{"text": "In the case of the infected application not specified in the code , “ Agent Smith ” will simply show ads on the activity being loaded .", "spans": {"Malware: Agent Smith": [[70, 81]]}, "info": {"id": "cyner2_8class_test_00000", "source": "cyner2_8class_test"}} {"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods .", "spans": {}, "info": {"id": "cyner2_8class_test_00001", "source": "cyner2_8class_test"}} {"text": "According to publicly available statistics , as well as confirmation from Google , most of these apps collected a few dozens installations each , with one case reaching over 350 .", "spans": {"Organization: Google": [[74, 80]]}, "info": {"id": "cyner2_8class_test_00002", "source": "cyner2_8class_test"}} {"text": "Offensive security researchers then start experimenting with AV evasion, and the exploit finally ends up in underground exploit builders.", "spans": {"Organization: Offensive security researchers": [[0, 30]], "System: AV": [[61, 63]], "Malware: exploit": [[81, 88]], "ThreatActor: underground exploit builders.": [[108, 137]]}, "info": {"id": "cyner2_8class_test_00003", "source": "cyner2_8class_test"}} {"text": "This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors.", "spans": {"Malware: Trojan,": [[5, 12]], "Malware: multiple malicious behaviors.": [[91, 120]]}, "info": {"id": "cyner2_8class_test_00004", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Dwn.eusizc Trojan.DownLoader25.49110 BehavesLike.Win32.BadFile.fc W32/Trojan.UQIH-2124 Trojan/Win32.Crypt.C2237672 Trj/GdSda.A Trojan.Crypt W32/DwnLdr.UQF!tr Win32/Trojan.cb1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Dwn.eusizc": [[26, 49]], "Indicator: Trojan.DownLoader25.49110": [[50, 75]], "Indicator: BehavesLike.Win32.BadFile.fc": 
[[76, 104]], "Indicator: W32/Trojan.UQIH-2124": [[105, 125]], "Indicator: Trojan/Win32.Crypt.C2237672": [[126, 153]], "Indicator: Trj/GdSda.A": [[154, 165]], "Indicator: Trojan.Crypt": [[166, 178]], "Indicator: W32/DwnLdr.UQF!tr": [[179, 196]], "Indicator: Win32/Trojan.cb1": [[197, 213]]}, "info": {"id": "cyner2_8class_test_00005", "source": "cyner2_8class_test"}} {"text": "STRING & DATA OBFUSCATION Bread apps have used many innovative and classic techniques to hide strings from analysis engines .", "spans": {}, "info": {"id": "cyner2_8class_test_00006", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Inject.RA Trojan/W32.Inject.33280.AC AdWare.Win32.PurityScan!O Trojan.Inject.RA Win32.Trojan.WisdomEyes.16070401.9500.9988 W32/MalwareS.BHSK Trojan.Cryect Win32/SillyDl.VHZ Win.Adware.Purityscan-27 Trojan.Inject.RA not-a-virus:AdWare.Win32.PurityScan.jz Trojan.Inject.RA Riskware.Win32.PurityScan.hbehp W32.W.AutoRun.kZzH Win32.Adware.Purityscan.Lpuz Trojan.Inject.RA Trojan.Inject.RA Adware.ClickSpring.338 W32/Risk.PDOJ-3563 Adware/PurityScan.h GrayWare[AdWare]/Win32.PurityScan Trojan.Inject.RA not-a-virus:AdWare.Win32.PurityScan.jz TrojanDownloader:Win32/Taleret.B Adware.PurityScan Trj/CI.A not-a-virus:AdWare.Win32.PurityScan Win32/Trojan.8c4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.RA": [[26, 42], [96, 112], [231, 247], [287, 303], [384, 400], [401, 417], [514, 530]], "Indicator: Trojan/W32.Inject.33280.AC": [[43, 69]], "Indicator: AdWare.Win32.PurityScan!O": [[70, 95]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[113, 155]], "Indicator: W32/MalwareS.BHSK": [[156, 173]], "Indicator: Trojan.Cryect": [[174, 187]], "Indicator: Win32/SillyDl.VHZ": [[188, 205]], "Indicator: Win.Adware.Purityscan-27": [[206, 230]], "Indicator: not-a-virus:AdWare.Win32.PurityScan.jz": [[248, 286], [531, 569]], "Indicator: Riskware.Win32.PurityScan.hbehp": [[304, 335]], "Indicator: W32.W.AutoRun.kZzH": [[336, 354]], 
"Indicator: Win32.Adware.Purityscan.Lpuz": [[355, 383]], "Indicator: Adware.ClickSpring.338": [[418, 440]], "Indicator: W32/Risk.PDOJ-3563": [[441, 459]], "Indicator: Adware/PurityScan.h": [[460, 479]], "Indicator: GrayWare[AdWare]/Win32.PurityScan": [[480, 513]], "Indicator: TrojanDownloader:Win32/Taleret.B": [[570, 602]], "Indicator: Adware.PurityScan": [[603, 620]], "Indicator: Trj/CI.A": [[621, 629]], "Indicator: not-a-virus:AdWare.Win32.PurityScan": [[630, 665]], "Indicator: Win32/Trojan.8c4": [[666, 682]]}, "info": {"id": "cyner2_8class_test_00007", "source": "cyner2_8class_test"}} {"text": "In this case the payload was Kronos, a banking Trojan which was introduced in July of 2014.", "spans": {"Malware: payload": [[17, 24]], "Malware: Kronos,": [[29, 36]], "Malware: banking Trojan": [[39, 53]], "Date: July of 2014.": [[78, 91]]}, "info": {"id": "cyner2_8class_test_00008", "source": "cyner2_8class_test"}} {"text": "This submitter has thousands of other submissions in VirusTotal , however , it is the only one that continues to submit EventBot samples via the VirusTotal API .", "spans": {"Malware: EventBot": [[120, 128]]}, "info": {"id": "cyner2_8class_test_00009", "source": "cyner2_8class_test"}} {"text": "Shodan tells us that more than 5 million devices make their TR-069 service available to the outside world.", "spans": {"Organization: Shodan": [[0, 6]], "System: devices": [[41, 48]], "System: TR-069 service": [[60, 74]], "Location: world.": [[100, 106]]}, "info": {"id": "cyner2_8class_test_00010", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.9E95 Win32.Trojan.WisdomEyes.16070401.9500.9996 TrojWare.Win32.Kryptik.RS BehavesLike.Win32.Downloader.nh Trojan.Fareit.1 Win32.Trojan.Fareit.A Trojan/Win32.Jorik.R21377 Trojan.Kryptik!6N5GdNWw3hk Trojan-PWS.Win32.Fareit Win32/Trojan.b7a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.9E95": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[43, 
85]], "Indicator: TrojWare.Win32.Kryptik.RS": [[86, 111]], "Indicator: BehavesLike.Win32.Downloader.nh": [[112, 143]], "Indicator: Trojan.Fareit.1": [[144, 159]], "Indicator: Win32.Trojan.Fareit.A": [[160, 181]], "Indicator: Trojan/Win32.Jorik.R21377": [[182, 207]], "Indicator: Trojan.Kryptik!6N5GdNWw3hk": [[208, 234]], "Indicator: Trojan-PWS.Win32.Fareit": [[235, 258]], "Indicator: Win32/Trojan.b7a": [[259, 275]]}, "info": {"id": "cyner2_8class_test_00011", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 TROJ_FSYNA.AS Trojan/Win32.Fareit Trojan.Zusy.D1AACE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[26, 68]], "Indicator: TROJ_FSYNA.AS": [[69, 82]], "Indicator: Trojan/Win32.Fareit": [[83, 102]], "Indicator: Trojan.Zusy.D1AACE": [[103, 121]]}, "info": {"id": "cyner2_8class_test_00012", "source": "cyner2_8class_test"}} {"text": "In 2015, there have already been a variety of new POS malware identified including a new Alina variant, LogPOS, FighterPOS and Punkey.", "spans": {"Date: 2015,": [[3, 8]], "Malware: POS malware": [[50, 61]], "Malware: Alina variant, LogPOS, FighterPOS": [[89, 122]], "Malware: Punkey.": [[127, 134]]}, "info": {"id": "cyner2_8class_test_00013", "source": "cyner2_8class_test"}} {"text": "The malware known as TROJ_GATAK has been active since 2012 and uses steganography techniques to hide components in .PNG files.", "spans": {"Malware: malware": [[4, 11]], "Indicator: TROJ_GATAK": [[21, 31]], "Date: 2012": [[54, 58]], "Indicator: steganography techniques": [[68, 92]], "Indicator: .PNG files.": [[115, 126]]}, "info": {"id": "cyner2_8class_test_00014", "source": "cyner2_8class_test"}} {"text": "TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react .", "spans": {"Malware: TrickMo": [[0, 7]]}, "info": {"id": "cyner2_8class_test_00015", 
"source": "cyner2_8class_test"}} {"text": "If one these commands is found , then the malware will encode the stolen data with Base64 and upload it to the command and control server .", "spans": {}, "info": {"id": "cyner2_8class_test_00016", "source": "cyner2_8class_test"}} {"text": "In this specific attack, a malicious Excel document was used to create a PowerShell script, which then used the Domain Name System DNS to communicate with an Internet Command and Control C2 server.", "spans": {"Indicator: attack,": [[17, 24]], "Indicator: malicious Excel document": [[27, 51]], "System: PowerShell script,": [[73, 91]], "System: Domain Name System DNS": [[112, 134]], "Indicator: communicate": [[138, 149]], "Indicator: Command and Control C2 server.": [[167, 197]]}, "info": {"id": "cyner2_8class_test_00017", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Injector.16825 Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Cidox!gm TROJ_LATOT.SM Trojan.Win32.Gofot.eci Win32.Trojan-gamethief.Onlinegames.Pgcv TROJ_LATOT.SM TrojanDownloader:Win32/Latot.A Trojan.Win32.Gofot.eci Trojan/Win32.Latot.R175617 W32/Onlinegames.QXA!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.16825": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[48, 90]], "Indicator: Trojan.Cidox!gm": [[91, 106]], "Indicator: TROJ_LATOT.SM": [[107, 120], [184, 197]], "Indicator: Trojan.Win32.Gofot.eci": [[121, 143], [229, 251]], "Indicator: Win32.Trojan-gamethief.Onlinegames.Pgcv": [[144, 183]], "Indicator: TrojanDownloader:Win32/Latot.A": [[198, 228]], "Indicator: Trojan/Win32.Latot.R175617": [[252, 278]], "Indicator: W32/Onlinegames.QXA!tr": [[279, 301]], "Indicator: Trj/GdSda.A": [[302, 313]]}, "info": {"id": "cyner2_8class_test_00018", "source": "cyner2_8class_test"}} {"text": "This post dismantles a sample of this malware to determine whether we need to take Bert the Turtle's advice to duck and cover.", "spans": {"Malware: 
sample": [[23, 29]], "Malware: malware": [[38, 45]]}, "info": {"id": "cyner2_8class_test_00019", "source": "cyner2_8class_test"}} {"text": "Recently, PaloAlto discovered another Windows Trojan we named DualToy which side loads malicious or risky apps to both Android and iOS devices via a USB connection.", "spans": {"Organization: PaloAlto": [[10, 18]], "System: Windows": [[38, 45]], "Malware: Trojan": [[46, 52]], "Malware: DualToy": [[62, 69]], "Malware: malicious": [[87, 96]], "System: risky apps": [[100, 110]], "System: Android": [[119, 126]], "System: iOS devices": [[131, 142]], "System: USB": [[149, 152]], "Indicator: connection.": [[153, 164]]}, "info": {"id": "cyner2_8class_test_00020", "source": "cyner2_8class_test"}} {"text": "On October 14th, a report was publicly released regarding the Sandworm team.", "spans": {"Date: October 14th,": [[3, 16]], "ThreatActor: Sandworm team.": [[62, 76]]}, "info": {"id": "cyner2_8class_test_00021", "source": "cyner2_8class_test"}} {"text": "The owners of the RAA cryptor, however, took a different tack.", "spans": {"ThreatActor: owners": [[4, 10]], "Malware: RAA cryptor,": [[18, 30]]}, "info": {"id": "cyner2_8class_test_00022", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Madi.B Trojan.Win32.Upof!O Trojan.Madi.B Trojan.Madi.B Trojan.Madi TROJ_MADIH.SM Trojan.Madi.B Trojan.Win32.SMSSend.dtabeg Troj.W32.Upof.c!c Trojan.Madi.B TrojWare.Win32.Upof.C Trojan.Madi.B TROJ_MADIH.SM BehavesLike.Win32.Dropper.dc Trojan/Upof.z Trojan/Win32.Unknown TrojanDownloader:Win32/Upof.A Trojan.Win32.A.Upof.279552 Trojan.Madi.B Trojan/Win32.Madi.R30772 Trojan.Upof Trojan.Win32.Upof W32/Upof.C!tr Trj/Madi.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Madi.B": [[26, 39], [60, 73], [74, 87], [114, 127], [174, 187], [210, 223], [359, 372]], "Indicator: Trojan.Win32.Upof!O": [[40, 59]], "Indicator: Trojan.Madi": [[88, 99]], "Indicator: TROJ_MADIH.SM": [[100, 113], [224, 237]], "Indicator: 
Trojan.Win32.SMSSend.dtabeg": [[128, 155]], "Indicator: Troj.W32.Upof.c!c": [[156, 173]], "Indicator: TrojWare.Win32.Upof.C": [[188, 209]], "Indicator: BehavesLike.Win32.Dropper.dc": [[238, 266]], "Indicator: Trojan/Upof.z": [[267, 280]], "Indicator: Trojan/Win32.Unknown": [[281, 301]], "Indicator: TrojanDownloader:Win32/Upof.A": [[302, 331]], "Indicator: Trojan.Win32.A.Upof.279552": [[332, 358]], "Indicator: Trojan/Win32.Madi.R30772": [[373, 397]], "Indicator: Trojan.Upof": [[398, 409]], "Indicator: Trojan.Win32.Upof": [[410, 427]], "Indicator: W32/Upof.C!tr": [[428, 441]], "Indicator: Trj/Madi.A": [[442, 452]]}, "info": {"id": "cyner2_8class_test_00023", "source": "cyner2_8class_test"}} {"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute .", "spans": {"Vulnerability: arbitrary memory read ( CVE-2012-2825 )": [[34, 73]], "Vulnerability: heap buffer overflow ( CVE-2012-2871 )": [[78, 116]], "System: Android versions 4.0 Ice Cream Sandwich": [[160, 199]], "System: 4.3 Jelly Bean": [[203, 217]]}, "info": {"id": "cyner2_8class_test_00024", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Vilsel!O Troj.W32.Patched.lnCt Trojan.Heur.E7F0E9 Win32.Trojan.ImPatch.a TROJ_FLYMUX.SMIB Win.Trojan.Toopu-1 Trojan.Win32.Vilsel.mwo Trojan.Win32.Vilsel.cxoek Trojan.DownLoad1.51956 TROJ_FLYMUX.SMIB Trojan-Dropper.Win32.Ekafod Trojan/Vilsel.aggq Trojan/Win32.Vilsel Trojan.Win32.Vilsel.mwo Trojan.BHORA.04931", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Vilsel!O": [[26, 47]], "Indicator: Troj.W32.Patched.lnCt": [[48, 69]], "Indicator: Trojan.Heur.E7F0E9": [[70, 88]], "Indicator: Win32.Trojan.ImPatch.a": [[89, 111]], "Indicator: TROJ_FLYMUX.SMIB": [[112, 128], [221, 237]], "Indicator: 
Win.Trojan.Toopu-1": [[129, 147]], "Indicator: Trojan.Win32.Vilsel.mwo": [[148, 171], [305, 328]], "Indicator: Trojan.Win32.Vilsel.cxoek": [[172, 197]], "Indicator: Trojan.DownLoad1.51956": [[198, 220]], "Indicator: Trojan-Dropper.Win32.Ekafod": [[238, 265]], "Indicator: Trojan/Vilsel.aggq": [[266, 284]], "Indicator: Trojan/Win32.Vilsel": [[285, 304]], "Indicator: Trojan.BHORA.04931": [[329, 347]]}, "info": {"id": "cyner2_8class_test_00025", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.VBS Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Disfa.dtznyx BehavesLike.Win32.AdwareLinkury.fc Trojan:Win32/Skeeyah.A!bit Win32/Trojan.2fe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VBS": [[26, 36]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[37, 79]], "Indicator: Trojan.Win32.Disfa.dtznyx": [[80, 105]], "Indicator: BehavesLike.Win32.AdwareLinkury.fc": [[106, 140]], "Indicator: Trojan:Win32/Skeeyah.A!bit": [[141, 167]], "Indicator: Win32/Trojan.2fe": [[168, 184]]}, "info": {"id": "cyner2_8class_test_00026", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Dycler!O Exploit.BypassUAC Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MulDrop3.61094 Dropper.Dycler.Win32.309 BehavesLike.Win32.Dropper.tz TrojanDropper.Dycler.ca BDS/Dervec.3000832 Trojan[Dropper]/Win32.Dycler Trojan.Heur.EC561A Dropper/Win32.Dycler.C2335962 TrojanDropper.Dycler Win32.Trojan-Dropper.Dycler.dejx Win32/Trojan.4f0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Dycler!O": [[26, 55]], "Indicator: Exploit.BypassUAC": [[56, 73]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[74, 116]], "Indicator: Trojan.MulDrop3.61094": [[117, 138]], "Indicator: Dropper.Dycler.Win32.309": [[139, 163]], "Indicator: BehavesLike.Win32.Dropper.tz": [[164, 192]], "Indicator: TrojanDropper.Dycler.ca": [[193, 216]], "Indicator: BDS/Dervec.3000832": [[217, 235]], "Indicator: 
Trojan[Dropper]/Win32.Dycler": [[236, 264]], "Indicator: Trojan.Heur.EC561A": [[265, 283]], "Indicator: Dropper/Win32.Dycler.C2335962": [[284, 313]], "Indicator: TrojanDropper.Dycler": [[314, 334]], "Indicator: Win32.Trojan-Dropper.Dycler.dejx": [[335, 367]], "Indicator: Win32/Trojan.4f0": [[368, 384]]}, "info": {"id": "cyner2_8class_test_00027", "source": "cyner2_8class_test"}} {"text": "The exploit appeared on day three of the Permanent Court of Arbitration tribunal, exposing an untold number of interested parties that visited the webpage to potential exploitation.", "spans": {"Malware: exploit": [[4, 11]], "Date: day three": [[24, 33]], "Organization: the Permanent Court of Arbitration tribunal,": [[37, 81]], "Organization: parties": [[122, 129]], "Indicator: webpage": [[147, 154]], "Vulnerability: exploitation.": [[168, 181]]}, "info": {"id": "cyner2_8class_test_00028", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.CabisNHc.PE Worm/W32.Cosmu Trojan.Win32.Cosmu!O Trojan.Klaut.AB1 W32/Sural.a Trojan/Cosmu.so HT_COSMU_FI060D75.UVPM Win32.Trojan.Canbis.b Win32/LdPinch.AGZ TROJ_COSMU_0000000.TOMA Win.Trojan.Delf-2305 Win32.Trojan-Dropper.Cosmu.A Trojan.Win32.Cosmu.so Trojan.Win32.MLW.eelav Trojan.Win32.Cosmu.124928 Troj.W32.Cosmu.tnsc Trojan.DownLoader2.61876 Trojan.Cosmu.Win32.696 BehavesLike.Win32.Sural.vt Trojan/Cosmu.aja Trojan.Win32.Cosmu.so Trojan/Win32.Cosmu.R747 Trojan.Cosmu W32/Knase.C Trojan.Cosmu Win32/Canbis.B Virus.Win32.Tailer.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.CabisNHc.PE": [[26, 47]], "Indicator: Worm/W32.Cosmu": [[48, 62]], "Indicator: Trojan.Win32.Cosmu!O": [[63, 83]], "Indicator: Trojan.Klaut.AB1": [[84, 100]], "Indicator: W32/Sural.a": [[101, 112]], "Indicator: Trojan/Cosmu.so": [[113, 128]], "Indicator: HT_COSMU_FI060D75.UVPM": [[129, 151]], "Indicator: Win32.Trojan.Canbis.b": [[152, 173]], "Indicator: Win32/LdPinch.AGZ": [[174, 191]], "Indicator: TROJ_COSMU_0000000.TOMA": [[192, 
215]], "Indicator: Win.Trojan.Delf-2305": [[216, 236]], "Indicator: Win32.Trojan-Dropper.Cosmu.A": [[237, 265]], "Indicator: Trojan.Win32.Cosmu.so": [[266, 287], [449, 470]], "Indicator: Trojan.Win32.MLW.eelav": [[288, 310]], "Indicator: Trojan.Win32.Cosmu.124928": [[311, 336]], "Indicator: Troj.W32.Cosmu.tnsc": [[337, 356]], "Indicator: Trojan.DownLoader2.61876": [[357, 381]], "Indicator: Trojan.Cosmu.Win32.696": [[382, 404]], "Indicator: BehavesLike.Win32.Sural.vt": [[405, 431]], "Indicator: Trojan/Cosmu.aja": [[432, 448]], "Indicator: Trojan/Win32.Cosmu.R747": [[471, 494]], "Indicator: Trojan.Cosmu": [[495, 507], [520, 532]], "Indicator: W32/Knase.C": [[508, 519]], "Indicator: Win32/Canbis.B": [[533, 547]], "Indicator: Virus.Win32.Tailer.a": [[548, 568]]}, "info": {"id": "cyner2_8class_test_00029", "source": "cyner2_8class_test"}} {"text": "Using DNS for data exfiltration provides several advantages to the attacker.", "spans": {"System: DNS": [[6, 9]], "Vulnerability: data exfiltration": [[14, 31]], "ThreatActor: attacker.": [[67, 76]]}, "info": {"id": "cyner2_8class_test_00030", "source": "cyner2_8class_test"}} {"text": "Once installed , it displayed the icon found in the actual Netflix app on Google Play .", "spans": {"System: Netflix app": [[59, 70]], "System: Google Play": [[74, 85]]}, "info": {"id": "cyner2_8class_test_00031", "source": "cyner2_8class_test"}} {"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner2_8class_test_00032", "source": "cyner2_8class_test"}} {"text": "Antivirus often detects the associated malware as Banload, a family of Trojans that downloads other malware.", "spans": {"System: Antivirus": [[0, 9]], "Malware: malware": [[39, 46]], "Malware: Banload,": [[50, 58]], "Malware: family of Trojans": [[61, 78]], "Malware: malware.": [[100, 108]]}, "info": {"id": "cyner2_8class_test_00033", "source": "cyner2_8class_test"}} {"text": "We found two malicious gaming apps that were published on Google Play and are capable of rooting Android 
devices.", "spans": {"Malware: malicious": [[13, 22]], "System: gaming apps": [[23, 34]], "System: Google Play": [[58, 69]], "Indicator: rooting Android devices.": [[89, 113]]}, "info": {"id": "cyner2_8class_test_00034", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Dimnie.61440 Trojan.Dimnie.Win32.50 Troj.Heur2.JP.lqY.mDK9 Trojan.Mikey.D1266C Trojan.Dimnie Trojan.Win32.Dimnie.he Trojan.Win32.Dimnie.elmtgi BackDoor.Bebloh.184 Trojan.Dimnie.w Trojan/Win32.Dimnie Trojan:Win32/Dimnie.G Trojan.Win32.Dimnie.he Trojan/Win32.Dimnie.C1889767", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Dimnie.61440": [[26, 49]], "Indicator: Trojan.Dimnie.Win32.50": [[50, 72]], "Indicator: Troj.Heur2.JP.lqY.mDK9": [[73, 95]], "Indicator: Trojan.Mikey.D1266C": [[96, 115]], "Indicator: Trojan.Dimnie": [[116, 129]], "Indicator: Trojan.Win32.Dimnie.he": [[130, 152], [258, 280]], "Indicator: Trojan.Win32.Dimnie.elmtgi": [[153, 179]], "Indicator: BackDoor.Bebloh.184": [[180, 199]], "Indicator: Trojan.Dimnie.w": [[200, 215]], "Indicator: Trojan/Win32.Dimnie": [[216, 235]], "Indicator: Trojan:Win32/Dimnie.G": [[236, 257]], "Indicator: Trojan/Win32.Dimnie.C1889767": [[281, 309]]}, "info": {"id": "cyner2_8class_test_00035", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DL.Delf!Pzeg8X5RT2o W32/Downldr2.BXIW BKDR_ELLIKIC.B Trojan-Downloader.Win32.Delf.hhc Trojan.Win32.Delf.uibf TrojWare.Win32.Ellikic.C Trojan.DownLoader.62800 Trojan.Delf.Win32.7551 BKDR_ELLIKIC.B BehavesLike.Win32.Dropper.jh W32/Downloader.DSRK-7508 Trojan/Delf.jcy TR/Dldr.Delf.hhc.1 Malware_fam.A Spyware[AdWare:not-a-virus]/Win32.Iclick Win32.Troj.Delf.kcloud Trojan.Adware.Symmi.D11E5 Trojan/Win32.AdClicker TrojanDownloader.Delf Trj/CI.A Trojan-Dropper.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DL.Delf!Pzeg8X5RT2o": [[26, 52]], "Indicator: W32/Downldr2.BXIW": [[53, 70]], "Indicator: BKDR_ELLIKIC.B": [[71, 85], [214, 228]], 
"Indicator: Trojan-Downloader.Win32.Delf.hhc": [[86, 118]], "Indicator: Trojan.Win32.Delf.uibf": [[119, 141]], "Indicator: TrojWare.Win32.Ellikic.C": [[142, 166]], "Indicator: Trojan.DownLoader.62800": [[167, 190]], "Indicator: Trojan.Delf.Win32.7551": [[191, 213]], "Indicator: BehavesLike.Win32.Dropper.jh": [[229, 257]], "Indicator: W32/Downloader.DSRK-7508": [[258, 282]], "Indicator: Trojan/Delf.jcy": [[283, 298]], "Indicator: TR/Dldr.Delf.hhc.1": [[299, 317]], "Indicator: Malware_fam.A": [[318, 331]], "Indicator: Spyware[AdWare:not-a-virus]/Win32.Iclick": [[332, 372]], "Indicator: Win32.Troj.Delf.kcloud": [[373, 395]], "Indicator: Trojan.Adware.Symmi.D11E5": [[396, 421]], "Indicator: Trojan/Win32.AdClicker": [[422, 444]], "Indicator: TrojanDownloader.Delf": [[445, 466]], "Indicator: Trj/CI.A": [[467, 475]], "Indicator: Trojan-Dropper.Delf": [[476, 495]]}, "info": {"id": "cyner2_8class_test_00036", "source": "cyner2_8class_test"}} {"text": "Since then , we have seen Poison Ivy samples using third-levels of querlyurl [ .", "spans": {"Malware: Poison Ivy": [[26, 36]], "Indicator: querlyurl [ .": [[67, 80]]}, "info": {"id": "cyner2_8class_test_00037", "source": "cyner2_8class_test"}} {"text": "Spaghetti code makes the program flow hard to read by adding continuous code jumps , hence the name .", "spans": {}, "info": {"id": "cyner2_8class_test_00038", "source": "cyner2_8class_test"}} {"text": "From this initial message, we uncovered a watering hole website with malicious programs, malicious PowerPoint files, and Android malware, all apparently designed to appeal to members of the opposition.", "spans": {"Indicator: watering hole website with malicious programs, malicious PowerPoint files,": [[42, 116]], "Malware: Android malware,": [[121, 137]]}, "info": {"id": "cyner2_8class_test_00039", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/PWStealer.AH Backdoor.Botex W32/Mifeng.F TROJ_LEMIR.CS Trojan.PWS.Mifeng!erocD61I7Go 
Trojan.Win32.PSWMifeng.390156 TrojWare.Win32.PSW.Mifeng.E Trojan.MulDrop.2881 TR/PSW.Mifeng.e.2 TROJ_LEMIR.CS Backdoor/Hupigon.ckcc Win32.PSWTroj.Mifeng.bo.kcloud W32/PWStealer.AH Trojan/Win32.Bifrose Trojan-PSW.Win32.Mifeng.e Backdoor.Botex!rem Win32/PSW.Mifeng.E Trojan.PSW.Mifeng.bo Trojan-PWS.Win32.Mifeng.E W32/MIFENG.G!tr Collected.9.BK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/PWStealer.AH": [[26, 42], [278, 294]], "Indicator: Backdoor.Botex": [[43, 57]], "Indicator: W32/Mifeng.F": [[58, 70]], "Indicator: TROJ_LEMIR.CS": [[71, 84], [211, 224]], "Indicator: Trojan.PWS.Mifeng!erocD61I7Go": [[85, 114]], "Indicator: Trojan.Win32.PSWMifeng.390156": [[115, 144]], "Indicator: TrojWare.Win32.PSW.Mifeng.E": [[145, 172]], "Indicator: Trojan.MulDrop.2881": [[173, 192]], "Indicator: TR/PSW.Mifeng.e.2": [[193, 210]], "Indicator: Backdoor/Hupigon.ckcc": [[225, 246]], "Indicator: Win32.PSWTroj.Mifeng.bo.kcloud": [[247, 277]], "Indicator: Trojan/Win32.Bifrose": [[295, 315]], "Indicator: Trojan-PSW.Win32.Mifeng.e": [[316, 341]], "Indicator: Backdoor.Botex!rem": [[342, 360]], "Indicator: Win32/PSW.Mifeng.E": [[361, 379]], "Indicator: Trojan.PSW.Mifeng.bo": [[380, 400]], "Indicator: Trojan-PWS.Win32.Mifeng.E": [[401, 426]], "Indicator: W32/MIFENG.G!tr": [[427, 442]], "Indicator: Collected.9.BK": [[443, 457]]}, "info": {"id": "cyner2_8class_test_00040", "source": "cyner2_8class_test"}} {"text": "“ As part of our ongoing efforts to protect users from the Ghost Push family of malware , we ’ ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. 
” We are very encouraged by the statement Google shared with us addressing the issue .", "spans": {"Malware: Ghost Push family": [[59, 76]], "System: Android": [[172, 179]], "Organization: Google": [[241, 247]]}, "info": {"id": "cyner2_8class_test_00041", "source": "cyner2_8class_test"}} {"text": "] com or hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[9, 34]]}, "info": {"id": "cyner2_8class_test_00042", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Agobot.3.AA Backdoor.Agobot.3.AA Backdoor.Gaobot Backdoor.Agobot.3.AA W32/Agobot.CNB Backdoor.Gaobot Win32/Agobot.3.CQ BKDR_GAOBOT.A Backdoor.Win32.Agobot.aa Trojan.Win32.Agobot.daue Backdoor.Win32.A.Agobot.36864.A[h] Backdoor.Agobot.3.AA Backdoor.Win32.Agobot.3.CQ Backdoor.Agobot.3.AA Trojan.Starter.333 Backdoor.Agobot.Win32.1382 BKDR_GAOBOT.A W32/Agobot.SHCF-4880 Backdoor/SdBot.dtc WORM/AgoBot.AA W32/AgoBot.AA!tr.bdr Trojan[Backdoor]/Win32.Agobot Backdoor.Agobot.3.AA Backdoor.W32.Agobot.aa!c Backdoor:Win32/Gaobot.AA Win32/IRCBot.worm.variant Backdoor.Agobot.3.AA Backdoor.Gaobot Backdoor.Agobot Win32.Backdoor.Agobot.Sxyf Backdoor.Win32.Agobot Backdoor.Agobot.3.AA Backdoor.Win32.Agobot.aa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Agobot.3.AA": [[26, 46], [47, 67], [84, 104], [253, 273], [301, 321], [488, 508], [585, 605], [687, 707]], "Indicator: Backdoor.Gaobot": [[68, 83], [120, 135], [606, 621]], "Indicator: W32/Agobot.CNB": [[105, 119]], "Indicator: Win32/Agobot.3.CQ": [[136, 153]], "Indicator: BKDR_GAOBOT.A": [[154, 167], [368, 381]], "Indicator: Backdoor.Win32.Agobot.aa": [[168, 192], [708, 732]], "Indicator: Trojan.Win32.Agobot.daue": [[193, 217]], "Indicator: Backdoor.Win32.A.Agobot.36864.A[h]": [[218, 252]], "Indicator: Backdoor.Win32.Agobot.3.CQ": [[274, 300]], "Indicator: Trojan.Starter.333": [[322, 340]], "Indicator: Backdoor.Agobot.Win32.1382": [[341, 367]], "Indicator: W32/Agobot.SHCF-4880": [[382, 402]], "Indicator: 
Backdoor/SdBot.dtc": [[403, 421]], "Indicator: WORM/AgoBot.AA": [[422, 436]], "Indicator: W32/AgoBot.AA!tr.bdr": [[437, 457]], "Indicator: Trojan[Backdoor]/Win32.Agobot": [[458, 487]], "Indicator: Backdoor.W32.Agobot.aa!c": [[509, 533]], "Indicator: Backdoor:Win32/Gaobot.AA": [[534, 558]], "Indicator: Win32/IRCBot.worm.variant": [[559, 584]], "Indicator: Backdoor.Agobot": [[622, 637]], "Indicator: Win32.Backdoor.Agobot.Sxyf": [[638, 664]], "Indicator: Backdoor.Win32.Agobot": [[665, 686]]}, "info": {"id": "cyner2_8class_test_00043", "source": "cyner2_8class_test"}} {"text": "AlarmReceiver - Triggers every three minutes .", "spans": {}, "info": {"id": "cyner2_8class_test_00044", "source": "cyner2_8class_test"}} {"text": "On May 12, 2015, Unit 42 observed an apparent watering hole attack, also known as a strategic website compromise SWC, involving the President of Myanmar's website.", "spans": {"Date: May 12, 2015,": [[3, 16]], "Organization: Unit 42": [[17, 24]], "Indicator: watering hole attack,": [[46, 67]], "Indicator: strategic website compromise SWC,": [[84, 117]], "Organization: the President of Myanmar's": [[128, 154]], "Indicator: website.": [[155, 163]]}, "info": {"id": "cyner2_8class_test_00045", "source": "cyner2_8class_test"}} {"text": "On connecting a smartphone in the USB drive emulation mode to a computer running Windows XP , the system automatically starts the Trojan ( if AutoPlay on the external media is not disabled ) and is infected .", "spans": {"System: USB drive": [[34, 43]], "System: Windows XP": [[81, 91]]}, "info": {"id": "cyner2_8class_test_00046", "source": "cyner2_8class_test"}} {"text": "The replacement of a single character renders it nearly indistinguishable from the real Akamai-owned domain.", "spans": {}, "info": {"id": "cyner2_8class_test_00047", "source": "cyner2_8class_test"}} {"text": "In order to achieve this , mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for 
supported applications : Port 6202 : WhatsApp extraction service .", "spans": {"Indicator: mike.jar": [[27, 35]], "Indicator: Port 6202": [[164, 173]], "System: WhatsApp": [[176, 184]]}, "info": {"id": "cyner2_8class_test_00048", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.B699 BehavesLike.Win32.Trojan.th Trojan.Win32.Cryptor TR/Crypt.Xpack.ihifb Trojan.Win32.Z.Crowti.1270272 Backdoor:Win32/Lisuife.A!dha Trojan.Swrort.ED Trj/GdSda.A Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.B699": [[26, 43]], "Indicator: BehavesLike.Win32.Trojan.th": [[44, 71]], "Indicator: Trojan.Win32.Cryptor": [[72, 92]], "Indicator: TR/Crypt.Xpack.ihifb": [[93, 113]], "Indicator: Trojan.Win32.Z.Crowti.1270272": [[114, 143]], "Indicator: Backdoor:Win32/Lisuife.A!dha": [[144, 172]], "Indicator: Trojan.Swrort.ED": [[173, 189]], "Indicator: Trj/GdSda.A": [[190, 201]], "Indicator: Win32/Trojan.e6d": [[202, 218]]}, "info": {"id": "cyner2_8class_test_00049", "source": "cyner2_8class_test"}} {"text": "Exodus is equipped with extensive collection and interception capabilities .", "spans": {"Malware: Exodus": [[0, 6]]}, "info": {"id": "cyner2_8class_test_00050", "source": "cyner2_8class_test"}} {"text": "Android ’ s accessibility services were originally developed by Google for the benefit of users with disabilities .", "spans": {"System: Android": [[0, 7]], "Organization: Google": [[64, 70]]}, "info": {"id": "cyner2_8class_test_00051", "source": "cyner2_8class_test"}} {"text": "Then , a request is formed in such a way that an activity that installs the application is called , bypassing all security checks .", "spans": {}, "info": {"id": "cyner2_8class_test_00052", "source": "cyner2_8class_test"}} {"text": "However, a closer look into a sample showed an interesting downloading method which I haven t seen before user R136a1", "spans": {}, "info": {"id": "cyner2_8class_test_00053", "source": "cyner2_8class_test"}} {"text": 
"If you answered c' you might be correct! FireEye Labs discovered a new piece of ATM malware 4BDD67FF852C221112337FECD0681EAC that we detect as Backdoor.ATM.Suceful the name comes from a typo made by the malware authors, which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks.", "spans": {"Organization: FireEye Labs": [[41, 53]], "Malware: ATM malware": [[80, 91]], "Indicator: 4BDD67FF852C221112337FECD0681EAC": [[92, 124]], "Indicator: Backdoor.ATM.Suceful": [[143, 163]], "ThreatActor: malware authors,": [[203, 219]], "Organization: cardholders": [[234, 245]], "Organization: ATMs,": [[292, 297]], "Indicator: read the debit card tracks.": [[317, 344]]}, "info": {"id": "cyner2_8class_test_00054", "source": "cyner2_8class_test"}} {"text": "The instance we discovered and analyzed at the time was configured to steal information from customers of UK and Australian banks.", "spans": {"Indicator: steal information from customers": [[70, 102]], "Organization: UK": [[106, 108]], "Organization: Australian banks.": [[113, 130]]}, "info": {"id": "cyner2_8class_test_00055", "source": "cyner2_8class_test"}} {"text": "Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments.", "spans": {"System: Sensitive environments": [[0, 22]], "Indicator: process card data": [[28, 45]], "Indicator: HTTP": [[98, 102]], "Indicator: FTP traffic": [[106, 117]], "Vulnerability: exfiltration": [[133, 145]], "System: environments.": [[155, 168]]}, "info": {"id": "cyner2_8class_test_00056", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Kazy.D780C Win32.Trojan.Zbot.a Win.Spyware.Zbot-1275 Trojan-Spy.Win32.Zbot.ymvi Win32.Trojan.Kazy.Pgcv Trojan.PWS.Panda.655 Constructor.Win32.Zbot TR/Crypt.ZPACK.ieoes Constructor:Win32/Zbot.A Trojan-Spy.Win32.Zbot.ymvi Win32.Trojan-Spy.Zbot.DB 
Spyware/Win32.Zbot.R68889 SScope.Trojan.FakeAV.01110 W32/Zbot.YW!tr Win32/Trojan.c5f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D780C": [[26, 43]], "Indicator: Win32.Trojan.Zbot.a": [[44, 63]], "Indicator: Win.Spyware.Zbot-1275": [[64, 85]], "Indicator: Trojan-Spy.Win32.Zbot.ymvi": [[86, 112], [226, 252]], "Indicator: Win32.Trojan.Kazy.Pgcv": [[113, 135]], "Indicator: Trojan.PWS.Panda.655": [[136, 156]], "Indicator: Constructor.Win32.Zbot": [[157, 179]], "Indicator: TR/Crypt.ZPACK.ieoes": [[180, 200]], "Indicator: Constructor:Win32/Zbot.A": [[201, 225]], "Indicator: Win32.Trojan-Spy.Zbot.DB": [[253, 277]], "Indicator: Spyware/Win32.Zbot.R68889": [[278, 303]], "Indicator: SScope.Trojan.FakeAV.01110": [[304, 330]], "Indicator: W32/Zbot.YW!tr": [[331, 345]], "Indicator: Win32/Trojan.c5f": [[346, 362]]}, "info": {"id": "cyner2_8class_test_00057", "source": "cyner2_8class_test"}} {"text": "Researchers has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers.", "spans": {"Organization: Researchers": [[0, 11]], "ThreatActor: espionage-related": [[32, 49]], "ThreatActor: TA473,": [[62, 68]], "ThreatActor: TA473": [[111, 116]], "Organization: US elected officials": [[127, 147]], "Organization: staffers.": [[152, 161]]}, "info": {"id": "cyner2_8class_test_00058", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Abuse-Worry/W32.WinPassViewer.182272 Win32.Trojan.WisdomEyes.16070401.9500.9975 not-a-virus:PSWTool.Win32.WinPassViewer.bg Tool.PassView.1748 Tool.WinPassViewer.Win32.19 BehavesLike.Win32.BadFile.cc AdWare.Amonetize.anis RiskWare[PSWTool]/Win32.WinPassViewer not-a-virus:PSWTool.Win32.WinPassViewer.bg Win-AppCare/Getpassword.182272", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Abuse-Worry/W32.WinPassViewer.182272": [[26, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[63, 105]], "Indicator: 
not-a-virus:PSWTool.Win32.WinPassViewer.bg": [[106, 148], [285, 327]], "Indicator: Tool.PassView.1748": [[149, 167]], "Indicator: Tool.WinPassViewer.Win32.19": [[168, 195]], "Indicator: BehavesLike.Win32.BadFile.cc": [[196, 224]], "Indicator: AdWare.Amonetize.anis": [[225, 246]], "Indicator: RiskWare[PSWTool]/Win32.WinPassViewer": [[247, 284]], "Indicator: Win-AppCare/Getpassword.182272": [[328, 358]]}, "info": {"id": "cyner2_8class_test_00059", "source": "cyner2_8class_test"}} {"text": "Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites.", "spans": {"Indicator: Domain fronting": [[0, 15]], "System: network": [[34, 41]], "Indicator: connections": [[42, 53]], "Indicator: popular websites.": [[110, 127]]}, "info": {"id": "cyner2_8class_test_00060", "source": "cyner2_8class_test"}} {"text": "Charger SHA256 hash : 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0 Infostealer , Keylogger , and Ransomware in One : Anubis Targets More than 250 Android Applications October 29 , 2021 The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device .", "spans": {"Indicator: 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0": [[22, 86]], "Malware: Anubis": [[137, 143]], "System: Android": [[166, 173], [306, 313], [366, 373]], "Organization: Cofense Phishing Defense Center": [[209, 240]]}, "info": {"id": "cyner2_8class_test_00061", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.DownloaderDll.Worm Trojan-Downloader.Win32.Small!O Trojan/Downloader.Small.gkh Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downloader.RQOF-2765 Win32/Filitop.E Win.Downloader.19989-1 Trojan-Downloader.Win32.Small.gkh Trojan.Win32.Small.baasq Trojan.Win32.Downloader.7713 TrojWare.Win32.TrojanDownloader.Small.BW 
Trojan.DownLoader.37335 Downloader.Small.Win32.7224 W32/Downldr2.AKNJ TrojanDownloader.Small.nin Trojan[Downloader]/Win32.Small Win32.TrojDownloader.Small.kcloud Trojan-Downloader.Win32.Small.gkh Trojan/Win32.Downloader.C81971 TrojanDownloader.Small Trojan.DL.Small!Sm7hHElQfpU W32/Small.GKH!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DownloaderDll.Worm": [[26, 48]], "Indicator: Trojan-Downloader.Win32.Small!O": [[49, 80]], "Indicator: Trojan/Downloader.Small.gkh": [[81, 108]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[109, 151]], "Indicator: W32/Downloader.RQOF-2765": [[152, 176]], "Indicator: Win32/Filitop.E": [[177, 192]], "Indicator: Win.Downloader.19989-1": [[193, 215]], "Indicator: Trojan-Downloader.Win32.Small.gkh": [[216, 249], [507, 540]], "Indicator: Trojan.Win32.Small.baasq": [[250, 274]], "Indicator: Trojan.Win32.Downloader.7713": [[275, 303]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.BW": [[304, 344]], "Indicator: Trojan.DownLoader.37335": [[345, 368]], "Indicator: Downloader.Small.Win32.7224": [[369, 396]], "Indicator: W32/Downldr2.AKNJ": [[397, 414]], "Indicator: TrojanDownloader.Small.nin": [[415, 441]], "Indicator: Trojan[Downloader]/Win32.Small": [[442, 472]], "Indicator: Win32.TrojDownloader.Small.kcloud": [[473, 506]], "Indicator: Trojan/Win32.Downloader.C81971": [[541, 571]], "Indicator: TrojanDownloader.Small": [[572, 594]], "Indicator: Trojan.DL.Small!Sm7hHElQfpU": [[595, 622]], "Indicator: W32/Small.GKH!tr.dldr": [[623, 644]]}, "info": {"id": "cyner2_8class_test_00062", "source": "cyner2_8class_test"}} {"text": "This suggests that these attacks were part of a planned operation against specific targets in India.", "spans": {"Indicator: attacks": [[25, 32]], "ThreatActor: planned operation": [[48, 65]], "Location: India.": [[94, 100]]}, "info": {"id": "cyner2_8class_test_00063", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PWS.YVX 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.YVX Trojan.PWS.YVX Trojan.PWS.YVX Trojan.PWS.YVX BehavesLike.Win32.VTFlooder.hc Trojan.PWS.YVX Troj.Pws.Yvx!c Trojan.PWS.YVX Trj/CI.A Trojan-PWS.YVX W32/Kryptik.SHU!tr Win32/Trojan.PWS.3b2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.YVX": [[26, 40], [84, 98], [99, 113], [114, 128], [129, 143], [175, 189], [205, 219]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[41, 83]], "Indicator: BehavesLike.Win32.VTFlooder.hc": [[144, 174]], "Indicator: Troj.Pws.Yvx!c": [[190, 204]], "Indicator: Trj/CI.A": [[220, 228]], "Indicator: Trojan-PWS.YVX": [[229, 243]], "Indicator: W32/Kryptik.SHU!tr": [[244, 262]], "Indicator: Win32/Trojan.PWS.3b2": [[263, 283]]}, "info": {"id": "cyner2_8class_test_00064", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Msic Backdoor.Msic Backdoor.Msic Backdoor.Msic Trojan/Delf.de Trojan.Win32.Delf.binhsf W32/Backdoor.FYD Backdoor.Msic BKDR_DELF.DE Backdoor.Win32.Delf.de Backdoor.Delf!QqXK5yDKgAs Backdoor.Msic Backdoor.Win32.Delf.DE Backdoor.Msic BackDoor.GWBoy.91 BKDR_DELF.DE W32/Backdoor.FFNS-0086 Win32.Hack.Delf.de.kcloud HEUR/Fakon.mwf Backdoor.Msic Win32/Delf.DE Backdoor.Win32.Y3KRat W32/Delf.DE!tr.bdr BackDoor.Delf.AV Backdoor.Win32.Delf.au", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Msic": [[26, 39], [40, 53], [54, 67], [68, 81], [139, 152], [215, 228], [252, 265], [361, 374]], "Indicator: Trojan/Delf.de": [[82, 96]], "Indicator: Trojan.Win32.Delf.binhsf": [[97, 121]], "Indicator: W32/Backdoor.FYD": [[122, 138]], "Indicator: BKDR_DELF.DE": [[153, 165], [284, 296]], "Indicator: Backdoor.Win32.Delf.de": [[166, 188]], "Indicator: Backdoor.Delf!QqXK5yDKgAs": [[189, 214]], "Indicator: Backdoor.Win32.Delf.DE": [[229, 251]], "Indicator: BackDoor.GWBoy.91": [[266, 283]], "Indicator: W32/Backdoor.FFNS-0086": [[297, 319]], "Indicator: Win32.Hack.Delf.de.kcloud": [[320, 345]], "Indicator: HEUR/Fakon.mwf": [[346, 
360]], "Indicator: Win32/Delf.DE": [[375, 388]], "Indicator: Backdoor.Win32.Y3KRat": [[389, 410]], "Indicator: W32/Delf.DE!tr.bdr": [[411, 429]], "Indicator: BackDoor.Delf.AV": [[430, 446]], "Indicator: Backdoor.Win32.Delf.au": [[447, 469]]}, "info": {"id": "cyner2_8class_test_00065", "source": "cyner2_8class_test"}} {"text": "After an app is installed , the ad service pays the attacker .", "spans": {}, "info": {"id": "cyner2_8class_test_00066", "source": "cyner2_8class_test"}} {"text": "Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets , ARM-based PCs , set-top boxes , and other electronic devices worldwide .", "spans": {"Organization: Allwinner": [[38, 47]], "System: Android": [[127, 134]], "Organization: ARM-based": [[145, 154]]}, "info": {"id": "cyner2_8class_test_00067", "source": "cyner2_8class_test"}} {"text": "STRONTIUM is Microsoft's code name for this group, following its internal practice of assigning chemical element names to activity groups; other researchers have used code names such as APT28, Sednit, Sofacy and Fancy Bear as labels for a group or groups", "spans": {"ThreatActor: STRONTIUM": [[0, 9]], "Organization: Microsoft's": [[13, 24]], "Organization: researchers": [[145, 156]], "ThreatActor: APT28, Sednit, Sofacy": [[186, 207]], "ThreatActor: Fancy Bear": [[212, 222]], "ThreatActor: group": [[239, 244]], "ThreatActor: groups": [[248, 254]]}, "info": {"id": "cyner2_8class_test_00068", "source": "cyner2_8class_test"}} {"text": "Stealing and Concealing SMS Messages As some banks still use SMS-based transaction authorization , TrickMo is configured to automatically steal all SMS messages that are stored on the device .", "spans": {"Malware: TrickMo": [[99, 106]]}, "info": {"id": "cyner2_8class_test_00069", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Meciv.a Win32.Trojan.WisdomEyes.16070401.9500.9994 Backdoor.Meciv 
BKDR_MECIV.SME Win.Trojan.Enfal-82 Backdoor.Win32.Meciv.a BKDR_MECIV.SME Trojan[Backdoor]/Win32.Meciv Trojan.Bodegun.3 Backdoor.Win32.Meciv.a TrojanDropper:Win32/Meciv.A Trj/CI.A Win32/Pucedoor.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Meciv.a": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[43, 85]], "Indicator: Backdoor.Meciv": [[86, 100]], "Indicator: BKDR_MECIV.SME": [[101, 115], [159, 173]], "Indicator: Win.Trojan.Enfal-82": [[116, 135]], "Indicator: Backdoor.Win32.Meciv.a": [[136, 158], [220, 242]], "Indicator: Trojan[Backdoor]/Win32.Meciv": [[174, 202]], "Indicator: Trojan.Bodegun.3": [[203, 219]], "Indicator: TrojanDropper:Win32/Meciv.A": [[243, 270]], "Indicator: Trj/CI.A": [[271, 279]], "Indicator: Win32/Pucedoor.A": [[280, 296]]}, "info": {"id": "cyner2_8class_test_00070", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Win32.Trojan-Ransom.Mole.A Trojan.Win32.Encoder.eqqmxg Worm.Win32.Pushbot.A Trojan.Encoder.11008 BehavesLike.Win32.VTFlooder.cm Trojan-Ransom.FileCoder Behavior:Win32/Pryncimoklyn.A!rsm BScope.Trojan-Ransom.Fury Win32.Trojan.Raas.Auto", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Win32.Trojan-Ransom.Mole.A": [[69, 95]], "Indicator: Trojan.Win32.Encoder.eqqmxg": [[96, 123]], "Indicator: Worm.Win32.Pushbot.A": [[124, 144]], "Indicator: Trojan.Encoder.11008": [[145, 165]], "Indicator: BehavesLike.Win32.VTFlooder.cm": [[166, 196]], "Indicator: Trojan-Ransom.FileCoder": [[197, 220]], "Indicator: Behavior:Win32/Pryncimoklyn.A!rsm": [[221, 254]], "Indicator: BScope.Trojan-Ransom.Fury": [[255, 280]], "Indicator: Win32.Trojan.Raas.Auto": [[281, 303]]}, "info": {"id": "cyner2_8class_test_00071", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TR/Dropper.MSIL.252169 Trj/GdSda.A Virus.PSW.ILSpy", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: TR/Dropper.MSIL.252169": [[26, 48]], "Indicator: Trj/GdSda.A": [[49, 60]], "Indicator: Virus.PSW.ILSpy": [[61, 76]]}, "info": {"id": "cyner2_8class_test_00072", "source": "cyner2_8class_test"}} {"text": "With this in mind , we thoroughly look forward to working with you on these matters .", "spans": {}, "info": {"id": "cyner2_8class_test_00073", "source": "cyner2_8class_test"}} {"text": "Several months later and it seems to have evolved again, this time adding cryptocurrency theft to its routines.", "spans": {"Date: Several months": [[0, 14]], "Indicator: cryptocurrency theft": [[74, 94]]}, "info": {"id": "cyner2_8class_test_00074", "source": "cyner2_8class_test"}} {"text": "Symantec Corp, a digital security company, says it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues.", "spans": {"Organization: Symantec Corp,": [[0, 14]], "Organization: digital security company,": [[17, 42]], "ThreatActor: cyber spying campaign,": [[78, 100]], "ThreatActor: state-sponsored,": [[108, 124]], "Location: Indian": [[133, 139]], "Location: Pakistani": [[144, 153]], "ThreatActor: entities": [[154, 162]], "Indicator: regional security issues.": [[175, 200]]}, "info": {"id": "cyner2_8class_test_00075", "source": "cyner2_8class_test"}} {"text": "Without context , this method does not reveal much about its intended behavior , and there are no calls made to it anywhere in the DEX .", "spans": {}, "info": {"id": "cyner2_8class_test_00076", "source": "cyner2_8class_test"}} {"text": "] 6 2020-03-26 http : //rxc.rxcoordinator [ .", "spans": {"Indicator: http : //rxc.rxcoordinator [ .": [[15, 45]]}, "info": {"id": "cyner2_8class_test_00077", "source": "cyner2_8class_test"}} {"text": "Office 365 ATP sandbox employs special mechanisms to avoid being detected by similar checks .", "spans": {"System: Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner2_8class_test_00078", "source": 
"cyner2_8class_test"}} {"text": "During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be something else", "spans": {"Date: last hours,": [[11, 22]], "Malware: OSX/Keydnap": [[23, 34]], "Indicator: trusted website,": [[56, 72]]}, "info": {"id": "cyner2_8class_test_00079", "source": "cyner2_8class_test"}} {"text": "The threat actors used IcedID, delivering the payload using an ISO image on this occasion.", "spans": {"ThreatActor: The threat actors": [[0, 17]], "Malware: IcedID,": [[23, 30]], "Malware: payload": [[46, 53]], "Indicator: an ISO image": [[60, 72]]}, "info": {"id": "cyner2_8class_test_00080", "source": "cyner2_8class_test"}} {"text": "Comparing encrypted vs decrypted asset file .", "spans": {}, "info": {"id": "cyner2_8class_test_00081", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.PorakeseDRAG.Trojan TrojanSpy.Crime.B4 Trojan.Keylogger.Win32.35471 Trojan/Spy.Keylogger.zu TSPY_VBMSIL.SMIA Win.Trojan.KillAV-49 Trojan.Win32.Win32.dccnnq Trojan.MSIL.Spy TR/BAS.Samca.11318183 TrojanSpy:MSIL/Crime.B Trojan.Diztakun", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.PorakeseDRAG.Trojan": [[26, 49]], "Indicator: TrojanSpy.Crime.B4": [[50, 68]], "Indicator: Trojan.Keylogger.Win32.35471": [[69, 97]], "Indicator: Trojan/Spy.Keylogger.zu": [[98, 121]], "Indicator: TSPY_VBMSIL.SMIA": [[122, 138]], "Indicator: Win.Trojan.KillAV-49": [[139, 159]], "Indicator: Trojan.Win32.Win32.dccnnq": [[160, 185]], "Indicator: Trojan.MSIL.Spy": [[186, 201]], "Indicator: TR/BAS.Samca.11318183": [[202, 223]], "Indicator: TrojanSpy:MSIL/Crime.B": [[224, 246]], "Indicator: Trojan.Diztakun": [[247, 262]]}, "info": {"id": "cyner2_8class_test_00082", "source": "cyner2_8class_test"}} {"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner2_8class_test_00083", "source": "cyner2_8class_test"}} {"text": "The Android.ZBot Trojan is one of these malicious programs.", "spans": {"Malware: Android.ZBot Trojan": [[4, 
23]], "Malware: malicious programs.": [[40, 59]]}, "info": {"id": "cyner2_8class_test_00084", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Virus.Win32.Dialer.1313 PSW.OnlineGames_r.AC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Dialer.1313": [[26, 49]], "Indicator: PSW.OnlineGames_r.AC": [[50, 70]]}, "info": {"id": "cyner2_8class_test_00085", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Inject.GK Trojan.Inject.GK TROJ_AUTORUN_000003d.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.VHK Trojan.Minit TROJ_AUTORUN_000003d.TOMA Win.Worm.Autorun-374 Trojan.Inject.GK Trojan.Win32.Autoruner.rjamm Trojan.Inject.GK Worm.Win32.Autorun.q0 Trojan.Inject.GK Win32.HLLW.Autoruner1.61072 W32/Autorun.worm.q W32/Trojan.TSME-5158 W32/AutoRun.BDJ!tr Trojan.Inject.GK Trojan:Win32/Remdruk.A Worm/Win32.AutoRun.R1836 W32/Autorun.worm.q BScope.Trojan-Dropper.Injector Virus.Win32.AutoRun.sd Trojan.Inject.GK W32/Autorun.HN.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.GK": [[26, 42], [43, 59], [205, 221], [251, 267], [290, 306], [394, 410], [532, 548]], "Indicator: TROJ_AUTORUN_000003d.TOMA": [[60, 85], [158, 183]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[86, 128]], "Indicator: W32/Trojan2.VHK": [[129, 144]], "Indicator: Trojan.Minit": [[145, 157]], "Indicator: Win.Worm.Autorun-374": [[184, 204]], "Indicator: Trojan.Win32.Autoruner.rjamm": [[222, 250]], "Indicator: Worm.Win32.Autorun.q0": [[268, 289]], "Indicator: Win32.HLLW.Autoruner1.61072": [[307, 334]], "Indicator: W32/Autorun.worm.q": [[335, 353], [459, 477]], "Indicator: W32/Trojan.TSME-5158": [[354, 374]], "Indicator: W32/AutoRun.BDJ!tr": [[375, 393]], "Indicator: Trojan:Win32/Remdruk.A": [[411, 433]], "Indicator: Worm/Win32.AutoRun.R1836": [[434, 458]], "Indicator: BScope.Trojan-Dropper.Injector": [[478, 508]], "Indicator: Virus.Win32.AutoRun.sd": [[509, 531]], "Indicator: W32/Autorun.HN.worm": 
[[549, 568]]}, "info": {"id": "cyner2_8class_test_00086", "source": "cyner2_8class_test"}} {"text": "Based on data from Trend Micro Mobile App Reputation Service, we detected more than 800 applications embedded the ad library's SDK that have been downloaded millions of times from Google Play.", "spans": {"Organization: Trend Micro": [[19, 30]], "System: Mobile App Reputation Service,": [[31, 61]], "System: 800 applications": [[84, 100]], "System: SDK": [[127, 130]], "System: Google Play.": [[180, 192]]}, "info": {"id": "cyner2_8class_test_00087", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O Backdoor.Xifos.S14134 TROJ_GOVDI.F Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SSXY-8201 TROJ_GOVDI.F Trojan-Downloader.Win32.Small.apyd Trojan.Win32.Small.ovxwu Trojan.Win32.A.Downloader.13824.AT Troj.Downloader.W32.Small.apyd!c Trojan.DownLoad2.51103 Downloader.Small.Win32.68519 Trojan.Win32.Spy TrojanDownloader.Small.aidi W32.Malware.Downloader TR/Dldr.Namsoth.B W32/Small.QVC!tr.dldr Trojan[Downloader]/Win32.Small Trojan.Heur.RP.ED2300E Trojan-Downloader.Win32.Small.apyd TrojanDownloader:Win32/Namsoth.B Downloader/Win32.Small.C65448 Trojan.Downloader.Small TScope.Malware-Cryptor.SB Win32.Trojan-downloader.Small.Ebhl Trojan.DL.Small!PqMADy2OaN0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Small!O": [[26, 57]], "Indicator: Backdoor.Xifos.S14134": [[58, 79]], "Indicator: TROJ_GOVDI.F": [[80, 92], [157, 169]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[93, 135]], "Indicator: W32/Trojan.SSXY-8201": [[136, 156]], "Indicator: Trojan-Downloader.Win32.Small.apyd": [[170, 204], [512, 546]], "Indicator: Trojan.Win32.Small.ovxwu": [[205, 229]], "Indicator: Trojan.Win32.A.Downloader.13824.AT": [[230, 264]], "Indicator: Troj.Downloader.W32.Small.apyd!c": [[265, 297]], "Indicator: Trojan.DownLoad2.51103": [[298, 320]], "Indicator: Downloader.Small.Win32.68519": [[321, 349]], 
"Indicator: Trojan.Win32.Spy": [[350, 366]], "Indicator: TrojanDownloader.Small.aidi": [[367, 394]], "Indicator: W32.Malware.Downloader": [[395, 417]], "Indicator: TR/Dldr.Namsoth.B": [[418, 435]], "Indicator: W32/Small.QVC!tr.dldr": [[436, 457]], "Indicator: Trojan[Downloader]/Win32.Small": [[458, 488]], "Indicator: Trojan.Heur.RP.ED2300E": [[489, 511]], "Indicator: TrojanDownloader:Win32/Namsoth.B": [[547, 579]], "Indicator: Downloader/Win32.Small.C65448": [[580, 609]], "Indicator: Trojan.Downloader.Small": [[610, 633]], "Indicator: TScope.Malware-Cryptor.SB": [[634, 659]], "Indicator: Win32.Trojan-downloader.Small.Ebhl": [[660, 694]], "Indicator: Trojan.DL.Small!PqMADy2OaN0": [[695, 722]]}, "info": {"id": "cyner2_8class_test_00088", "source": "cyner2_8class_test"}} {"text": "The group continues to primarily use publicly available pentesting tools outside of the US.", "spans": {"ThreatActor: The group": [[0, 9]], "Malware: tools": [[67, 72]], "Location: the US.": [[84, 91]]}, "info": {"id": "cyner2_8class_test_00089", "source": "cyner2_8class_test"}} {"text": "brother.apk ( SHA256 : 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8 ) : The package name – com.android.system.certificate .", "spans": {"System: brother.apk": [[0, 11]], "Indicator: 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8": [[23, 87]], "Indicator: com.android.system.certificate": [[111, 141]]}, "info": {"id": "cyner2_8class_test_00090", "source": "cyner2_8class_test"}} {"text": "When we first observed the malware in January , we recorded 380 infections .", "spans": {}, "info": {"id": "cyner2_8class_test_00091", "source": "cyner2_8class_test"}} {"text": "In later versions , when it starts , the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details .", "spans": {}, "info": {"id": "cyner2_8class_test_00092", "source": "cyner2_8class_test"}} {"text": 
"One technique we've been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016.", "spans": {"ThreatActor: threat group": [[44, 56]], "Indicator: the Clayslide delivery document as attachments": [[73, 119]], "Indicator: spear-phishing emails": [[123, 144]], "Indicator: attacks": [[148, 155]], "Date: May 2016.": [[162, 171]]}, "info": {"id": "cyner2_8class_test_00093", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Multi W32/Trojan3.AEFY TSPY_LOKI.THABET Trojan.Win32.Inject.exlwmp Trojan.PWS.Stealer.21330 TSPY_LOKI.THABET BehavesLike.Win32.Trojan.bh Trojan.Win32.Injector W32/Trojan.BSXG-7335 DR/Delphi.cmzkc Trojan[Backdoor]/Win32.Androm Uds.Dangerousobject.Multi!c TrojanSpy.Noon Spyware.LokiBot Trj/WLT.D Trojan.Injector!1D2XpjXiYyw W32/Injector.DVFA!tr Win32/Backdoor.2e1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: W32/Trojan3.AEFY": [[39, 55]], "Indicator: TSPY_LOKI.THABET": [[56, 72], [125, 141]], "Indicator: Trojan.Win32.Inject.exlwmp": [[73, 99]], "Indicator: Trojan.PWS.Stealer.21330": [[100, 124]], "Indicator: BehavesLike.Win32.Trojan.bh": [[142, 169]], "Indicator: Trojan.Win32.Injector": [[170, 191]], "Indicator: W32/Trojan.BSXG-7335": [[192, 212]], "Indicator: DR/Delphi.cmzkc": [[213, 228]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[229, 258]], "Indicator: Uds.Dangerousobject.Multi!c": [[259, 286]], "Indicator: TrojanSpy.Noon": [[287, 301]], "Indicator: Spyware.LokiBot": [[302, 317]], "Indicator: Trj/WLT.D": [[318, 327]], "Indicator: Trojan.Injector!1D2XpjXiYyw": [[328, 355]], "Indicator: W32/Injector.DVFA!tr": [[356, 376]], "Indicator: Win32/Backdoor.2e1": [[377, 395]]}, "info": {"id": "cyner2_8class_test_00094", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.NetWiredRC.esv Trojan.Win32.NetWiredRC.exccjt 
Win32.Backdoor.Netwiredrc.Pcso Backdoor.NetWiredRC.Win32.1167 Trojan.Win32.Injector Backdoor:Win32/NetWiredRC.B Backdoor.Win32.NetWiredRC.esv Trj/GdSda.A W32/VBINJECT.SM!tr Win32/Backdoor.a0c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Backdoor.Win32.NetWiredRC.esv": [[69, 98], [242, 271]], "Indicator: Trojan.Win32.NetWiredRC.exccjt": [[99, 129]], "Indicator: Win32.Backdoor.Netwiredrc.Pcso": [[130, 160]], "Indicator: Backdoor.NetWiredRC.Win32.1167": [[161, 191]], "Indicator: Trojan.Win32.Injector": [[192, 213]], "Indicator: Backdoor:Win32/NetWiredRC.B": [[214, 241]], "Indicator: Trj/GdSda.A": [[272, 283]], "Indicator: W32/VBINJECT.SM!tr": [[284, 302]], "Indicator: Win32/Backdoor.a0c": [[303, 321]]}, "info": {"id": "cyner2_8class_test_00095", "source": "cyner2_8class_test"}} {"text": "Allwinner has also been less transparent about the backdoor code .", "spans": {"Organization: Allwinner": [[0, 9]]}, "info": {"id": "cyner2_8class_test_00096", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9954 TROJ_WEBJACK.A Trojan.Win32.Sennoma.eqbupe Trojan.DownLoader25.692 TROJ_WEBJACK.A BehavesLike.Win32.Vundo.lh Trojan.Sennoma.ey TR/AD.Derbit.yhtwf Trojan.Sirefef.DE9D Trojan:Win32/Derbit.D!bit Trojan.Downloader Trojan.Sennoma! 
Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9954": [[26, 68]], "Indicator: TROJ_WEBJACK.A": [[69, 83], [136, 150]], "Indicator: Trojan.Win32.Sennoma.eqbupe": [[84, 111]], "Indicator: Trojan.DownLoader25.692": [[112, 135]], "Indicator: BehavesLike.Win32.Vundo.lh": [[151, 177]], "Indicator: Trojan.Sennoma.ey": [[178, 195]], "Indicator: TR/AD.Derbit.yhtwf": [[196, 214]], "Indicator: Trojan.Sirefef.DE9D": [[215, 234]], "Indicator: Trojan:Win32/Derbit.D!bit": [[235, 260]], "Indicator: Trojan.Downloader": [[261, 278]], "Indicator: Trojan.Sennoma!": [[279, 294]], "Indicator: Trj/GdSda.A": [[295, 306]]}, "info": {"id": "cyner2_8class_test_00097", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Fsysna.Win32.7926 Win32.Trojan.VB.ja Trojan.Win32.Fsysna.celb Trojan.Win32.Fsysna.dylomu Trojan.Win32.Z.Fsysna.163840 Troj.W32.Fsysna!c BehavesLike.Win32.Vilsel.cz Trojan/Fsysna.ebj WORM/Rasith.xxjtz Trojan/Win32.Fsysna Trojan.Heur.E8E0BD Trojan.Win32.Fsysna.celb Worm:Win32/Rasit.A Trojan.Fsysna Trj/CI.A Win32.Trojan.Fsysna.Aiij Trojan.Fsysna! 
W32/Rasith.B!worm Win32/Trojan.c65", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Fsysna.Win32.7926": [[26, 50]], "Indicator: Win32.Trojan.VB.ja": [[51, 69]], "Indicator: Trojan.Win32.Fsysna.celb": [[70, 94], [272, 296]], "Indicator: Trojan.Win32.Fsysna.dylomu": [[95, 121]], "Indicator: Trojan.Win32.Z.Fsysna.163840": [[122, 150]], "Indicator: Troj.W32.Fsysna!c": [[151, 168]], "Indicator: BehavesLike.Win32.Vilsel.cz": [[169, 196]], "Indicator: Trojan/Fsysna.ebj": [[197, 214]], "Indicator: WORM/Rasith.xxjtz": [[215, 232]], "Indicator: Trojan/Win32.Fsysna": [[233, 252]], "Indicator: Trojan.Heur.E8E0BD": [[253, 271]], "Indicator: Worm:Win32/Rasit.A": [[297, 315]], "Indicator: Trojan.Fsysna": [[316, 329]], "Indicator: Trj/CI.A": [[330, 338]], "Indicator: Win32.Trojan.Fsysna.Aiij": [[339, 363]], "Indicator: Trojan.Fsysna!": [[364, 378]], "Indicator: W32/Rasith.B!worm": [[379, 396]], "Indicator: Win32/Trojan.c65": [[397, 413]]}, "info": {"id": "cyner2_8class_test_00098", "source": "cyner2_8class_test"}} {"text": "Earth Preta delivering lure archives via spear-phishing emails and Google Drive links.", "spans": {"ThreatActor: Earth Preta": [[0, 11]], "Indicator: spear-phishing emails": [[41, 62]], "System: Google Drive": [[67, 79]], "Indicator: links.": [[80, 86]]}, "info": {"id": "cyner2_8class_test_00099", "source": "cyner2_8class_test"}} {"text": "Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously bug its targets – and uses Dropbox to store exfiltrated data, CyberX has named it Operation BugDrop.", "spans": {"System: PC": [[73, 75]], "System: Dropbox": [[145, 152]], "Indicator: exfiltrated data,": [[162, 179]], "ThreatActor: CyberX": [[180, 186]], "ThreatActor: Operation BugDrop.": [[200, 218]]}, "info": {"id": "cyner2_8class_test_00100", "source": "cyner2_8class_test"}} {"text": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL 
parser code injection vulnerability.", "spans": {"Organization: FireEye": [[0, 7]], "Indicator: a malicious Microsoft Office RTF document": [[26, 67]], "Indicator: CVE-2017-8759,": [[83, 97]], "Vulnerability: a SOAP WSDL parser code injection vulnerability.": [[98, 146]]}, "info": {"id": "cyner2_8class_test_00101", "source": "cyner2_8class_test"}} {"text": "] com http : //www.i4vip [ .", "spans": {"Indicator: http : //www.i4vip [ .": [[6, 28]]}, "info": {"id": "cyner2_8class_test_00102", "source": "cyner2_8class_test"}} {"text": "The malware, using stolen credentials, spreads throughout the targeted networks and then at a set date and time wipes the disks attached to the victim computers.", "spans": {"Malware: malware,": [[4, 12]], "Indicator: stolen credentials,": [[19, 38]], "Organization: targeted networks": [[62, 79]], "Date: set date and time": [[94, 111]], "Indicator: wipes": [[112, 117]], "Indicator: disks": [[122, 127]], "System: victim computers.": [[144, 161]]}, "info": {"id": "cyner2_8class_test_00103", "source": "cyner2_8class_test"}} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {"Indicator: 185.158.248 [ .": [[37, 52]]}, "info": {"id": "cyner2_8class_test_00104", "source": "cyner2_8class_test"}} {"text": "BankBot is also capable of hijacking and intercepting SMS messages, which means that it can bypass SMS-based 2-factor authentication.", "spans": {"Malware: BankBot": [[0, 7]], "Indicator: capable of hijacking": [[16, 36]], "Indicator: intercepting SMS messages,": [[41, 67]], "Indicator: bypass SMS-based 2-factor authentication.": [[92, 133]]}, "info": {"id": "cyner2_8class_test_00105", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Posevol Win32.Trojan.WisdomEyes.16070401.9500.9865 Trojan.Win32.Yakes.vphp Trojan.Win32.Yakes.exokki Trojan.Win32.Z.Yakes.146962 Troj.W32.Yakes!c BackDoor.Andromeda.614 BehavesLike.Win32.Worm.ch Trojan.Yakes.ywi TR/RedCap.okrph 
Trojan/Win32.Yakes Trojan:Win32/Posevol.A Trojan.Win32.Yakes.vphp Trojan.Yakes Backdoor.Bot Trj/RnkBend.A Win32.Trojan.Yakes.Aiij", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.Posevol": [[48, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9865": [[63, 105]], "Indicator: Trojan.Win32.Yakes.vphp": [[106, 129], [325, 348]], "Indicator: Trojan.Win32.Yakes.exokki": [[130, 155]], "Indicator: Trojan.Win32.Z.Yakes.146962": [[156, 183]], "Indicator: Troj.W32.Yakes!c": [[184, 200]], "Indicator: BackDoor.Andromeda.614": [[201, 223]], "Indicator: BehavesLike.Win32.Worm.ch": [[224, 249]], "Indicator: Trojan.Yakes.ywi": [[250, 266]], "Indicator: TR/RedCap.okrph": [[267, 282]], "Indicator: Trojan/Win32.Yakes": [[283, 301]], "Indicator: Trojan:Win32/Posevol.A": [[302, 324]], "Indicator: Trojan.Yakes": [[349, 361]], "Indicator: Backdoor.Bot": [[362, 374]], "Indicator: Trj/RnkBend.A": [[375, 388]], "Indicator: Win32.Trojan.Yakes.Aiij": [[389, 412]]}, "info": {"id": "cyner2_8class_test_00106", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Flystud!O Worm.Nuj.IM6 Worm.AutoRun.Win32.2 Win32/Nuj.ACN TROJ_DROPR.CU Win32.Trojan-Downloader.Bulilit.A Trojan.Win32.FlyStudio.dswuoo W32.Troj.Downloader!c ApplicUnsaf.Win32.HackTool.FlySky.AC Trojan-Downloader:W32/VB.BUE TROJ_DROPR.CU Worm:Win32/Nuj.A Worm:Win32/Nuj.A Trojan.FlyStudio W32/DROPR.CU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Flystud!O": [[26, 56]], "Indicator: Worm.Nuj.IM6": [[57, 69]], "Indicator: Worm.AutoRun.Win32.2": [[70, 90]], "Indicator: Win32/Nuj.ACN": [[91, 104]], "Indicator: TROJ_DROPR.CU": [[105, 118], [271, 284]], "Indicator: Win32.Trojan-Downloader.Bulilit.A": [[119, 152]], "Indicator: Trojan.Win32.FlyStudio.dswuoo": [[153, 182]], "Indicator: W32.Troj.Downloader!c": [[183, 204]], "Indicator: ApplicUnsaf.Win32.HackTool.FlySky.AC": [[205, 241]], "Indicator: 
Trojan-Downloader:W32/VB.BUE": [[242, 270]], "Indicator: Worm:Win32/Nuj.A": [[285, 301], [302, 318]], "Indicator: Trojan.FlyStudio": [[319, 335]], "Indicator: W32/DROPR.CU!tr": [[336, 351]]}, "info": {"id": "cyner2_8class_test_00107", "source": "cyner2_8class_test"}} {"text": "In July 2015, Eduardo Prado released a Proof of Concept PoC exploit for this vulnerability here.", "spans": {"Date: July 2015,": [[3, 13]], "Organization: Eduardo Prado": [[14, 27]], "Malware: Proof of Concept PoC exploit": [[39, 67]], "Vulnerability: vulnerability": [[77, 90]]}, "info": {"id": "cyner2_8class_test_00108", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Silly Trojan.Krypt.24 WORM_PALEVO.SMJJ Win32.Trojan.WisdomEyes.16070401.9500.9555 WORM_PALEVO.SMJJ Win.Trojan.Ag-1 P2P-Worm.Win32.Palevo.jub MalCrypt.Indus! Trojan.Packed.20312 BehavesLike.Win32.Downloader.cc P2P-Worm.Win32.Palevo Worm/Palevo.jub Worm:Win32/Silly_P2P.G BScope.P2P-Worm.Palevo Trj/Rimecud.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Silly": [[26, 36]], "Indicator: Trojan.Krypt.24": [[37, 52]], "Indicator: WORM_PALEVO.SMJJ": [[53, 69], [113, 129]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9555": [[70, 112]], "Indicator: Win.Trojan.Ag-1": [[130, 145]], "Indicator: P2P-Worm.Win32.Palevo.jub": [[146, 171]], "Indicator: MalCrypt.Indus!": [[172, 187]], "Indicator: Trojan.Packed.20312": [[188, 207]], "Indicator: BehavesLike.Win32.Downloader.cc": [[208, 239]], "Indicator: P2P-Worm.Win32.Palevo": [[240, 261]], "Indicator: Worm/Palevo.jub": [[262, 277]], "Indicator: Worm:Win32/Silly_P2P.G": [[278, 300]], "Indicator: BScope.P2P-Worm.Palevo": [[301, 323]], "Indicator: Trj/Rimecud.a": [[324, 337]]}, "info": {"id": "cyner2_8class_test_00109", "source": "cyner2_8class_test"}} {"text": "It has similar functionality to the ‘ AndroidMDMSupport ’ command from the current versions – stealing data belonging to other installed applications .", "spans": {}, "info": {"id": 
"cyner2_8class_test_00110", "source": "cyner2_8class_test"}} {"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says .", "spans": {"Organization: BLU": [[7, 10], [94, 97]], "Organization: Adups": [[31, 36]]}, "info": {"id": "cyner2_8class_test_00111", "source": "cyner2_8class_test"}} {"text": "Examples of the overlays available to the malware Above , you can see examples of the injections that distributed to the malware as part of this specific campaign .", "spans": {}, "info": {"id": "cyner2_8class_test_00112", "source": "cyner2_8class_test"}} {"text": "] net , at the time of writing .", "spans": {}, "info": {"id": "cyner2_8class_test_00113", "source": "cyner2_8class_test"}} {"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "cyner2_8class_test_00114", "source": "cyner2_8class_test"}} {"text": "One particularly persistent adware attack piqued our interest around March.", "spans": {"Malware: adware": [[28, 34]], "Indicator: attack": [[35, 41]], "Date: March.": [[69, 75]]}, "info": {"id": "cyner2_8class_test_00115", "source": "cyner2_8class_test"}} {"text": "To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games MMORPGs originally published by Aeria Games.", "spans": {"Malware: malware,": [[16, 24]], "ThreatActor: the attackers": [[25, 38]], "System: massively-multiplayer online role-playing games MMORPGs": [[64, 119]], "System: Aeria Games.": [[144, 156]]}, "info": {"id": "cyner2_8class_test_00116", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Smokedown!O TrojanDownloader.Smokedown Trojan/CoinMiner.ap Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Droppedmalwaresdld.HZUA-6171 PUA.Bitcoinminer TSPY_DOWNLOADER_BL132D10.TOMC Trojan-Downloader.Win32.Smokedown.d Trojan.Win32.CoinMiner.bbxdtj 
Trojan.Win32.A.Downloader.16896.AAJ Troj.Downloader.W32!c Trojan.DownLoader7.18034 TSPY_DOWNLOADER_BL132D10.TOMC Trojan.Win32.Malex TrojanDropper.Dorifel.bxh Trojan[Downloader]/Win32.Smokedown Trojan-Downloader.Win32.Smokedown.d Dropper/Win32.Dorifel.R42031 TrojanDownloader.Smokedown Trojan.BCMiner Win32/CoinMiner.AP Win32.Trojan-downloader.Smokedown.Ebhi Win32/Trojan.Downloader.53e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Smokedown!O": [[26, 61]], "Indicator: TrojanDownloader.Smokedown": [[62, 88], [556, 582]], "Indicator: Trojan/CoinMiner.ap": [[89, 108]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[109, 151]], "Indicator: W32/Droppedmalwaresdld.HZUA-6171": [[152, 184]], "Indicator: PUA.Bitcoinminer": [[185, 201]], "Indicator: TSPY_DOWNLOADER_BL132D10.TOMC": [[202, 231], [381, 410]], "Indicator: Trojan-Downloader.Win32.Smokedown.d": [[232, 267], [491, 526]], "Indicator: Trojan.Win32.CoinMiner.bbxdtj": [[268, 297]], "Indicator: Trojan.Win32.A.Downloader.16896.AAJ": [[298, 333]], "Indicator: Troj.Downloader.W32!c": [[334, 355]], "Indicator: Trojan.DownLoader7.18034": [[356, 380]], "Indicator: Trojan.Win32.Malex": [[411, 429]], "Indicator: TrojanDropper.Dorifel.bxh": [[430, 455]], "Indicator: Trojan[Downloader]/Win32.Smokedown": [[456, 490]], "Indicator: Dropper/Win32.Dorifel.R42031": [[527, 555]], "Indicator: Trojan.BCMiner": [[583, 597]], "Indicator: Win32/CoinMiner.AP": [[598, 616]], "Indicator: Win32.Trojan-downloader.Smokedown.Ebhi": [[617, 655]], "Indicator: Win32/Trojan.Downloader.53e": [[656, 683]]}, "info": {"id": "cyner2_8class_test_00117", "source": "cyner2_8class_test"}} {"text": "Distribution Cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices .", "spans": {}, "info": {"id": "cyner2_8class_test_00118", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Palevo.ekgxpo Trojan.Win32.Z.Palevo.1703416 HackTool.W32.Sniffer.WpePro.lqH9 
Worm.Win32.Dropper.RA Trojan.DownLoader24.60205 Worm[P2P]/Win32.Palevo Trojan:Win32/Fushield.A!bit Worm.Palevo Trojan.Win32.Fushield W32/Phrasing!tr.bdr Win32/Trojan.Downloader.c8c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Palevo.ekgxpo": [[26, 52]], "Indicator: Trojan.Win32.Z.Palevo.1703416": [[53, 82]], "Indicator: HackTool.W32.Sniffer.WpePro.lqH9": [[83, 115]], "Indicator: Worm.Win32.Dropper.RA": [[116, 137]], "Indicator: Trojan.DownLoader24.60205": [[138, 163]], "Indicator: Worm[P2P]/Win32.Palevo": [[164, 186]], "Indicator: Trojan:Win32/Fushield.A!bit": [[187, 214]], "Indicator: Worm.Palevo": [[215, 226]], "Indicator: Trojan.Win32.Fushield": [[227, 248]], "Indicator: W32/Phrasing!tr.bdr": [[249, 268]], "Indicator: Win32/Trojan.Downloader.c8c": [[269, 296]]}, "info": {"id": "cyner2_8class_test_00119", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.stunexa4.Worm Win32.Worm.Stuxnet.B Win32.Worm.Stuxnet.B Worm.Win32.Stuxnet!O Worm.Stuxnet.Win32.6 Trojan.Win32.Stuxnet.bnpqz W32/MalwareF.GXSH Stuxnet.A Win32/Stuxnet.K TROJ_STUXNET.DX Trojan.Stuxnet-28 Worm.Win32.Stuxnet.ab Win32.Worm.Stuxnet.B Worm.Stuxnet!uh9RYlBH8TQ Worm.Win32.A.Stuxnet.297984[h] Win32.Worm.Stuxnet.Syif Win32.Worm.Stuxnet.B Worm.Win32.Stuxnet.A Win32.Worm.Stuxnet.B Trojan.Stuxnet.1 TROJ_STUXNET.DX W32/Risk.CWCG-6512 Worm/Stuxnet.j Worm/Stuxnet.A.6 Worm/Win32.Stuxnet Worm.Stuxnet.a.kcloud Trojan:Win32/Stuxnet.A Win32.Worm.Stuxnet.B Worm/Win32.Stuxnet Win32.Worm.Stuxnet.B Win32/Stuxnet.C PE:Worm.Win32.Stuxnet.c!1075333313 Win32.Stuxnet W32/STUXNET.AB!worm Win32/Worm.5cd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.stunexa4.Worm": [[26, 43]], "Indicator: Win32.Worm.Stuxnet.B": [[44, 64], [65, 85], [255, 275], [356, 376], [398, 418], [567, 587], [607, 627]], "Indicator: Worm.Win32.Stuxnet!O": [[86, 106]], "Indicator: Worm.Stuxnet.Win32.6": [[107, 127]], "Indicator: Trojan.Win32.Stuxnet.bnpqz": [[128, 154]], "Indicator: 
W32/MalwareF.GXSH": [[155, 172]], "Indicator: Stuxnet.A": [[173, 182]], "Indicator: Win32/Stuxnet.K": [[183, 198]], "Indicator: TROJ_STUXNET.DX": [[199, 214], [436, 451]], "Indicator: Trojan.Stuxnet-28": [[215, 232]], "Indicator: Worm.Win32.Stuxnet.ab": [[233, 254]], "Indicator: Worm.Stuxnet!uh9RYlBH8TQ": [[276, 300]], "Indicator: Worm.Win32.A.Stuxnet.297984[h]": [[301, 331]], "Indicator: Win32.Worm.Stuxnet.Syif": [[332, 355]], "Indicator: Worm.Win32.Stuxnet.A": [[377, 397]], "Indicator: Trojan.Stuxnet.1": [[419, 435]], "Indicator: W32/Risk.CWCG-6512": [[452, 470]], "Indicator: Worm/Stuxnet.j": [[471, 485]], "Indicator: Worm/Stuxnet.A.6": [[486, 502]], "Indicator: Worm/Win32.Stuxnet": [[503, 521], [588, 606]], "Indicator: Worm.Stuxnet.a.kcloud": [[522, 543]], "Indicator: Trojan:Win32/Stuxnet.A": [[544, 566]], "Indicator: Win32/Stuxnet.C": [[628, 643]], "Indicator: PE:Worm.Win32.Stuxnet.c!1075333313": [[644, 678]], "Indicator: Win32.Stuxnet": [[679, 692]], "Indicator: W32/STUXNET.AB!worm": [[693, 712]], "Indicator: Win32/Worm.5cd": [[713, 727]]}, "info": {"id": "cyner2_8class_test_00120", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Downloader.Regonid.28370 Trojan/Dropper.Mudrop.jlg TROJ_DROPPR.SMR Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.GRBI-0276 TROJ_DROPPR.SMR Trojan.Win32.Mudrop.bunnk Troj.Dropper.W32.Mudrop.l63L Trojan.MulDrop1.39552 BehavesLike.Win32.Ransomware.dc Trojan-Dropper.Win32.Mudrop W32/MalwareS.BGPK TrojanDropper.Mudrop.ben W32.Trojan.Dropper Trojan[Dropper]/Win32.Mudrop Trojan.Razy.DA954 TrojanDownloader:Win32/Regonid.B Dropper/Win32.Mudrop.R9955 TrojanDropper.Mudrop Trojan.DR.Mudrop!u4bkYKypm+g Win32/Trojan.79e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Regonid.28370": [[26, 50]], "Indicator: Trojan/Dropper.Mudrop.jlg": [[51, 76]], "Indicator: TROJ_DROPPR.SMR": [[77, 92], [155, 170]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[93, 135]], "Indicator: W32/Risk.GRBI-0276": 
[[136, 154]], "Indicator: Trojan.Win32.Mudrop.bunnk": [[171, 196]], "Indicator: Troj.Dropper.W32.Mudrop.l63L": [[197, 225]], "Indicator: Trojan.MulDrop1.39552": [[226, 247]], "Indicator: BehavesLike.Win32.Ransomware.dc": [[248, 279]], "Indicator: Trojan-Dropper.Win32.Mudrop": [[280, 307]], "Indicator: W32/MalwareS.BGPK": [[308, 325]], "Indicator: TrojanDropper.Mudrop.ben": [[326, 350]], "Indicator: W32.Trojan.Dropper": [[351, 369]], "Indicator: Trojan[Dropper]/Win32.Mudrop": [[370, 398]], "Indicator: Trojan.Razy.DA954": [[399, 416]], "Indicator: TrojanDownloader:Win32/Regonid.B": [[417, 449]], "Indicator: Dropper/Win32.Mudrop.R9955": [[450, 476]], "Indicator: TrojanDropper.Mudrop": [[477, 497]], "Indicator: Trojan.DR.Mudrop!u4bkYKypm+g": [[498, 526]], "Indicator: Win32/Trojan.79e": [[527, 543]]}, "info": {"id": "cyner2_8class_test_00121", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Exploit.Iis.Thcunreal.01.A Trojan-Exploit/W32.Thcunreal.28672.B Trojan.Exploit.Iis.Thcunreal.01.A Exploit.W32.Thcunreal.a!c Trojan/Exploit.Thcunreal.a W32/Risk.INJJ-3275 Hacktool.NT.Exploit TROJ_IIS.A Exploit.Win32.Thcunreal.a Trojan.Exploit.Iis.Thcunreal.01.A Exploit.Win32.Thcunreal.goxw Trojan.Exploit.Iis.Thcunreal.01.A TrojWare.Win32.Exploit.IIS.01.A Trojan.Exploit.Iis.Thcunreal.01.A Exploit.IIS TROJ_IIS.A Exploit-IIS.Thcun Exploit.IIS.Thcunreal.01.a TR/Expl.IIS.Thcunreal.01.A W32/IIS.A!exploit Trojan[Exploit]/Win32.Thcunreal Trojan.Exploit.Iis.Thcunreal.01.A Exploit.Win32.Thcunreal.a Exploit:Win32/IISThcunreal.A Exploit-IIS.Thcun Exploit.Thcunreal Win32/Exploit.IIS.Thcunreal.01.A Win32.Exploit.Thcunreal.Lpuu Exploit.Thcunreal!kKvFaxcSUi0 Trojan.Win32.Exploit Trojan.Exploit.Iis.Thcunreal.01.A Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.Iis.Thcunreal.01.A": [[26, 59], [97, 130], [260, 293], [323, 356], [389, 422], [568, 601], [806, 839]], "Indicator: Trojan-Exploit/W32.Thcunreal.28672.B": [[60, 96]], 
"Indicator: Exploit.W32.Thcunreal.a!c": [[131, 156]], "Indicator: Trojan/Exploit.Thcunreal.a": [[157, 183]], "Indicator: W32/Risk.INJJ-3275": [[184, 202]], "Indicator: Hacktool.NT.Exploit": [[203, 222]], "Indicator: TROJ_IIS.A": [[223, 233], [435, 445]], "Indicator: Exploit.Win32.Thcunreal.a": [[234, 259], [602, 627]], "Indicator: Exploit.Win32.Thcunreal.goxw": [[294, 322]], "Indicator: TrojWare.Win32.Exploit.IIS.01.A": [[357, 388]], "Indicator: Exploit.IIS": [[423, 434]], "Indicator: Exploit-IIS.Thcun": [[446, 463], [657, 674]], "Indicator: Exploit.IIS.Thcunreal.01.a": [[464, 490]], "Indicator: TR/Expl.IIS.Thcunreal.01.A": [[491, 517]], "Indicator: W32/IIS.A!exploit": [[518, 535]], "Indicator: Trojan[Exploit]/Win32.Thcunreal": [[536, 567]], "Indicator: Exploit:Win32/IISThcunreal.A": [[628, 656]], "Indicator: Exploit.Thcunreal": [[675, 692]], "Indicator: Win32/Exploit.IIS.Thcunreal.01.A": [[693, 725]], "Indicator: Win32.Exploit.Thcunreal.Lpuu": [[726, 754]], "Indicator: Exploit.Thcunreal!kKvFaxcSUi0": [[755, 784]], "Indicator: Trojan.Win32.Exploit": [[785, 805]], "Indicator: Win32/Trojan.2ff": [[840, 856]]}, "info": {"id": "cyner2_8class_test_00122", "source": "cyner2_8class_test"}} {"text": "In addition to stealing data, Ursnif also has the ability to download additional malicious components from the attacker's Command Control C C servers and load them dynamically into memory.", "spans": {"Malware: Ursnif": [[30, 36]], "Malware: malicious components": [[81, 101]], "ThreatActor: attacker's": [[111, 121]], "Indicator: Command Control C C servers": [[122, 149]], "Vulnerability: memory.": [[181, 188]]}, "info": {"id": "cyner2_8class_test_00123", "source": "cyner2_8class_test"}} {"text": "A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat APT group and other researchers refer to as admin@338, may have conduced the activity. 
The email messages contained malicious documents with a malware payload called LOWBALL.", "spans": {"ThreatActor: China-based cyber threat group,": [[2, 33]], "Organization: FireEye": [[40, 47]], "ThreatActor: advanced persistent threat APT group": [[75, 111]], "Organization: researchers": [[122, 133]], "ThreatActor: admin@338,": [[146, 156]], "Malware: malware payload": [[245, 260]], "Malware: LOWBALL.": [[268, 276]]}, "info": {"id": "cyner2_8class_test_00124", "source": "cyner2_8class_test"}} {"text": ") Let ’ s take a more detailed look at how this banking Trojan works .", "spans": {}, "info": {"id": "cyner2_8class_test_00125", "source": "cyner2_8class_test"}} {"text": "This allows the “ boot ” module to execute the payloads when the infected application is started .", "spans": {}, "info": {"id": "cyner2_8class_test_00126", "source": "cyner2_8class_test"}} {"text": "Check Point has worked closely with Google and at the time of publishing , no malicious apps remain on the Play Store .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[36, 42]], "System: Play Store": [[107, 117]]}, "info": {"id": "cyner2_8class_test_00127", "source": "cyner2_8class_test"}} {"text": "Svpeng In mid-July , we detected Trojan-SMS.AndroidOS.Svpeng.a which , unlike its SMS Trojan counterparts , is focused on stealing money from the victiim ’ s bank account rather than from his mobile phone .", "spans": {"Malware: Svpeng": [[0, 6]], "Malware: Trojan-SMS.AndroidOS.Svpeng.a": [[33, 62]]}, "info": {"id": "cyner2_8class_test_00128", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Delf.tjj Trojan.Zusy.D2E47A Win32.Trojan.WisdomEyes.16070401.9500.9990 Infostealer.Limitail HT_XIHET_GA310B61.UVPM Trojan.Win32.Delf.egkxur Trojan.DownLoader22.50210 Trojan.Delf.Win32.76470 HT_XIHET_GA310B61.UVPM Trojan.Reconyc Trojan-Banker.Win32.Banbra Win32/Trojan.db6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Delf.tjj": [[26, 41]], 
"Indicator: Trojan.Zusy.D2E47A": [[42, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9990": [[61, 103]], "Indicator: Infostealer.Limitail": [[104, 124]], "Indicator: HT_XIHET_GA310B61.UVPM": [[125, 147], [223, 245]], "Indicator: Trojan.Win32.Delf.egkxur": [[148, 172]], "Indicator: Trojan.DownLoader22.50210": [[173, 198]], "Indicator: Trojan.Delf.Win32.76470": [[199, 222]], "Indicator: Trojan.Reconyc": [[246, 260]], "Indicator: Trojan-Banker.Win32.Banbra": [[261, 287]], "Indicator: Win32/Trojan.db6": [[288, 304]]}, "info": {"id": "cyner2_8class_test_00129", "source": "cyner2_8class_test"}} {"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"Organization: Fatah": [[133, 138]]}, "info": {"id": "cyner2_8class_test_00130", "source": "cyner2_8class_test"}} {"text": "At the beginning of August, a new version of this Trojan—Linux.DDoS.89—was discovered.", "spans": {"Date: beginning of August,": [[7, 27]], "Indicator: Trojan—Linux.DDoS.89—was": [[50, 74]]}, "info": {"id": "cyner2_8class_test_00131", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.6E07 Win32.Trojan.WisdomEyes.16070401.9500.9975 MalCrypt.Indus! 
BehavesLike.Win32.Trojan.tc PUA.NoobyProtect Win32.Riskware.NoobyProtect.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.6E07": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9975": [[43, 85]], "Indicator: MalCrypt.Indus!": [[86, 101]], "Indicator: BehavesLike.Win32.Trojan.tc": [[102, 129]], "Indicator: PUA.NoobyProtect": [[130, 146]], "Indicator: Win32.Riskware.NoobyProtect.B": [[147, 176]]}, "info": {"id": "cyner2_8class_test_00132", "source": "cyner2_8class_test"}} {"text": "While this malware shares some commonalities with that family, it departs from the standard operating procedure of the previous versions rather dramatically.", "spans": {"Malware: malware": [[11, 18]]}, "info": {"id": "cyner2_8class_test_00133", "source": "cyner2_8class_test"}} {"text": "However , it also targets applications from Romania , Ireland , India , Austria , Switzerland , Australia , Poland and the USA .", "spans": {}, "info": {"id": "cyner2_8class_test_00134", "source": "cyner2_8class_test"}} {"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "cyner2_8class_test_00135", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.NetSpy.20!O Backdoor.Netspy Win32.Trojan.WisdomEyes.16070401.9500.9942 W32/Trojan.WJAE-6009 Backdoor.Trojan Backdoor.Win32.NetSpy.20.j Trojan.Win32.Netspy.eroujl Backdoor.W32.Netspy!c BackDoor.Netspy.20 Backdoor.NetSpy.Win32.85 BehavesLike.Win32.VirRansom.dc Backdoor/NetSpy.30 BDS/Netspy.iatae Trojan[Backdoor]/Win32.NetSpy Backdoor:Win32/Netspy.20.I Backdoor.Win32.NetSpy.20.j Backdoor.NetSpy Trj/CI.A Win32/NetSpy.20.I Win32.Backdoor.Netspy.Glu Backdoor.NetSpy!l8M8eeD/P+c Backdoor.Win32.Netspy W32/NetSpy.J!tr Win32/Backdoor.Spy.1ac", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.NetSpy.20!O": [[26, 52]], "Indicator: Backdoor.Netspy": [[53, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9942": 
[[69, 111]], "Indicator: W32/Trojan.WJAE-6009": [[112, 132]], "Indicator: Backdoor.Trojan": [[133, 148]], "Indicator: Backdoor.Win32.NetSpy.20.j": [[149, 175], [393, 419]], "Indicator: Trojan.Win32.Netspy.eroujl": [[176, 202]], "Indicator: Backdoor.W32.Netspy!c": [[203, 224]], "Indicator: BackDoor.Netspy.20": [[225, 243]], "Indicator: Backdoor.NetSpy.Win32.85": [[244, 268]], "Indicator: BehavesLike.Win32.VirRansom.dc": [[269, 299]], "Indicator: Backdoor/NetSpy.30": [[300, 318]], "Indicator: BDS/Netspy.iatae": [[319, 335]], "Indicator: Trojan[Backdoor]/Win32.NetSpy": [[336, 365]], "Indicator: Backdoor:Win32/Netspy.20.I": [[366, 392]], "Indicator: Backdoor.NetSpy": [[420, 435]], "Indicator: Trj/CI.A": [[436, 444]], "Indicator: Win32/NetSpy.20.I": [[445, 462]], "Indicator: Win32.Backdoor.Netspy.Glu": [[463, 488]], "Indicator: Backdoor.NetSpy!l8M8eeD/P+c": [[489, 516]], "Indicator: Backdoor.Win32.Netspy": [[517, 538]], "Indicator: W32/NetSpy.J!tr": [[539, 554]], "Indicator: Win32/Backdoor.Spy.1ac": [[555, 577]]}, "info": {"id": "cyner2_8class_test_00136", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.THAUS.73216 Exploit.Win32.THAUS!O Trojan.Mauvaise.SL1 Trojan/Exploit.THAUS.a W32/MalwareS.BJQW Win.Tool.KiTrap-1 Exploit.Win32.THAUS.a Exploit.Win32.Vdm.ihuhu Trojan.Win32.EX-THAUS.73216 Win32.Exploit.Thaus.Hupd Exploit.Win32.Thaus.~asd Exploit.Vdm.2 Exploit.THAUS.Win32.17 Exploit.Win32.THAUS Exploit.THAUS.l W32.Hack.Tool Trojan[Exploit]/Win32.THAUS Win32.EXPLOIT.VDM.xj.73216 HackTool:Win32/Kitrap.A Exploit.W32.THAUS.a!c Exploit.Win32.THAUS.a Exploit.THAUS Exploit.THAUS Exploit.THAUS!2nbzKjrayCc W32/ThausLoader.A!tr Trj/CI.A Win32/Trojan.Exploit.f21", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Exploit/W32.THAUS.73216": [[26, 56]], "Indicator: Exploit.Win32.THAUS!O": [[57, 78]], "Indicator: Trojan.Mauvaise.SL1": [[79, 98]], "Indicator: Trojan/Exploit.THAUS.a": [[99, 121]], "Indicator: W32/MalwareS.BJQW": [[122, 
139]], "Indicator: Win.Tool.KiTrap-1": [[140, 157]], "Indicator: Exploit.Win32.THAUS.a": [[158, 179], [470, 491]], "Indicator: Exploit.Win32.Vdm.ihuhu": [[180, 203]], "Indicator: Trojan.Win32.EX-THAUS.73216": [[204, 231]], "Indicator: Win32.Exploit.Thaus.Hupd": [[232, 256]], "Indicator: Exploit.Win32.Thaus.~asd": [[257, 281]], "Indicator: Exploit.Vdm.2": [[282, 295]], "Indicator: Exploit.THAUS.Win32.17": [[296, 318]], "Indicator: Exploit.Win32.THAUS": [[319, 338]], "Indicator: Exploit.THAUS.l": [[339, 354]], "Indicator: W32.Hack.Tool": [[355, 368]], "Indicator: Trojan[Exploit]/Win32.THAUS": [[369, 396]], "Indicator: Win32.EXPLOIT.VDM.xj.73216": [[397, 423]], "Indicator: HackTool:Win32/Kitrap.A": [[424, 447]], "Indicator: Exploit.W32.THAUS.a!c": [[448, 469]], "Indicator: Exploit.THAUS": [[492, 505], [506, 519]], "Indicator: Exploit.THAUS!2nbzKjrayCc": [[520, 545]], "Indicator: W32/ThausLoader.A!tr": [[546, 566]], "Indicator: Trj/CI.A": [[567, 575]], "Indicator: Win32/Trojan.Exploit.f21": [[576, 600]]}, "info": {"id": "cyner2_8class_test_00137", "source": "cyner2_8class_test"}} {"text": "] 87:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "cyner2_8class_test_00138", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Android.Trojan.Lightdd.b HEUR:Trojan-Downloader.AndroidOS.DorDrae.a HEUR:Trojan-Downloader.AndroidOS.DorDrae.a Trojan.AndroidOS.DorDrae Android/DrdLight.A!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.Lightdd.b": [[26, 50]], "Indicator: HEUR:Trojan-Downloader.AndroidOS.DorDrae.a": [[51, 93], [94, 136]], "Indicator: Trojan.AndroidOS.DorDrae": [[137, 161]], "Indicator: Android/DrdLight.A!tr.dldr": [[162, 188]]}, "info": {"id": "cyner2_8class_test_00139", "source": "cyner2_8class_test"}} {"text": "It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets.", "spans": {"Malware: botnet": [[25, 31]], "Malware: pay-per-infection botnet": [[45, 
69]], "ThreatActor: underground markets.": [[77, 97]]}, "info": {"id": "cyner2_8class_test_00140", "source": "cyner2_8class_test"}} {"text": "The same websites have hosted different RuMMS samples at different dates .", "spans": {"Malware: RuMMS": [[40, 45]]}, "info": {"id": "cyner2_8class_test_00141", "source": "cyner2_8class_test"}} {"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air .", "spans": {"Organization: Adups": [[41, 46]], "System: FOTA": [[65, 69]]}, "info": {"id": "cyner2_8class_test_00142", "source": "cyner2_8class_test"}} {"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"Organization: Fatah": [[159, 164]]}, "info": {"id": "cyner2_8class_test_00143", "source": "cyner2_8class_test"}} {"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3 1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 “ Agent Smith ” Timeline Early signs of activity from the actor behind “ Agent Smith ” can be traced back to January 2016 .", "spans": {"Malware: Agent Smith": [[431, 442]]}, "info": {"id": "cyner2_8class_test_00144", "source": "cyner2_8class_test"}} {"text": "Upon kill chain completion , “ Agent Smith ” will then hijack compromised user apps to show ads .", "spans": {"Malware: Agent Smith": [[31, 42]]}, "info": {"id": "cyner2_8class_test_00145", "source": "cyner2_8class_test"}} {"text": "Depending if the victim has any of the targeted applications , the anti-virus installed or geographic location , the malware can harvest 
credentials from the targeted applications , exfiltrate all personal information or simply use the victim 's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials .", "spans": {}, "info": {"id": "cyner2_8class_test_00146", "source": "cyner2_8class_test"}} {"text": "Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal.", "spans": {"Malware: Carbon,": [[43, 50]], "Malware: backdoor": [[66, 74]], "ThreatActor: the Turla group arsenal.": [[78, 102]]}, "info": {"id": "cyner2_8class_test_00147", "source": "cyner2_8class_test"}} {"text": "During the course of our research , we noticed that we were not the only ones to have found the operation .", "spans": {}, "info": {"id": "cyner2_8class_test_00148", "source": "cyner2_8class_test"}} {"text": "But the malicious ip file does not contain any methods from the original ip file .", "spans": {}, "info": {"id": "cyner2_8class_test_00149", "source": "cyner2_8class_test"}} {"text": "What makes this function more suspicious is the two strings written in Chinese characters : ===状态=== ( ===Status=== ) - Checks whether the device is connected to a network ===类型=== ( ===Type=== ) - Checks whether the device sees available nearby Wifi networks isNetworkAvailable function used for monitoring network connectivity status .", "spans": {}, "info": {"id": "cyner2_8class_test_00150", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGameEEWAL.Trojan Backdoor/W32.Cakl.23552.B Backdoor.Win32.Cakl!O Backdoor.Cakl Trojan/FakeAV.ryd W32/Backdoor.NXW Backdoor.Trojan Win32/Cakl.F BKDR_TURKO.SME Win.Trojan.Cakl-3 Backdoor.Win32.Cakl.g Trojan.Win32.Cakl.eajvqz Backdoor.Win32.Cakl.23552.B BackDoor.Dosia BKDR_TURKO.SME Backdoor.Win32.Cakl W32/Backdoor.DFVB-2135 Backdoor/Cakl.h BDS/Cakl.D.51 Trojan[Backdoor]/Win32.Cakl Win32.Hack.Cakl.d.kcloud Trojan.Graftor.DCFE9 Backdoor.Win32.Cakl.g 
Backdoor:Win32/Cakl.D Trojan/Win32.Cakl.C187190 Backdoor.Cakl Trj/Cakl.J Win32/Cakl.D Backdoor.Cakl.G W32/Cakl.NAQ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameEEWAL.Trojan": [[26, 48]], "Indicator: Backdoor/W32.Cakl.23552.B": [[49, 74]], "Indicator: Backdoor.Win32.Cakl!O": [[75, 96]], "Indicator: Backdoor.Cakl": [[97, 110], [530, 543]], "Indicator: Trojan/FakeAV.ryd": [[111, 128]], "Indicator: W32/Backdoor.NXW": [[129, 145]], "Indicator: Backdoor.Trojan": [[146, 161]], "Indicator: Win32/Cakl.F": [[162, 174]], "Indicator: BKDR_TURKO.SME": [[175, 189], [298, 312]], "Indicator: Win.Trojan.Cakl-3": [[190, 207]], "Indicator: Backdoor.Win32.Cakl.g": [[208, 229], [460, 481]], "Indicator: Trojan.Win32.Cakl.eajvqz": [[230, 254]], "Indicator: Backdoor.Win32.Cakl.23552.B": [[255, 282]], "Indicator: BackDoor.Dosia": [[283, 297]], "Indicator: Backdoor.Win32.Cakl": [[313, 332]], "Indicator: W32/Backdoor.DFVB-2135": [[333, 355]], "Indicator: Backdoor/Cakl.h": [[356, 371]], "Indicator: BDS/Cakl.D.51": [[372, 385]], "Indicator: Trojan[Backdoor]/Win32.Cakl": [[386, 413]], "Indicator: Win32.Hack.Cakl.d.kcloud": [[414, 438]], "Indicator: Trojan.Graftor.DCFE9": [[439, 459]], "Indicator: Backdoor:Win32/Cakl.D": [[482, 503]], "Indicator: Trojan/Win32.Cakl.C187190": [[504, 529]], "Indicator: Trj/Cakl.J": [[544, 554]], "Indicator: Win32/Cakl.D": [[555, 567]], "Indicator: Backdoor.Cakl.G": [[568, 583]], "Indicator: W32/Cakl.NAQ!tr": [[584, 599]]}, "info": {"id": "cyner2_8class_test_00151", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.ComreropExpLnr.Trojan Trojan/W32.Small.49261 Trojan.Win32.VBKrypt!O Trojan.Comrerop.AZ3 Downloader.VB.Win32.27622 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/VBInject.DUQ Trojan.Win32.VBKrypt.enmu Trojan.Win32.A.VBKrypt.24576.CK BehavesLike.Win32.BadFile.pz Trojan/VBKrypt.hcih Trojan/Win32.VBKrypt Win32.Troj.VBKrypt.kcloud TrojanDownloader:Win32/CoinMiner.D Trojan.Win32.VBKrypt.enmu 
Trojan/Win32.VBKrypt.R120570 Win32/TrojanDownloader.VB.PHU Trojan.Bumat!jKE3yygrvxI Trojan.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ComreropExpLnr.Trojan": [[26, 51]], "Indicator: Trojan/W32.Small.49261": [[52, 74]], "Indicator: Trojan.Win32.VBKrypt!O": [[75, 97]], "Indicator: Trojan.Comrerop.AZ3": [[98, 117]], "Indicator: Downloader.VB.Win32.27622": [[118, 143]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[144, 186]], "Indicator: Win32/VBInject.DUQ": [[187, 205]], "Indicator: Trojan.Win32.VBKrypt.enmu": [[206, 231], [395, 420]], "Indicator: Trojan.Win32.A.VBKrypt.24576.CK": [[232, 263]], "Indicator: BehavesLike.Win32.BadFile.pz": [[264, 292]], "Indicator: Trojan/VBKrypt.hcih": [[293, 312]], "Indicator: Trojan/Win32.VBKrypt": [[313, 333]], "Indicator: Win32.Troj.VBKrypt.kcloud": [[334, 359]], "Indicator: TrojanDownloader:Win32/CoinMiner.D": [[360, 394]], "Indicator: Trojan/Win32.VBKrypt.R120570": [[421, 449]], "Indicator: Win32/TrojanDownloader.VB.PHU": [[450, 479]], "Indicator: Trojan.Bumat!jKE3yygrvxI": [[480, 504]], "Indicator: Trojan.Injector": [[505, 520]]}, "info": {"id": "cyner2_8class_test_00152", "source": "cyner2_8class_test"}} {"text": "If the user wants to check which app is responsible for the ad being displayed , by hitting the “ Recent apps ” button , another trick is used : the app displays a Facebook or Google icon , as seen in Figure 6 .", "spans": {"Organization: Facebook": [[164, 172]], "Organization: Google": [[176, 182]]}, "info": {"id": "cyner2_8class_test_00153", "source": "cyner2_8class_test"}} {"text": "In the image below , we can see a packet that was sent to the attacker ’ s C & C containing collected information along with stolen SMS data .", "spans": {}, "info": {"id": "cyner2_8class_test_00154", "source": "cyner2_8class_test"}} {"text": "The second timer will run every five seconds and it will try to enable the WiFi if it 's disabled .", "spans": {}, "info": {"id": "cyner2_8class_test_00155", 
"source": "cyner2_8class_test"}} {"text": "It spreads under the name AvitoPay.apk ( or similar ) and downloads from websites with names like youla9d6h.tk , prodam8n9.tk , prodamfkz.ml , avitoe0ys.tk , etc .", "spans": {"Indicator: AvitoPay.apk": [[26, 38]], "Indicator: youla9d6h.tk": [[98, 110]], "Indicator: prodam8n9.tk": [[113, 125]], "Indicator: prodamfkz.ml": [[128, 140]], "Indicator: avitoe0ys.tk": [[143, 155]]}, "info": {"id": "cyner2_8class_test_00156", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.B3E2 W32/AllocUp.b W32.AllocUp.A WORM_ALLOCU.A Net-Worm.Win32.AllocUp.c Trojan.Win32.AllocUp.fkxb Worm.Win32.Net-AllocUp.32326[h] Worm.Win32.Robobot._0 Win32.HLLW.Allocup Backdoor.Robobot.Win32.1 WORM_ALLOCU.A BehavesLike.Win32.Dropper.nc Worm/AllocUp.b Worm[Net]/Win32.AllocUp W32.W.AllocUp.c!c Win32/Allocup.worm.32326.N Worm:Win32/Dalloc.A W32/AllocUp.A.worm Backdoor.Win32.Robobot.P Exploit.CVE-2009-3129 Worm.Win32.AllocUp.c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.B3E2": [[26, 42]], "Indicator: W32/AllocUp.b": [[43, 56]], "Indicator: W32.AllocUp.A": [[57, 70]], "Indicator: WORM_ALLOCU.A": [[71, 84], [234, 247]], "Indicator: Net-Worm.Win32.AllocUp.c": [[85, 109]], "Indicator: Trojan.Win32.AllocUp.fkxb": [[110, 135]], "Indicator: Worm.Win32.Net-AllocUp.32326[h]": [[136, 167]], "Indicator: Worm.Win32.Robobot._0": [[168, 189]], "Indicator: Win32.HLLW.Allocup": [[190, 208]], "Indicator: Backdoor.Robobot.Win32.1": [[209, 233]], "Indicator: BehavesLike.Win32.Dropper.nc": [[248, 276]], "Indicator: Worm/AllocUp.b": [[277, 291]], "Indicator: Worm[Net]/Win32.AllocUp": [[292, 315]], "Indicator: W32.W.AllocUp.c!c": [[316, 333]], "Indicator: Win32/Allocup.worm.32326.N": [[334, 360]], "Indicator: Worm:Win32/Dalloc.A": [[361, 380]], "Indicator: W32/AllocUp.A.worm": [[381, 399]], "Indicator: Backdoor.Win32.Robobot.P": [[400, 424]], "Indicator: Exploit.CVE-2009-3129": [[425, 446]], "Indicator: Worm.Win32.AllocUp.c": 
[[447, 467]]}, "info": {"id": "cyner2_8class_test_00157", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.AdojNHc.Trojan VirTool.CeeInject.DU4 Trojan/Downloader.Small.bzru SScope.Backdoor.Simbot Win32.Trojan.Inject.bm Win.Trojan.Rubinurd-67 Troj.Downloader.W32.Small.lk0q Trojan.DownLoad2.36100 BehavesLike.Win32.Downloader.mc W32.Trojan.Downloader.Small Trojan/Win32.Injector.qis Backdoor/Win32.CSon.R885 Backdoor.Simbot Trojan.Injector.QIS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.AdojNHc.Trojan": [[26, 50]], "Indicator: VirTool.CeeInject.DU4": [[51, 72]], "Indicator: Trojan/Downloader.Small.bzru": [[73, 101]], "Indicator: SScope.Backdoor.Simbot": [[102, 124]], "Indicator: Win32.Trojan.Inject.bm": [[125, 147]], "Indicator: Win.Trojan.Rubinurd-67": [[148, 170]], "Indicator: Troj.Downloader.W32.Small.lk0q": [[171, 201]], "Indicator: Trojan.DownLoad2.36100": [[202, 224]], "Indicator: BehavesLike.Win32.Downloader.mc": [[225, 256]], "Indicator: W32.Trojan.Downloader.Small": [[257, 284]], "Indicator: Trojan/Win32.Injector.qis": [[285, 310]], "Indicator: Backdoor/Win32.CSon.R885": [[311, 335]], "Indicator: Backdoor.Simbot": [[336, 351]], "Indicator: Trojan.Injector.QIS": [[352, 371]]}, "info": {"id": "cyner2_8class_test_00158", "source": "cyner2_8class_test"}} {"text": "TL ; DR Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users Bread apps originally performed SMS fraud , but have largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect More information on stats and relative impact is available in the Android Security 2018 Year in Review report BILLING FRAUD Bread apps typically fall into two categories : SMS fraud ( older versions ) and toll fraud ( newer versions ) .", "spans": {"System: Google Play Protect": [[8, 27], [339, 358]], 
"Malware: Bread": [[61, 66], [130, 135], [483, 488]], "System: Play Store": [[81, 91]], "System: Play": [[256, 260]], "System: Android": [[425, 432]]}, "info": {"id": "cyner2_8class_test_00159", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Dropped:Win32.Maddis.A Trojan-Proxy/W32.TexLock.105984 Troj.Proxy.W32.TexLock.b!c Trojan/Proxy.TexLock.b Dropped:Win32.Maddis.A Trojan.PR.TexLock!wwwu4M21S4c W32/Maddis.A W32.Maddis.B Win32/TrojanProxy.TexLock.B WORM_MADDIS.B Trojan.Proxy.Texlock.B Trojan-Proxy.Win32.TexLock.b Trojan.Win32.TexLock.gtjh Trojan.Win32.Proxy.105984[h] Virus.Win32.Heur.l Dropped:Win32.Maddis.A TrojWare.Win32.TrojanProxy.TexLock.B Dropped:Win32.Maddis.A Trojan.Texlok Trojan.TexLock.Win32.3 WORM_MADDIS.A BehavesLike.Win32.Backdoor.cc W32/Maddis.DDAN-1036 TrojanProxy.TexLock.a WORM/Maddis.B Trojan[Proxy]/Win32.TexLock Win32.Maddis.A Win-Trojan/TexLock.105984 TrojanProxy:Win32/Texlock.B Win32/Maddis.B Dropped:Win32.Maddis.A TrojanProxy.TexLock Trojan.Win32.TexLock.b Trojan-Dropper.Win32.Prate Dropped:Win32.Maddis.A Proxy.3.BS W32/Maddis.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Win32.Maddis.A": [[26, 48], [131, 153], [378, 400], [438, 460], [711, 733], [804, 826]], "Indicator: Trojan-Proxy/W32.TexLock.105984": [[49, 80]], "Indicator: Troj.Proxy.W32.TexLock.b!c": [[81, 107]], "Indicator: Trojan/Proxy.TexLock.b": [[108, 130]], "Indicator: Trojan.PR.TexLock!wwwu4M21S4c": [[154, 183]], "Indicator: W32/Maddis.A": [[184, 196]], "Indicator: W32.Maddis.B": [[197, 209]], "Indicator: Win32/TrojanProxy.TexLock.B": [[210, 237]], "Indicator: WORM_MADDIS.B": [[238, 251]], "Indicator: Trojan.Proxy.Texlock.B": [[252, 274]], "Indicator: Trojan-Proxy.Win32.TexLock.b": [[275, 303]], "Indicator: Trojan.Win32.TexLock.gtjh": [[304, 329]], "Indicator: Trojan.Win32.Proxy.105984[h]": [[330, 358]], "Indicator: Virus.Win32.Heur.l": [[359, 377]], "Indicator: TrojWare.Win32.TrojanProxy.TexLock.B": [[401, 437]], "Indicator: 
Trojan.Texlok": [[461, 474]], "Indicator: Trojan.TexLock.Win32.3": [[475, 497]], "Indicator: WORM_MADDIS.A": [[498, 511]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[512, 541]], "Indicator: W32/Maddis.DDAN-1036": [[542, 562]], "Indicator: TrojanProxy.TexLock.a": [[563, 584]], "Indicator: WORM/Maddis.B": [[585, 598]], "Indicator: Trojan[Proxy]/Win32.TexLock": [[599, 626]], "Indicator: Win32.Maddis.A": [[627, 641]], "Indicator: Win-Trojan/TexLock.105984": [[642, 667]], "Indicator: TrojanProxy:Win32/Texlock.B": [[668, 695]], "Indicator: Win32/Maddis.B": [[696, 710]], "Indicator: TrojanProxy.TexLock": [[734, 753]], "Indicator: Trojan.Win32.TexLock.b": [[754, 776]], "Indicator: Trojan-Dropper.Win32.Prate": [[777, 803]], "Indicator: Proxy.3.BS": [[827, 837]], "Indicator: W32/Maddis.A.worm": [[838, 855]]}, "info": {"id": "cyner2_8class_test_00160", "source": "cyner2_8class_test"}} {"text": "Doctor Web security researchers examined a new dangerous Trojan for routers running Linux.", "spans": {"Organization: Doctor Web security": [[0, 19]], "Malware: Trojan": [[57, 63]], "System: routers": [[68, 75]], "System: Linux.": [[84, 90]]}, "info": {"id": "cyner2_8class_test_00161", "source": "cyner2_8class_test"}} {"text": "FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: vulnerability": [[34, 47]], "Organization: Microsoft": [[53, 62], [144, 153]], "Vulnerability: address the vulnerability,": [[157, 183]]}, "info": {"id": "cyner2_8class_test_00162", "source": "cyner2_8class_test"}} {"text": "The Trojan is a script that contains a compressed and encrypted application designed to mine cryptocurrency.", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: script": [[16, 22]], "Indicator: encrypted application": [[54, 75]], "Indicator: to mine cryptocurrency.": 
[[85, 108]]}, "info": {"id": "cyner2_8class_test_00163", "source": "cyner2_8class_test"}} {"text": "Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.", "spans": {"Organization: industries": [[9, 19]], "Organization: manufacturing, device fabrication, education, logistics,": [[28, 84]], "Organization: pyrotechnics.": [[89, 102]]}, "info": {"id": "cyner2_8class_test_00164", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Exploit.Getad Trojan-Exploit/W32.Getad.40960 Trojan.Exploit.Getad Trojan/Exploit.GetAdmin.a Trojan.Exploit.Getad Win.Tool.Getad-1 Trojan.Exploit.Getad Exploit.Win32.Getad Trojan.Exploit.Getad Exploit.Win32.Getad.gpai Trojan.Win32.Getad_Exploit.40960 Exploit.W32.Getad!c Trojan.Exploit.Getad TrojWare.Win32.Exploit.GetAd Trojan.Exploit.Getad Exploit.Getad Exploit.Getad.Win32.7 Exploit.Getad TR/Expl.Getad Trojan[Exploit]/Win32.Getad Exploit.Win32.Getad Exploit.Getad Win32/Exploit.GetAd Exploit.Win32.Getad", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.Getad": [[26, 46], [78, 98], [125, 145], [163, 183], [204, 224], [303, 323], [353, 373]], "Indicator: Trojan-Exploit/W32.Getad.40960": [[47, 77]], "Indicator: Trojan/Exploit.GetAdmin.a": [[99, 124]], "Indicator: Win.Tool.Getad-1": [[146, 162]], "Indicator: Exploit.Win32.Getad": [[184, 203], [466, 485], [520, 539]], "Indicator: Exploit.Win32.Getad.gpai": [[225, 249]], "Indicator: Trojan.Win32.Getad_Exploit.40960": [[250, 282]], "Indicator: Exploit.W32.Getad!c": [[283, 302]], "Indicator: TrojWare.Win32.Exploit.GetAd": [[324, 352]], "Indicator: Exploit.Getad": [[374, 387], [410, 423], [486, 499]], "Indicator: Exploit.Getad.Win32.7": [[388, 409]], "Indicator: TR/Expl.Getad": [[424, 437]], "Indicator: Trojan[Exploit]/Win32.Getad": [[438, 465]], "Indicator: Win32/Exploit.GetAd": [[500, 519]]}, "info": {"id": "cyner2_8class_test_00165", "source": "cyner2_8class_test"}} {"text": "] com , which resolved to the IP 
address 222.239.91 [ .", "spans": {"Indicator: 222.239.91 [ .": [[41, 55]]}, "info": {"id": "cyner2_8class_test_00166", "source": "cyner2_8class_test"}} {"text": "Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.", "spans": {"Malware: at": [[13, 15]], "Date: 2014,": [[22, 27]], "ThreatActor: actor": [[33, 38]], "Organization: maritime industries, naval defense contractors,": [[69, 116]], "Organization: associated research institutions": [[121, 153]], "Location: the United States": [[157, 174]], "Location: Western Europe.": [[179, 194]]}, "info": {"id": "cyner2_8class_test_00167", "source": "cyner2_8class_test"}} {"text": "The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden .", "spans": {}, "info": {"id": "cyner2_8class_test_00168", "source": "cyner2_8class_test"}} {"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app low-level native code , advanced exploits and spy tools beyond Android ’ s security framework high-level Java agent – the app ’ s malicious APK command-and-control ( C & C ) servers , used to remotely send/receive malicious commands Attackers use two methods to get targets to download RCSAndroid .", "spans": {"System: Android": [[270, 277]], "Malware: RCSAndroid": [[493, 503]]}, "info": {"id": "cyner2_8class_test_00169", "source": "cyner2_8class_test"}} {"text": "Unit42 recently discovered 22 Android apps that belong to a new Trojan family we're calling Xbot", "spans": {"Organization: Unit42": [[0, 6]], "System: 22 Android apps": [[27, 42]], "Malware: Trojan family": [[64, 77]], "Malware: Xbot": [[92, 96]]}, 
"info": {"id": "cyner2_8class_test_00170", "source": "cyner2_8class_test"}} {"text": "Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control C2 infrastructure.", "spans": {"ThreatActor: Turla": [[14, 19]], "ThreatActor: WhiteBear": [[30, 39]], "Indicator: compromised websites": [[50, 70]], "Indicator: hijacked satellite connections": [[75, 105]], "Organization: command and control C2": [[110, 132]], "System: infrastructure.": [[133, 148]]}, "info": {"id": "cyner2_8class_test_00171", "source": "cyner2_8class_test"}} {"text": "Amongst the evidence gathered during the MONSOON investigation were a number of indicators which make it highly probable1 that this adversary and the OPERATION HANGOVER adversary are one and the same.", "spans": {"Organization: MONSOON": [[41, 48]], "Indicator: indicators": [[80, 90]], "ThreatActor: adversary": [[132, 141]], "ThreatActor: the OPERATION HANGOVER adversary": [[146, 178]]}, "info": {"id": "cyner2_8class_test_00172", "source": "cyner2_8class_test"}} {"text": "This business unit and the eSurv software and brand was sold from Connexxa S.R.L .", "spans": {"Organization: eSurv": [[27, 32]], "Organization: Connexxa S.R.L .": [[66, 82]]}, "info": {"id": "cyner2_8class_test_00173", "source": "cyner2_8class_test"}} {"text": "The team has encountered different versions of the malware over time as it has rapidly evolved .", "spans": {}, "info": {"id": "cyner2_8class_test_00174", "source": "cyner2_8class_test"}} {"text": "Cerber ransomware has acquired the reputation of being one of the most rapidly evolving ransomware families to date.", "spans": {"Malware: Cerber ransomware": [[0, 17]], "Malware: ransomware families": [[88, 107]], "Date: to date.": [[108, 116]]}, "info": {"id": "cyner2_8class_test_00175", "source": "cyner2_8class_test"}} {"text": "] jp/佐川急便.apk hxxp : //mailsa-qae [ .", "spans": {"Indicator: hxxp : //mailsa-qae [ .": [[14, 37]]}, "info": {"id": 
"cyner2_8class_test_00176", "source": "cyner2_8class_test"}} {"text": "It is also being classified as a variant of Bublik but the former is much more descriptive of the malware.", "spans": {"Malware: variant of Bublik": [[33, 50]], "Malware: malware.": [[98, 106]]}, "info": {"id": "cyner2_8class_test_00177", "source": "cyner2_8class_test"}} {"text": "It can also be sold on the dark web and used in various spoofing attacks .", "spans": {}, "info": {"id": "cyner2_8class_test_00178", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Vinself!O Backdoor.Vinself.r4 Backdoor/Vinself.a Backdoor.Vinself Trojan.Win32.Vinself.cpadj Backdoor.Win32.A.Vinself.57344[h] Virus.Win32.Part.e PE:Trojan.PSW.Win32.GameOL.szn!1440726[F1] BackDoor.Comet.435 Trojan[Backdoor]/Win32.Vinself Trojan:Win32/Sipoo.A Win32.Backdoor.Vinself.Pdmk Backdoor.Win32.Vinself W32/Vinself.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Vinself!O": [[26, 50]], "Indicator: Backdoor.Vinself.r4": [[51, 70]], "Indicator: Backdoor/Vinself.a": [[71, 89]], "Indicator: Backdoor.Vinself": [[90, 106]], "Indicator: Trojan.Win32.Vinself.cpadj": [[107, 133]], "Indicator: Backdoor.Win32.A.Vinself.57344[h]": [[134, 167]], "Indicator: Virus.Win32.Part.e": [[168, 186]], "Indicator: PE:Trojan.PSW.Win32.GameOL.szn!1440726[F1]": [[187, 229]], "Indicator: BackDoor.Comet.435": [[230, 248]], "Indicator: Trojan[Backdoor]/Win32.Vinself": [[249, 279]], "Indicator: Trojan:Win32/Sipoo.A": [[280, 300]], "Indicator: Win32.Backdoor.Vinself.Pdmk": [[301, 328]], "Indicator: Backdoor.Win32.Vinself": [[329, 351]], "Indicator: W32/Vinself.A!tr.bdr": [[352, 372]]}, "info": {"id": "cyner2_8class_test_00179", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan-Dropper.Win32.Dapato!O TrojanDropper.Dapato W32.SillyFDC Win32/Tnega.ASPW WORM_FLASHBOT.SM Win.Trojan.Dapato-2218 Trojan-Dropper.Win32.Dapato.bfjn 
Trojan.Win32.Flashbot.dfurol Trojan.DownLoader7.37820 WORM_FLASHBOT.SM Trojan-Dropper.Win32.Dapato TrojanDropper.Dapato.lov WORM/Pimybot.JA.1 Trojan[Dropper]/Win32.Dapato Worm:Win32/Pimybot.A Trojan.Graftor.D2114C Trojan-Dropper.Win32.Dapato.bfjn HEUR/Fakon.mwf TrojanDropper.Dapato Trojan.Dapato Win32/Flashbot.A Trojan.Win32.Dapato.b Trojan.DR.Dapato!1GbmTavCgco", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[54, 83]], "Indicator: TrojanDropper.Dapato": [[84, 104], [470, 490]], "Indicator: W32.SillyFDC": [[105, 117]], "Indicator: Win32/Tnega.ASPW": [[118, 134]], "Indicator: WORM_FLASHBOT.SM": [[135, 151], [262, 278]], "Indicator: Win.Trojan.Dapato-2218": [[152, 174]], "Indicator: Trojan-Dropper.Win32.Dapato.bfjn": [[175, 207], [422, 454]], "Indicator: Trojan.Win32.Flashbot.dfurol": [[208, 236]], "Indicator: Trojan.DownLoader7.37820": [[237, 261]], "Indicator: Trojan-Dropper.Win32.Dapato": [[279, 306]], "Indicator: TrojanDropper.Dapato.lov": [[307, 331]], "Indicator: WORM/Pimybot.JA.1": [[332, 349]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[350, 378]], "Indicator: Worm:Win32/Pimybot.A": [[379, 399]], "Indicator: Trojan.Graftor.D2114C": [[400, 421]], "Indicator: HEUR/Fakon.mwf": [[455, 469]], "Indicator: Trojan.Dapato": [[491, 504]], "Indicator: Win32/Flashbot.A": [[505, 521]], "Indicator: Trojan.Win32.Dapato.b": [[522, 543]], "Indicator: Trojan.DR.Dapato!1GbmTavCgco": [[544, 572]]}, "info": {"id": "cyner2_8class_test_00180", "source": "cyner2_8class_test"}} {"text": "24 Aug 2016 - 02:05PM Android/Twitoor is a backdoor capable of downloading other malware onto an infected device .", "spans": {"Malware: Android/Twitoor": [[22, 37]]}, "info": {"id": "cyner2_8class_test_00181", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Swifi SWF/Exploit.ExKit.AZC Exploit.Swf.FLASH.ektvib SWF.S.Exploit.25602 SWF.Exploit.29 BehavesLike.Flash.XSS.mb 
SWF/Trojan.DRZE-8 Exploit:SWF/Rigved.A Exploit.SWF.Downloader Exploit.FLASH.Pubenush", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Swifi": [[26, 38]], "Indicator: SWF/Exploit.ExKit.AZC": [[39, 60]], "Indicator: Exploit.Swf.FLASH.ektvib": [[61, 85]], "Indicator: SWF.S.Exploit.25602": [[86, 105]], "Indicator: SWF.Exploit.29": [[106, 120]], "Indicator: BehavesLike.Flash.XSS.mb": [[121, 145]], "Indicator: SWF/Trojan.DRZE-8": [[146, 163]], "Indicator: Exploit:SWF/Rigved.A": [[164, 184]], "Indicator: Exploit.SWF.Downloader": [[185, 207]], "Indicator: Exploit.FLASH.Pubenush": [[208, 230]]}, "info": {"id": "cyner2_8class_test_00182", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.HLLW.Quin.A Worm.Quin Trojan/Quin.a WORM_QUIN.A W32/Risk.SNXM-0851 W32.Quin.Irc WORM_QUIN.A Win.Worm.Quin-3 Win32.HLLW.Quin.A IRC-Worm.Win32.Quin.a Win32.HLLW.Quin.A Trojan.Win32.Quin.ennw Win32.HLLW.Quin.A Win32.HLLW.Quin.A Win32.HLLW.Sytro.14 Worm.Quin.Win32.6 Worm/Quin.d WORM/Quin.A Worm[IRC]/Win32.Quin Win32.HLLW.Quin.A W32.W.Quin.a!c IRC-Worm.Win32.Quin.a Win32/Quin.worm.306176 Win32.HLLW.Quin.A IRCWorm.Quin Win32/HLLW.Quin Win32.Worm-irc.Quin.Dztv I-Worm.Quin.A Worm.Win32.Hllw W32/Quin.A!worm.irc Win32/Worm.7f5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.HLLW.Quin.A": [[26, 43], [140, 157], [180, 197], [221, 238], [239, 256], [340, 357], [418, 435]], "Indicator: Worm.Quin": [[44, 53]], "Indicator: Trojan/Quin.a": [[54, 67]], "Indicator: WORM_QUIN.A": [[68, 79], [112, 123]], "Indicator: W32/Risk.SNXM-0851": [[80, 98]], "Indicator: W32.Quin.Irc": [[99, 111]], "Indicator: Win.Worm.Quin-3": [[124, 139]], "Indicator: IRC-Worm.Win32.Quin.a": [[158, 179], [373, 394]], "Indicator: Trojan.Win32.Quin.ennw": [[198, 220]], "Indicator: Win32.HLLW.Sytro.14": [[257, 276]], "Indicator: Worm.Quin.Win32.6": [[277, 294]], "Indicator: Worm/Quin.d": [[295, 306]], "Indicator: WORM/Quin.A": [[307, 318]], "Indicator: Worm[IRC]/Win32.Quin": [[319, 339]], 
"Indicator: W32.W.Quin.a!c": [[358, 372]], "Indicator: Win32/Quin.worm.306176": [[395, 417]], "Indicator: IRCWorm.Quin": [[436, 448]], "Indicator: Win32/HLLW.Quin": [[449, 464]], "Indicator: Win32.Worm-irc.Quin.Dztv": [[465, 489]], "Indicator: I-Worm.Quin.A": [[490, 503]], "Indicator: Worm.Win32.Hllw": [[504, 519]], "Indicator: W32/Quin.A!worm.irc": [[520, 539]], "Indicator: Win32/Worm.7f5": [[540, 554]]}, "info": {"id": "cyner2_8class_test_00183", "source": "cyner2_8class_test"}} {"text": "Once a user downloads a malicious app , it silently registers receivers which establish a connection with the C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_00184", "source": "cyner2_8class_test"}} {"text": "WAKE_LOCK - prevent the processor from sleeping and dimming the screen .", "spans": {}, "info": {"id": "cyner2_8class_test_00185", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.IRCBot!O Trojan.Zenshirsh.SL7 Backdoor.Aimbot Trojan/IRCBot.nbq W32/Trojan.DYXS-4795 Backdoor.IRC.Bot BKDR_IRCBOT_EK160034.UVPM Backdoor.Win32.IRCBot.udu Trojan.Win32.IRCBot.hebhd Backdoor.Win32.A.IRCBot.218566[UPX] Trojan.Click2.16673 BKDR_IRCBOT_EK160034.UVPM BehavesLike.Win32.BadFile.nc W32/Trojan2.LZPX Trojan[Backdoor]/Win32.IRCBot Backdoor:Win32/Aimbot.D Backdoor.Win32.IRCBot.udu Worm/Win32.IRCBot.R36004 Backdoor.Aimbot Backdoor.IRCBot Backdoor.IRCBot Win32/IRCBot.NBQ Backdoor.IRCbot!FWk6roe7FwA Backdoor.Win32.IRCBot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.IRCBot!O": [[26, 49]], "Indicator: Trojan.Zenshirsh.SL7": [[50, 70]], "Indicator: Backdoor.Aimbot": [[71, 86], [454, 469]], "Indicator: Trojan/IRCBot.nbq": [[87, 104]], "Indicator: W32/Trojan.DYXS-4795": [[105, 125]], "Indicator: Backdoor.IRC.Bot": [[126, 142]], "Indicator: BKDR_IRCBOT_EK160034.UVPM": [[143, 168], [277, 302]], "Indicator: Backdoor.Win32.IRCBot.udu": [[169, 194], [403, 428]], "Indicator: Trojan.Win32.IRCBot.hebhd": [[195, 220]], "Indicator: 
Backdoor.Win32.A.IRCBot.218566[UPX]": [[221, 256]], "Indicator: Trojan.Click2.16673": [[257, 276]], "Indicator: BehavesLike.Win32.BadFile.nc": [[303, 331]], "Indicator: W32/Trojan2.LZPX": [[332, 348]], "Indicator: Trojan[Backdoor]/Win32.IRCBot": [[349, 378]], "Indicator: Backdoor:Win32/Aimbot.D": [[379, 402]], "Indicator: Worm/Win32.IRCBot.R36004": [[429, 453]], "Indicator: Backdoor.IRCBot": [[470, 485], [486, 501]], "Indicator: Win32/IRCBot.NBQ": [[502, 518]], "Indicator: Backdoor.IRCbot!FWk6roe7FwA": [[519, 546]], "Indicator: Backdoor.Win32.IRCBot": [[547, 568]]}, "info": {"id": "cyner2_8class_test_00186", "source": "cyner2_8class_test"}} {"text": "Additionally , the improvements we made to our protections have been enabled for all users of our security services .", "spans": {}, "info": {"id": "cyner2_8class_test_00187", "source": "cyner2_8class_test"}} {"text": "Since TrickMo ’ s HTTP traffic with its C & C server is not encrypted , it can easily be tampered with .", "spans": {"Indicator: HTTP": [[18, 22]]}, "info": {"id": "cyner2_8class_test_00188", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: AdWare/Win32.BHO Adware/BHO.aim Adware.BHO.OGI Backdoor.Sdbot not-a-virus:AdWare.Win32.BHO.eos Trojan.Click.23982 DR/BHO.eos.2 Trojan.Dropper.BHO.eos.2 AdWare.Win32.BHO.eos Trojan.Win32.AvKiller.gd Virus.Win32.QQHelper.GR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AdWare/Win32.BHO": [[26, 42]], "Indicator: Adware/BHO.aim": [[43, 57]], "Indicator: Adware.BHO.OGI": [[58, 72]], "Indicator: Backdoor.Sdbot": [[73, 87]], "Indicator: not-a-virus:AdWare.Win32.BHO.eos": [[88, 120]], "Indicator: Trojan.Click.23982": [[121, 139]], "Indicator: DR/BHO.eos.2": [[140, 152]], "Indicator: Trojan.Dropper.BHO.eos.2": [[153, 177]], "Indicator: AdWare.Win32.BHO.eos": [[178, 198]], "Indicator: Trojan.Win32.AvKiller.gd": [[199, 223]], "Indicator: Virus.Win32.QQHelper.GR": [[224, 247]]}, "info": {"id": "cyner2_8class_test_00189", "source": 
"cyner2_8class_test"}} {"text": "The primary infection vector is the exploit of the vulnerability CVE-2014-6332 which drops the binary file hosted on an HTTPd File Server HFS", "spans": {"Malware: exploit": [[36, 43]], "Vulnerability: vulnerability": [[51, 64]], "Indicator: CVE-2014-6332": [[65, 78]], "Indicator: binary file hosted": [[95, 113]], "Indicator: HTTPd File Server HFS": [[120, 141]]}, "info": {"id": "cyner2_8class_test_00190", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Exploit.Aluigi Exploit.Aluigi.gx Exploit.Win32.Aluigi W32/Aluigi.NR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.Aluigi": [[26, 40]], "Indicator: Exploit.Aluigi.gx": [[41, 58]], "Indicator: Exploit.Win32.Aluigi": [[59, 79]], "Indicator: W32/Aluigi.NR!tr": [[80, 96]]}, "info": {"id": "cyner2_8class_test_00191", "source": "cyner2_8class_test"}} {"text": "The Rocket Kitten group and its attacks have been analyzed on numerous occasions by several vendors and security professionals, resulting in various reports describing the group's method of operation, tools and techniques.", "spans": {"ThreatActor: Rocket Kitten group": [[4, 23]], "Indicator: attacks": [[32, 39]], "Organization: vendors": [[92, 99]], "Organization: security professionals,": [[104, 127]], "ThreatActor: group's method": [[172, 186]]}, "info": {"id": "cyner2_8class_test_00192", "source": "cyner2_8class_test"}} {"text": "In a different period of the “ Agent Smith ” campaign , droppers and core modules used various combinations of the “ a * * * d ” and “ i * * * e ” domains for malicious operations such as prey list query , patch request and ads request .", "spans": {"Malware: Agent Smith": [[31, 42]]}, "info": {"id": "cyner2_8class_test_00193", "source": "cyner2_8class_test"}} {"text": "Each threat group quickly took advantage of a zero-day vulnerability CVE-2015-5119, which was leaked in the disclosure of Hacking Team's internal data.", "spans": {"ThreatActor: threat group": [[5, 
17]], "Vulnerability: zero-day vulnerability": [[46, 68]], "Indicator: CVE-2015-5119,": [[69, 83]], "Organization: Hacking Team's": [[122, 136]]}, "info": {"id": "cyner2_8class_test_00194", "source": "cyner2_8class_test"}} {"text": "An in-depth understanding of the “ Agent Smith ’ s campaign C & C infrastructure enabled us to reach the conclusion that the owner of “ i * * * e.com ” , “ h * * * g.com ” is the group of hackers behind “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[35, 46], [205, 216]], "Indicator: “ i * * * e.com": [[134, 149]], "Indicator: h * * * g.com": [[156, 169]]}, "info": {"id": "cyner2_8class_test_00195", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[26, 68]]}, "info": {"id": "cyner2_8class_test_00196", "source": "cyner2_8class_test"}} {"text": "Sample configuration file of the Trojan Through AccessibilityService , the malware monitors AccessibilityEvent events .", "spans": {}, "info": {"id": "cyner2_8class_test_00197", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Yakes.8851 Trojan.Win32.OnLineGames.iiggm BehavesLike.Win32.Pate.wz Trojan/PSW.OnLineGames.cawa Win32.Troj.JunkUndefT.hh.24576 Trojan:Win32/Kredbegg.A Trojan/Win32.HDC.C94404 Trojan-PWS.Win32.OnLineGames W32/Onlinegames.AJIUO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Yakes.8851": [[26, 43]], "Indicator: Trojan.Win32.OnLineGames.iiggm": [[44, 74]], "Indicator: BehavesLike.Win32.Pate.wz": [[75, 100]], "Indicator: Trojan/PSW.OnLineGames.cawa": [[101, 128]], "Indicator: Win32.Troj.JunkUndefT.hh.24576": [[129, 159]], "Indicator: Trojan:Win32/Kredbegg.A": [[160, 183]], "Indicator: Trojan/Win32.HDC.C94404": [[184, 207]], "Indicator: Trojan-PWS.Win32.OnLineGames": [[208, 236]], "Indicator: W32/Onlinegames.AJIUO!tr": [[237, 261]]}, "info": {"id": 
"cyner2_8class_test_00198", "source": "cyner2_8class_test"}} {"text": "Mobile Malware Evolution : 2013 24 FEB 2014 The mobile malware sector is growing rapidly both technologically and structurally .", "spans": {}, "info": {"id": "cyner2_8class_test_00199", "source": "cyner2_8class_test"}} {"text": "Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files , using the same obfuscation scheme .", "spans": {"Indicator: Base85 encoding": [[0, 15]]}, "info": {"id": "cyner2_8class_test_00200", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.30!O Trojan.VBCrypt.MF.206 Backdoor.Mosucker.30.C Backdoor.MoSucker.Win32.142 Trojan/MoSucker.30.c Backdoor.Mosucker.30.C Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Mosucker.D Backdoor.Mosuck Win32/Mosuck.M BKDR_MOSUCK.C Win.Trojan.Mosucker-238 Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.40.c Backdoor.Mosucker.30.C Trojan.Win32.MoSucker.jojq Backdoor.Win32.Z.Mosucker.1762479 Backdoor.W32.Mosucker!c Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.30.C Backdoor.Mosucker.30.C BKDR_MOSUCK.C BehavesLike.Win32.Trojan.tz Backdoor.Win32.MoSucker W32/Mosucker.VQJB-6831 BDS/Mosucker.30.C Trojan[Backdoor]/Win32.MoSucker Backdoor:Win32/Mosucker.C Backdoor.Win32.MoSucker.40.c Trojan/Win32.HDC.C139642 Backdoor.MoSucker Bck/Mosuck.AA Win32/MoSucker.30.C Win32.Backdoor.Mosucker.Ljjv Backdoor.MoSucker!Dghh1yW8jJU W32/MoSucker.B!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Mosucker.30.C": [[26, 48], [100, 122], [172, 194], [322, 344], [374, 396], [482, 504], [534, 556]], "Indicator: Backdoor.Win32.MoSucker.30!O": [[49, 77]], "Indicator: Trojan.VBCrypt.MF.206": [[78, 99]], "Indicator: Backdoor.MoSucker.Win32.142": [[123, 150]], "Indicator: Trojan/MoSucker.30.c": [[151, 171]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[195, 237]], "Indicator: W32/Mosucker.D": 
[[238, 252]], "Indicator: Backdoor.Mosuck": [[253, 268]], "Indicator: Win32/Mosuck.M": [[269, 283]], "Indicator: BKDR_MOSUCK.C": [[284, 297], [557, 570]], "Indicator: Win.Trojan.Mosucker-238": [[298, 321]], "Indicator: Backdoor.Win32.MoSucker.40.c": [[345, 373], [722, 750]], "Indicator: Trojan.Win32.MoSucker.jojq": [[397, 423]], "Indicator: Backdoor.Win32.Z.Mosucker.1762479": [[424, 457]], "Indicator: Backdoor.W32.Mosucker!c": [[458, 481]], "Indicator: Backdoor.Win32.MoSucker.30.C": [[505, 533]], "Indicator: BehavesLike.Win32.Trojan.tz": [[571, 598]], "Indicator: Backdoor.Win32.MoSucker": [[599, 622]], "Indicator: W32/Mosucker.VQJB-6831": [[623, 645]], "Indicator: BDS/Mosucker.30.C": [[646, 663]], "Indicator: Trojan[Backdoor]/Win32.MoSucker": [[664, 695]], "Indicator: Backdoor:Win32/Mosucker.C": [[696, 721]], "Indicator: Trojan/Win32.HDC.C139642": [[751, 775]], "Indicator: Backdoor.MoSucker": [[776, 793]], "Indicator: Bck/Mosuck.AA": [[794, 807]], "Indicator: Win32/MoSucker.30.C": [[808, 827]], "Indicator: Win32.Backdoor.Mosucker.Ljjv": [[828, 856]], "Indicator: Backdoor.MoSucker!Dghh1yW8jJU": [[857, 886]], "Indicator: W32/MoSucker.B!tr.bdr": [[887, 908]]}, "info": {"id": "cyner2_8class_test_00201", "source": "cyner2_8class_test"}} {"text": "Below we outline initial findings. 
URL hosting the Scanbox exploit kit A worm from 2012 that continues to spread Hosting for a keylogger", "spans": {"Indicator: URL hosting": [[35, 46]], "Malware: the Scanbox exploit kit": [[47, 70]], "Malware: worm": [[73, 77]], "Date: 2012": [[83, 87]], "Indicator: keylogger": [[127, 136]]}, "info": {"id": "cyner2_8class_test_00202", "source": "cyner2_8class_test"}} {"text": "This new version used Salsa20 for symmetric encryption, but the ECC algorithm was replaced with Curve25519.", "spans": {"System: Salsa20": [[22, 29]], "Indicator: symmetric encryption,": [[34, 55]], "System: the ECC algorithm": [[60, 77]], "System: Curve25519.": [[96, 107]]}, "info": {"id": "cyner2_8class_test_00203", "source": "cyner2_8class_test"}} {"text": "We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers , but with no thought given to removing old code blocks , classes , etc .", "spans": {"Malware: WolfRAT": [[11, 18]]}, "info": {"id": "cyner2_8class_test_00204", "source": "cyner2_8class_test"}} {"text": "It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device .", "spans": {}, "info": {"id": "cyner2_8class_test_00205", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Neloweg!dr BehavesLike.Win32.Downloader.lh TR/Drop.Elms.A Win32.Troj.Undef.kcloud Trojan:Win32/Reder.A Trojan.Kazy.D729C BScope.Trojan-Spy.Zbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan.Neloweg!dr": [[69, 86]], "Indicator: BehavesLike.Win32.Downloader.lh": [[87, 118]], "Indicator: TR/Drop.Elms.A": [[119, 133]], "Indicator: Win32.Troj.Undef.kcloud": [[134, 157]], "Indicator: Trojan:Win32/Reder.A": [[158, 178]], "Indicator: Trojan.Kazy.D729C": [[179, 196]], "Indicator: 
BScope.Trojan-Spy.Zbot": [[197, 219]]}, "info": {"id": "cyner2_8class_test_00206", "source": "cyner2_8class_test"}} {"text": "Initial reports of attacks were highlighted by Telefonica in Spain but the malware quickly spread to networks in the UK where the National Health Service NHS was impacted, followed by many other networks across the world.", "spans": {"Indicator: attacks": [[19, 26]], "Organization: Telefonica": [[47, 57]], "Location: Spain": [[61, 66]], "Malware: malware": [[75, 82]], "System: networks": [[101, 109]], "Location: UK": [[117, 119]], "Organization: the National Health Service NHS": [[126, 157]], "Organization: networks": [[195, 203]], "Location: world.": [[215, 221]]}, "info": {"id": "cyner2_8class_test_00207", "source": "cyner2_8class_test"}} {"text": "The loader has a very simple purpose , extract and run the “ core ” module of “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[80, 91]]}, "info": {"id": "cyner2_8class_test_00208", "source": "cyner2_8class_test"}} {"text": "Every Pony domain appears to belong to the same group, the infrastructure is mainly in Russia and Ukraine.", "spans": {"Malware: Pony": [[6, 10]], "ThreatActor: the same": [[39, 47]], "System: infrastructure": [[59, 73]], "Location: Russia": [[87, 93]], "Location: Ukraine.": [[98, 106]]}, "info": {"id": "cyner2_8class_test_00209", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Spy.Middadle.A Adware/Midadle.b W32/Adware.ABP Adware.WinFetch W32/Midadle.B Win32/Maddle.C TROJ_MIDADDLE.A not-a-virus:AdWare.Win32.Midadle.b Trojan.Spy.Middadle.A Application.Win32.Adware.MidADdle Trojan.Spy.Middadle.A Adware.Midaddle SPR/Midadle.B.1 TROJ_MIDADDLE.A Riskware.AdWare.Win32.Midadle!IK TrojanDownloader:Win32/Midaddle.B Trojan.Spy.Middadle.A Win-Trojan/Downloader.200817 Adware.Win32.Midadle Win32/Adware.MidADdle not-a-virus:AdWare.Win32.Midadle W32/Midaddle.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Spy.Middadle.A": [[26, 47], 
[176, 197], [232, 253], [369, 390]], "Indicator: Adware/Midadle.b": [[48, 64]], "Indicator: W32/Adware.ABP": [[65, 79]], "Indicator: Adware.WinFetch": [[80, 95]], "Indicator: W32/Midadle.B": [[96, 109]], "Indicator: Win32/Maddle.C": [[110, 124]], "Indicator: TROJ_MIDADDLE.A": [[125, 140], [286, 301]], "Indicator: not-a-virus:AdWare.Win32.Midadle.b": [[141, 175]], "Indicator: Application.Win32.Adware.MidADdle": [[198, 231]], "Indicator: Adware.Midaddle": [[254, 269]], "Indicator: SPR/Midadle.B.1": [[270, 285]], "Indicator: Riskware.AdWare.Win32.Midadle!IK": [[302, 334]], "Indicator: TrojanDownloader:Win32/Midaddle.B": [[335, 368]], "Indicator: Win-Trojan/Downloader.200817": [[391, 419]], "Indicator: Adware.Win32.Midadle": [[420, 440]], "Indicator: Win32/Adware.MidADdle": [[441, 462]], "Indicator: not-a-virus:AdWare.Win32.Midadle": [[463, 495]], "Indicator: W32/Midaddle.A!tr": [[496, 513]]}, "info": {"id": "cyner2_8class_test_00210", "source": "cyner2_8class_test"}} {"text": "The following is a screenshot from IDA with comments showing the strings and JNI functions .", "spans": {}, "info": {"id": "cyner2_8class_test_00211", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.KryptikTQP.Trojan Backdoor/W32.Akdoor.4096 Trojan.Dynamer.S12223 Troj.Downloader.Win64.TinyLoader.tnJD Trojan/Tiny.d BKDR64_TINY.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9996 BKDR64_TINY.SM0 Trojan-Downloader.Win64.TinyLoader.b Trojan.Tiny.Win64.6 BehavesLike.Win64.FDoSBEnergy.xz Trojan.Win64.Tiny TrojanDownloader.TinyLoader.a TR/Downloader.bcmjo Trojan:Win64/Anobato.A Trojan-Downloader.Win64.TinyLoader.b Win64.Trojan-downloader.Tinyloader.Pgcx Win32/Trojan.7be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.KryptikTQP.Trojan": [[26, 47]], "Indicator: Backdoor/W32.Akdoor.4096": [[48, 72]], "Indicator: Trojan.Dynamer.S12223": [[73, 94]], "Indicator: Troj.Downloader.Win64.TinyLoader.tnJD": [[95, 132]], "Indicator: Trojan/Tiny.d": [[133, 146]], "Indicator: 
BKDR64_TINY.SM0": [[147, 162], [206, 221]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[163, 205]], "Indicator: Trojan-Downloader.Win64.TinyLoader.b": [[222, 258], [403, 439]], "Indicator: Trojan.Tiny.Win64.6": [[259, 278]], "Indicator: BehavesLike.Win64.FDoSBEnergy.xz": [[279, 311]], "Indicator: Trojan.Win64.Tiny": [[312, 329]], "Indicator: TrojanDownloader.TinyLoader.a": [[330, 359]], "Indicator: TR/Downloader.bcmjo": [[360, 379]], "Indicator: Trojan:Win64/Anobato.A": [[380, 402]], "Indicator: Win64.Trojan-downloader.Tinyloader.Pgcx": [[440, 479]], "Indicator: Win32/Trojan.7be": [[480, 496]]}, "info": {"id": "cyner2_8class_test_00212", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.TestabdTM.Trojan TSPY_WOWSTIL.SMI Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Trojan2.HOGB Infostealer.Gampass Win32/Wowpa.LD TSPY_WOWSTIL.SMI Win.Trojan.WOW-161 Trojan.Win32.Gamania.deyveu TrojWare.Win32.GameThief.WOW.d09 Trojan.PWS.Wow.origin BehavesLike.Win32.Downloader.kt Trojan-GameThief.Win32.WOW W32/Trojan.XZGJ-5202 Trojan.Heur.E01F7E TrojanDropper:Win32/Wowsteal.AO Trojan/Win32.WowHack.R36813 TScope.Malware-Cryptor.SB W32/OnLineGames.NKL!tr.pws Win32/Trojan.8e2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.TestabdTM.Trojan": [[26, 46]], "Indicator: TSPY_WOWSTIL.SMI": [[47, 63], [159, 175]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[64, 106]], "Indicator: W32/Trojan2.HOGB": [[107, 123]], "Indicator: Infostealer.Gampass": [[124, 143]], "Indicator: Win32/Wowpa.LD": [[144, 158]], "Indicator: Win.Trojan.WOW-161": [[176, 194]], "Indicator: Trojan.Win32.Gamania.deyveu": [[195, 222]], "Indicator: TrojWare.Win32.GameThief.WOW.d09": [[223, 255]], "Indicator: Trojan.PWS.Wow.origin": [[256, 277]], "Indicator: BehavesLike.Win32.Downloader.kt": [[278, 309]], "Indicator: Trojan-GameThief.Win32.WOW": [[310, 336]], "Indicator: W32/Trojan.XZGJ-5202": [[337, 357]], "Indicator: Trojan.Heur.E01F7E": [[358, 376]], "Indicator: 
TrojanDropper:Win32/Wowsteal.AO": [[377, 408]], "Indicator: Trojan/Win32.WowHack.R36813": [[409, 436]], "Indicator: TScope.Malware-Cryptor.SB": [[437, 462]], "Indicator: W32/OnLineGames.NKL!tr.pws": [[463, 489]], "Indicator: Win32/Trojan.8e2": [[490, 506]]}, "info": {"id": "cyner2_8class_test_00213", "source": "cyner2_8class_test"}} {"text": "How Judy operates : To bypass Bouncer , Google Play ’ s protection , the hackers create a seemingly benign bridgehead app , meant to establish connection to the victim ’ s device , and insert it into the app store .", "spans": {"Malware: Judy": [[4, 8]], "System: Bouncer": [[30, 37]], "System: Google Play": [[40, 51]]}, "info": {"id": "cyner2_8class_test_00214", "source": "cyner2_8class_test"}} {"text": "This malicious program spreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource .", "spans": {}, "info": {"id": "cyner2_8class_test_00215", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Virus.Win32.OtwycalP.1!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Karsh-1 Backdoor.Win32.Shark.v Trojan[Backdoor]/Win32.Shark Backdoor:Win32/Vharke.K Backdoor.Win32.Shark.v Backdoor.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.OtwycalP.1!O": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: Backdoor.Trojan": [[94, 109]], "Indicator: Win.Trojan.Karsh-1": [[110, 128]], "Indicator: Backdoor.Win32.Shark.v": [[129, 151], [205, 227]], "Indicator: Trojan[Backdoor]/Win32.Shark": [[152, 180]], "Indicator: Backdoor:Win32/Vharke.K": [[181, 204]], "Indicator: Backdoor.Win32.VB": [[228, 245]]}, "info": {"id": "cyner2_8class_test_00216", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.NetThief Trojan.Win32.Z.Strictor.708608.AH W32/Trojan.GYUP-2462 BDS/NetThief.A.9 Trojan.Strictor.D184A Backdoor/Win32.NetThief.C1031988 Backdoor.NetThief! 
Backdoor.Win32.NetThief Win32/Backdoor.e2d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.NetThief": [[26, 43]], "Indicator: Trojan.Win32.Z.Strictor.708608.AH": [[44, 77]], "Indicator: W32/Trojan.GYUP-2462": [[78, 98]], "Indicator: BDS/NetThief.A.9": [[99, 115]], "Indicator: Trojan.Strictor.D184A": [[116, 137]], "Indicator: Backdoor/Win32.NetThief.C1031988": [[138, 170]], "Indicator: Backdoor.NetThief!": [[171, 189]], "Indicator: Backdoor.Win32.NetThief": [[190, 213]], "Indicator: Win32/Backdoor.e2d": [[214, 232]]}, "info": {"id": "cyner2_8class_test_00217", "source": "cyner2_8class_test"}} {"text": "We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on inside knowledge of community activities.", "spans": {"ThreatActor: attackers": [[18, 27]], "ThreatActor: campaigns": [[53, 62]], "Malware: document-based malware": [[103, 125]], "Indicator: conventional phishing": [[129, 150]], "Organization: community activities.": [[185, 206]]}, "info": {"id": "cyner2_8class_test_00218", "source": "cyner2_8class_test"}} {"text": "This app , dubbed “ TrickMo ” by our team , is designed to bypass second factor and strong authentication pushed to bank customers when they need to authorize a transaction .", "spans": {"Malware: TrickMo": [[20, 27]]}, "info": {"id": "cyner2_8class_test_00219", "source": "cyner2_8class_test"}} {"text": "Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information.", "spans": {"Malware: malware": [[31, 38]], "ThreatActor: STRONTIUM": [[70, 79]]}, "info": {"id": "cyner2_8class_test_00220", "source": "cyner2_8class_test"}} {"text": "Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria.", "spans": {"System: mobile banking 
apps": [[16, 35]], "System: Android": [[61, 68]], "ThreatActor: banking malware campaign": [[69, 93]], "Organization: customers": [[104, 113]], "Organization: large banks": [[117, 128]], "Location: the United States, Germany, France, Australia, Turkey, Poland,": [[132, 194]], "Location: Austria.": [[199, 207]]}, "info": {"id": "cyner2_8class_test_00221", "source": "cyner2_8class_test"}} {"text": "After the server returns the solution , the app enters it into the appropriate text field to complete the CAPTCHA challenge .", "spans": {}, "info": {"id": "cyner2_8class_test_00222", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Downloader.AFP SecurityRisk.Downldr W32/INService.BF Win32/Inservice.M TROJ_INSERVC.C Trojan-Downloader.Win32.INService.bm TrojWare.Win32.TrojanDownloader.INService.BL Trojan.DownLoader.2568 TR/Dldr.INServic.BL TROJ_INSERVC.C Heuristic.LooksLike.Win32.INSer.I Trojan-Downloader.Win32.INService!IK TrojanDownloader.INService.n TrojanDownloader:Win32/Small.AAV Win-Trojan/Inservice.15360.Q W32/Downloader.AFP Trojan-Downloader.Win32.INService.dd Win32/TrojanDownloader.INService.BL Trojan.Win32.Nodef.jqe Trojan-Downloader.Win32.INService W32/Dowins.BL!tr Downloader.Small.25.AT Adware/IST.ISTBar", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Downloader.AFP": [[26, 44], [418, 436]], "Indicator: SecurityRisk.Downldr": [[45, 65]], "Indicator: W32/INService.BF": [[66, 82]], "Indicator: Win32/Inservice.M": [[83, 100]], "Indicator: TROJ_INSERVC.C": [[101, 115], [241, 255]], "Indicator: Trojan-Downloader.Win32.INService.bm": [[116, 152]], "Indicator: TrojWare.Win32.TrojanDownloader.INService.BL": [[153, 197]], "Indicator: Trojan.DownLoader.2568": [[198, 220]], "Indicator: TR/Dldr.INServic.BL": [[221, 240]], "Indicator: Heuristic.LooksLike.Win32.INSer.I": [[256, 289]], "Indicator: Trojan-Downloader.Win32.INService!IK": [[290, 326]], "Indicator: TrojanDownloader.INService.n": [[327, 355]], "Indicator: 
TrojanDownloader:Win32/Small.AAV": [[356, 388]], "Indicator: Win-Trojan/Inservice.15360.Q": [[389, 417]], "Indicator: Trojan-Downloader.Win32.INService.dd": [[437, 473]], "Indicator: Win32/TrojanDownloader.INService.BL": [[474, 509]], "Indicator: Trojan.Win32.Nodef.jqe": [[510, 532]], "Indicator: Trojan-Downloader.Win32.INService": [[533, 566]], "Indicator: W32/Dowins.BL!tr": [[567, 583]], "Indicator: Downloader.Small.25.AT": [[584, 606]], "Indicator: Adware/IST.ISTBar": [[607, 624]]}, "info": {"id": "cyner2_8class_test_00223", "source": "cyner2_8class_test"}} {"text": "Proofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in the Russian-speaking regions.", "spans": {"Organization: Proofpoint threat researchers": [[0, 29]], "Malware: Ovidiy Stealer,": [[48, 63]], "Malware: credential stealer": [[90, 108]], "Location: the Russian-speaking regions.": [[151, 180]]}, "info": {"id": "cyner2_8class_test_00224", "source": "cyner2_8class_test"}} {"text": "The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices.", "spans": {"Indicator: ransomware attacks": [[15, 33]], "System: Windows endpoints": [[51, 68]], "Date: the past half decade": [[74, 94]], "System: Mac devices.": [[141, 153]]}, "info": {"id": "cyner2_8class_test_00225", "source": "cyner2_8class_test"}} {"text": "Trend Micro™ Mobile Security for Enterprise provides device , compliance and application management , data protection , and configuration provisioning , as well as protects devices from attacks that exploit vulnerabilities , preventing unauthorized access to apps , and detecting and blocking malware and fraudulent websites .", "spans": {"Organization: Trend Micro™": [[0, 12]], "System: Mobile Security for Enterprise": [[13, 43]]}, "info": {"id": "cyner2_8class_test_00226", "source": "cyner2_8class_test"}} {"text": 
"Broadcast Receiver Figure 4 : MyReceiver broadcast receiver .", "spans": {}, "info": {"id": "cyner2_8class_test_00227", "source": "cyner2_8class_test"}} {"text": "Key information consists of an MD5 hash of the device 's Android ID , the device manufacturer , and the device model with each separated by an underscore .", "spans": {"System: Android": [[57, 64]]}, "info": {"id": "cyner2_8class_test_00228", "source": "cyner2_8class_test"}} {"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian .", "spans": {"Indicator: 34.208.71.9": [[124, 135]], "Indicator: 34.212.92.0": [[136, 147]], "Indicator: 34.216.43.114": [[148, 161]], "Indicator: 52.34.144.229": [[162, 175]], "Indicator: 54.69.156.31": [[176, 188]], "Indicator: 54.71.249.137": [[189, 202]], "Indicator: 54.189.5.198": [[203, 215]], "Indicator: 78.5.0.195": [[216, 226]], "Indicator: 207.180.245.74": [[227, 241]]}, "info": {"id": "cyner2_8class_test_00229", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_MEDFOS.SMI TROJ_MEDFOS.SMI Medfos.b Trojan:Win32/Caponett.A Trojan.Symmi.D91E Trojan/Win32.Midhos.R26177 Medfos.b Trojan.Win32.Medfos.a Virus.Win32.Cryptor W32/Midhos.FH!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: TROJ_MEDFOS.SMI": [[69, 84], [85, 100]], "Indicator: Medfos.b": [[101, 109], [179, 187]], "Indicator: Trojan:Win32/Caponett.A": [[110, 133]], "Indicator: Trojan.Symmi.D91E": [[134, 151]], "Indicator: Trojan/Win32.Midhos.R26177": [[152, 178]], 
"Indicator: Trojan.Win32.Medfos.a": [[188, 209]], "Indicator: Virus.Win32.Cryptor": [[210, 229]], "Indicator: W32/Midhos.FH!tr": [[230, 246]]}, "info": {"id": "cyner2_8class_test_00230", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojandownloader.Sryin Downloader.Pengdoloder TROJ_DLOAD.TEYIQ TROJ_DLOAD.TEYIQ TR/Dldr.Sryin.A TrojanDownloader:Win32/Sryin.A W32/DwnLdr.KNL!tr Win32/Trojan.bdf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Sryin": [[26, 48]], "Indicator: Downloader.Pengdoloder": [[49, 71]], "Indicator: TROJ_DLOAD.TEYIQ": [[72, 88], [89, 105]], "Indicator: TR/Dldr.Sryin.A": [[106, 121]], "Indicator: TrojanDownloader:Win32/Sryin.A": [[122, 152]], "Indicator: W32/DwnLdr.KNL!tr": [[153, 170]], "Indicator: Win32/Trojan.bdf": [[171, 187]]}, "info": {"id": "cyner2_8class_test_00231", "source": "cyner2_8class_test"}} {"text": "Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator.", "spans": {"Malware: Magecart skimmer": [[20, 36]], "Malware: Hunter, a PHP Javascript obfuscator.": [[47, 83]]}, "info": {"id": "cyner2_8class_test_00232", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Hostil.A8 Trojan/Cosmu.appd Trojan.Zusy.Elzob.D307A Win32.Trojan.WisdomEyes.16070401.9500.9912 Backdoor.Trojan TROJ_INJECT_FI0802CD.UVPM Win.Trojan.Cosmu-441 Trojan.Win32.Drop.ctcxhm Trojan.Win32.Z.Cosmu.283652.A TrojWare.Win32.Delf.OAY Trojan.MulDrop7.61818 Trojan.Cosmu.Win32.7107 BehavesLike.Win32.Backdoor.dh Virus.Win32.Delf.DTW Trojan/Win32.Cosmu Win32.Troj.DeepScan.a.kcloud Trojan/Win32.Inject.R186111 Trojan.Inject Win32/Backdoor.1c6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Hostil.A8": [[26, 44]], "Indicator: Trojan/Cosmu.appd": [[45, 62]], "Indicator: Trojan.Zusy.Elzob.D307A": [[63, 86]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9912": [[87, 129]], "Indicator: Backdoor.Trojan": [[130, 145]], "Indicator: TROJ_INJECT_FI0802CD.UVPM": 
[[146, 171]], "Indicator: Win.Trojan.Cosmu-441": [[172, 192]], "Indicator: Trojan.Win32.Drop.ctcxhm": [[193, 217]], "Indicator: Trojan.Win32.Z.Cosmu.283652.A": [[218, 247]], "Indicator: TrojWare.Win32.Delf.OAY": [[248, 271]], "Indicator: Trojan.MulDrop7.61818": [[272, 293]], "Indicator: Trojan.Cosmu.Win32.7107": [[294, 317]], "Indicator: BehavesLike.Win32.Backdoor.dh": [[318, 347]], "Indicator: Virus.Win32.Delf.DTW": [[348, 368]], "Indicator: Trojan/Win32.Cosmu": [[369, 387]], "Indicator: Win32.Troj.DeepScan.a.kcloud": [[388, 416]], "Indicator: Trojan/Win32.Inject.R186111": [[417, 444]], "Indicator: Trojan.Inject": [[445, 458]], "Indicator: Win32/Backdoor.1c6": [[459, 477]]}, "info": {"id": "cyner2_8class_test_00233", "source": "cyner2_8class_test"}} {"text": "To achieve this , “ Agent Smith ” utilizes a series of 1-day vulnerabilities , which allows any application to run an activity inside a system application , even if this activity is not exported .", "spans": {"Malware: Agent Smith": [[20, 31]], "Vulnerability: 1-day vulnerabilities": [[55, 76]]}, "info": {"id": "cyner2_8class_test_00234", "source": "cyner2_8class_test"}} {"text": "After that so many Zeus-like webinjects around, this was kind of refreshing.", "spans": {"Indicator: Zeus-like webinjects": [[19, 39]]}, "info": {"id": "cyner2_8class_test_00235", "source": "cyner2_8class_test"}} {"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia .", "spans": {"Malware: HenBox": [[0, 6]]}, "info": {"id": "cyner2_8class_test_00236", "source": "cyner2_8class_test"}} {"text": "To get around this , the app then uses its root privilege to inject code into the Setup Wizard , extract the CAPTCHA image , and sends it to a remote server to try to solve the CAPTCHA .", "spans": {}, "info": {"id": "cyner2_8class_test_00237", "source": "cyner2_8class_test"}} {"text": "However, the story is interesting not only because of the large amount of money stolen but also from 
a technical point of view.", "spans": {}, "info": {"id": "cyner2_8class_test_00238", "source": "cyner2_8class_test"}} {"text": "At the cost of possibly being overly verbose , following is the output of an nmap scan of the infected Android device from a laptop in the same local network , which further demonstrantes the availability of the same open TCP ports that we have mentioned thus far : Identification of eSurv Presence of Italian language At a first look , the first samples of the spyware we obtained did not show immediately evident connections to any company .", "spans": {"Organization: eSurv": [[284, 289]]}, "info": {"id": "cyner2_8class_test_00239", "source": "cyner2_8class_test"}} {"text": "There are a lot of other ‘ Negg ’ mentions in Whois records and references to it .", "spans": {}, "info": {"id": "cyner2_8class_test_00240", "source": "cyner2_8class_test"}} {"text": "It is meant for effective operation in tandem with its worm32Dll module.", "spans": {"Indicator: effective operation": [[16, 35]], "Malware: worm32Dll module.": [[55, 72]]}, "info": {"id": "cyner2_8class_test_00241", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Ruskill!O Trojan.Win32.VB.bxbv W32.W.Otwycal.l4av TrojWare.Win32.Injector.SRR Trojan.Win32.VB.bxbv TrojanProxy:Win32/Banker.GI Win32/RiskWare.PEMalform.E Win32.Trojan.Vb.Szuz PUA.RiskWare.PEMalform W32/VBInjector.W!tr Win32/Trojan.003", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Ruskill!O": [[26, 50]], "Indicator: Trojan.Win32.VB.bxbv": [[51, 71], [119, 139]], "Indicator: W32.W.Otwycal.l4av": [[72, 90]], "Indicator: TrojWare.Win32.Injector.SRR": [[91, 118]], "Indicator: TrojanProxy:Win32/Banker.GI": [[140, 167]], "Indicator: Win32/RiskWare.PEMalform.E": [[168, 194]], "Indicator: Win32.Trojan.Vb.Szuz": [[195, 215]], "Indicator: PUA.RiskWare.PEMalform": [[216, 238]], "Indicator: W32/VBInjector.W!tr": [[239, 258]], "Indicator: Win32/Trojan.003": [[259, 275]]}, "info": 
{"id": "cyner2_8class_test_00242", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Trojan2.PWKM Infostealer.Lokibot!g6 TSPY_FAREIT.SMBD1 Trojan.Symmi.D92E2 Trojan.Win32.NaKocTb.ersosm Trojan.PWS.Stealer.17779 Trojan.Fareit.Win32.22139 TSPY_FAREIT.SMBD1 W32/Trojan.RCEK-1109 Exploit.BypassUAC.oh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan2.PWKM": [[26, 42]], "Indicator: Infostealer.Lokibot!g6": [[43, 65]], "Indicator: TSPY_FAREIT.SMBD1": [[66, 83], [182, 199]], "Indicator: Trojan.Symmi.D92E2": [[84, 102]], "Indicator: Trojan.Win32.NaKocTb.ersosm": [[103, 130]], "Indicator: Trojan.PWS.Stealer.17779": [[131, 155]], "Indicator: Trojan.Fareit.Win32.22139": [[156, 181]], "Indicator: W32/Trojan.RCEK-1109": [[200, 220]], "Indicator: Exploit.BypassUAC.oh": [[221, 241]]}, "info": {"id": "cyner2_8class_test_00243", "source": "cyner2_8class_test"}} {"text": "This attack is from the same attack group as Cyber Attack 1.", "spans": {"ThreatActor: attack group": [[29, 41]], "Indicator: Cyber Attack": [[45, 57]]}, "info": {"id": "cyner2_8class_test_00244", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.VariantZusyAO.Trojan Backdoor.Blubot.A3 Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.HRPE-6100 DDoS.Trojan BKDR_BLUBOT.SM TrojWare.MSIL.Blubot.AA Trojan.DownLoader11.38015 W32/Trojan2.OSSR Trojan/Win32.Badur Backdoor:Win32/Blubot.A Trojan.Zusy.D18DD3 MSIL.Trojan-DDoS.Blubot.A Backdoor.Bot Trojan-Dropper.Win32.Dapato Trj/Zbot.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VariantZusyAO.Trojan": [[26, 50]], "Indicator: Backdoor.Blubot.A3": [[51, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[70, 112]], "Indicator: W32/Trojan.HRPE-6100": [[113, 133]], "Indicator: DDoS.Trojan": [[134, 145]], "Indicator: BKDR_BLUBOT.SM": [[146, 160]], "Indicator: TrojWare.MSIL.Blubot.AA": [[161, 184]], "Indicator: Trojan.DownLoader11.38015": [[185, 210]], "Indicator: W32/Trojan2.OSSR": [[211, 
227]], "Indicator: Trojan/Win32.Badur": [[228, 246]], "Indicator: Backdoor:Win32/Blubot.A": [[247, 270]], "Indicator: Trojan.Zusy.D18DD3": [[271, 289]], "Indicator: MSIL.Trojan-DDoS.Blubot.A": [[290, 315]], "Indicator: Backdoor.Bot": [[316, 328]], "Indicator: Trojan-Dropper.Win32.Dapato": [[329, 356]], "Indicator: Trj/Zbot.M": [[357, 367]]}, "info": {"id": "cyner2_8class_test_00245", "source": "cyner2_8class_test"}} {"text": "Most point-of-sale PoS threats follow a common process: dump, scrape, store, exfiltrate.", "spans": {"Malware: point-of-sale PoS threats": [[5, 30]]}, "info": {"id": "cyner2_8class_test_00246", "source": "cyner2_8class_test"}} {"text": "Additionally , should the command-and-control ( C & C ) servers get seized by the authorities , it would ultimately lead to disclosing information about the entire botnet .", "spans": {}, "info": {"id": "cyner2_8class_test_00247", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Win32.Comet.exldji BackDoor.Comet.134 Trojan.MSIL.Injector TR/Dropper.MSIL.wnzdd Ransom:Win32/Nemreq.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[26, 68]], "Indicator: Trojan.Win32.Comet.exldji": [[69, 94]], "Indicator: BackDoor.Comet.134": [[95, 113]], "Indicator: Trojan.MSIL.Injector": [[114, 134]], "Indicator: TR/Dropper.MSIL.wnzdd": [[135, 156]], "Indicator: Ransom:Win32/Nemreq.A": [[157, 178]], "Indicator: Trj/GdSda.A": [[179, 190]]}, "info": {"id": "cyner2_8class_test_00248", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9821 Trojan.ADH TROJ_SPNR.30HR13 Backdoor.Win32.Redaptor.ckn Hoax.W32.ArchSMS.ltFg BackDoor.Termuser.196 TROJ_SPNR.30HR13 Backdoor.Win32.Redaptor W32.Malware.Heur Trojan[Backdoor]/Win32.Redaptor Trojan.Symmi.D4D83 Backdoor.Win32.Redaptor.ckn Trojan.SB.01742 Trojan.Kryptik!Yusoob9I30Y Win32/Trojan.97e", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9821": [[26, 68]], "Indicator: Trojan.ADH": [[69, 79]], "Indicator: TROJ_SPNR.30HR13": [[80, 96], [169, 185]], "Indicator: Backdoor.Win32.Redaptor.ckn": [[97, 124], [278, 305]], "Indicator: Hoax.W32.ArchSMS.ltFg": [[125, 146]], "Indicator: BackDoor.Termuser.196": [[147, 168]], "Indicator: Backdoor.Win32.Redaptor": [[186, 209]], "Indicator: W32.Malware.Heur": [[210, 226]], "Indicator: Trojan[Backdoor]/Win32.Redaptor": [[227, 258]], "Indicator: Trojan.Symmi.D4D83": [[259, 277]], "Indicator: Trojan.SB.01742": [[306, 321]], "Indicator: Trojan.Kryptik!Yusoob9I30Y": [[322, 348]], "Indicator: Win32/Trojan.97e": [[349, 365]]}, "info": {"id": "cyner2_8class_test_00249", "source": "cyner2_8class_test"}} {"text": "We are calling the malicious loader StegBaus based on its use of custom steganography and a PDB string, which was found in an embedded DLL.", "spans": {"Malware: malicious loader StegBaus": [[19, 44]], "Indicator: custom steganography": [[65, 85]], "Indicator: PDB string,": [[92, 103]], "Indicator: an embedded DLL.": [[123, 139]]}, "info": {"id": "cyner2_8class_test_00250", "source": "cyner2_8class_test"}} {"text": "Malware developers use a variety of distribution methods in order to confuse users and evade certain AV solutions.", "spans": {"ThreatActor: Malware developers": [[0, 18]], "System: AV solutions.": [[101, 114]]}, "info": {"id": "cyner2_8class_test_00251", "source": "cyner2_8class_test"}} {"text": "Lollipop has 7 percent , Ice Cream Sandwich has 2 percent , and Marshmallow has 1 percent .", "spans": {"System: Lollipop": [[0, 8]], "System: Ice Cream Sandwich": [[25, 43]], "System: Marshmallow": [[64, 75]]}, "info": {"id": "cyner2_8class_test_00252", "source": "cyner2_8class_test"}} {"text": "Our findings , along with previous research , indicates that the threat actor behind these recent campaigns is likely a Chinese group dubbed “ Roaming Mantis ” .", "spans": 
{"Organization: Roaming Mantis": [[143, 157]]}, "info": {"id": "cyner2_8class_test_00253", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom.Satan Trojan/Injector.f Riskware.Win64.Packed2.exhubz Trojan.Win32.Z.Injector.69246.S Trojan.Packed2.39908 Trojan.Injector.Win64.7 Trojan.Ransom TR/AD.Satwancrypt.hlwrr Trojan.Mikey.D12267 Trojan/Win64.Crypted.C2101402 Trojan.Win64.Injector W64/Injector.F!tr Win32/Trojan.7be", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Satan": [[26, 38]], "Indicator: Trojan/Injector.f": [[39, 56]], "Indicator: Riskware.Win64.Packed2.exhubz": [[57, 86]], "Indicator: Trojan.Win32.Z.Injector.69246.S": [[87, 118]], "Indicator: Trojan.Packed2.39908": [[119, 139]], "Indicator: Trojan.Injector.Win64.7": [[140, 163]], "Indicator: Trojan.Ransom": [[164, 177]], "Indicator: TR/AD.Satwancrypt.hlwrr": [[178, 201]], "Indicator: Trojan.Mikey.D12267": [[202, 221]], "Indicator: Trojan/Win64.Crypted.C2101402": [[222, 251]], "Indicator: Trojan.Win64.Injector": [[252, 273]], "Indicator: W64/Injector.F!tr": [[274, 291]], "Indicator: Win32/Trojan.7be": [[292, 308]]}, "info": {"id": "cyner2_8class_test_00254", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Script W32/Trojan.ALLN-6642 TROJ_FRS.0NA003L117 TROJ_FRS.0NA003L117 BehavesLike.Win32.Trojan.dh", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script": [[26, 39]], "Indicator: W32/Trojan.ALLN-6642": [[40, 60]], "Indicator: TROJ_FRS.0NA003L117": [[61, 80], [81, 100]], "Indicator: BehavesLike.Win32.Trojan.dh": [[101, 128]]}, "info": {"id": "cyner2_8class_test_00255", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win.Trojan.Ezoons-1 Trojan.Win32.Ezoons.fftg Joke.Errore.10 Trojan.Ezoons.Win32.1 Trojan.Ezoons", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Trojan.Ezoons-1": [[26, 45]], "Indicator: Trojan.Win32.Ezoons.fftg": [[46, 70]], "Indicator: Joke.Errore.10": [[71, 85]], "Indicator: 
Trojan.Ezoons.Win32.1": [[86, 107]], "Indicator: Trojan.Ezoons": [[108, 121]]}, "info": {"id": "cyner2_8class_test_00256", "source": "cyner2_8class_test"}} {"text": "The attacks targeted high-profile targets, including government and commercial organizations.", "spans": {"Indicator: attacks": [[4, 11]], "Organization: high-profile targets,": [[21, 42]], "Organization: government": [[53, 63]], "Organization: commercial organizations.": [[68, 93]]}, "info": {"id": "cyner2_8class_test_00257", "source": "cyner2_8class_test"}} {"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks .", "spans": {}, "info": {"id": "cyner2_8class_test_00258", "source": "cyner2_8class_test"}} {"text": "The Gaza cybergang's attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.", "spans": {"ThreatActor: The Gaza cybergang's": [[0, 20]], "Indicator: attacks": [[21, 28]], "Organization: government entities/embassies, oil": [[84, 118]], "Organization: gas, media/press, activists, politicians,": [[123, 164]], "Organization: diplomats.": [[169, 179]]}, "info": {"id": "cyner2_8class_test_00259", "source": "cyner2_8class_test"}} {"text": "These download second stages from encrypted zips, likely from a compromised website.", "spans": {"Indicator: encrypted zips,": [[34, 49]], "Indicator: a compromised website.": [[62, 84]]}, "info": {"id": "cyner2_8class_test_00260", "source": "cyner2_8class_test"}} {"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_00261", "source": "cyner2_8class_test"}} {"text": "This backdoor has 
several aliases in the community; Sophos calls the embedded components Brebsd-A and several other reference the code as simply Rambo", "spans": {"Malware: backdoor": [[5, 13]], "Organization: community;": [[41, 51]], "Organization: Sophos": [[52, 58]], "Malware: Brebsd-A": [[89, 97]], "Malware: Rambo": [[145, 150]]}, "info": {"id": "cyner2_8class_test_00262", "source": "cyner2_8class_test"}} {"text": "Allows an application to read SMS messages .", "spans": {}, "info": {"id": "cyner2_8class_test_00263", "source": "cyner2_8class_test"}} {"text": "setFullScreenIntent ( ) – This API wires the notification to a GUI so that it pops up when the user taps on it .", "spans": {}, "info": {"id": "cyner2_8class_test_00264", "source": "cyner2_8class_test"}} {"text": "Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries , but are targeting additional countries around the world .", "spans": {}, "info": {"id": "cyner2_8class_test_00265", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.DlKroha!O TrojanDownloader.Axent Downloader-DA.dll Trojan/Downloader.DlKroha.r TROJ_MONKIF.SMX Win32.Trojan.WisdomEyes.16070401.9500.9892 TROJ_MONKIF.SMX Win.Downloader.83851-1 Trojan-Downloader.Win32.Calper.pgd Trojan.Win32.DlKroha.bsfym Trojan.Win32.A.Downloader.15360.RF TrojWare.Win32.TrojanDownloader.Small.~ZK Trojan.DownLoad.29330 Downloader.DlKroha.Win32.171 Downloader-DA.dll TrojanDownloader.DlKroha.f TR/Dldr.DlKroha.s Trojan[Downloader]/Win32.DlKroha Win32.TrojDownloader.DlKroha.s.kcloud Trojan.Heur.ED137B7 Troj.PSW32.W.Kykymber.lxga Trojan-Downloader.Win32.Calper.pgd TrojanDownloader:Win32/Axent.A Backdoor/Win32.PcClient.R1733 TrojanDownloader.DlKroha Win32/TrojanDownloader.Small.OLL Trojan-Downloader.Win32.DlKroha", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.DlKroha!O": [[26, 59]], "Indicator: TrojanDownloader.Axent": [[60, 82]], "Indicator: 
Downloader-DA.dll": [[83, 100], [417, 434]], "Indicator: Trojan/Downloader.DlKroha.r": [[101, 128]], "Indicator: TROJ_MONKIF.SMX": [[129, 144], [188, 203]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9892": [[145, 187]], "Indicator: Win.Downloader.83851-1": [[204, 226]], "Indicator: Trojan-Downloader.Win32.Calper.pgd": [[227, 261], [598, 632]], "Indicator: Trojan.Win32.DlKroha.bsfym": [[262, 288]], "Indicator: Trojan.Win32.A.Downloader.15360.RF": [[289, 323]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.~ZK": [[324, 365]], "Indicator: Trojan.DownLoad.29330": [[366, 387]], "Indicator: Downloader.DlKroha.Win32.171": [[388, 416]], "Indicator: TrojanDownloader.DlKroha.f": [[435, 461]], "Indicator: TR/Dldr.DlKroha.s": [[462, 479]], "Indicator: Trojan[Downloader]/Win32.DlKroha": [[480, 512]], "Indicator: Win32.TrojDownloader.DlKroha.s.kcloud": [[513, 550]], "Indicator: Trojan.Heur.ED137B7": [[551, 570]], "Indicator: Troj.PSW32.W.Kykymber.lxga": [[571, 597]], "Indicator: TrojanDownloader:Win32/Axent.A": [[633, 663]], "Indicator: Backdoor/Win32.PcClient.R1733": [[664, 693]], "Indicator: TrojanDownloader.DlKroha": [[694, 718]], "Indicator: Win32/TrojanDownloader.Small.OLL": [[719, 751]], "Indicator: Trojan-Downloader.Win32.DlKroha": [[752, 783]]}, "info": {"id": "cyner2_8class_test_00266", "source": "cyner2_8class_test"}} {"text": "FakeSpy is an information stealer used to steal SMS messages , send SMS messages , steal financial data , read account information and contact lists , steal application data , and do much more .", "spans": {"Malware: FakeSpy": [[0, 7]]}, "info": {"id": "cyner2_8class_test_00267", "source": "cyner2_8class_test"}} {"text": "Please follow these basic precautions during the current crisis—and at all times : Install apps only from official stores , such as Google Play .", "spans": {"System: Google Play": [[132, 143]]}, "info": {"id": "cyner2_8class_test_00268", "source": "cyner2_8class_test"}} {"text": "It expects a json with url , class 
and method name .", "spans": {}, "info": {"id": "cyner2_8class_test_00269", "source": "cyner2_8class_test"}} {"text": "Dell SecureWorks Counter Threat UnitTM CTU researchers analyzed multiple versions of a remote access trojan RAT named Sakula also known as Sakurel and VIPER.", "spans": {"Organization: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[0, 54]], "Malware: remote access trojan RAT": [[87, 111]], "Malware: Sakula": [[118, 124]], "Malware: Sakurel": [[139, 146]], "Malware: VIPER.": [[151, 157]]}, "info": {"id": "cyner2_8class_test_00270", "source": "cyner2_8class_test"}} {"text": "Attackers are keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"System: Android": [[155, 162]]}, "info": {"id": "cyner2_8class_test_00271", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.C0A3 Trojan.Yakes.A6 Trojan.Yakes.Win32.29829 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Ransomlock!g83 Trojan.Win32.Yakes.dntgop Trojan.Win32.Z.Yakes.290820.D TrojWare.Win32.Ransom.Cryptor.A Trojan:W32/Dridex.D BackDoor.Reveton.444 BehavesLike.Win32.Trojan.dc Trojan.Win32.Crypt Trojan/Yakes.rfb TR/Kryptik.elposp Trojan/Win32.Yakes Trojan.Yakes Trojan.Yakes!Nbikm7ahQzA W32/Kryptik.CWPL!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.C0A3": [[26, 42]], "Indicator: Trojan.Yakes.A6": [[43, 58]], "Indicator: Trojan.Yakes.Win32.29829": [[59, 83]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[84, 126]], "Indicator: Trojan.Ransomlock!g83": [[127, 148]], "Indicator: Trojan.Win32.Yakes.dntgop": [[149, 174]], "Indicator: Trojan.Win32.Z.Yakes.290820.D": [[175, 204]], "Indicator: TrojWare.Win32.Ransom.Cryptor.A": [[205, 236]], "Indicator: Trojan:W32/Dridex.D": [[237, 256]], "Indicator: BackDoor.Reveton.444": [[257, 277]], "Indicator: 
BehavesLike.Win32.Trojan.dc": [[278, 305]], "Indicator: Trojan.Win32.Crypt": [[306, 324]], "Indicator: Trojan/Yakes.rfb": [[325, 341]], "Indicator: TR/Kryptik.elposp": [[342, 359]], "Indicator: Trojan/Win32.Yakes": [[360, 378]], "Indicator: Trojan.Yakes": [[379, 391]], "Indicator: Trojan.Yakes!Nbikm7ahQzA": [[392, 416]], "Indicator: W32/Kryptik.CWPL!tr": [[417, 436]]}, "info": {"id": "cyner2_8class_test_00272", "source": "cyner2_8class_test"}} {"text": "The Emotet malware has returned for the second time in less than a year, and this time it is using new techniques to evade detection and evade security tools..", "spans": {"Malware: The Emotet malware": [[0, 18]], "Date: less than a year,": [[55, 72]], "Malware: tools..": [[152, 159]]}, "info": {"id": "cyner2_8class_test_00273", "source": "cyner2_8class_test"}} {"text": "'' This DLL contains one root class called \" eClient , '' which is the core of the trojan .", "spans": {}, "info": {"id": "cyner2_8class_test_00274", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Virus/W32.Alman W32.Almanahe.A W32/Almanahe.b Win32/Alman.A W32/Alman.D W32.Almanahe.A!inf W32/Alman.A PE_ALMANAHE.A W32.Alman.cd Virus.Win32.Alman.a Win32.Almam.A Win32.Alman.A Virus.Win32.Alman.A Win32.Almam.A Win32.Alman.2 W32/Almanahe.A PE_ALMANAHE.A W32/Almanahe.b Win32/Almanahe.C W32/Alman.D Win32/Almana.a Virus:Win32/Almanahe.A Win32.Almam.A Virus.Win32.Alman.1 Malware.Almanahe Worm.Magistr.c Virus.Win32.Alman.a W32/Alman.DB W32/Almanahe.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus/W32.Alman": [[26, 41]], "Indicator: W32.Almanahe.A": [[42, 56]], "Indicator: W32/Almanahe.b": [[57, 71], [281, 295]], "Indicator: Win32/Alman.A": [[72, 85]], "Indicator: W32/Alman.D": [[86, 97], [313, 324]], "Indicator: W32.Almanahe.A!inf": [[98, 116]], "Indicator: W32/Alman.A": [[117, 128]], "Indicator: PE_ALMANAHE.A": [[129, 142], [267, 280]], "Indicator: W32.Alman.cd": [[143, 155]], "Indicator: Virus.Win32.Alman.a": [[156, 
175], [429, 448]], "Indicator: Win32.Almam.A": [[176, 189], [224, 237], [363, 376]], "Indicator: Win32.Alman.A": [[190, 203]], "Indicator: Virus.Win32.Alman.A": [[204, 223]], "Indicator: Win32.Alman.2": [[238, 251]], "Indicator: W32/Almanahe.A": [[252, 266]], "Indicator: Win32/Almanahe.C": [[296, 312]], "Indicator: Win32/Almana.a": [[325, 339]], "Indicator: Virus:Win32/Almanahe.A": [[340, 362]], "Indicator: Virus.Win32.Alman.1": [[377, 396]], "Indicator: Malware.Almanahe": [[397, 413]], "Indicator: Worm.Magistr.c": [[414, 428]], "Indicator: W32/Alman.DB": [[449, 461]], "Indicator: W32/Almanahe.B": [[462, 476]]}, "info": {"id": "cyner2_8class_test_00275", "source": "cyner2_8class_test"}} {"text": "In this blog, we will cover a recent Gamarue infection that we looked at, which downloads and installs the Lethic bot on an infected system.", "spans": {"Malware: Gamarue": [[37, 44]], "Malware: at,": [[70, 73]], "Malware: Lethic bot": [[107, 117]], "System: infected system.": [[124, 140]]}, "info": {"id": "cyner2_8class_test_00276", "source": "cyner2_8class_test"}} {"text": "The group uses an advanced piece of malware known as Remsec Backdoor.Remsec to conduct its attacks.", "spans": {"Malware: malware": [[36, 43]], "Malware: Remsec": [[53, 59]], "Indicator: Backdoor.Remsec": [[60, 75]], "Indicator: attacks.": [[91, 99]]}, "info": {"id": "cyner2_8class_test_00277", "source": "cyner2_8class_test"}} {"text": "The entered data is forwarded to the cybercriminals .", "spans": {}, "info": {"id": "cyner2_8class_test_00278", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.BlackduA.Worm P2P-Worm.Win32.Picsys!O Worm.Picsys W32/Picsys.worm.c Worm.Picsys.Win32.1 W32/Picsys.c Win32.Worm.Picsys.a W32.HLLW.Yoof Win32/Picsys.C WORM_SPYBOT.PA Win.Worm.Picsys-3 Worm.Picsys P2P-Worm.Win32.Picsys.c Riskware.Win32.Sock4Proxy.csnqbg Worm.Win32.A.P2P-Picsys.71011[UPX] W32.W.Picsys.tp0s Worm.Win32.Picsys.C Win32.HLLW.Morpheus.3 BehavesLike.Win32.Dropper.kc 
P2P-Worm.Win32.Picsys W32/Picsys.PYSN-0191 Worm/Picsys.a Worm[P2P]/Win32.Picsys Worm:Win32/Picsys.C Worm/Win32.Picsys.R7826 Win32/Picsys.C Worm.Win32.Picsys.a Worm.Picsys!XMnMuiZSf1k Worm.Win32.Picsys.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BlackduA.Worm": [[26, 43]], "Indicator: P2P-Worm.Win32.Picsys!O": [[44, 67]], "Indicator: Worm.Picsys": [[68, 79], [213, 224]], "Indicator: W32/Picsys.worm.c": [[80, 97]], "Indicator: Worm.Picsys.Win32.1": [[98, 117]], "Indicator: W32/Picsys.c": [[118, 130]], "Indicator: Win32.Worm.Picsys.a": [[131, 150]], "Indicator: W32.HLLW.Yoof": [[151, 164]], "Indicator: Win32/Picsys.C": [[165, 179], [530, 544]], "Indicator: WORM_SPYBOT.PA": [[180, 194]], "Indicator: Win.Worm.Picsys-3": [[195, 212]], "Indicator: P2P-Worm.Win32.Picsys.c": [[225, 248]], "Indicator: Riskware.Win32.Sock4Proxy.csnqbg": [[249, 281]], "Indicator: Worm.Win32.A.P2P-Picsys.71011[UPX]": [[282, 316]], "Indicator: W32.W.Picsys.tp0s": [[317, 334]], "Indicator: Worm.Win32.Picsys.C": [[335, 354]], "Indicator: Win32.HLLW.Morpheus.3": [[355, 376]], "Indicator: BehavesLike.Win32.Dropper.kc": [[377, 405]], "Indicator: P2P-Worm.Win32.Picsys": [[406, 427]], "Indicator: W32/Picsys.PYSN-0191": [[428, 448]], "Indicator: Worm/Picsys.a": [[449, 462]], "Indicator: Worm[P2P]/Win32.Picsys": [[463, 485]], "Indicator: Worm:Win32/Picsys.C": [[486, 505]], "Indicator: Worm/Win32.Picsys.R7826": [[506, 529]], "Indicator: Worm.Win32.Picsys.a": [[545, 564]], "Indicator: Worm.Picsys!XMnMuiZSf1k": [[565, 588]], "Indicator: Worm.Win32.Picsys.A": [[589, 608]]}, "info": {"id": "cyner2_8class_test_00279", "source": "cyner2_8class_test"}} {"text": "Locky has been a devastating force for the last year in the spam and ransomware landscape.", "spans": {"Malware: Locky": [[0, 5]], "Date: the last year": [[39, 52]], "Indicator: spam": [[60, 64]], "Malware: ransomware": [[69, 79]]}, "info": {"id": "cyner2_8class_test_00280", "source": "cyner2_8class_test"}} {"text": "S21Sec have spotted 
a new banking trojan in the wild that uses JSON formatted webinjects.", "spans": {"Organization: S21Sec": [[0, 6]], "Malware: banking trojan": [[26, 40]], "Indicator: JSON formatted webinjects.": [[63, 89]]}, "info": {"id": "cyner2_8class_test_00281", "source": "cyner2_8class_test"}} {"text": "To activate this menu the operator needs to call the hardcoded number “ 9909 ” from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution .", "spans": {}, "info": {"id": "cyner2_8class_test_00282", "source": "cyner2_8class_test"}} {"text": "Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016.", "spans": {"Malware: Dridex": [[0, 6]], "Date: between 2014 and 2015,": [[23, 45]], "ThreatActor: smaller campaigns": [[50, 67]], "Date: 2016.": [[93, 98]]}, "info": {"id": "cyner2_8class_test_00283", "source": "cyner2_8class_test"}} {"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 .", "spans": {"Indicator: TCP port 1883": [[169, 182]]}, "info": {"id": "cyner2_8class_test_00284", "source": "cyner2_8class_test"}} {"text": "These threats can be deployed to a system by brute-forcing log in credentials on machines with weak passwords.", "spans": {"Indicator: brute-forcing log in credentials": [[45, 77]], "System: machines": [[81, 89]], "Indicator: weak passwords.": [[95, 110]]}, "info": {"id": "cyner2_8class_test_00285", "source": "cyner2_8class_test"}} {"text": "YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.", "spans": {"Malware: YiSpecter": [[0, 9]], "Malware: iOS malware": [[44, 55]], "Indicator: attacks": [[67, 74]], "Indicator: jailbroken and non-jailbroken iOS devices": [[80, 
121]]}, "info": {"id": "cyner2_8class_test_00286", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Dropper Trojan.Win32.Invader.vpkho W32.W.Otwycal.l4av Backdoor.Win32.Kilya.A Trojan.Inject1.6183 Heur:Trojan/PSW.OnLineGames Trojan:WinNT/Tandfuy.B BScope.Trojan-Dropper.Inject", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper": [[26, 40]], "Indicator: Trojan.Win32.Invader.vpkho": [[41, 67]], "Indicator: W32.W.Otwycal.l4av": [[68, 86]], "Indicator: Backdoor.Win32.Kilya.A": [[87, 109]], "Indicator: Trojan.Inject1.6183": [[110, 129]], "Indicator: Heur:Trojan/PSW.OnLineGames": [[130, 157]], "Indicator: Trojan:WinNT/Tandfuy.B": [[158, 180]], "Indicator: BScope.Trojan-Dropper.Inject": [[181, 209]]}, "info": {"id": "cyner2_8class_test_00287", "source": "cyner2_8class_test"}} {"text": "Dropped files appear to be kernel level key loggers", "spans": {"Indicator: Dropped files": [[0, 13]], "Malware: kernel level key loggers": [[27, 51]]}, "info": {"id": "cyner2_8class_test_00288", "source": "cyner2_8class_test"}} {"text": "Trend Micro researchers detected a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform.", "spans": {"Organization: Trend Micro researchers": [[0, 23]], "Malware: new SLocker variant": [[35, 54]], "Malware: WannaCry crypto-ransomware": [[82, 108]], "System: the Android platform.": [[112, 133]]}, "info": {"id": "cyner2_8class_test_00289", "source": "cyner2_8class_test"}} {"text": "In this age of global operations, that's a huge deal.", "spans": {}, "info": {"id": "cyner2_8class_test_00290", "source": "cyner2_8class_test"}} {"text": "This is only a small picture of the threat actor 's operations .", "spans": {}, "info": {"id": "cyner2_8class_test_00291", "source": "cyner2_8class_test"}} {"text": "Letting an attacker get access to this kind of data can have severe consequences .", "spans": {}, "info": {"id": "cyner2_8class_test_00292", "source": "cyner2_8class_test"}} 
{"text": "A backdoor also known as: W32.CydoorO.Worm Trojan.Downloader.JLGQ Trojan/W32.Inject.20480.N Trojan.Win32.Inject!O TROJ_FAKEAV.JU Win32/FakeAlert.AEE TROJ_FAKEAV.JU Win.Trojan.Inject-1918 Trojan.Downloader.JLGQ Packed.Win32.Katusha.a Trojan.Downloader.JLGQ Troj.GameThief.W32.OnLineGames.ljfQ Trojan.Downloader.JLGQ TrojWare.Win32.Trojan.Inject.~INE Trojan.Downloader.JLGQ Trojan.DownLoader.50219 Downloader.FakeAlert.Win32.16570 BehavesLike.Win32.Dropper.mh Trojan[Packed]/Win32.Katusha Trojan.Downloader.JLGQ Packed.Win32.Katusha.a TrojanDownloader:Win32/Podcite.A Trojan/Win32.Downloader.R10196 Trojan.Downloader.JLGQ TScope.Malware-Cryptor.SB Win32.Packed.Katusha.Pepo Trojan.Zlob.LFD Trojan.Fakealert", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CydoorO.Worm": [[26, 42]], "Indicator: Trojan.Downloader.JLGQ": [[43, 65], [187, 209], [233, 255], [292, 314], [349, 371], [487, 509], [597, 619]], "Indicator: Trojan/W32.Inject.20480.N": [[66, 91]], "Indicator: Trojan.Win32.Inject!O": [[92, 113]], "Indicator: TROJ_FAKEAV.JU": [[114, 128], [149, 163]], "Indicator: Win32/FakeAlert.AEE": [[129, 148]], "Indicator: Win.Trojan.Inject-1918": [[164, 186]], "Indicator: Packed.Win32.Katusha.a": [[210, 232], [510, 532]], "Indicator: Troj.GameThief.W32.OnLineGames.ljfQ": [[256, 291]], "Indicator: TrojWare.Win32.Trojan.Inject.~INE": [[315, 348]], "Indicator: Trojan.DownLoader.50219": [[372, 395]], "Indicator: Downloader.FakeAlert.Win32.16570": [[396, 428]], "Indicator: BehavesLike.Win32.Dropper.mh": [[429, 457]], "Indicator: Trojan[Packed]/Win32.Katusha": [[458, 486]], "Indicator: TrojanDownloader:Win32/Podcite.A": [[533, 565]], "Indicator: Trojan/Win32.Downloader.R10196": [[566, 596]], "Indicator: TScope.Malware-Cryptor.SB": [[620, 645]], "Indicator: Win32.Packed.Katusha.Pepo": [[646, 671]], "Indicator: Trojan.Zlob.LFD": [[672, 687]], "Indicator: Trojan.Fakealert": [[688, 704]]}, "info": {"id": "cyner2_8class_test_00293", "source": "cyner2_8class_test"}} {"text": 
"Then it adds onTouchListener to this textView and is able to process every user tap .", "spans": {}, "info": {"id": "cyner2_8class_test_00294", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clodb0d.Trojan.9c3e TrojanDropper.Spacekito PUP.Optional.Vittalia PUP.ConvertAd/Variant Trojan.Razy.DFAEB TROJ_SP.81E42145 Multi.Threats.InArchive Trojan.ADH TROJ_SPACEKITO.SMA virus.win32.sality.at BehavesLike.Win32.Downloader.hc TrojanDropper:Win32/Spacekito.A Trojan.Msil W32/Malware_fam.NB Trj/CI.A Win32/Trojan.Downloader.78c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clodb0d.Trojan.9c3e": [[26, 49]], "Indicator: TrojanDropper.Spacekito": [[50, 73]], "Indicator: PUP.Optional.Vittalia": [[74, 95]], "Indicator: PUP.ConvertAd/Variant": [[96, 117]], "Indicator: Trojan.Razy.DFAEB": [[118, 135]], "Indicator: TROJ_SP.81E42145": [[136, 152]], "Indicator: Multi.Threats.InArchive": [[153, 176]], "Indicator: Trojan.ADH": [[177, 187]], "Indicator: TROJ_SPACEKITO.SMA": [[188, 206]], "Indicator: virus.win32.sality.at": [[207, 228]], "Indicator: BehavesLike.Win32.Downloader.hc": [[229, 260]], "Indicator: TrojanDropper:Win32/Spacekito.A": [[261, 292]], "Indicator: Trojan.Msil": [[293, 304]], "Indicator: W32/Malware_fam.NB": [[305, 323]], "Indicator: Trj/CI.A": [[324, 332]], "Indicator: Win32/Trojan.Downloader.78c": [[333, 360]]}, "info": {"id": "cyner2_8class_test_00295", "source": "cyner2_8class_test"}} {"text": "It can also be downloaded by a specific command .", "spans": {}, "info": {"id": "cyner2_8class_test_00296", "source": "cyner2_8class_test"}} {"text": "Their campaigns employ the Daserf backdoor detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale that has four main capabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.", "spans": {"ThreatActor: campaigns": [[6, 15]], "Malware: the Daserf backdoor": [[23, 42]], "Organization: Trend Micro": [[55, 66]], "Indicator: 
BKDR_DASERF,": [[70, 82]], "Malware: Muirim": [[102, 108]], "Malware: Nioupale": [[113, 121]], "Indicator: execute shell commands, download and upload data, take screenshots, and log keystrokes.": [[155, 242]]}, "info": {"id": "cyner2_8class_test_00297", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: KeyLogger.Ardamax Riskware.Ardamax! WS.Reputation.1 Trojan.Win32.KeyLogger.djcsib Trojan.KeyLogger.24635 BehavesLike.Win32.Keylog.rc W32/Application.ARMZ-3982 Backdoor/Gbot.ptj BDS/Gbot.qxwmnb W32/Gbot.ACCR!tr.bdr Trojan[Backdoor]/Win32.Gbot Trojan.FAkeAlert.105 Trojan/Win32.Fakon Backdoor.Gbot PUA.Keylogger.Ardamax Ardamax.CFW Trojan.Win32.Ardamax.NBQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: KeyLogger.Ardamax": [[26, 43]], "Indicator: Riskware.Ardamax!": [[44, 61]], "Indicator: WS.Reputation.1": [[62, 77]], "Indicator: Trojan.Win32.KeyLogger.djcsib": [[78, 107]], "Indicator: Trojan.KeyLogger.24635": [[108, 130]], "Indicator: BehavesLike.Win32.Keylog.rc": [[131, 158]], "Indicator: W32/Application.ARMZ-3982": [[159, 184]], "Indicator: Backdoor/Gbot.ptj": [[185, 202]], "Indicator: BDS/Gbot.qxwmnb": [[203, 218]], "Indicator: W32/Gbot.ACCR!tr.bdr": [[219, 239]], "Indicator: Trojan[Backdoor]/Win32.Gbot": [[240, 267]], "Indicator: Trojan.FAkeAlert.105": [[268, 288]], "Indicator: Trojan/Win32.Fakon": [[289, 307]], "Indicator: Backdoor.Gbot": [[308, 321]], "Indicator: PUA.Keylogger.Ardamax": [[322, 343]], "Indicator: Ardamax.CFW": [[344, 355]], "Indicator: Trojan.Win32.Ardamax.NBQ": [[356, 380]]}, "info": {"id": "cyner2_8class_test_00298", "source": "cyner2_8class_test"}} {"text": "This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "ThreatActor: malicious actor": [[28, 43]], "Indicator: execute a Visual Basic script containing PowerShell commands": [[60, 
120]], "Indicator: opens": [[133, 138]], "Indicator: document": [[141, 149]], "Malware: an embedded exploit.": [[161, 181]]}, "info": {"id": "cyner2_8class_test_00299", "source": "cyner2_8class_test"}} {"text": "Apps with a custom-made advertisement SDK The simplest PHA from the author 's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic .", "spans": {}, "info": {"id": "cyner2_8class_test_00300", "source": "cyner2_8class_test"}} {"text": "] fun , you-foto [ .", "spans": {"Indicator: you-foto [ .": [[8, 20]]}, "info": {"id": "cyner2_8class_test_00301", "source": "cyner2_8class_test"}} {"text": "Allows an application to receive SMS messages .", "spans": {}, "info": {"id": "cyner2_8class_test_00302", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.VB Trojan.Buzy.D6D2 Trojan-Downloader.Win32.Miscer.bwe Trojan.Win32.VB.euzpgu Trojan.Win32.Z.Buzy.71168 Troj.Clicker.W32.Vb!c BehavesLike.Win32.SoftPulse.kh W32.Malware.Downloader TrojanDownloader:Win32/Miscer.B Trojan-Downloader.Win32.Miscer.bwe Packed/Win32.Morphine.R14850 Win32.Trojan-downloader.Miscer.Crj W32/VB.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.VB": [[26, 35]], "Indicator: Trojan.Buzy.D6D2": [[36, 52]], "Indicator: Trojan-Downloader.Win32.Miscer.bwe": [[53, 87], [245, 279]], "Indicator: Trojan.Win32.VB.euzpgu": [[88, 110]], "Indicator: Trojan.Win32.Z.Buzy.71168": [[111, 136]], "Indicator: Troj.Clicker.W32.Vb!c": [[137, 158]], "Indicator: BehavesLike.Win32.SoftPulse.kh": [[159, 189]], "Indicator: W32.Malware.Downloader": [[190, 212]], "Indicator: TrojanDownloader:Win32/Miscer.B": [[213, 244]], "Indicator: Packed/Win32.Morphine.R14850": [[280, 308]], "Indicator: Win32.Trojan-downloader.Miscer.Crj": [[309, 343]], "Indicator: W32/VB.C!tr": [[344, 355]]}, "info": {"id": "cyner2_8class_test_00303", "source": "cyner2_8class_test"}} {"text": "Zygote is the core process in the Android OS that is used as a 
template for every application , which means that once the Trojan gets into Zygote , it becomes a part of literally every app that is launched on the device .", "spans": {"System: Zygote": [[0, 6], [139, 145]], "System: Android": [[34, 41]]}, "info": {"id": "cyner2_8class_test_00304", "source": "cyner2_8class_test"}} {"text": "Proofpoint researchers have observed and documented, for the first time, three distinct variants of the malware known as IcedID.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: variants": [[88, 96]], "Malware: malware": [[104, 111]], "Malware: IcedID.": [[121, 128]]}, "info": {"id": "cyner2_8class_test_00305", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.CarigatG.Trojan Trojan-Downloader.Win32.Banload!O Trojan/Downloader.Banload.ihm Win32.Trojan.VB.gu W32/Downldr2.DEAQ W32.SillyFDC Win32/Lefgroo.A WORM_AUTORUN.SMG Win.Trojan.VB-1518 Trojan.Win32.Dwn.vttwn Trojan.Win32.Downloader.910336 TrojWare.Win32.Downloader.Banload.~AAD Trojan.DownLoad1.19749 Downloader.Banload.Win32.44018 WORM_AUTORUN.SMG W32/Downloader.ARMS-0839 TR/Banload.ihm Trojan[Downloader]/Win32.Banload Worm:Win32/Lefgroo.A HEUR/Fakon.mwf Worm.Brontok Trj/VB.AAY Trojan.Banload Win32/VB.NMS Trojan.Win32.FakeFolder.pa Trojan.DL.Banload!rYSm24e8R00", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CarigatG.Trojan": [[26, 45]], "Indicator: Trojan-Downloader.Win32.Banload!O": [[46, 79]], "Indicator: Trojan/Downloader.Banload.ihm": [[80, 109]], "Indicator: Win32.Trojan.VB.gu": [[110, 128]], "Indicator: W32/Downldr2.DEAQ": [[129, 146]], "Indicator: W32.SillyFDC": [[147, 159]], "Indicator: Win32/Lefgroo.A": [[160, 175]], "Indicator: WORM_AUTORUN.SMG": [[176, 192], [359, 375]], "Indicator: Win.Trojan.VB-1518": [[193, 211]], "Indicator: Trojan.Win32.Dwn.vttwn": [[212, 234]], "Indicator: Trojan.Win32.Downloader.910336": [[235, 265]], "Indicator: TrojWare.Win32.Downloader.Banload.~AAD": [[266, 304]], "Indicator: 
Trojan.DownLoad1.19749": [[305, 327]], "Indicator: Downloader.Banload.Win32.44018": [[328, 358]], "Indicator: W32/Downloader.ARMS-0839": [[376, 400]], "Indicator: TR/Banload.ihm": [[401, 415]], "Indicator: Trojan[Downloader]/Win32.Banload": [[416, 448]], "Indicator: Worm:Win32/Lefgroo.A": [[449, 469]], "Indicator: HEUR/Fakon.mwf": [[470, 484]], "Indicator: Worm.Brontok": [[485, 497]], "Indicator: Trj/VB.AAY": [[498, 508]], "Indicator: Trojan.Banload": [[509, 523]], "Indicator: Win32/VB.NMS": [[524, 536]], "Indicator: Trojan.Win32.FakeFolder.pa": [[537, 563]], "Indicator: Trojan.DL.Banload!rYSm24e8R00": [[564, 593]]}, "info": {"id": "cyner2_8class_test_00306", "source": "cyner2_8class_test"}} {"text": "The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer , or was likely distributed inside modified Android firmware .", "spans": {"System: Android": [[166, 173]]}, "info": {"id": "cyner2_8class_test_00307", "source": "cyner2_8class_test"}} {"text": "The success is largely the result of the malware 's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android .", "spans": {"Vulnerability: vulnerabilities that remain unfixed in older versions of Android": [[135, 199]]}, "info": {"id": "cyner2_8class_test_00308", "source": "cyner2_8class_test"}} {"text": "However , in addition to the traditional functionality , there were also backdoor capabilities such as upload , download , delete files , camera takeover and record surrounding audio .", "spans": {}, "info": {"id": "cyner2_8class_test_00309", "source": "cyner2_8class_test"}} {"text": "CyS-CERT specialists at Sai Ess Center have detected signs that a wave of targeted attacks on Ukrainian enterprises with the use of the Ursnif malware also known as GoZi on 14/03/2017 was discovered during the monitoring of network threats and information security. 
/ ISFB.", "spans": {"Organization: CyS-CERT specialists": [[0, 20]], "Organization: Sai Ess Center": [[24, 38]], "Indicator: attacks": [[83, 90]], "Organization: Ukrainian enterprises": [[94, 115]], "Malware: the": [[132, 135]], "Malware: Ursnif malware": [[136, 150]], "Malware: GoZi": [[165, 169]], "Date: 14/03/2017": [[173, 183]], "Malware: network threats": [[224, 239]], "Organization: ISFB.": [[268, 273]]}, "info": {"id": "cyner2_8class_test_00310", "source": "cyner2_8class_test"}} {"text": "A new LockBit ransomware campaign is targeting firms in Spanish-speaking areas.", "spans": {"ThreatActor: LockBit ransomware campaign": [[6, 33]], "Organization: firms": [[47, 52]], "Location: Spanish-speaking areas.": [[56, 79]]}, "info": {"id": "cyner2_8class_test_00311", "source": "cyner2_8class_test"}} {"text": "] com/api/ads/ which is used for obtaining a link to APK file .", "spans": {}, "info": {"id": "cyner2_8class_test_00312", "source": "cyner2_8class_test"}} {"text": "Malware that enslaves devices to form botnets needs to be able to receive updated instructions .", "spans": {}, "info": {"id": "cyner2_8class_test_00313", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Mooqkel Trojan.Win32.SelfDel.asbd Trojan.Win32.KillFiles.drxdvi Troj.W32.SelfDel.mA4R Win32.Trojan.Selfdel.Pgmr TrojWare.Win32.Selfdel.DRX Trojan.KillFiles.27538 Trojan.SelfDel.Win32.49747 BehavesLike.Win32.AdwareConvertAd.dc Trojan/Selfdel.atub TR/Taranis.4019 Trojan/Win32.SelfDel Trojan.Zusy.D262B0 Trojan.Win32.SelfDel.asbd Trojan:Win32/Mooqkel.A Trojan.SelfDel Trojan.Graftor!XKRphH87aYk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mooqkel": [[26, 40]], "Indicator: Trojan.Win32.SelfDel.asbd": [[41, 66], [335, 360]], "Indicator: Trojan.Win32.KillFiles.drxdvi": [[67, 96]], "Indicator: Troj.W32.SelfDel.mA4R": [[97, 118]], "Indicator: Win32.Trojan.Selfdel.Pgmr": [[119, 144]], "Indicator: TrojWare.Win32.Selfdel.DRX": [[145, 171]], "Indicator: 
Trojan.KillFiles.27538": [[172, 194]], "Indicator: Trojan.SelfDel.Win32.49747": [[195, 221]], "Indicator: BehavesLike.Win32.AdwareConvertAd.dc": [[222, 258]], "Indicator: Trojan/Selfdel.atub": [[259, 278]], "Indicator: TR/Taranis.4019": [[279, 294]], "Indicator: Trojan/Win32.SelfDel": [[295, 315]], "Indicator: Trojan.Zusy.D262B0": [[316, 334]], "Indicator: Trojan:Win32/Mooqkel.A": [[361, 383]], "Indicator: Trojan.SelfDel": [[384, 398]], "Indicator: Trojan.Graftor!XKRphH87aYk": [[399, 425]]}, "info": {"id": "cyner2_8class_test_00314", "source": "cyner2_8class_test"}} {"text": "The “ core ” module communicates with the C & C server , receiving the predetermined list of popular apps to scan the device for .", "spans": {}, "info": {"id": "cyner2_8class_test_00315", "source": "cyner2_8class_test"}} {"text": "After we notified Google and published an article about these fake Dubsmash Trojans, we discovered other fake Dubsmash versions being uploaded again infected with the same porn clicker.", "spans": {"Organization: Google": [[18, 24]], "Malware: Dubsmash Trojans,": [[67, 84]], "Indicator: fake Dubsmash": [[105, 118]], "Malware: porn clicker.": [[172, 185]]}, "info": {"id": "cyner2_8class_test_00316", "source": "cyner2_8class_test"}} {"text": "Of the 54 distinct C C servers, 12 of them were online and operational until F5 had them shut down in March, 10 were sink-holed, and 32 were already offline.", "spans": {"Indicator: 54 distinct C C servers,": [[7, 31]], "Organization: F5": [[77, 79]], "Date: March, 10": [[102, 111]], "Indicator: sink-holed,": [[117, 128]]}, "info": {"id": "cyner2_8class_test_00317", "source": "cyner2_8class_test"}} {"text": "The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims.", "spans": {"ThreatActor: attackers": [[4, 13]], "Indicator: spoofed": [[14, 21]], "Indicator: email ids": [[26, 35]], "Organization: Indian Ministry of Home Affairs": [[52, 83]]}, "info": {"id": 
"cyner2_8class_test_00318", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO!O Trojan.Downloader.JJVD Downloader.BHO.Win32.1833 Troj.Downloader.W32.BHO.l33b TROJ_DLOADER.LER Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.JGGW-3321 Infostealer.Gampass Win32/SillyDl.DVK TROJ_DLOADER.LER Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO.xfn Trojan.Downloader.JJVD Trojan.Win32.BHO.cbhkf Trojan.Win32.Downloader.38438 Trojan.Downloader.JJVD Trojan.DownLoader.49249 BehavesLike.Win32.Downloader.nc W32/Downldr2.IBZP TrojanDownloader.BHO.bn Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO.xfn TrojanClicker:Win32/Zirit.O Trojan/Win32.BHO.C67509 TrojanDownloader.BHO Trj/Downloader.SPH Win32/BHO.NCG Trojan.DL.BHO!younfCjFxPg Trojan-Downloader.Win32.BHO.ct", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.JJVD": [[26, 48], [79, 101], [297, 319], [352, 374], [428, 450], [549, 571]], "Indicator: Trojan-Downloader.Win32.BHO!O": [[49, 78]], "Indicator: Downloader.BHO.Win32.1833": [[102, 127]], "Indicator: Troj.Downloader.W32.BHO.l33b": [[128, 156]], "Indicator: TROJ_DLOADER.LER": [[157, 173], [280, 296]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[174, 216]], "Indicator: W32/Downloader.JGGW-3321": [[217, 241]], "Indicator: Infostealer.Gampass": [[242, 261]], "Indicator: Win32/SillyDl.DVK": [[262, 279]], "Indicator: Trojan-Downloader.Win32.BHO.xfn": [[320, 351], [572, 603]], "Indicator: Trojan.Win32.BHO.cbhkf": [[375, 397]], "Indicator: Trojan.Win32.Downloader.38438": [[398, 427]], "Indicator: Trojan.DownLoader.49249": [[451, 474]], "Indicator: BehavesLike.Win32.Downloader.nc": [[475, 506]], "Indicator: W32/Downldr2.IBZP": [[507, 524]], "Indicator: TrojanDownloader.BHO.bn": [[525, 548]], "Indicator: TrojanClicker:Win32/Zirit.O": [[604, 631]], "Indicator: Trojan/Win32.BHO.C67509": [[632, 655]], "Indicator: TrojanDownloader.BHO": [[656, 676]], "Indicator: 
Trj/Downloader.SPH": [[677, 695]], "Indicator: Win32/BHO.NCG": [[696, 709]], "Indicator: Trojan.DL.BHO!younfCjFxPg": [[710, 735]], "Indicator: Trojan-Downloader.Win32.BHO.ct": [[736, 766]]}, "info": {"id": "cyner2_8class_test_00319", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.3704 Packer.Morphine.B Packer.Morphine.B Packer.Morphine.B Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Packed-85 Packer.Morphine.B Trojan.Win32.Morphine.cwnmax Packer.Morphine.B TrojWare.Win32.PkdMorphine.~AN BackDoor.IRC.Sdbot.3653 BehavesLike.Win32.Trojan.pc Packed.Morphine.a TrojanProxy:Win32/Daemonize.K Packer.Morphine.B Email-Worm.Win32.Bagle.pp Packed/Morphine.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3704": [[26, 42]], "Indicator: Packer.Morphine.B": [[43, 60], [61, 78], [79, 96], [177, 194], [224, 241], [373, 390]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[97, 139]], "Indicator: Backdoor.Trojan": [[140, 155]], "Indicator: Win.Trojan.Packed-85": [[156, 176]], "Indicator: Trojan.Win32.Morphine.cwnmax": [[195, 223]], "Indicator: TrojWare.Win32.PkdMorphine.~AN": [[242, 272]], "Indicator: BackDoor.IRC.Sdbot.3653": [[273, 296]], "Indicator: BehavesLike.Win32.Trojan.pc": [[297, 324]], "Indicator: Packed.Morphine.a": [[325, 342]], "Indicator: TrojanProxy:Win32/Daemonize.K": [[343, 372]], "Indicator: Email-Worm.Win32.Bagle.pp": [[391, 416]], "Indicator: Packed/Morphine.B": [[417, 434]]}, "info": {"id": "cyner2_8class_test_00320", "source": "cyner2_8class_test"}} {"text": "In October 2015, PaloAlto discovered a malicious payload file targeting Apple iOS devices.", "spans": {"Date: October 2015,": [[3, 16]], "Organization: PaloAlto": [[17, 25]], "Malware: malicious payload": [[39, 56]], "System: Apple iOS devices.": [[72, 90]]}, "info": {"id": "cyner2_8class_test_00321", "source": "cyner2_8class_test"}} {"text": "Port 6211 : Calendar extraction service .", "spans": {"Indicator: Port 
6211": [[0, 9]], "System: Calendar": [[12, 20]]}, "info": {"id": "cyner2_8class_test_00322", "source": "cyner2_8class_test"}} {"text": "Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere.", "spans": {"Malware: backdoor": [[14, 22]], "Date: 2016,": [[65, 70]]}, "info": {"id": "cyner2_8class_test_00323", "source": "cyner2_8class_test"}} {"text": "] com and ora.studiolegalebasili [ .", "spans": {"Indicator: ora.studiolegalebasili [ .": [[10, 36]]}, "info": {"id": "cyner2_8class_test_00324", "source": "cyner2_8class_test"}} {"text": "A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised.", "spans": {"Organization: Incident Response and Malware Research teams": [[50, 94]], "Indicator: server was indeed compromised.": [[121, 151]]}, "info": {"id": "cyner2_8class_test_00325", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.Liondoor.90112 Backdoor.Win32.Liondoor!O Backdoor.Liondoor Win32.Backdoor.Liondoor.c Backdoor.Trojan Backdoor.Win32.Liondoor.240 Trojan.Win32.Liondoor.eszzel Backdoor.Win32.A.Liondoor.385024 Backdoor.W32.Liondoor!c Trojan.Proxy.336 Backdoor.Liondoor.Win32.133 W32/Trojan.LXWF-9335 Backdoor/Liondoor.af BDS/Liondoor.241 Trojan[Backdoor]/Win32.Liondoor Backdoor.Liondoor Backdoor.Win32.Liondoor.240 Backdoor/Win32.Hupigon.R16709 Backdoor.Liondoor Trj/CI.A Win32.Backdoor.Liondoor.Ajlp Trojan.Liondoor!FZGmJzoQPdI Backdoor.Win32.Liondoor W32/Liondoor.240!tr.bdr Win32/Backdoor.f9c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Liondoor.90112": [[26, 53]], "Indicator: Backdoor.Win32.Liondoor!O": [[54, 79]], "Indicator: Backdoor.Liondoor": [[80, 97], [390, 407], [466, 483]], "Indicator: Win32.Backdoor.Liondoor.c": [[98, 123]], "Indicator: Backdoor.Trojan": [[124, 139]], "Indicator: Backdoor.Win32.Liondoor.240": [[140, 167], [408, 435]], "Indicator: 
Trojan.Win32.Liondoor.eszzel": [[168, 196]], "Indicator: Backdoor.Win32.A.Liondoor.385024": [[197, 229]], "Indicator: Backdoor.W32.Liondoor!c": [[230, 253]], "Indicator: Trojan.Proxy.336": [[254, 270]], "Indicator: Backdoor.Liondoor.Win32.133": [[271, 298]], "Indicator: W32/Trojan.LXWF-9335": [[299, 319]], "Indicator: Backdoor/Liondoor.af": [[320, 340]], "Indicator: BDS/Liondoor.241": [[341, 357]], "Indicator: Trojan[Backdoor]/Win32.Liondoor": [[358, 389]], "Indicator: Backdoor/Win32.Hupigon.R16709": [[436, 465]], "Indicator: Trj/CI.A": [[484, 492]], "Indicator: Win32.Backdoor.Liondoor.Ajlp": [[493, 521]], "Indicator: Trojan.Liondoor!FZGmJzoQPdI": [[522, 549]], "Indicator: Backdoor.Win32.Liondoor": [[550, 573]], "Indicator: W32/Liondoor.240!tr.bdr": [[574, 597]], "Indicator: Win32/Backdoor.f9c": [[598, 616]]}, "info": {"id": "cyner2_8class_test_00326", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Scar.AG Trojan/W32.Scar.139264.AR Trojan.Win32.Scar!O Trojan.Scar.AG Win32.Trojan.VB.ac Trojan.Scar WORM_OTORUN.SM0 Trojan.Win32.Scar.lpco Trojan.Scar.AG Trojan.Win32.Scar.crgjex Trojan.Win32.Scar.128768 TrojWare.Win32.WBNA.THR Trojan.Scar.AG Trojan.MulDrop3.10901 Trojan.VB.Win32.69922 WORM_OTORUN.SM0 BehavesLike.Win32.VBObfus.cz Trojan.Win32.Sulunch Worm/WBNA.hgwu Trojan/Win32.Scar Troj.W32.Scar.toQM Trojan.Win32.Scar.lpco HEUR/Fakon.mwf Trojan.Scar Trojan.Scar.AG Trojan.Scar.AG Win32/VB.OGG W32/VB.QHS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FakeW7Folder.Fam.Trojan": [[26, 53]], "Indicator: Trojan.Scar.AG": [[54, 68], [115, 129], [200, 214], [289, 303], [516, 530], [531, 545]], "Indicator: Trojan/W32.Scar.139264.AR": [[69, 94]], "Indicator: Trojan.Win32.Scar!O": [[95, 114]], "Indicator: Win32.Trojan.VB.ac": [[130, 148]], "Indicator: Trojan.Scar": [[149, 160], [504, 515]], "Indicator: WORM_OTORUN.SM0": [[161, 176], [348, 363]], "Indicator: Trojan.Win32.Scar.lpco": [[177, 199], [466, 488]], 
"Indicator: Trojan.Win32.Scar.crgjex": [[215, 239]], "Indicator: Trojan.Win32.Scar.128768": [[240, 264]], "Indicator: TrojWare.Win32.WBNA.THR": [[265, 288]], "Indicator: Trojan.MulDrop3.10901": [[304, 325]], "Indicator: Trojan.VB.Win32.69922": [[326, 347]], "Indicator: BehavesLike.Win32.VBObfus.cz": [[364, 392]], "Indicator: Trojan.Win32.Sulunch": [[393, 413]], "Indicator: Worm/WBNA.hgwu": [[414, 428]], "Indicator: Trojan/Win32.Scar": [[429, 446]], "Indicator: Troj.W32.Scar.toQM": [[447, 465]], "Indicator: HEUR/Fakon.mwf": [[489, 503]], "Indicator: Win32/VB.OGG": [[546, 558]], "Indicator: W32/VB.QHS!tr": [[559, 572]]}, "info": {"id": "cyner2_8class_test_00327", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Constructor.Macro.Moothie.B Constructor.Moothie Win32.Trojan.WisdomEyes.16070401.9500.9657 W32/Trojan.BEVX Constructor.Win32.Moothie.b Trojan.Constructor.Macro.Moothie.B Riskware.Win32.Moothie.hptn Constructor.Macro.Moothie.B Trojan.Constructor.Macro.Moothie.B VirusConstructor.Mvc Tool.Moothie.Win32.6 TROJ_MOOTHIE.B BehavesLike.Win32.Virus.jz W32/Trojan.SAMQ-1725 Constructor.Macro.Moothie.b KIT/Mac.Moothie.B W32/HMVC.A!tr HackTool[Constructor]/Win32.Moothie Trojan.Constructor.Macro.Moothie.B Constructor.W32.Moothie!c Constructor.Win32.Moothie.b Constructor:W97M/Moothie.B Trojan.Constructor.Macro.Moothie.B Trojan.Constructor.Macro.Moothie.B Win32.Trojan.Moothie.Lkmz Constructor.Moothie!khF/Jv27CA8 Trojan.Constructor.Macro.Moothie.B Constructor.Moothie Win32/Constructor.d3d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Constructor.Macro.Moothie.B": [[26, 60], [168, 202], [259, 293], [495, 529], [611, 645], [646, 680], [739, 773]], "Indicator: Constructor.Moothie": [[61, 80], [774, 793]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9657": [[81, 123]], "Indicator: W32/Trojan.BEVX": [[124, 139]], "Indicator: Constructor.Win32.Moothie.b": [[140, 167], [556, 583]], "Indicator: Riskware.Win32.Moothie.hptn": [[203, 
230]], "Indicator: Constructor.Macro.Moothie.B": [[231, 258]], "Indicator: VirusConstructor.Mvc": [[294, 314]], "Indicator: Tool.Moothie.Win32.6": [[315, 335]], "Indicator: TROJ_MOOTHIE.B": [[336, 350]], "Indicator: BehavesLike.Win32.Virus.jz": [[351, 377]], "Indicator: W32/Trojan.SAMQ-1725": [[378, 398]], "Indicator: Constructor.Macro.Moothie.b": [[399, 426]], "Indicator: KIT/Mac.Moothie.B": [[427, 444]], "Indicator: W32/HMVC.A!tr": [[445, 458]], "Indicator: HackTool[Constructor]/Win32.Moothie": [[459, 494]], "Indicator: Constructor.W32.Moothie!c": [[530, 555]], "Indicator: Constructor:W97M/Moothie.B": [[584, 610]], "Indicator: Win32.Trojan.Moothie.Lkmz": [[681, 706]], "Indicator: Constructor.Moothie!khF/Jv27CA8": [[707, 738]], "Indicator: Win32/Constructor.d3d": [[794, 815]]}, "info": {"id": "cyner2_8class_test_00328", "source": "cyner2_8class_test"}} {"text": "Device information : EventBot queries for device information like OS , model , etc , and also sends that to the C2 .", "spans": {"Malware: EventBot": [[21, 29]]}, "info": {"id": "cyner2_8class_test_00329", "source": "cyner2_8class_test"}} {"text": "We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.", "spans": {"Location: Russia": [[113, 119]], "Location: Ukraine": [[124, 131]], "Malware: new threats": [[156, 167]], "Location: regions.": [[177, 185]]}, "info": {"id": "cyner2_8class_test_00330", "source": "cyner2_8class_test"}} {"text": "They also left traces showing that their operations were active as recently as March, raising the possibility that the online spying continues today.", "spans": {"Date: March,": [[79, 85]], "Indicator: spying": [[126, 132]], "Date: today.": [[143, 149]]}, "info": {"id": "cyner2_8class_test_00331", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Symmi.DA390 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Milicenso 
Trojan.Win32.Kryptik.diiygp Trojan.Win32.Z.Symmi.1347536 Trojan.DownLoader7.14920 BehavesLike.Win32.Dropper.tm TR/Drop.Vundo.AB.98 TrojanDropper:Win32/Vundo.AB Win32/Trojan.4ba", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.DA390": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Trojan.Milicenso": [[88, 104]], "Indicator: Trojan.Win32.Kryptik.diiygp": [[105, 132]], "Indicator: Trojan.Win32.Z.Symmi.1347536": [[133, 161]], "Indicator: Trojan.DownLoader7.14920": [[162, 186]], "Indicator: BehavesLike.Win32.Dropper.tm": [[187, 215]], "Indicator: TR/Drop.Vundo.AB.98": [[216, 235]], "Indicator: TrojanDropper:Win32/Vundo.AB": [[236, 264]], "Indicator: Win32/Trojan.4ba": [[265, 281]]}, "info": {"id": "cyner2_8class_test_00332", "source": "cyner2_8class_test"}} {"text": "Qbot, also known as Qakbot, is a network-aware worm with backdoor capabilities, primarily designed as a credential harvester.", "spans": {"Malware: Qbot,": [[0, 5]], "Malware: Qakbot,": [[20, 27]], "Malware: network-aware worm": [[33, 51]], "Malware: backdoor": [[57, 65]], "Indicator: credential harvester.": [[104, 125]]}, "info": {"id": "cyner2_8class_test_00333", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Dropper.SSX Trojan.Killav Trojan.Dropper Win.Trojan.Onlinegames-2466 Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Win32.OnLineGames.csxlu BackDoor.Drat.131 BehavesLike.Win32.HLLPPhilis.gh Backdoor/Huigezi.eop Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Delf!DY4HT/zU/wg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.SSX": [[26, 44], [102, 120], [121, 139], [242, 260], [261, 279], [280, 298]], "Indicator: Trojan.Killav": [[45, 58]], "Indicator: Trojan.Dropper": [[59, 73]], "Indicator: Win.Trojan.Onlinegames-2466": [[74, 101]], "Indicator: Trojan.Win32.OnLineGames.csxlu": [[140, 170]], "Indicator: BackDoor.Drat.131": [[171, 188]], "Indicator: 
BehavesLike.Win32.HLLPPhilis.gh": [[189, 220]], "Indicator: Backdoor/Huigezi.eop": [[221, 241]], "Indicator: Trojan.Delf!DY4HT/zU/wg": [[299, 322]]}, "info": {"id": "cyner2_8class_test_00334", "source": "cyner2_8class_test"}} {"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services .", "spans": {"Malware: Gooligan-infected": [[0, 17]]}, "info": {"id": "cyner2_8class_test_00335", "source": "cyner2_8class_test"}} {"text": "Initially some particular words from the decompiled classes.dex of Exodus Two sent us in the right direction .", "spans": {"Indicator: classes.dex": [[52, 63]], "Malware: Exodus": [[67, 73]]}, "info": {"id": "cyner2_8class_test_00336", "source": "cyner2_8class_test"}} {"text": "Back in February 2014, ESET researchers wrote a blog post about an OpenSSH backdoor and credential stealer called Linux/Ebury.", "spans": {"Date: February 2014,": [[8, 22]], "Organization: ESET researchers": [[23, 39]], "Malware: OpenSSH backdoor": [[67, 83]], "Malware: credential stealer": [[88, 106]], "Malware: Linux/Ebury.": [[114, 126]]}, "info": {"id": "cyner2_8class_test_00337", "source": "cyner2_8class_test"}} {"text": "Since then, we have had time to digest and dissect the propagating malware and share our findings with you.", "spans": {}, "info": {"id": "cyner2_8class_test_00338", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Trojan.FRWF-9180 BehavesLike.Win32.Ransom.mc Trojan-Downloader.BAT.Ftper TR/Dldr.Ftper.gfdbs Trojan/Win32.VB.gic Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.FRWF-9180": [[26, 46]], "Indicator: BehavesLike.Win32.Ransom.mc": [[47, 74]], "Indicator: Trojan-Downloader.BAT.Ftper": [[75, 102]], "Indicator: TR/Dldr.Ftper.gfdbs": [[103, 122]], "Indicator: Trojan/Win32.VB.gic": [[123, 142]], "Indicator: Trj/CI.A": [[143, 151]]}, "info": {"id": "cyner2_8class_test_00339", 
"source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.Win32.VirRansom.A Trojan.DownLoad4.385 BehavesLike.Win32.RAHack.vc Trojan.Win32.Injector W32/Trojan.TYLA-7339 Trojan.Heur.GZ.EE99E1 Trj/CI.A Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[48, 90]], "Indicator: TrojWare.Win32.VirRansom.A": [[91, 117]], "Indicator: Trojan.DownLoad4.385": [[118, 138]], "Indicator: BehavesLike.Win32.RAHack.vc": [[139, 166]], "Indicator: Trojan.Win32.Injector": [[167, 188]], "Indicator: W32/Trojan.TYLA-7339": [[189, 209]], "Indicator: Trojan.Heur.GZ.EE99E1": [[210, 231]], "Indicator: Trj/CI.A": [[232, 240]], "Indicator: Win32/Trojan.e6d": [[241, 257]]}, "info": {"id": "cyner2_8class_test_00340", "source": "cyner2_8class_test"}} {"text": "The router rebooted every 15 to 20 minutes.", "spans": {"System: The router": [[0, 10]], "Indicator: rebooted every 15 to 20 minutes.": [[11, 43]]}, "info": {"id": "cyner2_8class_test_00341", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Symmi.DB912 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.OIII-5864 Backdoor.Trojan Trojan.DownLoader23.39450 BehavesLike.Win32.PWSZbot.lm TR/Downloader.udrmo Trojan/Win32.Unknown Malware-Cryptor.InstallCore.7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Symmi.DB912": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: W32/Trojan.OIII-5864": [[88, 108]], "Indicator: Backdoor.Trojan": [[109, 124]], "Indicator: Trojan.DownLoader23.39450": [[125, 150]], "Indicator: BehavesLike.Win32.PWSZbot.lm": [[151, 179]], "Indicator: TR/Downloader.udrmo": [[180, 199]], "Indicator: Trojan/Win32.Unknown": [[200, 220]], "Indicator: Malware-Cryptor.InstallCore.7": [[221, 250]]}, "info": {"id": "cyner2_8class_test_00342", "source": 
"cyner2_8class_test"}} {"text": "Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites.", "spans": {"Organization: Forcepoint Security Labs™": [[0, 25]], "ThreatActor: malicious reconnaissance campaign": [[40, 73]], "Indicator: websites.": [[87, 96]]}, "info": {"id": "cyner2_8class_test_00343", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.Win32.TrojanDownloader.Onkods.Q DLOADER.Trojan Worm:Win32/Skypoot.A BScope.Trojan.IRCbot", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: TrojWare.Win32.TrojanDownloader.Onkods.Q": [[69, 109]], "Indicator: DLOADER.Trojan": [[110, 124]], "Indicator: Worm:Win32/Skypoot.A": [[125, 145]], "Indicator: BScope.Trojan.IRCbot": [[146, 166]]}, "info": {"id": "cyner2_8class_test_00344", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.GamarueInjector.Trojan Worm/W32.WBNA.3906752 Trojan.Win32.VBKrypt!O Worm.Gamarue.S145097 Trojan.Injector.Win32.141998 Trojan/VBKrypt.nrap Trojan.Symmi.D13A6C Win32.Trojan.Inject.bh Downloader.Dromedan Win32/Gamarue.eBPZLT TSPY_VBKRYPT_BK08455D.TOMC Worm.Win32.WBNA.bsoy Trojan.Win32.VBKrypt.cmxrxa TrojWare.Win32.Injector.XFR BackDoor.Andromeda.22 TSPY_VBKRYPT_BK08455D.TOMC Trojan/VBKrypt.hdpu Trojan/Win32.VBKrypt Worm:Win32/Gamarue.I W32.W.WBNA.tnqm Worm.Win32.WBNA.bsoy Trojan/Win32.Injector.R37109 BScope.Trojan-Spy.Zbot Trojan.VBCrypt Trojan.Injector.XFR Worm.WBNA!5uxrHkVli7M Worm.Win32.Gamarue W32/VBKrypt.MBW!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.GamarueInjector.Trojan": [[26, 52]], "Indicator: Worm/W32.WBNA.3906752": [[53, 74]], "Indicator: Trojan.Win32.VBKrypt!O": [[75, 97]], "Indicator: Worm.Gamarue.S145097": [[98, 118]], "Indicator: Trojan.Injector.Win32.141998": [[119, 147]], "Indicator: Trojan/VBKrypt.nrap": [[148, 167]], "Indicator: Trojan.Symmi.D13A6C": [[168, 
187]], "Indicator: Win32.Trojan.Inject.bh": [[188, 210]], "Indicator: Downloader.Dromedan": [[211, 230]], "Indicator: Win32/Gamarue.eBPZLT": [[231, 251]], "Indicator: TSPY_VBKRYPT_BK08455D.TOMC": [[252, 278], [378, 404]], "Indicator: Worm.Win32.WBNA.bsoy": [[279, 299], [483, 503]], "Indicator: Trojan.Win32.VBKrypt.cmxrxa": [[300, 327]], "Indicator: TrojWare.Win32.Injector.XFR": [[328, 355]], "Indicator: BackDoor.Andromeda.22": [[356, 377]], "Indicator: Trojan/VBKrypt.hdpu": [[405, 424]], "Indicator: Trojan/Win32.VBKrypt": [[425, 445]], "Indicator: Worm:Win32/Gamarue.I": [[446, 466]], "Indicator: W32.W.WBNA.tnqm": [[467, 482]], "Indicator: Trojan/Win32.Injector.R37109": [[504, 532]], "Indicator: BScope.Trojan-Spy.Zbot": [[533, 555]], "Indicator: Trojan.VBCrypt": [[556, 570]], "Indicator: Trojan.Injector.XFR": [[571, 590]], "Indicator: Worm.WBNA!5uxrHkVli7M": [[591, 612]], "Indicator: Worm.Win32.Gamarue": [[613, 631]], "Indicator: W32/VBKrypt.MBW!tr": [[632, 650]]}, "info": {"id": "cyner2_8class_test_00345", "source": "cyner2_8class_test"}} {"text": "The class “ org.starsizew.Ac ” is designed for this purpose ; its only task is to check if the main service is running , and restart the main service if the answer is no .", "spans": {"Indicator: org.starsizew.Ac": [[12, 28]]}, "info": {"id": "cyner2_8class_test_00346", "source": "cyner2_8class_test"}} {"text": "Following a month-long hiatus after a number of arrests, and despite a recent reported takedown, Dridex actors appear to have taken the recent disruptions as a challenge to bounce back better than ever.", "spans": {"Date: month-long": [[12, 22]], "ThreatActor: Dridex actors": [[97, 110]]}, "info": {"id": "cyner2_8class_test_00347", "source": "cyner2_8class_test"}} {"text": "The C & C server then responds with a configuration file , containing the personal identification number for the device and some settings — the time interval between contacting the server , the list of modules to be installed and so on .", 
"spans": {}, "info": {"id": "cyner2_8class_test_00348", "source": "cyner2_8class_test"}} {"text": "More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable.", "spans": {"Indicator: destroy data": [[54, 66]], "Indicator: render infected systems unusable.": [[74, 107]]}, "info": {"id": "cyner2_8class_test_00349", "source": "cyner2_8class_test"}} {"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 3CE30F5FED4C67053379518EACFCF879 The parent process ’ s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll , kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory .", "spans": {"Indicator: D0C4DBFA1F3962AED583F6FCE666F8BC": [[180, 212]], "Indicator: 3CE30F5FED4C67053379518EACFCF879": [[216, 248]], "Indicator: ntdll.dll": [[438, 447]], "Indicator: kernel32.dll": [[450, 462]], "Indicator: advapi32.dll": [[465, 477]], "Indicator: version.dll": [[484, 495]]}, "info": {"id": "cyner2_8class_test_00350", "source": "cyner2_8class_test"}} {"text": "nis : The su application used to execute shell commands with root privileges .", "spans": {}, "info": {"id": "cyner2_8class_test_00351", "source": "cyner2_8class_test"}} {"text": "Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.", "spans": {"Indicator: attacking": [[11, 20]], "Indicator: attacks": [[32, 39]], "Indicator: Wi-Fi network": [[44, 57]], "System: wireless router": [[107, 122]], "System: network.": [[139, 147]]}, "info": {"id": "cyner2_8class_test_00352", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Blocker!O 
Trojan.Blocker.Win32.9993 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Trojan-Ransom.Win32.Blocker.azqp Trojan.Win32.Blocker.bxpndh W32.W.Luder.lUDu Trojan.Inject1.11547 Trojan[Ransom]/Win32.Blocker TrojanDownloader:Win32/Gippers.A Trojan-Ransom.Win32.Blocker.azqp Trojan/Win32.Blocker.R78431 Hoax.Blocker Trojan-ransom.Win32.Blocker.cgth Trojan.Blocker!jkFHGuClN9Y", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Ransom.Win32.Blocker!O": [[26, 55]], "Indicator: Trojan.Blocker.Win32.9993": [[56, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[82, 124]], "Indicator: Trojan.Dropper": [[125, 139]], "Indicator: Trojan-Ransom.Win32.Blocker.azqp": [[140, 172], [301, 333]], "Indicator: Trojan.Win32.Blocker.bxpndh": [[173, 200]], "Indicator: W32.W.Luder.lUDu": [[201, 217]], "Indicator: Trojan.Inject1.11547": [[218, 238]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[239, 267]], "Indicator: TrojanDownloader:Win32/Gippers.A": [[268, 300]], "Indicator: Trojan/Win32.Blocker.R78431": [[334, 361]], "Indicator: Hoax.Blocker": [[362, 374]], "Indicator: Trojan-ransom.Win32.Blocker.cgth": [[375, 407]], "Indicator: Trojan.Blocker!jkFHGuClN9Y": [[408, 434]]}, "info": {"id": "cyner2_8class_test_00353", "source": "cyner2_8class_test"}} {"text": "The app requesting the installation is passed off as a Manage Settings' app.", "spans": {"System: app": [[4, 7]], "Indicator: Manage Settings' app.": [[55, 76]]}, "info": {"id": "cyner2_8class_test_00354", "source": "cyner2_8class_test"}} {"text": "It emerged in 2010, transferred by removable drives within infected executables and HTML files.", "spans": {"Date: 2010,": [[14, 19]], "System: removable drives": [[35, 51]], "Indicator: infected executables": [[59, 79]], "Indicator: HTML files.": [[84, 95]]}, "info": {"id": "cyner2_8class_test_00355", "source": "cyner2_8class_test"}} {"text": "EventBot screen lock with support for Samsung devices A new method to handle screen lock with support for Samsung 
devices .", "spans": {"Malware: EventBot": [[0, 8]], "Organization: Samsung": [[38, 45], [106, 113]]}, "info": {"id": "cyner2_8class_test_00356", "source": "cyner2_8class_test"}} {"text": "The spam emails attempt to install the pervasive Andromeda malware onto victim machines.", "spans": {"Indicator: spam emails": [[4, 15]], "Malware: Andromeda malware": [[49, 66]], "System: victim machines.": [[72, 88]]}, "info": {"id": "cyner2_8class_test_00357", "source": "cyner2_8class_test"}} {"text": "The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.", "spans": {"ThreatActor: attackers": [[4, 13]], "Malware: Windows exploit": [[38, 53]], "Vulnerability: without authenticating.": [[91, 114]]}, "info": {"id": "cyner2_8class_test_00358", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Android.Trojan.GingerMaster.gOJG Android.GingerMaster.N Android.Trojan.GingerMaster.gOJG Android.Trojan.GingerMaster.gOJG HEUR:Backdoor.AndroidOS.GinMaster.a A.H.Pri.Hippo.AG Trojan.Android.GinMaster.dkfsfi Android.Trojan.GingerMaster.gOJG Android.Trojan.GingerMaster.gOJG Android.DownLoader.92.origin Android.Trojan.GingerMaster.gOJG Android-Trojan/GinMaster.8982 Trojan.AndroidOS.GinMaster Android/G2M.LN.6C72B89F5841", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Trojan.GingerMaster.gOJG": [[26, 58], [82, 114], [115, 147], [233, 265], [266, 298], [328, 360]], "Indicator: Android.GingerMaster.N": [[59, 81]], "Indicator: HEUR:Backdoor.AndroidOS.GinMaster.a": [[148, 183]], "Indicator: A.H.Pri.Hippo.AG": [[184, 200]], "Indicator: Trojan.Android.GinMaster.dkfsfi": [[201, 232]], "Indicator: Android.DownLoader.92.origin": [[299, 327]], "Indicator: Android-Trojan/GinMaster.8982": [[361, 390]], "Indicator: Trojan.AndroidOS.GinMaster": [[391, 417]], "Indicator: Android/G2M.LN.6C72B89F5841": [[418, 445]]}, "info": {"id": "cyner2_8class_test_00359", "source": "cyner2_8class_test"}} {"text": "In this case , “ 
Agent Smith ” is being used to for financial gain through the use of malicious advertisements .", "spans": {"Malware: Agent Smith": [[17, 28]]}, "info": {"id": "cyner2_8class_test_00360", "source": "cyner2_8class_test"}} {"text": "However , the actual text would often only display a basic welcome message .", "spans": {}, "info": {"id": "cyner2_8class_test_00361", "source": "cyner2_8class_test"}} {"text": "Google officials removed the malicious apps from the Play market after receiving a private report of their existence .", "spans": {"Organization: Google": [[0, 6]], "System: Play market": [[53, 64]]}, "info": {"id": "cyner2_8class_test_00362", "source": "cyner2_8class_test"}} {"text": "This kind of persistence has made it difficult for security vendors to detect the malware.", "spans": {"Organization: security vendors": [[51, 67]], "Malware: malware.": [[82, 90]]}, "info": {"id": "cyner2_8class_test_00363", "source": "cyner2_8class_test"}} {"text": "The second type of apps reveals an evolution in the author 's tactics .", "spans": {}, "info": {"id": "cyner2_8class_test_00364", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Application.Hacktool.JQ Trojan/W32.HackTool.217088.G Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9995 W64/WinCred.A Win.Tool.Wincred-6333920-0 HackTool.Win64.WinCred.l Application.Hacktool.JQ Application.Hacktool.JQ Application.Hacktool.JQ Tool.WinCred.4 HackTool.Win64 W64/WinCred.A Application.Hacktool.JQ HackTool.Win64.WinCred.l HackTool:Win32/Wincred.H Application.Hacktool.JQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.JQ": [[26, 49], [208, 231], [232, 255], [256, 279], [324, 347], [398, 421]], "Indicator: Trojan/W32.HackTool.217088.G": [[50, 78]], "Indicator: Trojan.Mauvaise.SL1": [[79, 98]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[99, 141]], "Indicator: W64/WinCred.A": [[142, 155], [310, 323]], "Indicator: Win.Tool.Wincred-6333920-0": [[156, 182]], 
"Indicator: HackTool.Win64.WinCred.l": [[183, 207], [348, 372]], "Indicator: Tool.WinCred.4": [[280, 294]], "Indicator: HackTool.Win64": [[295, 309]], "Indicator: HackTool:Win32/Wincred.H": [[373, 397]]}, "info": {"id": "cyner2_8class_test_00365", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9927 PWS:Win32/Stimilina.D!bit Trojan.Graftor.D63AB9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9927": [[26, 68]], "Indicator: PWS:Win32/Stimilina.D!bit": [[69, 94]], "Indicator: Trojan.Graftor.D63AB9": [[95, 116]]}, "info": {"id": "cyner2_8class_test_00366", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.NotFunNY.Worm Trojan.Win32.TDSS!O Trojan.VBCrypt.MF.91 Trojan.TDSS.Win32.10599 Trojan/TDSS.brqg Trojan.Razy.DA584 TSPY_TEBTAIR_BH0100C2.TOMC Win32.Trojan.VB.hy Win32/Scar.AAI TSPY_TEBTAIR_BH0100C2.TOMC Win.Trojan.VB-1373 Trojan.Win32.TDSS.brqg Trojan.Win32.TDSS.dxocff Trojan.Win32.A.Tdss.58062 Troj.W32.TDSS.mcnb TrojWare.Win32.Tdss.ht BackDoor.Tdss.5794 BehavesLike.Win32.VBObfus.dt Trojan.Win32.Tdss Trojan/Tdss.vun Trojan:Win32/Tebtair.A Trojan/Win32.TDSS Trojan:Win32/Tebtair.A Trojan.Win32.TDSS.brqg Trojan/Win32.Scar.R9677 Trojan.VBRA.05364 Trojan.VB!cacUcnNEbXs", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.NotFunNY.Worm": [[26, 43]], "Indicator: Trojan.Win32.TDSS!O": [[44, 63]], "Indicator: Trojan.VBCrypt.MF.91": [[64, 84]], "Indicator: Trojan.TDSS.Win32.10599": [[85, 108]], "Indicator: Trojan/TDSS.brqg": [[109, 125]], "Indicator: Trojan.Razy.DA584": [[126, 143]], "Indicator: TSPY_TEBTAIR_BH0100C2.TOMC": [[144, 170], [205, 231]], "Indicator: Win32.Trojan.VB.hy": [[171, 189]], "Indicator: Win32/Scar.AAI": [[190, 204]], "Indicator: Win.Trojan.VB-1373": [[232, 250]], "Indicator: Trojan.Win32.TDSS.brqg": [[251, 273], [513, 535]], "Indicator: Trojan.Win32.TDSS.dxocff": [[274, 298]], "Indicator: Trojan.Win32.A.Tdss.58062": [[299, 
324]], "Indicator: Troj.W32.TDSS.mcnb": [[325, 343]], "Indicator: TrojWare.Win32.Tdss.ht": [[344, 366]], "Indicator: BackDoor.Tdss.5794": [[367, 385]], "Indicator: BehavesLike.Win32.VBObfus.dt": [[386, 414]], "Indicator: Trojan.Win32.Tdss": [[415, 432]], "Indicator: Trojan/Tdss.vun": [[433, 448]], "Indicator: Trojan:Win32/Tebtair.A": [[449, 471], [490, 512]], "Indicator: Trojan/Win32.TDSS": [[472, 489]], "Indicator: Trojan/Win32.Scar.R9677": [[536, 559]], "Indicator: Trojan.VBRA.05364": [[560, 577]], "Indicator: Trojan.VB!cacUcnNEbXs": [[578, 599]]}, "info": {"id": "cyner2_8class_test_00367", "source": "cyner2_8class_test"}} {"text": "The German Bundesamt für Verfassungsschutz BfV and the National Intelligence Service of the Republic of Korea NIS issue the following JointCyber Security Advisory to raise awareness of KIMSUKY's a.k.a. Thallium, Velvet Chollima, etc. cyber campaigns against Google's browser and app store services targeting experts on the Korean Peninsula and North Korea issues.", "spans": {"Organization: The German Bundesamt für Verfassungsschutz BfV": [[0, 47]], "Organization: the National Intelligence Service of the Republic of Korea NIS": [[52, 114]], "Organization: JointCyber Security Advisory": [[135, 163]], "ThreatActor: KIMSUKY's": [[186, 195]], "ThreatActor: Thallium, Velvet Chollima,": [[203, 229]], "ThreatActor: cyber campaigns": [[235, 250]], "System: Google's browser": [[259, 275]], "System: app store services": [[280, 298]], "Organization: experts": [[309, 316]], "Location: the Korean Peninsula": [[320, 340]], "Location: North Korea issues.": [[345, 364]]}, "info": {"id": "cyner2_8class_test_00368", "source": "cyner2_8class_test"}} {"text": "Such notifications would be received by the MiHome app or any other , such as HenBox , so long as they register their intent to do so .", "spans": {"System: MiHome": [[44, 50]], "Malware: HenBox": [[78, 84]]}, "info": {"id": "cyner2_8class_test_00369", "source": "cyner2_8class_test"}} {"text": "We 
recently found 200 unique Android apps—with installs ranging between 500,000 and a million on Google Play—embedded with a backdoor: MilkyDoor detected by Trend Micro as ANDROIDOS_MILKYDOOR.A.", "spans": {"System: Android apps—with": [[29, 46]], "System: Google Play—embedded": [[97, 117]], "Malware: backdoor: MilkyDoor": [[125, 144]], "Organization: Trend Micro": [[157, 168]], "Indicator: ANDROIDOS_MILKYDOOR.A.": [[172, 194]]}, "info": {"id": "cyner2_8class_test_00370", "source": "cyner2_8class_test"}} {"text": "These are not technically sophisticated attackers.", "spans": {"ThreatActor: attackers.": [[40, 50]]}, "info": {"id": "cyner2_8class_test_00371", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Kovter.d Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/VB.GANE-7543 Ransom_CRYPSHED.SMV Trojan.Win32.Fsysna.dkgh Trojan.Win32.Encoder.edublg Trojan.Encoder.858 Ransom_CRYPSHED.SMV W32/VB.DZF Trojan.Fsysna.duh Trojan/Win32.Fsysna Trojan.Win32.Fsysna.dkgh Trojan/Win32.Inject.R183706 Trojan.Fsysna W32/Injector.DHGK!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Kovter.d": [[26, 41]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: W32/VB.GANE-7543": [[85, 101]], "Indicator: Ransom_CRYPSHED.SMV": [[102, 121], [194, 213]], "Indicator: Trojan.Win32.Fsysna.dkgh": [[122, 146], [263, 287]], "Indicator: Trojan.Win32.Encoder.edublg": [[147, 174]], "Indicator: Trojan.Encoder.858": [[175, 193]], "Indicator: W32/VB.DZF": [[214, 224]], "Indicator: Trojan.Fsysna.duh": [[225, 242]], "Indicator: Trojan/Win32.Fsysna": [[243, 262]], "Indicator: Trojan/Win32.Inject.R183706": [[288, 315]], "Indicator: Trojan.Fsysna": [[316, 329]], "Indicator: W32/Injector.DHGK!tr": [[330, 350]]}, "info": {"id": "cyner2_8class_test_00372", "source": "cyner2_8class_test"}} {"text": "The user simply needs to text a prescribed keyword to a prescribed number ( shortcode ) .", "spans": {}, "info": {"id": "cyner2_8class_test_00373", 
"source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Zebro BehavesLike.Win32.PWSZbot.cc Trojan/Menti.ckw Trojan.Zeus.EA.0999", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[65, 107]], "Indicator: Trojan.Zebro": [[108, 120]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[121, 149]], "Indicator: Trojan/Menti.ckw": [[150, 166]], "Indicator: Trojan.Zeus.EA.0999": [[167, 186]]}, "info": {"id": "cyner2_8class_test_00374", "source": "cyner2_8class_test"}} {"text": "At peak times of activity , we have seen up to 23 different apps from this family submitted to Play in one day .", "spans": {"System: Play": [[95, 99]]}, "info": {"id": "cyner2_8class_test_00375", "source": "cyner2_8class_test"}} {"text": "Additionally, the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States.", "spans": {"Organization: organizations": [[27, 40], [97, 110]], "ThreatActor: group": [[58, 63]], "Location: Saudi Arabia,": [[118, 131]], "Organization: company": [[143, 150]], "Location: Qatar": [[154, 159]], "Organization: government organizations": [[164, 188]], "Location: Turkey, Israel": [[192, 206]], "Location: the United States.": [[211, 229]]}, "info": {"id": "cyner2_8class_test_00376", "source": "cyner2_8class_test"}} {"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {"System: Umbrella": [[0, 8]]}, "info": {"id": "cyner2_8class_test_00377", "source": "cyner2_8class_test"}} {"text": "'' This class will open a WebView with a Google-themed page asking for 
payment in order to use the Google services .", "spans": {"Organization: Google-themed": [[41, 54]], "Organization: Google": [[99, 105]]}, "info": {"id": "cyner2_8class_test_00378", "source": "cyner2_8class_test"}} {"text": "It will use either a standard web request or it will write data into a web socket if the first method fails .", "spans": {}, "info": {"id": "cyner2_8class_test_00379", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Injector.Win32.428391 Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Win32.Tepfer.ehzjly Trojan.PWS.Stealer.1932 Trojan.Foreign.btf Trojan[Ransom]/Win32.Foreign Trojan.Graftor.D4C46E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.Win32.428391": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[55, 97]], "Indicator: Trojan.Win32.Tepfer.ehzjly": [[98, 124]], "Indicator: Trojan.PWS.Stealer.1932": [[125, 148]], "Indicator: Trojan.Foreign.btf": [[149, 167]], "Indicator: Trojan[Ransom]/Win32.Foreign": [[168, 196]], "Indicator: Trojan.Graftor.D4C46E": [[197, 218]]}, "info": {"id": "cyner2_8class_test_00380", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Netres.b.n8 Trojan.Win32.Netres.enie W32.Netres WORM_NETRES.B Worm.Win32.Netres.b Worm.Netres!bl6FeOelVl8 PE:Worm.Netres.b!1073822833 Worm.Netres.B Win32.HLLW.NetRes WORM_NETRES.B W32/Risk.WEVS-2872 Worm/Netres.b Worm/Netres.B Worm/Win32.Netres Worm.Netres.b.kcloud Worm:Win32/Netres.B Win32/Netres.worm.380928 Worm.Netres Worm.Win32.Netres.AI Netres.B Worm.Win32.Netres Worm/Netres.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Netres.b.n8": [[26, 42]], "Indicator: Trojan.Win32.Netres.enie": [[43, 67]], "Indicator: W32.Netres": [[68, 78]], "Indicator: WORM_NETRES.B": [[79, 92], [197, 210]], "Indicator: Worm.Win32.Netres.b": [[93, 112]], "Indicator: Worm.Netres!bl6FeOelVl8": [[113, 136]], "Indicator: PE:Worm.Netres.b!1073822833": [[137, 164]], "Indicator: Worm.Netres.B": 
[[165, 178]], "Indicator: Win32.HLLW.NetRes": [[179, 196]], "Indicator: W32/Risk.WEVS-2872": [[211, 229]], "Indicator: Worm/Netres.b": [[230, 243]], "Indicator: Worm/Netres.B": [[244, 257], [402, 415]], "Indicator: Worm/Win32.Netres": [[258, 275]], "Indicator: Worm.Netres.b.kcloud": [[276, 296]], "Indicator: Worm:Win32/Netres.B": [[297, 316]], "Indicator: Win32/Netres.worm.380928": [[317, 341]], "Indicator: Worm.Netres": [[342, 353]], "Indicator: Worm.Win32.Netres.AI": [[354, 374]], "Indicator: Netres.B": [[375, 383]], "Indicator: Worm.Win32.Netres": [[384, 401]]}, "info": {"id": "cyner2_8class_test_00381", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trj/Katien.E W32/Katien.AB Trojan.Tsunami.B Backdoor.Win32.Katien.d Backdoor.Katien.D Backdoor.Win32.Katien.d BDS/Katien.D.1 BKDR_KATIEN.D Backdoor:Win32/Katien.D Backdoor.Katien.d Backdoor.Win32.Katien.d BackDoor.Katien.L Win-Trojan/Katien.49207.B Backdoor.Win32.Katien.d Backdoor.IRCBot Backdoor.Katien.p Backdoor.Win32.Katien.d W32/Katien.D!tr Win32/Katien.D Trj/Katien.E Trojan.Backdoor.Katien.D.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trj/Katien.E": [[26, 38], [388, 400]], "Indicator: W32/Katien.AB": [[39, 52]], "Indicator: Trojan.Tsunami.B": [[53, 69]], "Indicator: Backdoor.Win32.Katien.d": [[70, 93], [112, 135], [207, 230], [275, 298], [333, 356]], "Indicator: Backdoor.Katien.D": [[94, 111]], "Indicator: BDS/Katien.D.1": [[136, 150]], "Indicator: BKDR_KATIEN.D": [[151, 164]], "Indicator: Backdoor:Win32/Katien.D": [[165, 188]], "Indicator: Backdoor.Katien.d": [[189, 206]], "Indicator: BackDoor.Katien.L": [[231, 248]], "Indicator: Win-Trojan/Katien.49207.B": [[249, 274]], "Indicator: Backdoor.IRCBot": [[299, 314]], "Indicator: Backdoor.Katien.p": [[315, 332]], "Indicator: W32/Katien.D!tr": [[357, 372]], "Indicator: Win32/Katien.D": [[373, 387]], "Indicator: Trojan.Backdoor.Katien.D.1": [[401, 427]]}, "info": {"id": "cyner2_8class_test_00382", "source": "cyner2_8class_test"}} 
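The records on this page share one shape: a sentence in `text`, a `spans` map whose keys are `Type: surface form` and whose values are lists of `[start, end]` character offsets into `text`, and an `info` block with the record `id` and `source` (`cyner2_8class_test`). Because the extraction has broken records across lines, the offsets are the part most easily corrupted, and nothing in the dump itself tells you whether a span still points at its surface form. The following is an added example, not part of the corpus or of any tooling that produced it: it re-parses concatenated records (whitespace and line breaks between JSON tokens are tolerated), flags every span whose offsets no longer reproduce the surface form, lists entities in text order, and tallies `Indicator` detection names by a heuristic family token. The three sample records, the `family_token` heuristic and its prefix noise list are my own constructions; the third sample is deliberately damaged by one character to show what a broken offset looks like.

```python
"""Validate and summarise span-annotated NER records of the shape used on this page."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample (not taken from the page): three records in the same shape.
# demo_3 is deliberately damaged: "Google Play" starts at offset 34, not 33.
SAMPLE = """
{"text": "A backdoor also known as: Trojan.Zebro Trojan/Menti.ckw", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zebro": [[26, 38]], "Indicator: Trojan/Menti.ckw": [[39, 55]]}, "info": {"id": "demo_1", "source": "demo"}}
{"text": "Umbrella blocks users from connecting to malicious domains .", "spans": {"System: Umbrella": [[0, 8]]}, "info": {"id": "demo_2", "source": "demo"}}
{"text": "Dardesh was promoted via links to Google Play .",
 "spans": {"Malware: Dardesh": [[0, 7]], "System: Google Play": [[33, 45]]},
 "info": {"id": "demo_3", "source": "demo"}}
"""

# strict=False tolerates raw control characters (e.g. a line break an extractor left
# inside a string value); such a break still surfaces as an offset mismatch below.
_DECODER = json.JSONDecoder(strict=False)

# Assumed (heuristic) list of platform/type/engine prefixes that AV vendors put in
# front of the family name. Tune it for your own corpus; it is not an official list.
_PREFIX_NOISE = {
    "trojan", "troj", "trj", "backdoor", "bds", "bkdr", "worm", "virus", "win", "win32",
    "w32", "pe", "tr", "generic", "heur", "malware", "packed", "not", "a", "adware",
    "riskware", "hacktool", "tool", "dos", "ddos", "spy", "pws", "downloader", "dropper",
    "email", "ransom", "behaveslike", "trojware", "application", "wisdomeyes",
}


def iter_records(blob):
    """Yield JSON objects from a blob of concatenated records (any whitespace between)."""
    pos, end = 0, len(blob)
    while True:
        while pos < end and blob[pos].isspace():
            pos += 1
        if pos >= end:
            return
        rec, pos = _DECODER.raw_decode(blob, pos)
        yield rec


def check_spans(rec):
    """Return (label, start, end, actual_slice) for every span whose offsets are wrong."""
    text = rec["text"]
    bad = []
    for label, ranges in rec["spans"].items():
        _, _, surface = label.partition(": ")
        for start, end in ranges:
            if text[start:end] != surface:
                bad.append((label, start, end, text[start:end]))
    return bad


def entities_by_type(rec):
    """Map entity type -> surface forms in text order (repeats kept, as the corpus repeats AV names)."""
    found = []
    for label, ranges in rec["spans"].items():
        etype, _, surface = label.partition(": ")
        for start, _end in ranges:
            found.append((start, etype, surface))
    out = defaultdict(list)
    for _start, etype, surface in sorted(found):
        out[etype].append(surface)
    return dict(out)


def family_token(detection_name):
    """Heuristic: first alphabetic token of 4+ chars that is not a known prefix, lower-cased.
    Returns None when nothing but prefixes/numbers remain (e.g. pure heuristic engine names)."""
    for tok in re.split(r"[^A-Za-z]+", detection_name):
        t = tok.lower()
        if len(t) >= 4 and t not in _PREFIX_NOISE:
            return t
    return None


def family_histogram(records):
    """Count heuristic family tokens over all Indicator entities in the given records."""
    counts = Counter()
    for rec in records:
        for name in entities_by_type(rec).get("Indicator", []):
            fam = family_token(name)
            if fam:
                counts[fam] += 1
    return counts


def audit(blob):
    """Parse, validate and summarise: (record_count, {id: bad_spans}, family_counter)."""
    records = list(iter_records(blob))
    problems = {}
    for rec in records:
        bad = check_spans(rec)
        if bad:
            problems[rec["info"]["id"]] = bad
    return len(records), problems, family_histogram(records)


if __name__ == "__main__":
    n, problems, fams = audit(SAMPLE)
    print(f"{n} records, {len(problems)} with bad offsets")
    for rid, bad in problems.items():
        print(rid, bad)
    print(fams.most_common())
```

Run it against the raw page text instead of `SAMPLE` to see which records the line-wrapping actually damaged; a span that fails `check_spans` by exactly one character is the usual signature of a newline inserted or a space dropped by the extractor. The family tally is only a rough grouping aid for the long "also known as" records, where the same family (Netres, Katien, Sinowal and so on) appears under a dozen vendor naming schemes; it is not a substitute for the vendors' own family assignments.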
{"text": "WRITE_EXTERNAL_STORAGE - Allows the application to write to external storage .", "spans": {}, "info": {"id": "cyner2_8class_test_00383", "source": "cyner2_8class_test"}} {"text": "Notably, some of this recent activity demonstrated actors implementing a technique that bypassed antivirus detection by saving a PowerPoint document in which malware executed once the document was opened in Slide Show presentation format.", "spans": {"System: PowerPoint document": [[129, 148]], "Malware: malware": [[158, 165]], "Indicator: executed once the document was opened in Slide Show presentation format.": [[166, 238]]}, "info": {"id": "cyner2_8class_test_00384", "source": "cyner2_8class_test"}} {"text": "While the BlackMoon malware code has been constantly updated by its perpetrators, the extent of the campaign s infection is previously unknown.", "spans": {"Malware: BlackMoon malware": [[10, 27]], "ThreatActor: perpetrators,": [[68, 81]], "ThreatActor: campaign": [[100, 108]]}, "info": {"id": "cyner2_8class_test_00385", "source": "cyner2_8class_test"}} {"text": "By the time of this publication , two Jaguar Kill Switch infected app has reached 10 million downloads while others are still in their early stages .", "spans": {}, "info": {"id": "cyner2_8class_test_00386", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Reconyc Troj.W32.Reconyc!c Win32.Trojan.WisdomEyes.16070401.9500.9944 Backdoor.Trojan Trojan.Win32.Reconyc.ipfq Trojan.DownLoader4.51992 W32/Trojan.KRNZ-3842 Trojan/Win32.Reconyc Trojan.Win32.Reconyc.ipfq TrojanDownloader:Win32/Riprox.A Trojan/Win32.Swisyn.C63610 Win32.Trojan.Reconyc.Ajky Win32/Trojan.bf7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Reconyc": [[26, 40]], "Indicator: Troj.W32.Reconyc!c": [[41, 59]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[60, 102]], "Indicator: Backdoor.Trojan": [[103, 118]], "Indicator: Trojan.Win32.Reconyc.ipfq": [[119, 144], [212, 237]], "Indicator: 
Trojan.DownLoader4.51992": [[145, 169]], "Indicator: W32/Trojan.KRNZ-3842": [[170, 190]], "Indicator: Trojan/Win32.Reconyc": [[191, 211]], "Indicator: TrojanDownloader:Win32/Riprox.A": [[238, 269]], "Indicator: Trojan/Win32.Swisyn.C63610": [[270, 296]], "Indicator: Win32.Trojan.Reconyc.Ajky": [[297, 322]], "Indicator: Win32/Trojan.bf7": [[323, 339]]}, "info": {"id": "cyner2_8class_test_00387", "source": "cyner2_8class_test"}} {"text": "This particular botnet is downloaded by the Andromeda botnet.", "spans": {"Malware: botnet": [[16, 22]], "Malware: Andromeda botnet.": [[44, 61]]}, "info": {"id": "cyner2_8class_test_00388", "source": "cyner2_8class_test"}} {"text": "It posed a considerable threat to users and businesses, as Encryptor RaaS attacks can vary based on the customizations applied by the affiliate.", "spans": {"Organization: users": [[34, 39]], "Organization: businesses,": [[44, 55]], "Malware: Encryptor RaaS": [[59, 73]], "Indicator: attacks": [[74, 81]]}, "info": {"id": "cyner2_8class_test_00389", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Sinowal.Win32.3993 Backdoor/Sinowal.fma Trojan.Krypt.23 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_SINOWAL.SME Win.Trojan.Sinowal-16743 Backdoor.Win32.Sinowal.fma Trojan.Win32.Lampa.ftzdt Backdoor.W32.Sinowal.fma!c Backdoor.Win32.Sinowal.~CRSR Trojan.Packed.21724 BKDR_SINOWAL.SME BehavesLike.Win32.Conficker.nc Backdoor.Win32.Sinowal Backdoor/Sinowal.fmz Backdoor.Win32.Sinowal.fma Trojan/Win32.Sinowal.R2810 SScope.Trojan.Cryptor Win32.Backdoor.Sinowal.Lmau", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sinowal.Win32.3993": [[26, 53]], "Indicator: Backdoor/Sinowal.fma": [[54, 74]], "Indicator: Trojan.Krypt.23": [[75, 90]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[91, 133]], "Indicator: BKDR_SINOWAL.SME": [[134, 150], [304, 320]], "Indicator: Win.Trojan.Sinowal-16743": [[151, 175]], "Indicator: Backdoor.Win32.Sinowal.fma": [[176, 202], [396, 
422]], "Indicator: Trojan.Win32.Lampa.ftzdt": [[203, 227]], "Indicator: Backdoor.W32.Sinowal.fma!c": [[228, 254]], "Indicator: Backdoor.Win32.Sinowal.~CRSR": [[255, 283]], "Indicator: Trojan.Packed.21724": [[284, 303]], "Indicator: BehavesLike.Win32.Conficker.nc": [[321, 351]], "Indicator: Backdoor.Win32.Sinowal": [[352, 374]], "Indicator: Backdoor/Sinowal.fmz": [[375, 395]], "Indicator: Trojan/Win32.Sinowal.R2810": [[423, 449]], "Indicator: SScope.Trojan.Cryptor": [[450, 471]], "Indicator: Win32.Backdoor.Sinowal.Lmau": [[472, 499]]}, "info": {"id": "cyner2_8class_test_00390", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.ZagawiiC.Trojan Backdoor/W32.HttpBot.80896 Backdoor.Httpbot.Win32.574 Backdoor/Httpbot.app Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.EJSL-5192 TROJ_RENEG.SMUM3 Trojan.Win32.Httpbot.ilomg TrojWare.Win32.TrojanDownloader.Small.DG Trojan.DownLoader2.10028 TROJ_RENEG.SMUM3 TR/Systemhijack.AA Trojan[Backdoor]/Win32.Httpbot Backdoor.W32.Httpbot.lmxk SScope.Trojan.Win32.Heur.V", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ZagawiiC.Trojan": [[26, 45]], "Indicator: Backdoor/W32.HttpBot.80896": [[46, 72]], "Indicator: Backdoor.Httpbot.Win32.574": [[73, 99]], "Indicator: Backdoor/Httpbot.app": [[100, 120]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[121, 163]], "Indicator: W32/Trojan.EJSL-5192": [[164, 184]], "Indicator: TROJ_RENEG.SMUM3": [[185, 201], [295, 311]], "Indicator: Trojan.Win32.Httpbot.ilomg": [[202, 228]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.DG": [[229, 269]], "Indicator: Trojan.DownLoader2.10028": [[270, 294]], "Indicator: TR/Systemhijack.AA": [[312, 330]], "Indicator: Trojan[Backdoor]/Win32.Httpbot": [[331, 361]], "Indicator: Backdoor.W32.Httpbot.lmxk": [[362, 387]], "Indicator: SScope.Trojan.Win32.Heur.V": [[388, 414]]}, "info": {"id": "cyner2_8class_test_00391", "source": "cyner2_8class_test"}} {"text": "We have been able to tie the malware to a long-running 
Facebook profile that we observed promoting the first stage of this family , a malicious chat application called Dardesh via links to Google Play .", "spans": {"Organization: Facebook": [[55, 63]], "Malware: Dardesh": [[168, 175]], "System: Google Play": [[189, 200]]}, "info": {"id": "cyner2_8class_test_00392", "source": "cyner2_8class_test"}} {"text": "While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.", "spans": {"ThreatActor: campaign,": [[38, 47]], "Malware: malware,": [[89, 97]], "System: a web server": [[108, 120]], "System: host": [[138, 142]], "Indicator: attack": [[175, 181]]}, "info": {"id": "cyner2_8class_test_00393", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.4B44 Trojan-Spy.Win32.Dibik!O Trojan.Delfinject.9710 Win32.Trojan.Delf.ae TSPY_DELF.SMK Win.Trojan.Dibik-3 Trojan-Ransom.Win32.PornoAsset.cwjq Trojan.Win32.Dibik.bnigz Backdoor.Win32.Dbs.a Trojan.DownLoader4.13174 TSPY_DELF.SMK BehavesLike.Win32.Downloader.dc Trojan/Invader.pg Trojan[Spy]/Win32.Dibik.fpd Trojan.Graftor.D1CAF Troj.W32.Invader.lpJQ Trojan-Ransom.Win32.PornoAsset.cwjq Trojan/Win32.Hupigon.R34191 TrojanSpy.Dibik!YurHSOFj1jo Trojan-Spy.Win32.Dibik W32/Injector.fam!tr Backdoor.Win32.BDS.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.4B44": [[26, 42]], "Indicator: Trojan-Spy.Win32.Dibik!O": [[43, 67]], "Indicator: Trojan.Delfinject.9710": [[68, 90]], "Indicator: Win32.Trojan.Delf.ae": [[91, 111]], "Indicator: TSPY_DELF.SMK": [[112, 125], [252, 265]], "Indicator: Win.Trojan.Dibik-3": [[126, 144]], "Indicator: Trojan-Ransom.Win32.PornoAsset.cwjq": [[145, 180], [387, 422]], "Indicator: Trojan.Win32.Dibik.bnigz": [[181, 205]], "Indicator: Backdoor.Win32.Dbs.a": [[206, 226]], "Indicator: Trojan.DownLoader4.13174": [[227, 251]], "Indicator: BehavesLike.Win32.Downloader.dc": [[266, 297]], 
"Indicator: Trojan/Invader.pg": [[298, 315]], "Indicator: Trojan[Spy]/Win32.Dibik.fpd": [[316, 343]], "Indicator: Trojan.Graftor.D1CAF": [[344, 364]], "Indicator: Troj.W32.Invader.lpJQ": [[365, 386]], "Indicator: Trojan/Win32.Hupigon.R34191": [[423, 450]], "Indicator: TrojanSpy.Dibik!YurHSOFj1jo": [[451, 478]], "Indicator: Trojan-Spy.Win32.Dibik": [[479, 501]], "Indicator: W32/Injector.fam!tr": [[502, 521]], "Indicator: Backdoor.Win32.BDS.A": [[522, 542]]}, "info": {"id": "cyner2_8class_test_00394", "source": "cyner2_8class_test"}} {"text": "Immediately after activation , the malware creates a textView element in a new window with the following layout parameters : All these parameters ensure the element is hidden from the user .", "spans": {}, "info": {"id": "cyner2_8class_test_00395", "source": "cyner2_8class_test"}} {"text": "Spoiler alert: they originated from Fancy Bear actors.", "spans": {"ThreatActor: Fancy Bear actors.": [[36, 54]]}, "info": {"id": "cyner2_8class_test_00396", "source": "cyner2_8class_test"}} {"text": "Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.", "spans": {"Date: Last year,": [[0, 10]], "Organization: Swiss GovCERT.ch": [[62, 78]], "Indicator: attack": [[117, 123]], "Organization: defense firm": [[131, 143]], "Organization: the Swiss government, RUAG,": [[153, 180]], "Date: the past.": [[193, 202]]}, "info": {"id": "cyner2_8class_test_00397", "source": "cyner2_8class_test"}} {"text": "File Server ( http : //www.psservicedl [ .", "spans": {"Indicator: http : //www.psservicedl [ .": [[14, 42]]}, "info": {"id": "cyner2_8class_test_00398", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.UrelasTTc.Worm Trojan.Gupboot.G.mue Trojan/Urelas.o Win32.Trojan.Urelas.a Backdoor.Win32.Plite.bhuz Trojan.Win32.Plite.eizuzf Backdoor.W32.Plite.tnq2 TrojWare.Win32.Small.NAF 
Trojan.AVKill.33021 Trojan.Urelas.Win32.542 BehavesLike.Win32.CryptDoma.dc Backdoor.Plite.ck Trojan[Backdoor]/Win32.Plite Trojan.Zusy.D3036B Backdoor.Win32.Plite.bhuz Trojan:Win32/Urelas.AA Backdoor/Win32.Plite.C195259 Trojan.Urelas!CWpjcly5U1k Backdoor.Plite Win32/Trojan.Plite.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.UrelasTTc.Worm": [[26, 50]], "Indicator: Trojan.Gupboot.G.mue": [[51, 71]], "Indicator: Trojan/Urelas.o": [[72, 87]], "Indicator: Win32.Trojan.Urelas.a": [[88, 109]], "Indicator: Backdoor.Win32.Plite.bhuz": [[110, 135], [352, 377]], "Indicator: Trojan.Win32.Plite.eizuzf": [[136, 161]], "Indicator: Backdoor.W32.Plite.tnq2": [[162, 185]], "Indicator: TrojWare.Win32.Small.NAF": [[186, 210]], "Indicator: Trojan.AVKill.33021": [[211, 230]], "Indicator: Trojan.Urelas.Win32.542": [[231, 254]], "Indicator: BehavesLike.Win32.CryptDoma.dc": [[255, 285]], "Indicator: Backdoor.Plite.ck": [[286, 303]], "Indicator: Trojan[Backdoor]/Win32.Plite": [[304, 332]], "Indicator: Trojan.Zusy.D3036B": [[333, 351]], "Indicator: Trojan:Win32/Urelas.AA": [[378, 400]], "Indicator: Backdoor/Win32.Plite.C195259": [[401, 429]], "Indicator: Trojan.Urelas!CWpjcly5U1k": [[430, 455]], "Indicator: Backdoor.Plite": [[456, 470]], "Indicator: Win32/Trojan.Plite.A": [[471, 491]]}, "info": {"id": "cyner2_8class_test_00399", "source": "cyner2_8class_test"}} {"text": "leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control.", "spans": {"Malware: leetMX": [[0, 6]], "System: infrastructure": [[7, 21]], "Indicator: hosts": [[34, 39]], "Indicator: domains": [[44, 51]], "Malware: malware delivery": [[61, 77]], "Indicator: command and control.": [[85, 105]]}, "info": {"id": "cyner2_8class_test_00400", "source": "cyner2_8class_test"}} {"text": "We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.", "spans": {"Malware: CMSTAR": [[21, 27]], "Indicator: spear phishing attacks": [[31, 53]], 
"Date: spring of 2015": [[57, 71]], "Date: later in 2016.": [[76, 90]]}, "info": {"id": "cyner2_8class_test_00401", "source": "cyner2_8class_test"}} {"text": "This Dragonfly 2.0 campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.", "spans": {"ThreatActor: Dragonfly 2.0 campaign,": [[5, 28]], "Date: 2015,": [[65, 70]], "ThreatActor: campaigns": [[112, 121]], "ThreatActor: the group.": [[125, 135]]}, "info": {"id": "cyner2_8class_test_00402", "source": "cyner2_8class_test"}} {"text": "First Twitter‑controlled Android botnet discovered Detected by ESET as Android/Twitoor , this malware is unique because of its resilience mechanism .", "spans": {"System: Twitter‑controlled": [[6, 24]], "System: Android": [[25, 32]], "Organization: ESET": [[63, 67]], "Malware: Android/Twitoor": [[71, 86]]}, "info": {"id": "cyner2_8class_test_00403", "source": "cyner2_8class_test"}} {"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store .", "spans": {"System: Google Play store": [[214, 231]]}, "info": {"id": "cyner2_8class_test_00404", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.DC11 Trojan/Kryptik.amwu Win32.Trojan.WisdomEyes.16070401.9500.9655 TrojWare.Win32.Kryptik.AMW Trojan.Click2.61967 BehavesLike.Win32.VirRansom.mc Trojan/Win32.Unknown TrojanDownloader:Win32/Tijcont.A Trojan.Heur.S.ED17C9E Trojan/Win32.Downloader.R41544 Trojan.Kryptik!nPMRNlMixv4 W32/Kryptik.AHWM!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.DC11": [[26, 42]], "Indicator: Trojan/Kryptik.amwu": [[43, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9655": [[63, 105]], "Indicator: TrojWare.Win32.Kryptik.AMW": [[106, 132]], "Indicator: Trojan.Click2.61967": [[133, 152]], "Indicator: 
BehavesLike.Win32.VirRansom.mc": [[153, 183]], "Indicator: Trojan/Win32.Unknown": [[184, 204]], "Indicator: TrojanDownloader:Win32/Tijcont.A": [[205, 237]], "Indicator: Trojan.Heur.S.ED17C9E": [[238, 259]], "Indicator: Trojan/Win32.Downloader.R41544": [[260, 290]], "Indicator: Trojan.Kryptik!nPMRNlMixv4": [[291, 317]], "Indicator: W32/Kryptik.AHWM!tr": [[318, 337]], "Indicator: Trj/CI.A": [[338, 346]]}, "info": {"id": "cyner2_8class_test_00405", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Pakes.miu Trojan.MulDrop.28501 Trojan.Win32.Pakes.miu Win32.Virus.Unknown.Heur", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9980": [[26, 68]], "Indicator: Trojan.Win32.Pakes.miu": [[69, 91], [113, 135]], "Indicator: Trojan.MulDrop.28501": [[92, 112]], "Indicator: Win32.Virus.Unknown.Heur": [[136, 160]]}, "info": {"id": "cyner2_8class_test_00406", "source": "cyner2_8class_test"}} {"text": "In this article, we will share our findings of these recent updates.", "spans": {}, "info": {"id": "cyner2_8class_test_00407", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Pasur.r3 Bds.Pasur.A!c Trojan/PSW.LdPinch.cwi W32/Backdoor2.HMZN Backdoor.Graybird Trojan.Win32.Z.Pasur.223969[h] W32/Backdoor.JFQE-8545 Win32.Backdoor.Pasur.Dvge", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Pasur.r3": [[26, 43]], "Indicator: Bds.Pasur.A!c": [[44, 57]], "Indicator: Trojan/PSW.LdPinch.cwi": [[58, 80]], "Indicator: W32/Backdoor2.HMZN": [[81, 99]], "Indicator: Backdoor.Graybird": [[100, 117]], "Indicator: Trojan.Win32.Z.Pasur.223969[h]": [[118, 148]], "Indicator: W32/Backdoor.JFQE-8545": [[149, 171]], "Indicator: Win32.Backdoor.Pasur.Dvge": [[172, 197]]}, "info": {"id": "cyner2_8class_test_00408", "source": "cyner2_8class_test"}} {"text": "JNI Bread has also tested our ability to analyze native code .", "spans": {"Malware: Bread": 
[[4, 9]]}, "info": {"id": "cyner2_8class_test_00409", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.BCC2 DoS.Win32.Ras!O Dos.Ras Win32/DDoS.Ras.11 Win.Trojan.DoS-3 DoS.Win32.Ras.11 Trojan.Win32.Ras.dlvd Trojan.Win32.Ras_11 TrojWare.Win32.DDoS.Ras.11 Nuke.Ras Tool.Ras.Win32.1 Trojan.Win32.DDos W32/Trojan.MYRM-3305 DoS.Win32.Ras.11 TR/Dos.RAS.11 HackTool[DoS]/Win32.Ras Dos.W32.Ras!c DoS.Win32.Ras.11 DoS:Win32/Ras.1_1 Win32.Trojan.Ras.Hzdo DoS.Ras!A9BBlzliems DoS.Ras", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.BCC2": [[26, 43]], "Indicator: DoS.Win32.Ras!O": [[44, 59]], "Indicator: Dos.Ras": [[60, 67]], "Indicator: Win32/DDoS.Ras.11": [[68, 85]], "Indicator: Win.Trojan.DoS-3": [[86, 102]], "Indicator: DoS.Win32.Ras.11": [[103, 119], [254, 270], [323, 339]], "Indicator: Trojan.Win32.Ras.dlvd": [[120, 141]], "Indicator: Trojan.Win32.Ras_11": [[142, 161]], "Indicator: TrojWare.Win32.DDoS.Ras.11": [[162, 188]], "Indicator: Nuke.Ras": [[189, 197]], "Indicator: Tool.Ras.Win32.1": [[198, 214]], "Indicator: Trojan.Win32.DDos": [[215, 232]], "Indicator: W32/Trojan.MYRM-3305": [[233, 253]], "Indicator: TR/Dos.RAS.11": [[271, 284]], "Indicator: HackTool[DoS]/Win32.Ras": [[285, 308]], "Indicator: Dos.W32.Ras!c": [[309, 322]], "Indicator: DoS:Win32/Ras.1_1": [[340, 357]], "Indicator: Win32.Trojan.Ras.Hzdo": [[358, 379]], "Indicator: DoS.Ras!A9BBlzliems": [[380, 399]], "Indicator: DoS.Ras": [[400, 407]]}, "info": {"id": "cyner2_8class_test_00410", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Pws.BFTY Win.Spyware.57171-2 Trojan.Click.25911 W32/PWS.UUDR-5623 PWS:Win32/Seratin.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Pws.BFTY": [[26, 38]], "Indicator: Win.Spyware.57171-2": [[39, 58]], "Indicator: Trojan.Click.25911": [[59, 77]], "Indicator: W32/PWS.UUDR-5623": [[78, 95]], "Indicator: PWS:Win32/Seratin.A": [[96, 115]]}, "info": {"id": "cyner2_8class_test_00411", "source": 
"cyner2_8class_test"}} {"text": "Hacker's Door is now sold privately by the original author yyt_hac with updates to support newer Operating Systems and architectures.", "spans": {"Malware: Hacker's Door": [[0, 13]], "ThreatActor: the original author yyt_hac": [[39, 66]], "System: Operating Systems": [[97, 114]], "System: architectures.": [[119, 133]]}, "info": {"id": "cyner2_8class_test_00412", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.7168.C Trojan/Hacktool.Auha.30 W32/Trojan.MSQS-8786 Hacktool.Scan TROJ_SCAN.A HackTool.Win32.Auha.30 Riskware.Win32.Auha.hrhi HackTool.Auha.7168 HackTool.W32.Auha.30!c TrojWare.Win32.HackTool.Auha.A Tool.Autohack Tool.Auha.Win32.7 TROJ_SCAN.A W32/TrojanX.JNP Hacktool.Auha.30 HackTool/Win32.Auha HackTool.Win32.Auha.30 HackTool:Win32/Auha.A Win32/HackTool.Auha.30.A Win32.Hacktool.Auha.Alsn HackTool.Win32.Auha Malware_fam.gw Win32/Trojan.Hacktool.d21", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.HackTool.7168.C": [[26, 52]], "Indicator: Trojan/Hacktool.Auha.30": [[53, 76]], "Indicator: W32/Trojan.MSQS-8786": [[77, 97]], "Indicator: Hacktool.Scan": [[98, 111]], "Indicator: TROJ_SCAN.A": [[112, 123], [277, 288]], "Indicator: HackTool.Win32.Auha.30": [[124, 146], [342, 364]], "Indicator: Riskware.Win32.Auha.hrhi": [[147, 171]], "Indicator: HackTool.Auha.7168": [[172, 190]], "Indicator: HackTool.W32.Auha.30!c": [[191, 213]], "Indicator: TrojWare.Win32.HackTool.Auha.A": [[214, 244]], "Indicator: Tool.Autohack": [[245, 258]], "Indicator: Tool.Auha.Win32.7": [[259, 276]], "Indicator: W32/TrojanX.JNP": [[289, 304]], "Indicator: Hacktool.Auha.30": [[305, 321]], "Indicator: HackTool/Win32.Auha": [[322, 341]], "Indicator: HackTool:Win32/Auha.A": [[365, 386]], "Indicator: Win32/HackTool.Auha.30.A": [[387, 411]], "Indicator: Win32.Hacktool.Auha.Alsn": [[412, 436]], "Indicator: HackTool.Win32.Auha": [[437, 456]], "Indicator: Malware_fam.gw": [[457, 471]], "Indicator: 
Win32/Trojan.Hacktool.d21": [[472, 497]]}, "info": {"id": "cyner2_8class_test_00413", "source": "cyner2_8class_test"}} {"text": "PHA Family Highlights : Bread ( and Friends ) January 9 , 2020 In this edition of our PHA Family Highlights series we introduce Bread , a large-scale billing fraud family .", "spans": {"Malware: Bread": [[24, 29], [128, 133]]}, "info": {"id": "cyner2_8class_test_00414", "source": "cyner2_8class_test"}} {"text": "Unit 42 published a blog at the beginning of May titled Prince of Persia, in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide.", "spans": {"Organization: Unit 42": [[0, 7]], "Date: May": [[45, 48]], "ThreatActor: a decade-long campaign": [[113, 135]], "Malware: unknown malware family, Infy,": [[153, 182]], "Organization: government": [[197, 207]], "Organization: industry": [[212, 220]], "Location: worldwide.": [[231, 241]]}, "info": {"id": "cyner2_8class_test_00415", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm/W32.Gruel.102400.F Worm.Gruel Worm.Gruel/Variant W32/Fakerr.A@mm W32.Gruel@mm Win32/Fakerr.A WORM_GRUEL.A Win.Worm.Gruel-1 Email-Worm.Win32.Gruel.a Trojan.Win32.Gruel.hnbv W32.W.Gruel.a!c Win32.Worm-email.Gruel.Pfjn Worm.Win32.Gruel.C WORM_GRUEL.A W32/Fakerr.A@mm I-Worm/Gruel.a WORM/Gruel.01 Worm[Email]/Win32.Gruel Worm:Win32/Gruel.A@mm Trojan.Heur.E2E08E I-Worm.Win32.Gruel.102400.C Email-Worm.Win32.Gruel.a Win32.Worm.Gruel.A Worm/Win32.Gruel.R105674 Worm.Gruel Win32/Gruel.C I-Worm.Gruel!y+ASYamZKhI Virus.Win32.Gruel.B W32/Gruel.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Gruel.102400.F": [[26, 49]], "Indicator: Worm.Gruel": [[50, 60], [486, 496]], "Indicator: Worm.Gruel/Variant": [[61, 79]], "Indicator: W32/Fakerr.A@mm": [[80, 95], [279, 294]], "Indicator: W32.Gruel@mm": [[96, 108]], "Indicator: Win32/Fakerr.A": [[109, 123]], "Indicator: WORM_GRUEL.A": [[124, 
136], [266, 278]], "Indicator: Win.Worm.Gruel-1": [[137, 153]], "Indicator: Email-Worm.Win32.Gruel.a": [[154, 178], [417, 441]], "Indicator: Trojan.Win32.Gruel.hnbv": [[179, 202]], "Indicator: W32.W.Gruel.a!c": [[203, 218]], "Indicator: Win32.Worm-email.Gruel.Pfjn": [[219, 246]], "Indicator: Worm.Win32.Gruel.C": [[247, 265]], "Indicator: I-Worm/Gruel.a": [[295, 309]], "Indicator: WORM/Gruel.01": [[310, 323]], "Indicator: Worm[Email]/Win32.Gruel": [[324, 347]], "Indicator: Worm:Win32/Gruel.A@mm": [[348, 369]], "Indicator: Trojan.Heur.E2E08E": [[370, 388]], "Indicator: I-Worm.Win32.Gruel.102400.C": [[389, 416]], "Indicator: Win32.Worm.Gruel.A": [[442, 460]], "Indicator: Worm/Win32.Gruel.R105674": [[461, 485]], "Indicator: Win32/Gruel.C": [[497, 510]], "Indicator: I-Worm.Gruel!y+ASYamZKhI": [[511, 535]], "Indicator: Virus.Win32.Gruel.B": [[536, 555]], "Indicator: W32/Gruel.B": [[556, 567]]}, "info": {"id": "cyner2_8class_test_00416", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.2623 Application.Hacktool.Gsecdump.C Hacktool.Gsecdump Trojan/Yakes.bkcr Win32.Trojan.WisdomEyes.16070401.9500.9993 Hacktool.PTHToolkit Win.Trojan.7503818-1 not-a-virus:PSWTool.Win64.Gsecdmp.e Application.Hacktool.Gsecdump.C Trojan.Win32.Obfuscate.spuel Application.Hacktool.Gsecdump.C Trojan.Yakes.Win32.5554 BehavesLike.Win32.PUP.hh Win32.Malware Trojan/Yakes.ebk Application.Hacktool.Gsecdump.C Application.Hacktool.Gsecdump.C Win-Trojan/Hacktool.557568 Trojan.Yakes!R8V8ToLltnc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.2623": [[26, 43]], "Indicator: Application.Hacktool.Gsecdump.C": [[44, 75], [232, 263], [293, 324], [405, 436], [437, 468]], "Indicator: Hacktool.Gsecdump": [[76, 93]], "Indicator: Trojan/Yakes.bkcr": [[94, 111]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[112, 154]], "Indicator: Hacktool.PTHToolkit": [[155, 174]], "Indicator: Win.Trojan.7503818-1": [[175, 195]], "Indicator: 
not-a-virus:PSWTool.Win64.Gsecdmp.e": [[196, 231]], "Indicator: Trojan.Win32.Obfuscate.spuel": [[264, 292]], "Indicator: Trojan.Yakes.Win32.5554": [[325, 348]], "Indicator: BehavesLike.Win32.PUP.hh": [[349, 373]], "Indicator: Win32.Malware": [[374, 387]], "Indicator: Trojan/Yakes.ebk": [[388, 404]], "Indicator: Win-Trojan/Hacktool.557568": [[469, 495]], "Indicator: Trojan.Yakes!R8V8ToLltnc": [[496, 520]]}, "info": {"id": "cyner2_8class_test_00417", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: WS.Reputation.1 Trojan.Dropper-22862 Backdoor.Win32.Poison.bgfu Backdoor.Win32.Poison!IK Heur.Packed.Unknown BDS/Poison.bgfu TrojanDropper.Binder.rb Win-Trojan/Poison.28672.HZ Packer.Win32.UnkPacker.b Backdoor.Win32.Poison", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: Trojan.Dropper-22862": [[42, 62]], "Indicator: Backdoor.Win32.Poison.bgfu": [[63, 89]], "Indicator: Backdoor.Win32.Poison!IK": [[90, 114]], "Indicator: Heur.Packed.Unknown": [[115, 134]], "Indicator: BDS/Poison.bgfu": [[135, 150]], "Indicator: TrojanDropper.Binder.rb": [[151, 174]], "Indicator: Win-Trojan/Poison.28672.HZ": [[175, 201]], "Indicator: Packer.Win32.UnkPacker.b": [[202, 226]], "Indicator: Backdoor.Win32.Poison": [[227, 248]]}, "info": {"id": "cyner2_8class_test_00418", "source": "cyner2_8class_test"}} {"text": "Instances of this spyware were found on the Google Play Store , disguised as service applications from mobile operators .", "spans": {"System: Google Play Store": [[44, 61]]}, "info": {"id": "cyner2_8class_test_00419", "source": "cyner2_8class_test"}} {"text": "Earlier versions were described by Palo Alto Networks.", "spans": {"Organization: Palo Alto Networks.": [[35, 54]]}, "info": {"id": "cyner2_8class_test_00420", "source": "cyner2_8class_test"}} {"text": "With the capabilities of showing out-of-scope ads , exposing the user to other applications , and opening a URL in a browser , ‘ SimBad ’ acts now as an Adware , 
but already has the infrastructure to evolve into a much larger threat .", "spans": {"Malware: SimBad": [[129, 135]]}, "info": {"id": "cyner2_8class_test_00421", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Farfli.16459 Trojan/Jorik.Zegost.egv Trojan.Strictor.D1905 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Gosht.IV Trojan-Dropper.Win32.Dapato.ojsb Trojan.Win32.Jorik.uutks TrojWare.Win32.GameThief.Magania.~UB Trojan.DownLoader8.55569 BehavesLike.Win32.Dropper.jc Trojan.Win32.KillAV Trojan/Jorik.fcjq Trojan/Win32.Zegost Trojan-Dropper.Win32.Dapato.ojsb Trojan/Win32.Jorik.R92633 Trojan.Zegost", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Farfli.16459": [[26, 47]], "Indicator: Trojan/Jorik.Zegost.egv": [[48, 71]], "Indicator: Trojan.Strictor.D1905": [[72, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[94, 136]], "Indicator: Win32/Gosht.IV": [[137, 151]], "Indicator: Trojan-Dropper.Win32.Dapato.ojsb": [[152, 184], [359, 391]], "Indicator: Trojan.Win32.Jorik.uutks": [[185, 209]], "Indicator: TrojWare.Win32.GameThief.Magania.~UB": [[210, 246]], "Indicator: Trojan.DownLoader8.55569": [[247, 271]], "Indicator: BehavesLike.Win32.Dropper.jc": [[272, 300]], "Indicator: Trojan.Win32.KillAV": [[301, 320]], "Indicator: Trojan/Jorik.fcjq": [[321, 338]], "Indicator: Trojan/Win32.Zegost": [[339, 358]], "Indicator: Trojan/Win32.Jorik.R92633": [[392, 417]], "Indicator: Trojan.Zegost": [[418, 431]]}, "info": {"id": "cyner2_8class_test_00422", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Heur.E6E5F4 Win32.Trojan.WisdomEyes.16070401.9500.9780 W32.Stration.CX@mm Win.Worm.Stration-502 Email-Worm.Win32.Warezov.et Win32.HLLM.Limar.based Win32.Warezov TrojanDownloader:Win32/Stration.A Email-Worm.Win32.Warezov.et Win32/Stration.JP", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.E6E5F4": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9780": [[45, 87]], 
"Indicator: W32.Stration.CX@mm": [[88, 106]], "Indicator: Win.Worm.Stration-502": [[107, 128]], "Indicator: Email-Worm.Win32.Warezov.et": [[129, 156], [228, 255]], "Indicator: Win32.HLLM.Limar.based": [[157, 179]], "Indicator: Win32.Warezov": [[180, 193]], "Indicator: TrojanDownloader:Win32/Stration.A": [[194, 227]], "Indicator: Win32/Stration.JP": [[256, 273]]}, "info": {"id": "cyner2_8class_test_00423", "source": "cyner2_8class_test"}} {"text": "Command and control domains used by the Trojan-Banker.AndroidOS.Marcher Android Banker.", "spans": {"Indicator: Command and control domains": [[0, 27]], "Indicator: Trojan-Banker.AndroidOS.Marcher": [[40, 71]], "Malware: Android Banker.": [[72, 87]]}, "info": {"id": "cyner2_8class_test_00424", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Spyware.Zbot Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.Win32.Upatre.gmrt Trojan.Win32.Upatre.exfuvy Win32.Trojan-downloader.Upatre.Llrm Trojan.MulDrop7.57372 TrojanDownloader.Upatre.aiek TR/Crypt.Xpack.piamo Trojan[Downloader]/Win32.Upatre Trojan.Razy.D3AA79 Trojan-Downloader.Win32.Upatre.gmrt Win-Trojan/Magniber.Exp TrojanDownloader.Upatre Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Spyware.Zbot": [[26, 38]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[39, 81]], "Indicator: Trojan-Downloader.Win32.Upatre.gmrt": [[82, 117], [304, 339]], "Indicator: Trojan.Win32.Upatre.exfuvy": [[118, 144]], "Indicator: Win32.Trojan-downloader.Upatre.Llrm": [[145, 180]], "Indicator: Trojan.MulDrop7.57372": [[181, 202]], "Indicator: TrojanDownloader.Upatre.aiek": [[203, 231]], "Indicator: TR/Crypt.Xpack.piamo": [[232, 252]], "Indicator: Trojan[Downloader]/Win32.Upatre": [[253, 284]], "Indicator: Trojan.Razy.D3AA79": [[285, 303]], "Indicator: Win-Trojan/Magniber.Exp": [[340, 363]], "Indicator: TrojanDownloader.Upatre": [[364, 387]], "Indicator: Trj/GdSda.A": [[388, 399]]}, "info": {"id": "cyner2_8class_test_00425", "source": 
"cyner2_8class_test"}} {"text": "The first type of content , starting with “ method=install ” , will be sent when the app is started for the first time , including the following device private information : Victim identifier Network operator Device model Device OS version Phone number Device identifier App version Country The second type of information will be sent periodically to indicate that the device is alive .", "spans": {}, "info": {"id": "cyner2_8class_test_00426", "source": "cyner2_8class_test"}} {"text": "DNS queries distribution over time The campaign does n't seem to be growing at a fast pace .", "spans": {}, "info": {"id": "cyner2_8class_test_00427", "source": "cyner2_8class_test"}} {"text": "Since the early hours of October 8, employees of various corporations in Japan started to receive suspicious-looking emails which turned out to carry malicious attachments.", "spans": {"Date: October 8,": [[25, 35]], "Organization: employees": [[36, 45]], "Organization: corporations": [[57, 69]], "Location: Japan": [[73, 78]], "Indicator: receive suspicious-looking emails": [[90, 123]], "Indicator: carry malicious attachments.": [[144, 172]]}, "info": {"id": "cyner2_8class_test_00428", "source": "cyner2_8class_test"}} {"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively .", "spans": {"Organization: Twitter": [[55, 62]]}, "info": {"id": "cyner2_8class_test_00429", "source": "cyner2_8class_test"}} {"text": "The ultimate reach of the malicious code being tied to how much traffic a site will receive, ad servers are the ideal candidate since they are used by hundreds or thousands of other websites relying on advertising.", "spans": {}, "info": {"id": "cyner2_8class_test_00430", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Buzus.425984 Heur.Win32.VBKrypt.1!O Trojan.Llac Trojan/Buzus.zrq TROJ_BUZUS.UU Win32.Trojan.WisdomEyes.16070401.9500.9949 W32/Trojan2.EOFH 
TROJ_BUZUS.UU Win.Trojan.Buzus-2943 Trojan.Win32.Llac.jzcf Trojan.Win32.Buzus.tooy Trojan.Win32.Buzus.425984.B Troj.W32.Llac!c TrojWare.Win32.Buzus.zrq Trojan.Buzus.Win32.269 Virus.Trojan.Win32.Buzus.zrq W32/Trojan.YQZR-7209 Packed.Krap.esub Trojan[Packed]/Win32.Krap Trojan.Win32.Llac.jzcf Trojan:Win32/Vcryptoz.A Trojan/Win32.Buzus.C317353 Trojan.VB.Pedro Win32.Trojan.Llac.Lkeg Trojan.Buzus.BYY Win32/Trojan.cc2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Buzus.425984": [[26, 49]], "Indicator: Heur.Win32.VBKrypt.1!O": [[50, 72]], "Indicator: Trojan.Llac": [[73, 84]], "Indicator: Trojan/Buzus.zrq": [[85, 101]], "Indicator: TROJ_BUZUS.UU": [[102, 115], [176, 189]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9949": [[116, 158]], "Indicator: W32/Trojan2.EOFH": [[159, 175]], "Indicator: Win.Trojan.Buzus-2943": [[190, 211]], "Indicator: Trojan.Win32.Llac.jzcf": [[212, 234], [444, 466]], "Indicator: Trojan.Win32.Buzus.tooy": [[235, 258]], "Indicator: Trojan.Win32.Buzus.425984.B": [[259, 286]], "Indicator: Troj.W32.Llac!c": [[287, 302]], "Indicator: TrojWare.Win32.Buzus.zrq": [[303, 327]], "Indicator: Trojan.Buzus.Win32.269": [[328, 350]], "Indicator: Virus.Trojan.Win32.Buzus.zrq": [[351, 379]], "Indicator: W32/Trojan.YQZR-7209": [[380, 400]], "Indicator: Packed.Krap.esub": [[401, 417]], "Indicator: Trojan[Packed]/Win32.Krap": [[418, 443]], "Indicator: Trojan:Win32/Vcryptoz.A": [[467, 490]], "Indicator: Trojan/Win32.Buzus.C317353": [[491, 517]], "Indicator: Trojan.VB.Pedro": [[518, 533]], "Indicator: Win32.Trojan.Llac.Lkeg": [[534, 556]], "Indicator: Trojan.Buzus.BYY": [[557, 573]], "Indicator: Win32/Trojan.cc2": [[574, 590]]}, "info": {"id": "cyner2_8class_test_00431", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm/W32.Bagle.59904 Win32.Trojan.WisdomEyes.16070401.9500.9972 W32/Trojan.VWJE-2922 Win32/Glieder.II TROJ_DROPPR.SMXA Email-Worm.Win32.Bagle.majf Trojan.Win32.Click.bkszb Win32.Worm-email.Bagle.Swkr 
TrojWare.Win32.TrojanDropper.Delf.~KF Trojan.PWS.LDPinch.11735 TROJ_DROPPR.SMXA BehavesLike.Win32.Dropper.qc W32/Trojan2.GZAQ Trojan/LdPinch.az Worm[Email]/Win32.Bagle TrojanDropper:Win32/Umrena.E Trojan.Win32.A.Swisyn.46052 Email-Worm.Win32.Bagle.majf Trojan/Win32.Xema.C994 Trojan.VkHost Trojan.DR.Umrena!flF93BG8zsg W32/IrcMiranda.B.worm Win32/Trojan.9dc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Bagle.59904": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9972": [[47, 89]], "Indicator: W32/Trojan.VWJE-2922": [[90, 110]], "Indicator: Win32/Glieder.II": [[111, 127]], "Indicator: TROJ_DROPPR.SMXA": [[128, 144], [289, 305]], "Indicator: Email-Worm.Win32.Bagle.majf": [[145, 172], [451, 478]], "Indicator: Trojan.Win32.Click.bkszb": [[173, 197]], "Indicator: Win32.Worm-email.Bagle.Swkr": [[198, 225]], "Indicator: TrojWare.Win32.TrojanDropper.Delf.~KF": [[226, 263]], "Indicator: Trojan.PWS.LDPinch.11735": [[264, 288]], "Indicator: BehavesLike.Win32.Dropper.qc": [[306, 334]], "Indicator: W32/Trojan2.GZAQ": [[335, 351]], "Indicator: Trojan/LdPinch.az": [[352, 369]], "Indicator: Worm[Email]/Win32.Bagle": [[370, 393]], "Indicator: TrojanDropper:Win32/Umrena.E": [[394, 422]], "Indicator: Trojan.Win32.A.Swisyn.46052": [[423, 450]], "Indicator: Trojan/Win32.Xema.C994": [[479, 501]], "Indicator: Trojan.VkHost": [[502, 515]], "Indicator: Trojan.DR.Umrena!flF93BG8zsg": [[516, 544]], "Indicator: W32/IrcMiranda.B.worm": [[545, 566]], "Indicator: Win32/Trojan.9dc": [[567, 583]]}, "info": {"id": "cyner2_8class_test_00432", "source": "cyner2_8class_test"}} {"text": "STEALING SENSITIVE INFORMATION FakeSpy has multiple built in information stealing capabilities .", "spans": {"Malware: FakeSpy": [[31, 38]]}, "info": {"id": "cyner2_8class_test_00433", "source": "cyner2_8class_test"}} {"text": "This type of change doesn't occur often and was coupled with some other interesting tidbits including how the HTTP 302 cushioning has evolved and the payload of 
another ransomware has changed.", "spans": {"Indicator: HTTP 302 cushioning": [[110, 129]], "Malware: payload": [[150, 157]], "Malware: ransomware": [[169, 179]]}, "info": {"id": "cyner2_8class_test_00434", "source": "cyner2_8class_test"}} {"text": "For a while, we have noticed that Magnitude EK has been using Internet Explorer vulnerabilities without necessarily resorting to Flash exploits.", "spans": {"Malware: Magnitude EK": [[34, 46]], "Vulnerability: Internet Explorer vulnerabilities": [[62, 95]], "Vulnerability: Flash exploits.": [[129, 144]]}, "info": {"id": "cyner2_8class_test_00435", "source": "cyner2_8class_test"}} {"text": "The reality is that the RAT permissions can be implemented just with the permissions declared on the manifest , thus there is no need for higher permissions .", "spans": {}, "info": {"id": "cyner2_8class_test_00436", "source": "cyner2_8class_test"}} {"text": "The timer triggers additional thread which makes a request to the server .", "spans": {}, "info": {"id": "cyner2_8class_test_00437", "source": "cyner2_8class_test"}} {"text": "Mcafee recently found on Google Play a type of mobile ransomware that does not encrypt files.", "spans": {"Organization: Mcafee": [[0, 6]], "Organization: Google Play": [[25, 36]], "Malware: mobile ransomware": [[47, 64]]}, "info": {"id": "cyner2_8class_test_00438", "source": "cyner2_8class_test"}} {"text": "There are two main methods used to deliver the malware to victims' computers: spam messages and exploit kits in particular, NuclearEK.", "spans": {"Malware: malware": [[47, 54]], "System: victims' computers:": [[58, 77]], "Indicator: spam messages": [[78, 91]], "Malware: exploit kits": [[96, 108]], "Malware: NuclearEK.": [[124, 134]]}, "info": {"id": "cyner2_8class_test_00439", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.UsernameHoxLnrA.Trojan Worm/W32.WBNA.159744 Heur.Win32.VBKrypt.2!O Trojan.Downloader.IC Trojan/AutoRun.VB.alc Trojan.VBKrypt.23 WORM_VOBFUS.SMAC 
Win32.Worm.Pronny.d W32.Changeup WORM_VOBFUS.SMAC Win.Trojan.Vobfus-70363 Worm.Win32.WBNA.ayx Trojan.Win32.VB.cojadt W32.W.WBNA.luev TrojWare.Win32.Diple.CY Trojan.VbCrypt.60 BehavesLike.Win32.VBObfus.cm Worm:Win32/Scparm.A Worm.Win32.WBNA.ayx Trojan/Win32.Diple.R13793 VBObfus.bb TScope.Trojan.VB Trojan.Win32.Koobface.p Trojan.Win32.Spy W32/VBKrypt.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.UsernameHoxLnrA.Trojan": [[26, 52]], "Indicator: Worm/W32.WBNA.159744": [[53, 73]], "Indicator: Heur.Win32.VBKrypt.2!O": [[74, 96]], "Indicator: Trojan.Downloader.IC": [[97, 117]], "Indicator: Trojan/AutoRun.VB.alc": [[118, 139]], "Indicator: Trojan.VBKrypt.23": [[140, 157]], "Indicator: WORM_VOBFUS.SMAC": [[158, 174], [208, 224]], "Indicator: Win32.Worm.Pronny.d": [[175, 194]], "Indicator: W32.Changeup": [[195, 207]], "Indicator: Win.Trojan.Vobfus-70363": [[225, 248]], "Indicator: Worm.Win32.WBNA.ayx": [[249, 268], [399, 418]], "Indicator: Trojan.Win32.VB.cojadt": [[269, 291]], "Indicator: W32.W.WBNA.luev": [[292, 307]], "Indicator: TrojWare.Win32.Diple.CY": [[308, 331]], "Indicator: Trojan.VbCrypt.60": [[332, 349]], "Indicator: BehavesLike.Win32.VBObfus.cm": [[350, 378]], "Indicator: Worm:Win32/Scparm.A": [[379, 398]], "Indicator: Trojan/Win32.Diple.R13793": [[419, 444]], "Indicator: VBObfus.bb": [[445, 455]], "Indicator: TScope.Trojan.VB": [[456, 472]], "Indicator: Trojan.Win32.Koobface.p": [[473, 496]], "Indicator: Trojan.Win32.Spy": [[497, 513]], "Indicator: W32/VBKrypt.C!tr": [[514, 530]]}, "info": {"id": "cyner2_8class_test_00440", "source": "cyner2_8class_test"}} {"text": "Back then, it was uncommon for malware to use this particular feature of Windows.", "spans": {"Malware: malware": [[31, 38]], "System: Windows.": [[73, 81]]}, "info": {"id": "cyner2_8class_test_00441", "source": "cyner2_8class_test"}} {"text": "Allows applications to open network sockets .", "spans": {}, "info": {"id": "cyner2_8class_test_00442", "source": "cyner2_8class_test"}} 
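The records on this page follow one JSONL convention: a `text` field, a `spans` map whose keys are `"Label: surface"` and whose values are lists of `[start, end]` character offsets into `text` (end exclusive), and an `info` block with the record id. The Python below is an added example, not part of the cyner2_8class_test corpus or its tooling: it loads records, checks the invariant `text[start:end] == surface` that every span must satisfy, flattens the span map into entity tuples, and projects the character spans onto whitespace tokens as BIO tags. The first sample record is copied from this page; the second (id `constructed_bad_offset`) is constructed with deliberately broken offsets so the checker has something to report.

```python
"""Reader and validator for the span-annotated JSONL records in this corpus.

Record shape: {"text": ..., "spans": {"Label: surface": [[start, end], ...]}, "info": {...}}
Offsets are Python-style character offsets into "text" (end exclusive), so the
invariant each record must satisfy is text[start:end] == surface.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample input: the first record is copied verbatim from the corpus
# above; the second is made up, with one off-by-one span and one span that
# falls outside the text, so the checker has failure cases to report.
SAMPLE_JSONL = """\
{"text": "Mcafee recently found on Google Play a type of mobile ransomware that does not encrypt files.", "spans": {"Organization: Mcafee": [[0, 6]], "Organization: Google Play": [[25, 36]], "Malware: mobile ransomware": [[47, 64]]}, "info": {"id": "cyner2_8class_test_00438", "source": "cyner2_8class_test"}}
{"text": "EventBot targets users of over 200 different financial applications .", "spans": {"Malware: EventBot": [[0, 9]], "Malware: nothing": [[300, 310]]}, "info": {"id": "constructed_bad_offset", "source": "constructed"}}
"""

Entity = Tuple[int, int, str, str]  # (start, end, label, surface)


def parse_span_key(key: str) -> Tuple[str, str]:
    """Split "Label: surface" on the first ': ' only; the surface may itself contain colons."""
    label, sep, surface = key.partition(": ")
    if not sep:
        raise ValueError(f"span key is not of the form 'Label: surface': {key!r}")
    return label, surface


def load_jsonl(blob: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in blob.splitlines() if line.strip()]


def validate_record(rec: dict) -> List[str]:
    """Return human-readable problems for one record; an empty list means it is consistent."""
    problems: List[str] = []
    text = rec["text"]
    for key, offsets in rec["spans"].items():
        label, surface = parse_span_key(key)
        for start, end in offsets:
            if not (0 <= start < end <= len(text)):
                problems.append(f"{label}: offsets [{start}, {end}] outside text of length {len(text)}")
                continue
            found = text[start:end]
            if found != surface:
                problems.append(f"{label}: text[{start}:{end}] is {found!r}, expected {surface!r}")
    return problems


def entities(rec: dict) -> List[Entity]:
    """Flatten the span map into (start, end, label, surface) tuples sorted by position."""
    out: List[Entity] = []
    for key, offsets in rec["spans"].items():
        label, surface = parse_span_key(key)
        for start, end in offsets:
            out.append((start, end, label, surface))
    return sorted(out)


def to_bio(rec: dict) -> List[Tuple[str, str]]:
    """Project character spans onto whitespace tokens as BIO tags.

    A token gets B-<label> when it starts exactly where a span starts, I-<label>
    when it lies wholly inside a span, and O otherwise. A span that cuts through
    the middle of a token leaves that token O rather than silently stretching
    the span to the token boundary.
    """
    spans = entities(rec)
    tagged: List[Tuple[str, str]] = []
    for match in re.finditer(r"\S+", rec["text"]):
        ts, te = match.start(), match.end()
        tag = "O"
        for start, end, label, _surface in spans:
            if start <= ts and te <= end:
                tag = ("B-" if ts == start else "I-") + label
                break
        tagged.append((match.group(), tag))
    return tagged


def check_corpus(blob: str) -> Dict[str, List[str]]:
    """Map each record id to its list of problems (empty list = clean)."""
    return {rec["info"]["id"]: validate_record(rec) for rec in load_jsonl(blob)}


if __name__ == "__main__":
    for rec_id, problems in check_corpus(SAMPLE_JSONL).items():
        print(rec_id, "OK" if not problems else problems)
```

Feed `check_corpus` the page's own records after joining each one back onto a single line. Some surfaces in this corpus keep trailing punctuation (for example `"Malware: Android Banker."` and `"Date: October 8,"`), which is why the BIO projection only tags a token that lies wholly inside a span instead of trimming or extending span boundaries.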
{"text": "A backdoor also known as: Ransom.Onion.17166 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Critroni.R00AC0DL217 Trojan-Ransom.Win32.Onion.dh Trojan.Win32.Z.Onion.200752 Troj.Ransom.W32!c Trojan.Encoder.858 Trojan.Vimditator.Win32.70 Ransom_Critroni.R00AC0DL217 BehavesLike.Win32.Backdoor.cc W32/Trojan.USOI-7993 Trojan/Win32.Vimditator Trojan.Kazy.D92ACD Trojan-Ransom.Win32.Onion.dh Ransom:Win32/Critroni.B Trojan/Win32.Ransom.C913974 Hoax.Onion Win32.Trojan.Onion.Pcsg Trojan.FileCryptor W32/Onion.DH!tr Win32/Trojan.49b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Onion.17166": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: Ransom_Critroni.R00AC0DL217": [[88, 115], [237, 264]], "Indicator: Trojan-Ransom.Win32.Onion.dh": [[116, 144], [359, 387]], "Indicator: Trojan.Win32.Z.Onion.200752": [[145, 172]], "Indicator: Troj.Ransom.W32!c": [[173, 190]], "Indicator: Trojan.Encoder.858": [[191, 209]], "Indicator: Trojan.Vimditator.Win32.70": [[210, 236]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[265, 294]], "Indicator: W32/Trojan.USOI-7993": [[295, 315]], "Indicator: Trojan/Win32.Vimditator": [[316, 339]], "Indicator: Trojan.Kazy.D92ACD": [[340, 358]], "Indicator: Ransom:Win32/Critroni.B": [[388, 411]], "Indicator: Trojan/Win32.Ransom.C913974": [[412, 439]], "Indicator: Hoax.Onion": [[440, 450]], "Indicator: Win32.Trojan.Onion.Pcsg": [[451, 474]], "Indicator: Trojan.FileCryptor": [[475, 493]], "Indicator: W32/Onion.DH!tr": [[494, 509]], "Indicator: Win32/Trojan.49b": [[510, 526]]}, "info": {"id": "cyner2_8class_test_00443", "source": "cyner2_8class_test"}} {"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries .", "spans": {}, "info": {"id": "cyner2_8class_test_00444", "source": "cyner2_8class_test"}} {"text": "The “ core ” module will use one of two methods to infect the 
application – Decompile and Binary .", "spans": {}, "info": {"id": "cyner2_8class_test_00445", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Kryptik.Win32.103188 Trojan/Kryptik.qhp TROJ_SPNR.16I612 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.AVPL-8335 Win32/Tracur.KC Trojan.Tracur.D TROJ_SPNR.16I612 Win.Trojan.30823-3 BehavesLike.Win32.PWSZbot.hc Trojan-Downloader.Win32.Tracur W32/Trojan2.NVIO W32.Pdf.Exploit TR/Dldr.Tracur.Y.4 Trojan/Win32.Scar Win32.Troj.DeepScan.kcloud Trojan:Win32/Tracur.Y Trojan.Win32.A.Scar.550912 Trojan/Win32.Menti.R145926 Trojan.Tracur Win32/TrojanDownloader.Tracur.D Trojan.Kryptik!MU/I7iKSs4k", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Trojan.Kryptik.Win32.103188": [[44, 71]], "Indicator: Trojan/Kryptik.qhp": [[72, 90]], "Indicator: TROJ_SPNR.16I612": [[91, 107], [204, 220]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[108, 150]], "Indicator: W32/Trojan.AVPL-8335": [[151, 171]], "Indicator: Win32/Tracur.KC": [[172, 187]], "Indicator: Trojan.Tracur.D": [[188, 203]], "Indicator: Win.Trojan.30823-3": [[221, 239]], "Indicator: BehavesLike.Win32.PWSZbot.hc": [[240, 268]], "Indicator: Trojan-Downloader.Win32.Tracur": [[269, 299]], "Indicator: W32/Trojan2.NVIO": [[300, 316]], "Indicator: W32.Pdf.Exploit": [[317, 332]], "Indicator: TR/Dldr.Tracur.Y.4": [[333, 351]], "Indicator: Trojan/Win32.Scar": [[352, 369]], "Indicator: Win32.Troj.DeepScan.kcloud": [[370, 396]], "Indicator: Trojan:Win32/Tracur.Y": [[397, 418]], "Indicator: Trojan.Win32.A.Scar.550912": [[419, 445]], "Indicator: Trojan/Win32.Menti.R145926": [[446, 472]], "Indicator: Trojan.Tracur": [[473, 486]], "Indicator: Win32/TrojanDownloader.Tracur.D": [[487, 518]], "Indicator: Trojan.Kryptik!MU/I7iKSs4k": [[519, 545]]}, "info": {"id": "cyner2_8class_test_00446", "source": "cyner2_8class_test"}} {"text": "Latest version ( 2018 ) Let ’ s now return to the present 
day and a detailed description of the functionality of a current representative of the Rotexy family ( SHA256 : ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ) .", "spans": {"Malware: Rotexy": [[145, 151]], "Indicator: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84": [[170, 234]]}, "info": {"id": "cyner2_8class_test_00447", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin BackDoor-PK.plugin Backdoor/UltimateRAT.plugin Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT!1s7gtpI1GIE Backdoor.Trojan UltimateRAT.BF Backdoor.Win32.UltimateRAT.plugin Trojan.Win32.UltimateRAT.bsemwg Backdoor.UltimateRAT.Plugin Backdoor.Win32.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin BackDoor.Rat.20 Backdoor.UltimateRAT.Win32.41 BackDoor-PK.plugin W32/Risk.IYJI-7514 Backdoor/UltimateRAT.plugjt BDS/UltimaRat.PI.11 Trojan[Backdoor]/Win32.UltimateRAT Win32.Hack.UltimateRAT.pl.kcloud Backdoor:Win32/UltimateRat.2_0.plugin Win-Trojan/Ultimaterat.11264 Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.plugin Win32/UltimateRAT.Plugin Backdoor.Win32.UltimateRat.plugin W32/Bdoor.PK!tr.bdr BackDoor.UltimateRAT Backdoor.Win32.UltimateRAT.plugin", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.UltimateRAT.Plugin": [[26, 53], [54, 81], [129, 156], [287, 314], [349, 376], [644, 671], [672, 699]], "Indicator: BackDoor-PK.plugin": [[82, 100], [423, 441]], "Indicator: Backdoor/UltimateRAT.plugin": [[101, 128]], "Indicator: Backdoor.UltimateRAT!1s7gtpI1GIE": [[157, 189]], "Indicator: Backdoor.Trojan": [[190, 205]], "Indicator: UltimateRAT.BF": [[206, 220]], "Indicator: Backdoor.Win32.UltimateRAT.plugin": [[221, 254], [828, 861]], "Indicator: Trojan.Win32.UltimateRAT.bsemwg": [[255, 286]], "Indicator: Backdoor.Win32.UltimateRAT.Plugin": [[315, 348]], "Indicator: BackDoor.Rat.20": [[377, 392]], "Indicator: Backdoor.UltimateRAT.Win32.41": [[393, 422]], 
"Indicator: W32/Risk.IYJI-7514": [[442, 460]], "Indicator: Backdoor/UltimateRAT.plugjt": [[461, 488]], "Indicator: BDS/UltimaRat.PI.11": [[489, 508]], "Indicator: Trojan[Backdoor]/Win32.UltimateRAT": [[509, 543]], "Indicator: Win32.Hack.UltimateRAT.pl.kcloud": [[544, 576]], "Indicator: Backdoor:Win32/UltimateRat.2_0.plugin": [[577, 614]], "Indicator: Win-Trojan/Ultimaterat.11264": [[615, 643]], "Indicator: Backdoor.UltimateRAT.plugin": [[700, 727]], "Indicator: Win32/UltimateRAT.Plugin": [[728, 752]], "Indicator: Backdoor.Win32.UltimateRat.plugin": [[753, 786]], "Indicator: W32/Bdoor.PK!tr.bdr": [[787, 806]], "Indicator: BackDoor.UltimateRAT": [[807, 827]]}, "info": {"id": "cyner2_8class_test_00448", "source": "cyner2_8class_test"}} {"text": "The Gamarue aka Andromeda botnet is a highly modular botnet family that allows attackers to take complete control of an infected system and perform a range of malicious activity by downloading additional payloads.", "spans": {"Malware: Gamarue": [[4, 11]], "Malware: botnet": [[53, 59]], "System: infected system": [[120, 135]], "Indicator: downloading additional payloads.": [[181, 213]]}, "info": {"id": "cyner2_8class_test_00449", "source": "cyner2_8class_test"}} {"text": "This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.", "spans": {"Organization: Tibetan community,": [[74, 92]], "Indicator: sharing attachments via e-mail to using cloud-based file sharing": [[130, 194]], "System: Google Drive.": [[216, 229]]}, "info": {"id": "cyner2_8class_test_00450", "source": "cyner2_8class_test"}} {"text": "The Campaign achieved exponential growth from June to December 2018 with the infection number staying stable into early 2019 .", "spans": {}, "info": {"id": "cyner2_8class_test_00451", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
Trojan.Zenshirsh.SL7 Trojan.Win32.Dwn.eemvmy Trojan.DownLoader17.29370 DDoS.Win32.Flusihoc DDoS:Win32/Flusihoc.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zenshirsh.SL7": [[26, 46]], "Indicator: Trojan.Win32.Dwn.eemvmy": [[47, 70]], "Indicator: Trojan.DownLoader17.29370": [[71, 96]], "Indicator: DDoS.Win32.Flusihoc": [[97, 116]], "Indicator: DDoS:Win32/Flusihoc.A": [[117, 138]]}, "info": {"id": "cyner2_8class_test_00452", "source": "cyner2_8class_test"}} {"text": "Major government sectors and corporations in both Taiwan and the Philippines have become the latest targets in an ongoing attack campaign in the Asia Pacific region.", "spans": {"Organization: government sectors and corporations": [[6, 41]], "Location: Taiwan": [[50, 56]], "Location: Philippines": [[65, 76]], "Indicator: attack campaign": [[122, 137]], "Location: Asia Pacific region.": [[145, 165]]}, "info": {"id": "cyner2_8class_test_00453", "source": "cyner2_8class_test"}} {"text": "As the attacker attempts to remove all local traces, it is highly recommended to deploy and use a remote logging service e.g. remote syslog.", "spans": {"ThreatActor: attacker": [[7, 15]], "Malware: remote logging service e.g. 
remote syslog.": [[98, 140]]}, "info": {"id": "cyner2_8class_test_00454", "source": "cyner2_8class_test"}} {"text": "It uses the same trick to prevent the smartphone from being returned to its factory settings .", "spans": {}, "info": {"id": "cyner2_8class_test_00455", "source": "cyner2_8class_test"}} {"text": "The malicious apps can steal personally identifiable and financial data and install additional apps .", "spans": {}, "info": {"id": "cyner2_8class_test_00456", "source": "cyner2_8class_test"}} {"text": "A lockdown activity , which is a transparent window shown at the top of the screen that contains a “ loading ” cursor .", "spans": {}, "info": {"id": "cyner2_8class_test_00457", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Ruskill!O Trojan.Zusy.D8577 Win32.Trojan.WisdomEyes.16070401.9500.9969 Trojan.Stabuniq Trojan.Win32.Ruskill.edxmao Trojan.Win32.Z.Zusy.59392.TB Trojan.Buniq.2 Trojan/Invader.iin TR/Buniq.A.3 Trojan:Win32/Buniq.A Win32/Trojan.e18", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Ruskill!O": [[26, 50]], "Indicator: Trojan.Zusy.D8577": [[51, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9969": [[69, 111]], "Indicator: Trojan.Stabuniq": [[112, 127]], "Indicator: Trojan.Win32.Ruskill.edxmao": [[128, 155]], "Indicator: Trojan.Win32.Z.Zusy.59392.TB": [[156, 184]], "Indicator: Trojan.Buniq.2": [[185, 199]], "Indicator: Trojan/Invader.iin": [[200, 218]], "Indicator: TR/Buniq.A.3": [[219, 231]], "Indicator: Trojan:Win32/Buniq.A": [[232, 252]], "Indicator: Win32/Trojan.e18": [[253, 269]]}, "info": {"id": "cyner2_8class_test_00458", "source": "cyner2_8class_test"}} {"text": "Triada : organized crime on Android 2 .", "spans": {"Malware: Triada": [[0, 6]], "System: Android": [[28, 35]]}, "info": {"id": "cyner2_8class_test_00459", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Blocker.131072.M TrojanRansom.Blocker.aapj Trojan/SpyVoltar.a 
Trojan-Ransom.Win32.Blocker.aapj Trojan.SpyVoltar!4cYYgmm5xhU TrojWare.Win32.Injector.pqb BackDoor.Butirat.233 Win32.Troj.Undef.kcloud Trojan/Win32.Blocker Hoax.Blocker.aapj Win32/SpyVoltar.A Virus.Win32.Vundo W32/Injector.ZSC!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Blocker.131072.M": [[26, 53]], "Indicator: TrojanRansom.Blocker.aapj": [[54, 79]], "Indicator: Trojan/SpyVoltar.a": [[80, 98]], "Indicator: Trojan-Ransom.Win32.Blocker.aapj": [[99, 131]], "Indicator: Trojan.SpyVoltar!4cYYgmm5xhU": [[132, 160]], "Indicator: TrojWare.Win32.Injector.pqb": [[161, 188]], "Indicator: BackDoor.Butirat.233": [[189, 209]], "Indicator: Win32.Troj.Undef.kcloud": [[210, 233]], "Indicator: Trojan/Win32.Blocker": [[234, 254]], "Indicator: Hoax.Blocker.aapj": [[255, 272]], "Indicator: Win32/SpyVoltar.A": [[273, 290]], "Indicator: Virus.Win32.Vundo": [[291, 308]], "Indicator: W32/Injector.ZSC!tr": [[309, 328]]}, "info": {"id": "cyner2_8class_test_00460", "source": "cyner2_8class_test"}} {"text": "Oddly enough they also use it to make fun of the AV community , sharing detection screenshots from VirusTotal ( thus leaking IoC ) and even engaging in discussions with malware researchers directly The following screenshot shows tweets from their advertisement campaign : That unusual behavior could be explained by the combination of the need for attention and a probable lack of experience .", "spans": {"Organization: VirusTotal": [[99, 109]]}, "info": {"id": "cyner2_8class_test_00461", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.ConimeFV.Trojan Trojan.Downloader.Dapato.D Trojan-Dropper.Win32.Dapato!O Trojan.Vasport Dropper.Dapato.Win32.9027 Troj.Dropper.W32.Dapato.bcdy!c BKDR_SERVPAS.HVN W32/Trojan2.NRVO Backdoor.Vasport BKDR_SERVPAS.HVN Win.Trojan.Hydraq-113 Trojan-Dropper.Win32.Dapato.bcdy Trojan.Downloader.Dapato.D Trojan.Win32.UPKM.duxsmi Trojan.Downloader.Dapato.D Trojan.Downloader.Dapato.D Trojan.DownLoader6.15302 
Trojan-Dropper.Win32.Dapato W32/Trojan.RCHY-1259 TrojanDropper.Dapato.gta TR/Vasport.A W32/Dapato.BCDY!tr Trojan[Dropper]/Win32.Dapato Win32.Troj.Dapato.kcloud Trojan.Downloader.Dapato.D Trojan-Dropper.Win32.Dapato.bcdy Trojan:Win32/Vasport.A Win-Trojan/Vasport.57344 Trojan.Vasport.57344 TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Wurh Trojan.DR.Dapato!XiP/be+f/0U Trojan.Downloader.Dapato.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.ConimeFV.Trojan": [[26, 45]], "Indicator: Trojan.Downloader.Dapato.D": [[46, 72], [298, 324], [350, 376], [377, 403], [589, 615], [801, 827]], "Indicator: Trojan-Dropper.Win32.Dapato!O": [[73, 102]], "Indicator: Trojan.Vasport": [[103, 117]], "Indicator: Dropper.Dapato.Win32.9027": [[118, 143]], "Indicator: Troj.Dropper.W32.Dapato.bcdy!c": [[144, 174]], "Indicator: BKDR_SERVPAS.HVN": [[175, 191], [226, 242]], "Indicator: W32/Trojan2.NRVO": [[192, 208]], "Indicator: Backdoor.Vasport": [[209, 225]], "Indicator: Win.Trojan.Hydraq-113": [[243, 264]], "Indicator: Trojan-Dropper.Win32.Dapato.bcdy": [[265, 297], [616, 648]], "Indicator: Trojan.Win32.UPKM.duxsmi": [[325, 349]], "Indicator: Trojan.DownLoader6.15302": [[404, 428]], "Indicator: Trojan-Dropper.Win32.Dapato": [[429, 456]], "Indicator: W32/Trojan.RCHY-1259": [[457, 477]], "Indicator: TrojanDropper.Dapato.gta": [[478, 502]], "Indicator: TR/Vasport.A": [[503, 515]], "Indicator: W32/Dapato.BCDY!tr": [[516, 534]], "Indicator: Trojan[Dropper]/Win32.Dapato": [[535, 563]], "Indicator: Win32.Troj.Dapato.kcloud": [[564, 588]], "Indicator: Trojan:Win32/Vasport.A": [[649, 671]], "Indicator: Win-Trojan/Vasport.57344": [[672, 696]], "Indicator: Trojan.Vasport.57344": [[697, 717]], "Indicator: TrojanDropper.Dapato": [[718, 738]], "Indicator: Win32.Trojan-dropper.Dapato.Wurh": [[739, 771]], "Indicator: Trojan.DR.Dapato!XiP/be+f/0U": [[772, 800]]}, "info": {"id": "cyner2_8class_test_00462", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
Worm.Win32.SillyShareCopy!IK Packed.Win32.Krap.w Heur.Packed.Unknown Trojan.Winlock.938 TROJ_QAKBOT.SMG BScope.Malware-Cryptor.073 Worm.Win32.SillyShareCopy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.SillyShareCopy!IK": [[26, 54]], "Indicator: Packed.Win32.Krap.w": [[55, 74]], "Indicator: Heur.Packed.Unknown": [[75, 94]], "Indicator: Trojan.Winlock.938": [[95, 113]], "Indicator: TROJ_QAKBOT.SMG": [[114, 129]], "Indicator: BScope.Malware-Cryptor.073": [[130, 156]], "Indicator: Worm.Win32.SillyShareCopy": [[157, 182]]}, "info": {"id": "cyner2_8class_test_00463", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Delf Trojan.Razy.D37D5D Trojan.Win32.Delf.eoam Trojan.Win32.Delf.ewsqwr Troj.W32.Delf!c BehavesLike.Win32.Dropper.wh Trojan-Downloader.Win32.Inferiore W32/Trojan.UHFF-6546 TR/Delf.nphvp Trojan/Win32.Delf Trojan.Win32.Delf.eoam Trojan.Dropper Trj/RnkBend.A Win32.Trojan.Delf.Pgmw Win32/Trojan.874", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Delf": [[26, 37]], "Indicator: Trojan.Razy.D37D5D": [[38, 56]], "Indicator: Trojan.Win32.Delf.eoam": [[57, 79], [237, 259]], "Indicator: Trojan.Win32.Delf.ewsqwr": [[80, 104]], "Indicator: Troj.W32.Delf!c": [[105, 120]], "Indicator: BehavesLike.Win32.Dropper.wh": [[121, 149]], "Indicator: Trojan-Downloader.Win32.Inferiore": [[150, 183]], "Indicator: W32/Trojan.UHFF-6546": [[184, 204]], "Indicator: TR/Delf.nphvp": [[205, 218]], "Indicator: Trojan/Win32.Delf": [[219, 236]], "Indicator: Trojan.Dropper": [[260, 274]], "Indicator: Trj/RnkBend.A": [[275, 288]], "Indicator: Win32.Trojan.Delf.Pgmw": [[289, 311]], "Indicator: Win32/Trojan.874": [[312, 328]]}, "info": {"id": "cyner2_8class_test_00464", "source": "cyner2_8class_test"}} {"text": "This particular new routine points to the possibility of the cybercriminals' intention of riding on the popularity of the Olympics to lure users.", "spans": {}, "info": {"id": "cyner2_8class_test_00465", "source": 
"cyner2_8class_test"}} {"text": "Here is an approximate diagram of the opcode data structure : Figure 5 .", "spans": {}, "info": {"id": "cyner2_8class_test_00466", "source": "cyner2_8class_test"}} {"text": "Users are cautioned to research and check reviews before they download apps .", "spans": {}, "info": {"id": "cyner2_8class_test_00467", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Spyware.LokiBot W32/Injector.GGA Trojan.PWS.Stealer.21373 BehavesLike.Win32.Trojan.jh W32/Injector.UJPR-1263 DR/Delphi.updmg Trojan[Backdoor]/Win32.Androm Trojan.Crypt Win32/Trojan.805", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Spyware.LokiBot": [[26, 41]], "Indicator: W32/Injector.GGA": [[42, 58]], "Indicator: Trojan.PWS.Stealer.21373": [[59, 83]], "Indicator: BehavesLike.Win32.Trojan.jh": [[84, 111]], "Indicator: W32/Injector.UJPR-1263": [[112, 134]], "Indicator: DR/Delphi.updmg": [[135, 150]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[151, 180]], "Indicator: Trojan.Crypt": [[181, 193]], "Indicator: Win32/Trojan.805": [[194, 210]]}, "info": {"id": "cyner2_8class_test_00468", "source": "cyner2_8class_test"}} {"text": "On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.", "spans": {"Date: January 10, 2017,": [[3, 20]], "Organization: Italian police,": [[59, 74]], "Indicator: cyberattacks": [[100, 112]], "Malware: at": [[122, 124]], "Organization: Italian government members": [[129, 155]], "Organization: institutions.": [[160, 173]]}, "info": {"id": "cyner2_8class_test_00469", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom.Crypren.6971 Trojan.Gpcode.Win32.71 Win32.Trojan.WisdomEyes.16070401.9500.9971 Ransom.OMG Win32.Trojan-Ransom.GPCode.A Trojan-Ransom.Win32.Crypren.pjx Trojan.Win32.Crypren.cssknx Trojan.Win32.Z.Crypren.13829 Trojan.Encoder.385 Trojan/Crypren.bt Trojan-Ransom.Win32.Crypren.pjx 
Ransom:Win32/Fortrypt.A Hoax.Crypren Trj/CI.A Win32.Trojan.Crypren.Wska Trojan.Crypren!hLlCoLoECeg Win32/Trojan.Ransom.2a6", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Crypren.6971": [[26, 45]], "Indicator: Trojan.Gpcode.Win32.71": [[46, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9971": [[69, 111]], "Indicator: Ransom.OMG": [[112, 122]], "Indicator: Win32.Trojan-Ransom.GPCode.A": [[123, 151]], "Indicator: Trojan-Ransom.Win32.Crypren.pjx": [[152, 183], [278, 309]], "Indicator: Trojan.Win32.Crypren.cssknx": [[184, 211]], "Indicator: Trojan.Win32.Z.Crypren.13829": [[212, 240]], "Indicator: Trojan.Encoder.385": [[241, 259]], "Indicator: Trojan/Crypren.bt": [[260, 277]], "Indicator: Ransom:Win32/Fortrypt.A": [[310, 333]], "Indicator: Hoax.Crypren": [[334, 346]], "Indicator: Trj/CI.A": [[347, 355]], "Indicator: Win32.Trojan.Crypren.Wska": [[356, 381]], "Indicator: Trojan.Crypren!hLlCoLoECeg": [[382, 408]], "Indicator: Win32/Trojan.Ransom.2a6": [[409, 432]]}, "info": {"id": "cyner2_8class_test_00470", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Script Trojan/Dropper.VB.oqo Win32.Trojan.WisdomEyes.16070401.9500.9532 BehavesLike.Win32.Tupym.bc TR/AD.ContadorBot.bwojd Trojan:Win32/Beeldeb.C Trj/CI.A Win32/TrojanDropper.Autoit.IE Trojan-Dropper.Win32.Autoit W32/Autoit.IE!tr Win32/Trojan.2d9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script": [[26, 39]], "Indicator: Trojan/Dropper.VB.oqo": [[40, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9532": [[62, 104]], "Indicator: BehavesLike.Win32.Tupym.bc": [[105, 131]], "Indicator: TR/AD.ContadorBot.bwojd": [[132, 155]], "Indicator: Trojan:Win32/Beeldeb.C": [[156, 178]], "Indicator: Trj/CI.A": [[179, 187]], "Indicator: Win32/TrojanDropper.Autoit.IE": [[188, 217]], "Indicator: Trojan-Dropper.Win32.Autoit": [[218, 245]], "Indicator: W32/Autoit.IE!tr": [[246, 262]], "Indicator: Win32/Trojan.2d9": [[263, 279]]}, "info": {"id": 
"cyner2_8class_test_00471", "source": "cyner2_8class_test"}} {"text": "The AhnLab Security Emergency Response Center ASEC analysis team detected the distribution of CHM malware, which is believed to have been created by the RedEyes threat actor also known as APT37, ScarCruft, to domestic users.", "spans": {"Organization: The AhnLab Security Emergency Response Center ASEC analysis team": [[0, 64]], "Malware: CHM malware,": [[94, 106]], "ThreatActor: the RedEyes threat actor": [[149, 173]], "ThreatActor: APT37, ScarCruft,": [[188, 205]], "Organization: domestic users.": [[209, 224]]}, "info": {"id": "cyner2_8class_test_00472", "source": "cyner2_8class_test"}} {"text": "These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors.", "spans": {"Indicator: attacks": [[6, 13]], "Organization: organizations": [[48, 61]], "Organization: banking, securities, trading,": [[79, 108]], "Organization: payroll sectors.": [[113, 129]]}, "info": {"id": "cyner2_8class_test_00473", "source": "cyner2_8class_test"}} {"text": "Despite its small size of 6 KB, this downloader didn t look very special at first.", "spans": {"Indicator: small size of 6 KB,": [[12, 31]], "Malware: downloader": [[37, 47]]}, "info": {"id": "cyner2_8class_test_00474", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Small Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Graybird TROJ_DLOADER.GWK Win.Downloader.Small-3303 Trojan-Downloader.Win32.Small.dwu Trojan.Win32.Hupigon.dxlfko Backdoor.Win32.vanbot.hg Trojan.DownLoader.14116 Downloader.Small.Win32.20647 TROJ_DLOADER.GWK Trojan-Downloader.Win32.Delf TrojanDownloader.Delf.amt Trojan[Downloader]/Win32.Small Win32.Troj.Downloader.sl.kcloud Trojan-Downloader.Win32.Small.dwu Trojan/Win32.Downloader.R86636 BScope.Trojan-Spy.Zbot Win32/Trojan.d54", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan-Downloader.Win32.Small!O": [[26, 57]], "Indicator: TrojanDownloader.Small": [[58, 80]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[81, 123]], "Indicator: Backdoor.Graybird": [[124, 141]], "Indicator: TROJ_DLOADER.GWK": [[142, 158], [325, 341]], "Indicator: Win.Downloader.Small-3303": [[159, 184]], "Indicator: Trojan-Downloader.Win32.Small.dwu": [[185, 218], [460, 493]], "Indicator: Trojan.Win32.Hupigon.dxlfko": [[219, 246]], "Indicator: Backdoor.Win32.vanbot.hg": [[247, 271]], "Indicator: Trojan.DownLoader.14116": [[272, 295]], "Indicator: Downloader.Small.Win32.20647": [[296, 324]], "Indicator: Trojan-Downloader.Win32.Delf": [[342, 370]], "Indicator: TrojanDownloader.Delf.amt": [[371, 396]], "Indicator: Trojan[Downloader]/Win32.Small": [[397, 427]], "Indicator: Win32.Troj.Downloader.sl.kcloud": [[428, 459]], "Indicator: Trojan/Win32.Downloader.R86636": [[494, 524]], "Indicator: BScope.Trojan-Spy.Zbot": [[525, 547]], "Indicator: Win32/Trojan.d54": [[548, 564]]}, "info": {"id": "cyner2_8class_test_00475", "source": "cyner2_8class_test"}} {"text": "EventBot targets users of over 200 different financial applications , including banking , money transfer services , and crypto-currency wallets .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_8class_test_00476", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Goosky W32/Backdoor2.HTEW Nice.A Trojan.Win32.Xtrat.abdv Trojan.Win32.ZAccess.cvhheu Trojan.Win32.Z.Kazy.3450368 TrojWare.Win32.Injector.ARVP Trojan.PWS.Multi.1182 Trojan.Scarsi.Win32.1081 BehavesLike.Win32.Dropper.wm W32/Backdoor.OGZU-7605 Backdoor/SdBot.mky TR/Injector.ngeoz Worm:Win32/Goosky.A Trojan.Kazy.D48641 Trojan.Win32.Xtrat.abdv Backdoor.ZAccess Trj/CI.A I-Worm.Neeris.B Win32/Injector.ARHG Trojan.Win32.Patcher Win32/Trojan.7b3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Goosky": [[26, 37]], "Indicator: W32/Backdoor2.HTEW": [[38, 56]], "Indicator: Nice.A": [[57, 63]], 
"Indicator: Trojan.Win32.Xtrat.abdv": [[64, 87], [348, 371]], "Indicator: Trojan.Win32.ZAccess.cvhheu": [[88, 115]], "Indicator: Trojan.Win32.Z.Kazy.3450368": [[116, 143]], "Indicator: TrojWare.Win32.Injector.ARVP": [[144, 172]], "Indicator: Trojan.PWS.Multi.1182": [[173, 194]], "Indicator: Trojan.Scarsi.Win32.1081": [[195, 219]], "Indicator: BehavesLike.Win32.Dropper.wm": [[220, 248]], "Indicator: W32/Backdoor.OGZU-7605": [[249, 271]], "Indicator: Backdoor/SdBot.mky": [[272, 290]], "Indicator: TR/Injector.ngeoz": [[291, 308]], "Indicator: Worm:Win32/Goosky.A": [[309, 328]], "Indicator: Trojan.Kazy.D48641": [[329, 347]], "Indicator: Backdoor.ZAccess": [[372, 388]], "Indicator: Trj/CI.A": [[389, 397]], "Indicator: I-Worm.Neeris.B": [[398, 413]], "Indicator: Win32/Injector.ARHG": [[414, 433]], "Indicator: Trojan.Win32.Patcher": [[434, 454]], "Indicator: Win32/Trojan.7b3": [[455, 471]]}, "info": {"id": "cyner2_8class_test_00477", "source": "cyner2_8class_test"}} {"text": "On Tuesday September 26, 2017 MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia.", "spans": {"Date: Tuesday September 26, 2017": [[3, 29]], "Organization: MalwareBytes": [[30, 42]], "ThreatActor: a phishing campaign": [[57, 76]], "Location: the Middle East,": [[87, 103]], "Location: Saudi Arabia.": [[122, 135]]}, "info": {"id": "cyner2_8class_test_00478", "source": "cyner2_8class_test"}} {"text": "The second section will provide an analysis on campaign information that was gathered throughout the research.", "spans": {}, "info": {"id": "cyner2_8class_test_00479", "source": "cyner2_8class_test"}} {"text": "The blog post said HummingBad \" uses a completely different infrastructure with little in common '' with Shedun .", "spans": {"Malware: HummingBad": [[19, 29]]}, "info": {"id": "cyner2_8class_test_00480", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Buzus.28672.DN TrojWare.Win32.TrojanDropper.Binder.v 
Backdoor/Bifrose.zjs Backdoor.Poison/Variant Win32.Risk.Dropper.Wlpb W32/Dx.TJZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Buzus.28672.DN": [[26, 51]], "Indicator: TrojWare.Win32.TrojanDropper.Binder.v": [[52, 89]], "Indicator: Backdoor/Bifrose.zjs": [[90, 110]], "Indicator: Backdoor.Poison/Variant": [[111, 134]], "Indicator: Win32.Risk.Dropper.Wlpb": [[135, 158]], "Indicator: W32/Dx.TJZ!tr": [[159, 172]]}, "info": {"id": "cyner2_8class_test_00481", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Graftor.D103D8 Win32.Trojan.WisdomEyes.16070401.9500.9984 Win32/Danmec.C Troj.W32.Jorik.Fraud.luCt Trojan.DownLoader6.2355 Trojan.Jorik.Win32.73903 BehavesLike.Win32.LoadMoney.dh Trojan/Jorik.Aspxor.bu Trojan.Win32.Jorik Trojan/Jorik.cfft TR/Kazy.LU.1 Trojan/Win32.Unknown Win32.Troj.Jorik.bu.kcloud TrojanDropper:Win32/Danmec.A W32/Dofoil.QTZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D103D8": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[48, 90]], "Indicator: Win32/Danmec.C": [[91, 105]], "Indicator: Troj.W32.Jorik.Fraud.luCt": [[106, 131]], "Indicator: Trojan.DownLoader6.2355": [[132, 155]], "Indicator: Trojan.Jorik.Win32.73903": [[156, 180]], "Indicator: BehavesLike.Win32.LoadMoney.dh": [[181, 211]], "Indicator: Trojan/Jorik.Aspxor.bu": [[212, 234]], "Indicator: Trojan.Win32.Jorik": [[235, 253]], "Indicator: Trojan/Jorik.cfft": [[254, 271]], "Indicator: TR/Kazy.LU.1": [[272, 284]], "Indicator: Trojan/Win32.Unknown": [[285, 305]], "Indicator: Win32.Troj.Jorik.bu.kcloud": [[306, 332]], "Indicator: TrojanDropper:Win32/Danmec.A": [[333, 361]], "Indicator: W32/Dofoil.QTZ!tr": [[362, 379]]}, "info": {"id": "cyner2_8class_test_00482", "source": "cyner2_8class_test"}} {"text": "Wind Tre SpA - an Italian telecom operator TMCell - the state owned mobile operator in Turkmenistan Deployment to users outside Apple ’ s app store was made possible through abuse of Apple ’ s 
enterprise provisioning system .", "spans": {"Organization: Wind Tre SpA": [[0, 12]], "Organization: TMCell": [[43, 49]], "Organization: Apple": [[128, 133], [183, 188]]}, "info": {"id": "cyner2_8class_test_00483", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9952 BackDoor.Bladabindi.1056 BehavesLike.Win32.Backdoor.fc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9952": [[26, 68]], "Indicator: BackDoor.Bladabindi.1056": [[69, 93]], "Indicator: BehavesLike.Win32.Backdoor.fc": [[94, 123]]}, "info": {"id": "cyner2_8class_test_00484", "source": "cyner2_8class_test"}} {"text": "Initial phase During this phase , the Trojan tries to gain root rights on the device and to install some modules .", "spans": {}, "info": {"id": "cyner2_8class_test_00485", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Application.Hacktool.Bruteforce.L Hacktool.Ngbrumail Win.Trojan.Hacktool-1108 Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce Trojan.Bladabindi.Win32.91392 BehavesLike.Win32.BackdoorNJRat.pm HackTool:Win32/Ngbrumail.A Application.Hacktool.Bruteforce.L Trojan/Win32.MSIL.C2164956 MSIL/HackTool.BruteForce.AI MSIL/BruteForce.AI!tr Trj/CI.A Win32/Application.Hacktool.d5d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.Bruteforce.L": [[26, 59], [104, 137], [138, 171], [172, 205], [330, 363]], "Indicator: Hacktool.Ngbrumail": [[60, 78]], "Indicator: Win.Trojan.Hacktool-1108": [[79, 103]], "Indicator: Application.Hacktool.Bruteforce": [[206, 237]], "Indicator: Trojan.Bladabindi.Win32.91392": [[238, 267]], "Indicator: BehavesLike.Win32.BackdoorNJRat.pm": [[268, 302]], "Indicator: HackTool:Win32/Ngbrumail.A": [[303, 329]], "Indicator: Trojan/Win32.MSIL.C2164956": [[364, 390]], "Indicator: MSIL/HackTool.BruteForce.AI": [[391, 418]], "Indicator: 
MSIL/BruteForce.AI!tr": [[419, 440]], "Indicator: Trj/CI.A": [[441, 449]], "Indicator: Win32/Application.Hacktool.d5d": [[450, 480]]}, "info": {"id": "cyner2_8class_test_00486", "source": "cyner2_8class_test"}} {"text": "It also has the ability to load custom features tailored to individual targets.", "spans": {}, "info": {"id": "cyner2_8class_test_00487", "source": "cyner2_8class_test"}} {"text": "Operation Lotus Blossom describes a persistent cyber espionage campaign against government and military organizations in Southeast Asia.", "spans": {"ThreatActor: Operation Lotus Blossom": [[0, 23]], "ThreatActor: cyber espionage campaign": [[47, 71]], "Organization: government": [[80, 90]], "Organization: military organizations": [[95, 117]], "Location: Southeast": [[121, 130]], "Location: Asia.": [[131, 136]]}, "info": {"id": "cyner2_8class_test_00488", "source": "cyner2_8class_test"}} {"text": "Another example of FakeSpy ’ s anti-emulation techniques is how it uses the getMachine function , which uses the TelephonyManager class to check for the deviceID , phone number , IMEI , and IMSI .", "spans": {"Malware: FakeSpy": [[19, 26]]}, "info": {"id": "cyner2_8class_test_00489", "source": "cyner2_8class_test"}} {"text": "Code structure Obviously , this code is not obfuscated when compared with the previous version it becomes clear that this is the same code base .", "spans": {}, "info": {"id": "cyner2_8class_test_00490", "source": "cyner2_8class_test"}} {"text": "Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market .", "spans": {}, "info": {"id": "cyner2_8class_test_00491", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.GTbot!O Trojan/Aebot.c TROJ_SPNR.35DG13 Win32.Backdoor.Aebot.e W32/Trojan.HMPR-5159 TROJ_SPNR.35DG13 Win.Trojan.Sdbot-2485 Backdoor.Win32.GTbot.c Trojan.Win32.GTbot.brmmqq Backdoor.W32.Gtbot!c Backdoor.Win32.Aebot.C 
Win32.IRC.Bot.based BehavesLike.Win32.Backdoor.cz Backdoor.Win32.Aebot.C Backdoor/Aebot.ah Trojan[Backdoor]/Win32.GTbot Backdoor.Win32.GTbot.c BScope.P2P-Worm.Palevo Win32/Aebot.C Win32.Backdoor.Gtbot.Hufw Backdoor.Aebot!g5wkJjEeLc0 W32/Aebot.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.GTbot!O": [[26, 48]], "Indicator: Trojan/Aebot.c": [[49, 63]], "Indicator: TROJ_SPNR.35DG13": [[64, 80], [125, 141]], "Indicator: Win32.Backdoor.Aebot.e": [[81, 103]], "Indicator: W32/Trojan.HMPR-5159": [[104, 124]], "Indicator: Win.Trojan.Sdbot-2485": [[142, 163]], "Indicator: Backdoor.Win32.GTbot.c": [[164, 186], [377, 399]], "Indicator: Trojan.Win32.GTbot.brmmqq": [[187, 212]], "Indicator: Backdoor.W32.Gtbot!c": [[213, 233]], "Indicator: Backdoor.Win32.Aebot.C": [[234, 256], [307, 329]], "Indicator: Win32.IRC.Bot.based": [[257, 276]], "Indicator: BehavesLike.Win32.Backdoor.cz": [[277, 306]], "Indicator: Backdoor/Aebot.ah": [[330, 347]], "Indicator: Trojan[Backdoor]/Win32.GTbot": [[348, 376]], "Indicator: BScope.P2P-Worm.Palevo": [[400, 422]], "Indicator: Win32/Aebot.C": [[423, 436]], "Indicator: Win32.Backdoor.Gtbot.Hufw": [[437, 462]], "Indicator: Backdoor.Aebot!g5wkJjEeLc0": [[463, 489]], "Indicator: W32/Aebot.C!tr": [[490, 504]]}, "info": {"id": "cyner2_8class_test_00492", "source": "cyner2_8class_test"}} {"text": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue.", "spans": {"ThreatActor: group": [[5, 10]], "Malware: malware": [[21, 28]], "System: Android devices": [[45, 60]], "Date: per month": [[84, 93]]}, "info": {"id": "cyner2_8class_test_00493", "source": "cyner2_8class_test"}} {"text": "In a blog post, TrendMicro also detailed recently compiled versions of the NewPOSthings family that bear a closer resemblance to NewPOSthings than Punkey.", "spans": {"Organization: TrendMicro": [[16, 26]]}, "info": {"id": "cyner2_8class_test_00494", "source": "cyner2_8class_test"}} 
{"text": "The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth .", "spans": {"Malware: DEFENSOR ID": [[4, 15]], "System: Google Play store": [[53, 70]]}, "info": {"id": "cyner2_8class_test_00495", "source": "cyner2_8class_test"}} {"text": "We found that among the leaked files is the code for Hacking Team ’ s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets .", "spans": {"Malware: RCSAndroid": [[96, 106]], "Malware: Remote Control System Android": [[109, 138]]}, "info": {"id": "cyner2_8class_test_00496", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.28160.hawwx Trojan.DownLoader5.1182 TR/Spy.28160.103 Win32/Virut.bn TrojanDropper:Win32/Chacker.A Downloader/Win32.Small BScope.Trojan-Spy.Zbot Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.28160.hawwx": [[26, 50]], "Indicator: Trojan.DownLoader5.1182": [[51, 74]], "Indicator: TR/Spy.28160.103": [[75, 91]], "Indicator: Win32/Virut.bn": [[92, 106]], "Indicator: TrojanDropper:Win32/Chacker.A": [[107, 136]], "Indicator: Downloader/Win32.Small": [[137, 159]], "Indicator: BScope.Trojan-Spy.Zbot": [[160, 182]], "Indicator: Trojan-Downloader.Win32.Small": [[183, 212]]}, "info": {"id": "cyner2_8class_test_00497", "source": "cyner2_8class_test"}} {"text": "Exodus : New Android Spyware Made in Italy Mar 29 Summary We identified a new Android spyware platform we named Exodus , which is composed of two stages we call Exodus One and Exodus Two .", "spans": {"Malware: Exodus": [[0, 6], [112, 118]], "System: Android": [[13, 20], [78, 85]], "Malware: Exodus One": [[161, 171]], "Malware: Exodus Two": [[176, 186]]}, "info": {"id": "cyner2_8class_test_00498", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojWare.Win32.Trojan.Delf.~NM Win32.HLLW.Cdbur.4 Worm:Win32/Ofderug.A TR/Kryptik.gta.8 
Trojan:Win32/Stocop.A Trj/CI.A I-Worm.Delf.NFO Win32/Delf.NFO Trojan.Win32.FakeFolder.ble", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojWare.Win32.Trojan.Delf.~NM": [[26, 56]], "Indicator: Win32.HLLW.Cdbur.4": [[57, 75]], "Indicator: Worm:Win32/Ofderug.A": [[76, 96]], "Indicator: TR/Kryptik.gta.8": [[97, 113]], "Indicator: Trojan:Win32/Stocop.A": [[114, 135]], "Indicator: Trj/CI.A": [[136, 144]], "Indicator: I-Worm.Delf.NFO": [[145, 160]], "Indicator: Win32/Delf.NFO": [[161, 175]], "Indicator: Trojan.Win32.FakeFolder.ble": [[176, 203]]}, "info": {"id": "cyner2_8class_test_00499", "source": "cyner2_8class_test"}} {"text": "A later blog will explore the associated attack campaigns and attributions surrounding Bookworm.", "spans": {"ThreatActor: attack campaigns": [[41, 57]], "Malware: Bookworm.": [[87, 96]]}, "info": {"id": "cyner2_8class_test_00500", "source": "cyner2_8class_test"}} {"text": "We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format.", "spans": {"Indicator: PowerPoint file": [[14, 29]], "Indicator: Payment_Advice.ppsx,": [[36, 56]], "Indicator: OOXML format.": [[69, 82]]}, "info": {"id": "cyner2_8class_test_00501", "source": "cyner2_8class_test"}} {"text": "The website has been infected with a malicious javascript file that redirects users to a website with a fake browser update message.", "spans": {"Indicator: website": [[4, 11], [89, 96]], "Malware: malicious javascript file": [[37, 62]], "Indicator: a fake browser update message.": [[102, 132]]}, "info": {"id": "cyner2_8class_test_00502", "source": "cyner2_8class_test"}} {"text": "The earliest identified sample , however , can be traced back to Jan. 
18 , 2016 .", "spans": {}, "info": {"id": "cyner2_8class_test_00503", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 BehavesLike.Win32.BadFile.gc W32/Kryptik.EXQF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: BehavesLike.Win32.BadFile.gc": [[69, 97]], "Indicator: W32/Kryptik.EXQF!tr": [[98, 117]]}, "info": {"id": "cyner2_8class_test_00504", "source": "cyner2_8class_test"}} {"text": "] com hxxp : //mailsa-wqp [ .", "spans": {"Indicator: hxxp : //mailsa-wqp [ .": [[6, 29]]}, "info": {"id": "cyner2_8class_test_00505", "source": "cyner2_8class_test"}} {"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon .", "spans": {"System: Android-powered": [[74, 89]], "Organization: Amazon": [[137, 143]]}, "info": {"id": "cyner2_8class_test_00506", "source": "cyner2_8class_test"}} {"text": "The rootdaemon binary in fact offers several other possibilities to execute commands on the infected device just by connecting to TCP port 6200 and issuing one of the following commands .", "spans": {"Indicator: port 6200": [[134, 143]]}, "info": {"id": "cyner2_8class_test_00507", "source": "cyner2_8class_test"}} {"text": "A backdoor targetting Linux also known as: Unix.Trojan.Mumblehard-3 Trojan.Unix.Mumblehard.evzwgt Elf.Dropperl.M!c Linux.Mumblehard.1 LINUX/Mumblehard.usimn Trojan.Linux.Mumblehard Win32/Trojan.Dropper.bcd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Unix.Trojan.Mumblehard-3": [[43, 67]], "Indicator: Trojan.Unix.Mumblehard.evzwgt": [[68, 97]], "Indicator: Elf.Dropperl.M!c": [[98, 114]], "Indicator: Linux.Mumblehard.1": [[115, 133]], "Indicator: LINUX/Mumblehard.usimn": [[134, 156]], "Indicator: Trojan.Linux.Mumblehard": [[157, 180]], "Indicator: Win32/Trojan.Dropper.bcd": [[181, 205]]}, "info": {"id": 
"cyner2_8class_test_00508", "source": "cyner2_8class_test"}} {"text": "All known samples from these periods used infected Excel files attached to phishing emails to infect victims.", "spans": {"Indicator: Excel files": [[51, 62]], "Indicator: phishing emails": [[75, 90]], "Organization: infect victims.": [[94, 109]]}, "info": {"id": "cyner2_8class_test_00509", "source": "cyner2_8class_test"}} {"text": "In the process, they created at least four distinct spyware bundles, all communicating with the same server set to receive Nisman's data.", "spans": {"Malware: four distinct spyware": [[38, 59]], "System: server": [[101, 107]]}, "info": {"id": "cyner2_8class_test_00510", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGameWLLPAIZXAP.Trojan Trojan/Downloader.Soddsat.a Trojan.Zusy.DC5F W32/Trojan.KLDD-5403 Win.Downloader.132677-1 Trojan.Win32.Dwn.vuaks Trojan.DownLoader4.54475 TR/Offend.7223657.9 TrojanDownloader:Win32/Soddsat.A Trojan.Win32.A.Swisyn.57344.F Downloader/Win32.Small.C84345 Win32.TenThief.DNFTrojan_def.clcy Trojan.DL.Soddsat!U5Ia4/b890c Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGameWLLPAIZXAP.Trojan": [[26, 53]], "Indicator: Trojan/Downloader.Soddsat.a": [[54, 81]], "Indicator: Trojan.Zusy.DC5F": [[82, 98]], "Indicator: W32/Trojan.KLDD-5403": [[99, 119]], "Indicator: Win.Downloader.132677-1": [[120, 143]], "Indicator: Trojan.Win32.Dwn.vuaks": [[144, 166]], "Indicator: Trojan.DownLoader4.54475": [[167, 191]], "Indicator: TR/Offend.7223657.9": [[192, 211]], "Indicator: TrojanDownloader:Win32/Soddsat.A": [[212, 244]], "Indicator: Trojan.Win32.A.Swisyn.57344.F": [[245, 274]], "Indicator: Downloader/Win32.Small.C84345": [[275, 304]], "Indicator: Win32.TenThief.DNFTrojan_def.clcy": [[305, 338]], "Indicator: Trojan.DL.Soddsat!U5Ia4/b890c": [[339, 368]], "Indicator: Trojan-Downloader.Win32.Small": [[369, 398]]}, "info": {"id": "cyner2_8class_test_00511", "source": "cyner2_8class_test"}} 
{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Virus.Sality.Win32.15 W32/AutoRun.bgfs Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Autorun.ZT W32.SillyFDC Win32/SillyAutorun.CYU Win.Worm.Autorun-3999 Worm.Win32.AutoRun.hdg Trojan.Win32.AutoRun.vugpc W32.Virut.lQTU Win32.Worm.Autorun.Suxt Win32.HLLW.Autoruner.19538 W32/Autorun.worm.aaap W32/Autorun.ICAE-4530 Worm/AutoRun.amlr WORM/Vigilant.65024 Worm/Win32.AutoRun Worm:Win32/Levitiang.A Worm.Win32.A.AutoRun.330752.A Worm.Win32.AutoRun.hdg Worm/Win32.AutoRun.R3855 Trojan.VBRA.014781 Win32/AutoRun.VB.VH Backdoor.Win32.IRCBot W32/Autorun.JDU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Virus.Sality.Win32.15": [[47, 68]], "Indicator: W32/AutoRun.bgfs": [[69, 85]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[86, 128]], "Indicator: W32/Autorun.ZT": [[129, 143]], "Indicator: W32.SillyFDC": [[144, 156]], "Indicator: Win32/SillyAutorun.CYU": [[157, 179]], "Indicator: Win.Worm.Autorun-3999": [[180, 201]], "Indicator: Worm.Win32.AutoRun.hdg": [[202, 224], [472, 494]], "Indicator: Trojan.Win32.AutoRun.vugpc": [[225, 251]], "Indicator: W32.Virut.lQTU": [[252, 266]], "Indicator: Win32.Worm.Autorun.Suxt": [[267, 290]], "Indicator: Win32.HLLW.Autoruner.19538": [[291, 317]], "Indicator: W32/Autorun.worm.aaap": [[318, 339]], "Indicator: W32/Autorun.ICAE-4530": [[340, 361]], "Indicator: Worm/AutoRun.amlr": [[362, 379]], "Indicator: WORM/Vigilant.65024": [[380, 399]], "Indicator: Worm/Win32.AutoRun": [[400, 418]], "Indicator: Worm:Win32/Levitiang.A": [[419, 441]], "Indicator: Worm.Win32.A.AutoRun.330752.A": [[442, 471]], "Indicator: Worm/Win32.AutoRun.R3855": [[495, 519]], "Indicator: Trojan.VBRA.014781": [[520, 538]], "Indicator: Win32/AutoRun.VB.VH": [[539, 558]], "Indicator: Backdoor.Win32.IRCBot": [[559, 580]], "Indicator: W32/Autorun.JDU": [[581, 596]]}, "info": {"id": "cyner2_8class_test_00512", "source": "cyner2_8class_test"}} {"text": "IOCs 
SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386 9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec С & C 2014–2015 : secondby.ru darkclub.net holerole.org googleapis.link 2015–2016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw 2016 freedns.website streamout.space 2017–2018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 2020 .", "spans": {"Indicator: 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7": [[12, 76]], "Indicator: 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96": [[77, 141]], "Indicator: 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b": [[142, 206]], "Indicator: 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386": [[207, 271]], "Indicator: 9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba": [[272, 336]], "Indicator: ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7": [[337, 401]], "Indicator: b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b": [[402, 466]], "Indicator: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84": [[467, 531]], "Indicator: ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c": [[532, 596]], "Indicator: 
e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec": [[597, 661]], "Indicator: secondby.ru": [[680, 691]], "Indicator: darkclub.net": [[692, 704]], "Indicator: holerole.org": [[705, 717]], "Indicator: googleapis.link": [[718, 733]], "Indicator: test2016.ru": [[746, 757]], "Indicator: blackstar.pro": [[758, 771]], "Indicator: synchronize.pw": [[772, 786]], "Indicator: lineout.pw": [[787, 797]], "Indicator: sync-weather.pw": [[798, 813]], "Indicator: streamout.space": [[835, 850], [863, 878]], "Indicator: sky-sync.pw": [[879, 890]], "Indicator: gms-service.info": [[891, 907]], "Malware: EventBot": [[908, 916], [1031, 1039]], "Organization: Cybereason Nocturnus": [[988, 1008]], "System: Android": [[1056, 1063]]}, "info": {"id": "cyner2_8class_test_00513", "source": "cyner2_8class_test"}} {"text": "We noticed Java and PDF exploits collected by our honeypot which we haven't seen in ages.", "spans": {"System: Java": [[11, 15]], "Malware: PDF exploits": [[20, 32]], "System: honeypot": [[50, 58]]}, "info": {"id": "cyner2_8class_test_00514", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGamesLT170812GHJHGT.Trojan Backdoor.Darkddoser.S6855 Win32.Trojan.Delf.iq Backdoor.Trojan BKDR_DARKDDOSER.SM Trojan.PWS.Firefox.560 BKDR_DARKDDOSER.SM TR/Spy.ZBot.1310725 Trojan.Zusy.D3CEB Backdoor:Win32/Darkddoser.C Trojan.PasswordStealer Win32/Delf.OGC Win32.Trojan.Spy.Hnku Trojan.Win32.Ridok Win32/Trojan.Spy.ed7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLT170812GHJHGT.Trojan": [[26, 58]], "Indicator: Backdoor.Darkddoser.S6855": [[59, 84]], "Indicator: Win32.Trojan.Delf.iq": [[85, 105]], "Indicator: Backdoor.Trojan": [[106, 121]], "Indicator: BKDR_DARKDDOSER.SM": [[122, 140], [164, 182]], "Indicator: Trojan.PWS.Firefox.560": [[141, 163]], "Indicator: TR/Spy.ZBot.1310725": [[183, 202]], "Indicator: Trojan.Zusy.D3CEB": [[203, 220]], "Indicator: Backdoor:Win32/Darkddoser.C": [[221, 248]], "Indicator: Trojan.PasswordStealer": 
[[249, 271]], "Indicator: Win32/Delf.OGC": [[272, 286]], "Indicator: Win32.Trojan.Spy.Hnku": [[287, 308]], "Indicator: Trojan.Win32.Ridok": [[309, 327]], "Indicator: Win32/Trojan.Spy.ed7": [[328, 348]]}, "info": {"id": "cyner2_8class_test_00515", "source": "cyner2_8class_test"}} {"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution .", "spans": {}, "info": {"id": "cyner2_8class_test_00516", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9956 BehavesLike.Win32.Trojan.bc Trojan.MSIL.Crypt W32/Trojan.KCHZ-1086 TR/Dropper.MSIL.qosig TrojanSpy:MSIL/Nitwil.A MSIL/Kryptik.CTJ!tr Trj/CI.A Win32/Trojan.087", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9956": [[26, 68]], "Indicator: BehavesLike.Win32.Trojan.bc": [[69, 96]], "Indicator: Trojan.MSIL.Crypt": [[97, 114]], "Indicator: W32/Trojan.KCHZ-1086": [[115, 135]], "Indicator: TR/Dropper.MSIL.qosig": [[136, 157]], "Indicator: TrojanSpy:MSIL/Nitwil.A": [[158, 181]], "Indicator: MSIL/Kryptik.CTJ!tr": [[182, 201]], "Indicator: Trj/CI.A": [[202, 210]], "Indicator: Win32/Trojan.087": [[211, 227]]}, "info": {"id": "cyner2_8class_test_00517", "source": "cyner2_8class_test"}} {"text": "The Andromeda botnet is a well-known botnet that surfaced around 2011 and has", "spans": {"Malware: Andromeda botnet": [[4, 20]], "Malware: botnet": [[37, 43]], "Date: 2011": [[65, 69]]}, "info": {"id": "cyner2_8class_test_00518", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm/W32.Holar.65928 W32.Holar.J Win32.Trojan.WisdomEyes.16070401.9500.9848 W32/Hawawi.G@mm W32.Galil.C@mm Win32/Holar.G WORM_HAWAWI.F Win.Worm.Galil-1 Email-Worm.Win32.Hawawi.g Trojan.Win32.Hawawi.emrl W32.W.Hawawi.g!c Win32.Worm-email.Hawawi.Lhwz Worm.Win32.Holar.I Trojan.MulDrop.510 Worm.Holar.Win32.10 WORM_HAWAWI.F 
BehavesLike.Win32.PUPXAX.kc Email-Worm.Win32.Hawawi W32/Hawawi.CPIS-5852 I-Worm/Hawawi.g WORM/Hawawi.G.Exp HackTool[NetTool]/Win32.SmtpModule Trojan.Strictor.D64A7 I-Worm.Win32.Holar.9126 Email-Worm.Win32.Hawawi.g Worm:Win32/Holar.L@mm Worm/Win32.Holar.R140993 SScope.Trojan.VBRA.6861 Win32/Holar.I I-Worm.Holar!/Jhd5gkzw68 W32/Holar.I!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.Holar.65928": [[26, 46]], "Indicator: W32.Holar.J": [[47, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9848": [[59, 101]], "Indicator: W32/Hawawi.G@mm": [[102, 117]], "Indicator: W32.Galil.C@mm": [[118, 132]], "Indicator: Win32/Holar.G": [[133, 146]], "Indicator: WORM_HAWAWI.F": [[147, 160], [333, 346]], "Indicator: Win.Worm.Galil-1": [[161, 177]], "Indicator: Email-Worm.Win32.Hawawi.g": [[178, 203], [535, 560]], "Indicator: Trojan.Win32.Hawawi.emrl": [[204, 228]], "Indicator: W32.W.Hawawi.g!c": [[229, 245]], "Indicator: Win32.Worm-email.Hawawi.Lhwz": [[246, 274]], "Indicator: Worm.Win32.Holar.I": [[275, 293]], "Indicator: Trojan.MulDrop.510": [[294, 312]], "Indicator: Worm.Holar.Win32.10": [[313, 332]], "Indicator: BehavesLike.Win32.PUPXAX.kc": [[347, 374]], "Indicator: Email-Worm.Win32.Hawawi": [[375, 398]], "Indicator: W32/Hawawi.CPIS-5852": [[399, 419]], "Indicator: I-Worm/Hawawi.g": [[420, 435]], "Indicator: WORM/Hawawi.G.Exp": [[436, 453]], "Indicator: HackTool[NetTool]/Win32.SmtpModule": [[454, 488]], "Indicator: Trojan.Strictor.D64A7": [[489, 510]], "Indicator: I-Worm.Win32.Holar.9126": [[511, 534]], "Indicator: Worm:Win32/Holar.L@mm": [[561, 582]], "Indicator: Worm/Win32.Holar.R140993": [[583, 607]], "Indicator: SScope.Trojan.VBRA.6861": [[608, 631]], "Indicator: Win32/Holar.I": [[632, 645]], "Indicator: I-Worm.Holar!/Jhd5gkzw68": [[646, 670]], "Indicator: W32/Holar.I!worm": [[671, 687]]}, "info": {"id": "cyner2_8class_test_00519", "source": "cyner2_8class_test"}} {"text": "The LetsEncrypt certificate is shared between a number of malicious 
domains.", "spans": {"Indicator: The LetsEncrypt certificate": [[0, 27]], "Indicator: malicious domains.": [[58, 76]]}, "info": {"id": "cyner2_8class_test_00520", "source": "cyner2_8class_test"}} {"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users .", "spans": {"Malware: XLoader": [[76, 83]]}, "info": {"id": "cyner2_8class_test_00521", "source": "cyner2_8class_test"}} {"text": "CHTHONIC was discovered in 2014 by Kaspersky security researchers and is considered to be an evolution of ZeusVM malware.", "spans": {"Malware: CHTHONIC": [[0, 8]], "Date: 2014": [[27, 31]], "Organization: Kaspersky security researchers": [[35, 65]], "Malware: ZeusVM malware.": [[106, 121]]}, "info": {"id": "cyner2_8class_test_00522", "source": "cyner2_8class_test"}} {"text": "In 2019, ITG03 campaigns continued to aim against the cryptocurrency industry, targeting both Windows and MacOS users with malicious Word documents.", "spans": {"Date: 2019,": [[3, 8]], "ThreatActor: ITG03 campaigns": [[9, 24]], "Organization: the cryptocurrency industry,": [[50, 78]], "System: Windows": [[94, 101]], "System: MacOS": [[106, 111]], "Organization: users": [[112, 117]], "Indicator: malicious Word documents.": [[123, 148]]}, "info": {"id": "cyner2_8class_test_00523", "source": "cyner2_8class_test"}} {"text": "The Android version of the malware has the ability to use the GPS embedded in the phone to track the user and use the camera and microphone to spy on the user.", "spans": {"System: Android version": [[4, 19]], "Malware: malware": [[27, 34]]}, "info": {"id": "cyner2_8class_test_00524", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A TrojanDownloader.Troll!49SU++no+Bs W32/Risk.ASAS-4248 Downloader.Trojan Win32/Troll.10!Kit TROJ_TROLL.H Trojan-Downloader.Win32.Troll.a Trojan.Win32.Troll.ehlh 
Backdoor.W32.Rbot Trojan.Downloader.Troll.A Worm.Win32.Prux.A Trojan.Downloader.Troll.A Trojan.Troll Downloader.Troll.Win32.4 TROJ_TROLL.H TrojanDownloader.Troll.10.cfg TR/Troll.A Win32.Troj.Troll.kcloud TrojanDownloader:Win32/Troll.A Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A TrojanDownloader.Troll Win32/TrojanDownloader.Troll.A Win32.Trojan-downloader.Troll.Lqyr Trojan-Downloader.Win32.Troll.A Downloader.Troll.C Trojan.Win32.Troll.atR Win32/Trojan.Downloader.b34", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader.Troll.A": [[26, 51], [52, 77], [78, 103], [282, 307], [326, 351], [499, 524], [525, 550]], "Indicator: TrojanDownloader.Troll!49SU++no+Bs": [[104, 138]], "Indicator: W32/Risk.ASAS-4248": [[139, 157]], "Indicator: Downloader.Trojan": [[158, 175]], "Indicator: Win32/Troll.10!Kit": [[176, 194]], "Indicator: TROJ_TROLL.H": [[195, 207], [390, 402]], "Indicator: Trojan-Downloader.Win32.Troll.a": [[208, 239]], "Indicator: Trojan.Win32.Troll.ehlh": [[240, 263]], "Indicator: Backdoor.W32.Rbot": [[264, 281]], "Indicator: Worm.Win32.Prux.A": [[308, 325]], "Indicator: Trojan.Troll": [[352, 364]], "Indicator: Downloader.Troll.Win32.4": [[365, 389]], "Indicator: TrojanDownloader.Troll.10.cfg": [[403, 432]], "Indicator: TR/Troll.A": [[433, 443]], "Indicator: Win32.Troj.Troll.kcloud": [[444, 467]], "Indicator: TrojanDownloader:Win32/Troll.A": [[468, 498]], "Indicator: TrojanDownloader.Troll": [[551, 573]], "Indicator: Win32/TrojanDownloader.Troll.A": [[574, 604]], "Indicator: Win32.Trojan-downloader.Troll.Lqyr": [[605, 639]], "Indicator: Trojan-Downloader.Win32.Troll.A": [[640, 671]], "Indicator: Downloader.Troll.C": [[672, 690]], "Indicator: Trojan.Win32.Troll.atR": [[691, 713]], "Indicator: Win32/Trojan.Downloader.b34": [[714, 741]]}, "info": {"id": "cyner2_8class_test_00525", "source": "cyner2_8class_test"}} {"text": "Apple has confirmed that the iOS apps are not functioning based on analysis of the codes , and stated that the sandbox 
is able to detect and block these malicious behaviors .", "spans": {"Organization: Apple": [[0, 5]], "System: iOS": [[29, 32]]}, "info": {"id": "cyner2_8class_test_00526", "source": "cyner2_8class_test"}} {"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : “ 3458 ” — revoke device administrator privileges from the app ; “ hi ” , “ ask ” — enable and disable mobile internet ; “ privet ” , “ ru ” — enable and disable Wi-Fi ; “ check ” — send text “ install : [ device IMEI ] ” to phone number from which SMS was sent ; “ stop_blocker ” — stop displaying all blocking HTML pages ; “ 393838 ” — change C & C address to that specified in the SMS .", "spans": {}, "info": {"id": "cyner2_8class_test_00527", "source": "cyner2_8class_test"}} {"text": "We are analyzing injects, as they are capable of using ATS.", "spans": {"Indicator: injects,": [[17, 25]], "System: ATS.": [[55, 59]]}, "info": {"id": "cyner2_8class_test_00528", "source": "cyner2_8class_test"}} {"text": "New FakeSpy applications masquerading as post office apps .", "spans": {"Malware: FakeSpy": [[4, 11]]}, "info": {"id": "cyner2_8class_test_00529", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Injector.016639 HT_DINOLAP_FD260018.UVPM Dropper.Injector.Win32.76638 BehavesLike.Win32.Backdoor.lm TrojanDropper.Injector.bgnv W32/Injector.ONBC!tr Trojan[Dropper]/Win32.Injector Trojan.Graftor.D23FE9 Trojan:Win32/Dinolap.A Trojan.Win32.Injector.i Trojan.DR.Injector!s7l+mcQvCiI", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Injector.016639": [[26, 48]], "Indicator: HT_DINOLAP_FD260018.UVPM": [[49, 73]], "Indicator: Dropper.Injector.Win32.76638": [[74, 102]], "Indicator: BehavesLike.Win32.Backdoor.lm": [[103, 132]], "Indicator: TrojanDropper.Injector.bgnv": [[133, 160]], "Indicator: W32/Injector.ONBC!tr": [[161, 181]], "Indicator: Trojan[Dropper]/Win32.Injector": [[182, 212]], "Indicator: Trojan.Graftor.D23FE9": [[213, 234]], 
"Indicator: Trojan:Win32/Dinolap.A": [[235, 257]], "Indicator: Trojan.Win32.Injector.i": [[258, 281]], "Indicator: Trojan.DR.Injector!s7l+mcQvCiI": [[282, 312]]}, "info": {"id": "cyner2_8class_test_00530", "source": "cyner2_8class_test"}} {"text": "Chinese security firm QiAnXin has captured attack samples from the Donot group, a group believed to be carrying out cyber-espionage operations against government agencies and businesses in South Asian countries.", "spans": {"Organization: Chinese security firm QiAnXin": [[0, 29]], "Indicator: attack": [[43, 49]], "ThreatActor: the Donot group,": [[63, 79]], "ThreatActor: group": [[82, 87]], "ThreatActor: cyber-espionage operations": [[116, 142]], "Organization: government agencies": [[151, 170]], "Organization: businesses": [[175, 185]], "Location: South Asian countries.": [[189, 211]]}, "info": {"id": "cyner2_8class_test_00531", "source": "cyner2_8class_test"}} {"text": "Example download via Powershell: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcu BYpaSs new-object system.net.webclient.", "spans": {"Malware: download": [[8, 16]], "Indicator: Powershell: pOwERShell.exe -nOl -NoNiNt -WInDOws": [[21, 69]], "Indicator: -NoprOFIle -eXEcu BYpaSs new-object system.net.webclient.": [[72, 129]]}, "info": {"id": "cyner2_8class_test_00532", "source": "cyner2_8class_test"}} {"text": "The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found : Additional features - SpyNote RAT could click photos using the device 's camera , based on commands from C & C .", "spans": {"Malware: SpyNote RAT": [[27, 38], [126, 137]]}, "info": {"id": "cyner2_8class_test_00533", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Zapchast.Win32.21320 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Bladabindi.cwxrgb TrojWare.MSIL.TrojanDownloader.Tiny.AH Trojan.DownLoader11.49091 W32/Trojan.XWPH-7415 BDS/Bladabindi.apqew Win32.Troj.FrauDrop.kcloud 
TrojanDownloader:MSIL/Bladabindi.A Trojan.Zusy.D13349 Trj/CI.A Win32/Trojan.Downloader.89b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zapchast.Win32.21320": [[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[54, 96]], "Indicator: Trojan.Win32.Bladabindi.cwxrgb": [[97, 127]], "Indicator: TrojWare.MSIL.TrojanDownloader.Tiny.AH": [[128, 166]], "Indicator: Trojan.DownLoader11.49091": [[167, 192]], "Indicator: W32/Trojan.XWPH-7415": [[193, 213]], "Indicator: BDS/Bladabindi.apqew": [[214, 234]], "Indicator: Win32.Troj.FrauDrop.kcloud": [[235, 261]], "Indicator: TrojanDownloader:MSIL/Bladabindi.A": [[262, 296]], "Indicator: Trojan.Zusy.D13349": [[297, 315]], "Indicator: Trj/CI.A": [[316, 324]], "Indicator: Win32/Trojan.Downloader.89b": [[325, 352]]}, "info": {"id": "cyner2_8class_test_00534", "source": "cyner2_8class_test"}} {"text": "The domain on this campaign was registered on Jan. 19 , 2019 .", "spans": {}, "info": {"id": "cyner2_8class_test_00535", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TROJ_DLOADE.EHS Trojan-Dropper.Win32.Parsi.ly Trojan.Win32.Downloader.29215[h] Trojan.MulDrop.11401 Backdoor.CPEX.Win32.4494 TROJ_DLOADE.EHS BehavesLike.Win32.Downloader.pm Trojan[Dropper]/Win32.Parsi TrojanDownloader:Win32/Tsunovest.A TrojanDropper.Parsi Trojan-Dropper.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_DLOADE.EHS": [[26, 41], [151, 166]], "Indicator: Trojan-Dropper.Win32.Parsi.ly": [[42, 71]], "Indicator: Trojan.Win32.Downloader.29215[h]": [[72, 104]], "Indicator: Trojan.MulDrop.11401": [[105, 125]], "Indicator: Backdoor.CPEX.Win32.4494": [[126, 150]], "Indicator: BehavesLike.Win32.Downloader.pm": [[167, 198]], "Indicator: Trojan[Dropper]/Win32.Parsi": [[199, 226]], "Indicator: TrojanDownloader:Win32/Tsunovest.A": [[227, 261]], "Indicator: TrojanDropper.Parsi": [[262, 281]], "Indicator: Trojan-Dropper.Delf": [[282, 301]]}, "info": {"id": "cyner2_8class_test_00536", "source": 
"cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDownloader.Small.H4 Trojan.Meredrop Trojan.MSIL.Krypt.4 TROJ_DROPR.SMH Win32.Trojan.Small.j Win32/Dropper.IP TROJ_DROPR.SMH Trojan.Win32.Meredrop.60928 BackDoor.Cybergate.1703 Trojan.Win32.Small TrojanDropper.MSIL.eye TrojanDownloader:MSIL/Small.H Win32/Small.NJA TrojanSpy.Spyeye!gkhDSEQCv00", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Small.H4": [[26, 51]], "Indicator: Trojan.Meredrop": [[52, 67]], "Indicator: Trojan.MSIL.Krypt.4": [[68, 87]], "Indicator: TROJ_DROPR.SMH": [[88, 102], [141, 155]], "Indicator: Win32.Trojan.Small.j": [[103, 123]], "Indicator: Win32/Dropper.IP": [[124, 140]], "Indicator: Trojan.Win32.Meredrop.60928": [[156, 183]], "Indicator: BackDoor.Cybergate.1703": [[184, 207]], "Indicator: Trojan.Win32.Small": [[208, 226]], "Indicator: TrojanDropper.MSIL.eye": [[227, 249]], "Indicator: TrojanDownloader:MSIL/Small.H": [[250, 279]], "Indicator: Win32/Small.NJA": [[280, 295]], "Indicator: TrojanSpy.Spyeye!gkhDSEQCv00": [[296, 324]]}, "info": {"id": "cyner2_8class_test_00537", "source": "cyner2_8class_test"}} {"text": "The service is implemented in the class com.serenegiant.service.ScreenRecorderService which is declared in the package manifest .", "spans": {"Indicator: com.serenegiant.service.ScreenRecorderService": [[40, 85]]}, "info": {"id": "cyner2_8class_test_00538", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.D788 Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan.ZMAA-7241 WORM_MOLDYOW.SMB BackDoor.Woodin.48 WORM_MOLDYOW.SMB BehavesLike.Win32.BadFile.cc W32/Trojan2.GQNY Worm:Win32/Moldyow.A Troj.Downloader.W32.Bagle.kYXw Trojan/Win32.Inject.R8017 Worm.Win32.Moldyow", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.D788": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9931": [[43, 85]], "Indicator: W32/Trojan.ZMAA-7241": [[86, 106]], "Indicator: WORM_MOLDYOW.SMB": [[107, 123], [143, 
159]], "Indicator: BackDoor.Woodin.48": [[124, 142]], "Indicator: BehavesLike.Win32.BadFile.cc": [[160, 188]], "Indicator: W32/Trojan2.GQNY": [[189, 205]], "Indicator: Worm:Win32/Moldyow.A": [[206, 226]], "Indicator: Troj.Downloader.W32.Bagle.kYXw": [[227, 257]], "Indicator: Trojan/Win32.Inject.R8017": [[258, 283]], "Indicator: Worm.Win32.Moldyow": [[284, 302]]}, "info": {"id": "cyner2_8class_test_00539", "source": "cyner2_8class_test"}} {"text": "These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits.", "spans": {"Indicator: compromised websites": [[65, 85]], "Organization: high-profile ASEAN summits.": [[117, 144]]}, "info": {"id": "cyner2_8class_test_00540", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Fluxay!O Trojan.Skeeyah.8843 Multi.Threats.InArchive Win.Trojan.Fluxay-5 Trojan.Win32.Fluxay.llihw Trojan.KillFiles.24121 W32/Trojan.DXRJ-2026 Trojan[Backdoor]/Win32.Fluxay Trojan.Win32.HT-Fluxay.9018965 Backdoor.Fluxay PUA.Pskill Win32/Fluxay.A Backdoor.Fluxay!QPeWJM2XnDo Trojan.Win32.Skeeyah", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Fluxay!O": [[26, 49]], "Indicator: Trojan.Skeeyah.8843": [[50, 69]], "Indicator: Multi.Threats.InArchive": [[70, 93]], "Indicator: Win.Trojan.Fluxay-5": [[94, 113]], "Indicator: Trojan.Win32.Fluxay.llihw": [[114, 139]], "Indicator: Trojan.KillFiles.24121": [[140, 162]], "Indicator: W32/Trojan.DXRJ-2026": [[163, 183]], "Indicator: Trojan[Backdoor]/Win32.Fluxay": [[184, 213]], "Indicator: Trojan.Win32.HT-Fluxay.9018965": [[214, 244]], "Indicator: Backdoor.Fluxay": [[245, 260]], "Indicator: PUA.Pskill": [[261, 271]], "Indicator: Win32/Fluxay.A": [[272, 286]], "Indicator: Backdoor.Fluxay!QPeWJM2XnDo": [[287, 314]], "Indicator: Trojan.Win32.Skeeyah": [[315, 335]]}, "info": {"id": "cyner2_8class_test_00541", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
Trojan-PWS/W32.Bjlog.196608.BG Backdoor.Zegost.B Trojan.Bjlog.Win32.2452 Trojan/PSW.Bjlog.ien BKDR_ZEGOST.SMF Win32.Backdoor.Zegost.d BKDR_ZEGOST.SMF Win.Trojan.DNSchanger-7 Trojan.Win32.Bjlog.cqnvac Trojan.MulDrop1.27754 BehavesLike.Win32.Virut.ch Trojan/PSW.Bjlog.alv Trojan[PSW]/Win32.Bjlog TrojanDropper:Win32/Zegost.C Trojan.Kazy.D2C6B8 Trojan/Win32.Bjlog.C7535 Trojan.SB.0546 Trojan.PWS.Bjlog!siJtl6w2R70 Backdoor.Win32.Zegost Bck/Gh0stRat.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.Bjlog.196608.BG": [[26, 56]], "Indicator: Backdoor.Zegost.B": [[57, 74]], "Indicator: Trojan.Bjlog.Win32.2452": [[75, 98]], "Indicator: Trojan/PSW.Bjlog.ien": [[99, 119]], "Indicator: BKDR_ZEGOST.SMF": [[120, 135], [160, 175]], "Indicator: Win32.Backdoor.Zegost.d": [[136, 159]], "Indicator: Win.Trojan.DNSchanger-7": [[176, 199]], "Indicator: Trojan.Win32.Bjlog.cqnvac": [[200, 225]], "Indicator: Trojan.MulDrop1.27754": [[226, 247]], "Indicator: BehavesLike.Win32.Virut.ch": [[248, 274]], "Indicator: Trojan/PSW.Bjlog.alv": [[275, 295]], "Indicator: Trojan[PSW]/Win32.Bjlog": [[296, 319]], "Indicator: TrojanDropper:Win32/Zegost.C": [[320, 348]], "Indicator: Trojan.Kazy.D2C6B8": [[349, 367]], "Indicator: Trojan/Win32.Bjlog.C7535": [[368, 392]], "Indicator: Trojan.SB.0546": [[393, 407]], "Indicator: Trojan.PWS.Bjlog!siJtl6w2R70": [[408, 436]], "Indicator: Backdoor.Win32.Zegost": [[437, 458]], "Indicator: Bck/Gh0stRat.F": [[459, 473]]}, "info": {"id": "cyner2_8class_test_00542", "source": "cyner2_8class_test"}} {"text": "After reversing these opcodes , we were able to update our interpreter script to support both 32-bit and 64-bit virtual machines used by FinFisher .", "spans": {"Malware: FinFisher": [[137, 146]]}, "info": {"id": "cyner2_8class_test_00543", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FlooderCA.Trojan Trojan.Spy.VB.NDR Trojan.Spy.VB.NDR Trojan.Spy.VB.NDR Backdoor/Brabot.a Trojan.Win32.Brabot.gycn W32/Brainbot.D@bd 
Backdoor.IRC.Bot Win32/Brabot.A HKTL_PASSDUMP.A Worm.VB-13 P2P-Worm.Win32.VB.cm Trojan.Spy.VB.NDR Backdoor.Brabot.A Backdoor.Win32.Brabot.471994[h] W32.W.VB.cm!c Trojan.Spy.VB.NDR Backdoor.Win32.Brabot.A Trojan.Spy.VB.NDR Backdoor.Brabot.Win32.4 HKTL_PASSDUMP.A BehavesLike.Win32.PWSZbot.gm W32/Brainbot.VHHE-1644 Worm/VB.hew BDS/Brabot.B W32/Bbuild.B!worm Trojan[Backdoor]/Win32.Bifrose Trojan.Spy.VB.NDR Worm/Win32.IRCBot Backdoor:Win32/Brabot.A Win32/Brabot.A Trojan.VBRA.02834 Bck/Brabot.A Win32.Worm-p2p.Vb.Ajlv Backdoor.Win32.Brabot Trojan.Spy.VB.NDR Worm/VB.2.C Worm.Win32.VB.cm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FlooderCA.Trojan": [[26, 46]], "Indicator: Trojan.Spy.VB.NDR": [[47, 64], [65, 82], [83, 100], [242, 259], [324, 341], [366, 383], [550, 567], [701, 718]], "Indicator: Backdoor/Brabot.a": [[101, 118]], "Indicator: Trojan.Win32.Brabot.gycn": [[119, 143]], "Indicator: W32/Brainbot.D@bd": [[144, 161]], "Indicator: Backdoor.IRC.Bot": [[162, 178]], "Indicator: Win32/Brabot.A": [[179, 193], [610, 624]], "Indicator: HKTL_PASSDUMP.A": [[194, 209], [408, 423]], "Indicator: Worm.VB-13": [[210, 220]], "Indicator: P2P-Worm.Win32.VB.cm": [[221, 241]], "Indicator: Backdoor.Brabot.A": [[260, 277]], "Indicator: Backdoor.Win32.Brabot.471994[h]": [[278, 309]], "Indicator: W32.W.VB.cm!c": [[310, 323]], "Indicator: Backdoor.Win32.Brabot.A": [[342, 365]], "Indicator: Backdoor.Brabot.Win32.4": [[384, 407]], "Indicator: BehavesLike.Win32.PWSZbot.gm": [[424, 452]], "Indicator: W32/Brainbot.VHHE-1644": [[453, 475]], "Indicator: Worm/VB.hew": [[476, 487]], "Indicator: BDS/Brabot.B": [[488, 500]], "Indicator: W32/Bbuild.B!worm": [[501, 518]], "Indicator: Trojan[Backdoor]/Win32.Bifrose": [[519, 549]], "Indicator: Worm/Win32.IRCBot": [[568, 585]], "Indicator: Backdoor:Win32/Brabot.A": [[586, 609]], "Indicator: Trojan.VBRA.02834": [[625, 642]], "Indicator: Bck/Brabot.A": [[643, 655]], "Indicator: Win32.Worm-p2p.Vb.Ajlv": [[656, 678]], "Indicator: 
Backdoor.Win32.Brabot": [[679, 700]], "Indicator: Worm/VB.2.C": [[719, 730]], "Indicator: Worm.Win32.VB.cm": [[731, 747]]}, "info": {"id": "cyner2_8class_test_00544", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Xtreme Backdoor.Xtreme.Win32.17656 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.Xtreme.ayqh Trojan.Win32.Llac.egfndm Trojan.Win32.Z.Razy.90112.CZR Backdoor.W32.Xtreme!c Trojan.Win32.Injector Backdoor.Xtreme.arc TR/AD.XtremeRAT.cznhs Trojan[Backdoor]/Win32.Xtreme Trojan.Razy.D164F4 Backdoor.Win32.Xtreme.ayqh Trojan/Win32.Llac.R188289 TScope.Trojan.VB Trj/GdSda.A Win32.Backdoor.Xtreme.Lhng Win32/Trojan.4e7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Xtreme": [[26, 41]], "Indicator: Backdoor.Xtreme.Win32.17656": [[42, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[70, 112]], "Indicator: Backdoor.Win32.Xtreme.ayqh": [[113, 139], [330, 356]], "Indicator: Trojan.Win32.Llac.egfndm": [[140, 164]], "Indicator: Trojan.Win32.Z.Razy.90112.CZR": [[165, 194]], "Indicator: Backdoor.W32.Xtreme!c": [[195, 216]], "Indicator: Trojan.Win32.Injector": [[217, 238]], "Indicator: Backdoor.Xtreme.arc": [[239, 258]], "Indicator: TR/AD.XtremeRAT.cznhs": [[259, 280]], "Indicator: Trojan[Backdoor]/Win32.Xtreme": [[281, 310]], "Indicator: Trojan.Razy.D164F4": [[311, 329]], "Indicator: Trojan/Win32.Llac.R188289": [[357, 382]], "Indicator: TScope.Trojan.VB": [[383, 399]], "Indicator: Trj/GdSda.A": [[400, 411]], "Indicator: Win32.Backdoor.Xtreme.Lhng": [[412, 438]], "Indicator: Win32/Trojan.4e7": [[439, 455]]}, "info": {"id": "cyner2_8class_test_00545", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.OnlinegameEETTc.Worm Trojan/W32.KRBanker.29824 TrojanPWS.OnLineGames.A55 Trojan.KillAV.sysdll Trojan/OnLineGames.quk TROJ_ONLINEGAMES_EC250023.UVPA Win32.Trojan-PSW.OLGames.bx Win32/Tnega.AQQWXMB TROJ_ONLINEGAMES_EC250023.UVPA Win.Trojan.Onlinegames-18826 
Trojan-GameThief.Win32.OnLineGames2.cizz Trojan.Win32.OnLineGames.djxnuk Trojan.PWS.GamaniaENT.1 Trojan.OnLineGames.Win32.190234 Trojan.Win32.PSW Trojan/PSW.OnLineGames.cuwc TR/Symmi.29952 TrojanDropper:WinNT/Enterok.A Troj.GameThief.W32.OnLineGames.mf8q Trojan-GameThief.Win32.OnLineGames2.cizz Trojan/Win32.OnLineGames.R127617 TrojanPSW.OnLineGames.a Trj/CI.A Win32.Trojan-gamethief.Onlinegames2.Llgy Trojan.PWS.OnLineGames!AdRUDWW3hk0 Win32/Trojan.ace", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.OnlinegameEETTc.Worm": [[26, 56]], "Indicator: Trojan/W32.KRBanker.29824": [[57, 82]], "Indicator: TrojanPWS.OnLineGames.A55": [[83, 108]], "Indicator: Trojan.KillAV.sysdll": [[109, 129]], "Indicator: Trojan/OnLineGames.quk": [[130, 152]], "Indicator: TROJ_ONLINEGAMES_EC250023.UVPA": [[153, 183], [232, 262]], "Indicator: Win32.Trojan-PSW.OLGames.bx": [[184, 211]], "Indicator: Win32/Tnega.AQQWXMB": [[212, 231]], "Indicator: Win.Trojan.Onlinegames-18826": [[263, 291]], "Indicator: Trojan-GameThief.Win32.OnLineGames2.cizz": [[292, 332], [547, 587]], "Indicator: Trojan.Win32.OnLineGames.djxnuk": [[333, 364]], "Indicator: Trojan.PWS.GamaniaENT.1": [[365, 388]], "Indicator: Trojan.OnLineGames.Win32.190234": [[389, 420]], "Indicator: Trojan.Win32.PSW": [[421, 437]], "Indicator: Trojan/PSW.OnLineGames.cuwc": [[438, 465]], "Indicator: TR/Symmi.29952": [[466, 480]], "Indicator: TrojanDropper:WinNT/Enterok.A": [[481, 510]], "Indicator: Troj.GameThief.W32.OnLineGames.mf8q": [[511, 546]], "Indicator: Trojan/Win32.OnLineGames.R127617": [[588, 620]], "Indicator: TrojanPSW.OnLineGames.a": [[621, 644]], "Indicator: Trj/CI.A": [[645, 653]], "Indicator: Win32.Trojan-gamethief.Onlinegames2.Llgy": [[654, 694]], "Indicator: Trojan.PWS.OnLineGames!AdRUDWW3hk0": [[695, 729]], "Indicator: Win32/Trojan.ace": [[730, 746]]}, "info": {"id": "cyner2_8class_test_00546", "source": "cyner2_8class_test"}} {"text": "After the payload is extracted , decrypted , and mapped in the process 
memory , the malware calls the new DLL entry point , and then the RunDll exported function .", "spans": {}, "info": {"id": "cyner2_8class_test_00547", "source": "cyner2_8class_test"}} {"text": "After establishing a connection with them via the SSH protocol, the Trojan attempts to run a copy of itself on them.", "spans": {"Indicator: connection": [[21, 31]], "Indicator: SSH protocol,": [[50, 63]], "Malware: Trojan": [[68, 74]]}, "info": {"id": "cyner2_8class_test_00548", "source": "cyner2_8class_test"}} {"text": "Using similar traits , such as copycat iconography and app or package names , victims are likely socially engineered into installing the malicious apps , especially when available on so-called third-party ( i.e .", "spans": {}, "info": {"id": "cyner2_8class_test_00549", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.65D5 Trojan.QzonitCS.S892249 Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.DownLoader24.53170 TR/ATRAPS.yyemu Trojan[Banker]/Win32.Banbra Trojan:Win32/Qzonit.A!bit Trojan/Win32.Banki.R199618 TrojanBanker.Banbra Trojan.PWS.Banbra!aQHZ31wDzOU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.65D5": [[26, 42]], "Indicator: Trojan.QzonitCS.S892249": [[43, 66]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9936": [[67, 109]], "Indicator: Trojan.DownLoader24.53170": [[110, 135]], "Indicator: TR/ATRAPS.yyemu": [[136, 151]], "Indicator: Trojan[Banker]/Win32.Banbra": [[152, 179]], "Indicator: Trojan:Win32/Qzonit.A!bit": [[180, 205]], "Indicator: Trojan/Win32.Banki.R199618": [[206, 232]], "Indicator: TrojanBanker.Banbra": [[233, 252]], "Indicator: Trojan.PWS.Banbra!aQHZ31wDzOU": [[253, 282]]}, "info": {"id": "cyner2_8class_test_00550", "source": "cyner2_8class_test"}} {"text": "Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound.", "spans": {"Organization: Unit 42": [[0, 7]], "ThreatActor: 
persistent attack campaign": [[25, 51]], "Location: the Middle East": [[75, 90]], "Malware: at": [[106, 108]], "Date: mid-2016": [[115, 123]], "ThreatActor: Magic Hound.": [[144, 156]]}, "info": {"id": "cyner2_8class_test_00551", "source": "cyner2_8class_test"}} {"text": "The spearphishing attempt posed as a message from the Director of United for Iran, a U.S.-based human rights organization, claiming that the organization had developed a secure communications tool for activists.", "spans": {"ThreatActor: spearphishing": [[4, 17]], "Indicator: message from the Director of United for Iran, a U.S.-based human rights organization, claiming that the organization had developed a secure communications tool for activists.": [[37, 211]]}, "info": {"id": "cyner2_8class_test_00552", "source": "cyner2_8class_test"}} {"text": "malware used in the 2016 attack on the Bangladesh SWIFT banking system", "spans": {"Malware: malware": [[0, 7]], "Date: 2016": [[20, 24]], "Indicator: attack": [[25, 31]], "System: the Bangladesh SWIFT banking system": [[35, 70]]}, "info": {"id": "cyner2_8class_test_00553", "source": "cyner2_8class_test"}} {"text": "The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool.", "spans": {"Malware: macros": [[8, 14]], "Malware: Bateleur backdoor": [[19, 36]], "System: sandbox": [[73, 80]], "Organization: victim pool.": [[159, 171]]}, "info": {"id": "cyner2_8class_test_00554", "source": "cyner2_8class_test"}} {"text": "] me under names in the format : photo_ [ number ] _img.apk , mms_ [ number ] _img.apk avito_ [ number ] .apk , mms.img_ [ number ] _photo.apk , mms [ number ] _photo.image.apk , mms [ number ] _photo.img.apk , mms.img.photo_ [ number ] .apk , photo_ [ number ] _obmen.img.apk .", "spans": {"Indicator: photo_ [ number ] _img.apk": [[33, 59]], "Indicator: mms_ [ number ] _img.apk": [[62, 86]], "Indicator: avito_ [ number ] .apk": 
[[87, 109]], "Indicator: mms.img_ [ number ] _photo.apk": [[112, 142]], "Indicator: mms [ number ] _photo.image.apk": [[145, 176]], "Indicator: mms [ number ] _photo.img.apk": [[179, 208]], "Indicator: mms.img.photo_ [ number ] .apk": [[211, 241]], "Indicator: photo_ [ number ] _obmen.img.apk": [[244, 276]]}, "info": {"id": "cyner2_8class_test_00555", "source": "cyner2_8class_test"}} {"text": "The group also makes use of several different modules that they deploy where appropriate to their targets.", "spans": {"ThreatActor: The group": [[0, 9]], "Organization: targets.": [[98, 106]]}, "info": {"id": "cyner2_8class_test_00556", "source": "cyner2_8class_test"}} {"text": "More than twenty were found and exposed during the said months.", "spans": {"Malware: twenty": [[10, 16]], "Date: the said months.": [[47, 63]]}, "info": {"id": "cyner2_8class_test_00557", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.MSIL.Qhost.bgq Trojan.Win32.Qhost.exeaec Trojan.Hosts.43624 Trojan:MSIL/Wirzemro.A Trojan.MSIL.Qhost.bgq Adware/Win32.AdInstaller.C2358455 Trojan.MSIL.Qhost Msil.Trojan.Qhost.Syhr Trojan.MSIL.Qhost", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL.Qhost.bgq": [[26, 47], [116, 137]], "Indicator: Trojan.Win32.Qhost.exeaec": [[48, 73]], "Indicator: Trojan.Hosts.43624": [[74, 92]], "Indicator: Trojan:MSIL/Wirzemro.A": [[93, 115]], "Indicator: Adware/Win32.AdInstaller.C2358455": [[138, 171]], "Indicator: Trojan.MSIL.Qhost": [[172, 189], [213, 230]], "Indicator: Msil.Trojan.Qhost.Syhr": [[190, 212]]}, "info": {"id": "cyner2_8class_test_00558", "source": "cyner2_8class_test"}} {"text": "] com ) : Contains android packages , java archives and zip archives with exploits Archive Link domains : Three domains with the same functionality , but the application chooses one of them to send request for archive link .", "spans": {"System: android": [[19, 26]]}, "info": {"id": "cyner2_8class_test_00559", "source": "cyner2_8class_test"}} 
{"text": "If all conditions are met , “ Agent Smith ” tries to infect the application .", "spans": {"Malware: Agent Smith": [[30, 41]]}, "info": {"id": "cyner2_8class_test_00560", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win.Worm.Autorun-5678 W32.W.Otwycal.l4av Trojan.Win32.Dropper.abr Trojan.DownLoader.55579 Worm:Win32/Rimcoss.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Worm.Autorun-5678": [[26, 47]], "Indicator: W32.W.Otwycal.l4av": [[48, 66]], "Indicator: Trojan.Win32.Dropper.abr": [[67, 91]], "Indicator: Trojan.DownLoader.55579": [[92, 115]], "Indicator: Worm:Win32/Rimcoss.A": [[116, 136]]}, "info": {"id": "cyner2_8class_test_00561", "source": "cyner2_8class_test"}} {"text": "Animal Farm is the security industry's name for a group of attackers first described by Canada's Communications Security Establishment CSE in a set of slides leaked by Edward Snowden in March 2014.", "spans": {"ThreatActor: Animal Farm": [[0, 11]], "ThreatActor: security industry's": [[19, 38]], "ThreatActor: group of attackers": [[50, 68]], "Organization: Canada's Communications Security Establishment CSE": [[88, 138]], "ThreatActor: Edward Snowden": [[168, 182]], "Date: March 2014.": [[186, 197]]}, "info": {"id": "cyner2_8class_test_00562", "source": "cyner2_8class_test"}} {"text": "Conversations-based app mimics Telegram messenger Even when we originally thought this was a backdoored version of the Conversations app , used to infect victims , we didn´t discovered anything malicious in it .", "spans": {"System: Telegram messenger": [[31, 49]]}, "info": {"id": "cyner2_8class_test_00563", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: BehavesLike.Win32.Downloader.fc Worm:Win32/Nokpuda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BehavesLike.Win32.Downloader.fc": [[26, 57]], "Indicator: Worm:Win32/Nokpuda.A": [[58, 78]]}, "info": {"id": "cyner2_8class_test_00564", "source": "cyner2_8class_test"}} {"text": "A 
backdoor also known as: HW32.Packed.FA63 Trojan.Barys.DDC1E Win32.Trojan.WisdomEyes.16070401.9500.9811 Trojan/Win32.Banbra.C1546872", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.FA63": [[26, 42]], "Indicator: Trojan.Barys.DDC1E": [[43, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9811": [[62, 104]], "Indicator: Trojan/Win32.Banbra.C1546872": [[105, 133]]}, "info": {"id": "cyner2_8class_test_00565", "source": "cyner2_8class_test"}} {"text": "The name Asacub appeared with version 4 in late 2015 ; previous versions were known as Trojan-SMS.AndroidOS.Smaps .", "spans": {"Malware: Asacub": [[9, 15]], "Indicator: Trojan-SMS.AndroidOS.Smaps": [[87, 113]]}, "info": {"id": "cyner2_8class_test_00566", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.K2pS.Trojan Trojan/W32.Kuang.7680 Weird.11264 Kuang.pws TROJ_PSW_RING0.B Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.Kuang.B Infostealer.Kuang.B Win32/Kuang.F TROJ_PSW_RING0.B Win.Trojan.KunagB-1 Trojan-PSW.Win32.Kuang.h Trojan.Win32.Kuang.fzlh Trojan.PWS.Kuang Trojan.Kuang.Win32.4 BehavesLike.Win32.Backdoor.zm W32/Trojan.Kuang.B Trojan/PSW.Kuang.b Trojan[PSW]/Win32.Kuang Trojan.Win32.KuangLogger.7680 Trojan-PSW.Win32.Kuang.h Trojan:Win32/Kuang.B Trojan.PSW.Kuang2 Win32.Kuang.I Trojan.Win32.Kuang W32/Kuang.B!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.K2pS.Trojan": [[26, 41]], "Indicator: Trojan/W32.Kuang.7680": [[42, 63]], "Indicator: Weird.11264": [[64, 75]], "Indicator: Kuang.pws": [[76, 85]], "Indicator: TROJ_PSW_RING0.B": [[86, 102], [199, 215]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[103, 145]], "Indicator: W32/Trojan.Kuang.B": [[146, 164], [353, 371]], "Indicator: Infostealer.Kuang.B": [[165, 184]], "Indicator: Win32/Kuang.F": [[185, 198]], "Indicator: Win.Trojan.KunagB-1": [[216, 235]], "Indicator: Trojan-PSW.Win32.Kuang.h": [[236, 260], [445, 469]], "Indicator: Trojan.Win32.Kuang.fzlh": [[261, 284]], "Indicator: 
Trojan.PWS.Kuang": [[285, 301]], "Indicator: Trojan.Kuang.Win32.4": [[302, 322]], "Indicator: BehavesLike.Win32.Backdoor.zm": [[323, 352]], "Indicator: Trojan/PSW.Kuang.b": [[372, 390]], "Indicator: Trojan[PSW]/Win32.Kuang": [[391, 414]], "Indicator: Trojan.Win32.KuangLogger.7680": [[415, 444]], "Indicator: Trojan:Win32/Kuang.B": [[470, 490]], "Indicator: Trojan.PSW.Kuang2": [[491, 508]], "Indicator: Win32.Kuang.I": [[509, 522]], "Indicator: Trojan.Win32.Kuang": [[523, 541]], "Indicator: W32/Kuang.B!tr.pws": [[542, 560]]}, "info": {"id": "cyner2_8class_test_00567", "source": "cyner2_8class_test"}} {"text": "As “ Agent Smith ” uses a modular approach , and as stated earlier , the original loader extracts everything from the assets , the usage of the Janus vulnerability can only change the code of the original application , not the resources .", "spans": {"Malware: Agent Smith": [[5, 16]], "Vulnerability: Janus": [[144, 149]]}, "info": {"id": "cyner2_8class_test_00568", "source": "cyner2_8class_test"}} {"text": "Figure 16 : integrating an in-house ad SDK Figure 17 : replacing original app activities with the malicious ad SDK activity Figure 18 : the malware showing ads on any activity being loaded Connecting the Dots As our malware sample analysis took the team closer to reveal the “ Agent Smith ” campaign in its entirety and it is here that the C & C server investigation enters the center stage .", "spans": {}, "info": {"id": "cyner2_8class_test_00569", "source": "cyner2_8class_test"}} {"text": "This led to the publication of a whitepaper covering the full operation.", "spans": {}, "info": {"id": "cyner2_8class_test_00570", "source": "cyner2_8class_test"}} {"text": "First , based on information that is associated with the registered C & C domain , we identified the name of the registrant , along with further data like country and email address , as seen in Figure 8 .", "spans": {}, "info": {"id": "cyner2_8class_test_00571", "source": "cyner2_8class_test"}} {"text": 
"These applications range from utility apps such as photo manipulators to wallpaper and ringtone changers.", "spans": {}, "info": {"id": "cyner2_8class_test_00572", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.MulDrop5.crmtcx WS.Reputation.1 Trojan.MulDrop5.4437 Trojan.CoinMiner CoinMiner.AAM Trojan.Win32.CoinMiner.HY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.MulDrop5.crmtcx": [[26, 54]], "Indicator: WS.Reputation.1": [[55, 70]], "Indicator: Trojan.MulDrop5.4437": [[71, 91]], "Indicator: Trojan.CoinMiner": [[92, 108]], "Indicator: CoinMiner.AAM": [[109, 122]], "Indicator: Trojan.Win32.CoinMiner.HY": [[123, 148]]}, "info": {"id": "cyner2_8class_test_00573", "source": "cyner2_8class_test"}} {"text": "The fake page will not go away until the user provides the payment information.", "spans": {"Indicator: The fake page": [[0, 13]]}, "info": {"id": "cyner2_8class_test_00574", "source": "cyner2_8class_test"}} {"text": "] pw/4 * * * * * 7 ” ( It .", "spans": {}, "info": {"id": "cyner2_8class_test_00575", "source": "cyner2_8class_test"}} {"text": "No matter what button is pressed , the window stays on top of all other windows .", "spans": {}, "info": {"id": "cyner2_8class_test_00576", "source": "cyner2_8class_test"}} {"text": "In April 2013 , we saw the first sample , which made heavy use of dynamic code loading ( i.e. 
, fetching executable code from remote sources after the initial app is installed ) .", "spans": {}, "info": {"id": "cyner2_8class_test_00577", "source": "cyner2_8class_test"}} {"text": "We chose the name “ HenBox ” based on metadata found in most of the malicious apps such as package names and signer detail .", "spans": {"Malware: HenBox": [[20, 26]]}, "info": {"id": "cyner2_8class_test_00578", "source": "cyner2_8class_test"}} {"text": "The StrongPity APT is a technically capable group operating under the radar for several years.", "spans": {"ThreatActor: The StrongPity APT": [[0, 18]], "ThreatActor: group": [[44, 49]], "Date: several years.": [[80, 94]]}, "info": {"id": "cyner2_8class_test_00579", "source": "cyner2_8class_test"}} {"text": "Stage 1 : Loader malware keeps sandbox and debuggers away The first stage of FinFisher running through this complicated virtual machine is a loader malware designed to probe the system and determine whether it ’ s running in a sandbox environment ( typical for cloud-based detonation solution like Office 365 ATP ) .", "spans": {"Malware: FinFisher": [[77, 86]], "System: Office 365 ATP": [[298, 312]]}, "info": {"id": "cyner2_8class_test_00580", "source": "cyner2_8class_test"}} {"text": "DYNAMIC LIBRARY LOADING Once the application has finished the installation process , the malware starts its real malicious activity .", "spans": {}, "info": {"id": "cyner2_8class_test_00581", "source": "cyner2_8class_test"}} {"text": "Exploit kits EK are typically used to distribute malware and other malicious programs to large numbers of victims using existing vulnerabilities in commonly-used browsers.", "spans": {"Malware: Exploit kits EK": [[0, 15]], "Malware: malware": [[49, 56]], "Malware: malicious programs": [[67, 85]], "Vulnerability: vulnerabilities": [[129, 144]], "System: browsers.": [[162, 171]]}, "info": {"id": "cyner2_8class_test_00582", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 
Dropper.Sysn.Win32.631 Trojan.Zusy.D41DFC TROJ_SYSN_GE2300B9.UVPA W32.Faedevour Win32/Bzub.KUWUUcC TROJ_SYSN_GE2300B9.UVPA Trojan-Dropper.Win32.Sysn.bqcl Trojan.Win32.ddncff.eaqdzv Trojan.Inject1.27874 BehavesLike.Win32.RansomWannaCry.dc TrojanDropper.Sysn.avc Trojan[Dropper]/Win32.Sysn Trojan-Dropper.Win32.Sysn.bqcl Dropper/Win32.Sysn.R120846 TrojanDropper.Sysn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Dropper.Sysn.Win32.631": [[46, 68]], "Indicator: Trojan.Zusy.D41DFC": [[69, 87]], "Indicator: TROJ_SYSN_GE2300B9.UVPA": [[88, 111], [145, 168]], "Indicator: W32.Faedevour": [[112, 125]], "Indicator: Win32/Bzub.KUWUUcC": [[126, 144]], "Indicator: Trojan-Dropper.Win32.Sysn.bqcl": [[169, 199], [334, 364]], "Indicator: Trojan.Win32.ddncff.eaqdzv": [[200, 226]], "Indicator: Trojan.Inject1.27874": [[227, 247]], "Indicator: BehavesLike.Win32.RansomWannaCry.dc": [[248, 283]], "Indicator: TrojanDropper.Sysn.avc": [[284, 306]], "Indicator: Trojan[Dropper]/Win32.Sysn": [[307, 333]], "Indicator: Dropper/Win32.Sysn.R120846": [[365, 391]], "Indicator: TrojanDropper.Sysn": [[392, 410]]}, "info": {"id": "cyner2_8class_test_00583", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: IMIServer.download Downloader.OneClickNetSearch.Win32.8 Trojan/Downloader.OneClickNetSearch.i Trojan.Graftor.D60D9 W32/Downloader.BBQ Adware.IEPlugin Win32/SillyDl.FM TROJ_DLOADER.VR Win.Trojan.Downloader-40673 Trojan-Downloader.Win32.OneClickNetSearch.i Trojan.Win32.OneClickNetSearch.dkts Troj.Downloader.W32.OneClickNetSearch.i!c Trojan.DownLoader.28897 TROJ_DLOADER.VR BehavesLike.Win32.Backdoor.km W32/Downloader.VQVS-3601 TrojanDownloader.OneClickNetSearch.c Adware.ShopNavUpdater TR/Dldr.OneClic.I Trojan[Downloader]/Win32.OneClickNetSearch TrojanDownloader:Win32/OneClickNetSearch.I Adware.IEPlugin Trojan-Downloader.Win32.OneClickNetSearch.i Trojan/Win32.HDC.C12454 Adware.IEPlugin TrojanDownloader.OneClickNetSearch 
Win32.Trojan-downloader.Oneclicknetsearch.Lnec Trojan.DL.NetSearch!M12OX4IwWPY Trojan-Downloader.Win32.OneClickNetSearch W32/OneClickNetSearch.I!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: IMIServer.download": [[26, 44]], "Indicator: Downloader.OneClickNetSearch.Win32.8": [[45, 81]], "Indicator: Trojan/Downloader.OneClickNetSearch.i": [[82, 119]], "Indicator: Trojan.Graftor.D60D9": [[120, 140]], "Indicator: W32/Downloader.BBQ": [[141, 159]], "Indicator: Adware.IEPlugin": [[160, 175], [617, 632], [701, 716]], "Indicator: Win32/SillyDl.FM": [[176, 192]], "Indicator: TROJ_DLOADER.VR": [[193, 208], [383, 398]], "Indicator: Win.Trojan.Downloader-40673": [[209, 236]], "Indicator: Trojan-Downloader.Win32.OneClickNetSearch.i": [[237, 280], [633, 676]], "Indicator: Trojan.Win32.OneClickNetSearch.dkts": [[281, 316]], "Indicator: Troj.Downloader.W32.OneClickNetSearch.i!c": [[317, 358]], "Indicator: Trojan.DownLoader.28897": [[359, 382]], "Indicator: BehavesLike.Win32.Backdoor.km": [[399, 428]], "Indicator: W32/Downloader.VQVS-3601": [[429, 453]], "Indicator: TrojanDownloader.OneClickNetSearch.c": [[454, 490]], "Indicator: Adware.ShopNavUpdater": [[491, 512]], "Indicator: TR/Dldr.OneClic.I": [[513, 530]], "Indicator: Trojan[Downloader]/Win32.OneClickNetSearch": [[531, 573]], "Indicator: TrojanDownloader:Win32/OneClickNetSearch.I": [[574, 616]], "Indicator: Trojan/Win32.HDC.C12454": [[677, 700]], "Indicator: TrojanDownloader.OneClickNetSearch": [[717, 751]], "Indicator: Win32.Trojan-downloader.Oneclicknetsearch.Lnec": [[752, 798]], "Indicator: Trojan.DL.NetSearch!M12OX4IwWPY": [[799, 830]], "Indicator: Trojan-Downloader.Win32.OneClickNetSearch": [[831, 872]], "Indicator: W32/OneClickNetSearch.I!tr": [[873, 899]]}, "info": {"id": "cyner2_8class_test_00584", "source": "cyner2_8class_test"}} {"text": "The malware was deployed via the software update mechanism in a piece of Ukranian accounting software on the morning of Tuesday 27th June 2017.", "spans": {"Malware: 
malware": [[4, 11]], "System: software update mechanism": [[33, 58]], "System: Ukranian accounting software": [[73, 101]], "Date: morning of Tuesday 27th June 2017.": [[109, 143]]}, "info": {"id": "cyner2_8class_test_00585", "source": "cyner2_8class_test"}} {"text": "Security firm Symantec has released a list of tools used by the Blackfly espionage group in recent years, which it believes may have been used in a series of attacks in China and Asia.", "spans": {"Organization: Security firm": [[0, 13]], "Organization: Symantec": [[14, 22]], "Malware: tools": [[46, 51]], "ThreatActor: the Blackfly espionage group": [[60, 88]], "Date: recent years,": [[92, 105]], "Indicator: attacks": [[158, 165]], "Location: China": [[169, 174]], "Location: Asia.": [[179, 184]]}, "info": {"id": "cyner2_8class_test_00586", "source": "cyner2_8class_test"}} {"text": "This stealth technique has been gaining popularity among adware-related threats distributed via Google Play .", "spans": {"System: Google Play": [[96, 107]]}, "info": {"id": "cyner2_8class_test_00587", "source": "cyner2_8class_test"}} {"text": "? 
q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 .", "spans": {}, "info": {"id": "cyner2_8class_test_00588", "source": "cyner2_8class_test"}} {"text": "Parsing of instructions by EventBot Parsing of instructions by the bot from the C2 .", "spans": {"Malware: EventBot": [[27, 35]]}, "info": {"id": "cyner2_8class_test_00589", "source": "cyner2_8class_test"}} {"text": "] meacount-manager [ .", "spans": {"Indicator: [ .": [[19, 22]]}, "info": {"id": "cyner2_8class_test_00590", "source": "cyner2_8class_test"}} {"text": "Legitimate ones will typically require a subscription fee or rely on advertising as part of their business model.", "spans": {}, "info": {"id": "cyner2_8class_test_00591", "source": "cyner2_8class_test"}} {"text": "It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011.", "spans": {"Indicator: same codebase": [[19, 32]], "Malware: Zeus trojan,": [[63, 75]], "Indicator: source code": [[80, 91]], "Date: 2011.": [[115, 120]]}, "info": {"id": "cyner2_8class_test_00592", "source": "cyner2_8class_test"}} {"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner2_8class_test_00593", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom/W32.Magniber.218114 Trojan.Ransom.MyRansom Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_HPWORTRIK.SM Trojan-Banker.Win32.Jimmy.ep Trojan.Win32.Mikey.ettifq Trojan.Win32.MyRansom.629760 Trojan.DownLoad3.46525 TROJ_HPWORTRIK.SM BehavesLike.Win32.MultiPlug.dc W32/Trojan.ZTWR-3024 TrojanDownloader.Geral.ead TR/Crypt.ZPACK.dggks Ransom:Win32/Sobnot.A Uds.Dangerousobject.Multi!c Trojan-Banker.Win32.Jimmy.ep Trojan/Win32.Magniber.R210623 TrojanBanker.Jimmy Trojan.MalPack Trj/CI.A W32/Injector.DSPI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.Magniber.218114": [[26, 52]], "Indicator: Trojan.Ransom.MyRansom": [[53, 75]], "Indicator: 
Win32.Trojan.WisdomEyes.16070401.9500.9994": [[76, 118]], "Indicator: TROJ_HPWORTRIK.SM": [[119, 136], [244, 261]], "Indicator: Trojan-Banker.Win32.Jimmy.ep": [[137, 165], [412, 440]], "Indicator: Trojan.Win32.Mikey.ettifq": [[166, 191]], "Indicator: Trojan.Win32.MyRansom.629760": [[192, 220]], "Indicator: Trojan.DownLoad3.46525": [[221, 243]], "Indicator: BehavesLike.Win32.MultiPlug.dc": [[262, 292]], "Indicator: W32/Trojan.ZTWR-3024": [[293, 313]], "Indicator: TrojanDownloader.Geral.ead": [[314, 340]], "Indicator: TR/Crypt.ZPACK.dggks": [[341, 361]], "Indicator: Ransom:Win32/Sobnot.A": [[362, 383]], "Indicator: Uds.Dangerousobject.Multi!c": [[384, 411]], "Indicator: Trojan/Win32.Magniber.R210623": [[441, 470]], "Indicator: TrojanBanker.Jimmy": [[471, 489]], "Indicator: Trojan.MalPack": [[490, 504]], "Indicator: Trj/CI.A": [[505, 513]], "Indicator: W32/Injector.DSPI!tr": [[514, 534]]}, "info": {"id": "cyner2_8class_test_00594", "source": "cyner2_8class_test"}} {"text": "It is also another example for why organizations and consumers alike should have an advanced mobile threat prevention solution installed on the device to protect themselves against the possibility of unknowingly installing malicious apps , even from trusted app stores .", "spans": {}, "info": {"id": "cyner2_8class_test_00595", "source": "cyner2_8class_test"}} {"text": "The server sends back encoded json containing URL , class name and method name .", "spans": {}, "info": {"id": "cyner2_8class_test_00596", "source": "cyner2_8class_test"}} {"text": "Rooting trojans The Zen authors have also created a rooting trojan .", "spans": {"Malware: Zen": [[20, 23]]}, "info": {"id": "cyner2_8class_test_00597", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Eggnog.f W32/Worm.AWIJ Trojan.ADH W32/Malware.GIJQ Win32/Eggnog.F TROJ_COSPET.B WIN.Worm.Eggnog P2P-Worm.Win32.Eggnog.f Trojan.Cospet!FlzIxxaUDss Worm.Win32.A.P2P-Eggnog.39754 TrojWare.Win32.Cospet.X0 Win32.HLLW.Kazaa.512 TR/Cospet.X 
TROJ_COSPET.B Win32.Troj.Cospet.x.kcloud Worm:Win32/Eggnog.D Worm/Win32.Eggnog W32/Worm.AWIJ Trojan.Win32.Cospet.x Trojan.ADH Win32/Eggnog.E Email-Worm.Win32.Fearso W32/Eggnog.W@mm Bck/Poison.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Eggnog.f": [[26, 38]], "Indicator: W32/Worm.AWIJ": [[39, 52], [343, 356]], "Indicator: Trojan.ADH": [[53, 63], [379, 389]], "Indicator: W32/Malware.GIJQ": [[64, 80]], "Indicator: Win32/Eggnog.F": [[81, 95]], "Indicator: TROJ_COSPET.B": [[96, 109], [264, 277]], "Indicator: WIN.Worm.Eggnog": [[110, 125]], "Indicator: P2P-Worm.Win32.Eggnog.f": [[126, 149]], "Indicator: Trojan.Cospet!FlzIxxaUDss": [[150, 175]], "Indicator: Worm.Win32.A.P2P-Eggnog.39754": [[176, 205]], "Indicator: TrojWare.Win32.Cospet.X0": [[206, 230]], "Indicator: Win32.HLLW.Kazaa.512": [[231, 251]], "Indicator: TR/Cospet.X": [[252, 263]], "Indicator: Win32.Troj.Cospet.x.kcloud": [[278, 304]], "Indicator: Worm:Win32/Eggnog.D": [[305, 324]], "Indicator: Worm/Win32.Eggnog": [[325, 342]], "Indicator: Trojan.Win32.Cospet.x": [[357, 378]], "Indicator: Win32/Eggnog.E": [[390, 404]], "Indicator: Email-Worm.Win32.Fearso": [[405, 428]], "Indicator: W32/Eggnog.W@mm": [[429, 444]], "Indicator: Bck/Poison.F": [[445, 457]]}, "info": {"id": "cyner2_8class_test_00598", "source": "cyner2_8class_test"}} {"text": "By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion.", "spans": {"Organization: banking": [[45, 52]], "ThreatActor: the attackers": [[71, 84]]}, "info": {"id": "cyner2_8class_test_00599", "source": "cyner2_8class_test"}} {"text": "This paper documents attempted exploitation activity aimed at Uyghur interests outside of China.", "spans": {"Vulnerability: exploitation activity": [[31, 52]], "Organization: Uyghur": [[62, 68]], "Location: China.": [[90, 96]]}, "info": {"id": "cyner2_8class_test_00600", "source": "cyner2_8class_test"}} {"text": "The bot can then be 
used by cybercriminals to steal money, a much more profitable outcome than just receiving a ransom to decrypt some files.", "spans": {"ThreatActor: cybercriminals": [[28, 42]], "Indicator: decrypt some files.": [[122, 141]]}, "info": {"id": "cyner2_8class_test_00601", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.Symmi.Lnez BehavesLike.Win32.PWSZbot.dm Trojan:Win32/Peals.B!gfc Trojan.Symmi.D90B8 TrojanDropper.Hassur Backdoor.Win32.Sobador", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Symmi.Lnez": [[26, 49]], "Indicator: BehavesLike.Win32.PWSZbot.dm": [[50, 78]], "Indicator: Trojan:Win32/Peals.B!gfc": [[79, 103]], "Indicator: Trojan.Symmi.D90B8": [[104, 122]], "Indicator: TrojanDropper.Hassur": [[123, 143]], "Indicator: Backdoor.Win32.Sobador": [[144, 166]]}, "info": {"id": "cyner2_8class_test_00602", "source": "cyner2_8class_test"}} {"text": "While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked.", "spans": {"Indicator: common internet protocols may be disabled": [[12, 53]], "Indicator: restrictive card processing environment,": [[63, 103]], "Vulnerability: DNS": [[104, 107]], "Indicator: resolve hostnames": [[130, 147]], "Organization: corporate environment": [[159, 180]]}, "info": {"id": "cyner2_8class_test_00603", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Korplug Trojan.KorplugCRTD.Win32.5229 BKDR_PLUGX.DUKPX Trojan.Win32.Mocker.epfvig BKDR_PLUGX.DUKPX Trojan.Win32.Korplug Trojan.Korplug.h W32/Mocker.ID!tr.bdr Trojan[Backdoor]/Win32.Mocker Trojan/Win32.Downloader.R193185 Trj/CI.A Win32.Backdoor.Mocker.Pluq Win32/Backdoor.a63", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Korplug": [[26, 40]], "Indicator: Trojan.KorplugCRTD.Win32.5229": [[41, 70]], "Indicator: BKDR_PLUGX.DUKPX": [[71, 87], [115, 131]], 
"Indicator: Trojan.Win32.Mocker.epfvig": [[88, 114]], "Indicator: Trojan.Win32.Korplug": [[132, 152]], "Indicator: Trojan.Korplug.h": [[153, 169]], "Indicator: W32/Mocker.ID!tr.bdr": [[170, 190]], "Indicator: Trojan[Backdoor]/Win32.Mocker": [[191, 220]], "Indicator: Trojan/Win32.Downloader.R193185": [[221, 252]], "Indicator: Trj/CI.A": [[253, 261]], "Indicator: Win32.Backdoor.Mocker.Pluq": [[262, 288]], "Indicator: Win32/Backdoor.a63": [[289, 307]]}, "info": {"id": "cyner2_8class_test_00604", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Malware11 TrojanPWS.OnLineGames.AH7 Trojan.OnLineGames.Win32.176380 Trojan/OnLineGames.qoc Trojan.Symmi.D309E PUA_ONLINEG.SM Win32.Trojan-GameThief.OnLineGames.c Infostealer.Gampass Win32/Gamepass.NbRQGb PUA_ONLINEG.SM Win.Spyware.Onlinegames-18853 Trojan.Win32.Wsgame.bxoznw Trojan.Win32.PSWIGames.350720.A TrojWare.Win32.GameThief.OnLineGames.AJQT Trojan.PWS.Wsgame.40807 Trojan-GameThief.Win32.OnLineGames Trojan/PEF13F.cv TR/PSW.OnlineGames.AH.8 Trojan/Win32.Unknown PWS:Win32/Enterak.A Trojan.Win32.OnlineGame.f Trojan.PWS.OnLineGames!l5ipAZ0fFAE W32/GAMEPSW.C!tr Win32/Trojan.PSW.39f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware11": [[26, 45]], "Indicator: TrojanPWS.OnLineGames.AH7": [[46, 71]], "Indicator: Trojan.OnLineGames.Win32.176380": [[72, 103]], "Indicator: Trojan/OnLineGames.qoc": [[104, 126]], "Indicator: Trojan.Symmi.D309E": [[127, 145]], "Indicator: PUA_ONLINEG.SM": [[146, 160], [240, 254]], "Indicator: Win32.Trojan-GameThief.OnLineGames.c": [[161, 197]], "Indicator: Infostealer.Gampass": [[198, 217]], "Indicator: Win32/Gamepass.NbRQGb": [[218, 239]], "Indicator: Win.Spyware.Onlinegames-18853": [[255, 284]], "Indicator: Trojan.Win32.Wsgame.bxoznw": [[285, 311]], "Indicator: Trojan.Win32.PSWIGames.350720.A": [[312, 343]], "Indicator: TrojWare.Win32.GameThief.OnLineGames.AJQT": [[344, 385]], "Indicator: Trojan.PWS.Wsgame.40807": [[386, 409]], "Indicator: 
Trojan-GameThief.Win32.OnLineGames": [[410, 444]], "Indicator: Trojan/PEF13F.cv": [[445, 461]], "Indicator: TR/PSW.OnlineGames.AH.8": [[462, 485]], "Indicator: Trojan/Win32.Unknown": [[486, 506]], "Indicator: PWS:Win32/Enterak.A": [[507, 526]], "Indicator: Trojan.Win32.OnlineGame.f": [[527, 552]], "Indicator: Trojan.PWS.OnLineGames!l5ipAZ0fFAE": [[553, 587]], "Indicator: W32/GAMEPSW.C!tr": [[588, 604]], "Indicator: Win32/Trojan.PSW.39f": [[605, 625]]}, "info": {"id": "cyner2_8class_test_00605", "source": "cyner2_8class_test"}} {"text": "Our investigation indicates that the campaign has existed since at least November 2013 but has remained active until today.", "spans": {"ThreatActor: campaign": [[37, 45]], "Malware: at": [[64, 66]], "Date: November 2013": [[73, 86]], "Date: today.": [[117, 123]]}, "info": {"id": "cyner2_8class_test_00606", "source": "cyner2_8class_test"}} {"text": "Our worldwide sensor network provides researchers at FireEye Labs with unique opportunities to detect innovative tactics employed by malicious actors and protects our clients from these tactics.", "spans": {"System: sensor network": [[14, 28]], "Organization: FireEye Labs": [[53, 65]], "ThreatActor: malicious actors": [[133, 149]]}, "info": {"id": "cyner2_8class_test_00607", "source": "cyner2_8class_test"}} {"text": "Since 2012, we have found more than 9,000 apps using the Mario name on various sources online.", "spans": {"Date: 2012,": [[6, 11]], "System: apps": [[42, 46]], "Malware: Mario name": [[57, 67]], "Organization: sources online.": [[79, 94]]}, "info": {"id": "cyner2_8class_test_00608", "source": "cyner2_8class_test"}} {"text": "The source process reads /proc/ [ pid ] /maps to find where libc is located in the target process memory .", "spans": {"Indicator: /proc/ [ pid ] /maps": [[25, 45]]}, "info": {"id": "cyner2_8class_test_00609", "source": "cyner2_8class_test"}} {"text": "This version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions .", "spans": {}, 
"info": {"id": "cyner2_8class_test_00610", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Heur.AutoIT.13 Win32.Trojan.WisdomEyes.16070401.9500.9827 W32/Trojan.PPOR-1386 Trojan.Win32.Autoit.ezk Trojan.Win32.Autoit Trojan/Reconyc.ma Trojan:Win32/Autibep.A!bit Trojan.Win32.Autoit.ezk Trojan/Win32.Autoit.C2358053", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.AutoIT.13": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9827": [[48, 90]], "Indicator: W32/Trojan.PPOR-1386": [[91, 111]], "Indicator: Trojan.Win32.Autoit.ezk": [[112, 135], [201, 224]], "Indicator: Trojan.Win32.Autoit": [[136, 155]], "Indicator: Trojan/Reconyc.ma": [[156, 173]], "Indicator: Trojan:Win32/Autibep.A!bit": [[174, 200]], "Indicator: Trojan/Win32.Autoit.C2358053": [[225, 253]]}, "info": {"id": "cyner2_8class_test_00611", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Jabxin Win32.Trojan.WisdomEyes.16070401.9500.9985 Trojan.Win32.Jabxin.exmnee W32/Trojan.XFOU-3426 Trojan.Snojan.cw TR/Jabxin.sphdn Trojan.Kazy.D4B7E4 Trojan:Win32/Jabxin.A Trojan/Win32.Xema.C215983 Trj/Dtcontx.G Win32.Trojan.Kazy.Jcv", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Jabxin": [[26, 39]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9985": [[40, 82]], "Indicator: Trojan.Win32.Jabxin.exmnee": [[83, 109]], "Indicator: W32/Trojan.XFOU-3426": [[110, 130]], "Indicator: Trojan.Snojan.cw": [[131, 147]], "Indicator: TR/Jabxin.sphdn": [[148, 163]], "Indicator: Trojan.Kazy.D4B7E4": [[164, 182]], "Indicator: Trojan:Win32/Jabxin.A": [[183, 204]], "Indicator: Trojan/Win32.Xema.C215983": [[205, 230]], "Indicator: Trj/Dtcontx.G": [[231, 244]], "Indicator: Win32.Trojan.Kazy.Jcv": [[245, 266]]}, "info": {"id": "cyner2_8class_test_00612", "source": "cyner2_8class_test"}} {"text": "First , the malicious app tries to determine whether it is being tested by the Google Play security mechanism .", "spans": {"System: Google Play": 
[[79, 90]]}, "info": {"id": "cyner2_8class_test_00613", "source": "cyner2_8class_test"}} {"text": "Analysis of a sample I came across on twitter which uses a GitHub issue as a communication channel for the malware.", "spans": {"Malware: sample": [[14, 20]], "Organization: twitter": [[38, 45]], "System: GitHub issue": [[59, 71]], "Indicator: communication channel": [[77, 98]], "Malware: malware.": [[107, 115]]}, "info": {"id": "cyner2_8class_test_00614", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: BKDR_KIRPICH.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_KIRPICH.SM Win.Trojan.RegSubDat-19 Trojan.Win32.Dwn.dtfqe Trojan.DownLoader4.46899 Trojan:Win32/Gyplit.A Trojan.Win32.Gyplit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BKDR_KIRPICH.SM": [[26, 41], [85, 100]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: Win.Trojan.RegSubDat-19": [[101, 124]], "Indicator: Trojan.Win32.Dwn.dtfqe": [[125, 147]], "Indicator: Trojan.DownLoader4.46899": [[148, 172]], "Indicator: Trojan:Win32/Gyplit.A": [[173, 194]], "Indicator: Trojan.Win32.Gyplit": [[195, 214]]}, "info": {"id": "cyner2_8class_test_00615", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanMSIL.Shmandaler.A4 Trojan.Bedep Trojan/Downloader.Small.afq TSPY_LIMITAIL.SMJC Infostealer.Limitail TSPY_LIMITAIL.SMJC Trojan-Downloader.MSIL.Tiny.um Trojan.Win32.Tiny.ebvkml TrojWare.MSIL.TrojanDownloader.Small.AFQ Trojan.DownLoader23.40196 TR/Dldr.Small.18434.2 Trojan.MSIL.Krypt.2 Trojan-Downloader.MSIL.Tiny.um TrojanDownloader:MSIL/Shmandaler.A Trj/GdSda.A MSIL/TrojanDownloader.Small.AFQ Trojan.DL.Small!QZBtiX7UwsI Trojan-Downloader.MSIL.Small MSIL/Small.AFQ!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanMSIL.Shmandaler.A4": [[26, 50]], "Indicator: Trojan.Bedep": [[51, 63]], "Indicator: Trojan/Downloader.Small.afq": [[64, 91]], "Indicator: TSPY_LIMITAIL.SMJC": [[92, 110], [132, 150]], "Indicator: 
Infostealer.Limitail": [[111, 131]], "Indicator: Trojan-Downloader.MSIL.Tiny.um": [[151, 181], [316, 346]], "Indicator: Trojan.Win32.Tiny.ebvkml": [[182, 206]], "Indicator: TrojWare.MSIL.TrojanDownloader.Small.AFQ": [[207, 247]], "Indicator: Trojan.DownLoader23.40196": [[248, 273]], "Indicator: TR/Dldr.Small.18434.2": [[274, 295]], "Indicator: Trojan.MSIL.Krypt.2": [[296, 315]], "Indicator: TrojanDownloader:MSIL/Shmandaler.A": [[347, 381]], "Indicator: Trj/GdSda.A": [[382, 393]], "Indicator: MSIL/TrojanDownloader.Small.AFQ": [[394, 425]], "Indicator: Trojan.DL.Small!QZBtiX7UwsI": [[426, 453]], "Indicator: Trojan-Downloader.MSIL.Small": [[454, 482]], "Indicator: MSIL/Small.AFQ!tr.dldr": [[483, 505]]}, "info": {"id": "cyner2_8class_test_00616", "source": "cyner2_8class_test"}} {"text": "The attack ultimately compromised accounts and stole research and intellectual property.", "spans": {}, "info": {"id": "cyner2_8class_test_00617", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Graftor.D1EB1 Win32.Trojan.WisdomEyes.16070401.9500.9966 BehavesLike.Win32.BadFile.tz Virus.Win32.VBInject Trojan/Win32.Diple Trojan:Win32/Bangsmoop.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Graftor.D1EB1": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9966": [[47, 89]], "Indicator: BehavesLike.Win32.BadFile.tz": [[90, 118]], "Indicator: Virus.Win32.VBInject": [[119, 139]], "Indicator: Trojan/Win32.Diple": [[140, 158]], "Indicator: Trojan:Win32/Bangsmoop.A": [[159, 183]]}, "info": {"id": "cyner2_8class_test_00618", "source": "cyner2_8class_test"}} {"text": "Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered.", "spans": {"Organization: Trend Micro": [[0, 11]], "Malware: family of ATM malware": [[33, 54]], "Malware: Alice,": [[62, 68]], "Malware: ATM malware family": [[101, 119]]}, "info": {"id": "cyner2_8class_test_00619", "source": 
"cyner2_8class_test"}} {"text": "Lookout Discovers Phishing Sites Distributing New IOS And Android Surveillanceware April 8 , 2019 For the past year , Lookout researchers have been tracking Android and iOS surveillanceware , that can exfiltrate contacts , audio recordings , photos , location , and more from devices .", "spans": {"Organization: Lookout": [[0, 7], [118, 125]], "System: IOS": [[50, 53]], "System: Android": [[58, 65], [157, 164]], "Malware: Surveillanceware": [[66, 82]], "System: iOS": [[169, 172]], "Malware: surveillanceware": [[173, 189]]}, "info": {"id": "cyner2_8class_test_00620", "source": "cyner2_8class_test"}} {"text": "A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya.", "spans": {"ThreatActor: ransomware campaign": [[9, 28]], "Location: Ukraine": [[40, 47]], "Date: today,": [[61, 67]], "ThreatActor: ransomware campaigns": [[112, 132]], "Location: country,": [[161, 169]], "Malware: XData, PScrypt,": [[178, 193]], "Malware: NotPetya.": [[211, 220]]}, "info": {"id": "cyner2_8class_test_00621", "source": "cyner2_8class_test"}} {"text": "] info OpSec fails and use of cryptography While looking at this infrastructure , we identified that one of these domains has directory indexing enabled .", "spans": {}, "info": {"id": "cyner2_8class_test_00622", "source": "cyner2_8class_test"}} {"text": "Microsoft Defender for Endpoint on Android , now generally available , extends Microsoft ’ s industry-leading endpoint protection to Android .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42], [133, 140]], "Organization: Microsoft": [[79, 88]]}, "info": {"id": "cyner2_8class_test_00623", "source": "cyner2_8class_test"}} {"text": "In this blog , we ’ ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven ’ t 
seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note .", "spans": {"System: Android": [[106, 113]]}, "info": {"id": "cyner2_8class_test_00624", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.Gibbon.160256 Backdoor.Trojan Win32/Gibbon.B BKDR_SCANREGW.A Backdoor.Win32.Gibbon.b Trojan.Win32.Gibbon.fgmc Backdoor.Win32.Gibbon.160256[h] Backdoor.Win32.Gibbon.B BackDoor.Gibbon Backdoor.Gibbon.Win32.3 BKDR_SCANREGW.A W32/Risk.JIWD-6248 Backdoor/Gibbon.b BDS/Gibbon.B W32/Gibbon.B!tr.bdr Trojan[Backdoor]/Win32.Gibbon Backdoor.W32.Gibbon.b!c Win-Trojan/Gibbon.160256 Backdoor:Win32/Gibbon.1_24 Backdoor.Gibbon Bck/Gibbon.b Win32.Backdoor.Gibbon.Wsud Backdoor.Gibbon!c66jqE55ZiA Backdoor.Win32.Gibbon BackDoor.Gibbon Backdoor.Win32.Gibbon.b Win32/Backdoor.BO.c71", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Gibbon.160256": [[26, 52]], "Indicator: Backdoor.Trojan": [[53, 68]], "Indicator: Win32/Gibbon.B": [[69, 83]], "Indicator: BKDR_SCANREGW.A": [[84, 99], [245, 260]], "Indicator: Backdoor.Win32.Gibbon.b": [[100, 123], [559, 582]], "Indicator: Trojan.Win32.Gibbon.fgmc": [[124, 148]], "Indicator: Backdoor.Win32.Gibbon.160256[h]": [[149, 180]], "Indicator: Backdoor.Win32.Gibbon.B": [[181, 204]], "Indicator: BackDoor.Gibbon": [[205, 220], [543, 558]], "Indicator: Backdoor.Gibbon.Win32.3": [[221, 244]], "Indicator: W32/Risk.JIWD-6248": [[261, 279]], "Indicator: Backdoor/Gibbon.b": [[280, 297]], "Indicator: BDS/Gibbon.B": [[298, 310]], "Indicator: W32/Gibbon.B!tr.bdr": [[311, 330]], "Indicator: Trojan[Backdoor]/Win32.Gibbon": [[331, 360]], "Indicator: Backdoor.W32.Gibbon.b!c": [[361, 384]], "Indicator: Win-Trojan/Gibbon.160256": [[385, 409]], "Indicator: Backdoor:Win32/Gibbon.1_24": [[410, 436]], "Indicator: Backdoor.Gibbon": [[437, 452]], "Indicator: Bck/Gibbon.b": [[453, 465]], "Indicator: Win32.Backdoor.Gibbon.Wsud": [[466, 
492]], "Indicator: Backdoor.Gibbon!c66jqE55ZiA": [[493, 520]], "Indicator: Backdoor.Win32.Gibbon": [[521, 542]], "Indicator: Win32/Backdoor.BO.c71": [[583, 604]]}, "info": {"id": "cyner2_8class_test_00625", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Gaobot.worm!e Worm.Agobot.WQWW Win32.Horse Backdoor.Win32.Agobot.rci Backdoor.Win32.S.Agobot.584192 Heuristic.BehavesLike.Win32.Dropper.H Backdoor/Agobot.dwx Worm:Win32/Gaobot.B Backdoor/Win32.Agobot Backdoor.Win32.Agobot.rci Worm/Agobot.HYF W32/Gaobot.OXI.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Gaobot.worm!e": [[26, 43]], "Indicator: Worm.Agobot.WQWW": [[44, 60]], "Indicator: Win32.Horse": [[61, 72]], "Indicator: Backdoor.Win32.Agobot.rci": [[73, 98], [230, 255]], "Indicator: Backdoor.Win32.S.Agobot.584192": [[99, 129]], "Indicator: Heuristic.BehavesLike.Win32.Dropper.H": [[130, 167]], "Indicator: Backdoor/Agobot.dwx": [[168, 187]], "Indicator: Worm:Win32/Gaobot.B": [[188, 207]], "Indicator: Backdoor/Win32.Agobot": [[208, 229]], "Indicator: Worm/Agobot.HYF": [[256, 271]], "Indicator: W32/Gaobot.OXI.worm": [[272, 291]]}, "info": {"id": "cyner2_8class_test_00626", "source": "cyner2_8class_test"}} {"text": "A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility.", "spans": {"ThreatActor: Cyber Caliphate,": [[27, 43]], "Organization: Islamic State,": [[64, 78]]}, "info": {"id": "cyner2_8class_test_00627", "source": "cyner2_8class_test"}} {"text": "These attacks have some links to earlier attacks by a group called Budminer involving the Taidoor Trojan Trojan.Taidoor.", "spans": {"Indicator: attacks": [[6, 13], [41, 48]], "ThreatActor: group": [[54, 59]], "ThreatActor: Budminer": [[67, 75]], "Malware: Taidoor Trojan": [[90, 104]], "Indicator: Trojan.Taidoor.": [[105, 120]]}, "info": {"id": "cyner2_8class_test_00628", "source": "cyner2_8class_test"}} {"text": "The core of this functionality is also based on an 
open-source project that can be found here .", "spans": {}, "info": {"id": "cyner2_8class_test_00629", "source": "cyner2_8class_test"}} {"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "System: products": [[14, 22]], "Indicator: Trojan.AndroidOS.Dvmap.a.": [[36, 61]]}, "info": {"id": "cyner2_8class_test_00630", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Wavipeg.A8 Troj.W32.Scar.to7k Trojan.Zusy.D8DC2 Backdoor.Ratenjay Win32/Tnega.GEXfUSB BKDR_WAVIPEG.SM Trojan.Win32.Scar.hgxl Trojan.Win32.Scar.cqkqmh Trojan.Click2.51376 Trojan.Scar.Win32.77443 BKDR_WAVIPEG.SM Trojan/Scar.azvv Trojan/Win32.Scar Backdoor:Win32/Wavipeg.A Trojan.Win32.Scar.hgxl Trojan/Win32.Scar.R62287 Trojan.Scar Trojan.Scar!gyQE2NlfXyY Win32/Trojan.40a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Wavipeg.A8": [[26, 45]], "Indicator: Troj.W32.Scar.to7k": [[46, 64]], "Indicator: Trojan.Zusy.D8DC2": [[65, 82]], "Indicator: Backdoor.Ratenjay": [[83, 100]], "Indicator: Win32/Tnega.GEXfUSB": [[101, 120]], "Indicator: BKDR_WAVIPEG.SM": [[121, 136], [229, 244]], "Indicator: Trojan.Win32.Scar.hgxl": [[137, 159], [305, 327]], "Indicator: Trojan.Win32.Scar.cqkqmh": [[160, 184]], "Indicator: Trojan.Click2.51376": [[185, 204]], "Indicator: Trojan.Scar.Win32.77443": [[205, 228]], "Indicator: Trojan/Scar.azvv": [[245, 261]], "Indicator: Trojan/Win32.Scar": [[262, 279]], "Indicator: Backdoor:Win32/Wavipeg.A": [[280, 304]], "Indicator: Trojan/Win32.Scar.R62287": [[328, 352]], "Indicator: Trojan.Scar": [[353, 364]], "Indicator: Trojan.Scar!gyQE2NlfXyY": [[365, 388]], "Indicator: Win32/Trojan.40a": [[389, 405]]}, "info": {"id": "cyner2_8class_test_00631", "source": "cyner2_8class_test"}} {"text": "JS/Nemucod downloads additional malware and executes it without the user's consent.", "spans": {"Indicator: JS/Nemucod": [[0, 10]], "Malware: malware": [[32, 39]]}, "info": {"id": 
"cyner2_8class_test_00632", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.JS.Iframe.AEZ Trojan.JS.Iframe.AEZ Trojan.JS.Iframe.AEZ JS.IFrame.68 JS/iFrame.psa.22 HTML/Iframer.F Trojan.JS.Iframe.AEZ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.JS.Iframe.AEZ": [[26, 46], [47, 67], [68, 88], [134, 154]], "Indicator: JS.IFrame.68": [[89, 101]], "Indicator: JS/iFrame.psa.22": [[102, 118]], "Indicator: HTML/Iframer.F": [[119, 133]]}, "info": {"id": "cyner2_8class_test_00633", "source": "cyner2_8class_test"}} {"text": "McAfee product detection is covered in the Indicators of Compromise section at the end of the document.", "spans": {"Organization: McAfee": [[0, 6]], "System: product": [[7, 14]], "Indicator: the Indicators of Compromise section": [[39, 75]]}, "info": {"id": "cyner2_8class_test_00634", "source": "cyner2_8class_test"}} {"text": "The function main uses a DES encryption algorithm to encode these addresses .", "spans": {}, "info": {"id": "cyner2_8class_test_00635", "source": "cyner2_8class_test"}} {"text": "Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app , launching an app and then performing any click/tap action controlled remotely by the attacker ( see Figure 5 ) .", "spans": {"Malware: DEFENSOR ID": [[23, 34]]}, "info": {"id": "cyner2_8class_test_00636", "source": "cyner2_8class_test"}} {"text": "FIN7 is referred to by many vendors as Carbanak Group although we do not equate all usage of the CARBANAK backdoor with FIN7.", "spans": {"ThreatActor: FIN7": [[0, 4]], "Organization: vendors": [[28, 35]], "ThreatActor: Carbanak Group": [[39, 53]], "Malware: CARBANAK backdoor": [[97, 114]], "ThreatActor: FIN7.": [[120, 125]]}, "info": {"id": "cyner2_8class_test_00637", "source": "cyner2_8class_test"}} {"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_8class_test_00638", "source": "cyner2_8class_test"}} {"text": "Stick to 
Google Play and use VPN software from reputable vendors .", "spans": {"System: Google Play": [[9, 20]]}, "info": {"id": "cyner2_8class_test_00639", "source": "cyner2_8class_test"}} {"text": "These requests rely on the end user accepting the permission changes and points to the importance of healthy skepticism when giving applications permissions .", "spans": {}, "info": {"id": "cyner2_8class_test_00640", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Crypt.ULPM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Crypt.ULPM": [[26, 43]]}, "info": {"id": "cyner2_8class_test_00641", "source": "cyner2_8class_test"}} {"text": "This tunnel provided the attacker remote access to the host system using the Terminal Services TS, NetBIOS, and Server Message Block SMB services, while appearing to be traffic to legitimate websites.", "spans": {"System: tunnel": [[5, 11]], "ThreatActor: attacker": [[25, 33]], "Indicator: remote access": [[34, 47]], "System: the host system": [[51, 66]], "System: Terminal Services TS, NetBIOS,": [[77, 107]], "System: Server Message Block SMB services,": [[112, 146]], "Indicator: traffic": [[169, 176]], "Indicator: legitimate websites.": [[180, 200]]}, "info": {"id": "cyner2_8class_test_00642", "source": "cyner2_8class_test"}} {"text": "] 137 54.69.156 [ .", "spans": {"Indicator: 54.69.156 [ .": [[6, 19]]}, "info": {"id": "cyner2_8class_test_00643", "source": "cyner2_8class_test"}} {"text": "More interestingly however, Fancy Bear employed a new tactic we hadn t previously seen: using Blogspot-hosted URLs in their spear-phishing email messages.", "spans": {"ThreatActor: Fancy Bear": [[28, 38]], "Indicator: Blogspot-hosted URLs": [[94, 114]], "Indicator: spear-phishing email messages.": [[124, 154]]}, "info": {"id": "cyner2_8class_test_00644", "source": "cyner2_8class_test"}} {"text": "] com webmail [ .", "spans": {"Indicator: webmail [ .": [[6, 17]]}, "info": {"id": "cyner2_8class_test_00645", "source": 
"cyner2_8class_test"}} {"text": "In the beginning of July, Neutrino reportedly incorporated the HackingTeam 0day CVE-2015-5119, and in the past few days we've seen a massive uptick in the use of the kit.", "spans": {"Date: beginning of July,": [[7, 25]], "Malware: Neutrino": [[26, 34]], "Organization: HackingTeam": [[63, 74]], "Vulnerability: 0day": [[75, 79]], "Indicator: CVE-2015-5119,": [[80, 94]], "Malware: kit.": [[166, 170]]}, "info": {"id": "cyner2_8class_test_00646", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: DoS.Win32.VB!O Win32.Trojan.WisdomEyes.16070401.9500.9942 DoS.Win32.VB.u Trojan.Win32.VB.cyoswl Tool.VB.Win32.2571 BehavesLike.Win32.BadFile.ft DoS.VB.gc DoS:Win32/VB.U DoS.Win32.VB.u DoS.VB!+iXnI0PBPqU", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: DoS.Win32.VB!O": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9942": [[41, 83]], "Indicator: DoS.Win32.VB.u": [[84, 98], [195, 209]], "Indicator: Trojan.Win32.VB.cyoswl": [[99, 121]], "Indicator: Tool.VB.Win32.2571": [[122, 140]], "Indicator: BehavesLike.Win32.BadFile.ft": [[141, 169]], "Indicator: DoS.VB.gc": [[170, 179]], "Indicator: DoS:Win32/VB.U": [[180, 194]], "Indicator: DoS.VB!+iXnI0PBPqU": [[210, 228]]}, "info": {"id": "cyner2_8class_test_00647", "source": "cyner2_8class_test"}} {"text": "In the dangerous module lies a kill switch logic which looks for the keyword “ infect ” .", "spans": {}, "info": {"id": "cyner2_8class_test_00648", "source": "cyner2_8class_test"}} {"text": "Since May 2016, the APT-C-23 has organized an organized, planned and targeted long-term uninterrupted attack on important areas such as Palestinian educational institutions and military institutions.", "spans": {"Date: May 2016,": [[6, 15]], "ThreatActor: APT-C-23": [[20, 28]], "Indicator: attack": [[102, 108]], "Organization: Palestinian educational institutions": [[136, 172]], "Organization: military institutions.": [[177, 199]]}, "info": {"id": "cyner2_8class_test_00649", 
"source": "cyner2_8class_test"}} {"text": "] it server1na.exodus.connexxa [ .", "spans": {"Indicator: server1na.exodus.connexxa [ .": [[5, 34]]}, "info": {"id": "cyner2_8class_test_00650", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.4170 HackTool.Win32.QQMima!O Hacktool.Qqmima Trojan/Hacktool.QQMima.a Win32.HackTool.QQMima.a HKTL_QQMIMA.A Win.Trojan.Qqmima-1 HackTool.Win32.QQMima.a Riskware.Win32.QQMima.hzhnq Backdoor.Win32.A.Hupigon.12288.D[UPX] Troj.W32.Tiny.to39 Win32.Hacktool.Qqmima.Dvzq Tool.Qqmima Tool.QQMima.Win32.1 HKTL_QQMIMA.A HackTool.QQMima.k HackTool/Win32.QQMima HackTool.Win32.QQMima.a HackTool:Win32/Qqmima.A Trojan/Win32.HackTool.R46193 Win32/HackTool.QQMima.A HackTool.Win32.QQMima Win32/Trojan.1e8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.HackTool.4170": [[26, 50]], "Indicator: HackTool.Win32.QQMima!O": [[51, 74]], "Indicator: Hacktool.Qqmima": [[75, 90]], "Indicator: Trojan/Hacktool.QQMima.a": [[91, 115]], "Indicator: Win32.HackTool.QQMima.a": [[116, 139]], "Indicator: HKTL_QQMIMA.A": [[140, 153], [342, 355]], "Indicator: Win.Trojan.Qqmima-1": [[154, 173]], "Indicator: HackTool.Win32.QQMima.a": [[174, 197], [396, 419]], "Indicator: Riskware.Win32.QQMima.hzhnq": [[198, 225]], "Indicator: Backdoor.Win32.A.Hupigon.12288.D[UPX]": [[226, 263]], "Indicator: Troj.W32.Tiny.to39": [[264, 282]], "Indicator: Win32.Hacktool.Qqmima.Dvzq": [[283, 309]], "Indicator: Tool.Qqmima": [[310, 321]], "Indicator: Tool.QQMima.Win32.1": [[322, 341]], "Indicator: HackTool.QQMima.k": [[356, 373]], "Indicator: HackTool/Win32.QQMima": [[374, 395]], "Indicator: HackTool:Win32/Qqmima.A": [[420, 443]], "Indicator: Trojan/Win32.HackTool.R46193": [[444, 472]], "Indicator: Win32/HackTool.QQMima.A": [[473, 496]], "Indicator: HackTool.Win32.QQMima": [[497, 518]], "Indicator: Win32/Trojan.1e8": [[519, 535]]}, "info": {"id": "cyner2_8class_test_00651", "source": "cyner2_8class_test"}} {"text": "A backdoor also known 
as: Trojan.Mauvaise.SL1 Backdoor.DarkKomet.Win32.4059 Troj.Ransom.W32.Blocker.tnqj Infostealer.Limitail Win32/Tnega.RfCSaJB Win32.Trojan-Dropper.BeiF.A Trojan-Ransom.Win32.Blocker.hrft Trojan.Win32.FakeAV.bdkdze BackDoor.Comet.152 Ransom_ATOM.SM0 BehavesLike.Win32.Ransomware.jc Backdoor/DarkKomet.kwk TR/Dropper.MSIL.svnaf Trojan-Ransom.Win32.Blocker.hrft TrojanDropper:Win32/Effbee.A Backdoor/Win32.DarkKomet.R48242 Hoax.Blocker Trojan.Dropper Trojan-Ransom.Win32.Blocker.a W32/Dropper.PYN!tr Win32/Trojan.Dropper.569", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Backdoor.DarkKomet.Win32.4059": [[46, 75]], "Indicator: Troj.Ransom.W32.Blocker.tnqj": [[76, 104]], "Indicator: Infostealer.Limitail": [[105, 125]], "Indicator: Win32/Tnega.RfCSaJB": [[126, 145]], "Indicator: Win32.Trojan-Dropper.BeiF.A": [[146, 173]], "Indicator: Trojan-Ransom.Win32.Blocker.hrft": [[174, 206], [346, 378]], "Indicator: Trojan.Win32.FakeAV.bdkdze": [[207, 233]], "Indicator: BackDoor.Comet.152": [[234, 252]], "Indicator: Ransom_ATOM.SM0": [[253, 268]], "Indicator: BehavesLike.Win32.Ransomware.jc": [[269, 300]], "Indicator: Backdoor/DarkKomet.kwk": [[301, 323]], "Indicator: TR/Dropper.MSIL.svnaf": [[324, 345]], "Indicator: TrojanDropper:Win32/Effbee.A": [[379, 407]], "Indicator: Backdoor/Win32.DarkKomet.R48242": [[408, 439]], "Indicator: Hoax.Blocker": [[440, 452]], "Indicator: Trojan.Dropper": [[453, 467]], "Indicator: Trojan-Ransom.Win32.Blocker.a": [[468, 497]], "Indicator: W32/Dropper.PYN!tr": [[498, 516]], "Indicator: Win32/Trojan.Dropper.569": [[517, 541]]}, "info": {"id": "cyner2_8class_test_00652", "source": "cyner2_8class_test"}} {"text": "When loaded with startup command 2 , the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll .", "spans": {"Indicator: explorer.exe file": [[73, 90]], "Indicator: d3d9.dll": [[139, 147]], "Indicator: uxtheme.dll": [[151, 162]]}, 
"info": {"id": "cyner2_8class_test_00653", "source": "cyner2_8class_test"}} {"text": "In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy .", "spans": {}, "info": {"id": "cyner2_8class_test_00654", "source": "cyner2_8class_test"}} {"text": "In a curious case of life imitating art, a new ransomware variant inspired by the popular TV show, Mr. Robot, has emerged.", "spans": {"Malware: ransomware variant": [[47, 65]]}, "info": {"id": "cyner2_8class_test_00655", "source": "cyner2_8class_test"}} {"text": "We identified infrastructure overlaps and string references to previous Wolf Research work .", "spans": {"Organization: Wolf Research": [[72, 85]]}, "info": {"id": "cyner2_8class_test_00656", "source": "cyner2_8class_test"}} {"text": "The registrant contact details of the C & C domains used in the campaign , for instance , were masked .", "spans": {}, "info": {"id": "cyner2_8class_test_00657", "source": "cyner2_8class_test"}} {"text": "The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.", "spans": {"Indicator: The compromised websites": [[0, 24]], "ThreatActor: group": [[44, 49]], "Organization: information technology companies": [[53, 85]], "Location: Thailand,": [[89, 98]], "Malware: tools": [[111, 116]]}, "info": {"id": "cyner2_8class_test_00658", "source": "cyner2_8class_test"}} {"text": "Rasul Jafarov is a prominent lawyer and human rights defender in Azerbaijan.", "spans": {"Organization: Rasul Jafarov": [[0, 13]], "Organization: prominent lawyer and human rights defender": [[19, 61]], "Location: Azerbaijan.": [[65, 76]]}, "info": {"id": "cyner2_8class_test_00659", "source": "cyner2_8class_test"}} {"text": "Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years.", "spans": {"Malware: Ransomware": [[0, 10]], 
"Malware: malware family": [[97, 111]], "Date: the last number of years.": [[128, 153]]}, "info": {"id": "cyner2_8class_test_00660", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Paganini.Heur Backdoor.Win32.Small!O Trojan.Malex.F4 W32.Virut.CF Win32/Pigeon.BCWZ BKDR_GANIPIN.SMI Win.Trojan.Small-14355 Backdoor.Win32.Small.abv Virus.Win32.Virut.Ce BKDR_GANIPIN.SMI BehavesLike.Win32.PWSZbot.lh Trojan[Backdoor]/Win32.Small Win32.Virut.cr.61440 Backdoor:Win32/Ganipin.A Backdoor.Win32.A.Small.53248.G Backdoor.Win32.Small.abv HEUR/Fakon.mwf Backdoor.Small Trojan.FakeMS.ED Win32/Virut.NBP Trojan.Win32.Malex W32/Ganipin.KID!tr W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Paganini.Heur": [[26, 43]], "Indicator: Backdoor.Win32.Small!O": [[44, 66]], "Indicator: Trojan.Malex.F4": [[67, 82]], "Indicator: W32.Virut.CF": [[83, 95]], "Indicator: Win32/Pigeon.BCWZ": [[96, 113]], "Indicator: BKDR_GANIPIN.SMI": [[114, 130], [200, 216]], "Indicator: Win.Trojan.Small-14355": [[131, 153]], "Indicator: Backdoor.Win32.Small.abv": [[154, 178], [352, 376]], "Indicator: Virus.Win32.Virut.Ce": [[179, 199]], "Indicator: BehavesLike.Win32.PWSZbot.lh": [[217, 245]], "Indicator: Trojan[Backdoor]/Win32.Small": [[246, 274]], "Indicator: Win32.Virut.cr.61440": [[275, 295]], "Indicator: Backdoor:Win32/Ganipin.A": [[296, 320]], "Indicator: Backdoor.Win32.A.Small.53248.G": [[321, 351]], "Indicator: HEUR/Fakon.mwf": [[377, 391]], "Indicator: Backdoor.Small": [[392, 406]], "Indicator: Trojan.FakeMS.ED": [[407, 423]], "Indicator: Win32/Virut.NBP": [[424, 439]], "Indicator: Trojan.Win32.Malex": [[440, 458]], "Indicator: W32/Ganipin.KID!tr": [[459, 477]], "Indicator: W32/Sality.AO": [[478, 491]]}, "info": {"id": "cyner2_8class_test_00661", "source": "cyner2_8class_test"}} {"text": "After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in Autofocus using the tag Bookworm.", "spans": {"Malware: 
Trojan,": [[64, 71]], "Malware: Bookworm": [[93, 101]], "Malware: Autofocus": [[115, 124]], "Malware: Bookworm.": [[139, 148]]}, "info": {"id": "cyner2_8class_test_00662", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Turla Backdoor.Win32.Turla BDS/Turla.biysb Backdoor:Win32/Turla.PA Trojan/Win32.Turla.C2322328 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Turla": [[26, 40]], "Indicator: Backdoor.Win32.Turla": [[41, 61]], "Indicator: BDS/Turla.biysb": [[62, 77]], "Indicator: Backdoor:Win32/Turla.PA": [[78, 101]], "Indicator: Trojan/Win32.Turla.C2322328": [[102, 129]], "Indicator: Trj/CI.A": [[130, 138]]}, "info": {"id": "cyner2_8class_test_00663", "source": "cyner2_8class_test"}} {"text": "How did it work ? The malware mimics legit services such as Google service , GooglePlay or Flash update .", "spans": {"Organization: Google": [[60, 66]], "System: GooglePlay": [[77, 87]], "System: Flash": [[91, 96]]}, "info": {"id": "cyner2_8class_test_00664", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/ExeDot.dpg Win32.Trojan.BHO.l W32/MalwareS.BGEU TROJ_DROPPR.SMS Win.Trojan.Exedot-76 Trojan.Win32.ExeDot.ctyvd Trojan.Win32.A.ExeDot.348684.A Backdoor.Win32.Cycbot.SM Trojan.MulDrop1.15257 Trojan.ExeDot.Win32.233 TROJ_DROPPR.SMS Trojan.Win32.ExeDot Trojan/ExeDot.ar TR/Spy.348684.2 Trojan/Win32.ExeDot Win32/BHO.NYW Trojan.ExeDot!RnagdE48E2U", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/ExeDot.dpg": [[26, 43]], "Indicator: Win32.Trojan.BHO.l": [[44, 62]], "Indicator: W32/MalwareS.BGEU": [[63, 80]], "Indicator: TROJ_DROPPR.SMS": [[81, 96], [246, 261]], "Indicator: Win.Trojan.Exedot-76": [[97, 117]], "Indicator: Trojan.Win32.ExeDot.ctyvd": [[118, 143]], "Indicator: Trojan.Win32.A.ExeDot.348684.A": [[144, 174]], "Indicator: Backdoor.Win32.Cycbot.SM": [[175, 199]], "Indicator: Trojan.MulDrop1.15257": [[200, 221]], "Indicator: Trojan.ExeDot.Win32.233": [[222, 245]], "Indicator: 
Trojan.Win32.ExeDot": [[262, 281]], "Indicator: Trojan/ExeDot.ar": [[282, 298]], "Indicator: TR/Spy.348684.2": [[299, 314]], "Indicator: Trojan/Win32.ExeDot": [[315, 334]], "Indicator: Win32/BHO.NYW": [[335, 348]], "Indicator: Trojan.ExeDot!RnagdE48E2U": [[349, 374]]}, "info": {"id": "cyner2_8class_test_00665", "source": "cyner2_8class_test"}} {"text": "] commargaery [ .", "spans": {"Indicator: [ .": [[14, 17]]}, "info": {"id": "cyner2_8class_test_00666", "source": "cyner2_8class_test"}} {"text": "This trojan is highly evolved in its design .", "spans": {}, "info": {"id": "cyner2_8class_test_00667", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HoiuyetsA.Trojan Trojan.Win32.Cossta!O TrojanDownloader.Gemax.A8 Trojan/Cossta.loo Trojan.Graftor.D779B TROJ_GEMAX.SMI Win32.Trojan.StartPage.x Win32/SillyDl.XBR TROJ_GEMAX.SMI Win.Trojan.Cossta-78 Trojan.Win32.Cossta.loo Trojan.Win32.Cossta.iikiu Trojan.KeyLogger.10368 BehavesLike.Win32.Worm.fh Trojan-Downloader.Win32.Gemax Trojan/Win32.Cossta TrojanDownloader:Win32/Gemax.A Trojan.Win32.A.Cossta.379904 Trojan.Win32.Cossta.loo Trojan/Win32.Cossta.R5364 Trojan.Cossta Win32/StartPage.NXB W32/Cossta.NXB!tr Win32/Trojan.6eb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HoiuyetsA.Trojan": [[26, 46]], "Indicator: Trojan.Win32.Cossta!O": [[47, 68]], "Indicator: TrojanDownloader.Gemax.A8": [[69, 94]], "Indicator: Trojan/Cossta.loo": [[95, 112]], "Indicator: Trojan.Graftor.D779B": [[113, 133]], "Indicator: TROJ_GEMAX.SMI": [[134, 148], [192, 206]], "Indicator: Win32.Trojan.StartPage.x": [[149, 173]], "Indicator: Win32/SillyDl.XBR": [[174, 191]], "Indicator: Win.Trojan.Cossta-78": [[207, 227]], "Indicator: Trojan.Win32.Cossta.loo": [[228, 251], [437, 460]], "Indicator: Trojan.Win32.Cossta.iikiu": [[252, 277]], "Indicator: Trojan.KeyLogger.10368": [[278, 300]], "Indicator: BehavesLike.Win32.Worm.fh": [[301, 326]], "Indicator: Trojan-Downloader.Win32.Gemax": [[327, 356]], "Indicator: 
Trojan/Win32.Cossta": [[357, 376]], "Indicator: TrojanDownloader:Win32/Gemax.A": [[377, 407]], "Indicator: Trojan.Win32.A.Cossta.379904": [[408, 436]], "Indicator: Trojan/Win32.Cossta.R5364": [[461, 486]], "Indicator: Trojan.Cossta": [[487, 500]], "Indicator: Win32/StartPage.NXB": [[501, 520]], "Indicator: W32/Cossta.NXB!tr": [[521, 538]], "Indicator: Win32/Trojan.6eb": [[539, 555]]}, "info": {"id": "cyner2_8class_test_00668", "source": "cyner2_8class_test"}} {"text": "This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.", "spans": {"Malware: KONNI": [[33, 38]], "ThreatActor: distribution campaigns": [[39, 61]], "Location: North Korea.": [[99, 111]]}, "info": {"id": "cyner2_8class_test_00669", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: WS.Reputation.1 Trojan/Win32.StartPage", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: Trojan/Win32.StartPage": [[42, 64]]}, "info": {"id": "cyner2_8class_test_00670", "source": "cyner2_8class_test"}} {"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed .", "spans": {}, "info": {"id": "cyner2_8class_test_00671", "source": "cyner2_8class_test"}} {"text": "Gindin, which exposed new information about the attack and is currently assisting with the investigation.", "spans": {"Organization: Gindin,": [[0, 7]]}, "info": {"id": "cyner2_8class_test_00672", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: BAT.PowScript.A.GC Trojan.Malscript TROJ_POWSHELL.IA Trojan.AQMK-7 Trojan:PowerShell/Dpow.A Trojan.PowerShell.Dpow", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BAT.PowScript.A.GC": [[26, 44]], "Indicator: Trojan.Malscript": [[45, 61]], "Indicator: TROJ_POWSHELL.IA": [[62, 78]], "Indicator: Trojan.AQMK-7": [[79, 92]], "Indicator: Trojan:PowerShell/Dpow.A": [[93, 117]], "Indicator: Trojan.PowerShell.Dpow": [[118, 140]]}, "info": 
{"id": "cyner2_8class_test_00673", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Sauron.A5 Troj.Multi.Remsec!c W64/Trojan.JRSI-8772 Trojan.Win32.Z.Remsec.79872 Backdoor:W64/Remsec.C Trojan.Remsec.10 BehavesLike.Win64.PWSZbot.lc Trojan.Multi.f BDS/Remsec.ivhvc Trojan/Multi.Remsec Backdoor:Win64/Remsec.A!dha Trj/CI.A Win32.Trojan.Remsec.Svhs Backdoor..Remsec Win32/Trojan.Multi.c3f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Sauron.A5": [[26, 44]], "Indicator: Troj.Multi.Remsec!c": [[45, 64]], "Indicator: W64/Trojan.JRSI-8772": [[65, 85]], "Indicator: Trojan.Win32.Z.Remsec.79872": [[86, 113]], "Indicator: Backdoor:W64/Remsec.C": [[114, 135]], "Indicator: Trojan.Remsec.10": [[136, 152]], "Indicator: BehavesLike.Win64.PWSZbot.lc": [[153, 181]], "Indicator: Trojan.Multi.f": [[182, 196]], "Indicator: BDS/Remsec.ivhvc": [[197, 213]], "Indicator: Trojan/Multi.Remsec": [[214, 233]], "Indicator: Backdoor:Win64/Remsec.A!dha": [[234, 261]], "Indicator: Trj/CI.A": [[262, 270]], "Indicator: Win32.Trojan.Remsec.Svhs": [[271, 295]], "Indicator: Backdoor..Remsec": [[296, 312]], "Indicator: Win32/Trojan.Multi.c3f": [[313, 335]]}, "info": {"id": "cyner2_8class_test_00674", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Singu!O Trojan.Banbra Backdoor/Singu.o Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Singu.FOSG-1503 Win32/Singu.G BKDR_SINGU.L Trojan-Banker.Win32.Banbra.tode Trojan.Win32.Singu.dnjf Backdoor.W32.Singu.l3vO Win32.Trojan-banker.Banbra.Alsa BackDoor.BlackHole.22965 Backdoor.Singu.Win32.191 BKDR_SINGU.L BehavesLike.Win32.Backdoor.dc Backdoor.Win32.Singu W32/Singu.BA@bd Backdoor/Heidong2005.mh BDS/Singu.O.2 Trojan[Backdoor]/Win32.Singu Trojan.Graftor.D92DE Backdoor.Win32.Singu.210668 Trojan-Banker.Win32.Banbra.tode Backdoor:Win32/Singu.AB Trojan/Win32.Xema.C113743 Backdoor.Singu Win32/Singu.NAD W32/Singu.L!tr.bdr Bck/Singu.Q Win32/Trojan.a3e", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: Backdoor.Win32.Singu!O": [[26, 48]], "Indicator: Trojan.Banbra": [[49, 62]], "Indicator: Backdoor/Singu.o": [[63, 79]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9965": [[80, 122]], "Indicator: W32/Singu.FOSG-1503": [[123, 142]], "Indicator: Win32/Singu.G": [[143, 156]], "Indicator: BKDR_SINGU.L": [[157, 169], [332, 344]], "Indicator: Trojan-Banker.Win32.Banbra.tode": [[170, 201], [528, 559]], "Indicator: Trojan.Win32.Singu.dnjf": [[202, 225]], "Indicator: Backdoor.W32.Singu.l3vO": [[226, 249]], "Indicator: Win32.Trojan-banker.Banbra.Alsa": [[250, 281]], "Indicator: BackDoor.BlackHole.22965": [[282, 306]], "Indicator: Backdoor.Singu.Win32.191": [[307, 331]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[345, 374]], "Indicator: Backdoor.Win32.Singu": [[375, 395]], "Indicator: W32/Singu.BA@bd": [[396, 411]], "Indicator: Backdoor/Heidong2005.mh": [[412, 435]], "Indicator: BDS/Singu.O.2": [[436, 449]], "Indicator: Trojan[Backdoor]/Win32.Singu": [[450, 478]], "Indicator: Trojan.Graftor.D92DE": [[479, 499]], "Indicator: Backdoor.Win32.Singu.210668": [[500, 527]], "Indicator: Backdoor:Win32/Singu.AB": [[560, 583]], "Indicator: Trojan/Win32.Xema.C113743": [[584, 609]], "Indicator: Backdoor.Singu": [[610, 624]], "Indicator: Win32/Singu.NAD": [[625, 640]], "Indicator: W32/Singu.L!tr.bdr": [[641, 659]], "Indicator: Bck/Singu.Q": [[660, 671]], "Indicator: Win32/Trojan.a3e": [[672, 688]]}, "info": {"id": "cyner2_8class_test_00675", "source": "cyner2_8class_test"}} {"text": "The malicious application is on the left-hand side .", "spans": {}, "info": {"id": "cyner2_8class_test_00676", "source": "cyner2_8class_test"}} {"text": "To perform some of its activities , the malware does not need high privileges inside the device , as we will explain ahead .", "spans": {}, "info": {"id": "cyner2_8class_test_00677", "source": "cyner2_8class_test"}} {"text": "Investigators put the origin of the attack as Iranian; Morphisec's research supports this conclusion and 
attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.", "spans": {"Organization: Investigators": [[0, 13]], "Indicator: attack": [[36, 42]], "Location: Iranian;": [[46, 54]], "Organization: Morphisec's research": [[55, 75]], "Indicator: attacks": [[120, 127]], "ThreatActor: infamous hacker group": [[140, 161]], "ThreatActor: the OilRig malware campaigns.": [[178, 207]]}, "info": {"id": "cyner2_8class_test_00678", "source": "cyner2_8class_test"}} {"text": "Alienvault has added additional and related infrastructure found when we analyzed the PoisonIvy sample.", "spans": {"Organization: Alienvault": [[0, 10]], "Malware: PoisonIvy": [[86, 95]]}, "info": {"id": "cyner2_8class_test_00679", "source": "cyner2_8class_test"}} {"text": "An internal investigation by the University of Toyama and other sources has revealed that a research centre at the university known for its work on tritium, a substance used to fuel nuclear fusion reactors, is feared to have been targeted by cyberattacks over a period of about six months.", "spans": {"Organization: University of Toyama": [[33, 53]], "Organization: research centre at": [[92, 110]], "Organization: university": [[115, 125]], "ThreatActor: cyberattacks": [[242, 254]], "Date: six months.": [[278, 289]]}, "info": {"id": "cyner2_8class_test_00680", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 Trojan.Dirtjump Win32/Virut.NBP PE_VIRUX.R Win.Trojan.Misun-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.lDnT Virus.Win32.Virut.CE Win32.Virut.56 PE_VIRUX.R BehavesLike.Win32.Downloader.dh Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 TrojanDownloader:Win32/Misun.A Virus.Win32.Virut.ce Win32/Virut.17408 Virus.Virut.14 Trojan.Pandora Trojan-Downloader.Win32.Misun W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32.Vetor.PE": [[26, 38]], "Indicator: Virus.Win32.Virut.1!O": [[39, 60]], "Indicator: W32.Virut.G": [[61, 72]], "Indicator: Virus.Virut.Win32.1938": [[73, 95]], "Indicator: Trojan.Dirtjump": [[96, 111]], "Indicator: Win32/Virut.NBP": [[112, 127]], "Indicator: PE_VIRUX.R": [[128, 138], [253, 263]], "Indicator: Win.Trojan.Misun-1": [[139, 157]], "Indicator: Virus.Win32.Virut.ce": [[158, 178], [385, 405]], "Indicator: Virus.Win32.Virut.hpeg": [[179, 201]], "Indicator: W32.Virut.lDnT": [[202, 216]], "Indicator: Virus.Win32.Virut.CE": [[217, 237]], "Indicator: Win32.Virut.56": [[238, 252]], "Indicator: BehavesLike.Win32.Downloader.dh": [[264, 295]], "Indicator: Win32/Virut.bt": [[296, 310]], "Indicator: Virus/Win32.Virut.ce": [[311, 331]], "Indicator: Win32.Virut.dd.368640": [[332, 353]], "Indicator: TrojanDownloader:Win32/Misun.A": [[354, 384]], "Indicator: Win32/Virut.17408": [[406, 423]], "Indicator: Virus.Virut.14": [[424, 438]], "Indicator: Trojan.Pandora": [[439, 453]], "Indicator: Trojan-Downloader.Win32.Misun": [[454, 483]], "Indicator: W32/Virut.CE": [[484, 496]], "Indicator: W32/Sality.AO": [[497, 510]], "Indicator: Virus.Win32.VirutChangeEntry.A": [[511, 541]]}, "info": {"id": "cyner2_8class_test_00681", "source": "cyner2_8class_test"}} {"text": "This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.", "spans": {"System: compromising servers": [[51, 71]], "Indicator: network": [[131, 138]], "Indicator: compromise": [[142, 152]], "System: additional machines": [[153, 172]], "Malware: ransom.": [[197, 204]]}, "info": {"id": "cyner2_8class_test_00682", "source": "cyner2_8class_test"}} {"text": "] com hxxp : //mailsa-wqu [ .", "spans": {"Indicator: hxxp : //mailsa-wqu [ .": [[6, 29]]}, "info": {"id": "cyner2_8class_test_00683", "source": "cyner2_8class_test"}} {"text": "The new drive-by download attacks we caught 
over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits.", "spans": {"Indicator: drive-by download attacks": [[8, 33]], "Malware: Blackhole,": [[104, 114]], "Indicator: old PDF": [[132, 139]], "Vulnerability: Java exploits.": [[144, 158]]}, "info": {"id": "cyner2_8class_test_00684", "source": "cyner2_8class_test"}} {"text": "All communication with the C2 is done over HTTP .", "spans": {}, "info": {"id": "cyner2_8class_test_00685", "source": "cyner2_8class_test"}} {"text": "More recently , we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK .", "spans": {"Malware: Bread-related": [[29, 42]]}, "info": {"id": "cyner2_8class_test_00686", "source": "cyner2_8class_test"}} {"text": "I haven't seen any write-up or info about it yet nor had any major incidents at $dayjob or heard of it from any other analysts.", "spans": {}, "info": {"id": "cyner2_8class_test_00687", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Win32/Virut.17408.C!corrupt Worm.Win32.WBNA.roc Win32.Worm.Wbna.Htcg BehavesLike.Win32.BadFile.pt Virus.Win32.Trojan Win32.Virut.cr.52736 Worm.Win32.WBNA.roc W32/WBNA.ROC!worm Win32/Worm.d5f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[26, 68]], "Indicator: Win32/Virut.17408.C!corrupt": [[69, 96]], "Indicator: Worm.Win32.WBNA.roc": [[97, 116], [207, 226]], "Indicator: Win32.Worm.Wbna.Htcg": [[117, 137]], "Indicator: BehavesLike.Win32.BadFile.pt": [[138, 166]], "Indicator: Virus.Win32.Trojan": [[167, 185]], "Indicator: Win32.Virut.cr.52736": [[186, 206]], "Indicator: W32/WBNA.ROC!worm": [[227, 244]], "Indicator: Win32/Worm.d5f": [[245, 259]]}, "info": {"id": "cyner2_8class_test_00688", "source": "cyner2_8class_test"}} {"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , 
with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise .", "spans": {}, "info": {"id": "cyner2_8class_test_00689", "source": "cyner2_8class_test"}} {"text": "In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity.", "spans": {"Date: November 2015,": [[3, 17]], "Organization: ClearSky": [[18, 26]], "Organization: Minerva Labs": [[31, 43]]}, "info": {"id": "cyner2_8class_test_00690", "source": "cyner2_8class_test"}} {"text": "The worm serves as a backdoor.", "spans": {"Malware: worm": [[4, 8]], "Malware: backdoor.": [[21, 30]]}, "info": {"id": "cyner2_8class_test_00691", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.StuxnetQKD.Worm Worm.Win32.Stuxnet!O TrojanDropper.Stuxnet.A Trojan/Dropper.Stuxnet.e Trojan.Razy.D295EE WORM_STUXNET.SM Win32.Worm.Stuxnet.b W32/Stuxnet.A Win32/Stuxnet.A WORM_STUXNET.SM Win.Trojan.Stuxnet-16 Worm.Win32.Stuxnet.e Trojan.Win32.Stuxnet.yqyt Dropper.Stuxnet.517632 W32.W.Stuxnet.tnba Worm.Win32.Stuxnet.a Trojan.Stuxnet.1 BehavesLike.Win32.Ransomware.hc W32/Stuxnet.WKAU-7295 TrojanDropper.Stuxnet.c W32.Stuxnet TR/Drop.Stuxnet.A Worm/Win32.Stuxnet TrojanDropper:Win32/Stuxnet.A Worm.Win32.Stuxnet.e Worm/Win32.Stuxnet.R608 Trojan.Stuxnet W32/Stuxnet.A.worm Win32/Stuxnet.A Win32.Worm.Stuxnet.Wtxk Trojan-Dropper.Win32.Stuxnet Worm.Win32.Stuxnet.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.StuxnetQKD.Worm": [[26, 45]], "Indicator: Worm.Win32.Stuxnet!O": [[46, 66]], "Indicator: TrojanDropper.Stuxnet.A": [[67, 90]], "Indicator: Trojan/Dropper.Stuxnet.e": [[91, 115]], "Indicator: Trojan.Razy.D295EE": [[116, 134]], "Indicator: WORM_STUXNET.SM": [[135, 150], [202, 217]], "Indicator: Win32.Worm.Stuxnet.b": [[151, 171]], "Indicator: W32/Stuxnet.A": [[172, 185]], "Indicator: Win32/Stuxnet.A": [[186, 201], [603, 618]], 
"Indicator: Win.Trojan.Stuxnet-16": [[218, 239]], "Indicator: Worm.Win32.Stuxnet.e": [[240, 260], [524, 544]], "Indicator: Trojan.Win32.Stuxnet.yqyt": [[261, 286]], "Indicator: Dropper.Stuxnet.517632": [[287, 309]], "Indicator: W32.W.Stuxnet.tnba": [[310, 328]], "Indicator: Worm.Win32.Stuxnet.a": [[329, 349]], "Indicator: Trojan.Stuxnet.1": [[350, 366]], "Indicator: BehavesLike.Win32.Ransomware.hc": [[367, 398]], "Indicator: W32/Stuxnet.WKAU-7295": [[399, 420]], "Indicator: TrojanDropper.Stuxnet.c": [[421, 444]], "Indicator: W32.Stuxnet": [[445, 456]], "Indicator: TR/Drop.Stuxnet.A": [[457, 474]], "Indicator: Worm/Win32.Stuxnet": [[475, 493]], "Indicator: TrojanDropper:Win32/Stuxnet.A": [[494, 523]], "Indicator: Worm/Win32.Stuxnet.R608": [[545, 568]], "Indicator: Trojan.Stuxnet": [[569, 583]], "Indicator: W32/Stuxnet.A.worm": [[584, 602]], "Indicator: Win32.Worm.Stuxnet.Wtxk": [[619, 642]], "Indicator: Trojan-Dropper.Win32.Stuxnet": [[643, 671]], "Indicator: Worm.Win32.Stuxnet.B": [[672, 692]]}, "info": {"id": "cyner2_8class_test_00692", "source": "cyner2_8class_test"}} {"text": "Certificate Used The apps themselves pretended to be carrier assistance apps which instructed the user to “ keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators ” .", "spans": {}, "info": {"id": "cyner2_8class_test_00693", "source": "cyner2_8class_test"}} {"text": "A new Malware-as-Service MaaS platform, called Cinoshi, is offering free malware services, including a stealer, botnet, and cryptominer.", "spans": {"ThreatActor: A new Malware-as-Service MaaS platform,": [[0, 39]], "ThreatActor: Cinoshi,": [[47, 55]], "Malware: malware services,": [[73, 90]], "Malware: stealer, botnet,": [[103, 119]], "Malware: cryptominer.": [[124, 136]]}, "info": {"id": "cyner2_8class_test_00694", "source": "cyner2_8class_test"}} {"text": "The second vulnerability was a Flash vulnerability that worked on versions up to 18.0.0.232", "spans": 
{"Vulnerability: vulnerability": [[11, 24]], "Vulnerability: Flash vulnerability": [[31, 50]]}, "info": {"id": "cyner2_8class_test_00695", "source": "cyner2_8class_test"}} {"text": "The group, known to Symantec as Tick, has maintained a low profile, appearing to be active for at least 10 years prior to discovery.", "spans": {"Organization: Symantec": [[20, 28]], "ThreatActor: Tick,": [[32, 37]], "Date: 10 years": [[104, 112]]}, "info": {"id": "cyner2_8class_test_00696", "source": "cyner2_8class_test"}} {"text": "Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts.", "spans": {}, "info": {"id": "cyner2_8class_test_00697", "source": "cyner2_8class_test"}} {"text": "EventBot web injects execution method Web injects execution method by a pre-established configuration .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_8class_test_00698", "source": "cyner2_8class_test"}} {"text": "of a campaign we've labeled Turbo, for the associated kernel module that was deployed.", "spans": {"ThreatActor: campaign": [[5, 13]], "Malware: Turbo, for": [[28, 38]], "Indicator: associated kernel module": [[43, 67]]}, "info": {"id": "cyner2_8class_test_00699", "source": "cyner2_8class_test"}} {"text": "Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan RAT and added Microsoft Compiled HTML Help .chm as one of the initial droppers delivered in spear-phishing emails.", "spans": {"Date: summer of 2016,": [[10, 25]], "ThreatActor: group": [[31, 36]], "Malware: downloader": [[55, 65]], "Malware: ZeroT": [[75, 80]], "Malware: PlugX remote access Trojan RAT": [[96, 126]], "Indicator: Microsoft Compiled HTML Help .chm": [[137, 170]], "Indicator: initial droppers": [[185, 201]], "Indicator: spear-phishing emails.": [[215, 237]]}, "info": {"id": "cyner2_8class_test_00700", "source": "cyner2_8class_test"}} {"text": "In addition, Emissary appears to 
only be used against Taiwanese or Hong Kong based targets, all of the decoys are written in Traditional Chinese, and they use themes related to the government or military.", "spans": {"Malware: Emissary": [[13, 21]], "Organization: Taiwanese": [[54, 63]], "Organization: Hong Kong based targets,": [[67, 91]], "Indicator: decoys": [[103, 109]], "Indicator: Traditional Chinese,": [[125, 145]], "Organization: the government": [[177, 191]], "Organization: military.": [[195, 204]]}, "info": {"id": "cyner2_8class_test_00701", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Kitro.G@mm Worm/W32.Kitro.501760 Worm.Kitro Worm.Kitro.Win32.7 W32.W.Kitro.g1!c Win32.Kitro.EAD1A6 W32/Kitro.L Win32/Kitro.N Win32.Kitro.G@mm Email-Worm.Win32.Kitro.g1 Win32.Kitro.G@mm Trojan.Win32.Kitro.fpwn Win32.Kitro.G@mm Worm.Win32.Kitro.G1 Win32.HLLM.Kitro.16 BehavesLike.Win32.Backdoor.gh W32/Kitro.CDOE-2657 I-Worm/Kitro.g WORM/Kitro.G1 Worm[Email]/Win32.Kitro Worm:Win32/Kitro.G@mm Email-Worm.Win32.Kitro.g1 Trojan/Win32.Xema.C24227 Win32.Kitro.G@mm TScope.Trojan.Delf Win32/Kitro.G1 Win32.Worm-email.Kitro.Lnxz Worm.Win32.Kitro Win32/Worm.d9a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Kitro.G@mm": [[26, 42], [157, 173], [200, 216], [241, 257], [474, 490]], "Indicator: Worm/W32.Kitro.501760": [[43, 64]], "Indicator: Worm.Kitro": [[65, 75]], "Indicator: Worm.Kitro.Win32.7": [[76, 94]], "Indicator: W32.W.Kitro.g1!c": [[95, 111]], "Indicator: Win32.Kitro.EAD1A6": [[112, 130]], "Indicator: W32/Kitro.L": [[131, 142]], "Indicator: Win32/Kitro.N": [[143, 156]], "Indicator: Email-Worm.Win32.Kitro.g1": [[174, 199], [423, 448]], "Indicator: Trojan.Win32.Kitro.fpwn": [[217, 240]], "Indicator: Worm.Win32.Kitro.G1": [[258, 277]], "Indicator: Win32.HLLM.Kitro.16": [[278, 297]], "Indicator: BehavesLike.Win32.Backdoor.gh": [[298, 327]], "Indicator: W32/Kitro.CDOE-2657": [[328, 347]], "Indicator: I-Worm/Kitro.g": [[348, 362]], "Indicator: WORM/Kitro.G1": [[363, 376]], 
"Indicator: Worm[Email]/Win32.Kitro": [[377, 400]], "Indicator: Worm:Win32/Kitro.G@mm": [[401, 422]], "Indicator: Trojan/Win32.Xema.C24227": [[449, 473]], "Indicator: TScope.Trojan.Delf": [[491, 509]], "Indicator: Win32/Kitro.G1": [[510, 524]], "Indicator: Win32.Worm-email.Kitro.Lnxz": [[525, 552]], "Indicator: Worm.Win32.Kitro": [[553, 569]], "Indicator: Win32/Worm.d9a": [[570, 584]]}, "info": {"id": "cyner2_8class_test_00702", "source": "cyner2_8class_test"}} {"text": "The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims .", "spans": {}, "info": {"id": "cyner2_8class_test_00703", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Orsam.TS3 Win32/CInject.LO Win32.Trojan.Dropper.MS Trojan.Win32.Crypt.mhmvv W32/Trojan.XTDW-7154 Trojan/MSIL.ciz Trojan.MSILKrypt.13 Trojan:MSIL/Soar.A Trojan.Win32.Crypt.cj Trojan.Crypt!AAtL5gQIwSc W32/Crypt.BE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Orsam.TS3": [[26, 42]], "Indicator: Win32/CInject.LO": [[43, 59]], "Indicator: Win32.Trojan.Dropper.MS": [[60, 83]], "Indicator: Trojan.Win32.Crypt.mhmvv": [[84, 108]], "Indicator: W32/Trojan.XTDW-7154": [[109, 129]], "Indicator: Trojan/MSIL.ciz": [[130, 145]], "Indicator: Trojan.MSILKrypt.13": [[146, 165]], "Indicator: Trojan:MSIL/Soar.A": [[166, 184]], "Indicator: Trojan.Win32.Crypt.cj": [[185, 206]], "Indicator: Trojan.Crypt!AAtL5gQIwSc": [[207, 231]], "Indicator: W32/Crypt.BE!tr": [[232, 247]]}, "info": {"id": "cyner2_8class_test_00704", "source": "cyner2_8class_test"}} {"text": "The PDF and DOC/XLS campaigns primarily impacted the United States and the Archive campaigns largely impacted the Unites States and South Korea.", "spans": {"Indicator: The PDF": [[0, 7]], "Indicator: DOC/XLS": [[12, 19]], "ThreatActor: campaigns": [[20, 29]], "Location: the United States": [[49, 66]], "ThreatActor: the Archive campaigns": [[71, 92]], "Location: the Unites States": [[110, 127]], 
"Location: South Korea.": [[132, 144]]}, "info": {"id": "cyner2_8class_test_00705", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Ransom_Teerac.R032C0DJ717 Backdoor.Win32.Androm.jzkg Trojan.Win32.Androm.etmmzg Trojan.Encoder.761 Ransom_Teerac.R032C0DJ717 BehavesLike.Win32.MultiPlug.fc Backdoor.Androm.jqc Trojan[Backdoor]/Win32.Androm Trojan.Graftor.D432D1 Backdoor.Win32.Androm.jzkg Ransom:Win32/Teerac.I W32/TorrentLocker.C!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Ransom_Teerac.R032C0DJ717": [[69, 94], [168, 193]], "Indicator: Backdoor.Win32.Androm.jzkg": [[95, 121], [297, 323]], "Indicator: Trojan.Win32.Androm.etmmzg": [[122, 148]], "Indicator: Trojan.Encoder.761": [[149, 167]], "Indicator: BehavesLike.Win32.MultiPlug.fc": [[194, 224]], "Indicator: Backdoor.Androm.jqc": [[225, 244]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[245, 274]], "Indicator: Trojan.Graftor.D432D1": [[275, 296]], "Indicator: Ransom:Win32/Teerac.I": [[324, 345]], "Indicator: W32/TorrentLocker.C!tr": [[346, 368]]}, "info": {"id": "cyner2_8class_test_00706", "source": "cyner2_8class_test"}} {"text": "It steals bank card information ( the number , the expiry date , CVC2/CVV2 ) imitating the process of registering the bank card with Google Play .", "spans": {"System: Google Play": [[133, 144]]}, "info": {"id": "cyner2_8class_test_00707", "source": "cyner2_8class_test"}} {"text": "In this article FireEye examines TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular dump shop, which sells stolen credit card data.", "spans": {"Organization: FireEye": [[16, 23]], "Malware: TREASUREHUNT, POS malware": [[33, 58]], "ThreatActor: operations": [[106, 116]], "ThreatActor: dump shop,": [[133, 143]], "Indicator: sells stolen credit card data.": [[150, 180]]}, "info": {"id": "cyner2_8class_test_00708", 
"source": "cyner2_8class_test"}} {"text": "] com .", "spans": {}, "info": {"id": "cyner2_8class_test_00709", "source": "cyner2_8class_test"}} {"text": "The function onUserLeaveHint ( ) is called whenever the malware screen is pushed to background , causing the in-call Activity to be automatically brought to the foreground .", "spans": {}, "info": {"id": "cyner2_8class_test_00710", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Banbra Trojan/Banbra.ahku Trojan.Heur.4mSfrSrP2REU Win32/Spy.Banker.AAWF Trojan-Banker.Win32.Banbra.ahku Trojan.Win32.Banbra.ktysi Trojan.Win32.Z.Banbra.926720 Troj.Banker.W32.Banbra.ahku!c Trojan.PWS.Banker.56593 Trojan.Banbra.Win32.11005 BehavesLike.Win32.Backdoor.dc W32/Trojan.UCVI-2531 Trojan/Banker.ajr TR/Spy.926720.1 Win32.Troj.Undef.kcloud Trojan-Banker.Win32.Banbra.ahku TrojanDownloader:Win32/Bradop.B Trojan-Banker.Banbra Trj/CI.A Win32.Trojan-Banker.Banbra.vkt Trojan.PWS.Banbra!V1hcdsPLM4g Win32/Trojan.15a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Banbra": [[26, 39]], "Indicator: Trojan/Banbra.ahku": [[40, 58]], "Indicator: Trojan.Heur.4mSfrSrP2REU": [[59, 83]], "Indicator: Win32/Spy.Banker.AAWF": [[84, 105]], "Indicator: Trojan-Banker.Win32.Banbra.ahku": [[106, 137], [382, 413]], "Indicator: Trojan.Win32.Banbra.ktysi": [[138, 163]], "Indicator: Trojan.Win32.Z.Banbra.926720": [[164, 192]], "Indicator: Troj.Banker.W32.Banbra.ahku!c": [[193, 222]], "Indicator: Trojan.PWS.Banker.56593": [[223, 246]], "Indicator: Trojan.Banbra.Win32.11005": [[247, 272]], "Indicator: BehavesLike.Win32.Backdoor.dc": [[273, 302]], "Indicator: W32/Trojan.UCVI-2531": [[303, 323]], "Indicator: Trojan/Banker.ajr": [[324, 341]], "Indicator: TR/Spy.926720.1": [[342, 357]], "Indicator: Win32.Troj.Undef.kcloud": [[358, 381]], "Indicator: TrojanDownloader:Win32/Bradop.B": [[414, 445]], "Indicator: Trojan-Banker.Banbra": [[446, 466]], "Indicator: Trj/CI.A": [[467, 475]], "Indicator: Win32.Trojan-Banker.Banbra.vkt": 
[[476, 506]], "Indicator: Trojan.PWS.Banbra!V1hcdsPLM4g": [[507, 536]], "Indicator: Win32/Trojan.15a": [[537, 553]]}, "info": {"id": "cyner2_8class_test_00711", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PSW.MSN.Faker.M Trojan/W32.Faker.176128 Trojan.Faker Trojan/Faker.m TROJ_MSN.M W32/Faker.M TROJ_MSN.M Win.Trojan.Faker-5 Trojan.PSW.MSN.Faker.M Trojan-IM.Win32.Faker.m Trojan.PSW.MSN.Faker.M Trojan.Win32.Faker.dguo Trojan.Win32.Z.Faker.176128 Troj.IM.W32.Faker.m!c Trojan.PSW.MSN.Faker.M TrojWare.Win32.PSW.MSN.M Trojan.PSW.MSN.Faker.M Trojan.PWS.MSNFake Trojan.Faker.Win32.10 Trojan-IM.Win32.Faker W32/Faker.KUAU-2229 Trojan/PSW.MSN.Faker.m TR/PSW.MSN.Faker.M.1 Trojan[IM]/Win32.Faker Trojan.PSW.MSN.Faker.M Trojan-IM.Win32.Faker.m PWS:Win32/Faker.M Trojan/Win32.HDC.C244648 Trojan.PSW.MSN.Faker.M Trojan.VB Win32/PSW.MSN.Faker.M Win32.Trojan-im.Faker.Lizy Trojan.Faker.W W32/MSN.M!tr Win32/Trojan.PSW.7e0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.MSN.Faker.M": [[26, 48], [154, 176], [201, 223], [298, 320], [346, 368], [519, 541], [609, 631]], "Indicator: Trojan/W32.Faker.176128": [[49, 72]], "Indicator: Trojan.Faker": [[73, 85]], "Indicator: Trojan/Faker.m": [[86, 100]], "Indicator: TROJ_MSN.M": [[101, 111], [124, 134]], "Indicator: W32/Faker.M": [[112, 123]], "Indicator: Win.Trojan.Faker-5": [[135, 153]], "Indicator: Trojan-IM.Win32.Faker.m": [[177, 200], [542, 565]], "Indicator: Trojan.Win32.Faker.dguo": [[224, 247]], "Indicator: Trojan.Win32.Z.Faker.176128": [[248, 275]], "Indicator: Troj.IM.W32.Faker.m!c": [[276, 297]], "Indicator: TrojWare.Win32.PSW.MSN.M": [[321, 345]], "Indicator: Trojan.PWS.MSNFake": [[369, 387]], "Indicator: Trojan.Faker.Win32.10": [[388, 409]], "Indicator: Trojan-IM.Win32.Faker": [[410, 431]], "Indicator: W32/Faker.KUAU-2229": [[432, 451]], "Indicator: Trojan/PSW.MSN.Faker.m": [[452, 474]], "Indicator: TR/PSW.MSN.Faker.M.1": [[475, 495]], "Indicator: Trojan[IM]/Win32.Faker": [[496, 518]], 
"Indicator: PWS:Win32/Faker.M": [[566, 583]], "Indicator: Trojan/Win32.HDC.C244648": [[584, 608]], "Indicator: Trojan.VB": [[632, 641]], "Indicator: Win32/PSW.MSN.Faker.M": [[642, 663]], "Indicator: Win32.Trojan-im.Faker.Lizy": [[664, 690]], "Indicator: Trojan.Faker.W": [[691, 705]], "Indicator: W32/MSN.M!tr": [[706, 718]], "Indicator: Win32/Trojan.PSW.7e0": [[719, 739]]}, "info": {"id": "cyner2_8class_test_00712", "source": "cyner2_8class_test"}} {"text": "The only noticeable difference is the game has more ads , including ads on the very first screen .", "spans": {}, "info": {"id": "cyner2_8class_test_00713", "source": "cyner2_8class_test"}} {"text": "All recent FakeSpy versions contain the same code with minor changes .", "spans": {"Malware: FakeSpy": [[11, 18]]}, "info": {"id": "cyner2_8class_test_00714", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.HLLW.Motovilo.1 Trojan:Win32/Mousky.A Python/Motovilo.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.HLLW.Motovilo.1": [[26, 47]], "Indicator: Trojan:Win32/Mousky.A": [[48, 69]], "Indicator: Python/Motovilo.A": [[70, 87]], "Indicator: Trj/CI.A": [[88, 96]]}, "info": {"id": "cyner2_8class_test_00715", "source": "cyner2_8class_test"}} {"text": "Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page , similar to phishing .", "spans": {"System: Facebook": [[0, 8], [90, 98]]}, "info": {"id": "cyner2_8class_test_00716", "source": "cyner2_8class_test"}} {"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 
22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372 be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign .", "spans": {"Malware: Red Alert 2.0": [[0, 13]], "Indicator: 103.239.30.126:7878": [[37, 56]], "Indicator: 146.185.241.29:7878": [[57, 76]], "Indicator: 146.185.241.42:7878": [[77, 96]], "Indicator: 185.126.200.3:7878": [[97, 115]], "Indicator: 185.126.200.12:7878": [[116, 135]], "Indicator: 185.126.200.15:7878": [[136, 155]], "Indicator: 185.126.200.18:7878": [[156, 175]], "Indicator: 185.165.28.15:7878": [[176, 194]], "Indicator: 185.243.243.241:7878": [[195, 215]], "Indicator: 185.243.243.244:7878": [[216, 236]], "Indicator: 185.243.243.245:7878": [[237, 257]], "Indicator: 167.99.176.61": [[294, 307]], "Indicator: free-androidvpn.date": [[310, 330]], "Indicator: free-vpn.date": [[379, 392]], "Indicator: 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372": [[498, 562]], "Indicator: be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31": [[563, 627]], "Indicator: 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c": [[628, 692]], "Indicator: 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5": [[693, 757]], "Indicator: 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef": [[758, 822]]}, "info": {"id": "cyner2_8class_test_00717", "source": "cyner2_8class_test"}} {"text": "This contains the Mobile Country Code ( MCC ) and Mobile Network Code ( MNC ) values that the billing process will work for .", "spans": {}, "info": {"id": "cyner2_8class_test_00718", "source": "cyner2_8class_test"}} {"text": 
"A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan/Buzus.hts Win32.Trojan.WisdomEyes.16070401.9500.9517 Backdoor.Win32.Bifrose.fwvf Trojan.Win32.Buzus.dkrvi Troj.W32.Buzus.hts!c Trojan.DownLoader4.41400 Trojan.Buzus.Win32.81109 BehavesLike.Win32.SoftPulse.hc Trojan/PSW.Almat.efi Backdoor:Win32/Buzus.C Backdoor.Win32.Bifrose.fwvf Trojan.Inject Trj/CI.A Win32.Trojan.Buzus.Ebqs Trojan.Buzus!tyFfEDrkzzg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Trojan/Buzus.hts": [[65, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9517": [[82, 124]], "Indicator: Backdoor.Win32.Bifrose.fwvf": [[125, 152], [324, 351]], "Indicator: Trojan.Win32.Buzus.dkrvi": [[153, 177]], "Indicator: Troj.W32.Buzus.hts!c": [[178, 198]], "Indicator: Trojan.DownLoader4.41400": [[199, 223]], "Indicator: Trojan.Buzus.Win32.81109": [[224, 248]], "Indicator: BehavesLike.Win32.SoftPulse.hc": [[249, 279]], "Indicator: Trojan/PSW.Almat.efi": [[280, 300]], "Indicator: Backdoor:Win32/Buzus.C": [[301, 323]], "Indicator: Trojan.Inject": [[352, 365]], "Indicator: Trj/CI.A": [[366, 374]], "Indicator: Win32.Trojan.Buzus.Ebqs": [[375, 398]], "Indicator: Trojan.Buzus!tyFfEDrkzzg": [[399, 423]]}, "info": {"id": "cyner2_8class_test_00719", "source": "cyner2_8class_test"}} {"text": "As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn't bad enough, it all gets just a little bit worse.", "spans": {"Indicator: breach": [[17, 23]], "Indicator: public data dump": [[39, 55]], "Organization: Italian company Hacking Team": [[70, 98]]}, "info": {"id": "cyner2_8class_test_00720", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9988 Trojan.Win32.Starter.dabbar Trojan.Starter.2136 TR/Rarnmel.A.5 Trojan/Win32.Unknown Trojan.Zusy.D592F Trojan:Win32/Rarnmel.A Trojan/Win32.Qpolos.R8363 
Trojan.Rarnmel!0uh7i88bHnk W32/Dloader.EH!tr Win32/Trojan.37e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[26, 68]], "Indicator: Trojan.Win32.Starter.dabbar": [[69, 96]], "Indicator: Trojan.Starter.2136": [[97, 116]], "Indicator: TR/Rarnmel.A.5": [[117, 131]], "Indicator: Trojan/Win32.Unknown": [[132, 152]], "Indicator: Trojan.Zusy.D592F": [[153, 170]], "Indicator: Trojan:Win32/Rarnmel.A": [[171, 193]], "Indicator: Trojan/Win32.Qpolos.R8363": [[194, 219]], "Indicator: Trojan.Rarnmel!0uh7i88bHnk": [[220, 246]], "Indicator: W32/Dloader.EH!tr": [[247, 264]], "Indicator: Win32/Trojan.37e": [[265, 281]]}, "info": {"id": "cyner2_8class_test_00721", "source": "cyner2_8class_test"}} {"text": "In recent weeks, Unit 42 has been monitoring a new e-mail campaign distributing the Trapwot malware family.", "spans": {"Organization: Unit 42": [[17, 24]], "Indicator: e-mail campaign": [[51, 66]], "Malware: Trapwot malware family.": [[84, 107]]}, "info": {"id": "cyner2_8class_test_00722", "source": "cyner2_8class_test"}} {"text": "Thanks to that project , we were able to extract his Facebook profile – which lists his studies at the aforementioned university .", "spans": {"Organization: Facebook": [[53, 61]]}, "info": {"id": "cyner2_8class_test_00723", "source": "cyner2_8class_test"}} {"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2425": [[39, 52]], "System: Internet Explorer": [[68, 85]]}, "info": {"id": "cyner2_8class_test_00724", "source": "cyner2_8class_test"}} {"text": "However , this particular email downloads an Android Package Kit ( APK ) , which is the common format used by Android to distribute and install applications .", "spans": {"System: Android Package Kit": [[45, 64]], "System: Android": [[110, 117]]}, "info": {"id": "cyner2_8class_test_00725", "source": 
"cyner2_8class_test"}} {"text": "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected .", "spans": {}, "info": {"id": "cyner2_8class_test_00726", "source": "cyner2_8class_test"}} {"text": "For example , the default configuration file with injects is non-operational , and the malware contains no fake built-in windows requesting bank card details .", "spans": {}, "info": {"id": "cyner2_8class_test_00727", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Jorik.44032.L Trojan.Jorik.Win32.110854 Trojan/Jorik.Mokes.agc Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_ZBOT.SM3T Win.Trojan.Jorik-4495 Trojan.Win32.Jorik.vrckf TrojWare.Win32.Kryptik.AIDO BackDoor.Andromeda.22 TSPY_ZBOT.SM3T Trojan/Birele.cdk TR/Cridex.EB.23 Trojan/Win32.Mokes DDoS:Win32/Dofoil.A Trojan.Kazy.DA9C1 Trojan/Win32.Birele.R39959 BScope.Trojan-Inject.01659 Spyware.Zbot Trojan.Mokes!dIcqmwDMJRk Trojan-Dropper.Win32.Dapato", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Jorik.44032.L": [[26, 50]], "Indicator: Trojan.Jorik.Win32.110854": [[51, 76]], "Indicator: Trojan/Jorik.Mokes.agc": [[77, 99]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[100, 142]], "Indicator: TSPY_ZBOT.SM3T": [[143, 157], [255, 269]], "Indicator: Win.Trojan.Jorik-4495": [[158, 179]], "Indicator: Trojan.Win32.Jorik.vrckf": [[180, 204]], "Indicator: TrojWare.Win32.Kryptik.AIDO": [[205, 232]], "Indicator: BackDoor.Andromeda.22": [[233, 254]], "Indicator: Trojan/Birele.cdk": [[270, 287]], "Indicator: TR/Cridex.EB.23": [[288, 303]], "Indicator: Trojan/Win32.Mokes": [[304, 322]], "Indicator: DDoS:Win32/Dofoil.A": [[323, 342]], "Indicator: Trojan.Kazy.DA9C1": [[343, 360]], "Indicator: Trojan/Win32.Birele.R39959": [[361, 387]], "Indicator: BScope.Trojan-Inject.01659": [[388, 414]], "Indicator: Spyware.Zbot": [[415, 427]], "Indicator: Trojan.Mokes!dIcqmwDMJRk": [[428, 452]], "Indicator: 
Trojan-Dropper.Win32.Dapato": [[453, 480]]}, "info": {"id": "cyner2_8class_test_00728", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.G_Door!O Backdoor.FR BackDoor-FR.svr Backdoor.GDoor.Win32.3 BKDR_G_DOOR.B Win32.Trojan.BingHe.a W32/Backdoor.RBPV-2001 Backdoor.GDoor Win32/Glace.B BKDR_G_DOOR.B Win.Trojan.Gdoor-3 Backdoor.Win32.G_Door.aa Trojan.Win32.G_Door.hgau Win32.Backdoor.G_door.Wuhg Backdoor.Win32.G_Door.B BackDoor.GDoor.30 BehavesLike.Win32.Fake.dc W32/Backdoor.BJZE Backdoor/IceRiver.c TR/G-Door.Srv Trojan[Backdoor]/Win32.G_Door Win32.Hack.G_Door.b.kcloud Backdoor.Win32.G_Door.266385 Win-Trojan/GDoor_v22.B Backdoor.G_Door Backdoor.G_Door Win32/G_Door.B Backdoor.G_Door!IqXZ/OUSD/8 Backdoor.Win32.G_Door.B Bck/Iroffer.BG", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.G_Door!O": [[26, 49]], "Indicator: Backdoor.FR": [[50, 61]], "Indicator: BackDoor-FR.svr": [[62, 77]], "Indicator: Backdoor.GDoor.Win32.3": [[78, 100]], "Indicator: BKDR_G_DOOR.B": [[101, 114], [189, 202]], "Indicator: Win32.Trojan.BingHe.a": [[115, 136]], "Indicator: W32/Backdoor.RBPV-2001": [[137, 159]], "Indicator: Backdoor.GDoor": [[160, 174]], "Indicator: Win32/Glace.B": [[175, 188]], "Indicator: Win.Trojan.Gdoor-3": [[203, 221]], "Indicator: Backdoor.Win32.G_Door.aa": [[222, 246]], "Indicator: Trojan.Win32.G_Door.hgau": [[247, 271]], "Indicator: Win32.Backdoor.G_door.Wuhg": [[272, 298]], "Indicator: Backdoor.Win32.G_Door.B": [[299, 322], [603, 626]], "Indicator: BackDoor.GDoor.30": [[323, 340]], "Indicator: BehavesLike.Win32.Fake.dc": [[341, 366]], "Indicator: W32/Backdoor.BJZE": [[367, 384]], "Indicator: Backdoor/IceRiver.c": [[385, 404]], "Indicator: TR/G-Door.Srv": [[405, 418]], "Indicator: Trojan[Backdoor]/Win32.G_Door": [[419, 448]], "Indicator: Win32.Hack.G_Door.b.kcloud": [[449, 475]], "Indicator: Backdoor.Win32.G_Door.266385": [[476, 504]], "Indicator: Win-Trojan/GDoor_v22.B": [[505, 527]], "Indicator: Backdoor.G_Door": 
[[528, 543], [544, 559]], "Indicator: Win32/G_Door.B": [[560, 574]], "Indicator: Backdoor.G_Door!IqXZ/OUSD/8": [[575, 602]], "Indicator: Bck/Iroffer.BG": [[627, 641]]}, "info": {"id": "cyner2_8class_test_00729", "source": "cyner2_8class_test"}} {"text": "The reverse DNS history of this IP brought “ ads.i * * * e.com ” into our attention .", "spans": {"Indicator: ads.i * * * e.com": [[45, 62]]}, "info": {"id": "cyner2_8class_test_00730", "source": "cyner2_8class_test"}} {"text": "The new class is called NotificationListener and extends the NotificationListenerService class .", "spans": {}, "info": {"id": "cyner2_8class_test_00731", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Ole2.Vbs-heuristic.druvzi", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[26, 58]]}, "info": {"id": "cyner2_8class_test_00732", "source": "cyner2_8class_test"}} {"text": "The infection chain had multiple stages, and was accomplished using bodiless/fileless exploit payloads executed in-memory without additional persistence mechanisms.", "spans": {"Indicator: bodiless/fileless exploit payloads": [[68, 102]], "Vulnerability: in-memory": [[112, 121]], "Indicator: additional persistence mechanisms.": [[130, 164]]}, "info": {"id": "cyner2_8class_test_00733", "source": "cyner2_8class_test"}} {"text": "It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver .", "spans": {}, "info": {"id": "cyner2_8class_test_00734", "source": "cyner2_8class_test"}} {"text": "In this version , the developer added more classes from the same package .", "spans": {}, "info": {"id": "cyner2_8class_test_00735", "source": "cyner2_8class_test"}} {"text": "than 50 countries, with a substantial infection rate located in the Asia-Pacific region.", "spans": {"Location: Asia-Pacific region.": [[68, 88]]}, "info": {"id": "cyner2_8class_test_00736", "source": "cyner2_8class_test"}} {"text": "Either 
method to load HenBox ultimately results in an instance of a service being launched .", "spans": {"Malware: HenBox": [[22, 28]]}, "info": {"id": "cyner2_8class_test_00737", "source": "cyner2_8class_test"}} {"text": "As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer.", "spans": {"Malware: RAT,": [[27, 31]], "Malware: tool": [[36, 40]], "Indicator: grabbing passwords, key logging": [[55, 86]], "Indicator: browsing files": [[91, 105]], "System: victim's computer.": [[113, 131]]}, "info": {"id": "cyner2_8class_test_00738", "source": "cyner2_8class_test"}} {"text": "Otherwise , in the case of conditional opcodes , the variable part can contain the next JIT packet ID or the next relative virtual address ( RVA ) where code execution should continue .", "spans": {}, "info": {"id": "cyner2_8class_test_00739", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Rotrumas.A3 Downloader.VB.Win32.3884 Trojan/Downloader.VB.bnp Win32.Worm.VB.te W32/Downldr2.BEZK Win32/Detsysrot.A Trojan.Win32.Fsysna.diju Trojan.Win32.VB.lefg Trojan.Win32.Downloader.137728.C Worm.Win32.VB.NNJ Win32.HLLW.Kati BehavesLike.Win32.YahLover.ch Worm.Win32.VB W32/Downloader.JTPS-5013 TrojanDownloader.VB.nyp Trojan[Downloader]/Win32.VB Trojan.Heur.imMfrHddqEnib Worm:Win32/Rotrumas.A HEUR/Fakon.mwf Trojan.VBS.01505 W32/Penetrator.A.worm Win32/VB.NNJ Worm.AutoRun!SysxXnMz9Ho W32/Dloader.A!tr Win32/Trojan.a97", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Win32.AutoRun!O": [[26, 46]], "Indicator: Worm.Rotrumas.A3": [[47, 63]], "Indicator: Downloader.VB.Win32.3884": [[64, 88]], "Indicator: Trojan/Downloader.VB.bnp": [[89, 113]], "Indicator: Win32.Worm.VB.te": [[114, 130]], "Indicator: W32/Downldr2.BEZK": [[131, 148]], "Indicator: Win32/Detsysrot.A": [[149, 166]], "Indicator: Trojan.Win32.Fsysna.diju": [[167, 191]], "Indicator: Trojan.Win32.VB.lefg": [[192, 212]], "Indicator: 
Trojan.Win32.Downloader.137728.C": [[213, 245]], "Indicator: Worm.Win32.VB.NNJ": [[246, 263]], "Indicator: Win32.HLLW.Kati": [[264, 279]], "Indicator: BehavesLike.Win32.YahLover.ch": [[280, 309]], "Indicator: Worm.Win32.VB": [[310, 323]], "Indicator: W32/Downloader.JTPS-5013": [[324, 348]], "Indicator: TrojanDownloader.VB.nyp": [[349, 372]], "Indicator: Trojan[Downloader]/Win32.VB": [[373, 400]], "Indicator: Trojan.Heur.imMfrHddqEnib": [[401, 426]], "Indicator: Worm:Win32/Rotrumas.A": [[427, 448]], "Indicator: HEUR/Fakon.mwf": [[449, 463]], "Indicator: Trojan.VBS.01505": [[464, 480]], "Indicator: W32/Penetrator.A.worm": [[481, 502]], "Indicator: Win32/VB.NNJ": [[503, 515]], "Indicator: Worm.AutoRun!SysxXnMz9Ho": [[516, 540]], "Indicator: W32/Dloader.A!tr": [[541, 557]], "Indicator: Win32/Trojan.a97": [[558, 574]]}, "info": {"id": "cyner2_8class_test_00740", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Small.34304.EG Trojan.Win32.Cossta!O Backdoor.Neunut Troj.W32.Cossta.grt!c TSPY_COSSTA.DH Win32.Trojan.WisdomEyes.16070401.9500.9989 TSPY_COSSTA.DH Win.Trojan.Cossta-71 Backdoor.Win32.Small.liy Trojan.Win32.Cossta.cqvyn Trojan.Win32.A.Cossta.34304.A Trojan.Cossta.Win32.3853 Trojan.Win32.Cossta W32/Trojan.OCZY-0389 Trojan/Cossta.bna TR/Cossta.grt.6 Trojan/Win32.Cossta Backdoor:Win32/Neunut.A Backdoor.Win32.Small.liy Trojan/Win32.Cossta.C106712 Trojan.Cossta Win32.Backdoor.Small.Eded Trojan.Cossta!P8rygE6kCUE Win32/Trojan.29f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.34304.EG": [[26, 51]], "Indicator: Trojan.Win32.Cossta!O": [[52, 73]], "Indicator: Backdoor.Neunut": [[74, 89]], "Indicator: Troj.W32.Cossta.grt!c": [[90, 111]], "Indicator: TSPY_COSSTA.DH": [[112, 126], [170, 184]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[127, 169]], "Indicator: Win.Trojan.Cossta-71": [[185, 205]], "Indicator: Backdoor.Win32.Small.liy": [[206, 230], [431, 455]], "Indicator: Trojan.Win32.Cossta.cqvyn": 
[[231, 256]], "Indicator: Trojan.Win32.A.Cossta.34304.A": [[257, 286]], "Indicator: Trojan.Cossta.Win32.3853": [[287, 311]], "Indicator: Trojan.Win32.Cossta": [[312, 331]], "Indicator: W32/Trojan.OCZY-0389": [[332, 352]], "Indicator: Trojan/Cossta.bna": [[353, 370]], "Indicator: TR/Cossta.grt.6": [[371, 386]], "Indicator: Trojan/Win32.Cossta": [[387, 406]], "Indicator: Backdoor:Win32/Neunut.A": [[407, 430]], "Indicator: Trojan/Win32.Cossta.C106712": [[456, 483]], "Indicator: Trojan.Cossta": [[484, 497]], "Indicator: Win32.Backdoor.Small.Eded": [[498, 523]], "Indicator: Trojan.Cossta!P8rygE6kCUE": [[524, 549]], "Indicator: Win32/Trojan.29f": [[550, 566]]}, "info": {"id": "cyner2_8class_test_00741", "source": "cyner2_8class_test"}} {"text": "If the apps Brain Test and RetroTetris ring a bell, better check your devices.", "spans": {"System: apps Brain Test": [[7, 22]], "System: RetroTetris": [[27, 38]], "System: devices.": [[70, 78]]}, "info": {"id": "cyner2_8class_test_00742", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Reconyc.S19048 Trojan/Delf.tjj Trojan.Zusy.D38F35 TROJ_GRAFTOR_GB010057.UVPM Trojan.Win32.Click3.ejbwdp Trojan.Click3.23122 Trojan.Delf.Win32.77716 TROJ_GRAFTOR_GB010057.UVPM Trojan.Reconyc.gnx Trojan/Win32.Reconyc.C1667812 Trojan.Reconyc Trojan.Delf!BE+iw+tlojw Trojan.Win32.Asacky", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Reconyc.S19048": [[26, 47]], "Indicator: Trojan/Delf.tjj": [[48, 63]], "Indicator: Trojan.Zusy.D38F35": [[64, 82]], "Indicator: TROJ_GRAFTOR_GB010057.UVPM": [[83, 109], [181, 207]], "Indicator: Trojan.Win32.Click3.ejbwdp": [[110, 136]], "Indicator: Trojan.Click3.23122": [[137, 156]], "Indicator: Trojan.Delf.Win32.77716": [[157, 180]], "Indicator: Trojan.Reconyc.gnx": [[208, 226]], "Indicator: Trojan/Win32.Reconyc.C1667812": [[227, 256]], "Indicator: Trojan.Reconyc": [[257, 271]], "Indicator: Trojan.Delf!BE+iw+tlojw": [[272, 295]], "Indicator: Trojan.Win32.Asacky": [[296, 315]]}, 
"info": {"id": "cyner2_8class_test_00743", "source": "cyner2_8class_test"}} {"text": "] com also registered six other domains .", "spans": {}, "info": {"id": "cyner2_8class_test_00744", "source": "cyner2_8class_test"}} {"text": "The last step of the activation cycle is the download of a password-protected ZIP file .", "spans": {}, "info": {"id": "cyner2_8class_test_00745", "source": "cyner2_8class_test"}} {"text": ") Upload and purge collected evidence Destroy device by resetting locking password Execute shell commands Send SMS with defined content or location Disable network Disable root Uninstall bot To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value .", "spans": {"Malware: RCSAndroid": [[266, 276]], "System: DexGuard": [[343, 351]]}, "info": {"id": "cyner2_8class_test_00746", "source": "cyner2_8class_test"}} {"text": "Linux/Mumblehard is a family of malware targeting servers running both the Linux and BSD operating systems.", "spans": {"Malware: Linux/Mumblehard": [[0, 16]], "Malware: malware": [[32, 39]], "System: Linux and BSD operating systems.": [[75, 107]]}, "info": {"id": "cyner2_8class_test_00747", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Dropped:Win32.Ramnit.Dam Backdoor.Win32.Hupigon!O Trojan.Mauvaise.SL1 BackDoor-AWQ!hv.o Spyware.OnlineGames Win32.Ramnit.Dam Win32.Trojan-GameThief.OnlineGames.j W32/Backdoor.WTTC-8437 Win32/Brengr.N TROJ_DROPR.SMIF Win.Trojan.Hupigon-14460 Dropped:Win32.Ramnit.Dam Trojan.Win32.OnLineGames.iiiay Troj.GameThief.W32.OnLineGames.l2KE Trojan.TenThief.QQPsw.tne Dropped:Win32.Ramnit.Dam Backdoor.Win32.Hupigon.~EPW Dropped:Win32.Ramnit.Dam Trojan.MulDrop5.48291 TROJ_DROPR.SMIF BackDoor-AWQ!hv.o Trojan.Renos W32/Backdoor2.CBFI Trojan[GameThief]/Win32.OnLineGames Win32.Hack.Huigezi.86528 TrojanDropper:Win32/Picazen.A 
Backdoor.Win32.Hupigon.547840.I Win32.Application.PUPStudio.B Dropped:Win32.Ramnit.Dam Virus.Win32.Nimnul.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Dropped:Win32.Ramnit.Dam": [[26, 50], [267, 291], [385, 409], [438, 462], [704, 728]], "Indicator: Backdoor.Win32.Hupigon!O": [[51, 75]], "Indicator: Trojan.Mauvaise.SL1": [[76, 95]], "Indicator: BackDoor-AWQ!hv.o": [[96, 113], [501, 518]], "Indicator: Spyware.OnlineGames": [[114, 133]], "Indicator: Win32.Ramnit.Dam": [[134, 150]], "Indicator: Win32.Trojan-GameThief.OnlineGames.j": [[151, 187]], "Indicator: W32/Backdoor.WTTC-8437": [[188, 210]], "Indicator: Win32/Brengr.N": [[211, 225]], "Indicator: TROJ_DROPR.SMIF": [[226, 241], [485, 500]], "Indicator: Win.Trojan.Hupigon-14460": [[242, 266]], "Indicator: Trojan.Win32.OnLineGames.iiiay": [[292, 322]], "Indicator: Troj.GameThief.W32.OnLineGames.l2KE": [[323, 358]], "Indicator: Trojan.TenThief.QQPsw.tne": [[359, 384]], "Indicator: Backdoor.Win32.Hupigon.~EPW": [[410, 437]], "Indicator: Trojan.MulDrop5.48291": [[463, 484]], "Indicator: Trojan.Renos": [[519, 531]], "Indicator: W32/Backdoor2.CBFI": [[532, 550]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[551, 586]], "Indicator: Win32.Hack.Huigezi.86528": [[587, 611]], "Indicator: TrojanDropper:Win32/Picazen.A": [[612, 641]], "Indicator: Backdoor.Win32.Hupigon.547840.I": [[642, 673]], "Indicator: Win32.Application.PUPStudio.B": [[674, 703]], "Indicator: Virus.Win32.Nimnul.a": [[729, 749]]}, "info": {"id": "cyner2_8class_test_00748", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Gupboot!O Trojan.Gupboot.B.mue Backdoor.Graybird Win.Trojan.R-102 Trojan.Win32.Wecod.as Trojan.Win32.AVKill.bdepgw Troj.Rogue.lDtG Rootkit.Win32.Plite.aaa Trojan.AVKill.24465 Trojan.Urelas.Win32.1117 TR/GupBoot.987721 Trojan/Win32.Wecod Trojan.Zusy.D5F79 Trojan:Win32/Urelas.AA Trojan/Win32.PbBot.R35329 Trojan.Delf!nkcF4XkjtH0 Trojan.Win32.Gupboot W32/Urelas.F!tr Win32/Trojan.ccc", 
"spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Gupboot!O": [[26, 56]], "Indicator: Trojan.Gupboot.B.mue": [[57, 77]], "Indicator: Backdoor.Graybird": [[78, 95]], "Indicator: Win.Trojan.R-102": [[96, 112]], "Indicator: Trojan.Win32.Wecod.as": [[113, 134]], "Indicator: Trojan.Win32.AVKill.bdepgw": [[135, 161]], "Indicator: Troj.Rogue.lDtG": [[162, 177]], "Indicator: Rootkit.Win32.Plite.aaa": [[178, 201]], "Indicator: Trojan.AVKill.24465": [[202, 221]], "Indicator: Trojan.Urelas.Win32.1117": [[222, 246]], "Indicator: TR/GupBoot.987721": [[247, 264]], "Indicator: Trojan/Win32.Wecod": [[265, 283]], "Indicator: Trojan.Zusy.D5F79": [[284, 301]], "Indicator: Trojan:Win32/Urelas.AA": [[302, 324]], "Indicator: Trojan/Win32.PbBot.R35329": [[325, 350]], "Indicator: Trojan.Delf!nkcF4XkjtH0": [[351, 374]], "Indicator: Trojan.Win32.Gupboot": [[375, 395]], "Indicator: W32/Urelas.F!tr": [[396, 411]], "Indicator: Win32/Trojan.ccc": [[412, 428]]}, "info": {"id": "cyner2_8class_test_00749", "source": "cyner2_8class_test"}} {"text": "Forward incoming phone calls to intercept voice-based two-factor authentication .", "spans": {}, "info": {"id": "cyner2_8class_test_00750", "source": "cyner2_8class_test"}} {"text": "Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug.", "spans": {"Organization: Unit 42": [[0, 7]], "ThreatActor: threat actors": [[42, 55]], "ThreatActor: the OilRig campaign": [[72, 91]], "Indicator: potential link": [[99, 113]], "ThreatActor: threat group": [[119, 131]], "ThreatActor: GreenBug.": [[141, 150]]}, "info": {"id": "cyner2_8class_test_00751", "source": "cyner2_8class_test"}} {"text": "Infection vector and victims While looking for the infection vector , we found no evidence of spear phishing or any of the other common vectors .", "spans": {}, "info": {"id": "cyner2_8class_test_00752", "source": "cyner2_8class_test"}} {"text": "A backdoor 
also known as: Trojan.Win32.Clicker.ecmcyi Troj.Downloader.W32.CodecPack.lTRv TrojWare.Win32.Rootkit.podnuha.ek6 Trojan.Click2.12882 Trojan.Graftor.DF3C8 TrojanDropper:Win32/Boaxxe.G Trojan/Win32.Xema.C9267 Trojan.Smardf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Clicker.ecmcyi": [[26, 53]], "Indicator: Troj.Downloader.W32.CodecPack.lTRv": [[54, 88]], "Indicator: TrojWare.Win32.Rootkit.podnuha.ek6": [[89, 123]], "Indicator: Trojan.Click2.12882": [[124, 143]], "Indicator: Trojan.Graftor.DF3C8": [[144, 164]], "Indicator: TrojanDropper:Win32/Boaxxe.G": [[165, 193]], "Indicator: Trojan/Win32.Xema.C9267": [[194, 217]], "Indicator: Trojan.Smardf": [[218, 231]]}, "info": {"id": "cyner2_8class_test_00753", "source": "cyner2_8class_test"}} {"text": "Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two.", "spans": {"ThreatActor: actors": [[26, 32]], "Indicator: attacks": [[46, 53]], "Date: five years": [[83, 93]], "Indicator: command and control server": [[123, 149]]}, "info": {"id": "cyner2_8class_test_00754", "source": "cyner2_8class_test"}} {"text": "Gooligan, a new variant of the Android malware Check Point researchers found in the SnapPea app last year, has breached the security of more than a million Google accounts, potentially exposing messages, documents, and other sensitive data to attack.", "spans": {"Malware: Gooligan,": [[0, 9]], "Malware: variant": [[16, 23]], "Organization: Android malware Check Point researchers": [[31, 70]], "System: SnapPea app": [[84, 95]], "Date: last year,": [[96, 106]], "Indicator: breached": [[111, 119]], "System: Google accounts,": [[156, 172]], "Indicator: attack.": [[243, 250]]}, "info": {"id": "cyner2_8class_test_00755", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Heur.Corrupt.PE TrojanDropper:Win32/Decept.2_1.dam#2 Trojan-Dropper.Win32.Decept", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Heur.Corrupt.PE": [[26, 41]], "Indicator: TrojanDropper:Win32/Decept.2_1.dam#2": [[42, 78]], "Indicator: Trojan-Dropper.Win32.Decept": [[79, 106]]}, "info": {"id": "cyner2_8class_test_00756", "source": "cyner2_8class_test"}} {"text": "Indicators for MenuPass/APT10", "spans": {"Indicator: Indicators for": [[0, 14]], "ThreatActor: MenuPass/APT10": [[15, 29]]}, "info": {"id": "cyner2_8class_test_00757", "source": "cyner2_8class_test"}} {"text": "The Taiwanese television network involved has been producing and importing TV shows and movies for a decade.", "spans": {"Organization: The Taiwanese television network": [[0, 32]]}, "info": {"id": "cyner2_8class_test_00758", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TR/Proxy.Cimuz.1 Trojan.Spambot.origin Trojan:Win32/Mespam.B Trojan.Proxy.Cimuz.1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/Proxy.Cimuz.1": [[26, 42]], "Indicator: Trojan.Spambot.origin": [[43, 64]], "Indicator: Trojan:Win32/Mespam.B": [[65, 86]], "Indicator: Trojan.Proxy.Cimuz.1": [[87, 107]]}, "info": {"id": "cyner2_8class_test_00759", "source": "cyner2_8class_test"}} {"text": "ViperRAT : The Mobile APT Targeting The Israeli Defense Force That Should Be On Your Radar February 16 , 2017 ViperRAT is an active , advanced persistent threat ( APT ) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device , and seem most interested in exfiltrating images and audio content .", "spans": {"Malware: ViperRAT": [[0, 8], [110, 118], [297, 305]], "Organization: Israeli Defense Force": [[40, 61]], "Organization: Israeli Defense Force.The": [[246, 271]]}, "info": {"id": "cyner2_8class_test_00760", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Barys.DD29C BackDoor.Bladabindi.13678", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Trojan.Barys.DD29C": [[26, 44]], "Indicator: BackDoor.Bladabindi.13678": [[45, 70]]}, "info": {"id": "cyner2_8class_test_00761", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DownLoader3.33368 TrojanDownloader:Win32/Massdi.C Trojan.Win32.Downloader.67608 Win-Trojan/Downloader.67608 Trojan.Win32.Fednu.aez W32/Dloader.EP!tr.NSIS Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader3.33368": [[26, 50]], "Indicator: TrojanDownloader:Win32/Massdi.C": [[51, 82]], "Indicator: Trojan.Win32.Downloader.67608": [[83, 112]], "Indicator: Win-Trojan/Downloader.67608": [[113, 140]], "Indicator: Trojan.Win32.Fednu.aez": [[141, 163]], "Indicator: W32/Dloader.EP!tr.NSIS": [[164, 186]], "Indicator: Trj/CI.A": [[187, 195]]}, "info": {"id": "cyner2_8class_test_00762", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Cryptjoke Trojan.Ransom.CryptoJoker Ransom_CryptJoke.R002C0DL617 W32/Trojan.CLVZ-6630 Ransom_CryptJoke.R002C0DL617 Trojan.Win32.FileCoder.evvfqf Trojan.Win32.Z.Cryptjoke.306863 Trojan.Filecoder.Win32.6801 Trojan-Ransom.FileCoder TR/FileCoder.gijrz Ransom:MSIL/CryptJoke.B!bit RansomMSIL.CryptJoke Ransom.CryptoJoker Trj/GdSda.A MSIL/Filecoder_CryptoJoker.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Cryptjoke": [[26, 42]], "Indicator: Trojan.Ransom.CryptoJoker": [[43, 68]], "Indicator: Ransom_CryptJoke.R002C0DL617": [[69, 97], [119, 147]], "Indicator: W32/Trojan.CLVZ-6630": [[98, 118]], "Indicator: Trojan.Win32.FileCoder.evvfqf": [[148, 177]], "Indicator: Trojan.Win32.Z.Cryptjoke.306863": [[178, 209]], "Indicator: Trojan.Filecoder.Win32.6801": [[210, 237]], "Indicator: Trojan-Ransom.FileCoder": [[238, 261]], "Indicator: TR/FileCoder.gijrz": [[262, 280]], "Indicator: Ransom:MSIL/CryptJoke.B!bit": [[281, 308]], "Indicator: RansomMSIL.CryptJoke": [[309, 329]], "Indicator: Ransom.CryptoJoker": [[330, 348]], "Indicator: Trj/GdSda.A": [[349, 
360]], "Indicator: MSIL/Filecoder_CryptoJoker.A!tr": [[361, 392]]}, "info": {"id": "cyner2_8class_test_00763", "source": "cyner2_8class_test"}} {"text": "These encoded strings contain the new URL addresses not seen in older versions of FakeSpy .", "spans": {"Malware: FakeSpy": [[82, 89]]}, "info": {"id": "cyner2_8class_test_00764", "source": "cyner2_8class_test"}} {"text": "Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here.", "spans": {}, "info": {"id": "cyner2_8class_test_00765", "source": "cyner2_8class_test"}} {"text": "On Windows 10 , similar code integrity policies can be configured using Windows Defender Application Control .", "spans": {"System: Windows 10": [[3, 13]], "System: Windows Defender Application Control": [[72, 108]]}, "info": {"id": "cyner2_8class_test_00766", "source": "cyner2_8class_test"}} {"text": "Meanwhile , desktop banking Trojans developed the ability to execute various social engineering schemes by using web injections , a method that alters the content presented to the infected victim in their browser .", "spans": {}, "info": {"id": "cyner2_8class_test_00767", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Pwstool.Icq Trojan/PSW.M2.19.b Win32.Trojan.WisdomEyes.16070401.9500.9959 Win.Trojan.Ag-1 Trojan-PSW.Win32.M2.19.b Trojan.Win32.PWStealer.hfsc Troj.Psw.W32!c TrojWare.Win32.PSW.M2.B1 Trojan.PWS.M2.19 Trojan.M2.Win32.58 BehavesLike.Win32.Downloader.mc Worm.Win32.Bizex W32/Risk.TTOL-3341 Trojan/PSW.M2.i Trojan[PSW]/Win32.M2 Trojan-PSW.Win32.M2.19.b PWS:Win32/M2.19.A Trojan/Win32.Koobface.R130163 TrojanPSW.M2 Win32/PSW.M2.19.B1 Trojan.PWS.M2!KEVJQ1JFfwA W32/M2_19.B!tr.pws Win32/Trojan.PSW.310", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Pwstool.Icq": [[26, 37]], "Indicator: Trojan/PSW.M2.19.b": [[38, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[57, 99]], "Indicator: Win.Trojan.Ag-1": [[100, 115]], 
"Indicator: Trojan-PSW.Win32.M2.19.b": [[116, 140], [350, 374]], "Indicator: Trojan.Win32.PWStealer.hfsc": [[141, 168]], "Indicator: Troj.Psw.W32!c": [[169, 183]], "Indicator: TrojWare.Win32.PSW.M2.B1": [[184, 208]], "Indicator: Trojan.PWS.M2.19": [[209, 225]], "Indicator: Trojan.M2.Win32.58": [[226, 244]], "Indicator: BehavesLike.Win32.Downloader.mc": [[245, 276]], "Indicator: Worm.Win32.Bizex": [[277, 293]], "Indicator: W32/Risk.TTOL-3341": [[294, 312]], "Indicator: Trojan/PSW.M2.i": [[313, 328]], "Indicator: Trojan[PSW]/Win32.M2": [[329, 349]], "Indicator: PWS:Win32/M2.19.A": [[375, 392]], "Indicator: Trojan/Win32.Koobface.R130163": [[393, 422]], "Indicator: TrojanPSW.M2": [[423, 435]], "Indicator: Win32/PSW.M2.19.B1": [[436, 454]], "Indicator: Trojan.PWS.M2!KEVJQ1JFfwA": [[455, 480]], "Indicator: W32/M2_19.B!tr.pws": [[481, 499]], "Indicator: Win32/Trojan.PSW.310": [[500, 520]]}, "info": {"id": "cyner2_8class_test_00768", "source": "cyner2_8class_test"}} {"text": "It does so using the Services , Broadcast Receivers , and Activities components of the Android platform .", "spans": {"System: Android": [[87, 94]]}, "info": {"id": "cyner2_8class_test_00769", "source": "cyner2_8class_test"}} {"text": "The only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets .", "spans": {}, "info": {"id": "cyner2_8class_test_00770", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Exploit.PDF.BR Trojan-Exploit/W32.Pidief.232166.CST Exploit.PDF.BR VBS/PdfDrop.A TROJ_PIDIEF1.DAM Exploit.PDF.BR Exploit.Win32.Pidief.dcd Exploit.PDF.BR Win32.Exploit.Pidief.Pgcn Exploit.PDF.BR PDF.MulDrop.2 TROJ_PIDIEF1.DAM BehavesLike.PDF.Trojan.dx VBS/PdfDrop.A EXP/Pidief.bls TrojanDropper:Win32/Pidrop.A Exploit.PDF.BR Exploit.W32.Pidief!c Exploit.Win32.Pidief.dcd Exploit-PDF.sd Exploit.Win32.Pidief Win32/Trojan.Script.9b0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit.PDF.BR": [[26, 40], [78, 92], [124, 
138], [164, 178], [205, 219], [335, 349]], "Indicator: Trojan-Exploit/W32.Pidief.232166.CST": [[41, 77]], "Indicator: VBS/PdfDrop.A": [[93, 106], [277, 290]], "Indicator: TROJ_PIDIEF1.DAM": [[107, 123], [234, 250]], "Indicator: Exploit.Win32.Pidief.dcd": [[139, 163], [371, 395]], "Indicator: Win32.Exploit.Pidief.Pgcn": [[179, 204]], "Indicator: PDF.MulDrop.2": [[220, 233]], "Indicator: BehavesLike.PDF.Trojan.dx": [[251, 276]], "Indicator: EXP/Pidief.bls": [[291, 305]], "Indicator: TrojanDropper:Win32/Pidrop.A": [[306, 334]], "Indicator: Exploit.W32.Pidief!c": [[350, 370]], "Indicator: Exploit-PDF.sd": [[396, 410]], "Indicator: Exploit.Win32.Pidief": [[411, 431]], "Indicator: Win32/Trojan.Script.9b0": [[432, 455]]}, "info": {"id": "cyner2_8class_test_00771", "source": "cyner2_8class_test"}} {"text": "The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue .", "spans": {}, "info": {"id": "cyner2_8class_test_00772", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/Zuza.bc Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Zuza-19 Trojan.Win32.Zuza.dajyp Backdoor.Zuza.Win32.17 BehavesLike.Win32.BadFile.pt Backdoor/Zuza.m Trojan[Backdoor]/Win32.Zuza Trojan.Barys.D420 Trojan/Win32.Dllbot.R683 Backdoor.Zuza Backdoor.Zuza!e9P3bfkzixo Backdoor.Win32.Zuza Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Zuza.bc": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[43, 85]], "Indicator: Win.Trojan.Zuza-19": [[86, 104]], "Indicator: Trojan.Win32.Zuza.dajyp": [[105, 128]], "Indicator: Backdoor.Zuza.Win32.17": [[129, 151]], "Indicator: BehavesLike.Win32.BadFile.pt": [[152, 180]], "Indicator: Backdoor/Zuza.m": [[181, 196]], "Indicator: Trojan[Backdoor]/Win32.Zuza": [[197, 224]], "Indicator: Trojan.Barys.D420": [[225, 242]], "Indicator: Trojan/Win32.Dllbot.R683": [[243, 267]], "Indicator: Backdoor.Zuza": [[268, 281]], "Indicator: 
Backdoor.Zuza!e9P3bfkzixo": [[282, 307]], "Indicator: Backdoor.Win32.Zuza": [[308, 327]], "Indicator: Win32/Trojan.b7f": [[328, 344]]}, "info": {"id": "cyner2_8class_test_00773", "source": "cyner2_8class_test"}} {"text": "It has become common for users to use Google to find information that they do not know.", "spans": {}, "info": {"id": "cyner2_8class_test_00774", "source": "cyner2_8class_test"}} {"text": "We have been closely monitoring the tools, techniques and procedures TTPs of APT37 also known as ScarCruft or Temp.Reaper - a North Korea-based advanced persistent threat actor.", "spans": {"ThreatActor: APT37": [[77, 82]], "ThreatActor: ScarCruft": [[97, 106]], "ThreatActor: Temp.Reaper": [[110, 121]], "ThreatActor: a North Korea-based advanced persistent threat actor.": [[124, 177]]}, "info": {"id": "cyner2_8class_test_00775", "source": "cyner2_8class_test"}} {"text": "In some versions , the server would only return valid responses several days after the apps were submitted .", "spans": {}, "info": {"id": "cyner2_8class_test_00776", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.VobfusSmetasV.Trojan Trojan.Strictor.D6F4 Win32.Worm.VB.me W32/MalwareS.BBPK Win32/SillyFDC.ZK Trojan.Win32.FakeFolder.txw Win32.HLLW.Autoruner.16482 W32/Risk.AYZE-4531 Worm:Win32/Fakefolder.A TScope.Malware-Cryptor.SB Win32/VB.NUZ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VobfusSmetasV.Trojan": [[26, 50]], "Indicator: Trojan.Strictor.D6F4": [[51, 71]], "Indicator: Win32.Worm.VB.me": [[72, 88]], "Indicator: W32/MalwareS.BBPK": [[89, 106]], "Indicator: Win32/SillyFDC.ZK": [[107, 124]], "Indicator: Trojan.Win32.FakeFolder.txw": [[125, 152]], "Indicator: Win32.HLLW.Autoruner.16482": [[153, 179]], "Indicator: W32/Risk.AYZE-4531": [[180, 198]], "Indicator: Worm:Win32/Fakefolder.A": [[199, 222]], "Indicator: TScope.Malware-Cryptor.SB": [[223, 248]], "Indicator: Win32/VB.NUZ": [[249, 261]]}, "info": {"id": "cyner2_8class_test_00777", "source": 
"cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Ekidoa.FC.3268 Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.DownLoader23.9057 Trojan.MSIL.Crypt W32.Malware.Heur Trojan/Win32.Bladabindi.C2099890 MSIL/Kryptik.EOO!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ekidoa.FC.3268": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[48, 90]], "Indicator: Trojan.DownLoader23.9057": [[91, 115]], "Indicator: Trojan.MSIL.Crypt": [[116, 133]], "Indicator: W32.Malware.Heur": [[134, 150]], "Indicator: Trojan/Win32.Bladabindi.C2099890": [[151, 183]], "Indicator: MSIL/Kryptik.EOO!tr": [[184, 203]]}, "info": {"id": "cyner2_8class_test_00778", "source": "cyner2_8class_test"}} {"text": "From mTAN to pushTAN In the past few years , some banks in Europe , especially in Germany , stopped using SMS-based authentication and switched to dedicated pushTAN applications for 2FA schemes .", "spans": {}, "info": {"id": "cyner2_8class_test_00779", "source": "cyner2_8class_test"}} {"text": "Curiously, the two initial targets have little in common with each other aside from human rights activism – although not having worked on overlapping issues or countries.", "spans": {}, "info": {"id": "cyner2_8class_test_00780", "source": "cyner2_8class_test"}} {"text": "The infection was remediated after the system notified the devices owners and the system administrators.", "spans": {"System: system": [[39, 45]], "System: the devices owners": [[55, 73]], "Organization: system administrators.": [[82, 104]]}, "info": {"id": "cyner2_8class_test_00781", "source": "cyner2_8class_test"}} {"text": "We have seen two types of apps that use this custom-made SDK .", "spans": {}, "info": {"id": "cyner2_8class_test_00782", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/Sykipot.br Backdoor.Sykipot!z89rc7diIEY Backdoor.Sykipot Win32.TRSpy Backdoor.Win32.Sykipot.br Backdoor.Win32.Wkysol!IK BackDoor.Terapy.5 Backdoor:Win32/Wkysol.E 
Backdoor/Win32.CSon Backdoor.Sykipot.br Backdoor.Sykipot Backdoor.Win32.Wkysol W32/BDoor.FDE!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/Sykipot.br": [[26, 45]], "Indicator: Backdoor.Sykipot!z89rc7diIEY": [[46, 74]], "Indicator: Backdoor.Sykipot": [[75, 91], [237, 253]], "Indicator: Win32.TRSpy": [[92, 103]], "Indicator: Backdoor.Win32.Sykipot.br": [[104, 129]], "Indicator: Backdoor.Win32.Wkysol!IK": [[130, 154]], "Indicator: BackDoor.Terapy.5": [[155, 172]], "Indicator: Backdoor:Win32/Wkysol.E": [[173, 196]], "Indicator: Backdoor/Win32.CSon": [[197, 216]], "Indicator: Backdoor.Sykipot.br": [[217, 236]], "Indicator: Backdoor.Win32.Wkysol": [[254, 275]], "Indicator: W32/BDoor.FDE!tr.bdr": [[276, 296]]}, "info": {"id": "cyner2_8class_test_00783", "source": "cyner2_8class_test"}} {"text": "This malware usually infects all sites that share the same FTP account, which means cleaning just one website won't help as hackers use the compromised site to reinfect all sites on the server in a matter of minutes.", "spans": {"Malware: malware": [[5, 12]], "Malware: sites": [[33, 38]], "Vulnerability: that share the same FTP account,": [[39, 71]], "ThreatActor: hackers": [[124, 131]], "Indicator: compromised site": [[140, 156]], "Indicator: sites": [[173, 178]], "System: server": [[186, 192]]}, "info": {"id": "cyner2_8class_test_00784", "source": "cyner2_8class_test"}} {"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. 
” June 18 , 2019 We uncovered a cyberespionage campaign targeting Middle Eastern countries .", "spans": {"Malware: Bouncing Golf": [[25, 38]]}, "info": {"id": "cyner2_8class_test_00785", "source": "cyner2_8class_test"}} {"text": "Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"System: Cisco Cloud Web Security ( CWS )": [[0, 32]], "System: Web Security Appliance ( WSA )": [[36, 66]]}, "info": {"id": "cyner2_8class_test_00786", "source": "cyner2_8class_test"}} {"text": "Operating since 2012, the group's activity has been reported by Norman Kaspersky FireEye and PwC", "spans": {"Date: 2012,": [[16, 21]], "ThreatActor: group's activity": [[26, 42]], "Organization: Norman": [[64, 70]], "Organization: Kaspersky": [[71, 80]], "Organization: FireEye": [[81, 88]], "Organization: PwC": [[93, 96]]}, "info": {"id": "cyner2_8class_test_00787", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Application.Hacktool.KMSActivator.AB PUA.HackKMS.A4 Win32.Riskware.HackKMS.D not-a-virus:RiskTool.Win32.HackKMS.aq Application.Hacktool.KMSActivator.AB Riskware.Win32.HackKMS.eltxzs BehavesLike.Win32.PUPXAX.nc RiskTool.HackKMS.af W32.Riskware.Hackkms.D RiskWare[RiskTool]/Win32.Hackkms.n Application.Hacktool.KMSActivator.AB PUP.HackKMS/Variant not-a-virus:RiskTool.Win32.HackKMS.aq Unwanted/Win32.HackKMS.R197642 Application.Hacktool.KMSActivator.AB Trj/CI.A HackTool.Win32.AutoKMS Win32/Virus.RiskTool.10e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Application.Hacktool.KMSActivator.AB": [[26, 62], [141, 177], [314, 350], [440, 476]], "Indicator: PUA.HackKMS.A4": [[63, 77]], "Indicator: Win32.Riskware.HackKMS.D": [[78, 102]], "Indicator: not-a-virus:RiskTool.Win32.HackKMS.aq": [[103, 140], [371, 408]], "Indicator: Riskware.Win32.HackKMS.eltxzs": [[178, 207]], "Indicator: BehavesLike.Win32.PUPXAX.nc": [[208, 235]], "Indicator: 
RiskTool.HackKMS.af": [[236, 255]], "Indicator: W32.Riskware.Hackkms.D": [[256, 278]], "Indicator: RiskWare[RiskTool]/Win32.Hackkms.n": [[279, 313]], "Indicator: PUP.HackKMS/Variant": [[351, 370]], "Indicator: Unwanted/Win32.HackKMS.R197642": [[409, 439]], "Indicator: Trj/CI.A": [[477, 485]], "Indicator: HackTool.Win32.AutoKMS": [[486, 508]], "Indicator: Win32/Virus.RiskTool.10e": [[509, 533]]}, "info": {"id": "cyner2_8class_test_00788", "source": "cyner2_8class_test"}} {"text": "The Android-targeting BankBot malware all variants detected by Trend Micro as ANDROIDOS_BANKBOT first surfaced January of this year and is reportedly the improved version of an unnamed open source banking malware that was leaked in an underground hacking forum.", "spans": {"Malware: The Android-targeting BankBot malware": [[0, 37]], "Organization: Trend Micro": [[63, 74]], "Indicator: ANDROIDOS_BANKBOT": [[78, 95]], "Date: January": [[111, 118]], "Date: year": [[127, 131]], "Malware: open source banking malware": [[185, 212]], "ThreatActor: an underground hacking forum.": [[232, 261]]}, "info": {"id": "cyner2_8class_test_00789", "source": "cyner2_8class_test"}} {"text": "* Actually , we are currently investigating whether this group might also be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL vulnerabilities .", "spans": {"Vulnerability: SQL vulnerabilities": [[173, 192]]}, "info": {"id": "cyner2_8class_test_00790", "source": "cyner2_8class_test"}} {"text": "Impact T1516 Input Injection Can enter text and perform clicks on behalf of user .", "spans": {}, "info": {"id": "cyner2_8class_test_00791", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W97M.Downloader.BAZ W97M.ShellHide.A W97M/Downloader.bav Troj.Downloader.Script!c Trojan.Dropper W2KM_CRYPTESLA.A W97M.Downloader.BAZ Trojan.Script.Vba.clxgqb W97M.Downloader.BAZ W97M.Downloader.BAZ W2KM_CRYPTESLA.A W97M/Downloader.bav Trojan:W97M/Shellhide.B 
W97M.Downloader.BAZ OLE.Win32.Macro.700080 virus.office.qexvmc.1090", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W97M.Downloader.BAZ": [[26, 45], [140, 159], [185, 204], [205, 224], [286, 305]], "Indicator: W97M.ShellHide.A": [[46, 62]], "Indicator: W97M/Downloader.bav": [[63, 82], [242, 261]], "Indicator: Troj.Downloader.Script!c": [[83, 107]], "Indicator: Trojan.Dropper": [[108, 122]], "Indicator: W2KM_CRYPTESLA.A": [[123, 139], [225, 241]], "Indicator: Trojan.Script.Vba.clxgqb": [[160, 184]], "Indicator: Trojan:W97M/Shellhide.B": [[262, 285]], "Indicator: OLE.Win32.Macro.700080": [[306, 328]], "Indicator: virus.office.qexvmc.1090": [[329, 353]]}, "info": {"id": "cyner2_8class_test_00792", "source": "cyner2_8class_test"}} {"text": "When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf.", "spans": {"ThreatActor: Middle Eastern hacker groups": [[26, 54]], "ThreatActor: Iranian group": [[128, 141]], "Malware: SHAMOON": [[163, 170]], "Malware: Disttrack": [[177, 186]], "Organization: organizations": [[199, 212]], "Location: the Persian Gulf.": [[216, 233]]}, "info": {"id": "cyner2_8class_test_00793", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/MalwareS.AXNC Riskware.PSWTool.NetPass!IK Not_a_virus:PSWTool.NetPass.117533 W32/MalwareS.AXNC not-a-virus.PSWTool.NetPass Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/MalwareS.AXNC": [[26, 43], [107, 124]], "Indicator: Riskware.PSWTool.NetPass!IK": [[44, 71]], "Indicator: Not_a_virus:PSWTool.NetPass.117533": [[72, 106]], "Indicator: not-a-virus.PSWTool.NetPass": [[125, 152]], "Indicator: Trj/CI.A": [[153, 161]]}, "info": {"id": "cyner2_8class_test_00794", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Inject.HD Backdoor/Harvester.2005.05 Trojan.Inject.HD 
Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_HARVESTER.X Trojan.Inject.HD Backdoor.Win32.Harvester.07 Trojan.Inject.HD Trojan.Win32.Harvester.bcqbz Backdoor.Win32.A.Harvester.105472 Backdoor.W32.Harvester.2005.05!c Trojan.Inject.HD Trojan.Inject.HD BackDoor.Harvester.66 Backdoor.Harvester.Win32.35 BKDR_HARVESTER.X BehavesLike.Win32.Nofear.ch Trojan-Downloader.Win32.Delf W32/Harvester.AI@pws Backdoor/FearLess.10.e BDS/Harve.2005.05.A Trojan[Spy]/Win32.Harvester Win32.Hack.Harvester.kcloud Backdoor:Win32/Harvester.O Backdoor.Win32.Harvester.07 Trojan/Win32.Mbro.R105536 Trojan.Inject.HD BScope.Trojan-Spy.Zbot Win32/Harvester.65 Win32.Backdoor.Harvester.Lify Backdoor.Harvester!+cE04k5XYM4 W32/Harvester.V2005!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.HD": [[26, 42], [70, 86], [147, 163], [192, 208], [305, 321], [322, 338], [664, 680]], "Indicator: Backdoor/Harvester.2005.05": [[43, 69]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[87, 129]], "Indicator: BKDR_HARVESTER.X": [[130, 146], [389, 405]], "Indicator: Backdoor.Win32.Harvester.07": [[164, 191], [610, 637]], "Indicator: Trojan.Win32.Harvester.bcqbz": [[209, 237]], "Indicator: Backdoor.Win32.A.Harvester.105472": [[238, 271]], "Indicator: Backdoor.W32.Harvester.2005.05!c": [[272, 304]], "Indicator: BackDoor.Harvester.66": [[339, 360]], "Indicator: Backdoor.Harvester.Win32.35": [[361, 388]], "Indicator: BehavesLike.Win32.Nofear.ch": [[406, 433]], "Indicator: Trojan-Downloader.Win32.Delf": [[434, 462]], "Indicator: W32/Harvester.AI@pws": [[463, 483]], "Indicator: Backdoor/FearLess.10.e": [[484, 506]], "Indicator: BDS/Harve.2005.05.A": [[507, 526]], "Indicator: Trojan[Spy]/Win32.Harvester": [[527, 554]], "Indicator: Win32.Hack.Harvester.kcloud": [[555, 582]], "Indicator: Backdoor:Win32/Harvester.O": [[583, 609]], "Indicator: Trojan/Win32.Mbro.R105536": [[638, 663]], "Indicator: BScope.Trojan-Spy.Zbot": [[681, 703]], "Indicator: Win32/Harvester.65": [[704, 722]], 
"Indicator: Win32.Backdoor.Harvester.Lify": [[723, 752]], "Indicator: Backdoor.Harvester!+cE04k5XYM4": [[753, 783]], "Indicator: W32/Harvester.V2005!tr.bdr": [[784, 810]]}, "info": {"id": "cyner2_8class_test_00795", "source": "cyner2_8class_test"}} {"text": "Since that time, Locky has been frequently noted in various campaigns using malicious spam malspam to spread this relatively new strain of ransomware.", "spans": {"Malware: Locky": [[17, 22]], "ThreatActor: various campaigns": [[52, 69]], "Indicator: malicious spam malspam": [[76, 98]], "Malware: new strain of ransomware.": [[125, 150]]}, "info": {"id": "cyner2_8class_test_00796", "source": "cyner2_8class_test"}} {"text": "A backdoor targetting Linux also known as: Linux.Dofloo.CE994 Linux/Dofloo.b Backdoor.Dofloo.Linux.30 Backdoor.Linux.Dofloo!c Linux.Dofloo ELF_SONEX.SMA Unix.Trojan.Spike-6301360-0 HEUR:Backdoor.Linux.Dofloo.d Trojan.Unix.Dofloo.exnolq Linux.Mrblack.103 ELF_SONEX.SMA Linux/Dofloo.b ELF/Trojan.AIBQ-0 Backdoor.Linux.ogb LINUX/Dofloo.DA Trojan[Backdoor]/Linux.Dofloo.d Trojan.Trojan.Linux.MrBlack.1 HEUR:Backdoor.Linux.Dofloo.d Linux.Backdoor.Dofloo.Llrg Trojan.Linux.Dofloo Linux/Dofloo.B!tr Win32/Trojan.DDoS.13c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Linux.Dofloo.CE994": [[43, 61]], "Indicator: Linux/Dofloo.b": [[62, 76], [268, 282]], "Indicator: Backdoor.Dofloo.Linux.30": [[77, 101]], "Indicator: Backdoor.Linux.Dofloo!c": [[102, 125]], "Indicator: Linux.Dofloo": [[126, 138]], "Indicator: ELF_SONEX.SMA": [[139, 152], [254, 267]], "Indicator: Unix.Trojan.Spike-6301360-0": [[153, 180]], "Indicator: HEUR:Backdoor.Linux.Dofloo.d": [[181, 209], [398, 426]], "Indicator: Trojan.Unix.Dofloo.exnolq": [[210, 235]], "Indicator: Linux.Mrblack.103": [[236, 253]], "Indicator: ELF/Trojan.AIBQ-0": [[283, 300]], "Indicator: Backdoor.Linux.ogb": [[301, 319]], "Indicator: LINUX/Dofloo.DA": [[320, 335]], "Indicator: Trojan[Backdoor]/Linux.Dofloo.d": [[336, 367]], "Indicator: 
Trojan.Trojan.Linux.MrBlack.1": [[368, 397]], "Indicator: Linux.Backdoor.Dofloo.Llrg": [[427, 453]], "Indicator: Trojan.Linux.Dofloo": [[454, 473]], "Indicator: Linux/Dofloo.B!tr": [[474, 491]], "Indicator: Win32/Trojan.DDoS.13c": [[492, 513]]}, "info": {"id": "cyner2_8class_test_00797", "source": "cyner2_8class_test"}} {"text": "The encryption key is different from the one used for sending stolen data via HTTP .", "spans": {}, "info": {"id": "cyner2_8class_test_00798", "source": "cyner2_8class_test"}} {"text": "After that , the Trojan will replace the original /system/bin/ip with a malicious one from the archive ( Game324.res or Game644.res ) .", "spans": {"Indicator: /system/bin/ip": [[50, 64]], "Indicator: Game324.res": [[105, 116]], "Indicator: Game644.res": [[120, 131]]}, "info": {"id": "cyner2_8class_test_00799", "source": "cyner2_8class_test"}} {"text": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware.", "spans": {"Organization: Unit 42 threat researchers": [[0, 26]], "ThreatActor: a threat group": [[50, 64]], "Malware: custom developed malware.": [[83, 108]]}, "info": {"id": "cyner2_8class_test_00800", "source": "cyner2_8class_test"}} {"text": "Figure 28 : Jaguar Kill Switch infected GP apps Peek Into the Actor Based on all of the above , we connected “ Agent Smith ” campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms .", "spans": {"Malware: Agent Smith": [[111, 122]], "System: Android": [[240, 247]]}, "info": {"id": "cyner2_8class_test_00801", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Noon.905266 Trojan.Injector TSPY_NOON.P Trojan-Spy.Win32.Noon.ccu Trojan.Win32.Delphi.etnpfb Trojan.Noon.Win32.401 TSPY_NOON.P Trojan.Win32.Krypt DR/Delphi.wtwos Trojan-Spy.Win32.Noon.ccu Backdoor.Androm Trj/CI.A Win32.Trojan.Inject.Auto 
TrojanSpy.Noon!", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Spy/W32.Noon.905266": [[26, 52]], "Indicator: Trojan.Injector": [[53, 68]], "Indicator: TSPY_NOON.P": [[69, 80], [156, 167]], "Indicator: Trojan-Spy.Win32.Noon.ccu": [[81, 106], [203, 228]], "Indicator: Trojan.Win32.Delphi.etnpfb": [[107, 133]], "Indicator: Trojan.Noon.Win32.401": [[134, 155]], "Indicator: Trojan.Win32.Krypt": [[168, 186]], "Indicator: DR/Delphi.wtwos": [[187, 202]], "Indicator: Backdoor.Androm": [[229, 244]], "Indicator: Trj/CI.A": [[245, 253]], "Indicator: Win32.Trojan.Inject.Auto": [[254, 278]], "Indicator: TrojanSpy.Noon!": [[279, 294]]}, "info": {"id": "cyner2_8class_test_00802", "source": "cyner2_8class_test"}} {"text": "The attackers try to lure targets through spear phishing emails that include compressed executables.", "spans": {"ThreatActor: attackers": [[4, 13]], "Indicator: spear phishing emails": [[42, 63]], "Indicator: compressed executables.": [[77, 100]]}, "info": {"id": "cyner2_8class_test_00803", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: PSWTool.Win32.GetPass!O HackTool.CiscoGetCS.S165619 W32/HackTool.CDL not-a-virus:PSWTool.Win32.GetPass.e Riskware.Win32.GetPass.cxqend Tool.GetPass.11 W32/Tool.QYHO-1001 SPR/Getpass.B not-a-virus:PSWTool.Win32.GetPass.e Trojan/Win32.HDC.C113148 Trj/CI.A Riskware.PSWTool! 
Win32/Virus.PSW.a34", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PSWTool.Win32.GetPass!O": [[26, 49]], "Indicator: HackTool.CiscoGetCS.S165619": [[50, 77]], "Indicator: W32/HackTool.CDL": [[78, 94]], "Indicator: not-a-virus:PSWTool.Win32.GetPass.e": [[95, 130], [210, 245]], "Indicator: Riskware.Win32.GetPass.cxqend": [[131, 160]], "Indicator: Tool.GetPass.11": [[161, 176]], "Indicator: W32/Tool.QYHO-1001": [[177, 195]], "Indicator: SPR/Getpass.B": [[196, 209]], "Indicator: Trojan/Win32.HDC.C113148": [[246, 270]], "Indicator: Trj/CI.A": [[271, 279]], "Indicator: Riskware.PSWTool!": [[280, 297]], "Indicator: Win32/Virus.PSW.a34": [[298, 317]]}, "info": {"id": "cyner2_8class_test_00804", "source": "cyner2_8class_test"}} {"text": "This installs additional application from assets directory ( brother.apk ) and listens for PACKAGE_REMOVED events .", "spans": {"System: brother.apk": [[61, 72]]}, "info": {"id": "cyner2_8class_test_00805", "source": "cyner2_8class_test"}} {"text": "In its analysis , CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and intriguingly , the malware will not activate on Android devices configured with Russian language settings .", "spans": {"Organization: CSIS": [[18, 22]], "Malware: MazarBOT": [[34, 42]], "Organization: Recorded Future": [[59, 74]], "System: Android": [[194, 201]]}, "info": {"id": "cyner2_8class_test_00806", "source": "cyner2_8class_test"}} {"text": "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries .", "spans": {}, "info": {"id": "cyner2_8class_test_00807", "source": "cyner2_8class_test"}} {"text": "Moreover , as we use mobile devices to access the web and phishing templates extend to mobile environments , we should expect to see a greater variety of integrated threats like the scheme we detail here .", "spans": {}, "info": {"id": "cyner2_8class_test_00808", "source": 
"cyner2_8class_test"}} {"text": "Request encoding process The HTTP requests follow the format below , while on the WebSocket only the query data is written .", "spans": {}, "info": {"id": "cyner2_8class_test_00809", "source": "cyner2_8class_test"}} {"text": "This variant of HenBox also used the common green Android figure as the app logo and was named 设置 ( “ Backup ” in English ) .", "spans": {"Malware: HenBox": [[16, 22]], "System: Android": [[50, 57]]}, "info": {"id": "cyner2_8class_test_00810", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Downloader Trojan.Heur.DP.E90E6B Win32.Trojan.WisdomEyes.16070401.9500.9977 Win32/SillyDl.NUU Win.Downloader.72812-1 Trojan.Win32.DownLoad.eskiur Trojan.DownLoad.51835 W32/Trojan.VSBV-7807 Trojan[Downloader]/Win32.Murlo TrojanDownloader:Win32/Doneltart.A Trojan/Win32.Scar.C53686 Trj/CI.A Trojan-Downloader.Win32.Doneltart W32/Delf.OZG!tr Win32/Trojan.a6a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Downloader": [[26, 43]], "Indicator: Trojan.Heur.DP.E90E6B": [[44, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[66, 108]], "Indicator: Win32/SillyDl.NUU": [[109, 126]], "Indicator: Win.Downloader.72812-1": [[127, 149]], "Indicator: Trojan.Win32.DownLoad.eskiur": [[150, 178]], "Indicator: Trojan.DownLoad.51835": [[179, 200]], "Indicator: W32/Trojan.VSBV-7807": [[201, 221]], "Indicator: Trojan[Downloader]/Win32.Murlo": [[222, 252]], "Indicator: TrojanDownloader:Win32/Doneltart.A": [[253, 287]], "Indicator: Trojan/Win32.Scar.C53686": [[288, 312]], "Indicator: Trj/CI.A": [[313, 321]], "Indicator: Trojan-Downloader.Win32.Doneltart": [[322, 355]], "Indicator: W32/Delf.OZG!tr": [[356, 371]], "Indicator: Win32/Trojan.a6a": [[372, 388]]}, "info": {"id": "cyner2_8class_test_00811", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Delf!O Backdoor.Bot W32.W.Deecee.lrKT Win32.Trojan.WisdomEyes.16070401.9500.9977 TROJ_DELF_00001d6.TOMA 
Trojan-Downloader.Win32.Delf.begb Trojan.Win32.Delf.ecktai Trojan.Win32.A.Downloader.613376.A Trojan.MulDrop6.46521 Downloader.Delf.Win32.36278 BehavesLike.Win32.PWSZbot.hm TrojanDownloader.Delf.adst Trojan/Win32.Unknown Trojan.Barys.DDD08 Trojan-Downloader.Win32.Delf.begb TrojanDownloader:Win32/Peguese.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader.Win32.Delf!O": [[26, 56]], "Indicator: Backdoor.Bot": [[57, 69]], "Indicator: W32.W.Deecee.lrKT": [[70, 87]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[88, 130]], "Indicator: TROJ_DELF_00001d6.TOMA": [[131, 153]], "Indicator: Trojan-Downloader.Win32.Delf.begb": [[154, 187], [394, 427]], "Indicator: Trojan.Win32.Delf.ecktai": [[188, 212]], "Indicator: Trojan.Win32.A.Downloader.613376.A": [[213, 247]], "Indicator: Trojan.MulDrop6.46521": [[248, 269]], "Indicator: Downloader.Delf.Win32.36278": [[270, 297]], "Indicator: BehavesLike.Win32.PWSZbot.hm": [[298, 326]], "Indicator: TrojanDownloader.Delf.adst": [[327, 353]], "Indicator: Trojan/Win32.Unknown": [[354, 374]], "Indicator: Trojan.Barys.DDD08": [[375, 393]], "Indicator: TrojanDownloader:Win32/Peguese.D": [[428, 460]]}, "info": {"id": "cyner2_8class_test_00812", "source": "cyner2_8class_test"}} {"text": "The newcomer appeared to be a dark horse: it was multiplatform, had an appealing price, and empowered budding malefactors an easier entry point to cybercrime.", "spans": {"Malware: dark horse:": [[30, 41]], "System: multiplatform,": [[49, 63]], "Indicator: cybercrime.": [[147, 158]]}, "info": {"id": "cyner2_8class_test_00813", "source": "cyner2_8class_test"}} {"text": "We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran.", "spans": {"Indicator: attacks,": [[45, 53], [144, 152]], "Location: Iran.": [[166, 171]]}, "info": {"id": "cyner2_8class_test_00814", "source": "cyner2_8class_test"}} {"text": "Once the 
victim opens this file using the MS PowerPoint program, the malicious code contained in the file is executed.", "spans": {"System: the MS PowerPoint program,": [[38, 64]], "Malware: malicious code": [[69, 83]], "Indicator: the file is executed.": [[97, 118]]}, "info": {"id": "cyner2_8class_test_00815", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Zusy.D3FB1A Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Downldr2.EUYL Win.Downloader.60202-1 Trojan.Win32.Downloader.36864.GI Trojan.DownLoad.9925 BehavesLike.Win32.Dropper.nz W32/Downloader.XEZX-3301 Trojan:Win32/Melkash.A Trojan/Win32.Banload.R2066 TScope.Malware-Cryptor.SB W32/Heuri.AMWD!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D3FB1A": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9943": [[45, 87]], "Indicator: W32/Downldr2.EUYL": [[88, 105]], "Indicator: Win.Downloader.60202-1": [[106, 128]], "Indicator: Trojan.Win32.Downloader.36864.GI": [[129, 161]], "Indicator: Trojan.DownLoad.9925": [[162, 182]], "Indicator: BehavesLike.Win32.Dropper.nz": [[183, 211]], "Indicator: W32/Downloader.XEZX-3301": [[212, 236]], "Indicator: Trojan:Win32/Melkash.A": [[237, 259]], "Indicator: Trojan/Win32.Banload.R2066": [[260, 286]], "Indicator: TScope.Malware-Cryptor.SB": [[287, 312]], "Indicator: W32/Heuri.AMWD!tr.dldr": [[313, 335]]}, "info": {"id": "cyner2_8class_test_00816", "source": "cyner2_8class_test"}} {"text": "Phone numbers, the texts of the messages to be intercepted, and cybercriminal phone numbers for redirecting calls are downloaded from the command-and-control server.", "spans": {"Indicator: Phone numbers,": [[0, 14]], "Indicator: texts": [[19, 24]], "Indicator: messages": [[32, 40]], "Indicator: phone numbers": [[78, 91]], "Indicator: calls": [[108, 113]], "Indicator: command-and-control server.": [[138, 165]]}, "info": {"id": "cyner2_8class_test_00817", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Papras.ch 
Win32.Trojan.WisdomEyes.16070401.9500.9988 TROJ_DAWS.DT Win.Trojan.Retruse-1 Trojan.Win32.Inject1.cyajjw Trojan.Inject1.9526 Trojan.Papras.Win32.1326 TR/Papras.L PWS:Win32/Pesut.A Win32/PSW.Papras.CH Trojan.PWS.Papras!82MgiPq8Zlg Trojan-PWS.Win32.Pesut W32/Daws.BX!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Papras.ch": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[43, 85]], "Indicator: TROJ_DAWS.DT": [[86, 98]], "Indicator: Win.Trojan.Retruse-1": [[99, 119]], "Indicator: Trojan.Win32.Inject1.cyajjw": [[120, 147]], "Indicator: Trojan.Inject1.9526": [[148, 167]], "Indicator: Trojan.Papras.Win32.1326": [[168, 192]], "Indicator: TR/Papras.L": [[193, 204]], "Indicator: PWS:Win32/Pesut.A": [[205, 222]], "Indicator: Win32/PSW.Papras.CH": [[223, 242]], "Indicator: Trojan.PWS.Papras!82MgiPq8Zlg": [[243, 272]], "Indicator: Trojan-PWS.Win32.Pesut": [[273, 295]], "Indicator: W32/Daws.BX!tr": [[296, 310]]}, "info": {"id": "cyner2_8class_test_00818", "source": "cyner2_8class_test"}} {"text": "Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface API to a built-in webserver.", "spans": {"Malware: Kazuar:": [[44, 51]], "System: Application Programming Interface API": [[91, 128]], "System: built-in webserver.": [[134, 153]]}, "info": {"id": "cyner2_8class_test_00819", "source": "cyner2_8class_test"}} {"text": "Malware code showing initializing broadcast receiver Figure 15 .", "spans": {}, "info": {"id": "cyner2_8class_test_00820", "source": "cyner2_8class_test"}} {"text": "The following method is declared in the DEX .", "spans": {}, "info": {"id": "cyner2_8class_test_00821", "source": "cyner2_8class_test"}} {"text": "After investigating, we believe the payload belongs to a new iOS Trojan family that we're calling TinyV", "spans": {"Malware: payload": [[36, 43]], "Malware: iOS Trojan family": [[61, 78]], "Malware: TinyV": [[98, 103]]}, "info": {"id": 
"cyner2_8class_test_00822", "source": "cyner2_8class_test"}} {"text": "This is hardcoded and equals “ phone ” .", "spans": {}, "info": {"id": "cyner2_8class_test_00823", "source": "cyner2_8class_test"}} {"text": "Network communication is obfuscated with single-byte XOR encoding.", "spans": {"Indicator: obfuscated": [[25, 35]], "Indicator: single-byte XOR encoding.": [[41, 66]]}, "info": {"id": "cyner2_8class_test_00824", "source": "cyner2_8class_test"}} {"text": "End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security™ .", "spans": {"Organization: Trend Micro™": [[95, 107]]}, "info": {"id": "cyner2_8class_test_00825", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom.Cerber.A4 Trojan.Injector Trojan/Kryptik.ffay Trojan.Razy.D16447 Win32.Trojan.Kryptik.avs Ransom_CRYPTESLA.SMW Trojan.Win32.Menti.evgneg TrojWare.Win32.Kryptik.ERJ Backdoor.Androm.Win32.36147 Ransom_CRYPTESLA.SMW BehavesLike.Win32.Ransomware.gh TR/AD.TorrentLocker.lokd Backdoor.Androm Trj/GdSda.A Backdoor.Androm!t0g9Od7Ri9c Trojan.Win32.Filecoder W32/Kryptik.FSUS!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Cerber.A4": [[26, 42]], "Indicator: Trojan.Injector": [[43, 58]], "Indicator: Trojan/Kryptik.ffay": [[59, 78]], "Indicator: Trojan.Razy.D16447": [[79, 97]], "Indicator: Win32.Trojan.Kryptik.avs": [[98, 122]], "Indicator: Ransom_CRYPTESLA.SMW": [[123, 143], [225, 245]], "Indicator: Trojan.Win32.Menti.evgneg": [[144, 169]], "Indicator: TrojWare.Win32.Kryptik.ERJ": [[170, 196]], "Indicator: Backdoor.Androm.Win32.36147": [[197, 224]], "Indicator: BehavesLike.Win32.Ransomware.gh": [[246, 277]], "Indicator: TR/AD.TorrentLocker.lokd": [[278, 302]], "Indicator: Backdoor.Androm": [[303, 318]], "Indicator: Trj/GdSda.A": [[319, 330]], "Indicator: Backdoor.Androm!t0g9Od7Ri9c": [[331, 358]], "Indicator: Trojan.Win32.Filecoder": [[359, 381]], "Indicator: W32/Kryptik.FSUS!tr": [[382, 401]]}, "info": 
{"id": "cyner2_8class_test_00826", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Turla.dofvdj Win32/Spindest.H Backdoor.Win32.Turla.j Trojan.Rogue!f5e8Dq0NJR0 Trojan.Win32.Z.Turla.151552[h] Backdoor.Turla.Win32.4 TR/Rogue.11209314 W32/Backdr.KA!tr Backdoor/Win32.Apocalipto BScope.P2P-Worm.Palevo Backdoor.Win32.Turla.j", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Turla.dofvdj": [[26, 51]], "Indicator: Win32/Spindest.H": [[52, 68]], "Indicator: Backdoor.Win32.Turla.j": [[69, 91], [255, 277]], "Indicator: Trojan.Rogue!f5e8Dq0NJR0": [[92, 116]], "Indicator: Trojan.Win32.Z.Turla.151552[h]": [[117, 147]], "Indicator: Backdoor.Turla.Win32.4": [[148, 170]], "Indicator: TR/Rogue.11209314": [[171, 188]], "Indicator: W32/Backdr.KA!tr": [[189, 205]], "Indicator: Backdoor/Win32.Apocalipto": [[206, 231]], "Indicator: BScope.P2P-Worm.Palevo": [[232, 254]]}, "info": {"id": "cyner2_8class_test_00827", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.715060 Trojan-PWS.QQPass Trojan/Hacktool.Delf.bi Riskware.Win32.Delf.hsjo W32/Trojan.VLJ Trojan.PWS.QQPass Win32/HackTool.Delf.BI HKTL_QQPASS.TD HackTool.Win32.Delf.bi Virus.Win32.Heur.l Tool.Delf.Win32.188 HKTL_QQPASS.TD BehavesLike.Win32.Dropper.jc W32/Trojan.YNJZ-1231 HackTool/Delf.l SPR/Delf.BI W32/Qqpass.A!tr HackTool/Win32.Delf HackTool.W32.Delf.bi!c Win-Trojan/Xema.variant HackTool:Win32/Delf.BI Trojan-PWS.QQPass Win32.Hacktool.Delf.Sxow", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.HackTool.715060": [[26, 52]], "Indicator: Trojan-PWS.QQPass": [[53, 70], [452, 469]], "Indicator: Trojan/Hacktool.Delf.bi": [[71, 94]], "Indicator: Riskware.Win32.Delf.hsjo": [[95, 119]], "Indicator: W32/Trojan.VLJ": [[120, 134]], "Indicator: Trojan.PWS.QQPass": [[135, 152]], "Indicator: Win32/HackTool.Delf.BI": [[153, 175]], "Indicator: HKTL_QQPASS.TD": [[176, 190], [253, 267]], "Indicator: HackTool.Win32.Delf.bi": [[191, 213]], 
"Indicator: Virus.Win32.Heur.l": [[214, 232]], "Indicator: Tool.Delf.Win32.188": [[233, 252]], "Indicator: BehavesLike.Win32.Dropper.jc": [[268, 296]], "Indicator: W32/Trojan.YNJZ-1231": [[297, 317]], "Indicator: HackTool/Delf.l": [[318, 333]], "Indicator: SPR/Delf.BI": [[334, 345]], "Indicator: W32/Qqpass.A!tr": [[346, 361]], "Indicator: HackTool/Win32.Delf": [[362, 381]], "Indicator: HackTool.W32.Delf.bi!c": [[382, 404]], "Indicator: Win-Trojan/Xema.variant": [[405, 428]], "Indicator: HackTool:Win32/Delf.BI": [[429, 451]], "Indicator: Win32.Hacktool.Delf.Sxow": [[470, 494]]}, "info": {"id": "cyner2_8class_test_00828", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.WOW Troj.GameThief.W32.Magania.l943 Trojan/PSW.WOW.acd Win32.Trojan-PSW.OLGames.d Infostealer.Wowcraft Win32/Wow.A TSPY_WOW.BL Win.Spyware.16281-1 Trojan-GameThief.Win32.WOW.ach Trojan.Win32.WOW.bnexl TrojWare.Win32.PSW.WOW.ACE Trojan.PWS.Wow.1404 Trojan.WOW.Win32.14563 TSPY_WOW.BL PWS-WoW.dll Trojan-Spy.Frethog Trojan/PSW.Moshou.qn Trojan[GameThief]/Win32.WOW.gic Win32.PSWTroj.WowT.my.17831 Trojan-GameThief.Win32.WOW.ach PWS:Win32/Wowsteal.ZD Trojan/Win32.OnlineGameHack.R2081 OScope.PSW.Game.3A5A Win32/PSW.WOW.ACE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.WOW": [[26, 36]], "Indicator: Troj.GameThief.W32.Magania.l943": [[37, 68]], "Indicator: Trojan/PSW.WOW.acd": [[69, 87]], "Indicator: Win32.Trojan-PSW.OLGames.d": [[88, 114]], "Indicator: Infostealer.Wowcraft": [[115, 135]], "Indicator: Win32/Wow.A": [[136, 147]], "Indicator: TSPY_WOW.BL": [[148, 159], [304, 315]], "Indicator: Win.Spyware.16281-1": [[160, 179]], "Indicator: Trojan-GameThief.Win32.WOW.ach": [[180, 210], [428, 458]], "Indicator: Trojan.Win32.WOW.bnexl": [[211, 233]], "Indicator: TrojWare.Win32.PSW.WOW.ACE": [[234, 260]], "Indicator: Trojan.PWS.Wow.1404": [[261, 280]], "Indicator: Trojan.WOW.Win32.14563": [[281, 303]], "Indicator: PWS-WoW.dll": [[316, 327]], "Indicator: 
Trojan-Spy.Frethog": [[328, 346]], "Indicator: Trojan/PSW.Moshou.qn": [[347, 367]], "Indicator: Trojan[GameThief]/Win32.WOW.gic": [[368, 399]], "Indicator: Win32.PSWTroj.WowT.my.17831": [[400, 427]], "Indicator: PWS:Win32/Wowsteal.ZD": [[459, 480]], "Indicator: Trojan/Win32.OnlineGameHack.R2081": [[481, 514]], "Indicator: OScope.PSW.Game.3A5A": [[515, 535]], "Indicator: Win32/PSW.WOW.ACE": [[536, 553]]}, "info": {"id": "cyner2_8class_test_00829", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.IRCBot.64000.Q Backdoor.Momibot.a Trojan/Kryptik.bio W32/Backdoor2.GYPR TROJ_MOMIBOT.AE Win32.Backdoor.IRC.Z Backdoor.IRC.ZGQ Backdoor.IRC.ZGQ TR/PSW.ZGQ.17 TROJ_MOMIBOT.AE Backdoor.IRC.ZGQ!IK Win32/Tnega.BTQ W32/Backdoor2.GYPR Backdoor.IRC.ZGQ Backdoor.IRC.ZGQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.IRCBot.64000.Q": [[26, 53]], "Indicator: Backdoor.Momibot.a": [[54, 72]], "Indicator: Trojan/Kryptik.bio": [[73, 91]], "Indicator: W32/Backdoor2.GYPR": [[92, 110], [248, 266]], "Indicator: TROJ_MOMIBOT.AE": [[111, 126], [196, 211]], "Indicator: Win32.Backdoor.IRC.Z": [[127, 147]], "Indicator: Backdoor.IRC.ZGQ": [[148, 164], [165, 181], [267, 283], [284, 300]], "Indicator: TR/PSW.ZGQ.17": [[182, 195]], "Indicator: Backdoor.IRC.ZGQ!IK": [[212, 231]], "Indicator: Win32/Tnega.BTQ": [[232, 247]]}, "info": {"id": "cyner2_8class_test_00830", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clod90e.Trojan.9eaa Trojan/W32.Vilsel.263680.E Trojan.Banker Trojan/Vilsel.bbgv Trojan.Vilsel!pyaltINkh1Y WS.Reputation.1 TROJ_DLOADR.FDZ Trojan.Win32.Vilsel.bbgv Trojan.Win32.VB.cpetaq PE:Backdoor.Arquivos!1.667B TROJ_DLOADR.FDZ Trojan/Vilsel.ykg Trojan[:HEUR]/Win32.Unknown Trojan:Win32/Deleter.A Trojan/Win32.Vilsel Trojan.Vilsel Win32.Trojan.Vilsel.crnl Trojan.Win32.Diple W32/Vilsel.BBGV!tr Trojan.Win32.Diple.Az Win32/Trojan.fe9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod90e.Trojan.9eaa": 
[[26, 49]], "Indicator: Trojan/W32.Vilsel.263680.E": [[50, 76]], "Indicator: Trojan.Banker": [[77, 90]], "Indicator: Trojan/Vilsel.bbgv": [[91, 109]], "Indicator: Trojan.Vilsel!pyaltINkh1Y": [[110, 135]], "Indicator: WS.Reputation.1": [[136, 151]], "Indicator: TROJ_DLOADR.FDZ": [[152, 167], [244, 259]], "Indicator: Trojan.Win32.Vilsel.bbgv": [[168, 192]], "Indicator: Trojan.Win32.VB.cpetaq": [[193, 215]], "Indicator: PE:Backdoor.Arquivos!1.667B": [[216, 243]], "Indicator: Trojan/Vilsel.ykg": [[260, 277]], "Indicator: Trojan[:HEUR]/Win32.Unknown": [[278, 305]], "Indicator: Trojan:Win32/Deleter.A": [[306, 328]], "Indicator: Trojan/Win32.Vilsel": [[329, 348]], "Indicator: Trojan.Vilsel": [[349, 362]], "Indicator: Win32.Trojan.Vilsel.crnl": [[363, 387]], "Indicator: Trojan.Win32.Diple": [[388, 406]], "Indicator: W32/Vilsel.BBGV!tr": [[407, 425]], "Indicator: Trojan.Win32.Diple.Az": [[426, 447]], "Indicator: Win32/Trojan.fe9": [[448, 464]]}, "info": {"id": "cyner2_8class_test_00831", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Bubnix.A Trojan/Bubnix.bb Trojan.Bubnix.1 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Bubnix Win.Trojan.Bubnix-930 Rootkit.Win32.Bubnix.bem Trojan.NtRootKit.9660 Rootkit.Bubnix.aub Rootkit.Win32.Bubnix.bem Win32.Rootkit.Bubnix.ihj Rootkit.Bubnix!Ts7U77Ag3pk Rootkit.Win32.Bubnix", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Bubnix.A": [[26, 41]], "Indicator: Trojan/Bubnix.bb": [[42, 58]], "Indicator: Trojan.Bubnix.1": [[59, 74]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[75, 117]], "Indicator: Trojan.Bubnix": [[118, 131]], "Indicator: Win.Trojan.Bubnix-930": [[132, 153]], "Indicator: Rootkit.Win32.Bubnix.bem": [[154, 178], [220, 244]], "Indicator: Trojan.NtRootKit.9660": [[179, 200]], "Indicator: Rootkit.Bubnix.aub": [[201, 219]], "Indicator: Win32.Rootkit.Bubnix.ihj": [[245, 269]], "Indicator: Rootkit.Bubnix!Ts7U77Ag3pk": [[270, 296]], "Indicator: Rootkit.Win32.Bubnix": [[297, 
317]]}, "info": {"id": "cyner2_8class_test_00832", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Beastdoor!O Trojan.Xih Backdoor.Beastdoor.Win32.1000 Backdoor/Beastdoor.201.c Trojan.Graftor.D4532 W32/Backdoor.ZBX Infostealer.Bancos BKDR_BISTDOR.SMI Win.Trojan.Beastdoor-105 Trojan.Win32.Xih.phw Trojan.Win32.Beastdoor.bsekq Backdoor.Win32.Beastdoor.24576 Troj.W32.Xih.tonR Trojan.MulDrop.418 BKDR_BISTDOR.SMI Backdoor.Win32.Beastdoor W32/Backdoor.DXXM-0159 Trojan[Backdoor]/Win32.Beastdoor TrojanDropper:Win32/Beastdoor.P Trojan.Win32.Xih.phw Trojan/Win32.BeastDoor.R4731 Backdoor.BeastDoor.201 Win32/Beastdoor.201.C Backdoor.Beastdoor!SnWSaW3qdEw Win32/Trojan.fd9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Beastdoor!O": [[26, 52]], "Indicator: Trojan.Xih": [[53, 63]], "Indicator: Backdoor.Beastdoor.Win32.1000": [[64, 93]], "Indicator: Backdoor/Beastdoor.201.c": [[94, 118]], "Indicator: Trojan.Graftor.D4532": [[119, 139]], "Indicator: W32/Backdoor.ZBX": [[140, 156]], "Indicator: Infostealer.Bancos": [[157, 175]], "Indicator: BKDR_BISTDOR.SMI": [[176, 192], [336, 352]], "Indicator: Win.Trojan.Beastdoor-105": [[193, 217]], "Indicator: Trojan.Win32.Xih.phw": [[218, 238], [466, 486]], "Indicator: Trojan.Win32.Beastdoor.bsekq": [[239, 267]], "Indicator: Backdoor.Win32.Beastdoor.24576": [[268, 298]], "Indicator: Troj.W32.Xih.tonR": [[299, 316]], "Indicator: Trojan.MulDrop.418": [[317, 335]], "Indicator: Backdoor.Win32.Beastdoor": [[353, 377]], "Indicator: W32/Backdoor.DXXM-0159": [[378, 400]], "Indicator: Trojan[Backdoor]/Win32.Beastdoor": [[401, 433]], "Indicator: TrojanDropper:Win32/Beastdoor.P": [[434, 465]], "Indicator: Trojan/Win32.BeastDoor.R4731": [[487, 515]], "Indicator: Backdoor.BeastDoor.201": [[516, 538]], "Indicator: Win32/Beastdoor.201.C": [[539, 560]], "Indicator: Backdoor.Beastdoor!SnWSaW3qdEw": [[561, 591]], "Indicator: Win32/Trojan.fd9": [[592, 608]]}, "info": {"id": "cyner2_8class_test_00833", 
"source": "cyner2_8class_test"}} {"text": "Researchers discovered a new malware, which we named OpcJacker due to its opcode configuration design and its cryptocurrency hijacking ability, that has been distributed in the wild since the second half of 2022.", "spans": {"Malware: malware,": [[29, 37]], "Malware: OpcJacker": [[53, 62]], "Indicator: opcode configuration design": [[74, 101]], "Indicator: cryptocurrency hijacking ability,": [[110, 143]], "Date: the second half of 2022.": [[188, 212]]}, "info": {"id": "cyner2_8class_test_00834", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Troj.W32.Regin.hopscotch!c Trojan/Regin.g TROJ_REGIN.A Backdoor.Trojan TROJ_REGIN.A Trojan.Win32.Regin.hopscotch Trojan.Win32.Regin.dmvwtc Trojan.Regin.Win32.7 BehavesLike.Win32.PUPXAX.lh W32/Trojan.WHDQ-0942 Trojan/Regin.j Trojan/Win32.Regin Backdoor:Win32/Regin.D!dha Trojan.Win32.Regin.hopscotch Trojan.Heur.PT.E24C70 Win32/Regin.G Win32.Trojan.Regin.Pdwk W32/Regin.HOPSCOTCH!tr Win32/Trojan.6f8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Troj.W32.Regin.hopscotch!c": [[26, 52]], "Indicator: Trojan/Regin.g": [[53, 67]], "Indicator: TROJ_REGIN.A": [[68, 80], [97, 109]], "Indicator: Backdoor.Trojan": [[81, 96]], "Indicator: Trojan.Win32.Regin.hopscotch": [[110, 138], [296, 324]], "Indicator: Trojan.Win32.Regin.dmvwtc": [[139, 164]], "Indicator: Trojan.Regin.Win32.7": [[165, 185]], "Indicator: BehavesLike.Win32.PUPXAX.lh": [[186, 213]], "Indicator: W32/Trojan.WHDQ-0942": [[214, 234]], "Indicator: Trojan/Regin.j": [[235, 249]], "Indicator: Trojan/Win32.Regin": [[250, 268]], "Indicator: Backdoor:Win32/Regin.D!dha": [[269, 295]], "Indicator: Trojan.Heur.PT.E24C70": [[325, 346]], "Indicator: Win32/Regin.G": [[347, 360]], "Indicator: Win32.Trojan.Regin.Pdwk": [[361, 384]], "Indicator: W32/Regin.HOPSCOTCH!tr": [[385, 407]], "Indicator: Win32/Trojan.6f8": [[408, 424]]}, "info": {"id": "cyner2_8class_test_00835", "source": "cyner2_8class_test"}} {"text": "Triada 
is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device ’ s RAM , which makes it extremely hard to detect .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner2_8class_test_00836", "source": "cyner2_8class_test"}} {"text": "Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise .", "spans": {"System: Android": [[32, 39]]}, "info": {"id": "cyner2_8class_test_00837", "source": "cyner2_8class_test"}} {"text": "As soon as the user clicks the spyware ’ s icon for the first time , nothing seems to happen and the icon disappears from the home screen .", "spans": {}, "info": {"id": "cyner2_8class_test_00838", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Inject.exluks Trojan.Inject.54807 Trojan.Barys.884 HackTool:MSIL/Binder.B Trojan-Dropper.MSIL Trj/CI.A Win32/Trojan.Dropper.0c7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[26, 68]], "Indicator: Trojan.Win32.Inject.exluks": [[69, 95]], "Indicator: Trojan.Inject.54807": [[96, 115]], "Indicator: Trojan.Barys.884": [[116, 132]], "Indicator: HackTool:MSIL/Binder.B": [[133, 155]], "Indicator: Trojan-Dropper.MSIL": [[156, 175]], "Indicator: Trj/CI.A": [[176, 184]], "Indicator: Win32/Trojan.Dropper.0c7": [[185, 209]]}, "info": {"id": "cyner2_8class_test_00839", "source": "cyner2_8class_test"}} {"text": "The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks .", "spans": {}, "info": {"id": "cyner2_8class_test_00840", "source": "cyner2_8class_test"}} {"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy .", "spans": {"Malware: XLoader 6.0": [[91, 102]], "Malware: FakeSpy": 
[[107, 114]]}, "info": {"id": "cyner2_8class_test_00841", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Small.12800.LZ Trojan-Downloader.Win64.Madyd!O TrojanDownloader.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9924 Trojan-Downloader.Win64.Madyd.a Trojan.Win64.Viknok.evbeox Trojan.Win32.Z.Viknok.12800 Troj.Downloader.Win64!c Trojan:W64/Viknok.A Trojan.DownLoader8.51959 Trojan.Viknok.Win64.1 BehavesLike.Win64.Dropper.lt W64/Trojan.RTLC-8859 TrojanDownloader.Madyd.b TR/Viknok.tlctg Trojan[Downloader]/Win64.Madyd Trojan-Downloader.Win64.Madyd.a Trojan:Win64/Viknok.A Trj/CI.A Win64/Viknok.A Win64.Trojan-downloader.Madyd.Lmai W64/Viknok.A!tr Win32/Trojan.207", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.12800.LZ": [[26, 51]], "Indicator: Trojan-Downloader.Win64.Madyd!O": [[52, 83]], "Indicator: TrojanDownloader.Win64": [[84, 106]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9924": [[107, 149]], "Indicator: Trojan-Downloader.Win64.Madyd.a": [[150, 181], [450, 481]], "Indicator: Trojan.Win64.Viknok.evbeox": [[182, 208]], "Indicator: Trojan.Win32.Z.Viknok.12800": [[209, 236]], "Indicator: Troj.Downloader.Win64!c": [[237, 260]], "Indicator: Trojan:W64/Viknok.A": [[261, 280]], "Indicator: Trojan.DownLoader8.51959": [[281, 305]], "Indicator: Trojan.Viknok.Win64.1": [[306, 327]], "Indicator: BehavesLike.Win64.Dropper.lt": [[328, 356]], "Indicator: W64/Trojan.RTLC-8859": [[357, 377]], "Indicator: TrojanDownloader.Madyd.b": [[378, 402]], "Indicator: TR/Viknok.tlctg": [[403, 418]], "Indicator: Trojan[Downloader]/Win64.Madyd": [[419, 449]], "Indicator: Trojan:Win64/Viknok.A": [[482, 503]], "Indicator: Trj/CI.A": [[504, 512]], "Indicator: Win64/Viknok.A": [[513, 527]], "Indicator: Win64.Trojan-downloader.Madyd.Lmai": [[528, 562]], "Indicator: W64/Viknok.A!tr": [[563, 578]], "Indicator: Win32/Trojan.207": [[579, 595]]}, "info": {"id": "cyner2_8class_test_00842", "source": "cyner2_8class_test"}} {"text": "As soon as 
this service is started , it creates two processes that take care of connection and disconnection to the C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_00843", "source": "cyner2_8class_test"}} {"text": "Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions .", "spans": {"System: Google Play": [[18, 29], [75, 86]], "System: Google Play Protect": [[39, 58]]}, "info": {"id": "cyner2_8class_test_00844", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDownloader.Sinresby Trojan.Win32.Hijacker.evumcs Trojan.Win32.Z.Hijacker.1734656 BehavesLike.Win32.Downloader.tc TrojanDownloader:Win32/Sinresby.B Trj/GdSda.A Win32.Trojan.Hijacker.Hupk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Sinresby": [[26, 51]], "Indicator: Trojan.Win32.Hijacker.evumcs": [[52, 80]], "Indicator: Trojan.Win32.Z.Hijacker.1734656": [[81, 112]], "Indicator: BehavesLike.Win32.Downloader.tc": [[113, 144]], "Indicator: TrojanDownloader:Win32/Sinresby.B": [[145, 178]], "Indicator: Trj/GdSda.A": [[179, 190]], "Indicator: Win32.Trojan.Hijacker.Hupk": [[191, 217]]}, "info": {"id": "cyner2_8class_test_00845", "source": "cyner2_8class_test"}} {"text": "Talos has investigated a targeted malware campaign against South Korean users.", "spans": {"Organization: Talos": [[0, 5]], "ThreatActor: targeted malware campaign": [[25, 50]], "Location: South Korean": [[59, 71]], "Organization: users.": [[72, 78]]}, "info": {"id": "cyner2_8class_test_00846", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Troj.Spy.W32!c BackDoor.Tordev.976 Trojan.MSIL.Injector TR/Dropper.MSIL.miqxe Trojan:MSIL/Redlonam.A Trj/GdSda.A Win32/Trojan.Dropper.788", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[26, 68]], "Indicator: Troj.Spy.W32!c": [[69, 83]], 
"Indicator: BackDoor.Tordev.976": [[84, 103]], "Indicator: Trojan.MSIL.Injector": [[104, 124]], "Indicator: TR/Dropper.MSIL.miqxe": [[125, 146]], "Indicator: Trojan:MSIL/Redlonam.A": [[147, 169]], "Indicator: Trj/GdSda.A": [[170, 181]], "Indicator: Win32/Trojan.Dropper.788": [[182, 206]]}, "info": {"id": "cyner2_8class_test_00847", "source": "cyner2_8class_test"}} {"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method – the attackers used physical access to a victim ’ s device to install the malware .", "spans": {}, "info": {"id": "cyner2_8class_test_00848", "source": "cyner2_8class_test"}} {"text": "Step 3 : Run installation Start the Bank Austria security app from the notifications or your download folder , tap Install .", "spans": {"System: Bank Austria security app": [[36, 61]]}, "info": {"id": "cyner2_8class_test_00849", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Iyeclore.A Backdoor/Hupigon.mzkf Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.Win32.Click1.cramur Trojan.Win32.Iyeclore.bp Trojan.Click1.28512 Trojan.Iyeclore.Win32.176 BackDoor-AWQ.m Trojan[Backdoor]/Win32.Hupigon Trojan.Buzy.D646 Trojan:Win32/Iyeclore.A!dll Backdoor/Win32.Trojan.R83644 BackDoor-AWQ.m Trojan.Iyeclore!uEAYssliQJc Trojan-Dropper.Delf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Iyeclore.A": [[26, 43]], "Indicator: Backdoor/Hupigon.mzkf": [[44, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9936": [[66, 108]], "Indicator: Trojan.Win32.Click1.cramur": [[109, 135]], "Indicator: Trojan.Win32.Iyeclore.bp": [[136, 160]], "Indicator: Trojan.Click1.28512": [[161, 180]], "Indicator: Trojan.Iyeclore.Win32.176": [[181, 206]], "Indicator: BackDoor-AWQ.m": [[207, 221], [327, 341]], "Indicator: Trojan[Backdoor]/Win32.Hupigon": [[222, 252]], "Indicator: Trojan.Buzy.D646": [[253, 269]], "Indicator: Trojan:Win32/Iyeclore.A!dll": [[270, 297]], "Indicator: 
Backdoor/Win32.Trojan.R83644": [[298, 326]], "Indicator: Trojan.Iyeclore!uEAYssliQJc": [[342, 369]], "Indicator: Trojan-Dropper.Delf": [[370, 389]]}, "info": {"id": "cyner2_8class_test_00850", "source": "cyner2_8class_test"}} {"text": "Based on received commands , it can either download malicious apps or switch the C & C Twitter account to another one .", "spans": {"System: Twitter": [[87, 94]]}, "info": {"id": "cyner2_8class_test_00851", "source": "cyner2_8class_test"}} {"text": "and an attached Microsoft Word file, some with names like these:", "spans": {"System: Microsoft Word file,": [[16, 36]]}, "info": {"id": "cyner2_8class_test_00852", "source": "cyner2_8class_test"}} {"text": "The executable in this instance appears to be a variant of a Trojan known as ISMAgent and uses the domain www.ntpupdateserver[.]com for command and control C2.", "spans": {"Indicator: executable": [[4, 14]], "Malware: variant": [[48, 55]], "Malware: Trojan": [[61, 67]], "Malware: ISMAgent": [[77, 85]], "Indicator: domain www.ntpupdateserver[.]com for command and control C2.": [[99, 159]]}, "info": {"id": "cyner2_8class_test_00853", "source": "cyner2_8class_test"}} {"text": "After which, they used the compromised servers not only as gateways to the rest of the network but also as C&C servers.", "spans": {"Vulnerability: compromised servers": [[27, 46]], "Vulnerability: gateways": [[59, 67]], "System: network": [[87, 94]], "System: C&C servers.": [[107, 119]]}, "info": {"id": "cyner2_8class_test_00854", "source": "cyner2_8class_test"}} {"text": "As the screenshot above shows , the malware has its own command syntax that represents a combination of characters while the “ # ” symbol is a delimiter .", "spans": {}, "info": {"id": "cyner2_8class_test_00855", "source": "cyner2_8class_test"}} {"text": "Most samples maintain persistence through a registry Run key, although some samples configure themselves as a service.", "spans": {"Indicator: registry Run key,": [[44, 61]], "Indicator: 
service.": [[110, 118]]}, "info": {"id": "cyner2_8class_test_00856", "source": "cyner2_8class_test"}} {"text": "According to Doctor Web specialists, the devices infected by Android.ZBot are grouped into botnets, the number of which is now more than ten.", "spans": {"Organization: Doctor Web specialists,": [[13, 36]], "System: devices": [[41, 48]], "Malware: Android.ZBot": [[61, 73]], "Malware: botnets,": [[91, 99]]}, "info": {"id": "cyner2_8class_test_00857", "source": "cyner2_8class_test"}} {"text": "Figure 2 .", "spans": {}, "info": {"id": "cyner2_8class_test_00858", "source": "cyner2_8class_test"}} {"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader – Fun injection with GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for the process hosting the Plug and Play service ( usually svchost.exe ) loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process .", "spans": {"Indicator: explorer.exe": [[335, 347]], "Indicator: svchost.exe": [[549, 560]]}, "info": {"id": "cyner2_8class_test_00859", "source": "cyner2_8class_test"}} {"text": "There has been no appreciable evolution of this Trojan over time – only the format of the encrypted file's name, the C&C server addresses and the RSA keys have been changing.", "spans": {"Malware: Trojan": [[48, 54]], "Indicator: C&C server addresses": [[117, 137]], "Indicator: RSA keys": [[146, 154]]}, "info": {"id": "cyner2_8class_test_00860", "source": "cyner2_8class_test"}} {"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how 
its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques .", "spans": {"Malware: XLoader": [[68, 75]]}, "info": {"id": "cyner2_8class_test_00861", "source": "cyner2_8class_test"}} {"text": "Retrieve all SMS messages .", "spans": {}, "info": {"id": "cyner2_8class_test_00862", "source": "cyner2_8class_test"}} {"text": "The new Rawpos variant is largely similar to the 2015 variant.", "spans": {"Malware: The new Rawpos variant": [[0, 22]], "Date: 2015": [[49, 53]], "Malware: variant.": [[54, 62]]}, "info": {"id": "cyner2_8class_test_00863", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Boybi.Win32.2 W32/Trojan.DNSN-2587 Trojan.ADH.2 Win32/Swisyn.HP Trojan.Win32.Boybi.pgj Trojan.Win32.Boybi.xatwe Troj.W32.Boybi.afm!c BehavesLike.Win32.Ramnit.cz TR/Kazy.66987452 Win32.Troj.Alipay.lx.kcloud Trojan:Win32/Autrino.A Trojan.Graftor.DB93F Trojan.Win32.Boybi.pgj RDN/Downloader.a!vq Trojan.Graftor!1prEoEXm0Dk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Boybi.Win32.2": [[26, 46]], "Indicator: W32/Trojan.DNSN-2587": [[47, 67]], "Indicator: Trojan.ADH.2": [[68, 80]], "Indicator: Win32/Swisyn.HP": [[81, 96]], "Indicator: Trojan.Win32.Boybi.pgj": [[97, 119], [283, 305]], "Indicator: Trojan.Win32.Boybi.xatwe": [[120, 144]], "Indicator: Troj.W32.Boybi.afm!c": [[145, 165]], "Indicator: BehavesLike.Win32.Ramnit.cz": [[166, 193]], "Indicator: TR/Kazy.66987452": [[194, 210]], "Indicator: Win32.Troj.Alipay.lx.kcloud": [[211, 238]], "Indicator: Trojan:Win32/Autrino.A": [[239, 261]], "Indicator: Trojan.Graftor.DB93F": [[262, 282]], "Indicator: RDN/Downloader.a!vq": [[306, 325]], "Indicator: Trojan.Graftor!1prEoEXm0Dk": [[326, 352]]}, "info": {"id": "cyner2_8class_test_00864", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Bot.97762 Trojan-Dropper.Win32.Small!O Pwstool.Messen Backdoor.Vatos.Win32.2 Trojan/Dropper.Small.vy TROJ_MALM94.A 
Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Dropper.EWS Backdoor.Trojan Win32/Vatos.A TROJ_MALM94.A Win.Dropper.Small-5120 Trojan-Dropper.Win32.Small.vy Backdoor.Bot.97762 Trojan.Win32.Small.dbulc Backdoor.Bot.97762 TrojWare.Win32.TrojanDropper.Small.~DF BackDoor.Vatosajan W32/Risk.GMZD-7537 TrojanDownloader.Small.agt Trojan[Backdoor]/Win32.Vatos Backdoor.Bot.D17DE2 Dropper.Small.359856 Trojan-Dropper.Win32.Small.vy Backdoor.Bot.97762 Trojan/Win32.Prorat.R1877 Backdoor.Bot.97762 TrojanDropper.Small Trojan-Dropper.Win32.Small.VY Bck/Prorat.HT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bot.97762": [[26, 44], [306, 324], [350, 368], [573, 591], [618, 636]], "Indicator: Trojan-Dropper.Win32.Small!O": [[45, 73]], "Indicator: Pwstool.Messen": [[74, 88]], "Indicator: Backdoor.Vatos.Win32.2": [[89, 111]], "Indicator: Trojan/Dropper.Small.vy": [[112, 135]], "Indicator: TROJ_MALM94.A": [[136, 149], [239, 252]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[150, 192]], "Indicator: W32/Dropper.EWS": [[193, 208]], "Indicator: Backdoor.Trojan": [[209, 224]], "Indicator: Win32/Vatos.A": [[225, 238]], "Indicator: Win.Dropper.Small-5120": [[253, 275]], "Indicator: Trojan-Dropper.Win32.Small.vy": [[276, 305], [543, 572]], "Indicator: Trojan.Win32.Small.dbulc": [[325, 349]], "Indicator: TrojWare.Win32.TrojanDropper.Small.~DF": [[369, 407]], "Indicator: BackDoor.Vatosajan": [[408, 426]], "Indicator: W32/Risk.GMZD-7537": [[427, 445]], "Indicator: TrojanDownloader.Small.agt": [[446, 472]], "Indicator: Trojan[Backdoor]/Win32.Vatos": [[473, 501]], "Indicator: Backdoor.Bot.D17DE2": [[502, 521]], "Indicator: Dropper.Small.359856": [[522, 542]], "Indicator: Trojan/Win32.Prorat.R1877": [[592, 617]], "Indicator: TrojanDropper.Small": [[637, 656]], "Indicator: Trojan-Dropper.Win32.Small.VY": [[657, 686]], "Indicator: Bck/Prorat.HT": [[687, 700]]}, "info": {"id": "cyner2_8class_test_00865", "source": "cyner2_8class_test"}} {"text": "] site , photolike [ .", 
"spans": {"Indicator: photolike [ .": [[9, 22]]}, "info": {"id": "cyner2_8class_test_00866", "source": "cyner2_8class_test"}} {"text": "This example code shows a JSON reply returned by the C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_00867", "source": "cyner2_8class_test"}} {"text": "The Event Action Trigger module triggers malicious actions based on certain events .", "spans": {}, "info": {"id": "cyner2_8class_test_00868", "source": "cyner2_8class_test"}} {"text": "In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag.", "spans": {"Date: March 2017,": [[3, 14]], "Organization: ClearSky": [[15, 23]], "Organization: the German Bundestag.": [[101, 122]]}, "info": {"id": "cyner2_8class_test_00869", "source": "cyner2_8class_test"}} {"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS Get installed applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for 
additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , such as the use of overlay attacks , SMS control and contact list harvesting .", "spans": {"System: Google Play": [[748, 759], [799, 810]], "System: Android": [[1350, 1357]]}, "info": {"id": "cyner2_8class_test_00870", "source": "cyner2_8class_test"}} {"text": "As our researchers discovered , it also lays its hands on the outgoing SMS and filters the incoming ones .", "spans": {}, "info": {"id": "cyner2_8class_test_00871", "source": "cyner2_8class_test"}} {"text": "At the time of writing , a reverse image search for the favicon on Shodan using the query http.favicon.hash:990643579 returned around 40 web servers which use the same favicon .", "spans": {"Indicator: http.favicon.hash:990643579": [[90, 117]]}, "info": {"id": "cyner2_8class_test_00872", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.CreateWinsockKeyLTAJ.Trojan Trojan.Win32.Zapchast!O Trojan.Pabueri Trojan/Zapchast.abuk Trojan.Graftor.D89D0 Win32.Trojan-PSW.OLGames.m Trojan.Gampass.B!inf Win32/Gamepass.QDC Trojan.Win32.Zapchast.abuk Trojan.Win32.Zapchast.rmfxd Trojan.Win32.A.Zapchast.17920.B TrojWare.Win32.Kryptik.ATA Trojan.PWS.Gamania.36444 Trojan.Zapchast.Win32.9724 PWS-OnlineGames.lw Trojan.Win32.Patched Heur:Trojan/PSW.QQPass TR/Patched.9984012 Trojan/Win32.Unknown Trojan.Win32.Zapchast.abuk Trojan/Win32.OnlineGameHack.R39710 PWS-OnlineGames.lw Trojan.Zapchast Win32/PSW.OnLineGames.QAP Trojan.Win32.Inject.thx Trojan.Zapchast!w+M30s8FNYQ W32/Onlinegames.QAP!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.CreateWinsockKeyLTAJ.Trojan": [[26, 57]], "Indicator: Trojan.Win32.Zapchast!O": [[58, 81]], "Indicator: Trojan.Pabueri": [[82, 96]], "Indicator: Trojan/Zapchast.abuk": [[97, 117]], "Indicator: Trojan.Graftor.D89D0": [[118, 138]], "Indicator: 
Win32.Trojan-PSW.OLGames.m": [[139, 165]], "Indicator: Trojan.Gampass.B!inf": [[166, 186]], "Indicator: Win32/Gamepass.QDC": [[187, 205]], "Indicator: Trojan.Win32.Zapchast.abuk": [[206, 232], [475, 501]], "Indicator: Trojan.Win32.Zapchast.rmfxd": [[233, 260]], "Indicator: Trojan.Win32.A.Zapchast.17920.B": [[261, 292]], "Indicator: TrojWare.Win32.Kryptik.ATA": [[293, 319]], "Indicator: Trojan.PWS.Gamania.36444": [[320, 344]], "Indicator: Trojan.Zapchast.Win32.9724": [[345, 371]], "Indicator: PWS-OnlineGames.lw": [[372, 390], [537, 555]], "Indicator: Trojan.Win32.Patched": [[391, 411]], "Indicator: Heur:Trojan/PSW.QQPass": [[412, 434]], "Indicator: TR/Patched.9984012": [[435, 453]], "Indicator: Trojan/Win32.Unknown": [[454, 474]], "Indicator: Trojan/Win32.OnlineGameHack.R39710": [[502, 536]], "Indicator: Trojan.Zapchast": [[556, 571]], "Indicator: Win32/PSW.OnLineGames.QAP": [[572, 597]], "Indicator: Trojan.Win32.Inject.thx": [[598, 621]], "Indicator: Trojan.Zapchast!w+M30s8FNYQ": [[622, 649]], "Indicator: W32/Onlinegames.QAP!tr": [[650, 672]]}, "info": {"id": "cyner2_8class_test_00873", "source": "cyner2_8class_test"}} {"text": "Figure 13 .", "spans": {}, "info": {"id": "cyner2_8class_test_00874", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Backdoor/Hupigon.kxio Win32.Trojan.WisdomEyes.16070401.9500.9776 W32/Downloader.TCTH-1863 Backdoor.Hupigon.Win32.99947 Backdoor.Win32.Mestys W32/Downldr2.IPCN Backdoor/Hupigon.ayow Trojan.Heur.ECFAB2 Backdoor:Win32/Mestys.A BScope.Trojan.SvcHorse.01643", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.Hupigon!O": [[26, 50]], "Indicator: Backdoor/Hupigon.kxio": [[51, 72]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9776": [[73, 115]], "Indicator: W32/Downloader.TCTH-1863": [[116, 140]], "Indicator: Backdoor.Hupigon.Win32.99947": [[141, 169]], "Indicator: Backdoor.Win32.Mestys": [[170, 191]], "Indicator: W32/Downldr2.IPCN": [[192, 209]], "Indicator: 
Backdoor/Hupigon.ayow": [[210, 231]], "Indicator: Trojan.Heur.ECFAB2": [[232, 250]], "Indicator: Backdoor:Win32/Mestys.A": [[251, 274]], "Indicator: BScope.Trojan.SvcHorse.01643": [[275, 303]]}, "info": {"id": "cyner2_8class_test_00875", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.MoSucker.30!O Backdoor.Mosucker Backdoor.MoSucker.Win32.159 Backdoor.W32.Mosucker!c Backdoor/MoSucker.30.e BKDR_MOSUCK.A Win32.Trojan.WisdomEyes.16070401.9500.9924 W32/Mosucker.Z@bd Backdoor.Mosuck Win32/Mosuck.L BKDR_MOSUCK.A Win.Trojan.MoSucker-1 Backdoor.Win32.MoSucker.40.e Trojan.Win32.MoSucker-30.gymr Backdoor.Win32.Mosuck.30 BehavesLike.Win32.Fake.cc Backdoor.Win32.VB W32/Mosucker.EBWJ-6580 Backdoor/MoSucker.30.e BDS/Mosucker.30.E Trojan[Backdoor]/Win32.MoSucker Backdoor:Win32/Mosuck.3_0 Backdoor.Win32.MoSucker.40.e Trojan/Win32.HDC.C41794 TScope.Trojan.VB Bck/Mosucker.H Win32/Mosuck.30 Win32.Backdoor.Mosucker.dirf Win32/Backdoor.d9c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.MoSucker.30!O": [[26, 54]], "Indicator: Backdoor.Mosucker": [[55, 72]], "Indicator: Backdoor.MoSucker.Win32.159": [[73, 100]], "Indicator: Backdoor.W32.Mosucker!c": [[101, 124]], "Indicator: Backdoor/MoSucker.30.e": [[125, 147], [441, 463]], "Indicator: BKDR_MOSUCK.A": [[148, 161], [254, 267]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9924": [[162, 204]], "Indicator: W32/Mosucker.Z@bd": [[205, 222]], "Indicator: Backdoor.Mosuck": [[223, 238]], "Indicator: Win32/Mosuck.L": [[239, 253]], "Indicator: Win.Trojan.MoSucker-1": [[268, 289]], "Indicator: Backdoor.Win32.MoSucker.40.e": [[290, 318], [540, 568]], "Indicator: Trojan.Win32.MoSucker-30.gymr": [[319, 348]], "Indicator: Backdoor.Win32.Mosuck.30": [[349, 373]], "Indicator: BehavesLike.Win32.Fake.cc": [[374, 399]], "Indicator: Backdoor.Win32.VB": [[400, 417]], "Indicator: W32/Mosucker.EBWJ-6580": [[418, 440]], "Indicator: BDS/Mosucker.30.E": [[464, 481]], "Indicator: 
Trojan[Backdoor]/Win32.MoSucker": [[482, 513]], "Indicator: Backdoor:Win32/Mosuck.3_0": [[514, 539]], "Indicator: Trojan/Win32.HDC.C41794": [[569, 592]], "Indicator: TScope.Trojan.VB": [[593, 609]], "Indicator: Bck/Mosucker.H": [[610, 624]], "Indicator: Win32/Mosuck.30": [[625, 640]], "Indicator: Win32.Backdoor.Mosucker.dirf": [[641, 669]], "Indicator: Win32/Backdoor.d9c": [[670, 688]]}, "info": {"id": "cyner2_8class_test_00876", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK BehavesLike.Win32.Trojan.dh AIT:Trojan.Autoit.DBK Trojan.Autoit.Injcrypt", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AIT:Trojan.Autoit.DBK": [[26, 47], [48, 69], [70, 91], [92, 113], [114, 135], [136, 157], [186, 207]], "Indicator: BehavesLike.Win32.Trojan.dh": [[158, 185]], "Indicator: Trojan.Autoit.Injcrypt": [[208, 230]]}, "info": {"id": "cyner2_8class_test_00877", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Script Trojan.Win32.Xtreme.exozxc Trojan.Win32.Z.Xtreme.679916 BackDoor.XtremeRat.6 BehavesLike.Win32.Trojan.jh Trojan.Win32.Injector TR/AD.XtremeRAT.qsqva Backdoor:Win32/Xtrat.AC Backdoor.Wirenet Trj/CI.A W32/Xtreme.BQJ!tr.bdr Win32/Trojan.Script.ed4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Script": [[26, 39]], "Indicator: Trojan.Win32.Xtreme.exozxc": [[40, 66]], "Indicator: Trojan.Win32.Z.Xtreme.679916": [[67, 95]], "Indicator: BackDoor.XtremeRat.6": [[96, 116]], "Indicator: BehavesLike.Win32.Trojan.jh": [[117, 144]], "Indicator: Trojan.Win32.Injector": [[145, 166]], "Indicator: TR/AD.XtremeRAT.qsqva": [[167, 188]], "Indicator: Backdoor:Win32/Xtrat.AC": [[189, 212]], "Indicator: Backdoor.Wirenet": [[213, 229]], "Indicator: Trj/CI.A": [[230, 238]], "Indicator: W32/Xtreme.BQJ!tr.bdr": [[239, 260]], "Indicator: Win32/Trojan.Script.ed4": [[261, 284]]}, "info": {"id": 
"cyner2_8class_test_00878", "source": "cyner2_8class_test"}} {"text": "The most recent version of Ginp ( at the time of writing ) was detected at the end of November 2019 .", "spans": {"Malware: Ginp": [[27, 31]]}, "info": {"id": "cyner2_8class_test_00879", "source": "cyner2_8class_test"}} {"text": "It is perhaps the first in a new wave of targeted attacks aimed at Android users .", "spans": {"System: Android": [[67, 74]]}, "info": {"id": "cyner2_8class_test_00880", "source": "cyner2_8class_test"}} {"text": "Proofpoint calls it Win32/RediModiUpd based on a debugging string from an earlier sample.", "spans": {"Organization: Proofpoint": [[0, 10]], "Indicator: Win32/RediModiUpd": [[20, 37]]}, "info": {"id": "cyner2_8class_test_00881", "source": "cyner2_8class_test"}} {"text": "In some cases , it uses this mechanism to send log data of important actions .", "spans": {}, "info": {"id": "cyner2_8class_test_00882", "source": "cyner2_8class_test"}} {"text": "When the family ceases to exist a new one is already available to fill the void , proving that the demand for such malware is always present and that therefore Cerberus has a good chance to survive .", "spans": {"Malware: Cerberus": [[160, 168]]}, "info": {"id": "cyner2_8class_test_00883", "source": "cyner2_8class_test"}} {"text": "Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus.", "spans": {"Organization: Palo Alto Networks Unit 42": [[0, 26]], "Indicator: series of phishing emails": [[44, 69]], "Malware: CMSTAR malware family": [[126, 147]], "Organization: government entities": [[166, 185]], "Location: Belarus.": [[204, 212]]}, "info": {"id": "cyner2_8class_test_00884", "source": "cyner2_8class_test"}} {"text": "First , the app has to turn off SELinux protection .", "spans": {"System: SELinux": [[32, 39]]}, "info": {"id": "cyner2_8class_test_00885", 
"source": "cyner2_8class_test"}} {"text": "Upon running the JavaScript, the Locky ransomware is downloaded and executed.", "spans": {"Indicator: JavaScript,": [[17, 28]], "Malware: Locky ransomware": [[33, 49]]}, "info": {"id": "cyner2_8class_test_00886", "source": "cyner2_8class_test"}} {"text": "Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.", "spans": {"Malware: malicious APK": [[35, 48]], "Indicator: malicious file repository service": [[83, 116]], "Date: 09:19:27 UTC on July 7, 2016,": [[120, 149]], "System: game": [[179, 183]], "Location: New Zealand": [[211, 222]], "Location: Australia.": [[227, 237]]}, "info": {"id": "cyner2_8class_test_00887", "source": "cyner2_8class_test"}} {"text": "The LookingGlass Cyber Threat Intelligence Group CTIG observed a widespread malspam campaign sent to victims appearing as if it had been an email to themselves with a malicious attachment.", "spans": {"Organization: The LookingGlass Cyber Threat Intelligence Group CTIG": [[0, 53]], "ThreatActor: malspam campaign": [[76, 92]], "Indicator: email to themselves with a malicious attachment.": [[140, 188]]}, "info": {"id": "cyner2_8class_test_00888", "source": "cyner2_8class_test"}} {"text": "Once an application has been identified , Anubis overlays the original application with a fake login page to capture the user ’ s credentials .", "spans": {"Malware: Anubis": [[42, 48]]}, "info": {"id": "cyner2_8class_test_00889", "source": "cyner2_8class_test"}} {"text": "This threat has been assigned the verdict Trojan-Ransom.Win32.Shade according to Kaspersky Lab's classification.", "spans": {"Malware: threat": [[5, 11]], "Indicator: Trojan-Ransom.Win32.Shade": [[42, 67]], "Organization: Kaspersky Lab's": [[81, 96]]}, "info": {"id": "cyner2_8class_test_00890", "source": "cyner2_8class_test"}} {"text": 
"A backdoor also known as: Program.Unwanted.2208 RiskTool.SysTweaker.c PUA/AdvanceSystemCare.sadf Trojan:Win32/Speesipro.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Program.Unwanted.2208": [[26, 47]], "Indicator: RiskTool.SysTweaker.c": [[48, 69]], "Indicator: PUA/AdvanceSystemCare.sadf": [[70, 96]], "Indicator: Trojan:Win32/Speesipro.A": [[97, 121]]}, "info": {"id": "cyner2_8class_test_00891", "source": "cyner2_8class_test"}} {"text": "This happens because the IDE executes the code from the Android debug bridge ( ADB ) by calling the activity declared in the manifest by name .", "spans": {"System: Android debug bridge": [[56, 76]]}, "info": {"id": "cyner2_8class_test_00892", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.FakeAlert.AWZ Trojan-Downloader.Win32.WarSpy!O Trojan.FakeAlert.AWZ Trojan/Downloader.warspy Trojan.FakeAlert.AWZ Win32.Trojan.WisdomEyes.16070401.9500.9955 Trojan.Desktophijack TROJ_WARSPY.A Trojan.FakeAlert.AWZ Trojan.FakeAlert.AWZ Trojan.Win32.Click.eoqljn Trojan.FakeAlert.AWZ TrojWare.Win32.TrojanDownloader.WarSpy Trojan.FakeAlert.AWZ Trojan.Click.373 Downloader.WarSpy.Win32.20 TROJ_WARSPY.A Warspy.dll TrojanDownloader.WarSpy.l TR/Dldr.WarSpy.pprwo Trojan[Downloader]/Win32.WarSpy TrojanDownloader:Win32/WarSpy.F Trojan/Win32.Downloader.C60200 Warspy.dll TrojanDownloader.WarSpy Trj/GdSda.A Win32/TrojanDownloader.WarSpy not-a-virus:AdWare.Win32.Serpo W32/StartPage.PPR!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.FakeAlert.AWZ": [[26, 46], [80, 100], [126, 146], [225, 245], [246, 266], [293, 313], [353, 373]], "Indicator: Trojan-Downloader.Win32.WarSpy!O": [[47, 79]], "Indicator: Trojan/Downloader.warspy": [[101, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9955": [[147, 189]], "Indicator: Trojan.Desktophijack": [[190, 210]], "Indicator: TROJ_WARSPY.A": [[211, 224], [418, 431]], "Indicator: Trojan.Win32.Click.eoqljn": [[267, 292]], "Indicator: 
TrojWare.Win32.TrojanDownloader.WarSpy": [[314, 352]], "Indicator: Trojan.Click.373": [[374, 390]], "Indicator: Downloader.WarSpy.Win32.20": [[391, 417]], "Indicator: Warspy.dll": [[432, 442], [585, 595]], "Indicator: TrojanDownloader.WarSpy.l": [[443, 468]], "Indicator: TR/Dldr.WarSpy.pprwo": [[469, 489]], "Indicator: Trojan[Downloader]/Win32.WarSpy": [[490, 521]], "Indicator: TrojanDownloader:Win32/WarSpy.F": [[522, 553]], "Indicator: Trojan/Win32.Downloader.C60200": [[554, 584]], "Indicator: TrojanDownloader.WarSpy": [[596, 619]], "Indicator: Trj/GdSda.A": [[620, 631]], "Indicator: Win32/TrojanDownloader.WarSpy": [[632, 661]], "Indicator: not-a-virus:AdWare.Win32.Serpo": [[662, 692]], "Indicator: W32/StartPage.PPR!tr": [[693, 713]]}, "info": {"id": "cyner2_8class_test_00893", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Alyak.B3 Win32.Trojan.Alyak.a Downloader.Bouncedoc TROJ_SPNR.0BFD13 TrojWare.Win32.Alyak.B Trojan.DownLoader6.51294 TROJ_SPNR.0BFD13 PWS-OnlineGames.lq TR/Dldr.Kanav.H.1 TrojanDownloader:Win32/Kanav.H Trojan.Graftor.Elzob.D3781 Dropper/Win32.OnlineGameHack.R35034 PWS-OnlineGames.lq BScope.Trojan.Win32.Inject.2 Trojan.Win32.Alyak", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Alyak.B3": [[26, 41]], "Indicator: Win32.Trojan.Alyak.a": [[42, 62]], "Indicator: Downloader.Bouncedoc": [[63, 83]], "Indicator: TROJ_SPNR.0BFD13": [[84, 100], [149, 165]], "Indicator: TrojWare.Win32.Alyak.B": [[101, 123]], "Indicator: Trojan.DownLoader6.51294": [[124, 148]], "Indicator: PWS-OnlineGames.lq": [[166, 184], [297, 315]], "Indicator: TR/Dldr.Kanav.H.1": [[185, 202]], "Indicator: TrojanDownloader:Win32/Kanav.H": [[203, 233]], "Indicator: Trojan.Graftor.Elzob.D3781": [[234, 260]], "Indicator: Dropper/Win32.OnlineGameHack.R35034": [[261, 296]], "Indicator: BScope.Trojan.Win32.Inject.2": [[316, 344]], "Indicator: Trojan.Win32.Alyak": [[345, 363]]}, "info": {"id": "cyner2_8class_test_00894", "source": 
"cyner2_8class_test"}} {"text": "] cc/TiktokPro .", "spans": {}, "info": {"id": "cyner2_8class_test_00895", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojandownloader.Faxplor Trojan.Razy.D15905 W32/Trojan.CLBI-3375 Trojan.Win32.Scarsi.aohf Trojan.Win32.Fsysna.ejthvr Trojan.KillProc.54385 TrojanDownloader:MSIL/Faxplor.A!bit Trojan.Win32.Scarsi.aohf Trj/GdSda.A Win32.Trojan.Atraps.Lmul Win32/Trojan.781", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Faxplor": [[26, 50]], "Indicator: Trojan.Razy.D15905": [[51, 69]], "Indicator: W32/Trojan.CLBI-3375": [[70, 90]], "Indicator: Trojan.Win32.Scarsi.aohf": [[91, 115], [201, 225]], "Indicator: Trojan.Win32.Fsysna.ejthvr": [[116, 142]], "Indicator: Trojan.KillProc.54385": [[143, 164]], "Indicator: TrojanDownloader:MSIL/Faxplor.A!bit": [[165, 200]], "Indicator: Trj/GdSda.A": [[226, 237]], "Indicator: Win32.Trojan.Atraps.Lmul": [[238, 262]], "Indicator: Win32/Trojan.781": [[263, 279]]}, "info": {"id": "cyner2_8class_test_00896", "source": "cyner2_8class_test"}} {"text": "Only later is the malicious code introduced , through an update .", "spans": {}, "info": {"id": "cyner2_8class_test_00897", "source": "cyner2_8class_test"}} {"text": "The malware we observed on this infrastructure was almost uniquely commodity RATs including DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT, and HWorm.", "spans": {"Malware: malware": [[4, 11]], "System: infrastructure": [[32, 46]], "Malware: RATs": [[77, 81]], "Malware: DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT,": [[92, 257]], "Malware: HWorm.": [[262, 268]]}, "info": {"id": "cyner2_8class_test_00898", "source": "cyner2_8class_test"}} {"text": "For example : WireLurker installed malicious apps on 
non-jailbroken iPhones Six different Trojan , Adware and HackTool families launched “ BackStab ” attacks to steal backup archives of iOS and BlackBerry devices The HackingTeam ’ s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones Recently , we discovered another Windows Trojan we named “ DualToy ” which side loads malicious or risky apps to both Android and iOS devices via a USB connection .", "spans": {"Malware: WireLurker": [[14, 24]], "Malware: HackTool families": [[110, 127]], "System: iOS": [[186, 189], [300, 303], [464, 467]], "System: BlackBerry": [[194, 204], [316, 326]], "Malware: HackingTeam": [[217, 228]], "Malware: RCS": [[233, 236]], "System: Windows": [[367, 374]], "Malware: DualToy": [[393, 400]], "System: Android": [[452, 459]], "System: USB": [[482, 485]]}, "info": {"id": "cyner2_8class_test_00899", "source": "cyner2_8class_test"}} {"text": "This feature is implemented using another open-source software package that can be found here .", "spans": {}, "info": {"id": "cyner2_8class_test_00900", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O TROJ_JORIK.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_JORIK.SM4 Trojan-Dropper.Win32.Injector.fjim Tool.PassView.604 Dropper.Injector.Win32.48748 W32/Autorun.worm.aadc Worm.Win32.Rombrast TrojanDropper.Injector.bltt Trojan[Dropper]/Win32.Injector Trojan-Dropper.Win32.Injector.fjim Trojan/Win32.Gimemo.R29683 W32/Autorun.worm.aadc TrojanDropper.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Injector!O": [[26, 57]], "Indicator: TROJ_JORIK.SM4": [[58, 72], [116, 130]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[73, 115]], "Indicator: Trojan-Dropper.Win32.Injector.fjim": [[131, 165], [314, 348]], "Indicator: Tool.PassView.604": [[166, 183]], "Indicator: Dropper.Injector.Win32.48748": [[184, 212]], "Indicator: W32/Autorun.worm.aadc": [[213, 234], [376, 
397]], "Indicator: Worm.Win32.Rombrast": [[235, 254]], "Indicator: TrojanDropper.Injector.bltt": [[255, 282]], "Indicator: Trojan[Dropper]/Win32.Injector": [[283, 313]], "Indicator: Trojan/Win32.Gimemo.R29683": [[349, 375]], "Indicator: TrojanDropper.Injector": [[398, 420]]}, "info": {"id": "cyner2_8class_test_00901", "source": "cyner2_8class_test"}} {"text": "It requests permission to access the additional storage .", "spans": {}, "info": {"id": "cyner2_8class_test_00902", "source": "cyner2_8class_test"}} {"text": "In this blog, we will describe the latest piece of malware implemented by the Ploutus Team with its malware variant known as Ploutus-D, where one of the most interesting features allows the attackers to manage the infected ATMs from the Internet and therefore making them operate like an IoT device.", "spans": {"Malware: malware": [[51, 58], [100, 107]], "ThreatActor: the Ploutus Team": [[74, 90]], "Malware: Ploutus-D,": [[125, 135]], "ThreatActor: attackers": [[190, 199]], "System: ATMs": [[223, 227]], "System: Internet": [[237, 245]], "Indicator: operate": [[272, 279]], "System: IoT device.": [[288, 299]]}, "info": {"id": "cyner2_8class_test_00903", "source": "cyner2_8class_test"}} {"text": "SPEAR was able to identify just over three hundred unique victims over the past month, as well as over 100GB worth of data that was exfiltrated and stored on one of the C2 servers.", "spans": {"Malware: SPEAR": [[0, 5]], "Organization: three hundred unique victims": [[37, 65]], "Date: the past month,": [[71, 86]], "Indicator: data": [[118, 122]], "Indicator: the C2 servers.": [[165, 180]]}, "info": {"id": "cyner2_8class_test_00904", "source": "cyner2_8class_test"}} {"text": "In this example , the server response contains several values for Thai carriers .", "spans": {}, "info": {"id": "cyner2_8class_test_00905", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Backdoor.Win32.BO!O Orifice.svr.d BackOrifice.Trojan 
Backdoor.Win32.BO.a Heur.Corrupt.PE BackDoor.BOrifice.120 Orifice.svr.d Backdoor/BO.a TR/BO.Srv Backdoor.Win32.BO.a Backdoor:Win32/BO.A.dam#2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Backdoor.Win32.BO!O": [[48, 67]], "Indicator: Orifice.svr.d": [[68, 81], [159, 172]], "Indicator: BackOrifice.Trojan": [[82, 100]], "Indicator: Backdoor.Win32.BO.a": [[101, 120], [197, 216]], "Indicator: Heur.Corrupt.PE": [[121, 136]], "Indicator: BackDoor.BOrifice.120": [[137, 158]], "Indicator: Backdoor/BO.a": [[173, 186]], "Indicator: TR/BO.Srv": [[187, 196]], "Indicator: Backdoor:Win32/BO.A.dam#2": [[217, 242]]}, "info": {"id": "cyner2_8class_test_00906", "source": "cyner2_8class_test"}} {"text": "Unlike previously discovered non Google Play centric campaigns whose victims almost exclusively come from less developed countries and regions , “ Agent Smith ” successfully penetrated into noticeable number of devices in developed countries such as Saudi Arabia , UK and US .", "spans": {"System: Google Play": [[33, 44]], "Malware: Agent Smith": [[147, 158]]}, "info": {"id": "cyner2_8class_test_00907", "source": "cyner2_8class_test"}} {"text": "Cyber Threat Group that Exploited Governments and Commercial Entities across Southeast Asia and India for over a Decade The first group, named Moafee, appears to operate from the Guandong Province.", "spans": {"ThreatActor: Cyber Threat Group": [[0, 18]], "Organization: Governments": [[34, 45]], "Organization: Commercial Entities": [[50, 69]], "Location: across Southeast Asia": [[70, 91]], "Location: India": [[96, 101]], "ThreatActor: Moafee,": [[143, 150]], "Location: Guandong Province.": [[179, 197]]}, "info": {"id": "cyner2_8class_test_00908", "source": "cyner2_8class_test"}} {"text": "At the same time , it 's extremely flexible , making it a very effective tool for malicious actors .", "spans": {}, "info": {"id": "cyner2_8class_test_00909", "source": "cyner2_8class_test"}} {"text": 
"A backdoor also known as: Trojan.Win32.Ekstak.bwtk Trojan.Win32.Ekstak.evfqig Trojan.Win32.CryptXXX.270336.D Trojan.Ekstak.Win32.3480 BehavesLike.Win32.PWSZbot.jc Trojan.Win32.Injector TR/Crypt.ZPACK.dtseo Trojan[Backdoor]/Win32.Androm TrojanDropper:Win32/Pitou.B Virus.W32.Troj!c Trojan.Win32.Ekstak.bwtk Hoax.Scatter Trj/GdSda.A W32/Injector.DIOR!tr Win32/Trojan.eeb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Ekstak.bwtk": [[26, 50], [281, 305]], "Indicator: Trojan.Win32.Ekstak.evfqig": [[51, 77]], "Indicator: Trojan.Win32.CryptXXX.270336.D": [[78, 108]], "Indicator: Trojan.Ekstak.Win32.3480": [[109, 133]], "Indicator: BehavesLike.Win32.PWSZbot.jc": [[134, 162]], "Indicator: Trojan.Win32.Injector": [[163, 184]], "Indicator: TR/Crypt.ZPACK.dtseo": [[185, 205]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[206, 235]], "Indicator: TrojanDropper:Win32/Pitou.B": [[236, 263]], "Indicator: Virus.W32.Troj!c": [[264, 280]], "Indicator: Hoax.Scatter": [[306, 318]], "Indicator: Trj/GdSda.A": [[319, 330]], "Indicator: W32/Injector.DIOR!tr": [[331, 351]], "Indicator: Win32/Trojan.eeb": [[352, 368]]}, "info": {"id": "cyner2_8class_test_00910", "source": "cyner2_8class_test"}} {"text": "ViceLeaker Operation : mobile espionage targeting Middle East 26 JUN 2019 In May 2018 , we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens .", "spans": {"Malware: ViceLeaker": [[0, 10]], "System: Android": [[140, 147]]}, "info": {"id": "cyner2_8class_test_00911", "source": "cyner2_8class_test"}} {"text": "The modern version of Rotexy combines the functions of a banking Trojan and ransomware .", "spans": {"Malware: Rotexy": [[22, 28]]}, "info": {"id": "cyner2_8class_test_00912", "source": "cyner2_8class_test"}} {"text": "Not even a day ago I blogged on a piece of ransomware named CryptoApp' which I discovered while it was still in its development & testing phase: [Analysis of a piece of ransomware in development: the story of 
CryptoApp'].", "spans": {"Malware: ransomware": [[43, 53], [169, 179]], "Malware: CryptoApp'": [[60, 70]], "Malware: CryptoApp'].": [[209, 221]]}, "info": {"id": "cyner2_8class_test_00913", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win.Exploit.Fnstenv_mov-1 Exploit.Win32.SqlShell.a Exploit.Win32.SqlShell.cvvofc Trojan.SqlShell Trojan.SqlShell.Win32.9 Exploit.SqlShell.a Trojan[Exploit]/Win32.SqlShell Exploit:Win32/Siveras.E Exploit.Win32.SqlShell.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win.Exploit.Fnstenv_mov-1": [[26, 51]], "Indicator: Exploit.Win32.SqlShell.a": [[52, 76], [221, 245]], "Indicator: Exploit.Win32.SqlShell.cvvofc": [[77, 106]], "Indicator: Trojan.SqlShell": [[107, 122]], "Indicator: Trojan.SqlShell.Win32.9": [[123, 146]], "Indicator: Exploit.SqlShell.a": [[147, 165]], "Indicator: Trojan[Exploit]/Win32.SqlShell": [[166, 196]], "Indicator: Exploit:Win32/Siveras.E": [[197, 220]]}, "info": {"id": "cyner2_8class_test_00914", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DownLoader23.14020 TrojanDownloader:Win32/Apcrewnod.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader23.14020": [[26, 51]], "Indicator: TrojanDownloader:Win32/Apcrewnod.A": [[52, 86]]}, "info": {"id": "cyner2_8class_test_00915", "source": "cyner2_8class_test"}} {"text": "We also describe apps that we think are coming from the same author or a group of authors .", "spans": {}, "info": {"id": "cyner2_8class_test_00916", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE TrojanSpy.MSIL Troj.Spy.Msil!c Win32.Trojan.WisdomEyes.16070401.9500.9996 Win32.Trojan.Kryptik.JK Trojan.Win32.Jenxcus.expoor Trojan.Win32.Z.Autoruns.585216 BehavesLike.Win32.Fareit.hc Trojan.MSIL.Crypt TrojanSpy.MSIL.vlx TR/AD.Jenxcus.xrytt Trojan/MSIL.Crypt Worm:Win32/Jenxcus.A Trojan/Win32.MSIL.R219591 Spyware.PasswordStealer Trj/GdSda.A MSIL/Kryptik.MNQ!tr Win32/Trojan.f56", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: TrojanSpy.MSIL": [[48, 62]], "Indicator: Troj.Spy.Msil!c": [[63, 78]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[79, 121]], "Indicator: Win32.Trojan.Kryptik.JK": [[122, 145]], "Indicator: Trojan.Win32.Jenxcus.expoor": [[146, 173]], "Indicator: Trojan.Win32.Z.Autoruns.585216": [[174, 204]], "Indicator: BehavesLike.Win32.Fareit.hc": [[205, 232]], "Indicator: Trojan.MSIL.Crypt": [[233, 250]], "Indicator: TrojanSpy.MSIL.vlx": [[251, 269]], "Indicator: TR/AD.Jenxcus.xrytt": [[270, 289]], "Indicator: Trojan/MSIL.Crypt": [[290, 307]], "Indicator: Worm:Win32/Jenxcus.A": [[308, 328]], "Indicator: Trojan/Win32.MSIL.R219591": [[329, 354]], "Indicator: Spyware.PasswordStealer": [[355, 378]], "Indicator: Trj/GdSda.A": [[379, 390]], "Indicator: MSIL/Kryptik.MNQ!tr": [[391, 410]], "Indicator: Win32/Trojan.f56": [[411, 427]]}, "info": {"id": "cyner2_8class_test_00917", "source": "cyner2_8class_test"}} {"text": "The 3cx supply chain attack infected companies all over the world, especially in France, Italy, Germany, and Brazil.", "spans": {"Organization: The 3cx": [[0, 7]], "Indicator: attack": [[21, 27]], "Organization: companies": [[37, 46]], "Location: France, Italy, Germany,": [[81, 104]], "Location: Brazil.": [[109, 116]]}, "info": {"id": "cyner2_8class_test_00918", "source": "cyner2_8class_test"}} {"text": "This code starts by allocating two chunks of memory : a global 1 MB buffer and one 64 KB buffer per thread .", "spans": {}, "info": {"id": "cyner2_8class_test_00919", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O W32/Backdoor2.DOAJ Infostealer.Tarno.B TROJ_DROPPER.SGQ Trojan-Dropper.Win32.Mudrop.cy Trojan.Win32.Mudrop.njme Trojan.Win32.MulDrop.191866 Troj.Dropper.W32.Mudrop.l2yP Trojan.MulDrop.3684 Dropper.Mudrop.Win32.966 TROJ_DROPPER.SGQ BehavesLike.Win32.PWSZbot.cc Trojan-Dropper.Win32.Mudrop 
W32/Backdoor.ZSGQ-5731 TrojanDropper.Mudrop.ahz TR/Drop.Mudrop.ER Win32.Troj.Mudrop.cy.kcloud Trojan.Conjar.9 Trojan-Dropper.Win32.Mudrop.cy TrojanDropper:Win32/Mudrop.W Dropper/Win32.Mudrop.R6557 Trj/Multidropper.RPV Win32.Trojan-dropper.Mudrop.Anpp Trojan.DR.Mudrop.TK", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Mudrop!O": [[26, 55]], "Indicator: W32/Backdoor2.DOAJ": [[56, 74]], "Indicator: Infostealer.Tarno.B": [[75, 94]], "Indicator: TROJ_DROPPER.SGQ": [[95, 111], [270, 286]], "Indicator: Trojan-Dropper.Win32.Mudrop.cy": [[112, 142], [454, 484]], "Indicator: Trojan.Win32.Mudrop.njme": [[143, 167]], "Indicator: Trojan.Win32.MulDrop.191866": [[168, 195]], "Indicator: Troj.Dropper.W32.Mudrop.l2yP": [[196, 224]], "Indicator: Trojan.MulDrop.3684": [[225, 244]], "Indicator: Dropper.Mudrop.Win32.966": [[245, 269]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[287, 315]], "Indicator: Trojan-Dropper.Win32.Mudrop": [[316, 343]], "Indicator: W32/Backdoor.ZSGQ-5731": [[344, 366]], "Indicator: TrojanDropper.Mudrop.ahz": [[367, 391]], "Indicator: TR/Drop.Mudrop.ER": [[392, 409]], "Indicator: Win32.Troj.Mudrop.cy.kcloud": [[410, 437]], "Indicator: Trojan.Conjar.9": [[438, 453]], "Indicator: TrojanDropper:Win32/Mudrop.W": [[485, 513]], "Indicator: Dropper/Win32.Mudrop.R6557": [[514, 540]], "Indicator: Trj/Multidropper.RPV": [[541, 561]], "Indicator: Win32.Trojan-dropper.Mudrop.Anpp": [[562, 594]], "Indicator: Trojan.DR.Mudrop.TK": [[595, 614]]}, "info": {"id": "cyner2_8class_test_00920", "source": "cyner2_8class_test"}} {"text": "July 7 Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump .", "spans": {"System: Flash Player": [[32, 44]], "System: Windows": [[61, 68]]}, "info": {"id": "cyner2_8class_test_00921", "source": "cyner2_8class_test"}} {"text": "Initial research into the exploit by Unit 42 indicates that this actor has opted to include multiple exploits.", "spans": {"Malware: 
exploit": [[26, 33]], "Organization: Unit 42": [[37, 44]], "ThreatActor: actor": [[65, 70]], "Malware: multiple exploits.": [[92, 110]]}, "info": {"id": "cyner2_8class_test_00922", "source": "cyner2_8class_test"}} {"text": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT.", "spans": {"Organization: Travelers": [[0, 9]], "Location: US": [[25, 27]], "Location: Switzerland": [[36, 47]], "ThreatActor: cyber-criminals": [[74, 89]], "Malware: malware": [[102, 109]], "Malware: QRAT.": [[117, 122]]}, "info": {"id": "cyner2_8class_test_00923", "source": "cyner2_8class_test"}} {"text": "Worm that connects to theworldnews.byethost5[.]com/online.php", "spans": {"Malware: Worm": [[0, 4]], "Indicator: theworldnews.byethost5[.]com/online.php": [[22, 61]]}, "info": {"id": "cyner2_8class_test_00924", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Tool.KeyLogger.Win32.722 Riskware.Win32.EliteKeylogger.eluvck Application.EliteKeyLogger SPR/EliteKeyLog.AC", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Tool.KeyLogger.Win32.722": [[26, 50]], "Indicator: Riskware.Win32.EliteKeylogger.eluvck": [[51, 87]], "Indicator: Application.EliteKeyLogger": [[88, 114]], "Indicator: SPR/EliteKeyLog.AC": [[115, 133]]}, "info": {"id": "cyner2_8class_test_00925", "source": "cyner2_8class_test"}} {"text": "The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through .", "spans": {}, "info": {"id": "cyner2_8class_test_00926", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clodc8d.Trojan.f6fa Trojan.Skeeyah Trojan.Zusy.D2C0FC TROJ_SKEEYAH_FB24024B.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9772 Backdoor.Trojan TROJ_SKEEYAH_FB24024B.UVPM Trojan.DownLoader19.10801 Adware.BrowseFox.Win32.317622 W32/Trojan.UZWX-1729 BScope.P2P-Worm.Palevo Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32.Clodc8d.Trojan.f6fa": [[26, 49]], "Indicator: Trojan.Skeeyah": [[50, 64]], "Indicator: Trojan.Zusy.D2C0FC": [[65, 83]], "Indicator: TROJ_SKEEYAH_FB24024B.UVPM": [[84, 110], [170, 196]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9772": [[111, 153]], "Indicator: Backdoor.Trojan": [[154, 169]], "Indicator: Trojan.DownLoader19.10801": [[197, 222]], "Indicator: Adware.BrowseFox.Win32.317622": [[223, 252]], "Indicator: W32/Trojan.UZWX-1729": [[253, 273]], "Indicator: BScope.P2P-Worm.Palevo": [[274, 296]], "Indicator: Trj/GdSda.A": [[297, 308]]}, "info": {"id": "cyner2_8class_test_00927", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TROJ_HILOTI.SMWQ Win32.Trojan.WisdomEyes.16070401.9500.9839 TROJ_HILOTI.SMWQ Trojan.PackedENT.24737 Virus.Win32.Cryptor Trojan.Famudin.1 Trojan:Win32/Famudin.A Trojan/Win32.Zefarch.R8475", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_HILOTI.SMWQ": [[26, 42], [86, 102]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9839": [[43, 85]], "Indicator: Trojan.PackedENT.24737": [[103, 125]], "Indicator: Virus.Win32.Cryptor": [[126, 145]], "Indicator: Trojan.Famudin.1": [[146, 162]], "Indicator: Trojan:Win32/Famudin.A": [[163, 185]], "Indicator: Trojan/Win32.Zefarch.R8475": [[186, 212]]}, "info": {"id": "cyner2_8class_test_00928", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Chkdsk.Worm Trojan-Downloader.Win32.PurityScan!O Downloader.PurityScan.Win32.185 Trojan/Downloader.PurityScan.hl Win32.Trojan.WisdomEyes.16070401.9500.9994 Adware.Purityscan Win.Adware.Purityscan-45 Trojan.Win32.Fsysna.amty Trojan.Win32.PurityScan.wjls Adware.MediaTicket BehavesLike.Win32.Sytro.kc TrojanDownloader.PurityScan.ge Trojan[Downloader]/Win32.PurityScan Win32.TrojDownloader.PurityScan.hl.kcloud TrojanDropper:Win32/Puritany.A!bit Trojan.Heur.D.emHfbGXR0jj Trojan.Win32.A.Downloader.68677.C[UPX] TrojanDownloader.PurityScan Trojan-Downloader.Win32.PurityScan", "spans": {"Malware: backdoor": [[2, 
10]], "Indicator: W32.Chkdsk.Worm": [[26, 41]], "Indicator: Trojan-Downloader.Win32.PurityScan!O": [[42, 78]], "Indicator: Downloader.PurityScan.Win32.185": [[79, 110]], "Indicator: Trojan/Downloader.PurityScan.hl": [[111, 142]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[143, 185]], "Indicator: Adware.Purityscan": [[186, 203]], "Indicator: Win.Adware.Purityscan-45": [[204, 228]], "Indicator: Trojan.Win32.Fsysna.amty": [[229, 253]], "Indicator: Trojan.Win32.PurityScan.wjls": [[254, 282]], "Indicator: Adware.MediaTicket": [[283, 301]], "Indicator: BehavesLike.Win32.Sytro.kc": [[302, 328]], "Indicator: TrojanDownloader.PurityScan.ge": [[329, 359]], "Indicator: Trojan[Downloader]/Win32.PurityScan": [[360, 395]], "Indicator: Win32.TrojDownloader.PurityScan.hl.kcloud": [[396, 437]], "Indicator: TrojanDropper:Win32/Puritany.A!bit": [[438, 472]], "Indicator: Trojan.Heur.D.emHfbGXR0jj": [[473, 498]], "Indicator: Trojan.Win32.A.Downloader.68677.C[UPX]": [[499, 537]], "Indicator: TrojanDownloader.PurityScan": [[538, 565]], "Indicator: Trojan-Downloader.Win32.PurityScan": [[566, 600]]}, "info": {"id": "cyner2_8class_test_00929", "source": "cyner2_8class_test"}} {"text": "The “ id ” value inside the “ data ” block is equal to the “ timestamp ” value of the relevant command : In addition , the Trojan sets itself as the default SMS application and , on receiving a new SMS , forwards the sender ’ s number and the message text in base64 format to the cybercriminal : Thus , Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone .", "spans": {"Malware: Asacub": [[303, 309]]}, "info": {"id": "cyner2_8class_test_00930", "source": "cyner2_8class_test"}} {"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows 
hackers the desired access as the user is perceived as already logged in .", "spans": {"Organization: Google": [[6, 12], [117, 123]]}, "info": {"id": "cyner2_8class_test_00931", "source": "cyner2_8class_test"}} {"text": "This also aligns with HenBox ’ s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 .", "spans": {"Malware: HenBox": [[22, 28], [86, 92]]}, "info": {"id": "cyner2_8class_test_00932", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Z.Mikey.225280.T Backdoor.Win32.Sobador W32/Trojan.VKIR-9186 Worm:Win32/Docmuck.A Trj/CI.A Win32/Trojan.639", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Z.Mikey.225280.T": [[26, 55]], "Indicator: Backdoor.Win32.Sobador": [[56, 78]], "Indicator: W32/Trojan.VKIR-9186": [[79, 99]], "Indicator: Worm:Win32/Docmuck.A": [[100, 120]], "Indicator: Trj/CI.A": [[121, 129]], "Indicator: Win32/Trojan.639": [[130, 146]]}, "info": {"id": "cyner2_8class_test_00933", "source": "cyner2_8class_test"}} {"text": "The 9002 RAT is not new.", "spans": {"Malware: 9002 RAT": [[4, 12]]}, "info": {"id": "cyner2_8class_test_00934", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.2A05 Trojan.Win32.VBKrypt!O TrojanDropper.VB.HV3 Trojan/VBKrypt.vvt Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Dropper.BJGL Heur.AdvML.B Win32/RiskWare.PEMalform.B TROJ_VBDROP.SMIA Win.Trojan.VB-26665 Backdoor.Win32.Hupigon.usxr Trojan.Win32.AutoRun.wqect Trojan.Win32.A.VBKrypt.220160.A[h] Troj.W32.VBKrypt.vvt!c TrojWare.Win32.Kryptik.~NT Trojan.Click1.48058 Trojan.VBKrypt.Win32.42907 TROJ_VBDROP.SMIA BehavesLike.Win32.Downloader.dc Trojan/VBKrypt.hfjo W32/Onlinegames.ASE!tr Trojan/Win32.VBKrypt Trojan.Graftor.D6DF1 Trojan/Win32.VBKrypt.N368238745 TrojanDropper:Win32/Popsenong.A Win32/Popsenong.BD Trojan.Pasta Win32.Trojan.Vbkrypt.byqw Trojan.Win32.VBKrypt Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
HW32.Packed.2A05": [[26, 42]], "Indicator: Trojan.Win32.VBKrypt!O": [[43, 65]], "Indicator: TrojanDropper.VB.HV3": [[66, 86]], "Indicator: Trojan/VBKrypt.vvt": [[87, 105]], "Indicator: Win32.Trojan.WisdomEyes.151026.9950.9999": [[106, 146]], "Indicator: W32/Dropper.BJGL": [[147, 163]], "Indicator: Heur.AdvML.B": [[164, 176]], "Indicator: Win32/RiskWare.PEMalform.B": [[177, 203]], "Indicator: TROJ_VBDROP.SMIA": [[204, 220], [428, 444]], "Indicator: Win.Trojan.VB-26665": [[221, 240]], "Indicator: Backdoor.Win32.Hupigon.usxr": [[241, 268]], "Indicator: Trojan.Win32.AutoRun.wqect": [[269, 295]], "Indicator: Trojan.Win32.A.VBKrypt.220160.A[h]": [[296, 330]], "Indicator: Troj.W32.VBKrypt.vvt!c": [[331, 353]], "Indicator: TrojWare.Win32.Kryptik.~NT": [[354, 380]], "Indicator: Trojan.Click1.48058": [[381, 400]], "Indicator: Trojan.VBKrypt.Win32.42907": [[401, 427]], "Indicator: BehavesLike.Win32.Downloader.dc": [[445, 476]], "Indicator: Trojan/VBKrypt.hfjo": [[477, 496]], "Indicator: W32/Onlinegames.ASE!tr": [[497, 519]], "Indicator: Trojan/Win32.VBKrypt": [[520, 540]], "Indicator: Trojan.Graftor.D6DF1": [[541, 561]], "Indicator: Trojan/Win32.VBKrypt.N368238745": [[562, 593]], "Indicator: TrojanDropper:Win32/Popsenong.A": [[594, 625]], "Indicator: Win32/Popsenong.BD": [[626, 644]], "Indicator: Trojan.Pasta": [[645, 657]], "Indicator: Win32.Trojan.Vbkrypt.byqw": [[658, 683]], "Indicator: Trojan.Win32.VBKrypt": [[684, 704]], "Indicator: Trj/CI.A": [[705, 713]]}, "info": {"id": "cyner2_8class_test_00935", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Zusy.D3C179 TROJ_UPADEMTYS.SM Trojan.DownLoader25.8430 TROJ_UPADEMTYS.SM Trojan:Win32/Cenjonsla.D!bit Trojan.Win32.U.Downloader.437248 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Trojan.Zusy.D3C179": [[46, 64]], "Indicator: TROJ_UPADEMTYS.SM": [[65, 82], [108, 125]], "Indicator: Trojan.DownLoader25.8430": [[83, 
107]], "Indicator: Trojan:Win32/Cenjonsla.D!bit": [[126, 154]], "Indicator: Trojan.Win32.U.Downloader.437248": [[155, 187]], "Indicator: Trj/GdSda.A": [[188, 199]]}, "info": {"id": "cyner2_8class_test_00936", "source": "cyner2_8class_test"}} {"text": "The spaghetti code in FinFisher dropper This problem is not novel , and in common situations there are known reversing plugins that may help for this task .", "spans": {"Malware: FinFisher": [[22, 31]]}, "info": {"id": "cyner2_8class_test_00937", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.YahLoverQKB.Trojan Worm.Autoit.Sohanad.S Worm.AutoRun Worm.Sohanad.Win32.3409 Trojan.Heur.AutoIT.2 Win32.Worm.Sohanad.x Win32/SillyAutorun.DQF WORM_SOHAND.SM IM-Worm.Win32.Sohanad.pw W32.W.Sohanad.m0tE Worm.Win32.Sohanad.NCB WORM_SOHAND.SM BehavesLike.Win32.Tupym.wt Win32.Worm.Autorun.M HEUR/Fakon.mwf I-Worm.Sohanad.NFS Win32/Sohanad.NCB Trojan.AutoIT.ZU not-a-virus:Monitor.Win32.007SpySoft", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.YahLoverQKB.Trojan": [[26, 48]], "Indicator: Worm.Autoit.Sohanad.S": [[49, 70]], "Indicator: Worm.AutoRun": [[71, 83]], "Indicator: Worm.Sohanad.Win32.3409": [[84, 107]], "Indicator: Trojan.Heur.AutoIT.2": [[108, 128]], "Indicator: Win32.Worm.Sohanad.x": [[129, 149]], "Indicator: Win32/SillyAutorun.DQF": [[150, 172]], "Indicator: WORM_SOHAND.SM": [[173, 187], [255, 269]], "Indicator: IM-Worm.Win32.Sohanad.pw": [[188, 212]], "Indicator: W32.W.Sohanad.m0tE": [[213, 231]], "Indicator: Worm.Win32.Sohanad.NCB": [[232, 254]], "Indicator: BehavesLike.Win32.Tupym.wt": [[270, 296]], "Indicator: Win32.Worm.Autorun.M": [[297, 317]], "Indicator: HEUR/Fakon.mwf": [[318, 332]], "Indicator: I-Worm.Sohanad.NFS": [[333, 351]], "Indicator: Win32/Sohanad.NCB": [[352, 369]], "Indicator: Trojan.AutoIT.ZU": [[370, 386]], "Indicator: not-a-virus:Monitor.Win32.007SpySoft": [[387, 423]]}, "info": {"id": "cyner2_8class_test_00938", "source": "cyner2_8class_test"}} {"text": "Receiver 
Intent Name Description BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting .", "spans": {"Indicator: android.intent.action.BOOT_COMPLETED": [[46, 82]]}, "info": {"id": "cyner2_8class_test_00939", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Trojan4.AADB Rootkit.Win32.AntiAv.pqy TrojWare.Win32.TrojanDownloader.Icehart.A Trojan.MulDrop5.35956 W32/Trojan.QEHW-5913 Trojan:WinNT/Percol.A Trojan-Downloader.Win32.Icehart", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan4.AADB": [[26, 42]], "Indicator: Rootkit.Win32.AntiAv.pqy": [[43, 67]], "Indicator: TrojWare.Win32.TrojanDownloader.Icehart.A": [[68, 109]], "Indicator: Trojan.MulDrop5.35956": [[110, 131]], "Indicator: W32/Trojan.QEHW-5913": [[132, 152]], "Indicator: Trojan:WinNT/Percol.A": [[153, 174]], "Indicator: Trojan-Downloader.Win32.Icehart": [[175, 206]]}, "info": {"id": "cyner2_8class_test_00940", "source": "cyner2_8class_test"}} {"text": "Sneaking unwanted or harmful functionality into popular , benign apps is a common practice among “ bad ” developers , and we are committed to tracking down such apps .", "spans": {}, "info": {"id": "cyner2_8class_test_00941", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDownloader.Moure.A3 TROJ_MOURE.SM TROJ_MOURE.SM Trojan.Win32.KillProc.cvivhz BehavesLike.Win32.Dropper.lc Trojan.Win32.Droma TR/Moure.A.17 Trojan.Kazy.D39E9B TScope.Malware-Cryptor.SB Trj/CI.A Win32.Trojan.Moure.Hxzu Trojan.Droma!2wG5lxLKOCU Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Moure.A3": [[26, 51]], "Indicator: TROJ_MOURE.SM": [[52, 65], [66, 79]], "Indicator: Trojan.Win32.KillProc.cvivhz": [[80, 108]], "Indicator: BehavesLike.Win32.Dropper.lc": [[109, 137]], "Indicator: Trojan.Win32.Droma": [[138, 156]], "Indicator: TR/Moure.A.17": [[157, 170]], "Indicator: Trojan.Kazy.D39E9B": [[171, 189]], "Indicator: 
TScope.Malware-Cryptor.SB": [[190, 215]], "Indicator: Trj/CI.A": [[216, 224]], "Indicator: Win32.Trojan.Moure.Hxzu": [[225, 248]], "Indicator: Trojan.Droma!2wG5lxLKOCU": [[249, 273]], "Indicator: Win32/Trojan.Multi.daf": [[274, 296]]}, "info": {"id": "cyner2_8class_test_00942", "source": "cyner2_8class_test"}} {"text": "It was configured to activate via SMS sent from a Czech Republic number .", "spans": {}, "info": {"id": "cyner2_8class_test_00943", "source": "cyner2_8class_test"}} {"text": "As we began to analyze and tear down the various samples we collected, we found significant overlaps with previously reported and documented adversary groups, attack campaigns, and their toolsets, exemplifying the concept of the Digital Quartermaster.", "spans": {"Malware: samples": [[49, 56]], "ThreatActor: adversary groups, attack campaigns,": [[141, 176]], "Malware: toolsets,": [[187, 196]], "Indicator: the Digital Quartermaster.": [[225, 251]]}, "info": {"id": "cyner2_8class_test_00944", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.MiraVM.Worm Worm.Mira.IM6 Trojan/Mira.a WORM_MIRAS.SMN Win32.Worm.Mira.c W32.SillyFDC Win32/Tnega.MFcdAFD WORM_MIRAS.SMN Win32.Worm.Mira.D Trojan.Win32.Mira.etthwn Trojan.Win32.Mira.741847 Trojan.MulDrop5.32888 TR/Zusy.BQ HEUR/Fakon.mwf Win32/Mira.A Worm.Win32.Mira.a Trojan-Spy.Zbot W32/Mira.9C5!tr W32/Milam.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.MiraVM.Worm": [[26, 47]], "Indicator: Worm.Mira.IM6": [[48, 61]], "Indicator: Trojan/Mira.a": [[62, 75]], "Indicator: WORM_MIRAS.SMN": [[76, 90], [142, 156]], "Indicator: Win32.Worm.Mira.c": [[91, 108]], "Indicator: W32.SillyFDC": [[109, 121]], "Indicator: Win32/Tnega.MFcdAFD": [[122, 141]], "Indicator: Win32.Worm.Mira.D": [[157, 174]], "Indicator: Trojan.Win32.Mira.etthwn": [[175, 199]], "Indicator: Trojan.Win32.Mira.741847": [[200, 224]], "Indicator: Trojan.MulDrop5.32888": [[225, 246]], "Indicator: TR/Zusy.BQ": [[247, 257]], 
"Indicator: HEUR/Fakon.mwf": [[258, 272]], "Indicator: Win32/Mira.A": [[273, 285]], "Indicator: Worm.Win32.Mira.a": [[286, 303]], "Indicator: Trojan-Spy.Zbot": [[304, 319]], "Indicator: W32/Mira.9C5!tr": [[320, 335]], "Indicator: W32/Milam.A.worm": [[336, 352]]}, "info": {"id": "cyner2_8class_test_00945", "source": "cyner2_8class_test"}} {"text": "The current investigations are still underway but the known indicators of compromise in these new attacks will be presented below.", "spans": {}, "info": {"id": "cyner2_8class_test_00946", "source": "cyner2_8class_test"}} {"text": "As it launches , it requests device administrator rights , and then starts communicating with its C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_00947", "source": "cyner2_8class_test"}} {"text": "The delivery method for these documents remained consistent to other common malicious e-mail campaigns.", "spans": {"Indicator: The delivery method": [[0, 19]], "Malware: malicious": [[76, 85]], "ThreatActor: e-mail campaigns.": [[86, 103]]}, "info": {"id": "cyner2_8class_test_00948", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Downldr2.HMDO Trojan.FakeAdvapi.11 TrojanDownloader:Win32/Tapivat.B W32/Downldr2.HMDO Backdoor.Win32.Undef.cjv Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Downldr2.HMDO": [[26, 43], [98, 115]], "Indicator: Trojan.FakeAdvapi.11": [[44, 64]], "Indicator: TrojanDownloader:Win32/Tapivat.B": [[65, 97]], "Indicator: Backdoor.Win32.Undef.cjv": [[116, 140]], "Indicator: Trj/Downloader.MDW": [[141, 159]]}, "info": {"id": "cyner2_8class_test_00949", "source": "cyner2_8class_test"}} {"text": "Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK.", "spans": {"Malware: variants": [[13, 21]], "Malware: sysget malware family": [[50, 71]], "Indicator: DragonOK.": [[101, 110]]}, "info": {"id": "cyner2_8class_test_00950", "source": "cyner2_8class_test"}} 
{"text": "Then , it uses the accessibility service for its malicious operations , some of which include : Preventing the user from uninstalling the app Becoming the default SMS app by changing device settings Monitoring the currently running application ( s ) Scraping on-screen text Android operating systems include many dialog screens that require the denial , or approval , of app permissions and actions that have to receive input from the user by tapping a button on the screen .", "spans": {"System: Android": [[274, 281]]}, "info": {"id": "cyner2_8class_test_00951", "source": "cyner2_8class_test"}} {"text": "This domain also contains pages to phish credentials for popular online mail providers such as Gmail and Yahoo.", "spans": {"Indicator: domain": [[5, 11]], "Indicator: pages": [[26, 31]], "Indicator: phish credentials": [[35, 52]], "Organization: online mail providers": [[65, 86]], "System: Gmail": [[95, 100]], "System: Yahoo.": [[105, 111]]}, "info": {"id": "cyner2_8class_test_00952", "source": "cyner2_8class_test"}} {"text": "Upon further analysis it became clear this application was as malicious as they come and initially resembled the CopyCat malware , discovered by Check Point Research back in April 2016 .", "spans": {"Malware: CopyCat": [[113, 120]], "Organization: Check Point": [[145, 156]]}, "info": {"id": "cyner2_8class_test_00953", "source": "cyner2_8class_test"}} {"text": "The campaign seeks to deliver Anubis , a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan .", "spans": {"Malware: Anubis": [[30, 36]]}, "info": {"id": "cyner2_8class_test_00954", "source": "cyner2_8class_test"}} {"text": "Smishing : The Major Way To Distribute RuMMS We have not observed any instances of RuMMS on Google Play or other online app stores .", "spans": {"Malware: RuMMS": [[39, 44], [83, 88]], "System: Google Play": [[92, 103]]}, "info": {"id": "cyner2_8class_test_00955", "source": "cyner2_8class_test"}} 
{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_8class_test_00956", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Hijacker.evenzx Win32.Trojan.Hijacker.Aiij DLOADER.Trojan Worm.Kasidet.Win32.342 Trojan.Razy.D361B7 Backdoor:Win32/Quicdy.A Worm.Kasidet! Worm.Win32.Kasidet W32/Kasidet.AU!worm Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9980": [[26, 68]], "Indicator: Trojan.Win32.Hijacker.evenzx": [[69, 97]], "Indicator: Win32.Trojan.Hijacker.Aiij": [[98, 124]], "Indicator: DLOADER.Trojan": [[125, 139]], "Indicator: Worm.Kasidet.Win32.342": [[140, 162]], "Indicator: Trojan.Razy.D361B7": [[163, 181]], "Indicator: Backdoor:Win32/Quicdy.A": [[182, 205]], "Indicator: Worm.Kasidet!": [[206, 219]], "Indicator: Worm.Win32.Kasidet": [[220, 238]], "Indicator: W32/Kasidet.AU!worm": [[239, 258]], "Indicator: Trj/GdSda.A": [[259, 270]]}, "info": {"id": "cyner2_8class_test_00957", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.IRCBot.ACPE Worm.Butibrot Backdoor.IRCBot.ACPE Backdoor.IRCBot.ACPE Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.IRCBot-846 SScope.Trojan.YM.0379 P2P-Worm.Win32.Butibrot.fx Trojan.Win32.Hosts2.ewqtym Backdoor.W32.IRCBot.li6r Win32.HLLW.Autoruner.6328 Virus.Win32.IRCBot.BSX Backdoor.IRCBot.ACPE P2P-Worm.Win32.Butibrot.fx Win32.Trojan.Qhost.A Worm/Win32.IRCBot.R6005 Backdoor.IRCBot.ACPE Trojan.QHosts.G Win32/Backdoor.BO.263", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.IRCBot.ACPE": [[26, 46], [61, 81], [82, 102], [318, 338], [411, 431]], "Indicator: Worm.Butibrot": [[47, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[103, 145]], "Indicator: Win.Trojan.IRCBot-846": [[146, 167]], "Indicator: SScope.Trojan.YM.0379": [[168, 189]], "Indicator: P2P-Worm.Win32.Butibrot.fx": [[190, 216], [339, 365]], "Indicator: 
Trojan.Win32.Hosts2.ewqtym": [[217, 243]], "Indicator: Backdoor.W32.IRCBot.li6r": [[244, 268]], "Indicator: Win32.HLLW.Autoruner.6328": [[269, 294]], "Indicator: Virus.Win32.IRCBot.BSX": [[295, 317]], "Indicator: Win32.Trojan.Qhost.A": [[366, 386]], "Indicator: Worm/Win32.IRCBot.R6005": [[387, 410]], "Indicator: Trojan.QHosts.G": [[432, 447]], "Indicator: Win32/Backdoor.BO.263": [[448, 469]]}, "info": {"id": "cyner2_8class_test_00958", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Multi Uds.Dangerousobject.Multi!c Trojan/Downloader.Fosniw.al Trojan.Win32.Mirai.exojtt Trojan.DownLoader26.15190 BDS/Mirai.kpgws Backdoor:Win32/Mirai.A Trojan/Win32.Mirai.C2393598 Adware.Elex Trj/RnkBend.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: Uds.Dangerousobject.Multi!c": [[39, 66]], "Indicator: Trojan/Downloader.Fosniw.al": [[67, 94]], "Indicator: Trojan.Win32.Mirai.exojtt": [[95, 120]], "Indicator: Trojan.DownLoader26.15190": [[121, 146]], "Indicator: BDS/Mirai.kpgws": [[147, 162]], "Indicator: Backdoor:Win32/Mirai.A": [[163, 185]], "Indicator: Trojan/Win32.Mirai.C2393598": [[186, 213]], "Indicator: Adware.Elex": [[214, 225]], "Indicator: Trj/RnkBend.A": [[226, 239]]}, "info": {"id": "cyner2_8class_test_00959", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom/W32.Blocker.191946 Trojan-Ransom.Win32.Blocker!O Trojan.Autorun.WR4 Trojan.Blocker.Win32.7173 BKDR_TOFSEE.SMJ0 Win32/FakeAV.YeKRCbC BKDR_TOFSEE.SMJ0 Win.Trojan.Blocker-302 Trojan-Ransom.Win32.Blocker.kgw Trojan.Win32.Blocker.btwdzu Troj.Downloader.Small.mxel Trojan-ransom.Win32.Blocker.kgw Trojan.StartPage.49691 BehavesLike.Win32.Ransom.cc Trojan/Blocker.afz TR/Rogue.zxdv Trojan-Ransom.Win32.Blocker.kgw Trojan/Win32.Blocker.R46032 Hoax.Blocker Ransom.Winlock Trojan.Blocker!9ES4EgQtPbA Trojan-Ransom.Win32.Blocker", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom/W32.Blocker.191946": [[26, 51]], "Indicator: 
Trojan-Ransom.Win32.Blocker!O": [[52, 81]], "Indicator: Trojan.Autorun.WR4": [[82, 100]], "Indicator: Trojan.Blocker.Win32.7173": [[101, 126]], "Indicator: BKDR_TOFSEE.SMJ0": [[127, 143], [165, 181]], "Indicator: Win32/FakeAV.YeKRCbC": [[144, 164]], "Indicator: Win.Trojan.Blocker-302": [[182, 204]], "Indicator: Trojan-Ransom.Win32.Blocker.kgw": [[205, 236], [408, 439]], "Indicator: Trojan.Win32.Blocker.btwdzu": [[237, 264]], "Indicator: Troj.Downloader.Small.mxel": [[265, 291]], "Indicator: Trojan-ransom.Win32.Blocker.kgw": [[292, 323]], "Indicator: Trojan.StartPage.49691": [[324, 346]], "Indicator: BehavesLike.Win32.Ransom.cc": [[347, 374]], "Indicator: Trojan/Blocker.afz": [[375, 393]], "Indicator: TR/Rogue.zxdv": [[394, 407]], "Indicator: Trojan/Win32.Blocker.R46032": [[440, 467]], "Indicator: Hoax.Blocker": [[468, 480]], "Indicator: Ransom.Winlock": [[481, 495]], "Indicator: Trojan.Blocker!9ES4EgQtPbA": [[496, 522]], "Indicator: Trojan-Ransom.Win32.Blocker": [[523, 550]]}, "info": {"id": "cyner2_8class_test_00960", "source": "cyner2_8class_test"}} {"text": "These apps also had a large amount of downloads between 4 and 18 million , meaning the total spread of the malware may have reached between 8.5 and 36.5 million users .", "spans": {}, "info": {"id": "cyner2_8class_test_00961", "source": "cyner2_8class_test"}} {"text": "Mandiant currently tracks this actor as UNC4540.", "spans": {"Organization: Mandiant": [[0, 8]], "ThreatActor: actor": [[31, 36]], "ThreatActor: UNC4540.": [[40, 48]]}, "info": {"id": "cyner2_8class_test_00962", "source": "cyner2_8class_test"}} {"text": "mobile_treats_2013_04s The number of mobile banking Trojans in our collection Mobile banking Trojans can run together with Win-32 Trojans to bypass the two-factor authentication – mTAN theft ( the theft of banking verification codes that banks send their customers in SMS messages ) .", "spans": {"System: Win-32": [[123, 129]]}, "info": {"id": "cyner2_8class_test_00963", "source": 
"cyner2_8class_test"}} {"text": "This was likely done because DNS is required for normal network operations.", "spans": {"System: DNS": [[29, 32]], "Vulnerability: required for normal network operations.": [[36, 75]]}, "info": {"id": "cyner2_8class_test_00964", "source": "cyner2_8class_test"}} {"text": "Unsurprisingly, it took just under 3 hours for the first infection to hit.", "spans": {}, "info": {"id": "cyner2_8class_test_00965", "source": "cyner2_8class_test"}} {"text": "Since at least 2015, the group appears to have fragmented into smaller, loosely related groups,each with its own preferred toolsets and Trojans, although many similarities in tactics, techniques and procedures TTPs exist.", "spans": {"Date: Since at least 2015,": [[0, 20]], "ThreatActor: the group": [[21, 30]], "Malware: toolsets": [[123, 131]], "Malware: Trojans,": [[136, 144]]}, "info": {"id": "cyner2_8class_test_00966", "source": "cyner2_8class_test"}} {"text": "The SANS ISC recently published a very interesting technical analysis of Bartalex.", "spans": {"Organization: The SANS ISC": [[0, 12]], "Malware: Bartalex.": [[73, 82]]}, "info": {"id": "cyner2_8class_test_00967", "source": "cyner2_8class_test"}} {"text": "The stolen data fields are : Mobile - The infected device phone number and contact ’ s phone number Contacts - A headline used for the attacker to distinguish between the type of stolen information he gets Name - Contact ’ s full name ( Display name ) upCon ( upload contact ) function used for stealing contact list information .", "spans": {}, "info": {"id": "cyner2_8class_test_00968", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.IRCBot.7909376 Trojan.MaptoSteal.S14224 Infostealer.Lineage Win.Trojan.8117429-1 not-a-virus:RiskTool.Win32.Gamehack.xzb Trojan.Click1.56234 Trojan.OnLineGames.Win32.67502 BehavesLike.Win32.PWSOnlineGames.wh RiskTool.Gamehack.ajo not-a-virus:RiskTool.Win32.Gamehack.xzb Trojan/Win32.Mapstosteal.R121969 Trj/CI.A 
DroppedWin32.Worm.Stration.EM", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.IRCBot.7909376": [[26, 53]], "Indicator: Trojan.MaptoSteal.S14224": [[54, 78]], "Indicator: Infostealer.Lineage": [[79, 98]], "Indicator: Win.Trojan.8117429-1": [[99, 119]], "Indicator: not-a-virus:RiskTool.Win32.Gamehack.xzb": [[120, 159], [269, 308]], "Indicator: Trojan.Click1.56234": [[160, 179]], "Indicator: Trojan.OnLineGames.Win32.67502": [[180, 210]], "Indicator: BehavesLike.Win32.PWSOnlineGames.wh": [[211, 246]], "Indicator: RiskTool.Gamehack.ajo": [[247, 268]], "Indicator: Trojan/Win32.Mapstosteal.R121969": [[309, 341]], "Indicator: Trj/CI.A": [[342, 350]], "Indicator: DroppedWin32.Worm.Stration.EM": [[351, 380]]}, "info": {"id": "cyner2_8class_test_00969", "source": "cyner2_8class_test"}} {"text": "This new variant roots devices and steals email addresses and authentication tokens stored on the device.", "spans": {"Malware: variant": [[9, 16]], "Vulnerability: roots devices": [[17, 30]], "Indicator: steals email addresses": [[35, 57]], "Indicator: authentication tokens stored on the device.": [[62, 105]]}, "info": {"id": "cyner2_8class_test_00970", "source": "cyner2_8class_test"}} {"text": "Registering broadcast receivers enable XLoader to trigger its malicious routines .", "spans": {"Malware: XLoader": [[39, 46]]}, "info": {"id": "cyner2_8class_test_00971", "source": "cyner2_8class_test"}} {"text": "In the latter case, the Trojan used a diskless method of operation and was notoriously more difficult to detect and track.", "spans": {}, "info": {"id": "cyner2_8class_test_00972", "source": "cyner2_8class_test"}} {"text": "After downloading and unpacking , the main module executes the exploit binary file .", "spans": {}, "info": {"id": "cyner2_8class_test_00973", "source": "cyner2_8class_test"}} {"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers .", "spans": 
{}, "info": {"id": "cyner2_8class_test_00974", "source": "cyner2_8class_test"}} {"text": "Behind the scenes , there are number of process occurring simultaneously .", "spans": {}, "info": {"id": "cyner2_8class_test_00975", "source": "cyner2_8class_test"}} {"text": "] 102 2020-04-14 http : //pub.douglasshome [ .", "spans": {"Indicator: http : //pub.douglasshome [ .": [[17, 46]]}, "info": {"id": "cyner2_8class_test_00976", "source": "cyner2_8class_test"}} {"text": "Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well and as discovered later, even the U.S. and UK governments.", "spans": {"Organization: Security researchers": [[0, 20]], "ThreatActor: campaign": [[78, 86]], "Organization: Israelis": [[110, 118]], "Organization: Palestinians": [[123, 135]], "Organization: U.S.": [[178, 182]], "Organization: UK governments.": [[187, 202]]}, "info": {"id": "cyner2_8class_test_00977", "source": "cyner2_8class_test"}} {"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target .", "spans": {}, "info": {"id": "cyner2_8class_test_00978", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.BackdoorWabot.Trojan Backdoor.Win32.Wabot!O Trojan.Wabot.A8 Backdoor.Wabot Trojan/Delf.nrf Win32.Backdoor.Wabot.a W32.Wabot Win32/DCMgreen.A BKDR_WABOT.SMIA Win.Trojan.Wabot-6113548-0 Backdoor.Win32.Wabot.a Trojan.Win32.Wabot.dmukv Backdoor.Win32.Wabot.157619 Backdoor.W32.Wabot.tn6b Backdoor.Win32.Wabot.A Trojan.MulDrop6.64369 Backdoor.Wabot.Win32.1 BKDR_WABOT.SMIA BehavesLike.Win32.Wabot.rc P2P-Worm.Win32.Delf Backdoor/Wabot.z Trojan[Backdoor]/Win32.Wabot.a Trojan.ShellIni.E86D3B Backdoor.Win32.Wabot.a Backdoor:Win32/Wabot.A Worm/Win32.IRCBot.R3689 Backdoor.Wabot I-Worm.Delf.NRF Win32/Delf.NRF Trojan.Win32.Wabot.a Backdoor.Wabot!jai+hnpgbwI W32/Luiha.M!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32.BackdoorWabot.Trojan": [[26, 50]], "Indicator: Backdoor.Win32.Wabot!O": [[51, 73]], "Indicator: Trojan.Wabot.A8": [[74, 89]], "Indicator: Backdoor.Wabot": [[90, 104], [586, 600]], "Indicator: Trojan/Delf.nrf": [[105, 120]], "Indicator: Win32.Backdoor.Wabot.a": [[121, 143]], "Indicator: W32.Wabot": [[144, 153]], "Indicator: Win32/DCMgreen.A": [[154, 170]], "Indicator: BKDR_WABOT.SMIA": [[171, 186], [382, 397]], "Indicator: Win.Trojan.Wabot-6113548-0": [[187, 213]], "Indicator: Backdoor.Win32.Wabot.a": [[214, 236], [516, 538]], "Indicator: Trojan.Win32.Wabot.dmukv": [[237, 261]], "Indicator: Backdoor.Win32.Wabot.157619": [[262, 289]], "Indicator: Backdoor.W32.Wabot.tn6b": [[290, 313]], "Indicator: Backdoor.Win32.Wabot.A": [[314, 336]], "Indicator: Trojan.MulDrop6.64369": [[337, 358]], "Indicator: Backdoor.Wabot.Win32.1": [[359, 381]], "Indicator: BehavesLike.Win32.Wabot.rc": [[398, 424]], "Indicator: P2P-Worm.Win32.Delf": [[425, 444]], "Indicator: Backdoor/Wabot.z": [[445, 461]], "Indicator: Trojan[Backdoor]/Win32.Wabot.a": [[462, 492]], "Indicator: Trojan.ShellIni.E86D3B": [[493, 515]], "Indicator: Backdoor:Win32/Wabot.A": [[539, 561]], "Indicator: Worm/Win32.IRCBot.R3689": [[562, 585]], "Indicator: I-Worm.Delf.NRF": [[601, 616]], "Indicator: Win32/Delf.NRF": [[617, 631]], "Indicator: Trojan.Win32.Wabot.a": [[632, 652]], "Indicator: Backdoor.Wabot!jai+hnpgbwI": [[653, 679]], "Indicator: W32/Luiha.M!tr": [[680, 694]]}, "info": {"id": "cyner2_8class_test_00979", "source": "cyner2_8class_test"}} {"text": "The exploit was dropping some malicious payloads that we took for further analysis.", "spans": {"Malware: The exploit": [[0, 11]], "Malware: malicious payloads": [[30, 48]]}, "info": {"id": "cyner2_8class_test_00980", "source": "cyner2_8class_test"}} {"text": "These sites pretend to be porn video websites, and all lead to various malicious apps being downloaded.", "spans": {"Indicator: sites": [[6, 11]], "Indicator: porn video websites,": [[26, 46]], "Malware: 
malicious apps": [[71, 85]]}, "info": {"id": "cyner2_8class_test_00981", "source": "cyner2_8class_test"}} {"text": "2016 From mid-2016 on , the cybercriminals returned to dynamic generation of lowest-level domains .", "spans": {}, "info": {"id": "cyner2_8class_test_00982", "source": "cyner2_8class_test"}} {"text": "Use of the virtual machine brings many technical benefits to the operators , chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions .", "spans": {}, "info": {"id": "cyner2_8class_test_00983", "source": "cyner2_8class_test"}} {"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": {}, "info": {"id": "cyner2_8class_test_00984", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Jorik.25600.I Trojan.Win32.Jorik.Nbdd!O Downloader.Isnev.16705 Trojan.Win32.Gofot.d Trojan.Win32.Jorik2.bcihcn Troj.Downloader.W32.Small.lfJx Win32.Trojan.Gofot.Swbj TrojWare.Win32.Patched.IL0 Trojan.DownLoader7.19964 Trojan.Jorik.Win32.165240 Trojan-Downloader.Win32.Isnev Trojan/Jorik.ftgq TR/Patched.IL Trojan/Win32.Nbdd Win32.Troj.Jorik.kcloud Trojan.Graftor.DE014 Trojan.Win32.Gofot.d Win-Trojan/Downloader.25600.JL Trojan.Gofot Win32/Trojan.Downloader.a03", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Jorik.25600.I": [[26, 50]], "Indicator: Trojan.Win32.Jorik.Nbdd!O": [[51, 76]], "Indicator: Downloader.Isnev.16705": [[77, 99]], "Indicator: Trojan.Win32.Gofot.d": [[100, 120], [406, 426]], "Indicator: Trojan.Win32.Jorik2.bcihcn": [[121, 147]], "Indicator: Troj.Downloader.W32.Small.lfJx": [[148, 178]], "Indicator: Win32.Trojan.Gofot.Swbj": [[179, 202]], "Indicator: TrojWare.Win32.Patched.IL0": [[203, 229]], "Indicator: Trojan.DownLoader7.19964": [[230, 254]], "Indicator: Trojan.Jorik.Win32.165240": [[255, 280]], "Indicator: 
Trojan-Downloader.Win32.Isnev": [[281, 310]], "Indicator: Trojan/Jorik.ftgq": [[311, 328]], "Indicator: TR/Patched.IL": [[329, 342]], "Indicator: Trojan/Win32.Nbdd": [[343, 360]], "Indicator: Win32.Troj.Jorik.kcloud": [[361, 384]], "Indicator: Trojan.Graftor.DE014": [[385, 405]], "Indicator: Win-Trojan/Downloader.25600.JL": [[427, 457]], "Indicator: Trojan.Gofot": [[458, 470]], "Indicator: Win32/Trojan.Downloader.a03": [[471, 498]]}, "info": {"id": "cyner2_8class_test_00985", "source": "cyner2_8class_test"}} {"text": "The FBI and the US Department of Health and Social Security HHS have issued a joint cybersecurity advisory, #StopRansomware, following a recent incident involving Hive Ransomeware.", "spans": {"Organization: The FBI": [[0, 7]], "Organization: the US Department of Health and Social Security HHS": [[12, 63]], "Indicator: cybersecurity advisory,": [[84, 107]], "ThreatActor: #StopRansomware,": [[108, 124]], "Malware: Hive Ransomeware.": [[163, 180]]}, "info": {"id": "cyner2_8class_test_00986", "source": "cyner2_8class_test"}} {"text": "Figure 11 .", "spans": {}, "info": {"id": "cyner2_8class_test_00987", "source": "cyner2_8class_test"}} {"text": "To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.", "spans": {"Date: To date,": [[0, 8]], "Malware: malware": [[28, 35]], "Organization: Palo Alto Networks": [[44, 62]]}, "info": {"id": "cyner2_8class_test_00988", "source": "cyner2_8class_test"}} {"text": "The paranoid antihero leader of the group is known as Mr. 
Robot, who leads an underground hacker society named you've guessed it FSociety.", "spans": {}, "info": {"id": "cyner2_8class_test_00989", "source": "cyner2_8class_test"}} {"text": "There were several distinct areas where mobile malware underwent advances .", "spans": {}, "info": {"id": "cyner2_8class_test_00990", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Scar.cefr Trojan.Graftor.D44C TROJ_SCAR.AO Win32.Trojan.WisdomEyes.16070401.9500.9761 W32/Trojan2.MNFO TROJ_SCAR.AO Win.Trojan.Scar-1871 Trojan.Win32.Scar.cefr Trojan.Win32.Scar.vsxm Trojan.Win32.Scar.46080.D Troj.W32.Scar.cefr!c TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.PWS.Gamania.25505 Trojan.Scar.Win32.23993 BehavesLike.Win32.Fesber.ph W32/Trojan.QJAT-4881 Trojan/Scar.uvi Trojan/Win32.Scar Trojan:Win32/Kolbot.A Trojan.Win32.Scar.cefr Trojan/Win32.Lmirhack.R36071 Win32.Trojan.Scar.Amce Trojan.Scar!efY4TUtZ30I Trojan.Win32.Scar W32/Scar.CEFR!tr Win32/Trojan.154", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Scar.cefr": [[26, 42]], "Indicator: Trojan.Graftor.D44C": [[43, 62]], "Indicator: TROJ_SCAR.AO": [[63, 75], [136, 148]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9761": [[76, 118]], "Indicator: W32/Trojan2.MNFO": [[119, 135]], "Indicator: Win.Trojan.Scar-1871": [[149, 169]], "Indicator: Trojan.Win32.Scar.cefr": [[170, 192], [460, 482]], "Indicator: Trojan.Win32.Scar.vsxm": [[193, 215]], "Indicator: Trojan.Win32.Scar.46080.D": [[216, 241]], "Indicator: Troj.W32.Scar.cefr!c": [[242, 262]], "Indicator: TrojWare.Win32.TrojanDownloader.Murlo.~JH2": [[263, 305]], "Indicator: Trojan.PWS.Gamania.25505": [[306, 330]], "Indicator: Trojan.Scar.Win32.23993": [[331, 354]], "Indicator: BehavesLike.Win32.Fesber.ph": [[355, 382]], "Indicator: W32/Trojan.QJAT-4881": [[383, 403]], "Indicator: Trojan/Scar.uvi": [[404, 419]], "Indicator: Trojan/Win32.Scar": [[420, 437]], "Indicator: Trojan:Win32/Kolbot.A": [[438, 459]], "Indicator: Trojan/Win32.Lmirhack.R36071": 
[[483, 511]], "Indicator: Win32.Trojan.Scar.Amce": [[512, 534]], "Indicator: Trojan.Scar!efY4TUtZ30I": [[535, 558]], "Indicator: Trojan.Win32.Scar": [[559, 576]], "Indicator: W32/Scar.CEFR!tr": [[577, 593]], "Indicator: Win32/Trojan.154": [[594, 610]]}, "info": {"id": "cyner2_8class_test_00991", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.BackFs.Worm Win32.Worm.VB.NUT IM-Worm.Win32.VB!O W32/Autorun.worm.h Win32.Worm.VB.NUT WORM_ABI.A W32.SillyFDC Win32/SillyAutorun.HX WORM_ABI.A Win.Worm.VB-710 Win32.Worm.VB.NUT IM-Worm.Win32.VB.gd Win32.Worm.VB.NUT Trojan.Win32.BFJU.vkeq Worm.Win32.IM-VB.86016.B Win32.Worm.VB.NUT TrojWare.Win32.Regrun.Q Win32.Worm.VB.NUT Win32.HLLW.Backfs Worm.VB.Win32.309 W32/Autorun.worm.h Trojan-Dropper.Win32.VB Worm/VB.ppr TR/Autorun.UA Worm[IM]/Win32.VB Worm:Win32/Rapsha.A IM-Worm.Win32.VB.gd Worm/Win32.AutoRun.R122830 Win32.Worm.VB.NUT TScope.Trojan.VB W32/VB.RM!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.BackFs.Worm": [[26, 41]], "Indicator: Win32.Worm.VB.NUT": [[42, 59], [98, 115], [189, 206], [227, 244], [293, 310], [335, 352], [543, 560]], "Indicator: IM-Worm.Win32.VB!O": [[60, 78]], "Indicator: W32/Autorun.worm.h": [[79, 97], [389, 407]], "Indicator: WORM_ABI.A": [[116, 126], [162, 172]], "Indicator: W32.SillyFDC": [[127, 139]], "Indicator: Win32/SillyAutorun.HX": [[140, 161]], "Indicator: Win.Worm.VB-710": [[173, 188]], "Indicator: IM-Worm.Win32.VB.gd": [[207, 226], [496, 515]], "Indicator: Trojan.Win32.BFJU.vkeq": [[245, 267]], "Indicator: Worm.Win32.IM-VB.86016.B": [[268, 292]], "Indicator: TrojWare.Win32.Regrun.Q": [[311, 334]], "Indicator: Win32.HLLW.Backfs": [[353, 370]], "Indicator: Worm.VB.Win32.309": [[371, 388]], "Indicator: Trojan-Dropper.Win32.VB": [[408, 431]], "Indicator: Worm/VB.ppr": [[432, 443]], "Indicator: TR/Autorun.UA": [[444, 457]], "Indicator: Worm[IM]/Win32.VB": [[458, 475]], "Indicator: Worm:Win32/Rapsha.A": [[476, 495]], "Indicator: Worm/Win32.AutoRun.R122830": 
[[516, 542]], "Indicator: TScope.Trojan.VB": [[561, 577]], "Indicator: W32/VB.RM!worm": [[578, 592]]}, "info": {"id": "cyner2_8class_test_00992", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: P2P-Worm.Win32.KillFiles!O Worm.KillFiles Trojan.FakeAV.Win32.8553 Win32.Trojan.WisdomEyes.16070401.9500.9998 Win32/Buzus.HL Win.Trojan.Buzus-7265 P2P-Worm.Win32.KillFiles.a Trojan.Win32.Shellbot.wkhrk Trojan.Win32.Buzus.34816.K TrojWare.Win32.Trojan.FakeAV.ACS0 Trojan.PWS.Panda.3091 WORM_RBOT.SMJF BehavesLike.Win32.Backdoor.cc Trojan/Refroso.fmj TR/FakeAV.kzz.26 Worm[P2P]/Win32.KillFiles Trojan.Graftor.D1374 P2P-Worm.Win32.KillFiles.a Trojan/Win32.Refroso.R6215 BScope.Trojan-Dropper.MTA.0116 W32/MSNWorm.HL.worm Win32.Worm-p2p.Killfiles.Pgwo Trojan.Fakeav Win32/Worm.P2P-Worm.3c2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: P2P-Worm.Win32.KillFiles!O": [[26, 52]], "Indicator: Worm.KillFiles": [[53, 67]], "Indicator: Trojan.FakeAV.Win32.8553": [[68, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[93, 135]], "Indicator: Win32/Buzus.HL": [[136, 150]], "Indicator: Win.Trojan.Buzus-7265": [[151, 172]], "Indicator: P2P-Worm.Win32.KillFiles.a": [[173, 199], [439, 465]], "Indicator: Trojan.Win32.Shellbot.wkhrk": [[200, 227]], "Indicator: Trojan.Win32.Buzus.34816.K": [[228, 254]], "Indicator: TrojWare.Win32.Trojan.FakeAV.ACS0": [[255, 288]], "Indicator: Trojan.PWS.Panda.3091": [[289, 310]], "Indicator: WORM_RBOT.SMJF": [[311, 325]], "Indicator: BehavesLike.Win32.Backdoor.cc": [[326, 355]], "Indicator: Trojan/Refroso.fmj": [[356, 374]], "Indicator: TR/FakeAV.kzz.26": [[375, 391]], "Indicator: Worm[P2P]/Win32.KillFiles": [[392, 417]], "Indicator: Trojan.Graftor.D1374": [[418, 438]], "Indicator: Trojan/Win32.Refroso.R6215": [[466, 492]], "Indicator: BScope.Trojan-Dropper.MTA.0116": [[493, 523]], "Indicator: W32/MSNWorm.HL.worm": [[524, 543]], "Indicator: Win32.Worm-p2p.Killfiles.Pgwo": [[544, 573]], "Indicator: Trojan.Fakeav": [[574, 
587]], "Indicator: Win32/Worm.P2P-Worm.3c2": [[588, 611]]}, "info": {"id": "cyner2_8class_test_00993", "source": "cyner2_8class_test"}} {"text": "This is the first time in nearly two years that a new Java zero-day vulnerability was reported.", "spans": {"System: Java": [[54, 58]], "Vulnerability: zero-day vulnerability": [[59, 81]]}, "info": {"id": "cyner2_8class_test_00994", "source": "cyner2_8class_test"}} {"text": "This is known as a targeted attack .", "spans": {}, "info": {"id": "cyner2_8class_test_00995", "source": "cyner2_8class_test"}} {"text": "Zen family PHA authors exhibit a wide range of techniques , from simply inserting an advertising SDK to a sophisticated trojan .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner2_8class_test_00996", "source": "cyner2_8class_test"}} {"text": "These e-mails kick off a multi-stage infection chain.", "spans": {"Indicator: e-mails": [[6, 13]], "Indicator: multi-stage infection chain.": [[25, 53]]}, "info": {"id": "cyner2_8class_test_00997", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: not-a-virus:NetTool.Win32.Nuker.Click.22 Nuke.Click.22 TR/Clicker.fnogv not-a-virus:NetTool.Win32.Nuker.Click.22 Win32/Nuker.Click Trojan.Win32.Nuker Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: not-a-virus:NetTool.Win32.Nuker.Click.22": [[26, 66], [98, 138]], "Indicator: Nuke.Click.22": [[67, 80]], "Indicator: TR/Clicker.fnogv": [[81, 97]], "Indicator: Win32/Nuker.Click": [[139, 156]], "Indicator: Trojan.Win32.Nuker": [[157, 175]], "Indicator: Trj/CI.A": [[176, 184]]}, "info": {"id": "cyner2_8class_test_00998", "source": "cyner2_8class_test"}} {"text": "Extract events from the Calendar app .", "spans": {"System: Calendar app": [[24, 36]]}, "info": {"id": "cyner2_8class_test_00999", "source": "cyner2_8class_test"}} {"text": "For more detailed information about the threat , check out the blog post from CSIS .", "spans": {"Organization: CSIS": [[78, 82]]}, "info": {"id": 
"cyner2_8class_test_01000", "source": "cyner2_8class_test"}} {"text": "The Trojan, named Android.Spy.377.origin, is a remote administration tool RAT that is distributed under the guise of benign applications.", "spans": {"Malware: Trojan,": [[4, 11]], "Indicator: Android.Spy.377.origin,": [[18, 41]], "Malware: remote administration tool RAT": [[47, 77]], "System: benign applications.": [[117, 137]]}, "info": {"id": "cyner2_8class_test_01001", "source": "cyner2_8class_test"}} {"text": "Whether or not rooting succeeds , HummingBad downloads a large number of apps .", "spans": {"Malware: HummingBad": [[34, 44]]}, "info": {"id": "cyner2_8class_test_01002", "source": "cyner2_8class_test"}} {"text": "Some actions include ( with rough translations ) : The command-and-control server The command-and-control server is located at IP 64.78.161.133 .", "spans": {"Indicator: 64.78.161.133": [[130, 143]]}, "info": {"id": "cyner2_8class_test_01003", "source": "cyner2_8class_test"}} {"text": "Accessibility features are typically used to help users with disabilities by giving the device the ability to write into input fields , auto-generate permissions , perform gestures for the user , etc .", "spans": {}, "info": {"id": "cyner2_8class_test_01004", "source": "cyner2_8class_test"}} {"text": "Other backdoors used by the same actor are Bisonal, Pipcreat, HeartBeat..", "spans": {"Malware: backdoors": [[6, 15]], "ThreatActor: actor": [[33, 38]], "Malware: Bisonal, Pipcreat, HeartBeat..": [[43, 73]]}, "info": {"id": "cyner2_8class_test_01005", "source": "cyner2_8class_test"}} {"text": "We believe that this attacker operates out of China.", "spans": {"ThreatActor: attacker": [[21, 29]], "Location: China.": [[46, 52]]}, "info": {"id": "cyner2_8class_test_01006", "source": "cyner2_8class_test"}} {"text": "More significantly, the group also uses a previously undocumented JScript backdoor called Ostap and a Delphi dropper we named MrWhite", "spans": {"ThreatActor: group": [[24, 29]], "Malware: 
JScript backdoor": [[66, 82]], "Malware: Ostap": [[90, 95]], "Malware: Delphi dropper": [[102, 116]], "Malware: MrWhite": [[126, 133]]}, "info": {"id": "cyner2_8class_test_01007", "source": "cyner2_8class_test"}} {"text": "Malware authors use injected clicks , custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user .", "spans": {}, "info": {"id": "cyner2_8class_test_01008", "source": "cyner2_8class_test"}} {"text": "We identified campaigns targeting Thai users and their devices .", "spans": {}, "info": {"id": "cyner2_8class_test_01009", "source": "cyner2_8class_test"}} {"text": "It searches for mobile banking applications , removes them and uploads counterfeit versions .", "spans": {}, "info": {"id": "cyner2_8class_test_01010", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Virut.dr!4BBD3556FA82 Win32.Worm.VB.nv Trojan.Festalco Win32/Tnega.HAWAeO TSPY_COSMU_DD3005E3.UVPA Win.Trojan.Sovfo-1 Trojan.Win32.Cosmu.cdqg Trojan.Zusy.D35D23 Trojan.Win32.Cosmu.ecjywu W32.W.WBNA.mn3B Trojan.DownLoader15.59945 Trojan.Cosmu.Win32.13264 TSPY_COSMU_DD3005E3.UVPA Trojan.Cosmu.hk W32.Trojan.Heur2.Vp.Im0@acxgvrf Trojan/Win32.Cosmu Worm:Win32/Sovfo.A Trojan.Win32.Cosmu.cdqg Trojan/Win32.Cosmu.R109200 Trojan.Cosmu Trojan.Cosmu!t+6saFz/t3s Trojan.Win32.Cosmu Trj/Dtcontx.G Win32/Trojan.24c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Virut.dr!4BBD3556FA82": [[26, 51]], "Indicator: Win32.Worm.VB.nv": [[52, 68]], "Indicator: Trojan.Festalco": [[69, 84]], "Indicator: Win32/Tnega.HAWAeO": [[85, 103]], "Indicator: TSPY_COSMU_DD3005E3.UVPA": [[104, 128], [284, 308]], "Indicator: Win.Trojan.Sovfo-1": [[129, 147]], "Indicator: Trojan.Win32.Cosmu.cdqg": [[148, 171], [395, 418]], "Indicator: Trojan.Zusy.D35D23": [[172, 190]], "Indicator: Trojan.Win32.Cosmu.ecjywu": [[191, 216]], "Indicator: W32.W.WBNA.mn3B": [[217, 232]], "Indicator: Trojan.DownLoader15.59945": [[233, 258]], "Indicator: 
Trojan.Cosmu.Win32.13264": [[259, 283]], "Indicator: Trojan.Cosmu.hk": [[309, 324]], "Indicator: W32.Trojan.Heur2.Vp.Im0@acxgvrf": [[325, 356]], "Indicator: Trojan/Win32.Cosmu": [[357, 375]], "Indicator: Worm:Win32/Sovfo.A": [[376, 394]], "Indicator: Trojan/Win32.Cosmu.R109200": [[419, 445]], "Indicator: Trojan.Cosmu": [[446, 458]], "Indicator: Trojan.Cosmu!t+6saFz/t3s": [[459, 483]], "Indicator: Trojan.Win32.Cosmu": [[484, 502]], "Indicator: Trj/Dtcontx.G": [[503, 516]], "Indicator: Win32/Trojan.24c": [[517, 533]]}, "info": {"id": "cyner2_8class_test_01011", "source": "cyner2_8class_test"}} {"text": "Distribution via alternative app stores .", "spans": {}, "info": {"id": "cyner2_8class_test_01012", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PWS.FIU.1.6.6.D Trojan.PWS.FIU.1.6.6.D Trojan.PWS.FIU.1.6.6.D Trojan.Dos.FIU.fpit Win32/PSW.FIU.166 TROJ_PSWFIU166.A Trojan.FIU.166.D Trojan-PSW.Win32.FIU.166.d Trojan.Win32.Z.Fiu.40624[h] Trojan.PWS.FIU.1.6.6.D TrojWare.Win32.PSW.FIU.166 Trojan.PWS.FIU.1.6.6.D Trojan.PWS.Fiu.1666 Trojan.FIU.Win32.16 TROJ_PSWFIU166.A VirTool.TrojConfig TR/FIU.166.D W32/FIU.A!tr.pws Trojan[PSW]/Win32.FIU Troj.PSW32.W.FIU.166.d!c PWS:Win32/Fiu.D Trojan.PWS.FIU.1.6.6.D Trojan.PSW.FIU.166.d Trojan-PWS.Win32.FIU Trojan.PWS.FIU.1.6.6.D", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.FIU.1.6.6.D": [[26, 48], [49, 71], [72, 94], [222, 244], [272, 294], [464, 486], [529, 551]], "Indicator: Trojan.Dos.FIU.fpit": [[95, 114]], "Indicator: Win32/PSW.FIU.166": [[115, 132]], "Indicator: TROJ_PSWFIU166.A": [[133, 149], [335, 351]], "Indicator: Trojan.FIU.166.D": [[150, 166]], "Indicator: Trojan-PSW.Win32.FIU.166.d": [[167, 193]], "Indicator: Trojan.Win32.Z.Fiu.40624[h]": [[194, 221]], "Indicator: TrojWare.Win32.PSW.FIU.166": [[245, 271]], "Indicator: Trojan.PWS.Fiu.1666": [[295, 314]], "Indicator: Trojan.FIU.Win32.16": [[315, 334]], "Indicator: VirTool.TrojConfig": [[352, 370]], "Indicator: TR/FIU.166.D": 
[[371, 383]], "Indicator: W32/FIU.A!tr.pws": [[384, 400]], "Indicator: Trojan[PSW]/Win32.FIU": [[401, 422]], "Indicator: Troj.PSW32.W.FIU.166.d!c": [[423, 447]], "Indicator: PWS:Win32/Fiu.D": [[448, 463]], "Indicator: Trojan.PSW.FIU.166.d": [[487, 507]], "Indicator: Trojan-PWS.Win32.FIU": [[508, 528]]}, "info": {"id": "cyner2_8class_test_01013", "source": "cyner2_8class_test"}} {"text": "] websiteaccounts-fb [ .", "spans": {"Indicator: websiteaccounts-fb [ .": [[2, 24]]}, "info": {"id": "cyner2_8class_test_01014", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.6436 Trojan.Win32.Diple!O Trojan/Injector.dafr Trojan.Johnnie.D3FF8 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.aaeih Trojan.Win32.Packed2.edlhvv Trojan.Packed2.38120 Trojan.Injector.Win32.388422 BehavesLike.Win32.Trojan.cc Trojan.Inject.lyz Trojan/Win32.Inject Trojan.Win32.Inject.aaeih Trojan.Inject Trojan.Injector Trojan.Inject!/Yd9s6+AsF8 W32/Filecoder.ED!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.6436": [[26, 42]], "Indicator: Trojan.Win32.Diple!O": [[43, 63]], "Indicator: Trojan/Injector.dafr": [[64, 84]], "Indicator: Trojan.Johnnie.D3FF8": [[85, 105]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[106, 148]], "Indicator: Trojan.Win32.Inject.aaeih": [[149, 174], [319, 344]], "Indicator: Trojan.Win32.Packed2.edlhvv": [[175, 202]], "Indicator: Trojan.Packed2.38120": [[203, 223]], "Indicator: Trojan.Injector.Win32.388422": [[224, 252]], "Indicator: BehavesLike.Win32.Trojan.cc": [[253, 280]], "Indicator: Trojan.Inject.lyz": [[281, 298]], "Indicator: Trojan/Win32.Inject": [[299, 318]], "Indicator: Trojan.Inject": [[345, 358]], "Indicator: Trojan.Injector": [[359, 374]], "Indicator: Trojan.Inject!/Yd9s6+AsF8": [[375, 400]], "Indicator: W32/Filecoder.ED!tr": [[401, 420]]}, "info": {"id": "cyner2_8class_test_01015", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Skeeyah.10874 
Trojan/PcClient.ngo Trojan.PcClient.1 HT_PCCLIENT_GF070181.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9989 HT_PCCLIENT_GF070181.UVPM Backdoor.W32.Hupigon.kYKa TrojWare.Win32.PcClient.NOP Trojan.Win32.PcClient", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.10874": [[26, 46]], "Indicator: Trojan/PcClient.ngo": [[47, 66]], "Indicator: Trojan.PcClient.1": [[67, 84]], "Indicator: HT_PCCLIENT_GF070181.UVPM": [[85, 110], [154, 179]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[111, 153]], "Indicator: Backdoor.W32.Hupigon.kYKa": [[180, 205]], "Indicator: TrojWare.Win32.PcClient.NOP": [[206, 233]], "Indicator: Trojan.Win32.PcClient": [[234, 255]]}, "info": {"id": "cyner2_8class_test_01016", "source": "cyner2_8class_test"}} {"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store Impersonates security app on Google Play .", "spans": {"Organization: ESET": [[52, 56]], "Indicator: com.secure.protect.world": [[72, 96]], "Indicator: F17AEBC741957AA21CFE7C7D7BAEC0900E863F61": [[97, 137]], "Indicator: Android/Spy.BanBra.A": [[138, 158], [224, 244]], "Indicator: com.brazil.android.free": [[159, 182]], "Indicator: EA069A5C96DC1DB0715923EB68192FD325F3D3CE": [[183, 223]], "Organization: MITRE": [[245, 250]], "System: App Store": [[356, 365]], "System: Google Play": [[395, 406]]}, "info": {"id": "cyner2_8class_test_01017", "source": "cyner2_8class_test"}} {"text": "The Android permissions requested by HenBox , as defined in the apps ’ AndroidManifest.xml files , range from accessing location and network settings to messages , call , and contact data .", "spans": {"System: Android": [[4, 11]], "Malware: HenBox": [[37, 43]]}, "info": 
{"id": "cyner2_8class_test_01018", "source": "cyner2_8class_test"}} {"text": "List of commands sewn into the body of the Trojan : Command code Parameters Actions 2 – Sending a list of contacts from the address book of the infected device to the C & C server 7 “ to ” : int Calling the specified number 11 “ to ” : int , “ body ” : string Sending an SMS with the specified text to the specified number 19 “ text ” : string , “ n ” : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the addressee from the address book substituted into the message text 40 “ text ” : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub .", "spans": {"System: address book": [[124, 136], [417, 429], [495, 507]], "Malware: Asacub": [[744, 750]]}, "info": {"id": "cyner2_8class_test_01019", "source": "cyner2_8class_test"}} {"text": "These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak.", "spans": {"Malware: tools": [[17, 22]], "ThreatActor: attacker": [[61, 69]]}, "info": {"id": "cyner2_8class_test_01020", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Razy.D44DD PE_MEWSPY.B-O PE_MEWSPY.B-O Packed.Win32.TDSS.c Trojan.Win32.TDSS.dzwxza TrojWare.Win32.MewsSpy.DA Win32.MewsSpy.42 Trojan.Bayrob.Win32.27338 BehavesLike.Win32.RAHack.nc Virus.Win32.MewsSpy Packed.Tdss.btdb ADWARE/Taranis.2355 Trojan[Packed]/Win32.TDSS Packed.Win32.TDSS.c Trojan.Bayrob Win32/MewsSpy.AE W32/MewsSpy.AE", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D44DD": [[26, 43]], "Indicator: PE_MEWSPY.B-O": [[44, 57], [58, 71]], "Indicator: Packed.Win32.TDSS.c": [[72, 91], [297, 316]], "Indicator: Trojan.Win32.TDSS.dzwxza": [[92, 116]], "Indicator: TrojWare.Win32.MewsSpy.DA": [[117, 142]], 
"Indicator: Win32.MewsSpy.42": [[143, 159]], "Indicator: Trojan.Bayrob.Win32.27338": [[160, 185]], "Indicator: BehavesLike.Win32.RAHack.nc": [[186, 213]], "Indicator: Virus.Win32.MewsSpy": [[214, 233]], "Indicator: Packed.Tdss.btdb": [[234, 250]], "Indicator: ADWARE/Taranis.2355": [[251, 270]], "Indicator: Trojan[Packed]/Win32.TDSS": [[271, 296]], "Indicator: Trojan.Bayrob": [[317, 330]], "Indicator: Win32/MewsSpy.AE": [[331, 347]], "Indicator: W32/MewsSpy.AE": [[348, 362]]}, "info": {"id": "cyner2_8class_test_01021", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.52A1 Worm/W32.Vifiter.898736 Worm.Email.Vifi W32/Vifiter.worm Worm.P2P.Vifiter!oGKebgYvRAs W32/Vifiter.A W32.HLLW.Vifiter Win32/Vifiter.A BKDR_LITHIUM.B Worm.P2P.Vifiter P2P-Worm.Win32.Vifiter Trojan.Win32.Vifiter-wrm.fslw Worm.Win32.A.P2P-Vifiter.1131056[h] W32.W.Vifiter!c Worm.Win32.Vifiter.A Win32.HLLW.Filter Worm.Vifiter.Win32.1 BKDR_LITHIUM.B W32/Vifiter.worm W32/Vifiter.BMAP-4367 Worm/P2P.Vifiter WORM/Vifiter.2 W32/Vifiter!worm.p2p Trojan[Backdoor]/Win32.Lithium Win32/Vifiter.worm.672350 Worm:Win32/Vifiter.A Virus.Win32.Heur.l W32/Vifiter.worm Backdoor.Lithium Backdoor.Win32.Lithium Worm.Win32.Vifiter.aa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.52A1": [[26, 43]], "Indicator: Worm/W32.Vifiter.898736": [[44, 67]], "Indicator: Worm.Email.Vifi": [[68, 83]], "Indicator: W32/Vifiter.worm": [[84, 100], [389, 405], [578, 594]], "Indicator: Worm.P2P.Vifiter!oGKebgYvRAs": [[101, 129]], "Indicator: W32/Vifiter.A": [[130, 143]], "Indicator: W32.HLLW.Vifiter": [[144, 160]], "Indicator: Win32/Vifiter.A": [[161, 176]], "Indicator: BKDR_LITHIUM.B": [[177, 191], [374, 388]], "Indicator: Worm.P2P.Vifiter": [[192, 208]], "Indicator: P2P-Worm.Win32.Vifiter": [[209, 231]], "Indicator: Trojan.Win32.Vifiter-wrm.fslw": [[232, 261]], "Indicator: Worm.Win32.A.P2P-Vifiter.1131056[h]": [[262, 297]], "Indicator: W32.W.Vifiter!c": [[298, 313]], "Indicator: 
Worm.Win32.Vifiter.A": [[314, 334]], "Indicator: Win32.HLLW.Filter": [[335, 352]], "Indicator: Worm.Vifiter.Win32.1": [[353, 373]], "Indicator: W32/Vifiter.BMAP-4367": [[406, 427]], "Indicator: Worm/P2P.Vifiter": [[428, 444]], "Indicator: WORM/Vifiter.2": [[445, 459]], "Indicator: W32/Vifiter!worm.p2p": [[460, 480]], "Indicator: Trojan[Backdoor]/Win32.Lithium": [[481, 511]], "Indicator: Win32/Vifiter.worm.672350": [[512, 537]], "Indicator: Worm:Win32/Vifiter.A": [[538, 558]], "Indicator: Virus.Win32.Heur.l": [[559, 577]], "Indicator: Backdoor.Lithium": [[595, 611]], "Indicator: Backdoor.Win32.Lithium": [[612, 634]], "Indicator: Worm.Win32.Vifiter.aa": [[635, 656]]}, "info": {"id": "cyner2_8class_test_01022", "source": "cyner2_8class_test"}} {"text": "The case where we observed this involved WhatsApp .", "spans": {"System: WhatsApp": [[41, 49]]}, "info": {"id": "cyner2_8class_test_01023", "source": "cyner2_8class_test"}} {"text": "EventBot ’ s request to use accessibility services .", "spans": {}, "info": {"id": "cyner2_8class_test_01024", "source": "cyner2_8class_test"}} {"text": "In 2018 , we saw similar behavior , but all the click actions were hardcoded and suited only for the app of the attacker ’ s choice .", "spans": {}, "info": {"id": "cyner2_8class_test_01025", "source": "cyner2_8class_test"}} {"text": "Parallax RAT aka, ParallaxRAT has been distributed through spam campaigns or phishing emails with attachments since December 2019.", "spans": {"Malware: Parallax RAT": [[0, 12]], "Malware: ParallaxRAT": [[18, 29]], "ThreatActor: spam campaigns": [[59, 73]], "Indicator: phishing emails with attachments": [[77, 109]], "Date: December 2019.": [[116, 130]]}, "info": {"id": "cyner2_8class_test_01026", "source": "cyner2_8class_test"}} {"text": "An example of FinFisher ’ s spaghetti code is shown below .", "spans": {"Malware: FinFisher": [[14, 23]]}, "info": {"id": "cyner2_8class_test_01027", "source": "cyner2_8class_test"}} {"text": "Last month ESET researchers 
wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X's keychain and maintain a permanent backdoor.", "spans": {"Date: Last month": [[0, 10]], "Organization: ESET researchers": [[11, 27]], "System: OS X": [[57, 61]], "Malware: malware": [[62, 69]], "Malware: OSX/Keydnap,": [[77, 89]], "System: OS X's": [[120, 126]], "Malware: keychain": [[127, 135]], "Malware: permanent backdoor.": [[151, 170]]}, "info": {"id": "cyner2_8class_test_01028", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Joke.Rain Trojan.Zusy.Elzob.D11E7 W32/Joke.WVJV-1809 Win32/Tnega.AKPK Win.Joke.Schmilz-1 Riskware.Win32.Splash.iaxa Variant.Application.Bundler.mDBF Joke.Splash not-virus:Joke.Win32.Splash Win32.Joke.Splash.kcloud Win-Joke/Melt.163927 Joke.Schmilz Joke.Schmilz Joke.Schmilz", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Joke.Rain": [[26, 35]], "Indicator: Trojan.Zusy.Elzob.D11E7": [[36, 59]], "Indicator: W32/Joke.WVJV-1809": [[60, 78]], "Indicator: Win32/Tnega.AKPK": [[79, 95]], "Indicator: Win.Joke.Schmilz-1": [[96, 114]], "Indicator: Riskware.Win32.Splash.iaxa": [[115, 141]], "Indicator: Variant.Application.Bundler.mDBF": [[142, 174]], "Indicator: Joke.Splash": [[175, 186]], "Indicator: not-virus:Joke.Win32.Splash": [[187, 214]], "Indicator: Win32.Joke.Splash.kcloud": [[215, 239]], "Indicator: Win-Joke/Melt.163927": [[240, 260]], "Indicator: Joke.Schmilz": [[261, 273], [274, 286], [287, 299]]}, "info": {"id": "cyner2_8class_test_01029", "source": "cyner2_8class_test"}} {"text": "Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device .", "spans": {"System: Google Play Protect": [[0, 19]]}, "info": {"id": "cyner2_8class_test_01030", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Multi BKDR_PIRPI.YE Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan BKDR_PIRPI.YE Trojan.Win32.MLW.cyfeos 
Uds.Dangerousobject.Multi!c BehavesLike.Win32.Downloader.ch Trojan.Win32.Pirpi W32/Backdoor.OJLB-8266 Backdoor:Win32/Pirpi.E!dha Win32.Backdoor.Backdoor.Ug W32/BackDoor.VD!tr Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Multi": [[26, 38]], "Indicator: BKDR_PIRPI.YE": [[39, 52], [112, 125]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[53, 95]], "Indicator: Backdoor.Trojan": [[96, 111]], "Indicator: Trojan.Win32.MLW.cyfeos": [[126, 149]], "Indicator: Uds.Dangerousobject.Multi!c": [[150, 177]], "Indicator: BehavesLike.Win32.Downloader.ch": [[178, 209]], "Indicator: Trojan.Win32.Pirpi": [[210, 228]], "Indicator: W32/Backdoor.OJLB-8266": [[229, 251]], "Indicator: Backdoor:Win32/Pirpi.E!dha": [[252, 278]], "Indicator: Win32.Backdoor.Backdoor.Ug": [[279, 305]], "Indicator: W32/BackDoor.VD!tr": [[306, 324]], "Indicator: Win32/Trojan.Multi.daf": [[325, 347]]}, "info": {"id": "cyner2_8class_test_01031", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.IRCBot.~EAV Win32.IRC.Bot.based Backdoor.Win32.SdBot Backdoor.IRCBot.jh BDS/Hackarmy.X Backdoor:Win32/Hackarmy.X Backdoor.Hackarmy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Backdoor.Win32.IRCBot.~EAV": [[69, 95]], "Indicator: Win32.IRC.Bot.based": [[96, 115]], "Indicator: Backdoor.Win32.SdBot": [[116, 136]], "Indicator: Backdoor.IRCBot.jh": [[137, 155]], "Indicator: BDS/Hackarmy.X": [[156, 170]], "Indicator: Backdoor:Win32/Hackarmy.X": [[171, 196]], "Indicator: Backdoor.Hackarmy": [[197, 214]]}, "info": {"id": "cyner2_8class_test_01032", "source": "cyner2_8class_test"}} {"text": "This data is immediately sent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the online banking system .", "spans": {}, "info": {"id": "cyner2_8class_test_01033", "source": 
"cyner2_8class_test"}} {"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC ’ s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. Then the heavy troops arrive ; at least that was how it used to be before the age of cyber wars .", "spans": {"Indicator: c4c4077e9449147d754afd972e247efc": [[7, 39]], "Indicator: Document.apk": [[40, 52]], "Indicator: 0b8806b38b52bebfe39ff585639e2ea2": [[53, 85]], "Indicator: Conference.apk": [[94, 108]], "Malware: Triada": [[109, 115], [145, 151]], "System: Android": [[137, 144]]}, "info": {"id": "cyner2_8class_test_01034", "source": "cyner2_8class_test"}} {"text": "Typhon has been in continuous development and a new version named Typhon Reborn was released just several months later of its first release.", "spans": {"Malware: Typhon": [[0, 6]], "Malware: Typhon Reborn": [[66, 79]], "Date: several months": [[98, 112]]}, "info": {"id": "cyner2_8class_test_01035", "source": "cyner2_8class_test"}} {"text": "But before we go into the details of what the latest version of Rotexy can do and why it ’ s distinctive , we would like to give a summary of the path the Trojan has taken since 2014 up to the present day .", "spans": {"Malware: Rotexy": [[64, 70]]}, "info": {"id": "cyner2_8class_test_01036", "source": "cyner2_8class_test"}} {"text": "Encryptor RaaS's purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims' systems.", "spans": {"ThreatActor: Encryptor RaaS's purveyor": [[0, 25]], "System: Tor network,": [[92, 104]], "System: victims' systems.": [[133, 150]]}, "info": {"id": "cyner2_8class_test_01037", "source": "cyner2_8class_test"}} {"text": "Evolution The initial 
version of the malware dates back to early June 2019 , masquerading as a “ Google Play Verificator ” app .", "spans": {"System: Google Play Verificator": [[97, 120]]}, "info": {"id": "cyner2_8class_test_01038", "source": "cyner2_8class_test"}} {"text": "Two strings are passed into the call , the shortcode and keyword used for SMS billing ( getter methods renamed here for clarity ) .", "spans": {}, "info": {"id": "cyner2_8class_test_01039", "source": "cyner2_8class_test"}} {"text": "As a rule , bots self-proliferate by sending out text messages with a malicious link to addresses in the victim ’ s address book .", "spans": {}, "info": {"id": "cyner2_8class_test_01040", "source": "cyner2_8class_test"}} {"text": "The attacker can choose the data types to collect , which are written in a certain format .", "spans": {}, "info": {"id": "cyner2_8class_test_01041", "source": "cyner2_8class_test"}} {"text": "If we look on Ramnit's history, it's hard to exactly pin down which malware family it actually belongs to.", "spans": {"Malware: Ramnit's": [[14, 22]], "Malware: malware family": [[68, 82]]}, "info": {"id": "cyner2_8class_test_01042", "source": "cyner2_8class_test"}} {"text": "The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google's Chrome browser.", "spans": {"ThreatActor: The attackers": [[0, 13]], "ThreatActor: the EITest campaign": [[21, 40]], "Indicator: fake HoeflerText": [[105, 121]], "Malware: malware": [[143, 150]], "System: Google's Chrome browser.": [[170, 194]]}, "info": {"id": "cyner2_8class_test_01043", "source": "cyner2_8class_test"}} {"text": "Extract information on pictures from the Gallery .", "spans": {}, "info": {"id": "cyner2_8class_test_01044", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9897 Trojan.Win32.Midhos.dxoj Trojan.Win32.Inject.dndqbs Trojan.Inject 
BehavesLike.Win32.Upatre.ch TR/AD.Medfos.ifaaj Trojan/Win32.Midhos Trojan:Win32/Medfos.AF Trojan.Symmi.D52D2 Trojan.Win32.Midhos.dxoj SScope.Trojan.Midhos.2513 Virus.Win32.Cryptor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9897": [[26, 68]], "Indicator: Trojan.Win32.Midhos.dxoj": [[69, 93], [244, 268]], "Indicator: Trojan.Win32.Inject.dndqbs": [[94, 120]], "Indicator: Trojan.Inject": [[121, 134]], "Indicator: BehavesLike.Win32.Upatre.ch": [[135, 162]], "Indicator: TR/AD.Medfos.ifaaj": [[163, 181]], "Indicator: Trojan/Win32.Midhos": [[182, 201]], "Indicator: Trojan:Win32/Medfos.AF": [[202, 224]], "Indicator: Trojan.Symmi.D52D2": [[225, 243]], "Indicator: SScope.Trojan.Midhos.2513": [[269, 294]], "Indicator: Virus.Win32.Cryptor": [[295, 314]]}, "info": {"id": "cyner2_8class_test_01045", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Zusy.D3B7DB Win32.Trojan.WisdomEyes.16070401.9500.9838 TSPY_TINCLEX.SM1 Trojan.DownLoader25.2852 TSPY_TINCLEX.SM1 Backdoor.Win32.Xiclog Backdoor:Win32/Xiclog.A Trojan/Win32.Xiclog.C2155395 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D3B7DB": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9838": [[45, 87]], "Indicator: TSPY_TINCLEX.SM1": [[88, 104], [130, 146]], "Indicator: Trojan.DownLoader25.2852": [[105, 129]], "Indicator: Backdoor.Win32.Xiclog": [[147, 168]], "Indicator: Backdoor:Win32/Xiclog.A": [[169, 192]], "Indicator: Trojan/Win32.Xiclog.C2155395": [[193, 221]], "Indicator: Trj/GdSda.A": [[222, 233]]}, "info": {"id": "cyner2_8class_test_01046", "source": "cyner2_8class_test"}} {"text": "These SMS messages masquerade as a message from the local post office and link to the FakeSpy download .", "spans": {"Malware: FakeSpy": [[86, 93]]}, "info": {"id": "cyner2_8class_test_01047", "source": "cyner2_8class_test"}} {"text": "SSH backdoor that binds to port 2222", "spans": {"Malware: SSH backdoor": [[0, 12]], 
"Indicator: port 2222": [[27, 36]]}, "info": {"id": "cyner2_8class_test_01048", "source": "cyner2_8class_test"}} {"text": "Of course, you have to have the Java Runtime Environment installed, which many people do.", "spans": {}, "info": {"id": "cyner2_8class_test_01049", "source": "cyner2_8class_test"}} {"text": "In November 2018 , a version of the Trojan for the English market appeared in the shape of Gumtree.apk .", "spans": {"Indicator: Gumtree.apk": [[91, 102]]}, "info": {"id": "cyner2_8class_test_01050", "source": "cyner2_8class_test"}} {"text": "EventBot is in constant development , as seen with the botnetID string above , which shows consecutive numbering across versions .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_8class_test_01051", "source": "cyner2_8class_test"}} {"text": "The main reason for developers to choose SMS over traditional payments via Internet is that in the case with SMS no Internet connection is required .", "spans": {}, "info": {"id": "cyner2_8class_test_01052", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.AutoRun!O Worm.Spyonpc WORM_AUTORUN.JEF Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan.B WORM_AUTORUN.JEF Trojan.Win32.AutoRun.duc Trojan.Win32.AutoRun.ctqtit Trojan/AutoRun.ei Trojan.Heur.RP.EB30B0 Troj.W32.AutoRun.duc!c Trojan.Win32.AutoRun.duc Worm:Win32/Spyonpc.A BScope.Trojan.SvcHorse.01643 Win32.Trojan.Autorun.Sxom Trojan.AutoRun!wA9W6qFisoU Trojan.Win32.Spy Win32/Trojan.2ed", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.AutoRun!O": [[26, 48]], "Indicator: Worm.Spyonpc": [[49, 61]], "Indicator: WORM_AUTORUN.JEF": [[62, 78], [140, 156]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[79, 121]], "Indicator: Backdoor.Trojan.B": [[122, 139]], "Indicator: Trojan.Win32.AutoRun.duc": [[157, 181], [273, 297]], "Indicator: Trojan.Win32.AutoRun.ctqtit": [[182, 209]], "Indicator: Trojan/AutoRun.ei": [[210, 227]], "Indicator: 
Trojan.Heur.RP.EB30B0": [[228, 249]], "Indicator: Troj.W32.AutoRun.duc!c": [[250, 272]], "Indicator: Worm:Win32/Spyonpc.A": [[298, 318]], "Indicator: BScope.Trojan.SvcHorse.01643": [[319, 347]], "Indicator: Win32.Trojan.Autorun.Sxom": [[348, 373]], "Indicator: Trojan.AutoRun!wA9W6qFisoU": [[374, 400]], "Indicator: Trojan.Win32.Spy": [[401, 417]], "Indicator: Win32/Trojan.2ed": [[418, 434]]}, "info": {"id": "cyner2_8class_test_01053", "source": "cyner2_8class_test"}} {"text": "The module allows Gooligan to : Steal a user ’ s Google email account and authentication token information Install apps from Google Play and rate them to raise their reputation Install adware to generate revenue Ad servers , which don ’ t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play .", "spans": {"Malware: Gooligan": [[18, 26], [304, 312]], "Organization: Google": [[49, 55]], "System: Google Play": [[125, 136], [352, 363]]}, "info": {"id": "cyner2_8class_test_01054", "source": "cyner2_8class_test"}} {"text": "Red Alert 2.0 is a banking bot that is currently very active online , and presents a risk to Android devices .", "spans": {"Malware: Red Alert 2.0": [[0, 13]]}, "info": {"id": "cyner2_8class_test_01055", "source": "cyner2_8class_test"}} {"text": "The attack platform mainly includes Windows and Android, the attack range is mainly for the Middle East region, as of now we have captured a total of 24 Android samples, 19 Windows samples, involving C C domain name 29.", "spans": {"System: Windows": [[36, 43]], "System: Android,": [[48, 56]], "Indicator: attack": [[61, 67]], "Location: the Middle East region,": [[88, 111]], "Malware: Android samples, 19 Windows samples,": [[153, 189]], "Indicator: C C domain name 29.": [[200, 219]]}, "info": {"id": "cyner2_8class_test_01056", "source": "cyner2_8class_test"}} {"text": "Of these Banload samples, we've seen 2,132 samples during the first six months of 2017.", "spans": 
{"Malware: Banload": [[9, 16]], "Malware: samples": [[43, 50]], "Date: first six months of 2017.": [[62, 87]]}, "info": {"id": "cyner2_8class_test_01057", "source": "cyner2_8class_test"}} {"text": "Data collectors are used in conjunction with repeated commands to collect user data including , SMS settings , SMS messages , Call logs , Browser History , Calendar , Contacts , Emails , and messages from selected messaging apps , including WhatsApp , Twitter , Facebook , Kakoa , Viber , and Skype by making /data/data directories of the apps world readable .", "spans": {"System: WhatsApp": [[241, 249]], "System: Twitter": [[252, 259]], "System: Facebook": [[262, 270]], "System: Kakoa": [[273, 278]], "System: Viber": [[281, 286]], "System: Skype": [[293, 298]]}, "info": {"id": "cyner2_8class_test_01058", "source": "cyner2_8class_test"}} {"text": "] zqo-japan [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01059", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Smalldoor.JZSK TSPY_SPATET.SMT Trojan.Dropper-24471 Win32.HLLW.Autoruner.15386 TSPY_SPATET.SMT TrojanDropper.MSIL.fg TrojanDropper:MSIL/RednibTihs.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Smalldoor.JZSK": [[26, 44]], "Indicator: TSPY_SPATET.SMT": [[45, 60], [109, 124]], "Indicator: Trojan.Dropper-24471": [[61, 81]], "Indicator: Win32.HLLW.Autoruner.15386": [[82, 108]], "Indicator: TrojanDropper.MSIL.fg": [[125, 146]], "Indicator: TrojanDropper:MSIL/RednibTihs.A": [[147, 178]], "Indicator: Trj/CI.A": [[179, 187]]}, "info": {"id": "cyner2_8class_test_01060", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 W32.Pws.Stealer TR/Crypt.Xpack.hosv Trojan.Graftor.D47380 Trojan/Win32.Deshacop.R189693 SScope.TrojanRansom.WannaCry", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: W32.Pws.Stealer": [[69, 84]], "Indicator: 
TR/Crypt.Xpack.hosv": [[85, 104]], "Indicator: Trojan.Graftor.D47380": [[105, 126]], "Indicator: Trojan/Win32.Deshacop.R189693": [[127, 156]], "Indicator: SScope.TrojanRansom.WannaCry": [[157, 185]]}, "info": {"id": "cyner2_8class_test_01061", "source": "cyner2_8class_test"}} {"text": "The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample .", "spans": {}, "info": {"id": "cyner2_8class_test_01062", "source": "cyner2_8class_test"}} {"text": "In addition , admin.nslookupdns [ .", "spans": {"Indicator: admin.nslookupdns [ .": [[14, 35]]}, "info": {"id": "cyner2_8class_test_01063", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.WansickyG.Trojan Trojan.Win32.Scar!O Worm.Pochi.MF.128 TROJ_SCAR.AD Win32.Trojan.VB.jo W32/VBTrojan.19H!Maximus TROJ_SCAR.AD Trojan.Win32.Scar.ajze Trojan.Win32.Scar.bsvmh Trojan.Win32.A.Scar.108211 Troj.W32.Scar.tp4e Trojan.MulDrop3.4297 Trojan.Scar.Win32.45700 BehavesLike.Win32.Autorun.pm Trojan.Win32.Scar W32/VBTrojan.19H!Maximus Trojan.Scar.jji Trojan/Win32.Scar Trojan.Win32.Scar.ajze Worm:Win32/Pochi.A Trojan.Scar Trj/Scar.N Win32/VB.PSB Trojan.Scar!bkhwPXcAv6E W32/Scar.AJZE!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.WansickyG.Trojan": [[26, 46]], "Indicator: Trojan.Win32.Scar!O": [[47, 66]], "Indicator: Worm.Pochi.MF.128": [[67, 84]], "Indicator: TROJ_SCAR.AD": [[85, 97], [142, 154]], "Indicator: Win32.Trojan.VB.jo": [[98, 116]], "Indicator: W32/VBTrojan.19H!Maximus": [[117, 141], [340, 364]], "Indicator: Trojan.Win32.Scar.ajze": [[155, 177], [399, 421]], "Indicator: Trojan.Win32.Scar.bsvmh": [[178, 201]], "Indicator: Trojan.Win32.A.Scar.108211": [[202, 228]], "Indicator: Troj.W32.Scar.tp4e": [[229, 247]], "Indicator: Trojan.MulDrop3.4297": [[248, 268]], "Indicator: Trojan.Scar.Win32.45700": [[269, 292]], "Indicator: BehavesLike.Win32.Autorun.pm": [[293, 321]], "Indicator: Trojan.Win32.Scar": [[322, 339]], 
"Indicator: Trojan.Scar.jji": [[365, 380]], "Indicator: Trojan/Win32.Scar": [[381, 398]], "Indicator: Worm:Win32/Pochi.A": [[422, 440]], "Indicator: Trojan.Scar": [[441, 452]], "Indicator: Trj/Scar.N": [[453, 463]], "Indicator: Win32/VB.PSB": [[464, 476]], "Indicator: Trojan.Scar!bkhwPXcAv6E": [[477, 500]], "Indicator: W32/Scar.AJZE!tr": [[501, 517]]}, "info": {"id": "cyner2_8class_test_01064", "source": "cyner2_8class_test"}} {"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet .", "spans": {}, "info": {"id": "cyner2_8class_test_01065", "source": "cyner2_8class_test"}} {"text": "Additionally , it also writes addresses of dlopen , dlsym , and dlclose into the same region , so that they can be used by the shellcode .", "spans": {}, "info": {"id": "cyner2_8class_test_01066", "source": "cyner2_8class_test"}} {"text": "] databit [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01067", "source": "cyner2_8class_test"}} {"text": "Although there does not appear to be any direct evidence in the open source at this time, media reports indicated that U.S. government officials have linked the campaign to Russia.", "spans": {"Indicator: the open source": [[60, 75]], "Malware: at": [[76, 78]], "Organization: media": [[90, 95]], "Organization: U.S. 
government officials": [[119, 144]], "ThreatActor: campaign": [[161, 169]], "Location: Russia.": [[173, 180]]}, "info": {"id": "cyner2_8class_test_01068", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.PWS.Lmir.UNK TrojanPWS.Mapdimp.A5 PWS-OnlineGames.ax Trojan.OnLineGames.Win32.92696 Trojan/PSW.OnLineGames.rydr Trojan.PWS.Lmir.UNK Win32.Trojan-GameThief.OnlineGames.s Infostealer.Gampass TSPY_GAMETHIE.SE Win.Spyware.48189-2 Trojan.PWS.Lmir.UNK Trojan.Win32.OnLineGames.vxxdj Trojan.Win32.PSWIGames.1068692 Troj.GameThief.W32.OnLineGames.lgZ8 Trojan.PWS.Lmir.UNK Trojan.PWS.Lmir.UNK Trojan.PWS.Wsgame.6445 TSPY_GAMETHIE.SE PWS-OnlineGames.ax Virus.Win32.Nilage.NP Trojan[GameThief]/Win32.OnLineGames Win32.Troj.EncodeGameT.am.1035692 PWS:Win32/Mapdimp.A Trojan.PWS.Lmir.UNK Trojan.Win32.Lmir.gfv", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Trojan.PWS.Lmir.UNK": [[44, 63], [163, 182], [277, 296], [395, 414], [415, 434], [606, 625]], "Indicator: TrojanPWS.Mapdimp.A5": [[64, 84]], "Indicator: PWS-OnlineGames.ax": [[85, 103], [475, 493]], "Indicator: Trojan.OnLineGames.Win32.92696": [[104, 134]], "Indicator: Trojan/PSW.OnLineGames.rydr": [[135, 162]], "Indicator: Win32.Trojan-GameThief.OnlineGames.s": [[183, 219]], "Indicator: Infostealer.Gampass": [[220, 239]], "Indicator: TSPY_GAMETHIE.SE": [[240, 256], [458, 474]], "Indicator: Win.Spyware.48189-2": [[257, 276]], "Indicator: Trojan.Win32.OnLineGames.vxxdj": [[297, 327]], "Indicator: Trojan.Win32.PSWIGames.1068692": [[328, 358]], "Indicator: Troj.GameThief.W32.OnLineGames.lgZ8": [[359, 394]], "Indicator: Trojan.PWS.Wsgame.6445": [[435, 457]], "Indicator: Virus.Win32.Nilage.NP": [[494, 515]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[516, 551]], "Indicator: Win32.Troj.EncodeGameT.am.1035692": [[552, 585]], "Indicator: PWS:Win32/Mapdimp.A": [[586, 605]], "Indicator: Trojan.Win32.Lmir.gfv": [[626, 647]]}, "info": 
{"id": "cyner2_8class_test_01069", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.DataboLTSB.Trojan VirTool.VBInject Trojan.FakeMS.ED Trojan/Injector.abip Win32.Trojan.Inject.ba W32.Rontokbro@mm Win32/Inject.TSaKNBD Win.Trojan.Injector-13562 Trojan.Win32.Autoruner1.brmigt Troj.W32.SelfDel.mA4R TrojWare.Win32.Injector.AOO Win32.HLLW.Autoruner1.24454 Trojan.Injector.Win32.169993 BehavesLike.Win32.Trojan.tz Trojan.Win32.Injector TR/Injector.anq Trojan/Win32.Unknown Trojan.Symmi.D2C49 Trojan:Win32/Rontokbro.A Win32/Rontokbro.worm.109512.B Trojan.Injector.ABIP Trojan.Injector!50IGAxMRdFE W32/Injector.ZYM!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.DataboLTSB.Trojan": [[26, 47]], "Indicator: VirTool.VBInject": [[48, 64]], "Indicator: Trojan.FakeMS.ED": [[65, 81]], "Indicator: Trojan/Injector.abip": [[82, 102]], "Indicator: Win32.Trojan.Inject.ba": [[103, 125]], "Indicator: W32.Rontokbro@mm": [[126, 142]], "Indicator: Win32/Inject.TSaKNBD": [[143, 163]], "Indicator: Win.Trojan.Injector-13562": [[164, 189]], "Indicator: Trojan.Win32.Autoruner1.brmigt": [[190, 220]], "Indicator: Troj.W32.SelfDel.mA4R": [[221, 242]], "Indicator: TrojWare.Win32.Injector.AOO": [[243, 270]], "Indicator: Win32.HLLW.Autoruner1.24454": [[271, 298]], "Indicator: Trojan.Injector.Win32.169993": [[299, 327]], "Indicator: BehavesLike.Win32.Trojan.tz": [[328, 355]], "Indicator: Trojan.Win32.Injector": [[356, 377]], "Indicator: TR/Injector.anq": [[378, 393]], "Indicator: Trojan/Win32.Unknown": [[394, 414]], "Indicator: Trojan.Symmi.D2C49": [[415, 433]], "Indicator: Trojan:Win32/Rontokbro.A": [[434, 458]], "Indicator: Win32/Rontokbro.worm.109512.B": [[459, 488]], "Indicator: Trojan.Injector.ABIP": [[489, 509]], "Indicator: Trojan.Injector!50IGAxMRdFE": [[510, 537]], "Indicator: W32/Injector.ZYM!tr": [[538, 557]]}, "info": {"id": "cyner2_8class_test_01070", "source": "cyner2_8class_test"}} {"text": "Lures contained subjects related to recent invoices, or other 
matters requiring the victim's attention, such as an overdue bill.", "spans": {"Malware: Lures": [[0, 5]], "Indicator: subjects": [[16, 24]], "Indicator: recent invoices,": [[36, 52]], "Indicator: matters requiring the victim's attention,": [[62, 103]], "Indicator: an overdue bill.": [[112, 128]]}, "info": {"id": "cyner2_8class_test_01071", "source": "cyner2_8class_test"}} {"text": "Using intelligence from our in-depth investigation , Windows Defender ATP can raise alerts for malicious behavior employed by FinFisher ( such as memory injection in persistence ) in different stages of the attack kill chain .", "spans": {"System: Windows Defender ATP": [[53, 73]], "Malware: FinFisher": [[126, 135]]}, "info": {"id": "cyner2_8class_test_01072", "source": "cyner2_8class_test"}} {"text": "This may also explain the timing in between the apps becoming fully functional and “ incubation. ” As this is a group we have not observed before , we will continue monitoring this campaign for further developments .", "spans": {}, "info": {"id": "cyner2_8class_test_01073", "source": "cyner2_8class_test"}} {"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner2_8class_test_01074", "source": "cyner2_8class_test"}} {"text": "7/7/2016 , 1:50 PM Security experts have documented a disturbing spike in a particularly virulent family of Android malware , with more than 10 million handsets infected and more than 286,000 of them in the US .", "spans": {"System: Android": [[108, 115]]}, "info": {"id": "cyner2_8class_test_01075", "source": "cyner2_8class_test"}} {"text": "Cisco What initially drew our interest to this particular malware sample was a tweet published by security researcher on Twitter thanks simpo! 
regarding a Powershell script that he was analyzing that contained the base64 encoded string SourceFireSux", "spans": {"Organization: Cisco": [[0, 5]], "Malware: malware sample": [[58, 72]], "Organization: security researcher": [[98, 117]], "Organization: Twitter": [[121, 128]], "Organization: simpo!": [[136, 142]], "System: Powershell script": [[155, 172]], "Indicator: base64": [[214, 220]], "Malware: SourceFireSux": [[236, 249]]}, "info": {"id": "cyner2_8class_test_01076", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.W32.Corum!c Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ZTAP-2170 Backdoor.Frigcase Backdoor.Win32.Corum.b Trojan.PWS.Banker1.24798 Trojan.Win32.Dynamer Trojan.Graftor.D1F11A Backdoor.Win32.Corum.b Backdoor:Win32/Kluch.A Trj/GdSda.A Win32.Backdoor.Corum.Wrzy Win32/Backdoor.a14", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.W32.Corum!c": [[26, 46]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[47, 89]], "Indicator: W32/Trojan.ZTAP-2170": [[90, 110]], "Indicator: Backdoor.Frigcase": [[111, 128]], "Indicator: Backdoor.Win32.Corum.b": [[129, 151], [220, 242]], "Indicator: Trojan.PWS.Banker1.24798": [[152, 176]], "Indicator: Trojan.Win32.Dynamer": [[177, 197]], "Indicator: Trojan.Graftor.D1F11A": [[198, 219]], "Indicator: Backdoor:Win32/Kluch.A": [[243, 265]], "Indicator: Trj/GdSda.A": [[266, 277]], "Indicator: Win32.Backdoor.Corum.Wrzy": [[278, 303]], "Indicator: Win32/Backdoor.a14": [[304, 322]]}, "info": {"id": "cyner2_8class_test_01077", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: BackDoor-CCT.dll Bck/Dumador.DS Backdoor.Dumador.ET Backdoor.Dumador.et BackDoor-CCT.dll Backdoor.Win32.Dumador.et Backdoor.Dumador.DD W32/Dumador.DI@bd Backdoor.Nibu W32/Dumador.MZ Backdoor.Win32.Dumador.et Backdoor.Dumador.ET Backdoor.Win32.Dumador.et BackDoor.Dumaru.23 BDS/Dumador.ET.2 BKDR_NIBU.J W32/Dumador.DI@bd Backdoor.Win32.Dumador!IK Trojan.Backdoor.Dumador.ET.2 
Backdoor.Win32.Dumador.28672 Backdoor.Dumador.ET Backdoor.Dumador.DD Backdoor.Dumador.jm Backdoor.Win32.Dumador W32/Dumador.T!tr.bdr Bck/Dumador.DS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: BackDoor-CCT.dll": [[26, 42], [98, 114]], "Indicator: Bck/Dumador.DS": [[43, 57], [534, 548]], "Indicator: Backdoor.Dumador.ET": [[58, 77], [234, 253], [430, 449]], "Indicator: Backdoor.Dumador.et": [[78, 97]], "Indicator: Backdoor.Win32.Dumador.et": [[115, 140], [208, 233], [254, 279]], "Indicator: Backdoor.Dumador.DD": [[141, 160], [450, 469]], "Indicator: W32/Dumador.DI@bd": [[161, 178], [328, 345]], "Indicator: Backdoor.Nibu": [[179, 192]], "Indicator: W32/Dumador.MZ": [[193, 207]], "Indicator: BackDoor.Dumaru.23": [[280, 298]], "Indicator: BDS/Dumador.ET.2": [[299, 315]], "Indicator: BKDR_NIBU.J": [[316, 327]], "Indicator: Backdoor.Win32.Dumador!IK": [[346, 371]], "Indicator: Trojan.Backdoor.Dumador.ET.2": [[372, 400]], "Indicator: Backdoor.Win32.Dumador.28672": [[401, 429]], "Indicator: Backdoor.Dumador.jm": [[470, 489]], "Indicator: Backdoor.Win32.Dumador": [[490, 512]], "Indicator: W32/Dumador.T!tr.bdr": [[513, 533]]}, "info": {"id": "cyner2_8class_test_01078", "source": "cyner2_8class_test"}} {"text": "FastPOS initially detected by Trend Micro as TSPY_FASTPOS.SMZTDA was different with the way it removed a middleman and went straight from stealing credit card data to directly exfiltrating them to its command and control C C servers.", "spans": {"Malware: FastPOS": [[0, 7]], "Organization: Trend Micro": [[30, 41]], "Indicator: TSPY_FASTPOS.SMZTDA": [[45, 64]], "Indicator: stealing credit card data": [[138, 163]], "Indicator: exfiltrating": [[176, 188]], "Indicator: command and control C C servers.": [[201, 233]]}, "info": {"id": "cyner2_8class_test_01079", "source": "cyner2_8class_test"}} {"text": "Contrary to its counterparts, it is not used on mainstream websites or via malvertising attacks but rather it specifically targets Chinese websites and users.", 
"spans": {"Indicator: malvertising attacks": [[75, 95]], "Indicator: Chinese websites": [[131, 147]]}, "info": {"id": "cyner2_8class_test_01080", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Exploit-TaroDrop.e Trojan.Tarodrop.G TROJ_TARODROP.ZKEJ-A TROJ_TARODROP.ZKEJ-A Exploit-TaroDrop.e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Exploit-TaroDrop.e": [[26, 44], [105, 123]], "Indicator: Trojan.Tarodrop.G": [[45, 62]], "Indicator: TROJ_TARODROP.ZKEJ-A": [[63, 83], [84, 104]]}, "info": {"id": "cyner2_8class_test_01081", "source": "cyner2_8class_test"}} {"text": "On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware detected by Trend Micro as RANSOM_ELFEREBUS.A, infecting 153 Linux servers and over 3,400 business websites the company hosts.", "spans": {"Date: June 10,": [[3, 11]], "Location: South Korean": [[12, 24]], "Organization: web hosting company NAYANA": [[25, 51]], "Malware: Erebus ransomware": [[63, 80]], "Organization: Trend Micro": [[93, 104]], "Indicator: RANSOM_ELFEREBUS.A,": [[108, 127]], "System: Linux servers": [[142, 155]], "Indicator: business websites": [[171, 188]], "Organization: the company": [[189, 200]], "System: hosts.": [[201, 207]]}, "info": {"id": "cyner2_8class_test_01082", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Starter.2890 BehavesLike.Win32.Dropper.vh Trojan.MSILPerseus.D210E0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[26, 68]], "Indicator: Trojan.Starter.2890": [[69, 88]], "Indicator: BehavesLike.Win32.Dropper.vh": [[89, 117]], "Indicator: Trojan.MSILPerseus.D210E0": [[118, 143]]}, "info": {"id": "cyner2_8class_test_01083", "source": "cyner2_8class_test"}} {"text": "In recent months, CrowdStrike has observed limited use of what appears to be a third Sakula variant.", "spans": {"Organization: CrowdStrike": [[18, 29]], "Malware: third 
Sakula variant.": [[79, 100]]}, "info": {"id": "cyner2_8class_test_01084", "source": "cyner2_8class_test"}} {"text": "Our research into the group found that it's been attacking a broad range of industries, including aviation, broadcasting, and finance, to drop back door Trojans.", "spans": {"Organization: research": [[4, 12]], "ThreatActor: group": [[22, 27]], "Indicator: attacking": [[49, 58]], "Organization: industries,": [[76, 87]], "Organization: aviation, broadcasting,": [[98, 121]], "Organization: finance,": [[126, 134]], "Malware: back door Trojans.": [[143, 161]]}, "info": {"id": "cyner2_8class_test_01085", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan.Bodegun.3 Win32.Trojan.WisdomEyes.16070401.9500.9927 Backdoor.Trojan W32/Farfli.NJ!tr Backdoor:Win32/Shoco.B Trojan.SelfDelete Trj/CI.A Win32/Trojan.198", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware10": [[26, 45]], "Indicator: Trojan.Bodegun.3": [[46, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9927": [[63, 105]], "Indicator: Backdoor.Trojan": [[106, 121]], "Indicator: W32/Farfli.NJ!tr": [[122, 138]], "Indicator: Backdoor:Win32/Shoco.B": [[139, 161]], "Indicator: Trojan.SelfDelete": [[162, 179]], "Indicator: Trj/CI.A": [[180, 188]], "Indicator: Win32/Trojan.198": [[189, 205]]}, "info": {"id": "cyner2_8class_test_01086", "source": "cyner2_8class_test"}} {"text": "Uploading screenshots of sensitive information", "spans": {}, "info": {"id": "cyner2_8class_test_01087", "source": "cyner2_8class_test"}} {"text": "It helps the attacker find out which banks the owner of the smartphone calls – the Trojan receives a list of bank phone numbers from its C & C server .", "spans": {}, "info": {"id": "cyner2_8class_test_01088", "source": "cyner2_8class_test"}} {"text": "When the Trojan is executed, it may connect to one of the following remote locations: [http://]crcchecker.com/in[REMOVED] [http://]msmodule.com/in[REMOVED] 
[http://]msgetupdt.com/in[REMOVED] [http://]mssendinf.com/in[REMOVED]", "spans": {"Malware: Trojan": [[9, 15]], "Indicator: remote locations: [http://]crcchecker.com/in[REMOVED] [http://]msmodule.com/in[REMOVED] [http://]msgetupdt.com/in[REMOVED] [http://]mssendinf.com/in[REMOVED]": [[68, 225]]}, "info": {"id": "cyner2_8class_test_01089", "source": "cyner2_8class_test"}} {"text": "A novel cryptojacking campaign targeting Redis has been uncovered by Cado Labs, the UK-based firm that specialises in security research and development for the digital world's largest online marketplace.", "spans": {"ThreatActor: cryptojacking campaign": [[8, 30]], "Organization: Redis": [[41, 46]], "Organization: Cado Labs,": [[69, 79]], "Location: UK-based": [[84, 92]], "Organization: firm": [[93, 97]], "Organization: security research": [[118, 135]], "Organization: development": [[140, 151]]}, "info": {"id": "cyner2_8class_test_01090", "source": "cyner2_8class_test"}} {"text": "On the other hand , it ’ s extremely easy for the crooks to re-direct communications to another freshly created account , ” explains Štefanko .", "spans": {}, "info": {"id": "cyner2_8class_test_01091", "source": "cyner2_8class_test"}} {"text": "In December, Microsoft's eSentire published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files.", "spans": {"Date: December,": [[3, 12]], "Organization: Microsoft's eSentire": [[13, 33]], "Malware: BatLoader": [[57, 66]], "System: Google Search Ads": [[84, 101]], "System: software": [[127, 135]], "System: WinRAR": [[144, 150]], "Malware: malicious Windows Installer files.": [[162, 196]]}, "info": {"id": "cyner2_8class_test_01092", "source": "cyner2_8class_test"}} {"text": "The Trojan ’ s list of possible commands has remained practically unchanged throughout its life , and will be described below in detail .", "spans": {}, "info": {"id": "cyner2_8class_test_01093", 
"source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm/W32.WBNA.75102 VBObfus.da Trojan/Slenfbot.ak Win32.Worm.Autorun.l Win.Packer.VBCrypt-5731541-0 Worm.Win32.WBNA.ipa Trojan.Win32.Z.Wbna.75102 Worm.W32.Wbna!c Trojan.Facebook.297 Worm.Slenfbot.Win32.261 BehavesLike.Win32.Backdoor.lt Trojan.VB Worm.WBNA.eomd Worm.Win32.WBNA.ipa Trojan:Win32/Acbot.A Worm.WBNA Win32.Worm.Wbna.Dxmv", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.WBNA.75102": [[26, 45]], "Indicator: VBObfus.da": [[46, 56]], "Indicator: Trojan/Slenfbot.ak": [[57, 75]], "Indicator: Win32.Worm.Autorun.l": [[76, 96]], "Indicator: Win.Packer.VBCrypt-5731541-0": [[97, 125]], "Indicator: Worm.Win32.WBNA.ipa": [[126, 145], [287, 306]], "Indicator: Trojan.Win32.Z.Wbna.75102": [[146, 171]], "Indicator: Worm.W32.Wbna!c": [[172, 187]], "Indicator: Trojan.Facebook.297": [[188, 207]], "Indicator: Worm.Slenfbot.Win32.261": [[208, 231]], "Indicator: BehavesLike.Win32.Backdoor.lt": [[232, 261]], "Indicator: Trojan.VB": [[262, 271]], "Indicator: Worm.WBNA.eomd": [[272, 286]], "Indicator: Trojan:Win32/Acbot.A": [[307, 327]], "Indicator: Worm.WBNA": [[328, 337]], "Indicator: Win32.Worm.Wbna.Dxmv": [[338, 358]]}, "info": {"id": "cyner2_8class_test_01094", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Swizzor.3!O Trojan/EraseMBR.a Win32.Trojan.WisdomEyes.16070401.9500.9912 W32/DistTrack.B W32.Disttrack Win.Trojan.DistTrack-1 Trojan.Win32.EraseMBR.a Trojan.Win32.EraseMBR.elqhim Trojan.Win32.EraseMBR.989184 Win32.Trojan.Erasembr.Phzv Virus.Win32.DistTrac.A Trojan.KillMBR.165 Trojan.EraseMBR.Win32.2 W32/DistTrack.VGNA-8394 Trojan/Win32.EraseMBR Win32.Troj.Undef.kcloud Trojan.Graftor.D9CE0 Troj.W32.EraseMBR.tnis Trojan.Win32.EraseMBR.a Trojan:Win32/WipMBR.A Win-Trojan/Disttrack.989184.B Trojan.EraseMBR!AdfCNAQ/Vbs Trojan.Win32.Disttrack Trojan.Tarkserv.18805 Trj/CI.A Win32/Trojan.3f8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
Trojan.Win32.Swizzor.3!O": [[26, 50]], "Indicator: Trojan/EraseMBR.a": [[51, 68]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9912": [[69, 111]], "Indicator: W32/DistTrack.B": [[112, 127]], "Indicator: W32.Disttrack": [[128, 141]], "Indicator: Win.Trojan.DistTrack-1": [[142, 164]], "Indicator: Trojan.Win32.EraseMBR.a": [[165, 188], [454, 477]], "Indicator: Trojan.Win32.EraseMBR.elqhim": [[189, 217]], "Indicator: Trojan.Win32.EraseMBR.989184": [[218, 246]], "Indicator: Win32.Trojan.Erasembr.Phzv": [[247, 273]], "Indicator: Virus.Win32.DistTrac.A": [[274, 296]], "Indicator: Trojan.KillMBR.165": [[297, 315]], "Indicator: Trojan.EraseMBR.Win32.2": [[316, 339]], "Indicator: W32/DistTrack.VGNA-8394": [[340, 363]], "Indicator: Trojan/Win32.EraseMBR": [[364, 385]], "Indicator: Win32.Troj.Undef.kcloud": [[386, 409]], "Indicator: Trojan.Graftor.D9CE0": [[410, 430]], "Indicator: Troj.W32.EraseMBR.tnis": [[431, 453]], "Indicator: Trojan:Win32/WipMBR.A": [[478, 499]], "Indicator: Win-Trojan/Disttrack.989184.B": [[500, 529]], "Indicator: Trojan.EraseMBR!AdfCNAQ/Vbs": [[530, 557]], "Indicator: Trojan.Win32.Disttrack": [[558, 580]], "Indicator: Trojan.Tarkserv.18805": [[581, 602]], "Indicator: Trj/CI.A": [[603, 611]], "Indicator: Win32/Trojan.3f8": [[612, 628]]}, "info": {"id": "cyner2_8class_test_01095", "source": "cyner2_8class_test"}} {"text": "In February 2016, Novetta announced a profiling report entitled Operation Blockbuster: Unraveling the Long Thread of Sony Attack in association with global security companies Kaspersky Lab, Symantec, Trend Micro, JPCERT / CC, etc..", "spans": {"Date: February 2016,": [[3, 17]], "Organization: Novetta": [[18, 25]], "ThreatActor: Operation Blockbuster:": [[64, 86]], "Organization: Sony": [[117, 121]], "Indicator: Attack": [[122, 128]], "Organization: global security companies Kaspersky Lab,": [[149, 189]], "Organization: Symantec,": [[190, 199]], "Organization: Trend Micro,": [[200, 212]], "Organization: JPCERT": [[213, 219]], 
"Organization: CC,": [[222, 225]]}, "info": {"id": "cyner2_8class_test_01096", "source": "cyner2_8class_test"}} {"text": "This service hides the app from plain sight and loads another ELF library to gather environmental information about the device , such as running processes and apps , and details about device hardware , primarily through parsing system logs and querying running processes .", "spans": {}, "info": {"id": "cyner2_8class_test_01097", "source": "cyner2_8class_test"}} {"text": "Corerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "spans": {"ThreatActor: TelePort Crews": [[21, 35]], "System: infrastructure": [[45, 59]], "ThreatActor: group": [[84, 89]], "ThreatActor: the Carbanak Threat Actor.": [[138, 164]]}, "info": {"id": "cyner2_8class_test_01098", "source": "cyner2_8class_test"}} {"text": "] net , which was also used as a Poison Ivy C2 in the Arbor Networks blog .", "spans": {"Malware: Poison Ivy": [[33, 43]], "Organization: Arbor Networks": [[54, 68]]}, "info": {"id": "cyner2_8class_test_01099", "source": "cyner2_8class_test"}} {"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly .", "spans": {"System: Android Package": [[30, 45]]}, "info": {"id": "cyner2_8class_test_01100", "source": "cyner2_8class_test"}} {"text": "This allowed it to search for and upload potentially sensitive local files.", "spans": {}, "info": {"id": "cyner2_8class_test_01101", "source": "cyner2_8class_test"}} {"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list .", "spans": {"Organization: Huawei": [[158, 164]]}, "info": {"id": "cyner2_8class_test_01102", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.BHO Trojan/BHO.rrk 
Trojan.Adware.Graftor.DB443 Win32/AdClicker.AZ Trojan.Win32.BHO.czvr Trojan.Win32.BHO.bqymi Trojan.Win32.Z.Bho.203776 Backdoor.W32.IRCBot.kYVM TrojWare.Win32.BHO.RU Trojan.BHO.Win32.3468 AdWare.Win32.BHO W32/Trojan.QGGR-1095 Trojan/BHO.jgz TR/BHO.rrk Trojan:Win32/Yenfhur.A Adware.Vumer Trojan.Win32.BHO.czvr Trojan/Win32.BHO.R21503 Win32.Trojan.Bho.Lpcb Trojan.BHO!sZ6oLyvN9vY W32/BHO.NKS!tr Win32/Trojan.10e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BHO": [[26, 36]], "Indicator: Trojan/BHO.rrk": [[37, 51]], "Indicator: Trojan.Adware.Graftor.DB443": [[52, 79]], "Indicator: Win32/AdClicker.AZ": [[80, 98]], "Indicator: Trojan.Win32.BHO.czvr": [[99, 120], [339, 360]], "Indicator: Trojan.Win32.BHO.bqymi": [[121, 143]], "Indicator: Trojan.Win32.Z.Bho.203776": [[144, 169]], "Indicator: Backdoor.W32.IRCBot.kYVM": [[170, 194]], "Indicator: TrojWare.Win32.BHO.RU": [[195, 216]], "Indicator: Trojan.BHO.Win32.3468": [[217, 238]], "Indicator: AdWare.Win32.BHO": [[239, 255]], "Indicator: W32/Trojan.QGGR-1095": [[256, 276]], "Indicator: Trojan/BHO.jgz": [[277, 291]], "Indicator: TR/BHO.rrk": [[292, 302]], "Indicator: Trojan:Win32/Yenfhur.A": [[303, 325]], "Indicator: Adware.Vumer": [[326, 338]], "Indicator: Trojan/Win32.BHO.R21503": [[361, 384]], "Indicator: Win32.Trojan.Bho.Lpcb": [[385, 406]], "Indicator: Trojan.BHO!sZ6oLyvN9vY": [[407, 429]], "Indicator: W32/BHO.NKS!tr": [[430, 444]], "Indicator: Win32/Trojan.10e": [[445, 461]]}, "info": {"id": "cyner2_8class_test_01103", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Virus.Win32.Virut.1!O Trojan.Autoit.Gasonen.A Trojan-Downloader.a W32.Virut.CF Win32/Virut.NBP Virus.Win32.Virut.ce Virus.Win32.Virut.ue Virus.Win32.Virut.Ce Trojan.DownLoader24.36108 Downloader.AutoIt.Win32.", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Virus.Win32.Virut.1!O": [[26, 47]], "Indicator: Trojan.Autoit.Gasonen.A": [[48, 71]], "Indicator: Trojan-Downloader.a": [[72, 91]], "Indicator: W32.Virut.CF": 
[[92, 104]], "Indicator: Win32/Virut.NBP": [[105, 120]], "Indicator: Virus.Win32.Virut.ce": [[121, 141]], "Indicator: Virus.Win32.Virut.ue": [[142, 162]], "Indicator: Virus.Win32.Virut.Ce": [[163, 183]], "Indicator: Trojan.DownLoader24.36108": [[184, 209]], "Indicator: Downloader.AutoIt.Win32.": [[210, 234]]}, "info": {"id": "cyner2_8class_test_01104", "source": "cyner2_8class_test"}} {"text": "However, Dridex is still taking good care of its notorious original business– banking Trojans.", "spans": {"ThreatActor: Dridex": [[9, 15]], "Indicator: original business– banking Trojans.": [[59, 94]]}, "info": {"id": "cyner2_8class_test_01105", "source": "cyner2_8class_test"}} {"text": "If you ’ ve downloaded one of the apps listed in Appendix A , below , you might be infected .", "spans": {}, "info": {"id": "cyner2_8class_test_01106", "source": "cyner2_8class_test"}} {"text": "It first starts another activity defined in “ org.starsizew.Aa ” to request device administrator privileges , and then calls the following API of “ android.content.pm.PackageManager ” ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , ” org.starsizew.MainActivity ” will start the main service as defined in “ org.starsizew.Tb ” , and use a few mechanisms to keep the main service running continuously in the background .", "spans": {"Indicator: org.starsizew.Aa": [[46, 62]], "Indicator: android.content.pm.PackageManager": [[148, 181]], "System: Android": [[190, 197]], "Malware: RuMMS": [[293, 298]], "Indicator: org.starsizew.MainActivity": [[336, 362]], "Indicator: org.starsizew.Tb": [[409, 425]]}, "info": {"id": "cyner2_8class_test_01107", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.CWS.15872.C Trojan/Downloader.CWS.s W32/Downloader.NGQ Trojan.Bookmarker Win32/Chopenoz.AT TROJ_DLOADER.CML Win.Downloader.CWS-5 Trojan-Downloader.Win32.CWS.s 
Trojan.Win32.CWS.whoyd Troj.Downloader.W32.CWS.s!c Trojan.DownLoader.5656 Downloader.CWS.Win32.255 TROJ_DLOADER.CML BehavesLike.Win32.Backdoor.lc W32/Downloader.PTUP-4639 TrojanDownloader.CWS.p W32.Trojan.Relayer-Komforochka TR/Dldr.CWS.ARQ.2 Trojan.Win32.Downloader.15872.P Trojan-Downloader.Win32.CWS.s TrojanDownloader:Win32/Chopanez.A Trojan/Win32.Cws.R71052 TrojanDownloader.CWS Trojan.Krepper!v2daonCoc1Y Trojan-Downloader.Win32.CWS W32/Cwsaq.S!tr Adware/CWS.Yexe", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.CWS.15872.C": [[26, 59]], "Indicator: Trojan/Downloader.CWS.s": [[60, 83]], "Indicator: W32/Downloader.NGQ": [[84, 102]], "Indicator: Trojan.Bookmarker": [[103, 120]], "Indicator: Win32/Chopenoz.AT": [[121, 138]], "Indicator: TROJ_DLOADER.CML": [[139, 155], [306, 322]], "Indicator: Win.Downloader.CWS-5": [[156, 176]], "Indicator: Trojan-Downloader.Win32.CWS.s": [[177, 206], [482, 511]], "Indicator: Trojan.Win32.CWS.whoyd": [[207, 229]], "Indicator: Troj.Downloader.W32.CWS.s!c": [[230, 257]], "Indicator: Trojan.DownLoader.5656": [[258, 280]], "Indicator: Downloader.CWS.Win32.255": [[281, 305]], "Indicator: BehavesLike.Win32.Backdoor.lc": [[323, 352]], "Indicator: W32/Downloader.PTUP-4639": [[353, 377]], "Indicator: TrojanDownloader.CWS.p": [[378, 400]], "Indicator: W32.Trojan.Relayer-Komforochka": [[401, 431]], "Indicator: TR/Dldr.CWS.ARQ.2": [[432, 449]], "Indicator: Trojan.Win32.Downloader.15872.P": [[450, 481]], "Indicator: TrojanDownloader:Win32/Chopanez.A": [[512, 545]], "Indicator: Trojan/Win32.Cws.R71052": [[546, 569]], "Indicator: TrojanDownloader.CWS": [[570, 590]], "Indicator: Trojan.Krepper!v2daonCoc1Y": [[591, 617]], "Indicator: Trojan-Downloader.Win32.CWS": [[618, 645]], "Indicator: W32/Cwsaq.S!tr": [[646, 660]], "Indicator: Adware/CWS.Yexe": [[661, 676]]}, "info": {"id": "cyner2_8class_test_01108", "source": "cyner2_8class_test"}} {"text": "Figure 6 – Ransomware component Anubis has been known to utilize Twitter or 
Telegram to retrieve the C2 address and this sample is no exception ( Figure 7 ) .", "spans": {"Malware: Anubis": [[32, 38]], "Organization: Twitter": [[65, 72]], "Organization: Telegram": [[76, 84]]}, "info": {"id": "cyner2_8class_test_01109", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Hacktool.Webshell Trojan.Chopper.Win32.2 Backdoor.Hadmad Win.Trojan.Chopper-3 HackTool.Win32.WebShell.cv Trojan.Win32.Chopper.csobpu Trojan.Win32.Z.Chopper.700416 Hacktool.W32.Webshell!c TrojWare.Win32.Chopper.A BackDoor.Chopper.23 BehavesLike.Win32.BadFile.jm Trojan-PWS.Win32.LdPinch W32/Trojan.LZKC-7904 HackTool.WebShell.c TR/Chopper.wsqdz Trojan:Win32/Chopper.A HackTool.Win32.WebShell.cv Trojan/Win32.HDC.C534259 Trj/CI.A Win32.Hacktool.Webshell.Ajlk Win32/Trojan.51c", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Webshell": [[26, 43]], "Indicator: Trojan.Chopper.Win32.2": [[44, 66]], "Indicator: Backdoor.Hadmad": [[67, 82]], "Indicator: Win.Trojan.Chopper-3": [[83, 103]], "Indicator: HackTool.Win32.WebShell.cv": [[104, 130], [393, 419]], "Indicator: Trojan.Win32.Chopper.csobpu": [[131, 158]], "Indicator: Trojan.Win32.Z.Chopper.700416": [[159, 188]], "Indicator: Hacktool.W32.Webshell!c": [[189, 212]], "Indicator: TrojWare.Win32.Chopper.A": [[213, 237]], "Indicator: BackDoor.Chopper.23": [[238, 257]], "Indicator: BehavesLike.Win32.BadFile.jm": [[258, 286]], "Indicator: Trojan-PWS.Win32.LdPinch": [[287, 311]], "Indicator: W32/Trojan.LZKC-7904": [[312, 332]], "Indicator: HackTool.WebShell.c": [[333, 352]], "Indicator: TR/Chopper.wsqdz": [[353, 369]], "Indicator: Trojan:Win32/Chopper.A": [[370, 392]], "Indicator: Trojan/Win32.HDC.C534259": [[420, 444]], "Indicator: Trj/CI.A": [[445, 453]], "Indicator: Win32.Hacktool.Webshell.Ajlk": [[454, 482]], "Indicator: Win32/Trojan.51c": [[483, 499]]}, "info": {"id": "cyner2_8class_test_01110", "source": "cyner2_8class_test"}} {"text": "This threat may arrive as an email spammed macro malware which, when 
opened, socially engineers you to enable it in your PC.", "spans": {"Indicator: threat": [[5, 11]], "Indicator: email spammed macro malware": [[29, 56]], "Indicator: socially engineers": [[77, 95]], "System: PC.": [[121, 124]]}, "info": {"id": "cyner2_8class_test_01111", "source": "cyner2_8class_test"}} {"text": "A backdoor targetting Linux also known as: Unix.Trojan.Mirai-5678467-0 HEUR:Trojan-Downloader.Linux.Mirai.b Trojan.Unix.Dwn.exoczj Troj.Downloader.Linux!c Linux.DownLoader.569 LINUX/Dldr.Mirai.vzbiu HEUR:Trojan-Downloader.Linux.Mirai.b Linux.Trojan-downloader.Mirai.Ecua Trojan-Downloader.Linux.Mirai W32/Mirai.A!tr.dldr virus.elf.mirai.a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Unix.Trojan.Mirai-5678467-0": [[43, 70]], "Indicator: HEUR:Trojan-Downloader.Linux.Mirai.b": [[71, 107], [199, 235]], "Indicator: Trojan.Unix.Dwn.exoczj": [[108, 130]], "Indicator: Troj.Downloader.Linux!c": [[131, 154]], "Indicator: Linux.DownLoader.569": [[155, 175]], "Indicator: LINUX/Dldr.Mirai.vzbiu": [[176, 198]], "Indicator: Linux.Trojan-downloader.Mirai.Ecua": [[236, 270]], "Indicator: Trojan-Downloader.Linux.Mirai": [[271, 300]], "Indicator: W32/Mirai.A!tr.dldr": [[301, 320]], "Indicator: virus.elf.mirai.a": [[321, 338]]}, "info": {"id": "cyner2_8class_test_01112", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojandownloader.Script Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.QNWY-7354 Trojan.Win32.CoinMiner.etwjwz Troj.Downloader.Script!c BehavesLike.Win32.Dropper.jm TrojanDropper:Win32/Sminager.G Exploit.UACSkip Trj/CI.A VBS/CoinMiner.EQ Exploit.UACSkip! 
Win32/Trojan.Downloader.251", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Script": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[50, 92]], "Indicator: W32/Trojan.QNWY-7354": [[93, 113]], "Indicator: Trojan.Win32.CoinMiner.etwjwz": [[114, 143]], "Indicator: Troj.Downloader.Script!c": [[144, 168]], "Indicator: BehavesLike.Win32.Dropper.jm": [[169, 197]], "Indicator: TrojanDropper:Win32/Sminager.G": [[198, 228]], "Indicator: Exploit.UACSkip": [[229, 244]], "Indicator: Trj/CI.A": [[245, 253]], "Indicator: VBS/CoinMiner.EQ": [[254, 270]], "Indicator: Exploit.UACSkip!": [[271, 287]], "Indicator: Win32/Trojan.Downloader.251": [[288, 315]]}, "info": {"id": "cyner2_8class_test_01113", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.Spy.Pefj Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan.DownLoader11.48785 Trojan.Banker.Win32.91178 W32/Trojan.PJQW-4501 TR/Spy.Banker.368582 Trojan:Win32/Qobahk.B Trojan.Zusy.D22440 Trojan/Win32.Banki.C820251 TScope.Trojan.Delf Trojan-Banker.Win32.Banker Win32/Trojan.c01", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.Spy.Pefj": [[26, 47]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9992": [[48, 90]], "Indicator: Trojan.DownLoader11.48785": [[91, 116]], "Indicator: Trojan.Banker.Win32.91178": [[117, 142]], "Indicator: W32/Trojan.PJQW-4501": [[143, 163]], "Indicator: TR/Spy.Banker.368582": [[164, 184]], "Indicator: Trojan:Win32/Qobahk.B": [[185, 206]], "Indicator: Trojan.Zusy.D22440": [[207, 225]], "Indicator: Trojan/Win32.Banki.C820251": [[226, 252]], "Indicator: TScope.Trojan.Delf": [[253, 271]], "Indicator: Trojan-Banker.Win32.Banker": [[272, 298]], "Indicator: Win32/Trojan.c01": [[299, 315]]}, "info": {"id": "cyner2_8class_test_01114", "source": "cyner2_8class_test"}} {"text": "The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.", "spans": 
{"ThreatActor: attackers": [[4, 13]], "Indicator: website": [[30, 37]], "Malware: exploit kit": [[65, 76]], "Malware: malware": [[104, 111]]}, "info": {"id": "cyner2_8class_test_01115", "source": "cyner2_8class_test"}} {"text": "] clubupload999 [ .", "spans": {"Indicator: [ .": [[16, 19]]}, "info": {"id": "cyner2_8class_test_01116", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDownloader.Upatre.A4 Trojan.Bublik.Win32.12537 TROJ_UPATRE.SM2 Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan3.GOF Win32/Tnega.ATTF TROJ_UPATRE.SM2 Trojan.Win32.Bublik.cqqgyg Trojan.DownLoad3.28161 BehavesLike.Win32.Downloader.lm W32/Trojan.SDXU-6768 Trojan/Bublik.ggx TR/Kazy.295577 Trojan/Win32.Bublik Win32.Troj.Bublik.bl.kcloud TrojanDownloader:Win32/Waski.A Trojan/Win32.Zbot.C218571 Trojan.Bublik Trojan.Waski.A Win32/TrojanDownloader.Waski.A Trojan.Bublik!q4FUqHvnUCs W32/Waski.A!tr Win32/Trojan.bee", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Upatre.A4": [[26, 52]], "Indicator: Trojan.Bublik.Win32.12537": [[53, 78]], "Indicator: TROJ_UPATRE.SM2": [[79, 94], [171, 186]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[95, 137]], "Indicator: W32/Trojan3.GOF": [[138, 153]], "Indicator: Win32/Tnega.ATTF": [[154, 170]], "Indicator: Trojan.Win32.Bublik.cqqgyg": [[187, 213]], "Indicator: Trojan.DownLoad3.28161": [[214, 236]], "Indicator: BehavesLike.Win32.Downloader.lm": [[237, 268]], "Indicator: W32/Trojan.SDXU-6768": [[269, 289]], "Indicator: Trojan/Bublik.ggx": [[290, 307]], "Indicator: TR/Kazy.295577": [[308, 322]], "Indicator: Trojan/Win32.Bublik": [[323, 342]], "Indicator: Win32.Troj.Bublik.bl.kcloud": [[343, 370]], "Indicator: TrojanDownloader:Win32/Waski.A": [[371, 401]], "Indicator: Trojan/Win32.Zbot.C218571": [[402, 427]], "Indicator: Trojan.Bublik": [[428, 441]], "Indicator: Trojan.Waski.A": [[442, 456]], "Indicator: Win32/TrojanDownloader.Waski.A": [[457, 487]], "Indicator: Trojan.Bublik!q4FUqHvnUCs": [[488, 
513]], "Indicator: W32/Waski.A!tr": [[514, 528]], "Indicator: Win32/Trojan.bee": [[529, 545]]}, "info": {"id": "cyner2_8class_test_01117", "source": "cyner2_8class_test"}} {"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file .", "spans": {}, "info": {"id": "cyner2_8class_test_01118", "source": "cyner2_8class_test"}} {"text": "This should be highly alarming to any government agency or enterprise .", "spans": {}, "info": {"id": "cyner2_8class_test_01119", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Backdoor.Farfli Win32.Trojan.WisdomEyes.16070401.9500.9960 Heur.Corrupt.PE Trojan.DownLoader18.34796 TR/Taranis.1439 TrojanDownloader:Win32/Syten.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Backdoor.Farfli": [[46, 61]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9960": [[62, 104]], "Indicator: Heur.Corrupt.PE": [[105, 120]], "Indicator: Trojan.DownLoader18.34796": [[121, 146]], "Indicator: TR/Taranis.1439": [[147, 162]], "Indicator: TrojanDownloader:Win32/Syten.A": [[163, 193]]}, "info": {"id": "cyner2_8class_test_01120", "source": "cyner2_8class_test"}} {"text": "Example of using native code for obfuscation Examples of using string concatenation for obfuscation Example of encrypting strings in the Trojan Asacub distribution geography Asacub is primarily aimed at Russian users : 98 % of infections ( 225,000 ) occur in Russia , since the cybercriminals specifically target clients of a major Russian bank .", "spans": {"Malware: Asacub": [[144, 150], [174, 180]]}, "info": {"id": "cyner2_8class_test_01121", "source": "cyner2_8class_test"}} {"text": "But during a recent investigation we found a backdoor that takes a very different approach.", "spans": {}, "info": {"id": "cyner2_8class_test_01122", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.939 Vb.Troj.Valyria!c Trojan.Mdropper 
X2KM_POWLOAD.THAOEFK VB:Trojan.Valyria.939 VB:Trojan.Valyria.939 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.939 VB:Trojan.Valyria.939 X2KM_POWLOAD.THAOEFK TrojanDownloader:O97M/Powdow.F HEUR.VBA.Trojan.e VB:Trojan.Valyria.939 VBA/TrojanDownloader.DIW!tr.dldr virus.office.qexvmc.1095", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.939": [[26, 47], [103, 124], [125, 146], [180, 201], [202, 223], [294, 315]], "Indicator: Vb.Troj.Valyria!c": [[48, 65]], "Indicator: Trojan.Mdropper": [[66, 81]], "Indicator: X2KM_POWLOAD.THAOEFK": [[82, 102], [224, 244]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[147, 179]], "Indicator: TrojanDownloader:O97M/Powdow.F": [[245, 275]], "Indicator: HEUR.VBA.Trojan.e": [[276, 293]], "Indicator: VBA/TrojanDownloader.DIW!tr.dldr": [[316, 348]], "Indicator: virus.office.qexvmc.1095": [[349, 373]]}, "info": {"id": "cyner2_8class_test_01123", "source": "cyner2_8class_test"}} {"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide .", "spans": {}, "info": {"id": "cyner2_8class_test_01124", "source": "cyner2_8class_test"}} {"text": "Sample of the PlugX malware family", "spans": {"Malware: PlugX malware family": [[14, 34]]}, "info": {"id": "cyner2_8class_test_01125", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Agobot.daqfvn Win32.HLLW.Agobot.1609 Backdoor.Agobot.Win32.4720 RDN/Gaobot.worm!f Backdoor/Agobot.blu W32/AgoBot.SSP!tr.bdr Trojan[Backdoor]/Win32.Agobot Trojan.Symmi.428 Backdoor:Win32/Ocivat.A RDN/Gaobot.worm!f Backdoor.Agobot Trj/OCJ.F Win32.Backdoor.Agobot.Pcsf Trojan.Agobot!RVcISK47AgQ Backdoor.Win32.Agobot.ssp Win32/Backdoor.BO.02a", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Agobot.daqfvn": [[26, 52]], "Indicator: Win32.HLLW.Agobot.1609": [[53, 75]], "Indicator: Backdoor.Agobot.Win32.4720": [[76, 102]], "Indicator: RDN/Gaobot.worm!f": [[103, 120], [234, 251]], "Indicator: 
Backdoor/Agobot.blu": [[121, 140]], "Indicator: W32/AgoBot.SSP!tr.bdr": [[141, 162]], "Indicator: Trojan[Backdoor]/Win32.Agobot": [[163, 192]], "Indicator: Trojan.Symmi.428": [[193, 209]], "Indicator: Backdoor:Win32/Ocivat.A": [[210, 233]], "Indicator: Backdoor.Agobot": [[252, 267]], "Indicator: Trj/OCJ.F": [[268, 277]], "Indicator: Win32.Backdoor.Agobot.Pcsf": [[278, 304]], "Indicator: Trojan.Agobot!RVcISK47AgQ": [[305, 330]], "Indicator: Backdoor.Win32.Agobot.ssp": [[331, 356]], "Indicator: Win32/Backdoor.BO.02a": [[357, 378]]}, "info": {"id": "cyner2_8class_test_01126", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TR/FileCoder.129024 W32/Filecoder.EZ!tr Trojan.Zusy.D25F0A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/FileCoder.129024": [[26, 45]], "Indicator: W32/Filecoder.EZ!tr": [[46, 65]], "Indicator: Trojan.Zusy.D25F0A": [[66, 84]]}, "info": {"id": "cyner2_8class_test_01127", "source": "cyner2_8class_test"}} {"text": "All Lookout customers are protected from this threat .", "spans": {"Organization: Lookout": [[4, 11]]}, "info": {"id": "cyner2_8class_test_01128", "source": "cyner2_8class_test"}} {"text": "Steps to request the user 's credit card information In our sample configuration , the request for the views above can not be canceled or removed from the screen — behaving just like a screen lock that wo n't be disabled without providing credit card information .", "spans": {}, "info": {"id": "cyner2_8class_test_01129", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clod1ac.Trojan.2cfd Trojan.Subnix.A Trojan/W32.Subnix.81920 QDel297.dr Trojan.Win32.Subnix.cpbwt Subnix.D TROJ_SUBNIX.A Trojan.Win32.Subnix Trojan.Subnix.A Trojan.Subnix!nbK8wParH3w Trojan.Subnix.A TrojWare.Win32.Subnix.A Trojan.Subnix.A Trojan.Subnix TROJ_SUBNIX.A QDel297.dr Trojan:Win32/Subnix.A Win-Trojan/Subnix.81920 Trojan.Subnix.A W32/Risk.RJJS-1740 Trojan.Subnix Win32/Subnix.A Trojan.Win32.Subnix W32/QDel297.A!tr 
Trojan.Win32.Subnix.AL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod1ac.Trojan.2cfd": [[26, 49]], "Indicator: Trojan.Subnix.A": [[50, 65], [170, 185], [212, 227], [252, 267], [353, 368]], "Indicator: Trojan/W32.Subnix.81920": [[66, 89]], "Indicator: QDel297.dr": [[90, 100], [296, 306]], "Indicator: Trojan.Win32.Subnix.cpbwt": [[101, 126]], "Indicator: Subnix.D": [[127, 135]], "Indicator: TROJ_SUBNIX.A": [[136, 149], [282, 295]], "Indicator: Trojan.Win32.Subnix": [[150, 169], [417, 436]], "Indicator: Trojan.Subnix!nbK8wParH3w": [[186, 211]], "Indicator: TrojWare.Win32.Subnix.A": [[228, 251]], "Indicator: Trojan.Subnix": [[268, 281], [388, 401]], "Indicator: Trojan:Win32/Subnix.A": [[307, 328]], "Indicator: Win-Trojan/Subnix.81920": [[329, 352]], "Indicator: W32/Risk.RJJS-1740": [[369, 387]], "Indicator: Win32/Subnix.A": [[402, 416]], "Indicator: W32/QDel297.A!tr": [[437, 453]], "Indicator: Trojan.Win32.Subnix.AL": [[454, 476]]}, "info": {"id": "cyner2_8class_test_01130", "source": "cyner2_8class_test"}} {"text": "This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake Putty download pages.", "spans": {"ThreatActor: actors": [[44, 50]], "Indicator: open source Telnet/SSH client, PuTTY,": [[126, 163]], "Vulnerability: network of compromised web servers": [[179, 213]], "Indicator: fake Putty download pages.": [[234, 260]]}, "info": {"id": "cyner2_8class_test_01131", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Heur.ciTeuaMV96kb Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Yakes.vqgla Packed.Win32.Klone.~KMG Trojan.PWS.Webmonier.804 Trojan.Yakes.Win32.5199 Trojan-Spy.Frethog Trojan/Yakes.elw TR/Obfuscate.C.1823 Trojan/Win32.Yakes PWS:Win32/Chexct.A Troj.GameThief.W32.Magania.l943 Trojan/Win32.OnlineGameHack.R36096 Trojan.Yakes 
Win32.Trojan.Xytrojan.Lpbj Win32/Trojan.52b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Heur.ciTeuaMV96kb": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[51, 93]], "Indicator: Trojan.Win32.Yakes.vqgla": [[94, 118]], "Indicator: Packed.Win32.Klone.~KMG": [[119, 142]], "Indicator: Trojan.PWS.Webmonier.804": [[143, 167]], "Indicator: Trojan.Yakes.Win32.5199": [[168, 191]], "Indicator: Trojan-Spy.Frethog": [[192, 210]], "Indicator: Trojan/Yakes.elw": [[211, 227]], "Indicator: TR/Obfuscate.C.1823": [[228, 247]], "Indicator: Trojan/Win32.Yakes": [[248, 266]], "Indicator: PWS:Win32/Chexct.A": [[267, 285]], "Indicator: Troj.GameThief.W32.Magania.l943": [[286, 317]], "Indicator: Trojan/Win32.OnlineGameHack.R36096": [[318, 352]], "Indicator: Trojan.Yakes": [[353, 365]], "Indicator: Win32.Trojan.Xytrojan.Lpbj": [[366, 392]], "Indicator: Win32/Trojan.52b": [[393, 409]]}, "info": {"id": "cyner2_8class_test_01132", "source": "cyner2_8class_test"}} {"text": "The actual amount of money stolen was different in each case, with the average amount around USD$5 million in cash, ranging from USD$3 to USD$10 million.", "spans": {}, "info": {"id": "cyner2_8class_test_01133", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Swysin.A3 Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_DROPPR.SMAI Trojan.Win32.Swisyn.acfk Trojan.Win32.Swisyn.updbv Trojan.Win32.A.Swisyn.100000.H Win32.Trojan.Swisyn.Pfti Trojan.Packed.507 TROJ_DROPPR.SMAI Trojan/Buzus.mfe Trojan/Win32.Swisyn TrojanDropper:Win32/Forcud.A Trojan.Heur.EF59FD Trojan.Win32.Swisyn.acfk Trojan/Win32.Swisyn.R4650 Trojan.Dropper Trojan-Dropper.Win32.Forcud W32/Forcud.A!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Swisyn!O": [[26, 47]], "Indicator: Trojan.Swysin.A3": [[48, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9994": [[65, 107]], "Indicator: TROJ_DROPPR.SMAI": [[108, 124], [250, 266]], 
"Indicator: Trojan.Win32.Swisyn.acfk": [[125, 149], [352, 376]], "Indicator: Trojan.Win32.Swisyn.updbv": [[150, 175]], "Indicator: Trojan.Win32.A.Swisyn.100000.H": [[176, 206]], "Indicator: Win32.Trojan.Swisyn.Pfti": [[207, 231]], "Indicator: Trojan.Packed.507": [[232, 249]], "Indicator: Trojan/Buzus.mfe": [[267, 283]], "Indicator: Trojan/Win32.Swisyn": [[284, 303]], "Indicator: TrojanDropper:Win32/Forcud.A": [[304, 332]], "Indicator: Trojan.Heur.EF59FD": [[333, 351]], "Indicator: Trojan/Win32.Swisyn.R4650": [[377, 402]], "Indicator: Trojan.Dropper": [[403, 417]], "Indicator: Trojan-Dropper.Win32.Forcud": [[418, 445]], "Indicator: W32/Forcud.A!tr": [[446, 461]], "Indicator: Trj/CI.A": [[462, 470]]}, "info": {"id": "cyner2_8class_test_01134", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9944 Ransom_HERMES.B Trojan.Win32.Encoder.exsmjb Trojan.Encoder.10700 Ransom_HERMES.B W32.InfoStealer.Zeus W32/Filecoder_Hermes.F!tr Ransom:Win32/Wyhymyz.D Trojan/Win32.Ransomlock.C2400763 Trojan.Ransom.Hermes Ransom.Hermes Win32.Trojan.Filecoder.Hpsg Trojan-Ransom.FileCoder Trj/GdSda.A Win32/Trojan.03f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[26, 68]], "Indicator: Ransom_HERMES.B": [[69, 84], [134, 149]], "Indicator: Trojan.Win32.Encoder.exsmjb": [[85, 112]], "Indicator: Trojan.Encoder.10700": [[113, 133]], "Indicator: W32.InfoStealer.Zeus": [[150, 170]], "Indicator: W32/Filecoder_Hermes.F!tr": [[171, 196]], "Indicator: Ransom:Win32/Wyhymyz.D": [[197, 219]], "Indicator: Trojan/Win32.Ransomlock.C2400763": [[220, 252]], "Indicator: Trojan.Ransom.Hermes": [[253, 273]], "Indicator: Ransom.Hermes": [[274, 287]], "Indicator: Win32.Trojan.Filecoder.Hpsg": [[288, 315]], "Indicator: Trojan-Ransom.FileCoder": [[316, 339]], "Indicator: Trj/GdSda.A": [[340, 351]], "Indicator: Win32/Trojan.03f": [[352, 368]]}, "info": {"id": "cyner2_8class_test_01135", "source": 
"cyner2_8class_test"}} {"text": "This allows the application to appear legitimate , especially given these applications icons and user interface .", "spans": {}, "info": {"id": "cyner2_8class_test_01136", "source": "cyner2_8class_test"}} {"text": "Although this technique is not new, it remains an effective technique for attackers.", "spans": {}, "info": {"id": "cyner2_8class_test_01137", "source": "cyner2_8class_test"}} {"text": "As we have progressed in our research and uncovered additional attack phases, tooling, and infrastructure as discussed in our recent posting Striking Oil: A Closer Look at Adversary Infrastructure it has become apparent that the threat group responsible for the OilRig attack campaign is likely to be a unique, previously unknown adversary.", "spans": {"Indicator: attack phases,": [[63, 77]], "Malware: tooling,": [[78, 86]], "System: infrastructure": [[91, 105]], "ThreatActor: Adversary Infrastructure": [[172, 196]], "ThreatActor: the threat group": [[225, 241]], "ThreatActor: the OilRig attack campaign": [[258, 284]], "ThreatActor: unknown adversary.": [[322, 340]]}, "info": {"id": "cyner2_8class_test_01138", "source": "cyner2_8class_test"}} {"text": "Bitdefender researchers have identified a new Android spyware , dubbed Triout , which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications .", "spans": {"Organization: Bitdefender": [[0, 11]], "System: Android": [[46, 53]], "Malware: Triout": [[71, 77]]}, "info": {"id": "cyner2_8class_test_01139", "source": "cyner2_8class_test"}} {"text": "Conclusion The “ Corona Updates ” app had relatively low downloads in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner2_8class_test_01140", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Patched.Shopperz.1 Trojan.DllPatcher.A4 PTCH_NOPLE.SMA Trojan.Mentono!inf 
PTCH_NOPLE.SMA Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.qw Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.ejthtr TrojWare.Win32.Patched.AP Trojan.Patched.Shopperz.1 Trojan.Hosts.37524 Trojan.Win32.Patched Trojan/Win32.Patched.ap Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.qw Win-Trojan/Patched.DY Virus.Win32.Patched.qwb W32/Patched.AP!tr Win32/Trojan.133", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Patched.Shopperz.1": [[26, 51], [122, 147], [172, 197], [252, 277], [342, 367]], "Indicator: Trojan.DllPatcher.A4": [[52, 72]], "Indicator: PTCH_NOPLE.SMA": [[73, 87], [107, 121]], "Indicator: Trojan.Mentono!inf": [[88, 106]], "Indicator: Trojan.Win32.Patched.qw": [[148, 171], [368, 391]], "Indicator: Trojan.Win32.Patched.ejthtr": [[198, 225]], "Indicator: TrojWare.Win32.Patched.AP": [[226, 251]], "Indicator: Trojan.Hosts.37524": [[278, 296]], "Indicator: Trojan.Win32.Patched": [[297, 317]], "Indicator: Trojan/Win32.Patched.ap": [[318, 341]], "Indicator: Win-Trojan/Patched.DY": [[392, 413]], "Indicator: Virus.Win32.Patched.qwb": [[414, 437]], "Indicator: W32/Patched.AP!tr": [[438, 455]], "Indicator: Win32/Trojan.133": [[456, 472]]}, "info": {"id": "cyner2_8class_test_01141", "source": "cyner2_8class_test"}} {"text": "More and more smartphone and tablet owners use their devices to access websites , unaware that even the most reputable resources can be hacked .", "spans": {}, "info": {"id": "cyner2_8class_test_01142", "source": "cyner2_8class_test"}} {"text": "While not all SMS-based IAP applications steal user data, we recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server.", "spans": {"System: SMS-based IAP applications": [[14, 40]], "Malware: Chinese Taomike SDK": [[90, 109]], "Indicator: Taomike controlled server.": [[197, 223]]}, "info": {"id": "cyner2_8class_test_01143", "source": "cyner2_8class_test"}} {"text": "Zscaler ThreatLabz has 
been tracking the Nokoyawa ransomware family and its predecessors including Karma and Nemty ransomware.", "spans": {"Organization: Zscaler": [[0, 7]], "Organization: ThreatLabz": [[8, 18]], "Malware: the Nokoyawa ransomware family": [[37, 67]], "Malware: Karma": [[99, 104]], "Malware: Nemty ransomware.": [[109, 126]]}, "info": {"id": "cyner2_8class_test_01144", "source": "cyner2_8class_test"}} {"text": "Data collectors : dump all existing content on the device into a queue .", "spans": {}, "info": {"id": "cyner2_8class_test_01145", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: EXP/Pidief.EB.860 Exp.Pidief.Eb!c Trojan:Win32/Pdfphish.AA Trojan.Win32.Pdfphish Win32/Trojan.Exploit.ca2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: EXP/Pidief.EB.860": [[26, 43]], "Indicator: Exp.Pidief.Eb!c": [[44, 59]], "Indicator: Trojan:Win32/Pdfphish.AA": [[60, 84]], "Indicator: Trojan.Win32.Pdfphish": [[85, 106]], "Indicator: Win32/Trojan.Exploit.ca2": [[107, 131]]}, "info": {"id": "cyner2_8class_test_01146", "source": "cyner2_8class_test"}} {"text": "Figure 2 .", "spans": {}, "info": {"id": "cyner2_8class_test_01147", "source": "cyner2_8class_test"}} {"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad .", "spans": {}, "info": {"id": "cyner2_8class_test_01148", "source": "cyner2_8class_test"}} {"text": "The last time I saw the HoelferText popup, it was sending Spora ransomware link, but now it s Mole ransomware.", "spans": {"Malware: HoelferText": [[24, 35]], "Malware: Spora ransomware": [[58, 74]], "Indicator: link,": [[75, 80]], "Malware: Mole ransomware.": [[94, 110]]}, "info": {"id": "cyner2_8class_test_01149", "source": "cyner2_8class_test"}} {"text": "The message translates roughly to “ You got a photo in MMS format : hxxp : //yyyyyyyy.XXXX.ru/mms.apk. 
” So far we identified seven different URLs being used to spread RuMMS in the wild .", "spans": {"Indicator: hxxp : //yyyyyyyy.XXXX.ru/mms.apk.": [[68, 102]], "Malware: RuMMS": [[168, 173]]}, "info": {"id": "cyner2_8class_test_01150", "source": "cyner2_8class_test"}} {"text": "The Marcher banking malware uses two main attack vectors .", "spans": {"Malware: Marcher": [[4, 11]]}, "info": {"id": "cyner2_8class_test_01151", "source": "cyner2_8class_test"}} {"text": "Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis.", "spans": {"Malware: Stegoloader's": [[0, 13]], "Malware: malware": [[110, 117]]}, "info": {"id": "cyner2_8class_test_01152", "source": "cyner2_8class_test"}} {"text": "The victims created the majority of the data from May 2013 to December 2013.", "spans": {"Date: May 2013": [[50, 58]], "Date: December 2013.": [[62, 76]]}, "info": {"id": "cyner2_8class_test_01153", "source": "cyner2_8class_test"}} {"text": "This week, Proofpoint researchers observed the now infamous man-in-the-browser MITB banking malware Dyre experimenting with new ways to deliver spam attachments.", "spans": {"Organization: Proofpoint researchers": [[11, 33]], "Malware: man-in-the-browser MITB banking malware Dyre": [[60, 104]], "Indicator: deliver spam attachments.": [[136, 161]]}, "info": {"id": "cyner2_8class_test_01154", "source": "cyner2_8class_test"}} {"text": "Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a Protected View mode.", "spans": {"System: applications": [[13, 25]], "System: the Microsoft Office suite, Microsoft Publisher": [[33, 80]], "System: Protected View mode.": [[100, 120]]}, "info": {"id": "cyner2_8class_test_01155", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom_HPLOCKY.SME W32/Trojan2.ZCC Trojan.Hachilem Win32/Tnega.VYF Ransom_HPLOCKY.SME 
Win.Trojan.Hider-5 Trojan.Click.16602 BehavesLike.Win32.Trojan.dc W32/Trojan.LJTW-7715 Trojan/PSW.Almat.dfp Trojan:Win32/Adclicker.AU Trojan.Heur.EACEB7 Trj/Clicker.AKQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_HPLOCKY.SME": [[26, 44], [93, 111]], "Indicator: W32/Trojan2.ZCC": [[45, 60]], "Indicator: Trojan.Hachilem": [[61, 76]], "Indicator: Win32/Tnega.VYF": [[77, 92]], "Indicator: Win.Trojan.Hider-5": [[112, 130]], "Indicator: Trojan.Click.16602": [[131, 149]], "Indicator: BehavesLike.Win32.Trojan.dc": [[150, 177]], "Indicator: W32/Trojan.LJTW-7715": [[178, 198]], "Indicator: Trojan/PSW.Almat.dfp": [[199, 219]], "Indicator: Trojan:Win32/Adclicker.AU": [[220, 245]], "Indicator: Trojan.Heur.EACEB7": [[246, 264]], "Indicator: Trj/Clicker.AKQ": [[265, 280]]}, "info": {"id": "cyner2_8class_test_01156", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MSIL.Crypt.gblb Trojan.Win32.Crypt.exngtv Trojan.Inject3.2514 Trojan.MSIL.Crypt TR/Dropper.MSIL.abtme Trojan.Razy.D3D634 Trojan.MSIL.Crypt.gblb Trojan.SteamStealer Trj/GdSda.A MSIL/Kryptik.MNQ!tr Win32/Trojan.a01", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.MSIL.Crypt.gblb": [[69, 91], [197, 219]], "Indicator: Trojan.Win32.Crypt.exngtv": [[92, 117]], "Indicator: Trojan.Inject3.2514": [[118, 137]], "Indicator: Trojan.MSIL.Crypt": [[138, 155]], "Indicator: TR/Dropper.MSIL.abtme": [[156, 177]], "Indicator: Trojan.Razy.D3D634": [[178, 196]], "Indicator: Trojan.SteamStealer": [[220, 239]], "Indicator: Trj/GdSda.A": [[240, 251]], "Indicator: MSIL/Kryptik.MNQ!tr": [[252, 271]], "Indicator: Win32/Trojan.a01": [[272, 288]]}, "info": {"id": "cyner2_8class_test_01157", "source": "cyner2_8class_test"}} {"text": "Anonymous proxies play an important role in protecting one's privacy while on the Internet; however, when unsuspecting individuals have their systems 
turned into proxies without their consent, it can create a dangerous situation.", "spans": {"System: Anonymous proxies": [[0, 17]], "Organization: Internet;": [[82, 91]], "ThreatActor: individuals": [[119, 130]], "System: systems": [[142, 149]], "System: proxies": [[162, 169]]}, "info": {"id": "cyner2_8class_test_01158", "source": "cyner2_8class_test"}} {"text": "The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively targeting the MENA Middle East North Africa region.", "spans": {"ThreatActor: The Gaza cybergang": [[0, 18]], "ThreatActor: Arabic-language, politically-motivated cybercriminal group,": [[25, 84]], "Date: 2012": [[101, 105]], "Location: the MENA Middle East North Africa region.": [[129, 170]]}, "info": {"id": "cyner2_8class_test_01159", "source": "cyner2_8class_test"}} {"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages .", "spans": {"Malware: Skygofree": [[44, 53]]}, "info": {"id": "cyner2_8class_test_01160", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DownLoader9.6249 BehavesLike.Win32.Mydoom.nc W32/Trojan.CMRE-8473 WORM/Dramnudge.csjup Worm:Win32/Dramnudge.A Trojan.Jaik.D47C2 BScope.Trojan.IRCbot Virus.Win32.Virut", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoader9.6249": [[26, 49]], "Indicator: BehavesLike.Win32.Mydoom.nc": [[50, 77]], "Indicator: W32/Trojan.CMRE-8473": [[78, 98]], "Indicator: WORM/Dramnudge.csjup": [[99, 119]], "Indicator: Worm:Win32/Dramnudge.A": [[120, 142]], "Indicator: Trojan.Jaik.D47C2": [[143, 160]], "Indicator: BScope.Trojan.IRCbot": [[161, 181]], "Indicator: Virus.Win32.Virut": [[182, 199]]}, "info": {"id": "cyner2_8class_test_01161", "source": "cyner2_8class_test"}} {"text": "In this paper, we cover the details of their tools, whom they target, and offer a rare glimpse into", "spans": {}, "info": {"id": "cyner2_8class_test_01162", "source": 
"cyner2_8class_test"}} {"text": "The more interesting one was a targeted attack towards the Secretary General of Taiwan's Government office – Executive Yuan.", "spans": {"Indicator: attack": [[40, 46]], "Organization: the Secretary General of Taiwan's Government office": [[55, 106]], "Organization: Executive Yuan.": [[109, 124]]}, "info": {"id": "cyner2_8class_test_01163", "source": "cyner2_8class_test"}} {"text": "The “ boot ” module has placeholder classes for the entry points of the infected applications .", "spans": {}, "info": {"id": "cyner2_8class_test_01164", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.VariantScarC.Trojan Trojan/W32.Scar.1595904 Worm.Macoute.S559150 Worm.PasswordStealer/Variant W32.Pholdicon Trojan.DownLoader22.23546 Trojan.Scar.Win32.54986 BehavesLike.Win32.Dropper.tz Trojan.Win32.Scar Trojan/Scar.agsm Trojan.Keylogger.8 Worm:Win32/Macoute.A Trojan/Win32.Scar.R160138 Trojan.Scar Worm.PasswordStealer", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VariantScarC.Trojan": [[26, 49]], "Indicator: Trojan/W32.Scar.1595904": [[50, 73]], "Indicator: Worm.Macoute.S559150": [[74, 94]], "Indicator: Worm.PasswordStealer/Variant": [[95, 123]], "Indicator: W32.Pholdicon": [[124, 137]], "Indicator: Trojan.DownLoader22.23546": [[138, 163]], "Indicator: Trojan.Scar.Win32.54986": [[164, 187]], "Indicator: BehavesLike.Win32.Dropper.tz": [[188, 216]], "Indicator: Trojan.Win32.Scar": [[217, 234]], "Indicator: Trojan/Scar.agsm": [[235, 251]], "Indicator: Trojan.Keylogger.8": [[252, 270]], "Indicator: Worm:Win32/Macoute.A": [[271, 291]], "Indicator: Trojan/Win32.Scar.R160138": [[292, 317]], "Indicator: Trojan.Scar": [[318, 329]], "Indicator: Worm.PasswordStealer": [[330, 350]]}, "info": {"id": "cyner2_8class_test_01165", "source": "cyner2_8class_test"}} {"text": "The provider ’ s website described how the code 7494 can be used to provide a series of payment-related capabilities .", "spans": {}, "info": {"id": 
"cyner2_8class_test_01166", "source": "cyner2_8class_test"}} {"text": "collect intelligence in support of foreign and security policy decision-making. continue successfully compromising their targets, as well as in their ability to operate with impunity.", "spans": {}, "info": {"id": "cyner2_8class_test_01167", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.ADC1 Win32.Trojan.WisdomEyes.16070401.9500.9988 BKDR_HPQAKBOT.SMD16 Trojan.Win32.Kryptik.euukvm Trojan.Inject2.62570 BKDR_HPQAKBOT.SMD16 BehavesLike.Win32.Trojan.gc W32/Trojan.HFDB-6851 TR/Crypt.ZPACK.uyunz Trojan.Razy.D36246 Backdoor/Win32.QBot.C2234313 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.ADC1": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9988": [[43, 85]], "Indicator: BKDR_HPQAKBOT.SMD16": [[86, 105], [155, 174]], "Indicator: Trojan.Win32.Kryptik.euukvm": [[106, 133]], "Indicator: Trojan.Inject2.62570": [[134, 154]], "Indicator: BehavesLike.Win32.Trojan.gc": [[175, 202]], "Indicator: W32/Trojan.HFDB-6851": [[203, 223]], "Indicator: TR/Crypt.ZPACK.uyunz": [[224, 244]], "Indicator: Trojan.Razy.D36246": [[245, 263]], "Indicator: Backdoor/Win32.QBot.C2234313": [[264, 292]], "Indicator: Trj/GdSda.A": [[293, 304]]}, "info": {"id": "cyner2_8class_test_01168", "source": "cyner2_8class_test"}} {"text": "changeActivity command The webview injects are not hosted on the C2 , they are hosted on a completely different server .", "spans": {}, "info": {"id": "cyner2_8class_test_01169", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Inject.IA Trojan.Win32.Yakes!O Trojan.Inject.IA TROJ_WIGON.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Pandex!gm TROJ_WIGON.SM Trojan.Inject.IA Trojan.Win32.DNSChanger.zfu Trojan.Inject.IA TrojWare.Win32.Wigon.DC Trojan.Inject.IA BackDoor.Bulknet.739 BehavesLike.Win32.Pykse.ch Trojan.Inject.IA Trojan.Win32.DNSChanger.zfu Packed/Win32.Katusha.C93684 Trojan.Inject.IA 
W32/Cutwail.RU!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Inject.IA": [[26, 42], [64, 80], [169, 185], [214, 230], [255, 271], [320, 336], [393, 409]], "Indicator: Trojan.Win32.Yakes!O": [[43, 63]], "Indicator: TROJ_WIGON.SM": [[81, 94], [155, 168]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[95, 137]], "Indicator: Trojan.Pandex!gm": [[138, 154]], "Indicator: Trojan.Win32.DNSChanger.zfu": [[186, 213], [337, 364]], "Indicator: TrojWare.Win32.Wigon.DC": [[231, 254]], "Indicator: BackDoor.Bulknet.739": [[272, 292]], "Indicator: BehavesLike.Win32.Pykse.ch": [[293, 319]], "Indicator: Packed/Win32.Katusha.C93684": [[365, 392]], "Indicator: W32/Cutwail.RU!tr": [[410, 427]]}, "info": {"id": "cyner2_8class_test_01170", "source": "cyner2_8class_test"}} {"text": "The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests.", "spans": {}, "info": {"id": "cyner2_8class_test_01171", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.MSIL Trojan.Kazy.D2EF3D Win32.Trojan.WisdomEyes.16070401.9500.9687 Infostealer.Derusbi TROJ_DERUSBI.AJ Trojan.Win32.Dwn.dtkwki Trojan.DownLoader12.9606 TROJ_DERUSBI.AJ W32/Trojan.FOPB-8219 Trojan/MSIL.eynz Backdoor:MSIL/Njogv.A Trojan/Win32.Nbdd.C255258 Trj/CI.A W32/BDoor.FGI!tr.bdr Win32/Trojan.f1b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.MSIL": [[26, 37]], "Indicator: Trojan.Kazy.D2EF3D": [[38, 56]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9687": [[57, 99]], "Indicator: Infostealer.Derusbi": [[100, 119]], "Indicator: TROJ_DERUSBI.AJ": [[120, 135], [185, 200]], "Indicator: Trojan.Win32.Dwn.dtkwki": [[136, 159]], "Indicator: Trojan.DownLoader12.9606": [[160, 184]], "Indicator: W32/Trojan.FOPB-8219": [[201, 221]], "Indicator: Trojan/MSIL.eynz": [[222, 238]], "Indicator: Backdoor:MSIL/Njogv.A": [[239, 260]], "Indicator: Trojan/Win32.Nbdd.C255258": [[261, 286]], "Indicator: Trj/CI.A": [[287, 
295]], "Indicator: W32/BDoor.FGI!tr.bdr": [[296, 316]], "Indicator: Win32/Trojan.f1b": [[317, 333]]}, "info": {"id": "cyner2_8class_test_01172", "source": "cyner2_8class_test"}} {"text": "The message was a snippet from the article of USA Today, and has a ZIP archive called The Murtadd Vote.zip", "spans": {"Indicator: message": [[4, 11]], "Organization: USA Today,": [[46, 56]], "Indicator: ZIP archive": [[67, 78]], "Indicator: The Murtadd Vote.zip": [[86, 106]]}, "info": {"id": "cyner2_8class_test_01173", "source": "cyner2_8class_test"}} {"text": "The Perkele Android Trojan not only attacks Russian users but also clients of several European banks .", "spans": {"Malware: Perkele": [[4, 11]]}, "info": {"id": "cyner2_8class_test_01174", "source": "cyner2_8class_test"}} {"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities .", "spans": {}, "info": {"id": "cyner2_8class_test_01175", "source": "cyner2_8class_test"}} {"text": "In the areas marked ‘ { text } ’ Rotexy displays the text it receives from the C & C .", "spans": {"Malware: Rotexy": [[33, 39]]}, "info": {"id": "cyner2_8class_test_01176", "source": "cyner2_8class_test"}} {"text": "Attackers exploiting HP OpenView via CVE-2010-1553 to deliver malicious payloads", "spans": {"ThreatActor: Attackers": [[0, 9]], "System: HP OpenView": [[21, 32]], "Indicator: CVE-2010-1553": [[37, 50]], "Malware: malicious payloads": [[62, 80]]}, "info": {"id": "cyner2_8class_test_01177", "source": "cyner2_8class_test"}} {"text": "The stolen information includes personal and device information .", "spans": {}, "info": {"id": "cyner2_8class_test_01178", "source": "cyner2_8class_test"}} {"text": "Upon analysis , we discovered that this is a decoy functionality and no new payload is generated .", "spans": {}, "info": {"id": "cyner2_8class_test_01179", "source": "cyner2_8class_test"}} {"text": "A backdoor also 
known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader7.3270 BehavesLike.Win32.Dropper.lh PWS:Win32/Yahoopass.M Trojan.Zusy.D60ED Trojan.Win32.A.Downloader.81920.VA Dropper/Win32.Daws.R47114 W32/ZLob.BBDE!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.DownLoader7.3270": [[69, 92]], "Indicator: BehavesLike.Win32.Dropper.lh": [[93, 121]], "Indicator: PWS:Win32/Yahoopass.M": [[122, 143]], "Indicator: Trojan.Zusy.D60ED": [[144, 161]], "Indicator: Trojan.Win32.A.Downloader.81920.VA": [[162, 196]], "Indicator: Dropper/Win32.Daws.R47114": [[197, 222]], "Indicator: W32/ZLob.BBDE!tr.spy": [[223, 243]]}, "info": {"id": "cyner2_8class_test_01180", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Packed.Win32.TDSS!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.FSPM.etswnp Trojan.MulDrop7.44563 BehavesLike.Win32.VBObfus.mc Trojan.Razy.D35F46 PWS:Win32/Tendcef.A Trj/GdSda.A Trojan.NewHeur_VB_Trojan W32/VB.NXC!tr Trojan/Win32.lssj.2cc.rgrk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Packed.Win32.TDSS!O": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[46, 88]], "Indicator: Trojan.Win32.FSPM.etswnp": [[89, 113]], "Indicator: Trojan.MulDrop7.44563": [[114, 135]], "Indicator: BehavesLike.Win32.VBObfus.mc": [[136, 164]], "Indicator: Trojan.Razy.D35F46": [[165, 183]], "Indicator: PWS:Win32/Tendcef.A": [[184, 203]], "Indicator: Trj/GdSda.A": [[204, 215]], "Indicator: Trojan.NewHeur_VB_Trojan": [[216, 240]], "Indicator: W32/VB.NXC!tr": [[241, 254]], "Indicator: Trojan/Win32.lssj.2cc.rgrk": [[255, 281]]}, "info": {"id": "cyner2_8class_test_01181", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Trojan.RRTN-3169 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.RRTN-3169": [[26, 46]], "Indicator: Trj/GdSda.A": [[47, 58]]}, "info": {"id": "cyner2_8class_test_01182", 
"source": "cyner2_8class_test"}} {"text": "A backdoor also known as: AutoIt.Trojan.Injector.bq BehavesLike.Win32.Downloader.vh Trojan.Autoit Trojan:AutoIt/Injector.H W32/Injector.COJ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: AutoIt.Trojan.Injector.bq": [[26, 51]], "Indicator: BehavesLike.Win32.Downloader.vh": [[52, 83]], "Indicator: Trojan.Autoit": [[84, 97]], "Indicator: Trojan:AutoIt/Injector.H": [[98, 122]], "Indicator: W32/Injector.COJ!tr": [[123, 142]]}, "info": {"id": "cyner2_8class_test_01183", "source": "cyner2_8class_test"}} {"text": "Although we have observed low volume spam campaigns by some cybercriminals who have purchased MWI, we recently discovered spearphishing emails by one group using MWI to direct an attack against point-of-sale POS service providers.", "spans": {"Indicator: spam campaigns": [[37, 51]], "ThreatActor: cybercriminals": [[60, 74]], "Malware: MWI,": [[94, 98]], "Indicator: spearphishing emails": [[122, 142]], "ThreatActor: group": [[150, 155]], "Malware: MWI": [[162, 165]], "Organization: point-of-sale POS service providers.": [[194, 230]]}, "info": {"id": "cyner2_8class_test_01184", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Evid.EJLF-8760 Trojan.Win32.ULPM.etlpga ApplicUnsaf.Win32.Tool.EvID4226 BehavesLike.Win32.Trojan.cz W32/Evid.B HackTool:Win32/Evidpatch.A RiskWare.TCPIPPatcher.A Backdoor.Win32.Virkel.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Evid.EJLF-8760": [[26, 44]], "Indicator: Trojan.Win32.ULPM.etlpga": [[45, 69]], "Indicator: ApplicUnsaf.Win32.Tool.EvID4226": [[70, 101]], "Indicator: BehavesLike.Win32.Trojan.cz": [[102, 129]], "Indicator: W32/Evid.B": [[130, 140]], "Indicator: HackTool:Win32/Evidpatch.A": [[141, 167]], "Indicator: RiskWare.TCPIPPatcher.A": [[168, 191]], "Indicator: Backdoor.Win32.Virkel.A": [[192, 215]]}, "info": {"id": "cyner2_8class_test_01185", "source": "cyner2_8class_test"}} {"text": "In the same timeframe of the Komplex attacks, we 
collected several weaponized documents that use a tactic previously not observed in use by the Sofacy group.", "spans": {"Malware: Komplex": [[29, 36]], "Indicator: attacks,": [[37, 45]], "Indicator: weaponized documents": [[67, 87]], "ThreatActor: the Sofacy group.": [[140, 157]]}, "info": {"id": "cyner2_8class_test_01186", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGamesFHKAGBAAG.Trojan Trojan/W32.Exploder.43542 Trojan.Win32!O Trojan.Exploder.AX Win32.Trojan.WisdomEyes.16070401.9500.9851 Win.Trojan.ActiveX-3 Trojan.Win32.Exploder Trojan.Win32.Exploder.gtwc Troj.W32.Exploder.l5lq Win32.Trojan.Exploder.Eop TrojWare.AX.Exploder Trojan.Exploder Trojan.Exploder.Win32.1 W32/Trojan.CBQC-1258 Trojan/ActiveX.Exploder TR/NetList.acy Trojan/Win32.Exploder Trojan.Zusy.D41ADC Trojan.Win32.Exploder.29184 Trojan.Win32.Exploder Trojan.Exploder!ToBFf1990Jg Trojan.Win32.Exploder Trojan.ActiveX.Exploder", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesFHKAGBAAG.Trojan": [[26, 53]], "Indicator: Trojan/W32.Exploder.43542": [[54, 79]], "Indicator: Trojan.Win32!O": [[80, 94]], "Indicator: Trojan.Exploder.AX": [[95, 113]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9851": [[114, 156]], "Indicator: Win.Trojan.ActiveX-3": [[157, 177]], "Indicator: Trojan.Win32.Exploder": [[178, 199], [466, 487], [516, 537]], "Indicator: Trojan.Win32.Exploder.gtwc": [[200, 226]], "Indicator: Troj.W32.Exploder.l5lq": [[227, 249]], "Indicator: Win32.Trojan.Exploder.Eop": [[250, 275]], "Indicator: TrojWare.AX.Exploder": [[276, 296]], "Indicator: Trojan.Exploder": [[297, 312]], "Indicator: Trojan.Exploder.Win32.1": [[313, 336]], "Indicator: W32/Trojan.CBQC-1258": [[337, 357]], "Indicator: Trojan/ActiveX.Exploder": [[358, 381]], "Indicator: TR/NetList.acy": [[382, 396]], "Indicator: Trojan/Win32.Exploder": [[397, 418]], "Indicator: Trojan.Zusy.D41ADC": [[419, 437]], "Indicator: Trojan.Win32.Exploder.29184": [[438, 465]], "Indicator: 
Trojan.Exploder!ToBFf1990Jg": [[488, 515]], "Indicator: Trojan.ActiveX.Exploder": [[538, 561]]}, "info": {"id": "cyner2_8class_test_01187", "source": "cyner2_8class_test"}} {"text": "Should a device become infected , this backdoor can not be removed without root privilege .", "spans": {}, "info": {"id": "cyner2_8class_test_01188", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDownloader.Pedrp Trojan.Zusy.DF27 Downloader.Pengdoloder TROJ_PEDRP.AA Trojan.Win32.Pedrp.bcibql Trojan.Click2.44676 TROJ_PEDRP.AA W32/Trojan.UPQQ-8147 TR/Dldr.Pedrp.A TrojanDownloader:Win32/Pedrp.A Trojan.DL.Pedrp!zhWe6bBNULk Trojan-Downloader.Win32.Pedrp W32/DwnLdr.JTQ!tr Win32/Trojan.669", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDownloader.Pedrp": [[26, 48]], "Indicator: Trojan.Zusy.DF27": [[49, 65]], "Indicator: Downloader.Pengdoloder": [[66, 88]], "Indicator: TROJ_PEDRP.AA": [[89, 102], [149, 162]], "Indicator: Trojan.Win32.Pedrp.bcibql": [[103, 128]], "Indicator: Trojan.Click2.44676": [[129, 148]], "Indicator: W32/Trojan.UPQQ-8147": [[163, 183]], "Indicator: TR/Dldr.Pedrp.A": [[184, 199]], "Indicator: TrojanDownloader:Win32/Pedrp.A": [[200, 230]], "Indicator: Trojan.DL.Pedrp!zhWe6bBNULk": [[231, 258]], "Indicator: Trojan-Downloader.Win32.Pedrp": [[259, 288]], "Indicator: W32/DwnLdr.JTQ!tr": [[289, 306]], "Indicator: Win32/Trojan.669": [[307, 323]]}, "info": {"id": "cyner2_8class_test_01189", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.3448 Trojan.Ddos.Boxed.A Trojan/W32.DDoS.27718 Trojan.Ddos.Boxed.A Trojan.Ddos.Boxed.A Trojan.Win32.Boxed.fqap Win32/DDoS.Boxed.M Trojan.QHosts.G Trojan.Win32.DDoS-Boxed.27718.B[h] Win32.Trojan-ddos.Boxed.Wlfe Trojan.Ddos.Boxed.A Worm.Win32.Robobot._0 Trojan.Ddos.Boxed.A Flooder.Boxed Tool.Boxed.Win32.13 BehavesLike.Win32.Backdoor.mc Trojan-DDoS.Boxed.a Trojan[DDoS]/Win32.Boxed Trojan.Ddos.Boxed.A Win-Trojan/Boxed.60185 DDoS:Win32/Horst.AK TrojanDDoS.Boxed 
Trojan.Ddos.Boxed.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.3448": [[26, 42]], "Indicator: Trojan.Ddos.Boxed.A": [[43, 62], [85, 104], [105, 124], [248, 267], [290, 309], [419, 438], [499, 518]], "Indicator: Trojan/W32.DDoS.27718": [[63, 84]], "Indicator: Trojan.Win32.Boxed.fqap": [[125, 148]], "Indicator: Win32/DDoS.Boxed.M": [[149, 167]], "Indicator: Trojan.QHosts.G": [[168, 183]], "Indicator: Trojan.Win32.DDoS-Boxed.27718.B[h]": [[184, 218]], "Indicator: Win32.Trojan-ddos.Boxed.Wlfe": [[219, 247]], "Indicator: Worm.Win32.Robobot._0": [[268, 289]], "Indicator: Flooder.Boxed": [[310, 323]], "Indicator: Tool.Boxed.Win32.13": [[324, 343]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[344, 373]], "Indicator: Trojan-DDoS.Boxed.a": [[374, 393]], "Indicator: Trojan[DDoS]/Win32.Boxed": [[394, 418]], "Indicator: Win-Trojan/Boxed.60185": [[439, 461]], "Indicator: DDoS:Win32/Horst.AK": [[462, 481]], "Indicator: TrojanDDoS.Boxed": [[482, 498]]}, "info": {"id": "cyner2_8class_test_01190", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Exploit.Sqlhuc.A Trojan-Exploit/W32.Sqlhuc.61440 Exploit.W32.SQLhuc.a!c Trojan/Exploit.SQLhuc.a Trojan.Exploit.Sqlhuc.A Win32.Trojan.WisdomEyes.16070401.9500.9604 Win.Trojan.Exploit-436 Trojan.Exploit.Sqlhuc.A Exploit.Win32.SQLhuc.a Trojan.Exploit.Sqlhuc.A Exploit.Win32.SQLhuc.ikewf Trojan.Exploit.Sqlhuc.A Exploit.Dameware Exploit.SQLhuc.Win32.13 Exploit.SQLhuc.a Trojan[Exploit]/Win32.SQLhuc Exploit.Win32.SQLhuc.a Trojan.Exploit.Sqlhuc.A Exploit.SQLhuc Win32.Exploit.Sqlhuc.dovt Exploit.SQLhuc!yHLnpmu0I0s Exploit.Win32.SQLhuc", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.Sqlhuc.A": [[26, 49], [129, 152], [219, 242], [266, 289], [317, 340], [451, 474]], "Indicator: Trojan-Exploit/W32.Sqlhuc.61440": [[50, 81]], "Indicator: Exploit.W32.SQLhuc.a!c": [[82, 104]], "Indicator: Trojan/Exploit.SQLhuc.a": [[105, 128]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9604": 
[[153, 195]], "Indicator: Win.Trojan.Exploit-436": [[196, 218]], "Indicator: Exploit.Win32.SQLhuc.a": [[243, 265], [428, 450]], "Indicator: Exploit.Win32.SQLhuc.ikewf": [[290, 316]], "Indicator: Exploit.Dameware": [[341, 357]], "Indicator: Exploit.SQLhuc.Win32.13": [[358, 381]], "Indicator: Exploit.SQLhuc.a": [[382, 398]], "Indicator: Trojan[Exploit]/Win32.SQLhuc": [[399, 427]], "Indicator: Exploit.SQLhuc": [[475, 489]], "Indicator: Win32.Exploit.Sqlhuc.dovt": [[490, 515]], "Indicator: Exploit.SQLhuc!yHLnpmu0I0s": [[516, 542]], "Indicator: Exploit.Win32.SQLhuc": [[543, 563]]}, "info": {"id": "cyner2_8class_test_01191", "source": "cyner2_8class_test"}} {"text": "With this blog series we will be sharing our research analysis with the research and broader security community , starting with the PHA family , Zen .", "spans": {"Malware: Zen": [[145, 148]]}, "info": {"id": "cyner2_8class_test_01192", "source": "cyner2_8class_test"}} {"text": "] com md5c [ .", "spans": {"Indicator: md5c [ .": [[6, 14]]}, "info": {"id": "cyner2_8class_test_01193", "source": "cyner2_8class_test"}} {"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) .", "spans": {"Organization: twitter": [[35, 42]], "Indicator: https : //twitter.com/fdgoer343": [[53, 84]]}, "info": {"id": "cyner2_8class_test_01194", "source": "cyner2_8class_test"}} {"text": "We deployed our IR team andtechnologyand immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR.", "spans": {"Organization: IR team": [[16, 23]], "ThreatActor: adversaries": [[82, 93]], "ThreatActor: COZY BEAR": [[111, 120]], "ThreatActor: FANCY BEAR.": [[125, 136]]}, "info": {"id": "cyner2_8class_test_01195", "source": "cyner2_8class_test"}} {"text": "The configuration file contains a list of financial applications that can be targeted by EventBot .", "spans": {"Malware: EventBot": [[89, 97]]}, "info": {"id": "cyner2_8class_test_01196", "source": "cyner2_8class_test"}} 
{"text": "A backdoor also known as: Downloader.Small.Win32.93529 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Small.edqjmf TrojWare.MSIL.TrojanDownloader.Small.ANH Trojan.DownLoader22.5786 TR/Dropper.ihejz TrojanDownloader:MSIL/Samll.GM!bit Trojan/Win32.Small.R187245 Trojan-Downloader.MSIL.Small Trj/Downloader.WKR", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Small.Win32.93529": [[26, 54]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[55, 97]], "Indicator: Trojan.Win32.Small.edqjmf": [[98, 123]], "Indicator: TrojWare.MSIL.TrojanDownloader.Small.ANH": [[124, 164]], "Indicator: Trojan.DownLoader22.5786": [[165, 189]], "Indicator: TR/Dropper.ihejz": [[190, 206]], "Indicator: TrojanDownloader:MSIL/Samll.GM!bit": [[207, 241]], "Indicator: Trojan/Win32.Small.R187245": [[242, 268]], "Indicator: Trojan-Downloader.MSIL.Small": [[269, 297]], "Indicator: Trj/Downloader.WKR": [[298, 316]]}, "info": {"id": "cyner2_8class_test_01197", "source": "cyner2_8class_test"}} {"text": "One peculiar thing about the actor group behind this banking malware is that they have an “ official ” twitter account that they use to post promotional content ( even videos ) about the malware .", "spans": {"Organization: twitter": [[103, 110]]}, "info": {"id": "cyner2_8class_test_01198", "source": "cyner2_8class_test"}} {"text": "Each sample contains a userId hardcoded , meaning that each sample can only be used in a victim .", "spans": {}, "info": {"id": "cyner2_8class_test_01199", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.SalemiG.Trojan Trojan-Clicker/W32.Small.94208.B Trojan-Clicker.Win32.Small!O Backdoor.Jepesroot Trojan.Clicker.Small Trojan.Zusy.D177ED TROJ_CLICKER.EXY Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.OOJA-2903 Trojan.Downbot TROJ_CLICKER.EXY Trojan-Clicker.Win32.Small.alj Trojan.Win32.Small.ecxxnx Troj.Clicker.W32.Small.alj!c Trojan.Click2.56222 Trojan.Small.Win32.19361 Trojan-Clicker.Win32.Small 
TrojanClicker.Small.bzp TR/Spy.94208.966 Trojan[Clicker]/Win32.Small Backdoor:Win32/Jepesroot.A Trojan-Clicker.Win32.Small.alj TrojanClicker.Small Win32.Trojan.Small.Fic Trojan.CL.Small!2UY0dzWAQPY W32/Small.ALJ!tr Win32/Trojan.Clicker.7c4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.SalemiG.Trojan": [[26, 44]], "Indicator: Trojan-Clicker/W32.Small.94208.B": [[45, 77]], "Indicator: Trojan-Clicker.Win32.Small!O": [[78, 106]], "Indicator: Backdoor.Jepesroot": [[107, 125]], "Indicator: Trojan.Clicker.Small": [[126, 146]], "Indicator: Trojan.Zusy.D177ED": [[147, 165]], "Indicator: TROJ_CLICKER.EXY": [[166, 182], [262, 278]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[183, 225]], "Indicator: W32/Trojan.OOJA-2903": [[226, 246]], "Indicator: Trojan.Downbot": [[247, 261]], "Indicator: Trojan-Clicker.Win32.Small.alj": [[279, 309], [533, 563]], "Indicator: Trojan.Win32.Small.ecxxnx": [[310, 335]], "Indicator: Troj.Clicker.W32.Small.alj!c": [[336, 364]], "Indicator: Trojan.Click2.56222": [[365, 384]], "Indicator: Trojan.Small.Win32.19361": [[385, 409]], "Indicator: Trojan-Clicker.Win32.Small": [[410, 436]], "Indicator: TrojanClicker.Small.bzp": [[437, 460]], "Indicator: TR/Spy.94208.966": [[461, 477]], "Indicator: Trojan[Clicker]/Win32.Small": [[478, 505]], "Indicator: Backdoor:Win32/Jepesroot.A": [[506, 532]], "Indicator: TrojanClicker.Small": [[564, 583]], "Indicator: Win32.Trojan.Small.Fic": [[584, 606]], "Indicator: Trojan.CL.Small!2UY0dzWAQPY": [[607, 634]], "Indicator: W32/Small.ALJ!tr": [[635, 651]], "Indicator: Win32/Trojan.Clicker.7c4": [[652, 676]]}, "info": {"id": "cyner2_8class_test_01200", "source": "cyner2_8class_test"}} {"text": "] ee Backend server xyz [ .", "spans": {"Indicator: server xyz [ .": [[13, 27]]}, "info": {"id": "cyner2_8class_test_01201", "source": "cyner2_8class_test"}} {"text": "What did surprise us though was what password combination was first to be hit; ubnt/ubnt.", "spans": {}, "info": {"id": 
"cyner2_8class_test_01202", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DownLoad.6018 TrojanDownloader:Win32/Seimon.D Trojan.DL.Win32.Mnless.des Virus.Win32.Crypt.CHY Downloader.Tiny.W", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoad.6018": [[26, 46]], "Indicator: TrojanDownloader:Win32/Seimon.D": [[47, 78]], "Indicator: Trojan.DL.Win32.Mnless.des": [[79, 105]], "Indicator: Virus.Win32.Crypt.CHY": [[106, 127]], "Indicator: Downloader.Tiny.W": [[128, 145]]}, "info": {"id": "cyner2_8class_test_01203", "source": "cyner2_8class_test"}} {"text": "In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely.", "spans": {"ThreatActor: malware authors'": [[13, 29]], "Indicator: cause damage,": [[47, 60]], "Indicator: data decryption very unlikely.": [[101, 131]]}, "info": {"id": "cyner2_8class_test_01204", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9789 Backdoor.Trojan W32/Trojan.IJEJ-0016 Trojan:Win32/Piver.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9789": [[26, 68]], "Indicator: Backdoor.Trojan": [[69, 84]], "Indicator: W32/Trojan.IJEJ-0016": [[85, 105]], "Indicator: Trojan:Win32/Piver.A": [[106, 126]], "Indicator: Trj/GdSda.A": [[127, 138]]}, "info": {"id": "cyner2_8class_test_01205", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Razy.D182C6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan.Cerber.Ecaz Trojan.DownLoader22.58394 BehavesLike.Win32.BadFile.ph TR/Crypt.ZPACK.shqbd TrojanDownloader:Win32/Aningik.A Trojan/Win32.Injector.C2272311 TrojanDropper.Injector Trj/GdSda.A W32/Kryptik.FQRH!tr Win32/Trojan.0eb", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Razy.D182C6": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[45, 87]], "Indicator: 
Win32.Trojan.Cerber.Ecaz": [[88, 112]], "Indicator: Trojan.DownLoader22.58394": [[113, 138]], "Indicator: BehavesLike.Win32.BadFile.ph": [[139, 167]], "Indicator: TR/Crypt.ZPACK.shqbd": [[168, 188]], "Indicator: TrojanDownloader:Win32/Aningik.A": [[189, 221]], "Indicator: Trojan/Win32.Injector.C2272311": [[222, 252]], "Indicator: TrojanDropper.Injector": [[253, 275]], "Indicator: Trj/GdSda.A": [[276, 287]], "Indicator: W32/Kryptik.FQRH!tr": [[288, 307]], "Indicator: Win32/Trojan.0eb": [[308, 324]]}, "info": {"id": "cyner2_8class_test_01206", "source": "cyner2_8class_test"}} {"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews .", "spans": {"System: Google Play": [[127, 138]]}, "info": {"id": "cyner2_8class_test_01207", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Neutrinopos Troj.Banker.W32.Neutrinopos!c TSPY_EMOTET.SMD3 Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.UKAG-9003 Win.Trojan.Emotet-6443084-0 Trojan-Banker.Win32.NeutrinoPOS.aob Trojan.Win32.NeutrinoPOS.exlwaa Trojan.DownLoad4.218 BehavesLike.Win32.MultiPlug.dc TR/Crypt.Xpack.ngfuq Trojan[Banker]/Win32.NeutrinoPOS Trojan:Win32/Awkolo.A Trojan.Trojan.Crypt.21 Trojan.Win32.Z.Neutrinopos.233984 Trojan/Win32.Hermesran.C2375358 Trojan-Banker.Win32.NeutrinoPOS.aob W32/Kryptik.GBHF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Neutrinopos": [[26, 44]], "Indicator: Troj.Banker.W32.Neutrinopos!c": [[45, 74]], "Indicator: TSPY_EMOTET.SMD3": [[75, 91]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9993": [[92, 134]], "Indicator: W32/Trojan.UKAG-9003": [[135, 155]], "Indicator: Win.Trojan.Emotet-6443084-0": [[156, 183]], "Indicator: Trojan-Banker.Win32.NeutrinoPOS.aob": [[184, 219], [469, 504]], "Indicator: Trojan.Win32.NeutrinoPOS.exlwaa": [[220, 251]], "Indicator: Trojan.DownLoad4.218": [[252, 272]], "Indicator: BehavesLike.Win32.MultiPlug.dc": 
[[273, 303]], "Indicator: TR/Crypt.Xpack.ngfuq": [[304, 324]], "Indicator: Trojan[Banker]/Win32.NeutrinoPOS": [[325, 357]], "Indicator: Trojan:Win32/Awkolo.A": [[358, 379]], "Indicator: Trojan.Trojan.Crypt.21": [[380, 402]], "Indicator: Trojan.Win32.Z.Neutrinopos.233984": [[403, 436]], "Indicator: Trojan/Win32.Hermesran.C2375358": [[437, 468]], "Indicator: W32/Kryptik.GBHF!tr": [[505, 524]]}, "info": {"id": "cyner2_8class_test_01208", "source": "cyner2_8class_test"}} {"text": "To date, two periods of high activity have been identified following the initial attack. These were in May and October 2016.", "spans": {"Date: date,": [[3, 8]], "Indicator: attack.": [[81, 88]], "Date: May": [[103, 106]], "Date: October 2016.": [[111, 124]]}, "info": {"id": "cyner2_8class_test_01209", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Deshacop.1549312 Ransom.Haknata.S1240226 Ransom_AIRACROP.SM Ransom.Haknata!g1 Ransom_AIRACROP.SM Trojan-Ransom.Win32.Xpan.f Trojan.Win32.Deshacop.enxprt TrojWare.Win32.Ransom.XRatLocker.D Trojan.Encoder.11112 Trojan.Xpan.Win32.2 Trojan.Xpan.b Ransom:Win32/Haknata.A!rsm Trojan.Win32.Ransom.1549312 Trojan-Ransom.Win32.Xpan.f Trojan/Win32.Ransom.C1926988 Hoax.Xpan Ransom.NMoreira Trojan-Ransom.Win32.Xpan.f Trojan.Xpan! 
Win32.Trojan-Ransom.XPan.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Deshacop.1549312": [[26, 53]], "Indicator: Ransom.Haknata.S1240226": [[54, 77]], "Indicator: Ransom_AIRACROP.SM": [[78, 96], [115, 133]], "Indicator: Ransom.Haknata!g1": [[97, 114]], "Indicator: Trojan-Ransom.Win32.Xpan.f": [[134, 160], [335, 361], [417, 443]], "Indicator: Trojan.Win32.Deshacop.enxprt": [[161, 189]], "Indicator: TrojWare.Win32.Ransom.XRatLocker.D": [[190, 224]], "Indicator: Trojan.Encoder.11112": [[225, 245]], "Indicator: Trojan.Xpan.Win32.2": [[246, 265]], "Indicator: Trojan.Xpan.b": [[266, 279]], "Indicator: Ransom:Win32/Haknata.A!rsm": [[280, 306]], "Indicator: Trojan.Win32.Ransom.1549312": [[307, 334]], "Indicator: Trojan/Win32.Ransom.C1926988": [[362, 390]], "Indicator: Hoax.Xpan": [[391, 400]], "Indicator: Ransom.NMoreira": [[401, 416]], "Indicator: Trojan.Xpan!": [[444, 456]], "Indicator: Win32.Trojan-Ransom.XPan.B": [[457, 483]]}, "info": {"id": "cyner2_8class_test_01210", "source": "cyner2_8class_test"}} {"text": "We also saw a lot of copycats use HiddenTear in local attacks.", "spans": {"Malware: HiddenTear": [[34, 44]], "Indicator: local attacks.": [[48, 62]]}, "info": {"id": "cyner2_8class_test_01211", "source": "cyner2_8class_test"}} {"text": "Location services to enable ( GPS/network ) tracking : The email command and control protocol .", "spans": {}, "info": {"id": "cyner2_8class_test_01212", "source": "cyner2_8class_test"}} {"text": "When inserted , this method runs every time any Activity object in any Android app is created .", "spans": {}, "info": {"id": "cyner2_8class_test_01213", "source": "cyner2_8class_test"}} {"text": "This customer is a global technology company, which deployed Skycure's Enterprise Mobile Threat Defense solution for all iOS and Android devices within their organization.", "spans": {"Organization: customer": [[5, 13]], "Organization: global technology company,": [[19, 45]], "System: Skycure's Enterprise Mobile 
Threat Defense solution": [[61, 112]], "System: iOS": [[121, 124]], "System: Android devices": [[129, 144]], "Organization: organization.": [[158, 171]]}, "info": {"id": "cyner2_8class_test_01214", "source": "cyner2_8class_test"}} {"text": "] it server3fi.exodus.connexxa [ .", "spans": {"Indicator: server3fi.exodus.connexxa [ .": [[5, 34]]}, "info": {"id": "cyner2_8class_test_01215", "source": "cyner2_8class_test"}} {"text": "The following is the code routine for video capturing .", "spans": {}, "info": {"id": "cyner2_8class_test_01216", "source": "cyner2_8class_test"}} {"text": "FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection.", "spans": {"ThreatActor: FIN7": [[0, 4]], "Malware: Microsoft Office macros": [[36, 59]]}, "info": {"id": "cyner2_8class_test_01217", "source": "cyner2_8class_test"}} {"text": "] com Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive .", "spans": {"Malware: 9002": [[50, 54]]}, "info": {"id": "cyner2_8class_test_01218", "source": "cyner2_8class_test"}} {"text": "PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016.", "spans": {"Malware: PoshCoder": [[0, 9]], "Indicator: encrypting files with": [[19, 40]], "System: PowerShell": [[41, 51]], "Date: 2014,": [[58, 63]], "Malware: variant named PowerWare": [[76, 99]], "Date: March 2016.": [[116, 127]]}, "info": {"id": "cyner2_8class_test_01219", "source": "cyner2_8class_test"}} {"text": "Previous reports alleged this surveillanceware tool was deployed using ‘ honey traps ’ where the actor behind it would reach out to targets via fake social media profiles of young women .", "spans": {}, "info": {"id": "cyner2_8class_test_01220", "source": "cyner2_8class_test"}} {"text": "Its targets? 
Mostly rural banks.", "spans": {}, "info": {"id": "cyner2_8class_test_01221", "source": "cyner2_8class_test"}} {"text": "EventBot is a mobile banking trojan and infostealer that abuses Android ’ s accessibility features to steal user data from financial applications , read user SMS messages , and steal SMS messages to allow the malware to bypass two-factor authentication .", "spans": {"Malware: EventBot": [[0, 8]], "System: Android": [[64, 71]]}, "info": {"id": "cyner2_8class_test_01222", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Delf.okv TROJ_SPNR.07E313 Win32.Trojan.WisdomEyes.16070401.9500.9758 Trojan.Blackrev TROJ_SPNR.07E313 Win.Trojan.BlackRev-1 Backdoor.Win32.Botan.g Trojan.Win32.Botan.brdkmd Backdoor.W32.Botan.g!c BehavesLike.Win32.Downloader.dh Trojan[Backdoor]/Win32.Botan Trojan.Heur.DP.ED2FCD Backdoor.Win32.Botan.g Trojan:Win32/Blaruv.A Backdoor/Win32.Botan.R68943 Backdoor.Botan Win32.Backdoor.Botan.bqxd Backdoor.Botan!qG6ElS48lO0 W32/Botan.G!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Delf.okv": [[26, 41]], "Indicator: TROJ_SPNR.07E313": [[42, 58], [118, 134]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9758": [[59, 101]], "Indicator: Trojan.Blackrev": [[102, 117]], "Indicator: Win.Trojan.BlackRev-1": [[135, 156]], "Indicator: Backdoor.Win32.Botan.g": [[157, 179], [312, 334]], "Indicator: Trojan.Win32.Botan.brdkmd": [[180, 205]], "Indicator: Backdoor.W32.Botan.g!c": [[206, 228]], "Indicator: BehavesLike.Win32.Downloader.dh": [[229, 260]], "Indicator: Trojan[Backdoor]/Win32.Botan": [[261, 289]], "Indicator: Trojan.Heur.DP.ED2FCD": [[290, 311]], "Indicator: Trojan:Win32/Blaruv.A": [[335, 356]], "Indicator: Backdoor/Win32.Botan.R68943": [[357, 384]], "Indicator: Backdoor.Botan": [[385, 399]], "Indicator: Win32.Backdoor.Botan.bqxd": [[400, 425]], "Indicator: Backdoor.Botan!qG6ElS48lO0": [[426, 452]], "Indicator: W32/Botan.G!tr.bdr": [[453, 471]]}, "info": {"id": "cyner2_8class_test_01223", 
"source": "cyner2_8class_test"}} {"text": "Check Point analyzed Yingmob ’ s Umeng account to gain further insights into the HummingBad campaign and found that beyond the 10 million devices under the control of malicious apps , Yingmob has non-malicious apps installed on another 75 million or so devices .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Yingmob": [[21, 28], [184, 191]], "Malware: HummingBad": [[81, 91]]}, "info": {"id": "cyner2_8class_test_01224", "source": "cyner2_8class_test"}} {"text": "GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault.", "spans": {"Malware: GreenDispenser": [[0, 14]], "ThreatActor: attacker": [[27, 35]], "Indicator: infected ATM": [[65, 77]]}, "info": {"id": "cyner2_8class_test_01225", "source": "cyner2_8class_test"}} {"text": "The time bomb triggers unpacker thread .", "spans": {}, "info": {"id": "cyner2_8class_test_01226", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.IcqSmiley!O Trojan.Comisproc Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/PWStealer.ALC TROJ_SMALL.FUG Win.Trojan.Killav-128 Trojan.Win32.KillAV.ko Trojan.Win32.IcqSmiley.lfar Trojan.Win32.PSWIcqSmiley.318464 Backdoor.W32.Rbot.leZz TrojWare.Win32.TrojanDropper.Delf.~EP Trojan.MulDrop3.64513 TROJ_SMALL.FUG BehavesLike.Win32.Rontokbro.gc W32/PWS.KAIY-5570 BAT/KillAV.OF Trojan/Win32.KillAV PWS:Win32/Icqsmiley.C Trojan.Win32.KillAV.ko Trojan/Win32.Icqsmiley.R2458 TrojanPSW.IcqSmiley Trj/Bifrose.ADX Win32.Trojan.Killav.Lmko Trojan.PWS.IcqSmiley.CT Trojan-PWS.Win32.IcqSmiley", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.IcqSmiley!O": [[26, 54]], "Indicator: Trojan.Comisproc": [[55, 71]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9989": [[72, 114]], "Indicator: W32/PWStealer.ALC": [[115, 132]], "Indicator: TROJ_SMALL.FUG": [[133, 147], [337, 351]], "Indicator: Win.Trojan.Killav-128": [[148, 169]], "Indicator: 
Trojan.Win32.KillAV.ko": [[170, 192], [457, 479]], "Indicator: Trojan.Win32.IcqSmiley.lfar": [[193, 220]], "Indicator: Trojan.Win32.PSWIcqSmiley.318464": [[221, 253]], "Indicator: Backdoor.W32.Rbot.leZz": [[254, 276]], "Indicator: TrojWare.Win32.TrojanDropper.Delf.~EP": [[277, 314]], "Indicator: Trojan.MulDrop3.64513": [[315, 336]], "Indicator: BehavesLike.Win32.Rontokbro.gc": [[352, 382]], "Indicator: W32/PWS.KAIY-5570": [[383, 400]], "Indicator: BAT/KillAV.OF": [[401, 414]], "Indicator: Trojan/Win32.KillAV": [[415, 434]], "Indicator: PWS:Win32/Icqsmiley.C": [[435, 456]], "Indicator: Trojan/Win32.Icqsmiley.R2458": [[480, 508]], "Indicator: TrojanPSW.IcqSmiley": [[509, 528]], "Indicator: Trj/Bifrose.ADX": [[529, 544]], "Indicator: Win32.Trojan.Killav.Lmko": [[545, 569]], "Indicator: Trojan.PWS.IcqSmiley.CT": [[570, 593]], "Indicator: Trojan-PWS.Win32.IcqSmiley": [[594, 620]]}, "info": {"id": "cyner2_8class_test_01227", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Pendix.hkft WS.Reputation.1 Win32/Tnega.HKQ Trojan.DL.Pendix!lutuOvIGAUo TrojWare.Win32.TrojanDownloader.Small.DO Trojan.DownLoad.31536 TR/Dldr.Pendix.C.4 Win32.TrojDownloader.Small.kcloud TrojanDownloader:Win32/Pendix.C Win-Trojan/Xema.variant TrojanDownloader.Pendix Worm.Win32.Viking.pf Trojan.Crypt.XPACK W32/Dloader.AC!tr.dldr Downloader.Small.61.AQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Pendix.hkft": [[26, 50]], "Indicator: WS.Reputation.1": [[51, 66]], "Indicator: Win32/Tnega.HKQ": [[67, 82]], "Indicator: Trojan.DL.Pendix!lutuOvIGAUo": [[83, 111]], "Indicator: TrojWare.Win32.TrojanDownloader.Small.DO": [[112, 152]], "Indicator: Trojan.DownLoad.31536": [[153, 174]], "Indicator: TR/Dldr.Pendix.C.4": [[175, 193]], "Indicator: Win32.TrojDownloader.Small.kcloud": [[194, 227]], "Indicator: TrojanDownloader:Win32/Pendix.C": [[228, 259]], "Indicator: Win-Trojan/Xema.variant": [[260, 283]], "Indicator: TrojanDownloader.Pendix": [[284, 307]], 
"Indicator: Worm.Win32.Viking.pf": [[308, 328]], "Indicator: Trojan.Crypt.XPACK": [[329, 347]], "Indicator: W32/Dloader.AC!tr.dldr": [[348, 370]], "Indicator: Downloader.Small.61.AQ": [[371, 393]]}, "info": {"id": "cyner2_8class_test_01228", "source": "cyner2_8class_test"}} {"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "cyner2_8class_test_01229", "source": "cyner2_8class_test"}} {"text": "Together , during the latter half of 2018 , we worked to remove the apps from the Play store while it was being deployed in the wild .", "spans": {"System: Play store": [[82, 92]]}, "info": {"id": "cyner2_8class_test_01230", "source": "cyner2_8class_test"}} {"text": "In particular , avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android .", "spans": {"System: Android": [[137, 144]]}, "info": {"id": "cyner2_8class_test_01231", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Exploit.Rpclsa.Akyn Win32.Trojan.WisdomEyes.16070401.9500.9998 Hacktool.LsassSba Win.Trojan.Packed-85 Exploit.Win32.RPCLsa.01.c Trojan.Win32.RPCLsa.fzmz TrojWare.Win32.PkdMorphine.~AN Exploit.Lsass BehavesLike.Win32.Dropper.mc W32/Risk.UYXY-7581 Packed.Morphine.a HackTool:Win32/Lasba.A Exploit.Win32.RPCLsa.01.c Exploit.RPCLsa.01 Win32/Exploit.RPCLsa.01.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Exploit.Rpclsa.Akyn": [[26, 51]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[52, 94]], "Indicator: Hacktool.LsassSba": [[95, 112]], "Indicator: Win.Trojan.Packed-85": [[113, 133]], "Indicator: Exploit.Win32.RPCLsa.01.c": [[134, 159], [319, 344]], "Indicator: Trojan.Win32.RPCLsa.fzmz": [[160, 184]], "Indicator: TrojWare.Win32.PkdMorphine.~AN": [[185, 215]], "Indicator: Exploit.Lsass": [[216, 229]], "Indicator: BehavesLike.Win32.Dropper.mc": [[230, 258]], "Indicator: W32/Risk.UYXY-7581": [[259, 277]], "Indicator: 
Packed.Morphine.a": [[278, 295]], "Indicator: HackTool:Win32/Lasba.A": [[296, 318]], "Indicator: Exploit.RPCLsa.01": [[345, 362]], "Indicator: Win32/Exploit.RPCLsa.01.C": [[363, 388]]}, "info": {"id": "cyner2_8class_test_01232", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.45056.D HackTool.Win32.IPCCrack Win32/HackTool.IPCCrack.A W32/Downloader.ZNW Hacktool.IPCscan Hacktool.Ipccrack HackTool.Win32.IPCCrack Trojan.Hacktool.Ipccrack.A HackTool.Win32.IPCCrack Tool.IPCcrack Win32/HackTool.IPCCrack.A SPR/Hackto.IPCCrack W32/Downloader.ZNW HackTool.Win32.IPCCrack!IK Riskware.Hackto.IPCCrack Trojan.Hacktool.Ipccrack.A Win-Trojan/IPCHack.45056 HackTool.Win32.IPCCrack HackTool.EB", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.HackTool.45056.D": [[26, 53]], "Indicator: HackTool.Win32.IPCCrack": [[54, 77], [158, 181], [209, 232], [416, 439]], "Indicator: Win32/HackTool.IPCCrack.A": [[78, 103], [247, 272]], "Indicator: W32/Downloader.ZNW": [[104, 122], [293, 311]], "Indicator: Hacktool.IPCscan": [[123, 139]], "Indicator: Hacktool.Ipccrack": [[140, 157]], "Indicator: Trojan.Hacktool.Ipccrack.A": [[182, 208], [364, 390]], "Indicator: Tool.IPCcrack": [[233, 246]], "Indicator: SPR/Hackto.IPCCrack": [[273, 292]], "Indicator: HackTool.Win32.IPCCrack!IK": [[312, 338]], "Indicator: Riskware.Hackto.IPCCrack": [[339, 363]], "Indicator: Win-Trojan/IPCHack.45056": [[391, 415]], "Indicator: HackTool.EB": [[440, 451]]}, "info": {"id": "cyner2_8class_test_01233", "source": "cyner2_8class_test"}} {"text": "The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations.", "spans": {"Organization: The energy sector": [[0, 17]], "Location: Europe": [[21, 27]], "Location: North America": [[32, 45]], "Indicator: cyber attacks": [[81, 94]], "ThreatActor: attackers": [[114, 123]]}, "info": {"id": 
"cyner2_8class_test_01234", "source": "cyner2_8class_test"}} {"text": "By : Tony Bao , Junzhi Lu April 14 , 2020 We discovered a potential cyberespionage campaign , which we have named Project Spy , that infects Android and iOS devices with spyware ( detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A , respectively ) .", "spans": {"Malware: Project Spy": [[114, 125]], "System: Android": [[141, 148]], "System: iOS": [[153, 156]], "Organization: Trend Micro": [[192, 203]], "Indicator: AndroidOS_ProjectSpy.HRX": [[207, 231]], "Indicator: IOS_ProjectSpy.A": [[236, 252]]}, "info": {"id": "cyner2_8class_test_01235", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm/W32.FileInfector.74752 Trojan.Win32.Antavmu!O Trojan.Antavmu.D7 Variant.Kazy.mC6j Trojan/Antavmu.jws Win32.Trojan.WisdomEyes.16070401.9500.9984 Win32/Antavmu.HM TSPY_ANTAVMU_BK08301E.TOMC Win.Trojan.Antavmu-112 Virus.DOS.Moctezuma.2416 Trojan.Win32.Antavmu.dhwgp Trojan.Win32.A.Antavmu.74752 TrojWare.Win32.KillFiles.NEH Trojan.MulDrop7.61508 BehavesLike.Win32.Dropper.lh Backdoor.Poison TR/Antavmu.doena RiskWare[RiskTool]/Win32.Killfiles.neh Trojan:Win32/Antavmu.D Worm.Antavmu Virus.DOS.Moctezuma.2416 Trojan/Win32.Antavmu.R25058 Moctezuma.2416", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm/W32.FileInfector.74752": [[26, 53]], "Indicator: Trojan.Win32.Antavmu!O": [[54, 76]], "Indicator: Trojan.Antavmu.D7": [[77, 94]], "Indicator: Variant.Kazy.mC6j": [[95, 112]], "Indicator: Trojan/Antavmu.jws": [[113, 131]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9984": [[132, 174]], "Indicator: Win32/Antavmu.HM": [[175, 191]], "Indicator: TSPY_ANTAVMU_BK08301E.TOMC": [[192, 218]], "Indicator: Win.Trojan.Antavmu-112": [[219, 241]], "Indicator: Virus.DOS.Moctezuma.2416": [[242, 266], [511, 535]], "Indicator: Trojan.Win32.Antavmu.dhwgp": [[267, 293]], "Indicator: Trojan.Win32.A.Antavmu.74752": [[294, 322]], "Indicator: TrojWare.Win32.KillFiles.NEH": [[323, 
351]], "Indicator: Trojan.MulDrop7.61508": [[352, 373]], "Indicator: BehavesLike.Win32.Dropper.lh": [[374, 402]], "Indicator: Backdoor.Poison": [[403, 418]], "Indicator: TR/Antavmu.doena": [[419, 435]], "Indicator: RiskWare[RiskTool]/Win32.Killfiles.neh": [[436, 474]], "Indicator: Trojan:Win32/Antavmu.D": [[475, 497]], "Indicator: Worm.Antavmu": [[498, 510]], "Indicator: Trojan/Win32.Antavmu.R25058": [[536, 563]], "Indicator: Moctezuma.2416": [[564, 578]]}, "info": {"id": "cyner2_8class_test_01236", "source": "cyner2_8class_test"}} {"text": "Malware code showing definition of populateConfigMap Figure 14 .", "spans": {}, "info": {"id": "cyner2_8class_test_01237", "source": "cyner2_8class_test"}} {"text": "Earlier this week Symantec released a blog post detailing a new Trojan used by the Duke' family of malware.", "spans": {"Organization: Symantec": [[18, 26]], "Malware: Trojan": [[64, 70]], "Malware: Duke' family of malware.": [[83, 107]]}, "info": {"id": "cyner2_8class_test_01238", "source": "cyner2_8class_test"}} {"text": "This Pokémon is known for hiding in the night, which is an appropriate characteristic for a rootkit. 
We detect Umbreon under the ELF_UMBREON family.", "spans": {"Malware: rootkit.": [[92, 100]], "Malware: Umbreon": [[111, 118]], "Indicator: ELF_UMBREON": [[129, 140]], "Malware: family.": [[141, 148]]}, "info": {"id": "cyner2_8class_test_01239", "source": "cyner2_8class_test"}} {"text": "Reports indicate fake versions of the Amaq app exist , likely in order to spy on those that use it .", "spans": {"System: Amaq": [[38, 42]]}, "info": {"id": "cyner2_8class_test_01240", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Virut.G Dropper.Injector.Win32.74722 Win32.Trojan.WisdomEyes.16070401.9500.9918 W32/Trojan.KWXU-0317 Worm.Win32.AutoIt.akx Win32.Worm.Autoit.Syrr BehavesLike.Win32.Downloader.bh Worm.Win32.AutoIt Worm:Win32/Wervik.A Worm.Win32.AutoIt.akx Dropper/Win32.Autoit.R153775 Trojan.Autoit.Wirus Win32/Autoit.IV W32/AutoIt.AKX!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: Dropper.Injector.Win32.74722": [[38, 66]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9918": [[67, 109]], "Indicator: W32/Trojan.KWXU-0317": [[110, 130]], "Indicator: Worm.Win32.AutoIt.akx": [[131, 152], [246, 267]], "Indicator: Win32.Worm.Autoit.Syrr": [[153, 175]], "Indicator: BehavesLike.Win32.Downloader.bh": [[176, 207]], "Indicator: Worm.Win32.AutoIt": [[208, 225]], "Indicator: Worm:Win32/Wervik.A": [[226, 245]], "Indicator: Dropper/Win32.Autoit.R153775": [[268, 296]], "Indicator: Trojan.Autoit.Wirus": [[297, 316]], "Indicator: Win32/Autoit.IV": [[317, 332]], "Indicator: W32/AutoIt.AKX!worm": [[333, 352]]}, "info": {"id": "cyner2_8class_test_01241", "source": "cyner2_8class_test"}} {"text": "The adware functionality is the same in all the apps we analyzed .", "spans": {}, "info": {"id": "cyner2_8class_test_01242", "source": "cyner2_8class_test"}} {"text": "In our previous analysis MalwareBytes we showed how the Bunitu Trojan was distributed via the Neutrino exploit kit in various malvertising campaigns.", 
"spans": {"Organization: MalwareBytes": [[25, 37]], "Malware: Bunitu Trojan": [[56, 69]], "Malware: Neutrino exploit kit": [[94, 114]], "ThreatActor: malvertising campaigns.": [[126, 149]]}, "info": {"id": "cyner2_8class_test_01243", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.43A8 Backdoor.W32.Bifrose!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Bifrose Win32/Bifrost.D BKDR_BIFROSE.A Win.Trojan.Packed-85 Backdoor.Win32.Bifrose.uw Trojan.Win32.Bifrose.whnua Backdoor.Win32.A.Bifrose.185028 Trojan.Proxy.993 BKDR_BIFROSE.A BehavesLike.Win32.Sdbot.cc Packed.Morphine.a Backdoor.Win32.Bifrose.uw BackDoor-CEP.svr Win32/Bifrose.E Backdoor.Bifrose.LV Win32/Backdoor.b41", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.43A8": [[26, 42]], "Indicator: Backdoor.W32.Bifrose!c": [[43, 65]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[66, 108]], "Indicator: Backdoor.Bifrose": [[109, 125]], "Indicator: Win32/Bifrost.D": [[126, 141]], "Indicator: BKDR_BIFROSE.A": [[142, 156], [280, 294]], "Indicator: Win.Trojan.Packed-85": [[157, 177]], "Indicator: Backdoor.Win32.Bifrose.uw": [[178, 203], [340, 365]], "Indicator: Trojan.Win32.Bifrose.whnua": [[204, 230]], "Indicator: Backdoor.Win32.A.Bifrose.185028": [[231, 262]], "Indicator: Trojan.Proxy.993": [[263, 279]], "Indicator: BehavesLike.Win32.Sdbot.cc": [[295, 321]], "Indicator: Packed.Morphine.a": [[322, 339]], "Indicator: BackDoor-CEP.svr": [[366, 382]], "Indicator: Win32/Bifrose.E": [[383, 398]], "Indicator: Backdoor.Bifrose.LV": [[399, 418]], "Indicator: Win32/Backdoor.b41": [[419, 437]]}, "info": {"id": "cyner2_8class_test_01244", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.Nilage!O Trojan.Bitman Troj.Ransom.W32.Bitman!c Trojan.Zusy.D10181 Ransom_Bitman.R002C0DAD18 Win32.Trojan.WisdomEyes.16070401.9500.9824 Ransom_Bitman.R002C0DAD18 Trojan-Ransom.Win32.Bitman.acpk Trojan.Win32.Dwn.rggld Packed.Win32.TDSS.~AA 
Trojan.DownLoader5.23077 BehavesLike.Win32.Spyware.mm not-a-virus:PSWTool.Win32.PassView.b TrojanDownloader:Win32/Xolondox.A Win32.Trojan.Bitman.Pfta", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-GameThief.Win32.Nilage!O": [[26, 57]], "Indicator: Trojan.Bitman": [[58, 71]], "Indicator: Troj.Ransom.W32.Bitman!c": [[72, 96]], "Indicator: Trojan.Zusy.D10181": [[97, 115]], "Indicator: Ransom_Bitman.R002C0DAD18": [[116, 141], [185, 210]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9824": [[142, 184]], "Indicator: Trojan-Ransom.Win32.Bitman.acpk": [[211, 242]], "Indicator: Trojan.Win32.Dwn.rggld": [[243, 265]], "Indicator: Packed.Win32.TDSS.~AA": [[266, 287]], "Indicator: Trojan.DownLoader5.23077": [[288, 312]], "Indicator: BehavesLike.Win32.Spyware.mm": [[313, 341]], "Indicator: not-a-virus:PSWTool.Win32.PassView.b": [[342, 378]], "Indicator: TrojanDownloader:Win32/Xolondox.A": [[379, 412]], "Indicator: Win32.Trojan.Bitman.Pfta": [[413, 437]]}, "info": {"id": "cyner2_8class_test_01245", "source": "cyner2_8class_test"}} {"text": "Some variants have gone so far as to use a different key for the strings of each class .", "spans": {}, "info": {"id": "cyner2_8class_test_01246", "source": "cyner2_8class_test"}} {"text": "Swiss Post - The national postal service of Switzerland , a fully state-owned limited company ( AG ) regulated by public law .", "spans": {"Organization: Swiss Post": [[0, 10]]}, "info": {"id": "cyner2_8class_test_01247", "source": "cyner2_8class_test"}} {"text": "There have been several recent examples of companies choosing to release their software directly to consumers , bypassing traditional storefronts .", "spans": {}, "info": {"id": "cyner2_8class_test_01248", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Dorkbot.I4 Trojan.Graftor.D1F4E7 TROJ_KRYPTK.SM37 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Inject.BIM TROJ_KRYPTK.SM37 Trojan.Win32.Inject.ctewuy Trojan.Inject2.23 Trojan.Injector.Win32.224146 
Backdoor/Androm.cbq Trojan[Backdoor]/Win32.Androm Win32.Hack.Androm.bl.kcloud Trojan/Win32.Androm.R95438 TScope.Malware-Cryptor.SB Trj/Crilock.C Virus.Win32.Cryptor", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Dorkbot.I4": [[26, 41]], "Indicator: Trojan.Graftor.D1F4E7": [[42, 63]], "Indicator: TROJ_KRYPTK.SM37": [[64, 80], [141, 157]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[81, 123]], "Indicator: Win32/Inject.BIM": [[124, 140]], "Indicator: Trojan.Win32.Inject.ctewuy": [[158, 184]], "Indicator: Trojan.Inject2.23": [[185, 202]], "Indicator: Trojan.Injector.Win32.224146": [[203, 231]], "Indicator: Backdoor/Androm.cbq": [[232, 251]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[252, 281]], "Indicator: Win32.Hack.Androm.bl.kcloud": [[282, 309]], "Indicator: Trojan/Win32.Androm.R95438": [[310, 336]], "Indicator: TScope.Malware-Cryptor.SB": [[337, 362]], "Indicator: Trj/Crilock.C": [[363, 376]], "Indicator: Virus.Win32.Cryptor": [[377, 396]]}, "info": {"id": "cyner2_8class_test_01249", "source": "cyner2_8class_test"}} {"text": "Their publicly advertised products include CCTV management systems , surveillance drones , face and license plate recognition systems .", "spans": {}, "info": {"id": "cyner2_8class_test_01250", "source": "cyner2_8class_test"}} {"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package .", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: DroidJack RAT": [[27, 40]], "System: Pokemon GO": [[62, 72]]}, "info": {"id": "cyner2_8class_test_01251", "source": "cyner2_8class_test"}} {"text": "This indicates that the authors are trying to hide some messages showed by the system during the setup process .", "spans": {}, "info": {"id": "cyner2_8class_test_01252", "source": "cyner2_8class_test"}} {"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( 
but not all ) hosted on dynamic DNS domains .", "spans": {"Malware: simultaneous Red Alert 2.0 campaigns": [[26, 62]]}, "info": {"id": "cyner2_8class_test_01253", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.DownLoad.33363 TrojanClicker:Win32/Befeenk.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.DownLoad.33363": [[26, 47]], "Indicator: TrojanClicker:Win32/Befeenk.A": [[48, 77]]}, "info": {"id": "cyner2_8class_test_01254", "source": "cyner2_8class_test"}} {"text": "Once on the device , as installed by a duped user , the TrickMo component opens and sends an intent to start the accessibility settings activity , coercing the user to grant it with accessibility permissions .", "spans": {"Malware: TrickMo": [[56, 63]]}, "info": {"id": "cyner2_8class_test_01255", "source": "cyner2_8class_test"}} {"text": "Embedding malicious code in legitimate programs helps conceal infections from the victim .", "spans": {}, "info": {"id": "cyner2_8class_test_01256", "source": "cyner2_8class_test"}} {"text": "This figure demonstrates the following interesting information : The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016 .", "spans": {"Malware: RuMMS": [[111, 116]]}, "info": {"id": "cyner2_8class_test_01257", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Worm.Lehs.A W32/Lehs.A@mm W32/Lehs.A@mm Win32.Lehs Win32.Lehs.A@mm W32/Lehs.A@mm Worm.Win32.Lehs.A W32/Lehs.A@mm Win32.Lehs.a Worm:Win32/Lehs.A Win32/Lehs.A Worm.Win32.Lehs.A Worm.Win32.Lehs.A I-Worm/Lehs.A W32/Lehs.A.worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Worm.Lehs.A": [[26, 37]], "Indicator: W32/Lehs.A@mm": [[38, 51], [52, 65], [93, 106], [125, 138]], "Indicator: Win32.Lehs": [[66, 76]], "Indicator: Win32.Lehs.A@mm": [[77, 92]], "Indicator: Worm.Win32.Lehs.A": [[107, 124], [183, 200], [201, 218]], "Indicator: Win32.Lehs.a": [[139, 151]], "Indicator: Worm:Win32/Lehs.A": 
[[152, 169]], "Indicator: Win32/Lehs.A": [[170, 182]], "Indicator: I-Worm/Lehs.A": [[219, 232]], "Indicator: W32/Lehs.A.worm": [[233, 248]]}, "info": {"id": "cyner2_8class_test_01258", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.81FD Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9747 W32/Trojan.UVNP-1836 Trojan.Win32.TPM.ewgpwa Win32.Trojan.Crypt.Sunr BehavesLike.Win32.PUP.tc Backdoor.MSIL.ycb Trj/CI.A Riskware.Themida! Trojan-Ransom.Win32.Blocker", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.81FD": [[26, 43]], "Indicator: Backdoor.MSIL": [[44, 57]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9747": [[58, 100]], "Indicator: W32/Trojan.UVNP-1836": [[101, 121]], "Indicator: Trojan.Win32.TPM.ewgpwa": [[122, 145]], "Indicator: Win32.Trojan.Crypt.Sunr": [[146, 169]], "Indicator: BehavesLike.Win32.PUP.tc": [[170, 194]], "Indicator: Backdoor.MSIL.ycb": [[195, 212]], "Indicator: Trj/CI.A": [[213, 221]], "Indicator: Riskware.Themida!": [[222, 239]], "Indicator: Trojan-Ransom.Win32.Blocker": [[240, 267]]}, "info": {"id": "cyner2_8class_test_01259", "source": "cyner2_8class_test"}} {"text": "During our analysis, we were able communicate directly with the command and control server as recently as early June 2017.", "spans": {"Indicator: communicate": [[34, 45]], "Indicator: command and control server": [[64, 90]], "Date: June 2017.": [[112, 122]]}, "info": {"id": "cyner2_8class_test_01260", "source": "cyner2_8class_test"}} {"text": "In 2007, he reportedly stopped working on it and sold the source code for an estimated $700.", "spans": {"Date: 2007,": [[3, 8]], "Indicator: source code": [[58, 69]]}, "info": {"id": "cyner2_8class_test_01261", "source": "cyner2_8class_test"}} {"text": "The number to call is received along with the command , as seen in Figure 9 .", "spans": {}, "info": {"id": "cyner2_8class_test_01262", "source": "cyner2_8class_test"}} {"text": "If users allow such apps to be installed , 
then it can be actively installed on the victim ’ s device .", "spans": {}, "info": {"id": "cyner2_8class_test_01263", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_CERBER.SMALY0 Trojan.Win32.Encoder.etbotv Ransom_CERBER.SMALY0 BehavesLike.Win32.PWSZbot.cc W32/Locky.FWSD!tr.ransom Ransom:Win32/Cryproto.B Win-Trojan/RansomCrypt.Exp Ransom.Locky Trojan-Ransom.Locky", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Ransom_CERBER.SMALY0": [[69, 89], [118, 138]], "Indicator: Trojan.Win32.Encoder.etbotv": [[90, 117]], "Indicator: BehavesLike.Win32.PWSZbot.cc": [[139, 167]], "Indicator: W32/Locky.FWSD!tr.ransom": [[168, 192]], "Indicator: Ransom:Win32/Cryproto.B": [[193, 216]], "Indicator: Win-Trojan/RansomCrypt.Exp": [[217, 243]], "Indicator: Ransom.Locky": [[244, 256]], "Indicator: Trojan-Ransom.Locky": [[257, 276]]}, "info": {"id": "cyner2_8class_test_01264", "source": "cyner2_8class_test"}} {"text": "It spreads through public The Shadow Brokers NSA dump SMB exploits: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "spans": {"Indicator: The Shadow Brokers NSA dump": [[26, 53]], "Vulnerability: SMB exploits:": [[54, 67]], "Malware: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE": [[68, 112]], "Malware: ETERNALSYNERGY,": [[117, 132]], "Malware: DOUBLEPULSAR, ARCHITOUCH": [[162, 186]], "Malware: SMBTOUCH.": [[191, 200]]}, "info": {"id": "cyner2_8class_test_01265", "source": "cyner2_8class_test"}} {"text": "In September 2022, a Rust-based version of Nokoyawa ransomware was released.", "spans": {"Date: September 2022,": [[3, 18]], "System: Rust-based": [[21, 31]], "Malware: Nokoyawa ransomware": [[43, 62]]}, "info": {"id": "cyner2_8class_test_01266", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PWS.OnlineGames.WNE 
Trojan-Dropper.Win32.Delf!O Trojan.Nagram PWS-Hook.dll Dropper.Delf.Win32.716 W32.W.Bagle.kZt7 Trojan/Dropper.Delf.rd Trojan.PWS.OnlineGames.WNE Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Risk.KWGR-4694 Trojan.PWS.QQPass Win.Trojan.Dropper-12698 Trojan-PSW.Win32.QQPass.ji Trojan.PWS.OnlineGames.WNE Trojan.Win32.QQPass.bwvfwk Trojan.PWS.OnlineGames.WNE Trojan.PWS.OnlineGames.WNE Trojan.PWS.Qqpass.97 BehavesLike.Win32.Backdoor.mc W32/Dropper.CTB Trojan/PSW.QQPass.abt TR/Drop.Del.rd.41.A Trojan[PSW]/Win32.QQPass Win32.Troj.PswQQDao.kg.kcloud Trojan.Win32.A.PSW-QQPass.21742[UPX] Trojan-PSW.Win32.QQPass.ji Trojan.PWS.OnlineGames.WNE Trojan/Win32.OnlineGameHack.R2041 Trojan.PWS.OnlineGames.WNE TrojanDropper.Delf Trojan.DR.Delf!tjmeRDZWpSg Trojan-Dropper.Delf W32/HookGetMage.A!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PWS.OnlineGames.WNE": [[26, 52], [171, 197], [330, 356], [384, 410], [411, 437], [666, 692], [727, 753]], "Indicator: Trojan-Dropper.Win32.Delf!O": [[53, 80]], "Indicator: Trojan.Nagram": [[81, 94]], "Indicator: PWS-Hook.dll": [[95, 107]], "Indicator: Dropper.Delf.Win32.716": [[108, 130]], "Indicator: W32.W.Bagle.kZt7": [[131, 147]], "Indicator: Trojan/Dropper.Delf.rd": [[148, 170]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9995": [[198, 240]], "Indicator: W32/Risk.KWGR-4694": [[241, 259]], "Indicator: Trojan.PWS.QQPass": [[260, 277]], "Indicator: Win.Trojan.Dropper-12698": [[278, 302]], "Indicator: Trojan-PSW.Win32.QQPass.ji": [[303, 329], [639, 665]], "Indicator: Trojan.Win32.QQPass.bwvfwk": [[357, 383]], "Indicator: Trojan.PWS.Qqpass.97": [[438, 458]], "Indicator: BehavesLike.Win32.Backdoor.mc": [[459, 488]], "Indicator: W32/Dropper.CTB": [[489, 504]], "Indicator: Trojan/PSW.QQPass.abt": [[505, 526]], "Indicator: TR/Drop.Del.rd.41.A": [[527, 546]], "Indicator: Trojan[PSW]/Win32.QQPass": [[547, 571]], "Indicator: Win32.Troj.PswQQDao.kg.kcloud": [[572, 601]], "Indicator: Trojan.Win32.A.PSW-QQPass.21742[UPX]": [[602, 
638]], "Indicator: Trojan/Win32.OnlineGameHack.R2041": [[693, 726]], "Indicator: TrojanDropper.Delf": [[754, 772]], "Indicator: Trojan.DR.Delf!tjmeRDZWpSg": [[773, 799]], "Indicator: Trojan-Dropper.Delf": [[800, 819]], "Indicator: W32/HookGetMage.A!tr": [[820, 840]]}, "info": {"id": "cyner2_8class_test_01267", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Rocalog Trojan.Win32.EncPkMR.lwtoq Virus.Win32.Trojan DangerousObject.Multi.bik Trojan:Win32/Rocalog.A Trj/CI.A Trojan.Rocalog!WvnhEr62E+Q", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Rocalog": [[26, 40]], "Indicator: Trojan.Win32.EncPkMR.lwtoq": [[41, 67]], "Indicator: Virus.Win32.Trojan": [[68, 86]], "Indicator: DangerousObject.Multi.bik": [[87, 112]], "Indicator: Trojan:Win32/Rocalog.A": [[113, 135]], "Indicator: Trj/CI.A": [[136, 144]], "Indicator: Trojan.Rocalog!WvnhEr62E+Q": [[145, 171]]}, "info": {"id": "cyner2_8class_test_01268", "source": "cyner2_8class_test"}} {"text": "Geo-location .", "spans": {}, "info": {"id": "cyner2_8class_test_01269", "source": "cyner2_8class_test"}} {"text": "The said technique brings the advantage of avoiding auto-start extensibility points ( ASEP ) scanners and programs that checks for binaries installed as service ( for the latter , the service chosen by FinFisher will show up as a clean Windows signed binary ) .", "spans": {"Malware: FinFisher": [[202, 211]], "System: Windows": [[236, 243]]}, "info": {"id": "cyner2_8class_test_01270", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Rootkit.Win32.Winnti!O Trojan.Winnti Trojan/Winnti.o RTKT_WINNTI.B W32/Trojan.PBJZ-5532 Hacktool.Rootkit RTKT_WINNTI.B Trojan.Win32.Winnti.wtomi Rootkit.W32.Winnti!c Win32.Exploit.Winnti.Wptr Trojan.NtRootKit.14417 Rootkit.Winnti.Win32.3 Rootkit.Patchun.b RKIT/Winnti.o Trojan[Rootkit]/Win32.Winnti Trojan.Zusy.Elzob.D5138 Trojan:Win64/Winnti.A Win-Trojan/Rootkit.14208 TScope.Malware-Cryptor.SB Rootkit.Winnti!QT0JRa+Uack 
W32/Winnti.O!tr.rkit Win32/RootKit.Rootkit.45b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Rootkit.Win32.Winnti!O": [[26, 48]], "Indicator: Trojan.Winnti": [[49, 62]], "Indicator: Trojan/Winnti.o": [[63, 78]], "Indicator: RTKT_WINNTI.B": [[79, 92], [131, 144]], "Indicator: W32/Trojan.PBJZ-5532": [[93, 113]], "Indicator: Hacktool.Rootkit": [[114, 130]], "Indicator: Trojan.Win32.Winnti.wtomi": [[145, 170]], "Indicator: Rootkit.W32.Winnti!c": [[171, 191]], "Indicator: Win32.Exploit.Winnti.Wptr": [[192, 217]], "Indicator: Trojan.NtRootKit.14417": [[218, 240]], "Indicator: Rootkit.Winnti.Win32.3": [[241, 263]], "Indicator: Rootkit.Patchun.b": [[264, 281]], "Indicator: RKIT/Winnti.o": [[282, 295]], "Indicator: Trojan[Rootkit]/Win32.Winnti": [[296, 324]], "Indicator: Trojan.Zusy.Elzob.D5138": [[325, 348]], "Indicator: Trojan:Win64/Winnti.A": [[349, 370]], "Indicator: Win-Trojan/Rootkit.14208": [[371, 395]], "Indicator: TScope.Malware-Cryptor.SB": [[396, 421]], "Indicator: Rootkit.Winnti!QT0JRa+Uack": [[422, 448]], "Indicator: W32/Winnti.O!tr.rkit": [[449, 469]], "Indicator: Win32/RootKit.Rootkit.45b": [[470, 495]]}, "info": {"id": "cyner2_8class_test_01271", "source": "cyner2_8class_test"}} {"text": "Cerberus is already capable to fulfill this demand .", "spans": {"Malware: Cerberus": [[0, 8]]}, "info": {"id": "cyner2_8class_test_01272", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan-Downloader.Win32.Geral!O Worm.Dogkild.c4 Trojan/Downloader.Geral.mwu TROJ_KILLAV.SMT Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Downldr2.ILRE Trojan.KillAV TROJ_KILLAV.SMT Win.Trojan.Downloader-29041 Trojan-Downloader.Win32.Geral.mwu Trojan.Win32.Geral.vutjb Trojan.Win32.Downloader.17668.C Trojan-Downloader:W32/Geral.E Trojan.MulDrop5.33035 Downloader.Geral.Win32.3073 Trojan-Downloader.Win32.Geral Trojan/AntiAV.ake Worm:Win32/Dogkild.C TR/Killav.P.1 Trojan[Downloader]/Win32.Geral Trojan-Downloader.Win32.Geral.mwu 
Worm:Win32/Dogkild.C W32/Spamta.QO.worm Win32.Trojan-downloader.Geral.Wqdc Trojan.DL.Geral!8LJu9xHMBVQ W32/KILLAV.SMT!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware10": [[26, 45]], "Indicator: Trojan-Downloader.Win32.Geral!O": [[46, 77]], "Indicator: Worm.Dogkild.c4": [[78, 93]], "Indicator: Trojan/Downloader.Geral.mwu": [[94, 121]], "Indicator: TROJ_KILLAV.SMT": [[122, 137], [213, 228]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9987": [[138, 180]], "Indicator: W32/Downldr2.ILRE": [[181, 198]], "Indicator: Trojan.KillAV": [[199, 212]], "Indicator: Win.Trojan.Downloader-29041": [[229, 256]], "Indicator: Trojan-Downloader.Win32.Geral.mwu": [[257, 290], [542, 575]], "Indicator: Trojan.Win32.Geral.vutjb": [[291, 315]], "Indicator: Trojan.Win32.Downloader.17668.C": [[316, 347]], "Indicator: Trojan-Downloader:W32/Geral.E": [[348, 377]], "Indicator: Trojan.MulDrop5.33035": [[378, 399]], "Indicator: Downloader.Geral.Win32.3073": [[400, 427]], "Indicator: Trojan-Downloader.Win32.Geral": [[428, 457]], "Indicator: Trojan/AntiAV.ake": [[458, 475]], "Indicator: Worm:Win32/Dogkild.C": [[476, 496], [576, 596]], "Indicator: TR/Killav.P.1": [[497, 510]], "Indicator: Trojan[Downloader]/Win32.Geral": [[511, 541]], "Indicator: W32/Spamta.QO.worm": [[597, 615]], "Indicator: Win32.Trojan-downloader.Geral.Wqdc": [[616, 650]], "Indicator: Trojan.DL.Geral!8LJu9xHMBVQ": [[651, 678]], "Indicator: W32/KILLAV.SMT!tr": [[679, 696]]}, "info": {"id": "cyner2_8class_test_01273", "source": "cyner2_8class_test"}} {"text": "Encounter In early 2019 , the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse ; All samples our team collected during preliminary investigation had the ability to hide their app icons and claim to be Google related updaters or vending modules ( a key component of Google Play framework ) .", "spans": {"Organization: Check Point": 
[[30, 41]], "System: Android": [[76, 83]], "Vulnerability: Janus": [[167, 172]], "Organization: Google": [[315, 321]], "System: Google Play": [[379, 390]]}, "info": {"id": "cyner2_8class_test_01274", "source": "cyner2_8class_test"}} {"text": "Collection of IOCs related to targeting of civil society by Botherder", "spans": {"Indicator: IOCs": [[14, 18]], "Organization: civil society by Botherder": [[43, 69]]}, "info": {"id": "cyner2_8class_test_01275", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Tipsac HackTool:Win32/Certsteal.C Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Tipsac": [[26, 39]], "Indicator: HackTool:Win32/Certsteal.C": [[40, 66]], "Indicator: Trj/CI.A": [[67, 75]]}, "info": {"id": "cyner2_8class_test_01276", "source": "cyner2_8class_test"}} {"text": "To collect the victim's OTP Token combination and proceed with previously prepared fraudulent.", "spans": {}, "info": {"id": "cyner2_8class_test_01277", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Ransom.CardSome Backdoor.Ratenjay MSIL.Trojan-Ransom.CardSome.A TR/RedCap.ugxeq Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.CardSome": [[26, 48]], "Indicator: Backdoor.Ratenjay": [[49, 66]], "Indicator: MSIL.Trojan-Ransom.CardSome.A": [[67, 96]], "Indicator: TR/RedCap.ugxeq": [[97, 112]], "Indicator: Trj/GdSda.A": [[113, 124]]}, "info": {"id": "cyner2_8class_test_01278", "source": "cyner2_8class_test"}} {"text": "] 23 222.139.212 [ .", "spans": {"Indicator: 222.139.212 [ .": [[5, 20]]}, "info": {"id": "cyner2_8class_test_01279", "source": "cyner2_8class_test"}} {"text": "An investigation by The Intercept indicates that this targeting was likely not an isolated event.", "spans": {"Organization: The Intercept indicates": [[20, 43]]}, "info": {"id": "cyner2_8class_test_01280", "source": "cyner2_8class_test"}} {"text": "If he doesn ’ t have Viber , the generically-named System Updates app 
gets downloaded and installed instead .", "spans": {}, "info": {"id": "cyner2_8class_test_01281", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Banker.Android.1352 Android.Trojan.Banker.BV Other:Android.Reputation.2 Infostealer.Bancos Android/Spy.Banker.FU Android.Trojan.Banker.BV A.H.Rog.Ntdmn Trojan.Android.Hidden.efxvou Trojan:Android/Marcher.J Android.Hidden.177 ZIP/PWS.OSOY-64 ANDROID/Spy.Banker.sewvt Android.Trojan.Banker.BV Android-Trojan/Slocker.36a0a Trojan.AndroidOS.Marcher.A a.gray.andrsca.f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Banker.Android.1352": [[26, 52]], "Indicator: Android.Trojan.Banker.BV": [[53, 77], [146, 170], [299, 323]], "Indicator: Other:Android.Reputation.2": [[78, 104]], "Indicator: Infostealer.Bancos": [[105, 123]], "Indicator: Android/Spy.Banker.FU": [[124, 145]], "Indicator: A.H.Rog.Ntdmn": [[171, 184]], "Indicator: Trojan.Android.Hidden.efxvou": [[185, 213]], "Indicator: Trojan:Android/Marcher.J": [[214, 238]], "Indicator: Android.Hidden.177": [[239, 257]], "Indicator: ZIP/PWS.OSOY-64": [[258, 273]], "Indicator: ANDROID/Spy.Banker.sewvt": [[274, 298]], "Indicator: Android-Trojan/Slocker.36a0a": [[324, 352]], "Indicator: Trojan.AndroidOS.Marcher.A": [[353, 379]], "Indicator: a.gray.andrsca.f": [[380, 396]]}, "info": {"id": "cyner2_8class_test_01282", "source": "cyner2_8class_test"}} {"text": "The stolen data is sent to the C2 server using the URL ending with /servlet/xx .", "spans": {"Indicator: /servlet/xx": [[67, 78]]}, "info": {"id": "cyner2_8class_test_01283", "source": "cyner2_8class_test"}} {"text": "Today's diary shares indicators from the infection.", "spans": {}, "info": {"id": "cyner2_8class_test_01284", "source": "cyner2_8class_test"}} {"text": "As part of their activities , they are known for hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses , creating disguised malicious Android apps that appear as popular apps , stealing Apple 
ID credentials by creating Apple phishing pages , as well as performing web crypto mining on browsers .", "spans": {"System: Android": [[169, 176]], "Organization: Apple": [[221, 226], [254, 259]]}, "info": {"id": "cyner2_8class_test_01285", "source": "cyner2_8class_test"}} {"text": "Device registration This is the last of the three main timers that are created .", "spans": {}, "info": {"id": "cyner2_8class_test_01286", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HackTool.Win32.Wpakill HackTool:Win32/Wpakill.B HackTool.WpaKill HackTool.Wpakill!SOi5swsIFpg", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Win32.Wpakill": [[26, 48]], "Indicator: HackTool:Win32/Wpakill.B": [[49, 73]], "Indicator: HackTool.WpaKill": [[74, 90]], "Indicator: HackTool.Wpakill!SOi5swsIFpg": [[91, 119]]}, "info": {"id": "cyner2_8class_test_01287", "source": "cyner2_8class_test"}} {"text": "We will be sharing our findings as we are able on this page and perhaps even open sourcing some aspects of our analysis.", "spans": {}, "info": {"id": "cyner2_8class_test_01288", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: RiskTool.Win32.Inject!O HackTool.Injectxin Backdoor/Poison.aylh W32/Risk.MYRU-5193 Win32/Poison.DZ Trojan-Spy.Win32.ICQ.vir Trojan.Win32.Poison.bmhcw Backdoor.Win32.Poison.268800 ApplicUnwnt.Win32.ToolInj.2688000 Tool.Inject.9 Backdoor.Poison.Win32.18709 W32/MalwareS.BACP Backdoor/Poison.dzl W32.Backdoor.Poisonivy SPR/Tool.inj.268800 RiskWare[RiskTool]/Win32.Inject.f Trojan.Strictor.D128EF Backdoor/Win32.Poison.R2075 TScope.Trojan.Delf Trj/CI.A Win32.Trojan-spy.Icq.Ajln Backdoor.Poison!ABxqWHF7KMk", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: RiskTool.Win32.Inject!O": [[26, 49]], "Indicator: HackTool.Injectxin": [[50, 68]], "Indicator: Backdoor/Poison.aylh": [[69, 89]], "Indicator: W32/Risk.MYRU-5193": [[90, 108]], "Indicator: Win32/Poison.DZ": [[109, 124]], "Indicator: Trojan-Spy.Win32.ICQ.vir": [[125, 149]], 
"Indicator: Trojan.Win32.Poison.bmhcw": [[150, 175]], "Indicator: Backdoor.Win32.Poison.268800": [[176, 204]], "Indicator: ApplicUnwnt.Win32.ToolInj.2688000": [[205, 238]], "Indicator: Tool.Inject.9": [[239, 252]], "Indicator: Backdoor.Poison.Win32.18709": [[253, 280]], "Indicator: W32/MalwareS.BACP": [[281, 298]], "Indicator: Backdoor/Poison.dzl": [[299, 318]], "Indicator: W32.Backdoor.Poisonivy": [[319, 341]], "Indicator: SPR/Tool.inj.268800": [[342, 361]], "Indicator: RiskWare[RiskTool]/Win32.Inject.f": [[362, 395]], "Indicator: Trojan.Strictor.D128EF": [[396, 418]], "Indicator: Backdoor/Win32.Poison.R2075": [[419, 446]], "Indicator: TScope.Trojan.Delf": [[447, 465]], "Indicator: Trj/CI.A": [[466, 474]], "Indicator: Win32.Trojan-spy.Icq.Ajln": [[475, 500]], "Indicator: Backdoor.Poison!ABxqWHF7KMk": [[501, 528]]}, "info": {"id": "cyner2_8class_test_01289", "source": "cyner2_8class_test"}} {"text": "But TrickMo does things differently .", "spans": {"Malware: TrickMo": [[4, 11]]}, "info": {"id": "cyner2_8class_test_01290", "source": "cyner2_8class_test"}} {"text": "In fact, Retefe is already around since November 2013.", "spans": {"Malware: Retefe": [[9, 15]], "Date: November 2013.": [[40, 54]]}, "info": {"id": "cyner2_8class_test_01291", "source": "cyner2_8class_test"}} {"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file .", "spans": {}, "info": {"id": "cyner2_8class_test_01292", "source": "cyner2_8class_test"}} {"text": "Since a full proof of concept for CVE-2016-0189 vulnerability was published on GitHub, Zscaler ThreatLabZ has been closely tracking its proliferation.", "spans": {"Indicator: CVE-2016-0189": [[34, 47]], "Vulnerability: vulnerability": [[48, 61]], "Organization: GitHub, Zscaler ThreatLabZ": [[79, 105]]}, "info": {"id": "cyner2_8class_test_01293", "source": "cyner2_8class_test"}} {"text": "We also found similarities in two older samples disguised as a Google 
service and , subsequently , as a music app after further investigation .", "spans": {"Organization: Google": [[63, 69]]}, "info": {"id": "cyner2_8class_test_01294", "source": "cyner2_8class_test"}} {"text": "This indicated a unique skillset, well above the average DDoS botnet master.", "spans": {"Malware: DDoS botnet master.": [[57, 76]]}, "info": {"id": "cyner2_8class_test_01295", "source": "cyner2_8class_test"}} {"text": "It is a worrying observation .", "spans": {}, "info": {"id": "cyner2_8class_test_01296", "source": "cyner2_8class_test"}} {"text": "Kaspersky Internet Security for Android detects all three of Triada ’ s modules , so it can save your money from cybercriminals that are behind Triada .", "spans": {"System: Kaspersky Internet Security": [[0, 27]], "System: Android": [[32, 39]], "Malware: Triada": [[61, 67], [144, 150]]}, "info": {"id": "cyner2_8class_test_01297", "source": "cyner2_8class_test"}} {"text": "Note: For a technical walk-through of RTF and its commonly exploited vulnerabilities, we recommend readers take a look at this post by RSA Engineering s Kevin Douglas.", "spans": {"Malware: RTF": [[38, 41]], "Malware: exploited": [[59, 68]], "Vulnerability: vulnerabilities,": [[69, 85]], "Malware: at": [[119, 121]], "Organization: RSA Engineering s Kevin Douglas.": [[135, 167]]}, "info": {"id": "cyner2_8class_test_01298", "source": "cyner2_8class_test"}} {"text": "We decided to take a peek under the hood of a modern member of the Asacub family .", "spans": {"Malware: Asacub": [[67, 73]]}, "info": {"id": "cyner2_8class_test_01299", "source": "cyner2_8class_test"}} {"text": "This one is a remote access trojan typically used to spy on people's activities or take control of their computers for whatever end the attacker wants to reach.", "spans": {"Malware: a remote access trojan": [[12, 34]], "Indicator: spy": [[53, 56]], "System: computers": [[105, 114]], "ThreatActor: attacker": [[136, 144]]}, "info": {"id": "cyner2_8class_test_01300", "source": 
"cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Alien W32/Trojan.BTOY-6638 Trojan.Win32.Alien.bvw Trojan.Win32.Banker1.eseoat Troj.W32.Alien!c Win32.Trojan.Alien.Wuhb Trojan.PWS.Banker1.23328 TrojanDownloader.Delf.aeli TR/Crypt.fkm.amqdk Trojan:Win32/BrobanLaw.D!bit Trojan.Jacard.D10501 Trojan.Win32.Alien.bvw Trojan-Dropper.Win32.Delf Trj/CI.A Win32/Trojan.de4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Alien": [[26, 38]], "Indicator: W32/Trojan.BTOY-6638": [[39, 59]], "Indicator: Trojan.Win32.Alien.bvw": [[60, 82], [273, 295]], "Indicator: Trojan.Win32.Banker1.eseoat": [[83, 110]], "Indicator: Troj.W32.Alien!c": [[111, 127]], "Indicator: Win32.Trojan.Alien.Wuhb": [[128, 151]], "Indicator: Trojan.PWS.Banker1.23328": [[152, 176]], "Indicator: TrojanDownloader.Delf.aeli": [[177, 203]], "Indicator: TR/Crypt.fkm.amqdk": [[204, 222]], "Indicator: Trojan:Win32/BrobanLaw.D!bit": [[223, 251]], "Indicator: Trojan.Jacard.D10501": [[252, 272]], "Indicator: Trojan-Dropper.Win32.Delf": [[296, 321]], "Indicator: Trj/CI.A": [[322, 330]], "Indicator: Win32/Trojan.de4": [[331, 347]]}, "info": {"id": "cyner2_8class_test_01301", "source": "cyner2_8class_test"}} {"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[30, 38], [98, 106]], "Malware: HenBox": [[60, 66]], "Indicator: uyghurapps [ .": [[135, 149]]}, "info": {"id": "cyner2_8class_test_01302", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.PurityScan!O Spyware.MediaTicketsCDT Trojan.LowZones Win.Dropper.Purityscan-3 Trojan-Dropper.Win32.PurityScan.y Win32.Trojan-dropper.Purityscan.Pbpf Trojan.PurityAd.origin TrojanDropper.PurityScan.a TR/Drop.PurityScan.G.31 Trojan[Dropper]/Win32.PurityScan TrojanDropper:Win32/PurityScan.Y Trojan-Dropper.Win32.PurityScan.y Worm/Win32.IRCBot.R135632 Adware.PurityScan 
Trojan.DR.PurityScan!ZdsVRGhHA2E Trojan-Dropper.Win32.PurityScan.Q W32/PurityScan.2!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.PurityScan!O": [[26, 59]], "Indicator: Spyware.MediaTicketsCDT": [[60, 83]], "Indicator: Trojan.LowZones": [[84, 99]], "Indicator: Win.Dropper.Purityscan-3": [[100, 124]], "Indicator: Trojan-Dropper.Win32.PurityScan.y": [[125, 158], [336, 369]], "Indicator: Win32.Trojan-dropper.Purityscan.Pbpf": [[159, 195]], "Indicator: Trojan.PurityAd.origin": [[196, 218]], "Indicator: TrojanDropper.PurityScan.a": [[219, 245]], "Indicator: TR/Drop.PurityScan.G.31": [[246, 269]], "Indicator: Trojan[Dropper]/Win32.PurityScan": [[270, 302]], "Indicator: TrojanDropper:Win32/PurityScan.Y": [[303, 335]], "Indicator: Worm/Win32.IRCBot.R135632": [[370, 395]], "Indicator: Adware.PurityScan": [[396, 413]], "Indicator: Trojan.DR.PurityScan!ZdsVRGhHA2E": [[414, 446]], "Indicator: Trojan-Dropper.Win32.PurityScan.Q": [[447, 480]], "Indicator: W32/PurityScan.2!tr": [[481, 500]]}, "info": {"id": "cyner2_8class_test_01303", "source": "cyner2_8class_test"}} {"text": "Android shell A new package was added that allows the execution of commands in the Android shell .", "spans": {"System: Android": [[0, 7], [83, 90]]}, "info": {"id": "cyner2_8class_test_01304", "source": "cyner2_8class_test"}} {"text": "Despite the targeted nature of the spearphishing emails, the payload was the widely distributed Vawktrak banking Trojan.", "spans": {"Indicator: spearphishing emails,": [[35, 56]], "Malware: payload": [[61, 68]], "Malware: Vawktrak banking Trojan.": [[96, 120]]}, "info": {"id": "cyner2_8class_test_01305", "source": "cyner2_8class_test"}} {"text": "We searched for the base64 encoded value which was referenced in the tweet, and were able to identify a sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis.", "spans": {"Indicator: the base64 encoded value": [[16, 40]], "System: tweet,": [[69, 75]], "Malware: 
sample": [[104, 110]], "Malware: malware": [[148, 155]], "System: sandbox,": [[165, 173]]}, "info": {"id": "cyner2_8class_test_01306", "source": "cyner2_8class_test"}} {"text": "The attackers sent phishing emails to companies in the fields of manufacturing, energy, and the Internet in many European and Asian countries with the subject of product quotations, and discovered an attack against a domestic company.", "spans": {"ThreatActor: The attackers": [[0, 13]], "Indicator: phishing emails": [[19, 34]], "Organization: companies": [[38, 47]], "Organization: manufacturing, energy,": [[65, 87]], "Organization: the Internet": [[92, 104]], "Location: European": [[113, 121]], "Location: Asian countries": [[126, 141]], "Indicator: attack": [[200, 206]], "Organization: a domestic company.": [[215, 234]]}, "info": {"id": "cyner2_8class_test_01307", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Gudra.A7 Trojan/Gudra.a TROJ_GUDRA_EK160090.UVPM TROJ_GUDRA_EK160090.UVPM Trojan:Win32/Gudra.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Gudra.A7": [[26, 41]], "Indicator: Trojan/Gudra.a": [[42, 56]], "Indicator: TROJ_GUDRA_EK160090.UVPM": [[57, 81], [82, 106]], "Indicator: Trojan:Win32/Gudra.A": [[107, 127]]}, "info": {"id": "cyner2_8class_test_01308", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan.Inject.Win32.179720 Trojan.Symmi.D1345D Trojan.Win32.Inject.ewwzof BehavesLike.Win32.VTFlooder.nc Trojan.Injector W32/Trojan.RKSR-6539 Variant.Zusy.nm Win32/Trojan.724", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Virus02": [[26, 43]], "Indicator: Virus.Win32.Sality!O": [[44, 64]], "Indicator: Trojan.Inject.Win32.179720": [[65, 91]], "Indicator: Trojan.Symmi.D1345D": [[92, 111]], "Indicator: Trojan.Win32.Inject.ewwzof": [[112, 138]], "Indicator: BehavesLike.Win32.VTFlooder.nc": [[139, 169]], "Indicator: Trojan.Injector": [[170, 185]], "Indicator: 
W32/Trojan.RKSR-6539": [[186, 206]], "Indicator: Variant.Zusy.nm": [[207, 222]], "Indicator: Win32/Trojan.724": [[223, 239]]}, "info": {"id": "cyner2_8class_test_01309", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.VaritanoH.Trojan Trojan.Win32.Zcrypt.1!O Trojan/Buzus.mrww Trojan.Symmi.D219C TROJ_RANSOM.SMWX Win32.Trojan.WisdomEyes.16070401.9500.9692 Trojan.Ransomlock!g32 TROJ_RANSOM.SMWX Trojan.Win32.Inject.ccrpqp Trojan.Win32.A.Buzus.101376.H Win.Troj.Downloader.Dapato.lEzW Trojan.DownLoader.36324 Virus.Win32.Cryptor Trojan/Buzus.bjmw Trojan/Win32.Unknown Trojan:Win32/Nagderr.A Spyware/Win32.Zbot.R45824 Worm.Dorkbot.1312 W32/Asprox.B!tr Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VaritanoH.Trojan": [[26, 46]], "Indicator: Trojan.Win32.Zcrypt.1!O": [[47, 70]], "Indicator: Trojan/Buzus.mrww": [[71, 88]], "Indicator: Trojan.Symmi.D219C": [[89, 107]], "Indicator: TROJ_RANSOM.SMWX": [[108, 124], [190, 206]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9692": [[125, 167]], "Indicator: Trojan.Ransomlock!g32": [[168, 189]], "Indicator: Trojan.Win32.Inject.ccrpqp": [[207, 233]], "Indicator: Trojan.Win32.A.Buzus.101376.H": [[234, 263]], "Indicator: Win.Troj.Downloader.Dapato.lEzW": [[264, 295]], "Indicator: Trojan.DownLoader.36324": [[296, 319]], "Indicator: Virus.Win32.Cryptor": [[320, 339]], "Indicator: Trojan/Buzus.bjmw": [[340, 357]], "Indicator: Trojan/Win32.Unknown": [[358, 378]], "Indicator: Trojan:Win32/Nagderr.A": [[379, 401]], "Indicator: Spyware/Win32.Zbot.R45824": [[402, 427]], "Indicator: Worm.Dorkbot.1312": [[428, 445]], "Indicator: W32/Asprox.B!tr": [[446, 461]], "Indicator: Win32/Trojan.e6d": [[462, 478]]}, "info": {"id": "cyner2_8class_test_01310", "source": "cyner2_8class_test"}} {"text": "The attackers accomplished much of this with JavaScript they placed on the media organization's website.", "spans": {"ThreatActor: attackers": [[4, 13]], "Indicator: JavaScript": [[45, 55]], "Indicator: 
the media organization's website.": [[71, 104]]}, "info": {"id": "cyner2_8class_test_01311", "source": "cyner2_8class_test"}} {"text": "The infamous Sednit espionage group is currently using the Hacking Team exploits disclosed earlier this week to target eastern European institutions.", "spans": {"ThreatActor: Sednit espionage group": [[13, 35]], "Organization: Hacking Team": [[59, 71]], "Organization: eastern European institutions.": [[119, 149]]}, "info": {"id": "cyner2_8class_test_01312", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Downloader.Delf.abd Trojan.DL.Delf!OrZGbLJDQAk W32/Downloader.KHL W32/DLoader.NJP Win32/Pazscorer.A Win32.Delf.abd Trojan.Downloader.Delf-180 Trojan-Downloader.Win32.Delf.abd Trojan.Downloader.Delf.D TrojWare.Win32.TrojanDownloader.Delf.NCE Trojan.Downloader.Delf.D Trojan.DownLoader.32027 DR/DLoader.aae Trojan-Downloader.Win32.Delf.abd!IK TrojanDownloader.Delf.abfd TrojanDropper:Win32/Delf.DJ Trojan.Win32.A.Downloader.289792.K Trojan.Downloader.Delf.D W32/Downloader.KHL TrojanDownloader.Delf.lbw Win32/TrojanDownloader.Delf.NCE Trojan.DL.Delf.abx Trojan-Downloader.Win32.Delf.abd W32/Delf.ABD!tr Trj/Downloader.GUT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Downloader.Delf.abd": [[26, 52]], "Indicator: Trojan.DL.Delf!OrZGbLJDQAk": [[53, 79]], "Indicator: W32/Downloader.KHL": [[80, 98], [489, 507]], "Indicator: W32/DLoader.NJP": [[99, 114]], "Indicator: Win32/Pazscorer.A": [[115, 132]], "Indicator: Win32.Delf.abd": [[133, 147]], "Indicator: Trojan.Downloader.Delf-180": [[148, 174]], "Indicator: Trojan-Downloader.Win32.Delf.abd": [[175, 207], [585, 617]], "Indicator: Trojan.Downloader.Delf.D": [[208, 232], [274, 298], [464, 488]], "Indicator: TrojWare.Win32.TrojanDownloader.Delf.NCE": [[233, 273]], "Indicator: Trojan.DownLoader.32027": [[299, 322]], "Indicator: DR/DLoader.aae": [[323, 337]], "Indicator: Trojan-Downloader.Win32.Delf.abd!IK": [[338, 373]], "Indicator: 
TrojanDownloader.Delf.abfd": [[374, 400]], "Indicator: TrojanDropper:Win32/Delf.DJ": [[401, 428]], "Indicator: Trojan.Win32.A.Downloader.289792.K": [[429, 463]], "Indicator: TrojanDownloader.Delf.lbw": [[508, 533]], "Indicator: Win32/TrojanDownloader.Delf.NCE": [[534, 565]], "Indicator: Trojan.DL.Delf.abx": [[566, 584]], "Indicator: W32/Delf.ABD!tr": [[618, 633]], "Indicator: Trj/Downloader.GUT": [[634, 652]]}, "info": {"id": "cyner2_8class_test_01313", "source": "cyner2_8class_test"}} {"text": "The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014.", "spans": {"ThreatActor: The Lazarus Group": [[0, 17]], "ThreatActor: operations": [[51, 61]], "Date: 2009,": [[77, 82]], "Indicator: attack": [[97, 103]], "Organization: Sony Pictures Entertainment": [[118, 145]], "Date: 2014.": [[149, 154]]}, "info": {"id": "cyner2_8class_test_01314", "source": "cyner2_8class_test"}} {"text": "To protect yourself from these threats , FireEye suggests that users : Take caution before clicking any links where you are not sure about the origin .", "spans": {"Organization: FireEye": [[41, 48]]}, "info": {"id": "cyner2_8class_test_01315", "source": "cyner2_8class_test"}} {"text": "Volexity works closely with several human rights and civil society organizations.", "spans": {"Organization: Volexity": [[0, 8]], "Organization: civil society organizations.": [[53, 81]]}, "info": {"id": "cyner2_8class_test_01316", "source": "cyner2_8class_test"}} {"text": "] orgaryastark [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01317", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.Farfli.13824 TjnDownldr.Nystprac.S35843 Win32.Trojan.WisdomEyes.16070401.9500.9949 BKDR_ZEGOST.SM32 Backdoor.Win32.Farfli.ajly Trojan.Win32.Farfli.elvztf Win32.Backdoor.Farfli.Akza Trojan.DownLoader21.53580 BKDR_ZEGOST.SM32 TrojanDownloader:Win32/Nystprac.A Backdoor.Win32.Farfli.ajly 
Trojan/Win32.Farfli.R182355 Backdoor.Farfli Trojan.ServStart Backdoor.Farfli!/eZlV447elU Win32/Trojan.Downloader.9e5", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Farfli.13824": [[26, 51]], "Indicator: TjnDownldr.Nystprac.S35843": [[52, 78]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9949": [[79, 121]], "Indicator: BKDR_ZEGOST.SM32": [[122, 138], [246, 262]], "Indicator: Backdoor.Win32.Farfli.ajly": [[139, 165], [297, 323]], "Indicator: Trojan.Win32.Farfli.elvztf": [[166, 192]], "Indicator: Win32.Backdoor.Farfli.Akza": [[193, 219]], "Indicator: Trojan.DownLoader21.53580": [[220, 245]], "Indicator: TrojanDownloader:Win32/Nystprac.A": [[263, 296]], "Indicator: Trojan/Win32.Farfli.R182355": [[324, 351]], "Indicator: Backdoor.Farfli": [[352, 367]], "Indicator: Trojan.ServStart": [[368, 384]], "Indicator: Backdoor.Farfli!/eZlV447elU": [[385, 412]], "Indicator: Win32/Trojan.Downloader.9e5": [[413, 440]]}, "info": {"id": "cyner2_8class_test_01318", "source": "cyner2_8class_test"}} {"text": "We observed a few variants of attacks exploiting CVE-2015-0097 that are using the same PoC to create a .doc exploit.", "spans": {"Vulnerability: exploiting": [[38, 48]], "Indicator: CVE-2015-0097": [[49, 62]], "Malware: PoC": [[87, 90]], "Indicator: .doc": [[103, 107]], "Malware: exploit.": [[108, 116]]}, "info": {"id": "cyner2_8class_test_01319", "source": "cyner2_8class_test"}} {"text": "The final step in the trojan 's initialization is the escalation and maintenance of privileges in the device .", "spans": {}, "info": {"id": "cyner2_8class_test_01320", "source": "cyner2_8class_test"}} {"text": "Based on the organization website , it also proposes services and developed zero-day vulnerabilities to test their own products : Zero-day research from lokd.com We can see that the organization owner still has an interest in Android devices .", "spans": {"Vulnerability: zero-day vulnerabilities": [[76, 100]], "Organization: lokd.com": [[153, 161]], "System: 
Android": [[226, 233]]}, "info": {"id": "cyner2_8class_test_01321", "source": "cyner2_8class_test"}} {"text": "Data acquired from mike.jar 's extraction modules is normally XORed and stored in a folder named .lost+found on the SD card .", "spans": {"Indicator: mike.jar": [[19, 27]]}, "info": {"id": "cyner2_8class_test_01322", "source": "cyner2_8class_test"}} {"text": "Rather than rooting devices , the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever , company researchers said in a blog post published Monday .", "spans": {}, "info": {"id": "cyner2_8class_test_01323", "source": "cyner2_8class_test"}} {"text": "They don't seem to bother to have to disappear. With this paper, we feel fairly certain that Rocket Kitten's prime targets are not companies and political organizations as entire bodies but individuals that operate in strategically interesting fields such as diplomacy, foreign policy research, and defense-related businesses.", "spans": {"ThreatActor: Rocket Kitten's": [[93, 108]], "Organization: companies": [[131, 140]], "Organization: political organizations": [[145, 168]], "Organization: individuals": [[190, 201]], "Organization: diplomacy, foreign policy research,": [[259, 294]], "Organization: defense-related businesses.": [[299, 326]]}, "info": {"id": "cyner2_8class_test_01324", "source": "cyner2_8class_test"}} {"text": "DATA GATHERING Getting a list of all installed applications : Once EventBot is installed on the target machine , it lists all the applications on the target machine and sends them to the C2 .", "spans": {"Malware: EventBot": [[67, 75]]}, "info": {"id": "cyner2_8class_test_01325", "source": "cyner2_8class_test"}} {"text": "Data encryption : In the initial version of EventBot , the data being exfiltrated is encrypted using Base64 and RC4 .", "spans": {"Malware: EventBot": [[44, 52]]}, "info": {"id": "cyner2_8class_test_01326", "source": "cyner2_8class_test"}} {"text": "A 
backdoor also known as: TrojanDropper.MSIL.g5 Trojan/Spy.RapidStealer.a Trojan.Win32.Kazy.didwco W32/Backdoor2.HUPA Trojan.Rapidstealer Win32/Spy.RapidStealer.A TSPY_RSTEALER.B TrojWare.Win32.TrojanSpy.Malas.RA Trojan.DownLoader9.26072 TSPY_RSTEALER.B W32/Backdoor.RBCJ-0211 TR/RapidStealer.A.6 Win32.Troj.Undef.kcloud Trojan:MSIL/RapidStealer.A!dha Trojan/Win32.RapidStealer Trojan.Injector.AEPI MSIL3.ATDO Win32/Trojan.ce9", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.MSIL.g5": [[26, 47]], "Indicator: Trojan/Spy.RapidStealer.a": [[48, 73]], "Indicator: Trojan.Win32.Kazy.didwco": [[74, 98]], "Indicator: W32/Backdoor2.HUPA": [[99, 117]], "Indicator: Trojan.Rapidstealer": [[118, 137]], "Indicator: Win32/Spy.RapidStealer.A": [[138, 162]], "Indicator: TSPY_RSTEALER.B": [[163, 178], [238, 253]], "Indicator: TrojWare.Win32.TrojanSpy.Malas.RA": [[179, 212]], "Indicator: Trojan.DownLoader9.26072": [[213, 237]], "Indicator: W32/Backdoor.RBCJ-0211": [[254, 276]], "Indicator: TR/RapidStealer.A.6": [[277, 296]], "Indicator: Win32.Troj.Undef.kcloud": [[297, 320]], "Indicator: Trojan:MSIL/RapidStealer.A!dha": [[321, 351]], "Indicator: Trojan/Win32.RapidStealer": [[352, 377]], "Indicator: Trojan.Injector.AEPI": [[378, 398]], "Indicator: MSIL3.ATDO": [[399, 409]], "Indicator: Win32/Trojan.ce9": [[410, 426]]}, "info": {"id": "cyner2_8class_test_01327", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.RedLeaves.183808 Virus.Win32.Sality!O Trojan.Redleaves Trojan.Win32.RedLeaves.a Trojan.Win32.RedLeaves.euxsiq Troj.W32.Redleaves!c Trojan.DownLoader24.37648 Trojan.RedLeaves.Win32.1 BehavesLike.Win32.Downloader.cc Trojan.Blocker.gvq Trojan/Win32.RedLeaves Trojan.Win32.RedLeaves.a Trojan:Win32/ChChes.A!dha Trojan.RedLeaves! 
Trj/CI.A Win32/Trojan.6b8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.RedLeaves.183808": [[26, 53]], "Indicator: Virus.Win32.Sality!O": [[54, 74]], "Indicator: Trojan.Redleaves": [[75, 91]], "Indicator: Trojan.Win32.RedLeaves.a": [[92, 116], [293, 317]], "Indicator: Trojan.Win32.RedLeaves.euxsiq": [[117, 146]], "Indicator: Troj.W32.Redleaves!c": [[147, 167]], "Indicator: Trojan.DownLoader24.37648": [[168, 193]], "Indicator: Trojan.RedLeaves.Win32.1": [[194, 218]], "Indicator: BehavesLike.Win32.Downloader.cc": [[219, 250]], "Indicator: Trojan.Blocker.gvq": [[251, 269]], "Indicator: Trojan/Win32.RedLeaves": [[270, 292]], "Indicator: Trojan:Win32/ChChes.A!dha": [[318, 343]], "Indicator: Trojan.RedLeaves!": [[344, 361]], "Indicator: Trj/CI.A": [[362, 370]], "Indicator: Win32/Trojan.6b8": [[371, 387]]}, "info": {"id": "cyner2_8class_test_01328", "source": "cyner2_8class_test"}} {"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild .", "spans": {}, "info": {"id": "cyner2_8class_test_01329", "source": "cyner2_8class_test"}} {"text": "In parallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to look into this further.", "spans": {"Organization: other firms": [[38, 49]], "Organization: security researchers": [[54, 74]]}, "info": {"id": "cyner2_8class_test_01330", "source": "cyner2_8class_test"}} {"text": "However , FinFisher is in a different category of malware for the level of its anti-analysis protection .", "spans": {"Malware: FinFisher": [[10, 19]]}, "info": {"id": "cyner2_8class_test_01331", "source": "cyner2_8class_test"}} {"text": "Malicious activity Once the activation cycle ends , the trojan will start its malicious activities .", "spans": {}, "info": {"id": "cyner2_8class_test_01332", "source": "cyner2_8class_test"}} {"text": "As further proof of the malware targeting CIMPILICITY, it drops 
files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.", "spans": {"Malware: malware": [[24, 31]], "System: CIMPILICITY,": [[42, 54]], "System: CIMPLICITY": [[79, 89]], "Indicator: installation directory using the %CIMPATH% environment variable": [[90, 153]], "System: victim machines.": [[161, 177]]}, "info": {"id": "cyner2_8class_test_01333", "source": "cyner2_8class_test"}} {"text": "Not only does this malware have the ability to overwrite the affected system's master boot record MBR in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service in this case, via Dropbox.", "spans": {"Malware: malware": [[19, 26]], "System: system's master boot record MBR": [[70, 101]], "Indicator: lock users out,": [[114, 129]], "Indicator: delivered": [[172, 181]], "Indicator: legitimate": [[199, 209]], "System: cloud storage service": [[210, 231]], "System: Dropbox.": [[250, 258]]}, "info": {"id": "cyner2_8class_test_01334", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Dropper.Dapato.slg Trojan.Script.Qhost.ddprkv Bicololo.PW Win32/Jorik.KJ Trojan.Win32.Bicololo.bbwh Trojan:W32/Qhost.WE Win32.Troj.Bicololo.bb.kcloud Trojan:Win32/Anaki.A Trojan/Win32.Bicololo Trojan.Win32.Bicololo.AHsn Trojan.Filecoder.W Win32/Bicololo.A Win32.Trojan.Bicololo.Agvb Trojan.BAT.Qhost Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Dropper.Dapato.slg": [[26, 51]], "Indicator: Trojan.Script.Qhost.ddprkv": [[52, 78]], "Indicator: Bicololo.PW": [[79, 90]], "Indicator: Win32/Jorik.KJ": [[91, 105]], "Indicator: Trojan.Win32.Bicololo.bbwh": [[106, 132]], "Indicator: Trojan:W32/Qhost.WE": [[133, 152]], "Indicator: Win32.Troj.Bicololo.bb.kcloud": [[153, 182]], "Indicator: Trojan:Win32/Anaki.A": [[183, 203]], "Indicator: Trojan/Win32.Bicololo": [[204, 225]], "Indicator: Trojan.Win32.Bicololo.AHsn": [[226, 252]], "Indicator: 
Trojan.Filecoder.W": [[253, 271]], "Indicator: Win32/Bicololo.A": [[272, 288]], "Indicator: Win32.Trojan.Bicololo.Agvb": [[289, 315]], "Indicator: Trojan.BAT.Qhost": [[316, 332]], "Indicator: Trj/CI.A": [[333, 341]]}, "info": {"id": "cyner2_8class_test_01335", "source": "cyner2_8class_test"}} {"text": "As a result , information related to the malicious actor is tentatively redacted in this publication .", "spans": {}, "info": {"id": "cyner2_8class_test_01336", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Vetor.PE Worm.Autorun.VB.AA Virus.Win32.Virut.1!O W32.Virut.G Worm.Autorun.VB.AA PE_VIRUX.O W32.SillyFDC Win32/Virut.17408 PE_VIRUX.O Virus.Win32.Virut.ce Worm.Autorun.VB.AA Virus.Win32.Virut.hpeg W32.Virut.llPw Worm.Autorun.VB.AA Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.dt Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 Worm.Autorun.VB.AA Virus.Win32.Virut.ce Worm:Win32/Thraegisa.A HEUR/Fakon.mwf Virus.Virut.14 HackTool.Patcher W32/Sality.AO I-Worm.VB.NQK Win32/Virut.NBP Worm.Threagisa.A W32/Virut.CE Virus.Win32.Virut.M", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Vetor.PE": [[26, 38]], "Indicator: Worm.Autorun.VB.AA": [[39, 57], [92, 110], [185, 203], [242, 260], [383, 401]], "Indicator: Virus.Win32.Virut.1!O": [[58, 79]], "Indicator: W32.Virut.G": [[80, 91]], "Indicator: PE_VIRUX.O": [[111, 121], [153, 163]], "Indicator: W32.SillyFDC": [[122, 134]], "Indicator: Win32/Virut.17408": [[135, 152]], "Indicator: Virus.Win32.Virut.ce": [[164, 184], [402, 422]], "Indicator: Virus.Win32.Virut.hpeg": [[204, 226]], "Indicator: W32.Virut.llPw": [[227, 241]], "Indicator: Win32.Virut.56": [[261, 275]], "Indicator: Virus.Virut.Win32.1938": [[276, 298]], "Indicator: BehavesLike.Win32.Virut.dt": [[299, 325]], "Indicator: Win32/Virut.bt": [[326, 340]], "Indicator: Virus/Win32.Virut.ce": [[341, 361]], "Indicator: Win32.Virut.cr.61440": [[362, 382]], "Indicator: Worm:Win32/Thraegisa.A": [[423, 445]], 
"Indicator: HEUR/Fakon.mwf": [[446, 460]], "Indicator: Virus.Virut.14": [[461, 475]], "Indicator: HackTool.Patcher": [[476, 492]], "Indicator: W32/Sality.AO": [[493, 506]], "Indicator: I-Worm.VB.NQK": [[507, 520]], "Indicator: Win32/Virut.NBP": [[521, 536]], "Indicator: Worm.Threagisa.A": [[537, 553]], "Indicator: W32/Virut.CE": [[554, 566]], "Indicator: Virus.Win32.Virut.M": [[567, 586]]}, "info": {"id": "cyner2_8class_test_01337", "source": "cyner2_8class_test"}} {"text": "If it ’ s not 0x1B ( for 32-bit systems ) or 0x23 ( for 32-bit system under Wow64 ) , the loader exits .", "spans": {}, "info": {"id": "cyner2_8class_test_01338", "source": "cyner2_8class_test"}} {"text": "As the investigation progressed , Talos came to understand that this campaign was associated with the \" ChristinaMorrow '' text message spam scam previously spotted in Australia .", "spans": {"Organization: Talos": [[34, 39]]}, "info": {"id": "cyner2_8class_test_01339", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Android.Exploit.GingerBreak.C Android.Exploit.GingerBreak.C ELF/Andr/Lotoor.E Android.5F8D2988 Unix.Exploit.Gingerbreak-2 Exploit.Linux.Lotoor.t Android.Exploit.GingerBreak.C Android.5F8D2988 ELF/Andr/Lotoor.E EXP/Flash.EB.1043 Trojan[Exploit]/Linux.Lotoor.t Exploit.Linux.Lotoor.t Exploit.Linux.Lotoor Linux.Exploit.Lotoor.Hqvh Exploit.Linux.Lotoor Android.Exploit.GingerBreak.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Android.Exploit.GingerBreak.C": [[26, 55], [56, 85], [171, 200], [376, 405]], "Indicator: ELF/Andr/Lotoor.E": [[86, 103], [218, 235]], "Indicator: Android.5F8D2988": [[104, 120], [201, 217]], "Indicator: Unix.Exploit.Gingerbreak-2": [[121, 147]], "Indicator: Exploit.Linux.Lotoor.t": [[148, 170], [285, 307]], "Indicator: EXP/Flash.EB.1043": [[236, 253]], "Indicator: Trojan[Exploit]/Linux.Lotoor.t": [[254, 284]], "Indicator: Exploit.Linux.Lotoor": [[308, 328], [355, 375]], "Indicator: Linux.Exploit.Lotoor.Hqvh": [[329, 354]]}, 
"info": {"id": "cyner2_8class_test_01340", "source": "cyner2_8class_test"}} {"text": "Port 6208 : IMO extraction service .", "spans": {"Indicator: Port 6208": [[0, 9]], "System: IMO": [[12, 15]]}, "info": {"id": "cyner2_8class_test_01341", "source": "cyner2_8class_test"}} {"text": "With Version 0.0.0.1 , there is a dedicated functions class where all main malicious activity happens and can be observed .", "spans": {}, "info": {"id": "cyner2_8class_test_01342", "source": "cyner2_8class_test"}} {"text": "It also starts an Android service named MainService .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "cyner2_8class_test_01343", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Plugax.bh Trojan.Win32.Mdmbot.dptqgl Trojan.Win32.Dllbot.45056.B Trojan.Mdmbot Trojan.Plugax.Win32.2 Trojan.Win32.Plugax W32/Trojan.YOMS-1721 TR/Plugax.dneew Trojan.Razy.D189CB Trojan.Win32.Plugax.bh Backdoor:Win32/Mdmbot.G!dha Trojan/Win32.Dllbot.R23624 Trj/CI.A Win32.Trojan.Plugax.Fsd Trojan.Plugax!XGKVPHd7fzY", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Plugax.bh": [[26, 48], [216, 238]], "Indicator: Trojan.Win32.Mdmbot.dptqgl": [[49, 75]], "Indicator: Trojan.Win32.Dllbot.45056.B": [[76, 103]], "Indicator: Trojan.Mdmbot": [[104, 117]], "Indicator: Trojan.Plugax.Win32.2": [[118, 139]], "Indicator: Trojan.Win32.Plugax": [[140, 159]], "Indicator: W32/Trojan.YOMS-1721": [[160, 180]], "Indicator: TR/Plugax.dneew": [[181, 196]], "Indicator: Trojan.Razy.D189CB": [[197, 215]], "Indicator: Backdoor:Win32/Mdmbot.G!dha": [[239, 266]], "Indicator: Trojan/Win32.Dllbot.R23624": [[267, 293]], "Indicator: Trj/CI.A": [[294, 302]], "Indicator: Win32.Trojan.Plugax.Fsd": [[303, 326]], "Indicator: Trojan.Plugax!XGKVPHd7fzY": [[327, 352]]}, "info": {"id": "cyner2_8class_test_01344", "source": "cyner2_8class_test"}} {"text": "Well, sometimes targeted entities have included telecommunication companies, or better, large holdings, but it seems 
that at least one of their businesses was in some way related to the production or distribution of computer games.", "spans": {"Organization: targeted entities": [[16, 33]], "Organization: telecommunication companies,": [[48, 76]], "Organization: large holdings,": [[88, 103]], "Organization: businesses": [[144, 154]], "Organization: production": [[186, 196]], "Organization: distribution of computer games.": [[200, 231]]}, "info": {"id": "cyner2_8class_test_01345", "source": "cyner2_8class_test"}} {"text": "The permissions on the first version of the malware lay out the foundations of a spying trojan .", "spans": {}, "info": {"id": "cyner2_8class_test_01346", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanPWS.AutoIT.Dclog.S Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Script.AutoIt.estdtw BehavesLike.Win32.AdwareLinkury.tc Trojan[Dropper]/Win32.FrauDrop Trojan.Win32.Injector", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.AutoIT.Dclog.S": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: Trojan.Script.AutoIt.estdtw": [[94, 121]], "Indicator: BehavesLike.Win32.AdwareLinkury.tc": [[122, 156]], "Indicator: Trojan[Dropper]/Win32.FrauDrop": [[157, 187]], "Indicator: Trojan.Win32.Injector": [[188, 209]]}, "info": {"id": "cyner2_8class_test_01347", "source": "cyner2_8class_test"}} {"text": "] com/aa hxxp : //nttdocomo-qar [ .", "spans": {"Indicator: hxxp : //nttdocomo-qar [ .": [[9, 35]]}, "info": {"id": "cyner2_8class_test_01348", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32!O W32/Backdoor.Ripper Backdoor.Trojan Backdoor.Win32.Ripper Trojan.Win32.Ripper.dmld Backdoor.Win32.Ripper_10.Client BackDoor.Ripper Backdoor.Ripper.Win32.2 BehavesLike.Win32.AdwareDealPly.dh Backdoor.Win32.Ripper W32/Backdoor.Ripper Trojan[Backdoor]/Win32.Ripper Backdoor.Win32.Ripper Win-Trojan/Ripper.305664 Backdoor.Ripper Bck/Ripper.Cli", "spans": {"Malware: 
backdoor": [[2, 10]], "Indicator: Backdoor.Win32!O": [[26, 42]], "Indicator: W32/Backdoor.Ripper": [[43, 62], [255, 274]], "Indicator: Backdoor.Trojan": [[63, 78]], "Indicator: Backdoor.Win32.Ripper": [[79, 100], [233, 254], [305, 326]], "Indicator: Trojan.Win32.Ripper.dmld": [[101, 125]], "Indicator: Backdoor.Win32.Ripper_10.Client": [[126, 157]], "Indicator: BackDoor.Ripper": [[158, 173]], "Indicator: Backdoor.Ripper.Win32.2": [[174, 197]], "Indicator: BehavesLike.Win32.AdwareDealPly.dh": [[198, 232]], "Indicator: Trojan[Backdoor]/Win32.Ripper": [[275, 304]], "Indicator: Win-Trojan/Ripper.305664": [[327, 351]], "Indicator: Backdoor.Ripper": [[352, 367]], "Indicator: Bck/Ripper.Cli": [[368, 382]]}, "info": {"id": "cyner2_8class_test_01349", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 X2KM_DLOAD.YYTK VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 Trojan.Ole2.Vbs-heuristic.druvzi Troj.Dropper.Vbs!c VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 X97M.DownLoader.119 X2KM_DLOAD.YYTK X97M/Dropper.bca TrojanDropper:W97M/Avosim.A VB:Trojan.Valyria.265 X97M/Dropper.bca Win32.Trojan.Downloader.Qszb virus.office.qexvmc.1085", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.265": [[26, 47], [48, 69], [86, 107], [108, 129], [182, 203], [204, 225], [307, 328]], "Indicator: X2KM_DLOAD.YYTK": [[70, 85], [246, 261]], "Indicator: Trojan.Ole2.Vbs-heuristic.druvzi": [[130, 162]], "Indicator: Troj.Dropper.Vbs!c": [[163, 181]], "Indicator: X97M.DownLoader.119": [[226, 245]], "Indicator: X97M/Dropper.bca": [[262, 278], [329, 345]], "Indicator: TrojanDropper:W97M/Avosim.A": [[279, 306]], "Indicator: Win32.Trojan.Downloader.Qszb": [[346, 374]], "Indicator: virus.office.qexvmc.1085": [[375, 399]]}, "info": {"id": "cyner2_8class_test_01350", "source": "cyner2_8class_test"}} {"text": "Linux/Moose is a malware family that primarily targets Linux-based consumer routers but that can infect other Linux-based 
embedded systems in its path.", "spans": {"Indicator: Linux/Moose": [[0, 11]], "Malware: malware family": [[17, 31]], "System: Linux-based consumer routers": [[55, 83]], "System: Linux-based embedded systems": [[110, 138]]}, "info": {"id": "cyner2_8class_test_01351", "source": "cyner2_8class_test"}} {"text": "All of these domains are registered to ‘ Li Jun Biao ’ on Bizcn , Inc , a Chinese Internet application service provider .", "spans": {"Organization: Bizcn , Inc": [[58, 69]]}, "info": {"id": "cyner2_8class_test_01352", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Zusy.D3C397 Win32.Trojan.WisdomEyes.16070401.9500.9538 Win.Trojan.Ovidiy-6333880-0 PWS:MSIL/Cidekoq.A Spyware.PasswordStealer Trj/CI.A Trojan.FNOI!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Zusy.D3C397": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9538": [[45, 87]], "Indicator: Win.Trojan.Ovidiy-6333880-0": [[88, 115]], "Indicator: PWS:MSIL/Cidekoq.A": [[116, 134]], "Indicator: Spyware.PasswordStealer": [[135, 158]], "Indicator: Trj/CI.A": [[159, 167]], "Indicator: Trojan.FNOI!tr": [[168, 182]]}, "info": {"id": "cyner2_8class_test_01353", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Bladabindi.FC.178 MSIL.Backdoor.Bladabindi.a Backdoor.Ratenjay Win.Trojan.B-468 Trojan.DownLoader25.6185 BDS/Bladabindi.ajoos Backdoor:MSIL/Corinrat.A Trj/GdSda.A Trojan.MSIL.Bladabindi Win32/Trojan.b1d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Bladabindi.FC.178": [[26, 52]], "Indicator: MSIL.Backdoor.Bladabindi.a": [[53, 79]], "Indicator: Backdoor.Ratenjay": [[80, 97]], "Indicator: Win.Trojan.B-468": [[98, 114]], "Indicator: Trojan.DownLoader25.6185": [[115, 139]], "Indicator: BDS/Bladabindi.ajoos": [[140, 160]], "Indicator: Backdoor:MSIL/Corinrat.A": [[161, 185]], "Indicator: Trj/GdSda.A": [[186, 197]], "Indicator: Trojan.MSIL.Bladabindi": [[198, 220]], "Indicator: Win32/Trojan.b1d": [[221, 
237]]}, "info": {"id": "cyner2_8class_test_01354", "source": "cyner2_8class_test"}} {"text": "In March 2015, Microsoft patched a remote code execution RCE vulnerability CVE-2015-0097 in Microsoft Office.", "spans": {"Date: March 2015,": [[3, 14]], "Organization: Microsoft": [[15, 24]], "Malware: remote code execution RCE": [[35, 60]], "Vulnerability: vulnerability": [[61, 74]], "Indicator: CVE-2015-0097": [[75, 88]], "System: Microsoft Office.": [[92, 109]]}, "info": {"id": "cyner2_8class_test_01355", "source": "cyner2_8class_test"}} {"text": "We named the malware Skygofree , because we found the word in one of the domains * .", "spans": {"Malware: Skygofree": [[21, 30]]}, "info": {"id": "cyner2_8class_test_01356", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Midie.D10C7 Win32.Trojan.WisdomEyes.16070401.9500.9914 Backdoor.MSIL.IRCBot.pfh Trojan.Win32.Bonque.bobhgq Msil.Backdoor.Ircbot.Pbyu Trojan.PWS.Bonque.45 Backdoor.IRCBot Backdoor.MSIL Trojan/Win32.Unknown Backdoor:MSIL/IRCbot.K!bit Backdoor.MSIL.IRCBot.pfh Backdoor/Win32.IRCBot.R87115 Backdoor.IRCBot Backdoor.MSIL.IRCBot Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Midie.D10C7": [[26, 44]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9914": [[45, 87]], "Indicator: Backdoor.MSIL.IRCBot.pfh": [[88, 112], [265, 289]], "Indicator: Trojan.Win32.Bonque.bobhgq": [[113, 139]], "Indicator: Msil.Backdoor.Ircbot.Pbyu": [[140, 165]], "Indicator: Trojan.PWS.Bonque.45": [[166, 186]], "Indicator: Backdoor.IRCBot": [[187, 202], [319, 334]], "Indicator: Backdoor.MSIL": [[203, 216]], "Indicator: Trojan/Win32.Unknown": [[217, 237]], "Indicator: Backdoor:MSIL/IRCbot.K!bit": [[238, 264]], "Indicator: Backdoor/Win32.IRCBot.R87115": [[290, 318]], "Indicator: Backdoor.MSIL.IRCBot": [[335, 355]], "Indicator: Trj/CI.A": [[356, 364]]}, "info": {"id": "cyner2_8class_test_01357", "source": "cyner2_8class_test"}} {"text": "It reminds us of Upatre, which gained notoriety status 
over the past two years but has now died down, possibly due to the takedowns of its major payloads.", "spans": {"Malware: Upatre,": [[17, 24]], "Date: the past two years": [[60, 78]], "Malware: major payloads.": [[139, 154]]}, "info": {"id": "cyner2_8class_test_01358", "source": "cyner2_8class_test"}} {"text": "The package certificate is issued under the package name , which also resembles the name of the main DLL name .", "spans": {}, "info": {"id": "cyner2_8class_test_01359", "source": "cyner2_8class_test"}} {"text": "Thus, at first glance, the DNS tunneled traffic generated by ITG08's POS malware looks like any typical DNS address resolution query for a legitimate Akamai domain.", "spans": {"System: DNS tunneled traffic": [[27, 47]], "Malware: ITG08's POS malware": [[61, 80]], "Indicator: DNS address resolution": [[104, 126]], "Indicator: a legitimate Akamai domain.": [[137, 164]]}, "info": {"id": "cyner2_8class_test_01360", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Virut.G Win32/Virut.NBP Trojan-Dropper.Delf!IK Trojan.SlhBack Virus.Win32.Virut.ce TrojWare.Win32.Inject.~D Virus.Win32.Virut.ce Win32.Virut.56 Win32/Virut.NBP PE_VIRUX.E-2 Win32/Virut.17408 Win32/Virut.bn W32.Virut.CF Virus:Win32/Virut.BM Win32.Virut.AM Virus.Win32.Virut.X5 Constructor.SlhBack.bk Trojan.Win32.Delf.fey Trojan-Dropper.Delf W32/Virut.CE Dropper.Delf W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: Win32/Virut.NBP": [[38, 53], [174, 189]], "Indicator: Trojan-Dropper.Delf!IK": [[54, 76]], "Indicator: Trojan.SlhBack": [[77, 91]], "Indicator: Virus.Win32.Virut.ce": [[92, 112], [138, 158]], "Indicator: TrojWare.Win32.Inject.~D": [[113, 137]], "Indicator: Win32.Virut.56": [[159, 173]], "Indicator: PE_VIRUX.E-2": [[190, 202]], "Indicator: Win32/Virut.17408": [[203, 220]], "Indicator: Win32/Virut.bn": [[221, 235]], "Indicator: W32.Virut.CF": [[236, 248]], "Indicator: Virus:Win32/Virut.BM": [[249, 269]], 
"Indicator: Win32.Virut.AM": [[270, 284]], "Indicator: Virus.Win32.Virut.X5": [[285, 305]], "Indicator: Constructor.SlhBack.bk": [[306, 328]], "Indicator: Trojan.Win32.Delf.fey": [[329, 350]], "Indicator: Trojan-Dropper.Delf": [[351, 370]], "Indicator: W32/Virut.CE": [[371, 383]], "Indicator: Dropper.Delf": [[384, 396]], "Indicator: W32/Sality.AO": [[397, 410]]}, "info": {"id": "cyner2_8class_test_01361", "source": "cyner2_8class_test"}} {"text": "A TrickMo version from January 2020 contained code that checks if the app is running on a rooted device or an emulator to prevent analysis .", "spans": {"Malware: TrickMo": [[2, 9]]}, "info": {"id": "cyner2_8class_test_01362", "source": "cyner2_8class_test"}} {"text": "With each subsequent request , a new subdomain was generated .", "spans": {}, "info": {"id": "cyner2_8class_test_01363", "source": "cyner2_8class_test"}} {"text": "The infrastructure behind the Blank Slate campaign has two distinct phases.", "spans": {"System: infrastructure": [[4, 18]], "ThreatActor: the Blank Slate campaign": [[26, 50]]}, "info": {"id": "cyner2_8class_test_01364", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Adware.Dlhelper Dropper.FrauDropCRTD.Win32.6286 Trojan.Application.Bundler.DlHelper.255 Win32.Trojan.Kryptik.pf not-a-virus:WebToolbar.Win32.MutiBar.sy Riskware.Win32.MutiBar.dygvox Trojan.Zadved.203 PUA.Multibar WebToolbar.MutiBar.by RiskWare[WebToolbar]/Win32.MutiBar not-a-virus:WebToolbar.Win32.MutiBar.sy SScope.Downware.Dlhelper PUA.Toolbar.MutiBar! 
W32/Kryptik.FWLF!tr Win32/Application.d4d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.Dlhelper": [[26, 41]], "Indicator: Dropper.FrauDropCRTD.Win32.6286": [[42, 73]], "Indicator: Trojan.Application.Bundler.DlHelper.255": [[74, 113]], "Indicator: Win32.Trojan.Kryptik.pf": [[114, 137]], "Indicator: not-a-virus:WebToolbar.Win32.MutiBar.sy": [[138, 177], [296, 335]], "Indicator: Riskware.Win32.MutiBar.dygvox": [[178, 207]], "Indicator: Trojan.Zadved.203": [[208, 225]], "Indicator: PUA.Multibar": [[226, 238]], "Indicator: WebToolbar.MutiBar.by": [[239, 260]], "Indicator: RiskWare[WebToolbar]/Win32.MutiBar": [[261, 295]], "Indicator: SScope.Downware.Dlhelper": [[336, 360]], "Indicator: PUA.Toolbar.MutiBar!": [[361, 381]], "Indicator: W32/Kryptik.FWLF!tr": [[382, 401]], "Indicator: Win32/Application.d4d": [[402, 423]]}, "info": {"id": "cyner2_8class_test_01365", "source": "cyner2_8class_test"}} {"text": "The Infection Chain Once the user downloads and installs one of the infected applications , ‘ SimBad ’ registers itself to the ‘ BOOT_COMPLETE ’ and ‘ USER_PRESENT ’ intents , which lets ‘ SimBad ’ to perform actions after the device has finished booting and while the user is using his device respectively .", "spans": {"Malware: SimBad": [[94, 100], [189, 195]]}, "info": {"id": "cyner2_8class_test_01366", "source": "cyner2_8class_test"}} {"text": "These features likely suggest ITG03 continues evolving tactics to target users in the cryptocurrency industry.", "spans": {"ThreatActor: ITG03": [[30, 35]], "Organization: users": [[73, 78]], "Organization: the cryptocurrency industry.": [[82, 110]]}, "info": {"id": "cyner2_8class_test_01367", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9918 Trojan.Win32.Stealer.exprxh Trojan.Win32.Z.Zusy.2021449 Trojan.PWS.Stealer.1856 W32/Trojan.PKEU-6036 Trojan.Zusy.D3DCC3 Trojan:Win32/SvcMiner.A Trojan/Win32.CoinMiner.R214201 TrojanPSW.Stealer Trojan.FakeMS 
Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9918": [[26, 68]], "Indicator: Trojan.Win32.Stealer.exprxh": [[69, 96]], "Indicator: Trojan.Win32.Z.Zusy.2021449": [[97, 124]], "Indicator: Trojan.PWS.Stealer.1856": [[125, 148]], "Indicator: W32/Trojan.PKEU-6036": [[149, 169]], "Indicator: Trojan.Zusy.D3DCC3": [[170, 188]], "Indicator: Trojan:Win32/SvcMiner.A": [[189, 212]], "Indicator: Trojan/Win32.CoinMiner.R214201": [[213, 243]], "Indicator: TrojanPSW.Stealer": [[244, 261]], "Indicator: Trojan.FakeMS": [[262, 275]], "Indicator: Trj/CI.A": [[276, 284]]}, "info": {"id": "cyner2_8class_test_01368", "source": "cyner2_8class_test"}} {"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data .", "spans": {}, "info": {"id": "cyner2_8class_test_01369", "source": "cyner2_8class_test"}} {"text": "XLoader as Spyware and Banking Trojan XLoader can also collect information related to usage of apps installed in the device .", "spans": {"Malware: XLoader": [[0, 7]], "Indicator: XLoader": [[38, 45]]}, "info": {"id": "cyner2_8class_test_01370", "source": "cyner2_8class_test"}} {"text": "The United Nations has already imposed significant sanctions on North Korea; however, a recent announcement by China that it will shut down North Korean companies operating within its borders could indicate significant financial trouble for North Korea.", "spans": {"Organization: The United Nations": [[0, 18]], "Location: North Korea;": [[64, 76]], "Location: China": [[111, 116]], "Organization: North Korean companies": [[140, 162]], "Location: North Korea.": [[241, 253]]}, "info": {"id": "cyner2_8class_test_01371", "source": "cyner2_8class_test"}} {"text": "The overlay consisted of a generic credit card grabber targeting social and utility apps , such as Google Play , Facebook , WhatsApp , Chrome , Skype , Instagram and Twitter 
.", "spans": {"System: Google Play": [[99, 110]], "System: Facebook": [[113, 121]], "System: WhatsApp": [[124, 132]], "System: Chrome": [[135, 141]], "System: Skype": [[144, 149]], "System: Instagram": [[152, 161]], "System: Twitter": [[166, 173]]}, "info": {"id": "cyner2_8class_test_01372", "source": "cyner2_8class_test"}} {"text": "This vulnerability CVE-2017-7494 relates to all versions of Samba, starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package 4.6.4/4.5.10/4.4.14.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Indicator: CVE-2017-7494": [[19, 32]], "Malware: Samba,": [[60, 66]], "Malware: 3.5.0,": [[81, 87]], "Date: 2010,": [[110, 115]], "Malware: latest versions of the package 4.6.4/4.5.10/4.4.14.": [[144, 195]]}, "info": {"id": "cyner2_8class_test_01373", "source": "cyner2_8class_test"}} {"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past .", "spans": {}, "info": {"id": "cyner2_8class_test_01374", "source": "cyner2_8class_test"}} {"text": "And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group.", "spans": {"Malware: SeaDuke,": [[25, 33]], "System: Windows": [[69, 76]], "System: Linux,": [[81, 87]], "Malware: cross-platform malware": [[101, 123]], "ThreatActor: Duke group.": [[150, 161]]}, "info": {"id": "cyner2_8class_test_01375", "source": "cyner2_8class_test"}} {"text": "We also noticed how most of these spammed emails were sent between 9 a.m. – 11 a.m. UTC, a time when employees in European countries are starting their day at work.", "spans": {"Indicator: spammed emails were sent between 9 a.m. – 11 a.m. 
UTC,": [[34, 88]], "Organization: employees": [[101, 110]], "Location: European countries": [[114, 132]]}, "info": {"id": "cyner2_8class_test_01376", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-PWS/W32.QQPass.103018 Trojan-PSW.Win32.QQShou!O TrojanPWS.QQpass Trojan/PSW.QQPass.ig Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Pws.AJSA Infostealer.Gampass Win.Spyware.WOW-37 Trojan-PSW.Win32.QQPass.ig Trojan.Win32.QQPass.lwwt Trojan.Win32.A.PSW-QQPass.102400.E TrojWare.Win32.PSW.QQShou Trojan.PWS.Tencent Trojan.QQPass.Win32.2020 BehavesLike.Win32.Downloader.cm Trojan-PWS.Win32.QQShou W32/PWS.OWXU-8397 Trojan/PSW.Chuanhua.iq Trojan[PSW]/Win32.QQPass Backdoor.W32.Hupigon.l57k Trojan/Win32.QQShou.R5746 TrojanPSW.QQPass Trj/QQshou.AA Win32/PSW.QQShou Win32.Trojan-qqpass.Qqrob.Syik Trojan.PWS.QQPass!ev/WXAy55hs W32/QQPass.IG!tr.pws Win32/Trojan.d5b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.QQPass.103018": [[26, 54]], "Indicator: Trojan-PSW.Win32.QQShou!O": [[55, 80]], "Indicator: TrojanPWS.QQpass": [[81, 97]], "Indicator: Trojan/PSW.QQPass.ig": [[98, 118]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[119, 161]], "Indicator: W32/Pws.AJSA": [[162, 174]], "Indicator: Infostealer.Gampass": [[175, 194]], "Indicator: Win.Spyware.WOW-37": [[195, 213]], "Indicator: Trojan-PSW.Win32.QQPass.ig": [[214, 240]], "Indicator: Trojan.Win32.QQPass.lwwt": [[241, 265]], "Indicator: Trojan.Win32.A.PSW-QQPass.102400.E": [[266, 300]], "Indicator: TrojWare.Win32.PSW.QQShou": [[301, 326]], "Indicator: Trojan.PWS.Tencent": [[327, 345]], "Indicator: Trojan.QQPass.Win32.2020": [[346, 370]], "Indicator: BehavesLike.Win32.Downloader.cm": [[371, 402]], "Indicator: Trojan-PWS.Win32.QQShou": [[403, 426]], "Indicator: W32/PWS.OWXU-8397": [[427, 444]], "Indicator: Trojan/PSW.Chuanhua.iq": [[445, 467]], "Indicator: Trojan[PSW]/Win32.QQPass": [[468, 492]], "Indicator: Backdoor.W32.Hupigon.l57k": [[493, 518]], "Indicator: 
Trojan/Win32.QQShou.R5746": [[519, 544]], "Indicator: TrojanPSW.QQPass": [[545, 561]], "Indicator: Trj/QQshou.AA": [[562, 575]], "Indicator: Win32/PSW.QQShou": [[576, 592]], "Indicator: Win32.Trojan-qqpass.Qqrob.Syik": [[593, 623]], "Indicator: Trojan.PWS.QQPass!ev/WXAy55hs": [[624, 653]], "Indicator: W32/QQPass.IG!tr.pws": [[654, 674]], "Indicator: Win32/Trojan.d5b": [[675, 691]]}, "info": {"id": "cyner2_8class_test_01377", "source": "cyner2_8class_test"}} {"text": "This instruction is especially important for malware that tries to avoid user interaction by running in the background as a service .", "spans": {}, "info": {"id": "cyner2_8class_test_01378", "source": "cyner2_8class_test"}} {"text": "Unit 42 has been closely tracking the OilRig threat group since May 2016.", "spans": {"Organization: Unit 42": [[0, 7]], "ThreatActor: the OilRig threat group": [[34, 57]], "Date: May 2016.": [[64, 73]]}, "info": {"id": "cyner2_8class_test_01379", "source": "cyner2_8class_test"}} {"text": "People using certain VPN service providers to protect their privacy are completely unaware that the backend uses a criminal infrastructure of infected computers worldwide.", "spans": {"Organization: VPN service providers": [[21, 42]], "System: criminal infrastructure": [[115, 138]], "System: computers": [[151, 160]]}, "info": {"id": "cyner2_8class_test_01380", "source": "cyner2_8class_test"}} {"text": "And others have all malicious content removed , except for log comments referencing the payment process .", "spans": {}, "info": {"id": "cyner2_8class_test_01381", "source": "cyner2_8class_test"}} {"text": "Rotexy then sent information about the smartphone to the C & C , including the phone model , number , name of the mobile network operator , versions of the operating system and IMEI .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner2_8class_test_01382", "source": "cyner2_8class_test"}} {"text": "This ongoing research lead us to a new Middle Eastern campaign.", "spans": 
{"ThreatActor: a new Middle Eastern campaign.": [[33, 63]]}, "info": {"id": "cyner2_8class_test_01383", "source": "cyner2_8class_test"}} {"text": "The said screen is the ransom note , which contains threats and instructions to pay the ransom .", "spans": {}, "info": {"id": "cyner2_8class_test_01384", "source": "cyner2_8class_test"}} {"text": "Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", "spans": {"ThreatActor: MuddyWater": [[38, 48]], "Indicator: attacks,": [[49, 57]], "Malware: tools": [[118, 123]]}, "info": {"id": "cyner2_8class_test_01385", "source": "cyner2_8class_test"}} {"text": "After conveniently granting itself additional privileges and securing its persistence on the device , Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks .", "spans": {"Malware: Cerberus": [[102, 110]]}, "info": {"id": "cyner2_8class_test_01386", "source": "cyner2_8class_test"}} {"text": "Even a fake Facebook profile to pretend to be an actual company, aided in this process.", "spans": {}, "info": {"id": "cyner2_8class_test_01387", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.QuaresLTAAI.Trojan Worm.Fadok.IM5 Win32.Worm.FakeDoc.a WORM_FAKEDOC_FD050240.UVPM Trojan.Win32.Dwn.drcagm TrojWare.Win32.Scar.FAKD Win32.HLLW.Rendoc.3 Trojan.Scar.Win32.88546 WORM_FAKEDOC_FD050240.UVPM Trojan/Scar.bgdv Trojan/Win32.Scar.jfya Worm:Win32/Fadok.A Trojan.Razy.DA7C7 Worm/Win32.Fadok.R189010 Win32/FakeDoc.A Trojan.DownLoader! 
Worm.Win32.Fakedoc W32/FakeDoc.A!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.QuaresLTAAI.Trojan": [[26, 48]], "Indicator: Worm.Fadok.IM5": [[49, 63]], "Indicator: Win32.Worm.FakeDoc.a": [[64, 84]], "Indicator: WORM_FAKEDOC_FD050240.UVPM": [[85, 111], [205, 231]], "Indicator: Trojan.Win32.Dwn.drcagm": [[112, 135]], "Indicator: TrojWare.Win32.Scar.FAKD": [[136, 160]], "Indicator: Win32.HLLW.Rendoc.3": [[161, 180]], "Indicator: Trojan.Scar.Win32.88546": [[181, 204]], "Indicator: Trojan/Scar.bgdv": [[232, 248]], "Indicator: Trojan/Win32.Scar.jfya": [[249, 271]], "Indicator: Worm:Win32/Fadok.A": [[272, 290]], "Indicator: Trojan.Razy.DA7C7": [[291, 308]], "Indicator: Worm/Win32.Fadok.R189010": [[309, 333]], "Indicator: Win32/FakeDoc.A": [[334, 349]], "Indicator: Trojan.DownLoader!": [[350, 368]], "Indicator: Worm.Win32.Fakedoc": [[369, 387]], "Indicator: W32/FakeDoc.A!worm": [[388, 406]]}, "info": {"id": "cyner2_8class_test_01388", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.KeyStart.181760 Backdoor.Win32.KeyStart!O Backdoor.KeyStart Win32.Trojan.WisdomEyes.16070401.9500.9963 Win32/Slupim.A Backdoor.Win32.KeyStart.ck Trojan.Win32.KeyStart.hfzs Trojan.Win32.Z.Keystart.181760 Backdoor.W32.Keystart!c Trojan.DownLoad.31797 Backdoor.KeyStart.Win32.47 BehavesLike.Win32.Downloader.ch Backdoor.Win32.KeyStart Backdoor/KeyStart.ak Trojan[Backdoor]/Win32.KeyStart Backdoor.Win32.KeyStart.ck Trojan:Win32/Slupim.B Bck/KeyStart.B Win32/Trojan.ec7", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.KeyStart.181760": [[26, 54]], "Indicator: Backdoor.Win32.KeyStart!O": [[55, 80]], "Indicator: Backdoor.KeyStart": [[81, 98]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9963": [[99, 141]], "Indicator: Win32/Slupim.A": [[142, 156]], "Indicator: Backdoor.Win32.KeyStart.ck": [[157, 183], [424, 450]], "Indicator: Trojan.Win32.KeyStart.hfzs": [[184, 210]], "Indicator: Trojan.Win32.Z.Keystart.181760": [[211, 241]], 
"Indicator: Backdoor.W32.Keystart!c": [[242, 265]], "Indicator: Trojan.DownLoad.31797": [[266, 287]], "Indicator: Backdoor.KeyStart.Win32.47": [[288, 314]], "Indicator: BehavesLike.Win32.Downloader.ch": [[315, 346]], "Indicator: Backdoor.Win32.KeyStart": [[347, 370]], "Indicator: Backdoor/KeyStart.ak": [[371, 391]], "Indicator: Trojan[Backdoor]/Win32.KeyStart": [[392, 423]], "Indicator: Trojan:Win32/Slupim.B": [[451, 472]], "Indicator: Bck/KeyStart.B": [[473, 487]], "Indicator: Win32/Trojan.ec7": [[488, 504]]}, "info": {"id": "cyner2_8class_test_01389", "source": "cyner2_8class_test"}} {"text": "The Android rootnik malware uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device.", "spans": {"Malware: The Android rootnik malware": [[0, 27]], "Vulnerability: open-sourced Android root exploit": [[33, 66]], "Malware: tools": [[67, 72]], "Indicator: MTK root scheme": [[81, 96]], "Malware: dashi root tool": [[106, 121]], "System: Android device.": [[148, 163]]}, "info": {"id": "cyner2_8class_test_01390", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.DNSChanger.R Trojan.DNSChanger Trojan.DNSChanger.R Trojan.DNSChanger.R TROJ_DNSCHAN.ADD Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Flush.G TROJ_DNSCHAN.ADD Win.Downloader.Small-1720 Trojan.DNSChanger.R Trojan.Win32.DNSChanger.as Trojan.DNSChanger.R Trojan.Win32.DNSChanger.gwnl Trojan.DNSChanger.R TrojWare.Win32.DNSChanger.Y Trojan.DNSChanger.R Trojan.DnsChange Trojan.DNSChanger.Win32.6451 BehavesLike.Win32.VTFlooder.mc Trojan.Win32.DNSChanger W32.Alureon.Rootkit Trojan.Win32.DNSChanger.as Trojan/Win32.DNSChanger.R5962 DNSChanger.a MalwareScope.Trojan.DnsChange.1 Trj/DNSChanger.AQ", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.FamVT.ExpiroPC.PE": [[26, 47]], "Indicator: Trojan.DNSChanger.R": [[48, 67], [86, 105], [106, 125], [244, 263], [291, 310], [340, 359], [388, 407]], 
"Indicator: Trojan.DNSChanger": [[68, 85]], "Indicator: TROJ_DNSCHAN.ADD": [[126, 142], [201, 217]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[143, 185]], "Indicator: Trojan.Flush.G": [[186, 200]], "Indicator: Win.Downloader.Small-1720": [[218, 243]], "Indicator: Trojan.Win32.DNSChanger.as": [[264, 290], [529, 555]], "Indicator: Trojan.Win32.DNSChanger.gwnl": [[311, 339]], "Indicator: TrojWare.Win32.DNSChanger.Y": [[360, 387]], "Indicator: Trojan.DnsChange": [[408, 424]], "Indicator: Trojan.DNSChanger.Win32.6451": [[425, 453]], "Indicator: BehavesLike.Win32.VTFlooder.mc": [[454, 484]], "Indicator: Trojan.Win32.DNSChanger": [[485, 508]], "Indicator: W32.Alureon.Rootkit": [[509, 528]], "Indicator: Trojan/Win32.DNSChanger.R5962": [[556, 585]], "Indicator: DNSChanger.a": [[586, 598]], "Indicator: MalwareScope.Trojan.DnsChange.1": [[599, 630]], "Indicator: Trj/DNSChanger.AQ": [[631, 648]]}, "info": {"id": "cyner2_8class_test_01391", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Adware.NetFilter.BH Adware.NetFilter.BH Hacktool.Rootkit Adware.NetFilter.BH Adware.NetFilter.BH Adware.NetFilter.BH Adware.5Hex.Win64.8 AdWare.5hex ADWARE/5Hex.yxyby Trojan:Win64/Detrahere.E Adware.NetFilter.BH", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Adware.NetFilter.BH": [[26, 45], [46, 65], [83, 102], [103, 122], [123, 142], [218, 237]], "Indicator: Hacktool.Rootkit": [[66, 82]], "Indicator: Adware.5Hex.Win64.8": [[143, 162]], "Indicator: AdWare.5hex": [[163, 174]], "Indicator: ADWARE/5Hex.yxyby": [[175, 192]], "Indicator: Trojan:Win64/Detrahere.E": [[193, 217]]}, "info": {"id": "cyner2_8class_test_01392", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Dridex Trojan.Midie.DA3BA Win32.Trojan.WisdomEyes.16070401.9500.9999 W64/Trojan.NYZW-9167 Trojan.Win32.Z.Dridex.679936.E Trojan.Kryptik.Win64.2184 Trojan.Crypt Trojan.Dridex.cy TR/Crypt.ZPACK.ohzec Trojan/Win64.Dridex.R212058 Trj/CI.A Win32/Trojan.82a", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dridex": [[26, 39]], "Indicator: Trojan.Midie.DA3BA": [[40, 58]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[59, 101]], "Indicator: W64/Trojan.NYZW-9167": [[102, 122]], "Indicator: Trojan.Win32.Z.Dridex.679936.E": [[123, 153]], "Indicator: Trojan.Kryptik.Win64.2184": [[154, 179]], "Indicator: Trojan.Crypt": [[180, 192]], "Indicator: Trojan.Dridex.cy": [[193, 209]], "Indicator: TR/Crypt.ZPACK.ohzec": [[210, 230]], "Indicator: Trojan/Win64.Dridex.R212058": [[231, 258]], "Indicator: Trj/CI.A": [[259, 267]], "Indicator: Win32/Trojan.82a": [[268, 284]]}, "info": {"id": "cyner2_8class_test_01393", "source": "cyner2_8class_test"}} {"text": "The primary targets , so far , are based in India though other Asian countries such as Pakistan and Bangladesh are also affected .", "spans": {}, "info": {"id": "cyner2_8class_test_01394", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Worm.Drolnux.S644909 Troj.Ransom.W32.Foreign.tnvv Trojan/Ibashade.c Win32.Trojan.Kryptik.bio W32/Trojan.MTDN-3978 Trojan.Toraldrop WORM_DROLNUX_GC310160.UVPM Win.Trojan.Aavirus-2 Trojan.Win32.Kryptik.eljjir Trojan.Win32.Z.Ibashade.507562 Worm.Win32.Ibashade.D Trojan.PackedENT.44 WORM_DROLNUX_GC310160.UVPM BehavesLike.Win32.Jeefo.gh Win32/Ibashade.C Worm.Win32.Ibashade W32/Kryptik.FOAD!tr Win32/Trojan.df3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.eHeur.Malware03": [[26, 45]], "Indicator: Worm.Drolnux.S644909": [[46, 66]], "Indicator: Troj.Ransom.W32.Foreign.tnvv": [[67, 95]], "Indicator: Trojan/Ibashade.c": [[96, 113]], "Indicator: Win32.Trojan.Kryptik.bio": [[114, 138]], "Indicator: W32/Trojan.MTDN-3978": [[139, 159]], "Indicator: Trojan.Toraldrop": [[160, 176]], "Indicator: WORM_DROLNUX_GC310160.UVPM": [[177, 203], [326, 352]], "Indicator: Win.Trojan.Aavirus-2": [[204, 224]], "Indicator: Trojan.Win32.Kryptik.eljjir": [[225, 252]], "Indicator: Trojan.Win32.Z.Ibashade.507562": 
[[253, 283]], "Indicator: Worm.Win32.Ibashade.D": [[284, 305]], "Indicator: Trojan.PackedENT.44": [[306, 325]], "Indicator: BehavesLike.Win32.Jeefo.gh": [[353, 379]], "Indicator: Win32/Ibashade.C": [[380, 396]], "Indicator: Worm.Win32.Ibashade": [[397, 416]], "Indicator: W32/Kryptik.FOAD!tr": [[417, 436]], "Indicator: Win32/Trojan.df3": [[437, 453]]}, "info": {"id": "cyner2_8class_test_01395", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/Dropper.Delf.nsc Trojan.DR.Delf!iMS7sjct8CE TROJ_DELF.SML TrojWare.Win32.TrojanSpy.Delf.AW TROJ_DELF.SML Trojan-Dropper.Delf!IK Backdoor:Win32/Beastdoor.DT Trojan/Win32.Pincav Trojan-Dropper.Delf Injector.NW", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/Dropper.Delf.nsc": [[26, 49]], "Indicator: Trojan.DR.Delf!iMS7sjct8CE": [[50, 76]], "Indicator: TROJ_DELF.SML": [[77, 90], [124, 137]], "Indicator: TrojWare.Win32.TrojanSpy.Delf.AW": [[91, 123]], "Indicator: Trojan-Dropper.Delf!IK": [[138, 160]], "Indicator: Backdoor:Win32/Beastdoor.DT": [[161, 188]], "Indicator: Trojan/Win32.Pincav": [[189, 208]], "Indicator: Trojan-Dropper.Delf": [[209, 228]], "Indicator: Injector.NW": [[229, 240]]}, "info": {"id": "cyner2_8class_test_01396", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Exploit.Linux.68 TROJ_GE.F0CE4FC1 Win32.Trojan.WisdomEyes.16070401.9500.9817 TROJ_GE.F0CE4FC1 HEUR:Exploit.AndroidOS.Psneuter.a Riskware.Rooter.dshucf Tool.Rooter.6 BehavesLike.Win32.Dropper.rc HEUR:Exploit.AndroidOS.Psneuter.a Linux.Riskware.Neuter.A Android/Exploit.PSN.A Exploit.AndroidOS.Psn", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Exploit.Linux.68": [[26, 49]], "Indicator: TROJ_GE.F0CE4FC1": [[50, 66], [110, 126]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9817": [[67, 109]], "Indicator: HEUR:Exploit.AndroidOS.Psneuter.a": [[127, 160], [227, 260]], "Indicator: Riskware.Rooter.dshucf": [[161, 183]], "Indicator: Tool.Rooter.6": [[184, 197]], "Indicator: 
BehavesLike.Win32.Dropper.rc": [[198, 226]], "Indicator: Linux.Riskware.Neuter.A": [[261, 284]], "Indicator: Android/Exploit.PSN.A": [[285, 306]], "Indicator: Exploit.AndroidOS.Psn": [[307, 328]]}, "info": {"id": "cyner2_8class_test_01397", "source": "cyner2_8class_test"}} {"text": "XLoader abuses the MessagePack ( a data interchange format ) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission .", "spans": {"Malware: XLoader": [[0, 7]]}, "info": {"id": "cyner2_8class_test_01398", "source": "cyner2_8class_test"}} {"text": "Moafee may have chosen its targets based on the rich resources of South China Sea region – the world's second business sea-lane, according to Wikipedia – including rare earth metals, crude oil, and natural gas.", "spans": {"ThreatActor: Moafee": [[0, 6]], "Location: South China Sea region": [[66, 88]], "ThreatActor: earth": [[169, 174]]}, "info": {"id": "cyner2_8class_test_01399", "source": "cyner2_8class_test"}} {"text": "If an incoming SMS contains one of the following magic strings : ” 2736428734″ or ” 7238742800″ the malware will execute multiple initial commands : Keylogger implementation Keylogging is implemented in an original manner .", "spans": {"Indicator: 2736428734″": [[67, 78]], "Indicator: 7238742800″": [[84, 95]]}, "info": {"id": "cyner2_8class_test_01400", "source": "cyner2_8class_test"}} {"text": "The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns.", "spans": {"ThreatActor: attackers": [[4, 13]], "ThreatActor: Operation Pawn Storm": [[21, 41]], "ThreatActor: campaigns.": [[111, 121]]}, "info": {"id": "cyner2_8class_test_01401", "source": "cyner2_8class_test"}} {"text": "After analyzing the traffic associated with these short links , we determined that each one was associated with a referral path from mail.mosa.pna.ps .", "spans": {"Indicator: mail.mosa.pna.ps": [[133, 149]]}, "info": {"id": 
"cyner2_8class_test_01402", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HackTool.Fbhack Trojan.MSIL.HackTool.15 Trj/GdSda.A Win32/Trojan.Hacktool.afa", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HackTool.Fbhack": [[26, 41]], "Indicator: Trojan.MSIL.HackTool.15": [[42, 65]], "Indicator: Trj/GdSda.A": [[66, 77]], "Indicator: Win32/Trojan.Hacktool.afa": [[78, 103]]}, "info": {"id": "cyner2_8class_test_01403", "source": "cyner2_8class_test"}} {"text": "Perhaps the app ’ s false capabilities also fueled the low number of downloads .", "spans": {}, "info": {"id": "cyner2_8class_test_01404", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clod692.Trojan.ee6f Backdoor/W32.Thunk.23072 Backdoor/Thunk.a Trojan.Heur.JP.E22B62 W32/Backdoor.FUI Trojan.Bookmarker.C Hoax.Win32.Renos.dv Trojan.Win32.Thunk.ehif Win32.Trojan-psw.Lpkstart.Pftk Backdoor.Win32.Thunk.A BackDoor.Thunker Backdoor.Thunk.Win32.1 BehavesLike.Win32.PWSOnlineGames.mt W32/Backdoor.LZAN-6163 Backdoor/Thunk.c Trojan[Backdoor]/Win32.Thunk Hoax.W32.Renos.dv!c Win-Trojan/Thunk.23072 Trojan.Win32.BadJoke.dv Win32/Thunk.A Trojan.Renos!te8dhAWGe20 Backdoor.Win32.Thunk.a W32/Thunk.A!tr.bdr BackDoor.Thunk.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod692.Trojan.ee6f": [[26, 49]], "Indicator: Backdoor/W32.Thunk.23072": [[50, 74]], "Indicator: Backdoor/Thunk.a": [[75, 91]], "Indicator: Trojan.Heur.JP.E22B62": [[92, 113]], "Indicator: W32/Backdoor.FUI": [[114, 130]], "Indicator: Trojan.Bookmarker.C": [[131, 150]], "Indicator: Hoax.Win32.Renos.dv": [[151, 170]], "Indicator: Trojan.Win32.Thunk.ehif": [[171, 194]], "Indicator: Win32.Trojan-psw.Lpkstart.Pftk": [[195, 225]], "Indicator: Backdoor.Win32.Thunk.A": [[226, 248]], "Indicator: BackDoor.Thunker": [[249, 265]], "Indicator: Backdoor.Thunk.Win32.1": [[266, 288]], "Indicator: BehavesLike.Win32.PWSOnlineGames.mt": [[289, 324]], "Indicator: W32/Backdoor.LZAN-6163": [[325, 347]], "Indicator: 
Backdoor/Thunk.c": [[348, 364]], "Indicator: Trojan[Backdoor]/Win32.Thunk": [[365, 393]], "Indicator: Hoax.W32.Renos.dv!c": [[394, 413]], "Indicator: Win-Trojan/Thunk.23072": [[414, 436]], "Indicator: Trojan.Win32.BadJoke.dv": [[437, 460]], "Indicator: Win32/Thunk.A": [[461, 474]], "Indicator: Trojan.Renos!te8dhAWGe20": [[475, 499]], "Indicator: Backdoor.Win32.Thunk.a": [[500, 522]], "Indicator: W32/Thunk.A!tr.bdr": [[523, 541]], "Indicator: BackDoor.Thunk.A": [[542, 558]]}, "info": {"id": "cyner2_8class_test_01405", "source": "cyner2_8class_test"}} {"text": "Criminals are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze .", "spans": {}, "info": {"id": "cyner2_8class_test_01406", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PePatch!o2sJKTZeQwo W32/TrojanX.BKLZ W32.Spybot.Worm W32/Buzus.HBR Win32.TRBuzus.Adaa Packed.Win32.PePatch.lc Riskware.Win32.CeeInject.A!IK Constructor.Win32.Bifrose.be BackDoor.Poison.61 TR/Bifrose.EB.1 Trojan/Buzus.ejw Trojan.Win32.S.Buzus.1254544 Trojan/Win32.Xema W32/TrojanX.BKLZ BScope.Trojan.871206 Backdoor.Bifrose!rem VirTool.Win32.CeeInject.A W32/Buzus.ADBZ!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PePatch!o2sJKTZeQwo": [[26, 52]], "Indicator: W32/TrojanX.BKLZ": [[53, 69], [301, 317]], "Indicator: W32.Spybot.Worm": [[70, 85]], "Indicator: W32/Buzus.HBR": [[86, 99]], "Indicator: Win32.TRBuzus.Adaa": [[100, 118]], "Indicator: Packed.Win32.PePatch.lc": [[119, 142]], "Indicator: Riskware.Win32.CeeInject.A!IK": [[143, 172]], "Indicator: Constructor.Win32.Bifrose.be": [[173, 201]], "Indicator: BackDoor.Poison.61": [[202, 220]], "Indicator: TR/Bifrose.EB.1": [[221, 236]], "Indicator: Trojan/Buzus.ejw": [[237, 253]], "Indicator: Trojan.Win32.S.Buzus.1254544": [[254, 282]], "Indicator: Trojan/Win32.Xema": [[283, 300]], "Indicator: BScope.Trojan.871206": [[318, 338]], "Indicator: Backdoor.Bifrose!rem": [[339, 359]], "Indicator: 
VirTool.Win32.CeeInject.A": [[360, 385]], "Indicator: W32/Buzus.ADBZ!tr": [[386, 403]]}, "info": {"id": "cyner2_8class_test_01407", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O Backdoor.Daserf Dropper.Injector.Win32.60582 Troj.Dropper.W32.Injector.jrzp!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_DASERF.ZBEI-A Trojan-Dropper.Win32.Injector.jrzp Trojan.Win32.Inject1.cmrdfo Win32.Trojan-dropper.Injector.Wnmi Trojan.Inject1.31463 BKDR_DASERF.ZBEI-A BehavesLike.Win32.Injector.mh Backdoor.Win32.Daserf W32/Trojan.YKAI-2038 W32/Injector.A!tr Trojan[Dropper]/Win32.Injector Backdoor:Win32/Daserf.A Trojan-Dropper.Win32.Injector.jrzp Trojan.Heur.FU.E0F811 Trojan.DR.Injector!lk1UiObxqaY Win32/Trojan.Dropper.cd3", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Injector!O": [[26, 57]], "Indicator: Backdoor.Daserf": [[58, 73]], "Indicator: Dropper.Injector.Win32.60582": [[74, 102]], "Indicator: Troj.Dropper.W32.Injector.jrzp!c": [[103, 135]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[136, 178]], "Indicator: Backdoor.Trojan": [[179, 194]], "Indicator: BKDR_DASERF.ZBEI-A": [[195, 213], [333, 351]], "Indicator: Trojan-Dropper.Win32.Injector.jrzp": [[214, 248], [498, 532]], "Indicator: Trojan.Win32.Inject1.cmrdfo": [[249, 276]], "Indicator: Win32.Trojan-dropper.Injector.Wnmi": [[277, 311]], "Indicator: Trojan.Inject1.31463": [[312, 332]], "Indicator: BehavesLike.Win32.Injector.mh": [[352, 381]], "Indicator: Backdoor.Win32.Daserf": [[382, 403]], "Indicator: W32/Trojan.YKAI-2038": [[404, 424]], "Indicator: W32/Injector.A!tr": [[425, 442]], "Indicator: Trojan[Dropper]/Win32.Injector": [[443, 473]], "Indicator: Backdoor:Win32/Daserf.A": [[474, 497]], "Indicator: Trojan.Heur.FU.E0F811": [[533, 554]], "Indicator: Trojan.DR.Injector!lk1UiObxqaY": [[555, 585]], "Indicator: Win32/Trojan.Dropper.cd3": [[586, 610]]}, "info": {"id": "cyner2_8class_test_01408", "source": 
"cyner2_8class_test"}} {"text": "It's often associated with dropping vawtrak and pony.", "spans": {"Malware: vawtrak": [[36, 43]], "Malware: pony.": [[48, 53]]}, "info": {"id": "cyner2_8class_test_01409", "source": "cyner2_8class_test"}} {"text": "] today www [ .", "spans": {"Indicator: www [ .": [[8, 15]]}, "info": {"id": "cyner2_8class_test_01410", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9598 Troj.W32.Inject.l78q Trojan.DownLoader5.58525 BehavesLike.Win32.BadFile.ph Trojan[Downloader]/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Swfdown.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9598": [[26, 68]], "Indicator: Troj.W32.Inject.l78q": [[69, 89]], "Indicator: Trojan.DownLoader5.58525": [[90, 114]], "Indicator: BehavesLike.Win32.BadFile.ph": [[115, 143]], "Indicator: Trojan[Downloader]/Win32.Unknown": [[144, 176]], "Indicator: Win32.Troj.Undef.kcloud": [[177, 200]], "Indicator: TrojanDownloader:Win32/Swfdown.A": [[201, 233]]}, "info": {"id": "cyner2_8class_test_01411", "source": "cyner2_8class_test"}} {"text": "Proofpoint researchers discovered a never-before-documented malware strain on February 15.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: malware strain": [[60, 74]], "Date: February 15.": [[78, 90]]}, "info": {"id": "cyner2_8class_test_01412", "source": "cyner2_8class_test"}} {"text": "Indicators for BlackEnergy attacks in Ukraine", "spans": {"Indicator: Indicators": [[0, 10]], "ThreatActor: BlackEnergy": [[15, 26]], "Indicator: attacks": [[27, 34]], "Location: Ukraine": [[38, 45]]}, "info": {"id": "cyner2_8class_test_01413", "source": "cyner2_8class_test"}} {"text": "This scam is used more and more often to attack businesses, especially SMBs, in various countries.", "spans": {"Indicator: attack": [[41, 47]], "Organization: businesses,": [[48, 59]], "Organization: SMBs,": [[71, 76]], "Location: 
countries.": [[88, 98]]}, "info": {"id": "cyner2_8class_test_01414", "source": "cyner2_8class_test"}} {"text": "This report covers a campaign of phishing and malware which we have named Operation Manul and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers.", "spans": {"ThreatActor: campaign": [[21, 29]], "Malware: phishing": [[33, 41]], "Malware: malware": [[46, 53]], "ThreatActor: Operation Manul": [[74, 89]], "Organization: the government of Kazakhstan": [[193, 221]], "Organization: journalists,": [[230, 242]], "Location: Europe,": [[264, 271]], "Organization: family members, known associates,": [[278, 311]], "Organization: their lawyers.": [[316, 330]]}, "info": {"id": "cyner2_8class_test_01415", "source": "cyner2_8class_test"}} {"text": "Deceptively , the app was listed in the Education section .", "spans": {}, "info": {"id": "cyner2_8class_test_01416", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TROJ_AHENTE.RED Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Application.TQMP-8317 Trojan.Krast.C TROJ_AHENTE.RED Trojan.Win32.Gamania.ctppae Trojan.Win32.KeyLogger.93696 Trojan.PWS.Gamania.42279 Trojan.Keylogger.Win32.30981 BehavesLike.Win32.BrowseFox.ch Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Backdoor:Win32/Toyecma.A!dha Trj/Vilsel.AF TrojanSpy.KeyLogger!GSKBdfHkyqU W32/KeyLogger.OFI!tr.spy", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_AHENTE.RED": [[26, 41], [126, 141]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[42, 84]], "Indicator: W32/Application.TQMP-8317": [[85, 110]], "Indicator: Trojan.Krast.C": [[111, 125]], "Indicator: Trojan.Win32.Gamania.ctppae": [[142, 169]], "Indicator: Trojan.Win32.KeyLogger.93696": [[170, 198]], "Indicator: Trojan.PWS.Gamania.42279": [[199, 223]], "Indicator: Trojan.Keylogger.Win32.30981": 
[[224, 252]], "Indicator: BehavesLike.Win32.BrowseFox.ch": [[253, 283]], "Indicator: Trojan/Win32.Unknown": [[284, 304]], "Indicator: Win32.Troj.Undef.kcloud": [[305, 328]], "Indicator: Backdoor:Win32/Toyecma.A!dha": [[329, 357]], "Indicator: Trj/Vilsel.AF": [[358, 371]], "Indicator: TrojanSpy.KeyLogger!GSKBdfHkyqU": [[372, 403]], "Indicator: W32/KeyLogger.OFI!tr.spy": [[404, 428]]}, "info": {"id": "cyner2_8class_test_01417", "source": "cyner2_8class_test"}} {"text": "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016 .", "spans": {"Malware: TrickBot": [[41, 49]]}, "info": {"id": "cyner2_8class_test_01418", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.16A4 Troj.W32.Monder.l3LF Win32.Trojan.WisdomEyes.16070401.9500.9996 MalCrypt.Indus! Trojan.Packed.338 BehavesLike.Win32.Downloader.mc Trojan-Downloader.Win32.Clopack Trojan.Heur.TDss.E7D957 TrojanDownloader:Win32/Conhook.AF Trojan/Win32.Xema.C130136", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.16A4": [[26, 42]], "Indicator: Troj.W32.Monder.l3LF": [[43, 63]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9996": [[64, 106]], "Indicator: MalCrypt.Indus!": [[107, 122]], "Indicator: Trojan.Packed.338": [[123, 140]], "Indicator: BehavesLike.Win32.Downloader.mc": [[141, 172]], "Indicator: Trojan-Downloader.Win32.Clopack": [[173, 204]], "Indicator: Trojan.Heur.TDss.E7D957": [[205, 228]], "Indicator: TrojanDownloader:Win32/Conhook.AF": [[229, 262]], "Indicator: Trojan/Win32.Xema.C130136": [[263, 288]]}, "info": {"id": "cyner2_8class_test_01419", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Pinfi.B Win32.Parite.B Virus/W32.Parite.C Virus.Win32.Parite.b!O W32.Perite.A Win32.Parite.B Ransom.Locky Virus.Parite.Win32.9 W32/Pate.B Win32.Parite.B PE_PARITE.A Win32.Virus.Parite.d W32/Locky.IGOK-1178 W32.Pinfi.B Win32/Pinfi.A PE_PARITE.A Heuristics.W32.Parite.B Virus.Win32.Parite.b Win32.Parite.B 
Virus.Win32.Parite.bgvo Virus.Win32.Dropper.c Win32.Parite.B Trojan.DownLoader19.38965 W32/Pate.b W32/Locky.EM Win32/Parite.b Virus/Win32.Parite.c Win32.Parite.b.5756 Win32.Parite.A Virus.Win32.Parite.b Win32.Parite.B W32/Pate.b Virus.Win32.Parite.b Trojan.Locky Win32/Parite.B Win32.Parite.B Virus.Win32.Parite W32/Kryptik.EQFZ!tr W32/Parite.B Virus.Win32.Parite.H", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Pinfi.B": [[26, 37], [236, 247]], "Indicator: Win32.Parite.B": [[38, 52], [108, 122], [168, 182], [319, 333], [380, 394], [537, 551], [612, 626]], "Indicator: Virus/W32.Parite.C": [[53, 71]], "Indicator: Virus.Win32.Parite.b!O": [[72, 94]], "Indicator: W32.Perite.A": [[95, 107]], "Indicator: Ransom.Locky": [[123, 135]], "Indicator: Virus.Parite.Win32.9": [[136, 156]], "Indicator: W32/Pate.B": [[157, 167]], "Indicator: PE_PARITE.A": [[183, 194], [262, 273]], "Indicator: Win32.Virus.Parite.d": [[195, 215]], "Indicator: W32/Locky.IGOK-1178": [[216, 235]], "Indicator: Win32/Pinfi.A": [[248, 261]], "Indicator: Heuristics.W32.Parite.B": [[274, 297]], "Indicator: Virus.Win32.Parite.b": [[298, 318], [516, 536], [563, 583]], "Indicator: Virus.Win32.Parite.bgvo": [[334, 357]], "Indicator: Virus.Win32.Dropper.c": [[358, 379]], "Indicator: Trojan.DownLoader19.38965": [[395, 420]], "Indicator: W32/Pate.b": [[421, 431], [552, 562]], "Indicator: W32/Locky.EM": [[432, 444]], "Indicator: Win32/Parite.b": [[445, 459]], "Indicator: Virus/Win32.Parite.c": [[460, 480]], "Indicator: Win32.Parite.b.5756": [[481, 500]], "Indicator: Win32.Parite.A": [[501, 515]], "Indicator: Trojan.Locky": [[584, 596]], "Indicator: Win32/Parite.B": [[597, 611]], "Indicator: Virus.Win32.Parite": [[627, 645]], "Indicator: W32/Kryptik.EQFZ!tr": [[646, 665]], "Indicator: W32/Parite.B": [[666, 678]], "Indicator: Virus.Win32.Parite.H": [[679, 699]]}, "info": {"id": "cyner2_8class_test_01420", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Ransom.Filecoder 
Ransom_MINDLOST.THBOAH Ransom_MINDLOST.THBOAH Trojan.Win32.Ransom.exdtkr TR/Ransom.uxivv Ransom:MSIL/Paggalangrypt.A!rsm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Ransom.Filecoder": [[26, 49]], "Indicator: Ransom_MINDLOST.THBOAH": [[50, 72], [73, 95]], "Indicator: Trojan.Win32.Ransom.exdtkr": [[96, 122]], "Indicator: TR/Ransom.uxivv": [[123, 138]], "Indicator: Ransom:MSIL/Paggalangrypt.A!rsm": [[139, 170]]}, "info": {"id": "cyner2_8class_test_01421", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Skeeyah.5634 Trojan.Zusy.D38734 Win32.Trojan.WisdomEyes.16070401.9500.9944 TROJ_FASTREK.SM Trojan.DownLoader14.31853 TROJ_FASTREK.SM W32/Trojan.SYFE-6527 TR/Spy.A.5028 Trojan:Win32/Fastrek.A Win32.Trojan.Spy.Sudt Win32/Trojan.Spy.102", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Skeeyah.5634": [[26, 45]], "Indicator: Trojan.Zusy.D38734": [[46, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9944": [[65, 107]], "Indicator: TROJ_FASTREK.SM": [[108, 123], [150, 165]], "Indicator: Trojan.DownLoader14.31853": [[124, 149]], "Indicator: W32/Trojan.SYFE-6527": [[166, 186]], "Indicator: TR/Spy.A.5028": [[187, 200]], "Indicator: Trojan:Win32/Fastrek.A": [[201, 223]], "Indicator: Win32.Trojan.Spy.Sudt": [[224, 245]], "Indicator: Win32/Trojan.Spy.102": [[246, 266]]}, "info": {"id": "cyner2_8class_test_01422", "source": "cyner2_8class_test"}} {"text": "Officials at BLU could n't be immediately reached for comment .", "spans": {"Organization: BLU": [[13, 16]]}, "info": {"id": "cyner2_8class_test_01423", "source": "cyner2_8class_test"}} {"text": "With the daily growth of the different kinds of ransomware and distribution techniques, Fox-IT's Security Operations Center was investigating a new ransomware called Mole.", "spans": {"Malware: ransomware": [[48, 58], [148, 158]], "Organization: Fox-IT's Security Operations Center": [[88, 123]], "Malware: Mole.": [[166, 171]]}, "info": {"id": "cyner2_8class_test_01424", 
"source": "cyner2_8class_test"}} {"text": "This implies that the authors are actively working to optimize EventBot over time .", "spans": {"Malware: EventBot": [[63, 71]]}, "info": {"id": "cyner2_8class_test_01425", "source": "cyner2_8class_test"}} {"text": "Despite the lack of sophistication of the technical details of the malware and its mechanisms for spreading, the threat actors have demonstrated ability to compromise governmental websites successfully.", "spans": {"Malware: malware": [[67, 74]], "ThreatActor: the threat actors": [[109, 126]], "Indicator: compromise governmental websites": [[156, 188]]}, "info": {"id": "cyner2_8class_test_01426", "source": "cyner2_8class_test"}} {"text": "We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.", "spans": {"ThreatActor: campaign": [[24, 32]], "ThreatActor: APT19,": [[38, 44]], "ThreatActor: group": [[47, 52]], "Organization: freelancers,": [[83, 95]], "Organization: the Chinese government.": [[131, 154]]}, "info": {"id": "cyner2_8class_test_01427", "source": "cyner2_8class_test"}} {"text": "App Icon Figure 1 : App icon and fake notification .", "spans": {}, "info": {"id": "cyner2_8class_test_01428", "source": "cyner2_8class_test"}} {"text": "Quite possibly , this routine targets older platforms like Windows 7 and machines not taking advantage of hardware protections like UEFI and SecureBoot , available on Windows 10 .", "spans": {"System: Windows 7": [[59, 68]], "System: Windows 10": [[167, 177]]}, "info": {"id": "cyner2_8class_test_01429", "source": "cyner2_8class_test"}} {"text": "January 2016 – May 2018 : In this stage , “ Agent Smith ” hackers started to try out 9Apps as a distribution channel for their adware .", "spans": {"Malware: Agent Smith": [[44, 55]]}, "info": {"id": "cyner2_8class_test_01430", "source": "cyner2_8class_test"}} {"text": "In fact , recent variants contain code forked from an open-source 
machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices .", "spans": {"System: Android": [[213, 220]]}, "info": {"id": "cyner2_8class_test_01431", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Hacktool.Proxy Win.Trojan.Proxy-1292 Trojan.Proxy.2134 TR/Dldr.Small.ewd.1 TrojanProxy:Win32/Guilt.A Bck/GuilDNS.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Hacktool.Proxy": [[26, 40]], "Indicator: Win.Trojan.Proxy-1292": [[41, 62]], "Indicator: Trojan.Proxy.2134": [[63, 80]], "Indicator: TR/Dldr.Small.ewd.1": [[81, 100]], "Indicator: TrojanProxy:Win32/Guilt.A": [[101, 126]], "Indicator: Bck/GuilDNS.C": [[127, 140]]}, "info": {"id": "cyner2_8class_test_01432", "source": "cyner2_8class_test"}} {"text": "We've been tracking a series of exploit documents which, upon successful exploitation, simply drop a file and perform no other actions; these documents have dropped a variety of backdoors associated with a range of previously identified threat groups.", "spans": {"Indicator: exploit documents": [[32, 49]], "Vulnerability: exploitation,": [[73, 86]], "Indicator: drop a file": [[94, 105]], "Malware: backdoors": [[178, 187]], "ThreatActor: threat groups.": [[237, 251]]}, "info": {"id": "cyner2_8class_test_01433", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Fednu.a Backdoor.Trojan Trojan.Win32.Click1.cgqbj TrojWare.Win32.Fedon.a Trojan.Click1.28242 Fednu.a Trojan:Win32/Fednu.A Trojan/Win32.Fedon.R1249 Trojan.Win32.Startpage.d W32/FAKEMS.E!tr Trojan.Win32.StartPage.BL", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Fednu.a": [[26, 33], [119, 126]], "Indicator: Backdoor.Trojan": [[34, 49]], "Indicator: Trojan.Win32.Click1.cgqbj": [[50, 75]], "Indicator: TrojWare.Win32.Fedon.a": [[76, 98]], "Indicator: Trojan.Click1.28242": [[99, 118]], "Indicator: Trojan:Win32/Fednu.A": [[127, 147]], "Indicator: 
Trojan/Win32.Fedon.R1249": [[148, 172]], "Indicator: Trojan.Win32.Startpage.d": [[173, 197]], "Indicator: W32/FAKEMS.E!tr": [[198, 213]], "Indicator: Trojan.Win32.StartPage.BL": [[214, 239]]}, "info": {"id": "cyner2_8class_test_01434", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.W.Fearso.lGmx Trojan/Boaxxe.a Trojan.Win32.Boaxxe.112128 TrojWare.Win32.Boaxxe.aak Trojan.Inject.8496 BehavesLike.Win32.Conficker.cc Trojan:Win32/Boaxxe.E Trojan.Beax.2 Trojan:Win32/Boaxxe.E Trojan/Win32.Boaxxe.R2341 Win32/Trojan.0e8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.W.Fearso.lGmx": [[26, 43]], "Indicator: Trojan/Boaxxe.a": [[44, 59]], "Indicator: Trojan.Win32.Boaxxe.112128": [[60, 86]], "Indicator: TrojWare.Win32.Boaxxe.aak": [[87, 112]], "Indicator: Trojan.Inject.8496": [[113, 131]], "Indicator: BehavesLike.Win32.Conficker.cc": [[132, 162]], "Indicator: Trojan:Win32/Boaxxe.E": [[163, 184], [199, 220]], "Indicator: Trojan.Beax.2": [[185, 198]], "Indicator: Trojan/Win32.Boaxxe.R2341": [[221, 246]], "Indicator: Win32/Trojan.0e8": [[247, 263]]}, "info": {"id": "cyner2_8class_test_01435", "source": "cyner2_8class_test"}} {"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide .", "spans": {}, "info": {"id": "cyner2_8class_test_01436", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGamesFHKAGBAC.Trojan Trojan.Win32.Small!O Trojan.Keebie.S15324 Trojan/Small.akcc Trojan.Naffy.1 W32/Small.HE Win32/Keebie.A RTKT_KEEBIE.SMIA Win.Trojan.Small-14056 Trojan.Win32.A.Small.5632 TrojWare.Win32.Small.GZ Trojan.NtRootKit.17168 RTKT_KEEBIE.SMIA W32/Small.ULEB-5410 Trojan/Small.hyh TR/Small.GO.1 Trojan/Win32.Small Trojan:WinNT/Keebie.A Backdoor/Win32.Buzy.R2623 Trojan.Small Trj/Small.CN Trojan.Win32.Small.ae Trojan.Small!ebs6Gbgb5Gk Trojan.Win32.Small W32/Anno.A!tr RootKit.Win32.Koutodoor.E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: 
W32.OnGamesFHKAGBAC.Trojan": [[26, 52]], "Indicator: Trojan.Win32.Small!O": [[53, 73]], "Indicator: Trojan.Keebie.S15324": [[74, 94]], "Indicator: Trojan/Small.akcc": [[95, 112]], "Indicator: Trojan.Naffy.1": [[113, 127]], "Indicator: W32/Small.HE": [[128, 140]], "Indicator: Win32/Keebie.A": [[141, 155]], "Indicator: RTKT_KEEBIE.SMIA": [[156, 172], [269, 285]], "Indicator: Win.Trojan.Small-14056": [[173, 195]], "Indicator: Trojan.Win32.A.Small.5632": [[196, 221]], "Indicator: TrojWare.Win32.Small.GZ": [[222, 245]], "Indicator: Trojan.NtRootKit.17168": [[246, 268]], "Indicator: W32/Small.ULEB-5410": [[286, 305]], "Indicator: Trojan/Small.hyh": [[306, 322]], "Indicator: TR/Small.GO.1": [[323, 336]], "Indicator: Trojan/Win32.Small": [[337, 355]], "Indicator: Trojan:WinNT/Keebie.A": [[356, 377]], "Indicator: Backdoor/Win32.Buzy.R2623": [[378, 403]], "Indicator: Trojan.Small": [[404, 416]], "Indicator: Trj/Small.CN": [[417, 429]], "Indicator: Trojan.Win32.Small.ae": [[430, 451]], "Indicator: Trojan.Small!ebs6Gbgb5Gk": [[452, 476]], "Indicator: Trojan.Win32.Small": [[477, 495]], "Indicator: W32/Anno.A!tr": [[496, 509]], "Indicator: RootKit.Win32.Koutodoor.E": [[510, 535]]}, "info": {"id": "cyner2_8class_test_01437", "source": "cyner2_8class_test"}} {"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage of by cybercriminals looking to steal bank account details or execute other frauds .", "spans": {"Vulnerability: software vulnerabilities": [[11, 35]], "System: FOTA": [[55, 59]]}, "info": {"id": "cyner2_8class_test_01438", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanPWS.Fareit Spyware.Pony Trojan.Symmi.D11C87 Win32.Trojan.WisdomEyes.16070401.9500.9803 Trojan-PSW.Win32.Fareit.cpmi Win32.Trojan-qqpass.Qqrob.Huge BehavesLike.Win32.Fareit.dm TR/Dropper.VB.bzhbo Trojan-PSW.Win32.Fareit.cpmi Win32.Trojan.Injector.LG Trojan/Win32.Inject.R198261 BScope.Trojan.VBKrypt 
Trojan.VB.Crypt W32/Injector.DNRZ!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanPWS.Fareit": [[26, 42]], "Indicator: Spyware.Pony": [[43, 55]], "Indicator: Trojan.Symmi.D11C87": [[56, 75]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9803": [[76, 118]], "Indicator: Trojan-PSW.Win32.Fareit.cpmi": [[119, 147], [227, 255]], "Indicator: Win32.Trojan-qqpass.Qqrob.Huge": [[148, 178]], "Indicator: BehavesLike.Win32.Fareit.dm": [[179, 206]], "Indicator: TR/Dropper.VB.bzhbo": [[207, 226]], "Indicator: Win32.Trojan.Injector.LG": [[256, 280]], "Indicator: Trojan/Win32.Inject.R198261": [[281, 308]], "Indicator: BScope.Trojan.VBKrypt": [[309, 330]], "Indicator: Trojan.VB.Crypt": [[331, 346]], "Indicator: W32/Injector.DNRZ!tr": [[347, 367]], "Indicator: Trj/GdSda.A": [[368, 379]]}, "info": {"id": "cyner2_8class_test_01439", "source": "cyner2_8class_test"}} {"text": "NexusLogger collects keystrokes, system information, stored passwords and will take screenshots.", "spans": {"Malware: NexusLogger": [[0, 11]], "Indicator: collects keystrokes, system information, stored passwords": [[12, 69]], "Indicator: screenshots.": [[84, 96]]}, "info": {"id": "cyner2_8class_test_01440", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_TRUEBOT.SMZIEK-A Win.Trojan.Silence-6367670-0 Trojan.DownLoader25.20128 W32/Trojan.PYHP-7871 TrojanDownloader:Win32/Truebot.A Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Mauvaise.SL1": [[26, 45]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[46, 88]], "Indicator: TROJ_TRUEBOT.SMZIEK-A": [[89, 110]], "Indicator: Win.Trojan.Silence-6367670-0": [[111, 139]], "Indicator: Trojan.DownLoader25.20128": [[140, 165]], "Indicator: W32/Trojan.PYHP-7871": [[166, 186]], "Indicator: TrojanDownloader:Win32/Truebot.A": [[187, 219]], "Indicator: Trj/GdSda.A": [[220, 231]]}, "info": {"id": 
"cyner2_8class_test_01441", "source": "cyner2_8class_test"}} {"text": "EventBot Logcat from the infected device Logcat from the infected device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner2_8class_test_01442", "source": "cyner2_8class_test"}} {"text": "The C & C address was specified in the code and was also unencrypted : In some versions , a dynamically generated low-level domain was used as an address : In its first communication , the Trojan sent the infected device ’ s IMEI to the C & C , and in return it received a set of rules for processing incoming SMSs ( phone numbers , keywords and regular expressions ) – these applied mainly to messages from banks , payment systems and mobile network operators .", "spans": {}, "info": {"id": "cyner2_8class_test_01443", "source": "cyner2_8class_test"}} {"text": "The author has introduced the capability to grant the app the device admin permission .", "spans": {}, "info": {"id": "cyner2_8class_test_01444", "source": "cyner2_8class_test"}} {"text": "During the final update installation process , it relies on the Janus vulnerability to bypass Android ’ s APK integrity checks .", "spans": {"Vulnerability: Janus": [[64, 69]], "System: Android": [[94, 101]]}, "info": {"id": "cyner2_8class_test_01445", "source": "cyner2_8class_test"}} {"text": "The website was compromised to launch an apparent watering-hole attack against the company's customers.", "spans": {"Indicator: website": [[4, 11]], "Indicator: watering-hole attack": [[50, 70]], "Organization: company's customers.": [[83, 103]]}, "info": {"id": "cyner2_8class_test_01446", "source": "cyner2_8class_test"}} {"text": "These are then uploaded to the C & C HTTP server .", "spans": {}, "info": {"id": "cyner2_8class_test_01447", "source": "cyner2_8class_test"}} {"text": "The attackers also tend to deploy what works or what s convenient, as we've also seen them attempt to infect the target host with other PoS malware such as PwnPOS TSPY_PWNPOS.SMA, and 
BlackPOS TSPY_POCARDL.AI.", "spans": {"ThreatActor: attackers": [[4, 13]], "Malware: PoS malware": [[136, 147]], "Malware: PwnPOS": [[156, 162]], "Indicator: TSPY_PWNPOS.SMA,": [[163, 179]], "Malware: BlackPOS": [[184, 192]], "Indicator: TSPY_POCARDL.AI.": [[193, 209]]}, "info": {"id": "cyner2_8class_test_01448", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.Iconomon.a2.AD Trojan/Delf.cbcd Trojan.Delf!+j/t0TLqQk4 Trojan.Dropper Delf.KXWK Win32/Delf.AQT TROJ_SPNR.30FE12 Trojan.Win32.Delf.chfk Trojan.Win32.Delf.djowe TR/Offend.kdv.99866 TROJ_SPNR.30FE12 Trojan/Delf.sze Trojan:Win32/Iconomon.A Trojan.Win32.A.Delf.320512.H Trojan/Win32.Delf Trojan.Delf.aqjx Trojan.Dropper Win32/Delf.PXF Trojan.Win32.Delf Delf.VWX", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.Iconomon.a2.AD": [[26, 53]], "Indicator: Trojan/Delf.cbcd": [[54, 70]], "Indicator: Trojan.Delf!+j/t0TLqQk4": [[71, 94]], "Indicator: Trojan.Dropper": [[95, 109], [340, 354]], "Indicator: Delf.KXWK": [[110, 119]], "Indicator: Win32/Delf.AQT": [[120, 134]], "Indicator: TROJ_SPNR.30FE12": [[135, 151], [219, 235]], "Indicator: Trojan.Win32.Delf.chfk": [[152, 174]], "Indicator: Trojan.Win32.Delf.djowe": [[175, 198]], "Indicator: TR/Offend.kdv.99866": [[199, 218]], "Indicator: Trojan/Delf.sze": [[236, 251]], "Indicator: Trojan:Win32/Iconomon.A": [[252, 275]], "Indicator: Trojan.Win32.A.Delf.320512.H": [[276, 304]], "Indicator: Trojan/Win32.Delf": [[305, 322]], "Indicator: Trojan.Delf.aqjx": [[323, 339]], "Indicator: Win32/Delf.PXF": [[355, 369]], "Indicator: Trojan.Win32.Delf": [[370, 387]], "Indicator: Delf.VWX": [[388, 396]]}, "info": {"id": "cyner2_8class_test_01449", "source": "cyner2_8class_test"}} {"text": "The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven't discovered any exact matches.", "spans": {"ThreatActor: The Naikon APT": [[0, 14]], "Organization: FireEye": [[55, 62]], "ThreatActor: APT30,": 
[[87, 93]]}, "info": {"id": "cyner2_8class_test_01450", "source": "cyner2_8class_test"}} {"text": "We are especially delighted about the platform and programme of work established in the declaration of the conference , upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future .", "spans": {}, "info": {"id": "cyner2_8class_test_01451", "source": "cyner2_8class_test"}} {"text": "Xcode is Apple's official tool for developing iOS or OS X apps and it is clear that some Chinese developers have downloaded these Trojanized packages.", "spans": {"System: Xcode": [[0, 5]], "Organization: Apple's": [[9, 16]], "System: iOS": [[46, 49]], "System: OS X apps": [[53, 62]], "Organization: Chinese developers": [[89, 107]], "Malware: Trojanized": [[130, 140]]}, "info": {"id": "cyner2_8class_test_01452", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.E526 Trojan/Proxy.Dlena.cb Win32.Trojan.WisdomEyes.16070401.9500.9685 W32/Proxy.AWL Trojan.Packed.9 Win32.HLLM.Bid BehavesLike.Win32.Sality.nc W32/Proxy.MUPL-7031 TrojanProxy.Dlena.bk TrojanProxy:Win32/Dlena.CB Trojan/Win32.Dlena.C245630 BScope.Trojan.Dlena Trojan.PR.Dlena!kg9jx7szz7g Win32/Trojan.ea0", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.E526": [[26, 42]], "Indicator: Trojan/Proxy.Dlena.cb": [[43, 64]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9685": [[65, 107]], "Indicator: W32/Proxy.AWL": [[108, 121]], "Indicator: Trojan.Packed.9": [[122, 137]], "Indicator: Win32.HLLM.Bid": [[138, 152]], "Indicator: BehavesLike.Win32.Sality.nc": [[153, 180]], "Indicator: W32/Proxy.MUPL-7031": [[181, 200]], "Indicator: TrojanProxy.Dlena.bk": [[201, 221]], "Indicator: TrojanProxy:Win32/Dlena.CB": [[222, 248]], "Indicator: Trojan/Win32.Dlena.C245630": [[249, 275]], "Indicator: BScope.Trojan.Dlena": [[276, 295]], "Indicator: Trojan.PR.Dlena!kg9jx7szz7g": [[296, 323]], "Indicator: Win32/Trojan.ea0": [[324, 340]]}, "info": 
{"id": "cyner2_8class_test_01453", "source": "cyner2_8class_test"}} {"text": "The US government's Cybersecurity and Infrastructure Security Agency CISA has issued a warning about a vulnerability in its IIS server, which allows attackers to exploit a security hole in the network.", "spans": {"Organization: The US government's Cybersecurity": [[0, 33]], "Organization: Infrastructure Security Agency CISA": [[38, 73]], "Vulnerability: vulnerability": [[103, 116]], "System: IIS server,": [[124, 135]], "ThreatActor: attackers": [[149, 158]], "Malware: exploit": [[162, 169]], "Vulnerability: security hole": [[172, 185]], "System: network.": [[193, 201]]}, "info": {"id": "cyner2_8class_test_01454", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Spamer Trojan.Symmi.DDE55 Win32.Trojan.Kryptik.nv Trojan.Win32.Spamer.km Trojan.Win32.Kryptik.ewffdy Troj.W32.Yakes.mAv7 Trojan.DownLoader26.3007 BehavesLike.Win32.Worm.ch W32/Trojan.OMMU-8573 Trojan.Spamer.ae Trojan.Win32.Spamer.km Trojan.Spamer Trj/CI.A Win32.Trojan.Spamer.Akze Trojan.Win32.Crypt W32/Kryptic.ABGK!tr Win32/Trojan.48b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Spamer": [[26, 39], [266, 279]], "Indicator: Trojan.Symmi.DDE55": [[40, 58]], "Indicator: Win32.Trojan.Kryptik.nv": [[59, 82]], "Indicator: Trojan.Win32.Spamer.km": [[83, 105], [243, 265]], "Indicator: Trojan.Win32.Kryptik.ewffdy": [[106, 133]], "Indicator: Troj.W32.Yakes.mAv7": [[134, 153]], "Indicator: Trojan.DownLoader26.3007": [[154, 178]], "Indicator: BehavesLike.Win32.Worm.ch": [[179, 204]], "Indicator: W32/Trojan.OMMU-8573": [[205, 225]], "Indicator: Trojan.Spamer.ae": [[226, 242]], "Indicator: Trj/CI.A": [[280, 288]], "Indicator: Win32.Trojan.Spamer.Akze": [[289, 313]], "Indicator: Trojan.Win32.Crypt": [[314, 332]], "Indicator: W32/Kryptic.ABGK!tr": [[333, 352]], "Indicator: Win32/Trojan.48b": [[353, 369]]}, "info": {"id": "cyner2_8class_test_01455", "source": "cyner2_8class_test"}} {"text": "We have 
written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.", "spans": {"Date: past": [[57, 61]], "Date: today": [[66, 71]], "Malware: family of malware": [[91, 108]], "Indicator: Backdoor.Win32.ATMii.": [[123, 144]]}, "info": {"id": "cyner2_8class_test_01456", "source": "cyner2_8class_test"}} {"text": "This lockdown screen includes two parts : A WebView containing a background picture loaded from a predefined URL .", "spans": {}, "info": {"id": "cyner2_8class_test_01457", "source": "cyner2_8class_test"}} {"text": "Change archive command After this activation cycle , the malware will start the collection of information activities and dissemination .", "spans": {}, "info": {"id": "cyner2_8class_test_01458", "source": "cyner2_8class_test"}} {"text": "This blog serves to discuss changes made by this group and the SamSa malware family since we last discussed them.", "spans": {"ThreatActor: group": [[49, 54]], "Malware: SamSa malware family": [[63, 83]]}, "info": {"id": "cyner2_8class_test_01459", "source": "cyner2_8class_test"}} {"text": "The “ core ” module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender eterno truecaller For each application on the list , the “ core ” module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space .", "spans": {"System: whatsapp": [[151, 159]], "Indicator: lenovo.anyshare.gps": [[160, 179]], "Indicator: mxtech.videoplayer.ad": [[180, 201]], "Indicator: jio.jioplay.tv": [[202, 216]], "Indicator: jio.media.jiobeats": [[217, 235]], "Indicator: 
jiochat.jiochatapp": [[236, 254]], "Indicator: jio.join": [[255, 263]], "Indicator: good.gamecollection": [[264, 283]], "Indicator: opera.mini.native": [[284, 301]], "Indicator: startv.hotstar": [[302, 316]], "Indicator: meitu.beautyplusme": [[317, 335]], "Indicator: domobile.applock": [[336, 352]], "Indicator: touchtype.swiftkey": [[353, 371]], "Indicator: flipkart.android": [[372, 388]], "Indicator: cn.xender": [[389, 398]]}, "info": {"id": "cyner2_8class_test_01460", "source": "cyner2_8class_test"}} {"text": "The supposed purpose of that app is to obtain and use a required “ security code ” to log in to their online banking site .", "spans": {}, "info": {"id": "cyner2_8class_test_01461", "source": "cyner2_8class_test"}} {"text": "youlabuy [ .", "spans": {"Indicator: youlabuy [ .": [[0, 12]]}, "info": {"id": "cyner2_8class_test_01462", "source": "cyner2_8class_test"}} {"text": "They exist in two types : the credentials stealers ( first 2 screenshots ) and the credit card grabbers ( last screenshot ) .", "spans": {}, "info": {"id": "cyner2_8class_test_01463", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.474112 Trojan/OnLineGames.thbb TROJ_GAMETHI.CCS Win32.Trojan.WisdomEyes.16070401.9500.9694 W32/Trojan.DBPJ-8386 Infostealer.Onlinegame Win32/Zajim.A TROJ_GAMETHI.CCS Win.Trojan.Onlinegames-15948 Trojan.Win32.OnLineGames.bqprmm Trojan.Win32.PSWIGames.474112 Troj.GameThief.W32.OnLineGames.thbb!c Backdoor.Win32.DarkstRat.~A Trojan.PWS.Lineage.4854 Trojan.OnLineGames.Win32.74056 BehavesLike.Win32.Dropper.gh Trojan-PWS.Win32.QQPass W32/Trojan2.JUUB TrojanSpy.OnLineGames.eex Trojan:Win32/Blorso.B Trojan[GameThief]/Win32.OnLineGames Win32.PSWTroj.OnLineGames.kcloud Trojan:Win32/Blorso.B Trojan/Win32.OnlineGameHack.R58928 TScope.Trojan.Delf Win32.Trojan-GameThief.Onlinegames.bovd Trojan.PWS.OnLineGames!E2qkzLkLTec W32/OnLineGames.DRT!tr.pws", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PWS/W32.WebGame.474112": 
[[26, 55]], "Indicator: Trojan/OnLineGames.thbb": [[56, 79]], "Indicator: TROJ_GAMETHI.CCS": [[80, 96], [198, 214]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9694": [[97, 139]], "Indicator: W32/Trojan.DBPJ-8386": [[140, 160]], "Indicator: Infostealer.Onlinegame": [[161, 183]], "Indicator: Win32/Zajim.A": [[184, 197]], "Indicator: Win.Trojan.Onlinegames-15948": [[215, 243]], "Indicator: Trojan.Win32.OnLineGames.bqprmm": [[244, 275]], "Indicator: Trojan.Win32.PSWIGames.474112": [[276, 305]], "Indicator: Troj.GameThief.W32.OnLineGames.thbb!c": [[306, 343]], "Indicator: Backdoor.Win32.DarkstRat.~A": [[344, 371]], "Indicator: Trojan.PWS.Lineage.4854": [[372, 395]], "Indicator: Trojan.OnLineGames.Win32.74056": [[396, 426]], "Indicator: BehavesLike.Win32.Dropper.gh": [[427, 455]], "Indicator: Trojan-PWS.Win32.QQPass": [[456, 479]], "Indicator: W32/Trojan2.JUUB": [[480, 496]], "Indicator: TrojanSpy.OnLineGames.eex": [[497, 522]], "Indicator: Trojan:Win32/Blorso.B": [[523, 544], [614, 635]], "Indicator: Trojan[GameThief]/Win32.OnLineGames": [[545, 580]], "Indicator: Win32.PSWTroj.OnLineGames.kcloud": [[581, 613]], "Indicator: Trojan/Win32.OnlineGameHack.R58928": [[636, 670]], "Indicator: TScope.Trojan.Delf": [[671, 689]], "Indicator: Win32.Trojan-GameThief.Onlinegames.bovd": [[690, 729]], "Indicator: Trojan.PWS.OnLineGames!E2qkzLkLTec": [[730, 764]], "Indicator: W32/OnLineGames.DRT!tr.pws": [[765, 791]]}, "info": {"id": "cyner2_8class_test_01464", "source": "cyner2_8class_test"}} {"text": "We have compiled its main features in this brief analysis.", "spans": {}, "info": {"id": "cyner2_8class_test_01465", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.Bionet.593920 Backdoor.Bionet Backdoor.RAT.BioNet Backdoor.Bionet.Win32.159 Backdoor.W32.Bionet.21!c Backdoor/Bionet.21 W32/Bionet.J Backdoor.Trojan Win32/Bionet.261 Html.Trojan.BioNetPlugin-1 Backdoor.Win32.Bionet.21 Trojan.Win32.Bionet-keyhook.guhf Backdoor.Win32.Bionet_21.EditSvr 
BackDoor.BioNet.210 Email-Worm.Win32.GOPworm.196 Backdoor.Win32.Bionet W32/Bionet.XPHY-4314 Backdoor/Bionet.21 Trojan.Bionet BDC/Bionet.21.EdS Trojan[Backdoor]/Win32.Bionet Backdoor:Win32/Bionet.2_1 Backdoor.Win32.Bionet.21 Win-Trojan/Bionet_v21.EditSvr Email-Worm.Win32.GOPworm.196 Backdoor.Bionet Win32/Bionet.21 Win32.Backdoor.Bionet.dmkz Backdoor.Bionet!E616B62dMbM W32/Bdoor.FK!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Bionet.593920": [[26, 52]], "Indicator: Backdoor.Bionet": [[53, 68], [606, 621]], "Indicator: Backdoor.RAT.BioNet": [[69, 88]], "Indicator: Backdoor.Bionet.Win32.159": [[89, 114]], "Indicator: Backdoor.W32.Bionet.21!c": [[115, 139]], "Indicator: Backdoor/Bionet.21": [[140, 158], [415, 433]], "Indicator: W32/Bionet.J": [[159, 171]], "Indicator: Backdoor.Trojan": [[172, 187]], "Indicator: Win32/Bionet.261": [[188, 204]], "Indicator: Html.Trojan.BioNetPlugin-1": [[205, 231]], "Indicator: Backdoor.Win32.Bionet.21": [[232, 256], [522, 546]], "Indicator: Trojan.Win32.Bionet-keyhook.guhf": [[257, 289]], "Indicator: Backdoor.Win32.Bionet_21.EditSvr": [[290, 322]], "Indicator: BackDoor.BioNet.210": [[323, 342]], "Indicator: Email-Worm.Win32.GOPworm.196": [[343, 371], [577, 605]], "Indicator: Backdoor.Win32.Bionet": [[372, 393]], "Indicator: W32/Bionet.XPHY-4314": [[394, 414]], "Indicator: Trojan.Bionet": [[434, 447]], "Indicator: BDC/Bionet.21.EdS": [[448, 465]], "Indicator: Trojan[Backdoor]/Win32.Bionet": [[466, 495]], "Indicator: Backdoor:Win32/Bionet.2_1": [[496, 521]], "Indicator: Win-Trojan/Bionet_v21.EditSvr": [[547, 576]], "Indicator: Win32/Bionet.21": [[622, 637]], "Indicator: Win32.Backdoor.Bionet.dmkz": [[638, 664]], "Indicator: Backdoor.Bionet!E616B62dMbM": [[665, 692]], "Indicator: W32/Bdoor.FK!tr.bdr": [[693, 712]]}, "info": {"id": "cyner2_8class_test_01466", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.AppdataWinupdtLnr.Trojan Trojan.Dusvext.A5 Trojan/Vnfraye.a Trojan.Zusy.DAD2 
TROJ_DUSVEXT.SM Win32.Backdoor.Vnfraye.b W32/Dusvext.A Backdoor.Trojan Win32/Tnega.AGBV TROJ_DUSVEXT.SM Backdoor.Win32.Vernet.axt Trojan.Win32.MLW.dpvjba Backdoor.Win32.IRCBot.146944.J Backdoor.W32.Vernet.to4n Backdoor.Win32.Amtar.vna BackDoor.Gbot.2171 Trojan.Vnfraye.Win32.1 BehavesLike.Win32.ZBot.ch W32/Dusvext.JEML-8693 BDS/Vertex.A Trojan:Win32/Dusvext.A Backdoor.Win32.Vernet.axt Backdoor.Vernet Trojan.Vnfraye.A Win32/Vnfraye.A Win32.Backdoor.Vernet.Pjdv Trojan.Vnfraye!ZphwYheYjUY RAT.Vertex W32/Vnfraye.AAA!tr Win32/Trojan.d72", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.AppdataWinupdtLnr.Trojan": [[26, 54]], "Indicator: Trojan.Dusvext.A5": [[55, 72]], "Indicator: Trojan/Vnfraye.a": [[73, 89]], "Indicator: Trojan.Zusy.DAD2": [[90, 106]], "Indicator: TROJ_DUSVEXT.SM": [[107, 122], [195, 210]], "Indicator: Win32.Backdoor.Vnfraye.b": [[123, 147]], "Indicator: W32/Dusvext.A": [[148, 161]], "Indicator: Backdoor.Trojan": [[162, 177]], "Indicator: Win32/Tnega.AGBV": [[178, 194]], "Indicator: Backdoor.Win32.Vernet.axt": [[211, 236], [468, 493]], "Indicator: Trojan.Win32.MLW.dpvjba": [[237, 260]], "Indicator: Backdoor.Win32.IRCBot.146944.J": [[261, 291]], "Indicator: Backdoor.W32.Vernet.to4n": [[292, 316]], "Indicator: Backdoor.Win32.Amtar.vna": [[317, 341]], "Indicator: BackDoor.Gbot.2171": [[342, 360]], "Indicator: Trojan.Vnfraye.Win32.1": [[361, 383]], "Indicator: BehavesLike.Win32.ZBot.ch": [[384, 409]], "Indicator: W32/Dusvext.JEML-8693": [[410, 431]], "Indicator: BDS/Vertex.A": [[432, 444]], "Indicator: Trojan:Win32/Dusvext.A": [[445, 467]], "Indicator: Backdoor.Vernet": [[494, 509]], "Indicator: Trojan.Vnfraye.A": [[510, 526]], "Indicator: Win32/Vnfraye.A": [[527, 542]], "Indicator: Win32.Backdoor.Vernet.Pjdv": [[543, 569]], "Indicator: Trojan.Vnfraye!ZphwYheYjUY": [[570, 596]], "Indicator: RAT.Vertex": [[597, 607]], "Indicator: W32/Vnfraye.AAA!tr": [[608, 626]], "Indicator: Win32/Trojan.d72": [[627, 643]]}, "info": {"id": 
"cyner2_8class_test_01467", "source": "cyner2_8class_test"}} {"text": "After the installation of the trojan , it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called \" GoogleCC .", "spans": {}, "info": {"id": "cyner2_8class_test_01468", "source": "cyner2_8class_test"}} {"text": "The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019 , but actually dates back to June 2019 .", "spans": {"Organization: Kaspersky": [[56, 65]]}, "info": {"id": "cyner2_8class_test_01469", "source": "cyner2_8class_test"}} {"text": "Of the 10 million people who downloaded HummingBad-contaminated apps , an estimated 286,000 of them were located in the US .", "spans": {"Malware: HummingBad-contaminated": [[40, 63]]}, "info": {"id": "cyner2_8class_test_01470", "source": "cyner2_8class_test"}} {"text": "] 160 [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01471", "source": "cyner2_8class_test"}} {"text": "EventBot is particularly interesting because it is in such early stages .", "spans": {"Organization: EventBot": [[0, 8]]}, "info": {"id": "cyner2_8class_test_01472", "source": "cyner2_8class_test"}} {"text": "Stolen Data Figure 8 : Sending data to the attacker .", "spans": {}, "info": {"id": "cyner2_8class_test_01473", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.PSW.Sadam Trojan-PWS/W32.Sadam.18944 Trojan.PSW.Sadam Trojan/PSW.Sadam Trojan.Win32.Sadam.fxjw Win32/PSW.Sadam Trojan.PSW.Sadam Trojan-PSW.Win32.Sadam Trojan.PSW.Sadam Trojan.PWS.Sadam!lFmRyYmpwOU Trojan.Win32.A.PSW-Sadam.18944[h] Trojan.PSW.Sadam TrojWare.Win32.PSW.Sadam Trojan.PSW.Sadam Trojan.PWS.Pwl.4 Trojan.Sadam.Win32.1 BehavesLike.Win32.PWSOnlineGames.lm W32/Trojan.HRPL-2973 Trojan/PSW.Sadam W32/Farfli.NJ!tr Trojan[PSW]/Win32.Sadam Trojan.PSW.Sadam Troj.PSW32.W.Sadam!c Win-Trojan/PwlStealer.18944 TrojanPSW.Sadam Trojan.Win32.PSW Trojan.PSW.Sadam 
Win32/Trojan.PSW.418", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.PSW.Sadam": [[26, 42], [70, 86], [144, 160], [184, 200], [264, 280], [306, 322], [476, 492], [575, 591]], "Indicator: Trojan-PWS/W32.Sadam.18944": [[43, 69]], "Indicator: Trojan/PSW.Sadam": [[87, 103], [418, 434]], "Indicator: Trojan.Win32.Sadam.fxjw": [[104, 127]], "Indicator: Win32/PSW.Sadam": [[128, 143]], "Indicator: Trojan-PSW.Win32.Sadam": [[161, 183]], "Indicator: Trojan.PWS.Sadam!lFmRyYmpwOU": [[201, 229]], "Indicator: Trojan.Win32.A.PSW-Sadam.18944[h]": [[230, 263]], "Indicator: TrojWare.Win32.PSW.Sadam": [[281, 305]], "Indicator: Trojan.PWS.Pwl.4": [[323, 339]], "Indicator: Trojan.Sadam.Win32.1": [[340, 360]], "Indicator: BehavesLike.Win32.PWSOnlineGames.lm": [[361, 396]], "Indicator: W32/Trojan.HRPL-2973": [[397, 417]], "Indicator: W32/Farfli.NJ!tr": [[435, 451]], "Indicator: Trojan[PSW]/Win32.Sadam": [[452, 475]], "Indicator: Troj.PSW32.W.Sadam!c": [[493, 513]], "Indicator: Win-Trojan/PwlStealer.18944": [[514, 541]], "Indicator: TrojanPSW.Sadam": [[542, 557]], "Indicator: Trojan.Win32.PSW": [[558, 574]], "Indicator: Win32/Trojan.PSW.418": [[592, 612]]}, "info": {"id": "cyner2_8class_test_01474", "source": "cyner2_8class_test"}} {"text": "In this day and age, it's slightly different.", "spans": {}, "info": {"id": "cyner2_8class_test_01475", "source": "cyner2_8class_test"}} {"text": "Mcafee analyzed one recent email campaign with an attached .rar file.", "spans": {"Organization: Mcafee": [[0, 6]], "ThreatActor: email campaign": [[27, 41]], "Indicator: .rar file.": [[59, 69]]}, "info": {"id": "cyner2_8class_test_01476", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Dropper.YIQ TrojanDropper.Blakamba.A5 Trojan.Dropper.YIQ Trojan.Dropper.YIQ TROJ_BLAKAMBA.SM TROJ_BLAKAMBA.SM Trojan.Dropper.YIQ Trojan.Dropper.YIQ Trojan.Win32.Blakamba.dxuyil Trojan.Dropper.YIQ TrojWare.Win32.TrojanDropper.Blakamba.A Trojan.Dropper.YIQ Adware.Yotoon.Win32.3224 
BehavesLike.Win32.Multiplug.tc Virus.Win32.Obfuscator TR/Blakamba.aonaia Malware/Win32.SAPE.C1835825 Win32/Trojan.435", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Dropper.YIQ": [[26, 44], [71, 89], [90, 108], [143, 161], [162, 180], [210, 228], [269, 287]], "Indicator: TrojanDropper.Blakamba.A5": [[45, 70]], "Indicator: TROJ_BLAKAMBA.SM": [[109, 125], [126, 142]], "Indicator: Trojan.Win32.Blakamba.dxuyil": [[181, 209]], "Indicator: TrojWare.Win32.TrojanDropper.Blakamba.A": [[229, 268]], "Indicator: Adware.Yotoon.Win32.3224": [[288, 312]], "Indicator: BehavesLike.Win32.Multiplug.tc": [[313, 343]], "Indicator: Virus.Win32.Obfuscator": [[344, 366]], "Indicator: TR/Blakamba.aonaia": [[367, 385]], "Indicator: Malware/Win32.SAPE.C1835825": [[386, 413]], "Indicator: Win32/Trojan.435": [[414, 430]]}, "info": {"id": "cyner2_8class_test_01477", "source": "cyner2_8class_test"}} {"text": "Stolen data will also be encrypted and sent to the C & C server via the socket connection .", "spans": {}, "info": {"id": "cyner2_8class_test_01478", "source": "cyner2_8class_test"}} {"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat .", "spans": {"System: Next-Generation Firewall ( NGFW )": [[36, 69]], "System: Next-Generation Intrusion Prevention System ( NGIPS )": [[72, 125]], "System: Meraki MX": [[132, 141]]}, "info": {"id": "cyner2_8class_test_01479", "source": "cyner2_8class_test"}} {"text": "Apart from collecting the above data , the spyware monitors users ’ phone calls , records them , and saves the recorded file on the device .", "spans": {}, "info": {"id": "cyner2_8class_test_01480", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Clicker Win32.Trojan.WisdomEyes.16070401.9500.9977 Trojan.DownLoader11.40591 Trojan.Win32.Clicker!BT Trojan.MSIL.TrojanClicker 
TrojanClicker:MSIL/Ezbro.B Trojan.Zusy.D1C4A9 Trojan.Win32.Clicker!BT", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Clicker": [[26, 40]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9977": [[41, 83]], "Indicator: Trojan.DownLoader11.40591": [[84, 109]], "Indicator: Trojan.Win32.Clicker!BT": [[110, 133], [206, 229]], "Indicator: Trojan.MSIL.TrojanClicker": [[134, 159]], "Indicator: TrojanClicker:MSIL/Ezbro.B": [[160, 186]], "Indicator: Trojan.Zusy.D1C4A9": [[187, 205]]}, "info": {"id": "cyner2_8class_test_01481", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Winib.Worm Trojan.Rincux.AW Backdoor.Rbot Trojan/PSW.Sinowal.ag Trojan.Rincux.AW Win32.Trojan.WisdomEyes.16070401.9500.9982 Win32/Xema.A!Dropper Win.Spyware.7826-2 Trojan.Rincux.AW Backdoor.Win32.Agobot.121020 Troj.Spy.W32!c Trojan.Rincux.AW Trojan.Rincux.AW BackDoor.Monsh BehavesLike.Win32.Dropper.ch W32.Trojan.Rincux Trojan.Rincux.AW Trojan.Rincux.AW Backdoor.Agobot Worm.AutoRun W32/AgoBot.H!tr.bdr Win32/Trojan.d74", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Winib.Worm": [[26, 40]], "Indicator: Trojan.Rincux.AW": [[41, 57], [94, 110], [194, 210], [255, 271], [272, 288], [351, 367], [368, 384]], "Indicator: Backdoor.Rbot": [[58, 71]], "Indicator: Trojan/PSW.Sinowal.ag": [[72, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[111, 153]], "Indicator: Win32/Xema.A!Dropper": [[154, 174]], "Indicator: Win.Spyware.7826-2": [[175, 193]], "Indicator: Backdoor.Win32.Agobot.121020": [[211, 239]], "Indicator: Troj.Spy.W32!c": [[240, 254]], "Indicator: BackDoor.Monsh": [[289, 303]], "Indicator: BehavesLike.Win32.Dropper.ch": [[304, 332]], "Indicator: W32.Trojan.Rincux": [[333, 350]], "Indicator: Backdoor.Agobot": [[385, 400]], "Indicator: Worm.AutoRun": [[401, 413]], "Indicator: W32/AgoBot.H!tr.bdr": [[414, 433]], "Indicator: Win32/Trojan.d74": [[434, 450]]}, "info": {"id": "cyner2_8class_test_01482", "source": "cyner2_8class_test"}} {"text": 
"A backdoor also known as: W32.HfsAutoB.A1C4 Trojan/W32.Blocker.1092848 Trojan-Ransom.Win32.Blocker!O Trojan.Zusy.D8875 W32/Trojan.NJLB-1147 Ransom_Blocker.R002C0DLP17 Trojan-Ransom.Win32.Blocker.zdm Trojan.Win32.Blocker.crgjar Trojan.Win32.A.Blocker.1071104 Troj.Ransom.W32.Blocker!c Trojan.Inject1.15883 Trojan.Blocker.Win32.2372 Trojan/Blocker.otu TR/Injector.zuzfm Trojan[Ransom]/Win32.Blocker Trojan-Ransom.Win32.Blocker.zdm Hoax.Blocker Trojan-ransom.Win32.Blocker.kjb Trojan.Blocker!JH0Sb6Ye/p4 W32/Injector.YVK!tr Win32/Trojan.Ransom.ac8", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.A1C4": [[26, 43]], "Indicator: Trojan/W32.Blocker.1092848": [[44, 70]], "Indicator: Trojan-Ransom.Win32.Blocker!O": [[71, 100]], "Indicator: Trojan.Zusy.D8875": [[101, 118]], "Indicator: W32/Trojan.NJLB-1147": [[119, 139]], "Indicator: Ransom_Blocker.R002C0DLP17": [[140, 166]], "Indicator: Trojan-Ransom.Win32.Blocker.zdm": [[167, 198], [397, 428]], "Indicator: Trojan.Win32.Blocker.crgjar": [[199, 226]], "Indicator: Trojan.Win32.A.Blocker.1071104": [[227, 257]], "Indicator: Troj.Ransom.W32.Blocker!c": [[258, 283]], "Indicator: Trojan.Inject1.15883": [[284, 304]], "Indicator: Trojan.Blocker.Win32.2372": [[305, 330]], "Indicator: Trojan/Blocker.otu": [[331, 349]], "Indicator: TR/Injector.zuzfm": [[350, 367]], "Indicator: Trojan[Ransom]/Win32.Blocker": [[368, 396]], "Indicator: Hoax.Blocker": [[429, 441]], "Indicator: Trojan-ransom.Win32.Blocker.kjb": [[442, 473]], "Indicator: Trojan.Blocker!JH0Sb6Ye/p4": [[474, 500]], "Indicator: W32/Injector.YVK!tr": [[501, 520]], "Indicator: Win32/Trojan.Ransom.ac8": [[521, 544]]}, "info": {"id": "cyner2_8class_test_01483", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.645 W97M.Downloader.BDU W97M/Downloader.cct W97M.Downloader W2KM_DLOADR.YYTBR Doc.Macro.Obfuscation-6331107-0 VB:Trojan.Valyria.645 VB:Trojan.Valyria.645 W97M.S.Downloader.277504.A VB:Trojan.Valyria.645 VB:Trojan.Valyria.645 
W2KM_DLOADR.YYTBR W97M/Downloader.cct W2000M/Downloader.MS.102 Trojan:O97M/Paudo.A HEUR.VBA.Trojan.e VB:Trojan.Valyria.645 W97M/Dropper.VM virus.office.qexvmc.1095", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VB:Trojan.Valyria.645": [[26, 47], [154, 175], [176, 197], [225, 246], [247, 268], [370, 391]], "Indicator: W97M.Downloader.BDU": [[48, 67]], "Indicator: W97M/Downloader.cct": [[68, 87], [287, 306]], "Indicator: W97M.Downloader": [[88, 103]], "Indicator: W2KM_DLOADR.YYTBR": [[104, 121], [269, 286]], "Indicator: Doc.Macro.Obfuscation-6331107-0": [[122, 153]], "Indicator: W97M.S.Downloader.277504.A": [[198, 224]], "Indicator: W2000M/Downloader.MS.102": [[307, 331]], "Indicator: Trojan:O97M/Paudo.A": [[332, 351]], "Indicator: HEUR.VBA.Trojan.e": [[352, 369]], "Indicator: W97M/Dropper.VM": [[392, 407]], "Indicator: virus.office.qexvmc.1095": [[408, 432]]}, "info": {"id": "cyner2_8class_test_01484", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: WS.Reputation.1 Percol.A Trojan.DownLoad3.22191 TrojanDownloader.Icehart.bt Win32.Troj.Undef.kcloud TrojanDropper:Win32/Percol.B Downloader/Win32.Icehart Trojan-Downloader.Win32.Icehart Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: WS.Reputation.1": [[26, 41]], "Indicator: Percol.A": [[42, 50]], "Indicator: Trojan.DownLoad3.22191": [[51, 73]], "Indicator: TrojanDownloader.Icehart.bt": [[74, 101]], "Indicator: Win32.Troj.Undef.kcloud": [[102, 125]], "Indicator: TrojanDropper:Win32/Percol.B": [[126, 154]], "Indicator: Downloader/Win32.Icehart": [[155, 179]], "Indicator: Trojan-Downloader.Win32.Icehart": [[180, 211]], "Indicator: Trj/CI.A": [[212, 220]]}, "info": {"id": "cyner2_8class_test_01485", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Nuker.BattlePong.1.0 Trojan/W32.Nuker.199168 Trojan.Battlepong FDoS-BattlePong.03 Trojan/Exploit.Nuker.BattlePong.10 Win32/Nuker.BattlePong.10 Win.Trojan.N-122 Exploit.Win32.Nuker.BattlePong.10 
Trojan.Nuker.BattlePong.1.0 Exploit.Win32.BattlePong.cqpilz Exploit.W32.Nuker.BattlePong.10!c Win32.Exploit.Nuker.Lked Trojan.Nuker.BattlePong.1.0 TrojWare.Win32.Nuker.BattlePong.10 Trojan.Nuker.BattlePong.1.0 FDOS.Pong.10 Tool.BattlePong.Win32.2 FDoS-BattlePong.03 Nuker.Win32.BattlePong W32/Risk.MXKK-2153 Nuke/Win32.BattlePong.10 TR/Nuke.BattlePo.10 Trojan[Exploit]/Win32.Nuker Win32.Troj.BattlePong.kcloud Trojan.Nuker.BattlePong.1.0 Trojan.Win32.BattlePong_Nuker Exploit.Win32.Nuker.BattlePong.10 Trojan/Win32.HDC.C1336 Trojan.Nuker.BattlePong.1.0 Nuker.BattlePong Trojan.BattlePong Trojan.Nuker.BattlePong.1.0 Nuker/BattlePong.10 Win32/Trojan.Nuker.129", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Nuker.BattlePong.1.0": [[26, 53], [227, 254], [346, 373], [409, 436], [637, 664], [752, 779], [815, 842]], "Indicator: Trojan/W32.Nuker.199168": [[54, 77]], "Indicator: Trojan.Battlepong": [[78, 95]], "Indicator: FDoS-BattlePong.03": [[96, 114], [474, 492]], "Indicator: Trojan/Exploit.Nuker.BattlePong.10": [[115, 149]], "Indicator: Win32/Nuker.BattlePong.10": [[150, 175]], "Indicator: Win.Trojan.N-122": [[176, 192]], "Indicator: Exploit.Win32.Nuker.BattlePong.10": [[193, 226], [695, 728]], "Indicator: Exploit.Win32.BattlePong.cqpilz": [[255, 286]], "Indicator: Exploit.W32.Nuker.BattlePong.10!c": [[287, 320]], "Indicator: Win32.Exploit.Nuker.Lked": [[321, 345]], "Indicator: TrojWare.Win32.Nuker.BattlePong.10": [[374, 408]], "Indicator: FDOS.Pong.10": [[437, 449]], "Indicator: Tool.BattlePong.Win32.2": [[450, 473]], "Indicator: Nuker.Win32.BattlePong": [[493, 515]], "Indicator: W32/Risk.MXKK-2153": [[516, 534]], "Indicator: Nuke/Win32.BattlePong.10": [[535, 559]], "Indicator: TR/Nuke.BattlePo.10": [[560, 579]], "Indicator: Trojan[Exploit]/Win32.Nuker": [[580, 607]], "Indicator: Win32.Troj.BattlePong.kcloud": [[608, 636]], "Indicator: Trojan.Win32.BattlePong_Nuker": [[665, 694]], "Indicator: Trojan/Win32.HDC.C1336": [[729, 751]], "Indicator: Nuker.BattlePong": 
[[780, 796]], "Indicator: Trojan.BattlePong": [[797, 814]], "Indicator: Nuker/BattlePong.10": [[843, 862]], "Indicator: Win32/Trojan.Nuker.129": [[863, 885]]}, "info": {"id": "cyner2_8class_test_01486", "source": "cyner2_8class_test"}} {"text": "TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set .", "spans": {"Indicator: android.intent.action.ACTION_TIME_CHANGED": [[13, 54]]}, "info": {"id": "cyner2_8class_test_01487", "source": "cyner2_8class_test"}} {"text": "The Sandworm Team has carried out a global, sustained cyber espionage campaign since at least 2009.", "spans": {"ThreatActor: The Sandworm Team": [[0, 17]], "ThreatActor: cyber espionage campaign": [[54, 78]], "Date: 2009.": [[94, 99]]}, "info": {"id": "cyner2_8class_test_01488", "source": "cyner2_8class_test"}} {"text": "Next, it was used in combination with DNS-based exfiltration aka DNS tunneling.", "spans": {"System: DNS-based exfiltration": [[38, 60]], "System: DNS tunneling.": [[65, 79]]}, "info": {"id": "cyner2_8class_test_01489", "source": "cyner2_8class_test"}} {"text": "Check Point reached out to Google on September 10 , 2015 , and the app containing the malware was removed from Google Play on September 15 , 2015 .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google": [[27, 33]], "System: Google Play": [[111, 122]]}, "info": {"id": "cyner2_8class_test_01490", "source": "cyner2_8class_test"}} {"text": "Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan .", "spans": {"System: Kaspersky Internet Security": [[0, 27]], "System: Android": [[32, 39]], "System: Sberbank Online app": [[48, 67]]}, "info": {"id": "cyner2_8class_test_01491", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.8FE8 Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Adylkuzz-6317076-0 BehavesLike.Win32.Ramnit.tc Trojan:Win32/Adylkuzz.B Trojan.Symmi.D1383C 
Unwanted/Win32.BitCoinMiner.C1986458 Trojan.Win32.Adylkuzz W32/Packed.GV!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.8FE8": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9998": [[43, 85]], "Indicator: Win.Trojan.Adylkuzz-6317076-0": [[86, 115]], "Indicator: BehavesLike.Win32.Ramnit.tc": [[116, 143]], "Indicator: Trojan:Win32/Adylkuzz.B": [[144, 167]], "Indicator: Trojan.Symmi.D1383C": [[168, 187]], "Indicator: Unwanted/Win32.BitCoinMiner.C1986458": [[188, 224]], "Indicator: Trojan.Win32.Adylkuzz": [[225, 246]], "Indicator: W32/Packed.GV!tr": [[247, 263]]}, "info": {"id": "cyner2_8class_test_01492", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.VB!O TrojanPWS.VB.CX Trojan/PSW.VB.bia Win32.Trojan.WisdomEyes.16070401.9500.9740 W32/PWS.MPWG-1251 Win.Spyware.73829-2 Worm.Win32.VBNA.b Trojan.Win32.VB.eakjix Trojan.Win32.PSWVB.69812 Worm.W32.Vbna!c TrojWare.Win32.PSW.VB.NEC0 Trojan.MulDrop2.64396 Worm.VBNA.Win32.30118 BehavesLike.Win32.BadFile.lt Trojan-PWS.Win32.VB W32/Pws.BOIA Worm.VBNA.pcb Worm/Win32.VBNA Trojan.Heur.VP.E2F388 Worm.Win32.VBNA.b PWS:Win32/Tamenoc.A Worm/Win32.VBNA.C99913 MAS.Trojan.VB.01252 Win32/PSW.VB.NEC Win32.Worm.Vbna.Phqe Trojan.PWS.VB!uu94wtoX/Rs W32/VBNA.B!worm", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-PSW.Win32.VB!O": [[26, 47]], "Indicator: TrojanPWS.VB.CX": [[48, 63]], "Indicator: Trojan/PSW.VB.bia": [[64, 81]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9740": [[82, 124]], "Indicator: W32/PWS.MPWG-1251": [[125, 142]], "Indicator: Win.Spyware.73829-2": [[143, 162]], "Indicator: Worm.Win32.VBNA.b": [[163, 180], [430, 447]], "Indicator: Trojan.Win32.VB.eakjix": [[181, 203]], "Indicator: Trojan.Win32.PSWVB.69812": [[204, 228]], "Indicator: Worm.W32.Vbna!c": [[229, 244]], "Indicator: TrojWare.Win32.PSW.VB.NEC0": [[245, 271]], "Indicator: Trojan.MulDrop2.64396": [[272, 293]], "Indicator: Worm.VBNA.Win32.30118": [[294, 315]], "Indicator: 
BehavesLike.Win32.BadFile.lt": [[316, 344]], "Indicator: Trojan-PWS.Win32.VB": [[345, 364]], "Indicator: W32/Pws.BOIA": [[365, 377]], "Indicator: Worm.VBNA.pcb": [[378, 391]], "Indicator: Worm/Win32.VBNA": [[392, 407]], "Indicator: Trojan.Heur.VP.E2F388": [[408, 429]], "Indicator: PWS:Win32/Tamenoc.A": [[448, 467]], "Indicator: Worm/Win32.VBNA.C99913": [[468, 490]], "Indicator: MAS.Trojan.VB.01252": [[491, 510]], "Indicator: Win32/PSW.VB.NEC": [[511, 527]], "Indicator: Win32.Worm.Vbna.Phqe": [[528, 548]], "Indicator: Trojan.PWS.VB!uu94wtoX/Rs": [[549, 574]], "Indicator: W32/VBNA.B!worm": [[575, 590]]}, "info": {"id": "cyner2_8class_test_01493", "source": "cyner2_8class_test"}} {"text": "Activities are key building blocks , central to an app ’ s navigation , for example .", "spans": {}, "info": {"id": "cyner2_8class_test_01494", "source": "cyner2_8class_test"}} {"text": "The organization appears to be shut down , but the threat actors are still very active .", "spans": {}, "info": {"id": "cyner2_8class_test_01495", "source": "cyner2_8class_test"}} {"text": "Taking this information from directory listings , like the one shown above , allowed for the decryption of all content .", "spans": {}, "info": {"id": "cyner2_8class_test_01496", "source": "cyner2_8class_test"}} {"text": "These campaigns utilized fileless loading of a relatively new malware called August through the use of Word macros and PowerShell.", "spans": {"ThreatActor: campaigns": [[6, 15]], "Malware: malware": [[62, 69]], "Malware: August": [[77, 83]], "Malware: Word macros": [[103, 114]], "System: PowerShell.": [[119, 130]]}, "info": {"id": "cyner2_8class_test_01497", "source": "cyner2_8class_test"}} {"text": "Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code.", "spans": {"Malware: Stegoloader": [[0, 11]], "Malware: malware:": [[49, 57]], "Indicator: digital steganography": [[69, 90]], "Malware: malicious code.": [[99, 114]]}, "info": {"id": 
"cyner2_8class_test_01498", "source": "cyner2_8class_test"}} {"text": "Additionally, TA530 customizes the email to each target by specifying the target's name, job title, phone number, and company name in the email body, subject, and attachment names.", "spans": {"ThreatActor: TA530": [[14, 19]], "Indicator: email": [[35, 40]], "Indicator: target's name, job title, phone number, and company name in the email body, subject, and attachment names.": [[74, 180]]}, "info": {"id": "cyner2_8class_test_01499", "source": "cyner2_8class_test"}} {"text": "Recently, Unit42 discovered a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date.", "spans": {"Organization: Unit42": [[10, 16]], "Malware: OceanLotus": [[49, 59]], "Malware: backdoor": [[60, 68]], "Malware: advanced backdoors": [[138, 156]], "System: macOS": [[173, 178]], "Date: to date.": [[179, 187]]}, "info": {"id": "cyner2_8class_test_01500", "source": "cyner2_8class_test"}} {"text": "Despite having been in the wild for an extended period of time, the operation appears to still be active.", "spans": {}, "info": {"id": "cyner2_8class_test_01501", "source": "cyner2_8class_test"}} {"text": "Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA Middle East North Africa region, mainly Egypt, United Arab Emirates and Yemen.", "spans": {"ThreatActor: Gaza cybergang": [[0, 14]], "ThreatActor: Arabic cybercriminal group": [[42, 68]], "Location: MENA Middle East North Africa region,": [[86, 123]], "Location: Egypt, United Arab Emirates": [[131, 158]], "Location: Yemen.": [[163, 169]]}, "info": {"id": "cyner2_8class_test_01502", "source": "cyner2_8class_test"}} {"text": "For this particular packet , the reason is registration of the bot .", "spans": {}, "info": {"id": "cyner2_8class_test_01503", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TrojanDropper.Injector 
Win32.Trojan.WisdomEyes.16070401.9500.9783 W32/Trojan.AFOE-3875 Trojan-Dropper.Win32.Injector.phoq Trojan.Win32.Dwn.eekcko Trojan.Win32.Z.Zusy.396034 W32.W.Fearso.lDrx Trojan.DownLoader14.35508 Trojan.Delf.Win32.76181 BehavesLike.Win32.Oror.fc Trojan.Win32.PSW Trojan.Zusy.D34BC4 Trojan-Dropper.Win32.Injector.phoq PWS:Win32/Cowdenry.A!bit Trojan/Win32.Buzus.R2227 TrojanDropper.Injector Trj/CI.A Win32.Trojan.Inject.Auto Win32/Trojan.5a2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TrojanDropper.Injector": [[26, 48], [414, 436]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9783": [[49, 91]], "Indicator: W32/Trojan.AFOE-3875": [[92, 112]], "Indicator: Trojan-Dropper.Win32.Injector.phoq": [[113, 147], [329, 363]], "Indicator: Trojan.Win32.Dwn.eekcko": [[148, 171]], "Indicator: Trojan.Win32.Z.Zusy.396034": [[172, 198]], "Indicator: W32.W.Fearso.lDrx": [[199, 216]], "Indicator: Trojan.DownLoader14.35508": [[217, 242]], "Indicator: Trojan.Delf.Win32.76181": [[243, 266]], "Indicator: BehavesLike.Win32.Oror.fc": [[267, 292]], "Indicator: Trojan.Win32.PSW": [[293, 309]], "Indicator: Trojan.Zusy.D34BC4": [[310, 328]], "Indicator: PWS:Win32/Cowdenry.A!bit": [[364, 388]], "Indicator: Trojan/Win32.Buzus.R2227": [[389, 413]], "Indicator: Trj/CI.A": [[437, 445]], "Indicator: Win32.Trojan.Inject.Auto": [[446, 470]], "Indicator: Win32/Trojan.5a2": [[471, 487]]}, "info": {"id": "cyner2_8class_test_01504", "source": "cyner2_8class_test"}} {"text": "The organization was closed after the CSIS presentation .", "spans": {"Organization: CSIS": [[38, 42]]}, "info": {"id": "cyner2_8class_test_01505", "source": "cyner2_8class_test"}} {"text": "LemonDuck mining botnet, also known as the Eternal Blue downloader Trojan DTLMiner.", "spans": {"Malware: LemonDuck mining botnet,": [[0, 24]], "Malware: the Eternal Blue downloader Trojan": [[39, 73]], "Malware: DTLMiner.": [[74, 83]]}, "info": {"id": "cyner2_8class_test_01506", "source": "cyner2_8class_test"}} {"text": "Also known as 
Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine.", "spans": {"Malware: Disttrack, Shamoon": [[14, 32]], "Malware: malware family": [[57, 71]], "System: the victim machine.": [[95, 114]]}, "info": {"id": "cyner2_8class_test_01507", "source": "cyner2_8class_test"}} {"text": "CopyKittens is a cyberespionage group that has been operating since at least 2013.", "spans": {"ThreatActor: CopyKittens": [[0, 11]], "ThreatActor: cyberespionage group": [[17, 37]], "Date: 2013.": [[77, 82]]}, "info": {"id": "cyner2_8class_test_01508", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Small.40960.AEH Downloader.Multidl.16282 Trojan.Graftor.DFA71 Trojan.DownLoad3.32618 BehavesLike.Win32.Downloader.pc Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Small.40960.AEH": [[26, 52]], "Indicator: Downloader.Multidl.16282": [[53, 77]], "Indicator: Trojan.Graftor.DFA71": [[78, 98]], "Indicator: Trojan.DownLoad3.32618": [[99, 121]], "Indicator: BehavesLike.Win32.Downloader.pc": [[122, 153]], "Indicator: Trj/CI.A": [[154, 162]]}, "info": {"id": "cyner2_8class_test_01509", "source": "cyner2_8class_test"}} {"text": "Below is a fragment of such a log : Log with specified command Log files can be uploaded to the FTP server and sent to the attacker ’ s email inbox .", "spans": {}, "info": {"id": "cyner2_8class_test_01510", "source": "cyner2_8class_test"}} {"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy .", "spans": {"Malware: HenBox": [[25, 31]]}, "info": {"id": "cyner2_8class_test_01511", "source": "cyner2_8class_test"}} {"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe .", "spans": {}, "info": {"id": "cyner2_8class_test_01512", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Kazy.D2AFE6 MSIL.Backdoor.Bladabindi.a 
W32/Trojan.ZFGR-8663 Trojan.Msil TR/Spy.zwtrn TrojanSpy:MSIL/Flunuceo.B!bit", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Kazy.D2AFE6": [[26, 44]], "Indicator: MSIL.Backdoor.Bladabindi.a": [[45, 71]], "Indicator: W32/Trojan.ZFGR-8663": [[72, 92]], "Indicator: Trojan.Msil": [[93, 104]], "Indicator: TR/Spy.zwtrn": [[105, 117]], "Indicator: TrojanSpy:MSIL/Flunuceo.B!bit": [[118, 147]]}, "info": {"id": "cyner2_8class_test_01513", "source": "cyner2_8class_test"}} {"text": "With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a threat.", "spans": {"System: servers": [[54, 61]], "System: devices,": [[66, 74]], "System: UNIX version": [[77, 89]], "Malware: BIFROSE": [[93, 100]], "Malware: threat.": [[134, 141]]}, "info": {"id": "cyner2_8class_test_01514", "source": "cyner2_8class_test"}} {"text": "An analysis of the malware family can be found later in this blog.", "spans": {"Malware: malware family": [[19, 33]]}, "info": {"id": "cyner2_8class_test_01515", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clod7f8.Trojan.ff31 Backdoor.Win32.Vinself!O Backdoor/Vinself.a Win32.Trojan.WisdomEyes.16070401.9500.9569 W32/MalwareF.ADSSJ Backdoor.Trojan Trojan.Win32.Vinself.cpadj Backdoor.Win32.A.Vinself.57344[h] Backdoor.W32.Vinself.a!c BackDoor.Comet.435 BehavesLike.Win32.Dropper.qm W32/Risk.KOVS-4418 Backdoor:Win32/Vinself.A Backdoor.Vinself Win32.Backdoor.Backdoor.Alir Backdoor.Win32.Vinself", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod7f8.Trojan.ff31": [[26, 49]], "Indicator: Backdoor.Win32.Vinself!O": [[50, 74]], "Indicator: Backdoor/Vinself.a": [[75, 93]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9569": [[94, 136]], "Indicator: W32/MalwareF.ADSSJ": [[137, 155]], "Indicator: Backdoor.Trojan": [[156, 171]], "Indicator: Trojan.Win32.Vinself.cpadj": [[172, 198]], "Indicator: Backdoor.Win32.A.Vinself.57344[h]": [[199, 232]], 
"Indicator: Backdoor.W32.Vinself.a!c": [[233, 257]], "Indicator: BackDoor.Comet.435": [[258, 276]], "Indicator: BehavesLike.Win32.Dropper.qm": [[277, 305]], "Indicator: W32/Risk.KOVS-4418": [[306, 324]], "Indicator: Backdoor:Win32/Vinself.A": [[325, 349]], "Indicator: Backdoor.Vinself": [[350, 366]], "Indicator: Win32.Backdoor.Backdoor.Alir": [[367, 395]], "Indicator: Backdoor.Win32.Vinself": [[396, 418]]}, "info": {"id": "cyner2_8class_test_01516", "source": "cyner2_8class_test"}} {"text": "This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009.", "spans": {"Malware: backdoor": [[5, 13]], "System: Windows-based version": [[64, 85]], "Malware: XSLCmd backdoor": [[93, 108]], "Date: 2009.": [[145, 150]]}, "info": {"id": "cyner2_8class_test_01517", "source": "cyner2_8class_test"}} {"text": "This opens the door to , for example , fully controlling the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner2_8class_test_01518", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.CSpam.122880.B Win32.Trojan.WisdomEyes.16070401.9500.9694 Backdoor.Trojan Win.Trojan.Cspam-3 Trojan.Win32.CSpam.vpryu Backdoor.Win32.A.CSpam.118784 Backdoor.W32.CSpam.c!c Trojan.MulDrop3.10935 Backdoor/CSpam.a BDS/CSpam.CA Trojan[Backdoor]/Win32.CSpam Backdoor:Win32/Samcigap.A Backdoor.CSpam Backdoor.CSpam!oR5QSbjV3Js Backdoor.Win32.CSpam Win32/Trojan.3ff", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.CSpam.122880.B": [[26, 53]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9694": [[54, 96]], "Indicator: Backdoor.Trojan": [[97, 112]], "Indicator: Win.Trojan.Cspam-3": [[113, 131]], "Indicator: Trojan.Win32.CSpam.vpryu": [[132, 156]], "Indicator: Backdoor.Win32.A.CSpam.118784": [[157, 186]], "Indicator: Backdoor.W32.CSpam.c!c": [[187, 209]], "Indicator: Trojan.MulDrop3.10935": [[210, 231]], "Indicator: Backdoor/CSpam.a": [[232, 248]], 
"Indicator: BDS/CSpam.CA": [[249, 261]], "Indicator: Trojan[Backdoor]/Win32.CSpam": [[262, 290]], "Indicator: Backdoor:Win32/Samcigap.A": [[291, 316]], "Indicator: Backdoor.CSpam": [[317, 331]], "Indicator: Backdoor.CSpam!oR5QSbjV3Js": [[332, 358]], "Indicator: Backdoor.Win32.CSpam": [[359, 379]], "Indicator: Win32/Trojan.3ff": [[380, 396]]}, "info": {"id": "cyner2_8class_test_01519", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojandownloader.Moljec Backdoor.W32.Hupigon.kYZB Trojan.Razy.D3D5A4 Win32.Trojan.WisdomEyes.16070401.9500.9808 BehavesLike.Win32.RAHack.nm Trojan-Downloader.Win32.Moljec TR/Dldr.Moljec.hglxv TrojanDownloader:Win32/Moljec.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojandownloader.Moljec": [[26, 49]], "Indicator: Backdoor.W32.Hupigon.kYZB": [[50, 75]], "Indicator: Trojan.Razy.D3D5A4": [[76, 94]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9808": [[95, 137]], "Indicator: BehavesLike.Win32.RAHack.nm": [[138, 165]], "Indicator: Trojan-Downloader.Win32.Moljec": [[166, 196]], "Indicator: TR/Dldr.Moljec.hglxv": [[197, 217]], "Indicator: TrojanDownloader:Win32/Moljec.A": [[218, 249]]}, "info": {"id": "cyner2_8class_test_01520", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.OnGamesLTLIBMSK.Trojan Backdoor/W32.Nbdd.73728.C Backdoor.Win32.Nbdd!O Backdoor.Venik.A6 Backdoor/Nbdd.myv Trojan.Kazy.D77C8E Win32.Trojan.PcClient.f Backdoor.Trojan Win.Trojan.Nbdd-12 Trojan.Win32.Nbdd.dutcj Trojan.DownLoad.64546 BehavesLike.Win32.Dropper.lh Backdoor/Nbdd.mk Trojan[Backdoor]/Win32.Nbdd Backdoor:Win32/Netbot.D Backdoor/Win32.Nbdd.R12332 Backdoor.Nbdd Backdoor.Nbdd!JW4qDWiwtBQ W32/Nbdd.MYV!tr Backdoor.Win32.NBVIP.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.OnGamesLTLIBMSK.Trojan": [[26, 52]], "Indicator: Backdoor/W32.Nbdd.73728.C": [[53, 78]], "Indicator: Backdoor.Win32.Nbdd!O": [[79, 100]], "Indicator: Backdoor.Venik.A6": [[101, 118]], "Indicator: Backdoor/Nbdd.myv": 
[[119, 136]], "Indicator: Trojan.Kazy.D77C8E": [[137, 155]], "Indicator: Win32.Trojan.PcClient.f": [[156, 179]], "Indicator: Backdoor.Trojan": [[180, 195]], "Indicator: Win.Trojan.Nbdd-12": [[196, 214]], "Indicator: Trojan.Win32.Nbdd.dutcj": [[215, 238]], "Indicator: Trojan.DownLoad.64546": [[239, 260]], "Indicator: BehavesLike.Win32.Dropper.lh": [[261, 289]], "Indicator: Backdoor/Nbdd.mk": [[290, 306]], "Indicator: Trojan[Backdoor]/Win32.Nbdd": [[307, 334]], "Indicator: Backdoor:Win32/Netbot.D": [[335, 358]], "Indicator: Backdoor/Win32.Nbdd.R12332": [[359, 385]], "Indicator: Backdoor.Nbdd": [[386, 399]], "Indicator: Backdoor.Nbdd!JW4qDWiwtBQ": [[400, 425]], "Indicator: W32/Nbdd.MYV!tr": [[426, 441]], "Indicator: Backdoor.Win32.NBVIP.B": [[442, 464]]}, "info": {"id": "cyner2_8class_test_01521", "source": "cyner2_8class_test"}} {"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value , they correspond to junk code to simply hinder analysis .", "spans": {}, "info": {"id": "cyner2_8class_test_01522", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor/W32.Androm.331776.K Backdoor.Androm Backdoor.W32.Androm!c Win32.Trojan.WisdomEyes.16070401.9500.9514 Backdoor.Win32.Androm.oyyc Trojan.Win32.Androm.exlhcw Trojan.Win32.Z.Androm.331776.Q Trojan.DownLoader26.14144 Trojan.Win32.Injector Backdoor.Androm.wlr Trojan[Backdoor]/Win32.Androm Trojan:Win32/Totbrick.H Backdoor.Win32.Androm.oyyc Trojan.TrickBot Trj/CI.A Trojan.Midie.DAA06 Win32.Backdoor.Androm.Wsud Win32/Backdoor.06f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor/W32.Androm.331776.K": [[26, 54]], "Indicator: Backdoor.Androm": [[55, 70]], "Indicator: Backdoor.W32.Androm!c": [[71, 92]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9514": 
[[93, 135]], "Indicator: Backdoor.Win32.Androm.oyyc": [[136, 162], [343, 369]], "Indicator: Trojan.Win32.Androm.exlhcw": [[163, 189]], "Indicator: Trojan.Win32.Z.Androm.331776.Q": [[190, 220]], "Indicator: Trojan.DownLoader26.14144": [[221, 246]], "Indicator: Trojan.Win32.Injector": [[247, 268]], "Indicator: Backdoor.Androm.wlr": [[269, 288]], "Indicator: Trojan[Backdoor]/Win32.Androm": [[289, 318]], "Indicator: Trojan:Win32/Totbrick.H": [[319, 342]], "Indicator: Trojan.TrickBot": [[370, 385]], "Indicator: Trj/CI.A": [[386, 394]], "Indicator: Trojan.Midie.DAA06": [[395, 413]], "Indicator: Win32.Backdoor.Androm.Wsud": [[414, 440]], "Indicator: Win32/Backdoor.06f": [[441, 459]]}, "info": {"id": "cyner2_8class_test_01523", "source": "cyner2_8class_test"}} {"text": "An extended malware hunting process returned to us a large set of “ Agent Smith ” dropper variants which helped us further deduce a relation among multiple C & C server infrastructures .", "spans": {"Malware: Agent Smith": [[68, 79]]}, "info": {"id": "cyner2_8class_test_01524", "source": "cyner2_8class_test"}} {"text": "Palo Alto Networks' Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.", "spans": {"Organization: Palo Alto Networks'": [[0, 19]], "Malware: Poison Ivy variant": [[57, 75]], "Location: Hong Kong": [[86, 95]], "Organization: activists": [[96, 105]], "Malware: SPIVY": [[113, 118]], "Indicator: DLL sideloading": [[129, 144]], "Organization: ASERT": [[212, 217]], "Date: past 12 months.": [[256, 271]]}, "info": {"id": "cyner2_8class_test_01525", "source": "cyner2_8class_test"}} {"text": "In addition to adding the code , the attackers also changed the icon and package name .", "spans": {}, "info": {"id": "cyner2_8class_test_01526", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
Trojan.Neurevt.A5 Win32.Trojan.WisdomEyes.16070401.9500.9799 W32/Trojan.PLNQ-7286 Trojan.Win32.GuX.ewvemj TrojWare.Win32.Neurevt.BBS Trojan.Win32.Neurevt Trojan.Heur.E04C69 Trojan/Win32.Neurevt.R156208 Trojan.Neurevt Trj/CI.A W32/Neurevt.3C40!tr Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Neurevt.A5": [[26, 43]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9799": [[44, 86]], "Indicator: W32/Trojan.PLNQ-7286": [[87, 107]], "Indicator: Trojan.Win32.GuX.ewvemj": [[108, 131]], "Indicator: TrojWare.Win32.Neurevt.BBS": [[132, 158]], "Indicator: Trojan.Win32.Neurevt": [[159, 179]], "Indicator: Trojan.Heur.E04C69": [[180, 198]], "Indicator: Trojan/Win32.Neurevt.R156208": [[199, 227]], "Indicator: Trojan.Neurevt": [[228, 242]], "Indicator: Trj/CI.A": [[243, 251]], "Indicator: W32/Neurevt.3C40!tr": [[252, 271]], "Indicator: Win32/Trojan.e6d": [[272, 288]]}, "info": {"id": "cyner2_8class_test_01527", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.OneClickNetSearch.69632.C IMIServer.download Trojan/Downloader.OneClickNetSearch.b Trojan.Win32.OneClickNetSearch.dktm W32/Downloader.JOSL-6677 Adware.IEPlugin Win32/TrojanDownloader.OneClickNetS.B SPYW_IMISERV.C Trojan.Downloader.OneClickNetSearch-2 Trojan-Downloader.Win32.OneClickNetSearch.b TrojanDownloader.NetSearch!886wZrg7qCQ Virus.Win32.Heur.c TrojWare.Win32.TrojanDownloader.OneClickNetS.B Trojan.DownLoader.765 Downloader.OneClickNetSearch.Win32.9 SPYW_IMISERV.C BehavesLike.Win32.Comame.kt W32/Downldr2.AGKQ TrojanDownloader.ClkNetSch.b TR/OneClickSrch.E.2 Trojan[Downloader]/Win32.OneClickNetSearch Troj.Downloader.W32.OneClickNetSearch.b!c Win-Trojan/Oneclicknetsearch.69632.C TrojanDownloader:Win32/OneClkNetSrch.B Trj/Imiserv.B Trojan-Downloader.Win32.OneClickNetSearch Downloader.Onenet.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Downloader/W32.OneClickNetSearch.69632.C": [[26, 73]], "Indicator: IMIServer.download": [[74, 
92]], "Indicator: Trojan/Downloader.OneClickNetSearch.b": [[93, 130]], "Indicator: Trojan.Win32.OneClickNetSearch.dktm": [[131, 166]], "Indicator: W32/Downloader.JOSL-6677": [[167, 191]], "Indicator: Adware.IEPlugin": [[192, 207]], "Indicator: Win32/TrojanDownloader.OneClickNetS.B": [[208, 245]], "Indicator: SPYW_IMISERV.C": [[246, 260], [507, 521]], "Indicator: Trojan.Downloader.OneClickNetSearch-2": [[261, 298]], "Indicator: Trojan-Downloader.Win32.OneClickNetSearch.b": [[299, 342]], "Indicator: TrojanDownloader.NetSearch!886wZrg7qCQ": [[343, 381]], "Indicator: Virus.Win32.Heur.c": [[382, 400]], "Indicator: TrojWare.Win32.TrojanDownloader.OneClickNetS.B": [[401, 447]], "Indicator: Trojan.DownLoader.765": [[448, 469]], "Indicator: Downloader.OneClickNetSearch.Win32.9": [[470, 506]], "Indicator: BehavesLike.Win32.Comame.kt": [[522, 549]], "Indicator: W32/Downldr2.AGKQ": [[550, 567]], "Indicator: TrojanDownloader.ClkNetSch.b": [[568, 596]], "Indicator: TR/OneClickSrch.E.2": [[597, 616]], "Indicator: Trojan[Downloader]/Win32.OneClickNetSearch": [[617, 659]], "Indicator: Troj.Downloader.W32.OneClickNetSearch.b!c": [[660, 701]], "Indicator: Win-Trojan/Oneclicknetsearch.69632.C": [[702, 738]], "Indicator: TrojanDownloader:Win32/OneClkNetSrch.B": [[739, 777]], "Indicator: Trj/Imiserv.B": [[778, 791]], "Indicator: Trojan-Downloader.Win32.OneClickNetSearch": [[792, 833]], "Indicator: Downloader.Onenet.B": [[834, 853]]}, "info": {"id": "cyner2_8class_test_01528", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Clod664.Trojan.cba8 Win32.Trojan.WisdomEyes.16070401.9500.9684 W32/Trojan.MJBK-1284 BKDR_ISMDOOR.C Trojan.Win32.Revizer.eizvti Trojan.Revizer.1141 trojan.winnt.mooqkel.a Trojan:Win32/Toorf.A!dha Trojan/Win32.Ismdoor.R194423 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Clod664.Trojan.cba8": [[26, 49]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9684": [[50, 92]], "Indicator: W32/Trojan.MJBK-1284": [[93, 113]], 
"Indicator: BKDR_ISMDOOR.C": [[114, 128]], "Indicator: Trojan.Win32.Revizer.eizvti": [[129, 156]], "Indicator: Trojan.Revizer.1141": [[157, 176]], "Indicator: trojan.winnt.mooqkel.a": [[177, 199]], "Indicator: Trojan:Win32/Toorf.A!dha": [[200, 224]], "Indicator: Trojan/Win32.Ismdoor.R194423": [[225, 253]], "Indicator: Trj/GdSda.A": [[254, 265]]}, "info": {"id": "cyner2_8class_test_01529", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: JS.Exploit.Pdfka.qe JS/Crypted.LT Bloodhound.Exploit.357 PDF/CVE-2010-2883.A!exploit TROJ_PIDIEF.SMZH Exploit.Win32.CVE-2010-2883.a Exploit.Script.Pdfka.bkbqa Exploit.TTF.CVE-2010-2883.a SCRIPT.Virus BehavesLike.PDF.Evasion.cn JS/Crypted.LT EXP/CVE-2010-2883.AI Trojan[Exploit]/TTF.CVE-2010-2883 Exploit.Win32.CVE-2010-2883.a JS/Exploit.Pdfka.OIB JS.Base64er.B Exploit.Win32.CVE-2010-2883 PDF:Exploit.PDF-JS.AGL virus.cve.20102883", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: JS.Exploit.Pdfka.qe": [[26, 45]], "Indicator: JS/Crypted.LT": [[46, 59], [253, 266]], "Indicator: Bloodhound.Exploit.357": [[60, 82]], "Indicator: PDF/CVE-2010-2883.A!exploit": [[83, 110]], "Indicator: TROJ_PIDIEF.SMZH": [[111, 127]], "Indicator: Exploit.Win32.CVE-2010-2883.a": [[128, 157], [322, 351]], "Indicator: Exploit.Script.Pdfka.bkbqa": [[158, 184]], "Indicator: Exploit.TTF.CVE-2010-2883.a": [[185, 212]], "Indicator: SCRIPT.Virus": [[213, 225]], "Indicator: BehavesLike.PDF.Evasion.cn": [[226, 252]], "Indicator: EXP/CVE-2010-2883.AI": [[267, 287]], "Indicator: Trojan[Exploit]/TTF.CVE-2010-2883": [[288, 321]], "Indicator: JS/Exploit.Pdfka.OIB": [[352, 372]], "Indicator: JS.Base64er.B": [[373, 386]], "Indicator: Exploit.Win32.CVE-2010-2883": [[387, 414]], "Indicator: PDF:Exploit.PDF-JS.AGL": [[415, 437]], "Indicator: virus.cve.20102883": [[438, 456]]}, "info": {"id": "cyner2_8class_test_01530", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Ransom_Zuresq.R002C0DAQ18 
Win.Trojan.Zerolocker-1 Hoax.Win32.FakeRansom.df Trojan.Win32.Z.Zuresq.406528 Ransom_Zuresq.R002C0DAQ18 W32/Trojan.LNUU-1055 TR/Fraud.xacle Ransom:Win32/Zuresq.A Trojan.MSILPerseus.D1AE93 Hoax.Win32.FakeRansom.df Trojan/Win32.Ransomcrypt.C536978 Trj/GdSda.A Trojan-Ransom.FileCoder Win32/Trojan.89b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9982": [[26, 68]], "Indicator: Ransom_Zuresq.R002C0DAQ18": [[69, 94], [173, 198]], "Indicator: Win.Trojan.Zerolocker-1": [[95, 118]], "Indicator: Hoax.Win32.FakeRansom.df": [[119, 143], [283, 307]], "Indicator: Trojan.Win32.Z.Zuresq.406528": [[144, 172]], "Indicator: W32/Trojan.LNUU-1055": [[199, 219]], "Indicator: TR/Fraud.xacle": [[220, 234]], "Indicator: Ransom:Win32/Zuresq.A": [[235, 256]], "Indicator: Trojan.MSILPerseus.D1AE93": [[257, 282]], "Indicator: Trojan/Win32.Ransomcrypt.C536978": [[308, 340]], "Indicator: Trj/GdSda.A": [[341, 352]], "Indicator: Trojan-Ransom.FileCoder": [[353, 376]], "Indicator: Win32/Trojan.89b": [[377, 393]]}, "info": {"id": "cyner2_8class_test_01531", "source": "cyner2_8class_test"}} {"text": "Figure 26 : “ Agent Smith ” Campaign timeline Greater “ Agent Smith ” Campaign Discovery Orchestrating a successful 9Apps centric malware campaign , the actor behind “ Agent Smith ” established solid strategies in malware proliferation and payload delivery .", "spans": {"Malware: Agent Smith": [[14, 25], [56, 67], [168, 179]], "System: 9Apps": [[116, 121]]}, "info": {"id": "cyner2_8class_test_01532", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Razy.D1F561 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9959": [[26, 68]], "Indicator: Trojan.Razy.D1F561": [[69, 87]], "Indicator: Trj/GdSda.A": [[88, 99]]}, "info": {"id": "cyner2_8class_test_01533", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
HW32.Packed.D6C8 Trojan.Farfli.Win32.7981 Win32.Trojan-GameThief.OnlineGames.h BehavesLike.Win32.Trojan.cc TR/Zegost.EB Backdoor:Win32/Morix.B Trojan.Heur.GM.D3D8682 Adware/Win32.NaviPromo.R36681 TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.D6C8": [[26, 42]], "Indicator: Trojan.Farfli.Win32.7981": [[43, 67]], "Indicator: Win32.Trojan-GameThief.OnlineGames.h": [[68, 104]], "Indicator: BehavesLike.Win32.Trojan.cc": [[105, 132]], "Indicator: TR/Zegost.EB": [[133, 145]], "Indicator: Backdoor:Win32/Morix.B": [[146, 168]], "Indicator: Trojan.Heur.GM.D3D8682": [[169, 191]], "Indicator: Adware/Win32.NaviPromo.R36681": [[192, 221]], "Indicator: TScope.Malware-Cryptor.SB": [[222, 247]], "Indicator: Trj/CI.A": [[248, 256]]}, "info": {"id": "cyner2_8class_test_01534", "source": "cyner2_8class_test"}} {"text": "Citizen Lab This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist.", "spans": {"Organization: Citizen Lab": [[0, 11]], "ThreatActor: phishing campaign": [[47, 64]], "Organization: Iran's diaspora,": [[84, 100]], "Malware: at": [[105, 107]], "Organization: Western activist.": [[118, 135]]}, "info": {"id": "cyner2_8class_test_01535", "source": "cyner2_8class_test"}} {"text": "What we found was a kit that operated on a relatively small infrastructure footprint, but had what appeared to be one of the largest domain shadowing implementations we had ever seen.", "spans": {"Malware: kit": [[20, 23]], "System: small infrastructure": [[54, 74]], "Indicator: domain shadowing": [[133, 149]]}, "info": {"id": "cyner2_8class_test_01536", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Suweezy.N5 PUP.Optional.Elex Trojan.Win32.AdLoad.egraob PUP.ELEX/Variant Adware.SoEasy.1 BehavesLike.Win32.PUPXAI.ch Trojan.Adload.f PUP/Win32.Helper.R188556 Trojan.AdLoad Trj/GdSda.A Win32/Virus.e45", "spans": {"Malware: backdoor": [[2, 10]], 
"Indicator: Trojan.Suweezy.N5": [[26, 43]], "Indicator: PUP.Optional.Elex": [[44, 61]], "Indicator: Trojan.Win32.AdLoad.egraob": [[62, 88]], "Indicator: PUP.ELEX/Variant": [[89, 105]], "Indicator: Adware.SoEasy.1": [[106, 121]], "Indicator: BehavesLike.Win32.PUPXAI.ch": [[122, 149]], "Indicator: Trojan.Adload.f": [[150, 165]], "Indicator: PUP/Win32.Helper.R188556": [[166, 190]], "Indicator: Trojan.AdLoad": [[191, 204]], "Indicator: Trj/GdSda.A": [[205, 216]], "Indicator: Win32/Virus.e45": [[217, 232]]}, "info": {"id": "cyner2_8class_test_01537", "source": "cyner2_8class_test"}} {"text": "Various artifices indicate that the main target of this campaign is IEC – Israel Electric Company.", "spans": {"ThreatActor: campaign": [[56, 64]], "Organization: IEC": [[68, 71]], "Organization: Israel Electric Company.": [[74, 98]]}, "info": {"id": "cyner2_8class_test_01538", "source": "cyner2_8class_test"}} {"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats .", "spans": {}, "info": {"id": "cyner2_8class_test_01539", "source": "cyner2_8class_test"}} {"text": "Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in in or business interests in Saudi Arabia.", "spans": {"Organization: organizations": [[52, 65]], "Organization: the energy, government,": [[69, 92]], "Organization: technology sectors": [[97, 115]], "Organization: business interests": [[141, 159]], "Location: Saudi Arabia.": [[163, 176]]}, "info": {"id": "cyner2_8class_test_01540", "source": "cyner2_8class_test"}} {"text": "A new breed of cybercriminals has surfaced in China.", "spans": {"ThreatActor: cybercriminals": [[15, 29]], "Location: China.": [[46, 52]]}, "info": {"id": "cyner2_8class_test_01541", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: 
PDF:Exploit.PDF-JS.VD Exploit.Js.Pdfka!c Trojan.Pidief JS/Exploit.Pdfka.QDD TROJ_PIDIEF.OPL PDF:Exploit.PDF-JS.VD Exploit.JS.Pdfka.giy Trojan.Pdf.Pdfka.blkemm PDF.S.Exploit.806918 Exploit:W32/MiniDuke.C Exploit.PDF.5708 TROJ_PIDIEF.OPL BehavesLike.PDF.Trojan.bb EXP/CVE-2013-0640.A Exploit.JS.Pdfka.giy Exploit-PDF.b Exploit.JS.Pdfka.giy Pdf.Exploit.Pdfka.Ljki Exploit.PDF.Miniduke PDF/Pdfka.GIY!exploit virus.js.unescapepmen.4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF:Exploit.PDF-JS.VD": [[26, 47], [118, 139]], "Indicator: Exploit.Js.Pdfka!c": [[48, 66]], "Indicator: Trojan.Pidief": [[67, 80]], "Indicator: JS/Exploit.Pdfka.QDD": [[81, 101]], "Indicator: TROJ_PIDIEF.OPL": [[102, 117], [246, 261]], "Indicator: Exploit.JS.Pdfka.giy": [[140, 160], [308, 328], [343, 363]], "Indicator: Trojan.Pdf.Pdfka.blkemm": [[161, 184]], "Indicator: PDF.S.Exploit.806918": [[185, 205]], "Indicator: Exploit:W32/MiniDuke.C": [[206, 228]], "Indicator: Exploit.PDF.5708": [[229, 245]], "Indicator: BehavesLike.PDF.Trojan.bb": [[262, 287]], "Indicator: EXP/CVE-2013-0640.A": [[288, 307]], "Indicator: Exploit-PDF.b": [[329, 342]], "Indicator: Pdf.Exploit.Pdfka.Ljki": [[364, 386]], "Indicator: Exploit.PDF.Miniduke": [[387, 407]], "Indicator: PDF/Pdfka.GIY!exploit": [[408, 429]], "Indicator: virus.js.unescapepmen.4": [[430, 453]]}, "info": {"id": "cyner2_8class_test_01542", "source": "cyner2_8class_test"}} {"text": "Weaponizing documents to exploit known Microsoft Word vulnerabilities is a common tactic deployed by many adversary groups, but in this example, we discovered RTF documents containing embedded OLE Word documents further containing embedded Adobe Flash .SWF files, designed to exploit Flash vulnerabilities rather than Microsoft Word.", "spans": {"Indicator: Weaponizing documents": [[0, 21]], "Indicator: exploit": [[25, 32]], "Vulnerability: Microsoft Word vulnerabilities": [[39, 69]], "ThreatActor: adversary groups,": [[106, 123]], "Indicator: RTF documents": [[159, 
172]], "Indicator: embedded OLE Word documents further containing embedded Adobe Flash .SWF files,": [[184, 263]], "Vulnerability: exploit Flash vulnerabilities": [[276, 305]], "System: Microsoft Word.": [[318, 333]]}, "info": {"id": "cyner2_8class_test_01543", "source": "cyner2_8class_test"}} {"text": "A few days later, security teams overseas claimed that this incident was related to the BlackEnergy trojan and some malicious code samples had been acquired and analyzed.", "spans": {"Date: few days later,": [[2, 17]], "Organization: security teams overseas": [[18, 41]], "Indicator: incident": [[60, 68]], "ThreatActor: BlackEnergy": [[88, 99]], "Malware: trojan": [[100, 106]], "Malware: malicious code samples": [[116, 138]]}, "info": {"id": "cyner2_8class_test_01544", "source": "cyner2_8class_test"}} {"text": "This matches our observations of C2 servers as shown in Figure 7 .", "spans": {}, "info": {"id": "cyner2_8class_test_01545", "source": "cyner2_8class_test"}} {"text": "Brazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to focus their efforts in new areas, including ransomware.", "spans": {"ThreatActor: Brazilian cybercriminals": [[0, 24]], "Malware: develop banking trojans": [[60, 83]], "Malware: ransomware.": [[157, 168]]}, "info": {"id": "cyner2_8class_test_01546", "source": "cyner2_8class_test"}} {"text": "When rooting fails , a second component delivers a fake system update notification in hopes of tricking users into granting HummingBad system-level permissions .", "spans": {"Malware: HummingBad": [[124, 134]]}, "info": {"id": "cyner2_8class_test_01547", "source": "cyner2_8class_test"}} {"text": "When all the necessary card details are entered and have been checked , all the information is uploaded to the C & C .", "spans": {}, "info": {"id": "cyner2_8class_test_01548", "source": "cyner2_8class_test"}} {"text": "In that case , the only help comes from an antivirus solution , for example , 
Kaspersky Internet Security for Android .", "spans": {"System: Kaspersky Internet Security": [[78, 105]], "System: Android": [[110, 117]]}, "info": {"id": "cyner2_8class_test_01549", "source": "cyner2_8class_test"}} {"text": "The developer simply has to register and receive a unique ID for his applications .", "spans": {}, "info": {"id": "cyner2_8class_test_01550", "source": "cyner2_8class_test"}} {"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01551", "source": "cyner2_8class_test"}} {"text": "In early July 2015, Chinese APT actors used an Adobe Flash Player exploit within a specific webpage detailing a noteworthy international legal case between the Philippines and China.", "spans": {"Date: early July 2015,": [[3, 19]], "ThreatActor: Chinese APT actors": [[20, 38]], "System: Adobe Flash Player": [[47, 65]], "Malware: exploit": [[66, 73]], "Indicator: specific webpage": [[83, 99]], "Location: Philippines": [[160, 171]], "Location: China.": [[176, 182]]}, "info": {"id": "cyner2_8class_test_01552", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Kryptik.eumbqf Trojan.Trick.45153 W32/Trojan.CBMR-6295 TR/Crypt.ZPACK.zookg Trojan.Symmi.D1340B Trojan/Win32.Mansabo.R210617 Trj/GdSda.A Win32.Trojan.Graftor.Lhdi Trojan.Win32.Crypt W32/Kryptik.FXWW!tr Win32/Trojan.dbf", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Win32.Kryptik.eumbqf": [[69, 96]], "Indicator: Trojan.Trick.45153": [[97, 115]], "Indicator: W32/Trojan.CBMR-6295": [[116, 136]], "Indicator: TR/Crypt.ZPACK.zookg": [[137, 157]], "Indicator: Trojan.Symmi.D1340B": [[158, 177]], "Indicator: Trojan/Win32.Mansabo.R210617": [[178, 206]], "Indicator: Trj/GdSda.A": [[207, 218]], "Indicator: Win32.Trojan.Graftor.Lhdi": [[219, 244]], "Indicator: Trojan.Win32.Crypt": [[245, 263]], "Indicator: W32/Kryptik.FXWW!tr": [[264, 283]], "Indicator: 
Win32/Trojan.dbf": [[284, 300]]}, "info": {"id": "cyner2_8class_test_01553", "source": "cyner2_8class_test"}} {"text": "Figure 12 : Boot module After the patch module is extracted , the “ boot ” module executes it , using the same method described in the “ loader ” module .", "spans": {}, "info": {"id": "cyner2_8class_test_01554", "source": "cyner2_8class_test"}} {"text": "The Trojan can also leverage keylogging to broaden the attack scope .", "spans": {}, "info": {"id": "cyner2_8class_test_01555", "source": "cyner2_8class_test"}} {"text": "The system verifies the signature of the legitimate file while installing the malicious file .", "spans": {}, "info": {"id": "cyner2_8class_test_01556", "source": "cyner2_8class_test"}} {"text": "Other MacOS targeting activities reveal continuous refinement of AppleJeus, a MacOS backdoor developed by ITG03, complete with fake website to legitimize itself.", "spans": {"System: MacOS": [[6, 11], [78, 83]], "Malware: AppleJeus,": [[65, 75]], "Malware: backdoor": [[84, 92]], "ThreatActor: ITG03,": [[106, 112]], "Indicator: fake website": [[127, 139]]}, "info": {"id": "cyner2_8class_test_01557", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Dzan.A Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/SillyAutorun.ADC Trojan.MulDrop2.16084 BehavesLike.Win32.Virus.ct W32/Dzan.C Trojan:Win32/Obvesa.A Win32/Dzan.E Virus.Obvesa.24905 Virus.Win32.Dzan.ac Win32/Trojan.aca", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Dzan.A": [[26, 36]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9997": [[37, 79]], "Indicator: Win32/SillyAutorun.ADC": [[80, 102]], "Indicator: Trojan.MulDrop2.16084": [[103, 124]], "Indicator: BehavesLike.Win32.Virus.ct": [[125, 151]], "Indicator: W32/Dzan.C": [[152, 162]], "Indicator: Trojan:Win32/Obvesa.A": [[163, 184]], "Indicator: Win32/Dzan.E": [[185, 197]], "Indicator: Virus.Obvesa.24905": [[198, 216]], "Indicator: Virus.Win32.Dzan.ac": [[217, 236]], "Indicator: 
Win32/Trojan.aca": [[237, 253]]}, "info": {"id": "cyner2_8class_test_01558", "source": "cyner2_8class_test"}} {"text": "SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", "spans": {"Malware: SpyDealer": [[0, 9]], "Malware: exploits": [[15, 23]], "System: commercial rooting app": [[31, 53]], "Vulnerability: root privilege,": [[62, 77]], "Indicator: subsequent data theft.": [[96, 118]]}, "info": {"id": "cyner2_8class_test_01559", "source": "cyner2_8class_test"}} {"text": "Analysis of this telemetry shows infected devices are completely based in Gaza , Palestine .", "spans": {}, "info": {"id": "cyner2_8class_test_01560", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Yakes.Win32.67751 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Snojan.ccyy Trojan.Win32.Yakes.exngmv Troj.Crypt.Xpack!c Trojan.Ssebot.2 BehavesLike.Win32.Dropper.tc Trojan.Yakes.yvk Trojan/Win32.Yakes Spammer:Win32/Morphisil.A Trojan.Win32.Snojan.ccyy Trojan/Win32.Yakes.C2388388 Trojan.Win32.Krypt W32/Kryptik.EYUI!tr Trj/GdSda.A Win32/Trojan.6c1", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Yakes.Win32.67751": [[26, 50]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[51, 93]], "Indicator: Trojan.Win32.Snojan.ccyy": [[94, 118], [271, 295]], "Indicator: Trojan.Win32.Yakes.exngmv": [[119, 144]], "Indicator: Troj.Crypt.Xpack!c": [[145, 163]], "Indicator: Trojan.Ssebot.2": [[164, 179]], "Indicator: BehavesLike.Win32.Dropper.tc": [[180, 208]], "Indicator: Trojan.Yakes.yvk": [[209, 225]], "Indicator: Trojan/Win32.Yakes": [[226, 244]], "Indicator: Spammer:Win32/Morphisil.A": [[245, 270]], "Indicator: Trojan/Win32.Yakes.C2388388": [[296, 323]], "Indicator: Trojan.Win32.Krypt": [[324, 342]], "Indicator: W32/Kryptik.EYUI!tr": [[343, 362]], "Indicator: Trj/GdSda.A": [[363, 374]], "Indicator: Win32/Trojan.6c1": [[375, 391]]}, "info": {"id": "cyner2_8class_test_01561", "source": 
"cyner2_8class_test"}} {"text": "While adware is usually considered annoying for users and relatively harmless to enterprise security, the adware campaigns we've seen since the beginning of 2016 behave more like advanced network threats.", "spans": {"Malware: adware": [[6, 12]], "Organization: users": [[48, 53]], "Organization: to enterprise security,": [[78, 101]], "ThreatActor: the adware campaigns": [[102, 122]], "Date: 2016": [[157, 161]], "Malware: advanced network threats.": [[179, 204]]}, "info": {"id": "cyner2_8class_test_01562", "source": "cyner2_8class_test"}} {"text": "In the run up to the French election runoff between Emmanuel Macron and Marine Le Pen, ThreatConnect reviews intelligence suggesting domains spoofing Macron's En-Marche.fr website are associated with Russian cyber activity.", "spans": {"Organization: the French election": [[17, 36]], "Organization: Emmanuel Macron": [[52, 67]], "Organization: Marine Le Pen,": [[72, 86]], "Organization: ThreatConnect": [[87, 100]], "Indicator: domains spoofing Macron's En-Marche.fr website": [[133, 179]], "ThreatActor: Russian cyber activity.": [[200, 223]]}, "info": {"id": "cyner2_8class_test_01563", "source": "cyner2_8class_test"}} {"text": "We have also been tracking an actor experimenting with various loaders, providing insights into these evolving components of malware ecosystems.", "spans": {"ThreatActor: actor": [[30, 35]], "Malware: loaders,": [[63, 71]], "Malware: malware ecosystems.": [[125, 144]]}, "info": {"id": "cyner2_8class_test_01564", "source": "cyner2_8class_test"}} {"text": "Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.", "spans": {"Organization: media,": [[24, 30]], "Indicator: attacks": [[35, 42]], "ThreatActor: BlackEnergy": [[67, 78]], "Malware: Trojans": [[79, 86]], "Malware: modules.": [[110, 118]]}, "info": {"id": "cyner2_8class_test_01565", "source": "cyner2_8class_test"}} {"text": "The callee then invokes 
the getAction method to get the decrypted content .", "spans": {}, "info": {"id": "cyner2_8class_test_01566", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom.Enigma.A7 Ransom_Eniqma.R002C0DA118 W32/Trojan.LKZC-7910 Ransom.Enigma!gm Ransom_Eniqma.R002C0DA118 Win32.Trojan-Ransom.Enigma.A Trojan.Win32.Encoder.ewphil Trojan.Win32.Z.Zusy.537088.HH Trojan.Encoder.4462 BehavesLike.Win32.AdwareConvertAd.hh Trojan.Crynigma.a TR/FileCoder.udtur Trojan[Ransom]/Win32.Crypmod Trojan.Zusy.D2EDC9 Ransom:Win32/Eniqma.A Trojan/Win32.Coverton.C1407984 Trojan-Ransom.FileCoder Win32/Trojan.808", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom.Enigma.A7": [[26, 42]], "Indicator: Ransom_Eniqma.R002C0DA118": [[43, 68], [107, 132]], "Indicator: W32/Trojan.LKZC-7910": [[69, 89]], "Indicator: Ransom.Enigma!gm": [[90, 106]], "Indicator: Win32.Trojan-Ransom.Enigma.A": [[133, 161]], "Indicator: Trojan.Win32.Encoder.ewphil": [[162, 189]], "Indicator: Trojan.Win32.Z.Zusy.537088.HH": [[190, 219]], "Indicator: Trojan.Encoder.4462": [[220, 239]], "Indicator: BehavesLike.Win32.AdwareConvertAd.hh": [[240, 276]], "Indicator: Trojan.Crynigma.a": [[277, 294]], "Indicator: TR/FileCoder.udtur": [[295, 313]], "Indicator: Trojan[Ransom]/Win32.Crypmod": [[314, 342]], "Indicator: Trojan.Zusy.D2EDC9": [[343, 361]], "Indicator: Ransom:Win32/Eniqma.A": [[362, 383]], "Indicator: Trojan/Win32.Coverton.C1407984": [[384, 414]], "Indicator: Trojan-Ransom.FileCoder": [[415, 438]], "Indicator: Win32/Trojan.808": [[439, 455]]}, "info": {"id": "cyner2_8class_test_01567", "source": "cyner2_8class_test"}} {"text": "Various versions may also change the index of the split ( e.g .", "spans": {}, "info": {"id": "cyner2_8class_test_01568", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Troj.Undef.kcloud Win32/Scieron.F W32/Scieron.F", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Troj.Undef.kcloud": [[26, 49]], "Indicator: Win32/Scieron.F": [[50, 
65]], "Indicator: W32/Scieron.F": [[66, 79]]}, "info": {"id": "cyner2_8class_test_01569", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: VBS.DownLoader.1051 VBS/Downldr.HM VBS/Nemucod.391C!tr.dldr Trojan-Ransom.Script.GlobeImposter", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: VBS.DownLoader.1051": [[26, 45]], "Indicator: VBS/Downldr.HM": [[46, 60]], "Indicator: VBS/Nemucod.391C!tr.dldr": [[61, 85]], "Indicator: Trojan-Ransom.Script.GlobeImposter": [[86, 120]]}, "info": {"id": "cyner2_8class_test_01570", "source": "cyner2_8class_test"}} {"text": "] 11/xvideo/ hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[13, 38]]}, "info": {"id": "cyner2_8class_test_01571", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TROJ_GE.5C3C51AF Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.Kryptik.eljody Trojan.DownLoader23.49708 TR/Crypt.Xpack.341620 Trojan:Win32/Dacic.A!rfn Trj/CI.A Trojan.MSIL.Disfa Win32/Trojan.d7e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TROJ_GE.5C3C51AF": [[26, 42]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9933": [[43, 85]], "Indicator: Trojan.Win32.Kryptik.eljody": [[86, 113]], "Indicator: Trojan.DownLoader23.49708": [[114, 139]], "Indicator: TR/Crypt.Xpack.341620": [[140, 161]], "Indicator: Trojan:Win32/Dacic.A!rfn": [[162, 186]], "Indicator: Trj/CI.A": [[187, 195]], "Indicator: Trojan.MSIL.Disfa": [[196, 213]], "Indicator: Win32/Trojan.d7e": [[214, 230]]}, "info": {"id": "cyner2_8class_test_01572", "source": "cyner2_8class_test"}} {"text": "Indicators of Compromise ( IoCs ) hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains 
in the cybercrime arena in 2019 .", "spans": {"Indicator: hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c": [[34, 85]], "Indicator: 5c749c9fce8c41bf6bcc9bd8a691621b": [[99, 131]], "Indicator: 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c": [[141, 205]], "Indicator: b264af5d2f3390e465052ab502b0726d": [[212, 244]], "Indicator: 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6": [[254, 318]], "Malware: TrickMo": [[323, 330]], "Malware: TrickBot Trojan": [[342, 357]]}, "info": {"id": "cyner2_8class_test_01573", "source": "cyner2_8class_test"}} {"text": "After performing a fraudulent action , stealing the OTP/mTAN , TrickMo buys some time by activating the lock screen and preventing the user from accessing their device .", "spans": {"Malware: TrickMo": [[63, 70]]}, "info": {"id": "cyner2_8class_test_01574", "source": "cyner2_8class_test"}} {"text": "] today PHA Family Highlights : Zen and its cousins January 11 , 2019 Google Play Protect detects Potentially Harmful Applications ( PHAs ) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as \" malware .", "spans": {"Malware: Zen": [[32, 35]], "System: Google Play Protect": [[70, 89], [146, 165]]}, "info": {"id": "cyner2_8class_test_01575", "source": "cyner2_8class_test"}} {"text": "A new type of botnet malware written in the Go programming language is active and targets web servers, according to researchers at Palo Alto Networks, who have recently discovered a sample of Go-based malware.", "spans": {"Malware: botnet malware": [[14, 28]], "System: the Go programming language": [[40, 67]], "System: web servers,": [[90, 102]], "Organization: researchers": [[116, 127]], "Organization: Palo Alto Networks,": [[131, 150]], "Malware: Go-based malware.": [[192, 209]]}, "info": {"id": "cyner2_8class_test_01576", "source": "cyner2_8class_test"}} {"text": "Javascript RAT mostly targeting Brazilian users.", 
"spans": {"Malware: Javascript RAT": [[0, 14]], "Organization: Brazilian users.": [[32, 48]]}, "info": {"id": "cyner2_8class_test_01577", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Downloader.Ponik Backdoor.Win32.Kasidet.fmc BehavesLike.Win32.Trojan.cc Trojan.MSIL.Crypt TR/Dropper.MSIL.owbdk Trojan[Backdoor]/Win32.Kasidet Trojan:Win32/Raybel.A!bit Backdoor.Win32.Kasidet.fmc Win32.Backdoor.Kasidet.Ecan Win32/Backdoor.e94", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Downloader.Ponik": [[26, 42]], "Indicator: Backdoor.Win32.Kasidet.fmc": [[43, 69], [195, 221]], "Indicator: BehavesLike.Win32.Trojan.cc": [[70, 97]], "Indicator: Trojan.MSIL.Crypt": [[98, 115]], "Indicator: TR/Dropper.MSIL.owbdk": [[116, 137]], "Indicator: Trojan[Backdoor]/Win32.Kasidet": [[138, 168]], "Indicator: Trojan:Win32/Raybel.A!bit": [[169, 194]], "Indicator: Win32.Backdoor.Kasidet.Ecan": [[222, 249]], "Indicator: Win32/Backdoor.e94": [[250, 268]]}, "info": {"id": "cyner2_8class_test_01578", "source": "cyner2_8class_test"}} {"text": "Sakula enables an adversary to run interactive commands as well as to download and execute additional components.", "spans": {"Malware: Sakula": [[0, 6]]}, "info": {"id": "cyner2_8class_test_01579", "source": "cyner2_8class_test"}} {"text": "Background Uncovering PHAs takes a lot of detective work and unraveling the mystery of how they 're possibly connected to other apps takes even more .", "spans": {}, "info": {"id": "cyner2_8class_test_01580", "source": "cyner2_8class_test"}} {"text": "The packaged application is dropped silently onto the device but has to ask the user to actually install it.", "spans": {"System: packaged application": [[4, 24]], "System: device": [[54, 60]]}, "info": {"id": "cyner2_8class_test_01581", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Ransom_HPCRYPMIC.SM3 Ransom.CryptXXX!g6 Ransom_HPCRYPMIC.SM3 BehavesLike.Win32.Downloader.gc Trojan.Win32.Crypt TR/ATRAPS.buwr 
Ransom:Win32/Exxroute.E Trojan/Win32.CryptXXX.R184950 Trojan.Ransom.CryptXXX Trojan.MalPack Trojan.Symmi.D1070E", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Ransom_HPCRYPMIC.SM3": [[26, 46], [66, 86]], "Indicator: Ransom.CryptXXX!g6": [[47, 65]], "Indicator: BehavesLike.Win32.Downloader.gc": [[87, 118]], "Indicator: Trojan.Win32.Crypt": [[119, 137]], "Indicator: TR/ATRAPS.buwr": [[138, 152]], "Indicator: Ransom:Win32/Exxroute.E": [[153, 176]], "Indicator: Trojan/Win32.CryptXXX.R184950": [[177, 206]], "Indicator: Trojan.Ransom.CryptXXX": [[207, 229]], "Indicator: Trojan.MalPack": [[230, 244]], "Indicator: Trojan.Symmi.D1070E": [[245, 264]]}, "info": {"id": "cyner2_8class_test_01582", "source": "cyner2_8class_test"}} {"text": "Dynamic overlays When victims open up a targeted app , Marcher smoothly displays an overlay , a customized WebView , looks in its application preferences ( main_prefs.xml ) and decides which specified URL is needed for the targeted app .", "spans": {"Malware: Marcher": [[55, 62]]}, "info": {"id": "cyner2_8class_test_01583", "source": "cyner2_8class_test"}} {"text": "TO DECRYPT FILES, PLEASE, CONTACT US WRITING ON THIS EMAIL: headlessbuild@india.com", "spans": {"Indicator: TO DECRYPT FILES, PLEASE, CONTACT US WRITING ON THIS EMAIL: headlessbuild@india.com": [[0, 83]]}, "info": {"id": "cyner2_8class_test_01584", "source": "cyner2_8class_test"}} {"text": "A backdoor targetting Linux also known as: Linux.Trojan.Turla.A ELF/Trojan.SKID-4 Linux.Turla Linux/Turla.B ELF_TURLA.A Linux.Trojan.Turla.A Trojan.Unix.Turla.ebdolr Backdoor.Linux.Turla!c Linux.Backdoor.Turla.Ajbi Linux.Trojan.Turla.A Backdoor:Linux/Turla.A Linux.BackDoor.Turla.2 Trojan.Turla.Linux.1 ELF_TURLA.A Backdoor.Linux.vp LINUX/Turla.wqxdp Linux.Trojan.Turla.A Backdoor:Linux/Turla.A Linux/Backdoor.801561 Linux.Trojan.Turla.A Trojan.Linux.Turla Linux.Trojan.Turla.A Linux/Turla.B", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Linux.Trojan.Turla.A": [[43, 63], [120, 
140], [215, 235], [351, 371], [417, 437], [457, 477]], "Indicator: ELF/Trojan.SKID-4": [[64, 81]], "Indicator: Linux.Turla": [[82, 93]], "Indicator: Linux/Turla.B": [[94, 107], [478, 491]], "Indicator: ELF_TURLA.A": [[108, 119], [303, 314]], "Indicator: Trojan.Unix.Turla.ebdolr": [[141, 165]], "Indicator: Backdoor.Linux.Turla!c": [[166, 188]], "Indicator: Linux.Backdoor.Turla.Ajbi": [[189, 214]], "Indicator: Backdoor:Linux/Turla.A": [[236, 258], [372, 394]], "Indicator: Linux.BackDoor.Turla.2": [[259, 281]], "Indicator: Trojan.Turla.Linux.1": [[282, 302]], "Indicator: Backdoor.Linux.vp": [[315, 332]], "Indicator: LINUX/Turla.wqxdp": [[333, 350]], "Indicator: Linux/Backdoor.801561": [[395, 416]], "Indicator: Trojan.Linux.Turla": [[438, 456]]}, "info": {"id": "cyner2_8class_test_01585", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.VBKrypt.2tPS.Trojan Trojan.Win32.VBKrypt!O Trojan.EyeStye PWS-Spyeye.el Troj.W32.VBKrypt.toSU Trojan/Injector.eyu Trojan.ManBat.1 HT_EYESTYE_GE05002C.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9961 HT_EYESTYE_GE05002C.UVPM Win.Trojan.Vbkrypt-10134 Trojan.Win32.VBKrypt.cgnr Trojan.Win32.Stealer.eaiffn Trojan.Win32.A.VBKrypt.295936.G TrojWare.Win32.VBKrypt.cjub Trojan.PWS.Stealer.379 Trojan.VBKrypt.Win32.80508 BehavesLike.Win32.PWSSpyeye.dc Trojan.Win32.VBKrypt Trojan.VBKrypt.pmn TR/BAS.Samca.2207880 Win32.Troj.VBKrypt.kcloud Trojan.Win32.VBKrypt.cgnr Trojan/Win32.VBKrypt.C47082 SScope.Malware-Cryptor.VBCR.1841 Trojan.VBKrypt!CruzV+TB6eI W32/Injector.MQI!tr Win32/Trojan.script.56b", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.VBKrypt.2tPS.Trojan": [[26, 49]], "Indicator: Trojan.Win32.VBKrypt!O": [[50, 72]], "Indicator: Trojan.EyeStye": [[73, 87]], "Indicator: PWS-Spyeye.el": [[88, 101]], "Indicator: Troj.W32.VBKrypt.toSU": [[102, 123]], "Indicator: Trojan/Injector.eyu": [[124, 143]], "Indicator: Trojan.ManBat.1": [[144, 159]], "Indicator: HT_EYESTYE_GE05002C.UVPM": [[160, 184], [228, 252]], 
"Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9961": [[185, 227]], "Indicator: Win.Trojan.Vbkrypt-10134": [[253, 277]], "Indicator: Trojan.Win32.VBKrypt.cgnr": [[278, 303], [560, 585]], "Indicator: Trojan.Win32.Stealer.eaiffn": [[304, 331]], "Indicator: Trojan.Win32.A.VBKrypt.295936.G": [[332, 363]], "Indicator: TrojWare.Win32.VBKrypt.cjub": [[364, 391]], "Indicator: Trojan.PWS.Stealer.379": [[392, 414]], "Indicator: Trojan.VBKrypt.Win32.80508": [[415, 441]], "Indicator: BehavesLike.Win32.PWSSpyeye.dc": [[442, 472]], "Indicator: Trojan.Win32.VBKrypt": [[473, 493]], "Indicator: Trojan.VBKrypt.pmn": [[494, 512]], "Indicator: TR/BAS.Samca.2207880": [[513, 533]], "Indicator: Win32.Troj.VBKrypt.kcloud": [[534, 559]], "Indicator: Trojan/Win32.VBKrypt.C47082": [[586, 613]], "Indicator: SScope.Malware-Cryptor.VBCR.1841": [[614, 646]], "Indicator: Trojan.VBKrypt!CruzV+TB6eI": [[647, 673]], "Indicator: W32/Injector.MQI!tr": [[674, 693]], "Indicator: Win32/Trojan.script.56b": [[694, 717]]}, "info": {"id": "cyner2_8class_test_01586", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Trojan.StartPage.Win32.11288 Trojan/Dropper.Mudrop.vle Trojan-Clicker.Win32.Iedriver.a Trojan.Win32.Mudrop.demyl Trojan.MulDrop3.201 Trojan/StartPage.ize Trojan-Clicker.Win32.Iedriver.a Trojan.DR.Mudrop!xzqlDC4rTJk Trojan.Win32.StartPage", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan-Dropper.Win32.Mudrop!O": [[26, 55]], "Indicator: Trojan.StartPage.Win32.11288": [[56, 84]], "Indicator: Trojan/Dropper.Mudrop.vle": [[85, 110]], "Indicator: Trojan-Clicker.Win32.Iedriver.a": [[111, 142], [210, 241]], "Indicator: Trojan.Win32.Mudrop.demyl": [[143, 168]], "Indicator: Trojan.MulDrop3.201": [[169, 188]], "Indicator: Trojan/StartPage.ize": [[189, 209]], "Indicator: Trojan.DR.Mudrop!xzqlDC4rTJk": [[242, 270]], "Indicator: Trojan.Win32.StartPage": [[271, 293]]}, "info": {"id": "cyner2_8class_test_01587", "source": "cyner2_8class_test"}} 
{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner2_8class_test_01588", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Trojan.EWSM-6788 TrojanDownloader:Win32/Tipikit.D Heur.Trojan.Hlux Trj/GdSda.A Win32.Trojan.Atraps.Swud Trojan.Win32.Rozena W32/Tiny.NNB!tr Win32/Trojan.5a2", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Trojan.EWSM-6788": [[26, 46]], "Indicator: TrojanDownloader:Win32/Tipikit.D": [[47, 79]], "Indicator: Heur.Trojan.Hlux": [[80, 96]], "Indicator: Trj/GdSda.A": [[97, 108]], "Indicator: Win32.Trojan.Atraps.Swud": [[109, 133]], "Indicator: Trojan.Win32.Rozena": [[134, 153]], "Indicator: W32/Tiny.NNB!tr": [[154, 169]], "Indicator: Win32/Trojan.5a2": [[170, 186]]}, "info": {"id": "cyner2_8class_test_01589", "source": "cyner2_8class_test"}} {"text": "Machine learning in Windows Defender ATP further flags suspicious behaviors observed related to the manipulation of legitimate Windows binaries .", "spans": {"System: Windows Defender ATP": [[20, 40]], "System: Windows": [[127, 134]]}, "info": {"id": "cyner2_8class_test_01590", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win32.StartPage.qrmpv Trojan.StartPage.47270 BehavesLike.Win32.BadFile.tc Trojan.Win32.StartPage Trojan:Win32/BootInstal.A!dll TScope.Trojan.Delf Trj/CI.A Win32.Trojan.Startpage.ddff Trojan.StartPage!We+P27yFUb0 Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win32.StartPage.qrmpv": [[26, 54]], "Indicator: Trojan.StartPage.47270": [[55, 77]], "Indicator: BehavesLike.Win32.BadFile.tc": [[78, 106]], "Indicator: Trojan.Win32.StartPage": [[107, 129]], "Indicator: Trojan:Win32/BootInstal.A!dll": [[130, 159]], "Indicator: TScope.Trojan.Delf": [[160, 178]], "Indicator: Trj/CI.A": [[179, 187]], "Indicator: Win32.Trojan.Startpage.ddff": [[188, 215]], "Indicator: Trojan.StartPage!We+P27yFUb0": [[216, 244]], "Indicator: Win32/Trojan.b7f": [[245, 261]]}, "info": {"id": 
"cyner2_8class_test_01591", "source": "cyner2_8class_test"}} {"text": "Recently we came across a new variant of the malware ServStart.", "spans": {"Malware: a new variant": [[24, 37]], "Malware: the malware ServStart.": [[41, 63]]}, "info": {"id": "cyner2_8class_test_01592", "source": "cyner2_8class_test"}} {"text": "http : //www.himobilephone [ .", "spans": {"Indicator: http : //www.himobilephone [ .": [[0, 30]]}, "info": {"id": "cyner2_8class_test_01593", "source": "cyner2_8class_test"}} {"text": "This article attempts to detail this variant.", "spans": {}, "info": {"id": "cyner2_8class_test_01594", "source": "cyner2_8class_test"}} {"text": "Her looks almost certainly helped her apparent popularity.", "spans": {}, "info": {"id": "cyner2_8class_test_01595", "source": "cyner2_8class_test"}} {"text": "A Chinese threat group, known as ChinaZ, is using malware to target poorly managed Linux servers and IoT systems, according to AhnLab Security Emergency Response Center ASEC in Seoul.", "spans": {"ThreatActor: Chinese threat group,": [[2, 23]], "ThreatActor: ChinaZ,": [[33, 40]], "Malware: malware": [[50, 57]], "System: Linux servers": [[83, 96]], "System: IoT systems,": [[101, 113]], "Organization: AhnLab Security Emergency Response Center ASEC": [[127, 173]], "Location: Seoul.": [[177, 183]]}, "info": {"id": "cyner2_8class_test_01596", "source": "cyner2_8class_test"}} {"text": "It can also remotely lock infected Android devices, encrypt the user's files in external storage e.g., SD card, and then ask for a U.S. $100 PayPal cash card as ransom.", "spans": {"Indicator: remotely lock": [[12, 25]], "System: Android devices,": [[35, 51]], "Indicator: encrypt": [[52, 59]], "Indicator: U.S. 
$100 PayPal cash card as ransom.": [[131, 168]]}, "info": {"id": "cyner2_8class_test_01597", "source": "cyner2_8class_test"}} {"text": "A backdoor targetting Linux also known as: Tool.Shark.Linux.1 Hacktool.Linux.Shark!c HackTool.Linux.Shark.a Trojan.Unix.Shark.ewyskc Tool.Shark ELF/Trojan.QXQM-0 HackTool.Linux.z SPR/LNX.Shark.osieo HackTool.Linux.Shark.a Linux.Hacktool.Shark.Hqlw W32/HTShark.A!tr Win32/Trojan.173", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Tool.Shark.Linux.1": [[43, 61]], "Indicator: Hacktool.Linux.Shark!c": [[62, 84]], "Indicator: HackTool.Linux.Shark.a": [[85, 107], [199, 221]], "Indicator: Trojan.Unix.Shark.ewyskc": [[108, 132]], "Indicator: Tool.Shark": [[133, 143]], "Indicator: ELF/Trojan.QXQM-0": [[144, 161]], "Indicator: HackTool.Linux.z": [[162, 178]], "Indicator: SPR/LNX.Shark.osieo": [[179, 198]], "Indicator: Linux.Hacktool.Shark.Hqlw": [[222, 247]], "Indicator: W32/HTShark.A!tr": [[248, 264]], "Indicator: Win32/Trojan.173": [[265, 281]]}, "info": {"id": "cyner2_8class_test_01598", "source": "cyner2_8class_test"}} {"text": "Trojan.Win32.Banker.NWT is a Trojan that targets the Windows platform.", "spans": {"Indicator: Trojan.Win32.Banker.NWT": [[0, 23]], "Malware: Trojan": [[29, 35]], "System: Windows platform.": [[53, 70]]}, "info": {"id": "cyner2_8class_test_01599", "source": "cyner2_8class_test"}} {"text": "The attackers are also hijacking the device camera to take pictures .", "spans": {}, "info": {"id": "cyner2_8class_test_01600", "source": "cyner2_8class_test"}} {"text": "In other words , TrickMo ’ s service will start either after the device becomes interactive or after a new SMS message is received .", "spans": {"Malware: TrickMo": [[17, 24]]}, "info": {"id": "cyner2_8class_test_01601", "source": "cyner2_8class_test"}} {"text": "It is an invaluable source of intelligence about a given campaign .. 
The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot .", "spans": {"Malware: Red Alert code": [[241, 255]]}, "info": {"id": "cyner2_8class_test_01602", "source": "cyner2_8class_test"}} {"text": "Since the release of the ETERNALBLUE exploit by The Shadow Brokers' last month security researchers have been watching for a mass attack on global networks.", "spans": {"Malware: ETERNALBLUE exploit": [[25, 44]], "ThreatActor: The Shadow Brokers'": [[48, 67]], "Date: last month": [[68, 78]], "Organization: security researchers": [[79, 99]], "Indicator: mass attack": [[125, 136]], "Organization: global networks.": [[140, 156]]}, "info": {"id": "cyner2_8class_test_01603", "source": "cyner2_8class_test"}} {"text": "The person or persons behind the attempted monitoring appear to have run other surveillance operations involving various locations throughout South America, at least one apparently targeting a rabble-rousing Argentine journalist.", "spans": {"ThreatActor: person": [[4, 10]], "ThreatActor: persons": [[14, 21]], "Location: South America,": [[142, 156]], "Malware: at": [[157, 159]], "Organization: rabble-rousing Argentine journalist.": [[193, 229]]}, "info": {"id": "cyner2_8class_test_01604", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Win64.PSW TR/Hitbrovi.vjxdb Win32/Trojan.Adware.37e", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Win64.PSW": [[26, 42]], "Indicator: TR/Hitbrovi.vjxdb": [[43, 60]], "Indicator: Win32/Trojan.Adware.37e": [[61, 84]]}, "info": {"id": "cyner2_8class_test_01605", "source": "cyner2_8class_test"}} {"text": "] 923915 [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01606", "source": "cyner2_8class_test"}} {"text": "Grabbing the Screen PIN with Support for Samsung Devices Version 
0.3.0.1 added an ~800 line long method called grabScreenPin , which uses accessibility features to track pin code changes in the device ’ s settings .", "spans": {"Organization: Samsung": [[41, 48]]}, "info": {"id": "cyner2_8class_test_01607", "source": "cyner2_8class_test"}} {"text": "However, within six months the malicious actors added the capability to infect iOS devices.", "spans": {"Date: six months": [[16, 26]], "ThreatActor: malicious actors": [[31, 47]], "System: iOS devices.": [[79, 91]]}, "info": {"id": "cyner2_8class_test_01608", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TSPY_HUNTPOS.SMB Trojan.Huntpos!g1 TSPY_HUNTPOS.SMB Trojan.Win32.Fakealert.exludw Trojan.Win32.Z.Treasurehunter.80896.B Trojan.Fakealert.origin BehavesLike.Win32.Trojan.lm TR/RedCap.rghtn TrojanDropper:Win32/Randrew.A!bit Spyware/Win32.Huntpos.C1261817 W32/Kryptik.1600!tr Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TSPY_HUNTPOS.SMB": [[26, 42], [61, 77]], "Indicator: Trojan.Huntpos!g1": [[43, 60]], "Indicator: Trojan.Win32.Fakealert.exludw": [[78, 107]], "Indicator: Trojan.Win32.Z.Treasurehunter.80896.B": [[108, 145]], "Indicator: Trojan.Fakealert.origin": [[146, 169]], "Indicator: BehavesLike.Win32.Trojan.lm": [[170, 197]], "Indicator: TR/RedCap.rghtn": [[198, 213]], "Indicator: TrojanDropper:Win32/Randrew.A!bit": [[214, 247]], "Indicator: Spyware/Win32.Huntpos.C1261817": [[248, 278]], "Indicator: W32/Kryptik.1600!tr": [[279, 298]], "Indicator: Trj/GdSda.A": [[299, 310]]}, "info": {"id": "cyner2_8class_test_01609", "source": "cyner2_8class_test"}} {"text": "We have covered Angler previously, such as the discussion of domain shadowing.", "spans": {"Malware: Angler": [[16, 22]], "Indicator: domain shadowing.": [[61, 78]]}, "info": {"id": "cyner2_8class_test_01610", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.Virut.G BehavesLikeWin32.FileInfector!IK W32/Virut.BV Win32/Virut.bn Win32.Virut.AM 
Virus.Win32.Virut.X5 Harm.Win32.Autorun.c BehavesLikeWin32.FileInfector W32/Virut.CE W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.Virut.G": [[26, 37]], "Indicator: BehavesLikeWin32.FileInfector!IK": [[38, 70]], "Indicator: W32/Virut.BV": [[71, 83]], "Indicator: Win32/Virut.bn": [[84, 98]], "Indicator: Win32.Virut.AM": [[99, 113]], "Indicator: Virus.Win32.Virut.X5": [[114, 134]], "Indicator: Harm.Win32.Autorun.c": [[135, 155]], "Indicator: BehavesLikeWin32.FileInfector": [[156, 185]], "Indicator: W32/Virut.CE": [[186, 198]], "Indicator: W32/Sality.AO": [[199, 212]]}, "info": {"id": "cyner2_8class_test_01611", "source": "cyner2_8class_test"}} {"text": "The 2016 attack on Ukraine's power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack.", "spans": {"Date: 2016": [[4, 8]], "Indicator: attack": [[9, 15]], "Organization: Ukraine's power grid": [[19, 39]], "Location: Kiev,": [[75, 80]], "Date: for an hour": [[90, 101]], "Indicator: cyberattack.": [[118, 130]]}, "info": {"id": "cyner2_8class_test_01612", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32/Oledata!exploit.6402 Trojan.Dropper TROJ_MDROPPER.XC Trojan-Dropper.MSWord.1Table.bp Exploit.MSWord.CVE-2006-2492.bzzjba Exploit.Word.CVE-2006-2492 Exploit.CVE-2006-2492 TROJ_MDROPPER.XC TrojanDropper.MSWord.1Table.a MSWord/CVE20062492.fam!exploit Trojan-Dropper.MSWord.1Table.bp", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32/Oledata!exploit.6402": [[26, 50]], "Indicator: Trojan.Dropper": [[51, 65]], "Indicator: TROJ_MDROPPER.XC": [[66, 82], [200, 216]], "Indicator: Trojan-Dropper.MSWord.1Table.bp": [[83, 114], [278, 309]], "Indicator: Exploit.MSWord.CVE-2006-2492.bzzjba": [[115, 150]], "Indicator: Exploit.Word.CVE-2006-2492": [[151, 177]], "Indicator: Exploit.CVE-2006-2492": [[178, 199]], "Indicator: TrojanDropper.MSWord.1Table.a": [[217, 246]], "Indicator: MSWord/CVE20062492.fam!exploit": [[247, 277]]}, "info": 
{"id": "cyner2_8class_test_01613", "source": "cyner2_8class_test"}} {"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users .", "spans": {"Organization: BLU": [[0, 3]]}, "info": {"id": "cyner2_8class_test_01614", "source": "cyner2_8class_test"}} {"text": "With Cybereason Mobile , analysts can address mobile threats in the same platform as traditional endpoint threats , all as part of one incident .", "spans": {"System: Cybereason Mobile": [[5, 22]]}, "info": {"id": "cyner2_8class_test_01615", "source": "cyner2_8class_test"}} {"text": "Since most of the infrastructure used in the attack relies on cloud services, and the Trojan used is written in Python language, it is named Tengyun Snake.", "spans": {"System: infrastructure": [[18, 32]], "Indicator: attack": [[45, 51]], "System: cloud services,": [[62, 77]], "Malware: the Trojan": [[82, 92]], "System: Python language,": [[112, 128]], "ThreatActor: Tengyun Snake.": [[141, 155]]}, "info": {"id": "cyner2_8class_test_01616", "source": "cyner2_8class_test"}} {"text": "The Trojan download window Asacub masquerades under the guise of an MMS app or a client of a popular free ads service .", "spans": {"Malware: Asacub": [[27, 33]]}, "info": {"id": "cyner2_8class_test_01617", "source": "cyner2_8class_test"}} {"text": "RECEIVE_SMS - Allows the application to receive SMS messages .", "spans": {}, "info": {"id": "cyner2_8class_test_01618", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.RemoteHack.C Backdoor/W32.RemoteHack.569344 Backdoor.RemoteHack.C W32/Risk.KPAX-3182 Backdoor.Trojan BKDR_REMHACK.13 Backdoor.RemoteHack.C Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C Trojan.Win32.RemoteHack.gnoa Backdoor.RemoteHack.C Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C BackDoor.RemHack.13 Backdoor.RemoteHack.Win32.37 BKDR_REMHACK.13 Backdoor.Win32.RemoteHack Backdoor/RemoteHack.13 
Trojan[Backdoor]/Win32.RemoteHack Backdoor:Win32/RemoteHack.1_3 Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C TScope.Trojan.Delf Win32/VB.OLV Win32.Backdoor.Remotehack.Hoye Backdoor.RemoteHack!IKDTl0tZ3pY W32/RemoteHack.13!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.RemoteHack.C": [[26, 47], [79, 100], [152, 173], [203, 224], [254, 275], [305, 326], [534, 555]], "Indicator: Backdoor/W32.RemoteHack.569344": [[48, 78]], "Indicator: W32/Risk.KPAX-3182": [[101, 119]], "Indicator: Backdoor.Trojan": [[120, 135]], "Indicator: BKDR_REMHACK.13": [[136, 151], [376, 391]], "Indicator: Backdoor.Win32.RemoteHack.13": [[174, 202], [276, 304], [505, 533]], "Indicator: Trojan.Win32.RemoteHack.gnoa": [[225, 253]], "Indicator: BackDoor.RemHack.13": [[327, 346]], "Indicator: Backdoor.RemoteHack.Win32.37": [[347, 375]], "Indicator: Backdoor.Win32.RemoteHack": [[392, 417]], "Indicator: Backdoor/RemoteHack.13": [[418, 440]], "Indicator: Trojan[Backdoor]/Win32.RemoteHack": [[441, 474]], "Indicator: Backdoor:Win32/RemoteHack.1_3": [[475, 504]], "Indicator: TScope.Trojan.Delf": [[556, 574]], "Indicator: Win32/VB.OLV": [[575, 587]], "Indicator: Win32.Backdoor.Remotehack.Hoye": [[588, 618]], "Indicator: Backdoor.RemoteHack!IKDTl0tZ3pY": [[619, 650]], "Indicator: W32/RemoteHack.13!tr.bdr": [[651, 675]]}, "info": {"id": "cyner2_8class_test_01619", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: W32.StBotTenuA.Trojan Trojan.HorsumCS.S75593 Trojan/Horsum.c Win32.Trojan.Horsum.b TrojWare.Win32.Horsum.A Trojan:Win32/Horsum.B Trojan.Zusy.DEEE5 Win32/Horsum.C", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.StBotTenuA.Trojan": [[26, 47]], "Indicator: Trojan.HorsumCS.S75593": [[48, 70]], "Indicator: Trojan/Horsum.c": [[71, 86]], "Indicator: Win32.Trojan.Horsum.b": [[87, 108]], "Indicator: TrojWare.Win32.Horsum.A": [[109, 132]], "Indicator: Trojan:Win32/Horsum.B": [[133, 154]], "Indicator: Trojan.Zusy.DEEE5": [[155, 172]], "Indicator: 
Win32/Horsum.C": [[173, 187]]}, "info": {"id": "cyner2_8class_test_01620", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Steam.exmzim Trojan.PWS.Steam.1340 BehavesLike.Win32.Trojan.fc TR/Dropper.MSIL.vfmsq Trojan.Kazy.D8D397 Trojan:MSIL/BitcoinMiner.A Trojan/Win32.Kazy.C331514 Trj/GdSda.A Win32.Trojan.Kazy.Svhm Trojan.MSIL.Injector MSIL/Injector.IOF!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[26, 68]], "Indicator: Trojan.Win32.Steam.exmzim": [[69, 94]], "Indicator: Trojan.PWS.Steam.1340": [[95, 116]], "Indicator: BehavesLike.Win32.Trojan.fc": [[117, 144]], "Indicator: TR/Dropper.MSIL.vfmsq": [[145, 166]], "Indicator: Trojan.Kazy.D8D397": [[167, 185]], "Indicator: Trojan:MSIL/BitcoinMiner.A": [[186, 212]], "Indicator: Trojan/Win32.Kazy.C331514": [[213, 238]], "Indicator: Trj/GdSda.A": [[239, 250]], "Indicator: Win32.Trojan.Kazy.Svhm": [[251, 273]], "Indicator: Trojan.MSIL.Injector": [[274, 294]], "Indicator: MSIL/Injector.IOF!tr": [[295, 315]]}, "info": {"id": "cyner2_8class_test_01621", "source": "cyner2_8class_test"}} {"text": "An interesting Web site infection, this time affecting a Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake DivX plug-in Required! Facebook-themed Web page.", "spans": {"Indicator: Web site infection,": [[15, 34]], "System: Web server": [[57, 67]], "Organization: Turkish government,": [[85, 104]], "ThreatActor: cybercriminals": [[115, 129]], "ThreatActor: campaign": [[141, 149]], "Indicator: malware-serving fake DivX plug-in Required! 
Facebook-themed Web page.": [[166, 235]]}, "info": {"id": "cyner2_8class_test_01622", "source": "cyner2_8class_test"}} {"text": "It ’ s even possible to send log messages via SMS to the attacker ’ s number .", "spans": {}, "info": {"id": "cyner2_8class_test_01623", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: HW32.Packed.73FF Trojan.Hookmoota Trojan.Strictor.D26544 Win32.Application.PUPStudio.A Trojan.Win32.Blamon.bbg Trojan.Win32.Blamon.exrwow BackDoor.BlackMoon.15 BehavesLike.Win32.Downloader.rc Trojan[Packed]/Win32.Vemply Trojan.Win32.Blamon.bbg Rootkit.HideProc Trj/GdSda.A Win32.Trojan.Blamon.Tcwd", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: HW32.Packed.73FF": [[26, 42]], "Indicator: Trojan.Hookmoota": [[43, 59]], "Indicator: Trojan.Strictor.D26544": [[60, 82]], "Indicator: Win32.Application.PUPStudio.A": [[83, 112]], "Indicator: Trojan.Win32.Blamon.bbg": [[113, 136], [246, 269]], "Indicator: Trojan.Win32.Blamon.exrwow": [[137, 163]], "Indicator: BackDoor.BlackMoon.15": [[164, 185]], "Indicator: BehavesLike.Win32.Downloader.rc": [[186, 217]], "Indicator: Trojan[Packed]/Win32.Vemply": [[218, 245]], "Indicator: Rootkit.HideProc": [[270, 286]], "Indicator: Trj/GdSda.A": [[287, 298]], "Indicator: Win32.Trojan.Blamon.Tcwd": [[299, 323]]}, "info": {"id": "cyner2_8class_test_01624", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Lukicsel Backdoor.PePatch.Win32.4586 Win32.Trojan.Delf.hh W32/Trojan.AKPR-4713 Infostealer.Gampass Win32/Delfsnif.C TROJ_BCKDR.BH Trojan-Spy.Win32.Blaxblax.mp Trojan.Win32.Blaxblax.blctg Backdoor.Lukicsel Trojan.DownLoad.44012 TROJ_BCKDR.BH W32/Trojan2.HCWA Backdoor:Win32/Lukicsel.A Trojan.Win32.A.Blaxblax.399894 Trojan-Spy.Win32.Blaxblax.mp Win32/Delf.OKY Trojan.ATRAPS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Lukicsel": [[26, 41]], "Indicator: Backdoor.PePatch.Win32.4586": [[42, 69]], "Indicator: Win32.Trojan.Delf.hh": [[70, 90]], "Indicator: 
W32/Trojan.AKPR-4713": [[91, 111]], "Indicator: Infostealer.Gampass": [[112, 131]], "Indicator: Win32/Delfsnif.C": [[132, 148]], "Indicator: TROJ_BCKDR.BH": [[149, 162], [260, 273]], "Indicator: Trojan-Spy.Win32.Blaxblax.mp": [[163, 191], [348, 376]], "Indicator: Trojan.Win32.Blaxblax.blctg": [[192, 219]], "Indicator: Backdoor.Lukicsel": [[220, 237]], "Indicator: Trojan.DownLoad.44012": [[238, 259]], "Indicator: W32/Trojan2.HCWA": [[274, 290]], "Indicator: Backdoor:Win32/Lukicsel.A": [[291, 316]], "Indicator: Trojan.Win32.A.Blaxblax.399894": [[317, 347]], "Indicator: Win32/Delf.OKY": [[377, 391]], "Indicator: Trojan.ATRAPS": [[392, 405]]}, "info": {"id": "cyner2_8class_test_01625", "source": "cyner2_8class_test"}} {"text": "We also detected it in apps targeted toward specific Middle Eastern demographics .", "spans": {}, "info": {"id": "cyner2_8class_test_01626", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.Hacktool.Flood.A Trojan.Shell Trojan.Hacktool.Flood.A Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Hacktool.Flood.A Trojan.Hacktool.Flood.A Trojan.Script.Bbdos.cpglly Trojan.Hacktool.Flood.A Perl.Flood.3 W32/Trojan.ERNQ-5964 TR/Hacktool.jtxjg DoS:Perl/UDPFlood.A Trj/CI.A Perl/HackTool.BBSXP.NAB Perl/HackTool.NAB!tr Win32/Trojan.Flooder.363", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.Hacktool.Flood.A": [[26, 49], [63, 86], [130, 153], [154, 177], [205, 228]], "Indicator: Trojan.Shell": [[50, 62]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9999": [[87, 129]], "Indicator: Trojan.Script.Bbdos.cpglly": [[178, 204]], "Indicator: Perl.Flood.3": [[229, 241]], "Indicator: W32/Trojan.ERNQ-5964": [[242, 262]], "Indicator: TR/Hacktool.jtxjg": [[263, 280]], "Indicator: DoS:Perl/UDPFlood.A": [[281, 300]], "Indicator: Trj/CI.A": [[301, 309]], "Indicator: Perl/HackTool.BBSXP.NAB": [[310, 333]], "Indicator: Perl/HackTool.NAB!tr": [[334, 354]], "Indicator: Win32/Trojan.Flooder.363": [[355, 379]]}, "info": {"id": 
"cyner2_8class_test_01627", "source": "cyner2_8class_test"}} {"text": "We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients.", "spans": {"ThreatActor: the threat actor": [[16, 32]], "Indicator: hijacked": [[33, 41]], "Indicator: existing, legitimate in-progress conversation": [[45, 90]], "Indicator: send malicious spear phishing emails": [[130, 166]], "Organization: recipients.": [[174, 185]]}, "info": {"id": "cyner2_8class_test_01628", "source": "cyner2_8class_test"}} {"text": "Analysts suggest that both China and the United States are vying for greater influence in Myanmar, with China in particular having geopolitical interest due to sea passages, port deals, and fuel pipelines that are important to its goals.", "spans": {"Organization: Analysts": [[0, 8]], "Location: China": [[27, 32], [104, 109]], "Location: the United States": [[37, 54]], "Location: Myanmar,": [[90, 98]]}, "info": {"id": "cyner2_8class_test_01629", "source": "cyner2_8class_test"}} {"text": "] comkalisi [ .", "spans": {}, "info": {"id": "cyner2_8class_test_01630", "source": "cyner2_8class_test"}} {"text": "Pony was originally configured to download different malware families, however, due to criminal strategy changes, it currently only downloads Dyre.", "spans": {"Malware: Pony": [[0, 4]], "Malware: malware families,": [[53, 70]], "Malware: Dyre.": [[142, 147]]}, "info": {"id": "cyner2_8class_test_01631", "source": "cyner2_8class_test"}} {"text": "This request is only made upon installation , but there is no guarantee that it will be installed .", "spans": {}, "info": {"id": "cyner2_8class_test_01632", "source": "cyner2_8class_test"}} {"text": "Information gathered from the email account provides a lot of the victims ’ personal data , including messages from IM applications .", "spans": {}, "info": {"id": "cyner2_8class_test_01633", "source": "cyner2_8class_test"}} 
{"text": "This is also the first version where the package name changes into something that a less aware user may be tricked by , com.android.playup .", "spans": {"Indicator: com.android.playup": [[120, 138]]}, "info": {"id": "cyner2_8class_test_01634", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan/W32.Dialer.112255.D Trojan-GameThief.Win32.Magania!O Trojan.Aksula.A BackDoor-DVB.e Trojan/Dialer.bkm Win32.Trojan.Farfli.ai Win32/Dialer.NEW TROJ_REDOS.SM2 Trojan-GameThief.Win32.Magania.actz Trojan.Win32.Pigeon.ccmtgy Trojan.Win32.Dialer.vfq TrojWare.Win32.Trojan.Dialer.~AL BackDoor.Pigeon.12989 TROJ_REDOS.SM2 BehavesLike.Win32.Backdoor.ch Trojan/Dialer.dtm Trojan[Rootkit]/Win32.Ressdt Trojan.Win32.Dialer.112771 Trojan-GameThief.Win32.Magania.actz Win32/Gamepass.MCG Spyware.OnlineGames W32/Dropper.TMP!tr BScope.Trojan.SvcHorse.01643 Backdoor.Win32.Gh0st.BS", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan/W32.Dialer.112255.D": [[26, 52]], "Indicator: Trojan-GameThief.Win32.Magania!O": [[53, 85]], "Indicator: Trojan.Aksula.A": [[86, 101]], "Indicator: BackDoor-DVB.e": [[102, 116]], "Indicator: Trojan/Dialer.bkm": [[117, 134]], "Indicator: Win32.Trojan.Farfli.ai": [[135, 157]], "Indicator: Win32/Dialer.NEW": [[158, 174]], "Indicator: TROJ_REDOS.SM2": [[175, 189], [332, 346]], "Indicator: Trojan-GameThief.Win32.Magania.actz": [[190, 225], [451, 486]], "Indicator: Trojan.Win32.Pigeon.ccmtgy": [[226, 252]], "Indicator: Trojan.Win32.Dialer.vfq": [[253, 276]], "Indicator: TrojWare.Win32.Trojan.Dialer.~AL": [[277, 309]], "Indicator: BackDoor.Pigeon.12989": [[310, 331]], "Indicator: BehavesLike.Win32.Backdoor.ch": [[347, 376]], "Indicator: Trojan/Dialer.dtm": [[377, 394]], "Indicator: Trojan[Rootkit]/Win32.Ressdt": [[395, 423]], "Indicator: Trojan.Win32.Dialer.112771": [[424, 450]], "Indicator: Win32/Gamepass.MCG": [[487, 505]], "Indicator: Spyware.OnlineGames": [[506, 525]], "Indicator: W32/Dropper.TMP!tr": [[526, 544]], "Indicator: 
BScope.Trojan.SvcHorse.01643": [[545, 573]], "Indicator: Backdoor.Win32.Gh0st.BS": [[574, 597]]}, "info": {"id": "cyner2_8class_test_01635", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: PDF/Pidief.TI JS.Obfuscator.Z Trojan.Downloader.JMUB JS.Exploit.Pdfka.ij Bloodhound.PDF.21 JS_PIDIEF.SMX Trojan.Downloader.JMUB Exploit.JS.Pdfka.cop Exploit.Script.Pdfka.bzjgv JS_PIDIEF.SMX BehavesLike.PDF.Obfuscated.xb EXP/Pidief.2292 Trojan[Exploit]/JS.Pdfka.cop Exploit:JS/Pdfjsc.R Exploit.JS.Pdfka.cop Exploit.JS.Pdfka.cop Exploit.JS.Pdfka virus.pdf.za.4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: PDF/Pidief.TI": [[26, 39]], "Indicator: JS.Obfuscator.Z": [[40, 55]], "Indicator: Trojan.Downloader.JMUB": [[56, 78], [131, 153]], "Indicator: JS.Exploit.Pdfka.ij": [[79, 98]], "Indicator: Bloodhound.PDF.21": [[99, 116]], "Indicator: JS_PIDIEF.SMX": [[117, 130], [202, 215]], "Indicator: Exploit.JS.Pdfka.cop": [[154, 174], [311, 331], [332, 352]], "Indicator: Exploit.Script.Pdfka.bzjgv": [[175, 201]], "Indicator: BehavesLike.PDF.Obfuscated.xb": [[216, 245]], "Indicator: EXP/Pidief.2292": [[246, 261]], "Indicator: Trojan[Exploit]/JS.Pdfka.cop": [[262, 290]], "Indicator: Exploit:JS/Pdfjsc.R": [[291, 310]], "Indicator: Exploit.JS.Pdfka": [[353, 369]], "Indicator: virus.pdf.za.4": [[370, 384]]}, "info": {"id": "cyner2_8class_test_01636", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: TR/DelWin.B Trojan.DOS.DelWin.b Trojan.DOS.DelWin.B Trojan.DelWin.b Trojan.QDel TROJ_DELWIN.E Trojan.DOS.DelWin.b Trojan:DOS/Delwin.B DelWin.B DelWin.b!Trojan W32/QDel176.B!tr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: TR/DelWin.B": [[26, 37]], "Indicator: Trojan.DOS.DelWin.b": [[38, 57], [120, 139]], "Indicator: Trojan.DOS.DelWin.B": [[58, 77]], "Indicator: Trojan.DelWin.b": [[78, 93]], "Indicator: Trojan.QDel": [[94, 105]], "Indicator: TROJ_DELWIN.E": [[106, 119]], "Indicator: Trojan:DOS/Delwin.B": [[140, 159]], "Indicator: DelWin.B": [[160, 
168]], "Indicator: DelWin.b!Trojan": [[169, 184]], "Indicator: W32/QDel176.B!tr": [[185, 201]]}, "info": {"id": "cyner2_8class_test_01637", "source": "cyner2_8class_test"}} {"text": "The operation used spyware made by the NSO Group, an Israeli company that sells intrusion tools to remotely compromise mobile phones.", "spans": {"ThreatActor: operation": [[4, 13]], "Malware: spyware": [[19, 26]], "ThreatActor: the NSO Group,": [[35, 49]], "ThreatActor: Israeli company": [[53, 68]], "Malware: intrusion tools": [[80, 95]], "Indicator: remotely compromise": [[99, 118]], "System: mobile phones.": [[119, 133]]}, "info": {"id": "cyner2_8class_test_01638", "source": "cyner2_8class_test"}} {"text": "Our investigation was conducted with the collaboration and assistance of R3D, SocialTic and Article 19.", "spans": {"Organization: R3D, SocialTic": [[73, 87]], "Organization: Article 19.": [[92, 103]]}, "info": {"id": "cyner2_8class_test_01639", "source": "cyner2_8class_test"}} {"text": "Strider's attacks have tentative links with a previously uncovered group, Flamer.", "spans": {"Indicator: Strider's attacks": [[0, 17]], "Indicator: links": [[33, 38]], "ThreatActor: group, Flamer.": [[67, 81]]}, "info": {"id": "cyner2_8class_test_01640", "source": "cyner2_8class_test"}} {"text": "Some were only 3 bytes long , containing strings such as “ ddd ” and “ 333 ” , or were otherwise corrupted .", "spans": {}, "info": {"id": "cyner2_8class_test_01641", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.BAT.Downloader.DN BAT/CoinMiner.RU TROJ_CONMINER.CFG Trojan.BAT.Downloader.DN Trojan.BAT.Downloader.DN TrojWare.Bat.CoinMiner.~ Trojan.BAT.Downloader.DN TROJ_CONMINER.CFG Trojan.IPVC-4 Trojan.BAT.Downloader.DN BAT.S.Downloader.3133 Trojan:BAT/CoinMiner.A Misc.Riskware.BitCoinMiner Trojan.BAT.Downloader.DN", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Trojan.BAT.Downloader.DN": [[26, 50], [86, 110], [111, 135], [161, 185], [218, 242], [315, 339]], 
"Indicator: BAT/CoinMiner.RU": [[51, 67]], "Indicator: TROJ_CONMINER.CFG": [[68, 85], [186, 203]], "Indicator: TrojWare.Bat.CoinMiner.~": [[136, 160]], "Indicator: Trojan.IPVC-4": [[204, 217]], "Indicator: BAT.S.Downloader.3133": [[243, 264]], "Indicator: Trojan:BAT/CoinMiner.A": [[265, 287]], "Indicator: Misc.Riskware.BitCoinMiner": [[288, 314]]}, "info": {"id": "cyner2_8class_test_01642", "source": "cyner2_8class_test"}} {"text": "Seeing as the system loader of the DEX files ( ART ) fully ignores everything that goes after the data section , the patcher writes all of its resources right there .", "spans": {}, "info": {"id": "cyner2_8class_test_01643", "source": "cyner2_8class_test"}} {"text": "However , GPP does not treat new apps and updates any differently from an analysis perspective .", "spans": {}, "info": {"id": "cyner2_8class_test_01644", "source": "cyner2_8class_test"}} {"text": "Operation Desert Eagle takes a look into the recent activity of the Molerats Gaza cybergang group.", "spans": {"ThreatActor: Operation Desert Eagle": [[0, 22]], "ThreatActor: Molerats Gaza cybergang group.": [[68, 98]]}, "info": {"id": "cyner2_8class_test_01645", "source": "cyner2_8class_test"}} {"text": "The infection attempts took place in early March of 2016, shortly after the GIEI had criticized the Mexican government for interference in their investigation, and as they were preparing their final report", "spans": {"Indicator: infection": [[4, 13]], "Date: March of 2016,": [[43, 57]], "Organization: the GIEI": [[72, 80]], "Organization: the Mexican government": [[96, 118]]}, "info": {"id": "cyner2_8class_test_01646", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Trojan.CMOS.A Cmoskill.C TROJ_KILLCMOS.B Trojan.DOS.KillCMOS.b Trojan.CMOS.A TrojWare.DOS.KillCMOS.b Trojan.CMOS.A Trojan.KillCMOS TROJ_KILLCMOS.B Trojan/KillCMOS.b Trojan/DOS.KillCMOS Trojan:Win32/KillCMOS.B Trojan.CMOS.A KillCMOS.B Trojan.DOS.KillCMOS KillCMOS.B KillCmos.B", "spans": 
{"Malware: backdoor": [[2, 10]], "Indicator: Trojan.CMOS.A": [[26, 39], [89, 102], [127, 140], [235, 248]], "Indicator: Cmoskill.C": [[40, 50]], "Indicator: TROJ_KILLCMOS.B": [[51, 66], [157, 172]], "Indicator: Trojan.DOS.KillCMOS.b": [[67, 88]], "Indicator: TrojWare.DOS.KillCMOS.b": [[103, 126]], "Indicator: Trojan.KillCMOS": [[141, 156]], "Indicator: Trojan/KillCMOS.b": [[173, 190]], "Indicator: Trojan/DOS.KillCMOS": [[191, 210]], "Indicator: Trojan:Win32/KillCMOS.B": [[211, 234]], "Indicator: KillCMOS.B": [[249, 259], [280, 290]], "Indicator: Trojan.DOS.KillCMOS": [[260, 279]], "Indicator: KillCmos.B": [[291, 301]]}, "info": {"id": "cyner2_8class_test_01647", "source": "cyner2_8class_test"}} {"text": "These domains have been registered by the attackers since 2015 .", "spans": {}, "info": {"id": "cyner2_8class_test_01648", "source": "cyner2_8class_test"}} {"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ .", "spans": {"Indicator: DroidVPN": [[43, 51]], "Indicator: uyghurapps [ .": [[63, 77]]}, "info": {"id": "cyner2_8class_test_01649", "source": "cyner2_8class_test"}} {"text": "Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it .", "spans": {"Malware: Rotexy": [[98, 104]]}, "info": {"id": "cyner2_8class_test_01650", "source": "cyner2_8class_test"}} {"text": "Although the binary names have mirai mentioned it is probably not wise to treat it just as a mirai variant.", "spans": {"Indicator: binary names": [[13, 25]], "Malware: mirai": [[31, 36]], "Malware: a mirai variant.": [[91, 107]]}, "info": {"id": "cyner2_8class_test_01651", "source": "cyner2_8class_test"}} {"text": "The malware architecture is modular , which means that it can execute plugins .", "spans": {}, "info": {"id": "cyner2_8class_test_01652", "source": "cyner2_8class_test"}} {"text": "A backdoor also known as: Backdoor.Win32.VB!O Backdoor/VB.nb 
Win32.Trojan.WisdomEyes.16070401.9500.9683 W32/MemWatcher.DVPF-1178 Adware.Quadro Win32/Memwatch.F Win.Downloader.VB-61 Backdoor.Win32.VB.nb Trojan.Win32.VB.etebsn Backdoor.Win32.A.VB.233482 Backdoor.Win32.VB.NB Trojan.VbCrypt.60 Backdoor.VB.Win32.2125 BKDR_SANDBOX.A BehavesLike.Win32.VBObfus.dm Backdoor.Win32.VB W32/MemWatcher.A Backdoor/VB.ngt BDS/VB.NB Trojan[Backdoor]/Win32.VB Trojan.Heur.VP.ED107DA Backdoor.Win32.VB.nb Trojan:Win32/Sandbox.A Trojan/Win32.Xema.R122751 Backdoor.VB Win32/VB.NB Win32.Backdoor.Vb.Dzjg Backdoor.VB!sB1m+2s72zg W32/VB.NB!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: Backdoor.Win32.VB!O": [[26, 45]], "Indicator: Backdoor/VB.nb": [[46, 60]], "Indicator: Win32.Trojan.WisdomEyes.16070401.9500.9683": [[61, 103]], "Indicator: W32/MemWatcher.DVPF-1178": [[104, 128]], "Indicator: Adware.Quadro": [[129, 142]], "Indicator: Win32/Memwatch.F": [[143, 159]], "Indicator: Win.Downloader.VB-61": [[160, 180]], "Indicator: Backdoor.Win32.VB.nb": [[181, 201], [468, 488]], "Indicator: Trojan.Win32.VB.etebsn": [[202, 224]], "Indicator: Backdoor.Win32.A.VB.233482": [[225, 251]], "Indicator: Backdoor.Win32.VB.NB": [[252, 272]], "Indicator: Trojan.VbCrypt.60": [[273, 290]], "Indicator: Backdoor.VB.Win32.2125": [[291, 313]], "Indicator: BKDR_SANDBOX.A": [[314, 328]], "Indicator: BehavesLike.Win32.VBObfus.dm": [[329, 357]], "Indicator: Backdoor.Win32.VB": [[358, 375]], "Indicator: W32/MemWatcher.A": [[376, 392]], "Indicator: Backdoor/VB.ngt": [[393, 408]], "Indicator: BDS/VB.NB": [[409, 418]], "Indicator: Trojan[Backdoor]/Win32.VB": [[419, 444]], "Indicator: Trojan.Heur.VP.ED107DA": [[445, 467]], "Indicator: Trojan:Win32/Sandbox.A": [[489, 511]], "Indicator: Trojan/Win32.Xema.R122751": [[512, 537]], "Indicator: Backdoor.VB": [[538, 549]], "Indicator: Win32/VB.NB": [[550, 561]], "Indicator: Win32.Backdoor.Vb.Dzjg": [[562, 584]], "Indicator: Backdoor.VB!sB1m+2s72zg": [[585, 608]], "Indicator: W32/VB.NB!tr.bdr": [[609, 625]]}, "info": {"id": 
"cyner2_8class_test_01653", "source": "cyner2_8class_test"}} {"text": "During the trojan registration stage , the trojan exfiltrates private information such as the phone 's model , IMEI , phone number and country .", "spans": {}, "info": {"id": "cyner2_8class_test_01654", "source": "cyner2_8class_test"}} {"text": "Email account A Gmail account with password is mentioned in the sample ’ s code : It contains the victim ’ s exfiltrated data and “ cmd ” directory with commands for victim devices .", "spans": {"System: Gmail": [[16, 21]]}, "info": {"id": "cyner2_8class_test_01655", "source": "cyner2_8class_test"}} {"text": "Unit 42's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East.", "spans": {"Organization: Unit 42's": [[0, 9]], "ThreatActor: the OilRig campaign": [[32, 51]], "ThreatActor: the threat actors": [[63, 80]], "ThreatActor: the original attack campaign": [[93, 121]], "Malware: Trojans": [[142, 149]], "Malware: toolset": [[159, 166]], "Indicator: attacks": [[197, 204]], "Location: the Middle East.": [[208, 224]]}, "info": {"id": "cyner2_8class_test_01656", "source": "cyner2_8class_test"}} {"text": "For several years now, the Vawtrak trojan has been targeting banking and financial institutions, most recently in Canada as reported last week.", "spans": {"Date: several years": [[4, 17]], "Malware: Vawtrak trojan": [[27, 41]], "Organization: banking": [[61, 68]], "Organization: financial institutions,": [[73, 96]], "Location: Canada": [[114, 120]], "Date: last week.": [[133, 143]]}, "info": {"id": "cyner2_8class_test_01657", "source": "cyner2_8class_test"}} {"text": "We chose the name MoonWind' based on debugging strings we saw within the samples, as well as the compiler used to generate the samples.", "spans": {"Malware: MoonWind'": [[18, 27]]}, "info": {"id": "cyner2_8class_test_01658", "source": 
"cyner2_8class_test"}} {"text": "A backdoor also known as: W32.HfsAutoB.9C3D Trojan.Graftor.D444DD Win32.Trojan.Kryptik.aey TROJ_HPISDA.SM Win32.Trojan.Injector.HN Trojan.Win32.Dwn.eblljj Trojan.Win32.Z.Graftor.114176.Y Trojan.DownLoader20.53198 TROJ_HPISDA.SM BehavesLike.Win32.Trojan.cm W32/Trojan.QEKF-4451 Trojan[Ransom]/Win32.Locky.e Trojan:Win32/Zlader.A Trojan.Downloader Trj/CI.A Trojan.Win32.Crypt W32/Injector.CZNG!tr Win32/Trojan.af4", "spans": {"Malware: backdoor": [[2, 10]], "Indicator: W32.HfsAutoB.9C3D": [[26, 43]], "Indicator: Trojan.Graftor.D444DD": [[44, 65]], "Indicator: Win32.Trojan.Kryptik.aey": [[66, 90]], "Indicator: TROJ_HPISDA.SM": [[91, 105], [213, 227]], "Indicator: Win32.Trojan.Injector.HN": [[106, 130]], "Indicator: Trojan.Win32.Dwn.eblljj": [[131, 154]], "Indicator: Trojan.Win32.Z.Graftor.114176.Y": [[155, 186]], "Indicator: Trojan.DownLoader20.53198": [[187, 212]], "Indicator: BehavesLike.Win32.Trojan.cm": [[228, 255]], "Indicator: W32/Trojan.QEKF-4451": [[256, 276]], "Indicator: Trojan[Ransom]/Win32.Locky.e": [[277, 305]], "Indicator: Trojan:Win32/Zlader.A": [[306, 327]], "Indicator: Trojan.Downloader": [[328, 345]], "Indicator: Trj/CI.A": [[346, 354]], "Indicator: Trojan.Win32.Crypt": [[355, 373]], "Indicator: W32/Injector.CZNG!tr": [[374, 394]], "Indicator: Win32/Trojan.af4": [[395, 411]]}, "info": {"id": "cyner2_8class_test_01659", "source": "cyner2_8class_test"}} {"text": "However, the heavy-handedness of the government has also inadvertently created a situation where Iranian users are better positioned than others to avoid some surveillance activities – increasing the burden of finding pseudonymous users.", "spans": {}, "info": {"id": "cyner2_8class_test_01660", "source": "cyner2_8class_test"}} {"text": "Each APK has the ability to target different financial institutions in specific geographical locations.", "spans": {"System: APK": [[5, 8]], "Organization: different financial institutions": [[35, 67]], "Location: specific 
geographical locations.": [[71, 103]]}, "info": {"id": "cyner2_8class_test_01661", "source": "cyner2_8class_test"}}