Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde)

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde)	Threat Actor	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	NeD Worm (eedcf785-d011-4e17-96c4-6ff39138ada0)	Tool	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	4
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	5
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	6
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	6