307 lines
14 KiB
JSON
307 lines
14 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--593e542e-e080-464e-af5a-4c2a950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:49:22.000Z",
|
||
|
"modified": "2017-06-12T08:49:22.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--593e542e-e080-464e-af5a-4c2a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:49:22.000Z",
|
||
|
"modified": "2017-06-12T08:49:22.000Z",
|
||
|
"name": "OSINT - Dvmap: the first Android malware with code injection",
|
||
|
"published": "2017-06-12T08:50:01Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--593e543b-8b70-4cdd-9377-4c91950d210f",
|
||
|
"url--593e543b-8b70-4cdd-9377-4c91950d210f",
|
||
|
"x-misp-attribute--593e544d-3dcc-48b1-bca2-4bd7950d210f",
|
||
|
"indicator--593e54a9-dc78-4bf1-abc2-4c92950d210f",
|
||
|
"indicator--593e54a9-61d8-4713-86e2-4c65950d210f",
|
||
|
"x-misp-attribute--593e553d-878c-4be0-b8ec-46b1950d210f",
|
||
|
"indicator--593e5562-43ec-4dee-a683-409402de0b81",
|
||
|
"indicator--593e5563-8e00-4990-84d5-4e3602de0b81",
|
||
|
"observed-data--593e5563-6840-482e-bb70-4e0b02de0b81",
|
||
|
"url--593e5563-6840-482e-bb70-4e0b02de0b81",
|
||
|
"indicator--593e5564-04a0-4cfe-9dbe-46ff02de0b81",
|
||
|
"indicator--593e5564-15a8-4d4a-9578-4e0702de0b81",
|
||
|
"observed-data--593e5564-1bd0-41ef-bdc4-4b0802de0b81",
|
||
|
"url--593e5564-1bd0-41ef-bdc4-4b0802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"ms-caro-malware:malware-platform=\"AndroidOS\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--593e543b-8b70-4cdd-9377-4c91950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:32.000Z",
|
||
|
"modified": "2017-06-12T08:48:32.000Z",
|
||
|
"first_observed": "2017-06-12T08:48:32Z",
|
||
|
"last_observed": "2017-06-12T08:48:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--593e543b-8b70-4cdd-9377-4c91950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--593e543b-8b70-4cdd-9377-4c91950d210f",
|
||
|
"value": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--593e544d-3dcc-48b1-bca2-4bd7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:32.000Z",
|
||
|
"modified": "2017-06-12T08:48:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.\r\n\r\nThe distribution of rooting malware through Google Play is not a new thing. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is very special rooting malware. It uses a variety of new techniques, but the most interesting thing is that it injects malicious code into the system libraries \u00e2\u20ac\u201c libdmv.so or libandroid_runtime.so.\r\n\r\nThis makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e54a9-dc78-4bf1-abc2-4c92950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:32.000Z",
|
||
|
"modified": "2017-06-12T08:48:32.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '43680d1914f28e14c90436e1d42984e2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e54a9-61d8-4713-86e2-4c65950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:32.000Z",
|
||
|
"modified": "2017-06-12T08:48:32.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '20d4b9eb9377c499917c4d69bf4ccebe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--593e553d-878c-4be0-b8ec-46b1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:32.000Z",
|
||
|
"modified": "2017-06-12T08:48:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Trojan.AndroidOS.Dvmap.a"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e5562-43ec-4dee-a683-409402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:34.000Z",
|
||
|
"modified": "2017-06-12T08:48:34.000Z",
|
||
|
"description": "- Xchecked via VT: 43680d1914f28e14c90436e1d42984e2",
|
||
|
"pattern": "[file:hashes.SHA256 = '92f8bcd9e62047b380c76afe772ab0fe12ced53b9702d08c37e98424dbb590ae']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e5563-8e00-4990-84d5-4e3602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:35.000Z",
|
||
|
"modified": "2017-06-12T08:48:35.000Z",
|
||
|
"description": "- Xchecked via VT: 43680d1914f28e14c90436e1d42984e2",
|
||
|
"pattern": "[file:hashes.SHA1 = '05b0513cb53b0c5ee4ed55ce68cd694e676d4d2b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--593e5563-6840-482e-bb70-4e0b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:35.000Z",
|
||
|
"modified": "2017-06-12T08:48:35.000Z",
|
||
|
"first_observed": "2017-06-12T08:48:35Z",
|
||
|
"last_observed": "2017-06-12T08:48:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--593e5563-6840-482e-bb70-4e0b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--593e5563-6840-482e-bb70-4e0b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/92f8bcd9e62047b380c76afe772ab0fe12ced53b9702d08c37e98424dbb590ae/analysis/1497023362/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e5564-04a0-4cfe-9dbe-46ff02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:36.000Z",
|
||
|
"modified": "2017-06-12T08:48:36.000Z",
|
||
|
"description": "- Xchecked via VT: 20d4b9eb9377c499917c4d69bf4ccebe",
|
||
|
"pattern": "[file:hashes.SHA256 = '183e069c563bd16219c205f7aa1d64fc7cb93c8205adf8de77c50367d56dfc2b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--593e5564-15a8-4d4a-9578-4e0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:36.000Z",
|
||
|
"modified": "2017-06-12T08:48:36.000Z",
|
||
|
"description": "- Xchecked via VT: 20d4b9eb9377c499917c4d69bf4ccebe",
|
||
|
"pattern": "[file:hashes.SHA1 = '7eaed59d6a166bc3ec8ce19a27eeb3d5e9c5802c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-06-12T08:48:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--593e5564-1bd0-41ef-bdc4-4b0802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-06-12T08:48:36.000Z",
|
||
|
"modified": "2017-06-12T08:48:36.000Z",
|
||
|
"first_observed": "2017-06-12T08:48:36Z",
|
||
|
"last_observed": "2017-06-12T08:48:36Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--593e5564-1bd0-41ef-bdc4-4b0802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--593e5564-1bd0-41ef-bdc4-4b0802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/183e069c563bd16219c205f7aa1d64fc7cb93c8205adf8de77c50367d56dfc2b/analysis/1497040044/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|