<stix:STIX_Package
	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
	xmlns:cybox="http://cybox.mitre.org/cybox-2"
	xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
	xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
	xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
	xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
	xmlns:report="http://stix.mitre.org/Report-1"
	xmlns:example="http://example.com"
	xmlns:incident="http://stix.mitre.org/Incident-1"
	xmlns:indicator="http://stix.mitre.org/Indicator-2"
	xmlns:ttp="http://stix.mitre.org/TTP-1"
	xmlns:ta="http://stix.mitre.org/ThreatActor-1"
	xmlns:stixCommon="http://stix.mitre.org/common-1"
	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
	http://cybox.mitre.org/common-2 http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd
	http://cybox.mitre.org/cybox-2 http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd
	http://cybox.mitre.org/default_vocabularies-2 http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd
	http://cybox.mitre.org/objects#AddressObject-2 http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd
	http://cybox.mitre.org/objects#DomainNameObject-1 http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd
	http://cybox.mitre.org/objects#EmailMessageObject-2 http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd
	http://cybox.mitre.org/objects#FileObject-2 http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd
	http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
	http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
	http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
	http://stix.mitre.org/ThreatActor-1 http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd
	http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
	http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2/stix_default_vocabularies.xsd
	http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-e622beb9-3781-4dd7-9787-ac21ba84d898" version="1.2">
    <stix:Indicators>
        <stix:Indicator id="example:indicator-d0d3c811-7b88-4e1d-88d4-db4de4f43155" timestamp="2014-07-25T18:16:44.547169+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
            <indicator:Title>Phishing email</indicator:Title>
            <indicator:Description>Malicious emails sent from actors</indicator:Description>
            <indicator:Observable id="example:Observable-71ebe55f-ee21-48b1-ae26-f9ef1e3c5900">
                <cybox:Object id="example:EmailMessage-80f11966-714a-4d38-8bbe-20fdf814c24d">
                    <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
                        <EmailMessageObj:Header>
                            <EmailMessageObj:Subject>IEEE Aerospace Conference 2014</EmailMessageObj:Subject>
                            <EmailMessageObj:Sender xsi:type="AddressObj:AddressObjectType" category="e-mail">
                                <AddressObj:Address_Value>invite@aeroconf2014.org</AddressObj:Address_Value>
                            </EmailMessageObj:Sender>
                        </EmailMessageObj:Header>
                    </cybox:Properties>
                </cybox:Object>
            </indicator:Observable>
            <indicator:Indicated_TTP>
                <stixCommon:TTP idref="example:ttp-ee5930f0-3798-4069-9aa6-f070f24896d5" xsi:type='ttp:TTPType' version="1.2"/>
            </indicator:Indicated_TTP>
            <indicator:Producer>
                <stixCommon:Identity id="example:Identity-15997768-142d-4043-b175-13b8fe1dba0f">
                    <stixCommon:Name>FireEye</stixCommon:Name>
                </stixCommon:Identity>
                <stixCommon:Time>
                    <cyboxCommon:Produced_Time>2014-05-15T00:00:00</cyboxCommon:Produced_Time>
                </stixCommon:Time>
            </indicator:Producer>
        </stix:Indicator>
        <stix:Indicator id="example:indicator-eb28ff69-edb1-4ab1-af6b-afe2708d4c80" timestamp="2014-07-25T18:16:44.547855+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
            <indicator:Title>Malware control server</indicator:Title>
            <indicator:Description>Malicious domains ond IP wned by actors</indicator:Description>
            <indicator:Observable id="example:Observable-fec4810d-faf1-4b29-97c1-71e8d292caf7">
                <cybox:Observable_Composition operator="AND">
                    <cybox:Observable id="example:Observable-d00b3bad-9110-4f98-8f68-f5bfc477bc3c">
                        <cybox:Object id="example:DomainName-a84a5824-c137-4372-bfb0-62dea60440b9">
                            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
                                <DomainNameObj:Value>yahoomail.com.co</DomainNameObj:Value>
                            </cybox:Properties>
                        </cybox:Object>
                    </cybox:Observable>
                    <cybox:Observable id="example:Observable-7443ae3e-cfee-4475-978d-89521364c63c">
                        <cybox:Object id="example:Address-322c3cf6-86e7-4523-9d89-cdcf4d22a747">
                            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                                <AddressObj:Address_Value condition="Equals">81.17.28.227</AddressObj:Address_Value>
                            </cybox:Properties>
                        </cybox:Object>
                    </cybox:Observable>
                </cybox:Observable_Composition>
            </indicator:Observable>
            <indicator:Indicated_TTP>
                <stixCommon:TTP idref="example:ttp-024e9919-abeb-4e7a-b517-e2c44eaee706" xsi:type='ttp:TTPType' version="1.2"/>
            </indicator:Indicated_TTP>
            <indicator:Producer>
                <stixCommon:Identity id="example:Identity-8981bfb9-d37e-4b20-a40f-2b670df93e46">
                    <stixCommon:Name>FireEye</stixCommon:Name>
                </stixCommon:Identity>
                <stixCommon:Time>
                    <cyboxCommon:Produced_Time>2013-11-28T00:00:00</cyboxCommon:Produced_Time>
                </stixCommon:Time>
            </indicator:Producer>
        </stix:Indicator>
        <stix:Indicator id="example:indicator-32834c23-cfca-484c-9eea-83bc09f84afa" timestamp="2014-07-25T18:16:44.548767+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
            <indicator:Title>Malware used by actors</indicator:Title>
            <indicator:Description>Remote access trojan "Stealer"</indicator:Description>
            <indicator:Observable id="example:Observable-bb13f29d-decc-43aa-a738-b462f80fe018">
                <cybox:Object id="example:File-42272456-6a3a-4177-8c79-ce6fef7f33fb">
                    <cybox:Properties xsi:type="FileObj:FileObjectType">
                        <FileObj:File_Name>IntelRS.exe</FileObj:File_Name>
                        <FileObj:File_Path>C:\Documents and Settings{USER}\Application Data\IntelRapidStart\AppTransferWiz.dll</FileObj:File_Path>
                        <FileObj:File_Extension>.exe</FileObj:File_Extension>
                        <FileObj:Hashes>
                            <cyboxCommon:Hash>
                                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                                <cyboxCommon:Simple_Hash_Value>6dc7cc33a3cdcfee6c4edb6c085b869d</cyboxCommon:Simple_Hash_Value>
                            </cyboxCommon:Hash>
                        </FileObj:Hashes>
                    </cybox:Properties>
                    <cybox:Related_Objects>
                        <cybox:Related_Object id="example:Address-27ff2534-0a4a-443c-9843-89b704f933cc">
                            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                                <AddressObj:Address_Value condition="Equals">81.17.28.227</AddressObj:Address_Value>
                            </cybox:Properties>
                            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Related_To</cybox:Relationship>
                        </cybox:Related_Object>
                    </cybox:Related_Objects>
                </cybox:Object>
            </indicator:Observable>
            <indicator:Producer>
                <stixCommon:Identity id="example:Identity-9ccb1c31-f661-4835-826a-09a0ded9bc11">
                    <stixCommon:Name>FireEye</stixCommon:Name>
                </stixCommon:Identity>
                <stixCommon:Time>
                    <cyboxCommon:Produced_Time>2014-05-15T00:00:00</cyboxCommon:Produced_Time>
                </stixCommon:Time>
            </indicator:Producer>
        </stix:Indicator>
    </stix:Indicators>
    <stix:TTPs>
        <stix:TTP id="example:ttp-ee5930f0-3798-4069-9aa6-f070f24896d5" timestamp="2014-07-25T18:16:44.546321+00:00" xsi:type='ttp:TTPType' version="1.2">
            <ttp:Title>Phishing Attempt</ttp:Title>
            <ttp:Description>Emails sent to targets</ttp:Description>
            <ttp:Intended_Effect timestamp="2014-07-25T18:16:44.546353+00:00">
                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Theft - Credential Theft</stixCommon:Value>
            </ttp:Intended_Effect>
        </stix:TTP>
        <stix:TTP id="example:ttp-024e9919-abeb-4e7a-b517-e2c44eaee706" timestamp="2014-07-25T18:16:44.546494+00:00" xsi:type='ttp:TTPType' version="1.2">
            <ttp:Title>Malware Implant</ttp:Title>
            <ttp:Description>Customized trojan written in .NET</ttp:Description>
            <ttp:Intended_Effect timestamp="2014-07-25T18:16:44.546519+00:00">
                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Account Takeover</stixCommon:Value>
            </ttp:Intended_Effect>
        </stix:TTP>
    </stix:TTPs>
    <stix:Threat_Actors>
        <stix:Threat_Actor id="example:threatactor-75255d39-a507-40dd-82f2-0a2c04aefce9" timestamp="2014-07-25T18:16:44.546660+00:00" xsi:type='ta:ThreatActorType' version="1.2">
            <ta:Title>Ajax Team</ta:Title>
            <ta:Description>Iranian intrusion team</ta:Description>
            <ta:Motivation timestamp="2014-07-25T18:16:44.546692+00:00">
                <stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Political</stixCommon:Value>
            </ta:Motivation>
            <ta:Motivation timestamp="2014-07-25T18:16:44.546721+00:00">
                <stixCommon:Value xsi:type="stixVocabs:MotivationVocab-1.1">Military</stixCommon:Value>
            </ta:Motivation>
            <ta:Sophistication timestamp="2014-07-25T18:16:44.546742+00:00">
                <stixCommon:Value xsi:type="stixVocabs:ThreatActorSophisticationVocab-1.0">Practitioner</stixCommon:Value>
            </ta:Sophistication>
            <ta:Intended_Effect timestamp="2014-07-25T18:16:44.546767+00:00">
                <stixCommon:Value xsi:type="stixVocabs:IntendedEffectVocab-1.0">Advantage - Political</stixCommon:Value>
            </ta:Intended_Effect>
            <ta:Observed_TTPs>
                <ta:Observed_TTP>
                    <stixCommon:TTP idref="example:ttp-ee5930f0-3798-4069-9aa6-f070f24896d5" xsi:type='ttp:TTPType'/>
                </ta:Observed_TTP>
                <ta:Observed_TTP>
                    <stixCommon:TTP idref="example:ttp-024e9919-abeb-4e7a-b517-e2c44eaee706" xsi:type='ttp:TTPType'/>
                </ta:Observed_TTP>
            </ta:Observed_TTPs>
            <ta:Confidence timestamp="2014-07-25T18:16:44.547007+00:00">
                <stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Medium</stixCommon:Value>
            </ta:Confidence>
        </stix:Threat_Actor>
    </stix:Threat_Actors>
		<stix:Reports>
				<stix:Report id="example:report-a23a316d-5cb1-4642-bd3e-fa0b250a8572" xsi:type="report:ReportType">
						<report:Header>
								<report:Title> FireEye Ajax/Saffron report</report:Title>
								<report:Intent xsi:type="stixVocabs:ReportIntentVocab-1.0">Threat Report</report:Intent>
								<report:Description>Indicators and background on a computer intrusion</report:Description>
								<report:Information_Source>
										<stixCommon:Time>
												<cyboxCommon:Produced_Time>2014-05-15T00:00:00</cyboxCommon:Produced_Time>
										</stixCommon:Time>
								</report:Information_Source>
						</report:Header>
				<report:Indicators>
						<report:Indicator idref="example:indicator-d0d3c811-7b88-4e1d-88d4-db4de4f43155" />
						<report:Indicator idref="example:indicator-eb28ff69-edb1-4ab1-af6b-afe2708d4c80" />
						<report:Indicator idref="example:indicator-32834c23-cfca-484c-9eea-83bc09f84afa" />
				</report:Indicators>
				<report:TTPs>
						<report:TTP idref="example:ttp-ee5930f0-3798-4069-9aa6-f070f24896d5" />
						<report:TTP idref="example:ttp-024e9919-abeb-4e7a-b517-e2c44eaee706" />
				</report:TTPs>
				<report:Threat_Actors>
						<report:Threat_Actor idref="example:threatactor-75255d39-a507-40dd-82f2-0a2c04aefce9" />
				</report:Threat_Actors>
				</stix:Report>
		</stix:Reports>
</stix:STIX_Package>