Example Content
Iran-Oil example as dynamic observable Events
<?xml version="1.0" encoding="UTF-8"?>
<!-- The observables in this document were recorded as part of the widespread "Iran-Oil" attack
     campaign (one of many names used for it) in March 2012. The document is an interchange sample:
     it carries no DOCTYPE, and every namespace is declared once, on the root element. -->
<!-- NOTE(review): xsi:schemaLocation lists hints for the cybox, URIObject, FileObject and
     EmailMessageObject namespaces only. The AddressObject namespace (xmlns:AddrObj), used by the
     Address_Value elements further down, has no hint here, so a validator has to get that schema
     from a local catalog. Consumers should treat all of these URLs as hints and must not fetch
     schemas from locations named inside an inbound document. -->
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:cybox="http://cybox.mitre.org/cybox_v1"
                   xmlns:common="http://cybox.mitre.org/Common_v1"
                   xmlns:AddrObj="http://cybox.mitre.org/objects#AddressObject"
                   xmlns:URIObj="http://cybox.mitre.org/objects#URIObject"
                   xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
                   xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject"
                   xsi:schemaLocation="http://cybox.mitre.org/cybox_v1
                                       http://cybox.mitre.org/XMLSchema/cybox_core_v1.0(draft).xsd
                                       http://cybox.mitre.org/objects#URIObject
                                       http://cybox.mitre.org/XMLSchema/objects/URI/URI_Object_1.1.xsd
                                       http://cybox.mitre.org/objects#FileObject
                                       http://cybox.mitre.org/XMLSchema/objects/File/File_Object_1.2.xsd
                                       http://cybox.mitre.org/objects#EmailMessageObject
                                       http://cybox.mitre.org/XMLSchema/objects/Email_Message/Email_Message_Object_1.1.xsd"
                   cybox_major_version="1"
                   cybox_minor_version="0(draft)">
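<cybox:Observable id="cybox:guid-1a937ec2-90ab-4e0e-a37c-db9b2e66a58e">
    <!-- Step 1: the victim receives the "Iran-Oil" campaign email carrying the .doc lure as an attachment -->
    <cybox:Event type="Email Ops">
        <cybox:Description>
            <common:Text>Receive "Iran-Oil" attack campaign email message.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Receive">
                <cybox:Associated_Objects>
                    <cybox:Associated_Object id="cybox:guid-51359587-f201-4383-b032-5a64522fcd7d"
                                             type="Email Message"
                                             association_type="Returned">
                        <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
                            <EmailMessageObj:Attachments>
                                <!-- Forward reference: the attached .doc is defined as a File object in the
                                     "Open" observable that follows this one -->
                                <EmailMessageObj:File object_reference="cybox:guid-49d31c13-8d7b-4528-b8d6-ce8ed0d43ad7"/>
                            </EmailMessageObj:Attachments>
                            <EmailMessageObj:Header>
                                <EmailMessageObj:To>
                                    <EmailMessageObj:Recipient category="e-mail">
                                        <AddrObj:Address_Value datatype="String">william.abnett@gmail.com</AddrObj:Address_Value>
                                    </EmailMessageObj:Recipient>
                                </EmailMessageObj:To>
                                <EmailMessageObj:From category="e-mail">
                                    <AddrObj:Address_Value datatype="String">wmorrison89@gmail.com</AddrObj:Address_Value>
                                </EmailMessageObj:From>
                                <!-- Kept on a single line: whitespace inside element text is delivered to the
                                     application, so a wrapped value would carry a line break into the subject
                                     being matched. The value agrees with the Subject: line in Raw_Header. -->
                                <EmailMessageObj:Subject datatype="String">Iran's Oil and Nuclear Situation</EmailMessageObj:Subject>
                                <!-- NOTE(review): Raw_Header carries "Date: Fri, 2 Mar 2012 07:44:24 -0500"
                                     (12:44:24Z), which does not agree with this structured value. Confirm
                                     which timestamp is authoritative before using either for correlation. -->
                                <EmailMessageObj:Date datatype="DateTime">2012-03-02T07:42:24Z</EmailMessageObj:Date>
                            </EmailMessageObj:Header>
                            <!-- CDATA holds the headers verbatim (the angle brackets in Message-ID would otherwise
                                 need escaping); the leading and trailing line breaks are part of the value. -->
                            <EmailMessageObj:Raw_Header datatype="String"><![CDATA[
Return-Path: <wmorrison89@gmail.com>
Received-SPF: pass (google.com: domain of wmorrison89@gmail.com designates
10.236.185.4 as permitted sender) client-ip=10.236.185.4;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of
wmorrison89@gmail.com designates 10.236.185.4 as permitted sender)
smtp.mail=wmorrison89@gmail.com; dkim=pass header.i=wmorrison89@gmail.com
Received: from mr.google.com ([10.236.185.4]) by 10.236.185.4 with SMTP
id t4mr5301660yhm.129.1330692273662 (num_hops = 1); Fri, 02 Mar 2012
04:44:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.185.4 with SMTP id t4mr4236541yhm.129.1330692265380;
Fri,
02 Mar 2012 04:44:25 -0800 (PST)
Received: by 10.147.35.14 with HTTP; Fri, 2 Mar 2012 04:44:24 -0800 (PST)
In-Reply-To:
<CADY6HTa-jmaqmtVyyT-nLz6reztNjcs-617wL4bt9YBOGu+h4w@mail.gmail.com>
References:
<CADY6HTa-jmaqmtVyyT-nLz6reztNjcs-617wL4bt9YBOGu+h4w@mail.gmail.com>
Date: Fri, 2 Mar 2012 07:44:24 -0500
Message-ID:
<CADY6HTZ6oopY5v6WkYU81YcSQw3X124CK_Fx4jhnhUiU3Y9z6A@mail.gmail.com>
Subject: Iran's Oil and Nuclear Situation
From: william abnett <wmorrison89@gmail.com>
To: william.abnett <william.abnett@gmail.com>
Content-Type: multipart/mixed; boundary="20cf303f67fac8928804ba41efd5"
]]></EmailMessageObj:Raw_Header>
                        </cybox:Defined_Object>
                    </cybox:Associated_Object>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>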
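<cybox:Observable id="cybox:guid-35f04c28-5fd2-4d72-8aae-2ad04ee1811f">
    <!-- Step 2: the victim opens the malformed .doc attachment -->
    <cybox:Event type="File Ops (CRUD)">
        <cybox:Description>
            <common:Text>Open Iran-Oil corrupted .doc file.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Open">
                <cybox:Associated_Objects>
                    <!-- This id is the target of the email Attachments object_reference above and of the
                         "Initiating" / "Downloaded_By" idrefs in the .mp4 download observable below -->
                    <cybox:Associated_Object id="cybox:guid-49d31c13-8d7b-4528-b8d6-ce8ed0d43ad7"
                                             type="File"
                                             association_type="Affected">
                        <cybox:Description>
                            <common:Text>The word document contains flash, which downloads a
corrupted mp4 file. The mp4 file itself is not anything special
but an 0C filled (22kb) mp4 file with a valid mp4
header.</common:Text>
                        </cybox:Description>
                        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
                            <!-- Kept on one line: whitespace inside element text is data, so a wrapped value
                                 would put a line break into the file name and defeat an exact match on it.
                                 The name matches the email subject in the "Receive" observable. -->
                            <FileObj:File_Name datatype="String">Iran's Oil and Nuclear Situation.doc</FileObj:File_Name>
                            <FileObj:Size_In_Bytes datatype="UnsignedLong">106604</FileObj:Size_In_Bytes>
                            <FileObj:Hashes>
                                <!-- Only an MD5 is recorded; where the sample is still available, a SHA-256
                                     alongside it gives consumers a collision-resistant identity -->
                                <common:Hash>
                                    <common:Type datatype="String">MD5</common:Type>
                                    <common:Simple_Hash_Value condition="Equals" datatype="hexBinary">E92A4FC283EB2802AD6D0E24C7FCC857</common:Simple_Hash_Value>
                                </common:Hash>
                            </FileObj:Hashes>
                        </cybox:Defined_Object>
                    </cybox:Associated_Object>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>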
<cybox:Observable id="cybox:guid-f005fbc6-7427-43ea-8e1e-9a341836f76b">
    <!-- Step 3: the opened .doc fetches the malformed .mp4 that acts as the downloader -->
    <cybox:Event type="File Ops (CRUD)">
        <cybox:Description>
            <common:Text>Download Iran-Oil invalid .mp4 downloader file.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Download">
                <cybox:Associated_Objects>
                    <!-- The .doc defined in the "Open" observable is what starts the download -->
                    <cybox:Associated_Object idref="cybox:guid-49d31c13-8d7b-4528-b8d6-ce8ed0d43ad7"
                                             type="File"
                                             association_type="Initiating"/>
                    <!-- The downloaded .mp4 itself; the .exe "Create" and "Execute" observables reference
                         this id as their Initiating object -->
                    <cybox:Associated_Object id="cybox:guid-8b463e0d-cc16-4036-950e-5eeb09bc51aa"
                                             type="File"
                                             association_type="Affected">
                        <cybox:Description>
                            <common:Text>This mp4 file causes memory corruption and code
execution via heap-spraying code injection.</common:Text>
                        </cybox:Description>
                        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
                            <FileObj:File_Name datatype="String">test.mp4</FileObj:File_Name>
                            <FileObj:Size_In_Bytes datatype="UnsignedLong">22384</FileObj:Size_In_Bytes>
                            <FileObj:Hashes>
                                <common:Hash>
                                    <common:Type datatype="String">MD5</common:Type>
                                    <common:Simple_Hash_Value condition="Equals" datatype="hexBinary">8933598C8B1FA5E493497B11C48DA4F2</common:Simple_Hash_Value>
                                </common:Hash>
                            </FileObj:Hashes>
                        </cybox:Defined_Object>
                        <cybox:Related_Objects>
                            <cybox:Related_Object idref="cybox:guid-49d31c13-8d7b-4528-b8d6-ce8ed0d43ad7"
                                                  type="File"
                                                  relationship="Downloaded_By"/>
                            <cybox:Related_Object idref="cybox:guid-61041b8b-0c15-48a0-ac5f-b49488788010"
                                                  type="URI"
                                                  relationship="Downloaded_From"/>
                        </cybox:Related_Objects>
                    </cybox:Associated_Object>
                    <!-- Download source. The URL uses an IP literal, so there is no DNS resolution to
                         observe for this step; network-level detection has to key on the address or path. -->
                    <cybox:Associated_Object id="cybox:guid-61041b8b-0c15-48a0-ac5f-b49488788010"
                                             type="URI"
                                             association_type="Utilized">
                        <cybox:Defined_Object xsi:type="URIObj:URIObjectType" type="URL">
                            <URIObj:Value datatype="AnyURI" condition="Equals">http://208.115.230.76/test.mp4</URIObj:Value>
                        </cybox:Defined_Object>
                    </cybox:Associated_Object>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>
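<cybox:Observable id="cybox:guid-210f18f3-3874-4f9a-861d-71b328be90c6">
    <!-- Step 4: the .mp4 downloader drops the Trojan executable into the user's temp directory -->
    <cybox:Event type="File Ops (CRUD)">
        <cybox:Description>
            <!-- common:Text rather than common:Text_Title, so this Description is shaped like every
                 other Description in the document -->
            <common:Text>Create Iran-Oil .exe Trojan file.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Create">
                <cybox:Associated_Objects>
                    <cybox:Associated_Object idref="cybox:guid-8b463e0d-cc16-4036-950e-5eeb09bc51aa"
                                             type="File"
                                             association_type="Initiating"/>
                    <!-- The dropped us.exe; the "Execute" and "Connect" observables reference this id -->
                    <cybox:Associated_Object id="cybox:guid-b7e0bc39-f519-4878-8fb0-5902554efe1c"
                                             type="File"
                                             association_type="Affected">
                        <cybox:Description>
                            <common:Text>The file (us.exe MD5: FD1BE09E499E8E380424B3835FC973A8
4861440 bytes) is created in the logged in user %Temp%
directory. The size of the embedded file is 22.5 KB (23040
bytes) and the size of the created us.exe is 4.63MB. It is an
odd discrepancy until you look at the file and it looks like the
code is repeated over and over - 211 times. The file resource
section indicates the file is meant to look like a java updater,
which is always larger than 22.5KB and that would explain all
this padding, which is done at the time when the file is being
written to the disk.</common:Text>
                        </cybox:Description>
                        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
                            <FileObj:File_Name datatype="String">us.exe</FileObj:File_Name>
                            <!-- Unexpanded environment-variable form: a consumer matching on path has to
                                 expand it per host rather than compare it literally -->
                            <FileObj:File_Path datatype="String">%Temp%</FileObj:File_Path>
                            <!-- 23040 bytes (the embedded payload, see the Stateful_Measure object below)
                                 times the 211 repetitions named in the description is exactly 4861440 -->
                            <FileObj:Size_In_Bytes datatype="UnsignedLong">4861440</FileObj:Size_In_Bytes>
                            <FileObj:Hashes>
                                <common:Hash>
                                    <common:Type datatype="String">MD5</common:Type>
                                    <common:Simple_Hash_Value condition="Equals" datatype="hexBinary">FD1BE09E499E8E380424B3835FC973A8</common:Simple_Hash_Value>
                                </common:Hash>
                            </FileObj:Hashes>
                        </cybox:Defined_Object>
                        <cybox:Related_Objects>
                            <cybox:Related_Object idref="cybox:guid-8b463e0d-cc16-4036-950e-5eeb09bc51aa"
                                                  type="File"
                                                  relationship="Created_By"/>
                            <!-- The trojan connects to the following set of URLs/IPs for C&C. Each idref
                                 resolves to one of the Stateful_Measure objects defined after the "Connect"
                                 observable; the URL/IP objects are listed in resolved pairs. -->
                            <cybox:Related_Object idref="cybox:guid-41b220d8-4c45-48de-9d08-30d661b2dc8e"
                                                  type="URI"
                                                  relationship="Connected_To"/>
                            <cybox:Related_Object idref="cybox:guid-61aa225b-90ef-415c-8bbd-a17282e457c9"
                                                  type="IP Address"
                                                  relationship="Connected_To"/>
                            <cybox:Related_Object idref="cybox:guid-568db11e-39ee-43d7-83d8-032bdec3801a"
                                                  type="URI"
                                                  relationship="Connected_To"/>
                            <cybox:Related_Object idref="cybox:guid-80bea4d1-0e70-4a03-a54f-e40373bf94f1"
                                                  type="IP Address"
                                                  relationship="Connected_To"/>
                            <cybox:Related_Object idref="cybox:guid-af7cb3b6-d70b-4b3b-b24f-7cfad739710f"
                                                  type="URI"
                                                  relationship="Connected_To"/>
                            <cybox:Related_Object idref="cybox:guid-5ceb9d54-24e2-4627-948d-6b92ac81962a"
                                                  type="IP Address"
                                                  relationship="Connected_To"/>
                        </cybox:Related_Objects>
                    </cybox:Associated_Object>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>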
<cybox:Observable id="cybox:guid-b650c988-aac7-45ff-967d-9f1e5fc66161">
    <!-- Step 5: the dropped us.exe Trojan is executed; both objects are referenced by id only,
         their definitions live in the "Download" and "Create" observables above -->
    <cybox:Event type="File Ops (CRUD)">
        <cybox:Description>
            <common:Text>Execute Iran-Oil .exe Trojan file.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Execute">
                <cybox:Associated_Objects>
                    <cybox:Associated_Object idref="cybox:guid-8b463e0d-cc16-4036-950e-5eeb09bc51aa"
                                             type="File"
                                             association_type="Initiating"/>
                    <cybox:Associated_Object idref="cybox:guid-b7e0bc39-f519-4878-8fb0-5902554efe1c"
                                             type="File"
                                             association_type="Affected"/>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>
<cybox:Observable id="cybox:guid-dee72b3e-82fb-4319-bfcc-007e3cf930e8">
    <!-- Iran-Oil core embedded .exe Trojan file: the 23040-byte payload that the "Create" observable's
         description says is repeated to make up the 4861440-byte us.exe on disk. A static observation
         (Stateful_Measure) rather than an event. -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-bed1ff22-08e8-4e04-b7ac-908b5271176f" type="File">
            <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name datatype="String">us-embedded.exe</FileObj:File_Name>
                <FileObj:Size_In_Bytes datatype="UnsignedLong">23040</FileObj:Size_In_Bytes>
                <FileObj:Hashes>
                    <common:Hash>
                        <common:Type datatype="String">MD5</common:Type>
                        <common:Simple_Hash_Value condition="Equals" datatype="hexBinary">CB3DCDE34FD9FF0E19381D99B02F9692</common:Simple_Hash_Value>
                    </common:Hash>
                </FileObj:Hashes>
            </cybox:Defined_Object>
            <cybox:Related_Objects>
                <!-- Contained within us.exe (defined in the "Create" observable) -->
                <cybox:Related_Object idref="cybox:guid-b7e0bc39-f519-4878-8fb0-5902554efe1c"
                                      type="File"
                                      relationship="Contained_Within"/>
            </cybox:Related_Objects>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-a24ff8bc-b534-4616-838b-8bbe260a8e8f">
    <!-- Step 6: the running Trojan connects out to its C&C URLs/IPs. Every object here is a reference:
         the .exe is defined in the "Create" observable and the six URL/IP objects in the
         Stateful_Measure observables that follow. -->
    <cybox:Event type="App Layer Traffic">
        <cybox:Description>
            <common:Text>Trojan .exe file connects out to C2 URLs/IPs.</common:Text>
        </cybox:Description>
        <cybox:Actions>
            <cybox:Action type="Connect">
                <cybox:Associated_Objects>
                    <cybox:Associated_Object idref="cybox:guid-b7e0bc39-f519-4878-8fb0-5902554efe1c"
                                             type="File"
                                             association_type="Initiating"/>
                    <!-- pair 1 -->
                    <cybox:Associated_Object idref="cybox:guid-41b220d8-4c45-48de-9d08-30d661b2dc8e"
                                             type="URI"
                                             association_type="Utilized"/>
                    <cybox:Associated_Object idref="cybox:guid-61aa225b-90ef-415c-8bbd-a17282e457c9"
                                             type="IP Address"
                                             association_type="Utilized"/>
                    <!-- pair 2 -->
                    <cybox:Associated_Object idref="cybox:guid-568db11e-39ee-43d7-83d8-032bdec3801a"
                                             type="URI"
                                             association_type="Utilized"/>
                    <cybox:Associated_Object idref="cybox:guid-80bea4d1-0e70-4a03-a54f-e40373bf94f1"
                                             type="IP Address"
                                             association_type="Utilized"/>
                    <!-- pair 3 -->
                    <cybox:Associated_Object idref="cybox:guid-af7cb3b6-d70b-4b3b-b24f-7cfad739710f"
                                             type="URI"
                                             association_type="Utilized"/>
                    <cybox:Associated_Object idref="cybox:guid-5ceb9d54-24e2-4627-948d-6b92ac81962a"
                                             type="IP Address"
                                             association_type="Utilized"/>
                </cybox:Associated_Objects>
            </cybox:Action>
        </cybox:Actions>
    </cybox:Event>
</cybox:Observable>
<!-- The next six Observables represent the 3 different URL/IP pairs of C&C servers that the trojan communicates with-->
<cybox:Observable id="cybox:guid-066cef51-c886-432e-9a22-a17f57f3f3f2">
    <!-- One of three Command and Control URLs. NOTE(review): the value is a bare host name with no
         scheme although the object is typed "URL"; confirm whether a scheme was dropped, since a
         consumer comparing AnyURI values literally would not match a full URL against this string. -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-41b220d8-4c45-48de-9d08-30d661b2dc8e" type="URI">
            <cybox:Defined_Object xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value datatype="AnyURI" condition="Equals">www.documents.myPicture.info</URIObj:Value>
            </cybox:Defined_Object>
            <cybox:Related_Objects>
                <!-- the address this host resolved to at observation time -->
                <cybox:Related_Object idref="cybox:guid-61aa225b-90ef-415c-8bbd-a17282e457c9"
                                      type="IP Address"
                                      relationship="Resolved_To"/>
            </cybox:Related_Objects>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-4e05804c-f552-44e1-9793-ff4bb7f88f9c">
    <!-- One of three Command and Control IPs. All three C&C IP objects in this document carry the
         same address, so a single network block covers every resolved host; the host names still
         matter for detection, since the address can change while the names stay in use. -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-61aa225b-90ef-415c-8bbd-a17282e457c9" type="IP Address">
            <cybox:Defined_Object xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
                <AddrObj:Address_Value datatype="String" condition="Equals">199.192.156.134</AddrObj:Address_Value>
            </cybox:Defined_Object>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-75ce59ad-1f01-4eae-9ecc-0b22c4c24ce7">
    <!-- One of three Command and Control URLs. NOTE(review): as with the other two, the value is a
         bare host name although the object is typed "URL"; confirm whether a scheme was dropped. -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-568db11e-39ee-43d7-83d8-032bdec3801a" type="URI">
            <cybox:Defined_Object xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value datatype="AnyURI" condition="Equals">documents.myPicture.info</URIObj:Value>
            </cybox:Defined_Object>
            <cybox:Related_Objects>
                <!-- the address this host resolved to at observation time -->
                <cybox:Related_Object idref="cybox:guid-80bea4d1-0e70-4a03-a54f-e40373bf94f1"
                                      type="IP Address"
                                      relationship="Resolved_To"/>
            </cybox:Related_Objects>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-1ea53b14-8fe9-467b-a298-62d9684e797d">
    <!-- One of three Command and Control IPs (the same address as the other two C&C IP objects;
         it is modelled separately so each URL/IP pair stays addressable on its own) -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-80bea4d1-0e70-4a03-a54f-e40373bf94f1" type="IP Address">
            <cybox:Defined_Object xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
                <AddrObj:Address_Value datatype="String" condition="Equals">199.192.156.134</AddrObj:Address_Value>
            </cybox:Defined_Object>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-f6c8ee75-ee7e-4490-bd5d-0661d0db7264">
    <!-- One of three Command and Control URLs. NOTE(review): the value is a bare host name although
         the object is typed "URL"; the "ftp." label suggests a scheme may have been dropped, confirm
         against the original observation. -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-af7cb3b6-d70b-4b3b-b24f-7cfad739710f" type="URI">
            <cybox:Defined_Object xsi:type="URIObj:URIObjectType" type="URL">
                <URIObj:Value datatype="AnyURI" condition="Equals">ftp.documents.myPicture.info</URIObj:Value>
            </cybox:Defined_Object>
            <cybox:Related_Objects>
                <!-- the address this host resolved to at observation time -->
                <cybox:Related_Object idref="cybox:guid-5ceb9d54-24e2-4627-948d-6b92ac81962a"
                                      type="IP Address"
                                      relationship="Resolved_To"/>
            </cybox:Related_Objects>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-c78c0a83-6d14-45f8-827f-f758f0cd11ea">
    <!-- One of three Command and Control IPs (the same address as the other two C&C IP objects;
         it is modelled separately so each URL/IP pair stays addressable on its own) -->
    <cybox:Stateful_Measure>
        <cybox:Object id="cybox:guid-5ceb9d54-24e2-4627-948d-6b92ac81962a" type="IP Address">
            <cybox:Defined_Object xsi:type="AddrObj:AddressObjectType" category="ipv4-addr">
                <AddrObj:Address_Value datatype="String" condition="Equals">199.192.156.134</AddrObj:Address_Value>
            </cybox:Defined_Object>
        </cybox:Object>
    </cybox:Stateful_Measure>
</cybox:Observable>
<cybox:Observable id="cybox:guid-47d6a950-884d-46b5-9938-ac5555065a81">
    <!-- Composed pattern that is true only when ALL six events occur: the email is received AND the
         .doc is opened AND the .mp4 downloader is downloaded AND the Trojan .exe is created AND it is
         executed AND it connects to the three C&C URL/IP pairs. -->
    <!-- A very tight filter: very few false positives, but a change in almost any single element of
         the attack makes it miss. -->
    <cybox:Observable_Composition operator="AND">
        <!-- Receive "Iran-Oil" attack campaign email message -->
        <cybox:Observable idref="cybox:guid-1a937ec2-90ab-4e0e-a37c-db9b2e66a58e"/>
        <!-- Open Iran-Oil corrupted .doc file -->
        <cybox:Observable idref="cybox:guid-35f04c28-5fd2-4d72-8aae-2ad04ee1811f"/>
        <!-- Download Iran-Oil invalid .mp4 downloader file -->
        <cybox:Observable idref="cybox:guid-f005fbc6-7427-43ea-8e1e-9a341836f76b"/>
        <!-- Create Iran-Oil .exe Trojan file -->
        <cybox:Observable idref="cybox:guid-210f18f3-3874-4f9a-861d-71b328be90c6"/>
        <!-- Execute Iran-Oil .exe Trojan file -->
        <cybox:Observable idref="cybox:guid-b650c988-aac7-45ff-967d-9f1e5fc66161"/>
        <!-- Trojan .exe file connects out to C&C URLs/IPs -->
        <cybox:Observable idref="cybox:guid-a24ff8bc-b534-4616-838b-8bbe260a8e8f"/>
    </cybox:Observable_Composition>
</cybox:Observable>
<cybox:Observable id="cybox:guid-80594430-7567-4402-88a4-05d556b21884">
    <!-- Composed pattern that is true when ANY of the six events occurs: the email is received OR the
         .doc is opened OR the .mp4 downloader is downloaded OR the Trojan .exe is created OR it is
         executed OR it connects to the three C&C URL/IP pairs. -->
    <!-- A very loose filter: it can raise false positives, but it catches many variations of the
         attack because any one element on its own is enough. -->
    <cybox:Observable_Composition operator="OR">
        <!-- Receive "Iran-Oil" attack campaign email message -->
        <cybox:Observable idref="cybox:guid-1a937ec2-90ab-4e0e-a37c-db9b2e66a58e"/>
        <!-- Open Iran-Oil corrupted .doc file -->
        <cybox:Observable idref="cybox:guid-35f04c28-5fd2-4d72-8aae-2ad04ee1811f"/>
        <!-- Download Iran-Oil invalid .mp4 downloader file -->
        <cybox:Observable idref="cybox:guid-f005fbc6-7427-43ea-8e1e-9a341836f76b"/>
        <!-- Create Iran-Oil .exe Trojan file -->
        <cybox:Observable idref="cybox:guid-210f18f3-3874-4f9a-861d-71b328be90c6"/>
        <!-- Execute Iran-Oil .exe Trojan file -->
        <cybox:Observable idref="cybox:guid-b650c988-aac7-45ff-967d-9f1e5fc66161"/>
        <!-- Trojan .exe file connects out to C&C URLs/IPs -->
        <cybox:Observable idref="cybox:guid-a24ff8bc-b534-4616-838b-8bbe260a8e8f"/>
    </cybox:Observable_Composition>
</cybox:Observable>
<cybox:Observable id="cybox:guid-7d932074-fded-4056-870e-dd51980501d4">
    <!-- Composed pattern mixing the two operators. It is true when (the email is received AND the
         .doc is opened) OR (the .mp4 downloader is downloaded AND the Trojan .exe is created AND it is
         executed) OR the Trojan connects to the three C&C URL/IP pairs. Each AND group is wrapped in
         an anonymous inner Observable, since a composition only nests through an Observable. -->
    <cybox:Observable_Composition operator="OR">
        <!-- delivery stage: email received AND .doc opened -->
        <cybox:Observable>
            <cybox:Observable_Composition operator="AND">
                <!-- Receive "Iran-Oil" attack campaign email message -->
                <cybox:Observable idref="cybox:guid-1a937ec2-90ab-4e0e-a37c-db9b2e66a58e"/>
                <!-- Open Iran-Oil corrupted .doc file -->
                <cybox:Observable idref="cybox:guid-35f04c28-5fd2-4d72-8aae-2ad04ee1811f"/>
            </cybox:Observable_Composition>
        </cybox:Observable>
        <!-- installation stage: .mp4 downloaded AND .exe created AND .exe executed -->
        <cybox:Observable>
            <cybox:Observable_Composition operator="AND">
                <!-- Download Iran-Oil invalid .mp4 downloader file -->
                <cybox:Observable idref="cybox:guid-f005fbc6-7427-43ea-8e1e-9a341836f76b"/>
                <!-- Create Iran-Oil .exe Trojan file -->
                <cybox:Observable idref="cybox:guid-210f18f3-3874-4f9a-861d-71b328be90c6"/>
                <!-- Execute Iran-Oil .exe Trojan file -->
                <cybox:Observable idref="cybox:guid-b650c988-aac7-45ff-967d-9f1e5fc66161"/>
            </cybox:Observable_Composition>
        </cybox:Observable>
        <!-- beaconing stage: Trojan .exe file connects out to C&C URLs/IPs -->
        <cybox:Observable idref="cybox:guid-a24ff8bc-b534-4616-838b-8bbe260a8e8f"/>
    </cybox:Observable_Composition>
</cybox:Observable>
<!-- CybOX enables a wide range of other observable pattern variations, either at the logical-composition level or by using patterns at the Object attribute level (including regular expressions), all of which let the user define an almost infinitely variable set of patterns and filters -->
</cybox:Observables>