [201, 222], [252, 273], [360, 381], [382, 403], [555, 576]], "Indicator: Backdoor.PcClient": [[66, 83]], "Indicator: BKDR_PCCLIEN.AFR": [[106, 122], [184, 200]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9973": [[123, 165]], "Indicator: Backdoor.Formador": [[166, 183]], "Indicator: Backdoor.Win32.PcClient.gehc": [[223, 251], [577, 605]], "Indicator: Trojan.Win32.PcClient.evwdyc": [[274, 302]], "Indicator: Trojan.Win32.Z.Pcclient.617695.A": [[303, 335]], "Indicator: Backdoor.W32.Pcclient!c": [[336, 359]], "Indicator: Trojan.Proxy.20157": [[404, 422]], "Indicator: Backdoor.PcClient.Win32.30956": [[423, 452]], "Indicator: BehavesLike.Win32.PWSZbot.jc": [[453, 481]], "Indicator: Trojan.Win32.Enigma": [[482, 501]], "Indicator: W32/Trojan.MPTU-6658": [[502, 522]], "Indicator: Trojan[Backdoor]/Win32.PcClient": [[523, 554]], "Indicator: Trojan/Win32.PcClient.C22919": [[606, 634]], "Indicator: TScope.Malware-Cryptor.SB": [[635, 660]], "Indicator: Win32.Backdoor.Pcclient.Ebqc": [[661, 689]], "Indicator: W32/Bckdr.Z!tr": [[690, 704]], "Indicator: Win32/Backdoor.599": [[705, 723]]}, "info": {"id": "cyner2_5class_train_05034", "source": "cyner2_5class_train"}} +{"text": "Most legitimate Android apps are available on the Google Play Store .", "spans": {"System: Android": [[16, 23]], "System: Google Play Store": [[50, 67]]}, "info": {"id": "cyner2_5class_train_05035", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_GE.3396767B Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.3396767B Win.Tool.Winactivator-1 Win32.Riskware.WinActivator.A Trojan.Win32.Kryptik.ernenh BehavesLike.Win32.PUPXAG.tc W32/Trojan.PMWL-5504 HackTool.WinActivator Trj/CI.A Trojan.MSIL.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_GE.3396767B": [[26, 42], [86, 102]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[43, 85]], "Indicator: Win.Tool.Winactivator-1": [[103, 126]], "Indicator: Win32.Riskware.WinActivator.A": [[127, 156]], "Indicator: Trojan.Win32.Kryptik.ernenh": [[157, 184]], "Indicator: BehavesLike.Win32.PUPXAG.tc": [[185, 212]], "Indicator: W32/Trojan.PMWL-5504": [[213, 233]], "Indicator: 
HackTool.WinActivator": [[234, 255]], "Indicator: Trj/CI.A": [[256, 264]], "Indicator: Trojan.MSIL.Crypt": [[265, 282]]}, "info": {"id": "cyner2_5class_train_05036", "source": "cyner2_5class_train"}} +{"text": "We also registered one episode of mobile malware spreading via a third-party botnet .", "spans": {}, "info": {"id": "cyner2_5class_train_05037", "source": "cyner2_5class_train"}} +{"text": "The PC version has the ability to achieve complete remote control over the victim machine, including monitoring webcams and microphones.", "spans": {"System: PC version": [[4, 14]], "Indicator: complete remote control": [[42, 65]], "System: victim machine,": [[75, 90]]}, "info": {"id": "cyner2_5class_train_05038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D19050 Trojan.Powerduke Trojan:Win32/Yedob.A!dha", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D19050": [[26, 44]], "Indicator: Trojan.Powerduke": [[45, 61]], "Indicator: Trojan:Win32/Yedob.A!dha": [[62, 86]]}, "info": {"id": "cyner2_5class_train_05039", "source": "cyner2_5class_train"}} +{"text": "As an example, the following email was sent to a Turkish government organization using a lure of purported new portal logins for an airline's website.", "spans": {"Indicator: email": [[29, 34]], "Organization: Turkish government organization": [[49, 80]], "Indicator: new portal logins for an airline's website.": [[107, 150]]}, "info": {"id": "cyner2_5class_train_05040", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992 TR/Crypt.ZPACK.wqbfr Trojan[Downloader]/Win32.MapsGory Trojan.Razy.D3751F Trojan/Win32.MapsGory.C2205147 Malware-Cryptor.Limpopo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[26, 68]], "Indicator: TR/Crypt.ZPACK.wqbfr": [[69, 89]], "Indicator: Trojan[Downloader]/Win32.MapsGory": [[90, 123]], "Indicator: Trojan.Razy.D3751F": [[124, 
142]], "Indicator: Trojan/Win32.MapsGory.C2205147": [[143, 173]], "Indicator: Malware-Cryptor.Limpopo": [[174, 197]]}, "info": {"id": "cyner2_5class_train_05041", "source": "cyner2_5class_train"}} +{"text": "After launching, it hides its presence on the system and checks the defined Twitter account at regular intervals for commands.", "spans": {"System: system": [[46, 52]], "System: Twitter account": [[76, 91]], "Indicator: regular intervals for commands.": [[95, 126]]}, "info": {"id": "cyner2_5class_train_05042", "source": "cyner2_5class_train"}} +{"text": "Found bundled with a repackaged app , the spyware ’ s surveillance capabilities involve hiding its presence on the device , recording phone calls , logging incoming text messages , recoding videos , taking pictures and collecting GPS coordinates , then broadcasting all of that to an attacker-controlled C & C ( command and control ) server .", "spans": {"System: GPS": [[230, 233]]}, "info": {"id": "cyner2_5class_train_05043", "source": "cyner2_5class_train"}} +{"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset .", "spans": {}, "info": {"id": "cyner2_5class_train_05044", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Putabmow.RF5 Trojan.Downloader.Wmbatupd Win.Adware.Graftor-5699 Variant.Adware.Graftor.mrlb Adware.Wombat.1 Trojan.FakeAV.Win32.319646 BehavesLike.Win32.BrowseFox.fh Trojan-Downloader.Win32.Putabmow TR/Dldr.Putabmow.AC TrojanDownloader:Win32/Putabmow.A PUP/Win32.Graftor.R158727 Win32/Trojan.a6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Putabmow.RF5": [[26, 55]], "Indicator: Trojan.Downloader.Wmbatupd": [[56, 82]], "Indicator: Win.Adware.Graftor-5699": [[83, 106]], "Indicator: Variant.Adware.Graftor.mrlb": [[107, 134]], "Indicator: Adware.Wombat.1": [[135, 150]], "Indicator: Trojan.FakeAV.Win32.319646": [[151, 177]], "Indicator: BehavesLike.Win32.BrowseFox.fh": [[178, 208]], 
"Indicator: Trojan-Downloader.Win32.Putabmow": [[209, 241]], "Indicator: TR/Dldr.Putabmow.AC": [[242, 261]], "Indicator: TrojanDownloader:Win32/Putabmow.A": [[262, 295]], "Indicator: PUP/Win32.Graftor.R158727": [[296, 321]], "Indicator: Win32/Trojan.a6d": [[322, 338]]}, "info": {"id": "cyner2_5class_train_05045", "source": "cyner2_5class_train"}} +{"text": "They should still be on the lookout for these kinds of trojans , as the attackers could target corporate accounts that contain large amounts of money .", "spans": {}, "info": {"id": "cyner2_5class_train_05046", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.EggDrop.u BackDoor.EggDrop.16 Backdoor.Win32.EggDrop Trojan[Backdoor]/Win32.EggDrop.u Backdoor.Win32.EggDrop.u Backdoor:Win32/Dropegg.K Trojan/Win32.Eggdrop.R129522 Backdoor.EggDrop Win32/EggDrop.16", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.EggDrop.u": [[26, 50], [127, 151]], "Indicator: BackDoor.EggDrop.16": [[51, 70]], "Indicator: Backdoor.Win32.EggDrop": [[71, 93]], "Indicator: Trojan[Backdoor]/Win32.EggDrop.u": [[94, 126]], "Indicator: Backdoor:Win32/Dropegg.K": [[152, 176]], "Indicator: Trojan/Win32.Eggdrop.R129522": [[177, 205]], "Indicator: Backdoor.EggDrop": [[206, 222]], "Indicator: Win32/EggDrop.16": [[223, 239]]}, "info": {"id": "cyner2_5class_train_05047", "source": "cyner2_5class_train"}} +{"text": "Once installed the bootkit infects the operating system with a backdoor at the early booting stage.", "spans": {"Malware: bootkit": [[19, 26]], "System: operating system": [[39, 55]], "Malware: backdoor": [[63, 71]]}, "info": {"id": "cyner2_5class_train_05048", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Notpa Backdoor.Win32!O Backdoor.Notpa Backdoor.Notpa.Win32.4 Backdoor.W32.Notpa.l1pr Backdoor.Notpa W32/Backdoor.YTLZ-6459 Backdoor.Trojan BKDR_NOTPA.A Win.Trojan.NotPad-1 Backdoor.Win32.Notpa Backdoor.Notpa Trojan.Win32.Notpa.dkrv Backdoor.Notpa 
Backdoor.Win32.BackDoor.2_02 Backdoor.Notpa BackDoor.Zemac.200 BKDR_NOTPA.A W32/Backdoor2.EGAF TR/Notpad.Srv_#1 Trojan[Backdoor]/Win32.Notpa Win32.Hack.Notpa.kcloud Backdoor.Win32.Notpa.10240 Backdoor.Win32.Notpa Backdoor.Notpa Win-Trojan/Notpa.10240 Backdoor.Notpa Win32/BackDoor.2_02 Win32.Backdoor.Notpa.Wwoe Backdoor.Notpa!UhKbM28gXZk Backdoor.Win32.Notpa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Notpa": [[26, 40], [58, 72], [120, 134], [228, 242], [267, 281], [311, 325], [495, 509], [533, 547]], "Indicator: Backdoor.Win32!O": [[41, 57]], "Indicator: Backdoor.Notpa.Win32.4": [[73, 95]], "Indicator: Backdoor.W32.Notpa.l1pr": [[96, 119]], "Indicator: W32/Backdoor.YTLZ-6459": [[135, 157]], "Indicator: Backdoor.Trojan": [[158, 173]], "Indicator: BKDR_NOTPA.A": [[174, 186], [345, 357]], "Indicator: Win.Trojan.NotPad-1": [[187, 206]], "Indicator: Backdoor.Win32.Notpa": [[207, 227], [474, 494], [621, 641]], "Indicator: Trojan.Win32.Notpa.dkrv": [[243, 266]], "Indicator: Backdoor.Win32.BackDoor.2_02": [[282, 310]], "Indicator: BackDoor.Zemac.200": [[326, 344]], "Indicator: W32/Backdoor2.EGAF": [[358, 376]], "Indicator: TR/Notpad.Srv_#1": [[377, 393]], "Indicator: Trojan[Backdoor]/Win32.Notpa": [[394, 422]], "Indicator: Win32.Hack.Notpa.kcloud": [[423, 446]], "Indicator: Backdoor.Win32.Notpa.10240": [[447, 473]], "Indicator: Win-Trojan/Notpa.10240": [[510, 532]], "Indicator: Win32/BackDoor.2_02": [[548, 567]], "Indicator: Win32.Backdoor.Notpa.Wwoe": [[568, 593]], "Indicator: Backdoor.Notpa!UhKbM28gXZk": [[594, 620]]}, "info": {"id": "cyner2_5class_train_05049", "source": "cyner2_5class_train"}} +{"text": "Conclusion Although the actor behind “ Agent Smith ” decided to make their illegally acquired profit by exploiting the use of ads , another actor could easily take a more intrusive and harmful route .", "spans": {"Malware: Agent Smith": [[39, 50]]}, "info": {"id": "cyner2_5class_train_05050", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Ransom.Ninja Win32.Trojan.WisdomEyes.151026.9950.9999 Trojan-Ransom.Win32.Democry.a Trojan.Encoder.4608 Trojan.Filecoder.Win32.2542 BehavesLike.Win32.BadFile.tz TR/Symmi.sqfb W32/Filecoder.NGQ!tr Trojan.Symmi.D1F61 Trojan/Win32.Filecoder Ransom:Win32/SieteCrypto.A BScope.P2P-Worm.Palevo Win32.Trojan.Symmi.Wskd Trojan.Democry! Trojan.Win32.Filecoder Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Ninja": [[26, 38]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[39, 79]], "Indicator: Trojan-Ransom.Win32.Democry.a": [[80, 109]], "Indicator: Trojan.Encoder.4608": [[110, 129]], "Indicator: Trojan.Filecoder.Win32.2542": [[130, 157]], "Indicator: BehavesLike.Win32.BadFile.tz": [[158, 186]], "Indicator: TR/Symmi.sqfb": [[187, 200]], "Indicator: W32/Filecoder.NGQ!tr": [[201, 221]], "Indicator: Trojan.Symmi.D1F61": [[222, 240]], "Indicator: Trojan/Win32.Filecoder": [[241, 263]], "Indicator: Ransom:Win32/SieteCrypto.A": [[264, 290]], "Indicator: BScope.P2P-Worm.Palevo": [[291, 313]], "Indicator: Win32.Trojan.Symmi.Wskd": [[314, 337]], "Indicator: Trojan.Democry!": [[338, 353]], "Indicator: Trojan.Win32.Filecoder": [[354, 376]], "Indicator: Trj/CI.A": [[377, 385]]}, "info": {"id": "cyner2_5class_train_05051", "source": "cyner2_5class_train"}} +{"text": "operation targeting individuals in Ukraine.", "spans": {"Organization: individuals": [[20, 31]]}, "info": {"id": "cyner2_5class_train_05052", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeDocD.fam.Trojan Worm.Hybris.PLI Worm.Win32.AutoRun!O Worm.AutoIt.Yuner.A Worm.Hybris.PLI Trojan/Yuner.b Worm.Hybris.PLI Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.SEDY-1174 W32.Badday.A WORM_AUTORUN.BWK Worm.Hybris.PLI Worm.Win32.AutoIt.r Worm.Hybris.PLI Worm.Win32.AutoIt.261440 W32.W.AutoIt.l3OL Worm.Hybris.PLI Worm.Win32.AutoIt.~AN Trojan.AVKill.31317 Worm.AutoIt.Win32.2853 WORM_AUTORUN.BWK BehavesLike.Win32.YahLover.dc W32/Worm.MWD 
TrojanDownloader.JS.hi WORM/Autorun.55698 GrayWare[AdWare]/Win32.Yuner.a Worm:Win32/Yuner.A Worm.Win32.AutoIt.r Win32/Hybris.worm.261539 W32/YahLover.worm Worm.Autoit.Autorunner Trojan.Injector.AutoIt W32/Sohanat.GW.worm I-Worm.Yuner.B Win32/Yuner.B Worm.Win32.AutoRun.f Worm.Win32.AutoRun Trojan.Win32.AutoIt.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeDocD.fam.Trojan": [[26, 49]], "Indicator: Worm.Hybris.PLI": [[50, 65], [107, 122], [138, 153], [246, 261], [282, 297], [341, 356]], "Indicator: Worm.Win32.AutoRun!O": [[66, 86]], "Indicator: Worm.AutoIt.Yuner.A": [[87, 106]], "Indicator: Trojan/Yuner.b": [[123, 137]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[154, 196]], "Indicator: W32/Worm.SEDY-1174": [[197, 215]], "Indicator: W32.Badday.A": [[216, 228]], "Indicator: WORM_AUTORUN.BWK": [[229, 245], [422, 438]], "Indicator: Worm.Win32.AutoIt.r": [[262, 281], [574, 593]], "Indicator: Worm.Win32.AutoIt.261440": [[298, 322]], "Indicator: W32.W.AutoIt.l3OL": [[323, 340]], "Indicator: Worm.Win32.AutoIt.~AN": [[357, 378]], "Indicator: Trojan.AVKill.31317": [[379, 398]], "Indicator: Worm.AutoIt.Win32.2853": [[399, 421]], "Indicator: BehavesLike.Win32.YahLover.dc": [[439, 468]], "Indicator: W32/Worm.MWD": [[469, 481]], "Indicator: TrojanDownloader.JS.hi": [[482, 504]], "Indicator: WORM/Autorun.55698": [[505, 523]], "Indicator: GrayWare[AdWare]/Win32.Yuner.a": [[524, 554]], "Indicator: Worm:Win32/Yuner.A": [[555, 573]], "Indicator: Win32/Hybris.worm.261539": [[594, 618]], "Indicator: W32/YahLover.worm": [[619, 636]], "Indicator: Worm.Autoit.Autorunner": [[637, 659]], "Indicator: Trojan.Injector.AutoIt": [[660, 682]], "Indicator: W32/Sohanat.GW.worm": [[683, 702]], "Indicator: I-Worm.Yuner.B": [[703, 717]], "Indicator: Win32/Yuner.B": [[718, 731]], "Indicator: Worm.Win32.AutoRun.f": [[732, 752]], "Indicator: Worm.Win32.AutoRun": [[753, 771]], "Indicator: Trojan.Win32.AutoIt.D": [[772, 793]]}, "info": {"id": "cyner2_5class_train_05053", 
"source": "cyner2_5class_train"}} +{"text": "We identified a notable lack of sophistication in this investigation such as copy/paste , unstable code , dead code and panels that are freely open .", "spans": {}, "info": {"id": "cyner2_5class_train_05054", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Yarner.D@mm Worm/W32.Yarner.437760.D W32.Yarner Trojan.Win32.Yarner.eokq W32/Yarner.D@mm Win32.Yarner Worm.Yarner.D Email-Worm.Win32.Yarner.d Win32.Yarner.D@mm I-Worm.Yarner.D I-Worm.Win32.Yarner.D Worm.Win32.Yarner.D Win32.Yarner.D@mm Win32.HLLM.Yarner.3 W32/YaW-Setup.3 I-Worm/Yarner.d Worm.Yarner.d.kcloud Worm:Win32/Yarner.C@mm Win32/Yarner.worm.437760.C Win32.Yarner.D@mm W32/Yarner.D@mm Worm.Yarner.d Malware.Yarner Win32/Yarner.D Worm.Yarner.d Email-Worm.Win32.Yarner.D W32/Yarner.D@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Yarner.D@mm": [[26, 43], [174, 191], [250, 267], [391, 408]], "Indicator: Worm/W32.Yarner.437760.D": [[44, 68]], "Indicator: W32.Yarner": [[69, 79]], "Indicator: Trojan.Win32.Yarner.eokq": [[80, 104]], "Indicator: W32/Yarner.D@mm": [[105, 120], [409, 424], [509, 524]], "Indicator: Win32.Yarner": [[121, 133]], "Indicator: Worm.Yarner.D": [[134, 147]], "Indicator: Email-Worm.Win32.Yarner.d": [[148, 173]], "Indicator: I-Worm.Yarner.D": [[192, 207]], "Indicator: I-Worm.Win32.Yarner.D": [[208, 229]], "Indicator: Worm.Win32.Yarner.D": [[230, 249]], "Indicator: Win32.HLLM.Yarner.3": [[268, 287]], "Indicator: W32/YaW-Setup.3": [[288, 303]], "Indicator: I-Worm/Yarner.d": [[304, 319]], "Indicator: Worm.Yarner.d.kcloud": [[320, 340]], "Indicator: Worm:Win32/Yarner.C@mm": [[341, 363]], "Indicator: Win32/Yarner.worm.437760.C": [[364, 390]], "Indicator: Worm.Yarner.d": [[425, 438], [469, 482]], "Indicator: Malware.Yarner": [[439, 453]], "Indicator: Win32/Yarner.D": [[454, 468]], "Indicator: Email-Worm.Win32.Yarner.D": [[483, 508]]}, "info": {"id": "cyner2_5class_train_05055", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: W32.OnGameRWALXAF.Worm Trojan.Win32.VB!O Trojan.Mofksys.A Worm.Mofksys Trojan/VB.osk Win32.Trojan.VB.kc W32.Gosys Win32/Mofksys.C Trojan-Ransom.Win32.Blocker.oow Trojan.Win32.Blocker.covlpo Troj.W32.Swisyn.mzNn Trojan.VbCrypt.250 Trojan.VB.Win32.59196 BehavesLike.Win32.Swisyn.dh Trojan.Win32.VB Trojan[Ransom]/Win32.Blocker Worm:Win32/Mofksys.A Trojan.Win32.A.VB.192512.N Trojan-Ransom.Win32.Blocker.oow Trojan/Win32.Swisyn.R1452 W32/Swisyn.ag MAS.Trojan.VB.01047", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameRWALXAF.Worm": [[26, 48]], "Indicator: Trojan.Win32.VB!O": [[49, 66]], "Indicator: Trojan.Mofksys.A": [[67, 83]], "Indicator: Worm.Mofksys": [[84, 96]], "Indicator: Trojan/VB.osk": [[97, 110]], "Indicator: Win32.Trojan.VB.kc": [[111, 129]], "Indicator: W32.Gosys": [[130, 139]], "Indicator: Win32/Mofksys.C": [[140, 155]], "Indicator: Trojan-Ransom.Win32.Blocker.oow": [[156, 187], [399, 430]], "Indicator: Trojan.Win32.Blocker.covlpo": [[188, 215]], "Indicator: Troj.W32.Swisyn.mzNn": [[216, 236]], "Indicator: Trojan.VbCrypt.250": [[237, 255]], "Indicator: Trojan.VB.Win32.59196": [[256, 277]], "Indicator: BehavesLike.Win32.Swisyn.dh": [[278, 305]], "Indicator: Trojan.Win32.VB": [[306, 321]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[322, 350]], "Indicator: Worm:Win32/Mofksys.A": [[351, 371]], "Indicator: Trojan.Win32.A.VB.192512.N": [[372, 398]], "Indicator: Trojan/Win32.Swisyn.R1452": [[431, 456]], "Indicator: W32/Swisyn.ag": [[457, 470]], "Indicator: MAS.Trojan.VB.01047": [[471, 490]]}, "info": {"id": "cyner2_5class_train_05056", "source": "cyner2_5class_train"}} +{"text": "Neutrino Exploit Kit EK appeared on the scene around March of 2013 and continues to remain active and incorporate new exploits.", "spans": {"Malware: Neutrino Exploit Kit": [[0, 20]], "Malware: new exploits.": [[114, 127]]}, "info": {"id": "cyner2_5class_train_05057", "source": "cyner2_5class_train"}} +{"text": "We immediately contacted 
psychcentral about this infection as early as we have discovered it.", "spans": {}, "info": {"id": "cyner2_5class_train_05058", "source": "cyner2_5class_train"}} +{"text": "Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.", "spans": {"System: Firefox user": [[31, 43]], "Indicator: advertisement": [[64, 77]], "Indicator: news site": [[83, 92]], "Malware: Firefox exploit": [[117, 132]], "Indicator: searched for sensitive files": [[138, 166]], "System: server": [[190, 196]]}, "info": {"id": "cyner2_5class_train_05059", "source": "cyner2_5class_train"}} +{"text": "Extract the contacts list from the Facebook app .", "spans": {"System: Facebook app": [[35, 47]]}, "info": {"id": "cyner2_5class_train_05060", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Welranax Trojan/Delf.sjo Win32.Trojan.Delf.iv not-a-virus:AdWare.Win32.Delf.gum Trojan.Win32.Z.Delf.409600.D Adware.Delf.Win32.2253 Trojan-Dropper.Delf W32/Trojan.ZLEU-3835 GrayWare[AdWare]/Win32.Delf not-a-virus:AdWare.Win32.Delf.gum Trojan:Win32/Welranax.A Trojan/Win32.Hupigon.C979817 AdWare.Delf Trj/CI.A Win32/Delf.SJO Win32.Adware.Delf.Wrgd PUA.Delf! 
Win32/Trojan.e91", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Welranax": [[26, 41]], "Indicator: Trojan/Delf.sjo": [[42, 57]], "Indicator: Win32.Trojan.Delf.iv": [[58, 78]], "Indicator: not-a-virus:AdWare.Win32.Delf.gum": [[79, 112], [234, 267]], "Indicator: Trojan.Win32.Z.Delf.409600.D": [[113, 141]], "Indicator: Adware.Delf.Win32.2253": [[142, 164]], "Indicator: Trojan-Dropper.Delf": [[165, 184]], "Indicator: W32/Trojan.ZLEU-3835": [[185, 205]], "Indicator: GrayWare[AdWare]/Win32.Delf": [[206, 233]], "Indicator: Trojan:Win32/Welranax.A": [[268, 291]], "Indicator: Trojan/Win32.Hupigon.C979817": [[292, 320]], "Indicator: AdWare.Delf": [[321, 332]], "Indicator: Trj/CI.A": [[333, 341]], "Indicator: Win32/Delf.SJO": [[342, 356]], "Indicator: Win32.Adware.Delf.Wrgd": [[357, 379]], "Indicator: PUA.Delf!": [[380, 389]], "Indicator: Win32/Trojan.e91": [[390, 406]]}, "info": {"id": "cyner2_5class_train_05061", "source": "cyner2_5class_train"}} +{"text": "At the forum of the Armbian operating system , a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable \" if combined with networked services that might allow access to /proc .", "spans": {"System: Armbian": [[20, 27]], "Indicator: /proc": [[212, 217]]}, "info": {"id": "cyner2_5class_train_05062", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.94C0 Trojan.Barys.DE38F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.94C0": [[26, 43]], "Indicator: Trojan.Barys.DE38F": [[44, 62]]}, "info": {"id": "cyner2_5class_train_05063", "source": "cyner2_5class_train"}} +{"text": "Foreign policy, future of the US Army Officer Corps, and economic development are only a few of the keywords that threat actors have been using in spear-phishing attacks against directors and project managers of technology-inclined US government contractors.", "spans": {"Organization: US": [[30, 32]], "Organization: economic development": [[57, 
77]], "Indicator: spear-phishing attacks": [[147, 169]], "Organization: directors": [[178, 187]], "Organization: project managers": [[192, 208]], "Organization: US government contractors.": [[232, 258]]}, "info": {"id": "cyner2_5class_train_05064", "source": "cyner2_5class_train"}} +{"text": "This extensive campaign infected over 14 million devices, rooting 8 million of them with an unprecedented success rate.", "spans": {"System: devices,": [[49, 57]], "Vulnerability: rooting": [[58, 65]]}, "info": {"id": "cyner2_5class_train_05065", "source": "cyner2_5class_train"}} +{"text": "Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.", "spans": {}, "info": {"id": "cyner2_5class_train_05066", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_DROPPR.SMC Win32.Trojan.WisdomEyes.16070401.9500.9967 TROJ_DROPPR.SMC Win.Downloader.54186-1 Trojan.Win32.Small.depzsf Trojan.MulDrop4.31372 BehavesLike.Win32.FakeAlertSecurityTool.cc Trojan[Downloader]/Win32.Dadobra TrojanDropper:Win32/Preald.A Trojan/Win32.Vilsel.C888605 TrojanDownloader.Dadobra Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_DROPPR.SMC": [[26, 41], [85, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[42, 84]], "Indicator: Win.Downloader.54186-1": [[101, 123]], "Indicator: Trojan.Win32.Small.depzsf": [[124, 149]], "Indicator: Trojan.MulDrop4.31372": [[150, 171]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.cc": [[172, 214]], "Indicator: Trojan[Downloader]/Win32.Dadobra": [[215, 247]], "Indicator: TrojanDropper:Win32/Preald.A": [[248, 276]], "Indicator: Trojan/Win32.Vilsel.C888605": [[277, 304]], "Indicator: TrojanDownloader.Dadobra": [[305, 329]], "Indicator: Trj/CI.A": [[330, 338]]}, "info": {"id": "cyner2_5class_train_05067", "source": "cyner2_5class_train"}} +{"text": "However , they possess no banking functions , and merely steal the logins and passwords entered by users .", "spans": {}, 
"info": {"id": "cyner2_5class_train_05068", "source": "cyner2_5class_train"}} +{"text": "In January of 2016, a tiny downloader named Godzilla Loader was advertised in the Damagelab forum.", "spans": {"Malware: tiny downloader": [[22, 37]], "Malware: Godzilla Loader": [[44, 59]], "Organization: Damagelab forum.": [[82, 98]]}, "info": {"id": "cyner2_5class_train_05069", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeTC.Win32.3 W32/Trojan2.OZHB Win32/FakeTC.A Win32.Trojan.FakeTC.A Trojan.FakeTC.3 W32/Trojan.MTLD-1219 Trojan/FakeTC.c Trojan/Win32.FakeTC Trojan.FakeTC Backdoor.Bot Trojan.Win32.Faketc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeTC.Win32.3": [[26, 47]], "Indicator: W32/Trojan2.OZHB": [[48, 64]], "Indicator: Win32/FakeTC.A": [[65, 79]], "Indicator: Win32.Trojan.FakeTC.A": [[80, 101]], "Indicator: Trojan.FakeTC.3": [[102, 117]], "Indicator: W32/Trojan.MTLD-1219": [[118, 138]], "Indicator: Trojan/FakeTC.c": [[139, 154]], "Indicator: Trojan/Win32.FakeTC": [[155, 174]], "Indicator: Trojan.FakeTC": [[175, 188]], "Indicator: Backdoor.Bot": [[189, 201]], "Indicator: Trojan.Win32.Faketc": [[202, 221]]}, "info": {"id": "cyner2_5class_train_05070", "source": "cyner2_5class_train"}} +{"text": "] net , negg2.ddns [ .", "spans": {"Indicator: negg2.ddns [ .": [[8, 22]]}, "info": {"id": "cyner2_5class_train_05071", "source": "cyner2_5class_train"}} +{"text": "Typically, attackers do not use patterns for very long, because security professionals eventually identify and subsequently block these patterns.", "spans": {"Indicator: patterns": [[32, 40]], "Organization: security professionals": [[64, 86]], "Indicator: block these patterns.": [[124, 145]]}, "info": {"id": "cyner2_5class_train_05072", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke.Winerror Joke.Winerror Trojan.Winerror Hoax.W16.BadJoke.WinError!c Joke.Winerror WinError.Trojan Joke.WinError Hoax.Win16.BadJoke.WinError 
Riskware.Win16.WinError.hwcm Joke.Winerror ApplicUnwnt.Win16.BadJoke.WinError Tool.BadJoke.Win16.8 not-virus:Joke.Win16.WinError JOKE/Winerror.A HackTool[Hoax]/Win16.WinError Joke.Winerror Hoax.Win16.BadJoke.WinError Trojan.Win16.BadJoke.WinError Win16.Trojan-psw.Badjoke.Dygs Hoax.Win16.BadJoke.WinError Joke.Winerror", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Winerror": [[26, 39], [40, 53], [98, 111], [199, 212], [345, 358], [475, 488]], "Indicator: Trojan.Winerror": [[54, 69]], "Indicator: Hoax.W16.BadJoke.WinError!c": [[70, 97]], "Indicator: WinError.Trojan": [[112, 127]], "Indicator: Joke.WinError": [[128, 141]], "Indicator: Hoax.Win16.BadJoke.WinError": [[142, 169], [359, 386], [447, 474]], "Indicator: Riskware.Win16.WinError.hwcm": [[170, 198]], "Indicator: ApplicUnwnt.Win16.BadJoke.WinError": [[213, 247]], "Indicator: Tool.BadJoke.Win16.8": [[248, 268]], "Indicator: not-virus:Joke.Win16.WinError": [[269, 298]], "Indicator: JOKE/Winerror.A": [[299, 314]], "Indicator: HackTool[Hoax]/Win16.WinError": [[315, 344]], "Indicator: Trojan.Win16.BadJoke.WinError": [[387, 416]], "Indicator: Win16.Trojan-psw.Badjoke.Dygs": [[417, 446]]}, "info": {"id": "cyner2_5class_train_05073", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PackedCRTD.Win32.9317 Win32.Trojan.WisdomEyes.16070401.9500.9843 Win32.Trojan.Falsesign.Taoo Trojan.PWS.Banker1.22573 Trojan:Win32/Banker.AF Win32/Trojan.115", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PackedCRTD.Win32.9317": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9843": [[55, 97]], "Indicator: Win32.Trojan.Falsesign.Taoo": [[98, 125]], "Indicator: Trojan.PWS.Banker1.22573": [[126, 150]], "Indicator: Trojan:Win32/Banker.AF": [[151, 173]], "Indicator: Win32/Trojan.115": [[174, 190]]}, "info": {"id": "cyner2_5class_train_05074", "source": "cyner2_5class_train"}} +{"text": "The malware comes equipped with a variety of features and can be purchased for $50 
directly from the author.", "spans": {}, "info": {"id": "cyner2_5class_train_05075", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Nemesis.S1305933 Trojan.Deshacop.Win32.847 Trojan.Ransom.Nemesis.8 Win32.Trojan.WisdomEyes.16070401.9500.9551 Win32.Trojan-Ransom.Nemesis.B Trojan-Ransom.Win32.Cryptoff.xe Heur.Packed.Unknown Trojan.Encoder.15133 Trojan[Ransom]/Win32.Snocry Ransom:Win32/CryptoLemPiz.A Trojan-Ransom.Win32.Cryptoff.xe Trojan/Win32.Snocry.C1923609 BScope.Trojan-Ransom.Snocry Ransom.Cerber Trojan.Win32.Filecoder Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Nemesis.S1305933": [[26, 49]], "Indicator: Trojan.Deshacop.Win32.847": [[50, 75]], "Indicator: Trojan.Ransom.Nemesis.8": [[76, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9551": [[100, 142]], "Indicator: Win32.Trojan-Ransom.Nemesis.B": [[143, 172]], "Indicator: Trojan-Ransom.Win32.Cryptoff.xe": [[173, 204], [302, 333]], "Indicator: Heur.Packed.Unknown": [[205, 224]], "Indicator: Trojan.Encoder.15133": [[225, 245]], "Indicator: Trojan[Ransom]/Win32.Snocry": [[246, 273]], "Indicator: Ransom:Win32/CryptoLemPiz.A": [[274, 301]], "Indicator: Trojan/Win32.Snocry.C1923609": [[334, 362]], "Indicator: BScope.Trojan-Ransom.Snocry": [[363, 390]], "Indicator: Ransom.Cerber": [[391, 404]], "Indicator: Trojan.Win32.Filecoder": [[405, 427]], "Indicator: Trj/CI.A": [[428, 436]]}, "info": {"id": "cyner2_5class_train_05076", "source": "cyner2_5class_train"}} +{"text": "In the case of the CVE-2017-0199 Word exploit, we have observed this in a much more accelerated time scale.", "spans": {"Indicator: CVE-2017-0199": [[19, 32]], "Malware: Word exploit,": [[33, 46]]}, "info": {"id": "cyner2_5class_train_05077", "source": "cyner2_5class_train"}} +{"text": "The grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices .", "spans": {"Organization: Samsung": [[83, 90]]}, "info": {"id": "cyner2_5class_train_05078", "source": 
"cyner2_5class_train"}} +{"text": "GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C & C server using the HTTP POST method .", "spans": {"Malware: GolfSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_05079", "source": "cyner2_5class_train"}} +{"text": "BlackBerry researchers have observed a new campaign by the Russian state-sponsored threat group, known as APT29, targeting European Union countries and their diplomatic systems, including that of Poland's ambassador to the United States.", "spans": {"Organization: BlackBerry researchers": [[0, 22]], "System: diplomatic systems,": [[158, 177]], "Organization: Poland's ambassador to the United States.": [[196, 237]]}, "info": {"id": "cyner2_5class_train_05080", "source": "cyner2_5class_train"}} +{"text": "So the system doesn ’ t see any strange processes running and thus does not cry the alarm .", "spans": {}, "info": {"id": "cyner2_5class_train_05081", "source": "cyner2_5class_train"}} +{"text": "By : Trend Micro April 20 , 2018 We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong .", "spans": {"Organization: Trend Micro": [[5, 16]]}, "info": {"id": "cyner2_5class_train_05082", "source": "cyner2_5class_train"}} +{"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device .", "spans": {}, "info": {"id": "cyner2_5class_train_05083", "source": "cyner2_5class_train"}} +{"text": "] today During our investigation , we identified at least four major releases of the RAT .", "spans": {}, "info": {"id": "cyner2_5class_train_05084", "source": "cyner2_5class_train"}} +{"text": "] com autoandroidup [ .", "spans": {"Indicator: autoandroidup [ .": [[6, 23]]}, "info": {"id": "cyner2_5class_train_05085", "source": "cyner2_5class_train"}} +{"text": "Fortinet detects 
this threat as W32/Miner.", "spans": {"Organization: Fortinet": [[0, 8]], "Malware: threat": [[22, 28]], "Indicator: W32/Miner.": [[32, 42]]}, "info": {"id": "cyner2_5class_train_05086", "source": "cyner2_5class_train"}} +{"text": "The architecture is quite similar to the one described previously , but the opcodes are slightly different .", "spans": {}, "info": {"id": "cyner2_5class_train_05087", "source": "cyner2_5class_train"}} +{"text": "For example , if a victim has Viber on their device , it will choose to retrieve the Viber Update second stage .", "spans": {"System: Viber": [[30, 35]], "System: Viber Update": [[85, 97]]}, "info": {"id": "cyner2_5class_train_05088", "source": "cyner2_5class_train"}} +{"text": "It installs malicious modules with different functionality into the system .", "spans": {}, "info": {"id": "cyner2_5class_train_05089", "source": "cyner2_5class_train"}} +{"text": "ProGuard Obfuscation As with many other Android applications , EventBot is now using obfuscation .", "spans": {"System: ProGuard": [[0, 8]], "System: Android": [[40, 47]], "Malware: EventBot": [[63, 71]]}, "info": {"id": "cyner2_5class_train_05090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.Duberath.B3 Backdoor.VB.Win32.14561 Backdoor.W32.VB.mtc!c Backdoor/VB.mtc BKDR_VBBOT.AM W32/VBBot.A Trojan.Dosvine BKDR_VBBOT.AM Win.Trojan.Hydraq-30 Backdoor.Win32.VB.mtc Trojan.Win32.VB.cuyqz Backdoor.Win32.VBbot.118784 Trojan.DownLoader2.62750 Backdoor.IRCBot BehavesLike.Win32.VBObfus.ct Trojan.Win32.Duberath W32/VBBot.DXMJ-6902 Trojan[Backdoor]/Win32.VB Backdoor.Win32.VB.mtc Trojan:Win32/Duberath.B Backdoor.VBbot.A Backdoor.IRCBot Trojan.Crypted.18705 Win32.Backdoor.Vb.Wrha Trojan.VBbot!c3mtyEoqCqM Win32/Backdoor.fdf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.Duberath.B3": [[26, 47]], "Indicator: Backdoor.VB.Win32.14561": [[48, 71]], "Indicator: Backdoor.W32.VB.mtc!c": [[72, 93]], "Indicator: Backdoor/VB.mtc": [[94, 109]], 
"Indicator: BKDR_VBBOT.AM": [[110, 123], [151, 164]], "Indicator: W32/VBBot.A": [[124, 135]], "Indicator: Trojan.Dosvine": [[136, 150]], "Indicator: Win.Trojan.Hydraq-30": [[165, 185]], "Indicator: Backdoor.Win32.VB.mtc": [[186, 207], [396, 417]], "Indicator: Trojan.Win32.VB.cuyqz": [[208, 229]], "Indicator: Backdoor.Win32.VBbot.118784": [[230, 257]], "Indicator: Trojan.DownLoader2.62750": [[258, 282]], "Indicator: Backdoor.IRCBot": [[283, 298], [459, 474]], "Indicator: BehavesLike.Win32.VBObfus.ct": [[299, 327]], "Indicator: Trojan.Win32.Duberath": [[328, 349]], "Indicator: W32/VBBot.DXMJ-6902": [[350, 369]], "Indicator: Trojan[Backdoor]/Win32.VB": [[370, 395]], "Indicator: Trojan:Win32/Duberath.B": [[418, 441]], "Indicator: Backdoor.VBbot.A": [[442, 458]], "Indicator: Trojan.Crypted.18705": [[475, 495]], "Indicator: Win32.Backdoor.Vb.Wrha": [[496, 518]], "Indicator: Trojan.VBbot!c3mtyEoqCqM": [[519, 543]], "Indicator: Win32/Backdoor.fdf": [[544, 562]]}, "info": {"id": "cyner2_5class_train_05091", "source": "cyner2_5class_train"}} +{"text": "The coding style suggests that the cybercriminals behind this campaign are amateurs .", "spans": {}, "info": {"id": "cyner2_5class_train_05092", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod3af.Trojan.e4b3 Trojan-Downloader/W32.Zlob.62877 Trojan.Dropper W32/Trojan2.NNPL Downloader.HJFG TROJ_SPNR.15L411 Trojan.Downloader.NSIS-3 Trojan-Downloader.Win32.NSIS.hn Trojan.DownLoader3.61765 TROJ_SPNR.15L411 Heuristic.BehavesLike.Win32.Downloader.D TrojanDownloader:Win32/Ocibt.A Win-Trojan/Downloader.62877 W32/Trojan.MONE-7612 TrojanDownloader.hn Trj/CI.A W32/Dloader.HG!tr.NSIS Dropper.Instaler.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod3af.Trojan.e4b3": [[26, 49]], "Indicator: Trojan-Downloader/W32.Zlob.62877": [[50, 82]], "Indicator: Trojan.Dropper": [[83, 97]], "Indicator: W32/Trojan2.NNPL": [[98, 114]], "Indicator: Downloader.HJFG": [[115, 130]], "Indicator: 
TROJ_SPNR.15L411": [[131, 147], [230, 246]], "Indicator: Trojan.Downloader.NSIS-3": [[148, 172]], "Indicator: Trojan-Downloader.Win32.NSIS.hn": [[173, 204]], "Indicator: Trojan.DownLoader3.61765": [[205, 229]], "Indicator: Heuristic.BehavesLike.Win32.Downloader.D": [[247, 287]], "Indicator: TrojanDownloader:Win32/Ocibt.A": [[288, 318]], "Indicator: Win-Trojan/Downloader.62877": [[319, 346]], "Indicator: W32/Trojan.MONE-7612": [[347, 367]], "Indicator: TrojanDownloader.hn": [[368, 387]], "Indicator: Trj/CI.A": [[388, 396]], "Indicator: W32/Dloader.HG!tr.NSIS": [[397, 419]], "Indicator: Dropper.Instaler.F": [[420, 438]]}, "info": {"id": "cyner2_5class_train_05093", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Patpoopy.Win32.18 Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.MPOM-1589 Win.Trojan.PupyRat-5710268-0 Trojan.Win32.Patpoopy.ewuxjt Trojan.Win32.Z.Zusy.3419648.Q Python.PuPy.20 BehavesLike.Win32.Injector.wc Trojan.Zusy.D4035B Trojan/Win32.Shelma.C2361381 Trojan.Win64.Shelma Trj/CI.A Win32.Trojan.Patpoopy.Lpky Trojan.Win64.Shelma RAT.Pupy W32/Patpoopy.E!tr Win32/Trojan.2c0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Patpoopy.Win32.18": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[51, 93]], "Indicator: W32/Trojan.MPOM-1589": [[94, 114]], "Indicator: Win.Trojan.PupyRat-5710268-0": [[115, 143]], "Indicator: Trojan.Win32.Patpoopy.ewuxjt": [[144, 172]], "Indicator: Trojan.Win32.Z.Zusy.3419648.Q": [[173, 202]], "Indicator: Python.PuPy.20": [[203, 217]], "Indicator: BehavesLike.Win32.Injector.wc": [[218, 247]], "Indicator: Trojan.Zusy.D4035B": [[248, 266]], "Indicator: Trojan/Win32.Shelma.C2361381": [[267, 295]], "Indicator: Trojan.Win64.Shelma": [[296, 315], [352, 371]], "Indicator: Trj/CI.A": [[316, 324]], "Indicator: Win32.Trojan.Patpoopy.Lpky": [[325, 351]], "Indicator: RAT.Pupy": [[372, 380]], "Indicator: W32/Patpoopy.E!tr": [[381, 398]], "Indicator: Win32/Trojan.2c0": [[399, 
415]]}, "info": {"id": "cyner2_5class_train_05094", "source": "cyner2_5class_train"}} +{"text": "We call this new group RTM- it uses custom malware, written in Delphi, that we cover in detail in later sections.", "spans": {"Malware: custom malware,": [[36, 51]], "System: Delphi,": [[63, 70]]}, "info": {"id": "cyner2_5class_train_05095", "source": "cyner2_5class_train"}} +{"text": "The report includes a review of the malware's sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins.", "spans": {}, "info": {"id": "cyner2_5class_train_05096", "source": "cyner2_5class_train"}} +{"text": "After scanning the QR code and installing a component downloaded from the link , the user infects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers .", "spans": {}, "info": {"id": "cyner2_5class_train_05097", "source": "cyner2_5class_train"}} +{"text": "Note , however , that based on the leak mail from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop .", "spans": {"Organization: Hacking Team": [[71, 83]], "System: Android 5.0 Lollipop": [[130, 150]]}, "info": {"id": "cyner2_5class_train_05098", "source": "cyner2_5class_train"}} +{"text": "Since February this year Antiy CERT has detected a new round of phishing activities using GuLoader to deliver the AgentTesla secret-stealing Trojan.", "spans": {"Organization: Antiy CERT": [[25, 35]], "Indicator: phishing activities": [[64, 83]], "Malware: GuLoader": [[90, 98]], "Malware: the AgentTesla secret-stealing Trojan.": [[110, 148]]}, "info": {"id": "cyner2_5class_train_05099", "source": "cyner2_5class_train"}} +{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner2_5class_train_05100", "source": "cyner2_5class_train"}} +{"text": "Four of them had more than 10,000 installs and one of them had more than 50,000 installs.", "spans": {}, "info": {"id": "cyner2_5class_train_05101", "source": 
"cyner2_5class_train"}} +{"text": "This ‘ versatility ’ was present in the first version of Rotexy and has been a feature of all the family ’ s subsequent representatives .", "spans": {"Malware: Rotexy": [[57, 63]]}, "info": {"id": "cyner2_5class_train_05102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojanpws.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9986 Win64.Trojan-qqpass.Qqrob.Lmug BehavesLike.Win32.Rootkit.dh HackTool.Mimikatz Trojan.PSW.Mimikatz.acm Trojan[PSW]/Win64.Mimikatz HackTool:Win32/Mimikatz.A!dha Troj.Psw.Win64.Mimikatz!c BScope.TrojanPSW.Mimikatz Win32/Trojan.PSW.a2b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojanpws.Win64": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[42, 84]], "Indicator: Win64.Trojan-qqpass.Qqrob.Lmug": [[85, 115]], "Indicator: BehavesLike.Win32.Rootkit.dh": [[116, 144]], "Indicator: HackTool.Mimikatz": [[145, 162]], "Indicator: Trojan.PSW.Mimikatz.acm": [[163, 186]], "Indicator: Trojan[PSW]/Win64.Mimikatz": [[187, 213]], "Indicator: HackTool:Win32/Mimikatz.A!dha": [[214, 243]], "Indicator: Troj.Psw.Win64.Mimikatz!c": [[244, 269]], "Indicator: BScope.TrojanPSW.Mimikatz": [[270, 295]], "Indicator: Win32/Trojan.PSW.a2b": [[296, 316]]}, "info": {"id": "cyner2_5class_train_05103", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Kinkisc.Worm Trojan.Dropper.SRY TrojanDownloader.Zlob.A4 Trojan.Fanny.MB TROJ_ZLOB.SMFM W32.Fanni Win32/Zlob.PL TROJ_ZLOB.SMFM Win.Worm.Autorun-7948 Trojan.Dropper.SRY Trojan.Win32.EquationDrug.n Trojan.Dropper.SRY Trojan.Win32.Downloader.184320.CW Trojan.Dropper.SRY Trojan.DownLoad2.36935 BehavesLike.Win32.Backdoor.ch Worm.Win32.Funny Worm/Win32.AutoRun Worm:Win32/Fanys.A Trojan.Win32.EquationDrug.n Trojan.Dropper.SRY Worm.Fanny Trojan.Dropper.SRY Trojan.Win32.Downloader.tyo Worm.Win32.Fanny.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Kinkisc.Worm": [[26, 42]], "Indicator: 
Trojan.Dropper.SRY": [[43, 61], [179, 197], [226, 244], [279, 297], [434, 452], [464, 482]], "Indicator: TrojanDownloader.Zlob.A4": [[62, 86]], "Indicator: Trojan.Fanny.MB": [[87, 102]], "Indicator: TROJ_ZLOB.SMFM": [[103, 117], [142, 156]], "Indicator: W32.Fanni": [[118, 127]], "Indicator: Win32/Zlob.PL": [[128, 141]], "Indicator: Win.Worm.Autorun-7948": [[157, 178]], "Indicator: Trojan.Win32.EquationDrug.n": [[198, 225], [406, 433]], "Indicator: Trojan.Win32.Downloader.184320.CW": [[245, 278]], "Indicator: Trojan.DownLoad2.36935": [[298, 320]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[321, 350]], "Indicator: Worm.Win32.Funny": [[351, 367]], "Indicator: Worm/Win32.AutoRun": [[368, 386]], "Indicator: Worm:Win32/Fanys.A": [[387, 405]], "Indicator: Worm.Fanny": [[453, 463]], "Indicator: Trojan.Win32.Downloader.tyo": [[483, 510]], "Indicator: Worm.Win32.Fanny.A": [[511, 529]]}, "info": {"id": "cyner2_5class_train_05104", "source": "cyner2_5class_train"}} +{"text": "Archive files ZIP, RAR, ACE, and ISOs containing EXE payloads", "spans": {"Indicator: Archive files ZIP, RAR, ACE,": [[0, 28]], "Indicator: ISOs": [[33, 37]], "Malware: EXE payloads": [[49, 61]]}, "info": {"id": "cyner2_5class_train_05105", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Autoit Trojan.Symmi.D10095 Trojan.Win32.Autoit.exnvng Trojan.Win32.Z.Autoit.1079042 Troj.W32.Autoit!c Trojan.Inject1.38999 Trojan.AutoIt.Win32.7 BehavesLike.Win32.Trojan.th Trojan.Win32.Eupuds Trojan.Autoit.ixi Trojan:Win32/BrobanEup.A Trojan.Autoit.Banker Win32.Trojan.Autoit.Szbl W32/Autoit.AAV!tr Win32/Trojan.839", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Autoit": [[26, 39]], "Indicator: Trojan.Symmi.D10095": [[40, 59]], "Indicator: Trojan.Win32.Autoit.exnvng": [[60, 86]], "Indicator: Trojan.Win32.Z.Autoit.1079042": [[87, 116]], "Indicator: Troj.W32.Autoit!c": [[117, 134]], "Indicator: Trojan.Inject1.38999": [[135, 155]], "Indicator: Trojan.AutoIt.Win32.7": [[156, 
177]], "Indicator: BehavesLike.Win32.Trojan.th": [[178, 205]], "Indicator: Trojan.Win32.Eupuds": [[206, 225]], "Indicator: Trojan.Autoit.ixi": [[226, 243]], "Indicator: Trojan:Win32/BrobanEup.A": [[244, 268]], "Indicator: Trojan.Autoit.Banker": [[269, 289]], "Indicator: Win32.Trojan.Autoit.Szbl": [[290, 314]], "Indicator: W32/Autoit.AAV!tr": [[315, 332]], "Indicator: Win32/Trojan.839": [[333, 349]]}, "info": {"id": "cyner2_5class_train_05106", "source": "cyner2_5class_train"}} +{"text": "Infecting legal web resources help spread mobile malware via popular websites .", "spans": {}, "info": {"id": "cyner2_5class_train_05107", "source": "cyner2_5class_train"}} +{"text": "We 've contacted the potentially affected users , disabled the applications on affected devices , and implemented changes in Verify Apps to protect all users .", "spans": {"System: Verify Apps": [[125, 136]]}, "info": {"id": "cyner2_5class_train_05108", "source": "cyner2_5class_train"}} +{"text": "ViperRAT has been operational for quite some time , with what appears to be a test application that surfaced in late 2015 .", "spans": {"Malware: ViperRAT": [[0, 8]]}, "info": {"id": "cyner2_5class_train_05109", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Mirleg.24544 Backdoor/Mirleg.a TROJ_LEMIR.KM Win.Trojan.Mirleg-1 Backdoor.Win32.Mirleg.a Trojan.Win32.Mirleg.dkdm Backdoor.Win32.Mirleg.24544 Backdoor.W32.Mirleg.a!c BackDoor.Mirshell Backdoor.Mirleg.Win32.3 TROJ_LEMIR.KM BehavesLike.Win32.VTFlooder.mc Trojan[Backdoor]/Win32.Mirleg Backdoor.Win32.Mirleg.a Backdoor:Win32/Mirle.A Backdoor.Mirleg Bck/Lmir.D Win32.Backdoor.Mirleg.Tbik Trojan.PSW.LMir!RFMQExC82yY Backdoor.Win32.EggDrop W32/BDoor.BCV!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Mirleg.24544": [[26, 51]], "Indicator: Backdoor/Mirleg.a": [[52, 69]], "Indicator: TROJ_LEMIR.KM": [[70, 83], [247, 260]], "Indicator: Win.Trojan.Mirleg-1": [[84, 103]], "Indicator: 
Backdoor.Win32.Mirleg.a": [[104, 127], [322, 345]], "Indicator: Trojan.Win32.Mirleg.dkdm": [[128, 152]], "Indicator: Backdoor.Win32.Mirleg.24544": [[153, 180]], "Indicator: Backdoor.W32.Mirleg.a!c": [[181, 204]], "Indicator: BackDoor.Mirshell": [[205, 222]], "Indicator: Backdoor.Mirleg.Win32.3": [[223, 246]], "Indicator: BehavesLike.Win32.VTFlooder.mc": [[261, 291]], "Indicator: Trojan[Backdoor]/Win32.Mirleg": [[292, 321]], "Indicator: Backdoor:Win32/Mirle.A": [[346, 368]], "Indicator: Backdoor.Mirleg": [[369, 384]], "Indicator: Bck/Lmir.D": [[385, 395]], "Indicator: Win32.Backdoor.Mirleg.Tbik": [[396, 422]], "Indicator: Trojan.PSW.LMir!RFMQExC82yY": [[423, 450]], "Indicator: Backdoor.Win32.EggDrop": [[451, 473]], "Indicator: W32/BDoor.BCV!tr.bdr": [[474, 494]]}, "info": {"id": "cyner2_5class_train_05110", "source": "cyner2_5class_train"}} +{"text": "We have named this tool BBSRAT.", "spans": {"Malware: tool BBSRAT.": [[19, 31]]}, "info": {"id": "cyner2_5class_train_05111", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.VB.EV Heuristic.Crypted", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.VB.EV": [[26, 40]], "Indicator: Heuristic.Crypted": [[41, 58]]}, "info": {"id": "cyner2_5class_train_05112", "source": "cyner2_5class_train"}} +{"text": "Always keep the \" Unknown Sources '' option disabled in the Android device .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner2_5class_train_05113", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Farfli.20223 Win32.Trojan.Farfli.t W32/Trojan.LJSX-0343 Backdoor.Trojan BKDR_ZEGOST.SM44 Trojan.Win32.Dwn.dxihqn TrojWare.Win32.AntiAV.~D Trojan.DownLoader16.26781 Trojan.Farfli.Win32.30753 BKDR_ZEGOST.SM44 BehavesLike.Win32.Backdoor.kc BDS/Backdoor.davcs Trj/CI.A Trojan.Farfli!Hj4dzX9BZUM Trojan-PWS.Win32.Bjlog", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Farfli.20223": [[26, 47]], "Indicator: Win32.Trojan.Farfli.t": 
[[48, 69]], "Indicator: W32/Trojan.LJSX-0343": [[70, 90]], "Indicator: Backdoor.Trojan": [[91, 106]], "Indicator: BKDR_ZEGOST.SM44": [[107, 123], [225, 241]], "Indicator: Trojan.Win32.Dwn.dxihqn": [[124, 147]], "Indicator: TrojWare.Win32.AntiAV.~D": [[148, 172]], "Indicator: Trojan.DownLoader16.26781": [[173, 198]], "Indicator: Trojan.Farfli.Win32.30753": [[199, 224]], "Indicator: BehavesLike.Win32.Backdoor.kc": [[242, 271]], "Indicator: BDS/Backdoor.davcs": [[272, 290]], "Indicator: Trj/CI.A": [[291, 299]], "Indicator: Trojan.Farfli!Hj4dzX9BZUM": [[300, 325]], "Indicator: Trojan-PWS.Win32.Bjlog": [[326, 348]]}, "info": {"id": "cyner2_5class_train_05114", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Hanove W32/Trojan.BLPJ-3540 Backdoor.Trojan Trojan-Dropper.Win32.Dapato.degm Trojan.Win32.Drop.ddlhu Trojan.MulDrop2.26538 BehavesLike.Win32.Trojan.fh TrojanDropper.Dapato.owp Trojan-Dropper.Win32.Dapato.degm Backdoor:Win32/Hanove.A Trojan/Win32.Hanove.C240436 Win32.Trojan-dropper.Dapato.Ebhb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hanove": [[26, 41]], "Indicator: W32/Trojan.BLPJ-3540": [[42, 62]], "Indicator: Backdoor.Trojan": [[63, 78]], "Indicator: Trojan-Dropper.Win32.Dapato.degm": [[79, 111], [211, 243]], "Indicator: Trojan.Win32.Drop.ddlhu": [[112, 135]], "Indicator: Trojan.MulDrop2.26538": [[136, 157]], "Indicator: BehavesLike.Win32.Trojan.fh": [[158, 185]], "Indicator: TrojanDropper.Dapato.owp": [[186, 210]], "Indicator: Backdoor:Win32/Hanove.A": [[244, 267]], "Indicator: Trojan/Win32.Hanove.C240436": [[268, 295]], "Indicator: Win32.Trojan-dropper.Dapato.Ebhb": [[296, 328]]}, "info": {"id": "cyner2_5class_train_05115", "source": "cyner2_5class_train"}} +{"text": "Its name originates from the Arabic word maktub which means this is written or this is fate", "spans": {}, "info": {"id": "cyner2_5class_train_05116", "source": "cyner2_5class_train"}} +{"text": "For most of its history it operated as a 
government department or public corporation .", "spans": {}, "info": {"id": "cyner2_5class_train_05117", "source": "cyner2_5class_train"}} +{"text": "In this version of Ursnif I have also encountered an internal peer-to-peer communication which could possibly add the ability for the sample to communicate with other Ursnif peers over the same network.", "spans": {"Malware: Ursnif": [[19, 25], [167, 173]], "Indicator: internal peer-to-peer communication": [[53, 88]]}, "info": {"id": "cyner2_5class_train_05118", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DownloaderHC.Trojan Trojan-Ransom.Win32.FraudBlocker!O Trojan/VB.bn TROJ_RANSVB.SMA Win32.Trojan.WisdomEyes.16070401.9500.9983 W32/MalwareS.U TROJ_RANSVB.SMA Trojan-Ransom.Win32.Chameleon.gfl Trojan.Win32.Chameleon.edluzm Trojan.Win32.A.FraudBlocker.9216.A[UPX] Win32.Trojan.Chameleon.Phqb Trojan.Winlock.364 Trojan.FakeAV.Win32.150033 W32/Risk.WDRB-6022 Trojan.Chameleon.c TR/Ransom.VB.BN Trojan:Win32/SMSer.F Troj.Downloader.W32.Small.l5Bd Trojan-Ransom.Win32.Chameleon.gfl Trojan/Win32.Chameleon.C2304852 SScope.Trojan.Validium.va Trojan.FraudBlocker!3BdV5QfTi3g Trojan-Ransom.Win32.Fullscreen W32/LockScreen.CH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloaderHC.Trojan": [[26, 49]], "Indicator: Trojan-Ransom.Win32.FraudBlocker!O": [[50, 84]], "Indicator: Trojan/VB.bn": [[85, 97]], "Indicator: TROJ_RANSVB.SMA": [[98, 113], [172, 187]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[114, 156]], "Indicator: W32/MalwareS.U": [[157, 171]], "Indicator: Trojan-Ransom.Win32.Chameleon.gfl": [[188, 221], [472, 505]], "Indicator: Trojan.Win32.Chameleon.edluzm": [[222, 251]], "Indicator: Trojan.Win32.A.FraudBlocker.9216.A[UPX]": [[252, 291]], "Indicator: Win32.Trojan.Chameleon.Phqb": [[292, 319]], "Indicator: Trojan.Winlock.364": [[320, 338]], "Indicator: Trojan.FakeAV.Win32.150033": [[339, 365]], "Indicator: W32/Risk.WDRB-6022": [[366, 384]], "Indicator: 
Trojan.Chameleon.c": [[385, 403]], "Indicator: TR/Ransom.VB.BN": [[404, 419]], "Indicator: Trojan:Win32/SMSer.F": [[420, 440]], "Indicator: Troj.Downloader.W32.Small.l5Bd": [[441, 471]], "Indicator: Trojan/Win32.Chameleon.C2304852": [[506, 537]], "Indicator: SScope.Trojan.Validium.va": [[538, 563]], "Indicator: Trojan.FraudBlocker!3BdV5QfTi3g": [[564, 595]], "Indicator: Trojan-Ransom.Win32.Fullscreen": [[596, 626]], "Indicator: W32/LockScreen.CH!tr": [[627, 647]]}, "info": {"id": "cyner2_5class_train_05119", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Win32/Tnega.THZ BehavesLike.Win32.Downloader.hh PWS:Win32/Tibia.BB Trojan.Zusy.Elzob.D6208 Trojan/Win32.Scar.R8662", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[26, 68]], "Indicator: Win32/Tnega.THZ": [[69, 84]], "Indicator: BehavesLike.Win32.Downloader.hh": [[85, 116]], "Indicator: PWS:Win32/Tibia.BB": [[117, 135]], "Indicator: Trojan.Zusy.Elzob.D6208": [[136, 159]], "Indicator: Trojan/Win32.Scar.R8662": [[160, 183]]}, "info": {"id": "cyner2_5class_train_05120", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Exploit/W32.CAN.28672 Exploit.CAN Trojan/Exploit.CAN.2002-0649.a TROJ_SQLEXP.A TROJ_SQLEXP.A Win.Trojan.Exploit-173 Exploit.Win32.CAN.2002-0649.a Exploit.Win32.CAN-2002-0649.gpav Trojan.Win32.Exploit.28672.A Exploit.W32.CAN.2002-0649.a!c Exploit.Sqlck Exploit.CAN.Win32.23 W32/Risk.DCEZ-2564 Exploit.CAN.g TR/Expl.CAN-2002-0649.A Trojan[Exploit]/Win32.CAN Exploit.Win32.CAN.2002-0649.a Exploit:Win32/CAN20020649.A Exploit.CAN Win32/Exploit.CAN-2002-0649.A Win32.Exploit.Can.Eeqq W32/ThcSQL.A!exploit Win32/Trojan.Exploit.96c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Exploit/W32.CAN.28672": [[26, 54]], "Indicator: Exploit.CAN": [[55, 66], [447, 458]], "Indicator: Trojan/Exploit.CAN.2002-0649.a": [[67, 97]], "Indicator: TROJ_SQLEXP.A": [[98, 
111], [112, 125]], "Indicator: Win.Trojan.Exploit-173": [[126, 148]], "Indicator: Exploit.Win32.CAN.2002-0649.a": [[149, 178], [389, 418]], "Indicator: Exploit.Win32.CAN-2002-0649.gpav": [[179, 211]], "Indicator: Trojan.Win32.Exploit.28672.A": [[212, 240]], "Indicator: Exploit.W32.CAN.2002-0649.a!c": [[241, 270]], "Indicator: Exploit.Sqlck": [[271, 284]], "Indicator: Exploit.CAN.Win32.23": [[285, 305]], "Indicator: W32/Risk.DCEZ-2564": [[306, 324]], "Indicator: Exploit.CAN.g": [[325, 338]], "Indicator: TR/Expl.CAN-2002-0649.A": [[339, 362]], "Indicator: Trojan[Exploit]/Win32.CAN": [[363, 388]], "Indicator: Exploit:Win32/CAN20020649.A": [[419, 446]], "Indicator: Win32/Exploit.CAN-2002-0649.A": [[459, 488]], "Indicator: Win32.Exploit.Can.Eeqq": [[489, 511]], "Indicator: W32/ThcSQL.A!exploit": [[512, 532]], "Indicator: Win32/Trojan.Exploit.96c": [[533, 557]]}, "info": {"id": "cyner2_5class_train_05121", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan Trojan.Win32.DownLoad3.evepic Win32.Trojan.Spy.Pgde Trojan.DownLoad3.47177 BehavesLike.Win32.Downloader.lm W32/Trojan.XTOU-1556 Trojan:Win32/Netfosor.A!dha Trojan/Win32.Netfosor.C1246582 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: Trojan.Win32.DownLoad3.evepic": [[85, 114]], "Indicator: Win32.Trojan.Spy.Pgde": [[115, 136]], "Indicator: Trojan.DownLoad3.47177": [[137, 159]], "Indicator: BehavesLike.Win32.Downloader.lm": [[160, 191]], "Indicator: W32/Trojan.XTOU-1556": [[192, 212]], "Indicator: Trojan:Win32/Netfosor.A!dha": [[213, 240]], "Indicator: Trojan/Win32.Netfosor.C1246582": [[241, 271]], "Indicator: Trj/GdSda.A": [[272, 283]]}, "info": {"id": "cyner2_5class_train_05122", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Deborm.AC@mm Worm.Win32.Deborm!O Worm.Deborm 
Win32.Deborm.AC@mm Win32.Trojan.WisdomEyes.16070401.9500.9895 W32.HLLW.Deborms Win.Downloader.88-1 Win32.Deborm.AC@mm Worm.Win32.Deborm.ac Win32.Deborm.AC@mm Trojan.Win32.Deborm.fvmw Worm.W32.Deborm!c Win32.Deborm.AC@mm Win32.HLLW.Deborm.27 BehavesLike.Win32.Downloader.nz BehavesLike.Win32.ExplorerHijack WORM/Deborm.AC Worm:Win32/Deborm.AC Win32.Deborm.E5BBB3 Worm.Win32.Deborm.ac Worm.Deborm Win32.Deborm.AC@mm Trj/CI.A Win32.Worm.Deborm.Pjxe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Deborm.AC@mm": [[26, 44], [77, 95], [176, 194], [216, 234], [278, 296], [472, 490]], "Indicator: Worm.Win32.Deborm!O": [[45, 64]], "Indicator: Worm.Deborm": [[65, 76], [460, 471]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9895": [[96, 138]], "Indicator: W32.HLLW.Deborms": [[139, 155]], "Indicator: Win.Downloader.88-1": [[156, 175]], "Indicator: Worm.Win32.Deborm.ac": [[195, 215], [439, 459]], "Indicator: Trojan.Win32.Deborm.fvmw": [[235, 259]], "Indicator: Worm.W32.Deborm!c": [[260, 277]], "Indicator: Win32.HLLW.Deborm.27": [[297, 317]], "Indicator: BehavesLike.Win32.Downloader.nz": [[318, 349]], "Indicator: BehavesLike.Win32.ExplorerHijack": [[350, 382]], "Indicator: WORM/Deborm.AC": [[383, 397]], "Indicator: Worm:Win32/Deborm.AC": [[398, 418]], "Indicator: Win32.Deborm.E5BBB3": [[419, 438]], "Indicator: Trj/CI.A": [[491, 499]], "Indicator: Win32.Worm.Deborm.Pjxe": [[500, 522]]}, "info": {"id": "cyner2_5class_train_05123", "source": "cyner2_5class_train"}} +{"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 .", "spans": {"Organization: Apple": [[91, 96]]}, "info": {"id": "cyner2_5class_train_05124", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.10163 Trojan.Barys.DE0C3 Win32/Tnega.CfKWaYC Trojan.Click2.60391 BehavesLike.Win32.Autorun.vc Trojan-Banker.Win32.Banker HackTool:Win32/Asoka.A Unwanted/Win32.HackTool.R76574", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.10163": [[26, 46]], "Indicator: Trojan.Barys.DE0C3": [[47, 65]], "Indicator: Win32/Tnega.CfKWaYC": [[66, 85]], "Indicator: Trojan.Click2.60391": [[86, 105]], "Indicator: BehavesLike.Win32.Autorun.vc": [[106, 134]], "Indicator: Trojan-Banker.Win32.Banker": [[135, 161]], "Indicator: HackTool:Win32/Asoka.A": [[162, 184]], "Indicator: Unwanted/Win32.HackTool.R76574": [[185, 215]]}, "info": {"id": "cyner2_5class_train_05125", "source": "cyner2_5class_train"}} +{"text": "Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish.", "spans": {"Organization: Talos": [[0, 5]], "Indicator: email-based attack": [[24, 42]], "Organization: the energy sector,": [[53, 71]], "Organization: nuclear power,": [[82, 96]], "Indicator: classic word document attachment phish.": [[125, 164]]}, "info": {"id": "cyner2_5class_train_05126", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan-Downloader.Win32.Delf.koxi Trojan.Win32.Delf.eurqqv Trojan.Win32.Z.Delf.2321408 Downloader.Delf.Win32.55823 BehavesLike.Win32.Dropper.vh W32/Trojan.VVSX-7495 TR/Dldr.Delf.xofbe Trojan-Downloader.Win32.Delf.koxi Trj/GdSda.A Trojan-Downloader.Win32.Delf W32/Delf.CFW!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9926": [[26, 68]], "Indicator: Trojan-Downloader.Win32.Delf.koxi": [[69, 102], [253, 286]], "Indicator: Trojan.Win32.Delf.eurqqv": [[103, 127]], "Indicator: Trojan.Win32.Z.Delf.2321408": [[128, 155]], "Indicator: Downloader.Delf.Win32.55823": [[156, 183]], "Indicator: BehavesLike.Win32.Dropper.vh": [[184, 212]], "Indicator: W32/Trojan.VVSX-7495": [[213, 233]], "Indicator: TR/Dldr.Delf.xofbe": [[234, 252]], "Indicator: Trj/GdSda.A": [[287, 298]], "Indicator: Trojan-Downloader.Win32.Delf": [[299, 327]], "Indicator: 
W32/Delf.CFW!tr.dldr": [[328, 348]]}, "info": {"id": "cyner2_5class_train_05127", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9963 W32.Mytob@mm Net-Worm.Win32.Mytob.bf W32.W.VBNA.tni6 TrojWare.Win32.TrojanDownloader.Delf.accr Win32.HLLM.MyDoom.based BehavesLike.Win32.Trojan.pc Net-Worm.Win32.Mytob Worm/Mytob.atd WORM/Mytob.MD Trojan/Win32.Rukap.C17970 Win32.Trojan.Hoster.Heur", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[26, 68]], "Indicator: W32.Mytob@mm": [[69, 81]], "Indicator: Net-Worm.Win32.Mytob.bf": [[82, 105]], "Indicator: W32.W.VBNA.tni6": [[106, 121]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.accr": [[122, 163]], "Indicator: Win32.HLLM.MyDoom.based": [[164, 187]], "Indicator: BehavesLike.Win32.Trojan.pc": [[188, 215]], "Indicator: Net-Worm.Win32.Mytob": [[216, 236]], "Indicator: Worm/Mytob.atd": [[237, 251]], "Indicator: WORM/Mytob.MD": [[252, 265]], "Indicator: Trojan/Win32.Rukap.C17970": [[266, 291]], "Indicator: Win32.Trojan.Hoster.Heur": [[292, 316]]}, "info": {"id": "cyner2_5class_train_05128", "source": "cyner2_5class_train"}} +{"text": "Since in Android 8.0 ( SDK API 26 ) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols .", "spans": {"System: Android 8.0": [[9, 20]]}, "info": {"id": "cyner2_5class_train_05129", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Small!O Win32.Trojan.WisdomEyes.16070401.9500.9996 Backdoor.Trojan BKDR_PUDORATE.A Win.Trojan.Pudorat-2 Trojan-Dropper.Win32.Small.ix Trojan.Win32.Pudorat.uvlp BackDoor.PudoRat Dropper.Small.Win32.205 BKDR_PUDORATE.A W32/Trojan.ATSN-3573 Backdoor/Pudorat.e BDS/Pudorat.E.Srv Trojan[Backdoor]/Win32.Pudorat 
Trojan.Graftor.Elzob.D2736 Trojan-Dropper.Win32.Small.ix Backdoor:Win32/Pudorat.E Trojan/Win32.Small.R102192 Backdoor.Pudorat Trojan.DR.Small!n8WI7XFkeRA Backdoor.Win32.Pudorat.G W32/Pudorat.E!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Small!O": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[55, 97]], "Indicator: Backdoor.Trojan": [[98, 113]], "Indicator: BKDR_PUDORATE.A": [[114, 129], [248, 263]], "Indicator: Win.Trojan.Pudorat-2": [[130, 150]], "Indicator: Trojan-Dropper.Win32.Small.ix": [[151, 180], [380, 409]], "Indicator: Trojan.Win32.Pudorat.uvlp": [[181, 206]], "Indicator: BackDoor.PudoRat": [[207, 223]], "Indicator: Dropper.Small.Win32.205": [[224, 247]], "Indicator: W32/Trojan.ATSN-3573": [[264, 284]], "Indicator: Backdoor/Pudorat.e": [[285, 303]], "Indicator: BDS/Pudorat.E.Srv": [[304, 321]], "Indicator: Trojan[Backdoor]/Win32.Pudorat": [[322, 352]], "Indicator: Trojan.Graftor.Elzob.D2736": [[353, 379]], "Indicator: Backdoor:Win32/Pudorat.E": [[410, 434]], "Indicator: Trojan/Win32.Small.R102192": [[435, 461]], "Indicator: Backdoor.Pudorat": [[462, 478]], "Indicator: Trojan.DR.Small!n8WI7XFkeRA": [[479, 506]], "Indicator: Backdoor.Win32.Pudorat.G": [[507, 531]], "Indicator: W32/Pudorat.E!tr.bdr": [[532, 552]]}, "info": {"id": "cyner2_5class_train_05130", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Katusha.Win32.25040 Win.Trojan.357100-1 Trojan.Win32.Abacab.zfokj BackDoor.Abacab.102 Trojan[Backdoor]/Win32.Revell Backdoor:Win32/Revell.1_02 Win32.Virus.Temcac.A@dam W32/Revll.102!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Katusha.Win32.25040": [[26, 52]], "Indicator: Win.Trojan.357100-1": [[53, 72]], "Indicator: Trojan.Win32.Abacab.zfokj": [[73, 98]], "Indicator: BackDoor.Abacab.102": [[99, 118]], "Indicator: Trojan[Backdoor]/Win32.Revell": [[119, 148]], "Indicator: Backdoor:Win32/Revell.1_02": [[149, 175]], "Indicator: 
Win32.Virus.Temcac.A@dam": [[176, 200]], "Indicator: W32/Revll.102!tr.bdr": [[201, 221]]}, "info": {"id": "cyner2_5class_train_05131", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.TrodowsLTK.Trojan Trojan/Cosmu.atqv BehavesLike.Win32.AdwareRBlast.dm Trojan.Zusy.Elzob.D560E Trojan.Win32.A.Cosmu.83456[h] Dropper/Malware.253952.FL TrojanDropper:Win32/Blmoon.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TrodowsLTK.Trojan": [[26, 47]], "Indicator: Trojan/Cosmu.atqv": [[48, 65]], "Indicator: BehavesLike.Win32.AdwareRBlast.dm": [[66, 99]], "Indicator: Trojan.Zusy.Elzob.D560E": [[100, 123]], "Indicator: Trojan.Win32.A.Cosmu.83456[h]": [[124, 153]], "Indicator: Dropper/Malware.253952.FL": [[154, 179]], "Indicator: TrojanDropper:Win32/Blmoon.A": [[180, 208]]}, "info": {"id": "cyner2_5class_train_05132", "source": "cyner2_5class_train"}} +{"text": "DOC and XLS files with malicious macros", "spans": {"Indicator: DOC": [[0, 3]], "Indicator: XLS files": [[8, 17]], "Malware: malicious macros": [[23, 39]]}, "info": {"id": "cyner2_5class_train_05133", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Trojan.Downloader.VU TrojanDownloader.Podcast Trojan/Downloader.Adload.ci Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Downloader.AIEZ TROJ_DLOADR.CH Win.Downloader.Adload-85 Dropped:Trojan.Downloader.VU Trojan-Downloader.Win32.Adload.amn Dropped:Trojan.Downloader.VU Trojan.Win32.Delf.epwf Trojan.Win32.Downloader.140800.D Dropped:Trojan.Downloader.VU TrojWare.Win32.TrojanDownloader.Adload.CI Dropped:Trojan.Downloader.VU Trojan.DownLoader6.4157 TROJ_DLOADR.CH BehavesLike.Win32.Fujacks.cc Downloader.Delphi W32/Downloader.RKBR-2696 TrojanDownloader.Adload.hk Adware.DollarRevenue TR/Drop.Start.abk.4 Trojan[Downloader]/Win32.Adload Trojan.Downloader.VU Troj.Downloader.W32.Adload.amn!c Trojan-Downloader.Win32.Adload.amn Trojan/Win32.Banload.R41470 Dropped:Trojan.Downloader.VU Trojan-Downloader.Win32.10213 
Win32/TrojanDownloader.Adload.CI Win32.Trojan-downloader.Adload.Pkqr Trojan.DL.Adload!u3IAhoIxyiU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Trojan.Downloader.VU": [[26, 54], [211, 239], [275, 303], [360, 388], [431, 459], [788, 816]], "Indicator: TrojanDownloader.Podcast": [[55, 79]], "Indicator: Trojan/Downloader.Adload.ci": [[80, 107]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[108, 150]], "Indicator: W32/Downloader.AIEZ": [[151, 170]], "Indicator: TROJ_DLOADR.CH": [[171, 185], [484, 498]], "Indicator: Win.Downloader.Adload-85": [[186, 210]], "Indicator: Trojan-Downloader.Win32.Adload.amn": [[240, 274], [725, 759]], "Indicator: Trojan.Win32.Delf.epwf": [[304, 326]], "Indicator: Trojan.Win32.Downloader.140800.D": [[327, 359]], "Indicator: TrojWare.Win32.TrojanDownloader.Adload.CI": [[389, 430]], "Indicator: Trojan.DownLoader6.4157": [[460, 483]], "Indicator: BehavesLike.Win32.Fujacks.cc": [[499, 527]], "Indicator: Downloader.Delphi": [[528, 545]], "Indicator: W32/Downloader.RKBR-2696": [[546, 570]], "Indicator: TrojanDownloader.Adload.hk": [[571, 597]], "Indicator: Adware.DollarRevenue": [[598, 618]], "Indicator: TR/Drop.Start.abk.4": [[619, 638]], "Indicator: Trojan[Downloader]/Win32.Adload": [[639, 670]], "Indicator: Trojan.Downloader.VU": [[671, 691]], "Indicator: Troj.Downloader.W32.Adload.amn!c": [[692, 724]], "Indicator: Trojan/Win32.Banload.R41470": [[760, 787]], "Indicator: Trojan-Downloader.Win32.10213": [[817, 846]], "Indicator: Win32/TrojanDownloader.Adload.CI": [[847, 879]], "Indicator: Win32.Trojan-downloader.Adload.Pkqr": [[880, 915]], "Indicator: Trojan.DL.Adload!u3IAhoIxyiU": [[916, 944]]}, "info": {"id": "cyner2_5class_train_05134", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.FcodeNHc.Trojan Trojan.Dorv.S8319 Ransom.FileLocker Trojan.Foreign.Win32.9536 Ransom.FileLocker/Variant Trojan/Kryptik.aykk Win32.Trojan.Filecoder.u RANSOM_CRYPNAN_GA250444.UVPM 
Trojan.Win32.Encoder.egvznv Trojan-Ransom.Win32.FileCoder.nan Backdoor.Win32.Hlux.NAN Trojan.Encoder.217 RANSOM_CRYPNAN_GA250444.UVPM BehavesLike.Win32.PWSZbot.dh Trojan/Foreign.ewc Trojan[Ransom]/Win32.Foreign Ransom:Win32/Haperlock.A Trojan.Symmi.D4C7E Trojan/Win32.Foreign.R61679 BScope.Malware-Cryptor.Hlux Win32/Filecoder.NAN Trojan.Foreign!VfdOCZ5FB8A Trojan.Win32.Sisron Trj/Dtcontx.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.FcodeNHc.Trojan": [[26, 51]], "Indicator: Trojan.Dorv.S8319": [[52, 69]], "Indicator: Ransom.FileLocker": [[70, 87]], "Indicator: Trojan.Foreign.Win32.9536": [[88, 113]], "Indicator: Ransom.FileLocker/Variant": [[114, 139]], "Indicator: Trojan/Kryptik.aykk": [[140, 159]], "Indicator: Win32.Trojan.Filecoder.u": [[160, 184]], "Indicator: RANSOM_CRYPNAN_GA250444.UVPM": [[185, 213], [319, 347]], "Indicator: Trojan.Win32.Encoder.egvznv": [[214, 241]], "Indicator: Trojan-Ransom.Win32.FileCoder.nan": [[242, 275]], "Indicator: Backdoor.Win32.Hlux.NAN": [[276, 299]], "Indicator: Trojan.Encoder.217": [[300, 318]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[348, 376]], "Indicator: Trojan/Foreign.ewc": [[377, 395]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[396, 424]], "Indicator: Ransom:Win32/Haperlock.A": [[425, 449]], "Indicator: Trojan.Symmi.D4C7E": [[450, 468]], "Indicator: Trojan/Win32.Foreign.R61679": [[469, 496]], "Indicator: BScope.Malware-Cryptor.Hlux": [[497, 524]], "Indicator: Win32/Filecoder.NAN": [[525, 544]], "Indicator: Trojan.Foreign!VfdOCZ5FB8A": [[545, 571]], "Indicator: Trojan.Win32.Sisron": [[572, 591]], "Indicator: Trj/Dtcontx.D": [[592, 605]]}, "info": {"id": "cyner2_5class_train_05135", "source": "cyner2_5class_train"}} +{"text": "This report contains indicators of compromise IOCs and technical details on the tactics, techniques, and procedures TTPs used by APT actors on compromised victims' networks.", "spans": {"Indicator: indicators of compromise IOCs": [[21, 50]], "System: victims' networks.": 
[[155, 173]]}, "info": {"id": "cyner2_5class_train_05136", "source": "cyner2_5class_train"}} +{"text": "List of PlugX Command And Control servers used to attack targets in Asia.", "spans": {"Malware: PlugX": [[8, 13]], "Indicator: Command": [[14, 21]], "Indicator: And": [[22, 25]], "Indicator: Control": [[26, 33]], "Indicator: servers": [[34, 41]], "Indicator: attack": [[50, 56]]}, "info": {"id": "cyner2_5class_train_05137", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Chyopic!O Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_OGRAN.A Win.Trojan.Downloader-30022 Trojan.Win32.Chyopic.bksyf Trojan.Win32.S.Downloader.9984.A Backdoor.W32.Chyopic.bu!c Backdoor.Win32.Chyopic.A BackDoor.ClDdos.6 TROJ_OGRAN.A BehavesLike.Win32.FDoSBEnergy.zh TrojanDownloader.Ogran.j Trojan:Win32/Chcod.A Trojan[Backdoor]/Win32.Chyopic Trojan:Win32/Chcod.A Trojan/Win32.HDC.C33704 Trojan.Chcod!5jj9mkC/wqU Backdoor.Win32.Chyopic Win32/Backdoor.7b0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Chyopic!O": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: TROJ_OGRAN.A": [[94, 106], [264, 276]], "Indicator: Win.Trojan.Downloader-30022": [[107, 134]], "Indicator: Trojan.Win32.Chyopic.bksyf": [[135, 161]], "Indicator: Trojan.Win32.S.Downloader.9984.A": [[162, 194]], "Indicator: Backdoor.W32.Chyopic.bu!c": [[195, 220]], "Indicator: Backdoor.Win32.Chyopic.A": [[221, 245]], "Indicator: BackDoor.ClDdos.6": [[246, 263]], "Indicator: BehavesLike.Win32.FDoSBEnergy.zh": [[277, 309]], "Indicator: TrojanDownloader.Ogran.j": [[310, 334]], "Indicator: Trojan:Win32/Chcod.A": [[335, 355], [387, 407]], "Indicator: Trojan[Backdoor]/Win32.Chyopic": [[356, 386]], "Indicator: Trojan/Win32.HDC.C33704": [[408, 431]], "Indicator: Trojan.Chcod!5jj9mkC/wqU": [[432, 456]], "Indicator: Backdoor.Win32.Chyopic": [[457, 479]], "Indicator: Win32/Backdoor.7b0": [[480, 498]]}, "info": {"id": "cyner2_5class_train_05138", 
"source": "cyner2_5class_train"}} +{"text": "The customization doesn t end with the lure; the malware used in the campaigns is also targeted by region and vertical.", "spans": {"Malware: malware": [[49, 56]]}, "info": {"id": "cyner2_5class_train_05139", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Risktool.Flystudio.17330 DDOS_NITOL.SMD DDOS_NITOL.SMD Win.Trojan.7486152-1 Backdoor.Win32.Sethift.a Trojan.Win32.Spambot.wpwqo Trojan.Spambot.10932 BehavesLike.Win32.Downloader.qc Trojan.Win32.MicroFake Backdoor.Win32.Sethift.a Backdoor:Win32/Payduse.A!bit Trojan/Win32.PbBot.R11181 Trojan.Cosmu Trj/CI.A W32/Nitol.C Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Risktool.Flystudio.17330": [[26, 50]], "Indicator: DDOS_NITOL.SMD": [[51, 65], [66, 80]], "Indicator: Win.Trojan.7486152-1": [[81, 101]], "Indicator: Backdoor.Win32.Sethift.a": [[102, 126], [230, 254]], "Indicator: Trojan.Win32.Spambot.wpwqo": [[127, 153]], "Indicator: Trojan.Spambot.10932": [[154, 174]], "Indicator: BehavesLike.Win32.Downloader.qc": [[175, 206]], "Indicator: Trojan.Win32.MicroFake": [[207, 229]], "Indicator: Backdoor:Win32/Payduse.A!bit": [[255, 283]], "Indicator: Trojan/Win32.PbBot.R11181": [[284, 309]], "Indicator: Trojan.Cosmu": [[310, 322]], "Indicator: Trj/CI.A": [[323, 331]], "Indicator: W32/Nitol.C": [[332, 343]], "Indicator: Win32/Trojan.b7f": [[344, 360]]}, "info": {"id": "cyner2_5class_train_05140", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.Q Win.Trojan.Virut-377 Virus.Win32.Virut.q Virus.Win32.Virut.hpeg Win32.Virut.5 Virus.Virut.Win32.1938 PE_VIRUX.Q BehavesLike.Win32.Ipamor.lh Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus:Win32/Virut.BN W32.Virut.l5he Virus.Win32.Virut.q Win32/Virut.F Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.DsBot W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: W32.Virut.CF": [[73, 85]], "Indicator: Win32/Virut.17408": [[86, 103]], "Indicator: PE_VIRUX.Q": [[104, 114], [216, 226]], "Indicator: Win.Trojan.Virut-377": [[115, 135]], "Indicator: Virus.Win32.Virut.q": [[136, 155], [348, 367]], "Indicator: Virus.Win32.Virut.hpeg": [[156, 178]], "Indicator: Win32.Virut.5": [[179, 192]], "Indicator: Virus.Virut.Win32.1938": [[193, 215]], "Indicator: BehavesLike.Win32.Ipamor.lh": [[227, 254]], "Indicator: Win32/Virut.bn": [[255, 269]], "Indicator: Virus/Win32.Virut.ce": [[270, 290]], "Indicator: Win32.Virut.cr.61440": [[291, 311]], "Indicator: Virus:Win32/Virut.BN": [[312, 332]], "Indicator: W32.Virut.l5he": [[333, 347]], "Indicator: Win32/Virut.F": [[368, 381]], "Indicator: Virus.Virut.13": [[382, 396]], "Indicator: Win32/Virut.NBP": [[397, 412]], "Indicator: Backdoor.Win32.DsBot": [[413, 433]], "Indicator: W32/Sality.AO": [[434, 447]]}, "info": {"id": "cyner2_5class_train_05141", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Android.Trojan.FakeApp.FC Trojan:Fakebank.B Android.Trojan.FakeApp.FC HEUR:Trojan-Banker.AndroidOS.Asacub.ab A.H.Ste.Banker.B Android.BankBot.221.origin HEUR:Trojan-Banker.AndroidOS.Asacub.ab Android-Trojan/Banker.5d288 a.privacy.spiderbank Trojan-Banker.AndroidOS.RuBank Android/SpyBanker.HH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.FakeApp.FC": [[43, 68], [87, 112]], "Indicator: Trojan:Fakebank.B": [[69, 86]], "Indicator: HEUR:Trojan-Banker.AndroidOS.Asacub.ab": [[113, 151], [196, 234]], "Indicator: A.H.Ste.Banker.B": [[152, 168]], "Indicator: Android.BankBot.221.origin": [[169, 195]], "Indicator: Android-Trojan/Banker.5d288": [[235, 262]], "Indicator: a.privacy.spiderbank": [[263, 283]], "Indicator: Trojan-Banker.AndroidOS.RuBank": [[284, 314]], "Indicator: Android/SpyBanker.HH!tr": [[315, 338]]}, 
"info": {"id": "cyner2_5class_train_05142", "source": "cyner2_5class_train"}} +{"text": "Some of the settings include : The URL of the C & C server Service wake-up intervals Important package names Accessibility permissions status Lockdown screen status Recording status SMS app status Kill switch status Stealth To keep its resources safer and make analysis more difficult for researchers , TrickMo uses an obfuscator to scramble the names of its functions , classes and variables .", "spans": {"Malware: TrickMo": [[303, 310]]}, "info": {"id": "cyner2_5class_train_05143", "source": "cyner2_5class_train"}} +{"text": "The panels also contain Thai JavaScript comments and the domain names also contain references to Thai food , a tactic commonly employed to entice users to click/visit these C2 panels without much disruption .", "spans": {}, "info": {"id": "cyner2_5class_train_05144", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS.Win32.Banker.1!O Trojan/Kryptik.adfi Win32.Trojan.WisdomEyes.16070401.9500.9985 Infostealer.Bancos TROJ_BANKPTCH.SMA Trojan.PWS.Banker1.4670 TROJ_BANKPTCH.SMA Trojan-PWS.Win32.Banker Trojan/Menti.uci W32.Infostealer.Banker TR/Menti.A.2 Trojan/Win32.Unknown PWS:Win32/Banjori.A Trojan.Kazy.DFB0D TScope.Malware-Cryptor.SB W32/Krypt.CLE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS.Win32.Banker.1!O": [[26, 53]], "Indicator: Trojan/Kryptik.adfi": [[54, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[74, 116]], "Indicator: Infostealer.Bancos": [[117, 135]], "Indicator: TROJ_BANKPTCH.SMA": [[136, 153], [178, 195]], "Indicator: Trojan.PWS.Banker1.4670": [[154, 177]], "Indicator: Trojan-PWS.Win32.Banker": [[196, 219]], "Indicator: Trojan/Menti.uci": [[220, 236]], "Indicator: W32.Infostealer.Banker": [[237, 259]], "Indicator: TR/Menti.A.2": [[260, 272]], "Indicator: Trojan/Win32.Unknown": [[273, 293]], "Indicator: PWS:Win32/Banjori.A": [[294, 313]], "Indicator: Trojan.Kazy.DFB0D": 
[[314, 331]], "Indicator: TScope.Malware-Cryptor.SB": [[332, 357]], "Indicator: W32/Krypt.CLE!tr": [[358, 374]]}, "info": {"id": "cyner2_5class_train_05145", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PDF/Dropper.C!Camelot Bloodhound.PDF.24 PDF/Exploit.Pidief.PIT Heuristics.PDF.ObfuscatedNameObject Trojan.Script.ExpKit.esqnwi Exploit.PDF.Pidief.f Exploit.PDF.889 HEUR_PDFEXP.D BehavesLike.PDF.BadFile.dx PDF/Dropper.C EXP/Pidief.akc Exploit:Win32/Pdfdrop.D JS/SARS.S139 possible-Threat.PDF.Acmd VBS/BanLoader.BBAF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF/Dropper.C!Camelot": [[26, 47]], "Indicator: Bloodhound.PDF.24": [[48, 65]], "Indicator: PDF/Exploit.Pidief.PIT": [[66, 88]], "Indicator: Heuristics.PDF.ObfuscatedNameObject": [[89, 124]], "Indicator: Trojan.Script.ExpKit.esqnwi": [[125, 152]], "Indicator: Exploit.PDF.Pidief.f": [[153, 173]], "Indicator: Exploit.PDF.889": [[174, 189]], "Indicator: HEUR_PDFEXP.D": [[190, 203]], "Indicator: BehavesLike.PDF.BadFile.dx": [[204, 230]], "Indicator: PDF/Dropper.C": [[231, 244]], "Indicator: EXP/Pidief.akc": [[245, 259]], "Indicator: Exploit:Win32/Pdfdrop.D": [[260, 283]], "Indicator: JS/SARS.S139": [[284, 296]], "Indicator: possible-Threat.PDF.Acmd": [[297, 321]], "Indicator: VBS/BanLoader.BBAF!tr": [[322, 343]]}, "info": {"id": "cyner2_5class_train_05146", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9772 Win32.Worm.Autorun.R Trojan.Win32.Inject.srauk Heur.Packed.Unknown Trojan/Jorik.bmit TrojanDownloader:Win32/Roker.A W32/Llac.SHV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9772": [[26, 68]], "Indicator: Win32.Worm.Autorun.R": [[69, 89]], "Indicator: Trojan.Win32.Inject.srauk": [[90, 115]], "Indicator: Heur.Packed.Unknown": [[116, 135]], "Indicator: Trojan/Jorik.bmit": [[136, 153]], "Indicator: TrojanDownloader:Win32/Roker.A": [[154, 184]], "Indicator: 
W32/Llac.SHV!tr": [[185, 200]]}, "info": {"id": "cyner2_5class_train_05147", "source": "cyner2_5class_train"}} +{"text": "And in an unusual reversal of typical bank phishing social engineering tactics, the phishing emails purport to be from the bank's customers.", "spans": {"Indicator: bank phishing": [[38, 51]], "Indicator: the phishing emails": [[80, 99]], "Organization: the bank's customers.": [[119, 140]]}, "info": {"id": "cyner2_5class_train_05148", "source": "cyner2_5class_train"}} +{"text": "For example , we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms .", "spans": {"System: Android": [[63, 70]]}, "info": {"id": "cyner2_5class_train_05149", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.B01F Ransom_Troldesh.R011C0DB318 Win32.Trojan.WisdomEyes.16070401.9500.9997 Ransom_Troldesh.R011C0DB318 Trojan-Ransom.Win32.Shade.onr Troj.Ransom.W32.Shade!c Trojan.MulDrop7.59017 BehavesLike.Win32.ObfusRansom.dc TR/Injector.cjsif Ransom:Win32/Troldesh.A Trojan-Ransom.Win32.Shade.onr Trojan/Win32.Shade.R219897 TrojanRansom.Shade Ransom.Shade Trj/CI.A NSIS/Injector.YO Win32.Trojan.Shade.Szbw W32/Injector.YD!tr Win32/Trojan.Ransom.c29", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.B01F": [[26, 42]], "Indicator: Ransom_Troldesh.R011C0DB318": [[43, 70], [114, 141]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[71, 113]], "Indicator: Trojan-Ransom.Win32.Shade.onr": [[142, 171], [293, 322]], "Indicator: Troj.Ransom.W32.Shade!c": [[172, 195]], "Indicator: Trojan.MulDrop7.59017": [[196, 217]], "Indicator: BehavesLike.Win32.ObfusRansom.dc": [[218, 250]], "Indicator: TR/Injector.cjsif": [[251, 268]], "Indicator: Ransom:Win32/Troldesh.A": [[269, 292]], "Indicator: Trojan/Win32.Shade.R219897": [[323, 349]], "Indicator: TrojanRansom.Shade": [[350, 368]], "Indicator: 
Ransom.Shade": [[369, 381]], "Indicator: Trj/CI.A": [[382, 390]], "Indicator: NSIS/Injector.YO": [[391, 407]], "Indicator: Win32.Trojan.Shade.Szbw": [[408, 431]], "Indicator: W32/Injector.YD!tr": [[432, 450]], "Indicator: Win32/Trojan.Ransom.c29": [[451, 474]]}, "info": {"id": "cyner2_5class_train_05150", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ServicesIpripA.Trojan Trojan.Ripinip.C Backdoor/W32.Ripinip.20480.L Backdoor.Win32.Ripinip!O Backdoor.Ripinip.28625 Trojan.Ripinip.C Backdoor/Ripinip.eea Trojan.Ripinip.C Win32.Backdoor.Ripinip.b Backdoor.Ripinip BKDR_RIPNIP.SMIA Win.Trojan.Ripnip-3 Trojan.Ripinip.C Backdoor.Win32.Ripinip.eea Trojan.Ripinip.C Trojan.Win32.Ripinip.buwod Backdoor.Win32.A.Ripinip.20480 Trojan.Ripinip.C Backdoor.Win32.Ripinip.~eea Trojan.Ripinip.C Win32.HLLW.Autoruner.28406 BackDoor-EVC.a Backdoor.Win32.Ripinip BDS/Ripinip.BN Trojan[Backdoor]/Win32.Ripinip Backdoor:Win32/Ripinip.C Backdoor/Win32.Ripinip.R1964 Backdoor.Win32.Ripinip.eea Win32/Ripinip.AP BackDoor-EVC.a TScope.Malware-Cryptor.SB Backdoor.Win32.Rip.tji Backdoor.Win32.Ripinip.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ServicesIpripA.Trojan": [[26, 51]], "Indicator: Trojan.Ripinip.C": [[52, 68], [146, 162], [184, 200], [280, 296], [324, 340], [399, 415], [444, 460]], "Indicator: Backdoor/W32.Ripinip.20480.L": [[69, 97]], "Indicator: Backdoor.Win32.Ripinip!O": [[98, 122]], "Indicator: Backdoor.Ripinip.28625": [[123, 145]], "Indicator: Backdoor/Ripinip.eea": [[163, 183]], "Indicator: Win32.Backdoor.Ripinip.b": [[201, 225]], "Indicator: Backdoor.Ripinip": [[226, 242]], "Indicator: BKDR_RIPNIP.SMIA": [[243, 259]], "Indicator: Win.Trojan.Ripnip-3": [[260, 279]], "Indicator: Backdoor.Win32.Ripinip.eea": [[297, 323], [626, 652]], "Indicator: Trojan.Win32.Ripinip.buwod": [[341, 367]], "Indicator: Backdoor.Win32.A.Ripinip.20480": [[368, 398]], "Indicator: Backdoor.Win32.Ripinip.~eea": [[416, 443]], "Indicator: Win32.HLLW.Autoruner.28406": 
[[461, 487]], "Indicator: BackDoor-EVC.a": [[488, 502], [670, 684]], "Indicator: Backdoor.Win32.Ripinip": [[503, 525]], "Indicator: BDS/Ripinip.BN": [[526, 540]], "Indicator: Trojan[Backdoor]/Win32.Ripinip": [[541, 571]], "Indicator: Backdoor:Win32/Ripinip.C": [[572, 596]], "Indicator: Backdoor/Win32.Ripinip.R1964": [[597, 625]], "Indicator: Win32/Ripinip.AP": [[653, 669]], "Indicator: TScope.Malware-Cryptor.SB": [[685, 710]], "Indicator: Backdoor.Win32.Rip.tji": [[711, 733]], "Indicator: Backdoor.Win32.Ripinip.B": [[734, 758]]}, "info": {"id": "cyner2_5class_train_05151", "source": "cyner2_5class_train"}} +{"text": "Recently a new Carbanak attack campaign dubbed Digital Plagiarist was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware.", "spans": {"Indicator: mirrored domains,": [[137, 154]], "Malware: malware.": [[178, 186]]}, "info": {"id": "cyner2_5class_train_05152", "source": "cyner2_5class_train"}} +{"text": "For instance, Sphinx ZeuS has enhanced its capabilities because of the Olympics.", "spans": {"Malware: Sphinx ZeuS": [[14, 25]], "Organization: Olympics.": [[71, 80]]}, "info": {"id": "cyner2_5class_train_05153", "source": "cyner2_5class_train"}} +{"text": "Like BlackEnergy, the malware used by the so-called Sandworm APT group also known as Quedagh, Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.", "spans": {"Malware: malware": [[22, 29]], "Malware: Potao": [[94, 99]], "Malware: targeted espionage malware": [[117, 143]], "Malware: at": [[160, 162]]}, "info": {"id": "cyner2_5class_train_05154", "source": "cyner2_5class_train"}} +{"text": "The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language .", "spans": {}, 
"info": {"id": "cyner2_5class_train_05155", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05156", "source": "cyner2_5class_train"}} +{"text": "Allows applications to change network connectivity state .", "spans": {}, "info": {"id": "cyner2_5class_train_05157", "source": "cyner2_5class_train"}} +{"text": "With their assistance, we have confirmed over 76 additional messages containing NSO exploit links.", "spans": {"Malware: NSO exploit links.": [[80, 98]]}, "info": {"id": "cyner2_5class_train_05158", "source": "cyner2_5class_train"}} +{"text": "Capabilities and functionality In 2013 , we detected several technological innovations developed and used by criminals in their malicious software .", "spans": {}, "info": {"id": "cyner2_5class_train_05159", "source": "cyner2_5class_train"}} +{"text": "The RC4 key is hardcoded in EventBot .", "spans": {"Malware: EventBot": [[28, 36]]}, "info": {"id": "cyner2_5class_train_05160", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.Downloader.W32.AutoIt Trojan.Win32.Pasta.ztb Trojan.DownLoader11.57616 Trojan.Strictor.DE515 Trojan/Win32.Inject Trojan.Pasta IM-Worm.Win32.Sohanad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.Downloader.W32.AutoIt": [[26, 52]], "Indicator: Trojan.Win32.Pasta.ztb": [[53, 75]], "Indicator: Trojan.DownLoader11.57616": [[76, 101]], "Indicator: Trojan.Strictor.DE515": [[102, 123]], "Indicator: Trojan/Win32.Inject": [[124, 143]], "Indicator: Trojan.Pasta": [[144, 156]], "Indicator: IM-Worm.Win32.Sohanad": [[157, 178]]}, "info": {"id": "cyner2_5class_train_05161", "source": "cyner2_5class_train"}} +{"text": "This ransomware is developed using the Go programming language.", "spans": {"Malware: ransomware": [[5, 15]], "System: the Go programming language.": [[35, 63]]}, "info": {"id": "cyner2_5class_train_05162", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D3D963 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.Stealer.17779 BehavesLike.Win32.PUPXAG.fc Trojan.MSIL.gotl Trojan:MSIL/Elmb.A!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D3D963": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Trojan.PWS.Stealer.17779": [[88, 112]], "Indicator: BehavesLike.Win32.PUPXAG.fc": [[113, 140]], "Indicator: Trojan.MSIL.gotl": [[141, 157]], "Indicator: Trojan:MSIL/Elmb.A!bit": [[158, 180]], "Indicator: Trj/GdSda.A": [[181, 192]]}, "info": {"id": "cyner2_5class_train_05163", "source": "cyner2_5class_train"}} +{"text": "Electronicfrontierfoundation.org was not the only domain involved in this attack.", "spans": {"Indicator: Electronicfrontierfoundation.org": [[0, 32]], "Indicator: domain": [[50, 56]], "Indicator: attack.": [[74, 81]]}, "info": {"id": "cyner2_5class_train_05164", "source": "cyner2_5class_train"}} +{"text": "Other samples communicated with other servers listed at the bottom of this report .", "spans": {}, "info": {"id": "cyner2_5class_train_05165", "source": "cyner2_5class_train"}} +{"text": "ITG03 used several previously unreported malwares, including backdoor and PowerShell scripts suggesting continued ITG03 interest in exploiting SWIFT three years after its initial campaign in 2016.", "spans": {"Malware: malwares,": [[41, 50]], "Malware: backdoor": [[61, 69]], "System: PowerShell scripts": [[74, 92]], "Vulnerability: exploiting SWIFT": [[132, 148]]}, "info": {"id": "cyner2_5class_train_05166", "source": "cyner2_5class_train"}} +{"text": "Hence , we name this new spin-off campaign as Jaguar Kill Switch .", "spans": {}, "info": {"id": "cyner2_5class_train_05167", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Kelopol.A3 W32/Application.USPT-4138 Hacktool.Keylogger PWS:MSIL/Kelopol.B Trojan.Win32.KeyLogger.ctnnso Trojan.KeyLogger.14630 TSPY_KELOPOL.SM TR/Habbo.skdh Trojan.MSIL.Krypt.5 
Trojan/Win32.Vapsup.R122716", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Kelopol.A3": [[26, 46]], "Indicator: W32/Application.USPT-4138": [[47, 72]], "Indicator: Hacktool.Keylogger": [[73, 91]], "Indicator: PWS:MSIL/Kelopol.B": [[92, 110]], "Indicator: Trojan.Win32.KeyLogger.ctnnso": [[111, 140]], "Indicator: Trojan.KeyLogger.14630": [[141, 163]], "Indicator: TSPY_KELOPOL.SM": [[164, 179]], "Indicator: TR/Habbo.skdh": [[180, 193]], "Indicator: Trojan.MSIL.Krypt.5": [[194, 213]], "Indicator: Trojan/Win32.Vapsup.R122716": [[214, 241]]}, "info": {"id": "cyner2_5class_train_05168", "source": "cyner2_5class_train"}} +{"text": "In 2015, many of these techniques and activities remain in use.", "spans": {"Indicator: techniques": [[23, 33]]}, "info": {"id": "cyner2_5class_train_05169", "source": "cyner2_5class_train"}} +{"text": "In today's article, AnyRun look at LimeRAT, a modular piece of malware designed to give attackers control over a victim's computer and use it for crypto-mining or DDoS attacks.", "spans": {"Organization: AnyRun": [[20, 26]], "Malware: LimeRAT,": [[35, 43]], "Malware: modular piece of malware": [[46, 70]], "System: victim's computer": [[113, 130]], "Indicator: crypto-mining": [[146, 159]], "Indicator: DDoS attacks.": [[163, 176]]}, "info": {"id": "cyner2_5class_train_05170", "source": "cyner2_5class_train"}} +{"text": "In the case of this ransomware , using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable , increasing the chances of the user paying for the ransom .", "spans": {}, "info": {"id": "cyner2_5class_train_05171", "source": "cyner2_5class_train"}} +{"text": "We have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software onto similarly named domains, on which the TelePort Crew 
would host and serve up malware laden Office documents.", "spans": {"Indicator: mirroring legitimate sites": [[91, 117]], "Malware: Tenmaxs TelePort Pro": [[124, 144]], "Malware: TelePort Ultra site mirroring software": [[149, 187]], "Indicator: domains,": [[209, 217]], "Malware: malware": [[269, 276]]}, "info": {"id": "cyner2_5class_train_05172", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Kolweb!O Trojan.Lokrodem.25745 Trojan.Kolweb.Win32.139 Troj.W32.Kolweb.mBu8 Trojan/Kolweb.a Win32.Trojan.WisdomEyes.16070401.9500.9687 Adware.Margoc Win32/Startpage.SK Win.Trojan.Kolweb-96 Trojan.Win32.Kolweb.a Trojan.Win32.Kolweb.cxqwlv Trojan.Win32.A.Kolweb.224389[ASPack] Trojan.PWS.Mirka BehavesLike.Win32.Sality.fc Trojan/Kolweb.cm TR/Delf.CF.13 Trojan/Win32.Kolweb Trojan:Win32/Lokrodem.A.dll Trojan.Win32.Kolweb.a Trojan/Win32.Kolweb.C12167 Trojan.Kolweb Trojan.Graftor.D33DE Win32.Trojan.Kolweb.Edns Trojan.PWS.Delf!+6OEG1VoGF8 Win32/Trojan.f0c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Kolweb!O": [[26, 47]], "Indicator: Trojan.Lokrodem.25745": [[48, 69]], "Indicator: Trojan.Kolweb.Win32.139": [[70, 93]], "Indicator: Troj.W32.Kolweb.mBu8": [[94, 114]], "Indicator: Trojan/Kolweb.a": [[115, 130]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9687": [[131, 173]], "Indicator: Adware.Margoc": [[174, 187]], "Indicator: Win32/Startpage.SK": [[188, 206]], "Indicator: Win.Trojan.Kolweb-96": [[207, 227]], "Indicator: Trojan.Win32.Kolweb.a": [[228, 249], [438, 459]], "Indicator: Trojan.Win32.Kolweb.cxqwlv": [[250, 276]], "Indicator: Trojan.Win32.A.Kolweb.224389[ASPack]": [[277, 313]], "Indicator: Trojan.PWS.Mirka": [[314, 330]], "Indicator: BehavesLike.Win32.Sality.fc": [[331, 358]], "Indicator: Trojan/Kolweb.cm": [[359, 375]], "Indicator: TR/Delf.CF.13": [[376, 389]], "Indicator: Trojan/Win32.Kolweb": [[390, 409]], "Indicator: Trojan:Win32/Lokrodem.A.dll": [[410, 437]], "Indicator: Trojan/Win32.Kolweb.C12167": [[460, 
486]], "Indicator: Trojan.Kolweb": [[487, 500]], "Indicator: Trojan.Graftor.D33DE": [[501, 521]], "Indicator: Win32.Trojan.Kolweb.Edns": [[522, 546]], "Indicator: Trojan.PWS.Delf!+6OEG1VoGF8": [[547, 574]], "Indicator: Win32/Trojan.f0c": [[575, 591]]}, "info": {"id": "cyner2_5class_train_05173", "source": "cyner2_5class_train"}} +{"text": "Using the SMS has an initial infection vector is another possibility for the exfiltration .", "spans": {}, "info": {"id": "cyner2_5class_train_05174", "source": "cyner2_5class_train"}} +{"text": "In the case of Hancitor, it still seen as a favourite carrier of very much active malware families such as Pony and Vawtrak.", "spans": {"Malware: Hancitor,": [[15, 24]], "Malware: malware families": [[82, 98]], "Malware: Pony": [[107, 111]], "Malware: Vawtrak.": [[116, 124]]}, "info": {"id": "cyner2_5class_train_05175", "source": "cyner2_5class_train"}} +{"text": "We believe that the operators of the Bunitu botnet are selling access to infected proxy bots as a way to monetize their botnet.", "spans": {"Malware: Bunitu botnet": [[37, 50]], "Vulnerability: selling access": [[55, 69]], "Indicator: infected proxy bots": [[73, 92]], "Malware: botnet.": [[120, 127]]}, "info": {"id": "cyner2_5class_train_05176", "source": "cyner2_5class_train"}} +{"text": "In May 2018, ITG03 actors stole $10 million from the Banco de Chile.", "spans": {"Organization: the Banco de Chile.": [[49, 68]]}, "info": {"id": "cyner2_5class_train_05177", "source": "cyner2_5class_train"}} +{"text": "Our telemetry shows that H-W0rm is one of the most active RATs we ve seen, with infections observed across virtually all enterprise verticals and geographies in which Fidelis Cybersecurity products are deployed.", "spans": {"Malware: H-W0rm": [[25, 31]], "Malware: RATs": [[58, 62]], "Organization: enterprise": [[121, 131]], "Organization: Fidelis Cybersecurity": [[167, 188]], "System: products": [[189, 197]]}, "info": {"id": "cyner2_5class_train_05178", "source": 
"cyner2_5class_train"}} +{"text": "Its price starts around $2500 which is more than double the price of another recent entry to the market.", "spans": {}, "info": {"id": "cyner2_5class_train_05179", "source": "cyner2_5class_train"}} +{"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it ’ s possible for users to go to settings and uninstall the offending app .", "spans": {"System: windows": [[67, 74]]}, "info": {"id": "cyner2_5class_train_05180", "source": "cyner2_5class_train"}} +{"text": "In April 2017 we started observing new rooting malware being distributed through the Google Play Store.", "spans": {"Malware: new rooting malware": [[35, 54]], "System: the Google Play Store.": [[81, 103]]}, "info": {"id": "cyner2_5class_train_05181", "source": "cyner2_5class_train"}} +{"text": "Within days , the Check Point research team detected another instance with a different package name but which uses the same code .", "spans": {"Organization: Check Point": [[18, 29]]}, "info": {"id": "cyner2_5class_train_05182", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan:MSIL/Ploprolo.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan:MSIL/Ploprolo.A": [[69, 91]]}, "info": {"id": "cyner2_5class_train_05183", "source": "cyner2_5class_train"}} +{"text": "In order to infect the victims, the attackers distributed spear-phishing emails containing malicious word document, the email purported to have been sent from legitimate email ids.", "spans": {"Indicator: spear-phishing emails": [[58, 79]], "Malware: malicious word document,": [[91, 115]], "Indicator: email": [[120, 125]], "Indicator: legitimate email": [[159, 175]]}, "info": {"id": "cyner2_5class_train_05184", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MTSysAntiD.Worm 
Packed.Win32.Klone!O PWS-OnlineGames.es PE_MAGOVEL.A Win32.Virus.Induc.b W32/Induc.A Trojan.Packed.16 PE_MAGOVEL.A Win.Trojan.Packed-77 Virus.Win32.Induc.b Trojan.Win32.Downloader.85504.AX Backdoor.Win32.Delf.~DD Win32.HLLP.Lagic Backdoor.Hupigon.Win32.100099 BehavesLike.Win32.MultiPlug.nc W32/Induc.A Win32.Troj.Klone.ab.389660 W32.Induc.tnqE Virus.Win32.Induc.b PWS:Win32/Magovel.A Backdoor/Win32.Hupigon.C61571 Virus.Win32.Induc.c RiskWare.NakedPack Win32.Induc.A Backdoor.Rbot Virus.Win32.Viking.AV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MTSysAntiD.Worm": [[26, 45]], "Indicator: Packed.Win32.Klone!O": [[46, 66]], "Indicator: PWS-OnlineGames.es": [[67, 85]], "Indicator: PE_MAGOVEL.A": [[86, 98], [148, 160]], "Indicator: Win32.Virus.Induc.b": [[99, 118]], "Indicator: W32/Induc.A": [[119, 130], [337, 348]], "Indicator: Trojan.Packed.16": [[131, 147]], "Indicator: Win.Trojan.Packed-77": [[161, 181]], "Indicator: Virus.Win32.Induc.b": [[182, 201], [391, 410]], "Indicator: Trojan.Win32.Downloader.85504.AX": [[202, 234]], "Indicator: Backdoor.Win32.Delf.~DD": [[235, 258]], "Indicator: Win32.HLLP.Lagic": [[259, 275]], "Indicator: Backdoor.Hupigon.Win32.100099": [[276, 305]], "Indicator: BehavesLike.Win32.MultiPlug.nc": [[306, 336]], "Indicator: Win32.Troj.Klone.ab.389660": [[349, 375]], "Indicator: W32.Induc.tnqE": [[376, 390]], "Indicator: PWS:Win32/Magovel.A": [[411, 430]], "Indicator: Backdoor/Win32.Hupigon.C61571": [[431, 460]], "Indicator: Virus.Win32.Induc.c": [[461, 480]], "Indicator: RiskWare.NakedPack": [[481, 499]], "Indicator: Win32.Induc.A": [[500, 513]], "Indicator: Backdoor.Rbot": [[514, 527]], "Indicator: Virus.Win32.Viking.AV": [[528, 549]]}, "info": {"id": "cyner2_5class_train_05185", "source": "cyner2_5class_train"}} +{"text": "We have seen this threat access online content, including:JDUDUIFIB.exe", "spans": {"Malware: threat": [[18, 24]], "Indicator: including:JDUDUIFIB.exe": [[48, 71]]}, "info": {"id": "cyner2_5class_train_05186", 
"source": "cyner2_5class_train"}} +{"text": "TUESDAY , MAY 19 , 2020 The wolf is back ... NEWS SUMMARY Thai Android devices and users are being targeted by a modified version of DenDroid we are calling \" WolfRAT , '' now targeting messaging apps like WhatsApp , Facebook Messenger and Line .", "spans": {"System: Android": [[63, 70]], "Malware: DenDroid": [[133, 141]], "Malware: WolfRAT": [[159, 166]], "System: WhatsApp": [[206, 214]], "System: Facebook Messenger": [[217, 235]], "System: Line": [[240, 244]]}, "info": {"id": "cyner2_5class_train_05187", "source": "cyner2_5class_train"}} +{"text": "Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) .", "spans": {"Malware: GlanceLove": [[91, 101]], "Malware: WinkChat": [[109, 117]], "System: Facebook": [[175, 183]]}, "info": {"id": "cyner2_5class_train_05188", "source": "cyner2_5class_train"}} +{"text": "A June 23 FireEye blog post titled Operation Clandestine Wolf discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash.", "spans": {"Organization: FireEye": [[10, 17]], "Vulnerability: zero-day vulnerability": [[139, 161]], "System: Adobe Flash.": [[165, 177]]}, "info": {"id": "cyner2_5class_train_05189", "source": "cyner2_5class_train"}} +{"text": "This kind of “ moving target ” behavior made it harder to track their actions .", "spans": {}, "info": {"id": "cyner2_5class_train_05190", "source": "cyner2_5class_train"}} +{"text": "We collected a list of hashes and the files corresponding to those hashes were then retrieved from VirusTotal for further analysis.", "spans": {"Indicator: hashes": [[23, 29], [67, 73]], "Indicator: files": [[38, 43]], "Organization: VirusTotal": [[99, 109]]}, "info": {"id": "cyner2_5class_train_05191", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VBKrypt Spyware.Pony Downloader.Ponik TSPY_HPFAREIT.SMB Trojan.Win32.VBKrypt.ymio Trojan.Win32.VBKrypt.evkxoj Trojan.VBKrypt.Win32.291698 BehavesLike.Win32.Fareit.ch Trojan.VBKrypt.cgbs TR/Dropper.VB.ocnhj Trojan.Win32.VBKrypt.ymio Trojan/Win32.VBKrypt.R213345 Trojan.VBKrypt Trj/GdSda.A Win32.Trojan.Vbkrypt.Amwf Trojan.VBKrypt!wORN5qK9fN4 Trojan.VB.Crypt W32/FareitVB.BEOK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBKrypt": [[26, 40], [294, 308]], "Indicator: Spyware.Pony": [[41, 53]], "Indicator: Downloader.Ponik": [[54, 70]], "Indicator: TSPY_HPFAREIT.SMB": [[71, 88]], "Indicator: Trojan.Win32.VBKrypt.ymio": [[89, 114], [239, 264]], "Indicator: Trojan.Win32.VBKrypt.evkxoj": [[115, 142]], "Indicator: Trojan.VBKrypt.Win32.291698": [[143, 170]], "Indicator: BehavesLike.Win32.Fareit.ch": [[171, 198]], "Indicator: Trojan.VBKrypt.cgbs": [[199, 218]], "Indicator: TR/Dropper.VB.ocnhj": [[219, 238]], "Indicator: Trojan/Win32.VBKrypt.R213345": [[265, 293]], "Indicator: Trj/GdSda.A": [[309, 320]], "Indicator: Win32.Trojan.Vbkrypt.Amwf": [[321, 346]], "Indicator: Trojan.VBKrypt!wORN5qK9fN4": [[347, 373]], "Indicator: Trojan.VB.Crypt": [[374, 389]], "Indicator: W32/FareitVB.BEOK!tr": [[390, 410]]}, "info": {"id": "cyner2_5class_train_05192", "source": "cyner2_5class_train"}} +{"text": "After a series of technical analysis ( which is covered in detail below ) and heuristic threat hunting , we discovered that a complete “ Agent Smith ” infection has three main phases : A dropper app lures victim to install itself voluntarily .", "spans": {"Malware: Agent Smith": [[137, 148]]}, "info": {"id": "cyner2_5class_train_05193", "source": "cyner2_5class_train"}} +{"text": "A week later, an anonymous user, supposedly the author of AES-NI ransomware the XData is based on, released the master private key.", "spans": {"Organization: anonymous user,": [[17, 32]], "Malware: AES-NI ransomware": 
[[58, 75]], "Malware: XData": [[80, 85]], "Indicator: master private key.": [[112, 131]]}, "info": {"id": "cyner2_5class_train_05194", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod8cd.Trojan.9e70 Backdoor/W32.BlackAngel.780304 W32/Backdoor.AAVE-7405 Backdoor.Trojan BKDR_BLAKANGEL.A Backdoor.Win32.BlackAngel.05 Trojan.Win32.BlackAngel.hiov Backdoor.Win32.BlackAngel.780304 Backdoor.W32.BlackAngel.05!c Backdoor.Win32.BlackAngel.05 BackDoor.BlackAngel.5 Backdoor.BlackAngel.Win32.6 BKDR_BLAKANGEL.A BehavesLike.Win32.PWSZbot.bc W32/Backdoor.DMA Backdoor/BlackAngel.05 BDS/BlackAngel.05 W32/BlackAn.05!tr.bdr Trojan[Backdoor]/Win32.BlackAngel Backdoor.Win32.BlackAngel.05 Backdoor:Win32/BlackAngel.0_5 Backdoor.BlackAngel Win32/BlackAngel.05 Win32.Backdoor.Blackangel.Lndw Backdoor.Win32.BlackAngel", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod8cd.Trojan.9e70": [[26, 49]], "Indicator: Backdoor/W32.BlackAngel.780304": [[50, 80]], "Indicator: W32/Backdoor.AAVE-7405": [[81, 103]], "Indicator: Backdoor.Trojan": [[104, 119]], "Indicator: BKDR_BLAKANGEL.A": [[120, 136], [336, 352]], "Indicator: Backdoor.Win32.BlackAngel.05": [[137, 165], [257, 285], [496, 524]], "Indicator: Trojan.Win32.BlackAngel.hiov": [[166, 194]], "Indicator: Backdoor.Win32.BlackAngel.780304": [[195, 227]], "Indicator: Backdoor.W32.BlackAngel.05!c": [[228, 256]], "Indicator: BackDoor.BlackAngel.5": [[286, 307]], "Indicator: Backdoor.BlackAngel.Win32.6": [[308, 335]], "Indicator: BehavesLike.Win32.PWSZbot.bc": [[353, 381]], "Indicator: W32/Backdoor.DMA": [[382, 398]], "Indicator: Backdoor/BlackAngel.05": [[399, 421]], "Indicator: BDS/BlackAngel.05": [[422, 439]], "Indicator: W32/BlackAn.05!tr.bdr": [[440, 461]], "Indicator: Trojan[Backdoor]/Win32.BlackAngel": [[462, 495]], "Indicator: Backdoor:Win32/BlackAngel.0_5": [[525, 554]], "Indicator: Backdoor.BlackAngel": [[555, 574]], "Indicator: Win32/BlackAngel.05": [[575, 594]], "Indicator: 
Win32.Backdoor.Blackangel.Lndw": [[595, 625]], "Indicator: Backdoor.Win32.BlackAngel": [[626, 651]]}, "info": {"id": "cyner2_5class_train_05195", "source": "cyner2_5class_train"}} +{"text": "Since late November 2016, the Shamoon 2 attack campaign has brought three waves of destructive attacks to organizations within Saudi Arabia.", "spans": {"Indicator: the Shamoon 2 attack": [[26, 46]], "Indicator: attacks": [[95, 102]], "Organization: organizations": [[106, 119]]}, "info": {"id": "cyner2_5class_train_05196", "source": "cyner2_5class_train"}} +{"text": "The malware mainly targets banking and financial applications , but also looks for popular shopping apps such as eBay or Amazon .", "spans": {"Organization: eBay": [[113, 117]], "Organization: Amazon": [[121, 127]]}, "info": {"id": "cyner2_5class_train_05197", "source": "cyner2_5class_train"}} +{"text": "Only this time, it's a Hangul Word Processor HWP document leveraging the already known CVE-2015-2545 Encapsulated PostScript EPS vulnerability.", "spans": {"Indicator: a Hangul Word Processor HWP document": [[21, 57]], "Indicator: CVE-2015-2545": [[87, 100]], "Vulnerability: Encapsulated PostScript EPS vulnerability.": [[101, 143]]}, "info": {"id": "cyner2_5class_train_05198", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Sacto.e Trojan.Graftor.D1DEE6 BKDR_SACTO.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9983 Backdoor.Trojan BKDR_SACTO.SM0 TrojWare.Win32.Sacto.A Trojan.PWS.Multi.1194 Backdoor:Win32/Sacto.A!dha W32/Sacto.E!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Sacto.e": [[26, 40]], "Indicator: Trojan.Graftor.D1DEE6": [[41, 62]], "Indicator: BKDR_SACTO.SM0": [[63, 77], [137, 151]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[78, 120]], "Indicator: Backdoor.Trojan": [[121, 136]], "Indicator: TrojWare.Win32.Sacto.A": [[152, 174]], "Indicator: Trojan.PWS.Multi.1194": [[175, 196]], "Indicator: Backdoor:Win32/Sacto.A!dha": [[197, 223]], "Indicator: 
W32/Sacto.E!tr": [[224, 238]]}, "info": {"id": "cyner2_5class_train_05199", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Exploit.Java.CVE20120507.cqxpdq Java/Downloader.BM Exp.CVE-2015-2590 JAVA_DLOADR.EFD Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Java.Downloader.1103 JAVA_DLOADR.EFD BehavesLike.Java.Downloader.zj Java/Downloader.BM Java.Exploit.CVE-2015-2590.A TrojanDownloader:Java/Reamshunt.A Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Exploit.Java_c.QQT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Java.Exploit.CVE-2015-2590.A": [[26, 54], [55, 83], [84, 112], [198, 226], [227, 255], [343, 371], [406, 434], [435, 463]], "Indicator: Exploit.Java.CVE20120507.cqxpdq": [[113, 144]], "Indicator: Java/Downloader.BM": [[145, 163], [324, 342]], "Indicator: Exp.CVE-2015-2590": [[164, 181]], "Indicator: JAVA_DLOADR.EFD": [[182, 197], [277, 292]], "Indicator: Java.Downloader.1103": [[256, 276]], "Indicator: BehavesLike.Java.Downloader.zj": [[293, 323]], "Indicator: TrojanDownloader:Java/Reamshunt.A": [[372, 405]], "Indicator: Exploit.Java_c.QQT": [[464, 482]]}, "info": {"id": "cyner2_5class_train_05200", "source": "cyner2_5class_train"}} +{"text": "For the past several weeks, Forcepoint Security Labs have been tracking a seemingly low-profile piece of malware which piqued our interest for a number of reasons: few samples appear to be available in the wild; there is no previous documentation referring to the C2 domains and IP addresses it uses despite the domains appearing to be at least twelve months old; and, if its compilation timestamps are to be trusted, the campaign itself may have been active for at least six months before samples started to surface...", "spans": {"Organization: Forcepoint Security Labs": [[28, 52]], "Malware: malware": [[105, 112]], "Indicator: the C2 domains and IP addresses": [[260, 291]]}, 
"info": {"id": "cyner2_5class_train_05201", "source": "cyner2_5class_train"}} +{"text": "Figure 9 : Malware secretly adds malicious resources to the DEX file Now , after the alteration of the original application , Android ’ s package manager will think that this is an update for the application signed by the same certificate , but in reality , it will execute the malicious DEX file .", "spans": {"System: Android": [[126, 133]]}, "info": {"id": "cyner2_5class_train_05202", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.DDur.Win32.4 Trojan/DDur.n Win32.Trojan.WisdomEyes.16070401.9500.9937 Trojan.Zlob Win.Trojan.Dnschanger-1136 Trojan.Win32.DDur.xjyd Trojan.Win32.Z.Ddur.16289 Trojan.Packed.253 BehavesLike.Win32.Vundo.lc Trojan.Win32.DNSChanger Win32.Troj.DNSChangerT.kg.14848 Trojan:Win32/Remetrac.C Trojan/Win32.Monder.C72152 BScope.Trojan.Sawbones.vf Win32/Trojan.e0c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Trojan.DDur.Win32.4": [[47, 66]], "Indicator: Trojan/DDur.n": [[67, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9937": [[81, 123]], "Indicator: Trojan.Zlob": [[124, 135]], "Indicator: Win.Trojan.Dnschanger-1136": [[136, 162]], "Indicator: Trojan.Win32.DDur.xjyd": [[163, 185]], "Indicator: Trojan.Win32.Z.Ddur.16289": [[186, 211]], "Indicator: Trojan.Packed.253": [[212, 229]], "Indicator: BehavesLike.Win32.Vundo.lc": [[230, 256]], "Indicator: Trojan.Win32.DNSChanger": [[257, 280]], "Indicator: Win32.Troj.DNSChangerT.kg.14848": [[281, 312]], "Indicator: Trojan:Win32/Remetrac.C": [[313, 336]], "Indicator: Trojan/Win32.Monder.C72152": [[337, 363]], "Indicator: BScope.Trojan.Sawbones.vf": [[364, 389]], "Indicator: Win32/Trojan.e0c": [[390, 406]]}, "info": {"id": "cyner2_5class_train_05203", "source": "cyner2_5class_train"}} +{"text": "The malware ’ s creators had used obfuscation to upload the new piece of malware to Google Play .", "spans": 
{"System: Google Play": [[84, 95]]}, "info": {"id": "cyner2_5class_train_05204", "source": "cyner2_5class_train"}} +{"text": "A group known as the Cutting Sword of Justice took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack back in 2012, and justified the attack as a measure against the Saudi monarchy.", "spans": {"Organization: the Saudi Aramco": [[62, 78]], "Indicator: attack": [[79, 85], [134, 140]], "Organization: Pastebin message": [[99, 115]]}, "info": {"id": "cyner2_5class_train_05205", "source": "cyner2_5class_train"}} +{"text": "The fact the trojan can steal both the victim ’ s credentials and also can control their SMS messages and generated 2FA codes means DEFENSOR ID ’ s operators can bypass two-factor authentication .", "spans": {"Malware: DEFENSOR ID": [[132, 143]]}, "info": {"id": "cyner2_5class_train_05206", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Murlo.FK Downloader.Murlo.Win32.1632 Trojan/Downloader.Murlo.fk Trojan.Downloader.Murlo.FK Trojan.DL.Murlo!u+ZN6N7ySiY W32/Downldr2.HWY Trojan.Downloader-8985 Trojan-Downloader.Win32.Murlo.fk Trojan.Win32.Murlo.kadq Trojan.Win32.Downloader.2560.J[h] NORMAL:Trojan.DL.Win32.Murlo.c!1185532 Trojan.Downloader.Murlo.FK TrojWare.Win32.TrojanDownloader.Murlo.FK Trojan.Downloader.Murlo.FK Trojan.DownLoader.26702 BehavesLike.Win32.Mamianune.xh TrojanDownloader.Murlo.ar Trojan[Downloader]/Win32.Murlo Win32.TrojDownloader.Murlo.fk.kcloud Win-Trojan/Murlo.2560.J Trojan.Downloader.Murlo.FK Win32/TrojanDownloader.Murlo.FK Trojan-Downloader.Win32.Tiny.hn Win32/Ngvck.BP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Murlo.FK": [[26, 52], [108, 134], [333, 359], [401, 427], [601, 627]], "Indicator: Downloader.Murlo.Win32.1632": [[53, 80]], "Indicator: Trojan/Downloader.Murlo.fk": [[81, 107]], "Indicator: Trojan.DL.Murlo!u+ZN6N7ySiY": [[135, 162]], "Indicator: W32/Downldr2.HWY": [[163, 179]], "Indicator: 
Trojan.Downloader-8985": [[180, 202]], "Indicator: Trojan-Downloader.Win32.Murlo.fk": [[203, 235]], "Indicator: Trojan.Win32.Murlo.kadq": [[236, 259]], "Indicator: Trojan.Win32.Downloader.2560.J[h]": [[260, 293]], "Indicator: NORMAL:Trojan.DL.Win32.Murlo.c!1185532": [[294, 332]], "Indicator: TrojWare.Win32.TrojanDownloader.Murlo.FK": [[360, 400]], "Indicator: Trojan.DownLoader.26702": [[428, 451]], "Indicator: BehavesLike.Win32.Mamianune.xh": [[452, 482]], "Indicator: TrojanDownloader.Murlo.ar": [[483, 508]], "Indicator: Trojan[Downloader]/Win32.Murlo": [[509, 539]], "Indicator: Win32.TrojDownloader.Murlo.fk.kcloud": [[540, 576]], "Indicator: Win-Trojan/Murlo.2560.J": [[577, 600]], "Indicator: Win32/TrojanDownloader.Murlo.FK": [[628, 659]], "Indicator: Trojan-Downloader.Win32.Tiny.hn": [[660, 691]], "Indicator: Win32/Ngvck.BP": [[692, 706]]}, "info": {"id": "cyner2_5class_train_05207", "source": "cyner2_5class_train"}} +{"text": "The implant can log in to the attackers email inbox , parse emails for commands in a special “ Cmd ” folder and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner2_5class_train_05208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9818 Riskware.Win32.FileTour.ednjdc Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9818": [[26, 68]], "Indicator: Riskware.Win32.FileTour.ednjdc": [[69, 99]], "Indicator: Trj/GdSda.A": [[100, 111]]}, "info": {"id": "cyner2_5class_train_05209", "source": "cyner2_5class_train"}} +{"text": "Trojan architecture and capabilities This malware is written in .NET using the Xamarin environment for mobile applications .", "spans": {"System: .NET": [[64, 68]], "System: Xamarin": [[79, 86]]}, "info": {"id": "cyner2_5class_train_05210", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.EA17 Trojan.Tibs.BJ Worm/W32.Nuwar.31364 
I-Worm.Zhelatin.eo.n1 Worm.Zhelatin.Win32.1360 W32/Zhelatin.eo Trojan.Tibs.BJ W32/EmailWorm.KUL Trojan.Packed.13 Trojan.Small-2710 Email-Worm.Win32.Zhelatin.eo Trojan.Win32.Zhelatin.chkpnw I-Worm.Win32.Zhelatin.31364[h] PE:Worm.Mail.Win32.Zhelatin.eu!1074243991 Trojan.Tibs.BJ Email-Worm.Win32.Zhelatin.eo Trojan.Tibs.BJ Trojan.Packed.140 Trojan.Vxgame.z TROJ_FORUCON.BMC W32/Worm.YFRS-1205 I-Worm/Zhelatin.cna W32/Tibs.EO@mm Worm[Email]/Win32.Zhelatin Worm.Zhelatin.eo.kcloud Trojan.Tibs.BJ Spammer:Win32/Clodpuntor.A Virus.Win32.Heur.d Trojan.Tibs.BJ Trojan.Vxgame.z Trojan-Downloader.Revelation.Tibs.B Worm.Win32.Zhelatin.Az Win32.Worm-email.Zhelatin.Hwwo Packer.Win32.Tibs Trojan.Tibs.BJ Downloader.Tibs.5.BO Trj/Spammer.ABX Win32/Trojan.be3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.EA17": [[26, 42]], "Indicator: Trojan.Tibs.BJ": [[43, 57], [142, 156], [341, 355], [385, 399], [556, 570], [617, 631], [756, 770]], "Indicator: Worm/W32.Nuwar.31364": [[58, 78]], "Indicator: I-Worm.Zhelatin.eo.n1": [[79, 100]], "Indicator: Worm.Zhelatin.Win32.1360": [[101, 125]], "Indicator: W32/Zhelatin.eo": [[126, 141]], "Indicator: W32/EmailWorm.KUL": [[157, 174]], "Indicator: Trojan.Packed.13": [[175, 191]], "Indicator: Trojan.Small-2710": [[192, 209]], "Indicator: Email-Worm.Win32.Zhelatin.eo": [[210, 238], [356, 384]], "Indicator: Trojan.Win32.Zhelatin.chkpnw": [[239, 267]], "Indicator: I-Worm.Win32.Zhelatin.31364[h]": [[268, 298]], "Indicator: PE:Worm.Mail.Win32.Zhelatin.eu!1074243991": [[299, 340]], "Indicator: Trojan.Packed.140": [[400, 417]], "Indicator: Trojan.Vxgame.z": [[418, 433], [632, 647]], "Indicator: TROJ_FORUCON.BMC": [[434, 450]], "Indicator: W32/Worm.YFRS-1205": [[451, 469]], "Indicator: I-Worm/Zhelatin.cna": [[470, 489]], "Indicator: W32/Tibs.EO@mm": [[490, 504]], "Indicator: Worm[Email]/Win32.Zhelatin": [[505, 531]], "Indicator: Worm.Zhelatin.eo.kcloud": [[532, 555]], "Indicator: Spammer:Win32/Clodpuntor.A": [[571, 597]], "Indicator: 
Virus.Win32.Heur.d": [[598, 616]], "Indicator: Trojan-Downloader.Revelation.Tibs.B": [[648, 683]], "Indicator: Worm.Win32.Zhelatin.Az": [[684, 706]], "Indicator: Win32.Worm-email.Zhelatin.Hwwo": [[707, 737]], "Indicator: Packer.Win32.Tibs": [[738, 755]], "Indicator: Downloader.Tibs.5.BO": [[771, 791]], "Indicator: Trj/Spammer.ABX": [[792, 807]], "Indicator: Win32/Trojan.be3": [[808, 824]]}, "info": {"id": "cyner2_5class_train_05211", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameELXIAUS.Trojan Trojan.Win32.Buzy!O Backdoor.Tenrite.A4 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_TENRITE_0000000.TOMA Trojan.Win32.Tens.as Trojan.Win32.Buzy.ikstz Trojan.Win32.A.Tens.13312 TrojWare.Win32.Tenrite.A Trojan.Click2.12702 BehavesLike.Win32.BadFile.lz Trojan.Win32.Tenrite TR/Buzy.3083.1 Trojan/Win32.Tens Trojan.Buzy.DC0B Trojan.Win32.Tens.as Backdoor:Win32/Tenrite.A Win32/Tenrite.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameELXIAUS.Trojan": [[26, 50]], "Indicator: Trojan.Win32.Buzy!O": [[51, 70]], "Indicator: Backdoor.Tenrite.A4": [[71, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[91, 133]], "Indicator: TROJ_TENRITE_0000000.TOMA": [[134, 159]], "Indicator: Trojan.Win32.Tens.as": [[160, 180], [376, 396]], "Indicator: Trojan.Win32.Buzy.ikstz": [[181, 204]], "Indicator: Trojan.Win32.A.Tens.13312": [[205, 230]], "Indicator: TrojWare.Win32.Tenrite.A": [[231, 255]], "Indicator: Trojan.Click2.12702": [[256, 275]], "Indicator: BehavesLike.Win32.BadFile.lz": [[276, 304]], "Indicator: Trojan.Win32.Tenrite": [[305, 325]], "Indicator: TR/Buzy.3083.1": [[326, 340]], "Indicator: Trojan/Win32.Tens": [[341, 358]], "Indicator: Trojan.Buzy.DC0B": [[359, 375]], "Indicator: Backdoor:Win32/Tenrite.A": [[397, 421]], "Indicator: Win32/Tenrite.A": [[422, 437]]}, "info": {"id": "cyner2_5class_train_05212", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.BrowseFox.Win32.220089 
Trojan.Razy.D2BA2D Win32.Trojan.WisdomEyes.16070401.9500.9546 Win.Trojan.Server-24 Riskware.Win32.Server.ctchyk Program.Server.260 BehavesLike.Win32.HLLP.fz SPR/SmallHTTP.F GrayWare[Server-Web]/Win32.SmallHTTP Riskware.SmallHTTP! not-a-virus:Server-Web.Win32.SmallHTTP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.BrowseFox.Win32.220089": [[26, 55]], "Indicator: Trojan.Razy.D2BA2D": [[56, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9546": [[75, 117]], "Indicator: Win.Trojan.Server-24": [[118, 138]], "Indicator: Riskware.Win32.Server.ctchyk": [[139, 167]], "Indicator: Program.Server.260": [[168, 186]], "Indicator: BehavesLike.Win32.HLLP.fz": [[187, 212]], "Indicator: SPR/SmallHTTP.F": [[213, 228]], "Indicator: GrayWare[Server-Web]/Win32.SmallHTTP": [[229, 265]], "Indicator: Riskware.SmallHTTP!": [[266, 285]], "Indicator: not-a-virus:Server-Web.Win32.SmallHTTP": [[286, 324]]}, "info": {"id": "cyner2_5class_train_05213", "source": "cyner2_5class_train"}} +{"text": "In our research we identified tens of fake applications that were infected with this malware .", "spans": {}, "info": {"id": "cyner2_5class_train_05214", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/OnLineGames.pmt Trojan.Win32.OnLineGames.djktr W32.Gammima.AG Win32/Pebox.Y Trojan-GameThief.Win32.OnLineGames.ajibj Trojan.PWS.OnLineGames!PDfLLBwapmw Trojan.PWS.Wsgame.37257 TR/PSW.OnlineGames.xbkj Trojan/PSW.OnLineGames.bylz PWS:Win32/DNFOnline.A Malware.Gammima!rem Win32/PSW.OnLineGames.PMT Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.AJIBJ!tr PSW.OnlineGames3.ATWL Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/OnLineGames.pmt": [[26, 48]], "Indicator: Trojan.Win32.OnLineGames.djktr": [[49, 79]], "Indicator: W32.Gammima.AG": [[80, 94]], "Indicator: Win32/Pebox.Y": [[95, 108]], "Indicator: Trojan-GameThief.Win32.OnLineGames.ajibj": [[109, 149]], "Indicator: Trojan.PWS.OnLineGames!PDfLLBwapmw": [[150, 184]], "Indicator: 
Trojan.PWS.Wsgame.37257": [[185, 208]], "Indicator: TR/PSW.OnlineGames.xbkj": [[209, 232]], "Indicator: Trojan/PSW.OnLineGames.bylz": [[233, 260]], "Indicator: PWS:Win32/DNFOnline.A": [[261, 282]], "Indicator: Malware.Gammima!rem": [[283, 302]], "Indicator: Win32/PSW.OnLineGames.PMT": [[303, 328]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[329, 363]], "Indicator: W32/Onlinegames.AJIBJ!tr": [[364, 388]], "Indicator: PSW.OnlineGames3.ATWL": [[389, 410]], "Indicator: Trj/CI.A": [[411, 419]]}, "info": {"id": "cyner2_5class_train_05215", "source": "cyner2_5class_train"}} +{"text": "The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine.", "spans": {"Indicator: The Nyetya attack": [[0, 17]], "Malware: ransomware variant": [[36, 54]], "Organization: organizations": [[74, 87]], "Organization: multinational corporations": [[110, 136]]}, "info": {"id": "cyner2_5class_train_05216", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Pincav!O Trojan/Pincav.awm Win.Trojan.Pincav-604 Trojan.Win32.Pincav.awn Trojan.Win32.Pincav.drkdnm Trojan.Win32.A.Pincav.1185236 Troj.Clicker.W32.Small.kZ0E Trojan.Pincav.Win32.12742 Trojan/Pincav.chh Trojan/Win32.Pincav Trojan.Graftor.D836A Trojan.Win32.Pincav.awn Backdoor:Win32/Losfondup.A Trojan/Win32.Pincav.R42635 TScope.Trojan.Delf Backdoor.Losfondup!Ng6K/s6DvsI Trojan-PWS.Win32.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Pincav!O": [[26, 47]], "Indicator: Trojan/Pincav.awm": [[48, 65]], "Indicator: Win.Trojan.Pincav-604": [[66, 87]], "Indicator: Trojan.Win32.Pincav.awn": [[88, 111], [282, 305]], "Indicator: Trojan.Win32.Pincav.drkdnm": [[112, 138]], "Indicator: Trojan.Win32.A.Pincav.1185236": [[139, 168]], "Indicator: Troj.Clicker.W32.Small.kZ0E": [[169, 196]], "Indicator: Trojan.Pincav.Win32.12742": [[197, 222]], "Indicator: Trojan/Pincav.chh": [[223, 240]], 
"Indicator: Trojan/Win32.Pincav": [[241, 260]], "Indicator: Trojan.Graftor.D836A": [[261, 281]], "Indicator: Backdoor:Win32/Losfondup.A": [[306, 332]], "Indicator: Trojan/Win32.Pincav.R42635": [[333, 359]], "Indicator: TScope.Trojan.Delf": [[360, 378]], "Indicator: Backdoor.Losfondup!Ng6K/s6DvsI": [[379, 409]], "Indicator: Trojan-PWS.Win32.Delf": [[410, 431]]}, "info": {"id": "cyner2_5class_train_05217", "source": "cyner2_5class_train"}} +{"text": "If not , the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved .", "spans": {}, "info": {"id": "cyner2_5class_train_05218", "source": "cyner2_5class_train"}} +{"text": "Although the use of free web-services as a C2 channel is not new, the use of a Github issue for a command/response channel was interesting.", "spans": {"Indicator: free web-services as a C2 channel": [[20, 53]], "System: Github issue": [[79, 91]], "Organization: channel": [[115, 122]]}, "info": {"id": "cyner2_5class_train_05219", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WinwebA.Trojan TrojanDropper.Henbang.A6 Win32.Worm.AutoRun.c W32/Adware.PXAH-3010 W32.Virut.CF Win32/SillyBHO.OL Worm.Win32.AutoRun.ibh Trojan.Win32.AutoRun.cqpmwl Trojan.MulDrop.32523 BehavesLike.Win32.AdwareBetterSurf.gh W32/Adware.ACXN Win32.Virut.cr.61440 TrojanDropper:Win32/Henbang.A Worm.Win32.AutoRun.ibh Win32.Trojan.Webdat.A Worm/Win32.AutoRun.R56346 Backdoor.WinNT.PcClient Win32/Worm.FakeFolder.FF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WinwebA.Trojan": [[26, 44]], "Indicator: TrojanDropper.Henbang.A6": [[45, 69]], "Indicator: Win32.Worm.AutoRun.c": [[70, 90]], "Indicator: W32/Adware.PXAH-3010": [[91, 111]], "Indicator: W32.Virut.CF": [[112, 124]], "Indicator: Win32/SillyBHO.OL": [[125, 142]], "Indicator: Worm.Win32.AutoRun.ibh": [[143, 165], [320, 342]], "Indicator: Trojan.Win32.AutoRun.cqpmwl": [[166, 193]], "Indicator: Trojan.MulDrop.32523": [[194, 214]], "Indicator: 
BehavesLike.Win32.AdwareBetterSurf.gh": [[215, 252]], "Indicator: W32/Adware.ACXN": [[253, 268]], "Indicator: Win32.Virut.cr.61440": [[269, 289]], "Indicator: TrojanDropper:Win32/Henbang.A": [[290, 319]], "Indicator: Win32.Trojan.Webdat.A": [[343, 364]], "Indicator: Worm/Win32.AutoRun.R56346": [[365, 390]], "Indicator: Backdoor.WinNT.PcClient": [[391, 414]], "Indicator: Win32/Worm.FakeFolder.FF": [[415, 439]]}, "info": {"id": "cyner2_5class_train_05220", "source": "cyner2_5class_train"}} +{"text": "Instead , in Version 0.0.0.2 , EventBot dynamically loads its main module .", "spans": {"Malware: EventBot": [[31, 39]]}, "info": {"id": "cyner2_5class_train_05221", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RansomwareTQB.Trojan Trojan.ServStart.A Troj.W32.StartServ.tnEy Trojan/ServStart.io Win32.Trojan.ServStart.aj Backdoor.Trojan TROJ_SERVSTART_GJ1000AC.UVPN Trojan.Win32.StartServ.xer Trojan.Win32.Heuristic131.dcnfpc Trojan.Win32.Z.Servstart.196709.QO TrojWare.Win32.ServStart.CA Trojan.Mrblack.3 Trojan.StartServ.Win32.135 TROJ_SERVSTART_GJ1000AC.UVPN Trojan.Win32.ServStart Trojan.Zusy.D23C29 Trojan.Win32.StartServ.xer Backdoor/Win32.Zegost.R117606 Trojan.StartServ Win32/ServStart.IO Win32.Trojan.Startserv.Huzb Win32/Trojan.a35", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RansomwareTQB.Trojan": [[26, 50]], "Indicator: Trojan.ServStart.A": [[51, 69]], "Indicator: Troj.W32.StartServ.tnEy": [[70, 93]], "Indicator: Trojan/ServStart.io": [[94, 113]], "Indicator: Win32.Trojan.ServStart.aj": [[114, 139]], "Indicator: Backdoor.Trojan": [[140, 155]], "Indicator: TROJ_SERVSTART_GJ1000AC.UVPN": [[156, 184], [352, 380]], "Indicator: Trojan.Win32.StartServ.xer": [[185, 211], [423, 449]], "Indicator: Trojan.Win32.Heuristic131.dcnfpc": [[212, 244]], "Indicator: Trojan.Win32.Z.Servstart.196709.QO": [[245, 279]], "Indicator: TrojWare.Win32.ServStart.CA": [[280, 307]], "Indicator: Trojan.Mrblack.3": [[308, 324]], "Indicator: 
Trojan.StartServ.Win32.135": [[325, 351]], "Indicator: Trojan.Win32.ServStart": [[381, 403]], "Indicator: Trojan.Zusy.D23C29": [[404, 422]], "Indicator: Backdoor/Win32.Zegost.R117606": [[450, 479]], "Indicator: Trojan.StartServ": [[480, 496]], "Indicator: Win32/ServStart.IO": [[497, 515]], "Indicator: Win32.Trojan.Startserv.Huzb": [[516, 543]], "Indicator: Win32/Trojan.a35": [[544, 560]]}, "info": {"id": "cyner2_5class_train_05222", "source": "cyner2_5class_train"}} +{"text": "As the Play Store has introduced new policies and Google Play Protect has scaled defenses , Bread apps were forced to continually iterate to search for gaps .", "spans": {"System: Play Store": [[7, 17]], "System: Google Play Protect": [[50, 69]], "Malware: Bread": [[92, 97]]}, "info": {"id": "cyner2_5class_train_05223", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Society.A W32/Society.DR Win32.Trojan.WisdomEyes.16070401.9500.9997 W95.Sosume.3363 PE_ALCAUL.H Win.Trojan.Alcaul-8 Virus.Win32.Alcaul.h Win32.Society.A Virus.Win32.Alcaul.ue W32.Alcaul.h!c Win32.Society.A Virus.Win32.Alcaul.h Win32.Society.A Win95.Necromancer.3363 PE_ALCAUL.H BehavesLike.Win32.Mental.xz W32/Risk.GISN-1213 Win32/Alcaul.h W32/Alcaul.H W32/Alcaul.H!tr.dr Virus/Win32.Alcaul Win32.Society.A Backdoor:Win32/Society.A Virus.Win9x.Repus Win32.Society.A W32/Alcal.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Society.A": [[26, 41], [169, 184], [222, 237], [259, 274], [423, 438], [482, 497]], "Indicator: W32/Society.DR": [[42, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[57, 99]], "Indicator: W95.Sosume.3363": [[100, 115]], "Indicator: PE_ALCAUL.H": [[116, 127], [298, 309]], "Indicator: Win.Trojan.Alcaul-8": [[128, 147]], "Indicator: Virus.Win32.Alcaul.h": [[148, 168], [238, 258]], "Indicator: Virus.Win32.Alcaul.ue": [[185, 206]], "Indicator: W32.Alcaul.h!c": [[207, 221]], "Indicator: Win95.Necromancer.3363": [[275, 297]], "Indicator: 
BehavesLike.Win32.Mental.xz": [[310, 337]], "Indicator: W32/Risk.GISN-1213": [[338, 356]], "Indicator: Win32/Alcaul.h": [[357, 371]], "Indicator: W32/Alcaul.H": [[372, 384]], "Indicator: W32/Alcaul.H!tr.dr": [[385, 403]], "Indicator: Virus/Win32.Alcaul": [[404, 422]], "Indicator: Backdoor:Win32/Society.A": [[439, 463]], "Indicator: Virus.Win9x.Repus": [[464, 481]], "Indicator: W32/Alcal.F": [[498, 509]]}, "info": {"id": "cyner2_5class_train_05224", "source": "cyner2_5class_train"}} +{"text": "'' The trojan calls this function with the action GLOBAL_ACTION_BACK , which equals the pressing of the back button on the device , thus canceling the opening of the anti-virus application .", "spans": {}, "info": {"id": "cyner2_5class_train_05225", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Dapato!O TrojanClicker.Baffec.A10 Trojan.Downloader Downloader.Dapato.Win32.1470 Trojan/Downloader.Dapato.fxd Win32.Trojan.WisdomEyes.16070401.9500.9610 TROJ_DAPATO_CA08278A.TOMC Trojan-Downloader.Win32.Dapato.fxd Trojan.Win32.Dapato.bxnvih Trojan.Downloader-Dapato Win32.Trojan-downloader.Dapato.Srdc TrojWare.Win32.Downloader.Dapato.FXD Trojan.DownLoad3.2529 TROJ_DAPATO_CA08278A.TOMC Trojan-Downloader.Win32.Dapato TrojanDownloader.Dapato.atd Trojan[Downloader]/Win32.Dapato TrojanClicker:Win32/Baffec.A Trojan.Delf.28 Trojan-Downloader.Win32.Dapato.fxd Downloader/Win32.Dapato.R22620 TrojanDownloader.Dapato Trojan.DL.Dapato!K0jxx5EHs9Y", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Dapato!O": [[26, 58]], "Indicator: TrojanClicker.Baffec.A10": [[59, 83]], "Indicator: Trojan.Downloader": [[84, 101]], "Indicator: Downloader.Dapato.Win32.1470": [[102, 130]], "Indicator: Trojan/Downloader.Dapato.fxd": [[131, 159]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9610": [[160, 202]], "Indicator: TROJ_DAPATO_CA08278A.TOMC": [[203, 228], [411, 436]], "Indicator: Trojan-Downloader.Win32.Dapato.fxd": [[229, 263], 
[572, 606]], "Indicator: Trojan.Win32.Dapato.bxnvih": [[264, 290]], "Indicator: Trojan.Downloader-Dapato": [[291, 315]], "Indicator: Win32.Trojan-downloader.Dapato.Srdc": [[316, 351]], "Indicator: TrojWare.Win32.Downloader.Dapato.FXD": [[352, 388]], "Indicator: Trojan.DownLoad3.2529": [[389, 410]], "Indicator: Trojan-Downloader.Win32.Dapato": [[437, 467]], "Indicator: TrojanDownloader.Dapato.atd": [[468, 495]], "Indicator: Trojan[Downloader]/Win32.Dapato": [[496, 527]], "Indicator: TrojanClicker:Win32/Baffec.A": [[528, 556]], "Indicator: Trojan.Delf.28": [[557, 571]], "Indicator: Downloader/Win32.Dapato.R22620": [[607, 637]], "Indicator: TrojanDownloader.Dapato": [[638, 661]], "Indicator: Trojan.DL.Dapato!K0jxx5EHs9Y": [[662, 690]]}, "info": {"id": "cyner2_5class_train_05226", "source": "cyner2_5class_train"}} +{"text": "Ongoing reporting by ClearSky", "spans": {}, "info": {"id": "cyner2_5class_train_05227", "source": "cyner2_5class_train"}} +{"text": "The users of this app include many well known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.", "spans": {"Organization: Facebook": [[140, 148]], "Organization: Twitter.": [[153, 161]]}, "info": {"id": "cyner2_5class_train_05228", "source": "cyner2_5class_train"}} +{"text": "To ensure you are fully protected against PHAs and other threats , we recommend these 5 basic steps : Install apps only from reputable sources : Install apps from a reputable source , such as Google Play .", "spans": {"System: Google Play": [[192, 203]]}, "info": {"id": "cyner2_5class_train_05229", "source": "cyner2_5class_train"}} +{"text": "This is done by sending “ 3458 ” in an SMS to the blocked device – this will revoke the administrator privileges from the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_05230", "source": "cyner2_5class_train"}} +{"text": "Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL using bit.ly 
service that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions.", "spans": {"Indicator: Social networking": [[0, 17]], "Organization: Facebook": [[24, 32]], "Organization: Twitter": [[37, 44]], "Indicator: shortened URL": [[82, 95]], "Indicator: bit.ly service": [[102, 116]], "System: Google Cloud Server hosting": [[134, 161]], "Indicator: malicious payload with .COM": [[166, 193]], "Indicator: .EXE file extensions.": [[197, 218]]}, "info": {"id": "cyner2_5class_train_05231", "source": "cyner2_5class_train"}} +{"text": "This report documents some of our recent findings regarding its cryptography, network behavior,and banking targets.", "spans": {"Organization: banking targets.": [[99, 115]]}, "info": {"id": "cyner2_5class_train_05232", "source": "cyner2_5class_train"}} +{"text": "Earlier this year, the SpiderLabs team at Trustwave investigated a series of bank breaches originating from postSovietstates.", "spans": {"Organization: the SpiderLabs team": [[19, 38]], "Malware: at": [[39, 41]], "Organization: Trustwave": [[42, 51]]}, "info": {"id": "cyner2_5class_train_05233", "source": "cyner2_5class_train"}} +{"text": "Allows applications to access information about networks .", "spans": {}, "info": {"id": "cyner2_5class_train_05234", "source": "cyner2_5class_train"}} +{"text": "This banking malware can steal login credentials from 94 different mobile banking apps.", "spans": {"Malware: This banking malware": [[0, 20]], "Indicator: steal login credentials": [[25, 48]], "System: mobile banking apps.": [[67, 87]]}, "info": {"id": "cyner2_5class_train_05235", "source": "cyner2_5class_train"}} +{"text": "In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms.", "spans": {"Indicator: phishing": [[52, 60]]}, "info": {"id": "cyner2_5class_train_05236", "source": "cyner2_5class_train"}} +{"text": "We also discovered two previously unknown payloads.These 
payloads contained backdoors that we have named BYEBY and PYLOT respectively.", "spans": {"Malware: unknown payloads.These payloads": [[34, 65]], "Malware: backdoors": [[76, 85]], "Malware: BYEBY": [[105, 110]], "Malware: PYLOT": [[115, 120]]}, "info": {"id": "cyner2_5class_train_05237", "source": "cyner2_5class_train"}} +{"text": "The malware uses several advanced techniques to hide its real intentions and makes it harder to detect .", "spans": {}, "info": {"id": "cyner2_5class_train_05238", "source": "cyner2_5class_train"}} +{"text": "EventBot infected device to be sent to the C Information gathered about the infected device to be sent to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_05239", "source": "cyner2_5class_train"}} +{"text": "RoomTap : silently answers a telephone call and stays connected in the background , allowing the caller to hear conversations within the range of the phone 's microphone .", "spans": {}, "info": {"id": "cyner2_5class_train_05240", "source": "cyner2_5class_train"}} +{"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store .", "spans": {"Malware: HummingBad": [[0, 10]], "System: Google Play Store": [[177, 194]]}, "info": {"id": "cyner2_5class_train_05241", "source": "cyner2_5class_train"}} +{"text": "Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia.", "spans": {"Indicator: the spear phishing emails": [[25, 50]], "Indicator: compromised email": [[70, 87]], "Indicator: legitimate domain": [[107, 124]]}, "info": {"id": "cyner2_5class_train_05242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrjnDwnldrMSIL.Ranos.A4 MSIL.Trojan.Injector.q BKDR_RANOS.SM TrojWare.MSIL.TrojanDownloader.Small.DS Trojan.Starter.2890 BKDR_RANOS.SM 
Trojan.Jintor.1 TrojanDownloader:MSIL/Ranos.A Trojan.Win32.Fsysna MSIL/Injector.CKC!tr Trj/GdSda.A Win32/Trojan.e2d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrjnDwnldrMSIL.Ranos.A4": [[26, 49]], "Indicator: MSIL.Trojan.Injector.q": [[50, 72]], "Indicator: BKDR_RANOS.SM": [[73, 86], [147, 160]], "Indicator: TrojWare.MSIL.TrojanDownloader.Small.DS": [[87, 126]], "Indicator: Trojan.Starter.2890": [[127, 146]], "Indicator: Trojan.Jintor.1": [[161, 176]], "Indicator: TrojanDownloader:MSIL/Ranos.A": [[177, 206]], "Indicator: Trojan.Win32.Fsysna": [[207, 226]], "Indicator: MSIL/Injector.CKC!tr": [[227, 247]], "Indicator: Trj/GdSda.A": [[248, 259]], "Indicator: Win32/Trojan.e2d": [[260, 276]]}, "info": {"id": "cyner2_5class_train_05243", "source": "cyner2_5class_train"}} +{"text": "La Poste - La Poste is a public limited postal service company in France .", "spans": {"Organization: La Poste": [[0, 8]]}, "info": {"id": "cyner2_5class_train_05244", "source": "cyner2_5class_train"}} +{"text": "Some of the tactics used in APT attacks die hard.", "spans": {}, "info": {"id": "cyner2_5class_train_05245", "source": "cyner2_5class_train"}} +{"text": "Therefore , our team managed to generate the public key and craft an SMS message that activated the kill switch .", "spans": {}, "info": {"id": "cyner2_5class_train_05246", "source": "cyner2_5class_train"}} +{"text": "It has not been confirmed whether these are from test devices or the devices of victims .", "spans": {}, "info": {"id": "cyner2_5class_train_05247", "source": "cyner2_5class_train"}} +{"text": "How does Gooligan work ? 
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device .", "spans": {"Malware: Gooligan": [[9, 17]], "Malware: Gooligan-infected": [[83, 100]]}, "info": {"id": "cyner2_5class_train_05248", "source": "cyner2_5class_train"}} +{"text": "“ We ’ re appreciative of both Check Point ’ s research and their partnership as we ’ ve worked together to understand these issues , ” said Adrian Ludwig , Google ’ s director of Android security .", "spans": {"Organization: Check Point": [[31, 42]], "Organization: Google": [[157, 163]], "System: Android": [[180, 187]]}, "info": {"id": "cyner2_5class_train_05249", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan.MNLT-0240 TR/Crypt.Xpack.rxrlk Trojan.Symmi.D136A2 Win32/Trojan.859", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9931": [[26, 68]], "Indicator: W32/Trojan.MNLT-0240": [[69, 89]], "Indicator: TR/Crypt.Xpack.rxrlk": [[90, 110]], "Indicator: Trojan.Symmi.D136A2": [[111, 130]], "Indicator: Win32/Trojan.859": [[131, 147]]}, "info": {"id": "cyner2_5class_train_05250", "source": "cyner2_5class_train"}} +{"text": "This new process downloads and executes the final stage: a Remote Administration Tool RAT based on Gh0st RAT.", "spans": {"Malware: a Remote Administration Tool RAT": [[57, 89]], "Malware: Gh0st RAT.": [[99, 109]]}, "info": {"id": "cyner2_5class_train_05251", "source": "cyner2_5class_train"}} +{"text": "In 2018 , we have already observed a small but consistent number of samples .", "spans": {}, "info": {"id": "cyner2_5class_train_05252", "source": "cyner2_5class_train"}} +{"text": "Until mid-2015 , Rotexy used a plain-text JSON format to communicate with its C & C .", "spans": {"Malware: Rotexy": [[17, 23]]}, "info": {"id": "cyner2_5class_train_05253", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan-Spy.Win32.TravNet.vmq Trojan.PWS.Spy.17858 Trojan.Win32.Webprefix Trojan.Zusy.D124FE Trojan-Spy.Win32.TravNet.vmq TrojanDownloader:Win32/Travnet.B Trojan/Win32.Travnet.R99919 Trojan.Farfli!4lB/nc8HSss W32/Farfli.LI TrojanSpy.TravNet Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy.Win32.TravNet.vmq": [[26, 54], [118, 146]], "Indicator: Trojan.PWS.Spy.17858": [[55, 75]], "Indicator: Trojan.Win32.Webprefix": [[76, 98]], "Indicator: Trojan.Zusy.D124FE": [[99, 117]], "Indicator: TrojanDownloader:Win32/Travnet.B": [[147, 179]], "Indicator: Trojan/Win32.Travnet.R99919": [[180, 207]], "Indicator: Trojan.Farfli!4lB/nc8HSss": [[208, 233]], "Indicator: W32/Farfli.LI": [[234, 247]], "Indicator: TrojanSpy.TravNet": [[248, 265]], "Indicator: Win32/Trojan.Multi.daf": [[266, 288]]}, "info": {"id": "cyner2_5class_train_05254", "source": "cyner2_5class_train"}} +{"text": "The oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years.", "spans": {"Malware: tool": [[64, 68]]}, "info": {"id": "cyner2_5class_train_05255", "source": "cyner2_5class_train"}} +{"text": "Users should adopt best practices , while organizations should ensure that they balance the need for mobility and the importance of security .", "spans": {}, "info": {"id": "cyner2_5class_train_05256", "source": "cyner2_5class_train"}} +{"text": "Earlier this year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps.", "spans": {"System: Pokemon Go": [[90, 100]], "Malware: own malicious apps.": [[117, 136]]}, "info": {"id": "cyner2_5class_train_05257", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Krypt.drmwlo BehavesLike.Win32.Backdoor.gh TR/Krypt.503296 Trojan.MSIL.Bladabindi.1 Trj/CI.A Trojan.VB.Inject MSIL/Bbindi.W!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Win32.Krypt.drmwlo": [[69, 94]], "Indicator: BehavesLike.Win32.Backdoor.gh": [[95, 124]], "Indicator: TR/Krypt.503296": [[125, 140]], "Indicator: Trojan.MSIL.Bladabindi.1": [[141, 165]], "Indicator: Trj/CI.A": [[166, 174]], "Indicator: Trojan.VB.Inject": [[175, 191]], "Indicator: MSIL/Bbindi.W!tr": [[192, 208]]}, "info": {"id": "cyner2_5class_train_05258", "source": "cyner2_5class_train"}} +{"text": "Mozilla products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable.", "spans": {"Organization: Mozilla": [[0, 7]], "Indicator: PDF Viewer,": [[40, 51]], "System: Firefox for Android,": [[60, 80]], "Vulnerability: vulnerable.": [[89, 100]]}, "info": {"id": "cyner2_5class_train_05259", "source": "cyner2_5class_train"}} +{"text": "we are currently working with Adobe to confirm the CVE number for this exploit", "spans": {"Organization: Adobe": [[30, 35]], "Vulnerability: CVE number": [[51, 61]], "Malware: exploit": [[71, 78]]}, "info": {"id": "cyner2_5class_train_05260", "source": "cyner2_5class_train"}} +{"text": "The malware likely required a significant amount of time and knowledge to create.", "spans": {}, "info": {"id": "cyner2_5class_train_05261", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Crack2000.Win32.1 Trojan/.hack Win.Trojan.HackDream-1 Trojan.IRC.Hack Trojan.Win32.Hack.fvvy TrojWare.IRC.Hack.A Trojan.IrcHack BehavesLike.Win32.Dropper.tc Trojan/IRC.Hack JS/IRC.bdmlu Trojan/IRC.Hack Trojan.Win32.IRCHack.546218 Trojan.IRC.Hack Trojan.2000Cracks IRC/Hack.A IRC/Hack.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crack2000.Win32.1": [[26, 50]], "Indicator: Trojan/.hack": [[51, 63]], "Indicator: Win.Trojan.HackDream-1": [[64, 86]], "Indicator: Trojan.IRC.Hack": [[87, 102], [263, 278]], "Indicator: Trojan.Win32.Hack.fvvy": [[103, 125]], "Indicator: TrojWare.IRC.Hack.A": [[126, 145]], "Indicator: 
Trojan.IrcHack": [[146, 160]], "Indicator: BehavesLike.Win32.Dropper.tc": [[161, 189]], "Indicator: Trojan/IRC.Hack": [[190, 205], [219, 234]], "Indicator: JS/IRC.bdmlu": [[206, 218]], "Indicator: Trojan.Win32.IRCHack.546218": [[235, 262]], "Indicator: Trojan.2000Cracks": [[279, 296]], "Indicator: IRC/Hack.A": [[297, 307]], "Indicator: IRC/Hack.A!tr": [[308, 321]]}, "info": {"id": "cyner2_5class_train_05262", "source": "cyner2_5class_train"}} +{"text": "The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.", "spans": {"Vulnerability: DNS-based exfiltration": [[16, 38]], "Malware: malware family;": [[55, 70]], "Malware: POS malware families": [[86, 106]], "Malware: BernhardPOS": [[115, 126]], "Malware: FrameworkPOS": [[131, 143]]}, "info": {"id": "cyner2_5class_train_05263", "source": "cyner2_5class_train"}} +{"text": "How does the malware work without code for these key components ? 
As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run .", "spans": {}, "info": {"id": "cyner2_5class_train_05264", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817469 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id8817469 [ .": [[21, 65]]}, "info": {"id": "cyner2_5class_train_05265", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Trojan.OnLineGames.Win32.215966 Trojan.Heur.RP.cmIfaG!Q79i TSPY_ONLINEG.TGV Win32.Trojan.WisdomEyes.16070401.9500.9941 Win32/Zuten.DK TSPY_ONLINEG.TGV Trojan-GameThief.Win32.OnLineGames.afmb Trojan.Win32.OnLineGames.cvmqrs Troj.GameThief.W32.OnLineGames.afmb!c TrojWare.Win32.Magania.~D Trojan.PWS.Gamania.9849 BehavesLike.Win32.Sytro.nc Virus.Win32.Onlinegames.BBH TrojanDownloader.Small.unq Trojan[GameThief]/Win32.OnLineGames Trojan:Win32/Hookja.A Trojan-GameThief.Win32.OnLineGames.afmb Trojan/Win32.OnlineGameHack.R70066 Trojan.Win32.OnlineGames.10068 Win32.Trojan-gamethief.Onlinegames.Wvkq W32/Onlinegames.KKW!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[26, 62]], "Indicator: Trojan.OnLineGames.Win32.215966": [[63, 94]], "Indicator: Trojan.Heur.RP.cmIfaG!Q79i": [[95, 121]], "Indicator: TSPY_ONLINEG.TGV": [[122, 138], [197, 213]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9941": [[139, 181]], "Indicator: Win32/Zuten.DK": [[182, 196]], "Indicator: Trojan-GameThief.Win32.OnLineGames.afmb": [[214, 253], [514, 553]], "Indicator: Trojan.Win32.OnLineGames.cvmqrs": [[254, 285]], "Indicator: Troj.GameThief.W32.OnLineGames.afmb!c": [[286, 323]], "Indicator: TrojWare.Win32.Magania.~D": [[324, 349]], "Indicator: Trojan.PWS.Gamania.9849": [[350, 373]], "Indicator: BehavesLike.Win32.Sytro.nc": [[374, 400]], "Indicator: 
Virus.Win32.Onlinegames.BBH": [[401, 428]], "Indicator: TrojanDownloader.Small.unq": [[429, 455]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[456, 491]], "Indicator: Trojan:Win32/Hookja.A": [[492, 513]], "Indicator: Trojan/Win32.OnlineGameHack.R70066": [[554, 588]], "Indicator: Trojan.Win32.OnlineGames.10068": [[589, 619]], "Indicator: Win32.Trojan-gamethief.Onlinegames.Wvkq": [[620, 659]], "Indicator: W32/Onlinegames.KKW!tr.pws": [[660, 686]]}, "info": {"id": "cyner2_5class_train_05266", "source": "cyner2_5class_train"}} +{"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc .", "spans": {"Malware: DroidJack RAT": [[0, 13]]}, "info": {"id": "cyner2_5class_train_05267", "source": "cyner2_5class_train"}} +{"text": "One of the most profitable cyber crimes in recent years is ATM robbery, where the cyber criminals extract cash directly from automated teller machines that have already been infected with malware, causing millions of dollars in loss for the banks worldwide.", "spans": {"System: recent years": [[43, 55]], "System: ATM": [[59, 62]], "System: automated teller machines": [[125, 150]], "Malware: malware,": [[188, 196]], "Organization: banks": [[241, 246]]}, "info": {"id": "cyner2_5class_train_05268", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransome.Crowti.OB4 Tool.Patcher.Win32.14244 Trojan/Filecoder.CryptoWall.d Win32.Trojan.Filecoder.h Ransom.Cryptodefense Ransom_HPCRYPTESLA.SM2 Trojan.Win32.Encoder.dytusk Trojan.Encoder.514 Win32.Malware!Drop Ransom_HPCRYPTESLA.SM2 Variant.Symmi.bop TR/AD.Crowti.Y.580 Packed.Win32.Tpyn Win32.Trojan-Ransom.TeslaCrypt.N Win-Trojan/Inject.249861 Win32.Malware!Drop Win32/Filecoder.CryptoWall.D Trojan.Filecoder!cG6QHMIV+ig Trojan.Win32.Filecoder", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransome.Crowti.OB4": [[26, 44]], "Indicator: Tool.Patcher.Win32.14244": [[45, 69]], "Indicator: Trojan/Filecoder.CryptoWall.d": [[70, 
99]], "Indicator: Win32.Trojan.Filecoder.h": [[100, 124]], "Indicator: Ransom.Cryptodefense": [[125, 145]], "Indicator: Ransom_HPCRYPTESLA.SM2": [[146, 168], [235, 257]], "Indicator: Trojan.Win32.Encoder.dytusk": [[169, 196]], "Indicator: Trojan.Encoder.514": [[197, 215]], "Indicator: Win32.Malware!Drop": [[216, 234], [371, 389]], "Indicator: Variant.Symmi.bop": [[258, 275]], "Indicator: TR/AD.Crowti.Y.580": [[276, 294]], "Indicator: Packed.Win32.Tpyn": [[295, 312]], "Indicator: Win32.Trojan-Ransom.TeslaCrypt.N": [[313, 345]], "Indicator: Win-Trojan/Inject.249861": [[346, 370]], "Indicator: Win32/Filecoder.CryptoWall.D": [[390, 418]], "Indicator: Trojan.Filecoder!cG6QHMIV+ig": [[419, 447]], "Indicator: Trojan.Win32.Filecoder": [[448, 470]]}, "info": {"id": "cyner2_5class_train_05269", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.DLBoost.A4 Win32.Trojan.WisdomEyes.16070401.9500.9658 Exploit.Win32.Simadona.b Exploit.Win32.Simadona.eqnhht Trojan.RoboInstall.6 BehavesLike.Win32.Backdoor.wc Trojan.Win32.HackTool HackTool:Win32/Skipun.A!bit Exploit.Win32.Simadona.b PUP/Win32.DLBoost.C1760189 Win32/Trojan.Exploit.09b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.DLBoost.A4": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9658": [[44, 86]], "Indicator: Exploit.Win32.Simadona.b": [[87, 111], [243, 267]], "Indicator: Exploit.Win32.Simadona.eqnhht": [[112, 141]], "Indicator: Trojan.RoboInstall.6": [[142, 162]], "Indicator: BehavesLike.Win32.Backdoor.wc": [[163, 192]], "Indicator: Trojan.Win32.HackTool": [[193, 214]], "Indicator: HackTool:Win32/Skipun.A!bit": [[215, 242]], "Indicator: PUP/Win32.DLBoost.C1760189": [[268, 294]], "Indicator: Win32/Trojan.Exploit.09b": [[295, 319]]}, "info": {"id": "cyner2_5class_train_05270", "source": "cyner2_5class_train"}} +{"text": "Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit.", 
"spans": {"Organization: ESET": [[34, 38]], "Malware: malware": [[86, 93]], "Malware: dubbed SBDH toolkit.": [[124, 144]]}, "info": {"id": "cyner2_5class_train_05271", "source": "cyner2_5class_train"}} +{"text": "Mitigations XLoader will not download malicious apps if the Android device uses a mobile data connection .", "spans": {"Malware: XLoader": [[12, 19]]}, "info": {"id": "cyner2_5class_train_05272", "source": "cyner2_5class_train"}} +{"text": "This article discusses a group of PlugX samples which we believe are all used by the same attackers, and the measures they have taken to attempt to bypass security mechanisms.", "spans": {"Malware: PlugX": [[34, 39]], "Indicator: attempt to bypass security mechanisms.": [[137, 175]]}, "info": {"id": "cyner2_5class_train_05273", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Obfuscated.en!O Trojan.Obfuscated.Win32.70479 Troj.W32.Obfuscated.tpfc Trojan/Obfuscated.a1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Adware.Lop Win.Trojan.Obfus-22 Trojan.Win32.Obfuscated.en Virus.Win32.Sality.bgiylc Trojan.Win32.Obfuscated.3771904 TrojWare.Win32.Obfuscated.en Trojan.Packed.149 BehavesLike.Win32.Dropper.jh Trojan-Downloader.Win32.Swizzor Trojan/Win32.Obfuscated Win32.Troj.ObfuscatedT.cz.545792 Trojan:Win32/C2Lop.C Adware.Lop-Variant Trojan.Win32.Obfuscated.en MalwareScope.Trojan-Downloader.Obfuscated.2 Win32/Obfuscated.A1 W32/Swizzor.B!tr Win32/Trojan.Obfus.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Obfuscated.en!O": [[26, 54]], "Indicator: Trojan.Obfuscated.Win32.70479": [[55, 84]], "Indicator: Troj.W32.Obfuscated.tpfc": [[85, 109]], "Indicator: Trojan/Obfuscated.a1": [[110, 130]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[131, 173]], "Indicator: Adware.Lop": [[174, 184]], "Indicator: Win.Trojan.Obfus-22": [[185, 204]], "Indicator: Trojan.Win32.Obfuscated.en": [[205, 231], [495, 521]], "Indicator: Virus.Win32.Sality.bgiylc": [[232, 257]], "Indicator: 
Trojan.Win32.Obfuscated.3771904": [[258, 289]], "Indicator: TrojWare.Win32.Obfuscated.en": [[290, 318]], "Indicator: Trojan.Packed.149": [[319, 336]], "Indicator: BehavesLike.Win32.Dropper.jh": [[337, 365]], "Indicator: Trojan-Downloader.Win32.Swizzor": [[366, 397]], "Indicator: Trojan/Win32.Obfuscated": [[398, 421]], "Indicator: Win32.Troj.ObfuscatedT.cz.545792": [[422, 454]], "Indicator: Trojan:Win32/C2Lop.C": [[455, 475]], "Indicator: Adware.Lop-Variant": [[476, 494]], "Indicator: MalwareScope.Trojan-Downloader.Obfuscated.2": [[522, 565]], "Indicator: Win32/Obfuscated.A1": [[566, 585]], "Indicator: W32/Swizzor.B!tr": [[586, 602]], "Indicator: Win32/Trojan.Obfus.A": [[603, 623]]}, "info": {"id": "cyner2_5class_train_05274", "source": "cyner2_5class_train"}} +{"text": "Bouncing Golf ’ s operators also try to cover their tracks .", "spans": {"Malware: Bouncing Golf": [[0, 13]]}, "info": {"id": "cyner2_5class_train_05275", "source": "cyner2_5class_train"}} +{"text": "PACKING In addition to implementing custom obfuscation techniques , apps have used several commercially available packers including : Qihoo360 , AliProtect and SecShell .", "spans": {"System: Qihoo360": [[134, 142]], "System: AliProtect": [[145, 155]], "System: SecShell": [[160, 168]]}, "info": {"id": "cyner2_5class_train_05276", "source": "cyner2_5class_train"}} +{"text": "We are uncertain of its objectives but estimate it is criminally motivated.", "spans": {}, "info": {"id": "cyner2_5class_train_05277", "source": "cyner2_5class_train"}} +{"text": "The new text ( in Chinese , about relations between China , Japan and the disputed “ Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands ” ) is shown to the victims and reads as following : When opened in a browser , this is what the command-and-control index page looks like : The text on the top means “ Title Title Title ” in Chinese , while the other strings appear to be random characters typed from the keyboard .", "spans": {}, "info": {"id": 
"cyner2_5class_train_05278", "source": "cyner2_5class_train"}} +{"text": "These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.", "spans": {"Indicator: attacks": [[6, 13]], "Indicator: political issues": [[47, 63]]}, "info": {"id": "cyner2_5class_train_05279", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-CUR.svr Win32.Backdoor.Detarmal.b Backdoor.Trojan Backdoor.Win32.Delf.NBJ BackDoor.Cae.7 BehavesLike.Win32.Upatre.qh Backdoor:Win32/Detarmal.A Win32/Delf.NBJ W32/Detarmal.A!tr Bck/Furaxdoor.B Backdoor.Win32.Detarmal.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-CUR.svr": [[26, 42]], "Indicator: Win32.Backdoor.Detarmal.b": [[43, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: Backdoor.Win32.Delf.NBJ": [[85, 108]], "Indicator: BackDoor.Cae.7": [[109, 123]], "Indicator: BehavesLike.Win32.Upatre.qh": [[124, 151]], "Indicator: Backdoor:Win32/Detarmal.A": [[152, 177]], "Indicator: Win32/Delf.NBJ": [[178, 192]], "Indicator: W32/Detarmal.A!tr": [[193, 210]], "Indicator: Bck/Furaxdoor.B": [[211, 226]], "Indicator: Backdoor.Win32.Detarmal.A": [[227, 252]]}, "info": {"id": "cyner2_5class_train_05280", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_GE.71380BE1 Trojan.Java.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_GE.71380BE1": [[26, 42]], "Indicator: Trojan.Java.Crypt": [[43, 60]]}, "info": {"id": "cyner2_5class_train_05281", "source": "cyner2_5class_train"}} +{"text": "However in this campaign, the binary payload, which was later found to be a NanoCore RAT client, is actually embedded in the obfuscated HTA.", "spans": {"Malware: the binary payload,": [[26, 45]], "Malware: a NanoCore RAT client,": [[74, 96]]}, "info": {"id": "cyner2_5class_train_05282", "source": "cyner2_5class_train"}} +{"text": "This event triggers archive downloading thread 
.", "spans": {}, "info": {"id": "cyner2_5class_train_05283", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.5B76 Trojan.Win32.Yakes.vpjr Trojan.Fakealert.49835 BehavesLike.Win32.PUPXAX.gc W32/Trojan.TMDY-2947 TR/Crypt.ZPACK.mnboo Trojan.Razy.D13B86 Trojan.Win32.Yakes.vpjr W32/Kryptik.EZWB!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.5B76": [[26, 42]], "Indicator: Trojan.Win32.Yakes.vpjr": [[43, 66], [179, 202]], "Indicator: Trojan.Fakealert.49835": [[67, 89]], "Indicator: BehavesLike.Win32.PUPXAX.gc": [[90, 117]], "Indicator: W32/Trojan.TMDY-2947": [[118, 138]], "Indicator: TR/Crypt.ZPACK.mnboo": [[139, 159]], "Indicator: Trojan.Razy.D13B86": [[160, 178]], "Indicator: W32/Kryptik.EZWB!tr": [[203, 222]], "Indicator: Trj/GdSda.A": [[223, 234]]}, "info": {"id": "cyner2_5class_train_05284", "source": "cyner2_5class_train"}} +{"text": "LeakerLocker claims to have made an unauthorized backup of a phone's sensitive information that could be leaked to a user's contacts unless it receives a modest ransom.", "spans": {"Malware: LeakerLocker": [[0, 12]], "Indicator: unauthorized backup": [[36, 55]], "Indicator: phone's sensitive information": [[61, 90]], "Indicator: leaked to a user's contacts unless": [[105, 139]]}, "info": {"id": "cyner2_5class_train_05285", "source": "cyner2_5class_train"}} +{"text": "We have made the connection to Bitter APT through tactics, techniques, and procedures TTPs that have been observed in other publications, such as the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer MSI files.", "spans": {"Malware: Microsoft Office exploits": [[157, 182]], "Indicator: Excel files,": [[191, 203]], "System: CHM": [[219, 222]], "System: Windows Installer MSI": [[227, 248]], "Indicator: files.": [[249, 255]]}, "info": {"id": "cyner2_5class_train_05286", "source": "cyner2_5class_train"}} +{"text": "The setup code receives an installation command 
from the previous stage .", "spans": {}, "info": {"id": "cyner2_5class_train_05287", "source": "cyner2_5class_train"}} +{"text": "It ’ s not enough for this malware family to swap just one innocent application with an infected double .", "spans": {}, "info": {"id": "cyner2_5class_train_05288", "source": "cyner2_5class_train"}} +{"text": "Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in recent years.", "spans": {}, "info": {"id": "cyner2_5class_train_05289", "source": "cyner2_5class_train"}} +{"text": "Telegram using IP address from Spain.", "spans": {"System: Telegram": [[0, 8]], "Indicator: IP address": [[15, 25]]}, "info": {"id": "cyner2_5class_train_05290", "source": "cyner2_5class_train"}} +{"text": "However , this is not a genuine “ Google Play Protect ” screen ; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect .", "spans": {"System: Google Play": [[34, 45]], "System: Google Play Protect": [[161, 180]]}, "info": {"id": "cyner2_5class_train_05291", "source": "cyner2_5class_train"}} +{"text": "Today RSA is reporting GlassRAT, a previously undetectable Remote Access Tool RAT which was discovered by the RSA Incident Response Team and investigated by RSA Research during an engagement with a multi-national enterprise.", "spans": {"Organization: RSA": [[6, 9]], "Malware: GlassRAT,": [[23, 32]], "Malware: Remote Access Tool RAT": [[59, 81]], "Organization: RSA Incident Response Team": [[110, 136]], "Organization: RSA Research": [[157, 169]], "Organization: multi-national enterprise.": [[198, 224]]}, "info": {"id": "cyner2_5class_train_05292", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Nanspy Worm.Nanspy.Win32.9 Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Nanspy.TXTE-7172 W32.Kassbot.B Win.Worm.Nanspy-1 Net-Worm.Win32.Nanspy.e Trojan.Win32.Nanspy.fwie W32.W.Bagle.kZt7 Heur.Packed.MultiPacked BackDoor.Pyev 
BehavesLike.Win32.HLLPPhilis.nc Trojan-Dropper.Delf W32/Nanspy.O I-Worm/Nanspy.d WORM/Nanspy.E Backdoor:Win32/Nanspy.D Worm.Win32.Net-Nanspy.34368.B Trojan/Win32.Lydra.R96925 Net-Worm.Win32.Nanspy.e Worm.Nanspy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Nanspy": [[26, 37], [457, 468]], "Indicator: Worm.Nanspy.Win32.9": [[38, 57]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[58, 100]], "Indicator: W32/Nanspy.TXTE-7172": [[101, 121]], "Indicator: W32.Kassbot.B": [[122, 135]], "Indicator: Win.Worm.Nanspy-1": [[136, 153]], "Indicator: Net-Worm.Win32.Nanspy.e": [[154, 177], [433, 456]], "Indicator: Trojan.Win32.Nanspy.fwie": [[178, 202]], "Indicator: W32.W.Bagle.kZt7": [[203, 219]], "Indicator: Heur.Packed.MultiPacked": [[220, 243]], "Indicator: BackDoor.Pyev": [[244, 257]], "Indicator: BehavesLike.Win32.HLLPPhilis.nc": [[258, 289]], "Indicator: Trojan-Dropper.Delf": [[290, 309]], "Indicator: W32/Nanspy.O": [[310, 322]], "Indicator: I-Worm/Nanspy.d": [[323, 338]], "Indicator: WORM/Nanspy.E": [[339, 352]], "Indicator: Backdoor:Win32/Nanspy.D": [[353, 376]], "Indicator: Worm.Win32.Net-Nanspy.34368.B": [[377, 406]], "Indicator: Trojan/Win32.Lydra.R96925": [[407, 432]]}, "info": {"id": "cyner2_5class_train_05293", "source": "cyner2_5class_train"}} +{"text": "The infected application contains its payload inside the DEX file .", "spans": {}, "info": {"id": "cyner2_5class_train_05294", "source": "cyner2_5class_train"}} +{"text": "For the past five months , Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways , including by infiltrating the command and control servers it uses .", "spans": {"Organization: Check Point": [[27, 38]], "Malware: HummingBad": [[116, 126]]}, "info": {"id": "cyner2_5class_train_05295", "source": "cyner2_5class_train"}} +{"text": "As such, this new attack represents a dangerous new hybrid combining the work of a notorious cyber criminal gang with Chinese cyber 
espionage group to attack a financial services firm.", "spans": {"Indicator: attack": [[18, 24], [151, 157]], "Organization: financial services firm.": [[160, 184]]}, "info": {"id": "cyner2_5class_train_05296", "source": "cyner2_5class_train"}} +{"text": "FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings.", "spans": {"Organization: FireEye": [[0, 7]], "Malware: new variant of a point of sale POS malware family": [[30, 79]], "Malware: NewPosThings.": [[89, 102]]}, "info": {"id": "cyner2_5class_train_05297", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Imiserv.245760 Trojan.Imiserv.c Trojan/Imiserv.c Trojan.Win32.Malware.1 Win32/Imiserv.C Adware.IEPlugin Trojan.Win32.Imiserv.c Trojan.Win32.Imiserv.B TrojWare.Win32.Imiserv.C Trojan.Win32.Imiserv.c TROJ_IMISERVER.A Trojan.Win32.Imiserv!IK Trojan.Win32.Imiserv.B Win-Trojan/Imiserv.245760 Trojan.Win32.Imiserv.c Trojan.Imiserv.G Trojan.Win32.Imiserv W32/Imiserv.C!tr Trj/Imiserv.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Imiserv.245760": [[26, 51]], "Indicator: Trojan.Imiserv.c": [[52, 68]], "Indicator: Trojan/Imiserv.c": [[69, 85]], "Indicator: Trojan.Win32.Malware.1": [[86, 108]], "Indicator: Win32/Imiserv.C": [[109, 124]], "Indicator: Adware.IEPlugin": [[125, 140]], "Indicator: Trojan.Win32.Imiserv.c": [[141, 163], [212, 234], [325, 347]], "Indicator: Trojan.Win32.Imiserv.B": [[164, 186], [276, 298]], "Indicator: TrojWare.Win32.Imiserv.C": [[187, 211]], "Indicator: TROJ_IMISERVER.A": [[235, 251]], "Indicator: Trojan.Win32.Imiserv!IK": [[252, 275]], "Indicator: Win-Trojan/Imiserv.245760": [[299, 324]], "Indicator: Trojan.Imiserv.G": [[348, 364]], "Indicator: Trojan.Win32.Imiserv": [[365, 385]], "Indicator: W32/Imiserv.C!tr": [[386, 402]], "Indicator: Trj/Imiserv.M": [[403, 416]]}, "info": {"id": "cyner2_5class_train_05298", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Trojan-Clicker.Win32.VB!O Trojan.VB.al3 Trojan.VB.Win32.56708 W32/Clicker.VB.fli TROJ_LNKIEB.SMI Win32/VB.BHE TROJ_LNKIEB.SMI Win.Trojan.Clicker-4258 Trojan-Clicker.Win32.VB.fli Trojan.Win32.VB.cnwqrx Trojan.Win32.A.Clicker.36892 Win32.Trojan.Vb.Angm TrojWare.Win32.Injector.AMXL TrojanClicker.VB.ffy TR/Lnkiebes.A.6 Trojan[Clicker]/Win32.VB Trojan.Buzy.D6DC Trojan-Clicker.Win32.VB.fli Trojan:Win32/Lnkiebes.A Trojan/Win32.VB.R5515 Trojan.VBRA.03765 Win32/Spy.Chekafev.AD Trojan.CL.VB!fBU5Dy6sJXo Trojan-Clicker.Win32.VB W32/VB.F!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Clicker.Win32.VB!O": [[26, 51]], "Indicator: Trojan.VB.al3": [[52, 65]], "Indicator: Trojan.VB.Win32.56708": [[66, 87]], "Indicator: W32/Clicker.VB.fli": [[88, 106]], "Indicator: TROJ_LNKIEB.SMI": [[107, 122], [136, 151]], "Indicator: Win32/VB.BHE": [[123, 135]], "Indicator: Win.Trojan.Clicker-4258": [[152, 175]], "Indicator: Trojan-Clicker.Win32.VB.fli": [[176, 203], [385, 412]], "Indicator: Trojan.Win32.VB.cnwqrx": [[204, 226]], "Indicator: Trojan.Win32.A.Clicker.36892": [[227, 255]], "Indicator: Win32.Trojan.Vb.Angm": [[256, 276]], "Indicator: TrojWare.Win32.Injector.AMXL": [[277, 305]], "Indicator: TrojanClicker.VB.ffy": [[306, 326]], "Indicator: TR/Lnkiebes.A.6": [[327, 342]], "Indicator: Trojan[Clicker]/Win32.VB": [[343, 367]], "Indicator: Trojan.Buzy.D6DC": [[368, 384]], "Indicator: Trojan:Win32/Lnkiebes.A": [[413, 436]], "Indicator: Trojan/Win32.VB.R5515": [[437, 458]], "Indicator: Trojan.VBRA.03765": [[459, 476]], "Indicator: Win32/Spy.Chekafev.AD": [[477, 498]], "Indicator: Trojan.CL.VB!fBU5Dy6sJXo": [[499, 523]], "Indicator: Trojan-Clicker.Win32.VB": [[524, 547]], "Indicator: W32/VB.F!tr": [[548, 559]]}, "info": {"id": "cyner2_5class_train_05299", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Small.9216.J Trojan/TopAntiSpyware.i TROJ_ANTISPY.B Win32.Trojan.WisdomEyes.16070401.9500.9859 W32/Trojan.QAS Adware.Topantispyware 
Win32/DlExaw.E TROJ_ANTISPY.B Html.Trojan.ClickerSmall-71 Trojan.Win32.TopAntiSpyware.j Trojan.Win32.TopAntiSpyware.ehkl Troj.W32.TopAntiSpyware.j!c Win32.Trojan.Topantispyware.Wsju TrojWare.Win32.TopAntiSpyware.~BAAB Trojan.DownLoader.2049 BehavesLike.Win32.Virut.zh Trojan.Win32.TopAntiSpyware.J W32/Trojan.MSMO-2253 Trojan/TopAntiSpyware.c Trojan/Win32.TopAntiSpyware Trojan:Win32/TopAntiSpyware.J Trojan.Win32.TopAntiSpyware.j Trojan/Win32.Adload.C82279 Adware.WarSpy.G", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Small.9216.J": [[26, 53]], "Indicator: Trojan/TopAntiSpyware.i": [[54, 77]], "Indicator: TROJ_ANTISPY.B": [[78, 92], [188, 202]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9859": [[93, 135]], "Indicator: W32/Trojan.QAS": [[136, 150]], "Indicator: Adware.Topantispyware": [[151, 172]], "Indicator: Win32/DlExaw.E": [[173, 187]], "Indicator: Html.Trojan.ClickerSmall-71": [[203, 230]], "Indicator: Trojan.Win32.TopAntiSpyware.j": [[231, 260], [574, 603]], "Indicator: Trojan.Win32.TopAntiSpyware.ehkl": [[261, 293]], "Indicator: Troj.W32.TopAntiSpyware.j!c": [[294, 321]], "Indicator: Win32.Trojan.Topantispyware.Wsju": [[322, 354]], "Indicator: TrojWare.Win32.TopAntiSpyware.~BAAB": [[355, 390]], "Indicator: Trojan.DownLoader.2049": [[391, 413]], "Indicator: BehavesLike.Win32.Virut.zh": [[414, 440]], "Indicator: Trojan.Win32.TopAntiSpyware.J": [[441, 470]], "Indicator: W32/Trojan.MSMO-2253": [[471, 491]], "Indicator: Trojan/TopAntiSpyware.c": [[492, 515]], "Indicator: Trojan/Win32.TopAntiSpyware": [[516, 543]], "Indicator: Trojan:Win32/TopAntiSpyware.J": [[544, 573]], "Indicator: Trojan/Win32.Adload.C82279": [[604, 630]], "Indicator: Adware.WarSpy.G": [[631, 646]]}, "info": {"id": "cyner2_5class_train_05300", "source": "cyner2_5class_train"}} +{"text": "This example is from a later version of EventBot , and in other versions the naming convention is very similar , with bot IDs such as word100 , word101 , word102 , and test2005 , 
test2006 etc .", "spans": {"Malware: EventBot": [[40, 48]]}, "info": {"id": "cyner2_5class_train_05301", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //mailsa-qau [ .", "spans": {"Indicator: hxxp : //mailsa-qau [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_05302", "source": "cyner2_5class_train"}} +{"text": "Locky .diablo6 campaign", "spans": {"Malware: Locky .diablo6": [[0, 14]]}, "info": {"id": "cyner2_5class_train_05303", "source": "cyner2_5class_train"}} +{"text": "What follows are some of the features exhibited by SpyNote RAT .", "spans": {"Malware: SpyNote RAT": [[51, 62]]}, "info": {"id": "cyner2_5class_train_05304", "source": "cyner2_5class_train"}} +{"text": "A charge is then added to the user ’ s bill with their mobile service provider .", "spans": {}, "info": {"id": "cyner2_5class_train_05305", "source": "cyner2_5class_train"}} +{"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0.0.0.1 , 0.0.0.2 , and 0.3.0.1 and 0.4.0.1 .", "spans": {"Malware: EventBot": [[60, 68]]}, "info": {"id": "cyner2_5class_train_05306", "source": "cyner2_5class_train"}} +{"text": "Upon clicking the ads , the malware author receives payment from the website developer , which pays for the illegitimate clicks and traffic .", "spans": {}, "info": {"id": "cyner2_5class_train_05307", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Injector.FC.81 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Dwn.dzugvc TrojWare.MSIL.Disfa.B Trojan.DownLoader17.15248 BehavesLike.Win32.Trojan.fc Trojan.MSIL.Crypt Trojan.Razy.D1AD5 Spyware.Imminent MSIL/Kryptik.EAN!tr Win32/Trojan.982", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.FC.81": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[48, 90]], "Indicator: Trojan.Win32.Dwn.dzugvc": [[91, 114]], "Indicator: TrojWare.MSIL.Disfa.B": [[115, 136]], "Indicator: Trojan.DownLoader17.15248": 
[[137, 162]], "Indicator: BehavesLike.Win32.Trojan.fc": [[163, 190]], "Indicator: Trojan.MSIL.Crypt": [[191, 208]], "Indicator: Trojan.Razy.D1AD5": [[209, 226]], "Indicator: Spyware.Imminent": [[227, 243]], "Indicator: MSIL/Kryptik.EAN!tr": [[244, 263]], "Indicator: Win32/Trojan.982": [[264, 280]]}, "info": {"id": "cyner2_5class_train_05308", "source": "cyner2_5class_train"}} +{"text": "Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can hack administrative control panel of PHPMyAdmin, which is used to manage relational databases, and brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol.", "spans": {"System: dangerous applications": [[21, 43]], "Indicator: Linux.PNScan.1": [[56, 70]], "System: compromised device,": [[78, 97]], "Vulnerability: PHPMyAdmin,": [[154, 165]], "Vulnerability: brute-force authentication credentials": [[216, 254]], "Indicator: unauthorized access": [[262, 281]], "Indicator: SSH protocol.": [[321, 334]]}, "info": {"id": "cyner2_5class_train_05309", "source": "cyner2_5class_train"}} +{"text": "During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists.", "spans": {"Malware: malware": [[28, 35]], "Indicator: code paths": [[61, 71]], "System: Mac": [[112, 115]], "System: Unix variant": [[119, 131]], "Malware: tool": [[145, 149]]}, "info": {"id": "cyner2_5class_train_05310", "source": "cyner2_5class_train"}} +{"text": "] com nampriknum [ .", "spans": {"Indicator: nampriknum [ .": [[6, 20]]}, "info": {"id": "cyner2_5class_train_05311", "source": "cyner2_5class_train"}} +{"text": "Aside from this campaign's motivation, what grabbed our attention was the way it utilizes pCloud, a free cloud service, for data storage and communication.", "spans": {"System: a free cloud service,": [[98, 119]], "System: data storage": 
[[124, 136]], "System: communication.": [[141, 155]]}, "info": {"id": "cyner2_5class_train_05312", "source": "cyner2_5class_train"}} +{"text": "In this third part of Unit 42's Cybercrime Underground blog series, we're taking a slightly different approach.", "spans": {"Organization: Unit 42's Cybercrime Underground": [[22, 54]]}, "info": {"id": "cyner2_5class_train_05313", "source": "cyner2_5class_train"}} +{"text": "These deceptive sites are carefully crafted to trick unsuspecting users into downloading and executing malware, which can result in stealing the victim's sensitive data.", "spans": {"Indicator: deceptive sites": [[6, 21]], "Malware: malware,": [[103, 111]], "Indicator: the victim's sensitive data.": [[141, 169]]}, "info": {"id": "cyner2_5class_train_05314", "source": "cyner2_5class_train"}} +{"text": "The analyzed implant has a complex structure , and for now we have observed two modules .", "spans": {}, "info": {"id": "cyner2_5class_train_05315", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.QQPass!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/QQPass.ZQ Trojan-PSW.Win32.QQPass.gkd Trojan.Win32.QQPass.vwban Backdoor.W32.DsBot.l5eP Trojan.PWS.Lineage.10130 BehavesLike.Win32.RAHack.cm Trojan/PSW.QQPass.fng Trojan[GameThief]/Win32.Lmir Win32.Troj.QQPswT.bs.116858 Trojan.Graftor.Elzob.D486F Trojan.Tencent/Variant Trojan-PSW.Win32.QQPass.gkd SScope.Trojan-PSW.Win32.Delf.bav Worm.Win32.AutoRun", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.QQPass!O": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[52, 94]], "Indicator: Win32/QQPass.ZQ": [[95, 110]], "Indicator: Trojan-PSW.Win32.QQPass.gkd": [[111, 138], [371, 398]], "Indicator: Trojan.Win32.QQPass.vwban": [[139, 164]], "Indicator: Backdoor.W32.DsBot.l5eP": [[165, 188]], "Indicator: Trojan.PWS.Lineage.10130": [[189, 213]], "Indicator: BehavesLike.Win32.RAHack.cm": [[214, 241]], "Indicator: Trojan/PSW.QQPass.fng": 
[[242, 263]], "Indicator: Trojan[GameThief]/Win32.Lmir": [[264, 292]], "Indicator: Win32.Troj.QQPswT.bs.116858": [[293, 320]], "Indicator: Trojan.Graftor.Elzob.D486F": [[321, 347]], "Indicator: Trojan.Tencent/Variant": [[348, 370]], "Indicator: SScope.Trojan-PSW.Win32.Delf.bav": [[399, 431]], "Indicator: Worm.Win32.AutoRun": [[432, 450]]}, "info": {"id": "cyner2_5class_train_05316", "source": "cyner2_5class_train"}} +{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"Organization: Cisco": [[80, 85]]}, "info": {"id": "cyner2_5class_train_05317", "source": "cyner2_5class_train"}} +{"text": "] 151/ as a command and control server .", "spans": {}, "info": {"id": "cyner2_5class_train_05318", "source": "cyner2_5class_train"}} +{"text": "In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms.", "spans": {"Organization: FireEye": [[22, 29]], "Organization: seven global law and investment firms.": [[78, 116]]}, "info": {"id": "cyner2_5class_train_05319", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Injector Trojan.Win32.Dwn.edybnj Trojan.Win32.Z.Razy.328168 Win32.Trojan.Falsesign.Phqf Trojan.DownLoader21.41335 Trojan.MSIL.Crypt TR/Dropper.MSIL.inryd Trojan.Razy.D11CB7 Trojan:Win32/Censer.A Trj/CI.A MSIL/Kryptik.GLN!tr Win32/Trojan.Dropper.32d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector": [[26, 41]], "Indicator: Trojan.Win32.Dwn.edybnj": [[42, 65]], "Indicator: Trojan.Win32.Z.Razy.328168": [[66, 92]], "Indicator: Win32.Trojan.Falsesign.Phqf": [[93, 120]], "Indicator: Trojan.DownLoader21.41335": [[121, 146]], "Indicator: Trojan.MSIL.Crypt": [[147, 164]], "Indicator: TR/Dropper.MSIL.inryd": [[165, 186]], "Indicator: Trojan.Razy.D11CB7": [[187, 205]], "Indicator: Trojan:Win32/Censer.A": [[206, 227]], "Indicator: Trj/CI.A": [[228, 236]], "Indicator: MSIL/Kryptik.GLN!tr": [[237, 
256]], "Indicator: Win32/Trojan.Dropper.32d": [[257, 281]]}, "info": {"id": "cyner2_5class_train_05320", "source": "cyner2_5class_train"}} +{"text": "A strong relationship between previously identified malware samples attributed to these campaigns and the newly discovered samples examined in this report.", "spans": {"Malware: malware samples": [[52, 67]], "Malware: campaigns": [[88, 97]]}, "info": {"id": "cyner2_5class_train_05321", "source": "cyner2_5class_train"}} +{"text": "We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015.", "spans": {}, "info": {"id": "cyner2_5class_train_05322", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Chet.20484 W32/Chet.c@MM W32/Chet.e Trojan.Win32.Chet.emgc W32.Chet@mm Win32/Chet.E Email-Worm.Win32.Chet.e I-Worm.Chet!g52sFTlFeyo I-Worm.Win32.Chet.20484.C[h] Worm.Win32.Chet.E Win32.HLLM.Otchet.20484 Worm.Chet.Win32.4 W32/Chet.c@MM W32/Risk.ZNRZ-7753 I-Worm/Chet.a W32/Chet.E!worm Worm[Email]/Win32.Chet W32.W.Chet.e!c Win32/Chet.worm.20484.C Worm:Win32/Chet.E@mm Win32/Chet.E Worm.Chet Win32.Worm-email.Chet.Szlk Email-Worm.Win32.Chet I-Worm/Chet.C Worm.Win32.Chet.e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Chet.20484": [[26, 45]], "Indicator: W32/Chet.c@MM": [[46, 59], [256, 269]], "Indicator: W32/Chet.e": [[60, 70]], "Indicator: Trojan.Win32.Chet.emgc": [[71, 93]], "Indicator: W32.Chet@mm": [[94, 105]], "Indicator: Win32/Chet.E": [[106, 118], [402, 414]], "Indicator: Email-Worm.Win32.Chet.e": [[119, 142]], "Indicator: I-Worm.Chet!g52sFTlFeyo": [[143, 166]], "Indicator: I-Worm.Win32.Chet.20484.C[h]": [[167, 195]], "Indicator: Worm.Win32.Chet.E": [[196, 213]], "Indicator: Win32.HLLM.Otchet.20484": [[214, 237]], "Indicator: Worm.Chet.Win32.4": [[238, 255]], "Indicator: W32/Risk.ZNRZ-7753": [[270, 288]], "Indicator: I-Worm/Chet.a": [[289, 302]], "Indicator: W32/Chet.E!worm": [[303, 318]], "Indicator: Worm[Email]/Win32.Chet": [[319, 
341]], "Indicator: W32.W.Chet.e!c": [[342, 356]], "Indicator: Win32/Chet.worm.20484.C": [[357, 380]], "Indicator: Worm:Win32/Chet.E@mm": [[381, 401]], "Indicator: Worm.Chet": [[415, 424]], "Indicator: Win32.Worm-email.Chet.Szlk": [[425, 451]], "Indicator: Email-Worm.Win32.Chet": [[452, 473]], "Indicator: I-Worm/Chet.C": [[474, 487]], "Indicator: Worm.Win32.Chet.e": [[488, 505]]}, "info": {"id": "cyner2_5class_train_05323", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.Small.Win32.7020 Trojan/Downloader.Small.bdc Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Downloader.DXO TROJ_TENGADL.A Win.Downloader.Tenga-1 Trojan-Downloader.Win32.Small.bdc Trojan.Win32.Small.glqe Trojan.Win32.Downloader.3072.B Troj.Downloader.W32.Small.bdc!c TrojWare.Win32.TrojanDownloader.Small.BDC Trojan.DownLoader.3449 TROJ_TENGADL.A W32/Downloader.GWIH-8231 TrojanDownloader.Small.bqb W32.Malware.Downloader TR/Dldr.Small.bdc.2 Trojan[Downloader]/Win32.Small TrojanDownloader:Win32/Gael.A Trojan-Downloader.Win32.Small.bdc Trojan/Win32.Downloader.C22709 Trojan-Downloader.Win32.Utenti Trj/Downloader.DNX Win32/TrojanDownloader.Small.BDC Win32.Trojan-downloader.Small.Wrpx Trojan.DL.Small!rnjf8eX9OeE Trojan-Downloader.Win32.Small W32/Small.BDC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Small.Win32.7020": [[26, 53]], "Indicator: Trojan/Downloader.Small.bdc": [[54, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[82, 124]], "Indicator: W32/Downloader.DXO": [[125, 143]], "Indicator: TROJ_TENGADL.A": [[144, 158], [368, 382]], "Indicator: Win.Downloader.Tenga-1": [[159, 181]], "Indicator: Trojan-Downloader.Win32.Small.bdc": [[182, 215], [539, 572]], "Indicator: Trojan.Win32.Small.glqe": [[216, 239]], "Indicator: Trojan.Win32.Downloader.3072.B": [[240, 270]], "Indicator: Troj.Downloader.W32.Small.bdc!c": [[271, 302]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.BDC": [[303, 344]], "Indicator: Trojan.DownLoader.3449": 
[[345, 367]], "Indicator: W32/Downloader.GWIH-8231": [[383, 407]], "Indicator: TrojanDownloader.Small.bqb": [[408, 434]], "Indicator: W32.Malware.Downloader": [[435, 457]], "Indicator: TR/Dldr.Small.bdc.2": [[458, 477]], "Indicator: Trojan[Downloader]/Win32.Small": [[478, 508]], "Indicator: TrojanDownloader:Win32/Gael.A": [[509, 538]], "Indicator: Trojan/Win32.Downloader.C22709": [[573, 603]], "Indicator: Trojan-Downloader.Win32.Utenti": [[604, 634]], "Indicator: Trj/Downloader.DNX": [[635, 653]], "Indicator: Win32/TrojanDownloader.Small.BDC": [[654, 686]], "Indicator: Win32.Trojan-downloader.Small.Wrpx": [[687, 721]], "Indicator: Trojan.DL.Small!rnjf8eX9OeE": [[722, 749]], "Indicator: Trojan-Downloader.Win32.Small": [[750, 779]], "Indicator: W32/Small.BDC!tr": [[780, 796]]}, "info": {"id": "cyner2_5class_train_05324", "source": "cyner2_5class_train"}} +{"text": "In order to infect the victims, the attackers distributed spear-phishing email, which purports to have been sent from NIC's Incident response team, the attackers spoofed an email id that is associated with Indian Ministry of Defence to send out email to the victims.", "spans": {"Indicator: infect": [[12, 18]], "Organization: victims,": [[23, 31]], "Indicator: spear-phishing email,": [[58, 79]], "Organization: NIC's Incident response team,": [[118, 147]], "Indicator: spoofed an email id": [[162, 181]], "Organization: Indian Ministry of Defence": [[206, 232]], "Indicator: email": [[245, 250]], "Organization: victims.": [[258, 266]]}, "info": {"id": "cyner2_5class_train_05325", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Paramcud TROJ_UMPER.SMSE Backdoor.Win32.3Para.e TROJ_UMPER.SMSE W32/Adware.KYIR-6825 Trojan.Adware.Symmi.D781 Trojan:Win32/Umper.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Paramcud": [[26, 41]], "Indicator: TROJ_UMPER.SMSE": [[42, 57], [81, 96]], "Indicator: Backdoor.Win32.3Para.e": [[58, 80]], "Indicator: W32/Adware.KYIR-6825": [[97, 
117]], "Indicator: Trojan.Adware.Symmi.D781": [[118, 142]], "Indicator: Trojan:Win32/Umper.A": [[143, 163]]}, "info": {"id": "cyner2_5class_train_05326", "source": "cyner2_5class_train"}} +{"text": "] infogoogle-support-team [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05327", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/IllNotifier.d TROJ_ILLNOTIF.D Win32.Trojan.WisdomEyes.16070401.9500.9964 TROJ_ILLNOTIF.D Trojan-Notifier.Win32.IllNotifier.d Trojan.Win32.IllNotifier.diak Trojan.Win32.IllNotifier.4096 Troj.Notifier.W32.IllNotifier.d!c Win32.TrojanNotifier.IllNotif.D Trojan.Illnot TrojanNotifier.IllNotifier.b TR/IllNotifier.D.1 Trojan-Notifier.Win32.IllNotifier.d Trojan:Win32/IllNotif.D TrojanNotifier.IllNotifier Trj/Notifier.C Win32/TrojanNotifier.IllNotif.D Trojan.IllNotifier!nSHIqsfdJ3I W32/IllNotifier.D!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/IllNotifier.d": [[26, 46]], "Indicator: TROJ_ILLNOTIF.D": [[47, 62], [106, 121]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[63, 105]], "Indicator: Trojan-Notifier.Win32.IllNotifier.d": [[122, 157], [346, 381]], "Indicator: Trojan.Win32.IllNotifier.diak": [[158, 187]], "Indicator: Trojan.Win32.IllNotifier.4096": [[188, 217]], "Indicator: Troj.Notifier.W32.IllNotifier.d!c": [[218, 251]], "Indicator: Win32.TrojanNotifier.IllNotif.D": [[252, 283]], "Indicator: Trojan.Illnot": [[284, 297]], "Indicator: TrojanNotifier.IllNotifier.b": [[298, 326]], "Indicator: TR/IllNotifier.D.1": [[327, 345]], "Indicator: Trojan:Win32/IllNotif.D": [[382, 405]], "Indicator: TrojanNotifier.IllNotifier": [[406, 432]], "Indicator: Trj/Notifier.C": [[433, 447]], "Indicator: Win32/TrojanNotifier.IllNotif.D": [[448, 479]], "Indicator: Trojan.IllNotifier!nSHIqsfdJ3I": [[480, 510]], "Indicator: W32/IllNotifier.D!tr": [[511, 531]]}, "info": {"id": "cyner2_5class_train_05328", "source": "cyner2_5class_train"}} +{"text": "As an initial attack vector , “ Agent Smith ” 
abuses the 9Apps market – with over 360 different dropper variants .", "spans": {"Malware: Agent Smith": [[32, 43]], "System: 9Apps": [[57, 62]]}, "info": {"id": "cyner2_5class_train_05329", "source": "cyner2_5class_train"}} +{"text": "EventBot requests permissions to always run in the background .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_05330", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.IrcbotFamTMS.Worm W32/CubsPewt.worm Backdoor.RBot.Win32.1857 Trojan.Heur.VP2.Cy2aaWGg!Jbi WORM_CUBSPEW.SMD Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Worm.ATKB W32.SillyFDC Win32/Cubspewt.E WORM_CUBSPEW.SMD Win.Trojan.Mybot-11593 Trojan.Win32.Rbot.baglt Win32.Worm.Autorun.Wqwe Win32.HLLW.Autoruner.7400 BehavesLike.Win32.Dropper.gc W32/Worm.ZJYN-5347 Backdoor/RBot.jco Trojan[Backdoor]/Win32.Rbot Worm:Win32/Cubspewt.A Backdoor.Win32.IRCBot.425984.C Worm/Win32.IRCBot.R7984 Backdoor.Rbot Backdoor.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.IrcbotFamTMS.Worm": [[26, 47]], "Indicator: W32/CubsPewt.worm": [[48, 65]], "Indicator: Backdoor.RBot.Win32.1857": [[66, 90]], "Indicator: Trojan.Heur.VP2.Cy2aaWGg!Jbi": [[91, 119]], "Indicator: WORM_CUBSPEW.SMD": [[120, 136], [224, 240]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9943": [[137, 179]], "Indicator: W32/Worm.ATKB": [[180, 193]], "Indicator: W32.SillyFDC": [[194, 206]], "Indicator: Win32/Cubspewt.E": [[207, 223]], "Indicator: Win.Trojan.Mybot-11593": [[241, 263]], "Indicator: Trojan.Win32.Rbot.baglt": [[264, 287]], "Indicator: Win32.Worm.Autorun.Wqwe": [[288, 311]], "Indicator: Win32.HLLW.Autoruner.7400": [[312, 337]], "Indicator: BehavesLike.Win32.Dropper.gc": [[338, 366]], "Indicator: W32/Worm.ZJYN-5347": [[367, 385]], "Indicator: Backdoor/RBot.jco": [[386, 403]], "Indicator: Trojan[Backdoor]/Win32.Rbot": [[404, 431]], "Indicator: Worm:Win32/Cubspewt.A": [[432, 453]], "Indicator: Backdoor.Win32.IRCBot.425984.C": [[454, 484]], 
"Indicator: Worm/Win32.IRCBot.R7984": [[485, 508]], "Indicator: Backdoor.Rbot": [[509, 522], [523, 536]]}, "info": {"id": "cyner2_5class_train_05331", "source": "cyner2_5class_train"}} +{"text": "The malware uses HTTP for communication with the C2 server for command handling and data exfiltration .", "spans": {}, "info": {"id": "cyner2_5class_train_05332", "source": "cyner2_5class_train"}} +{"text": "Threat actors are now using this previously unseen executable, created by Samsung, to load variants of the PlugX Trojan.", "spans": {"Organization: Samsung,": [[74, 82]], "Malware: PlugX Trojan.": [[107, 120]]}, "info": {"id": "cyner2_5class_train_05333", "source": "cyner2_5class_train"}} +{"text": "Poison Ivy has a convenient graphical user interface GUI for managing compromised hosts and provides easy access to a rich suite of post-compromise tools.", "spans": {"Malware: Poison Ivy": [[0, 10]], "Indicator: convenient graphical user interface GUI": [[17, 56]], "Indicator: compromised": [[70, 81]], "System: hosts": [[82, 87]], "Indicator: easy access": [[101, 112]], "Malware: post-compromise tools.": [[132, 154]]}, "info": {"id": "cyner2_5class_train_05334", "source": "cyner2_5class_train"}} +{"text": "A direct trail was established over a period of years that would lead competent researchers to finger CN operators as responsible for this new activity as well.", "spans": {"Organization: researchers": [[80, 91]]}, "info": {"id": "cyner2_5class_train_05335", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Trojan.Downloader.JKFJ Dropped:Trojan.Downloader.JKFJ Trojan.Downloader.JKFJ Trojan.DownLoad.6115 Dropped:Trojan.Downloader.JKFJ Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Trojan.Downloader.JKFJ": [[26, 56], [57, 87], [132, 162]], "Indicator: Trojan.Downloader.JKFJ": [[88, 110]], "Indicator: Trojan.DownLoad.6115": [[111, 131]], "Indicator: Trj/Downloader.MDW": [[163, 181]]}, "info": {"id": 
"cyner2_5class_train_05336", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Llac BKDR_COMDAR.SMI Win32.Trojan.WisdomEyes.16070401.9500.9967 BKDR_COMDAR.SMI Win.Trojan.Killav-107 Trojan.Win32.Llac.dpis Trojan.Win32.Hupigon.bjsvj Trojan.Win32.Z.Hupigon.631808 Troj.W32.Llac!c Backdoor.Win32.Amtar.~dkc1 BackDoor.Comet.345 Backdoor.Hupigon.Win32.87925 BehavesLike.Win32.Dropper.jh Trojan/Scar.bmme Trojan[Backdoor]/Win32.Hupigon TrojanDownloader:Win32/Hupigon.C Trojan.Win32.Llac.dpis Trojan/Win32.Hupigon.C98989 TScope.Trojan.Delf Win32.Trojan.Llac.Swuk Virus.Win32.Delf.DTW Win32/Trojan.713", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Llac": [[26, 37]], "Indicator: BKDR_COMDAR.SMI": [[38, 53], [97, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[54, 96]], "Indicator: Win.Trojan.Killav-107": [[113, 134]], "Indicator: Trojan.Win32.Llac.dpis": [[135, 157], [416, 438]], "Indicator: Trojan.Win32.Hupigon.bjsvj": [[158, 184]], "Indicator: Trojan.Win32.Z.Hupigon.631808": [[185, 214]], "Indicator: Troj.W32.Llac!c": [[215, 230]], "Indicator: Backdoor.Win32.Amtar.~dkc1": [[231, 257]], "Indicator: BackDoor.Comet.345": [[258, 276]], "Indicator: Backdoor.Hupigon.Win32.87925": [[277, 305]], "Indicator: BehavesLike.Win32.Dropper.jh": [[306, 334]], "Indicator: Trojan/Scar.bmme": [[335, 351]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[352, 382]], "Indicator: TrojanDownloader:Win32/Hupigon.C": [[383, 415]], "Indicator: Trojan/Win32.Hupigon.C98989": [[439, 466]], "Indicator: TScope.Trojan.Delf": [[467, 485]], "Indicator: Win32.Trojan.Llac.Swuk": [[486, 508]], "Indicator: Virus.Win32.Delf.DTW": [[509, 529]], "Indicator: Win32/Trojan.713": [[530, 546]]}, "info": {"id": "cyner2_5class_train_05337", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Backdoor.SchoolBus.C Backdoor.Schoolbus BackDoor-BL.dr Backdoor.W32.Schoolbus!c W32/Backdoor2.XLL Backdoor.Trojan BKDR_SCHOOLBUS.C 
Dropped:Backdoor.SchoolBus.C Backdoor.Win32.SchoolBus.15 Dropped:Backdoor.SchoolBus.C Backdoor.Win32.Z.Schoolbus.257515 Dropped:Backdoor.SchoolBus.C Dropped:Backdoor.SchoolBus.C BackDoor.SchoolBus Email-Worm.Win32.GOPworm.196 BKDR_SCHOOLBUS.C BehavesLike.Win32.Dropper.dc W32/Backdoor.CDSN-7186 BDS/SchoolBus.C.DR.8 Backdoor:Win32/Schoolbus.C.dr Backdoor.Win32.SchoolBus.15 Backdoor/Win32.Trojan.C197204 Dropped:Backdoor.SchoolBus.C Email-Worm.Win32.GOPworm.196 Backdoor.Schoolbus Bck/Iroffer.BG Backdoor.SchoolBus.C Win32/SchoolBus.C Win32.Backdoor.Schoolbus.pfo Backdoor.SchoolBus.C Win32/Trojan.374", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Backdoor.SchoolBus.C": [[26, 54], [165, 193], [222, 250], [285, 313], [314, 342], [569, 597]], "Indicator: Backdoor.Schoolbus": [[55, 73], [627, 645]], "Indicator: BackDoor-BL.dr": [[74, 88]], "Indicator: Backdoor.W32.Schoolbus!c": [[89, 113]], "Indicator: W32/Backdoor2.XLL": [[114, 131]], "Indicator: Backdoor.Trojan": [[132, 147]], "Indicator: BKDR_SCHOOLBUS.C": [[148, 164], [391, 407]], "Indicator: Backdoor.Win32.SchoolBus.15": [[194, 221], [511, 538]], "Indicator: Backdoor.Win32.Z.Schoolbus.257515": [[251, 284]], "Indicator: BackDoor.SchoolBus": [[343, 361]], "Indicator: Email-Worm.Win32.GOPworm.196": [[362, 390], [598, 626]], "Indicator: BehavesLike.Win32.Dropper.dc": [[408, 436]], "Indicator: W32/Backdoor.CDSN-7186": [[437, 459]], "Indicator: BDS/SchoolBus.C.DR.8": [[460, 480]], "Indicator: Backdoor:Win32/Schoolbus.C.dr": [[481, 510]], "Indicator: Backdoor/Win32.Trojan.C197204": [[539, 568]], "Indicator: Bck/Iroffer.BG": [[646, 660]], "Indicator: Backdoor.SchoolBus.C": [[661, 681], [729, 749]], "Indicator: Win32/SchoolBus.C": [[682, 699]], "Indicator: Win32.Backdoor.Schoolbus.pfo": [[700, 728]], "Indicator: Win32/Trojan.374": [[750, 766]]}, "info": {"id": "cyner2_5class_train_05338", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JKVR Backdoor.Pingbed 
Trojan.Downloader.JKVR Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Backdoor2.HAEI BKDR_PINGBED.A Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR BKDR_PINGBED.A BehavesLike.Win32.PWSOnlineGames.pt W32/Backdoor.DODB-2037 Backdoor:Win32/Pingbed.A Trojan/Win32.Dllbot.R15525 Trojan.Downloader.JKVR Win32/Trojan.Downloader.d4d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JKVR": [[26, 48], [66, 88], [166, 188], [189, 211], [212, 234], [235, 257], [384, 406]], "Indicator: Backdoor.Pingbed": [[49, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[89, 131]], "Indicator: W32/Backdoor2.HAEI": [[132, 150]], "Indicator: BKDR_PINGBED.A": [[151, 165], [258, 272]], "Indicator: BehavesLike.Win32.PWSOnlineGames.pt": [[273, 308]], "Indicator: W32/Backdoor.DODB-2037": [[309, 331]], "Indicator: Backdoor:Win32/Pingbed.A": [[332, 356]], "Indicator: Trojan/Win32.Dllbot.R15525": [[357, 383]], "Indicator: Win32/Trojan.Downloader.d4d": [[407, 434]]}, "info": {"id": "cyner2_5class_train_05339", "source": "cyner2_5class_train"}} +{"text": "Mad Max is a targeted trojan that uses a domain generation algorithm DGA", "spans": {"Malware: Mad Max": [[0, 7]], "Malware: targeted trojan": [[13, 28]], "Indicator: domain generation algorithm DGA": [[41, 72]]}, "info": {"id": "cyner2_5class_train_05340", "source": "cyner2_5class_train"}} +{"text": "Extract the Wi-Fi network 's password .", "spans": {}, "info": {"id": "cyner2_5class_train_05341", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9987 Win.Trojan.Enfal-36 DLOADER.Trojan BehavesLike.Win32.BadFile.qt Trojan.Heur.EED22D0 Backdoor.Win32.PcClient", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[26, 68]], "Indicator: Win.Trojan.Enfal-36": [[69, 88]], "Indicator: DLOADER.Trojan": [[89, 103]], "Indicator: BehavesLike.Win32.BadFile.qt": [[104, 132]], 
"Indicator: Trojan.Heur.EED22D0": [[133, 152]], "Indicator: Backdoor.Win32.PcClient": [[153, 176]]}, "info": {"id": "cyner2_5class_train_05342", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.PgxviewI.Trojan Win32.Worm.Donked.b Win32/Donked.A Win.Worm.Autorun-7941 Win32.Worm.Donked.A Trojan.Disabler.64 W32/Autorun.worm.he Worm:Win32/Donked.A Win32/Autorun.worm.40960.DM W32/Autorun.worm.he I-Worm.Donked.A Win32/Donked.A Worm.Donked!DgcwScp6hHo W32/Donked.BB!tr Win32/Trojan.88a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.PgxviewI.Trojan": [[26, 45]], "Indicator: Win32.Worm.Donked.b": [[46, 65]], "Indicator: Win32/Donked.A": [[66, 80], [246, 260]], "Indicator: Win.Worm.Autorun-7941": [[81, 102]], "Indicator: Win32.Worm.Donked.A": [[103, 122]], "Indicator: Trojan.Disabler.64": [[123, 141]], "Indicator: W32/Autorun.worm.he": [[142, 161], [210, 229]], "Indicator: Worm:Win32/Donked.A": [[162, 181]], "Indicator: Win32/Autorun.worm.40960.DM": [[182, 209]], "Indicator: I-Worm.Donked.A": [[230, 245]], "Indicator: Worm.Donked!DgcwScp6hHo": [[261, 284]], "Indicator: W32/Donked.BB!tr": [[285, 301]], "Indicator: Win32/Trojan.88a": [[302, 318]]}, "info": {"id": "cyner2_5class_train_05343", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MulDrop7.11292 Trojan.Injector.Win32.494093 Trojan.Fsysna.guw TR/AD.NETCryptor.xslwu Trojan.MSILPerseus.D15D13 Trojan/Win32.MSILKrypt.R210547 Trj/GdSda.A Trojan.Injector!cLW3TSG0Mi8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MulDrop7.11292": [[26, 47]], "Indicator: Trojan.Injector.Win32.494093": [[48, 76]], "Indicator: Trojan.Fsysna.guw": [[77, 94]], "Indicator: TR/AD.NETCryptor.xslwu": [[95, 117]], "Indicator: Trojan.MSILPerseus.D15D13": [[118, 143]], "Indicator: Trojan/Win32.MSILKrypt.R210547": [[144, 174]], "Indicator: Trj/GdSda.A": [[175, 186]], "Indicator: Trojan.Injector!cLW3TSG0Mi8": [[187, 214]]}, "info": {"id": "cyner2_5class_train_05344", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Flashy.Trojan Packed.Win32.TDSS!O Trojan.Disabler.Win32.3 Trojan/Disabler.i WORM_FLASHY.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Glupzy.A Win32/Glupzy.A WORM_FLASHY.SM Win.Trojan.Disabler-3 Trojan.Win32.Disabler.i Trojan.Win32.Disabler.reit Trojan.Win32.Disabler.21185 Win32.Trojan.Fakedoc.Auto Trojan.Flashy BehavesLike.Win32.Dropper.cz Trojan/Disabler.al TR/Disabler.I Trojan/Win32.Disabler Worm:Win32/Glupzy.A W32.W.VB.kZz1 Trojan.Win32.Disabler.i Trojan/Win32.HDC.C51559 Trojan.Flasher.2913 RiskWare.Tool.CK Win32/Disabler.I Trojan.Disabler!sfd9qm983h8 Virus.Win32.Virut W32/Disabler.I!tr Trj/Flashy.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Flashy.Trojan": [[26, 43]], "Indicator: Packed.Win32.TDSS!O": [[44, 63]], "Indicator: Trojan.Disabler.Win32.3": [[64, 87]], "Indicator: Trojan/Disabler.i": [[88, 105]], "Indicator: WORM_FLASHY.SM": [[106, 120], [192, 206]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[121, 163]], "Indicator: W32.Glupzy.A": [[164, 176]], "Indicator: Win32/Glupzy.A": [[177, 191]], "Indicator: Win.Trojan.Disabler-3": [[207, 228]], "Indicator: Trojan.Win32.Disabler.i": [[229, 252], [466, 489]], "Indicator: Trojan.Win32.Disabler.reit": [[253, 279]], "Indicator: Trojan.Win32.Disabler.21185": [[280, 307]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[308, 333]], "Indicator: Trojan.Flashy": [[334, 347]], "Indicator: BehavesLike.Win32.Dropper.cz": [[348, 376]], "Indicator: Trojan/Disabler.al": [[377, 395]], "Indicator: TR/Disabler.I": [[396, 409]], "Indicator: Trojan/Win32.Disabler": [[410, 431]], "Indicator: Worm:Win32/Glupzy.A": [[432, 451]], "Indicator: W32.W.VB.kZz1": [[452, 465]], "Indicator: Trojan/Win32.HDC.C51559": [[490, 513]], "Indicator: Trojan.Flasher.2913": [[514, 533]], "Indicator: RiskWare.Tool.CK": [[534, 550]], "Indicator: Win32/Disabler.I": [[551, 567]], "Indicator: Trojan.Disabler!sfd9qm983h8": [[568, 595]], "Indicator: 
Virus.Win32.Virut": [[596, 613]], "Indicator: W32/Disabler.I!tr": [[614, 631]], "Indicator: Trj/Flashy.A": [[632, 644]]}, "info": {"id": "cyner2_5class_train_05345", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike.Win32.Conficker.mc Trojan.Razy.D1B4E2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Conficker.mc": [[26, 56]], "Indicator: Trojan.Razy.D1B4E2": [[57, 75]]}, "info": {"id": "cyner2_5class_train_05346", "source": "cyner2_5class_train"}} +{"text": "During the investigation , Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware .", "spans": {"Organization: Talos": [[27, 32]]}, "info": {"id": "cyner2_5class_train_05347", "source": "cyner2_5class_train"}} +{"text": "The ransom demand for 0.2 Bitcoins ( roughly $ 180 ) is a much higher ransom demand than has been seen in mobile ransomware so far .", "spans": {}, "info": {"id": "cyner2_5class_train_05348", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.Gamex.A Android.FakeUpdate.B Android.Trojan.Gamex.A Android.Trojan.Gamex.e AndroidOS/Gamex.A Android.Mobigapp A.H.Rog.Gamex.B Trojan:Android/Gamex.C Android.DownLoader.1561 AndroidOS/Gamex.A ANDROID/Mobigapp.A Android.Trojan.Gamex.A Android-Trojan/Gamex.1cbc Trojan.AndroidOS.FakeSite.A Android.Trojan.Gamex.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.Gamex.A": [[26, 48], [70, 92], [251, 273], [328, 350]], "Indicator: Android.FakeUpdate.B": [[49, 69]], "Indicator: Android.Trojan.Gamex.e": [[93, 115]], "Indicator: AndroidOS/Gamex.A": [[116, 133], [214, 231]], "Indicator: Android.Mobigapp": [[134, 150]], "Indicator: A.H.Rog.Gamex.B": [[151, 166]], "Indicator: Trojan:Android/Gamex.C": [[167, 189]], "Indicator: Android.DownLoader.1561": [[190, 213]], "Indicator: ANDROID/Mobigapp.A": [[232, 250]], "Indicator: Android-Trojan/Gamex.1cbc": [[274, 299]], 
"Indicator: Trojan.AndroidOS.FakeSite.A": [[300, 327]]}, "info": {"id": "cyner2_5class_train_05349", "source": "cyner2_5class_train"}} +{"text": "It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device .", "spans": {}, "info": {"id": "cyner2_5class_train_05350", "source": "cyner2_5class_train"}} +{"text": "The ransomeware also leaves the notes README_HOW_TO_UNLOCK.html and README_HOW_TO_UNLOCK.txt throughout the system.", "spans": {"Malware: ransomeware": [[4, 15]], "Indicator: notes README_HOW_TO_UNLOCK.html": [[32, 63]], "Indicator: README_HOW_TO_UNLOCK.txt": [[68, 92]], "System: system.": [[108, 115]]}, "info": {"id": "cyner2_5class_train_05351", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Jorik.Banker!O Trojan.Zusy.D689D Win32.Trojan.WisdomEyes.16070401.9500.9545 W32/Trojan.WDRL-5915 Trojan-Banker.Win32.TuaiBR.edq Trojan.Win32.Zusy.dckfkl Troj.W32.Jorik.Banker.dnz!c Win32.Trojan-banker.Tuaibr.Wlfg Trojan.Jorik.Win32.164763 TR/Spy.Banker.UV Trojan/Win32.Banker TrojanProxy:MSIL/Banker.G Trojan-Banker.Win32.TuaiBR.edq Trojan/Win32.Proxy.C910983 MSIL/Banker.AK!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Jorik.Banker!O": [[26, 53]], "Indicator: Trojan.Zusy.D689D": [[54, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9545": [[72, 114]], "Indicator: W32/Trojan.WDRL-5915": [[115, 135]], "Indicator: Trojan-Banker.Win32.TuaiBR.edq": [[136, 166], [341, 371]], "Indicator: Trojan.Win32.Zusy.dckfkl": [[167, 191]], "Indicator: Troj.W32.Jorik.Banker.dnz!c": [[192, 219]], "Indicator: Win32.Trojan-banker.Tuaibr.Wlfg": [[220, 251]], "Indicator: Trojan.Jorik.Win32.164763": [[252, 277]], "Indicator: TR/Spy.Banker.UV": [[278, 294]], "Indicator: Trojan/Win32.Banker": [[295, 314]], "Indicator: TrojanProxy:MSIL/Banker.G": [[315, 340]], "Indicator: Trojan/Win32.Proxy.C910983": [[372, 398]], "Indicator: 
MSIL/Banker.AK!tr.spy": [[399, 420]]}, "info": {"id": "cyner2_5class_train_05352", "source": "cyner2_5class_train"}} +{"text": "Below is a description of the most noteworthy : The implant is able to spy on all available device sensors and to log registered events .", "spans": {}, "info": {"id": "cyner2_5class_train_05353", "source": "cyner2_5class_train"}} +{"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store .", "spans": {"System: VPN": [[194, 197]]}, "info": {"id": "cyner2_5class_train_05354", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Boaxxe.E Win32.Trojan.WisdomEyes.16070401.9500.9985 TROJ_ZBOT.SMUI Packed.Win32.Krap.iu Win32.Trojan.Falsesign.Dvgf TrojWare.Win32.Kryptik.ZLB Trojan.DownLoad3.832 TROJ_ZBOT.SMUI Trojan.Win32.Cleaman Trojan/Menti.sbs Trojan[Packed]/Win32.Krap Trojan:Win32/Cleaman.B Packed.Win32.Krap.iu Trojan/Win32.Menti.R20809 SScope.Malware-Cryptor.SB.01798 Bck/Qbot.AO Trojan.Conjar.8 Trojan.Kryptik!pGFdk5FNPhE Win32/Trojan.0ce", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Boaxxe.E": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[42, 84]], "Indicator: TROJ_ZBOT.SMUI": [[85, 99], [197, 211]], "Indicator: Packed.Win32.Krap.iu": [[100, 120], [299, 319]], "Indicator: Win32.Trojan.Falsesign.Dvgf": [[121, 148]], "Indicator: TrojWare.Win32.Kryptik.ZLB": [[149, 175]], "Indicator: Trojan.DownLoad3.832": [[176, 196]], "Indicator: Trojan.Win32.Cleaman": [[212, 232]], "Indicator: Trojan/Menti.sbs": [[233, 249]], "Indicator: Trojan[Packed]/Win32.Krap": [[250, 275]], "Indicator: Trojan:Win32/Cleaman.B": [[276, 298]], "Indicator: 
Trojan/Win32.Menti.R20809": [[320, 345]], "Indicator: SScope.Malware-Cryptor.SB.01798": [[346, 377]], "Indicator: Bck/Qbot.AO": [[378, 389]], "Indicator: Trojan.Conjar.8": [[390, 405]], "Indicator: Trojan.Kryptik!pGFdk5FNPhE": [[406, 432]], "Indicator: Win32/Trojan.0ce": [[433, 449]]}, "info": {"id": "cyner2_5class_train_05355", "source": "cyner2_5class_train"}} +{"text": "During our analysis of this sample , we did notice that the class itself is never called or used by the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_05356", "source": "cyner2_5class_train"}} +{"text": "One of the side effects of this packer is the inability of Android Studio IDE to debug the code .", "spans": {"System: Android Studio IDE": [[59, 77]]}, "info": {"id": "cyner2_5class_train_05357", "source": "cyner2_5class_train"}} +{"text": "Still , US-based infected phones total almost 287,000 .", "spans": {}, "info": {"id": "cyner2_5class_train_05358", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: SMSFraud.d Win32/Hoax.ArchSMS.KC Hoax.Win32.ArchSMS.hsgx Trojan.SMSSend.520 SMSFraud.d Hoax/Win32.ArchSMS Program:Win32/Pameseg.U Hoax.Win32.ArchSMS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: SMSFraud.d": [[26, 36], [102, 112]], "Indicator: Win32/Hoax.ArchSMS.KC": [[37, 58]], "Indicator: Hoax.Win32.ArchSMS.hsgx": [[59, 82]], "Indicator: Trojan.SMSSend.520": [[83, 101]], "Indicator: Hoax/Win32.ArchSMS": [[113, 131]], "Indicator: Program:Win32/Pameseg.U": [[132, 155]], "Indicator: Hoax.Win32.ArchSMS": [[156, 174]]}, "info": {"id": "cyner2_5class_train_05359", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ShitOverVBx.PE Trojan.Win32.Cosmu!O W32.Lamer.EL3 Trojan.Downloader Downloader.VB.Win32.9689 Troj.Downloader.W32.VB.l4ji Trojan/Downloader.VB.eex TROJ_DLOADR.SMM Win32.Virus.VBbind.a W32/Worm.BAOX W32.Besverit Win32/VB.P TROJ_DLOADR.SMM Virus.Win32.Lamer.el Trojan.Win32.VB.csnpye Worm.Win32.VB.kp Win32.HLLW.Autoruner.6014 
BehavesLike.Win32.Dropper.rh W32/Worm.EMYS-2108 Trojan/VB.kro WORM/VB.NVA Virus/Win32.Lamer.el Trojan:Win32/Dorv.A Trojan.Win32.Downloader.90650.B Virus.Win32.Lamer.el Win32.Application.Unwanted.B Dropper/Win32.Cosmu.R14017 SIM.Trojan.VBO.0859 Trojan.Cosmu Win32/AutoRun.VB.JP Worm.VB.FMYJ Worm.Win32 W32/OverDoom.A Worm.Win32.VB.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ShitOverVBx.PE": [[26, 44]], "Indicator: Trojan.Win32.Cosmu!O": [[45, 65]], "Indicator: W32.Lamer.EL3": [[66, 79]], "Indicator: Trojan.Downloader": [[80, 97]], "Indicator: Downloader.VB.Win32.9689": [[98, 122]], "Indicator: Troj.Downloader.W32.VB.l4ji": [[123, 150]], "Indicator: Trojan/Downloader.VB.eex": [[151, 175]], "Indicator: TROJ_DLOADR.SMM": [[176, 191], [251, 266]], "Indicator: Win32.Virus.VBbind.a": [[192, 212]], "Indicator: W32/Worm.BAOX": [[213, 226]], "Indicator: W32.Besverit": [[227, 239]], "Indicator: Win32/VB.P": [[240, 250]], "Indicator: Virus.Win32.Lamer.el": [[267, 287], [501, 521]], "Indicator: Trojan.Win32.VB.csnpye": [[288, 310]], "Indicator: Worm.Win32.VB.kp": [[311, 327]], "Indicator: Win32.HLLW.Autoruner.6014": [[328, 353]], "Indicator: BehavesLike.Win32.Dropper.rh": [[354, 382]], "Indicator: W32/Worm.EMYS-2108": [[383, 401]], "Indicator: Trojan/VB.kro": [[402, 415]], "Indicator: WORM/VB.NVA": [[416, 427]], "Indicator: Virus/Win32.Lamer.el": [[428, 448]], "Indicator: Trojan:Win32/Dorv.A": [[449, 468]], "Indicator: Trojan.Win32.Downloader.90650.B": [[469, 500]], "Indicator: Win32.Application.Unwanted.B": [[522, 550]], "Indicator: Dropper/Win32.Cosmu.R14017": [[551, 577]], "Indicator: SIM.Trojan.VBO.0859": [[578, 597]], "Indicator: Trojan.Cosmu": [[598, 610]], "Indicator: Win32/AutoRun.VB.JP": [[611, 630]], "Indicator: Worm.VB.FMYJ": [[631, 643]], "Indicator: Worm.Win32": [[644, 654]], "Indicator: W32/OverDoom.A": [[655, 669]], "Indicator: Worm.Win32.VB.C": [[670, 685]]}, "info": {"id": "cyner2_5class_train_05360", "source": "cyner2_5class_train"}} +{"text": 
"This new organization seems to work on securing Android devices .", "spans": {"Organization: Android": [[48, 55]]}, "info": {"id": "cyner2_5class_train_05361", "source": "cyner2_5class_train"}} +{"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it .", "spans": {}, "info": {"id": "cyner2_5class_train_05362", "source": "cyner2_5class_train"}} +{"text": "Starting on October 28, we found that these two vulnerabilities were being targeted by the Angler and Nuclear exploit kits.", "spans": {"Vulnerability: vulnerabilities": [[48, 63]], "Malware: Angler": [[91, 97]], "Malware: Nuclear exploit kits.": [[102, 123]]}, "info": {"id": "cyner2_5class_train_05363", "source": "cyner2_5class_train"}} +{"text": "Unfortunately, the attack is still active and the number of victims has been increasing.", "spans": {"Indicator: attack": [[19, 25]]}, "info": {"id": "cyner2_5class_train_05364", "source": "cyner2_5class_train"}} +{"text": "It hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and messages from numbers belonging to the bank .", "spans": {}, "info": {"id": "cyner2_5class_train_05365", "source": "cyner2_5class_train"}} +{"text": "An email with the subject of UK Fuels Collection pretending to come from invoices@ebillinvoice.com with a malicious word doc attachment delivers some sort of malware.", "spans": {"Indicator: email": [[3, 8]], "Indicator: subject": [[18, 25]], "Indicator: UK Fuels Collection": [[29, 48]], "Indicator: invoices@ebillinvoice.com": [[73, 98]], "Malware: malicious word doc": [[106, 124]], "Malware: malware.": [[158, 166]]}, "info": {"id": "cyner2_5class_train_05366", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9805 Trojan.MulDrop7.45925 BehavesLike.Win32.Trojan.hc W32/Trojan.OQZZ-1308 TR/Ransom.JigsawLocker.dneeo Trojan.MSILPerseus.D1E5AF Ransom:MSIL/JigsawLocker.A 
Ransom.Jigsaw Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9805": [[26, 68]], "Indicator: Trojan.MulDrop7.45925": [[69, 90]], "Indicator: BehavesLike.Win32.Trojan.hc": [[91, 118]], "Indicator: W32/Trojan.OQZZ-1308": [[119, 139]], "Indicator: TR/Ransom.JigsawLocker.dneeo": [[140, 168]], "Indicator: Trojan.MSILPerseus.D1E5AF": [[169, 194]], "Indicator: Ransom:MSIL/JigsawLocker.A": [[195, 221]], "Indicator: Ransom.Jigsaw": [[222, 235]], "Indicator: Trj/GdSda.A": [[236, 247]]}, "info": {"id": "cyner2_5class_train_05367", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WS.Reputation.1 TROJ_SPNR.08JS11 TROJ_SPNR.08JS11 Trojan:MSIL/Reploxar.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: TROJ_SPNR.08JS11": [[42, 58], [59, 75]], "Indicator: Trojan:MSIL/Reploxar.A": [[76, 98]], "Indicator: Trj/CI.A": [[99, 107]]}, "info": {"id": "cyner2_5class_train_05368", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader.EAC O97M.Downloader.GQ W97M.Downloader.EAC W2KM_FAREIT.YYSVN W97M.Downloader.EAC W97M.Downloader.EAC Trojan.Script.MLW.egddty W97M.Downloader.EAC W97M.Downloader.EAC W2KM_FAREIT.YYSVN W97M/Downloader.bhi HEUR/Macro.Downloader Trojan:O97M/Macrobe.D W97M.Downloader.EAC W97M/Downloader.bhi virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.EAC": [[26, 45], [65, 84], [103, 122], [123, 142], [168, 187], [188, 207], [290, 309]], "Indicator: O97M.Downloader.GQ": [[46, 64]], "Indicator: W2KM_FAREIT.YYSVN": [[85, 102], [208, 225]], "Indicator: Trojan.Script.MLW.egddty": [[143, 167]], "Indicator: W97M/Downloader.bhi": [[226, 245], [310, 329]], "Indicator: HEUR/Macro.Downloader": [[246, 267]], "Indicator: Trojan:O97M/Macrobe.D": [[268, 289]], "Indicator: virus.office.obfuscated.1": [[330, 355]]}, "info": {"id": "cyner2_5class_train_05369", "source": 
"cyner2_5class_train"}} +{"text": "This group is known to have targeted U.S. government agencies, defense contractors, aerospace firms and foreign militaries since 2009.", "spans": {"Organization: U.S. government agencies, defense contractors, aerospace firms and foreign militaries": [[37, 122]]}, "info": {"id": "cyner2_5class_train_05370", "source": "cyner2_5class_train"}} +{"text": "Unfortunately, at any given point in time, there are thousands of sites that allow users to illegally stream pirated content, and they often manage to devise strategies that allow them to monetize their illegally sourced content with programmatic advertising.", "spans": {}, "info": {"id": "cyner2_5class_train_05371", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.Small.Win32.7325 Dialer.DialerPlatformLimited Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Downloader.AULY Trojan.Packed.14 Win32/TrojanDownloader.Small.CXG TROJ_OBFUSCAT.EY Win.Trojan.Dialer-266 Trojan.Win32.Busky.cvqace TrojWare.Win32.TrojanDownloader.Small.CXG Trojan.DownLoader.based Trojan-Downloader.Win32.Busky W32/Downloader.MCGP-7971 Trojan[Downloader]/Win32.Busky TrojanDownloader:Win32/Beenut.A Win32/SillyDl.PW MalwareScope.Trojan-Downloader.Obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Small.Win32.7325": [[26, 53]], "Indicator: Dialer.DialerPlatformLimited": [[54, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[83, 125]], "Indicator: W32/Downloader.AULY": [[126, 145]], "Indicator: Trojan.Packed.14": [[146, 162]], "Indicator: Win32/TrojanDownloader.Small.CXG": [[163, 195]], "Indicator: TROJ_OBFUSCAT.EY": [[196, 212]], "Indicator: Win.Trojan.Dialer-266": [[213, 234]], "Indicator: Trojan.Win32.Busky.cvqace": [[235, 260]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.CXG": [[261, 302]], "Indicator: Trojan.DownLoader.based": [[303, 326]], "Indicator: Trojan-Downloader.Win32.Busky": [[327, 356]], "Indicator: 
W32/Downloader.MCGP-7971": [[357, 381]], "Indicator: Trojan[Downloader]/Win32.Busky": [[382, 412]], "Indicator: TrojanDownloader:Win32/Beenut.A": [[413, 444]], "Indicator: Win32/SillyDl.PW": [[445, 461]], "Indicator: MalwareScope.Trojan-Downloader.Obfuscated.1": [[462, 505]]}, "info": {"id": "cyner2_5class_train_05372", "source": "cyner2_5class_train"}} +{"text": "We first detected members of this family back in March 2018 .", "spans": {}, "info": {"id": "cyner2_5class_train_05373", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Potential.A Trojan/DownloaderKrap.ii Trojan.Zbot.6 Win32.Trojan.Kryptik.b W32.Priter Win32/SillyDl.YFM Packed.Win32.Krap.ii Virus.Win32.CrazyPrier.lrspi Packer.W32.Krap!c TrojWare.Win32.PkdKrap.II BehavesLike.Win32.HLLPPhilis.nh Packed.Krap.dqky Win32.Troj.fo.40176 TrojanDownloader:Win32/Potentialdownloader.A Packed.Win32.Krap.ii Trojan/Win32.Downloader.R3327 Trojan.Win32.Small.pck Trojan.Win32.Crazyman1649.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Potential.A": [[26, 44]], "Indicator: Trojan/DownloaderKrap.ii": [[45, 69]], "Indicator: Trojan.Zbot.6": [[70, 83]], "Indicator: Win32.Trojan.Kryptik.b": [[84, 106]], "Indicator: W32.Priter": [[107, 117]], "Indicator: Win32/SillyDl.YFM": [[118, 135]], "Indicator: Packed.Win32.Krap.ii": [[136, 156], [344, 364]], "Indicator: Virus.Win32.CrazyPrier.lrspi": [[157, 185]], "Indicator: Packer.W32.Krap!c": [[186, 203]], "Indicator: TrojWare.Win32.PkdKrap.II": [[204, 229]], "Indicator: BehavesLike.Win32.HLLPPhilis.nh": [[230, 261]], "Indicator: Packed.Krap.dqky": [[262, 278]], "Indicator: Win32.Troj.fo.40176": [[279, 298]], "Indicator: TrojanDownloader:Win32/Potentialdownloader.A": [[299, 343]], "Indicator: Trojan/Win32.Downloader.R3327": [[365, 394]], "Indicator: Trojan.Win32.Small.pck": [[395, 417]], "Indicator: Trojan.Win32.Crazyman1649.A": [[418, 445]]}, "info": {"id": "cyner2_5class_train_05374", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: Win32.Lassab.A@mm Email-Worm.Win32!O W32/Lassa.b Worm.Lassorm.Win32.1 W32/Lassa.B Win32.Lassab.E90817 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Lassie.B Win.Worm.Lassorm-1 Win32.Lassab.A@mm Email-Worm.Win32.Lassorm Win32.Lassab.A@mm Trojan.Win32.Lassorm.emyb Win32.Lassab.A@mm Win32.Lassab.A@mm W32/Lassa.b Email-Worm.Win32.Lassorm Worm[Email]/Win32.Lassorm Worm:Win32/Lassab.A@mm Email-Worm.Win32.Lassorm Worm/Win32.Lassorm.C1532344 Win32.Lassab.A@mm Worm.Lassorm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Lassab.A@mm": [[26, 43], [205, 222], [248, 265], [292, 309], [310, 327], [467, 484]], "Indicator: Email-Worm.Win32!O": [[44, 62]], "Indicator: W32/Lassa.b": [[63, 74], [328, 339]], "Indicator: Worm.Lassorm.Win32.1": [[75, 95]], "Indicator: W32/Lassa.B": [[96, 107]], "Indicator: Win32.Lassab.E90817": [[108, 127]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[128, 170]], "Indicator: Win32/Lassie.B": [[171, 185]], "Indicator: Win.Worm.Lassorm-1": [[186, 204]], "Indicator: Email-Worm.Win32.Lassorm": [[223, 247], [340, 364], [414, 438]], "Indicator: Trojan.Win32.Lassorm.emyb": [[266, 291]], "Indicator: Worm[Email]/Win32.Lassorm": [[365, 390]], "Indicator: Worm:Win32/Lassab.A@mm": [[391, 413]], "Indicator: Worm/Win32.Lassorm.C1532344": [[439, 466]], "Indicator: Worm.Lassorm": [[485, 497]]}, "info": {"id": "cyner2_5class_train_05375", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.DF97 Win32.Zafi.B@mm W32/Zafi.b@MM W32.W.Otwycal.l4av Win32.Zafi.B@mm Win32.Zafi.E2C45E Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Erkez.B@mm Email-Worm.Win32.Zafi.b Trojan.Win32.Zafi.icie Win32.Zafi.B@mm Win32.Hazafi.30720 BehavesLike.Win32.RAHack.mm I-Worm/Zafi.b Worm[Email]/Win32.Zafi Worm:Win32/Zafi.B@mm Email-Worm.Win32.Zafi.b Win32.Zafi.B@mm Win32.Zafi.B@mm W32/Zafi.B.worm Win32/Zafi.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.DF97": [[26, 43]], "Indicator: 
Win32.Zafi.B@mm": [[44, 59], [93, 108], [232, 247], [377, 392], [393, 408]], "Indicator: W32/Zafi.b@MM": [[60, 73]], "Indicator: W32.W.Otwycal.l4av": [[74, 92]], "Indicator: Win32.Zafi.E2C45E": [[109, 126]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[127, 169]], "Indicator: W32.Erkez.B@mm": [[170, 184]], "Indicator: Email-Worm.Win32.Zafi.b": [[185, 208], [353, 376]], "Indicator: Trojan.Win32.Zafi.icie": [[209, 231]], "Indicator: Win32.Hazafi.30720": [[248, 266]], "Indicator: BehavesLike.Win32.RAHack.mm": [[267, 294]], "Indicator: I-Worm/Zafi.b": [[295, 308]], "Indicator: Worm[Email]/Win32.Zafi": [[309, 331]], "Indicator: Worm:Win32/Zafi.B@mm": [[332, 352]], "Indicator: W32/Zafi.B.worm": [[409, 424]], "Indicator: Win32/Zafi.B": [[425, 437]]}, "info": {"id": "cyner2_5class_train_05376", "source": "cyner2_5class_train"}} +{"text": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish.", "spans": {"Indicator: deployment of website injections": [[57, 89]], "Malware: JavaScript payload": [[103, 121]], "Malware: SocGholish.": [[131, 142]]}, "info": {"id": "cyner2_5class_train_05377", "source": "cyner2_5class_train"}} +{"text": "Accessibility Service is long known to be the Achilles ’ heel of the Android operating system .", "spans": {"System: Android": [[69, 76]]}, "info": {"id": "cyner2_5class_train_05378", "source": "cyner2_5class_train"}} +{"text": "Here is a nice example that my spam trap captured a few days ago.", "spans": {}, "info": {"id": "cyner2_5class_train_05379", "source": "cyner2_5class_train"}} +{"text": "] nampriknum [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05380", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Bebloh.Win32.427 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Injector.CMX TROJ_HPISDA.SM2 Trojan.Win32.NaKocTb.eiktob Trojan.Win32.Inject.213504 Troj.W32.Inject.tn8S BackDoor.Bebloh.272 
TROJ_HPISDA.SM2 BehavesLike.Win32.Downloader.ch W32/Injector.UCTI-2382 Trojan.Inject.tpn Trojan/Win32.Inject Trojan.Strictor.D1C966 Backdoor:Win32/Carrotime.A Trojan/Win32.Inject.C1667127 Trj/RansomCrypt.J W32/Kryptik.FJVT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bebloh.Win32.427": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[50, 92]], "Indicator: W32/Injector.CMX": [[93, 109]], "Indicator: TROJ_HPISDA.SM2": [[110, 125], [222, 237]], "Indicator: Trojan.Win32.NaKocTb.eiktob": [[126, 153]], "Indicator: Trojan.Win32.Inject.213504": [[154, 180]], "Indicator: Troj.W32.Inject.tn8S": [[181, 201]], "Indicator: BackDoor.Bebloh.272": [[202, 221]], "Indicator: BehavesLike.Win32.Downloader.ch": [[238, 269]], "Indicator: W32/Injector.UCTI-2382": [[270, 292]], "Indicator: Trojan.Inject.tpn": [[293, 310]], "Indicator: Trojan/Win32.Inject": [[311, 330]], "Indicator: Trojan.Strictor.D1C966": [[331, 353]], "Indicator: Backdoor:Win32/Carrotime.A": [[354, 380]], "Indicator: Trojan/Win32.Inject.C1667127": [[381, 409]], "Indicator: Trj/RansomCrypt.J": [[410, 427]], "Indicator: W32/Kryptik.FJVT!tr": [[428, 447]]}, "info": {"id": "cyner2_5class_train_05381", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Downloader Worm.Downloader.Win32.3750 Win32.Trojan.WisdomEyes.16070401.9500.9984 Trojan.Dropper Win.Exploit.Fnstenv_mov-1 Worm.Win32.Downloader.am Trojan.Win32.Rubbish.evjgzp Trojan.Win32.Z.Downloader.135168.A Troj.GameThief.W32.OnLineGames.kZce Worm.Win32.Jalous.K Win32.HLLW.Rubbish BehavesLike.Win32.Downloader.ct Trojan.Win32.KillAV Worm/Downloader.ays EXP/Flash.EB.625 Worm/Win32.Downloader Win32.Troj.DwonLoaderT.xy.133203 Trojan:Win32/Elfapault.A Worm.Win32.Downloader.am Worm/Win32.Downloader.R2522 Win32/Jalous.K Win32.Worm.Downloader.Szlf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Downloader": [[26, 41]], "Indicator: Worm.Downloader.Win32.3750": [[42, 68]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9984": [[69, 111]], "Indicator: Trojan.Dropper": [[112, 126]], "Indicator: Win.Exploit.Fnstenv_mov-1": [[127, 152]], "Indicator: Worm.Win32.Downloader.am": [[153, 177], [485, 509]], "Indicator: Trojan.Win32.Rubbish.evjgzp": [[178, 205]], "Indicator: Trojan.Win32.Z.Downloader.135168.A": [[206, 240]], "Indicator: Troj.GameThief.W32.OnLineGames.kZce": [[241, 276]], "Indicator: Worm.Win32.Jalous.K": [[277, 296]], "Indicator: Win32.HLLW.Rubbish": [[297, 315]], "Indicator: BehavesLike.Win32.Downloader.ct": [[316, 347]], "Indicator: Trojan.Win32.KillAV": [[348, 367]], "Indicator: Worm/Downloader.ays": [[368, 387]], "Indicator: EXP/Flash.EB.625": [[388, 404]], "Indicator: Worm/Win32.Downloader": [[405, 426]], "Indicator: Win32.Troj.DwonLoaderT.xy.133203": [[427, 459]], "Indicator: Trojan:Win32/Elfapault.A": [[460, 484]], "Indicator: Worm/Win32.Downloader.R2522": [[510, 537]], "Indicator: Win32/Jalous.K": [[538, 552]], "Indicator: Win32.Worm.Downloader.Szlf": [[553, 579]]}, "info": {"id": "cyner2_5class_train_05382", "source": "cyner2_5class_train"}} +{"text": "This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code.", "spans": {}, "info": {"id": "cyner2_5class_train_05383", "source": "cyner2_5class_train"}} +{"text": "By using the login and password stolen from the browser , the Windows Trojan initiates a fake transaction while Perkele intercepts ( via the C & C server ) the mTAN sent by the bank to the user .", "spans": {"Malware: Perkele": [[112, 119]]}, "info": {"id": "cyner2_5class_train_05384", "source": "cyner2_5class_train"}} +{"text": "In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body.", "spans": {"Indicator: email sample": [[39, 51]], "Malware: variant": [[69, 76]], "Malware: Ursnif,": [[80, 87]], "Indicator: an encrypted Word document": 
[[104, 130]], "Indicator: the plaintext password": [[136, 158]], "Indicator: the email body.": [[166, 181]]}, "info": {"id": "cyner2_5class_train_05385", "source": "cyner2_5class_train"}} +{"text": "It is still under active development , with at least 5 different versions of the Trojan released within the last 5 months ( June - November 2019 ) .", "spans": {}, "info": {"id": "cyner2_5class_train_05386", "source": "cyner2_5class_train"}} +{"text": "It appears the attackers sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"Organization: Palestinian Security Services": [[124, 153]], "Organization: General Directorate of Civil Defence": [[160, 196]], "Organization: Ministry of the Interior": [[199, 223]], "Organization: Palestinian National Liberation Front": [[262, 299]]}, "info": {"id": "cyner2_5class_train_05387", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Maener.A5 Trojan/CoinMiner.uy Trojan.Zusy.D19BD4 Win32/Tnega.AHKfcVD Win.Trojan.Maener-1 Trojan.Win32.BitCoinMiner.dfdxgr TrojWare.Win32.Graftor.PQIF Trojan.DownLoader11.43085 BehavesLike.Win32.AdwareLinkury.dm Trojan.Win32.CoinMiner Trojan:Win32/Maener.C!bit Trojan.BitCoinMiner Trojan.CoinMiner!oi2LJpWWJQU W32/CoinMiner.TY!tr Win32/Trojan.9e3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Maener.A5": [[26, 42]], "Indicator: Trojan/CoinMiner.uy": [[43, 62]], "Indicator: Trojan.Zusy.D19BD4": [[63, 81]], "Indicator: Win32/Tnega.AHKfcVD": [[82, 101]], "Indicator: Win.Trojan.Maener-1": [[102, 121]], "Indicator: Trojan.Win32.BitCoinMiner.dfdxgr": [[122, 154]], "Indicator: TrojWare.Win32.Graftor.PQIF": [[155, 182]], "Indicator: Trojan.DownLoader11.43085": [[183, 208]], "Indicator: 
BehavesLike.Win32.AdwareLinkury.dm": [[209, 243]], "Indicator: Trojan.Win32.CoinMiner": [[244, 266]], "Indicator: Trojan:Win32/Maener.C!bit": [[267, 292]], "Indicator: Trojan.BitCoinMiner": [[293, 312]], "Indicator: Trojan.CoinMiner!oi2LJpWWJQU": [[313, 341]], "Indicator: W32/CoinMiner.TY!tr": [[342, 361]], "Indicator: Win32/Trojan.9e3": [[362, 378]]}, "info": {"id": "cyner2_5class_train_05388", "source": "cyner2_5class_train"}} +{"text": "One of the packages after initial launch The iOS variant is not as sophisticated as the Android version , and contained a subset of the functionality the Android releases offered .", "spans": {"System: iOS": [[45, 48]], "System: Android": [[88, 95], [154, 161]]}, "info": {"id": "cyner2_5class_train_05389", "source": "cyner2_5class_train"}} +{"text": "You can find a full list of targeted models in the Appendix .", "spans": {}, "info": {"id": "cyner2_5class_train_05390", "source": "cyner2_5class_train"}} +{"text": "Recently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control C and C communications of their seemingly new backdoor detected by Trend Micro as BKDR64_WINNTI.ONM.", "spans": {"Organization: financial fraud,": [[100, 116]], "System: GitHub": [[139, 145]], "Indicator: the command and control C and C communications": [[179, 225]], "Malware: backdoor": [[249, 257]], "Organization: Trend Micro": [[270, 281]], "Indicator: BKDR64_WINNTI.ONM.": [[285, 303]]}, "info": {"id": "cyner2_5class_train_05391", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Vinself.B Trojan.Vinself Trojan.PWS.DPD.8 BehavesLike.Win32.VTFlooder.ch Trojan.Symmi.DA32B Backdoor:Win32/Wakbot.B Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Vinself.B": [[26, 44]], "Indicator: Trojan.Vinself": [[45, 59]], "Indicator: Trojan.PWS.DPD.8": [[60, 76]], "Indicator: 
BehavesLike.Win32.VTFlooder.ch": [[77, 107]], "Indicator: Trojan.Symmi.DA32B": [[108, 126]], "Indicator: Backdoor:Win32/Wakbot.B": [[127, 150]], "Indicator: Trj/CI.A": [[151, 159]]}, "info": {"id": "cyner2_5class_train_05392", "source": "cyner2_5class_train"}} +{"text": "] net svc [ .", "spans": {"Indicator: svc [ .": [[6, 13]]}, "info": {"id": "cyner2_5class_train_05393", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Banker.evqhye BehavesLike.Win32.Dropper.ph W32/Trojan.SNBX-9361 TR/Spy.Banker.fyxgc Trojan.Symmi.DC916 Trj/GdSda.A Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan.Win32.Banker.evqhye": [[69, 95]], "Indicator: BehavesLike.Win32.Dropper.ph": [[96, 124]], "Indicator: W32/Trojan.SNBX-9361": [[125, 145]], "Indicator: TR/Spy.Banker.fyxgc": [[146, 165]], "Indicator: Trojan.Symmi.DC916": [[166, 184]], "Indicator: Trj/GdSda.A": [[185, 196]], "Indicator: Win32/Trojan.e6d": [[197, 213]]}, "info": {"id": "cyner2_5class_train_05394", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Win32.Trojan.WisdomEyes.16070401.9500.9888 Trojan.Giku.Win32.37 BehavesLike.Win32.Ransomware.fc TrojanDownloader:Win32/Gladgerown.B Trojan-Proxy.AOSK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9888": [[44, 86]], "Indicator: Trojan.Giku.Win32.37": [[87, 107]], "Indicator: BehavesLike.Win32.Ransomware.fc": [[108, 139]], "Indicator: TrojanDownloader:Win32/Gladgerown.B": [[140, 175]], "Indicator: Trojan-Proxy.AOSK": [[176, 193]]}, "info": {"id": "cyner2_5class_train_05395", "source": "cyner2_5class_train"}} +{"text": "While Panda Banker has become more prevalent in recent weeks, we have been tracking a large campaign this week targeting banks in Europe and Australia and, 
interestingly, UK online casinos and international online payment systems.", "spans": {"Malware: Panda Banker": [[6, 18]], "Organization: targeting banks": [[111, 126]], "Organization: casinos": [[181, 188]], "System: international online payment systems.": [[193, 230]]}, "info": {"id": "cyner2_5class_train_05396", "source": "cyner2_5class_train"}} +{"text": "Information about the C & C domain used by the Ashas adware Knowing that the information provided to a domain registrar might be fake , we continued our search .", "spans": {"Malware: Ashas": [[47, 52]]}, "info": {"id": "cyner2_5class_train_05397", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D22B33 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Hijacker.evkwtm Trojan.DownLoader25.54001 Trojan.Win32.Pastraw Trojan:Win32/Nibagem.A Trojan/Win32.Asprox.C718808 SScope.Backdoor.Sdbot W32/Pastraw.A!tr Win32/Trojan.d54", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D22B33": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Trojan.Win32.Hijacker.evkwtm": [[88, 116]], "Indicator: Trojan.DownLoader25.54001": [[117, 142]], "Indicator: Trojan.Win32.Pastraw": [[143, 163]], "Indicator: Trojan:Win32/Nibagem.A": [[164, 186]], "Indicator: Trojan/Win32.Asprox.C718808": [[187, 214]], "Indicator: SScope.Backdoor.Sdbot": [[215, 236]], "Indicator: W32/Pastraw.A!tr": [[237, 253]], "Indicator: Win32/Trojan.d54": [[254, 270]]}, "info": {"id": "cyner2_5class_train_05398", "source": "cyner2_5class_train"}} +{"text": "This technique only works for unpatched devices running Android 4.3 or lower .", "spans": {"System: Android 4.3": [[56, 67]]}, "info": {"id": "cyner2_5class_train_05399", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.YakesCS.S1573857 Trojan.Ransom.Sage Trojan.Filecoder.Win32.6418 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.HXTV-7683 Ransom.Cry!g2 
Trojan.Win32.Filecoder.etsgeu TrojWare.Win32.Filecoder.GT Trojan.DownLoader25.46287 BehavesLike.Win32.Downloader.gc Trojan.Yakes.xat TR/Crypt.ZPACK.hzbag Trojan.Win32.Sage.442368 Trojan.Yakes Ransom.FileCryptor Win32/Filecoder.NHQ Trojan.Yakes!0Hl2Fx4Uudk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.YakesCS.S1573857": [[26, 49]], "Indicator: Trojan.Ransom.Sage": [[50, 68]], "Indicator: Trojan.Filecoder.Win32.6418": [[69, 96]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[97, 139]], "Indicator: W32/Trojan.HXTV-7683": [[140, 160]], "Indicator: Ransom.Cry!g2": [[161, 174]], "Indicator: Trojan.Win32.Filecoder.etsgeu": [[175, 204]], "Indicator: TrojWare.Win32.Filecoder.GT": [[205, 232]], "Indicator: Trojan.DownLoader25.46287": [[233, 258]], "Indicator: BehavesLike.Win32.Downloader.gc": [[259, 290]], "Indicator: Trojan.Yakes.xat": [[291, 307]], "Indicator: TR/Crypt.ZPACK.hzbag": [[308, 328]], "Indicator: Trojan.Win32.Sage.442368": [[329, 353]], "Indicator: Trojan.Yakes": [[354, 366]], "Indicator: Ransom.FileCryptor": [[367, 385]], "Indicator: Win32/Filecoder.NHQ": [[386, 405]], "Indicator: Trojan.Yakes!0Hl2Fx4Uudk": [[406, 430]]}, "info": {"id": "cyner2_5class_train_05400", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9912 Backdoor:Win32/Ptiger.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9912": [[26, 68]], "Indicator: Backdoor:Win32/Ptiger.A": [[69, 92]]}, "info": {"id": "cyner2_5class_train_05401", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Vreikstadi Trojan.Win32.Inject.evlgqj Trojan.Win32.Injector W32/Trojan.HMUN-3172 TR/Injector.avgqa Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vreikstadi": [[26, 43]], "Indicator: Trojan.Win32.Inject.evlgqj": [[44, 70]], "Indicator: Trojan.Win32.Injector": [[71, 92]], "Indicator: W32/Trojan.HMUN-3172": [[93, 113]], 
"Indicator: TR/Injector.avgqa": [[114, 131]], "Indicator: Trj/GdSda.A": [[132, 143]]}, "info": {"id": "cyner2_5class_train_05402", "source": "cyner2_5class_train"}} +{"text": "The code is obfuscated but not packed .", "spans": {}, "info": {"id": "cyner2_5class_train_05403", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LogoOneR.PE Worm.Win32.Viking!O W32/HLLP.Philis.ba Worm.Viking.Win32.8 Trojan/PSW.Delf.qo Win32.Worm.Viking.a W32/PWStealer.AOC W32.Looked.P PE_LOOKED.FX Win.Spyware.11941-2 Worm.Win32.Viking.mi Trojan.Win32.Viking.btggzy Worm.Win32.Viking.49152 Worm.Win32.Viking.ae Win32.Viking.AT~clean Win32.HLLW.Gavir.93 PE_LOOKED.FX BehavesLike.Win32.HLLPPhilis.dz Worm.Win32.Viking Worm/Viking.el Worm/Win32.Viking.mi Win32.Viking.av.49152 Virus:Win32/Viking.JB Backdoor.W32.Bifrose.lz9q Worm.Win32.Viking.mi MalwareScope.Worm.Viking.4 Win32/Viking.AT Worm.Viking.FP W32/Viking.WH.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LogoOneR.PE": [[26, 41]], "Indicator: Worm.Win32.Viking!O": [[42, 61]], "Indicator: W32/HLLP.Philis.ba": [[62, 80]], "Indicator: Worm.Viking.Win32.8": [[81, 100]], "Indicator: Trojan/PSW.Delf.qo": [[101, 119]], "Indicator: Win32.Worm.Viking.a": [[120, 139]], "Indicator: W32/PWStealer.AOC": [[140, 157]], "Indicator: W32.Looked.P": [[158, 170]], "Indicator: PE_LOOKED.FX": [[171, 183], [339, 351]], "Indicator: Win.Spyware.11941-2": [[184, 203]], "Indicator: Worm.Win32.Viking.mi": [[204, 224], [508, 528]], "Indicator: Trojan.Win32.Viking.btggzy": [[225, 251]], "Indicator: Worm.Win32.Viking.49152": [[252, 275]], "Indicator: Worm.Win32.Viking.ae": [[276, 296]], "Indicator: Win32.Viking.AT~clean": [[297, 318]], "Indicator: Win32.HLLW.Gavir.93": [[319, 338]], "Indicator: BehavesLike.Win32.HLLPPhilis.dz": [[352, 383]], "Indicator: Worm.Win32.Viking": [[384, 401]], "Indicator: Worm/Viking.el": [[402, 416]], "Indicator: Worm/Win32.Viking.mi": [[417, 437]], "Indicator: Win32.Viking.av.49152": [[438, 459]], 
"Indicator: Virus:Win32/Viking.JB": [[460, 481]], "Indicator: Backdoor.W32.Bifrose.lz9q": [[482, 507]], "Indicator: MalwareScope.Worm.Viking.4": [[529, 555]], "Indicator: Win32/Viking.AT": [[556, 571]], "Indicator: Worm.Viking.FP": [[572, 586]], "Indicator: W32/Viking.WH.worm": [[587, 605]]}, "info": {"id": "cyner2_5class_train_05404", "source": "cyner2_5class_train"}} +{"text": "App icons under which Asacub masks itself The APK files of the Trojan are downloaded from sites such as mmsprivate [ .", "spans": {"Malware: Asacub": [[22, 28]], "Indicator: mmsprivate [ .": [[104, 118]]}, "info": {"id": "cyner2_5class_train_05405", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Sherlol.A Trojan-Downloader/W32.Sherlol.4608 Trojan/StartPage.cj Trojan.Downloader.Sherlol.A Trojan.DL.Sherlol!c8F6ghXOM0o Win32/TrojanDownloader.Sherlol Trojan-Downloader.Win32.Sherlol Trojan.Win32.Sherlol.dngr Trojan.Win32.Downloader.4608.EN[h] Trojan.Downloader.Sherlol.A TrojWare.Win32.TrojanDownloader.Sherlol Trojan.Downloader.Sherlol.A Trojan.DownLoader.4608 Downloader.Sherlol.Win32.3 BehavesLike.Win32.Downloader.xt TrojanDownloader.Satray.k TR/Dldr.Sherlol W32/Sherlol.CJ!tr Trojan[Downloader]/Win32.Sherlol Trojan.Downloader.Sherlol.A Troj.Downloader.W32.Sherlol!c Win-Trojan/Sherlol.4608 Win32/Startpage.CJ!downloader Trojan.Downloader.Sherlol.A Trj/Downloader.CET Trojan.Win32.StartPage Trojan.Downloader.Sherlol.A Downloader.Sherlol.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Sherlol.A": [[26, 53], [109, 136], [291, 318], [359, 386], [562, 589], [674, 701], [744, 771]], "Indicator: Trojan-Downloader/W32.Sherlol.4608": [[54, 88]], "Indicator: Trojan/StartPage.cj": [[89, 108]], "Indicator: Trojan.DL.Sherlol!c8F6ghXOM0o": [[137, 166]], "Indicator: Win32/TrojanDownloader.Sherlol": [[167, 197]], "Indicator: Trojan-Downloader.Win32.Sherlol": [[198, 229]], "Indicator: Trojan.Win32.Sherlol.dngr": [[230, 255]], "Indicator: 
Trojan.Win32.Downloader.4608.EN[h]": [[256, 290]], "Indicator: TrojWare.Win32.TrojanDownloader.Sherlol": [[319, 358]], "Indicator: Trojan.DownLoader.4608": [[387, 409]], "Indicator: Downloader.Sherlol.Win32.3": [[410, 436]], "Indicator: BehavesLike.Win32.Downloader.xt": [[437, 468]], "Indicator: TrojanDownloader.Satray.k": [[469, 494]], "Indicator: TR/Dldr.Sherlol": [[495, 510]], "Indicator: W32/Sherlol.CJ!tr": [[511, 528]], "Indicator: Trojan[Downloader]/Win32.Sherlol": [[529, 561]], "Indicator: Troj.Downloader.W32.Sherlol!c": [[590, 619]], "Indicator: Win-Trojan/Sherlol.4608": [[620, 643]], "Indicator: Win32/Startpage.CJ!downloader": [[644, 673]], "Indicator: Trj/Downloader.CET": [[702, 720]], "Indicator: Trojan.Win32.StartPage": [[721, 743]], "Indicator: Downloader.Sherlol.B": [[772, 792]]}, "info": {"id": "cyner2_5class_train_05406", "source": "cyner2_5class_train"}} +{"text": "Smishing ( SMS phishing ) is currently the primary way threat actors are distributing the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_05407", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sirefef.FR Trojan.Sirefef.FR Win32.Trojan.Sirefef.b Trojan.Sirefef.FR Trojan.Sirefef.FR BackDoor.Maxplus.5220 BehavesLike.Win64.Ramnit.pt Trojan.Win64 Trojan[Backdoor]/Win64.ZAccess Trojan.Sirefef.FR Trojan:Win64/Sirefef.F Trojan.Sirefef.FR Win64/Sirefef.W", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sirefef.FR": [[26, 43], [44, 61], [85, 102], [103, 120], [215, 232], [256, 273]], "Indicator: Win32.Trojan.Sirefef.b": [[62, 84]], "Indicator: BackDoor.Maxplus.5220": [[121, 142]], "Indicator: BehavesLike.Win64.Ramnit.pt": [[143, 170]], "Indicator: Trojan.Win64": [[171, 183]], "Indicator: Trojan[Backdoor]/Win64.ZAccess": [[184, 214]], "Indicator: Trojan:Win64/Sirefef.F": [[233, 255]], "Indicator: Win64/Sirefef.W": [[274, 289]]}, "info": {"id": "cyner2_5class_train_05408", "source": "cyner2_5class_train"}} +{"text": "HenBox appears to 
primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner2_5class_train_05409", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BAT.Starter.bn Bat.Trojan.Starter.Aliq Backdoor:Win32/Teldoor.C Trojan.BAT.Starter.bn Trojan/Win32.Dropper.C406140 Trojan.Horst.0315 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BAT.Starter.bn": [[26, 47], [97, 118]], "Indicator: Bat.Trojan.Starter.Aliq": [[48, 71]], "Indicator: Backdoor:Win32/Teldoor.C": [[72, 96]], "Indicator: Trojan/Win32.Dropper.C406140": [[119, 147]], "Indicator: Trojan.Horst.0315": [[148, 165]], "Indicator: Trj/GdSda.A": [[166, 177]]}, "info": {"id": "cyner2_5class_train_05410", "source": "cyner2_5class_train"}} +{"text": "The complete list of apps can be seen below .", "spans": {}, "info": {"id": "cyner2_5class_train_05411", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Symmi.D2391 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Neshgaig-1 BehavesLike.Win32.Worm.gc W32/Trojan.MVJF-1155 Heur:Trojan/PSW.Dnf TrojanDownloader:Win32/Somex.B TrojanSpy.TravNet Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.D2391": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Win.Trojan.Neshgaig-1": [[88, 109]], "Indicator: BehavesLike.Win32.Worm.gc": [[110, 135]], "Indicator: W32/Trojan.MVJF-1155": [[136, 156]], "Indicator: Heur:Trojan/PSW.Dnf": [[157, 176]], "Indicator: TrojanDownloader:Win32/Somex.B": [[177, 207]], "Indicator: TrojanSpy.TravNet": [[208, 225]], "Indicator: Trj/GdSda.A": [[226, 237]]}, "info": {"id": "cyner2_5class_train_05412", "source": "cyner2_5class_train"}} +{"text": "Extract logs from WhatsApp .", "spans": {"System: WhatsApp": [[18, 26]]}, "info": {"id": 
"cyner2_5class_train_05413", "source": "cyner2_5class_train"}} +{"text": "The operation remains active at the time of writing this post, with attacks reported as recently as February 2017.", "spans": {"Indicator: attacks": [[68, 75]]}, "info": {"id": "cyner2_5class_train_05414", "source": "cyner2_5class_train"}} +{"text": "The malware authors are currently targeting users of Mexico s second largest bank, Banamex, but it is capable of updating the configuration file to include more financial institutions.", "spans": {"Organization: users": [[44, 49]], "Organization: second largest bank, Banamex,": [[62, 91]], "Organization: financial institutions.": [[161, 184]]}, "info": {"id": "cyner2_5class_train_05415", "source": "cyner2_5class_train"}} +{"text": "A backdoor targetting Linux also known as: Trojan.Linux.ChinaZ.D Trojan-DDoS.Linux.Znaich.A Trojan.Linux.ChinaZ.D ELF_ZANICH.SMB Trojan.Linux.ChinaZ.D HEUR:Trojan-DDoS.Linux.Znaich.a Trojan.Linux.ChinaZ.D Trojan.Znaich.exfzmb Troj.Ddos.Linux!c Trojan.Linux.ChinaZ.D Trojan.Linux.ChinaZ.D Linux.DDoS.73 Trojan.ChinaZ.Linux.14 ELF_ZANICH.SMB Linux/DDoS-Flood.B ELF/Trojan.ULZK-7 TrojanDDoS.Linux.ax LINUX/ChinaZ.eevfy Trojan[DDoS]/Linux.Znaich.a Trojan.Linux.ChinaZ.D Linux/Ddos.1806356 HEUR:Trojan-DDoS.Linux.Znaich.a Linux/DDoS-Flood.B Trojan.Linux.Znaich.aaac DDOS.Linux.CinaZ Win32/Trojan.9b6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Linux.ChinaZ.D": [[43, 64], [92, 113], [129, 150], [183, 204], [244, 265], [266, 287], [444, 465]], "Indicator: Trojan-DDoS.Linux.Znaich.A": [[65, 91]], "Indicator: ELF_ZANICH.SMB": [[114, 128], [325, 339]], "Indicator: HEUR:Trojan-DDoS.Linux.Znaich.a": [[151, 182], [485, 516]], "Indicator: Trojan.Znaich.exfzmb": [[205, 225]], "Indicator: Troj.Ddos.Linux!c": [[226, 243]], "Indicator: Linux.DDoS.73": [[288, 301]], "Indicator: Trojan.ChinaZ.Linux.14": [[302, 324]], "Indicator: Linux/DDoS-Flood.B": [[340, 358], [517, 535]], "Indicator: ELF/Trojan.ULZK-7": [[359, 376]], 
"Indicator: TrojanDDoS.Linux.ax": [[377, 396]], "Indicator: LINUX/ChinaZ.eevfy": [[397, 415]], "Indicator: Trojan[DDoS]/Linux.Znaich.a": [[416, 443]], "Indicator: Linux/Ddos.1806356": [[466, 484]], "Indicator: Trojan.Linux.Znaich.aaac": [[536, 560]], "Indicator: DDOS.Linux.CinaZ": [[561, 577]], "Indicator: Win32/Trojan.9b6": [[578, 594]]}, "info": {"id": "cyner2_5class_train_05416", "source": "cyner2_5class_train"}} +{"text": "Usually , this message targets four or five people at a time .", "spans": {}, "info": {"id": "cyner2_5class_train_05417", "source": "cyner2_5class_train"}} +{"text": "Bartalex is a name that continues to appear in a cyberthief's arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware.", "spans": {"Malware: banking Trojans, ransomware,": [[125, 153]], "Malware: RATs,": [[154, 159]], "Malware: other malware.": [[164, 178]]}, "info": {"id": "cyner2_5class_train_05418", "source": "cyner2_5class_train"}} +{"text": "It is no surprise it's now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns.", "spans": {"Organization: pro-democracy organizations": [[46, 73]], "Organization: supporters": [[78, 88]]}, "info": {"id": "cyner2_5class_train_05419", "source": "cyner2_5class_train"}} +{"text": "Until now , Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities .", "spans": {"System: Android": [[12, 19]]}, "info": {"id": "cyner2_5class_train_05420", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameBTP.Worm Trojan-PWS/W32.WebGame.34816.CL Trojan-GameThief.Win32.OnLineGames!O Trojan.Downloader.E9C186 Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Pws.AHAF Trojan.Win32.OnLineGames.cwndth Trojan.Win32.Z.Onlinegames.34816.AS Trojan.PWS.Gamania.10257 Trojan.OnLineGames.Win32.121510 
Trojan-GameThief.Win32.OnLineGames Trojan/PSW.OnLineGames.aibk Trojan[GameThief]/Win32.OnLineGames Win32.Troj.Downloader.gy.kcloud Trojan/Win32.OnlineGameHack.C55967 W32/OnlineGames.SOI!tr.pws Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameBTP.Worm": [[26, 44]], "Indicator: Trojan-PWS/W32.WebGame.34816.CL": [[45, 76]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[77, 113]], "Indicator: Trojan.Downloader.E9C186": [[114, 138]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[139, 181]], "Indicator: W32/Pws.AHAF": [[182, 194]], "Indicator: Trojan.Win32.OnLineGames.cwndth": [[195, 226]], "Indicator: Trojan.Win32.Z.Onlinegames.34816.AS": [[227, 262]], "Indicator: Trojan.PWS.Gamania.10257": [[263, 287]], "Indicator: Trojan.OnLineGames.Win32.121510": [[288, 319]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[320, 354]], "Indicator: Trojan/PSW.OnLineGames.aibk": [[355, 382]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[383, 418]], "Indicator: Win32.Troj.Downloader.gy.kcloud": [[419, 450]], "Indicator: Trojan/Win32.OnlineGameHack.C55967": [[451, 485]], "Indicator: W32/OnlineGames.SOI!tr.pws": [[486, 512]], "Indicator: Win32/Trojan.2ff": [[513, 529]]}, "info": {"id": "cyner2_5class_train_05421", "source": "cyner2_5class_train"}} +{"text": "Version 2, also referred to as Globe2, appeared two months later, in October, but both versions were no match for Emsisoft's team, who released free decrypters for both variants shortly after Globe and Globe2 started hitting users.", "spans": {"Malware: Version 2,": [[0, 10]], "Malware: Globe2,": [[31, 38]], "Malware: versions": [[87, 95]], "Organization: Emsisoft's team,": [[114, 130]], "Indicator: free decrypters": [[144, 159]], "Malware: variants": [[169, 177]], "Malware: Globe": [[192, 197]], "Malware: Globe2": [[202, 208]], "Organization: users.": [[225, 231]]}, "info": {"id": "cyner2_5class_train_05422", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: JS:Trojan.JS.Redirector.BS JS.Redirector.DE JS:Trojan.JS.Redirector.BS JS/Redir.WI Trojan.Malscript!html JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS Trojan.Script.Expack.drqfka JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS BehavesLike.PDF.Trojan.db JS/Redir.WI TrojanDownloader.JS.aufd JS/Redirector.OA.1 JS:Trojan.JS.Redirector.BS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS:Trojan.JS.Redirector.BS": [[26, 52], [70, 96], [131, 157], [158, 184], [213, 239], [240, 266], [349, 375]], "Indicator: JS.Redirector.DE": [[53, 69]], "Indicator: JS/Redir.WI": [[97, 108], [293, 304]], "Indicator: Trojan.Malscript!html": [[109, 130]], "Indicator: Trojan.Script.Expack.drqfka": [[185, 212]], "Indicator: BehavesLike.PDF.Trojan.db": [[267, 292]], "Indicator: TrojanDownloader.JS.aufd": [[305, 329]], "Indicator: JS/Redirector.OA.1": [[330, 348]]}, "info": {"id": "cyner2_5class_train_05423", "source": "cyner2_5class_train"}} +{"text": "Other samples were also noticed , posing as a client of a ticket-finding service or as an app store for Android .", "spans": {"System: Android": [[104, 111]]}, "info": {"id": "cyner2_5class_train_05424", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TSPY_WHITEICE_BK22015F.TOMC Win32.Worm.WhiteIce.a TSPY_WHITEICE_BK22015F.TOMC Trojan.Win32.WhiteIce.cyctb Win32.Virus.Whiteice.Tcvt Win32.HLLW.Bice.8 BehavesLike.Win32.Trojan.jh Virus.Win32.Whiteice WORM/Darksnow.37953.2 Worm/Win32.WhiteIce.R35142 Worm.WhiteIce Win32/Whiteice.B Worm.WhiteIce!tYiT3Eh27BE Trj/CI.A Virus.Win32.BlackIce.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_WHITEICE_BK22015F.TOMC": [[26, 53], [76, 103]], "Indicator: Win32.Worm.WhiteIce.a": [[54, 75]], "Indicator: Trojan.Win32.WhiteIce.cyctb": [[104, 131]], "Indicator: Win32.Virus.Whiteice.Tcvt": [[132, 157]], "Indicator: Win32.HLLW.Bice.8": [[158, 175]], "Indicator: BehavesLike.Win32.Trojan.jh": [[176, 203]], "Indicator: Virus.Win32.Whiteice": [[204, 
224]], "Indicator: WORM/Darksnow.37953.2": [[225, 246]], "Indicator: Worm/Win32.WhiteIce.R35142": [[247, 273]], "Indicator: Worm.WhiteIce": [[274, 287]], "Indicator: Win32/Whiteice.B": [[288, 304]], "Indicator: Worm.WhiteIce!tYiT3Eh27BE": [[305, 330]], "Indicator: Trj/CI.A": [[331, 339]], "Indicator: Virus.Win32.BlackIce.C": [[340, 362]]}, "info": {"id": "cyner2_5class_train_05425", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: JS/ProxyJack.C1!Eldorado JS.Downloader JS/ProxyChanger.BF BehavesLike.JS.Exploit.mm JS/ProxyJack.C1!Eldorado TrojanProxy:JS/Kovonionz.A JS/Nemucod.io Trojan.JS.ProxyChanger JS/ProxyChanger.BF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS/ProxyJack.C1!Eldorado": [[26, 50], [110, 134]], "Indicator: JS.Downloader": [[51, 64]], "Indicator: JS/ProxyChanger.BF": [[65, 83]], "Indicator: BehavesLike.JS.Exploit.mm": [[84, 109]], "Indicator: TrojanProxy:JS/Kovonionz.A": [[135, 161]], "Indicator: JS/Nemucod.io": [[162, 175]], "Indicator: Trojan.JS.ProxyChanger": [[176, 198]], "Indicator: JS/ProxyChanger.BF!tr": [[199, 220]]}, "info": {"id": "cyner2_5class_train_05426", "source": "cyner2_5class_train"}} +{"text": "This software is free and distributed under LGPL license .", "spans": {}, "info": {"id": "cyner2_5class_train_05427", "source": "cyner2_5class_train"}} +{"text": "The Trojan uses the Windows Management Instrumentation Command-line WMIC to start processes remotely on other Windows computers.", "spans": {"Malware: Trojan": [[4, 10]], "System: the Windows Management Instrumentation Command-line WMIC": [[16, 72]], "System: Windows computers.": [[110, 128]]}, "info": {"id": "cyner2_5class_train_05428", "source": "cyner2_5class_train"}} +{"text": "New OSX_DOK.C variant performing MiTM.", "spans": {"Indicator: OSX_DOK.C": [[4, 13]], "Malware: MiTM.": [[33, 38]]}, "info": {"id": "cyner2_5class_train_05429", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SwenA.Worm 
Worm/W32.Swen.151552 Email-Worm.Win32!O W32.Swen.A W32.W.Swen!c Win32.Trojan.WisdomEyes.16070401.9500.9969 W32/Swen.A@mm W32.Swen.A@mm Win32/Swen.A Win.Worm.Gibe-4 Trojan.Win32.Scar.fcci Trojan.Win32.Swen.gicl I-Worm.Win32.Swen.106496 Win32.Trojan.Scar.Wofg Worm.Win32.Swen.A Win32.HLLM.Gibe.2 Worm.Swen.Win32.3 Email-Worm.Win32.Swen W32/Swen.A@mm Trojan/Win32.Scar Trojan.Win32.Scar.fcci Worm:Win32/Swen.A@mm Email-Worm.Win32.Swen W32/Gibe.C.worm I-Worm.Swen.A Win32/Swen.A I-Worm.Swen.A1 W32/Swen.A@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SwenA.Worm": [[26, 40]], "Indicator: Worm/W32.Swen.151552": [[41, 61]], "Indicator: Email-Worm.Win32!O": [[62, 80]], "Indicator: W32.Swen.A": [[81, 91]], "Indicator: W32.W.Swen!c": [[92, 104]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[105, 147]], "Indicator: W32/Swen.A@mm": [[148, 161], [375, 388], [531, 544]], "Indicator: W32.Swen.A@mm": [[162, 175]], "Indicator: Win32/Swen.A": [[176, 188], [503, 515]], "Indicator: Win.Worm.Gibe-4": [[189, 204]], "Indicator: Trojan.Win32.Scar.fcci": [[205, 227], [407, 429]], "Indicator: Trojan.Win32.Swen.gicl": [[228, 250]], "Indicator: I-Worm.Win32.Swen.106496": [[251, 275]], "Indicator: Win32.Trojan.Scar.Wofg": [[276, 298]], "Indicator: Worm.Win32.Swen.A": [[299, 316]], "Indicator: Win32.HLLM.Gibe.2": [[317, 334]], "Indicator: Worm.Swen.Win32.3": [[335, 352]], "Indicator: Email-Worm.Win32.Swen": [[353, 374], [451, 472]], "Indicator: Trojan/Win32.Scar": [[389, 406]], "Indicator: Worm:Win32/Swen.A@mm": [[430, 450]], "Indicator: W32/Gibe.C.worm": [[473, 488]], "Indicator: I-Worm.Swen.A": [[489, 502]], "Indicator: I-Worm.Swen.A1": [[516, 530]]}, "info": {"id": "cyner2_5class_train_05430", "source": "cyner2_5class_train"}} +{"text": "Information about all actions performed by Rotexy is logged in the local database and sent to the C & C .", "spans": {"Malware: Rotexy": [[43, 49]]}, "info": {"id": "cyner2_5class_train_05431", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: W32.GekasiK.Trojan Worm.Foler.E5 WORM_SILLY.WXXZLDR Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Hangove WORM_SILLY.WXXZLDR Virus.Win32.Renamer.u ApplicUnwnt.Win32.ArchSMS.DRPA Worm.Renamer.Win32.2 BehavesLike.Win32.Virus.gm Trojan.Win32.Webprefix Virus/Win32.Renamer.u Trojan.Zusy.D15B99 Virus.Win32.Renamer.u Worm:Win32/Foler.C Worm.Win32.Foler.a W32/Foler.A!worm Win32/Worm.b18", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.GekasiK.Trojan": [[26, 44]], "Indicator: Worm.Foler.E5": [[45, 58]], "Indicator: WORM_SILLY.WXXZLDR": [[59, 77], [136, 154]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[78, 120]], "Indicator: Trojan.Hangove": [[121, 135]], "Indicator: Virus.Win32.Renamer.u": [[155, 176], [320, 341]], "Indicator: ApplicUnwnt.Win32.ArchSMS.DRPA": [[177, 207]], "Indicator: Worm.Renamer.Win32.2": [[208, 228]], "Indicator: BehavesLike.Win32.Virus.gm": [[229, 255]], "Indicator: Trojan.Win32.Webprefix": [[256, 278]], "Indicator: Virus/Win32.Renamer.u": [[279, 300]], "Indicator: Trojan.Zusy.D15B99": [[301, 319]], "Indicator: Worm:Win32/Foler.C": [[342, 360]], "Indicator: Worm.Win32.Foler.a": [[361, 379]], "Indicator: W32/Foler.A!worm": [[380, 396]], "Indicator: Win32/Worm.b18": [[397, 411]]}, "info": {"id": "cyner2_5class_train_05432", "source": "cyner2_5class_train"}} +{"text": "Just as threat actors may use stolen branding in their email lures to trick potential victims , they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank .", "spans": {}, "info": {"id": "cyner2_5class_train_05433", "source": "cyner2_5class_train"}} +{"text": "Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole.", "spans": {"Indicator: attack,": [[40, 47]], "Malware: Blackhole.": [[105, 115]]}, "info": {"id": "cyner2_5class_train_05434", "source": "cyner2_5class_train"}} +{"text": "This indicates that multiple C2 servers 
were used in this campaign , but one ( 37.1.207.31 ) was the most heavily used .", "spans": {"Indicator: 37.1.207.31": [[79, 90]]}, "info": {"id": "cyner2_5class_train_05435", "source": "cyner2_5class_train"}} +{"text": "In May we also observed an Office 365 credential phishing attack leading to iSpy Keylogger but the combination of OWA with this infection chain takes a different approach.", "spans": {"Indicator: Office 365 credential phishing attack": [[27, 64]], "Malware: iSpy Keylogger": [[76, 90]], "Indicator: OWA": [[114, 117]]}, "info": {"id": "cyner2_5class_train_05436", "source": "cyner2_5class_train"}} +{"text": "New activity from NewPOSThings and the You Chung actor.", "spans": {"Malware: NewPOSThings": [[18, 30]]}, "info": {"id": "cyner2_5class_train_05437", "source": "cyner2_5class_train"}} +{"text": "Missing permissions The lack of the READ_FRAME_BUFFER permission can be justified by the removal of the screen record feature .", "spans": {}, "info": {"id": "cyner2_5class_train_05438", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnlineGameNAKSD.Trojan Trojan-Downloader.Win32.VB!O Trojan.VBCrypt.MF.90 Downloader.VB.Win32.66970 Trojan/Downloader.VB.zqs Trojan.Heur.ZGY.5 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan3.BYE Backdoor.Trojan Win32/Axespec.C TSPY_ZBOT.BVV Trojan-Downloader.Win32.VB.zqs Trojan.Win32.VB.bcwli Trojan.Win32.Downloader.71680.CE Trojan.Oficla.59 TSPY_ZBOT.BVV BehavesLike.Win32.PWSAxespec.wc Trojan-Ransom.Win32.PornoBlocker TrojanDownloader.VB.dfho PWS:Win32/Axespec.C Troj.Downloader.W32.VB.tnTN Trojan-Downloader.Win32.VB.zqs Trojan/Win32.FakeAV.R51073 PWS-Axespec.f SScope.Trojan.VB.0862 Trojan.Dropper.VB Trojan.Injector.SOC W32/Injector.VOX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlineGameNAKSD.Trojan": [[26, 52]], "Indicator: Trojan-Downloader.Win32.VB!O": [[53, 81]], "Indicator: Trojan.VBCrypt.MF.90": [[82, 102]], "Indicator: Downloader.VB.Win32.66970": [[103, 128]], 
"Indicator: Trojan/Downloader.VB.zqs": [[129, 153]], "Indicator: Trojan.Heur.ZGY.5": [[154, 171]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[172, 214]], "Indicator: W32/Trojan3.BYE": [[215, 230]], "Indicator: Backdoor.Trojan": [[231, 246]], "Indicator: Win32/Axespec.C": [[247, 262]], "Indicator: TSPY_ZBOT.BVV": [[263, 276], [380, 393]], "Indicator: Trojan-Downloader.Win32.VB.zqs": [[277, 307], [532, 562]], "Indicator: Trojan.Win32.VB.bcwli": [[308, 329]], "Indicator: Trojan.Win32.Downloader.71680.CE": [[330, 362]], "Indicator: Trojan.Oficla.59": [[363, 379]], "Indicator: BehavesLike.Win32.PWSAxespec.wc": [[394, 425]], "Indicator: Trojan-Ransom.Win32.PornoBlocker": [[426, 458]], "Indicator: TrojanDownloader.VB.dfho": [[459, 483]], "Indicator: PWS:Win32/Axespec.C": [[484, 503]], "Indicator: Troj.Downloader.W32.VB.tnTN": [[504, 531]], "Indicator: Trojan/Win32.FakeAV.R51073": [[563, 589]], "Indicator: PWS-Axespec.f": [[590, 603]], "Indicator: SScope.Trojan.VB.0862": [[604, 625]], "Indicator: Trojan.Dropper.VB": [[626, 643]], "Indicator: Trojan.Injector.SOC": [[644, 663]], "Indicator: W32/Injector.VOX!tr": [[664, 683]]}, "info": {"id": "cyner2_5class_train_05439", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VB.bjci Trojan.Win32.VB.bkqmep VBTroj.MYNR Trojan.Win32.VB.bjci Trojan.DL.VB!OZxgAC/E/K8 Trojan.Win32.A.VB.1289216[ASPack] TrojWare.Win32.VB.baur Trojan.DownLoader5.27404 Trojan/Win32.VB W32/Trojan.SXSN-1674 Trojan.VB Trojan-Downloader.VB Downloader.VB.7.BG Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VB.bjci": [[26, 40]], "Indicator: Trojan.Win32.VB.bkqmep": [[41, 63]], "Indicator: VBTroj.MYNR": [[64, 75]], "Indicator: Trojan.Win32.VB.bjci": [[76, 96]], "Indicator: Trojan.DL.VB!OZxgAC/E/K8": [[97, 121]], "Indicator: Trojan.Win32.A.VB.1289216[ASPack]": [[122, 155]], "Indicator: TrojWare.Win32.VB.baur": [[156, 178]], "Indicator: Trojan.DownLoader5.27404": [[179, 203]], "Indicator: 
Trojan/Win32.VB": [[204, 219]], "Indicator: W32/Trojan.SXSN-1674": [[220, 240]], "Indicator: Trojan.VB": [[241, 250]], "Indicator: Trojan-Downloader.VB": [[251, 271]], "Indicator: Downloader.VB.7.BG": [[272, 290]], "Indicator: Trj/CI.A": [[291, 299]]}, "info": {"id": "cyner2_5class_train_05440", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE BehavesLike.Win32.Rontokbro.nc TrojanDownloader.Femad.at HackTool[Constructor]/Win32.Bom Constructor:Win32/Bom.7_0.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: BehavesLike.Win32.Rontokbro.nc": [[42, 72]], "Indicator: TrojanDownloader.Femad.at": [[73, 98]], "Indicator: HackTool[Constructor]/Win32.Bom": [[99, 130]], "Indicator: Constructor:Win32/Bom.7_0.dam#2": [[131, 162]]}, "info": {"id": "cyner2_5class_train_05441", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has discovered a new malware family we've named Reaver with ties to attackers who use SunOrcal malware.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: a new malware family": [[23, 43]], "Malware: Reaver": [[56, 62]], "Malware: SunOrcal malware.": [[94, 111]]}, "info": {"id": "cyner2_5class_train_05442", "source": "cyner2_5class_train"}} +{"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android .", "spans": {"System: Android": [[219, 226]]}, "info": {"id": "cyner2_5class_train_05443", "source": "cyner2_5class_train"}} +{"text": "As part of our investigation into this malware , we emulated an infected Android device in order to communicate with the RuMMS C2 server .", "spans": {"System: Android": [[73, 80]], "Malware: RuMMS": [[121, 126]]}, "info": {"id": "cyner2_5class_train_05444", "source": "cyner2_5class_train"}} +{"text": "] infoupload999 [ .", "spans": {}, "info": {"id": 
"cyner2_5class_train_05445", "source": "cyner2_5class_train"}} +{"text": "This article will walk through an incident where Tomcat is used and what critical artifacts you should collect.", "spans": {}, "info": {"id": "cyner2_5class_train_05446", "source": "cyner2_5class_train"}} +{"text": "The only purpose of this method is to connect to the C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_05447", "source": "cyner2_5class_train"}} +{"text": "This task proved to be nontrivial .", "spans": {}, "info": {"id": "cyner2_5class_train_05448", "source": "cyner2_5class_train"}} +{"text": "Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page .", "spans": {"System: Play Store": [[33, 43], [135, 145]]}, "info": {"id": "cyner2_5class_train_05449", "source": "cyner2_5class_train"}} +{"text": "Check Point Research's new report on Chinese cyber-espionage attacks against Southeast Asian government entities shows that a previously undisclosed toolset used by an APT group has been linked to a new family of malware.", "spans": {"Organization: Check Point Research's": [[0, 22]], "Indicator: attacks": [[61, 68]], "Organization: government": [[93, 103]], "Malware: toolset": [[149, 156]], "Malware: malware.": [[213, 221]]}, "info": {"id": "cyner2_5class_train_05450", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WORM_RBOT.AS Win32.Trojan.WisdomEyes.16070401.9500.9761 W32/Backdoor2.DNGR Win32/SillyAutorun.AIH WORM_RBOT.AS Packed.Win32.CPEX-based.ht Trojan.Win32.CPEXbased.bregf Trojan.MulDrop.23017 W32/Backdoor.MVUH-2689 Backdoor/VB.nkv Packed.Win32.CPEX-based.ht Trojan/Win32.Xema.R61630", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WORM_RBOT.AS": [[26, 38], [124, 136]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9761": [[39, 81]], "Indicator: W32/Backdoor2.DNGR": [[82, 100]], "Indicator: Win32/SillyAutorun.AIH": [[101, 123]], "Indicator: 
Packed.Win32.CPEX-based.ht": [[137, 163], [253, 279]], "Indicator: Trojan.Win32.CPEXbased.bregf": [[164, 192]], "Indicator: Trojan.MulDrop.23017": [[193, 213]], "Indicator: W32/Backdoor.MVUH-2689": [[214, 236]], "Indicator: Backdoor/VB.nkv": [[237, 252]], "Indicator: Trojan/Win32.Xema.R61630": [[280, 304]]}, "info": {"id": "cyner2_5class_train_05451", "source": "cyner2_5class_train"}} +{"text": "The actors involved seem to be the same as the ones behind the self sufficient Flash malverts/exploits we've documented before and also reported by security researcher Kafeine Spartan EK.", "spans": {"Vulnerability: Flash malverts/exploits": [[79, 102]], "Organization: security researcher Kafeine": [[148, 175]], "Malware: Spartan EK.": [[176, 187]]}, "info": {"id": "cyner2_5class_train_05452", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NSIS.Miner.SD Trojan.Strictor.D1B5F4 Multi.Threats.InArchive W32/Trojan.RYKP-1781 WORM_CO.331300D2 Win.Trojan.Virtob-1633 Trojan.Win32.CoinMiner.bn Trojan.Win32.BitCoinMiner.ddjqfi AdWare.W32.OneInstaller.lZ9E Win32.Trojan.Miner.Wwen Trojan.BtcMine.1033 WORM_CO.331300D2 BehavesLike.Win32.TrojanCoinMiner.vc Trojan.NSIS.Coinminer W32/Trojan2.OZCV Trojan/PSW.Tepfer.cbjx Trojan/Win32.Miner.ayf Trojan:Win32/CoinMiner.AQ Trojan.Win32.CoinMiner.bn Trojan/Win32.BitCoinMiner.C931392 RiskWare.BitCoinMiner NSIS/CoinMiner.N W32/Miner.AYF!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSIS.Miner.SD": [[26, 46]], "Indicator: Trojan.Strictor.D1B5F4": [[47, 69]], "Indicator: Multi.Threats.InArchive": [[70, 93]], "Indicator: W32/Trojan.RYKP-1781": [[94, 114]], "Indicator: WORM_CO.331300D2": [[115, 131], [287, 303]], "Indicator: Win.Trojan.Virtob-1633": [[132, 154]], "Indicator: Trojan.Win32.CoinMiner.bn": [[155, 180], [452, 477]], "Indicator: Trojan.Win32.BitCoinMiner.ddjqfi": [[181, 213]], "Indicator: AdWare.W32.OneInstaller.lZ9E": [[214, 242]], "Indicator: Win32.Trojan.Miner.Wwen": [[243, 266]], 
"Indicator: Trojan.BtcMine.1033": [[267, 286]], "Indicator: BehavesLike.Win32.TrojanCoinMiner.vc": [[304, 340]], "Indicator: Trojan.NSIS.Coinminer": [[341, 362]], "Indicator: W32/Trojan2.OZCV": [[363, 379]], "Indicator: Trojan/PSW.Tepfer.cbjx": [[380, 402]], "Indicator: Trojan/Win32.Miner.ayf": [[403, 425]], "Indicator: Trojan:Win32/CoinMiner.AQ": [[426, 451]], "Indicator: Trojan/Win32.BitCoinMiner.C931392": [[478, 511]], "Indicator: RiskWare.BitCoinMiner": [[512, 533]], "Indicator: NSIS/CoinMiner.N": [[534, 550]], "Indicator: W32/Miner.AYF!tr": [[551, 567]], "Indicator: Trj/CI.A": [[568, 576]]}, "info": {"id": "cyner2_5class_train_05453", "source": "cyner2_5class_train"}} +{"text": "Post-April 2019 : Starting from early 2019 , the new infection rate of “ Agent Smith ” dropped significantly .", "spans": {"Malware: Agent Smith": [[73, 84]]}, "info": {"id": "cyner2_5class_train_05454", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnlinegameXMQB.Trojan Trojan.FlyStudio.UJ W32/AutoRun.soq Win32.Trojan.FlyStudio.hd W32.SillyFDC Win32/Nuj.AD WORM_FLYSTUDI.B Win.Worm.FlyStudio-23 Trojan.Win32.Crypted.wjgrc Worm.Win32.Autorun.175133 W32.W.AutoRun.l8Zk Trojan.Click2.51706 Worm.AutoRun.Win32.2576 WORM_FLYSTUDI.B BehavesLike.Win32.Autorun.bc Trojan.Win32.FlyStudio Worm/AutoRun.fpz Worm/Win32.FlyStudio Worm:Win32/Regul.B Worm.FlyStudio Trj/FlyStudio.CR Trojan.FlyStudio.NAQ Win32/FlyStudio.NAQ Trojan.Win32.FakeFolder.t", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlinegameXMQB.Trojan": [[26, 51]], "Indicator: Trojan.FlyStudio.UJ": [[52, 71]], "Indicator: W32/AutoRun.soq": [[72, 87]], "Indicator: Win32.Trojan.FlyStudio.hd": [[88, 113]], "Indicator: W32.SillyFDC": [[114, 126]], "Indicator: Win32/Nuj.AD": [[127, 139]], "Indicator: WORM_FLYSTUDI.B": [[140, 155], [294, 309]], "Indicator: Win.Worm.FlyStudio-23": [[156, 177]], "Indicator: Trojan.Win32.Crypted.wjgrc": [[178, 204]], "Indicator: Worm.Win32.Autorun.175133": [[205, 230]], 
"Indicator: W32.W.AutoRun.l8Zk": [[231, 249]], "Indicator: Trojan.Click2.51706": [[250, 269]], "Indicator: Worm.AutoRun.Win32.2576": [[270, 293]], "Indicator: BehavesLike.Win32.Autorun.bc": [[310, 338]], "Indicator: Trojan.Win32.FlyStudio": [[339, 361]], "Indicator: Worm/AutoRun.fpz": [[362, 378]], "Indicator: Worm/Win32.FlyStudio": [[379, 399]], "Indicator: Worm:Win32/Regul.B": [[400, 418]], "Indicator: Worm.FlyStudio": [[419, 433]], "Indicator: Trj/FlyStudio.CR": [[434, 450]], "Indicator: Trojan.FlyStudio.NAQ": [[451, 471]], "Indicator: Win32/FlyStudio.NAQ": [[472, 491]], "Indicator: Trojan.Win32.FakeFolder.t": [[492, 517]]}, "info": {"id": "cyner2_5class_train_05455", "source": "cyner2_5class_train"}} +{"text": "In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot : Ginp Accessibility request Once the user grants the requested Accessibility Service privilege , Ginp starts by granting itself additional permissions , such as ( dynamic ) permissions required in order to be able to send messages and make calls , without requiring any further action from the victim .", "spans": {"Malware: Ginp": [[115, 119], [211, 215]]}, "info": {"id": "cyner2_5class_train_05456", "source": "cyner2_5class_train"}} +{"text": "In this blog entry, we will introduce and analyze the other tools and malware used by Earth Preta.", "spans": {"Malware: tools": [[60, 65]], "Malware: malware": [[70, 77]]}, "info": {"id": "cyner2_5class_train_05457", "source": "cyner2_5class_train"}} +{"text": "This IP address has been observed attempting to bruteforce SSH server credentials, SSH, which stands for Secure Shell, is a [network protocol]https://null-byte.wonderhowto.com/how-to/networking-basics/ that allows for encrypted communication over an insecure network.", "spans": {"Indicator: IP address": [[5, 15]], "Indicator: bruteforce": [[48, 58]], "System: SSH server": [[59, 69]], "System: SSH,": [[83, 87]], "System: Secure Shell,": [[105, 
118]], "Indicator: [network protocol]https://null-byte.wonderhowto.com/how-to/networking-basics/": [[124, 201]], "Indicator: encrypted communication": [[218, 241]], "System: insecure network.": [[250, 267]]}, "info": {"id": "cyner2_5class_train_05458", "source": "cyner2_5class_train"}} +{"text": "Facebook profile of the C & C domain registrar ( cover picture and profile picture edited out ) Linked on the malicious developer ’ s Facebook profile , we discovered a Facebook page , Minigameshouse , and an associated domain , minigameshouse [ .", "spans": {"Organization: Facebook": [[0, 8], [134, 142], [169, 177]], "Indicator: Minigameshouse": [[185, 199]], "Indicator: minigameshouse [ .": [[229, 247]]}, "info": {"id": "cyner2_5class_train_05459", "source": "cyner2_5class_train"}} +{"text": "The activity class “ org.starsizew.MainActivity ” executes when the app is started .", "spans": {"Indicator: org.starsizew.MainActivity": [[21, 47]]}, "info": {"id": "cyner2_5class_train_05460", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeDirC.Worm Win32.Tyhos.A Virus.Win32.Tyhos!O Trojan.Malex.F2 Virus.Tyhos.Win32.4 Win32.Tyhos.A W32.Virut.CF Win32/Tyhos.A Virus.Win32.Tyhos.a Win32.Tyhos.A Trojan.Win32.Tyhos.bdclx Packer.W32.Tibs.l4Hz Trojan.Win32.FakeFolder.mgge Win32.Tyhos.A Win32.Tyhos.A Trojan.Styho BehavesLike.Win32.VirRansom.ph Win32/Virut.bv Virus/Win32.Tyhos.a Worm:Win32/Nestog.A Virus.Win32.Tyhos.a Win32.Tyhos.A HEUR/Fakon.mwf Win32.Tyhos.A Win32.Virut.NAB Win32/Virut.NBP Virus.Win32.Tyhos Trj/Tyghos.A Win32/Virus.4bd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeDirC.Worm": [[26, 43]], "Indicator: Win32.Tyhos.A": [[44, 57], [114, 127], [175, 188], [264, 277], [278, 291], [411, 424], [440, 453]], "Indicator: Virus.Win32.Tyhos!O": [[58, 77]], "Indicator: Trojan.Malex.F2": [[78, 93]], "Indicator: Virus.Tyhos.Win32.4": [[94, 113]], "Indicator: W32.Virut.CF": [[128, 140]], "Indicator: Win32/Tyhos.A": [[141, 154]], 
"Indicator: Virus.Win32.Tyhos.a": [[155, 174], [391, 410]], "Indicator: Trojan.Win32.Tyhos.bdclx": [[189, 213]], "Indicator: Packer.W32.Tibs.l4Hz": [[214, 234]], "Indicator: Trojan.Win32.FakeFolder.mgge": [[235, 263]], "Indicator: Trojan.Styho": [[292, 304]], "Indicator: BehavesLike.Win32.VirRansom.ph": [[305, 335]], "Indicator: Win32/Virut.bv": [[336, 350]], "Indicator: Virus/Win32.Tyhos.a": [[351, 370]], "Indicator: Worm:Win32/Nestog.A": [[371, 390]], "Indicator: HEUR/Fakon.mwf": [[425, 439]], "Indicator: Win32.Virut.NAB": [[454, 469]], "Indicator: Win32/Virut.NBP": [[470, 485]], "Indicator: Virus.Win32.Tyhos": [[486, 503]], "Indicator: Trj/Tyghos.A": [[504, 516]], "Indicator: Win32/Virus.4bd": [[517, 532]]}, "info": {"id": "cyner2_5class_train_05461", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tapslix RDN/Autorun.worm!e Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.PONZ-7153 Trojan.DownLoader5.52616 RDN/Autorun.worm!e Trojan/Win32.Unknown Trojan.Strictor.D4F65 Trojan:Win32/Tapslix.A HEUR/Fakon.mwf Win32.Trojan.Fakedoc.Auto Trojan.CFI!dl5uaEh6TdQ W32/Yoddos.AG!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tapslix": [[26, 40]], "Indicator: RDN/Autorun.worm!e": [[41, 59], [149, 167]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[60, 102]], "Indicator: W32/Trojan.PONZ-7153": [[103, 123]], "Indicator: Trojan.DownLoader5.52616": [[124, 148]], "Indicator: Trojan/Win32.Unknown": [[168, 188]], "Indicator: Trojan.Strictor.D4F65": [[189, 210]], "Indicator: Trojan:Win32/Tapslix.A": [[211, 233]], "Indicator: HEUR/Fakon.mwf": [[234, 248]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[249, 274]], "Indicator: Trojan.CFI!dl5uaEh6TdQ": [[275, 297]], "Indicator: W32/Yoddos.AG!tr": [[298, 314]]}, "info": {"id": "cyner2_5class_train_05462", "source": "cyner2_5class_train"}} +{"text": "Still included in the last versions , this screen is only used to overlay the official Google Play Store app .", "spans": 
{"System: Google Play Store": [[87, 104]]}, "info": {"id": "cyner2_5class_train_05463", "source": "cyner2_5class_train"}} +{"text": "THURSDAY , OCTOBER 11 , 2018 GPlayed Trojan - .Net playing with Google Market Introduction In a world where everything is always connected , and mobile devices are involved in individuals ' day-to-day lives more and more often , malicious actors are seeing increased opportunities to attack these devices .", "spans": {"Malware: GPlayed": [[29, 36]], "Organization: Google": [[64, 70]]}, "info": {"id": "cyner2_5class_train_05464", "source": "cyner2_5class_train"}} +{"text": "] info including the “ bankaustria ” brand .", "spans": {}, "info": {"id": "cyner2_5class_train_05465", "source": "cyner2_5class_train"}} +{"text": "Operation Black Atlas has already spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop.", "spans": {"Organization: multi-state healthcare provider, dental clinics,": [[46, 94]], "Organization: machine manufacturer,": [[97, 118]], "Organization: technology company focusing on insurance services,": [[121, 171]], "Organization: gas station": [[174, 185]], "Organization: multi-state presence,": [[197, 218]], "Organization: beauty supply shop.": [[225, 244]]}, "info": {"id": "cyner2_5class_train_05466", "source": "cyner2_5class_train"}} +{"text": "The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK .", "spans": {}, "info": {"id": "cyner2_5class_train_05467", "source": "cyner2_5class_train"}} +{"text": "Within the framework of the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.", "spans": {"Organization: the BSI": [[47, 54]], "Malware: malicious software; infections": [[78, 108]], "Organization: the BSI.": [[131, 139]]}, "info": {"id": 
"cyner2_5class_train_05468", "source": "cyner2_5class_train"}} +{"text": "+86.01078456689 Fax .", "spans": {}, "info": {"id": "cyner2_5class_train_05469", "source": "cyner2_5class_train"}} +{"text": "The data entered by the user is sent to the cybercriminals .", "spans": {}, "info": {"id": "cyner2_5class_train_05470", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Death_Packed.439808 BackDoor-FP.cli Backdoor.Death!/0dScPy2Eok Win32/Death.23 W32/Death.C Backdoor.Trojan W32/Death.2_3 Trojan.Win32.Heur.089 Win32.Death.23 Backdoor.Win32.Death.23 Backdoor.Death.23 Backdoor.Win32.Death.23 Backdoor.Death.23 BackDoor.Death.23 TR/Dearh.23.Cli Backdoor.Win32.Death!IK Backdoor/Death.23 Backdoor/Win32.Death Backdoor.Win32.Death_23.Client Backdoor.Death.23 W32/Death.C Win-Trojan/Death.439808 Backdoor.Trojan Backdoor.Win32.Death W32/Backdoor.LamersDeath-FP BackDoor.Death Bck/Death.23.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Death_Packed.439808": [[26, 58]], "Indicator: BackDoor-FP.cli": [[59, 74]], "Indicator: Backdoor.Death!/0dScPy2Eok": [[75, 101]], "Indicator: Win32/Death.23": [[102, 116]], "Indicator: W32/Death.C": [[117, 128], [426, 437]], "Indicator: Backdoor.Trojan": [[129, 144], [462, 477]], "Indicator: W32/Death.2_3": [[145, 158]], "Indicator: Trojan.Win32.Heur.089": [[159, 180]], "Indicator: Win32.Death.23": [[181, 195]], "Indicator: Backdoor.Win32.Death.23": [[196, 219], [238, 261]], "Indicator: Backdoor.Death.23": [[220, 237], [262, 279], [408, 425]], "Indicator: BackDoor.Death.23": [[280, 297]], "Indicator: TR/Dearh.23.Cli": [[298, 313]], "Indicator: Backdoor.Win32.Death!IK": [[314, 337]], "Indicator: Backdoor/Death.23": [[338, 355]], "Indicator: Backdoor/Win32.Death": [[356, 376]], "Indicator: Backdoor.Win32.Death_23.Client": [[377, 407]], "Indicator: Win-Trojan/Death.439808": [[438, 461]], "Indicator: Backdoor.Win32.Death": [[478, 498]], "Indicator: W32/Backdoor.LamersDeath-FP": [[499, 526]], 
"Indicator: BackDoor.Death": [[527, 541]], "Indicator: Bck/Death.23.I": [[542, 556]]}, "info": {"id": "cyner2_5class_train_05471", "source": "cyner2_5class_train"}} +{"text": "In doing so , users can mistakenly install malicious apps , such as the spyware mentioned in this blog .", "spans": {}, "info": {"id": "cyner2_5class_train_05472", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Fareit W32/Injector.GFG Trojan.Win32.Stealer.ewulwv Trojan.Win32.Z.Injector.999936 Trojan.PWS.Stealer.20566 Trojan.Win32.Injector W32/Injector.NZPO-0886 DR/Delphi.pzjjj Trojan[Backdoor]/Win32.Androm Trojan/Win32.Inject.R217517 Backdoor.Androm Trj/CI.A Win32.Trojan.Delf.Swaz W32/Injector.DVFA!tr Win32/Trojan.986", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Fareit": [[26, 39]], "Indicator: W32/Injector.GFG": [[40, 56]], "Indicator: Trojan.Win32.Stealer.ewulwv": [[57, 84]], "Indicator: Trojan.Win32.Z.Injector.999936": [[85, 115]], "Indicator: Trojan.PWS.Stealer.20566": [[116, 140]], "Indicator: Trojan.Win32.Injector": [[141, 162]], "Indicator: W32/Injector.NZPO-0886": [[163, 185]], "Indicator: DR/Delphi.pzjjj": [[186, 201]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[202, 231]], "Indicator: Trojan/Win32.Inject.R217517": [[232, 259]], "Indicator: Backdoor.Androm": [[260, 275]], "Indicator: Trj/CI.A": [[276, 284]], "Indicator: Win32.Trojan.Delf.Swaz": [[285, 307]], "Indicator: W32/Injector.DVFA!tr": [[308, 328]], "Indicator: Win32/Trojan.986": [[329, 345]]}, "info": {"id": "cyner2_5class_train_05473", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Temratanam Trojan.MaskedTeamViewer Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SCHM-2542 TROJ_GE.52AE4DE2 Backdoor.Win32.TeamBot.cq Trojan.Win32.TeamBot.eutqba BackDoor.TeamViewer.45 TROJ_GE.52AE4DE2 BehavesLike.Win32.Backdoor.tc Backdoor:Win32/Temratanam.A Backdoor.Win32.TeamBot.cq PUP/Win32.StartSurf.R196040 Backdoor.TeamBot Trj/GdSda.A", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Temratanam": [[26, 45]], "Indicator: Trojan.MaskedTeamViewer": [[46, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[70, 112]], "Indicator: W32/Trojan.SCHM-2542": [[113, 133]], "Indicator: TROJ_GE.52AE4DE2": [[134, 150], [228, 244]], "Indicator: Backdoor.Win32.TeamBot.cq": [[151, 176], [303, 328]], "Indicator: Trojan.Win32.TeamBot.eutqba": [[177, 204]], "Indicator: BackDoor.TeamViewer.45": [[205, 227]], "Indicator: BehavesLike.Win32.Backdoor.tc": [[245, 274]], "Indicator: Backdoor:Win32/Temratanam.A": [[275, 302]], "Indicator: PUP/Win32.StartSurf.R196040": [[329, 356]], "Indicator: Backdoor.TeamBot": [[357, 373]], "Indicator: Trj/GdSda.A": [[374, 385]]}, "info": {"id": "cyner2_5class_train_05474", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RugoAd.Fam.Trojan TrojanDropper.Purgodoor.A5 TROJ_DROPR.SMD1 Adware.Rugo TROJ_DROPR.SMD1 AdWare.W32.BHO.lhD4 ApplicUnsaf.Win32.AdWare.BHO.AM Trojan.MulDrop1.42303 BehavesLike.Win32.Downloader.gc Adware/MsLock.akh GrayWare[AdWare]/Win32.BHO TrojanDropper:Win32/Purgodoor.A Dropper/Win32.Cadro.R1482 Adware-Rugo.f AdWare.BHO Trj/CI.A Win32.Trojan.Obfuscator.Ajla not-a-virus:AdWare.Win32.BHO Win32/Trojan.b5d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RugoAd.Fam.Trojan": [[26, 47]], "Indicator: TrojanDropper.Purgodoor.A5": [[48, 74]], "Indicator: TROJ_DROPR.SMD1": [[75, 90], [103, 118]], "Indicator: Adware.Rugo": [[91, 102]], "Indicator: AdWare.W32.BHO.lhD4": [[119, 138]], "Indicator: ApplicUnsaf.Win32.AdWare.BHO.AM": [[139, 170]], "Indicator: Trojan.MulDrop1.42303": [[171, 192]], "Indicator: BehavesLike.Win32.Downloader.gc": [[193, 224]], "Indicator: Adware/MsLock.akh": [[225, 242]], "Indicator: GrayWare[AdWare]/Win32.BHO": [[243, 269]], "Indicator: TrojanDropper:Win32/Purgodoor.A": [[270, 301]], "Indicator: Dropper/Win32.Cadro.R1482": [[302, 327]], "Indicator: Adware-Rugo.f": [[328, 341]], "Indicator: AdWare.BHO": 
[[342, 352]], "Indicator: Trj/CI.A": [[353, 361]], "Indicator: Win32.Trojan.Obfuscator.Ajla": [[362, 390]], "Indicator: not-a-virus:AdWare.Win32.BHO": [[391, 419]], "Indicator: Win32/Trojan.b5d": [[420, 436]]}, "info": {"id": "cyner2_5class_train_05475", "source": "cyner2_5class_train"}} +{"text": "At this stage , half the job is done for the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_05476", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.InfecDoor.746584 Backdoor.InfecDoor!stFv1Z+nlTE Win32/Infector.20.A Backdoor.Surgeon BKDR_INFDOOR20.A Win32.InfecDoor.20.a Trojan.Infector-17 Backdoor.Win32.InfecDoor.20.a Backdoor.Win32.InfecDoor!IK Backdoor.Win32.Infector.20.A BackDoor.Infector.20 BDS/Infect.20.Srv2 BKDR_INFDOOR20.A Win32/Theinf.20.B Backdoor/Infector.20.a Backdoor:Win32/Infector.2_0 Backdoor.Win32.InfecDoor_20 Win-Trojan/Infecdoor.746584 Backdoor.Surgeon Backdoor.Win32.InfecDoor BackDoor.Infector Bck/Infector.20", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.InfecDoor.746584": [[26, 55]], "Indicator: Backdoor.InfecDoor!stFv1Z+nlTE": [[56, 86]], "Indicator: Win32/Infector.20.A": [[87, 106]], "Indicator: Backdoor.Surgeon": [[107, 123], [450, 466]], "Indicator: BKDR_INFDOOR20.A": [[124, 140], [308, 324]], "Indicator: Win32.InfecDoor.20.a": [[141, 161]], "Indicator: Trojan.Infector-17": [[162, 180]], "Indicator: Backdoor.Win32.InfecDoor.20.a": [[181, 210]], "Indicator: Backdoor.Win32.InfecDoor!IK": [[211, 238]], "Indicator: Backdoor.Win32.Infector.20.A": [[239, 267]], "Indicator: BackDoor.Infector.20": [[268, 288]], "Indicator: BDS/Infect.20.Srv2": [[289, 307]], "Indicator: Win32/Theinf.20.B": [[325, 342]], "Indicator: Backdoor/Infector.20.a": [[343, 365]], "Indicator: Backdoor:Win32/Infector.2_0": [[366, 393]], "Indicator: Backdoor.Win32.InfecDoor_20": [[394, 421]], "Indicator: Win-Trojan/Infecdoor.746584": [[422, 449]], "Indicator: Backdoor.Win32.InfecDoor": [[467, 491]], "Indicator: 
BackDoor.Infector": [[492, 509]], "Indicator: Bck/Infector.20": [[510, 525]]}, "info": {"id": "cyner2_5class_train_05477", "source": "cyner2_5class_train"}} +{"text": "We believe the threat actors behind the attack don't use exploit kits and automated installers to instantly compromise and infect victims.", "spans": {"Malware: exploit kits": [[57, 69]]}, "info": {"id": "cyner2_5class_train_05478", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan-Downloader.Small.alkd.3.Pack W32/Downldr3.EY Trojan-Downloader.Win32.Small.aowd Trojan.DownLoad1.37207 TROJ_DOWGAV.SMF Win32/SillyDl.NUS W32/Downldr3.EY TrojanDownloader.Small.aqlm Trojan-Downloader.Win32.Small!IK TrojanDownloader:Win32/Dowgav.A Trojan-Downloader.Win32.Small.aowd Trojan-Downloader.Win32.Small Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan-Downloader.Small.alkd.3.Pack": [[26, 67]], "Indicator: W32/Downldr3.EY": [[68, 83], [176, 191]], "Indicator: Trojan-Downloader.Win32.Small.aowd": [[84, 118], [285, 319]], "Indicator: Trojan.DownLoad1.37207": [[119, 141]], "Indicator: TROJ_DOWGAV.SMF": [[142, 157]], "Indicator: Win32/SillyDl.NUS": [[158, 175]], "Indicator: TrojanDownloader.Small.aqlm": [[192, 219]], "Indicator: Trojan-Downloader.Win32.Small!IK": [[220, 252]], "Indicator: TrojanDownloader:Win32/Dowgav.A": [[253, 284]], "Indicator: Trojan-Downloader.Win32.Small": [[320, 349]], "Indicator: Trj/CI.A": [[350, 358]]}, "info": {"id": "cyner2_5class_train_05479", "source": "cyner2_5class_train"}} +{"text": "Presumably , this was done to make the app seem more credible to targeted users in different countries .", "spans": {}, "info": {"id": "cyner2_5class_train_05480", "source": "cyner2_5class_train"}} +{"text": "Using their advanced toolkit, the Turla group compromise networks for the purposes of intelligence collection.", "spans": {"Malware: advanced toolkit,": [[12, 29]], "Indicator: compromise networks": [[46, 65]]}, "info": {"id": 
"cyner2_5class_train_05481", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Packer.W32.Krap.lFn4 Win32.Trojan.WisdomEyes.16070401.9500.9995 TSPY_EMOTET.SMD12 Trojan.Win32.Gozi.euritn BackDoor.Gozi.135 TrojanSpy.Ursnif.afo TR/Crypt.Xpack.ekgur Trojan:Win32/Trriloa.A Trj/CI.A Trojan.Win32.Krypt Win32/Trojan.8ad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Packer.W32.Krap.lFn4": [[47, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[68, 110]], "Indicator: TSPY_EMOTET.SMD12": [[111, 128]], "Indicator: Trojan.Win32.Gozi.euritn": [[129, 153]], "Indicator: BackDoor.Gozi.135": [[154, 171]], "Indicator: TrojanSpy.Ursnif.afo": [[172, 192]], "Indicator: TR/Crypt.Xpack.ekgur": [[193, 213]], "Indicator: Trojan:Win32/Trriloa.A": [[214, 236]], "Indicator: Trj/CI.A": [[237, 245]], "Indicator: Trojan.Win32.Krypt": [[246, 264]], "Indicator: Win32/Trojan.8ad": [[265, 281]]}, "info": {"id": "cyner2_5class_train_05482", "source": "cyner2_5class_train"}} +{"text": "The infection vector is a Hangul Word Processor document HWP, a popular alternative to Microsoft Office for South Korean users developed by Hancom.", "spans": {"Indicator: infection vector": [[4, 20]], "Indicator: Hangul Word Processor document HWP,": [[26, 61]], "System: Microsoft Office": [[87, 103]], "Organization: users": [[121, 126]], "Organization: Hancom.": [[140, 147]]}, "info": {"id": "cyner2_5class_train_05483", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.cc TR/Crypt.ZPACK.oltlq Trojan.Barys.DD8C9 HackTool:Win64/Mimikatz.A Win-Trojan/MSILKrypt02.Exp Trojan.MSIL.Inject MSIL/Injector.QOT!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: BehavesLike.Win32.Trojan.cc": [[69, 96]], "Indicator: TR/Crypt.ZPACK.oltlq": [[97, 
117]], "Indicator: Trojan.Barys.DD8C9": [[118, 136]], "Indicator: HackTool:Win64/Mimikatz.A": [[137, 162]], "Indicator: Win-Trojan/MSILKrypt02.Exp": [[163, 189]], "Indicator: Trojan.MSIL.Inject": [[190, 208]], "Indicator: MSIL/Injector.QOT!tr": [[209, 229]], "Indicator: Trj/GdSda.A": [[230, 241]]}, "info": {"id": "cyner2_5class_train_05484", "source": "cyner2_5class_train"}} +{"text": "This document likely marks the first observed use of this technique by APT28.", "spans": {"Indicator: document": [[5, 13]]}, "info": {"id": "cyner2_5class_train_05485", "source": "cyner2_5class_train"}} +{"text": "The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks.", "spans": {"Malware: toolset": [[132, 139]], "Indicator: different waves of attacks.": [[147, 174]]}, "info": {"id": "cyner2_5class_train_05486", "source": "cyner2_5class_train"}} +{"text": "A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled The Murtadd Vote", "spans": {"Organization: Presidential elections,": [[45, 68]], "Indicator: email": [[72, 77]], "Organization: recipients": [[108, 118]], "Indicator: attack": [[133, 139]], "Indicator: The Murtadd Vote": [[239, 255]]}, "info": {"id": "cyner2_5class_train_05487", "source": "cyner2_5class_train"}} +{"text": "The conditions to build an additional payload are never met .", "spans": {}, "info": {"id": "cyner2_5class_train_05488", "source": "cyner2_5class_train"}} +{"text": "Trend Micro researchers found a new variant that uses a different way to lure users .", "spans": {"Organization: Trend Micro": [[0, 11]]}, "info": {"id": "cyner2_5class_train_05489", "source": "cyner2_5class_train"}} +{"text": "Otherwise , it will launch an ACTION_APPLICATION_SETTINGS intent 
trying to trick the user to grant the permissions .", "spans": {}, "info": {"id": "cyner2_5class_train_05490", "source": "cyner2_5class_train"}} +{"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ? fields [ ] .", "spans": {"Indicator: https : //evilhost/c2folder/njs2/ ? fields [ ]": [[37, 83]]}, "info": {"id": "cyner2_5class_train_05491", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Rootkit.Win32.Stuxnet!O Trojan/Stuxnet.a Win32/PcClient.ACH RTKT_STUXNET.SMA Win.Worm.Stuxnet-10 Rootkit.Win32.Stuxnet.a Trojan.Win32.Stuxnet.ioljg Trojan.Win32.Stuxnet.19968 Rootkit.W32.Stuxnet!c Win32.Rootkit.Stuxnet.Hxqi Trojan:W32/Stuxnet.A Trojan.Stuxnet.1 Rootkit.Stuxnet.Win32.5 RTKT_STUXNET.SMA Rootkit.Stuxnet.b W32.Stuxnet Trojan[Rootkit]/Win32.Stuxnet Win32.Troj.LnkExploit.aa.26616 Trojan.Graftor.DB580 Rootkit.Win32.Stuxnet.a Trojan:WinNT/Stuxnet.A Win-Trojan/Stuxnet.26872 SScope.Rootkit.TmpHider.2 Rootkit.Stuxnet.Z Rootkit.Win32.Stuxnet W32/Stuxnet.A!tr.rkit Win32/RootKit.Rootkit.f73", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Rootkit.Win32.Stuxnet!O": [[26, 49]], "Indicator: Trojan/Stuxnet.a": [[50, 66]], "Indicator: Win32/PcClient.ACH": [[67, 85]], "Indicator: RTKT_STUXNET.SMA": [[86, 102], [312, 328]], "Indicator: Win.Worm.Stuxnet-10": [[103, 122]], "Indicator: Rootkit.Win32.Stuxnet.a": [[123, 146], [441, 464]], "Indicator: Trojan.Win32.Stuxnet.ioljg": [[147, 173]], "Indicator: Trojan.Win32.Stuxnet.19968": [[174, 200]], "Indicator: Rootkit.W32.Stuxnet!c": [[201, 222]], "Indicator: Win32.Rootkit.Stuxnet.Hxqi": [[223, 249]], "Indicator: Trojan:W32/Stuxnet.A": [[250, 270]], "Indicator: Trojan.Stuxnet.1": [[271, 287]], "Indicator: Rootkit.Stuxnet.Win32.5": [[288, 311]], "Indicator: Rootkit.Stuxnet.b": [[329, 346]], "Indicator: W32.Stuxnet": [[347, 358]], "Indicator: Trojan[Rootkit]/Win32.Stuxnet": [[359, 388]], "Indicator: Win32.Troj.LnkExploit.aa.26616": [[389, 419]], "Indicator: Trojan.Graftor.DB580": [[420, 
440]], "Indicator: Trojan:WinNT/Stuxnet.A": [[465, 487]], "Indicator: Win-Trojan/Stuxnet.26872": [[488, 512]], "Indicator: SScope.Rootkit.TmpHider.2": [[513, 538]], "Indicator: Rootkit.Stuxnet.Z": [[539, 556]], "Indicator: Rootkit.Win32.Stuxnet": [[557, 578]], "Indicator: W32/Stuxnet.A!tr.rkit": [[579, 600]], "Indicator: Win32/RootKit.Rootkit.f73": [[601, 626]]}, "info": {"id": "cyner2_5class_train_05492", "source": "cyner2_5class_train"}} +{"text": "As a result , a copy of Angry Birds installed from an unofficial app store or downloaded from a forum could easily contain malicious functionality .", "spans": {"System: Angry Birds": [[24, 35]]}, "info": {"id": "cyner2_5class_train_05493", "source": "cyner2_5class_train"}} +{"text": "This is a very simple process , which is replacing their update file on SD card with its own malicious payload .", "spans": {}, "info": {"id": "cyner2_5class_train_05494", "source": "cyner2_5class_train"}} +{"text": "Also , the botnet IDs increment over time as they are submitted .", "spans": {}, "info": {"id": "cyner2_5class_train_05495", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Fleercivet.aa Win.Trojan.Fleercivet-3 BackDoor.Fleercivet.42 Trojan.Fleercivet.Win32.81 Trojan:Win64/Fleercivet.A Win64/Fleercivet.AA Trojan.Fleercivet!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Fleercivet.aa": [[26, 46]], "Indicator: Win.Trojan.Fleercivet-3": [[47, 70]], "Indicator: BackDoor.Fleercivet.42": [[71, 93]], "Indicator: Trojan.Fleercivet.Win32.81": [[94, 120]], "Indicator: Trojan:Win64/Fleercivet.A": [[121, 146]], "Indicator: Win64/Fleercivet.AA": [[147, 166]], "Indicator: Trojan.Fleercivet!": [[167, 185]]}, "info": {"id": "cyner2_5class_train_05496", "source": "cyner2_5class_train"}} +{"text": "The threat group amassed a significant amount of data, from Skype account databases to planning documents and spreadsheets to photos.", "spans": {"System: Skype account databases": [[60, 83]]}, "info": 
{"id": "cyner2_5class_train_05497", "source": "cyner2_5class_train"}} +{"text": "Instead of running its service only at boot time , it registers a receiver that listens to the “ android.intent.action.SCREEN_ON ” and “ android.provider.Telephony.SMS_DELIVER ” broadcast actions .", "spans": {"Indicator: android.intent.action.SCREEN_ON": [[97, 128]], "Indicator: android.provider.Telephony.SMS_DELIVER": [[137, 175]]}, "info": {"id": "cyner2_5class_train_05498", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Spinfy.A4 Trojan/Injector.uni TROJ_FINSPY.A Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/FinFish.ZBVH-2442 Backdoor.Finfish TROJ_FINSPY.A Win.Trojan.FinFisher-1 Backdoor.Win32.Finfish.a Backdoor.W32.Finfish.a!c TrojWare.Win32.FinSpy.A Trojan.MulDrop3.31380 Backdoor.Finfish.Win32.3 W32/FinFish.A Trojan[Backdoor]/Win32.Finfish Trojan:Win32/Spinfy.A Trojan.FinFisher.1 Backdoor.Win32.Finfish.a Backdoor/Win32.Finfish.C198683 Trj/CI.A Win32.Backdoor.Finfish.Eeri Backdoor.Finfish!glcRlW9Rsiw Trojan.Win32.Finspy W32/Finfish.A!tr.bdr Win32/Trojan.5ec", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Spinfy.A4": [[26, 42]], "Indicator: Trojan/Injector.uni": [[43, 62]], "Indicator: TROJ_FINSPY.A": [[63, 76], [159, 172]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[77, 119]], "Indicator: W32/FinFish.ZBVH-2442": [[120, 141]], "Indicator: Backdoor.Finfish": [[142, 158]], "Indicator: Win.Trojan.FinFisher-1": [[173, 195]], "Indicator: Backdoor.Win32.Finfish.a": [[196, 220], [403, 427]], "Indicator: Backdoor.W32.Finfish.a!c": [[221, 245]], "Indicator: TrojWare.Win32.FinSpy.A": [[246, 269]], "Indicator: Trojan.MulDrop3.31380": [[270, 291]], "Indicator: Backdoor.Finfish.Win32.3": [[292, 316]], "Indicator: W32/FinFish.A": [[317, 330]], "Indicator: Trojan[Backdoor]/Win32.Finfish": [[331, 361]], "Indicator: Trojan:Win32/Spinfy.A": [[362, 383]], "Indicator: Trojan.FinFisher.1": [[384, 402]], "Indicator: 
Backdoor/Win32.Finfish.C198683": [[428, 458]], "Indicator: Trj/CI.A": [[459, 467]], "Indicator: Win32.Backdoor.Finfish.Eeri": [[468, 495]], "Indicator: Backdoor.Finfish!glcRlW9Rsiw": [[496, 524]], "Indicator: Trojan.Win32.Finspy": [[525, 544]], "Indicator: W32/Finfish.A!tr.bdr": [[545, 565]], "Indicator: Win32/Trojan.5ec": [[566, 582]]}, "info": {"id": "cyner2_5class_train_05499", "source": "cyner2_5class_train"}} +{"text": "Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.", "spans": {"Malware: Philadelphia": [[0, 12]], "Indicator: to generate PDF reports and charts of": [[54, 91]], "Organization: victims": [[155, 162]], "System: Google Maps.": [[186, 198]]}, "info": {"id": "cyner2_5class_train_05500", "source": "cyner2_5class_train"}} +{"text": "Is UrlZone still a threat and if so, how has it changed?", "spans": {"Malware: UrlZone": [[3, 10]], "Malware: threat": [[19, 25]]}, "info": {"id": "cyner2_5class_train_05501", "source": "cyner2_5class_train"}} +{"text": "In this version of Rotexy , dynamic generation of lowest-level domains was not used .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner2_5class_train_05502", "source": "cyner2_5class_train"}} +{"text": "JPCERT/CC has been observing attacks using Datper since around June 2016.", "spans": {"Malware: JPCERT/CC": [[0, 9]], "Indicator: attacks": [[29, 36]], "Malware: Datper": [[43, 49]]}, "info": {"id": "cyner2_5class_train_05503", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.Dapato.S8172 TROJ_INDIGOROSE_FC140186.UVPM TROJ_INDIGOROSE_FC140186.UVPM Trojan.Win32.IndigoRose.eujbip Trojan.Win32.Z.Indigorose.2334813 Trojan.DownLoader21.23836 BehavesLike.Win32.BadFile.vh TR/Dldr.IndigoRose.xrkh TrojanDownloader:Win32/Inros.A Downloader.AdLoad Trj/CI.A Win32/TrojanDownloader.IndigoRose.AI 
Trojan-Downloader.Win32.Indigorose Win32/Trojan.b3d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Dapato.S8172": [[26, 52]], "Indicator: TROJ_INDIGOROSE_FC140186.UVPM": [[53, 82], [83, 112]], "Indicator: Trojan.Win32.IndigoRose.eujbip": [[113, 143]], "Indicator: Trojan.Win32.Z.Indigorose.2334813": [[144, 177]], "Indicator: Trojan.DownLoader21.23836": [[178, 203]], "Indicator: BehavesLike.Win32.BadFile.vh": [[204, 232]], "Indicator: TR/Dldr.IndigoRose.xrkh": [[233, 256]], "Indicator: TrojanDownloader:Win32/Inros.A": [[257, 287]], "Indicator: Downloader.AdLoad": [[288, 305]], "Indicator: Trj/CI.A": [[306, 314]], "Indicator: Win32/TrojanDownloader.IndigoRose.AI": [[315, 351]], "Indicator: Trojan-Downloader.Win32.Indigorose": [[352, 386]], "Indicator: Win32/Trojan.b3d": [[387, 403]]}, "info": {"id": "cyner2_5class_train_05504", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.1019 O97M.Dropper.BS VB:Trojan.Valyria.1019 VB:Trojan.Valyria.1019 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.1019 VB:Trojan.Valyria.1019 HEUR_VBA.D TrojanDownloader:O97M/Crosspim.A VB:Trojan.Valyria.D3FB VB:Trojan.Valyria.1019 VBA/TrojanDownloader.DZN!tr virus.office.qexvmc.1075", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.1019": [[26, 48], [65, 87], [88, 110], [144, 166], [167, 189], [257, 279]], "Indicator: O97M.Dropper.BS": [[49, 64]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[111, 143]], "Indicator: HEUR_VBA.D": [[190, 200]], "Indicator: TrojanDownloader:O97M/Crosspim.A": [[201, 233]], "Indicator: VB:Trojan.Valyria.D3FB": [[234, 256]], "Indicator: VBA/TrojanDownloader.DZN!tr": [[280, 307]], "Indicator: virus.office.qexvmc.1075": [[308, 332]]}, "info": {"id": "cyner2_5class_train_05505", "source": "cyner2_5class_train"}} +{"text": "System applications with root , by contrast , have super-user permissions that allow them to break out of such sandboxes .", "spans": {}, "info": {"id": 
"cyner2_5class_train_05506", "source": "cyner2_5class_train"}} +{"text": "Unit 42 has recently discovered a new keylogger, named NexusLogger, being used in attempted unsuccessful attacks against Palo Alto Networks customers.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: keylogger,": [[38, 48]], "Malware: NexusLogger,": [[55, 67]], "Organization: Palo Alto Networks customers.": [[121, 150]]}, "info": {"id": "cyner2_5class_train_05507", "source": "cyner2_5class_train"}} +{"text": "They seem to use the same technique of mimicking a website associated with well-known software like Notepad++ and Blender 3D.", "spans": {"Indicator: website": [[51, 58]], "System: software": [[86, 94]], "System: Notepad++": [[100, 109]], "System: Blender 3D.": [[114, 125]]}, "info": {"id": "cyner2_5class_train_05508", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D39F0E Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.DownLoader25.65030 BehavesLike.Win32.Trojan.bh TrojanDropper:MSIL/Muldalun.A!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D39F0E": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[45, 87]], "Indicator: Trojan.DownLoader25.65030": [[88, 113]], "Indicator: BehavesLike.Win32.Trojan.bh": [[114, 141]], "Indicator: TrojanDropper:MSIL/Muldalun.A!bit": [[142, 175]]}, "info": {"id": "cyner2_5class_train_05509", "source": "cyner2_5class_train"}} +{"text": "In May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world.", "spans": {"Organization: Palo Alto Networks Unit 42": [[13, 39]]}, "info": {"id": "cyner2_5class_train_05510", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Androm.drayhs Trojan.DownLoader18.10874 Downloader.Banload.Win32.64034 Trojan/Inject.axyw TrojanDownloader:Win32/BrobanLaw.A Trojan.Strictor.D15B7B Trojan/Win32.MDA.R160449 Trojan.Banker.IGF", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Trojan.Win32.Androm.drayhs": [[26, 52]], "Indicator: Trojan.DownLoader18.10874": [[53, 78]], "Indicator: Downloader.Banload.Win32.64034": [[79, 109]], "Indicator: Trojan/Inject.axyw": [[110, 128]], "Indicator: TrojanDownloader:Win32/BrobanLaw.A": [[129, 163]], "Indicator: Trojan.Strictor.D15B7B": [[164, 186]], "Indicator: Trojan/Win32.MDA.R160449": [[187, 211]], "Indicator: Trojan.Banker.IGF": [[212, 229]]}, "info": {"id": "cyner2_5class_train_05511", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LibarokI.Trojan Trojan/Scar.ejki Win32.Trojan.WisdomEyes.16070401.9500.9609 Trojan.Badlib Win.Downloader.Delf-12262 Trojan.Win32.Scar.256000.B Trojan.DownLoader4.22959 Trojan.Scar.Win32.50666 Backdoor.Win32.Bafruz Backdoor:Win32/Bafruz.C Trojan.Delf.01357 Bck/Koobface.AA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LibarokI.Trojan": [[26, 45]], "Indicator: Trojan/Scar.ejki": [[46, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9609": [[63, 105]], "Indicator: Trojan.Badlib": [[106, 119]], "Indicator: Win.Downloader.Delf-12262": [[120, 145]], "Indicator: Trojan.Win32.Scar.256000.B": [[146, 172]], "Indicator: Trojan.DownLoader4.22959": [[173, 197]], "Indicator: Trojan.Scar.Win32.50666": [[198, 221]], "Indicator: Backdoor.Win32.Bafruz": [[222, 243]], "Indicator: Backdoor:Win32/Bafruz.C": [[244, 267]], "Indicator: Trojan.Delf.01357": [[268, 285]], "Indicator: Bck/Koobface.AA": [[286, 301]]}, "info": {"id": "cyner2_5class_train_05512", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Bagsu.S31234 Trojan/IRCBot.nhr BKDR_IRCBOT.SMB Backdoor.IRC.Bot BKDR_IRCBOT.SMB BehavesLike.Win32.Dropper.cm Backdoor.Win32.Ursap Backdoor.Athena Win32/IRCBot.NHR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bagsu.S31234": [[26, 45]], "Indicator: Trojan/IRCBot.nhr": [[46, 63]], "Indicator: BKDR_IRCBOT.SMB": [[64, 79], [97, 112]], "Indicator: Backdoor.IRC.Bot": [[80, 
96]], "Indicator: BehavesLike.Win32.Dropper.cm": [[113, 141]], "Indicator: Backdoor.Win32.Ursap": [[142, 162]], "Indicator: Backdoor.Athena": [[163, 178]], "Indicator: Win32/IRCBot.NHR": [[179, 195]]}, "info": {"id": "cyner2_5class_train_05513", "source": "cyner2_5class_train"}} +{"text": "It is mainly an information stealer and malware downloader network which installs other malware on infected machines.", "spans": {"Indicator: information stealer": [[16, 35]], "Malware: malware downloader network": [[40, 66]], "Malware: malware": [[88, 95]], "System: infected machines.": [[99, 117]]}, "info": {"id": "cyner2_5class_train_05514", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PSW.FakeAIM.C Trojan.PSW.FakeAIM.C Trojan.PSW.FakeAIM.C W32/PWS.BXQR-8711 Infostealer.Snatch Trojan.PSW.FakeAIM.C Trojan-PSW.Win32.FakeAIM.d Trojan.PSW.FakeAIM.C Trojan.Win32.FakeAIM.dgtt Trojan.Win32.PSWFakeAIM.78848 Troj.PSW32.W.FakeAIM.c!c Trojan.PSW.FakeAIM.C TrojWare.Win32.PSW.FakeAIM.D Trojan.PSW.FakeAIM.C Trojan.PWS.Fakeaim Trojan.FakeAIM.Win32.6 BehavesLike.Win32.Trojan.lc W32/Pws.TXC Trojan/PSW.FakeAIM.c TR/PSW.FakeAIM.C.1 Trojan[PSW]/Win32.FakeAIM PWS:Win32/FakeAIM.C Trojan-PSW.Win32.FakeAIM.d Trojan/Win32.Xema.R89227 TScope.Trojan.VB Win32/PSW.FakeAIM.D W32/AIMFake.C!tr.pws Win32/Trojan.PSW.ee5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.FakeAIM.C": [[26, 46], [47, 67], [68, 88], [126, 146], [174, 194], [276, 296], [326, 346]], "Indicator: W32/PWS.BXQR-8711": [[89, 106]], "Indicator: Infostealer.Snatch": [[107, 125]], "Indicator: Trojan-PSW.Win32.FakeAIM.d": [[147, 173], [515, 541]], "Indicator: Trojan.Win32.FakeAIM.dgtt": [[195, 220]], "Indicator: Trojan.Win32.PSWFakeAIM.78848": [[221, 250]], "Indicator: Troj.PSW32.W.FakeAIM.c!c": [[251, 275]], "Indicator: TrojWare.Win32.PSW.FakeAIM.D": [[297, 325]], "Indicator: Trojan.PWS.Fakeaim": [[347, 365]], "Indicator: Trojan.FakeAIM.Win32.6": [[366, 388]], "Indicator: 
BehavesLike.Win32.Trojan.lc": [[389, 416]], "Indicator: W32/Pws.TXC": [[417, 428]], "Indicator: Trojan/PSW.FakeAIM.c": [[429, 449]], "Indicator: TR/PSW.FakeAIM.C.1": [[450, 468]], "Indicator: Trojan[PSW]/Win32.FakeAIM": [[469, 494]], "Indicator: PWS:Win32/FakeAIM.C": [[495, 514]], "Indicator: Trojan/Win32.Xema.R89227": [[542, 566]], "Indicator: TScope.Trojan.VB": [[567, 583]], "Indicator: Win32/PSW.FakeAIM.D": [[584, 603]], "Indicator: W32/AIMFake.C!tr.pws": [[604, 624]], "Indicator: Win32/Trojan.PSW.ee5": [[625, 645]]}, "info": {"id": "cyner2_5class_train_05515", "source": "cyner2_5class_train"}} +{"text": "On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94dotcom redirecting visitors to an exploit kit and installing a Ransom Locker.", "spans": {"Organization: Cyphort Labs": [[17, 29]], "Indicator: infection": [[44, 53]], "Indicator: porn site keng94dotcom": [[59, 81]], "Malware: exploit kit": [[109, 120]], "Malware: Ransom Locker.": [[138, 152]]}, "info": {"id": "cyner2_5class_train_05516", "source": "cyner2_5class_train"}} +{"text": "One good thing about having a lot of Facebook friends is that you simply act as a honey pot when your friends click on malicious things.", "spans": {"Organization: Facebook friends": [[37, 53]], "Indicator: a honey pot": [[80, 91]], "Malware: malicious": [[119, 128]]}, "info": {"id": "cyner2_5class_train_05517", "source": "cyner2_5class_train"}} +{"text": "The command & control server ( C & C server ) returns the URL to click along with a very long list of additional parameters in JSON format .", "spans": {}, "info": {"id": "cyner2_5class_train_05518", "source": "cyner2_5class_train"}} +{"text": "Screenshots : captures an image of the current screen via the raw frame buffer .", "spans": {}, "info": {"id": "cyner2_5class_train_05519", "source": "cyner2_5class_train"}} +{"text": "Going one step further , we rebuilt the malware to execute the apparent functionality of generating a payload , but discovered that 
the APK stored in the /res/raw/ directory is empty .", "spans": {}, "info": {"id": "cyner2_5class_train_05520", "source": "cyner2_5class_train"}} +{"text": "The malicious script fingerprints the victim's machine and can receive any command that will run via PowerShell.", "spans": {"Indicator: The malicious script": [[0, 20]], "System: the victim's machine": [[34, 54]], "Indicator: command that will run via PowerShell.": [[75, 112]]}, "info": {"id": "cyner2_5class_train_05521", "source": "cyner2_5class_train"}} +{"text": "Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.", "spans": {"Malware: Windows botnet": [[60, 74]], "Malware: Mirai bot variant.": [[90, 108]]}, "info": {"id": "cyner2_5class_train_05522", "source": "cyner2_5class_train"}} +{"text": "ESET researchers analyzed a preference file that was used to compromise the system when Uploader! is launched.", "spans": {"Organization: ESET researchers": [[0, 16]], "Indicator: compromise": [[61, 71]], "System: system": [[76, 82]], "System: Uploader!": [[88, 97]]}, "info": {"id": "cyner2_5class_train_05523", "source": "cyner2_5class_train"}} +{"text": "These campaigns not only represent an uptick in our observed instances of Kronos banker but also a new application of the malware that was first introduced in June 2014 and that we most recently described in relation to campaigns targeting Canada.", "spans": {"Malware: campaigns": [[6, 15]], "Malware: Kronos banker": [[74, 87]], "Malware: malware": [[122, 129]]}, "info": {"id": "cyner2_5class_train_05524", "source": "cyner2_5class_train"}} +{"text": "The Anthem attack is only one of multiple campaigns that Symantec has attributed to this group.", "spans": {"Organization: Anthem": [[4, 10]], "Indicator: attack": [[11, 17]]}, "info": {"id": "cyner2_5class_train_05525", "source": "cyner2_5class_train"}} +{"text": "This blog post describes details that we discovered during our analysis of malware that focuses on 
a specific country — Libya.", "spans": {"Organization: blog post": [[5, 14]], "Malware: malware": [[75, 82]]}, "info": {"id": "cyner2_5class_train_05526", "source": "cyner2_5class_train"}} +{"text": "This Zscaler ThreatLabz research article investigates the latest malware campaign of DBatLoader, which is being used by threat actors to target various businesses in European countries with Remcos RAT and Formbook.", "spans": {"Organization: Zscaler ThreatLabz research": [[5, 32]], "Malware: DBatLoader,": [[85, 96]], "Organization: businesses": [[152, 162]], "Malware: Remcos RAT": [[190, 200]], "Malware: Formbook.": [[205, 214]]}, "info": {"id": "cyner2_5class_train_05527", "source": "cyner2_5class_train"}} +{"text": "The Lookout Threat Intelligence team is increasingly seeing the same tradecraft , tactics , and procedures that APT-C-23 favors being used by other actors .", "spans": {"Organization: Lookout Threat Intelligence": [[4, 31]], "Malware: APT-C-23": [[112, 120]]}, "info": {"id": "cyner2_5class_train_05528", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VBA.Trojan.Obfuscated.af W2KM_DLOADR.YYSQK Trojan.Ole2.Vbs-heuristic.druvzi W2KM_DLOADR.YYSQK Trojan:X97M/ShellHide.C virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VBA.Trojan.Obfuscated.af": [[26, 50]], "Indicator: W2KM_DLOADR.YYSQK": [[51, 68], [102, 119]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[69, 101]], "Indicator: Trojan:X97M/ShellHide.C": [[120, 143]], "Indicator: virus.office.obfuscated.1": [[144, 169]]}, "info": {"id": "cyner2_5class_train_05529", "source": "cyner2_5class_train"}} +{"text": "We detect the malware used in this attack as “ Backdoor.AndroidOS.Chuli.a ” .", "spans": {"Malware: Backdoor.AndroidOS.Chuli.a": [[47, 73]]}, "info": {"id": "cyner2_5class_train_05530", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.F21F W32/Trojan2.MVJQ Trojan.Win32.Ace.cxham Win32.Backdoor.Ace.ciih 
Trojan.DownLoader1.8121 Backdoor.Ace.Win32.86 BehavesLike.Win32.Dropper.hh W32/Trojan.QDLI-0337 Trojan[Backdoor]/ASP.Ace TrojanDownloader:Win32/Pluzoks.A Backdoor/Win32.Ace.C78643 Backdoor.ASP.Ace Adware.Ezipop Win32/Adware.AdTrigger W32/ASP_Ace.MF!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.F21F": [[26, 43]], "Indicator: W32/Trojan2.MVJQ": [[44, 60]], "Indicator: Trojan.Win32.Ace.cxham": [[61, 83]], "Indicator: Win32.Backdoor.Ace.ciih": [[84, 107]], "Indicator: Trojan.DownLoader1.8121": [[108, 131]], "Indicator: Backdoor.Ace.Win32.86": [[132, 153]], "Indicator: BehavesLike.Win32.Dropper.hh": [[154, 182]], "Indicator: W32/Trojan.QDLI-0337": [[183, 203]], "Indicator: Trojan[Backdoor]/ASP.Ace": [[204, 228]], "Indicator: TrojanDownloader:Win32/Pluzoks.A": [[229, 261]], "Indicator: Backdoor/Win32.Ace.C78643": [[262, 287]], "Indicator: Backdoor.ASP.Ace": [[288, 304]], "Indicator: Adware.Ezipop": [[305, 318]], "Indicator: Win32/Adware.AdTrigger": [[319, 341]], "Indicator: W32/ASP_Ace.MF!tr.bdr": [[342, 363]]}, "info": {"id": "cyner2_5class_train_05531", "source": "cyner2_5class_train"}} +{"text": "We were a bit disappointed that we did not see traces of a true privilege escalation exploit after all this deobfuscation work , but it seems these FinFisher samples were designed to work just using UAC bypasses .", "spans": {"Vulnerability: privilege escalation exploit": [[64, 92]], "Malware: FinFisher": [[148, 157]]}, "info": {"id": "cyner2_5class_train_05532", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Rahima.28672 Win32.Trojan.WisdomEyes.16070401.9500.9607 W32/Rahima.QDHZ-4096 W32.Fourseman.B@mm P2P-Worm.Win32.Rahima Trojan.Win32.Rahima.enoe Worm.Win32.P2P-Rahima.28672 W32.W.Rahima!c Worm.Rahima W32/Rahima.A I-Worm/Himera.i WORM/Rahima.A Worm[P2P]/Win32.Rahima P2P-Worm.Win32.Rahima Worm.Rahima Win32.Worm-p2p.Rahima.Pefs Worm.P2P.Rahima W32/Himera.J!worm.p2p Win32/Worm.IM.a16", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Worm/W32.Rahima.28672": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9607": [[48, 90]], "Indicator: W32/Rahima.QDHZ-4096": [[91, 111]], "Indicator: W32.Fourseman.B@mm": [[112, 130]], "Indicator: P2P-Worm.Win32.Rahima": [[131, 152], [299, 320]], "Indicator: Trojan.Win32.Rahima.enoe": [[153, 177]], "Indicator: Worm.Win32.P2P-Rahima.28672": [[178, 205]], "Indicator: W32.W.Rahima!c": [[206, 220]], "Indicator: Worm.Rahima": [[221, 232], [321, 332]], "Indicator: W32/Rahima.A": [[233, 245]], "Indicator: I-Worm/Himera.i": [[246, 261]], "Indicator: WORM/Rahima.A": [[262, 275]], "Indicator: Worm[P2P]/Win32.Rahima": [[276, 298]], "Indicator: Win32.Worm-p2p.Rahima.Pefs": [[333, 359]], "Indicator: Worm.P2P.Rahima": [[360, 375]], "Indicator: W32/Himera.J!worm.p2p": [[376, 397]], "Indicator: Win32/Worm.IM.a16": [[398, 415]]}, "info": {"id": "cyner2_5class_train_05533", "source": "cyner2_5class_train"}} +{"text": "The use of Lua modules, which we'll discuss later, is a technique that has previously been used by Flamer.", "spans": {"Malware: Lua modules,": [[11, 23]]}, "info": {"id": "cyner2_5class_train_05534", "source": "cyner2_5class_train"}} +{"text": "In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack.", "spans": {"Organization: energy company": [[77, 91]], "Malware: malware": [[105, 112]], "Malware: Disttrack.": [[120, 130]]}, "info": {"id": "cyner2_5class_train_05535", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Geral!O TrojanDownloader.Begseabug.A5 Trojan/Downloader.Geral.aazb Trojan.Graftor.D540C W32.SillyDC Win.Trojan.Downloader-22789 Trojan-Downloader.Win32.Geral.aazb Trojan.Win32.Geral.dkhaf Trojan.Win32.A.Downloader.50176.GE Troj.Downloader.W32.Geral.aazb!c Trojan.Swizzor.18871 Downloader.Geral.Win32.7037 BehavesLike.Win32.Backdoor.ph Trojan-Downloader.Win32.Geral TrojanDownloader.Geral.cjc 
TrojanDownloader:Win32/Begseabug.A Trojan-Downloader.Win32.Geral.aazb Trojan/Win32.Scar.R4495 TrojanDownloader.Geral Trojan.KillAV Win32.Trojan-downloader.Geral.Sqtn Trojan.DL.Geral!qBECnW5XLLM W32/Pincav.SNS!tr Win32/Trojan.836", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Geral!O": [[26, 57]], "Indicator: TrojanDownloader.Begseabug.A5": [[58, 87]], "Indicator: Trojan/Downloader.Geral.aazb": [[88, 116]], "Indicator: Trojan.Graftor.D540C": [[117, 137]], "Indicator: W32.SillyDC": [[138, 149]], "Indicator: Win.Trojan.Downloader-22789": [[150, 177]], "Indicator: Trojan-Downloader.Win32.Geral.aazb": [[178, 212], [477, 511]], "Indicator: Trojan.Win32.Geral.dkhaf": [[213, 237]], "Indicator: Trojan.Win32.A.Downloader.50176.GE": [[238, 272]], "Indicator: Troj.Downloader.W32.Geral.aazb!c": [[273, 305]], "Indicator: Trojan.Swizzor.18871": [[306, 326]], "Indicator: Downloader.Geral.Win32.7037": [[327, 354]], "Indicator: BehavesLike.Win32.Backdoor.ph": [[355, 384]], "Indicator: Trojan-Downloader.Win32.Geral": [[385, 414]], "Indicator: TrojanDownloader.Geral.cjc": [[415, 441]], "Indicator: TrojanDownloader:Win32/Begseabug.A": [[442, 476]], "Indicator: Trojan/Win32.Scar.R4495": [[512, 535]], "Indicator: TrojanDownloader.Geral": [[536, 558]], "Indicator: Trojan.KillAV": [[559, 572]], "Indicator: Win32.Trojan-downloader.Geral.Sqtn": [[573, 607]], "Indicator: Trojan.DL.Geral!qBECnW5XLLM": [[608, 635]], "Indicator: W32/Pincav.SNS!tr": [[636, 653]], "Indicator: Win32/Trojan.836": [[654, 670]]}, "info": {"id": "cyner2_5class_train_05536", "source": "cyner2_5class_train"}} +{"text": "Other configuration data is located elsewhere , and some of it can been seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn ’ t changed 
from the previous version ) The C2 URLs A randomized class name using the device ’ s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version .", "spans": {"Malware: EventBot": [[480, 488]]}, "info": {"id": "cyner2_5class_train_05537", "source": "cyner2_5class_train"}} +{"text": "This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process .", "spans": {}, "info": {"id": "cyner2_5class_train_05538", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.1F0C Adware.SearchSafer.A Adware.OutBrowse/Variant Win32.Trojan.WisdomEyes.16070401.9500.9922 Downloader.Sesafer TROJ_GE.24FE3DBE not-a-virus:Downloader.Win32.SearchSafe.a Adware.SearchSafer.A Trojan.Nsis.SearchSafe.dyoiec Adware.SearchSafer.A Adware.Downware.3008 Downloader.SearchSafe.Win32.2 TROJ_GE.24FE3DBE TR/AD.Uascape.myjsl Trojan:Win32/Uascape.A Adware.SearchSafer.A not-a-virus:Downloader.Win32.SearchSafe.a Adware.SearchSafer.A Downloader.SearchSafe PUP.Optional.SearchSafer PUA.Downloader!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.1F0C": [[26, 44]], "Indicator: Adware.SearchSafer.A": [[45, 65], [212, 232], [263, 283], [395, 415], [458, 478]], "Indicator: Adware.OutBrowse/Variant": [[66, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9922": [[91, 133]], "Indicator: Downloader.Sesafer": [[134, 152]], "Indicator: TROJ_GE.24FE3DBE": [[153, 169], [335, 351]], "Indicator: not-a-virus:Downloader.Win32.SearchSafe.a": [[170, 211], [416, 457]], "Indicator: Trojan.Nsis.SearchSafe.dyoiec": [[233, 262]], "Indicator: Adware.Downware.3008": [[284, 304]], "Indicator: Downloader.SearchSafe.Win32.2": [[305, 334]], "Indicator: TR/AD.Uascape.myjsl": [[352, 371]], "Indicator: Trojan:Win32/Uascape.A": [[372, 394]], "Indicator: Downloader.SearchSafe": [[479, 500]], "Indicator: 
PUP.Optional.SearchSafer": [[501, 525]], "Indicator: PUA.Downloader!": [[526, 541]]}, "info": {"id": "cyner2_5class_train_05539", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ScaraNV.Trojan Trojan/W32.Scar.1611453 Trojan.Win32.Scar!O TrojanDropper.Scudy.S12799 Trojan.Scar.Win32.11534 Trojan.Zusy.D382CD WORM_SCUDY.SMA WORM_SCUDY.SMA Trojan.Win32.A.Scar.876573 Trojan:W32/Scar.O Trojan.Click1.19227 Trojan/Scar.flx TrojanDropper:Win32/Scudy.A Trojan/Win32.Scar.R45219 Trojan.Scar Trojan.Dropper Trojan.Scar!3JbHUSbGsGc Trojan.Win32.Scar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ScaraNV.Trojan": [[26, 44]], "Indicator: Trojan/W32.Scar.1611453": [[45, 68]], "Indicator: Trojan.Win32.Scar!O": [[69, 88]], "Indicator: TrojanDropper.Scudy.S12799": [[89, 115]], "Indicator: Trojan.Scar.Win32.11534": [[116, 139]], "Indicator: Trojan.Zusy.D382CD": [[140, 158]], "Indicator: WORM_SCUDY.SMA": [[159, 173], [174, 188]], "Indicator: Trojan.Win32.A.Scar.876573": [[189, 215]], "Indicator: Trojan:W32/Scar.O": [[216, 233]], "Indicator: Trojan.Click1.19227": [[234, 253]], "Indicator: Trojan/Scar.flx": [[254, 269]], "Indicator: TrojanDropper:Win32/Scudy.A": [[270, 297]], "Indicator: Trojan/Win32.Scar.R45219": [[298, 322]], "Indicator: Trojan.Scar": [[323, 334]], "Indicator: Trojan.Dropper": [[335, 349]], "Indicator: Trojan.Scar!3JbHUSbGsGc": [[350, 373]], "Indicator: Trojan.Win32.Scar": [[374, 391]]}, "info": {"id": "cyner2_5class_train_05540", "source": "cyner2_5class_train"}} +{"text": "On April 19, Cyphort hardware sandbox trolled over a site www.49lou.com that served up 83 pieces of Windows executable files EXE and DLL binaries with zero user interaction.", "spans": {"Malware: Cyphort hardware sandbox": [[13, 37]], "Indicator: www.49lou.com": [[58, 71]], "System: 83 pieces of Windows executable files EXE and DLL binaries": [[87, 145]]}, "info": {"id": "cyner2_5class_train_05541", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: Trojan.Vake BehavesLike.Win32.BadFile.mt Trojan.Win32.Vake TR/Vake.onkgl Trojan.Heur.RX.EDF54F Trojan:Win32/Vake.D Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vake": [[26, 37]], "Indicator: BehavesLike.Win32.BadFile.mt": [[38, 66]], "Indicator: Trojan.Win32.Vake": [[67, 84]], "Indicator: TR/Vake.onkgl": [[85, 98]], "Indicator: Trojan.Heur.RX.EDF54F": [[99, 120]], "Indicator: Trojan:Win32/Vake.D": [[121, 140]], "Indicator: Trj/GdSda.A": [[141, 152]]}, "info": {"id": "cyner2_5class_train_05542", "source": "cyner2_5class_train"}} +{"text": "Another interesting artifact part of the EK flow is the use of an XML configuration file which contains JScript code.", "spans": {"Malware: EK": [[41, 43]], "Indicator: XML configuration file": [[66, 88]], "Indicator: JScript code.": [[104, 117]]}, "info": {"id": "cyner2_5class_train_05543", "source": "cyner2_5class_train"}} +{"text": "For Android 4.4.4 and older , the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so , and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so .", "spans": {"System: Android 4.4.4": [[4, 17]], "Indicator: libdvm.so": [[100, 109]], "System: Android": [[120, 127]], "Indicator: libandroid_runtime.so": [[190, 211]]}, "info": {"id": "cyner2_5class_train_05544", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Votos Trojan.Zusy.D151C6 Win32.Trojan.WisdomEyes.16070401.9500.9956 Trojan.Win32.Clicker.cqsnmq Trojan.Win32.Z.Zusy.314880.BK Trojan.Click2.61352 Trojan-Downloader.Win32.Votos W32/Trojan.OORK-3033 TR/Taranis.2482 Trojan[Dropper]/Win32.Dinwod TrojanDownloader:Win32/Votos.A Trojan/Win32.Votos.R105546 TrojanDropper.Dinwod Trj/CI.A Win32/Trojan.ac2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Votos": [[26, 48]], "Indicator: Trojan.Zusy.D151C6": [[49, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9956": [[68, 110]], 
"Indicator: Trojan.Win32.Clicker.cqsnmq": [[111, 138]], "Indicator: Trojan.Win32.Z.Zusy.314880.BK": [[139, 168]], "Indicator: Trojan.Click2.61352": [[169, 188]], "Indicator: Trojan-Downloader.Win32.Votos": [[189, 218]], "Indicator: W32/Trojan.OORK-3033": [[219, 239]], "Indicator: TR/Taranis.2482": [[240, 255]], "Indicator: Trojan[Dropper]/Win32.Dinwod": [[256, 284]], "Indicator: TrojanDownloader:Win32/Votos.A": [[285, 315]], "Indicator: Trojan/Win32.Votos.R105546": [[316, 342]], "Indicator: TrojanDropper.Dinwod": [[343, 363]], "Indicator: Trj/CI.A": [[364, 372]], "Indicator: Win32/Trojan.ac2": [[373, 389]]}, "info": {"id": "cyner2_5class_train_05545", "source": "cyner2_5class_train"}} +{"text": "We do not know why , but we suspect that it was an attempt to hide the origin of the application .", "spans": {}, "info": {"id": "cyner2_5class_train_05546", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.OXFE-7365 Backdoor.Chilurat Trojan.Win32.Trochil.a BehavesLike.Win32.Downloader.mz Trojan.Trochil.a Trojan.Win32.Trochil.a Trojan:Win32/Trochil.A Win32.Trojan.Trochil.Wrqj Win32/Trojan.369", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.OXFE-7365": [[26, 46]], "Indicator: Backdoor.Chilurat": [[47, 64]], "Indicator: Trojan.Win32.Trochil.a": [[65, 87], [137, 159]], "Indicator: BehavesLike.Win32.Downloader.mz": [[88, 119]], "Indicator: Trojan.Trochil.a": [[120, 136]], "Indicator: Trojan:Win32/Trochil.A": [[160, 182]], "Indicator: Win32.Trojan.Trochil.Wrqj": [[183, 208]], "Indicator: Win32/Trojan.369": [[209, 225]]}, "info": {"id": "cyner2_5class_train_05547", "source": "cyner2_5class_train"}} +{"text": "The application downloads the file and dynamically loads it using dalvik.system.DexClassLoader and invokes class and method specified in json .", "spans": {"Indicator: json .": [[137, 143]]}, "info": {"id": "cyner2_5class_train_05548", "source": "cyner2_5class_train"}} +{"text": "] it Catania server3.exodus.connexxa [ .", 
"spans": {"Indicator: server3.exodus.connexxa [ .": [[13, 40]]}, "info": {"id": "cyner2_5class_train_05549", "source": "cyner2_5class_train"}} +{"text": "Threat Source newsletter March 2, 2023 — Little victories in the fight against ransomware", "spans": {"Organization: Threat Source newsletter": [[0, 24]], "Malware: ransomware": [[79, 89]]}, "info": {"id": "cyner2_5class_train_05550", "source": "cyner2_5class_train"}} +{"text": "This round of FIN7 phishing lures implements hidden shortcut files LNK files to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.", "spans": {"Indicator: hidden shortcut files LNK files to initiate the infection and VBScript functionality launched": [[45, 138]], "Malware: mshta.exe": [[142, 151]], "Organization: victim.": [[166, 173]]}, "info": {"id": "cyner2_5class_train_05551", "source": "cyner2_5class_train"}} +{"text": "In 2014, TrendMicro began seeing attacks that abused the Windows PowerShell.", "spans": {"Organization: TrendMicro": [[9, 19]], "Indicator: attacks": [[33, 40]], "System: the Windows PowerShell.": [[53, 76]]}, "info": {"id": "cyner2_5class_train_05552", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9944 TSPY_EMOTET.SMD3 Trojan.Win32.Inject.exldsx Trojan.Encoder.24431 TSPY_EMOTET.SMD3 BehavesLike.Win32.Backdoor.dc Trojan.Jorik.afpv TR/Crypt.ZPACK.uxhop Trojan[Dropper]/Win32.Scrop Ransom:Win32/Pulobe.A Trojan.Midie.DA9F2 Trojan.SmokeLoader Win32/Trojan.9b7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[26, 68]], "Indicator: TSPY_EMOTET.SMD3": [[69, 85], [134, 150]], "Indicator: Trojan.Win32.Inject.exldsx": [[86, 112]], "Indicator: Trojan.Encoder.24431": [[113, 133]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[151, 180]], "Indicator: Trojan.Jorik.afpv": [[181, 198]], "Indicator: TR/Crypt.ZPACK.uxhop": [[199, 219]], "Indicator: Trojan[Dropper]/Win32.Scrop": 
[[220, 247]], "Indicator: Ransom:Win32/Pulobe.A": [[248, 269]], "Indicator: Trojan.Midie.DA9F2": [[270, 288]], "Indicator: Trojan.SmokeLoader": [[289, 307]], "Indicator: Win32/Trojan.9b7": [[308, 324]]}, "info": {"id": "cyner2_5class_train_05553", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9961 Trojan-Dropper.Win32.Dapato TrojanDropper:Win32/Ambler.F Trojan.Zusy.953", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[26, 68]], "Indicator: Trojan-Dropper.Win32.Dapato": [[69, 96]], "Indicator: TrojanDropper:Win32/Ambler.F": [[97, 125]], "Indicator: Trojan.Zusy.953": [[126, 141]]}, "info": {"id": "cyner2_5class_train_05554", "source": "cyner2_5class_train"}} +{"text": "[clearskysec] Attacks against all targets in the Middle East stopped at once, after we published our first report.", "spans": {"Organization: [clearskysec]": [[0, 13]], "Indicator: Attacks": [[14, 21]], "Organization: targets": [[34, 41]]}, "info": {"id": "cyner2_5class_train_05555", "source": "cyner2_5class_train"}} +{"text": "Thanatos is being marketed as a service with both short and long-term subscriptions and support and the authors claim it is under ongoing development with new plugins and functionality being actively added", "spans": {"Malware: Thanatos": [[0, 8]], "Indicator: service with both short and long-term subscriptions and support": [[32, 95]], "System: plugins": [[159, 166]]}, "info": {"id": "cyner2_5class_train_05556", "source": "cyner2_5class_train"}} +{"text": "Details about the sample, including a hash are available at the end of this writeup.", "spans": {}, "info": {"id": "cyner2_5class_train_05557", "source": "cyner2_5class_train"}} +{"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages .", "spans": {"System: 
Android": [[0, 7], [114, 121]]}, "info": {"id": "cyner2_5class_train_05558", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy.MSIL.KeyLogger!O TrojanSpy.Moorest Trojan/KeyLogger.iec Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan2.NZWO TSPY_MOOREST.SMJJ Trojan-Spy.MSIL.KeyLogger.iec Trojan.Win32.Clicker.dkktnp IM-Flooder.W32.Delf.l2lu Msil.Trojan-spy.Keylogger.Pito Trojan.Click2.7338 TSPY_MOOREST.SMJJ W32/Trojan.CJSE-3516 Trojan-Spy.MSIL.KeyLogger.iec TrojanSpy:MSIL/Moorest.A TrojanSpy.MSIL.KeyLogger MSIL/Spy.Keylogger.GT Win32/Trojan.Spy.9b9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy.MSIL.KeyLogger!O": [[26, 53]], "Indicator: TrojanSpy.Moorest": [[54, 71]], "Indicator: Trojan/KeyLogger.iec": [[72, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[93, 135]], "Indicator: W32/Trojan2.NZWO": [[136, 152]], "Indicator: TSPY_MOOREST.SMJJ": [[153, 170], [304, 321]], "Indicator: Trojan-Spy.MSIL.KeyLogger.iec": [[171, 200], [343, 372]], "Indicator: Trojan.Win32.Clicker.dkktnp": [[201, 228]], "Indicator: IM-Flooder.W32.Delf.l2lu": [[229, 253]], "Indicator: Msil.Trojan-spy.Keylogger.Pito": [[254, 284]], "Indicator: Trojan.Click2.7338": [[285, 303]], "Indicator: W32/Trojan.CJSE-3516": [[322, 342]], "Indicator: TrojanSpy:MSIL/Moorest.A": [[373, 397]], "Indicator: TrojanSpy.MSIL.KeyLogger": [[398, 422]], "Indicator: MSIL/Spy.Keylogger.GT": [[423, 444]], "Indicator: Win32/Trojan.Spy.9b9": [[445, 465]]}, "info": {"id": "cyner2_5class_train_05559", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05560", "source": "cyner2_5class_train"}} +{"text": "Check Point Research has submitted data to Google and law enforcement units to facilitate further investigation .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[43, 49]]}, "info": {"id": "cyner2_5class_train_05561", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Pwstool.Cain Application.Pwcrack.Cain.GL not-a-virus:PSWTool.Win32.Cain.s Application.Pwcrack.Cain.GL Riskware.Win32.Cain.ewvhjq Application.Pwcrack.Cain Tool.Cain PUA.CainAbel PSWTool.Cain.c DR/PSW.Cain.284.47 not-a-virus:PSWTool.Win32.Cain.s Trj/CI.A Win32/Trojan.Dropper.0c3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Pwstool.Cain": [[26, 38]], "Indicator: Application.Pwcrack.Cain.GL": [[39, 66], [100, 127]], "Indicator: not-a-virus:PSWTool.Win32.Cain.s": [[67, 99], [237, 269]], "Indicator: Riskware.Win32.Cain.ewvhjq": [[128, 154]], "Indicator: Application.Pwcrack.Cain": [[155, 179]], "Indicator: Tool.Cain": [[180, 189]], "Indicator: PUA.CainAbel": [[190, 202]], "Indicator: PSWTool.Cain.c": [[203, 217]], "Indicator: DR/PSW.Cain.284.47": [[218, 236]], "Indicator: Trj/CI.A": [[270, 278]], "Indicator: Win32/Trojan.Dropper.0c3": [[279, 303]]}, "info": {"id": "cyner2_5class_train_05562", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Ainslot.A3 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_BLADABI.SMC Trojan.Win32.Drop.dcmduv Trojan.Win32.Z.Fraudrop.205824 Backdoor.MSIL.Parama.RANG BKDR_BLADABI.SMC BehavesLike.Win32.Trojan.dh Trojan-Dropper.Win32.Dorifel Trojan[Dropper]/Win32.FrauDrop Win32.Troj.FrauDrop.kcloud PWS:MSIL/Mintluks.A Trojan/Win32.FrauDrop.R127506 TrojanDropper.FrauDrop MSIL/Blocker.PAN!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Ainslot.A3": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: BKDR_BLADABI.SMC": [[85, 101], [184, 200]], "Indicator: Trojan.Win32.Drop.dcmduv": [[102, 126]], "Indicator: Trojan.Win32.Z.Fraudrop.205824": [[127, 157]], "Indicator: Backdoor.MSIL.Parama.RANG": [[158, 183]], "Indicator: BehavesLike.Win32.Trojan.dh": [[201, 228]], "Indicator: Trojan-Dropper.Win32.Dorifel": [[229, 257]], "Indicator: Trojan[Dropper]/Win32.FrauDrop": [[258, 288]], "Indicator: Win32.Troj.FrauDrop.kcloud": [[289, 315]], "Indicator: 
PWS:MSIL/Mintluks.A": [[316, 335]], "Indicator: Trojan/Win32.FrauDrop.R127506": [[336, 365]], "Indicator: TrojanDropper.FrauDrop": [[366, 388]], "Indicator: MSIL/Blocker.PAN!tr": [[389, 408]]}, "info": {"id": "cyner2_5class_train_05563", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Webcrack.A Trojan/WebCracker.a W32/Trojan.NDIN-1455 Application.Webcrack.A Application.Webcrack.A Riskware.Win32.WebCrack.bbira Application.Webcrack.A TrojWare.Win32.WebCracker.A Application.Webcrack.A Tool.WebCrack Trojan.WebCracker.Win32.2 W32/Trojan2.MHTV HackTool.WebCrack.40 Win32.Troj.WebCracker.A.kcloud Application.Webcrack.A Trojan/Win32.Webcracker.R66570 Trojan.Webcracker Win32/WebCracker.A Trojan.Win32.WebCracker.tfe Trojan.Win32.Webcracker Trojan.Win32.WebCraker.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Webcrack.A": [[26, 48], [90, 112], [113, 135], [166, 188], [217, 239], [349, 371]], "Indicator: Trojan/WebCracker.a": [[49, 68]], "Indicator: W32/Trojan.NDIN-1455": [[69, 89]], "Indicator: Riskware.Win32.WebCrack.bbira": [[136, 165]], "Indicator: TrojWare.Win32.WebCracker.A": [[189, 216]], "Indicator: Tool.WebCrack": [[240, 253]], "Indicator: Trojan.WebCracker.Win32.2": [[254, 279]], "Indicator: W32/Trojan2.MHTV": [[280, 296]], "Indicator: HackTool.WebCrack.40": [[297, 317]], "Indicator: Win32.Troj.WebCracker.A.kcloud": [[318, 348]], "Indicator: Trojan/Win32.Webcracker.R66570": [[372, 402]], "Indicator: Trojan.Webcracker": [[403, 420]], "Indicator: Win32/WebCracker.A": [[421, 439]], "Indicator: Trojan.Win32.WebCracker.tfe": [[440, 467]], "Indicator: Trojan.Win32.Webcracker": [[468, 491]], "Indicator: Trojan.Win32.WebCraker.A": [[492, 516]]}, "info": {"id": "cyner2_5class_train_05564", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Cossta.152000 Trojan.Cossta W32/Trojan.OSNY-0798 Backdoor.Cruprox Win32/NukeSped.AK Trojan/NukeSped.ak Trojan.Win32.Cossta.akea 
Trojan.Win32.Cossta.erwfkk Troj.W32.Cossta!c Trojan.DownLoader25.21345 Trojan.Cossta.Win32.10320 BehavesLike.Win32.MysticCompressor.cm Trojan.Win32.Cossta Worm/AutoIt.nml Trojan/Win32.Cossta Trojan.Win32.Cossta.akea Trojan/Win32.Cossta.C2091223 Win32.Trojan.Cossta.Syrj Trojan.Cossta!Kqe4w1x4ygI W32/Cossta.AKEA!tr Trojan.Cossta Trj/CI.A Win32/Trojan.b36", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Cossta.152000": [[26, 50]], "Indicator: Trojan.Cossta": [[51, 64], [480, 493]], "Indicator: W32/Trojan.OSNY-0798": [[65, 85]], "Indicator: Backdoor.Cruprox": [[86, 102]], "Indicator: Win32/NukeSped.AK": [[103, 120]], "Indicator: Trojan/NukeSped.ak": [[121, 139]], "Indicator: Trojan.Win32.Cossta.akea": [[140, 164], [356, 380]], "Indicator: Trojan.Win32.Cossta.erwfkk": [[165, 191]], "Indicator: Troj.W32.Cossta!c": [[192, 209]], "Indicator: Trojan.DownLoader25.21345": [[210, 235]], "Indicator: Trojan.Cossta.Win32.10320": [[236, 261]], "Indicator: BehavesLike.Win32.MysticCompressor.cm": [[262, 299]], "Indicator: Trojan.Win32.Cossta": [[300, 319]], "Indicator: Worm/AutoIt.nml": [[320, 335]], "Indicator: Trojan/Win32.Cossta": [[336, 355]], "Indicator: Trojan/Win32.Cossta.C2091223": [[381, 409]], "Indicator: Win32.Trojan.Cossta.Syrj": [[410, 434]], "Indicator: Trojan.Cossta!Kqe4w1x4ygI": [[435, 460]], "Indicator: W32/Cossta.AKEA!tr": [[461, 479]], "Indicator: Trj/CI.A": [[494, 502]], "Indicator: Win32/Trojan.b36": [[503, 519]]}, "info": {"id": "cyner2_5class_train_05565", "source": "cyner2_5class_train"}} +{"text": "Figure 5 .", "spans": {}, "info": {"id": "cyner2_5class_train_05566", "source": "cyner2_5class_train"}} +{"text": "This simulation shows that FakeSpy behaves differently on a physical device versus an emulator .", "spans": {"Malware: FakeSpy": [[27, 34]]}, "info": {"id": "cyner2_5class_train_05567", "source": "cyner2_5class_train"}} +{"text": "Preferences such as the FTP hostname and username are stored in a file named uploadpref.dat.", "spans": 
{"Indicator: FTP hostname": [[24, 36]], "Indicator: username": [[41, 49]], "Indicator: file": [[66, 70]], "Indicator: uploadpref.dat.": [[77, 92]]}, "info": {"id": "cyner2_5class_train_05568", "source": "cyner2_5class_train"}} +{"text": "There has been no evidence found yet that funds have been stolen from any infected banks.", "spans": {}, "info": {"id": "cyner2_5class_train_05569", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clode7b.Trojan.1410 Virtool.6143 Virtool.6143 Flooder.Piaoyes!YL6KHAf2k3Q Flooder.AG Flooder.Win32.Piaoyes.40 Virtool.6143 Virtool.6143 TrojWare.Win32.Flooder.Piaoyes.40 Virtool.6143 TR/Flood.Piaoyes.40.2 HackTool.Piaoyes Win32.Hack.Piaoyes.40.kcloud Win-Trojan/Piaoyes.171008 Virtool.6143 W32/Risk.PMPJ-1484 Win32/Flooder.Piaoyes.40 Flooder.Win32.Piaoyes.40 W32/Piaoyes.40!tr Flooder.DTA Trojan.Win32.Flooder.aS Win32/Trojan.Flood.199", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clode7b.Trojan.1410": [[26, 49]], "Indicator: Virtool.6143": [[50, 62], [63, 75], [140, 152], [153, 165], [200, 212], [307, 319]], "Indicator: Flooder.Piaoyes!YL6KHAf2k3Q": [[76, 103]], "Indicator: Flooder.AG": [[104, 114]], "Indicator: Flooder.Win32.Piaoyes.40": [[115, 139], [364, 388]], "Indicator: TrojWare.Win32.Flooder.Piaoyes.40": [[166, 199]], "Indicator: TR/Flood.Piaoyes.40.2": [[213, 234]], "Indicator: HackTool.Piaoyes": [[235, 251]], "Indicator: Win32.Hack.Piaoyes.40.kcloud": [[252, 280]], "Indicator: Win-Trojan/Piaoyes.171008": [[281, 306]], "Indicator: W32/Risk.PMPJ-1484": [[320, 338]], "Indicator: Win32/Flooder.Piaoyes.40": [[339, 363]], "Indicator: W32/Piaoyes.40!tr": [[389, 406]], "Indicator: Flooder.DTA": [[407, 418]], "Indicator: Trojan.Win32.Flooder.aS": [[419, 442]], "Indicator: Win32/Trojan.Flood.199": [[443, 465]]}, "info": {"id": "cyner2_5class_train_05570", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Ivruat.A11 Worm.AutoRun.Win32.120028 
Win32.Trojan.WisdomEyes.16070401.9500.9986 W32/Trojan.TNXK-0638 Trojan.Win32.Autoruner2.cvshvv Win32.HLLW.Autoruner2.20037 BehavesLike.Win32.BadFile.fh Trojan.Win32.Spy W32/Trojan2.OYTC W32.Worm.Pqk Worm:Win32/Ivruat.A Worm/Win32.AutoRun.R140023 Win32.Worm.Autorun.Dxwf Trojan.Scar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Ivruat.A11": [[26, 41]], "Indicator: Worm.AutoRun.Win32.120028": [[42, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[68, 110]], "Indicator: W32/Trojan.TNXK-0638": [[111, 131]], "Indicator: Trojan.Win32.Autoruner2.cvshvv": [[132, 162]], "Indicator: Win32.HLLW.Autoruner2.20037": [[163, 190]], "Indicator: BehavesLike.Win32.BadFile.fh": [[191, 219]], "Indicator: Trojan.Win32.Spy": [[220, 236]], "Indicator: W32/Trojan2.OYTC": [[237, 253]], "Indicator: W32.Worm.Pqk": [[254, 266]], "Indicator: Worm:Win32/Ivruat.A": [[267, 286]], "Indicator: Worm/Win32.AutoRun.R140023": [[287, 313]], "Indicator: Win32.Worm.Autorun.Dxwf": [[314, 337]], "Indicator: Trojan.Scar": [[338, 349]]}, "info": {"id": "cyner2_5class_train_05571", "source": "cyner2_5class_train"}} +{"text": "Push notifications were also used to control audio recording .", "spans": {}, "info": {"id": "cyner2_5class_train_05572", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Optix.340187 Backdoor.Win32.Optix!O Trojan.Madtol.C Backdoor.Optix Packer.W32.NSAnti.kZ85 Backdoor/Optix.f W32/OptixPro.I Backdoor.OptixPro.13 Win32/OptixPro.F BKDR_OPTIXPRO.H Win.Trojan.Optix-5 Backdoor.Win32.Optix.b Trojan.Win32.Optix.bslhnb Backdoor.Win32.Optix_Pro.340203 Trojan.DownLoader.60627 BKDR_OPTIXPRO.H BehavesLike.Win32.Dropper.fc W32/OptixPro.WZQS-7361 Backdoor/Optix.Pro.bd BDS/Optix.Pro.13.7 Trojan[Backdoor]/Win32.Optix Backdoor:Win32/Optixpro.T Backdoor.Win32.Optix.b Trojan/Win32.Xema.C66170 Backdoor.Optix Bck/OptixPro.C Win32/Optix.Pro.13 Backdoor.Optix.Pro.BD Backdoor.Win32.Optix", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Backdoor/W32.Optix.340187": [[26, 51]], "Indicator: Backdoor.Win32.Optix!O": [[52, 74]], "Indicator: Trojan.Madtol.C": [[75, 90]], "Indicator: Backdoor.Optix": [[91, 105], [551, 565]], "Indicator: Packer.W32.NSAnti.kZ85": [[106, 128]], "Indicator: Backdoor/Optix.f": [[129, 145]], "Indicator: W32/OptixPro.I": [[146, 160]], "Indicator: Backdoor.OptixPro.13": [[161, 181]], "Indicator: Win32/OptixPro.F": [[182, 198]], "Indicator: BKDR_OPTIXPRO.H": [[199, 214], [339, 354]], "Indicator: Win.Trojan.Optix-5": [[215, 233]], "Indicator: Backdoor.Win32.Optix.b": [[234, 256], [503, 525]], "Indicator: Trojan.Win32.Optix.bslhnb": [[257, 282]], "Indicator: Backdoor.Win32.Optix_Pro.340203": [[283, 314]], "Indicator: Trojan.DownLoader.60627": [[315, 338]], "Indicator: BehavesLike.Win32.Dropper.fc": [[355, 383]], "Indicator: W32/OptixPro.WZQS-7361": [[384, 406]], "Indicator: Backdoor/Optix.Pro.bd": [[407, 428]], "Indicator: BDS/Optix.Pro.13.7": [[429, 447]], "Indicator: Trojan[Backdoor]/Win32.Optix": [[448, 476]], "Indicator: Backdoor:Win32/Optixpro.T": [[477, 502]], "Indicator: Trojan/Win32.Xema.C66170": [[526, 550]], "Indicator: Bck/OptixPro.C": [[566, 580]], "Indicator: Win32/Optix.Pro.13": [[581, 599]], "Indicator: Backdoor.Optix.Pro.BD": [[600, 621]], "Indicator: Backdoor.Win32.Optix": [[622, 642]]}, "info": {"id": "cyner2_5class_train_05573", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Hider!O W32/Backdoor.BVFG TROJ_HIDER.I Win.Trojan.Hider-4 Trojan.Win32.Hider.234496 Troj.W32.Hider.toFP Trojan.Hidn Trojan.Hider.Win32.266 TROJ_HIDER.I Trojan-Dropper.Delf Trojan/Win32.Hider.gh Win32.Troj.Hider.i.234496 Trojan.Win32.Hider.gh Trojan.Hider Win32/Trojan.0bc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Hider!O": [[26, 46]], "Indicator: W32/Backdoor.BVFG": [[47, 64]], "Indicator: TROJ_HIDER.I": [[65, 77], [178, 190]], "Indicator: Win.Trojan.Hider-4": [[78, 96]], "Indicator: Trojan.Win32.Hider.234496": [[97, 122]], 
"Indicator: Troj.W32.Hider.toFP": [[123, 142]], "Indicator: Trojan.Hidn": [[143, 154]], "Indicator: Trojan.Hider.Win32.266": [[155, 177]], "Indicator: Trojan-Dropper.Delf": [[191, 210]], "Indicator: Trojan/Win32.Hider.gh": [[211, 232]], "Indicator: Win32.Troj.Hider.i.234496": [[233, 258]], "Indicator: Trojan.Win32.Hider.gh": [[259, 280]], "Indicator: Trojan.Hider": [[281, 293]], "Indicator: Win32/Trojan.0bc": [[294, 310]]}, "info": {"id": "cyner2_5class_train_05574", "source": "cyner2_5class_train"}} +{"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks .", "spans": {}, "info": {"id": "cyner2_5class_train_05575", "source": "cyner2_5class_train"}} +{"text": "Over the past few months, new strains of this infamous Android malware family have surfaced in third-party APK markets, as well as in the official Google Play store.", "spans": {"Malware: strains": [[30, 37]], "Malware: Android malware family": [[55, 77]], "System: APK markets,": [[107, 119]], "System: the official Google Play store.": [[134, 165]]}, "info": {"id": "cyner2_5class_train_05576", "source": "cyner2_5class_train"}} +{"text": "These repackaged apps pose as communication , news , lifestyle , book , and reference apps popularly used in the Middle East .", "spans": {}, "info": {"id": "cyner2_5class_train_05577", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.VBKrypt.315392.AK Trojan.Win32.VBKrypt!O Trojan/Injector.wms Win32.Trojan.Inject.bh HV_VBKRYPT_CG092B3E.RDXN Trojan.Win32.VBKrypt.nrzc Trojan.Win32.VBKrypt.dzjqpk Trojan.MulDrop4.8756 Trojan.VBKrypt.Win32.180705 BehavesLike.Win32.BadFile.fh Trojan-PWS.Win32.Zbot Trojan.VBKrypt.amiu Trojan/Win32.VBKrypt Trojan.Symmi.D4542 Trojan.Win32.A.VBKrypt.315392.CI Trojan.Win32.VBKrypt.nrzc Worm:Win32/Secrar.A Trojan/Win32.Jorik.R37626 BScope.Worm.Gamarue.1191 W32/VBKrypt.MBW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.VBKrypt.315392.AK": 
[[26, 54]], "Indicator: Trojan.Win32.VBKrypt!O": [[55, 77]], "Indicator: Trojan/Injector.wms": [[78, 97]], "Indicator: Win32.Trojan.Inject.bh": [[98, 120]], "Indicator: HV_VBKRYPT_CG092B3E.RDXN": [[121, 145]], "Indicator: Trojan.Win32.VBKrypt.nrzc": [[146, 171], [393, 418]], "Indicator: Trojan.Win32.VBKrypt.dzjqpk": [[172, 199]], "Indicator: Trojan.MulDrop4.8756": [[200, 220]], "Indicator: Trojan.VBKrypt.Win32.180705": [[221, 248]], "Indicator: BehavesLike.Win32.BadFile.fh": [[249, 277]], "Indicator: Trojan-PWS.Win32.Zbot": [[278, 299]], "Indicator: Trojan.VBKrypt.amiu": [[300, 319]], "Indicator: Trojan/Win32.VBKrypt": [[320, 340]], "Indicator: Trojan.Symmi.D4542": [[341, 359]], "Indicator: Trojan.Win32.A.VBKrypt.315392.CI": [[360, 392]], "Indicator: Worm:Win32/Secrar.A": [[419, 438]], "Indicator: Trojan/Win32.Jorik.R37626": [[439, 464]], "Indicator: BScope.Worm.Gamarue.1191": [[465, 489]], "Indicator: W32/VBKrypt.MBW!tr": [[490, 508]]}, "info": {"id": "cyner2_5class_train_05578", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Proxy/W32.Mitglieder.8304 Trojan/Proxy.Mitglieder.af TrojanProxy.Mitglied!TVlYB86T2l0 Trojan.Mitglieder.G Win32/Mitglieder.Z TSPY_TARNO.D Trojan.Win32.Mitglieder.dkdz TrojWare.Win32.TrojanProxy.Mitglieder.AF Trojan.Mitglieder.Win32.173 TSPY_TARNO.D BehavesLike.Win32.Downloader.xc W32/Mitglieder.M TrojanProxy.Mitglieder.h Win32.Troj.Mitglieder.af.kcloud TrojanProxy:Win32/Mitglieder.DK Win-Trojan/Mitglieder.8304 Trojan-Proxy.Win32.Mitglieder.e Trojan.Win32.Mitglieder.aTNT Win32/TrojanProxy.Mitglieder.AF Win32.Trojan-proxy.Mitglieder.Ectn Trojan-Proxy.Win32.Mitglieder.CL W32/Tarno.D!tr Proxy.4.AZ Win32/Trojan.63b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Proxy/W32.Mitglieder.8304": [[26, 58]], "Indicator: Trojan/Proxy.Mitglieder.af": [[59, 85]], "Indicator: TrojanProxy.Mitglied!TVlYB86T2l0": [[86, 118]], "Indicator: Trojan.Mitglieder.G": [[119, 138]], "Indicator: Win32/Mitglieder.Z": [[139, 
157]], "Indicator: TSPY_TARNO.D": [[158, 170], [269, 281]], "Indicator: Trojan.Win32.Mitglieder.dkdz": [[171, 199]], "Indicator: TrojWare.Win32.TrojanProxy.Mitglieder.AF": [[200, 240]], "Indicator: Trojan.Mitglieder.Win32.173": [[241, 268]], "Indicator: BehavesLike.Win32.Downloader.xc": [[282, 313]], "Indicator: W32/Mitglieder.M": [[314, 330]], "Indicator: TrojanProxy.Mitglieder.h": [[331, 355]], "Indicator: Win32.Troj.Mitglieder.af.kcloud": [[356, 387]], "Indicator: TrojanProxy:Win32/Mitglieder.DK": [[388, 419]], "Indicator: Win-Trojan/Mitglieder.8304": [[420, 446]], "Indicator: Trojan-Proxy.Win32.Mitglieder.e": [[447, 478]], "Indicator: Trojan.Win32.Mitglieder.aTNT": [[479, 507]], "Indicator: Win32/TrojanProxy.Mitglieder.AF": [[508, 539]], "Indicator: Win32.Trojan-proxy.Mitglieder.Ectn": [[540, 574]], "Indicator: Trojan-Proxy.Win32.Mitglieder.CL": [[575, 607]], "Indicator: W32/Tarno.D!tr": [[608, 622]], "Indicator: Proxy.4.AZ": [[623, 633]], "Indicator: Win32/Trojan.63b": [[634, 650]]}, "info": {"id": "cyner2_5class_train_05579", "source": "cyner2_5class_train"}} +{"text": "SilentPush investigates a recent Facebook phishing campaign targeting social media users on Facebook Messenger, but what do we know about the attack's tactics and what can we do about it?", "spans": {"Organization: SilentPush": [[0, 10]], "System: social media": [[70, 82]], "System: Facebook Messenger,": [[92, 111]], "Indicator: attack's": [[142, 150]]}, "info": {"id": "cyner2_5class_train_05580", "source": "cyner2_5class_train"}} +{"text": "The data that Domestic Kitten steals follows a similar format with Bouncing Golf ’ s , with each type of data having a unique identifying character .", "spans": {"Malware: Domestic Kitten": [[14, 29]], "Malware: Bouncing Golf": [[67, 80]]}, "info": {"id": "cyner2_5class_train_05581", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB Trojan.Symmi.DFDA4 Win32.Trojan.WisdomEyes.16070401.9500.9858 
Trojan.Win32.VB.ckrm Trojan.Win32.VB.edplzz Troj.W32.Vb!c Trojan:W32/Kilim.P Trojan.VB.Win32.164816 TR/Kecix.ztie Trojan/Win32.VB Trojan:Win32/Kecix.A Trojan.Win32.VB.ckrm Trojan.VB Trj/CI.A Win32.Trojan.Vb.Pdlo Trojan.VB!Qw/pqsBL6E0 Win32.Outbreak Win32/Trojan.b08", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VB!O": [[26, 43]], "Indicator: Trojan.VB": [[44, 53], [288, 297]], "Indicator: Trojan.Symmi.DFDA4": [[54, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9858": [[73, 115]], "Indicator: Trojan.Win32.VB.ckrm": [[116, 136], [267, 287]], "Indicator: Trojan.Win32.VB.edplzz": [[137, 159]], "Indicator: Troj.W32.Vb!c": [[160, 173]], "Indicator: Trojan:W32/Kilim.P": [[174, 192]], "Indicator: Trojan.VB.Win32.164816": [[193, 215]], "Indicator: TR/Kecix.ztie": [[216, 229]], "Indicator: Trojan/Win32.VB": [[230, 245]], "Indicator: Trojan:Win32/Kecix.A": [[246, 266]], "Indicator: Trj/CI.A": [[298, 306]], "Indicator: Win32.Trojan.Vb.Pdlo": [[307, 327]], "Indicator: Trojan.VB!Qw/pqsBL6E0": [[328, 349]], "Indicator: Win32.Outbreak": [[350, 364]], "Indicator: Win32/Trojan.b08": [[365, 381]]}, "info": {"id": "cyner2_5class_train_05582", "source": "cyner2_5class_train"}} +{"text": "Security Without Borders has recently published an analysis of this family , independently , through their blog .", "spans": {"Organization: Security Without Borders": [[0, 24]]}, "info": {"id": "cyner2_5class_train_05583", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Tool.PassView.Win32.702 Win.Trojan.Lmir-87 not-a-virus:PSWTool.Win32.PassView.vly Win32.Trojan.Psw.Szlj Application.Win32.PassView.1_51 BehavesLike.Win32.Dropper.mh not-a-virus:PSWTool.Win32.PassView W32/Application.YMHQ-2387 Backdoor/Prorat.fxr TR/PSW.Dumaru Trojan[PSWTool]/Win32.PassView Worm:Win32/Dumaru.H@mm Application.Heur.E5E9B8 not-a-virus:PSWTool.Win32.PassView.vly PassDump.b PUP.Optional.PassView Riskware.PSWTool!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Tool.PassView.Win32.702": [[26, 49]], "Indicator: Win.Trojan.Lmir-87": [[50, 68]], "Indicator: not-a-virus:PSWTool.Win32.PassView.vly": [[69, 107], [364, 402]], "Indicator: Win32.Trojan.Psw.Szlj": [[108, 129]], "Indicator: Application.Win32.PassView.1_51": [[130, 161]], "Indicator: BehavesLike.Win32.Dropper.mh": [[162, 190]], "Indicator: not-a-virus:PSWTool.Win32.PassView": [[191, 225]], "Indicator: W32/Application.YMHQ-2387": [[226, 251]], "Indicator: Backdoor/Prorat.fxr": [[252, 271]], "Indicator: TR/PSW.Dumaru": [[272, 285]], "Indicator: Trojan[PSWTool]/Win32.PassView": [[286, 316]], "Indicator: Worm:Win32/Dumaru.H@mm": [[317, 339]], "Indicator: Application.Heur.E5E9B8": [[340, 363]], "Indicator: PassDump.b": [[403, 413]], "Indicator: PUP.Optional.PassView": [[414, 435]], "Indicator: Riskware.PSWTool!": [[436, 453]]}, "info": {"id": "cyner2_5class_train_05584", "source": "cyner2_5class_train"}} +{"text": "While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money.", "spans": {"System: ATMs": [[29, 33]], "System: ATM": [[108, 111]], "Malware: malware": [[117, 124]]}, "info": {"id": "cyner2_5class_train_05585", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Pinfi.B Win32.Parite.B Virus/W32.Parite.C Virus.Win32.Parite.b!O W32.Perite.A W32/Pate.b W32/Pate.B Win32.Virus.Parite.d W32/Parite.B@mm W32.Pinfi.B Win32/Pinfi.A PE_PARITE.A Heuristics.W32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Virus.Win32.Parite.bgvo W32.Parite.b!c Win32.Parite.B Win32.Parite.B Win32.Parite.2 Virus.Parite.Win32.9 PE_PARITE.A BehavesLike.Win32.Pate.gc Trojan.Win32.FakeAV W32/Parite.LAQX-0866 Win32/Parite.b Virus/Win32.Parite.c Win32.Parite.b.5756 TrojanDownloader:Win32/Grogsas.A Win32.Parite.B Win32.Parite.A Virus.Win32.Parite.b Win32.Parite.B Win32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Win32/Parite.B Win32.Parite.B W32/Parite.B W32/Parite.B 
Virus.Win32.Parite.H", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Pinfi.B": [[26, 37], [167, 178]], "Indicator: Win32.Parite.B": [[38, 52], [250, 264], [304, 318], [319, 333], [538, 552], [589, 603], [604, 618], [640, 654], [670, 684]], "Indicator: Virus/W32.Parite.C": [[53, 71]], "Indicator: Virus.Win32.Parite.b!O": [[72, 94]], "Indicator: W32.Perite.A": [[95, 107]], "Indicator: W32/Pate.b": [[108, 118]], "Indicator: W32/Pate.B": [[119, 129]], "Indicator: Win32.Virus.Parite.d": [[130, 150]], "Indicator: W32/Parite.B@mm": [[151, 166]], "Indicator: Win32/Pinfi.A": [[179, 192]], "Indicator: PE_PARITE.A": [[193, 204], [370, 381]], "Indicator: Heuristics.W32.Parite.B": [[205, 228]], "Indicator: Virus.Win32.Parite.b": [[229, 249], [568, 588], [619, 639]], "Indicator: Virus.Win32.Parite.bgvo": [[265, 288]], "Indicator: W32.Parite.b!c": [[289, 303]], "Indicator: Win32.Parite.2": [[334, 348]], "Indicator: Virus.Parite.Win32.9": [[349, 369]], "Indicator: BehavesLike.Win32.Pate.gc": [[382, 407]], "Indicator: Trojan.Win32.FakeAV": [[408, 427]], "Indicator: W32/Parite.LAQX-0866": [[428, 448]], "Indicator: Win32/Parite.b": [[449, 463]], "Indicator: Virus/Win32.Parite.c": [[464, 484]], "Indicator: Win32.Parite.b.5756": [[485, 504]], "Indicator: TrojanDownloader:Win32/Grogsas.A": [[505, 537]], "Indicator: Win32.Parite.A": [[553, 567]], "Indicator: Win32/Parite.B": [[655, 669]], "Indicator: W32/Parite.B": [[685, 697], [698, 710]], "Indicator: Virus.Win32.Parite.H": [[711, 731]]}, "info": {"id": "cyner2_5class_train_05586", "source": "cyner2_5class_train"}} +{"text": "Use mobile threat detection solutions for enhanced security .", "spans": {}, "info": {"id": "cyner2_5class_train_05587", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Suslix.C Backdoor/W32.PlxT.20480 Backdoor.Suslix.C Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Backdoor.NXX Backdoor.Trojan Win32/Paltry.C Win.Trojan.Delf-473 Backdoor.Suslix.C Backdoor.Win32.PlxT.a 
Backdoor.Suslix.C Backdoor.Win32.Z.Suslix.20480 Backdoor.Suslix.C W32/Backdoor.PGXD-0378 Backdoor/PlxT.b Trojan[Backdoor]/Win32.Suslix Backdoor.Suslix.C Backdoor.Win32.PlxT.a Backdoor:Win32/Suslix.A Backdoor.Suslix.C Trj/CI.A Win32/Suslix.NAA Win32.Backdoor.Plxt.Ejez Trojan.Win32.Spy W32/Suslix.NAA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Suslix.C": [[26, 43], [68, 85], [197, 214], [237, 254], [285, 302], [372, 389], [436, 453]], "Indicator: Backdoor/W32.PlxT.20480": [[44, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[86, 128]], "Indicator: W32/Backdoor.NXX": [[129, 145]], "Indicator: Backdoor.Trojan": [[146, 161]], "Indicator: Win32/Paltry.C": [[162, 176]], "Indicator: Win.Trojan.Delf-473": [[177, 196]], "Indicator: Backdoor.Win32.PlxT.a": [[215, 236], [390, 411]], "Indicator: Backdoor.Win32.Z.Suslix.20480": [[255, 284]], "Indicator: W32/Backdoor.PGXD-0378": [[303, 325]], "Indicator: Backdoor/PlxT.b": [[326, 341]], "Indicator: Trojan[Backdoor]/Win32.Suslix": [[342, 371]], "Indicator: Backdoor:Win32/Suslix.A": [[412, 435]], "Indicator: Trj/CI.A": [[454, 462]], "Indicator: Win32/Suslix.NAA": [[463, 479]], "Indicator: Win32.Backdoor.Plxt.Ejez": [[480, 504]], "Indicator: Trojan.Win32.Spy": [[505, 521]], "Indicator: W32/Suslix.NAA!tr": [[522, 539]]}, "info": {"id": "cyner2_5class_train_05588", "source": "cyner2_5class_train"}} +{"text": "Cyber4Sight has analyzed the malware distributed via the compromised Polish Financial Supervision Authority webpage and used in targeted attacks against a number of large banks and telecommunication companies.", "spans": {"Organization: Cyber4Sight": [[0, 11]], "Malware: malware": [[29, 36]], "Indicator: compromised Polish Financial Supervision Authority webpage": [[57, 115]], "Indicator: targeted attacks": [[128, 144]], "Organization: large banks": [[165, 176]], "Organization: telecommunication companies.": [[181, 209]]}, "info": {"id": "cyner2_5class_train_05589", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.38400.AY Trojan-Spy.Win32.Brospa!O Trojan.Witkinat Trojan/Spy.Brospa.cm TROJ_BROSPA.SMC Win32.Trojan.WisdomEyes.16070401.9500.9979 Backdoor.Trojan Win32/Witkinat.AY TROJ_BROSPA.SMC Win.Spyware.78717-2 Trojan.Win32.Brospa.bpglj Trojan.Win32.A.Brospa.38400.N Trojan.PWS.iThink.16 Trojan.Brospa.Win32.159 Trojan.Win32.Scar TrojanSpy.Brospa.o W32.Trojan.Witkinat.A Trojan[Spy]/Win32.Brospa Trojan:Win32/Witkinat.A Trojan/Win32.Brospa.R4351 TrojanSpy.Brospa Win32.Trojan-spy.Brospa.Wrqa W32/Witkinat.Q!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.38400.AY": [[26, 51]], "Indicator: Trojan-Spy.Win32.Brospa!O": [[52, 77]], "Indicator: Trojan.Witkinat": [[78, 93]], "Indicator: Trojan/Spy.Brospa.cm": [[94, 114]], "Indicator: TROJ_BROSPA.SMC": [[115, 130], [208, 223]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[131, 173]], "Indicator: Backdoor.Trojan": [[174, 189]], "Indicator: Win32/Witkinat.AY": [[190, 207]], "Indicator: Win.Spyware.78717-2": [[224, 243]], "Indicator: Trojan.Win32.Brospa.bpglj": [[244, 269]], "Indicator: Trojan.Win32.A.Brospa.38400.N": [[270, 299]], "Indicator: Trojan.PWS.iThink.16": [[300, 320]], "Indicator: Trojan.Brospa.Win32.159": [[321, 344]], "Indicator: Trojan.Win32.Scar": [[345, 362]], "Indicator: TrojanSpy.Brospa.o": [[363, 381]], "Indicator: W32.Trojan.Witkinat.A": [[382, 403]], "Indicator: Trojan[Spy]/Win32.Brospa": [[404, 428]], "Indicator: Trojan:Win32/Witkinat.A": [[429, 452]], "Indicator: Trojan/Win32.Brospa.R4351": [[453, 478]], "Indicator: TrojanSpy.Brospa": [[479, 495]], "Indicator: Win32.Trojan-spy.Brospa.Wrqa": [[496, 524]], "Indicator: W32/Witkinat.Q!tr": [[525, 542]]}, "info": {"id": "cyner2_5class_train_05590", "source": "cyner2_5class_train"}} +{"text": "Potentially malicious iOS connection Using the codes and “ Concipit1248 ” to check for more versions , we found two other apps in the App Store .", "spans": 
{"System: iOS": [[22, 25]], "System: App Store": [[134, 143]]}, "info": {"id": "cyner2_5class_train_05591", "source": "cyner2_5class_train"}} +{"text": "Targeting Postal and Transportation Services Companies One of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese speakers , but also almost any postal service company around the world .", "spans": {"Malware: FakeSpy": [[116, 123]]}, "info": {"id": "cyner2_5class_train_05592", "source": "cyner2_5class_train"}} +{"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware .", "spans": {"Malware: DroidJack RAT": [[91, 104]]}, "info": {"id": "cyner2_5class_train_05593", "source": "cyner2_5class_train"}} +{"text": "It appears to have evolved from the NewPOSthings family of malware first discovered by Dennis Schwarz and Dave Loftus at Arbor Networks.", "spans": {"Malware: NewPOSthings family of malware": [[36, 66]], "Organization: Arbor Networks.": [[121, 136]]}, "info": {"id": "cyner2_5class_train_05594", "source": "cyner2_5class_train"}} +{"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. 
over cyber espionage .", "spans": {}, "info": {"id": "cyner2_5class_train_05595", "source": "cyner2_5class_train"}} +{"text": "This new variant, dubbed HummingWhale,' includes new, cutting edge techniques that allow it to perform ad fraud better than ever before.", "spans": {"Malware: HummingWhale,'": [[25, 39]], "Indicator: ad fraud": [[103, 111]]}, "info": {"id": "cyner2_5class_train_05596", "source": "cyner2_5class_train"}} +{"text": "Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse [ .", "spans": {"Indicator: Minigameshouse": [[14, 28]], "Indicator: minigameshouse [ .": [[96, 114]]}, "info": {"id": "cyner2_5class_train_05597", "source": "cyner2_5class_train"}} +{"text": "SANS mail server quarantined this file FautraPago392023.gz and extracted the file to find there was no .exe extension associated with the file.", "spans": {"System: SANS mail server": [[0, 16]], "Indicator: file FautraPago392023.gz": [[34, 58]], "Indicator: file": [[77, 81]], "Indicator: .exe": [[103, 107]], "Indicator: file.": [[138, 143]]}, "info": {"id": "cyner2_5class_train_05598", "source": "cyner2_5class_train"}} +{"text": "When installed, GreenDispenser may display an out of service' message on the ATM -- but attackers who enter the correct pin codes can then drain the ATM's cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.", "spans": {"Malware: GreenDispenser": [[16, 30]], "Indicator: display an out of service' message": [[35, 69]], "Organization: ATM": [[77, 80]], "System: ATM's cash vault": [[149, 165]], "Indicator: erase GreenDispenser using a deep delete process,": [[170, 219]], "Indicator: little if any trace": [[228, 247]], "System: ATM": [[259, 262]]}, "info": {"id": "cyner2_5class_train_05599", "source": "cyner2_5class_train"}} +{"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity 
SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that looks like it was created for manual operator control .", "spans": {}, "info": {"id": "cyner2_5class_train_05600", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DeltreeY Trojan:BAT/DeltreeY.CA Trojan.BAT.DeltreeY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DeltreeY": [[26, 41]], "Indicator: Trojan:BAT/DeltreeY.CA": [[42, 64]], "Indicator: Trojan.BAT.DeltreeY": [[65, 84]]}, "info": {"id": "cyner2_5class_train_05601", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Miner.CB Application.Miner.CB Linux/RubyMiner.A BAT_COINMINE.WIPX Application.Miner.CB Troj.Downloader.Shell!c Application.Miner.CB Linux.DownLoader.684 BAT_COINMINE.WIPX Trojan.RubyMiner Win32/Trojan.Downloader.72e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Miner.CB": [[26, 46], [47, 67], [104, 124], [149, 169]], "Indicator: Linux/RubyMiner.A": [[68, 85]], "Indicator: BAT_COINMINE.WIPX": [[86, 103], [191, 208]], "Indicator: Troj.Downloader.Shell!c": [[125, 148]], "Indicator: Linux.DownLoader.684": [[170, 190]], "Indicator: Trojan.RubyMiner": [[209, 225]], "Indicator: Win32/Trojan.Downloader.72e": [[226, 253]]}, "info": {"id": "cyner2_5class_train_05602", "source": "cyner2_5class_train"}} +{"text": "The malware is a reflection of how PoS threats, though no longer novel, are increasingly used against businesses and their customers.", "spans": {"Malware: malware": [[4, 11]], "Malware: PoS threats,": [[35, 47]], "Organization: businesses": [[102, 112]], "Organization: customers.": [[123, 133]]}, "info": 
{"id": "cyner2_5class_train_05603", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.19132 Win32.Trojan.WisdomEyes.16070401.9500.9934 not-a-virus:HEUR:Monitor.Win32.BeyondKeyLogger.heur System.Monitor.Relytec.All-in-o TR/Spy.arobe not-a-virus:HEUR:Monitor.Win32.BeyondKeyLogger.heur Trojan:Win32/Dhodareet.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.19132": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9934": [[47, 89]], "Indicator: not-a-virus:HEUR:Monitor.Win32.BeyondKeyLogger.heur": [[90, 141], [187, 238]], "Indicator: System.Monitor.Relytec.All-in-o": [[142, 173]], "Indicator: TR/Spy.arobe": [[174, 186]], "Indicator: Trojan:Win32/Dhodareet.A": [[239, 263]]}, "info": {"id": "cyner2_5class_train_05604", "source": "cyner2_5class_train"}} +{"text": "Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region.", "spans": {}, "info": {"id": "cyner2_5class_train_05605", "source": "cyner2_5class_train"}} +{"text": "] 205 7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {"Indicator: 7ed754a802f0b6a1740a99683173db73": [[6, 38]], "Indicator: com.psiphon3": [[39, 51]], "Indicator: 188.165.49 [ .": [[63, 77]]}, "info": {"id": "cyner2_5class_train_05606", "source": "cyner2_5class_train"}} +{"text": "Based on the data we have acquired since October 2016, about 500 organizations from 50 countries were affected by the attack.", "spans": {"Organization: organizations": [[65, 78]], "Indicator: attack.": [[118, 125]]}, "info": {"id": "cyner2_5class_train_05607", "source": "cyner2_5class_train"}} +{"text": "The AES key is generated using a SHA256 hash and due to the keys being stored on the infected machine, victims in many cases could likely decrypt files without paying the ransom.", "spans": {"Indicator: AES key": [[4, 11]], "Indicator: SHA256 hash": [[33, 44]], "Indicator: keys": [[60, 64]], "System: infected 
machine,": [[85, 102]]}, "info": {"id": "cyner2_5class_train_05608", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod2e7.Trojan.3dab Backdoor/W32.Bifrose.737280.H Backdoor/Bifrose.chym BKDR_BIFROSE.DMQ W32/Trojan2.NEIM Backdoor.Trojan Win32/Tnega.UYbaRd BKDR_BIFROSE.DMQ Trojan.Win32.Bifrose.crakl Backdoor.W32.Bifrose.chym!c BackDoor.Bifrost.16023 Backdoor.Bifrose.Win32.49130 Backdoor.Bifrose W32/Trojan.TWKO-3939 BDS/Bifrose.chym W32/Bifrose.CHYM!tr.bdr Trojan[Backdoor]/Win32.Bifrose Backdoor/Win32.Bifrose.R127707 Backdoor.Bifrose Backdoor.Bifrose!bEtmoN1K0yI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod2e7.Trojan.3dab": [[26, 49]], "Indicator: Backdoor/W32.Bifrose.737280.H": [[50, 79]], "Indicator: Backdoor/Bifrose.chym": [[80, 101]], "Indicator: BKDR_BIFROSE.DMQ": [[102, 118], [171, 187]], "Indicator: W32/Trojan2.NEIM": [[119, 135]], "Indicator: Backdoor.Trojan": [[136, 151]], "Indicator: Win32/Tnega.UYbaRd": [[152, 170]], "Indicator: Trojan.Win32.Bifrose.crakl": [[188, 214]], "Indicator: Backdoor.W32.Bifrose.chym!c": [[215, 242]], "Indicator: BackDoor.Bifrost.16023": [[243, 265]], "Indicator: Backdoor.Bifrose.Win32.49130": [[266, 294]], "Indicator: Backdoor.Bifrose": [[295, 311], [436, 452]], "Indicator: W32/Trojan.TWKO-3939": [[312, 332]], "Indicator: BDS/Bifrose.chym": [[333, 349]], "Indicator: W32/Bifrose.CHYM!tr.bdr": [[350, 373]], "Indicator: Trojan[Backdoor]/Win32.Bifrose": [[374, 404]], "Indicator: Backdoor/Win32.Bifrose.R127707": [[405, 435]], "Indicator: Backdoor.Bifrose!bEtmoN1K0yI": [[453, 481]]}, "info": {"id": "cyner2_5class_train_05609", "source": "cyner2_5class_train"}} +{"text": "The affected educational organizations, for instance, are used to deliver employment exams for government employees.", "spans": {"Organization: educational organizations,": [[13, 39]], "Organization: government employees.": [[95, 116]]}, "info": {"id": "cyner2_5class_train_05610", "source": "cyner2_5class_train"}} 
+{"text": "A backdoor also known as: W32.DusbyetorLTS.Trojan Trojan/W32.Kriskynote.442892.B Backdoor.Kriskynote.A4 Trojan/Rootkitdrv.w Trojan.Graftor.D35150 Win32.Trojan.WisdomEyes.16070401.9500.9510 W32/Trojan.HHCY-2846 Backdoor.Korplug.B Win32/Rootkitdrv.W BKDR_WINNT.SMD Trojan.Win32.Kriskynote.ay Trojan.Win32.Kriskynote.dkkllk Trojan.Win32.Z.Kriskynote.442892 BackDoor.Korplug.18 Trojan.Kriskynote.Win32.1 BKDR_WINNT.SMD Trojan.Win32.Kriskynote Trojan/Kriskynote.a Trojan/Win32.Kriskynote Trojan.Win32.Kriskynote.ay Trojan:Win64/Kriskynote.A!dha Win32/Tnega.aacQTM Trojan.Kriskynote Win32.Trojan.Kriskynote.Lkmz W32/Kriskynote.AY!tr Win32/Trojan.6da", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DusbyetorLTS.Trojan": [[26, 49]], "Indicator: Trojan/W32.Kriskynote.442892.B": [[50, 80]], "Indicator: Backdoor.Kriskynote.A4": [[81, 103]], "Indicator: Trojan/Rootkitdrv.w": [[104, 123]], "Indicator: Trojan.Graftor.D35150": [[124, 145]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9510": [[146, 188]], "Indicator: W32/Trojan.HHCY-2846": [[189, 209]], "Indicator: Backdoor.Korplug.B": [[210, 228]], "Indicator: Win32/Rootkitdrv.W": [[229, 247]], "Indicator: BKDR_WINNT.SMD": [[248, 262], [400, 414]], "Indicator: Trojan.Win32.Kriskynote.ay": [[263, 289], [483, 509]], "Indicator: Trojan.Win32.Kriskynote.dkkllk": [[290, 320]], "Indicator: Trojan.Win32.Z.Kriskynote.442892": [[321, 353]], "Indicator: BackDoor.Korplug.18": [[354, 373]], "Indicator: Trojan.Kriskynote.Win32.1": [[374, 399]], "Indicator: Trojan.Win32.Kriskynote": [[415, 438]], "Indicator: Trojan/Kriskynote.a": [[439, 458]], "Indicator: Trojan/Win32.Kriskynote": [[459, 482]], "Indicator: Trojan:Win64/Kriskynote.A!dha": [[510, 539]], "Indicator: Win32/Tnega.aacQTM": [[540, 558]], "Indicator: Trojan.Kriskynote": [[559, 576]], "Indicator: Win32.Trojan.Kriskynote.Lkmz": [[577, 605]], "Indicator: W32/Kriskynote.AY!tr": [[606, 626]], "Indicator: Win32/Trojan.6da": [[627, 643]]}, "info": {"id": 
"cyner2_5class_train_05611", "source": "cyner2_5class_train"}} +{"text": "It contained approximately 8GB of stolen data .", "spans": {}, "info": {"id": "cyner2_5class_train_05612", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Crypt.qk Win32.Trojan.WisdomEyes.16070401.9500.9532 TROJ_KRYPTIK.VTG Trojan.MSIL.Crypt.qk Trojan.Win32.Crypt.djsue BackDoor.Cybergate.1727 Trojan.Crypt.Win32.2613 TROJ_KRYPTIK.VTG Trojan.MSIL.Crypt Trojan/MSIL.bms TR/MSIL.Crypt.qk Trojan.MSIL.Krypt.2 Trojan.MSIL.Crypt.qk TrojanDownloader:Win32/Radet.A Msil.Trojan.Crypt.Swvd Trojan.Crypt!QtVXUF+C8/k Win32/Trojan.b12", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Crypt.qk": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9532": [[42, 84]], "Indicator: TROJ_KRYPTIK.VTG": [[85, 101], [196, 212]], "Indicator: Trojan.MSIL.Crypt.qk": [[102, 122], [284, 304]], "Indicator: Trojan.Win32.Crypt.djsue": [[123, 147]], "Indicator: BackDoor.Cybergate.1727": [[148, 171]], "Indicator: Trojan.Crypt.Win32.2613": [[172, 195]], "Indicator: Trojan.MSIL.Crypt": [[213, 230]], "Indicator: Trojan/MSIL.bms": [[231, 246]], "Indicator: TR/MSIL.Crypt.qk": [[247, 263]], "Indicator: Trojan.MSIL.Krypt.2": [[264, 283]], "Indicator: TrojanDownloader:Win32/Radet.A": [[305, 335]], "Indicator: Msil.Trojan.Crypt.Swvd": [[336, 358]], "Indicator: Trojan.Crypt!QtVXUF+C8/k": [[359, 383]], "Indicator: Win32/Trojan.b12": [[384, 400]]}, "info": {"id": "cyner2_5class_train_05613", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE W32.Virut.G Win32/Virut.17408 PE_VIRUX.J Win.Trojan.Clicker-3135 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.J BehavesLike.Win32.Virut.mm Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.ce.53248 TrojanClicker:Win32/Sadbick.A W32.Virut.l4o5 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32/Virut.NBP Worm.Win32.VBNA W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: W32.Virut.G": [[39, 50]], "Indicator: Win32/Virut.17408": [[51, 68]], "Indicator: PE_VIRUX.J": [[69, 79], [184, 194]], "Indicator: Win.Trojan.Clicker-3135": [[80, 103]], "Indicator: Virus.Win32.Virut.ce": [[104, 124], [324, 344]], "Indicator: Virus.Win32.Virut.hpeg": [[125, 147]], "Indicator: Virus.Win32.Virut.Ce": [[148, 168]], "Indicator: Win32.Virut.56": [[169, 183]], "Indicator: BehavesLike.Win32.Virut.mm": [[195, 221]], "Indicator: Win32/Virut.bn": [[222, 236]], "Indicator: Virus/Win32.Virut.ce": [[237, 257]], "Indicator: Win32.Virut.ce.53248": [[258, 278]], "Indicator: TrojanClicker:Win32/Sadbick.A": [[279, 308]], "Indicator: W32.Virut.l4o5": [[309, 323]], "Indicator: Win32/Virut.F": [[345, 358]], "Indicator: Virus.Virut.06": [[359, 373]], "Indicator: Win32/Virut.NBP": [[374, 389]], "Indicator: Worm.Win32.VBNA": [[390, 405]], "Indicator: W32/Sality.AO": [[406, 419]]}, "info": {"id": "cyner2_5class_train_05614", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.9ED0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.HLLM.Reset.493 BehavesLike.Win32.Ransomware.cc Backdoor.Poison Trojan.Midie.DA81B Backdoor/Win32.Poison.R217323 Trojan.Nymaim", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.9ED0": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[43, 85]], "Indicator: Win32.HLLM.Reset.493": [[86, 106]], "Indicator: BehavesLike.Win32.Ransomware.cc": [[107, 138]], "Indicator: Backdoor.Poison": [[139, 154]], "Indicator: Trojan.Midie.DA81B": [[155, 173]], "Indicator: Backdoor/Win32.Poison.R217323": [[174, 203]], "Indicator: Trojan.Nymaim": [[204, 217]]}, "info": {"id": "cyner2_5class_train_05615", "source": "cyner2_5class_train"}} +{"text": "Mandiant, working in partnership with SonicWall Product Security and Incident Response Team PSIRT, has identified a suspected Chinese campaign that involves maintaining long term persistence by running 
malware on an unpatched SonicWall Secure Mobile Access SMA appliance.", "spans": {"Organization: Mandiant,": [[0, 9]], "Organization: SonicWall Product Security": [[38, 64]], "Organization: Incident Response Team PSIRT,": [[69, 98]], "Malware: malware": [[202, 209]], "Organization: SonicWall": [[226, 235]], "System: Secure Mobile Access SMA": [[236, 260]]}, "info": {"id": "cyner2_5class_train_05616", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Antivirus2008.DN MemScan:Trojan.Peed.JRX Trojan.Win32.Pakes.czg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Antivirus2008.DN": [[26, 42]], "Indicator: MemScan:Trojan.Peed.JRX": [[43, 66]], "Indicator: Trojan.Win32.Pakes.czg": [[67, 89]]}, "info": {"id": "cyner2_5class_train_05617", "source": "cyner2_5class_train"}} +{"text": "This ransomware encrypts files and uses .braincrypt as file name extension for encrypted files.", "spans": {"Malware: ransomware": [[5, 15]], "Indicator: encrypts files": [[16, 30]], "Indicator: uses .braincrypt as file name extension for encrypted files.": [[35, 95]]}, "info": {"id": "cyner2_5class_train_05618", "source": "cyner2_5class_train"}} +{"text": "The first example, a campaign observed on May 17, 2016, uses a fake Microsoft security alert social engineering lure to trick the victim into opening a link that leads to an executable download.", "spans": {"Indicator: fake Microsoft security alert social engineering": [[63, 111]], "Malware: executable download.": [[174, 194]]}, "info": {"id": "cyner2_5class_train_05619", "source": "cyner2_5class_train"}} +{"text": "This blog details CNACOM, a web-based campaign that appears to be related to a well-known nation-state actor more commonly associated with spear-phishing attacks.", "spans": {"Indicator: spear-phishing attacks.": [[139, 162]]}, "info": {"id": "cyner2_5class_train_05620", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dyloader Win32.Trojan.WisdomEyes.16070401.9500.9997 
Trojan.Win32.Injector TR/Dropper.gjdjj Trojan.Graftor.D4C89C W32/Injector.DHHK!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dyloader": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[42, 84]], "Indicator: Trojan.Win32.Injector": [[85, 106]], "Indicator: TR/Dropper.gjdjj": [[107, 123]], "Indicator: Trojan.Graftor.D4C89C": [[124, 145]], "Indicator: W32/Injector.DHHK!tr": [[146, 166]], "Indicator: Trj/GdSda.A": [[167, 178]]}, "info": {"id": "cyner2_5class_train_05621", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Demp.cxoswz TrojanDropper.Demp.aao Trojan[Dropper]/Win32.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Demp.cxoswz TrojanDropper.Demp.aao Trojan[Dropper]/Win32.Injector": [[26, 104]]}, "info": {"id": "cyner2_5class_train_05622", "source": "cyner2_5class_train"}} +{"text": "The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.", "spans": {"Organization: Ukraine Cyber police": [[38, 58]], "Organization: companies": [[89, 98]]}, "info": {"id": "cyner2_5class_train_05623", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RDN/Gaobot.worm!f Backdoor.Agobot.Win32.5073 Backdoor.W32.Agobot.svu!c Trojan.Heur.RP.EDFC38 Win32.Trojan.WisdomEyes.16070401.9500.9986 TROJ_ADAMOL.A Trojan.Win32.Agobot.dikwjo Win32.Backdoor.Agobot.Wlfl TROJ_ADAMOL.A BehavesLike.Win32.Downloader.gh Trojan.ATRAPS Backdoor/Agobot.bnd W32/AgoBot.SVU!tr.bdr Trojan[Backdoor]/Win32.Agobot Trojan:Win32/Adamol.A Trojan/Win32.Hupigon.C48593 Trj/Chgt.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RDN/Gaobot.worm!f": [[26, 43]], "Indicator: Backdoor.Agobot.Win32.5073": [[44, 70]], "Indicator: Backdoor.W32.Agobot.svu!c": [[71, 96]], "Indicator: Trojan.Heur.RP.EDFC38": [[97, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[119, 161]], "Indicator: TROJ_ADAMOL.A": [[162, 
175], [230, 243]], "Indicator: Trojan.Win32.Agobot.dikwjo": [[176, 202]], "Indicator: Win32.Backdoor.Agobot.Wlfl": [[203, 229]], "Indicator: BehavesLike.Win32.Downloader.gh": [[244, 275]], "Indicator: Trojan.ATRAPS": [[276, 289]], "Indicator: Backdoor/Agobot.bnd": [[290, 309]], "Indicator: W32/AgoBot.SVU!tr.bdr": [[310, 331]], "Indicator: Trojan[Backdoor]/Win32.Agobot": [[332, 361]], "Indicator: Trojan:Win32/Adamol.A": [[362, 383]], "Indicator: Trojan/Win32.Hupigon.C48593": [[384, 411]], "Indicator: Trj/Chgt.L": [[412, 422]]}, "info": {"id": "cyner2_5class_train_05624", "source": "cyner2_5class_train"}} +{"text": "On the heels of recent disclosures of ATM malware such as Suceful Plotus and Padpin aka Tyupkin, Proofpoint research has discovered yet another variant of ATM malware, which we have dubbed GreenDispenser.", "spans": {"Malware: ATM malware": [[38, 49]], "Malware: Suceful": [[58, 65]], "Malware: Plotus": [[66, 72]], "Malware: Padpin": [[77, 83]], "Malware: Tyupkin,": [[88, 96]], "Organization: Proofpoint research": [[97, 116]], "Malware: variant of ATM malware,": [[144, 167]], "Malware: GreenDispenser.": [[189, 204]]}, "info": {"id": "cyner2_5class_train_05625", "source": "cyner2_5class_train"}} +{"text": "WE GIVE 100 % GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT .", "spans": {}, "info": {"id": "cyner2_5class_train_05626", "source": "cyner2_5class_train"}} +{"text": "Initial reports of the attacks, published April 26 in Hebrew by the Israel National Cyber Event Readiness Team CERT-IL and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel.", "spans": {"Malware: attacks,": [[23, 31]], "Organization: the Israel National Cyber Event Readiness Team CERT-IL": [[64, 118]], "Organization: The Marker,": [[123, 134]], "Indicator: compromised email accounts": [[181, 207]], "Organization: Ben-Gurion University": [[211, 232]]}, "info": {"id": 
"cyner2_5class_train_05627", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Small Trojan.Win32.Small Trojan.Win32.Small.cva Trojan.Win32.Crypted.dxzuxb Troj.W32.Small!c Trojan.PWS.Banker1.19315 Trojan/Win32.Small Trojan.Win32.Small.cva Trojan.Win32.Small Trojan.Small Trj/CI.A Trojan.Win32.Clipbanker W32/ClipBanker.F!tr Win32/Trojan.65e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Small": [[26, 38], [212, 224]], "Indicator: Trojan.Win32.Small": [[39, 57], [193, 211]], "Indicator: Trojan.Win32.Small.cva": [[58, 80], [170, 192]], "Indicator: Trojan.Win32.Crypted.dxzuxb": [[81, 108]], "Indicator: Troj.W32.Small!c": [[109, 125]], "Indicator: Trojan.PWS.Banker1.19315": [[126, 150]], "Indicator: Trojan/Win32.Small": [[151, 169]], "Indicator: Trj/CI.A": [[225, 233]], "Indicator: Trojan.Win32.Clipbanker": [[234, 257]], "Indicator: W32/ClipBanker.F!tr": [[258, 277]], "Indicator: Win32/Trojan.65e": [[278, 294]]}, "info": {"id": "cyner2_5class_train_05628", "source": "cyner2_5class_train"}} +{"text": "This is the summary of an analysis by an IT security researcher, which we publish in full.", "spans": {"Organization: IT security researcher,": [[41, 64]]}, "info": {"id": "cyner2_5class_train_05629", "source": "cyner2_5class_train"}} +{"text": "The malicious library is loaded from Eventbot ’ s assets that contain a font file called default.ttf which is actually the hidden library and then decoded using RC4 .", "spans": {"Malware: Eventbot": [[37, 45]], "Indicator: default.ttf": [[89, 100]]}, "info": {"id": "cyner2_5class_train_05630", "source": "cyner2_5class_train"}} +{"text": "Carbanak also known as Anunak are a group of financially motivated criminals first exposed in 2015.", "spans": {}, "info": {"id": "cyner2_5class_train_05631", "source": "cyner2_5class_train"}} +{"text": "Some common techniques include : basic XOR encryption , nested XOR and custom key-derivation methods .", "spans": {}, "info": {"id": 
"cyner2_5class_train_05632", "source": "cyner2_5class_train"}} +{"text": "Previous version The capture service class implements the chat applications interception .", "spans": {}, "info": {"id": "cyner2_5class_train_05633", "source": "cyner2_5class_train"}} +{"text": "For the 64-bit stage 2 malware , the code execution is transferred from the loader using a well-known technique called Heaven ’ s Gate .", "spans": {}, "info": {"id": "cyner2_5class_train_05634", "source": "cyner2_5class_train"}} +{"text": "It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.", "spans": {"Indicator: spread": [[3, 9]], "Indicator: recompiled version": [[16, 34]], "System: open source BitTorrent client application": [[63, 104]], "Indicator: official website.": [[143, 160]]}, "info": {"id": "cyner2_5class_train_05635", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.QQPass.757760.Q Trojan.Win32.Badur!O Risktool.Flystudio.16885 Trojan/AddUser.q TROJ_ADDUSER_EJ19018D.UVPM Win32/Tnega.CEGPWM TROJ_ADDUSER_EJ19018D.UVPM Trojan-Ransom.Win32.Snocry.yj Trojan.Win32.QQPass.cqivxp Backdoor.W32.Hupigon.lHRl Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.DownLoader10.35182 Trojan.QQPass.Win32.21864 Exploit.Win32.MS Trojan/PSW.QQPass.qla TR/Strictor.38430 Trojan[PSW]/Win32.QQPass Trojan.Zusy.D2B925 Trojan-Ransom.Win32.Snocry.yj Trojan:Win32/Casus.A Trojan/Win32.QQPass.C217887 Trojan.Badur Win32/AddUser.Q Trojan.Win32.QQPass.i Trojan.PWS.QQPass!VhZvRiUJbao W32/QQPass.ELG!tr.pws Trojan.Win32.Extortioner.Q", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.QQPass.757760.Q": [[26, 56]], "Indicator: Trojan.Win32.Badur!O": [[57, 77]], "Indicator: Risktool.Flystudio.16885": [[78, 102]], "Indicator: Trojan/AddUser.q": [[103, 119]], "Indicator: TROJ_ADDUSER_EJ19018D.UVPM": [[120, 146], [166, 192]], "Indicator: Win32/Tnega.CEGPWM": [[147, 
165]], "Indicator: Trojan-Ransom.Win32.Snocry.yj": [[193, 222], [475, 504]], "Indicator: Trojan.Win32.QQPass.cqivxp": [[223, 249]], "Indicator: Backdoor.W32.Hupigon.lHRl": [[250, 275]], "Indicator: Worm.Win32.Dropper.RA": [[276, 297]], "Indicator: Trojan:W32/DelfInject.R": [[298, 321]], "Indicator: Trojan.DownLoader10.35182": [[322, 347]], "Indicator: Trojan.QQPass.Win32.21864": [[348, 373]], "Indicator: Exploit.Win32.MS": [[374, 390]], "Indicator: Trojan/PSW.QQPass.qla": [[391, 412]], "Indicator: TR/Strictor.38430": [[413, 430]], "Indicator: Trojan[PSW]/Win32.QQPass": [[431, 455]], "Indicator: Trojan.Zusy.D2B925": [[456, 474]], "Indicator: Trojan:Win32/Casus.A": [[505, 525]], "Indicator: Trojan/Win32.QQPass.C217887": [[526, 553]], "Indicator: Trojan.Badur": [[554, 566]], "Indicator: Win32/AddUser.Q": [[567, 582]], "Indicator: Trojan.Win32.QQPass.i": [[583, 604]], "Indicator: Trojan.PWS.QQPass!VhZvRiUJbao": [[605, 634]], "Indicator: W32/QQPass.ELG!tr.pws": [[635, 656]], "Indicator: Trojan.Win32.Extortioner.Q": [[657, 683]]}, "info": {"id": "cyner2_5class_train_05636", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanDownloader.Unruy.C3 Downloader-BPA.d Trojan.Cosmu.Win32.1584 Trojan/Cosmu.fzo Win32.Trojan-Clicker.Cycler.a W32.Unruy.A Win32/Unruy.NaMNFGC HT_UNRUY_GF0601E8.UVPM Win.Trojan.Unruy-5876 Trojan.Win32.Drop.bcagho Troj.Spy.W32.BZub.l2bS TrojWare.Win32.TrojanSpy.BZub.~IP Trojan.MulDrop1.276 HT_UNRUY_GF0601E8.UVPM BehavesLike.Win32.Downloader.rt Trojan-Downloader.Win32.Unruy Trojan/Cosmu.bhh TR/Dldr.Unruy.C Worm/Win32.Unknown TrojanDownloader:Win32/Unruy.C Trojan.Unruy.1 Trojan/Win32.Cosmu.R39186 TrojanClicker.Cycler Trojan.CL.Cycler!gZ0c9KQr9Uk W32/ZAccess.Y!tr W32/OverDoom.B.worm Win32/Trojan.688", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Unruy.C3": [[26, 51]], "Indicator: Downloader-BPA.d": [[52, 68]], "Indicator: Trojan.Cosmu.Win32.1584": [[69, 92]], "Indicator: Trojan/Cosmu.fzo": [[93, 109]], 
"Indicator: Win32.Trojan-Clicker.Cycler.a": [[110, 139]], "Indicator: W32.Unruy.A": [[140, 151]], "Indicator: Win32/Unruy.NaMNFGC": [[152, 171]], "Indicator: HT_UNRUY_GF0601E8.UVPM": [[172, 194], [319, 341]], "Indicator: Win.Trojan.Unruy-5876": [[195, 216]], "Indicator: Trojan.Win32.Drop.bcagho": [[217, 241]], "Indicator: Troj.Spy.W32.BZub.l2bS": [[242, 264]], "Indicator: TrojWare.Win32.TrojanSpy.BZub.~IP": [[265, 298]], "Indicator: Trojan.MulDrop1.276": [[299, 318]], "Indicator: BehavesLike.Win32.Downloader.rt": [[342, 373]], "Indicator: Trojan-Downloader.Win32.Unruy": [[374, 403]], "Indicator: Trojan/Cosmu.bhh": [[404, 420]], "Indicator: TR/Dldr.Unruy.C": [[421, 436]], "Indicator: Worm/Win32.Unknown": [[437, 455]], "Indicator: TrojanDownloader:Win32/Unruy.C": [[456, 486]], "Indicator: Trojan.Unruy.1": [[487, 501]], "Indicator: Trojan/Win32.Cosmu.R39186": [[502, 527]], "Indicator: TrojanClicker.Cycler": [[528, 548]], "Indicator: Trojan.CL.Cycler!gZ0c9KQr9Uk": [[549, 577]], "Indicator: W32/ZAccess.Y!tr": [[578, 594]], "Indicator: W32/OverDoom.B.worm": [[595, 614]], "Indicator: Win32/Trojan.688": [[615, 631]]}, "info": {"id": "cyner2_5class_train_05637", "source": "cyner2_5class_train"}} +{"text": "The malware authors seem to be putting a lot of effort into improving this malware , bundling it with numerous new upgrades that make it more sophisticated , evasive , and well-equipped .", "spans": {}, "info": {"id": "cyner2_5class_train_05638", "source": "cyner2_5class_train"}} +{"text": "Also seen in other Exploits Kits: - Neutrino - Nuclear - Magnitude - RIG - Hanjuan", "spans": {"Malware: Exploits Kits:": [[19, 33]], "Malware: Neutrino": [[36, 44]], "Malware: Nuclear": [[47, 54]], "Malware: Magnitude": [[57, 66]], "Malware: RIG": [[69, 72]], "Malware: Hanjuan": [[75, 82]]}, "info": {"id": "cyner2_5class_train_05639", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PSW.Qwak.A Trojan-PWS/W32.Qwak.24576 PSWTool.Win32.Pqwak!O Trojan.Pqwak 
Trojan.Qwak.Win32.2 Trojan.PSW.Qwak.A W32/HackTool.AZN TROJ_PQWAK.A Trojan.PSW.Qwak.A not-a-virus:PSWTool.Win32.Pqwak.10 Trojan.PSW.Qwak.A Riskware.Win32.Pqwak.hqlb Trojan.Win32.Z.Qwak.24576 Trojan.PSW.Qwak.A TrojWare.Win32.PSW.Qwak.A Trojan.PWS.Qwak.10 TROJ_PQWAK.A Trojan.Win32.PSW W32/Tool.QTCZ-8948 TR/Pqwak.A Trojan[PSWTool]/Win32.Pqwak not-a-virus:PSWTool.Win32.Pqwak.10 Win-Trojan/Qwak.24576 Trojan.PSW.Qwak.A TrojanPSW.Qwak Trj/CI.A Win32/PSW.Qwak.A Win32.Trojan.Pqwak.Eeha Trojan.PSW.Qwak!llR4IBPnUH0 Win32/Trojan.006", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Qwak.A": [[26, 43], [125, 142], [173, 190], [226, 243], [296, 313], [504, 521]], "Indicator: Trojan-PWS/W32.Qwak.24576": [[44, 69]], "Indicator: PSWTool.Win32.Pqwak!O": [[70, 91]], "Indicator: Trojan.Pqwak": [[92, 104]], "Indicator: Trojan.Qwak.Win32.2": [[105, 124]], "Indicator: W32/HackTool.AZN": [[143, 159]], "Indicator: TROJ_PQWAK.A": [[160, 172], [359, 371]], "Indicator: not-a-virus:PSWTool.Win32.Pqwak.10": [[191, 225], [447, 481]], "Indicator: Riskware.Win32.Pqwak.hqlb": [[244, 269]], "Indicator: Trojan.Win32.Z.Qwak.24576": [[270, 295]], "Indicator: TrojWare.Win32.PSW.Qwak.A": [[314, 339]], "Indicator: Trojan.PWS.Qwak.10": [[340, 358]], "Indicator: Trojan.Win32.PSW": [[372, 388]], "Indicator: W32/Tool.QTCZ-8948": [[389, 407]], "Indicator: TR/Pqwak.A": [[408, 418]], "Indicator: Trojan[PSWTool]/Win32.Pqwak": [[419, 446]], "Indicator: Win-Trojan/Qwak.24576": [[482, 503]], "Indicator: TrojanPSW.Qwak": [[522, 536]], "Indicator: Trj/CI.A": [[537, 545]], "Indicator: Win32/PSW.Qwak.A": [[546, 562]], "Indicator: Win32.Trojan.Pqwak.Eeha": [[563, 586]], "Indicator: Trojan.PSW.Qwak!llR4IBPnUH0": [[587, 614]], "Indicator: Win32/Trojan.006": [[615, 631]]}, "info": {"id": "cyner2_5class_train_05640", "source": "cyner2_5class_train"}}
+{"text": "For example , we found several suspicious strings written in the Chinese language in a function called isNetworkAvailable , previously discussed in 
this blog : An almost identical function is mentioned in an earlier research , that ties FakeSpy and other malware to the Roaming Mantis group .", "spans": {"Malware: FakeSpy": [[237, 244]], "Organization: Roaming Mantis": [[270, 284]]}, "info": {"id": "cyner2_5class_train_05641", "source": "cyner2_5class_train"}}
+{"text": "mobile_treats_2013_05s Infections caused by mobile banking programs Today , the majority of banking Trojan attacks affect users in Russia and the CIS .", "spans": {}, "info": {"id": "cyner2_5class_train_05642", "source": "cyner2_5class_train"}}
+{"text": "According to our estimates , about 60 % of mobile malware are elements of both large and small mobile botnets .", "spans": {}, "info": {"id": "cyner2_5class_train_05643", "source": "cyner2_5class_train"}}
+{"text": "Stretching back to April 2016, she d befriended a lot of individuals, as many as 500, with similar interests.", "spans": {"Organization: individuals,": [[57, 69]]}, "info": {"id": "cyner2_5class_train_05644", "source": "cyner2_5class_train"}}
+{"text": "Based on received commands, it can either download malicious apps or switch the C C Twitter account to another one.", "spans": {"Indicator: received commands,": [[9, 27]], "Malware: malicious apps": [[51, 65]], "Indicator: C C Twitter account to another one.": [[80, 115]]}, "info": {"id": "cyner2_5class_train_05645", "source": "cyner2_5class_train"}}
+{"text": "The target list and bank specific fake login pages can be dynamically updated via their C2 panel ( dashboard back-end ) which significantly increases the adaptability and scalability of this attack .", "spans": {}, "info": {"id": "cyner2_5class_train_05646", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanDropper.Goominer Win32.Trojan.WisdomEyes.16070401.9500.9958 Trojan.Win32.Kazy.dbtlfz Trojan.Win32.Z.Kazy.939008.A Trojan.Kazy.D607AA TrojanDropper:Win32/Goominer.A Trj/GdSda.A Win32.Trojan.Kazy.Pciu Trojan.Win32.Comitsproc Win32/Trojan.013", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Goominer": [[26, 48]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9958": [[49, 91]], "Indicator: Trojan.Win32.Kazy.dbtlfz": [[92, 116]], "Indicator: Trojan.Win32.Z.Kazy.939008.A": [[117, 145]], "Indicator: Trojan.Kazy.D607AA": [[146, 164]], "Indicator: TrojanDropper:Win32/Goominer.A": [[165, 195]], "Indicator: Trj/GdSda.A": [[196, 207]], "Indicator: Win32.Trojan.Kazy.Pciu": [[208, 230]], "Indicator: Trojan.Win32.Comitsproc": [[231, 254]], "Indicator: Win32/Trojan.013": [[255, 271]]}, "info": {"id": "cyner2_5class_train_05647", "source": "cyner2_5class_train"}} +{"text": "We dubbed this activity Operation Wilted Tulip", "spans": {}, "info": {"id": "cyner2_5class_train_05648", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Starpage.A.mue Trojan/Swisyn.bhyk Win32.Trojan.Delf.it Trojan.Win32.Fsysna.djck Trojan.Win32.A.Swisyn.97827[UPX] Worm.Win32.Pronny.BL Trojan.PWS.Qqpass.6162 Trojan.Swisyn.Win32.21499 Trojan.Crypt Trojan/Win32.Swisyn HEUR/Fakon.mwf Worm.AutoRun Trojan.Win32.FakeFolder.pb Trojan.Swisyn!4rRLtK78L7s", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Swisyn!O": [[26, 47]], "Indicator: Trojan.Starpage.A.mue": [[48, 69]], "Indicator: Trojan/Swisyn.bhyk": [[70, 88]], "Indicator: Win32.Trojan.Delf.it": [[89, 109]], "Indicator: Trojan.Win32.Fsysna.djck": [[110, 134]], "Indicator: Trojan.Win32.A.Swisyn.97827[UPX]": [[135, 167]], "Indicator: Worm.Win32.Pronny.BL": [[168, 188]], "Indicator: Trojan.PWS.Qqpass.6162": [[189, 211]], "Indicator: Trojan.Swisyn.Win32.21499": [[212, 237]], "Indicator: Trojan.Crypt": [[238, 250]], "Indicator: Trojan/Win32.Swisyn": [[251, 270]], "Indicator: HEUR/Fakon.mwf": [[271, 285]], "Indicator: Worm.AutoRun": [[286, 298]], "Indicator: Trojan.Win32.FakeFolder.pb": [[299, 325]], "Indicator: Trojan.Swisyn!4rRLtK78L7s": [[326, 351]]}, "info": {"id": "cyner2_5class_train_05649", "source": 
"cyner2_5class_train"}} +{"text": "Some samples talk to compromised South Korean server at 203.250.148.63 and communicate in port 30000.", "spans": {"Vulnerability: compromised": [[21, 32]], "System: server": [[46, 52]], "Malware: at": [[53, 55]], "Indicator: 203.250.148.63": [[56, 70]], "Indicator: communicate": [[75, 86]], "Indicator: port 30000.": [[90, 101]]}, "info": {"id": "cyner2_5class_train_05650", "source": "cyner2_5class_train"}} +{"text": "Port 6207 : Viber extraction service .", "spans": {"Indicator: Port 6207": [[0, 9]], "System: Viber": [[12, 17]]}, "info": {"id": "cyner2_5class_train_05651", "source": "cyner2_5class_train"}} +{"text": "The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan.", "spans": {"Malware: GozNym hybrid": [[8, 21]], "Organization: best": [[32, 36]], "Malware: Nymaim": [[49, 55]], "Malware: Gozi ISFB malware": [[60, 77]], "Malware: powerful Trojan.": [[90, 106]]}, "info": {"id": "cyner2_5class_train_05652", "source": "cyner2_5class_train"}} +{"text": "The people behind the attacks are likely attempting to gain access to computers where banking transactions are performed, in order to steal banking credentials.", "spans": {"Indicator: attacks": [[22, 29]], "Indicator: gain access": [[55, 66]], "System: computers": [[70, 79]], "Indicator: steal banking credentials.": [[134, 160]]}, "info": {"id": "cyner2_5class_train_05653", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win64 Trojan[Backdoor]/Win32.Simda Trojan:Win64/Claretore.B W64/Simda.BD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Trojan.Win64": [[69, 81]], "Indicator: Trojan[Backdoor]/Win32.Simda": [[82, 110]], "Indicator: Trojan:Win64/Claretore.B": [[111, 135]], "Indicator: W64/Simda.BD!tr": [[136, 151]]}, "info": {"id": "cyner2_5class_train_05654", "source": 
"cyner2_5class_train"}} +{"text": "One of them was of particular interest because we'd never seen the backdoor before and it leveraged a relatively unique German dynamic DNS provider for command and control.", "spans": {"Malware: backdoor": [[67, 75]], "Indicator: German dynamic DNS provider for command and control.": [[120, 172]]}, "info": {"id": "cyner2_5class_train_05655", "source": "cyner2_5class_train"}} +{"text": "Finally , the app can remove itself through three ways : Via a command from the server Autoremove if the device has not been able to check in to the server after 60 days Via an antidote file .", "spans": {}, "info": {"id": "cyner2_5class_train_05656", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Htool.WKE Application.Htool.WKE W32/Risk.IUUB-2604 HKTL_DUMPSEC.TOMA Application.Htool.WKE Application.Htool.WKE Trojan.MulDrop3.34925 HKTL_DUMPSEC.TOMA W32/MalwareS.ITI Packed.Multi.rq HackTool:Win32/Dumpsec.A Application.Htool.WKE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Htool.WKE": [[26, 47], [48, 69], [107, 128], [129, 150], [249, 270]], "Indicator: W32/Risk.IUUB-2604": [[70, 88]], "Indicator: HKTL_DUMPSEC.TOMA": [[89, 106], [173, 190]], "Indicator: Trojan.MulDrop3.34925": [[151, 172]], "Indicator: W32/MalwareS.ITI": [[191, 207]], "Indicator: Packed.Multi.rq": [[208, 223]], "Indicator: HackTool:Win32/Dumpsec.A": [[224, 248]]}, "info": {"id": "cyner2_5class_train_05657", "source": "cyner2_5class_train"}} +{"text": "Marcher inspects its infected devices carefully by using a dedicated, hard-coded configuration in each Android Package Kit APK, Google's file format for distributing and installing application software like mobile banking apps on the Android OS.", "spans": {"Malware: Marcher": [[0, 7]], "Indicator: hard-coded configuration": [[70, 94]], "System: Android Package Kit APK, Google's file format": [[103, 148]], "System: application software": [[181, 201]], "System: mobile banking 
apps": [[207, 226]], "System: the Android OS.": [[230, 245]]}, "info": {"id": "cyner2_5class_train_05658", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Downldr2.IYLF Trojan.Starter.1949 Riskware/Win32.Krap.ii Win32.Hack.Undef.kcloud TrojanDropper:Win32/Kidtok.A W32/Downloader.LQFG-1421 Virus.Win32.Heur.g BScope.Trojan-Spy.Zbot PE:Malware.FakeDOC@CV!1.9C3B Trojan-Dropper.Win32.Kidtok", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Downldr2.IYLF": [[26, 43]], "Indicator: Trojan.Starter.1949": [[44, 63]], "Indicator: Riskware/Win32.Krap.ii": [[64, 86]], "Indicator: Win32.Hack.Undef.kcloud": [[87, 110]], "Indicator: TrojanDropper:Win32/Kidtok.A": [[111, 139]], "Indicator: W32/Downloader.LQFG-1421": [[140, 164]], "Indicator: Virus.Win32.Heur.g": [[165, 183]], "Indicator: BScope.Trojan-Spy.Zbot": [[184, 206]], "Indicator: PE:Malware.FakeDOC@CV!1.9C3B": [[207, 235]], "Indicator: Trojan-Dropper.Win32.Kidtok": [[236, 263]]}, "info": {"id": "cyner2_5class_train_05659", "source": "cyner2_5class_train"}} +{"text": "Therefore we instead discuss a number of ways to detect and analyse these documents using freely available tools.", "spans": {}, "info": {"id": "cyner2_5class_train_05660", "source": "cyner2_5class_train"}} +{"text": "PDFs with download links", "spans": {"Indicator: PDFs with download links": [[0, 24]]}, "info": {"id": "cyner2_5class_train_05661", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PSWTool.Win32.NetPass!O HackTool.Dialupas Tool.NetPass.Win32.1002 Win32.Trojan.WisdomEyes.16070401.9500.9825 W32/Risk.DWIG-1726 Trojan-Spy.IEPV not-a-virus:PSWTool.Win32.NetPass.atx Trojan.Win32.Ool.cjzhzi Tool.PassView.277 BehavesLike.Win32.Downloader.gc W32/MalwareS.AKEN APPL/PSWTool.Pass.A Application.Heur.BmNfbCuqfGoO not-a-virus:PSWTool.Win32.NetPass.atx Trojan/Win32.Klone.C127582 PUP.Optional.Dialupass Trojan.PSWTool!vbtNAUr+Slw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
PSWTool.Win32.NetPass!O": [[26, 49]], "Indicator: HackTool.Dialupas": [[50, 67]], "Indicator: Tool.NetPass.Win32.1002": [[68, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9825": [[92, 134]], "Indicator: W32/Risk.DWIG-1726": [[135, 153]], "Indicator: Trojan-Spy.IEPV": [[154, 169]], "Indicator: not-a-virus:PSWTool.Win32.NetPass.atx": [[170, 207], [350, 387]], "Indicator: Trojan.Win32.Ool.cjzhzi": [[208, 231]], "Indicator: Tool.PassView.277": [[232, 249]], "Indicator: BehavesLike.Win32.Downloader.gc": [[250, 281]], "Indicator: W32/MalwareS.AKEN": [[282, 299]], "Indicator: APPL/PSWTool.Pass.A": [[300, 319]], "Indicator: Application.Heur.BmNfbCuqfGoO": [[320, 349]], "Indicator: Trojan/Win32.Klone.C127582": [[388, 414]], "Indicator: PUP.Optional.Dialupass": [[415, 437]], "Indicator: Trojan.PSWTool!vbtNAUr+Slw": [[438, 464]]}, "info": {"id": "cyner2_5class_train_05662", "source": "cyner2_5class_train"}}
+{"text": "The email, first of them submitted from Middle East, purports to be coming from a Turkish trading company, which might further indicate the geographic area where the attacks were active.", "spans": {"Indicator: email,": [[4, 10]], "Organization: a Turkish trading company,": [[80, 106]], "Indicator: attacks": [[166, 173]]}, "info": {"id": "cyner2_5class_train_05663", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.Cleanmg.Trojan Trojan-Spy.Win32.TianYan!O BackDoor-YA.dr Trojan/Spy.TianYan.b TSPY_TIANYAN.SMD Win32.Backdoor.Prisos.b W32.Killaut.A Win32/TianYan.A TSPY_TIANYAN.SMD Win.Spyware.35814-2 Trojan.Win32.TianYan.xbqa Trojan.Win32.TianYan.40960 Troj.Spy.W32.TianYan.m9ks TrojWare.Win32.TrojanSpy.TianYan.~A Win32.HLLP.Nemesis.28687 BackDoor-YA.dr TrojanSpy.TianYan.a Trojan[Spy]/Win32.TianYan Win32.Troj.TianYan.b.kcloud Trojan.Symmi.D7121 Backdoor:Win32/Prisos.A Worm/Win32.Mabezat.R26794 TrojanSpy.TianYan Win32/Prisos.A Trojan-Spy.Win32.TianYan.b Win32/Trojan.Dropper.e23", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: W32.Cleanmg.Trojan": [[26, 44]], "Indicator: Trojan-Spy.Win32.TianYan!O": [[45, 71]], "Indicator: BackDoor-YA.dr": [[72, 86], [356, 370]], "Indicator: Trojan/Spy.TianYan.b": [[87, 107]], "Indicator: TSPY_TIANYAN.SMD": [[108, 124], [179, 195]], "Indicator: Win32.Backdoor.Prisos.b": [[125, 148]], "Indicator: W32.Killaut.A": [[149, 162]], "Indicator: Win32/TianYan.A": [[163, 178]], "Indicator: Win.Spyware.35814-2": [[196, 215]], "Indicator: Trojan.Win32.TianYan.xbqa": [[216, 241]], "Indicator: Trojan.Win32.TianYan.40960": [[242, 268]], "Indicator: Troj.Spy.W32.TianYan.m9ks": [[269, 294]], "Indicator: TrojWare.Win32.TrojanSpy.TianYan.~A": [[295, 330]], "Indicator: Win32.HLLP.Nemesis.28687": [[331, 355]], "Indicator: TrojanSpy.TianYan.a": [[371, 390]], "Indicator: Trojan[Spy]/Win32.TianYan": [[391, 416]], "Indicator: Win32.Troj.TianYan.b.kcloud": [[417, 444]], "Indicator: Trojan.Symmi.D7121": [[445, 463]], "Indicator: Backdoor:Win32/Prisos.A": [[464, 487]], "Indicator: Worm/Win32.Mabezat.R26794": [[488, 513]], "Indicator: TrojanSpy.TianYan": [[514, 531]], "Indicator: Win32/Prisos.A": [[532, 546]], "Indicator: Trojan-Spy.Win32.TianYan.b": [[547, 573]], "Indicator: Win32/Trojan.Dropper.e23": [[574, 598]]}, "info": {"id": "cyner2_5class_train_05664", "source": "cyner2_5class_train"}} +{"text": "Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March.", "spans": {}, "info": {"id": "cyner2_5class_train_05665", "source": "cyner2_5class_train"}} +{"text": "Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace .", "spans": {}, "info": {"id": "cyner2_5class_train_05666", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LRQwegierExe.Trojan Trojan/W32.Small.14848.CH Trojan.Daws.17020 Trojan.Kazy.D192B Win32.Trojan.Dalixi.f Trojan-Dropper.Win32.Daws.dyru 
Troj.W32.KillAV.lCzy BehavesLike.Win32.VTFlooder.lh Trojan:Win32/Ghodow.A Trojan-Dropper.Win32.Daws.dyru Win32/Dalixi.A Trojan.Dalixi!sYT5S6B5t8c W32/Dloader.IQS!tr.dldr Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LRQwegierExe.Trojan": [[26, 49]], "Indicator: Trojan/W32.Small.14848.CH": [[50, 75]], "Indicator: Trojan.Daws.17020": [[76, 93]], "Indicator: Trojan.Kazy.D192B": [[94, 111]], "Indicator: Win32.Trojan.Dalixi.f": [[112, 133]], "Indicator: Trojan-Dropper.Win32.Daws.dyru": [[134, 164], [239, 269]], "Indicator: Troj.W32.KillAV.lCzy": [[165, 185]], "Indicator: BehavesLike.Win32.VTFlooder.lh": [[186, 216]], "Indicator: Trojan:Win32/Ghodow.A": [[217, 238]], "Indicator: Win32/Dalixi.A": [[270, 284]], "Indicator: Trojan.Dalixi!sYT5S6B5t8c": [[285, 310]], "Indicator: W32/Dloader.IQS!tr.dldr": [[311, 334]], "Indicator: Win32/Trojan.b7f": [[335, 351]]}, "info": {"id": "cyner2_5class_train_05667", "source": "cyner2_5class_train"}}
+{"text": "As soon as the victim tries to log in , it stores the victim 's credentials in /storage/0/DCIM/.fdat Facebook Login Figure 7 : Fake Facebook login The second command is IODBSSUEEZ , which further sends stolen credentials to the C & C server , as seen in Figure 8 .", "spans": {"System: Facebook": [[101, 109], [132, 140]]}, "info": {"id": "cyner2_5class_train_05668", "source": "cyner2_5class_train"}}
+{"text": "A new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit.", "spans": {"Malware: ransomware": [[6, 16]], "Malware: CryptoLuck": [[24, 34]], "Organization: Proofpoint security researcher": [[58, 88]], "Malware: exploit kit": [[93, 104]], "Malware: expert Kafeine": [[105, 119]], "Malware: RIG-E exploit kit.": [[154, 172]]}, "info": {"id": "cyner2_5class_train_05669", "source": "cyner2_5class_train"}}
+{"text": "Error Registration Ok Empty SendSMS RequestGoogleCC Wipe OpenBrowser 
SendUSSD RequestSMSList RequestAppList RequestLocation ShowNotification SetLockPassword LockNow MuteSound LoadScript LoadPlugin ServerChange StartApp CallPhone SetPingTimer SMSBroadcast RequestContacts AddInject RemoveInject Evaluate Another feature of this trojan is the ability to register injects , which are JavaScript snippets of code .", "spans": {}, "info": {"id": "cyner2_5class_train_05670", "source": "cyner2_5class_train"}}
+{"text": "Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers.", "spans": {"Malware: Ransomware": [[0, 10]], "Organization: high-profile network": [[72, 92]], "Indicator: attacks": [[128, 135]], "Organization: consumers.": [[142, 152]]}, "info": {"id": "cyner2_5class_train_05671", "source": "cyner2_5class_train"}}
+{"text": "Generic detections , advanced behavioral analytics , and machine learning technologies in Windows Defender Advanced Threat Protection detect FinFisher ’ s malicious behavior throughout the attack kill chain and alert SecOps personnel .", "spans": {"System: Windows Defender Advanced Threat Protection": [[90, 133]], "Malware: FinFisher": [[141, 150]]}, "info": {"id": "cyner2_5class_train_05672", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Win32.Staget!O Trojan.Vb.AB2 Trojan.Injector Trojan/Staget.fk Trojan.Zusy.D381B TROJ_CHEKAF.SMIA Win32.Trojan.U-Staget.a TROJ_CHEKAF.SMIA Win.Trojan.Staget-28 Trojan.Win32.SelfDel.cdyc Trojan.Win32.Staget.btpvn Trojan.Win32.A.Staget.98334 Troj.W32.SelfDel.tnPD Trojan.MulDrop1.56405 Trojan.Staget.Win32.367 BehavesLike.Win32.Swisyn.nm Trojan/Staget.hg Trojan/Win32.Staget Win32.Troj.Staget.fk.kcloud Trojan.Win32.SelfDel.cdyc Trojan/Win32.Staget.R21060 Trojan.VBRA.09701 Trojan.Staget!A6l5b/HpLEg Trojan.Win32.Staget W32/Staget.EG!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Staget!O": [[26, 47]], "Indicator: Trojan.Vb.AB2": [[48, 
61]], "Indicator: Trojan.Injector": [[62, 77]], "Indicator: Trojan/Staget.fk": [[78, 94]], "Indicator: Trojan.Zusy.D381B": [[95, 112]], "Indicator: TROJ_CHEKAF.SMIA": [[113, 129], [154, 170]], "Indicator: Win32.Trojan.U-Staget.a": [[130, 153]], "Indicator: Win.Trojan.Staget-28": [[171, 191]], "Indicator: Trojan.Win32.SelfDel.cdyc": [[192, 217], [433, 458]], "Indicator: Trojan.Win32.Staget.btpvn": [[218, 243]], "Indicator: Trojan.Win32.A.Staget.98334": [[244, 271]], "Indicator: Troj.W32.SelfDel.tnPD": [[272, 293]], "Indicator: Trojan.MulDrop1.56405": [[294, 315]], "Indicator: Trojan.Staget.Win32.367": [[316, 339]], "Indicator: BehavesLike.Win32.Swisyn.nm": [[340, 367]], "Indicator: Trojan/Staget.hg": [[368, 384]], "Indicator: Trojan/Win32.Staget": [[385, 404]], "Indicator: Win32.Troj.Staget.fk.kcloud": [[405, 432]], "Indicator: Trojan/Win32.Staget.R21060": [[459, 485]], "Indicator: Trojan.VBRA.09701": [[486, 503]], "Indicator: Trojan.Staget!A6l5b/HpLEg": [[504, 529]], "Indicator: Trojan.Win32.Staget": [[530, 549]], "Indicator: W32/Staget.EG!tr": [[550, 566]]}, "info": {"id": "cyner2_5class_train_05673", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/CoinMiner.td not-a-virus:RiskTool.Win32.BitCoinMiner.wzo Riskware.Win32.BitCoinMiner.dktqwy Tool.BtcMine.479 Trojan.CoinMiner.Win32.1509 Trojan.Win32.CoinMiner RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Dimnir.A Application.Heur2.EE0329 not-a-virus:RiskTool.Win32.BitCoinMiner.wzo W32/CoinMiner.TD!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/CoinMiner.td": [[26, 45]], "Indicator: not-a-virus:RiskTool.Win32.BitCoinMiner.wzo": [[46, 89], [278, 321]], "Indicator: Riskware.Win32.BitCoinMiner.dktqwy": [[90, 124]], "Indicator: Tool.BtcMine.479": [[125, 141]], "Indicator: Trojan.CoinMiner.Win32.1509": [[142, 169]], "Indicator: Trojan.Win32.CoinMiner": [[170, 192]], "Indicator: RiskWare[RiskTool]/Win32.BitCoinMiner": [[193, 230]], "Indicator: Trojan:Win32/Dimnir.A": 
[[231, 252]], "Indicator: Application.Heur2.EE0329": [[253, 277]], "Indicator: W32/CoinMiner.TD!tr": [[322, 341]]}, "info": {"id": "cyner2_5class_train_05674", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor.Hotdog.A Backdoor.Hotdog.A Trojan.Win32.Hotdog.chmwe W32/Hotdog.B Spyware.Hotra TROJ_HOTDOG.A Backdoor.Win32.Hotdog Backdoor.Hotdog.A Backdoor.Hotdog!YGk3IGmjo+U Backdoor.Win32.Hotdog.B Backdoor.Hotdog.A Trojan.Hotdog.49152 TROJ_HOTDOG.A Win32.Hack.Hotdog.8F.kcloud Backdoor:Win32/Hotdog.A Trojan.Win32.Hotra.49152 Backdoor.Hotdog.A W32/Hotdog.OZIJ-0895 Win-Trojan/Hotra.57344 Spyware.Hotra Win32/Hotdog.B Backdoor.Win32.Hotdog W32/Hotdog.A!tr.bdr BackDoor.Hotdog.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hotdog.A": [[26, 43], [44, 61], [151, 168], [221, 238], [350, 367]], "Indicator: Trojan.Win32.Hotdog.chmwe": [[62, 87]], "Indicator: W32/Hotdog.B": [[88, 100]], "Indicator: Spyware.Hotra": [[101, 114], [412, 425]], "Indicator: TROJ_HOTDOG.A": [[115, 128], [259, 272]], "Indicator: Backdoor.Win32.Hotdog": [[129, 150], [441, 462]], "Indicator: Backdoor.Hotdog!YGk3IGmjo+U": [[169, 196]], "Indicator: Backdoor.Win32.Hotdog.B": [[197, 220]], "Indicator: Trojan.Hotdog.49152": [[239, 258]], "Indicator: Win32.Hack.Hotdog.8F.kcloud": [[273, 300]], "Indicator: Backdoor:Win32/Hotdog.A": [[301, 324]], "Indicator: Trojan.Win32.Hotra.49152": [[325, 349]], "Indicator: W32/Hotdog.OZIJ-0895": [[368, 388]], "Indicator: Win-Trojan/Hotra.57344": [[389, 411]], "Indicator: Win32/Hotdog.B": [[426, 440]], "Indicator: W32/Hotdog.A!tr.bdr": [[463, 482]], "Indicator: BackDoor.Hotdog.A": [[483, 500]]}, "info": {"id": "cyner2_5class_train_05675", "source": "cyner2_5class_train"}}
+{"text": "malware used by the HiddenCobra threat group", "spans": {"Malware: malware": [[0, 7]]}, "info": {"id": "cyner2_5class_train_05676", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanPWS.Dexter.A4 Trojan.Poxters.Win32.176 
Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_DEXTR.SMM HEUR:Trojan.Win32.Invader Trojan.Win32.Invader.elqaga Trojan.FakeAV.19781 BKDR_DEXTR.SMM BehavesLike.Win32.VTFlooder.nh Trojan.Invader.aqk Trojan/Win32.Invader HEUR:Trojan.Win32.Invader Trojan.Invader! Trojan.Win32.Poxters W32/Poxters.E!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Dexter.A4": [[26, 45]], "Indicator: Trojan.Poxters.Win32.176": [[46, 70]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[71, 113]], "Indicator: BKDR_DEXTR.SMM": [[114, 128], [203, 217]], "Indicator: HEUR:Trojan.Win32.Invader": [[129, 154], [289, 314]], "Indicator: Trojan.Win32.Invader.elqaga": [[155, 182]], "Indicator: Trojan.FakeAV.19781": [[183, 202]], "Indicator: BehavesLike.Win32.VTFlooder.nh": [[218, 248]], "Indicator: Trojan.Invader.aqk": [[249, 267]], "Indicator: Trojan/Win32.Invader": [[268, 288]], "Indicator: Trojan.Invader!": [[315, 330]], "Indicator: Trojan.Win32.Poxters": [[331, 351]], "Indicator: W32/Poxters.E!tr": [[352, 368]], "Indicator: Trj/GdSda.A": [[369, 380]]}, "info": {"id": "cyner2_5class_train_05677", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Dynamer.FC.316 Win32.Trojan.WisdomEyes.16070401.9500.9957 MSIL.Backdoor.Orcus.A Troj.Spy.Msil!c Trojan.DownLoader25.14345 BehavesLike.Win32.Backdoor.dc TrojanSpy.MSIL.sam TR/Dropper.MSIL.yknpx PWS:MSIL/Orcus.A!bit Win-Trojan/OrcusRAT.Exp Trj/CI.A Win32/Trojan.Spy.c29", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.FC.316": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9957": [[48, 90]], "Indicator: MSIL.Backdoor.Orcus.A": [[91, 112]], "Indicator: Troj.Spy.Msil!c": [[113, 128]], "Indicator: Trojan.DownLoader25.14345": [[129, 154]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[155, 184]], "Indicator: TrojanSpy.MSIL.sam": [[185, 203]], "Indicator: TR/Dropper.MSIL.yknpx": [[204, 225]], "Indicator: PWS:MSIL/Orcus.A!bit": [[226, 246]], "Indicator: 
Win-Trojan/OrcusRAT.Exp": [[247, 270]], "Indicator: Trj/CI.A": [[271, 279]], "Indicator: Win32/Trojan.Spy.c29": [[280, 300]]}, "info": {"id": "cyner2_5class_train_05678", "source": "cyner2_5class_train"}}
+{"text": "A year later, a more dangerous version was released.", "spans": {}, "info": {"id": "cyner2_5class_train_05679", "source": "cyner2_5class_train"}}
+{"text": "“ jackhex ” is not a common word or phrase and , as noted above , was also seen in the beacon activity with the previously discussed 9002 sample .", "spans": {"Malware: 9002": [[133, 137]]}, "info": {"id": "cyner2_5class_train_05680", "source": "cyner2_5class_train"}}
+{"text": "This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day .", "spans": {}, "info": {"id": "cyner2_5class_train_05681", "source": "cyner2_5class_train"}}
+{"text": "The malware spreads very fast using Telegram messenger application in smartphones, targeting high-profile Libyan influential and political figures.", "spans": {"Malware: malware": [[4, 11]], "System: Telegram messenger application": [[36, 66]], "System: smartphones,": [[70, 82]], "Organization: high-profile Libyan influential": [[93, 124]], "Organization: political figures.": [[129, 147]]}, "info": {"id": "cyner2_5class_train_05682", "source": "cyner2_5class_train"}}
+{"text": "Method doInBackground : to send information to remote C2 server As seen from the major code body of method doInBackground shown in Figure 3 ( some of the original classes and methods are renamed for easier understanding ) , there are three calls to HttpPost with different contents as parameters .", "spans": {}, "info": {"id": "cyner2_5class_train_05683", "source": "cyner2_5class_train"}}
+{"text": "Much of the contents of that report are reproduced here.", "spans": {}, "info": {"id": "cyner2_5class_train_05684", "source": "cyner2_5class_train"}}
+{"text": "This actor has 
shown a surprising level of amateur actions , including code overlaps , open-source project copy/paste , classes never being instanced , unstable packages and unsecured panels .", "spans": {}, "info": {"id": "cyner2_5class_train_05685", "source": "cyner2_5class_train"}}
+{"text": "Thanks to a relative lack of security controls applied to mobile devices , these devices have become very attractive targets for a broad range of malicious actors .", "spans": {}, "info": {"id": "cyner2_5class_train_05686", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Win32.Stration PUA.Packed.MEW-1 IM-Worm.Win32.Sumom.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Stration": [[26, 40]], "Indicator: PUA.Packed.MEW-1": [[41, 57]], "Indicator: IM-Worm.Win32.Sumom.C": [[58, 79]]}, "info": {"id": "cyner2_5class_train_05687", "source": "cyner2_5class_train"}}
+{"text": "In a seven-hour window, Raytheon | Websense stopped over 16,000 malicious email messages from being delivered to customers, all of which appear to have been Japanese targets.", "spans": {"Organization: Raytheon": [[24, 32]], "Indicator: malicious email messages": [[64, 88]]}, "info": {"id": "cyner2_5class_train_05688", "source": "cyner2_5class_train"}}
+{"text": "The exploit code attached used for dropping the malware is older – CVE-2012-0158 – and from our vantage point, we have no indication of successful or failed exploitation.", "spans": {"Malware: The exploit code": [[0, 16]], "Malware: malware": [[48, 55]], "Vulnerability: exploitation.": [[157, 170]]}, "info": {"id": "cyner2_5class_train_05689", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/W32.OptixKill.31744 Trojan/OptixKill.10 TROJ_OPTIXKILL.F Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan.HEHF-6024 TROJ_OPTIXKILL.F Win.Trojan.Killer-4 Trojan.Win32.OptixKill.10 Trojan.Win32.OptixKill.dkur Trojan.Win32.A.OptixKill.31744 TrojWare.Win32.OptixKill.10 Trojan.OptixKiller 
Trojan.OptixKill.Win32.20 Trojan/Win32.OptixKill.10 W32.Trojan.Backdoor-Ealim TR/OptixKill.10 Trojan/Win32.OptixKill Trojan:Win32/Optixkiller.A Troj.W32.OptixKill.10!c Trojan.Win32.OptixKill.10 Trojan/Win32.HDC.C1938 Trojan.OptixKill Trj/OptixKill.10 Win32/OptixKill.10 Win32.Trojan.Optixkill.Wsat Trojan.OptixKill!RjZYoc6lQeg Trojan-PWS.Win32.Lmir.wj W32/OptixKill.10!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.OptixKill.31744": [[26, 52]], "Indicator: Trojan/OptixKill.10": [[53, 72]], "Indicator: TROJ_OPTIXKILL.F": [[73, 89], [154, 170]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[90, 132]], "Indicator: W32/Trojan.HEHF-6024": [[133, 153]], "Indicator: Win.Trojan.Killer-4": [[171, 190]], "Indicator: Trojan.Win32.OptixKill.10": [[191, 216], [491, 516]], "Indicator: Trojan.Win32.OptixKill.dkur": [[217, 244]], "Indicator: Trojan.Win32.A.OptixKill.31744": [[245, 275]], "Indicator: TrojWare.Win32.OptixKill.10": [[276, 303]], "Indicator: Trojan.OptixKiller": [[304, 322]], "Indicator: Trojan.OptixKill.Win32.20": [[323, 348]], "Indicator: Trojan/Win32.OptixKill.10": [[349, 374]], "Indicator: W32.Trojan.Backdoor-Ealim": [[375, 400]], "Indicator: TR/OptixKill.10": [[401, 416]], "Indicator: Trojan/Win32.OptixKill": [[417, 439]], "Indicator: Trojan:Win32/Optixkiller.A": [[440, 466]], "Indicator: Troj.W32.OptixKill.10!c": [[467, 490]], "Indicator: Trojan/Win32.HDC.C1938": [[517, 539]], "Indicator: Trojan.OptixKill": [[540, 556]], "Indicator: Trj/OptixKill.10": [[557, 573]], "Indicator: Win32/OptixKill.10": [[574, 592]], "Indicator: Win32.Trojan.Optixkill.Wsat": [[593, 620]], "Indicator: Trojan.OptixKill!RjZYoc6lQeg": [[621, 649]], "Indicator: Trojan-PWS.Win32.Lmir.wj": [[650, 674]], "Indicator: W32/OptixKill.10!tr": [[675, 694]]}, "info": {"id": "cyner2_5class_train_05690", "source": "cyner2_5class_train"}} +{"text": "While threat actors using the PlugX Trojan typically leverage legitimate executables to load their malicious DLLs through 
a technique called DLL side-loading, Unit 42 has observed a new executable in use for this purpose.", "spans": {"Malware: PlugX Trojan": [[30, 42]], "Indicator: DLL side-loading,": [[141, 158]], "Organization: Unit 42": [[159, 166]]}, "info": {"id": "cyner2_5class_train_05691", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Conficker.lh Trojan.Win32.Spy Win32.Troj.Undef.kcloud Trojan.Kazy.D2002F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: BehavesLike.Win32.Conficker.lh": [[69, 99]], "Indicator: Trojan.Win32.Spy": [[100, 116]], "Indicator: Win32.Troj.Undef.kcloud": [[117, 140]], "Indicator: Trojan.Kazy.D2002F": [[141, 159]]}, "info": {"id": "cyner2_5class_train_05692", "source": "cyner2_5class_train"}} +{"text": "Although Banker has been in the wild for years, this time we see it using a Dynamic Loading Library DLL with malicious exported functions.", "spans": {"Indicator: Dynamic Loading Library": [[76, 99]], "Malware: malicious exported functions.": [[109, 138]]}, "info": {"id": "cyner2_5class_train_05693", "source": "cyner2_5class_train"}} +{"text": "It was first reported in 2013 under the version number 2.0-LNK where it used the tag BaneChant in its command-and-control C2 network request.", "spans": {"Malware: 2.0-LNK": [[55, 62]], "Malware: BaneChant": [[85, 94]], "Indicator: command-and-control C2 network request.": [[102, 141]]}, "info": {"id": "cyner2_5class_train_05694", "source": "cyner2_5class_train"}} +{"text": "Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.", "spans": {"Indicator: ability to intercept SMS communications,": [[11, 51]], "Malware: malware": [[56, 63]], "Indicator: bypass SMS-based two-factor authentication.": [[80, 123]]}, "info": {"id": "cyner2_5class_train_05695", "source": "cyner2_5class_train"}} 
+{"text": "In 2019, X-Force IRIS incident responders observed ITG03 conducting a campaign against a financial institution in Southeast Asia targeting the institution's SWIFT environment.", "spans": {"Organization: X-Force IRIS": [[9, 21]], "Organization: a financial institution": [[87, 110]], "Organization: the institution's SWIFT environment.": [[139, 175]]}, "info": {"id": "cyner2_5class_train_05696", "source": "cyner2_5class_train"}} +{"text": "The targets and capabilities of HenBox , in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries , indicates this activity likely represents an at least three-year-old espionage campaign .", "spans": {"Malware: HenBox": [[32, 38]]}, "info": {"id": "cyner2_5class_train_05697", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 W32/Small.WMNN-1529 TSPY_ONLING.SMIF Trojan.Win32.OnLineGames.vmk Trojan.DownLoader4.46724 TSPY_ONLING.SMIF W32/Small.IH TR/Fakealert.39719 TrojanDownloader:Win32/Rarcon.B Trojan.Graftor.D46F5 Trojan-Downloader.Win32.Small Win32/Trojan.add", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: W32/Small.WMNN-1529": [[47, 66]], "Indicator: TSPY_ONLING.SMIF": [[67, 83], [138, 154]], "Indicator: Trojan.Win32.OnLineGames.vmk": [[84, 112]], "Indicator: Trojan.DownLoader4.46724": [[113, 137]], "Indicator: W32/Small.IH": [[155, 167]], "Indicator: TR/Fakealert.39719": [[168, 186]], "Indicator: TrojanDownloader:Win32/Rarcon.B": [[187, 218]], "Indicator: Trojan.Graftor.D46F5": [[219, 239]], "Indicator: Trojan-Downloader.Win32.Small": [[240, 269]], "Indicator: Win32/Trojan.add": [[270, 286]]}, "info": {"id": "cyner2_5class_train_05698", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.SmForw.AE Android.Trojan.SMSSend.IA AndroidOS/Trojan.DPEF-9 Android.Trojan.SMSSend.IA 
A.H.Int.SmsThief.DBA Trojan.Android.SmsForward.duiqpk Android.SmsSpy.672.origin Trojan[SMS]/Android.SmForw.aa Android.Trojan.SMSSend.IA Android-Trojan/SmsSend.915f Trojan.AndroidOS.Lockerpin", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.SmForw.AE": [[26, 43]], "Indicator: Android.Trojan.SMSSend.IA": [[44, 69], [94, 119], [230, 255]], "Indicator: AndroidOS/Trojan.DPEF-9": [[70, 93]], "Indicator: A.H.Int.SmsThief.DBA": [[120, 140]], "Indicator: Trojan.Android.SmsForward.duiqpk": [[141, 173]], "Indicator: Android.SmsSpy.672.origin": [[174, 199]], "Indicator: Trojan[SMS]/Android.SmForw.aa": [[200, 229]], "Indicator: Android-Trojan/SmsSend.915f": [[256, 283]], "Indicator: Trojan.AndroidOS.Lockerpin": [[284, 310]]}, "info": {"id": "cyner2_5class_train_05699", "source": "cyner2_5class_train"}} +{"text": "SageCrypt downloaders, often poorly detected at the network level due to the usage of LetsEncrypt certificates.", "spans": {"Malware: SageCrypt downloaders,": [[0, 22]], "Indicator: LetsEncrypt certificates.": [[86, 111]]}, "info": {"id": "cyner2_5class_train_05700", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packer.Morphine.B Packer.Morphine.B Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Conhook-11 Packer.Morphine.B Packer.Morphine.B Packer.Morphine.B TrojWare.Win32.PkdMorphine.~AN Packer.Morphine.B Trojan.Click.3614 BehavesLike.Win32.Pykse.gc Trojan.Win32.BHO Packed.Morphine.a Trojan:Win32/Bohojan.A Packer.Morphine.B W32/BHO.BO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packer.Morphine.B": [[26, 43], [44, 61], [127, 144], [145, 162], [163, 180], [212, 229], [333, 350]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[62, 104]], "Indicator: Win.Trojan.Conhook-11": [[105, 126]], "Indicator: TrojWare.Win32.PkdMorphine.~AN": [[181, 211]], "Indicator: Trojan.Click.3614": [[230, 247]], "Indicator: BehavesLike.Win32.Pykse.gc": [[248, 274]], "Indicator: Trojan.Win32.BHO": [[275, 291]], "Indicator: 
Packed.Morphine.a": [[292, 309]], "Indicator: Trojan:Win32/Bohojan.A": [[310, 332]], "Indicator: W32/BHO.BO!tr": [[351, 364]]}, "info": {"id": "cyner2_5class_train_05701", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Newspy W32/NionSpy.e!dr TROJ_MEWSPY.CE Trojan.Win32.MewsSpy.drsazo TrojWare.Win32.TrojanDownloader.Geral.A Win32.MewsSpy.47 TROJ_MEWSPY.CE BehavesLike.Win32.DocumentCrypt.cc Virus.Win32.MewsSpy W32/Trojan.OBEZ-9322 Trojan.Kazy.D2524 Trojan:Win32/Newspy.A Trj/CI.A Win32.Virus.Mewsspy.Hroy W32/MewsSpy.AE Win32/Trojan.22f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Newspy": [[26, 39]], "Indicator: W32/NionSpy.e!dr": [[40, 56]], "Indicator: TROJ_MEWSPY.CE": [[57, 71], [157, 171]], "Indicator: Trojan.Win32.MewsSpy.drsazo": [[72, 99]], "Indicator: TrojWare.Win32.TrojanDownloader.Geral.A": [[100, 139]], "Indicator: Win32.MewsSpy.47": [[140, 156]], "Indicator: BehavesLike.Win32.DocumentCrypt.cc": [[172, 206]], "Indicator: Virus.Win32.MewsSpy": [[207, 226]], "Indicator: W32/Trojan.OBEZ-9322": [[227, 247]], "Indicator: Trojan.Kazy.D2524": [[248, 265]], "Indicator: Trojan:Win32/Newspy.A": [[266, 287]], "Indicator: Trj/CI.A": [[288, 296]], "Indicator: Win32.Virus.Mewsspy.Hroy": [[297, 321]], "Indicator: W32/MewsSpy.AE": [[322, 336]], "Indicator: Win32/Trojan.22f": [[337, 353]]}, "info": {"id": "cyner2_5class_train_05702", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.SWF.CVE-2014-8439.A Trojan.Swifi TROJ_FRS.PMA000B515 Swf.Exploit.Angler-4 Trojan.Swf.CVE20140515.dsfxmi SWF.Z.CVE-2014-0515.87352 Exploit.SWF.376 TROJ_FRS.PMA000B515 BehavesLike.Flash.Exploit.cb Exploit:SWF/Axpergle.B SWF/Exploit.ExKit.H Exploit.SWF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.SWF.CVE-2014-8439.A": [[26, 49]], "Indicator: Trojan.Swifi": [[50, 62]], "Indicator: TROJ_FRS.PMA000B515": [[63, 82], [176, 195]], "Indicator: Swf.Exploit.Angler-4": [[83, 103]], "Indicator: 
Trojan.Swf.CVE20140515.dsfxmi": [[104, 133]], "Indicator: SWF.Z.CVE-2014-0515.87352": [[134, 159]], "Indicator: Exploit.SWF.376": [[160, 175]], "Indicator: BehavesLike.Flash.Exploit.cb": [[196, 224]], "Indicator: Exploit:SWF/Axpergle.B": [[225, 247]], "Indicator: SWF/Exploit.ExKit.H": [[248, 267]], "Indicator: Exploit.SWF": [[268, 279]]}, "info": {"id": "cyner2_5class_train_05703", "source": "cyner2_5class_train"}} +{"text": "Command execution Command execution can create havoc for victim if the malware developer decides to execute commands in the victim ’ s device .", "spans": {}, "info": {"id": "cyner2_5class_train_05704", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan:Win32/Plugx.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan:Win32/Plugx.B": [[26, 46]]}, "info": {"id": "cyner2_5class_train_05705", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Downloader.Zlob.Win32.16141 Trojan.Kazy.D15115 Win32.Trojan.WisdomEyes.16070401.9500.9987 TROJ_ZLOB.HRX Win.Trojan.Zlob-2206 Trojan-Downloader.Win32.Zlob.vjl Trojan.Win32.Zlob.cvogpg TrojWare.Win32.TrojanDownloader.Zlob.~YG Trojan.Popuper.7315 TROJ_ZLOB.HRX Trojan.Zlob TrojanDownloader.Zlob.lui TR/Dldr.Zlob.pea.1 Trojan[Downloader]/Win32.Zlob Trojan-Downloader.Win32.Zlob.vjl Trojan/Win32.Zlob.R23708 Trojan.Zlob.23616 Win32/TrojanDownloader.Zlob.CHF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Zlob.Win32.16141": [[26, 53]], "Indicator: Trojan.Kazy.D15115": [[54, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[73, 115]], "Indicator: TROJ_ZLOB.HRX": [[116, 129], [270, 283]], "Indicator: Win.Trojan.Zlob-2206": [[130, 150]], "Indicator: Trojan-Downloader.Win32.Zlob.vjl": [[151, 183], [371, 403]], "Indicator: Trojan.Win32.Zlob.cvogpg": [[184, 208]], "Indicator: TrojWare.Win32.TrojanDownloader.Zlob.~YG": [[209, 249]], "Indicator: Trojan.Popuper.7315": [[250, 269]], "Indicator: Trojan.Zlob": [[284, 295]], "Indicator: 
TrojanDownloader.Zlob.lui": [[296, 321]], "Indicator: TR/Dldr.Zlob.pea.1": [[322, 340]], "Indicator: Trojan[Downloader]/Win32.Zlob": [[341, 370]], "Indicator: Trojan/Win32.Zlob.R23708": [[404, 428]], "Indicator: Trojan.Zlob.23616": [[429, 446]], "Indicator: Win32/TrojanDownloader.Zlob.CHF": [[447, 478]]}, "info": {"id": "cyner2_5class_train_05706", "source": "cyner2_5class_train"}} +{"text": "It will check the version of Android installed and decide which library should be patched .", "spans": {"System: Android": [[29, 36]]}, "info": {"id": "cyner2_5class_train_05707", "source": "cyner2_5class_train"}} +{"text": "For five months, Check Point mobile threat researchers had unprecedented, behind the scenes access to a group of cybercriminals in China.", "spans": {"Organization: Check Point mobile threat researchers": [[17, 54]]}, "info": {"id": "cyner2_5class_train_05708", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Zusy.D3C813 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan.Zusy.D3C813": [[69, 87]], "Indicator: Trj/GdSda.A": [[88, 99]]}, "info": {"id": "cyner2_5class_train_05709", "source": "cyner2_5class_train"}} +{"text": "This particular operation has been active since approximately May 2016 up to the present time .", "spans": {}, "info": {"id": "cyner2_5class_train_05710", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.KolabcK.PE Net-Worm.Win32.Kolabc!O W32.Futu.A2 Win32.Virus.Probably.c W32.Blaster.Worm PE_FUTU.A Win.Exploit.DCOM-5 Win32.Trojan-Dropper.Rbot.A Virus.Win32.Kolabc.brlvjf W32.W.Kolabc.m0xC Virus.Win32.Kolabc.aab BackDoor.Swz.125 Worm.Kolabc.Win32.2973 PE_FUTU.A BehavesLike.Win32.Backdoor.wz Worm[Net]/Win32.Kolabc Worm.Kolabc.gu.kcloud Worm/Win32.Kolabc.R68544 BackDoor.Swz! 
Trojan-Proxy.Win32.Ranky W32/Kolabc.GU!worm.im Worm.Kolabc W32/BadFuture.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.KolabcK.PE": [[26, 46]], "Indicator: Net-Worm.Win32.Kolabc!O": [[47, 70]], "Indicator: W32.Futu.A2": [[71, 82]], "Indicator: Win32.Virus.Probably.c": [[83, 105]], "Indicator: W32.Blaster.Worm": [[106, 122]], "Indicator: PE_FUTU.A": [[123, 132], [287, 296]], "Indicator: Win.Exploit.DCOM-5": [[133, 151]], "Indicator: Win32.Trojan-Dropper.Rbot.A": [[152, 179]], "Indicator: Virus.Win32.Kolabc.brlvjf": [[180, 205]], "Indicator: W32.W.Kolabc.m0xC": [[206, 223]], "Indicator: Virus.Win32.Kolabc.aab": [[224, 246]], "Indicator: BackDoor.Swz.125": [[247, 263]], "Indicator: Worm.Kolabc.Win32.2973": [[264, 286]], "Indicator: BehavesLike.Win32.Backdoor.wz": [[297, 326]], "Indicator: Worm[Net]/Win32.Kolabc": [[327, 349]], "Indicator: Worm.Kolabc.gu.kcloud": [[350, 371]], "Indicator: Worm/Win32.Kolabc.R68544": [[372, 396]], "Indicator: BackDoor.Swz!": [[397, 410]], "Indicator: Trojan-Proxy.Win32.Ranky": [[411, 435]], "Indicator: W32/Kolabc.GU!worm.im": [[436, 457]], "Indicator: Worm.Kolabc": [[458, 469]], "Indicator: W32/BadFuture.A": [[470, 485]]}, "info": {"id": "cyner2_5class_train_05711", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.4A43 Trojan.Application.LoadMoney.Razy.8 Win32.Adware.Kryptik.c Infostealer.Limitail Win.Trojan.Loadmoney-12443 not-a-virus:Downloader.Win32.Plocust.dwa Trojan.Win32.LoadMoney.cspznv TrojWare.Win32.Kryptik.BAJ Trojan.LoadMoney.15 Trojan/StartPage.pch RiskWare[Downloader]/Win32.Plocust.dwa not-a-virus:Downloader.Win32.Plocust.dwa PUP/Win32.LoadMoney.R99289 TScope.Malware-Cryptor.SB Trojan.Win32.Spy Win32/Application.a8e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.4A43": [[26, 44]], "Indicator: Trojan.Application.LoadMoney.Razy.8": [[45, 80]], "Indicator: Win32.Adware.Kryptik.c": [[81, 103]], "Indicator: Infostealer.Limitail": [[104, 124]], 
"Indicator: Win.Trojan.Loadmoney-12443": [[125, 151]], "Indicator: not-a-virus:Downloader.Win32.Plocust.dwa": [[152, 192], [330, 370]], "Indicator: Trojan.Win32.LoadMoney.cspznv": [[193, 222]], "Indicator: TrojWare.Win32.Kryptik.BAJ": [[223, 249]], "Indicator: Trojan.LoadMoney.15": [[250, 269]], "Indicator: Trojan/StartPage.pch": [[270, 290]], "Indicator: RiskWare[Downloader]/Win32.Plocust.dwa": [[291, 329]], "Indicator: PUP/Win32.LoadMoney.R99289": [[371, 397]], "Indicator: TScope.Malware-Cryptor.SB": [[398, 423]], "Indicator: Trojan.Win32.Spy": [[424, 440]], "Indicator: Win32/Application.a8e": [[441, 462]]}, "info": {"id": "cyner2_5class_train_05712", "source": "cyner2_5class_train"}} +{"text": "An unknown attacker gained access to the Bangladesh Bank's BB SWIFT payment system and reportedly instructed an American bank to transfer money from BB's account to accounts in The Philippines.", "spans": {"Organization: Bangladesh Bank's BB": [[41, 61]], "System: SWIFT payment system": [[62, 82]], "Organization: American bank": [[112, 125]], "Indicator: transfer money from BB's account to accounts": [[129, 173]]}, "info": {"id": "cyner2_5class_train_05713", "source": "cyner2_5class_train"}} +{"text": "The Stegoloader malware family also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan was first identified at the end of 2013 and has attracted little public attention.", "spans": {"Malware: Stegoloader malware": [[4, 23]], "Indicator: Win32/Gatak.DR": [[45, 59]], "Indicator: TSPY_GATAK.GTK": [[64, 78]], "Malware: Gataka banking trojan": [[125, 146]]}, "info": {"id": "cyner2_5class_train_05714", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D2B9C9 Trojan.Delf.Win32.71682 BehavesLike.Win32.BadFile.hh PUA.Toolbar.TB Trojan:Win32/Waqlop.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D2B9C9": [[26, 47]], "Indicator: Trojan.Delf.Win32.71682": [[48, 71]], 
"Indicator: BehavesLike.Win32.BadFile.hh": [[72, 100]], "Indicator: PUA.Toolbar.TB": [[101, 115]], "Indicator: Trojan:Win32/Waqlop.A": [[116, 137]]}, "info": {"id": "cyner2_5class_train_05715", "source": "cyner2_5class_train"}} +{"text": "It is of interest primarily because it operates in conjunction with various banking win32-Trojans .", "spans": {"System: win32-Trojans": [[84, 97]]}, "info": {"id": "cyner2_5class_train_05716", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Scar!O Trojan.Scar Win.Trojan.Scar-8271 Trojan.Win32.Scar.evwf Trojan.Win32.A.Scar.53248.I W32.W.WBNA.lJwt Trojan.Scar.Win32.68398 BehavesLike.Win32.VBObfus.lz Trojan.Win32.Scar Trojan/Scar.azur Trojan/Win32.Scar Trojan.Win32.Scar.evwf Trojan/Win32.Scar.R55318 Trojan.Scar Win32/VB.ROS Win32.Trojan.Scar.Pbfp Trojan.Scar!dNffxsGO4PU W32/Scar.EVWF!tr Win32/Trojan.b39", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Scar!O": [[26, 45]], "Indicator: Trojan.Scar": [[46, 57], [300, 311]], "Indicator: Win.Trojan.Scar-8271": [[58, 78]], "Indicator: Trojan.Win32.Scar.evwf": [[79, 101], [252, 274]], "Indicator: Trojan.Win32.A.Scar.53248.I": [[102, 129]], "Indicator: W32.W.WBNA.lJwt": [[130, 145]], "Indicator: Trojan.Scar.Win32.68398": [[146, 169]], "Indicator: BehavesLike.Win32.VBObfus.lz": [[170, 198]], "Indicator: Trojan.Win32.Scar": [[199, 216]], "Indicator: Trojan/Scar.azur": [[217, 233]], "Indicator: Trojan/Win32.Scar": [[234, 251]], "Indicator: Trojan/Win32.Scar.R55318": [[275, 299]], "Indicator: Win32/VB.ROS": [[312, 324]], "Indicator: Win32.Trojan.Scar.Pbfp": [[325, 347]], "Indicator: Trojan.Scar!dNffxsGO4PU": [[348, 371]], "Indicator: W32/Scar.EVWF!tr": [[372, 388]], "Indicator: Win32/Trojan.b39": [[389, 405]]}, "info": {"id": "cyner2_5class_train_05717", "source": "cyner2_5class_train"}} +{"text": "Fidelis Cybersecurity analysis has identified unrelated cyber criminal activity leveraging the vulnerability cited in CVE-2014-4114, which was 
initially exploited by advanced persistent threat APT actors in October 2014.", "spans": {"Organization: Fidelis Cybersecurity analysis": [[0, 30]], "Vulnerability: vulnerability": [[95, 108]], "Indicator: CVE-2014-4114,": [[118, 132]], "Vulnerability: exploited": [[153, 162]]}, "info": {"id": "cyner2_5class_train_05718", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.E1FFDC Trojan.Win32.Delf.cxivds BehavesLike.Win32.Trojan.gh TR/Dldr.Slarkic.H.4 Trojan[Downloader]/Win32.Unknown TrojanDownloader:Win32/Notorgatro.B Trojan/Win32.CSon.R2885 Downloader.Delphi Trj/CI.A Win32/Trojan.BO.0a3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.E1FFDC": [[26, 50]], "Indicator: Trojan.Win32.Delf.cxivds": [[51, 75]], "Indicator: BehavesLike.Win32.Trojan.gh": [[76, 103]], "Indicator: TR/Dldr.Slarkic.H.4": [[104, 123]], "Indicator: Trojan[Downloader]/Win32.Unknown": [[124, 156]], "Indicator: TrojanDownloader:Win32/Notorgatro.B": [[157, 192]], "Indicator: Trojan/Win32.CSon.R2885": [[193, 216]], "Indicator: Downloader.Delphi": [[217, 234]], "Indicator: Trj/CI.A": [[235, 243]], "Indicator: Win32/Trojan.BO.0a3": [[244, 263]]}, "info": {"id": "cyner2_5class_train_05719", "source": "cyner2_5class_train"}} +{"text": "Technical Analysis “ Agent Smith ” has a modular structure and consists of the following modules : Loader Core Boot Patch AdSDK Updater As stated above , the first step of this infection chain is the dropper .", "spans": {"Malware: Agent Smith": [[21, 32]]}, "info": {"id": "cyner2_5class_train_05720", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Protux Backdoor/Protux.wz Trojan.Win32.Protux.pdpbh Backdoor.Trojan Protux.AO Backdoor.Win32.Protux.ws Backdoor.Protux!x0RB0sLZXQU Win32.HLLW.Autoruner1.4496 BDS/Protux.ws Heuristic.BehavesLike.Win32.Backdoor.H Backdoor/Protux.ht Win32.Troj.Undef.kcloud Backdoor.Win32.A.Protux.102400.A Backdoor/Win32.Trojan Backdoor.Protux 
Backdoor.Trojan Backdoor.Win32.Protux W32/Protux.WS!tr.bdr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Protux": [[26, 41], [344, 359]], "Indicator: Backdoor/Protux.wz": [[42, 60]], "Indicator: Trojan.Win32.Protux.pdpbh": [[61, 86]], "Indicator: Backdoor.Trojan": [[87, 102], [360, 375]], "Indicator: Protux.AO": [[103, 112]], "Indicator: Backdoor.Win32.Protux.ws": [[113, 137]], "Indicator: Backdoor.Protux!x0RB0sLZXQU": [[138, 165]], "Indicator: Win32.HLLW.Autoruner1.4496": [[166, 192]], "Indicator: BDS/Protux.ws": [[193, 206]], "Indicator: Heuristic.BehavesLike.Win32.Backdoor.H": [[207, 245]], "Indicator: Backdoor/Protux.ht": [[246, 264]], "Indicator: Win32.Troj.Undef.kcloud": [[265, 288]], "Indicator: Backdoor.Win32.A.Protux.102400.A": [[289, 321]], "Indicator: Backdoor/Win32.Trojan": [[322, 343]], "Indicator: Backdoor.Win32.Protux": [[376, 397]], "Indicator: W32/Protux.WS!tr.bdr": [[398, 418]], "Indicator: Trj/CI.A": [[419, 427]]}, "info": {"id": "cyner2_5class_train_05721", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Obfuscated.FA Trojan.Win32.Zapchast!IK Dropper.Win32.Mnless.fxg Trojan.Win32.Zapchast", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Obfuscated.FA": [[26, 43]], "Indicator: Trojan.Win32.Zapchast!IK": [[44, 68]], "Indicator: Dropper.Win32.Mnless.fxg": [[69, 93]], "Indicator: Trojan.Win32.Zapchast": [[94, 115]]}, "info": {"id": "cyner2_5class_train_05722", "source": "cyner2_5class_train"}} +{"text": "The reader looked at the config and realized that his router got a new, suspicious entry in the NTP server name field, namely", "spans": {"Organization: reader": [[4, 10]], "Indicator: config": [[25, 31]], "System: router": [[54, 60]], "Indicator: suspicious entry": [[72, 88]], "Indicator: NTP server name": [[96, 111]]}, "info": {"id": "cyner2_5class_train_05723", "source": "cyner2_5class_train"}} +{"text": "This functionality can be easily further extended to steal other information 
, such as bank credentials , although we did not see any banks being targeted in this attack .", "spans": {}, "info": {"id": "cyner2_5class_train_05724", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Nimda.E Win32.Trojan.HotKeysHook.b W32/NetWorm.YYMQ-0484 Win32/Nimda.E Win.Worm.N-74 Win32.Trojan.HotKeysHook.A Net-Worm.Win32.Nimda.e Trojan.Win32.Nimda.glkx Win32.HLLW.Nimda.57344 Worm.Nimda.Win32.79 W32/NetWorm.BF W32/Nimda.3 Worm[Net]/Win32.Nimda.e Trojan.Strictor.D1109F Net-Worm.Win32.Nimda.e Trojan/Win32.HDC.C61626 Worm.Nimda Worm.Nimda!YOZDpQiibZo Trojan.I-Worm.Nimda Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Nimda.E": [[26, 37]], "Indicator: Win32.Trojan.HotKeysHook.b": [[38, 64]], "Indicator: W32/NetWorm.YYMQ-0484": [[65, 86]], "Indicator: Win32/Nimda.E": [[87, 100]], "Indicator: Win.Worm.N-74": [[101, 114]], "Indicator: Win32.Trojan.HotKeysHook.A": [[115, 141]], "Indicator: Net-Worm.Win32.Nimda.e": [[142, 164], [306, 328]], "Indicator: Trojan.Win32.Nimda.glkx": [[165, 188]], "Indicator: Win32.HLLW.Nimda.57344": [[189, 211]], "Indicator: Worm.Nimda.Win32.79": [[212, 231]], "Indicator: W32/NetWorm.BF": [[232, 246]], "Indicator: W32/Nimda.3": [[247, 258]], "Indicator: Worm[Net]/Win32.Nimda.e": [[259, 282]], "Indicator: Trojan.Strictor.D1109F": [[283, 305]], "Indicator: Trojan/Win32.HDC.C61626": [[329, 352]], "Indicator: Worm.Nimda": [[353, 363]], "Indicator: Worm.Nimda!YOZDpQiibZo": [[364, 386]], "Indicator: Trojan.I-Worm.Nimda": [[387, 406]], "Indicator: Trj/CI.A": [[407, 415]]}, "info": {"id": "cyner2_5class_train_05725", "source": "cyner2_5class_train"}} +{"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources .", "spans": {}, "info": {"id": "cyner2_5class_train_05726", "source": "cyner2_5class_train"}} +{"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED 
android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events .", "spans": {"Indicator: android.provider.Telephony.SMS_RECEIVED": [[38, 77]], "Indicator: android.net.conn.CONNECTIVITY_CHANGE": [[78, 114]], "Indicator: android.intent.action.BATTERY_CHANGED": [[115, 152]], "Indicator: android.intent.action.USER_PRESENT": [[153, 187]], "Indicator: android.intent.action.PHONE_STATE": [[188, 221]], "Indicator: android.net.wifi.SCAN_RESULTS": [[222, 251]], "Indicator: android.intent.action.PACKAGE_ADDED": [[252, 287]], "Indicator: android.intent.action.PACKAGE_REMOVED": [[288, 325]], "Indicator: android.intent.action.SCREEN_OFF": [[326, 358]], "Indicator: android.intent.action.SCREEN_ON": [[359, 390]], "Indicator: android.media.RINGER_MODE_CHANGED": [[391, 424]], "Indicator: android.sms.msg.action.SMS_SEND": [[425, 456]], "Indicator: android.sms.msg.action.SMS_DELIVERED": [[457, 493]], "Malware: XLoader": [[525, 532]]}, "info": {"id": "cyner2_5class_train_05727", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Java/Jacksbot.W Backdoor.Trojan Java.Jacksbot.136 BehavesLike.Win32.Trojan.wc Java/Jacksbot.W Trojan.Java.ce Trj/CI.A Win32/Trojan.407", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Java/Jacksbot.W": [[26, 41], [104, 119]], "Indicator: Backdoor.Trojan": [[42, 57]], "Indicator: Java.Jacksbot.136": [[58, 75]], "Indicator: BehavesLike.Win32.Trojan.wc": [[76, 103]], "Indicator: Trojan.Java.ce": [[120, 134]], "Indicator: Trj/CI.A": [[135, 143]], "Indicator: Win32/Trojan.407": [[144, 
160]]}, "info": {"id": "cyner2_5class_train_05728", "source": "cyner2_5class_train"}} +{"text": "The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August.", "spans": {"Organization: state": [[17, 22]], "Organization: local government agencies": [[27, 52]], "Indicator: distribution methods": [[68, 88]], "Malware: CryptFile2": [[111, 121]]}, "info": {"id": "cyner2_5class_train_05729", "source": "cyner2_5class_train"}} +{"text": "We detected yet another 51 Trojan porn clickers accessible for the users to download.", "spans": {"Malware: 51 Trojan porn clickers": [[24, 47]]}, "info": {"id": "cyner2_5class_train_05730", "source": "cyner2_5class_train"}} +{"text": "EVENTBOT VERSION 0.3.0.1 Additional Assets Based on Country / Region EventBot-23aEventBot Spanish and Italian Images in Spanish and Italian added in version 0.3.0.1 .", "spans": {}, "info": {"id": "cyner2_5class_train_05731", "source": "cyner2_5class_train"}} +{"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a module for submitting all exfiltrated data to the server .", "spans": {"Indicator: http : //54.67.109.199/skype_resource/libmp3lame.dll": [[86, 138]], "Indicator: skype_sync2.exe": [[143, 158]], "Indicator: \\\\vmware-host\\Shared": [[239, 259]], "Indicator: Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb": [[260, 338]], "Indicator: network.exe": [[339, 350]]}, "info": {"id": "cyner2_5class_train_05732", "source": "cyner2_5class_train"}} +{"text": "In other words , the C2 server can specify the message contents to be sent , the time period in which 
to forward the voice call , and the recipients of outgoing messages .", "spans": {}, "info": {"id": "cyner2_5class_train_05733", "source": "cyner2_5class_train"}} +{"text": "Dell SecureWorks Counter Threat Unit™ CTU researchers analyzed spam campaigns that distributed the AdWind remote access trojan RAT.", "spans": {"Organization: Dell SecureWorks Counter Threat Unit™ CTU researchers": [[0, 53]], "Malware: AdWind remote access trojan RAT.": [[99, 131]]}, "info": {"id": "cyner2_5class_train_05734", "source": "cyner2_5class_train"}} +{"text": "Following a previous discovery, FireEye Labs mobile researchers discovered another malicious adware family quickly spreading worldwide that allows for complete takeover of a user's Android device.", "spans": {"Organization: FireEye Labs mobile researchers": [[32, 63]], "Malware: malicious adware family": [[83, 106]], "System: Android device.": [[181, 196]]}, "info": {"id": "cyner2_5class_train_05735", "source": "cyner2_5class_train"}} +{"text": "This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors.", "spans": {"Organization: South American banks": [[37, 57]], "Indicator: to steal credentials": [[72, 92]], "Indicator: financial gain": [[128, 142]]}, "info": {"id": "cyner2_5class_train_05736", "source": "cyner2_5class_train"}} +{"text": "Ironically, Ben-Gurion University is home to Israel's Cyber Security Research Center.", "spans": {"Organization: Ben-Gurion University": [[12, 33]], "Organization: Israel's Cyber Security Research Center.": [[45, 85]]}, "info": {"id": "cyner2_5class_train_05737", "source": "cyner2_5class_train"}} +{"text": "First Signs in September 2019 In September 2019 , a tweet by CERT-Bund caught the attention of the IBM Trusteer Mobile Security Research team .", "spans": {"Organization: CERT-Bund": [[61, 70]], "Organization: IBM Trusteer Mobile Security Research": [[99, 136]]}, "info": {"id": 
"cyner2_5class_train_05738", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05739", "source": "cyner2_5class_train"}} +{"text": "Gooligan then downloads a rootkit from the C & C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android 4 and 5": [[89, 104]], "Vulnerability: VROOT": [[139, 144]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: Towelroot": [[167, 176]], "Vulnerability: CVE-2014-3153": [[179, 192]]}, "info": {"id": "cyner2_5class_train_05740", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Typic!O Downldr.TonickCS.S543700 Dropper.Typic.Win32.736 Trojan/Dropper.Typic.arx Win32.Trojan-Downloader.VB.p Win32/Fruspam.GF Win.Trojan.Typic-1 Trojan-Downloader.Win32.Dapato.stb Trojan.Win32.Typic.dvexc TrojWare.Win32.TrojanDownloader.VB.OSNA TrojanDropper.Typic.me Trojan[Dropper]/Win32.Typic Dropper/Win32.Typic.R2031 TrojanDownloader.VB Trojan.Downloader.WCA Win32/TrojanDownloader.VB.OSN Trojan.DR.Typic!OCnhzJxHb3A Backdoor.Win32.Bifrose Trj/Downloader.XOR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Typic!O": [[26, 54]], "Indicator: Downldr.TonickCS.S543700": [[55, 79]], "Indicator: Dropper.Typic.Win32.736": [[80, 103]], "Indicator: Trojan/Dropper.Typic.arx": [[104, 128]], "Indicator: Win32.Trojan-Downloader.VB.p": [[129, 157]], "Indicator: Win32/Fruspam.GF": [[158, 174]], "Indicator: Win.Trojan.Typic-1": [[175, 193]], "Indicator: Trojan-Downloader.Win32.Dapato.stb": [[194, 228]], "Indicator: Trojan.Win32.Typic.dvexc": [[229, 253]], "Indicator: TrojWare.Win32.TrojanDownloader.VB.OSNA": [[254, 293]], "Indicator: TrojanDropper.Typic.me": [[294, 316]], "Indicator: Trojan[Dropper]/Win32.Typic": [[317, 344]], "Indicator: Dropper/Win32.Typic.R2031": [[345, 370]], 
"Indicator: TrojanDownloader.VB": [[371, 390]], "Indicator: Trojan.Downloader.WCA": [[391, 412]], "Indicator: Win32/TrojanDownloader.VB.OSN": [[413, 442]], "Indicator: Trojan.DR.Typic!OCnhzJxHb3A": [[443, 470]], "Indicator: Backdoor.Win32.Bifrose": [[471, 493]], "Indicator: Trj/Downloader.XOR": [[494, 512]]}, "info": {"id": "cyner2_5class_train_05741", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Shylock Trojan.Win32.Inject1.dkmayz Trojan.Win32.Z.Matrix.5088483 Trojan.Inject1.30662 Trojan.Blocker.Win32.12010 Trojan.Win32.Trxa W32/Trojan.SIWU-6483 Backdoor/Androm.ayy Trojan/Win32.Unknown Trojan.Matrix.1 Trojan:Win32/Trxa.A Backdoor.Androm Trj/CI.A Msil.Trojan.Kryptik.Lnej Trojan.Kryptik!0hVPn+vQuN8 MSIL/Kryptik.OR!tr Win32/Trojan.edc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[26, 68]], "Indicator: Trojan.Shylock": [[69, 83]], "Indicator: Trojan.Win32.Inject1.dkmayz": [[84, 111]], "Indicator: Trojan.Win32.Z.Matrix.5088483": [[112, 141]], "Indicator: Trojan.Inject1.30662": [[142, 162]], "Indicator: Trojan.Blocker.Win32.12010": [[163, 189]], "Indicator: Trojan.Win32.Trxa": [[190, 207]], "Indicator: W32/Trojan.SIWU-6483": [[208, 228]], "Indicator: Backdoor/Androm.ayy": [[229, 248]], "Indicator: Trojan/Win32.Unknown": [[249, 269]], "Indicator: Trojan.Matrix.1": [[270, 285]], "Indicator: Trojan:Win32/Trxa.A": [[286, 305]], "Indicator: Backdoor.Androm": [[306, 321]], "Indicator: Trj/CI.A": [[322, 330]], "Indicator: Msil.Trojan.Kryptik.Lnej": [[331, 355]], "Indicator: Trojan.Kryptik!0hVPn+vQuN8": [[356, 382]], "Indicator: MSIL/Kryptik.OR!tr": [[383, 401]], "Indicator: Win32/Trojan.edc": [[402, 418]]}, "info": {"id": "cyner2_5class_train_05742", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9967 Trojan.VB.Win32.113731 Backdoor.Win32.Cinasquel Backdoor:Win32/Cinasquel.A 
Backdoor/Win32.RemoteAccess.R125850", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[26, 68]], "Indicator: Trojan.VB.Win32.113731": [[69, 91]], "Indicator: Backdoor.Win32.Cinasquel": [[92, 116]], "Indicator: Backdoor:Win32/Cinasquel.A": [[117, 143]], "Indicator: Backdoor/Win32.RemoteAccess.R125850": [[144, 179]]}, "info": {"id": "cyner2_5class_train_05743", "source": "cyner2_5class_train"}} +{"text": "Comodo Threat Research Labs CTRL identified a new phishing email, that contains a malware file, and spread to email user with subject Dossier M978885982A -", "spans": {"Organization: Comodo Threat Research Labs CTRL": [[0, 32]], "Indicator: phishing email,": [[50, 65]], "Malware: malware file,": [[82, 95]], "Indicator: email": [[110, 115]], "Indicator: subject Dossier M978885982A": [[126, 153]]}, "info": {"id": "cyner2_5class_train_05744", "source": "cyner2_5class_train"}} +{"text": "Adobe may have already patched a Flash Player vulnerability last week, but several users—especially those in the US, Canada, and the UK —are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems.", "spans": {"Organization: Adobe": [[0, 5]], "System: Flash Player": [[33, 45]], "Malware: at": [[173, 175]], "Malware: CryptoWall 3.0. 
The Magnitude Exploit Kit": [[206, 247]], "Malware: exploit,": [[260, 268]], "Indicator: SWF_EXPLOIT.MJTE,": [[281, 298]], "Vulnerability: vulnerability,": [[312, 326]], "Malware: crypto-ransomware": [[356, 373]], "System: target systems.": [[385, 400]]}, "info": {"id": "cyner2_5class_train_05745", "source": "cyner2_5class_train"}} +{"text": "In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet.", "spans": {"Indicator: indicators of compromise,": [[14, 39]], "Indicator: domains": [[51, 58]]}, "info": {"id": "cyner2_5class_train_05746", "source": "cyner2_5class_train"}} +{"text": "During the app execution , the malware contacts C2 domain for further instructions .", "spans": {}, "info": {"id": "cyner2_5class_train_05747", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Trojan.Script.32120 Trojan.Script.D7D78 Win32.Trojan.WisdomEyes.16070401.9500.9925 Dropped:Trojan.Script.32120 Script.Trojan.Script.Eddq Dropped:Trojan.Script.32120 Trojan.DownLoad1.58708 Dropped:Trojan.Script.32120 Trojan/Win32.Xema.C28003 Dropped:Trojan.Script.32120", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Trojan.Script.32120": [[26, 53], [117, 144], [171, 198], [222, 249], [275, 302]], "Indicator: Trojan.Script.D7D78": [[54, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9925": [[74, 116]], "Indicator: Script.Trojan.Script.Eddq": [[145, 170]], "Indicator: Trojan.DownLoad1.58708": [[199, 221]], "Indicator: Trojan/Win32.Xema.C28003": [[250, 274]]}, "info": {"id": "cyner2_5class_train_05748", "source": "cyner2_5class_train"}} +{"text": "It also used multiple anti-analysis techniques and the final payload was written in Delphi which is quite unique to the banking trojan landscape.", "spans": {"Malware: the final payload": [[51, 68]], "Malware: Delphi": [[84, 90]], "Malware: the banking trojan": [[116, 134]]}, "info": {"id": 
"cyner2_5class_train_05749", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Cloda4a.Trojan.4db2 Backdoor/W32.EvilBot.49184.D Backdoor/Evilbot.a Backdoor.Evilbot!ON36921kndI Backdoor.Evilbot BKDR_EVILBOT.A Backdoor.Win32.Evilbot.a Trojan.Win32.Evilbot.dgrj Backdoor.Win32.A.Evilbot.49184 Backdoor.Win32.Brat BackDoor.Brat BDS/Brat.A BKDR_EVILBOT.A Trojan[Backdoor]/Win32.Evilbot Win32.Hack.EvilBot.a.kcloud W32/Risk.PNHY-7386 Bck/Evilbot.H PE:Trojan.Evilbot.a!1173766179 Backdoor.Win32.Evilbot W32/EvilBot.A2!tr Backdoor.Win32.Evilbot.AMnQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Cloda4a.Trojan.4db2": [[26, 49]], "Indicator: Backdoor/W32.EvilBot.49184.D": [[50, 78]], "Indicator: Backdoor/Evilbot.a": [[79, 97]], "Indicator: Backdoor.Evilbot!ON36921kndI": [[98, 126]], "Indicator: Backdoor.Evilbot": [[127, 143]], "Indicator: BKDR_EVILBOT.A": [[144, 158], [286, 300]], "Indicator: Backdoor.Win32.Evilbot.a": [[159, 183]], "Indicator: Trojan.Win32.Evilbot.dgrj": [[184, 209]], "Indicator: Backdoor.Win32.A.Evilbot.49184": [[210, 240]], "Indicator: Backdoor.Win32.Brat": [[241, 260]], "Indicator: BackDoor.Brat": [[261, 274]], "Indicator: BDS/Brat.A": [[275, 285]], "Indicator: Trojan[Backdoor]/Win32.Evilbot": [[301, 331]], "Indicator: Win32.Hack.EvilBot.a.kcloud": [[332, 359]], "Indicator: W32/Risk.PNHY-7386": [[360, 378]], "Indicator: Bck/Evilbot.H": [[379, 392]], "Indicator: PE:Trojan.Evilbot.a!1173766179": [[393, 423]], "Indicator: Backdoor.Win32.Evilbot": [[424, 446]], "Indicator: W32/EvilBot.A2!tr": [[447, 464]], "Indicator: Backdoor.Win32.Evilbot.AMnQ": [[465, 492]]}, "info": {"id": "cyner2_5class_train_05750", "source": "cyner2_5class_train"}} +{"text": "Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim .", "spans": {}, "info": {"id": "cyner2_5class_train_05751", "source": "cyner2_5class_train"}} +{"text": "The most widely infected major Android versions are 
KitKat with 50 percent , followed by Jelly Bean with 40 percent .", "spans": {"System: Android": [[31, 38]], "System: KitKat": [[52, 58]], "System: Jelly Bean": [[89, 99]]}, "info": {"id": "cyner2_5class_train_05752", "source": "cyner2_5class_train"}} +{"text": "Report on APT attacks against Korea by AhnLab.", "spans": {"Indicator: attacks": [[14, 21]], "Organization: AhnLab.": [[39, 46]]}, "info": {"id": "cyner2_5class_train_05753", "source": "cyner2_5class_train"}} +{"text": "Upon receiving the command GUIFXB , the spyware launches a fake Facebook login page .", "spans": {"System: Facebook": [[64, 72]]}, "info": {"id": "cyner2_5class_train_05754", "source": "cyner2_5class_train"}} +{"text": "Phones ? November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai .", "spans": {"System: Android": [[99, 106]]}, "info": {"id": "cyner2_5class_train_05755", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeSmssV.Trojan Backdoor/W32.Jewdo.14848 Backdoor.Win32.Jewdo!O Backdoor.Jedobot.A4 Trojan.Downloader Backdoor/Jewdo.a WORM_JEWDO.SMD Win32.Backdoor.Dipeok.b W32/Trojan3.PWU Backdoor.Warbot WORM_JEWDO.SMD Win.Downloader.94233-1 Trojan.Win32.Fsysna.diom Trojan.Win32.Jewdo.rvcd Backdoor.Win32.Jewdo.14848 Troj.W32.Fsysna.tnhD BackDoor.Ddoser.432 Backdoor.Win32.Jewdo W32/Trojan.YZKF-7158 Trojan[Backdoor]/Win32.Jewdo Win32.Hack.Jewdo.kcloud Backdoor:Win32/Jedobot.A Trojan.Win32.Fsysna.diom Trojan/Win32.Jewdo.R4708 Backdoor.Jewdo Trojan.Dipeok.A Win32/Dipeok.A Backdoor.Win32.Jewdo.a W32/Jewdo.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeSmssV.Trojan": [[26, 46]], "Indicator: Backdoor/W32.Jewdo.14848": [[47, 71]], "Indicator: Backdoor.Win32.Jewdo!O": [[72, 94]], "Indicator: Backdoor.Jedobot.A4": [[95, 114]], "Indicator: Trojan.Downloader": [[115, 132]], 
"Indicator: Backdoor/Jewdo.a": [[133, 149]], "Indicator: WORM_JEWDO.SMD": [[150, 164], [221, 235]], "Indicator: Win32.Backdoor.Dipeok.b": [[165, 188]], "Indicator: W32/Trojan3.PWU": [[189, 204]], "Indicator: Backdoor.Warbot": [[205, 220]], "Indicator: Win.Downloader.94233-1": [[236, 258]], "Indicator: Trojan.Win32.Fsysna.diom": [[259, 283], [496, 520]], "Indicator: Trojan.Win32.Jewdo.rvcd": [[284, 307]], "Indicator: Backdoor.Win32.Jewdo.14848": [[308, 334]], "Indicator: Troj.W32.Fsysna.tnhD": [[335, 355]], "Indicator: BackDoor.Ddoser.432": [[356, 375]], "Indicator: Backdoor.Win32.Jewdo": [[376, 396]], "Indicator: W32/Trojan.YZKF-7158": [[397, 417]], "Indicator: Trojan[Backdoor]/Win32.Jewdo": [[418, 446]], "Indicator: Win32.Hack.Jewdo.kcloud": [[447, 470]], "Indicator: Backdoor:Win32/Jedobot.A": [[471, 495]], "Indicator: Trojan/Win32.Jewdo.R4708": [[521, 545]], "Indicator: Backdoor.Jewdo": [[546, 560]], "Indicator: Trojan.Dipeok.A": [[561, 576]], "Indicator: Win32/Dipeok.A": [[577, 591]], "Indicator: Backdoor.Win32.Jewdo.a": [[592, 614]], "Indicator: W32/Jewdo.A!tr": [[615, 629]]}, "info": {"id": "cyner2_5class_train_05756", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/Delf.aarf Trojan.Win32.Delf.djezh Backdoor.Trojan Malware.XSSC BKDR_DELF.RFY Backdoor.Win32.Delf.aarf Backdoor.Delf!KqYaW6LeN/8 BKDR_DELF.RFY Backdoor:Win32/Dekara.A Backdoor/Win32.Delf Backdoor.Delf Backdoor.Trojan!rem Trojan-Dropper.Delf W32/Delf.AARF!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Delf.aarf": [[26, 44]], "Indicator: Trojan.Win32.Delf.djezh": [[45, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: Malware.XSSC": [[85, 97]], "Indicator: BKDR_DELF.RFY": [[98, 111], [163, 176]], "Indicator: Backdoor.Win32.Delf.aarf": [[112, 136]], "Indicator: Backdoor.Delf!KqYaW6LeN/8": [[137, 162]], "Indicator: Backdoor:Win32/Dekara.A": [[177, 200]], "Indicator: Backdoor/Win32.Delf": [[201, 220]], "Indicator: Backdoor.Delf": [[221, 
234]], "Indicator: Backdoor.Trojan!rem": [[235, 254]], "Indicator: Trojan-Dropper.Delf": [[255, 274]], "Indicator: W32/Delf.AARF!tr.bdr": [[275, 295]]}, "info": {"id": "cyner2_5class_train_05757", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 BehavesLike.Win32.Backdoor.cc Backdoor:Win32/Govrat.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[26, 68]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[69, 98]], "Indicator: Backdoor:Win32/Govrat.A": [[99, 122]]}, "info": {"id": "cyner2_5class_train_05758", "source": "cyner2_5class_train"}} +{"text": "Based on data aggregated from a controlled sinkhole, Fidelis Cybersecurity has observed some notable changes with the primary command and control C&C and conducted in-depth analysis of the secondary C&C Domain Generation Algorithim DGA.", "spans": {"Indicator: sinkhole,": [[43, 52]], "Organization: Fidelis Cybersecurity": [[53, 74]], "Indicator: primary command and control C&C": [[118, 149]], "System: C&C Domain Generation Algorithim DGA.": [[199, 236]]}, "info": {"id": "cyner2_5class_train_05759", "source": "cyner2_5class_train"}} +{"text": "As outlined in the diagram above , It installs an additional application with the same functionality and these two applications monitor the removal of each other .", "spans": {}, "info": {"id": "cyner2_5class_train_05760", "source": "cyner2_5class_train"}} +{"text": "It can also access the phone ’ s cameras and microphone .", "spans": {}, "info": {"id": "cyner2_5class_train_05761", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.PopUpper!O Worm.Shamli.A3 Trojan.PopUpper.Win32.66 Trojan.ShellStartup.E6CAF2 Win32.Trojan.WisdomEyes.16070401.9500.9949 Trojan.Win32.PopUpper.eg W32.Virut.low6 Trojan.MulDrop3.38938 BehavesLike.Win32.VBObfus.tz Trojan/PopUpper.bi Trojan/Win32.PopUpper Worm:Win32/Shamli.A Trojan.Win32.A.PopUpper.1695744 
Trojan.Win32.PopUpper.eg Trojan/Win32.PopUpper.R52146 MAS.Trojan.VB.0879 Win32/VB.ODX Trojan.Win32.PopUpper W32/Popupper.A!tr Trj/Shamli.A Win32/Trojan.41d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.PopUpper!O": [[26, 49]], "Indicator: Worm.Shamli.A3": [[50, 64]], "Indicator: Trojan.PopUpper.Win32.66": [[65, 89]], "Indicator: Trojan.ShellStartup.E6CAF2": [[90, 116]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9949": [[117, 159]], "Indicator: Trojan.Win32.PopUpper.eg": [[160, 184], [344, 368]], "Indicator: W32.Virut.low6": [[185, 199]], "Indicator: Trojan.MulDrop3.38938": [[200, 221]], "Indicator: BehavesLike.Win32.VBObfus.tz": [[222, 250]], "Indicator: Trojan/PopUpper.bi": [[251, 269]], "Indicator: Trojan/Win32.PopUpper": [[270, 291]], "Indicator: Worm:Win32/Shamli.A": [[292, 311]], "Indicator: Trojan.Win32.A.PopUpper.1695744": [[312, 343]], "Indicator: Trojan/Win32.PopUpper.R52146": [[369, 397]], "Indicator: MAS.Trojan.VB.0879": [[398, 416]], "Indicator: Win32/VB.ODX": [[417, 429]], "Indicator: Trojan.Win32.PopUpper": [[430, 451]], "Indicator: W32/Popupper.A!tr": [[452, 469]], "Indicator: Trj/Shamli.A": [[470, 482]], "Indicator: Win32/Trojan.41d": [[483, 499]]}, "info": {"id": "cyner2_5class_train_05762", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.Joiner Trojan.DR.Joiner!+J8FCDf4wyY W32/Dropper.AVHN Backdoor.Colfusion W32/Microjoin.IG Win32/Joiner.U BKDR_JOINER.U Trojan-Dropper.Win32.Joiner.u Trojan.Dropper.Joiner Trojan-PWS.Win32.Atrojan!IK TrojWare.Win32.TrojanDropper.Joiner.U Trojan.Dropper.Joiner Trojan.MulDrop.210 BKDR_JOINER.U TrojanDropper.Win32.Joiner.u Trojan.Dropper.Joiner W32/Dropper.AVHN Dropper/Joiner.44544 Win32/TrojanDropper.Joiner.U Dropper.Joiner.by Trojan-PWS.Win32.Atrojan W32/Joiner.U!tr Dropper.Delf.AW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.Joiner": [[26, 47], [189, 210], [277, 298], [361, 382]], "Indicator: Trojan.DR.Joiner!+J8FCDf4wyY": 
[[48, 76]], "Indicator: W32/Dropper.AVHN": [[77, 93], [383, 399]], "Indicator: Backdoor.Colfusion": [[94, 112]], "Indicator: W32/Microjoin.IG": [[113, 129]], "Indicator: Win32/Joiner.U": [[130, 144]], "Indicator: BKDR_JOINER.U": [[145, 158], [318, 331]], "Indicator: Trojan-Dropper.Win32.Joiner.u": [[159, 188]], "Indicator: Trojan-PWS.Win32.Atrojan!IK": [[211, 238]], "Indicator: TrojWare.Win32.TrojanDropper.Joiner.U": [[239, 276]], "Indicator: Trojan.MulDrop.210": [[299, 317]], "Indicator: TrojanDropper.Win32.Joiner.u": [[332, 360]], "Indicator: Dropper/Joiner.44544": [[400, 420]], "Indicator: Win32/TrojanDropper.Joiner.U": [[421, 449]], "Indicator: Dropper.Joiner.by": [[450, 467]], "Indicator: Trojan-PWS.Win32.Atrojan": [[468, 492]], "Indicator: W32/Joiner.U!tr": [[493, 508]], "Indicator: Dropper.Delf.AW": [[509, 524]]}, "info": {"id": "cyner2_5class_train_05763", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Riskware.Confuser! Trojan.Win32.SteamBurglar.dmdrlr Trojan.SteamBurglar.621 Trojan.Katusha.Win32.39398 BehavesLike.Win32.Backdoor.cc TR/Confuser.181248 MSIL/Injector.LTM!tr PWS:MSIL/Stimilini.C Trj/CI.A Trojan.MSIL.Stimilik MSIL6.AKRX Trojan.MSIL.Stimilik.DT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Riskware.Confuser!": [[26, 44]], "Indicator: Trojan.Win32.SteamBurglar.dmdrlr": [[45, 77]], "Indicator: Trojan.SteamBurglar.621": [[78, 101]], "Indicator: Trojan.Katusha.Win32.39398": [[102, 128]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[129, 158]], "Indicator: TR/Confuser.181248": [[159, 177]], "Indicator: MSIL/Injector.LTM!tr": [[178, 198]], "Indicator: PWS:MSIL/Stimilini.C": [[199, 219]], "Indicator: Trj/CI.A": [[220, 228]], "Indicator: Trojan.MSIL.Stimilik": [[229, 249]], "Indicator: MSIL6.AKRX": [[250, 260]], "Indicator: Trojan.MSIL.Stimilik.DT": [[261, 284]]}, "info": {"id": "cyner2_5class_train_05764", "source": "cyner2_5class_train"}} +{"text": "DotRunpeX is a new injector written in .NET using the Process 
Hollowing technique and used to infect systems with a variety of known malware families.", "spans": {"Malware: DotRunpeX": [[0, 9]], "Malware: new injector": [[15, 27]], "System: .NET": [[39, 43]], "Indicator: the Process Hollowing technique": [[50, 81]], "System: systems": [[101, 108]], "Malware: malware families.": [[133, 150]]}, "info": {"id": "cyner2_5class_train_05765", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Sdbot.worm Backdoor.Shark.Win32.1896 Backdoor/Shark.ed Win32.Trojan.WisdomEyes.16070401.9500.9984 W32/Backdoor2.ETS Packed.Win32.Black.a Trojan.Win32.Shark.wxsv Packer.W32.Black.lbw7 Packed.Win32..Black.~A Trojan.Packed.650 W32/Sdbot.worm BDS/Shark.N Trojan[Packed]/Win32.Black Win32.Hack.Shark.eu.kcloud Backdoor:Win32/Sharke.H Backdoor.Win32.Shark.1483254 Packed/Win32.Black.C34704 Win32/Shark.RU Backdoor.Win32.Shark W32/Packed.2D18!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Sdbot.worm": [[26, 40], [254, 268]], "Indicator: Backdoor.Shark.Win32.1896": [[41, 66]], "Indicator: Backdoor/Shark.ed": [[67, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[85, 127]], "Indicator: W32/Backdoor2.ETS": [[128, 145]], "Indicator: Packed.Win32.Black.a": [[146, 166]], "Indicator: Trojan.Win32.Shark.wxsv": [[167, 190]], "Indicator: Packer.W32.Black.lbw7": [[191, 212]], "Indicator: Packed.Win32..Black.~A": [[213, 235]], "Indicator: Trojan.Packed.650": [[236, 253]], "Indicator: BDS/Shark.N": [[269, 280]], "Indicator: Trojan[Packed]/Win32.Black": [[281, 307]], "Indicator: Win32.Hack.Shark.eu.kcloud": [[308, 334]], "Indicator: Backdoor:Win32/Sharke.H": [[335, 358]], "Indicator: Backdoor.Win32.Shark.1483254": [[359, 387]], "Indicator: Packed/Win32.Black.C34704": [[388, 413]], "Indicator: Win32/Shark.RU": [[414, 428]], "Indicator: Backdoor.Win32.Shark": [[429, 449]], "Indicator: W32/Packed.2D18!tr": [[450, 468]]}, "info": {"id": "cyner2_5class_train_05766", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: W32.HfsAutoB.243F Backdoor.Win32.HacDef.073!O Win32.Trojan.WisdomEyes.16070401.9500.9837 Backdoor.HackDefender Win.Trojan.PcClient-54 Backdoor.Win32.Hupigon.p Trojan.Win32.Maran.enrszy Backdoor.W32.Rbot.lgxa BackDoor.HackDef.239 Backdoor/HacDef.084 BDS/Hacdef.084 Trojan[Backdoor]/Win32.Hupigon Backdoor.Win32.A.Hupigon.41500 Backdoor.Win32.Hupigon.p Trojan/Win32.Xema.C75969 Trojan.Obfuscated!wEhK/9pikzI Trojan-Dropper.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.243F": [[26, 43]], "Indicator: Backdoor.Win32.HacDef.073!O": [[44, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9837": [[72, 114]], "Indicator: Backdoor.HackDefender": [[115, 136]], "Indicator: Win.Trojan.PcClient-54": [[137, 159]], "Indicator: Backdoor.Win32.Hupigon.p": [[160, 184], [352, 376]], "Indicator: Trojan.Win32.Maran.enrszy": [[185, 210]], "Indicator: Backdoor.W32.Rbot.lgxa": [[211, 233]], "Indicator: BackDoor.HackDef.239": [[234, 254]], "Indicator: Backdoor/HacDef.084": [[255, 274]], "Indicator: BDS/Hacdef.084": [[275, 289]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[290, 320]], "Indicator: Backdoor.Win32.A.Hupigon.41500": [[321, 351]], "Indicator: Trojan/Win32.Xema.C75969": [[377, 401]], "Indicator: Trojan.Obfuscated!wEhK/9pikzI": [[402, 431]], "Indicator: Trojan-Dropper.Delf": [[432, 451]]}, "info": {"id": "cyner2_5class_train_05767", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PSW.Glacier TrojanPWS.Glacier Trojan.PSW.Glacier Trojan/PSW.glacier W32/Glacier.A Win32/GDoor.F BKDR_GLACIER.A Win.Spyware.9313-2 Trojan.PSW.Glacier Trojan-PSW.Win32.Glacier Trojan.PSW.Glacier Trojan.Win32.Glacier.furm Troj.Psw.W32!c Win32.Trojan-qqpass.Qqrob.Hyx Trojan.PSW.Glacier TrojWare.Win32.PSW.Glacier Trojan.PSW.Glacier Trojan.PWS.Glacier Trojan.Glacier.Win32.8 BKDR_GLACIER.A BackDoor-FR.svr W32/Glacier.UXNT-8441 Backdoor/G_Door.b Trojan.PSW.Glacier Trojan.Win32.Glacier Trojan-PSW.Win32.Glacier 
Win-Trojan/GDoor.262144 BackDoor-FR.svr TrojanPSW.Glacier Trojan.Glacier Win32/PSW.Glacier Trojan.PWS.Glacier!4KEClY9FaHQ Trojan-PWS.Win32.Glacier W32/Glacier.A!tr.pws Win32/Trojan.ff1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Glacier": [[26, 44], [63, 81], [163, 181], [207, 225], [297, 315], [343, 361], [475, 493]], "Indicator: TrojanPWS.Glacier": [[45, 62]], "Indicator: Trojan/PSW.glacier": [[82, 100]], "Indicator: W32/Glacier.A": [[101, 114]], "Indicator: Win32/GDoor.F": [[115, 128]], "Indicator: BKDR_GLACIER.A": [[129, 143], [404, 418]], "Indicator: Win.Spyware.9313-2": [[144, 162]], "Indicator: Trojan-PSW.Win32.Glacier": [[182, 206], [515, 539]], "Indicator: Trojan.Win32.Glacier.furm": [[226, 251]], "Indicator: Troj.Psw.W32!c": [[252, 266]], "Indicator: Win32.Trojan-qqpass.Qqrob.Hyx": [[267, 296]], "Indicator: TrojWare.Win32.PSW.Glacier": [[316, 342]], "Indicator: Trojan.PWS.Glacier": [[362, 380]], "Indicator: Trojan.Glacier.Win32.8": [[381, 403]], "Indicator: BackDoor-FR.svr": [[419, 434], [564, 579]], "Indicator: W32/Glacier.UXNT-8441": [[435, 456]], "Indicator: Backdoor/G_Door.b": [[457, 474]], "Indicator: Trojan.Win32.Glacier": [[494, 514]], "Indicator: Win-Trojan/GDoor.262144": [[540, 563]], "Indicator: TrojanPSW.Glacier": [[580, 597]], "Indicator: Trojan.Glacier": [[598, 612]], "Indicator: Win32/PSW.Glacier": [[613, 630]], "Indicator: Trojan.PWS.Glacier!4KEClY9FaHQ": [[631, 661]], "Indicator: Trojan-PWS.Win32.Glacier": [[662, 686]], "Indicator: W32/Glacier.A!tr.pws": [[687, 707]], "Indicator: Win32/Trojan.ff1": [[708, 724]]}, "info": {"id": "cyner2_5class_train_05768", "source": "cyner2_5class_train"}} +{"text": "Figure 14 : disabling infected apps auto-update Figure 15 : changing the settings of the update timeout The Ad Displaying Payload Following all of the above , now is the time to take a look into the actual payload that displays ads to the victim .", "spans": {}, "info": {"id": "cyner2_5class_train_05769", "source": 
"cyner2_5class_train"}} +{"text": "The incident took place in the network of an East Asian company that develops data-loss prevention DLP software.", "spans": {"System: the network": [[27, 38]], "Organization: East Asian company": [[45, 63]], "System: data-loss prevention DLP software.": [[78, 112]]}, "info": {"id": "cyner2_5class_train_05770", "source": "cyner2_5class_train"}} +{"text": "This group was named Winnti", "spans": {}, "info": {"id": "cyner2_5class_train_05771", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.P2P.Spear.E Win32.P2P.Spear.E I-Worm.Spear.d.n8 W32/Spear.worm.d!p2p Worm.Spear.Win32.12 W32/Spear.d Win32.P2P.Spear.E Trojan.Win32.Spear.enxr W32/Spear.D W32.HLLW.Yoohoo Spear.M Win32/Spear.G WORM_SPEAR.D P2P-Worm.Win32.Spear.d Worm.P2P.Spear.D Worm.Win32.P2P-Spear.15360[h] Win32.P2P.Spear.E Worm.Win32.Spear.D Win32.P2P.Spear.E Win32.HLLW.Spear.15360 WORM_SPEAR.D W32/Spear.worm.d!p2p W32/Spear.YBIW-1290 Worm/P2P.Spear.e Worm/P2P.Spear Worm.Spear.d.kcloud Worm:Win32/Spear.D Win32.P2P.Spear.E Win32/Spear.worm.40448 Win32.P2P.Spear.E W32/Spear.D Win32/Spear.D Win32.Worm-p2p.Spear.Efao Worm.P2P.Spear.Based W32/Spear.D!worm.p2p Worm.Win32.Spear.aAAZ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.P2P.Spear.E": [[26, 43], [44, 61], [133, 150], [308, 325], [345, 362], [511, 528], [552, 569]], "Indicator: I-Worm.Spear.d.n8": [[62, 79]], "Indicator: W32/Spear.worm.d!p2p": [[80, 100], [399, 419]], "Indicator: Worm.Spear.Win32.12": [[101, 120]], "Indicator: W32/Spear.d": [[121, 132]], "Indicator: Trojan.Win32.Spear.enxr": [[151, 174]], "Indicator: W32/Spear.D": [[175, 186], [570, 581]], "Indicator: W32.HLLW.Yoohoo": [[187, 202]], "Indicator: Spear.M": [[203, 210]], "Indicator: Win32/Spear.G": [[211, 224]], "Indicator: WORM_SPEAR.D": [[225, 237], [386, 398]], "Indicator: P2P-Worm.Win32.Spear.d": [[238, 260]], "Indicator: Worm.P2P.Spear.D": [[261, 277]], "Indicator: Worm.Win32.P2P-Spear.15360[h]": [[278, 307]], 
"Indicator: Worm.Win32.Spear.D": [[326, 344]], "Indicator: Win32.HLLW.Spear.15360": [[363, 385]], "Indicator: W32/Spear.YBIW-1290": [[420, 439]], "Indicator: Worm/P2P.Spear.e": [[440, 456]], "Indicator: Worm/P2P.Spear": [[457, 471]], "Indicator: Worm.Spear.d.kcloud": [[472, 491]], "Indicator: Worm:Win32/Spear.D": [[492, 510]], "Indicator: Win32/Spear.worm.40448": [[529, 551]], "Indicator: Win32/Spear.D": [[582, 595]], "Indicator: Win32.Worm-p2p.Spear.Efao": [[596, 621]], "Indicator: Worm.P2P.Spear.Based": [[622, 642]], "Indicator: W32/Spear.D!worm.p2p": [[643, 663]], "Indicator: Worm.Win32.Spear.aAAZ": [[664, 685]]}, "info": {"id": "cyner2_5class_train_05772", "source": "cyner2_5class_train"}} +{"text": "MyReceiver and AlarmReceiver start the MainService whenever appropriate events occur .", "spans": {}, "info": {"id": "cyner2_5class_train_05773", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanSpy.Neos.A3 Trojan.Razy.D1F24 TSPY_NEOS.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_NEOS.SM Win.Dropper.Skyneos-6192156-1 Trojan.Win32.KeyLogger.dbjjal TrojWare.MSIL.Spy.Keylogger.agk Trojan.MulDrop3.2465 Win32.Troj.Undef.kcloud TrojanSpy:MSIL/Neos.A Spyware.Keylogger Spyware/Win32.KeyLogger.R30636 Win32.Trojan.Spy.Wqdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanSpy.Neos.A3": [[26, 43]], "Indicator: Trojan.Razy.D1F24": [[44, 61]], "Indicator: TSPY_NEOS.SM": [[62, 74], [118, 130]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[75, 117]], "Indicator: Win.Dropper.Skyneos-6192156-1": [[131, 160]], "Indicator: Trojan.Win32.KeyLogger.dbjjal": [[161, 190]], "Indicator: TrojWare.MSIL.Spy.Keylogger.agk": [[191, 222]], "Indicator: Trojan.MulDrop3.2465": [[223, 243]], "Indicator: Win32.Troj.Undef.kcloud": [[244, 267]], "Indicator: TrojanSpy:MSIL/Neos.A": [[268, 289]], "Indicator: Spyware.Keylogger": [[290, 307]], "Indicator: Spyware/Win32.KeyLogger.R30636": [[308, 338]], "Indicator: Win32.Trojan.Spy.Wqdr": [[339, 
360]]}, "info": {"id": "cyner2_5class_train_05774", "source": "cyner2_5class_train"}} +{"text": "By browsing EventBot ’ s installation path on the device , we can see the library dropped in the app_dex folder .", "spans": {"Malware: EventBot": [[12, 20]]}, "info": {"id": "cyner2_5class_train_05775", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Orsam.A3 TSPY_PATUN.SMHA Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAV Win32/Petun.B TSPY_PATUN.SMHA BehavesLike.Win32.PWSZbot.nm PWS:MSIL/Petun.A MSIL.Trojan-Spy.Petun.B Trojan.KeyLogger.MSIL Trojan-Spy.Win32.Zbot MSIL/KeyLogger.BA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Orsam.A3": [[26, 41]], "Indicator: TSPY_PATUN.SMHA": [[42, 57], [129, 144]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[58, 100]], "Indicator: Trojan.FakeAV": [[101, 114]], "Indicator: Win32/Petun.B": [[115, 128]], "Indicator: BehavesLike.Win32.PWSZbot.nm": [[145, 173]], "Indicator: PWS:MSIL/Petun.A": [[174, 190]], "Indicator: MSIL.Trojan-Spy.Petun.B": [[191, 214]], "Indicator: Trojan.KeyLogger.MSIL": [[215, 236]], "Indicator: Trojan-Spy.Win32.Zbot": [[237, 258]], "Indicator: MSIL/KeyLogger.BA!tr": [[259, 279]]}, "info": {"id": "cyner2_5class_train_05776", "source": "cyner2_5class_train"}} +{"text": "It requires attention and action from system developers , device manufacturers , app developers , and users , so that vulnerability fixes are patched , distributed , adopted and installed in time .", "spans": {}, "info": {"id": "cyner2_5class_train_05777", "source": "cyner2_5class_train"}} +{"text": "Generic Windows Defender ATP detections trigger alerts on FinFisher behavior While our analysis has allowed us to immediately protect our customers , we ’ d like to share our insights and add to the growing number of published analyses by other talented researchers ( listed below this blog post ) .", "spans": {"System: Windows Defender ATP": [[8, 28]], "Malware: FinFisher": [[58, 
67]]}, "info": {"id": "cyner2_5class_train_05778", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Rat.10 Backdoor/W32.RAT.8192.B Backdoor.Rat Backdoor/RAT.10 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.XWXN-0597 Win32/Rat.10 BKDR_RAT.10 Win.Trojan.Rat-4 Backdoor.Rat.10 Backdoor.Win32.RAT.10 Backdoor.Rat.10 Trojan.Win32.RAT.bqzxxm Backdoor.Win32.Rat_10.Svr Backdoor.W32.RAT.10!c Backdoor.Rat.10 Troj/Rat-1.0B Backdoor.Win32.Rat-10._0 Backdoor.Rat.10 BackDoor.Rat.10 Backdoor.RAT.Win32.24 BKDR_RAT.10 BehavesLike.Win32.PUP.xz Backdoor/Rat.10 Trojan[Backdoor]/Win32.RAT Backdoor:Win32/Rat.1_0 Backdoor.Rat.10 Backdoor.Win32.RAT.10 Backdoor.Rat.10 Backdoor.Rat.10 Bck/Rat.1_0 Rat.10 Win32.Backdoor.Rat.Szbj Backdoor.RAT!GoQkQzcwjDw W32/Rat.10!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Rat.10": [[26, 41], [201, 216], [239, 254], [327, 342], [382, 397], [539, 554], [577, 592], [593, 608]], "Indicator: Backdoor/W32.RAT.8192.B": [[42, 65]], "Indicator: Backdoor.Rat": [[66, 78]], "Indicator: Backdoor/RAT.10": [[79, 94]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[95, 137]], "Indicator: W32/Trojan.XWXN-0597": [[138, 158]], "Indicator: Win32/Rat.10": [[159, 171]], "Indicator: BKDR_RAT.10": [[172, 183], [436, 447]], "Indicator: Win.Trojan.Rat-4": [[184, 200]], "Indicator: Backdoor.Win32.RAT.10": [[217, 238], [555, 576]], "Indicator: Trojan.Win32.RAT.bqzxxm": [[255, 278]], "Indicator: Backdoor.Win32.Rat_10.Svr": [[279, 304]], "Indicator: Backdoor.W32.RAT.10!c": [[305, 326]], "Indicator: Troj/Rat-1.0B": [[343, 356]], "Indicator: Backdoor.Win32.Rat-10._0": [[357, 381]], "Indicator: BackDoor.Rat.10": [[398, 413]], "Indicator: Backdoor.RAT.Win32.24": [[414, 435]], "Indicator: BehavesLike.Win32.PUP.xz": [[448, 472]], "Indicator: Backdoor/Rat.10": [[473, 488]], "Indicator: Trojan[Backdoor]/Win32.RAT": [[489, 515]], "Indicator: Backdoor:Win32/Rat.1_0": [[516, 538]], "Indicator: Bck/Rat.1_0": [[609, 620]], 
"Indicator: Rat.10": [[621, 627]], "Indicator: Win32.Backdoor.Rat.Szbj": [[628, 651]], "Indicator: Backdoor.RAT!GoQkQzcwjDw": [[652, 676]], "Indicator: W32/Rat.10!tr.bdr": [[677, 694]]}, "info": {"id": "cyner2_5class_train_05779", "source": "cyner2_5class_train"}} +{"text": "The malware is based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator.", "spans": {"Malware: malware": [[4, 11]], "Malware: freely-available open-source backdoor": [[26, 63]]}, "info": {"id": "cyner2_5class_train_05780", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers have recently observed the re-emergence of two malware downloaders that had largely disappeared for several months.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: malware downloaders": [[70, 89]]}, "info": {"id": "cyner2_5class_train_05781", "source": "cyner2_5class_train"}} +{"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 .", "spans": {}, "info": {"id": "cyner2_5class_train_05782", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_GE.1E00D038 Win32.Trojan.WisdomEyes.16070401.9500.9866 TROJ_GE.1E00D038", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_GE.1E00D038": [[26, 42], [86, 102]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9866": [[43, 85]]}, "info": {"id": "cyner2_5class_train_05783", "source": "cyner2_5class_train"}} +{"text": "This research has proven valuable for Talos and led the development of better detection methods within the products we support along with the disruption of adversarial operations.", "spans": {}, "info": {"id": "cyner2_5class_train_05784", "source": "cyner2_5class_train"}} +{"text": "Currently, the XData decryption tools are available.", "spans": {"System: XData 
decryption tools": [[15, 37]]}, "info": {"id": "cyner2_5class_train_05785", "source": "cyner2_5class_train"}} +{"text": "All of the Play Store pages we identified and all of the decoys of the apps themselves are written in Italian .", "spans": {"System: Play Store": [[11, 21]]}, "info": {"id": "cyner2_5class_train_05786", "source": "cyner2_5class_train"}} +{"text": "] it Catanzaro server2fi.exodus.connexxa [ .", "spans": {"Indicator: server2fi.exodus.connexxa [ .": [[15, 44]]}, "info": {"id": "cyner2_5class_train_05787", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Poison!O Backdoor.Poison Trojan.Heur.E84A91 Win32.Worm.VB.sn Trojan.FakeAV Backdoor.Win32.Poison.cwpk W32.W.VBNA.lsMe Win32.Backdoor.Poison.Pfjd Trojan.AVKill.11304 BehavesLike.Win32.RAHack.ct W32/Trojan.ULXW-4781 Backdoor.Poison.zo Trojan[Backdoor]/Win32.Poison Worm:Win32/Ructo.N Backdoor.Win32.Poison.cwpk Win32/Trojan.d07", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Poison!O": [[26, 49]], "Indicator: Backdoor.Poison": [[50, 65]], "Indicator: Trojan.Heur.E84A91": [[66, 84]], "Indicator: Win32.Worm.VB.sn": [[85, 101]], "Indicator: Trojan.FakeAV": [[102, 115]], "Indicator: Backdoor.Win32.Poison.cwpk": [[116, 142], [323, 349]], "Indicator: W32.W.VBNA.lsMe": [[143, 158]], "Indicator: Win32.Backdoor.Poison.Pfjd": [[159, 185]], "Indicator: Trojan.AVKill.11304": [[186, 205]], "Indicator: BehavesLike.Win32.RAHack.ct": [[206, 233]], "Indicator: W32/Trojan.ULXW-4781": [[234, 254]], "Indicator: Backdoor.Poison.zo": [[255, 273]], "Indicator: Trojan[Backdoor]/Win32.Poison": [[274, 303]], "Indicator: Worm:Win32/Ructo.N": [[304, 322]], "Indicator: Win32/Trojan.d07": [[350, 366]]}, "info": {"id": "cyner2_5class_train_05788", "source": "cyner2_5class_train"}} +{"text": "Researchers from Bitdefender also released an analysis of one of the samples in a blogpost .", "spans": {"System: Bitdefender": [[17, 28]]}, "info": {"id": "cyner2_5class_train_05789", 
"source": "cyner2_5class_train"}} +{"text": "Astrum was known to be have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF and RAMNIT TROJ_RAMNIT, PE_RAMNIT.", "spans": {"Malware: threats": [[117, 124]], "Malware: banking Trojans Dreambot/Gozi": [[135, 164]], "Malware: Ursnif,": [[179, 186]], "Organization: Trend Micro": [[203, 214]], "Indicator: BKDR_URSNIF": [[218, 229]], "Indicator: RAMNIT TROJ_RAMNIT, PE_RAMNIT.": [[234, 264]]}, "info": {"id": "cyner2_5class_train_05790", "source": "cyner2_5class_train"}} +{"text": "This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites.", "spans": {"Indicator: content": [[92, 99]], "Indicator: domains": [[104, 111]], "Indicator: mimic Chinese language news websites.": [[120, 157]]}, "info": {"id": "cyner2_5class_train_05791", "source": "cyner2_5class_train"}} +{"text": "It means this was most likely the actual operator.", "spans": {}, "info": {"id": "cyner2_5class_train_05792", "source": "cyner2_5class_train"}} +{"text": "Over the year , the number of mobile malware modifications designed for phishing , the theft of credit card information and money increased by a factor of 19.7 .", "spans": {}, "info": {"id": "cyner2_5class_train_05793", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.LVBP Win32.Trojan.WisdomEyes.16070401.9500.9984 W32.SillyFDC TrojanSpy:MSIL/Ruzmoil.A Trojan/Win32.Keylogger.R17549", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.LVBP": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[38, 80]], "Indicator: W32.SillyFDC": [[81, 93]], "Indicator: TrojanSpy:MSIL/Ruzmoil.A": [[94, 118]], "Indicator: Trojan/Win32.Keylogger.R17549": [[119, 148]]}, "info": {"id": "cyner2_5class_train_05794", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Trojan Win32/Wykcores.A BKDR_MURCY.SM1 PE:Backdoor.Win32.Undef.cnd!1463577[F1] DLOADER.Trojan BKDR_MURCY.SM1 BehavesLike.Win32.Backdoor.qh Win32.Hack.PcClient.al.kcloud Trojan.Barys.955 Backdoor/Win32.Etso Backdoor:Win32/Wykcores.A Trojan-Downloader.Delphi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Trojan": [[26, 41]], "Indicator: Win32/Wykcores.A": [[42, 58]], "Indicator: BKDR_MURCY.SM1": [[59, 73], [129, 143]], "Indicator: PE:Backdoor.Win32.Undef.cnd!1463577[F1]": [[74, 113]], "Indicator: DLOADER.Trojan": [[114, 128]], "Indicator: BehavesLike.Win32.Backdoor.qh": [[144, 173]], "Indicator: Win32.Hack.PcClient.al.kcloud": [[174, 203]], "Indicator: Trojan.Barys.955": [[204, 220]], "Indicator: Backdoor/Win32.Etso": [[221, 240]], "Indicator: Backdoor:Win32/Wykcores.A": [[241, 266]], "Indicator: Trojan-Downloader.Delphi": [[267, 291]]}, "info": {"id": "cyner2_5class_train_05795", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Rameh Backdoor/DsBot.ayd Backdoor.Win32.A.DsBot.3918918[UPX] BehavesLike.Win32.BadFile.vc Trojan-Downloader.Win32.Rameh TrojanDownloader:Win32/Rameh.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Rameh": [[26, 48]], "Indicator: Backdoor/DsBot.ayd": [[49, 67]], "Indicator: Backdoor.Win32.A.DsBot.3918918[UPX]": [[68, 103]], "Indicator: BehavesLike.Win32.BadFile.vc": [[104, 132]], "Indicator: Trojan-Downloader.Win32.Rameh": [[133, 162]], "Indicator: TrojanDownloader:Win32/Rameh.C": [[163, 193]]}, "info": {"id": "cyner2_5class_train_05796", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.Staser.f Backdoor.Trojan Win.Trojan.Yoddos-2 Trojan.Win32.Delf.ffdi W32.W.Runouce.lgxV BackDoor.MaosBoot.1707 BehavesLike.Win32.Trojan.mm Backdoor/Huigezi.2008.ybi Trojan[Backdoor]/Win32.Hupigon Trojan:Win32/Yoddos.C Backdoor/Win32.Trojan.C2392352 TScope.Malware-Cryptor.SB 
Trojan.Kryptik!+IjAt1MW7ss Trojan.Win32.SystemHijack", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Staser.f": [[26, 47]], "Indicator: Backdoor.Trojan": [[48, 63]], "Indicator: Win.Trojan.Yoddos-2": [[64, 83]], "Indicator: Trojan.Win32.Delf.ffdi": [[84, 106]], "Indicator: W32.W.Runouce.lgxV": [[107, 125]], "Indicator: BackDoor.MaosBoot.1707": [[126, 148]], "Indicator: BehavesLike.Win32.Trojan.mm": [[149, 176]], "Indicator: Backdoor/Huigezi.2008.ybi": [[177, 202]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[203, 233]], "Indicator: Trojan:Win32/Yoddos.C": [[234, 255]], "Indicator: Backdoor/Win32.Trojan.C2392352": [[256, 286]], "Indicator: TScope.Malware-Cryptor.SB": [[287, 312]], "Indicator: Trojan.Kryptik!+IjAt1MW7ss": [[313, 339]], "Indicator: Trojan.Win32.SystemHijack": [[340, 365]]}, "info": {"id": "cyner2_5class_train_05797", "source": "cyner2_5class_train"}} +{"text": "Attacks involving this Trojan have been noted since February 2017 but peaked in late May.", "spans": {"Malware: Trojan": [[23, 29]]}, "info": {"id": "cyner2_5class_train_05798", "source": "cyner2_5class_train"}} +{"text": "In April , at the time of writing this post , we recorded 413 RuMMS infections .", "spans": {"Malware: RuMMS": [[62, 67]]}, "info": {"id": "cyner2_5class_train_05799", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9857 Packed.Win32.Black.a Packer.W32.Black.l6cB Trojan.Packed.650 BehavesLike.Win32.Sdbot.tc BehavesLikeWin32.ExplorerHijack W32/Packed.2D18!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9857": [[26, 68]], "Indicator: Packed.Win32.Black.a": [[69, 89]], "Indicator: Packer.W32.Black.l6cB": [[90, 111]], "Indicator: Trojan.Packed.650": [[112, 129]], "Indicator: BehavesLike.Win32.Sdbot.tc": [[130, 156]], "Indicator: BehavesLikeWin32.ExplorerHijack": [[157, 188]], "Indicator: W32/Packed.2D18!tr": [[189, 207]]}, "info": {"id": 
"cyner2_5class_train_05800", "source": "cyner2_5class_train"}} +{"text": "Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan.", "spans": {"Organization: Our researchers": [[0, 15]], "Malware: IcedID": [[27, 33]], "Malware: modular malicious code": [[40, 62]], "Malware: modern banking Trojan": [[68, 89]], "Malware: malware": [[117, 124]], "Malware: the Zeus Trojan.": [[133, 149]]}, "info": {"id": "cyner2_5class_train_05801", "source": "cyner2_5class_train"}} +{"text": "For example, most organizations have little to no DNS restrictions or security monitoring for DNS activity.", "spans": {"System: DNS": [[50, 53], [94, 97]], "Indicator: security monitoring": [[70, 89]]}, "info": {"id": "cyner2_5class_train_05802", "source": "cyner2_5class_train"}} +{"text": "Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner2_5class_train_05803", "source": "cyner2_5class_train"}} +{"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims .", "spans": {"Malware: HenBox": [[46, 52]], "Indicator: DroidVPN": [[66, 74]]}, "info": {"id": "cyner2_5class_train_05804", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Nekill.al Trojan.DL.Nekill.X Adware.Rugo Trojan-Downloader.Win32.Nekill.al Heuristic.BehavesLike.Win32.Downloader.J Trojan-Downloader.Win32.Nekill!IK Adware/MsLock.qg Trojan-Downloader.Nekill.al Adware.Rugo Trojan-Downloader.Win32.Nekill", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Nekill.al": [[26, 53]], "Indicator: Trojan.DL.Nekill.X": [[54, 72]], "Indicator: Adware.Rugo": [[73, 84], [239, 250]], "Indicator: Trojan-Downloader.Win32.Nekill.al": 
[[85, 118]], "Indicator: Heuristic.BehavesLike.Win32.Downloader.J": [[119, 159]], "Indicator: Trojan-Downloader.Win32.Nekill!IK": [[160, 193]], "Indicator: Adware/MsLock.qg": [[194, 210]], "Indicator: Trojan-Downloader.Nekill.al": [[211, 238]], "Indicator: Trojan-Downloader.Win32.Nekill": [[251, 281]]}, "info": {"id": "cyner2_5class_train_05805", "source": "cyner2_5class_train"}} +{"text": "Many of the 10 million infected phones are running old versions of Android and reside in China ( 1.6 million ) and India ( 1.35 million ) .", "spans": {"System: Android": [[67, 74]]}, "info": {"id": "cyner2_5class_train_05806", "source": "cyner2_5class_train"}} +{"text": "] it Firenze serverrt.exodus.connexxa [ .", "spans": {"Indicator: serverrt.exodus.connexxa [ .": [[13, 41]]}, "info": {"id": "cyner2_5class_train_05807", "source": "cyner2_5class_train"}} +{"text": "The malware uses smishing , or SMS phishing , to infiltrate target devices , which is a technique that relies on social engineering .", "spans": {}, "info": {"id": "cyner2_5class_train_05808", "source": "cyner2_5class_train"}} +{"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function returns the Intent object to the callee .", "spans": {}, "info": {"id": "cyner2_5class_train_05809", "source": "cyner2_5class_train"}} +{"text": "There are some indicators that this sample is just a test sample on its final stages of development .", "spans": {}, "info": {"id": "cyner2_5class_train_05810", "source": "cyner2_5class_train"}} +{"text": "These changes not only make it more difficult for the victim to identify what files have been encrypted, but also may thwart security protections currently in place for the CryptoWall threat.", "spans": {"Indicator: files": [[78, 83]], "Indicator: encrypted,": [[94, 104]], "Indicator: may thwart security protections": [[114, 145]], "Malware: CryptoWall threat.": [[173, 191]]}, "info": {"id": "cyner2_5class_train_05811", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Barys.D1CD2 Win32.Trojan.WisdomEyes.16070401.9500.9968 Trojan.MSIL.Inject.abuiq Trojan/Windef.hm DDoS:Win32/Darktima.A Trojan.MSIL.Inject.abuiq TrojanFakeAV.Windef Trj/CI.A Win32.Trojan.Inject.dfju Trojan.DR.MSIL!M+jYeJcGakI Trojan.Win32.FakeAV W32/Dropper.FBQ!tr Win32/Trojan.f70", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Barys.D1CD2": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9968": [[45, 87]], "Indicator: Trojan.MSIL.Inject.abuiq": [[88, 112], [152, 176]], "Indicator: Trojan/Windef.hm": [[113, 129]], "Indicator: DDoS:Win32/Darktima.A": [[130, 151]], "Indicator: TrojanFakeAV.Windef": [[177, 196]], "Indicator: Trj/CI.A": [[197, 205]], "Indicator: Win32.Trojan.Inject.dfju": [[206, 230]], "Indicator: Trojan.DR.MSIL!M+jYeJcGakI": [[231, 257]], "Indicator: Trojan.Win32.FakeAV": [[258, 277]], "Indicator: W32/Dropper.FBQ!tr": [[278, 296]], "Indicator: Win32/Trojan.f70": [[297, 313]]}, "info": {"id": "cyner2_5class_train_05812", "source": "cyner2_5class_train"}} +{"text": "Consider the following phish delivered to the email address displayed on the bank's website.", "spans": {"Indicator: the email address": [[42, 59]], "Indicator: the bank's website.": [[73, 92]]}, "info": {"id": "cyner2_5class_train_05813", "source": "cyner2_5class_train"}} +{"text": "In contrast , on the emulator , a toast message is displayed that shows “ Install completed ” , at which point FakeSpy removes its shortcut from the device 's homescreen .", "spans": {"Malware: FakeSpy": [[111, 118]]}, "info": {"id": "cyner2_5class_train_05814", "source": "cyner2_5class_train"}} +{"text": "Eltima was very responsive and maintained an excellent communication with us throughout the incident.", "spans": {}, "info": {"id": "cyner2_5class_train_05815", "source": "cyner2_5class_train"}} +{"text": "The full list of banking applications targeted is included in the appendix .", "spans": {}, "info": 
{"id": "cyner2_5class_train_05816", "source": "cyner2_5class_train"}} +{"text": "Beginning in December 2016, unconnected Middle Eastern human rights activists began to receive spearphishing messages in English and Persian that were not related to any previously-known groups.", "spans": {"Organization: human rights activists": [[55, 77]], "Indicator: spearphishing messages in English and Persian": [[95, 140]]}, "info": {"id": "cyner2_5class_train_05817", "source": "cyner2_5class_train"}} +{"text": "This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology.", "spans": {"Organization: North Korean missile technology.": [[89, 121]]}, "info": {"id": "cyner2_5class_train_05818", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downldr2.FYWH Hacktool.Rootkit Win32/Kerproc.A Win.Trojan.Rootkit-5417 Trojan.Win32.NtRootKit.duatym Trojan.DownLoader12.58402 W32/Downloader.QURR-6406 Trojan[Rootkit]/Win32.Small TrojanDropper:Win32/Bodsuds.A Dropper/Win32.Downloader.R143536 Rootkit.Win32.SMA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: W32/Downldr2.FYWH": [[69, 86]], "Indicator: Hacktool.Rootkit": [[87, 103]], "Indicator: Win32/Kerproc.A": [[104, 119]], "Indicator: Win.Trojan.Rootkit-5417": [[120, 143]], "Indicator: Trojan.Win32.NtRootKit.duatym": [[144, 173]], "Indicator: Trojan.DownLoader12.58402": [[174, 199]], "Indicator: W32/Downloader.QURR-6406": [[200, 224]], "Indicator: Trojan[Rootkit]/Win32.Small": [[225, 252]], "Indicator: TrojanDropper:Win32/Bodsuds.A": [[253, 282]], "Indicator: Dropper/Win32.Downloader.R143536": [[283, 315]], "Indicator: Rootkit.Win32.SMA": [[316, 333]]}, "info": {"id": "cyner2_5class_train_05819", "source": "cyner2_5class_train"}} +{"text": "That said , so as to hinder detection of new versions , the Trojan ’ s APK file and the C & C server 
domains are changed regularly , and the Trojan download links are often one-time-use .", "spans": {}, "info": {"id": "cyner2_5class_train_05820", "source": "cyner2_5class_train"}} +{"text": "ACCESS_NETWORK_STATE - Allows the application to access information about networks .", "spans": {}, "info": {"id": "cyner2_5class_train_05821", "source": "cyner2_5class_train"}} +{"text": "For example , sending text “ Balance ” will trigger a response with the victim ’ s wallet balance .", "spans": {}, "info": {"id": "cyner2_5class_train_05822", "source": "cyner2_5class_train"}} +{"text": "While the current campaign from this attacker has been active for a couple of months, there is evidence of activity by this attacker as far back as 2013, employing other backdoors such as Saker, Netbot and DarkStRat", "spans": {"Malware: backdoors": [[170, 179]], "Malware: Saker, Netbot": [[188, 201]], "Malware: DarkStRat": [[206, 215]]}, "info": {"id": "cyner2_5class_train_05823", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DownLoader6.51149 RKIT/Mon.A Backdoor:Win32/Feljina.B Trojan.Graftor.DE2AD TScope.Trojan.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader6.51149": [[26, 50]], "Indicator: RKIT/Mon.A": [[51, 61]], "Indicator: Backdoor:Win32/Feljina.B": [[62, 86]], "Indicator: Trojan.Graftor.DE2AD": [[87, 107]], "Indicator: TScope.Trojan.Delf": [[108, 126]]}, "info": {"id": "cyner2_5class_train_05824", "source": "cyner2_5class_train"}} +{"text": "It is spread presumably via ShellShock vulnerabilities.", "spans": {"Vulnerability: ShellShock vulnerabilities.": [[28, 55]]}, "info": {"id": "cyner2_5class_train_05825", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.HiddenTear.H Ransom.Ryzerlo.A3 Trojan.Ransom.HiddenTear.H Ransom.HiddenTear Ransom_CRYPTEAR.SM0 Trojan.Win32.Hesv.crqo Trojan.Ransom.HiddenTear.H Trojan.Ransom.HiddenTear.H Trojan.Encoder.10598 Ransom_CRYPTEAR.SM0 
Ransom:MSIL/Ryzerlo.A Trojan.Win32.Hesv.crqo Trojan.Ransom.HiddenTear.H Trj/GdSda.A Win32.Trojan.Fakedoc.Auto Trojan-Ransom.HiddenTear Win32/Trojan.504", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.HiddenTear.H": [[26, 52], [71, 97], [159, 185], [186, 212], [299, 325]], "Indicator: Ransom.Ryzerlo.A3": [[53, 70]], "Indicator: Ransom.HiddenTear": [[98, 115]], "Indicator: Ransom_CRYPTEAR.SM0": [[116, 135], [234, 253]], "Indicator: Trojan.Win32.Hesv.crqo": [[136, 158], [276, 298]], "Indicator: Trojan.Encoder.10598": [[213, 233]], "Indicator: Ransom:MSIL/Ryzerlo.A": [[254, 275]], "Indicator: Trj/GdSda.A": [[326, 337]], "Indicator: Win32.Trojan.Fakedoc.Auto": [[338, 363]], "Indicator: Trojan-Ransom.HiddenTear": [[364, 388]], "Indicator: Win32/Trojan.504": [[389, 405]]}, "info": {"id": "cyner2_5class_train_05826", "source": "cyner2_5class_train"}} +{"text": "However, recently, we have observed cases where PoisonIvy with expanded features in its communication function were used for attacks.", "spans": {"Malware: PoisonIvy": [[48, 57]], "Indicator: communication function": [[88, 110]], "Indicator: attacks.": [[125, 133]]}, "info": {"id": "cyner2_5class_train_05827", "source": "cyner2_5class_train"}} +{"text": "For example , some of the more advanced banking Trojans now offer features such as a back-connect proxy , screen-streaming and even remote control .", "spans": {}, "info": {"id": "cyner2_5class_train_05828", "source": "cyner2_5class_train"}} +{"text": "They might be Jaff ransomware or might be Dridex banking Trojan or Trickbot banking Trojan.", "spans": {"Malware: Jaff ransomware": [[14, 29]], "Malware: Dridex banking Trojan": [[42, 63]], "Malware: Trickbot banking Trojan.": [[67, 91]]}, "info": {"id": "cyner2_5class_train_05829", "source": "cyner2_5class_train"}} +{"text": "The same numerical code corresponded to one command in different versions , but the set of supported commands varied .", "spans": {}, "info": {"id": 
"cyner2_5class_train_05830", "source": "cyner2_5class_train"}} +{"text": "It turns out that this campaign had an association to 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution BfV.", "spans": {"Organization: the German Federal Office for the Protection of the Constitution BfV.": [[104, 173]]}, "info": {"id": "cyner2_5class_train_05831", "source": "cyner2_5class_train"}} +{"text": "Also of particular interest from an attribution obfuscation perspective is direct IP crossover with previous Dynamic DNS domains associated with known CN-APT activity.", "spans": {"Indicator: direct IP": [[75, 84]], "Indicator: Dynamic DNS domains": [[109, 128]]}, "info": {"id": "cyner2_5class_train_05832", "source": "cyner2_5class_train"}} +{"text": "It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide.", "spans": {"Malware: Ke3chang": [[33, 41]], "Organization: Indian embassy personnel worldwide.": [[98, 133]]}, "info": {"id": "cyner2_5class_train_05833", "source": "cyner2_5class_train"}} +{"text": "It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.", "spans": {"Indicator: modifying browser proxy configurations": [[12, 50]], "Indicator: traffic": [[65, 72]], "Organization: client": [[83, 89]], "Organization: server,": [[96, 103]], "Indicator: Man-In-The-Middle.": [[114, 132]]}, "info": {"id": "cyner2_5class_train_05834", "source": "cyner2_5class_train"}} +{"text": "With a better understanding of the “ Agent Smith ” actor than we had in the initial phase of campaign hunting , we examined the list of target innocent apps once again and discovered the actor ’ s unusual practices in choosing targets .", "spans": {"Malware: Agent Smith": [[37, 48]]}, "info": {"id": "cyner2_5class_train_05835", "source": "cyner2_5class_train"}} +{"text": "Late last year, a wave of 
cyber-attacks hit several critical sectors in Ukraine.", "spans": {"Indicator: cyber-attacks": [[26, 39]], "Organization: critical sectors": [[52, 68]]}, "info": {"id": "cyner2_5class_train_05836", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.LocktETTc.Worm Trojan.Miuref.S21958 Trojan.MalPack Variant.Symmi.m8Nr Win32.Trojan.WisdomEyes.16070401.9500.9995 BehavesLike.Win32.Miuref.tc Trojan.Win32.Miuref Trojan.Miuref.3 Trojan:Win32/Miuref.B Win32.Trojan.Miuref.Wqws Win32/Trojan.eb2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.LocktETTc.Worm": [[26, 50]], "Indicator: Trojan.Miuref.S21958": [[51, 71]], "Indicator: Trojan.MalPack": [[72, 86]], "Indicator: Variant.Symmi.m8Nr": [[87, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[106, 148]], "Indicator: BehavesLike.Win32.Miuref.tc": [[149, 176]], "Indicator: Trojan.Win32.Miuref": [[177, 196]], "Indicator: Trojan.Miuref.3": [[197, 212]], "Indicator: Trojan:Win32/Miuref.B": [[213, 234]], "Indicator: Win32.Trojan.Miuref.Wqws": [[235, 259]], "Indicator: Win32/Trojan.eb2": [[260, 276]]}, "info": {"id": "cyner2_5class_train_05837", "source": "cyner2_5class_train"}} +{"text": "Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries.", "spans": {"Organization: government bodies, diplomatic institutions,": [[48, 91]], "Organization: military forces": [[96, 111]], "Organization: NATO member states": [[133, 151]], "Organization: Eastern European countries.": [[164, 191]]}, "info": {"id": "cyner2_5class_train_05838", "source": "cyner2_5class_train"}} +{"text": "After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks.", "spans": {"Indicator: cyber attack": [[10, 22]], "Organization: 
the German Bundestag": [[26, 46], [161, 181]], "Organization: BSI": [[91, 94]], "Organization: government networks": [[115, 134]], "System: own networks.": [[190, 203]]}, "info": {"id": "cyner2_5class_train_05839", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D5ABC0 BackDoor.IRC.Skynet.69 BehavesLike.Win32.AdwareLinkury.dc W32/Trojan.ETUC-5276 Trojan[Spy]/Win32.Zbot Trojan:Win32/Zeeborot.A Trj/CI.A BackDoor.Skynet! Trojan.Win32.Zeeborot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D5ABC0": [[26, 47]], "Indicator: BackDoor.IRC.Skynet.69": [[48, 70]], "Indicator: BehavesLike.Win32.AdwareLinkury.dc": [[71, 105]], "Indicator: W32/Trojan.ETUC-5276": [[106, 126]], "Indicator: Trojan[Spy]/Win32.Zbot": [[127, 149]], "Indicator: Trojan:Win32/Zeeborot.A": [[150, 173]], "Indicator: Trj/CI.A": [[174, 182]], "Indicator: BackDoor.Skynet!": [[183, 199]], "Indicator: Trojan.Win32.Zeeborot": [[200, 221]]}, "info": {"id": "cyner2_5class_train_05840", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Darkhotel.692224 Trojan.Inexsmar.r5 Trojan/Inexsmar.a Trojan.Zusy.D25651 W32/Trojan.GJSD-2947 Win32/Inexsmar.A TROJ_INEXSMAR.SMA Trojan.Win32.Darkhotel.c Trojan.Win32.Darkhotel.duiemo Trojan.Win32.Z.Darkhotel.692224[h] Trojan/Win32.Darkhotel Trojan:Win32/Inexsmar.A Troj.W32.Darkhotel.c!c Trojan/Win32.DarkHotel Win32.Trojan.Darkhotel.Pftk Trojan.Darkhotel! 
Trojan.Win32.Inexsmar W32/Darkhotel.C!tr Trojan.Win32.Darkhotel.c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Darkhotel.692224": [[26, 53]], "Indicator: Trojan.Inexsmar.r5": [[54, 72]], "Indicator: Trojan/Inexsmar.a": [[73, 90]], "Indicator: Trojan.Zusy.D25651": [[91, 109]], "Indicator: W32/Trojan.GJSD-2947": [[110, 130]], "Indicator: Win32/Inexsmar.A": [[131, 147]], "Indicator: TROJ_INEXSMAR.SMA": [[148, 165]], "Indicator: Trojan.Win32.Darkhotel.c": [[166, 190], [436, 460]], "Indicator: Trojan.Win32.Darkhotel.duiemo": [[191, 220]], "Indicator: Trojan.Win32.Z.Darkhotel.692224[h]": [[221, 255]], "Indicator: Trojan/Win32.Darkhotel": [[256, 278]], "Indicator: Trojan:Win32/Inexsmar.A": [[279, 302]], "Indicator: Troj.W32.Darkhotel.c!c": [[303, 325]], "Indicator: Trojan/Win32.DarkHotel": [[326, 348]], "Indicator: Win32.Trojan.Darkhotel.Pftk": [[349, 376]], "Indicator: Trojan.Darkhotel!": [[377, 394]], "Indicator: Trojan.Win32.Inexsmar": [[395, 416]], "Indicator: W32/Darkhotel.C!tr": [[417, 435]]}, "info": {"id": "cyner2_5class_train_05841", "source": "cyner2_5class_train"}} +{"text": "Original code of the APK on the left , versus injected APK on the right The analysis of the APK was rather interesting , because some of the actions were very common spyware features , such as the exfiltration of SMS messages , call logs and other data .", "spans": {}, "info": {"id": "cyner2_5class_train_05842", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject.FC.363 Trojan.MSILKrypt.57 BKDR_HPNOANCOOE.SM Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_HPNOANCOOE.SM Trojan.DownLoader24.26511 Trojan.Injector.Win32.512453 Trojan.MSIL.Crypt Trojan.MSIL.fwua TR/Dropper.MSIL.uuodb Trojan:MSIL/Kuhaname.A Trojan/Win32.MSIL.C957690 Trojan.Malicious Trojan.Injector!2xVDVY5re4U Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.FC.363": [[26, 46]], "Indicator: Trojan.MSILKrypt.57": [[47, 66]], "Indicator: 
BKDR_HPNOANCOOE.SM": [[67, 85], [129, 147]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[86, 128]], "Indicator: Trojan.DownLoader24.26511": [[148, 173]], "Indicator: Trojan.Injector.Win32.512453": [[174, 202]], "Indicator: Trojan.MSIL.Crypt": [[203, 220]], "Indicator: Trojan.MSIL.fwua": [[221, 237]], "Indicator: TR/Dropper.MSIL.uuodb": [[238, 259]], "Indicator: Trojan:MSIL/Kuhaname.A": [[260, 282]], "Indicator: Trojan/Win32.MSIL.C957690": [[283, 308]], "Indicator: Trojan.Malicious": [[309, 325]], "Indicator: Trojan.Injector!2xVDVY5re4U": [[326, 353]], "Indicator: Trj/GdSda.A": [[354, 365]]}, "info": {"id": "cyner2_5class_train_05843", "source": "cyner2_5class_train"}} +{"text": "INTERNET - open network sockets .", "spans": {}, "info": {"id": "cyner2_5class_train_05844", "source": "cyner2_5class_train"}} +{"text": "Category: Unit 42 Tags: EITest, HoeflerText, malware, RAT", "spans": {"Organization: Unit 42": [[10, 17]], "Malware: EITest, HoeflerText, malware, RAT": [[24, 57]]}, "info": {"id": "cyner2_5class_train_05845", "source": "cyner2_5class_train"}} +{"text": "] site , and mms4you [ .", "spans": {"Indicator: mms4you [ .": [[13, 24]]}, "info": {"id": "cyner2_5class_train_05846", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Downloader.N Android.Trojan.Downloader.KY Other:Android.Reputation.2 Android.Trojan.Downloader.KY A.L.Rog.BlackCert Android.HiddenAds.171.origin Android.Trojan.Downloader.KY Android-Trojan/Boosad.3b718 a.gray.hiddendown.g Trojan.AndroidOS.Hiddenapp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Downloader.N": [[26, 46]], "Indicator: Android.Trojan.Downloader.KY": [[47, 75], [103, 131], [179, 207]], "Indicator: Other:Android.Reputation.2": [[76, 102]], "Indicator: A.L.Rog.BlackCert": [[132, 149]], "Indicator: Android.HiddenAds.171.origin": [[150, 178]], "Indicator: Android-Trojan/Boosad.3b718": [[208, 235]], "Indicator: a.gray.hiddendown.g": [[236, 255]], "Indicator: 
Trojan.AndroidOS.Hiddenapp": [[256, 282]]}, "info": {"id": "cyner2_5class_train_05847", "source": "cyner2_5class_train"}} +{"text": "A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label the Lotus Blossom Operation likely named for the debug string present in much of the Elise codebase since at least 2012: d:\\lstudio\\projects\\lotus\\…", "spans": {"Organization: Palo Alto Networks": [[44, 62]], "Malware: Elise": [[205, 210]], "Malware: at": [[226, 228]], "Indicator: d:\\lstudio\\projects\\lotus\\…": [[241, 268]]}, "info": {"id": "cyner2_5class_train_05848", "source": "cyner2_5class_train"}} +{"text": "More recent variants blend rooting capabilities and click fraud .", "spans": {}, "info": {"id": "cyner2_5class_train_05849", "source": "cyner2_5class_train"}} +{"text": "This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.", "spans": {"Malware: SLocker variant": [[16, 31]], "Malware: Android file-encrypting ransomware,": [[70, 105]], "Malware: mobile ransomware": [[120, 137]], "Malware: WannaCry": [[183, 191]]}, "info": {"id": "cyner2_5class_train_05850", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit.SWF.CVE-2016-4117.B Exploit-RTF.docswf.d Trojan.Mdropper Win32/Exploit.CVE-2016-4117.A TROJ_CVE20164117.A Exploit.SWF.CVE-2016-4117.B Exploit.Swf.CVE20164117.ecpjvq Exploit.SWF.CVE-2016-4117.B Exploit.SWF.CVE-2016-4117.B Exploit.SWF.1001 TROJ_CVE20164117.A Exploit-RTF.docswf.d RTF/Trojan.XBFM-4 TrojanDropper:Win32/CVE-2016-4117.A Exploit.SWF.CVE-2016-4117.B Exploit.SWF.CVE-2016-4117.B Trojan-Dropper.Win32.CVE-2016-4117 Malicious_Behavior.SB swf.exp.shellcode.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.SWF.CVE-2016-4117.B": [[26, 53], [140, 167], [199, 226], [227, 254], [366, 393], [394, 421]], "Indicator: 
Exploit-RTF.docswf.d": [[54, 74], [291, 311]], "Indicator: Trojan.Mdropper": [[75, 90]], "Indicator: Win32/Exploit.CVE-2016-4117.A": [[91, 120]], "Indicator: TROJ_CVE20164117.A": [[121, 139], [272, 290]], "Indicator: Exploit.Swf.CVE20164117.ecpjvq": [[168, 198]], "Indicator: Exploit.SWF.1001": [[255, 271]], "Indicator: RTF/Trojan.XBFM-4": [[312, 329]], "Indicator: TrojanDropper:Win32/CVE-2016-4117.A": [[330, 365]], "Indicator: Trojan-Dropper.Win32.CVE-2016-4117": [[422, 456]], "Indicator: Malicious_Behavior.SB": [[457, 478]], "Indicator: swf.exp.shellcode.b": [[479, 498]]}, "info": {"id": "cyner2_5class_train_05851", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WoletixC.Trojan Backdoor.Likseput.B3 Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_LIKSPUT.SMR Trojan.Win32.A.Downloader.14336.AV Win32.Trojan.Spy.Wnmg Trojan.DownLoad2.44669 BKDR_LIKSPUT.SMR BehavesLike.Win32.Downloader.lm Backdoor:Win32/Likseput.B Win32/Backdoor.b78", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WoletixC.Trojan": [[26, 45]], "Indicator: Backdoor.Likseput.B3": [[46, 66]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[67, 109]], "Indicator: BKDR_LIKSPUT.SMR": [[110, 126], [207, 223]], "Indicator: Trojan.Win32.A.Downloader.14336.AV": [[127, 161]], "Indicator: Win32.Trojan.Spy.Wnmg": [[162, 183]], "Indicator: Trojan.DownLoad2.44669": [[184, 206]], "Indicator: BehavesLike.Win32.Downloader.lm": [[224, 255]], "Indicator: Backdoor:Win32/Likseput.B": [[256, 281]], "Indicator: Win32/Backdoor.b78": [[282, 300]]}, "info": {"id": "cyner2_5class_train_05852", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Androm.Win32.27371 Backdoor.W32.Androm.mAsy Trojan/Spy.Shiz.nct Win32.Trojan.Kryptik.qb Win.Trojan.Shifu-6330434-1 Trojan.DownLoader17.28342 Backdoor.Androm.fj TR/AD.Beaugrit.M.29 Trojan[Backdoor]/Win32.Androm Win32.Trojan-Ransom.TeslaCrypt.N SScope.Malware-Cryptor.Drixed Win32/Spy.Shiz.NCT 
Backdoor.Androm!fkBWkP4HCvw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Androm.Win32.27371": [[26, 53]], "Indicator: Backdoor.W32.Androm.mAsy": [[54, 78]], "Indicator: Trojan/Spy.Shiz.nct": [[79, 98]], "Indicator: Win32.Trojan.Kryptik.qb": [[99, 122]], "Indicator: Win.Trojan.Shifu-6330434-1": [[123, 149]], "Indicator: Trojan.DownLoader17.28342": [[150, 175]], "Indicator: Backdoor.Androm.fj": [[176, 194]], "Indicator: TR/AD.Beaugrit.M.29": [[195, 214]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[215, 244]], "Indicator: Win32.Trojan-Ransom.TeslaCrypt.N": [[245, 277]], "Indicator: SScope.Malware-Cryptor.Drixed": [[278, 307]], "Indicator: Win32/Spy.Shiz.NCT": [[308, 326]], "Indicator: Backdoor.Androm!fkBWkP4HCvw": [[327, 354]]}, "info": {"id": "cyner2_5class_train_05853", "source": "cyner2_5class_train"}} +{"text": "Currently, the trojan spy is still in development and is not spotted in-the-wild yet.", "spans": {}, "info": {"id": "cyner2_5class_train_05854", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Prosti.AG8 BackDoor-DUG.a Trojan.DL.Delphi!PZt9n9YNSJ4 Hacktool.Rootkit W32/Delf.GRUM Win32/SillyDl.RUQ TROJ_DLOAD.SMMO Trojan.Scraze Trojan.Win32.Scar.cbyd Trojan.Win32.Downloader.723460 TrojWare.Win32.TrojanDownloader.Delf.~QEA Trojan.DownLoad.40151 TR/Dldr.Delf.uvk TROJ_DLOAD.SMMO BackDoor-DUG.a Backdoor.Win32.Prosti!IK TrojanDownloader.Delf.rui Backdoor:Win32/Prosti.AG Adware.ScreenBlaze Trojan/Win32.Scar Trojan-Downloader.Win32.Delf.uvk Hacktool.Rootkit Win32/Adware.ScreenBlaze.AA Backdoor.Win32.Prosti.xa Backdoor.Win32.Prosti W32/Delf.SCB!tr Downloader.Delf Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Prosti.AG8": [[26, 45]], "Indicator: BackDoor-DUG.a": [[46, 60], [320, 334]], "Indicator: Trojan.DL.Delphi!PZt9n9YNSJ4": [[61, 89]], "Indicator: Hacktool.Rootkit": [[90, 106], [481, 497]], "Indicator: W32/Delf.GRUM": [[107, 120]], "Indicator: Win32/SillyDl.RUQ": [[121, 
138]], "Indicator: TROJ_DLOAD.SMMO": [[139, 154], [304, 319]], "Indicator: Trojan.Scraze": [[155, 168]], "Indicator: Trojan.Win32.Scar.cbyd": [[169, 191]], "Indicator: Trojan.Win32.Downloader.723460": [[192, 222]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.~QEA": [[223, 264]], "Indicator: Trojan.DownLoad.40151": [[265, 286]], "Indicator: TR/Dldr.Delf.uvk": [[287, 303]], "Indicator: Backdoor.Win32.Prosti!IK": [[335, 359]], "Indicator: TrojanDownloader.Delf.rui": [[360, 385]], "Indicator: Backdoor:Win32/Prosti.AG": [[386, 410]], "Indicator: Adware.ScreenBlaze": [[411, 429]], "Indicator: Trojan/Win32.Scar": [[430, 447]], "Indicator: Trojan-Downloader.Win32.Delf.uvk": [[448, 480]], "Indicator: Win32/Adware.ScreenBlaze.AA": [[498, 525]], "Indicator: Backdoor.Win32.Prosti.xa": [[526, 550]], "Indicator: Backdoor.Win32.Prosti": [[551, 572]], "Indicator: W32/Delf.SCB!tr": [[573, 588]], "Indicator: Downloader.Delf": [[589, 604]], "Indicator: Trj/Downloader.MDW": [[605, 623]]}, "info": {"id": "cyner2_5class_train_05855", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 BehavesLike.Win32.Downloader.nt Trojan:Win32/Uniemv.B Trojan/Win32.Cryptolocker.C301960 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[26, 68]], "Indicator: BehavesLike.Win32.Downloader.nt": [[69, 100]], "Indicator: Trojan:Win32/Uniemv.B": [[101, 122]], "Indicator: Trojan/Win32.Cryptolocker.C301960": [[123, 156]], "Indicator: Trj/CI.A": [[157, 165]]}, "info": {"id": "cyner2_5class_train_05856", "source": "cyner2_5class_train"}} +{"text": "Turla macro maldoc - Embassy of the republic of Kazakhstan Helsinki.", "spans": {"Malware: Turla macro maldoc": [[0, 18]], "Organization: Embassy of the republic of Kazakhstan Helsinki.": [[21, 68]]}, "info": {"id": "cyner2_5class_train_05857", "source": "cyner2_5class_train"}} +{"text": "The archive is a ZIP containing several files , which 
is protected with a password .", "spans": {}, "info": {"id": "cyner2_5class_train_05858", "source": "cyner2_5class_train"}} +{"text": "In late October, Proofpoint researchers identified and began tracking a financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale POS malware AbaddonPOS with its loader, TinyLoader.", "spans": {"Organization: Proofpoint researchers": [[17, 39]], "Malware: banking Trojans": [[128, 143]], "Malware: malware,": [[154, 162]], "Malware: Dridex, Ursnif, Tinba,": [[173, 195]], "Malware: the point-of-sale POS malware AbaddonPOS": [[200, 240]], "Malware: loader, TinyLoader.": [[250, 269]]}, "info": {"id": "cyner2_5class_train_05859", "source": "cyner2_5class_train"}} +{"text": "On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.", "spans": {"Malware: QRAT": [[82, 86]]}, "info": {"id": "cyner2_5class_train_05860", "source": "cyner2_5class_train"}} +{"text": "] 122:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner2_5class_train_05861", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Banker/W32.BestaFera.3193856 W32/Trojan.UWMZ-4840 Trojan.Win32.Depok.dsfkzn Troj.W32.Depok.akz!c BehavesLike.Win32.Dropper.wh Trojan/Win32.Depok Trojan.Heur.EDDAE3 Backdoor:Win32/Nioriglio.A Trojan.Depok!iA0ZBWd8EAg Trojan.Win32.Depok", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Banker/W32.BestaFera.3193856": [[26, 54]], "Indicator: W32/Trojan.UWMZ-4840": [[55, 75]], "Indicator: Trojan.Win32.Depok.dsfkzn": [[76, 101]], "Indicator: Troj.W32.Depok.akz!c": [[102, 122]], "Indicator: BehavesLike.Win32.Dropper.wh": [[123, 151]], "Indicator: Trojan/Win32.Depok": [[152, 170]], "Indicator: Trojan.Heur.EDDAE3": [[171, 189]], "Indicator: Backdoor:Win32/Nioriglio.A": [[190, 216]], "Indicator: Trojan.Depok!iA0ZBWd8EAg": [[217, 241]], "Indicator: 
Trojan.Win32.Depok": [[242, 260]]}, "info": {"id": "cyner2_5class_train_05862", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan-Downloader.Dluca.by Trojan.Downloader.Dluca-29 Trojan-Downloader.Win32.Dluca.by TrojWare.Win32.TrojanDownloader.Dluca.~D3 Dialer.Adultparty Trojan-Downloader.Win32.Dluca.dj!IK TrojanDownloader.Dluca.bg TrojanDownloader:Win32/Dluca.DK Win-Trojan/Dluca.94208 Trojan-Downloader.Win32.Dluca.dj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan-Downloader.Dluca.by": [[26, 58]], "Indicator: Trojan.Downloader.Dluca-29": [[59, 85]], "Indicator: Trojan-Downloader.Win32.Dluca.by": [[86, 118]], "Indicator: TrojWare.Win32.TrojanDownloader.Dluca.~D3": [[119, 160]], "Indicator: Dialer.Adultparty": [[161, 178]], "Indicator: Trojan-Downloader.Win32.Dluca.dj!IK": [[179, 214]], "Indicator: TrojanDownloader.Dluca.bg": [[215, 240]], "Indicator: TrojanDownloader:Win32/Dluca.DK": [[241, 272]], "Indicator: Win-Trojan/Dluca.94208": [[273, 295]], "Indicator: Trojan-Downloader.Win32.Dluca.dj": [[296, 328]]}, "info": {"id": "cyner2_5class_train_05863", "source": "cyner2_5class_train"}} +{"text": "The actors appear to have learned from our previous takedown and sinkholing of their Command and Control C2 infrastructure – Foudre incorporates new anti-takeover techniques in an attempt to avoid their C2 domains being sinkholed as we did in 2016.", "spans": {"Indicator: takedown": [[52, 60]], "Indicator: sinkholing": [[65, 75]], "Indicator: Command and Control C2": [[85, 107]], "System: infrastructure": [[108, 122]], "Organization: Foudre incorporates": [[125, 144]], "Indicator: C2 domains being sinkholed": [[203, 229]]}, "info": {"id": "cyner2_5class_train_05864", "source": "cyner2_5class_train"}} +{"text": "On April 20, Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries.", "spans": {"Organization: Proofpoint": [[13, 
23]], "Organization: financial analysts": [[64, 82]], "Organization: global financial firms": [[98, 120]]}, "info": {"id": "cyner2_5class_train_05865", "source": "cyner2_5class_train"}} +{"text": "The loader injects a DLL component found in its body into explorer.exe.", "spans": {"Malware: The loader": [[0, 10]], "Indicator: DLL component": [[21, 34]], "Indicator: explorer.exe.": [[58, 71]]}, "info": {"id": "cyner2_5class_train_05866", "source": "cyner2_5class_train"}} +{"text": "These key technologies allow RSA analysts to process massive datasets and find forensically interesting artifacts in near real-time and more quickly than using standard incident response processes.", "spans": {}, "info": {"id": "cyner2_5class_train_05867", "source": "cyner2_5class_train"}} +{"text": "The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added .", "spans": {"System: iOS": [[15, 18]]}, "info": {"id": "cyner2_5class_train_05868", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Posmemdump.A8 TSPY_RAWPOS.SM Win32.Trojan.WisdomEyes.16070401.9500.9903 Infostealer.Rawpos!g1 TSPY_RAWPOS.SM Win.Trojan.RawPOS-1 Trojan.Win32.POSCardStealer.dqfnqc Trojan.Inject1.54360 TrojanSpy.POSCardStealer.e Trojan:Win32/MemCCDump.A!POS Trojan.POSMemDump Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Posmemdump.A8": [[26, 46]], "Indicator: TSPY_RAWPOS.SM": [[47, 61], [127, 141]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9903": [[62, 104]], "Indicator: Infostealer.Rawpos!g1": [[105, 126]], "Indicator: Win.Trojan.RawPOS-1": [[142, 161]], "Indicator: Trojan.Win32.POSCardStealer.dqfnqc": [[162, 196]], "Indicator: Trojan.Inject1.54360": [[197, 217]], "Indicator: TrojanSpy.POSCardStealer.e": [[218, 244]], "Indicator: Trojan:Win32/MemCCDump.A!POS": [[245, 273]], "Indicator: Trojan.POSMemDump": [[274, 291]], "Indicator: Trj/CI.A": [[292, 300]]}, "info": {"id": 
"cyner2_5class_train_05869", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.tc MSIL/Injector.TDS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: BehavesLike.Win32.Trojan.tc": [[69, 96]], "Indicator: MSIL/Injector.TDS!tr": [[97, 117]]}, "info": {"id": "cyner2_5class_train_05870", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32!O Backdoor.Takit W32/Recerv.a.dr Trojan.Heur.E5D728 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Zyxerv Backdoor.Win32.Takit Trojan.Win32.Invader.euuocd Trojan.Win32.Z.Takit.135680 Backdoor.W32.Takit!c Backdoor.Win32.Takit.A BackDoor.TakeIt.1 W32/Recerv.a.dr Backdoor/Takit.a BDS/RedCap.xurnc Trojan/Win32.Invader Backdoor.Win32.Takit Backdoor.Takit Win32/Takit.A Win32.Backdoor.Takit.Wrgr Trojan.Win32.Takit W32/RECERV.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32!O": [[26, 42]], "Indicator: Backdoor.Takit": [[43, 57], [383, 397]], "Indicator: W32/Recerv.a.dr": [[58, 73], [291, 306]], "Indicator: Trojan.Heur.E5D728": [[74, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[93, 135]], "Indicator: Backdoor.Zyxerv": [[136, 151]], "Indicator: Backdoor.Win32.Takit": [[152, 172], [362, 382]], "Indicator: Trojan.Win32.Invader.euuocd": [[173, 200]], "Indicator: Trojan.Win32.Z.Takit.135680": [[201, 228]], "Indicator: Backdoor.W32.Takit!c": [[229, 249]], "Indicator: Backdoor.Win32.Takit.A": [[250, 272]], "Indicator: BackDoor.TakeIt.1": [[273, 290]], "Indicator: Backdoor/Takit.a": [[307, 323]], "Indicator: BDS/RedCap.xurnc": [[324, 340]], "Indicator: Trojan/Win32.Invader": [[341, 361]], "Indicator: Win32/Takit.A": [[398, 411]], "Indicator: Win32.Backdoor.Takit.Wrgr": [[412, 437]], "Indicator: Trojan.Win32.Takit": [[438, 456]], "Indicator: W32/RECERV.A!tr": [[457, 472]]}, "info": {"id": 
"cyner2_5class_train_05871", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike:Win32.Malware", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike:Win32.Malware": [[26, 51]]}, "info": {"id": "cyner2_5class_train_05872", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Python/Motovilo.A Win32.Worm.Motovilo.Hvjc Win32.HLLW.Motovilo.2 BehavesLike.Win32.Trojan.tc Python/Motovilo.A!worm Trojan:Win32/Motve.A Trj/CI.A Win32/Trojan.09a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Python/Motovilo.A": [[26, 43]], "Indicator: Win32.Worm.Motovilo.Hvjc": [[44, 68]], "Indicator: Win32.HLLW.Motovilo.2": [[69, 90]], "Indicator: BehavesLike.Win32.Trojan.tc": [[91, 118]], "Indicator: Python/Motovilo.A!worm": [[119, 141]], "Indicator: Trojan:Win32/Motve.A": [[142, 162]], "Indicator: Trj/CI.A": [[163, 171]], "Indicator: Win32/Trojan.09a": [[172, 188]]}, "info": {"id": "cyner2_5class_train_05873", "source": "cyner2_5class_train"}} +{"text": "Whether its Exploit Kits or SPAM messages threat actors are pushing as many different variants of Ransomware as possible.", "spans": {"Malware: Exploit Kits": [[12, 24]], "Indicator: SPAM messages": [[28, 41]], "Malware: Ransomware": [[98, 108]]}, "info": {"id": "cyner2_5class_train_05874", "source": "cyner2_5class_train"}} +{"text": "Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks.", "spans": {"Indicator: wide-scale coordinated attack": [[75, 104]], "Indicator: industrial": [[113, 123]]}, "info": {"id": "cyner2_5class_train_05875", "source": "cyner2_5class_train"}} +{"text": "Here , the RAT stores all the captured videos in a “ video.3gp ” file .", "spans": {"Indicator: video.3gp": [[53, 62]]}, "info": {"id": "cyner2_5class_train_05876", "source": "cyner2_5class_train"}} +{"text": "The country is resource rich, with a variety of natural resources and a steady labor supply.", "spans": 
{}, "info": {"id": "cyner2_5class_train_05877", "source": "cyner2_5class_train"}} +{"text": "Port 6205 : Gmail extraction service .", "spans": {"Indicator: Port 6205": [[0, 9]], "System: Gmail": [[12, 17]]}, "info": {"id": "cyner2_5class_train_05878", "source": "cyner2_5class_train"}} +{"text": "Please see the IOCs section for all app and package name combinations .", "spans": {}, "info": {"id": "cyner2_5class_train_05879", "source": "cyner2_5class_train"}} +{"text": "ince mid-2016 we have observed multiple new samples of the Android Adware family Ewind", "spans": {"Malware: the Android Adware family Ewind": [[55, 86]]}, "info": {"id": "cyner2_5class_train_05880", "source": "cyner2_5class_train"}} +{"text": "Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016.", "spans": {"Organization: Organizations": [[0, 13]], "Indicator: attacks": [[66, 73]]}, "info": {"id": "cyner2_5class_train_05881", "source": "cyner2_5class_train"}} +{"text": "But GPlayed is an example of where this can go wrong , especially if a mobile user is not aware of how to distinguish a fake app versus a real one .", "spans": {"Malware: GPlayed": [[4, 11]]}, "info": {"id": "cyner2_5class_train_05882", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HLLW.Cloner Trojan.Vir.HLL Trojan.Heur.EA0E79 W32/HLLW.Cloner W32.Cloner PE_CLONER.A Virus.Win32.HLLW.Cloner Virus.Win32.HLLW.gcdu W32.HLLW.Cloner!c Win32.HLLW.Cloner Win32.HLLW.Cloner.32768 Virus.Cloner.Win32.1 PE_CLONER.A W32/Cloner.worm.a Virus.Win32.HLLW W32/HLLW.Cloner Virus/Win32.Cloner Virus.Win32.HLLW.Cloner W32/Cloner.worm.a W32/HLLW.SelfCloner Win32/HLLW.Cloner Win32.HLLW.Cloner", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HLLW.Cloner": [[26, 41]], "Indicator: Trojan.Vir.HLL": [[42, 56]], "Indicator: Trojan.Heur.EA0E79": [[57, 75]], "Indicator: W32/HLLW.Cloner": [[76, 91], [289, 304]], "Indicator: W32.Cloner": [[92, 102]], 
"Indicator: PE_CLONER.A": [[103, 114], [242, 253]], "Indicator: Virus.Win32.HLLW.Cloner": [[115, 138], [324, 347]], "Indicator: Virus.Win32.HLLW.gcdu": [[139, 160]], "Indicator: W32.HLLW.Cloner!c": [[161, 178]], "Indicator: Win32.HLLW.Cloner": [[179, 196], [404, 421]], "Indicator: Win32.HLLW.Cloner.32768": [[197, 220]], "Indicator: Virus.Cloner.Win32.1": [[221, 241]], "Indicator: W32/Cloner.worm.a": [[254, 271], [348, 365]], "Indicator: Virus.Win32.HLLW": [[272, 288]], "Indicator: Virus/Win32.Cloner": [[305, 323]], "Indicator: W32/HLLW.SelfCloner": [[366, 385]], "Indicator: Win32/HLLW.Cloner": [[386, 403]]}, "info": {"id": "cyner2_5class_train_05883", "source": "cyner2_5class_train"}} +{"text": "In this collaboration post with Morphisec Lab and Cisco s Research and Efficacy Team, we are now publishing details of this new document variant that makes use of an LNK embedded OLE object, which extracts a JavaScript bot from a document object, and injects a stealer DLL in memory using PowerShell.", "spans": {"Organization: Morphisec Lab": [[32, 45]], "Organization: Cisco s Research": [[50, 66]], "Organization: Efficacy Team,": [[71, 85]], "Malware: variant": [[137, 144]], "Indicator: LNK embedded OLE object,": [[166, 190]], "Malware: JavaScript bot": [[208, 222]], "Indicator: document object,": [[230, 246]], "Indicator: injects": [[251, 258]], "Indicator: in memory": [[273, 282]], "System: PowerShell.": [[289, 300]]}, "info": {"id": "cyner2_5class_train_05884", "source": "cyner2_5class_train"}} +{"text": "Alert from the CNCERT related to a piece of malware that is being used to perform DDoS attacks.", "spans": {"Organization: CNCERT": [[15, 21]], "Malware: malware": [[44, 51]], "Indicator: DDoS attacks.": [[82, 95]]}, "info": {"id": "cyner2_5class_train_05885", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.W32.Buzus.kZ4S BKDR_PHDET.SMI Win32.Trojan.WisdomEyes.16070401.9500.9959 BKDR_PHDET.SMI Trojan.Win32.A.Downloader.34304.CO BackDoor.Dax 
BehavesLike.Win32.FDoSBEnergy.nt W32.Trojan.Trojan-downloader.Ge Backdoor:Win32/Phdet.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.W32.Buzus.kZ4S": [[26, 45]], "Indicator: BKDR_PHDET.SMI": [[46, 60], [104, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[61, 103]], "Indicator: Trojan.Win32.A.Downloader.34304.CO": [[119, 153]], "Indicator: BackDoor.Dax": [[154, 166]], "Indicator: BehavesLike.Win32.FDoSBEnergy.nt": [[167, 199]], "Indicator: W32.Trojan.Trojan-downloader.Ge": [[200, 231]], "Indicator: Backdoor:Win32/Phdet.B": [[232, 254]]}, "info": {"id": "cyner2_5class_train_05886", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Dedler.B Win32.Worm.Dedler.U Worm/W32.Dedler.38400.B Win32.Worm.Dedler.U W32/Dedler.c Win32.Worm.Dedler.U W32.Dedler.Worm Win32/Dedler.E WORM_DEDLER.C Win.Worm.Dedler-12 Win32.Worm.Dedler.U Net-Worm.Win32.Dedler.c Win32.Worm.Dedler.U Trojan.Win32.Dedler.frkx Worm.Win32.S.Net-Dedler.38400 W32.W.Dedler.c!c Win32.Worm-net.Dedler.Ahok Win32.Worm.Dedler.U Worm.Win32.Dedler.E Win32.Worm.Dedler.U Trojan.DownLoader.198 Worm.Dedler.Win32.19 BehavesLike.Win32.Downloader.nc Net-Worm.Win32.Dedler W32/Dedler.B.unp Worm/Dedler.c Worm:Win32/Dedler.B WORM/Dedler.G Worm[Net]/Win32.Dedler Worm:Win32/Dedler.B Net-Worm.Win32.Dedler.c Trojan/Win32.Horst.R28469 Worm.Dedler Backdoor.Dedler.E W32/ICQ.Smvss.A!tr Win32/Worm.352", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Dedler.B": [[26, 40]], "Indicator: Win32.Worm.Dedler.U": [[41, 60], [85, 104], [118, 137], [202, 221], [246, 265], [365, 384], [405, 424]], "Indicator: Worm/W32.Dedler.38400.B": [[61, 84]], "Indicator: W32/Dedler.c": [[105, 117]], "Indicator: W32.Dedler.Worm": [[138, 153]], "Indicator: Win32/Dedler.E": [[154, 168]], "Indicator: WORM_DEDLER.C": [[169, 182]], "Indicator: Win.Worm.Dedler-12": [[183, 201]], "Indicator: Net-Worm.Win32.Dedler.c": [[222, 245], [630, 653]], "Indicator: Trojan.Win32.Dedler.frkx": [[266, 290]], 
"Indicator: Worm.Win32.S.Net-Dedler.38400": [[291, 320]], "Indicator: W32.W.Dedler.c!c": [[321, 337]], "Indicator: Win32.Worm-net.Dedler.Ahok": [[338, 364]], "Indicator: Worm.Win32.Dedler.E": [[385, 404]], "Indicator: Trojan.DownLoader.198": [[425, 446]], "Indicator: Worm.Dedler.Win32.19": [[447, 467]], "Indicator: BehavesLike.Win32.Downloader.nc": [[468, 499]], "Indicator: Net-Worm.Win32.Dedler": [[500, 521]], "Indicator: W32/Dedler.B.unp": [[522, 538]], "Indicator: Worm/Dedler.c": [[539, 552]], "Indicator: Worm:Win32/Dedler.B": [[553, 572], [610, 629]], "Indicator: WORM/Dedler.G": [[573, 586]], "Indicator: Worm[Net]/Win32.Dedler": [[587, 609]], "Indicator: Trojan/Win32.Horst.R28469": [[654, 679]], "Indicator: Worm.Dedler": [[680, 691]], "Indicator: Backdoor.Dedler.E": [[692, 709]], "Indicator: W32/ICQ.Smvss.A!tr": [[710, 728]], "Indicator: Win32/Worm.352": [[729, 743]]}, "info": {"id": "cyner2_5class_train_05887", "source": "cyner2_5class_train"}} +{"text": "Perkele and Wroba Foreign users have also been on the receiving end of several malicious innovations targeting bank accounts .", "spans": {"Malware: Perkele": [[0, 7]], "Malware: Wroba": [[12, 17]]}, "info": {"id": "cyner2_5class_train_05888", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Snojan Trojan.Strictor.D43F0 Win.Trojan.Ag-1 Trojan.Win32.Snojan.kbr Trojan.Win32.DownLoad3.csckao Trojan.Win32.Z.Strictor.268488 Troj.W32.Snojan!c Trojan.DownLoad3.30879 Trojan/Invader.kbu TR/Spy.182784.101 Trojan/Win32.Invader TrojanDropper:Win32/Coopop.B Trojan.Win32.Snojan.kbr Trojan.Snojan Win32.Trojan.Snojan.Llhd Trojan-Banker.Win32.Banker Win32/Trojan.67a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Snojan": [[26, 39], [315, 328]], "Indicator: Trojan.Strictor.D43F0": [[40, 61]], "Indicator: Win.Trojan.Ag-1": [[62, 77]], "Indicator: Trojan.Win32.Snojan.kbr": [[78, 101], [291, 314]], "Indicator: Trojan.Win32.DownLoad3.csckao": [[102, 131]], "Indicator: 
Trojan.Win32.Z.Strictor.268488": [[132, 162]], "Indicator: Troj.W32.Snojan!c": [[163, 180]], "Indicator: Trojan.DownLoad3.30879": [[181, 203]], "Indicator: Trojan/Invader.kbu": [[204, 222]], "Indicator: TR/Spy.182784.101": [[223, 240]], "Indicator: Trojan/Win32.Invader": [[241, 261]], "Indicator: TrojanDropper:Win32/Coopop.B": [[262, 290]], "Indicator: Win32.Trojan.Snojan.Llhd": [[329, 353]], "Indicator: Trojan-Banker.Win32.Banker": [[354, 380]], "Indicator: Win32/Trojan.67a": [[381, 397]]}, "info": {"id": "cyner2_5class_train_05889", "source": "cyner2_5class_train"}} +{"text": "These components are responsible for a myriad of functions including handling decryption , network communications , gaining super-user privileges , monitoring system logs , loading additional Dalvik code files , tracking the device location and more .", "spans": {}, "info": {"id": "cyner2_5class_train_05890", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Multi.Threats.InArchive Worm.Win32.Poswauto W64/Trojan.LELA-7925 WORM/Poswauto.gwore Worm:Win32/Poswauto.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Multi.Threats.InArchive": [[26, 49]], "Indicator: Worm.Win32.Poswauto": [[50, 69]], "Indicator: W64/Trojan.LELA-7925": [[70, 90]], "Indicator: WORM/Poswauto.gwore": [[91, 110]], "Indicator: Worm:Win32/Poswauto.A": [[111, 132]], "Indicator: Trj/CI.A": [[133, 141]]}, "info": {"id": "cyner2_5class_train_05891", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Win32.Pakes!O TSPY_SUKWIDON.C Win32.Trojan.WisdomEyes.16070401.9500.9998 Infostealer.Sofacy Win32/Metlar.A TSPY_SUKWIDON.C Win.Trojan.Sofacy-1 Trojan.Win32.Pakes.qcb Trojan.Win32.Pakes.fizzg Win32.Trojan.Pakes.Pdmf Trojan.KillProc.7386 Trojan.Pakes.Win32.11534 BehavesLike.Win32.Mydoom.nc Trojan/Win32.Pakes Win32.Troj.Unknown.c.kcloud PWS:Win32/Sukwidon.A Trojan.TDss.20 Troj.W32.Pakes.qcb!c Trojan.Win32.Pakes.qcb Trojan/Win32.Xema.C81978 
Trojan.Qhost Trojan.DR.Tiny!eZN8HfCUlLI Trojan.Win32.Sasfis W32/Malware_fam.NB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware03": [[26, 45]], "Indicator: Trojan.Win32.Pakes!O": [[46, 66]], "Indicator: TSPY_SUKWIDON.C": [[67, 82], [160, 175]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[83, 125]], "Indicator: Infostealer.Sofacy": [[126, 144]], "Indicator: Win32/Metlar.A": [[145, 159]], "Indicator: Win.Trojan.Sofacy-1": [[176, 195]], "Indicator: Trojan.Win32.Pakes.qcb": [[196, 218], [446, 468]], "Indicator: Trojan.Win32.Pakes.fizzg": [[219, 243]], "Indicator: Win32.Trojan.Pakes.Pdmf": [[244, 267]], "Indicator: Trojan.KillProc.7386": [[268, 288]], "Indicator: Trojan.Pakes.Win32.11534": [[289, 313]], "Indicator: BehavesLike.Win32.Mydoom.nc": [[314, 341]], "Indicator: Trojan/Win32.Pakes": [[342, 360]], "Indicator: Win32.Troj.Unknown.c.kcloud": [[361, 388]], "Indicator: PWS:Win32/Sukwidon.A": [[389, 409]], "Indicator: Trojan.TDss.20": [[410, 424]], "Indicator: Troj.W32.Pakes.qcb!c": [[425, 445]], "Indicator: Trojan/Win32.Xema.C81978": [[469, 493]], "Indicator: Trojan.Qhost": [[494, 506]], "Indicator: Trojan.DR.Tiny!eZN8HfCUlLI": [[507, 533]], "Indicator: Trojan.Win32.Sasfis": [[534, 553]], "Indicator: W32/Malware_fam.NB": [[554, 572]]}, "info": {"id": "cyner2_5class_train_05892", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader Win32/Exploit.CVE-2017-8570.A TROJ_CVE20170199.JVU Exploit.Xml.CVE-2017-0199.equmby PPT.S.Exploit.35022 Trojan[Exploit]/Win32.CVE-2017-8570 Trojan.Win32.Exploit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader": [[26, 41]], "Indicator: Win32/Exploit.CVE-2017-8570.A": [[42, 71]], "Indicator: TROJ_CVE20170199.JVU": [[72, 92]], "Indicator: Exploit.Xml.CVE-2017-0199.equmby": [[93, 125]], "Indicator: PPT.S.Exploit.35022": [[126, 145]], "Indicator: Trojan[Exploit]/Win32.CVE-2017-8570": [[146, 181]], "Indicator: Trojan.Win32.Exploit": [[182, 202]]}, 
"info": {"id": "cyner2_5class_train_05893", "source": "cyner2_5class_train"}} +{"text": "Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security.", "spans": {"Indicator: the decoy document": [[11, 29]], "Organization: the Cyber Conflict U.S. conference": [[52, 86]], "Organization: the NATO Cooperative Cyber Defence Centre of Excellence on": [[100, 158]], "Organization: cyber security.": [[297, 312]]}, "info": {"id": "cyner2_5class_train_05894", "source": "cyner2_5class_train"}} +{"text": "Version 0.3.0.1 includes Italian and Spanish language compatibility within the resources section .", "spans": {}, "info": {"id": "cyner2_5class_train_05895", "source": "cyner2_5class_train"}} +{"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way .", "spans": {"System: WhatsApp messenger": [[148, 166]]}, "info": {"id": "cyner2_5class_train_05896", "source": "cyner2_5class_train"}} +{"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services .", "spans": {}, "info": {"id": "cyner2_5class_train_05897", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.AutoRun.110592.V Worm.Win32.AutoRun!O Win32.Worm.VB.rp Win.Worm.Autorun-7819 Worm.Win32.AutoRun.hvo Trojan.Win32.AutoRun.ubuid Win32.Worm.Autorun.Aihq Win32.HLLW.Autoruner1.8766 Worm.AutoRun.Win32.41616 BehavesLike.Win32.BadFile.ch Worm.Win32.AutoRun Worm/AutoRun.alsp Worm/Win32.AutoRun Worm:Win32/Krangtor.A 
Trojan.Heur.VP2.gm0faiC9QKoi Worm.Win32.A.AutoRun.87040.A Worm.AutoRun Win32/AutoRun.VB.AJW Worm.AutoRun!P7D8pPa150U", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.AutoRun.110592.V": [[26, 51]], "Indicator: Worm.Win32.AutoRun!O": [[52, 72]], "Indicator: Win32.Worm.VB.rp": [[73, 89]], "Indicator: Win.Worm.Autorun-7819": [[90, 111]], "Indicator: Worm.Win32.AutoRun.hvo": [[112, 134]], "Indicator: Trojan.Win32.AutoRun.ubuid": [[135, 161]], "Indicator: Win32.Worm.Autorun.Aihq": [[162, 185]], "Indicator: Win32.HLLW.Autoruner1.8766": [[186, 212]], "Indicator: Worm.AutoRun.Win32.41616": [[213, 237]], "Indicator: BehavesLike.Win32.BadFile.ch": [[238, 266]], "Indicator: Worm.Win32.AutoRun": [[267, 285]], "Indicator: Worm/AutoRun.alsp": [[286, 303]], "Indicator: Worm/Win32.AutoRun": [[304, 322]], "Indicator: Worm:Win32/Krangtor.A": [[323, 344]], "Indicator: Trojan.Heur.VP2.gm0faiC9QKoi": [[345, 373]], "Indicator: Worm.Win32.A.AutoRun.87040.A": [[374, 402]], "Indicator: Worm.AutoRun": [[403, 415]], "Indicator: Win32/AutoRun.VB.AJW": [[416, 436]], "Indicator: Worm.AutoRun!P7D8pPa150U": [[437, 461]]}, "info": {"id": "cyner2_5class_train_05898", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Malachite.A W32.WLKSM.A1 Virus.WLKSM.Win32.1 Win32.Malachite.A Win32.Virus.MoonRover.a W32/Malachite.A Virus.Win32.MoonRover Virus.Win32.WLKSM.a Virus.Win32.Infector.dleseh Virus.Win32.WLKSM.AA BehavesLike.Win32.Virut.cc W32/Malachite.A Win32.Malachite.A Virus.Win32.WLKSM.a Win32.Malachite.A Win32.Malachite.A Win32.Malachite.A Virus.Win32.Wlksm.c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Malachite.A": [[26, 43], [77, 94], [269, 286], [307, 324], [325, 342], [343, 360]], "Indicator: W32.WLKSM.A1": [[44, 56]], "Indicator: Virus.WLKSM.Win32.1": [[57, 76]], "Indicator: Win32.Virus.MoonRover.a": [[95, 118]], "Indicator: W32/Malachite.A": [[119, 134], [253, 268]], "Indicator: Virus.Win32.MoonRover": [[135, 156]], "Indicator: 
Virus.Win32.WLKSM.a": [[157, 176], [287, 306]], "Indicator: Virus.Win32.Infector.dleseh": [[177, 204]], "Indicator: Virus.Win32.WLKSM.AA": [[205, 225]], "Indicator: BehavesLike.Win32.Virut.cc": [[226, 252]], "Indicator: Virus.Win32.Wlksm.c": [[361, 380]]}, "info": {"id": "cyner2_5class_train_05899", "source": "cyner2_5class_train"}} +{"text": "Digital signature verification can be bypassed by giving the malicious file exactly the same name as a legitimate file and placing it on the same level in the archive .", "spans": {}, "info": {"id": "cyner2_5class_train_05900", "source": "cyner2_5class_train"}} +{"text": "EventBot loaded library Loaded library as seen in Logcat .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_05901", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Otlard.A W32/Smalltroj.YCPZ Virus.Win32.Heur.c TROJ_OTLARD.SM Trojan-Dropper.Win32.Otlard!IK BackDoor.Gootkit.4 TROJ_OTLARD.SM Win32/Droplet.NU Backdoor/IEbooot.iz TrojanDropper:Win32/Otlard.A Trojan/Win32.Xema Rootkit.Otlard.aa Trojan-Dropper.Win32.Otlard", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Otlard.A": [[26, 40]], "Indicator: W32/Smalltroj.YCPZ": [[41, 59]], "Indicator: Virus.Win32.Heur.c": [[60, 78]], "Indicator: TROJ_OTLARD.SM": [[79, 93], [144, 158]], "Indicator: Trojan-Dropper.Win32.Otlard!IK": [[94, 124]], "Indicator: BackDoor.Gootkit.4": [[125, 143]], "Indicator: Win32/Droplet.NU": [[159, 175]], "Indicator: Backdoor/IEbooot.iz": [[176, 195]], "Indicator: TrojanDropper:Win32/Otlard.A": [[196, 224]], "Indicator: Trojan/Win32.Xema": [[225, 242]], "Indicator: Rootkit.Otlard.aa": [[243, 260]], "Indicator: Trojan-Dropper.Win32.Otlard": [[261, 288]]}, "info": {"id": "cyner2_5class_train_05902", "source": "cyner2_5class_train"}} +{"text": "Google is actively combating this use of the service , responding quickly to reports from antivirus companies and blocking the IDs of cybercriminals .", "spans": {"Organization: 
Google": [[0, 6]]}, "info": {"id": "cyner2_5class_train_05903", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Fasong!O Trojan.Reconyc Worm.Fasong.Win32.10 Win32.Trojan-PSW.OLGames.bm W32/Worm.DPJC-5721 Trojan.PWS.QQPass WORM_FASONG.L Win.Trojan.Fasong-9 Trojan.Win32.Fsysna.djfi Trojan.Win32.Legmir.bonls Worm.Win32.A.Fasong.461667 Worm.Win32.Fasong.G Win32.HLLW.Fasong.7 WORM_FASONG.L BehavesLike.Win32.Virut.gh W32/Worm.AVIX Worm/Fasong.a W32.Worm.Fasong BDS/Delf.H Worm/Win32.Fasong Worm:Win32/Ming.A W32.W.Fasong.l6SH Trojan.Win32.Fsysna.djfi Trojan/Win32.HDC.C154421 Worm.Fasong Win32/Fasong.G Worm.Fasong!UQMX8yr/3P8 Worm.Win32.Fasong", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Fasong!O": [[26, 45]], "Indicator: Trojan.Reconyc": [[46, 60]], "Indicator: Worm.Fasong.Win32.10": [[61, 81]], "Indicator: Win32.Trojan-PSW.OLGames.bm": [[82, 109]], "Indicator: W32/Worm.DPJC-5721": [[110, 128]], "Indicator: Trojan.PWS.QQPass": [[129, 146]], "Indicator: WORM_FASONG.L": [[147, 160], [299, 312]], "Indicator: Win.Trojan.Fasong-9": [[161, 180]], "Indicator: Trojan.Win32.Fsysna.djfi": [[181, 205], [449, 473]], "Indicator: Trojan.Win32.Legmir.bonls": [[206, 231]], "Indicator: Worm.Win32.A.Fasong.461667": [[232, 258]], "Indicator: Worm.Win32.Fasong.G": [[259, 278]], "Indicator: Win32.HLLW.Fasong.7": [[279, 298]], "Indicator: BehavesLike.Win32.Virut.gh": [[313, 339]], "Indicator: W32/Worm.AVIX": [[340, 353]], "Indicator: Worm/Fasong.a": [[354, 367]], "Indicator: W32.Worm.Fasong": [[368, 383]], "Indicator: BDS/Delf.H": [[384, 394]], "Indicator: Worm/Win32.Fasong": [[395, 412]], "Indicator: Worm:Win32/Ming.A": [[413, 430]], "Indicator: W32.W.Fasong.l6SH": [[431, 448]], "Indicator: Trojan/Win32.HDC.C154421": [[474, 498]], "Indicator: Worm.Fasong": [[499, 510]], "Indicator: Win32/Fasong.G": [[511, 525]], "Indicator: Worm.Fasong!UQMX8yr/3P8": [[526, 549]], "Indicator: Worm.Win32.Fasong": [[550, 567]]}, "info": {"id": 
"cyner2_5class_train_05904", "source": "cyner2_5class_train"}} +{"text": "Figure 1 describes this infection process and the main behaviors of RuMMS .", "spans": {"Malware: RuMMS": [[68, 73]]}, "info": {"id": "cyner2_5class_train_05905", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke/W32.BadJoke.561258 Trojan.Aduser.A4 Trojan/AddUser.t TROJ_GRAFTOR_EK2501C5.UVPM Win32.Trojan.AddUser.e TROJ_GRAFTOR_EK2501C5.UVPM Win32.Application.PUPStudio.A Trojan.Win32.Z.Graftor.561258 Worm.Win32.Dropper.RA Trojan.Adduser.216 Tool.BadJoke.Win32.3025 Trojan/Pasta.hsb TR/Winlock.KB Trojan.Graftor.D1E8A6 Trojan:Win32/Adduser.D Spyware.OnlineGames Win32/AddUser.T Win32.Trojan-psw.Badjoke.Taer Trojan.AddUser!BXWljasYS+k", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke/W32.BadJoke.561258": [[26, 49]], "Indicator: Trojan.Aduser.A4": [[50, 66]], "Indicator: Trojan/AddUser.t": [[67, 83]], "Indicator: TROJ_GRAFTOR_EK2501C5.UVPM": [[84, 110], [134, 160]], "Indicator: Win32.Trojan.AddUser.e": [[111, 133]], "Indicator: Win32.Application.PUPStudio.A": [[161, 190]], "Indicator: Trojan.Win32.Z.Graftor.561258": [[191, 220]], "Indicator: Worm.Win32.Dropper.RA": [[221, 242]], "Indicator: Trojan.Adduser.216": [[243, 261]], "Indicator: Tool.BadJoke.Win32.3025": [[262, 285]], "Indicator: Trojan/Pasta.hsb": [[286, 302]], "Indicator: TR/Winlock.KB": [[303, 316]], "Indicator: Trojan.Graftor.D1E8A6": [[317, 338]], "Indicator: Trojan:Win32/Adduser.D": [[339, 361]], "Indicator: Spyware.OnlineGames": [[362, 381]], "Indicator: Win32/AddUser.T": [[382, 397]], "Indicator: Win32.Trojan-psw.Badjoke.Taer": [[398, 427]], "Indicator: Trojan.AddUser!BXWljasYS+k": [[428, 454]]}, "info": {"id": "cyner2_5class_train_05906", "source": "cyner2_5class_train"}} +{"text": "If , for some reason , SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges , the Trojan tries to intimidate the user : While running , Rotexy tracks the 
following : switching on and rebooting of the phone ; termination of its operation – in this case , it relaunches ; sending of an SMS by the app – in this case , the phone is switched to silent mode .", "spans": {"Malware: Rotexy": [[198, 204]]}, "info": {"id": "cyner2_5class_train_05907", "source": "cyner2_5class_train"}} +{"text": "This background image likely contains a fake “ software update ” screen .", "spans": {}, "info": {"id": "cyner2_5class_train_05908", "source": "cyner2_5class_train"}} +{"text": "Indeed , due to its ability to hide it ’ s icon from the launcher and impersonates any popular existing apps on a device , there are endless possibilities for this sort of malware to harm a user ’ s device .", "spans": {}, "info": {"id": "cyner2_5class_train_05909", "source": "cyner2_5class_train"}} +{"text": "Code improvements , new capabilities , anti-emulation techniques , and new , global targets all suggest that this malware is well-maintained by its authors and continues to evolve .", "spans": {}, "info": {"id": "cyner2_5class_train_05910", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Blocker TROJ_PUWIN.A Win32.Trojan.WisdomEyes.16070401.9500.9979 TROJ_PUWIN.A Trojan-Ransom.Win32.Blocker.kgxt Trojan.Win32.Keylogger.evercw Trojan.Win32.Z.Blocker.17408.C Troj.Ransom.W32.Blocker!c Trojan.DownLoader25.58899 W32/Trojan.BMCJ-5014 Trojan.Blocker.hvt Trojan[Ransom]/Win32.Blocker Trojan:MSIL/Puwin.A Trojan-Ransom.Win32.Blocker.kgxt Trojan-Ransom.Blocker Trj/GdSda.A Win32.Trojan.Blocker.Tbsp Trojan.Blocker!xyv3gcnzFBI Trojan-Ransom.Win32.Blocker W32/Blocker.KGXT!tr Win32/Trojan.Ransom.460", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Blocker": [[26, 40]], "Indicator: TROJ_PUWIN.A": [[41, 53], [97, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[54, 96]], "Indicator: Trojan-Ransom.Win32.Blocker.kgxt": [[110, 142], [345, 377]], "Indicator: Trojan.Win32.Keylogger.evercw": [[143, 172]], "Indicator: 
Trojan.Win32.Z.Blocker.17408.C": [[173, 203]], "Indicator: Troj.Ransom.W32.Blocker!c": [[204, 229]], "Indicator: Trojan.DownLoader25.58899": [[230, 255]], "Indicator: W32/Trojan.BMCJ-5014": [[256, 276]], "Indicator: Trojan.Blocker.hvt": [[277, 295]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[296, 324]], "Indicator: Trojan:MSIL/Puwin.A": [[325, 344]], "Indicator: Trojan-Ransom.Blocker": [[378, 399]], "Indicator: Trj/GdSda.A": [[400, 411]], "Indicator: Win32.Trojan.Blocker.Tbsp": [[412, 437]], "Indicator: Trojan.Blocker!xyv3gcnzFBI": [[438, 464]], "Indicator: Trojan-Ransom.Win32.Blocker": [[465, 492]], "Indicator: W32/Blocker.KGXT!tr": [[493, 512]], "Indicator: Win32/Trojan.Ransom.460": [[513, 536]]}, "info": {"id": "cyner2_5class_train_05911", "source": "cyner2_5class_train"}} +{"text": "This is a notable behavior that is characteristic of this ransomware family .", "spans": {}, "info": {"id": "cyner2_5class_train_05912", "source": "cyner2_5class_train"}} +{"text": "Ignore Battery Optimization : This sets permissions to continue to operate at full capacity while the phone 's screen is turned off and the phone locked .", "spans": {}, "info": {"id": "cyner2_5class_train_05913", "source": "cyner2_5class_train"}} +{"text": "BrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of the components and reinstall the component .", "spans": {"Malware: BrainTest": [[0, 9]], "Vulnerability: anti-uninstall watchdog": [[23, 46]]}, "info": {"id": "cyner2_5class_train_05914", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: MemScan:Backdoor.Turkojan.DQ Backdoor.Turkojan Backdoor.Turkojan.Win32.25407 Win32.Backdoor.Cakl.c Backdoor.Trojan Win32/Turkojan.A HT_TURKOJAN_HA110001.UVPM Win.Trojan.Truko-10 Backdoor.Win32.Turkojan.zwh MemScan:Backdoor.Turkojan.DQ Trojan.Win32.Turkojan.jebp Win32.Backdoor.Turkojan.Wnwd MemScan:Backdoor.Turkojan.DQ Win32.HLLW.MyBot HT_TURKOJAN_HA110001.UVPM BackDoor-CZP.dr 
Trojan.Win32.Cakl Backdoor/Turkojan.x BDS/Turkojan.im Trojan[Backdoor]/Win32.Turkojan Backdoor:Win32/Turkojan.AI Backdoor.Turkojan.DQ Troj.W32.Buzus.l4J9 MemScan:Backdoor.Turkojan.DQ Backdoor/Win32.Turkojan.R148548 MemScan:Backdoor.Turkojan.DQ Trojan.SDP.27105 Win32/Cakl.NAG Backdoor.Turkojan.I Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: MemScan:Backdoor.Turkojan.DQ": [[26, 54], [232, 260], [317, 345], [559, 587], [620, 648]], "Indicator: Backdoor.Turkojan": [[55, 72]], "Indicator: Backdoor.Turkojan.Win32.25407": [[73, 102]], "Indicator: Win32.Backdoor.Cakl.c": [[103, 124]], "Indicator: Backdoor.Trojan": [[125, 140]], "Indicator: Win32/Turkojan.A": [[141, 157]], "Indicator: HT_TURKOJAN_HA110001.UVPM": [[158, 183], [363, 388]], "Indicator: Win.Trojan.Truko-10": [[184, 203]], "Indicator: Backdoor.Win32.Turkojan.zwh": [[204, 231]], "Indicator: Trojan.Win32.Turkojan.jebp": [[261, 287]], "Indicator: Win32.Backdoor.Turkojan.Wnwd": [[288, 316]], "Indicator: Win32.HLLW.MyBot": [[346, 362]], "Indicator: BackDoor-CZP.dr": [[389, 404]], "Indicator: Trojan.Win32.Cakl": [[405, 422]], "Indicator: Backdoor/Turkojan.x": [[423, 442]], "Indicator: BDS/Turkojan.im": [[443, 458]], "Indicator: Trojan[Backdoor]/Win32.Turkojan": [[459, 490]], "Indicator: Backdoor:Win32/Turkojan.AI": [[491, 517]], "Indicator: Backdoor.Turkojan.DQ": [[518, 538]], "Indicator: Troj.W32.Buzus.l4J9": [[539, 558]], "Indicator: Backdoor/Win32.Turkojan.R148548": [[588, 619]], "Indicator: Trojan.SDP.27105": [[649, 665]], "Indicator: Win32/Cakl.NAG": [[666, 680]], "Indicator: Backdoor.Turkojan.I": [[681, 700]], "Indicator: Trj/CI.A": [[701, 709]]}, "info": {"id": "cyner2_5class_train_05915", "source": "cyner2_5class_train"}} +{"text": "These unknown actors continued launching DDoS attacks over the next few years.", "spans": {"Indicator: DDoS attacks": [[41, 53]]}, "info": {"id": "cyner2_5class_train_05916", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Brambul 
Troj.W32.Brambul.toT6 Win32/Pepex.F Trojan.Win32.Brambul.bp Worm.Win32.Pepex.E0 Win32.HLLW.Bumble BehavesLike.Win32.Downloader.mz Trojan:Win32/Brambul.A Trojan:Win32/Brambul.A!dha Trojan.Win32.Brambul.bp Win32/Tnega.WW Win32.Trojan.Brambul.Dvzk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Brambul": [[26, 40]], "Indicator: Troj.W32.Brambul.toT6": [[41, 62]], "Indicator: Win32/Pepex.F": [[63, 76]], "Indicator: Trojan.Win32.Brambul.bp": [[77, 100], [221, 244]], "Indicator: Worm.Win32.Pepex.E0": [[101, 120]], "Indicator: Win32.HLLW.Bumble": [[121, 138]], "Indicator: BehavesLike.Win32.Downloader.mz": [[139, 170]], "Indicator: Trojan:Win32/Brambul.A": [[171, 193]], "Indicator: Trojan:Win32/Brambul.A!dha": [[194, 220]], "Indicator: Win32/Tnega.WW": [[245, 259]], "Indicator: Win32.Trojan.Brambul.Dvzk": [[260, 285]]}, "info": {"id": "cyner2_5class_train_05917", "source": "cyner2_5class_train"}} +{"text": "First reports could be linked to Operation Aurora and dated back to 2009 2.", "spans": {}, "info": {"id": "cyner2_5class_train_05918", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Sefnit.ab Trojan/Jorik.Gbot.cdb Trojan.Sefnit.2 TROJ_DLDR.SMII Win32.Trojan.WisdomEyes.16070401.9500.9938 Trojan.ADH.2 TROJ_DLDR.SMII Win.Trojan.Gbot-539 Trojan.Win32.Jorik.wkvaa Trojan.DownLoader4.46549 Trojan.Jorik.Win32.14116 BehavesLike.Win32.MultiPlug.tz Trojan/Win32.Gbot TrojanDownloader:Win32/Tegtomp.A Trojan/Win32.ADH.C90187 Trojan.Gbot Bck/Qbot.AO Trojan.DL.Tegtomp!ykAGemfy9WA W32/Buzus.AABB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Sefnit.ab": [[26, 35]], "Indicator: Trojan/Jorik.Gbot.cdb": [[36, 57]], "Indicator: Trojan.Sefnit.2": [[58, 73]], "Indicator: TROJ_DLDR.SMII": [[74, 88], [145, 159]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9938": [[89, 131]], "Indicator: Trojan.ADH.2": [[132, 144]], "Indicator: Win.Trojan.Gbot-539": [[160, 179]], "Indicator: Trojan.Win32.Jorik.wkvaa": [[180, 204]], "Indicator: 
Trojan.DownLoader4.46549": [[205, 229]], "Indicator: Trojan.Jorik.Win32.14116": [[230, 254]], "Indicator: BehavesLike.Win32.MultiPlug.tz": [[255, 285]], "Indicator: Trojan/Win32.Gbot": [[286, 303]], "Indicator: TrojanDownloader:Win32/Tegtomp.A": [[304, 336]], "Indicator: Trojan/Win32.ADH.C90187": [[337, 360]], "Indicator: Trojan.Gbot": [[361, 372]], "Indicator: Bck/Qbot.AO": [[373, 384]], "Indicator: Trojan.DL.Tegtomp!ykAGemfy9WA": [[385, 414]], "Indicator: W32/Buzus.AABB!tr": [[415, 432]]}, "info": {"id": "cyner2_5class_train_05919", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.3DA4 Trojan/W32.Sasfis.432279 Trojan.Sasfis.Win32.35026 Win32.Trojan.Injector.jm Trojan.Win32.StartPage.ecbeu Trojan.Win32.A.Sasfis.432083 Troj.W32.Invader.liPS Trojan.StartPage.40117 BehavesLike.Win32.Sdbot.gc Trojan/Win32.Sasfis Trojan:Win32/Kilonepag.A Win32.Trojan.Killav.Losk Trojan.Sasfis!92bCxe6lda4 Win32/Trojan.48c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.3DA4": [[26, 43]], "Indicator: Trojan/W32.Sasfis.432279": [[44, 68]], "Indicator: Trojan.Sasfis.Win32.35026": [[69, 94]], "Indicator: Win32.Trojan.Injector.jm": [[95, 119]], "Indicator: Trojan.Win32.StartPage.ecbeu": [[120, 148]], "Indicator: Trojan.Win32.A.Sasfis.432083": [[149, 177]], "Indicator: Troj.W32.Invader.liPS": [[178, 199]], "Indicator: Trojan.StartPage.40117": [[200, 222]], "Indicator: BehavesLike.Win32.Sdbot.gc": [[223, 249]], "Indicator: Trojan/Win32.Sasfis": [[250, 269]], "Indicator: Trojan:Win32/Kilonepag.A": [[270, 294]], "Indicator: Win32.Trojan.Killav.Losk": [[295, 319]], "Indicator: Trojan.Sasfis!92bCxe6lda4": [[320, 345]], "Indicator: Win32/Trojan.48c": [[346, 362]]}, "info": {"id": "cyner2_5class_train_05920", "source": "cyner2_5class_train"}} +{"text": "This exercise revealed tons of information about techniques used by FinFisher that we used to make Office 365 ATP more resistant to sandbox detection and Windows Defender ATP to catch similar 
techniques and generic behaviors .", "spans": {"Malware: FinFisher": [[68, 77]], "System: Office 365 ATP": [[99, 113]], "System: Windows Defender ATP": [[154, 174]]}, "info": {"id": "cyner2_5class_train_05921", "source": "cyner2_5class_train"}} +{"text": "Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil.", "spans": {"Organization: Zscaler ThreatLabZ": [[0, 18]], "Malware: Spy Banker Trojan": [[53, 70]], "Organization: Portuguese-speaking": [[104, 123]]}, "info": {"id": "cyner2_5class_train_05922", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Win32.Kryptik.exgddi Trojange.N TR/Dropper.MSIL.hlkdw Trj/GdSda.A Msil.Trojan.Kryptik.Eyg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[26, 68]], "Indicator: Trojan.Win32.Kryptik.exgddi": [[69, 96]], "Indicator: Trojange.N": [[97, 107]], "Indicator: TR/Dropper.MSIL.hlkdw": [[108, 129]], "Indicator: Trj/GdSda.A": [[130, 141]], "Indicator: Msil.Trojan.Kryptik.Eyg": [[142, 165]]}, "info": {"id": "cyner2_5class_train_05923", "source": "cyner2_5class_train"}} +{"text": "Chinese language traces in the code : During the investigation , the Cybereason Nocturnus team discovered code artifacts that may indicate Chinese threat actors .", "spans": {"Organization: Cybereason Nocturnus": [[69, 89]]}, "info": {"id": "cyner2_5class_train_05924", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameAZPIXS.Trojan Trojan-Dropper.Win32.Dapato!O Dropper.Dapato.Win32.12031 Trojan.Delf.106 Trojan.Coinbitminer Win32/CoinMiner.AJ Trojan.Win32.Dapato.vksez Troj.Dropper.W32.Dapato.boht!c Trojan.Packed.194 TR/Kryptik.GZC Trojan[Dropper]/Win32.Dapato Trojan:Win32/Kexqoud.A TrojanDropper.Dapato Trojan.Injector!8vu2hFasaTU Trojan-Dropper.Win32.Dapato W32/Injector.URR!tr Trj/CI.A", "spans": {"Malware: backdoor": 
[[2, 10]], "Indicator: W32.OnGameAZPIXS.Trojan": [[26, 49]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[50, 79]], "Indicator: Dropper.Dapato.Win32.12031": [[80, 106]], "Indicator: Trojan.Delf.106": [[107, 122]], "Indicator: Trojan.Coinbitminer": [[123, 142]], "Indicator: Win32/CoinMiner.AJ": [[143, 161]], "Indicator: Trojan.Win32.Dapato.vksez": [[162, 187]], "Indicator: Troj.Dropper.W32.Dapato.boht!c": [[188, 218]], "Indicator: Trojan.Packed.194": [[219, 236]], "Indicator: TR/Kryptik.GZC": [[237, 251]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[252, 280]], "Indicator: Trojan:Win32/Kexqoud.A": [[281, 303]], "Indicator: TrojanDropper.Dapato": [[304, 324]], "Indicator: Trojan.Injector!8vu2hFasaTU": [[325, 352]], "Indicator: Trojan-Dropper.Win32.Dapato": [[353, 380]], "Indicator: W32/Injector.URR!tr": [[381, 400]], "Indicator: Trj/CI.A": [[401, 409]]}, "info": {"id": "cyner2_5class_train_05925", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.151026.9950.9999 Trojan-Downloader.Win32.Gootkit.kn Trojan.Packed Trojan.Kryptik.Win32.910183 BehavesLike.Win32.BadFile.cm W32/Trojan.TLOU-5726 TR/Renaz.ivfk W32/Gootkit.KN!tr.dldr Trojan/Win32.Inject Trojan.Win32.Crypt Crypt5.BVAN Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[26, 66]], "Indicator: Trojan-Downloader.Win32.Gootkit.kn": [[67, 101]], "Indicator: Trojan.Packed": [[102, 115]], "Indicator: Trojan.Kryptik.Win32.910183": [[116, 143]], "Indicator: BehavesLike.Win32.BadFile.cm": [[144, 172]], "Indicator: W32/Trojan.TLOU-5726": [[173, 193]], "Indicator: TR/Renaz.ivfk": [[194, 207]], "Indicator: W32/Gootkit.KN!tr.dldr": [[208, 230]], "Indicator: Trojan/Win32.Inject": [[231, 250]], "Indicator: Trojan.Win32.Crypt": [[251, 269]], "Indicator: Crypt5.BVAN": [[270, 281]], "Indicator: Trj/GdSda.A": [[282, 293]]}, "info": {"id": "cyner2_5class_train_05926", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: W32.ServerAJ.Trojan Trojan.Bublik.28294 Trojan.Zusy.Elzob.D833 TSPY_SASFIS_CD10021A.RDXN Win32.Backdoor.Naprat.d W32/Trojan2.MXXM Win32/Spyrat.B TSPY_SASFIS_CD10021A.RDXN Win.Trojan.Hupigon-28437 Trojan.Win32.Bublik.lkn Trojan.Win32.Bot.bblhdq Trojan.Win32.Bublik.lkn TrojWare.Win32.Naprat.A BackDoor.IRC.Bot.355 BehavesLike.Win32.Worm.cc Trojan/Naprat.c Trojan-GameThief.Win32.OnLineGames W32/Trojan.APHW-4252 Trojan/Win32.Sasfis Backdoor:Win32/Naprat.A Trojan.Win32.Bublik.lkn Win-Trojan/Antisb.190976.J Trojan.Bublik Win32/Naprat.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ServerAJ.Trojan": [[26, 45]], "Indicator: Trojan.Bublik.28294": [[46, 65]], "Indicator: Trojan.Zusy.Elzob.D833": [[66, 88]], "Indicator: TSPY_SASFIS_CD10021A.RDXN": [[89, 114], [171, 196]], "Indicator: Win32.Backdoor.Naprat.d": [[115, 138]], "Indicator: W32/Trojan2.MXXM": [[139, 155]], "Indicator: Win32/Spyrat.B": [[156, 170]], "Indicator: Win.Trojan.Hupigon-28437": [[197, 221]], "Indicator: Trojan.Win32.Bublik.lkn": [[222, 245], [270, 293], [481, 504]], "Indicator: Trojan.Win32.Bot.bblhdq": [[246, 269]], "Indicator: TrojWare.Win32.Naprat.A": [[294, 317]], "Indicator: BackDoor.IRC.Bot.355": [[318, 338]], "Indicator: BehavesLike.Win32.Worm.cc": [[339, 364]], "Indicator: Trojan/Naprat.c": [[365, 380]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[381, 415]], "Indicator: W32/Trojan.APHW-4252": [[416, 436]], "Indicator: Trojan/Win32.Sasfis": [[437, 456]], "Indicator: Backdoor:Win32/Naprat.A": [[457, 480]], "Indicator: Win-Trojan/Antisb.190976.J": [[505, 531]], "Indicator: Trojan.Bublik": [[532, 545]], "Indicator: Win32/Naprat.C": [[546, 560]]}, "info": {"id": "cyner2_5class_train_05927", "source": "cyner2_5class_train"}} +{"text": "Today, we have discovered more pieces of the puzzle: two more Corebot samples and an online crypt service.", "spans": {"Malware: Corebot": [[62, 69]], "Indicator: online crypt service.": [[85, 106]]}, "info": {"id": 
"cyner2_5class_train_05928", "source": "cyner2_5class_train"}} +{"text": "The modules analyzed by CTU researchers list recently accessed documents, enumerate installed programs, list recently visited websites, steal passwords, and steal installation files for the IDA tool.", "spans": {"Organization: CTU researchers": [[24, 39]], "Indicator: documents, enumerate installed programs, list recently visited websites, steal passwords,": [[63, 152]], "Indicator: steal installation files": [[157, 181]], "Malware: IDA tool.": [[190, 199]]}, "info": {"id": "cyner2_5class_train_05929", "source": "cyner2_5class_train"}} +{"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {}, "info": {"id": "cyner2_5class_train_05930", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Sality!O Ransom_Natasa.R039C0DLB17 W32/Trojan.IPMQ-6780 Ransom_Natasa.R039C0DLB17 Trojan-Ransom.Satan Ransom:Win32/Natasa.A Trojan-Ransom.Win32.Satan.x Trj/CI.A W32/MBRlock.AP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: Ransom_Natasa.R039C0DLB17": [[47, 72], [94, 119]], "Indicator: W32/Trojan.IPMQ-6780": [[73, 93]], "Indicator: Trojan-Ransom.Satan": [[120, 139]], "Indicator: Ransom:Win32/Natasa.A": [[140, 161]], "Indicator: Trojan-Ransom.Win32.Satan.x": [[162, 189]], "Indicator: Trj/CI.A": [[190, 198]], "Indicator: W32/MBRlock.AP!tr": [[199, 216]]}, "info": {"id": "cyner2_5class_train_05931", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Trojan.Onlinegames Troj.Gamethief.W32.Onlinegames!c Trojan-GameThief.Win32.OnLineGames.bnfw Trojan.Win32.OnLineGames.bwrpuv TrojWare.Win32.GameThief.OnLineGames.~bnfw Trojan.PWS.Qqpass.4325 Trojan-Dropper.Win32.Nemqe Trojan/Vilsel.dki Trojan[GameThief]/Win32.OnLineGames Trojan.Heur.ED351E 
Trojan-GameThief.Win32.OnLineGames.bnfw TrojanPSW.OnLineGames.a Win32.Trojan-gamethief.Onlinegames.Pfje Win32/Trojan.GameThief.844", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[26, 62]], "Indicator: Trojan.Onlinegames": [[63, 81]], "Indicator: Troj.Gamethief.W32.Onlinegames!c": [[82, 114]], "Indicator: Trojan-GameThief.Win32.OnLineGames.bnfw": [[115, 154], [353, 392]], "Indicator: Trojan.Win32.OnLineGames.bwrpuv": [[155, 186]], "Indicator: TrojWare.Win32.GameThief.OnLineGames.~bnfw": [[187, 229]], "Indicator: Trojan.PWS.Qqpass.4325": [[230, 252]], "Indicator: Trojan-Dropper.Win32.Nemqe": [[253, 279]], "Indicator: Trojan/Vilsel.dki": [[280, 297]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[298, 333]], "Indicator: Trojan.Heur.ED351E": [[334, 352]], "Indicator: TrojanPSW.OnLineGames.a": [[393, 416]], "Indicator: Win32.Trojan-gamethief.Onlinegames.Pfje": [[417, 456]], "Indicator: Win32/Trojan.GameThief.844": [[457, 483]]}, "info": {"id": "cyner2_5class_train_05932", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Cosmu.41472.E Backdoor.Begman.A Trojan/Cosmu.anpk Trojan.Autorun.3 Win32.Trojan.Delf.v W32.Begmian BKDR_BEGMA.SM Trojan.Cosmu.Win32.6467 BKDR_BEGMA.SM BehavesLike.Win32.Sality.pc BDS/Begman.cmnra Worm/Win32.AutoRun Backdoor:Win32/Begman.B Trojan/Win32.Cosmu.R11227 Trj/GdSda.A Trojan.Win32.Autorun.bwq Backdoor.Win32.Begman W32/Begma.SM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Cosmu.41472.E": [[26, 50]], "Indicator: Backdoor.Begman.A": [[51, 68]], "Indicator: Trojan/Cosmu.anpk": [[69, 86]], "Indicator: Trojan.Autorun.3": [[87, 103]], "Indicator: Win32.Trojan.Delf.v": [[104, 123]], "Indicator: W32.Begmian": [[124, 135]], "Indicator: BKDR_BEGMA.SM": [[136, 149], [174, 187]], "Indicator: Trojan.Cosmu.Win32.6467": [[150, 173]], "Indicator: BehavesLike.Win32.Sality.pc": [[188, 215]], "Indicator: BDS/Begman.cmnra": [[216, 232]], "Indicator: 
Worm/Win32.AutoRun": [[233, 251]], "Indicator: Backdoor:Win32/Begman.B": [[252, 275]], "Indicator: Trojan/Win32.Cosmu.R11227": [[276, 301]], "Indicator: Trj/GdSda.A": [[302, 313]], "Indicator: Trojan.Win32.Autorun.bwq": [[314, 338]], "Indicator: Backdoor.Win32.Begman": [[339, 360]], "Indicator: W32/Begma.SM!tr": [[361, 376]]}, "info": {"id": "cyner2_5class_train_05933", "source": "cyner2_5class_train"}} +{"text": "The campaign, which experts believe is still in its early stages, targets Android OS devices.", "spans": {"System: Android OS devices.": [[74, 93]]}, "info": {"id": "cyner2_5class_train_05934", "source": "cyner2_5class_train"}} +{"text": "In addition, Sundown doesn't have the anti-crawling feature used by other exploit kits.", "spans": {"Malware: Sundown": [[13, 20]], "Malware: exploit kits.": [[74, 87]]}, "info": {"id": "cyner2_5class_train_05935", "source": "cyner2_5class_train"}} +{"text": "It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.", "spans": {"Indicator: multi-stage installation process": [[10, 42]], "Organization: security researcher.": [[124, 144]]}, "info": {"id": "cyner2_5class_train_05936", "source": "cyner2_5class_train"}} +{"text": "It is worth noticing that this remote reverse shell does not employ any transport cryptography .", "spans": {}, "info": {"id": "cyner2_5class_train_05937", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.ZKD Trojan/W32.naKocTb.106496 Trojan.Mauvaise.SL1 Spyware.Infostealer.Fareit Spyware.LokiBot Trojan/Fareit.l Trojan.PWS.ZKD TSPY_LOKI.SMA Win32.Trojan.WisdomEyes.16070401.9500.9723 W32/Trojan.LAPN-1109 TSPY_LOKI.SMA Win.Trojan.naKocTb-6331389-1 Trojan.PWS.ZKD Trojan.PWS.ZKD Trojan.Win32.Stealer.eshrhl Trojan.PWS.Stealer.17779 Trojan.naKocTb.Win32.12 BehavesLike.Win32.Downloader.ch W32/Trojan2.PBTA Trojan.naKocTb.l PWS:Win32/Primarypass.A Trojan.PWS.ZKD Troj.W32.naKocTb.tnB5 
Trojan/Win32.naKocTb.C1575888 Trojan.naKocTb Trj/GdSda.A Trojan.Nakoctb Win32/PSW.Fareit.L Trojan-Spy.Dyzap Win32/Trojan.15d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.ZKD": [[26, 40], [146, 160], [282, 296], [297, 311], [479, 493]], "Indicator: Trojan/W32.naKocTb.106496": [[41, 66]], "Indicator: Trojan.Mauvaise.SL1": [[67, 86]], "Indicator: Spyware.Infostealer.Fareit": [[87, 113]], "Indicator: Spyware.LokiBot": [[114, 129]], "Indicator: Trojan/Fareit.l": [[130, 145]], "Indicator: TSPY_LOKI.SMA": [[161, 174], [239, 252]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9723": [[175, 217]], "Indicator: W32/Trojan.LAPN-1109": [[218, 238]], "Indicator: Win.Trojan.naKocTb-6331389-1": [[253, 281]], "Indicator: Trojan.Win32.Stealer.eshrhl": [[312, 339]], "Indicator: Trojan.PWS.Stealer.17779": [[340, 364]], "Indicator: Trojan.naKocTb.Win32.12": [[365, 388]], "Indicator: BehavesLike.Win32.Downloader.ch": [[389, 420]], "Indicator: W32/Trojan2.PBTA": [[421, 437]], "Indicator: Trojan.naKocTb.l": [[438, 454]], "Indicator: PWS:Win32/Primarypass.A": [[455, 478]], "Indicator: Troj.W32.naKocTb.tnB5": [[494, 515]], "Indicator: Trojan/Win32.naKocTb.C1575888": [[516, 545]], "Indicator: Trojan.naKocTb": [[546, 560]], "Indicator: Trj/GdSda.A": [[561, 572]], "Indicator: Trojan.Nakoctb": [[573, 587]], "Indicator: Win32/PSW.Fareit.L": [[588, 606]], "Indicator: Trojan-Spy.Dyzap": [[607, 623]], "Indicator: Win32/Trojan.15d": [[624, 640]]}, "info": {"id": "cyner2_5class_train_05938", "source": "cyner2_5class_train"}} +{"text": "Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named SYS01 stealer. 
SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload stealer is different.", "spans": {"Organization: Morphisec": [[27, 36]], "Malware: advanced info stealer": [[58, 79]], "Malware: SYS01 stealer.": [[94, 108]], "Malware: SYS01 stealer": [[109, 122]], "Indicator: information stealer": [[176, 195]], "Malware: S1deload": [[212, 220]], "Organization: the Bitdefender group,": [[224, 246]], "Malware: payload stealer": [[262, 277]]}, "info": {"id": "cyner2_5class_train_05939", "source": "cyner2_5class_train"}} +{"text": "Article primarily covering activity from 2016.", "spans": {}, "info": {"id": "cyner2_5class_train_05940", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutoHotkeyA.Worm Virus.Win32.Sality!O Backdoor.Vercuser.B4 Worm.AutoHotKey.Win32.37 Trojan.Heur.uquarfYBWDlih Win32/Tnega.NCdVJJ Win.Trojan.Ag-13 Worm.Win32.AutoHotKey.a Trojan.Win32.AutoHotKey.cmxqxy Win32.HLLW.Autoruner1.26246 BehavesLike.Win32.Virut.fc Backdoor.Win32.Vercuser Worm:Win32/Vercuser.B Trojan/Win32.Hupigon.R57102 Trj/CI.A Win32/Vercuser.B Win32.Worm.Autohotkey.Dzjb Worm.AutoHotKey!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutoHotkeyA.Worm": [[26, 46]], "Indicator: Virus.Win32.Sality!O": [[47, 67]], "Indicator: Backdoor.Vercuser.B4": [[68, 88]], "Indicator: Worm.AutoHotKey.Win32.37": [[89, 113]], "Indicator: Trojan.Heur.uquarfYBWDlih": [[114, 139]], "Indicator: Win32/Tnega.NCdVJJ": [[140, 158]], "Indicator: Win.Trojan.Ag-13": [[159, 175]], "Indicator: Worm.Win32.AutoHotKey.a": [[176, 199]], "Indicator: Trojan.Win32.AutoHotKey.cmxqxy": [[200, 230]], "Indicator: Win32.HLLW.Autoruner1.26246": [[231, 258]], "Indicator: BehavesLike.Win32.Virut.fc": [[259, 285]], "Indicator: Backdoor.Win32.Vercuser": [[286, 309]], "Indicator: Worm:Win32/Vercuser.B": [[310, 331]], "Indicator: Trojan/Win32.Hupigon.R57102": [[332, 359]], "Indicator: Trj/CI.A": 
[[360, 368]], "Indicator: Win32/Vercuser.B": [[369, 385]], "Indicator: Win32.Worm.Autohotkey.Dzjb": [[386, 412]], "Indicator: Worm.AutoHotKey!": [[413, 429]]}, "info": {"id": "cyner2_5class_train_05941", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pirril.B5 Trojan/BHO.aisa TROJ_PIRRIL.SMI Win.Trojan.Pirril-7 Trojan.Win32.BHO.czvu Trojan.Win32.BHO.btaog Troj.W32.Bho!c Backdoor.Win32.Ripinip.a TrojWare.Win32.Pirril.smi Win32.HLLW.Riplip.10 Trojan.BHO.Win32.9746 TROJ_PIRRIL.SMI BehavesLike.Win32.Pirril.mm Adware/BHO.bmy Trojan.Graftor.D453B Trojan.Win32.Z.Bho.90112 Trojan.Win32.BHO.czvu Pirril.a Trojan.BHO Trojan.Win32.BHO W32/BHO.AJZ!tr Backdoor.Win32.Ripinip.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pirril.B5": [[26, 42]], "Indicator: Trojan/BHO.aisa": [[43, 58]], "Indicator: TROJ_PIRRIL.SMI": [[59, 74], [249, 264]], "Indicator: Win.Trojan.Pirril-7": [[75, 94]], "Indicator: Trojan.Win32.BHO.czvu": [[95, 116], [354, 375]], "Indicator: Trojan.Win32.BHO.btaog": [[117, 139]], "Indicator: Troj.W32.Bho!c": [[140, 154]], "Indicator: Backdoor.Win32.Ripinip.a": [[155, 179]], "Indicator: TrojWare.Win32.Pirril.smi": [[180, 205]], "Indicator: Win32.HLLW.Riplip.10": [[206, 226]], "Indicator: Trojan.BHO.Win32.9746": [[227, 248]], "Indicator: BehavesLike.Win32.Pirril.mm": [[265, 292]], "Indicator: Adware/BHO.bmy": [[293, 307]], "Indicator: Trojan.Graftor.D453B": [[308, 328]], "Indicator: Trojan.Win32.Z.Bho.90112": [[329, 353]], "Indicator: Pirril.a": [[376, 384]], "Indicator: Trojan.BHO": [[385, 395]], "Indicator: Trojan.Win32.BHO": [[396, 412]], "Indicator: W32/BHO.AJZ!tr": [[413, 427]], "Indicator: Backdoor.Win32.Ripinip.C": [[428, 452]]}, "info": {"id": "cyner2_5class_train_05942", "source": "cyner2_5class_train"}} +{"text": "Additionally, others have been referring to the group responsible for the OilRig campaign itself as the OilRig group as well.", "spans": {}, "info": {"id": "cyner2_5class_train_05943", "source": 
"cyner2_5class_train"}} +{"text": "Expanded with indicators generated by Alienvault Labs", "spans": {"Indicator: indicators": [[14, 24]], "Organization: Alienvault Labs": [[38, 53]]}, "info": {"id": "cyner2_5class_train_05944", "source": "cyner2_5class_train"}} +{"text": "The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis .", "spans": {}, "info": {"id": "cyner2_5class_train_05945", "source": "cyner2_5class_train"}} +{"text": "What 's new ? WolfRAT is based on a previously leaked malware named DenDroid .", "spans": {"Malware: WolfRAT": [[14, 21]], "Malware: DenDroid": [[68, 76]]}, "info": {"id": "cyner2_5class_train_05946", "source": "cyner2_5class_train"}} +{"text": "However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.", "spans": {"Indicator: compromising": [[87, 99]], "Organization: political entities": [[100, 118]]}, "info": {"id": "cyner2_5class_train_05947", "source": "cyner2_5class_train"}} +{"text": "F5 research conducted in March 2017 followed 153 Marcher configuration files to uncover target and activity trends in the worldwide attack campaigns.", "spans": {"Organization: F5 research": [[0, 11]], "Malware: Marcher": [[49, 56]], "Indicator: files": [[71, 76]]}, "info": {"id": "cyner2_5class_train_05948", "source": "cyner2_5class_train"}} +{"text": "The Word document initiated the same multiple-stage infection process as the file from the Hybrid Analysis report we previously discovered and allowed us to reconstruct a more complete infection process.", "spans": {"Indicator: The Word document": [[0, 17]]}, "info": {"id": "cyner2_5class_train_05949", "source": "cyner2_5class_train"}} +{"text": "SpiderLabs has uncovered a new strain of malware that can steal cryptocurrencies and other digital currencies.", "spans": {"Organization: SpiderLabs": [[0, 10]], "Malware: malware": [[41, 48]], "Indicator: 
steal cryptocurrencies and other digital currencies.": [[58, 110]]}, "info": {"id": "cyner2_5class_train_05950", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Protoride.59392 W32.Protoride.E Worm.RAHack W32/Protoride2.worm Trojan.Win32.Protoride.fsfk W32/Protoride.C.unp W32.Protoride.Worm Win32/Protoride.E Worm.Protoride.F Worm.Win32.Protoride.59392[h] W32.W.Protoride.e!c Worm.Win32.Protoride.E BackDoor.IRC.Cirilico Worm.Protoride.Win32.7 BehavesLike.Win32.SpyLydra.qc W32/Protoride.ZUZR-8900 Worm/Protoride.e WORM/Protoride.E.2 Worm[Net]/Win32.Protoride Worm/Win32.IRCBot Worm:Win32/Protoride.F Win32/Protoride.F W32/Protoride.worm BScope.Trojan.IRCbot Win32.Worm-net.Protoride.Lorr Net-Worm.Win32.Protoride", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Protoride.59392": [[26, 50]], "Indicator: W32.Protoride.E": [[51, 66]], "Indicator: Worm.RAHack": [[67, 78]], "Indicator: W32/Protoride2.worm": [[79, 98]], "Indicator: Trojan.Win32.Protoride.fsfk": [[99, 126]], "Indicator: W32/Protoride.C.unp": [[127, 146]], "Indicator: W32.Protoride.Worm": [[147, 165]], "Indicator: Win32/Protoride.E": [[166, 183]], "Indicator: Worm.Protoride.F": [[184, 200]], "Indicator: Worm.Win32.Protoride.59392[h]": [[201, 230]], "Indicator: W32.W.Protoride.e!c": [[231, 250]], "Indicator: Worm.Win32.Protoride.E": [[251, 273]], "Indicator: BackDoor.IRC.Cirilico": [[274, 295]], "Indicator: Worm.Protoride.Win32.7": [[296, 318]], "Indicator: BehavesLike.Win32.SpyLydra.qc": [[319, 348]], "Indicator: W32/Protoride.ZUZR-8900": [[349, 372]], "Indicator: Worm/Protoride.e": [[373, 389]], "Indicator: WORM/Protoride.E.2": [[390, 408]], "Indicator: Worm[Net]/Win32.Protoride": [[409, 434]], "Indicator: Worm/Win32.IRCBot": [[435, 452]], "Indicator: Worm:Win32/Protoride.F": [[453, 475]], "Indicator: Win32/Protoride.F": [[476, 493]], "Indicator: W32/Protoride.worm": [[494, 512]], "Indicator: BScope.Trojan.IRCbot": [[513, 533]], "Indicator: 
Win32.Worm-net.Protoride.Lorr": [[534, 563]], "Indicator: Net-Worm.Win32.Protoride": [[564, 588]]}, "info": {"id": "cyner2_5class_train_05951", "source": "cyner2_5class_train"}} +{"text": "Exfiltrated contact list data sent to the C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_05952", "source": "cyner2_5class_train"}} +{"text": "Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.", "spans": {"Organization: Microsoft": [[49, 58]], "System: EPS,": [[68, 72]], "Organization: FireEye": [[73, 80]], "Vulnerability: unknown vulnerability": [[99, 120]], "System: EPS.": [[124, 128]]}, "info": {"id": "cyner2_5class_train_05953", "source": "cyner2_5class_train"}} +{"text": "In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled Microsoft Excel XLSM documents.", "spans": {"Indicator: application whitelisting bypass": [[44, 75]], "Indicator: macro-enabled Microsoft Excel XLSM documents.": [[83, 128]]}, "info": {"id": "cyner2_5class_train_05954", "source": "cyner2_5class_train"}} +{"text": "The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations.", "spans": {"Organization: The NCSC": [[0, 8]], "Malware: tools": [[28, 33]], "Organization: the Turla group": [[48, 63]], "System: network access": [[87, 101]], "Indicator: conduct network operations.": [[109, 136]]}, "info": {"id": "cyner2_5class_train_05955", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Cerber.B NSIS/ObfusRansom.f Ransom_Enestaller.R00EC0CL417 Packed.NSISPacker!g4 Ransom_Enestaller.R00EC0CL417 Trojan.Nsis.Zerber.emhumo BehavesLike.Win32.ObfusRansom.dc Ransom.Cerber/Variant Trojan/Win32.Cerber.R196343 Ransom.Cerber W32/Injector.UQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Cerber.B": [[26, 41]], "Indicator: NSIS/ObfusRansom.f": [[42, 60]], "Indicator: 
Ransom_Enestaller.R00EC0CL417": [[61, 90], [112, 141]], "Indicator: Packed.NSISPacker!g4": [[91, 111]], "Indicator: Trojan.Nsis.Zerber.emhumo": [[142, 167]], "Indicator: BehavesLike.Win32.ObfusRansom.dc": [[168, 200]], "Indicator: Ransom.Cerber/Variant": [[201, 222]], "Indicator: Trojan/Win32.Cerber.R196343": [[223, 250]], "Indicator: Ransom.Cerber": [[251, 264]], "Indicator: W32/Injector.UQ!tr": [[265, 283]]}, "info": {"id": "cyner2_5class_train_05956", "source": "cyner2_5class_train"}} +{"text": "A file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.", "spans": {"Indicator: A file": [[0, 6]], "Indicator: x32dbg.exe": [[14, 24]], "Indicator: sideload": [[37, 45]], "Malware: variant": [[81, 88]], "Malware: PlugX.": [[92, 98]]}, "info": {"id": "cyner2_5class_train_05957", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.Elzob.D5035 Win32.Trojan.WisdomEyes.16070401.9500.9799 W32/Trojan2.HUBT Win32/Tnega.RA Trojan.Cebaek BehavesLike.Win32.PWSOnlineGames.pm W32/Trojan.JRGD-8081 PWS:Win32/Jomloon.E BScope.Trojan-Downloader.6707 W32/PWS_y.XR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.Elzob.D5035": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9799": [[53, 95]], "Indicator: W32/Trojan2.HUBT": [[96, 112]], "Indicator: Win32/Tnega.RA": [[113, 127]], "Indicator: Trojan.Cebaek": [[128, 141]], "Indicator: BehavesLike.Win32.PWSOnlineGames.pm": [[142, 177]], "Indicator: W32/Trojan.JRGD-8081": [[178, 198]], "Indicator: PWS:Win32/Jomloon.E": [[199, 218]], "Indicator: BScope.Trojan-Downloader.6707": [[219, 248]], "Indicator: W32/PWS_y.XR!tr": [[249, 264]]}, "info": {"id": "cyner2_5class_train_05958", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.WinShell.12832 Backdoor.WinShell.I W32/Backdoor.LOY Backdoor.Winshell.50 W32/Winshell.AIC Backdoor.Win32.WinShell.50 BackDoor.WinShell.74 Backdoor.Win32.WinShell.50!IK 
Backdoor/WinShell.50 Backdoor:Win32/Winshell.G Backdoor.Win32.A.WinShell.203004.A W32/Backdoor.LOY Win-Trojan/Winshell.54178 Backdoor.Win32.WinShell.50 Win32/WinShell.50 Backdoor.WinShell Backdoor.Win32.WinShell.50 W32/Winshell.A!tr.bdr Bck/Winshell.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.WinShell.12832": [[26, 53]], "Indicator: Backdoor.WinShell.I": [[54, 73]], "Indicator: W32/Backdoor.LOY": [[74, 90], [289, 305]], "Indicator: Backdoor.Winshell.50": [[91, 111]], "Indicator: W32/Winshell.AIC": [[112, 128]], "Indicator: Backdoor.Win32.WinShell.50": [[129, 155], [332, 358], [395, 421]], "Indicator: BackDoor.WinShell.74": [[156, 176]], "Indicator: Backdoor.Win32.WinShell.50!IK": [[177, 206]], "Indicator: Backdoor/WinShell.50": [[207, 227]], "Indicator: Backdoor:Win32/Winshell.G": [[228, 253]], "Indicator: Backdoor.Win32.A.WinShell.203004.A": [[254, 288]], "Indicator: Win-Trojan/Winshell.54178": [[306, 331]], "Indicator: Win32/WinShell.50": [[359, 376]], "Indicator: Backdoor.WinShell": [[377, 394]], "Indicator: W32/Winshell.A!tr.bdr": [[422, 443]], "Indicator: Bck/Winshell.F": [[444, 458]]}, "info": {"id": "cyner2_5class_train_05959", "source": "cyner2_5class_train"}} +{"text": "] it Reggio Calabria server2ct.exodus.connexxa [ .", "spans": {"Indicator: server2ct.exodus.connexxa [ .": [[21, 50]]}, "info": {"id": "cyner2_5class_train_05960", "source": "cyner2_5class_train"}} +{"text": "Several weeks ago , Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “ Charger. 
” This incident demonstrates how malware can be a dangerous threat to your business , and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks .", "spans": {"Organization: Check Point": [[20, 31]], "System: Android": [[86, 93]], "System: Google Play": [[197, 208]], "Malware: Charger.": [[218, 226]]}, "info": {"id": "cyner2_5class_train_05961", "source": "cyner2_5class_train"}} +{"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant ’ s evolution .", "spans": {"Malware: Skygofree": [[87, 96]]}, "info": {"id": "cyner2_5class_train_05962", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB.Win32.23241 Trojan/VB.ymg Win32.Trojan.WisdomEyes.16070401.9500.9965 TROJ_VB.JNH Worm.Win32.VBNA.b Trojan.Win32.VB.edhhbs Trojan.Win32.A.VB.206336[UPX] Backdoor.W32.VB.l0cp TrojWare.Win32.Trojan.VB.~Ymg Trojan.VbCrypt.68 TROJ_VB.JNH BehavesLike.Win32.Rontokbro.lc Trojan.Win32.Sopcol Worm.VBNA.skk Trojan:Win32/Sopcol.A Worm/Win32.VBNA Trojan.Jaiko.DF2A Worm.Win32.VBNA.b Trojan:Win32/Sopcol.A Trojan/Win32.Xema.C33567 SScope.Trojan.VBO.0286 Trojan.VB!6EP+kawqBsw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VB!O": [[26, 43]], "Indicator: Trojan.VB.Win32.23241": [[44, 65]], "Indicator: Trojan/VB.ymg": [[66, 79]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[80, 122]], "Indicator: TROJ_VB.JNH": [[123, 134], [275, 286]], "Indicator: Worm.Win32.VBNA.b": [[135, 152], [408, 425]], "Indicator: Trojan.Win32.VB.edhhbs": [[153, 175]], "Indicator: Trojan.Win32.A.VB.206336[UPX]": [[176, 205]], "Indicator: Backdoor.W32.VB.l0cp": [[206, 226]], "Indicator: TrojWare.Win32.Trojan.VB.~Ymg": [[227, 256]], "Indicator: Trojan.VbCrypt.68": [[257, 274]], "Indicator: BehavesLike.Win32.Rontokbro.lc": [[287, 317]], "Indicator: Trojan.Win32.Sopcol": [[318, 337]], "Indicator: 
Worm.VBNA.skk": [[338, 351]], "Indicator: Trojan:Win32/Sopcol.A": [[352, 373], [426, 447]], "Indicator: Worm/Win32.VBNA": [[374, 389]], "Indicator: Trojan.Jaiko.DF2A": [[390, 407]], "Indicator: Trojan/Win32.Xema.C33567": [[448, 472]], "Indicator: SScope.Trojan.VBO.0286": [[473, 495]], "Indicator: Trojan.VB!6EP+kawqBsw": [[496, 517]]}, "info": {"id": "cyner2_5class_train_05963", "source": "cyner2_5class_train"}} +{"text": "Black Vine's targets include gas turbine manufacturers, large aerospace and aviation companies, healthcare providers, and more.", "spans": {"Organization: gas turbine manufacturers, large aerospace": [[29, 71]], "Organization: aviation companies, healthcare providers,": [[76, 117]]}, "info": {"id": "cyner2_5class_train_05964", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WinfileH.Worm Email-Worm.Win32.VB!O Worm.Wukill.AM3 Trojan.TempCom Win32.Worm.VB.sg W32/VB.KL W32.Traxg@mm Win32/Traxg.B WORM_VB.F Win.Worm.Traxg-4 Trojan.Win32.Scar.avxe Trojan.Win32.Scar.bjfnz Troj.W32.Scar!c Trojan.Win32.Rays.tzs Win32.HLLM.Utenti Worm.Rays.Win32.3 WORM_VB.F BehavesLike.Win32.Autorun.cz W32/VB.CWJD-9096 I-Worm/Wukill.j W32.Email-worm.Win32.Rays WORM/Traxgy.B Worm[Email]/Win32.VB Worm.Rays.8192 I-Worm.Win32.Traxg.57344 Trojan.Win32.Scar.avxe Worm:Win32/Wukill.G@mm Worm/Win32.Traxg.R2565 W32/Nethood.worm SScope.Trojan.VBO.0362 I-Worm.VB.NBB Win32/VB.NBB I-Worm.Rays.K W32/Vinet.A.worm Trojan.Win32.VBCode.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WinfileH.Worm": [[26, 43]], "Indicator: Email-Worm.Win32.VB!O": [[44, 65]], "Indicator: Worm.Wukill.AM3": [[66, 81]], "Indicator: Trojan.TempCom": [[82, 96]], "Indicator: Win32.Worm.VB.sg": [[97, 113]], "Indicator: W32/VB.KL": [[114, 123]], "Indicator: W32.Traxg@mm": [[124, 136]], "Indicator: Win32/Traxg.B": [[137, 150]], "Indicator: WORM_VB.F": [[151, 160], [299, 308]], "Indicator: Win.Worm.Traxg-4": [[161, 177]], "Indicator: Trojan.Win32.Scar.avxe": [[178, 200], [472, 
494]], "Indicator: Trojan.Win32.Scar.bjfnz": [[201, 224]], "Indicator: Troj.W32.Scar!c": [[225, 240]], "Indicator: Trojan.Win32.Rays.tzs": [[241, 262]], "Indicator: Win32.HLLM.Utenti": [[263, 280]], "Indicator: Worm.Rays.Win32.3": [[281, 298]], "Indicator: BehavesLike.Win32.Autorun.cz": [[309, 337]], "Indicator: W32/VB.CWJD-9096": [[338, 354]], "Indicator: I-Worm/Wukill.j": [[355, 370]], "Indicator: W32.Email-worm.Win32.Rays": [[371, 396]], "Indicator: WORM/Traxgy.B": [[397, 410]], "Indicator: Worm[Email]/Win32.VB": [[411, 431]], "Indicator: Worm.Rays.8192": [[432, 446]], "Indicator: I-Worm.Win32.Traxg.57344": [[447, 471]], "Indicator: Worm:Win32/Wukill.G@mm": [[495, 517]], "Indicator: Worm/Win32.Traxg.R2565": [[518, 540]], "Indicator: W32/Nethood.worm": [[541, 557]], "Indicator: SScope.Trojan.VBO.0362": [[558, 580]], "Indicator: I-Worm.VB.NBB": [[581, 594]], "Indicator: Win32/VB.NBB": [[595, 607]], "Indicator: I-Worm.Rays.K": [[608, 621]], "Indicator: W32/Vinet.A.worm": [[622, 638]], "Indicator: Trojan.Win32.VBCode.D": [[639, 660]]}, "info": {"id": "cyner2_5class_train_05965", "source": "cyner2_5class_train"}} +{"text": "According to publicly available information , the founder of Connexxa seems to also be the CEO of eSurv .", "spans": {"Organization: Connexxa": [[61, 69]], "Organization: eSurv": [[98, 103]]}, "info": {"id": "cyner2_5class_train_05966", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Tufei503.PE Win32.Tufik.A Virus.Win32.Tufik!O W32.Tufik.A Troj.GameThief.W32.Magania.leKk PE_TUFIK.B Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Tufik.A W32.Tufik Win32/Tufik.A PE_TUFIK.B Win.Trojan.Tufik-3 Win32.Tufik.A Packed.Win32.Krap.hm Win32.Tufik.A Virus.Win32.Tufik.cdpn Win32.Tufik.A Virus.Win32.Virut.Ce VBS.Dropper.128 Virus.Tufik.Win32.2 BehavesLike.Win32.PWSZbot.dh Trojan-Dropper.Win32.Wlord W32/Tufik.A Win32/Tufei.a W32/Tufik.J Win32.Tufik.a.13824 Win32.Tufik.A Packed.Win32.Krap.hm Worm:Win32/Tufik.A Win32.Tufik.A 
Virus.Win32.Tufei.13798 Worm.Qakbot W32/Tufei.A Trojan.Zbot Win32/Tufik.A Virus.Win32.Tufik.cb Win32.Perez.B Win32/Sorter.AutoVirus.VMKUKU.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Tufei503.PE": [[26, 41]], "Indicator: Win32.Tufik.A": [[42, 55], [240, 253], [275, 288], [312, 325], [497, 510], [551, 564]], "Indicator: Virus.Win32.Tufik!O": [[56, 75]], "Indicator: W32.Tufik.A": [[76, 87]], "Indicator: Troj.GameThief.W32.Magania.leKk": [[88, 119]], "Indicator: PE_TUFIK.B": [[120, 130], [210, 220]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[131, 173]], "Indicator: W32/Tufik.A": [[174, 185], [439, 450]], "Indicator: W32.Tufik": [[186, 195]], "Indicator: Win32/Tufik.A": [[196, 209], [625, 638]], "Indicator: Win.Trojan.Tufik-3": [[221, 239]], "Indicator: Packed.Win32.Krap.hm": [[254, 274], [511, 531]], "Indicator: Virus.Win32.Tufik.cdpn": [[289, 311]], "Indicator: Virus.Win32.Virut.Ce": [[326, 346]], "Indicator: VBS.Dropper.128": [[347, 362]], "Indicator: Virus.Tufik.Win32.2": [[363, 382]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[383, 411]], "Indicator: Trojan-Dropper.Win32.Wlord": [[412, 438]], "Indicator: Win32/Tufei.a": [[451, 464]], "Indicator: W32/Tufik.J": [[465, 476]], "Indicator: Win32.Tufik.a.13824": [[477, 496]], "Indicator: Worm:Win32/Tufik.A": [[532, 550]], "Indicator: Virus.Win32.Tufei.13798": [[565, 588]], "Indicator: Worm.Qakbot": [[589, 600]], "Indicator: W32/Tufei.A": [[601, 612]], "Indicator: Trojan.Zbot": [[613, 624]], "Indicator: Virus.Win32.Tufik.cb": [[639, 659]], "Indicator: Win32.Perez.B": [[660, 673]], "Indicator: Win32/Sorter.AutoVirus.VMKUKU.A": [[674, 705]]}, "info": {"id": "cyner2_5class_train_05967", "source": "cyner2_5class_train"}} +{"text": "In our initial two-part blog series on FIN7 we covered network activity patterns, payloads, and defensive best practices.", "spans": {"Indicator: network activity patterns,": [[55, 81]], "Malware: payloads,": [[82, 91]]}, "info": {"id": 
"cyner2_5class_train_05968", "source": "cyner2_5class_train"}} +{"text": "hackers, leaving most areas of western Ukraine in the dark.", "spans": {}, "info": {"id": "cyner2_5class_train_05969", "source": "cyner2_5class_train"}} +{"text": "The threat actors behind Operation Tropic Trooper—we named specifically for its choice of targets—aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as the Philippine military.", "spans": {"Organization: Taiwanese government ministries": [[154, 185]], "Organization: heavy industries": [[190, 206]], "Organization: Philippine military.": [[222, 242]]}, "info": {"id": "cyner2_5class_train_05970", "source": "cyner2_5class_train"}} +{"text": "sms_send : to send C2-specified SMS messages to C2-specified recipients .", "spans": {}, "info": {"id": "cyner2_5class_train_05971", "source": "cyner2_5class_train"}} +{"text": "In addition to using PlugX and Poison Ivy PIVY, both known to be used by the group, they also used a new Trojan called ChChes by the Japan Computer Emergency Response Team Coordination Center JPCERT.", "spans": {"Malware: PlugX": [[21, 26]], "Malware: Poison Ivy PIVY,": [[31, 47]], "Malware: Trojan": [[105, 111]], "Malware: ChChes": [[119, 125]], "Organization: the Japan Computer Emergency Response Team Coordination Center JPCERT.": [[129, 199]]}, "info": {"id": "cyner2_5class_train_05972", "source": "cyner2_5class_train"}} +{"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began .", "spans": {"Organization: Check Point": [[18, 29]], "Malware: Gooligan": [[62, 70]]}, "info": {"id": "cyner2_5class_train_05973", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Quolko.A Trojan/Dropper.Drooptroop.ixt Trojan.Heur.JP.dmGfaeisekjc Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Bamital.I Win32/Droplet.LNE 
TROJ_KRYPTIK.SMY Trojan.Win32.Drooptroop.cxmbc Troj.GameThief.W32.OnLineGames.lkrK Backdoor.Win32.Shiz.A Trojan.Packed.21232 Dropper.Drooptroop.Win32.3912 TROJ_KRYPTIK.SMY BehavesLike.Win32.Ramnit.qc Trojan.Win32.Bulta W32/Bamital.I TrojanDropper.Drooptroop.cuc Worm:Win32/Yahos.A Trojan/Win32.Zbot.C168741 Trojan.SB.01742 Win32.Trojan-dropper.Drooptroop.Wlzg Trojan.DR.Drooptroop!S4bmnA2fbPM W32/Drooptroop.SMY!tr Win32/Trojan.98f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Quolko.A": [[26, 41]], "Indicator: Trojan/Dropper.Drooptroop.ixt": [[42, 71]], "Indicator: Trojan.Heur.JP.dmGfaeisekjc": [[72, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[100, 142]], "Indicator: W32/Bamital.I": [[143, 156], [394, 407]], "Indicator: Win32/Droplet.LNE": [[157, 174]], "Indicator: TROJ_KRYPTIK.SMY": [[175, 191], [330, 346]], "Indicator: Trojan.Win32.Drooptroop.cxmbc": [[192, 221]], "Indicator: Troj.GameThief.W32.OnLineGames.lkrK": [[222, 257]], "Indicator: Backdoor.Win32.Shiz.A": [[258, 279]], "Indicator: Trojan.Packed.21232": [[280, 299]], "Indicator: Dropper.Drooptroop.Win32.3912": [[300, 329]], "Indicator: BehavesLike.Win32.Ramnit.qc": [[347, 374]], "Indicator: Trojan.Win32.Bulta": [[375, 393]], "Indicator: TrojanDropper.Drooptroop.cuc": [[408, 436]], "Indicator: Worm:Win32/Yahos.A": [[437, 455]], "Indicator: Trojan/Win32.Zbot.C168741": [[456, 481]], "Indicator: Trojan.SB.01742": [[482, 497]], "Indicator: Win32.Trojan-dropper.Drooptroop.Wlzg": [[498, 534]], "Indicator: Trojan.DR.Drooptroop!S4bmnA2fbPM": [[535, 567]], "Indicator: W32/Drooptroop.SMY!tr": [[568, 589]], "Indicator: Win32/Trojan.98f": [[590, 606]]}, "info": {"id": "cyner2_5class_train_05974", "source": "cyner2_5class_train"}} +{"text": "These are adapted to the information the malicious operator wants to retrieve .", "spans": {}, "info": {"id": "cyner2_5class_train_05975", "source": "cyner2_5class_train"}} +{"text": "The C2 URL is : hxxp : //64.78.161.133/ * victims ’ 
s_cell_phone_number * /process.php In addition to this , the malware also reports to another script , “ hxxp : //64.78.161.33/android.php ” .", "spans": {"Indicator: hxxp : //64.78.161.133/ * victims ’ s_cell_phone_number * /process.php": [[16, 86]], "Indicator: hxxp : //64.78.161.33/android.php": [[156, 189]]}, "info": {"id": "cyner2_5class_train_05976", "source": "cyner2_5class_train"}} +{"text": "] com9oo91e [ .", "spans": {}, "info": {"id": "cyner2_5class_train_05977", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: AIT:Trojan.Autoit.CLU Win32.Trojan.WisdomEyes.16070401.9500.9768 AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU Trojan.Autoit.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AIT:Trojan.Autoit.CLU": [[26, 47], [91, 112], [113, 134], [135, 156], [157, 178]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9768": [[48, 90]], "Indicator: Trojan.Autoit.F": [[179, 194]]}, "info": {"id": "cyner2_5class_train_05978", "source": "cyner2_5class_train"}} +{"text": "Moreover , incoming traffic from the C & C server began to use gzip compression , and the top-level domain for all C & Cs was .com : Since December 2016 , the changes in C & C communication methods have affected only how the relative path in the URL is generated : the pronounceable word was replaced by a rather long random combination of letters and numbers , for example , “ ozvi4malen7dwdh ” or “ f29u8oi77024clufhw1u5ws62 ” .", "spans": {"Indicator: ozvi4malen7dwdh": [[378, 393]], "Indicator: f29u8oi77024clufhw1u5ws62": [[401, 426]]}, "info": {"id": "cyner2_5class_train_05979", "source": "cyner2_5class_train"}} +{"text": "This alone would attract a whole new audience–and a new stream of revenue–for Yingmob .", "spans": {"Organization: Yingmob": [[78, 85]]}, "info": {"id": "cyner2_5class_train_05980", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Nosok!O Trojan/Nosok.dez 
Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.AMZR Trojan.Win32.Nosok.ignra Worm.Win32.A.AutoRun.78881 Trojan.DownLoader11.6990 Trojan.Nosok.Win32.81 BehavesLike.Win32.VirRansom.dc W32/Worm.SMLT-2477 Trojan/Nosok.df Trojan.Razy.D2AA1A Trojan/Win32.Xema.C90213 Worm.AutoRun!dge3lshCyjI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Nosok!O": [[26, 46]], "Indicator: Trojan/Nosok.dez": [[47, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[64, 106]], "Indicator: W32/Worm.AMZR": [[107, 120]], "Indicator: Trojan.Win32.Nosok.ignra": [[121, 145]], "Indicator: Worm.Win32.A.AutoRun.78881": [[146, 172]], "Indicator: Trojan.DownLoader11.6990": [[173, 197]], "Indicator: Trojan.Nosok.Win32.81": [[198, 219]], "Indicator: BehavesLike.Win32.VirRansom.dc": [[220, 250]], "Indicator: W32/Worm.SMLT-2477": [[251, 269]], "Indicator: Trojan/Nosok.df": [[270, 285]], "Indicator: Trojan.Razy.D2AA1A": [[286, 304]], "Indicator: Trojan/Win32.Xema.C90213": [[305, 329]], "Indicator: Worm.AutoRun!dge3lshCyjI": [[330, 354]]}, "info": {"id": "cyner2_5class_train_05981", "source": "cyner2_5class_train"}} +{"text": "Among multiple sub-domains , “ ad.a * * * d.org ” and “ gd.a * * * d.org ” both historically resolved to the same suspicious IP address .", "spans": {"Indicator: ad.a * * * d.org": [[31, 47]], "Indicator: gd.a * * * d.org": [[56, 72]]}, "info": {"id": "cyner2_5class_train_05982", "source": "cyner2_5class_train"}} +{"text": "In early 2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the operating system of Android-based devices from unnecessary processes .", "spans": {"System: Google Play": [[56, 67]], "System: Android-based": [[134, 147]]}, "info": {"id": "cyner2_5class_train_05983", "source": "cyner2_5class_train"}} +{"text": "The source process checks the mapping between a process id and a process name .", "spans": {}, "info": {"id": "cyner2_5class_train_05984", "source": 
"cyner2_5class_train"}} +{"text": "UNBLOCK – unblock the telephone ( revoke device administrator privileges from the app ) .", "spans": {}, "info": {"id": "cyner2_5class_train_05985", "source": "cyner2_5class_train"}} +{"text": "The Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.", "spans": {"Indicator: the malicious web sites": [[98, 121]], "Malware: the malware laden documents.": [[131, 159]]}, "info": {"id": "cyner2_5class_train_05986", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Scar Win32.Trojan.WisdomEyes.16070401.9500.9573 Trojan.Win32.Scarsi.apft Trojan.Win32.Inject.ewxioq Trojan.MulDrop6.38561 BehavesLike.Win32.AdwareSearchProtect.jc TR/Inject.oiycd TrojanSpy:MSIL/CoinStealer.C!bit Trojan.Win32.Scarsi.apft Trojan/Win32.Scarsi.C2337044 Trj/CI.A Win32.Trojan.Scarsi.Dkx Trojan.Win32.Injector W32/Injector.DUUK!tr Win32/Trojan.f68", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Scar": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9573": [[38, 80]], "Indicator: Trojan.Win32.Scarsi.apft": [[81, 105], [245, 269]], "Indicator: Trojan.Win32.Inject.ewxioq": [[106, 132]], "Indicator: Trojan.MulDrop6.38561": [[133, 154]], "Indicator: BehavesLike.Win32.AdwareSearchProtect.jc": [[155, 195]], "Indicator: TR/Inject.oiycd": [[196, 211]], "Indicator: TrojanSpy:MSIL/CoinStealer.C!bit": [[212, 244]], "Indicator: Trojan/Win32.Scarsi.C2337044": [[270, 298]], "Indicator: Trj/CI.A": [[299, 307]], "Indicator: Win32.Trojan.Scarsi.Dkx": [[308, 331]], "Indicator: Trojan.Win32.Injector": [[332, 353]], "Indicator: W32/Injector.DUUK!tr": [[354, 374]], "Indicator: Win32/Trojan.f68": [[375, 391]]}, "info": {"id": "cyner2_5class_train_05987", "source": "cyner2_5class_train"}} +{"text": "In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against 
high-value targets in the Ukrainian financial sector.", "spans": {"Organization: ESET researchers": [[28, 44]], "Malware: malicious toolset": [[65, 82]], "Indicator: cyberattacks": [[109, 121]], "Organization: the Ukrainian financial sector.": [[152, 183]]}, "info": {"id": "cyner2_5class_train_05988", "source": "cyner2_5class_train"}} +{"text": "FakeSpy is an information stealer that exfiltrates and sends SMS messages , steals financial and application data , reads account information and contact lists , and more .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_05989", "source": "cyner2_5class_train"}} +{"text": "Example of more recent FakeSpy campaigns targeting France .", "spans": {"Malware: FakeSpy": [[23, 30]]}, "info": {"id": "cyner2_5class_train_05990", "source": "cyner2_5class_train"}} +{"text": "In this blog we will detail our discovery of the next two versions of MM Core, namely BigBoss 2.2-LNK and SillyGoose 2.3-LNK.", "spans": {"Malware: versions": [[58, 66]], "Malware: MM Core,": [[70, 78]], "Malware: BigBoss 2.2-LNK": [[86, 101]], "Malware: SillyGoose 2.3-LNK.": [[106, 125]]}, "info": {"id": "cyner2_5class_train_05991", "source": "cyner2_5class_train"}} +{"text": "During the preparation of the IT threat evolution Q2 2017 report I found several common Trojans in the Top 20 mobile malware programs list that were stealing money from users using WAP-billing – a form of mobile payment that charges costs directly to the user's mobile phone bill so they don't need to register a card or set up a user-name and password.", "spans": {"Organization: the IT threat evolution": [[26, 49]], "Malware: Trojans": [[88, 95]], "Malware: mobile malware": [[110, 124]], "Organization: users": [[169, 174]], "System: user's mobile phone": [[255, 274]], "Indicator: register a card or set up a user-name and password.": [[302, 353]]}, "info": {"id": "cyner2_5class_train_05992", "source": "cyner2_5class_train"}} +{"text": "Here is a full list of 
possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is “ irc.freenode.net ” ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is “ ISeency ” ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named “ lock ” , which is later exfiltrated .", "spans": {"Indicator: System.exit ( 0 )": [[132, 149]], "Indicator: irc.freenode.net": [[213, 229]]}, "info": {"id": "cyner2_5class_train_05993", "source": "cyner2_5class_train"}} +{"text": "This post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America—specifically, Mexico and Peru.", "spans": {"Malware: new banking": [[28, 39]], "Organization: financial institutions": [[81, 103]]}, "info": {"id": "cyner2_5class_train_05994", "source": "cyner2_5class_train"}} +{"text": "On June 9th, 2017 Morphisec Lab published a blog post detailing a new infection vector technique using an RTF document containing an embedded JavaScript OLE object.", "spans": {"Organization: Morphisec Lab": [[18, 31]], "Indicator: RTF document containing": [[106, 129]], "Indicator: embedded JavaScript OLE object.": [[133, 164]]}, "info": {"id": "cyner2_5class_train_05995", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: Trojan.JS.QAI PDF.Trojan.4250 JS.Exploit.Pdfka.jr JS/Exploit.Pdfka.QNP JS_PIDIEF.SMQ Exploit.JS.Pdfka.axt Trojan.JS.QAI Exploit.Script.Pdfka.otnl Trojan.JS.QAI Exploit.JS.Pdfka.aqn Trojan.JS.QAI JS_PIDIEF.SMQ BehavesLike.PDF.Exploit.zb EXP/Pidief.hcb Trojan[Exploit]/JS.Pdfka.axt Trojan.JS.QAI Exploit.JS.Pdfka.axt Exploit.JS.Pdfka.axt Exploit.JS.Pdfka JS/Pdfka.AABY!exploit virus.js.pdfjs", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.JS.QAI": [[26, 39], [132, 145], [172, 185], [207, 220], [306, 319]], "Indicator: PDF.Trojan.4250": [[40, 55]], "Indicator: JS.Exploit.Pdfka.jr": [[56, 75]], "Indicator: JS/Exploit.Pdfka.QNP": [[76, 96]], "Indicator: JS_PIDIEF.SMQ": [[97, 110], [221, 234]], "Indicator: Exploit.JS.Pdfka.axt": [[111, 131], [320, 340], [341, 361]], "Indicator: Exploit.Script.Pdfka.otnl": [[146, 171]], "Indicator: Exploit.JS.Pdfka.aqn": [[186, 206]], "Indicator: BehavesLike.PDF.Exploit.zb": [[235, 261]], "Indicator: EXP/Pidief.hcb": [[262, 276]], "Indicator: Trojan[Exploit]/JS.Pdfka.axt": [[277, 305]], "Indicator: Exploit.JS.Pdfka": [[362, 378]], "Indicator: JS/Pdfka.AABY!exploit": [[379, 400]], "Indicator: virus.js.pdfjs": [[401, 415]]}, "info": {"id": "cyner2_5class_train_05996", "source": "cyner2_5class_train"}} +{"text": "Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.", "spans": {"Organization: individuals": [[9, 20]], "Malware: macros": [[34, 40]], "Indicator: malicious Microsoft Word document": [[46, 79]], "Malware: Poison Ivy,": [[108, 119]], "Malware: popular remote access tool RAT": [[122, 152]], "Indicator: key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying,": [[196, 307]]}, "info": 
{"id": "cyner2_5class_train_05997", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PDF/Phish.AGU Troj.Downloader.Pdf!c PDF/Phish.AGU Trojan.PDF.Phishing Win32/Trojan.Downloader.8a8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF/Phish.AGU": [[26, 39], [62, 75]], "Indicator: Troj.Downloader.Pdf!c": [[40, 61]], "Indicator: Trojan.PDF.Phishing": [[76, 95]], "Indicator: Win32/Trojan.Downloader.8a8": [[96, 123]]}, "info": {"id": "cyner2_5class_train_05998", "source": "cyner2_5class_train"}} +{"text": "Sundown remained highly vigilant and the subdomains in use were recycled quickly to help in avoiding detection.", "spans": {"Malware: Sundown": [[0, 7]], "Indicator: subdomains": [[41, 51]]}, "info": {"id": "cyner2_5class_train_05999", "source": "cyner2_5class_train"}} +{"text": "Dridex has drastically reduced in volume throughout 2016.Actors are now appearing to prefer crypto-ransomware such as Locky over the infamous banking trojan.However, Dridex is still being actively developed.", "spans": {"Malware: Dridex": [[0, 6], [166, 172]], "Malware: crypto-ransomware": [[92, 109]], "Malware: Locky": [[118, 123]], "Malware: banking": [[142, 149]], "Indicator: trojan.However,": [[150, 165]]}, "info": {"id": "cyner2_5class_train_06000", "source": "cyner2_5class_train"}} +{"text": "If your account has been breached , the following steps are required : A clean installation of an operating system on your mobile device is required ( a process called “ flashing ” ) .", "spans": {}, "info": {"id": "cyner2_5class_train_06001", "source": "cyner2_5class_train"}} +{"text": "It does this by using infected devices to imitate clicks on the install , buy , and accept buttons .", "spans": {}, "info": {"id": "cyner2_5class_train_06002", "source": "cyner2_5class_train"}} +{"text": "Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure .", "spans": 
{"Malware: Cerberus": [[12, 20]]}, "info": {"id": "cyner2_5class_train_06003", "source": "cyner2_5class_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner2_5class_train_06004", "source": "cyner2_5class_train"}} +{"text": "From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand, including a utility organization.", "spans": {"Malware: the Trochilus RAT": [[79, 96]], "Malware: RAT": [[118, 121]], "Malware: MoonWind": [[134, 142]], "Organization: organizations": [[153, 166]], "Organization: utility organization.": [[192, 213]]}, "info": {"id": "cyner2_5class_train_06005", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Killav Downloader.Betload.Win32.51 Win32.Trojan.WisdomEyes.16070401.9500.9783 Trojan.Win32.KillAV.me Troj.W32.SchoolGirl.tnx1 Trojan.Win32.Killav BehavesLike.Win32.Downloader.lh Trojan.Win32.KillAV.me Trojan.Win32.Killav BAT/KillAV.NCO Win32.Trojan.Killav.Pgwh PUA.Bat.Hoax W32/KillAV.ME!tr Win32/Trojan.ba9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Killav": [[26, 39]], "Indicator: Downloader.Betload.Win32.51": [[40, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9783": [[68, 110]], "Indicator: Trojan.Win32.KillAV.me": [[111, 133], [211, 233]], "Indicator: Troj.W32.SchoolGirl.tnx1": [[134, 158]], "Indicator: Trojan.Win32.Killav": [[159, 178], [234, 253]], "Indicator: BehavesLike.Win32.Downloader.lh": [[179, 210]], "Indicator: BAT/KillAV.NCO": [[254, 268]], "Indicator: Win32.Trojan.Killav.Pgwh": [[269, 293]], "Indicator: PUA.Bat.Hoax": [[294, 306]], "Indicator: W32/KillAV.ME!tr": [[307, 323]], "Indicator: Win32/Trojan.ba9": [[324, 340]]}, "info": {"id": "cyner2_5class_train_06006", "source": "cyner2_5class_train"}} +{"text": "The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by 
Symantec and a number of other researchers in 2014.", "spans": {"Organization: Symantec": [[137, 145]], "Organization: researchers": [[168, 179]]}, "info": {"id": "cyner2_5class_train_06007", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Bamital.EC Trojan/PornoBlocker.jhw W32/PornoBlocker.N Win32/PornoBlocker.EW TROJ_KRYPTK.SM11 Trojan-Ransom.Win32.Gimemo.cpe Trojan.Win32.A.PornoBlocker.59904 Trojan-Ransom.Win32.PornoBlocker!IK TrojWare.Win32.Bamital.FA Trojan.Hosts.4025 TROJ_KRYPTK.SM11 Trojan/PornoBlocker.aba TrojanDropper:Win32/Bamital.I Hoax.PornoBlocker.jhw Downloader.Lofog Win32/Bamital.FA Trojan-Ransom.Win32.PornoBlocker W32/Bamital.FA!tr Bck/Qbot.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bamital.EC": [[26, 43]], "Indicator: Trojan/PornoBlocker.jhw": [[44, 67]], "Indicator: W32/PornoBlocker.N": [[68, 86]], "Indicator: Win32/PornoBlocker.EW": [[87, 108]], "Indicator: TROJ_KRYPTK.SM11": [[109, 125], [271, 287]], "Indicator: Trojan-Ransom.Win32.Gimemo.cpe": [[126, 156]], "Indicator: Trojan.Win32.A.PornoBlocker.59904": [[157, 190]], "Indicator: Trojan-Ransom.Win32.PornoBlocker!IK": [[191, 226]], "Indicator: TrojWare.Win32.Bamital.FA": [[227, 252]], "Indicator: Trojan.Hosts.4025": [[253, 270]], "Indicator: Trojan/PornoBlocker.aba": [[288, 311]], "Indicator: TrojanDropper:Win32/Bamital.I": [[312, 341]], "Indicator: Hoax.PornoBlocker.jhw": [[342, 363]], "Indicator: Downloader.Lofog": [[364, 380]], "Indicator: Win32/Bamital.FA": [[381, 397]], "Indicator: Trojan-Ransom.Win32.PornoBlocker": [[398, 430]], "Indicator: W32/Bamital.FA!tr": [[431, 448]], "Indicator: Bck/Qbot.AO": [[449, 460]]}, "info": {"id": "cyner2_5class_train_06008", "source": "cyner2_5class_train"}} +{"text": "The user would have to then open the downloaded executable in order to infect their computer.", "spans": {"Malware: downloaded executable": [[37, 58]], "System: computer.": [[84, 93]]}, "info": {"id": "cyner2_5class_train_06009", "source": 
"cyner2_5class_train"}} +{"text": "The first sample found was submitted 7 months ago.", "spans": {}, "info": {"id": "cyner2_5class_train_06010", "source": "cyner2_5class_train"}} +{"text": "] today svc [ .", "spans": {"Indicator: svc [ .": [[8, 15]]}, "info": {"id": "cyner2_5class_train_06011", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Swrort.d Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Swrort-5710536-0 Packed.Win32.BDF.a Trojan.Win32.Shellcode.ewfvwj TrojWare.Win32.Rozena.A Trojan.Swrort.1 Swrort.d Trojan:Win32/Meterpreter.A Packed.Win32.BDF.a W32/Swrort.C!tr Win32/Trojan.6bc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Swrort.d": [[26, 34], [195, 203]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[35, 77]], "Indicator: Win.Trojan.Swrort-5710536-0": [[78, 105]], "Indicator: Packed.Win32.BDF.a": [[106, 124], [231, 249]], "Indicator: Trojan.Win32.Shellcode.ewfvwj": [[125, 154]], "Indicator: TrojWare.Win32.Rozena.A": [[155, 178]], "Indicator: Trojan.Swrort.1": [[179, 194]], "Indicator: Trojan:Win32/Meterpreter.A": [[204, 230]], "Indicator: W32/Swrort.C!tr": [[250, 265]], "Indicator: Win32/Trojan.6bc": [[266, 282]]}, "info": {"id": "cyner2_5class_train_06012", "source": "cyner2_5class_train"}} +{"text": "WRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card , including y deleting messages .", "spans": {}, "info": {"id": "cyner2_5class_train_06013", "source": "cyner2_5class_train"}} +{"text": "Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base .", "spans": {"Organization: Check Point": [[0, 11], [130, 141]], "System: Mobile Threat Prevention": [[12, 36]]}, "info": {"id": "cyner2_5class_train_06014", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Downldr2.EOVV Infostealer.Bancos Trojan-Downloader.Win32.Banload.aadik 
Trojan.Win32.Banload.bmdsil Trojan.DownLoad.22103 BehavesLike.Win32.Pate.dc W32/Downloader.SIUT-2288 TrojanDownloader.Banload.bhyz Troj.Downloader.W32.Banload.aadik!c Trojan-Downloader.Win32.Banload.aadik Trojan:Win32/Pitke.A Trojan/Win32.Banker.R143357 Win32.Trojan-downloader.Banload.Ebrq Trojan.Win32.Scar W32/DelpBanc.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Downldr2.EOVV": [[26, 43]], "Indicator: Infostealer.Bancos": [[44, 62]], "Indicator: Trojan-Downloader.Win32.Banload.aadik": [[63, 100], [268, 305]], "Indicator: Trojan.Win32.Banload.bmdsil": [[101, 128]], "Indicator: Trojan.DownLoad.22103": [[129, 150]], "Indicator: BehavesLike.Win32.Pate.dc": [[151, 176]], "Indicator: W32/Downloader.SIUT-2288": [[177, 201]], "Indicator: TrojanDownloader.Banload.bhyz": [[202, 231]], "Indicator: Troj.Downloader.W32.Banload.aadik!c": [[232, 267]], "Indicator: Trojan:Win32/Pitke.A": [[306, 326]], "Indicator: Trojan/Win32.Banker.R143357": [[327, 354]], "Indicator: Win32.Trojan-downloader.Banload.Ebrq": [[355, 391]], "Indicator: Trojan.Win32.Scar": [[392, 409]], "Indicator: W32/DelpBanc.A!tr": [[410, 427]]}, "info": {"id": "cyner2_5class_train_06015", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Runar.53248 Backdoor/Runar.b W32/Backdoor.LCQ Backdoor.Trojan Win.Trojan.Runar-2 Backdoor.Win32.Runar.b Trojan.Win32.Runar.dmmx Backdoor.Win32.A.Runar.53248 Win32.Backdoor.Runar.duq Backdoor.Win32.Runar.b BackDoor.Hiper Backdoor.Runar.Win32.6 W32/Backdoor.WJPY-2871 BDS/Runar.B Trojan[Backdoor]/Win32.Runar Backdoor.W32.Runar.b!c Backdoor.Win32.Runar.b Backdoor:Win32/Runar.B Backdoor.Runar Backdoor.Runar!lU3ZFWcAWmA W32/Runar.B!tr.bdr Win32/Backdoor.d80", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Runar.53248": [[26, 50]], "Indicator: Backdoor/Runar.b": [[51, 67]], "Indicator: W32/Backdoor.LCQ": [[68, 84]], "Indicator: Backdoor.Trojan": [[85, 100]], "Indicator: Win.Trojan.Runar-2": [[101, 119]], 
"Indicator: Backdoor.Win32.Runar.b": [[120, 142], [221, 243], [369, 391]], "Indicator: Trojan.Win32.Runar.dmmx": [[143, 166]], "Indicator: Backdoor.Win32.A.Runar.53248": [[167, 195]], "Indicator: Win32.Backdoor.Runar.duq": [[196, 220]], "Indicator: BackDoor.Hiper": [[244, 258]], "Indicator: Backdoor.Runar.Win32.6": [[259, 281]], "Indicator: W32/Backdoor.WJPY-2871": [[282, 304]], "Indicator: BDS/Runar.B": [[305, 316]], "Indicator: Trojan[Backdoor]/Win32.Runar": [[317, 345]], "Indicator: Backdoor.W32.Runar.b!c": [[346, 368]], "Indicator: Backdoor:Win32/Runar.B": [[392, 414]], "Indicator: Backdoor.Runar": [[415, 429]], "Indicator: Backdoor.Runar!lU3ZFWcAWmA": [[430, 456]], "Indicator: W32/Runar.B!tr.bdr": [[457, 475]], "Indicator: Win32/Backdoor.d80": [[476, 494]]}, "info": {"id": "cyner2_5class_train_06016", "source": "cyner2_5class_train"}} +{"text": "For example , the Android malware that both deploy share the same strings of code for their decoding algorithm .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "cyner2_5class_train_06017", "source": "cyner2_5class_train"}} +{"text": "It did not take long for attackers to repackage this PoC and use it in attacks in the wild.", "spans": {"Malware: PoC": [[53, 56]], "Indicator: attacks": [[71, 78]]}, "info": {"id": "cyner2_5class_train_06018", "source": "cyner2_5class_train"}} +{"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too .", "spans": {"System: WhatsApp": [[66, 74]]}, "info": {"id": "cyner2_5class_train_06019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom:Win32/Jaffrans.A!rsm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom:Win32/Jaffrans.A!rsm": [[26, 53]]}, "info": {"id": "cyner2_5class_train_06020", "source": "cyner2_5class_train"}} +{"text": "Hackers can hide their apps ’ real intentions or even manipulate users into leaving positive ratings , in some cases unknowingly .", "spans": {}, "info": {"id": 
"cyner2_5class_train_06021", "source": "cyner2_5class_train"}} +{"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client – “ Telegram X “ ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course of our analysis , we also found samples sharing code with the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server .", "spans": {"Indicator: 18.apk": [[159, 165]], "Indicator: /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/": [[166, 295]], "Indicator: Psiphon-v91.apk": [[296, 311]], "Indicator: /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/": [[312, 387]], "Malware: ViceLeaker": [[491, 501]]}, "info": {"id": "cyner2_5class_train_06022", "source": "cyner2_5class_train"}} +{"text": "The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks.", "spans": {"Malware: botnet": [[116, 122]], "Indicator: hotel Wi-Fi attacks.": [[136, 156]]}, "info": {"id": "cyner2_5class_train_06023", "source": "cyner2_5class_train"}} +{"text": "This , in itself , does not prove that the perpetrators of the malware campaign are based in Russia , but it certainly sounds as if that is a strong possibility .", "spans": {}, "info": {"id": "cyner2_5class_train_06024", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Mangit BKDR_MANGIT.SM W32/Adware5.BH BKDR_MANGIT.SM Trojan-Banker.Win32.Banbra.tolm Trojan.Win32.Banker1.eeflxo Trojan.PWS.Banker1.21424 Dropper.DapatoCRTD.Win32.29 W32/Adware.ZANB-0757 
Trojan.Banker.19 Trojan-Banker.Win32.Banbra.tolm Backdoor:Win32/Mangit.A Trj/GdSda.A Win32.Trojan-banker.Banbra.Syia Trojan.PWS.Banbra!KoDGdYjSbaA Trojan-Downloader.Win32.Delf Win32/Trojan.5ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Mangit": [[26, 41]], "Indicator: BKDR_MANGIT.SM": [[42, 56], [72, 86]], "Indicator: W32/Adware5.BH": [[57, 71]], "Indicator: Trojan-Banker.Win32.Banbra.tolm": [[87, 118], [238, 269]], "Indicator: Trojan.Win32.Banker1.eeflxo": [[119, 146]], "Indicator: Trojan.PWS.Banker1.21424": [[147, 171]], "Indicator: Dropper.DapatoCRTD.Win32.29": [[172, 199]], "Indicator: W32/Adware.ZANB-0757": [[200, 220]], "Indicator: Trojan.Banker.19": [[221, 237]], "Indicator: Backdoor:Win32/Mangit.A": [[270, 293]], "Indicator: Trj/GdSda.A": [[294, 305]], "Indicator: Win32.Trojan-banker.Banbra.Syia": [[306, 337]], "Indicator: Trojan.PWS.Banbra!KoDGdYjSbaA": [[338, 367]], "Indicator: Trojan-Downloader.Win32.Delf": [[368, 396]], "Indicator: Win32/Trojan.5ed": [[397, 413]]}, "info": {"id": "cyner2_5class_train_06025", "source": "cyner2_5class_train"}} +{"text": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability.", "spans": {"Organization: FireEye": [[0, 7]], "Indicator: malicious Microsoft Office RTF documents": [[26, 66]], "Indicator: CVE-2017-0199,": [[81, 95]], "Vulnerability: undisclosed vulnerability.": [[109, 135]]}, "info": {"id": "cyner2_5class_train_06026", "source": "cyner2_5class_train"}} +{"text": "Virulent Android malware returns , gets > 2 million downloads on Google Play HummingWhale is back with new tricks , including a way to gin user ratings .", "spans": {"Malware: Virulent": [[0, 8]], "System: Android": [[9, 16]], "System: Google Play": [[65, 76]], "Malware: HummingWhale": [[77, 89]]}, "info": {"id": "cyner2_5class_train_06027", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Worm.Rikihaki.A4 
Trojan.Razy.D23D4 WORM_RIKIHAKI.SM Trojan.Tinba WORM_RIKIHAKI.SM Trojan.Win32.KillFiles.didhhl Trojan.KillFiles.14550 BehavesLike.Win32.Worm.gh TR/ATRAPS.sxzgc Worm:Win32/Rikihaki.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Worm.Rikihaki.A4": [[44, 60]], "Indicator: Trojan.Razy.D23D4": [[61, 78]], "Indicator: WORM_RIKIHAKI.SM": [[79, 95], [109, 125]], "Indicator: Trojan.Tinba": [[96, 108]], "Indicator: Trojan.Win32.KillFiles.didhhl": [[126, 155]], "Indicator: Trojan.KillFiles.14550": [[156, 178]], "Indicator: BehavesLike.Win32.Worm.gh": [[179, 204]], "Indicator: TR/ATRAPS.sxzgc": [[205, 220]], "Indicator: Worm:Win32/Rikihaki.A": [[221, 242]], "Indicator: Trj/GdSda.A": [[243, 254]]}, "info": {"id": "cyner2_5class_train_06028", "source": "cyner2_5class_train"}} +{"text": "This could change once the trojan spy has fully developed.", "spans": {}, "info": {"id": "cyner2_5class_train_06029", "source": "cyner2_5class_train"}} +{"text": "The sexually explicit images in this screenshot have been covered with a black box .", "spans": {}, "info": {"id": "cyner2_5class_train_06030", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/VBTroj.CYJD Trojan.Win32.VB!IK Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/VBTroj.CYJD": [[26, 41]], "Indicator: Trojan.Win32.VB!IK": [[42, 60]], "Indicator: Trojan.Win32.VB": [[61, 76]]}, "info": {"id": "cyner2_5class_train_06031", "source": "cyner2_5class_train"}} +{"text": "At the same time , the domain admin.nslookupdns [ .", "spans": {"Indicator: domain admin.nslookupdns [ .": [[23, 51]]}, "info": {"id": "cyner2_5class_train_06032", "source": "cyner2_5class_train"}} +{"text": "Before Google shut it down , it installed more than 50,000 fraudulent apps each day , displayed 20 million malicious advertisements , and generated more than $ 300,000 per month in revenue .", "spans": {"Organization: Google": [[7, 13]]}, "info": 
{"id": "cyner2_5class_train_06033", "source": "cyner2_5class_train"}} +{"text": "EventBot loaded library The loaded library dropped on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_06034", "source": "cyner2_5class_train"}} +{"text": "Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.", "spans": {"Indicator: attacks": [[12, 19]], "Indicator: UK phone number,": [[51, 67]], "Indicator: attackers speaking in either English or Farsi.": [[73, 119]]}, "info": {"id": "cyner2_5class_train_06035", "source": "cyner2_5class_train"}} +{"text": "We would like to emphasize that this method of attack only works on Windows XP and Android versions prior to 2.2 .", "spans": {"System: Windows XP": [[68, 78]], "System: Android": [[83, 90]]}, "info": {"id": "cyner2_5class_train_06036", "source": "cyner2_5class_train"}} +{"text": "While some ransomware i.e. Chimera give bogus threats about stealing and releasing private files, there are other malware families that in fact have made this possibility a reality.", "spans": {"Malware: ransomware": [[11, 21]], "Malware: Chimera": [[27, 34]], "Indicator: bogus threats": [[40, 53]], "Indicator: stealing and releasing private files,": [[60, 97]], "Malware: malware families": [[114, 130]]}, "info": {"id": "cyner2_5class_train_06037", "source": "cyner2_5class_train"}} +{"text": "Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign.", "spans": {"Organization: Unit 42 researchers": [[0, 19]], "Malware: backdoor Trojan": [[37, 52]]}, "info": {"id": "cyner2_5class_train_06038", "source": "cyner2_5class_train"}} +{"text": "The software masqueraded as a confidential document and was intended to infect a Windows computer.", "spans": {"System: software": [[4, 12]], "Indicator: confidential document": [[30, 51]], "Indicator: infect": [[72, 78]], "System: Windows computer.": [[81, 98]]}, "info": {"id": 
"cyner2_5class_train_06039", "source": "cyner2_5class_train"}} +{"text": "To overcome this issue , “ Agent Smith ” found another solution .", "spans": {"Malware: Agent Smith": [[27, 38]]}, "info": {"id": "cyner2_5class_train_06040", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Proxy.Delf.C Trojan-Proxy/W32.Steredir.524288 Trojan/Proxy.Steredir.a TROJ_PROXY.ARF Backdoor.Trojan.Client TROJ_PROXY.ARF Win.Trojan.Proxy-467 Trojan.Proxy.Delf.C Trojan-Proxy.Win32.Steredir.a Trojan.Proxy.Delf.C Trojan.Win32.Steredir.dqbk Trojan.Win32.Proxy.524288 Troj.Proxy.W32.Steredir.a!c Trojan.Proxy.Delf.C TrojWare.Win32.TrojanProxy.Delf.C Trojan.Proxy.Delf.C BackDoor.StealthRedir.20 W32/Risk.HXFA-2912 TrojanProxy.Steredir.m TR/Proxy.Steredir.A.2 Trojan.Proxy.Delf.C Trojan-Proxy.Win32.Steredir.a TrojanProxy:Win32/Delf.C Backdoor.RAT.StealthRedirector.V2.0 TrojanProxy.Steredir Win32/TrojanProxy.Delf.C Win32.Trojan-proxy.Steredir.Eawz Trojan.PR.Steredir!IftwXs0S3T4 W32/Delf.A!tr Win32/Trojan.Proxy.118", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Proxy.Delf.C": [[26, 45], [177, 196], [227, 246], [328, 347], [382, 401], [491, 510]], "Indicator: Trojan-Proxy/W32.Steredir.524288": [[46, 78]], "Indicator: Trojan/Proxy.Steredir.a": [[79, 102]], "Indicator: TROJ_PROXY.ARF": [[103, 117], [141, 155]], "Indicator: Backdoor.Trojan.Client": [[118, 140]], "Indicator: Win.Trojan.Proxy-467": [[156, 176]], "Indicator: Trojan-Proxy.Win32.Steredir.a": [[197, 226], [511, 540]], "Indicator: Trojan.Win32.Steredir.dqbk": [[247, 273]], "Indicator: Trojan.Win32.Proxy.524288": [[274, 299]], "Indicator: Troj.Proxy.W32.Steredir.a!c": [[300, 327]], "Indicator: TrojWare.Win32.TrojanProxy.Delf.C": [[348, 381]], "Indicator: BackDoor.StealthRedir.20": [[402, 426]], "Indicator: W32/Risk.HXFA-2912": [[427, 445]], "Indicator: TrojanProxy.Steredir.m": [[446, 468]], "Indicator: TR/Proxy.Steredir.A.2": [[469, 490]], "Indicator: TrojanProxy:Win32/Delf.C": [[541, 565]], 
"Indicator: Backdoor.RAT.StealthRedirector.V2.0": [[566, 601]], "Indicator: TrojanProxy.Steredir": [[602, 622]], "Indicator: Win32/TrojanProxy.Delf.C": [[623, 647]], "Indicator: Win32.Trojan-proxy.Steredir.Eawz": [[648, 680]], "Indicator: Trojan.PR.Steredir!IftwXs0S3T4": [[681, 711]], "Indicator: W32/Delf.A!tr": [[712, 725]], "Indicator: Win32/Trojan.Proxy.118": [[726, 748]]}, "info": {"id": "cyner2_5class_train_06041", "source": "cyner2_5class_train"}} +{"text": "Phone number for administration changeServer : At this point , the malware changes the C2 to a new host , even though the API and communication protocol continues to be the same .", "spans": {}, "info": {"id": "cyner2_5class_train_06042", "source": "cyner2_5class_train"}} +{"text": "These attempts differed from other tactics seen by us elsewhere, such as those connected to Iran, with better attention paid to the operation of the campaign.", "spans": {}, "info": {"id": "cyner2_5class_train_06043", "source": "cyner2_5class_train"}} +{"text": "If a typical user tries to get rid of the malicious app , chances are that only the shortcut ends up getting removed .", "spans": {}, "info": {"id": "cyner2_5class_train_06044", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropper.Dinwod.Win32.1277 Trojan.Zusy.D217BF Win32.Trojan.Delf.iv Trojan.Win32.Dinwod.dqohqi Trojan.MulDrop6.4509 Trojan[Dropper]/Win32.Dinwod Trojan:Win32/Walinlog.A TrojanDropper.Dinwod Win32/Delf.SRU Trojan.DR.Dinwod!WCRzCOHRNbg Win32/Trojan.c58", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropper.Dinwod.Win32.1277": [[26, 51]], "Indicator: Trojan.Zusy.D217BF": [[52, 70]], "Indicator: Win32.Trojan.Delf.iv": [[71, 91]], "Indicator: Trojan.Win32.Dinwod.dqohqi": [[92, 118]], "Indicator: Trojan.MulDrop6.4509": [[119, 139]], "Indicator: Trojan[Dropper]/Win32.Dinwod": [[140, 168]], "Indicator: Trojan:Win32/Walinlog.A": [[169, 192]], "Indicator: TrojanDropper.Dinwod": [[193, 213]], "Indicator: Win32/Delf.SRU": [[214, 
228]], "Indicator: Trojan.DR.Dinwod!WCRzCOHRNbg": [[229, 257]], "Indicator: Win32/Trojan.c58": [[258, 274]]}, "info": {"id": "cyner2_5class_train_06045", "source": "cyner2_5class_train"}} +{"text": "Some are carried out well , others , like WolfRAT , are designed with an overload of functionality in mind as opposed to factoring any sensible approach to the development aspect .", "spans": {"Malware: WolfRAT": [[42, 49]]}, "info": {"id": "cyner2_5class_train_06046", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Swisyn W32/Backdoor.KUPO-4695 TROJ_SWISYN.KK Trojan.Win32.Swisyn.cbuq Troj.W32.Swisyn!c Win32.Trojan.Swisyn.Lrsk Trojan.MulDrop3.21821 Trojan.Swisyn.Win32.23323 TROJ_SWISYN.KK Trojan.Win32.Swisyn W32/Backdoor2.HJRU Trojan/Swisyn.vuq Trojan/Win32.Swisyn Trojan.Win32.A.Swisyn.35840.B[UPX] Trojan.Win32.Swisyn.cbuq TrojanDropper:Win32/Bolardoc.A Trojan/Win32.Swisyn.R43544 Trojan.Swisyn Win32/VB.ODF Trojan.Swisyn!Pk7uhYgClNU W32/Swisyn.CBUQ!tr Win32/Trojan.Dropper.c9f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Swisyn!O": [[26, 47]], "Indicator: Trojan.Swisyn": [[48, 61], [426, 439]], "Indicator: W32/Backdoor.KUPO-4695": [[62, 84]], "Indicator: TROJ_SWISYN.KK": [[85, 99], [216, 230]], "Indicator: Trojan.Win32.Swisyn.cbuq": [[100, 124], [343, 367]], "Indicator: Troj.W32.Swisyn!c": [[125, 142]], "Indicator: Win32.Trojan.Swisyn.Lrsk": [[143, 167]], "Indicator: Trojan.MulDrop3.21821": [[168, 189]], "Indicator: Trojan.Swisyn.Win32.23323": [[190, 215]], "Indicator: Trojan.Win32.Swisyn": [[231, 250]], "Indicator: W32/Backdoor2.HJRU": [[251, 269]], "Indicator: Trojan/Swisyn.vuq": [[270, 287]], "Indicator: Trojan/Win32.Swisyn": [[288, 307]], "Indicator: Trojan.Win32.A.Swisyn.35840.B[UPX]": [[308, 342]], "Indicator: TrojanDropper:Win32/Bolardoc.A": [[368, 398]], "Indicator: Trojan/Win32.Swisyn.R43544": [[399, 425]], "Indicator: Win32/VB.ODF": [[440, 452]], "Indicator: Trojan.Swisyn!Pk7uhYgClNU": 
[[453, 478]], "Indicator: W32/Swisyn.CBUQ!tr": [[479, 497]], "Indicator: Win32/Trojan.Dropper.c9f": [[498, 522]]}, "info": {"id": "cyner2_5class_train_06047", "source": "cyner2_5class_train"}} +{"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "cyner2_5class_train_06048", "source": "cyner2_5class_train"}} +{"text": "The adversary had also conducted attacks using Daserf malware in the past, and Symantec refers to them as Tick in their report", "spans": {"Indicator: attacks": [[33, 40]], "Malware: Daserf malware": [[47, 61]], "Organization: Symantec": [[79, 87]], "Malware: Tick": [[106, 110]]}, "info": {"id": "cyner2_5class_train_06049", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.DB9B Spyware.OnlineGames W32/Palevo.eszc Riskware.Win32.Lime.cukpjv HV_PALEVO_CA2255B5.TOMC W32.Worm.Palevo-187 Worm.P2P.Palevo!qwzmy5h6XK0 Worm.Win32.A.P2P-Palevo.2637834[h] Win32.HLLW.Lime.2579 Worm.Palevo.Win32.83875 BehavesLike.Win32.Trojan.vc Worm/Palevo.cubr Worm[P2P]/Win32.Palevo Trojan.Kazy.D1020 Worm/Win32.Palevo Worm.Palevo P2P-Worm.Win32.Palevo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.DB9B": [[26, 42]], "Indicator: Spyware.OnlineGames": [[43, 62]], "Indicator: W32/Palevo.eszc": [[63, 78]], "Indicator: Riskware.Win32.Lime.cukpjv": [[79, 105]], "Indicator: HV_PALEVO_CA2255B5.TOMC": [[106, 129]], "Indicator: W32.Worm.Palevo-187": [[130, 149]], "Indicator: Worm.P2P.Palevo!qwzmy5h6XK0": [[150, 177]], "Indicator: Worm.Win32.A.P2P-Palevo.2637834[h]": [[178, 212]], "Indicator: Win32.HLLW.Lime.2579": [[213, 233]], "Indicator: Worm.Palevo.Win32.83875": [[234, 257]], "Indicator: BehavesLike.Win32.Trojan.vc": [[258, 285]], "Indicator: Worm/Palevo.cubr": [[286, 302]], "Indicator: Worm[P2P]/Win32.Palevo": [[303, 325]], "Indicator: Trojan.Kazy.D1020": [[326, 343]], "Indicator: Worm/Win32.Palevo": [[344, 361]], "Indicator: Worm.Palevo": [[362, 
373]], "Indicator: P2P-Worm.Win32.Palevo": [[374, 395]]}, "info": {"id": "cyner2_5class_train_06050", "source": "cyner2_5class_train"}} +{"text": "Timeline of posts related to the Hacking Team DATE UPDATE July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public .", "spans": {"Organization: Hacking Team": [[85, 97]]}, "info": {"id": "cyner2_5class_train_06051", "source": "cyner2_5class_train"}} +{"text": "Malicious programs of this family request administrator rights and then make themselves invisible in the list of installed apps.", "spans": {}, "info": {"id": "cyner2_5class_train_06052", "source": "cyner2_5class_train"}} +{"text": "RSA Research investigated the source of suspicious, observed beaconing", "spans": {"Organization: RSA Research": [[0, 12]]}, "info": {"id": "cyner2_5class_train_06053", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Enemany.A@mm Worm/W32.Alcaul.9728.C W32.Enemany.A.int Enemany.A Win32/Enemany.A!intended WORM_ENEMANY.A Email-Worm.Win32.Alcaul.r Win32.Enemany.A@mm I-Worm.Enemany!xtYbjkEFnbQ Win32.Enemany.A@mm Worm.Win32.Enemany.A Win32.Enemany.A@mm Worm.Alcaul.Win32.145 WORM_ENEMANY.A W32/Risk.ZRGC-4282 Worm.Alcaul.r.kcloud Worm:Win32/Enmny.A I-Worm.Win32.Enemany.A[h] Win32/Enemany.worm.9728 Win32.Enemany.A@mm Worm.Win32.Alcaul.am Win32/Enemany.A Email-Worm.Win32.Alcaul W32/Alcaul.R!worm W32/Enemany.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Enemany.A@mm": [[26, 44], [162, 180], [208, 226], [248, 266], [413, 431]], "Indicator: Worm/W32.Alcaul.9728.C": [[45, 67]], "Indicator: W32.Enemany.A.int": [[68, 85]], "Indicator: Enemany.A": [[86, 95]], "Indicator: Win32/Enemany.A!intended": [[96, 120]], "Indicator: WORM_ENEMANY.A": [[121, 135], [289, 303]], "Indicator: Email-Worm.Win32.Alcaul.r": [[136, 161]], "Indicator: I-Worm.Enemany!xtYbjkEFnbQ": [[181, 207]], "Indicator: Worm.Win32.Enemany.A": [[227, 247]], "Indicator: 
Worm.Alcaul.Win32.145": [[267, 288]], "Indicator: W32/Risk.ZRGC-4282": [[304, 322]], "Indicator: Worm.Alcaul.r.kcloud": [[323, 343]], "Indicator: Worm:Win32/Enmny.A": [[344, 362]], "Indicator: I-Worm.Win32.Enemany.A[h]": [[363, 388]], "Indicator: Win32/Enemany.worm.9728": [[389, 412]], "Indicator: Worm.Win32.Alcaul.am": [[432, 452]], "Indicator: Win32/Enemany.A": [[453, 468]], "Indicator: Email-Worm.Win32.Alcaul": [[469, 492]], "Indicator: W32/Alcaul.R!worm": [[493, 510]], "Indicator: W32/Enemany.A": [[511, 524]]}, "info": {"id": "cyner2_5class_train_06054", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanSpy.Hakey.FC.1702 TSPY_HAKEY.SM MSIL.Trojan-Spy.Keylogger.a Backdoor.Trojan Win32/SillyAutorun.FJI TSPY_HAKEY.SM Trojan.Win32.Win32.dcdhel W32/Application.ZMXW-2371 TrojanSpy:MSIL/Hakey.A MSIL/Spy.Keylogger.DY Trojan-Dropper.MSIL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanSpy.Hakey.FC.1702": [[26, 49]], "Indicator: TSPY_HAKEY.SM": [[50, 63], [131, 144]], "Indicator: MSIL.Trojan-Spy.Keylogger.a": [[64, 91]], "Indicator: Backdoor.Trojan": [[92, 107]], "Indicator: Win32/SillyAutorun.FJI": [[108, 130]], "Indicator: Trojan.Win32.Win32.dcdhel": [[145, 170]], "Indicator: W32/Application.ZMXW-2371": [[171, 196]], "Indicator: TrojanSpy:MSIL/Hakey.A": [[197, 219]], "Indicator: MSIL/Spy.Keylogger.DY": [[220, 241]], "Indicator: Trojan-Dropper.MSIL": [[242, 261]]}, "info": {"id": "cyner2_5class_train_06055", "source": "cyner2_5class_train"}} +{"text": "More likely , this is a case of common attack tools being re-used between different threat actor groups .", "spans": {}, "info": {"id": "cyner2_5class_train_06056", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9914 Trojan-Ransom.Win32.Birele.aisl Win32.Trojan.Birele.Wtxf Trojan.MulDrop6.10288 Trojan-Ransom.Win32.Birele.aisl Trojan-Ransom.Win32.Foreign", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9914": [[26, 68]], "Indicator: Trojan-Ransom.Win32.Birele.aisl": [[69, 100], [148, 179]], "Indicator: Win32.Trojan.Birele.Wtxf": [[101, 125]], "Indicator: Trojan.MulDrop6.10288": [[126, 147]], "Indicator: Trojan-Ransom.Win32.Foreign": [[180, 207]]}, "info": {"id": "cyner2_5class_train_06057", "source": "cyner2_5class_train"}} +{"text": "Moreover, the presence of intrusion software does not necessarily equate to its misuse, as such software may be utilized by intelligence or law enforcement agencies in a manner that conforms with rule of law and democratic principles.", "spans": {}, "info": {"id": "cyner2_5class_train_06058", "source": "cyner2_5class_train"}} +{"text": "What is the scope of Chrysaor ? Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play .", "spans": {"Malware: Chrysaor": [[21, 29], [32, 40]], "System: Google Play": [[64, 75], [125, 136]]}, "info": {"id": "cyner2_5class_train_06059", "source": "cyner2_5class_train"}} +{"text": "This is significant, because it indicates a potential shift in the motives of this adversary.", "spans": {}, "info": {"id": "cyner2_5class_train_06060", "source": "cyner2_5class_train"}} +{"text": "THE INITIAL INSTALLATION PROCESS Once installed , EventBot prompts the user to give it access to accessibility services .", "spans": {"Malware: EventBot": [[50, 58]]}, "info": {"id": "cyner2_5class_train_06061", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/Inject.knu Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Inject-4540 Trojan.Win32.Donbot.ctdhoe Trojan.Win32.Z.Inject.646633 BackDoor.Donbot.2 Backdoor.Inject.Win32.2858 BehavesLike.Win32.PWSZbot.jc Backdoor/Inject.cpw TR/Donbot.hjsmv Trojan/Win32.Invader Win32.Troj.Undef.kcloud Trojan:Win32/Donbot.A Backdoor/Win32.Trojan.R78442 Backdoor.Inject Win32.Trojan.Spnr.Pijv Backdoor.Inject!WaCQ7k+5qK0 Win32/Trojan.BO.cc2", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Inject.knu": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[46, 88]], "Indicator: Backdoor.Trojan": [[89, 104]], "Indicator: Win.Trojan.Inject-4540": [[105, 127]], "Indicator: Trojan.Win32.Donbot.ctdhoe": [[128, 154]], "Indicator: Trojan.Win32.Z.Inject.646633": [[155, 183]], "Indicator: BackDoor.Donbot.2": [[184, 201]], "Indicator: Backdoor.Inject.Win32.2858": [[202, 228]], "Indicator: BehavesLike.Win32.PWSZbot.jc": [[229, 257]], "Indicator: Backdoor/Inject.cpw": [[258, 277]], "Indicator: TR/Donbot.hjsmv": [[278, 293]], "Indicator: Trojan/Win32.Invader": [[294, 314]], "Indicator: Win32.Troj.Undef.kcloud": [[315, 338]], "Indicator: Trojan:Win32/Donbot.A": [[339, 360]], "Indicator: Backdoor/Win32.Trojan.R78442": [[361, 389]], "Indicator: Backdoor.Inject": [[390, 405]], "Indicator: Win32.Trojan.Spnr.Pijv": [[406, 428]], "Indicator: Backdoor.Inject!WaCQ7k+5qK0": [[429, 456]], "Indicator: Win32/Trojan.BO.cc2": [[457, 476]]}, "info": {"id": "cyner2_5class_train_06062", "source": "cyner2_5class_train"}} +{"text": ") The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed .", "spans": {"Malware: RCSAndroid": [[6, 16]], "System: Android": [[99, 106]]}, "info": {"id": "cyner2_5class_train_06063", "source": "cyner2_5class_train"}} +{"text": "The original name given to the encryptor by its creator is not known; other security vendors detect it as Trojan.Encoder.858, Ransom:Win32/Troldesh.", "spans": {"Malware: encryptor": [[31, 40]], "Indicator: Trojan.Encoder.858, Ransom:Win32/Troldesh.": [[106, 148]]}, "info": {"id": "cyner2_5class_train_06064", "source": "cyner2_5class_train"}} +{"text": "] 205 3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60 [ .", "spans": {"Indicator: 3b89e5cd49c05ce6dc681589e6c368d9": [[6, 38]], "Indicator: ir.abed.dastan": [[39, 53]], "Indicator: 185.141.60 [ .": [[65, 79]]}, "info": 
{"id": "cyner2_5class_train_06065", "source": "cyner2_5class_train"}} +{"text": "] netsybil-parks [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06066", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.JaydarkE.Trojan Win32.Runouce.B@mm Virus.Worm.Win32.Runouce.1!O W32.Runouce.B Win32.Runouce.B@mm W32.W.Runouce.lk4E W32/Chir.b.dannado Win32.Runouce.E2C45E W32.Chir.B@mm Win32/Chir.B WORM_CHIR.DI Win.Worm.Brontok-88 Win32.Virus.Chir.A Win32.Runouce.B@mm Virus.Win32.Runouce.bxafx Win32.Chir.B Win32.Runouce.B@mm Win32.Runonce.6652 WORM_CHIR.DI BehavesLike.Win32.Virut.nh Email-Worm.Win32.Runouce Win32/cnPeace.b W32/Chir.I Worm[Email]/Win32.Runouce.b Worm.NimdaT.d.18848 Trojan:JS/Nimda.A Win32/ChiHack.6652 W32/Chir.b@MM Virus.Win32.Chur.A Win32/Chir.B Worm.Win32.Runouce.a I-Worm.Chir.B Win32/Trojan.1a7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.JaydarkE.Trojan": [[26, 45]], "Indicator: Win32.Runouce.B@mm": [[46, 64], [108, 126], [265, 283], [323, 341]], "Indicator: Virus.Worm.Win32.Runouce.1!O": [[65, 93]], "Indicator: W32.Runouce.B": [[94, 107]], "Indicator: W32.W.Runouce.lk4E": [[127, 145]], "Indicator: W32/Chir.b.dannado": [[146, 164]], "Indicator: Win32.Runouce.E2C45E": [[165, 185]], "Indicator: W32.Chir.B@mm": [[186, 199]], "Indicator: Win32/Chir.B": [[200, 212], [571, 583]], "Indicator: WORM_CHIR.DI": [[213, 225], [361, 373]], "Indicator: Win.Worm.Brontok-88": [[226, 245]], "Indicator: Win32.Virus.Chir.A": [[246, 264]], "Indicator: Virus.Win32.Runouce.bxafx": [[284, 309]], "Indicator: Win32.Chir.B": [[310, 322]], "Indicator: Win32.Runonce.6652": [[342, 360]], "Indicator: BehavesLike.Win32.Virut.nh": [[374, 400]], "Indicator: Email-Worm.Win32.Runouce": [[401, 425]], "Indicator: Win32/cnPeace.b": [[426, 441]], "Indicator: W32/Chir.I": [[442, 452]], "Indicator: Worm[Email]/Win32.Runouce.b": [[453, 480]], "Indicator: Worm.NimdaT.d.18848": [[481, 500]], "Indicator: Trojan:JS/Nimda.A": [[501, 518]], "Indicator: 
Win32/ChiHack.6652": [[519, 537]], "Indicator: W32/Chir.b@MM": [[538, 551]], "Indicator: Virus.Win32.Chur.A": [[552, 570]], "Indicator: Worm.Win32.Runouce.a": [[584, 604]], "Indicator: I-Worm.Chir.B": [[605, 618]], "Indicator: Win32/Trojan.1a7": [[619, 635]]}, "info": {"id": "cyner2_5class_train_06067", "source": "cyner2_5class_train"}} +{"text": "Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok .", "spans": {"Organization: Kaspersky": [[0, 9]], "Indicator: Trojan-Banker.AndroidOS.Riltok": [[70, 100]]}, "info": {"id": "cyner2_5class_train_06068", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 Virus/W32.Sality.D Worm.Dumpy.S19687 Win32.Sality.3 Virus.Sality.Win32.25 Win32.Sality.3 Win32.Sality.3 W32.Sality.AE Win32/Sality.AA PE_SALITY.RL Trojan-Ransom.Win32.Blocker.gfeq Virus.Win32.Sality.beygb Win32.Sality.3 Win32.Sality.3 Win32.Sector.30 BehavesLike.Win32.Sality.cm Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Dumpy.B Trojan-Ransom.Win32.Blocker.gfeq Win32.Virus.Sality.A HEUR/Fakon.mwf Virus.Win32.Sality.bakc Worm.AutoRun W32/Sality.AA Win32.Sality Win32/Sality.NBA Trojan-Ransom.Win32.Blocker.b Win32.Sality.BL Worm.Win32.Dumpy Virus.Win32.Sality.I", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Sality.PE": [[26, 39]], "Indicator: Win32.Sality.3": [[40, 54], [92, 106], [129, 143], [144, 158], [260, 274], [275, 289]], "Indicator: Virus/W32.Sality.D": [[55, 73]], "Indicator: Worm.Dumpy.S19687": [[74, 91]], "Indicator: Virus.Sality.Win32.25": [[107, 128]], "Indicator: W32.Sality.AE": [[159, 172]], "Indicator: Win32/Sality.AA": [[173, 188]], "Indicator: PE_SALITY.RL": [[189, 201]], "Indicator: Trojan-Ransom.Win32.Blocker.gfeq": [[202, 234], [389, 421]], "Indicator: Virus.Win32.Sality.beygb": [[235, 259]], "Indicator: Win32.Sector.30": [[290, 305]], "Indicator: BehavesLike.Win32.Sality.cm": [[306, 333]], "Indicator: Win32/HLLP.Kuku.poly2": [[334, 355]], 
"Indicator: W32/Sality.AT": [[356, 369]], "Indicator: Worm:Win32/Dumpy.B": [[370, 388]], "Indicator: Win32.Virus.Sality.A": [[422, 442]], "Indicator: HEUR/Fakon.mwf": [[443, 457]], "Indicator: Virus.Win32.Sality.bakc": [[458, 481]], "Indicator: Worm.AutoRun": [[482, 494]], "Indicator: W32/Sality.AA": [[495, 508]], "Indicator: Win32.Sality": [[509, 521]], "Indicator: Win32/Sality.NBA": [[522, 538]], "Indicator: Trojan-Ransom.Win32.Blocker.b": [[539, 568]], "Indicator: Win32.Sality.BL": [[569, 584]], "Indicator: Worm.Win32.Dumpy": [[585, 601]], "Indicator: Virus.Win32.Sality.I": [[602, 622]]}, "info": {"id": "cyner2_5class_train_06069", "source": "cyner2_5class_train"}} +{"text": "By accessing and stealing this data , Eventbot has the potential to access key business data , including financial data .", "spans": {"Malware: Eventbot": [[38, 46]]}, "info": {"id": "cyner2_5class_train_06070", "source": "cyner2_5class_train"}} +{"text": "Communication with C & C Although Asacub ’ s capabilities gradually evolved , its network behavior and method of communication with the command-and-control ( C & C ) server changed little .", "spans": {"Malware: Asacub": [[34, 40]]}, "info": {"id": "cyner2_5class_train_06071", "source": "cyner2_5class_train"}} +{"text": "In some samples , Bread has simply directly called the Reflect API on strings decrypted at runtime .", "spans": {"Malware: Bread": [[18, 23]]}, "info": {"id": "cyner2_5class_train_06072", "source": "cyner2_5class_train"}} +{"text": "This all started with the great analysis and blog done by RSA in August 2017 about a phishing wave targeting Russian Banks.", "spans": {"Organization: RSA": [[58, 61]], "Indicator: phishing wave": [[85, 98]], "Organization: Russian Banks.": [[109, 123]]}, "info": {"id": "cyner2_5class_train_06073", "source": "cyner2_5class_train"}} +{"text": "The same is true for banking malware .", "spans": {}, "info": {"id": "cyner2_5class_train_06074", "source": "cyner2_5class_train"}} +{"text": "A backdoor 
also known as: Win32.Trojan.WisdomEyes.16070401.9500.9717 Trojan.Win32.Zbot.dsnigs Trojan.Reconyc.Win32.16630 TrojanSpy.Zbot.ewlp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9717": [[26, 68]], "Indicator: Trojan.Win32.Zbot.dsnigs": [[69, 93]], "Indicator: Trojan.Reconyc.Win32.16630": [[94, 120]], "Indicator: TrojanSpy.Zbot.ewlp": [[121, 140]]}, "info": {"id": "cyner2_5class_train_06075", "source": "cyner2_5class_train"}} +{"text": "The emails come with an attached Microsoft Word document file.", "spans": {"Indicator: emails": [[4, 10]], "System: Microsoft Word": [[33, 47]], "Indicator: document file.": [[48, 62]]}, "info": {"id": "cyner2_5class_train_06076", "source": "cyner2_5class_train"}} +{"text": "During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange DDE technique that has been previously reported by Advanced Threat Research.", "spans": {"Indicator: malicious Word document": [[121, 144]], "System: the Microsoft Office Dynamic Data Exchange DDE": [[170, 216]], "Indicator: technique": [[217, 226]], "Organization: Advanced Threat Research.": [[264, 289]]}, "info": {"id": "cyner2_5class_train_06077", "source": "cyner2_5class_train"}} +{"text": "The chat application acts as a dropper for this second-stage payload app .", "spans": {}, "info": {"id": "cyner2_5class_train_06078", "source": "cyner2_5class_train"}} +{"text": "In this case , \" AU '' is the code shown , which is Australia .", "spans": {}, "info": {"id": "cyner2_5class_train_06079", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Webprefix!O Trojan.Webprefix.B3 Trojan.Webprefix.Win32.30550 Trojan/Webprefix.agl Win32.Trojan.Webprefix.d Trojan.Farfli Win32/Webprefix.F Trojan-Downloader.Win32.Klevate.bv Trojan.Win32.Webprefix.balbkt Troj.W32.Webprefix.agl!c 
Trojan.Win32.Krypttik.a Trojan.Webprefix.13 BehavesLike.Win32.Trojan.ch Trojan/Webprefix.w W32.Trojan.Webprefix Trojan[Packed]/Win32.Katusha Trojan:Win32/Webprefix.B Trojan.Win32.A.Webprefix.128000.B Trojan-Downloader.Win32.Klevate.bv Packed/Win32.Katusha.R3725 Trojan.Webprefix.01 Trojan.Webprefix!EZ6BvH+ekbw Packer.Win32.Katusha", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Webprefix!O": [[26, 50]], "Indicator: Trojan.Webprefix.B3": [[51, 70]], "Indicator: Trojan.Webprefix.Win32.30550": [[71, 99]], "Indicator: Trojan/Webprefix.agl": [[100, 120]], "Indicator: Win32.Trojan.Webprefix.d": [[121, 145]], "Indicator: Trojan.Farfli": [[146, 159]], "Indicator: Win32/Webprefix.F": [[160, 177]], "Indicator: Trojan-Downloader.Win32.Klevate.bv": [[178, 212], [468, 502]], "Indicator: Trojan.Win32.Webprefix.balbkt": [[213, 242]], "Indicator: Troj.W32.Webprefix.agl!c": [[243, 267]], "Indicator: Trojan.Win32.Krypttik.a": [[268, 291]], "Indicator: Trojan.Webprefix.13": [[292, 311]], "Indicator: BehavesLike.Win32.Trojan.ch": [[312, 339]], "Indicator: Trojan/Webprefix.w": [[340, 358]], "Indicator: W32.Trojan.Webprefix": [[359, 379]], "Indicator: Trojan[Packed]/Win32.Katusha": [[380, 408]], "Indicator: Trojan:Win32/Webprefix.B": [[409, 433]], "Indicator: Trojan.Win32.A.Webprefix.128000.B": [[434, 467]], "Indicator: Packed/Win32.Katusha.R3725": [[503, 529]], "Indicator: Trojan.Webprefix.01": [[530, 549]], "Indicator: Trojan.Webprefix!EZ6BvH+ekbw": [[550, 578]], "Indicator: Packer.Win32.Katusha": [[579, 599]]}, "info": {"id": "cyner2_5class_train_06080", "source": "cyner2_5class_train"}} +{"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app .", "spans": {"Malware: XLoader": [[79, 86]], "System: Facebook": [[96, 104]], "System: Chrome": [[107, 113]]}, "info": {"id": "cyner2_5class_train_06081", "source": 
"cyner2_5class_train"}} +{"text": "Permissions in the manifest This malware is designed to avoid detection and analysis .", "spans": {}, "info": {"id": "cyner2_5class_train_06082", "source": "cyner2_5class_train"}} +{"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software .", "spans": {"System: VPN": [[86, 89]]}, "info": {"id": "cyner2_5class_train_06083", "source": "cyner2_5class_train"}} +{"text": "The frozen TinyML model is useful for making sure images fit the screen without distortion .", "spans": {"System: TinyML": [[11, 17]]}, "info": {"id": "cyner2_5class_train_06084", "source": "cyner2_5class_train"}} +{"text": "For system administrators and information security professionals , configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats .", "spans": {}, "info": {"id": "cyner2_5class_train_06085", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Constructor.MS04-032.b Riskware.Win32.MS04-032.hrwi W32/Trojan.NOKE-5825 Trojan.Moo Constructor.Win32.MS04-032.b Exploit.MS04-032.B Constructor.Win32.MS04-032.b Tool.MS04.Win32.28 W32/TrojanX.IRQ Constructor.MS04-032.d KIT/MS04-032.B W32/MS04_032.B!kit HackTool[Constructor]/Win32.MS04-032 Constructor.W32.MS04-032.b!c Constructor/Xema.36864 Trojan:Win32/Shelcod.A Constructor.MS04032 VirTool.Win32.MS04 Constructor.AMN Trojan.Win32.MS04-032.b Win32/Constructor.990", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Constructor.MS04-032.b": [[26, 55]], "Indicator: Riskware.Win32.MS04-032.hrwi": [[56, 84]], "Indicator: W32/Trojan.NOKE-5825": [[85, 105]], "Indicator: Trojan.Moo": [[106, 116]], "Indicator: Constructor.Win32.MS04-032.b": [[117, 145], [165, 193]], "Indicator: Exploit.MS04-032.B": [[146, 164]], "Indicator: Tool.MS04.Win32.28": [[194, 212]], "Indicator: W32/TrojanX.IRQ": [[213, 228]], "Indicator: Constructor.MS04-032.d": [[229, 251]], "Indicator: KIT/MS04-032.B": 
[[252, 266]], "Indicator: W32/MS04_032.B!kit": [[267, 285]], "Indicator: HackTool[Constructor]/Win32.MS04-032": [[286, 322]], "Indicator: Constructor.W32.MS04-032.b!c": [[323, 351]], "Indicator: Constructor/Xema.36864": [[352, 374]], "Indicator: Trojan:Win32/Shelcod.A": [[375, 397]], "Indicator: Constructor.MS04032": [[398, 417]], "Indicator: VirTool.Win32.MS04": [[418, 436]], "Indicator: Constructor.AMN": [[437, 452]], "Indicator: Trojan.Win32.MS04-032.b": [[453, 476]], "Indicator: Win32/Constructor.990": [[477, 498]]}, "info": {"id": "cyner2_5class_train_06086", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.BO2K.1.1.2.plugin Backdoor.BO2K.1.1.2.plugin Backdoor/Orifice2K.plugin Win32.Trojan.WisdomEyes.16070401.9500.9851 W32/Risk.JQIA-3547 Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor.BO2K.1.1.2.plugin Trojan.Win32.BO2K-112.guih Win32.Backdoor.Bo2k.Edxg Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor.BO2K.1.1.2.plugin BackDoor.BO2k.plugin Backdoor.BO2K.Win32.168 Backdoor/BO2K.112.Plugin BDS/Bo2k.112.plugin.3 Trojan[Backdoor]/Win32.BO2K Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor:Win32/BO2K.1_12 Backdoor.BO2K.112 Win32/BO2K.112.plugin Backdoor.BO2K.plugin!QCV0kLCiRV0 Trojan.Win32.BO2K", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.BO2K.1.1.2.plugin": [[26, 52], [53, 79], [168, 194], [226, 252], [305, 331], [363, 389], [510, 536]], "Indicator: Backdoor/Orifice2K.plugin": [[80, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9851": [[106, 148]], "Indicator: W32/Risk.JQIA-3547": [[149, 167]], "Indicator: Backdoor.Win32.BO2K.112.plugin": [[195, 225], [332, 362], [537, 567]], "Indicator: Trojan.Win32.BO2K-112.guih": [[253, 279]], "Indicator: Win32.Backdoor.Bo2k.Edxg": [[280, 304]], "Indicator: BackDoor.BO2k.plugin": [[390, 410]], "Indicator: Backdoor.BO2K.Win32.168": [[411, 434]], "Indicator: Backdoor/BO2K.112.Plugin": [[435, 459]], "Indicator: 
BDS/Bo2k.112.plugin.3": [[460, 481]], "Indicator: Trojan[Backdoor]/Win32.BO2K": [[482, 509]], "Indicator: Backdoor:Win32/BO2K.1_12": [[568, 592]], "Indicator: Backdoor.BO2K.112": [[593, 610]], "Indicator: Win32/BO2K.112.plugin": [[611, 632]], "Indicator: Backdoor.BO2K.plugin!QCV0kLCiRV0": [[633, 665]], "Indicator: Trojan.Win32.BO2K": [[666, 683]]}, "info": {"id": "cyner2_5class_train_06087", "source": "cyner2_5class_train"}} +{"text": "] ru/4 * * * * * 7 ” , containing a link to download the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_06088", "source": "cyner2_5class_train"}} +{"text": "So far , this software ( along with the Android version ) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers .", "spans": {"System: Android": [[40, 47]]}, "info": {"id": "cyner2_5class_train_06089", "source": "cyner2_5class_train"}} +{"text": "In late August 2015, Symantec identified a previously unknown back door Trojan Backdoor.Dripion infecting organizations primarily located in Taiwan, as well as Brazil and the United States.", "spans": {"Organization: Symantec": [[21, 29]], "Malware: unknown back door Trojan": [[54, 78]], "Indicator: Backdoor.Dripion": [[79, 95]], "Organization: organizations": [[106, 119]]}, "info": {"id": "cyner2_5class_train_06090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Rakhni Downloader.Rakhni.Win32.344 Trojan-Downloader.Win32.Rakhni.moc TrojanDownloader.Rakhni.hu TR/Dldr.Delf.ltfzo TrojanDownloader:Win32/Docdobex.A Trojan.Zusy.D3FCFF Trojan-Downloader.Win32.Rakhni.moc Downloader/Win32.Rakhni.C2136522 TrojanDownloader.Rakhni W32/Delf.CDW!tr.bdr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Rakhni": [[26, 49], [280, 303]], "Indicator: Downloader.Rakhni.Win32.344": [[50, 77]], "Indicator: Trojan-Downloader.Win32.Rakhni.moc": [[78, 112], [212, 246]], "Indicator: TrojanDownloader.Rakhni.hu": [[113, 139]], 
"Indicator: TR/Dldr.Delf.ltfzo": [[140, 158]], "Indicator: TrojanDownloader:Win32/Docdobex.A": [[159, 192]], "Indicator: Trojan.Zusy.D3FCFF": [[193, 211]], "Indicator: Downloader/Win32.Rakhni.C2136522": [[247, 279]], "Indicator: W32/Delf.CDW!tr.bdr": [[304, 323]], "Indicator: Trj/GdSda.A": [[324, 335]]}, "info": {"id": "cyner2_5class_train_06091", "source": "cyner2_5class_train"}} +{"text": "Further investigation showed that the malware , which we named BusyGasper , is not all that sophisticated , but demonstrates some unusual features for this type of threat .", "spans": {"Malware: BusyGasper": [[63, 73]]}, "info": {"id": "cyner2_5class_train_06092", "source": "cyner2_5class_train"}} +{"text": "The following screenshot shows the contacts being stolen and written in a local array , which is then sent to C & C : Uninstalling apps Uninstalling apps is another function favored by developers of Android spyware and malware .", "spans": {"System: Android": [[199, 206]]}, "info": {"id": "cyner2_5class_train_06093", "source": "cyner2_5class_train"}} +{"text": "Malware mostly communicating with compromised domains", "spans": {"Malware: Malware": [[0, 7]], "Indicator: communicating": [[15, 28]], "Indicator: compromised domains": [[34, 53]]}, "info": {"id": "cyner2_5class_train_06094", "source": "cyner2_5class_train"}} +{"text": "This would allow the RAT to receive system notifications .", "spans": {}, "info": {"id": "cyner2_5class_train_06095", "source": "cyner2_5class_train"}} +{"text": "] comgo-mail-accounts [ .", "spans": {"Indicator: [ .": [[22, 25]]}, "info": {"id": "cyner2_5class_train_06096", "source": "cyner2_5class_train"}} +{"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps .", "spans": {"Malware: Shedun": [[82, 88]]}, "info": {"id": "cyner2_5class_train_06097", "source": "cyner2_5class_train"}} +{"text": "Programs of this family 
interfere with bank apps, such as the Commerzbank app or Google Play.", "spans": {"Malware: Programs": [[0, 8]], "Malware: family": [[17, 23]], "Malware: bank apps,": [[39, 49]], "System: Commerzbank app": [[62, 77]], "System: Google Play.": [[81, 93]]}, "info": {"id": "cyner2_5class_train_06098", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB Trojan/VB.pra Trojan.Kazy.D61DA Win32.Trojan.WisdomEyes.16070401.9500.9965 W32.SillyFDC Win32/Tnega.AEVL Trojan.Win32.VB.aspi Trojan.Win32.VB.eijsbx Trojan.Win32.A.VB.40960.AS Troj.W32.Vb!c Trojan.VB.Win32.100469 BehavesLike.Win32.Vilsel.pz Trojan/VB.ckmo Trojan:Win32/Tazi.A Trojan.Win32.VB.aspi HEUR/Fakon.mwf Trojan.VB Worm.AutoRun Win32/VB.PRA Win32.Trojan.Vb.Ljka Trojan.VB!n6riGwYVvNo Trojan.Win32.VB W32/SillyFDC.IZ!tr Win32/Trojan.db1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.VB!O": [[26, 43]], "Indicator: Trojan.VB": [[44, 53], [366, 375]], "Indicator: Trojan/VB.pra": [[54, 67]], "Indicator: Trojan.Kazy.D61DA": [[68, 85]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[86, 128]], "Indicator: W32.SillyFDC": [[129, 141]], "Indicator: Win32/Tnega.AEVL": [[142, 158]], "Indicator: Trojan.Win32.VB.aspi": [[159, 179], [330, 350]], "Indicator: Trojan.Win32.VB.eijsbx": [[180, 202]], "Indicator: Trojan.Win32.A.VB.40960.AS": [[203, 229]], "Indicator: Troj.W32.Vb!c": [[230, 243]], "Indicator: Trojan.VB.Win32.100469": [[244, 266]], "Indicator: BehavesLike.Win32.Vilsel.pz": [[267, 294]], "Indicator: Trojan/VB.ckmo": [[295, 309]], "Indicator: Trojan:Win32/Tazi.A": [[310, 329]], "Indicator: HEUR/Fakon.mwf": [[351, 365]], "Indicator: Worm.AutoRun": [[376, 388]], "Indicator: Win32/VB.PRA": [[389, 401]], "Indicator: Win32.Trojan.Vb.Ljka": [[402, 422]], "Indicator: Trojan.VB!n6riGwYVvNo": [[423, 444]], "Indicator: Trojan.Win32.VB": [[445, 460]], "Indicator: W32/SillyFDC.IZ!tr": [[461, 479]], "Indicator: Win32/Trojan.db1": [[480, 496]]}, "info": {"id": 
"cyner2_5class_train_06099", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.WannaCry.5267459 Ransom.WannaCrypt.S1670344 Ransom.WannaCrypt Trojan/Exploit.CVE-2017-0147.a Ransom_WCRY.SMALYM Win32.Worm.Rbot.a Ransom.Wannacry Ransom_WCRY.SMALYM Win.Ransomware.WannaCry-6313787-0 Win32.Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Trojan.Win32.Wanna.epxkni Trojan.Win32.WannaCry.5267459 Troj.Ransom.W32.Wanna.toP0 Trojan.Encoder.11432 Exploit.CVE.Win32.1765 BehavesLike.Win32.RansomWannaCry.th Trojan.Wanna.k Trojan[Ransom]/Win32.Wanna Ransom:Win32/WannaCrypt.A!rsm Trojan-Ransom.Win32.Wanna.m Trojan/Win32.WannaCryptor.R200894 Hoax.Wanna Trj/GdSda.A Win32/Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Exploit.CVE-2017-0147! Trojan.Win32.Exploit W32/WannaCryptor.H!tr.ransom", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.WannaCry.5267459": [[26, 53]], "Indicator: Ransom.WannaCrypt.S1670344": [[54, 80]], "Indicator: Ransom.WannaCrypt": [[81, 98]], "Indicator: Trojan/Exploit.CVE-2017-0147.a": [[99, 129]], "Indicator: Ransom_WCRY.SMALYM": [[130, 148], [183, 201]], "Indicator: Win32.Worm.Rbot.a": [[149, 166]], "Indicator: Ransom.Wannacry": [[167, 182]], "Indicator: Win.Ransomware.WannaCry-6313787-0": [[202, 235]], "Indicator: Win32.Exploit.CVE-2017-0147.A": [[236, 265]], "Indicator: Trojan-Ransom.Win32.Wanna.m": [[266, 293], [529, 556], [644, 671]], "Indicator: Trojan.Win32.Wanna.epxkni": [[294, 319]], "Indicator: Trojan.Win32.WannaCry.5267459": [[320, 349]], "Indicator: Troj.Ransom.W32.Wanna.toP0": [[350, 376]], "Indicator: Trojan.Encoder.11432": [[377, 397]], "Indicator: Exploit.CVE.Win32.1765": [[398, 420]], "Indicator: BehavesLike.Win32.RansomWannaCry.th": [[421, 456]], "Indicator: Trojan.Wanna.k": [[457, 471]], "Indicator: Trojan[Ransom]/Win32.Wanna": [[472, 498]], "Indicator: Ransom:Win32/WannaCrypt.A!rsm": [[499, 528]], "Indicator: Trojan/Win32.WannaCryptor.R200894": [[557, 590]], "Indicator: Hoax.Wanna": 
[[591, 601]], "Indicator: Trj/GdSda.A": [[602, 613]], "Indicator: Win32/Exploit.CVE-2017-0147.A": [[614, 643]], "Indicator: Exploit.CVE-2017-0147!": [[672, 694]], "Indicator: Trojan.Win32.Exploit": [[695, 715]], "Indicator: W32/WannaCryptor.H!tr.ransom": [[716, 744]]}, "info": {"id": "cyner2_5class_train_06100", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packer.FSG.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.BFIA Downloader.Trojan TROJ_APHER.A Win.Trojan.Small-10534 Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Trojan.Win32.WebDown.cdwvkr Packer.FSG.A TrojWare.Win32.TrojanDownloader.Apher.0700 Packer.FSG.A Trojan.DownLoader.4572 TROJ_APHER.A Trojan-Downloader.Win32.WebDown W32/Downloader.MUZI-7025 Trojan/Downloader.WebDown.10 Trojan/Win32.Unknown Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Win-Trojan/Apher.1312 Packer.FSG.A Trj/Downloader.GE Win32/Randon.A W32/Dloader.AE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packer.FSG.A": [[26, 38], [156, 168], [204, 216], [245, 257], [301, 313], [457, 469], [527, 539]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[39, 81]], "Indicator: W32/Downloader.BFIA": [[82, 101]], "Indicator: Downloader.Trojan": [[102, 119]], "Indicator: TROJ_APHER.A": [[120, 132], [337, 349]], "Indicator: Win.Trojan.Small-10534": [[133, 155]], "Indicator: Trojan-Downloader.Win32.WebDown.10": [[169, 203], [470, 504]], "Indicator: Trojan.Win32.WebDown.cdwvkr": [[217, 244]], "Indicator: TrojWare.Win32.TrojanDownloader.Apher.0700": [[258, 300]], "Indicator: Trojan.DownLoader.4572": [[314, 336]], "Indicator: Trojan-Downloader.Win32.WebDown": [[350, 381]], "Indicator: W32/Downloader.MUZI-7025": [[382, 406]], "Indicator: Trojan/Downloader.WebDown.10": [[407, 435]], "Indicator: Trojan/Win32.Unknown": [[436, 456]], "Indicator: Win-Trojan/Apher.1312": [[505, 526]], "Indicator: Trj/Downloader.GE": [[540, 557]], "Indicator: Win32/Randon.A": [[558, 572]], "Indicator: 
W32/Dloader.AE!tr": [[573, 590]]}, "info": {"id": "cyner2_5class_train_06101", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.D.EED80 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Bayrob.etejdt BehavesLike.Win32.Ipamor.jc Trojan/Win32.Scar.C59481 Trojan.Win32.Woripecs W32/Scar.CTI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.D.EED80": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[46, 88]], "Indicator: Trojan.Win32.Bayrob.etejdt": [[89, 115]], "Indicator: BehavesLike.Win32.Ipamor.jc": [[116, 143]], "Indicator: Trojan/Win32.Scar.C59481": [[144, 168]], "Indicator: Trojan.Win32.Woripecs": [[169, 190]], "Indicator: W32/Scar.CTI!tr": [[191, 206]]}, "info": {"id": "cyner2_5class_train_06102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.14336.BM Trojan.Zenshirsh.SL7 Backdoor.Small.Win32.3772 Backdoor/Small.wn BKDR_RINCUX.AD Trojan.Win32.Scar.nzec Backdoor.Win32.Small.32768.H[UPX] Backdoor.W32.Small.wn!c Trojan.DownLoad3.19355 BKDR_RINCUX.AD BehavesLike.Win32.Backdoor.lm BDS/Salamdom.A Trojan.Win32.Scar.nzec Backdoor:Win32/Salamdom.A Adware/AdHelper.B Win32/Salamdom.AA Win32.Backdoor.Small.Sxyt Backdoor.Small!t0Kn4UZH16w Trojan-Downloader.Win32.Pangu W32/ServStart.AS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.14336.BM": [[26, 51]], "Indicator: Trojan.Zenshirsh.SL7": [[52, 72]], "Indicator: Backdoor.Small.Win32.3772": [[73, 98]], "Indicator: Backdoor/Small.wn": [[99, 116]], "Indicator: BKDR_RINCUX.AD": [[117, 131], [236, 250]], "Indicator: Trojan.Win32.Scar.nzec": [[132, 154], [296, 318]], "Indicator: Backdoor.Win32.Small.32768.H[UPX]": [[155, 188]], "Indicator: Backdoor.W32.Small.wn!c": [[189, 212]], "Indicator: Trojan.DownLoad3.19355": [[213, 235]], "Indicator: BehavesLike.Win32.Backdoor.lm": [[251, 280]], "Indicator: BDS/Salamdom.A": [[281, 295]], "Indicator: Backdoor:Win32/Salamdom.A": [[319, 344]], 
"Indicator: Adware/AdHelper.B": [[345, 362]], "Indicator: Win32/Salamdom.AA": [[363, 380]], "Indicator: Win32.Backdoor.Small.Sxyt": [[381, 406]], "Indicator: Backdoor.Small!t0Kn4UZH16w": [[407, 433]], "Indicator: Trojan-Downloader.Win32.Pangu": [[434, 463]], "Indicator: W32/ServStart.AS!tr": [[464, 483]]}, "info": {"id": "cyner2_5class_train_06103", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //nttdocomo-qae [ .", "spans": {"Indicator: hxxp : //nttdocomo-qae [ .": [[6, 32]]}, "info": {"id": "cyner2_5class_train_06104", "source": "cyner2_5class_train"}} +{"text": "There are several strings and labels still mentioning 'test ' or 'testcc ' — even the URL used for the credit card data exfiltration is named \" testcc.php .", "spans": {"Indicator: testcc.php": [[144, 154]]}, "info": {"id": "cyner2_5class_train_06105", "source": "cyner2_5class_train"}} +{"text": "Once the payload is prepared , “ Agent Smith ” uses it to build another APK file , exploiting the Janus vulnerability : Figure 8 : The new infected APK file structure Solely injecting the code of the loader is not enough .", "spans": {"Malware: Agent Smith": [[33, 44]], "Vulnerability: Janus": [[98, 103]]}, "info": {"id": "cyner2_5class_train_06106", "source": "cyner2_5class_train"}} +{"text": "] qwe-japan [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06107", "source": "cyner2_5class_train"}} +{"text": "Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.", "spans": {}, "info": {"id": "cyner2_5class_train_06108", "source": "cyner2_5class_train"}} +{"text": "TABLE OF CONTENTS Key Findings Introduction Threat Analysis Fakespy Code Analysis Dynamic Library Loading Stealing Sensitive Information Anti-Emulator Techniques Under Active Development Who is Behind Fakespy 's Smishing Campaigns ? 
Conclusions Cybereason Mobile Detects and Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 .", "spans": {"Malware: Fakespy": [[60, 67], [201, 208]], "Organization: Cybereason Mobile": [[245, 262]], "Malware: FakeSpy": [[281, 288], [430, 437]], "Organization: Cybereason": [[356, 366]], "System: Android": [[407, 414]]}, "info": {"id": "cyner2_5class_train_06109", "source": "cyner2_5class_train"}} +{"text": "For example , when a button is clicked , a view is focused , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_06110", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke/W32.ArchSMS.2449920.C Trojan.Zusy.D14269 Win32.Trojan.WisdomEyes.16070401.9500.9992 not-a-virus:WebToolbar.Win32.Webatla.b Trojan.Win32.ArchSMS.csnmld Trojan.SMSSend.4975 Tool.ArchSMS.Win32.17120 BehavesLike.Win32.BadFile.vc Trojan:Win32/Blinerarch.A Trojan/Win32.ArchSMS.C198920 Hoax.ArchSMS Trojan.ArchSMS!HGAxbs185b0 Hoax.Win32.ArchSMS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke/W32.ArchSMS.2449920.C": [[26, 52]], "Indicator: Trojan.Zusy.D14269": [[53, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[72, 114]], "Indicator: not-a-virus:WebToolbar.Win32.Webatla.b": [[115, 153]], "Indicator: Trojan.Win32.ArchSMS.csnmld": [[154, 181]], "Indicator: Trojan.SMSSend.4975": [[182, 201]], "Indicator: Tool.ArchSMS.Win32.17120": [[202, 226]], "Indicator: BehavesLike.Win32.BadFile.vc": [[227, 255]], "Indicator: Trojan:Win32/Blinerarch.A": [[256, 281]], "Indicator: Trojan/Win32.ArchSMS.C198920": [[282, 310]], "Indicator: Hoax.ArchSMS": [[311, 323]], "Indicator: Trojan.ArchSMS!HGAxbs185b0": [[324, 350]], "Indicator: Hoax.Win32.ArchSMS": [[351, 369]]}, "info": {"id": "cyner2_5class_train_06111", "source": "cyner2_5class_train"}} +{"text": "Over the course of 
their campaigns, we analyzed their modus operandi and dissected their tools of the trade—and uncovered common denominators indicating that PLEAD, Shrouded Crossbow, and Waterbear may actually be operated by the same group.", "spans": {"Malware: PLEAD, Shrouded Crossbow,": [[158, 183]], "Malware: Waterbear": [[188, 197]], "Organization: the same group.": [[226, 241]]}, "info": {"id": "cyner2_5class_train_06112", "source": "cyner2_5class_train"}} +{"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios .", "spans": {}, "info": {"id": "cyner2_5class_train_06113", "source": "cyner2_5class_train"}} +{"text": "Hancitor is one of the better-known malware downloaders due to its numerous SPAM runs and evolving delivery technique.", "spans": {"Malware: Hancitor": [[0, 8]], "Malware: malware downloaders": [[36, 55]], "Indicator: SPAM": [[76, 80]]}, "info": {"id": "cyner2_5class_train_06114", "source": "cyner2_5class_train"}} +{"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android .", "spans": {"System: Android": [[36, 43], [106, 113]], "Malware: Marcher": [[44, 51]], "System: Super Mario Run": [[81, 96]]}, "info": {"id": "cyner2_5class_train_06115", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FantibagB.Trojan Email-Worm.Win32.Bagle!O Win32.Trojan.WisdomEyes.16070401.9500.9958 Win32/Fantibag.E Email-Worm.Win32.Bagle.cv Email-Worm.Win32.Bagle Worm/Bagle.aac TR/Bagle.BR.A.Dll I-Worm.Win32.Bagle.FA Email-Worm.Win32.Bagle.cv Trojan:Win32/Fantibag.B Win32/Bagle.BI Trojan.Fantibag.A1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FantibagB.Trojan": [[26, 46]], "Indicator: Email-Worm.Win32.Bagle!O": [[47, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9958": [[72, 114]], "Indicator: Win32/Fantibag.E": [[115, 131]], "Indicator: Email-Worm.Win32.Bagle.cv": [[132, 157], [236, 261]], "Indicator: 
Email-Worm.Win32.Bagle": [[158, 180]], "Indicator: Worm/Bagle.aac": [[181, 195]], "Indicator: TR/Bagle.BR.A.Dll": [[196, 213]], "Indicator: I-Worm.Win32.Bagle.FA": [[214, 235]], "Indicator: Trojan:Win32/Fantibag.B": [[262, 285]], "Indicator: Win32/Bagle.BI": [[286, 300]], "Indicator: Trojan.Fantibag.A1": [[301, 319]]}, "info": {"id": "cyner2_5class_train_06116", "source": "cyner2_5class_train"}}
+{"text": "It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.", "spans": {"Malware: malware": [[65, 72]], "Indicator: BKDR_ALICE.A.": [[83, 96]]}, "info": {"id": "cyner2_5class_train_06117", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Dropper.Refroso.B Trojan/W32.Refroso.62976.D Trojan.Win32.Refroso!O Trojan.Injector.5265 Trojan.Refroso.Win32.766 Trojan/Refroso.dzt Trojan.Dropper.Refroso.B Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_LETHIC.SMA Trojan.Win32.Refroso.ayz Trojan.Dropper.Refroso.B Trojan.Win32.Refroso.bwzzc Trojan.Dropper.Refroso.B Trojan.Dropper.Refroso.B BackDoor.Bifrost.26171 TROJ_LETHIC.SMA BehavesLike.Win32.Downloader.kc Backdoor/Poison.bhw Worm:Win32/Refroso.A Trojan[Downloader]/Win32.Refroso Win32.Troj.Refroso.kcloud Worm:Win32/Refroso.A Backdoor.Win32.Poison.46632 Trojan.Dropper.Refroso.B Trojan/Win32.Refroso.R694 Trojan.Dropper.Refroso.B Trojan.Win32.Buzus.8101325 Trojan.Refroso Trojan.Win32.Buzus W32/Injector.IA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.Refroso.B": [[26, 50], [166, 190], [275, 299], [327, 351], [352, 376], [597, 621], [648, 672]], "Indicator: Trojan/W32.Refroso.62976.D": [[51, 77]], "Indicator: Trojan.Win32.Refroso!O": [[78, 100]], "Indicator: Trojan.Injector.5265": [[101, 121]], "Indicator: Trojan.Refroso.Win32.766": [[122, 146]], "Indicator: Trojan/Refroso.dzt": [[147, 165]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[191, 233]], "Indicator: TROJ_LETHIC.SMA": [[234, 249], [400, 415]], "Indicator: Trojan.Win32.Refroso.ayz": [[250, 274]], "Indicator: Trojan.Win32.Refroso.bwzzc": [[300, 326]], "Indicator: BackDoor.Bifrost.26171": [[377, 399]], "Indicator: BehavesLike.Win32.Downloader.kc": [[416, 447]], "Indicator: Backdoor/Poison.bhw": [[448, 467]], "Indicator: Worm:Win32/Refroso.A": [[468, 488], [548, 568]], "Indicator: Trojan[Downloader]/Win32.Refroso": [[489, 521]], "Indicator: Win32.Troj.Refroso.kcloud": [[522, 547]], "Indicator: Backdoor.Win32.Poison.46632": [[569, 596]], "Indicator: Trojan/Win32.Refroso.R694": [[622, 647]], "Indicator: Trojan.Win32.Buzus.8101325": [[673, 699]], "Indicator: Trojan.Refroso": [[700, 714]], "Indicator: Trojan.Win32.Buzus": [[715, 733]], "Indicator: W32/Injector.IA!tr": [[734, 752]]}, "info": {"id": "cyner2_5class_train_06118", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: TrojanPSW.LdPinch.cds PWS-Lineage.dll Trojan.Downloader-35380 Trojan-GameThief.Win32.OnLineGames.stab Trojan.PWS.Wsgame.origin PWS:Win32/Kotwir.A.dll Trojan-Downloader.Win32.Banload.aqi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPSW.LdPinch.cds": [[26, 47]], "Indicator: PWS-Lineage.dll": [[48, 63]], "Indicator: Trojan.Downloader-35380": [[64, 87]], "Indicator: Trojan-GameThief.Win32.OnLineGames.stab": [[88, 127]], "Indicator: Trojan.PWS.Wsgame.origin": [[128, 152]], "Indicator: PWS:Win32/Kotwir.A.dll": [[153, 175]], "Indicator: Trojan-Downloader.Win32.Banload.aqi": [[176, 211]]}, "info": {"id": "cyner2_5class_train_06119", "source": "cyner2_5class_train"}}
+{"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we ’ re updating your configuration and it will be ready as soon as possible .", "spans": {}, "info": {"id": "cyner2_5class_train_06120", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/W32.Blocker.194764 Trojan.Bepush.Win32.889 Trojan.Strictor.D7317 TROJ_SPNR.11GF13 Win32.Trojan.WisdomEyes.16070401.9500.9800 TROJ_SPNR.11GF13 Win.Trojan.Truado-1 Trojan.Win32.Dapato.dcitdy Trojan-Downloader:W32/Kilim.T Trojan.DownLoader9.41166 Trojan.JS.FBExt W32/Trojan.CAKN-6742 Trojan/Blocker.eyy TR/Dldr.Truado.B.5 TrojanDownloader:MSIL/Truado.B Trojan/Win32.Blocker.R77853 Hoax.Blocker Trj/CI.A Trojan.Blocker!Jm7NxUGe2as Win32/Trojan.a10", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Blocker.194764": [[26, 51]], "Indicator: Trojan.Bepush.Win32.889": [[52, 75]], "Indicator: Trojan.Strictor.D7317": [[76, 97]], "Indicator: TROJ_SPNR.11GF13": [[98, 114], [158, 174]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9800": [[115, 157]], "Indicator: Win.Trojan.Truado-1": [[175, 194]], "Indicator: Trojan.Win32.Dapato.dcitdy": [[195, 221]], "Indicator: Trojan-Downloader:W32/Kilim.T": [[222, 251]], "Indicator: Trojan.DownLoader9.41166": [[252, 276]], "Indicator: Trojan.JS.FBExt": [[277, 292]], "Indicator: W32/Trojan.CAKN-6742": [[293, 313]], "Indicator: Trojan/Blocker.eyy": [[314, 332]], "Indicator: TR/Dldr.Truado.B.5": [[333, 351]], "Indicator: TrojanDownloader:MSIL/Truado.B": [[352, 382]], "Indicator: Trojan/Win32.Blocker.R77853": [[383, 410]], "Indicator: Hoax.Blocker": [[411, 423]], "Indicator: Trj/CI.A": [[424, 432]], "Indicator: Trojan.Blocker!Jm7NxUGe2as": [[433, 459]], "Indicator: Win32/Trojan.a10": [[460, 476]]}, "info": {"id": "cyner2_5class_train_06121", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.PWS.LdPinch.TMK Trojan-PWS/W32.LdPinch.557056 Trojan.PWS.LdPinch.TMK Trojan.PWS.LdPinch.TMK Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Pakes.nkj Trojan.PWS.LdPinch.TMK Trojan.Win32.Pakes.gkhlc Trojan.PWS.LdPinch.TMK Trojan.PWS.LdPinch.TMK BehavesLike.Win32.VirRansom.hc Trojan.PWS.LdPinch.TMK Trojan.DR.Jeshex!G2i88bn5YEw W32/LdPinch.TNV!tr.pws Win32/Trojan.PWS.912", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.LdPinch.TMK": [[26, 48], [79, 101], [102, 124], [191, 213], [239, 261], [262, 284], [316, 338]], "Indicator: Trojan-PWS/W32.LdPinch.557056": [[49, 78]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[125, 167]], "Indicator: Trojan.Win32.Pakes.nkj": [[168, 190]], "Indicator: Trojan.Win32.Pakes.gkhlc": [[214, 238]], "Indicator: BehavesLike.Win32.VirRansom.hc": [[285, 315]], "Indicator: Trojan.DR.Jeshex!G2i88bn5YEw": [[339, 367]], "Indicator: W32/LdPinch.TNV!tr.pws": [[368, 390]], "Indicator: Win32/Trojan.PWS.912": [[391, 411]]}, "info": {"id": "cyner2_5class_train_06122", "source": "cyner2_5class_train"}}
+{"text": "January 23 , 2017 SpyNote RAT posing as Netflix app As users have become more attached to their mobile devices , they want everything on those devices .", "spans": {"Malware: SpyNote RAT": [[18, 29]], "System: Netflix app": [[40, 51]]}, "info": {"id": "cyner2_5class_train_06123", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: BehavesLike.Win32.BadFile.nm TrojanDownloader:Win32/Xuwuq.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.BadFile.nm": [[26, 54]], "Indicator: TrojanDownloader:Win32/Xuwuq.A": [[55, 85]]}, "info": {"id": "cyner2_5class_train_06124", "source": "cyner2_5class_train"}}
+{"text": "This strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or released yet .", "spans": {}, "info": {"id": "cyner2_5class_train_06125", "source": "cyner2_5class_train"}}
+{"text": "In addition to “ Free VPN Master Android , ” we ’ ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago .", "spans": {"System: Free VPN Master Android": [[17, 40]], "Malware: Red Alert 2.0": [[62, 75]], "System: Flash Player": [[137, 149]], "System: Update Flash Player": [[153, 172]], "System: Android Update": [[173, 187]], "System: Android Antivirus": [[191, 208]], "System: Chrome Update": [[209, 222]], "System: Google Update": [[226, 239]], "System: Update Google Market": [[240, 260]], "System: WhatsApp": [[261, 269]], "System: Viber": [[270, 275]], "System: OneCoin": [[276, 283]], "System: Wallet": [[284, 290]], "Malware: Red Alert 2.0 samples": [[380, 401]], "System: Adobe Flash player": [[432, 450]], "System: Android": [[455, 462]], "Organization: Adobe": [[480, 485]]}, "info": {"id": "cyner2_5class_train_06126", "source": "cyner2_5class_train"}}
+{"text": "It is the first plain stage that does not employ a VM or obfuscation .", "spans": {}, "info": {"id": "cyner2_5class_train_06127", "source": "cyner2_5class_train"}}
+{"text": "Facebook page managed by the C & C domain registrant uses the same base domain name ( minigameshouse ) and phone number as the registered malicious C & C used by the Ashas adware Of interest is that on the Minigameshouse Facebook page , the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store .", "spans": {"Organization: Facebook": [[0, 8], [221, 229]], "Malware: Ashas": [[166, 171], [297, 302]], "System: Google Play": [[331, 342]], "System: App Store": [[351, 360]]}, "info": {"id": "cyner2_5class_train_06128", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W64.HfsAutoA.4EC7 Exploit.CVE-2015-1701.A Trojan.Win64 Exploit.CVE-2015-1701.A W64/Trojan.CBXE-7834 Exploit.CVE-2015-1701.A Exploit.Win64.CVE-2015-1701.b Exploit.CVE-2015-1701.A Exploit.CVE-2015-1701.A Exploit.CVE2015-1701.1 BehavesLike.Win64.BadFile.mh Virus.Win32.Virut Exploit.CVE-2015-1701.e Trojan[Exploit]/EXE.CVE-2015-1701 Exploit.CVE-2015-1701.A Exploit.Win64.CVE.tnlV Exploit.Win64.CVE-2015-1701.b Trojan/Win32.Exploit.R200799 Exploit.Win64.CVE-2015-1701 Trj/CI.A Win64.Exploit.Cve-2015-1701.Ahyf W64/CVE_2015_1701.A!tr Win32/Trojan.Exploit.059", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W64.HfsAutoA.4EC7": [[26, 43]], "Indicator: Exploit.CVE-2015-1701.A": [[44, 67], [81, 104], [126, 149], [180, 203], [204, 227], [356, 379]], "Indicator: Trojan.Win64": [[68, 80]], "Indicator: W64/Trojan.CBXE-7834": [[105, 125]], "Indicator: Exploit.Win64.CVE-2015-1701.b": [[150, 179], [403, 432]], "Indicator: Exploit.CVE2015-1701.1": [[228, 250]], "Indicator: BehavesLike.Win64.BadFile.mh": [[251, 279]], "Indicator: Virus.Win32.Virut": [[280, 297]], "Indicator: Exploit.CVE-2015-1701.e": [[298, 321]], "Indicator: Trojan[Exploit]/EXE.CVE-2015-1701": [[322, 355]], "Indicator: Exploit.Win64.CVE.tnlV": [[380, 402]], "Indicator: Trojan/Win32.Exploit.R200799": [[433, 461]], "Indicator: Exploit.Win64.CVE-2015-1701": [[462, 489]], "Indicator: Trj/CI.A": [[490, 498]], "Indicator: Win64.Exploit.Cve-2015-1701.Ahyf": [[499, 531]], "Indicator: W64/CVE_2015_1701.A!tr": [[532, 554]], "Indicator: Win32/Trojan.Exploit.059": [[555, 579]]}, "info": {"id": "cyner2_5class_train_06129", "source": "cyner2_5class_train"}}
+{"text": "This is part of a class called CaptureService , which already existed in the previous version but it was not duly implemented .", "spans": {}, "info": {"id": "cyner2_5class_train_06130", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Win32.Cult.fvly W32/Cult.B@mm W32.HLLW.Cult@mm Win32/Cult.E Email-Worm.Win32.Cult.b Win32.Cult.B@mm I-Worm.Cult.B Worm.Win32.Cult.B Win32.HLLW.SpyBot I-Worm/Cult.b Worm.Cult.b.kcloud Worm:Win32/Cult.D@mm I-Worm.Win32.Cult.16418 Win32/Cult.worm.16418 Win32.Cult.B@mm W32/Cult.B@mm Worm.Cult Net-Worm.Cult Win32/Cult.B Worm.Cults.b Email-Worm.Win32.Cult W32/Cult.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Cult.fvly": [[26, 48]], "Indicator: W32/Cult.B@mm": [[49, 62], [299, 312]], "Indicator: W32.HLLW.Cult@mm": [[63, 79]], "Indicator: Win32/Cult.E": [[80, 92]], "Indicator: Email-Worm.Win32.Cult.b": [[93, 116]], "Indicator: Win32.Cult.B@mm": [[117, 132], [283, 298]], "Indicator: I-Worm.Cult.B": [[133, 146]], "Indicator: Worm.Win32.Cult.B": [[147, 164]], "Indicator: Win32.HLLW.SpyBot": [[165, 182]], "Indicator: I-Worm/Cult.b": [[183, 196]], "Indicator: Worm.Cult.b.kcloud": [[197, 215]], "Indicator: Worm:Win32/Cult.D@mm": [[216, 236]], "Indicator: I-Worm.Win32.Cult.16418": [[237, 260]], "Indicator: Win32/Cult.worm.16418": [[261, 282]], "Indicator: Worm.Cult": [[313, 322]], "Indicator: Net-Worm.Cult": [[323, 336]], "Indicator: Win32/Cult.B": [[337, 349]], "Indicator: Worm.Cults.b": [[350, 362]], "Indicator: Email-Worm.Win32.Cult": [[363, 384]], "Indicator: W32/Cult.B": [[385, 395]]}, "info": {"id": "cyner2_5class_train_06131", "source": "cyner2_5class_train"}}
+{"text": "Last week, an Endgame researcher was analyzing spam emails for indications of emergent malicious activity.", "spans": {"Organization: Endgame researcher": [[14, 32]], "Indicator: spam emails": [[47, 58]], "Indicator: indications": [[63, 74]]}, "info": {"id": "cyner2_5class_train_06132", "source": "cyner2_5class_train"}}
+{"text": "Symantec is currently investigating reports of yet another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group W32.Disttrack, W32.Disttrack.B.", "spans": {"Organization: Symantec": [[0, 8]], "Indicator: attack": [[63, 69]], "Malware: destructive disk-wiping malware": [[103, 134]], "Indicator: W32.Disttrack, W32.Disttrack.B.": [[161, 192]]}, "info": {"id": "cyner2_5class_train_06133", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.OnlineGamesXTUG.Worm Trojan-PSW.Win32.QQShou!O Trojan/PSW.QQShou.aqt Trojan.Win32.QQShou.evyqv TROJ_AGKT.SMUS6 Trojan.Qqshou-23 Trojan-PSW.Win32.QQShou.pfp Trojan.PWS.QQShou!WQNr+ttAX9g Trojan.Win32.PSWQQShou.80480[h] Troj.PSW32.W.QQShou.aqt!c Trojan.QQShou.Win32.1230 TROJ_AGKT.SMUS6 BehavesLike.Win32.Autorun.lc Trojan/PSW.QQShou.adz W32/VB.NII!tr Trojan[PSW]/Win32.QQShou Trojan.Graftor.D33E1 Trojan/Win32.QQShou PWS:Win32/QQpass.DW Win32/QQPass.NVO TrojanPSW.QQShou Win32.Trojan-qqpass.Qqrob.Hwwq Trojan-PWS.Qqshou Trojan.Win32.VB.NII", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlineGamesXTUG.Worm": [[26, 50]], "Indicator: Trojan-PSW.Win32.QQShou!O": [[51, 76]], "Indicator: Trojan/PSW.QQShou.aqt": [[77, 98]], "Indicator: Trojan.Win32.QQShou.evyqv": [[99, 124]], "Indicator: TROJ_AGKT.SMUS6": [[125, 140], [299, 314]], "Indicator: Trojan.Qqshou-23": [[141, 157]], "Indicator: Trojan-PSW.Win32.QQShou.pfp": [[158, 185]], "Indicator: Trojan.PWS.QQShou!WQNr+ttAX9g": [[186, 215]], "Indicator: Trojan.Win32.PSWQQShou.80480[h]": [[216, 247]], "Indicator: Troj.PSW32.W.QQShou.aqt!c": [[248, 273]], "Indicator: Trojan.QQShou.Win32.1230": [[274, 298]], "Indicator: BehavesLike.Win32.Autorun.lc": [[315, 343]], "Indicator: Trojan/PSW.QQShou.adz": [[344, 365]], "Indicator: W32/VB.NII!tr": [[366, 379]], "Indicator: Trojan[PSW]/Win32.QQShou": [[380, 404]], "Indicator: Trojan.Graftor.D33E1": [[405, 425]], "Indicator: Trojan/Win32.QQShou": [[426, 445]], "Indicator: PWS:Win32/QQpass.DW": [[446, 465]], "Indicator: Win32/QQPass.NVO": [[466, 482]], "Indicator: TrojanPSW.QQShou": [[483, 499]], "Indicator: Win32.Trojan-qqpass.Qqrob.Hwwq": [[500, 530]], "Indicator: Trojan-PWS.Qqshou": [[531, 548]], "Indicator: Trojan.Win32.VB.NII": [[549, 568]]}, "info": {"id": "cyner2_5class_train_06134", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan/W32.Rootkit.9056.H Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Rootkit Win32/Rookuz.S Trojan.Win32.Hmir.bczend Trojan.NtRootKit.13456 Downloader.Hmir.Win32.3829 Backdoor.Winnt Trojan[Downloader]/Win32.Hmir Troj.GameThief.W32.OnLineGames.kZeW Backdoor:WinNT/Blazgel.A Trojan/Win32.Rootkit.R24603 TrojanDownloader.Hmir Win32/RootKit.Rootkit.03f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Rootkit.9056.H": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[52, 94]], "Indicator: Hacktool.Rootkit": [[95, 111]], "Indicator: Win32/Rookuz.S": [[112, 126]], "Indicator: Trojan.Win32.Hmir.bczend": [[127, 151]], "Indicator: Trojan.NtRootKit.13456": [[152, 174]], "Indicator: Downloader.Hmir.Win32.3829": [[175, 201]], "Indicator: Backdoor.Winnt": [[202, 216]], "Indicator: Trojan[Downloader]/Win32.Hmir": [[217, 246]], "Indicator: Troj.GameThief.W32.OnLineGames.kZeW": [[247, 282]], "Indicator: Backdoor:WinNT/Blazgel.A": [[283, 307]], "Indicator: Trojan/Win32.Rootkit.R24603": [[308, 335]], "Indicator: TrojanDownloader.Hmir": [[336, 357]], "Indicator: Win32/RootKit.Rootkit.03f": [[358, 383]]}, "info": {"id": "cyner2_5class_train_06135", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: HW32.Packed.BD3E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.BD3E": [[26, 42]]}, "info": {"id": "cyner2_5class_train_06136", "source": "cyner2_5class_train"}}
+{"text": "Symantec first began looking into this threat in the fall of 2013.", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "cyner2_5class_train_06137", "source": "cyner2_5class_train"}}
+{"text": "Once this malware has successfully installed , it will collect personal data , passwords , keystrokes , banking information , and more .", "spans": {}, "info": {"id": "cyner2_5class_train_06138", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Win32.A.Downloader.39936.EG Trojan.DownLoad2.31494 W32/Trojan.BMBV-5898 TR/Vodvit.A.10 Trojan:Win32/Vodvit.A Trojan.Graftor.D79FB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.A.Downloader.39936.EG": [[26, 60]], "Indicator: Trojan.DownLoad2.31494": [[61, 83]], "Indicator: W32/Trojan.BMBV-5898": [[84, 104]], "Indicator: TR/Vodvit.A.10": [[105, 119]], "Indicator: Trojan:Win32/Vodvit.A": [[120, 141]], "Indicator: Trojan.Graftor.D79FB": [[142, 162]]}, "info": {"id": "cyner2_5class_train_06139", "source": "cyner2_5class_train"}}
+{"text": "This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state .", "spans": {}, "info": {"id": "cyner2_5class_train_06140", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: HW32.Packed.71D4 Win32.Trojan.Kryptik.hj W32/Trojan.YMZM-8551 Trojan.Win32.SpyEyes.cxesvi Trojan.PWS.Papras.244 BehavesLike.Win32.DocumentCrypt.dc Trojan[Spy]/Win32.SpyEyes Trojan.Kazy.D5A6E2 TrojanDropper:Win32/Vawtrak.A Trojan/Win32.Reveton.R107579 TrojanPSW.Tepfer Backdoor.Andromeda Win32.Trojan.Atraps.Pbfq TrojanSpy.SpyEyes!jq5iqgzT3B4 Trojan-Spy.Zbot W32/Kryptik.EWVT!tr Win32/Trojan.73f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.71D4": [[26, 42]], "Indicator: Win32.Trojan.Kryptik.hj": [[43, 66]], "Indicator: W32/Trojan.YMZM-8551": [[67, 87]], "Indicator: Trojan.Win32.SpyEyes.cxesvi": [[88, 115]], "Indicator: Trojan.PWS.Papras.244": [[116, 137]], "Indicator: BehavesLike.Win32.DocumentCrypt.dc": [[138, 172]], "Indicator: Trojan[Spy]/Win32.SpyEyes": [[173, 198]], "Indicator: Trojan.Kazy.D5A6E2": [[199, 217]], "Indicator: TrojanDropper:Win32/Vawtrak.A": [[218, 247]], "Indicator: Trojan/Win32.Reveton.R107579": [[248, 276]], "Indicator: TrojanPSW.Tepfer": [[277, 293]], "Indicator: Backdoor.Andromeda": [[294, 312]], "Indicator: Win32.Trojan.Atraps.Pbfq": [[313, 337]], "Indicator: TrojanSpy.SpyEyes!jq5iqgzT3B4": [[338, 367]], "Indicator: Trojan-Spy.Zbot": [[368, 383]], "Indicator: W32/Kryptik.EWVT!tr": [[384, 403]], "Indicator: Win32/Trojan.73f": [[404, 420]]}, "info": {"id": "cyner2_5class_train_06141", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.BackdoorWabot.Trojan Backdoor.Win32.Wabot!O Trojan.Wabot.A8 Trojan/Delf.nrf Win32.Backdoor.Wabot.a W32.Wabot Win32/DCMgreen.A BKDR_WABOT.SMIA Win.Trojan.Wabot-6113548-0 Backdoor.Win32.Wabot.a Trojan.Win32.Wabot.dmukv Backdoor.Win32.Wabot.157619 Backdoor.W32.Wabot.tn6b Trojan.Win32.Wabot.a Backdoor.Win32.Wabot.A Trojan.MulDrop6.64369 Backdoor.Wabot.Win32.1 BKDR_WABOT.SMIA BehavesLike.Win32.Wabot.wc P2P-Worm.Win32.Delf Backdoor/Wabot.z Trojan[Backdoor]/Win32.Wabot.a TrojanSpy:MSIL/Omaneat.B Trojan.ShellIni.E7E294 Backdoor.Win32.Wabot.a Worm/Win32.IRCBot.R3689 Backdoor.Wabot Backdoor.Wabot I-Worm.Delf.NRF Win32/Delf.NRF Backdoor.Wabot!jai+hnpgbwI W32/Luiha.M!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BackdoorWabot.Trojan": [[26, 50]], "Indicator: Backdoor.Win32.Wabot!O": [[51, 73]], "Indicator: Trojan.Wabot.A8": [[74, 89]], "Indicator: Trojan/Delf.nrf": [[90, 105]], "Indicator: Win32.Backdoor.Wabot.a": [[106, 128]], "Indicator: W32.Wabot": [[129, 138]], "Indicator: Win32/DCMgreen.A": [[139, 155]], "Indicator: BKDR_WABOT.SMIA": [[156, 171], [388, 403]], "Indicator: Win.Trojan.Wabot-6113548-0": [[172, 198]], "Indicator: Backdoor.Win32.Wabot.a": [[199, 221], [547, 569]], "Indicator: Trojan.Win32.Wabot.dmukv": [[222, 246]], "Indicator: Backdoor.Win32.Wabot.157619": [[247, 274]], "Indicator: Backdoor.W32.Wabot.tn6b": [[275, 298]], "Indicator: Trojan.Win32.Wabot.a": [[299, 319]], "Indicator: Backdoor.Win32.Wabot.A": [[320, 342]], "Indicator: Trojan.MulDrop6.64369": [[343, 364]], "Indicator: Backdoor.Wabot.Win32.1": [[365, 387]], "Indicator: BehavesLike.Win32.Wabot.wc": [[404, 430]], "Indicator: P2P-Worm.Win32.Delf": [[431, 450]], "Indicator: Backdoor/Wabot.z": [[451, 467]], "Indicator: Trojan[Backdoor]/Win32.Wabot.a": [[468, 498]], "Indicator: TrojanSpy:MSIL/Omaneat.B": [[499, 523]], "Indicator: Trojan.ShellIni.E7E294": [[524, 546]], "Indicator: Worm/Win32.IRCBot.R3689": [[570, 593]], "Indicator: Backdoor.Wabot": [[594, 608], [609, 623]], "Indicator: I-Worm.Delf.NRF": [[624, 639]], "Indicator: Win32/Delf.NRF": [[640, 654]], "Indicator: Backdoor.Wabot!jai+hnpgbwI": [[655, 681]], "Indicator: W32/Luiha.M!tr": [[682, 696]]}, "info": {"id": "cyner2_5class_train_06142", "source": "cyner2_5class_train"}}
+{"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "cyner2_5class_train_06143", "source": "cyner2_5class_train"}}
+{"text": "Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with Jaff ransomware.", "spans": {"Organization: Flashpoint": [[26, 36]], "Malware: the Necurs botnet": [[101, 118]], "Indicator: opening malicious attachments": [[152, 181]], "System: computers": [[200, 209]], "Malware: Jaff ransomware.": [[215, 231]]}, "info": {"id": "cyner2_5class_train_06144", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor.Celofot.D Trojan/W32.Sasfis.93184.B Trojan.Win32.Sasfis!O Trojan.Sasfis TROJ_DELF.SMH Win32.Trojan.WisdomEyes.16070401.9500.9986 W32/Risk.WXEM-5531 Backdoor.Bifrose Trojan.Sasfis Win32/Sasfis.NUH Win.Trojan.Sasfis-42 Backdoor.Celofot.D Trojan.Win32.Sasfis.aobz Backdoor.Celofot.D Trojan.Win32.Sasfis.ikchn Trojan.Win32.A.Sasfis.93696.C Troj.W32.Smardf.lrGo Backdoor.Celofot.D Trojan.DownLoader4.42747 BehavesLike.Win32.SpywareLyndra.nc Trojan-Dropper.Delf W32/MalwareS.BHQS Trojan/Sasfis.koz Trojan/Win32.Sasfis.aobz Backdoor:Win32/Nitvea.A Backdoor.Celofot.D Trojan.Win32.Sasfis.aobz Trojan/Win32.Sasfis.R20535 Backdoor.Celofot.D Backdoor.Celofot.D Win32.Trojan.Sasfis.Pijo Trojan.Sasfis!nQm4iaN0os8 W32/Sasfis.LB!tr Win32/Trojan.6e1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Celofot.D": [[26, 44], [252, 270], [296, 314], [392, 410], [576, 594], [647, 665], [666, 684]], "Indicator: Trojan/W32.Sasfis.93184.B": [[45, 70]], "Indicator: Trojan.Win32.Sasfis!O": [[71, 92]], "Indicator: Trojan.Sasfis": [[93, 106], [200, 213]], "Indicator: TROJ_DELF.SMH": [[107, 120]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[121, 163]], "Indicator: W32/Risk.WXEM-5531": [[164, 182]], "Indicator: Backdoor.Bifrose": [[183, 199]], "Indicator: Win32/Sasfis.NUH": [[214, 230]], "Indicator: Win.Trojan.Sasfis-42": [[231, 251]], "Indicator: Trojan.Win32.Sasfis.aobz": [[271, 295], [595, 619]], "Indicator: Trojan.Win32.Sasfis.ikchn": [[315, 340]], "Indicator: Trojan.Win32.A.Sasfis.93696.C": [[341, 370]], "Indicator: Troj.W32.Smardf.lrGo": [[371, 391]], "Indicator: Trojan.DownLoader4.42747": [[411, 435]], "Indicator: BehavesLike.Win32.SpywareLyndra.nc": [[436, 470]], "Indicator: Trojan-Dropper.Delf": [[471, 490]], "Indicator: W32/MalwareS.BHQS": [[491, 508]], "Indicator: Trojan/Sasfis.koz": [[509, 526]], "Indicator: Trojan/Win32.Sasfis.aobz": [[527, 551]], "Indicator: Backdoor:Win32/Nitvea.A": [[552, 575]], "Indicator: Trojan/Win32.Sasfis.R20535": [[620, 646]], "Indicator: Win32.Trojan.Sasfis.Pijo": [[685, 709]], "Indicator: Trojan.Sasfis!nQm4iaN0os8": [[710, 735]], "Indicator: W32/Sasfis.LB!tr": [[736, 752]], "Indicator: Win32/Trojan.6e1": [[753, 769]]}, "info": {"id": "cyner2_5class_train_06145", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Backdoor.Prorat.e W32/Prorat.BNXP-3134 Backdoor.Prorat Win32/Prorat.19.P Win.Trojan.Delf-1540 Trojan.Win32.Tiny.baadu Backdoor.W32.Prorat!c BackDoor.ProRat.19 BehavesLike.Win32.Adware.tc Backdoor.Win32.Prorat W32/ProratX.ANJ BDS/Lurpen.rts W32/BDoor.AVW!dam Backdoor/Win32.Prorat.R111443 Backdoor.Prorat Bck/Prorat.HT Backdoor.Prorat!o+pRlXhwebo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Win32.Backdoor.Prorat.e": [[48, 71]], "Indicator: W32/Prorat.BNXP-3134": [[72, 92]], "Indicator: Backdoor.Prorat": [[93, 108], [342, 357]], "Indicator: Win32/Prorat.19.P": [[109, 126]], "Indicator: Win.Trojan.Delf-1540": [[127, 147]], "Indicator: Trojan.Win32.Tiny.baadu": [[148, 171]], "Indicator: Backdoor.W32.Prorat!c": [[172, 193]], "Indicator: BackDoor.ProRat.19": [[194, 212]], "Indicator: BehavesLike.Win32.Adware.tc": [[213, 240]], "Indicator: Backdoor.Win32.Prorat": [[241, 262]], "Indicator: W32/ProratX.ANJ": [[263, 278]], "Indicator: BDS/Lurpen.rts": [[279, 293]], "Indicator: W32/BDoor.AVW!dam": [[294, 311]], "Indicator: Backdoor/Win32.Prorat.R111443": [[312, 341]], "Indicator: Bck/Prorat.HT": [[358, 371]], "Indicator: Backdoor.Prorat!o+pRlXhwebo": [[372, 399]]}, "info": {"id": "cyner2_5class_train_06146", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W32.OnlinegameJTPX.Trojan Virus.Win32.Sality!O Troj.GameThief.W32.WOW.hre!c Win32.Trojan.WisdomEyes.16070401.9500.9997 Infostealer.Gampass Win32/Wowpa.HS TROJ_FAM_0001989.TOMA Win.Trojan.Delf-1669 Trojan.Win32.PSWWow.22440.B TrojWare.Win32.Trojan.Banker.~d08 Trojan.PWS.Wow.1283 Trojan.WOW.Win32.2972 TROJ_FAM_0001989.TOMA BehavesLike.Win32.Sality.lc W32/Trojan.EOQM-5227 Trojan/PSW.Moshou.ars Trojan[GameThief]/Win32.WOW Win32.Troj.PswWowT.lk.kcloud TrojanDropper:Win32/Dozmot.B Trojan/Win32.OnlineGameHack.C54025 BScope.Trojan.OnlineGames.0825 Win32/PSW.WOW.DZI Win32.Trojan.Heurinject.Lnxt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnlinegameJTPX.Trojan": [[26, 51]], "Indicator: Virus.Win32.Sality!O": [[52, 72]], "Indicator: Troj.GameThief.W32.WOW.hre!c": [[73, 101]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[102, 144]], "Indicator: Infostealer.Gampass": [[145, 164]], "Indicator: Win32/Wowpa.HS": [[165, 179]], "Indicator: TROJ_FAM_0001989.TOMA": [[180, 201], [327, 348]], "Indicator: Win.Trojan.Delf-1669": [[202, 222]], "Indicator: Trojan.Win32.PSWWow.22440.B": [[223, 250]], "Indicator: TrojWare.Win32.Trojan.Banker.~d08": [[251, 284]], "Indicator: Trojan.PWS.Wow.1283": [[285, 304]], "Indicator: Trojan.WOW.Win32.2972": [[305, 326]], "Indicator: BehavesLike.Win32.Sality.lc": [[349, 376]], "Indicator: W32/Trojan.EOQM-5227": [[377, 397]], "Indicator: Trojan/PSW.Moshou.ars": [[398, 419]], "Indicator: Trojan[GameThief]/Win32.WOW": [[420, 447]], "Indicator: Win32.Troj.PswWowT.lk.kcloud": [[448, 476]], "Indicator: TrojanDropper:Win32/Dozmot.B": [[477, 505]], "Indicator: Trojan/Win32.OnlineGameHack.C54025": [[506, 540]], "Indicator: BScope.Trojan.OnlineGames.0825": [[541, 571]], "Indicator: Win32/PSW.WOW.DZI": [[572, 589]], "Indicator: Win32.Trojan.Heurinject.Lnxt": [[590, 618]]}, "info": {"id": "cyner2_5class_train_06147", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Joke.Movingmouse Joke/W32.BadJoke.21504 Joke.Movingmouse Joke.MoveMouse Win.Joke.MovingMouse-1 Hoax.Win32.BadJoke.MovingMouse.a Joke.Movingmouse Riskware.Win32.MovingMouse.hrfx Hoax.BadJoke.21504.A Win32.Trojan-psw.Badjoke.Suno Joke.Win32.BadJoke.MovingMouse.~FCD Joke.Movingmouse Trojan.MulDrop.28720 Aplicacion/MovingMouse.a not-a-virus:BadJoke.Win32.MovingMouse.a W32/Joke.RZZA-1623 not-virus:Joke.Win32.MovingMouse HackTool[Hoax]/Win32.MovingMouse Joke.Movingmouse Hoax.W32.BadJoke.MovingMouse.a!c Hoax.Win32.BadJoke.MovingMouse.a Joke.Movingmouse Unwanted/Win32.Movingmouse.R123022 Joke.Movingmouse Win32/Hoax.MovingMouse.B Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Movingmouse": [[26, 42], [66, 82], [154, 170], [290, 306], [478, 494], [561, 577], [613, 629]], "Indicator: Joke/W32.BadJoke.21504": [[43, 65]], "Indicator: Joke.MoveMouse": [[83, 97]], "Indicator: Win.Joke.MovingMouse-1": [[98, 120]], "Indicator: Hoax.Win32.BadJoke.MovingMouse.a": [[121, 153], [528, 560]], "Indicator: Riskware.Win32.MovingMouse.hrfx": [[171, 202]], "Indicator: Hoax.BadJoke.21504.A": [[203, 223]], "Indicator: Win32.Trojan-psw.Badjoke.Suno": [[224, 253]], "Indicator: Joke.Win32.BadJoke.MovingMouse.~FCD": [[254, 289]], "Indicator: Trojan.MulDrop.28720": [[307, 327]], "Indicator: Aplicacion/MovingMouse.a": [[328, 352]], "Indicator: not-a-virus:BadJoke.Win32.MovingMouse.a": [[353, 392]], "Indicator: W32/Joke.RZZA-1623": [[393, 411]], "Indicator: not-virus:Joke.Win32.MovingMouse": [[412, 444]], "Indicator: HackTool[Hoax]/Win32.MovingMouse": [[445, 477]], "Indicator: Hoax.W32.BadJoke.MovingMouse.a!c": [[495, 527]], "Indicator: Unwanted/Win32.Movingmouse.R123022": [[578, 612]], "Indicator: Win32/Hoax.MovingMouse.B": [[630, 654]], "Indicator: Win32/Trojan.2ff": [[655, 671]]}, "info": {"id": "cyner2_5class_train_06148", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: W64/Application.KFTW-0763 Trojan.Win64.AdAnti.exbcmq ADWARE/AdAnti.nqwib Adware.ChinAd Trj/CI.A Win32/Trojan.7be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W64/Application.KFTW-0763": [[26, 51]], "Indicator: Trojan.Win64.AdAnti.exbcmq": [[52, 78]], "Indicator: ADWARE/AdAnti.nqwib": [[79, 98]], "Indicator: Adware.ChinAd": [[99, 112]], "Indicator: Trj/CI.A": [[113, 121]], "Indicator: Win32/Trojan.7be": [[122, 138]]}, "info": {"id": "cyner2_5class_train_06149", "source": "cyner2_5class_train"}}
+{"text": "Figure 25 : infected Android version distribution To further analyze “ Agent Smith ” ’ s infection landscape , we dived into the top 10 infected countries : Country Total Devices Total Infection Event Count Avg .", "spans": {"System: Android": [[21, 28]], "Malware: Agent Smith": [[71, 82]]}, "info": {"id": "cyner2_5class_train_06150", "source": "cyner2_5class_train"}}
+{"text": "FrozenCell : Multi-Platform Surveillance Campaign Against Palestinians October 5 , 2017 FrozenCell has been seen masquerading as various well known social media and chat applications as well as an app likely only used by Palestinian or Jordanian students sitting their 2016 general exams .", "spans": {"Malware: FrozenCell": [[0, 10], [88, 98]]}, "info": {"id": "cyner2_5class_train_06151", "source": "cyner2_5class_train"}}
+{"text": "WAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming .", "spans": {}, "info": {"id": "cyner2_5class_train_06152", "source": "cyner2_5class_train"}}
+{"text": "DAN GOODIN - 1/23/2017 , 4:39 PM A virulent family of malware that infected more than 10 million Android devices last year has made a comeback , this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users .", "spans": {"Malware: virulent": [[35, 43]], "System: Android": [[97, 104]], "System: Google Play": [[169, 180]]}, "info": {"id": "cyner2_5class_train_06153", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.MSIL.SpyGate.wsr Trojan.Win32.Disfa.dqmqly BehavesLike.Win32.Trojan.cc GrayWare/MSIL.Injector.AWA Trojan.Zusy.D28231 Trj/CI.A Trojan.Win32.Fsysna Win32/Trojan.7c5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[38, 80]], "Indicator: Backdoor.MSIL.SpyGate.wsr": [[81, 106]], "Indicator: Trojan.Win32.Disfa.dqmqly": [[107, 132]], "Indicator: BehavesLike.Win32.Trojan.cc": [[133, 160]], "Indicator: GrayWare/MSIL.Injector.AWA": [[161, 187]], "Indicator: Trojan.Zusy.D28231": [[188, 206]], "Indicator: Trj/CI.A": [[207, 215]], "Indicator: Trojan.Win32.Fsysna": [[216, 235]], "Indicator: Win32/Trojan.7c5": [[236, 252]]}, "info": {"id": "cyner2_5class_train_06154", "source": "cyner2_5class_train"}}
+{"text": "tcpdo [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06155", "source": "cyner2_5class_train"}}
+{"text": "Consumers in English-speaking countries, in particular the US and UK, are most at risk, since this is where the largest numbers of targeted banks are located.", "spans": {"Organization: Consumers": [[0, 9]], "Malware: at": [[79, 81]], "Organization: banks": [[140, 145]]}, "info": {"id": "cyner2_5class_train_06156", "source": "cyner2_5class_train"}}
+{"text": "Earlier this month, we spotted a phishing campaign that led victims to unknowingly download the Banker malware.", "spans": {"Malware: Banker malware.": [[96, 111]]}, "info": {"id": "cyner2_5class_train_06157", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Skeeyah.S5 Downloader.Chindo.Win32.162 Trojan.Adware.Graftor.D374DC not-a-virus:Downloader.Win32.Chindo.ap Trojan.Win32.Chindo.dumnyn Variant.Mikey.mvHB Adware.Chindo.12 PUA.RiskWare.Chindo RiskWare[Downloader]/Win32.Chindo.ap TrojanDownloader:Win32/Codumwis.B not-a-virus:Downloader.Win32.Chindo.ap BScope.Malware-Cryptor.Ngrbot Win32/RiskWare.Chindo.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.S5": [[26, 43]], "Indicator: Downloader.Chindo.Win32.162": [[44, 71]], "Indicator: Trojan.Adware.Graftor.D374DC": [[72, 100]], "Indicator: not-a-virus:Downloader.Win32.Chindo.ap": [[101, 139], [294, 332]], "Indicator: Trojan.Win32.Chindo.dumnyn": [[140, 166]], "Indicator: Variant.Mikey.mvHB": [[167, 185]], "Indicator: Adware.Chindo.12": [[186, 202]], "Indicator: PUA.RiskWare.Chindo": [[203, 222]], "Indicator: RiskWare[Downloader]/Win32.Chindo.ap": [[223, 259]], "Indicator: TrojanDownloader:Win32/Codumwis.B": [[260, 293]], "Indicator: BScope.Malware-Cryptor.Ngrbot": [[333, 362]], "Indicator: Win32/RiskWare.Chindo.L": [[363, 386]]}, "info": {"id": "cyner2_5class_train_06158", "source": "cyner2_5class_train"}}
+{"text": "Odatv is a secular news organization founded in 2007 with a reputation for being critical of Turkey's government and the Gülen Movement.", "spans": {"Organization: Odatv": [[0, 5]], "Organization: secular news organization": [[11, 36]], "Organization: Turkey's government": [[93, 112]], "Organization: the Gülen Movement.": [[117, 136]]}, "info": {"id": "cyner2_5class_train_06159", "source": "cyner2_5class_train"}}
+{"text": "params : This command allows the malicious operator to change configuration parameters in the malware .", "spans": {}, "info": {"id": "cyner2_5class_train_06160", "source": "cyner2_5class_train"}}
+{"text": "This threat can download other malware and unwanted software onto your PC.", "spans": {"Malware: threat": [[5, 11]], "Malware: malware": [[31, 38]], "System: software": [[52, 60]], "System: PC.": [[71, 74]]}, "info": {"id": "cyner2_5class_train_06161", "source": "cyner2_5class_train"}}
+{"text": "This malware appears to be newly developed with code that differs significantly from previously known Android malware .", "spans": {"System: Android": [[102, 109]]}, "info": {"id": "cyner2_5class_train_06162", "source": "cyner2_5class_train"}}
+{"text": "These URLs are all in the form of “ http : // $ C2. $ SERVER. $ IP/api/ ? id= $ NUM ” .", "spans": {"Indicator: http : // $ C2. $ SERVER. $ IP/api/ ? id= $ NUM": [[36, 83]]}, "info": {"id": "cyner2_5class_train_06163", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Backdoor.Bladabindi.FC.3722 Trojan.Zusy.D3D182 Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.lt MSIL/Small.CM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bladabindi.FC.3722": [[26, 53]], "Indicator: Trojan.Zusy.D3D182": [[54, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[73, 115]], "Indicator: BehavesLike.Win32.Trojan.lt": [[116, 143]], "Indicator: MSIL/Small.CM!tr": [[144, 160]]}, "info": {"id": "cyner2_5class_train_06164", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Yakes.8842 Trojan/CsNowDown.c Win32.Trojan.WisdomEyes.16070401.9500.9736 Downloader.Darkmegi Win.Trojan.Darkcpn-1 Trojan.Win32.Yakes.ktpl Trojan.Win32.Gamania.dridjs Trojan.PWS.Gamania.34539 BehavesLike.Win32.Backdoor.ct Trojan.Graftor.DCAF7 Trojan.Win32.Yakes.ktpl Trojan:WinNT/Waltrodock.A Downloader/Win32.Darkmegi.C1839200 Trj/CI.A W32/CsNowDown.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Yakes.8842": [[26, 43]], "Indicator: Trojan/CsNowDown.c": [[44, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9736": [[63, 105]], "Indicator: Downloader.Darkmegi": [[106, 125]], "Indicator: Win.Trojan.Darkcpn-1": [[126, 146]], "Indicator: Trojan.Win32.Yakes.ktpl": [[147, 170], [275, 298]], "Indicator: Trojan.Win32.Gamania.dridjs": [[171, 198]], "Indicator: Trojan.PWS.Gamania.34539": [[199, 223]], "Indicator: BehavesLike.Win32.Backdoor.ct": [[224, 253]], "Indicator: Trojan.Graftor.DCAF7": [[254, 274]], "Indicator: Trojan:WinNT/Waltrodock.A": [[299, 324]], "Indicator: Downloader/Win32.Darkmegi.C1839200": [[325, 359]], "Indicator: Trj/CI.A": [[360, 368]], "Indicator: W32/CsNowDown.C": [[369, 384]]}, "info": {"id": "cyner2_5class_train_06165", "source": "cyner2_5class_train"}}
+{"text": "Command and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C & C .", "spans": {}, "info": {"id": "cyner2_5class_train_06166", "source": "cyner2_5class_train"}}
+{"text": "Decrypted EventBot configuration Decrypted EventBot configuration returned from the C2 .", "spans": {"Malware: EventBot": [[10, 18], [43, 51]]}, "info": {"id": "cyner2_5class_train_06167", "source": "cyner2_5class_train"}}
+{"text": "Upon investigation we have determined the malware payload to be DELoader, which downloads a Zeus variant banking trojan upon execution.", "spans": {"Malware: malware payload": [[42, 57]], "Malware: DELoader,": [[64, 73]], "Malware: Zeus variant banking trojan": [[92, 119]]}, "info": {"id": "cyner2_5class_train_06168", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Lexfir.A TrojanAPT.Lexfir.A6 Trojan.Lexfir.A TSPY_DERUSBI.SMJ1 Win32.Trojan.WisdomEyes.16070401.9500.9979 Infostealer.Derusbi TSPY_DERUSBI.SMJ1 Win.Trojan.Derusbi-42 Trojan.Lexfir.A Backdoor.Win32.Winnti.jr Trojan.Lexfir.A Trojan.Lexfir.A Trojan.Lexfir.A DLOADER.PWS.Trojan W32/Trojan.ZNCA-7493 TR/PSW.Lexfir.A.3 Trojan.Lexfir.A Backdoor.Win32.Winnti.jr PWS:Win32/Lexfir.A Backdoor/Win32.Etso.R30303 Win32.Backdoor.Winnti.Lfzs Trojan.Derusbi!jrrDP0rufRk Trojan-Spy.Win32.Derusbi W32/DERUSBI.C!tr Win32/Trojan.PSW.186", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Lexfir.A": [[26, 41], [62, 77], [199, 214], [240, 255], [256, 271], [272, 287], [346, 361]], "Indicator: TrojanAPT.Lexfir.A6": [[42, 61]], "Indicator: TSPY_DERUSBI.SMJ1": [[78, 95], [159, 176]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9979": [[96, 138]], "Indicator: Infostealer.Derusbi": [[139, 158]], "Indicator: Win.Trojan.Derusbi-42": [[177, 198]], "Indicator: Backdoor.Win32.Winnti.jr": [[215, 239], [362, 386]], "Indicator: DLOADER.PWS.Trojan": [[288, 306]], "Indicator: W32/Trojan.ZNCA-7493": [[307, 327]], "Indicator: TR/PSW.Lexfir.A.3": [[328, 345]], "Indicator: PWS:Win32/Lexfir.A": [[387, 405]], "Indicator: Backdoor/Win32.Etso.R30303": [[406, 432]], "Indicator: Win32.Backdoor.Winnti.Lfzs": [[433, 459]], "Indicator: Trojan.Derusbi!jrrDP0rufRk": [[460, 486]], "Indicator: Trojan-Spy.Win32.Derusbi": [[487, 511]], "Indicator: W32/DERUSBI.C!tr": [[512, 528]], "Indicator: Win32/Trojan.PSW.186": [[529, 549]]}, "info": {"id": "cyner2_5class_train_06169", "source": "cyner2_5class_train"}}
+{"text": "The unidentified financial group targeted regional and global banks with offices in the Middle East.", "spans": {"Organization: regional": [[42, 50]], "Organization: global banks": [[55, 67]], "Organization: offices": [[73, 80]]}, "info": {"id": "cyner2_5class_train_06170", "source": "cyner2_5class_train"}}
+{"text": "Security Service of Ukraine SBU indicated that Russian spies had implanted malicious softwares in the State Grid which caused power plants shut down unexpectedly.", "spans": {"Organization: Security Service of Ukraine SBU": [[0, 31]], "Malware: malicious softwares": [[75, 94]], "Organization: the State Grid": [[98, 112]], "Organization: power plants": [[126, 138]]}, "info": {"id": "cyner2_5class_train_06171", "source": "cyner2_5class_train"}}
+{"text": "Other versions included all the pieces needed for a valid disclosure message .", "spans": {}, "info": {"id": "cyner2_5class_train_06172", "source": 
"cyner2_5class_train"}} +{"text": "However , it ’ s possible the set of commands may change in future versions of the Trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_06173", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LarmogasD.Trojan Dropped:Backdoor.Hupigon.211672 W32.Jadtre.B4 Trojan.Black.Win32.3180 Trojan/Dropper.Delf.dlv Dropped:Backdoor.Hupigon.211672 W32/Risk.UMVG-4201 TROJ_JADTRE.SMM Win.Spyware.66802-2 TScope.Malware-Cryptor.SB W32.Parite.lf96 TrojWare.Win32.PSW.OnLineGames.~LLD Trojan.PWS.Legmir.3153 BehavesLike.Win32.Gate.nh W32/Dropper.ANYI Trojan/KillAV.bbj TR/Drop.Delfdru.O Win32.PSWTroj.OnLineGames.kcloud Backdoor.Hupigon.D33AD8 Dropped:Backdoor.Hupigon.211672 Dropper/Win32.Microjoin.R1379 Dropped:Backdoor.Hupigon.211672 Dropped:Backdoor.Hupigon.211672 Trj/CI.A Trojan.DR.Delfdru!ayAD7it/9FQ Win32/Trojan.Dropper.cad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LarmogasD.Trojan": [[26, 46]], "Indicator: Dropped:Backdoor.Hupigon.211672": [[47, 78], [141, 172], [465, 496], [527, 558], [559, 590]], "Indicator: W32.Jadtre.B4": [[79, 92]], "Indicator: Trojan.Black.Win32.3180": [[93, 116]], "Indicator: Trojan/Dropper.Delf.dlv": [[117, 140]], "Indicator: W32/Risk.UMVG-4201": [[173, 191]], "Indicator: TROJ_JADTRE.SMM": [[192, 207]], "Indicator: Win.Spyware.66802-2": [[208, 227]], "Indicator: TScope.Malware-Cryptor.SB": [[228, 253]], "Indicator: W32.Parite.lf96": [[254, 269]], "Indicator: TrojWare.Win32.PSW.OnLineGames.~LLD": [[270, 305]], "Indicator: Trojan.PWS.Legmir.3153": [[306, 328]], "Indicator: BehavesLike.Win32.Gate.nh": [[329, 354]], "Indicator: W32/Dropper.ANYI": [[355, 371]], "Indicator: Trojan/KillAV.bbj": [[372, 389]], "Indicator: TR/Drop.Delfdru.O": [[390, 407]], "Indicator: Win32.PSWTroj.OnLineGames.kcloud": [[408, 440]], "Indicator: Backdoor.Hupigon.D33AD8": [[441, 464]], "Indicator: Dropper/Win32.Microjoin.R1379": [[497, 526]], "Indicator: Trj/CI.A": [[591, 599]], "Indicator: 
Trojan.DR.Delfdru!ayAD7it/9FQ": [[600, 629]], "Indicator: Win32/Trojan.Dropper.cad": [[630, 654]]}, "info": {"id": "cyner2_5class_train_06174", "source": "cyner2_5class_train"}} +{"text": "APT19 used three different techniques to attempt to compromise targets.", "spans": {"Organization: targets.": [[63, 71]]}, "info": {"id": "cyner2_5class_train_06175", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: AIT:Trojan.Autoit.CAQ AIT:Trojan.Autoit.CAQ Win32.Trojan.WisdomEyes.16070401.9500.9949 AIT:Trojan.Autoit.CAQ Trojan-Banker.Win32.AutoIt.zl AIT:Trojan.Autoit.CAQ Trojan.DownLoader23.53524 Trojan/Banker.AutoIt.bu TrojanSpy:Win32/Aneatop.A Trojan-Banker.Win32.AutoIt.zl Win32.Trojan-banker.Autoit.Suny Win32/Trojan.5f1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AIT:Trojan.Autoit.CAQ": [[26, 47], [48, 69], [113, 134], [165, 186]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9949": [[70, 112]], "Indicator: Trojan-Banker.Win32.AutoIt.zl": [[135, 164], [263, 292]], "Indicator: Trojan.DownLoader23.53524": [[187, 212]], "Indicator: Trojan/Banker.AutoIt.bu": [[213, 236]], "Indicator: TrojanSpy:Win32/Aneatop.A": [[237, 262]], "Indicator: Win32.Trojan-banker.Autoit.Suny": [[293, 324]], "Indicator: Win32/Trojan.5f1": [[325, 341]]}, "info": {"id": "cyner2_5class_train_06176", "source": "cyner2_5class_train"}} +{"text": "Finally , the malware spawns a thread that has the goal to load , remap , and relocate the stage 5 malware .", "spans": {}, "info": {"id": "cyner2_5class_train_06177", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WscmgrA.Trojan Trojan-PSW.Win32.Delf!O Trojan/PSW.Delf.abx Win32.Trojan.WisdomEyes.16070401.9500.9700 W32/Autorun.MSPP-2235 W32.SillyFDC Win32/Retecha.A WORM_DELF.NAN Win.Trojan.Delf-3449 Trojan-PSW.Win32.Delf.abx Trojan.Win32.Delf.brmlqc Trojan.Win32.Autorun.382020 Win32.Trojan-qqpass.Qqrob.Sxyo Trojan.PWS.Sadas Trojan.Delf.Win32.3468 WORM_DELF.NAN W32/Autorun.O Trojan/PSW.GamePass.yqg 
TR/PSW.Delf.abx.3 Worm:Win32/Hamtacker.A Trojan-PSW.Win32.Delf.abx Worm/Win32.AutoRun.R76556 Worm.Brontok Trojan.Delf.ABX Win32/PSW.Delf.ABX Hacktool.Dialuppass.A not-a-virus:PSWTool.Win32.Dialupass.an W32/Autorun.PG.worm Win32/Trojan.PSW.8bb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WscmgrA.Trojan": [[26, 44]], "Indicator: Trojan-PSW.Win32.Delf!O": [[45, 68]], "Indicator: Trojan/PSW.Delf.abx": [[69, 88]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9700": [[89, 131]], "Indicator: W32/Autorun.MSPP-2235": [[132, 153]], "Indicator: W32.SillyFDC": [[154, 166]], "Indicator: Win32/Retecha.A": [[167, 182]], "Indicator: WORM_DELF.NAN": [[183, 196], [368, 381]], "Indicator: Win.Trojan.Delf-3449": [[197, 217]], "Indicator: Trojan-PSW.Win32.Delf.abx": [[218, 243], [461, 486]], "Indicator: Trojan.Win32.Delf.brmlqc": [[244, 268]], "Indicator: Trojan.Win32.Autorun.382020": [[269, 296]], "Indicator: Win32.Trojan-qqpass.Qqrob.Sxyo": [[297, 327]], "Indicator: Trojan.PWS.Sadas": [[328, 344]], "Indicator: Trojan.Delf.Win32.3468": [[345, 367]], "Indicator: W32/Autorun.O": [[382, 395]], "Indicator: Trojan/PSW.GamePass.yqg": [[396, 419]], "Indicator: TR/PSW.Delf.abx.3": [[420, 437]], "Indicator: Worm:Win32/Hamtacker.A": [[438, 460]], "Indicator: Worm/Win32.AutoRun.R76556": [[487, 512]], "Indicator: Worm.Brontok": [[513, 525]], "Indicator: Trojan.Delf.ABX": [[526, 541]], "Indicator: Win32/PSW.Delf.ABX": [[542, 560]], "Indicator: Hacktool.Dialuppass.A": [[561, 582]], "Indicator: not-a-virus:PSWTool.Win32.Dialupass.an": [[583, 621]], "Indicator: W32/Autorun.PG.worm": [[622, 641]], "Indicator: Win32/Trojan.PSW.8bb": [[642, 662]]}, "info": {"id": "cyner2_5class_train_06178", "source": "cyner2_5class_train"}} +{"text": "And this just means attackers will continue to be successful .", "spans": {}, "info": {"id": "cyner2_5class_train_06179", "source": "cyner2_5class_train"}} +{"text": "Their findings showed that Wolf is headquartered in Germany with offices in Cyprus , 
Bulgaria , Romania , India and ( possibly ) the U.S .", "spans": {}, "info": {"id": "cyner2_5class_train_06180", "source": "cyner2_5class_train"}} +{"text": "The following scenario may play out : according to the templates for processing incoming SMSs , Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number .", "spans": {"Malware: Rotexy": [[96, 102]]}, "info": {"id": "cyner2_5class_train_06181", "source": "cyner2_5class_train"}} +{"text": "It is a custom obfuscation partly based on base85 encoding , which is in itself unusual , in malware .", "spans": {"Indicator: base85 encoding": [[43, 58]]}, "info": {"id": "cyner2_5class_train_06182", "source": "cyner2_5class_train"}} +{"text": "Yet perhaps most notably, BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims.", "spans": {"Indicator: attacks": [[71, 78]], "Indicator: ransoming encrypted files": [[89, 114]], "Indicator: data-leak extortion": [[132, 151]]}, "info": {"id": "cyner2_5class_train_06183", "source": "cyner2_5class_train"}} +{"text": "Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.", "spans": {"Organization: Visa": [[0, 4]], "Indicator: Internet addresses": [[30, 48]], "Indicator: Oracle breach": [[84, 97]]}, "info": {"id": "cyner2_5class_train_06184", "source": "cyner2_5class_train"}} +{"text": "“ Agent Smith ” repacks its prey apps at smali/baksmali code level .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_5class_train_06185", "source": "cyner2_5class_train"}} +{"text": "Destructive malware used by unknown computer network exploitation CNE operators has been identified.", "spans": {"Malware: Destructive malware": [[0, 19]], "Vulnerability: computer network 
exploitation CNE": [[36, 69]]}, "info": {"id": "cyner2_5class_train_06186", "source": "cyner2_5class_train"}} +{"text": "The earliest instance where a cyber attack was attributed to the OilRig campaign was in late 2015.", "spans": {"Indicator: cyber attack": [[30, 42]]}, "info": {"id": "cyner2_5class_train_06187", "source": "cyner2_5class_train"}} +{"text": "This screen persists on the screen and prevents the user from using the navigation buttons .", "spans": {}, "info": {"id": "cyner2_5class_train_06188", "source": "cyner2_5class_train"}} +{"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq URLs hxxp : //88.99.227 [ .", "spans": {"Indicator: Homevideo2-12l.ml": [[64, 81]], "Indicator: videohosting1-5j.gq": [[82, 101]], "Indicator: hxxp : //88.99.227 [ .": [[107, 129]]}, "info": {"id": "cyner2_5class_train_06189", "source": "cyner2_5class_train"}} +{"text": "android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed .", "spans": {"Indicator: android.intent.action.SIM_STATE_CHANGED": [[0, 39]]}, "info": {"id": "cyner2_5class_train_06190", "source": "cyner2_5class_train"}} +{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.249 [ .", "spans": {"Indicator: 185.158.249 [ .": [[37, 52]]}, "info": {"id": "cyner2_5class_train_06191", "source": "cyner2_5class_train"}} +{"text": "If the geolocation points to Brazil, then another malicious file is downloaded.", "spans": {"Indicator: another malicious file is downloaded.": [[42, 79]]}, "info": {"id": "cyner2_5class_train_06192", "source": "cyner2_5class_train"}} +{"text": "Command Description push Shows a push notification .", "spans": {}, "info": {"id": "cyner2_5class_train_06193", "source": "cyner2_5class_train"}} +{"text": "Furthermore , we found that in just the first two weeks of 2017 , there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and 
roaming in the wild .", "spans": {"Malware: SpyNote": [[147, 154]], "Malware: SpyNote RAT": [[173, 184]]}, "info": {"id": "cyner2_5class_train_06194", "source": "cyner2_5class_train"}} +{"text": "This is a local root exploit pack , and the Trojan uses 4 different exploit pack files , 3 for 32-bit systems and 1 for 64-bit-systems .", "spans": {}, "info": {"id": "cyner2_5class_train_06195", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BitcoinMiner Win32.Trojan.WisdomEyes.16070401.9500.9983 Downloader.MisleadApp not-a-virus:RiskTool.Win32.BitCoinMiner.iqlc Trojan.Win32.Z.Svcminer.27648 RiskTool.BitCoinMiner.gvg TR/Downloader.knzhj RiskWare[RiskTool]/Win32.BitCoinMiner TrojanDownloader:Win32/SvcMiner.A!bit not-a-virus:RiskTool.Win32.BitCoinMiner.iqlc Trojan/Win32.Mepaow.C87266 Trj/GdSda.A Trojan.CoinMiner", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BitcoinMiner": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[46, 88]], "Indicator: Downloader.MisleadApp": [[89, 110]], "Indicator: not-a-virus:RiskTool.Win32.BitCoinMiner.iqlc": [[111, 155], [308, 352]], "Indicator: Trojan.Win32.Z.Svcminer.27648": [[156, 185]], "Indicator: RiskTool.BitCoinMiner.gvg": [[186, 211]], "Indicator: TR/Downloader.knzhj": [[212, 231]], "Indicator: RiskWare[RiskTool]/Win32.BitCoinMiner": [[232, 269]], "Indicator: TrojanDownloader:Win32/SvcMiner.A!bit": [[270, 307]], "Indicator: Trojan/Win32.Mepaow.C87266": [[353, 379]], "Indicator: Trj/GdSda.A": [[380, 391]], "Indicator: Trojan.CoinMiner": [[392, 408]]}, "info": {"id": "cyner2_5class_train_06196", "source": "cyner2_5class_train"}} +{"text": "In February , we recorded 767 infections .", "spans": {}, "info": {"id": "cyner2_5class_train_06197", "source": "cyner2_5class_train"}} +{"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time .", 
"spans": {"Indicator: DroidVPN": [[15, 23], [73, 81]], "Malware: HenBox": [[63, 69]]}, "info": {"id": "cyner2_5class_train_06198", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RadmasAM.Trojan Worm/W32.Updater.65536.B Virus.Win32.Sality!O Win32.Worm.Pepex.b W32.Virut.CF Win32/Tnega.AQRF WORM_DIPASIK.SM Win.Worm.Updater-4 Email-Worm.Win32.Updater.n Hoax.W32.ArchSMS.m5oU Win32.HLLM.Updater.5 WORM_DIPASIK.SM Email-Worm.Win32.Atak Worm/Updater.e Worm[Email]/Win32.Updater Worm:Win32/Networm.A Email-Worm.Win32.Updater.n Trojan/Win32.Kykymber.R128813 Worm.Updater Win32/Pepex.I Trojan.Win32.Snake.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RadmasAM.Trojan": [[26, 45]], "Indicator: Worm/W32.Updater.65536.B": [[46, 70]], "Indicator: Virus.Win32.Sality!O": [[71, 91]], "Indicator: Win32.Worm.Pepex.b": [[92, 110]], "Indicator: W32.Virut.CF": [[111, 123]], "Indicator: Win32/Tnega.AQRF": [[124, 140]], "Indicator: WORM_DIPASIK.SM": [[141, 156], [246, 261]], "Indicator: Win.Worm.Updater-4": [[157, 175]], "Indicator: Email-Worm.Win32.Updater.n": [[176, 202], [346, 372]], "Indicator: Hoax.W32.ArchSMS.m5oU": [[203, 224]], "Indicator: Win32.HLLM.Updater.5": [[225, 245]], "Indicator: Email-Worm.Win32.Atak": [[262, 283]], "Indicator: Worm/Updater.e": [[284, 298]], "Indicator: Worm[Email]/Win32.Updater": [[299, 324]], "Indicator: Worm:Win32/Networm.A": [[325, 345]], "Indicator: Trojan/Win32.Kykymber.R128813": [[373, 402]], "Indicator: Worm.Updater": [[403, 415]], "Indicator: Win32/Pepex.I": [[416, 429]], "Indicator: Trojan.Win32.Snake.a": [[430, 450]]}, "info": {"id": "cyner2_5class_train_06199", "source": "cyner2_5class_train"}} +{"text": "Playing further off the suggested GAS Tecnologia link , the app promises better security for its users .", "spans": {"System: GAS Tecnologia": [[34, 48]]}, "info": {"id": "cyner2_5class_train_06200", "source": "cyner2_5class_train"}} +{"text": "] zqo-japan [ .", "spans": {}, "info": {"id": 
"cyner2_5class_train_06201", "source": "cyner2_5class_train"}} +{"text": "Several days ago, researchers at FireEye attributed a recent phishing campaign to FIN7, a campaign in which cybercriminals delivered malicious Microsoft Office documents to users, deploying both Cobalt Strike and a VBS-based backdoor on infected workstations.", "spans": {"Organization: researchers": [[18, 29]], "Organization: FireEye": [[33, 40]], "Malware: malicious Microsoft Office documents": [[133, 169]], "Malware: Cobalt Strike": [[195, 208]], "Malware: VBS-based backdoor": [[215, 233]], "System: infected workstations.": [[237, 259]]}, "info": {"id": "cyner2_5class_train_06202", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9974 Trojan.Win32.ArchSMS.cwxrht Hoax.MSIL.gn Trojan:MSIL/Blinerarch.AU Trj/CI.A Msil.Risk.Hoax.Wure Trojan.ArchSMS!IMpJTYjIG18 Hoax.MSIL Win32/Trojan.Dropper.411", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9974": [[26, 68]], "Indicator: Trojan.Win32.ArchSMS.cwxrht": [[69, 96]], "Indicator: Hoax.MSIL.gn": [[97, 109]], "Indicator: Trojan:MSIL/Blinerarch.AU": [[110, 135]], "Indicator: Trj/CI.A": [[136, 144]], "Indicator: Msil.Risk.Hoax.Wure": [[145, 164]], "Indicator: Trojan.ArchSMS!IMpJTYjIG18": [[165, 191]], "Indicator: Hoax.MSIL": [[192, 201]], "Indicator: Win32/Trojan.Dropper.411": [[202, 226]]}, "info": {"id": "cyner2_5class_train_06203", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Systex.A Trojan.Inject1.7920 Win32.Troj.Undef.kcloud VirTool:Win32/Obfuscator.XZ Rootkit.Xytets HeurEngine.Vmpbad Trojan.Spy.Texy!4898 Trojan.Win32.Spy Trj/Thed.W", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Systex.A": [[26, 38]], "Indicator: Trojan.Inject1.7920": [[39, 58]], "Indicator: Win32.Troj.Undef.kcloud": [[59, 82]], "Indicator: VirTool:Win32/Obfuscator.XZ": [[83, 110]], "Indicator: Rootkit.Xytets": [[111, 125]], 
"Indicator: HeurEngine.Vmpbad": [[126, 143]], "Indicator: Trojan.Spy.Texy!4898": [[144, 164]], "Indicator: Trojan.Win32.Spy": [[165, 181]], "Indicator: Trj/Thed.W": [[182, 192]]}, "info": {"id": "cyner2_5class_train_06204", "source": "cyner2_5class_train"}} +{"text": "Subsequently , the malware will change the screen off time-out to 10 minutes .", "spans": {}, "info": {"id": "cyner2_5class_train_06205", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D255EA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BackDoor.Miniduke.3 BehavesLike.Win32.RansomWannaCry.tz Trojan.Win32.Bayrob TR/Crypt.ZPACK.88814 Trojan[Backdoor]/Win32.CosmicDuke Win32.Hack.CosmicDuke.h.kcloud Trojan:Win32/Bandiu.A Backdoor.CosmicDuke Backdoor.CosmicDuke! W32/CosmicDuke.F!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D255EA": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[48, 90]], "Indicator: Backdoor.Trojan": [[91, 106]], "Indicator: BackDoor.Miniduke.3": [[107, 126]], "Indicator: BehavesLike.Win32.RansomWannaCry.tz": [[127, 162]], "Indicator: Trojan.Win32.Bayrob": [[163, 182]], "Indicator: TR/Crypt.ZPACK.88814": [[183, 203]], "Indicator: Trojan[Backdoor]/Win32.CosmicDuke": [[204, 237]], "Indicator: Win32.Hack.CosmicDuke.h.kcloud": [[238, 268]], "Indicator: Trojan:Win32/Bandiu.A": [[269, 290]], "Indicator: Backdoor.CosmicDuke": [[291, 310]], "Indicator: Backdoor.CosmicDuke!": [[311, 331]], "Indicator: W32/CosmicDuke.F!tr.bdr": [[332, 355]]}, "info": {"id": "cyner2_5class_train_06206", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Pesin.Win32.2 Trojan.Heur.E41DEE Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/Pesin.C Virus.Win32.HLLW.Delf.b Virus.Win32.HLLW.gjjl Trojan.PWS.Mob Trojan/HLLP.s W32/Banker.TOA!tr Worm:Win32/Pesin.C Virus.Win32.HLLW.Delf.b Trojan.Worm.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Pesin.Win32.2": [[26, 45]], 
"Indicator: Trojan.Heur.E41DEE": [[46, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[65, 107]], "Indicator: Win32/Pesin.C": [[108, 121]], "Indicator: Virus.Win32.HLLW.Delf.b": [[122, 145], [234, 257]], "Indicator: Virus.Win32.HLLW.gjjl": [[146, 167]], "Indicator: Trojan.PWS.Mob": [[168, 182]], "Indicator: Trojan/HLLP.s": [[183, 196]], "Indicator: W32/Banker.TOA!tr": [[197, 214]], "Indicator: Worm:Win32/Pesin.C": [[215, 233]], "Indicator: Trojan.Worm.Delf": [[258, 274]]}, "info": {"id": "cyner2_5class_train_06207", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.35FE WORM_METSYS.SMI W32/Trojan.ZLO Win32/ProRat.AL WORM_METSYS.SMI Trojan.Ratibe W32/Trojan.JJUN-8278 Trojan:Win32/Metsys.A HEUR/Fakon.mwf W32/MediaTest.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.35FE": [[26, 43]], "Indicator: WORM_METSYS.SMI": [[44, 59], [91, 106]], "Indicator: W32/Trojan.ZLO": [[60, 74]], "Indicator: Win32/ProRat.AL": [[75, 90]], "Indicator: Trojan.Ratibe": [[107, 120]], "Indicator: W32/Trojan.JJUN-8278": [[121, 141]], "Indicator: Trojan:Win32/Metsys.A": [[142, 163]], "Indicator: HEUR/Fakon.mwf": [[164, 178]], "Indicator: W32/MediaTest.A.worm": [[179, 199]]}, "info": {"id": "cyner2_5class_train_06208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RansomGimemoE.Trojan Trojan-Ransom.Win32.Gimemo!O Trojan.Dofoil.A Trojan.Gimemo.Win32.2687 Trojan/Injector.sxm Win32.Trojan.Injector.ec W32.Pilleuz Win32/Loktrom.FR TROJ_RANSOM.SM3 Win.Trojan.Injector-603 Trojan-Ransom.Win32.Gimemo.vhu Trojan.Win32.Gimemo.tfgni Trojan.Win32.A.Gimemo.83968 Trojan.Packed.22718 TROJ_RANSOM.SM3 BehavesLike.Win32.ZBot.dc Trojan/Gimemo.cmk Trojan[Ransom]/Win32.Gimemo Ransom:Win32/Loktrom.A Trojan.Zusy.D2A53 Win.Adware.Websearch.moge Trojan-Ransom.Win32.Gimemo.vhu Trojan/Win32.Injector.R30428 BScope.Trojan-Injector.2151 Trojan.Injector!ZShGusAMkc8 Trojan-Ransom.Win32.Gimemo W32/Zbot.YW!tr", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: W32.RansomGimemoE.Trojan": [[26, 50]], "Indicator: Trojan-Ransom.Win32.Gimemo!O": [[51, 79]], "Indicator: Trojan.Dofoil.A": [[80, 95]], "Indicator: Trojan.Gimemo.Win32.2687": [[96, 120]], "Indicator: Trojan/Injector.sxm": [[121, 140]], "Indicator: Win32.Trojan.Injector.ec": [[141, 165]], "Indicator: W32.Pilleuz": [[166, 177]], "Indicator: Win32/Loktrom.FR": [[178, 194]], "Indicator: TROJ_RANSOM.SM3": [[195, 210], [340, 355]], "Indicator: Win.Trojan.Injector-603": [[211, 234]], "Indicator: Trojan-Ransom.Win32.Gimemo.vhu": [[235, 265], [495, 525]], "Indicator: Trojan.Win32.Gimemo.tfgni": [[266, 291]], "Indicator: Trojan.Win32.A.Gimemo.83968": [[292, 319]], "Indicator: Trojan.Packed.22718": [[320, 339]], "Indicator: BehavesLike.Win32.ZBot.dc": [[356, 381]], "Indicator: Trojan/Gimemo.cmk": [[382, 399]], "Indicator: Trojan[Ransom]/Win32.Gimemo": [[400, 427]], "Indicator: Ransom:Win32/Loktrom.A": [[428, 450]], "Indicator: Trojan.Zusy.D2A53": [[451, 468]], "Indicator: Win.Adware.Websearch.moge": [[469, 494]], "Indicator: Trojan/Win32.Injector.R30428": [[526, 554]], "Indicator: BScope.Trojan-Injector.2151": [[555, 582]], "Indicator: Trojan.Injector!ZShGusAMkc8": [[583, 610]], "Indicator: Trojan-Ransom.Win32.Gimemo": [[611, 637]], "Indicator: W32/Zbot.YW!tr": [[638, 652]]}, "info": {"id": "cyner2_5class_train_06209", "source": "cyner2_5class_train"}} +{"text": "Employ stronger credentials , for instance , to make them less susceptible to unauthorized access .", "spans": {}, "info": {"id": "cyner2_5class_train_06210", "source": "cyner2_5class_train"}} +{"text": "In the past two years, two campaigns of Sakula activity stand out as being particularly significant – the French Aerospace Campaign and the Ironman Campaign.", "spans": {"Malware: Sakula": [[40, 46]], "Organization: the French Aerospace Campaign": [[102, 131]], "Organization: the Ironman Campaign.": [[136, 157]]}, "info": {"id": "cyner2_5class_train_06211", "source": 
"cyner2_5class_train"}} +{"text": "After the files are encrypted filenames are appended with .rokku", "spans": {"Indicator: encrypted filenames": [[20, 39]], "Indicator: .rokku": [[58, 64]]}, "info": {"id": "cyner2_5class_train_06212", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VB Trojan.Midie.DA596 Win32.Trojan.VB.gx W32/Trojan.ZVBM-4484 Win32/FakeRecycled.A WORM_VB.SMF Win.Trojan.VB-684 Trojan.Win32.VB.aqt Trojan.DownLoad3.64248 WORM_VB.SMF BehavesLike.Win32.Dropper.wc Trojan.Atros6 W32/Trojan.XUP Trojan.Qhost.pw TR/VB.AQT Trojan/Win32.VB Worm:Win32/Fakerecy.A Trojan.Win32.VB.aqt Trojan/Win32.Tiggre.R216587 SScope.Trojan.VBRA.7311 Trj/CI.A Worm.Autorun.DU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VB": [[26, 35]], "Indicator: Trojan.Midie.DA596": [[36, 54]], "Indicator: Win32.Trojan.VB.gx": [[55, 73]], "Indicator: W32/Trojan.ZVBM-4484": [[74, 94]], "Indicator: Win32/FakeRecycled.A": [[95, 115]], "Indicator: WORM_VB.SMF": [[116, 127], [189, 200]], "Indicator: Win.Trojan.VB-684": [[128, 145]], "Indicator: Trojan.Win32.VB.aqt": [[146, 165], [323, 342]], "Indicator: Trojan.DownLoad3.64248": [[166, 188]], "Indicator: BehavesLike.Win32.Dropper.wc": [[201, 229]], "Indicator: Trojan.Atros6": [[230, 243]], "Indicator: W32/Trojan.XUP": [[244, 258]], "Indicator: Trojan.Qhost.pw": [[259, 274]], "Indicator: TR/VB.AQT": [[275, 284]], "Indicator: Trojan/Win32.VB": [[285, 300]], "Indicator: Worm:Win32/Fakerecy.A": [[301, 322]], "Indicator: Trojan/Win32.Tiggre.R216587": [[343, 370]], "Indicator: SScope.Trojan.VBRA.7311": [[371, 394]], "Indicator: Trj/CI.A": [[395, 403]], "Indicator: Worm.Autorun.DU": [[404, 419]]}, "info": {"id": "cyner2_5class_train_06213", "source": "cyner2_5class_train"}} +{"text": "As a part of this campaign, we also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the 
attackers targeting tactics.", "spans": {"Organization: Russian-speaking financial analysts": [[56, 91]], "Organization: global financial firms": [[103, 125]], "Organization: telecom corporations": [[139, 159]]}, "info": {"id": "cyner2_5class_train_06214", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Jorik.IRCbot!O Trojan.Jorik Trojan.Jorik.Win32.190644 Troj.W32.Jorik.Ircbot!c Trojan/IRCBot.nhr Win32.Trojan.WisdomEyes.16070401.9500.9992 W32.IRCBot Trojan.Win32.Jorik.IRCbot.wja Trojan.Win32.Jorik.dgdeqb BackDoor.IRC.Sdbot.17833 BehavesLike.Win32.Trojan.nh Trojan.Win32.Jorik Trojan/Jorik.gmen Trojan/Win32.IRCbot Trojan.Win32.Jorik.IRCbot.wja Trojan:Win32/Squida.A Worm/Win32.IRCBot.R123038 Trojan.IRCbot Win32.Trojan.Jorik.Ahef Win32/Trojan.053", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Jorik.IRCbot!O": [[26, 53]], "Indicator: Trojan.Jorik": [[54, 66]], "Indicator: Trojan.Jorik.Win32.190644": [[67, 92]], "Indicator: Troj.W32.Jorik.Ircbot!c": [[93, 116]], "Indicator: Trojan/IRCBot.nhr": [[117, 134]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[135, 177]], "Indicator: W32.IRCBot": [[178, 188]], "Indicator: Trojan.Win32.Jorik.IRCbot.wja": [[189, 218], [355, 384]], "Indicator: Trojan.Win32.Jorik.dgdeqb": [[219, 244]], "Indicator: BackDoor.IRC.Sdbot.17833": [[245, 269]], "Indicator: BehavesLike.Win32.Trojan.nh": [[270, 297]], "Indicator: Trojan.Win32.Jorik": [[298, 316]], "Indicator: Trojan/Jorik.gmen": [[317, 334]], "Indicator: Trojan/Win32.IRCbot": [[335, 354]], "Indicator: Trojan:Win32/Squida.A": [[385, 406]], "Indicator: Worm/Win32.IRCBot.R123038": [[407, 432]], "Indicator: Trojan.IRCbot": [[433, 446]], "Indicator: Win32.Trojan.Jorik.Ahef": [[447, 470]], "Indicator: Win32/Trojan.053": [[471, 487]]}, "info": {"id": "cyner2_5class_train_06215", "source": "cyner2_5class_train"}} +{"text": "Keylogging : record input events by hooking IPCThreadState : :Transact from /system/lib/libbinder.so , and 
intercepting android : :parcel with the interface com.android.internal.view.IInputContext .", "spans": {"Indicator: /system/lib/libbinder.so": [[76, 100]], "Indicator: android : :parcel": [[120, 137]], "Indicator: com.android.internal.view.IInputContext": [[157, 196]]}, "info": {"id": "cyner2_5class_train_06216", "source": "cyner2_5class_train"}} +{"text": "The newest variant, TeslaCrypt 2.0, uses the same encryption algorithm; however, the keys and other configuration data are stored in the Windows Registry instead of a file on the local disk as in previous versions.", "spans": {"Malware: TeslaCrypt 2.0,": [[20, 35]], "Indicator: same encryption algorithm;": [[45, 71]], "Indicator: keys": [[85, 89]], "Indicator: the Windows Registry": [[133, 153]]}, "info": {"id": "cyner2_5class_train_06217", "source": "cyner2_5class_train"}} +{"text": "During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.", "spans": {"Indicator: domains": [[63, 70]], "System: same infrastructure": [[87, 106]], "Malware: skimmers for": [[119, 131]], "Organization: Magento stores.": [[140, 155]]}, "info": {"id": "cyner2_5class_train_06218", "source": "cyner2_5class_train"}} +{"text": "Mobile ViceLeaker The following table shows meta information on the observed samples , including compiler timestamps : MD5 Package Compiler C2 51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28 [ .", "spans": {"Malware: ViceLeaker": [[7, 17]], "Indicator: 51df2597faa3fce38a4c5ae024f97b1c": [[143, 175]], "Indicator: com.xapps.SexGameForAdults": [[176, 202]], "Indicator: 188.165.28 [ .": [[214, 228]]}, "info": {"id": "cyner2_5class_train_06219", "source": "cyner2_5class_train"}} +{"text": "The Trojan may ask the user to pay a ransom in order to have their files decrypted.", "spans": {"Malware: Trojan": [[4, 10]], "Organization: user": [[23, 27]], "Indicator: pay": [[31, 34]], "Indicator: 
ransom": [[37, 43]], "Indicator: files decrypted.": [[67, 83]]}, "info": {"id": "cyner2_5class_train_06220", "source": "cyner2_5class_train"}} +{"text": "While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or solutions as the Duke group apparently calls them.", "spans": {"Malware: SeaDuke": [[6, 13]], "Malware: malware": [[105, 112]], "Organization: Duke group": [[145, 155]]}, "info": {"id": "cyner2_5class_train_06221", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Strictor.D1A6AB BehavesLike.Win32.DlHelper.tc Trojan:Win32/Merca.A Trj/GdSda.A Trojan-Spy.Banker W32/Delf.OKU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Strictor.D1A6AB": [[26, 48]], "Indicator: BehavesLike.Win32.DlHelper.tc": [[49, 78]], "Indicator: Trojan:Win32/Merca.A": [[79, 99]], "Indicator: Trj/GdSda.A": [[100, 111]], "Indicator: Trojan-Spy.Banker": [[112, 129]], "Indicator: W32/Delf.OKU!tr": [[130, 145]]}, "info": {"id": "cyner2_5class_train_06222", "source": "cyner2_5class_train"}} +{"text": "According to several timestamps , this payload is used by implant versions created since 2016 .", "spans": {}, "info": {"id": "cyner2_5class_train_06223", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAuto.5860 Backdoor.Lesbot.152 Backdoor.Lesbot.152.n2 Trojan.Win32.Lesbot.djep Win32/Lesbot.B WORM_NETSPREE.A Backdoor.Win32.Lesbot.152 Backdoor.Lesbot.152 Backdoor.Leeter.B Worm.Win32.Netspree Worm.Win32.Netspree.A Backdoor.Lesbot.152 Win32.IRC.Bot.based WORM_NETSPREE.A Backdoor/Lesbot.152 Bck/Lesbot.152 Win32.Hack.Lesbot.kcloud Backdoor.Lesbot.152 W32/Risk.OZRI-5730 Win32/Netspree.worm.48448 Win32/Netspree.A Backdoor.Lesbot.152.a Backdoor.Win32.Lesbot.152 W32/Lesbot.152!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAuto.5860": [[26, 42]], "Indicator: Backdoor.Lesbot.152": [[43, 62], [168, 187], [248, 267], [364, 383]], "Indicator: 
Backdoor.Lesbot.152.n2": [[63, 85]], "Indicator: Trojan.Win32.Lesbot.djep": [[86, 110]], "Indicator: Win32/Lesbot.B": [[111, 125]], "Indicator: WORM_NETSPREE.A": [[126, 141], [288, 303]], "Indicator: Backdoor.Win32.Lesbot.152": [[142, 167], [468, 493]], "Indicator: Backdoor.Leeter.B": [[188, 205]], "Indicator: Worm.Win32.Netspree": [[206, 225]], "Indicator: Worm.Win32.Netspree.A": [[226, 247]], "Indicator: Win32.IRC.Bot.based": [[268, 287]], "Indicator: Backdoor/Lesbot.152": [[304, 323]], "Indicator: Bck/Lesbot.152": [[324, 338]], "Indicator: Win32.Hack.Lesbot.kcloud": [[339, 363]], "Indicator: W32/Risk.OZRI-5730": [[384, 402]], "Indicator: Win32/Netspree.worm.48448": [[403, 428]], "Indicator: Win32/Netspree.A": [[429, 445]], "Indicator: Backdoor.Lesbot.152.a": [[446, 467]], "Indicator: W32/Lesbot.152!tr": [[494, 511]]}, "info": {"id": "cyner2_5class_train_06224", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.AutoHK.877056 TrojanSpy.AutoHK W32/Trojan.FIJU-8952 Trojan-Spy.Win32.AutoHK.b Trojan.Win32.Z.Autohk.877056.A Win32.Trojan-spy.Autohk.Anzi TrojWare.Win32.Hadoc.AS BehavesLike.Win32.Dropper.ch PUA.EnigmaProtector TrojanSpy.AutoHK.a Trojan:Win32/Haudicx.A!bit Troj.Spy.W32!c Trojan-Spy.Win32.AutoHK.b Trojan/Win32.Asprox.R130565 TrojanSpy.AutoHK Win32/Spy.AHK.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.AutoHK.877056": [[26, 54]], "Indicator: TrojanSpy.AutoHK": [[55, 71], [367, 383]], "Indicator: W32/Trojan.FIJU-8952": [[72, 92]], "Indicator: Trojan-Spy.Win32.AutoHK.b": [[93, 118], [313, 338]], "Indicator: Trojan.Win32.Z.Autohk.877056.A": [[119, 149]], "Indicator: Win32.Trojan-spy.Autohk.Anzi": [[150, 178]], "Indicator: TrojWare.Win32.Hadoc.AS": [[179, 202]], "Indicator: BehavesLike.Win32.Dropper.ch": [[203, 231]], "Indicator: PUA.EnigmaProtector": [[232, 251]], "Indicator: TrojanSpy.AutoHK.a": [[252, 270]], "Indicator: Trojan:Win32/Haudicx.A!bit": [[271, 297]], "Indicator: Troj.Spy.W32!c": [[298, 
312]], "Indicator: Trojan/Win32.Asprox.R130565": [[339, 366]], "Indicator: Win32/Spy.AHK.E": [[384, 399]]}, "info": {"id": "cyner2_5class_train_06225", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Cantone.Trojan Win32.Worm.TTE Worm.Win32.Zombaque!O Worm.Ppzombie.A3 Worm.Zombaque.Win32.16 Win32.Worm.TTE WORM_BIZOME.SMF W32/Risk.KAIL-2278 W32.Spybot.Worm Win32/Zombaque.B WORM_BIZOME.SMF Win.Worm.Bizome-4 Worm.Zombaque Worm.Win32.Zombaque.h Trojan.Win32.Zombaque.igegn Trojan.Win32.P2P-Icmp.437760 Win32.HLLW.RAhack.2 BehavesLike.Win32.Downloader.gc Worm.Win32.Zombaque W32/Zombaque.A Worm/Zombaque.k Win32.Virut.cr.61440 Worm:Win32/Ppzombie.A Win32.Worm.TTE Worm.Win32.Zombaque.h Worm/Win32.Zombaque.R15854 Win32.Worm.TTE Win32.Worm.TTE Win32/Zombaque.B Virus.Win32.Virut.ue Worm.Zombaque!1mLwNArV7Hg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Cantone.Trojan": [[26, 44]], "Indicator: Win32.Worm.TTE": [[45, 59], [122, 136], [478, 492], [542, 556], [557, 571]], "Indicator: Worm.Win32.Zombaque!O": [[60, 81]], "Indicator: Worm.Ppzombie.A3": [[82, 98]], "Indicator: Worm.Zombaque.Win32.16": [[99, 121]], "Indicator: WORM_BIZOME.SMF": [[137, 152], [205, 220]], "Indicator: W32/Risk.KAIL-2278": [[153, 171]], "Indicator: W32.Spybot.Worm": [[172, 187]], "Indicator: Win32/Zombaque.B": [[188, 204], [572, 588]], "Indicator: Win.Worm.Bizome-4": [[221, 238]], "Indicator: Worm.Zombaque": [[239, 252]], "Indicator: Worm.Win32.Zombaque.h": [[253, 274], [493, 514]], "Indicator: Trojan.Win32.Zombaque.igegn": [[275, 302]], "Indicator: Trojan.Win32.P2P-Icmp.437760": [[303, 331]], "Indicator: Win32.HLLW.RAhack.2": [[332, 351]], "Indicator: BehavesLike.Win32.Downloader.gc": [[352, 383]], "Indicator: Worm.Win32.Zombaque": [[384, 403]], "Indicator: W32/Zombaque.A": [[404, 418]], "Indicator: Worm/Zombaque.k": [[419, 434]], "Indicator: Win32.Virut.cr.61440": [[435, 455]], "Indicator: Worm:Win32/Ppzombie.A": [[456, 477]], "Indicator: 
Worm/Win32.Zombaque.R15854": [[515, 541]], "Indicator: Virus.Win32.Virut.ue": [[589, 609]], "Indicator: Worm.Zombaque!1mLwNArV7Hg": [[610, 635]]}, "info": {"id": "cyner2_5class_train_06226", "source": "cyner2_5class_train"}} +{"text": "The class “ org.starsizew.Tb ” also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered .", "spans": {"Indicator: org.starsizew.Tb": [[12, 28]]}, "info": {"id": "cyner2_5class_train_06227", "source": "cyner2_5class_train"}} +{"text": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality.", "spans": {"Malware: UEFI bootkit": [[22, 34]], "Vulnerability: bypassing": [[35, 44]], "System: UEFI Secure Boot": [[45, 61]], "System: UEFI systems": [[79, 91]]}, "info": {"id": "cyner2_5class_train_06228", "source": "cyner2_5class_train"}} +{"text": "In 2018 , the most actively distributed versions were 5.0.0 and 5.0.3 .", "spans": {}, "info": {"id": "cyner2_5class_train_06229", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ceeinject.6879 PWS-Spyeye.cr Trojan/PornoAsset.avl TROJ_KRYPTO.SMOZ Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Ransom.AQY TROJ_KRYPTO.SMOZ Win.Trojan.Ransom-1156 Trojan.Win32.A.PornoAsset.43521 Trojan.Winlock.3300 PWS-Spyeye.cr Trojan/PornoAsset.nh TR/Winlock.CR Trojan[Backdoor]/Win32.Buterat Trojan.Barys.D8A2 Ransom:Win32/Trasbind.A Trojan/Win32.Tdss.R14197 Hoax.PornoAsset Trojan.Win32.Jorik", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ceeinject.6879": [[26, 47]], "Indicator: PWS-Spyeye.cr": [[48, 61], [253, 266]], "Indicator: Trojan/PornoAsset.avl": [[62, 83]], "Indicator: TROJ_KRYPTO.SMOZ": [[84, 100], [161, 177]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[101, 143]], "Indicator: Win32/Ransom.AQY": [[144, 160]], "Indicator: Win.Trojan.Ransom-1156": [[178, 200]], "Indicator: Trojan.Win32.A.PornoAsset.43521": [[201, 232]], "Indicator: Trojan.Winlock.3300": 
[[233, 252]], "Indicator: Trojan/PornoAsset.nh": [[267, 287]], "Indicator: TR/Winlock.CR": [[288, 301]], "Indicator: Trojan[Backdoor]/Win32.Buterat": [[302, 332]], "Indicator: Trojan.Barys.D8A2": [[333, 350]], "Indicator: Ransom:Win32/Trasbind.A": [[351, 374]], "Indicator: Trojan/Win32.Tdss.R14197": [[375, 399]], "Indicator: Hoax.PornoAsset": [[400, 415]], "Indicator: Trojan.Win32.Jorik": [[416, 434]]}, "info": {"id": "cyner2_5class_train_06230", "source": "cyner2_5class_train"}} +{"text": "On the 9th of August, a tweet from @MalwareHunterTeam caught my eye; it mentioned a fake Flash update that used a PowerShell script to connect to a very particular host", "spans": {"Organization: tweet": [[24, 29]], "Organization: @MalwareHunterTeam": [[35, 53]], "Indicator: fake Flash update": [[84, 101]], "Indicator: PowerShell script": [[114, 131]], "Indicator: connect": [[135, 142]]}, "info": {"id": "cyner2_5class_train_06231", "source": "cyner2_5class_train"}} +{"text": "By late 2015 , the malware ’ s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes .", "spans": {"System: Android": [[182, 189]]}, "info": {"id": "cyner2_5class_train_06232", "source": "cyner2_5class_train"}} +{"text": "Nemesis, the malware ecosystem used by FIN1, includes comprehensive backdoors that support a variety of network protocols and communication channels for command and control CnC.", "spans": {"Malware: Nemesis,": [[0, 8]], "Malware: malware ecosystem": [[13, 30]], "Malware: backdoors": [[68, 77]], "Indicator: network protocols": [[104, 121]], "Indicator: communication channels for command and control CnC.": [[126, 177]]}, "info": {"id": "cyner2_5class_train_06233", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsOval.152A Backdoor.Win32.VB!O Backdoor.VB.MV3 Trojan.Llac.Win32.24709 Trojan/Injector.eih BKDR_RSHOT.SMA Win32.Backdoor.VB.y 
BKDR_RSHOT.SMA Win.Trojan.6387874-3 Trojan.Win32.Temr.ssc Trojan.Win32.Temr.ejiehl Backdoor.W32.Ciadoor.lo5L TrojWare.Win32.Qhost.nls Trojan.DownLoader16.56820 Backdoor.Win32.VB BehavesLike.Win32.Trojan.tc Trojan.Temr.ak Backdoor:Win32/Lybsus.A Trojan.Graftor.D4305 Backdoor.Win32.A.VB.168034 Trojan.Win32.Temr.ssc Backdoor.Win32.VB Backdoor.VB Trojan.Injector!pDYfo+3Pf04 Trojan-Spy.Win32.KeyLogger W32/DarkKomet.GUKH!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsOval.152A": [[26, 42]], "Indicator: Backdoor.Win32.VB!O": [[43, 62]], "Indicator: Backdoor.VB.MV3": [[63, 78]], "Indicator: Trojan.Llac.Win32.24709": [[79, 102]], "Indicator: Trojan/Injector.eih": [[103, 122]], "Indicator: BKDR_RSHOT.SMA": [[123, 137], [158, 172]], "Indicator: Win32.Backdoor.VB.y": [[138, 157]], "Indicator: Win.Trojan.6387874-3": [[173, 193]], "Indicator: Trojan.Win32.Temr.ssc": [[194, 215], [451, 472]], "Indicator: Trojan.Win32.Temr.ejiehl": [[216, 240]], "Indicator: Backdoor.W32.Ciadoor.lo5L": [[241, 266]], "Indicator: TrojWare.Win32.Qhost.nls": [[267, 291]], "Indicator: Trojan.DownLoader16.56820": [[292, 317]], "Indicator: Backdoor.Win32.VB": [[318, 335], [473, 490]], "Indicator: BehavesLike.Win32.Trojan.tc": [[336, 363]], "Indicator: Trojan.Temr.ak": [[364, 378]], "Indicator: Backdoor:Win32/Lybsus.A": [[379, 402]], "Indicator: Trojan.Graftor.D4305": [[403, 423]], "Indicator: Backdoor.Win32.A.VB.168034": [[424, 450]], "Indicator: Backdoor.VB": [[491, 502]], "Indicator: Trojan.Injector!pDYfo+3Pf04": [[503, 530]], "Indicator: Trojan-Spy.Win32.KeyLogger": [[531, 557]], "Indicator: W32/DarkKomet.GUKH!tr": [[558, 579]], "Indicator: Trj/CI.A": [[580, 588]]}, "info": {"id": "cyner2_5class_train_06234", "source": "cyner2_5class_train"}} +{"text": "] 133 ” as a main C2 address , and there is only one domain that is hosted on this dedicated server – iliageram [ .", "spans": {"Indicator: iliageram [ .": [[102, 115]]}, "info": {"id": "cyner2_5class_train_06235", "source": 
"cyner2_5class_train"}} +{"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 Module Version Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 – 18abe28730c53de6d9e4786c7765c3d8 2 2.0 Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It ’ s interesting that the issuer “ Sun ” matches the “ Sun1 ” and “ Sun2 ” identifiers of infected devices from the FTP server , suggesting they may be test devices .", "spans": {"Indicator: 0x76607c02": [[165, 175]], "Indicator: 9e005144ea1a583531f86663a5f14607": [[290, 322]], "Indicator: 18abe28730c53de6d9e4786c7765c3d8": [[327, 359]], "Indicator: 0x6a0d1fec": [[382, 392]], "Indicator: 9ffc350ef94ef840728564846f2802b0": [[507, 539]], "Indicator: 6c246bbb40b7c6e75c60a55c0da9e2f2": [[551, 583]], "Indicator: 7c8a12e56e3e03938788b26b84b80bd6": [[593, 625]], "Indicator: bde7847487125084f9e03f2b6b05adc3": [[635, 667]], "Indicator: 2560942bb50ee6e6f55afc495d238a12": [[677, 709]]}, "info": {"id": "cyner2_5class_train_06236", "source": "cyner2_5class_train"}} +{"text": "It is impossible to deprive it of these rights without the use of specialized tools ( such as Kaspersky Internet Security for Android ) .", "spans": {"System: Kaspersky Internet Security": [[94, 121]], "System: Android": [[126, 133]]}, "info": {"id": "cyner2_5class_train_06237", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Masteseq Win32.Trojan.WisdomEyes.16070401.9500.9872 Backdoor.Masteseq Trojan.Win32.Masteseq.evvgyd 
Backdoor.W32.Masteseq!c BackDoor.Liskey Backdoor.Masteseq.x Backdoor:Win32/Masteseq.AC Trojan/Win32.Masteseq.R12342 Trj/GdSda.A Win32.Backdoor.Masteseq.Lpbn Backdoor.Win32.Masteseq Win32/Trojan.d37", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Masteseq": [[26, 43], [87, 104]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9872": [[44, 86]], "Indicator: Trojan.Win32.Masteseq.evvgyd": [[105, 133]], "Indicator: Backdoor.W32.Masteseq!c": [[134, 157]], "Indicator: BackDoor.Liskey": [[158, 173]], "Indicator: Backdoor.Masteseq.x": [[174, 193]], "Indicator: Backdoor:Win32/Masteseq.AC": [[194, 220]], "Indicator: Trojan/Win32.Masteseq.R12342": [[221, 249]], "Indicator: Trj/GdSda.A": [[250, 261]], "Indicator: Win32.Backdoor.Masteseq.Lpbn": [[262, 290]], "Indicator: Backdoor.Win32.Masteseq": [[291, 314]], "Indicator: Win32/Trojan.d37": [[315, 331]]}, "info": {"id": "cyner2_5class_train_06238", "source": "cyner2_5class_train"}} +{"text": "Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant.", "spans": {"Organization: Cisco Talos": [[0, 11]], "Indicator: Samas/Samsam/MSIL.B/C": [[72, 93]], "Malware: ransomware variant.": [[94, 113]]}, "info": {"id": "cyner2_5class_train_06239", "source": "cyner2_5class_train"}} +{"text": "Last March 2016, we noted that PowerWare crypto-ransomware also abused PowerShell.", "spans": {"Malware: PowerWare crypto-ransomware": [[31, 58]], "Malware: PowerShell.": [[71, 82]]}, "info": {"id": "cyner2_5class_train_06240", "source": "cyner2_5class_train"}} +{"text": "Sending SMS messages to financial institutions to query account balances .", "spans": {}, "info": {"id": "cyner2_5class_train_06241", "source": "cyner2_5class_train"}} +{"text": "What makes this botnet successful is its highly configurable and modular design that can fit any malicious intent, like distributing Zeus or, more recently, distributing a Lethic bot.", "spans": {"Malware: botnet": [[16, 22]], 
"Malware: Zeus": [[133, 137]], "Malware: Lethic bot.": [[172, 183]]}, "info": {"id": "cyner2_5class_train_06242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Exploit.WordPerf.B Trojan/Exploit.WordPerf.b TROJ_WORDPERF.B W32/Risk.DAAG-1937 Win32/Exploit.WordPerf.B TROJ_WORDPERF.B Win.Trojan.Exploit-204 Exploit.Win32.WordPerf.b Trojan.Exploit.WordPerf.B Exploit.Win32.WordPerf.gpac Exploit.W32.WordPerf.b!c Trojan.Exploit.WordPerf.B TrojWare.Win32.Exploit.WordPerf.B Trojan.Exploit.WordPerf.B Exploit.Qaaz Exploit.WordPerf.Win32.2 Exploit.WordPerf.b TR/Expl.WordPerf.B Trojan[Exploit]/Win32.WordPerf Win32.EXPLOIT.WordPerf.b.kcloud Exploit:Win32/WordPerf.B Trojan.Exploit.WordPerf.B Exploit.Win32.WordPerf.b Trojan.Exploit.WordPerf.B Trojan.Exploit.WordPerf.B Win32.Exploit.Wordperf.Wxrv Exploit.WordPerf!zPzGZ0A1+Q4 Trojan.Win32.Exploit W32/WordPerf.B!exploit Win32/Trojan.827", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.WordPerf.B": [[26, 51], [202, 227], [281, 306], [341, 366], [531, 556], [582, 607], [608, 633]], "Indicator: Trojan/Exploit.WordPerf.b": [[52, 77]], "Indicator: TROJ_WORDPERF.B": [[78, 93], [138, 153]], "Indicator: W32/Risk.DAAG-1937": [[94, 112]], "Indicator: Win32/Exploit.WordPerf.B": [[113, 137]], "Indicator: Win.Trojan.Exploit-204": [[154, 176]], "Indicator: Exploit.Win32.WordPerf.b": [[177, 201], [557, 581]], "Indicator: Exploit.Win32.WordPerf.gpac": [[228, 255]], "Indicator: Exploit.W32.WordPerf.b!c": [[256, 280]], "Indicator: TrojWare.Win32.Exploit.WordPerf.B": [[307, 340]], "Indicator: Exploit.Qaaz": [[367, 379]], "Indicator: Exploit.WordPerf.Win32.2": [[380, 404]], "Indicator: Exploit.WordPerf.b": [[405, 423]], "Indicator: TR/Expl.WordPerf.B": [[424, 442]], "Indicator: Trojan[Exploit]/Win32.WordPerf": [[443, 473]], "Indicator: Win32.EXPLOIT.WordPerf.b.kcloud": [[474, 505]], "Indicator: Exploit:Win32/WordPerf.B": [[506, 530]], "Indicator: Win32.Exploit.Wordperf.Wxrv": [[634, 661]], "Indicator: 
Exploit.WordPerf!zPzGZ0A1+Q4": [[662, 690]], "Indicator: Trojan.Win32.Exploit": [[691, 711]], "Indicator: W32/WordPerf.B!exploit": [[712, 734]], "Indicator: Win32/Trojan.827": [[735, 751]]}, "info": {"id": "cyner2_5class_train_06243", "source": "cyner2_5class_train"}} +{"text": "Original password The main service follows the same structure as the first version , the anti-analysis features are primitive , only checking the emulator environment without any kind of packing or obfuscation .", "spans": {}, "info": {"id": "cyner2_5class_train_06244", "source": "cyner2_5class_train"}} +{"text": "Additionally , during a period of several days , our infected test device was never remotely disinfected by the operators .", "spans": {}, "info": {"id": "cyner2_5class_train_06245", "source": "cyner2_5class_train"}} +{"text": "Rokku seems to be distributed by a malicious document, which contains a macro that when is executed downloads and runs Rokku.", "spans": {"Malware: Rokku": [[0, 5]], "Indicator: malicious document,": [[35, 54]], "Malware: macro": [[72, 77]], "Malware: Rokku.": [[119, 125]]}, "info": {"id": "cyner2_5class_train_06246", "source": "cyner2_5class_train"}} +{"text": "This is another reminder of why users shouldn ’ t rely on ratings alone to decide whether to trust an app .", "spans": {}, "info": {"id": "cyner2_5class_train_06247", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.O W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.mzNk Win32.Virut.56 Virus.Virut.Win32.1938 Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 TrojanDownloader:MSIL/Tackerkin.A Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Trojan-Downloader.MSIL W32/Virut.CE Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: 
Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: PE_VIRUX.O": [[73, 83], [115, 125]], "Indicator: W32.Virut.CF": [[84, 96]], "Indicator: Win32/Virut.17408": [[97, 114]], "Indicator: Win32.Virus.Virut.Q": [[126, 145]], "Indicator: Virus.Win32.Virut.ce": [[146, 166], [334, 354]], "Indicator: Virus.Win32.Virut.hpeg": [[167, 189]], "Indicator: W32.Virut.mzNk": [[190, 204]], "Indicator: Win32.Virut.56": [[205, 219]], "Indicator: Virus.Virut.Win32.1938": [[220, 242]], "Indicator: Win32/Virut.bt": [[243, 257]], "Indicator: Virus/Win32.Virut.ce": [[258, 278]], "Indicator: Win32.Virut.cr.61440": [[279, 299]], "Indicator: TrojanDownloader:MSIL/Tackerkin.A": [[300, 333]], "Indicator: Win32/Virut.F": [[355, 368]], "Indicator: Virus.Virut.14": [[369, 383]], "Indicator: W32/Sality.AO": [[384, 397]], "Indicator: Win32/Virut.NBP": [[398, 413]], "Indicator: Trojan-Downloader.MSIL": [[414, 436]], "Indicator: W32/Virut.CE": [[437, 449]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[450, 480]]}, "info": {"id": "cyner2_5class_train_06248", "source": "cyner2_5class_train"}} +{"text": "Technical Analysis XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges .", "spans": {"Malware: XLoader": [[19, 26]], "Indicator: Assets/db": [[66, 75]], "Indicator: test.dex": [[79, 87]]}, "info": {"id": "cyner2_5class_train_06249", "source": "cyner2_5class_train"}} +{"text": "We have detected a total of 17 C & C servers on 4 different domains , which probably means the bad guys are quite familiar with what redundancy is .", "spans": {}, "info": {"id": "cyner2_5class_train_06250", "source": "cyner2_5class_train"}} +{"text": "Both the loader and dropped class are obfuscated using ProGuard , which obfuscates names using alphabet letters .", "spans": {"Indicator: ProGuard": [[55, 63]]}, "info": {"id": "cyner2_5class_train_06251", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: Ransom.Ryzerlo.A3 Trojan.Ransom.HiddenTears.1 Ransom_BLOCCATO.SM Ransom.HiddenTear Ransom_BLOCCATO.SM MSIL.Trojan-Ransom.Cryptear.B Trojan.Win32.Filecoder.ethwkz Trojan.Win32.Z.Ransom.211968.EF TrojWare.MSIL.Ransom.Ryzerlo.A Trojan.Encoder.10598 Trojan-Ransom.HiddenTear TR/ATRAPS.jnrzk Ransom.HiddenTear/Variant Trojan.Ransom.HiddenTear Trj/GdSda.A MSIL/Filecoder.Y!tr Win32/Trojan.61e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Ryzerlo.A3": [[26, 43]], "Indicator: Trojan.Ransom.HiddenTears.1": [[44, 71]], "Indicator: Ransom_BLOCCATO.SM": [[72, 90], [109, 127]], "Indicator: Ransom.HiddenTear": [[91, 108]], "Indicator: MSIL.Trojan-Ransom.Cryptear.B": [[128, 157]], "Indicator: Trojan.Win32.Filecoder.ethwkz": [[158, 187]], "Indicator: Trojan.Win32.Z.Ransom.211968.EF": [[188, 219]], "Indicator: TrojWare.MSIL.Ransom.Ryzerlo.A": [[220, 250]], "Indicator: Trojan.Encoder.10598": [[251, 271]], "Indicator: Trojan-Ransom.HiddenTear": [[272, 296]], "Indicator: TR/ATRAPS.jnrzk": [[297, 312]], "Indicator: Ransom.HiddenTear/Variant": [[313, 338]], "Indicator: Trojan.Ransom.HiddenTear": [[339, 363]], "Indicator: Trj/GdSda.A": [[364, 375]], "Indicator: MSIL/Filecoder.Y!tr": [[376, 395]], "Indicator: Win32/Trojan.61e": [[396, 412]]}, "info": {"id": "cyner2_5class_train_06252", "source": "cyner2_5class_train"}} +{"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device .", "spans": {}, "info": {"id": "cyner2_5class_train_06253", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod232.Trojan.380a Heur.Win32.Veebee.1!O TrojanSpy.VB!WEMPyAgOnlg W32/MalwareF.ZFHU Trojan-Spy.Win32.VB.dwb Trojan.Win32.VB.cpxay Trojan.Win32.A.VB.77932 TrojWare.Win32.TrojanSpy.VB.NNW Trojan.DownLoader1.62643 Trojan[Spy]/Win32.VB PWS:Win32/Gypthoy.A W32/Risk.FBWB-6710 Trojan.VBRA.02824 
Trojan-Spy.Win32.VB W32/VB.DWB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod232.Trojan.380a": [[26, 49]], "Indicator: Heur.Win32.Veebee.1!O": [[50, 71]], "Indicator: TrojanSpy.VB!WEMPyAgOnlg": [[72, 96]], "Indicator: W32/MalwareF.ZFHU": [[97, 114]], "Indicator: Trojan-Spy.Win32.VB.dwb": [[115, 138]], "Indicator: Trojan.Win32.VB.cpxay": [[139, 160]], "Indicator: Trojan.Win32.A.VB.77932": [[161, 184]], "Indicator: TrojWare.Win32.TrojanSpy.VB.NNW": [[185, 216]], "Indicator: Trojan.DownLoader1.62643": [[217, 241]], "Indicator: Trojan[Spy]/Win32.VB": [[242, 262]], "Indicator: PWS:Win32/Gypthoy.A": [[263, 282]], "Indicator: W32/Risk.FBWB-6710": [[283, 301]], "Indicator: Trojan.VBRA.02824": [[302, 319]], "Indicator: Trojan-Spy.Win32.VB": [[320, 339]], "Indicator: W32/VB.DWB!tr": [[340, 353]]}, "info": {"id": "cyner2_5class_train_06254", "source": "cyner2_5class_train"}} +{"text": "The attack was found to heavily rely on RTF exploits and at the time, thought to make use of the PlugX malware family.", "spans": {"Indicator: attack": [[4, 10]], "Vulnerability: RTF exploits": [[40, 52]], "Malware: PlugX malware family.": [[97, 118]]}, "info": {"id": "cyner2_5class_train_06255", "source": "cyner2_5class_train"}} +{"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app .", "spans": {"Malware: HenBox": [[0, 6], [127, 133]], "System: Android": [[43, 50]]}, "info": {"id": "cyner2_5class_train_06256", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Backdoor.Bot.97496 W32.Virut.D Backdoor.Bot.97496 Virus.LdPinch.Win32.1 W32/Virut.F Backdoor.Bot.D17CD8 Win32.Virus.Virut.i W32/Sdbot.ACIH W32.IRCBot PE_VIRUT.D-1 Win.Trojan.Virut-16 Backdoor.Bot.97496 Virus.Win32.Virut.n Backdoor.Bot.97496 Virus.Win32.Virut.jxol Backdoor.Win32.A.IRCBot.97792 Virus.W32.Virut!c Backdoor.Bot.97496 
PE_VIRUT.D-1 BehavesLike.Win32.Virut.pc Worm.Win32.Kulsibot W32/Sdbot.OGIG-1311 Win32/Virut.e Virus/Win32.Virut.n Win32.Virut.n.2600 Worm:Win32/Kulsibot.A Virus.Win32.Virut.n Win32/Virut.D Win32/Virut.E Virus.Win32.HanKu.e Virus.Win32.Virut.AT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Backdoor.Bot.97496": [[39, 57], [70, 88], [222, 240], [261, 279], [351, 369]], "Indicator: W32.Virut.D": [[58, 69]], "Indicator: Virus.LdPinch.Win32.1": [[89, 110]], "Indicator: W32/Virut.F": [[111, 122]], "Indicator: Backdoor.Bot.D17CD8": [[123, 142]], "Indicator: Win32.Virus.Virut.i": [[143, 162]], "Indicator: W32/Sdbot.ACIH": [[163, 177]], "Indicator: W32.IRCBot": [[178, 188]], "Indicator: PE_VIRUT.D-1": [[189, 201], [370, 382]], "Indicator: Win.Trojan.Virut-16": [[202, 221]], "Indicator: Virus.Win32.Virut.n": [[241, 260], [525, 544]], "Indicator: Virus.Win32.Virut.jxol": [[280, 302]], "Indicator: Backdoor.Win32.A.IRCBot.97792": [[303, 332]], "Indicator: Virus.W32.Virut!c": [[333, 350]], "Indicator: BehavesLike.Win32.Virut.pc": [[383, 409]], "Indicator: Worm.Win32.Kulsibot": [[410, 429]], "Indicator: W32/Sdbot.OGIG-1311": [[430, 449]], "Indicator: Win32/Virut.e": [[450, 463]], "Indicator: Virus/Win32.Virut.n": [[464, 483]], "Indicator: Win32.Virut.n.2600": [[484, 502]], "Indicator: Worm:Win32/Kulsibot.A": [[503, 524]], "Indicator: Win32/Virut.D": [[545, 558]], "Indicator: Win32/Virut.E": [[559, 572]], "Indicator: Virus.Win32.HanKu.e": [[573, 592]], "Indicator: Virus.Win32.Virut.AT": [[593, 613]]}, "info": {"id": "cyner2_5class_train_06257", "source": "cyner2_5class_train"}} +{"text": "Moreover , BusyGasper boasts some keylogging tools – the malware processes every user tap , gathering its coordinates and calculating characters by matching given values with hardcoded ones .", "spans": {"Malware: BusyGasper": [[11, 21]]}, "info": {"id": "cyner2_5class_train_06258", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known 
as: W32.BypauTH.Trojan Application.Hacktool.Vncpass.A Trojan-Spy/W32.Vnc.32768 NetTool.Win32.VNC!O Tool.VNC.Win32.1 Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Tool.PPKE-1202 Backdoor.Prorat Application.Hacktool.Vncpass.A not-a-virus:NetTool.Win32.VNC.a Application.Hacktool.Vncpass.A Riskware.Win32.VNC.hsfc Application.Hacktool.Vncpass.A ApplicUnsaf.Win32.NetTool.VNC.A Application.Hacktool.Vncpass Tool.VncBypauth not-a-virus:NetTool.Win32.VNC W32/HackTool.CDN NetTool.VNC.b HackTool[NetTool]/Win32.VNC Application.Hacktool.Vncpass.A not-a-virus:NetTool.Win32.VNC.a Win-AppCare/Vnc.32768 HackTool.VNC!Pb5Dm1ZMh30 Win32/Virus.NetTool.8e7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BypauTH.Trojan": [[26, 44]], "Indicator: Application.Hacktool.Vncpass.A": [[45, 75], [216, 246], [279, 309], [334, 364], [531, 561]], "Indicator: Trojan-Spy/W32.Vnc.32768": [[76, 100]], "Indicator: NetTool.Win32.VNC!O": [[101, 120]], "Indicator: Tool.VNC.Win32.1": [[121, 137]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[138, 180]], "Indicator: W32/Tool.PPKE-1202": [[181, 199]], "Indicator: Backdoor.Prorat": [[200, 215]], "Indicator: not-a-virus:NetTool.Win32.VNC.a": [[247, 278], [562, 593]], "Indicator: Riskware.Win32.VNC.hsfc": [[310, 333]], "Indicator: ApplicUnsaf.Win32.NetTool.VNC.A": [[365, 396]], "Indicator: Application.Hacktool.Vncpass": [[397, 425]], "Indicator: Tool.VncBypauth": [[426, 441]], "Indicator: not-a-virus:NetTool.Win32.VNC": [[442, 471]], "Indicator: W32/HackTool.CDN": [[472, 488]], "Indicator: NetTool.VNC.b": [[489, 502]], "Indicator: HackTool[NetTool]/Win32.VNC": [[503, 530]], "Indicator: Win-AppCare/Vnc.32768": [[594, 615]], "Indicator: HackTool.VNC!Pb5Dm1ZMh30": [[616, 640]], "Indicator: Win32/Virus.NetTool.8e7": [[641, 664]]}, "info": {"id": "cyner2_5class_train_06259", "source": "cyner2_5class_train"}} +{"text": "US defense contractors were only fairly recent targets based on the operation's history, which we traced to spear-phishing 
in 2010.", "spans": {"Organization: US defense contractors": [[0, 22]], "Indicator: spear-phishing": [[108, 122]]}, "info": {"id": "cyner2_5class_train_06260", "source": "cyner2_5class_train"}} +{"text": "As MainService is the main controller , the developer has taken the appropriate actions to keep it functional and running at all times .", "spans": {}, "info": {"id": "cyner2_5class_train_06261", "source": "cyner2_5class_train"}} +{"text": "EVENTBOT VERSION 0.4.0.1 Package Name Randomization In this version , the package name is no longer named ‘ com.example.eventbot ’ , which makes it more difficult to track down .", "spans": {"Indicator: com.example.eventbot": [[108, 128]]}, "info": {"id": "cyner2_5class_train_06262", "source": "cyner2_5class_train"}} +{"text": "By now, most of the malware researchers are used to seeing drive-by infections that serve up a handful of malware, from droppers to payloads.", "spans": {"Organization: malware researchers": [[20, 39]], "Malware: droppers": [[120, 128]], "Malware: payloads.": [[132, 141]]}, "info": {"id": "cyner2_5class_train_06263", "source": "cyner2_5class_train"}} +{"text": "Conclusion As our computing increasingly crosses multiple screens , we should expect to see threats extending across mobile and desktop environments .", "spans": {}, "info": {"id": "cyner2_5class_train_06264", "source": "cyner2_5class_train"}} +{"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2426": [[39, 52]], "System: Windows": [[68, 75]], "Organization: Microsoft": [[84, 93]]}, "info": {"id": "cyner2_5class_train_06265", "source": "cyner2_5class_train"}} +{"text": "However, global security companies are limited in collecting attack information in Korea, and there is also a lack of information about the attacks that Lazarus or Lazarus are suspected of as a small group of 
threat groups in Korea.", "spans": {"Organization: global security companies": [[9, 34]], "Indicator: attack information": [[61, 79]], "Indicator: lack of information": [[110, 129]], "Indicator: attacks": [[140, 147]]}, "info": {"id": "cyner2_5class_train_06266", "source": "cyner2_5class_train"}} +{"text": "The decompile method is based on the fact that Android applications are Java-based , meaning it is possible to recompile it .", "spans": {"System: Android": [[47, 54]]}, "info": {"id": "cyner2_5class_train_06267", "source": "cyner2_5class_train"}} +{"text": "This post does n't follow the chronological evolution of Zen , but instead covers relevant samples from least to most complex .", "spans": {"Malware: Zen": [[57, 60]]}, "info": {"id": "cyner2_5class_train_06268", "source": "cyner2_5class_train"}} +{"text": "After libmsy.so decrypts the asset file tong.luo , it loads mycode.jar dynamically into FakeSpy ’ s process , as is shown from the output of the “ adb logcat ” command .", "spans": {"Indicator: libmsy.so": [[6, 15]], "Indicator: tong.luo": [[40, 48]], "Indicator: mycode.jar": [[60, 70]], "Malware: FakeSpy": [[88, 95]]}, "info": {"id": "cyner2_5class_train_06269", "source": "cyner2_5class_train"}} +{"text": "] ir .", "spans": {}, "info": {"id": "cyner2_5class_train_06270", "source": "cyner2_5class_train"}} +{"text": "But SamSam isn't the only ransomware out there charging eye-watering amounts to decrypt business servers.", "spans": {"Malware: SamSam": [[4, 10]], "Malware: ransomware": [[26, 36]], "System: decrypt business servers.": [[80, 105]]}, "info": {"id": "cyner2_5class_train_06271", "source": "cyner2_5class_train"}} +{"text": "This variant uses a new UAC bypass method that has been used by the Dridex malware since December, 2014.", "spans": {"Indicator: UAC bypass method": [[24, 41]], "Malware: Dridex malware": [[68, 82]]}, "info": {"id": "cyner2_5class_train_06272", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9882 Backdoor.Teambot Trojan.Win32.Kazy.cxkslh Trojan.PWS.Spy.19585 Trojan.Kazy.D1E900 Backdoor:Win32/Pavica.B!dll Backdoor/Win32.Pavica.R161181", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9882": [[26, 68]], "Indicator: Backdoor.Teambot": [[69, 85]], "Indicator: Trojan.Win32.Kazy.cxkslh": [[86, 110]], "Indicator: Trojan.PWS.Spy.19585": [[111, 131]], "Indicator: Trojan.Kazy.D1E900": [[132, 150]], "Indicator: Backdoor:Win32/Pavica.B!dll": [[151, 178]], "Indicator: Backdoor/Win32.Pavica.R161181": [[179, 208]]}, "info": {"id": "cyner2_5class_train_06273", "source": "cyner2_5class_train"}} +{"text": "Conclusion The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme .", "spans": {"Malware: Asacub": [[23, 29]]}, "info": {"id": "cyner2_5class_train_06274", "source": "cyner2_5class_train"}} +{"text": "Android Trojan Found in Targeted Attack 26 MAR 2013 In the past , we ’ ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms .", "spans": {"System: Android": [[0, 7]], "System: Windows": [[136, 143]], "System: Mac OS X": [[148, 156]]}, "info": {"id": "cyner2_5class_train_06275", "source": "cyner2_5class_train"}} +{"text": "It also drops decoy documents in an attempt to camouflage the attack.", "spans": {"Indicator: drops decoy documents": [[8, 29]], "Indicator: attack.": [[62, 69]]}, "info": {"id": "cyner2_5class_train_06276", "source": "cyner2_5class_train"}} +{"text": "The base64-encoded image is then uploaded to an image recognition service .", "spans": {}, "info": {"id": "cyner2_5class_train_06277", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9821 BehavesLike.Win32.Trojan.tc Trojan/Win32.MSILKrypt.C2372735", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9821": [[26, 
68]], "Indicator: BehavesLike.Win32.Trojan.tc": [[69, 96]], "Indicator: Trojan/Win32.MSILKrypt.C2372735": [[97, 128]]}, "info": {"id": "cyner2_5class_train_06278", "source": "cyner2_5class_train"}} +{"text": "If that part is found , the app loads Javascript snippets from the JSON parameters to click a button or other HTML element , simulating a real user click .", "spans": {}, "info": {"id": "cyner2_5class_train_06279", "source": "cyner2_5class_train"}} +{"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX .", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: ANDROIDOS_XLOADER.HRX": [[29, 50]]}, "info": {"id": "cyner2_5class_train_06280", "source": "cyner2_5class_train"}} +{"text": "The first method is to send a specially crafted URL to the target via SMS or email .", "spans": {}, "info": {"id": "cyner2_5class_train_06281", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9890 Backdoor.Win32.Ruledor.c BackDoor.Ruller Downloader.Adload.Win32.15034 BehavesLike.Win32.Sural.tc Trojan[Backdoor]/Win32.Ruledor Backdoor:Win32/Ruledor.B Backdoor.Win32.Ruledor.c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9890": [[26, 68]], "Indicator: Backdoor.Win32.Ruledor.c": [[69, 93], [223, 247]], "Indicator: BackDoor.Ruller": [[94, 109]], "Indicator: Downloader.Adload.Win32.15034": [[110, 139]], "Indicator: BehavesLike.Win32.Sural.tc": [[140, 166]], "Indicator: Trojan[Backdoor]/Win32.Ruledor": [[167, 197]], "Indicator: Backdoor:Win32/Ruledor.B": [[198, 222]]}, "info": {"id": "cyner2_5class_train_06282", "source": "cyner2_5class_train"}} +{"text": "They evade detection by keeping their code simple and flying under the radar.", "spans": {}, "info": {"id": "cyner2_5class_train_06283", "source": "cyner2_5class_train"}} +{"text": "We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the 
associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words Thai or Thailand", "spans": {"Indicator: attacks": [[24, 31]], "Malware: Bookworm": [[43, 51]], "Organization: targeting organizations": [[62, 85]], "Indicator: decoys documents,": [[138, 155]], "Indicator: dynamic DNS domain names": [[182, 206]], "Indicator: host C2 servers": [[215, 230]]}, "info": {"id": "cyner2_5class_train_06284", "source": "cyner2_5class_train"}} +{"text": "In 2020 , it appears that TrickBot ’ s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts .", "spans": {"Malware: TrickBot": [[26, 34]]}, "info": {"id": "cyner2_5class_train_06285", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Autoit.ARV Worm.AutoIt.Helompy.A Trojan.Autoit.ARV Worm.AutoRun.Win32.33975 Win32.Trojan.AutoIt.a W32/Trojan2.MFAR W32.SillyDC Win.Trojan.Autoit-1267 Worm.Win32.AutoIt.agm Trojan.Autoit.ARV Trojan.Win32.Napad.ijfyd Worm.Win32.A.IM-Sohanad.278196 Win32.HLLW.Napad BehavesLike.Win32.YahLover.hc W32/Trojan.MASJ-0546 Worm/AutoRun.sfx Worm:Win32/Helompy.A Trojan.Autoit.ARV Worm.Win32.AutoIt.agm HEUR/Fakon.mwf Trojan.Autoit.ARV Trj/CI.A I-Worm.Autoit.GP Worm.Win32.Autorun.aao Win32/Trojan.e4c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Autoit.ARV": [[26, 43], [66, 83], [205, 222], [385, 402], [440, 457]], "Indicator: Worm.AutoIt.Helompy.A": [[44, 65]], "Indicator: Worm.AutoRun.Win32.33975": [[84, 108]], "Indicator: Win32.Trojan.AutoIt.a": [[109, 130]], "Indicator: W32/Trojan2.MFAR": [[131, 147]], "Indicator: W32.SillyDC": [[148, 159]], "Indicator: Win.Trojan.Autoit-1267": [[160, 182]], "Indicator: Worm.Win32.AutoIt.agm": [[183, 204], [403, 424]], "Indicator: Trojan.Win32.Napad.ijfyd": [[223, 247]], "Indicator: Worm.Win32.A.IM-Sohanad.278196": [[248, 278]], "Indicator: Win32.HLLW.Napad": [[279, 295]], "Indicator: BehavesLike.Win32.YahLover.hc": [[296, 325]], 
"Indicator: W32/Trojan.MASJ-0546": [[326, 346]], "Indicator: Worm/AutoRun.sfx": [[347, 363]], "Indicator: Worm:Win32/Helompy.A": [[364, 384]], "Indicator: HEUR/Fakon.mwf": [[425, 439]], "Indicator: Trj/CI.A": [[458, 466]], "Indicator: I-Worm.Autoit.GP": [[467, 483]], "Indicator: Worm.Win32.Autorun.aao": [[484, 506]], "Indicator: Win32/Trojan.e4c": [[507, 523]]}, "info": {"id": "cyner2_5class_train_06286", "source": "cyner2_5class_train"}} +{"text": "If the user closes the windows , they will appear again due to the timer configuration .", "spans": {}, "info": {"id": "cyner2_5class_train_06287", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ArchSMS Win32.Trojan.WisdomEyes.16070401.9500.9977 Hoax.Win32.ArchSMS.upa Win32.Trojan-psw.Archsms.Pgnh Trojan.Fraudster.307 Trojan:Win32/MobicArch.A Hoax.Win32.ArchSMS.upa Win32.Trojan.ArchSMS.D Spyware/Win32.ArchSMS.R32549 Hoax.ArchSMS.ge Hoax.Win32.ArchSMS Win32/Trojan.b8b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ArchSMS": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[41, 83]], "Indicator: Hoax.Win32.ArchSMS.upa": [[84, 106], [183, 205]], "Indicator: Win32.Trojan-psw.Archsms.Pgnh": [[107, 136]], "Indicator: Trojan.Fraudster.307": [[137, 157]], "Indicator: Trojan:Win32/MobicArch.A": [[158, 182]], "Indicator: Win32.Trojan.ArchSMS.D": [[206, 228]], "Indicator: Spyware/Win32.ArchSMS.R32549": [[229, 257]], "Indicator: Hoax.ArchSMS.ge": [[258, 273]], "Indicator: Hoax.Win32.ArchSMS": [[274, 292]], "Indicator: Win32/Trojan.b8b": [[293, 309]]}, "info": {"id": "cyner2_5class_train_06288", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pokey.A Trojan.Pokey.A Trojan.Pokey.A WORM_PIKACHU.A W32/Trojan.GNFD-9297 W32.Pokey.Worm Win32/Pikachu.32768 WORM_PIKACHU.A Win.Worm.Pikachu-2 Trojan.Pokey.A Email-Worm.Win32.Pikachu Trojan.Pokey.A Trojan.Win32.Pikachu.enlz I-Worm.Win32.Pikachu Trojan.Pokey.A Worm.Win32.Pikachu.A Trojan.Pokey.A 
Worm.Pikachu.Win32.2 Pokey.a Email-Worm.Win32.Pikachu W32/Trojan2.CSH Worm:Win32/Pokey.A@mm WORM/Pikachu.AuExec Worm[Email]/Win32.Pikachu Worm:Win32/Pokey.A@mm Worm.Pokey Email-Worm.Win32.Pikachu Pokey.a Email-Worm.Pikachu Win32/Pikachu.A I-Worm.Pikachu W32/Pikachu.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pokey.A": [[26, 40], [41, 55], [56, 70], [176, 190], [216, 230], [278, 292], [314, 328]], "Indicator: WORM_PIKACHU.A": [[71, 85], [142, 156]], "Indicator: W32/Trojan.GNFD-9297": [[86, 106]], "Indicator: W32.Pokey.Worm": [[107, 121]], "Indicator: Win32/Pikachu.32768": [[122, 141]], "Indicator: Win.Worm.Pikachu-2": [[157, 175]], "Indicator: Email-Worm.Win32.Pikachu": [[191, 215], [358, 382], [500, 524]], "Indicator: Trojan.Win32.Pikachu.enlz": [[231, 256]], "Indicator: I-Worm.Win32.Pikachu": [[257, 277]], "Indicator: Worm.Win32.Pikachu.A": [[293, 313]], "Indicator: Worm.Pikachu.Win32.2": [[329, 349]], "Indicator: Pokey.a": [[350, 357], [525, 532]], "Indicator: W32/Trojan2.CSH": [[383, 398]], "Indicator: Worm:Win32/Pokey.A@mm": [[399, 420], [467, 488]], "Indicator: WORM/Pikachu.AuExec": [[421, 440]], "Indicator: Worm[Email]/Win32.Pikachu": [[441, 466]], "Indicator: Worm.Pokey": [[489, 499]], "Indicator: Email-Worm.Pikachu": [[533, 551]], "Indicator: Win32/Pikachu.A": [[552, 567]], "Indicator: I-Worm.Pikachu": [[568, 582]], "Indicator: W32/Pikachu.A!tr": [[583, 599]]}, "info": {"id": "cyner2_5class_train_06289", "source": "cyner2_5class_train"}} +{"text": "Derusbi has been widely covered and associated with Chinese threat actors.", "spans": {"Malware: Derusbi": [[0, 7]]}, "info": {"id": "cyner2_5class_train_06290", "source": "cyner2_5class_train"}} +{"text": "Conclusions Every day , there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters .", "spans": {}, "info": {"id": "cyner2_5class_train_06291", "source": "cyner2_5class_train"}} +{"text": "The macro will download ransomware or banking malware after 
execution. JavaScript files, executed by Wscript in Windows, dropping, for example, Locky ransomware.", "spans": {"Malware: macro": [[4, 9]], "Malware: ransomware": [[24, 34]], "Malware: banking malware": [[38, 53]], "Indicator: JavaScript files,": [[71, 88]], "Indicator: Wscript": [[101, 108]], "System: Windows,": [[112, 120]], "Malware: Locky ransomware.": [[144, 161]]}, "info": {"id": "cyner2_5class_train_06292", "source": "cyner2_5class_train"}} +{"text": "The image below shows the function that parses the SMS messages , decrypts them using the hardcoded RSA private key and executes the commands .", "spans": {}, "info": {"id": "cyner2_5class_train_06293", "source": "cyner2_5class_train"}} +{"text": "The archive also contained all the necessary codes to target Australian financial institutions .", "spans": {}, "info": {"id": "cyner2_5class_train_06294", "source": "cyner2_5class_train"}} +{"text": "OceanLotus, also known as APT32, is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics, techniques, and procedures TTPs.", "spans": {"Indicator: attack": [[127, 133]]}, "info": {"id": "cyner2_5class_train_06295", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.SoulClose.E Worm.Win32.VB!O W32.Vb.RC Win32.Worm.SoulClose.E W32/VB.rc Win32.Worm.SoulClose.E PE_SOULOPEN.A Win32.Worm.VB.bc W32/Worm.EGII-1744 W32.Fujacks.C Win32/NoelOpus.B PE_SOULOPEN.A Win.Worm.VB-5176 Win32.Worm.SoulClose.E Worm.Win32.VB.rc Win32.Worm.SoulClose.E Trojan.Win32.VB.ooto Worm.Win32.A.VB.66048.A[UPX] Worm.W32.Vb!c Win32.Worm.SoulClose.E Virus.Win32.VB.~A Win32.Worm.SoulClose.E Win32.HLLW.Autoruner.2173 BehavesLike.Win32.Dropper.tm W32/Worm.VIF Worm/VB.pcu TR/VB.dek.1 Worm/Win32.VB Worm.VB.rc.kcloud Worm:Win32/Soulclose.A Worm.Win32.VB.rc Trojan/Win32.HDC.C146348 W32/HLLP.Soul.a Worm.VB Win32/AutoRun.VB.HG Win32.Worm.Vb.Eex Worm.Soulclose!T6Z53ODblJg Virus.Worm.Win32.VB W32/VB.MJU!tr Virus.Win32.VBViking.I", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.SoulClose.E": [[26, 48], [75, 97], [108, 130], [243, 265], [283, 305], [370, 392], [411, 433]], "Indicator: Worm.Win32.VB!O": [[49, 64]], "Indicator: W32.Vb.RC": [[65, 74]], "Indicator: W32/VB.rc": [[98, 107]], "Indicator: PE_SOULOPEN.A": [[131, 144], [212, 225]], "Indicator: Win32.Worm.VB.bc": [[145, 161]], "Indicator: W32/Worm.EGII-1744": [[162, 180]], "Indicator: W32.Fujacks.C": [[181, 194]], "Indicator: Win32/NoelOpus.B": [[195, 211]], "Indicator: Win.Worm.VB-5176": [[226, 242]], "Indicator: Worm.Win32.VB.rc": [[266, 282], [581, 597]], "Indicator: Trojan.Win32.VB.ooto": [[306, 326]], "Indicator: Worm.Win32.A.VB.66048.A[UPX]": [[327, 355]], "Indicator: Worm.W32.Vb!c": [[356, 369]], "Indicator: Virus.Win32.VB.~A": [[393, 410]], "Indicator: Win32.HLLW.Autoruner.2173": [[434, 459]], "Indicator: BehavesLike.Win32.Dropper.tm": [[460, 488]], "Indicator: W32/Worm.VIF": [[489, 501]], "Indicator: Worm/VB.pcu": [[502, 513]], "Indicator: TR/VB.dek.1": [[514, 525]], "Indicator: Worm/Win32.VB": [[526, 539]], "Indicator: Worm.VB.rc.kcloud": [[540, 557]], "Indicator: Worm:Win32/Soulclose.A": [[558, 580]], "Indicator: Trojan/Win32.HDC.C146348": [[598, 622]], "Indicator: W32/HLLP.Soul.a": [[623, 638]], "Indicator: Worm.VB": [[639, 646]], "Indicator: Win32/AutoRun.VB.HG": [[647, 666]], "Indicator: Win32.Worm.Vb.Eex": [[667, 684]], "Indicator: Worm.Soulclose!T6Z53ODblJg": [[685, 711]], "Indicator: Virus.Worm.Win32.VB": [[712, 731]], "Indicator: W32/VB.MJU!tr": [[732, 745]], "Indicator: Virus.Win32.VBViking.I": [[746, 768]]}, "info": {"id": "cyner2_5class_train_06296", "source": "cyner2_5class_train"}} +{"text": "In our case , the administrator phone number belongs to a mobile network in Australia .", "spans": {}, "info": {"id": "cyner2_5class_train_06297", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Way Backdoor.Way.Win32.124 W32/Backdoor.HAT Backdoor.Trojan Win32/FakeMS.WOCR 
Win.Trojan.Dealply-6391261-0 Backdoor.Win32.Way.10 Trojan.Win32.Way.wibi Trojan.Win32.Z.Way.314010 Backdoor.W32.Way!c BackDoor.Way.10 Backdoor.Win32.Way W32/Backdoor.EORF-5693 Backdoor/NetStar.10 Trojan[Backdoor]/Win32.Way Backdoor.Win32.Way.10 Win32.Backdoor.Way.Dztb Backdoor.Way!jjTH+E6uXaw W32/Way.A!tr Win32/Backdoor.008", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Way": [[26, 38]], "Indicator: Backdoor.Way.Win32.124": [[39, 61]], "Indicator: W32/Backdoor.HAT": [[62, 78]], "Indicator: Backdoor.Trojan": [[79, 94]], "Indicator: Win32/FakeMS.WOCR": [[95, 112]], "Indicator: Win.Trojan.Dealply-6391261-0": [[113, 141]], "Indicator: Backdoor.Win32.Way.10": [[142, 163], [336, 357]], "Indicator: Trojan.Win32.Way.wibi": [[164, 185]], "Indicator: Trojan.Win32.Z.Way.314010": [[186, 211]], "Indicator: Backdoor.W32.Way!c": [[212, 230]], "Indicator: BackDoor.Way.10": [[231, 246]], "Indicator: Backdoor.Win32.Way": [[247, 265]], "Indicator: W32/Backdoor.EORF-5693": [[266, 288]], "Indicator: Backdoor/NetStar.10": [[289, 308]], "Indicator: Trojan[Backdoor]/Win32.Way": [[309, 335]], "Indicator: Win32.Backdoor.Way.Dztb": [[358, 381]], "Indicator: Backdoor.Way!jjTH+E6uXaw": [[382, 406]], "Indicator: W32/Way.A!tr": [[407, 419]], "Indicator: Win32/Backdoor.008": [[420, 438]]}, "info": {"id": "cyner2_5class_train_06298", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sirefef.A Backdoor/ZAccess.trq Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_SIREFEF.SM Trojan.Win32.ZAccess.tiikz Backdoor.Win32.A.ZAccess.190464.AD Backdoor.Win32.ZAccess.TZS BackDoor.Maxplus.5433 Trojan.FakeAV.Win32.243037 TROJ_SIREFEF.SM BehavesLike.Win32.ZeroAccess.cc Trojan.Win32.Sirefef Backdoor/ZAccess.dbk Trojan[Backdoor]/Win32.ZAccess Trojan:Win32/Sirefef.P Trojan.Kazy.D1335F Backdoor/Win32.ZAccess.R28242 ZeroAccess.ex BScope.Backdoor.Maxplus.2613 Rootkit.0Access", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sirefef.A": [[26, 42]], "Indicator: 
Backdoor/ZAccess.trq": [[43, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[64, 106]], "Indicator: TROJ_SIREFEF.SM": [[107, 122], [261, 276]], "Indicator: Trojan.Win32.ZAccess.tiikz": [[123, 149]], "Indicator: Backdoor.Win32.A.ZAccess.190464.AD": [[150, 184]], "Indicator: Backdoor.Win32.ZAccess.TZS": [[185, 211]], "Indicator: BackDoor.Maxplus.5433": [[212, 233]], "Indicator: Trojan.FakeAV.Win32.243037": [[234, 260]], "Indicator: BehavesLike.Win32.ZeroAccess.cc": [[277, 308]], "Indicator: Trojan.Win32.Sirefef": [[309, 329]], "Indicator: Backdoor/ZAccess.dbk": [[330, 350]], "Indicator: Trojan[Backdoor]/Win32.ZAccess": [[351, 381]], "Indicator: Trojan:Win32/Sirefef.P": [[382, 404]], "Indicator: Trojan.Kazy.D1335F": [[405, 423]], "Indicator: Backdoor/Win32.ZAccess.R28242": [[424, 453]], "Indicator: ZeroAccess.ex": [[454, 467]], "Indicator: BScope.Backdoor.Maxplus.2613": [[468, 496]], "Indicator: Rootkit.0Access": [[497, 512]]}, "info": {"id": "cyner2_5class_train_06299", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Leech.I HEUR:Trojan-Dropper.AndroidOS.Leech.c Android.Packed.5 ZIP/Trojan.PXTI-7 SPR/ANDR.Jiagu.zhye Troj.Dropper.Androidos!c HEUR:Trojan-Dropper.AndroidOS.Leech.c PUA.AndroidOS.MoneyReward", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Leech.I": [[26, 41]], "Indicator: HEUR:Trojan-Dropper.AndroidOS.Leech.c": [[42, 79], [160, 197]], "Indicator: Android.Packed.5": [[80, 96]], "Indicator: ZIP/Trojan.PXTI-7": [[97, 114]], "Indicator: SPR/ANDR.Jiagu.zhye": [[115, 134]], "Indicator: Troj.Dropper.Androidos!c": [[135, 159]], "Indicator: PUA.AndroidOS.MoneyReward": [[198, 223]]}, "info": {"id": "cyner2_5class_train_06300", "source": "cyner2_5class_train"}} +{"text": "When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up.", "spans": {"Malware: malware": [[15, 22]], "Malware: attackers": [[100, 109]]}, "info": {"id": 
"cyner2_5class_train_06301", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Packed.EZip.a Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_BIFROS.SMI Win.Trojan.Mybot-4352 Trojan.Win32.139069.ebchy Backdoor.Win32.Rbot.~d5 TROJ_BIFROS.SMI Trojan/Win32.Unknown Trojan.ManBat.1 Troj.W32.Refroso.lnM8 TrojanDropper:Win32/Bifrose.F Trojan.Win32.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Packed.EZip.a": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[47, 89]], "Indicator: TROJ_BIFROS.SMI": [[90, 105], [178, 193]], "Indicator: Win.Trojan.Mybot-4352": [[106, 127]], "Indicator: Trojan.Win32.139069.ebchy": [[128, 153]], "Indicator: Backdoor.Win32.Rbot.~d5": [[154, 177]], "Indicator: Trojan/Win32.Unknown": [[194, 214]], "Indicator: Trojan.ManBat.1": [[215, 230]], "Indicator: Troj.W32.Refroso.lnM8": [[231, 252]], "Indicator: TrojanDropper:Win32/Bifrose.F": [[253, 282]], "Indicator: Trojan.Win32.Rbot": [[283, 300]]}, "info": {"id": "cyner2_5class_train_06302", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Qhosts Virus.W32.Specx.B!c Heur.Corrupt.PE Trojan[Backdoor]/Win32.IRCBot Worm:Win32/Specx.C.dam#2 Trj/CI.A Worm.Win32.Specx Win32/Trojan.bba", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Qhosts": [[26, 39]], "Indicator: Virus.W32.Specx.B!c": [[40, 59]], "Indicator: Heur.Corrupt.PE": [[60, 75]], "Indicator: Trojan[Backdoor]/Win32.IRCBot": [[76, 105]], "Indicator: Worm:Win32/Specx.C.dam#2": [[106, 130]], "Indicator: Trj/CI.A": [[131, 139]], "Indicator: Worm.Win32.Specx": [[140, 156]], "Indicator: Win32/Trojan.bba": [[157, 173]]}, "info": {"id": "cyner2_5class_train_06303", "source": "cyner2_5class_train"}} +{"text": "After analysis, it was confirmed that the sample belonged to the discovered botnet family Kaiji.", "spans": {"Malware: botnet family Kaiji.": [[76, 96]]}, "info": {"id": "cyner2_5class_train_06304", "source": "cyner2_5class_train"}} +{"text": 
"The many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and abusing existing functionality to perform successful phishing attacks .", "spans": {}, "info": {"id": "cyner2_5class_train_06305", "source": "cyner2_5class_train"}} +{"text": "After receiving the rights , it sets itself as the default SMS app and disappears from the device screen .", "spans": {}, "info": {"id": "cyner2_5class_train_06306", "source": "cyner2_5class_train"}} +{"text": "Botnets can make considerably more money than autonomous Trojans .", "spans": {}, "info": {"id": "cyner2_5class_train_06307", "source": "cyner2_5class_train"}} +{"text": "] orgmediauploader [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06308", "source": "cyner2_5class_train"}} +{"text": "The spam e-mails are enticing users by impersonating well known companies, using their logos and known subject lines to further sell the deception.", "spans": {"Indicator: spam e-mails": [[4, 16]]}, "info": {"id": "cyner2_5class_train_06309", "source": "cyner2_5class_train"}} +{"text": "Admin panel The administration panel shows the application configuration , which matches the commands from the C2 .", "spans": {}, "info": {"id": "cyner2_5class_train_06310", "source": "cyner2_5class_train"}} +{"text": "The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server.", "spans": {"Indicator: javascript window location": [[30, 56]], "Organization: visitor": [[77, 84]], "Indicator: a second URL hosted": [[88, 107]], "System: a dedicated server.": [[111, 130]]}, "info": {"id": "cyner2_5class_train_06311", "source": "cyner2_5class_train"}} +{"text": "In this campaign, it mainly tries to steal Firefox and other credentials.", "spans": {"Indicator: steal": [[37, 42]], "System: Firefox": [[43, 50]], "Indicator: other credentials.": [[55, 73]]}, "info": {"id": 
"cyner2_5class_train_06312", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9900 Win.Spyware.Banker-4198 not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan.Winlock.5377 BehavesLike.Win32.Kespo.cc Troj.W32.Delf.l4mb not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan:Win32/Comine.A Trojan-Downloader.Win32.Banload", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9900": [[26, 68]], "Indicator: Win.Spyware.Banker-4198": [[69, 92]], "Indicator: not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur": [[93, 142], [209, 258]], "Indicator: Trojan.Winlock.5377": [[143, 162]], "Indicator: BehavesLike.Win32.Kespo.cc": [[163, 189]], "Indicator: Troj.W32.Delf.l4mb": [[190, 208]], "Indicator: Trojan:Win32/Comine.A": [[259, 280]], "Indicator: Trojan-Downloader.Win32.Banload": [[281, 312]]}, "info": {"id": "cyner2_5class_train_06313", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kryptik.Win32.1331272 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Kryptik.ewfvwr Trojan.DownLoader24.52368 BehavesLike.Win32.Trojan.jz Trj/GdSda.A Trojan.MSIL.Crypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kryptik.Win32.1331272": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[55, 97]], "Indicator: Trojan.Win32.Kryptik.ewfvwr": [[98, 125]], "Indicator: Trojan.DownLoader24.52368": [[126, 151]], "Indicator: BehavesLike.Win32.Trojan.jz": [[152, 179]], "Indicator: Trj/GdSda.A": [[180, 191]], "Indicator: Trojan.MSIL.Crypt": [[192, 209]]}, "info": {"id": "cyner2_5class_train_06314", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.DAD41 Win32.Trojan.WisdomEyes.16070401.9500.9993 PUA.Downloader Trojan.Win32.AVKill.dciepf Trojan.AVKill.30546 TR/Kryptik.clfug Trojan:MSIL/Krolol.A Win32/Trojan.b49", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.DAD41": [[26, 43]], 
"Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[44, 86]], "Indicator: PUA.Downloader": [[87, 101]], "Indicator: Trojan.Win32.AVKill.dciepf": [[102, 128]], "Indicator: Trojan.AVKill.30546": [[129, 148]], "Indicator: TR/Kryptik.clfug": [[149, 165]], "Indicator: Trojan:MSIL/Krolol.A": [[166, 186]], "Indicator: Win32/Trojan.b49": [[187, 203]]}, "info": {"id": "cyner2_5class_train_06315", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Cloda53.Trojan.5b54 W32/Delf.g W32/SillyWorm.CE W32.Miliam@mm Win.Worm.Minima-1 Email-Worm.Win32.Delf.g Trojan.Win32.Delf.gmcr W32.W.Delf.g!c Worm.Win32.Delf.g Worm.Delf.Win32.349 BehavesLike.Win32.Downloader.lc W32/Worm.NVHR-2426 I-Worm/Delf.ls WORM/Atak.L W32/Delf.G@mm Worm[Email]/Win32.Delf Worm/Win32.Xema.N403133190 Worm:Win32/Miliam.A@mm Worm.Delf Win32.Worm-email.Delf.Ebqb Email-Worm.Win32.Delf I-Worm/Delf.X", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Cloda53.Trojan.5b54": [[26, 49]], "Indicator: W32/Delf.g": [[50, 60]], "Indicator: W32/SillyWorm.CE": [[61, 77]], "Indicator: W32.Miliam@mm": [[78, 91]], "Indicator: Win.Worm.Minima-1": [[92, 109]], "Indicator: Email-Worm.Win32.Delf.g": [[110, 133]], "Indicator: Trojan.Win32.Delf.gmcr": [[134, 156]], "Indicator: W32.W.Delf.g!c": [[157, 171]], "Indicator: Worm.Win32.Delf.g": [[172, 189]], "Indicator: Worm.Delf.Win32.349": [[190, 209]], "Indicator: BehavesLike.Win32.Downloader.lc": [[210, 241]], "Indicator: W32/Worm.NVHR-2426": [[242, 260]], "Indicator: I-Worm/Delf.ls": [[261, 275]], "Indicator: WORM/Atak.L": [[276, 287]], "Indicator: W32/Delf.G@mm": [[288, 301]], "Indicator: Worm[Email]/Win32.Delf": [[302, 324]], "Indicator: Worm/Win32.Xema.N403133190": [[325, 351]], "Indicator: Worm:Win32/Miliam.A@mm": [[352, 374]], "Indicator: Worm.Delf": [[375, 384]], "Indicator: Win32.Worm-email.Delf.Ebqb": [[385, 411]], "Indicator: Email-Worm.Win32.Delf": [[412, 433]], "Indicator: I-Worm/Delf.X": [[434, 447]]}, "info": {"id": 
"cyner2_5class_train_06316", "source": "cyner2_5class_train"}} +{"text": "MainService is the brain of this spyware and controls almost everything—from stealing the victim 's data to deleting it .", "spans": {}, "info": {"id": "cyner2_5class_train_06317", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Softwarebundler.Wizrem.FC.2316 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.Win32.Z.Revirdit.463872 Backdoor:MSIL/Revirdit.A Trojan.MSILPerseus.D1F0A1 Trj/GdSda.A Win32/Trojan.ed9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Softwarebundler.Wizrem.FC.2316": [[26, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[57, 99]], "Indicator: Trojan.Win32.Z.Revirdit.463872": [[100, 130]], "Indicator: Backdoor:MSIL/Revirdit.A": [[131, 155]], "Indicator: Trojan.MSILPerseus.D1F0A1": [[156, 181]], "Indicator: Trj/GdSda.A": [[182, 193]], "Indicator: Win32/Trojan.ed9": [[194, 210]]}, "info": {"id": "cyner2_5class_train_06318", "source": "cyner2_5class_train"}} +{"text": "] infokalisi [ .", "spans": {"Indicator: [ .": [[13, 16]]}, "info": {"id": "cyner2_5class_train_06319", "source": "cyner2_5class_train"}} +{"text": "There is a ‘ protected apps ’ list in this brand ’ s smartphones , related to a battery-saving concept .", "spans": {}, "info": {"id": "cyner2_5class_train_06320", "source": "cyner2_5class_train"}} +{"text": "In total , there are 32 different routines , each of them implementing a different opcode and some basic functionality that the malware program may execute .", "spans": {}, "info": {"id": "cyner2_5class_train_06321", "source": "cyner2_5class_train"}} +{"text": "During a recent compromise assessment, Cylance incident responders and threat researchers uncovered a surreptitious and sophisticated remote access trojan RAT that had been planted and operated by the suspected threat actor.", "spans": {"Organization: Cylance incident responders": [[39, 66]], "Organization: threat researchers": [[71, 89]], "Malware: 
remote access trojan RAT": [[134, 158]]}, "info": {"id": "cyner2_5class_train_06322", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Trojan.DPQH-6594 Win32/Tnega.aTYcGTB Trojan.Win32.Small.cjn Troj.W32.Small!c TR/Jord.dvwus Trojan:Win32/Mvpaten.A Trojan.Win32.Small.cjn Win32.Trojan.Small.Llqr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.DPQH-6594": [[26, 46]], "Indicator: Win32/Tnega.aTYcGTB": [[47, 66]], "Indicator: Trojan.Win32.Small.cjn": [[67, 89], [144, 166]], "Indicator: Troj.W32.Small!c": [[90, 106]], "Indicator: TR/Jord.dvwus": [[107, 120]], "Indicator: Trojan:Win32/Mvpaten.A": [[121, 143]], "Indicator: Win32.Trojan.Small.Llqr": [[167, 190]]}, "info": {"id": "cyner2_5class_train_06323", "source": "cyner2_5class_train"}} +{"text": "Interestingly , we uncovered several expired job posting of Android reverse engineer from the actor ’ s front business published in 2018 and 2019 .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner2_5class_train_06324", "source": "cyner2_5class_train"}} +{"text": "mcpef.apk ( SHA256 : a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac ) : The malicious system application downloaded from server ( package name – com.android.music.helper ) .", "spans": {"Indicator: mcpef.apk": [[0, 9]], "Indicator: a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac": [[21, 85]], "Indicator: com.android.music.helper": [[163, 187]]}, "info": {"id": "cyner2_5class_train_06325", "source": "cyner2_5class_train"}} +{"text": "Targets included a wide array of high-profile entities, including intelligence services, military, utility providers telecommunications and power, embassies, and government institutions.", "spans": {"Organization: high-profile entities,": [[33, 55]], "Organization: intelligence services, military, utility providers telecommunications and power, embassies,": [[66, 157]], "Organization: government institutions.": [[162, 186]]}, "info": {"id": 
"cyner2_5class_train_06326", "source": "cyner2_5class_train"}} +{"text": "Beside the obfuscation and the environment checks , the malware also has some interesting anti-sandbox mechanisms .", "spans": {}, "info": {"id": "cyner2_5class_train_06327", "source": "cyner2_5class_train"}} +{"text": "The first part is the target directory , the second is a regular expression used to match specific files , while the last part is an ID .", "spans": {}, "info": {"id": "cyner2_5class_train_06328", "source": "cyner2_5class_train"}} +{"text": "After execution it takes care of restoring the original KernelCallbackTable .", "spans": {}, "info": {"id": "cyner2_5class_train_06329", "source": "cyner2_5class_train"}} +{"text": "Curiously, the Word document does not contain any macros, or even an exploit.", "spans": {"Indicator: the Word document": [[11, 28]], "Indicator: macros,": [[50, 57]], "Malware: exploit.": [[69, 77]]}, "info": {"id": "cyner2_5class_train_06330", "source": "cyner2_5class_train"}} +{"text": "Attacks on Windows XP allows mobile malware to infect a PC after connecting a smartphone or tablet .", "spans": {"System: Windows XP": [[11, 21]]}, "info": {"id": "cyner2_5class_train_06331", "source": "cyner2_5class_train"}} +{"text": "Rotexy will perform further actions after it receives the corresponding commands : START , STOP , RESTART — start , stop , restart SuperService .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner2_5class_train_06332", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Netsky.T@mm.Damaged Damage.Small W32/Netsky.t@MM W32/Netsky.T@MM I-Worm.Netsky.FJ Netsky.T@mm WORM_NSKY.DAM Win32.NetSky.t Email-Worm.Win32.NetSky.t Email-Worm.Win32.NetSky!IK Heur.Corrupt.PE Win32.HLLM.Netsky.18432 Worm/Netsky.#1 WORM_NSKY.DAM W32/Netsky.t@MM I-Worm/NetSky.u Worm:Win32/Netsky.CY@mm.dam#4 Email-Worm.Win32.NetSky.t Worm.Mail.Win32.NetSky.daq Email-Worm.Win32.NetSky W32/Netsky.T@mm W32/Netsky.T.worm", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Win32.Netsky.T@mm.Damaged": [[26, 51]], "Indicator: Damage.Small": [[52, 64]], "Indicator: W32/Netsky.t@MM": [[65, 80], [277, 292]], "Indicator: W32/Netsky.T@MM": [[81, 96]], "Indicator: I-Worm.Netsky.FJ": [[97, 113]], "Indicator: Netsky.T@mm": [[114, 125]], "Indicator: WORM_NSKY.DAM": [[126, 139], [263, 276]], "Indicator: Win32.NetSky.t": [[140, 154]], "Indicator: Email-Worm.Win32.NetSky.t": [[155, 180], [339, 364]], "Indicator: Email-Worm.Win32.NetSky!IK": [[181, 207]], "Indicator: Heur.Corrupt.PE": [[208, 223]], "Indicator: Win32.HLLM.Netsky.18432": [[224, 247]], "Indicator: Worm/Netsky.#1": [[248, 262]], "Indicator: I-Worm/NetSky.u": [[293, 308]], "Indicator: Worm:Win32/Netsky.CY@mm.dam#4": [[309, 338]], "Indicator: Worm.Mail.Win32.NetSky.daq": [[365, 391]], "Indicator: Email-Worm.Win32.NetSky": [[392, 415]], "Indicator: W32/Netsky.T@mm": [[416, 431]], "Indicator: W32/Netsky.T.worm": [[432, 449]]}, "info": {"id": "cyner2_5class_train_06333", "source": "cyner2_5class_train"}} +{"text": "And finally it's important to highlight that the RAT itself is not new.", "spans": {}, "info": {"id": "cyner2_5class_train_06334", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Autoit.CoinMiner.AT Trojan/CoinMiner.jr Win32.Trojan.WisdomEyes.16070401.9500.9906 TROJ_GE.DAFBBB38 Win32.Trojan.Coinminer.A Troj.W32.Autoit.lWc9 Application.Win32.CoinMiner.B Tool.BtcMine.195 Trojan.CoinMiner.Win32.1291 TR/Comitsproc.gbs Trojan.Autoit.Wirus Win32/Fynloski.AN Worm.Win32.AutoIt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Autoit.CoinMiner.AT": [[26, 52]], "Indicator: Trojan/CoinMiner.jr": [[53, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9906": [[73, 115]], "Indicator: TROJ_GE.DAFBBB38": [[116, 132]], "Indicator: Win32.Trojan.Coinminer.A": [[133, 157]], "Indicator: Troj.W32.Autoit.lWc9": [[158, 178]], "Indicator: Application.Win32.CoinMiner.B": [[179, 208]], "Indicator: Tool.BtcMine.195": [[209, 
225]], "Indicator: Trojan.CoinMiner.Win32.1291": [[226, 253]], "Indicator: TR/Comitsproc.gbs": [[254, 271]], "Indicator: Trojan.Autoit.Wirus": [[272, 291]], "Indicator: Win32/Fynloski.AN": [[292, 309]], "Indicator: Worm.Win32.AutoIt": [[310, 327]]}, "info": {"id": "cyner2_5class_train_06335", "source": "cyner2_5class_train"}} +{"text": "At that time of the analysis, it was unclear how victims were exposed to OSX/Keydnap.", "spans": {"Malware: OSX/Keydnap.": [[73, 85]]}, "info": {"id": "cyner2_5class_train_06336", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.BSKG.dlyohq Trojan.Packed.29890 Trojan:Win32/Chanitor.A Trojan/Win32.Zbot.C916515 Win32/Injector.BSKG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.BSKG.dlyohq": [[26, 50]], "Indicator: Trojan.Packed.29890": [[51, 70]], "Indicator: Trojan:Win32/Chanitor.A": [[71, 94]], "Indicator: Trojan/Win32.Zbot.C916515": [[95, 120]], "Indicator: Win32/Injector.BSKG": [[121, 140]]}, "info": {"id": "cyner2_5class_train_06337", "source": "cyner2_5class_train"}} +{"text": "But if your device is not from a Chinese manufacturer , then chances that you are a victim of it , are very less .", "spans": {}, "info": {"id": "cyner2_5class_train_06338", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Marijku TROJ_DLOAD.XL W32/Downldr2.FJJI Win32/Tnega.AZ TROJ_DLOAD.XL Trojan.Win32.Downloader.208896.AR Trojan.DownLoad3.7906 BehavesLike.Win32.Downloader.dc W32/Downloader.MIEG-4062 Trojan.Heur.D.nm6fbaHVu8n Trojan:Win32/Marijku.A Trojan/Win32.Downloader.R6539 Win32/BHO.NIZ Trojan.Win32.StartPage.BE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Marijku": [[26, 40]], "Indicator: TROJ_DLOAD.XL": [[41, 54], [88, 101]], "Indicator: W32/Downldr2.FJJI": [[55, 72]], "Indicator: Win32/Tnega.AZ": [[73, 87]], "Indicator: Trojan.Win32.Downloader.208896.AR": [[102, 135]], "Indicator: Trojan.DownLoad3.7906": [[136, 157]], "Indicator: 
BehavesLike.Win32.Downloader.dc": [[158, 189]], "Indicator: W32/Downloader.MIEG-4062": [[190, 214]], "Indicator: Trojan.Heur.D.nm6fbaHVu8n": [[215, 240]], "Indicator: Trojan:Win32/Marijku.A": [[241, 263]], "Indicator: Trojan/Win32.Downloader.R6539": [[264, 293]], "Indicator: Win32/BHO.NIZ": [[294, 307]], "Indicator: Trojan.Win32.StartPage.BE": [[308, 333]]}, "info": {"id": "cyner2_5class_train_06339", "source": "cyner2_5class_train"}} +{"text": "A spear-phishing email targeting a voice actor YouTuber in South Korea was used to distribute Lumma Stealer malware, according to analysis by S2W TALON and the BBC.", "spans": {"Indicator: spear-phishing email": [[2, 22]], "Organization: a voice actor YouTuber": [[33, 55]], "Malware: Lumma Stealer malware,": [[94, 116]], "Organization: S2W TALON": [[142, 151]], "Organization: the BBC.": [[156, 164]]}, "info": {"id": "cyner2_5class_train_06340", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.Downloader.W32.Zlob.kYLL W32/Trojan.BZWN Trojan.Farfli RTKT_FARFLI.EOJ Win.Downloader.13148-1 TrojWare.Win32.Magania.~E Trojan.DownLoad.47002 Downloader.Win32.55183440 RTKT_FARFLI.EOJ Virus.Win32.Hmir Win32.Troj.RootkitT.r.16800 Backdoor:WinNT/Farfli.B!sys Trojan/Win32.Hmir.C55747 Trojan.Graftor.D5437", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.Downloader.W32.Zlob.kYLL": [[26, 55]], "Indicator: W32/Trojan.BZWN": [[56, 71]], "Indicator: Trojan.Farfli": [[72, 85]], "Indicator: RTKT_FARFLI.EOJ": [[86, 101], [199, 214]], "Indicator: Win.Downloader.13148-1": [[102, 124]], "Indicator: TrojWare.Win32.Magania.~E": [[125, 150]], "Indicator: Trojan.DownLoad.47002": [[151, 172]], "Indicator: Downloader.Win32.55183440": [[173, 198]], "Indicator: Virus.Win32.Hmir": [[215, 231]], "Indicator: Win32.Troj.RootkitT.r.16800": [[232, 259]], "Indicator: Backdoor:WinNT/Farfli.B!sys": [[260, 287]], "Indicator: Trojan/Win32.Hmir.C55747": [[288, 312]], "Indicator: Trojan.Graftor.D5437": [[313, 333]]}, "info": {"id": 
"cyner2_5class_train_06341", "source": "cyner2_5class_train"}} +{"text": "Figure 10 .", "spans": {}, "info": {"id": "cyner2_5class_train_06342", "source": "cyner2_5class_train"}} +{"text": "Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.", "spans": {"Organization: governments of members of the Commonwealth of Independent States; Asian, African,": [[37, 118]], "Organization: Middle Eastern governments; organizations": [[123, 164]], "Organization: Chechen extremism;": [[181, 199]], "Organization: Russian speakers": [[204, 220]]}, "info": {"id": "cyner2_5class_train_06343", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9545 Trojan.Win32.Qhost", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9545": [[26, 68]], "Indicator: Trojan.Win32.Qhost": [[69, 87]]}, "info": {"id": "cyner2_5class_train_06344", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Anunau.R002C0DK417 Trojan.Win32.RansomHeur.eutbif Ransom_Anunau.R002C0DK417 BehavesLike.Win32.Evasion.dh Trojan.Win32.Injector TR/AD.RansomHeur.ibtfr Ransom:Win32/Anunau.A Trojan/Win32.Inject.R211968 SScope.Trojan.FakeAV.01695 Trj/CI.A Trojan.Symmi.D13583", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Anunau.R002C0DK417": [[26, 51], [83, 108]], "Indicator: Trojan.Win32.RansomHeur.eutbif": [[52, 82]], "Indicator: BehavesLike.Win32.Evasion.dh": [[109, 137]], "Indicator: Trojan.Win32.Injector": [[138, 159]], "Indicator: TR/AD.RansomHeur.ibtfr": [[160, 182]], "Indicator: Ransom:Win32/Anunau.A": [[183, 204]], "Indicator: Trojan/Win32.Inject.R211968": [[205, 232]], "Indicator: SScope.Trojan.FakeAV.01695": [[233, 259]], "Indicator: Trj/CI.A": [[260, 
268]], "Indicator: Trojan.Symmi.D13583": [[269, 288]]}, "info": {"id": "cyner2_5class_train_06345", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Worm.Seroteb.Win32.16 Win32.Trojan.WisdomEyes.16070401.9500.9522 W32/Trojan2.MQYM Worm.Win32.Seroteb.g BehavesLike.Win32.Trojan.nm W32/Trojan.QDYC-8978 Worm:Win32/Serot.A@mm Trojan.CryptRedol!B3FmVPsxcak Worm.Win32.Serot Trj/CI.A Win32/Trojan.029", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Worm.Seroteb.Win32.16": [[44, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9522": [[66, 108]], "Indicator: W32/Trojan2.MQYM": [[109, 125]], "Indicator: Worm.Win32.Seroteb.g": [[126, 146]], "Indicator: BehavesLike.Win32.Trojan.nm": [[147, 174]], "Indicator: W32/Trojan.QDYC-8978": [[175, 195]], "Indicator: Worm:Win32/Serot.A@mm": [[196, 217]], "Indicator: Trojan.CryptRedol!B3FmVPsxcak": [[218, 247]], "Indicator: Worm.Win32.Serot": [[248, 264]], "Indicator: Trj/CI.A": [[265, 273]], "Indicator: Win32/Trojan.029": [[274, 290]]}, "info": {"id": "cyner2_5class_train_06346", "source": "cyner2_5class_train"}} +{"text": "AT&T Alientlabs researchers has discovered new variant of BlackGuard stealer infections using spear phisng attack.", "spans": {"Organization: AT&T Alientlabs researchers": [[0, 27]], "Malware: variant": [[47, 54]], "Malware: BlackGuard stealer": [[58, 76]], "Indicator: spear phisng attack.": [[94, 114]]}, "info": {"id": "cyner2_5class_train_06347", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Goabeny.A8 Trojan.Delf.Win32.88456 HT_GRAFTOR_GI070668.UVPM HT_GRAFTOR_GI070668.UVPM Trojan.Win32.Sdbot.ercwiz TrojWare.Win32.Delf.QJW BackDoor.IRC.Sdbot.34285 BehavesLike.Win32.Trojan.dc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Goabeny.A8": [[26, 43]], "Indicator: Trojan.Delf.Win32.88456": [[44, 67]], "Indicator: HT_GRAFTOR_GI070668.UVPM": [[68, 92], [93, 117]], "Indicator: 
Trojan.Win32.Sdbot.ercwiz": [[118, 143]], "Indicator: TrojWare.Win32.Delf.QJW": [[144, 167]], "Indicator: BackDoor.IRC.Sdbot.34285": [[168, 192]], "Indicator: BehavesLike.Win32.Trojan.dc": [[193, 220]]}, "info": {"id": "cyner2_5class_train_06348", "source": "cyner2_5class_train"}} +{"text": "One interesting thing is that it added some other functions you wouldn't expect to try and emphasize it wasn't a malicious tool by including a piano game and fun manager", "spans": {"Indicator: piano game": [[143, 153]], "Indicator: fun manager": [[158, 169]]}, "info": {"id": "cyner2_5class_train_06349", "source": "cyner2_5class_train"}} +{"text": "Additionally new endpoint was added that seems related to downloading a module for the malware , probably with new features or configuration .", "spans": {}, "info": {"id": "cyner2_5class_train_06350", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Riskware.Win32.Winnti.erfdhv Win32.Winnti.1 HackTool:Win32/Passdash.A!dha Trj/CI.A Win32.Risk.Adware.Ecbn Win32/Virus.Adware.708", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Riskware.Win32.Winnti.erfdhv": [[26, 54]], "Indicator: Win32.Winnti.1": [[55, 69]], "Indicator: HackTool:Win32/Passdash.A!dha": [[70, 99]], "Indicator: Trj/CI.A": [[100, 108]], "Indicator: Win32.Risk.Adware.Ecbn": [[109, 131]], "Indicator: Win32/Virus.Adware.708": [[132, 154]]}, "info": {"id": "cyner2_5class_train_06351", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.RBLM-5940 Trojan[Dropper]/Win32.Dapato TrojanDownloader:Win32/Dapato.M Trojan.Symmi.DB644 Trojan.DR.Dapato!vPidh5qsMRE W32/Onlinegames.QRT!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[26, 68]], "Indicator: W32/Trojan.RBLM-5940": [[69, 89]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[90, 118]], "Indicator: TrojanDownloader:Win32/Dapato.M": [[119, 150]], "Indicator: 
Trojan.Symmi.DB644": [[151, 169]], "Indicator: Trojan.DR.Dapato!vPidh5qsMRE": [[170, 198]], "Indicator: W32/Onlinegames.QRT!tr": [[199, 221]], "Indicator: Trj/CI.A": [[222, 230]]}, "info": {"id": "cyner2_5class_train_06352", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAdware.CA66 not-a-virus:Downloader.Win32.Elex.u Riskware.Win32.WinZipper.eoijjb Adware.Mutabaha.229 Pua.337.Technologies RiskWare[Downloader]/Win32.Elex.u PUP.Adware.Elex Adware.Elex.612528.A not-a-virus:Downloader.Win32.Elex.u PUP.Optional.Elex PUA.Downloader!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAdware.CA66": [[26, 44]], "Indicator: not-a-virus:Downloader.Win32.Elex.u": [[45, 80], [225, 260]], "Indicator: Riskware.Win32.WinZipper.eoijjb": [[81, 112]], "Indicator: Adware.Mutabaha.229": [[113, 132]], "Indicator: Pua.337.Technologies": [[133, 153]], "Indicator: RiskWare[Downloader]/Win32.Elex.u": [[154, 187]], "Indicator: PUP.Adware.Elex": [[188, 203]], "Indicator: Adware.Elex.612528.A": [[204, 224]], "Indicator: PUP.Optional.Elex": [[261, 278]], "Indicator: PUA.Downloader!": [[279, 294]]}, "info": {"id": "cyner2_5class_train_06353", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.542D Trojan.Zenshirsh.SL7 TSPY_MSPOSER.SMZ TSPY_MSPOSER.SMZ Trojan-Dropper.Win32.Daws.dxwt BehavesLike.Win32.Sality.mc Trojan.Win32.Sisron Trojan:Win32/Blihan.A Trj/GdSda.A Trojan.Win32.Sisron.weqa Win32/Trojan.a66", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.542D": [[26, 43]], "Indicator: Trojan.Zenshirsh.SL7": [[44, 64]], "Indicator: TSPY_MSPOSER.SMZ": [[65, 81], [82, 98]], "Indicator: Trojan-Dropper.Win32.Daws.dxwt": [[99, 129]], "Indicator: BehavesLike.Win32.Sality.mc": [[130, 157]], "Indicator: Trojan.Win32.Sisron": [[158, 177]], "Indicator: Trojan:Win32/Blihan.A": [[178, 199]], "Indicator: Trj/GdSda.A": [[200, 211]], "Indicator: Trojan.Win32.Sisron.weqa": [[212, 236]], "Indicator: Win32/Trojan.a66": 
[[237, 253]]}, "info": {"id": "cyner2_5class_train_06354", "source": "cyner2_5class_train"}} +{"text": "a Federal contractor command and control domains, we couldn't help but notice a peculiar related OPM-themed domain, opm-learning[.]org.", "spans": {"Malware: command and control": [[21, 40]], "Indicator: domains,": [[41, 49]], "Indicator: OPM-themed domain, opm-learning[.]org.": [[97, 135]]}, "info": {"id": "cyner2_5class_train_06355", "source": "cyner2_5class_train"}} +{"text": "] 205 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06356", "source": "cyner2_5class_train"}} +{"text": "This campaign was sent to millions of recipients across numerous organizations primarily in Australia.", "spans": {}, "info": {"id": "cyner2_5class_train_06357", "source": "cyner2_5class_train"}} +{"text": "Upon creation , this activity launches a thread that will loop on a 50-second interval .", "spans": {}, "info": {"id": "cyner2_5class_train_06358", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9966 Trojan.Win32.Disfa.eoyfmo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9966": [[26, 68]], "Indicator: Trojan.Win32.Disfa.eoyfmo": [[69, 94]]}, "info": {"id": "cyner2_5class_train_06359", "source": "cyner2_5class_train"}} +{"text": "Extract call logs , contacts and messages from the Skype app .", "spans": {"System: Skype": [[51, 56]]}, "info": {"id": "cyner2_5class_train_06360", "source": "cyner2_5class_train"}} +{"text": "Both sources can be found here and here .", "spans": {}, "info": {"id": "cyner2_5class_train_06361", "source": "cyner2_5class_train"}} +{"text": "New malware is often introduced to underground communities by being promoted and sold or offered as a giveaway .", "spans": {}, "info": {"id": "cyner2_5class_train_06362", "source": "cyner2_5class_train"}} +{"text": "Malware authors are evolving their techniques to evade network and host-based detection 
mechanisms.", "spans": {}, "info": {"id": "cyner2_5class_train_06363", "source": "cyner2_5class_train"}} +{"text": "Of those , 21 were still available at the time of discovery .", "spans": {}, "info": {"id": "cyner2_5class_train_06364", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.VBbot!O Trojan.Jorik.Win32.68017 Win32.Trojan.WisdomEyes.16070401.9500.9994 Trojan.ADH.2 Win.Trojan.Dishigy-5 Worm.Win32.WBNA.ipa Trojan.VbCrypt.68 BehavesLike.Win32.Backdoor.dc Trojan.Win32.Spyeye Worm/Kolab.fyb Worm.Win32.WBNA.ipa Trojan/Win32.Bifrose.C110110 Trojan.Injector!36BeufFOyC8 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.VBbot!O": [[26, 48]], "Indicator: Trojan.Jorik.Win32.68017": [[49, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[74, 116]], "Indicator: Trojan.ADH.2": [[117, 129]], "Indicator: Win.Trojan.Dishigy-5": [[130, 150]], "Indicator: Worm.Win32.WBNA.ipa": [[151, 170], [254, 273]], "Indicator: Trojan.VbCrypt.68": [[171, 188]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[189, 218]], "Indicator: Trojan.Win32.Spyeye": [[219, 238]], "Indicator: Worm/Kolab.fyb": [[239, 253]], "Indicator: Trojan/Win32.Bifrose.C110110": [[274, 302]], "Indicator: Trojan.Injector!36BeufFOyC8": [[303, 330]], "Indicator: Trj/CI.A": [[331, 339]]}, "info": {"id": "cyner2_5class_train_06365", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Other:Android.Reputation.2 HEUR:Trojan-Downloader.AndroidOS.Masplot.a Riskware.Android.RemoteCode.epsqsx Troj.Downloader.Androidos!c Android/Masplot.A!tr.dldr Trojan[Downloader]/Android.Masplot HEUR:Trojan-Downloader.AndroidOS.Masplot.a Android-PUP/Metasploit.5b3de a.gray.stdon", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Other:Android.Reputation.2": [[26, 52]], "Indicator: HEUR:Trojan-Downloader.AndroidOS.Masplot.a": [[53, 95], [220, 262]], "Indicator: Riskware.Android.RemoteCode.epsqsx": [[96, 130]], "Indicator: 
Troj.Downloader.Androidos!c": [[131, 158]], "Indicator: Android/Masplot.A!tr.dldr": [[159, 184]], "Indicator: Trojan[Downloader]/Android.Masplot": [[185, 219]], "Indicator: Android-PUP/Metasploit.5b3de": [[263, 291]], "Indicator: a.gray.stdon": [[292, 304]]}, "info": {"id": "cyner2_5class_train_06366", "source": "cyner2_5class_train"}} +{"text": "This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Indicator: inject arbitrary code": [[47, 68]]}, "info": {"id": "cyner2_5class_train_06367", "source": "cyner2_5class_train"}} +{"text": "Because we hate scammers of all types but especially these guys -- tricking people out of their money by lying to them is evil here are some more Tech Support Scam sites, along with some sample screenshots to give you a sense of the different ways they pitch their scams:", "spans": {}, "info": {"id": "cyner2_5class_train_06368", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Mofei.A Trojan.Win32.Mofeir.ruhef W32/Mofei.A W32.Femot.Worm WORM_MOFEI.A Win32.Femot Net-Worm.Win32.Mofeir.a Win32.Worm.Mopfei.B I-Worm.Mofai!mDpfss79YzI Worm.Win32.Mofei.A Win32.Worm.Mopfei.B BackDoor.Mofei BDS/Mofeir.101.B WORM_MOFEI.A Backdoor/Mofei.101 Worm.Mofeir.kcloud Backdoor:Win32/Mofeir.1_01 Worm.Win32.MoFei.11776 Worm/Win32.Mytob Win32.Worm.Mopfei.B W32/Mofei.CGUW-2000 Worm.Mofeir Net-Worm.Femot Win32/Mofei.A Net-Worm.Win32.Mofeir W32/MoFei.D!worm Worm/Mofeir.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Mofei.A": [[26, 37]], "Indicator: Trojan.Win32.Mofeir.ruhef": [[38, 63]], "Indicator: W32/Mofei.A": [[64, 75]], "Indicator: W32.Femot.Worm": [[76, 90]], "Indicator: WORM_MOFEI.A": [[91, 103], [256, 268]], "Indicator: Win32.Femot": [[104, 115]], "Indicator: Net-Worm.Win32.Mofeir.a": [[116, 139]], "Indicator: Win32.Worm.Mopfei.B": [[140, 159], [204, 223], [374, 393]], "Indicator: 
I-Worm.Mofai!mDpfss79YzI": [[160, 184]], "Indicator: Worm.Win32.Mofei.A": [[185, 203]], "Indicator: BackDoor.Mofei": [[224, 238]], "Indicator: BDS/Mofeir.101.B": [[239, 255]], "Indicator: Backdoor/Mofei.101": [[269, 287]], "Indicator: Worm.Mofeir.kcloud": [[288, 306]], "Indicator: Backdoor:Win32/Mofeir.1_01": [[307, 333]], "Indicator: Worm.Win32.MoFei.11776": [[334, 356]], "Indicator: Worm/Win32.Mytob": [[357, 373]], "Indicator: W32/Mofei.CGUW-2000": [[394, 413]], "Indicator: Worm.Mofeir": [[414, 425]], "Indicator: Net-Worm.Femot": [[426, 440]], "Indicator: Win32/Mofei.A": [[441, 454]], "Indicator: Net-Worm.Win32.Mofeir": [[455, 476]], "Indicator: W32/MoFei.D!worm": [[477, 493]], "Indicator: Worm/Mofeir.B": [[494, 507]]}, "info": {"id": "cyner2_5class_train_06369", "source": "cyner2_5class_train"}} +{"text": "However , samples don ’ t have key capabilities to infect innocent apps on victim devices yet .", "spans": {}, "info": {"id": "cyner2_5class_train_06370", "source": "cyner2_5class_train"}} +{"text": "Last but not least , we publish our findings to help Android users protect themselves .", "spans": {"System: Android": [[53, 60]]}, "info": {"id": "cyner2_5class_train_06371", "source": "cyner2_5class_train"}} +{"text": "How do Android devices become infected ? 
We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores .", "spans": {"Malware: Gooligan": [[64, 72]], "System: Android": [[138, 145]]}, "info": {"id": "cyner2_5class_train_06372", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Win32.Trojan.FlyStudio.F Riskware.Win32.Adw.dneswh Trojan.MulDrop6.42243 BehavesLike.Win32.PWSZbot.tm Trojan.Win32.Seodec TR/Seodec.abne RiskWare[Downloader]/Win32.AdLoad Trojan:Win32/Seodec.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Win32.Trojan.FlyStudio.F": [[47, 71]], "Indicator: Riskware.Win32.Adw.dneswh": [[72, 97]], "Indicator: Trojan.MulDrop6.42243": [[98, 119]], "Indicator: BehavesLike.Win32.PWSZbot.tm": [[120, 148]], "Indicator: Trojan.Win32.Seodec": [[149, 168]], "Indicator: TR/Seodec.abne": [[169, 183]], "Indicator: RiskWare[Downloader]/Win32.AdLoad": [[184, 217]], "Indicator: Trojan:Win32/Seodec.A": [[218, 239]]}, "info": {"id": "cyner2_5class_train_06373", "source": "cyner2_5class_train"}} +{"text": "WhatsApp message capture The service com.serenegiant.service.ScreenRecorderService , is invoked by the ScreenRecorderActivity .", "spans": {"System: WhatsApp": [[0, 8]], "Indicator: com.serenegiant.service.ScreenRecorderService": [[37, 82]]}, "info": {"id": "cyner2_5class_train_06374", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RustogaLTF.Worm Backdoor/W32.Androm.37888 Worm.Kasidet.20653 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Neutrino-6 Backdoor.Win32.Androm.hkrm Trojan.Win32.Neutrino.cwggio BackDoor.Neutrino.1 BehavesLike.Win32.VTFlooder.nh Backdoor/Androm.kfh Trojan[Backdoor]/Win32.Androm Worm:Win32/Kasidet.A Backdoor.Win32.Androm.hkrm Backdoor.Neutrino", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RustogaLTF.Worm": [[26, 45]], "Indicator: Backdoor/W32.Androm.37888": [[46, 71]], "Indicator: 
Worm.Kasidet.20653": [[72, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[91, 133]], "Indicator: Win.Trojan.Neutrino-6": [[134, 155]], "Indicator: Backdoor.Win32.Androm.hkrm": [[156, 182], [334, 360]], "Indicator: Trojan.Win32.Neutrino.cwggio": [[183, 211]], "Indicator: BackDoor.Neutrino.1": [[212, 231]], "Indicator: BehavesLike.Win32.VTFlooder.nh": [[232, 262]], "Indicator: Backdoor/Androm.kfh": [[263, 282]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[283, 312]], "Indicator: Worm:Win32/Kasidet.A": [[313, 333]], "Indicator: Backdoor.Neutrino": [[361, 378]]}, "info": {"id": "cyner2_5class_train_06375", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VBKryptPS.Trojan Trojan/W32.VBKrypt.147456.CC Downldr.Umbald.S624840 Trojan.VBKrypt.Win32.179340 Troj.W32.VBKrypt.tpcC Trojan/VBKrypt.mhte Win32.Trojan.WisdomEyes.16070401.9500.9970 W32/VBTrojan.Dropper.4!Maximus Trojan.VBKrypt Trojan.Win32.VBKrypt.xabo Trojan.Win32.Umbra.efkzrr Trojan.Win32.A.VBKrypt.147456.YW BackDoor.Umbra.10 W32/VBTrojan.Dropper.4!Maximus Trojan/VBKrypt.hmyy Trojan/Win32.VBKrypt Win32.Troj.VBKrypt.kcloud TrojanDownloader:Win32/Umbald.A Trojan.Symmi.DD60 Trojan.Win32.VBKrypt.xabo Trojan/Win32.Jorik.R27694 Trojan.Crypt Win32/Delf.AVY W32/VBKrypt.MBSX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VBKryptPS.Trojan": [[26, 46]], "Indicator: Trojan/W32.VBKrypt.147456.CC": [[47, 75]], "Indicator: Downldr.Umbald.S624840": [[76, 98]], "Indicator: Trojan.VBKrypt.Win32.179340": [[99, 126]], "Indicator: Troj.W32.VBKrypt.tpcC": [[127, 148]], "Indicator: Trojan/VBKrypt.mhte": [[149, 168]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9970": [[169, 211]], "Indicator: W32/VBTrojan.Dropper.4!Maximus": [[212, 242], [361, 391]], "Indicator: Trojan.VBKrypt": [[243, 257]], "Indicator: Trojan.Win32.VBKrypt.xabo": [[258, 283], [509, 534]], "Indicator: Trojan.Win32.Umbra.efkzrr": [[284, 309]], "Indicator: Trojan.Win32.A.VBKrypt.147456.YW": [[310, 342]], 
"Indicator: BackDoor.Umbra.10": [[343, 360]], "Indicator: Trojan/VBKrypt.hmyy": [[392, 411]], "Indicator: Trojan/Win32.VBKrypt": [[412, 432]], "Indicator: Win32.Troj.VBKrypt.kcloud": [[433, 458]], "Indicator: TrojanDownloader:Win32/Umbald.A": [[459, 490]], "Indicator: Trojan.Symmi.DD60": [[491, 508]], "Indicator: Trojan/Win32.Jorik.R27694": [[535, 560]], "Indicator: Trojan.Crypt": [[561, 573]], "Indicator: Win32/Delf.AVY": [[574, 588]], "Indicator: W32/VBKrypt.MBSX!tr": [[589, 608]]}, "info": {"id": "cyner2_5class_train_06376", "source": "cyner2_5class_train"}} +{"text": "Naturally , this resulted in the introduction of malware for mobile platforms , especially Android devices , including Cerberus , Xhelper and the Anubis Banking Trojan .", "spans": {"System: Android": [[91, 98]], "Malware: Cerberus": [[119, 127]], "Malware: Xhelper": [[130, 137]], "Malware: Anubis": [[146, 152]]}, "info": {"id": "cyner2_5class_train_06377", "source": "cyner2_5class_train"}} +{"text": "The malware calls itself Grabit and is distinctive because of its versatile behavior.", "spans": {"Malware: malware": [[4, 11]], "Malware: Grabit": [[25, 31]]}, "info": {"id": "cyner2_5class_train_06378", "source": "cyner2_5class_train"}} +{"text": "People who want to know if their Android devices are infected can download the Check Point app here .", "spans": {"System: Android": [[33, 40]], "Organization: Check Point": [[79, 90]]}, "info": {"id": "cyner2_5class_train_06379", "source": "cyner2_5class_train"}} +{"text": "By analyzing running processes on the infected device , it shows that the malware creates a child process of itself to perform the multi-process ptrace anti-debugging technique .", "spans": {}, "info": {"id": "cyner2_5class_train_06380", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Botter Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Wortrik Email-Worm.Win32.Botter.bv Trojan.Win32.Botter.eroupz Email.Worm.W32!c Win32.HLLW.Phorpiex.222 
Worm.AutoRun.Win32.131461 Worm.Win32.Phorpiex Worm.Botter.j Email-Worm.Win32.Botter.bv Worm:Win32/Dipasik.C!bit Trojan/Win32.Phorpiex.C1326764 BScope.Trojan.IRCbot Win32.Worm-email.Botter.Hyy W32/IRCBot.C!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Botter": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[38, 80]], "Indicator: Trojan.Wortrik": [[81, 95]], "Indicator: Email-Worm.Win32.Botter.bv": [[96, 122], [251, 277]], "Indicator: Trojan.Win32.Botter.eroupz": [[123, 149]], "Indicator: Email.Worm.W32!c": [[150, 166]], "Indicator: Win32.HLLW.Phorpiex.222": [[167, 190]], "Indicator: Worm.AutoRun.Win32.131461": [[191, 216]], "Indicator: Worm.Win32.Phorpiex": [[217, 236]], "Indicator: Worm.Botter.j": [[237, 250]], "Indicator: Worm:Win32/Dipasik.C!bit": [[278, 302]], "Indicator: Trojan/Win32.Phorpiex.C1326764": [[303, 333]], "Indicator: BScope.Trojan.IRCbot": [[334, 354]], "Indicator: Win32.Worm-email.Botter.Hyy": [[355, 382]], "Indicator: W32/IRCBot.C!worm": [[383, 400]]}, "info": {"id": "cyner2_5class_train_06381", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VB.Win32.155357 Trojan.Symmi.DEA81 Win32.Trojan.VB.hs Trojan.Win32.VB.ebwbzr TrojWare.Win32.Downloader.FraudLoad.R BehavesLike.Win32.BadFile.vh W32/VB.GI!tr Trojan:Win32/Tacpud.A Trojan/Win32.VB.C2028217 Trj/GdSda.A Win32.Trojan.Vb.Amcv Trojan.VB!9TqYT8CSaE0 Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VB.Win32.155357": [[26, 48]], "Indicator: Trojan.Symmi.DEA81": [[49, 67]], "Indicator: Win32.Trojan.VB.hs": [[68, 86]], "Indicator: Trojan.Win32.VB.ebwbzr": [[87, 109]], "Indicator: TrojWare.Win32.Downloader.FraudLoad.R": [[110, 147]], "Indicator: BehavesLike.Win32.BadFile.vh": [[148, 176]], "Indicator: W32/VB.GI!tr": [[177, 189]], "Indicator: Trojan:Win32/Tacpud.A": [[190, 211]], "Indicator: Trojan/Win32.VB.C2028217": [[212, 236]], "Indicator: Trj/GdSda.A": [[237, 248]], "Indicator: Win32.Trojan.Vb.Amcv": 
[[249, 269]], "Indicator: Trojan.VB!9TqYT8CSaE0": [[270, 291]], "Indicator: Trojan.Win32.VB": [[292, 307]]}, "info": {"id": "cyner2_5class_train_06382", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.E9A8 Trojan.Zusy.D3F56 Win32.Trojan.WisdomEyes.16070401.9500.9972 W32/Backdoor.RTBO-4851 Backdoor.Trojan BKDR_EXPLOIT.AN Win.Trojan.Ploit-1 BackDoor.Xconf.21 BKDR_EXPLOIT.AN W32/Backdoor.KWF BDS/DarkView.A.3 Backdoor:Win32/DarkView.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.E9A8": [[26, 43]], "Indicator: Trojan.Zusy.D3F56": [[44, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9972": [[62, 104]], "Indicator: W32/Backdoor.RTBO-4851": [[105, 127]], "Indicator: Backdoor.Trojan": [[128, 143]], "Indicator: BKDR_EXPLOIT.AN": [[144, 159], [197, 212]], "Indicator: Win.Trojan.Ploit-1": [[160, 178]], "Indicator: BackDoor.Xconf.21": [[179, 196]], "Indicator: W32/Backdoor.KWF": [[213, 229]], "Indicator: BDS/DarkView.A.3": [[230, 246]], "Indicator: Backdoor:Win32/DarkView.A": [[247, 272]]}, "info": {"id": "cyner2_5class_train_06383", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_WEVARM.SM Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_WEVARM.SM Win.Trojan.Regrun-429 Trojan.Win32.KillProc.boctad Trojan.Win32.Z.Regrun.1865432 W32.W.AutoRun.l6Zu Trojan.KillProc.12652 BehavesLike.Win32.VirRansom.tc TrojanDropper:Win32/Vixemb.A Trojan.KillProc Trj/CI.A Worm.Swimnag!wS08av/7yqU Worm.Win32.Swimnag W32/Swimnag.E!tr Win32/Trojan.1e8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_WEVARM.SM": [[26, 40], [84, 98]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[41, 83]], "Indicator: Win.Trojan.Regrun-429": [[99, 120]], "Indicator: Trojan.Win32.KillProc.boctad": [[121, 149]], "Indicator: Trojan.Win32.Z.Regrun.1865432": [[150, 179]], "Indicator: W32.W.AutoRun.l6Zu": [[180, 198]], "Indicator: Trojan.KillProc.12652": [[199, 220]], "Indicator: 
BehavesLike.Win32.VirRansom.tc": [[221, 251]], "Indicator: TrojanDropper:Win32/Vixemb.A": [[252, 280]], "Indicator: Trojan.KillProc": [[281, 296]], "Indicator: Trj/CI.A": [[297, 305]], "Indicator: Worm.Swimnag!wS08av/7yqU": [[306, 330]], "Indicator: Worm.Win32.Swimnag": [[331, 349]], "Indicator: W32/Swimnag.E!tr": [[350, 366]], "Indicator: Win32/Trojan.1e8": [[367, 383]]}, "info": {"id": "cyner2_5class_train_06384", "source": "cyner2_5class_train"}} +{"text": "OpcJacker is an interesting piece of malware, since its configuration file uses a custom file format to define the stealer's behavior.", "spans": {"Malware: OpcJacker": [[0, 9]], "Malware: malware,": [[37, 45]], "Indicator: configuration file uses": [[56, 79]], "Indicator: custom file format": [[82, 100]]}, "info": {"id": "cyner2_5class_train_06385", "source": "cyner2_5class_train"}} +{"text": "Android documentation describes that function as \" a global action .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": "cyner2_5class_train_06386", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zbot.Win32.171106 Win32.Trojan.Zbot.a Trojan.Zbot TSPY_ZBOT.SMQF Win.Spyware.Zbot-1275 Trojan-Spy.Win32.Zbot.wqpm Trojan.Win32.Panda.cqqwdy Trojan-Spy:W32/Zbot.AVTH Trojan.PWS.Panda.11236 TSPY_ZBOT.SMQF BehavesLike.Win32.PWSZbot.dh Trojan/Win32.Unknown Trojan.Kazy.D359E8 Spyware/Win32.Zbot.R27121 SScope.Trojan.FakeAV.01110 Win32/Spy.Zbot.AAO Trojan.Win32.Zbot.aaw TrojanSpy.Zbot!A8UvbpHn23U Trojan-Spy.Banker.Citadel W32/Zbot.AT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zbot.Win32.171106": [[26, 50]], "Indicator: Win32.Trojan.Zbot.a": [[51, 70]], "Indicator: Trojan.Zbot": [[71, 82]], "Indicator: TSPY_ZBOT.SMQF": [[83, 97], [221, 235]], "Indicator: Win.Spyware.Zbot-1275": [[98, 119]], "Indicator: Trojan-Spy.Win32.Zbot.wqpm": [[120, 146]], "Indicator: Trojan.Win32.Panda.cqqwdy": [[147, 172]], "Indicator: Trojan-Spy:W32/Zbot.AVTH": [[173, 197]], "Indicator: 
Trojan.PWS.Panda.11236": [[198, 220]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[236, 264]], "Indicator: Trojan/Win32.Unknown": [[265, 285]], "Indicator: Trojan.Kazy.D359E8": [[286, 304]], "Indicator: Spyware/Win32.Zbot.R27121": [[305, 330]], "Indicator: SScope.Trojan.FakeAV.01110": [[331, 357]], "Indicator: Win32/Spy.Zbot.AAO": [[358, 376]], "Indicator: Trojan.Win32.Zbot.aaw": [[377, 398]], "Indicator: TrojanSpy.Zbot!A8UvbpHn23U": [[399, 425]], "Indicator: Trojan-Spy.Banker.Citadel": [[426, 451]], "Indicator: W32/Zbot.AT!tr": [[452, 466]]}, "info": {"id": "cyner2_5class_train_06387", "source": "cyner2_5class_train"}} +{"text": "This pulse contains indicators related to a phishing campaign launched against the US election system in 2016.", "spans": {"Indicator: indicators": [[20, 30]], "Organization: the US election system": [[79, 101]]}, "info": {"id": "cyner2_5class_train_06388", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Dorgam!O Win32.Trojan-Dropper.Dorgam.cgdc Backdoor.Bifrose Trojan.Win32.Clicker.ddouvz Trojan.Win32.A.PSW-QQPass.802816 Trojan.Click2.1642 BehavesLike.Win32.BadFile.ch TR/Taranis.4038 Backdoor:Win32/Babmote.A Troj.W32.Sasfis.lqzi Win32.Trojan.FlyStudio.F TrojanDropper.Dorgam Trojan.DR.Dorgam!Cb+DVu4OzCQ W32/QQPass.YZN!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Dorgam!O": [[26, 55]], "Indicator: Win32.Trojan-Dropper.Dorgam.cgdc": [[56, 88]], "Indicator: Backdoor.Bifrose": [[89, 105]], "Indicator: Trojan.Win32.Clicker.ddouvz": [[106, 133]], "Indicator: Trojan.Win32.A.PSW-QQPass.802816": [[134, 166]], "Indicator: Trojan.Click2.1642": [[167, 185]], "Indicator: BehavesLike.Win32.BadFile.ch": [[186, 214]], "Indicator: TR/Taranis.4038": [[215, 230]], "Indicator: Backdoor:Win32/Babmote.A": [[231, 255]], "Indicator: Troj.W32.Sasfis.lqzi": [[256, 276]], "Indicator: Win32.Trojan.FlyStudio.F": [[277, 301]], "Indicator: TrojanDropper.Dorgam": [[302, 322]], 
"Indicator: Trojan.DR.Dorgam!Cb+DVu4OzCQ": [[323, 351]], "Indicator: W32/QQPass.YZN!tr.pws": [[352, 373]]}, "info": {"id": "cyner2_5class_train_06389", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Modphip.A3 Trojan.Graftor.D45BA7 Win32.Trojan.WisdomEyes.16070401.9500.9995 Win32/Pilleuz.H Packed.Win32.Krap.hm Trojan.Win32.Krap.bsvym Trojan.Packed.20343 Trojan.Win32.Yakes Trojan[Packed]/Win32.Krap Trojan:Win32/Modphip.A Packed.Win32.Krap.hm Trojan/Win32.Krap.R35222 BScope.P2P-Worm.Palevo W32/Kryptik.DKU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Modphip.A3": [[26, 43]], "Indicator: Trojan.Graftor.D45BA7": [[44, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[66, 108]], "Indicator: Win32/Pilleuz.H": [[109, 124]], "Indicator: Packed.Win32.Krap.hm": [[125, 145], [258, 278]], "Indicator: Trojan.Win32.Krap.bsvym": [[146, 169]], "Indicator: Trojan.Packed.20343": [[170, 189]], "Indicator: Trojan.Win32.Yakes": [[190, 208]], "Indicator: Trojan[Packed]/Win32.Krap": [[209, 234]], "Indicator: Trojan:Win32/Modphip.A": [[235, 257]], "Indicator: Trojan/Win32.Krap.R35222": [[279, 303]], "Indicator: BScope.P2P-Worm.Palevo": [[304, 326]], "Indicator: W32/Kryptik.DKU!tr": [[327, 345]]}, "info": {"id": "cyner2_5class_train_06390", "source": "cyner2_5class_train"}} +{"text": "The stolen information was transmitted back to the threat actors' infrastructure in an encrypted format.", "spans": {"System: infrastructure": [[66, 80]], "Indicator: encrypted format.": [[87, 104]]}, "info": {"id": "cyner2_5class_train_06391", "source": "cyner2_5class_train"}} +{"text": "Based on reports, as of 2014, it has global users of more than 490 million registered users.", "spans": {}, "info": {"id": "cyner2_5class_train_06392", "source": "cyner2_5class_train"}} +{"text": "The sample we analyzed uses an icon very similar to Google Apps , with the label \" Google Play Marketplace '' to disguise itself .", "spans": {"System: Google 
Apps": [[52, 63]], "System: Google Play Marketplace": [[83, 106]]}, "info": {"id": "cyner2_5class_train_06393", "source": "cyner2_5class_train"}} +{"text": "] 204 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06394", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Proxy.21493 BehavesLike.Win32.VBObfus.nm Trojan.Trickster.a Trojan:Win32/Donvba.A Trojan.Jaik.D3551 Trojan/Win32.Fareit.C1614161 W32/Injector.DGQK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Proxy.21493": [[69, 87]], "Indicator: BehavesLike.Win32.VBObfus.nm": [[88, 116]], "Indicator: Trojan.Trickster.a": [[117, 135]], "Indicator: Trojan:Win32/Donvba.A": [[136, 157]], "Indicator: Trojan.Jaik.D3551": [[158, 175]], "Indicator: Trojan/Win32.Fareit.C1614161": [[176, 204]], "Indicator: W32/Injector.DGQK!tr": [[205, 225]]}, "info": {"id": "cyner2_5class_train_06395", "source": "cyner2_5class_train"}} +{"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets .", "spans": {"Organization: Best Buy": [[23, 31]], "Organization: Amazon.com": [[36, 46]]}, "info": {"id": "cyner2_5class_train_06396", "source": "cyner2_5class_train"}} +{"text": "It contained a part of recently leaked Zeus source code, which allowed Ramnit to become a banking trojan.", "spans": {"Malware: Zeus source code,": [[39, 56]], "Malware: Ramnit": [[71, 77]], "Malware: a banking trojan.": [[88, 105]]}, "info": {"id": "cyner2_5class_train_06397", "source": "cyner2_5class_train"}} +{"text": "( deprecated in API level 21 ) SYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all other apps .", "spans": {}, "info": {"id": "cyner2_5class_train_06398", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Garex Trojan.Win64.Wurser.b Troj.Win64.Wurser!c Trojan.Win64.Wurser W64/Trojan.LBAM-3513 
Trojan.Win64.Wurser.b Backdoor:Win32/Garex.B!dha Trojan.Win64.Wurser Win64.Trojan.Wurser.Peqd Win32/Trojan.7be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Garex": [[26, 40]], "Indicator: Trojan.Win64.Wurser.b": [[41, 62], [124, 145]], "Indicator: Troj.Win64.Wurser!c": [[63, 82]], "Indicator: Trojan.Win64.Wurser": [[83, 102], [173, 192]], "Indicator: W64/Trojan.LBAM-3513": [[103, 123]], "Indicator: Backdoor:Win32/Garex.B!dha": [[146, 172]], "Indicator: Win64.Trojan.Wurser.Peqd": [[193, 217]], "Indicator: Win32/Trojan.7be": [[218, 234]]}, "info": {"id": "cyner2_5class_train_06399", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject Win32.Trojan.Delf.am W32/Trojan.SHRZ-8205 Win32.Worm.Delf.Dxcp Trojan.PWS.Banks.799 W32.W.AutoRun.lmnK Backdoor:Win32/Aybo.B Trojan.Delf Trojan.Win32.VMProtect Win32/Trojan.079", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject": [[26, 39]], "Indicator: Win32.Trojan.Delf.am": [[40, 60]], "Indicator: W32/Trojan.SHRZ-8205": [[61, 81]], "Indicator: Win32.Worm.Delf.Dxcp": [[82, 102]], "Indicator: Trojan.PWS.Banks.799": [[103, 123]], "Indicator: W32.W.AutoRun.lmnK": [[124, 142]], "Indicator: Backdoor:Win32/Aybo.B": [[143, 164]], "Indicator: Trojan.Delf": [[165, 176]], "Indicator: Trojan.Win32.VMProtect": [[177, 199]], "Indicator: Win32/Trojan.079": [[200, 216]]}, "info": {"id": "cyner2_5class_train_06400", "source": "cyner2_5class_train"}} +{"text": "On several occasions, we verified that these details are correct for the intended victim.", "spans": {}, "info": {"id": "cyner2_5class_train_06401", "source": "cyner2_5class_train"}} +{"text": "\" Emboldened by financial and technological independence , their skillsets will advance–putting end users , enterprises , and government agencies at risk .", "spans": {}, "info": {"id": "cyner2_5class_train_06402", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Packed-76 Trojan-Downloader.Win32.Qvod.col 
Trojan.Win32.Swisyn!IK Trojan.Win32.Swisyn W32/Qvod.EF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Packed-76": [[26, 42]], "Indicator: Trojan-Downloader.Win32.Qvod.col": [[43, 75]], "Indicator: Trojan.Win32.Swisyn!IK": [[76, 98]], "Indicator: Trojan.Win32.Swisyn": [[99, 118]], "Indicator: W32/Qvod.EF!tr": [[119, 133]]}, "info": {"id": "cyner2_5class_train_06403", "source": "cyner2_5class_train"}} +{"text": "The increasing sophistication of surveillanceware The structure of the surveillanceware indicates it is very sophisticated .", "spans": {}, "info": {"id": "cyner2_5class_train_06404", "source": "cyner2_5class_train"}} +{"text": "The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long standing interest in the HealthCare industry.", "spans": {"Organization: organizations": [[58, 71]], "Organization: Manufacturing, Technology": [[79, 104]], "Organization: Utilities verticals,": [[109, 129]], "Organization: the HealthCare industry.": [[171, 195]]}, "info": {"id": "cyner2_5class_train_06405", "source": "cyner2_5class_train"}} +{"text": "'' Debug information on logcat Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum .", "spans": {}, "info": {"id": "cyner2_5class_train_06406", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Redrac.A@mm Win32.Redrac.A@mm Win32.Redrac.A@mm Trojan.Win32.Redrac.enor W32.Redrac@mm Win32/Redrac.A Email-Worm.Win32.Redrac Win32.Redrac.A@mm Worm.Redrac!vQPr8wluFnM W32.W.Redrac!c Win32.Redrac.A@mm Worm.Win32.Redrac.A Win32.Redrac.A@mm Win32.HLLM.Redrac Worm.Redrac.Win32.1 BehavesLike.Win32.AdwareRBlast.cc W32/Redrac.AFIQ-7566 Worm/Sramota.axa WORM/Redrac.A Worm[Email]/Win32.Redrac Win32.Redrac.E90817 Trojan/Win32.Xema Worm:Win32/Redrac.A@mm Virus.Win32.Heur.l W32/Gnome.C.worm Win32.Redrac.A@mm 
I-Worm/Redrac.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Redrac.A@mm": [[26, 43], [44, 61], [62, 79], [158, 175], [215, 232], [253, 270], [517, 534]], "Indicator: Trojan.Win32.Redrac.enor": [[80, 104]], "Indicator: W32.Redrac@mm": [[105, 118]], "Indicator: Win32/Redrac.A": [[119, 133]], "Indicator: Email-Worm.Win32.Redrac": [[134, 157]], "Indicator: Worm.Redrac!vQPr8wluFnM": [[176, 199]], "Indicator: W32.W.Redrac!c": [[200, 214]], "Indicator: Worm.Win32.Redrac.A": [[233, 252]], "Indicator: Win32.HLLM.Redrac": [[271, 288]], "Indicator: Worm.Redrac.Win32.1": [[289, 308]], "Indicator: BehavesLike.Win32.AdwareRBlast.cc": [[309, 342]], "Indicator: W32/Redrac.AFIQ-7566": [[343, 363]], "Indicator: Worm/Sramota.axa": [[364, 380]], "Indicator: WORM/Redrac.A": [[381, 394]], "Indicator: Worm[Email]/Win32.Redrac": [[395, 419]], "Indicator: Win32.Redrac.E90817": [[420, 439]], "Indicator: Trojan/Win32.Xema": [[440, 457]], "Indicator: Worm:Win32/Redrac.A@mm": [[458, 480]], "Indicator: Virus.Win32.Heur.l": [[481, 499]], "Indicator: W32/Gnome.C.worm": [[500, 516]], "Indicator: I-Worm/Redrac.A": [[535, 550]]}, "info": {"id": "cyner2_5class_train_06407", "source": "cyner2_5class_train"}} +{"text": "This enables it to launch malicious apps without the user ’ s awareness and explicit consent .", "spans": {}, "info": {"id": "cyner2_5class_train_06408", "source": "cyner2_5class_train"}} +{"text": "It provides a robust set of capabilities, including: file transfer, screen capture, keystroke logging, process injection, process manipulation, and task scheduling.", "spans": {}, "info": {"id": "cyner2_5class_train_06409", "source": "cyner2_5class_train"}} +{"text": "CONCLUSIONS FakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries .", "spans": {"Malware: FakeSpy": [[12, 19]]}, "info": {"id": "cyner2_5class_train_06410", "source": "cyner2_5class_train"}} +{"text": "A common misconfiguration attempts to download the non-existant file 
at http://www.server.com/sqlite3.dll", "spans": {"Indicator: misconfiguration": [[9, 25]], "Indicator: file": [[64, 68]], "Indicator: http://www.server.com/sqlite3.dll": [[72, 105]]}, "info": {"id": "cyner2_5class_train_06411", "source": "cyner2_5class_train"}} +{"text": "Check Point researchers discovered another widespread malware campaign on Google Play , Google ’ s official app store .", "spans": {"Organization: Check Point": [[0, 11]], "System: Google Play": [[74, 85]], "Organization: Google": [[88, 94]]}, "info": {"id": "cyner2_5class_train_06412", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Ladex.A@mm W32/Ladex.worm W32.W.Ladex.a!c W32/Ladex.worm Win32.Ladex.E90817 W32.Dalbug.Worm Win32/Ladex.A Win.Worm.Ladex-1 Worm.Win32.Ladex.a Win32.Ladex.A@mm Trojan.Win32.Ladex.bxker Win32.Ladex.A@mm Worm.Win32.Ladex.A Win32.Ladex.A@mm Win32.HLLW.Ladex Worm.Ladex.Win32.2 W32/Ladex.worm W32/Risk.UDJC-2718 WORM/Ladex.A W32/Ladex.A!worm Worm/Win32.Ladex Worm.Win32.Ladex.a Win32.Ladex.A@mm Worm.Ladex W32/Ladex.D.worm Worm.Win32.Ladex.a.2 Trojan-IM.Win16.PS Win32.Ladex.A@mm Win32/Worm.f02", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Ladex.A@mm": [[26, 42], [174, 190], [216, 232], [252, 268], [405, 421], [490, 506]], "Indicator: W32/Ladex.worm": [[43, 57], [74, 88], [305, 319]], "Indicator: W32.W.Ladex.a!c": [[58, 73]], "Indicator: Win32.Ladex.E90817": [[89, 107]], "Indicator: W32.Dalbug.Worm": [[108, 123]], "Indicator: Win32/Ladex.A": [[124, 137]], "Indicator: Win.Worm.Ladex-1": [[138, 154]], "Indicator: Worm.Win32.Ladex.a": [[155, 173], [386, 404]], "Indicator: Trojan.Win32.Ladex.bxker": [[191, 215]], "Indicator: Worm.Win32.Ladex.A": [[233, 251]], "Indicator: Win32.HLLW.Ladex": [[269, 285]], "Indicator: Worm.Ladex.Win32.2": [[286, 304]], "Indicator: W32/Risk.UDJC-2718": [[320, 338]], "Indicator: WORM/Ladex.A": [[339, 351]], "Indicator: W32/Ladex.A!worm": [[352, 368]], "Indicator: Worm/Win32.Ladex": [[369, 385]], "Indicator: 
Worm.Ladex": [[422, 432]], "Indicator: W32/Ladex.D.worm": [[433, 449]], "Indicator: Worm.Win32.Ladex.a.2": [[450, 470]], "Indicator: Trojan-IM.Win16.PS": [[471, 489]], "Indicator: Win32/Worm.f02": [[507, 521]]}, "info": {"id": "cyner2_5class_train_06413", "source": "cyner2_5class_train"}} +{"text": "It is quite unusual to find an actual organization behind mobile malware , as most of them are developed by purely malicious actors .", "spans": {}, "info": {"id": "cyner2_5class_train_06414", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ZbalCS.S302126 Backdoor.Konus.Win32.1 Trojan/Kryptik.flew Trojan.Midie.D88E4 TROJ_KRYPTIK_GC140164.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9700 TROJ_KRYPTIK_GC140164.UVPM Win.Trojan.Ag-4254306-1 Trojan.Win32.Kryptik.emceui Trojan.DownLoader23.52205 BehavesLike.Win32.PWSZbot.fc Backdoor.Konus.b TR/Crypt.EPACK.rguwm Backdoor.Konus! W32/Kryptik.FLEW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ZbalCS.S302126": [[26, 47]], "Indicator: Backdoor.Konus.Win32.1": [[48, 70]], "Indicator: Trojan/Kryptik.flew": [[71, 90]], "Indicator: Trojan.Midie.D88E4": [[91, 109]], "Indicator: TROJ_KRYPTIK_GC140164.UVPM": [[110, 136], [180, 206]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9700": [[137, 179]], "Indicator: Win.Trojan.Ag-4254306-1": [[207, 230]], "Indicator: Trojan.Win32.Kryptik.emceui": [[231, 258]], "Indicator: Trojan.DownLoader23.52205": [[259, 284]], "Indicator: BehavesLike.Win32.PWSZbot.fc": [[285, 313]], "Indicator: Backdoor.Konus.b": [[314, 330]], "Indicator: TR/Crypt.EPACK.rguwm": [[331, 351]], "Indicator: Backdoor.Konus!": [[352, 367]], "Indicator: W32/Kryptik.FLEW!tr": [[368, 387]]}, "info": {"id": "cyner2_5class_train_06415", "source": "cyner2_5class_train"}} +{"text": "Enterprises are currently being targeted by the macro malware BARTALEX in a recent outbreak of thousands of spammed emails.", "spans": {"Malware: macro malware BARTALEX": [[48, 70]], "Indicator: spammed 
emails.": [[108, 123]]}, "info": {"id": "cyner2_5class_train_06416", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Ares.A Backdoor/W32.Aresdor.15872 Backdoor/Aresdor.13 Backdoor.Ares.A W32/Risk.WUTO-4007 Backdoor.Trojan Win32/Aresdor.13.C BKDR_ARESDOR.A Backdoor.Win32.Aresdor.13 Trojan.Win32.Aresdor.dblp Backdoor.Win32.Z.Aresdor.15872[h] Backdoor.W32.Aresdor.13!c Backdoor.Ares.A Backdoor.Win32.Aresdor.13.C Backdoor.Ares.A BackDoor.Ares.13 Backdoor.Aresdor.Win32.3 BKDR_ARESDOR.A Backdoor/Aresdor.a BDC/Aresdor.13.1.A W32/Ares.C!tr.bdr Trojan[Backdoor]/Win32.Aresdor Backdoor.Ares.A Win-Trojan/Aresdor.15872 Backdoor:Win32/Ares.A Backdoor.Ares.A Backdoor.Aresdor Win32.Backdoor.Aresdor.Wpte Backdoor.Aresdor!SN6VLScBnkQ Trojan.Win32.Aresdor Backdoor.Ares.A BackDoor.Aresdor.C Backdoor.Win32.Aresdor.13 Win32/Backdoor.a98", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Ares.A": [[26, 41], [89, 104], [286, 301], [330, 345], [490, 505], [553, 568], [664, 679]], "Indicator: Backdoor/W32.Aresdor.15872": [[42, 68]], "Indicator: Backdoor/Aresdor.13": [[69, 88]], "Indicator: W32/Risk.WUTO-4007": [[105, 123]], "Indicator: Backdoor.Trojan": [[124, 139]], "Indicator: Win32/Aresdor.13.C": [[140, 158]], "Indicator: BKDR_ARESDOR.A": [[159, 173], [388, 402]], "Indicator: Backdoor.Win32.Aresdor.13": [[174, 199], [699, 724]], "Indicator: Trojan.Win32.Aresdor.dblp": [[200, 225]], "Indicator: Backdoor.Win32.Z.Aresdor.15872[h]": [[226, 259]], "Indicator: Backdoor.W32.Aresdor.13!c": [[260, 285]], "Indicator: Backdoor.Win32.Aresdor.13.C": [[302, 329]], "Indicator: BackDoor.Ares.13": [[346, 362]], "Indicator: Backdoor.Aresdor.Win32.3": [[363, 387]], "Indicator: Backdoor/Aresdor.a": [[403, 421]], "Indicator: BDC/Aresdor.13.1.A": [[422, 440]], "Indicator: W32/Ares.C!tr.bdr": [[441, 458]], "Indicator: Trojan[Backdoor]/Win32.Aresdor": [[459, 489]], "Indicator: Win-Trojan/Aresdor.15872": [[506, 530]], "Indicator: Backdoor:Win32/Ares.A": [[531, 552]], 
"Indicator: Backdoor.Aresdor": [[569, 585]], "Indicator: Win32.Backdoor.Aresdor.Wpte": [[586, 613]], "Indicator: Backdoor.Aresdor!SN6VLScBnkQ": [[614, 642]], "Indicator: Trojan.Win32.Aresdor": [[643, 663]], "Indicator: BackDoor.Aresdor.C": [[680, 698]], "Indicator: Win32/Backdoor.a98": [[725, 743]]}, "info": {"id": "cyner2_5class_train_06417", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Dropper.E W97M/DownldExe.A W97M.Downloader W97M/DownldExe.A W2000M/Dldr.Jetoypt.A W97M/Dloader.NCN!tr HEUR.VBA.Trojan Heur.MSWord.Downloader.b Trojan-Downloader.W97M.Small Macro.Trojan-Downloader.Broxoff.B heur.macro.download.e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Dropper.E": [[26, 40]], "Indicator: W97M/DownldExe.A": [[41, 57], [74, 90]], "Indicator: W97M.Downloader": [[58, 73]], "Indicator: W2000M/Dldr.Jetoypt.A": [[91, 112]], "Indicator: W97M/Dloader.NCN!tr": [[113, 132]], "Indicator: HEUR.VBA.Trojan": [[133, 148]], "Indicator: Heur.MSWord.Downloader.b": [[149, 173]], "Indicator: Trojan-Downloader.W97M.Small": [[174, 202]], "Indicator: Macro.Trojan-Downloader.Broxoff.B": [[203, 236]], "Indicator: heur.macro.download.e": [[237, 258]]}, "info": {"id": "cyner2_5class_train_06418", "source": "cyner2_5class_train"}} +{"text": "It highlights the analysis flow using two of our flagship products, Security Analytics SA and the Enterprise Compromise Assessment Tool ECAT, for an Advance Persistent Threat APT intrusion investigation.", "spans": {"System: flagship products, Security Analytics SA": [[49, 89]], "System: the Enterprise Compromise Assessment Tool ECAT,": [[94, 141]]}, "info": {"id": "cyner2_5class_train_06419", "source": "cyner2_5class_train"}} +{"text": "This app appears to have become unavailable on Google Play in March 2020 .", "spans": {"System: Google Play": [[47, 58]]}, "info": {"id": "cyner2_5class_train_06420", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Perkesh.B 
TrojanDropper.Perkesh.C2 Trojan.Perkesh.B Trojan/Downloader.Fiegi.ar TROJ_PERKESH.SMF TROJ_PERKESH.SMF Trojan.Perkesh.B Trojan.Perkesh.B Trojan.Win32.Downloader.44032.DO TrojWare.Win32.Downloader.Small.ai43 Trojan.MulDrop.34331 TrojanDropper:Win32/Perkesh.C Trojan.Perkesh.B BScope.Trojan.SvcHorse.01643 Trojan.Perkesh.B Trj/Murlo.P Win32/TrojanDownloader.Perkesh.F Trojan-Downloader.Win32.Perkesh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Perkesh.B": [[26, 42], [68, 84], [146, 162], [163, 179], [301, 317], [347, 363]], "Indicator: TrojanDropper.Perkesh.C2": [[43, 67]], "Indicator: Trojan/Downloader.Fiegi.ar": [[85, 111]], "Indicator: TROJ_PERKESH.SMF": [[112, 128], [129, 145]], "Indicator: Trojan.Win32.Downloader.44032.DO": [[180, 212]], "Indicator: TrojWare.Win32.Downloader.Small.ai43": [[213, 249]], "Indicator: Trojan.MulDrop.34331": [[250, 270]], "Indicator: TrojanDropper:Win32/Perkesh.C": [[271, 300]], "Indicator: BScope.Trojan.SvcHorse.01643": [[318, 346]], "Indicator: Trj/Murlo.P": [[364, 375]], "Indicator: Win32/TrojanDownloader.Perkesh.F": [[376, 408]], "Indicator: Trojan-Downloader.Win32.Perkesh": [[409, 440]]}, "info": {"id": "cyner2_5class_train_06421", "source": "cyner2_5class_train"}} +{"text": "MalwareBytes recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.", "spans": {"Malware: MalwareBytes": [[0, 12]], "Organization: a Saudi Arabia Government": [[55, 80]], "Indicator: malicious Word document": [[94, 117]], "Indicator: an attack": [[148, 157]]}, "info": {"id": "cyner2_5class_train_06422", "source": "cyner2_5class_train"}} +{"text": "We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution.", "spans": {"Indicator: WordPress sites,": [[62, 78]], "Indicator: SEO spam distribution.": [[106, 128]]}, "info": {"id": 
"cyner2_5class_train_06423", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/VB.auv BKDR_VB.GXX Win32.Trojan.WisdomEyes.16070401.9500.9813 W32/Backdoor2.EBKN Backdoor.Trojan BKDR_VB.GXX Backdoor.Win32.VB.apw Trojan.Win32.VB.ehzv Backdoor.Win32.S.VB.1007657.A Backdoor.W32.VB.apw!c Backdoor.Win32.VB.~UU Backdoor.VB.Win32.2378 BehavesLike.Win32.Trojan.dm W32/Backdoor.LCBL-3812 BDS/VB.A.109 Trojan[Backdoor]/Win32.VB Backdoor.Win32.VB.apw Trojan/Win32.Xema.C44642 BScope.Trojan-Dropper.Injector Trj/SpyMaster.C Win32/VB.AUV Win32.Backdoor.Vb.srv Backdoor.VB!xTNIvgAXzis Backdoor.Win32.VB W32/VB.0F07!tr Win32/Backdoor.8f4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/VB.auv": [[26, 41]], "Indicator: BKDR_VB.GXX": [[42, 53], [132, 143]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9813": [[54, 96]], "Indicator: W32/Backdoor2.EBKN": [[97, 115]], "Indicator: Backdoor.Trojan": [[116, 131]], "Indicator: Backdoor.Win32.VB.apw": [[144, 165], [374, 395]], "Indicator: Trojan.Win32.VB.ehzv": [[166, 186]], "Indicator: Backdoor.Win32.S.VB.1007657.A": [[187, 216]], "Indicator: Backdoor.W32.VB.apw!c": [[217, 238]], "Indicator: Backdoor.Win32.VB.~UU": [[239, 260]], "Indicator: Backdoor.VB.Win32.2378": [[261, 283]], "Indicator: BehavesLike.Win32.Trojan.dm": [[284, 311]], "Indicator: W32/Backdoor.LCBL-3812": [[312, 334]], "Indicator: BDS/VB.A.109": [[335, 347]], "Indicator: Trojan[Backdoor]/Win32.VB": [[348, 373]], "Indicator: Trojan/Win32.Xema.C44642": [[396, 420]], "Indicator: BScope.Trojan-Dropper.Injector": [[421, 451]], "Indicator: Trj/SpyMaster.C": [[452, 467]], "Indicator: Win32/VB.AUV": [[468, 480]], "Indicator: Win32.Backdoor.Vb.srv": [[481, 502]], "Indicator: Backdoor.VB!xTNIvgAXzis": [[503, 526]], "Indicator: Backdoor.Win32.VB": [[527, 544]], "Indicator: W32/VB.0F07!tr": [[545, 559]], "Indicator: Win32/Backdoor.8f4": [[560, 578]]}, "info": {"id": "cyner2_5class_train_06424", "source": "cyner2_5class_train"}} +{"text": "The 
last time I wrote about poker-related malware, it was about PokerAgent, a trojan propagating through Facebook that was used to steal Facebook users' logon credentials, credit card information and the level of Zynga poker credit.", "spans": {"Malware: poker-related malware,": [[28, 50]], "Malware: PokerAgent,": [[64, 75]], "Malware: trojan": [[78, 84]], "Organization: Facebook": [[105, 113], [137, 145]], "Indicator: users'": [[146, 152]]}, "info": {"id": "cyner2_5class_train_06425", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Joke/W32.BadJoke.230912 Hoax.Fakedel JokeTool.RJLSoftware Aplicacion/FakeDel.c W32/Joke.BE Joke.FakeDel JOKE_FAKEDEL.C Win.Joke.FakeDelete-1 Hoax.Win32.BadJoke.FakeDel.c Riskware.Win32.FakeDel.hsrd Hoax.W32.BadJoke.FakeDel.c!c Joke.Fakedel Tool.BadJoke.Win32.441 JOKE_FAKEDEL.C not-a-virus:BadJoke.Win32.FakeDel.b W32/Joke.HLOW-7548 Hoax.BadJoke.FakeDel.a Joke:Win32/Fakedel.C JOKE/FakeDel.C HackTool[Hoax]/Win32.FakeDel Joke:Win32/Fakedel.C Hoax.Win32.BadJoke.FakeDel.c BadJoke.Win32.FakeDel.c Joke/Fakedel.D Win32.Trojan-psw.Badjoke.Svrk Trojan.BadJoke!Ig2iP/M1kgM Win32/Joke.309", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke/W32.BadJoke.230912": [[26, 49]], "Indicator: Hoax.Fakedel": [[50, 62]], "Indicator: JokeTool.RJLSoftware": [[63, 83]], "Indicator: Aplicacion/FakeDel.c": [[84, 104]], "Indicator: W32/Joke.BE": [[105, 116]], "Indicator: Joke.FakeDel": [[117, 129]], "Indicator: JOKE_FAKEDEL.C": [[130, 144], [289, 303]], "Indicator: Win.Joke.FakeDelete-1": [[145, 166]], "Indicator: Hoax.Win32.BadJoke.FakeDel.c": [[167, 195], [468, 496]], "Indicator: Riskware.Win32.FakeDel.hsrd": [[196, 223]], "Indicator: Hoax.W32.BadJoke.FakeDel.c!c": [[224, 252]], "Indicator: Joke.Fakedel": [[253, 265]], "Indicator: Tool.BadJoke.Win32.441": [[266, 288]], "Indicator: not-a-virus:BadJoke.Win32.FakeDel.b": [[304, 339]], "Indicator: W32/Joke.HLOW-7548": [[340, 358]], "Indicator: Hoax.BadJoke.FakeDel.a": [[359, 381]], 
"Indicator: Joke:Win32/Fakedel.C": [[382, 402], [447, 467]], "Indicator: JOKE/FakeDel.C": [[403, 417]], "Indicator: HackTool[Hoax]/Win32.FakeDel": [[418, 446]], "Indicator: BadJoke.Win32.FakeDel.c": [[497, 520]], "Indicator: Joke/Fakedel.D": [[521, 535]], "Indicator: Win32.Trojan-psw.Badjoke.Svrk": [[536, 565]], "Indicator: Trojan.BadJoke!Ig2iP/M1kgM": [[566, 592]], "Indicator: Win32/Joke.309": [[593, 607]]}, "info": {"id": "cyner2_5class_train_06426", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.921B Trojan.Win32.VBKrypt!O Trojan.VBKrypt Trojan.Heur.E6E8D0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VBKrypt.hrqc Trojan.Win32.Drop.bccyya Trojan.Win32.Z.Vbkrypt.602112.J Trojan.MulDrop2.63923 BehavesLike.Win32.Trojan.hc Trojan.Win32.VB Trojan/VBKrypt.gkpp Trojan/Win32.VBKrypt Trojan:Win32/Msposer.A Trojan.Win32.VBKrypt.hrqc Trojan.VBKrypt Win32.Trojan.Vbkrypt.Phrb W32/Refroso.AGEA!tr Win32/Trojan.169", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.921B": [[26, 42]], "Indicator: Trojan.Win32.VBKrypt!O": [[43, 65]], "Indicator: Trojan.VBKrypt": [[66, 80], [382, 396]], "Indicator: Trojan.Heur.E6E8D0": [[81, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[100, 142]], "Indicator: Trojan.Win32.VBKrypt.hrqc": [[143, 168], [356, 381]], "Indicator: Trojan.Win32.Drop.bccyya": [[169, 193]], "Indicator: Trojan.Win32.Z.Vbkrypt.602112.J": [[194, 225]], "Indicator: Trojan.MulDrop2.63923": [[226, 247]], "Indicator: BehavesLike.Win32.Trojan.hc": [[248, 275]], "Indicator: Trojan.Win32.VB": [[276, 291]], "Indicator: Trojan/VBKrypt.gkpp": [[292, 311]], "Indicator: Trojan/Win32.VBKrypt": [[312, 332]], "Indicator: Trojan:Win32/Msposer.A": [[333, 355]], "Indicator: Win32.Trojan.Vbkrypt.Phrb": [[397, 422]], "Indicator: W32/Refroso.AGEA!tr": [[423, 442]], "Indicator: Win32/Trojan.169": [[443, 459]]}, "info": {"id": "cyner2_5class_train_06427", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: Troj.W32.Autoit!c TROJ_FILPOR.AI Backdoor.Enfourks TROJ_FILPOR.AI Trojan.Win32.Autoit.ezc Trojan.Win32.Autoit.ecevvi Trojan.DownLoader21.32598 Trojan.Autoit.Win32.30656 BehavesLike.Win32.Autorun.hc TR/Autoit.qhpu Trojan.Win32.Autoit.ezc Trojan:Win32/Filpor.A Win32.Trojan.Autoit.Pepf Trojan.Win32.Autoit W32/Autoit.EZC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.W32.Autoit!c": [[26, 43]], "Indicator: TROJ_FILPOR.AI": [[44, 58], [77, 91]], "Indicator: Backdoor.Enfourks": [[59, 76]], "Indicator: Trojan.Win32.Autoit.ezc": [[92, 115], [239, 262]], "Indicator: Trojan.Win32.Autoit.ecevvi": [[116, 142]], "Indicator: Trojan.DownLoader21.32598": [[143, 168]], "Indicator: Trojan.Autoit.Win32.30656": [[169, 194]], "Indicator: BehavesLike.Win32.Autorun.hc": [[195, 223]], "Indicator: TR/Autoit.qhpu": [[224, 238]], "Indicator: Trojan:Win32/Filpor.A": [[263, 284]], "Indicator: Win32.Trojan.Autoit.Pepf": [[285, 309]], "Indicator: Trojan.Win32.Autoit": [[310, 329]], "Indicator: W32/Autoit.EZC!tr": [[330, 347]]}, "info": {"id": "cyner2_5class_train_06428", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DropperHQc.Trojan Trojan.Dropper.UUW Trojan.Dynamer.A4 W32/Trojan.YSAI-0703 Win32/Tnega.ARWO Trojan-Spy.MSIL.KeyLogger.cssc Trojan.Dropper.UUW Trojan.Win32.Drop.ewucrk Uds.Dangerousobject.Multi!c Trojan.Dropper.UUW Trojan.DownLoader1.49310 BehavesLike.Win32.Shodi.cc Trojan.Dropper.UUW Trojan.Win32.Z.Dropper.833273 Trojan-Spy.MSIL.KeyLogger.cssc TrojanDropper:Win32/FakeFlexnet.A Trojan.Dropper.UUW Trojan.Dropper.UUW Hoax.Win32.BadJoke Trj/CI.A Win32/Trojan.BO.19d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DropperHQc.Trojan": [[26, 47]], "Indicator: Trojan.Dropper.UUW": [[48, 66], [154, 172], [226, 244], [297, 315], [411, 429], [430, 448]], "Indicator: Trojan.Dynamer.A4": [[67, 84]], "Indicator: W32/Trojan.YSAI-0703": [[85, 105]], "Indicator: Win32/Tnega.ARWO": [[106, 122]], "Indicator: 
Trojan-Spy.MSIL.KeyLogger.cssc": [[123, 153], [346, 376]], "Indicator: Trojan.Win32.Drop.ewucrk": [[173, 197]], "Indicator: Uds.Dangerousobject.Multi!c": [[198, 225]], "Indicator: Trojan.DownLoader1.49310": [[245, 269]], "Indicator: BehavesLike.Win32.Shodi.cc": [[270, 296]], "Indicator: Trojan.Win32.Z.Dropper.833273": [[316, 345]], "Indicator: TrojanDropper:Win32/FakeFlexnet.A": [[377, 410]], "Indicator: Hoax.Win32.BadJoke": [[449, 467]], "Indicator: Trj/CI.A": [[468, 476]], "Indicator: Win32/Trojan.BO.19d": [[477, 496]]}, "info": {"id": "cyner2_5class_train_06429", "source": "cyner2_5class_train"}} +{"text": "And that ’ s exactly what has happened recently .", "spans": {}, "info": {"id": "cyner2_5class_train_06430", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.Blocker.3262976 Trojan.MSIL.FC.4195 Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Trojan.RPCY-7702 Ransom_Blocker.R038C0DAH18 Trojan-Ransom.Win32.Blocker.juiv Trojan.Win32.Blocker.etmtcp Trojan.Win32.Z.Blocker.3262976.X Troj.Ransom.W32.Blocker!c Trojan.MulDrop7.48467 Ransom_Blocker.R038C0DAH18 Trojan[Ransom]/Win32.Blocker Trojan.MSILPerseus.D107B2 Trojan-Ransom.Win32.Blocker.juiv TrojanSpy:MSIL/Reven.A!bit Trojan/Win32.Blocker.R203232 Ransom.FileCryptor Trj/CI.A Win32.Trojan.Blocker.Aiip Trojan.MSIL.Spy Win32/Trojan.Ransom.df0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.Blocker.3262976": [[26, 52]], "Indicator: Trojan.MSIL.FC.4195": [[53, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9943": [[73, 115]], "Indicator: W32/Trojan.RPCY-7702": [[116, 136]], "Indicator: Ransom_Blocker.R038C0DAH18": [[137, 163], [306, 332]], "Indicator: Trojan-Ransom.Win32.Blocker.juiv": [[164, 196], [388, 420]], "Indicator: Trojan.Win32.Blocker.etmtcp": [[197, 224]], "Indicator: Trojan.Win32.Z.Blocker.3262976.X": [[225, 257]], "Indicator: Troj.Ransom.W32.Blocker!c": [[258, 283]], "Indicator: Trojan.MulDrop7.48467": [[284, 305]], "Indicator: 
Trojan[Ransom]/Win32.Blocker": [[333, 361]], "Indicator: Trojan.MSILPerseus.D107B2": [[362, 387]], "Indicator: TrojanSpy:MSIL/Reven.A!bit": [[421, 447]], "Indicator: Trojan/Win32.Blocker.R203232": [[448, 476]], "Indicator: Ransom.FileCryptor": [[477, 495]], "Indicator: Trj/CI.A": [[496, 504]], "Indicator: Win32.Trojan.Blocker.Aiip": [[505, 530]], "Indicator: Trojan.MSIL.Spy": [[531, 546]], "Indicator: Win32/Trojan.Ransom.df0": [[547, 570]]}, "info": {"id": "cyner2_5class_train_06431", "source": "cyner2_5class_train"}} +{"text": "A few weeks ago Cisco Talos became interested in just such a campaign with a smaller number of circulating email messages.", "spans": {"Organization: Cisco Talos": [[16, 27]], "Indicator: email messages.": [[107, 122]]}, "info": {"id": "cyner2_5class_train_06432", "source": "cyner2_5class_train"}} +{"text": "As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.", "spans": {"Malware: FileCoder": [[3, 12]], "Malware: at": [[28, 30]], "Malware: KeRanger": [[69, 77]], "Malware: fully functional ransomware": [[91, 118]], "System: OS X platform.": [[131, 145]]}, "info": {"id": "cyner2_5class_train_06433", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BehavesLike:Win32.Malware DLOADER.Trojan SHeur.CDXP Heuristic.Malware", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike:Win32.Malware": [[26, 51]], "Indicator: DLOADER.Trojan": [[52, 66]], "Indicator: SHeur.CDXP": [[67, 77]], "Indicator: Heuristic.Malware": [[78, 95]]}, "info": {"id": "cyner2_5class_train_06434", "source": "cyner2_5class_train"}} +{"text": "Banking trojans are among some of the biggest threats to everyday users as they directly impact the user in terms of financial loss.", "spans": {"Malware: Banking trojans": [[0, 15]], "Malware: threats": [[46, 53]], "Organization: user": [[100, 104]]}, "info": {"id": "cyner2_5class_train_06435", "source": 
"cyner2_5class_train"}} +{"text": "XLoader also prevents victims from accessing the device ’ s settings or using a known antivirus ( AV ) app in the country .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner2_5class_train_06436", "source": "cyner2_5class_train"}} +{"text": "Remsec is a stealthy tool that appears to be primarily designed for spying purposes.", "spans": {"Malware: Remsec": [[0, 6]], "Malware: stealthy tool": [[12, 25]]}, "info": {"id": "cyner2_5class_train_06437", "source": "cyner2_5class_train"}} +{"text": "It does so for each and every app on the device as long as the package names are on its prey list .", "spans": {}, "info": {"id": "cyner2_5class_train_06438", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Flooder.Napsterokoz!ZeoO3ZzZXAQ PUA.Win32.Packer.NetExecutable-1 Flooder.Win32.Napsterokoz.a Trojan.DownLoader5.2173 Trojan-PWS.Win32.Fignotok!IK Flooder.Napsterokoz.a Flooder.Napsterokoz.a Trojan-PWS.Win32.Fignotok Flooder.IJJ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Flooder.Napsterokoz!ZeoO3ZzZXAQ": [[26, 57]], "Indicator: PUA.Win32.Packer.NetExecutable-1": [[58, 90]], "Indicator: Flooder.Win32.Napsterokoz.a": [[91, 118]], "Indicator: Trojan.DownLoader5.2173": [[119, 142]], "Indicator: Trojan-PWS.Win32.Fignotok!IK": [[143, 171]], "Indicator: Flooder.Napsterokoz.a": [[172, 193], [194, 215]], "Indicator: Trojan-PWS.Win32.Fignotok": [[216, 241]], "Indicator: Flooder.IJJ": [[242, 253]]}, "info": {"id": "cyner2_5class_train_06439", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mdropper TROJ_MDROPPR.CA Win32.Mdropper TROJ_MDROPPR.CA Trojan.Mdropper", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mdropper": [[26, 41], [89, 104]], "Indicator: TROJ_MDROPPR.CA": [[42, 57], [73, 88]], "Indicator: Win32.Mdropper": [[58, 72]]}, "info": {"id": "cyner2_5class_train_06440", "source": "cyner2_5class_train"}} +{"text": "Attackers know that rooting devices via 
malware exploits is an effective means to control devices and gather information from them .", "spans": {}, "info": {"id": "cyner2_5class_train_06441", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HackerAu3.Worm Win32.Worm.Autoit.Q Backdoor.Win32.Shark.axz!O Worm.Autoit.i Win32.Worm.Autoit.Q Worm.AutoIt.Win32.2 W32/AutoRun.fjx WORM_UTOTI.RC Win32.Worm.Sohanad.br W32/Downloader.AEEC-3989 W32.SillyDC Win32/Vishawon.A WORM_UTOTI.RC Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan.Script.AutoIt.delira Worm.Win32.Autorun.215552.B Win32.Virus.Alman.Svhc Win32.Worm.Autoit.Q Worm.Win32.AutoIt.~MT Win32.HLLW.Autoruner.1483 W32/Downldr2.AICJ Worm/AutoRun.jsl W32/Almanahe.C Win32.Worm.Autoit.Q W32.W.AutoRun.lbrr Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan/Win32.AutoRun.C97057 Worm.AutoRun.FLD I-Worm.Autoit.AC Win32/Autoit.BA Worm.AutoIT.V Worm.Win32.AutoIt W32/AutoIt.I!worm Win32/Worm.c3b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HackerAu3.Worm": [[26, 44]], "Indicator: Win32.Worm.Autoit.Q": [[45, 64], [106, 125], [286, 305], [385, 404], [503, 522], [562, 581]], "Indicator: Backdoor.Win32.Shark.axz!O": [[65, 91]], "Indicator: Worm.Autoit.i": [[92, 105]], "Indicator: Worm.AutoIt.Win32.2": [[126, 145]], "Indicator: W32/AutoRun.fjx": [[146, 161]], "Indicator: WORM_UTOTI.RC": [[162, 175], [252, 265]], "Indicator: Win32.Worm.Sohanad.br": [[176, 197]], "Indicator: W32/Downloader.AEEC-3989": [[198, 222]], "Indicator: W32.SillyDC": [[223, 234]], "Indicator: Win32/Vishawon.A": [[235, 251]], "Indicator: Worm.Win32.AutoIt.i": [[266, 285], [542, 561]], "Indicator: Trojan.Script.AutoIt.delira": [[306, 333]], "Indicator: Worm.Win32.Autorun.215552.B": [[334, 361]], "Indicator: Win32.Virus.Alman.Svhc": [[362, 384]], "Indicator: Worm.Win32.AutoIt.~MT": [[405, 426]], "Indicator: Win32.HLLW.Autoruner.1483": [[427, 452]], "Indicator: W32/Downldr2.AICJ": [[453, 470]], "Indicator: Worm/AutoRun.jsl": [[471, 487]], "Indicator: W32/Almanahe.C": [[488, 
502]], "Indicator: W32.W.AutoRun.lbrr": [[523, 541]], "Indicator: Trojan/Win32.AutoRun.C97057": [[582, 609]], "Indicator: Worm.AutoRun.FLD": [[610, 626]], "Indicator: I-Worm.Autoit.AC": [[627, 643]], "Indicator: Win32/Autoit.BA": [[644, 659]], "Indicator: Worm.AutoIT.V": [[660, 673]], "Indicator: Worm.Win32.AutoIt": [[674, 691]], "Indicator: W32/AutoIt.I!worm": [[692, 709]], "Indicator: Win32/Worm.c3b": [[710, 724]]}, "info": {"id": "cyner2_5class_train_06442", "source": "cyner2_5class_train"}} +{"text": "98.05 % of all malware detected in 2013 targeted this platform , confirming both the popularity of this mobile OS and the vulnerability of its architecture .", "spans": {}, "info": {"id": "cyner2_5class_train_06443", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeuserinitQC.Trojan TrojanDownloader.Paglst.B4 Trojan.Ursu.D206A Backdoor.Graybird Win32/Adload.NOU Win.Trojan.Adload-2949 Trojan-Downloader.Win32.Adload.cfms Trojan.Win32.Adload.rhwua Trojan.Win32.A.Downloader.6381568 Adware.Win32.AdLoader.a TrojWare.Win32.Downloader.AdLoad.CFMS Trojan.DownLoad2.64118 Downloader.Adload.Win32.13800 TrojanDownloader.Adload.oqx TR/Adload.V Trojan[Downloader]/Win32.Adload.cfms TrojanDownloader:Win32/Paglst.B Troj.Downloader.W32.Adload.toiw Trojan-Downloader.Win32.Adload.cfms Downloader/Win32.Adload.R32544 TScope.Malware-Cryptor.SB Win32/TrojanDownloader.Adload.NJM Trojan-Downloader.Win32.Adload W32/Adload.CFMS!tr.dldr Trojan.PSW.Win32.QQPass.DT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeuserinitQC.Trojan": [[26, 51]], "Indicator: TrojanDownloader.Paglst.B4": [[52, 78]], "Indicator: Trojan.Ursu.D206A": [[79, 96]], "Indicator: Backdoor.Graybird": [[97, 114]], "Indicator: Win32/Adload.NOU": [[115, 131]], "Indicator: Win.Trojan.Adload-2949": [[132, 154]], "Indicator: Trojan-Downloader.Win32.Adload.cfms": [[155, 190], [507, 542]], "Indicator: Trojan.Win32.Adload.rhwua": [[191, 216]], "Indicator: 
Trojan.Win32.A.Downloader.6381568": [[217, 250]], "Indicator: Adware.Win32.AdLoader.a": [[251, 274]], "Indicator: TrojWare.Win32.Downloader.AdLoad.CFMS": [[275, 312]], "Indicator: Trojan.DownLoad2.64118": [[313, 335]], "Indicator: Downloader.Adload.Win32.13800": [[336, 365]], "Indicator: TrojanDownloader.Adload.oqx": [[366, 393]], "Indicator: TR/Adload.V": [[394, 405]], "Indicator: Trojan[Downloader]/Win32.Adload.cfms": [[406, 442]], "Indicator: TrojanDownloader:Win32/Paglst.B": [[443, 474]], "Indicator: Troj.Downloader.W32.Adload.toiw": [[475, 506]], "Indicator: Downloader/Win32.Adload.R32544": [[543, 573]], "Indicator: TScope.Malware-Cryptor.SB": [[574, 599]], "Indicator: Win32/TrojanDownloader.Adload.NJM": [[600, 633]], "Indicator: Trojan-Downloader.Win32.Adload": [[634, 664]], "Indicator: W32/Adload.CFMS!tr.dldr": [[665, 688]], "Indicator: Trojan.PSW.Win32.QQPass.DT": [[689, 715]]}, "info": {"id": "cyner2_5class_train_06444", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod6d6.Trojan.587c Trojan.Downloader.JMWD Trojan.Downloader.JMWD Trojan.Boupke.A6 Trojan.Downloader.JMWD Trojan.Win32.S.Downloader.196096.A Trojan.Downloader.JMWD Trojan.Downloader.JMWD DDoS.5686 Trojan:Win32/Doschald.A Trojan.Downloader.JMWD Trj/Downloader.MDW Trojan.Win32.Downloader.au Win32/Trojan.Downloader.001", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod6d6.Trojan.587c": [[26, 49]], "Indicator: Trojan.Downloader.JMWD": [[50, 72], [73, 95], [113, 135], [171, 193], [194, 216], [251, 273]], "Indicator: Trojan.Boupke.A6": [[96, 112]], "Indicator: Trojan.Win32.S.Downloader.196096.A": [[136, 170]], "Indicator: DDoS.5686": [[217, 226]], "Indicator: Trojan:Win32/Doschald.A": [[227, 250]], "Indicator: Trj/Downloader.MDW": [[274, 292]], "Indicator: Trojan.Win32.Downloader.au": [[293, 319]], "Indicator: Win32/Trojan.Downloader.001": [[320, 347]]}, "info": {"id": "cyner2_5class_train_06445", "source": "cyner2_5class_train"}} +{"text": "Mobile malware 
is a significant risk for organizations and consumers alike , and must be considered when protecting personal and business data .", "spans": {}, "info": {"id": "cyner2_5class_train_06446", "source": "cyner2_5class_train"}} +{"text": "The mediaserver will first builds a new unique track , start to play the track , loop play all audio buffer , then finally stop the playback .", "spans": {}, "info": {"id": "cyner2_5class_train_06447", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Letbetom.Trojan Trojan-Spy.MSIL.Redator!O Trojan/Redator.a Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareF.LRAK Win.Trojan.Keylogger-796 Trojan-Spy.MSIL.Redator.a Trojan.Win32.Redator.cwfoqm Trojan.Win32.Z.Redator.186456 Backdoor.PePatch.Win32.36732 W32/Risk.TYVS-3062 TrojanSpy.MSIL.dwl System.Monitor.Stealthddos Trojan[Spy]/MSIL.Redator Trojan.MSIL.Krypt.2 Troj.Spy.MSIL.KeyLogger.ljvI Trojan-Spy.MSIL.Redator.a Trojan/Win32.Keylogger.R4155 TrojanSpy.MSIL.Redator Trj/CI.A MSIL/Spy.Keylogger.AK Msil.Trojan-spy.Redator.Pgcw W32/Mdrop.CRV!tr Win32/Trojan.Spy.17f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Letbetom.Trojan": [[26, 45]], "Indicator: Trojan-Spy.MSIL.Redator!O": [[46, 71]], "Indicator: Trojan/Redator.a": [[72, 88]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[89, 131]], "Indicator: W32/MalwareF.LRAK": [[132, 149]], "Indicator: Win.Trojan.Keylogger-796": [[150, 174]], "Indicator: Trojan-Spy.MSIL.Redator.a": [[175, 200], [427, 452]], "Indicator: Trojan.Win32.Redator.cwfoqm": [[201, 228]], "Indicator: Trojan.Win32.Z.Redator.186456": [[229, 258]], "Indicator: Backdoor.PePatch.Win32.36732": [[259, 287]], "Indicator: W32/Risk.TYVS-3062": [[288, 306]], "Indicator: TrojanSpy.MSIL.dwl": [[307, 325]], "Indicator: System.Monitor.Stealthddos": [[326, 352]], "Indicator: Trojan[Spy]/MSIL.Redator": [[353, 377]], "Indicator: Trojan.MSIL.Krypt.2": [[378, 397]], "Indicator: Troj.Spy.MSIL.KeyLogger.ljvI": [[398, 426]], "Indicator: 
Trojan/Win32.Keylogger.R4155": [[453, 481]], "Indicator: TrojanSpy.MSIL.Redator": [[482, 504]], "Indicator: Trj/CI.A": [[505, 513]], "Indicator: MSIL/Spy.Keylogger.AK": [[514, 535]], "Indicator: Msil.Trojan-spy.Redator.Pgcw": [[536, 564]], "Indicator: W32/Mdrop.CRV!tr": [[565, 581]], "Indicator: Win32/Trojan.Spy.17f": [[582, 602]]}, "info": {"id": "cyner2_5class_train_06448", "source": "cyner2_5class_train"}} +{"text": "Trojan native capabilities This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan .", "spans": {}, "info": {"id": "cyner2_5class_train_06449", "source": "cyner2_5class_train"}} +{"text": "It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server.", "spans": {"Malware: webshell": [[18, 26]], "Indicator: commands": [[77, 85]], "System: the compromised server.": [[89, 112]]}, "info": {"id": "cyner2_5class_train_06450", "source": "cyner2_5class_train"}} +{"text": "As an example , in the two images below , we can see the encrypted and decrypted shared preferences file , which is encrypted using the java “ PBEWithMD5AndDES �� algorithm .", "spans": {}, "info": {"id": "cyner2_5class_train_06451", "source": "cyner2_5class_train"}} +{"text": "Figure 1 – Phishing Email When the email link is opened from an Android device , an APK file ( Fattura002873.apk ) , is downloaded .", "spans": {"System: Android": [[64, 71]], "Indicator: Fattura002873.apk": [[95, 112]]}, "info": {"id": "cyner2_5class_train_06452", "source": "cyner2_5class_train"}} +{"text": "Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue.", "spans": {"Malware: younger sibling": [[40, 55]], "Vulnerability: sensational vulnerability": [[64, 89]], "Malware: EternalBlue.": [[90, 102]]}, "info": {"id": "cyner2_5class_train_06453", "source": "cyner2_5class_train"}} +{"text": "At the time of writing this article, the Joao downloader was being 
distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.", "spans": {"Malware: At": [[0, 2]], "Malware: the Joao downloader": [[37, 56]], "Indicator: the anime-themed MMORPG Grand Fantasia": [[83, 121]], "Indicator: gf.ignitgames[.]to.": [[133, 152]]}, "info": {"id": "cyner2_5class_train_06454", "source": "cyner2_5class_train"}} +{"text": "DDoS tools developed by this organization use SSH weak passwords and server vulnerabilities to control many Linux chickens.", "spans": {"Malware: DDoS tools": [[0, 10]], "Indicator: SSH weak passwords": [[46, 64]], "Indicator: server": [[69, 75]], "System: Linux": [[108, 113]]}, "info": {"id": "cyner2_5class_train_06455", "source": "cyner2_5class_train"}} +{"text": "If the device is located outside Russia or is an emulator , the application displays a stub page : In this case , the Trojan ’ s logs contain records in Russian with grammatical errors and spelling mistakes : If the check is successful , Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges .", "spans": {"Malware: Rotexy": [[238, 244]], "System: GCM": [[260, 263]]}, "info": {"id": "cyner2_5class_train_06456", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9848 BehavesLike.Win64.BadFile.lm Backdoor:Win64/Syscon.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9848": [[26, 68]], "Indicator: BehavesLike.Win64.BadFile.lm": [[69, 97]], "Indicator: Backdoor:Win64/Syscon.A": [[98, 121]], "Indicator: Trj/CI.A": [[122, 130]]}, "info": {"id": "cyner2_5class_train_06457", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Flooder.ICQ.Raptof.01 Trojan/W32.Flooder.223744 Flooder.Raptof.ra Trojan.Flooder.ICQ.Raptof.01 IM-Flooder.W32.Raptof.01!c Trojan.Flooder.ICQ.Raptof.01 Flooder.Raptof!8im4oqjQSco Hacktool.Flooder Win32/Flooder.ICQ.Raptof.01 
Win.Trojan.Raptof IM-Flooder.Win32.Raptof.01 Trojan.Win32.Raptof.dlvc Spyware.IM-Flooder.Raptof.223744[h] Trojan.Flooder.ICQ.Raptof.01 TrojWare.Win32.Flooder.ICQ.01 Trojan.Flooder.ICQ.Raptof.01 FDOS.Raptof Tool.Raptof.Win32.1 BehavesLike.Win32.Malware.dc W32/Risk.YFGX-8652 Flooder.ICQ.Raptof.01 HackTool[Flooder]/Win32.Raptof Win-Trojan/Raptof.223744 Trojan.Flooder.ICQ.Raptof.01 IMFlooder.Raptof Win32.Trojan.Raptof.Eflc Malware_fam.gw Flooder.BBR Trojan.Win32.ICQ.Raptof Win32/Trojan.Flood.be5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Flooder.ICQ.Raptof.01": [[26, 54], [99, 127], [155, 183], [362, 390], [421, 449], [608, 636]], "Indicator: Trojan/W32.Flooder.223744": [[55, 80]], "Indicator: Flooder.Raptof.ra": [[81, 98]], "Indicator: IM-Flooder.W32.Raptof.01!c": [[128, 154]], "Indicator: Flooder.Raptof!8im4oqjQSco": [[184, 210]], "Indicator: Hacktool.Flooder": [[211, 227]], "Indicator: Win32/Flooder.ICQ.Raptof.01": [[228, 255]], "Indicator: Win.Trojan.Raptof": [[256, 273]], "Indicator: IM-Flooder.Win32.Raptof.01": [[274, 300]], "Indicator: Trojan.Win32.Raptof.dlvc": [[301, 325]], "Indicator: Spyware.IM-Flooder.Raptof.223744[h]": [[326, 361]], "Indicator: TrojWare.Win32.Flooder.ICQ.01": [[391, 420]], "Indicator: FDOS.Raptof": [[450, 461]], "Indicator: Tool.Raptof.Win32.1": [[462, 481]], "Indicator: BehavesLike.Win32.Malware.dc": [[482, 510]], "Indicator: W32/Risk.YFGX-8652": [[511, 529]], "Indicator: Flooder.ICQ.Raptof.01": [[530, 551]], "Indicator: HackTool[Flooder]/Win32.Raptof": [[552, 582]], "Indicator: Win-Trojan/Raptof.223744": [[583, 607]], "Indicator: IMFlooder.Raptof": [[637, 653]], "Indicator: Win32.Trojan.Raptof.Eflc": [[654, 678]], "Indicator: Malware_fam.gw": [[679, 693]], "Indicator: Flooder.BBR": [[694, 705]], "Indicator: Trojan.Win32.ICQ.Raptof": [[706, 729]], "Indicator: Win32/Trojan.Flood.be5": [[730, 752]]}, "info": {"id": "cyner2_5class_train_06458", "source": "cyner2_5class_train"}} +{"text": "This suggests that multiple 
actors may be using similar source code, or the malware is being customized as a service for targeted campaigns.", "spans": {"Malware: malware": [[76, 83]], "Malware: targeted campaigns.": [[121, 140]]}, "info": {"id": "cyner2_5class_train_06459", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.QuastihusLTG.Trojan Worm.Jenxcus.A4 Trojan/Autoit.jh Trojan.Heur.AutoIT.10 W32/Trojan2.OIEK Win.Trojan.Autoit-581 W32.Sality.mCD7 Worm.AutoIT.Win32 BehavesLike.Win32.Dropper.jh W32/Trojan.WAFR-6845 TrojanDropper.Sysn.fg Trojan:AutoIt/Nateqj.B Trojan/Win32.Zapchast.R114120 Worm.AutoIt Trj/CI.A I-Worm.Autoit.JH Win32/Autoit.JH Win32.Worm.Autoit.Wofs Win32/Trojan.5a2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.QuastihusLTG.Trojan": [[26, 49]], "Indicator: Worm.Jenxcus.A4": [[50, 65]], "Indicator: Trojan/Autoit.jh": [[66, 82]], "Indicator: Trojan.Heur.AutoIT.10": [[83, 104]], "Indicator: W32/Trojan2.OIEK": [[105, 121]], "Indicator: Win.Trojan.Autoit-581": [[122, 143]], "Indicator: W32.Sality.mCD7": [[144, 159]], "Indicator: Worm.AutoIT.Win32": [[160, 177]], "Indicator: BehavesLike.Win32.Dropper.jh": [[178, 206]], "Indicator: W32/Trojan.WAFR-6845": [[207, 227]], "Indicator: TrojanDropper.Sysn.fg": [[228, 249]], "Indicator: Trojan:AutoIt/Nateqj.B": [[250, 272]], "Indicator: Trojan/Win32.Zapchast.R114120": [[273, 302]], "Indicator: Worm.AutoIt": [[303, 314]], "Indicator: Trj/CI.A": [[315, 323]], "Indicator: I-Worm.Autoit.JH": [[324, 340]], "Indicator: Win32/Autoit.JH": [[341, 356]], "Indicator: Win32.Worm.Autoit.Wofs": [[357, 379]], "Indicator: Win32/Trojan.5a2": [[380, 396]]}, "info": {"id": "cyner2_5class_train_06460", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper/W32.Keylogger.2292572 RiskWare.WinActivator MSIL.Riskware.Hacktool.B Tool.Wpakill.13 Trojan.Keylogger.Win32.50652 HackTool.Win32.Wpakill W32.Hack.Tool Trojan[Spy]/MSIL.Keylogger HackTool/Win32.Wpakill.C2293432 TrojanSpy.MSIL.Keylogger 
TrojanSpy.Keylogger!axHWqO6gDEY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper/W32.Keylogger.2292572": [[26, 62]], "Indicator: RiskWare.WinActivator": [[63, 84]], "Indicator: MSIL.Riskware.Hacktool.B": [[85, 109]], "Indicator: Tool.Wpakill.13": [[110, 125]], "Indicator: Trojan.Keylogger.Win32.50652": [[126, 154]], "Indicator: HackTool.Win32.Wpakill": [[155, 177]], "Indicator: W32.Hack.Tool": [[178, 191]], "Indicator: Trojan[Spy]/MSIL.Keylogger": [[192, 218]], "Indicator: HackTool/Win32.Wpakill.C2293432": [[219, 250]], "Indicator: TrojanSpy.MSIL.Keylogger": [[251, 275]], "Indicator: TrojanSpy.Keylogger!axHWqO6gDEY": [[276, 307]]}, "info": {"id": "cyner2_5class_train_06461", "source": "cyner2_5class_train"}} +{"text": "The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.", "spans": {"Malware: tool": [[68, 72]], "Malware: RAT": [[108, 111], [120, 123]], "System: server,": [[124, 131]], "System: an obfuscator": [[145, 158]], "System: packer.": [[163, 170]]}, "info": {"id": "cyner2_5class_train_06462", "source": "cyner2_5class_train"}} +{"text": "In addition , this type of Android banking malware does not require the device to be rooted or the app to have any specific Android permission ( besides android.permission.INTERNET to retrieve the overlay contents and send its captured data ) .", "spans": {"System: Android": [[27, 34], [124, 131]], "Indicator: android.permission.INTERNET": [[153, 180]]}, "info": {"id": "cyner2_5class_train_06463", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Cloddf4.Trojan.f747 Win32.Worm.P2p.Reur.P I-Worm.Reur.l.n2 W32/Reur.worm!p2p Worm.Reur.Win32.19 W32/Reur.p Worm.P2P.Reur!QrOO3e6Ele8 W32/Reur.YOAP-3596 W32.HLLW.Reur Win32/Reur.J P2P-Worm.Win32.Reur.p Win32.Worm.P2p.Reur.P Trojan.Win32.Reur.inko Win32.Worm.P2p.Reur.P Worm.Win32.Reur.S Win32.Worm.P2p.Reur.P 
BehavesLike.Win32.Dropper.gc W32/Reur.K Worm/Sramota.afo Worm[P2P]/Win32.Reur Worm.Reur.p.kcloud Worm:Win32/Reur.S Win32.Worm.P2p.Reur.P Trojan/Win32.HDC Worm.Reur Win32/Reur.S W32/Reur.K!worm.p2p Worm/Reur.V Worm.Win32.Reur.alHx Win32/Worm.226", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Cloddf4.Trojan.f747": [[26, 49]], "Indicator: Win32.Worm.P2p.Reur.P": [[50, 71], [231, 252], [276, 297], [316, 337], [453, 474]], "Indicator: I-Worm.Reur.l.n2": [[72, 88]], "Indicator: W32/Reur.worm!p2p": [[89, 106]], "Indicator: Worm.Reur.Win32.19": [[107, 125]], "Indicator: W32/Reur.p": [[126, 136]], "Indicator: Worm.P2P.Reur!QrOO3e6Ele8": [[137, 162]], "Indicator: W32/Reur.YOAP-3596": [[163, 181]], "Indicator: W32.HLLW.Reur": [[182, 195]], "Indicator: Win32/Reur.J": [[196, 208]], "Indicator: P2P-Worm.Win32.Reur.p": [[209, 230]], "Indicator: Trojan.Win32.Reur.inko": [[253, 275]], "Indicator: Worm.Win32.Reur.S": [[298, 315]], "Indicator: BehavesLike.Win32.Dropper.gc": [[338, 366]], "Indicator: W32/Reur.K": [[367, 377]], "Indicator: Worm/Sramota.afo": [[378, 394]], "Indicator: Worm[P2P]/Win32.Reur": [[395, 415]], "Indicator: Worm.Reur.p.kcloud": [[416, 434]], "Indicator: Worm:Win32/Reur.S": [[435, 452]], "Indicator: Trojan/Win32.HDC": [[475, 491]], "Indicator: Worm.Reur": [[492, 501]], "Indicator: Win32/Reur.S": [[502, 514]], "Indicator: W32/Reur.K!worm.p2p": [[515, 534]], "Indicator: Worm/Reur.V": [[535, 546]], "Indicator: Worm.Win32.Reur.alHx": [[547, 567]], "Indicator: Win32/Worm.226": [[568, 582]]}, "info": {"id": "cyner2_5class_train_06464", "source": "cyner2_5class_train"}} +{"text": "The phishing site uses the gathered information as its GET parameter , allowing the attacker to access the stolen information .", "spans": {}, "info": {"id": "cyner2_5class_train_06465", "source": "cyner2_5class_train"}} +{"text": "] it Catania server2cz.exodus.connexxa [ .", "spans": {"Indicator: server2cz.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": 
"cyner2_5class_train_06466", "source": "cyner2_5class_train"}} +{"text": "Its main job is to send spam, but it is able to do other tasks as well.", "spans": {}, "info": {"id": "cyner2_5class_train_06467", "source": "cyner2_5class_train"}} +{"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept POC code to install a Trojan called Emissary, which is related to the Operation Lotus Blossom campaign.", "spans": {"Vulnerability: exploit": [[24, 31]], "Indicator: CVE-2014-6332": [[32, 45]], "Malware: proof-of-concept POC code": [[87, 112]], "Malware: Trojan": [[126, 132]], "Malware: Emissary,": [[140, 149]], "Indicator: campaign.": [[198, 207]]}, "info": {"id": "cyner2_5class_train_06468", "source": "cyner2_5class_train"}} +{"text": "Limiting app installations on corporate devices , as well as ensuring that applications are created by trusted developers on official marketplaces , can help in reducing the risk of infection as well .", "spans": {}, "info": {"id": "cyner2_5class_train_06469", "source": "cyner2_5class_train"}} +{"text": "'' in a variety of ways , such as static analysis , dynamic analysis , and machine learning .", "spans": {}, "info": {"id": "cyner2_5class_train_06470", "source": "cyner2_5class_train"}} +{"text": "Although most apps have positive ratings , some of the users have noticed and reported Judy ’ s suspicious activities , as seen in the images below : As seen in previous malware , such as DressCode , a high reputation does not necessarily indicate that the app is safe for use .", "spans": {"Malware: Judy": [[87, 91]], "Malware: DressCode": [[188, 197]]}, "info": {"id": "cyner2_5class_train_06471", "source": "cyner2_5class_train"}} +{"text": "A combination of factors made this pattern effective and successful, explaining why ITG08 has remained operational for so long.", "spans": {"Indicator: factors": [[17, 24]], "Indicator: pattern": [[35, 42]]}, "info": {"id": "cyner2_5class_train_06472", 
"source": "cyner2_5class_train"}} +{"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky .", "spans": {"Organization: ClearSky": [[95, 103]]}, "info": {"id": "cyner2_5class_train_06473", "source": "cyner2_5class_train"}} +{"text": "It then decrypts a hardcoded encrypted value and sets the “ action ” parameter of the Intent using the setAction API .", "spans": {}, "info": {"id": "cyner2_5class_train_06474", "source": "cyner2_5class_train"}} +{"text": "Ploutus is one of the most advanced ATM malware families we've seen in the last few years.", "spans": {"Malware: Ploutus": [[0, 7]], "Malware: advanced ATM malware families": [[27, 56]]}, "info": {"id": "cyner2_5class_train_06475", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector Win/HLLP.Sector.C NE_HLLP_SECTOR.C Win.HLLP.Sector.C Win.HLLP.Sector.C Trojan.Win16.HLLP.exkzou Win.Hllp.Sector!c Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector.18864 NE_HLLP_SECTOR.C W16/TNT.a W16/HLLP.Sector.C Backdoor:Win16/Sector.C W16/TNT.a Win32.Virus.Hllp.Akes Virus.Win.Hllp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.HLLP.Sector.C": [[26, 43], [44, 61], [62, 79], [131, 148], [149, 166], [210, 227], [228, 245]], "Indicator: Win.HLLP.Sector": [[80, 95]], "Indicator: Win/HLLP.Sector.C": [[96, 113]], "Indicator: NE_HLLP_SECTOR.C": [[114, 130], [268, 284]], "Indicator: Trojan.Win16.HLLP.exkzou": [[167, 191]], "Indicator: Win.Hllp.Sector!c": [[192, 209]], "Indicator: Win.HLLP.Sector.18864": [[246, 267]], "Indicator: W16/TNT.a": [[285, 294], [337, 346]], "Indicator: W16/HLLP.Sector.C": [[295, 312]], "Indicator: Backdoor:Win16/Sector.C": [[313, 336]], "Indicator: Win32.Virus.Hllp.Akes": [[347, 368]], "Indicator: Virus.Win.Hllp": [[369, 383]]}, "info": {"id": "cyner2_5class_train_06476", "source": "cyner2_5class_train"}} +{"text": "Per its advertisements it is an infostealer 
that steals form data from various web browsers and other applications.", "spans": {"Malware: infostealer": [[32, 43]], "Indicator: steals form data from various web browsers": [[49, 91]], "Indicator: other applications.": [[96, 115]]}, "info": {"id": "cyner2_5class_train_06477", "source": "cyner2_5class_train"}} +{"text": "However , in order to block Janus abuse , app developers need to sign their apps with the new scheme so that Android framework security component could conduct integrity checks with enhanced features .", "spans": {"Vulnerability: Janus": [[28, 33]], "System: Android": [[109, 116]]}, "info": {"id": "cyner2_5class_train_06478", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: WS.Reputation.1 WORM_DUPTWU.SMIA Worm.Autorun-6650 Backdoor.Win32.LolBot.dyk Trojan.Downloader.JNUS Backdoor.Win32.LolBot!IK Trojan.Downloader.JNUS WORM_DUPTWU.SMIA Worm:Win32/Duptwux.A Trojan.Downloader.JNUS Backdoor/Win32.LolBot Backdoor.LolBot.ju Worm.Win32.FakeFolder.t Backdoor.Win32.LolBot W32/LolBot.DYK!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: WORM_DUPTWU.SMIA": [[42, 58], [174, 190]], "Indicator: Worm.Autorun-6650": [[59, 76]], "Indicator: Backdoor.Win32.LolBot.dyk": [[77, 102]], "Indicator: Trojan.Downloader.JNUS": [[103, 125], [151, 173], [212, 234]], "Indicator: Backdoor.Win32.LolBot!IK": [[126, 150]], "Indicator: Worm:Win32/Duptwux.A": [[191, 211]], "Indicator: Backdoor/Win32.LolBot": [[235, 256]], "Indicator: Backdoor.LolBot.ju": [[257, 275]], "Indicator: Worm.Win32.FakeFolder.t": [[276, 299]], "Indicator: Backdoor.Win32.LolBot": [[300, 321]], "Indicator: W32/LolBot.DYK!tr.bdr": [[322, 343]]}, "info": {"id": "cyner2_5class_train_06479", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Scarpnex-1 Trojan.MulDrop4.61017 Trojan[Spy]/MSIL.KeyLogger Trojan:MSIL/Scarpnex.A Trojan.Zusy.D9B94 
TrojanSpy.KeyLogger!icGvcsfSy6M Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win.Trojan.Scarpnex-1": [[69, 90]], "Indicator: Trojan.MulDrop4.61017": [[91, 112]], "Indicator: Trojan[Spy]/MSIL.KeyLogger": [[113, 139]], "Indicator: Trojan:MSIL/Scarpnex.A": [[140, 162]], "Indicator: Trojan.Zusy.D9B94": [[163, 180]], "Indicator: TrojanSpy.KeyLogger!icGvcsfSy6M": [[181, 212]], "Indicator: Trj/CI.A": [[213, 221]]}, "info": {"id": "cyner2_5class_train_06480", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Msxrat Trojan.Win32.Z.Msxrat.522564 TR/Crypt.Xpack.wccie Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Msxrat": [[26, 41]], "Indicator: Trojan.Win32.Z.Msxrat.522564": [[42, 70]], "Indicator: TR/Crypt.Xpack.wccie": [[71, 91]], "Indicator: Trj/CI.A": [[92, 100]]}, "info": {"id": "cyner2_5class_train_06481", "source": "cyner2_5class_train"}} +{"text": "The LOCKBIT ransomware group is one of the most notorious cyber-thieves in the world, targeting companies across Europe, the United States, India, and the Middle East in a series of attacks that began in December 2022.", "spans": {"Organization: companies": [[96, 105]], "Indicator: attacks": [[182, 189]]}, "info": {"id": "cyner2_5class_train_06482", "source": "cyner2_5class_train"}} +{"text": "It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat APT actors.", "spans": {}, "info": {"id": "cyner2_5class_train_06483", "source": "cyner2_5class_train"}} +{"text": "We investigated further and found that this campaign is specifically targeted to Korean sites and Korean banks.", "spans": {"Indicator: Korean sites": [[81, 93]], "Organization: Korean banks.": [[98, 111]]}, "info": {"id": "cyner2_5class_train_06484", "source": "cyner2_5class_train"}} +{"text": "The 
activities continue : the most recently observed domain was registered on October 31 , 2017 .", "spans": {}, "info": {"id": "cyner2_5class_train_06485", "source": "cyner2_5class_train"}} +{"text": "The latest Petya-like outbreak has gathered a lot of attention from the media.", "spans": {}, "info": {"id": "cyner2_5class_train_06486", "source": "cyner2_5class_train"}} +{"text": "After installation , the malware connects to the designated Command and Control ( C & C ) server , and receives a command to perform .", "spans": {}, "info": {"id": "cyner2_5class_train_06487", "source": "cyner2_5class_train"}} +{"text": "This division of labor among the cybercriminals can also be seen in the behavior of their Trojans .", "spans": {}, "info": {"id": "cyner2_5class_train_06488", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Gimemo!O Trojan.PornoAsset.Win32.9310 Trojan/Gimemo.aunq Trojan.Symmi.D1B0C Trojan.Winlock.7482 BehavesLike.Win32.BadFile.ch Trojan/PornoAsset.ooo Trojan[Ransom]/Win32.Gimemo Trojan:Win32/Fsblock.A TScope.Trojan.VB Trojan-Dropper.Win32.Injector W32/Injector.CLTY!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Gimemo!O": [[26, 54]], "Indicator: Trojan.PornoAsset.Win32.9310": [[55, 83]], "Indicator: Trojan/Gimemo.aunq": [[84, 102]], "Indicator: Trojan.Symmi.D1B0C": [[103, 121]], "Indicator: Trojan.Winlock.7482": [[122, 141]], "Indicator: BehavesLike.Win32.BadFile.ch": [[142, 170]], "Indicator: Trojan/PornoAsset.ooo": [[171, 192]], "Indicator: Trojan[Ransom]/Win32.Gimemo": [[193, 220]], "Indicator: Trojan:Win32/Fsblock.A": [[221, 243]], "Indicator: TScope.Trojan.VB": [[244, 260]], "Indicator: Trojan-Dropper.Win32.Injector": [[261, 290]], "Indicator: W32/Injector.CLTY!tr": [[291, 311]]}, "info": {"id": "cyner2_5class_train_06489", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9520 Win32.Trojan.Razy.Hsjc 
BehavesLike.Win32.BadFile.mz TR/Razy.anyu Trojan:Win32/Rekilc.C Trojan.Razy.D822B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9520": [[26, 68]], "Indicator: Win32.Trojan.Razy.Hsjc": [[69, 91]], "Indicator: BehavesLike.Win32.BadFile.mz": [[92, 120]], "Indicator: TR/Razy.anyu": [[121, 133]], "Indicator: Trojan:Win32/Rekilc.C": [[134, 155]], "Indicator: Trojan.Razy.D822B": [[156, 173]]}, "info": {"id": "cyner2_5class_train_06490", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Degrub Trojan-Spy.Win32.Delf.avce Trojan.Win32.Symmi.daxrzp Trojan.Win32.Z.Delf.731648 Troj.Spy.W32.Delf!c Trojan.Delf.Win32.64416 BehavesLike.Win32.Dropper.bh Trojan-Spy.Win32.Delf TrojanSpy.Delf.iwz TR/Spy.Delf.agiu Backdoor:Win32/Degrub.A Trojan-Spy.Win32.Delf.avce TScope.Trojan.Delf Trj/Chgt.A Win32.Trojan-spy.Delf.Akpg TrojanSpy.Delf!bLkOUU0IMLc W32/Delf.AFB!tr Win32/Trojan.Keylog.e29", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Degrub": [[26, 41]], "Indicator: Trojan-Spy.Win32.Delf.avce": [[42, 68], [277, 303]], "Indicator: Trojan.Win32.Symmi.daxrzp": [[69, 94]], "Indicator: Trojan.Win32.Z.Delf.731648": [[95, 121]], "Indicator: Troj.Spy.W32.Delf!c": [[122, 141]], "Indicator: Trojan.Delf.Win32.64416": [[142, 165]], "Indicator: BehavesLike.Win32.Dropper.bh": [[166, 194]], "Indicator: Trojan-Spy.Win32.Delf": [[195, 216]], "Indicator: TrojanSpy.Delf.iwz": [[217, 235]], "Indicator: TR/Spy.Delf.agiu": [[236, 252]], "Indicator: Backdoor:Win32/Degrub.A": [[253, 276]], "Indicator: TScope.Trojan.Delf": [[304, 322]], "Indicator: Trj/Chgt.A": [[323, 333]], "Indicator: Win32.Trojan-spy.Delf.Akpg": [[334, 360]], "Indicator: TrojanSpy.Delf!bLkOUU0IMLc": [[361, 387]], "Indicator: W32/Delf.AFB!tr": [[388, 403]], "Indicator: Win32/Trojan.Keylog.e29": [[404, 427]]}, "info": {"id": "cyner2_5class_train_06491", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.Win32.Mlw.ewygwi Backdoor.W32.Androm.mfVY Trojan.Injector.Win32.586108 TR/Dropper.MSIL.xejse Trojan.MSIL.Inject Trj/GdSda.A Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]], "Indicator: Trojan.Win32.Mlw.ewygwi": [[69, 92]], "Indicator: Backdoor.W32.Androm.mfVY": [[93, 117]], "Indicator: Trojan.Injector.Win32.586108": [[118, 146]], "Indicator: TR/Dropper.MSIL.xejse": [[147, 168]], "Indicator: Trojan.MSIL.Inject": [[169, 187]], "Indicator: Trj/GdSda.A": [[188, 199]], "Indicator: Win32/Trojan.e6d": [[200, 216]]}, "info": {"id": "cyner2_5class_train_06492", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.401 Vb.Troj.Valyria!c Trojan.GQXF-6 VB:Trojan.Valyria.401 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.401 VB:Trojan.Valyria.401 HEUR_VBA.E HEUR.VBA.Trojan.d TrojanDropper:O97M/SilverMob.A!dha VB:Trojan.Valyria.401 Macro.Trojan.Dropperd.Auto Trojan.VB.Valyria VB:Trojan.Valyria.401 virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.401": [[26, 47], [80, 101], [135, 156], [157, 178], [243, 264], [310, 331]], "Indicator: Vb.Troj.Valyria!c": [[48, 65]], "Indicator: Trojan.GQXF-6": [[66, 79]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[102, 134]], "Indicator: HEUR_VBA.E": [[179, 189]], "Indicator: HEUR.VBA.Trojan.d": [[190, 207]], "Indicator: TrojanDropper:O97M/SilverMob.A!dha": [[208, 242]], "Indicator: Macro.Trojan.Dropperd.Auto": [[265, 291]], "Indicator: Trojan.VB.Valyria": [[292, 309]], "Indicator: virus.office.obfuscated.1": [[332, 357]]}, "info": {"id": "cyner2_5class_train_06493", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Troj.GameThief.W32.Magania.lhJV Win32.Trojan-PSW.OLGames.ck TSPY_ONLINEG.VBY Win.Spyware.18411-2 Trojan-GameThief.Win32.OnLineGames.hmv Trojan.Win32.OnLineGames.bjsgmk 
TrojWare.Win32.Magania.~I Trojan.PWS.Wsgame.4325 TSPY_ONLINEG.VBY Trojan-GameThief.Win32.OnLineGames TR/CrashSystem.C Trojan[GameThief]/Win32.OnLineGames Win32.Troj.OnLimeGamesT.gs.73779 Trojan-GameThief.Win32.OnLineGames.hmv Trojan/Win32.OnlineGameHack.R96963 Trojan.Graftor.Elzob.D370C Trojan.PWS.OnLineGames!SkDSyFiZd8U", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.GameThief.W32.Magania.lhJV": [[26, 57]], "Indicator: Win32.Trojan-PSW.OLGames.ck": [[58, 85]], "Indicator: TSPY_ONLINEG.VBY": [[86, 102], [243, 259]], "Indicator: Win.Spyware.18411-2": [[103, 122]], "Indicator: Trojan-GameThief.Win32.OnLineGames.hmv": [[123, 161], [381, 419]], "Indicator: Trojan.Win32.OnLineGames.bjsgmk": [[162, 193]], "Indicator: TrojWare.Win32.Magania.~I": [[194, 219]], "Indicator: Trojan.PWS.Wsgame.4325": [[220, 242]], "Indicator: Trojan-GameThief.Win32.OnLineGames": [[260, 294]], "Indicator: TR/CrashSystem.C": [[295, 311]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[312, 347]], "Indicator: Win32.Troj.OnLimeGamesT.gs.73779": [[348, 380]], "Indicator: Trojan/Win32.OnlineGameHack.R96963": [[420, 454]], "Indicator: Trojan.Graftor.Elzob.D370C": [[455, 481]], "Indicator: Trojan.PWS.OnLineGames!SkDSyFiZd8U": [[482, 516]]}, "info": {"id": "cyner2_5class_train_06494", "source": "cyner2_5class_train"}} +{"text": "This has the same functionality as mcpef.apk .", "spans": {"Indicator: mcpef.apk": [[35, 44]]}, "info": {"id": "cyner2_5class_train_06495", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ProxyChanger Trojan.Banload Trojan/ProxyChanger.ik TROJ_BANLOAD.HVU W32/Trojan2.NXCH Win32/Tnega.ASRL Trojan.ProxyChanger.IK TROJ_BANLOAD.HVU Win.Trojan.Dealply-6391261-0 Trojan.DownLoad3.29408 BehavesLike.Win32.Dropper.gh W32/Trojan.YDHZ-1016 TR/ProxyChanger.H.1 Trojan/Win32.Unknown Trojan:Win32/ProxyChanger.H Trojan/Win32.ChePro.R102488 TScope.Trojan.Delf Win32/ProxyChanger.IK Trojan.ProxyChanger!NBBwWIBks/E Trojan.Crypt W32/Banloa.NX!tr 
Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.ProxyChanger": [[26, 45]], "Indicator: Trojan.Banload": [[46, 60]], "Indicator: Trojan/ProxyChanger.ik": [[61, 83]], "Indicator: TROJ_BANLOAD.HVU": [[84, 100], [158, 174]], "Indicator: W32/Trojan2.NXCH": [[101, 117]], "Indicator: Win32/Tnega.ASRL": [[118, 134]], "Indicator: Trojan.ProxyChanger.IK": [[135, 157]], "Indicator: Win.Trojan.Dealply-6391261-0": [[175, 203]], "Indicator: Trojan.DownLoad3.29408": [[204, 226]], "Indicator: BehavesLike.Win32.Dropper.gh": [[227, 255]], "Indicator: W32/Trojan.YDHZ-1016": [[256, 276]], "Indicator: TR/ProxyChanger.H.1": [[277, 296]], "Indicator: Trojan/Win32.Unknown": [[297, 317]], "Indicator: Trojan:Win32/ProxyChanger.H": [[318, 345]], "Indicator: Trojan/Win32.ChePro.R102488": [[346, 373]], "Indicator: TScope.Trojan.Delf": [[374, 392]], "Indicator: Win32/ProxyChanger.IK": [[393, 414]], "Indicator: Trojan.ProxyChanger!NBBwWIBks/E": [[415, 446]], "Indicator: Trojan.Crypt": [[447, 459]], "Indicator: W32/Banloa.NX!tr": [[460, 476]], "Indicator: Win32/Trojan.e6d": [[477, 493]]}, "info": {"id": "cyner2_5class_train_06496", "source": "cyner2_5class_train"}} +{"text": "In other words , it goes through every object on the screen and saves its text data .", "spans": {}, "info": {"id": "cyner2_5class_train_06497", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Gaobot.iawc W32/Joke.OA Joke.Rosenu TROJ_SPNR.03D111 Backdoor.Pasur!NYY0BVh8dz8 TrojWare.Win32.Trojan.Chifrax.~A TROJ_SPNR.03D111 W32/Joke.ERJK-0662 Joke.Rosenu Win32/Joke.ScreenRoses Trojan.Win32.Inject Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Gaobot.iawc": [[26, 50]], "Indicator: W32/Joke.OA": [[51, 62]], "Indicator: Joke.Rosenu": [[63, 74], [188, 199]], "Indicator: TROJ_SPNR.03D111": [[75, 91], [152, 168]], "Indicator: Backdoor.Pasur!NYY0BVh8dz8": [[92, 118]], "Indicator: TrojWare.Win32.Trojan.Chifrax.~A": [[119, 151]], 
"Indicator: W32/Joke.ERJK-0662": [[169, 187]], "Indicator: Win32/Joke.ScreenRoses": [[200, 222]], "Indicator: Trojan.Win32.Inject": [[223, 242]], "Indicator: Trj/CI.A": [[243, 251]]}, "info": {"id": "cyner2_5class_train_06498", "source": "cyner2_5class_train"}} +{"text": "A family of ransomware Trojans that encrypts files and adds the extensions .xtbl and .ytbl emerged in late 2014/early 2015, and quickly established itself among the top three most widespread encryptors in Russia along with Trojan-Ransom.Win32.Cryakl and Trojan-Ransom.BAT.Scatter.", "spans": {"Malware: ransomware Trojans": [[12, 30]], "Indicator: encrypts files": [[36, 50]], "Indicator: adds the extensions .xtbl": [[55, 80]], "Organization: .ytbl": [[85, 90]], "Malware: encryptors": [[191, 201]], "Indicator: Trojan-Ransom.Win32.Cryakl": [[223, 249]], "Indicator: Trojan-Ransom.BAT.Scatter.": [[254, 280]]}, "info": {"id": "cyner2_5class_train_06499", "source": "cyner2_5class_train"}} +{"text": "A month after observing sample 2 , we obtained another which used the same package name as sample 2 ( cn.android.setting ) .", "spans": {"Indicator: cn.android.setting": [[102, 120]]}, "info": {"id": "cyner2_5class_train_06500", "source": "cyner2_5class_train"}} +{"text": "The commands received via GCM can not be blocked immediately on an infected device .", "spans": {"System: GCM": [[26, 29]]}, "info": {"id": "cyner2_5class_train_06501", "source": "cyner2_5class_train"}} +{"text": "Morphick is tracking this malware under the name ScanPOS due to the build string present in the malware.", "spans": {"Organization: Morphick": [[0, 8]], "Malware: malware": [[26, 33]], "Malware: ScanPOS": [[49, 56]], "Malware: malware.": [[96, 104]]}, "info": {"id": "cyner2_5class_train_06502", "source": "cyner2_5class_train"}} +{"text": "They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another 
Trojan ( such as the leaked Anubis source code that is now being resold ) or at least borrow parts of other Trojans .", "spans": {"Malware: Anubis": [[223, 229]]}, "info": {"id": "cyner2_5class_train_06503", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9673 Trojan.PWS.Zhui BehavesLike.Win32.VTFlooder.mh Win32.Troj.Wow.q.kcloud Trj/QQFile.D Win32.Trojan-qqpass.Qqrob.Akon Trojan.SystemHijack!vG9DZPEgkqo", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9673": [[26, 68]], "Indicator: Trojan.PWS.Zhui": [[69, 84]], "Indicator: BehavesLike.Win32.VTFlooder.mh": [[85, 115]], "Indicator: Win32.Troj.Wow.q.kcloud": [[116, 139]], "Indicator: Trj/QQFile.D": [[140, 152]], "Indicator: Win32.Trojan-qqpass.Qqrob.Akon": [[153, 183]], "Indicator: Trojan.SystemHijack!vG9DZPEgkqo": [[184, 215]]}, "info": {"id": "cyner2_5class_train_06504", "source": "cyner2_5class_train"}} +{"text": "Always apply critical thinking and consider whether you should give a certain app the permissions it requests .", "spans": {}, "info": {"id": "cyner2_5class_train_06505", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojandownloader.Halnine Trojan.Zusy.D2FDB Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.DlrSysWrtbased!M.bdazop Trojan.Win32.Z.Zusy.15872.DI TrojanDownloader:Win32/Halnine.A Win32.Trojan.Spy.Swve", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Halnine": [[26, 50]], "Indicator: Trojan.Zusy.D2FDB": [[51, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[69, 111]], "Indicator: Trojan.Win32.DlrSysWrtbased!M.bdazop": [[112, 148]], "Indicator: Trojan.Win32.Z.Zusy.15872.DI": [[149, 177]], "Indicator: TrojanDownloader:Win32/Halnine.A": [[178, 210]], "Indicator: Win32.Trojan.Spy.Swve": [[211, 232]]}, "info": {"id": "cyner2_5class_train_06506", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
BehavesLike.Win64.Fake.jh Trojan.Win32.Crypt Trojan.PSW.Mimikatz.un TR/AD.Trier.sqhjh Joke:VBS/Trier.A Trj/CI.A VBS/BadJoke.AL Win32/Trojan.7be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win64.Fake.jh": [[26, 51]], "Indicator: Trojan.Win32.Crypt": [[52, 70]], "Indicator: Trojan.PSW.Mimikatz.un": [[71, 93]], "Indicator: TR/AD.Trier.sqhjh": [[94, 111]], "Indicator: Joke:VBS/Trier.A": [[112, 128]], "Indicator: Trj/CI.A": [[129, 137]], "Indicator: VBS/BadJoke.AL": [[138, 152]], "Indicator: Win32/Trojan.7be": [[153, 169]]}, "info": {"id": "cyner2_5class_train_06507", "source": "cyner2_5class_train"}} +{"text": "The C2 can also use WebSocket as a backup communication channel .", "spans": {}, "info": {"id": "cyner2_5class_train_06508", "source": "cyner2_5class_train"}} +{"text": "] com , lending further credence the remaining two domains , gooledriveservice [ .", "spans": {"Indicator: gooledriveservice [ .": [[61, 82]]}, "info": {"id": "cyner2_5class_train_06509", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeAV.NRC Trojan.Bampeass.B5 Trojan.FakeAV.NRC TROJ64_BAMPEASS.SM Win.Trojan.Fakeav-103064 Trojan.FakeAV.NRC Trojan.Win32.Wakme.c Trojan.FakeAV.NRC Variant.Kazy.mAdQ Trojan.FakeAV.NRC Trojan.FakeAV.Win32.316028 TROJ64_BAMPEASS.SM W64/Trojan.CZHS-5421 Trojan.Fakeav.bg TR/Bampeass.abd Trojan.FakeAV.NRC PUP.BrowseFox/Variant Trojan.Win32.Wakme.c Trojan:Win64/Bampeass.C Trojan.FakeAV.NRC Trj/CI.A Win32.Trojan.Wakme.Akew Win32/Trojan.d9f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeAV.NRC": [[26, 43], [63, 80], [125, 142], [164, 181], [200, 217], [318, 335], [403, 420]], "Indicator: Trojan.Bampeass.B5": [[44, 62]], "Indicator: TROJ64_BAMPEASS.SM": [[81, 99], [245, 263]], "Indicator: Win.Trojan.Fakeav-103064": [[100, 124]], "Indicator: Trojan.Win32.Wakme.c": [[143, 163], [358, 378]], "Indicator: Variant.Kazy.mAdQ": [[182, 199]], "Indicator: Trojan.FakeAV.Win32.316028": [[218, 244]], "Indicator: 
W64/Trojan.CZHS-5421": [[264, 284]], "Indicator: Trojan.Fakeav.bg": [[285, 301]], "Indicator: TR/Bampeass.abd": [[302, 317]], "Indicator: PUP.BrowseFox/Variant": [[336, 357]], "Indicator: Trojan:Win64/Bampeass.C": [[379, 402]], "Indicator: Trj/CI.A": [[421, 429]], "Indicator: Win32.Trojan.Wakme.Akew": [[430, 453]], "Indicator: Win32/Trojan.d9f": [[454, 470]]}, "info": {"id": "cyner2_5class_train_06510", "source": "cyner2_5class_train"}} +{"text": "Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbank criminal gang.", "spans": {"Organization: Forcepoint Security Labs™": [[0, 25]], "Malware: trojanized": [[50, 60]], "Indicator: RTF document": [[61, 73]]}, "info": {"id": "cyner2_5class_train_06511", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader:PowerShell/Hipolel.A Trojan.Win32.Swrort Win32/Trojan.Downloader.c1c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader:PowerShell/Hipolel.A": [[26, 63]], "Indicator: Trojan.Win32.Swrort": [[64, 83]], "Indicator: Win32/Trojan.Downloader.c1c": [[84, 111]]}, "info": {"id": "cyner2_5class_train_06512", "source": "cyner2_5class_train"}} +{"text": "Doc with Macro that downloads Dridex", "spans": {"Indicator: Doc": [[0, 3]], "Indicator: Macro": [[9, 14]], "Indicator: downloads": [[20, 29]], "Malware: Dridex": [[30, 36]]}, "info": {"id": "cyner2_5class_train_06513", "source": "cyner2_5class_train"}} +{"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner2_5class_train_06514", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.Small.8704.HT TrojanDownloader.Tooki Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/Tydpec.A TROJ_DLOADER.OXH Win.Downloader.16819-1 Trojan-Spy.Win32.KeyLogger.aszl 
Trojan.DownLoader8.62321 TROJ_DLOADER.OXH TrojanDownloader:Win32/Tooki.A Trojan-Spy.Win32.KeyLogger.aszl Win32.Trojan-spy.Keylogger.Lpbj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.Small.8704.HT": [[26, 61]], "Indicator: TrojanDownloader.Tooki": [[62, 84]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[85, 127]], "Indicator: Backdoor.Trojan": [[128, 143]], "Indicator: Win32/Tydpec.A": [[144, 158]], "Indicator: TROJ_DLOADER.OXH": [[159, 175], [256, 272]], "Indicator: Win.Downloader.16819-1": [[176, 198]], "Indicator: Trojan-Spy.Win32.KeyLogger.aszl": [[199, 230], [304, 335]], "Indicator: Trojan.DownLoader8.62321": [[231, 255]], "Indicator: TrojanDownloader:Win32/Tooki.A": [[273, 303]], "Indicator: Win32.Trojan-spy.Keylogger.Lpbj": [[336, 367]]}, "info": {"id": "cyner2_5class_train_06515", "source": "cyner2_5class_train"}} +{"text": "throughout the Android package .", "spans": {"System: Android": [[15, 22]]}, "info": {"id": "cyner2_5class_train_06516", "source": "cyner2_5class_train"}} +{"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat .", "spans": {"System: Android": [[23, 30]], "Malware: RCSAndroid": [[114, 124]], "System: 4.4.4 KitKat": [[161, 173]]}, "info": {"id": "cyner2_5class_train_06517", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.16896.DU Trojan-Spy.Win32.Zbot!O Backdoor.Small.D10 Trojan.Spy.Zbot W32.Spacefam Win32/Zbot.EUI TSPY_FIFESOCK_BK082A3D.TOMC Win.Trojan.Zbot-13661 Trojan.Win32.Zbot.curnd Trojan.Win32.A.Zbot.16896 Trojan.Proxy.18997 TSPY_FIFESOCK_BK082A3D.TOMC TrojanSpy.Zbot.awmw TR/Spy.ZBot.axcq.3 Trojan[Spy]/Win32.Zbot Trojan.Razy.D7DC8 Backdoor.W32.IRCBot.liBA Spyware/Win32.Zbot.R2503 SScope.Trojan.Zbot.01428", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.16896.DU": [[26, 51]], "Indicator: 
Trojan-Spy.Win32.Zbot!O": [[52, 75]], "Indicator: Backdoor.Small.D10": [[76, 94]], "Indicator: Trojan.Spy.Zbot": [[95, 110]], "Indicator: W32.Spacefam": [[111, 123]], "Indicator: Win32/Zbot.EUI": [[124, 138]], "Indicator: TSPY_FIFESOCK_BK082A3D.TOMC": [[139, 166], [258, 285]], "Indicator: Win.Trojan.Zbot-13661": [[167, 188]], "Indicator: Trojan.Win32.Zbot.curnd": [[189, 212]], "Indicator: Trojan.Win32.A.Zbot.16896": [[213, 238]], "Indicator: Trojan.Proxy.18997": [[239, 257]], "Indicator: TrojanSpy.Zbot.awmw": [[286, 305]], "Indicator: TR/Spy.ZBot.axcq.3": [[306, 324]], "Indicator: Trojan[Spy]/Win32.Zbot": [[325, 347]], "Indicator: Trojan.Razy.D7DC8": [[348, 365]], "Indicator: Backdoor.W32.IRCBot.liBA": [[366, 390]], "Indicator: Spyware/Win32.Zbot.R2503": [[391, 415]], "Indicator: SScope.Trojan.Zbot.01428": [[416, 440]]}, "info": {"id": "cyner2_5class_train_06518", "source": "cyner2_5class_train"}} +{"text": "Sample 1 may use AES-encrypted strings with reflection , while Sample 2 ( submitted on the same day ) will use the same code but with plaintext strings .", "spans": {"Organization: AES-encrypted": [[17, 30]]}, "info": {"id": "cyner2_5class_train_06519", "source": "cyner2_5class_train"}} +{"text": "Using DGA Domain Generation Algorithm to find the C C Command and Control server", "spans": {"System: DGA Domain Generation Algorithm": [[6, 37]], "Indicator: the C C Command and Control server": [[46, 80]]}, "info": {"id": "cyner2_5class_train_06520", "source": "cyner2_5class_train"}} +{"text": "We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension .___xratteamLucked and asking to pay the ransom.", "spans": {"Malware: Brazilian-made ransomware,": [[33, 59]], "Indicator: Trojan-Ransom.Win32.Xpan,": [[60, 85]], "Organization: local companies": [[115, 130]], "Organization: hospitals,": [[135, 145]], 
"Indicator: encrypting their files using the extension .___xratteamLucked": [[182, 243]]}, "info": {"id": "cyner2_5class_train_06521", "source": "cyner2_5class_train"}} +{"text": "These investigations took place during mid-to-late 2017, and each bank compromise resulted in a significant amount of stolen funds.", "spans": {"Organization: bank": [[66, 70]]}, "info": {"id": "cyner2_5class_train_06522", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Molock Win32.Trojan.WisdomEyes.16070401.9500.9974 TR/Molock.nylne Trojan.Mikey.DD047 PUA.BlackMoon Win32/Trojan.2ce", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Molock": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9974": [[40, 82]], "Indicator: TR/Molock.nylne": [[83, 98]], "Indicator: Trojan.Mikey.DD047": [[99, 117]], "Indicator: PUA.BlackMoon": [[118, 131]], "Indicator: Win32/Trojan.2ce": [[132, 148]]}, "info": {"id": "cyner2_5class_train_06523", "source": "cyner2_5class_train"}} +{"text": "In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates.", "spans": {"Organization: Symantec": [[15, 23]], "Indicator: attacks": [[101, 108]], "Organization: organizations": [[142, 155]], "Indicator: steal digital certificates.": [[159, 186]]}, "info": {"id": "cyner2_5class_train_06524", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RansomCryakl.Trojan Trojan.Cryakl Trojan.Ransom.Cryakl Ransom_CRYPICH.SMA Win32.Trojan.WisdomEyes.16070401.9500.9790 W32/Trojan.GTXF-0130 Ransom_CRYPICH.SMA Trojan-Ransom.Win32.Cryakl.sw Trojan.Win32.Cryakl.drogeo Trojan.Win32.Z.Filecoder.626656 Win32.Trojan.Cryakl.Ahys Trojan.Encoder.1041 Trojan.Cryakl.Win32.53 Trojan-PWS.Win32.Delf Trojan/Cryakl.ap W32.Cryakl TR/FileCoder.bikix Trojan[Ransom]/Win32.Cryakl Trojan-Ransom.Win32.Cryakl.sw Trojan/Win32.Xema.C2455 Trojan-Ransom.Cryakl 
Ransom.TeslaCrypt.OL Trojan.Cryakl! W32/Filecoder.EQ!tr Win32/Trojan.c28", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RansomCryakl.Trojan": [[26, 49]], "Indicator: Trojan.Cryakl": [[50, 63]], "Indicator: Trojan.Ransom.Cryakl": [[64, 84]], "Indicator: Ransom_CRYPICH.SMA": [[85, 103], [168, 186]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9790": [[104, 146]], "Indicator: W32/Trojan.GTXF-0130": [[147, 167]], "Indicator: Trojan-Ransom.Win32.Cryakl.sw": [[187, 216], [441, 470]], "Indicator: Trojan.Win32.Cryakl.drogeo": [[217, 243]], "Indicator: Trojan.Win32.Z.Filecoder.626656": [[244, 275]], "Indicator: Win32.Trojan.Cryakl.Ahys": [[276, 300]], "Indicator: Trojan.Encoder.1041": [[301, 320]], "Indicator: Trojan.Cryakl.Win32.53": [[321, 343]], "Indicator: Trojan-PWS.Win32.Delf": [[344, 365]], "Indicator: Trojan/Cryakl.ap": [[366, 382]], "Indicator: W32.Cryakl": [[383, 393]], "Indicator: TR/FileCoder.bikix": [[394, 412]], "Indicator: Trojan[Ransom]/Win32.Cryakl": [[413, 440]], "Indicator: Trojan/Win32.Xema.C2455": [[471, 494]], "Indicator: Trojan-Ransom.Cryakl": [[495, 515]], "Indicator: Ransom.TeslaCrypt.OL": [[516, 536]], "Indicator: Trojan.Cryakl!": [[537, 551]], "Indicator: W32/Filecoder.EQ!tr": [[552, 571]], "Indicator: Win32/Trojan.c28": [[572, 588]]}, "info": {"id": "cyner2_5class_train_06525", "source": "cyner2_5class_train"}} +{"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks .", "spans": {"Organization: Twitter": [[83, 90]], "Malware: FakeSpy": [[112, 119]]}, "info": {"id": "cyner2_5class_train_06526", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Dropped:Backdoor.Rootodor.H Backdoor.W32.SdBot.aop!c Backdoor/SdBot.aop Backdoor.Rootodor.H Backdoor.Sdbot Win.Trojan.SdBot-8443 Dropped:Backdoor.Rootodor.H Backdoor.Win32.SdBot.aop Dropped:Backdoor.Rootodor.H Trojan.Win32.SdBot.fptq Dropped:Backdoor.Rootodor.H 
Dropped:Backdoor.Rootodor.H BackDoor.Rtkit.12 Backdoor.SDBot BehavesLike.Win32.Downloader.dc Backdoor/SdBot.cr WORM/SdBot.298496.1 Win32.Hack.SdBot.kcloud TrojanDropper:Win32/Srvdrop.A Backdoor.Win32.SdBot.aop Dropped:Backdoor.Rootodor.H Backdoor.SDBot Backdoor.SdBot Win32.Backdoor.Sdbot.Wrgb Worm.SdBot!0ktHNidYgyk Backdoor.Win32.SdBot W32/SDBot.AOP!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Backdoor.Rootodor.H": [[26, 53], [155, 182], [208, 235], [260, 287], [288, 315], [498, 525]], "Indicator: Backdoor.W32.SdBot.aop!c": [[54, 78]], "Indicator: Backdoor/SdBot.aop": [[79, 97]], "Indicator: Backdoor.Rootodor.H": [[98, 117]], "Indicator: Backdoor.Sdbot": [[118, 132]], "Indicator: Win.Trojan.SdBot-8443": [[133, 154]], "Indicator: Backdoor.Win32.SdBot.aop": [[183, 207], [473, 497]], "Indicator: Trojan.Win32.SdBot.fptq": [[236, 259]], "Indicator: BackDoor.Rtkit.12": [[316, 333]], "Indicator: Backdoor.SDBot": [[334, 348], [526, 540]], "Indicator: BehavesLike.Win32.Downloader.dc": [[349, 380]], "Indicator: Backdoor/SdBot.cr": [[381, 398]], "Indicator: WORM/SdBot.298496.1": [[399, 418]], "Indicator: Win32.Hack.SdBot.kcloud": [[419, 442]], "Indicator: TrojanDropper:Win32/Srvdrop.A": [[443, 472]], "Indicator: Backdoor.SdBot": [[541, 555]], "Indicator: Win32.Backdoor.Sdbot.Wrgb": [[556, 581]], "Indicator: Worm.SdBot!0ktHNidYgyk": [[582, 604]], "Indicator: Backdoor.Win32.SdBot": [[605, 625]], "Indicator: W32/SDBot.AOP!tr.bdr": [[626, 646]]}, "info": {"id": "cyner2_5class_train_06527", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Pua.Cpush W32/Trojan.VJJX-8459 not-a-virus:AdWare.Win32.Cpush.a Adware.Cpush.Win32.21 BehavesLike.Win32.Downloader.fc Trojan.Zusy.D2AB1B not-a-virus:AdWare.Win32.Cpush.a AdWare.Cpush Trj/CI.A Win32/VB.NYC Win32.Adware.Cpush.Dwjc Adware.Cpush!ybdhrKQu3UY Trojan-Dropper.Win32.VB W32/VB.NYC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Pua.Cpush": [[26, 35]], "Indicator: 
W32/Trojan.VJJX-8459": [[36, 56]], "Indicator: not-a-virus:AdWare.Win32.Cpush.a": [[57, 89], [163, 195]], "Indicator: Adware.Cpush.Win32.21": [[90, 111]], "Indicator: BehavesLike.Win32.Downloader.fc": [[112, 143]], "Indicator: Trojan.Zusy.D2AB1B": [[144, 162]], "Indicator: AdWare.Cpush": [[196, 208]], "Indicator: Trj/CI.A": [[209, 217]], "Indicator: Win32/VB.NYC": [[218, 230]], "Indicator: Win32.Adware.Cpush.Dwjc": [[231, 254]], "Indicator: Adware.Cpush!ybdhrKQu3UY": [[255, 279]], "Indicator: Trojan-Dropper.Win32.VB": [[280, 303]], "Indicator: W32/VB.NYC!tr": [[304, 317]]}, "info": {"id": "cyner2_5class_train_06528", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NSIS.Androm.7 Ransom.Onion.A Win32.Trojan.WisdomEyes.16070401.9500.9984 Packed.NSISPacker!g6 Ransom_.97182692 Trojan.NSIS.Androm.7 Trojan.Win32.Graftor.evkohe Trojan:W32/Gamarue.E Trojan.Inject2.64079 Ransom_.97182692 BehavesLike.Win32.Ransom.cc Trojan.Win32.Injector W32/Trojan.HJUO-7930 Trojan.Graftor.D6B214 Ransom.Cerber/Variant Ransom:Win32/Malasypt.A Trojan/Win32.Miuref.R183155 Trj/CI.A Trojan.Injector!s1rN7kKLdpI W32/Injector.DDGJ!tr Win32/Trojan.5c1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSIS.Androm.7": [[26, 46], [143, 163]], "Indicator: Ransom.Onion.A": [[47, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[62, 104]], "Indicator: Packed.NSISPacker!g6": [[105, 125]], "Indicator: Ransom_.97182692": [[126, 142], [234, 250]], "Indicator: Trojan.Win32.Graftor.evkohe": [[164, 191]], "Indicator: Trojan:W32/Gamarue.E": [[192, 212]], "Indicator: Trojan.Inject2.64079": [[213, 233]], "Indicator: BehavesLike.Win32.Ransom.cc": [[251, 278]], "Indicator: Trojan.Win32.Injector": [[279, 300]], "Indicator: W32/Trojan.HJUO-7930": [[301, 321]], "Indicator: Trojan.Graftor.D6B214": [[322, 343]], "Indicator: Ransom.Cerber/Variant": [[344, 365]], "Indicator: Ransom:Win32/Malasypt.A": [[366, 389]], "Indicator: Trojan/Win32.Miuref.R183155": [[390, 417]], 
"Indicator: Trj/CI.A": [[418, 426]], "Indicator: Trojan.Injector!s1rN7kKLdpI": [[427, 454]], "Indicator: W32/Injector.DDGJ!tr": [[455, 475]], "Indicator: Win32/Trojan.5c1": [[476, 492]]}, "info": {"id": "cyner2_5class_train_06529", "source": "cyner2_5class_train"}} +{"text": "Version # 4 : April 2020 — Domain : nampriknum.net Following the same pattern , this version has some added features and others , which were not in use , removed .", "spans": {"Indicator: nampriknum.net": [[36, 50]]}, "info": {"id": "cyner2_5class_train_06530", "source": "cyner2_5class_train"}} +{"text": "Analysis Marcher is frequently distributed via SMS , but in this case , victims are presented with a link in an email .", "spans": {"Malware: Marcher": [[9, 16]]}, "info": {"id": "cyner2_5class_train_06531", "source": "cyner2_5class_train"}} +{"text": "For example , version 9.0.7 ( 2017 ) featured the following set of commands : 2 , 4 , 8 , 11 , 12 , 15 , 16 , 17 , 18 , 19 , 20 .", "spans": {}, "info": {"id": "cyner2_5class_train_06532", "source": "cyner2_5class_train"}} +{"text": "Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East.", "spans": {"Organization: Vectra Threat Labs researchers": [[0, 30]], "Indicator: attacks": [[117, 124]]}, "info": {"id": "cyner2_5class_train_06533", "source": "cyner2_5class_train"}} +{"text": "These websites, and the hosted programs, were designed to entice visitors to download and install the programs.", "spans": {}, "info": {"id": "cyner2_5class_train_06534", "source": "cyner2_5class_train"}} +{"text": "Moreover , the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card .", "spans": {}, "info": {"id": "cyner2_5class_train_06535", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader23.44275 
Trojan.Graftor.D69D4B Trojan:Win32/Seepeed.A Trj/CI.A Win32.Trojan.Atraps.Pgmx W32/Kryptik.DNGA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.DownLoader23.44275": [[69, 94]], "Indicator: Trojan.Graftor.D69D4B": [[95, 116]], "Indicator: Trojan:Win32/Seepeed.A": [[117, 139]], "Indicator: Trj/CI.A": [[140, 148]], "Indicator: Win32.Trojan.Atraps.Pgmx": [[149, 173]], "Indicator: W32/Kryptik.DNGA!tr": [[174, 193]]}, "info": {"id": "cyner2_5class_train_06536", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.QQPass!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Spyware.59892-2 Trojan-PSW.Win32.QQPass.sso Trojan.Win32.QQPass.bcshgi Trojan.Win32.Downloader.75264.M TrojWare.Win32.PSW.QQPass.~Sso Backdoor.PePatch.Win32.16970 Trojan[PSW]/Win32.QQPass Troj.PSW32.W.QQPass.toI3 Trojan-PSW.Win32.QQPass.sso PWS:Win32/Stealer.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.QQPass!O": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[52, 94]], "Indicator: Win.Spyware.59892-2": [[95, 114]], "Indicator: Trojan-PSW.Win32.QQPass.sso": [[115, 142], [312, 339]], "Indicator: Trojan.Win32.QQPass.bcshgi": [[143, 169]], "Indicator: Trojan.Win32.Downloader.75264.M": [[170, 201]], "Indicator: TrojWare.Win32.PSW.QQPass.~Sso": [[202, 232]], "Indicator: Backdoor.PePatch.Win32.16970": [[233, 261]], "Indicator: Trojan[PSW]/Win32.QQPass": [[262, 286]], "Indicator: Troj.PSW32.W.QQPass.toI3": [[287, 311]], "Indicator: PWS:Win32/Stealer.M": [[340, 359]]}, "info": {"id": "cyner2_5class_train_06537", "source": "cyner2_5class_train"}} +{"text": "Figure 9 : Prompt for application permissions upon installation Figures 10 and 11 show the other permission screens for the app : Figure 10 Figure 10 : Part 1 of the permission screen for the app Figure 11 : Part 2 of the permission screen for the app Once installed the app will place a 
legitimate looking icon on the phone ’ s home screen , again using branding stolen from the bank .", "spans": {}, "info": {"id": "cyner2_5class_train_06538", "source": "cyner2_5class_train"}} +{"text": "Step 1 : Download Bank Austria Security App Download the Bank Austria security app to your Android device .", "spans": {"System: Bank Austria Security App": [[18, 43]]}, "info": {"id": "cyner2_5class_train_06539", "source": "cyner2_5class_train"}} +{"text": "smishing ) .", "spans": {}, "info": {"id": "cyner2_5class_train_06540", "source": "cyner2_5class_train"}} +{"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications .", "spans": {"System: Facebook": [[25, 33], [230, 238]], "Indicator: jp.naver.line.android": [[122, 143]], "System: LINE : Free Calls & Messages": [[144, 172]], "Indicator: com.facebook.orca": [[173, 190]], "System: Facebook messenger": [[191, 209]], "Indicator: com.facebook.katana": [[210, 229]], "Indicator: com.whatsapp": [[239, 251]], "System: WhatsApp": [[252, 260]], "Indicator: com.viber.voip": [[261, 275]], "System: Viber": [[276, 281]]}, "info": {"id": "cyner2_5class_train_06541", "source": "cyner2_5class_train"}} +{"text": "ESET detects the games that install the Trojan as Android/TrojanDropper.Mapin and the Trojan itself as Android/Mapin.", "spans": {"Organization: ESET": [[0, 4]], "System: games": [[17, 22]], "Malware: Trojan": [[40, 46], [86, 92]], "Indicator: Android/TrojanDropper.Mapin": [[50, 77]], "Indicator: Android/Mapin.": [[103, 117]]}, "info": {"id": "cyner2_5class_train_06542", "source": "cyner2_5class_train"}} +{"text": "Malware Seen In The Middle 
East Region Domains used by APT28.", "spans": {"Malware: Malware": [[0, 7]], "Vulnerability: Domains": [[39, 46]]}, "info": {"id": "cyner2_5class_train_06543", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Downloader-39183 Trojan.Win32.Dwn.whgnl Trojan.Win32.A.Downloader.28672.AMZ Trojan.DownLoader6.15686 BehavesLike.Win32.BadFile.mm Trojan[Downloader]/Win32.Tobor Trojan.Graftor.D45EB TrojanDownloader:Win32/Tobor.A TrojanDownloader.Tobor Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Win.Trojan.Downloader-39183": [[69, 96]], "Indicator: Trojan.Win32.Dwn.whgnl": [[97, 119]], "Indicator: Trojan.Win32.A.Downloader.28672.AMZ": [[120, 155]], "Indicator: Trojan.DownLoader6.15686": [[156, 180]], "Indicator: BehavesLike.Win32.BadFile.mm": [[181, 209]], "Indicator: Trojan[Downloader]/Win32.Tobor": [[210, 240]], "Indicator: Trojan.Graftor.D45EB": [[241, 261]], "Indicator: TrojanDownloader:Win32/Tobor.A": [[262, 292]], "Indicator: TrojanDownloader.Tobor": [[293, 315]], "Indicator: Win32/Trojan.e6d": [[316, 332]]}, "info": {"id": "cyner2_5class_train_06544", "source": "cyner2_5class_train"}} +{"text": "] today svc [ .", "spans": {"Indicator: svc [ .": [[8, 15]]}, "info": {"id": "cyner2_5class_train_06545", "source": "cyner2_5class_train"}} +{"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network .", "spans": {}, "info": {"id": "cyner2_5class_train_06546", "source": "cyner2_5class_train"}} +{"text": "We have detected several malicious programs using GCM for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a , Trojan-SMS.AndroidOS.Agent.ao , and Trojan-SMS.AndroidOS.OpFake.a among others .", "spans": {"System: GCM": [[50, 53]], "Malware: Trojan-SMS.AndroidOS.FakeInst.a": [[95, 126]], "Malware: 
Trojan-SMS.AndroidOS.Agent.ao": [[129, 158]], "Malware: Trojan-SMS.AndroidOS.OpFake.a": [[165, 194]]}, "info": {"id": "cyner2_5class_train_06547", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.Elzob.D2B30 BehavesLike.Win32.BadFile.qm HackTool:Win32/WMIShell.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.Elzob.D2B30": [[26, 52]], "Indicator: BehavesLike.Win32.BadFile.qm": [[53, 81]], "Indicator: HackTool:Win32/WMIShell.A": [[82, 107]], "Indicator: Trj/CI.A": [[108, 116]]}, "info": {"id": "cyner2_5class_train_06548", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sefnit.Win32.13226 Trojan.Win32.Sefnit.ekkxqe Trojan.DownLoader23.50639 Trojan.Sefnit.pj Trojan/Win32.Sefnit TrojanDownloader:Win32/Trulop.A Trj/GdSda.A Win32/RA-based.NFG Trojan.Sefnit!apDWbcANJlc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sefnit.Win32.13226": [[26, 51]], "Indicator: Trojan.Win32.Sefnit.ekkxqe": [[52, 78]], "Indicator: Trojan.DownLoader23.50639": [[79, 104]], "Indicator: Trojan.Sefnit.pj": [[105, 121]], "Indicator: Trojan/Win32.Sefnit": [[122, 141]], "Indicator: TrojanDownloader:Win32/Trulop.A": [[142, 173]], "Indicator: Trj/GdSda.A": [[174, 185]], "Indicator: Win32/RA-based.NFG": [[186, 204]], "Indicator: Trojan.Sefnit!apDWbcANJlc": [[205, 230]]}, "info": {"id": "cyner2_5class_train_06549", "source": "cyner2_5class_train"}} +{"text": "BankBot is a family of Trojan malware targeting Android devices that surfaced in the second half of 2016.", "spans": {"Malware: BankBot": [[0, 7]], "Malware: family of Trojan malware": [[13, 37]], "System: Android devices": [[48, 63]]}, "info": {"id": "cyner2_5class_train_06550", "source": "cyner2_5class_train"}} +{"text": "Let ’ s compare examples of traffic from Smaps and Asacub — an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps 
request Asacub request Decrypted data from Asacub traffic : { “ id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” type ” : ” get ” , ” info ” : ” imei:365548770159066 , country : PL , cell : Tele2 , android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , sim:6337076348906359089f , app : null , ver:5.0.2″ } Data sent to the server [ { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” \\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416 1000 50″ , ” timestamp ” : ” 1452272572″ } } , { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” BALANCE ” , ” timestamp ” : ” 1452272573″ } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps format Asacub format Decrypted data from Asacub traffic : { “ data ” : ” 2015:10:14_02:41:15″ , ” id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” text ” : ” SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= ” , ” number ” : ” 1790″ , ” type ” : ” load ” } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS .", "spans": {"Malware: Smaps": [[41, 46], [209, 214]], "Malware: Asacub": [[51, 57], [223, 229], [258, 264]], "Indicator: 532bf15a-b784-47e5-92fa-72198a2929f5″": [[288, 325], [1209, 1246]]}, "info": {"id": "cyner2_5class_train_06551", "source": "cyner2_5class_train"}} +{"text": "In this way , when the service runs during boot , the original Windows executable is executed from a different location and it will automatically load and map the malicious DLL inside its address space , instead of using the genuine system library .", "spans": {"System: Windows": [[63, 70]]}, "info": {"id": "cyner2_5class_train_06552", "source": "cyner2_5class_train"}} +{"text": "“ .clic ” and “ k ( ) ; ” ) .", "spans": {}, 
"info": {"id": "cyner2_5class_train_06553", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9972 Infostealer.Tarno.B TrojWare.Win32.GhostDEL.~A Trojan.MulDrop4.8101 BehavesLike.Win32.Virut.qc Backdoor/Huigezi.2007.aqzf TrojanDownloader:Win32/Ksare.A Trj/CI.A Win32/Trojan.66a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9972": [[26, 68]], "Indicator: Infostealer.Tarno.B": [[69, 88]], "Indicator: TrojWare.Win32.GhostDEL.~A": [[89, 115]], "Indicator: Trojan.MulDrop4.8101": [[116, 136]], "Indicator: BehavesLike.Win32.Virut.qc": [[137, 163]], "Indicator: Backdoor/Huigezi.2007.aqzf": [[164, 190]], "Indicator: TrojanDownloader:Win32/Ksare.A": [[191, 221]], "Indicator: Trj/CI.A": [[222, 230]], "Indicator: Win32/Trojan.66a": [[231, 247]]}, "info": {"id": "cyner2_5class_train_06554", "source": "cyner2_5class_train"}} +{"text": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke.", "spans": {"Malware: SeaDuke": [[84, 91]], "Malware: CloudDuke.": [[96, 106]]}, "info": {"id": "cyner2_5class_train_06555", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D20DA2 TrojWare.Win32.TrojanDownloader.Delf.SAD BehavesLike.Win32.Dropper.dc TR/Dldr.Vifuls.pwiho TrojanDownloader:Win32/Vifuls.A TScope.Trojan.Delf Win32.Trojan.Badur.Eddg Win32/Trojan.fd8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D20DA2": [[26, 47]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.SAD": [[48, 88]], "Indicator: BehavesLike.Win32.Dropper.dc": [[89, 117]], "Indicator: TR/Dldr.Vifuls.pwiho": [[118, 138]], "Indicator: TrojanDownloader:Win32/Vifuls.A": [[139, 170]], "Indicator: TScope.Trojan.Delf": [[171, 189]], "Indicator: Win32.Trojan.Badur.Eddg": [[190, 213]], "Indicator: Win32/Trojan.fd8": [[214, 230]]}, "info": {"id": "cyner2_5class_train_06556", "source": "cyner2_5class_train"}} 
+{"text": "Several bots relied heavily, if not exclusively, on systems with weak and/or default passwords to spread.", "spans": {"Malware: bots": [[8, 12]], "System: systems": [[52, 59]], "Indicator: weak and/or default passwords": [[65, 94]]}, "info": {"id": "cyner2_5class_train_06557", "source": "cyner2_5class_train"}} +{"text": "It even has its own virtual keyboard that supposedly protects the victim from keyloggers .", "spans": {}, "info": {"id": "cyner2_5class_train_06558", "source": "cyner2_5class_train"}} +{"text": "In other words, the attack targeted organizations that design, build and support industrial solutions for critical infrastructure.", "spans": {"Organization: organizations": [[36, 49]], "Organization: industrial solutions": [[81, 101]], "System: critical infrastructure.": [[106, 130]]}, "info": {"id": "cyner2_5class_train_06559", "source": "cyner2_5class_train"}} +{"text": "While revisiting a Flokibot campaign that was targeting point of sale PoS systems in Brazil earlier this year, we discovered something interesting.", "spans": {"Malware: Flokibot": [[19, 27]], "System: PoS systems": [[70, 81]]}, "info": {"id": "cyner2_5class_train_06560", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Finfish.11008 Backdoor.Win32.Finfish!O Backdoor.Finfish.r6 Backdoor.Finfish.Win32.1 Backdoor.W32.Finfish.b!c Backdoor/Finfish.b Backdoor.Finfish!WTL5ZVLbFgg Backdoor.Finfish Win32/Belesak.D TROJ_FINSPY.A Backdoor.Win32.Finfish.b Trojan.Win32.Finfish.wbhuj Trojan.Win32.Z.Finfish.11008[h] Backdoor.Win32.Finfish.B Trojan:W32/FinSpy.B Trojan.NtRootKit.14434 TROJ_FINSPY.A W32/Backdoor.CLPB-2084 Backdoor/Finfish.a W32/Belesak.D Trojan:WinNT/Spinfy.A Backdoor.Finfish Backdoor.Win32.Finfish.b Win32.Backdoor.Finfish.Iso Backdoor.Win32.Finfish", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Finfish.11008": [[26, 52]], "Indicator: Backdoor.Win32.Finfish!O": [[53, 77]], "Indicator: Backdoor.Finfish.r6": [[78, 97]], 
"Indicator: Backdoor.Finfish.Win32.1": [[98, 122]], "Indicator: Backdoor.W32.Finfish.b!c": [[123, 147]], "Indicator: Backdoor/Finfish.b": [[148, 166]], "Indicator: Backdoor.Finfish!WTL5ZVLbFgg": [[167, 195]], "Indicator: Backdoor.Finfish": [[196, 212], [487, 503]], "Indicator: Win32/Belesak.D": [[213, 228]], "Indicator: TROJ_FINSPY.A": [[229, 242], [395, 408]], "Indicator: Backdoor.Win32.Finfish.b": [[243, 267], [504, 528]], "Indicator: Trojan.Win32.Finfish.wbhuj": [[268, 294]], "Indicator: Trojan.Win32.Z.Finfish.11008[h]": [[295, 326]], "Indicator: Backdoor.Win32.Finfish.B": [[327, 351]], "Indicator: Trojan:W32/FinSpy.B": [[352, 371]], "Indicator: Trojan.NtRootKit.14434": [[372, 394]], "Indicator: W32/Backdoor.CLPB-2084": [[409, 431]], "Indicator: Backdoor/Finfish.a": [[432, 450]], "Indicator: W32/Belesak.D": [[451, 464]], "Indicator: Trojan:WinNT/Spinfy.A": [[465, 486]], "Indicator: Win32.Backdoor.Finfish.Iso": [[529, 555]], "Indicator: Backdoor.Win32.Finfish": [[556, 578]]}, "info": {"id": "cyner2_5class_train_06561", "source": "cyner2_5class_train"}} +{"text": "But an investigation now suggests the attack was in fact carried out by a group of Russian hackers.", "spans": {"Organization: group": [[74, 79]]}, "info": {"id": "cyner2_5class_train_06562", "source": "cyner2_5class_train"}} +{"text": "The Trojan also employs various obfuscation methods : from the simplest , such as string concatenation and renaming of classes and methods , to implementing functions in native code and embedding SO libraries in C/C++ in the APK file , which requires the use of additional tools or dynamic analysis for deobfuscation , since most tools for static analysis of Android apps support only Dalvik bytecode .", "spans": {}, "info": {"id": "cyner2_5class_train_06563", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.Luder!O Worm.Polkayam.A3 Worm.Luder Trojan/Spy.VB.nub TROJ_SPNR.15GB13 Backdoor.Trojan Win32/Tnega.VHcOIY TROJ_SPNR.15GB13 
Win.Trojan.Luder-83 Trojan.Win32.Luder.crcdfm W32.W.WBNA.lJLh Worm.Luder.Win32.197 Worm/Luder.chm TR/Dynamer.dtc.9853 Worm/Win32.Luder Worm:Win32/Polkayam.A Worm/Win32.Luder.C169426 Worm.Luder Worm.Luder!PF0ilQ/gy98 Worm.Win32.Luder W32/Luder.BQPT!tr Win32/Trojan.cfc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.Luder!O": [[26, 44]], "Indicator: Worm.Polkayam.A3": [[45, 61]], "Indicator: Worm.Luder": [[62, 72], [342, 352]], "Indicator: Trojan/Spy.VB.nub": [[73, 90]], "Indicator: TROJ_SPNR.15GB13": [[91, 107], [143, 159]], "Indicator: Backdoor.Trojan": [[108, 123]], "Indicator: Win32/Tnega.VHcOIY": [[124, 142]], "Indicator: Win.Trojan.Luder-83": [[160, 179]], "Indicator: Trojan.Win32.Luder.crcdfm": [[180, 205]], "Indicator: W32.W.WBNA.lJLh": [[206, 221]], "Indicator: Worm.Luder.Win32.197": [[222, 242]], "Indicator: Worm/Luder.chm": [[243, 257]], "Indicator: TR/Dynamer.dtc.9853": [[258, 277]], "Indicator: Worm/Win32.Luder": [[278, 294]], "Indicator: Worm:Win32/Polkayam.A": [[295, 316]], "Indicator: Worm/Win32.Luder.C169426": [[317, 341]], "Indicator: Worm.Luder!PF0ilQ/gy98": [[353, 375]], "Indicator: Worm.Win32.Luder": [[376, 392]], "Indicator: W32/Luder.BQPT!tr": [[393, 410]], "Indicator: Win32/Trojan.cfc": [[411, 427]]}, "info": {"id": "cyner2_5class_train_06564", "source": "cyner2_5class_train"}} +{"text": "Third , based on the server response , the app can also hide its icon and create a shortcut instead .", "spans": {}, "info": {"id": "cyner2_5class_train_06565", "source": "cyner2_5class_train"}} +{"text": "SMS grabbing : EventBot has the ability to parse SMS messages by using the targeted device ’ s SDK version to parse them correctly .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner2_5class_train_06566", "source": "cyner2_5class_train"}} +{"text": "In this post we will show links to a recently publicized PoS malware campaign, and describe possible threat motivations behind this or other POS vendor exploitation 
campaign.", "spans": {"Malware: PoS malware": [[57, 68]], "Vulnerability: POS vendor exploitation": [[141, 164]]}, "info": {"id": "cyner2_5class_train_06567", "source": "cyner2_5class_train"}} +{"text": "These hooks are created using the root access and a custom native code called Lmt_INJECT , although the algorithm for this is well known .", "spans": {}, "info": {"id": "cyner2_5class_train_06568", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.TUD Trojan/W32.Hesv.372736.B Worm.Folxrun Win32.Worm.TUD Win32.Worm.TUD Win32.Trojan.VB.ja W32.Rasith Win32/Rasith.A TROJ_FSYSNA_FB120272.UVPM Win32.Worm.TUD Trojan.Win32.Hesv.bjrj Win32.Worm.TUD Trojan.Win32.Autoruner2.ewcqfg Troj.W32.Hesv!c Win32.Worm.TUD Win32.Worm.TUD Win32.HLLW.Autoruner2.29691 Trojan.Fsysna.Win32.4334 BehavesLike.Win32.Vesenlosow.fm Worm.Win32.Rasith W32/Trojan.SHGP-6241 Trojan/Fsysna.atg Trojan/Win32.Fsysna Worm:Win32/Folxrun.A Trojan/Win32.Injector.R167793 Trojan.Win32.Hesv.bjrj Trojan.Fsysna Trj/CI.A Win32.Trojan.Hesv.Lkdf Trojan.Fsysna! 
Win32/Worm.4c0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.TUD": [[26, 40], [79, 93], [94, 108], [180, 194], [218, 232], [280, 294], [295, 309]], "Indicator: Trojan/W32.Hesv.372736.B": [[41, 65]], "Indicator: Worm.Folxrun": [[66, 78]], "Indicator: Win32.Trojan.VB.ja": [[109, 127]], "Indicator: W32.Rasith": [[128, 138]], "Indicator: Win32/Rasith.A": [[139, 153]], "Indicator: TROJ_FSYSNA_FB120272.UVPM": [[154, 179]], "Indicator: Trojan.Win32.Hesv.bjrj": [[195, 217], [523, 545]], "Indicator: Trojan.Win32.Autoruner2.ewcqfg": [[233, 263]], "Indicator: Troj.W32.Hesv!c": [[264, 279]], "Indicator: Win32.HLLW.Autoruner2.29691": [[310, 337]], "Indicator: Trojan.Fsysna.Win32.4334": [[338, 362]], "Indicator: BehavesLike.Win32.Vesenlosow.fm": [[363, 394]], "Indicator: Worm.Win32.Rasith": [[395, 412]], "Indicator: W32/Trojan.SHGP-6241": [[413, 433]], "Indicator: Trojan/Fsysna.atg": [[434, 451]], "Indicator: Trojan/Win32.Fsysna": [[452, 471]], "Indicator: Worm:Win32/Folxrun.A": [[472, 492]], "Indicator: Trojan/Win32.Injector.R167793": [[493, 522]], "Indicator: Trojan.Fsysna": [[546, 559]], "Indicator: Trj/CI.A": [[560, 568]], "Indicator: Win32.Trojan.Hesv.Lkdf": [[569, 591]], "Indicator: Trojan.Fsysna!": [[592, 606]], "Indicator: Win32/Worm.4c0": [[607, 621]]}, "info": {"id": "cyner2_5class_train_06569", "source": "cyner2_5class_train"}} +{"text": "Novetta has collected and shares within this report evidence that suggests multiple actors,", "spans": {"Organization: Novetta": [[0, 7]]}, "info": {"id": "cyner2_5class_train_06570", "source": "cyner2_5class_train"}} +{"text": "This botnet is responsible for the majority of Locky and Dridex activity.", "spans": {"Malware: botnet": [[5, 11]], "Malware: Locky": [[47, 52]], "Malware: Dridex": [[57, 63]]}, "info": {"id": "cyner2_5class_train_06571", "source": "cyner2_5class_train"}} +{"text": "As mentioned previously , the beaconing is done every 60 seconds .", "spans": {}, "info": {"id": 
"cyner2_5class_train_06572", "source": "cyner2_5class_train"}} +{"text": ") Calculate the difference between this pointer and the User32 base address .", "spans": {}, "info": {"id": "cyner2_5class_train_06573", "source": "cyner2_5class_train"}} +{"text": "The tool has been used in global phishing attacks and its use has been implicated in a number of notable attacks.", "spans": {"Malware: tool": [[4, 8]], "Indicator: global phishing attacks": [[26, 49]], "Indicator: notable attacks.": [[97, 113]]}, "info": {"id": "cyner2_5class_train_06574", "source": "cyner2_5class_train"}} +{"text": "In this case I spent more time analyzing the campaign than I initially planned.", "spans": {}, "info": {"id": "cyner2_5class_train_06575", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.9E06 Win32.Trojan.WisdomEyes.16070401.9500.9767 Spyware.Perfect Win32/Gamepass.QHH Trojan-Dropper.Win32.Dorgam.xfl Win32.TenThief.QQPsw_def.fvg Trojan.PWS.Wsgame.36114 BehavesLike.Win32.Ransomware.dc Trojan.Win32.QQpass TrojanSpy.FlyStudio.cx TR/QQpass.E.4 Trojan-Dropper.Win32.Dorgam.xfl Win32/PSW.QQPass.OHY Win32/Trojan.884", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.9E06": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9767": [[44, 86]], "Indicator: Spyware.Perfect": [[87, 102]], "Indicator: Win32/Gamepass.QHH": [[103, 121]], "Indicator: Trojan-Dropper.Win32.Dorgam.xfl": [[122, 153], [296, 327]], "Indicator: Win32.TenThief.QQPsw_def.fvg": [[154, 182]], "Indicator: Trojan.PWS.Wsgame.36114": [[183, 206]], "Indicator: BehavesLike.Win32.Ransomware.dc": [[207, 238]], "Indicator: Trojan.Win32.QQpass": [[239, 258]], "Indicator: TrojanSpy.FlyStudio.cx": [[259, 281]], "Indicator: TR/QQpass.E.4": [[282, 295]], "Indicator: Win32/PSW.QQPass.OHY": [[328, 348]], "Indicator: Win32/Trojan.884": [[349, 365]]}, "info": {"id": "cyner2_5class_train_06576", "source": "cyner2_5class_train"}} +{"text": "The malware waits for victims to open the 
Google Play store and then displays a fake html overlay page asking for credit card information.", "spans": {"Malware: malware": [[4, 11]], "Indicator: waits": [[12, 17]], "Indicator: open": [[33, 37]], "System: Google Play store": [[42, 59]], "Indicator: displays a fake html overlay": [[69, 97]], "Indicator: credit card information.": [[114, 138]]}, "info": {"id": "cyner2_5class_train_06577", "source": "cyner2_5class_train"}} +{"text": "On July 14, FireEye researchers discovered attacks exploiting the Adobe Flash vulnerability CVE-2015-5122, just four days after Adobe released a patch.", "spans": {"Organization: FireEye researchers": [[12, 31]], "Vulnerability: exploiting": [[51, 61]], "System: Adobe Flash": [[66, 77]], "Vulnerability: vulnerability": [[78, 91]], "Indicator: CVE-2015-5122,": [[92, 106]], "Organization: Adobe": [[128, 133]]}, "info": {"id": "cyner2_5class_train_06578", "source": "cyner2_5class_train"}} +{"text": "Attacks involving Marcher have become increasingly sophisticated , with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [ 1 ] [ 2 ] .", "spans": {"Malware: Marcher": [[18, 25]]}, "info": {"id": "cyner2_5class_train_06579", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.S239831 Trojan.RA.Win32.52 Trojan.Win32.Reconyc.ejtcsm BehavesLike.Win32.Dropper.vc TR/RemoteAdmin.romkw Trojan/Win32.Scar Trojan.Zusy.D258ED Trojan.Banload Trojan.Win32.ChePro", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.S239831": [[26, 48]], "Indicator: Trojan.RA.Win32.52": [[49, 67]], "Indicator: Trojan.Win32.Reconyc.ejtcsm": [[68, 95]], "Indicator: BehavesLike.Win32.Dropper.vc": [[96, 124]], "Indicator: TR/RemoteAdmin.romkw": [[125, 145]], "Indicator: Trojan/Win32.Scar": [[146, 163]], "Indicator: Trojan.Zusy.D258ED": [[164, 182]], "Indicator: Trojan.Banload": [[183, 197]], "Indicator: Trojan.Win32.ChePro": [[198, 217]]}, "info": 
{"id": "cyner2_5class_train_06580", "source": "cyner2_5class_train"}} +{"text": "The source code appears to have been picked by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008.", "spans": {"Indicator: source code": [[4, 15]], "Indicator: DDoS attacks": [[97, 109]]}, "info": {"id": "cyner2_5class_train_06581", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanAPT.Moudoor.A8 TROJ_BANLOAD.GDV Backdoor.Moudoor TROJ_BANLOAD.GDV Win.Trojan.Downloader-27596 Trojan.DownLoader6.13038 Trojan-Downloader.Win32.Banload W32/Trojan.MQRX-7833 W32.Malware.Heur Trojan[Downloader]/Win32.Unknown Win32.Troj.Undef.kcloud Trojan.Downloader.cmGfaSmx9Rpb TrojanDownloader:Win32/Moudoor.A Win-Trojan/Downloader.46592.GU Trojan.Downloader.46592 Win32/TrojanDownloader.Moudoor.A W32/Downloader_a.BWT!tr Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanAPT.Moudoor.A8": [[26, 46]], "Indicator: TROJ_BANLOAD.GDV": [[47, 63], [81, 97]], "Indicator: Backdoor.Moudoor": [[64, 80]], "Indicator: Win.Trojan.Downloader-27596": [[98, 125]], "Indicator: Trojan.DownLoader6.13038": [[126, 150]], "Indicator: Trojan-Downloader.Win32.Banload": [[151, 182]], "Indicator: W32/Trojan.MQRX-7833": [[183, 203]], "Indicator: W32.Malware.Heur": [[204, 220]], "Indicator: Trojan[Downloader]/Win32.Unknown": [[221, 253]], "Indicator: Win32.Troj.Undef.kcloud": [[254, 277]], "Indicator: Trojan.Downloader.cmGfaSmx9Rpb": [[278, 308]], "Indicator: TrojanDownloader:Win32/Moudoor.A": [[309, 341]], "Indicator: Win-Trojan/Downloader.46592.GU": [[342, 372]], "Indicator: Trojan.Downloader.46592": [[373, 396]], "Indicator: Win32/TrojanDownloader.Moudoor.A": [[397, 429]], "Indicator: W32/Downloader_a.BWT!tr": [[430, 453]], "Indicator: Win32/RootKit.Rootkit.7e5": [[454, 479]]}, "info": {"id": "cyner2_5class_train_06582", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.OnlineGames.KDPO TrojanPWS.Dozmot.D4 
Infostealer.Gampass W32/Magania.GZ TROJ_GAMEHTI.SMI Trojan.Spy-73883 Trojan-GameThief.Win32.OnLineGames.bnkb Trojan.PWS.OnlineGames.KDPO Trojan.PWS.Magania!Tq/DAk7oVGo Virus.Win32.Part.a TrojWare.Win32.PSW.OnlineGames.~BNKB Trojan-PSW:W32/OnlineGames.UBO Trojan.PWS.Gamania.30052 TROJ_GAMEHTI.SMI Trojan-GameThief.Win32.WOW!IK Trojan/PSW.OnLineGames.bton Win32.PSWTroj.OnLineGames.kcloud PWS:Win32/Dozmot.D Trojan.Win32.PSWIGames.27176.E Trojan.PWS.OnlineGames.KDPO Trojan/Win32.OnlineGameHack BScope.Trojan.OnlineGames.0825 Trojan-PSW.Gampass Win32/PSW.WOW.NQS Trojan.Win32.FakeKsUsr.a Trojan-GameThief.Win32.WOW W32/Onlinegames.OST!tr.pws Trj/Lineage.LNC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.OnlineGames.KDPO": [[26, 53], [183, 210], [512, 539]], "Indicator: TrojanPWS.Dozmot.D4": [[54, 73]], "Indicator: Infostealer.Gampass": [[74, 93]], "Indicator: W32/Magania.GZ": [[94, 108]], "Indicator: TROJ_GAMEHTI.SMI": [[109, 125], [354, 370]], "Indicator: Trojan.Spy-73883": [[126, 142]], "Indicator: Trojan-GameThief.Win32.OnLineGames.bnkb": [[143, 182]], "Indicator: Trojan.PWS.Magania!Tq/DAk7oVGo": [[211, 241]], "Indicator: Virus.Win32.Part.a": [[242, 260]], "Indicator: TrojWare.Win32.PSW.OnlineGames.~BNKB": [[261, 297]], "Indicator: Trojan-PSW:W32/OnlineGames.UBO": [[298, 328]], "Indicator: Trojan.PWS.Gamania.30052": [[329, 353]], "Indicator: Trojan-GameThief.Win32.WOW!IK": [[371, 400]], "Indicator: Trojan/PSW.OnLineGames.bton": [[401, 428]], "Indicator: Win32.PSWTroj.OnLineGames.kcloud": [[429, 461]], "Indicator: PWS:Win32/Dozmot.D": [[462, 480]], "Indicator: Trojan.Win32.PSWIGames.27176.E": [[481, 511]], "Indicator: Trojan/Win32.OnlineGameHack": [[540, 567]], "Indicator: BScope.Trojan.OnlineGames.0825": [[568, 598]], "Indicator: Trojan-PSW.Gampass": [[599, 617]], "Indicator: Win32/PSW.WOW.NQS": [[618, 635]], "Indicator: Trojan.Win32.FakeKsUsr.a": [[636, 660]], "Indicator: Trojan-GameThief.Win32.WOW": [[661, 687]], "Indicator: 
W32/Onlinegames.OST!tr.pws": [[688, 714]], "Indicator: Trj/Lineage.LNC": [[715, 730]]}, "info": {"id": "cyner2_5class_train_06583", "source": "cyner2_5class_train"}} +{"text": "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones .", "spans": {}, "info": {"id": "cyner2_5class_train_06584", "source": "cyner2_5class_train"}} +{"text": "Upon decryption , we can see that the response from the server is a JSON object of EventBot ’ s configuration , which contains C2 URLs and a targeted applications list .", "spans": {"Malware: EventBot": [[83, 91]]}, "info": {"id": "cyner2_5class_train_06585", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Bedep Trojan.Zusy.D3CF93 Backdoor.Win32.Bedep.lls Win32.Backdoor.Bedep.Lnob BDS/Bedep.ghjmg Trojan[Backdoor]/Win32.Bedep Backdoor.Win32.Bedep.lls Win-Trojan/Bmdoor.100864 Backdoor.Win32.Bedep", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bedep": [[26, 40]], "Indicator: Trojan.Zusy.D3CF93": [[41, 59]], "Indicator: Backdoor.Win32.Bedep.lls": [[60, 84], [156, 180]], "Indicator: Win32.Backdoor.Bedep.Lnob": [[85, 110]], "Indicator: BDS/Bedep.ghjmg": [[111, 126]], "Indicator: Trojan[Backdoor]/Win32.Bedep": [[127, 155]], "Indicator: Win-Trojan/Bmdoor.100864": [[181, 205]], "Indicator: Backdoor.Win32.Bedep": [[206, 226]]}, "info": {"id": "cyner2_5class_train_06586", "source": "cyner2_5class_train"}} +{"text": "Tofsee is a multi-purpose malware with wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more.", "spans": {"Malware: Tofsee": [[0, 6]], "Malware: multi-purpose malware": [[12, 33]], "Indicator: mine bitcoins, send emails, steal credentials, perform DDoS attacks,": [[75, 143]]}, "info": {"id": "cyner2_5class_train_06587", "source": "cyner2_5class_train"}} +{"text": "These are detected within Alienvault USM by looking for Excel launching Cmd.exe.", "spans": {"Organization: 
Alienvault USM": [[26, 40]], "Indicator: Excel launching Cmd.exe.": [[56, 80]]}, "info": {"id": "cyner2_5class_train_06588", "source": "cyner2_5class_train"}} +{"text": "In this blog , we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group called “ Roaming Mantis ” known to operate mainly in Asia .", "spans": {"Malware: FakeSpy": [[65, 72]], "Organization: Roaming Mantis": [[119, 133]]}, "info": {"id": "cyner2_5class_train_06589", "source": "cyner2_5class_train"}} +{"text": "It impersonates a porn player app or MMS application but without having their functionality .", "spans": {}, "info": {"id": "cyner2_5class_train_06590", "source": "cyner2_5class_train"}} +{"text": "In that research we discussed two new malware families we named KASPERAGENT and MICROPSIA.", "spans": {"Malware: malware families": [[38, 54]], "Malware: KASPERAGENT": [[64, 75]], "Malware: MICROPSIA.": [[80, 90]]}, "info": {"id": "cyner2_5class_train_06591", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.FakeAV Trojan.FakeSysDef.Win32.707 Trojan/Kryptik.ahre Win32.Trojan.WisdomEyes.16070401.9500.9999 TrojWare.Win32.Spy.Zbot.HEUB Trojan.DownLoader5.64514 BehavesLike.Win32.Downloader.dc Trojan/SmartFixer.gv W32.Trojan.Fakesysdef TR/FakeSysdef.aqwrb Trojan.Zbot.76 Trojan/Win32.FakeAV.R28472 FakeAlert-SysDef.ae TrojanFakeAV.FakeSysDef Trojan.Zbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeAV": [[26, 39]], "Indicator: Trojan.FakeSysDef.Win32.707": [[40, 67]], "Indicator: Trojan/Kryptik.ahre": [[68, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[88, 130]], "Indicator: TrojWare.Win32.Spy.Zbot.HEUB": [[131, 159]], "Indicator: Trojan.DownLoader5.64514": [[160, 184]], "Indicator: BehavesLike.Win32.Downloader.dc": [[185, 216]], "Indicator: Trojan/SmartFixer.gv": [[217, 237]], "Indicator: W32.Trojan.Fakesysdef": [[238, 259]], "Indicator: TR/FakeSysdef.aqwrb": [[260, 279]], "Indicator: 
Trojan.Zbot.76": [[280, 294]], "Indicator: Trojan/Win32.FakeAV.R28472": [[295, 321]], "Indicator: FakeAlert-SysDef.ae": [[322, 341]], "Indicator: TrojanFakeAV.FakeSysDef": [[342, 365]], "Indicator: Trojan.Zbot": [[366, 377]]}, "info": {"id": "cyner2_5class_train_06592", "source": "cyner2_5class_train"}} +{"text": "Taiwan has been a regular target of cyber espionage threat actors for a number of years.", "spans": {}, "info": {"id": "cyner2_5class_train_06593", "source": "cyner2_5class_train"}} +{"text": "It is evident that the ultimate goal of this program is to steal information .", "spans": {}, "info": {"id": "cyner2_5class_train_06594", "source": "cyner2_5class_train"}} +{"text": "If the user long-presses the icon , the name of the app responsible for the activity is revealed ( right ) .", "spans": {}, "info": {"id": "cyner2_5class_train_06595", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Nekozillot Win32.Trojan.WisdomEyes.16070401.9500.9656 Trojan.DownLoader25.61646 W32/Trojan.RZHM-5084 BDS/RedCap.gyswy Trojan.MSILPerseus.D21311 Backdoor:MSIL/Nekozillot.A!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Nekozillot": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9656": [[46, 88]], "Indicator: Trojan.DownLoader25.61646": [[89, 114]], "Indicator: W32/Trojan.RZHM-5084": [[115, 135]], "Indicator: BDS/RedCap.gyswy": [[136, 152]], "Indicator: Trojan.MSILPerseus.D21311": [[153, 178]], "Indicator: Backdoor:MSIL/Nekozillot.A!bit": [[179, 209]], "Indicator: Trj/GdSda.A": [[210, 221]]}, "info": {"id": "cyner2_5class_train_06596", "source": "cyner2_5class_train"}} +{"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different .", "spans": {"System: iOS 12.1.1": [[33, 43]], "System: iOS 12.2": [[48, 56]]}, "info": {"id": "cyner2_5class_train_06597", "source": "cyner2_5class_train"}} +{"text": "Also , the longer the delay , the lower the risk of the user 
associating the unwanted ads with a particular app .", "spans": {}, "info": {"id": "cyner2_5class_train_06598", "source": "cyner2_5class_train"}} +{"text": "It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks.", "spans": {"Indicator: massive spam attacks.": [[87, 108]]}, "info": {"id": "cyner2_5class_train_06599", "source": "cyner2_5class_train"}} +{"text": "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these , 97 percent , were highly likely encrypted images taken using the device camera .", "spans": {}, "info": {"id": "cyner2_5class_train_06600", "source": "cyner2_5class_train"}} +{"text": "and launch the new activity as the payload.", "spans": {"Malware: payload.": [[35, 43]]}, "info": {"id": "cyner2_5class_train_06601", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Quby.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Quby.b": [[26, 45]]}, "info": {"id": "cyner2_5class_train_06602", "source": "cyner2_5class_train"}} +{"text": "The latest version is analyzed here ; we weren ’ t able to determine if the earlier versions were also malicious .", "spans": {}, "info": {"id": "cyner2_5class_train_06603", "source": "cyner2_5class_train"}} +{"text": "So far, these campaigns have targeted countries including Germany, Austria, and the United Kingdom.", "spans": {}, "info": {"id": "cyner2_5class_train_06604", "source": "cyner2_5class_train"}} +{"text": "This includes,among others, Poland, Australia, United Kingdom and Spain.", "spans": {}, "info": {"id": "cyner2_5class_train_06605", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Roron.F Worm.Roron.Win32.28 WORM_OROR.Q Win32.Trojan.WisdomEyes.16070401.9500.9941 W32/Roro.AA@mm W32.HLLW.Oror.C@mm Win32/Oror.U WORM_OROR.Q Win.Trojan.Oror-3 Trojan.Win32.IRCBot.dvpnyt W32.W.Envid.l6rk 
Win32.Backdoor.Ircbot.Lned Worm.Win32.Roron.51 Win32.HLLM.RoRo BehavesLike.Win32.Backdoor.cc W32/Roro.AA@mm Backdoor/IRCBot.rdt WORM/Roron.51 Worm[Email]/Win32.Roron Win32.Hack.IRCBot.g.kcloud I-Worm.Win32.Roron.82954 Worm:Win32/Roron.Z@mm Win32/Roron.worm.81925 Worm.Roron Win32/Roron.51 IRC.Roron.G Email-Worm.Win32.Roron W32/Roron.B!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Roron.F": [[26, 37]], "Indicator: Worm.Roron.Win32.28": [[38, 57]], "Indicator: WORM_OROR.Q": [[58, 69], [160, 171]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9941": [[70, 112]], "Indicator: W32/Roro.AA@mm": [[113, 127], [327, 341]], "Indicator: W32.HLLW.Oror.C@mm": [[128, 146]], "Indicator: Win32/Oror.U": [[147, 159]], "Indicator: Win.Trojan.Oror-3": [[172, 189]], "Indicator: Trojan.Win32.IRCBot.dvpnyt": [[190, 216]], "Indicator: W32.W.Envid.l6rk": [[217, 233]], "Indicator: Win32.Backdoor.Ircbot.Lned": [[234, 260]], "Indicator: Worm.Win32.Roron.51": [[261, 280]], "Indicator: Win32.HLLM.RoRo": [[281, 296]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[297, 326]], "Indicator: Backdoor/IRCBot.rdt": [[342, 361]], "Indicator: WORM/Roron.51": [[362, 375]], "Indicator: Worm[Email]/Win32.Roron": [[376, 399]], "Indicator: Win32.Hack.IRCBot.g.kcloud": [[400, 426]], "Indicator: I-Worm.Win32.Roron.82954": [[427, 451]], "Indicator: Worm:Win32/Roron.Z@mm": [[452, 473]], "Indicator: Win32/Roron.worm.81925": [[474, 496]], "Indicator: Worm.Roron": [[497, 507]], "Indicator: Win32/Roron.51": [[508, 522]], "Indicator: IRC.Roron.G": [[523, 534]], "Indicator: Email-Worm.Win32.Roron": [[535, 557]], "Indicator: W32/Roron.B!worm": [[558, 574]]}, "info": {"id": "cyner2_5class_train_06606", "source": "cyner2_5class_train"}} +{"text": "The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.", "spans": {"Organization: The Kaspersky Anti-Ransom team": [[0, 30]], "Malware: Xpan 
Trojan,": [[45, 57]], "Organization: Hospital": [[97, 105]], "Malware: Ransomware family.": [[147, 165]]}, "info": {"id": "cyner2_5class_train_06607", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.DL.BHO.UDE W32/DLoader.AIYY Trojan.Downloader-70412 TrojWare.Win32.Bho.yme Trojan.Win32.Bho.yme Trojan.MulDrop.origin Heuristic.BehavesLike.Win32.Dropper.K TrojanDropper.Softfy.cn Trojan:Win32/Gedanjo.A Trojan-Downloader.Win32.BHO.lff Trojan.Clicker.Win32.Undef.mi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DL.BHO.UDE": [[26, 43]], "Indicator: W32/DLoader.AIYY": [[44, 60]], "Indicator: Trojan.Downloader-70412": [[61, 84]], "Indicator: TrojWare.Win32.Bho.yme": [[85, 107]], "Indicator: Trojan.Win32.Bho.yme": [[108, 128]], "Indicator: Trojan.MulDrop.origin": [[129, 150]], "Indicator: Heuristic.BehavesLike.Win32.Dropper.K": [[151, 188]], "Indicator: TrojanDropper.Softfy.cn": [[189, 212]], "Indicator: Trojan:Win32/Gedanjo.A": [[213, 235]], "Indicator: Trojan-Downloader.Win32.BHO.lff": [[236, 267]], "Indicator: Trojan.Clicker.Win32.Undef.mi": [[268, 297]]}, "info": {"id": "cyner2_5class_train_06608", "source": "cyner2_5class_train"}} +{"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day CVE-2015-2590 in July 2015.", "spans": {"Malware: JHUHUGIT implant": [[4, 20]], "Indicator: Sofacy attacks": [[69, 83]], "Vulnerability: Java zero-day": [[110, 123]], "Indicator: CVE-2015-2590": [[124, 137]]}, "info": {"id": "cyner2_5class_train_06609", "source": "cyner2_5class_train"}} +{"text": "These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware loader.", "spans": {"Indicator: multi-stage infection": [[31, 52]], "Indicator: PDF file, a malicious Microsoft Office document,": [[71, 119]], "Malware: the Jaff ransomware loader.": [[133, 160]]}, "info": {"id": 
"cyner2_5class_train_06610", "source": "cyner2_5class_train"}} +{"text": "Indicators of the malware used in two bank heist against Tienphong Commercial Bank in Vietnam and the Bangladesh central bank.", "spans": {"Indicator: Indicators": [[0, 10]], "Malware: malware": [[18, 25]], "Indicator: bank heist": [[38, 48]], "Organization: Tienphong Commercial Bank": [[57, 82]], "Organization: the Bangladesh central bank.": [[98, 126]]}, "info": {"id": "cyner2_5class_train_06611", "source": "cyner2_5class_train"}} +{"text": "In the next sections , for simplicity , we will continue the analysis only on the 64-bit payload .", "spans": {}, "info": {"id": "cyner2_5class_train_06612", "source": "cyner2_5class_train"}} +{"text": "The malware will start the main service if all the requested permissions and the device admin privileges are granted .", "spans": {}, "info": {"id": "cyner2_5class_train_06613", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: RiskWare.Tool.CK Win32.Trojan.WisdomEyes.16070401.9500.9947 Trojan.Win32.Clicker.8989 TrojWare.Win32.Patched.KSU Trojan.DownLoader.5848 BehavesLike.Win32.Ramnit.xc TR/Dldr.Hup.UH.15.B Win32.Troj.download.kcloud Trojan.Dropper/Packed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RiskWare.Tool.CK": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9947": [[43, 85]], "Indicator: Trojan.Win32.Clicker.8989": [[86, 111]], "Indicator: TrojWare.Win32.Patched.KSU": [[112, 138]], "Indicator: Trojan.DownLoader.5848": [[139, 161]], "Indicator: BehavesLike.Win32.Ramnit.xc": [[162, 189]], "Indicator: TR/Dldr.Hup.UH.15.B": [[190, 209]], "Indicator: Win32.Troj.download.kcloud": [[210, 236]], "Indicator: Trojan.Dropper/Packed": [[237, 258]]}, "info": {"id": "cyner2_5class_train_06614", "source": "cyner2_5class_train"}} +{"text": "The delivery document also saved the post-exploitation credential harvesting tool known as Mimikatz, which we believe the threat actors will use to gather account credentials 
from the compromised system.", "spans": {"Malware: the post-exploitation credential harvesting tool": [[33, 81]], "Malware: Mimikatz,": [[91, 100]], "System: the compromised system.": [[180, 203]]}, "info": {"id": "cyner2_5class_train_06615", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Standardtest.17104 Win32.Trojan.WisdomEyes.16070401.9500.9983 Win32/Tnega.FJZCPHC Win.Trojan.Standardtest-1 Trojan.Win32.StandardTest.cthmar Win32.Trojan.Standardtest.Dvpy TrojWare.Win32.StandardTest.A Trojan.Win32.StandardTest TR/StandardTest.0 Trojan.Razy.D1D493 Trojan:Win32/StandardTest.0 Trojan/Win32.Kazy.C224799 Trojan.Kazy!M40EV8PiuTc Win32/Trojan.b42", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Standardtest.17104": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9983": [[52, 94]], "Indicator: Win32/Tnega.FJZCPHC": [[95, 114]], "Indicator: Win.Trojan.Standardtest-1": [[115, 140]], "Indicator: Trojan.Win32.StandardTest.cthmar": [[141, 173]], "Indicator: Win32.Trojan.Standardtest.Dvpy": [[174, 204]], "Indicator: TrojWare.Win32.StandardTest.A": [[205, 234]], "Indicator: Trojan.Win32.StandardTest": [[235, 260]], "Indicator: TR/StandardTest.0": [[261, 278]], "Indicator: Trojan.Razy.D1D493": [[279, 297]], "Indicator: Trojan:Win32/StandardTest.0": [[298, 325]], "Indicator: Trojan/Win32.Kazy.C224799": [[326, 351]], "Indicator: Trojan.Kazy!M40EV8PiuTc": [[352, 375]], "Indicator: Win32/Trojan.b42": [[376, 392]]}, "info": {"id": "cyner2_5class_train_06616", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MalPack Ransom_Blocker.R011C0RB618 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAV Win.Trojan.Emotet-6441079-0 Trojan-Ransom.Win32.Blocker.krar Trojan.Win32.Encoder.exomzo Trojan.Win32.Z.Zusy.183296.BS TrojWare.Win32.Ransom.GandCrypt.A Trojan.Encoder.24475 BehavesLike.Win32.PWSZbot.cc Trojan.Win32.Crypt Trojan.Blocker.ier TR/Crypt.ZPACK.hwjhn Trojan.Zusy.D42FEC 
Trojan-Ransom.Win32.Blocker.krar TrojanProxy:Win32/Bunitu.Q!bit Trojan/Win32.Magniber.R219494 W32/Injector.DVHR!tr Win32/Trojan.ff4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MalPack": [[26, 40]], "Indicator: Ransom_Blocker.R011C0RB618": [[41, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[68, 110]], "Indicator: Trojan.FakeAV": [[111, 124]], "Indicator: Win.Trojan.Emotet-6441079-0": [[125, 152]], "Indicator: Trojan-Ransom.Win32.Blocker.krar": [[153, 185], [406, 438]], "Indicator: Trojan.Win32.Encoder.exomzo": [[186, 213]], "Indicator: Trojan.Win32.Z.Zusy.183296.BS": [[214, 243]], "Indicator: TrojWare.Win32.Ransom.GandCrypt.A": [[244, 277]], "Indicator: Trojan.Encoder.24475": [[278, 298]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[299, 327]], "Indicator: Trojan.Win32.Crypt": [[328, 346]], "Indicator: Trojan.Blocker.ier": [[347, 365]], "Indicator: TR/Crypt.ZPACK.hwjhn": [[366, 386]], "Indicator: Trojan.Zusy.D42FEC": [[387, 405]], "Indicator: TrojanProxy:Win32/Bunitu.Q!bit": [[439, 469]], "Indicator: Trojan/Win32.Magniber.R219494": [[470, 499]], "Indicator: W32/Injector.DVHR!tr": [[500, 520]], "Indicator: Win32/Trojan.ff4": [[521, 537]]}, "info": {"id": "cyner2_5class_train_06617", "source": "cyner2_5class_train"}} +{"text": "The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat APT groups that we track, APT3 and APT18.", "spans": {"Organization: FireEye": [[4, 11]], "Organization: Service team": [[17, 29]]}, "info": {"id": "cyner2_5class_train_06618", "source": "cyner2_5class_train"}} +{"text": "The code and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device .", "spans": {}, "info": {"id": "cyner2_5class_train_06619", "source": "cyner2_5class_train"}} +{"text": "The ability to carry out these types of 
intelligence-gathering activities on phones represents a huge score for the operator .", "spans": {}, "info": {"id": "cyner2_5class_train_06620", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.HllpHQc.Trojan Win32.HLLP.DeTroie.A HLLP.DeTroie Win32.HLLP.DeTroie.A Virus.DeTroie.Win32.8 W32/HLLP.DeTroie.a Win32.HLLP.DeTroie.A Win32.Worm.DeTroie.b W32/HLLP.Detroie.A W32.HLLP.DeTroie Win32/DeTroie.D WORM_DETROIE.A Win.Trojan.DeTroie-1 Virus.Win32.HLLP.DeTroie Win32.HLLP.DeTroie.A Virus.Win32.DeTroie.bbxbrd W32.HLLP.DeTroie.tnqA Virus.Win32.Hllp.aad Win32.HLLP.DeTroie.A Virus.Win32.HLLP.DeTroie.E Win32.HLLP.Cheval WORM_DETROIE.A BehavesLike.Win32.Cheval.tz W32/HLLP.Detroie.A Win32/HLLP.DeTroie W32.Hllp.Detroie Virus/Win32.HLLP.DeTroie Worm:Win32/Cheval.D Win32.Detroie.A Virus.Win32.HLLP.DeTroie Win32.HLLP.DeTroie.A Win32/HLLP.Detroie.D W32/Cheval.dr Virus.Win32.HLLP.DeTroie Win32/HLLP.DeTroie Win32.HLLP.DeTroie.C Virus.Win32.HLLP.DeTroie W95/HLLP.Detroie.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.HllpHQc.Trojan": [[26, 50]], "Indicator: Win32.HLLP.DeTroie.A": [[51, 71], [85, 105], [147, 167], [302, 322], [393, 413], [643, 663]], "Indicator: HLLP.DeTroie": [[72, 84]], "Indicator: Virus.DeTroie.Win32.8": [[106, 127]], "Indicator: W32/HLLP.DeTroie.a": [[128, 146]], "Indicator: Win32.Worm.DeTroie.b": [[168, 188]], "Indicator: W32/HLLP.Detroie.A": [[189, 207], [502, 520]], "Indicator: W32.HLLP.DeTroie": [[208, 224]], "Indicator: Win32/DeTroie.D": [[225, 240]], "Indicator: WORM_DETROIE.A": [[241, 255], [459, 473]], "Indicator: Win.Trojan.DeTroie-1": [[256, 276]], "Indicator: Virus.Win32.HLLP.DeTroie": [[277, 301], [618, 642], [699, 723], [764, 788]], "Indicator: Virus.Win32.DeTroie.bbxbrd": [[323, 349]], "Indicator: W32.HLLP.DeTroie.tnqA": [[350, 371]], "Indicator: Virus.Win32.Hllp.aad": [[372, 392]], "Indicator: Virus.Win32.HLLP.DeTroie.E": [[414, 440]], "Indicator: Win32.HLLP.Cheval": [[441, 458]], "Indicator: 
BehavesLike.Win32.Cheval.tz": [[474, 501]], "Indicator: Win32/HLLP.DeTroie": [[521, 539], [724, 742]], "Indicator: W32.Hllp.Detroie": [[540, 556]], "Indicator: Virus/Win32.HLLP.DeTroie": [[557, 581]], "Indicator: Worm:Win32/Cheval.D": [[582, 601]], "Indicator: Win32.Detroie.A": [[602, 617]], "Indicator: Win32/HLLP.Detroie.D": [[664, 684]], "Indicator: W32/Cheval.dr": [[685, 698]], "Indicator: Win32.HLLP.DeTroie.C": [[743, 763]], "Indicator: W95/HLLP.Detroie.E": [[789, 807]]}, "info": {"id": "cyner2_5class_train_06621", "source": "cyner2_5class_train"}} +{"text": "The malware contains a list of 209 packages hardcoded in its source code .", "spans": {}, "info": {"id": "cyner2_5class_train_06622", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.E0AE Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Yakes.vphb Trojan.Win32.Yakes.exslpy Trojan.Encoder.3976 BehavesLike.Win32.Downloader.kc Trojan.Win32.Crypt Trojan.Yakes.yvz TR/Crypt.ZPACK.rwser Trojan.Win32.Yakes.vphb Trojan:Win32/Godzilia.B!bit Trj/GdSda.A W32/Kryptik.EYKI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.E0AE": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[43, 85]], "Indicator: Trojan.Win32.Yakes.vphb": [[86, 109], [245, 268]], "Indicator: Trojan.Win32.Yakes.exslpy": [[110, 135]], "Indicator: Trojan.Encoder.3976": [[136, 155]], "Indicator: BehavesLike.Win32.Downloader.kc": [[156, 187]], "Indicator: Trojan.Win32.Crypt": [[188, 206]], "Indicator: Trojan.Yakes.yvz": [[207, 223]], "Indicator: TR/Crypt.ZPACK.rwser": [[224, 244]], "Indicator: Trojan:Win32/Godzilia.B!bit": [[269, 296]], "Indicator: Trj/GdSda.A": [[297, 308]], "Indicator: W32/Kryptik.EYKI!tr": [[309, 328]]}, "info": {"id": "cyner2_5class_train_06623", "source": "cyner2_5class_train"}} +{"text": "How these recorded calls are sent to the command and control server ( CnC ) is taken care of by MainService , which is discussed next .", "spans": {}, "info": {"id": 
"cyner2_5class_train_06624", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Spybot.Worm Win32.Stration Win32.HLLW.SpyBot Worm/Spyboter.44064 P2P-Worm.Win32.SpyBot.gl!IK P2P-Worm.Win32.SpyBot.eu", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Spybot.Worm": [[26, 41]], "Indicator: Win32.Stration": [[42, 56]], "Indicator: Win32.HLLW.SpyBot": [[57, 74]], "Indicator: Worm/Spyboter.44064": [[75, 94]], "Indicator: P2P-Worm.Win32.SpyBot.gl!IK": [[95, 122]], "Indicator: P2P-Worm.Win32.SpyBot.eu": [[123, 147]]}, "info": {"id": "cyner2_5class_train_06625", "source": "cyner2_5class_train"}} +{"text": "Figure 22 : world infection heat map Considering that India is by far the most infected county by “ Agent Smith ” , overall compromised device brand distribution is heavily influenced by brand popularity among Indian Android users : Figure 23 : infected brand distribution While most infections occurred on devices running Android 5 and 6 , we also see a considerable number of successful attacks against newer Android versions .", "spans": {"Malware: Agent Smith": [[100, 111]], "System: Android": [[217, 224], [411, 418]], "System: Android 5 and 6": [[323, 338]]}, "info": {"id": "cyner2_5class_train_06626", "source": "cyner2_5class_train"}} +{"text": "Visiting the main page hosted at www.president-office.gov[.]mm triggered the malicious content, as the threat actors injected an inline frame IFRAME into a JavaScript file used by Drupal for the site's theme.", "spans": {"Indicator: www.president-office.gov[.]mm": [[33, 62]], "Malware: malicious": [[77, 86]], "Indicator: inline frame IFRAME": [[129, 148]], "Indicator: JavaScript file": [[156, 171]], "Organization: Drupal": [[180, 186]]}, "info": {"id": "cyner2_5class_train_06627", "source": "cyner2_5class_train"}} +{"text": "This campaign started in April 2017, using a spear phishing campaign to deliver the MICROPSIA payload in order to remotely control infected systems.", "spans": {"Malware: 
MICROPSIA payload": [[84, 101]], "System: infected systems.": [[131, 148]]}, "info": {"id": "cyner2_5class_train_06628", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OngameJFT.Trojan Application.Hacktool.CX Worm/W32.AutoRun.11656 RiskTool.Win32.Tcpz!O Risktool.Tcpz W32/AutoRun.ezt W32/Spybot.QYN Hacktool.Rootkit Win32/Tcpz.A Win.Trojan.B-285 Application.Hacktool.CX not-a-virus:RiskTool.Win32.Tcpz.a Application.Hacktool.CX Trojan.Win32.SdBot.hjuf Application.Hacktool.CX TrojWare.Win32.Trojan.TCPZ.~A Rootkit:W32/Tcpz.A Tool.TcpZ Backdoor.IRCBot.Win32.17564 Backdoor.Win32.IRCBot W32/Spybot.XPIF-6513 W32.Hack.Tool Application.Hacktool.CX Worm.AutoRun/Variant not-a-virus:RiskTool.Win32.Tcpz.a HackTool:WinNT/Tcpz.A Trojan/Win32.Rootkit.C53179 Rootkit.Win32.Drucker Hacktool/Tcpz.A HackTool.Tcpz!rBSvpdUKEZI W32/Tcpz.A!tr Win32/Worm.AutoRun.750", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OngameJFT.Trojan": [[26, 46]], "Indicator: Application.Hacktool.CX": [[47, 70], [208, 231], [266, 289], [314, 337], [482, 505]], "Indicator: Worm/W32.AutoRun.11656": [[71, 93]], "Indicator: RiskTool.Win32.Tcpz!O": [[94, 115]], "Indicator: Risktool.Tcpz": [[116, 129]], "Indicator: W32/AutoRun.ezt": [[130, 145]], "Indicator: W32/Spybot.QYN": [[146, 160]], "Indicator: Hacktool.Rootkit": [[161, 177]], "Indicator: Win32/Tcpz.A": [[178, 190]], "Indicator: Win.Trojan.B-285": [[191, 207]], "Indicator: not-a-virus:RiskTool.Win32.Tcpz.a": [[232, 265], [527, 560]], "Indicator: Trojan.Win32.SdBot.hjuf": [[290, 313]], "Indicator: TrojWare.Win32.Trojan.TCPZ.~A": [[338, 367]], "Indicator: Rootkit:W32/Tcpz.A": [[368, 386]], "Indicator: Tool.TcpZ": [[387, 396]], "Indicator: Backdoor.IRCBot.Win32.17564": [[397, 424]], "Indicator: Backdoor.Win32.IRCBot": [[425, 446]], "Indicator: W32/Spybot.XPIF-6513": [[447, 467]], "Indicator: W32.Hack.Tool": [[468, 481]], "Indicator: Worm.AutoRun/Variant": [[506, 526]], "Indicator: HackTool:WinNT/Tcpz.A": [[561, 582]], 
"Indicator: Trojan/Win32.Rootkit.C53179": [[583, 610]], "Indicator: Rootkit.Win32.Drucker": [[611, 632]], "Indicator: Hacktool/Tcpz.A": [[633, 648]], "Indicator: HackTool.Tcpz!rBSvpdUKEZI": [[649, 674]], "Indicator: W32/Tcpz.A!tr": [[675, 688]], "Indicator: Win32/Worm.AutoRun.750": [[689, 711]]}, "info": {"id": "cyner2_5class_train_06629", "source": "cyner2_5class_train"}} +{"text": "This report records the analysis and tracing process of the entire incident.", "spans": {}, "info": {"id": "cyner2_5class_train_06630", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Win32.Scar!O Trojan.Scar Troj.W32.Scar.toQM Win32.Trojan.VB.ac WORM_OTORUN.SM0 Trojan.Win32.Scar.lpco Trojan.Win32.Scar.crgjex TrojWare.Win32.WBNA.THR Trojan.MulDrop3.10901 WORM_OTORUN.SM0 BehavesLike.Win32.VBObfus.lt Worm.Win32.VB Worm/WBNA.hgwu Trojan/Win32.Scar Win32.Troj.Scar.fw.kcloud Trojan.Symmi.DFA6A Trojan.Win32.Scar.lpco Trojan:Win32/Tookibe.B!bit HEUR/Fakon.mwf TScope.Trojan.VB Trj/GdSda.A Win32/VB.OGG Win32.Trojan.Scar.Wqms W32/VB.QHS!tr Win32/Trojan.e82", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Trojan.Win32.Scar!O": [[54, 73]], "Indicator: Trojan.Scar": [[74, 85]], "Indicator: Troj.W32.Scar.toQM": [[86, 104]], "Indicator: Win32.Trojan.VB.ac": [[105, 123]], "Indicator: WORM_OTORUN.SM0": [[124, 139], [234, 249]], "Indicator: Trojan.Win32.Scar.lpco": [[140, 162], [371, 393]], "Indicator: Trojan.Win32.Scar.crgjex": [[163, 187]], "Indicator: TrojWare.Win32.WBNA.THR": [[188, 211]], "Indicator: Trojan.MulDrop3.10901": [[212, 233]], "Indicator: BehavesLike.Win32.VBObfus.lt": [[250, 278]], "Indicator: Worm.Win32.VB": [[279, 292]], "Indicator: Worm/WBNA.hgwu": [[293, 307]], "Indicator: Trojan/Win32.Scar": [[308, 325]], "Indicator: Win32.Troj.Scar.fw.kcloud": [[326, 351]], "Indicator: Trojan.Symmi.DFA6A": [[352, 370]], "Indicator: Trojan:Win32/Tookibe.B!bit": [[394, 420]], 
"Indicator: HEUR/Fakon.mwf": [[421, 435]], "Indicator: TScope.Trojan.VB": [[436, 452]], "Indicator: Trj/GdSda.A": [[453, 464]], "Indicator: Win32/VB.OGG": [[465, 477]], "Indicator: Win32.Trojan.Scar.Wqms": [[478, 500]], "Indicator: W32/VB.QHS!tr": [[501, 514]], "Indicator: Win32/Trojan.e82": [[515, 531]]}, "info": {"id": "cyner2_5class_train_06631", "source": "cyner2_5class_train"}} +{"text": "EventBot uses this function to update its C2s , the configuration of webinjects , etc .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_06632", "source": "cyner2_5class_train"}} +{"text": "Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data.", "spans": {"Organization: Casinos": [[0, 7]], "Organization: resort hotels": [[12, 25]], "Malware: RawPOS,": [[77, 84]], "Malware: POS malware,": [[92, 104]], "Indicator: steal customer data.": [[108, 128]]}, "info": {"id": "cyner2_5class_train_06633", "source": "cyner2_5class_train"}} +{"text": "If the user unlocks their device , they will see a black screen while the app drops the call , resets call settings and prepares for the user to interact with the device normally .", "spans": {}, "info": {"id": "cyner2_5class_train_06634", "source": "cyner2_5class_train"}} +{"text": "However , the apps are still available in third-party app stores .", "spans": {}, "info": {"id": "cyner2_5class_train_06635", "source": "cyner2_5class_train"}} +{"text": "Since mid-July 2015, I've noticed an increase in malicious spam malspam caught by my employer's spam filters with java archive .jar file attachments.", "spans": {"Indicator: malicious spam malspam": [[49, 71]], "Indicator: java archive .jar file attachments.": [[114, 149]]}, "info": {"id": "cyner2_5class_train_06636", "source": "cyner2_5class_train"}} +{"text": "These activities depend on the device configuration .", "spans": {}, "info": {"id": "cyner2_5class_train_06637", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Staget.bz W32/Trojan2.NIBK Trojan.Startpage W32/Staqet.B Win32.TRCrypt.Fkm Win.Trojan.Staget-7 Trojan.Win32.Staget.bz Trojan.Staget!Y7ZdgRV9k0Q TrojanBanker.Banker.tx TrojanDownloader:Win32/Kotibu.A Trojan/Win32.VB W32/Trojan2.NIBK Trojan.Staget.bz Trojan.Startpage!rem Win32/VB.PBM Trojan.Kotibu!447E Trojan.Win32.Staget W32/VB.ABBL!tr.dldr Trj/StartPage.DAW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Staget.bz": [[26, 42], [265, 281]], "Indicator: W32/Trojan2.NIBK": [[43, 59], [248, 264]], "Indicator: Trojan.Startpage": [[60, 76]], "Indicator: W32/Staqet.B": [[77, 89]], "Indicator: Win32.TRCrypt.Fkm": [[90, 107]], "Indicator: Win.Trojan.Staget-7": [[108, 127]], "Indicator: Trojan.Win32.Staget.bz": [[128, 150]], "Indicator: Trojan.Staget!Y7ZdgRV9k0Q": [[151, 176]], "Indicator: TrojanBanker.Banker.tx": [[177, 199]], "Indicator: TrojanDownloader:Win32/Kotibu.A": [[200, 231]], "Indicator: Trojan/Win32.VB": [[232, 247]], "Indicator: Trojan.Startpage!rem": [[282, 302]], "Indicator: Win32/VB.PBM": [[303, 315]], "Indicator: Trojan.Kotibu!447E": [[316, 334]], "Indicator: Trojan.Win32.Staget": [[335, 354]], "Indicator: W32/VB.ABBL!tr.dldr": [[355, 374]], "Indicator: Trj/StartPage.DAW": [[375, 392]]}, "info": {"id": "cyner2_5class_train_06638", "source": "cyner2_5class_train"}} +{"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine .", "spans": {"System: Windows": [[95, 102]]}, "info": {"id": "cyner2_5class_train_06639", "source": "cyner2_5class_train"}} +{"text": "In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.", "spans": {}, "info": {"id": "cyner2_5class_train_06640", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.DownLoad1.dddutq TrojWare.Win32.Downloader.Delf.frgf Trojan.DownLoad1.22694 Downloader.Delf.Win32.47996 BehavesLike.Win32.Dropper.bm Trojan-Dropper.Delf TrojanDownloader:Win32/Parkchicers.C Trojan.Graftor.D35402", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.DownLoad1.dddutq": [[26, 55]], "Indicator: TrojWare.Win32.Downloader.Delf.frgf": [[56, 91]], "Indicator: Trojan.DownLoad1.22694": [[92, 114]], "Indicator: Downloader.Delf.Win32.47996": [[115, 142]], "Indicator: BehavesLike.Win32.Dropper.bm": [[143, 171]], "Indicator: Trojan-Dropper.Delf": [[172, 191]], "Indicator: TrojanDownloader:Win32/Parkchicers.C": [[192, 228]], "Indicator: Trojan.Graftor.D35402": [[229, 250]]}, "info": {"id": "cyner2_5class_train_06641", "source": "cyner2_5class_train"}} +{"text": "They are interested in users of remote banking systems RBS, mainly in Russia and neighbouring countries.", "spans": {"Malware: remote banking systems RBS,": [[32, 59]]}, "info": {"id": "cyner2_5class_train_06642", "source": "cyner2_5class_train"}} +{"text": "This blog post describes an attack campaign where NIC National Informatics Centre Cyber Security themed spear phishing email was used to possibly target Indian government organizations.", "spans": {"Organization: NIC National Informatics Centre Cyber Security": [[50, 96]], "Indicator: spear phishing email": [[104, 124]], "Organization: Indian government organizations.": [[153, 185]]}, "info": {"id": "cyner2_5class_train_06643", "source": "cyner2_5class_train"}} +{"text": "This is most probably how the application spreads .", "spans": {}, "info": {"id": "cyner2_5class_train_06644", "source": "cyner2_5class_train"}} +{"text": "Instead of the normal modus operandi phishing attacks or drive-by downloads that lead to automatic execution of ransomware, the attackers gained persistent access to the victim's network through vulnerability exploitation and spread their 
access to any connected systems that they could.", "spans": {"Indicator: normal modus operandi phishing attacks": [[15, 53]], "Indicator: drive-by downloads": [[57, 75]], "Malware: ransomware,": [[112, 123]], "Indicator: persistent access to the victim's network": [[145, 186]], "Vulnerability: vulnerability exploitation": [[195, 221]], "Vulnerability: connected systems": [[253, 270]]}, "info": {"id": "cyner2_5class_train_06645", "source": "cyner2_5class_train"}} +{"text": "The new one with the title \" Coralco Archimedes , '' and an older version with the title \" Wolf Intelligence : '' New panel Old panel The new panel name contains \" Coralco '' in its name .", "spans": {}, "info": {"id": "cyner2_5class_train_06646", "source": "cyner2_5class_train"}} +{"text": "null is not the only payload opening a shell on the phone .", "spans": {}, "info": {"id": "cyner2_5class_train_06647", "source": "cyner2_5class_train"}} +{"text": "Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data.", "spans": {"Malware: Duuzer": [[0, 6]], "Malware: threat": [[26, 32]], "Malware: remote access": [[54, 67]], "System: compromised computer,": [[75, 96]], "Indicator: downloads": [[97, 106]]}, "info": {"id": "cyner2_5class_train_06648", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.PePatch.Win32.12525 Win32.Trojan.WisdomEyes.16070401.9500.9959 TROJ_PINCAV.SME Trojan.Win32.Pincav.bbbvr Trojan.Packed.149 TROJ_PINCAV.SME BehavesLike.Win32.VirRansom.cc Worm/Kapucen.ce TrojanDropper:Win32/Bablo.B Worm/Win32.Drefir.R30526 Trojan.DR.Bablo!ESXrt1Se74g Trojan-Dropper.Win32.Bablo W32/Packcav.PLK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.PePatch.Win32.12525": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[55, 97]], "Indicator: TROJ_PINCAV.SME": [[98, 113], [158, 173]], "Indicator: Trojan.Win32.Pincav.bbbvr": [[114, 139]], "Indicator: 
Trojan.Packed.149": [[140, 157]], "Indicator: BehavesLike.Win32.VirRansom.cc": [[174, 204]], "Indicator: Worm/Kapucen.ce": [[205, 220]], "Indicator: TrojanDropper:Win32/Bablo.B": [[221, 248]], "Indicator: Worm/Win32.Drefir.R30526": [[249, 273]], "Indicator: Trojan.DR.Bablo!ESXrt1Se74g": [[274, 301]], "Indicator: Trojan-Dropper.Win32.Bablo": [[302, 328]], "Indicator: W32/Packcav.PLK!tr": [[329, 347]]}, "info": {"id": "cyner2_5class_train_06649", "source": "cyner2_5class_train"}} +{"text": "It is notable that NetWire was also used as a payload in that campaign.", "spans": {"Malware: NetWire": [[19, 26]], "Malware: payload": [[46, 53]]}, "info": {"id": "cyner2_5class_train_06650", "source": "cyner2_5class_train"}} +{"text": "If the user has provided the details of another card , then the following window is displayed : The application leaves the user with almost no option but to enter the correct card number , as it checks the entered number against the bank card details the cybercriminals received earlier .", "spans": {}, "info": {"id": "cyner2_5class_train_06651", "source": "cyner2_5class_train"}} +{"text": "CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware", "spans": {"Indicator: CVE-2017-0199": [[0, 13]], "Vulnerability: Zero Day": [[22, 30]], "Malware: FINSPY Espionage Malware": [[45, 69]], "Malware: LATENTBOT Cyber Crime Malware": [[74, 103]]}, "info": {"id": "cyner2_5class_train_06652", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.WinSecND.Trojan Trojan.Win32.Winsecsrv.h Trojan.Win32.Winsecsrv.ebicpl TrojWare.Win32.Winsecsrv.B Trojan.Win32.Winsecsrv Trojan.Winsecsrv.ll TR/Taranis.2428 Trojan/Win32.Winsecsrv.h Trojan:Win32/Winexert.C!bit Trojan.Winsecsrv.1 Trojan.Win32.Winsecsrv.h Trojan/Win32.Dynamer.R176993 Win32.Trojan.Winsecsrv.Wwoi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.WinSecND.Trojan": [[26, 51]], "Indicator: Trojan.Win32.Winsecsrv.h": 
[[52, 76], [265, 289]], "Indicator: Trojan.Win32.Winsecsrv.ebicpl": [[77, 106]], "Indicator: TrojWare.Win32.Winsecsrv.B": [[107, 133]], "Indicator: Trojan.Win32.Winsecsrv": [[134, 156]], "Indicator: Trojan.Winsecsrv.ll": [[157, 176]], "Indicator: TR/Taranis.2428": [[177, 192]], "Indicator: Trojan/Win32.Winsecsrv.h": [[193, 217]], "Indicator: Trojan:Win32/Winexert.C!bit": [[218, 245]], "Indicator: Trojan.Winsecsrv.1": [[246, 264]], "Indicator: Trojan/Win32.Dynamer.R176993": [[290, 318]], "Indicator: Win32.Trojan.Winsecsrv.Wwoi": [[319, 346]]}, "info": {"id": "cyner2_5class_train_06653", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D48EFA Trojan.DownLoader25.1955 W32/Trojan.HNMY-5442 TrojanSpy:MSIL/Hoetou.AC Trj/GdSda.A Win32/Trojan.efe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D48EFA": [[26, 47]], "Indicator: Trojan.DownLoader25.1955": [[48, 72]], "Indicator: W32/Trojan.HNMY-5442": [[73, 93]], "Indicator: TrojanSpy:MSIL/Hoetou.AC": [[94, 118]], "Indicator: Trj/GdSda.A": [[119, 130]], "Indicator: Win32/Trojan.efe": [[131, 147]]}, "info": {"id": "cyner2_5class_train_06654", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojWare.Win32.Hadoc.AS BehavesLike.Win32.Dropper.dh Trojan.Win32.Rimecud TrojanSpy.AutoHK.a Trojan:Win32/Hadoc.A Trojan/Win32.Asprox.R130565 TrojanSpy.AutoHK Win32/Spy.AHK.E Win32/Trojan.bc3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojWare.Win32.Hadoc.AS": [[26, 49]], "Indicator: BehavesLike.Win32.Dropper.dh": [[50, 78]], "Indicator: Trojan.Win32.Rimecud": [[79, 99]], "Indicator: TrojanSpy.AutoHK.a": [[100, 118]], "Indicator: Trojan:Win32/Hadoc.A": [[119, 139]], "Indicator: Trojan/Win32.Asprox.R130565": [[140, 167]], "Indicator: TrojanSpy.AutoHK": [[168, 184]], "Indicator: Win32/Spy.AHK.E": [[185, 200]], "Indicator: Win32/Trojan.bc3": [[201, 217]]}, "info": {"id": "cyner2_5class_train_06655", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: W32.FamVT.VBCloneAATTc.Worm Trojan.VBClone.S500460 Trojan/VBClone.b Win32.Adware.Kryptik.h Trojan.Dropper Trojan.Win32.VB.cuvt Trojan.Win32.VB.dwthyt TrojWare.Win32.VBClone.CUV Trojan.VbCrypt.250 BehavesLike.Win32.VBObfus.qz Trojan.Crypt Trojan/VB.czdk Trojan/Win32.VB.cuvt Troj.W32.VB.tnqI Trojan.Win32.VB.cuvt TScope.Trojan.VB Win32/VBClone.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.VBCloneAATTc.Worm": [[26, 53]], "Indicator: Trojan.VBClone.S500460": [[54, 76]], "Indicator: Trojan/VBClone.b": [[77, 93]], "Indicator: Win32.Adware.Kryptik.h": [[94, 116]], "Indicator: Trojan.Dropper": [[117, 131]], "Indicator: Trojan.Win32.VB.cuvt": [[132, 152], [317, 337]], "Indicator: Trojan.Win32.VB.dwthyt": [[153, 175]], "Indicator: TrojWare.Win32.VBClone.CUV": [[176, 202]], "Indicator: Trojan.VbCrypt.250": [[203, 221]], "Indicator: BehavesLike.Win32.VBObfus.qz": [[222, 250]], "Indicator: Trojan.Crypt": [[251, 263]], "Indicator: Trojan/VB.czdk": [[264, 278]], "Indicator: Trojan/Win32.VB.cuvt": [[279, 299]], "Indicator: Troj.W32.VB.tnqI": [[300, 316]], "Indicator: TScope.Trojan.VB": [[338, 354]], "Indicator: Win32/VBClone.B": [[355, 370]]}, "info": {"id": "cyner2_5class_train_06656", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Small.15973 Win32.Trojan.WisdomEyes.16070401.9500.9775 Trojan.Dropper TROJ_MICROJOIN.W Trojan.Win32.Small.dpzper TrojWare.Win32.TrojanProxy.Puma.jsjk Trojan.Celln TROJ_MICROJOIN.W Trojan-Proxy.Win32.Puma Trojan:Win32/Ditul.B Trojan.Heur.RP.ciWfayCj9ogb Trojan/Win32.Xema.C32762", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Small.15973": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9775": [[45, 87]], "Indicator: Trojan.Dropper": [[88, 102]], "Indicator: TROJ_MICROJOIN.W": [[103, 119], [196, 212]], "Indicator: Trojan.Win32.Small.dpzper": [[120, 145]], "Indicator: TrojWare.Win32.TrojanProxy.Puma.jsjk": [[146, 182]], "Indicator: Trojan.Celln": 
[[183, 195]], "Indicator: Trojan-Proxy.Win32.Puma": [[213, 236]], "Indicator: Trojan:Win32/Ditul.B": [[237, 257]], "Indicator: Trojan.Heur.RP.ciWfayCj9ogb": [[258, 285]], "Indicator: Trojan/Win32.Xema.C32762": [[286, 310]]}, "info": {"id": "cyner2_5class_train_06657", "source": "cyner2_5class_train"}} +{"text": "This family showcases the amount of resources that malware authors now have to expend .", "spans": {}, "info": {"id": "cyner2_5class_train_06658", "source": "cyner2_5class_train"}} +{"text": "When users try to close the ads , the new functionality causes already downloaded apps to run in a virtual machine .", "spans": {}, "info": {"id": "cyner2_5class_train_06659", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Iterign.B3 Trojan.Win32.FAUL.exlexh Packed:MSIL/SmartIL.A BehavesLike.Win32.Trojan.dc TR/Dropper.MSIL.hxupg Trojan.Razy.D1E910 TrojanDownloader:MSIL/Iterign.B Trojan/Win32.ZBot.R139607 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Iterign.B3": [[26, 53]], "Indicator: Trojan.Win32.FAUL.exlexh": [[54, 78]], "Indicator: Packed:MSIL/SmartIL.A": [[79, 100]], "Indicator: BehavesLike.Win32.Trojan.dc": [[101, 128]], "Indicator: TR/Dropper.MSIL.hxupg": [[129, 150]], "Indicator: Trojan.Razy.D1E910": [[151, 169]], "Indicator: TrojanDownloader:MSIL/Iterign.B": [[170, 201]], "Indicator: Trojan/Win32.ZBot.R139607": [[202, 227]], "Indicator: Trj/GdSda.A": [[228, 239]]}, "info": {"id": "cyner2_5class_train_06660", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Disabler!O WORM_DISABLER.SM Win32.Trojan.WisdomEyes.16070401.9500.9981 W32.Glupzy.A WORM_DISABLER.SM Win.Trojan.Disabler-3 Trojan.Win32.Disabler.i Trojan.Win32.Disabler.beace TrojWare.Win32.Disabler.~A Trojan.Flashy BehavesLike.Win32.Downloader.qz Trojan/Win32.Disabler Troj.W32.Disabler.tnvR Trojan.Win32.Disabler.i Worm/Win32.IRCBot.R53504 Trojan.Disabler Win32/Disabler.I Trj/Flashy.B", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Disabler!O": [[26, 49]], "Indicator: WORM_DISABLER.SM": [[50, 66], [123, 139]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9981": [[67, 109]], "Indicator: W32.Glupzy.A": [[110, 122]], "Indicator: Win.Trojan.Disabler-3": [[140, 161]], "Indicator: Trojan.Win32.Disabler.i": [[162, 185], [332, 355]], "Indicator: Trojan.Win32.Disabler.beace": [[186, 213]], "Indicator: TrojWare.Win32.Disabler.~A": [[214, 240]], "Indicator: Trojan.Flashy": [[241, 254]], "Indicator: BehavesLike.Win32.Downloader.qz": [[255, 286]], "Indicator: Trojan/Win32.Disabler": [[287, 308]], "Indicator: Troj.W32.Disabler.tnvR": [[309, 331]], "Indicator: Worm/Win32.IRCBot.R53504": [[356, 380]], "Indicator: Trojan.Disabler": [[381, 396]], "Indicator: Win32/Disabler.I": [[397, 413]], "Indicator: Trj/Flashy.B": [[414, 426]]}, "info": {"id": "cyner2_5class_train_06661", "source": "cyner2_5class_train"}} +{"text": "In order to support network defenders,Fidelis Cybersecurity is offering a new, free data feed of verified indicators to support thedetection and mitigation of Pushdo.", "spans": {"Organization: defenders,Fidelis Cybersecurity": [[28, 59]], "Malware: Pushdo.": [[159, 166]]}, "info": {"id": "cyner2_5class_train_06662", "source": "cyner2_5class_train"}} +{"text": "The sample discussed was found during an incident response engagement in March 2017.", "spans": {}, "info": {"id": "cyner2_5class_train_06663", "source": "cyner2_5class_train"}} +{"text": "At some point in his Google Play “ career ” , he apparently decided to increase his ad revenue by implementing adware functionality in his apps ’ code .", "spans": {"System: Google Play": [[21, 32]]}, "info": {"id": "cyner2_5class_train_06664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Lowzones.A6 Trojan.Zzinfor.1 Trojan.Win32.Dwn.dndeiz TrojWare.Win32.Zzinfor.KQ Trojan.DownLoader12.14740 Trojan.Win32.Spy Adware.Zzinfor/Variant 
Dropper/Win32.Injector.C189960", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Lowzones.A6": [[26, 44]], "Indicator: Trojan.Zzinfor.1": [[45, 61]], "Indicator: Trojan.Win32.Dwn.dndeiz": [[62, 85]], "Indicator: TrojWare.Win32.Zzinfor.KQ": [[86, 111]], "Indicator: Trojan.DownLoader12.14740": [[112, 137]], "Indicator: Trojan.Win32.Spy": [[138, 154]], "Indicator: Adware.Zzinfor/Variant": [[155, 177]], "Indicator: Dropper/Win32.Injector.C189960": [[178, 208]]}, "info": {"id": "cyner2_5class_train_06665", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.ZER Troj.Pws.Zer!c Trojan.PWS.ZER Win32.Trojan.WisdomEyes.16070401.9500.9954 Trojan.Bitterbug Trojan.PWS.ZER Trojan.PWS.ZER Trojan.PWS.ZER BehavesLike.Win32.Dropper.ch TR/PSW.ZER Backdoor:Win32/Saluchtra.B!dha Spyware.Infostealer.FakeMS Win32.Trojan.Psw.Liqs Trojan.Bitterbug! Trojan.Win32.Bitterbug Trojan.PWS.ZER", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.ZER": [[26, 40], [56, 70], [131, 145], [146, 160], [161, 175], [337, 351]], "Indicator: Troj.Pws.Zer!c": [[41, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9954": [[71, 113]], "Indicator: Trojan.Bitterbug": [[114, 130]], "Indicator: BehavesLike.Win32.Dropper.ch": [[176, 204]], "Indicator: TR/PSW.ZER": [[205, 215]], "Indicator: Backdoor:Win32/Saluchtra.B!dha": [[216, 246]], "Indicator: Spyware.Infostealer.FakeMS": [[247, 273]], "Indicator: Win32.Trojan.Psw.Liqs": [[274, 295]], "Indicator: Trojan.Bitterbug!": [[296, 313]], "Indicator: Trojan.Win32.Bitterbug": [[314, 336]]}, "info": {"id": "cyner2_5class_train_06666", "source": "cyner2_5class_train"}} +{"text": "One would think that this would result in widespread use, but instead it has only been found in limited areas.", "spans": {}, "info": {"id": "cyner2_5class_train_06667", "source": "cyner2_5class_train"}} +{"text": "We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android 
implants .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner2_5class_train_06668", "source": "cyner2_5class_train"}} +{"text": "This malvertising attack preyed on visitors to sketchy websites offering anything from torrents of copyrighted movies, live streams of the latest flicks, or pirated software.", "spans": {"Indicator: malvertising attack": [[5, 24]], "Indicator: sketchy websites": [[47, 63]], "Indicator: torrents": [[87, 95]], "Indicator: copyrighted movies, live streams": [[99, 131]], "Indicator: latest flicks,": [[139, 153]], "Indicator: pirated software.": [[157, 174]]}, "info": {"id": "cyner2_5class_train_06669", "source": "cyner2_5class_train"}} +{"text": "Very active, we can now see ~ 50k live scanner IPs daily.", "spans": {"Indicator: 50k live scanner IPs daily.": [[30, 57]]}, "info": {"id": "cyner2_5class_train_06670", "source": "cyner2_5class_train"}} +{"text": "Android ransomware that claims it has detected forbidden pornographic pictures on your device, says it has reported it to the FBI and asks you to pay a fine of $500.", "spans": {"Malware: Android ransomware": [[0, 18]], "Indicator: forbidden pornographic pictures on your device,": [[47, 94]], "Organization: FBI": [[126, 129]], "Indicator: pay a fine of $500.": [[146, 165]]}, "info": {"id": "cyner2_5class_train_06671", "source": "cyner2_5class_train"}} +{"text": "So if you have Android 4.4.4 or some more recent version of this OS on your device , your chances of getting infected with Triada are significantly lower .", "spans": {"System: Android 4.4.4": [[15, 28]], "Malware: Triada": [[123, 129]]}, "info": {"id": "cyner2_5class_train_06672", "source": "cyner2_5class_train"}} +{"text": "A Russian security firm 'Doctor Web ' identified the first mass distributed Android bootkit malware called 'Android.Oldboot ' , a piece of malware that 's designed to re-infect devices after reboot , even if you delete all working components of it .", "spans": {"Organization: Web": [[32, 35]], 
"System: Android": [[76, 83]]}, "info": {"id": "cyner2_5class_train_06673", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.Gepys.A Trojan.Kryptik.Win32.524542 Trojan/Kryptik.banx Win32.Trojan.Kryptik.eg Trojan.Win32.Redirect.ctxvfh TrojWare.Win32.Kryptik.BANN Trojan.Redirect.147 Trojan/ShipUp.km Trojan/Win32.Unknown Trojan:Win32/Gepys.A Trojan.Zusy.D404B9 Trojan/Win32.Shipup.R65212 Trojan-Downloader.Win32.Dofoil", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Gepys.A": [[26, 47]], "Indicator: Trojan.Kryptik.Win32.524542": [[48, 75]], "Indicator: Trojan/Kryptik.banx": [[76, 95]], "Indicator: Win32.Trojan.Kryptik.eg": [[96, 119]], "Indicator: Trojan.Win32.Redirect.ctxvfh": [[120, 148]], "Indicator: TrojWare.Win32.Kryptik.BANN": [[149, 176]], "Indicator: Trojan.Redirect.147": [[177, 196]], "Indicator: Trojan/ShipUp.km": [[197, 213]], "Indicator: Trojan/Win32.Unknown": [[214, 234]], "Indicator: Trojan:Win32/Gepys.A": [[235, 255]], "Indicator: Trojan.Zusy.D404B9": [[256, 274]], "Indicator: Trojan/Win32.Shipup.R65212": [[275, 301]], "Indicator: Trojan-Downloader.Win32.Dofoil": [[302, 332]]}, "info": {"id": "cyner2_5class_train_06674", "source": "cyner2_5class_train"}} +{"text": "These threat actors appear to be choosing the right apps – those that could be popular with locals in the region , at the right time – while tensions grow in this region of China , to ensure a good victim install-base .", "spans": {}, "info": {"id": "cyner2_5class_train_06675", "source": "cyner2_5class_train"}} +{"text": "However , the trojan replaces the '= ' by 'AAAZZZXXX ' , the '+ ' by '| ' and the '/ ' by ' .", "spans": {}, "info": {"id": "cyner2_5class_train_06676", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.BCC5 W32.Virut.G Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Foreign-502 Trojan.DownLoader11.60294 BehavesLike.Win32.Sality.cc Win32.Virut.eb.368640 Trojan/Win32.Foreign.R131573 
Trojan-Ransom.Win32.Foreign", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.BCC5": [[26, 42]], "Indicator: W32.Virut.G": [[43, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[55, 97]], "Indicator: Win.Trojan.Foreign-502": [[98, 120]], "Indicator: Trojan.DownLoader11.60294": [[121, 146]], "Indicator: BehavesLike.Win32.Sality.cc": [[147, 174]], "Indicator: Win32.Virut.eb.368640": [[175, 196]], "Indicator: Trojan/Win32.Foreign.R131573": [[197, 225]], "Indicator: Trojan-Ransom.Win32.Foreign": [[226, 253]]}, "info": {"id": "cyner2_5class_train_06677", "source": "cyner2_5class_train"}} +{"text": "The package name ( vyn.hhsdzgvoexobmkygffzwuewrbikzud ) and its many activities and services have randomized names , probably to make it a bit more difficult to detect the package using blacklisting .", "spans": {"Indicator: vyn.hhsdzgvoexobmkygffzwuewrbikzud": [[19, 53]]}, "info": {"id": "cyner2_5class_train_06678", "source": "cyner2_5class_train"}} +{"text": "From the server , the Trojan receives commands ( for example , to send SMS ) and changes in the configuration .", "spans": {}, "info": {"id": "cyner2_5class_train_06679", "source": "cyner2_5class_train"}} +{"text": "Moreover , we retrieved his University ID ; a quick googling showed some of his exam grades .", "spans": {}, "info": {"id": "cyner2_5class_train_06680", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Strictor.D2148 Win32.Trojan.WisdomEyes.16070401.9500.9567 Trojan-Downloader.Win32.Perkesh HackTool[VirTool]/Win32.Unknown", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Strictor.D2148": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9567": [[48, 90]], "Indicator: Trojan-Downloader.Win32.Perkesh": [[91, 122]], "Indicator: HackTool[VirTool]/Win32.Unknown": [[123, 154]]}, "info": {"id": "cyner2_5class_train_06681", "source": "cyner2_5class_train"}} +{"text": "Check Point Research reported these dangerous apps to Google 
upon discovery .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[54, 60]]}, "info": {"id": "cyner2_5class_train_06682", "source": "cyner2_5class_train"}} +{"text": "CYBEREASON MOBILE Cybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user .", "spans": {"System: CYBEREASON MOBILE": [[0, 17]], "System: Cybereason Mobile detects": [[18, 43]], "Malware: EventBot": [[44, 52]]}, "info": {"id": "cyner2_5class_train_06683", "source": "cyner2_5class_train"}} +{"text": "The banking app test : the credentials as entered ( left ) and as available in the database ( right ) Second , we wrote a test message in an email client .", "spans": {}, "info": {"id": "cyner2_5class_train_06684", "source": "cyner2_5class_train"}} +{"text": "The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware.", "spans": {"Malware: The exploit": [[0, 11]], "Indicator: a Microsoft Office document": [[34, 61]], "Malware: payload": [[76, 83]], "Malware: FinSpy malware.": [[110, 125]]}, "info": {"id": "cyner2_5class_train_06685", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DomytnxASAAAC.Trojan Trojan.Locky.Win32.658 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.KGRA-2902 Ransom_HPLOCKY.SM4 Trojan-Ransom.Win32.Locky.aoc Trojan.Win32.Encoder.eemdlz Trojan.Win32.Locky.288947 Troj.Ransom.W32.Locky!c Trojan.Encoder.3976 Ransom_HPLOCKY.SM4 BehavesLike.Win32.MultiPlug.cc Trojan.Locky.aqx Trojan[Ransom]/Win32.Locky Trojan.Mikey.DC99C Trojan-Ransom.Win32.Locky.aoc TrojanDownloader:Win32/Terdot.A Trojan/Win32.Locky.C1503881 Trojan-Ransom.Locky Trj/CI.A W32/Bebloh.K!tr Win32/Trojan.Ransom.2d2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DomytnxASAAAC.Trojan": [[26, 50]], "Indicator: Trojan.Locky.Win32.658": [[51, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[74, 116]], "Indicator: W32/Trojan.KGRA-2902": 
[[117, 137]], "Indicator: Ransom_HPLOCKY.SM4": [[138, 156], [285, 303]], "Indicator: Trojan-Ransom.Win32.Locky.aoc": [[157, 186], [398, 427]], "Indicator: Trojan.Win32.Encoder.eemdlz": [[187, 214]], "Indicator: Trojan.Win32.Locky.288947": [[215, 240]], "Indicator: Troj.Ransom.W32.Locky!c": [[241, 264]], "Indicator: Trojan.Encoder.3976": [[265, 284]], "Indicator: BehavesLike.Win32.MultiPlug.cc": [[304, 334]], "Indicator: Trojan.Locky.aqx": [[335, 351]], "Indicator: Trojan[Ransom]/Win32.Locky": [[352, 378]], "Indicator: Trojan.Mikey.DC99C": [[379, 397]], "Indicator: TrojanDownloader:Win32/Terdot.A": [[428, 459]], "Indicator: Trojan/Win32.Locky.C1503881": [[460, 487]], "Indicator: Trojan-Ransom.Locky": [[488, 507]], "Indicator: Trj/CI.A": [[508, 516]], "Indicator: W32/Bebloh.K!tr": [[517, 532]], "Indicator: Win32/Trojan.Ransom.2d2": [[533, 556]]}, "info": {"id": "cyner2_5class_train_06686", "source": "cyner2_5class_train"}} +{"text": "MalwareBytes have been monitoring a malvertising campaign very closely as it really soared during the past week.", "spans": {"Organization: MalwareBytes": [[0, 12]]}, "info": {"id": "cyner2_5class_train_06687", "source": "cyner2_5class_train"}} +{"text": "With this information, an attacker can access a user's Google account data like Google Play, Google Photos, Gmail, Google Drive, and G Suite.", "spans": {"Indicator: can access": [[35, 45]], "System: Google account data": [[55, 74]], "System: Google Play, Google Photos, Gmail, Google Drive,": [[80, 128]], "System: G Suite.": [[133, 141]]}, "info": {"id": "cyner2_5class_train_06688", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VBA/PowerShell.A Win.Trojan.PowerShell-8 Trojan.Ole2.Vbs-heuristic.druvzi TrojanDownloader:O97M/Poseket.A HEUR.VBA.Trojan.e heur.macro.powershell.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VBA/PowerShell.A": [[26, 42]], "Indicator: Win.Trojan.PowerShell-8": [[43, 66]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[67, 
99]], "Indicator: TrojanDownloader:O97M/Poseket.A": [[100, 131]], "Indicator: HEUR.VBA.Trojan.e": [[132, 149]], "Indicator: heur.macro.powershell.a": [[150, 173]]}, "info": {"id": "cyner2_5class_train_06689", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TR/Spammer.Z Trojan.Win32.Spammer.BZ Trojan.SpamTool SpamTool.KEM Trj/CI.A Win32/Trojan.Spammer.4de", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/Spammer.Z": [[26, 38]], "Indicator: Trojan.Win32.Spammer.BZ": [[39, 62]], "Indicator: Trojan.SpamTool": [[63, 78]], "Indicator: SpamTool.KEM": [[79, 91]], "Indicator: Trj/CI.A": [[92, 100]], "Indicator: Win32/Trojan.Spammer.4de": [[101, 125]]}, "info": {"id": "cyner2_5class_train_06690", "source": "cyner2_5class_train"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06691", "source": "cyner2_5class_train"}} +{"text": "The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs.", "spans": {"Organization: The Executive Yuan Council": [[0, 26]]}, "info": {"id": "cyner2_5class_train_06692", "source": "cyner2_5class_train"}} +{"text": "Network activity BrainTest communicates with five servers : APK files provider ( http : //psserviceonline [ .", "spans": {"Indicator: http : //psserviceonline [ .": [[81, 109]]}, "info": {"id": "cyner2_5class_train_06693", "source": "cyner2_5class_train"}} +{"text": "Recently, we've seen information indicating that the scope of targets can be wider and is no longer limited to the entertainment business.", "spans": {}, "info": {"id": "cyner2_5class_train_06694", "source": "cyner2_5class_train"}} +{"text": "This blog will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East.", "spans": {}, "info": {"id": "cyner2_5class_train_06695", "source": "cyner2_5class_train"}} +{"text": "The Trojan also registered 
in Google Cloud Messaging ( GCM ) , meaning it could then receive commands via that service .", "spans": {"System: Google Cloud Messaging ( GCM )": [[30, 60]]}, "info": {"id": "cyner2_5class_train_06696", "source": "cyner2_5class_train"}} +{"text": "After the VM code has checked again the user environment , it proceeds to extract and execute the final un-obfuscated payload sample directly into winlogon.exe ( alternatively , into explorer.exe ) process .", "spans": {"Indicator: winlogon.exe": [[147, 159]], "Indicator: explorer.exe": [[183, 195]]}, "info": {"id": "cyner2_5class_train_06697", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Inject!QFG7kQRUHDk Trojan.VBInject!4947 Malware_fam.NB Skodna.GameHack.CXD Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Inject!QFG7kQRUHDk": [[26, 53]], "Indicator: Trojan.VBInject!4947": [[54, 74]], "Indicator: Malware_fam.NB": [[75, 89]], "Indicator: Skodna.GameHack.CXD": [[90, 109]], "Indicator: Trj/CI.A": [[110, 118]]}, "info": {"id": "cyner2_5class_train_06698", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FOverND.PE Virus.Win32.Sality!O W32.Sivis.A3 Backdoor.Poison.Win32.87654 Trojan/Kryptik.gace W32.Suviapen Packed.Win32.Krap.jc Trojan.Win32.Kespo.evacni Win32.HLLP.Kespo.4 BehavesLike.Win32.Trojan.vh Packed.Krap.fzmh Trojan[Packed]/Win32.Krap Packed.Win32.Krap.jc Trojan-Ransom.Rokku RAT.Sakula", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FOverND.PE": [[26, 40]], "Indicator: Virus.Win32.Sality!O": [[41, 61]], "Indicator: W32.Sivis.A3": [[62, 74]], "Indicator: Backdoor.Poison.Win32.87654": [[75, 102]], "Indicator: Trojan/Kryptik.gace": [[103, 122]], "Indicator: W32.Suviapen": [[123, 135]], "Indicator: Packed.Win32.Krap.jc": [[136, 156], [273, 293]], "Indicator: Trojan.Win32.Kespo.evacni": [[157, 182]], "Indicator: Win32.HLLP.Kespo.4": [[183, 201]], "Indicator: BehavesLike.Win32.Trojan.vh": [[202, 229]], "Indicator: 
Packed.Krap.fzmh": [[230, 246]], "Indicator: Trojan[Packed]/Win32.Krap": [[247, 272]], "Indicator: Trojan-Ransom.Rokku": [[294, 313]], "Indicator: RAT.Sakula": [[314, 324]]}, "info": {"id": "cyner2_5class_train_06699", "source": "cyner2_5class_train"}} +{"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat .", "spans": {"System: Next-Generation Firewall": [[36, 60]], "System: Next-Generation Intrusion Prevention System": [[72, 115]], "System: Meraki MX": [[132, 141]]}, "info": {"id": "cyner2_5class_train_06700", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Arande.A3 Win32.Worm.VB.nr Trojan.Win32.VB.dibs Win32.Trojan.Vb.Wnwj Trojan.VB.Win32.116507 Trojan/VB.cujo W32.Heuristic.Dkvt TR/Taranis.2367 Trojan.Heur.E914A2 Trojan.Win32.VB.dibs Trojan/Win32.VBKrypt.C956342 Trojan.VB!SXP1KraqrZw Trojan.VB2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Arande.A3": [[26, 42]], "Indicator: Win32.Worm.VB.nr": [[43, 59]], "Indicator: Trojan.Win32.VB.dibs": [[60, 80], [194, 214]], "Indicator: Win32.Trojan.Vb.Wnwj": [[81, 101]], "Indicator: Trojan.VB.Win32.116507": [[102, 124]], "Indicator: Trojan/VB.cujo": [[125, 139]], "Indicator: W32.Heuristic.Dkvt": [[140, 158]], "Indicator: TR/Taranis.2367": [[159, 174]], "Indicator: Trojan.Heur.E914A2": [[175, 193]], "Indicator: Trojan/Win32.VBKrypt.C956342": [[215, 243]], "Indicator: Trojan.VB!SXP1KraqrZw": [[244, 265]], "Indicator: Trojan.VB2": [[266, 276]]}, "info": {"id": "cyner2_5class_train_06701", "source": "cyner2_5class_train"}} +{"text": "] cc/TiktokPro .", "spans": {}, "info": {"id": "cyner2_5class_train_06702", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Trupto TROJ_INJECTR.BUSZ Trojan.Win32.Buzus.yhkt Trojan.Win32.Buzus.ewiofb TROJ_INJECTR.BUSZ Trojan.Win32.Crypt W32/Trojan.ALBD-0280 
Trojan.Buzus.cni Trojan:Win32/Trupto.A Trojan.Win32.Buzus.yhkt Trj/CI.A Win32.Trojan.Inject.Auto", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Trupto": [[26, 39]], "Indicator: TROJ_INJECTR.BUSZ": [[40, 57], [108, 125]], "Indicator: Trojan.Win32.Buzus.yhkt": [[58, 81], [205, 228]], "Indicator: Trojan.Win32.Buzus.ewiofb": [[82, 107]], "Indicator: Trojan.Win32.Crypt": [[126, 144]], "Indicator: W32/Trojan.ALBD-0280": [[145, 165]], "Indicator: Trojan.Buzus.cni": [[166, 182]], "Indicator: Trojan:Win32/Trupto.A": [[183, 204]], "Indicator: Trj/CI.A": [[229, 237]], "Indicator: Win32.Trojan.Inject.Auto": [[238, 262]]}, "info": {"id": "cyner2_5class_train_06703", "source": "cyner2_5class_train"}} +{"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring .", "spans": {}, "info": {"id": "cyner2_5class_train_06704", "source": "cyner2_5class_train"}} +{"text": "One chunk contains the entire malware DLL code ( without PE headers ) .", "spans": {}, "info": {"id": "cyner2_5class_train_06705", "source": "cyner2_5class_train"}} +{"text": "To distribute the Trojan, cybercriminals log in to the vulnerable devices via the SSH protocol.", "spans": {"Malware: Trojan,": [[18, 25]], "System: vulnerable devices": [[55, 73]], "Indicator: SSH protocol.": [[82, 95]]}, "info": {"id": "cyner2_5class_train_06706", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers originally spotted the MarsJoke ransomware in late August by trawling through our repository of unknown malware.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: MarsJoke ransomware": [[46, 65]], "Malware: unknown malware.": [[119, 135]]}, "info": {"id": "cyner2_5class_train_06707", "source": "cyner2_5class_train"}} +{"text": "] cendata [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06708", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.ReplaceMiKsLT.Fam.RSF Trojan-PWS/W32.Frethoq.34461.C 
Trojan-GameThief.Win32.Frethoq!O TrojanPWS.Lolyda.BF5 Troj.GameThief.W32.OnLineGames.lnFT Trojan/OnLineGames.qbf TROJ_RVERSE.SMI Win32.Trojan-PSW.OLGames.i TROJ_RVERSE.SMI Win32.Trojan-Spy.Lolyda.A Trojan-GameThief.Win32.OnLineGames.ajqgf Trojan.Win32.Gamania.thvvt Trojan.Win32.A.Zbot.34461 Trojan.PWS.Gamania.36445 BehavesLike.Win32.PWSOnlineGames.nh TR/PSW.Lolyda.bfmna Trojan[GameThief]/Win32.Frethoq PWS:Win32/Lolyda.BF Trojan-GameThief.Win32.OnLineGames.ajqgf Trojan/Win32.OnlineGameHack.R21894 BScope.Trojan.OLGames.4521 Trojan.Zusy.DBE3 Win32/PSW.OnLineGames.QBF Trojan.PSW.Win32.GamePass.a Trojan.PWS.OnLineGames!V9usvrFPqu0 Trojan-PWS.Win32.Lolyda W32/OnLineGames.REV!tr Trojan.PSW.Win32.GameOnline.CO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ReplaceMiKsLT.Fam.RSF": [[26, 51]], "Indicator: Trojan-PWS/W32.Frethoq.34461.C": [[52, 82]], "Indicator: Trojan-GameThief.Win32.Frethoq!O": [[83, 115]], "Indicator: TrojanPWS.Lolyda.BF5": [[116, 136]], "Indicator: Troj.GameThief.W32.OnLineGames.lnFT": [[137, 172]], "Indicator: Trojan/OnLineGames.qbf": [[173, 195]], "Indicator: TROJ_RVERSE.SMI": [[196, 211], [239, 254]], "Indicator: Win32.Trojan-PSW.OLGames.i": [[212, 238]], "Indicator: Win32.Trojan-Spy.Lolyda.A": [[255, 280]], "Indicator: Trojan-GameThief.Win32.OnLineGames.ajqgf": [[281, 321], [508, 548]], "Indicator: Trojan.Win32.Gamania.thvvt": [[322, 348]], "Indicator: Trojan.Win32.A.Zbot.34461": [[349, 374]], "Indicator: Trojan.PWS.Gamania.36445": [[375, 399]], "Indicator: BehavesLike.Win32.PWSOnlineGames.nh": [[400, 435]], "Indicator: TR/PSW.Lolyda.bfmna": [[436, 455]], "Indicator: Trojan[GameThief]/Win32.Frethoq": [[456, 487]], "Indicator: PWS:Win32/Lolyda.BF": [[488, 507]], "Indicator: Trojan/Win32.OnlineGameHack.R21894": [[549, 583]], "Indicator: BScope.Trojan.OLGames.4521": [[584, 610]], "Indicator: Trojan.Zusy.DBE3": [[611, 627]], "Indicator: Win32/PSW.OnLineGames.QBF": [[628, 653]], "Indicator: Trojan.PSW.Win32.GamePass.a": [[654, 681]], 
"Indicator: Trojan.PWS.OnLineGames!V9usvrFPqu0": [[682, 716]], "Indicator: Trojan-PWS.Win32.Lolyda": [[717, 740]], "Indicator: W32/OnLineGames.REV!tr": [[741, 763]], "Indicator: Trojan.PSW.Win32.GameOnline.CO": [[764, 794]]}, "info": {"id": "cyner2_5class_train_06709", "source": "cyner2_5class_train"}} +{"text": "The msvcr90.dll file is opened , read , and decrypted , and the code execution control is transferred to the RunDll exported routine .", "spans": {"Indicator: msvcr90.dll file": [[4, 20]]}, "info": {"id": "cyner2_5class_train_06710", "source": "cyner2_5class_train"}} +{"text": "The group is known to use custom malware called Daserf, but also employs multiple commodity and custom tools, exploit vulnerabilities, and use social engineering techniques.", "spans": {"Malware: custom malware": [[26, 40]], "Malware: Daserf,": [[48, 55]], "Malware: custom tools, exploit": [[96, 117]], "Vulnerability: vulnerabilities,": [[118, 134]]}, "info": {"id": "cyner2_5class_train_06711", "source": "cyner2_5class_train"}} +{"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern .", "spans": {}, "info": {"id": "cyner2_5class_train_06712", "source": "cyner2_5class_train"}} +{"text": "] com/ hxxp : //files.spamo [ .", "spans": {"Indicator: hxxp : //files.spamo [ .": [[7, 31]]}, "info": {"id": "cyner2_5class_train_06713", "source": "cyner2_5class_train"}} +{"text": "Its targets include the military organizations and governments of countries with national interests in the South China Sea, including some within the U.S. 
defense industrial base.", "spans": {"Organization: military organizations": [[24, 46]], "Organization: governments of countries": [[51, 75]]}, "info": {"id": "cyner2_5class_train_06714", "source": "cyner2_5class_train"}} +{"text": "It may be that these submissions are made from the author ’ s machine , or that they submit it to a detection service that in turn submits to online malware databases .", "spans": {}, "info": {"id": "cyner2_5class_train_06715", "source": "cyner2_5class_train"}} +{"text": "Once a matching intent is triggered , the respective Receiver code will be executed , leading to other HenBox behaviors being launched , which are described later .", "spans": {}, "info": {"id": "cyner2_5class_train_06716", "source": "cyner2_5class_train"}} +{"text": "Another important modification is in the message transfer process : With this modification , an application sends device location coordinates with every message .", "spans": {}, "info": {"id": "cyner2_5class_train_06717", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Noancooe MSIL.Backdoor.Bladabindi.AM TR/Nanocore.dfari Trojan:MSIL/Noancooe.D!bit Trj/CI.A Worm.Win32.Ainslot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Noancooe": [[26, 41]], "Indicator: MSIL.Backdoor.Bladabindi.AM": [[42, 69]], "Indicator: TR/Nanocore.dfari": [[70, 87]], "Indicator: Trojan:MSIL/Noancooe.D!bit": [[88, 114]], "Indicator: Trj/CI.A": [[115, 123]], "Indicator: Worm.Win32.Ainslot": [[124, 142]]}, "info": {"id": "cyner2_5class_train_06718", "source": "cyner2_5class_train"}} +{"text": "FakeSpy package permissions .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_06719", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Sasfis.4023296 Trojan/Sasfis.bnyn Trojan.Strictor.DEB1C Win32.Trojan.WisdomEyes.16070401.9500.9554 Backdoor.Graybird Win.Trojan.Yobdam-4 Trojan-Dropper.Win32.Dapato.bwsw Trojan.Win32.Sasfis.diovf 
Trojan.MulDrop2.58470 Backdoor.Yobdam.Win32.845 BehavesLike.Win32.BadFile.wc Trojan/Buzus.awfr Trojan/Win32.Sasfis Trojan-Dropper.Win32.Dapato.bwsw Trojan/Win32.Injector.C1773 SScope.Trojan.MBRLock.2121 Trojan.Sasfis!aSW+l8me7nU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Sasfis.4023296": [[26, 51]], "Indicator: Trojan/Sasfis.bnyn": [[52, 70]], "Indicator: Trojan.Strictor.DEB1C": [[71, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9554": [[93, 135]], "Indicator: Backdoor.Graybird": [[136, 153]], "Indicator: Win.Trojan.Yobdam-4": [[154, 173]], "Indicator: Trojan-Dropper.Win32.Dapato.bwsw": [[174, 206], [348, 380]], "Indicator: Trojan.Win32.Sasfis.diovf": [[207, 232]], "Indicator: Trojan.MulDrop2.58470": [[233, 254]], "Indicator: Backdoor.Yobdam.Win32.845": [[255, 280]], "Indicator: BehavesLike.Win32.BadFile.wc": [[281, 309]], "Indicator: Trojan/Buzus.awfr": [[310, 327]], "Indicator: Trojan/Win32.Sasfis": [[328, 347]], "Indicator: Trojan/Win32.Injector.C1773": [[381, 408]], "Indicator: SScope.Trojan.MBRLock.2121": [[409, 435]], "Indicator: Trojan.Sasfis!aSW+l8me7nU": [[436, 461]]}, "info": {"id": "cyner2_5class_train_06720", "source": "cyner2_5class_train"}} +{"text": "YOUR FILES WERE ENCRYPTED.", "spans": {"Indicator: YOUR FILES WERE ENCRYPTED.": [[0, 26]]}, "info": {"id": "cyner2_5class_train_06721", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Infostealer.Lineage Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Nilage.XS Infostealer.Lineage Trojan-GameThief.Win32.Nilage.bdm W32.W.Bagle.kZt7 Trojan.PWS.Lineage.9841 BehavesLike.Win32.Pate.pc Trojan-PWS.Win32.Delf W32/Nilage.KWZM-6493 Trojan/PSW.Nilage.auz Trojan[GameThief]/Win32.Magania Trojan-GameThief.Win32.Nilage.bdm Trojan/Win32.OnlineGameHack.R24518 PWS-Gamania.dll Infostealer.Lineage MalwareScope.Trojan-PSW.Game.13 Trojan.PWS.Nilage!v/lUmVrQ3Ac", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Infostealer.Lineage": [[26, 45], [103, 122], [406, 
425]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[46, 88]], "Indicator: W32/Nilage.XS": [[89, 102]], "Indicator: Trojan-GameThief.Win32.Nilage.bdm": [[123, 156], [321, 354]], "Indicator: W32.W.Bagle.kZt7": [[157, 173]], "Indicator: Trojan.PWS.Lineage.9841": [[174, 197]], "Indicator: BehavesLike.Win32.Pate.pc": [[198, 223]], "Indicator: Trojan-PWS.Win32.Delf": [[224, 245]], "Indicator: W32/Nilage.KWZM-6493": [[246, 266]], "Indicator: Trojan/PSW.Nilage.auz": [[267, 288]], "Indicator: Trojan[GameThief]/Win32.Magania": [[289, 320]], "Indicator: Trojan/Win32.OnlineGameHack.R24518": [[355, 389]], "Indicator: PWS-Gamania.dll": [[390, 405]], "Indicator: MalwareScope.Trojan-PSW.Game.13": [[426, 457]], "Indicator: Trojan.PWS.Nilage!v/lUmVrQ3Ac": [[458, 487]]}, "info": {"id": "cyner2_5class_train_06722", "source": "cyner2_5class_train"}} +{"text": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched.", "spans": {"Organization: X-Force research,": [[13, 30]], "Malware: banking Trojan": [[39, 53]]}, "info": {"id": "cyner2_5class_train_06723", "source": "cyner2_5class_train"}} +{"text": "The focus of this blog post is MiKey, a little-known and poorly detected keylogger.", "spans": {"Malware: MiKey,": [[31, 37]], "Malware: keylogger.": [[73, 83]]}, "info": {"id": "cyner2_5class_train_06724", "source": "cyner2_5class_train"}} +{"text": "\" Due to the special RAM disk feature of Android devices ' boot partition , all current mobile antivirus products in the world ca n't completely remove this Trojan or effectively repair the system .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner2_5class_train_06725", "source": "cyner2_5class_train"}} +{"text": "This post will use the PlugX malware as an example PlugX is well known and has had its various iterations analyzed many times, due in part to its ongoing activity and will focus on leveraging metadata from VirusTotal due 
to it being publicly accessible.", "spans": {"Malware: PlugX malware": [[23, 36]], "Malware: PlugX": [[51, 56]], "Organization: VirusTotal": [[206, 216]]}, "info": {"id": "cyner2_5class_train_06726", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.5FA3 Trojan.Glox Infostealer.Gampass Packed.Win32.MUPACK.~KW BehavesLike.Win32.Spybot.dc Trojan/Win32.ADH Trj/Pupack.A Win32.Trojan.Xed.Dzkj", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.5FA3": [[26, 42]], "Indicator: Trojan.Glox": [[43, 54]], "Indicator: Infostealer.Gampass": [[55, 74]], "Indicator: Packed.Win32.MUPACK.~KW": [[75, 98]], "Indicator: BehavesLike.Win32.Spybot.dc": [[99, 126]], "Indicator: Trojan/Win32.ADH": [[127, 143]], "Indicator: Trj/Pupack.A": [[144, 156]], "Indicator: Win32.Trojan.Xed.Dzkj": [[157, 178]]}, "info": {"id": "cyner2_5class_train_06727", "source": "cyner2_5class_train"}} +{"text": "If the package name of the foreground app is included in the target list , an overlay is shown .", "spans": {}, "info": {"id": "cyner2_5class_train_06728", "source": "cyner2_5class_train"}} +{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner2_5class_train_06729", "source": "cyner2_5class_train"}} +{"text": "Maktub Locker is another ransomware that comes with a beautifully designed GUI and few interesting features.", "spans": {"Malware: Maktub Locker": [[0, 13]], "Malware: ransomware": [[25, 35]]}, "info": {"id": "cyner2_5class_train_06730", "source": "cyner2_5class_train"}} +{"text": "It adds the file extension .AnubisCrypt to each encrypted file and sends it to the C2 .", "spans": {"Indicator: .AnubisCrypt": [[27, 39]]}, "info": {"id": "cyner2_5class_train_06731", "source": "cyner2_5class_train"}} +{"text": "checkApps : Asks the malware to see if the packages sent as parameters are installed .", "spans": {}, "info": {"id": "cyner2_5class_train_06732", "source": "cyner2_5class_train"}} +{"text": "Disguised Spyware Uploaded on Google Play Store We 
identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years .", "spans": {"System: Google Play Store": [[30, 47], [125, 142]]}, "info": {"id": "cyner2_5class_train_06733", "source": "cyner2_5class_train"}} +{"text": "This is done by reading the /proc/ [ pid ] /cmdline file .", "spans": {"Indicator: /proc/ [ pid ] /cmdline": [[28, 51]]}, "info": {"id": "cyner2_5class_train_06734", "source": "cyner2_5class_train"}} +{"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows .", "spans": {"Organization: Microsoft": [[12, 21]], "System: Windows": [[110, 117]]}, "info": {"id": "cyner2_5class_train_06735", "source": "cyner2_5class_train"}} +{"text": "For example , going back , going home , opening recents , etc .", "spans": {}, "info": {"id": "cyner2_5class_train_06736", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.CPEX-based!O Trojan.Delfinject.16926 PWS-LDPinch.a!hv Trojan.Buzus.Win32.2199 Trojan/Buzus.rrb TROJ_FAM_0001199.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9967 Win32/Lunibot.B TROJ_FAM_0001199.TOMA Win.Trojan.Buzus-2288 Packed.Win32.CPEX-based.eq Trojan.Win32.CPEXbased.bejytp Trojan.Win32.Buzus.374868 Win32.Trojan.Dovqplay.clht TrojWare.Win32.TrojanDropper.Binder.G BackDoor.Poison.61 BehavesLike.Win32.SoftPulse.tc Virus.Win32.DelfInject W32/Trojan2.CYTZ Trojan/Buzus.puv Trojan[Packed]/Win32.CPEX-based Backdoor:Win32/Mielit.A Packed.Win32.CPEX-based.eq Trojan/Win32.Xema.R44960 BScope.Binder.Buzus.er W32/Buzus.BZ.worm VirTool.DelfInject!GapcEdmyxw8 W32/Injector.fam!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.CPEX-based!O": [[26, 51]], "Indicator: Trojan.Delfinject.16926": [[52, 75]], "Indicator: PWS-LDPinch.a!hv": [[76, 92]], "Indicator: Trojan.Buzus.Win32.2199": [[93, 116]], "Indicator: Trojan/Buzus.rrb": [[117, 133]], "Indicator: 
TROJ_FAM_0001199.TOMA": [[134, 155], [215, 236]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[156, 198]], "Indicator: Win32/Lunibot.B": [[199, 214]], "Indicator: Win.Trojan.Buzus-2288": [[237, 258]], "Indicator: Packed.Win32.CPEX-based.eq": [[259, 285], [570, 596]], "Indicator: Trojan.Win32.CPEXbased.bejytp": [[286, 315]], "Indicator: Trojan.Win32.Buzus.374868": [[316, 341]], "Indicator: Win32.Trojan.Dovqplay.clht": [[342, 368]], "Indicator: TrojWare.Win32.TrojanDropper.Binder.G": [[369, 406]], "Indicator: BackDoor.Poison.61": [[407, 425]], "Indicator: BehavesLike.Win32.SoftPulse.tc": [[426, 456]], "Indicator: Virus.Win32.DelfInject": [[457, 479]], "Indicator: W32/Trojan2.CYTZ": [[480, 496]], "Indicator: Trojan/Buzus.puv": [[497, 513]], "Indicator: Trojan[Packed]/Win32.CPEX-based": [[514, 545]], "Indicator: Backdoor:Win32/Mielit.A": [[546, 569]], "Indicator: Trojan/Win32.Xema.R44960": [[597, 621]], "Indicator: BScope.Binder.Buzus.er": [[622, 644]], "Indicator: W32/Buzus.BZ.worm": [[645, 662]], "Indicator: VirTool.DelfInject!GapcEdmyxw8": [[663, 693]], "Indicator: W32/Injector.fam!tr": [[694, 713]]}, "info": {"id": "cyner2_5class_train_06737", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.XinarilD.Trojan Trojan.Zusy.D26766 Trojan.Win32.Zusy.exkztw W32/Trojan.HJTJ-8943 Trojan/Scar.bmgw TR/Zusy.2726400 Trojan:Win64/SvcMiner.A Trojan.Win32.Z.Zusy.2726400.CY Backdoor.Bot Trj/CI.A Trojan.Scar!zCrXbtgxLOk Win32/Trojan.e88", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.XinarilD.Trojan": [[26, 45]], "Indicator: Trojan.Zusy.D26766": [[46, 64]], "Indicator: Trojan.Win32.Zusy.exkztw": [[65, 89]], "Indicator: W32/Trojan.HJTJ-8943": [[90, 110]], "Indicator: Trojan/Scar.bmgw": [[111, 127]], "Indicator: TR/Zusy.2726400": [[128, 143]], "Indicator: Trojan:Win64/SvcMiner.A": [[144, 167]], "Indicator: Trojan.Win32.Z.Zusy.2726400.CY": [[168, 198]], "Indicator: Backdoor.Bot": [[199, 211]], "Indicator: Trj/CI.A": [[212, 220]], 
"Indicator: Trojan.Scar!zCrXbtgxLOk": [[221, 244]], "Indicator: Win32/Trojan.e88": [[245, 261]]}, "info": {"id": "cyner2_5class_train_06738", "source": "cyner2_5class_train"}} +{"text": "In this post, we will focus on the mobile part of their operation and discuss in detail several Android and BlackBerry apps they are using.", "spans": {"System: Android": [[96, 103]], "System: BlackBerry apps": [[108, 123]]}, "info": {"id": "cyner2_5class_train_06739", "source": "cyner2_5class_train"}} +{"text": "Unit 42 researchers identified a new OS X Trojan associated with the Sofacy group that we are now tracking with the Komplex' tag using the Palo Alto Networks AutoFocus threat intelligence platform.", "spans": {"Organization: Unit 42 researchers": [[0, 19]], "System: OS X": [[37, 41]], "Malware: Trojan": [[42, 48]], "Malware: Komplex'": [[116, 124]], "Organization: Palo Alto Networks": [[139, 157]], "System: AutoFocus threat intelligence platform.": [[158, 197]]}, "info": {"id": "cyner2_5class_train_06740", "source": "cyner2_5class_train"}} +{"text": "We are accustomed to seeing this gate operate directly from typical' compromised websites, but not so much from ad serving ones.", "spans": {}, "info": {"id": "cyner2_5class_train_06741", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Win32.Yuzi.euhfho Backdoor.Yuzi W32/Trojan.UPLJ-0202 BDS/Yuzi.lbwpa Trojan.Win32.Z.Ursu.91648 Backdoor:MSIL/Yuzi.A Trj/GdSda.A Win32/Trojan.fd2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[26, 68]], "Indicator: Trojan.Win32.Yuzi.euhfho": [[69, 93]], "Indicator: Backdoor.Yuzi": [[94, 107]], "Indicator: W32/Trojan.UPLJ-0202": [[108, 128]], "Indicator: BDS/Yuzi.lbwpa": [[129, 143]], "Indicator: Trojan.Win32.Z.Ursu.91648": [[144, 169]], "Indicator: Backdoor:MSIL/Yuzi.A": [[170, 190]], "Indicator: Trj/GdSda.A": [[191, 202]], "Indicator: Win32/Trojan.fd2": [[203, 219]]}, 
"info": {"id": "cyner2_5class_train_06742", "source": "cyner2_5class_train"}} +{"text": "In addition to Russia, targeted regions include neighboring countries such as Mongolia, Belarus, and other European countries.", "spans": {}, "info": {"id": "cyner2_5class_train_06743", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Klevate.S3 Trojan.Webprefix.Win32.62419 Trojan.Dropper.104 Win32.Trojan.Webprefix.a W32/WebPrefix.A Trojan.Win32.Webprefix.crgiyt Backdoor.W32.Androm.mCpQ TrojWare.Win32.Sisron.C BackDoor.Bulknet.1328 BehavesLike.Win32.Trojan.cc W32/Application.KRYM-8973 TrojanDownloader.Klevate.a Win32.Trojan-Dropper.Dlpro.A Trojan/Win32.Zbot.R94414 Win32/Webprefix.D W32/Webprefix.B!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Klevate.S3": [[26, 43]], "Indicator: Trojan.Webprefix.Win32.62419": [[44, 72]], "Indicator: Trojan.Dropper.104": [[73, 91]], "Indicator: Win32.Trojan.Webprefix.a": [[92, 116]], "Indicator: W32/WebPrefix.A": [[117, 132]], "Indicator: Trojan.Win32.Webprefix.crgiyt": [[133, 162]], "Indicator: Backdoor.W32.Androm.mCpQ": [[163, 187]], "Indicator: TrojWare.Win32.Sisron.C": [[188, 211]], "Indicator: BackDoor.Bulknet.1328": [[212, 233]], "Indicator: BehavesLike.Win32.Trojan.cc": [[234, 261]], "Indicator: W32/Application.KRYM-8973": [[262, 287]], "Indicator: TrojanDownloader.Klevate.a": [[288, 314]], "Indicator: Win32.Trojan-Dropper.Dlpro.A": [[315, 343]], "Indicator: Trojan/Win32.Zbot.R94414": [[344, 368]], "Indicator: Win32/Webprefix.D": [[369, 386]], "Indicator: W32/Webprefix.B!tr": [[387, 405]], "Indicator: Trj/CI.A": [[406, 414]]}, "info": {"id": "cyner2_5class_train_06744", "source": "cyner2_5class_train"}} +{"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port .", "spans": {}, "info": {"id": 
"cyner2_5class_train_06745", "source": "cyner2_5class_train"}} +{"text": "It is therefore impossible to decode the communication if one wasn't listening right from its beginning.", "spans": {}, "info": {"id": "cyner2_5class_train_06746", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Banker.Win32.BHO!O Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Ratenjay Trojan-Downloader.Win32.VB.ifws Trojan.DownLoader5.54023 Trojan.Kazy.DE581 Trojan-Downloader.Win32.VB.ifws Downloader/Win32.Banload.C62226 Trojan-Downloader.Win32.Bancos", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Banker.Win32.BHO!O": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[52, 94]], "Indicator: Backdoor.Ratenjay": [[95, 112]], "Indicator: Trojan-Downloader.Win32.VB.ifws": [[113, 144], [188, 219]], "Indicator: Trojan.DownLoader5.54023": [[145, 169]], "Indicator: Trojan.Kazy.DE581": [[170, 187]], "Indicator: Downloader/Win32.Banload.C62226": [[220, 251]], "Indicator: Trojan-Downloader.Win32.Bancos": [[252, 282]]}, "info": {"id": "cyner2_5class_train_06747", "source": "cyner2_5class_train"}} +{"text": "The new malware appears to be linked to the infamous Wolf Research organization and targets Android devices located in Thailand .", "spans": {"Organization: Wolf Research": [[53, 66]], "System: Android": [[92, 99]]}, "info": {"id": "cyner2_5class_train_06748", "source": "cyner2_5class_train"}} +{"text": "So , what can you do to protect yourself from this stealthy beast ? 
1 .", "spans": {}, "info": {"id": "cyner2_5class_train_06749", "source": "cyner2_5class_train"}} +{"text": "EventBot uses multiple methods to exploit accessibility events for webinjects and other information stealing purposes .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_06750", "source": "cyner2_5class_train"}} +{"text": "] today : Som Tum We also identified comments in Thai on the C2 infrastructure mentioned in the previous chapter : MALWARE DenDroid The Android malware is based on the DenDroid Android malware .", "spans": {"Malware: DenDroid": [[123, 131], [168, 176]], "System: Android": [[136, 143]]}, "info": {"id": "cyner2_5class_train_06751", "source": "cyner2_5class_train"}} +{"text": "According to our research , TrickMo is still under active development as we expect to see frequent changes and updates .", "spans": {"Malware: TrickMo": [[28, 35]]}, "info": {"id": "cyner2_5class_train_06752", "source": "cyner2_5class_train"}} +{"text": "] it Firenze server4fi.exodus.connexxa [ .", "spans": {"Indicator: server4fi.exodus.connexxa [ .": [[13, 42]]}, "info": {"id": "cyner2_5class_train_06753", "source": "cyner2_5class_train"}} +{"text": "The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding .", "spans": {"Malware: Zen": [[4, 7]]}, "info": {"id": "cyner2_5class_train_06754", "source": "cyner2_5class_train"}} +{"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy .", "spans": {}, "info": {"id": "cyner2_5class_train_06755", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/HLLW.Std.B Worm/STD.B W32/Std.18437 Win32/HLLP.Std.B Worm.STD.A I-Worm.STD.B.nw5 Email-Worm.Win32.STD.B I-Worm/STD.b Email-Worm.Win32.Std.B W32/HLLW.Std.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/HLLW.Std.B": [[26, 40], [170, 184]], "Indicator: Worm/STD.B": [[41, 51]], "Indicator: W32/Std.18437": [[52, 65]], 
"Indicator: Win32/HLLP.Std.B": [[66, 82]], "Indicator: Worm.STD.A": [[83, 93]], "Indicator: I-Worm.STD.B.nw5": [[94, 110]], "Indicator: Email-Worm.Win32.STD.B": [[111, 133]], "Indicator: I-Worm/STD.b": [[134, 146]], "Indicator: Email-Worm.Win32.Std.B": [[147, 169]]}, "info": {"id": "cyner2_5class_train_06756", "source": "cyner2_5class_train"}} +{"text": "It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background .", "spans": {}, "info": {"id": "cyner2_5class_train_06757", "source": "cyner2_5class_train"}} +{"text": "The end payload that was installed is the HttpBrowser RAT, known to be used by the Chinese group in previous targeted attacks against governments.", "spans": {"Malware: payload": [[8, 15]], "Indicator: HttpBrowser": [[42, 53]], "Malware: RAT,": [[54, 58]], "Indicator: attacks": [[118, 125]], "Organization: governments.": [[134, 146]]}, "info": {"id": "cyner2_5class_train_06758", "source": "cyner2_5class_train"}} +{"text": "This Trojan is interesting due to its ability to steal logins, passwords, and other confidential data by displaying fraudulent authentication forms on top of any applications.", "spans": {"Malware: Trojan": [[5, 11]], "Indicator: steal logins, passwords,": [[49, 73]], "Indicator: confidential data": [[84, 101]], "Indicator: displaying fraudulent authentication": [[105, 141]], "System: applications.": [[162, 175]]}, "info": {"id": "cyner2_5class_train_06759", "source": "cyner2_5class_train"}} +{"text": "It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45.", "spans": {"Malware: Disttrack samples": [[34, 51]], "Indicator: destruction,": [[75, 87]], "Indicator: configured with a non-operational C2 server": [[108, 151]], "Organization: begin wiping data": [[181, 198]]}, "info": 
{"id": "cyner2_5class_train_06760", "source": "cyner2_5class_train"}} +{"text": "Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan's capabilities.", "spans": {"Malware: Kazuar": [[0, 6]], "Indicator: remotely load additional plugins": [[79, 111]], "Malware: Trojan's": [[128, 136]]}, "info": {"id": "cyner2_5class_train_06761", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeSvchostsysLnrA.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9849 Trojan.Win32.Downloader.40960.TR Trojan.Win32.Swisyn W32/Trojan.UTND-0495 Downloader/Win32.OnlineGameHack.R3893 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeSvchostsysLnrA.Trojan": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9849": [[56, 98]], "Indicator: Trojan.Win32.Downloader.40960.TR": [[99, 131]], "Indicator: Trojan.Win32.Swisyn": [[132, 151]], "Indicator: W32/Trojan.UTND-0495": [[152, 172]], "Indicator: Downloader/Win32.OnlineGameHack.R3893": [[173, 210]], "Indicator: Trj/CI.A": [[211, 219]]}, "info": {"id": "cyner2_5class_train_06762", "source": "cyner2_5class_train"}} +{"text": "However, many of these malware are fileless only while entering a user's system, as they eventually reveal themselves when they execute their payload.", "spans": {"Malware: malware": [[23, 30]], "Malware: fileless": [[35, 43]], "System: a user's system,": [[64, 80]], "Malware: payload.": [[142, 150]]}, "info": {"id": "cyner2_5class_train_06763", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.9109 Trojan.Injector BKDR_RMTSVC.V W32/Trojan.FQOB-6520 BKDR_RMTSVC.V Trojan.Win32.Pincav.darg Trojan.Win32.Pincav.dmwojx Troj.W32.Pincav!c Trojan.Inject1.50635 Trojan.Pincav.Win32.24903 BehavesLike.Win32.Dropper.gc Trojan.Pincav.um Trojan.Win32.Pincav.darg Backdoor:Win32/Rmtsvc.C!bit Trojan.Pincav Win32.Trojan.Pincav.Akpm Trojan.Pincav!MRbJOfrjW/0 
Backdoor.Win32.RmtSvc W32/Pincav.B!tr Win32/Trojan.84c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.9109": [[26, 45]], "Indicator: Trojan.Injector": [[46, 61]], "Indicator: BKDR_RMTSVC.V": [[62, 75], [97, 110]], "Indicator: W32/Trojan.FQOB-6520": [[76, 96]], "Indicator: Trojan.Win32.Pincav.darg": [[111, 135], [274, 298]], "Indicator: Trojan.Win32.Pincav.dmwojx": [[136, 162]], "Indicator: Troj.W32.Pincav!c": [[163, 180]], "Indicator: Trojan.Inject1.50635": [[181, 201]], "Indicator: Trojan.Pincav.Win32.24903": [[202, 227]], "Indicator: BehavesLike.Win32.Dropper.gc": [[228, 256]], "Indicator: Trojan.Pincav.um": [[257, 273]], "Indicator: Backdoor:Win32/Rmtsvc.C!bit": [[299, 326]], "Indicator: Trojan.Pincav": [[327, 340]], "Indicator: Win32.Trojan.Pincav.Akpm": [[341, 365]], "Indicator: Trojan.Pincav!MRbJOfrjW/0": [[366, 391]], "Indicator: Backdoor.Win32.RmtSvc": [[392, 413]], "Indicator: W32/Pincav.B!tr": [[414, 429]], "Indicator: Win32/Trojan.84c": [[430, 446]]}, "info": {"id": "cyner2_5class_train_06764", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Hupigon.Win32.133953 Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/QQRob.LP Trojan.PWS.QQPass Win32/AdClicker.UB Backdoor.Win32.Hupigon.olbg Trojan.Win32.Hupigon.eajxbh Trojan.PWS.Qqrobber.155 trojan.win32.dorv.a PWS-Gamania.dll W32/QQRob.TWJB-5358 Trojan/PSW.QQRobber.iu DR/PSW.QQRob.V.2 Trojan[Backdoor]/Win32.Hupigon Trojan.Heur.PT.E044E0 Trojan/Win32.Pwstealer.C63180 PWS-Gamania.dll Win32/PSW.QQRob.NAH Backdoor.Win32.Hupigon Win32/Cekar.G Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hupigon.Win32.133953": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[56, 98]], "Indicator: W32/QQRob.LP": [[99, 111]], "Indicator: Trojan.PWS.QQPass": [[112, 129]], "Indicator: Win32/AdClicker.UB": [[130, 148]], "Indicator: Backdoor.Win32.Hupigon.olbg": [[149, 176]], "Indicator: Trojan.Win32.Hupigon.eajxbh": [[177, 204]], 
"Indicator: Trojan.PWS.Qqrobber.155": [[205, 228]], "Indicator: trojan.win32.dorv.a": [[229, 248]], "Indicator: PWS-Gamania.dll": [[249, 264], [408, 423]], "Indicator: W32/QQRob.TWJB-5358": [[265, 284]], "Indicator: Trojan/PSW.QQRobber.iu": [[285, 307]], "Indicator: DR/PSW.QQRob.V.2": [[308, 324]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[325, 355]], "Indicator: Trojan.Heur.PT.E044E0": [[356, 377]], "Indicator: Trojan/Win32.Pwstealer.C63180": [[378, 407]], "Indicator: Win32/PSW.QQRob.NAH": [[424, 443]], "Indicator: Backdoor.Win32.Hupigon": [[444, 466]], "Indicator: Win32/Cekar.G": [[467, 480]], "Indicator: Trj/CI.A": [[481, 489]]}, "info": {"id": "cyner2_5class_train_06765", "source": "cyner2_5class_train"}} +{"text": "This sample displayed ads from various sources .", "spans": {}, "info": {"id": "cyner2_5class_train_06766", "source": "cyner2_5class_train"}} +{"text": "Method onPostExecute : to handle instructions from remote C2 Figure 6 shows an example response sent back from one C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_06767", "source": "cyner2_5class_train"}} +{"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system .", "spans": {"Indicator: /system/etc/sysconfig/": [[51, 73]]}, "info": {"id": "cyner2_5class_train_06768", "source": "cyner2_5class_train"}} +{"text": "As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player 17.0.0.169", "spans": {"Organization: FireEye": [[14, 21]], "Vulnerability: vulnerability": [[76, 89]], "System: Flash Player": [[123, 135]]}, "info": {"id": "cyner2_5class_train_06769", "source": "cyner2_5class_train"}} +{"text": "In the first of our series on the dark web, Cyble uncovered a new strain of InfoStealer malware targeting Cryptocurrency users via phishing sites and YouTube channels, as well as the source code and GitHub 
repository.", "spans": {"Organization: Cyble": [[44, 49]], "Malware: new strain": [[62, 72]], "Malware: InfoStealer malware": [[76, 95]], "Organization: Cryptocurrency users": [[106, 126]], "Indicator: phishing sites": [[131, 145]], "Organization: YouTube channels,": [[150, 167]], "Indicator: the source code": [[179, 194]], "System: GitHub repository.": [[199, 217]]}, "info": {"id": "cyner2_5class_train_06770", "source": "cyner2_5class_train"}} +{"text": "This newest entry seems to indicate that these changes won ’ t be stopping soon .", "spans": {}, "info": {"id": "cyner2_5class_train_06771", "source": "cyner2_5class_train"}} +{"text": "In April 2017, the Cisco Talos team disclosed the Scarcruft group's proprietary tool, ROKRAT, a malware that has been continuously modified and used by the group to this day.", "spans": {"Organization: Cisco Talos team": [[19, 35]], "Malware: ROKRAT,": [[86, 93]], "Malware: malware": [[96, 103]]}, "info": {"id": "cyner2_5class_train_06772", "source": "cyner2_5class_train"}} +{"text": "com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi ’ s smart home IoT devices .", "spans": {"Indicator: com.xiaomi.smarthome.receive_alarm": [[0, 34]], "Organization: Xiaomi": [[63, 69]]}, "info": {"id": "cyner2_5class_train_06773", "source": "cyner2_5class_train"}} +{"text": "Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers.", "spans": {"Malware: malicious code": [[4, 18]], "Indicator: Mach-O object file": [[35, 53]], "System: Xcode installers.": [[96, 113]]}, "info": {"id": "cyner2_5class_train_06774", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.VB!O TROJ_GE.C2A90427 Multi.Threats.InArchive W32/Rewdulon.A TROJ_GE.C2A90427 Win.Trojan.Dentenspy-1 Trojan.Win32.VB.pbucu Trojan.WinSpy.1721 Trojan.VB.Win32.74988 W32/Rewdulon.RWFU-0950 TrojanSpy.VB.eqx TR/Proxy.VB.mm Trojan[Proxy]/Win32.VB Backdoor:Win32/Rewdulon.A 
Trojan.Heur.VP2.EA6021 Trojan/Win32.Winspy.R17397 TrojanProxy.VB Win32/Spy.VB.NPF Trojan.PR.VB!L9iJM/+WFQY Trojan-Proxy.Win32.VB Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.VB!O": [[26, 45]], "Indicator: TROJ_GE.C2A90427": [[46, 62], [102, 118]], "Indicator: Multi.Threats.InArchive": [[63, 86]], "Indicator: W32/Rewdulon.A": [[87, 101]], "Indicator: Win.Trojan.Dentenspy-1": [[119, 141]], "Indicator: Trojan.Win32.VB.pbucu": [[142, 163]], "Indicator: Trojan.WinSpy.1721": [[164, 182]], "Indicator: Trojan.VB.Win32.74988": [[183, 204]], "Indicator: W32/Rewdulon.RWFU-0950": [[205, 227]], "Indicator: TrojanSpy.VB.eqx": [[228, 244]], "Indicator: TR/Proxy.VB.mm": [[245, 259]], "Indicator: Trojan[Proxy]/Win32.VB": [[260, 282]], "Indicator: Backdoor:Win32/Rewdulon.A": [[283, 308]], "Indicator: Trojan.Heur.VP2.EA6021": [[309, 331]], "Indicator: Trojan/Win32.Winspy.R17397": [[332, 358]], "Indicator: TrojanProxy.VB": [[359, 373]], "Indicator: Win32/Spy.VB.NPF": [[374, 390]], "Indicator: Trojan.PR.VB!L9iJM/+WFQY": [[391, 415]], "Indicator: Trojan-Proxy.Win32.VB": [[416, 437]], "Indicator: Trj/CI.A": [[438, 446]]}, "info": {"id": "cyner2_5class_train_06775", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.FakeInst.L Android.FakeNotify.A Android.Trojan.FakeInst.L Android.Trojan.FakeInst.L HEUR:Trojan-SMS.AndroidOS.Opfake.bo A.H.Pay.Emugo.L Trojan.Android.Opfake.dtqjss Android.Malware.Trojan Trojan:Android/FakeNotify.A Trojan[SMS]/Android.Opfake Android.Trojan.FakeInst.L HEUR:Trojan-SMS.AndroidOS.Opfake.bo Android-Trojan/SmsSend.837f Trojan.AndroidOS.FakeInst.D Trojan.AndroidOS.MalCrypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.FakeInst.L": [[26, 51], [73, 98], [99, 124], [284, 309]], "Indicator: Android.FakeNotify.A": [[52, 72]], "Indicator: HEUR:Trojan-SMS.AndroidOS.Opfake.bo": [[125, 160], [310, 345]], "Indicator: A.H.Pay.Emugo.L": [[161, 176]], "Indicator: 
Trojan.Android.Opfake.dtqjss": [[177, 205]], "Indicator: Android.Malware.Trojan": [[206, 228]], "Indicator: Trojan:Android/FakeNotify.A": [[229, 256]], "Indicator: Trojan[SMS]/Android.Opfake": [[257, 283]], "Indicator: Android-Trojan/SmsSend.837f": [[346, 373]], "Indicator: Trojan.AndroidOS.FakeInst.D": [[374, 401]], "Indicator: Trojan.AndroidOS.MalCrypt": [[402, 427]]}, "info": {"id": "cyner2_5class_train_06776", "source": "cyner2_5class_train"}} +{"text": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations.", "spans": {"Organization: governmental organizations.": [[56, 83]]}, "info": {"id": "cyner2_5class_train_06777", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Graftor.D25EAD Win32.Trojan.WisdomEyes.16070401.9500.9841 Backdoor.Trojan BKDR_SMALL.W Win.Trojan.Coreshell-1 Trojan.Win32.Metlar.hmosd Trojan.Click2.7627 BKDR_SMALL.W BDS/Metlar.A Backdoor:Win32/Metlar.A W32/Small.W!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D25EAD": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9841": [[48, 90]], "Indicator: Backdoor.Trojan": [[91, 106]], "Indicator: BKDR_SMALL.W": [[107, 119], [188, 200]], "Indicator: Win.Trojan.Coreshell-1": [[120, 142]], "Indicator: Trojan.Win32.Metlar.hmosd": [[143, 168]], "Indicator: Trojan.Click2.7627": [[169, 187]], "Indicator: BDS/Metlar.A": [[201, 213]], "Indicator: Backdoor:Win32/Metlar.A": [[214, 237]], "Indicator: W32/Small.W!tr.bdr": [[238, 256]]}, "info": {"id": "cyner2_5class_train_06778", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Blackmail.Worm Win32.Worm.Killav.GR Worm/W32.Nyxem.65024.B Email-Worm.Win32.Nyxem!O Worm.Nyxem W32/MyWife.d@MM!M24 W32/VB.bi WORM_NYXEM.E Win32.Worm.VB.sy W32/Kapser.A@mm W32.Blackmal.E@mm Win32/Blackmal.F!CME24 WORM_NYXEM.E Win.Worm.Nyxem-7 Email-Worm.Win32.Nyxem.e Win32.Worm.Killav.GR Trojan.Win32.Nyxem.wcrgf W32.W.Nyxem.lNe6 Win32.Worm-email.Nyxem.Syhr 
Win32.Worm.Killav.GR Worm.Win32.VB.NEI Email-Worm:W32/Nyxem.E BehavesLike.Win32.Worm.kc W32/Kapser.KOCX-1196 I-Worm/VB.g WORM/KillAV.GR Worm[Email]/Win32.Nyxem Worm:Win32/Mywife.E@mm!CME24 Win32.Worm.Killav.GR I-Worm.Win32.Nyxem.E Win32.Worm.Killav.GR Worm/Win32.Nyxem.R67250 Win32.Worm.Killav.GR Email-Worm.VB Win32/VB.NEI Worm.P2P.VB.CIL!CME-24 Win32.Worm.Killav.GR W32/Nyxem.E@mm W32/Tearec.A.worm!CME-24 Trojan.Win32.KillAV.AG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Blackmail.Worm": [[26, 44]], "Indicator: Win32.Worm.Killav.GR": [[45, 65], [297, 317], [388, 408], [577, 597], [619, 639], [664, 684], [735, 755]], "Indicator: Worm/W32.Nyxem.65024.B": [[66, 88]], "Indicator: Email-Worm.Win32.Nyxem!O": [[89, 113]], "Indicator: Worm.Nyxem": [[114, 124]], "Indicator: W32/MyWife.d@MM!M24": [[125, 144]], "Indicator: W32/VB.bi": [[145, 154]], "Indicator: WORM_NYXEM.E": [[155, 167], [242, 254]], "Indicator: Win32.Worm.VB.sy": [[168, 184]], "Indicator: W32/Kapser.A@mm": [[185, 200]], "Indicator: W32.Blackmal.E@mm": [[201, 218]], "Indicator: Win32/Blackmal.F!CME24": [[219, 241]], "Indicator: Win.Worm.Nyxem-7": [[255, 271]], "Indicator: Email-Worm.Win32.Nyxem.e": [[272, 296]], "Indicator: Trojan.Win32.Nyxem.wcrgf": [[318, 342]], "Indicator: W32.W.Nyxem.lNe6": [[343, 359]], "Indicator: Win32.Worm-email.Nyxem.Syhr": [[360, 387]], "Indicator: Worm.Win32.VB.NEI": [[409, 426]], "Indicator: Email-Worm:W32/Nyxem.E": [[427, 449]], "Indicator: BehavesLike.Win32.Worm.kc": [[450, 475]], "Indicator: W32/Kapser.KOCX-1196": [[476, 496]], "Indicator: I-Worm/VB.g": [[497, 508]], "Indicator: WORM/KillAV.GR": [[509, 523]], "Indicator: Worm[Email]/Win32.Nyxem": [[524, 547]], "Indicator: Worm:Win32/Mywife.E@mm!CME24": [[548, 576]], "Indicator: I-Worm.Win32.Nyxem.E": [[598, 618]], "Indicator: Worm/Win32.Nyxem.R67250": [[640, 663]], "Indicator: Email-Worm.VB": [[685, 698]], "Indicator: Win32/VB.NEI": [[699, 711]], "Indicator: Worm.P2P.VB.CIL!CME-24": [[712, 734]], "Indicator: 
W32/Nyxem.E@mm": [[756, 770]], "Indicator: W32/Tearec.A.worm!CME-24": [[771, 795]], "Indicator: Trojan.Win32.KillAV.AG": [[796, 818]]}, "info": {"id": "cyner2_5class_train_06779", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: AIT:Trojan.Nymeria.219 Trojan.Fsysna AIT:Trojan.Nymeria.219 W32/Trojan.KHZX-2886 Trojan.Win32.Fsysna.epqb AIT:Trojan.Nymeria.219 Trojan.Win32.Fsysna.eusaby AIT:Trojan.Nymeria.219 AIT:Trojan.Nymeria.219 Trojan.Fsysna.Win32.15287 Trojan.Win32.Autoit TR/Fsysna.vdzaj AIT:Trojan.Nymeria.219 Trojan.Win32.Fsysna.epqb Trojan:Win32/Enotdap.A Trojan/Win32.Fsysna.C2239375 Trj/CI.A Win32.Trojan.Fsysna.Iiu W32/Autoit.CK!tr.spy Win32/Trojan.623", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AIT:Trojan.Nymeria.219": [[26, 48], [63, 85], [132, 154], [182, 204], [205, 227], [290, 312]], "Indicator: Trojan.Fsysna": [[49, 62]], "Indicator: W32/Trojan.KHZX-2886": [[86, 106]], "Indicator: Trojan.Win32.Fsysna.epqb": [[107, 131], [313, 337]], "Indicator: Trojan.Win32.Fsysna.eusaby": [[155, 181]], "Indicator: Trojan.Fsysna.Win32.15287": [[228, 253]], "Indicator: Trojan.Win32.Autoit": [[254, 273]], "Indicator: TR/Fsysna.vdzaj": [[274, 289]], "Indicator: Trojan:Win32/Enotdap.A": [[338, 360]], "Indicator: Trojan/Win32.Fsysna.C2239375": [[361, 389]], "Indicator: Trj/CI.A": [[390, 398]], "Indicator: Win32.Trojan.Fsysna.Iiu": [[399, 422]], "Indicator: W32/Autoit.CK!tr.spy": [[423, 443]], "Indicator: Win32/Trojan.623": [[444, 460]]}, "info": {"id": "cyner2_5class_train_06780", "source": "cyner2_5class_train"}} +{"text": "In April, the new Infostealer family of Spanish origin was first noted targeting users in the U.S. 
and Mexico.", "spans": {"Malware: Infostealer family": [[18, 36]], "Organization: targeting users": [[71, 86]]}, "info": {"id": "cyner2_5class_train_06781", "source": "cyner2_5class_train"}} +{"text": "The operation uses known and patched exploits to deliver a custom backdoor known as KeyBoy.", "spans": {"Vulnerability: patched exploits": [[29, 45]], "Malware: KeyBoy.": [[84, 91]]}, "info": {"id": "cyner2_5class_train_06782", "source": "cyner2_5class_train"}} +{"text": "It was late 2018 when Riltok climbed onto the international stage .", "spans": {"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner2_5class_train_06783", "source": "cyner2_5class_train"}} +{"text": "The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS.", "spans": {"Malware: variant": [[4, 11]], "Indicator: highly targeted, digitally signed,": [[15, 49]], "Indicator: exfiltrates stolen payment card data": [[54, 90]], "System: DNS.": [[96, 100]]}, "info": {"id": "cyner2_5class_train_06784", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87721 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id87721 [ .": [[21, 63]]}, "info": {"id": "cyner2_5class_train_06785", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dropper.Snuff.A Win32.TrojanDropper.Snuff.A.2 Trojan/Dropper.FC.a Trojan.DR.FC!ID4WOR5KQxg Win32/TrojanDropper.FC.A Backdoor.Trojan.dr W32/FC.Y Win32/TrojanRunner.I TROJ_DROPPER.ACU Win32.TRFC.A Trojan-Dropper.Win32.FC.a Trojan.Dropper.Snuff.A Virus.Win32.Trojano.421!IK TrojWare.Win32.TrojanDropper.FC.A Trojan.Dropper.Snuff.A BackDoor.Bifrost.14965 TR/FC.A TROJ_DROPPER.ACU TrojanDropper.Win32.FC TrojanDropper:Win32/Snuff.A Trojan.Win32.FC.21040 Trojan.Dropper.Snuff.A Dropper/FC.4096 Trojan-Dropper.Win32.FC.a Backdoor.Trojan Harm.SysCrash Virus.Win32.Trojano.421 W32/Fc.A!tr Dropper.Tiny.K Trj/MultiDrp.AF", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.Dropper.Snuff.A": [[26, 48], [254, 276], [338, 360], [482, 504]], "Indicator: Win32.TrojanDropper.Snuff.A.2": [[49, 78]], "Indicator: Trojan/Dropper.FC.a": [[79, 98]], "Indicator: Trojan.DR.FC!ID4WOR5KQxg": [[99, 123]], "Indicator: Win32/TrojanDropper.FC.A": [[124, 148]], "Indicator: Backdoor.Trojan.dr": [[149, 167]], "Indicator: W32/FC.Y": [[168, 176]], "Indicator: Win32/TrojanRunner.I": [[177, 197]], "Indicator: TROJ_DROPPER.ACU": [[198, 214], [392, 408]], "Indicator: Win32.TRFC.A": [[215, 227]], "Indicator: Trojan-Dropper.Win32.FC.a": [[228, 253], [521, 546]], "Indicator: Virus.Win32.Trojano.421!IK": [[277, 303]], "Indicator: TrojWare.Win32.TrojanDropper.FC.A": [[304, 337]], "Indicator: BackDoor.Bifrost.14965": [[361, 383]], "Indicator: TR/FC.A": [[384, 391]], "Indicator: TrojanDropper.Win32.FC": [[409, 431]], "Indicator: TrojanDropper:Win32/Snuff.A": [[432, 459]], "Indicator: Trojan.Win32.FC.21040": [[460, 481]], "Indicator: Dropper/FC.4096": [[505, 520]], "Indicator: Backdoor.Trojan": [[547, 562]], "Indicator: Harm.SysCrash": [[563, 576]], "Indicator: Virus.Win32.Trojano.421": [[577, 600]], "Indicator: W32/Fc.A!tr": [[601, 612]], "Indicator: Dropper.Tiny.K": [[613, 627]], "Indicator: Trj/MultiDrp.AF": [[628, 643]]}, "info": {"id": "cyner2_5class_train_06786", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Zusy.D3A031 Trojan.Kwampirs TROJ_KWAMPIRS.SMJK Trojan.Win32.Bedep.az TROJ_KWAMPIRS.SMJK BehavesLike.Win32.BadFile.dm Trojan.Win32.Kwampirs Trojan.Bedep.u TR/Crypt.ZPACK.sfqtf Trojan.Win32.Bedep.az Trojan/Win32.Bedep.R199961 Trojan.Bedep Trojan.Injector Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.Zusy.D3A031": [[46, 64]], "Indicator: Trojan.Kwampirs": [[65, 80]], "Indicator: TROJ_KWAMPIRS.SMJK": [[81, 99], [122, 140]], "Indicator: Trojan.Win32.Bedep.az": [[100, 121], [228, 249]], "Indicator: BehavesLike.Win32.BadFile.dm": 
[[141, 169]], "Indicator: Trojan.Win32.Kwampirs": [[170, 191]], "Indicator: Trojan.Bedep.u": [[192, 206]], "Indicator: TR/Crypt.ZPACK.sfqtf": [[207, 227]], "Indicator: Trojan/Win32.Bedep.R199961": [[250, 276]], "Indicator: Trojan.Bedep": [[277, 289]], "Indicator: Trojan.Injector": [[290, 305]], "Indicator: Trj/GdSda.A": [[306, 317]]}, "info": {"id": "cyner2_5class_train_06787", "source": "cyner2_5class_train"}} +{"text": "When done , the bot is functional and ready to receive commands and perform overlay attacks .", "spans": {}, "info": {"id": "cyner2_5class_train_06788", "source": "cyner2_5class_train"}} +{"text": "From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS.", "spans": {"Malware: tools": [[64, 69]], "Vulnerability: zero-day exploits": [[98, 115]], "System: applications": [[133, 145]], "System: Java": [[154, 158]], "System: Microsoft Office,": [[162, 179]], "Indicator: spear-phishing attacks, compromising legitimate websites": [[193, 249]], "Indicator: watering-hole attacks,": [[259, 281]], "System: operating systems": [[314, 331]], "System: Windows, OSX, Linux,": [[334, 354]], "System: mobile iOS.": [[360, 371]]}, "info": {"id": "cyner2_5class_train_06789", "source": "cyner2_5class_train"}} +{"text": "The algorithm for generating the lowest-level domain name was hardwired in the Trojan ’ s code .", "spans": {}, "info": {"id": "cyner2_5class_train_06790", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.4D03 Trojan.Zenshirsh.SL7 Win32.Trojan.WisdomEyes.16070401.9500.9639 Trojan.Win32.TPM.eslggg BehavesLike.Win32.PWSZbot.cc Trojan.Heur.RP.ZyWaayyb2wki Trojan.Win32.Z.Ircbot.839168.A Win32.Trojan.Crypt.Hqux 
Trojan.Themida! Trojan-PWS.OnlineGames Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.4D03": [[26, 43]], "Indicator: Trojan.Zenshirsh.SL7": [[44, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9639": [[65, 107]], "Indicator: Trojan.Win32.TPM.eslggg": [[108, 131]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[132, 160]], "Indicator: Trojan.Heur.RP.ZyWaayyb2wki": [[161, 188]], "Indicator: Trojan.Win32.Z.Ircbot.839168.A": [[189, 219]], "Indicator: Win32.Trojan.Crypt.Hqux": [[220, 243]], "Indicator: Trojan.Themida!": [[244, 259]], "Indicator: Trojan-PWS.OnlineGames": [[260, 282]], "Indicator: Trj/CI.A": [[283, 291]]}, "info": {"id": "cyner2_5class_train_06791", "source": "cyner2_5class_train"}} +{"text": "cecilia-gilbert [ .", "spans": {"Indicator: cecilia-gilbert [ .": [[0, 19]]}, "info": {"id": "cyner2_5class_train_06792", "source": "cyner2_5class_train"}} +{"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app ’ s resources .", "spans": {}, "info": {"id": "cyner2_5class_train_06793", "source": "cyner2_5class_train"}} +{"text": "If not , the response is scrubbed of the strings used to complete the billing fraud .", "spans": {}, "info": {"id": "cyner2_5class_train_06794", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_PROTUX.SMZKEB-G Trojan.Win32.RedCap.exxfqg Trojan.Win32.Z.Zusy.8916480 Trojan.MulDrop7.62734 Trojan.Banbra.Win32.27829 BKDR_PROTUX.SMZKEB-G W32/Trojan.CPEN-4136 TR/RedCap.xslwz Trojan.Symmi.D1461E Trojan/Win32.Comnie.R209069 Trojan.Drnohell Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Gamarue.2!O": [[26, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[62, 104]], "Indicator: BKDR_PROTUX.SMZKEB-G": [[105, 125], [229, 249]], "Indicator: Trojan.Win32.RedCap.exxfqg": [[126, 152]], "Indicator: Trojan.Win32.Z.Zusy.8916480": 
[[153, 180]], "Indicator: Trojan.MulDrop7.62734": [[181, 202]], "Indicator: Trojan.Banbra.Win32.27829": [[203, 228]], "Indicator: W32/Trojan.CPEN-4136": [[250, 270]], "Indicator: TR/RedCap.xslwz": [[271, 286]], "Indicator: Trojan.Symmi.D1461E": [[287, 306]], "Indicator: Trojan/Win32.Comnie.R209069": [[307, 334]], "Indicator: Trojan.Drnohell": [[335, 350]], "Indicator: Trj/CI.A": [[351, 359]]}, "info": {"id": "cyner2_5class_train_06795", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Bublik.274432.B Backdoor.Win32.Caphaw Trojan.Symmi.D1465 Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.ELRU-2307 Trojan.Win32.Caphaw.exkhwo Trojan.Win32.A.Bublik.274432.D BackDoor.Caphaw.2 BehavesLike.Win32.PWSZbot.dh Trojan.Win32.Bublik Trojan/Bublik.ank Backdoor:Win32/Caphaw.D Trojan/Win32.Bublik.R46085 Backdoor.Win32.Caphaw SScope.Backdoor.Caphaw.A Win32/Trojan.144", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Bublik.274432.B": [[26, 52]], "Indicator: Backdoor.Win32.Caphaw": [[53, 74], [352, 373]], "Indicator: Trojan.Symmi.D1465": [[75, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[94, 136]], "Indicator: W32/Trojan.ELRU-2307": [[137, 157]], "Indicator: Trojan.Win32.Caphaw.exkhwo": [[158, 184]], "Indicator: Trojan.Win32.A.Bublik.274432.D": [[185, 215]], "Indicator: BackDoor.Caphaw.2": [[216, 233]], "Indicator: BehavesLike.Win32.PWSZbot.dh": [[234, 262]], "Indicator: Trojan.Win32.Bublik": [[263, 282]], "Indicator: Trojan/Bublik.ank": [[283, 300]], "Indicator: Backdoor:Win32/Caphaw.D": [[301, 324]], "Indicator: Trojan/Win32.Bublik.R46085": [[325, 351]], "Indicator: SScope.Backdoor.Caphaw.A": [[374, 398]], "Indicator: Win32/Trojan.144": [[399, 415]]}, "info": {"id": "cyner2_5class_train_06796", "source": "cyner2_5class_train"}} +{"text": "] net .", "spans": {}, "info": {"id": "cyner2_5class_train_06797", "source": "cyner2_5class_train"}} +{"text": "VICTIMOLOGY ON THE IDENTIFIED CAMPAIGNS The campaigns we 
analyzed targeted Android devices in Thailand .", "spans": {"System: Android": [[75, 82]]}, "info": {"id": "cyner2_5class_train_06798", "source": "cyner2_5class_train"}} +{"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ .", "spans": {"Malware: HenBox": [[0, 6], [51, 57]], "System: Uyghur App Store": [[18, 34]], "Indicator: uyghurapps [ .": [[82, 96]]}, "info": {"id": "cyner2_5class_train_06799", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Fifesock W32.W.Otwycal.l4av Net-Worm.Win32.Koobface Spammer:Win32/Fifesock.B Win32/RiskWare.PEMalform.E Win32/Trojan.c9e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Fifesock": [[26, 41]], "Indicator: W32.W.Otwycal.l4av": [[42, 60]], "Indicator: Net-Worm.Win32.Koobface": [[61, 84]], "Indicator: Spammer:Win32/Fifesock.B": [[85, 109]], "Indicator: Win32/RiskWare.PEMalform.E": [[110, 136]], "Indicator: Win32/Trojan.c9e": [[137, 153]]}, "info": {"id": "cyner2_5class_train_06800", "source": "cyner2_5class_train"}} +{"text": "Most mobile malware is designed to steal users ’ money , including SMS-Trojans , and lots of backdoors and Trojans .", "spans": {}, "info": {"id": "cyner2_5class_train_06801", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RansomGimemoB.Trojan Trojan.Win32.Kazy!O Trojan.Qhost.Win32.6280 Trojan.Kazy.D7BDE9 Win32.Trojan.WisdomEyes.16070401.9500.9903 Win32/Ternanu.C HV_ZYX_BG26035C.TOMC Trojan.Win32.Inject.sbpf Trojan.Win32.DownLoad2.brqxff Packer.W32.Krap.ldx7 Trojan.DownLoad2.39110 BehavesLike.Win32.Virus.dh Trojan-Ransom.Win32.Gimemo Trojan/Qhost.cty W32.Gimemo Trojan[Backdoor]/Win32.Delf Trojan/Win32.FakeAV.R10033 Trojan-Dropper.11705 Ransom.FileCryptor W32/Injector.HVQ!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RansomGimemoB.Trojan": [[26, 50]], "Indicator: Trojan.Win32.Kazy!O": [[51, 70]], "Indicator: Trojan.Qhost.Win32.6280": [[71, 94]], "Indicator: 
Trojan.Kazy.D7BDE9": [[95, 113]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9903": [[114, 156]], "Indicator: Win32/Ternanu.C": [[157, 172]], "Indicator: HV_ZYX_BG26035C.TOMC": [[173, 193]], "Indicator: Trojan.Win32.Inject.sbpf": [[194, 218]], "Indicator: Trojan.Win32.DownLoad2.brqxff": [[219, 248]], "Indicator: Packer.W32.Krap.ldx7": [[249, 269]], "Indicator: Trojan.DownLoad2.39110": [[270, 292]], "Indicator: BehavesLike.Win32.Virus.dh": [[293, 319]], "Indicator: Trojan-Ransom.Win32.Gimemo": [[320, 346]], "Indicator: Trojan/Qhost.cty": [[347, 363]], "Indicator: W32.Gimemo": [[364, 374]], "Indicator: Trojan[Backdoor]/Win32.Delf": [[375, 402]], "Indicator: Trojan/Win32.FakeAV.R10033": [[403, 429]], "Indicator: Trojan-Dropper.11705": [[430, 450]], "Indicator: Ransom.FileCryptor": [[451, 469]], "Indicator: W32/Injector.HVQ!tr": [[470, 489]], "Indicator: Trj/CI.A": [[490, 498]]}, "info": {"id": "cyner2_5class_train_06802", "source": "cyner2_5class_train"}} +{"text": "FAKE REVIEWS When early versions of apps are first published , many five star reviews appear with comments like : “ So .. good .. 
” “ very beautiful ” Later , 1 star reviews from real users start appearing with comments like : “ Deception ” “ The app is not honest … ” SUMMARY Sheer volume appears to be the preferred approach for Bread developers .", "spans": {"Malware: Bread": [[331, 336]]}, "info": {"id": "cyner2_5class_train_06803", "source": "cyner2_5class_train"}} +{"text": "We are not including the IP addresses from the C2 infrastructure since it is compromised infrastructure that is not longer in use", "spans": {"Indicator: IP addresses": [[25, 37]], "System: C2 infrastructure": [[47, 64]], "Vulnerability: compromised": [[77, 88]]}, "info": {"id": "cyner2_5class_train_06804", "source": "cyner2_5class_train"}} +{"text": "This version adds one significant class — it requests DEVICE_ADMIN privileges .", "spans": {}, "info": {"id": "cyner2_5class_train_06805", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.S488527 Trojan.Smallprox Trojan.Win32.Zusy.elolmi Trojan.Proxy2.577 TR/Proxy.mzyhy Trojan.Symmi.D11AD5 Win32/Trojan.1ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.S488527": [[26, 48]], "Indicator: Trojan.Smallprox": [[49, 65]], "Indicator: Trojan.Win32.Zusy.elolmi": [[66, 90]], "Indicator: Trojan.Proxy2.577": [[91, 108]], "Indicator: TR/Proxy.mzyhy": [[109, 123]], "Indicator: Trojan.Symmi.D11AD5": [[124, 143]], "Indicator: Win32/Trojan.1ff": [[144, 160]]}, "info": {"id": "cyner2_5class_train_06806", "source": "cyner2_5class_train"}} +{"text": "This diagram illustrates the whole process .", "spans": {}, "info": {"id": "cyner2_5class_train_06807", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.HackTool.18432.M Win32.Trojan.WisdomEyes.16070401.9500.9952 Hacktool.Notahproxy HackTool:Win32/Onaht.A Riskware.HackTool!NeLzDaI7P40 Malware_fam.NB Win32/Trojan.Hacktool.4e9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.HackTool.18432.M": [[26, 53]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9952": [[54, 96]], "Indicator: Hacktool.Notahproxy": [[97, 116]], "Indicator: HackTool:Win32/Onaht.A": [[117, 139]], "Indicator: Riskware.HackTool!NeLzDaI7P40": [[140, 169]], "Indicator: Malware_fam.NB": [[170, 184]], "Indicator: Win32/Trojan.Hacktool.4e9": [[185, 210]]}, "info": {"id": "cyner2_5class_train_06808", "source": "cyner2_5class_train"}} +{"text": "Examples included fake commercial suppliers or shipping companies sending an updated price list, banks asking customers to validate banking information, or confirmation of equipment delivery.", "spans": {"Indicator: fake commercial suppliers": [[18, 43]], "Indicator: shipping companies sending an updated price list, banks asking customers to validate banking information,": [[47, 152]], "Indicator: confirmation of equipment delivery.": [[156, 191]]}, "info": {"id": "cyner2_5class_train_06809", "source": "cyner2_5class_train"}} +{"text": "We have chosen to join forces to continue the investigation around Gooligan .", "spans": {"Malware: Gooligan": [[67, 75]]}, "info": {"id": "cyner2_5class_train_06810", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Adware.FC.529 Trojan.Razy.D2449C Win32.Trojan.WisdomEyes.16070401.9500.9898 Riskware.Win32.Dotdo.ewnrxt Adware.Dotdo.25 Trojan.MSIL.Trojanproxy TR/Proxy.ulkkx Trojan:MSIL/Faikdal.A PUP.DotDo/Variant Adware.DotDo.DotPrx Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Adware.FC.529": [[26, 44]], "Indicator: Trojan.Razy.D2449C": [[45, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9898": [[64, 106]], "Indicator: Riskware.Win32.Dotdo.ewnrxt": [[107, 134]], "Indicator: Adware.Dotdo.25": [[135, 150]], "Indicator: Trojan.MSIL.Trojanproxy": [[151, 174]], "Indicator: TR/Proxy.ulkkx": [[175, 189]], "Indicator: Trojan:MSIL/Faikdal.A": [[190, 211]], "Indicator: PUP.DotDo/Variant": [[212, 229]], "Indicator: Adware.DotDo.DotPrx": [[230, 249]], "Indicator: Trj/GdSda.A": [[250, 
261]]}, "info": {"id": "cyner2_5class_train_06811", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OpaservA.Worm Net-Worm.Win32.Opasoft!O W32.OpaServ.A W32/Opaserv.worm.a WORM_OPASERV.A Win32.Worm.Opaserv.e W32/Opaserv.worm.A W32.Opaserv.Worm Win32/Opaserv.A WORM_OPASERV.A Win.Worm.OpaSoft-3 Net-Worm.Win32.Opasoft.a Trojan.Win32.Opasoft.wglh Worm.Win32.Opaserv Win32.Worm-net.Opasoft.Eeqs Win32.Opasoft Trojan.OpaKill.Win32.1 W32/Opaserv.worm.a Worm.Win32.Opasoft.A W32/Opaserv.worm.A Worm/Opasoft.a Worm[Net]/Win32.Opasoft Worm.Opasoft Net-Worm.Win32.Opasoft.a Worm:Win32/Opaserv.A Win32/Opasoft.worm.28672 Worm.Opaserv.AT W32/Opaserv.fam", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OpaservA.Worm": [[26, 43]], "Indicator: Net-Worm.Win32.Opasoft!O": [[44, 68]], "Indicator: W32.OpaServ.A": [[69, 82]], "Indicator: W32/Opaserv.worm.a": [[83, 101], [359, 377]], "Indicator: WORM_OPASERV.A": [[102, 116], [190, 204]], "Indicator: Win32.Worm.Opaserv.e": [[117, 137]], "Indicator: W32/Opaserv.worm.A": [[138, 156], [399, 417]], "Indicator: W32.Opaserv.Worm": [[157, 173]], "Indicator: Win32/Opaserv.A": [[174, 189]], "Indicator: Win.Worm.OpaSoft-3": [[205, 223]], "Indicator: Net-Worm.Win32.Opasoft.a": [[224, 248], [470, 494]], "Indicator: Trojan.Win32.Opasoft.wglh": [[249, 274]], "Indicator: Worm.Win32.Opaserv": [[275, 293]], "Indicator: Win32.Worm-net.Opasoft.Eeqs": [[294, 321]], "Indicator: Win32.Opasoft": [[322, 335]], "Indicator: Trojan.OpaKill.Win32.1": [[336, 358]], "Indicator: Worm.Win32.Opasoft.A": [[378, 398]], "Indicator: Worm/Opasoft.a": [[418, 432]], "Indicator: Worm[Net]/Win32.Opasoft": [[433, 456]], "Indicator: Worm.Opasoft": [[457, 469]], "Indicator: Worm:Win32/Opaserv.A": [[495, 515]], "Indicator: Win32/Opasoft.worm.28672": [[516, 540]], "Indicator: Worm.Opaserv.AT": [[541, 556]], "Indicator: W32/Opaserv.fam": [[557, 572]]}, "info": {"id": "cyner2_5class_train_06812", "source": "cyner2_5class_train"}} +{"text": "Hidden 
Configuration Data As mentioned above , EventBot begins using obfuscation .", "spans": {"Malware: EventBot": [[47, 55]]}, "info": {"id": "cyner2_5class_train_06813", "source": "cyner2_5class_train"}} +{"text": "Version # 3 : Sept. - Dec. 2019 — Domain : ponethus [ .", "spans": {"Indicator: ponethus [ .": [[43, 55]]}, "info": {"id": "cyner2_5class_train_06814", "source": "cyner2_5class_train"}} +{"text": "The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance.", "spans": {"Malware: tools,": [[30, 36]]}, "info": {"id": "cyner2_5class_train_06815", "source": "cyner2_5class_train"}} +{"text": "This attack highlights how macro malware in Microsoft Office files is fast becoming a big threat to businesses and organizations.", "spans": {"Malware: macro malware": [[27, 40]], "System: Microsoft Office": [[44, 60]], "Vulnerability: big threat": [[86, 96]], "Organization: businesses": [[100, 110]], "Organization: organizations.": [[115, 129]]}, "info": {"id": "cyner2_5class_train_06816", "source": "cyner2_5class_train"}} +{"text": "] infogooogel-drive [ .", "spans": {"Indicator: [ .": [[20, 23]]}, "info": {"id": "cyner2_5class_train_06817", "source": "cyner2_5class_train"}} +{"text": "Both of these libraries are runtime libraries related to Dalvik and ART runtime environments .", "spans": {"System: Dalvik": [[57, 63]], "System: ART": [[68, 71]]}, "info": {"id": "cyner2_5class_train_06818", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE Trojan[Exploit]/Win32.CCProxyOver Exploit:Win32/Prix.A.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: Trojan[Exploit]/Win32.CCProxyOver": [[42, 75]], "Indicator: Exploit:Win32/Prix.A.dam#2": [[76, 102]]}, "info": {"id": "cyner2_5class_train_06819", "source": "cyner2_5class_train"}} +{"text": "As reported, the source of the attack appears to have been the website of the Polish 
financial regulator.", "spans": {"Indicator: attack": [[31, 37]], "Indicator: website": [[63, 70]], "Organization: the Polish financial regulator.": [[74, 105]]}, "info": {"id": "cyner2_5class_train_06820", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan:MSIL/Bogoclak.A Trojan.MSIL.Lynx.3 Trj/GdSda.A Backdoor.MSIL MSIL/Stealors.NET!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[26, 68]], "Indicator: Trojan:MSIL/Bogoclak.A": [[69, 91]], "Indicator: Trojan.MSIL.Lynx.3": [[92, 110]], "Indicator: Trj/GdSda.A": [[111, 122]], "Indicator: Backdoor.MSIL": [[123, 136]], "Indicator: MSIL/Stealors.NET!tr": [[137, 157]]}, "info": {"id": "cyner2_5class_train_06821", "source": "cyner2_5class_train"}} +{"text": "Signing the malware with a stolen and subsequently publicly leaked code-signing certificate is sloppy even for well-known CN-APT groups.", "spans": {"Malware: malware": [[12, 19]], "Indicator: stolen": [[27, 33]], "Indicator: publicly leaked code-signing certificate": [[51, 91]]}, "info": {"id": "cyner2_5class_train_06822", "source": "cyner2_5class_train"}} +{"text": "Through correlation of technical indicators and command and control infrastructure, FireEye assess that APT28 is probably responsible for this activity.", "spans": {"System: command": [[48, 55]], "Organization: FireEye": [[84, 91]]}, "info": {"id": "cyner2_5class_train_06823", "source": "cyner2_5class_train"}} +{"text": "With every Android update , the malware authors are forced to come up with new tricks .", "spans": {"System: Android": [[11, 18]]}, "info": {"id": "cyner2_5class_train_06824", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Chiko.Worm Trojan/W32.StartPage.377856 Trojan.Win32.StartPage!O Worm.AutoRun W32.W.Fearso.kYUv WORM_SILLY.ICA Win32.Worm.Delf.cg W32.SillyFDC Win32/Chike.A Worm.Win32.AutoRun.ihn Trojan.Win32.StartPage.yqro 
Trojan.Win32.StartPage.377856 Trojan.StartPage.52501 Trojan.StartPage.Win32.1 Virus.Win32.Alman Trojan/StartPage.de TR/Delf.AKP Trojan/Win32.StartPage Win32.Virut.ce.57344 Trojan.Heur.ED91C9 Worm.Win32.AutoRun.ihn Worm:Win32/Chiki.A HEUR/Fakon.mwf TScope.Trojan.Delf W32/Chike.C.worm Win32/Delf.NFT Win32.Worm.Autorun.Pavh Trojan.StartPage!orHv1sw9Olo W32/StartPage.AJH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Chiko.Worm": [[26, 40]], "Indicator: Trojan/W32.StartPage.377856": [[41, 68]], "Indicator: Trojan.Win32.StartPage!O": [[69, 93]], "Indicator: Worm.AutoRun": [[94, 106]], "Indicator: W32.W.Fearso.kYUv": [[107, 124]], "Indicator: WORM_SILLY.ICA": [[125, 139]], "Indicator: Win32.Worm.Delf.cg": [[140, 158]], "Indicator: W32.SillyFDC": [[159, 171]], "Indicator: Win32/Chike.A": [[172, 185]], "Indicator: Worm.Win32.AutoRun.ihn": [[186, 208], [428, 450]], "Indicator: Trojan.Win32.StartPage.yqro": [[209, 236]], "Indicator: Trojan.Win32.StartPage.377856": [[237, 266]], "Indicator: Trojan.StartPage.52501": [[267, 289]], "Indicator: Trojan.StartPage.Win32.1": [[290, 314]], "Indicator: Virus.Win32.Alman": [[315, 332]], "Indicator: Trojan/StartPage.de": [[333, 352]], "Indicator: TR/Delf.AKP": [[353, 364]], "Indicator: Trojan/Win32.StartPage": [[365, 387]], "Indicator: Win32.Virut.ce.57344": [[388, 408]], "Indicator: Trojan.Heur.ED91C9": [[409, 427]], "Indicator: Worm:Win32/Chiki.A": [[451, 469]], "Indicator: HEUR/Fakon.mwf": [[470, 484]], "Indicator: TScope.Trojan.Delf": [[485, 503]], "Indicator: W32/Chike.C.worm": [[504, 520]], "Indicator: Win32/Delf.NFT": [[521, 535]], "Indicator: Win32.Worm.Autorun.Pavh": [[536, 559]], "Indicator: Trojan.StartPage!orHv1sw9Olo": [[560, 588]], "Indicator: W32/StartPage.AJH!tr": [[589, 609]]}, "info": {"id": "cyner2_5class_train_06825", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.W32.Nethief.l7ro TrojWare.Win32.Packed.PNC BehavesLike.Win32.Backdoor.kc Trojan.Krypt.19 
Trojan-Dropper.Delf Trj/CI.A Win32/Trojan.8cd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.W32.Nethief.l7ro": [[26, 51]], "Indicator: TrojWare.Win32.Packed.PNC": [[52, 77]], "Indicator: BehavesLike.Win32.Backdoor.kc": [[78, 107]], "Indicator: Trojan.Krypt.19": [[108, 123]], "Indicator: Trojan-Dropper.Delf": [[124, 143]], "Indicator: Trj/CI.A": [[144, 152]], "Indicator: Win32/Trojan.8cd": [[153, 169]]}, "info": {"id": "cyner2_5class_train_06826", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Inject.ASP Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Win32.Kryptik.evmmfw Trojan.Win32.Z.Inject.49664 Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Crypt3 W32/Trojan.HLQX-0378 Backdoor:Win32/Deselia.B!dha Trojan/Win32.Kryptik.R153606 W32/ESILE.C!tr Script/Trojan.b13", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.ASP": [[26, 43], [44, 61], [62, 79], [123, 140], [141, 158], [215, 232], [233, 250]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[80, 122]], "Indicator: Trojan.Win32.Kryptik.evmmfw": [[159, 186]], "Indicator: Trojan.Win32.Z.Inject.49664": [[187, 214]], "Indicator: Trojan.Crypt3": [[251, 264]], "Indicator: W32/Trojan.HLQX-0378": [[265, 285]], "Indicator: Backdoor:Win32/Deselia.B!dha": [[286, 314]], "Indicator: Trojan/Win32.Kryptik.R153606": [[315, 343]], "Indicator: W32/ESILE.C!tr": [[344, 358]], "Indicator: Script/Trojan.b13": [[359, 376]]}, "info": {"id": "cyner2_5class_train_06827", "source": "cyner2_5class_train"}} +{"text": "Longhorn, which we internally refer to as The Lamberts first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability CVE-2014-4148.", "spans": {"Organization: ITSec community": [[90, 105]], "Organization: FireEye": [[140, 147]], "Indicator: attack": [[162, 168]], "Vulnerability: a zero day 
vulnerability": [[175, 199]], "Indicator: CVE-2014-4148.": [[200, 214]]}, "info": {"id": "cyner2_5class_train_06828", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D2E557 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D2E557": [[26, 44]], "Indicator: Trj/GdSda.A": [[45, 56]]}, "info": {"id": "cyner2_5class_train_06829", "source": "cyner2_5class_train"}} +{"text": "Windows Defender ATP also integrates with the Windows protection stack so that protections from Windows Defender AV and Windows Defender Exploit Guard are reported in Windows Defender ATP portal , enabling SecOps personnel to centrally manage security , and as well as promptly investigate and respond to hostile activity in the network .", "spans": {"System: Windows Defender ATP": [[0, 20], [167, 187]], "System: Windows": [[46, 53]], "System: Windows Defender AV": [[96, 115]], "System: Windows Defender Exploit Guard": [[120, 150]]}, "info": {"id": "cyner2_5class_train_06830", "source": "cyner2_5class_train"}} +{"text": "It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.", "spans": {}, "info": {"id": "cyner2_5class_train_06831", "source": "cyner2_5class_train"}} +{"text": "BEBLOH always came up with new defensive measures to avoid AV products, and this time is no different.", "spans": {"Malware: BEBLOH": [[0, 6]], "Indicator: new defensive measures": [[27, 49]], "System: AV products,": [[59, 71]]}, "info": {"id": "cyner2_5class_train_06832", "source": "cyner2_5class_train"}} +{"text": "Other attacks on Bank Austria customers that we observed resolved to the following .top domains : Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817062 [ .", "spans": {"System: Bank Austria": [[17, 29]], "Indicator: hxxp : //online.bankaustria.at.id8817062 [ .": [[112, 156]]}, "info": {"id": 
"cyner2_5class_train_06833", "source": "cyner2_5class_train"}} +{"text": "] 923525 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_06834", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Banload.reo Win32.Trojan.WisdomEyes.16070401.9500.9590 Win.Trojan.Graftor-2494 Trojan.Win32.Graftor.cuifrv Trojan.Banker.Win32.94901 TR/Graftor.6930.12 Trojan.Graftor.D17FC TrojanDownloader:Win32/Bangkgrob.A Trj/CI.A TrojanSpy.Banker!0zttYTGMFlo Trojan-Downloader.Win32.Banload W32/Banker.ZZN!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Banload.reo": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9590": [[56, 98]], "Indicator: Win.Trojan.Graftor-2494": [[99, 122]], "Indicator: Trojan.Win32.Graftor.cuifrv": [[123, 150]], "Indicator: Trojan.Banker.Win32.94901": [[151, 176]], "Indicator: TR/Graftor.6930.12": [[177, 195]], "Indicator: Trojan.Graftor.D17FC": [[196, 216]], "Indicator: TrojanDownloader:Win32/Bangkgrob.A": [[217, 251]], "Indicator: Trj/CI.A": [[252, 260]], "Indicator: TrojanSpy.Banker!0zttYTGMFlo": [[261, 289]], "Indicator: Trojan-Downloader.Win32.Banload": [[290, 321]], "Indicator: W32/Banker.ZZN!tr": [[322, 339]]}, "info": {"id": "cyner2_5class_train_06835", "source": "cyner2_5class_train"}} +{"text": "That number is likely inflated, mainly because of dynamic IP allocation and historic records not being removed promptly.", "spans": {"Indicator: dynamic IP allocation": [[50, 71]], "Vulnerability: historic records not being removed promptly.": [[76, 120]]}, "info": {"id": "cyner2_5class_train_06836", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Malruze Trojan.Win32.Z.Malruze.113664 Trojan:Win32/Malruze.A!gfc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Malruze": [[26, 40]], "Indicator: Trojan.Win32.Z.Malruze.113664": [[41, 70]], "Indicator: Trojan:Win32/Malruze.A!gfc": [[71, 97]]}, "info": {"id": "cyner2_5class_train_06837", 
"source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Birele!O Win32.Trojan.WisdomEyes.16070401.9500.9907 W32/Miner.UKCL-7487 W32/Miner.B Trojan.Win32.CoinMiner.pmp Trojan/Win32.Miner.C2255099", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Birele!O": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9907": [[55, 97]], "Indicator: W32/Miner.UKCL-7487": [[98, 117]], "Indicator: W32/Miner.B": [[118, 129]], "Indicator: Trojan.Win32.CoinMiner.pmp": [[130, 156]], "Indicator: Trojan/Win32.Miner.C2255099": [[157, 184]]}, "info": {"id": "cyner2_5class_train_06838", "source": "cyner2_5class_train"}} +{"text": "Recently, the Threat Monitoring System of QiAnXin Threat Intelligence Center monitored that a botnet written in GO language was spreading through multiple vulnerabilities.", "spans": {"System: the Threat Monitoring System": [[10, 38]], "Organization: QiAnXin Threat Intelligence Center": [[42, 76]], "Malware: botnet": [[94, 100]], "System: GO language": [[112, 123]], "Vulnerability: multiple vulnerabilities.": [[146, 171]]}, "info": {"id": "cyner2_5class_train_06839", "source": "cyner2_5class_train"}} +{"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed .", "spans": {"System: Super Mario Run": [[17, 32], [168, 183]], "Indicator: net.droidjack.server": [[48, 68]], "Indicator: 69b4b32e4636f1981841cbbe3b927560": [[75, 107]], "Malware: DroidJack": [[284, 293]], "Malware: SandroRAT": [[310, 319]]}, "info": {"id": "cyner2_5class_train_06840", "source": "cyner2_5class_train"}} +{"text": "The site is redirecting users to rgdotfoldersasapdotcom which is a RIG EK landing page that serves a malicious 
flash file and a malicious binary.", "spans": {"Indicator: site": [[4, 8]], "Indicator: redirecting": [[12, 23]], "Indicator: rgdotfoldersasapdotcom": [[33, 55]], "Malware: RIG EK": [[67, 73]], "Indicator: landing page": [[74, 86]], "Malware: malicious flash file": [[101, 121]], "Malware: malicious binary.": [[128, 145]]}, "info": {"id": "cyner2_5class_train_06841", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.WintaskLTH.Trojan Worm.Psyokym.A3 W32.SillyFDC WORM_PSYOKYM.SM23 Trojan-Dropper.Win32.Sysn.bqcc Trojan.Win32.WBNA.ctgbxm Trojan.DownLoader5.33626 WORM_PSYOKYM.SM23 Worm.Win32.Psyokym WORM/Psyokym.A.34 Worm:Win32/Psyokym.A Trojan.Zusy.D393D Trojan.Win32.Downloader.189952.AV Trojan-Dropper.Win32.Sysn.bqcc HEUR/Fakon.mwf Worm.AutoRun!angV1RJQRlk W32/Virut.CE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WintaskLTH.Trojan": [[26, 47]], "Indicator: Worm.Psyokym.A3": [[48, 63]], "Indicator: W32.SillyFDC": [[64, 76]], "Indicator: WORM_PSYOKYM.SM23": [[77, 94], [176, 193]], "Indicator: Trojan-Dropper.Win32.Sysn.bqcc": [[95, 125], [304, 334]], "Indicator: Trojan.Win32.WBNA.ctgbxm": [[126, 150]], "Indicator: Trojan.DownLoader5.33626": [[151, 175]], "Indicator: Worm.Win32.Psyokym": [[194, 212]], "Indicator: WORM/Psyokym.A.34": [[213, 230]], "Indicator: Worm:Win32/Psyokym.A": [[231, 251]], "Indicator: Trojan.Zusy.D393D": [[252, 269]], "Indicator: Trojan.Win32.Downloader.189952.AV": [[270, 303]], "Indicator: HEUR/Fakon.mwf": [[335, 349]], "Indicator: Worm.AutoRun!angV1RJQRlk": [[350, 374]], "Indicator: W32/Virut.CE": [[375, 387]]}, "info": {"id": "cyner2_5class_train_06842", "source": "cyner2_5class_train"}} +{"text": "For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea.", "spans": {}, "info": {"id": "cyner2_5class_train_06843", "source": "cyner2_5class_train"}} +{"text": "ussd : to call a C2-specified phone number .", "spans": 
{}, "info": {"id": "cyner2_5class_train_06844", "source": "cyner2_5class_train"}} +{"text": "Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call .", "spans": {}, "info": {"id": "cyner2_5class_train_06845", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Zusy.D14EB5 Win32/Oflwr.A!crypt Win.Downloader.Boltolog-223 Win32.Application.PUPStudio.A Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R BackDoor.BlackHole.20244 TR/Graftor.123479.4 Trojan:Win32/Semsubim.A Trojan.Wecod Win32/Trojan.Clicker.4d5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D14EB5": [[26, 44]], "Indicator: Win32/Oflwr.A!crypt": [[45, 64]], "Indicator: Win.Downloader.Boltolog-223": [[65, 92]], "Indicator: Win32.Application.PUPStudio.A": [[93, 122]], "Indicator: Worm.Win32.Dropper.RA": [[123, 144]], "Indicator: Trojan:W32/DelfInject.R": [[145, 168]], "Indicator: BackDoor.BlackHole.20244": [[169, 193]], "Indicator: TR/Graftor.123479.4": [[194, 213]], "Indicator: Trojan:Win32/Semsubim.A": [[214, 237]], "Indicator: Trojan.Wecod": [[238, 250]], "Indicator: Win32/Trojan.Clicker.4d5": [[251, 275]]}, "info": {"id": "cyner2_5class_train_06846", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.CED3 Trojan.Zenshirsh.SL7 Trojan.Zusy.D13E0F Win32.Trojan.Kryptik.av Trojan.Win32.Emager.ngb Trojan.Win32.FKM.dsobxk Trojan.Win32.Z.Zusy.159744.AME Backdoor.W32.Hupigon.le6i TrojWare.Win32.BHO.NJYY Trojan.Packed.26400 BehavesLike.Win32.Backdoor.cc Trojan.Win32.Spy Trojan.Emager.ly W32.Infostealer.Zeus Win32.Troj.Undef.kcloud Trojan.Win32.Emager.ngb Trojan/Win32.Small.C10819 TScope.Malware-Cryptor.SB Trojan.Win32.Dropper.abe Trojan.Emager!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.CED3": [[26, 42]], "Indicator: Trojan.Zenshirsh.SL7": [[43, 63]], "Indicator: Trojan.Zusy.D13E0F": [[64, 82]], "Indicator: Win32.Trojan.Kryptik.av": [[83, 106]], 
"Indicator: Trojan.Win32.Emager.ngb": [[107, 130], [365, 388]], "Indicator: Trojan.Win32.FKM.dsobxk": [[131, 154]], "Indicator: Trojan.Win32.Z.Zusy.159744.AME": [[155, 185]], "Indicator: Backdoor.W32.Hupigon.le6i": [[186, 211]], "Indicator: TrojWare.Win32.BHO.NJYY": [[212, 235]], "Indicator: Trojan.Packed.26400": [[236, 255]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[256, 285]], "Indicator: Trojan.Win32.Spy": [[286, 302]], "Indicator: Trojan.Emager.ly": [[303, 319]], "Indicator: W32.Infostealer.Zeus": [[320, 340]], "Indicator: Win32.Troj.Undef.kcloud": [[341, 364]], "Indicator: Trojan/Win32.Small.C10819": [[389, 414]], "Indicator: TScope.Malware-Cryptor.SB": [[415, 440]], "Indicator: Trojan.Win32.Dropper.abe": [[441, 465]], "Indicator: Trojan.Emager!": [[466, 480]]}, "info": {"id": "cyner2_5class_train_06847", "source": "cyner2_5class_train"}} +{"text": "EventBot screenPinPrefs.xml The content of screenPinPrefs.xml .", "spans": {"Indicator: screenPinPrefs.xml": [[9, 27], [43, 61]]}, "info": {"id": "cyner2_5class_train_06848", "source": "cyner2_5class_train"}} +{"text": "During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014 .", "spans": {}, "info": {"id": "cyner2_5class_train_06849", "source": "cyner2_5class_train"}} +{"text": "Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors.", "spans": {"Organization: Unit 42 researchers": [[0, 19]], "Organization: Palo Alto Networks": [[23, 41]], "Organization: United States defense contractors.": [[114, 148]]}, "info": {"id": "cyner2_5class_train_06850", "source": "cyner2_5class_train"}} +{"text": "However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine.", "spans": {}, "info": {"id": "cyner2_5class_train_06851", "source": "cyner2_5class_train"}} +{"text": "At the 
time, it was being distributed via both targeted email campaigns and exploit kits EKs.", "spans": {"Malware: exploit kits EKs.": [[76, 93]]}, "info": {"id": "cyner2_5class_train_06852", "source": "cyner2_5class_train"}} +{"text": "MISLEADING USERS Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure , showing terms and conditions or a confirm button .", "spans": {"Malware: Bread": [[17, 22]]}, "info": {"id": "cyner2_5class_train_06853", "source": "cyner2_5class_train"}} +{"text": "While investing a lot of resources in the development of this malware , the actor behind “ Agent Smith ” does not want a real update to remove all of the changes made , so here is where the “ patch ” module comes in to play With the sole purpose of disabling automatic updates for the infected application , this module observes the update directory for the original application and removes the file once it appears .", "spans": {"Malware: Agent Smith": [[91, 102]]}, "info": {"id": "cyner2_5class_train_06854", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDropper.RAR W32/Trojan.WAHH-7616 Trojan.Win32.RAR.crvcdy Trojan.Win32.Z.Dropper.1318323 Trojan:MSIL/Ainslot.A Win32/PSW.Tibia.NGP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.RAR": [[26, 43]], "Indicator: W32/Trojan.WAHH-7616": [[44, 64]], "Indicator: Trojan.Win32.RAR.crvcdy": [[65, 88]], "Indicator: Trojan.Win32.Z.Dropper.1318323": [[89, 119]], "Indicator: Trojan:MSIL/Ainslot.A": [[120, 141]], "Indicator: Win32/PSW.Tibia.NGP": [[142, 161]]}, "info": {"id": "cyner2_5class_train_06855", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BypassUAC Exploit.Win32.BypassUAC.ihb Trojan.Win32.Tordev.exuhxz Exploit.W32.Bypassuac!c BackDoor.Tordev.976 Exploit.BypassUAC.Win32.1119 BehavesLike.Win32.Dropper.bc Trojan.Win32.Ekstak Exploit.BypassUAC.amp TR/Injector.otvkc Trojan[Exploit]/Win32.BypassUAC Trojan.Graftor.D71C73 
Exploit.Win32.BypassUAC.ihb Backdoor:Win32/Rescoms.B Trojan/Win32.BypassUAC.C2399731 Exploit.BypassUAC Trj/CI.A Win32.Trojan.Inject.Auto Win32/Trojan.852", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BypassUAC": [[26, 42]], "Indicator: Exploit.Win32.BypassUAC.ihb": [[43, 70], [314, 341]], "Indicator: Trojan.Win32.Tordev.exuhxz": [[71, 97]], "Indicator: Exploit.W32.Bypassuac!c": [[98, 121]], "Indicator: BackDoor.Tordev.976": [[122, 141]], "Indicator: Exploit.BypassUAC.Win32.1119": [[142, 170]], "Indicator: BehavesLike.Win32.Dropper.bc": [[171, 199]], "Indicator: Trojan.Win32.Ekstak": [[200, 219]], "Indicator: Exploit.BypassUAC.amp": [[220, 241]], "Indicator: TR/Injector.otvkc": [[242, 259]], "Indicator: Trojan[Exploit]/Win32.BypassUAC": [[260, 291]], "Indicator: Trojan.Graftor.D71C73": [[292, 313]], "Indicator: Backdoor:Win32/Rescoms.B": [[342, 366]], "Indicator: Trojan/Win32.BypassUAC.C2399731": [[367, 398]], "Indicator: Exploit.BypassUAC": [[399, 416]], "Indicator: Trj/CI.A": [[417, 425]], "Indicator: Win32.Trojan.Inject.Auto": [[426, 450]], "Indicator: Win32/Trojan.852": [[451, 467]]}, "info": {"id": "cyner2_5class_train_06856", "source": "cyner2_5class_train"}} +{"text": "This is why we recently released Cybereason Mobile , a new offering that strengthens the Cybereason Defense Platform by bringing prevention , detection , and response capabilities to mobile devices .", "spans": {"System: Cybereason Mobile": [[33, 50]], "System: Cybereason Defense Platform": [[89, 116]]}, "info": {"id": "cyner2_5class_train_06857", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.VB.z4 Trojan.VB.Win32.155172 Trojan/Dropper.StartPage.dzs Win32.Trojan.WisdomEyes.16070401.9500.9663 Trojan.Win32.VBKrypt TrojanDownloader:Win32/Swity.C Trojan.VB!g1fz4qjxDzc W32/VB.NTK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.VB.z4": [[26, 48]], "Indicator: Trojan.VB.Win32.155172": [[49, 71]], "Indicator: 
Trojan/Dropper.StartPage.dzs": [[72, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9663": [[101, 143]], "Indicator: Trojan.Win32.VBKrypt": [[144, 164]], "Indicator: TrojanDownloader:Win32/Swity.C": [[165, 195]], "Indicator: Trojan.VB!g1fz4qjxDzc": [[196, 217]], "Indicator: W32/VB.NTK!tr": [[218, 231]]}, "info": {"id": "cyner2_5class_train_06858", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.SmokeLdr.A3 Trojan.Ransom.GlobeImposter Trojan.Injector TROJ_INJECT.AUSPTF Win32.Trojan.Injector.MH Trojan.Win32.Khalesi.bjm Trojan.Win32.Khalesi.exdymq Trojan.Win32.Z.Razy.286720.EN Trojan.Encoder.11539 TROJ_INJECT.AUSPTF BehavesLike.Win32.PWSZbot.dm Trojan-Ransom.GlobeImposter W32/Trojan.BXWF-8222 Trojan.Khalesi.jz TR/Kryptik.nopxu Trojan/Win32.Khalesi Trojan.Razy.D3C133 Trojan.Win32.Khalesi.bjm Trojan/Win32.VBKrypt.C2374802 Trojan.Khalesi Trj/GdSda.A Win32.Trojan.Khalesi.Swkj Win32/Trojan.674", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.SmokeLdr.A3": [[26, 44]], "Indicator: Trojan.Ransom.GlobeImposter": [[45, 72]], "Indicator: Trojan.Injector": [[73, 88]], "Indicator: TROJ_INJECT.AUSPTF": [[89, 107], [237, 255]], "Indicator: Win32.Trojan.Injector.MH": [[108, 132]], "Indicator: Trojan.Win32.Khalesi.bjm": [[133, 157], [409, 433]], "Indicator: Trojan.Win32.Khalesi.exdymq": [[158, 185]], "Indicator: Trojan.Win32.Z.Razy.286720.EN": [[186, 215]], "Indicator: Trojan.Encoder.11539": [[216, 236]], "Indicator: BehavesLike.Win32.PWSZbot.dm": [[256, 284]], "Indicator: Trojan-Ransom.GlobeImposter": [[285, 312]], "Indicator: W32/Trojan.BXWF-8222": [[313, 333]], "Indicator: Trojan.Khalesi.jz": [[334, 351]], "Indicator: TR/Kryptik.nopxu": [[352, 368]], "Indicator: Trojan/Win32.Khalesi": [[369, 389]], "Indicator: Trojan.Razy.D3C133": [[390, 408]], "Indicator: Trojan/Win32.VBKrypt.C2374802": [[434, 463]], "Indicator: Trojan.Khalesi": [[464, 478]], "Indicator: Trj/GdSda.A": [[479, 490]], "Indicator: Win32.Trojan.Khalesi.Swkj": [[491, 
516]], "Indicator: Win32/Trojan.674": [[517, 533]]}, "info": {"id": "cyner2_5class_train_06859", "source": "cyner2_5class_train"}} +{"text": "AOSP patched the Janus vulnerability since version 7 by introducing APK Signature Scheme V2 .", "spans": {"Vulnerability: Janus": [[17, 22]]}, "info": {"id": "cyner2_5class_train_06860", "source": "cyner2_5class_train"}} +{"text": "It is an old threat and was well-described by Symantec back in 2009.", "spans": {"Malware: old threat": [[9, 19]], "Organization: Symantec": [[46, 54]]}, "info": {"id": "cyner2_5class_train_06861", "source": "cyner2_5class_train"}} +{"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of the spyware .", "spans": {"Indicator: 70a937b2504b3ad6c623581424c7e53d": [[49, 81]]}, "info": {"id": "cyner2_5class_train_06862", "source": "cyner2_5class_train"}} +{"text": "In this case , it registers three broadcast receivers : MyReceiver - Triggers when the device is booted .", "spans": {}, "info": {"id": "cyner2_5class_train_06863", "source": "cyner2_5class_train"}} +{"text": "A nubmer of downloaders installing further malware from http://mondaynightfundarts[.]com/images/Nu48djdi.zip", "spans": {"Malware: downloaders": [[12, 23]], "Malware: malware": [[43, 50]], "Indicator: http://mondaynightfundarts[.]com/images/Nu48djdi.zip": [[56, 108]]}, "info": {"id": "cyner2_5class_train_06864", "source": "cyner2_5class_train"}} +{"text": "It's a trojan spy which is installed as service called RCSU.", "spans": {"Malware: trojan spy": [[7, 17]], "Indicator: installed as service": [[27, 47]], "Indicator: RCSU.": [[55, 60]]}, "info": {"id": "cyner2_5class_train_06865", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodeac.Trojan.9edf Trojan.PlugX.A4 BKDR_PLUGX.DUKH Win32.Trojan.WisdomEyes.16070401.9500.9975 BKDR_PLUGX.DUKH Trojan-Spy.Win32.Lurk.vtx Trojan.Win32.Datufly.ebtzfj 
Trojan.Win32.Z.Injector.9728.AR[h] Uds.Dangerousobject.Multi!c Trojan.Injector.Win32.378784 worm.win32.gamarue.z TrojanSpy.Lurk.ep TR/Datufly.hmoo W32/Injector.CXAC!tr Trojan.Graftor.D429AC Trojan:Win32/Datufly.B!dha Trojan/Win32.Datufly.R184100 TrojanSpy.Lurk Win32.Trojan-spy.Lurk.Amck TrojanSpy.Lurk!fV54mUiVDuY Trojan.Win32.Injector Inject3.AMFK Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodeac.Trojan.9edf": [[26, 49]], "Indicator: Trojan.PlugX.A4": [[50, 65]], "Indicator: BKDR_PLUGX.DUKH": [[66, 81], [125, 140]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[82, 124]], "Indicator: Trojan-Spy.Win32.Lurk.vtx": [[141, 166]], "Indicator: Trojan.Win32.Datufly.ebtzfj": [[167, 194]], "Indicator: Trojan.Win32.Z.Injector.9728.AR[h]": [[195, 229]], "Indicator: Uds.Dangerousobject.Multi!c": [[230, 257]], "Indicator: Trojan.Injector.Win32.378784": [[258, 286]], "Indicator: worm.win32.gamarue.z": [[287, 307]], "Indicator: TrojanSpy.Lurk.ep": [[308, 325]], "Indicator: TR/Datufly.hmoo": [[326, 341]], "Indicator: W32/Injector.CXAC!tr": [[342, 362]], "Indicator: Trojan.Graftor.D429AC": [[363, 384]], "Indicator: Trojan:Win32/Datufly.B!dha": [[385, 411]], "Indicator: Trojan/Win32.Datufly.R184100": [[412, 440]], "Indicator: TrojanSpy.Lurk": [[441, 455]], "Indicator: Win32.Trojan-spy.Lurk.Amck": [[456, 482]], "Indicator: TrojanSpy.Lurk!fV54mUiVDuY": [[483, 509]], "Indicator: Trojan.Win32.Injector": [[510, 531]], "Indicator: Inject3.AMFK": [[532, 544]], "Indicator: Trj/GdSda.A": [[545, 556]]}, "info": {"id": "cyner2_5class_train_06866", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Irc.Mimic.C Trojan.Glitch.A BKDR_IRCMIMIC.C IRC/Mimic.C Hacktool.Flooder BKDR_IRCMIMIC.C Win.Trojan.Soldier-7 Backdoor.IRC.Mimic.c Backdoor.Irc.Mimic.C DoS.W32.LifeWare!c Backdoor.Irc.Mimic.C DDoS.LifeWire BehavesLike.Win32.PWSZbot.bc Trojan.Win32.DoS IRC/Mimic.C IRC/Mimic.8 HackTool[DoS]/Win32.LifeWare DDoS:Win32/LifeWire.A 
Backdoor.IRC.Mimic.c DoS.LifeWare Trojan.HideWindows Bck/Iroffer.BG Irc.Backdoor.Mimic.Htmt VBS.Flood.L W32/LifeWare.A!dos Win32/Virus.IRC.f2c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Irc.Mimic.C": [[26, 46], [166, 186], [206, 226]], "Indicator: Trojan.Glitch.A": [[47, 62]], "Indicator: BKDR_IRCMIMIC.C": [[63, 78], [108, 123]], "Indicator: IRC/Mimic.C": [[79, 90], [287, 298]], "Indicator: Hacktool.Flooder": [[91, 107]], "Indicator: Win.Trojan.Soldier-7": [[124, 144]], "Indicator: Backdoor.IRC.Mimic.c": [[145, 165], [362, 382]], "Indicator: DoS.W32.LifeWare!c": [[187, 205]], "Indicator: DDoS.LifeWire": [[227, 240]], "Indicator: BehavesLike.Win32.PWSZbot.bc": [[241, 269]], "Indicator: Trojan.Win32.DoS": [[270, 286]], "Indicator: IRC/Mimic.8": [[299, 310]], "Indicator: HackTool[DoS]/Win32.LifeWare": [[311, 339]], "Indicator: DDoS:Win32/LifeWire.A": [[340, 361]], "Indicator: DoS.LifeWare": [[383, 395]], "Indicator: Trojan.HideWindows": [[396, 414]], "Indicator: Bck/Iroffer.BG": [[415, 429]], "Indicator: Irc.Backdoor.Mimic.Htmt": [[430, 453]], "Indicator: VBS.Flood.L": [[454, 465]], "Indicator: W32/LifeWare.A!dos": [[466, 484]], "Indicator: Win32/Virus.IRC.f2c": [[485, 504]]}, "info": {"id": "cyner2_5class_train_06867", "source": "cyner2_5class_train"}} +{"text": "Using the Dynamic Threat Intelligence Cloud DTI, FireEye researchers detected a pattern of attacks beginning on April 13th, 2015.", "spans": {"System: Dynamic Threat Intelligence Cloud DTI,": [[10, 48]], "Organization: FireEye": [[49, 56]], "Indicator: pattern of attacks": [[80, 98]]}, "info": {"id": "cyner2_5class_train_06868", "source": "cyner2_5class_train"}} +{"text": "Just recently, we found a new spam campaign of Hancitor with some notable developments that may have been in the previous variants, but were not discussed in any other reports.", "spans": {"Malware: Hancitor": [[47, 55]], "Malware: variants,": [[122, 131]]}, "info": {"id": "cyner2_5class_train_06869", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Fadedoor.287744 Email-Worm.Win32.GOPworm.196 Trojan.Heur.rGWarTuQ32piy Win32.Trojan.WisdomEyes.16070401.9500.9787 W32/Backdoor.MAW Backdoor.Trojan Backdoor.Win32.Fadedoor.a Trojan.Win32.Fadedoor.frpv Backdoor.Win32.Fadedoor.287744 Backdoor.W32.Fadedoor.a!c Backdoor.Win32.Fadedoor.10 BackDoor.Fade.10 Backdoor.Fadedoor.Win32.22 W32/Backdoor.THLZ-3240 Backdoor/Fadedoor.i BDS/Fade.10.Srv1 Trojan[Backdoor]/Win32.Fadedoor Win32.Hack.Fadedoor.a.kcloud Backdoor:Win32/Fakedoor.B Backdoor.Win32.Fadedoor.a Worm/Win32.IRCBot.R67641 Email-Worm.Win32.GOPworm.196 TScope.Trojan.Delf Bck/Fadedoor.A Win32.Backdoor.Fadedoor.Efue Backdoor.Fadedoor!nYSsZcqQ6hQ W32/Fadedoor.A!tr Win32/Trojan.fd1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Fadedoor.287744": [[26, 54]], "Indicator: Email-Worm.Win32.GOPworm.196": [[55, 83], [565, 593]], "Indicator: Trojan.Heur.rGWarTuQ32piy": [[84, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9787": [[110, 152]], "Indicator: W32/Backdoor.MAW": [[153, 169]], "Indicator: Backdoor.Trojan": [[170, 185]], "Indicator: Backdoor.Win32.Fadedoor.a": [[186, 211], [514, 539]], "Indicator: Trojan.Win32.Fadedoor.frpv": [[212, 238]], "Indicator: Backdoor.Win32.Fadedoor.287744": [[239, 269]], "Indicator: Backdoor.W32.Fadedoor.a!c": [[270, 295]], "Indicator: Backdoor.Win32.Fadedoor.10": [[296, 322]], "Indicator: BackDoor.Fade.10": [[323, 339]], "Indicator: Backdoor.Fadedoor.Win32.22": [[340, 366]], "Indicator: W32/Backdoor.THLZ-3240": [[367, 389]], "Indicator: Backdoor/Fadedoor.i": [[390, 409]], "Indicator: BDS/Fade.10.Srv1": [[410, 426]], "Indicator: Trojan[Backdoor]/Win32.Fadedoor": [[427, 458]], "Indicator: Win32.Hack.Fadedoor.a.kcloud": [[459, 487]], "Indicator: Backdoor:Win32/Fakedoor.B": [[488, 513]], "Indicator: Worm/Win32.IRCBot.R67641": [[540, 564]], "Indicator: TScope.Trojan.Delf": [[594, 612]], "Indicator: Bck/Fadedoor.A": [[613, 627]], "Indicator: 
Win32.Backdoor.Fadedoor.Efue": [[628, 656]], "Indicator: Backdoor.Fadedoor!nYSsZcqQ6hQ": [[657, 686]], "Indicator: W32/Fadedoor.A!tr": [[687, 704]], "Indicator: Win32/Trojan.fd1": [[705, 721]]}, "info": {"id": "cyner2_5class_train_06870", "source": "cyner2_5class_train"}} +{"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext .", "spans": {}, "info": {"id": "cyner2_5class_train_06871", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.VB.lvv W32/Downldr2.FUOC DLoader.APBLQ TROJ_SPNR.07L611 Win32.HEURCrypted Trojan.Downloader-71476 Trojan-Downloader.Win32.VB.lwz Trojan.DL.VB!n7YxP+4/z6k Trojan.Win32.Downloader.94208.EO Virus.Win32.Heur.k TrojWare.Win32.Trojan.VB.~BVZ Trojan.DownLoad1.50365 TROJ_SPNR.0CA512 TrojanDownloader.VB.rbu Win32.TrojDownloader.VB.kcloud W32/Downloader.RCLB-8389 Win-Trojan/Xema.variant TrojanDownloader.VB Trojan-Downloader.Win32.VB W32/VB.LVV!tr.dldr Trj/Downloader.VVG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.VB.lvv": [[26, 50]], "Indicator: W32/Downldr2.FUOC": [[51, 68]], "Indicator: DLoader.APBLQ": [[69, 82]], "Indicator: TROJ_SPNR.07L611": [[83, 99]], "Indicator: Win32.HEURCrypted": [[100, 117]], "Indicator: Trojan.Downloader-71476": [[118, 141]], "Indicator: Trojan-Downloader.Win32.VB.lwz": [[142, 172]], "Indicator: Trojan.DL.VB!n7YxP+4/z6k": [[173, 197]], "Indicator: Trojan.Win32.Downloader.94208.EO": [[198, 230]], "Indicator: Virus.Win32.Heur.k": [[231, 249]], "Indicator: TrojWare.Win32.Trojan.VB.~BVZ": [[250, 279]], "Indicator: Trojan.DownLoad1.50365": [[280, 302]], "Indicator: TROJ_SPNR.0CA512": [[303, 319]], "Indicator: TrojanDownloader.VB.rbu": [[320, 343]], "Indicator: Win32.TrojDownloader.VB.kcloud": [[344, 374]], "Indicator: W32/Downloader.RCLB-8389": [[375, 399]], "Indicator: Win-Trojan/Xema.variant": [[400, 423]], "Indicator: TrojanDownloader.VB": [[424, 443]], "Indicator: 
Trojan-Downloader.Win32.VB": [[444, 470]], "Indicator: W32/VB.LVV!tr.dldr": [[471, 489]], "Indicator: Trj/Downloader.VVG": [[490, 508]]}, "info": {"id": "cyner2_5class_train_06872", "source": "cyner2_5class_train"}} +{"text": "AsyncRAT is a popular malware commodity and tools used by attackers to gain access to targeted hosts or networks, including those using Microsoft's OneNote email address.", "spans": {"Malware: AsyncRAT": [[0, 8]], "Malware: malware": [[22, 29]], "Malware: tools": [[44, 49]], "System: networks,": [[104, 113]], "System: Microsoft's OneNote": [[136, 155]], "Indicator: email address.": [[156, 170]]}, "info": {"id": "cyner2_5class_train_06873", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Razy.D1D44E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D1D44E": [[26, 44]]}, "info": {"id": "cyner2_5class_train_06874", "source": "cyner2_5class_train"}} +{"text": "JPCERT / CC confirms that a targeted mail with a ZIP file containing an executable file has been sent to domestic organizations around October 2016.", "spans": {"Organization: JPCERT": [[0, 6]], "Organization: CC": [[9, 11]], "Indicator: mail": [[37, 41]], "Indicator: ZIP file": [[49, 57]], "Indicator: executable file": [[72, 87]], "Organization: domestic organizations": [[105, 127]]}, "info": {"id": "cyner2_5class_train_06875", "source": "cyner2_5class_train"}} +{"text": "Typically , it is a message saying that the user has received a money transfer , and that they must enter their bank card details so the money can be transferred to their account .", "spans": {}, "info": {"id": "cyner2_5class_train_06876", "source": "cyner2_5class_train"}} +{"text": "Recently, we have discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone.", "spans": {"System: Android apps on Google Play": [[33, 60]], "Indicator: 
tiny hidden IFrames": [[75, 94]], "Indicator: malicious domains": [[108, 125]], "Indicator: local HTML pages,": [[135, 152]]}, "info": {"id": "cyner2_5class_train_06877", "source": "cyner2_5class_train"}} +{"text": "The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations.", "spans": {"Organization: CTU researchers": [[56, 71]], "Indicator: obtaining confidential data": [[101, 128]], "Organization: defense": [[132, 139]], "Organization: industry": [[189, 197]], "Indicator: attacking": [[212, 221]], "Organization: organizations": [[222, 235]], "Organization: international relations.": [[248, 272]]}, "info": {"id": "cyner2_5class_train_06878", "source": "cyner2_5class_train"}} +{"text": "] 190:8822 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner2_5class_train_06879", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9607 Trojan.Win32.DownLoad4.exjknn Trojan.DownLoad4.114 Trojan/Win32.Cerber.R219560 Trojan.BitCoinMiner Trojan.Zusy.D42D87 Trj/CI.A Win32/Trojan.5a2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9607": [[26, 68]], "Indicator: Trojan.Win32.DownLoad4.exjknn": [[69, 98]], "Indicator: Trojan.DownLoad4.114": [[99, 119]], "Indicator: Trojan/Win32.Cerber.R219560": [[120, 147]], "Indicator: Trojan.BitCoinMiner": [[148, 167]], "Indicator: Trojan.Zusy.D42D87": [[168, 186]], "Indicator: Trj/CI.A": [[187, 195]], "Indicator: Win32/Trojan.5a2": [[196, 212]]}, "info": {"id": "cyner2_5class_train_06880", "source": "cyner2_5class_train"}} +{"text": "The attackers used compromised websites or watering holes to infect pre-selected targets with previously unknown malware.", "spans": {"Indicator: compromised websites": [[19, 39]], 
"Indicator: watering holes": [[43, 57]], "Malware: unknown malware.": [[105, 121]]}, "info": {"id": "cyner2_5class_train_06881", "source": "cyner2_5class_train"}} +{"text": "Structure of data sent to the server : To begin with , the Trojan sends information about the device to the server : In response , the server sends the code of the command for execution ( “ command ” ) , its parameters ( “ params ” ) , and the time delay before execution ( “ waitrun ” in milliseconds ) .", "spans": {}, "info": {"id": "cyner2_5class_train_06882", "source": "cyner2_5class_train"}} +{"text": "On the C2 panel , we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech .", "spans": {"Organization: Wolf Research": [[52, 65]], "Organization: Coralco Tech": [[104, 116]]}, "info": {"id": "cyner2_5class_train_06883", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Downloader.Kather.e Win32.Trojan.WisdomEyes.16070401.9500.9855 W32/Downldr2.ANMO Backdoor.Trojan WORM_POSAM.A Win.Trojan.Kather-1 Trojan-Downloader.Win32.Kather.e Trojan.Win32.Kather.dips Win32.Trojan-downloader.Kather.Tdfl TrojWare.Win32.TrojanDownloader.Kather.E Trojan.Kather.43661 Downloader.Kather.Win32.6 WORM_POSAM.A W32/Downloader.KXIZ-5728 Trojan/Kather.i TR/Dldr.Kather.E Trojan[Downloader]/Win32.Kather Win32.TrojDownloader.Kather.e.kcloud Troj.Downloader.W32.Kather.e!c Trojan-Downloader.Win32.Kather.e TrojanDownloader:Win32/Kather.E Win32/TrojanDownloader.Kather.E Trojan.DL.Kather!WhdeU9hib+w W32/Kather.A!tr.dldr Win32/Trojan.b64", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Kather.e": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9855": [[53, 95]], "Indicator: W32/Downldr2.ANMO": [[96, 113]], "Indicator: Backdoor.Trojan": [[114, 129]], "Indicator: WORM_POSAM.A": [[130, 142], [344, 356]], "Indicator: Win.Trojan.Kather-1": [[143, 162]], "Indicator: Trojan-Downloader.Win32.Kather.e": [[163, 195], [515, 547]], 
"Indicator: Trojan.Win32.Kather.dips": [[196, 220]], "Indicator: Win32.Trojan-downloader.Kather.Tdfl": [[221, 256]], "Indicator: TrojWare.Win32.TrojanDownloader.Kather.E": [[257, 297]], "Indicator: Trojan.Kather.43661": [[298, 317]], "Indicator: Downloader.Kather.Win32.6": [[318, 343]], "Indicator: W32/Downloader.KXIZ-5728": [[357, 381]], "Indicator: Trojan/Kather.i": [[382, 397]], "Indicator: TR/Dldr.Kather.E": [[398, 414]], "Indicator: Trojan[Downloader]/Win32.Kather": [[415, 446]], "Indicator: Win32.TrojDownloader.Kather.e.kcloud": [[447, 483]], "Indicator: Troj.Downloader.W32.Kather.e!c": [[484, 514]], "Indicator: TrojanDownloader:Win32/Kather.E": [[548, 579]], "Indicator: Win32/TrojanDownloader.Kather.E": [[580, 611]], "Indicator: Trojan.DL.Kather!WhdeU9hib+w": [[612, 640]], "Indicator: W32/Kather.A!tr.dldr": [[641, 661]], "Indicator: Win32/Trojan.b64": [[662, 678]]}, "info": {"id": "cyner2_5class_train_06884", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.VBTipocadLTJ.Trojan Trojan/W32.Reconyc.95744 Trojan.Reconyc Trojan.Win32.Reconyc.ghqx Trojan.Win64.Reconyc.ewbtpt Troj.W32.Reconyc.tnqK BehavesLike.Win64.Downloader.nh Trojan.Win32.Reconyc TR/Dropper.onknt TrojanDownloader:Win32/Reconyc.B!bit Trojan.Win32.Reconyc.ghqx Trojan/Win64.Reconyc.C1746256 Trojan.Reconyc Trojan.Reconyc Trj/CI.A VBS/Kryptik.D Win32.Trojan.Reconyc.Hwdh Trojan.Reconyc! 
Win32/Trojan.658", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VBTipocadLTJ.Trojan": [[26, 49]], "Indicator: Trojan/W32.Reconyc.95744": [[50, 74]], "Indicator: Trojan.Reconyc": [[75, 89], [329, 343], [344, 358]], "Indicator: Trojan.Win32.Reconyc.ghqx": [[90, 115], [273, 298]], "Indicator: Trojan.Win64.Reconyc.ewbtpt": [[116, 143]], "Indicator: Troj.W32.Reconyc.tnqK": [[144, 165]], "Indicator: BehavesLike.Win64.Downloader.nh": [[166, 197]], "Indicator: Trojan.Win32.Reconyc": [[198, 218]], "Indicator: TR/Dropper.onknt": [[219, 235]], "Indicator: TrojanDownloader:Win32/Reconyc.B!bit": [[236, 272]], "Indicator: Trojan/Win64.Reconyc.C1746256": [[299, 328]], "Indicator: Trj/CI.A": [[359, 367]], "Indicator: VBS/Kryptik.D": [[368, 381]], "Indicator: Win32.Trojan.Reconyc.Hwdh": [[382, 407]], "Indicator: Trojan.Reconyc!": [[408, 423]], "Indicator: Win32/Trojan.658": [[424, 440]]}, "info": {"id": "cyner2_5class_train_06885", "source": "cyner2_5class_train"}} +{"text": "We discovered this China-based third-party iOS app store aggressively promoting their repackaged apps in social network channels—YouTube, Facebook, Google+, and Twitter—banking on the popularity of games and apps such as Minecraft, Terraria, and Instagram to lure users into downloading them.", "spans": {"System: China-based third-party iOS app store": [[19, 56]], "Indicator: repackaged apps": [[86, 101]], "System: channels—YouTube, Facebook, Google+,": [[120, 156]], "System: Twitter—banking": [[161, 176]], "System: games": [[198, 203]], "System: apps": [[208, 212]], "System: Minecraft, Terraria,": [[221, 241]], "System: Instagram": [[246, 255]]}, "info": {"id": "cyner2_5class_train_06886", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sirefef.A Trojan.CoinMiner.Win32.474 Trojan.Kazy.D54A3A Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Limitail Trojan.Win32.Yakes.cvappu Troj.W32.Yakes.egne!c Trojan.BtcMine.148 BehavesLike.Win32.Downloader.fh 
Trojan.Win32.CoinMiner W32/Trojan.XYUN-7891 Trojan/Yakes.mzh TR/Rogue.1594174 Trojan/Win32.Yakes Trojan:Win32/Kraziomel.D Trojan/Win32.Yakes.C284072 Trojan.TDSS.01414 Win32/CoinMiner.CF Trojan.Yakes!WgDSy6aOE8s W32/Kryptik.EXA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sirefef.A": [[26, 42]], "Indicator: Trojan.CoinMiner.Win32.474": [[43, 69]], "Indicator: Trojan.Kazy.D54A3A": [[70, 88]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[89, 131]], "Indicator: Infostealer.Limitail": [[132, 152]], "Indicator: Trojan.Win32.Yakes.cvappu": [[153, 178]], "Indicator: Troj.W32.Yakes.egne!c": [[179, 200]], "Indicator: Trojan.BtcMine.148": [[201, 219]], "Indicator: BehavesLike.Win32.Downloader.fh": [[220, 251]], "Indicator: Trojan.Win32.CoinMiner": [[252, 274]], "Indicator: W32/Trojan.XYUN-7891": [[275, 295]], "Indicator: Trojan/Yakes.mzh": [[296, 312]], "Indicator: TR/Rogue.1594174": [[313, 329]], "Indicator: Trojan/Win32.Yakes": [[330, 348]], "Indicator: Trojan:Win32/Kraziomel.D": [[349, 373]], "Indicator: Trojan/Win32.Yakes.C284072": [[374, 400]], "Indicator: Trojan.TDSS.01414": [[401, 418]], "Indicator: Win32/CoinMiner.CF": [[419, 437]], "Indicator: Trojan.Yakes!WgDSy6aOE8s": [[438, 462]], "Indicator: W32/Kryptik.EXA!tr": [[463, 481]]}, "info": {"id": "cyner2_5class_train_06887", "source": "cyner2_5class_train"}} +{"text": "This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments ( sandboxes ) and on the test devices of malware analysts .", "spans": {}, "info": {"id": "cyner2_5class_train_06888", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.NSIS.Androm.8 Troj.Nsis.Androm!c Win32.Trojan.WisdomEyes.16070401.9500.9791 Ransom.Rokku Ransom_.97182692 Zum.Ransom.NSIS.Cerber.1 Trojan-Ransom.Win32.Zcryptor.g Trojan.NSIS.Androm.8 Trojan.Win32.Inject.evkooj Trojan.Win32.Z.Injector.697990 Ransom_.97182692 BehavesLike.Win32.Ransom.jc Trojan.Win32.Injector 
Ransom:Win32/ZCryptor.A Trojan-Ransom.Win32.Zcryptor.g Trojan-Ransom.Zcryptor Trj/CI.A Zum.Ransom.NSIS.Cerber.1 Win32.Trojan.Zcryptor.Lndy Win32/Trojan.Ransom.a9f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.NSIS.Androm.8": [[26, 46], [195, 215]], "Indicator: Troj.Nsis.Androm!c": [[47, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9791": [[66, 108]], "Indicator: Ransom.Rokku": [[109, 121]], "Indicator: Ransom_.97182692": [[122, 138], [274, 290]], "Indicator: Zum.Ransom.NSIS.Cerber.1": [[139, 163], [428, 452]], "Indicator: Trojan-Ransom.Win32.Zcryptor.g": [[164, 194], [365, 395]], "Indicator: Trojan.Win32.Inject.evkooj": [[216, 242]], "Indicator: Trojan.Win32.Z.Injector.697990": [[243, 273]], "Indicator: BehavesLike.Win32.Ransom.jc": [[291, 318]], "Indicator: Trojan.Win32.Injector": [[319, 340]], "Indicator: Ransom:Win32/ZCryptor.A": [[341, 364]], "Indicator: Trojan-Ransom.Zcryptor": [[396, 418]], "Indicator: Trj/CI.A": [[419, 427]], "Indicator: Win32.Trojan.Zcryptor.Lndy": [[453, 479]], "Indicator: Win32/Trojan.Ransom.a9f": [[480, 503]]}, "info": {"id": "cyner2_5class_train_06889", "source": "cyner2_5class_train"}} +{"text": "Slowly putting the pieces together, the global picture began to take shape, exposing a massive adware campaign affecting approximately half a million users.", "spans": {"Organization: half a million users.": [[135, 156]]}, "info": {"id": "cyner2_5class_train_06890", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.Banker.DF Android.Trojan.Banker.DF Other:Android.Reputation.2 Infostealer.Bancos Android.Trojan.Banker.DF HEUR:Trojan-Banker.AndroidOS.Svpeng.q A.H.Pri.SvPeng.E Trojan.Android.Banker.egowei Trojan:Android/InfoStealer.CM Android.Banker.70.origin ZIP/Trojan.IGVK-5 Android.Trojan.Banker.DF Android-Trojan/Svpeng.3becd HEUR:Trojan-Banker.AndroidOS.Svpeng.q Trojan.AndroidOS.Banker.A a.expense.fakeinstall.b Trojan-Banker.AndroidOS.Svpeng", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: Android.Trojan.Banker.DF": [[26, 50], [51, 75], [122, 146], [304, 328]], "Indicator: Other:Android.Reputation.2": [[76, 102]], "Indicator: Infostealer.Bancos": [[103, 121]], "Indicator: HEUR:Trojan-Banker.AndroidOS.Svpeng.q": [[147, 184], [357, 394]], "Indicator: A.H.Pri.SvPeng.E": [[185, 201]], "Indicator: Trojan.Android.Banker.egowei": [[202, 230]], "Indicator: Trojan:Android/InfoStealer.CM": [[231, 260]], "Indicator: Android.Banker.70.origin": [[261, 285]], "Indicator: ZIP/Trojan.IGVK-5": [[286, 303]], "Indicator: Android-Trojan/Svpeng.3becd": [[329, 356]], "Indicator: Trojan.AndroidOS.Banker.A": [[395, 420]], "Indicator: a.expense.fakeinstall.b": [[421, 444]], "Indicator: Trojan-Banker.AndroidOS.Svpeng": [[445, 475]]}, "info": {"id": "cyner2_5class_train_06891", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.MSIL Trojan.SpamThru Trojan.DownLoader25.28452 BehavesLike.Win32.Trojan.wm TR/Dropper.MSIL.qtean Backdoor:VBS/Sisbot.A Trojan.MSIL.Androm.9 Trojan/Win32.Sisbot.R216242 Trj/GdSda.A MSIL/Dropper.XXX!tr Win32/Trojan.b5b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.MSIL": [[26, 39]], "Indicator: Trojan.SpamThru": [[40, 55]], "Indicator: Trojan.DownLoader25.28452": [[56, 81]], "Indicator: BehavesLike.Win32.Trojan.wm": [[82, 109]], "Indicator: TR/Dropper.MSIL.qtean": [[110, 131]], "Indicator: Backdoor:VBS/Sisbot.A": [[132, 153]], "Indicator: Trojan.MSIL.Androm.9": [[154, 174]], "Indicator: Trojan/Win32.Sisbot.R216242": [[175, 202]], "Indicator: Trj/GdSda.A": [[203, 214]], "Indicator: MSIL/Dropper.XXX!tr": [[215, 234]], "Indicator: Win32/Trojan.b5b": [[235, 251]]}, "info": {"id": "cyner2_5class_train_06892", "source": "cyner2_5class_train"}} +{"text": "Functionality After starting , DEFENSOR ID requests the following permissions : allow modify system settings permit drawing over other apps , and activate accessibility services .", "spans": {"Malware: DEFENSOR ID": [[31, 42]]}, "info": {"id": 
"cyner2_5class_train_06893", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.A728 Trojan.PWS.OnlineGames.AADX Trojan-GameThief.Win32.OnLineGames!O Trojan.PWS.OnlineGames.AADX Trojan/OnLineGames.snrt Win32.Trojan.WisdomEyes.16070401.9500.9990 Infostealer.Gampass TROJ_SYSTEMHI.IM Win.Spyware.50098-2 Trojan-GameThief.Win32.OnLineGames.snrt Trojan.PWS.OnlineGames.AADX Trojan.Win32.Drop.bbdxzx Trojan.PWS.OnlineGames.AADX Trojan.PWS.OnlineGames.AADX Trojan.MulDrop.21159 TROJ_SYSTEMHI.IM Backdoor/Bifrose.jhl Trojan[GameThief]/Win32.OnLineGames Trojan.PWS.OnlineGames.AADX Trojan.Win32.PSWIGames.21508 Trojan-GameThief.Win32.OnLineGames.snrt Trojan.PWS.OnlineGames.AADX Trojan/Win32.OnlineGameHack.R10533 Win32.Trojan-GameThief.Onlinegames.cruv Trojan-PWS.LDPinch", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.A728": [[26, 43]], "Indicator: Trojan.PWS.OnlineGames.AADX": [[44, 71], [109, 136], [301, 328], [354, 381], [382, 409], [505, 532], [602, 629]], "Indicator: Trojan-GameThief.Win32.OnLineGames!O": [[72, 108]], "Indicator: Trojan/OnLineGames.snrt": [[137, 160]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[161, 203]], "Indicator: Infostealer.Gampass": [[204, 223]], "Indicator: TROJ_SYSTEMHI.IM": [[224, 240], [431, 447]], "Indicator: Win.Spyware.50098-2": [[241, 260]], "Indicator: Trojan-GameThief.Win32.OnLineGames.snrt": [[261, 300], [562, 601]], "Indicator: Trojan.Win32.Drop.bbdxzx": [[329, 353]], "Indicator: Trojan.MulDrop.21159": [[410, 430]], "Indicator: Backdoor/Bifrose.jhl": [[448, 468]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[469, 504]], "Indicator: Trojan.Win32.PSWIGames.21508": [[533, 561]], "Indicator: Trojan/Win32.OnlineGameHack.R10533": [[630, 664]], "Indicator: Win32.Trojan-GameThief.Onlinegames.cruv": [[665, 704]], "Indicator: Trojan-PWS.LDPinch": [[705, 723]]}, "info": {"id": "cyner2_5class_train_06894", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
Backdoor.Androm.A5 Win32.Trojan.WisdomEyes.16070401.9500.9994 Virus.W32.Rootkit!c Trojan.Inject2.30717 Trojan.Kryptik.Win32.1154178 Trojan.Win32.Crypt Trojan.Scarsi.ait Trojan/Win32.Scarsi Trojan.Win32.Z.Kryptik.563972 W32/Dorkbot.B!tr Win32/RootKit.Rootkit.7e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Androm.A5": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[45, 87]], "Indicator: Virus.W32.Rootkit!c": [[88, 107]], "Indicator: Trojan.Inject2.30717": [[108, 128]], "Indicator: Trojan.Kryptik.Win32.1154178": [[129, 157]], "Indicator: Trojan.Win32.Crypt": [[158, 176]], "Indicator: Trojan.Scarsi.ait": [[177, 194]], "Indicator: Trojan/Win32.Scarsi": [[195, 214]], "Indicator: Trojan.Win32.Z.Kryptik.563972": [[215, 244]], "Indicator: W32/Dorkbot.B!tr": [[245, 261]], "Indicator: Win32/RootKit.Rootkit.7e5": [[262, 287]]}, "info": {"id": "cyner2_5class_train_06895", "source": "cyner2_5class_train"}} +{"text": "Microsoft refers to this family of malware as Sarvdap, however it must be noted that the detection appears somewhat generic.", "spans": {"Organization: Microsoft": [[0, 9]], "Malware: malware": [[35, 42]], "Malware: Sarvdap,": [[46, 54]]}, "info": {"id": "cyner2_5class_train_06896", "source": "cyner2_5class_train"}} +{"text": "FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015.", "spans": {}, "info": {"id": "cyner2_5class_train_06897", "source": "cyner2_5class_train"}} +{"text": "As already stated in the ‘ malware features ’ part , there are multiple giveaways in the code .", "spans": {}, "info": {"id": "cyner2_5class_train_06898", "source": "cyner2_5class_train"}} +{"text": "'' For each interaction , the malware will check if the generator is a package that belongs to the anti-virus list , the malware will abuse another feature of the Accessibility API .", "spans": {"System: Accessibility API": [[163, 180]]}, "info": {"id": "cyner2_5class_train_06899", 
"source": "cyner2_5class_train"}} +{"text": "The set of permissions required by Marcher according to the manifest is as follows : ∗ android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) ∗ android.permission.SEND_SMS ( send SMS messages ) ∗ android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) ∗ android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) ∗ android.permission.INTERNET ( communicate with the internet ) ∗ android.permission.VIBRATE ( control the vibrator ) ∗ android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) ∗ android.permission.WRITE_SMS ( edit/delete SMS ) ∗ android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) ∗ android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) ∗ android.permission.GET_TASKS ( retrieve running applications ) ∗ android.permission.CALL_PHONE ( call phone numbers ) ∗ android.permission.WRITE_SETTINGS ( read/write global system settings ) ∗ android.permission.RECEIVE_SMS ( intercept SMS messages ) ∗ android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) ∗ android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) ∗ android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS ( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined .", "spans": {"Malware: Marcher": [[35, 42]], "Indicator: android.permission.CHANGE_NETWORK_STATE": [[87, 126]], "Indicator: android.permission.SEND_SMS": [[167, 194]], "Indicator: android.permission.USES_POLICY_FORCE_LOCK": [[219, 260]], "Indicator: android.permission.RECEIVE_BOOT_COMPLETED": [[283, 324]], "Indicator: android.permission.INTERNET": [[363, 390]], "Indicator: android.permission.VIBRATE": [[427, 453]], "Indicator: android.permission.ACCESS_WIFI_STATE": 
[[481, 517]], "Indicator: android.permission.WRITE_SMS": [[567, 595]], "Indicator: android.permission.ACCESS_NETWORK_STATE": [[618, 657]], "Indicator: android.permission.WAKE_LOCK": [[696, 724]], "Indicator: android.permission.GET_TASKS": [[769, 797]], "Indicator: android.permission.CALL_PHONE": [[834, 863]], "Indicator: android.permission.WRITE_SETTINGS": [[889, 922]], "Indicator: android.permission.RECEIVE_SMS": [[963, 993]], "Indicator: android.permission.READ_PHONE_STATE": [[1023, 1058]], "Indicator: android.permission.CHANGE_WIFI_STATE": [[1137, 1173]], "Indicator: android.permission.READ_CONTACTS": [[1266, 1298]], "Indicator: android.permission.READ_SMS": [[1327, 1354]]}, "info": {"id": "cyner2_5class_train_06900", "source": "cyner2_5class_train"}} +{"text": "In December 2015, Chinese users reported they were infected by this malware.", "spans": {"Organization: Chinese users": [[18, 31]], "Malware: malware.": [[68, 76]]}, "info": {"id": "cyner2_5class_train_06901", "source": "cyner2_5class_train"}} +{"text": "We took a look at the malware specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor.", "spans": {"Malware: malware": [[22, 29]]}, "info": {"id": "cyner2_5class_train_06902", "source": "cyner2_5class_train"}} +{"text": "New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base.", "spans": {"Malware: Terracotta": [[101, 111]], "System: user-base.": [[112, 122]]}, "info": {"id": "cyner2_5class_train_06903", "source": "cyner2_5class_train"}} +{"text": "With the prevalence of Google Android smartphones and the popularity of feature-rich apps, more and more people rely on smartphones to store and handle kinds of personal and business information which attracts adversaries who want to steal that information.", "spans": {"Organization: Google": [[23, 29]], "System: Android smartphones": [[30, 49]], "Indicator: apps,": [[85, 90]], 
"System: smartphones": [[120, 131]], "Indicator: personal and business information": [[161, 194]], "Indicator: steal that information.": [[234, 257]]}, "info": {"id": "cyner2_5class_train_06904", "source": "cyner2_5class_train"}} +{"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team .", "spans": {"System: Flash": [[76, 81]], "Organization: Hacking Team": [[102, 114]]}, "info": {"id": "cyner2_5class_train_06905", "source": "cyner2_5class_train"}} +{"text": "Zen apps gain access to root permissions from a rooting trojan in its infection chain .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner2_5class_train_06906", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Zbot.VA3 Trojan.Tofsee Trojan/Injector.ccfi TROJ_HPVB.SM6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom.Kovter TROJ_HPVB.SM6 Trojan.Win32.Inject.wlzt Trojan.Win32.Inject.dwzyvq Troj.W32.Inject.tnFQ Trojan.Kovter.69 Trojan.Inject.Win32.168460 Trojan.Win32.Injector Trojan/Inject.baac Trojan/Win32.Inject Trojan.Symmi.DCC5C Trojan.Win32.Inject.wlzt Trojan/Win32.Kovter.R153629 Trojan.Inject Trojan.Inject!3ypDMCpDv7Y W32/Injector.CEEO!tr Win32/Trojan.Dropper.43b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Zbot.VA3": [[26, 44]], "Indicator: Trojan.Tofsee": [[45, 58]], "Indicator: Trojan/Injector.ccfi": [[59, 79]], "Indicator: TROJ_HPVB.SM6": [[80, 93], [151, 164]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[94, 136]], "Indicator: Ransom.Kovter": [[137, 150]], "Indicator: Trojan.Win32.Inject.wlzt": [[165, 189], [362, 386]], "Indicator: Trojan.Win32.Inject.dwzyvq": [[190, 216]], "Indicator: Troj.W32.Inject.tnFQ": [[217, 237]], "Indicator: Trojan.Kovter.69": [[238, 254]], "Indicator: Trojan.Inject.Win32.168460": [[255, 281]], "Indicator: Trojan.Win32.Injector": [[282, 303]], "Indicator: Trojan/Inject.baac": [[304, 322]], "Indicator: Trojan/Win32.Inject": [[323, 
342]], "Indicator: Trojan.Symmi.DCC5C": [[343, 361]], "Indicator: Trojan/Win32.Kovter.R153629": [[387, 414]], "Indicator: Trojan.Inject": [[415, 428]], "Indicator: Trojan.Inject!3ypDMCpDv7Y": [[429, 454]], "Indicator: W32/Injector.CEEO!tr": [[455, 475]], "Indicator: Win32/Trojan.Dropper.43b": [[476, 500]]}, "info": {"id": "cyner2_5class_train_06907", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Mytob Win32.Trojan.WisdomEyes.16070401.9500.9860 W32/Trojan.DMPW-1529 Net-Worm.Win32.Mytob.lsk Trojan.Win32.Win32.dchvpv Trojan.Win32.Z.Mytob.27648 Net.Worm.W32.Mytob!c Trojan.Win32.Clicker!BT Worm/Mytob.als TR/Clicker.ofeiu Worm[Net]/Win32.Mytob Net-Worm.Win32.Mytob.lsk TrojanClicker:MSIL/Doviali.A Worm/Win32.Mytob.C84872 Trojan.Win32.Clicker!BT Net-Worm.Mytob Trojan.MSIL.TrojanClicker W32/MyTob.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Mytob": [[26, 36]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9860": [[37, 79]], "Indicator: W32/Trojan.DMPW-1529": [[80, 100]], "Indicator: Net-Worm.Win32.Mytob.lsk": [[101, 125], [278, 302]], "Indicator: Trojan.Win32.Win32.dchvpv": [[126, 151]], "Indicator: Trojan.Win32.Z.Mytob.27648": [[152, 178]], "Indicator: Net.Worm.W32.Mytob!c": [[179, 199]], "Indicator: Trojan.Win32.Clicker!BT": [[200, 223], [356, 379]], "Indicator: Worm/Mytob.als": [[224, 238]], "Indicator: TR/Clicker.ofeiu": [[239, 255]], "Indicator: Worm[Net]/Win32.Mytob": [[256, 277]], "Indicator: TrojanClicker:MSIL/Doviali.A": [[303, 331]], "Indicator: Worm/Win32.Mytob.C84872": [[332, 355]], "Indicator: Net-Worm.Mytob": [[380, 394]], "Indicator: Trojan.MSIL.TrojanClicker": [[395, 420]], "Indicator: W32/MyTob.A!tr": [[421, 435]]}, "info": {"id": "cyner2_5class_train_06908", "source": "cyner2_5class_train"}} +{"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it .", "spans": {"System: iOS": [[38, 41]]}, "info": {"id": 
"cyner2_5class_train_06909", "source": "cyner2_5class_train"}} +{"text": "Top 20 countries targeted by Hummingbad/Shedun .", "spans": {"Malware: Hummingbad/Shedun": [[29, 46]]}, "info": {"id": "cyner2_5class_train_06910", "source": "cyner2_5class_train"}} +{"text": "We encourage Android users to validate whether their accounts have been breached .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "cyner2_5class_train_06911", "source": "cyner2_5class_train"}} +{"text": "Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps.", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: ANDROIDOS_SOCKSBOT.A": [[28, 48]], "Malware: 3,000 Trojanized apps.": [[72, 94]]}, "info": {"id": "cyner2_5class_train_06912", "source": "cyner2_5class_train"}} +{"text": "Communication between both Trojans and their C & C servers is based on the same principle , the relative addresses to which Trojans send network requests are generated in a similar manner , and the set of possible commands that the two Trojans can perform also overlaps .", "spans": {}, "info": {"id": "cyner2_5class_train_06913", "source": "cyner2_5class_train"}} +{"text": "This post analyzes targeted malware attacks against groups in the Tibetan diaspora and pro-democracy groups in Hong Kong.", "spans": {"Malware: malware attacks": [[28, 43]]}, "info": {"id": "cyner2_5class_train_06914", "source": "cyner2_5class_train"}} +{"text": "We believe that , when it is officially released , it will most likely be uploaded to rogue APK stores and other shady websites , while masquerading as real applications .", "spans": {}, "info": {"id": "cyner2_5class_train_06915", "source": "cyner2_5class_train"}} +{"text": "This particular strain of Adware was found in 206 applications , and the combined download count has reached almost 150 million .", "spans": {}, "info": {"id": "cyner2_5class_train_06916", "source": "cyner2_5class_train"}} +{"text": "] com overlaps with PlugX , Zupdax 
, and Poison Ivy malware families discussed in more detail later .", "spans": {"Malware: PlugX": [[20, 25]], "Malware: Zupdax": [[28, 34]], "Malware: Poison Ivy": [[41, 51]]}, "info": {"id": "cyner2_5class_train_06917", "source": "cyner2_5class_train"}} +{"text": "In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target's webmail credentials.", "spans": {"Organization: individuals": [[57, 68]], "Indicator: phishing emails": [[74, 89]], "Indicator: target's webmail credentials.": [[119, 148]]}, "info": {"id": "cyner2_5class_train_06918", "source": "cyner2_5class_train"}} +{"text": "On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit a.k.a. XswKit malware.", "spans": {"Organization: Cyphort Labs": [[20, 32]], "Indicator: site": [[46, 50]], "Malware: Angler EK": [[65, 74]], "Indicator: fileless": [[88, 96]], "Malware: Gootkit": [[97, 104]], "Malware: XswKit malware.": [[112, 127]]}, "info": {"id": "cyner2_5class_train_06919", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Foosace Trojan.Sofacy.C TSPY_SEDNIT.A Trojan.Win32.Z.Graftor.81408.L TSPY_SEDNIT.A W32/Trojan.GBLK-5942 Trojan:Win32/Foosace.K!dha Trojan/Win32.Sednit.R155481 Win32/Sednit.C Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Foosace": [[26, 40]], "Indicator: Trojan.Sofacy.C": [[41, 56]], "Indicator: TSPY_SEDNIT.A": [[57, 70], [102, 115]], "Indicator: Trojan.Win32.Z.Graftor.81408.L": [[71, 101]], "Indicator: W32/Trojan.GBLK-5942": [[116, 136]], "Indicator: Trojan:Win32/Foosace.K!dha": [[137, 163]], "Indicator: Trojan/Win32.Sednit.R155481": [[164, 191]], "Indicator: Win32/Sednit.C": [[192, 206]], "Indicator: Win32/Trojan.e6d": [[207, 223]]}, "info": {"id": "cyner2_5class_train_06920", "source": "cyner2_5class_train"}} +{"text": "Two prominent lawyers representing the families of three slain Mexican women were sent infection 
attempts with NSO Group's Pegasus spyware", "spans": {"Organization: lawyers": [[14, 21]], "Organization: families": [[39, 47]], "Organization: three slain Mexican women": [[51, 76]], "Indicator: infection attempts": [[87, 105]], "Malware: Pegasus spyware": [[123, 138]]}, "info": {"id": "cyner2_5class_train_06921", "source": "cyner2_5class_train"}} +{"text": "htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in Chinese cyberattackers' campaign against Association of Southeast Asian Nations ASEAN.", "spans": {"Malware: htpRAT,": [[0, 7]], "Organization: RiskIQ cyber investigators,": [[21, 48]], "Malware: weapon": [[63, 69]], "Organization: Association of Southeast Asian Nations ASEAN.": [[114, 159]]}, "info": {"id": "cyner2_5class_train_06922", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 PWS:MSIL/Logbro.A Trojan/Win32.Skeeyah.R207512 MSIL.Backdoor.SRat.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: PWS:MSIL/Logbro.A": [[69, 86]], "Indicator: Trojan/Win32.Skeeyah.R207512": [[87, 115]], "Indicator: MSIL.Backdoor.SRat.A": [[116, 136]]}, "info": {"id": "cyner2_5class_train_06923", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.DP.ED408E Ransom_Delcryset.R055C0DAF18 Trojan-Ransom.Win32.Matrix.qt Trojan.Win32.Matrix.ewhoom Trojan.DownLoader26.4261 Ransom_Delcryset.R055C0DAF18 BehavesLike.Win32.BadFile.dh W32/Trojan.YJSB-6810 TR/AD.RansomHeur.ulxhr Ransom:Win32/Delcryset.A Trojan-Ransom.Win32.Matrix.qt Trj/GdSda.A W32/Filecoder_LockedFile.D!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.DP.ED408E": [[26, 47]], "Indicator: Ransom_Delcryset.R055C0DAF18": [[48, 76], [159, 187]], "Indicator: Trojan-Ransom.Win32.Matrix.qt": [[77, 106], [286, 315]], "Indicator: Trojan.Win32.Matrix.ewhoom": [[107, 133]], "Indicator: Trojan.DownLoader26.4261": [[134, 
158]], "Indicator: BehavesLike.Win32.BadFile.dh": [[188, 216]], "Indicator: W32/Trojan.YJSB-6810": [[217, 237]], "Indicator: TR/AD.RansomHeur.ulxhr": [[238, 260]], "Indicator: Ransom:Win32/Delcryset.A": [[261, 285]], "Indicator: Trj/GdSda.A": [[316, 327]], "Indicator: W32/Filecoder_LockedFile.D!tr": [[328, 357]]}, "info": {"id": "cyner2_5class_train_06924", "source": "cyner2_5class_train"}} +{"text": "Allows an application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner2_5class_train_06925", "source": "cyner2_5class_train"}} +{"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX .", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: ANDROIDOS_XLOADER.HRX": [[29, 50]]}, "info": {"id": "cyner2_5class_train_06926", "source": "cyner2_5class_train"}} +{"text": "As we 've seen with actors like Dark Caracal , this low cost , low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns .", "spans": {"Malware: Dark Caracal": [[32, 44]]}, "info": {"id": "cyner2_5class_train_06927", "source": "cyner2_5class_train"}} +{"text": "These tools include: HKTL_MIMIKATZ, HKTL_FGDUMP, and HKTL_VNCPASSVIEW.", "spans": {"Malware: tools": [[6, 11]], "Indicator: HKTL_MIMIKATZ, HKTL_FGDUMP,": [[21, 48]], "Indicator: HKTL_VNCPASSVIEW.": [[53, 70]]}, "info": {"id": "cyner2_5class_train_06928", "source": "cyner2_5class_train"}} +{"text": "FIN7 is a financially-motivated threat actor targeting large organizations that process payment card data or have a significant point of sale environment.", "spans": {"Organization: organizations": [[61, 74]], "Indicator: process payment card data": [[80, 105]], "System: point of sale environment.": [[128, 154]]}, "info": {"id": "cyner2_5class_train_06929", "source": "cyner2_5class_train"}} +{"text": "This dissimilarity only grew with the further enumeration of other targets, describing a broad targeting across the Middle East 
without wholly implicating any particular interest, despite clear political intent.", "spans": {}, "info": {"id": "cyner2_5class_train_06930", "source": "cyner2_5class_train"}} +{"text": "Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L .", "spans": {"System: Android": [[22, 29]], "Organization: Connexxa S.R.L .": [[96, 112]]}, "info": {"id": "cyner2_5class_train_06931", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.B82E Trojan.Nsis.Dwn.ewrrol BehavesLike.Win32.Vopak.cc Trojan.Inject.acan TrojanDownloader:Win32/Tanske.A!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.B82E": [[26, 42]], "Indicator: Trojan.Nsis.Dwn.ewrrol": [[43, 65]], "Indicator: BehavesLike.Win32.Vopak.cc": [[66, 92]], "Indicator: Trojan.Inject.acan": [[93, 111]], "Indicator: TrojanDownloader:Win32/Tanske.A!bit": [[112, 147]]}, "info": {"id": "cyner2_5class_train_06932", "source": "cyner2_5class_train"}} +{"text": "The malware is responsible for encrypting files on a victim's machine and demanding a ransom via the Bitcoin cryptocurrency.", "spans": {"Malware: malware": [[4, 11]], "Indicator: encrypting files": [[31, 47]], "System: victim's machine": [[53, 69]], "Indicator: ransom": [[86, 92]]}, "info": {"id": "cyner2_5class_train_06933", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ekidoa.FC.2847 Trojan.MSILPerseus.D1EE89 Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.MSIL.Ekidoa.A BackDoor.Bladabindi.13678 Trojan.MSIL.Crypt TR/Dropper.MSIL.hoclc MSIL/Kryptik.FDF!tr Trojan:MSIL/Ekidoa.A!bit Trojan/Win32.Skeeyah.R194563 Backdoor.MSIL.SpyGate Backdoor.Bladabindi Backdoor.SpyGate!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ekidoa.FC.2847": [[26, 47]], "Indicator: Trojan.MSILPerseus.D1EE89": [[48, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[74, 116]], "Indicator: TrojWare.MSIL.Ekidoa.A": [[117, 139]], 
"Indicator: BackDoor.Bladabindi.13678": [[140, 165]], "Indicator: Trojan.MSIL.Crypt": [[166, 183]], "Indicator: TR/Dropper.MSIL.hoclc": [[184, 205]], "Indicator: MSIL/Kryptik.FDF!tr": [[206, 225]], "Indicator: Trojan:MSIL/Ekidoa.A!bit": [[226, 250]], "Indicator: Trojan/Win32.Skeeyah.R194563": [[251, 279]], "Indicator: Backdoor.MSIL.SpyGate": [[280, 301]], "Indicator: Backdoor.Bladabindi": [[302, 321]], "Indicator: Backdoor.SpyGate!": [[322, 339]]}, "info": {"id": "cyner2_5class_train_06934", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/FlyStudio.atk Win.Trojan.7691310-1 Trojan-Dropper.Win32.Dinwod.vqz Trojan.Win32.FlyStudio.zlxrd Trojan.PWS.Wsgame.36294 BehavesLike.Win32.Ipamor.fc Trojan/FlyStudio.dpn Trojan/Win32.FlyStudio Trojan:Win32/Derunsex.A Troj.W32.FlyStudio.atk!c Trojan-Dropper.Win32.Dinwod.vqz Trj/CI.A Win32.Trojan.Flystudio.dbsu Trojan.Crypt W32/FlyStudio.ATK!tr Win32/Trojan.0e3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/FlyStudio.atk": [[26, 46]], "Indicator: Win.Trojan.7691310-1": [[47, 67]], "Indicator: Trojan-Dropper.Win32.Dinwod.vqz": [[68, 99], [274, 305]], "Indicator: Trojan.Win32.FlyStudio.zlxrd": [[100, 128]], "Indicator: Trojan.PWS.Wsgame.36294": [[129, 152]], "Indicator: BehavesLike.Win32.Ipamor.fc": [[153, 180]], "Indicator: Trojan/FlyStudio.dpn": [[181, 201]], "Indicator: Trojan/Win32.FlyStudio": [[202, 224]], "Indicator: Trojan:Win32/Derunsex.A": [[225, 248]], "Indicator: Troj.W32.FlyStudio.atk!c": [[249, 273]], "Indicator: Trj/CI.A": [[306, 314]], "Indicator: Win32.Trojan.Flystudio.dbsu": [[315, 342]], "Indicator: Trojan.Crypt": [[343, 355]], "Indicator: W32/FlyStudio.ATK!tr": [[356, 376]], "Indicator: Win32/Trojan.0e3": [[377, 393]]}, "info": {"id": "cyner2_5class_train_06935", "source": "cyner2_5class_train"}} +{"text": "On March 29, 2023, reports circulating about a potential supply chain compromise for 3CXDesktopApp — a softphone application from 3CX.", "spans": {"Vulnerability: 
compromise": [[70, 80]], "System: 3CXDesktopApp": [[85, 98]], "System: softphone application": [[103, 124]], "Organization: 3CX.": [[130, 134]]}, "info": {"id": "cyner2_5class_train_06936", "source": "cyner2_5class_train"}} +{"text": "Distribution via trojanized updates to MeDoc users", "spans": {"Indicator: Distribution": [[0, 12]], "Malware: trojanized updates": [[17, 35]], "Organization: MeDoc users": [[39, 50]]}, "info": {"id": "cyner2_5class_train_06937", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Ransom.Crypren.11 Ransom_Denisca.R011C0DLD17 Ransom_Denisca.R011C0DLD17 Trojan.Win32.Crypren.emfrxs Trojan.MulDrop7.20062 BehavesLike.Win32.PWSZbot.dc Trojan.Win32.Crypt W32/Trojan.HSTQ-8964 TR/AD.Ergop.ipwuu Trj/CI.A Trojan.Crypren!pGn+9M0dsUI W32/Kryptik.FPNC!tr Win32/Trojan.Ransom.a8a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Crypren.11": [[26, 50]], "Indicator: Ransom_Denisca.R011C0DLD17": [[51, 77], [78, 104]], "Indicator: Trojan.Win32.Crypren.emfrxs": [[105, 132]], "Indicator: Trojan.MulDrop7.20062": [[133, 154]], "Indicator: BehavesLike.Win32.PWSZbot.dc": [[155, 183]], "Indicator: Trojan.Win32.Crypt": [[184, 202]], "Indicator: W32/Trojan.HSTQ-8964": [[203, 223]], "Indicator: TR/AD.Ergop.ipwuu": [[224, 241]], "Indicator: Trj/CI.A": [[242, 250]], "Indicator: Trojan.Crypren!pGn+9M0dsUI": [[251, 277]], "Indicator: W32/Kryptik.FPNC!tr": [[278, 297]], "Indicator: Win32/Trojan.Ransom.a8a": [[298, 321]]}, "info": {"id": "cyner2_5class_train_06938", "source": "cyner2_5class_train"}} +{"text": "Enable a secure lock screen : Pick a PIN , pattern , or password that is easy for you to remember and hard for others to guess .", "spans": {}, "info": {"id": "cyner2_5class_train_06939", "source": "cyner2_5class_train"}} +{"text": "This included altering the icon of the executable to appear as other file types as well as decoy documents to trick users into thinking they had opened a legitimate file.", "spans": 
{"Indicator: decoy documents": [[91, 106]]}, "info": {"id": "cyner2_5class_train_06940", "source": "cyner2_5class_train"}} +{"text": "What do I need to do ? It is extremely unlikely you or someone you know was affected by Chrysaor malware .", "spans": {"Malware: Chrysaor": [[88, 96]]}, "info": {"id": "cyner2_5class_train_06941", "source": "cyner2_5class_train"}} +{"text": "It shows that the malware can detect whether it ’ s running in an emulated environment or a real mobile device , and can change its code pattern accordingly .", "spans": {}, "info": {"id": "cyner2_5class_train_06942", "source": "cyner2_5class_train"}} +{"text": "What it does FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"Malware: FrozenCell": [[13, 23]], "System: Facebook": [[78, 86]], "System: WhatsApp": [[89, 97]], "System: Messenger": [[100, 109]], "System: LINE": [[112, 116]], "System: LoveChat": [[123, 131]]}, "info": {"id": "cyner2_5class_train_06943", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Risk.Deceptor.Lmla Program.Unwanted.2594 Trojan:Win32/Spideepri.A PUP/Win32.SpeedItUpFree.R211310 Trojan.Spideepri", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Risk.Deceptor.Lmla": [[26, 50]], "Indicator: Program.Unwanted.2594": [[51, 72]], "Indicator: Trojan:Win32/Spideepri.A": [[73, 97]], "Indicator: PUP/Win32.SpeedItUpFree.R211310": [[98, 129]], "Indicator: Trojan.Spideepri": [[130, 146]]}, "info": {"id": "cyner2_5class_train_06944", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Mimikatz.Win32.268 Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Mimikatz Trojan.Win32.Mimikatz.ergkpd Application.Win32.HackTool.Mimikatz.DC Tool.PassView.1872 HackTool.Inject.ew Trojan[PSW]/Win32.Mimikatz Trojan/Win32.Mimikatz.R202679 TrojanPSW.Mimikatz HackTool.Mimikatz Trj/CI.A Trojan.Application.Hacktool.Mimikatz.1 Win32.Trojan-qqpass.Qqrob.Tclv 
HackTool.Mimikatz hacktool.mimikatz Win32/Trojan.PSW.c71", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mimikatz.Win32.268": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[52, 94]], "Indicator: Hacktool.Mimikatz": [[95, 112]], "Indicator: Trojan.Win32.Mimikatz.ergkpd": [[113, 141]], "Indicator: Application.Win32.HackTool.Mimikatz.DC": [[142, 180]], "Indicator: Tool.PassView.1872": [[181, 199]], "Indicator: HackTool.Inject.ew": [[200, 218]], "Indicator: Trojan[PSW]/Win32.Mimikatz": [[219, 245]], "Indicator: Trojan/Win32.Mimikatz.R202679": [[246, 275]], "Indicator: TrojanPSW.Mimikatz": [[276, 294]], "Indicator: HackTool.Mimikatz": [[295, 312], [392, 409]], "Indicator: Trj/CI.A": [[313, 321]], "Indicator: Trojan.Application.Hacktool.Mimikatz.1": [[322, 360]], "Indicator: Win32.Trojan-qqpass.Qqrob.Tclv": [[361, 391]], "Indicator: hacktool.mimikatz": [[410, 427]], "Indicator: Win32/Trojan.PSW.c71": [[428, 448]]}, "info": {"id": "cyner2_5class_train_06945", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Olufus.A3 WORM_VB_FB25010D.UVPM Win32.Worm.VB.rb WORM_VB_FB25010D.UVPM Trojan.Win32.Cosmu.dipp Trojan.Win32.Crypt.dsqpuq Trojan.MulDrop5.34309 Net-Worm.Win32.Cynic Worm:Win32/Olufus.A Trojan.Heur.E2E727 W32.Virut.low6 Trojan.Win32.Cosmu.dipp Trojan/Win32.Bredolab.R151314 TScope.Trojan.VB Win32/VB.OKI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Olufus.A3": [[26, 40]], "Indicator: WORM_VB_FB25010D.UVPM": [[41, 62], [80, 101]], "Indicator: Win32.Worm.VB.rb": [[63, 79]], "Indicator: Trojan.Win32.Cosmu.dipp": [[102, 125], [249, 272]], "Indicator: Trojan.Win32.Crypt.dsqpuq": [[126, 151]], "Indicator: Trojan.MulDrop5.34309": [[152, 173]], "Indicator: Net-Worm.Win32.Cynic": [[174, 194]], "Indicator: Worm:Win32/Olufus.A": [[195, 214]], "Indicator: Trojan.Heur.E2E727": [[215, 233]], "Indicator: W32.Virut.low6": [[234, 248]], "Indicator: Trojan/Win32.Bredolab.R151314": [[273, 302]], "Indicator: 
TScope.Trojan.VB": [[303, 319]], "Indicator: Win32/VB.OKI": [[320, 332]]}, "info": {"id": "cyner2_5class_train_06946", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.KlassTT.Trojan Backdoor.Sdbot.6331 Troj.Dropper.W32.Sysn!c Win32.Trojan.WisdomEyes.16070401.9500.9991 Backdoor.Trojan Trojan-Dropper.Win32.Sysn.brns Backdoor.Win32.IRCBot.60928.J BackDoor.IRC.Huxor.59 BehavesLike.Win32.Backdoor.qh Backdoor.Win32.SdBot Trojan[Backdoor]/Win32.IRCBot Trojan.Kazy.D14BCA Trojan-Dropper.Win32.Sysn.brns Backdoor:Win32/Arwobot.B Worm/Win32.IRCBot.R4516 Win32.Trojan-dropper.Sysn.Lmuh Win32/Trojan.8b1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KlassTT.Trojan": [[26, 44]], "Indicator: Backdoor.Sdbot.6331": [[45, 64]], "Indicator: Troj.Dropper.W32.Sysn!c": [[65, 88]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9991": [[89, 131]], "Indicator: Backdoor.Trojan": [[132, 147]], "Indicator: Trojan-Dropper.Win32.Sysn.brns": [[148, 178], [331, 361]], "Indicator: Backdoor.Win32.IRCBot.60928.J": [[179, 208]], "Indicator: BackDoor.IRC.Huxor.59": [[209, 230]], "Indicator: BehavesLike.Win32.Backdoor.qh": [[231, 260]], "Indicator: Backdoor.Win32.SdBot": [[261, 281]], "Indicator: Trojan[Backdoor]/Win32.IRCBot": [[282, 311]], "Indicator: Trojan.Kazy.D14BCA": [[312, 330]], "Indicator: Backdoor:Win32/Arwobot.B": [[362, 386]], "Indicator: Worm/Win32.IRCBot.R4516": [[387, 410]], "Indicator: Win32.Trojan-dropper.Sysn.Lmuh": [[411, 441]], "Indicator: Win32/Trojan.8b1": [[442, 458]]}, "info": {"id": "cyner2_5class_train_06947", "source": "cyner2_5class_train"}} +{"text": "These embedded OLE Word documents then contain embedded Adobe Flash .SWF files that are designed to exploit Abode Flash vulnerabilities.", "spans": {"Indicator: embedded OLE Word documents": [[6, 33]], "Indicator: embedded Adobe Flash .SWF files": [[47, 78]], "Vulnerability: exploit Abode Flash vulnerabilities.": [[100, 136]]}, "info": {"id": "cyner2_5class_train_06948", "source": 
"cyner2_5class_train"}} +{"text": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015.", "spans": {"Organization: multiple organisations": [[47, 69]]}, "info": {"id": "cyner2_5class_train_06949", "source": "cyner2_5class_train"}} +{"text": "In the course of this tactical hunt for unidentified code, RSA discovered a sophisticated attack on a software supply-chain involving a Trojan inserted in otherwise legitimate software; software that is typically used by enterprise system administrators.", "spans": {"Indicator: unidentified code, RSA": [[40, 62]], "Indicator: sophisticated attack": [[76, 96]], "Organization: software supply-chain": [[102, 123]], "Malware: Trojan": [[136, 142]], "System: legitimate software; software": [[165, 194]], "System: enterprise system administrators.": [[221, 254]]}, "info": {"id": "cyner2_5class_train_06950", "source": "cyner2_5class_train"}} +{"text": "Neuron and Nautilus are malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers.", "spans": {"Malware: Neuron": [[0, 6]], "Malware: Nautilus": [[11, 19]], "Malware: malicious tools": [[24, 39]], "System: Microsoft Windows platforms,": [[63, 91]], "Organization: mail servers": [[112, 124]], "Organization: web servers.": [[129, 141]]}, "info": {"id": "cyner2_5class_train_06951", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.MambaAHQc.Trojan Trojan.Python.Win32.34 Trojan/Mamba.g Win32.Trojan.WisdomEyes.16070401.9500.9555 BehavesLike.Win32.Trojan.vh Python/Blakamba.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.MambaAHQc.Trojan": [[26, 52]], "Indicator: Trojan.Python.Win32.34": [[53, 75]], "Indicator: Trojan/Mamba.g": [[76, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9555": [[91, 133]], "Indicator: BehavesLike.Win32.Trojan.vh": [[134, 161]], "Indicator: 
Python/Blakamba.A!tr": [[162, 182]]}, "info": {"id": "cyner2_5class_train_06952", "source": "cyner2_5class_train"}} +{"text": "In our tests , the malware sample was able to easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals ( for example , Vmware has VEN_15AD as vendor ID , HyperV has VMBus as bus name ) .", "spans": {"System: VMWare": [[65, 71]], "System: Hyper-V": [[76, 83]], "Organization: Vmware": [[166, 172]]}, "info": {"id": "cyner2_5class_train_06953", "source": "cyner2_5class_train"}} +{"text": "The attack compromised their devices and exfiltrated data to the attackers' command and control server.", "spans": {"Indicator: attack compromised": [[4, 22]], "System: devices": [[29, 36]], "Indicator: exfiltrated data": [[41, 57]], "Indicator: command and control server.": [[76, 103]]}, "info": {"id": "cyner2_5class_train_06954", "source": "cyner2_5class_train"}} +{"text": "Infrastructure At the time of writing the following domains have either been used by this family or are currently active .", "spans": {}, "info": {"id": "cyner2_5class_train_06955", "source": "cyner2_5class_train"}} +{"text": "Overview The malware was first detected on a Nexus 5 smartphone , and although the user attempted to remove the infected app , the malware reappeared on the same device shortly thereafter .", "spans": {"System: Nexus 5": [[45, 52]]}, "info": {"id": "cyner2_5class_train_06956", "source": "cyner2_5class_train"}} +{"text": "The earliest we observed this spreader variant pushing Mirai downloaders was January 2017.", "spans": {"Malware: Mirai downloaders": [[55, 72]]}, "info": {"id": "cyner2_5class_train_06957", "source": "cyner2_5class_train"}} +{"text": "In late 2013­­­–early 2014, a compromised FTP client dubbed StealZilla, based off the open source FileZilla FTP client was discovered.", "spans": {"Indicator: compromised FTP": [[30, 45]], "Malware: StealZilla,": [[60, 71]], "System: FTP client": [[108, 118]]}, "info": 
{"id": "cyner2_5class_train_06958", "source": "cyner2_5class_train"}} +{"text": "This particular APT is targeting organizations that include weapons manufacturers, human rights activists, and pro-democracy groups, among others.", "spans": {"Organization: organizations": [[33, 46]], "Organization: weapons manufacturers, human rights activists,": [[60, 106]], "Organization: pro-democracy groups,": [[111, 132]]}, "info": {"id": "cyner2_5class_train_06959", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Danmec.E.iw5 Trojan.Asprox W32/Danmec.R TROJ_DANMEC.SM Trojan.Win32.Danmec!IK TrojWare.Win32.Kryptik.CG Trojan.DownLoad2.37322 TR/Spy.Web.H TROJ_DANMEC.SM Worm/Aspxor.ey Trojan/Win32.Danmec Trojan.Danmec Trojan.Asprox!rem Trojan.Win32.Danmec W32/Danmec.C!tr Trj/Damnec.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Danmec.E.iw5": [[26, 45]], "Indicator: Trojan.Asprox": [[46, 59]], "Indicator: W32/Danmec.R": [[60, 72]], "Indicator: TROJ_DANMEC.SM": [[73, 87], [173, 187]], "Indicator: Trojan.Win32.Danmec!IK": [[88, 110]], "Indicator: TrojWare.Win32.Kryptik.CG": [[111, 136]], "Indicator: Trojan.DownLoad2.37322": [[137, 159]], "Indicator: TR/Spy.Web.H": [[160, 172]], "Indicator: Worm/Aspxor.ey": [[188, 202]], "Indicator: Trojan/Win32.Danmec": [[203, 222]], "Indicator: Trojan.Danmec": [[223, 236]], "Indicator: Trojan.Asprox!rem": [[237, 254]], "Indicator: Trojan.Win32.Danmec": [[255, 274]], "Indicator: W32/Danmec.C!tr": [[275, 290]], "Indicator: Trj/Damnec.A": [[291, 303]]}, "info": {"id": "cyner2_5class_train_06960", "source": "cyner2_5class_train"}} +{"text": "As a result , it may be that are looking into a compromised , parked domain that was initially used legitimately , but is now participating in malicious activities .", "spans": {}, "info": {"id": "cyner2_5class_train_06961", "source": "cyner2_5class_train"}} +{"text": "The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written 
in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger.", "spans": {"Organization: The ART team": [[0, 12]], "Organization: Fortinet": [[16, 24]], "Malware: malware": [[46, 53]], "Malware: Proteus,": [[60, 68]], "Malware: botnet": [[87, 93]], "System: .NET": [[105, 109]], "Malware: proxy, coin miner, e-commerce merchant account checker,": [[131, 186]], "Malware: keylogger.": [[191, 201]]}, "info": {"id": "cyner2_5class_train_06962", "source": "cyner2_5class_train"}} +{"text": "CHANGE_GCM_ID – change GCM ID .", "spans": {}, "info": {"id": "cyner2_5class_train_06963", "source": "cyner2_5class_train"}} +{"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below .", "spans": {"Indicator: DroidVPN": [[43, 51]]}, "info": {"id": "cyner2_5class_train_06964", "source": "cyner2_5class_train"}} +{"text": "From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers.", "spans": {"Malware: Nymaim malware,": [[9, 24]], "Indicator: dropper's stealth": [[42, 59]], "Indicator: persistence;": [[64, 76]], "Malware: Gozi ISFB": [[81, 90]], "Malware: banking Trojan's": [[105, 121]], "Indicator: capabilities": [[122, 134]], "System: infected Internet browsers.": [[159, 186]]}, "info": {"id": "cyner2_5class_train_06965", "source": "cyner2_5class_train"}} +{"text": "The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered .", "spans": {}, "info": {"id": "cyner2_5class_train_06966", "source": "cyner2_5class_train"}} +{"text": "Backdoor that installs itself at %Application Data%\\remcos", "spans": {"Malware: Backdoor": [[0, 8]], "Indicator: %Application Data%\\remcos": [[33, 58]]}, "info": {"id": "cyner2_5class_train_06967", "source": 
"cyner2_5class_train"}} +{"text": "] 122:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "cyner2_5class_train_06968", "source": "cyner2_5class_train"}} +{"text": "Based on strings found in the samples we analyzed, we have named this backdoor Gazer", "spans": {"Malware: backdoor": [[70, 78]], "Malware: Gazer": [[79, 84]]}, "info": {"id": "cyner2_5class_train_06969", "source": "cyner2_5class_train"}} +{"text": "It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion.", "spans": {"Indicator: hijacking of traffic from nationwide ISPs,": [[44, 86]], "Malware: SNS worm": [[90, 98]], "System: Windows,": [[102, 110]], "System: offline app": [[118, 129]]}, "info": {"id": "cyner2_5class_train_06970", "source": "cyner2_5class_train"}} +{"text": "The Zen trojan After achieving persistence , the trojan downloads additional payloads , including another trojan called Zen .", "spans": {"Malware: Zen": [[4, 7], [120, 123]]}, "info": {"id": "cyner2_5class_train_06971", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer Win32.Trojan.WisdomEyes.16070401.9500.9986 Trojan.Win32.Dwn.efyiis Trojan.DownLoader22.7328 BehavesLike.Win32.PUPXAA.kc Trojan:MSIL/Watam.A Trojan.MSIL.Spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9986": [[41, 83]], "Indicator: Trojan.Win32.Dwn.efyiis": [[84, 107]], "Indicator: Trojan.DownLoader22.7328": [[108, 132]], "Indicator: BehavesLike.Win32.PUPXAA.kc": [[133, 160]], "Indicator: Trojan:MSIL/Watam.A": [[161, 180]], "Indicator: Trojan.MSIL.Spy": [[181, 196]]}, "info": {"id": "cyner2_5class_train_06972", "source": "cyner2_5class_train"}} +{"text": "Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group , commonly referred to as \" Roaming Mantis '' , a group that 
is known to have launched similar campaigns in the past .", "spans": {"Malware: FakeSpy": [[52, 59]], "Organization: Roaming Mantis": [[124, 138]]}, "info": {"id": "cyner2_5class_train_06973", "source": "cyner2_5class_train"}} +{"text": "The payload we got also specifically targets Korean banks by modifying the infected systems hosts file to redirect traffic from Korean banks to its controlled server.", "spans": {"Malware: payload": [[4, 11]], "Organization: Korean banks": [[45, 57], [128, 140]], "System: infected systems": [[75, 91]], "Indicator: hosts file to redirect traffic": [[92, 122]], "Indicator: controlled server.": [[148, 166]]}, "info": {"id": "cyner2_5class_train_06974", "source": "cyner2_5class_train"}} +{"text": "This particular peice of malware uses a open source VB6 peice of malware called vnLoader'.", "spans": {"Malware: malware": [[25, 32], [65, 72]], "Indicator: open source VB6": [[40, 55]], "Malware: vnLoader'.": [[80, 90]]}, "info": {"id": "cyner2_5class_train_06975", "source": "cyner2_5class_train"}} +{"text": "This group has been active since 2010. 
We dub this operation Shrouded Crossbow, after a mutex in a backdoor the group developed.", "spans": {"Malware: mutex": [[88, 93]], "Malware: backdoor": [[99, 107]]}, "info": {"id": "cyner2_5class_train_06976", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Trojan.Boxer.as HEUR:Trojan-SMS.AndroidOS.FakeInst.a HEUR:Trojan-SMS.AndroidOS.FakeInst.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.Boxer.as": [[26, 49]], "Indicator: HEUR:Trojan-SMS.AndroidOS.FakeInst.a": [[50, 86], [87, 123]]}, "info": {"id": "cyner2_5class_train_06977", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.FC.314 Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Win32.Inject.aexnv Trojan.DownLoader24.51009 TR/AD.NETCryptor.dneew Trojan/Win32.Inject Backdoor:MSIL/Omaneat.B Trojan.MSILPerseus.D17E4F Trojan/Win32.Fsysna.C1935209 Trojan.Win32.Inject.aexnv Trj/GdSda.A Win32.Trojan.Inject.Fsc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.FC.314": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[48, 90]], "Indicator: Trojan.Win32.Inject.aexnv": [[91, 116], [265, 290]], "Indicator: Trojan.DownLoader24.51009": [[117, 142]], "Indicator: TR/AD.NETCryptor.dneew": [[143, 165]], "Indicator: Trojan/Win32.Inject": [[166, 185]], "Indicator: Backdoor:MSIL/Omaneat.B": [[186, 209]], "Indicator: Trojan.MSILPerseus.D17E4F": [[210, 235]], "Indicator: Trojan/Win32.Fsysna.C1935209": [[236, 264]], "Indicator: Trj/GdSda.A": [[291, 302]], "Indicator: Win32.Trojan.Inject.Fsc": [[303, 326]]}, "info": {"id": "cyner2_5class_train_06978", "source": "cyner2_5class_train"}} +{"text": "FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems.", "spans": {"Organization: FireEye Labs": [[0, 12]], "Malware: unknown variant": [[46, 61]], "Malware: backdoor XSLCmd – OSX.XSLCmd –": [[73, 103]], 
"System: Apple OS X systems.": [[136, 155]]}, "info": {"id": "cyner2_5class_train_06979", "source": "cyner2_5class_train"}} +{"text": "It is safe to say that today ’ s cybercriminal is no longer a lone hacker but part of a serious business operation .", "spans": {}, "info": {"id": "cyner2_5class_train_06980", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.Kukel.A Trojan-PWS/W32.Kukel.14116 Trojan.PWS.Kukel.A Trojan/PSW.Kukel Trojan.PWS.Kukel.A Win32.Trojan.WisdomEyes.16070401.9500.9985 TROJ_KUKEL.A Trojan.PWS.Kukel.A Trojan-PSW.Win32.Kukel Trojan.PWS.Kukel.A Trojan.Win32.Kukel.hjwe Trojan.Win32.PSWKukel.14116 Troj.PSW32.W.Kukel!c Trojan.PWS.Kukel.A TrojWare.Win32.PSW.Kukel Trojan.PWS.Kukel.A Trojan.PWS.Kukel Trojan.Kukel.Win32.4 TROJ_KUKEL.A W32/Risk.QXSE-2226 Trojan/PSW.Kukel TR/PSW.Kukel.1 Trojan-PSW.Win32.Kukel TrojanPSW.Kukel Win32/PSW.Kukel Win32.Trojan-qqpass.Qqrob.Wsko Trojan.PWS.Kukel!uom8kUpytHQ W32/Kukel.A!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.Kukel.A": [[26, 44], [72, 90], [108, 126], [183, 201], [225, 243], [317, 335], [361, 379]], "Indicator: Trojan-PWS/W32.Kukel.14116": [[45, 71]], "Indicator: Trojan/PSW.Kukel": [[91, 107], [450, 466]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[127, 169]], "Indicator: TROJ_KUKEL.A": [[170, 182], [418, 430]], "Indicator: Trojan-PSW.Win32.Kukel": [[202, 224], [482, 504]], "Indicator: Trojan.Win32.Kukel.hjwe": [[244, 267]], "Indicator: Trojan.Win32.PSWKukel.14116": [[268, 295]], "Indicator: Troj.PSW32.W.Kukel!c": [[296, 316]], "Indicator: TrojWare.Win32.PSW.Kukel": [[336, 360]], "Indicator: Trojan.PWS.Kukel": [[380, 396]], "Indicator: Trojan.Kukel.Win32.4": [[397, 417]], "Indicator: W32/Risk.QXSE-2226": [[431, 449]], "Indicator: TR/PSW.Kukel.1": [[467, 481]], "Indicator: TrojanPSW.Kukel": [[505, 520]], "Indicator: Win32/PSW.Kukel": [[521, 536]], "Indicator: Win32.Trojan-qqpass.Qqrob.Wsko": [[537, 567]], "Indicator: 
Trojan.PWS.Kukel!uom8kUpytHQ": [[568, 596]], "Indicator: W32/Kukel.A!tr.pws": [[597, 615]]}, "info": {"id": "cyner2_5class_train_06981", "source": "cyner2_5class_train"}} +{"text": "This entry is to explain features of Datper, malware used for targeted attacks against Japanese organisations and how to detect it from the logs.", "spans": {"Malware: Datper, malware": [[37, 52]], "Indicator: attacks": [[71, 78]], "Organization: Japanese organisations": [[87, 109]]}, "info": {"id": "cyner2_5class_train_06982", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tvt Trojan.Korplug.Win32.309 Trojan.Zusy.D41CD9 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Tvt.ll Trojan.KeyLogger.27522 Backdoor:Win32/Sogu.A!dha Trojan.Win32.Tvt.ll Backdoor/Win32.Etso.R17333 Trojan.Win32.Korplug", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tvt": [[26, 36]], "Indicator: Trojan.Korplug.Win32.309": [[37, 61]], "Indicator: Trojan.Zusy.D41CD9": [[62, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[81, 123]], "Indicator: Trojan.Win32.Tvt.ll": [[124, 143], [193, 212]], "Indicator: Trojan.KeyLogger.27522": [[144, 166]], "Indicator: Backdoor:Win32/Sogu.A!dha": [[167, 192]], "Indicator: Backdoor/Win32.Etso.R17333": [[213, 239]], "Indicator: Trojan.Win32.Korplug": [[240, 260]]}, "info": {"id": "cyner2_5class_train_06983", "source": "cyner2_5class_train"}} +{"text": "Detected as ANDROIDOS_SLOCKER.OPSCB, this new SLocker mobile ransomware variant features new routines that utilize features of the Chinese social network QQ, along with persistent screen-locking capabilities.", "spans": {"Indicator: ANDROIDOS_SLOCKER.OPSCB,": [[12, 36]], "Malware: SLocker mobile ransomware variant": [[46, 79]], "Organization: the Chinese social network QQ,": [[127, 157]]}, "info": {"id": "cyner2_5class_train_06984", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9984 
Trojan-Banker.Win32.Metel.cai Trojan.Win32.Metel.edlvqj Troj.Banker.W32.Metel!c Trojan.Bayanker.42 BehavesLike.Win32.FakeAlertSecurityTool.dc Trojan.Banker.Metel.ys TR/Kryptik.rfzx Trojan:Win32/Exgectow.A Trojan-Banker.Win32.Metel.cai Trojan/Win32.Dorv.R166106 Trj/CI.A Win32/Corkow.AI Win32.Outbreak Win32/Trojan.9df", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[26, 68]], "Indicator: Trojan-Banker.Win32.Metel.cai": [[69, 98], [274, 303]], "Indicator: Trojan.Win32.Metel.edlvqj": [[99, 124]], "Indicator: Troj.Banker.W32.Metel!c": [[125, 148]], "Indicator: Trojan.Bayanker.42": [[149, 167]], "Indicator: BehavesLike.Win32.FakeAlertSecurityTool.dc": [[168, 210]], "Indicator: Trojan.Banker.Metel.ys": [[211, 233]], "Indicator: TR/Kryptik.rfzx": [[234, 249]], "Indicator: Trojan:Win32/Exgectow.A": [[250, 273]], "Indicator: Trojan/Win32.Dorv.R166106": [[304, 329]], "Indicator: Trj/CI.A": [[330, 338]], "Indicator: Win32/Corkow.AI": [[339, 354]], "Indicator: Win32.Outbreak": [[355, 369]], "Indicator: Win32/Trojan.9df": [[370, 386]]}, "info": {"id": "cyner2_5class_train_06985", "source": "cyner2_5class_train"}} +{"text": "Recent new reporting was released on the DragonOK group which unveiled the many versions of the Sysget backdoor as well as the IsSpace backdoor.", "spans": {"Malware: versions": [[80, 88]], "Malware: Sysget backdoor": [[96, 111]], "Malware: the IsSpace backdoor.": [[123, 144]]}, "info": {"id": "cyner2_5class_train_06986", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Vehidis Trojan.Win32.Vehidis.wpm Trojan.Win32.Crypted.dodbbd Trojan.Win32.Z.Vehidis.24576.K Troj.W32.Vehidis!c Trojan.Vehidis.Win32.1902 Trojan.Vehidis.hd BDS/Sakkair.ebcng Backdoor:Win32/Sakkair.A Trojan.Win32.Vehidis.wpm Trojan/Win32.Farfli.R115053 Trojan.Vehidis Trj/CI.A Win32.Trojan.Vehidis.Hquw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Vehidis": [[26, 40], [284, 298]], "Indicator: 
Trojan.Win32.Vehidis.wpm": [[41, 65], [231, 255]], "Indicator: Trojan.Win32.Crypted.dodbbd": [[66, 93]], "Indicator: Trojan.Win32.Z.Vehidis.24576.K": [[94, 124]], "Indicator: Troj.W32.Vehidis!c": [[125, 143]], "Indicator: Trojan.Vehidis.Win32.1902": [[144, 169]], "Indicator: Trojan.Vehidis.hd": [[170, 187]], "Indicator: BDS/Sakkair.ebcng": [[188, 205]], "Indicator: Backdoor:Win32/Sakkair.A": [[206, 230]], "Indicator: Trojan/Win32.Farfli.R115053": [[256, 283]], "Indicator: Trj/CI.A": [[299, 307]], "Indicator: Win32.Trojan.Vehidis.Hquw": [[308, 333]]}, "info": {"id": "cyner2_5class_train_06987", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9655 Infostealer.Limitail Trojan.Win32.Z.Limitail.303616 Trojan.DownLoader19.57204 BehavesLike.Win32.PUPXAG.dc TR/Dropper.MSIL.lrzyl Trojan.MSILPerseus.D234A0 TrojanSpy:MSIL/Plimrost.B Trojan/Win32.Kryptik.C2400864 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9655": [[38, 80]], "Indicator: Infostealer.Limitail": [[81, 101]], "Indicator: Trojan.Win32.Z.Limitail.303616": [[102, 132]], "Indicator: Trojan.DownLoader19.57204": [[133, 158]], "Indicator: BehavesLike.Win32.PUPXAG.dc": [[159, 186]], "Indicator: TR/Dropper.MSIL.lrzyl": [[187, 208]], "Indicator: Trojan.MSILPerseus.D234A0": [[209, 234]], "Indicator: TrojanSpy:MSIL/Plimrost.B": [[235, 260]], "Indicator: Trojan/Win32.Kryptik.C2400864": [[261, 290]], "Indicator: Trj/GdSda.A": [[291, 302]]}, "info": {"id": "cyner2_5class_train_06988", "source": "cyner2_5class_train"}} +{"text": "Standing out because of its prevalence and its sophistication, Stantinko turned out to be quite a puzzle to solve.", "spans": {}, "info": {"id": "cyner2_5class_train_06989", "source": "cyner2_5class_train"}} +{"text": "This utility does several interesting things to evade antivirus detection.", "spans": {}, "info": {"id": 
"cyner2_5class_train_06990", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Android.Adware.Airpush.55AE Android.Adware.Plankton.A Android.Adware.Plankton.A Android.Trojan.Plankton.k AndroidOS/Plankton.B A.H.Pri.Afoynq.F Trojan.Android.Airpush.djpqsd Adware.MultiAds!1.9D9E Android.Adware.Plankton.A Android.Adware.Plankton Adware.Airpush.3.origin AndroidOS/Plankton.B Android.Adware.Plankton.A Android.Adware.Plankton!c Android-PUP/Airpush.2ac1 Android.Adware.Plankton.A Adware.AndroidOS.AirPush.a AdWare.AndroidOS.Apperhand", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Adware.Airpush.55AE": [[26, 53]], "Indicator: Android.Adware.Plankton.A": [[54, 79], [80, 105], [223, 248], [318, 343], [395, 420]], "Indicator: Android.Trojan.Plankton.k": [[106, 131]], "Indicator: AndroidOS/Plankton.B": [[132, 152], [297, 317]], "Indicator: A.H.Pri.Afoynq.F": [[153, 169]], "Indicator: Trojan.Android.Airpush.djpqsd": [[170, 199]], "Indicator: Adware.MultiAds!1.9D9E": [[200, 222]], "Indicator: Android.Adware.Plankton": [[249, 272]], "Indicator: Adware.Airpush.3.origin": [[273, 296]], "Indicator: Android.Adware.Plankton!c": [[344, 369]], "Indicator: Android-PUP/Airpush.2ac1": [[370, 394]], "Indicator: Adware.AndroidOS.AirPush.a": [[421, 447]], "Indicator: AdWare.AndroidOS.Apperhand": [[448, 474]]}, "info": {"id": "cyner2_5class_train_06991", "source": "cyner2_5class_train"}} +{"text": "Successful exploitation seems to be possible on all currently supported versions of MS Office up and including the MS15-022 patch.", "spans": {"Vulnerability: exploitation": [[11, 23]], "System: MS Office": [[84, 93]], "Indicator: MS15-022 patch.": [[115, 130]]}, "info": {"id": "cyner2_5class_train_06992", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak.", "spans": {"Organization: Proofpoint 
researchers": [[0, 22]], "Malware: Turla": [[100, 105]], "Indicator: .NET/MSIL dropper": [[118, 135]], "Malware: backdoor": [[152, 160]], "Indicator: JS/KopiLuwak.": [[168, 181]]}, "info": {"id": "cyner2_5class_train_06993", "source": "cyner2_5class_train"}} +{"text": "] com ws.my-local-weather [ .", "spans": {"Indicator: ws.my-local-weather [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_06994", "source": "cyner2_5class_train"}} +{"text": "Both apps shared the same C & C server , but we couldn ’ t investigate the latter as it had already been removed from the Google Play store .", "spans": {"System: Google Play store": [[122, 139]]}, "info": {"id": "cyner2_5class_train_06995", "source": "cyner2_5class_train"}} +{"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps .", "spans": {"Malware: HenBox": [[17, 23]]}, "info": {"id": "cyner2_5class_train_06996", "source": "cyner2_5class_train"}} +{"text": "The malware itself is a fully featured RAT, which uses a compressed, optionally encrypted, raw TCP socket and binary message protocol for command and control communications.", "spans": {"Malware: malware": [[4, 11]], "Malware: RAT,": [[39, 43]], "Indicator: compressed,": [[57, 68]], "Indicator: encrypted, raw TCP socket": [[80, 105]], "Indicator: binary message protocol": [[110, 133]], "Indicator: command and control communications.": [[138, 173]]}, "info": {"id": "cyner2_5class_train_06997", "source": "cyner2_5class_train"}} +{"text": "This time, however, attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan RAT.", "spans": {"Indicator: spear-phishing emails": [[53, 74]], "Indicator: Microsoft Word attachment": [[82, 107]], "Vulnerability: exploiting": [[108, 118]], "Indicator: 
CVE-2017-0199": [[140, 153]], "Malware: ZeroT Trojan,": [[168, 181]], "Malware: downloaded": [[196, 206]], "Malware: PlugX Remote Access Trojan RAT.": [[211, 242]]}, "info": {"id": "cyner2_5class_train_06998", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Banker.Win32.89325 Trojan/Spy.Banker.yss Trojan.Win32.Z.Banker.5002130 Trojan.DownLoader13.22038 Trojan/Win32.Scar Win32.Troj.Undef.kcloud PWS:Win32/Mujormel.A TScope.Trojan.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Banker.Win32.89325": [[26, 51]], "Indicator: Trojan/Spy.Banker.yss": [[52, 73]], "Indicator: Trojan.Win32.Z.Banker.5002130": [[74, 103]], "Indicator: Trojan.DownLoader13.22038": [[104, 129]], "Indicator: Trojan/Win32.Scar": [[130, 147]], "Indicator: Win32.Troj.Undef.kcloud": [[148, 171]], "Indicator: PWS:Win32/Mujormel.A": [[172, 192]], "Indicator: TScope.Trojan.Delf": [[193, 211]]}, "info": {"id": "cyner2_5class_train_06999", "source": "cyner2_5class_train"}} +{"text": "Within the last week, the now infamous man-in-the-browser MITB banking malware Dyreza appears to have significantly expanded its target set of entities from which to steal credentials.", "spans": {"Malware: man-in-the-browser MITB banking malware Dyreza": [[39, 85]], "Indicator: to steal credentials.": [[163, 184]]}, "info": {"id": "cyner2_5class_train_07000", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan2.KJRE Infostealer.Bancos Win.Spyware.Banker-3740 Trojan.Win32.Banker.brismu Troj.Spy.W32.Delf.gmb!c Trojan.PWS.Spy.281 Trojan.Banker.Win32.115104 BehavesLike.Win32.Ramnit.cc W32/Trojan.FKOH-7228 TrojanSpy.Delf.efw W32.InfoStealer.Bancos Win32.Troj.Delf.kcloud Trojan/Win32.Xema.C140526 Trj/CI.A Win32.Trojan.Spy.Edyh TrojanSpy.Delf!R/OQYQsjYN8 Trojan-Spy.Win32.Bancos W32/DelpBanc.A!tr Win32/Trojan.Spy.1ee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9989": [[26, 68]], "Indicator: W32/Trojan2.KJRE": [[69, 85]], "Indicator: Infostealer.Bancos": [[86, 104]], "Indicator: Win.Spyware.Banker-3740": [[105, 128]], "Indicator: Trojan.Win32.Banker.brismu": [[129, 155]], "Indicator: Troj.Spy.W32.Delf.gmb!c": [[156, 179]], "Indicator: Trojan.PWS.Spy.281": [[180, 198]], "Indicator: Trojan.Banker.Win32.115104": [[199, 225]], "Indicator: BehavesLike.Win32.Ramnit.cc": [[226, 253]], "Indicator: W32/Trojan.FKOH-7228": [[254, 274]], "Indicator: TrojanSpy.Delf.efw": [[275, 293]], "Indicator: W32.InfoStealer.Bancos": [[294, 316]], "Indicator: Win32.Troj.Delf.kcloud": [[317, 339]], "Indicator: Trojan/Win32.Xema.C140526": [[340, 365]], "Indicator: Trj/CI.A": [[366, 374]], "Indicator: Win32.Trojan.Spy.Edyh": [[375, 396]], "Indicator: TrojanSpy.Delf!R/OQYQsjYN8": [[397, 423]], "Indicator: Trojan-Spy.Win32.Bancos": [[424, 447]], "Indicator: W32/DelpBanc.A!tr": [[448, 465]], "Indicator: Win32/Trojan.Spy.1ee": [[466, 486]]}, "info": {"id": "cyner2_5class_train_07001", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1939 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.S-3 Win.Worm.Taz-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg PE_VIRUX.S-3 Win32/Virut.bt Virus/Win32.Virut.ce Trojan:Win32/VBloader.B Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP Trojan-Banker.Win32.Bancos W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.1939": [[73, 95]], "Indicator: W32.Virut.CF": [[96, 108]], "Indicator: Win32/Virut.17408": [[109, 126]], "Indicator: PE_VIRUX.S-3": [[127, 139], [199, 211]], "Indicator: Win.Worm.Taz-1": [[140, 154]], "Indicator: Virus.Win32.Virut.ce": [[155, 175], [272, 292]], "Indicator: 
Virus.Win32.Virut.hpeg": [[176, 198]], "Indicator: Win32/Virut.bt": [[212, 226]], "Indicator: Virus/Win32.Virut.ce": [[227, 247]], "Indicator: Trojan:Win32/VBloader.B": [[248, 271]], "Indicator: Win32/Virut.F": [[293, 306]], "Indicator: Virus.Virut.14": [[307, 321]], "Indicator: Win32/Virut.NBP": [[322, 337]], "Indicator: Trojan-Banker.Win32.Bancos": [[338, 364]], "Indicator: W32/Sality.AO": [[365, 378]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[379, 409]]}, "info": {"id": "cyner2_5class_train_07002", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.MiadheardLTM.Trojan Backdoor.Mask.E Trojan/W32.Mask.17920 Trojan.Seedna Trojan.SGH.Win32.1 Troj.W32.SGH.o!c Backdoor.Mask.E W32/Mask.C Backdoor.Weevil.B BKDR_CARETO.A Backdoor.Mask.E Trojan.Win32.SGH.o Backdoor.Mask.E Trojan.Win32.SGH.ctugql Backdoor.Mask.E Backdoor:W32/Mask.A BKDR_CARETO.A Backdoor.Mask W32/Mask.NPPK-3802 Trojan.Win32.a W32.Trojan.Careto TR/Heap.A.4 Trojan/Win32.SGH Trojan:Win32/Seedna.A Trojan.Win32.SGH.o Trojan/Win32.Careto.R97388 Backdoor.Mask Trj/Careto.A Win32/Appetite.C Win32.Trojan.Sgh.Srmy W32/Themas.G!tr Win32/Trojan.aa5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.MiadheardLTM.Trojan": [[26, 49]], "Indicator: Backdoor.Mask.E": [[50, 65], [138, 153], [197, 212], [232, 247], [272, 287]], "Indicator: Trojan/W32.Mask.17920": [[66, 87]], "Indicator: Trojan.Seedna": [[88, 101]], "Indicator: Trojan.SGH.Win32.1": [[102, 120]], "Indicator: Troj.W32.SGH.o!c": [[121, 137]], "Indicator: W32/Mask.C": [[154, 164]], "Indicator: Backdoor.Weevil.B": [[165, 182]], "Indicator: BKDR_CARETO.A": [[183, 196], [308, 321]], "Indicator: Trojan.Win32.SGH.o": [[213, 231], [439, 457]], "Indicator: Trojan.Win32.SGH.ctugql": [[248, 271]], "Indicator: Backdoor:W32/Mask.A": [[288, 307]], "Indicator: Backdoor.Mask": [[322, 335], [485, 498]], "Indicator: W32/Mask.NPPK-3802": [[336, 354]], "Indicator: Trojan.Win32.a": [[355, 369]], "Indicator: W32.Trojan.Careto": [[370, 387]], 
"Indicator: TR/Heap.A.4": [[388, 399]], "Indicator: Trojan/Win32.SGH": [[400, 416]], "Indicator: Trojan:Win32/Seedna.A": [[417, 438]], "Indicator: Trojan/Win32.Careto.R97388": [[458, 484]], "Indicator: Trj/Careto.A": [[499, 511]], "Indicator: Win32/Appetite.C": [[512, 528]], "Indicator: Win32.Trojan.Sgh.Srmy": [[529, 550]], "Indicator: W32/Themas.G!tr": [[551, 566]], "Indicator: Win32/Trojan.aa5": [[567, 583]]}, "info": {"id": "cyner2_5class_train_07003", "source": "cyner2_5class_train"}} +{"text": "These could include resetting the user ’ s PIN , enabling or disabling various alerts and confirmations , and confirming the user ’ s identity .", "spans": {}, "info": {"id": "cyner2_5class_train_07004", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Ptakks.217 Backdoor.Ptakks.217 Backdoor.Win32.Ptakks!O Trojan.Win32.Ptakks.bdqil Backdoor.Trojan Win32/Ptakks.C BKDR_PTAKKS.B Trojan.Ptakks.216 Backdoor.Win32.Ptakks.217 Backdoor.Ptakks.217 Backdoor.Ptakks.217!9LO95ovp5Xo Backdoor.Win32.Ptakks_217.Svr Backdoor.Ptakks.217 Backdoor.Win32.Ptakks.2_17 Backdoor.Ptakks.217 BackDoor.Ptakks.217 BDS/Ptakks.2 BKDR_PTAKKS.B Backdoor/Ptakks.217 Win32.Hack.Ptakks217.kcloud Backdoor:Win32/Ptakks.2_17 Backdoor.Ptakks.217 W32/Risk.CITI-5061 Trojan/Win32.HDC Backdoor.Ptakks Bck/Ptakks.217 Win32/Ptakks.2_17 PE:Trojan.Ptakks.217!1073777762 Backdoor.Win32.Ptakks W32/Ptakks.217!tr.bdr BackDoor.Ptakks Backdoor.Win32.Ptakks.AY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Ptakks.217": [[26, 45], [46, 65], [205, 224], [287, 306], [334, 353], [476, 495]], "Indicator: Backdoor.Win32.Ptakks!O": [[66, 89]], "Indicator: Trojan.Win32.Ptakks.bdqil": [[90, 115]], "Indicator: Backdoor.Trojan": [[116, 131]], "Indicator: Win32/Ptakks.C": [[132, 146]], "Indicator: BKDR_PTAKKS.B": [[147, 160], [387, 400]], "Indicator: Trojan.Ptakks.216": [[161, 178]], "Indicator: Backdoor.Win32.Ptakks.217": [[179, 204]], "Indicator: Backdoor.Ptakks.217!9LO95ovp5Xo": [[225, 
256]], "Indicator: Backdoor.Win32.Ptakks_217.Svr": [[257, 286]], "Indicator: Backdoor.Win32.Ptakks.2_17": [[307, 333]], "Indicator: BackDoor.Ptakks.217": [[354, 373]], "Indicator: BDS/Ptakks.2": [[374, 386]], "Indicator: Backdoor/Ptakks.217": [[401, 420]], "Indicator: Win32.Hack.Ptakks217.kcloud": [[421, 448]], "Indicator: Backdoor:Win32/Ptakks.2_17": [[449, 475]], "Indicator: W32/Risk.CITI-5061": [[496, 514]], "Indicator: Trojan/Win32.HDC": [[515, 531]], "Indicator: Backdoor.Ptakks": [[532, 547]], "Indicator: Bck/Ptakks.217": [[548, 562]], "Indicator: Win32/Ptakks.2_17": [[563, 580]], "Indicator: PE:Trojan.Ptakks.217!1073777762": [[581, 612]], "Indicator: Backdoor.Win32.Ptakks": [[613, 634]], "Indicator: W32/Ptakks.217!tr.bdr": [[635, 656]], "Indicator: BackDoor.Ptakks": [[657, 672]], "Indicator: Backdoor.Win32.Ptakks.AY": [[673, 697]]}, "info": {"id": "cyner2_5class_train_07005", "source": "cyner2_5class_train"}} +{"text": "It is extremely popular and is currently ranked #10 under Top free Android apps.", "spans": {"System: Android apps.": [[67, 80]]}, "info": {"id": "cyner2_5class_train_07006", "source": "cyner2_5class_train"}} +{"text": "Heaven ’ s gate is still in use in 2017 Stage 2 : A second multi-platform virtual machine The 64-bit stage 2 malware implements another loader combined with another virtual machine .", "spans": {}, "info": {"id": "cyner2_5class_train_07007", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clod22a.Trojan.8281 TrojanDownloader.Bunabom Trojan.Delf.Win32.72720 Trojan/Delf.qzl TROJ_SPNR.0BKS13 TROJ_SPNR.0BKS13 Troj.Delf.Sjr!c trojandownloader.win32.bunabom.a TR/Delf.sjr.1 TrojanDownloader:Win32/Bunabom.A Trojan.Delf!fsmGjeXPdPQ Trojan-Dropper.Delf Win32/Trojan.4da", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod22a.Trojan.8281": [[26, 49]], "Indicator: TrojanDownloader.Bunabom": [[50, 74]], "Indicator: Trojan.Delf.Win32.72720": [[75, 98]], "Indicator: Trojan/Delf.qzl": [[99, 114]], 
"Indicator: TROJ_SPNR.0BKS13": [[115, 131], [132, 148]], "Indicator: Troj.Delf.Sjr!c": [[149, 164]], "Indicator: trojandownloader.win32.bunabom.a": [[165, 197]], "Indicator: TR/Delf.sjr.1": [[198, 211]], "Indicator: TrojanDownloader:Win32/Bunabom.A": [[212, 244]], "Indicator: Trojan.Delf!fsmGjeXPdPQ": [[245, 268]], "Indicator: Trojan-Dropper.Delf": [[269, 288]], "Indicator: Win32/Trojan.4da": [[289, 305]]}, "info": {"id": "cyner2_5class_train_07008", "source": "cyner2_5class_train"}} +{"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A .", "spans": {"Organization: Sophos": [[0, 6]]}, "info": {"id": "cyner2_5class_train_07009", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exploit/W97.CVE-2012-0158 Exp.OLE.CVE-2012-0158.AA Exploit.Ole2.Toolbar!c Win32.Exploit.ShellCode.b Trojan.Mdropper TROJ_CVE20120158.MEVP Win.Trojan.TerminatorRat-2 Exploit.OLE2.Toolbar.a Exploit.ComObj.CVE-2012-0158.hzuf TROJ_CVE20120158.MEVP Trojan.DJPK-4 Exploit.CVE-2012-0158.f MSWord/Toolbar.A!exploit Trojan[Exploit]/MSWord.CVE-2012-0158.di DOC.S.CVE-2012-0158.1106567 Exploit.OLE2.Toolbar.a Exploit.CVE-2012-0158 Exploit.WORD.CVE-2012-0158.A Exploit.CVE-2012-0158 virus.exp.20120158", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit/W97.CVE-2012-0158": [[26, 51]], "Indicator: Exp.OLE.CVE-2012-0158.AA": [[52, 76]], "Indicator: Exploit.Ole2.Toolbar!c": [[77, 99]], "Indicator: Win32.Exploit.ShellCode.b": [[100, 125]], "Indicator: Trojan.Mdropper": [[126, 141]], "Indicator: TROJ_CVE20120158.MEVP": [[142, 163], [248, 269]], "Indicator: Win.Trojan.TerminatorRat-2": [[164, 190]], "Indicator: Exploit.OLE2.Toolbar.a": [[191, 213], [401, 423]], "Indicator: Exploit.ComObj.CVE-2012-0158.hzuf": [[214, 247]], "Indicator: Trojan.DJPK-4": [[270, 283]], "Indicator: Exploit.CVE-2012-0158.f": [[284, 307]], "Indicator: MSWord/Toolbar.A!exploit": [[308, 332]], "Indicator: Trojan[Exploit]/MSWord.CVE-2012-0158.di": [[333, 372]], 
"Indicator: DOC.S.CVE-2012-0158.1106567": [[373, 400]], "Indicator: Exploit.CVE-2012-0158": [[424, 445], [475, 496]], "Indicator: Exploit.WORD.CVE-2012-0158.A": [[446, 474]], "Indicator: virus.exp.20120158": [[497, 515]]}, "info": {"id": "cyner2_5class_train_07010", "source": "cyner2_5class_train"}} +{"text": "HtpRAT, a newly discovered Remote Access Trojan RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming.", "spans": {"Malware: HtpRAT,": [[0, 7]], "Malware: Remote Access Trojan RAT": [[27, 51]], "Malware: RATs": [[92, 96]], "Indicator: remote execution of custom commands and programming.": [[119, 171]]}, "info": {"id": "cyner2_5class_train_07011", "source": "cyner2_5class_train"}} +{"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function – get address of phishing page The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile banking app used by the user .", "spans": {}, "info": {"id": "cyner2_5class_train_07012", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransomware.Weelsof.C5 Trojan/Weelsof.b Trojan.Symmi.D1959 Ransom_Weelsof.R002C0CAD18 Win32.Trojan.Kryptik.tx W32/Trojan2.NUBG Win32/Weelsof.BC Ransom_Weelsof.R002C0CAD18 Trojan.Win32.Weelsof.bbkjex Trojan.Win32.Z.Weelsof.116224 Trojan.Winlock.6870 Trojan.Weelsof.Win32.258 W32/Trojan.ECLA-1171 Trojan/Weelsof.ok TR/Weelsof.wm Trojan/Win32.Weelsof Ransom:Win32/Weelsof.C Trojan/Win32.Weelsof.C408750 Trj/CI.A Trojan.Weelsof.B Win32/Weelsof.B Win32.Trojan.Weelsof.cuoj 
Trojan.Weelsof!AcPYBHX50TA Win32/Trojan.Ransom.434", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransomware.Weelsof.C5": [[26, 47]], "Indicator: Trojan/Weelsof.b": [[48, 64]], "Indicator: Trojan.Symmi.D1959": [[65, 83]], "Indicator: Ransom_Weelsof.R002C0CAD18": [[84, 110], [169, 195]], "Indicator: Win32.Trojan.Kryptik.tx": [[111, 134]], "Indicator: W32/Trojan2.NUBG": [[135, 151]], "Indicator: Win32/Weelsof.BC": [[152, 168]], "Indicator: Trojan.Win32.Weelsof.bbkjex": [[196, 223]], "Indicator: Trojan.Win32.Z.Weelsof.116224": [[224, 253]], "Indicator: Trojan.Winlock.6870": [[254, 273]], "Indicator: Trojan.Weelsof.Win32.258": [[274, 298]], "Indicator: W32/Trojan.ECLA-1171": [[299, 319]], "Indicator: Trojan/Weelsof.ok": [[320, 337]], "Indicator: TR/Weelsof.wm": [[338, 351]], "Indicator: Trojan/Win32.Weelsof": [[352, 372]], "Indicator: Ransom:Win32/Weelsof.C": [[373, 395]], "Indicator: Trojan/Win32.Weelsof.C408750": [[396, 424]], "Indicator: Trj/CI.A": [[425, 433]], "Indicator: Trojan.Weelsof.B": [[434, 450]], "Indicator: Win32/Weelsof.B": [[451, 466]], "Indicator: Win32.Trojan.Weelsof.cuoj": [[467, 492]], "Indicator: Trojan.Weelsof!AcPYBHX50TA": [[493, 519]], "Indicator: Win32/Trojan.Ransom.434": [[520, 543]]}, "info": {"id": "cyner2_5class_train_07013", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Protux.61400 Backdoor.Protux Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_PROTUX.SMZKEB-A Win.Trojan.Protux-22 Trojan.Win32.Protux.illnz TrojWare.Win32.TrojanDownloader.JMXQ.~0 BackDoor.Diho.190 Backdoor.Protux.Win32.108 BKDR_PROTUX.SMZKEB-A Backdoor.Win32.Protux Backdoor/Protux.dj Trojan:Win32/Dingu.A Trojan[Backdoor]/Win32.Protux Trojan.Heur.E43D7C Backdoor:Win32/Protux.B!dll Trojan/Win32.Xema.R89528 Backdoor.Protux Trj/Protux.C Win32/Protux.NAF Win32.Backdoor.Protux.Pfsy Backdoor.Protux!S6uzS9ogTK0 W32/Protux.KJ!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Protux.61400": 
[[26, 51]], "Indicator: Backdoor.Protux": [[52, 67], [464, 479]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[68, 110]], "Indicator: Backdoor.Trojan": [[111, 126]], "Indicator: BKDR_PROTUX.SMZKEB-A": [[127, 147], [279, 299]], "Indicator: Win.Trojan.Protux-22": [[148, 168]], "Indicator: Trojan.Win32.Protux.illnz": [[169, 194]], "Indicator: TrojWare.Win32.TrojanDownloader.JMXQ.~0": [[195, 234]], "Indicator: BackDoor.Diho.190": [[235, 252]], "Indicator: Backdoor.Protux.Win32.108": [[253, 278]], "Indicator: Backdoor.Win32.Protux": [[300, 321]], "Indicator: Backdoor/Protux.dj": [[322, 340]], "Indicator: Trojan:Win32/Dingu.A": [[341, 361]], "Indicator: Trojan[Backdoor]/Win32.Protux": [[362, 391]], "Indicator: Trojan.Heur.E43D7C": [[392, 410]], "Indicator: Backdoor:Win32/Protux.B!dll": [[411, 438]], "Indicator: Trojan/Win32.Xema.R89528": [[439, 463]], "Indicator: Trj/Protux.C": [[480, 492]], "Indicator: Win32/Protux.NAF": [[493, 509]], "Indicator: Win32.Backdoor.Protux.Pfsy": [[510, 536]], "Indicator: Backdoor.Protux!S6uzS9ogTK0": [[537, 564]], "Indicator: W32/Protux.KJ!tr.bdr": [[565, 585]]}, "info": {"id": "cyner2_5class_train_07014", "source": "cyner2_5class_train"}} +{"text": "These malicious apps are distributed via SEO-optimized fake websites, with keywords targeting hot scandals and affairs used.", "spans": {"Malware: malicious apps": [[6, 20]], "Indicator: SEO-optimized fake websites,": [[41, 69]], "Indicator: keywords targeting hot scandals": [[75, 106]], "Indicator: affairs used.": [[111, 124]]}, "info": {"id": "cyner2_5class_train_07015", "source": "cyner2_5class_train"}} +{"text": "Earlier this year, the Andromeda botnet was seen using macro-based malware, which is yet again an old trick.", "spans": {"Malware: Andromeda botnet": [[23, 39]], "Malware: macro-based malware,": [[55, 75]]}, "info": {"id": "cyner2_5class_train_07016", "source": "cyner2_5class_train"}} +{"text": "First observed as early as 2004, NetTraveler is a Trojan used widely in 
targeted attacks.", "spans": {"Malware: NetTraveler": [[33, 44]], "Malware: Trojan": [[50, 56]], "Indicator: targeted attacks.": [[72, 89]]}, "info": {"id": "cyner2_5class_train_07017", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.QqpaNHm.Trojan Backdoor.Hupigon.275309 Trojan.Danginex.A2 Backdoor.Hupigon.275309 Backdoor/Hupigon.pgzz Backdoor.Hupigon.D4336D Win32.Trojan.FakeIME.d Win32/Oflwr.A!crypt Backdoor.Hupigon.275309 Trojan.Win32.Hupigon.chvyyc Backdoor.Hupigon.275309 Backdoor.Hupigon.275309 BackDoor.BlackHole.19996 Backdoor.Hupigon.Win32.133590 Backdoor.Win32.Hupigon TR/Orsam.A.7773 Trojan[Backdoor]/Win32.Hupigon Unwanted/Win32.HackTool.R19815 Backdoor.Hupigon Trojan.Offend!DNC2JYmeA/w", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.QqpaNHm.Trojan": [[26, 50]], "Indicator: Backdoor.Hupigon.275309": [[51, 74], [94, 117], [207, 230], [259, 282], [283, 306]], "Indicator: Trojan.Danginex.A2": [[75, 93]], "Indicator: Backdoor/Hupigon.pgzz": [[118, 139]], "Indicator: Backdoor.Hupigon.D4336D": [[140, 163]], "Indicator: Win32.Trojan.FakeIME.d": [[164, 186]], "Indicator: Win32/Oflwr.A!crypt": [[187, 206]], "Indicator: Trojan.Win32.Hupigon.chvyyc": [[231, 258]], "Indicator: BackDoor.BlackHole.19996": [[307, 331]], "Indicator: Backdoor.Hupigon.Win32.133590": [[332, 361]], "Indicator: Backdoor.Win32.Hupigon": [[362, 384]], "Indicator: TR/Orsam.A.7773": [[385, 400]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[401, 431]], "Indicator: Unwanted/Win32.HackTool.R19815": [[432, 462]], "Indicator: Backdoor.Hupigon": [[463, 479]], "Indicator: Trojan.Offend!DNC2JYmeA/w": [[480, 505]]}, "info": {"id": "cyner2_5class_train_07018", "source": "cyner2_5class_train"}} +{"text": "Armed with this code , we removed this first layer of anti-analysis protection .", "spans": {}, "info": {"id": "cyner2_5class_train_07019", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Tinba.19899 W32/Trojan.WNMW-0038 
TROJ_MALKRYP.SM7 Trojan.Win32.Androm.dqyyyn Trojan.PWS.Tinba.161 Trojan.Zbot.Win32.178596 TROJ_MALKRYP.SM7 BehavesLike.Win32.PWSZbot.dc Trojan/PSW.Tepfer.ccuq TR/Bunitu.A.194 Trojan.Graftor.D2D2CC TrojanDownloader:Win32/Tonnejoom.A Trojan/Win32.ZBot.R141968 Trojan.ProxyChanger!r8e5ImNFSC4 Trojan.Win32.Injector W32/Injector.BZCD!tr Trojan.ProxyChanger", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tinba.19899": [[26, 44]], "Indicator: W32/Trojan.WNMW-0038": [[45, 65]], "Indicator: TROJ_MALKRYP.SM7": [[66, 82], [156, 172]], "Indicator: Trojan.Win32.Androm.dqyyyn": [[83, 109]], "Indicator: Trojan.PWS.Tinba.161": [[110, 130]], "Indicator: Trojan.Zbot.Win32.178596": [[131, 155]], "Indicator: BehavesLike.Win32.PWSZbot.dc": [[173, 201]], "Indicator: Trojan/PSW.Tepfer.ccuq": [[202, 224]], "Indicator: TR/Bunitu.A.194": [[225, 240]], "Indicator: Trojan.Graftor.D2D2CC": [[241, 262]], "Indicator: TrojanDownloader:Win32/Tonnejoom.A": [[263, 297]], "Indicator: Trojan/Win32.ZBot.R141968": [[298, 323]], "Indicator: Trojan.ProxyChanger!r8e5ImNFSC4": [[324, 355]], "Indicator: Trojan.Win32.Injector": [[356, 377]], "Indicator: W32/Injector.BZCD!tr": [[378, 398]], "Indicator: Trojan.ProxyChanger": [[399, 418]]}, "info": {"id": "cyner2_5class_train_07020", "source": "cyner2_5class_train"}} +{"text": "Once again , it does n't seem to actually be in use .", "spans": {}, "info": {"id": "cyner2_5class_train_07021", "source": "cyner2_5class_train"}} +{"text": "During the month of November, Proofpoint observed multiple campaigns from TA530 - an actor we have previously referred to as the personalized actor for their highly personalized campaigns - targeting customer service and managerial staff at retailers.", "spans": {"Organization: Proofpoint": [[30, 40]], "Organization: customer service": [[200, 216]], "Organization: managerial staff at retailers.": [[221, 251]]}, "info": {"id": "cyner2_5class_train_07022", "source": "cyner2_5class_train"}} +{"text": "EternalRocks is a 
network worm i.e. self-replicating, emerged in first half of May 2017.", "spans": {"Malware: EternalRocks": [[0, 12]], "Malware: network worm": [[18, 30]]}, "info": {"id": "cyner2_5class_train_07023", "source": "cyner2_5class_train"}} +{"text": "We'll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.", "spans": {}, "info": {"id": "cyner2_5class_train_07024", "source": "cyner2_5class_train"}} +{"text": "The attack used highly targeted malicious software to destroy the TV network systems.", "spans": {"Malware: malicious software": [[32, 50]], "System: TV network systems.": [[66, 85]]}, "info": {"id": "cyner2_5class_train_07025", "source": "cyner2_5class_train"}} +{"text": "Proofpoint researchers recently observed a campaign targeting telecom and military in Russia.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Organization: telecom": [[62, 69]], "Organization: military": [[74, 82]]}, "info": {"id": "cyner2_5class_train_07026", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.65536.HV TrojanDownloader.Kolilks.B5 Trojan/Scar.cavw Trojan.Graftor.Elzob.D3707 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/SillyDl.HER TROJ_DLOADE.SMEP Trojan.Win32.Scar.bxwdr Trojan.DownLoad1.2460 TROJ_DLOADE.SMEP W32.Malware.Downloader Trojan/Win32.Scar TrojanDownloader:Win32/Kolilks.B Trojan.Win32.A.Scar.48640.J Trojan/Win32.Scar.R4127 TrojanDownloader.BHO Worm.Win32.Kolios.a Trojan-Downloader.Win32.Kolilks W32/Mdrop.EB!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.65536.HV": [[26, 57]], "Indicator: TrojanDownloader.Kolilks.B5": [[58, 85]], "Indicator: Trojan/Scar.cavw": [[86, 102]], "Indicator: Trojan.Graftor.Elzob.D3707": [[103, 129]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[130, 172]], "Indicator: Trojan.Dropper": [[173, 187]], "Indicator: Win32/SillyDl.HER": [[188, 205]], "Indicator: 
TROJ_DLOADE.SMEP": [[206, 222], [269, 285]], "Indicator: Trojan.Win32.Scar.bxwdr": [[223, 246]], "Indicator: Trojan.DownLoad1.2460": [[247, 268]], "Indicator: W32.Malware.Downloader": [[286, 308]], "Indicator: Trojan/Win32.Scar": [[309, 326]], "Indicator: TrojanDownloader:Win32/Kolilks.B": [[327, 359]], "Indicator: Trojan.Win32.A.Scar.48640.J": [[360, 387]], "Indicator: Trojan/Win32.Scar.R4127": [[388, 411]], "Indicator: TrojanDownloader.BHO": [[412, 432]], "Indicator: Worm.Win32.Kolios.a": [[433, 452]], "Indicator: Trojan-Downloader.Win32.Kolilks": [[453, 484]], "Indicator: W32/Mdrop.EB!tr": [[485, 500]]}, "info": {"id": "cyner2_5class_train_07027", "source": "cyner2_5class_train"}} +{"text": "Stealing FTP credentials and browser cookies", "spans": {"Indicator: Stealing FTP credentials": [[0, 24]], "Indicator: browser cookies": [[29, 44]]}, "info": {"id": "cyner2_5class_train_07028", "source": "cyner2_5class_train"}} +{"text": "In this campaign, a PDF file with an embedded javascript is used to download the payload from a Google Drive shared link.", "spans": {"Indicator: a PDF file": [[18, 28]], "Indicator: an embedded javascript": [[34, 56]], "Malware: the payload": [[77, 88]], "System: Google Drive": [[96, 108]], "Indicator: link.": [[116, 121]]}, "info": {"id": "cyner2_5class_train_07029", "source": "cyner2_5class_train"}} +{"text": "In addition , we uncovered the IMEIs of the targeted individuals ( IMEIs will not be shared publicly for the privacy and safety of the victims ) as well as the types of exfiltrated content .", "spans": {}, "info": {"id": "cyner2_5class_train_07030", "source": "cyner2_5class_train"}} +{"text": "With the new architecture, PluginPhantom achieves more flexibility to update its modules without reinstalling apps.", "spans": {"System: architecture,": [[13, 26]], "Malware: PluginPhantom": [[27, 40]], "System: apps.": [[110, 115]]}, "info": {"id": "cyner2_5class_train_07031", "source": "cyner2_5class_train"}} +{"text": "A backdoor also 
known as: Pwstool.Netpass Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Riskware.WebBrowserPassView.A Riskware.Win32.PassView.eqrnrb Tool.PassView.1871 BehavesLike.Win32.Dropper.gc PSWTool.NetPass.gh RiskWare[PSWTool]/Win32.NetPass PUP.Optional.PasswordViewer Riskware.PSWTool! Win32/Virus.PSW.a52", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Pwstool.Netpass": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: Win32.Riskware.WebBrowserPassView.A": [[85, 120]], "Indicator: Riskware.Win32.PassView.eqrnrb": [[121, 151]], "Indicator: Tool.PassView.1871": [[152, 170]], "Indicator: BehavesLike.Win32.Dropper.gc": [[171, 199]], "Indicator: PSWTool.NetPass.gh": [[200, 218]], "Indicator: RiskWare[PSWTool]/Win32.NetPass": [[219, 250]], "Indicator: PUP.Optional.PasswordViewer": [[251, 278]], "Indicator: Riskware.PSWTool!": [[279, 296]], "Indicator: Win32/Virus.PSW.a52": [[297, 316]]}, "info": {"id": "cyner2_5class_train_07032", "source": "cyner2_5class_train"}} +{"text": "The table below shows the commands available to the operator for tasking on infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_07033", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameERALV.Trojan Trojan/W32.Loader.36932 Trojan.Win32.Loader!O Trojan.Myma.A3 Trojan.Loader.Win32.2 Troj.W32.Loader.c!c Trojan/Loader.c Trojan.Graftor.D51D2 Win32.Trojan.Loader.b Backdoor.Trojan Win32/Loader.B TROJ_LOADER.SMIA Win.Trojan.Starter-291 Trojan.Win32.Loader.c Trojan.Win32.Loader.bwzwn Trojan.Win32.A.Loader.36864 Trojan.Loader.575 TROJ_LOADER.SMIA Trojan/Loader.b Backdoor.Trojan TR/Loader.C Trojan/Win32.Loader Trojan:Win32/Loader.WOD Trojan.Win32.Loader.c Trojan/Win32.Loader.R4213 Trojan.Loader Trj/Loader.B Trojan.Win32.Loader.cc Trojan.Loader!V/30nEGDEMU Trojan.Win32.LOADER W32/LOADER.C!tr Trojan.PSW.Win32.QQPass.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameERALV.Trojan": [[26, 48]], "Indicator: 
Trojan/W32.Loader.36932": [[49, 72]], "Indicator: Trojan.Win32.Loader!O": [[73, 94]], "Indicator: Trojan.Myma.A3": [[95, 109]], "Indicator: Trojan.Loader.Win32.2": [[110, 131]], "Indicator: Troj.W32.Loader.c!c": [[132, 151]], "Indicator: Trojan/Loader.c": [[152, 167]], "Indicator: Trojan.Graftor.D51D2": [[168, 188]], "Indicator: Win32.Trojan.Loader.b": [[189, 210]], "Indicator: Backdoor.Trojan": [[211, 226], [409, 424]], "Indicator: Win32/Loader.B": [[227, 241]], "Indicator: TROJ_LOADER.SMIA": [[242, 258], [376, 392]], "Indicator: Win.Trojan.Starter-291": [[259, 281]], "Indicator: Trojan.Win32.Loader.c": [[282, 303], [481, 502]], "Indicator: Trojan.Win32.Loader.bwzwn": [[304, 329]], "Indicator: Trojan.Win32.A.Loader.36864": [[330, 357]], "Indicator: Trojan.Loader.575": [[358, 375]], "Indicator: Trojan/Loader.b": [[393, 408]], "Indicator: TR/Loader.C": [[425, 436]], "Indicator: Trojan/Win32.Loader": [[437, 456]], "Indicator: Trojan:Win32/Loader.WOD": [[457, 480]], "Indicator: Trojan/Win32.Loader.R4213": [[503, 528]], "Indicator: Trojan.Loader": [[529, 542]], "Indicator: Trj/Loader.B": [[543, 555]], "Indicator: Trojan.Win32.Loader.cc": [[556, 578]], "Indicator: Trojan.Loader!V/30nEGDEMU": [[579, 604]], "Indicator: Trojan.Win32.LOADER": [[605, 624]], "Indicator: W32/LOADER.C!tr": [[625, 640]], "Indicator: Trojan.PSW.Win32.QQPass.D": [[641, 666]]}, "info": {"id": "cyner2_5class_train_07034", "source": "cyner2_5class_train"}} +{"text": "A possible indication for timing might be when the app reaches a specific number of downloads or infected devices .", "spans": {}, "info": {"id": "cyner2_5class_train_07035", "source": "cyner2_5class_train"}} +{"text": "This app carries a number of the capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages Upload voice notes , contacts stored , accounts , call logs , location information , and images Upload the expanded list of collected device information ( e.g. 
, IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) Upload SIM information ( e.g. , IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) Upload other information ( e.g. , display , date , time , fingerprint , created at , and updated at ) The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database .", "spans": {"System: GSM": [[55, 58]], "System: WhatsApp": [[61, 69]], "System: Telegram": [[72, 80]], "System: Facebook": [[83, 91]], "System: Threema": [[98, 105]], "System: Android": [[330, 337]]}, "info": {"id": "cyner2_5class_train_07036", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_FAM_00005ae.TOMA Win32.Trojan-Downloader.Small.bh W32/Downldr2.GMBK TROJ_FAM_00005ae.TOMA Win.Downloader.77716-1 Trojan.Win32.DownLoad.cvxyj Trojan.DownLoad.50492 Backdoor.CPEX.Win32.14166 W32/Downloader.FCDJ-0388", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_FAM_00005ae.TOMA": [[26, 47], [99, 120]], "Indicator: Win32.Trojan-Downloader.Small.bh": [[48, 80]], "Indicator: W32/Downldr2.GMBK": [[81, 98]], "Indicator: Win.Downloader.77716-1": [[121, 143]], "Indicator: Trojan.Win32.DownLoad.cvxyj": [[144, 171]], "Indicator: Trojan.DownLoad.50492": [[172, 193]], "Indicator: Backdoor.CPEX.Win32.14166": [[194, 219]], "Indicator: W32/Downloader.FCDJ-0388": [[220, 244]]}, "info": {"id": "cyner2_5class_train_07037", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.FraudPack.30252 Trojan.Win32.FraudPack!O TjnDownldr.Ladivyrop.S79502 Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.FraudPack.aie Trojan.Win32.FraudPack.cysfht Trojan.FraudPack.Win32.31030 
BehavesLike.Win32.Dropper.mc Trojan-Downloader.Win32.Adload Trojan/FraudPack.anzn Trojan.Kazy.D5D389 Trojan.Win32.FraudPack.aie TrojanDownloader:Win32/Ladivyrop.A Trojan.FraudPack Trojan.FraudPack!cVlSVwD6LBI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.FraudPack.30252": [[26, 52]], "Indicator: Trojan.Win32.FraudPack!O": [[53, 77]], "Indicator: TjnDownldr.Ladivyrop.S79502": [[78, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[106, 148]], "Indicator: Trojan.Win32.FraudPack.aie": [[149, 175], [336, 362]], "Indicator: Trojan.Win32.FraudPack.cysfht": [[176, 205]], "Indicator: Trojan.FraudPack.Win32.31030": [[206, 234]], "Indicator: BehavesLike.Win32.Dropper.mc": [[235, 263]], "Indicator: Trojan-Downloader.Win32.Adload": [[264, 294]], "Indicator: Trojan/FraudPack.anzn": [[295, 316]], "Indicator: Trojan.Kazy.D5D389": [[317, 335]], "Indicator: TrojanDownloader:Win32/Ladivyrop.A": [[363, 397]], "Indicator: Trojan.FraudPack": [[398, 414]], "Indicator: Trojan.FraudPack!cVlSVwD6LBI": [[415, 443]]}, "info": {"id": "cyner2_5class_train_07038", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.F2DC Trojan.JS.StartPage!O Win32.Trojan.WisdomEyes.16070401.9500.9691 W32/Meredrop.MBVJ-0788 HV_STARTPAGE_CA223323.TOMC Trojan.JS.StartPage.dv Trojan.JS.StartPage.dv Trojan.Script.Ocyt.cqtcgb Trojan.StartPage.35625 Trojan.Win32.Meredrop BehavesLike.Win32.RansomTescrypt.nc Trojan.JS.IEstart W32/Meredrop.DRO Trojan/JS.te W32.Trojan.Meredrop Win32.Troj.Undef.kcloud Trojan:JS/Ociyota.A Trojan.JS.StartPage.dv Trojan/Win32.StartPage.C53044 Trojan.Win32.Meredrop Trojan.Meredrop!IA1ZWY8Gf9I W32/StartPage.IMA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.F2DC": [[26, 42]], "Indicator: Trojan.JS.StartPage!O": [[43, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9691": [[65, 107]], "Indicator: W32/Meredrop.MBVJ-0788": [[108, 130]], "Indicator: HV_STARTPAGE_CA223323.TOMC": [[131, 157]], 
"Indicator: Trojan.JS.StartPage.dv": [[158, 180], [181, 203], [423, 445]], "Indicator: Trojan.Script.Ocyt.cqtcgb": [[204, 229]], "Indicator: Trojan.StartPage.35625": [[230, 252]], "Indicator: Trojan.Win32.Meredrop": [[253, 274], [476, 497]], "Indicator: BehavesLike.Win32.RansomTescrypt.nc": [[275, 310]], "Indicator: Trojan.JS.IEstart": [[311, 328]], "Indicator: W32/Meredrop.DRO": [[329, 345]], "Indicator: Trojan/JS.te": [[346, 358]], "Indicator: W32.Trojan.Meredrop": [[359, 378]], "Indicator: Win32.Troj.Undef.kcloud": [[379, 402]], "Indicator: Trojan:JS/Ociyota.A": [[403, 422]], "Indicator: Trojan/Win32.StartPage.C53044": [[446, 475]], "Indicator: Trojan.Meredrop!IA1ZWY8Gf9I": [[498, 525]], "Indicator: W32/StartPage.IMA!tr": [[526, 546]]}, "info": {"id": "cyner2_5class_train_07039", "source": "cyner2_5class_train"}} +{"text": "Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn .", "spans": {"System: Adobe Flash": [[74, 85]], "System: YouPorn": [[89, 96]]}, "info": {"id": "cyner2_5class_train_07040", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.BlackEnergy.Trojan Trojan/W32.Small.27648.MW Trojan.Win32.Jorik.Tedroo!O Trojan.Mauvaise.SL1 Win32.Trojan.BlackEnergy.b Backdoor.Win32.BlackEnergy.d Backdoor.Win32.A.Kbot.27648.B TrojWare.Win32.Rootkit.BlackEnergy.AC Trojan-Downloader.Win32.Phdet Backdoor/Kbot.ara Trojan[Backdoor]/Win32.Kbot TrojanDownloader:Win32/Phdet.E Backdoor.Win32.BlackEnergy.d Backdoor/Win32.Kbot.R47968 Backdoor.BlackEnergy Backdoor.Kbot!JCoulsYcyBQ W32/BlackEnergy.AC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BlackEnergy.Trojan": [[26, 48]], "Indicator: Trojan/W32.Small.27648.MW": [[49, 74]], "Indicator: Trojan.Win32.Jorik.Tedroo!O": [[75, 102]], "Indicator: Trojan.Mauvaise.SL1": [[103, 122]], "Indicator: Win32.Trojan.BlackEnergy.b": [[123, 149]], "Indicator: Backdoor.Win32.BlackEnergy.d": [[150, 178], [354, 382]], "Indicator: 
Backdoor.Win32.A.Kbot.27648.B": [[179, 208]], "Indicator: TrojWare.Win32.Rootkit.BlackEnergy.AC": [[209, 246]], "Indicator: Trojan-Downloader.Win32.Phdet": [[247, 276]], "Indicator: Backdoor/Kbot.ara": [[277, 294]], "Indicator: Trojan[Backdoor]/Win32.Kbot": [[295, 322]], "Indicator: TrojanDownloader:Win32/Phdet.E": [[323, 353]], "Indicator: Backdoor/Win32.Kbot.R47968": [[383, 409]], "Indicator: Backdoor.BlackEnergy": [[410, 430]], "Indicator: Backdoor.Kbot!JCoulsYcyBQ": [[431, 456]], "Indicator: W32/BlackEnergy.AC!tr": [[457, 478]]}, "info": {"id": "cyner2_5class_train_07041", "source": "cyner2_5class_train"}} +{"text": "Several papers have been published about the group's operations, but until the Epic Turla research was published by Kaspersky Lab, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering-hole attacks.", "spans": {"Organization: Kaspersky Lab,": [[116, 130]], "Indicator: watering-hole attacks.": [[262, 284]]}, "info": {"id": "cyner2_5class_train_07042", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Clodfcc.Trojan.046a TrojanDownloader.Halocy Win32.Trojan.WisdomEyes.16070401.9500.9785 Trojan.Win32.Palibu.ekyevo Troj.Banker.W32.Palibu!c BehavesLike.Win32.Dropper.vh W32/Trojan.JGOQ-7647 TR/Spy.Banker.ysyj W32/Delf.BUL!tr.dldr TrojanDownloader:Win32/Halocy.B!bit Trojan/Win32.Banload.C1318047 Trojan.DL.Delf!CR51fUDm05E Trojan.Spy.Banker Trj/CI.A Win32/Trojan.ca7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodfcc.Trojan.046a": [[26, 49]], "Indicator: TrojanDownloader.Halocy": [[50, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9785": [[74, 116]], "Indicator: Trojan.Win32.Palibu.ekyevo": [[117, 143]], "Indicator: Troj.Banker.W32.Palibu!c": [[144, 168]], "Indicator: BehavesLike.Win32.Dropper.vh": [[169, 197]], "Indicator: W32/Trojan.JGOQ-7647": [[198, 218]], "Indicator: TR/Spy.Banker.ysyj": [[219, 237]], "Indicator: 
W32/Delf.BUL!tr.dldr": [[238, 258]], "Indicator: TrojanDownloader:Win32/Halocy.B!bit": [[259, 294]], "Indicator: Trojan/Win32.Banload.C1318047": [[295, 324]], "Indicator: Trojan.DL.Delf!CR51fUDm05E": [[325, 351]], "Indicator: Trojan.Spy.Banker": [[352, 369]], "Indicator: Trj/CI.A": [[370, 378]], "Indicator: Win32/Trojan.ca7": [[379, 395]]}, "info": {"id": "cyner2_5class_train_07043", "source": "cyner2_5class_train"}} +{"text": "In this post, we are going to explain how Dridex gain persistence in the system and how Dridex performs AtomBombing in detail.", "spans": {"Malware: Dridex": [[42, 48], [88, 94]], "System: the system": [[69, 79]], "Indicator: AtomBombing": [[104, 115]]}, "info": {"id": "cyner2_5class_train_07044", "source": "cyner2_5class_train"}} +{"text": "The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols .", "spans": {"System: iOS": [[4, 7]], "System: Android": [[56, 63]]}, "info": {"id": "cyner2_5class_train_07045", "source": "cyner2_5class_train"}} +{"text": "This server runs an instance of ‘ Parse Server ’ ( source on GitHub ) , an open source version of the Parse Backend infrastructure , which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications , while also providing features such as user management , push notifications and more .", "spans": {"Organization: GitHub": [[61, 67]]}, "info": {"id": "cyner2_5class_train_07046", "source": "cyner2_5class_train"}} +{"text": "Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred.", "spans": {"Organization: Managed Defense": [[50, 65]], "Malware: the threat": [[98, 108]]}, "info": {"id": "cyner2_5class_train_07047", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_SAMSA.H Win32.Trojan.WisdomEyes.16070401.9500.9936 
W32/Trojan.XHGP-7520 Win32/SillyDl.GBZ TROJ_SAMSA.H Win.Trojan.Inject-46 Trojan.Win32.Samsa.rznk Trojan.Win32.A.Samsa.53248 Troj.W32.Samsa.e!c Backdoor:W32/Enfal.K BackDoor.Mask Trojan-Ransom.SamSam W32/Trojan.BDWY Trojan/PSW.Almat.vn TR/Enfal.F Trojan/Win32.Enfal Win32.Troj.Samsa.d.kcloud Trojan.Symmi.D100E7 Trojan:Win32/Samsa.A Trojan.Win32.Samsa.aw Trj/Qhost.ER Win32.Trojan.Invader.Duml W32/Samsa.H!tr Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_SAMSA.H": [[26, 38], [121, 133]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9936": [[39, 81]], "Indicator: W32/Trojan.XHGP-7520": [[82, 102]], "Indicator: Win32/SillyDl.GBZ": [[103, 120]], "Indicator: Win.Trojan.Inject-46": [[134, 154]], "Indicator: Trojan.Win32.Samsa.rznk": [[155, 178]], "Indicator: Trojan.Win32.A.Samsa.53248": [[179, 205]], "Indicator: Troj.W32.Samsa.e!c": [[206, 224]], "Indicator: Backdoor:W32/Enfal.K": [[225, 245]], "Indicator: BackDoor.Mask": [[246, 259]], "Indicator: Trojan-Ransom.SamSam": [[260, 280]], "Indicator: W32/Trojan.BDWY": [[281, 296]], "Indicator: Trojan/PSW.Almat.vn": [[297, 316]], "Indicator: TR/Enfal.F": [[317, 327]], "Indicator: Trojan/Win32.Enfal": [[328, 346]], "Indicator: Win32.Troj.Samsa.d.kcloud": [[347, 372]], "Indicator: Trojan.Symmi.D100E7": [[373, 392]], "Indicator: Trojan:Win32/Samsa.A": [[393, 413]], "Indicator: Trojan.Win32.Samsa.aw": [[414, 435]], "Indicator: Trj/Qhost.ER": [[436, 448]], "Indicator: Win32.Trojan.Invader.Duml": [[449, 474]], "Indicator: W32/Samsa.H!tr": [[475, 489]], "Indicator: Win32/Trojan.e6d": [[490, 506]]}, "info": {"id": "cyner2_5class_train_07048", "source": "cyner2_5class_train"}} +{"text": "It 's one of the strings - \" How you 'll sign in '' - that it looks for during the account creation process .", "spans": {}, "info": {"id": "cyner2_5class_train_07049", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Scar.dxkn Trojan.Win32.Scar.ecdkn Scar.HF TROJ_SCAR_000002b.TOMA 
Trojan.Win32.Scar.dxkn Trojan.Scar!44JrqMeLFEQ BackDoor.IRC.Bot.947 SPR/Tool.271360 TROJ_SCAR_000002b.TOMA Trojan/Scar.abjq Backdoor:Win32/ProxyBot.D Trojan/Win32.Scar Win32/CryptExe.A Trj/Scar.AL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Scar.dxkn": [[26, 42]], "Indicator: Trojan.Win32.Scar.ecdkn": [[43, 66]], "Indicator: Scar.HF": [[67, 74]], "Indicator: TROJ_SCAR_000002b.TOMA": [[75, 97], [182, 204]], "Indicator: Trojan.Win32.Scar.dxkn": [[98, 120]], "Indicator: Trojan.Scar!44JrqMeLFEQ": [[121, 144]], "Indicator: BackDoor.IRC.Bot.947": [[145, 165]], "Indicator: SPR/Tool.271360": [[166, 181]], "Indicator: Trojan/Scar.abjq": [[205, 221]], "Indicator: Backdoor:Win32/ProxyBot.D": [[222, 247]], "Indicator: Trojan/Win32.Scar": [[248, 265]], "Indicator: Win32/CryptExe.A": [[266, 282]], "Indicator: Trj/Scar.AL": [[283, 294]]}, "info": {"id": "cyner2_5class_train_07050", "source": "cyner2_5class_train"}} +{"text": "At least three of the messages were intended to check a user ’ s account balance at the institution ( we could not confirm the purpose of the fourth ) .Through additional research , we identified several forum posts where victims complained of funds ( up to 600 rubles ) were transferred out of their accounts after RuMMS infected their phones .", "spans": {"Malware: RuMMS": [[316, 321]]}, "info": {"id": "cyner2_5class_train_07051", "source": "cyner2_5class_train"}} +{"text": "In this blog, we will discuss how the TinyV Trojan spreads and how it works.", "spans": {"Indicator: TinyV Trojan": [[38, 50]]}, "info": {"id": "cyner2_5class_train_07052", "source": "cyner2_5class_train"}} +{"text": "Akamai researchers on the Security Intelligence Response Team SIRT have discovered a new Go-based, DDoS-focused botnet.", "spans": {"Organization: Akamai researchers": [[0, 18]], "Organization: the Security Intelligence Response Team SIRT": [[22, 66]], "Malware: Go-based, DDoS-focused botnet.": [[89, 119]]}, "info": {"id": "cyner2_5class_train_07053", 
"source": "cyner2_5class_train"}} +{"text": "By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.", "spans": {"Malware: Trigona ransomware": [[13, 31]], "Organization: VirusTotal,": [[72, 83]], "Organization: Unit 42": [[112, 119]], "Malware: Trigona": [[158, 165]], "Organization: potential victims": [[221, 238]], "Indicator: compromised.": [[245, 257]]}, "info": {"id": "cyner2_5class_train_07054", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SayokaroiEA.Trojan Worm.Hilgild.A4 Troj.Banker.W32.Tinba.mAnM Trojan.Symmi.DB2FC W32.SillyFDC WORM_HILGIL.SMRP Trojan.Win32.Hesv.avgr Win32.Trojan.Hesv.Wwok TrojWare.Win32.Hilgild.AKO BackDoor.Nethief.310 WORM_HILGIL.SMRP Worm:Win32/Hilgild.A Trojan.Win32.Hesv.avgr Worm.Win32.Hilgild.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SayokaroiEA.Trojan": [[26, 48]], "Indicator: Worm.Hilgild.A4": [[49, 64]], "Indicator: Troj.Banker.W32.Tinba.mAnM": [[65, 91]], "Indicator: Trojan.Symmi.DB2FC": [[92, 110]], "Indicator: W32.SillyFDC": [[111, 123]], "Indicator: WORM_HILGIL.SMRP": [[124, 140], [235, 251]], "Indicator: Trojan.Win32.Hesv.avgr": [[141, 163], [273, 295]], "Indicator: Win32.Trojan.Hesv.Wwok": [[164, 186]], "Indicator: TrojWare.Win32.Hilgild.AKO": [[187, 213]], "Indicator: BackDoor.Nethief.310": [[214, 234]], "Indicator: Worm:Win32/Hilgild.A": [[252, 272]], "Indicator: Worm.Win32.Hilgild.A": [[296, 316]]}, "info": {"id": "cyner2_5class_train_07055", "source": "cyner2_5class_train"}} +{"text": "These examples , together with the HenBox app placed on a very specific third-party app store , point clearly to at least some of the intended targets of these malicious apps being Uyghurs , specifically those with interest in or association with terrorist groups .", "spans": {"Malware: 
HenBox": [[35, 41]]}, "info": {"id": "cyner2_5class_train_07056", "source": "cyner2_5class_train"}} +{"text": "This RAT records all the calls and stores the recording to an “ .amr ” file .", "spans": {"Indicator: .amr": [[64, 68]]}, "info": {"id": "cyner2_5class_train_07057", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Deshacop.195072 Ransomware.ShinoLock.A3 Ransom.ShinoLocker.MSIL Trojan.Ransom.Shinolock.5 Ransom_SHINOLOCK.SMI0 Win32.Trojan.WisdomEyes.16070401.9500.9975 Ransom_SHINOLOCK.SMI0 Trojan.Win32.Ransom.195074 Trojan.DownLoader22.15733 Trojan.Win32.Filecoder Trojan.Deshacop.rk Ransom:MSIL/ShinoLock.A Trj/GdSda.A Trojan-Ransom.Win32.ShinoLocker.a Trojan.Deshacop!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Deshacop.195072": [[26, 52]], "Indicator: Ransomware.ShinoLock.A3": [[53, 76]], "Indicator: Ransom.ShinoLocker.MSIL": [[77, 100]], "Indicator: Trojan.Ransom.Shinolock.5": [[101, 126]], "Indicator: Ransom_SHINOLOCK.SMI0": [[127, 148], [192, 213]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[149, 191]], "Indicator: Trojan.Win32.Ransom.195074": [[214, 240]], "Indicator: Trojan.DownLoader22.15733": [[241, 266]], "Indicator: Trojan.Win32.Filecoder": [[267, 289]], "Indicator: Trojan.Deshacop.rk": [[290, 308]], "Indicator: Ransom:MSIL/ShinoLock.A": [[309, 332]], "Indicator: Trj/GdSda.A": [[333, 344]], "Indicator: Trojan-Ransom.Win32.ShinoLocker.a": [[345, 378]], "Indicator: Trojan.Deshacop!": [[379, 395]]}, "info": {"id": "cyner2_5class_train_07058", "source": "cyner2_5class_train"}} +{"text": "It can turn off “ VerifyApps ” and enable the installation of apps from 3rd party stores by changing system settings .", "spans": {}, "info": {"id": "cyner2_5class_train_07059", "source": "cyner2_5class_train"}} +{"text": "The Dukes primarily target Western governments and related organizations, suchas government ministries and agencies, political think tanks, and governmental subcontractors.", 
"spans": {"Organization: Western governments": [[27, 46]], "Organization: organizations,": [[59, 73]], "Organization: government ministries": [[81, 102]], "Organization: agencies, political think tanks,": [[107, 139]], "Organization: governmental subcontractors.": [[144, 172]]}, "info": {"id": "cyner2_5class_train_07060", "source": "cyner2_5class_train"}} +{"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year .", "spans": {"Malware: Gooligan": [[0, 8]], "Malware: SnapPea": [[90, 97]]}, "info": {"id": "cyner2_5class_train_07061", "source": "cyner2_5class_train"}} +{"text": "Over the last few weeks, we collaborated with ClearSky and uncovered several indicators that were researched and found to be related to a new hacking campaign targeting large Vietnamese organisations.", "spans": {"Organization: ClearSky": [[46, 54]], "Organization: Vietnamese organisations.": [[175, 200]]}, "info": {"id": "cyner2_5class_train_07062", "source": "cyner2_5class_train"}} +{"text": "The critically acclaimed show focuses on a fictional group of political hacktivists, and follows a young cybersecurity engineer called Elliot Alderson who suffers from social anxiety disorder and forms connections through hacking.", "spans": {}, "info": {"id": "cyner2_5class_train_07063", "source": "cyner2_5class_train"}} +{"text": "However , the botnet operators can start distributing other malware , including ransomware , at any time warns Štefanko .", "spans": {}, "info": {"id": "cyner2_5class_train_07064", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Sartmob.r3 Trojan.StartPage!bEEY6Bd79s4 Trojan.Zbot Trojan.MSIL.StartPage.az Trojan.Win32.StartPage.cvohfz Trojan.StartPage.61440 W32/Trojan.CBVH-4150 Trojan/MSIL.bjlms.aigeayx Trojan/MSIL.StartPage Trojan:MSIL/Sartmob.A Trojan.MSIL.StartPage Trj/CI.A MSIL/StartPage.AD Msil.Trojan.Startpage.Efus Trojan.MSIL2 W32/StartPage.AZ!tr MSIL2.BIFV 
Trojan.MSIL.StartPage.az Win32/Trojan.Dropper.a9c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Sartmob.r3": [[26, 43]], "Indicator: Trojan.StartPage!bEEY6Bd79s4": [[44, 72]], "Indicator: Trojan.Zbot": [[73, 84]], "Indicator: Trojan.MSIL.StartPage.az": [[85, 109], [374, 398]], "Indicator: Trojan.Win32.StartPage.cvohfz": [[110, 139]], "Indicator: Trojan.StartPage.61440": [[140, 162]], "Indicator: W32/Trojan.CBVH-4150": [[163, 183]], "Indicator: Trojan/MSIL.bjlms.aigeayx": [[184, 209]], "Indicator: Trojan/MSIL.StartPage": [[210, 231]], "Indicator: Trojan:MSIL/Sartmob.A": [[232, 253]], "Indicator: Trojan.MSIL.StartPage": [[254, 275]], "Indicator: Trj/CI.A": [[276, 284]], "Indicator: MSIL/StartPage.AD": [[285, 302]], "Indicator: Msil.Trojan.Startpage.Efus": [[303, 329]], "Indicator: Trojan.MSIL2": [[330, 342]], "Indicator: W32/StartPage.AZ!tr": [[343, 362]], "Indicator: MSIL2.BIFV": [[363, 373]], "Indicator: Win32/Trojan.Dropper.a9c": [[399, 423]]}, "info": {"id": "cyner2_5class_train_07065", "source": "cyner2_5class_train"}} +{"text": "After we blocked those samples , they moved a significant portion of malicious functionality into the native library , which resulted in a rather peculiar back and forth between Dalvik and native code : COMMAND & CONTROL Dynamic Shortcodes & Content Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details .", "spans": {}, "info": {"id": "cyner2_5class_train_07066", "source": "cyner2_5class_train"}} +{"text": "The same event interception is used to place the webview overlay when the user tries to access the targeted applications , allowing it to display its overlay , thus intercepting the credentials .", "spans": {}, "info": {"id": "cyner2_5class_train_07067", "source": "cyner2_5class_train"}} +{"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ 
myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio ) VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module .", "spans": {"Indicator: APPDATA/myupd": [[74, 87]], "Indicator: myupd_tmp\\\\mng.db": [[131, 148]], "Indicator: Software\\Microsoft\\Windows\\CurrentVersion\\Run": [[427, 472]]}, "info": {"id": "cyner2_5class_train_07068", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Heuristic_Anomaly.A TROJ_TRACUR.SMVD Trojan:Win32/Chroject.D!dll Trojan.Win32.Kryptik.bCOPL Trojan.Win32.Crypt W32/Kryptik.COPL!tr Crypt3.BBGH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Heuristic_Anomaly.A": [[26, 45]], "Indicator: TROJ_TRACUR.SMVD": [[46, 62]], "Indicator: Trojan:Win32/Chroject.D!dll": [[63, 90]], "Indicator: Trojan.Win32.Kryptik.bCOPL": [[91, 117]], "Indicator: Trojan.Win32.Crypt": [[118, 136]], "Indicator: W32/Kryptik.COPL!tr": [[137, 156]], "Indicator: Crypt3.BBGH": [[157, 168]]}, "info": {"id": "cyner2_5class_train_07069", "source": "cyner2_5class_train"}} +{"text": "The Linux VENOM rootkit is a two-component malicious software aimed at maintaining unauthorized access on compromised Linux systems.", "spans": {"Malware: The Linux VENOM rootkit": [[0, 23]], "Malware: two-component malicious software": [[29, 61]], "System: Linux systems.": [[118, 132]]}, "info": {"id": "cyner2_5class_train_07070", "source": "cyner2_5class_train"}} +{"text": "This report describes the latest iteration in a long-running espionage campaign against the Tibetan community.", "spans": {"Organization: Tibetan community.": [[92, 110]]}, "info": {"id": "cyner2_5class_train_07071", "source": "cyner2_5class_train"}} +{"text": "While we do not have detailed telemetry, we have 
reason to believe this attack targeted an individual at a public utilities company in the Middle East.", "spans": {"System: telemetry,": [[30, 40]], "Indicator: attack": [[72, 78]], "Organization: individual": [[91, 101]], "Organization: public utilities company": [[107, 131]]}, "info": {"id": "cyner2_5class_train_07072", "source": "cyner2_5class_train"}} +{"text": "It is also a keylogger and can take screenshots.", "spans": {}, "info": {"id": "cyner2_5class_train_07073", "source": "cyner2_5class_train"}} +{"text": "Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware.", "spans": {"Malware: Tordow 2.0": [[0, 10]], "Indicator: install programs,": [[72, 89]], "Indicator: steal login credentials, access contacts,": [[90, 131]], "Indicator: encrypt": [[132, 139]], "Indicator: webpages,": [[153, 162]], "Indicator: banking data,": [[174, 187]], "Indicator: remove security software,": [[188, 213]], "Malware: ransomware.": [[256, 267]]}, "info": {"id": "cyner2_5class_train_07074", "source": "cyner2_5class_train"}} +{"text": "] 102 2020-04-02 http : //marta.martatovaglieri [ .", "spans": {"Indicator: http : //marta.martatovaglieri [ .": [[17, 51]]}, "info": {"id": "cyner2_5class_train_07075", "source": "cyner2_5class_train"}} +{"text": "The 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering hole attack hosted on the President of Myanmar's website in May 2015.", "spans": {"Malware: The 3102 payload": [[0, 16]], "Indicator: attack": [[30, 36]], "Malware: Evilgrab payload": [[71, 87]], "Indicator: watering hole attack": [[105, 125]], "Organization: the President of Myanmar's": [[136, 162]], "Indicator: website": [[163, 170]]}, "info": {"id": "cyner2_5class_train_07076", "source": "cyner2_5class_train"}} 
+{"text": "Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library.", "spans": {"Organization: Palo Alto Networks": [[16, 34]], "System: WildFire": [[35, 43]], "Malware: Android apps": [[69, 81]], "Vulnerability: library.": [[100, 108]]}, "info": {"id": "cyner2_5class_train_07077", "source": "cyner2_5class_train"}} +{"text": "Advertisement The VM also disguises the malicious activity , making it easier for the apps to infiltrate Google Play .", "spans": {"System: Google Play": [[105, 116]]}, "info": {"id": "cyner2_5class_train_07078", "source": "cyner2_5class_train"}} +{"text": "APT-C-61 Tengyun Snake organization is an APT organization mainly active in South Asia.", "spans": {}, "info": {"id": "cyner2_5class_train_07079", "source": "cyner2_5class_train"}} +{"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture .", "spans": {}, "info": {"id": "cyner2_5class_train_07080", "source": "cyner2_5class_train"}} +{"text": "An updated library name is generated by calculating the md5sum of several device properties , while concatenating the build model twice in case of an update to the library .", "spans": {}, "info": {"id": "cyner2_5class_train_07081", "source": "cyner2_5class_train"}} +{"text": "The attachment instead tries to download a template file over an SMB connection so that the user s credentials can be silently harvested.", "spans": {"Indicator: attachment": [[4, 14]], "Indicator: template file over an SMB connection": [[43, 79]], "Indicator: credentials": [[99, 110]], "Indicator: harvested.": [[127, 137]]}, "info": {"id": "cyner2_5class_train_07082", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Dokstormac Trojan.Downloader Trojan.Injector.Win32.137915 Trojan/Injector.upj Backdoor.Arcomrat TSPY_DOKSTORMAC_BK220249.TOMC Win.Trojan.7639863-1 Trojan.Win32.Pakes.vtl Trojan.Win32.Pakes.bbujhs BackDoor.Minirat 
TSPY_DOKSTORMAC_BK220249.TOMC BehavesLike.Win32.AdwareDealPly.fc BDS/Dokstormac.A.1 Backdoor:Win32/Dokstormac.A Trojan.Win32.Pakes.vtl Trojan/Win32.Pakes.R39576 Trojan-Injector.61205 Win32/Fynloski.AA Trojan.Injector!2nop4664l2U Backdoor.Win32.Dokstormac RAT.Arcom", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Dokstormac": [[26, 45]], "Indicator: Trojan.Downloader": [[46, 63]], "Indicator: Trojan.Injector.Win32.137915": [[64, 92]], "Indicator: Trojan/Injector.upj": [[93, 112]], "Indicator: Backdoor.Arcomrat": [[113, 130]], "Indicator: TSPY_DOKSTORMAC_BK220249.TOMC": [[131, 160], [248, 277]], "Indicator: Win.Trojan.7639863-1": [[161, 181]], "Indicator: Trojan.Win32.Pakes.vtl": [[182, 204], [360, 382]], "Indicator: Trojan.Win32.Pakes.bbujhs": [[205, 230]], "Indicator: BackDoor.Minirat": [[231, 247]], "Indicator: BehavesLike.Win32.AdwareDealPly.fc": [[278, 312]], "Indicator: BDS/Dokstormac.A.1": [[313, 331]], "Indicator: Backdoor:Win32/Dokstormac.A": [[332, 359]], "Indicator: Trojan/Win32.Pakes.R39576": [[383, 408]], "Indicator: Trojan-Injector.61205": [[409, 430]], "Indicator: Win32/Fynloski.AA": [[431, 448]], "Indicator: Trojan.Injector!2nop4664l2U": [[449, 476]], "Indicator: Backdoor.Win32.Dokstormac": [[477, 502]], "Indicator: RAT.Arcom": [[503, 512]]}, "info": {"id": "cyner2_5class_train_07083", "source": "cyner2_5class_train"}} +{"text": "With access to business critical information, senior executives and consultants are often said to be valuable targets for threat actors tasked with obtaining sensitive business secrets.", "spans": {}, "info": {"id": "cyner2_5class_train_07084", "source": "cyner2_5class_train"}} +{"text": "Through our investigation , we identified less than 3 dozen devices affected by Chrysaor , we have disabled Chrysaor on those devices , and we have notified users of all known affected devices .", "spans": {"Malware: Chrysaor": [[80, 88], [108, 116]]}, "info": {"id": "cyner2_5class_train_07085", "source": 
"cyner2_5class_train"}} +{"text": "Yoroi ZLab has discovered evidence of new campaign utilizing different tactics, including more complex delivery mechanisms and victimology, which began in April, 2022.", "spans": {"Organization: Yoroi ZLab": [[0, 10]]}, "info": {"id": "cyner2_5class_train_07086", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Unruy.5 Win32.Trojan.Kryptik.ak Trojan.ADH.2 Trojan.Win32.Crypted.bbxiyv Backdoor.Win32.A.Banito.73728.A Trojan.Scar.Win32.47454 BehavesLike.Win32.Downloader.fc Trojan-Downloader.Win32.Bulilit Trojan/Scar.ajgx Trojan:Win32/Tript.A Trojan/Win32.ADH.C261975 TScope.Malware-Cryptor.SB Win32.Trojan.Deepscan.Wnlw Trojan.DL.Unruy!ze+OfqNv7J8 Win32/Trojan.PSW.ea7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Unruy.5": [[26, 40]], "Indicator: Win32.Trojan.Kryptik.ak": [[41, 64]], "Indicator: Trojan.ADH.2": [[65, 77]], "Indicator: Trojan.Win32.Crypted.bbxiyv": [[78, 105]], "Indicator: Backdoor.Win32.A.Banito.73728.A": [[106, 137]], "Indicator: Trojan.Scar.Win32.47454": [[138, 161]], "Indicator: BehavesLike.Win32.Downloader.fc": [[162, 193]], "Indicator: Trojan-Downloader.Win32.Bulilit": [[194, 225]], "Indicator: Trojan/Scar.ajgx": [[226, 242]], "Indicator: Trojan:Win32/Tript.A": [[243, 263]], "Indicator: Trojan/Win32.ADH.C261975": [[264, 288]], "Indicator: TScope.Malware-Cryptor.SB": [[289, 314]], "Indicator: Win32.Trojan.Deepscan.Wnlw": [[315, 341]], "Indicator: Trojan.DL.Unruy!ze+OfqNv7J8": [[342, 369]], "Indicator: Win32/Trojan.PSW.ea7": [[370, 390]]}, "info": {"id": "cyner2_5class_train_07087", "source": "cyner2_5class_train"}} +{"text": "While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers' Meeting.rar.", "spans": {"Vulnerability: compromised,": [[12, 24]], "Indicator: the ARC website": [[25, 40]], "Indicator: the 3rd ASEAN Defence Ministers' Meeting.rar.": [[83, 128]]}, "info": {"id": "cyner2_5class_train_07088", 
"source": "cyner2_5class_train"}} +{"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities .", "spans": {}, "info": {"id": "cyner2_5class_train_07089", "source": "cyner2_5class_train"}} +{"text": "AgentTesla is a fairly popular keylogger built using the Microsoft .NET Framework and has shown a substantial rise in usage over the past few months.", "spans": {"Malware: AgentTesla": [[0, 10]], "Malware: keylogger": [[31, 40]], "System: the Microsoft .NET Framework": [[53, 81]]}, "info": {"id": "cyner2_5class_train_07090", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.EliteWrap!O Trojan/Dropper.EliteWrap.103 Win32.Trojan.WisdomEyes.16070401.9500.9872 Win32/EliteWrap.103 Trojan-Dropper.Win32.EliteWrap.103 Trojan.Win32.EliteWrap.cstdvv TrojWare.Win32.EliteWrap.103 Trojan.MulDrop.19 Dropper.EliteWrap.Win32.6 Trojan-Dropper.Win32.EliteWrap TrojanDropper.Win32.EliteWrap.103 Trojan[Dropper]/Win32.EliteWrap Win32.Troj.ElitWrap.kcloud Trojan.Graftor.D934B Trojan-Dropper.Win32.EliteWrap.103 TrojanDropper:Win32/Elitewrap.A Trojan/Win32.HDC.C67537 TrojanDropper.EliteWrap Trojan.DR.EliteWrap!+qx1E/0nG5w W32/Multidr.E!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.EliteWrap!O": [[26, 58]], "Indicator: Trojan/Dropper.EliteWrap.103": [[59, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9872": [[88, 130]], "Indicator: Win32/EliteWrap.103": [[131, 150]], "Indicator: Trojan-Dropper.Win32.EliteWrap.103": [[151, 185], [434, 468]], "Indicator: Trojan.Win32.EliteWrap.cstdvv": [[186, 215]], "Indicator: TrojWare.Win32.EliteWrap.103": [[216, 244]], "Indicator: Trojan.MulDrop.19": [[245, 262]], "Indicator: Dropper.EliteWrap.Win32.6": [[263, 288]], "Indicator: Trojan-Dropper.Win32.EliteWrap": [[289, 319]], "Indicator: TrojanDropper.Win32.EliteWrap.103": [[320, 353]], "Indicator: 
Trojan[Dropper]/Win32.EliteWrap": [[354, 385]], "Indicator: Win32.Troj.ElitWrap.kcloud": [[386, 412]], "Indicator: Trojan.Graftor.D934B": [[413, 433]], "Indicator: TrojanDropper:Win32/Elitewrap.A": [[469, 500]], "Indicator: Trojan/Win32.HDC.C67537": [[501, 524]], "Indicator: TrojanDropper.EliteWrap": [[525, 548]], "Indicator: Trojan.DR.EliteWrap!+qx1E/0nG5w": [[549, 580]], "Indicator: W32/Multidr.E!tr": [[581, 597]]}, "info": {"id": "cyner2_5class_train_07091", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Qhost Trojan/KillProc.b Win.Trojan.4904185-1 Trojan.Inject.10975 Trojan.Win32.FakeAV TR/Qhost.DK.1 W32/Qhost.BE!tr Trojan:Win64/Qhost.DK Trj/CI.A Win32/Trojan.1ea", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Qhost": [[26, 38]], "Indicator: Trojan/KillProc.b": [[39, 56]], "Indicator: Win.Trojan.4904185-1": [[57, 77]], "Indicator: Trojan.Inject.10975": [[78, 97]], "Indicator: Trojan.Win32.FakeAV": [[98, 117]], "Indicator: TR/Qhost.DK.1": [[118, 131]], "Indicator: W32/Qhost.BE!tr": [[132, 147]], "Indicator: Trojan:Win64/Qhost.DK": [[148, 169]], "Indicator: Trj/CI.A": [[170, 178]], "Indicator: Win32/Trojan.1ea": [[179, 195]]}, "info": {"id": "cyner2_5class_train_07092", "source": "cyner2_5class_train"}} +{"text": "\" In the end , the consumer needs to vote with their wallet , '' he says .", "spans": {}, "info": {"id": "cyner2_5class_train_07093", "source": "cyner2_5class_train"}} +{"text": "Its creators reduced the app ’ s malicious surface to the bare minimum by removing all potentially malicious functionalities but one : abusing Accessibility Service .", "spans": {}, "info": {"id": "cyner2_5class_train_07094", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Glomaru.10240 Trojan.Mauvaise.SL1 Trojan.Win32.Glomaru.a Trojan.Win32.FraudLoad.egvymu Troj.W32.Dialer.lwu8 Win32.Trojan.Glomaru.Wozz TrojWare.Win32.Glomaru.A Trojan.DownLoader23.35677 Trojan.Glomaru.a TR/FraudLoad.poenc 
Trojan.Zusy.D3521C Trojan.Win32.Glomaru.a Win32.Trojan.Small.P Trojan.Glomaru", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Glomaru.10240": [[26, 50]], "Indicator: Trojan.Mauvaise.SL1": [[51, 70]], "Indicator: Trojan.Win32.Glomaru.a": [[71, 93], [277, 299]], "Indicator: Trojan.Win32.FraudLoad.egvymu": [[94, 123]], "Indicator: Troj.W32.Dialer.lwu8": [[124, 144]], "Indicator: Win32.Trojan.Glomaru.Wozz": [[145, 170]], "Indicator: TrojWare.Win32.Glomaru.A": [[171, 195]], "Indicator: Trojan.DownLoader23.35677": [[196, 221]], "Indicator: Trojan.Glomaru.a": [[222, 238]], "Indicator: TR/FraudLoad.poenc": [[239, 257]], "Indicator: Trojan.Zusy.D3521C": [[258, 276]], "Indicator: Win32.Trojan.Small.P": [[300, 320]], "Indicator: Trojan.Glomaru": [[321, 335]]}, "info": {"id": "cyner2_5class_train_07095", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Small.43520.J Backdoor.Win32.PcClient!O Backdoor.Pcclient.19199 Backdoor.PcClient.Win32.16939 Trojan/PcClient.ngo Trojan.Tsaisda.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/PcClient.BIJ Win.Trojan.PcClient-5088 Trojan.Win32.Pcclient.cqndw Backdoor.Win32.A.PcClient.43520 Backdoor.W32.Hupigon.kYKa TrojWare.Win32.PcClient.NOP BackDoor.PcClient.5363 Trojan.FraudPack Backdoor/PcClient.aesj W32.Tsaisda.A BDS/Pcclient.AL Trojan[Backdoor]/Win32.PcClient Backdoor:Win32/Tsaisda.A Trojan/Win32.PcClient.R25878 Backdoor.PcClient Backdoor.PcClient!ID9InYPBgAg W32/PcClient.GG!tr Win32/Backdoor.fa2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Small.43520.J": [[26, 52]], "Indicator: Backdoor.Win32.PcClient!O": [[53, 78]], "Indicator: Backdoor.Pcclient.19199": [[79, 102]], "Indicator: Backdoor.PcClient.Win32.16939": [[103, 132]], "Indicator: Trojan/PcClient.ngo": [[133, 152]], "Indicator: Trojan.Tsaisda.1": [[153, 169]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[170, 212]], "Indicator: Backdoor.Trojan": [[213, 228]], "Indicator: 
Win32/PcClient.BIJ": [[229, 247]], "Indicator: Win.Trojan.PcClient-5088": [[248, 272]], "Indicator: Trojan.Win32.Pcclient.cqndw": [[273, 300]], "Indicator: Backdoor.Win32.A.PcClient.43520": [[301, 332]], "Indicator: Backdoor.W32.Hupigon.kYKa": [[333, 358]], "Indicator: TrojWare.Win32.PcClient.NOP": [[359, 386]], "Indicator: BackDoor.PcClient.5363": [[387, 409]], "Indicator: Trojan.FraudPack": [[410, 426]], "Indicator: Backdoor/PcClient.aesj": [[427, 449]], "Indicator: W32.Tsaisda.A": [[450, 463]], "Indicator: BDS/Pcclient.AL": [[464, 479]], "Indicator: Trojan[Backdoor]/Win32.PcClient": [[480, 511]], "Indicator: Backdoor:Win32/Tsaisda.A": [[512, 536]], "Indicator: Trojan/Win32.PcClient.R25878": [[537, 565]], "Indicator: Backdoor.PcClient": [[566, 583]], "Indicator: Backdoor.PcClient!ID9InYPBgAg": [[584, 613]], "Indicator: W32/PcClient.GG!tr": [[614, 632]], "Indicator: Win32/Backdoor.fa2": [[633, 651]]}, "info": {"id": "cyner2_5class_train_07096", "source": "cyner2_5class_train"}} +{"text": "The C & C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner2_5class_train_07097", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.8048 Win32.Nemim.A Win32.Trojan.WisdomEyes.16070401.9500.9999 HT_GARVEEP_FI060DBE.UVPM Win32.Nemim.A Win32.Pioneer.C Virus.Win32.Pioneer.e Win32.Nemim.A Win32.Nemim.A BehavesLike.Win32.Ramnit.th Virus.Win32.Nemim TR/Taranis.3944 TrojanDownloader:Win32/Garveep.D Win32.Nemim.A W32.Pioneer.mv7p Win32.Nemim.A Win32.Nemim.A Win32/Nemim.B Trojan.DownLoader! 
W32/Nemim.B Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.8048": [[26, 43]], "Indicator: Win32.Nemim.A": [[44, 57], [126, 139], [178, 191], [192, 205], [301, 314], [332, 345], [346, 359]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[58, 100]], "Indicator: HT_GARVEEP_FI060DBE.UVPM": [[101, 125]], "Indicator: Win32.Pioneer.C": [[140, 155]], "Indicator: Virus.Win32.Pioneer.e": [[156, 177]], "Indicator: BehavesLike.Win32.Ramnit.th": [[206, 233]], "Indicator: Virus.Win32.Nemim": [[234, 251]], "Indicator: TR/Taranis.3944": [[252, 267]], "Indicator: TrojanDownloader:Win32/Garveep.D": [[268, 300]], "Indicator: W32.Pioneer.mv7p": [[315, 331]], "Indicator: Win32/Nemim.B": [[360, 373]], "Indicator: Trojan.DownLoader!": [[374, 392]], "Indicator: W32/Nemim.B": [[393, 404]], "Indicator: Trj/CI.A": [[405, 413]]}, "info": {"id": "cyner2_5class_train_07098", "source": "cyner2_5class_train"}} +{"text": "Given what we ve seen previously with Vawtrak, simply switching to HTTPS is not a major update in terms of development -- but it does show that the threat actors are interested in protecting their C2 communications.", "spans": {"Malware: Vawtrak,": [[38, 46]], "Indicator: HTTPS": [[67, 72]], "Indicator: C2 communications.": [[197, 215]]}, "info": {"id": "cyner2_5class_train_07099", "source": "cyner2_5class_train"}} +{"text": "T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application .", "spans": {"System: GAS Tecnologia": [[67, 81]]}, "info": {"id": "cyner2_5class_train_07100", "source": "cyner2_5class_train"}} +{"text": "] 208 attiva.exodus.esurv [ .", "spans": {"Indicator: attiva.exodus.esurv [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_07101", "source": "cyner2_5class_train"}} +{"text": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.", "spans": {"Organization: military": [[57, 65]], "Organization: aerospace": [[70, 79]]}, 
"info": {"id": "cyner2_5class_train_07102", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Meciv Win32/Pucedoor.A Trojan.Enfal-11 Application.Win32.BlkIC.IMG Trojan.MulDrop1.40578 TR/Spy.174210 Trojan.Heur.E0B301 Backdoor:Win32/Meciv.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Meciv": [[26, 40]], "Indicator: Win32/Pucedoor.A": [[41, 57]], "Indicator: Trojan.Enfal-11": [[58, 73]], "Indicator: Application.Win32.BlkIC.IMG": [[74, 101]], "Indicator: Trojan.MulDrop1.40578": [[102, 123]], "Indicator: TR/Spy.174210": [[124, 137]], "Indicator: Trojan.Heur.E0B301": [[138, 156]], "Indicator: Backdoor:Win32/Meciv.A": [[157, 179]], "Indicator: Trj/CI.A": [[180, 188]]}, "info": {"id": "cyner2_5class_train_07103", "source": "cyner2_5class_train"}} +{"text": "This current variant includes a link to the following payment onion website: http://zvnvp2rhe3ljwf2m[.]onion.", "spans": {"Indicator: link": [[32, 36]], "Indicator: payment onion website: http://zvnvp2rhe3ljwf2m[.]onion.": [[54, 109]]}, "info": {"id": "cyner2_5class_train_07104", "source": "cyner2_5class_train"}} +{"text": "TV5Monde was taken off air in April 2015.", "spans": {"Organization: TV5Monde": [[0, 8]]}, "info": {"id": "cyner2_5class_train_07105", "source": "cyner2_5class_train"}} +{"text": "Kaspersky Some time ago while tracking Winnti group activity we came across a suspicious 64-bit sample.", "spans": {"Organization: Kaspersky": [[0, 9]], "Indicator: 64-bit sample.": [[89, 103]]}, "info": {"id": "cyner2_5class_train_07106", "source": "cyner2_5class_train"}} +{"text": "I hope that by uncovering this malware at such an early stage , we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods .", "spans": {}, "info": {"id": "cyner2_5class_train_07107", "source": "cyner2_5class_train"}} +{"text": "The group discussed in this white paper is part of this new trend.", "spans": {}, "info": {"id": 
"cyner2_5class_train_07108", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.3E85 Backdoor.Win32.Nepoe!O Dropper.Paradrop.Win32.108 W32/Korgo.worm PE_AGOBOT.AQM Win32.Trojan.WisdomEyes.16070401.9500.9889 W32/Bobax.AO W32.Bleshare PE_AGOBOT.AQM Win.Trojan.Poebot-45 Trojan-Dropper.Win32.Paradrop.a Trojan.Win32.Paradrop.xhlx Dropper.Paradrop.180736 Troj.Dropper.W32.Paradrop.kYTK TrojWare.Win32.TrojanDropper.Paradrop.a0 Trojan.MulDrop.2267 BehavesLike.Win32.Conficker.cc Backdoor.Win32.PoeBot.C W32/Bobax.LVYX-1108 TrojanDropper.Paradrop TR/Drop.Paradro.a.3 Trojan[Backdoor]/Win32.Agobot TrojanDropper:Win32/Paradrop.J Trojan-Dropper.Win32.Paradrop.a W32/Polybot.dr Backdoor.PoeBot Trj/Droppofonic.A Win32/TrojanDropper.Paradrop.A Worm.PoeBot.S W32/Paradrop.B!tr.dr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3E85": [[26, 42]], "Indicator: Backdoor.Win32.Nepoe!O": [[43, 65]], "Indicator: Dropper.Paradrop.Win32.108": [[66, 92]], "Indicator: W32/Korgo.worm": [[93, 107]], "Indicator: PE_AGOBOT.AQM": [[108, 121], [191, 204]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9889": [[122, 164]], "Indicator: W32/Bobax.AO": [[165, 177]], "Indicator: W32.Bleshare": [[178, 190]], "Indicator: Win.Trojan.Poebot-45": [[205, 225]], "Indicator: Trojan-Dropper.Win32.Paradrop.a": [[226, 257], [580, 611]], "Indicator: Trojan.Win32.Paradrop.xhlx": [[258, 284]], "Indicator: Dropper.Paradrop.180736": [[285, 308]], "Indicator: Troj.Dropper.W32.Paradrop.kYTK": [[309, 339]], "Indicator: TrojWare.Win32.TrojanDropper.Paradrop.a0": [[340, 380]], "Indicator: Trojan.MulDrop.2267": [[381, 400]], "Indicator: BehavesLike.Win32.Conficker.cc": [[401, 431]], "Indicator: Backdoor.Win32.PoeBot.C": [[432, 455]], "Indicator: W32/Bobax.LVYX-1108": [[456, 475]], "Indicator: TrojanDropper.Paradrop": [[476, 498]], "Indicator: TR/Drop.Paradro.a.3": [[499, 518]], "Indicator: Trojan[Backdoor]/Win32.Agobot": [[519, 548]], "Indicator: 
TrojanDropper:Win32/Paradrop.J": [[549, 579]], "Indicator: W32/Polybot.dr": [[612, 626]], "Indicator: Backdoor.PoeBot": [[627, 642]], "Indicator: Trj/Droppofonic.A": [[643, 660]], "Indicator: Win32/TrojanDropper.Paradrop.A": [[661, 691]], "Indicator: Worm.PoeBot.S": [[692, 705]], "Indicator: W32/Paradrop.B!tr.dr": [[706, 726]]}, "info": {"id": "cyner2_5class_train_07109", "source": "cyner2_5class_train"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07110", "source": "cyner2_5class_train"}} +{"text": "] 204 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07111", "source": "cyner2_5class_train"}} +{"text": "This blog will provide an analysis of the Bookworm Trojan and known indicators of compromise.", "spans": {"Malware: Bookworm Trojan": [[42, 57]], "Indicator: indicators of compromise.": [[68, 93]]}, "info": {"id": "cyner2_5class_train_07112", "source": "cyner2_5class_train"}} +{"text": "The beaconing is sent to the URL http : // /api/v2/get.php with an interval of 60 seconds .", "spans": {"Indicator: http : // /api/v2/get.php": [[33, 58]]}, "info": {"id": "cyner2_5class_train_07113", "source": "cyner2_5class_train"}} +{"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or similar triggers that are easily detectable .", "spans": {"Indicator: winlogon.exe": [[26, 38], [69, 81], [378, 390]]}, "info": {"id": "cyner2_5class_train_07114", "source": "cyner2_5class_train"}} +{"text": "SentinelLabs analyzed several iterations of AlienFox, a comprehensive toolset for harvesting credentials for 
multiple cloud service providers.", "spans": {"Organization: SentinelLabs": [[0, 12]], "Organization: AlienFox,": [[44, 53]], "Malware: toolset": [[70, 77]], "Indicator: harvesting credentials": [[82, 104]], "System: cloud service providers.": [[118, 142]]}, "info": {"id": "cyner2_5class_train_07115", "source": "cyner2_5class_train"}} +{"text": "Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere .", "spans": {"System: Play Store": [[85, 95]]}, "info": {"id": "cyner2_5class_train_07116", "source": "cyner2_5class_train"}} +{"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region .", "spans": {}, "info": {"id": "cyner2_5class_train_07117", "source": "cyner2_5class_train"}} +{"text": "The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single , evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East .", "spans": {"Malware: Desert Scorpion": [[45, 60]], "Malware: FrozenCell": [[112, 122]], "Malware: APT-C-23": [[214, 222]]}, "info": {"id": "cyner2_5class_train_07118", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesLTPGOWF.Trojan Trojan/W32.Small.35840.NP Backdoor.Win32.Floder!O Backdoor/Floder.rlw Win32/Tnega.ANRP Backdoor.Win32.A.Floder.37376[UPX] Trojan.MulDrop1.37252 Backdoor/Floder.age Trojan[Backdoor]/Win32.Floder Backdoor:Win32/RDPopen.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLTPGOWF.Trojan": [[26, 51]], "Indicator: Trojan/W32.Small.35840.NP": [[52, 77]], "Indicator: Backdoor.Win32.Floder!O": [[78, 101]], "Indicator: Backdoor/Floder.rlw": [[102, 121]], "Indicator: Win32/Tnega.ANRP": [[122, 138]], "Indicator: Backdoor.Win32.A.Floder.37376[UPX]": [[139, 173]], "Indicator: Trojan.MulDrop1.37252": [[174, 195]], 
"Indicator: Backdoor/Floder.age": [[196, 215]], "Indicator: Trojan[Backdoor]/Win32.Floder": [[216, 245]], "Indicator: Backdoor:Win32/RDPopen.A": [[246, 270]]}, "info": {"id": "cyner2_5class_train_07119", "source": "cyner2_5class_train"}} +{"text": "The remaining 99 C C servers were duplicated configurations from different APKs. This is likely due to configuration files being hardcoded within the APK, and old spam campaigns infecting different users, thus, old configurations still being detected in the wild.", "spans": {"Indicator: 99 C C servers": [[14, 28]], "Indicator: configurations": [[45, 59], [215, 229]], "System: APKs.": [[75, 80]], "Indicator: configuration": [[103, 116]], "System: APK,": [[150, 154]], "Organization: users,": [[198, 204]]}, "info": {"id": "cyner2_5class_train_07120", "source": "cyner2_5class_train"}} +{"text": "The Android banking Trojan rental business Rental of banking Trojans is not new .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner2_5class_train_07121", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Ciluf.R002C0DL517 Win32.Trojan.WisdomEyes.16070401.9500.9967 Ransom_Ciluf.R002C0DL517 BehavesLike.Win32.Backdoor.ct W32/Trojan.QHYA-4995 Ransom:Win32/Ciluf.A Ransom.Lucifer Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Ciluf.R002C0DL517": [[26, 50], [94, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9967": [[51, 93]], "Indicator: BehavesLike.Win32.Backdoor.ct": [[119, 148]], "Indicator: W32/Trojan.QHYA-4995": [[149, 169]], "Indicator: Ransom:Win32/Ciluf.A": [[170, 190]], "Indicator: Ransom.Lucifer": [[191, 205]], "Indicator: Trj/GdSda.A": [[206, 217]]}, "info": {"id": "cyner2_5class_train_07122", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Tiny.3072 Backdoor.Win32.Tiny!O Backdoor.Tiny BackDoor-IQ.b Troj.Dropper.W32.Small.l6P3 Backdoor/Tiny.c Win32.Trojan.WisdomEyes.16070401.9500.9646 Backdoor.Trojan BKDR_IQ.B 
Backdoor.Win32.Tiny.c Backdoor.Win32.Tiny.6144 BackDoor.Tiny.40 BKDR_IQ.B BackDoor-IQ.b Backdoor/Tiny.aw TR/Tiny.nmclh Trojan[Backdoor]/Win32.Tiny.c Trojan.Zusy.Elzob.804 Backdoor.Win32.Tiny.c Backdoor:Win32/Tiny.FBC Win-Trojan/IQ.B Backdoor.Win32.Small.Epi Bck/Tiny.B Win32.Backdoor.Tiny.Pcsz Backdoor.Win32.Tiny BDoor.IQ!tr.bdr Win32/Trojan.d37", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Tiny.3072": [[26, 48]], "Indicator: Backdoor.Win32.Tiny!O": [[49, 70]], "Indicator: Backdoor.Tiny": [[71, 84]], "Indicator: BackDoor-IQ.b": [[85, 98], [286, 299]], "Indicator: Troj.Dropper.W32.Small.l6P3": [[99, 126]], "Indicator: Backdoor/Tiny.c": [[127, 142]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9646": [[143, 185]], "Indicator: Backdoor.Trojan": [[186, 201]], "Indicator: BKDR_IQ.B": [[202, 211], [276, 285]], "Indicator: Backdoor.Win32.Tiny.c": [[212, 233], [383, 404]], "Indicator: Backdoor.Win32.Tiny.6144": [[234, 258]], "Indicator: BackDoor.Tiny.40": [[259, 275]], "Indicator: Backdoor/Tiny.aw": [[300, 316]], "Indicator: TR/Tiny.nmclh": [[317, 330]], "Indicator: Trojan[Backdoor]/Win32.Tiny.c": [[331, 360]], "Indicator: Trojan.Zusy.Elzob.804": [[361, 382]], "Indicator: Backdoor:Win32/Tiny.FBC": [[405, 428]], "Indicator: Win-Trojan/IQ.B": [[429, 444]], "Indicator: Backdoor.Win32.Small.Epi": [[445, 469]], "Indicator: Bck/Tiny.B": [[470, 480]], "Indicator: Win32.Backdoor.Tiny.Pcsz": [[481, 505]], "Indicator: Backdoor.Win32.Tiny": [[506, 525]], "Indicator: BDoor.IQ!tr.bdr": [[526, 541]], "Indicator: Win32/Trojan.d37": [[542, 558]]}, "info": {"id": "cyner2_5class_train_07123", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Nofear.C W32.W.Fearso.kYUv W32/Fearso.c Win32.Worm.Farex.a W32/Worm.AEST W32.Nofer.A@mm win32/Nofear.A Win.Worm.Fearso-2 Email-Worm.Win32.Fearso.c Trojan.Win32.Fearso.cssoyh I-Worm.Win32.A.Fearso.86541 Worm.Win32.Fearso.~BAAA Trojan.AVKill.9837 Worm.Fearso.Win32.9 BehavesLike.Win32.Nofear.mh 
Backdoor.Win32.Gobot W32/Worm.ENOQ-1581 I-Worm/Fearso.c Worm:Win32/Nofear.C@mm Worm[Email]/Win32.Fearso Worm:Win32/Nofear.C@mm Worm.Fearo Email-Worm.Win32.Fearso.c Worm.Fearso W32/Fearso.V.worm I-Worm.Farex.Y Win32/Farex.Y Trojan.Win32.Fearso.c I-Worm.Fearso!qiaAnheOcEc Worm.Win32.Nofear.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Nofear.C": [[26, 39]], "Indicator: W32.W.Fearso.kYUv": [[40, 57]], "Indicator: W32/Fearso.c": [[58, 70]], "Indicator: Win32.Worm.Farex.a": [[71, 89]], "Indicator: W32/Worm.AEST": [[90, 103]], "Indicator: W32.Nofer.A@mm": [[104, 118]], "Indicator: win32/Nofear.A": [[119, 133]], "Indicator: Win.Worm.Fearso-2": [[134, 151]], "Indicator: Email-Worm.Win32.Fearso.c": [[152, 177], [462, 487]], "Indicator: Trojan.Win32.Fearso.cssoyh": [[178, 204]], "Indicator: I-Worm.Win32.A.Fearso.86541": [[205, 232]], "Indicator: Worm.Win32.Fearso.~BAAA": [[233, 256]], "Indicator: Trojan.AVKill.9837": [[257, 275]], "Indicator: Worm.Fearso.Win32.9": [[276, 295]], "Indicator: BehavesLike.Win32.Nofear.mh": [[296, 323]], "Indicator: Backdoor.Win32.Gobot": [[324, 344]], "Indicator: W32/Worm.ENOQ-1581": [[345, 363]], "Indicator: I-Worm/Fearso.c": [[364, 379]], "Indicator: Worm:Win32/Nofear.C@mm": [[380, 402], [428, 450]], "Indicator: Worm[Email]/Win32.Fearso": [[403, 427]], "Indicator: Worm.Fearo": [[451, 461]], "Indicator: Worm.Fearso": [[488, 499]], "Indicator: W32/Fearso.V.worm": [[500, 517]], "Indicator: I-Worm.Farex.Y": [[518, 532]], "Indicator: Win32/Farex.Y": [[533, 546]], "Indicator: Trojan.Win32.Fearso.c": [[547, 568]], "Indicator: I-Worm.Fearso!qiaAnheOcEc": [[569, 594]], "Indicator: Worm.Win32.Nofear.A": [[595, 614]]}, "info": {"id": "cyner2_5class_train_07124", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9925 Trojan.Win32.Yakes.vpge TR/Crypt.ZPACK.jrfyx Trojan:Win64/Carberp.A!bit Trojan.Win32.Yakes.vpge", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9925": [[26, 68]], "Indicator: Trojan.Win32.Yakes.vpge": [[69, 92], [141, 164]], "Indicator: TR/Crypt.ZPACK.jrfyx": [[93, 113]], "Indicator: Trojan:Win64/Carberp.A!bit": [[114, 140]]}, "info": {"id": "cyner2_5class_train_07125", "source": "cyner2_5class_train"}} +{"text": "A worm that spreads by copying itself to file shares and removable drives.", "spans": {"Malware: worm": [[2, 6]], "Indicator: file shares": [[41, 52]], "System: removable drives.": [[57, 74]]}, "info": {"id": "cyner2_5class_train_07126", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9554 Trojan.Win32.Mlw.eugajo Trojan.Win32.Z.Firsot.3520512 W32/Trojan.KPJB-2397 Backdoor:MSIL/Firsot.A Trj/CI.A Backdoor.MSIL.Firsot Win32/Trojan.289", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9554": [[38, 80]], "Indicator: Trojan.Win32.Mlw.eugajo": [[81, 104]], "Indicator: Trojan.Win32.Z.Firsot.3520512": [[105, 134]], "Indicator: W32/Trojan.KPJB-2397": [[135, 155]], "Indicator: Backdoor:MSIL/Firsot.A": [[156, 178]], "Indicator: Trj/CI.A": [[179, 187]], "Indicator: Backdoor.MSIL.Firsot": [[188, 208]], "Indicator: Win32/Trojan.289": [[209, 225]]}, "info": {"id": "cyner2_5class_train_07127", "source": "cyner2_5class_train"}} +{"text": "EVENTBOT VERSION 0.0.0.2 Dynamic Library Loading As of Version 0.0.0.2 , EventBot attempts to hide its main functionality from static analysis .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Malware: EventBot": [[73, 81]]}, "info": {"id": "cyner2_5class_train_07128", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kazy.D1D724 W32/Trojan.PVRS-3848 Trojan.Win32.PcClient.eptxte Trojan.Win32.Z.Pcclient.356864 BackDoor.PcClient.6543 Trojan.Reconyc.Win32.20285 BehavesLike.Win32.Dropper.fc Trojan.Win32.Krypt Trojan.Reconyc.gyp TR/Crypt.ZPACK.igurt 
Trojan[DDoS]/Win32.Macri TrojanDownloader:Win32/Redosdru.F!bit Trojan/Win32.Infostealer.R206663 TrojanDDoS.Macri Trj/CI.A W32/Kryptik.FQKI!tr Win32/Trojan.443", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D1D724": [[26, 44]], "Indicator: W32/Trojan.PVRS-3848": [[45, 65]], "Indicator: Trojan.Win32.PcClient.eptxte": [[66, 94]], "Indicator: Trojan.Win32.Z.Pcclient.356864": [[95, 125]], "Indicator: BackDoor.PcClient.6543": [[126, 148]], "Indicator: Trojan.Reconyc.Win32.20285": [[149, 175]], "Indicator: BehavesLike.Win32.Dropper.fc": [[176, 204]], "Indicator: Trojan.Win32.Krypt": [[205, 223]], "Indicator: Trojan.Reconyc.gyp": [[224, 242]], "Indicator: TR/Crypt.ZPACK.igurt": [[243, 263]], "Indicator: Trojan[DDoS]/Win32.Macri": [[264, 288]], "Indicator: TrojanDownloader:Win32/Redosdru.F!bit": [[289, 326]], "Indicator: Trojan/Win32.Infostealer.R206663": [[327, 359]], "Indicator: TrojanDDoS.Macri": [[360, 376]], "Indicator: Trj/CI.A": [[377, 385]], "Indicator: W32/Kryptik.FQKI!tr": [[386, 405]], "Indicator: Win32/Trojan.443": [[406, 422]]}, "info": {"id": "cyner2_5class_train_07129", "source": "cyner2_5class_train"}} +{"text": "One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT Information Technology and IR Incident Response staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.", "spans": {"Indicator: malware files": [[91, 104]], "Organization: IT Information Technology": [[108, 133]], "Organization: IR Incident Response staff;": [[138, 165]], "Indicator: file names": [[196, 206]], "Indicator: IT functions": [[254, 266]], "Indicator: IR tools": [[270, 278]], "Indicator: cyber attack": [[287, 299]]}, "info": {"id": "cyner2_5class_train_07130", "source": "cyner2_5class_train"}} +{"text": "Once delivered, Escelar has multiple installation stages where malware is downloaded using direct 
connections to multiple Microsoft SQL servers.", "spans": {"Malware: Escelar": [[16, 23]], "Malware: malware": [[63, 70]], "Indicator: direct connections": [[91, 109]], "System: multiple Microsoft SQL servers.": [[113, 144]]}, "info": {"id": "cyner2_5class_train_07131", "source": "cyner2_5class_train"}} +{"text": "However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner.", "spans": {"Malware: Dyre": [[16, 20]], "Organization: banking information,": [[50, 70]], "Malware: Rombertik": [[71, 80]]}, "info": {"id": "cyner2_5class_train_07132", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Heur.DP.E18DA6 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.W.Dorifel.moev TrojWare.Win32.Delf.OSP1 Trojan.DownLoad1.16614 Trojan-Downloader.Win32.Rochap TR/Dldr.Rochap.J Trojan/Win32.Unknown TrojanDropper:Win32/Rochap.H Win32/Delf.OSP W32/Dropper.VFR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.DP.E18DA6": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[48, 90]], "Indicator: W32.W.Dorifel.moev": [[91, 109]], "Indicator: TrojWare.Win32.Delf.OSP1": [[110, 134]], "Indicator: Trojan.DownLoad1.16614": [[135, 157]], "Indicator: Trojan-Downloader.Win32.Rochap": [[158, 188]], "Indicator: TR/Dldr.Rochap.J": [[189, 205]], "Indicator: Trojan/Win32.Unknown": [[206, 226]], "Indicator: TrojanDropper:Win32/Rochap.H": [[227, 255]], "Indicator: Win32/Delf.OSP": [[256, 270]], "Indicator: W32/Dropper.VFR!tr": [[271, 289]]}, "info": {"id": "cyner2_5class_train_07133", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig!O Downloader.Small.28090 Trojan/Downloader.Harnig.al Win32.Trojan.WisdomEyes.16070401.9500.9939 Downloader.Trojan Win.Downloader.Small-579 Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig.al Trojan.Downloader.Harnig.al 
Trojan.Win32.Harnig.voqq Trojan.Win32.A.Downloader.10240.FS Troj.Downloader.W32.Harnig.al!c Trojan.Downloader.Harnig.al TrojWare.Win32.TrojanDownloader.Harnig.AL Trojan.Downloader.Harnig.al Trojan.DownLoader.919 Downloader.Harnig.Win32.353 BehavesLike.Win32.Cutwail.lt Trojan-Downloader.Win32.Harnig Trojan/Startpage.nv W32.Trojan.Downloader.Harnig Trojan[Downloader]/Win32.Harnig Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig.al Trojan/Win32.Downloader.R39433 Trojan.Downloader.Harnig.al OScope.Downloader.GCLA Trj/Harnig.AD Win32/TrojanDownloader.Harnig.AL Win32.Trojan-downloader.Harnig.Sxyp Trojan.QHost.L W32/Harnig.AI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Harnig.al": [[26, 53], [224, 251], [286, 313], [406, 433], [476, 503], [695, 722], [788, 815]], "Indicator: Trojan-Downloader.Win32.Harnig!O": [[54, 86]], "Indicator: Downloader.Small.28090": [[87, 109]], "Indicator: Trojan/Downloader.Harnig.al": [[110, 137]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9939": [[138, 180]], "Indicator: Downloader.Trojan": [[181, 198]], "Indicator: Win.Downloader.Small-579": [[199, 223]], "Indicator: Trojan-Downloader.Win32.Harnig.al": [[252, 285], [723, 756]], "Indicator: Trojan.Win32.Harnig.voqq": [[314, 338]], "Indicator: Trojan.Win32.A.Downloader.10240.FS": [[339, 373]], "Indicator: Troj.Downloader.W32.Harnig.al!c": [[374, 405]], "Indicator: TrojWare.Win32.TrojanDownloader.Harnig.AL": [[434, 475]], "Indicator: Trojan.DownLoader.919": [[504, 525]], "Indicator: Downloader.Harnig.Win32.353": [[526, 553]], "Indicator: BehavesLike.Win32.Cutwail.lt": [[554, 582]], "Indicator: Trojan-Downloader.Win32.Harnig": [[583, 613]], "Indicator: Trojan/Startpage.nv": [[614, 633]], "Indicator: W32.Trojan.Downloader.Harnig": [[634, 662]], "Indicator: Trojan[Downloader]/Win32.Harnig": [[663, 694]], "Indicator: Trojan/Win32.Downloader.R39433": [[757, 787]], "Indicator: OScope.Downloader.GCLA": [[816, 838]], "Indicator: Trj/Harnig.AD": [[839, 
852]], "Indicator: Win32/TrojanDownloader.Harnig.AL": [[853, 885]], "Indicator: Win32.Trojan-downloader.Harnig.Sxyp": [[886, 921]], "Indicator: Trojan.QHost.L": [[922, 936]], "Indicator: W32/Harnig.AI!tr": [[937, 953]]}, "info": {"id": "cyner2_5class_train_07134", "source": "cyner2_5class_train"}} +{"text": "This campaign involved five separate phishing attacks, each carrying a different variant of Sysget malware, also known as HelloBridge.", "spans": {"Indicator: phishing attacks,": [[37, 54]], "Malware: Sysget malware,": [[92, 107]], "Malware: HelloBridge.": [[122, 134]]}, "info": {"id": "cyner2_5class_train_07135", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.SkipnetA.Trojan Trojan.VB W32/Bybz.ehk Trojan.IPZ.3 Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_VB_GA2509B6.UVPM Win.Trojan.Injector-397 Trojan.Win32.AutoRun.thcnx Worm.Win32.AutoRun.dck Trojan.MulDrop2.2467 Worm.Bybz.Win32.935 TROJ_VB_GA2509B6.UVPM BehavesLike.Win32.VBobfus.dc Trojan/Cosmu.gzo W32/Llac.PMC!tr Worm/Win32.Bybz Worm.Win32.A.AutoRun.206367 Worm/Win32.AutoRun.C11891 PWS-Spyeye.ai OScope.Worm.Bybz.31321 Worm.Bybz!gMC6zzOscGs Backdoor.Win32.Poison", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SkipnetA.Trojan": [[26, 45]], "Indicator: Trojan.VB": [[46, 55]], "Indicator: W32/Bybz.ehk": [[56, 68]], "Indicator: Trojan.IPZ.3": [[69, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[82, 124]], "Indicator: TROJ_VB_GA2509B6.UVPM": [[125, 146], [262, 283]], "Indicator: Win.Trojan.Injector-397": [[147, 170]], "Indicator: Trojan.Win32.AutoRun.thcnx": [[171, 197]], "Indicator: Worm.Win32.AutoRun.dck": [[198, 220]], "Indicator: Trojan.MulDrop2.2467": [[221, 241]], "Indicator: Worm.Bybz.Win32.935": [[242, 261]], "Indicator: BehavesLike.Win32.VBobfus.dc": [[284, 312]], "Indicator: Trojan/Cosmu.gzo": [[313, 329]], "Indicator: W32/Llac.PMC!tr": [[330, 345]], "Indicator: Worm/Win32.Bybz": [[346, 361]], "Indicator: Worm.Win32.A.AutoRun.206367": [[362, 
389]], "Indicator: Worm/Win32.AutoRun.C11891": [[390, 415]], "Indicator: PWS-Spyeye.ai": [[416, 429]], "Indicator: OScope.Worm.Bybz.31321": [[430, 452]], "Indicator: Worm.Bybz!gMC6zzOscGs": [[453, 474]], "Indicator: Backdoor.Win32.Poison": [[475, 496]]}, "info": {"id": "cyner2_5class_train_07136", "source": "cyner2_5class_train"}} +{"text": "These tools included utilities from Microsoft Sysinternals and parts of open-source projects.", "spans": {"Malware: tools": [[6, 11]], "System: Microsoft Sysinternals": [[36, 58]], "System: open-source projects.": [[72, 93]]}, "info": {"id": "cyner2_5class_train_07137", "source": "cyner2_5class_train"}} +{"text": "Once opened , HenBox runs the following query to gather message information .", "spans": {"Malware: HenBox": [[14, 20]]}, "info": {"id": "cyner2_5class_train_07138", "source": "cyner2_5class_train"}} +{"text": "To distribute the malicious excel file, the attackers registered a domain which impersonated the identity of most influential Indian think tank IDSA Institute for Defence Studies and Analyses and used the email id from the impersonating domain to send out the spear-phishing emails to the victims.", "spans": {"Indicator: malicious excel file,": [[18, 39]], "Indicator: domain": [[67, 73]], "Indicator: identity of most influential Indian": [[97, 132]], "Organization: think tank IDSA Institute for Defence Studies and Analyses": [[133, 191]], "Indicator: email": [[205, 210]], "Indicator: impersonating domain": [[223, 243]], "Indicator: spear-phishing emails": [[260, 281]], "Organization: victims.": [[289, 297]]}, "info": {"id": "cyner2_5class_train_07139", "source": "cyner2_5class_train"}} +{"text": "For example , the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016 .", "spans": {"Malware: Ztorg Trojan": [[18, 30]], "System: Google Play": [[52, 63]]}, "info": {"id": "cyner2_5class_train_07140", "source": "cyner2_5class_train"}} +{"text": "YouTube channel of the malicious developer 
His YouTube channel provided us with another valuable piece of information : he himself features in a video tutorial for one of his other projects .", "spans": {"System: YouTube": [[0, 7], [47, 54]]}, "info": {"id": "cyner2_5class_train_07141", "source": "cyner2_5class_train"}} +{"text": "The malware appears to have been named Hinata by the malware author after a character from the popular anime series, Naruto.", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "cyner2_5class_train_07142", "source": "cyner2_5class_train"}} +{"text": "Screen capture and audio recording SpyNote RAT was able to take screen captures and , using the device ’ s microphone , listen to audio conversations .", "spans": {"Malware: SpyNote RAT": [[35, 46]]}, "info": {"id": "cyner2_5class_train_07143", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9964 Infostealer.Gampass Trojan-GameThief.Win32.OnLineGames.jez Trojan.Win32.OnLineGames.csyqf Trojan.PWS.Gamania.6047 BehavesLike.Win32.BadFile.lc Trojan-PWS.OnlineGames Trojan/PSW.OnLineGames.cqju Win32.PSWTroj.OnLineGames.kcloud Trojan-GameThief.Win32.OnLineGames.jez Trojan/Win32.OnlineGameHack.R6228 TScope.Malware-Cryptor.SB Win32/PSW.OnLineGames.HCV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9964": [[26, 68]], "Indicator: Infostealer.Gampass": [[69, 88]], "Indicator: Trojan-GameThief.Win32.OnLineGames.jez": [[89, 127], [296, 334]], "Indicator: Trojan.Win32.OnLineGames.csyqf": [[128, 158]], "Indicator: Trojan.PWS.Gamania.6047": [[159, 182]], "Indicator: BehavesLike.Win32.BadFile.lc": [[183, 211]], "Indicator: Trojan-PWS.OnlineGames": [[212, 234]], "Indicator: Trojan/PSW.OnLineGames.cqju": [[235, 262]], "Indicator: Win32.PSWTroj.OnLineGames.kcloud": [[263, 295]], "Indicator: Trojan/Win32.OnlineGameHack.R6228": [[335, 368]], "Indicator: TScope.Malware-Cryptor.SB": [[369, 394]], "Indicator: Win32/PSW.OnLineGames.HCV": [[395, 
420]]}, "info": {"id": "cyner2_5class_train_07144", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Bck/DSNX.05 Bloodhound.Morphine Trojan.Packed-86 Backdoor.Win32.DSNX.05.a Backdoor.Dsnx.05.A Backdoor.Win32.DSNX.05.a Backdoor:Win32/DSNX.E Backdoor.DSNX.05.a BackDoor.Dsnx Backdoor.DSNX.05 Bck/DSNX.05 Trojan.Dsnx Trojan-Spy.Win32.Flux.a Win32/DSNX.05 Bck/DSNX.05", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Bck/DSNX.05": [[26, 37], [216, 227], [278, 289]], "Indicator: Bloodhound.Morphine": [[38, 57]], "Indicator: Trojan.Packed-86": [[58, 74]], "Indicator: Backdoor.Win32.DSNX.05.a": [[75, 99], [119, 143]], "Indicator: Backdoor.Dsnx.05.A": [[100, 118]], "Indicator: Backdoor:Win32/DSNX.E": [[144, 165]], "Indicator: Backdoor.DSNX.05.a": [[166, 184]], "Indicator: BackDoor.Dsnx": [[185, 198]], "Indicator: Backdoor.DSNX.05": [[199, 215]], "Indicator: Trojan.Dsnx": [[228, 239]], "Indicator: Trojan-Spy.Win32.Flux.a": [[240, 263]], "Indicator: Win32/DSNX.05": [[264, 277]]}, "info": {"id": "cyner2_5class_train_07145", "source": "cyner2_5class_train"}} +{"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices .", "spans": {"Indicator: rootmydevice": [[142, 154]], "Indicator: Linux 3.4-sunxi": [[194, 209]], "System: Android": [[256, 263]], "Organization: Allwinner": [[284, 293], [356, 365]], "System: ARM": [[294, 297]], "System: Linux": [[342, 347]], "System: Banana Pi micro-PCs": [[392, 411]], "System: Orange Pi": [[414, 423]]}, "info": {"id": "cyner2_5class_train_07146", "source": "cyner2_5class_train"}} +{"text": "In July 2014, Trend Micro published a 
report about a threat called Retefe, an ebanking Trojan that is targeting financial institutions in Switzerland, Austria, Sweden and Japan.", "spans": {"Organization: Trend Micro": [[14, 25]], "Malware: Retefe,": [[67, 74]], "Malware: ebanking Trojan": [[78, 93]], "Organization: financial institutions": [[112, 134]]}, "info": {"id": "cyner2_5class_train_07147", "source": "cyner2_5class_train"}} +{"text": "Based on other public reports, SANs saw the expected Qakbot activity.", "spans": {"Organization: SANs": [[31, 35]], "Malware: Qakbot": [[53, 59]]}, "info": {"id": "cyner2_5class_train_07148", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Regin.A Trojan.Regin Backdoor.Regin.A Trojan/Downloader.Tiny.br Backdoor.Regin.A W32/Backdoor.NAZD-1177 Backdoor.Regin Backdoor.Regin.A Backdoor.Regin.A Backdoor.Regin.A Heur.Packed.Unknown Backdoor.Regin.A Virus.Win32.Dion.b TR/Regin.qzqib Trojan:WinNT/Regin.A!dha Trj/CI.A Win32/Trojan.2d3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Regin.A": [[26, 42], [56, 72], [99, 115], [154, 170], [171, 187], [188, 204], [225, 241]], "Indicator: Trojan.Regin": [[43, 55]], "Indicator: Trojan/Downloader.Tiny.br": [[73, 98]], "Indicator: W32/Backdoor.NAZD-1177": [[116, 138]], "Indicator: Backdoor.Regin": [[139, 153]], "Indicator: Heur.Packed.Unknown": [[205, 224]], "Indicator: Virus.Win32.Dion.b": [[242, 260]], "Indicator: TR/Regin.qzqib": [[261, 275]], "Indicator: Trojan:WinNT/Regin.A!dha": [[276, 300]], "Indicator: Trj/CI.A": [[301, 309]], "Indicator: Win32/Trojan.2d3": [[310, 326]]}, "info": {"id": "cyner2_5class_train_07149", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Paycrack Trojan/Hacktool.PayCrack.a W32/Trojan.TVD Win32/HackTool.PayCrack.A HackTool.Win32.PayCrack.a Riskware.Win32.PayCrack.hsmb Win32.Hacktool.Paycrack.Amwe Application.Win32.HackTool.PayCrack.A Tool.PayCrack.Win32.1 W32/Trojan.IFEJ-8553 HackTool.PayCrack.a Malware_fam.gw 
HackTool/Win32.PayCrack Win32.HackTool.PayCrack.a.kcloud Trojan.Kazy.D2127B HackTool.W32.PayCrack.a!c HackTool.Win32.PayCrack.a HackTool:Win32/Paycrack.A Trojan.VBRA.03914 HackTool.PayCrack!/HSSYr26Jv4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Paycrack": [[26, 43]], "Indicator: Trojan/Hacktool.PayCrack.a": [[44, 70]], "Indicator: W32/Trojan.TVD": [[71, 85]], "Indicator: Win32/HackTool.PayCrack.A": [[86, 111]], "Indicator: HackTool.Win32.PayCrack.a": [[112, 137], [414, 439]], "Indicator: Riskware.Win32.PayCrack.hsmb": [[138, 166]], "Indicator: Win32.Hacktool.Paycrack.Amwe": [[167, 195]], "Indicator: Application.Win32.HackTool.PayCrack.A": [[196, 233]], "Indicator: Tool.PayCrack.Win32.1": [[234, 255]], "Indicator: W32/Trojan.IFEJ-8553": [[256, 276]], "Indicator: HackTool.PayCrack.a": [[277, 296]], "Indicator: Malware_fam.gw": [[297, 311]], "Indicator: HackTool/Win32.PayCrack": [[312, 335]], "Indicator: Win32.HackTool.PayCrack.a.kcloud": [[336, 368]], "Indicator: Trojan.Kazy.D2127B": [[369, 387]], "Indicator: HackTool.W32.PayCrack.a!c": [[388, 413]], "Indicator: HackTool:Win32/Paycrack.A": [[440, 465]], "Indicator: Trojan.VBRA.03914": [[466, 483]], "Indicator: HackTool.PayCrack!/HSSYr26Jv4": [[484, 513]]}, "info": {"id": "cyner2_5class_train_07150", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Rootkit.13224.C Win32.Trojan.KillAV.aa Trojan.Win32.NtRootKit.crkykj Trojan.NtRootKit.12298 Trojan.Zusy.75 Trojan:WinNT/Kernelpatch.A Trojan.Win32.KillAV", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Rootkit.13224.C": [[26, 52]], "Indicator: Win32.Trojan.KillAV.aa": [[53, 75]], "Indicator: Trojan.Win32.NtRootKit.crkykj": [[76, 105]], "Indicator: Trojan.NtRootKit.12298": [[106, 128]], "Indicator: Trojan.Zusy.75": [[129, 143]], "Indicator: Trojan:WinNT/Kernelpatch.A": [[144, 170]], "Indicator: Trojan.Win32.KillAV": [[171, 190]]}, "info": {"id": "cyner2_5class_train_07151", "source": 
"cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Mariofev Dropper.Drooptroop.Win32.3960 Trojan/Dropper.Drooptroop.jqh Trojan.TDss.50 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/MalwareF.QVRD TROJ_DROPPER.OFB Trojan.Win32.Drooptroop.cphrc Backdoor.Win32.Shiz.A Trojan.DownLoader1.42134 TROJ_DROPPER.OFB BehavesLike.Win32.Ramnit.mc W32/Risk.VWDX-4897 TrojanDropper.Drooptroop.cvo W32.Malware.Downloader TrojanDownloader:Win32/Mariofev.B Win-Trojan/Drooptroop.29184 Trojan.SB.01742 Trj/Sinowal.WXO Win32.Trojan-dropper.Drooptroop.Suxo Trojan.DR.Drooptroop!YuxRFC8vqfA Win32/Trojan.Downloader.5d7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Mariofev": [[26, 51]], "Indicator: Dropper.Drooptroop.Win32.3960": [[52, 81]], "Indicator: Trojan/Dropper.Drooptroop.jqh": [[82, 111]], "Indicator: Trojan.TDss.50": [[112, 126]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[127, 169]], "Indicator: W32/MalwareF.QVRD": [[170, 187]], "Indicator: TROJ_DROPPER.OFB": [[188, 204], [282, 298]], "Indicator: Trojan.Win32.Drooptroop.cphrc": [[205, 234]], "Indicator: Backdoor.Win32.Shiz.A": [[235, 256]], "Indicator: Trojan.DownLoader1.42134": [[257, 281]], "Indicator: BehavesLike.Win32.Ramnit.mc": [[299, 326]], "Indicator: W32/Risk.VWDX-4897": [[327, 345]], "Indicator: TrojanDropper.Drooptroop.cvo": [[346, 374]], "Indicator: W32.Malware.Downloader": [[375, 397]], "Indicator: TrojanDownloader:Win32/Mariofev.B": [[398, 431]], "Indicator: Win-Trojan/Drooptroop.29184": [[432, 459]], "Indicator: Trojan.SB.01742": [[460, 475]], "Indicator: Trj/Sinowal.WXO": [[476, 491]], "Indicator: Win32.Trojan-dropper.Drooptroop.Suxo": [[492, 528]], "Indicator: Trojan.DR.Drooptroop!YuxRFC8vqfA": [[529, 561]], "Indicator: Win32/Trojan.Downloader.5d7": [[562, 589]]}, "info": {"id": "cyner2_5class_train_07152", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.6E94 Dropped:Backdoor.Hupigon.AACP Backdoor.Delf.13917 
Backdoor.Delf.Win32.18733 Trojan/Ceckno.nag Backdoor.Hupigon.AACP Win32.Trojan.Hupigon.b Win.Trojan.Crypted-5 Backdoor.Win32.Delf.cxe Dropped:Backdoor.Hupigon.AACP Trojan.Win32.Delf.ivaq Backdoor.W32.Delf.lqj!c Win32.Backdoor.Delf.Lkxm Dropped:Backdoor.Hupigon.AACP Packed.Win32.Klone.~KE Dropped:Backdoor.Hupigon.AACP BackDoor.Beizhu.origin Trojan.Win32.Cosmu VirTool.MaskPE.f Trojan[Backdoor]/Win32.Delf PWS:Win32/Populf.E!dll Dropped:Backdoor.Hupigon.AACP Backdoor/Win32.Delf.C195770 Dropped:Backdoor.Hupigon.AACP TScope.Trojan.Delf Backdoor.Delf!JSU0HMDt5JA W32/PEMask.A!tr Win32/Backdoor.Hupigon.88a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.6E94": [[26, 43]], "Indicator: Dropped:Backdoor.Hupigon.AACP": [[44, 73], [228, 257], [330, 359], [383, 412], [523, 552], [581, 610]], "Indicator: Backdoor.Delf.13917": [[74, 93]], "Indicator: Backdoor.Delf.Win32.18733": [[94, 119]], "Indicator: Trojan/Ceckno.nag": [[120, 137]], "Indicator: Backdoor.Hupigon.AACP": [[138, 159]], "Indicator: Win32.Trojan.Hupigon.b": [[160, 182]], "Indicator: Win.Trojan.Crypted-5": [[183, 203]], "Indicator: Backdoor.Win32.Delf.cxe": [[204, 227]], "Indicator: Trojan.Win32.Delf.ivaq": [[258, 280]], "Indicator: Backdoor.W32.Delf.lqj!c": [[281, 304]], "Indicator: Win32.Backdoor.Delf.Lkxm": [[305, 329]], "Indicator: Packed.Win32.Klone.~KE": [[360, 382]], "Indicator: BackDoor.Beizhu.origin": [[413, 435]], "Indicator: Trojan.Win32.Cosmu": [[436, 454]], "Indicator: VirTool.MaskPE.f": [[455, 471]], "Indicator: Trojan[Backdoor]/Win32.Delf": [[472, 499]], "Indicator: PWS:Win32/Populf.E!dll": [[500, 522]], "Indicator: Backdoor/Win32.Delf.C195770": [[553, 580]], "Indicator: TScope.Trojan.Delf": [[611, 629]], "Indicator: Backdoor.Delf!JSU0HMDt5JA": [[630, 655]], "Indicator: W32/PEMask.A!tr": [[656, 671]], "Indicator: Win32/Backdoor.Hupigon.88a": [[672, 698]]}, "info": {"id": "cyner2_5class_train_07153", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Tosct 
BKDR_WEBRV.A Win32.Trojan.WisdomEyes.16070401.9500.9995 BKDR_WEBRV.A W32/Trojan.FUQN-2612 W32.Trojan.Downloader Trojan.Heur.RP.EBE28B Backdoor:Win32/Tosct.A W32/Dloader.GQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Tosct": [[26, 40]], "Indicator: BKDR_WEBRV.A": [[41, 53], [97, 109]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[54, 96]], "Indicator: W32/Trojan.FUQN-2612": [[110, 130]], "Indicator: W32.Trojan.Downloader": [[131, 152]], "Indicator: Trojan.Heur.RP.EBE28B": [[153, 174]], "Indicator: Backdoor:Win32/Tosct.A": [[175, 197]], "Indicator: W32/Dloader.GQ!tr": [[198, 215]]}, "info": {"id": "cyner2_5class_train_07154", "source": "cyner2_5class_train"}} +{"text": "The spam messages we observed used several different tactics to deliver malicious payloads to users, including macros, packager shell objects aka OLE objects, and links.", "spans": {"Indicator: The spam messages": [[0, 17]], "Malware: malicious payloads": [[72, 90]], "Malware: macros, packager shell objects": [[111, 141]], "Indicator: OLE objects,": [[146, 158]], "Indicator: links.": [[163, 169]]}, "info": {"id": "cyner2_5class_train_07155", "source": "cyner2_5class_train"}} +{"text": "In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them.", "spans": {"Indicator: real attack": [[39, 50]], "Indicator: attack": [[95, 101]]}, "info": {"id": "cyner2_5class_train_07156", "source": "cyner2_5class_train"}} +{"text": "Verification that the request is coming from the user ’ s device is completed using two possible methods : The user connects to the site over mobile data , not WiFi ( so the service provider directly handles the connection and can validate the phone number ) ; or The user must retrieve a code sent to them via SMS and enter it into the web page ( thereby proving access to the provided phone number ) .", "spans": {}, "info": {"id": 
"cyner2_5class_train_07157", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Gatt.A Backdoor.Small.oo Backdoor/Small.oo W32/Trojan.AVEH Infostealer.Onlinegame BKDR_SMALL.ALN Trojan.Downloader-17400 Backdoor.Win32.Small.oo Trojan.Gatt.A Trojan.Win32.Veslorn!IK Trojan.Gatt.A DDoS.Bonke BKDR_SMALL.ALN W32/Trojan.AVEH Trojan.Gatt.A Win-Trojan/Xema.variant Backdoor.Win32.Small.oo Trojan-PSW.Onlinegame Backdoor.Pina.k Trojan.Win32.Veslorn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Gatt.A": [[26, 39], [178, 191], [216, 229], [272, 285]], "Indicator: Backdoor.Small.oo": [[40, 57]], "Indicator: Backdoor/Small.oo": [[58, 75]], "Indicator: W32/Trojan.AVEH": [[76, 91], [256, 271]], "Indicator: Infostealer.Onlinegame": [[92, 114]], "Indicator: BKDR_SMALL.ALN": [[115, 129], [241, 255]], "Indicator: Trojan.Downloader-17400": [[130, 153]], "Indicator: Backdoor.Win32.Small.oo": [[154, 177], [310, 333]], "Indicator: Trojan.Win32.Veslorn!IK": [[192, 215]], "Indicator: DDoS.Bonke": [[230, 240]], "Indicator: Win-Trojan/Xema.variant": [[286, 309]], "Indicator: Trojan-PSW.Onlinegame": [[334, 355]], "Indicator: Backdoor.Pina.k": [[356, 371]], "Indicator: Trojan.Win32.Veslorn": [[372, 392]]}, "info": {"id": "cyner2_5class_train_07158", "source": "cyner2_5class_train"}} +{"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code .", "spans": {"Organization: Kryptowire": [[12, 22]], "Organization: RedNaga Security": [[91, 107]], "Organization: Adup": [[206, 210]]}, "info": {"id": "cyner2_5class_train_07159", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.KillProc.33379 Trojan.Foreign.Win32.54666 Trojan[Ransom]/Win32.Foreign TrojanDropper:Win32/Rovnix.N W32/Kryptik.DDLY!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.KillProc.33379": [[26, 47]], "Indicator: Trojan.Foreign.Win32.54666": [[48, 74]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[75, 103]], "Indicator: TrojanDropper:Win32/Rovnix.N": [[104, 132]], "Indicator: W32/Kryptik.DDLY!tr": [[133, 152]]}, "info": {"id": "cyner2_5class_train_07160", "source": "cyner2_5class_train"}} +{"text": "He told Amnesty International: one of my colleagues called me…and said I received an email from you and you're mentioning something about political prisoners and there is an attachment there.", "spans": {"Organization: Amnesty International:": [[8, 30]], "Organization: colleagues": [[41, 51]], "Indicator: me…and said": [[59, 70]]}, "info": {"id": "cyner2_5class_train_07161", "source": "cyner2_5class_train"}} +{"text": "As mentioned before , our test device was automatically from stage one to stage two , which started collecting data .", "spans": {}, "info": {"id": "cyner2_5class_train_07162", "source": "cyner2_5class_train"}} +{"text": "In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part", "spans": {"Organization: Fidelis Cybersecurity": [[23, 44]], "Malware: Derusbi malware": [[78, 93]]}, "info": {"id": "cyner2_5class_train_07163", "source": "cyner2_5class_train"}} +{"text": "The carrier can determine that the request originates from the user ’ s device , but does not require any interaction from the user that can not be automated .", "spans": {}, "info": {"id": "cyner2_5class_train_07164", "source": "cyner2_5class_train"}} +{"text": "Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool RAT.", "spans": {"System: Windows hosts": [[35, 48]], "Malware: the NetSupport Manager remote access tool RAT.": [[54, 100]]}, "info": {"id": "cyner2_5class_train_07165", "source": "cyner2_5class_train"}} +{"text": "In this case , a threat actor has been targeting customers of Bank Austria , Raiffeisen Meine Bank , and Sparkasse since at least 
January 2017 .", "spans": {}, "info": {"id": "cyner2_5class_train_07166", "source": "cyner2_5class_train"}} +{"text": "List of packages received from the C2 adminNumber : Setup of the admin phone number .", "spans": {}, "info": {"id": "cyner2_5class_train_07167", "source": "cyner2_5class_train"}} +{"text": "Tracking Subaat: Targeted Phishing Attacks Point Leader to Threat Actor's Repository", "spans": {"Malware: Subaat:": [[9, 16]], "Indicator: Phishing Attacks": [[26, 42]], "Indicator: Repository": [[74, 84]]}, "info": {"id": "cyner2_5class_train_07168", "source": "cyner2_5class_train"}} +{"text": "Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.", "spans": {}, "info": {"id": "cyner2_5class_train_07169", "source": "cyner2_5class_train"}} +{"text": "Following the seemingly quiet state of point-of-sale PoS malware these past few months, we are now faced with two new PoS malware named Katrina and CenterPoS now available to cybercriminals.", "spans": {"Malware: point-of-sale PoS malware": [[39, 64]], "Malware: PoS malware": [[118, 129]], "Malware: Katrina": [[136, 143]], "Malware: CenterPoS": [[148, 157]]}, "info": {"id": "cyner2_5class_train_07170", "source": "cyner2_5class_train"}} +{"text": "We recently wrote about the KONNI Remote Access Trojan RAT which has been distributed by a small number of campaigns over the past 3 years.", "spans": {"Malware: KONNI Remote Access Trojan RAT": [[28, 58]]}, "info": {"id": "cyner2_5class_train_07171", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Virut.G W32/Virut.CF_2 Win32/Virut.17408 PE_VIRUX.F-1 Virus.Win32.Virut.ce Win32.Virut.AL Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.F-1 Win32/Virut.bn Trojan:Win32/Ertfor.A Virus.Virut.06 HeurEngine.MaliciousPacker Win32/Virut.NBP W32/PackTDss.W!tr W32/Sality.AO", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: W32/Virut.CF_2": [[38, 52]], "Indicator: Win32/Virut.17408": [[53, 70]], "Indicator: PE_VIRUX.F-1": [[71, 83], [156, 168]], "Indicator: Virus.Win32.Virut.ce": [[84, 104]], "Indicator: Win32.Virut.AL": [[105, 119]], "Indicator: Virus.Win32.Virut.Ce": [[120, 140]], "Indicator: Win32.Virut.56": [[141, 155]], "Indicator: Win32/Virut.bn": [[169, 183]], "Indicator: Trojan:Win32/Ertfor.A": [[184, 205]], "Indicator: Virus.Virut.06": [[206, 220]], "Indicator: HeurEngine.MaliciousPacker": [[221, 247]], "Indicator: Win32/Virut.NBP": [[248, 263]], "Indicator: W32/PackTDss.W!tr": [[264, 281]], "Indicator: W32/Sality.AO": [[282, 295]]}, "info": {"id": "cyner2_5class_train_07172", "source": "cyner2_5class_train"}} +{"text": "During our research into a widespread spam campaign, we discovered yet another POS malware that we've named NitlovePOS.", "spans": {"Malware: POS malware": [[79, 90]], "Malware: NitlovePOS.": [[108, 119]]}, "info": {"id": "cyner2_5class_train_07173", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.VB!O W32/Autorun.worm.aba Win32.Trojan.WisdomEyes.16070401.9500.9993 W32.SillyFDC Trojan-Dropper.Win32.Dapato.ddfx Trojan.Win32.Dapato.efldrk Win32.HLLW.Autoruner.10315 Worm.VB.Win32.2517 W32/Autorun.worm.aba Worm.Win32.VB Worm/VB.pfc W32.Worm.Sphr Worm/Win32.VB Worm.VB.kcloud Worm:Win32/Dashvolex.A Trojan.Strictor.DCDB Trojan-Dropper.Win32.Dapato.ddfx Worm/Win32.VB.C95007 Trojan.VBO.014708 Worm.VB!8247fVrcIiA W32/VB.OAN!tr Win32/Trojan.Dropper.d0e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.VB!O": [[26, 41]], "Indicator: W32/Autorun.worm.aba": [[42, 62], [225, 245]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[63, 105]], "Indicator: W32.SillyFDC": [[106, 118]], "Indicator: Trojan-Dropper.Win32.Dapato.ddfx": [[119, 151], [359, 391]], "Indicator: Trojan.Win32.Dapato.efldrk": [[152, 178]], "Indicator: 
Win32.HLLW.Autoruner.10315": [[179, 205]], "Indicator: Worm.VB.Win32.2517": [[206, 224]], "Indicator: Worm.Win32.VB": [[246, 259]], "Indicator: Worm/VB.pfc": [[260, 271]], "Indicator: W32.Worm.Sphr": [[272, 285]], "Indicator: Worm/Win32.VB": [[286, 299]], "Indicator: Worm.VB.kcloud": [[300, 314]], "Indicator: Worm:Win32/Dashvolex.A": [[315, 337]], "Indicator: Trojan.Strictor.DCDB": [[338, 358]], "Indicator: Worm/Win32.VB.C95007": [[392, 412]], "Indicator: Trojan.VBO.014708": [[413, 430]], "Indicator: Worm.VB!8247fVrcIiA": [[431, 450]], "Indicator: W32/VB.OAN!tr": [[451, 464]], "Indicator: Win32/Trojan.Dropper.d0e": [[465, 489]]}, "info": {"id": "cyner2_5class_train_07174", "source": "cyner2_5class_train"}} +{"text": "The Carbanak group is infamous for infiltrating various financial institutions, and stealing millions of dollars by learning and abusing the internals of victim payment processing networks, ATM networks and transaction systems.", "spans": {"Indicator: infiltrating": [[35, 47]], "Organization: financial institutions,": [[56, 79]], "Indicator: stealing millions of dollars": [[84, 112]], "Indicator: abusing the internals": [[129, 150]], "Indicator: victim payment processing networks,": [[154, 189]], "System: ATM networks": [[190, 202]], "System: transaction systems.": [[207, 227]]}, "info": {"id": "cyner2_5class_train_07175", "source": "cyner2_5class_train"}} +{"text": "This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater", "spans": {"Indicator: attacks": [[29, 36]], "Organization: Unit 42": [[119, 126]], "Malware: MuddyWater": [[137, 147]]}, "info": {"id": "cyner2_5class_train_07176", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Dtr.1.4.4 Backdoor.DTR BackDoor-WF.svr.rmv Email-Worm.Win32.GOPworm.196 Backdoor.Dtr.1.4.4 W32/Risk.RVZV-3966 Backdoor.Trojan Win32/DTR.14.rmvr BKDR_WF.SVR Backdoor.Dtr.1.4.4 Backdoor.Dtr.1.4.4 
Trojan.Win32.Dtr.zmvuu Backdoor.Dtr.1.4.4 Backdoor.Win32.DTR.14.rmvr BackDoor.Dtr.143 Backdoor.Win32.C01A9ACD BackDoor-WF.svr.rmv W32.DTR.B BDS/Dtr.1.4.4 Backdoor:Win32/DTR.B Backdoor.Dtr.1.4.4 Email-Worm.Win32.GOPworm.196 Win32.Trojan.Wf.Pefg Backdoor.WF!ynwdN87+ujc Trojan.Win32.DTR W32/Bdoor.WH!tr.bdr Win32/Backdoor.9a4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Dtr.1.4.4": [[26, 44], [107, 125], [191, 209], [210, 228], [252, 270], [404, 422]], "Indicator: Backdoor.DTR": [[45, 57]], "Indicator: BackDoor-WF.svr.rmv": [[58, 77], [339, 358]], "Indicator: Email-Worm.Win32.GOPworm.196": [[78, 106], [423, 451]], "Indicator: W32/Risk.RVZV-3966": [[126, 144]], "Indicator: Backdoor.Trojan": [[145, 160]], "Indicator: Win32/DTR.14.rmvr": [[161, 178]], "Indicator: BKDR_WF.SVR": [[179, 190]], "Indicator: Trojan.Win32.Dtr.zmvuu": [[229, 251]], "Indicator: Backdoor.Win32.DTR.14.rmvr": [[271, 297]], "Indicator: BackDoor.Dtr.143": [[298, 314]], "Indicator: Backdoor.Win32.C01A9ACD": [[315, 338]], "Indicator: W32.DTR.B": [[359, 368]], "Indicator: BDS/Dtr.1.4.4": [[369, 382]], "Indicator: Backdoor:Win32/DTR.B": [[383, 403]], "Indicator: Win32.Trojan.Wf.Pefg": [[452, 472]], "Indicator: Backdoor.WF!ynwdN87+ujc": [[473, 496]], "Indicator: Trojan.Win32.DTR": [[497, 513]], "Indicator: W32/Bdoor.WH!tr.bdr": [[514, 533]], "Indicator: Win32/Backdoor.9a4": [[534, 552]]}, "info": {"id": "cyner2_5class_train_07177", "source": "cyner2_5class_train"}} +{"text": "In this attack, AutoIT was utilized to install a Remote Access Trojan RAT and maintain persistence on the host in a manner that's similar to normal administration activity.", "spans": {"Indicator: attack,": [[8, 15]], "Malware: AutoIT": [[16, 22]], "Malware: a Remote Access Trojan RAT": [[47, 73]]}, "info": {"id": "cyner2_5class_train_07178", "source": "cyner2_5class_train"}} +{"text": "This report contained a sentence of particular interest to Cyber4Sight: FIN7 is referred to by many vendors as Carbanak Group,' 
although we do not equate all usage of the Carbanak backdoor with FIN7. In their previous report on this threat actor group, FireEye stopped short of making this direct connection, stating instead that The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.", "spans": {"Malware: the Carbanak backdoor": [[167, 188]], "Organization: FireEye": [[253, 260]], "Malware: CARBANAK malware": [[345, 361]], "Indicator: fraudulent banking transactions, ATM compromise, and other monetization schemes.": [[498, 578]]}, "info": {"id": "cyner2_5class_train_07179", "source": "cyner2_5class_train"}} +{"text": "UNIX-based operating systems are widely used in servers, workstations, and even mobile devices.", "spans": {"System: UNIX-based operating systems": [[0, 28]], "System: servers, workstations,": [[48, 70]], "System: mobile devices.": [[80, 95]]}, "info": {"id": "cyner2_5class_train_07180", "source": "cyner2_5class_train"}} +{"text": "I.e., malicious email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target.", "spans": {"Indicator: malicious email messages are sent": [[6, 39]]}, "info": {"id": "cyner2_5class_train_07181", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.AutoDoor!O Worm.AutoDoor Trojan.Win32.Buzus Win32.Trojan.WisdomEyes.16070401.9500.9827 W32/Trojan2.CWJR W32.IRCBot Win32/DfInject.CI TROJ_BUZUS.JW Win.Trojan.Buzus-2971 Worm.Win32.AutoDoor.fd Trojan.Win32.Buzus.qvdn Trojan.Win32.Buzus.48128 TrojWare.Win32.Buzus.~BAAM Trojan.MulDrop.27694 Trojan.Buzus.Win32.5559 TROJ_BUZUS.JW BehavesLike.Win32.Worm.cz Trojan/Buzus.esq Trojan/Win32.Buzus Trojan:Win32/Buzus.A Worm.Win32.AutoDoor.fd Trojan/Win32.Buzus.C140550 Trojan.Win32.Buzus.ck Trojan.Win32.Buzus Trj/Buzus.ER 
Virus.Win32.Virut.ue Worm.Win32.AutoDoor W32/Injector.fam!tr Win32/Worm.07d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoDoor!O": [[26, 47]], "Indicator: Worm.AutoDoor": [[48, 61]], "Indicator: Trojan.Win32.Buzus": [[62, 80], [519, 537]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9827": [[81, 123]], "Indicator: W32/Trojan2.CWJR": [[124, 140]], "Indicator: W32.IRCBot": [[141, 151]], "Indicator: Win32/DfInject.CI": [[152, 169]], "Indicator: TROJ_BUZUS.JW": [[170, 183], [350, 363]], "Indicator: Win.Trojan.Buzus-2971": [[184, 205]], "Indicator: Worm.Win32.AutoDoor.fd": [[206, 228], [447, 469]], "Indicator: Trojan.Win32.Buzus.qvdn": [[229, 252]], "Indicator: Trojan.Win32.Buzus.48128": [[253, 277]], "Indicator: TrojWare.Win32.Buzus.~BAAM": [[278, 304]], "Indicator: Trojan.MulDrop.27694": [[305, 325]], "Indicator: Trojan.Buzus.Win32.5559": [[326, 349]], "Indicator: BehavesLike.Win32.Worm.cz": [[364, 389]], "Indicator: Trojan/Buzus.esq": [[390, 406]], "Indicator: Trojan/Win32.Buzus": [[407, 425]], "Indicator: Trojan:Win32/Buzus.A": [[426, 446]], "Indicator: Trojan/Win32.Buzus.C140550": [[470, 496]], "Indicator: Trojan.Win32.Buzus.ck": [[497, 518]], "Indicator: Trj/Buzus.ER": [[538, 550]], "Indicator: Virus.Win32.Virut.ue": [[551, 571]], "Indicator: Worm.Win32.AutoDoor": [[572, 591]], "Indicator: W32/Injector.fam!tr": [[592, 611]], "Indicator: Win32/Worm.07d": [[612, 626]]}, "info": {"id": "cyner2_5class_train_07182", "source": "cyner2_5class_train"}} +{"text": "Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them .", "spans": {}, "info": {"id": "cyner2_5class_train_07183", "source": "cyner2_5class_train"}} +{"text": "new_url : to change the URL of the C2 server in the app preference .", "spans": {}, "info": {"id": "cyner2_5class_train_07184", "source": "cyner2_5class_train"}} +{"text": "Extract messages and the encryption key from the Telegram app .", "spans": {"System: 
Telegram": [[49, 57]]}, "info": {"id": "cyner2_5class_train_07185", "source": "cyner2_5class_train"}} +{"text": "In particular , EventBot can intercept SMS messages and bypass two-factor authentication mechanisms .", "spans": {"Malware: EventBot": [[16, 24]]}, "info": {"id": "cyner2_5class_train_07186", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanPWS.Mintluks.FC.1419 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.dhybnf Trojan.DownLoader11.61306 PWS:MSIL/Mintluks.A Trojan.Razy.D2D0CD MSIL.Trojan.Injector.HD Backdoor.Bot Trojan.MSIL.Injector Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Mintluks.FC.1419": [[26, 52]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[53, 95]], "Indicator: Trojan.Win32.Inject.dhybnf": [[96, 122]], "Indicator: Trojan.DownLoader11.61306": [[123, 148]], "Indicator: PWS:MSIL/Mintluks.A": [[149, 168]], "Indicator: Trojan.Razy.D2D0CD": [[169, 187]], "Indicator: MSIL.Trojan.Injector.HD": [[188, 211]], "Indicator: Backdoor.Bot": [[212, 224]], "Indicator: Trojan.MSIL.Injector": [[225, 245]], "Indicator: Trj/CI.A": [[246, 254]]}, "info": {"id": "cyner2_5class_train_07187", "source": "cyner2_5class_train"}} +{"text": "The Patchwork attack group has been targeting more than just government-associated organizations.", "spans": {"Indicator: The Patchwork attack group": [[0, 26]], "Organization: government-associated organizations.": [[61, 97]]}, "info": {"id": "cyner2_5class_train_07188", "source": "cyner2_5class_train"}} +{"text": "It is usually used as a downloader for the actual binary payload.", "spans": {"Malware: downloader": [[24, 34]], "Malware: the actual binary payload.": [[39, 65]]}, "info": {"id": "cyner2_5class_train_07189", "source": "cyner2_5class_train"}} +{"text": "However, over a period of just over two weeks June 10 to June 28, we saw a recurrence of this threat.", "spans": {"Malware: threat.": [[94, 101]]}, "info": {"id": 
"cyner2_5class_train_07190", "source": "cyner2_5class_train"}} +{"text": "Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.", "spans": {"Malware: malware": [[12, 19]], "Malware: Remote Access Trojans": [[53, 74]], "Malware: keyloggers.": [[79, 90]]}, "info": {"id": "cyner2_5class_train_07191", "source": "cyner2_5class_train"}} +{"text": "The attackers initially injected a malicious user-defined function Downloader.Chikdos into servers in order to compromise them with the Trojan.Chikdos.A DDoS malware According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.", "spans": {"Indicator: Downloader.Chikdos": [[67, 85]], "System: servers": [[91, 98]], "Indicator: Trojan.Chikdos.A": [[136, 152]], "Malware: DDoS malware": [[153, 165]], "Organization: Symantec telemetry,": [[179, 198]], "System: compromised servers": [[219, 238]]}, "info": {"id": "cyner2_5class_train_07192", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Retefe W32/Trojan.IYLJ-0833 Ransom.Cry Trojan.Win32.Banker1.euqajf TrojWare.Win32.Amtar.TAW Trojan.PWS.Banker1.23740 Trojan.Adware.a Trojan/Win32.Injector.C2217431 Trj/CI.A Win32.Trojan.Fakeversign.Vgov Win32/Trojan.Adware.37e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Retefe": [[26, 39]], "Indicator: W32/Trojan.IYLJ-0833": [[40, 60]], "Indicator: Ransom.Cry": [[61, 71]], "Indicator: Trojan.Win32.Banker1.euqajf": [[72, 99]], "Indicator: TrojWare.Win32.Amtar.TAW": [[100, 124]], "Indicator: Trojan.PWS.Banker1.23740": [[125, 149]], "Indicator: Trojan.Adware.a": [[150, 165]], "Indicator: Trojan/Win32.Injector.C2217431": [[166, 196]], "Indicator: Trj/CI.A": [[197, 205]], "Indicator: Win32.Trojan.Fakeversign.Vgov": [[206, 235]], "Indicator: Win32/Trojan.Adware.37e": [[236, 259]]}, "info": {"id": "cyner2_5class_train_07193", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: 
TrojanProxy.Roficor W32/Trojan.GIFJ-9110 Win32/Tnega.TOWATOC TrojanProxy:Win32/Roficor.A Win32.Trojan.Falsesign.Duco", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanProxy.Roficor": [[26, 45]], "Indicator: W32/Trojan.GIFJ-9110": [[46, 66]], "Indicator: Win32/Tnega.TOWATOC": [[67, 86]], "Indicator: TrojanProxy:Win32/Roficor.A": [[87, 114]], "Indicator: Win32.Trojan.Falsesign.Duco": [[115, 142]]}, "info": {"id": "cyner2_5class_train_07194", "source": "cyner2_5class_train"}} +{"text": "Adwind is a Java-based remote access tool RAT used by malware authors to infect computers with backdoor access.", "spans": {"Malware: Adwind": [[0, 6]], "Malware: Java-based remote access tool RAT": [[12, 45]], "System: computers": [[80, 89]], "Malware: backdoor access.": [[95, 111]]}, "info": {"id": "cyner2_5class_train_07195", "source": "cyner2_5class_train"}} +{"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m % d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written in .Net – skype_sync2.exe .", "spans": {"Indicator: msconf.exe": [[88, 98]], "Indicator: % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m % d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % 
/myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3": [[99, 550]], "Indicator: yyyyMMddHHmmss_out.mp3": [[551, 573]], "System: .Net": [[640, 644]], "Indicator: skype_sync2.exe": [[647, 662]]}, "info": {"id": "cyner2_5class_train_07196", "source": "cyner2_5class_train"}} +{"text": "Removing the junk instructions revealed a readable block of code .", "spans": {}, "info": {"id": "cyner2_5class_train_07197", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Scar.995328.O Trojan/Scar.dzrv Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Bayrob Trojan.Win32.Scar.cpddg Troj.W32.Scar.dzrv!c Trojan.Scar.Win32.50507 BehavesLike.Win32.GameVance.dt Trojan/Scar.bagk TR/Woripecs.A.48 Trojan.Heur.JP.EFC713 Backdoor:Win32/Nivdort.A!dll Trojan/Win32.Bayrob.C236811 Trojan.Scar!yb6+goUnDvM Trojan.Win32.Woripecs W32/Scar.AT!tr Win32/Trojan.Spy.84a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Scar.995328.O": [[26, 50]], "Indicator: Trojan/Scar.dzrv": [[51, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[68, 110]], "Indicator: Trojan.Bayrob": [[111, 124]], "Indicator: Trojan.Win32.Scar.cpddg": [[125, 148]], "Indicator: Troj.W32.Scar.dzrv!c": [[149, 169]], "Indicator: Trojan.Scar.Win32.50507": [[170, 193]], "Indicator: BehavesLike.Win32.GameVance.dt": [[194, 224]], "Indicator: Trojan/Scar.bagk": [[225, 241]], "Indicator: TR/Woripecs.A.48": [[242, 258]], "Indicator: Trojan.Heur.JP.EFC713": [[259, 280]], "Indicator: Backdoor:Win32/Nivdort.A!dll": [[281, 309]], "Indicator: Trojan/Win32.Bayrob.C236811": [[310, 337]], "Indicator: Trojan.Scar!yb6+goUnDvM": [[338, 361]], "Indicator: Trojan.Win32.Woripecs": [[362, 383]], "Indicator: W32/Scar.AT!tr": [[384, 398]], "Indicator: Win32/Trojan.Spy.84a": [[399, 419]]}, "info": {"id": "cyner2_5class_train_07198", "source": "cyner2_5class_train"}} +{"text": "Stealing SMS Figure 10 : Stealing SMS messages .", "spans": {}, "info": {"id": "cyner2_5class_train_07199", 
"source": "cyner2_5class_train"}} +{"text": "The spreading method of a fake antivirus website was also quite confusing, normally I see these things dropping FakeAV's as I've written on in the past.", "spans": {"Indicator: fake antivirus website": [[26, 48]], "Indicator: FakeAV's": [[112, 120]]}, "info": {"id": "cyner2_5class_train_07200", "source": "cyner2_5class_train"}} +{"text": "Some of Regin's custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers.", "spans": {"Malware: Regin's custom payloads": [[8, 31]], "Organization: telecoms infrastructure software,": [[109, 142]]}, "info": {"id": "cyner2_5class_train_07201", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Tagazie.Trojan Trojan/W32.Small.36864.ACH Trojan.Win32.Scar!O TrojanDownloader.Bredolab.AJ2 Virus.Virut.Win32.1911 Trojan/Scar.eaml Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_SCAR_0000027.TOMA Trojan.Win32.Scar.eaml Trojan.Win32.Scar.djhme Trojan.Win32.Scar.9216.A Trojan.Win32.Scar.eaml Trojan.Proxy.19837 BehavesLike.Win32.PWSZbot.nc Trojan/Scar.airi Trojan/Win32.Scar Trojan:Win32/Hioles.D Troj.W32.Scar.lrnw Trojan.Win32.Scar.eaml Trojan/Win32.Scar.R7877 Worm.Fakeupdate.2821 Win32.Magistr Trojan.Scar!QrzKm85lu1k Trojan.Win32.Comame", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Tagazie.Trojan": [[26, 44]], "Indicator: Trojan/W32.Small.36864.ACH": [[45, 71]], "Indicator: Trojan.Win32.Scar!O": [[72, 91]], "Indicator: TrojanDownloader.Bredolab.AJ2": [[92, 121]], "Indicator: Virus.Virut.Win32.1911": [[122, 144]], "Indicator: Trojan/Scar.eaml": [[145, 161]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[162, 204]], "Indicator: TROJ_SCAR_0000027.TOMA": [[205, 227]], "Indicator: Trojan.Win32.Scar.eaml": [[228, 250], [300, 322], [447, 469]], "Indicator: Trojan.Win32.Scar.djhme": [[251, 274]], "Indicator: Trojan.Win32.Scar.9216.A": [[275, 299]], 
"Indicator: Trojan.Proxy.19837": [[323, 341]], "Indicator: BehavesLike.Win32.PWSZbot.nc": [[342, 370]], "Indicator: Trojan/Scar.airi": [[371, 387]], "Indicator: Trojan/Win32.Scar": [[388, 405]], "Indicator: Trojan:Win32/Hioles.D": [[406, 427]], "Indicator: Troj.W32.Scar.lrnw": [[428, 446]], "Indicator: Trojan/Win32.Scar.R7877": [[470, 493]], "Indicator: Worm.Fakeupdate.2821": [[494, 514]], "Indicator: Win32.Magistr": [[515, 528]], "Indicator: Trojan.Scar!QrzKm85lu1k": [[529, 552]], "Indicator: Trojan.Win32.Comame": [[553, 572]]}, "info": {"id": "cyner2_5class_train_07202", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Script.634117 Trojan.Win32.Miner!O Win32.Trojan.WisdomEyes.16070401.9500.9944 PUA.Deminnix Trojan.Win32.Miner.aau Trojan.Script.634117 Riskware.Win32.BitCoinMiner.csteyy Trojan.Script.634117 Tool.BtcMine.83 Trojan.Miner.Win32.426 W32/Trojan.IJIB-0603 Trojan/Miner.dc Trojan.Graftor.D194A6 Trojan.Win32.Miner.aau Trojan.BitMiner Win32/CoinMiner.EC Riskware.BitCoinMiner!FKk5sgQEcRQ Trojan.Win32.Deminnix", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script.634117": [[26, 46], [147, 167], [203, 223]], "Indicator: Trojan.Win32.Miner!O": [[47, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[68, 110]], "Indicator: PUA.Deminnix": [[111, 123]], "Indicator: Trojan.Win32.Miner.aau": [[124, 146], [322, 344]], "Indicator: Riskware.Win32.BitCoinMiner.csteyy": [[168, 202]], "Indicator: Tool.BtcMine.83": [[224, 239]], "Indicator: Trojan.Miner.Win32.426": [[240, 262]], "Indicator: W32/Trojan.IJIB-0603": [[263, 283]], "Indicator: Trojan/Miner.dc": [[284, 299]], "Indicator: Trojan.Graftor.D194A6": [[300, 321]], "Indicator: Trojan.BitMiner": [[345, 360]], "Indicator: Win32/CoinMiner.EC": [[361, 379]], "Indicator: Riskware.BitCoinMiner!FKk5sgQEcRQ": [[380, 413]], "Indicator: Trojan.Win32.Deminnix": [[414, 435]]}, "info": {"id": "cyner2_5class_train_07203", "source": "cyner2_5class_train"}} +{"text": "] ee , 
is the same one used in the Android version of Project Spy .", "spans": {"System: Android": [[35, 42]], "System: Project Spy": [[54, 65]]}, "info": {"id": "cyner2_5class_train_07204", "source": "cyner2_5class_train"}} +{"text": "The investigations showed that the attacks shared a number of common features, such as involving large amount of monetary loss originating from what initially appeared to be legitimate bank customer accounts.", "spans": {}, "info": {"id": "cyner2_5class_train_07205", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Kimad.19394 Trojan/Downloader.Stantinko.o TROJ_KIMAD_EK04051A.UVPM Win32.Trojan-Downloader.Stantinko.a TROJ_KIMAD_EK04051A.UVPM Win.Trojan.12288703-1 Trojan.Kbdmai.14 Downloader.Stantinko.Win32.10 Trojan-Downloader.Win32.Stantinko Variant.Graftor.eb Trojan.Graftor.D2AB64 Trojan/Win32.Kimad.R138166 Trojan.DL.Stantinko! Win32/Trojan.Stantinko.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware03": [[26, 45]], "Indicator: Trojan.Kimad.19394": [[46, 64]], "Indicator: Trojan/Downloader.Stantinko.o": [[65, 94]], "Indicator: TROJ_KIMAD_EK04051A.UVPM": [[95, 119], [156, 180]], "Indicator: Win32.Trojan-Downloader.Stantinko.a": [[120, 155]], "Indicator: Win.Trojan.12288703-1": [[181, 202]], "Indicator: Trojan.Kbdmai.14": [[203, 219]], "Indicator: Downloader.Stantinko.Win32.10": [[220, 249]], "Indicator: Trojan-Downloader.Win32.Stantinko": [[250, 283]], "Indicator: Variant.Graftor.eb": [[284, 302]], "Indicator: Trojan.Graftor.D2AB64": [[303, 324]], "Indicator: Trojan/Win32.Kimad.R138166": [[325, 351]], "Indicator: Trojan.DL.Stantinko!": [[352, 372]], "Indicator: Win32/Trojan.Stantinko.A": [[373, 397]]}, "info": {"id": "cyner2_5class_train_07206", "source": "cyner2_5class_train"}} +{"text": "DarkKomet is a freeware remote access trojan that was released by an independent software developer.", "spans": {"Malware: DarkKomet": [[0, 9]], "Malware: freeware remote access 
trojan": [[15, 44]]}, "info": {"id": "cyner2_5class_train_07207", "source": "cyner2_5class_train"}} +{"text": "For example , Svpeng uses a previously unknown vulnerability to protect itself from being removed manually or by the antivirus program .", "spans": {"Malware: Svpeng": [[14, 20]]}, "info": {"id": "cyner2_5class_train_07208", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DownloadGelodeA.Trojan Adware.WSearch.Win32.494 TROJ_RUGO.SM Win32.Trojan.WisdomEyes.16070401.9500.9989 TROJ_RUGO.SM Trojan.Win32.Dwn.vrhnq Trojan.DownLoader5.16461 TR/Graftor.16274.28 Trojan/Win32.Unknown TrojanDownloader:Win32/Nekotimed.A Trojan.Graftor.D3F92 Downloader/Win32.Nekill.R1661 Adware.WSearch!QcX4Awfq1EM Trojan-Downloader.Win32.Adnur", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloadGelodeA.Trojan": [[26, 52]], "Indicator: Adware.WSearch.Win32.494": [[53, 77]], "Indicator: TROJ_RUGO.SM": [[78, 90], [134, 146]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[91, 133]], "Indicator: Trojan.Win32.Dwn.vrhnq": [[147, 169]], "Indicator: Trojan.DownLoader5.16461": [[170, 194]], "Indicator: TR/Graftor.16274.28": [[195, 214]], "Indicator: Trojan/Win32.Unknown": [[215, 235]], "Indicator: TrojanDownloader:Win32/Nekotimed.A": [[236, 270]], "Indicator: Trojan.Graftor.D3F92": [[271, 291]], "Indicator: Downloader/Win32.Nekill.R1661": [[292, 321]], "Indicator: Adware.WSearch!QcX4Awfq1EM": [[322, 348]], "Indicator: Trojan-Downloader.Win32.Adnur": [[349, 378]]}, "info": {"id": "cyner2_5class_train_07209", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.163 Trojan.FTKN-6 Doc.Macro.Injection-6355574-0 VB:Trojan.Valyria.163 Troj.Downloader.Script!c VB:Trojan.Valyria.163 W97M.DownLoader.631 VB:Trojan.Valyria.163 VB:Trojan.Valyria.163 Win32.Outbreak VB:Trojan.Valyria.163 virus.office.qexvmc.1070", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.163": [[26, 47], [92, 113], [139, 
160], [181, 202], [203, 224], [240, 261]], "Indicator: Trojan.FTKN-6": [[48, 61]], "Indicator: Doc.Macro.Injection-6355574-0": [[62, 91]], "Indicator: Troj.Downloader.Script!c": [[114, 138]], "Indicator: W97M.DownLoader.631": [[161, 180]], "Indicator: Win32.Outbreak": [[225, 239]], "Indicator: virus.office.qexvmc.1070": [[262, 286]]}, "info": {"id": "cyner2_5class_train_07210", "source": "cyner2_5class_train"}} +{"text": "The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors.", "spans": {"Vulnerability: zero-day": [[23, 31]], "Malware: attack tool": [[59, 70]], "Organization: software vendors.": [[124, 141]]}, "info": {"id": "cyner2_5class_train_07211", "source": "cyner2_5class_train"}} +{"text": "Small businesses are generally more likely to use remote administration software for their POS terminals so that 3rd parties can manage the terminals.", "spans": {"Organization: Small businesses": [[0, 16]], "System: remote administration software": [[50, 80]], "System: POS terminals": [[91, 104]]}, "info": {"id": "cyner2_5class_train_07212", "source": "cyner2_5class_train"}} +{"text": "HenBox can also access sensors such as the device camera ( s ) and the microphone .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner2_5class_train_07213", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Nurjax TROJ_GE.273CBA41 Trojan.Win32.Nurjax.ufm Trojan.Win32.Nurjax.dxmzxe Trojan.Win32.Z.Nurjax.10297344 Troj.W32.Nurjax!c BehavesLike.Win32.Dropper.tc W32/Trojan.TKWG-0004 Trojan.Nurjax.a Trojan/Win32.Nurjax TrojanDownloader:Win32/Lentrigy.A Trojan.Win32.Nurjax.ufm Trj/CI.A Win32.Trojan.Nurjax.Ajbs Trojan.Nurjax! 
W32/Nurjax.BQZ!tr Win32/Trojan.e9c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nurjax": [[26, 39]], "Indicator: TROJ_GE.273CBA41": [[40, 56]], "Indicator: Trojan.Win32.Nurjax.ufm": [[57, 80], [277, 300]], "Indicator: Trojan.Win32.Nurjax.dxmzxe": [[81, 107]], "Indicator: Trojan.Win32.Z.Nurjax.10297344": [[108, 138]], "Indicator: Troj.W32.Nurjax!c": [[139, 156]], "Indicator: BehavesLike.Win32.Dropper.tc": [[157, 185]], "Indicator: W32/Trojan.TKWG-0004": [[186, 206]], "Indicator: Trojan.Nurjax.a": [[207, 222]], "Indicator: Trojan/Win32.Nurjax": [[223, 242]], "Indicator: TrojanDownloader:Win32/Lentrigy.A": [[243, 276]], "Indicator: Trj/CI.A": [[301, 309]], "Indicator: Win32.Trojan.Nurjax.Ajbs": [[310, 334]], "Indicator: Trojan.Nurjax!": [[335, 349]], "Indicator: W32/Nurjax.BQZ!tr": [[350, 367]], "Indicator: Win32/Trojan.e9c": [[368, 384]]}, "info": {"id": "cyner2_5class_train_07214", "source": "cyner2_5class_train"}} +{"text": "The Fidelis Threat Research team recently analyzed a new variant to Vawtrak using HTTPS for C2 communications.", "spans": {"Organization: The Fidelis Threat Research team": [[0, 32]], "Malware: variant": [[57, 64]], "Malware: Vawtrak": [[68, 75]], "Indicator: HTTPS for C2 communications.": [[82, 110]]}, "info": {"id": "cyner2_5class_train_07215", "source": "cyner2_5class_train"}} +{"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ .", "spans": {"Indicator: 31.214.157 [ .": [[38, 52]]}, "info": {"id": "cyner2_5class_train_07216", "source": "cyner2_5class_train"}} +{"text": "It sends “ home ” key data about the affected device : device type , OS version , language , number of installed apps , free storage space , battery status , whether the device is rooted and Developer mode enabled , and whether Facebook and FB Messenger are installed .", "spans": {"Organization: Facebook": [[228, 236]], "System: Messenger": [[244, 253]]}, "info": {"id": "cyner2_5class_train_07217", "source": "cyner2_5class_train"}} +{"text": "These 
thefts targeted banks in Vietnam, Bangladesh, Taiwan, and Mexico between 2016 and 2017.", "spans": {"Organization: banks": [[22, 27]]}, "info": {"id": "cyner2_5class_train_07218", "source": "cyner2_5class_train"}} +{"text": "North Korea conducted a test missile launch on 3rd July.", "spans": {}, "info": {"id": "cyner2_5class_train_07219", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Hacktool.BruteForce.mp Win32.Trojan.WisdomEyes.16070401.9500.9985 Win.Trojan.Hacktool-315 Trojan.Win32.BruteForce.recrn Tool.Bruteforce.84 Tool.BruteForce.Win32.143 HTool.BruteForce.g", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Hacktool.BruteForce.mp": [[26, 55]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[56, 98]], "Indicator: Win.Trojan.Hacktool-315": [[99, 122]], "Indicator: Trojan.Win32.BruteForce.recrn": [[123, 152]], "Indicator: Tool.Bruteforce.84": [[153, 171]], "Indicator: Tool.BruteForce.Win32.143": [[172, 197]], "Indicator: HTool.BruteForce.g": [[198, 216]]}, "info": {"id": "cyner2_5class_train_07220", "source": "cyner2_5class_train"}} +{"text": "This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps .", "spans": {}, "info": {"id": "cyner2_5class_train_07221", "source": "cyner2_5class_train"}} +{"text": "In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, deltas from previous versions and share our research and findings with the community.", "spans": {"Organization: Talos": [[66, 71]], "Malware: CryptoWall 4": [[91, 103]], "Indicator: execution, behavior,": [[129, 149]], "Organization: community.": [[225, 235]]}, "info": {"id": "cyner2_5class_train_07222", "source": "cyner2_5class_train"}} +{"text": "We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation.", "spans": 
{"Organization: Dropbox": [[21, 28]], "Malware: threat,": [[48, 55]], "Organization: cooperation": [[64, 75]]}, "info": {"id": "cyner2_5class_train_07223", "source": "cyner2_5class_train"}} +{"text": "This gives JavaScript run in the WebView access to this method .", "spans": {}, "info": {"id": "cyner2_5class_train_07224", "source": "cyner2_5class_train"}} +{"text": "The most common way to achieve this is by creating a broadcast receiver that is registered to the “ android.intent.action.BOOT_COMPLETED ” broadcast action and adding code that boots the application when the broadcast is fired .", "spans": {"Indicator: android.intent.action.BOOT_COMPLETED": [[100, 136]]}, "info": {"id": "cyner2_5class_train_07225", "source": "cyner2_5class_train"}} +{"text": "While details would vary , all of the identified copies of this spyware shared a similar disguise .", "spans": {}, "info": {"id": "cyner2_5class_train_07226", "source": "cyner2_5class_train"}} +{"text": "In the observed version of the implant it doesn ’ t have an interface to work with the skype_sync2.exe module .", "spans": {"Indicator: skype_sync2.exe": [[87, 102]]}, "info": {"id": "cyner2_5class_train_07227", "source": "cyner2_5class_train"}} +{"text": "When we published that blog Unit 42 hadn ’ t seen any of the three registrants overlap domains used in malicious activity .", "spans": {}, "info": {"id": "cyner2_5class_train_07228", "source": "cyner2_5class_train"}} +{"text": "Further analysis Upon further research , we found this spyware to be developed by a framework similar to Spynote and Spymax , meaning this could be an updated version of these Trojan builders , which allow anyone , even with limited knowledge , to develop full-fledged spyware .", "spans": {"Malware: Spynote": [[105, 112]], "Malware: Spymax": [[117, 123]]}, "info": {"id": "cyner2_5class_train_07229", "source": "cyner2_5class_train"}} +{"text": "PluginPhantom implements each element of malicious functionality as a plugin, and utilizes a 
host app to control the plugins.", "spans": {"Malware: PluginPhantom": [[0, 13]], "Malware: malicious functionality": [[41, 64]], "System: plugin,": [[70, 77]], "System: host app": [[93, 101]], "Indicator: control the plugins.": [[105, 125]]}, "info": {"id": "cyner2_5class_train_07230", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.Byterage.8193 Trojan/Downloader.Byterage Trojan.Win32.Byterage.hipq W32/Downloader.HPW Byterage.C TROJ_EXCEPTION.F Trojan-Downloader.Win32.Byterage Trojan.Byterage.A Trojan.Win32.Downloader.8193 Virus.Win32.Part.k TrojWare.Win32.TrojanDownloader.Byterage Trojan.Duho TR/Byterage.Dldr TROJ_EXCEPTION.F TrojanDownloader.Win32.Byterage Trojan/Win32.Byterage Win32.Troj.DownByteage.kcloud W32/Downloader.KOEY-6366 Win-Trojan/Byterage.8193 Malware-Cryptor.InstallCore.1 Win32/TrojanDownloader.Byterage Trojan.DL.Byterage Trojan-Downloader.Win32.Small W32/Dloader.AW!tr Downloader.Byterage", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.Byterage.8193": [[26, 61]], "Indicator: Trojan/Downloader.Byterage": [[62, 88]], "Indicator: Trojan.Win32.Byterage.hipq": [[89, 115]], "Indicator: W32/Downloader.HPW": [[116, 134]], "Indicator: Byterage.C": [[135, 145]], "Indicator: TROJ_EXCEPTION.F": [[146, 162], [332, 348]], "Indicator: Trojan-Downloader.Win32.Byterage": [[163, 195]], "Indicator: Trojan.Byterage.A": [[196, 213]], "Indicator: Trojan.Win32.Downloader.8193": [[214, 242]], "Indicator: Virus.Win32.Part.k": [[243, 261]], "Indicator: TrojWare.Win32.TrojanDownloader.Byterage": [[262, 302]], "Indicator: Trojan.Duho": [[303, 314]], "Indicator: TR/Byterage.Dldr": [[315, 331]], "Indicator: TrojanDownloader.Win32.Byterage": [[349, 380]], "Indicator: Trojan/Win32.Byterage": [[381, 402]], "Indicator: Win32.Troj.DownByteage.kcloud": [[403, 432]], "Indicator: W32/Downloader.KOEY-6366": [[433, 457]], "Indicator: Win-Trojan/Byterage.8193": [[458, 482]], "Indicator: 
Malware-Cryptor.InstallCore.1": [[483, 512]], "Indicator: Win32/TrojanDownloader.Byterage": [[513, 544]], "Indicator: Trojan.DL.Byterage": [[545, 563]], "Indicator: Trojan-Downloader.Win32.Small": [[564, 593]], "Indicator: W32/Dloader.AW!tr": [[594, 611]], "Indicator: Downloader.Byterage": [[612, 631]]}, "info": {"id": "cyner2_5class_train_07231", "source": "cyner2_5class_train"}} +{"text": "In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.", "spans": {"Vulnerability: coding mistake": [[25, 39]], "Malware: backdoor": [[74, 82]]}, "info": {"id": "cyner2_5class_train_07232", "source": "cyner2_5class_train"}} +{"text": "A snapshot of the code that processes each VM opcode and the associate interpreter The presence of a VM and virtualized instruction blocks can be described in simpler terms : Essentially , the creators of FinFisher interposed a layer of dynamic code translation ( the virtual machine ) that makes analysis using regular tools practically impossible .", "spans": {"Malware: snapshot": [[2, 10]], "Malware: FinFisher": [[205, 214]]}, "info": {"id": "cyner2_5class_train_07233", "source": "cyner2_5class_train"}} +{"text": "The gopuram backdoor might be the main implant and the final payload in the attack chain.", "spans": {"Malware: The gopuram": [[0, 11]], "Malware: backdoor": [[12, 20]], "Malware: implant": [[39, 46]], "Malware: final payload": [[55, 68]], "Indicator: the attack chain.": [[72, 89]]}, "info": {"id": "cyner2_5class_train_07234", "source": "cyner2_5class_train"}} +{"text": "We also observed that the threat actors were actively changing their tools, tactics, and procedures TTPs to bypass security solutions.", "spans": {"Malware: tools,": [[69, 75]], "Vulnerability: bypass security solutions.": [[108, 134]]}, "info": {"id": "cyner2_5class_train_07235", "source": "cyner2_5class_train"}} +{"text": "] ee Backend server ftp [ .", "spans": {"Indicator: server ftp [ .": [[13, 
27]]}, "info": {"id": "cyner2_5class_train_07236", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Java.Exploit.CVE-2012-0507.K Exp.JAVA.CVE-2012-0507 Trojan.Inject.GE Exploit.CVE.JS.1533 Exploit.Java.Cve!c Java.Exploit.CVE-2012-0507.K Trojan.Maljava Java/Exploit.CVE-2012-0507.AJ JAVA_EXPLOIT.KRZ Exploit.Java.CVE-2012-0507.gd Exploit.Java.CVE20120507.cqxpdq Java.S.CVE-2012-0507.141383[h] Java.Exploit.CVE-2012-0507.K Java.Exploit.CVE-2012-0507.K Exploit.CVE2012-0507.13 JAVA_EXPLOIT.KRZ BehavesLike.Downloader.cz Exploit.CVE-2012-0507.d JAVA/Adwind.sagg.26 Java.Exploit.CVE-2012-0507.K Exploit.Java.CVE-2012-0507.eg Java.Exploit.Cve-2012-0507.Akpd Exploit.Java.CVE-2012-0507 Java.Exploit.CVE-2012-0507.K Java/Exploit.AZT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Java.Exploit.CVE-2012-0507.K": [[26, 54], [134, 162], [318, 346], [347, 375], [487, 515], [605, 633]], "Indicator: Exp.JAVA.CVE-2012-0507": [[55, 77]], "Indicator: Trojan.Inject.GE": [[78, 94]], "Indicator: Exploit.CVE.JS.1533": [[95, 114]], "Indicator: Exploit.Java.Cve!c": [[115, 133]], "Indicator: Trojan.Maljava": [[163, 177]], "Indicator: Java/Exploit.CVE-2012-0507.AJ": [[178, 207]], "Indicator: JAVA_EXPLOIT.KRZ": [[208, 224], [400, 416]], "Indicator: Exploit.Java.CVE-2012-0507.gd": [[225, 254]], "Indicator: Exploit.Java.CVE20120507.cqxpdq": [[255, 286]], "Indicator: Java.S.CVE-2012-0507.141383[h]": [[287, 317]], "Indicator: Exploit.CVE2012-0507.13": [[376, 399]], "Indicator: BehavesLike.Downloader.cz": [[417, 442]], "Indicator: Exploit.CVE-2012-0507.d": [[443, 466]], "Indicator: JAVA/Adwind.sagg.26": [[467, 486]], "Indicator: Exploit.Java.CVE-2012-0507.eg": [[516, 545]], "Indicator: Java.Exploit.Cve-2012-0507.Akpd": [[546, 577]], "Indicator: Exploit.Java.CVE-2012-0507": [[578, 604]], "Indicator: Java/Exploit.AZT": [[634, 650]]}, "info": {"id": "cyner2_5class_train_07237", "source": "cyner2_5class_train"}} +{"text": "The final stage is an ARMEB version from the LuaBot 
Malware.", "spans": {"Malware: ARMEB version": [[22, 35]], "Malware: LuaBot Malware.": [[45, 60]]}, "info": {"id": "cyner2_5class_train_07238", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.5441 Win32.Trojan.WisdomEyes.16070401.9500.9941 TROJ_INJECT.AUSPTO Trojan.Win32.Phpw.gez Trojan.Win32.Phpw.expttn TROJ_INJECT.AUSPTO BehavesLike.Win32.Trojan.cc Trojan.Win32.Themida W32/Trojan.JODZ-3607 Trojan.Win32.Phpw.gez Backdoor:MSIL/Zqorat.A Trojan/Win32.Phpw.C2403487 TScope.Malware-Cryptor.SB Trj/CI.A Win32.Trojan.Phpw.Ahym", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.5441": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9941": [[44, 86]], "Indicator: TROJ_INJECT.AUSPTO": [[87, 105], [153, 171]], "Indicator: Trojan.Win32.Phpw.gez": [[106, 127], [242, 263]], "Indicator: Trojan.Win32.Phpw.expttn": [[128, 152]], "Indicator: BehavesLike.Win32.Trojan.cc": [[172, 199]], "Indicator: Trojan.Win32.Themida": [[200, 220]], "Indicator: W32/Trojan.JODZ-3607": [[221, 241]], "Indicator: Backdoor:MSIL/Zqorat.A": [[264, 286]], "Indicator: Trojan/Win32.Phpw.C2403487": [[287, 313]], "Indicator: TScope.Malware-Cryptor.SB": [[314, 339]], "Indicator: Trj/CI.A": [[340, 348]], "Indicator: Win32.Trojan.Phpw.Ahym": [[349, 371]]}, "info": {"id": "cyner2_5class_train_07239", "source": "cyner2_5class_train"}} +{"text": "Stage 5 : The final loader takes control The stage 5 malware is needed only to provide one more layer of obfuscation , through the VM , of the final malware payload and to set up a special Structured Exception Hander routine , which is inserted as Wow64PrepareForException in Ntdll .", "spans": {}, "info": {"id": "cyner2_5class_train_07240", "source": "cyner2_5class_train"}} +{"text": "The first example of this is in the onStart function , where the malware looks for the string “ Emulator ” and a x86 processor model .", "spans": {}, "info": {"id": "cyner2_5class_train_07241", "source": "cyner2_5class_train"}} 
+{"text": "In this case , the attackers hacked a Tibetan activist ’ s account and used it to attack Uyghur activists .", "spans": {}, "info": {"id": "cyner2_5class_train_07242", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.VBS.Downloader.ADR JS.Ransom.R VBS/Downldr.HM VBS.Downloader.B Vbs.Downloader.Locky-6348805-0 Trojan.VBS.Downloader.ADR Trojan.VBS.Downloader.ADR Trojan.Script.Vbs-heuristic.druvzi VBS.Downloader.11760 Troj.Downloader.Script!c Trojan.VBS.Downloader.ADR Trojan.VBS.Downloader.ADR VBS.DownLoader.957 VBS/Downloader.ea VBS/Downldr.HM Trojan.VBS.Downloader.ADR VBS/Obfus.S4 VBS/Downloader.ea Js.Trojan.Raas.Auto Trojan-Downloader.JS.Nemucod", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBS.Downloader.ADR": [[26, 51], [127, 152], [153, 178], [260, 285], [286, 311], [364, 389]], "Indicator: JS.Ransom.R": [[52, 63]], "Indicator: VBS/Downldr.HM": [[64, 78], [349, 363]], "Indicator: VBS.Downloader.B": [[79, 95]], "Indicator: Vbs.Downloader.Locky-6348805-0": [[96, 126]], "Indicator: Trojan.Script.Vbs-heuristic.druvzi": [[179, 213]], "Indicator: VBS.Downloader.11760": [[214, 234]], "Indicator: Troj.Downloader.Script!c": [[235, 259]], "Indicator: VBS.DownLoader.957": [[312, 330]], "Indicator: VBS/Downloader.ea": [[331, 348], [403, 420]], "Indicator: VBS/Obfus.S4": [[390, 402]], "Indicator: Js.Trojan.Raas.Auto": [[421, 440]], "Indicator: Trojan-Downloader.JS.Nemucod": [[441, 469]]}, "info": {"id": "cyner2_5class_train_07243", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Malware14 Trojan/W32.Nymaim.478544 Trojan.Win32.Shiz.3!O Trojan.Kryptik.Win32.905858 Trojan.Inject2.25223 Trojan:Win32/Pennelas.A!gfc Trojan/Win32.Silcon.R186780 Trojan.Nymaim!w9Ehxpvgr9U Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware14": [[26, 45]], "Indicator: Trojan/W32.Nymaim.478544": [[46, 70]], "Indicator: Trojan.Win32.Shiz.3!O": [[71, 92]], "Indicator: 
Trojan.Kryptik.Win32.905858": [[93, 120]], "Indicator: Trojan.Inject2.25223": [[121, 141]], "Indicator: Trojan:Win32/Pennelas.A!gfc": [[142, 169]], "Indicator: Trojan/Win32.Silcon.R186780": [[170, 197]], "Indicator: Trojan.Nymaim!w9Ehxpvgr9U": [[198, 223]], "Indicator: Trj/GdSda.A": [[224, 235]]}, "info": {"id": "cyner2_5class_train_07244", "source": "cyner2_5class_train"}} +{"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07245", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Htool.WIP Trojan.Mauvaise.SL1 HackTool.BruteForce Trojan/Hacktool.BruteForce.ze Application.Htool.WIP Win32.Trojan.WisdomEyes.16070401.9500.9930 Win32/Tnega.dRWGBOC HV_BRUTEFORCE_CG153BD9.RDXN Win.Trojan.Bruteforce-13 Application.Htool.WIP Application.Htool.WIP Trojan.Win32.BruteForce.srzyv Application.Htool.WIP Tool.Bruteforce.185 Tool.BruteForce.Win32.254 HackTool.Win32.BruteForce HTool.BruteForce.f SPR/DUBrute.owoan HackTool/Win32.BruteForce HackTool:Win32/DUBrute.A HackTool.BruteForce Trojan/Win32.Bruteforce.R23399 HackTool.BruteForce!jw9TQR6yLS4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Htool.WIP": [[26, 47], [118, 139], [256, 277], [278, 299], [330, 351]], "Indicator: Trojan.Mauvaise.SL1": [[48, 67]], "Indicator: HackTool.BruteForce": [[68, 87], [512, 531]], "Indicator: Trojan/Hacktool.BruteForce.ze": [[88, 117]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9930": [[140, 182]], "Indicator: Win32/Tnega.dRWGBOC": [[183, 202]], "Indicator: HV_BRUTEFORCE_CG153BD9.RDXN": [[203, 230]], "Indicator: Win.Trojan.Bruteforce-13": [[231, 255]], "Indicator: Trojan.Win32.BruteForce.srzyv": [[300, 329]], "Indicator: Tool.Bruteforce.185": [[352, 371]], "Indicator: Tool.BruteForce.Win32.254": [[372, 397]], "Indicator: HackTool.Win32.BruteForce": [[398, 423]], "Indicator: HTool.BruteForce.f": [[424, 442]], "Indicator: SPR/DUBrute.owoan": [[443, 460]], "Indicator: HackTool/Win32.BruteForce": [[461, 486]], 
"Indicator: HackTool:Win32/DUBrute.A": [[487, 511]], "Indicator: Trojan/Win32.Bruteforce.R23399": [[532, 562]], "Indicator: HackTool.BruteForce!jw9TQR6yLS4": [[563, 594]]}, "info": {"id": "cyner2_5class_train_07246", "source": "cyner2_5class_train"}} +{"text": "This is worm-like ransomware based on Petya.", "spans": {"Malware: worm-like ransomware": [[8, 28]], "Malware: Petya.": [[38, 44]]}, "info": {"id": "cyner2_5class_train_07247", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE W32.Francette.M W32.Francette.Worm Heur.Corrupt.PE Backdoor.Win32.RedSpy Worm:Win32/Francette.M.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: W32.Francette.M": [[48, 63]], "Indicator: W32.Francette.Worm": [[64, 82]], "Indicator: Heur.Corrupt.PE": [[83, 98]], "Indicator: Backdoor.Win32.RedSpy": [[99, 120]], "Indicator: Worm:Win32/Francette.M.dam#2": [[121, 149]]}, "info": {"id": "cyner2_5class_train_07248", "source": "cyner2_5class_train"}} +{"text": "IOCS Hashes 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda 1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4 d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2 ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065 Domains cvcws [ .", 
"spans": {"Indicator: 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367": [[12, 76]], "Indicator: e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1": [[77, 141], [142, 206]], "Indicator: e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda": [[207, 271]], "Indicator: 1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4": [[272, 336]], "Indicator: d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7": [[337, 401]], "Indicator: 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810": [[402, 466]], "Indicator: 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2": [[467, 531]], "Indicator: ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83": [[532, 596]], "Indicator: 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a": [[597, 661]], "Indicator: 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e": [[662, 726]], "Indicator: 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f": [[727, 791]], "Indicator: ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66": [[792, 856]], "Indicator: 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065": [[857, 921]], "Indicator: cvcws [ .": [[930, 939]]}, "info": {"id": "cyner2_5class_train_07249", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Emudbot.S15201 Worm.AutoRun.Win32.57341 W32/AutoRun.diqe Win32.Trojan.WisdomEyes.16070401.9500.9953 Win.Worm.Autorun-9966 Worm.AutoRun Trojan.Win32.Emud.reytg Win32.HLLW.EmudBot.12 BehavesLike.Win32.BadFile.kh Worm/AutoRun.agrm W32.Worm.Autorun Worm.Autorun.kcloud Worm:Win32/Emudbot.A Trojan.Graftor.Elzob.D3011 Worm/Win32.AutoRun.C69047 Win32/AutoRun.Delf.MI Worm.AutoRun!NSqws7tLdQs Worm.Win32.Emudbot W32/Autorun.BGT!tr Win32/Trojan.Dropper.65e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Worm.Emudbot.S15201": [[47, 66]], 
"Indicator: Worm.AutoRun.Win32.57341": [[67, 91]], "Indicator: W32/AutoRun.diqe": [[92, 108]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9953": [[109, 151]], "Indicator: Win.Worm.Autorun-9966": [[152, 173]], "Indicator: Worm.AutoRun": [[174, 186]], "Indicator: Trojan.Win32.Emud.reytg": [[187, 210]], "Indicator: Win32.HLLW.EmudBot.12": [[211, 232]], "Indicator: BehavesLike.Win32.BadFile.kh": [[233, 261]], "Indicator: Worm/AutoRun.agrm": [[262, 279]], "Indicator: W32.Worm.Autorun": [[280, 296]], "Indicator: Worm.Autorun.kcloud": [[297, 316]], "Indicator: Worm:Win32/Emudbot.A": [[317, 337]], "Indicator: Trojan.Graftor.Elzob.D3011": [[338, 364]], "Indicator: Worm/Win32.AutoRun.C69047": [[365, 390]], "Indicator: Win32/AutoRun.Delf.MI": [[391, 412]], "Indicator: Worm.AutoRun!NSqws7tLdQs": [[413, 437]], "Indicator: Worm.Win32.Emudbot": [[438, 456]], "Indicator: W32/Autorun.BGT!tr": [[457, 475]], "Indicator: Win32/Trojan.Dropper.65e": [[476, 500]]}, "info": {"id": "cyner2_5class_train_07250", "source": "cyner2_5class_train"}} +{"text": "The software generated 2FA code as it appeared on the device ’ s display ( left ) and as available in the database ( right ) Along with the malicious DEFENSOR ID app , another malicious app named Defensor Digital was discovered .", "spans": {"Malware: Defensor Digital": [[196, 212]]}, "info": {"id": "cyner2_5class_train_07251", "source": "cyner2_5class_train"}} +{"text": "We Kaspersky have already seen some cryptor attacks where malicious programs with different functions have been used in combination.", "spans": {"Organization: Kaspersky": [[3, 12]], "Indicator: cryptor attacks": [[36, 51]], "Malware: malicious programs": [[58, 76]]}, "info": {"id": "cyner2_5class_train_07252", "source": "cyner2_5class_train"}} +{"text": "If the original SMS app has been restored , it will send “ the app returned to its original place. 
” Controlling TrickMo TrickMo ’ s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware ’ s configuration and make it execute certain tasks .", "spans": {"Malware: TrickMo": [[113, 120], [121, 128]]}, "info": {"id": "cyner2_5class_train_07253", "source": "cyner2_5class_train"}} +{"text": "iSIGHT Partners has dubbed the intrusion operators who leverage the CVE-2014-4114 zero-day Sandworm Team. The name was chosen due to unique references to the classic science fiction series Dune, which are characterized by the use of multiple BlackEnergy malware variants.", "spans": {"Organization: iSIGHT Partners": [[0, 15]], "Vulnerability: CVE-2014-4114 zero-day": [[68, 90]], "Malware: BlackEnergy malware variants.": [[242, 271]]}, "info": {"id": "cyner2_5class_train_07254", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Teper Trojan/AutoRun.Delf.lv Trojan.MSIL.Krypt.11 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_INJECTOR_FA250012.UVPM Trojan.Win32.DarkKomet.dkhkpy TrojWare.MSIL.Teper.A Trojan.PWS.Stealer.13025 TROJ_INJECTOR_FA250012.UVPM BehavesLike.Win32.Trojan.dc Backdoor/Androm.dvy TR/Inject.xbbeiet W32/Vobfus.GEP.worm Win32/AutoRun.Delf.LV Win32.Worm.Autorun.Suxp Win32/Trojan.d74", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Teper": [[26, 38]], "Indicator: Trojan/AutoRun.Delf.lv": [[39, 61]], "Indicator: Trojan.MSIL.Krypt.11": [[62, 82]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[83, 125]], "Indicator: TROJ_INJECTOR_FA250012.UVPM": [[126, 153], [231, 258]], "Indicator: Trojan.Win32.DarkKomet.dkhkpy": [[154, 183]], "Indicator: TrojWare.MSIL.Teper.A": [[184, 205]], "Indicator: Trojan.PWS.Stealer.13025": [[206, 230]], "Indicator: BehavesLike.Win32.Trojan.dc": [[259, 286]], "Indicator: Backdoor/Androm.dvy": [[287, 306]], "Indicator: TR/Inject.xbbeiet": [[307, 
324]], "Indicator: W32/Vobfus.GEP.worm": [[325, 344]], "Indicator: Win32/AutoRun.Delf.LV": [[345, 366]], "Indicator: Win32.Worm.Autorun.Suxp": [[367, 390]], "Indicator: Win32/Trojan.d74": [[391, 407]]}, "info": {"id": "cyner2_5class_train_07255", "source": "cyner2_5class_train"}} +{"text": "Note that inside this single response , there is one “ install_true ” command , one “ sms_grab ” command and four “ sms_send ” commands .", "spans": {}, "info": {"id": "cyner2_5class_train_07256", "source": "cyner2_5class_train"}} +{"text": "The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary , in-house apps to their employees without needing to use the iOS App Store .", "spans": {"Organization: Apple Developer Enterprise": [[4, 30]], "System: iOS": [[162, 165]], "System: App Store": [[166, 175]]}, "info": {"id": "cyner2_5class_train_07257", "source": "cyner2_5class_train"}} +{"text": "They are using the RockLoader malware to download Bart over HTTPS.", "spans": {"Malware: RockLoader malware": [[19, 37]], "Malware: Bart": [[50, 54]], "Indicator: HTTPS.": [[60, 66]]}, "info": {"id": "cyner2_5class_train_07258", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Trojan.WisdomEyes.16070401.9500.9996 W32.SillyFDC Win32/Auraax.W Win.Trojan.Zbot-1219 Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Trojan.DownLoad.5092 Worm.AutoRun.Win32.24333 Backdoor.W32.Bifrose.kZn8 Win32/AutoRun.YM Trojan-Spy.Win32.Zbot W32/Autorun.MFA!worm Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.Autorun.MK": [[26, 47], [48, 69], [70, 91], [184, 205], [206, 227], [228, 249], [250, 271]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[92, 134]], "Indicator: W32.SillyFDC": [[135, 147]], "Indicator: Win32/Auraax.W": [[148, 162]], "Indicator: Win.Trojan.Zbot-1219": [[163, 183]], "Indicator: 
Trojan.DownLoad.5092": [[272, 292]], "Indicator: Worm.AutoRun.Win32.24333": [[293, 317]], "Indicator: Backdoor.W32.Bifrose.kZn8": [[318, 343]], "Indicator: Win32/AutoRun.YM": [[344, 360]], "Indicator: Trojan-Spy.Win32.Zbot": [[361, 382]], "Indicator: W32/Autorun.MFA!worm": [[383, 403]], "Indicator: Trj/CI.A": [[404, 412]]}, "info": {"id": "cyner2_5class_train_07259", "source": "cyner2_5class_train"}} +{"text": "The threat posed by custom malware such as Dripion illustrates the value of multilayered security.", "spans": {"Malware: threat": [[4, 10]], "Malware: custom malware": [[20, 34]], "Malware: Dripion": [[43, 50]]}, "info": {"id": "cyner2_5class_train_07260", "source": "cyner2_5class_train"}} +{"text": "However, it doesn't stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer.", "spans": {"Malware: RAA": [[49, 52]], "Malware: Pony Trojan file,": [[68, 85]], "Indicator: steals confidential information": [[92, 123]], "System: the infected computer.": [[129, 151]]}, "info": {"id": "cyner2_5class_train_07261", "source": "cyner2_5class_train"}} +{"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices .", "spans": {"Organization: Huawei": [[107, 113]]}, "info": {"id": "cyner2_5class_train_07262", "source": "cyner2_5class_train"}} +{"text": "The attack was initially thought to be attributed to North Korea, by way of a Chinese IP found during the attack, but no other strong evidence of North Korea's involvement has been produced since then.", "spans": {"Indicator: attack": [[4, 10]], "Indicator: Chinese IP": [[78, 88]], "Indicator: attack,": [[106, 113]]}, "info": {"id": "cyner2_5class_train_07263", "source": "cyner2_5class_train"}} +{"text": "After the modules are installed they are deployed to the short term memory and deleted from the device storage , which makes the Trojan a lot harder to catch .", "spans": {}, 
"info": {"id": "cyner2_5class_train_07264", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PPDropper.F PPT97/PPDropper.C TROJ_PPDROPPER.L TROJ_PPDROPPER.L Exploit-PPT.d Exploit:Win32/Nappto.A Exploit-PPT.d PP97M/TrojanDropper.PPDrop.F Trojan-Dropper.PP97M.Ppdrop Exploit/PPT.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PPDropper.F": [[26, 44]], "Indicator: PPT97/PPDropper.C": [[45, 62]], "Indicator: TROJ_PPDROPPER.L": [[63, 79], [80, 96]], "Indicator: Exploit-PPT.d": [[97, 110], [134, 147]], "Indicator: Exploit:Win32/Nappto.A": [[111, 133]], "Indicator: PP97M/TrojanDropper.PPDrop.F": [[148, 176]], "Indicator: Trojan-Dropper.PP97M.Ppdrop": [[177, 204]], "Indicator: Exploit/PPT.A": [[205, 218]]}, "info": {"id": "cyner2_5class_train_07265", "source": "cyner2_5class_train"}} +{"text": "Nevertheless , users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router ’ s security gaps .", "spans": {}, "info": {"id": "cyner2_5class_train_07266", "source": "cyner2_5class_train"}} +{"text": "This is the same behaviour we have been seeing with the recent UPS failed to deliver nemucod ransomware versions", "spans": {"Malware: nemucod ransomware versions": [[85, 112]]}, "info": {"id": "cyner2_5class_train_07267", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Ryzerlo.S4 Trojan.Ransom.HiddenTear Trojan.Ransom.HiddenTears.1 Win32.Trojan.WisdomEyes.16070401.9500.9717 Ransom.HiddenTear!g1 Ransom_CRYPTEAR.SMI1 Trojan.Win32.Encoder.ewzwkj Trojan.Win32.Z.Ransom.174592.P Trojan.Encoder.10598 Ransom_CRYPTEAR.SMI1 Trojan-Ransom.HiddenTear W32/Ransom.EJHW-4383 TR/Downloader.fuswg Ransom:MSIL/Flyterper.A Trj/GdSda.A Win32/Trojan.Ransom.786", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Ryzerlo.S4": [[26, 43]], "Indicator: Trojan.Ransom.HiddenTear": [[44, 68]], "Indicator: Trojan.Ransom.HiddenTears.1": [[69, 96]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9717": [[97, 139]], "Indicator: Ransom.HiddenTear!g1": [[140, 160]], "Indicator: Ransom_CRYPTEAR.SMI1": [[161, 181], [262, 282]], "Indicator: Trojan.Win32.Encoder.ewzwkj": [[182, 209]], "Indicator: Trojan.Win32.Z.Ransom.174592.P": [[210, 240]], "Indicator: Trojan.Encoder.10598": [[241, 261]], "Indicator: Trojan-Ransom.HiddenTear": [[283, 307]], "Indicator: W32/Ransom.EJHW-4383": [[308, 328]], "Indicator: TR/Downloader.fuswg": [[329, 348]], "Indicator: Ransom:MSIL/Flyterper.A": [[349, 372]], "Indicator: Trj/GdSda.A": [[373, 384]], "Indicator: Win32/Trojan.Ransom.786": [[385, 408]]}, "info": {"id": "cyner2_5class_train_07268", "source": "cyner2_5class_train"}} +{"text": "“ Agent Smith ” itself , though , seems to target mainly India users .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_5class_train_07269", "source": "cyner2_5class_train"}} +{"text": "Although this malware 's credential-harvest mechanism is not particularly sophisticated , it does have an advanced self-preservation mechanism .", "spans": {}, "info": {"id": "cyner2_5class_train_07270", "source": "cyner2_5class_train"}} +{"text": "Several indicators inside the samples we have analysed point to a new major version of the malware.", "spans": {"Indicator: indicators": [[8, 18]], "Malware: samples": [[30, 37]], "Malware: malware.": [[91, 99]]}, "info": {"id": "cyner2_5class_train_07271", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DroppenAS.Trojan Worm.Nohad.A9 Trojan/AutoRun.Delf.qi Win32.Worm.Delf.bw W32/Trojan.KDXB-0268 Win32/Tnega.AUMK WORM_SOHANAD.SM0 Win32.Worm.Autorun.T Trojan.Win32.Special.dtabba Trojan.Fakealert.51818 WORM_SOHANAD.SM0 W32/Trojan2.OEMC TR/Dropper.pjrqu Trojan.Zusy.D18D1A HEUR/Fakon.mwf Win32/AutoRun.Delf.QI W32/AutoRun.QIAU!tr VBS/Jenxcus.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DroppenAS.Trojan": [[26, 46]], "Indicator: Worm.Nohad.A9": [[47, 60]], "Indicator: 
Trojan/AutoRun.Delf.qi": [[61, 83]], "Indicator: Win32.Worm.Delf.bw": [[84, 102]], "Indicator: W32/Trojan.KDXB-0268": [[103, 123]], "Indicator: Win32/Tnega.AUMK": [[124, 140]], "Indicator: WORM_SOHANAD.SM0": [[141, 157], [230, 246]], "Indicator: Win32.Worm.Autorun.T": [[158, 178]], "Indicator: Trojan.Win32.Special.dtabba": [[179, 206]], "Indicator: Trojan.Fakealert.51818": [[207, 229]], "Indicator: W32/Trojan2.OEMC": [[247, 263]], "Indicator: TR/Dropper.pjrqu": [[264, 280]], "Indicator: Trojan.Zusy.D18D1A": [[281, 299]], "Indicator: HEUR/Fakon.mwf": [[300, 314]], "Indicator: Win32/AutoRun.Delf.QI": [[315, 336]], "Indicator: W32/AutoRun.QIAU!tr": [[337, 356]], "Indicator: VBS/Jenxcus.A": [[357, 370]]}, "info": {"id": "cyner2_5class_train_07272", "source": "cyner2_5class_train"}} +{"text": "We identified over two hundred samples of malware generated by the group over the last two years.", "spans": {"Malware: malware": [[42, 49]]}, "info": {"id": "cyner2_5class_train_07273", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/AutoRun.bhyp Trojan.Heur.E5CD44 Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/MalwareF.IWEH Win.Spyware.76175-2 Trojan.Win32.FrusEfas.iumlo Worm.Win32.Autorun.2101887 Trojan.MulDrop1.52015 BehavesLike.Win32.BadFile.vc W32/Risk.GYGM-4699 TrojanClicker.FrusEfas.a Trojan:Win32/Tofe.A Worm.AutoRun Trojan-GameThief.Win32.Magania", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/AutoRun.bhyp": [[26, 42]], "Indicator: Trojan.Heur.E5CD44": [[43, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[62, 104]], "Indicator: W32/MalwareF.IWEH": [[105, 122]], "Indicator: Win.Spyware.76175-2": [[123, 142]], "Indicator: Trojan.Win32.FrusEfas.iumlo": [[143, 170]], "Indicator: Worm.Win32.Autorun.2101887": [[171, 197]], "Indicator: Trojan.MulDrop1.52015": [[198, 219]], "Indicator: BehavesLike.Win32.BadFile.vc": [[220, 248]], "Indicator: W32/Risk.GYGM-4699": [[249, 267]], "Indicator: TrojanClicker.FrusEfas.a": [[268, 
292]], "Indicator: Trojan:Win32/Tofe.A": [[293, 312]], "Indicator: Worm.AutoRun": [[313, 325]], "Indicator: Trojan-GameThief.Win32.Magania": [[326, 356]]}, "info": {"id": "cyner2_5class_train_07274", "source": "cyner2_5class_train"}} +{"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name “ DroidVPN ” and the same iconography used when displaying the app in Android ’ s launcher view , as highlighted in Figure 2 below Table 1 .", "spans": {"Indicator: DroidVPN": [[115, 123]], "System: DroidVPN": [[157, 165]], "System: Android": [[225, 232]]}, "info": {"id": "cyner2_5class_train_07275", "source": "cyner2_5class_train"}} +{"text": "To that end, I have been working on automating ways to help ASERT better understand the context around samples so we can answer question about what may have been targeted, why it was targeted and when it was targeted.", "spans": {}, "info": {"id": "cyner2_5class_train_07276", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Simda.A Trojan.Beaugrit.S714409 Backdoor.Simda.A Trojan.Shiz.Win32.341 Trojan/Spy.Shiz.ncd Win32.Trojan-Spy.Shiz.b Backdoor.Trojan TROJ_BEAUGRIT_GC3101D5.UVPM Backdoor.Simda.A Backdoor.Simda.A TrojWare.Win32.Spy.Shiz.AB Backdoor.Simda.A Trojan.PWS.Ibank.300 TROJ_BEAUGRIT_GC3101D5.UVPM BehavesLike.Win32.Backdoor.jh Backdoor.Win32.Simda Backdoor.Simda.A Backdoor.Simda.A Backdoor.Simda TrojanSpy.Shiz!u9u05UapnAM W32/Shiz.NBX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Simda.A": [[26, 42], [67, 83], [194, 210], [211, 227], [255, 271], [372, 388], [389, 405]], "Indicator: Trojan.Beaugrit.S714409": [[43, 66]], "Indicator: Trojan.Shiz.Win32.341": [[84, 105]], "Indicator: Trojan/Spy.Shiz.ncd": [[106, 125]], "Indicator: Win32.Trojan-Spy.Shiz.b": [[126, 149]], "Indicator: Backdoor.Trojan": [[150, 165]], "Indicator: TROJ_BEAUGRIT_GC3101D5.UVPM": [[166, 193], [293, 
320]], "Indicator: TrojWare.Win32.Spy.Shiz.AB": [[228, 254]], "Indicator: Trojan.PWS.Ibank.300": [[272, 292]], "Indicator: BehavesLike.Win32.Backdoor.jh": [[321, 350]], "Indicator: Backdoor.Win32.Simda": [[351, 371]], "Indicator: Backdoor.Simda": [[406, 420]], "Indicator: TrojanSpy.Shiz!u9u05UapnAM": [[421, 447]], "Indicator: W32/Shiz.NBX!tr": [[448, 463]]}, "info": {"id": "cyner2_5class_train_07277", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.AutorunSevLnr.Worm Worm.AutoRun.Win32.27239 WORM_VERST.SM Win32.Worm.AutoRun.fp W32/Trojan2.OAQT WORM_VERST.SM Trojan.Win32.AutoRun.bxdzl W32.Virut.mDxm BackDoor.Pushnik.16 BehavesLike.Win32.Autorun.jc W32/Trojan.ORVC-8944 Worm/AutoRun.zqc W32.Worm.Lj Worm:Win32/Verst.A Trojan.Rimecud.2 Worm.Win32.A.P2P-Palevo.649216 HEUR/Fakon.mwf W32/Autorun.worm.bcf Worm.AutoRun Trojan.Dropper Win32/AutoRun.Delf.DK Trojan.Kryptik!Od8vCev28v4 Trojan.Win32.DNSChanger Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AutorunSevLnr.Worm": [[26, 48]], "Indicator: Worm.AutoRun.Win32.27239": [[49, 73]], "Indicator: WORM_VERST.SM": [[74, 87], [127, 140]], "Indicator: Win32.Worm.AutoRun.fp": [[88, 109]], "Indicator: W32/Trojan2.OAQT": [[110, 126]], "Indicator: Trojan.Win32.AutoRun.bxdzl": [[141, 167]], "Indicator: W32.Virut.mDxm": [[168, 182]], "Indicator: BackDoor.Pushnik.16": [[183, 202]], "Indicator: BehavesLike.Win32.Autorun.jc": [[203, 231]], "Indicator: W32/Trojan.ORVC-8944": [[232, 252]], "Indicator: Worm/AutoRun.zqc": [[253, 269]], "Indicator: W32.Worm.Lj": [[270, 281]], "Indicator: Worm:Win32/Verst.A": [[282, 300]], "Indicator: Trojan.Rimecud.2": [[301, 317]], "Indicator: Worm.Win32.A.P2P-Palevo.649216": [[318, 348]], "Indicator: HEUR/Fakon.mwf": [[349, 363]], "Indicator: W32/Autorun.worm.bcf": [[364, 384]], "Indicator: Worm.AutoRun": [[385, 397]], "Indicator: Trojan.Dropper": [[398, 412]], "Indicator: Win32/AutoRun.Delf.DK": [[413, 434]], "Indicator: Trojan.Kryptik!Od8vCev28v4": [[435, 
461]], "Indicator: Trojan.Win32.DNSChanger": [[462, 485]], "Indicator: Trj/CI.A": [[486, 494]]}, "info": {"id": "cyner2_5class_train_07278", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.FakeTool.eqvbgr Trojan.Strictor.D13D9C Riskware.HackTool!mJNDS6pSVDk HackTool.Win32.FakeHack", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.FakeTool.eqvbgr": [[26, 54]], "Indicator: Trojan.Strictor.D13D9C": [[55, 77]], "Indicator: Riskware.HackTool!mJNDS6pSVDk": [[78, 107]], "Indicator: HackTool.Win32.FakeHack": [[108, 131]]}, "info": {"id": "cyner2_5class_train_07279", "source": "cyner2_5class_train"}} +{"text": "Stolen data is stored in external storage under the /DCIM/ directory with a hidden sub-directory named \" .dat '' .", "spans": {}, "info": {"id": "cyner2_5class_train_07280", "source": "cyner2_5class_train"}} +{"text": "In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active.", "spans": {"Organization: Trend Micro": [[16, 27]], "Organization: ClearSky": [[32, 40]]}, "info": {"id": "cyner2_5class_train_07281", "source": "cyner2_5class_train"}} +{"text": "the first of a new wave of malspam.", "spans": {}, "info": {"id": "cyner2_5class_train_07282", "source": "cyner2_5class_train"}} +{"text": "It ’ s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ .", "spans": {"System: DroidVPN": [[44, 52]], "System: Google Play": [[74, 85]], "Indicator: uyghurapps [ .": [[159, 173]]}, "info": {"id": "cyner2_5class_train_07283", "source": "cyner2_5class_train"}} +{"text": "MacSpy is advertised as the most sophisticated Mac spyware ever with the low starting price of free.", "spans": {"Malware: MacSpy": [[0, 6]], "Malware: Mac spyware": [[47, 58]]}, "info": {"id": "cyner2_5class_train_07284", "source": "cyner2_5class_train"}} +{"text": "However, 
they do deploy some novel tactics, detailed below, and the implications of these attacks could be significant.", "spans": {}, "info": {"id": "cyner2_5class_train_07285", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.RsRabND.Worm Trojan.Ransom.BUY Trojan.Ransom.BUY Ransom.BadRabbit Win32.Trojan.Ransom.b Ransom_BADRABBIT.SM Win.Ransomware.BadRabbit-6355462-2 Trojan.Ransom.BUY Trojan-Ransom.Win32.BadRabbit.e Trojan.Ransom.BUY Trojan.Win32.BadRabbit.euhxbd Trojan.Win32.Ransom.441899 Trojan.Ransom.BUY Trojan.BadRabbit.2 Ransom_BADRABBIT.SM BehavesLike.Win32.Malware.gc Trojan.Win32.Diskcoder Trojan.BadRabbit.d TR/Dropper.uobxc Trojan.Ransom.BUY Trojan-Ransom.Win32.BadRabbit.e Trojan/Win32.Diskcoder.R211512 Trojan-Ransom.BadRabbit Trj/CI.A Trojan.Badrabbit Win32/Diskcoder.D Trojan.Diskcoder! ransom.BadRabbit Win32/Trojan.RansomBadRabbit.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.RsRabND.Worm": [[26, 42]], "Indicator: Trojan.Ransom.BUY": [[43, 60], [61, 78], [173, 190], [223, 240], [298, 315], [443, 460]], "Indicator: Ransom.BadRabbit": [[79, 95]], "Indicator: Win32.Trojan.Ransom.b": [[96, 117]], "Indicator: Ransom_BADRABBIT.SM": [[118, 137], [335, 354]], "Indicator: Win.Ransomware.BadRabbit-6355462-2": [[138, 172]], "Indicator: Trojan-Ransom.Win32.BadRabbit.e": [[191, 222], [461, 492]], "Indicator: Trojan.Win32.BadRabbit.euhxbd": [[241, 270]], "Indicator: Trojan.Win32.Ransom.441899": [[271, 297]], "Indicator: Trojan.BadRabbit.2": [[316, 334]], "Indicator: BehavesLike.Win32.Malware.gc": [[355, 383]], "Indicator: Trojan.Win32.Diskcoder": [[384, 406]], "Indicator: Trojan.BadRabbit.d": [[407, 425]], "Indicator: TR/Dropper.uobxc": [[426, 442]], "Indicator: Trojan/Win32.Diskcoder.R211512": [[493, 523]], "Indicator: Trojan-Ransom.BadRabbit": [[524, 547]], "Indicator: Trj/CI.A": [[548, 556]], "Indicator: Trojan.Badrabbit": [[557, 573]], "Indicator: Win32/Diskcoder.D": [[574, 591]], "Indicator: Trojan.Diskcoder!": [[592, 609]], 
"Indicator: ransom.BadRabbit": [[610, 626]], "Indicator: Win32/Trojan.RansomBadRabbit.E": [[627, 657]]}, "info": {"id": "cyner2_5class_train_07286", "source": "cyner2_5class_train"}} +{"text": "We actually track samples of Winnti malware all the time, but so far we haven't been able to catch one with solid clues indicating other targeted industries.", "spans": {"Malware: Winnti malware": [[29, 43]]}, "info": {"id": "cyner2_5class_train_07287", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TR/Drop.Hirin.B PWS:MSIL/Parple.B PWS.MSIL Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/Drop.Hirin.B": [[26, 41]], "Indicator: PWS:MSIL/Parple.B": [[42, 59]], "Indicator: PWS.MSIL": [[60, 68]], "Indicator: Trj/CI.A": [[69, 77]]}, "info": {"id": "cyner2_5class_train_07288", "source": "cyner2_5class_train"}} +{"text": "Google's Threat Analysis Group TAG recently discovered usage of an unpatched security bypass in Microsoft's SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings.", "spans": {"Organization: Google's Threat Analysis Group TAG": [[0, 34]], "Vulnerability: unpatched security bypass": [[67, 92]], "System: Microsoft's SmartScreen security feature,": [[96, 137]], "Malware: the Magniber ransomware": [[194, 217]]}, "info": {"id": "cyner2_5class_train_07289", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Gamehack Trojan.Packed.Win32.57174 Win32.Packed.VMProtect.a HT_GAMEHACK_GH01014A.UVPM HT_GAMEHACK_GH01014A.UVPM Trojan.VMProtect!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Gamehack": [[26, 43]], "Indicator: Trojan.Packed.Win32.57174": [[44, 69]], "Indicator: Win32.Packed.VMProtect.a": [[70, 94]], "Indicator: HT_GAMEHACK_GH01014A.UVPM": [[95, 120], [121, 146]], "Indicator: Trojan.VMProtect!": [[147, 164]]}, "info": {"id": "cyner2_5class_train_07290", "source": "cyner2_5class_train"}} 
+{"text": "Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis.", "spans": {}, "info": {"id": "cyner2_5class_train_07291", "source": "cyner2_5class_train"}} +{"text": "The InterceptCall receiver is triggered whenever there is an incoming or outgoing call .", "spans": {}, "info": {"id": "cyner2_5class_train_07292", "source": "cyner2_5class_train"}} +{"text": "Given its age, it might seem logical that security controls would have this threat on lockdown.", "spans": {}, "info": {"id": "cyner2_5class_train_07293", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Clicker!BT Win32.Trojan.Wowlik.a W32/Trojan.AKEF-2737 Trojan.Win32.Graftor.espyif Win32.Trojan.Graftor.Llrb TrojWare.Win32.Wowlik.BE Trojan.DownLoader11.55853 Trojan.Graftor.D26FB7 TrojanClicker:Win32/Spackit.A Trojan.Win32.Clicker!BT Trj/CI.A Win32/Trojan.55a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Clicker!BT": [[26, 49], [250, 273]], "Indicator: Win32.Trojan.Wowlik.a": [[50, 71]], "Indicator: W32/Trojan.AKEF-2737": [[72, 92]], "Indicator: Trojan.Win32.Graftor.espyif": [[93, 120]], "Indicator: Win32.Trojan.Graftor.Llrb": [[121, 146]], "Indicator: TrojWare.Win32.Wowlik.BE": [[147, 171]], "Indicator: Trojan.DownLoader11.55853": [[172, 197]], "Indicator: Trojan.Graftor.D26FB7": [[198, 219]], "Indicator: TrojanClicker:Win32/Spackit.A": [[220, 249]], "Indicator: Trj/CI.A": [[274, 282]], "Indicator: Win32/Trojan.55a": [[283, 299]]}, "info": {"id": "cyner2_5class_train_07294", "source": "cyner2_5class_train"}} +{"text": "By proxying all requests through a custom server , the real source of ads is opaque .", "spans": {}, "info": {"id": "cyner2_5class_train_07295", "source": "cyner2_5class_train"}} +{"text": "What's particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing 
operation.", "spans": {"Malware: malware": [[44, 51]]}, "info": {"id": "cyner2_5class_train_07296", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97m.Downloader.EMU W97M.Downloader.MF W97M/Dropper.cp Troj.Dropper.Msword!c Trojan.Mdropper W2KM_DROPPR.CSYH W97m.Downloader.EMU W97m.Downloader.EMU W97m.Downloader.EMU Trojan:W97M/Nastjencro.A W97M.MulDrop.142 W2KM_DROPPR.CSYH W97M/Dropper.cp W97m.Downloader.EMU W97m.Downloader.EMU OLE.Win32.Macro.700400 virus.office.obfuscated.5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97m.Downloader.EMU": [[26, 45], [136, 155], [156, 175], [176, 195], [271, 290], [291, 310]], "Indicator: W97M.Downloader.MF": [[46, 64]], "Indicator: W97M/Dropper.cp": [[65, 80], [255, 270]], "Indicator: Troj.Dropper.Msword!c": [[81, 102]], "Indicator: Trojan.Mdropper": [[103, 118]], "Indicator: W2KM_DROPPR.CSYH": [[119, 135], [238, 254]], "Indicator: Trojan:W97M/Nastjencro.A": [[196, 220]], "Indicator: W97M.MulDrop.142": [[221, 237]], "Indicator: OLE.Win32.Macro.700400": [[311, 333]], "Indicator: virus.office.obfuscated.5": [[334, 359]]}, "info": {"id": "cyner2_5class_train_07297", "source": "cyner2_5class_train"}} +{"text": "The choice of a particular payload is determined by the implant ’ s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command .", "spans": {}, "info": {"id": "cyner2_5class_train_07298", "source": "cyner2_5class_train"}} +{"text": "The version number was bumped to 1.6.2a.", "spans": {}, "info": {"id": "cyner2_5class_train_07299", "source": "cyner2_5class_train"}} +{"text": "Seeing that the developer did not take any measures to protect his identity , it seems likely that his intentions weren ’ t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads .", "spans": {}, "info": {"id": "cyner2_5class_train_07300", "source": "cyner2_5class_train"}} 
+{"text": "The core malware ’ s icon is hidden .", "spans": {}, "info": {"id": "cyner2_5class_train_07301", "source": "cyner2_5class_train"}} +{"text": "Our research points to centralized planning and development by one or more advanced persistent threat APT actors.", "spans": {}, "info": {"id": "cyner2_5class_train_07302", "source": "cyner2_5class_train"}} +{"text": "SpyNote RAT was designed to function only over Wi-Fi , which is the preferable mode for Android malware to send files to C & C .", "spans": {"Malware: SpyNote RAT": [[0, 11]], "System: Android": [[88, 95]]}, "info": {"id": "cyner2_5class_train_07303", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32/Virut.AM Win32/Virut.17408 PE_VIRUX.R Win32.Virus.Virut.U Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.lqR9 Win32.Virut.56 Virus.Virut.Win32.1938 PE_VIRUX.R BehavesLike.Win32.VBObfus.dc W32/Virut.AM Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 Virus.Win32.Virut.ce Win32/Virut.F Win32/Virut.NBP W32/Virut.CE Virus.Virut.14 W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: W32/Virut.AM": [[73, 85], [272, 284]], "Indicator: Win32/Virut.17408": [[86, 103]], "Indicator: PE_VIRUX.R": [[104, 114], [232, 242]], "Indicator: Win32.Virus.Virut.U": [[115, 134]], "Indicator: Virus.Win32.Virut.ce": [[135, 155], [343, 363]], "Indicator: Virus.Win32.Virut.hpeg": [[156, 178]], "Indicator: W32.Virut.lqR9": [[179, 193]], "Indicator: Win32.Virut.56": [[194, 208]], "Indicator: Virus.Virut.Win32.1938": [[209, 231]], "Indicator: BehavesLike.Win32.VBObfus.dc": [[243, 271]], "Indicator: Win32/Virut.bt": [[285, 299]], "Indicator: Virus/Win32.Virut.ce": [[300, 320]], "Indicator: Win32.Virut.dd.368640": [[321, 342]], "Indicator: Win32/Virut.F": [[364, 377]], 
"Indicator: Win32/Virut.NBP": [[378, 393]], "Indicator: W32/Virut.CE": [[394, 406]], "Indicator: Virus.Virut.14": [[407, 421]], "Indicator: W32/Sality.AO": [[422, 435]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[436, 466]]}, "info": {"id": "cyner2_5class_train_07304", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.LionumD.Trojan Trojan.Injector.AF Trojan-Spy.Win32.Zbot!O Trojan.CoinMiner.Win32.82 Trojan.Injector.AF Trojan.Win32.Delf.bkqgta Trojan.Injector.AF Trojan.DownLoader7.62911 Trojan/Win32.Miner TrojanDownloader:Win32/Hoptto.B Trojan.Injector.AF Trojan.Injector.AF Trojan.Injector.AF Virus.Win32.DelfInject", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.LionumD.Trojan": [[26, 44]], "Indicator: Trojan.Injector.AF": [[45, 63], [114, 132], [158, 176], [253, 271], [272, 290], [291, 309]], "Indicator: Trojan-Spy.Win32.Zbot!O": [[64, 87]], "Indicator: Trojan.CoinMiner.Win32.82": [[88, 113]], "Indicator: Trojan.Win32.Delf.bkqgta": [[133, 157]], "Indicator: Trojan.DownLoader7.62911": [[177, 201]], "Indicator: Trojan/Win32.Miner": [[202, 220]], "Indicator: TrojanDownloader:Win32/Hoptto.B": [[221, 252]], "Indicator: Virus.Win32.DelfInject": [[310, 332]]}, "info": {"id": "cyner2_5class_train_07305", "source": "cyner2_5class_train"}} +{"text": "Research reports on the adversary are published from LAC SecureWorks and Palo Alto Networks", "spans": {"Organization: Research": [[0, 8]], "Organization: LAC": [[53, 56]], "Organization: SecureWorks": [[57, 68]], "Organization: Palo Alto Networks": [[73, 91]]}, "info": {"id": "cyner2_5class_train_07306", "source": "cyner2_5class_train"}} +{"text": "The malware has all the popular capabilities of modern spyware .", "spans": {}, "info": {"id": "cyner2_5class_train_07307", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.50FA Trojan.Win32.Pakes.miu Trojan.Symmi.D62C5 Trojan.Win32.Bepiv TR/Drop.RKit.CM Backdoor:WinNT/Tofsee.A.dr", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: HW32.Packed.50FA": [[26, 42]], "Indicator: Trojan.Win32.Pakes.miu": [[43, 65]], "Indicator: Trojan.Symmi.D62C5": [[66, 84]], "Indicator: Trojan.Win32.Bepiv": [[85, 103]], "Indicator: TR/Drop.RKit.CM": [[104, 119]], "Indicator: Backdoor:WinNT/Tofsee.A.dr": [[120, 146]]}, "info": {"id": "cyner2_5class_train_07308", "source": "cyner2_5class_train"}} +{"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ? It abuses accessibility services .", "spans": {"System: Android": [[18, 25]], "Malware: TrickMo": [[45, 52]]}, "info": {"id": "cyner2_5class_train_07309", "source": "cyner2_5class_train"}} +{"text": "The description in Portuguese promises more protection for the user ’ s applications , including end-to-end encryption .", "spans": {}, "info": {"id": "cyner2_5class_train_07310", "source": "cyner2_5class_train"}} +{"text": "A recent research by Check Point Research shows how voice phishing can be used to infiltrate the South Korean banking sector and extract private data from the victim's mobile device, and how to prevent it.", "spans": {"Organization: Check Point Research": [[21, 41]], "Organization: the South Korean banking sector": [[93, 124]], "System: the victim's mobile device,": [[155, 182]]}, "info": {"id": "cyner2_5class_train_07311", "source": "cyner2_5class_train"}} +{"text": "Following is the HTTP response from the C2 server , containing the encrypted configuration : EventBot Encrypted HTTP response returned from the C2 Encrypted HTTP response returned from the C2 .", "spans": {"Malware: EventBot": [[93, 101]]}, "info": {"id": "cyner2_5class_train_07312", "source": "cyner2_5class_train"}} +{"text": "In addition , the malware can log in to the attacker ’ s email inbox , parse emails in a special folder for commands and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner2_5class_train_07313", "source": "cyner2_5class_train"}} +{"text": "The 
malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed.", "spans": {"Malware: malware": [[4, 11]], "Vulnerability: 24 potential security products that": [[57, 92]], "System: system": [[113, 119]], "Indicator: customizes its installation mechanism": [[124, 161]]}, "info": {"id": "cyner2_5class_train_07314", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.PWS.ZIY Trojan-PSW.Win32.Tepfer!O Trojan.Fareit.S467850 Trojan.Tepfer.Win32.85789 Trojan/Fareit.a Trojan.PWS.ZIY Win32.Trojan-PSW.Fareit.a Win32/PSW.Fareit.A BKDR_PONY.SM Win.Trojan.Fareit-403 Trojan.PWS.ZIY Trojan.Win32.Tepfer.dnnwuu Trojan.PWS.ZIY TrojWare.Win32.PWS.Fareit.GS Trojan.PWS.ZIY Trojan.PWS.Stealer.1932 BKDR_PONY.SM BehavesLike.Win32.ZBot.nh W32.Tepfer TR/PSW.Fareit.iloen Trojan[PSW]/Win32.Tepfer Trojan.Win32.PSW-Tepfer.92672 Trojan/Win32.Tepfer.R50650 Trojan.PWS.ZIY BScope.Malware-Cryptor.Ponik Spyware.Pony Trj/Tepfer.D Trojan.Fareit Win32.Outbreak Win32.Trojan-Stealer.Zbot.AB Win32/Trojan.PSW.5cd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.ZIY": [[26, 40], [131, 145], [226, 240], [268, 282], [312, 326], [503, 517]], "Indicator: Trojan-PSW.Win32.Tepfer!O": [[41, 66]], "Indicator: Trojan.Fareit.S467850": [[67, 88]], "Indicator: Trojan.Tepfer.Win32.85789": [[89, 114]], "Indicator: Trojan/Fareit.a": [[115, 130]], "Indicator: Win32.Trojan-PSW.Fareit.a": [[146, 171]], "Indicator: Win32/PSW.Fareit.A": [[172, 190]], "Indicator: BKDR_PONY.SM": [[191, 203], [351, 363]], "Indicator: Win.Trojan.Fareit-403": [[204, 225]], "Indicator: Trojan.Win32.Tepfer.dnnwuu": [[241, 267]], "Indicator: TrojWare.Win32.PWS.Fareit.GS": [[283, 311]], "Indicator: Trojan.PWS.Stealer.1932": [[327, 350]], "Indicator: BehavesLike.Win32.ZBot.nh": [[364, 389]], "Indicator: W32.Tepfer": [[390, 400]], "Indicator: TR/PSW.Fareit.iloen": [[401, 
420]], "Indicator: Trojan[PSW]/Win32.Tepfer": [[421, 445]], "Indicator: Trojan.Win32.PSW-Tepfer.92672": [[446, 475]], "Indicator: Trojan/Win32.Tepfer.R50650": [[476, 502]], "Indicator: BScope.Malware-Cryptor.Ponik": [[518, 546]], "Indicator: Spyware.Pony": [[547, 559]], "Indicator: Trj/Tepfer.D": [[560, 572]], "Indicator: Trojan.Fareit": [[573, 586]], "Indicator: Win32.Outbreak": [[587, 601]], "Indicator: Win32.Trojan-Stealer.Zbot.AB": [[602, 630]], "Indicator: Win32/Trojan.PSW.5cd": [[631, 651]]}, "info": {"id": "cyner2_5class_train_07315", "source": "cyner2_5class_train"}} +{"text": "These factors , in combination with the fact that the command and control infrastructure used by Frozen Cell and Desert Scorpion resides in similar IP blocks , supports the theory that the same actor is responsible for operating , if not developing , both families .", "spans": {"Malware: Frozen Cell": [[97, 108]], "Malware: Desert Scorpion": [[113, 128]]}, "info": {"id": "cyner2_5class_train_07316", "source": "cyner2_5class_train"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner2_5class_train_07317", "source": "cyner2_5class_train"}} +{"text": "“ Agent Smith ” is possibly the first campaign seen that ingrates and weaponized all these loopholes and are described in detail below .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_5class_train_07318", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TSPY_DOWNLOADER_DD300501.UVPA Win32.Trojan.WisdomEyes.16070401.9500.9967 Infostealer.Donx TSPY_DOWNLOADER_DD300501.UVPA Trojan.Win32.VB.ckqm Trojan.VB.Win32.119679 BehavesLike.Win32.Sality.dm Worm.Win32.VB Trojan/VB.cvqf Trojan/Win32.VB Worm:Win32/Vberaspul.A Trojan.Heur.RX.E04E5F Trojan.Win32.VB.ckqm Trojan/Win32.VB.R85915 Trojan.VB Win32/AutoRun.VB.BDA Trojan.VB!nw7hcYRbBc8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_DOWNLOADER_DD300501.UVPA": [[26, 55], [116, 145]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9967": [[56, 98]], "Indicator: Infostealer.Donx": [[99, 115]], "Indicator: Trojan.Win32.VB.ckqm": [[146, 166], [308, 328]], "Indicator: Trojan.VB.Win32.119679": [[167, 189]], "Indicator: BehavesLike.Win32.Sality.dm": [[190, 217]], "Indicator: Worm.Win32.VB": [[218, 231]], "Indicator: Trojan/VB.cvqf": [[232, 246]], "Indicator: Trojan/Win32.VB": [[247, 262]], "Indicator: Worm:Win32/Vberaspul.A": [[263, 285]], "Indicator: Trojan.Heur.RX.E04E5F": [[286, 307]], "Indicator: Trojan/Win32.VB.R85915": [[329, 351]], "Indicator: Trojan.VB": [[352, 361]], "Indicator: Win32/AutoRun.VB.BDA": [[362, 382]], "Indicator: Trojan.VB!nw7hcYRbBc8": [[383, 404]]}, "info": {"id": "cyner2_5class_train_07319", "source": "cyner2_5class_train"}} +{"text": "] comlila-tournai [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07320", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TROJ_CLICKER.API W32/Trojan.HUCV-9091 TROJ_CLICKER.API Win.Trojan.Clicker-2623 Trojan.Win32.Click.ddmsji W32/Trojan2.GMLR Adware/Clicker.hjb TrojanDownloader:Win32/Valfroc.A Win32.Trojan.Clicker.Tbip W32/CLICKER.API!tr Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_CLICKER.API": [[26, 42], [64, 80]], "Indicator: W32/Trojan.HUCV-9091": [[43, 63]], "Indicator: Win.Trojan.Clicker-2623": [[81, 104]], "Indicator: Trojan.Win32.Click.ddmsji": [[105, 130]], "Indicator: W32/Trojan2.GMLR": [[131, 147]], "Indicator: Adware/Clicker.hjb": [[148, 166]], "Indicator: TrojanDownloader:Win32/Valfroc.A": [[167, 199]], "Indicator: Win32.Trojan.Clicker.Tbip": [[200, 225]], "Indicator: W32/CLICKER.API!tr": [[226, 244]], "Indicator: Win32/Trojan.Multi.daf": [[245, 267]]}, "info": {"id": "cyner2_5class_train_07321", "source": "cyner2_5class_train"}} +{"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize 
traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications .", "spans": {"Organization: Huawei": [[81, 87]], "Organization: Samsung": [[191, 198]], "Indicator: /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml": [[228, 314]], "Indicator: /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml": [[360, 473]], "Indicator: mike.jar": [[544, 552]]}, "info": {"id": "cyner2_5class_train_07322", "source": "cyner2_5class_train"}} +{"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised .", "spans": {"Vulnerability: unpatched vulnerabilities": [[48, 73]]}, "info": {"id": "cyner2_5class_train_07323", "source": "cyner2_5class_train"}} +{"text": "Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger amount of victims.", "spans": {"Malware: ransomware": [[67, 77]], "Organization: a larger amount of victims.": [[120, 147]]}, "info": {"id": "cyner2_5class_train_07324", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.LibPatcher!O W32/Trojan.KFBA-3961 Trojan.KillAV Win32/KillAV.EA RTKT_BUREY.C TrojWare.Win32.AntiAV.~B Trojan.MulDrop.30985 Downloader.LibPatcher.Win32.272 RTKT_BUREY.C BehavesLike.Win32.Backdoor.mc W32/Dldr.Age.41984.C Trojan[Downloader]/Win32.LibPatcher Trojan:Win32/Perkesh.A Trojan/Win32.KillAV.R5311 Win32.Trojan-downloader.Libpatcher.Dumk 
Trojan-Downloader.Win32.Perkesh W32/Perkesh.A!tr Win32/Virus.81b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.LibPatcher!O": [[26, 62]], "Indicator: W32/Trojan.KFBA-3961": [[63, 83]], "Indicator: Trojan.KillAV": [[84, 97]], "Indicator: Win32/KillAV.EA": [[98, 113]], "Indicator: RTKT_BUREY.C": [[114, 126], [205, 217]], "Indicator: TrojWare.Win32.AntiAV.~B": [[127, 151]], "Indicator: Trojan.MulDrop.30985": [[152, 172]], "Indicator: Downloader.LibPatcher.Win32.272": [[173, 204]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[218, 247]], "Indicator: W32/Dldr.Age.41984.C": [[248, 268]], "Indicator: Trojan[Downloader]/Win32.LibPatcher": [[269, 304]], "Indicator: Trojan:Win32/Perkesh.A": [[305, 327]], "Indicator: Trojan/Win32.KillAV.R5311": [[328, 353]], "Indicator: Win32.Trojan-downloader.Libpatcher.Dumk": [[354, 393]], "Indicator: Trojan-Downloader.Win32.Perkesh": [[394, 425]], "Indicator: W32/Perkesh.A!tr": [[426, 442]], "Indicator: Win32/Virus.81b": [[443, 458]]}, "info": {"id": "cyner2_5class_train_07325", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.CKTNum.Trojan Virus.Win32.VB!O Virus.VB.Win32.90 W32.W.Mabezat.kZb9 Trojan.Heur.E2A0A7 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Worm.EJIG-5497 Trojan.Killfiles Win32/Disackt.B TROJ_VB.BHC Trojan.Win32.VB.mrc Virus.Win32.VB.bcfhqp Win32.Trojan.Vb.Eddp TrojWare.Win32.VB.AMN TROJ_VB.BHC BehavesLike.Win32.Downloader.mz W32/Worm.AWSI Virus.VB.bc W32/Overwriter.A Worm:Win32/Disackt.A Trojan.Win32.VB.mrc TScope.Trojan.VB Win32/VB.AMN Trojan.VB!eJU5EBjve4c Virus.Win32.VB W32/VB.AMN!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CKTNum.Trojan": [[26, 43]], "Indicator: Virus.Win32.VB!O": [[44, 60]], "Indicator: Virus.VB.Win32.90": [[61, 78]], "Indicator: W32.W.Mabezat.kZb9": [[79, 97]], "Indicator: Trojan.Heur.E2A0A7": [[98, 116]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[117, 159]], "Indicator: W32/Worm.EJIG-5497": 
[[160, 178]], "Indicator: Trojan.Killfiles": [[179, 195]], "Indicator: Win32/Disackt.B": [[196, 211]], "Indicator: TROJ_VB.BHC": [[212, 223], [309, 320]], "Indicator: Trojan.Win32.VB.mrc": [[224, 243], [417, 436]], "Indicator: Virus.Win32.VB.bcfhqp": [[244, 265]], "Indicator: Win32.Trojan.Vb.Eddp": [[266, 286]], "Indicator: TrojWare.Win32.VB.AMN": [[287, 308]], "Indicator: BehavesLike.Win32.Downloader.mz": [[321, 352]], "Indicator: W32/Worm.AWSI": [[353, 366]], "Indicator: Virus.VB.bc": [[367, 378]], "Indicator: W32/Overwriter.A": [[379, 395]], "Indicator: Worm:Win32/Disackt.A": [[396, 416]], "Indicator: TScope.Trojan.VB": [[437, 453]], "Indicator: Win32/VB.AMN": [[454, 466]], "Indicator: Trojan.VB!eJU5EBjve4c": [[467, 488]], "Indicator: Virus.Win32.VB": [[489, 503]], "Indicator: W32/VB.AMN!tr": [[504, 517]], "Indicator: Trj/CI.A": [[518, 526]]}, "info": {"id": "cyner2_5class_train_07326", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.49152.AYF Trojan.Dofoil.A Trojan/Kryptik.vgb Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Trojan.QQGJ-6488 Trojan.Win32.ULPM.eszgb Trojan.Yakes.Win32.1447 BehavesLike.Win32.Conficker.pc Trojan-Dropper.Win32.Injector W32/Kryptik.VIA!tr Trojan.Kazy.DABAF TrojanDropper:Win32/Finkmilt.C Trojan/Win32.Yakes.C144665 BScope.Trojan.Jorik.1421 Trojan.Kryptik!Y5cjjPIzRWk Bck/Qbot.AO Win32/Trojan.aeb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.49152.AYF": [[26, 52]], "Indicator: Trojan.Dofoil.A": [[53, 68]], "Indicator: Trojan/Kryptik.vgb": [[69, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[88, 130]], "Indicator: W32/Trojan.QQGJ-6488": [[131, 151]], "Indicator: Trojan.Win32.ULPM.eszgb": [[152, 175]], "Indicator: Trojan.Yakes.Win32.1447": [[176, 199]], "Indicator: BehavesLike.Win32.Conficker.pc": [[200, 230]], "Indicator: Trojan-Dropper.Win32.Injector": [[231, 260]], "Indicator: W32/Kryptik.VIA!tr": [[261, 279]], "Indicator: Trojan.Kazy.DABAF": [[280, 
297]], "Indicator: TrojanDropper:Win32/Finkmilt.C": [[298, 328]], "Indicator: Trojan/Win32.Yakes.C144665": [[329, 355]], "Indicator: BScope.Trojan.Jorik.1421": [[356, 380]], "Indicator: Trojan.Kryptik!Y5cjjPIzRWk": [[381, 407]], "Indicator: Bck/Qbot.AO": [[408, 419]], "Indicator: Win32/Trojan.aeb": [[420, 436]]}, "info": {"id": "cyner2_5class_train_07327", "source": "cyner2_5class_train"}} +{"text": "At the end of December 2015, the network system of Ukrainian power companies was attacked by", "spans": {"Malware: At": [[0, 2]], "Organization: network system of Ukrainian power companies": [[33, 76]], "Indicator: attacked": [[81, 89]]}, "info": {"id": "cyner2_5class_train_07328", "source": "cyner2_5class_train"}} +{"text": "Stage 6 : The payload is a modular spyware framework for further analysis Our journey to deobfuscating FinFisher has allowed us to uncover the complex anti-analysis techniques used by this malware , as well as to use this intel to protect our customers , which is our top priority .", "spans": {"Malware: FinFisher": [[103, 112]]}, "info": {"id": "cyner2_5class_train_07329", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32/Socks.agz Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan2.BFTZ HT_PHDET_FD042CB0.UVPM Trojan.Win32.Socks.utqwi Trojan.MulDrop7.51577 HT_PHDET_FD042CB0.UVPM BehavesLike.Win32.Dropper.jc W32/Trojan.NOBV-3130 TrojanDownloader.Small.sui Worm/Win32.Socks Trojan:Win32/Phdet.E Worm.Win32.A.Socks.93017 SScope.Worm.Socks.afv Worm.Socks!GMlFK48cpa8 W32/Kryptik.BD!tr Win32/Trojan.e0b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Socks.agz": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[40, 82]], "Indicator: W32/Trojan2.BFTZ": [[83, 99]], "Indicator: HT_PHDET_FD042CB0.UVPM": [[100, 122], [170, 192]], "Indicator: Trojan.Win32.Socks.utqwi": [[123, 147]], "Indicator: Trojan.MulDrop7.51577": [[148, 169]], "Indicator: BehavesLike.Win32.Dropper.jc": [[193, 221]], "Indicator: 
W32/Trojan.NOBV-3130": [[222, 242]], "Indicator: TrojanDownloader.Small.sui": [[243, 269]], "Indicator: Worm/Win32.Socks": [[270, 286]], "Indicator: Trojan:Win32/Phdet.E": [[287, 307]], "Indicator: Worm.Win32.A.Socks.93017": [[308, 332]], "Indicator: SScope.Worm.Socks.afv": [[333, 354]], "Indicator: Worm.Socks!GMlFK48cpa8": [[355, 377]], "Indicator: W32/Kryptik.BD!tr": [[378, 395]], "Indicator: Win32/Trojan.e0b": [[396, 412]]}, "info": {"id": "cyner2_5class_train_07330", "source": "cyner2_5class_train"}} +{"text": "Recently, WeipTech was analyzing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server.", "spans": {"Organization: WeipTech": [[10, 18]], "System: Apple iOS": [[44, 53]], "Organization: users": [[73, 78]], "System: Apple accounts": [[108, 122]], "System: server.": [[150, 157]]}, "info": {"id": "cyner2_5class_train_07331", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.D676 Win32.Trojan.WisdomEyes.16070401.9500.9591 TR/Drop.Delfsnif.pmkbu TrojanDropper:Win32/Delfsnif.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.D676": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9591": [[44, 86]], "Indicator: TR/Drop.Delfsnif.pmkbu": [[87, 109]], "Indicator: TrojanDropper:Win32/Delfsnif.A": [[110, 140]]}, "info": {"id": "cyner2_5class_train_07332", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.AphexLace!O TrojanDropper.AphexLace Dropper.AphexLace.Win32.1 Troj.W32.Inject!c Trojan/Dropper.AphexLace.b Trojan.Heur.EA2D6B TROJ_APHEXLACE.D Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.IHO Trojan.Dropper TROJ_APHEXLACE.D Trojan.Win32.Inject.vgog Trojan.Win32.AphexLace.glqv Dropper.AphexLace.17920 TrojWare.Win32.TrojanDropper.AphexLace.B Trojan.MulDrop.12656 Trojan-Dropper.Win32.Delf W32/Risk.JBWO-6048 TrojanDropper.AphexLace.b TR/Drop.AphexLace.B Trojan[Dropper]/Win32.Poisoner 
TrojanDropper:Win32/AphexLace.B Trojan.Win32.Inject.vgog Dropper/Win32.Xema.C57521 TrojanDropper.Poisoner Win32/TrojanDropper.AphexLace.B Win32.Trojan.Inject.Dypn Trojan.DR.AphexLace!M08TVuH6+oM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.AphexLace!O": [[26, 58]], "Indicator: TrojanDropper.AphexLace": [[59, 82]], "Indicator: Dropper.AphexLace.Win32.1": [[83, 108]], "Indicator: Troj.W32.Inject!c": [[109, 126]], "Indicator: Trojan/Dropper.AphexLace.b": [[127, 153]], "Indicator: Trojan.Heur.EA2D6B": [[154, 172]], "Indicator: TROJ_APHEXLACE.D": [[173, 189], [264, 280]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[190, 232]], "Indicator: W32/Dropper.IHO": [[233, 248]], "Indicator: Trojan.Dropper": [[249, 263]], "Indicator: Trojan.Win32.Inject.vgog": [[281, 305], [574, 598]], "Indicator: Trojan.Win32.AphexLace.glqv": [[306, 333]], "Indicator: Dropper.AphexLace.17920": [[334, 357]], "Indicator: TrojWare.Win32.TrojanDropper.AphexLace.B": [[358, 398]], "Indicator: Trojan.MulDrop.12656": [[399, 419]], "Indicator: Trojan-Dropper.Win32.Delf": [[420, 445]], "Indicator: W32/Risk.JBWO-6048": [[446, 464]], "Indicator: TrojanDropper.AphexLace.b": [[465, 490]], "Indicator: TR/Drop.AphexLace.B": [[491, 510]], "Indicator: Trojan[Dropper]/Win32.Poisoner": [[511, 541]], "Indicator: TrojanDropper:Win32/AphexLace.B": [[542, 573]], "Indicator: Dropper/Win32.Xema.C57521": [[599, 624]], "Indicator: TrojanDropper.Poisoner": [[625, 647]], "Indicator: Win32/TrojanDropper.AphexLace.B": [[648, 679]], "Indicator: Win32.Trojan.Inject.Dypn": [[680, 704]], "Indicator: Trojan.DR.AphexLace!M08TVuH6+oM": [[705, 736]]}, "info": {"id": "cyner2_5class_train_07333", "source": "cyner2_5class_train"}} +{"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app .", "spans": {"Organization: Lookout": [[129, 136]]}, "info": {"id": 
"cyner2_5class_train_07334", "source": "cyner2_5class_train"}} +{"text": "Indicators related to the Sundown Exploit Kit", "spans": {"Indicator: Indicators": [[0, 10]], "Malware: Sundown Exploit Kit": [[26, 45]]}, "info": {"id": "cyner2_5class_train_07335", "source": "cyner2_5class_train"}} +{"text": "CopyCat is a fully developed malware with vast capabilities, including elevating privileges to root, establishing persistency, and to top it all - injecting code into Zygote.", "spans": {"Malware: CopyCat": [[0, 7]], "Malware: malware": [[29, 36]], "Indicator: elevating privileges to root, establishing persistency,": [[71, 126]], "Indicator: injecting code": [[147, 161]], "Malware: Zygote.": [[167, 174]]}, "info": {"id": "cyner2_5class_train_07336", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.D9E5 TrojanSpy.Zbot Spyware.LokiBot Win.Packer.VbPack-0-6334882-0 Trojan-Spy.Win32.Zbot.yjsw Trojan.Win32.Zbot.etexpw Trojan.Win32.Z.Zbot.1081344 Trojan.PWS.Panda.12377 Trojan.Zbot.Win32.204854 BehavesLike.Win32.Fareit.tc Trojan.Win32.Injector TrojanSpy.Zbot.fkpq TR/AD.Zbot.cxjcv Trojan[Spy]/Win32.Zbot Trojan.Symmi.D1360F Trojan-Spy.Win32.Zbot.yjsw Trojan:Win32/Dukrid.A!bit Spyware/Win32.Zbot.R210148 TScope.Trojan.VB Trj/GdSda.A Win32.Trojan-spy.Zbot.Lqer TrojanSpy.Zbot!AasFtIJIGGs W32/Zbot.YJSW!tr Win32/Trojan.BO.553", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.D9E5": [[26, 42]], "Indicator: TrojanSpy.Zbot": [[43, 57]], "Indicator: Spyware.LokiBot": [[58, 73]], "Indicator: Win.Packer.VbPack-0-6334882-0": [[74, 103]], "Indicator: Trojan-Spy.Win32.Zbot.yjsw": [[104, 130], [362, 388]], "Indicator: Trojan.Win32.Zbot.etexpw": [[131, 155]], "Indicator: Trojan.Win32.Z.Zbot.1081344": [[156, 183]], "Indicator: Trojan.PWS.Panda.12377": [[184, 206]], "Indicator: Trojan.Zbot.Win32.204854": [[207, 231]], "Indicator: BehavesLike.Win32.Fareit.tc": [[232, 259]], "Indicator: Trojan.Win32.Injector": [[260, 281]], "Indicator: 
TrojanSpy.Zbot.fkpq": [[282, 301]], "Indicator: TR/AD.Zbot.cxjcv": [[302, 318]], "Indicator: Trojan[Spy]/Win32.Zbot": [[319, 341]], "Indicator: Trojan.Symmi.D1360F": [[342, 361]], "Indicator: Trojan:Win32/Dukrid.A!bit": [[389, 414]], "Indicator: Spyware/Win32.Zbot.R210148": [[415, 441]], "Indicator: TScope.Trojan.VB": [[442, 458]], "Indicator: Trj/GdSda.A": [[459, 470]], "Indicator: Win32.Trojan-spy.Zbot.Lqer": [[471, 497]], "Indicator: TrojanSpy.Zbot!AasFtIJIGGs": [[498, 524]], "Indicator: W32/Zbot.YJSW!tr": [[525, 541]], "Indicator: Win32/Trojan.BO.553": [[542, 561]]}, "info": {"id": "cyner2_5class_train_07337", "source": "cyner2_5class_train"}} +{"text": "The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository.", "spans": {"Organization: The WordPress.org team": [[0, 22]], "Malware: plugin": [[54, 60]], "Organization: the official WordPress Plugins repository.": [[66, 108]]}, "info": {"id": "cyner2_5class_train_07338", "source": "cyner2_5class_train"}} +{"text": "It is likely these spearphishes are generated via a builder - so attribution to an exact group of attackers may be incorrect.", "spans": {"Indicator: spearphishes": [[19, 31]]}, "info": {"id": "cyner2_5class_train_07339", "source": "cyner2_5class_train"}} +{"text": "SimBad : A Rogue Adware Campaign On Google Play March 13 , 2019 Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store .", "spans": {"Malware: SimBad": [[0, 6]], "System: Google Play": [[36, 47]], "Organization: Check Point": [[64, 75]], "System: Google Play Store": [[161, 178]]}, "info": {"id": "cyner2_5class_train_07340", "source": "cyner2_5class_train"}} +{"text": "This campaign was found to be connected to the same party which previously targeted Vietnam Airlines and some other high profile targets possibly led by the Chinese 1937CN group.", "spans": {"Organization: Vietnam Airlines": [[84, 100]], "Organization: high profile 
targets": [[116, 136]], "Organization: the Chinese 1937CN group.": [[153, 178]]}, "info": {"id": "cyner2_5class_train_07341", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: I-Worm.Stator.A Worm/W32.Stator.62976 Email-Worm.Win32.Stator!O W32.Stator.A Worm.Stator.Win32.3 W32/Stator.worm I-Worm.Stator.A W32/Stator.A W32.Stator@mm Win32/Stator.62464.A WORM_STATOR.A Win.Worm.Stator-1 I-Worm.Stator.A Email-Worm.Win32.Stator.a I-Worm.Stator.A Trojan.Win32.Stator.jahi I-Worm.Win32.Stator I-Worm.Stator.A EmailWorm.Win32.Stator.a0 I-Worm.Stator.A Win32.HLLW.Plict WORM_STATOR.A BehavesLike.Win32.Downloader.kc Email-Worm.Win32.Stator.a W32/Stator.A I-Worm/Stator.a Worm[Email]/Win32.Stator Worm:Win32/Stator.A@mm Email-Worm.Win32.Stator.a Trojan/Win32.HDC.C40377 I-Worm.Stator.A Win32.HLLW.Stator.A I-Worm.Stator.62464 Win32/Stator.62464 Win32.Stator.B W32/Stator.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: I-Worm.Stator.A": [[26, 41], [139, 154], [235, 250], [277, 292], [338, 353], [380, 395], [612, 627]], "Indicator: Worm/W32.Stator.62976": [[42, 63]], "Indicator: Email-Worm.Win32.Stator!O": [[64, 89]], "Indicator: W32.Stator.A": [[90, 102]], "Indicator: Worm.Stator.Win32.3": [[103, 122]], "Indicator: W32/Stator.worm": [[123, 138]], "Indicator: W32/Stator.A": [[155, 167], [485, 497], [702, 714]], "Indicator: W32.Stator@mm": [[168, 181]], "Indicator: Win32/Stator.62464.A": [[182, 202]], "Indicator: WORM_STATOR.A": [[203, 216], [413, 426]], "Indicator: Win.Worm.Stator-1": [[217, 234]], "Indicator: Email-Worm.Win32.Stator.a": [[251, 276], [459, 484], [562, 587]], "Indicator: Trojan.Win32.Stator.jahi": [[293, 317]], "Indicator: I-Worm.Win32.Stator": [[318, 337]], "Indicator: EmailWorm.Win32.Stator.a0": [[354, 379]], "Indicator: Win32.HLLW.Plict": [[396, 412]], "Indicator: BehavesLike.Win32.Downloader.kc": [[427, 458]], "Indicator: I-Worm/Stator.a": [[498, 513]], "Indicator: Worm[Email]/Win32.Stator": [[514, 538]], "Indicator: 
Worm:Win32/Stator.A@mm": [[539, 561]], "Indicator: Trojan/Win32.HDC.C40377": [[588, 611]], "Indicator: Win32.HLLW.Stator.A": [[628, 647]], "Indicator: I-Worm.Stator.62464": [[648, 667]], "Indicator: Win32/Stator.62464": [[668, 686]], "Indicator: Win32.Stator.B": [[687, 701]]}, "info": {"id": "cyner2_5class_train_07342", "source": "cyner2_5class_train"}} +{"text": "Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors .", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "cyner2_5class_train_07343", "source": "cyner2_5class_train"}} +{"text": "encrypt its APK and shell code,", "spans": {"Indicator: encrypt": [[0, 7]], "System: APK": [[12, 15]], "Indicator: shell code,": [[20, 31]]}, "info": {"id": "cyner2_5class_train_07344", "source": "cyner2_5class_train"}} +{"text": "It looked like a typical backdoor that could be uploaded anywhere on a compromised server, not just in this particular plugin.", "spans": {"Malware: backdoor": [[25, 33]], "Indicator: uploaded anywhere": [[48, 65]], "System: compromised server,": [[71, 90]], "System: plugin.": [[119, 126]]}, "info": {"id": "cyner2_5class_train_07345", "source": "cyner2_5class_train"}} +{"text": "Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which prompted us to start collecting additional samples of Emissary.", "spans": {"Malware: Emissary": [[0, 8]], "Malware: the Elise Trojan": [[23, 39]], "Malware: Emissary.": [[149, 158]]}, "info": {"id": "cyner2_5class_train_07346", "source": "cyner2_5class_train"}} +{"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users .", "spans": {"System: Super Mario Run": [[59, 74]], "System: Android": [[106, 113]]}, "info": {"id": "cyner2_5class_train_07347", "source": "cyner2_5class_train"}} +{"text": "This trojan 's design and implementation is of an uncommonly high level , making it a 
dangerous threat .", "spans": {}, "info": {"id": "cyner2_5class_train_07348", "source": "cyner2_5class_train"}} +{"text": "To quote the original article: It could be through attachments in spam messages, downloads from untrusted websites or something else.", "spans": {}, "info": {"id": "cyner2_5class_train_07349", "source": "cyner2_5class_train"}} +{"text": "The spyware in this analysis was portraying itself as the Netflix app .", "spans": {"System: Netflix app": [[58, 69]]}, "info": {"id": "cyner2_5class_train_07350", "source": "cyner2_5class_train"}} +{"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes the file specified by the C & C server Deldatall8 Delete all files stored in the 
/sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a look at some of the major ones .", "spans": {"System: Facebook": [[454, 462], [515, 523], [596, 604], [634, 642]]}, "info": {"id": "cyner2_5class_train_07351", "source": "cyner2_5class_train"}} +{"text": "If any of these conditions is true , the application does not continue to execute the malicious flow .", "spans": {}, "info": {"id": "cyner2_5class_train_07352", "source": "cyner2_5class_train"}} +{"text": "It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet.", "spans": {"Malware: GhostNet": [[142, 150]], "Indicator: attacks": [[151, 158]]}, "info": {"id": "cyner2_5class_train_07353", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Miner Troj.W32.Miner!c Trojan.MulDrop7.60223 TR/Muldrop.jzijj Trojan.Win32.Miner.tjvn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Miner": [[26, 38]], "Indicator: Troj.W32.Miner!c": [[39, 55]], "Indicator: Trojan.MulDrop7.60223": [[56, 77]], "Indicator: TR/Muldrop.jzijj": [[78, 94]], "Indicator: Trojan.Win32.Miner.tjvn": [[95, 118]]}, "info": {"id": "cyner2_5class_train_07354", "source": "cyner2_5class_train"}} +{"text": "The threat actor's campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.", "spans": {"Organization: high-profile North American and European government officials": [[49, 110]], "Organization: CEOs": [[122, 126]], "Organization: companies": [[140, 149]], "Organization: celebrities": [[154, 165]], "Organization: recorded": [[188, 196]]}, "info": {"id": "cyner2_5class_train_07355", "source": "cyner2_5class_train"}} +{"text": "The earliest evidence obtained shows it has been in use since at least November 
2016.", "spans": {}, "info": {"id": "cyner2_5class_train_07356", "source": "cyner2_5class_train"}} +{"text": "The hash listed in the Pastebin led us to a malicious Word document that had also been uploaded to a public sandbox.", "spans": {"Indicator: The hash listed": [[0, 15]], "Organization: the Pastebin": [[19, 31]], "Indicator: a malicious Word document": [[42, 67]], "System: a public sandbox.": [[99, 116]]}, "info": {"id": "cyner2_5class_train_07357", "source": "cyner2_5class_train"}} +{"text": "Similarly to another Android spyware made in Italy , originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs , Exodus also takes advantage of \" protectedapps '' , a feature in Huawei phones that allows to configure power-saving options for running applications .", "spans": {"System: Android": [[21, 28]], "Malware: Skygofree": [[109, 118]], "Organization: Kaspersky Labs": [[144, 158]], "Malware: Exodus": [[161, 167]], "Organization: Huawei": [[226, 232]]}, "info": {"id": "cyner2_5class_train_07358", "source": "cyner2_5class_train"}} +{"text": "At the time of writing we had no evidence of an exploit being used to obtain root privileges , though it is possible that the attackers used some unseen component to implement this feature .", "spans": {}, "info": {"id": "cyner2_5class_train_07359", "source": "cyner2_5class_train"}} +{"text": "] 91 2020-03-04 http : //ora.carlaarrabitoarchitetto [ .", "spans": {"Indicator: http : //ora.carlaarrabitoarchitetto [ .": [[16, 56]]}, "info": {"id": "cyner2_5class_train_07360", "source": "cyner2_5class_train"}} +{"text": "] com ’ as an ad-related SDK .", "spans": {}, "info": {"id": "cyner2_5class_train_07361", "source": "cyner2_5class_train"}} +{"text": "Aside from the credential stealing , this malware also includes features like the theft of users ' contact list , collecting phone numbers associated names , and files and photos on the device .", "spans": {}, "info": {"id": 
"cyner2_5class_train_07362", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom/W32.Locky.48128 Exploit.Cve20151701 Win32.Trojan.WisdomEyes.16070401.9500.9999 Exploit.Win32.CVE-2015-1701.bd Exploit.Win32.CVE20151701.euekja Trojan.Win32.LockCrypt.48128.A Trojan.Encoder.12135 BehavesLike.Win32.Mydoom.pm W32/Trojan.JPLA-3344 Exploit.CVE-2015-1701.ar TR/AD.RansomHeur.fbqvj Exploit.W32.Cve!c Exploit.Win32.CVE-2015-1701.bd Ransom:Win32/LockCrypt.A!bit Trojan/Win32.Scar.R211760 Exploit.CVE-2015-1701 Ransom.DXXD Trj/GdSda.A Trojan.Win32.Filecoder Win32.Trojan-Ransom.LockCrypt.A Win32/Trojan.Exploit.3d9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.Locky.48128": [[26, 48]], "Indicator: Exploit.Cve20151701": [[49, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[69, 111]], "Indicator: Exploit.Win32.CVE-2015-1701.bd": [[112, 142], [343, 373]], "Indicator: Exploit.Win32.CVE20151701.euekja": [[143, 175]], "Indicator: Trojan.Win32.LockCrypt.48128.A": [[176, 206]], "Indicator: Trojan.Encoder.12135": [[207, 227]], "Indicator: BehavesLike.Win32.Mydoom.pm": [[228, 255]], "Indicator: W32/Trojan.JPLA-3344": [[256, 276]], "Indicator: Exploit.CVE-2015-1701.ar": [[277, 301]], "Indicator: TR/AD.RansomHeur.fbqvj": [[302, 324]], "Indicator: Exploit.W32.Cve!c": [[325, 342]], "Indicator: Ransom:Win32/LockCrypt.A!bit": [[374, 402]], "Indicator: Trojan/Win32.Scar.R211760": [[403, 428]], "Indicator: Exploit.CVE-2015-1701": [[429, 450]], "Indicator: Ransom.DXXD": [[451, 462]], "Indicator: Trj/GdSda.A": [[463, 474]], "Indicator: Trojan.Win32.Filecoder": [[475, 497]], "Indicator: Win32.Trojan-Ransom.LockCrypt.A": [[498, 529]], "Indicator: Win32/Trojan.Exploit.3d9": [[530, 554]]}, "info": {"id": "cyner2_5class_train_07363", "source": "cyner2_5class_train"}} +{"text": "This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm also known as Fancy Bear, APT28, Sofacy, and STRONTIUM ramped up 
its spear-phishing campaigns against various governments and embassies around the world.", "spans": {"Organization: governments": [[215, 226]], "Organization: embassies": [[231, 240]]}, "info": {"id": "cyner2_5class_train_07364", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32!O W32.Etap W32/Etap.dr Win32.Trojan.WisdomEyes.16070401.9500.9929 W32.Simile Virus.Win32.Etap Win32.Etap.E Win32/Linux.Etap W32/Etap.dr Virus.Win32.Etap Backdoor/Hupigon.ish Virus/Win32.Etap Trojan.Kazy.D65E9 Virus.Win32.Etap Backdoor:Win32/Etap.dr Win32/Etap.E W32/Etap.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32!O": [[26, 39]], "Indicator: W32.Etap": [[40, 48]], "Indicator: W32/Etap.dr": [[49, 60], [162, 173]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9929": [[61, 103]], "Indicator: W32.Simile": [[104, 114]], "Indicator: Virus.Win32.Etap": [[115, 131], [174, 190], [247, 263]], "Indicator: Win32.Etap.E": [[132, 144]], "Indicator: Win32/Linux.Etap": [[145, 161]], "Indicator: Backdoor/Hupigon.ish": [[191, 211]], "Indicator: Virus/Win32.Etap": [[212, 228]], "Indicator: Trojan.Kazy.D65E9": [[229, 246]], "Indicator: Backdoor:Win32/Etap.dr": [[264, 286]], "Indicator: Win32/Etap.E": [[287, 299]], "Indicator: W32/Etap.D": [[300, 310]]}, "info": {"id": "cyner2_5class_train_07365", "source": "cyner2_5class_train"}} +{"text": "Furthermore, each of the stages used different development platform and was obfuscated in a different way.", "spans": {}, "info": {"id": "cyner2_5class_train_07366", "source": "cyner2_5class_train"}} +{"text": "Rather than simply copying the features that were present within the Zeus trojan as-is Floki Bot claims to feature several new capabilities making it an attractive tool for criminals.", "spans": {"Malware: Zeus trojan": [[69, 80]], "Malware: Floki Bot": [[87, 96]]}, "info": {"id": "cyner2_5class_train_07367", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Silva.447488 
Worm.Keco W32.W.Silva.d!c W32/Silva.d W32/Silva.D W32.Silva@mm Trojan.Win32.Silva.envq Worm.Win32.Silva.D Win32.HLLW.Silva Worm.Win32.Silva W32/Silva.QGXV-8360 I-Worm/Silva.d Worm:Win32/Silva.D@mm Worm:Win32/Silva.D@mm Email-Worm.Keco W32/Keco.G.worm Win32/Silva.D Win32.Worm-email.Keco.Peze I-Worm.Silva!97fYr5ijFvQ W32/Silva.D@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Silva.447488": [[26, 47]], "Indicator: Worm.Keco": [[48, 57]], "Indicator: W32.W.Silva.d!c": [[58, 73]], "Indicator: W32/Silva.d": [[74, 85]], "Indicator: W32/Silva.D": [[86, 97]], "Indicator: W32.Silva@mm": [[98, 110]], "Indicator: Trojan.Win32.Silva.envq": [[111, 134]], "Indicator: Worm.Win32.Silva.D": [[135, 153]], "Indicator: Win32.HLLW.Silva": [[154, 170]], "Indicator: Worm.Win32.Silva": [[171, 187]], "Indicator: W32/Silva.QGXV-8360": [[188, 207]], "Indicator: I-Worm/Silva.d": [[208, 222]], "Indicator: Worm:Win32/Silva.D@mm": [[223, 244], [245, 266]], "Indicator: Email-Worm.Keco": [[267, 282]], "Indicator: W32/Keco.G.worm": [[283, 298]], "Indicator: Win32/Silva.D": [[299, 312]], "Indicator: Win32.Worm-email.Keco.Peze": [[313, 339]], "Indicator: I-Worm.Silva!97fYr5ijFvQ": [[340, 364]], "Indicator: W32/Silva.D@mm": [[365, 379]]}, "info": {"id": "cyner2_5class_train_07368", "source": "cyner2_5class_train"}} +{"text": "Below are a couple of images of the panel that the attacker would be utilizing.", "spans": {}, "info": {"id": "cyner2_5class_train_07369", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.BHO.Delf.T Trojan.Win32.Delf!O Trojan.Lnkhyd.A7 Trojan.Delf.Win32.15794 Troj.W32.Delf.lV2h Win32/Delf.AXIT TROJ_DELF.PVC Win.Trojan.Delf-11211 Trojan.BHO.Delf.T Trojan.Win32.Delf.ssh Trojan.BHO.Delf.T Trojan.Win32.Delf.cjzwb Trojan.Win32.Delf.157696.J Trojan.BHO.Delf.T TROJ_DELF.PVC Trojan.Lnkhyd Trojan/Delf.mdz Trojan:Win32/Lnkhyd.A Trojan/Win32.Delf Trojan.BHO.Delf.T Trojan.Win32.Delf.ssh Trojan:Win32/Lnkhyd.A Trojan/Win32.Fides.R3508 
Trojan.BHO.Delf.T TScope.Trojan.Delf Win32.Trojan.Delf.Ednr Trojan.Win32.BHO.R", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BHO.Delf.T": [[26, 43], [176, 193], [216, 233], [285, 302], [387, 404], [474, 491]], "Indicator: Trojan.Win32.Delf!O": [[44, 63]], "Indicator: Trojan.Lnkhyd.A7": [[64, 80]], "Indicator: Trojan.Delf.Win32.15794": [[81, 104]], "Indicator: Troj.W32.Delf.lV2h": [[105, 123]], "Indicator: Win32/Delf.AXIT": [[124, 139]], "Indicator: TROJ_DELF.PVC": [[140, 153], [303, 316]], "Indicator: Win.Trojan.Delf-11211": [[154, 175]], "Indicator: Trojan.Win32.Delf.ssh": [[194, 215], [405, 426]], "Indicator: Trojan.Win32.Delf.cjzwb": [[234, 257]], "Indicator: Trojan.Win32.Delf.157696.J": [[258, 284]], "Indicator: Trojan.Lnkhyd": [[317, 330]], "Indicator: Trojan/Delf.mdz": [[331, 346]], "Indicator: Trojan:Win32/Lnkhyd.A": [[347, 368], [427, 448]], "Indicator: Trojan/Win32.Delf": [[369, 386]], "Indicator: Trojan/Win32.Fides.R3508": [[449, 473]], "Indicator: TScope.Trojan.Delf": [[492, 510]], "Indicator: Win32.Trojan.Delf.Ednr": [[511, 533]], "Indicator: Trojan.Win32.BHO.R": [[534, 552]]}, "info": {"id": "cyner2_5class_train_07370", "source": "cyner2_5class_train"}} +{"text": "Interaction with these servers is performed in two different threads.", "spans": {}, "info": {"id": "cyner2_5class_train_07371", "source": "cyner2_5class_train"}} +{"text": "The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “ Conversations ” with some code additions .", "spans": {"System: Jabber/XMPP": [[73, 84]]}, "info": {"id": "cyner2_5class_train_07372", "source": "cyner2_5class_train"}} +{"text": "They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.", "spans": {"Indicator: compromised e-mail accounts": [[9, 36]], "Malware: malware": [[57, 64]]}, "info": {"id": "cyner2_5class_train_07373", "source": "cyner2_5class_train"}} +{"text": "A 
backdoor also known as: PUP.Riskware.Tool Trojan.Win32.Cindyc.wrlqe TR/DyCode.A.110 Backdoor/Cindyc.bv Win32.Troj.Undef.kcloud Trojan:Win32/DyCode.A Backdoor.Win32.A.Cindyc.141184 Backdoor/Win32.Cindyc Backdoor.Cindyc.adk Backdoor.Win32.Cindyc Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PUP.Riskware.Tool": [[26, 43]], "Indicator: Trojan.Win32.Cindyc.wrlqe": [[44, 69]], "Indicator: TR/DyCode.A.110": [[70, 85]], "Indicator: Backdoor/Cindyc.bv": [[86, 104]], "Indicator: Win32.Troj.Undef.kcloud": [[105, 128]], "Indicator: Trojan:Win32/DyCode.A": [[129, 150]], "Indicator: Backdoor.Win32.A.Cindyc.141184": [[151, 181]], "Indicator: Backdoor/Win32.Cindyc": [[182, 203]], "Indicator: Backdoor.Cindyc.adk": [[204, 223]], "Indicator: Backdoor.Win32.Cindyc": [[224, 245]], "Indicator: Trj/CI.A": [[246, 254]]}, "info": {"id": "cyner2_5class_train_07374", "source": "cyner2_5class_train"}} +{"text": "] com csip6 [ .", "spans": {"Indicator: csip6 [ .": [[6, 15]]}, "info": {"id": "cyner2_5class_train_07375", "source": "cyner2_5class_train"}} +{"text": "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices.", "spans": {"Organization: Credit card industry": [[0, 20]], "Organization: Visa": [[27, 31]], "Organization: companies": [[74, 83]], "System: point-of-sale devices": [[90, 111]], "Organization: Oracle": [[120, 126]], "System: MICROS retail unit": [[129, 147]], "System: machines": [[168, 176]], "Malware: malicious software": [[181, 199]], "Indicator: unusual network activity,": [[203, 228]], "System: devices.": [[260, 268]]}, "info": {"id": "cyner2_5class_train_07376", "source": "cyner2_5class_train"}} +{"text": "The dropper family, referred to internally as PNG_dropper, was observed being used as a second stage tool in different targeted attacks.", 
"spans": {"Malware: The dropper family,": [[0, 19]], "Indicator: PNG_dropper,": [[46, 58]], "Malware: second stage tool": [[88, 105]], "Indicator: attacks.": [[128, 136]]}, "info": {"id": "cyner2_5class_train_07377", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.StartPageCRTD.Win32.8798 Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Win32.Clicker!BT Trojan.MSIL.EzirizNetReactor TR/Dropper.MSIL.76348 TrojanClicker:MSIL/Balamid.B Trojan.Jatif.32 Trojan/Win32.FakeMS.R113384 Trojan.Win32.Clicker!BT Win32/Trojan.Dropper.2f1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.StartPageCRTD.Win32.8798": [[26, 57]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[58, 100]], "Indicator: Trojan.Win32.Clicker!BT": [[101, 124], [249, 272]], "Indicator: Trojan.MSIL.EzirizNetReactor": [[125, 153]], "Indicator: TR/Dropper.MSIL.76348": [[154, 175]], "Indicator: TrojanClicker:MSIL/Balamid.B": [[176, 204]], "Indicator: Trojan.Jatif.32": [[205, 220]], "Indicator: Trojan/Win32.FakeMS.R113384": [[221, 248]], "Indicator: Win32/Trojan.Dropper.2f1": [[273, 297]]}, "info": {"id": "cyner2_5class_train_07378", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9589 TROJ_DELF.IVW Trojan-Downloader.Win32.Delf.acc Troj.Downloader.W32.Delf!c Win32.Trojan-downloader.Delf.Edoh TrojWare.Win32.TrojanDownloader.Delf.~ABI Trojan.DownLoader.46506 Trojan-Downloader.Win32.Delf.ACC TrojanDownloader.Delf.fqq Trojan[Downloader]/Win32.Delf Win32.TrojDownloader.Delf.ac.kcloud Trojan.Downloader.bGWcaOz2KakG Trojan.Win32.A.Downloader.34816.FA Trojan-Downloader.Win32.Delf.acc Trj/Banbra.FSU Win32/Trojan.Downloader.dac", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9589": [[26, 68]], "Indicator: TROJ_DELF.IVW": [[69, 82]], "Indicator: Trojan-Downloader.Win32.Delf.acc": [[83, 115], [434, 466]], "Indicator: Troj.Downloader.W32.Delf!c": [[116, 142]], 
"Indicator: Win32.Trojan-downloader.Delf.Edoh": [[143, 176]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.~ABI": [[177, 218]], "Indicator: Trojan.DownLoader.46506": [[219, 242]], "Indicator: Trojan-Downloader.Win32.Delf.ACC": [[243, 275]], "Indicator: TrojanDownloader.Delf.fqq": [[276, 301]], "Indicator: Trojan[Downloader]/Win32.Delf": [[302, 331]], "Indicator: Win32.TrojDownloader.Delf.ac.kcloud": [[332, 367]], "Indicator: Trojan.Downloader.bGWcaOz2KakG": [[368, 398]], "Indicator: Trojan.Win32.A.Downloader.34816.FA": [[399, 433]], "Indicator: Trj/Banbra.FSU": [[467, 481]], "Indicator: Win32/Trojan.Downloader.dac": [[482, 509]]}, "info": {"id": "cyner2_5class_train_07379", "source": "cyner2_5class_train"}} +{"text": "Malicious app com.qualcmm.timeservices As I mentioned before , in the “ initial phase ” , the Trojan will install the “ com.qualcmm.timeservices ” app .", "spans": {"Indicator: com.qualcmm.timeservices": [[14, 38], [120, 144]]}, "info": {"id": "cyner2_5class_train_07380", "source": "cyner2_5class_train"}} +{"text": "It does this by leveraging the Android plugin technology.", "spans": {"System: the Android plugin technology.": [[27, 57]]}, "info": {"id": "cyner2_5class_train_07381", "source": "cyner2_5class_train"}} +{"text": "That creates a fake ID that allows the perpetrators to generate referral revenues .", "spans": {}, "info": {"id": "cyner2_5class_train_07382", "source": "cyner2_5class_train"}} +{"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named “ HenBox ” masquerading as a variety of legitimate Android apps .", "spans": {"Malware: HenBox": [[0, 6], [136, 142]], "System: Android": [[102, 109], [185, 192]]}, "info": {"id": "cyner2_5class_train_07383", "source": "cyner2_5class_train"}} +{"text": "Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and wrong implementations.", "spans": 
{"Malware: Trojan Ransom Xpan": [[0, 18]], "Indicator: attacks": [[73, 80]], "Vulnerability: RDP": [[85, 88]], "Vulnerability: weak passwords": [[101, 115]], "Vulnerability: wrong implementations.": [[120, 142]]}, "info": {"id": "cyner2_5class_train_07384", "source": "cyner2_5class_train"}} +{"text": "The operators have used use a range of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers of well-connected individuals in the Syrian opposition.", "spans": {"System: Windows computers": [[60, 77]], "System: Android phones": [[82, 96]], "System: computers": [[139, 148]], "Organization: individuals": [[167, 178]], "Organization: Syrian opposition.": [[186, 204]]}, "info": {"id": "cyner2_5class_train_07385", "source": "cyner2_5class_train"}} +{"text": "On the network traffic analysis end, post compromise activity results in some interesting but not unexpected activity.", "spans": {}, "info": {"id": "cyner2_5class_train_07386", "source": "cyner2_5class_train"}} +{"text": "Based on this evidence we believe this new malware is likely targeting South Koreans.", "spans": {"Malware: malware": [[43, 50]]}, "info": {"id": "cyner2_5class_train_07387", "source": "cyner2_5class_train"}} +{"text": "A series of malware attacks targeting users of cryptocurrency wallets has been identified by security firm Kaspersky, which has developed an anti-malware solution to detect and prevent such attacks in the future.", "spans": {"Malware: malware": [[12, 19]], "Indicator: attacks": [[20, 27], [190, 197]], "Organization: users": [[38, 43]], "System: cryptocurrency wallets": [[47, 69]], "Organization: security firm Kaspersky,": [[93, 117]], "System: anti-malware solution": [[141, 162]]}, "info": {"id": "cyner2_5class_train_07388", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus/W32.Patched.P W32.Patched.QC1 Trojan.Razy.D19982 PE_PATCHED.SMB Win32.Trojan.ImPatch.a W32/Floxif.A PE_PATCHED.SMB 
Trojan.Win32.Patched.qc Troj.W32.Patched.lnCt Trojan.Starter.3187 W32/Floxif.A Trojan.Win32.Patched.qc Trojan.Patched.al W32/Patched.AL Virus.Win32.Loader.abd Trojan.Win32.Patched W32/Patched.AL!tr Virus.Win32.Patched.DG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus/W32.Patched.P": [[26, 45]], "Indicator: W32.Patched.QC1": [[46, 61]], "Indicator: Trojan.Razy.D19982": [[62, 80]], "Indicator: PE_PATCHED.SMB": [[81, 95], [132, 146]], "Indicator: Win32.Trojan.ImPatch.a": [[96, 118]], "Indicator: W32/Floxif.A": [[119, 131], [213, 225]], "Indicator: Trojan.Win32.Patched.qc": [[147, 170], [226, 249]], "Indicator: Troj.W32.Patched.lnCt": [[171, 192]], "Indicator: Trojan.Starter.3187": [[193, 212]], "Indicator: Trojan.Patched.al": [[250, 267]], "Indicator: W32/Patched.AL": [[268, 282]], "Indicator: Virus.Win32.Loader.abd": [[283, 305]], "Indicator: Trojan.Win32.Patched": [[306, 326]], "Indicator: W32/Patched.AL!tr": [[327, 344]], "Indicator: Virus.Win32.Patched.DG": [[345, 367]]}, "info": {"id": "cyner2_5class_train_07389", "source": "cyner2_5class_train"}} +{"text": "The name of the folder and the malware configuration are read from a customized configuration file stored in the resource section of the setup program .", "spans": {}, "info": {"id": "cyner2_5class_train_07390", "source": "cyner2_5class_train"}} +{"text": "There the user is prompted to download and install a Trojan imitating an Adobe Flash Player update .", "spans": {"System: Adobe Flash Player": [[73, 91]]}, "info": {"id": "cyner2_5class_train_07391", "source": "cyner2_5class_train"}} +{"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 .", "spans": {"Malware: Golden Cup": [[82, 92]]}, "info": {"id": "cyner2_5class_train_07392", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGamesGBTOFAB.Trojan Trojan-Dropper.Win32.Dapato!O Trojan/Vilsel.bftr 
Trojan-Dropper.Win32.Dapato.bzqh Trojan.Win32.Vilsel.dktcmg Trojan.Vilsel.Win32.24133 Trojan-PWS.Win32.QQPass TrojanDropper.Dapato.jop Trojan/Win32.Vilsel Win32.Troj.Vilsel.kcloud Trojan-Dropper.Win32.Dapato.bzqh Trojan.Vilsel", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesGBTOFAB.Trojan": [[26, 51]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[52, 81]], "Indicator: Trojan/Vilsel.bftr": [[82, 100]], "Indicator: Trojan-Dropper.Win32.Dapato.bzqh": [[101, 133], [281, 313]], "Indicator: Trojan.Win32.Vilsel.dktcmg": [[134, 160]], "Indicator: Trojan.Vilsel.Win32.24133": [[161, 186]], "Indicator: Trojan-PWS.Win32.QQPass": [[187, 210]], "Indicator: TrojanDropper.Dapato.jop": [[211, 235]], "Indicator: Trojan/Win32.Vilsel": [[236, 255]], "Indicator: Win32.Troj.Vilsel.kcloud": [[256, 280]], "Indicator: Trojan.Vilsel": [[314, 327]]}, "info": {"id": "cyner2_5class_train_07393", "source": "cyner2_5class_train"}} +{"text": "The first timer will be fired on the configured interval ( 20 seconds in this case ) , pinging the command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner2_5class_train_07394", "source": "cyner2_5class_train"}} +{"text": "Our intelligence shows “ Agent Smith ” droppers proliferate through third-party app store “ 9Apps ” , a UC team backed store , targeted mostly at Indian ( Hindi ) , Arabic , and Indonesian users .", "spans": {"Malware: Agent Smith": [[25, 36]], "System: 9Apps": [[92, 97]]}, "info": {"id": "cyner2_5class_train_07395", "source": "cyner2_5class_train"}} +{"text": "For now , that is the only way how cybercriminals can profit from Triada , but don ’ t forget that it ’ s a modular Trojan , so it can be turned into literally everything on one command from the C & C server .", "spans": {"Malware: Triada": [[66, 72]]}, "info": {"id": "cyner2_5class_train_07396", "source": "cyner2_5class_train"}} +{"text": "Most users are pushing a variety of information stealers with the service.", "spans": {"System: service.": 
[[66, 74]]}, "info": {"id": "cyner2_5class_train_07397", "source": "cyner2_5class_train"}} +{"text": "Rooting and Ad Network Presentation The reflection loaded methods check if the device is rooted .", "spans": {}, "info": {"id": "cyner2_5class_train_07398", "source": "cyner2_5class_train"}} +{"text": "This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks .", "spans": {}, "info": {"id": "cyner2_5class_train_07399", "source": "cyner2_5class_train"}} +{"text": "This data shows a distinct concentration of infected devices beaconing from Gaza , Palestine .", "spans": {}, "info": {"id": "cyner2_5class_train_07400", "source": "cyner2_5class_train"}} +{"text": "First, users cannot easily spot any malicious behavior since PowerShell runs in the background.", "spans": {"Vulnerability: cannot easily spot any malicious behavior": [[13, 54]], "Vulnerability: PowerShell runs in the background.": [[61, 95]]}, "info": {"id": "cyner2_5class_train_07401", "source": "cyner2_5class_train"}} +{"text": "We found no similarities to commercial spyware products or to other known spyware variants , which suggests BusyGasper is self-developed and used by a single threat actor .", "spans": {"Malware: BusyGasper": [[108, 118]]}, "info": {"id": "cyner2_5class_train_07402", "source": "cyner2_5class_train"}} +{"text": "root9B's analysis determined that the adversary is using advanced memory-resident techniques to maintain persistence and avoid detection.", "spans": {"Malware: root9B's": [[0, 8]], "Indicator: advanced memory-resident techniques": [[57, 92]]}, "info": {"id": "cyner2_5class_train_07403", "source": "cyner2_5class_train"}} +{"text": "The malware has a remote controlling function, and attackers sending these emails seem to attempt intruding into the targets' network using the malware.", "spans": {"Malware: malware": [[4, 11]], "Indicator: remote controlling function,": [[18, 
46]], "Indicator: emails": [[75, 81]], "System: network": [[126, 133]], "Malware: malware.": [[144, 152]]}, "info": {"id": "cyner2_5class_train_07404", "source": "cyner2_5class_train"}} +{"text": "Usually they would upload a clean version back on Google Play the very same day .", "spans": {"System: Google Play": [[50, 61]]}, "info": {"id": "cyner2_5class_train_07405", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Virus.Win32.Sality!O Ransom.Exxroute.A3 Trojan.Kryptik.Win32.1099877 Troj.Downloader.W32.Banload.l42y Ransom_CERBER.SM3B Win32.Trojan.Kryptik.bjm W32/Trojan.FUEH-0857 Backdoor.Trojan Ransom_CERBER.SM3B Trojan.Encoder.10103 BehavesLike.Win32.Cutwail.ph Trojan.Spora.mw TR/AD.Spora.svton Trojan[Ransom]/Win32.Spora Trojan.Symmi.DB88E Ransom:Win32/Spora.A Hoax.Spora Virus.Win32.VBInject", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Sality!O": [[26, 46]], "Indicator: Ransom.Exxroute.A3": [[47, 65]], "Indicator: Trojan.Kryptik.Win32.1099877": [[66, 94]], "Indicator: Troj.Downloader.W32.Banload.l42y": [[95, 127]], "Indicator: Ransom_CERBER.SM3B": [[128, 146], [209, 227]], "Indicator: Win32.Trojan.Kryptik.bjm": [[147, 171]], "Indicator: W32/Trojan.FUEH-0857": [[172, 192]], "Indicator: Backdoor.Trojan": [[193, 208]], "Indicator: Trojan.Encoder.10103": [[228, 248]], "Indicator: BehavesLike.Win32.Cutwail.ph": [[249, 277]], "Indicator: Trojan.Spora.mw": [[278, 293]], "Indicator: TR/AD.Spora.svton": [[294, 311]], "Indicator: Trojan[Ransom]/Win32.Spora": [[312, 338]], "Indicator: Trojan.Symmi.DB88E": [[339, 357]], "Indicator: Ransom:Win32/Spora.A": [[358, 378]], "Indicator: Hoax.Spora": [[379, 389]], "Indicator: Virus.Win32.VBInject": [[390, 410]]}, "info": {"id": "cyner2_5class_train_07406", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BKDR_PIRPI.YE Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_PIRPI.YE Trojan.Heur.LP.E69C7F Trojan:Win32/Pirpi.O Win32.Backdoor.Backdoor.Hwmn 
Win32/Trojan.9b5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BKDR_PIRPI.YE": [[26, 39], [99, 112]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[40, 82]], "Indicator: Backdoor.Trojan": [[83, 98]], "Indicator: Trojan.Heur.LP.E69C7F": [[113, 134]], "Indicator: Trojan:Win32/Pirpi.O": [[135, 155]], "Indicator: Win32.Backdoor.Backdoor.Hwmn": [[156, 184]], "Indicator: Win32/Trojan.9b5": [[185, 201]]}, "info": {"id": "cyner2_5class_train_07407", "source": "cyner2_5class_train"}} +{"text": "The SMS message with a link to a banker looked as follows : “ % USERNAME % , i send you prepayment gumtree [ .", "spans": {"Indicator: gumtree [ .": [[99, 110]]}, "info": {"id": "cyner2_5class_train_07408", "source": "cyner2_5class_train"}} +{"text": "Called “ DEFENSOR ID ” , the banking trojan was available on Google Play at the time of the analysis .", "spans": {"Malware: DEFENSOR ID": [[9, 20]], "System: Google Play": [[61, 72]]}, "info": {"id": "cyner2_5class_train_07409", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TSPY_MAJIKPOS.SMA Trojan.Majikpos TSPY_MAJIKPOS.SMA Trojan.DownLoader23.50404 W32/Trojan.QKOU-4044 Trojan.MSIL.Krypt.2 TrojanSpy:MSIL/Majikpos.A Spyware/Win32.Majikpos.C1861368 Trj/GdSda.A PUA.BrowseSmart Win32/Trojan.d60", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_MAJIKPOS.SMA": [[26, 43], [60, 77]], "Indicator: Trojan.Majikpos": [[44, 59]], "Indicator: Trojan.DownLoader23.50404": [[78, 103]], "Indicator: W32/Trojan.QKOU-4044": [[104, 124]], "Indicator: Trojan.MSIL.Krypt.2": [[125, 144]], "Indicator: TrojanSpy:MSIL/Majikpos.A": [[145, 170]], "Indicator: Spyware/Win32.Majikpos.C1861368": [[171, 202]], "Indicator: Trj/GdSda.A": [[203, 214]], "Indicator: PUA.BrowseSmart": [[215, 230]], "Indicator: Win32/Trojan.d60": [[231, 247]]}, "info": {"id": "cyner2_5class_train_07410", "source": "cyner2_5class_train"}} +{"text": "The DragonOK group has been actively launching attacks for years.", "spans": 
{"Organization: The DragonOK group": [[0, 18]], "Indicator: attacks": [[47, 54]]}, "info": {"id": "cyner2_5class_train_07411", "source": "cyner2_5class_train"}} +{"text": "non-Google Play ) app stores which often have fewer security and vetting procedures for the apps they host .", "spans": {"System: Play": [[11, 15]]}, "info": {"id": "cyner2_5class_train_07412", "source": "cyner2_5class_train"}} +{"text": "The infrastructure has several layers , although not being very dynamic , still has several layers each one providing some level of protection .", "spans": {}, "info": {"id": "cyner2_5class_train_07413", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameMITL.Trojan RDN/Downloader.a!vq Win32.Trojan.WisdomEyes.16070401.9500.9883 Trojan.FakeAV Trojan.DownLoad.41552 BehavesLike.Win32.Backdoor.ch Trojan.Win32.Redosdru Trojan/PSW.WOW.amc TrojanDownloader:Win32/Induiba.A Trojan.Heur.RP.EEBC2E Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameMITL.Trojan": [[26, 47]], "Indicator: RDN/Downloader.a!vq": [[48, 67]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9883": [[68, 110]], "Indicator: Trojan.FakeAV": [[111, 124]], "Indicator: Trojan.DownLoad.41552": [[125, 146]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[147, 176]], "Indicator: Trojan.Win32.Redosdru": [[177, 198]], "Indicator: Trojan/PSW.WOW.amc": [[199, 217]], "Indicator: TrojanDownloader:Win32/Induiba.A": [[218, 250]], "Indicator: Trojan.Heur.RP.EEBC2E": [[251, 272]], "Indicator: Trj/CI.A": [[273, 281]]}, "info": {"id": "cyner2_5class_train_07414", "source": "cyner2_5class_train"}} +{"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive 
dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting a command from the C & C server .", "spans": {}, "info": {"id": "cyner2_5class_train_07415", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Kargatroj!O Trojan.Kargatroj.Win32.5 BKDR_DEPPEELS.A Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.FYPB-4329 Backdoor.Kargatroj BKDR_DEPPEELS.A Win.Trojan.Kargatroj-5 Trojan.Win32.Kargatroj.a Trojan.Win32.Kargatroj.zribt Trojan.Win32.A.Kargatroj.288256 Trojan.Click2.18984 BehavesLike.Win32.Virus.dh Backdoor.Win32.IRCBot Trojan/Kargatroj.e WORM/Autorun.Agr.3 Trojan/Win32.Kargatroj Backdoor:Win32/Deppeels.A Trojan.Win32.Kargatroj.a Trojan/Win32.Kargatroj.R50492 Trojan.Kargatroj Trojan.Kargatroj!+VQ4l8zO8kI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Kargatroj!O": [[26, 50]], "Indicator: Trojan.Kargatroj.Win32.5": [[51, 75]], "Indicator: BKDR_DEPPEELS.A": [[76, 91], [175, 190]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[92, 134]], "Indicator: W32/Trojan.FYPB-4329": [[135, 155]], "Indicator: Backdoor.Kargatroj": [[156, 174]], "Indicator: Win.Trojan.Kargatroj-5": [[191, 213]], "Indicator: Trojan.Win32.Kargatroj.a": [[214, 238], [456, 480]], "Indicator: Trojan.Win32.Kargatroj.zribt": [[239, 267]], "Indicator: Trojan.Win32.A.Kargatroj.288256": [[268, 299]], "Indicator: Trojan.Click2.18984": [[300, 319]], "Indicator: BehavesLike.Win32.Virus.dh": [[320, 346]], "Indicator: Backdoor.Win32.IRCBot": [[347, 368]], "Indicator: Trojan/Kargatroj.e": [[369, 387]], "Indicator: WORM/Autorun.Agr.3": [[388, 406]], "Indicator: Trojan/Win32.Kargatroj": [[407, 429]], "Indicator: Backdoor:Win32/Deppeels.A": [[430, 455]], "Indicator: Trojan/Win32.Kargatroj.R50492": [[481, 510]], "Indicator: Trojan.Kargatroj": [[511, 527]], 
"Indicator: Trojan.Kargatroj!+VQ4l8zO8kI": [[528, 556]]}, "info": {"id": "cyner2_5class_train_07416", "source": "cyner2_5class_train"}} +{"text": "We refer to this utility as BOOTRASH.", "spans": {"Malware: BOOTRASH.": [[28, 37]]}, "info": {"id": "cyner2_5class_train_07417", "source": "cyner2_5class_train"}} +{"text": "Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations .", "spans": {}, "info": {"id": "cyner2_5class_train_07418", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.W.Fujack.lmEa Trojan.Dropper Win.Trojan.Packed-24 Trojan.Win32.Baidu.iidnc Trojan.Win32.A.PSW-Magania.1913020.A Trojan/Win32.Zegost Trojan.Zusy.D88F TrojanDropper:Win32/Demekaf.A Trojan.MalPack.NSPack Win32/TrojanDropper.Demekaf.A Trojan.Win32.Jorik W32/Obfuscated.AAAD!tr Win32/Trojan.4b9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.W.Fujack.lmEa": [[26, 43]], "Indicator: Trojan.Dropper": [[44, 58]], "Indicator: Win.Trojan.Packed-24": [[59, 79]], "Indicator: Trojan.Win32.Baidu.iidnc": [[80, 104]], "Indicator: Trojan.Win32.A.PSW-Magania.1913020.A": [[105, 141]], "Indicator: Trojan/Win32.Zegost": [[142, 161]], "Indicator: Trojan.Zusy.D88F": [[162, 178]], "Indicator: TrojanDropper:Win32/Demekaf.A": [[179, 208]], "Indicator: Trojan.MalPack.NSPack": [[209, 230]], "Indicator: Win32/TrojanDropper.Demekaf.A": [[231, 260]], "Indicator: Trojan.Win32.Jorik": [[261, 279]], "Indicator: W32/Obfuscated.AAAD!tr": [[280, 302]], "Indicator: Win32/Trojan.4b9": [[303, 319]]}, "info": {"id": "cyner2_5class_train_07419", "source": "cyner2_5class_train"}} +{"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices .", "spans": {"Organization: Check Point": [[4, 15]], 
"Malware: HummingBad": [[61, 71], [134, 144]], "Organization: Lookout": [[122, 129]], "Malware: Shedun": [[156, 162]]}, "info": {"id": "cyner2_5class_train_07420", "source": "cyner2_5class_train"}} +{"text": "We believe that it is the largest Google account breach to date , and we are working with Google to continue the investigation .", "spans": {"Malware: Google": [[34, 40]], "Organization: Google": [[90, 96]]}, "info": {"id": "cyner2_5class_train_07421", "source": "cyner2_5class_train"}} +{"text": "In most so-called Western versions of the Trojan , the package names in the default configuration file are erased .", "spans": {}, "info": {"id": "cyner2_5class_train_07422", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper/W32.Hirhir.2779437 TrojanDropper.Hirhir.20 Trojan/Dropper.Hirhir.20 Trojan-Dropper.Win32.Hirhir.20 Win32/TrojanDropper.Hirhir.20 W32/Hirhir.A Trojan.Dropper W32/Smalldrp.BTL Win32.Dropper.Hirhir Trojan.Dropper-1156 Trojan-Dropper.Win32.Hirhir.20 Trojan.Dropper.Hirhir.2.0 TrojWare.Win32.TrojanDropper.Hirhir.20 Trojan.Dropper.Hirhir.2.0 Trojan.MulDrop.1734 TR/Drop.Hirhir.20.5 TROJ_HIRHIR.20 Trojan.Drop.Hirhir.20.5 Win32/DigitalM.10 W32/Hirhir.A TrojanDropper.Dmexeb.10 Trojan-Dropper.Win32.Hirhir.20!IK TrojanDropper:Win32/Hirhir.2_0 Trojan.Win32.Hirhir.2164429 Trojan.Dropper.Hirhir.2.0 Dropper/Hirhir.11776 Win32.TrojanDropper.Hirhir.20 Trojan.DR.Hirhir.H Trojan.Dmexeb.10 Trojan-Dropper.Win32.Hirhir.20 W32/Hirhir.A!tr.dr Dropper.Hirhir Trj/Hirhir.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper/W32.Hirhir.2779437": [[26, 59]], "Indicator: TrojanDropper.Hirhir.20": [[60, 83]], "Indicator: Trojan/Dropper.Hirhir.20": [[84, 108]], "Indicator: Trojan-Dropper.Win32.Hirhir.20": [[109, 139], [256, 286], [718, 748]], "Indicator: Win32/TrojanDropper.Hirhir.20": [[140, 169]], "Indicator: W32/Hirhir.A": [[170, 182], [475, 487]], "Indicator: Trojan.Dropper": [[183, 197]], "Indicator: W32/Smalldrp.BTL": 
[[198, 214]], "Indicator: Win32.Dropper.Hirhir": [[215, 235]], "Indicator: Trojan.Dropper-1156": [[236, 255]], "Indicator: Trojan.Dropper.Hirhir.2.0": [[287, 312], [352, 377], [605, 630]], "Indicator: TrojWare.Win32.TrojanDropper.Hirhir.20": [[313, 351]], "Indicator: Trojan.MulDrop.1734": [[378, 397]], "Indicator: TR/Drop.Hirhir.20.5": [[398, 417]], "Indicator: TROJ_HIRHIR.20": [[418, 432]], "Indicator: Trojan.Drop.Hirhir.20.5": [[433, 456]], "Indicator: Win32/DigitalM.10": [[457, 474]], "Indicator: TrojanDropper.Dmexeb.10": [[488, 511]], "Indicator: Trojan-Dropper.Win32.Hirhir.20!IK": [[512, 545]], "Indicator: TrojanDropper:Win32/Hirhir.2_0": [[546, 576]], "Indicator: Trojan.Win32.Hirhir.2164429": [[577, 604]], "Indicator: Dropper/Hirhir.11776": [[631, 651]], "Indicator: Win32.TrojanDropper.Hirhir.20": [[652, 681]], "Indicator: Trojan.DR.Hirhir.H": [[682, 700]], "Indicator: Trojan.Dmexeb.10": [[701, 717]], "Indicator: W32/Hirhir.A!tr.dr": [[749, 767]], "Indicator: Dropper.Hirhir": [[768, 782]], "Indicator: Trj/Hirhir.A": [[783, 795]]}, "info": {"id": "cyner2_5class_train_07423", "source": "cyner2_5class_train"}} +{"text": "delivery : to deliver specified text to all victim ’ s contacts ( SMS worming ) .", "spans": {}, "info": {"id": "cyner2_5class_train_07424", "source": "cyner2_5class_train"}} +{"text": "Configuration file received from the C & C server As for stealth and resilience , the attacker uses a number of tricks .", "spans": {}, "info": {"id": "cyner2_5class_train_07425", "source": "cyner2_5class_train"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner2_5class_train_07426", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE TROJ_ZYX_BK083A77.TOMC Heur.Corrupt.PE TROJ_ZYX_BK083A77.TOMC Trojan-Downloader.Win32.Vorloma TrojanDownloader:Win32/Vorloma.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: TROJ_ZYX_BK083A77.TOMC": [[48, 70], [87, 109]], 
"Indicator: Heur.Corrupt.PE": [[71, 86]], "Indicator: Trojan-Downloader.Win32.Vorloma": [[110, 141]], "Indicator: TrojanDownloader:Win32/Vorloma.A": [[142, 174]]}, "info": {"id": "cyner2_5class_train_07427", "source": "cyner2_5class_train"}} +{"text": "This very first step fails in Android 7.0 and higher , even with a root permission .", "spans": {"System: Android 7.0": [[30, 41]]}, "info": {"id": "cyner2_5class_train_07428", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: PE:Trojan.Win32.Xcomp.a!1075128424 Heur.Packed.MultiPacked DDoS.Rincux Backdoor.Httpbot.Win32.799 BehavesLike.Win32.Trojan.cz Backdoor:Win32/Luder.H Trojan/Win32.Injector Virus.Win32.Heur.c Trj/CI.A Packed.Win32.PolyCrypt Trojan.Win32.Downloader.aC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PE:Trojan.Win32.Xcomp.a!1075128424": [[26, 60]], "Indicator: Heur.Packed.MultiPacked": [[61, 84]], "Indicator: DDoS.Rincux": [[85, 96]], "Indicator: Backdoor.Httpbot.Win32.799": [[97, 123]], "Indicator: BehavesLike.Win32.Trojan.cz": [[124, 151]], "Indicator: Backdoor:Win32/Luder.H": [[152, 174]], "Indicator: Trojan/Win32.Injector": [[175, 196]], "Indicator: Virus.Win32.Heur.c": [[197, 215]], "Indicator: Trj/CI.A": [[216, 224]], "Indicator: Packed.Win32.PolyCrypt": [[225, 247]], "Indicator: Trojan.Win32.Downloader.aC": [[248, 274]]}, "info": {"id": "cyner2_5class_train_07429", "source": "cyner2_5class_train"}} +{"text": "The specific points of connection between these new samples and Operation Blockbuster include: payloads delivered by the macros discussed in Operation Blockbuster Sequel", "spans": {"Malware: payloads": [[95, 103]], "Malware: macros": [[121, 127]]}, "info": {"id": "cyner2_5class_train_07430", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.ADH.2 Win.Trojan.Mediyes-1761 Trojan.Hosts.5806 Trojan.VBCRTD.Win32.7945 Trojan:Win32/Mediyes.C Trojan.Pirminay Trojan.Win32.Mediyes", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.ADH.2": [[26, 38]], "Indicator: Win.Trojan.Mediyes-1761": [[39, 62]], "Indicator: Trojan.Hosts.5806": [[63, 80]], "Indicator: Trojan.VBCRTD.Win32.7945": [[81, 105]], "Indicator: Trojan:Win32/Mediyes.C": [[106, 128]], "Indicator: Trojan.Pirminay": [[129, 144]], "Indicator: Trojan.Win32.Mediyes": [[145, 165]]}, "info": {"id": "cyner2_5class_train_07431", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Aimaster.A Backdoor/W32.Aimaster.49152 Backdoor.Aimmaster Backdoor.RAT.Aimaster Backdoor.Trojan Win32/Aimaster.A BKDR_AIMASTER.A Win.Trojan.Aimaster-4 Backdoor.Win32.Aimaster Backdoor.Aimaster.A Trojan.Win32.Aimaster-Bd.fdhc Win32.Backdoor.Aimaster.Ahyt Backdoor.Aimaster.A Backdoor.Win32.Aimaster.A Backdoor.Aimaster.A BackDoor.Master.10 BackDoor-XT.svr W32/Risk.FHHV-3782 BDS/Aimaster.B W32/Aimaste.A!tr.bdr Trojan[Backdoor]/Win32.Aimaster Backdoor.Aimaster.A Backdoor.W32.Aimaster!c Backdoor.Win32.Aimaster Trojan/Win32.Aimaster.C662411 BackDoor-XT.svr Backdoor.Aimaster Backdoor.Aimaster!2o1TvHIl4Fg Backdoor.Aimaster.A Win32/Backdoor.IM.d95", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Aimaster.A": [[26, 45], [210, 229], [289, 308], [335, 354], [477, 496], [639, 658]], "Indicator: Backdoor/W32.Aimaster.49152": [[46, 73]], "Indicator: Backdoor.Aimmaster": [[74, 92]], "Indicator: Backdoor.RAT.Aimaster": [[93, 114]], "Indicator: Backdoor.Trojan": [[115, 130]], "Indicator: Win32/Aimaster.A": [[131, 147]], "Indicator: BKDR_AIMASTER.A": [[148, 163]], "Indicator: Win.Trojan.Aimaster-4": [[164, 185]], "Indicator: Backdoor.Win32.Aimaster": [[186, 209], [521, 544]], "Indicator: Trojan.Win32.Aimaster-Bd.fdhc": [[230, 259]], "Indicator: Win32.Backdoor.Aimaster.Ahyt": [[260, 288]], "Indicator: Backdoor.Win32.Aimaster.A": [[309, 334]], "Indicator: BackDoor.Master.10": [[355, 373]], "Indicator: BackDoor-XT.svr": [[374, 389], [575, 590]], "Indicator: W32/Risk.FHHV-3782": [[390, 408]], "Indicator: BDS/Aimaster.B": [[409, 423]], 
"Indicator: W32/Aimaste.A!tr.bdr": [[424, 444]], "Indicator: Trojan[Backdoor]/Win32.Aimaster": [[445, 476]], "Indicator: Backdoor.W32.Aimaster!c": [[497, 520]], "Indicator: Trojan/Win32.Aimaster.C662411": [[545, 574]], "Indicator: Backdoor.Aimaster": [[591, 608]], "Indicator: Backdoor.Aimaster!2o1TvHIl4Fg": [[609, 638]], "Indicator: Win32/Backdoor.IM.d95": [[659, 680]]}, "info": {"id": "cyner2_5class_train_07432", "source": "cyner2_5class_train"}} +{"text": "The data available in the leaked Hacking Team files provides circumstantial evidence pointing to an interest in compromising individuals with ties to South Korea i.e., Korean language speakers who use software or apps popular in South Korea, or South Korean editions of Samsung phones.", "spans": {"Organization: Hacking Team": [[33, 45]], "Indicator: compromising individuals": [[112, 136]], "System: software": [[201, 209]], "System: apps": [[213, 217]], "System: Samsung phones.": [[270, 285]]}, "info": {"id": "cyner2_5class_train_07433", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Amitis.827392 Backdoor.Amitis!GgBFlh0m/G4 W32/Amitis.MXVV-8538 Backdoor.Amitis Win32/Amitis.13 BKDR_AMITIS.B Trojan.Amitis.13-B Backdoor.Win32.Amitis.13 Trojan.Win32.Amitis.dbhy Backdoor.Win32.S.Amitis.827392.A[h] Backdoor.W32.Amitis.13!c Backdoor.Win32.Amitis.13 BackDoor.Amitist.13 Backdoor.Amitis.Win32.17 BKDR_AMITIS.B BehavesLike.Win32.Downloader.ch W32/Amitis.N@bd Backdoor/Amitis.p W32/Amitis.C!tr Trojan[Backdoor]/Win32.Amitis Win-Trojan/Amitis.827392 Backdoor:Win32/Amitis.1_3 Win32/Amitis.13 Backdoor.Amitis Win32.Backdoor.Amitis.Akfc Backdoor.Win32.Amitis BackDoor.Amitis.G Backdoor.Win32.Amitis.13", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Amitis.827392": [[26, 52]], "Indicator: Backdoor.Amitis!GgBFlh0m/G4": [[53, 80]], "Indicator: W32/Amitis.MXVV-8538": [[81, 101]], "Indicator: Backdoor.Amitis": [[102, 117], [541, 556]], "Indicator: Win32/Amitis.13": [[118, 133], 
[525, 540]], "Indicator: BKDR_AMITIS.B": [[134, 147], [348, 361]], "Indicator: Trojan.Amitis.13-B": [[148, 166]], "Indicator: Backdoor.Win32.Amitis.13": [[167, 191], [278, 302], [624, 648]], "Indicator: Trojan.Win32.Amitis.dbhy": [[192, 216]], "Indicator: Backdoor.Win32.S.Amitis.827392.A[h]": [[217, 252]], "Indicator: Backdoor.W32.Amitis.13!c": [[253, 277]], "Indicator: BackDoor.Amitist.13": [[303, 322]], "Indicator: Backdoor.Amitis.Win32.17": [[323, 347]], "Indicator: BehavesLike.Win32.Downloader.ch": [[362, 393]], "Indicator: W32/Amitis.N@bd": [[394, 409]], "Indicator: Backdoor/Amitis.p": [[410, 427]], "Indicator: W32/Amitis.C!tr": [[428, 443]], "Indicator: Trojan[Backdoor]/Win32.Amitis": [[444, 473]], "Indicator: Win-Trojan/Amitis.827392": [[474, 498]], "Indicator: Backdoor:Win32/Amitis.1_3": [[499, 524]], "Indicator: Win32.Backdoor.Amitis.Akfc": [[557, 583]], "Indicator: Backdoor.Win32.Amitis": [[584, 605]], "Indicator: BackDoor.Amitis.G": [[606, 623]]}, "info": {"id": "cyner2_5class_train_07434", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Patcher Backdoor.RBot.Win32.54805 Troj.GameThief.W32.Magania.lHhM Multi.Threats.InArchive W32.Pilleuz Win.Worm.Mytob-399 Trojan.Win32.Rbot.bhwabq Heur.Packed.Unknown Win32.HLLW.MyBot.based Trojan[Backdoor]/Win32.Rbot Trojan/Win32.Malco.R7515 Trj/CI.A Win32.Viking.BJ Backdoor.Win32.Rbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Patcher": [[26, 42]], "Indicator: Backdoor.RBot.Win32.54805": [[43, 68]], "Indicator: Troj.GameThief.W32.Magania.lHhM": [[69, 100]], "Indicator: Multi.Threats.InArchive": [[101, 124]], "Indicator: W32.Pilleuz": [[125, 136]], "Indicator: Win.Worm.Mytob-399": [[137, 155]], "Indicator: Trojan.Win32.Rbot.bhwabq": [[156, 180]], "Indicator: Heur.Packed.Unknown": [[181, 200]], "Indicator: Win32.HLLW.MyBot.based": [[201, 223]], "Indicator: Trojan[Backdoor]/Win32.Rbot": [[224, 251]], "Indicator: Trojan/Win32.Malco.R7515": [[252, 276]], "Indicator: 
Trj/CI.A": [[277, 285]], "Indicator: Win32.Viking.BJ": [[286, 301]], "Indicator: Backdoor.Win32.Rbot": [[302, 321]]}, "info": {"id": "cyner2_5class_train_07435", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Mlw.ewdlbx TR/Dropper.lusig Trojan.Win32.Eightow Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Mlw.ewdlbx": [[26, 49]], "Indicator: TR/Dropper.lusig": [[50, 66]], "Indicator: Trojan.Win32.Eightow": [[67, 87]], "Indicator: Trj/CI.A": [[88, 96]]}, "info": {"id": "cyner2_5class_train_07436", "source": "cyner2_5class_train"}} +{"text": "Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability.", "spans": {"Malware: Orcus": [[7, 12]], "Malware: RAT malware,": [[45, 57]], "System: architecture": [[121, 133]]}, "info": {"id": "cyner2_5class_train_07437", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Worm.SdDrop.C Worm.Sddrop W32/Sddrop.worm.c!p2p Win32.Worm.SdDrop.C Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Kwbot.Worm Unix.Tool.IRC-1 Win32.Worm.SdDrop.C P2P-Worm.Win32.SdDrop.c Win32.Worm.SdDrop.C Trojan.Win32.SdDrop.entp W32.W.SdDrop.c!c Win32.Worm.SdDrop.C Win32.Worm.SdDrop.C Win32.SdDrop.3 Worm.SdDrop.Win32.21 W32/Sddrop.worm.c!p2p Backdoor.Win32.SdBot I-Worm/P2P.SdDrop.c BDS/Sdbot.AA Worm[P2P]/Win32.SdDrop Worm:Win32/Sddrop.C P2P-Worm.Win32.SdDrop.c Trojan/Win32.HDC.C38855 Win32.Worm.SdDrop.C Backdoor.Sdbot Trj/CI.A Worm.SdDrop Win32/Sddrop.C Win32.Worm-p2p.Sddrop.Lknd Worm.P2P.SdDrop!LrfriCz8zKY W32/KWBot.E!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Worm.SdDrop.C": [[26, 45], [80, 99], [174, 193], [218, 237], [280, 299], [300, 319], [523, 542]], "Indicator: Worm.Sddrop": [[46, 57]], "Indicator: W32/Sddrop.worm.c!p2p": [[58, 79], [356, 377]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[100, 142]], "Indicator: 
W32.Kwbot.Worm": [[143, 157]], "Indicator: Unix.Tool.IRC-1": [[158, 173]], "Indicator: P2P-Worm.Win32.SdDrop.c": [[194, 217], [475, 498]], "Indicator: Trojan.Win32.SdDrop.entp": [[238, 262]], "Indicator: W32.W.SdDrop.c!c": [[263, 279]], "Indicator: Win32.SdDrop.3": [[320, 334]], "Indicator: Worm.SdDrop.Win32.21": [[335, 355]], "Indicator: Backdoor.Win32.SdBot": [[378, 398]], "Indicator: I-Worm/P2P.SdDrop.c": [[399, 418]], "Indicator: BDS/Sdbot.AA": [[419, 431]], "Indicator: Worm[P2P]/Win32.SdDrop": [[432, 454]], "Indicator: Worm:Win32/Sddrop.C": [[455, 474]], "Indicator: Trojan/Win32.HDC.C38855": [[499, 522]], "Indicator: Backdoor.Sdbot": [[543, 557]], "Indicator: Trj/CI.A": [[558, 566]], "Indicator: Worm.SdDrop": [[567, 578]], "Indicator: Win32/Sddrop.C": [[579, 593]], "Indicator: Win32.Worm-p2p.Sddrop.Lknd": [[594, 620]], "Indicator: Worm.P2P.SdDrop!LrfriCz8zKY": [[621, 648]], "Indicator: W32/KWBot.E!worm": [[649, 665]]}, "info": {"id": "cyner2_5class_train_07438", "source": "cyner2_5class_train"}} +{"text": "Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file.", "spans": {"Organization: FortiGuard Labs research team": [[14, 43]], "Malware: new variant of Poison Ivy": [[60, 85]], "Indicator: compromised PowerPoint file.": [[113, 141]]}, "info": {"id": "cyner2_5class_train_07439", "source": "cyner2_5class_train"}} +{"text": "Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple.", "spans": {"Malware: YiSpecter": [[28, 37]], "System: jailbroken": [[58, 68]], "System: non-jailbroken iPhones": [[73, 95]], "Organization: Apple.": [[147, 153]]}, "info": {"id": "cyner2_5class_train_07440", "source": "cyner2_5class_train"}} +{"text": "This particular case is not an exception .", "spans": {}, "info": {"id": "cyner2_5class_train_07441", "source": "cyner2_5class_train"}} +{"text": "send 
funds via a wire transfer ) .", "spans": {}, "info": {"id": "cyner2_5class_train_07442", "source": "cyner2_5class_train"}} +{"text": "The campaign operated out of handful of IPs, but we ended up finding in excess of 80K malicious subdomains associated with more than 500 domains leveraging various registrant accounts.", "spans": {"Indicator: IPs,": [[40, 44]], "Indicator: malicious subdomains": [[86, 106]], "Indicator: 500 domains": [[133, 144]]}, "info": {"id": "cyner2_5class_train_07443", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Udsdangerousobject.Multi TROJ_DLOADR.YLP TROJ_DLOADR.YLP Trojan.Win32.Dwn.dcbaru Trojan.Win32.Z.Tapaoux.49152 Trojan.DownLoader11.19325 W32/Trojan.FALA-2329 TR/Rogue.icdl Trojan.DownLoader! Trojan.Rogue", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Udsdangerousobject.Multi": [[26, 50]], "Indicator: TROJ_DLOADR.YLP": [[51, 66], [67, 82]], "Indicator: Trojan.Win32.Dwn.dcbaru": [[83, 106]], "Indicator: Trojan.Win32.Z.Tapaoux.49152": [[107, 135]], "Indicator: Trojan.DownLoader11.19325": [[136, 161]], "Indicator: W32/Trojan.FALA-2329": [[162, 182]], "Indicator: TR/Rogue.icdl": [[183, 196]], "Indicator: Trojan.DownLoader!": [[197, 215]], "Indicator: Trojan.Rogue": [[216, 228]]}, "info": {"id": "cyner2_5class_train_07444", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.MSIL.Bladabindi.1 Win32.Trojan.WisdomEyes.16070401.9500.9922 Trojan.Win32.Bladabindi.etjjte Trojan.Win32.Z.Clicker.90624 Trojan.Win32.Clicker!BT BehavesLike.Win32.PWSZbot.mm Trojan.Win32.Clicker!BT Trj/Chgt.O Win32.Outbreak", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.Bladabindi.1": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9922": [[51, 93]], "Indicator: Trojan.Win32.Bladabindi.etjjte": [[94, 124]], "Indicator: Trojan.Win32.Z.Clicker.90624": [[125, 153]], "Indicator: Trojan.Win32.Clicker!BT": [[154, 177], [207, 230]], "Indicator: BehavesLike.Win32.PWSZbot.mm": [[178, 
206]], "Indicator: Trj/Chgt.O": [[231, 241]], "Indicator: Win32.Outbreak": [[242, 256]]}, "info": {"id": "cyner2_5class_train_07445", "source": "cyner2_5class_train"}} +{"text": "The most popular member of the Android/AdDisplay.Ashas family on Google Play was “ Video downloader master ” with over five million downloads Ashas functionality All the apps provide the functionality they promise , besides working as adware .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[31, 61]], "System: Google Play": [[65, 76]], "Malware: Ashas": [[142, 147]]}, "info": {"id": "cyner2_5class_train_07446", "source": "cyner2_5class_train"}} +{"text": "If any application from that list was found , it utilizes the Janus vulnerability to inject the “ boot ” module into the repacked application .", "spans": {"Vulnerability: Janus": [[62, 67]]}, "info": {"id": "cyner2_5class_train_07447", "source": "cyner2_5class_train"}} +{"text": "The file size of the malware is mostly around ~50Kb, as you can see from the list of sample hashes at the end of this report.", "spans": {"Indicator: file size": [[4, 13]], "Malware: malware": [[21, 28]], "Indicator: ~50Kb,": [[46, 52]], "Malware: sample": [[85, 91]], "Indicator: hashes": [[92, 98]]}, "info": {"id": "cyner2_5class_train_07448", "source": "cyner2_5class_train"}} +{"text": "C2 Communication The C2 communication includes two parts : sending information to the remote HTTP server and parsing the server ’ s response to execute any commands as instructed by the remote attackers .", "spans": {}, "info": {"id": "cyner2_5class_train_07449", "source": "cyner2_5class_train"}} +{"text": "For this purpose , the app receives from the C & C server the isGoogleIp flag , which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers .", "spans": {}, "info": {"id": "cyner2_5class_train_07450", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.YahooPass.Spyware 
Backdoor.Win32.Bredavi!O Backdoor.Bredavi.Win32.215 Backdoor.W32.Bredavi.kYWA Backdoor/Bredavi.le Win32.Trojan-PSW.Yahoo.a Backdoor.Trojan Win32/Bredolab.PS Win.Trojan.Bredolab-1635 Trojan.Win32.Krap.ihir Backdoor.Win32.Bredavi.348960 Application.Win32.Adware.Superjuan.~JAJ Trojan.BhoSpy.97 Trojan.Win32.Glecia Backdoor/Bredavi.bf BDS/Glecia.A Trojan[Backdoor]/Win32.Bredavi Adware.Heur.E51E88 Trojan/Win32.Bredavi.C83160 Backdoor.Bredavi Trj/Sinowal.WNX Win32/PSW.YahooPass.NAD", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.YahooPass.Spyware": [[26, 47]], "Indicator: Backdoor.Win32.Bredavi!O": [[48, 72]], "Indicator: Backdoor.Bredavi.Win32.215": [[73, 99]], "Indicator: Backdoor.W32.Bredavi.kYWA": [[100, 125]], "Indicator: Backdoor/Bredavi.le": [[126, 145]], "Indicator: Win32.Trojan-PSW.Yahoo.a": [[146, 170]], "Indicator: Backdoor.Trojan": [[171, 186]], "Indicator: Win32/Bredolab.PS": [[187, 204]], "Indicator: Win.Trojan.Bredolab-1635": [[205, 229]], "Indicator: Trojan.Win32.Krap.ihir": [[230, 252]], "Indicator: Backdoor.Win32.Bredavi.348960": [[253, 282]], "Indicator: Application.Win32.Adware.Superjuan.~JAJ": [[283, 322]], "Indicator: Trojan.BhoSpy.97": [[323, 339]], "Indicator: Trojan.Win32.Glecia": [[340, 359]], "Indicator: Backdoor/Bredavi.bf": [[360, 379]], "Indicator: BDS/Glecia.A": [[380, 392]], "Indicator: Trojan[Backdoor]/Win32.Bredavi": [[393, 423]], "Indicator: Adware.Heur.E51E88": [[424, 442]], "Indicator: Trojan/Win32.Bredavi.C83160": [[443, 470]], "Indicator: Backdoor.Bredavi": [[471, 487]], "Indicator: Trj/Sinowal.WNX": [[488, 503]], "Indicator: Win32/PSW.YahooPass.NAD": [[504, 527]]}, "info": {"id": "cyner2_5class_train_07451", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Email-Worm.Win32.Scano!O W32/Scano.bm WORM_SCANO.BT Win32.Worm.Scano.a W32.Areses.P@mm WORM_SCANO.BT Win.Worm.Scano-70 Email-Worm.Win32.Scano.bm Trojan.Win32.LdPinch.fmye I-Worm.Win32.A.Scano.105231 W32.W.Otwycal.l7h6 Win32.HLLM.Perf 
Worm.Scano.Win32.69 BehavesLike.Win32.Autorun.cm Email-Worm.Win32.Scano Worm/Scano.at W32.Worm.Areses Worm[Email]/Win32.Scano Email-Worm.Win32.Scano.bm Worm/Win32.Scano.R1851 BScope.Trojan-Dropper.Injector Win32/Scano.BM I-Worm.Scano!zrLOU/XMrws W32/Scano.AA@mm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Email-Worm.Win32.Scano!O": [[26, 50]], "Indicator: W32/Scano.bm": [[51, 63]], "Indicator: WORM_SCANO.BT": [[64, 77], [113, 126]], "Indicator: Win32.Worm.Scano.a": [[78, 96]], "Indicator: W32.Areses.P@mm": [[97, 112]], "Indicator: Win.Worm.Scano-70": [[127, 144]], "Indicator: Email-Worm.Win32.Scano.bm": [[145, 170], [386, 411]], "Indicator: Trojan.Win32.LdPinch.fmye": [[171, 196]], "Indicator: I-Worm.Win32.A.Scano.105231": [[197, 224]], "Indicator: W32.W.Otwycal.l7h6": [[225, 243]], "Indicator: Win32.HLLM.Perf": [[244, 259]], "Indicator: Worm.Scano.Win32.69": [[260, 279]], "Indicator: BehavesLike.Win32.Autorun.cm": [[280, 308]], "Indicator: Email-Worm.Win32.Scano": [[309, 331]], "Indicator: Worm/Scano.at": [[332, 345]], "Indicator: W32.Worm.Areses": [[346, 361]], "Indicator: Worm[Email]/Win32.Scano": [[362, 385]], "Indicator: Worm/Win32.Scano.R1851": [[412, 434]], "Indicator: BScope.Trojan-Dropper.Injector": [[435, 465]], "Indicator: Win32/Scano.BM": [[466, 480]], "Indicator: I-Worm.Scano!zrLOU/XMrws": [[481, 505]], "Indicator: W32/Scano.AA@mm": [[506, 521]]}, "info": {"id": "cyner2_5class_train_07452", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9969 Trojan.Win32.Fsysna.eqvl Trojan.Win32.Z.Strictor.607232.C Trojan.MulDrop7.49159 Trojan.Fsysna.Win32.15357 Trojan.MSIL.Spy TrojanSpy:MSIL/Logadat.A Trojan.Win32.Fsysna.eqvl Trojan.Fsysna Trj/GdSda.A Win32.Trojan.Fsysna.Lqym", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Fsysna": [[26, 39], [255, 268]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[40, 82]], "Indicator: Trojan.Win32.Fsysna.eqvl": [[83, 
107], [230, 254]], "Indicator: Trojan.Win32.Z.Strictor.607232.C": [[108, 140]], "Indicator: Trojan.MulDrop7.49159": [[141, 162]], "Indicator: Trojan.Fsysna.Win32.15357": [[163, 188]], "Indicator: Trojan.MSIL.Spy": [[189, 204]], "Indicator: TrojanSpy:MSIL/Logadat.A": [[205, 229]], "Indicator: Trj/GdSda.A": [[269, 280]], "Indicator: Win32.Trojan.Fsysna.Lqym": [[281, 305]]}, "info": {"id": "cyner2_5class_train_07453", "source": "cyner2_5class_train"}} +{"text": "The report includes extra detail to help potential targets recognize similar attacks.", "spans": {}, "info": {"id": "cyner2_5class_train_07454", "source": "cyner2_5class_train"}} +{"text": "ThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omniprescent Wekby threat actors a/k/a TG-0416, APT-18, Dynamite Panda.", "spans": {"Organization: ThreatStream Labs": [[0, 17]]}, "info": {"id": "cyner2_5class_train_07455", "source": "cyner2_5class_train"}} +{"text": "All of the other IP address we discovered sharing the same TLS certificate behave in the same way .", "spans": {}, "info": {"id": "cyner2_5class_train_07456", "source": "cyner2_5class_train"}} +{"text": "Adding this extra layer of filtering may help the group focus on targets of interest and evade detection due to use of known malware.", "spans": {"Malware: malware.": [[125, 133]]}, "info": {"id": "cyner2_5class_train_07457", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M.Downloader TROJ_CVE201711882.E Exploit.Xml.CVE-2017-0199.equmby Xml.Exploit.Cve!c TROJ_CVE201711882.E Malicious_Behavior.SB DOC.S.Exploit.11442 XML/Dloader.S1 Exploit.CVE-2017-0199 XML.Exploit.CVE-2017-0199.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader": [[26, 41]], "Indicator: TROJ_CVE201711882.E": [[42, 61], [113, 132]], "Indicator: Exploit.Xml.CVE-2017-0199.equmby": [[62, 94]], "Indicator: Xml.Exploit.Cve!c": [[95, 112]], "Indicator: Malicious_Behavior.SB": [[133, 154]], "Indicator: 
DOC.S.Exploit.11442": [[155, 174]], "Indicator: XML/Dloader.S1": [[175, 189]], "Indicator: Exploit.CVE-2017-0199": [[190, 211]], "Indicator: XML.Exploit.CVE-2017-0199.E": [[212, 239]]}, "info": {"id": "cyner2_5class_train_07458", "source": "cyner2_5class_train"}} +{"text": "Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans .", "spans": {}, "info": {"id": "cyner2_5class_train_07459", "source": "cyner2_5class_train"}} +{"text": "It was a standalone utility with the name HDD Rootkit for planting a bootkit on a computer.", "spans": {"System: standalone utility": [[9, 27]], "Indicator: name HDD Rootkit": [[37, 53]], "Malware: bootkit": [[69, 76]], "System: computer.": [[82, 91]]}, "info": {"id": "cyner2_5class_train_07460", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32/Goft.B Trojan.Win32.cvrsqp.eaqdwq Trojan.MyRunner BehavesLike.Win32.PWSZbot.nc Virus.Win32.AA Trojan/PSW.QQPass.fx Trojan/Win32.QQTail.R5474", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32/Goft.B": [[26, 38]], "Indicator: Trojan.Win32.cvrsqp.eaqdwq": [[39, 65]], "Indicator: Trojan.MyRunner": [[66, 81]], "Indicator: BehavesLike.Win32.PWSZbot.nc": [[82, 110]], "Indicator: Virus.Win32.AA": [[111, 125]], "Indicator: Trojan/PSW.QQPass.fx": [[126, 146]], "Indicator: Trojan/Win32.QQTail.R5474": [[147, 172]]}, "info": {"id": "cyner2_5class_train_07461", "source": "cyner2_5class_train"}} +{"text": "It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.", "spans": {"Malware: remote access tool:": [[59, 78]]}, "info": {"id": "cyner2_5class_train_07462", "source": "cyner2_5class_train"}} +{"text": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET Detected by Trend Micro as JS_POWMET.DE, which arrives via an autostart 
registry procedure.", "spans": {"Malware: fileless malware": [[28, 44]], "Malware: new trojan": [[108, 118]], "Malware: JS_POWMET": [[128, 137]], "Organization: Trend Micro": [[150, 161]], "Indicator: JS_POWMET.DE,": [[165, 178]], "Indicator: an autostart registry procedure.": [[197, 229]]}, "info": {"id": "cyner2_5class_train_07463", "source": "cyner2_5class_train"}} +{"text": "As you can see in the sample list below, this means that many school employees will have received this spam, as K-12 schools very commonly use .us domain names.", "spans": {"Organization: school employees": [[62, 78]], "Malware: spam,": [[103, 108]], "Indicator: K-12 schools": [[112, 124]], "Indicator: use .us domain names.": [[139, 160]]}, "info": {"id": "cyner2_5class_train_07464", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R W32/Virut.AM Win32/Virut.17408 Trojan.Scar PE_VIRUX.R Win.Trojan.Virtob-1456 Win32.Virus.Virut.U Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.qh W32/Virut.AM Virus/Win32.Virut.ce Win32.Virut.dd.368640 W32.Virut.lqR9 Virus.Win32.Virut.ce Trojan:Win32/QHosts.BR Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Trojan.Win32.Downloader.toh Trojan.Win32.Scar Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: PE_VIRUX.R": [[73, 83], [127, 137]], "Indicator: W32/Virut.AM": [[84, 96], [311, 323]], "Indicator: Win32/Virut.17408": [[97, 114]], "Indicator: Trojan.Scar": [[115, 126]], "Indicator: Win.Trojan.Virtob-1456": [[138, 160]], "Indicator: Win32.Virus.Virut.U": [[161, 180]], "Indicator: Virus.Win32.Virut.ce": [[181, 201], [382, 402]], "Indicator: Virus.Win32.Virut.hpeg": [[202, 224]], "Indicator: Virus.Win32.Virut.CE": [[225, 245]], 
"Indicator: Win32.Virut.56": [[246, 260]], "Indicator: Virus.Virut.Win32.1938": [[261, 283]], "Indicator: BehavesLike.Win32.Virut.qh": [[284, 310]], "Indicator: Virus/Win32.Virut.ce": [[324, 344]], "Indicator: Win32.Virut.dd.368640": [[345, 366]], "Indicator: W32.Virut.lqR9": [[367, 381]], "Indicator: Trojan:Win32/QHosts.BR": [[403, 425]], "Indicator: Win32/Virut.F": [[426, 439]], "Indicator: Virus.Virut.14": [[440, 454]], "Indicator: W32/Sality.AO": [[455, 468]], "Indicator: Win32/Virut.NBP": [[469, 484]], "Indicator: Trojan.Win32.Downloader.toh": [[485, 512]], "Indicator: Trojan.Win32.Scar": [[513, 530]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[531, 561]]}, "info": {"id": "cyner2_5class_train_07465", "source": "cyner2_5class_train"}} +{"text": "Change server request The URL 's for the new server is obfuscated , preventing easy network identification .", "spans": {}, "info": {"id": "cyner2_5class_train_07466", "source": "cyner2_5class_train"}} +{"text": "This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists .", "spans": {"Organization: East Turkestan Islamic Party": [[44, 72]]}, "info": {"id": "cyner2_5class_train_07467", "source": "cyner2_5class_train"}} +{"text": "All of these attacks leveraged CVE-2014-4114 and were delivered via malicious Microsoft PowerPoint Slideshow files *.pps.", "spans": {"Indicator: attacks": [[13, 20]], "Indicator: CVE-2014-4114": [[31, 44]], "System: Microsoft PowerPoint Slideshow files": [[78, 114]], "Indicator: *.pps.": [[115, 121]]}, "info": {"id": "cyner2_5class_train_07468", "source": "cyner2_5class_train"}} +{"text": "Brambul and Joanap appear to be used to download extra payloads and carry out reconnaissance on infected computers.", "spans": {"Malware: Brambul": [[0, 7]], "Malware: Joanap": [[12, 18]], "Indicator: download extra payloads": [[40, 63]], "System: infected computers.": [[96, 115]]}, "info": 
{"id": "cyner2_5class_train_07469", "source": "cyner2_5class_train"}} +{"text": "] com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016 .", "spans": {"Malware: Poison Ivy": [[19, 29]], "Organization: Arbor Networks": [[132, 146]]}, "info": {"id": "cyner2_5class_train_07470", "source": "cyner2_5class_train"}} +{"text": "Then the app finds a process id value for the process it wants to inject with code .", "spans": {}, "info": {"id": "cyner2_5class_train_07471", "source": "cyner2_5class_train"}} +{"text": "] com hxxp : //mailsa-qaw [ .", "spans": {"Indicator: hxxp : //mailsa-qaw [ .": [[6, 29]]}, "info": {"id": "cyner2_5class_train_07472", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Packed.Win32.Tibs!O Worm.Zhelatin Trojan.Heur.RP.fqWcaaXp5um Win32.Trojan.WisdomEyes.16070401.9500.9882 W32/Trojan.LQOD-4441 Trojan.Dropper Email-Worm.Win32.Zhelatin.rn Trojan.Win32.Z.Zhelatin.88576 MalCrypt.Indus! 
Trojan.Spambot.2559 Email.Worm.W32!c Email-Worm.Win32.Zhelatin.rn Worm/Win32.Zhelatin.R38109 BScope.Trojan.Zhelatin.12 Trj/CI.A Win32/Nuwar.BH Win32.Worm-email.Zhelatin.Sxxs Worm.Win32.Nuwar Win32/Worm.Email-Worm.43d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.Tibs!O": [[26, 45]], "Indicator: Worm.Zhelatin": [[46, 59]], "Indicator: Trojan.Heur.RP.fqWcaaXp5um": [[60, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9882": [[87, 129]], "Indicator: W32/Trojan.LQOD-4441": [[130, 150]], "Indicator: Trojan.Dropper": [[151, 165]], "Indicator: Email-Worm.Win32.Zhelatin.rn": [[166, 194], [278, 306]], "Indicator: Trojan.Win32.Z.Zhelatin.88576": [[195, 224]], "Indicator: MalCrypt.Indus!": [[225, 240]], "Indicator: Trojan.Spambot.2559": [[241, 260]], "Indicator: Email.Worm.W32!c": [[261, 277]], "Indicator: Worm/Win32.Zhelatin.R38109": [[307, 333]], "Indicator: BScope.Trojan.Zhelatin.12": [[334, 359]], "Indicator: Trj/CI.A": [[360, 368]], "Indicator: Win32/Nuwar.BH": [[369, 383]], "Indicator: Win32.Worm-email.Zhelatin.Sxxs": [[384, 414]], "Indicator: Worm.Win32.Nuwar": [[415, 431]], "Indicator: Win32/Worm.Email-Worm.43d": [[432, 457]]}, "info": {"id": "cyner2_5class_train_07473", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58717 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58717 [ .": [[21, 63]]}, "info": {"id": "cyner2_5class_train_07474", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Rustock.NDU Backdoor.Win32.Rbot!O Backdoor.Rustock.NDU Backdoor.Rbot Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.TDBQ-4167 Backdoor.Rustock.B Win.Trojan.Crypt-278 Backdoor.Rustock.NDU Backdoor.Win32.Rbot.szn Backdoor.Rustock.NDU Backdoor.Win32.A.Rbot.70656.J Backdoor.Rustock.NDU Backdoor.Rustock.NDU Trojan.Fakealert.33205 BehavesLike.Win32.Downloader.kt Rootkit.KernelBot.m TR/Tiny.705 Backdoor.Rustock.NDU Backdoor.Win32.Rbot.szn 
Trojan:Win32/Silentbanker.B Worm/Win32.IRCBot.C36854 Backdoor.Rbot Trj/CI.A Win32.Backdoor.Rbot.Aiik Virus.Win32.Virut.n W32/RBot.SZN!tr.bdr Win32/Backdoor.0a5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Rustock.NDU": [[26, 46], [69, 89], [208, 228], [253, 273], [304, 324], [325, 345], [433, 453]], "Indicator: Backdoor.Win32.Rbot!O": [[47, 68]], "Indicator: Backdoor.Rbot": [[90, 103], [531, 544]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[104, 146]], "Indicator: W32/Trojan.TDBQ-4167": [[147, 167]], "Indicator: Backdoor.Rustock.B": [[168, 186]], "Indicator: Win.Trojan.Crypt-278": [[187, 207]], "Indicator: Backdoor.Win32.Rbot.szn": [[229, 252], [454, 477]], "Indicator: Backdoor.Win32.A.Rbot.70656.J": [[274, 303]], "Indicator: Trojan.Fakealert.33205": [[346, 368]], "Indicator: BehavesLike.Win32.Downloader.kt": [[369, 400]], "Indicator: Rootkit.KernelBot.m": [[401, 420]], "Indicator: TR/Tiny.705": [[421, 432]], "Indicator: Trojan:Win32/Silentbanker.B": [[478, 505]], "Indicator: Worm/Win32.IRCBot.C36854": [[506, 530]], "Indicator: Trj/CI.A": [[545, 553]], "Indicator: Win32.Backdoor.Rbot.Aiik": [[554, 578]], "Indicator: Virus.Win32.Virut.n": [[579, 598]], "Indicator: W32/RBot.SZN!tr.bdr": [[599, 618]], "Indicator: Win32/Backdoor.0a5": [[619, 637]]}, "info": {"id": "cyner2_5class_train_07475", "source": "cyner2_5class_train"}} +{"text": "During a recent United States Secret Service investigation, Trustwave encountered a new family of POS malware, that we named Punkey.", "spans": {"Organization: United States Secret Service": [[16, 44]], "Organization: Trustwave": [[60, 69]], "Malware: POS malware,": [[98, 110]], "Malware: Punkey.": [[125, 132]]}, "info": {"id": "cyner2_5class_train_07476", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.FakeAV.29696.H Backdoor.Ziyazo Trojan.Graftor.D21706 TROJ_FAKEAV.ORH Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan.B TROJ_FAKEAV.ORH Win.Trojan.Ziyazo-1 
Trojan.Win32.FakeAv.cuscpt Troj.W32.FakeAv.rxda!c Trojan.Fakealert.45728 Trojan.FakeAV.Win32.293288 BehavesLike.Win32.Backdoor.mc W32/Trojan.TSSV-1630 Trojan/Fakeav.blva Trojan/Win32.FakeAv Backdoor:Win32/Ziyazo.A Trojan/Win32.FakeAV.R94861 Trj/Dynamer.A Trojan.FakeAv!73pMuD6/3rE Trojan.Win32.FakeAV W32/FakeAv.RXDA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.FakeAV.29696.H": [[26, 51]], "Indicator: Backdoor.Ziyazo": [[52, 67]], "Indicator: Trojan.Graftor.D21706": [[68, 89]], "Indicator: TROJ_FAKEAV.ORH": [[90, 105], [167, 182]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[106, 148]], "Indicator: Backdoor.Trojan.B": [[149, 166]], "Indicator: Win.Trojan.Ziyazo-1": [[183, 202]], "Indicator: Trojan.Win32.FakeAv.cuscpt": [[203, 229]], "Indicator: Troj.W32.FakeAv.rxda!c": [[230, 252]], "Indicator: Trojan.Fakealert.45728": [[253, 275]], "Indicator: Trojan.FakeAV.Win32.293288": [[276, 302]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[303, 332]], "Indicator: W32/Trojan.TSSV-1630": [[333, 353]], "Indicator: Trojan/Fakeav.blva": [[354, 372]], "Indicator: Trojan/Win32.FakeAv": [[373, 392]], "Indicator: Backdoor:Win32/Ziyazo.A": [[393, 416]], "Indicator: Trojan/Win32.FakeAV.R94861": [[417, 443]], "Indicator: Trj/Dynamer.A": [[444, 457]], "Indicator: Trojan.FakeAv!73pMuD6/3rE": [[458, 483]], "Indicator: Trojan.Win32.FakeAV": [[484, 503]], "Indicator: W32/FakeAv.RXDA!tr": [[504, 522]]}, "info": {"id": "cyner2_5class_train_07477", "source": "cyner2_5class_train"}} +{"text": "Subsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains.", "spans": {"Indicator: C2 domains,": [[103, 114]], "Organization: Unit 42 researchers": [[115, 134]], "Indicator: control of multiple C2 domains.": [[155, 186]]}, "info": {"id": "cyner2_5class_train_07478", "source": "cyner2_5class_train"}} +{"text": "This library is used because it 
uses the only ( publicly known ) way to retrieve this information on Android 6 ( using the process OOM score read from the /proc directory ) .", "spans": {"System: Android 6": [[101, 110]]}, "info": {"id": "cyner2_5class_train_07479", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Hacktool.Superscan Trojan.Win32.XFMP5368.dfvidz HackTool:Win32/SuperScan.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Superscan": [[26, 44]], "Indicator: Trojan.Win32.XFMP5368.dfvidz": [[45, 73]], "Indicator: HackTool:Win32/SuperScan.A": [[74, 100]]}, "info": {"id": "cyner2_5class_train_07480", "source": "cyner2_5class_train"}} +{"text": "Lurk was believed to have siphoned over $45 million from financial organizations, ultimately disrupting the victims' operations, reputation, and bottom line.", "spans": {"Organization: financial organizations,": [[57, 81]], "Organization: operations,": [[117, 128]]}, "info": {"id": "cyner2_5class_train_07481", "source": "cyner2_5class_train"}} +{"text": "While Empire RIG-E disappeared at the end of December after 4 months of activity on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.", "spans": {"Malware: Empire RIG-E": [[6, 18]], "Malware: at": [[31, 33]], "Malware: a new exploit kit": [[109, 126]], "Malware: Nebula": [[134, 140]]}, "info": {"id": "cyner2_5class_train_07482", "source": "cyner2_5class_train"}} +{"text": "A powerful threat actor known as Wild Neutron also known as Jripbot and Morpho has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.", "spans": {"Organization: high profile companies": [[126, 148]], "Malware: exploits, watering holes": [[193, 217]], "Malware: multi-platform malware.": [[222, 245]]}, "info": {"id": "cyner2_5class_train_07483", "source": "cyner2_5class_train"}} +{"text": "Extract the calls log .", "spans": {}, "info": {"id": 
"cyner2_5class_train_07484", "source": "cyner2_5class_train"}} +{"text": "Figure 4 .", "spans": {}, "info": {"id": "cyner2_5class_train_07485", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Hacktool.Pipecmd.B HackTool.Pipecmd Win32.HackTool.Pipecmd.a Application.Hacktool.Pipecmd.B Application.Hacktool.Pipecmd.B Application.Hacktool.Pipecmd.B Trojan.Starter.5008 BehavesLike.Win32.PUP.lc Application.Hacktool.Pipecmd.B Trojan/Win32.Inject.C500093", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.Pipecmd.B": [[26, 56], [99, 129], [130, 160], [161, 191], [237, 267]], "Indicator: HackTool.Pipecmd": [[57, 73]], "Indicator: Win32.HackTool.Pipecmd.a": [[74, 98]], "Indicator: Trojan.Starter.5008": [[192, 211]], "Indicator: BehavesLike.Win32.PUP.lc": [[212, 236]], "Indicator: Trojan/Win32.Inject.C500093": [[268, 295]]}, "info": {"id": "cyner2_5class_train_07486", "source": "cyner2_5class_train"}} +{"text": "Once installed , the application requests permissions so that it may control SMS messages and steal sensitive data on the device , as well as proliferate to other devices in the target device ’ s contact list .", "spans": {}, "info": {"id": "cyner2_5class_train_07487", "source": "cyner2_5class_train"}} +{"text": "Following a three-month hiatus, Emotet spam activities resumed in March 2023, when a botnet known as Epoch 4 began delivering malicious documents embedded in Zip files that were attached to the emails.", "spans": {"Malware: Emotet": [[32, 38]], "Indicator: spam activities": [[39, 54]], "Malware: botnet": [[85, 91]], "Malware: Epoch 4": [[101, 108]], "Indicator: malicious documents embedded": [[126, 154]], "Indicator: Zip files": [[158, 167]], "Indicator: the emails.": [[190, 201]]}, "info": {"id": "cyner2_5class_train_07488", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.Sage.S1609000 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.TNMG-4793 Ransom.Cry 
Trojan.Win32.Yakes.etrgag BehavesLike.Win32.Ramnit.fc TR/AD.MalwareCrypter.zdeue Trojan.Zusy.D3FCFB Trojan/Win32.Yakes.C2201035 Trojan.Yakes Trojan.Yakes!KiOJwMzaTlA", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Sage.S1609000": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[47, 89]], "Indicator: W32/Trojan.TNMG-4793": [[90, 110]], "Indicator: Ransom.Cry": [[111, 121]], "Indicator: Trojan.Win32.Yakes.etrgag": [[122, 147]], "Indicator: BehavesLike.Win32.Ramnit.fc": [[148, 175]], "Indicator: TR/AD.MalwareCrypter.zdeue": [[176, 202]], "Indicator: Trojan.Zusy.D3FCFB": [[203, 221]], "Indicator: Trojan/Win32.Yakes.C2201035": [[222, 249]], "Indicator: Trojan.Yakes": [[250, 262]], "Indicator: Trojan.Yakes!KiOJwMzaTlA": [[263, 287]]}, "info": {"id": "cyner2_5class_train_07489", "source": "cyner2_5class_train"}} +{"text": "Bots can use various methods to establish a line of communication between themselves and their command-and-control C C server.", "spans": {"Malware: Bots": [[0, 4]], "Indicator: line of communication": [[44, 65]], "Indicator: command-and-control C C server.": [[95, 126]]}, "info": {"id": "cyner2_5class_train_07490", "source": "cyner2_5class_train"}} +{"text": "Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud ; Cerberus is yet a new Trojan active in the wild ! 
Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329 Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications .", "spans": {"Malware: Cerberus": [[142, 150], [228, 236], [984, 992]], "System: Flash Player": [[300, 312], [403, 415], [507, 519], [607, 619], [712, 724], [819, 831]], "Indicator: com.uxlgtsvfdc.zipvwntdy": [[313, 337]], "Indicator: 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f": [[338, 402]], "Indicator: com.ognbsfhszj.hqpquokjdp": [[416, 441]], "Indicator: fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329": [[442, 506]], "Indicator: com.mwmnfwt.arhkrgajn": [[520, 541]], "Indicator: ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c": [[542, 606]], "Indicator: com.wogdjywtwq.oiofvpzpxyo": [[620, 646]], "Indicator: 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4": [[647, 711]], "Indicator: com.hvdnaiujzwo.fovzeukzywfr": [[725, 753]], "Indicator: cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b": [[754, 818]], "Indicator: com.gzhlubw.pmevdiexmn": [[832, 854]], "Indicator: 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63": [[855, 919]]}, "info": {"id": "cyner2_5class_train_07491", "source": "cyner2_5class_train"}} +{"text": "CVE-2015-5122 
was the second Adobe Flash zero-day revealed in the leak of HackingTeam's internal data.", "spans": {"Indicator: CVE-2015-5122": [[0, 13]], "System: Adobe Flash": [[29, 40]], "Vulnerability: zero-day": [[41, 49]], "Organization: HackingTeam's": [[74, 87]]}, "info": {"id": "cyner2_5class_train_07492", "source": "cyner2_5class_train"}} +{"text": "At the peak of procrastinators filing their taxes at the last minute, those who send in their tax forms are exactly the technically less-sophisticated users these kinds of campaigns target.", "spans": {}, "info": {"id": "cyner2_5class_train_07493", "source": "cyner2_5class_train"}} +{"text": "The same happens with the package squareup.otto , which is an open-source bus implementation focused on Android implementation .", "spans": {"Indicator: squareup.otto": [[34, 47]], "System: Android": [[104, 111]]}, "info": {"id": "cyner2_5class_train_07494", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Vesenlosow.1237156 Worm.Vesenlosow Worm.VB.Win32.13725 W32.W.Vesenlosow.luZW Trojan/VB.nzt WORM_VESENLO.SMA Win32.Worm.VB.m W32.Winiga WORM_VESENLO.SMA Trojan.Win32.Vesenlosow.bclidy Worm.Win32.A.Vesenlosow.909312 Trojan.MulDrop3.6950 BehavesLike.Win32.Rontokbro.tm Trojan.Win32.VB Worm/Vesenlosow.q WORM/VB.argu Trojan/Win32.VB Worm:Win32/Vesenlosow.A Trojan/Win32.VB.R46099 Trojan.Keylogger.1021 W32/Vobfus.GEP.worm Win32.Virut.NBP Win32/VB.NZT Win32.Worm.Vb.Akzk Worm.Win32.Msmm.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Vesenlosow.1237156": [[26, 53]], "Indicator: Worm.Vesenlosow": [[54, 69]], "Indicator: Worm.VB.Win32.13725": [[70, 89]], "Indicator: W32.W.Vesenlosow.luZW": [[90, 111]], "Indicator: Trojan/VB.nzt": [[112, 125]], "Indicator: WORM_VESENLO.SMA": [[126, 142], [170, 186]], "Indicator: Win32.Worm.VB.m": [[143, 158]], "Indicator: W32.Winiga": [[159, 169]], "Indicator: Trojan.Win32.Vesenlosow.bclidy": [[187, 217]], "Indicator: Worm.Win32.A.Vesenlosow.909312": [[218, 248]], 
"Indicator: Trojan.MulDrop3.6950": [[249, 269]], "Indicator: BehavesLike.Win32.Rontokbro.tm": [[270, 300]], "Indicator: Trojan.Win32.VB": [[301, 316]], "Indicator: Worm/Vesenlosow.q": [[317, 334]], "Indicator: WORM/VB.argu": [[335, 347]], "Indicator: Trojan/Win32.VB": [[348, 363]], "Indicator: Worm:Win32/Vesenlosow.A": [[364, 387]], "Indicator: Trojan/Win32.VB.R46099": [[388, 410]], "Indicator: Trojan.Keylogger.1021": [[411, 432]], "Indicator: W32/Vobfus.GEP.worm": [[433, 452]], "Indicator: Win32.Virut.NBP": [[453, 468]], "Indicator: Win32/VB.NZT": [[469, 481]], "Indicator: Win32.Worm.Vb.Akzk": [[482, 500]], "Indicator: Worm.Win32.Msmm.A": [[501, 518]]}, "info": {"id": "cyner2_5class_train_07495", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.1034 VBS/Downldr.IA W97M.Dropper TROJ_RUBREG.SM VB:Trojan.Valyria.1034 Trojan.Script.ExpKit.evbkht Troj.Downloader.Script!c VB:Trojan.Valyria.1034 VB:Trojan.Valyria.1034 VBS.DownLoader.1040 TROJ_RUBREG.SM VBS/Downloader.ea VBS/Downldr.IA TrojanDownloader:VBS/Vibrio.P VB:Trojan.Valyria.D40A VBS/Downloader.ea virus.vbs.houdini.b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.1034": [[26, 48], [92, 114], [168, 190], [191, 213]], "Indicator: VBS/Downldr.IA": [[49, 63], [267, 281]], "Indicator: W97M.Dropper": [[64, 76]], "Indicator: TROJ_RUBREG.SM": [[77, 91], [234, 248]], "Indicator: Trojan.Script.ExpKit.evbkht": [[115, 142]], "Indicator: Troj.Downloader.Script!c": [[143, 167]], "Indicator: VBS.DownLoader.1040": [[214, 233]], "Indicator: VBS/Downloader.ea": [[249, 266], [335, 352]], "Indicator: TrojanDownloader:VBS/Vibrio.P": [[282, 311]], "Indicator: VB:Trojan.Valyria.D40A": [[312, 334]], "Indicator: virus.vbs.houdini.b": [[353, 372]]}, "info": {"id": "cyner2_5class_train_07496", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Mydse!O TrojanDropper.Goriadu Win32.Trojan.WisdomEyes.16070401.9500.9578 TROJ_GORIADU.SMX 
Trojan.Win32.Mydse.az Trojan.Win32.Click.tdtvg TROJ_GORIADU.SMX BehavesLike.Win32.BadFile.fh Trojan-Clicker.ANTO TR/Clicker.9984610 Win32.Troj.AntiCloudAV.d.kcloud TrojanDropper:Win32/Goriadu.A!bit Trojan.Zusy.D38CD Trojan.Win32.Mydse.az W32/GORIADU.SMX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Mydse!O": [[26, 46]], "Indicator: TrojanDropper.Goriadu": [[47, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9578": [[69, 111]], "Indicator: TROJ_GORIADU.SMX": [[112, 128], [176, 192]], "Indicator: Trojan.Win32.Mydse.az": [[129, 150], [345, 366]], "Indicator: Trojan.Win32.Click.tdtvg": [[151, 175]], "Indicator: BehavesLike.Win32.BadFile.fh": [[193, 221]], "Indicator: Trojan-Clicker.ANTO": [[222, 241]], "Indicator: TR/Clicker.9984610": [[242, 260]], "Indicator: Win32.Troj.AntiCloudAV.d.kcloud": [[261, 292]], "Indicator: TrojanDropper:Win32/Goriadu.A!bit": [[293, 326]], "Indicator: Trojan.Zusy.D38CD": [[327, 344]], "Indicator: W32/GORIADU.SMX!tr": [[367, 385]]}, "info": {"id": "cyner2_5class_train_07497", "source": "cyner2_5class_train"}} +{"text": "Who is affected ? 
Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today .", "spans": {"Malware: Gooligan": [[18, 26]], "System: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[58, 110]]}, "info": {"id": "cyner2_5class_train_07498", "source": "cyner2_5class_train"}} +{"text": "Around 2011 , the infamous Zeus Trojan started using web injects that tricked users into downloading a mobile component called “ ZitMo ” ( Zeus in the Mobile ) .", "spans": {"Malware: Zeus Trojan": [[27, 38]], "Malware: ZitMo": [[129, 134]], "Malware: Zeus": [[139, 143]]}, "info": {"id": "cyner2_5class_train_07499", "source": "cyner2_5class_train"}} +{"text": "Figure 1 shows embedded URL in an Elirks sample found in early 2016.", "spans": {"Indicator: embedded URL": [[15, 27]], "Malware: Elirks": [[34, 40]]}, "info": {"id": "cyner2_5class_train_07500", "source": "cyner2_5class_train"}} +{"text": "This malware is well-known for its ability to steal credentials and quickly spread through an enterprise over network shares.", "spans": {"Malware: malware": [[5, 12]], "Indicator: steal credentials": [[46, 63]], "Organization: enterprise": [[94, 104]], "System: network shares.": [[110, 125]]}, "info": {"id": "cyner2_5class_train_07501", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Adware.Heur.E101B3 Win32.Trojan.BHO.r Trojan.Win32.BHO.bropxr Adware.Softomate.603 Trojan:Win32/Jifcapi.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Adware.Heur.E101B3": [[44, 62]], "Indicator: Win32.Trojan.BHO.r": [[63, 81]], "Indicator: Trojan.Win32.BHO.bropxr": [[82, 105]], "Indicator: Adware.Softomate.603": [[106, 126]], "Indicator: Trojan:Win32/Jifcapi.A": [[127, 149]]}, "info": {"id": "cyner2_5class_train_07502", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kromebit TROJ_KROMEBIT.SM 
Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_KROMEBIT.SM Trojan.Win32.Dwn.eurwpx Trojan.Win32.Z.Kromebit.1068032 Trojan.DownLoader25.50889 BehavesLike.Win32.Dropper.tt W32/Trojan.EJDN-0785 Trojan:Win32/Kromebit.B Trj/CI.A Trojan.Win32.Kromebit W32/KROMEBIT.SM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kromebit": [[26, 41]], "Indicator: TROJ_KROMEBIT.SM": [[42, 58], [102, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[59, 101]], "Indicator: Trojan.Win32.Dwn.eurwpx": [[119, 142]], "Indicator: Trojan.Win32.Z.Kromebit.1068032": [[143, 174]], "Indicator: Trojan.DownLoader25.50889": [[175, 200]], "Indicator: BehavesLike.Win32.Dropper.tt": [[201, 229]], "Indicator: W32/Trojan.EJDN-0785": [[230, 250]], "Indicator: Trojan:Win32/Kromebit.B": [[251, 274]], "Indicator: Trj/CI.A": [[275, 283]], "Indicator: Trojan.Win32.Kromebit": [[284, 305]], "Indicator: W32/KROMEBIT.SM!tr": [[306, 324]]}, "info": {"id": "cyner2_5class_train_07503", "source": "cyner2_5class_train"}} +{"text": "Today this malware shows unwanted ads , tomorrow it could steal sensitive information ; from private messages to banking credentials and much more .", "spans": {}, "info": {"id": "cyner2_5class_train_07504", "source": "cyner2_5class_train"}} +{"text": "The report closes with some security suggestions, highlighting the importance of two-factor authentication.", "spans": {"Indicator: security": [[28, 36]], "System: two-factor authentication.": [[81, 107]]}, "info": {"id": "cyner2_5class_train_07505", "source": "cyner2_5class_train"}} +{"text": "The record contains a personal email address : WHOIS records of C2 server exposing the attacker ’ s email address We were aware of the possibility that the attackers might be using a compromised email account , so we dug deeper to find more information related to this email address .", "spans": {}, "info": {"id": "cyner2_5class_train_07506", "source": "cyner2_5class_train"}} +{"text": "This week the spam party did not 
just include CERBER, but also decided to invite an old friend – the KOVTER family.", "spans": {"Indicator: the spam party": [[10, 24]], "Malware: CERBER,": [[46, 53]], "Malware: the KOVTER family.": [[97, 115]]}, "info": {"id": "cyner2_5class_train_07507", "source": "cyner2_5class_train"}} +{"text": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska.", "spans": {"Malware: Tofsee,": [[0, 7]], "Malware: Gheg,": [[22, 27]], "Malware: botnet": [[39, 45]], "Organization: CERT Polska.": [[58, 70]]}, "info": {"id": "cyner2_5class_train_07508", "source": "cyner2_5class_train"}} +{"text": "We assess with high confidence that this modified version is operated by the infamous Wolf Research .", "spans": {"Organization: Wolf Research": [[86, 99]]}, "info": {"id": "cyner2_5class_train_07509", "source": "cyner2_5class_train"}} +{"text": "It ’ s possible , as with other Android malware , that some apps may also be available on forums , file-sharing sites or even sent to victims as email attachments , and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find .", "spans": {"System: Android": [[32, 39]]}, "info": {"id": "cyner2_5class_train_07510", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Small.15616.H Trojan.Bibei.A6 Bibei.a Win.Trojan.Rootkit-3954 Trojan.Win32.NtRootKit.rigfr TrojWare.Win32.Olmarik.AWI Trojan.NtRootKit.12543 Bibei.a TR/Offend.69286423 Trojan.Zusy.D27F7 Trojan:WinNT/Bibei.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.15616.H": [[26, 50]], "Indicator: Trojan.Bibei.A6": [[51, 66]], "Indicator: Bibei.a": [[67, 74], [178, 185]], "Indicator: Win.Trojan.Rootkit-3954": [[75, 98]], "Indicator: Trojan.Win32.NtRootKit.rigfr": [[99, 127]], "Indicator: TrojWare.Win32.Olmarik.AWI": [[128, 154]], "Indicator: Trojan.NtRootKit.12543": [[155, 177]], "Indicator: TR/Offend.69286423": [[186, 204]], "Indicator: Trojan.Zusy.D27F7": [[205, 222]], 
"Indicator: Trojan:WinNT/Bibei.A": [[223, 243]]}, "info": {"id": "cyner2_5class_train_07511", "source": "cyner2_5class_train"}} +{"text": "During the investigation , this app was able to successfully connect to the command and control server , but it received no commands .", "spans": {}, "info": {"id": "cyner2_5class_train_07512", "source": "cyner2_5class_train"}} +{"text": "Another trick in “ Agent Smith ’ s arsenal is to change the settings of the update timeout , making the original application wait endlessly for the update check .", "spans": {"Malware: Agent Smith": [[19, 30]]}, "info": {"id": "cyner2_5class_train_07513", "source": "cyner2_5class_train"}} +{"text": "The service continues by loading an ELF , created by Baidu , which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “ +86 ” prefix , which relates to the People ’ s Republic of China .", "spans": {"Organization: Baidu": [[53, 58]]}, "info": {"id": "cyner2_5class_train_07514", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/W32.Propas.110663 Trojan.Heur.RP.EDD84E Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.AQD TROJ_PASSPRO.C Win.Trojan.Enfal-62 Trojan.PWS.Winlog TROJ_PASSPRO.C BehavesLike.Win32.Dropper.ch W32/Trojan.IWQS-9238 Trojan:Win32/Propas.A Trojan:Win32/Propas.A Trojan.Propas!M9i4NRQV2R8 W32/Propas.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Propas.110663": [[26, 50]], "Indicator: Trojan.Heur.RP.EDD84E": [[51, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[73, 115]], "Indicator: W32/Trojan.AQD": [[116, 130]], "Indicator: TROJ_PASSPRO.C": [[131, 145], [184, 198]], "Indicator: Win.Trojan.Enfal-62": [[146, 165]], "Indicator: Trojan.PWS.Winlog": [[166, 183]], "Indicator: BehavesLike.Win32.Dropper.ch": [[199, 227]], "Indicator: W32/Trojan.IWQS-9238": [[228, 248]], "Indicator: Trojan:Win32/Propas.A": 
[[249, 270], [271, 292]], "Indicator: Trojan.Propas!M9i4NRQV2R8": [[293, 318]], "Indicator: W32/Propas.A!tr": [[319, 334]]}, "info": {"id": "cyner2_5class_train_07515", "source": "cyner2_5class_train"}} +{"text": "One of the samples ( e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 ) uses the C2 server svcws [ .", "spans": {"Indicator: e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1": [[21, 85]], "Indicator: svcws [ .": [[107, 116]]}, "info": {"id": "cyner2_5class_train_07516", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Syph.B Backdoor/W32.Syph.361984 Backdoor.Syph Backdoor.W32.Syph.b!c Trojan/Syph.b Backdoor.Syph.B Backdoor.Trojan BKDR_SYPH.B Win.Trojan.Syph-2 Backdoor.Syph.B Backdoor.Win32.Syph.b Backdoor.Syph.B Trojan.Win32.Syph.bfjuy Backdoor.Win32.Syph.361984 Win32.Backdoor.Syph.cyqv Backdoor.Syph.B Backdoor.Win32.Syph.B BackDoor.Syph BKDR_SYPH.B W32/Risk.GBZV-6047 Backdoor/Syph.b BDS/Syph.b.Srv Trojan[Backdoor]/Win32.Syph Backdoor:Win32/Syph.B Backdoor.Win32.Syph.b Backdoor.Syphillis Backdoor.Syph.b Bck/Syphillis.1.18 Win32/Syph.B Backdoor.Syph!hEmUZuSaZVQ Win32/Backdoor.e16", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Syph.B": [[26, 41], [117, 132], [179, 194], [217, 232], [309, 324]], "Indicator: Backdoor/W32.Syph.361984": [[42, 66]], "Indicator: Backdoor.Syph": [[67, 80]], "Indicator: Backdoor.W32.Syph.b!c": [[81, 102]], "Indicator: Trojan/Syph.b": [[103, 116]], "Indicator: Backdoor.Trojan": [[133, 148]], "Indicator: BKDR_SYPH.B": [[149, 160], [361, 372]], "Indicator: Win.Trojan.Syph-2": [[161, 178]], "Indicator: Backdoor.Win32.Syph.b": [[195, 216], [473, 494]], "Indicator: Trojan.Win32.Syph.bfjuy": [[233, 256]], "Indicator: Backdoor.Win32.Syph.361984": [[257, 283]], "Indicator: Win32.Backdoor.Syph.cyqv": [[284, 308]], "Indicator: Backdoor.Win32.Syph.B": [[325, 346]], "Indicator: BackDoor.Syph": [[347, 360]], "Indicator: W32/Risk.GBZV-6047": [[373, 391]], "Indicator: 
Backdoor/Syph.b": [[392, 407]], "Indicator: BDS/Syph.b.Srv": [[408, 422]], "Indicator: Trojan[Backdoor]/Win32.Syph": [[423, 450]], "Indicator: Backdoor:Win32/Syph.B": [[451, 472]], "Indicator: Backdoor.Syphillis": [[495, 513]], "Indicator: Backdoor.Syph.b": [[514, 529]], "Indicator: Bck/Syphillis.1.18": [[530, 548]], "Indicator: Win32/Syph.B": [[549, 561]], "Indicator: Backdoor.Syph!hEmUZuSaZVQ": [[562, 587]], "Indicator: Win32/Backdoor.e16": [[588, 606]]}, "info": {"id": "cyner2_5class_train_07517", "source": "cyner2_5class_train"}} +{"text": "From April 19-24, 2017, a politically-motivated, targeted campaign was carried out against numerous Israeli organizations.", "spans": {"Organization: Israeli organizations.": [[100, 122]]}, "info": {"id": "cyner2_5class_train_07518", "source": "cyner2_5class_train"}} +{"text": "Although this technique has been used before by other malware campaigns, it is still not a common strategy.", "spans": {}, "info": {"id": "cyner2_5class_train_07519", "source": "cyner2_5class_train"}} +{"text": "It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi .", "spans": {"Organization: Xiaomi": [[53, 59], [137, 143]], "System: MIUI": [[78, 82]], "System: Google Android": [[114, 128]]}, "info": {"id": "cyner2_5class_train_07520", "source": "cyner2_5class_train"}} +{"text": "We gathered information from affected devices , and concurrently , attempted to acquire Chrysaor apps to better understand its impact on users .", "spans": {"Malware: Chrysaor": [[88, 96]]}, "info": {"id": "cyner2_5class_train_07521", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9692 TR/Brysay.A PWS:Win32/Enesbot.A Trojan-Downloader.MSIL.Banload", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9692": [[26, 68]], "Indicator: TR/Brysay.A": [[69, 80]], "Indicator: 
PWS:Win32/Enesbot.A": [[81, 100]], "Indicator: Trojan-Downloader.MSIL.Banload": [[101, 131]]}, "info": {"id": "cyner2_5class_train_07522", "source": "cyner2_5class_train"}} +{"text": "Some of the icons used can be seen below .", "spans": {}, "info": {"id": "cyner2_5class_train_07523", "source": "cyner2_5class_train"}} +{"text": "Yet I recently uncovered evidence that suggests it was the work of a well-known Chinese threat group.", "spans": {}, "info": {"id": "cyner2_5class_train_07524", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Farfli Backdoor:Win32/Dorbop.B!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Trojan.Win32.Farfli": [[69, 88]], "Indicator: Backdoor:Win32/Dorbop.B!bit": [[89, 116]], "Indicator: Trj/GdSda.A": [[117, 128]]}, "info": {"id": "cyner2_5class_train_07525", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.AD.eqoszf TR/AD.PSLoader.kykon Trojan.Razy.D1F16C Win32/Powerless.F Trojan.Powerless! 
W32/Powerless.F!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.AD.eqoszf": [[26, 48]], "Indicator: TR/AD.PSLoader.kykon": [[49, 69]], "Indicator: Trojan.Razy.D1F16C": [[70, 88]], "Indicator: Win32/Powerless.F": [[89, 106]], "Indicator: Trojan.Powerless!": [[107, 124]], "Indicator: W32/Powerless.F!tr": [[125, 143]]}, "info": {"id": "cyner2_5class_train_07526", "source": "cyner2_5class_train"}} +{"text": "We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.", "spans": {}, "info": {"id": "cyner2_5class_train_07527", "source": "cyner2_5class_train"}} +{"text": "] orgacount-manager [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07528", "source": "cyner2_5class_train"}} +{"text": "In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims various parts of the Saudi Government.", "spans": {"Malware: information stealer Trojan": [[45, 71]], "Malware: Word macro,": [[91, 102]], "Indicator: spy": [[115, 118]], "Organization: the Saudi Government.": [[151, 172]]}, "info": {"id": "cyner2_5class_train_07529", "source": "cyner2_5class_train"}} +{"text": "] 175 [ .", "spans": {}, "info": {"id": "cyner2_5class_train_07530", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FakeMsHelpCenter.Trojan Trojan.Graftor.D67ED Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_ALTHUMS_EI030112.UVPM Trojan.Win32.DownLoad2.rlsdn Trojan.Win32.A.Downloader.84626 Trojan.DownLoad2.63614 Trojan.Allthumbs.Win32.1 TROJ_ALTHUMS_EI030112.UVPM BehavesLike.Win32.Worm.tz Trojan:Win32/Althums.A Trojan/Win32.Goz.R10705 Trj/CI.A Trojan.Graftor!H+8m5ivUpKY Win32/Trojan.0be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeMsHelpCenter.Trojan": [[26, 53]], "Indicator: Trojan.Graftor.D67ED": [[54, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[75, 117]], "Indicator: 
TROJ_ALTHUMS_EI030112.UVPM": [[118, 144], [254, 280]], "Indicator: Trojan.Win32.DownLoad2.rlsdn": [[145, 173]], "Indicator: Trojan.Win32.A.Downloader.84626": [[174, 205]], "Indicator: Trojan.DownLoad2.63614": [[206, 228]], "Indicator: Trojan.Allthumbs.Win32.1": [[229, 253]], "Indicator: BehavesLike.Win32.Worm.tz": [[281, 306]], "Indicator: Trojan:Win32/Althums.A": [[307, 329]], "Indicator: Trojan/Win32.Goz.R10705": [[330, 353]], "Indicator: Trj/CI.A": [[354, 362]], "Indicator: Trojan.Graftor!H+8m5ivUpKY": [[363, 389]], "Indicator: Win32/Trojan.0be": [[390, 406]]}, "info": {"id": "cyner2_5class_train_07531", "source": "cyner2_5class_train"}} +{"text": "Such data includes contact and location information , phone and message activity , the ability to record from the microphone , camera , and other sensors as well as the capability to access data from many popular messaging and social media apps .", "spans": {}, "info": {"id": "cyner2_5class_train_07532", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BKDR_MATSNU.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_MATSNU.SM0 BehavesLike.Win32.Ransom.ch TR/Crypt.ZPACK.8577 Trojan/Win32.Trapwot.R152769 Trojan.FakeAV.01657", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BKDR_MATSNU.SM0": [[26, 41], [85, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: BehavesLike.Win32.Ransom.ch": [[101, 128]], "Indicator: TR/Crypt.ZPACK.8577": [[129, 148]], "Indicator: Trojan/Win32.Trapwot.R152769": [[149, 177]], "Indicator: Trojan.FakeAV.01657": [[178, 197]]}, "info": {"id": "cyner2_5class_train_07533", "source": "cyner2_5class_train"}} +{"text": "A full list of targeted applications is included in the IOC section at the end of this post .", "spans": {}, "info": {"id": "cyner2_5class_train_07534", "source": "cyner2_5class_train"}} +{"text": "This finding was listed in our Anthem blog, and we have continued to monitor it in ThreatConnect since mid February.", "spans": 
{"Organization: Anthem": [[31, 37]], "System: ThreatConnect": [[83, 96]]}, "info": {"id": "cyner2_5class_train_07535", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.JapiletAA.Trojan Trojan.Dropper.Delf.BB Worm.Win32.Fesber!O Worm.Fesber Worm.Fesber.Win32.3 Trojan/Fesber.a W32/Fesber.A Win32/Fesber.A WORM_YERO.A Win.Worm.Yero-1 Worm.Win32.Fesber.g Trojan.Dropper.Delf.BB Virus.Win32.Fesber.iiof Worm.Win32.A.Fesber.13116[UPX] Virus.Win32.Fesber.k Trojan.Dropper.Delf.BB Win32.HLLW.FSB WORM_YERO.A BehavesLike.Win32.Fesber.vh W32/Fesber.QPGQ-0002 Worm/Fesber.g Worm/Win32.Fesber.g Worm.Fesber.kcloud Worm:Win32/Fesber.A Trojan.Dropper.Delf.BB Troj.PSW32.W.QQPass.lgj2 Worm.Win32.Fesber.g Trojan.Dropper.Delf.BB Worm/Win32.Fesber.R4309 Trojan.Dropper.Delf.BB Virus.Fsb.1 I-Worm.Fesber.A Win32/Fesber.A Worm.Fesber!I2XPvd5yXYs Worm.Win32.Fesber W32/Cosmu.H.worm Worm.Win32.Fesber.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.JapiletAA.Trojan": [[26, 46]], "Indicator: Trojan.Dropper.Delf.BB": [[47, 69], [214, 236], [313, 335], [485, 507], [553, 575], [600, 622]], "Indicator: Worm.Win32.Fesber!O": [[70, 89]], "Indicator: Worm.Fesber": [[90, 101]], "Indicator: Worm.Fesber.Win32.3": [[102, 121]], "Indicator: Trojan/Fesber.a": [[122, 137]], "Indicator: W32/Fesber.A": [[138, 150]], "Indicator: Win32/Fesber.A": [[151, 165], [651, 665]], "Indicator: WORM_YERO.A": [[166, 177], [351, 362]], "Indicator: Win.Worm.Yero-1": [[178, 193]], "Indicator: Worm.Win32.Fesber.g": [[194, 213], [533, 552]], "Indicator: Virus.Win32.Fesber.iiof": [[237, 260]], "Indicator: Worm.Win32.A.Fesber.13116[UPX]": [[261, 291]], "Indicator: Virus.Win32.Fesber.k": [[292, 312]], "Indicator: Win32.HLLW.FSB": [[336, 350]], "Indicator: BehavesLike.Win32.Fesber.vh": [[363, 390]], "Indicator: W32/Fesber.QPGQ-0002": [[391, 411]], "Indicator: Worm/Fesber.g": [[412, 425]], "Indicator: Worm/Win32.Fesber.g": [[426, 445]], "Indicator: Worm.Fesber.kcloud": [[446, 464]], "Indicator: 
Worm:Win32/Fesber.A": [[465, 484]], "Indicator: Troj.PSW32.W.QQPass.lgj2": [[508, 532]], "Indicator: Worm/Win32.Fesber.R4309": [[576, 599]], "Indicator: Virus.Fsb.1": [[623, 634]], "Indicator: I-Worm.Fesber.A": [[635, 650]], "Indicator: Worm.Fesber!I2XPvd5yXYs": [[666, 689]], "Indicator: Worm.Win32.Fesber": [[690, 707]], "Indicator: W32/Cosmu.H.worm": [[708, 724]], "Indicator: Worm.Win32.Fesber.A": [[725, 744]]}, "info": {"id": "cyner2_5class_train_07536", "source": "cyner2_5class_train"}} +{"text": "What is special about it is that it comes as a Windows link file, .LNK, that downloads and runs a malicious HTML application, .HTA, that drops and executes a malicious binary.", "spans": {"Indicator: Windows link file, .LNK,": [[47, 71]], "Indicator: runs a malicious HTML application, .HTA,": [[91, 131]]}, "info": {"id": "cyner2_5class_train_07537", "source": "cyner2_5class_train"}} +{"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT .", "spans": {"Malware: Red Alert 2.0": [[6, 19]], "System: Android": [[22, 29]], "System: VPN": [[101, 104]]}, "info": {"id": "cyner2_5class_train_07538", "source": "cyner2_5class_train"}} +{"text": "We report them to Google and take other steps to disrupt malicious campaigns we discover .", "spans": {"Organization: Google": [[18, 24]]}, "info": {"id": "cyner2_5class_train_07539", "source": "cyner2_5class_train"}} +{"text": "Our analysis of the Adobe Flash zero-day vulnerability used in the latest Pawn Storm campaign reveals that the previous mitigation techniques introduced by Adobe were not enough to secure the platform.", "spans": {"System: Adobe Flash": [[20, 31]], "Vulnerability: zero-day vulnerability": [[32, 54]], "Organization: Adobe": [[156, 161]]}, "info": {"id": "cyner2_5class_train_07540", "source": "cyner2_5class_train"}} +{"text": "The actors behind Dridex 220 and Locky Affid=3 have introduced 
a new ransomware called Bart", "spans": {"Malware: Dridex 220": [[18, 28]], "Malware: Locky Affid=3": [[33, 46]], "Malware: ransomware": [[69, 79]], "Malware: Bart": [[87, 91]]}, "info": {"id": "cyner2_5class_train_07541", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Application.Joke.Flipped.E Joke.Flipped Riskware.Win16.Flipped.yzsd Joke.Flipped JOKE_FLIPPED.A Joke.Flipped Application.Joke.Flipped.E Joke.Flipped Application.Joke.Flipped Joke.Flipped JOKE_FLIPPED.A Joke.Flipped Backdoor/IRC.IRC Joke:Win32/Flipped.A Trojan.Win32.A.Zbot.4128 Application.Joke.Flipped.E Joke.Flipped Joke.Flipped", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Joke.Flipped.E": [[26, 52], [135, 161], [304, 330]], "Indicator: Joke.Flipped": [[53, 65], [94, 106], [122, 134], [162, 174], [200, 212], [228, 240], [331, 343], [344, 356]], "Indicator: Riskware.Win16.Flipped.yzsd": [[66, 93]], "Indicator: JOKE_FLIPPED.A": [[107, 121], [213, 227]], "Indicator: Application.Joke.Flipped": [[175, 199]], "Indicator: Backdoor/IRC.IRC": [[241, 257]], "Indicator: Joke:Win32/Flipped.A": [[258, 278]], "Indicator: Trojan.Win32.A.Zbot.4128": [[279, 303]]}, "info": {"id": "cyner2_5class_train_07542", "source": "cyner2_5class_train"}} +{"text": "Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows.", "spans": {"Malware: Komplex": [[0, 7]], "Malware: tool": [[77, 81]], "Malware: Carberp variant": [[103, 118]], "System: systems running Windows.": [[172, 196]]}, "info": {"id": "cyner2_5class_train_07543", "source": "cyner2_5class_train"}} +{"text": "Figure 6 : Targeted ad network Figure 7 : Injection example After all of the required changes , “ Agent Smith ” compiles the application and builds a DEX file containing both the original code of the original application and the malicious payload .", "spans": {"Malware: Agent 
Smith": [[98, 109]]}, "info": {"id": "cyner2_5class_train_07544", "source": "cyner2_5class_train"}} +{"text": "In 2014, our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they self-named Putter Panda, which Mandiant/FireEye refers to as APT2.", "spans": {"Organization: colleagues": [[13, 23]], "Organization: Crowdstrike": [[27, 38]], "Organization: Mandiant/FireEye": [[138, 154]]}, "info": {"id": "cyner2_5class_train_07545", "source": "cyner2_5class_train"}} +{"text": "Apache Tomcat is a java based web service that is used for different applications.", "spans": {"System: Apache Tomcat": [[0, 13]], "System: java": [[19, 23]], "System: web service": [[30, 41]], "System: different applications.": [[59, 82]]}, "info": {"id": "cyner2_5class_train_07546", "source": "cyner2_5class_train"}} +{"text": "Among the 153 configuration files, 54 distinct command and control C C servers were detected.", "spans": {"Indicator: 153 configuration files, 54 distinct command and control C C servers": [[10, 78]]}, "info": {"id": "cyner2_5class_train_07547", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.RedCap.ewfcku BehavesLike.Win32.VBobfus.gc Trojan.CopyKittens TR/RedCap.eevfy Trojan.Razy.D33AF6 TrojanDropper:Win32/Noratops.B!dha Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.RedCap.ewfcku": [[26, 52]], "Indicator: BehavesLike.Win32.VBobfus.gc": [[53, 81]], "Indicator: Trojan.CopyKittens": [[82, 100]], "Indicator: TR/RedCap.eevfy": [[101, 116]], "Indicator: Trojan.Razy.D33AF6": [[117, 135]], "Indicator: TrojanDropper:Win32/Noratops.B!dha": [[136, 170]], "Indicator: Trj/GdSda.A": [[171, 182]]}, "info": {"id": "cyner2_5class_train_07548", "source": "cyner2_5class_train"}} +{"text": "According to a blog article by Microsoft, the malware is associated with an attacker group identified as DarkHotel Microsoft calls it as Dubnium .", "spans": {"Organization: Microsoft,": [[31, 
41]], "Malware: malware": [[46, 53]], "Organization: Microsoft": [[115, 124]]}, "info": {"id": "cyner2_5class_train_07549", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Lamer.KL8 PE_LAMER_EL150191.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9987 PE_LAMER_EL150191.UVPM Virus.Win32.Lamer.kl Virus.W32.Lamer!c ApplicUnsaf.Win32.ScreenMate.AA Backdoor.PePatch.Win32.75884 Virus.Win32.Lamer TR/Taranis.2787 Trojan[Ransom]/Win32.CryFile Virus.Win32.Lamer.kl Hoax.CryFile Virus.Win32.Lamer.j Win32/Virus.HideDoc.L", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Lamer.KL8": [[26, 39]], "Indicator: PE_LAMER_EL150191.UVPM": [[40, 62], [106, 128]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[63, 105]], "Indicator: Virus.Win32.Lamer.kl": [[129, 149], [292, 312]], "Indicator: Virus.W32.Lamer!c": [[150, 167]], "Indicator: ApplicUnsaf.Win32.ScreenMate.AA": [[168, 199]], "Indicator: Backdoor.PePatch.Win32.75884": [[200, 228]], "Indicator: Virus.Win32.Lamer": [[229, 246]], "Indicator: TR/Taranis.2787": [[247, 262]], "Indicator: Trojan[Ransom]/Win32.CryFile": [[263, 291]], "Indicator: Hoax.CryFile": [[313, 325]], "Indicator: Virus.Win32.Lamer.j": [[326, 345]], "Indicator: Win32/Virus.HideDoc.L": [[346, 367]]}, "info": {"id": "cyner2_5class_train_07550", "source": "cyner2_5class_train"}} +{"text": "But that does n't mean companies and organizations are out of the woods .", "spans": {}, "info": {"id": "cyner2_5class_train_07551", "source": "cyner2_5class_train"}} +{"text": "Google's security team recently identified a new domain masquerading as an official EFF site as part of a targeted malware campaign.", "spans": {"Organization: Google's security team": [[0, 22]], "Indicator: new domain masquerading": [[45, 68]], "Indicator: official EFF site": [[75, 92]]}, "info": {"id": "cyner2_5class_train_07552", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.OnGameELAIUZAC.Trojan Trojan.Zusy.D3B59 
Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Clicker.cwyjjr Trojan.Click2.34240 Win32.Troj.Undef.kcloud Trojan:MSIL/Ainscomp.A Trj/CI.A Trojan.Ainscomp!KTuN3cZslCo Trojan.Msil Win32/Trojan.bfc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameELAIUZAC.Trojan": [[26, 51]], "Indicator: Trojan.Zusy.D3B59": [[52, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[70, 112]], "Indicator: Trojan.Win32.Clicker.cwyjjr": [[113, 140]], "Indicator: Trojan.Click2.34240": [[141, 160]], "Indicator: Win32.Troj.Undef.kcloud": [[161, 184]], "Indicator: Trojan:MSIL/Ainscomp.A": [[185, 207]], "Indicator: Trj/CI.A": [[208, 216]], "Indicator: Trojan.Ainscomp!KTuN3cZslCo": [[217, 244]], "Indicator: Trojan.Msil": [[245, 256]], "Indicator: Win32/Trojan.bfc": [[257, 273]]}, "info": {"id": "cyner2_5class_train_07553", "source": "cyner2_5class_train"}} +{"text": "FinFisher is not afraid of using all kinds of tricks , ranging from junk instructions and “ spaghetti code ” to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures .", "spans": {"Malware: FinFisher": [[0, 9]]}, "info": {"id": "cyner2_5class_train_07554", "source": "cyner2_5class_train"}} +{"text": "EventBot parsing of grabbed SMS messages Parsing of grabbed SMS messages .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_5class_train_07555", "source": "cyner2_5class_train"}} +{"text": "The second attack vector , the overlay attack , shows a customized phishing window whenever a targeted application is started on the device .", "spans": {}, "info": {"id": "cyner2_5class_train_07556", "source": "cyner2_5class_train"}} +{"text": "The three InPage exploit files are linked through their use of very similar shellcode, which suggests that either the same actor is behind these attacks, or the attackers have access to a shared builder.", "spans": {"Malware: InPage exploit": [[10, 24]], "Indicator: files": [[25, 30]], "Indicator: use 
of very similar shellcode,": [[56, 86]], "Indicator: attacks,": [[145, 153]]}, "info": {"id": "cyner2_5class_train_07557", "source": "cyner2_5class_train"}} +{"text": "A new type of macOS-based stealer is being sold on the dark web for $100 £70.", "spans": {"Malware: macOS-based stealer": [[14, 33]], "Indicator: the dark web": [[51, 63]]}, "info": {"id": "cyner2_5class_train_07558", "source": "cyner2_5class_train"}} +{"text": "BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware .", "spans": {}, "info": {"id": "cyner2_5class_train_07559", "source": "cyner2_5class_train"}} +{"text": "If the user ignores or rejects the request , the window reopens every few seconds .", "spans": {}, "info": {"id": "cyner2_5class_train_07560", "source": "cyner2_5class_train"}} +{"text": "The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable: by potentially reaching so many individuals, campaigns such as this can - and do - succeed in infecting people.", "spans": {"System: systems": [[124, 131]], "Vulnerability: vulnerable:": [[144, 155]], "Organization: individuals,": [[188, 200]]}, "info": {"id": "cyner2_5class_train_07561", "source": "cyner2_5class_train"}} +{"text": "MD5 43680D1914F28E14C90436E1D42984E2 20D4B9EB9377C499917C4D69BF4CCEBE First widely distributed Android bootkit Malware infects more than 350,000 Devices January 29 , 2014 In the last quarter of 2013 , sale of a Smartphone with ANDROID operating system has increased and every second person you see is a DROID user .", "spans": {"Indicator: 43680D1914F28E14C90436E1D42984E2": [[4, 36]], "Indicator: 20D4B9EB9377C499917C4D69BF4CCEBE": [[37, 69]], "System: Android": [[95, 102]], "System: ANDROID": [[227, 234]], "System: DROID": [[303, 308]]}, "info": {"id": "cyner2_5class_train_07562", "source": "cyner2_5class_train"}} +{"text": "Most custom backdoors used by advanced attackers have limited functionality.", "spans": 
{"Malware: custom backdoors": [[5, 21]]}, "info": {"id": "cyner2_5class_train_07563", "source": "cyner2_5class_train"}} +{"text": "EVENTBOT INFRASTRUCTURE By mapping the C2 servers , a clear , repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c .", "spans": {"Malware: EVENTBOT": [[0, 8]]}, "info": {"id": "cyner2_5class_train_07564", "source": "cyner2_5class_train"}} +{"text": "We anticipate this malware to continue to evolve with additional new features ; the only question now is when we will see the next wave .", "spans": {}, "info": {"id": "cyner2_5class_train_07565", "source": "cyner2_5class_train"}} +{"text": "This leads us to believe this is another actor .", "spans": {}, "info": {"id": "cyner2_5class_train_07566", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Bifrose.nel Win.Trojan.AutoIT-6333854-0 Trojan-Dropper.Win32.Autoit.bvg Trojan.Win32.AutoIt.expdpu BehavesLike.Win32.Backdoor.tc Trojan.Win32.Z.Autoit.1633763 Dropper/Win32.Androm.C2387785 Win32/Injector.Autoit.DFJ Backdoor.MSIL W32/Injector.CYH!tr Win32/Trojan.38f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Bifrose.nel": [[26, 44]], "Indicator: Win.Trojan.AutoIT-6333854-0": [[45, 72]], "Indicator: Trojan-Dropper.Win32.Autoit.bvg": [[73, 104]], "Indicator: Trojan.Win32.AutoIt.expdpu": [[105, 131]], "Indicator: BehavesLike.Win32.Backdoor.tc": [[132, 161]], "Indicator: Trojan.Win32.Z.Autoit.1633763": [[162, 191]], "Indicator: Dropper/Win32.Androm.C2387785": [[192, 221]], "Indicator: Win32/Injector.Autoit.DFJ": [[222, 247]], "Indicator: Backdoor.MSIL": [[248, 261]], "Indicator: W32/Injector.CYH!tr": [[262, 281]], "Indicator: Win32/Trojan.38f": [[282, 298]]}, "info": {"id": "cyner2_5class_train_07567", "source": "cyner2_5class_train"}} +{"text": "Several analysis reports were published on this malware in 2014 and , finally , the source code was leaked in 2015 .", "spans": {}, "info": {"id": "cyner2_5class_train_07568", "source": 
"cyner2_5class_train"}} +{"text": "These devices were located in the following countries : How we protect you To protect Android devices and users , Google Play provides a complete set of security services that update outside of platform releases .", "spans": {"System: Android": [[86, 93]], "System: Google Play": [[114, 125]]}, "info": {"id": "cyner2_5class_train_07569", "source": "cyner2_5class_train"}} +{"text": "MALWARE UNDER ACTIVE DEVELOPMENT EventBot “ cfg ” class EventBot “ cfg ” class .", "spans": {"Malware: EventBot": [[33, 41], [56, 64]]}, "info": {"id": "cyner2_5class_train_07570", "source": "cyner2_5class_train"}} +{"text": "Over the past couple of months McAfee Labs has seen an increase in the usage of macros to deliver malware.", "spans": {"Organization: McAfee Labs": [[31, 42]], "Malware: macros": [[80, 86]], "Malware: malware.": [[98, 106]]}, "info": {"id": "cyner2_5class_train_07571", "source": "cyner2_5class_train"}} +{"text": "We mostly observe attacks using Elirks occurring in East Asia.", "spans": {"Indicator: attacks": [[18, 25]], "Malware: Elirks": [[32, 38]]}, "info": {"id": "cyner2_5class_train_07572", "source": "cyner2_5class_train"}} +{"text": "We observed an anomaly when approximately 60 domains all [.]top TLDs registered on April 7, 2016 started serving a coin mining malware – to mine BitMonero, a form of digital currency – on their main page under the mime-type of html/text.", "spans": {"Indicator: 60 domains all [.]top TLDs registered on": [[42, 82]], "Malware: coin mining malware": [[115, 134]], "Indicator: mime-type of html/text.": [[214, 237]]}, "info": {"id": "cyner2_5class_train_07573", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.E147 Trojan.Banker.Win32.5895 Trojan/Banker.ju W32/Banker.AJC Win.Trojan.Bancos-852 Trojan-Banker.Win32.Banker.ju Trojan.Win32.Banker.bmncx Trojan.PWS.Banker.based Trojan-Spy.Win32.Banker W32/Banker.WTGS-4277 Trojan/Banker.Banker.ufm Trojan[Banker]/Win32.Banker 
Trojan-Banker.Win32.Banker.ju TrojanBanker.Banker Trojan.Banker!qguLAzH8AII W32/Banker.DUU!tr Trj/Banker.FWD Win32/Trojan.a46", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.E147": [[26, 43]], "Indicator: Trojan.Banker.Win32.5895": [[44, 68]], "Indicator: Trojan/Banker.ju": [[69, 85]], "Indicator: W32/Banker.AJC": [[86, 100]], "Indicator: Win.Trojan.Bancos-852": [[101, 122]], "Indicator: Trojan-Banker.Win32.Banker.ju": [[123, 152], [301, 330]], "Indicator: Trojan.Win32.Banker.bmncx": [[153, 178]], "Indicator: Trojan.PWS.Banker.based": [[179, 202]], "Indicator: Trojan-Spy.Win32.Banker": [[203, 226]], "Indicator: W32/Banker.WTGS-4277": [[227, 247]], "Indicator: Trojan/Banker.Banker.ufm": [[248, 272]], "Indicator: Trojan[Banker]/Win32.Banker": [[273, 300]], "Indicator: TrojanBanker.Banker": [[331, 350]], "Indicator: Trojan.Banker!qguLAzH8AII": [[351, 376]], "Indicator: W32/Banker.DUU!tr": [[377, 394]], "Indicator: Trj/Banker.FWD": [[395, 409]], "Indicator: Win32/Trojan.a46": [[410, 426]]}, "info": {"id": "cyner2_5class_train_07574", "source": "cyner2_5class_train"}} +{"text": "At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to deliver malicious payloads to victims' machines.", "spans": {"Malware: At": [[0, 2]], "Malware: stealers, Rhadamanthys": [[23, 45]], "Malware: RedLine,": [[50, 58]], "System: the search engine": [[72, 89]], "Malware: malicious payloads": [[125, 143]], "System: victims' machines.": [[147, 165]]}, "info": {"id": "cyner2_5class_train_07575", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9925 Trojan.Win32.Graftor.bovqdb TrojWare.Win32.GameThief.Nilage.~CRSH TR/Graftor.Elzob.6117.1 Backdoor:Win32/Parcim.A Trj/CI.A Trojan.Graftor.Elzob.D17E5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9925": [[26, 68]], "Indicator: Trojan.Win32.Graftor.bovqdb": [[69, 
96]], "Indicator: TrojWare.Win32.GameThief.Nilage.~CRSH": [[97, 134]], "Indicator: TR/Graftor.Elzob.6117.1": [[135, 158]], "Indicator: Backdoor:Win32/Parcim.A": [[159, 182]], "Indicator: Trj/CI.A": [[183, 191]], "Indicator: Trojan.Graftor.Elzob.D17E5": [[192, 218]]}, "info": {"id": "cyner2_5class_train_07576", "source": "cyner2_5class_train"}} +{"text": "It has been in the news the past few weeks as it is the bot that was used in the DDoS attack on Brian Kreb's security blog.", "spans": {"Malware: bot": [[56, 59]], "Indicator: DDoS attack": [[81, 92]], "Organization: Brian Kreb's security blog.": [[96, 123]]}, "info": {"id": "cyner2_5class_train_07577", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Jevafus.A Trojan.Jevafus.A Trojan.Jevafus.A Trojan.Win32.Drop.euelge Trojan.Jevafus.A Trojan.Jevafus.A BehavesLike.Win32.BadFile.vh TrojanDropper:Win32/Jevafus.A Trojan.Jevafus.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Jevafus.A": [[26, 42], [43, 59], [60, 76], [102, 118], [119, 135], [195, 211]], "Indicator: Trojan.Win32.Drop.euelge": [[77, 101]], "Indicator: BehavesLike.Win32.BadFile.vh": [[136, 164]], "Indicator: TrojanDropper:Win32/Jevafus.A": [[165, 194]]}, "info": {"id": "cyner2_5class_train_07578", "source": "cyner2_5class_train"}} +{"text": "So far, all theories regarding the spread of ExPetr/Petya point into two directions:", "spans": {}, "info": {"id": "cyner2_5class_train_07579", "source": "cyner2_5class_train"}} +{"text": "What ’ s more , the user can not check the balance via mobile banking or change any settings there , because after receiving the command with code 40 , the Trojan prevents the banking app from running on the phone .", "spans": {}, "info": {"id": "cyner2_5class_train_07580", "source": "cyner2_5class_train"}} +{"text": "The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November.", "spans": 
{"Malware: The CatB ransomware family,": [[0, 27]], "Malware: CatB99": [[53, 59]], "Malware: Baxtoy,": [[63, 70]]}, "info": {"id": "cyner2_5class_train_07581", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Svectas.Win64.1 Packer.Win32.Katusha TR/Svectas.smnlb W64/Svectas.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Svectas.Win64.1": [[26, 48]], "Indicator: Packer.Win32.Katusha": [[49, 69]], "Indicator: TR/Svectas.smnlb": [[70, 86]], "Indicator: W64/Svectas.B!tr": [[87, 103]]}, "info": {"id": "cyner2_5class_train_07582", "source": "cyner2_5class_train"}} +{"text": "PaloAltorecently discovered a new Android Trojan called SpyNote which facilitates remote spying.", "spans": {"Malware: Android Trojan": [[34, 48]], "Malware: SpyNote": [[56, 63]], "Indicator: remote spying.": [[82, 96]]}, "info": {"id": "cyner2_5class_train_07583", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.F81D Trojan.Mikhail.Win32.4 Trojan.Ransom.Mischa.2 Ransom_MISCHA.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_MISCHA.SM Win32.Trojan-Ransom.Petya.D Trojan-Ransom.Win32.Mikhail.a Trojan.Win32.Petya.96256 Trojan.Encoder.4544 Trojan.Petr.a TR/AD.Petya.Y.rxxx Trojan[Ransom]/Win32.Mikhail Ransom:Win32/Mischa.A Trojan-Ransom.Win32.Mikhail.a Trojan/Win32.Mischa.C1478164 Hoax.Mikhail Trojan.Mikhail!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.F81D": [[26, 43]], "Indicator: Trojan.Mikhail.Win32.4": [[44, 66]], "Indicator: Trojan.Ransom.Mischa.2": [[67, 89]], "Indicator: Ransom_MISCHA.SM": [[90, 106], [150, 166]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[107, 149]], "Indicator: Win32.Trojan-Ransom.Petya.D": [[167, 194]], "Indicator: Trojan-Ransom.Win32.Mikhail.a": [[195, 224], [354, 383]], "Indicator: Trojan.Win32.Petya.96256": [[225, 249]], "Indicator: Trojan.Encoder.4544": [[250, 269]], "Indicator: Trojan.Petr.a": [[270, 283]], "Indicator: TR/AD.Petya.Y.rxxx": 
[[284, 302]], "Indicator: Trojan[Ransom]/Win32.Mikhail": [[303, 331]], "Indicator: Ransom:Win32/Mischa.A": [[332, 353]], "Indicator: Trojan/Win32.Mischa.C1478164": [[384, 412]], "Indicator: Hoax.Mikhail": [[413, 425]], "Indicator: Trojan.Mikhail!": [[426, 441]]}, "info": {"id": "cyner2_5class_train_07584", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Doc.Exploit.DDEautoexec-6346603-0 Exploit.Xml.DDEAuto.euqmxe Trojan[Exploit]/MSOffice.DDE.c Win32.Outbreak", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Doc.Exploit.DDEautoexec-6346603-0": [[26, 59]], "Indicator: Exploit.Xml.DDEAuto.euqmxe": [[60, 86]], "Indicator: Trojan[Exploit]/MSOffice.DDE.c": [[87, 117]], "Indicator: Win32.Outbreak": [[118, 132]]}, "info": {"id": "cyner2_5class_train_07585", "source": "cyner2_5class_train"}} +{"text": "In a much-improved Android security environment , the actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes , such as Janus , Bundle and Man-in-the-Disk , to achieve a 3-stage infection chain , in order to build a botnet of controlled devices to earn profit for the perpetrator .", "spans": {"System: Android": [[19, 26]], "Malware: Agent Smith": [[68, 79]], "Vulnerability: Janus": [[179, 184]], "Vulnerability: Bundle": [[187, 193]], "Vulnerability: Man-in-the-Disk": [[198, 213]]}, "info": {"id": "cyner2_5class_train_07586", "source": "cyner2_5class_train"}} +{"text": "The end result is a new banking Trojan in the wild.", "spans": {"Malware: banking Trojan": [[24, 38]]}, "info": {"id": "cyner2_5class_train_07587", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9899 HV_ROGUE_CG152C85.RDXN Heur.Packed.Unknown TR/Spy.Banker.45879 TrojanProxy:BAT/Banker.G Win32/RiskWare.PEMalform.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9899": [[26, 68]], "Indicator: HV_ROGUE_CG152C85.RDXN": 
[[69, 91]], "Indicator: Heur.Packed.Unknown": [[92, 111]], "Indicator: TR/Spy.Banker.45879": [[112, 131]], "Indicator: TrojanProxy:BAT/Banker.G": [[132, 156]], "Indicator: Win32/RiskWare.PEMalform.E": [[157, 183]]}, "info": {"id": "cyner2_5class_train_07588", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Proxy/W32.Steredir.504832 Trojan/Proxy.Steredir.c Trojan-Proxy.Win32.Steredir.c Trojan.Win32.Steredir.fqli Troj.Proxy.W32.Steredir.c!c TrojWare.Win32.TrojanProxy.Steredir.C Trojan.Stedir.11 Trojan.Steredir.Win32.7 Trojan-Dropper.Delf W32/Risk.RESM-4501 TrojanProxy.Steredir.c TR/Proxy.Steredir.C Trojan[Proxy]/Win32.Steredir Win32.Troj.Steredir.c.kcloud Trojan.Heur.EFD23B1 Trojan.Win32.Proxy.504832 Trojan-Proxy.Win32.Steredir.c TrojanProxy:Win32/Steredir.C Win32/TrojanProxy.Steredir.C Trojan.PR.Steredir!cYzY1isGQt0 W32/Steredir.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Proxy/W32.Steredir.504832": [[26, 58]], "Indicator: Trojan/Proxy.Steredir.c": [[59, 82]], "Indicator: Trojan-Proxy.Win32.Steredir.c": [[83, 112], [433, 462]], "Indicator: Trojan.Win32.Steredir.fqli": [[113, 139]], "Indicator: Troj.Proxy.W32.Steredir.c!c": [[140, 167]], "Indicator: TrojWare.Win32.TrojanProxy.Steredir.C": [[168, 205]], "Indicator: Trojan.Stedir.11": [[206, 222]], "Indicator: Trojan.Steredir.Win32.7": [[223, 246]], "Indicator: Trojan-Dropper.Delf": [[247, 266]], "Indicator: W32/Risk.RESM-4501": [[267, 285]], "Indicator: TrojanProxy.Steredir.c": [[286, 308]], "Indicator: TR/Proxy.Steredir.C": [[309, 328]], "Indicator: Trojan[Proxy]/Win32.Steredir": [[329, 357]], "Indicator: Win32.Troj.Steredir.c.kcloud": [[358, 386]], "Indicator: Trojan.Heur.EFD23B1": [[387, 406]], "Indicator: Trojan.Win32.Proxy.504832": [[407, 432]], "Indicator: TrojanProxy:Win32/Steredir.C": [[463, 491]], "Indicator: Win32/TrojanProxy.Steredir.C": [[492, 520]], "Indicator: Trojan.PR.Steredir!cYzY1isGQt0": [[521, 551]], "Indicator: W32/Steredir.C!tr": [[552, 
569]]}, "info": {"id": "cyner2_5class_train_07589", "source": "cyner2_5class_train"}} +{"text": "Do not download mobile apps from unofficial or unauthorized sources .", "spans": {}, "info": {"id": "cyner2_5class_train_07590", "source": "cyner2_5class_train"}} +{"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU .", "spans": {"Organization: New York Times": [[79, 93]], "Organization: Adups": [[131, 136]], "Organization: BLU": [[141, 144]]}, "info": {"id": "cyner2_5class_train_07591", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.gc Trojan.MSIL.Bladabindi.1 HackTool:MSIL/Injector.A Trojan.LVBP.ED Backdoor.Win32.DarkKomet", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: BehavesLike.Win32.Trojan.gc": [[69, 96]], "Indicator: Trojan.MSIL.Bladabindi.1": [[97, 121]], "Indicator: HackTool:MSIL/Injector.A": [[122, 146]], "Indicator: Trojan.LVBP.ED": [[147, 161]], "Indicator: Backdoor.Win32.DarkKomet": [[162, 186]]}, "info": {"id": "cyner2_5class_train_07592", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O TrojanDropper.Dowque.A8 Backdoor.Hupigon.Win32.182 Backdoor/Hupigon.dkwt TROJ_DOWQUE.NY Win32.Trojan.Delf.b W32/Backdoor2.CWRX Backdoor.Graybird TROJ_DOWQUE.NY Win.Worm.Autorun-12451 Backdoor.Win32.Hupigon.56864 Backdoor.W32.Hupigon.l9fO BackDoor.Graybird.75 BehavesLike.Win32.SpywareLyndra.tc W32/Backdoor.DAWT-3367 Backdoor/Huigezi.2008.qny BDS/Farfli.kj.2 Win32.TrojDownloader.dl.kcloud TrojanDropper:Win32/Dowque.A Trojan/Win32.Hupigon.C29670 Backdoor.Bot Win32/Delf.NSN Backdoor.Win32.Hupigon.dkw Backdoor.Hupigon!hgCryiT987Y Backdoor.Win32.HacDef W32/Injector.fam!tr Trojan.Win32.Downloader.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Backdoor.Win32.Hupigon!O": [[26, 50]], "Indicator: TrojanDropper.Dowque.A8": [[51, 74]], "Indicator: Backdoor.Hupigon.Win32.182": [[75, 101]], "Indicator: Backdoor/Hupigon.dkwt": [[102, 123]], "Indicator: TROJ_DOWQUE.NY": [[124, 138], [196, 210]], "Indicator: Win32.Trojan.Delf.b": [[139, 158]], "Indicator: W32/Backdoor2.CWRX": [[159, 177]], "Indicator: Backdoor.Graybird": [[178, 195]], "Indicator: Win.Worm.Autorun-12451": [[211, 233]], "Indicator: Backdoor.Win32.Hupigon.56864": [[234, 262]], "Indicator: Backdoor.W32.Hupigon.l9fO": [[263, 288]], "Indicator: BackDoor.Graybird.75": [[289, 309]], "Indicator: BehavesLike.Win32.SpywareLyndra.tc": [[310, 344]], "Indicator: W32/Backdoor.DAWT-3367": [[345, 367]], "Indicator: Backdoor/Huigezi.2008.qny": [[368, 393]], "Indicator: BDS/Farfli.kj.2": [[394, 409]], "Indicator: Win32.TrojDownloader.dl.kcloud": [[410, 440]], "Indicator: TrojanDropper:Win32/Dowque.A": [[441, 469]], "Indicator: Trojan/Win32.Hupigon.C29670": [[470, 497]], "Indicator: Backdoor.Bot": [[498, 510]], "Indicator: Win32/Delf.NSN": [[511, 525]], "Indicator: Backdoor.Win32.Hupigon.dkw": [[526, 552]], "Indicator: Backdoor.Hupigon!hgCryiT987Y": [[553, 581]], "Indicator: Backdoor.Win32.HacDef": [[582, 603]], "Indicator: W32/Injector.fam!tr": [[604, 623]], "Indicator: Trojan.Win32.Downloader.M": [[624, 649]]}, "info": {"id": "cyner2_5class_train_07593", "source": "cyner2_5class_train"}} +{"text": "The file is named in such a way as to confuse WordPress administrators who are familiar with XML-RPC.", "spans": {"Indicator: file": [[4, 8]], "System: WordPress administrators": [[46, 70]], "Indicator: XML-RPC.": [[93, 101]]}, "info": {"id": "cyner2_5class_train_07594", "source": "cyner2_5class_train"}} +{"text": "Conclusion The days when one needed in-depth coding knowledge to develop malware are long gone .", "spans": {}, "info": {"id": "cyner2_5class_train_07595", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HackTool.Win64.PSWDump.f 
BehavesLike.Win64.SoftPulse.lh HackTool.Mimikatz HackTool.Win64.PSWDump.f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Win64.PSWDump.f": [[26, 50], [100, 124]], "Indicator: BehavesLike.Win64.SoftPulse.lh": [[51, 81]], "Indicator: HackTool.Mimikatz": [[82, 99]]}, "info": {"id": "cyner2_5class_train_07596", "source": "cyner2_5class_train"}} +{"text": "The story was about a new vulnerability for *nix-based systems – EternalRed aka SambaCry.", "spans": {"Vulnerability: new vulnerability": [[22, 39]], "System: *nix-based systems": [[44, 62]], "Malware: EternalRed": [[65, 75]], "Malware: SambaCry.": [[80, 89]]}, "info": {"id": "cyner2_5class_train_07597", "source": "cyner2_5class_train"}} +{"text": "sms_grab : to upload periodically the SMS messages in the inbox to C2 server .", "spans": {}, "info": {"id": "cyner2_5class_train_07598", "source": "cyner2_5class_train"}} +{"text": "There have been an emegerence of new domains for FighterPOS recently and I discovered a whole load of other possible domains that could be used for the command and control.", "spans": {"Malware: FighterPOS": [[49, 59]], "Indicator: domains": [[117, 124]], "Indicator: command and control.": [[152, 172]]}, "info": {"id": "cyner2_5class_train_07599", "source": "cyner2_5class_train"}} +{"text": "FakeSpy uses an anti-debugging technique by creating another child process of itself .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_5class_train_07600", "source": "cyner2_5class_train"}} +{"text": "The core malware is usually disguised as Google Updater , Google Update for U or “ com.google.vending ” .", "spans": {"Organization: Google": [[41, 47], [58, 64]], "Indicator: com.google.vending": [[83, 101]]}, "info": {"id": "cyner2_5class_train_07601", "source": "cyner2_5class_train"}} +{"text": "The service connects back to the attacker machine and waits for commands which will be given by the attacker.", "spans": {"Indicator: service": [[4, 11]], "System: machine": [[42, 
49]], "Indicator: commands": [[64, 72]]}, "info": {"id": "cyner2_5class_train_07602", "source": "cyner2_5class_train"}} +{"text": "Crooks behind MajikPOS have various tricks up their sleeves.", "spans": {"Malware: MajikPOS": [[14, 22]]}, "info": {"id": "cyner2_5class_train_07603", "source": "cyner2_5class_train"}} +{"text": "TA473 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.", "spans": {"Vulnerability: unpatched Zimbra vulnerability": [[36, 66]], "System: publicly facing webmail": [[70, 93]], "System: email mailboxes": [[141, 156]], "Organization: government entities": [[160, 179]]}, "info": {"id": "cyner2_5class_train_07604", "source": "cyner2_5class_train"}} +{"text": "Unlike previously seen non-GP ( Google Play ) centric malware campaigns , “ Agent Smith ” has a significant impact upon not only developing countries but also some developed countries where GP is readily available .", "spans": {"System: Google Play": [[32, 43]], "Malware: Agent Smith": [[76, 87]]}, "info": {"id": "cyner2_5class_train_07605", "source": "cyner2_5class_train"}} +{"text": "Presumably from the same author of Petya, which was first seen in December 2016, and the Petya-Mischa combo, which hit users back in July 2016, Janus Cybercrime Solution's latest creation is another step in the evolution of their ransomware-as-a-service expansion.", "spans": {"Malware: Petya,": [[35, 41]], "Malware: Petya-Mischa": [[89, 101]], "Organization: users": [[119, 124]], "Organization: Janus Cybercrime Solution's": [[144, 171]], "Malware: ransomware-as-a-service": [[230, 253]]}, "info": {"id": "cyner2_5class_train_07606", "source": "cyner2_5class_train"}} +{"text": "Our research indicates that the group has sufficient financial resources to purchase the source code of a widely available malware tool, and the human resources to design improved versions of its own 
backdoors based on this.", "spans": {"Organization: Our research": [[0, 12]], "Indicator: source code": [[89, 100]], "Malware: malware tool,": [[123, 136]], "Malware: backdoors": [[200, 209]]}, "info": {"id": "cyner2_5class_train_07607", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Downloader.JRQH Trojan.Downloader.JRQH Win32.Trojan.WisdomEyes.16070401.9500.9945 Win32.Trojan-Downloader.Banload.J Trojan-Downloader.MSIL.Banload.bgr Trojan.Downloader.JRQH Trojan.Win32.Banload.dzssxt Trojan.Downloader.JRQH Trojan.Downloader.JRQH Trojan-Downloader.MSIL.Banload.bgr TrojanDownloader:MSIL/Banload.T Trojan/Win32.Banload.C829219 Trojan.Banker.ABR Trj/GdSda.A Msil.Trojan-downloader.Banload.Efkz Trojan-Downloader.MSIL.Banload", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JRQH": [[26, 48], [49, 71], [184, 206], [235, 257], [258, 280]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9945": [[72, 114]], "Indicator: Win32.Trojan-Downloader.Banload.J": [[115, 148]], "Indicator: Trojan-Downloader.MSIL.Banload.bgr": [[149, 183], [281, 315]], "Indicator: Trojan.Win32.Banload.dzssxt": [[207, 234]], "Indicator: TrojanDownloader:MSIL/Banload.T": [[316, 347]], "Indicator: Trojan/Win32.Banload.C829219": [[348, 376]], "Indicator: Trojan.Banker.ABR": [[377, 394]], "Indicator: Trj/GdSda.A": [[395, 406]], "Indicator: Msil.Trojan-downloader.Banload.Efkz": [[407, 442]], "Indicator: Trojan-Downloader.MSIL.Banload": [[443, 473]]}, "info": {"id": "cyner2_5class_train_07608", "source": "cyner2_5class_train"}} +{"text": "Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022.", "spans": {"Malware: Trigona ransomware": [[0, 18]], "Organization: security researchers": [[51, 71]]}, "info": {"id": "cyner2_5class_train_07609", "source": "cyner2_5class_train"}} +{"text": "update.exe module and Xenotix Python Keylogger code comparison ‘ addStartup ’ method from msconf.exe module ‘ 
addStartup ’ method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants .", "spans": {"Indicator: update.exe": [[0, 10]], "System: Xenotix Python Keylogger": [[22, 46], [135, 159]], "Indicator: msconf.exe": [[90, 100]], "System: Android": [[220, 227]]}, "info": {"id": "cyner2_5class_train_07610", "source": "cyner2_5class_train"}} +{"text": "THE CAMPAIGN The malware 's primary infection vector is SMS .", "spans": {}, "info": {"id": "cyner2_5class_train_07611", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.A537 Packed.Win32.TDSS!O RiskWare.Tool.CK BehavesLike.Win32.Downloader.dc TR/Bumat.A.2896 Win32.Troj.Undef.kcloud Win-Trojan/Xema.variant PE:Malware.XPACK-HIE/Heur!1.9C48 Trojan.Crypt W32/Malware_fam.NB Win32/Trojan.648", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.A537": [[26, 42]], "Indicator: Packed.Win32.TDSS!O": [[43, 62]], "Indicator: RiskWare.Tool.CK": [[63, 79]], "Indicator: BehavesLike.Win32.Downloader.dc": [[80, 111]], "Indicator: TR/Bumat.A.2896": [[112, 127]], "Indicator: Win32.Troj.Undef.kcloud": [[128, 151]], "Indicator: Win-Trojan/Xema.variant": [[152, 175]], "Indicator: PE:Malware.XPACK-HIE/Heur!1.9C48": [[176, 208]], "Indicator: Trojan.Crypt": [[209, 221]], "Indicator: W32/Malware_fam.NB": [[222, 240]], "Indicator: Win32/Trojan.648": [[241, 257]]}, "info": {"id": "cyner2_5class_train_07612", "source": "cyner2_5class_train"}} +{"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network 
country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone type , network type , data state , data activity , call state , SIM state , whether device is roaming , and if SMS is supported .", "spans": {}, "info": {"id": "cyner2_5class_train_07613", "source": "cyner2_5class_train"}} +{"text": "This post describes the new campaign.", "spans": {}, "info": {"id": "cyner2_5class_train_07614", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.2431 Trojan.MSIL.FKV WS.Reputation.1 Stimilik.S Trojan.Win32.Confuser.dkqarl BehavesLike.Win32.Kudj.gc Trojan/Win32.Stealer PUA.MSIL.Confuser", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.2431": [[26, 42]], "Indicator: Trojan.MSIL.FKV": [[43, 58]], "Indicator: WS.Reputation.1": [[59, 74]], "Indicator: Stimilik.S": [[75, 85]], "Indicator: Trojan.Win32.Confuser.dkqarl": [[86, 114]], "Indicator: BehavesLike.Win32.Kudj.gc": [[115, 140]], "Indicator: Trojan/Win32.Stealer": [[141, 161]], "Indicator: PUA.MSIL.Confuser": [[162, 179]]}, "info": {"id": "cyner2_5class_train_07615", "source": "cyner2_5class_train"}} +{"text": "Attackers also used the name of the top NIC official in the signature of the email, this is to make it look like the email was sent by a high ranking Government official working at NIC National Informatics Centre.", "spans": {"Organization: NIC official": [[40, 52]], "Indicator: the signature of the email,": [[56, 83]], "Organization: Government": [[150, 160]], "Organization: NIC National Informatics Centre.": [[181, 213]]}, "info": {"id": "cyner2_5class_train_07616", "source": "cyner2_5class_train"}} +{"text": "PaloAlto observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs.", "spans": {"Organization: PaloAlto": [[0, 8]], "Indicator: targeted attack": [[20, 35]], "Malware: at": [[57, 59]], "Organization: individual": [[63, 73]], "Organization: French Ministry of 
Foreign Affairs.": [[90, 125]]}, "info": {"id": "cyner2_5class_train_07617", "source": "cyner2_5class_train"}} +{"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised as a legitimate mobile application of moderately broad appeal , such as a media player or social media app .", "spans": {"Malware: Red Alert": [[0, 9]]}, "info": {"id": "cyner2_5class_train_07618", "source": "cyner2_5class_train"}} +{"text": "HMRC taxes application with reference L4TI 2A0A UWSV WASP received", "spans": {"Organization: HMRC": [[0, 4]], "Indicator: taxes application": [[5, 22]], "Indicator: L4TI 2A0A UWSV WASP": [[38, 57]]}, "info": {"id": "cyner2_5class_train_07619", "source": "cyner2_5class_train"}} +{"text": "The infection attempts occurred in September and October of 2015 as public frustration grew at the Mexican government's seemingly contradictory statements about the Narvarte case", "spans": {"Malware: infection": [[4, 13]], "Malware: at": [[92, 94]], "Organization: the Mexican government's": [[95, 119]], "Organization: the Narvarte case": [[161, 178]]}, "info": {"id": "cyner2_5class_train_07620", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm/W32.Mydoom.28864 W32.Mydoom.M W32/Mydoom.o@MM W32/Mydoom.m I-Worm.Mydoom!qBn5HU3v+Lw W32/Mydoom.O@mm W32.Mydoom.M@mm MyDoom.L@mm Win32/Mydoom.O Win32.Mydoom.m Worm.Mydoom-27 Email-Worm.Win32.Mydoom.m I-Worm.Win32.Mydoom.28864.A Email-Worm.Win32.Mydoom!IK Worm.Win32.Mydoom.R Win32.HLLM.MyDoom.54464 Worm/Mydoom.O.1 W32/Mydoom.o@MM Worm/Sramota.bef Worm/Win32.Mydoom Worm:Win32/Mydoom.O@mm W32/Mydoom.O@mm Win32/Mydoom.worm.49344.B Email-Worm.Win32.Mydoom.m Win32/Mydoom.R Worm.Mail.Mydoom.dh Email-Worm.Win32.Mydoom W32/Mydoom.M!dam I-Worm/Mydoom.O W32/Mydoom.N.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Mydoom.28864": [[26, 47]], "Indicator: W32.Mydoom.M": [[48, 
60]], "Indicator: W32/Mydoom.o@MM": [[61, 76], [346, 361]], "Indicator: W32/Mydoom.m": [[77, 89]], "Indicator: I-Worm.Mydoom!qBn5HU3v+Lw": [[90, 115]], "Indicator: W32/Mydoom.O@mm": [[116, 131], [420, 435]], "Indicator: W32.Mydoom.M@mm": [[132, 147]], "Indicator: MyDoom.L@mm": [[148, 159]], "Indicator: Win32/Mydoom.O": [[160, 174]], "Indicator: Win32.Mydoom.m": [[175, 189]], "Indicator: Worm.Mydoom-27": [[190, 204]], "Indicator: Email-Worm.Win32.Mydoom.m": [[205, 230], [462, 487]], "Indicator: I-Worm.Win32.Mydoom.28864.A": [[231, 258]], "Indicator: Email-Worm.Win32.Mydoom!IK": [[259, 285]], "Indicator: Worm.Win32.Mydoom.R": [[286, 305]], "Indicator: Win32.HLLM.MyDoom.54464": [[306, 329]], "Indicator: Worm/Mydoom.O.1": [[330, 345]], "Indicator: Worm/Sramota.bef": [[362, 378]], "Indicator: Worm/Win32.Mydoom": [[379, 396]], "Indicator: Worm:Win32/Mydoom.O@mm": [[397, 419]], "Indicator: Win32/Mydoom.worm.49344.B": [[436, 461]], "Indicator: Win32/Mydoom.R": [[488, 502]], "Indicator: Worm.Mail.Mydoom.dh": [[503, 522]], "Indicator: Email-Worm.Win32.Mydoom": [[523, 546]], "Indicator: W32/Mydoom.M!dam": [[547, 563]], "Indicator: I-Worm/Mydoom.O": [[564, 579]], "Indicator: W32/Mydoom.N.worm": [[580, 597]]}, "info": {"id": "cyner2_5class_train_07621", "source": "cyner2_5class_train"}} +{"text": "The news organization provides reporting on its website in English, Georgian, and Russian.", "spans": {"Organization: news organization": [[4, 21]], "Indicator: website": [[48, 55]]}, "info": {"id": "cyner2_5class_train_07622", "source": "cyner2_5class_train"}} +{"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: Desert Scorpion": [[93, 108]], "System: Google Play Store": [[116, 133]]}, "info": {"id": "cyner2_5class_train_07623", "source": "cyner2_5class_train"}} +{"text": "Mandiant suspects UNC2970 specifically targeted security 
researchers in this operation.", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: security researchers": [[48, 68]]}, "info": {"id": "cyner2_5class_train_07624", "source": "cyner2_5class_train"}} +{"text": "It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target .", "spans": {}, "info": {"id": "cyner2_5class_train_07625", "source": "cyner2_5class_train"}} +{"text": "jhfrte.jar : This is a java archive file downloaded from server .", "spans": {}, "info": {"id": "cyner2_5class_train_07626", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.LoringK.Trojan Backdoor.Bot.158614 Trojan-Dropper.Win32!O TrojanDropper.Loring.A11 Backdoor.Bot.158614 Backdoor.IRCBot Trojan/IRCBot.ov WORM_KWBOT.AR W32/Risk.VXNU-4867 W32.Kwbot.Worm Win32/Loring.A WORM_KWBOT.AR Win.Trojan.Obfuscated-1662 Backdoor.Bot.158614 Trojan.Win32.Reconyc.gunk Backdoor.Bot.158614 Trojan.Win32.IRCBot.dmigck Dropper.Loring.291411 Backdoor.Bot.158614 Backdoor.Bot.158614 Trojan.MulDrop5.7150 Trojan.Reconyc.Win32.6040 WORM/IrcBot.86875 Trojan[Backdoor]/Win32.IRCBot Win32.Troj.Loring.EA.kcloud Backdoor.Bot.D26B96 Troj.Dropper.W32.Loring.l8Ew Worm/Win32.IRCBot.R3593 TScope.Trojan.Delf Trojan.IRCBot.OV Win32/IRCBot.OV Trojan.DR.Loring!O3IAMVgzzx8 Trojan-Dropper.Win32.Loring", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.LoringK.Trojan": [[26, 50]], "Indicator: Backdoor.Bot.158614": [[51, 70], [119, 138], [276, 295], [322, 341], [391, 410], [411, 430]], "Indicator: Trojan-Dropper.Win32!O": [[71, 93]], "Indicator: TrojanDropper.Loring.A11": [[94, 118]], "Indicator: Backdoor.IRCBot": [[139, 154]], "Indicator: Trojan/IRCBot.ov": [[155, 171]], "Indicator: WORM_KWBOT.AR": [[172, 185], [235, 248]], "Indicator: W32/Risk.VXNU-4867": [[186, 204]], "Indicator: W32.Kwbot.Worm": [[205, 219]], "Indicator: Win32/Loring.A": [[220, 234]], "Indicator: Win.Trojan.Obfuscated-1662": [[249, 275]], "Indicator: 
Trojan.Win32.Reconyc.gunk": [[296, 321]], "Indicator: Trojan.Win32.IRCBot.dmigck": [[342, 368]], "Indicator: Dropper.Loring.291411": [[369, 390]], "Indicator: Trojan.MulDrop5.7150": [[431, 451]], "Indicator: Trojan.Reconyc.Win32.6040": [[452, 477]], "Indicator: WORM/IrcBot.86875": [[478, 495]], "Indicator: Trojan[Backdoor]/Win32.IRCBot": [[496, 525]], "Indicator: Win32.Troj.Loring.EA.kcloud": [[526, 553]], "Indicator: Backdoor.Bot.D26B96": [[554, 573]], "Indicator: Troj.Dropper.W32.Loring.l8Ew": [[574, 602]], "Indicator: Worm/Win32.IRCBot.R3593": [[603, 626]], "Indicator: TScope.Trojan.Delf": [[627, 645]], "Indicator: Trojan.IRCBot.OV": [[646, 662]], "Indicator: Win32/IRCBot.OV": [[663, 678]], "Indicator: Trojan.DR.Loring!O3IAMVgzzx8": [[679, 707]], "Indicator: Trojan-Dropper.Win32.Loring": [[708, 735]]}, "info": {"id": "cyner2_5class_train_07627", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/Injector.iuc Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Pushbot.AJZ WORM_PALEVO.SMA Win.Trojan.Ircbrute-54 Trojan.Win32.Ircbrute.eqsrw Trojan.Spambot.9818 Trojan.Injector.Win32.53831 WORM_PALEVO.SMA BehavesLike.Win32.PWSZbot.lh Backdoor.Win32.IRCBot Trojan/Win32.Unknown Trojan:Win32/Ircbrute.B Trojan.Graftor.DCFC Worm/Win32.Ckbface.R16129 Trojan.Injector!aNdlYeuOVuU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Injector.iuc": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[46, 88]], "Indicator: Win32/Pushbot.AJZ": [[89, 106]], "Indicator: WORM_PALEVO.SMA": [[107, 122], [222, 237]], "Indicator: Win.Trojan.Ircbrute-54": [[123, 145]], "Indicator: Trojan.Win32.Ircbrute.eqsrw": [[146, 173]], "Indicator: Trojan.Spambot.9818": [[174, 193]], "Indicator: Trojan.Injector.Win32.53831": [[194, 221]], "Indicator: BehavesLike.Win32.PWSZbot.lh": [[238, 266]], "Indicator: Backdoor.Win32.IRCBot": [[267, 288]], "Indicator: Trojan/Win32.Unknown": [[289, 309]], "Indicator: Trojan:Win32/Ircbrute.B": [[310, 333]], 
"Indicator: Trojan.Graftor.DCFC": [[334, 353]], "Indicator: Worm/Win32.Ckbface.R16129": [[354, 379]], "Indicator: Trojan.Injector!aNdlYeuOVuU": [[380, 407]]}, "info": {"id": "cyner2_5class_train_07628", "source": "cyner2_5class_train"}} +{"text": "While the malware was not detectable by endpoint antivirus products, RSA Security Analytics was able to identify and alert on its network traffic, and RSA ECAT subsequently identified the malware.", "spans": {"Malware: malware": [[10, 17]], "Organization: RSA Security Analytics": [[69, 91]], "Indicator: network traffic,": [[130, 146]], "Organization: RSA ECAT": [[151, 159]], "Malware: malware.": [[188, 196]]}, "info": {"id": "cyner2_5class_train_07629", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Script.400873 Exploit/PDF-URI2.AS Exploit-PDF.f Exploit.W32.Pidief!c PDF.Exploit.Pidief.an Bloodhound.PDF.9 Trojan.Script.400873 Exploit.Win32.Pidief.asz Trojan.Script.400873 Exploit.Script.Pidief.ibwe PDF.S.Exploit.10714 Win32.Exploit.Pidief.Anfp Trojan.Script.400873 Exploit.JS.Pdfka.MJ Trojan.Script.400873 Exploit.PDF.303 HEUR_PDFEXP.B BehavesLike.PDF.Trojan.lr Exploit:Win32/Pdffir.A Trojan.Script.D61DE9 Exploit.Win32.Pidief.asz PDF/Pidief.EI Trojan.Script.400873 Exploit.Win32.Pidief.asz JS.Crypt.BSP Exploit.JS.Pdfka JS/Pdfka.BSP!exploit virus.pdf.20090837.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script.400873": [[26, 46], [141, 161], [187, 207], [281, 301], [322, 342], [482, 502]], "Indicator: Exploit/PDF-URI2.AS": [[47, 66]], "Indicator: Exploit-PDF.f": [[67, 80]], "Indicator: Exploit.W32.Pidief!c": [[81, 101]], "Indicator: PDF.Exploit.Pidief.an": [[102, 123]], "Indicator: Bloodhound.PDF.9": [[124, 140]], "Indicator: Exploit.Win32.Pidief.asz": [[162, 186], [443, 467], [503, 527]], "Indicator: Exploit.Script.Pidief.ibwe": [[208, 234]], "Indicator: PDF.S.Exploit.10714": [[235, 254]], "Indicator: Win32.Exploit.Pidief.Anfp": [[255, 280]], "Indicator: Exploit.JS.Pdfka.MJ": 
[[302, 321]], "Indicator: Exploit.PDF.303": [[343, 358]], "Indicator: HEUR_PDFEXP.B": [[359, 372]], "Indicator: BehavesLike.PDF.Trojan.lr": [[373, 398]], "Indicator: Exploit:Win32/Pdffir.A": [[399, 421]], "Indicator: Trojan.Script.D61DE9": [[422, 442]], "Indicator: PDF/Pidief.EI": [[468, 481]], "Indicator: JS.Crypt.BSP": [[528, 540]], "Indicator: Exploit.JS.Pdfka": [[541, 557]], "Indicator: JS/Pdfka.BSP!exploit": [[558, 578]], "Indicator: virus.pdf.20090837.1": [[579, 599]]}, "info": {"id": "cyner2_5class_train_07630", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DropperZbotS.Trojan Trojan-Spy.Win32.Zbot!O Trojan.AutoIt.Pik.A Backdoor/Poison.evja Trojan.Zbot Trojan.Win32.Autoit.pik Trojan.Win32.Autoit.exoora Trojan.Win32.Z.Autoit.955563 Troj.W32.Autoit!c BehavesLike.Win32.Dropper.dc Trojan.Win32.Injector Trojan.Autoit.kzp TR/AD.Zbot.cgaww Trojan.Win32.Autoit.pik Trojan:Win32/Krilog.A Trojan.Autoit.F Win32/Injector.Autoit.AOI Win32.Trojan.Autoit.Edne W32/Autoit.NWS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DropperZbotS.Trojan": [[26, 49]], "Indicator: Trojan-Spy.Win32.Zbot!O": [[50, 73]], "Indicator: Trojan.AutoIt.Pik.A": [[74, 93]], "Indicator: Backdoor/Poison.evja": [[94, 114]], "Indicator: Trojan.Zbot": [[115, 126]], "Indicator: Trojan.Win32.Autoit.pik": [[127, 150], [311, 334]], "Indicator: Trojan.Win32.Autoit.exoora": [[151, 177]], "Indicator: Trojan.Win32.Z.Autoit.955563": [[178, 206]], "Indicator: Troj.W32.Autoit!c": [[207, 224]], "Indicator: BehavesLike.Win32.Dropper.dc": [[225, 253]], "Indicator: Trojan.Win32.Injector": [[254, 275]], "Indicator: Trojan.Autoit.kzp": [[276, 293]], "Indicator: TR/AD.Zbot.cgaww": [[294, 310]], "Indicator: Trojan:Win32/Krilog.A": [[335, 356]], "Indicator: Trojan.Autoit.F": [[357, 372]], "Indicator: Win32/Injector.Autoit.AOI": [[373, 398]], "Indicator: Win32.Trojan.Autoit.Edne": [[399, 423]], "Indicator: W32/Autoit.NWS!tr": [[424, 441]]}, "info": {"id": 
"cyner2_5class_train_07631", "source": "cyner2_5class_train"}} +{"text": "Several hardcoded applications targeted by the MDM-grabbing command ‘ wifi ’ – this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled .", "spans": {}, "info": {"id": "cyner2_5class_train_07632", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.DakusarDRW.Trojan Trojan.Blocker.Win32.34866 Trojan.DownLoader24.32105 BehavesLike.Win32.Shodi.tc Worm:Win32/Icorimg.A Trojan.Strictor.D1C7BA HEUR/Fakon.mwf Trojan.Worm!33g50yRKTx8 Trojan.FLCM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DakusarDRW.Trojan": [[26, 47]], "Indicator: Trojan.Blocker.Win32.34866": [[48, 74]], "Indicator: Trojan.DownLoader24.32105": [[75, 100]], "Indicator: BehavesLike.Win32.Shodi.tc": [[101, 127]], "Indicator: Worm:Win32/Icorimg.A": [[128, 148]], "Indicator: Trojan.Strictor.D1C7BA": [[149, 171]], "Indicator: HEUR/Fakon.mwf": [[172, 186]], "Indicator: Trojan.Worm!33g50yRKTx8": [[187, 210]], "Indicator: Trojan.FLCM!tr": [[211, 225]]}, "info": {"id": "cyner2_5class_train_07633", "source": "cyner2_5class_train"}} +{"text": "First , an activity named MainActivity fires up , taking care of hiding the icon and showing the fake notification .", "spans": {}, "info": {"id": "cyner2_5class_train_07634", "source": "cyner2_5class_train"}} +{"text": "Upon further inspection, the RAT appeared to share many similarities with an old Chinese backdoor known as Hacker's Door first released publicly in 2004 and updated in 2005.", "spans": {"Malware: the RAT": [[25, 32]], "Malware: an old Chinese backdoor": [[74, 97]], "Malware: Hacker's Door": [[107, 120]]}, "info": {"id": "cyner2_5class_train_07635", "source": "cyner2_5class_train"}} +{"text": "Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community , there is a certainly demand for a new service .", "spans": 
{"Malware: Android": [[55, 62]]}, "info": {"id": "cyner2_5class_train_07636", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: BackDoor-CMQ.dldr Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_HORST.SMPE Monitor.W32.WebWatcher.lt5Y TROJ_HORST.SMPE BackDoor-CMQ.dldr Trojan.Graftor.D476C BScope.Malware-Cryptor.Win32.313 Trojan.Win32.Cosmu W32/Dloader.BOW!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-CMQ.dldr": [[26, 43], [147, 164]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[44, 86]], "Indicator: TROJ_HORST.SMPE": [[87, 102], [131, 146]], "Indicator: Monitor.W32.WebWatcher.lt5Y": [[103, 130]], "Indicator: Trojan.Graftor.D476C": [[165, 185]], "Indicator: BScope.Malware-Cryptor.Win32.313": [[186, 218]], "Indicator: Trojan.Win32.Cosmu": [[219, 237]], "Indicator: W32/Dloader.BOW!tr.dldr": [[238, 261]]}, "info": {"id": "cyner2_5class_train_07637", "source": "cyner2_5class_train"}} +{"text": "The campaign was active between November 2016 and January 2017, targeting a limited number of people.", "spans": {"Organization: limited number of people.": [[76, 101]]}, "info": {"id": "cyner2_5class_train_07638", "source": "cyner2_5class_train"}} +{"text": "In this particular case , the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window , as shown in the following code snippet : Targets Some examples of phishing overlays are shown below .", "spans": {}, "info": {"id": "cyner2_5class_train_07639", "source": "cyner2_5class_train"}} +{"text": "Quasar is a .NET Framework-based open-source RAT.", "spans": {"Malware: Quasar": [[0, 6]], "System: .NET": [[12, 16]], "Malware: RAT.": [[45, 49]]}, "info": {"id": "cyner2_5class_train_07640", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Z.Delf.2373896 Troj.Spy.W32.Zbot.lw7D Win32.Trojan-downloader.Rakhni.Html 
Trojan-Downloader.Win32.Delf W32/Application.AJYX-3726 TrojanDownloader.Rakhni.ec TR/Dldr.Delf.tbxxd W32/Dloader.CDW!tr Trojan[Downloader]/Win32.Rakhni Trojan.Application.Bundler.InstallMonster.392 Trojan-Downloader.Win32.Rakhni.jqc Trj/CI.A Win32/Trojan.036", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Z.Delf.2373896": [[26, 53]], "Indicator: Troj.Spy.W32.Zbot.lw7D": [[54, 76]], "Indicator: Win32.Trojan-downloader.Rakhni.Html": [[77, 112]], "Indicator: Trojan-Downloader.Win32.Delf": [[113, 141]], "Indicator: W32/Application.AJYX-3726": [[142, 167]], "Indicator: TrojanDownloader.Rakhni.ec": [[168, 194]], "Indicator: TR/Dldr.Delf.tbxxd": [[195, 213]], "Indicator: W32/Dloader.CDW!tr": [[214, 232]], "Indicator: Trojan[Downloader]/Win32.Rakhni": [[233, 264]], "Indicator: Trojan.Application.Bundler.InstallMonster.392": [[265, 310]], "Indicator: Trojan-Downloader.Win32.Rakhni.jqc": [[311, 345]], "Indicator: Trj/CI.A": [[346, 354]], "Indicator: Win32/Trojan.036": [[355, 371]]}, "info": {"id": "cyner2_5class_train_07641", "source": "cyner2_5class_train"}} +{"text": ") If the application hasn ’ t received instructions about the rules for processing incoming SMSs , it simply saves all SMSs to a local database and uploads them to the C & C .", "spans": {}, "info": {"id": "cyner2_5class_train_07642", "source": "cyner2_5class_train"}} +{"text": "While it is not clear whether the primary goal of the attack was delivering the malicious payload or capturing the targets OWA credentials, this attack uses an OWA phish to additionally pushes a malicious document with a Veil-Framework payload capable of downloading further malware.", "spans": {"Indicator: attack": [[54, 60]], "Malware: malicious payload": [[80, 97]], "Organization: OWA": [[123, 126]], "Malware: attack": [[145, 151]], "Vulnerability: OWA": [[160, 163]], "Indicator: phish": [[164, 169]], "Indicator: malicious document": [[195, 213]], "Malware: Veil-Framework payload": [[221, 243]], "Malware: 
malware.": [[275, 283]]}, "info": {"id": "cyner2_5class_train_07643", "source": "cyner2_5class_train"}} +{"text": "The second Project Spy version has similar capabilities to the first version , with the addition of the following : Stealing notification messages sent from WhatsApp , Facebook , and Telegram Abandoning the FTP mode of uploading the recorded images Aside from changing the app ’ s supposed function and look , the second and third versions ’ codes had little differences .", "spans": {"Malware: Project Spy": [[11, 22]], "System: WhatsApp": [[157, 165]], "System: Facebook": [[168, 176]], "System: Telegram": [[183, 191]]}, "info": {"id": "cyner2_5class_train_07644", "source": "cyner2_5class_train"}} +{"text": "Installed with backdoored software, for example:- Telegram.exe - mech_korolya_artura_2017.HDRip.exe", "spans": {"Malware: backdoored software, for": [[15, 39]], "Indicator: Telegram.exe": [[50, 62]], "Indicator: mech_korolya_artura_2017.HDRip.exe": [[65, 99]]}, "info": {"id": "cyner2_5class_train_07645", "source": "cyner2_5class_train"}} +{"text": "Founded in 2013, the Android Marcher mobile malware has widely been targeting Google Play -- harvesting user credentials and credit card data.", "spans": {"Malware: Android Marcher mobile malware": [[21, 51]], "System: Google Play": [[78, 89]], "Indicator: credentials and credit card data.": [[109, 142]]}, "info": {"id": "cyner2_5class_train_07646", "source": "cyner2_5class_train"}} +{"text": "Ransomware persists as one of the top crimeware threats thus far into 2016.", "spans": {"Malware: Ransomware": [[0, 10]], "Malware: crimeware threats": [[38, 55]]}, "info": {"id": "cyner2_5class_train_07647", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.AxVDb.Trojan Trojan.Rincux.AW Trojan.Injector.26488 Trojan.Rincux.AW Trojan.Injector Tool.StormAttack.Win32.10 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Rincux-6417593-0 Trojan-DDoS.Win32.StormAttack.c 
Trojan.Rincux.AW Trojan.Win32.Tdss.bziyas Trojan.Rincux.AW TrojWare.Win32.Magania.~AAC DDoS.Storm.156 BehavesLike.Win32.Backdoor.km TrojanDDoS.StormAttack.a Trojan[Rootkit]/Win32.TDSS DDoS:Win32/Stormser.A Trojan.Rincux.AW Trojan-DDoS.Win32.StormAttack.c BScope.Trojan.Win32.Inject.2 Trojan-Downloader.Win32.Pangu W32/ServStart.AS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.AxVDb.Trojan": [[26, 48]], "Indicator: Trojan.Rincux.AW": [[49, 65], [88, 104], [266, 282], [308, 324], [472, 488]], "Indicator: Trojan.Injector.26488": [[66, 87]], "Indicator: Trojan.Injector": [[105, 120]], "Indicator: Tool.StormAttack.Win32.10": [[121, 146]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[147, 189]], "Indicator: Backdoor.Trojan": [[190, 205]], "Indicator: Win.Trojan.Rincux-6417593-0": [[206, 233]], "Indicator: Trojan-DDoS.Win32.StormAttack.c": [[234, 265], [489, 520]], "Indicator: Trojan.Win32.Tdss.bziyas": [[283, 307]], "Indicator: TrojWare.Win32.Magania.~AAC": [[325, 352]], "Indicator: DDoS.Storm.156": [[353, 367]], "Indicator: BehavesLike.Win32.Backdoor.km": [[368, 397]], "Indicator: TrojanDDoS.StormAttack.a": [[398, 422]], "Indicator: Trojan[Rootkit]/Win32.TDSS": [[423, 449]], "Indicator: DDoS:Win32/Stormser.A": [[450, 471]], "Indicator: BScope.Trojan.Win32.Inject.2": [[521, 549]], "Indicator: Trojan-Downloader.Win32.Pangu": [[550, 579]], "Indicator: W32/ServStart.AS!tr": [[580, 599]]}, "info": {"id": "cyner2_5class_train_07648", "source": "cyner2_5class_train"}} +{"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says .", "spans": {}, "info": {"id": "cyner2_5class_train_07649", "source": "cyner2_5class_train"}} +{"text": "] com Given that there is some overlap in the previous two versions , it came as no surprise to us that we finally identified a sample which is an evolution based on both previous 
versions .", "spans": {}, "info": {"id": "cyner2_5class_train_07650", "source": "cyner2_5class_train"}} +{"text": "Daserf's main purpose is information stealing and the Trojan is capable of gathering information from infected computers and relaying it back to attacker-controlled servers.", "spans": {"Malware: Daserf's": [[0, 8]], "Indicator: information stealing": [[25, 45]], "Malware: Trojan": [[54, 60]], "Indicator: gathering information": [[75, 96]], "System: infected computers": [[102, 120]], "System: attacker-controlled servers.": [[145, 173]]}, "info": {"id": "cyner2_5class_train_07651", "source": "cyner2_5class_train"}} +{"text": "Due to new EU money laundering guidelines , the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system .", "spans": {"Organization: EU": [[11, 13]], "System: Bank Austria security app": [[52, 77]]}, "info": {"id": "cyner2_5class_train_07652", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Flystud!O Trojan.Hookmoot.S217748 Trojan.Symmi.D7D5 Win32.Worm.FlyStudio.mc Trojan.Dropper Win32/SillyAutorun.ALB Win.Trojan.Rootkit-7763 Win32.Trojan.FlyStudio.A Trojan-GameThief.Win32.OnLineGames.boif Trojan.Win32.QQPass.esaped Troj.Dropper.W32.Flystud.lBWL Trojan.MulDrop5.5320 Dropper.Flystud.Win32.139 BehavesLike.Win32.Autorun.vc Trojan/PSW.OnLineGames.cvvq RKIT/Tiny.BK.2 Trojan:Win32/Englov.A Trojan-GameThief.Win32.OnLineGames.boif HEUR/Fakon.mwf Rootkit.Tiny Trojan.AutoRun Win32/FlyStudio.A Trojan.TenThief.QQPsw.tss Worm.Autorun!1DOkY6YfgQ8 Rootkit.Win32.Tiny W32/BDoor.DRV!tr Win32/Trojan.dd5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Flystud!O": [[26, 56]], "Indicator: Trojan.Hookmoot.S217748": [[57, 80]], "Indicator: Trojan.Symmi.D7D5": [[81, 98]], "Indicator: Win32.Worm.FlyStudio.mc": [[99, 122]], "Indicator: Trojan.Dropper": [[123, 137]], "Indicator: Win32/SillyAutorun.ALB": [[138, 160]], "Indicator: 
Win.Trojan.Rootkit-7763": [[161, 184]], "Indicator: Win32.Trojan.FlyStudio.A": [[185, 209]], "Indicator: Trojan-GameThief.Win32.OnLineGames.boif": [[210, 249], [448, 487]], "Indicator: Trojan.Win32.QQPass.esaped": [[250, 276]], "Indicator: Troj.Dropper.W32.Flystud.lBWL": [[277, 306]], "Indicator: Trojan.MulDrop5.5320": [[307, 327]], "Indicator: Dropper.Flystud.Win32.139": [[328, 353]], "Indicator: BehavesLike.Win32.Autorun.vc": [[354, 382]], "Indicator: Trojan/PSW.OnLineGames.cvvq": [[383, 410]], "Indicator: RKIT/Tiny.BK.2": [[411, 425]], "Indicator: Trojan:Win32/Englov.A": [[426, 447]], "Indicator: HEUR/Fakon.mwf": [[488, 502]], "Indicator: Rootkit.Tiny": [[503, 515]], "Indicator: Trojan.AutoRun": [[516, 530]], "Indicator: Win32/FlyStudio.A": [[531, 548]], "Indicator: Trojan.TenThief.QQPsw.tss": [[549, 574]], "Indicator: Worm.Autorun!1DOkY6YfgQ8": [[575, 599]], "Indicator: Rootkit.Win32.Tiny": [[600, 618]], "Indicator: W32/BDoor.DRV!tr": [[619, 635]], "Indicator: Win32/Trojan.dd5": [[636, 652]]}, "info": {"id": "cyner2_5class_train_07653", "source": "cyner2_5class_train"}} +{"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices .", "spans": {"System: Android": [[43, 50]], "System: iOS": [[98, 101]]}, "info": {"id": "cyner2_5class_train_07654", "source": "cyner2_5class_train"}} +{"text": "The code implementation again seems that it has been added for testing purposes only .", "spans": {}, "info": {"id": "cyner2_5class_train_07655", "source": "cyner2_5class_train"}} +{"text": "But we recently identified an app that demonstrated new ways of successfully evading Apple's code review.", "spans": {"Organization: Apple's": [[85, 92]]}, "info": {"id": "cyner2_5class_train_07656", "source": "cyner2_5class_train"}} +{"text": "The stolen credentials may be used for remote access into the victim network if applicable.", "spans": {"Indicator: stolen": [[4, 10]], "Indicator: remote access": [[39, 52]], "System: the 
victim network": [[58, 76]]}, "info": {"id": "cyner2_5class_train_07657", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Darkshell BehavesLike.Win32.Ipamor.nm Trojan[Downloader]/Win32.Delf Trojan:WinNT/Darkshell.C Trojan/Win32.CSon.R1800 Trojan.Win32.Scar.mg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Darkshell": [[26, 42]], "Indicator: BehavesLike.Win32.Ipamor.nm": [[43, 70]], "Indicator: Trojan[Downloader]/Win32.Delf": [[71, 100]], "Indicator: Trojan:WinNT/Darkshell.C": [[101, 125]], "Indicator: Trojan/Win32.CSon.R1800": [[126, 149]], "Indicator: Trojan.Win32.Scar.mg": [[150, 170]]}, "info": {"id": "cyner2_5class_train_07658", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.B01D Troj.Crypt.Tpm!c BehavesLike.Win32.PWSQQPass.vc Trojan:Win32/Valan.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.B01D": [[26, 43]], "Indicator: Troj.Crypt.Tpm!c": [[44, 60]], "Indicator: BehavesLike.Win32.PWSQQPass.vc": [[61, 91]], "Indicator: Trojan:Win32/Valan.A": [[92, 112]]}, "info": {"id": "cyner2_5class_train_07659", "source": "cyner2_5class_train"}} +{"text": "It can also imitate a legitimate website to lure you into revealing your sensitive information.", "spans": {"Indicator: legitimate website": [[22, 40]], "Indicator: sensitive information.": [[73, 95]]}, "info": {"id": "cyner2_5class_train_07660", "source": "cyner2_5class_train"}} +{"text": "Dyreza originally focused on intercepting end-user bank logins, and later expanded to job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories", "spans": {"Malware: Dyreza": [[0, 6]], "Indicator: intercepting end-user bank logins,": [[29, 63]], "Organization: job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories": [[86, 207]]}, "info": {"id": "cyner2_5class_train_07661", "source": 
"cyner2_5class_train"}} +{"text": "Brain Test has been removed from Google Play since September 24.", "spans": {"Malware: Brain Test": [[0, 10]], "System: Google Play": [[33, 44]]}, "info": {"id": "cyner2_5class_train_07662", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.DinwoodAATTC.Worm Trojan.Zenshirsh.SL7 TSPY_EYDROP.SMA Win32/Oflwr.A!crypt TSPY_EYDROP.SMA Win.Worm.Allaple-5 Trojan-Dropper.Win32.Dinwod.acqn Trojan.Win32.Dinwod.ejafor Troj.Dropper.W32.Dinwod.toVw TrojWare.Win32.TrojanDropper.Dinwod.A Trojan.Inject1.58305 BehavesLike.Win32.Dropper.wh TrojanDropper.Dinwod.ale Worm[NET]/Win32.Nimda.gic Trojan-Dropper.Win32.Dinwod.acqn Trojan/Win32.OnlineGameHack.C33730 TrojanDropper.Dinwod Trojan.Dropper Trojan.DR.Dinwod!dCCk6/8cSJk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.DinwoodAATTC.Worm": [[26, 53]], "Indicator: Trojan.Zenshirsh.SL7": [[54, 74]], "Indicator: TSPY_EYDROP.SMA": [[75, 90], [111, 126]], "Indicator: Win32/Oflwr.A!crypt": [[91, 110]], "Indicator: Win.Worm.Allaple-5": [[127, 145]], "Indicator: Trojan-Dropper.Win32.Dinwod.acqn": [[146, 178], [374, 406]], "Indicator: Trojan.Win32.Dinwod.ejafor": [[179, 205]], "Indicator: Troj.Dropper.W32.Dinwod.toVw": [[206, 234]], "Indicator: TrojWare.Win32.TrojanDropper.Dinwod.A": [[235, 272]], "Indicator: Trojan.Inject1.58305": [[273, 293]], "Indicator: BehavesLike.Win32.Dropper.wh": [[294, 322]], "Indicator: TrojanDropper.Dinwod.ale": [[323, 347]], "Indicator: Worm[NET]/Win32.Nimda.gic": [[348, 373]], "Indicator: Trojan/Win32.OnlineGameHack.C33730": [[407, 441]], "Indicator: TrojanDropper.Dinwod": [[442, 462]], "Indicator: Trojan.Dropper": [[463, 477]], "Indicator: Trojan.DR.Dinwod!dCCk6/8cSJk": [[478, 506]]}, "info": {"id": "cyner2_5class_train_07663", "source": "cyner2_5class_train"}} +{"text": "Finally , the specific overlays are designed for Australian financial institutions , and Australia is one of the geographic regions that is accepted by the C2 .", 
"spans": {}, "info": {"id": "cyner2_5class_train_07664", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Win32.Symmi!O WS.Reputation.1 OnLineGames.IRMW Win32/Oflwr.A!crypt Riskware.Win32.FakeLPK.cwuava BackDoor.BlackHole.21297 TR/Obfuscated.XZ.937 HackTool.Sniffer.WpePro PSW.OnlineGames4.BEIZ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Symmi!O": [[26, 46]], "Indicator: WS.Reputation.1": [[47, 62]], "Indicator: OnLineGames.IRMW": [[63, 79]], "Indicator: Win32/Oflwr.A!crypt": [[80, 99]], "Indicator: Riskware.Win32.FakeLPK.cwuava": [[100, 129]], "Indicator: BackDoor.BlackHole.21297": [[130, 154]], "Indicator: TR/Obfuscated.XZ.937": [[155, 175]], "Indicator: HackTool.Sniffer.WpePro": [[176, 199]], "Indicator: PSW.OnlineGames4.BEIZ": [[200, 221]]}, "info": {"id": "cyner2_5class_train_07665", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Connapts Trojan/Small.ndx Trojan.Heur.LP.EDC094 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.MLW.dylhy W32/Trojan.CISW-8628 Backdoor.Bot/Variant Trojan/Win32.Xema.C93063 W32/Small.NDX!tr Win32/Backdoor.796", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Connapts": [[26, 41]], "Indicator: Trojan/Small.ndx": [[42, 58]], "Indicator: Trojan.Heur.LP.EDC094": [[59, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[81, 123]], "Indicator: Trojan.Win32.MLW.dylhy": [[124, 146]], "Indicator: W32/Trojan.CISW-8628": [[147, 167]], "Indicator: Backdoor.Bot/Variant": [[168, 188]], "Indicator: Trojan/Win32.Xema.C93063": [[189, 213]], "Indicator: W32/Small.NDX!tr": [[214, 230]], "Indicator: Win32/Backdoor.796": [[231, 249]]}, "info": {"id": "cyner2_5class_train_07666", "source": "cyner2_5class_train"}} +{"text": "This spring, the author of the NukeBot banking Trojan published the source code of his creation.", "spans": {"Malware: NukeBot banking Trojan": [[31, 53]], "Indicator: the source code": [[64, 79]]}, "info": {"id": 
"cyner2_5class_train_07667", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Adware.ELEXCRTD.Win32.5604 Trojan.Johnnie.D709 not-a-virus:AdWare.Win32.Elex.sgn Adware.Mutabaha.1819 RiskTool.Uncheckit.l TR/Chuckenit.dglxl Trojan:Win32/Chuckenit.A not-a-virus:AdWare.Win32.Elex.sgn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.ELEXCRTD.Win32.5604": [[26, 52]], "Indicator: Trojan.Johnnie.D709": [[53, 72]], "Indicator: not-a-virus:AdWare.Win32.Elex.sgn": [[73, 106], [193, 226]], "Indicator: Adware.Mutabaha.1819": [[107, 127]], "Indicator: RiskTool.Uncheckit.l": [[128, 148]], "Indicator: TR/Chuckenit.dglxl": [[149, 167]], "Indicator: Trojan:Win32/Chuckenit.A": [[168, 192]]}, "info": {"id": "cyner2_5class_train_07668", "source": "cyner2_5class_train"}} +{"text": "This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.", "spans": {"Malware: Carbon": [[92, 98]]}, "info": {"id": "cyner2_5class_train_07669", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Slingup BKDR_SLINGUP.M W32/Zbot.AAJD Backdoor.Trojan BKDR_SLINGUP.M Trojan.Win32.Yakes.pqep Trojan.Win32.Inject.ecmohu Trojan.Win32.Z.Yakes.672768 Troj.W32.Yakes.tn6w BackDoor.Tordev.8 Trojan.Win32.Injector W32/Zbot.EUMY-8878 TR/Injector.juol Trojan/Win32.Yakes Trojan:Win32/Casidel.A Trojan.Win32.Yakes.pqep Trojan.Yakes Trojan.Yakes Trj/CI.A Win32/Injector.CXUT Win32.Trojan.Yakes.Ehid Trojan.Yakes!YuLYvE8ikp0 W32/Injector.CGQK!tr Win32/Trojan.621", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Slingup": [[26, 42]], "Indicator: BKDR_SLINGUP.M": [[43, 57], [88, 102]], "Indicator: W32/Zbot.AAJD": [[58, 71]], "Indicator: Backdoor.Trojan": [[72, 87]], "Indicator: Trojan.Win32.Yakes.pqep": [[103, 126], [320, 343]], "Indicator: Trojan.Win32.Inject.ecmohu": [[127, 153]], "Indicator: Trojan.Win32.Z.Yakes.672768": [[154, 181]], "Indicator: Troj.W32.Yakes.tn6w": [[182, 201]], "Indicator: 
BackDoor.Tordev.8": [[202, 219]], "Indicator: Trojan.Win32.Injector": [[220, 241]], "Indicator: W32/Zbot.EUMY-8878": [[242, 260]], "Indicator: TR/Injector.juol": [[261, 277]], "Indicator: Trojan/Win32.Yakes": [[278, 296]], "Indicator: Trojan:Win32/Casidel.A": [[297, 319]], "Indicator: Trojan.Yakes": [[344, 356], [357, 369]], "Indicator: Trj/CI.A": [[370, 378]], "Indicator: Win32/Injector.CXUT": [[379, 398]], "Indicator: Win32.Trojan.Yakes.Ehid": [[399, 422]], "Indicator: Trojan.Yakes!YuLYvE8ikp0": [[423, 447]], "Indicator: W32/Injector.CGQK!tr": [[448, 468]], "Indicator: Win32/Trojan.621": [[469, 485]]}, "info": {"id": "cyner2_5class_train_07670", "source": "cyner2_5class_train"}} +{"text": "We do not know exactly how many people have been infected with RuMMS malware .", "spans": {"Malware: RuMMS": [[63, 68]]}, "info": {"id": "cyner2_5class_train_07671", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.27 W32/Virut.AI W32.Virut.CF Win32/Virut.17408 PE_VIRUX.A-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.tt Virus.Win32.Virut.CE Trojan.MulDrop1.57199 PE_VIRUX.A-1 BehavesLike.Win32.Virut.dc W32/Virut.AI Win32/Virut.bn Trojan[Dropper]/Win32.Injector Win32.Virut.nc.53248 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32.Virut.E Win32/Virut.NBP IM-Worm.Win32.Zeroll W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.27": [[73, 93]], "Indicator: W32/Virut.AI": [[94, 106], [299, 311]], "Indicator: W32.Virut.CF": [[107, 119]], "Indicator: Win32/Virut.17408": [[120, 137]], "Indicator: PE_VIRUX.A-1": [[138, 150], [259, 271]], "Indicator: Virus.Win32.Virut.ce": [[151, 171], [379, 399]], "Indicator: Virus.Win32.Virut.hpeg": [[172, 194]], "Indicator: Virus.Win32.Virut.tt": [[195, 
215]], "Indicator: Virus.Win32.Virut.CE": [[216, 236]], "Indicator: Trojan.MulDrop1.57199": [[237, 258]], "Indicator: BehavesLike.Win32.Virut.dc": [[272, 298]], "Indicator: Win32/Virut.bn": [[312, 326]], "Indicator: Trojan[Dropper]/Win32.Injector": [[327, 357]], "Indicator: Win32.Virut.nc.53248": [[358, 378]], "Indicator: Win32/Virut.F": [[400, 413]], "Indicator: Virus.Virut.06": [[414, 428]], "Indicator: Win32.Virut.E": [[429, 442]], "Indicator: Win32/Virut.NBP": [[443, 458]], "Indicator: IM-Worm.Win32.Zeroll": [[459, 479]], "Indicator: W32/Sality.AO": [[480, 493]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[494, 524]]}, "info": {"id": "cyner2_5class_train_07672", "source": "cyner2_5class_train"}} +{"text": "Spreads via password guessing over networks", "spans": {}, "info": {"id": "cyner2_5class_train_07673", "source": "cyner2_5class_train"}} +{"text": "The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia .", "spans": {}, "info": {"id": "cyner2_5class_train_07674", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Kitoles Trojan.Ransom.Scarab Win32.Trojan.WisdomEyes.16070401.9500.9547 W32/Trojan.LUOM-4097 Ransom.CryptXXX Win.Ransomware.Scarab-6336012-1 Win32.Trojan-Ransom.Amnesia.J52DUW Trojan.Win32.Encoder.ewdzie Trojan.Win32.Z.Securityshield.193058 Trojan.Encoder.23898 Trojan-Ransom.FileCoder Trojan.Purga.w Trojan.Ransom.Scarab.3 Ransom:Win32/Kitoles.A Trojan/Win32.Scarab.R213792 Trojan-Ransom.Purga Win32.Trojan.Filecoder.Phqc Win32/Trojan.Ransom.089", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kitoles": [[26, 40]], "Indicator: Trojan.Ransom.Scarab": [[41, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9547": [[62, 104]], "Indicator: W32/Trojan.LUOM-4097": [[105, 125]], "Indicator: Ransom.CryptXXX": [[126, 141]], "Indicator: Win.Ransomware.Scarab-6336012-1": [[142, 
173]], "Indicator: Win32.Trojan-Ransom.Amnesia.J52DUW": [[174, 208]], "Indicator: Trojan.Win32.Encoder.ewdzie": [[209, 236]], "Indicator: Trojan.Win32.Z.Securityshield.193058": [[237, 273]], "Indicator: Trojan.Encoder.23898": [[274, 294]], "Indicator: Trojan-Ransom.FileCoder": [[295, 318]], "Indicator: Trojan.Purga.w": [[319, 333]], "Indicator: Trojan.Ransom.Scarab.3": [[334, 356]], "Indicator: Ransom:Win32/Kitoles.A": [[357, 379]], "Indicator: Trojan/Win32.Scarab.R213792": [[380, 407]], "Indicator: Trojan-Ransom.Purga": [[408, 427]], "Indicator: Win32.Trojan.Filecoder.Phqc": [[428, 455]], "Indicator: Win32/Trojan.Ransom.089": [[456, 479]]}, "info": {"id": "cyner2_5class_train_07675", "source": "cyner2_5class_train"}} +{"text": "This specific downloader, Cmstar, is associated with the Lurid downloader also known as Enfal'.", "spans": {"Malware: downloader, Cmstar,": [[14, 33]], "Malware: Lurid downloader": [[57, 73]], "Malware: Enfal'.": [[88, 95]]}, "info": {"id": "cyner2_5class_train_07676", "source": "cyner2_5class_train"}} +{"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation .", "spans": {"Malware: GlanceLove": [[41, 51]]}, "info": {"id": "cyner2_5class_train_07677", "source": "cyner2_5class_train"}} +{"text": "Recently Malwarebytes got access to several elements of the espionage toolkit that has been captured attacking Vietnamese institutions.", "spans": {"Organization: Malwarebytes": [[9, 21]], "Malware: espionage toolkit": [[60, 77]], "Indicator: attacking": [[101, 110]], "Organization: Vietnamese institutions.": [[111, 135]]}, "info": {"id": "cyner2_5class_train_07678", "source": "cyner2_5class_train"}} +{"text": "I am not entirely sure what it is but it has some indications of fareit Trojan.", "spans": {"Indicator: indications": [[50, 61]], "Malware: fareit Trojan.": [[65, 79]]}, "info": {"id": "cyner2_5class_train_07679", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dos.Bonk.C 
DoS.Win32.Bonk!O Dos.Bonk Win32.Trojan.Bonk.Tcwa W32/Tool.FPXO-2436 DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Win32.Bonk.ddda TrojWare.Win32.DoS.Bonk.C Trojan.Dos.Bonk.C Trojan.Inject.654 BehavesLike.Win32.ExploitMydoom.mm Backdoor.Win32.HacDef W32/VirTool.RO TR/RedCap.kudtu DoS:Win32/Bonk.C Trojan.Dos.Bonk.C DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Asthma.23305 Trojan.Dos.Bonk.C Trojan.Dos.Bonk.C Win32/DoS.Bonk.C DoS.Bonk!CFlP7tiJI8A DoS/Bonk.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dos.Bonk.C": [[26, 43], [129, 146], [196, 213], [337, 354], [372, 389], [410, 427], [428, 445]], "Indicator: DoS.Win32.Bonk!O": [[44, 60]], "Indicator: Dos.Bonk": [[61, 69]], "Indicator: Win32.Trojan.Bonk.Tcwa": [[70, 92]], "Indicator: W32/Tool.FPXO-2436": [[93, 111]], "Indicator: DoS.Win32.Bonk.c": [[112, 128], [355, 371]], "Indicator: Trojan.Win32.Bonk.ddda": [[147, 169]], "Indicator: TrojWare.Win32.DoS.Bonk.C": [[170, 195]], "Indicator: Trojan.Inject.654": [[214, 231]], "Indicator: BehavesLike.Win32.ExploitMydoom.mm": [[232, 266]], "Indicator: Backdoor.Win32.HacDef": [[267, 288]], "Indicator: W32/VirTool.RO": [[289, 303]], "Indicator: TR/RedCap.kudtu": [[304, 319]], "Indicator: DoS:Win32/Bonk.C": [[320, 336]], "Indicator: Trojan.Asthma.23305": [[390, 409]], "Indicator: Win32/DoS.Bonk.C": [[446, 462]], "Indicator: DoS.Bonk!CFlP7tiJI8A": [[463, 483]], "Indicator: DoS/Bonk.A": [[484, 494]]}, "info": {"id": "cyner2_5class_train_07680", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Duqu Trojan.Duqu.Win32.13 TROJ_DUQU.DEC Win32.Trojan.WisdomEyes.16070401.9500.9587 Win32/Duqu.A TROJ_DUQU.DEC Win.Trojan.Duqu-14 Trojan.Win32.Duqu.evvbpp Trojan.Duqu.2 W32/Trojan.CVVB-9378 TR/Offend.6750706 W32/Duqu.A!tr Trojan:Win32/Duqu.C Worm/Win32.Stuxnet.R608 Trojan.Duqu!ZB0mf9vKpU8 Trojan.Win32.Urelas Win32/Trojan.d72", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Duqu": [[26, 37]], "Indicator: Trojan.Duqu.Win32.13": [[38, 58]], 
"Indicator: TROJ_DUQU.DEC": [[59, 72], [129, 142]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9587": [[73, 115]], "Indicator: Win32/Duqu.A": [[116, 128]], "Indicator: Win.Trojan.Duqu-14": [[143, 161]], "Indicator: Trojan.Win32.Duqu.evvbpp": [[162, 186]], "Indicator: Trojan.Duqu.2": [[187, 200]], "Indicator: W32/Trojan.CVVB-9378": [[201, 221]], "Indicator: TR/Offend.6750706": [[222, 239]], "Indicator: W32/Duqu.A!tr": [[240, 253]], "Indicator: Trojan:Win32/Duqu.C": [[254, 273]], "Indicator: Worm/Win32.Stuxnet.R608": [[274, 297]], "Indicator: Trojan.Duqu!ZB0mf9vKpU8": [[298, 321]], "Indicator: Trojan.Win32.Urelas": [[322, 341]], "Indicator: Win32/Trojan.d72": [[342, 358]]}, "info": {"id": "cyner2_5class_train_07681", "source": "cyner2_5class_train"}} +{"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www.77169.org/exploits/2013/20130414031700 ) , a rooting tool for mtk6592 and addtional exploit .", "spans": {"Vulnerability: CVE-2013-6282": [[81, 94]], "Indicator: http : //www.77169.org/exploits/2013/20130414031700 )": [[112, 165]]}, "info": {"id": "cyner2_5class_train_07682", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.HfsAutoB.10E5 Trojan-Dropper.Win32.Decay!O Troj.Dropper.W32.Decay.fvr!c Trojan/Dropper.Decay.dst Trojan.Razy.DD584 W32/Dropper.ANEZ TROJ_DECAY.SM Trojan-Dropper.Win32.Decay.fvr Trojan.Win32.Decay.biarma TrojWare.Win32.TrojanDropper.Decay.ghu Trojan.MulDrop6.60922 TROJ_DECAY.SM BehavesLike.Win32.Virut.lc W32/Risk.RTXX-1196 TrojanDropper.Decay.bo TR/Drop.Decay.ayb Trojan[Dropper]/Win32.Decay TrojanDropper:Win32/Decay.A Dropper.Decay.47104.B Trojan-Dropper.Win32.Decay.fvr Win32.Trojan.Yoybot.A Dropper/Win32.Decay.R2060 TrojanDropper.Decay Backdoor.Win32.Poison W32/Decay.FVR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.10E5": [[26, 43]], "Indicator: Trojan-Dropper.Win32.Decay!O": [[44, 72]], "Indicator: 
Troj.Dropper.W32.Decay.fvr!c": [[73, 101]], "Indicator: Trojan/Dropper.Decay.dst": [[102, 126]], "Indicator: Trojan.Razy.DD584": [[127, 144]], "Indicator: W32/Dropper.ANEZ": [[145, 161]], "Indicator: TROJ_DECAY.SM": [[162, 175], [294, 307]], "Indicator: Trojan-Dropper.Win32.Decay.fvr": [[176, 206], [473, 503]], "Indicator: Trojan.Win32.Decay.biarma": [[207, 232]], "Indicator: TrojWare.Win32.TrojanDropper.Decay.ghu": [[233, 271]], "Indicator: Trojan.MulDrop6.60922": [[272, 293]], "Indicator: BehavesLike.Win32.Virut.lc": [[308, 334]], "Indicator: W32/Risk.RTXX-1196": [[335, 353]], "Indicator: TrojanDropper.Decay.bo": [[354, 376]], "Indicator: TR/Drop.Decay.ayb": [[377, 394]], "Indicator: Trojan[Dropper]/Win32.Decay": [[395, 422]], "Indicator: TrojanDropper:Win32/Decay.A": [[423, 450]], "Indicator: Dropper.Decay.47104.B": [[451, 472]], "Indicator: Win32.Trojan.Yoybot.A": [[504, 525]], "Indicator: Dropper/Win32.Decay.R2060": [[526, 551]], "Indicator: TrojanDropper.Decay": [[552, 571]], "Indicator: Backdoor.Win32.Poison": [[572, 593]], "Indicator: W32/Decay.FVR!tr": [[594, 610]]}, "info": {"id": "cyner2_5class_train_07683", "source": "cyner2_5class_train"}} +{"text": "An example SMS message is shown in Figure 1 .", "spans": {}, "info": {"id": "cyner2_5class_train_07684", "source": "cyner2_5class_train"}} +{"text": "It was an existing business model when computer-based banking malware was the only form of banking malware and has shifted to the Android equivalent a few years later .", "spans": {"System: Android": [[130, 137]]}, "info": {"id": "cyner2_5class_train_07685", "source": "cyner2_5class_train"}} +{"text": "Uptycs research team has discovered a malware family that controls its operations over the messaging service Telegram.", "spans": {"Organization: Uptycs research team": [[0, 20]], "Malware: malware family": [[38, 52]], "System: Telegram.": [[109, 118]]}, "info": {"id": "cyner2_5class_train_07686", "source": "cyner2_5class_train"}} +{"text": "Dolkun lsa Chairman 
of the Executive Committee Word Uyghur Congress ” While the victim reads this fake message , the malware secretly reports the infection to a command-and-control server .", "spans": {"Organization: Executive Committee Word Uyghur Congress": [[27, 67]]}, "info": {"id": "cyner2_5class_train_07687", "source": "cyner2_5class_train"}} +{"text": "At runtime , the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server .", "spans": {}, "info": {"id": "cyner2_5class_train_07688", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom_Blulock.R002C0CKC17 Trojan.Ransomlock.AI Ransom_Blulock.R002C0CKC17 Win32.Worm.FlyStudio.C not-a-virus:RiskTool.Win32.FlyStudio.awnz Trojan.Win32.Z.Strictor.901632.H TrojWare.Win32.FlyStudio.~UJ Trojan.Winlock.11779 TR/Strictor.901632.1 Trojan.Strictor.DC183 not-a-virus:RiskTool.Win32.FlyStudio.awnz Ransom:Win32/Blulock.A Trojan/Win32.Ransomlock.R135596 Trojan.FlyStudio Trj/CI.A Trojan.Win32.Winlock.f Ransom.FUL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_Blulock.R002C0CKC17": [[26, 52], [74, 100]], "Indicator: Trojan.Ransomlock.AI": [[53, 73]], "Indicator: Win32.Worm.FlyStudio.C": [[101, 123]], "Indicator: not-a-virus:RiskTool.Win32.FlyStudio.awnz": [[124, 165], [292, 333]], "Indicator: Trojan.Win32.Z.Strictor.901632.H": [[166, 198]], "Indicator: TrojWare.Win32.FlyStudio.~UJ": [[199, 227]], "Indicator: Trojan.Winlock.11779": [[228, 248]], "Indicator: TR/Strictor.901632.1": [[249, 269]], "Indicator: Trojan.Strictor.DC183": [[270, 291]], "Indicator: Ransom:Win32/Blulock.A": [[334, 356]], "Indicator: Trojan/Win32.Ransomlock.R135596": [[357, 388]], "Indicator: Trojan.FlyStudio": [[389, 405]], "Indicator: Trj/CI.A": [[406, 414]], "Indicator: Trojan.Win32.Winlock.f": [[415, 437]], "Indicator: Ransom.FUL!tr": [[438, 451]]}, "info": {"id": "cyner2_5class_train_07689", "source": "cyner2_5class_train"}} +{"text": "SpyNote RAT builder The 
SpyNote Remote Access Trojan ( RAT ) builder is gaining popularity in the hacking community , so we decided to study its pervasiveness .", "spans": {"Malware: SpyNote RAT": [[0, 11]], "Malware: SpyNote": [[24, 31]]}, "info": {"id": "cyner2_5class_train_07690", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Pucedoor.Win32.63 Troj.W32.Pucedoor!c W32/Trojan.MNET-5041 Trojan.Pucedoor Trojan.Win32.Pucedoor.aa Trojan.Win32.AD.eoqlfa Trojan.Win32.Z.Pucedoor.15360 Trojan.Pucedoor.d TR/Pucedoor.hopld Trojan/Win32.Pucedoor Trojan:Win32/Mirsonk.A Trojan.Mikey.D109B5 Trojan.Win32.Pucedoor.aa Trojan/Win32.Pucedoor.R216811 Trj/CI.A Win32.Trojan.Pucedoor.Sxxz Win32/Trojan.Proxy.62e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Pucedoor.Win32.63": [[26, 50]], "Indicator: Troj.W32.Pucedoor!c": [[51, 70]], "Indicator: W32/Trojan.MNET-5041": [[71, 91]], "Indicator: Trojan.Pucedoor": [[92, 107]], "Indicator: Trojan.Win32.Pucedoor.aa": [[108, 132], [287, 311]], "Indicator: Trojan.Win32.AD.eoqlfa": [[133, 155]], "Indicator: Trojan.Win32.Z.Pucedoor.15360": [[156, 185]], "Indicator: Trojan.Pucedoor.d": [[186, 203]], "Indicator: TR/Pucedoor.hopld": [[204, 221]], "Indicator: Trojan/Win32.Pucedoor": [[222, 243]], "Indicator: Trojan:Win32/Mirsonk.A": [[244, 266]], "Indicator: Trojan.Mikey.D109B5": [[267, 286]], "Indicator: Trojan/Win32.Pucedoor.R216811": [[312, 341]], "Indicator: Trj/CI.A": [[342, 350]], "Indicator: Win32.Trojan.Pucedoor.Sxxz": [[351, 377]], "Indicator: Win32/Trojan.Proxy.62e": [[378, 400]]}, "info": {"id": "cyner2_5class_train_07691", "source": "cyner2_5class_train"}} +{"text": "The extraction method is the same , but the encryption algorithm ( also XOR ) is much simpler .", "spans": {}, "info": {"id": "cyner2_5class_train_07692", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan/MSILPack.a Trojan.MSIL.VB!/kGPqcrNINQ TROJ_FAM_0000b54.TOMA Packed.MSIL.MSILPack.a Worm.Win32.Rebhip!IK 
Packed:W32/DonutCrypt.A Trojan.MulDrop1.40622 TROJ_FAM_0000b54.TOMA Packed.MSIL.is TrojanDropper:MSIL/VB.K Packed/Win32.MSILPack Worm.Win32.Rebhip MSIL/AntiAV.NET!tr Trj/Dropper.AJX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/MSILPack.a": [[26, 43]], "Indicator: Trojan.MSIL.VB!/kGPqcrNINQ": [[44, 70]], "Indicator: TROJ_FAM_0000b54.TOMA": [[71, 92], [183, 204]], "Indicator: Packed.MSIL.MSILPack.a": [[93, 115]], "Indicator: Worm.Win32.Rebhip!IK": [[116, 136]], "Indicator: Packed:W32/DonutCrypt.A": [[137, 160]], "Indicator: Trojan.MulDrop1.40622": [[161, 182]], "Indicator: Packed.MSIL.is": [[205, 219]], "Indicator: TrojanDropper:MSIL/VB.K": [[220, 243]], "Indicator: Packed/Win32.MSILPack": [[244, 265]], "Indicator: Worm.Win32.Rebhip": [[266, 283]], "Indicator: MSIL/AntiAV.NET!tr": [[284, 302]], "Indicator: Trj/Dropper.AJX": [[303, 318]]}, "info": {"id": "cyner2_5class_train_07693", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Senna KIT/SennaSpy.30 HackTool[Constructor]/Win32.SennaSpy VTool.SennaSpy.30.kcloud Constructor:Win32/Sennaspy.3_0 Constructor.Win32.SennaSpy Win32/Constructor.Spy.58d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Senna": [[26, 40]], "Indicator: KIT/SennaSpy.30": [[41, 56]], "Indicator: HackTool[Constructor]/Win32.SennaSpy": [[57, 93]], "Indicator: VTool.SennaSpy.30.kcloud": [[94, 118]], "Indicator: Constructor:Win32/Sennaspy.3_0": [[119, 149]], "Indicator: Constructor.Win32.SennaSpy": [[150, 176]], "Indicator: Win32/Constructor.Spy.58d": [[177, 202]]}, "info": {"id": "cyner2_5class_train_07694", "source": "cyner2_5class_train"}} +{"text": "We also discovered, based on the samples we gathered, that the malware, which we call CloudTap, has been in use for over a year.", "spans": {"Malware: samples": [[33, 40]], "Malware: malware,": [[63, 71]], "Malware: CloudTap,": [[86, 95]]}, "info": {"id": "cyner2_5class_train_07695", "source": "cyner2_5class_train"}} +{"text": "Last week 
Forcepoint tracked an interesting e-mail campaign that was distributing double zipped files with Windows Script Files WSFs inside.", "spans": {"Organization: Forcepoint": [[10, 20]], "Indicator: double zipped files with Windows Script Files WSFs": [[82, 132]]}, "info": {"id": "cyner2_5class_train_07696", "source": "cyner2_5class_train"}} +{"text": "Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks.", "spans": {"Organization: Symantec": [[0, 8]], "Organization: customers": [[40, 49]], "Malware: exploit kit": [[92, 103]], "Organization: the Polish banks.": [[118, 135]]}, "info": {"id": "cyner2_5class_train_07697", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/Small.acc Backdoor.Trojan Backdoor.Win32.Small.acc Trojan.Win32.Small.gcwll Backdoor.W32.Small.acc!c Win32.Backdoor.Small.Egnw Backdoor.Small.Win32.7271 Backdoor/Small.dwv BDS/Dalbot.147456 Trojan[Backdoor]/Win32.Small Backdoor.Win32.A.Small.147456 Backdoor.Win32.Small.acc Trojan/Win32.Dalbot.C330242 Backdoor.Small W32/Small.ACC!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Small.acc": [[26, 44]], "Indicator: Backdoor.Trojan": [[45, 60]], "Indicator: Backdoor.Win32.Small.acc": [[61, 85], [284, 308]], "Indicator: Trojan.Win32.Small.gcwll": [[86, 110]], "Indicator: Backdoor.W32.Small.acc!c": [[111, 135]], "Indicator: Win32.Backdoor.Small.Egnw": [[136, 161]], "Indicator: Backdoor.Small.Win32.7271": [[162, 187]], "Indicator: Backdoor/Small.dwv": [[188, 206]], "Indicator: BDS/Dalbot.147456": [[207, 224]], "Indicator: Trojan[Backdoor]/Win32.Small": [[225, 253]], "Indicator: Backdoor.Win32.A.Small.147456": [[254, 283]], "Indicator: Trojan/Win32.Dalbot.C330242": [[309, 336]], "Indicator: Backdoor.Small": [[337, 351]], "Indicator: W32/Small.ACC!tr.dldr": [[352, 373]]}, "info": {"id": "cyner2_5class_train_07698", "source": "cyner2_5class_train"}} +{"text": "They are known to run 
watering hole and spearphishing campaigns to better pinpoint their targets.", "spans": {"Indicator: watering hole": [[22, 35]]}, "info": {"id": "cyner2_5class_train_07699", "source": "cyner2_5class_train"}} +{"text": "In addition , its original target list is extremely narrow and seems to be focused on Spanish banks .", "spans": {}, "info": {"id": "cyner2_5class_train_07700", "source": "cyner2_5class_train"}} +{"text": "An investigation by Wiz Threat Research has revealed that tens of thousands of websites in East Asia have been hijacked, redirecting users to adult-themed content over the last few months.", "spans": {"Organization: Wiz Threat Research": [[20, 39]], "Indicator: tens of thousands of websites": [[58, 87]], "Indicator: hijacked,": [[111, 120]], "Indicator: adult-themed content": [[142, 162]]}, "info": {"id": "cyner2_5class_train_07701", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Symmi.D5257 Troj.Downloader.W32!c Trojan.Click2.53876 BehavesLike.Win32.Comame.pc TrojanProxy:Win32/Potukorp.A Trj/CI.A W32/Farfli.WF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.Symmi.D5257": [[48, 66]], "Indicator: Troj.Downloader.W32!c": [[67, 88]], "Indicator: Trojan.Click2.53876": [[89, 108]], "Indicator: BehavesLike.Win32.Comame.pc": [[109, 136]], "Indicator: TrojanProxy:Win32/Potukorp.A": [[137, 165]], "Indicator: Trj/CI.A": [[166, 174]], "Indicator: W32/Farfli.WF!tr": [[175, 191]]}, "info": {"id": "cyner2_5class_train_07702", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Dynamer.S467543 Trojan.Injector.Win32.474808 Trojan/Injector.dkps Trojan.Zbot.191 Win32.Trojan.WisdomEyes.16070401.9500.9969 Ransom_NATAS.SM1 Win.Ransomware.Satan-5713061-0 Trojan.Win32.DKPS.elolak Trojan.Win32.Z.Satan.189345 TrojWare.Win32.Lepoh.A Trojan.Packed2.39908 Ransom_NATAS.SM1 BehavesLike.Win32.Trojan.cc Ransom:Win32/Nasan.B!bit 
Ransom.Satan/Variant Trojan.Packed Ransom.Satan Win32/Filecoder.Natas.A Win32.Trojan.Filecoder.Hqlr Trojan-Ransom.Satan Win32/Trojan.BO.91d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dynamer.S467543": [[26, 48]], "Indicator: Trojan.Injector.Win32.474808": [[49, 77]], "Indicator: Trojan/Injector.dkps": [[78, 98]], "Indicator: Trojan.Zbot.191": [[99, 114]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[115, 157]], "Indicator: Ransom_NATAS.SM1": [[158, 174], [303, 319]], "Indicator: Win.Ransomware.Satan-5713061-0": [[175, 205]], "Indicator: Trojan.Win32.DKPS.elolak": [[206, 230]], "Indicator: Trojan.Win32.Z.Satan.189345": [[231, 258]], "Indicator: TrojWare.Win32.Lepoh.A": [[259, 281]], "Indicator: Trojan.Packed2.39908": [[282, 302]], "Indicator: BehavesLike.Win32.Trojan.cc": [[320, 347]], "Indicator: Ransom:Win32/Nasan.B!bit": [[348, 372]], "Indicator: Ransom.Satan/Variant": [[373, 393]], "Indicator: Trojan.Packed": [[394, 407]], "Indicator: Ransom.Satan": [[408, 420]], "Indicator: Win32/Filecoder.Natas.A": [[421, 444]], "Indicator: Win32.Trojan.Filecoder.Hqlr": [[445, 472]], "Indicator: Trojan-Ransom.Satan": [[473, 492]], "Indicator: Win32/Trojan.BO.91d": [[493, 512]]}, "info": {"id": "cyner2_5class_train_07703", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Selfdel.B7 PUP.Optional.InstallMonster Win32.Trojan.Kryptik.zv Trojan.Win32.InstallCube.echedc Application.Win32.ICLoader.VAL Trojan.InstallCube.1058 Trojan.Win32.Crypt Trojan.ExtenBro.od Pua.Downloadmanager GrayWare[AdWare]/Win32.SmartInstaller Trojan.Barys.DD4DA Trojan:Win32/Selfdel.B PUP/Win32.ICLoader.R181040 TScope.Malware-Cryptor.SB Trj/CI.A Trojan.ExtenBro! 
Win32/Trojan.d13", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Selfdel.B7": [[26, 43]], "Indicator: PUP.Optional.InstallMonster": [[44, 71]], "Indicator: Win32.Trojan.Kryptik.zv": [[72, 95]], "Indicator: Trojan.Win32.InstallCube.echedc": [[96, 127]], "Indicator: Application.Win32.ICLoader.VAL": [[128, 158]], "Indicator: Trojan.InstallCube.1058": [[159, 182]], "Indicator: Trojan.Win32.Crypt": [[183, 201]], "Indicator: Trojan.ExtenBro.od": [[202, 220]], "Indicator: Pua.Downloadmanager": [[221, 240]], "Indicator: GrayWare[AdWare]/Win32.SmartInstaller": [[241, 278]], "Indicator: Trojan.Barys.DD4DA": [[279, 297]], "Indicator: Trojan:Win32/Selfdel.B": [[298, 320]], "Indicator: PUP/Win32.ICLoader.R181040": [[321, 347]], "Indicator: TScope.Malware-Cryptor.SB": [[348, 373]], "Indicator: Trj/CI.A": [[374, 382]], "Indicator: Trojan.ExtenBro!": [[383, 399]], "Indicator: Win32/Trojan.d13": [[400, 416]]}, "info": {"id": "cyner2_5class_train_07704", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Ransom.SintaCry BehavesLike.Win32.Trojan.tc Ransom:Win32/SintaCry.A Win32.Trojan-Ransom.CryPy.C Trojan/Win32.CryptXXX.C1966139 Python/Filecoder.AB Trojan.Win32.CryPy.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.SintaCry": [[26, 41]], "Indicator: BehavesLike.Win32.Trojan.tc": [[42, 69]], "Indicator: Ransom:Win32/SintaCry.A": [[70, 93]], "Indicator: Win32.Trojan-Ransom.CryPy.C": [[94, 121]], "Indicator: Trojan/Win32.CryptXXX.C1966139": [[122, 152]], "Indicator: Python/Filecoder.AB": [[153, 172]], "Indicator: Trojan.Win32.CryPy.a": [[173, 193]]}, "info": {"id": "cyner2_5class_train_07705", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: HW32.Packed.7656 Spyware.OnlineGames Trojan.Barys.156 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Application.PUPStudio.A BehavesLike.Win32.Backdoor.tc TrojanDownloader:Win32/Neglemir.A PUA.RiskWare.DYAMAR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
HW32.Packed.7656": [[26, 42]], "Indicator: Spyware.OnlineGames": [[43, 62]], "Indicator: Trojan.Barys.156": [[63, 79]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[80, 122]], "Indicator: Win32.Application.PUPStudio.A": [[123, 152]], "Indicator: BehavesLike.Win32.Backdoor.tc": [[153, 182]], "Indicator: TrojanDownloader:Win32/Neglemir.A": [[183, 216]], "Indicator: PUA.RiskWare.DYAMAR": [[217, 236]]}, "info": {"id": "cyner2_5class_train_07706", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: W97M/Downloader.clk W97M.Downloader W2KM_POWLOAD.UHAOEBF Macro.Trojan.Dropperd.Auto W2KM_POWLOAD.UHAOEBF W97M/Downloader.ciz Malicious_Behavior.SB virus.office.qexvmc.1070", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M/Downloader.clk": [[26, 45]], "Indicator: W97M.Downloader": [[46, 61]], "Indicator: W2KM_POWLOAD.UHAOEBF": [[62, 82], [110, 130]], "Indicator: Macro.Trojan.Dropperd.Auto": [[83, 109]], "Indicator: W97M/Downloader.ciz": [[131, 150]], "Indicator: Malicious_Behavior.SB": [[151, 172]], "Indicator: virus.office.qexvmc.1070": [[173, 197]]}, "info": {"id": "cyner2_5class_train_07707", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Rovnix.AB4 Trojan.Rovnix Trojan/Rovnix.af Trojan.Cidox.E TROJ_ROVNIX.SMA0 Win.Trojan.Rovnix-7 Trojan.Win32.Rovnix.dxtqfl Trojan.Win32.Z.Rovnix.78336.D[h] Trojan.Rovnix.Win32.624 TROJ_ROVNIX.SMA0 Trojan.Rovnix.cl W32/Rovnix.AG!tr Trojan/Win32.Rovnix Trojan.Razy.D3C8A Troj.W32.Rovnix!c Trojan/Win32.Rovnix TrojanDownloader:Win32/Rovnix.A Trojan.Win32.Rovnix.jg Trojan.Rovnix!Bc+f/jzbrBg Trojan.Win32.Rovnix Atros2.AGYW Trj/Rovnix.B Win32/Trojan.bb6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Rovnix.AB4": [[26, 53]], "Indicator: Trojan.Rovnix": [[54, 67]], "Indicator: Trojan/Rovnix.af": [[68, 84]], "Indicator: Trojan.Cidox.E": [[85, 99]], "Indicator: TROJ_ROVNIX.SMA0": [[100, 116], [221, 237]], "Indicator: Win.Trojan.Rovnix-7": 
[[117, 136]], "Indicator: Trojan.Win32.Rovnix.dxtqfl": [[137, 163]], "Indicator: Trojan.Win32.Z.Rovnix.78336.D[h]": [[164, 196]], "Indicator: Trojan.Rovnix.Win32.624": [[197, 220]], "Indicator: Trojan.Rovnix.cl": [[238, 254]], "Indicator: W32/Rovnix.AG!tr": [[255, 271]], "Indicator: Trojan/Win32.Rovnix": [[272, 291], [328, 347]], "Indicator: Trojan.Razy.D3C8A": [[292, 309]], "Indicator: Troj.W32.Rovnix!c": [[310, 327]], "Indicator: TrojanDownloader:Win32/Rovnix.A": [[348, 379]], "Indicator: Trojan.Win32.Rovnix.jg": [[380, 402]], "Indicator: Trojan.Rovnix!Bc+f/jzbrBg": [[403, 428]], "Indicator: Trojan.Win32.Rovnix": [[429, 448]], "Indicator: Atros2.AGYW": [[449, 460]], "Indicator: Trj/Rovnix.B": [[461, 473]], "Indicator: Win32/Trojan.bb6": [[474, 490]]}, "info": {"id": "cyner2_5class_train_07708", "source": "cyner2_5class_train"}} +{"text": "While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company's own website.", "spans": {"Indicator: public websites,": [[85, 101]], "Organization: LinkedIn": [[110, 118]], "Indicator: the company's own website.": [[122, 148]]}, "info": {"id": "cyner2_5class_train_07709", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: TrojanDownloader.Delf Downloader.Delf.Win32.55939 Win.Trojan.Delf-6394424-2 Trojan-Downloader.Win32.Delf.kqql Trojan.Win32.Delf.evdbxm Trojan.Win32.Z.Delf.912896 Troj.Downloader.W32.Delf!c Trojan.DownLoad3.47593 Trojan-Downloader.Win32.Delf W32/Trojan.NTEF-5615 TR/Downloader.lpmfp Trojan-Downloader.Win32.Delf.kqql Downloader/Win32.Delf.C2285081 Trj/GdSda.A Win32.Trojan-downloader.Delf.Ammc W32/Delf.CGH!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Delf": [[26, 47]], "Indicator: Downloader.Delf.Win32.55939": [[48, 75]], "Indicator: Win.Trojan.Delf-6394424-2": [[76, 101]], "Indicator: Trojan-Downloader.Win32.Delf.kqql": [[102, 135], [308, 341]], "Indicator: Trojan.Win32.Delf.evdbxm": 
[[136, 160]], "Indicator: Trojan.Win32.Z.Delf.912896": [[161, 187]], "Indicator: Troj.Downloader.W32.Delf!c": [[188, 214]], "Indicator: Trojan.DownLoad3.47593": [[215, 237]], "Indicator: Trojan-Downloader.Win32.Delf": [[238, 266]], "Indicator: W32/Trojan.NTEF-5615": [[267, 287]], "Indicator: TR/Downloader.lpmfp": [[288, 307]], "Indicator: Downloader/Win32.Delf.C2285081": [[342, 372]], "Indicator: Trj/GdSda.A": [[373, 384]], "Indicator: Win32.Trojan-downloader.Delf.Ammc": [[385, 418]], "Indicator: W32/Delf.CGH!tr.dldr": [[419, 439]]}, "info": {"id": "cyner2_5class_train_07710", "source": "cyner2_5class_train"}} +{"text": "In this case , the device should be re-flashed with an official ROM .", "spans": {}, "info": {"id": "cyner2_5class_train_07711", "source": "cyner2_5class_train"}} +{"text": "The Trojan stores information about C & C servers and the data harvested from the infected device in a local SQLite database .", "spans": {}, "info": {"id": "cyner2_5class_train_07712", "source": "cyner2_5class_train"}} +{"text": "We first started tracking Bread ( also known as Joker ) in early 2017 , identifying apps designed solely for SMS fraud .", "spans": {"Malware: Bread": [[26, 31]], "Malware: Joker": [[48, 53]]}, "info": {"id": "cyner2_5class_train_07713", "source": "cyner2_5class_train"}} +{"text": "This strongly suggested that the banking Trojans , despite differing in terms of capability , belong to the same family .", "spans": {}, "info": {"id": "cyner2_5class_train_07714", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Exp.SWF.CVE-2017-11292.1 Trojan.Maljava SWF/Exploit.CVE-2017-11292.A DOC.Z.CVE-2017-1129.10752 Exploit.CVE-2017-11292.1 SWF_EXPLOIT.YYRZ Trojan.DWCI-31 EXP/CVE-2017-11292.B Trojan[Exploit]/SWF.CVE-2017-11292.a Trojan:O97M/Gamafeshi.A Trojan.SWF.Exploit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exp.SWF.CVE-2017-11292.1": [[26, 50]], "Indicator: Trojan.Maljava": [[51, 65]], "Indicator: 
SWF/Exploit.CVE-2017-11292.A": [[66, 94]], "Indicator: DOC.Z.CVE-2017-1129.10752": [[95, 120]], "Indicator: Exploit.CVE-2017-11292.1": [[121, 145]], "Indicator: SWF_EXPLOIT.YYRZ": [[146, 162]], "Indicator: Trojan.DWCI-31": [[163, 177]], "Indicator: EXP/CVE-2017-11292.B": [[178, 198]], "Indicator: Trojan[Exploit]/SWF.CVE-2017-11292.a": [[199, 235]], "Indicator: Trojan:O97M/Gamafeshi.A": [[236, 259]], "Indicator: Trojan.SWF.Exploit": [[260, 278]]}, "info": {"id": "cyner2_5class_train_07715", "source": "cyner2_5class_train"}} +{"text": "We were also able to link the FrozenCell 's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack .", "spans": {"Malware: FrozenCell": [[30, 40]], "System: Android": [[44, 51]]}, "info": {"id": "cyner2_5class_train_07716", "source": "cyner2_5class_train"}} +{"text": "The hacker proceeded to leak archives of internal Hacking Team tools and communications.", "spans": {"Organization: Hacking Team": [[50, 62]]}, "info": {"id": "cyner2_5class_train_07717", "source": "cyner2_5class_train"}} +{"text": "This means that the malware can do anything from harvest the user 's banking credentials , to monitoring the device 's location .", "spans": {}, "info": {"id": "cyner2_5class_train_07718", "source": "cyner2_5class_train"}} +{"text": "addWifiConfig method code fragments ‘ camera ’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device .", "spans": {}, "info": {"id": "cyner2_5class_train_07719", "source": "cyner2_5class_train"}} +{"text": "Second Phase The second phase dex file contains 3 main services that are being used : • ConnManager - handles connections to the C & C • ReceiverManager - waits for incoming calls / app installations • TaskManager - manages the data collection tasks The C & C server address is different than the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data 
collector tasks .", "spans": {}, "info": {"id": "cyner2_5class_train_07720", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor/W32.Small.8192.U Backdoor.Win32.Small!O Backdoor.Small Backdoor/Small.aad BKDR_SMALL.LIY Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareS.BJDC BKDR_SMALL.LIY Win.Trojan.Small-15022 Backdoor.Win32.Small.aad Trojan.Win32.Small.cgfnz Backdoor.Win32.A.Small.8192.J Backdoor.Win32.Small.~C W32/Risk.EHGV-6738 Backdoor/Small.cqd W32.Malware.Downloader BDS/Small.L Trojan[Backdoor]/Win32.Small Backdoor.W32.Small.aad!c Backdoor.Win32.Small.aad Backdoor:Win32/Neporoot.A Trojan/Win32.Downloader.C113283 Backdoor.Small Trj/CI.A Win32.Backdoor.Small.Eckj Trojan.DL.Troxen!zKvgG9AM1Ro Backdoor.Win32.Small W32/CMDer.AA!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Small.8192.U": [[26, 51]], "Indicator: Backdoor.Win32.Small!O": [[52, 74]], "Indicator: Backdoor.Small": [[75, 89], [537, 551]], "Indicator: Backdoor/Small.aad": [[90, 108]], "Indicator: BKDR_SMALL.LIY": [[109, 123], [185, 199]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[124, 166]], "Indicator: W32/MalwareS.BJDC": [[167, 184]], "Indicator: Win.Trojan.Small-15022": [[200, 222]], "Indicator: Backdoor.Win32.Small.aad": [[223, 247], [454, 478]], "Indicator: Trojan.Win32.Small.cgfnz": [[248, 272]], "Indicator: Backdoor.Win32.A.Small.8192.J": [[273, 302]], "Indicator: Backdoor.Win32.Small.~C": [[303, 326]], "Indicator: W32/Risk.EHGV-6738": [[327, 345]], "Indicator: Backdoor/Small.cqd": [[346, 364]], "Indicator: W32.Malware.Downloader": [[365, 387]], "Indicator: BDS/Small.L": [[388, 399]], "Indicator: Trojan[Backdoor]/Win32.Small": [[400, 428]], "Indicator: Backdoor.W32.Small.aad!c": [[429, 453]], "Indicator: Backdoor:Win32/Neporoot.A": [[479, 504]], "Indicator: Trojan/Win32.Downloader.C113283": [[505, 536]], "Indicator: Trj/CI.A": [[552, 560]], "Indicator: Win32.Backdoor.Small.Eckj": [[561, 586]], "Indicator: 
Trojan.DL.Troxen!zKvgG9AM1Ro": [[587, 615]], "Indicator: Backdoor.Win32.Small": [[616, 636]], "Indicator: W32/CMDer.AA!tr": [[637, 652]]}, "info": {"id": "cyner2_5class_train_07721", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Worm.Skypii Trojan/Injector.aech Trojan.Johnnie.D5D69 W32.Phopifas Win.Trojan.Zbot-63011 Trojan-Dropper.Win32.Injector.tsab Trojan.Win32.Zbot.crqlec Trojan.Win32.Z.Johnnie.44972 Trojan.MulDrop2.64582 Trojan.Win32.Injector W32/Trojan.GAQU-5890 TR/Buzus.A.287 Worm:Win32/Skypii.A Trojan-Dropper.Win32.Injector.tsab Trojan/Win32.Inject.R57535 BScope.Adware.Softpulse Win32.Trojan-dropper.Injector.Hyah W32/Inject.AEC!tr Win32/Trojan.Downloader.31f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Skypii": [[26, 37]], "Indicator: Trojan/Injector.aech": [[38, 58]], "Indicator: Trojan.Johnnie.D5D69": [[59, 79]], "Indicator: W32.Phopifas": [[80, 92]], "Indicator: Win.Trojan.Zbot-63011": [[93, 114]], "Indicator: Trojan-Dropper.Win32.Injector.tsab": [[115, 149], [304, 338]], "Indicator: Trojan.Win32.Zbot.crqlec": [[150, 174]], "Indicator: Trojan.Win32.Z.Johnnie.44972": [[175, 203]], "Indicator: Trojan.MulDrop2.64582": [[204, 225]], "Indicator: Trojan.Win32.Injector": [[226, 247]], "Indicator: W32/Trojan.GAQU-5890": [[248, 268]], "Indicator: TR/Buzus.A.287": [[269, 283]], "Indicator: Worm:Win32/Skypii.A": [[284, 303]], "Indicator: Trojan/Win32.Inject.R57535": [[339, 365]], "Indicator: BScope.Adware.Softpulse": [[366, 389]], "Indicator: Win32.Trojan-dropper.Injector.Hyah": [[390, 424]], "Indicator: W32/Inject.AEC!tr": [[425, 442]], "Indicator: Win32/Trojan.Downloader.31f": [[443, 470]]}, "info": {"id": "cyner2_5class_train_07722", "source": "cyner2_5class_train"}} +{"text": "Note that in almost all cases , this payload file , contained in zip archives , is named ‘ setting ’ or ‘ setting.o ’ .", "spans": {"Indicator: setting": [[91, 98]], "Indicator: setting.o": [[106, 115]]}, "info": {"id": "cyner2_5class_train_07723", 
"source": "cyner2_5class_train"}} +{"text": "Another novelty is a VPN-related package , which is based on OrbotVPN .", "spans": {"System: OrbotVPN": [[61, 69]]}, "info": {"id": "cyner2_5class_train_07724", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Trojan.Brancud Dropper.Wlord.Win32.197 Trojan/Dropper.Wlord.vg Trojan.Barys.D14BD W32/Backdoor2.FFAV Win.Trojan.Delf-10381 Trojan.Win32.Pigeon.edgwvf NetWorm.Win32.Kolab.~F BackDoor.Pigeon.14364 BehavesLike.Win32.HLLP.vc Trojan.Win32.ProcessHijack W32/Backdoor.UDBV-8754 Win32.Troj.Wlord.vg.kcloud Spyware.Wlord.Dr.2888704 TrojanDropper.Wlord Win32/TrojanDropper.Delf.NQG Win32.Trojan-dropper.Wlord.Wncj Trojan.DR.Wlord!ooBDWiiijA4 Win32/Trojan.f50", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Brancud": [[26, 40]], "Indicator: Dropper.Wlord.Win32.197": [[41, 64]], "Indicator: Trojan/Dropper.Wlord.vg": [[65, 88]], "Indicator: Trojan.Barys.D14BD": [[89, 107]], "Indicator: W32/Backdoor2.FFAV": [[108, 126]], "Indicator: Win.Trojan.Delf-10381": [[127, 148]], "Indicator: Trojan.Win32.Pigeon.edgwvf": [[149, 175]], "Indicator: NetWorm.Win32.Kolab.~F": [[176, 198]], "Indicator: BackDoor.Pigeon.14364": [[199, 220]], "Indicator: BehavesLike.Win32.HLLP.vc": [[221, 246]], "Indicator: Trojan.Win32.ProcessHijack": [[247, 273]], "Indicator: W32/Backdoor.UDBV-8754": [[274, 296]], "Indicator: Win32.Troj.Wlord.vg.kcloud": [[297, 323]], "Indicator: Spyware.Wlord.Dr.2888704": [[324, 348]], "Indicator: TrojanDropper.Wlord": [[349, 368]], "Indicator: Win32/TrojanDropper.Delf.NQG": [[369, 397]], "Indicator: Win32.Trojan-dropper.Wlord.Wncj": [[398, 429]], "Indicator: Trojan.DR.Wlord!ooBDWiiijA4": [[430, 457]], "Indicator: Win32/Trojan.f50": [[458, 474]]}, "info": {"id": "cyner2_5class_train_07725", "source": "cyner2_5class_train"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ .", "spans": {"Indicator: hxxp : //online.bankaustria.at.id58729 [ .": [[21, 63]]}, "info": {"id": 
"cyner2_5class_train_07726", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9947 Trojan.Razy.D1B384 Backdoor:MSIL/Gataspi.A Backdoor.NanoCore Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9947": [[26, 68]], "Indicator: Trojan.Razy.D1B384": [[69, 87]], "Indicator: Backdoor:MSIL/Gataspi.A": [[88, 111]], "Indicator: Backdoor.NanoCore": [[112, 129]], "Indicator: Trj/GdSda.A": [[130, 141]]}, "info": {"id": "cyner2_5class_train_07727", "source": "cyner2_5class_train"}} +{"text": "A backdoor also known as: Backdoor.Win32.Proxyier!O DNSChanger.cw Trojan.Zusy.Elzob.D136F TROJ_DNSCHANGER_0000063.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9713 TROJ_DNSCHANGER_0000063.TOMA Win.Trojan.B-445 Backdoor.Win32.Simda.ph Trojan.Win32.Simda.bxootp Backdoor.Proxyier.Win32.9 BehavesLike.Win32.Backdoor.fc Backdoor/Proxyier.o Trojan/Win32.Proxyier Trojan:Win64/Simda.A Backdoor.Win32.Simda.ph Trojan/Win32.Jorik.R13830 SScope.Trojan-Proxy.1821 Trojan.FakeAlert Trojan.Win32.FakeAV W32/Binder.RZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Proxyier!O": [[26, 51]], "Indicator: DNSChanger.cw": [[52, 65]], "Indicator: Trojan.Zusy.Elzob.D136F": [[66, 89]], "Indicator: TROJ_DNSCHANGER_0000063.TOMA": [[90, 118], [162, 190]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9713": [[119, 161]], "Indicator: Win.Trojan.B-445": [[191, 207]], "Indicator: Backdoor.Win32.Simda.ph": [[208, 231], [377, 400]], "Indicator: Trojan.Win32.Simda.bxootp": [[232, 257]], "Indicator: Backdoor.Proxyier.Win32.9": [[258, 283]], "Indicator: BehavesLike.Win32.Backdoor.fc": [[284, 313]], "Indicator: Backdoor/Proxyier.o": [[314, 333]], "Indicator: Trojan/Win32.Proxyier": [[334, 355]], "Indicator: Trojan:Win64/Simda.A": [[356, 376]], "Indicator: Trojan/Win32.Jorik.R13830": [[401, 426]], "Indicator: SScope.Trojan-Proxy.1821": [[427, 451]], "Indicator: Trojan.FakeAlert": [[452, 
468]], "Indicator: Trojan.Win32.FakeAV": [[469, 488]], "Indicator: W32/Binder.RZ!tr": [[489, 505]]}, "info": {"id": "cyner2_5class_train_07728", "source": "cyner2_5class_train"}} +{"text": "The malware infected a wide spread of Android users in China, stealing their bank credentials and other sensitive personal information.", "spans": {"Malware: malware": [[4, 11]], "System: Android users": [[38, 51]], "Indicator: bank credentials": [[77, 93]], "Indicator: other sensitive personal information.": [[98, 135]]}, "info": {"id": "cyner2_5class_train_07729", "source": "cyner2_5class_train"}} +{"text": "Like many other bankers , they were disguised as apps for popular free ad services in Russia .", "spans": {}, "info": {"id": "cyner2_5class_train_07730", "source": "cyner2_5class_train"}} +{"text": "UrlZone is a banking trojan that appeared in 2009.", "spans": {"Malware: UrlZone": [[0, 7]], "Malware: banking trojan": [[13, 27]]}, "info": {"id": "cyner2_5class_train_07731", "source": "cyner2_5class_train"}} +{"text": "Port 6212 : Chrome extraction service .", "spans": {"Indicator: Port 6212": [[0, 9]], "System: Chrome": [[12, 18]]}, "info": {"id": "cyner2_5class_train_07732", "source": "cyner2_5class_train"}} +{"text": "There has been considerable discussion about domain fronting following the release of a paper detailing these techniques.", "spans": {}, "info": {"id": "cyner2_5class_train_07733", "source": "cyner2_5class_train"}} +{"text": "This attack was dubbed Dark Seoul'; it involved wreaking havoc on affected systems by wiping their hard drives, in addition to seeking military intelligence.", "spans": {"Indicator: attack": [[5, 11]], "System: affected systems": [[66, 82]]}, "info": {"id": "cyner2_5class_train_07734", "source": "cyner2_5class_train"}} +{"text": "Last week, Patrick Wardle published a very nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well.", "spans": {"Organization: Wardle published": [[19, 35]], 
"Malware: Backdoor": [[66, 74]], "Malware: Dropper": [[79, 86]], "Organization: HackingTeam,": [[95, 107]]}, "info": {"id": "cyner2_5class_train_07735", "source": "cyner2_5class_train"}}
+{"text": "We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature .", "spans": {"Organization: Google": [[20, 26]], "System: Google Play Protect": [[48, 67]]}, "info": {"id": "cyner2_5class_train_07736", "source": "cyner2_5class_train"}}
+{"text": "Indicators imply an exploitation attempt, that may not have been successful.", "spans": {"Indicator: Indicators": [[0, 10]], "Vulnerability: exploitation": [[20, 32]]}, "info": {"id": "cyner2_5class_train_07737", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Pdf.Fareit.A PDF/PowerShell.C Exploit.PDF.16243 HEUR_PDF.PS TrojanDownloader:Win32/Perferd.A PDF/Exploit.S3 PDF/PowerShell.ECC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Pdf.Fareit.A": [[26, 38]], "Indicator: PDF/PowerShell.C": [[39, 55]], "Indicator: Exploit.PDF.16243": [[56, 73]], "Indicator: HEUR_PDF.PS": [[74, 85]], "Indicator: TrojanDownloader:Win32/Perferd.A": [[86, 118]], "Indicator: PDF/Exploit.S3": [[119, 133]], "Indicator: PDF/PowerShell.ECC!tr": [[134, 155]]}, "info": {"id": "cyner2_5class_train_07738", "source": "cyner2_5class_train"}}
+{"text": "Figure 9 .", "spans": {}, "info": {"id": "cyner2_5class_train_07739", "source": "cyner2_5class_train"}}
+{"text": "In certain situations , variants intercept compromised apps ’ original legitimate ads display events and report back to the intended ad-exchange with the “ Agent Smith ” campaign hacker ’ s ad IDs .", "spans": {"Malware: Agent Smith": [[156, 167]]}, "info": {"id": "cyner2_5class_train_07740", "source": "cyner2_5class_train"}}
+{"text": "A backdoor also known as: Trojan.Python.Simplified.b Trojan.Py2Exe.HackSpy.ekhfvk Trojan.DownLoader25.20169 Trojan.Python.Simplified.b Trojan:Win32/Pitroj.A Trj/CI.A 
Win32.Trojan.Simplified.Dxmm W32/Python_Simplified.B!tr Win32/Trojan.IM.2b4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Python.Simplified.b": [[26, 52], [108, 134]], "Indicator: Trojan.Py2Exe.HackSpy.ekhfvk": [[53, 81]], "Indicator: Trojan.DownLoader25.20169": [[82, 107]], "Indicator: Trojan:Win32/Pitroj.A": [[135, 156]], "Indicator: Trj/CI.A": [[157, 165]], "Indicator: Win32.Trojan.Simplified.Dxmm": [[166, 194]], "Indicator: W32/Python_Simplified.B!tr": [[195, 221]], "Indicator: Win32/Trojan.IM.2b4": [[222, 241]]}, "info": {"id": "cyner2_5class_train_07741", "source": "cyner2_5class_train"}}
+{"text": "Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy.", "spans": {"Organization: Palo Alto Networks": [[21, 39]]}, "info": {"id": "cyner2_5class_train_07742", "source": "cyner2_5class_train"}}
+{"text": "possibly working independently while sharing information between themselves, are exploiting the Elasticsearch vulnerability primarily to establish widespread DDoS botnet infrastructures.", "spans": {"Vulnerability: exploiting the Elasticsearch vulnerability": [[81, 123]], "Malware: DDoS botnet": [[158, 169]], "System: infrastructures.": [[170, 186]]}, "info": {"id": "cyner2_5class_train_07743", "source": "cyner2_5class_train"}}
+{"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection .", "spans": {"Indicator: AndroidOS/MalLocker.B": [[29, 50]]}, "info": {"id": "cyner2_5class_train_07744", "source": "cyner2_5class_train"}}
+{"text": "A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly.", "spans": {"System: cross-platform win32-based": [[2, 28]], "Malware: Mirai spreader": [[29, 43]], "Malware: botnet": [[48, 54]]}, "info": {"id": "cyner2_5class_train_07745", "source": 
"cyner2_5class_train"}}
+{"text": "When DualToy began to spread in January 2015, it was only capable of infecting Android devices.", "spans": {"Malware: DualToy": [[5, 12]], "System: Android devices.": [[79, 95]]}, "info": {"id": "cyner2_5class_train_07746", "source": "cyner2_5class_train"}}
+{"text": "This group is well known for a widely publicized attack involving the compromise of Forbes.com, in which the site was used to compromise selected targets via a watering hole to a zero-day Adobe Flash exploit.", "spans": {"Indicator: attack": [[49, 55]], "Indicator: compromise of Forbes.com,": [[70, 95]], "Indicator: compromise": [[126, 136]], "Indicator: watering hole": [[160, 173]], "Vulnerability: zero-day": [[179, 187]], "Malware: Adobe Flash exploit.": [[188, 208]]}, "info": {"id": "cyner2_5class_train_07747", "source": "cyner2_5class_train"}}
+{"text": "For example, intended victims frequently have titles of Chief Financial Officer, Head of Finance, Senior Vice President, Director and other high level roles.", "spans": {"Organization: Chief Financial Officer, Head of Finance, Senior Vice President, Director": [[56, 129]], "Organization: high level roles.": [[140, 157]]}, "info": {"id": "cyner2_5class_train_07748", "source": "cyner2_5class_train"}}
+{"text": "One of the most impressive features of this malware is its resilience .", "spans": {}, "info": {"id": "cyner2_5class_train_07749", "source": "cyner2_5class_train"}}
+{"text": "Links returned by a Google search, however, are not guaranteed to be safe.", "spans": {"Indicator: Links": [[0, 5]], "System: a Google search,": [[18, 34]]}, "info": {"id": "cyner2_5class_train_07750", "source": "cyner2_5class_train"}}