{
"Event": {
"analysis": "0",
"date": "2019-06-12",
"extends_uuid": "",
"info": "OSINT - Trojan downloader found on Google Play by @Maler360",
"publish_timestamp": "1566554388",
"published": true,
"threat_level_id": "3",
"timestamp": "1566554377",
"uuid": "5d01fda4-353c-4011-854f-459c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#500064",
"name": "ms-caro-malware:malware-type=\"Trojan\""
},
{
"colour": "#00183c",
"name": "ms-caro-malware-full:malware-type=\"Trojan\""
},
{
"colour": "#004f4f",
"name": "ecsirt:malicious-code=\"trojan\""
},
{
"colour": "#5a0041",
"name": "CERT-XLM:malicious-code=\"trojan-malware\""
},
{
"colour": "#284800",
"name": "malware_classification:malware-category=\"Trojan\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "6",
"timestamp": "1560416338",
"uuid": "5d021052-19e0-4c1a-9f4e-4beb950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1560416338",
"to_ids": false,
"type": "text",
"uuid": "5d021052-eaa4-46aa-834d-47e0950d210f",
"value": "Trojan downloader found on Google Play by @Maler360\r\n\r\n\r\n-once launched, hides itself icon\r\n-downloads additional app over HTTP\r\n-makes user install it\r\n-second app can then download additional apps & make user install them as \"Update Alert\" + display ads\r\n-100,000+ installs\r\n-reported"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1560416339",
"to_ids": false,
"type": "text",
"uuid": "5d021053-7740-497d-b628-4080950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1560416339",
"to_ids": true,
"type": "url",
"uuid": "5d021053-c424-4754-a928-4d60950d210f",
"value": "https://mobile.twitter.com/LukasStefanko/status/1138764352411131905"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username-quoted",
"timestamp": "1560416339",
"to_ids": false,
"type": "text",
"uuid": "5d021053-5310-4d89-9100-4cc4950d210f",
"value": "@Maler360"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1560416339",
"to_ids": false,
"type": "text",
"uuid": "5d021053-f308-4168-8167-4f9a950d210f",
"value": "LukasStefanko"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "creation-date",
"timestamp": "1560416339",
"to_ids": false,
"type": "datetime",
"uuid": "5d021053-5a70-46c7-938e-47dc950d210f",
"value": "2019-06-12T13:05:00"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1560416558",
"uuid": "5d02112e-2e34-48ce-9cc6-42aa950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1560416558",
"to_ids": true,
"type": "filename",
"uuid": "5d02112e-20ac-452a-903b-43f1950d210f",
"value": "com.pippa.amazingmonstercar"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1560416568",
"to_ids": true,
"type": "md5",
"uuid": "5d021138-4ab8-49a2-b718-4513950d210f",
"value": "6d48cf90e0af21da5e516f0009efcc7f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1560416709",
"uuid": "5d0211c5-e644-494f-9fb6-4475950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1560416710",
"to_ids": true,
"type": "filename",
"uuid": "5d0211c6-7fb4-451f-ac91-4cb8950d210f",
"value": "nightdescent.apk"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1560416713",
"to_ids": true,
"type": "md5",
"uuid": "5d0211c9-beec-436e-98b8-4be8950d210f",
"value": "f64cbd33651a99b08a9168607a2374d1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1566554363",
"uuid": "1aff6893-393f-4b72-ac4d-9e083901d021",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1aff6893-393f-4b72-ac4d-9e083901d021",
"referenced_uuid": "97e74bae-c5ce-4338-8ccc-42d85a523d67",
"relationship_type": "analysed-with",
"timestamp": "1566554365",
"uuid": "5d5fb8fd-f340-4de1-9dc9-4168950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1560416713",
"to_ids": true,
"type": "md5",
"uuid": "b32c0591-6c4a-4ed8-a915-35eba5cb1fac",
"value": "f64cbd33651a99b08a9168607a2374d1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1560416713",
"to_ids": true,
"type": "sha1",
"uuid": "a5d88c4e-b23b-4185-9c52-3e15f613d37a",
"value": "a16bb93ee35e7636e4f824010ddbba975a7db5ed"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1560416713",
"to_ids": true,
"type": "sha256",
"uuid": "6373314d-4122-4da7-9e1f-1207fef3b124",
"value": "3055fc207f21d4140249a3eb3efcdea047dfe005a4c23388ab917ffe3a8515d7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1566554363",
"uuid": "97e74bae-c5ce-4338-8ccc-42d85a523d67",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1560416713",
"to_ids": false,
"type": "datetime",
"uuid": "230977f5-f6de-4656-b687-80da6fea7b01",
"value": "2019-06-30T19:04:50"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1560416713",
"to_ids": false,
"type": "link",
"uuid": "cace9e83-b407-4f5f-8650-67b59112656b",
"value": "https://www.virustotal.com/file/3055fc207f21d4140249a3eb3efcdea047dfe005a4c23388ab917ffe3a8515d7/analysis/1561921490/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1560416713",
"to_ids": false,
"type": "text",
"uuid": "7f114609-9d79-47f5-a3f9-1ab3d9abd96f",
"value": "24/61"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1566554364",
"uuid": "43258e1d-e7f7-4d86-81e2-be8ea5699a06",
"ObjectReference": [
{
"comment": "",
"object_uuid": "43258e1d-e7f7-4d86-81e2-be8ea5699a06",
"referenced_uuid": "e77b5597-90c3-4499-8562-25ffbea00286",
"relationship_type": "analysed-with",
"timestamp": "1566554365",
"uuid": "5d5fb8fd-e214-4ed1-ab14-4dca950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1560416568",
"to_ids": true,
"type": "md5",
"uuid": "878fd93b-27bf-49e3-a7db-04083ed645d8",
"value": "6d48cf90e0af21da5e516f0009efcc7f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1560416568",
"to_ids": true,
"type": "sha1",
"uuid": "f6772f0b-7182-4768-b096-109a2d023768",
"value": "83dbf7f9097aa314c64d1ed50a7a112ca87ed38d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1560416568",
"to_ids": true,
"type": "sha256",
"uuid": "c95bcce1-789d-4e80-a880-d839f1b2d3d4",
"value": "32c3c1732d8a5b299045ef44f9165d2710d098fc402358aa09ad07fcfd05db1c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1566554364",
"uuid": "e77b5597-90c3-4499-8562-25ffbea00286",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1560416568",
"to_ids": false,
"type": "datetime",
"uuid": "bd891f80-8e4c-4dc6-801a-dc838de32a1a",
"value": "2019-06-30T19:04:34"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1560416568",
"to_ids": false,
"type": "link",
"uuid": "24a845de-e030-41f1-893e-d0b69cdfb811",
"value": "https://www.virustotal.com/file/32c3c1732d8a5b299045ef44f9165d2710d098fc402358aa09ad07fcfd05db1c/analysis/1561921474/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1560416568",
"to_ids": false,
"type": "text",
"uuid": "55169594-dc67-4c52-8b57-5b134a3fdd8e",
"value": "16/60"
}
]
}
]
}
}