Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde)

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde)	Threat Actor	1
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411)	Intrusion Set	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	NeD Worm (eedcf785-d011-4e17-96c4-6ff39138ada0)	Tool	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	3
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a)	Malware	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	5
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	6
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	6