misp-circl-feed/feeds/circl/stix-2.1/5a23a972-e6a0-4a05-b505-4e8f02de0b81.json

{
"type": "bundle",
"id": "bundle--5a23a972-e6a0-4a05-b505-4e8f02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-04T03:00:40.000Z",
"modified": "2017-12-04T03:00:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a23a972-e6a0-4a05-b505-4e8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-04T03:00:40.000Z",
"modified": "2017-12-04T03:00:40.000Z",
"name": "OSINT - Tizi: Detecting and blocking socially engineered spyware on Android",
"published": "2017-12-28T13:26:58Z",
"object_refs": [
"observed-data--5a23af9f-e5a4-4eaf-9fe1-4bfc02de0b81",
"url--5a23af9f-e5a4-4eaf-9fe1-4bfc02de0b81",
"x-misp-attribute--5a23afb2-9518-4ef0-835c-44e202de0b81",
"x-misp-attribute--5a23d9ed-fd14-4993-975d-4ed602de0b81",
"x-misp-attribute--5a23d9ed-6a88-49ce-84a5-4ed602de0b81",
"x-misp-attribute--5a23d9ed-5898-41c8-b8b2-4ed602de0b81",
"vulnerability--5a23dba4-6458-4b0d-adc0-495702de0b81",
"vulnerability--5a23dba4-b19c-458e-8817-407302de0b81",
"vulnerability--5a23dba4-5848-459b-94fb-4db802de0b81",
"vulnerability--5a23dba4-3244-4e21-9716-4e3602de0b81",
"vulnerability--5a23dba4-b1a0-43f8-8b7f-4c5202de0b81",
"vulnerability--5a23dba4-e6c4-4fd5-8c05-47e902de0b81",
"vulnerability--5a23dba4-7cc8-4e32-a834-42b602de0b81",
"vulnerability--5a23dba4-b3e0-4500-917a-40d302de0b81",
"vulnerability--5a23dba4-9e68-471d-845e-490302de0b81",
"observed-data--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"file--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"artifact--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"indicator--5a23d49c-4b5c-4fee-b173-4b1d02de0b81",
"indicator--5a23d884-e6e0-4a9b-95ab-4b7802de0b81",
"indicator--5a23d8d8-2218-48a0-886b-46b602de0b81",
"indicator--5a23d916-cc6c-4ccb-a420-48a702de0b81",
"indicator--5a23d94e-5c80-47a5-a958-433a02de0b81",
"x-misp-object--5a23dabb-d6fc-4f37-8b83-4a4602de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:android=\"Tizi\"",
"ms-caro-malware:malware-platform=\"AndroidOS\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a23af9f-e5a4-4eaf-9fe1-4bfc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T09:49:35.000Z",
"modified": "2017-12-03T09:49:35.000Z",
"first_observed": "2017-12-03T09:49:35Z",
"last_observed": "2017-12-03T09:49:35Z",
"number_observed": 1,
"object_refs": [
"url--5a23af9f-e5a4-4eaf-9fe1-4bfc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"manual-analysis\"",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"100\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a23af9f-e5a4-4eaf-9fe1-4bfc02de0b81",
"value": "https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a23afb2-9518-4ef0-835c-44e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T09:49:34.000Z",
"modified": "2017-12-03T09:49:34.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"manual-analysis\"",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"100\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Google is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on a small number of devices to achieve a certain goal. This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania. We'll talk about how the Google Play Protect and Threat Analysis teams worked together to detect and investigate Tizi-infected apps and remove and block them from Android devices."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a23d9ed-fd14-4993-975d-4ed602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:03:09.000Z",
"modified": "2017-12-03T11:03:09.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-location",
"x_misp_value": "Kenya"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a23d9ed-6a88-49ce-84a5-4ed602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:03:09.000Z",
"modified": "2017-12-03T11:03:09.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-location",
"x_misp_value": "Nigeria"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a23d9ed-5898-41c8-b8b2-4ed602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:03:09.000Z",
"modified": "2017-12-03T11:03:09.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-location",
"x_misp_value": "Tanzania"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-6458-4b0d-adc0-495702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2012-4220",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2012-4220"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-b19c-458e-8817-407302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2013-2596",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-2596"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-5848-459b-94fb-4db802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2013-2597",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-2597"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-3244-4e21-9716-4e3602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2013-2595",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-2595"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-b1a0-43f8-8b7f-4c5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2013-2094",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-2094"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-e6c4-4fd5-8c05-47e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2013-6282",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-6282"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-7cc8-4e32-a834-42b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2014-3153",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2014-3153"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-b3e0-4500-917a-40d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2015-3636",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-3636"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5a23dba4-9e68-471d-845e-490302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:10:28.000Z",
"modified": "2017-12-03T11:10:28.000Z",
"name": "CVE-2015-1805",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-1805"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:15:20.000Z",
"modified": "2017-12-03T11:15:20.000Z",
"first_observed": "2017-12-03T11:15:20Z",
"last_observed": "2017-12-03T11:15:20Z",
"number_observed": 1,
"object_refs": [
"file--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"artifact--5a23dcc8-dbbc-440d-8330-4ed402de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"name": "tizi1.png",
"content_ref": "artifact--5a23dcc8-dbbc-440d-8330-4ed402de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5a23dcc8-dbbc-440d-8330-4ed402de0b81",
"payload_bin": "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"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a23d49c-4b5c-4fee-b173-4b1d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T10:41:30.000Z",
"modified": "2017-12-03T10:41:30.000Z",
"pattern": "[file:hashes.SHA256 = '4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7' AND file:name = 'com.press.nasa.com.tanofresh' AND file:x_misp_certificate = '816bbee3cab5eed00b8bd16df56032a96e243201' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-03T10:41:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a23d884-e6e0-4a9b-95ab-4b7802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T10:57:08.000Z",
"modified": "2017-12-03T10:57:08.000Z",
"description": "To encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.",
"pattern": "[file:hashes.SHA256 = '7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f' AND file:name = 'com.dailyworkout.tizi' AND file:x_misp_certificate = '404b4d1a7176e219eaa457b0050b4081c22a9a1a' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-03T10:57:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a23d8d8-2218-48a0-886b-46b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T10:58:32.000Z",
"modified": "2017-12-03T10:58:32.000Z",
"description": "To encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.",
"pattern": "[file:hashes.SHA256 = '7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e' AND file:name = 'com.system.update.systemupdate' AND file:x_misp_certificate = '4d2962ac1f6551435709a5a874595d855b1fa8ab' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-03T10:58:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a23d916-cc6c-4ccb-a420-48a702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T10:59:34.000Z",
"modified": "2017-12-03T10:59:34.000Z",
"description": "To encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.",
"pattern": "[file:hashes.SHA256 = 'f2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6a' AND file:name = 'run_root_shell' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-03T10:59:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a23d94e-5c80-47a5-a958-433a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:01:02.000Z",
"modified": "2017-12-03T11:01:02.000Z",
"pattern": "[file:hashes.SHA256 = '4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3' AND file:name = 'iovyroot' AND file:x_misp_text = 'To encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-03T11:01:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5a23dabb-d6fc-4f37-8b83-4a4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-03T11:06:35.000Z",
"modified": "2017-12-03T11:06:35.000Z",
"labels": [
"misp:name=\"victim\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "classification",
"value": "class",
"category": "Other",
"uuid": "5a23dabb-3ae0-4721-b1d8-468f02de0b81"
},
{
"type": "text",
"object_relation": "name",
"value": "Kenya, Nigeria, and Tanzania",
"category": "Other",
"uuid": "5a23dabb-54fc-410f-b964-40f502de0b81"
},
{
"type": "text",
"object_relation": "description",
"value": "This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania.",
"category": "Other",
"uuid": "5a23dabb-2120-472b-a09b-4bb902de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "victim"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}