misp-circl-feed/feeds/circl/stix-2.1/584003cf-ec58-48c8-933e-4172950d210f.json

992 lines
43 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--584003cf-ec58-48c8-933e-4172950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:47.000Z",
"modified": "2016-12-01T11:09:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--584003cf-ec58-48c8-933e-4172950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:47.000Z",
"modified": "2016-12-01T11:09:47.000Z",
"name": "OSINT - New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer",
"published": "2016-12-01T11:11:32Z",
"object_refs": [
"x-misp-attribute--58400425-0490-4bb9-80ec-4454950d210f",
"observed-data--58400436-13f4-4c54-a3fd-d943950d210f",
"url--58400436-13f4-4c54-a3fd-d943950d210f",
"indicator--58400454-171c-4465-99be-b82a950d210f",
"indicator--58400454-b7a0-49df-890f-b82a950d210f",
"indicator--58400454-b8d8-4f88-8f62-b82a950d210f",
"indicator--5840046f-4aa8-4a52-ad8b-4249950d210f",
"indicator--5840046f-a8c0-41dd-83c4-4624950d210f",
"indicator--5840046f-d7ec-4fda-88d0-4874950d210f",
"indicator--5840046f-c7f0-4ce6-9afe-41e9950d210f",
"indicator--58400470-d4b0-48fd-b9ac-4c67950d210f",
"indicator--58400470-6ad8-424f-94dc-4d60950d210f",
"indicator--58400470-7a78-4a71-a237-4b31950d210f",
"indicator--58400470-a5ac-49fc-84f5-4a4b950d210f",
"indicator--58400471-870c-4b6c-bf7e-4015950d210f",
"indicator--58400471-28ac-4d9f-8281-4b52950d210f",
"indicator--58400471-90f4-42ea-ad64-4cca950d210f",
"indicator--58400471-7f5c-4863-be26-44d2950d210f",
"indicator--58400472-36dc-4b9e-abba-4cc2950d210f",
"indicator--58400472-bcc4-4701-aa67-4f13950d210f",
"indicator--58400472-46c0-440d-aeb7-4704950d210f",
"x-misp-attribute--5840049a-e6b4-4da7-a071-4666950d210f",
"x-misp-attribute--5840049b-b858-4d3b-8819-472e950d210f",
"x-misp-attribute--5840049b-1fc4-4e76-9646-46c6950d210f",
"x-misp-attribute--5840049b-de64-49e2-bc68-44f1950d210f",
"x-misp-attribute--5840049b-23ec-4710-abf4-4839950d210f",
"x-misp-attribute--5840049c-dc4c-4899-ac27-4188950d210f",
"x-misp-attribute--5840049c-71e0-49ab-9a17-4620950d210f",
"x-misp-attribute--5840049c-5dac-488e-b24b-457d950d210f",
"x-misp-attribute--5840049c-7e84-45a0-b8ce-44e0950d210f",
"x-misp-attribute--5840049c-7538-414b-b391-46e2950d210f",
"x-misp-attribute--5840049d-5230-4978-9ca6-47f7950d210f",
"x-misp-attribute--5840049d-6af8-4467-b9f8-4644950d210f",
"x-misp-attribute--5840049d-da18-4052-93ad-41bb950d210f",
"x-misp-attribute--5840049d-43b8-4505-9f90-49c1950d210f",
"indicator--584004fc-10f8-4b8e-9b38-b82a02de0b81",
"indicator--584004fc-6104-4404-9c1e-b82a02de0b81",
"observed-data--584004fc-4cbc-4e76-8ada-b82a02de0b81",
"url--584004fc-4cbc-4e76-8ada-b82a02de0b81",
"indicator--584004fc-34b8-4fb4-954a-b82a02de0b81",
"indicator--584004fd-b944-4e04-b745-b82a02de0b81",
"observed-data--584004fd-77dc-4fa8-9503-b82a02de0b81",
"url--584004fd-77dc-4fa8-9503-b82a02de0b81",
"indicator--584004fd-5b30-4ca5-a993-b82a02de0b81",
"indicator--584004fd-4e08-4c7c-bb7e-b82a02de0b81",
"observed-data--584004fe-0ab4-4dd9-8b6f-b82a02de0b81",
"url--584004fe-0ab4-4dd9-8b6f-b82a02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"enisa:nefarious-activity-abuse=\"mobile-malware\"",
"circl:topic=\"finance\"",
"estimative-language:likelihood-probability=\"very-likely\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58400425-0490-4bb9-80ec-4454950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:06:13.000Z",
"modified": "2016-12-01T11:06:13.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_type": "comment",
"x_misp_value": "In January of 2016, we found various \u00e2\u20ac\u0153SmsSecurity\u00e2\u20ac\u009d mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user\u00e2\u20ac\u2122s device.\r\n\r\nSince then, we\u00e2\u20ac\u2122ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58400436-13f4-4c54-a3fd-d943950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:06:30.000Z",
"modified": "2016-12-01T11:06:30.000Z",
"first_observed": "2016-12-01T11:06:30Z",
"last_observed": "2016-12-01T11:06:30Z",
"number_observed": 1,
"object_refs": [
"url--58400436-13f4-4c54-a3fd-d943950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58400436-13f4-4c54-a3fd-d943950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/new-smssecurity-variant-roots-phones-abuses-accessibility-features-teamviewer"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400454-171c-4465-99be-b82a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:00.000Z",
"modified": "2016-12-01T11:07:00.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA",
"pattern": "[file:hashes.SHA1 = '323bf07667bf9d65055f80a15a90508e99e05632']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400454-b7a0-49df-890f-b82a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:00.000Z",
"modified": "2016-12-01T11:07:00.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA",
"pattern": "[file:hashes.SHA1 = 'd84353986ee05ac61308063271ade3f8f2876ef9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400454-b8d8-4f88-8f62-b82a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:00.000Z",
"modified": "2016-12-01T11:07:00.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA",
"pattern": "[file:hashes.SHA1 = '8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5840046f-4aa8-4a52-ad8b-4249950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:27.000Z",
"modified": "2016-12-01T11:07:27.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://clubk-ginza.net/css/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5840046f-a8c0-41dd-83c4-4624950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:27.000Z",
"modified": "2016-12-01T11:07:27.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://edda-mally.at/css/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5840046f-d7ec-4fda-88d0-4874950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:27.000Z",
"modified": "2016-12-01T11:07:27.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://gruposoluciomatica.com.br/os3/inc/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5840046f-c7f0-4ce6-9afe-41e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:27.000Z",
"modified": "2016-12-01T11:07:27.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://izmirsatranckursu.net/includes/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400470-d4b0-48fd-b9ac-4c67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:28.000Z",
"modified": "2016-12-01T11:07:28.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://jbrianwashman.com/images/photo26962/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400470-6ad8-424f-94dc-4d60950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:28.000Z",
"modified": "2016-12-01T11:07:28.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://losbalonazos.com/wp-admin/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400470-7a78-4a71-a237-4b31950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:28.000Z",
"modified": "2016-12-01T11:07:28.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://moseybook.com/blog/wp-includes/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400470-a5ac-49fc-84f5-4a4b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:28.000Z",
"modified": "2016-12-01T11:07:28.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://naritamemorial.com/analog/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400471-870c-4b6c-bf7e-4015950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:29.000Z",
"modified": "2016-12-01T11:07:29.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://pplweb.pplmotorhomes.com/includes/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400471-28ac-4d9f-8281-4b52950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:29.000Z",
"modified": "2016-12-01T11:07:29.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://sedalbi.com/img/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400471-90f4-42ea-ad64-4cca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:29.000Z",
"modified": "2016-12-01T11:07:29.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://szaivert-numis.at/standardbilder/dll/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400471-7f5c-4863-be26-44d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:29.000Z",
"modified": "2016-12-01T11:07:29.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://www.ircvenezia.it/free/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400472-36dc-4b9e-abba-4cc2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:30.000Z",
"modified": "2016-12-01T11:07:30.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://www.oguhtell.ch/cart/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400472-bcc4-4701-aa67-4f13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:30.000Z",
"modified": "2016-12-01T11:07:30.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://www.santamariagorettimestre.it/img/main.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58400472-46c0-440d-aeb7-4704950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:07:30.000Z",
"modified": "2016-12-01T11:07:30.000Z",
"description": "The following command-and-control (C&C) servers were used by variants",
"pattern": "[url:value = 'http://www.vanca.com/media/3.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:07:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049a-e6b4-4da7-a071-4666950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:10.000Z",
"modified": "2016-12-01T11:08:10.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Aargauische Kantonalbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049b-b858-4d3b-8819-472e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:11.000Z",
"modified": "2016-12-01T11:08:11.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Bank Austria"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049b-1fc4-4e76-9646-46c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:11.000Z",
"modified": "2016-12-01T11:08:11.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Banque Cantonale de Fribourg"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049b-de64-49e2-bc68-44f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:11.000Z",
"modified": "2016-12-01T11:08:11.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "BKB Bank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049b-23ec-4710-abf4-4839950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:11.000Z",
"modified": "2016-12-01T11:08:11.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Credit Suisse"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049c-dc4c-4899-ac27-4188950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:12.000Z",
"modified": "2016-12-01T11:08:12.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Glarner Kantonalbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049c-71e0-49ab-9a17-4620950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:12.000Z",
"modified": "2016-12-01T11:08:12.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Luzerner Kantonalbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049c-5dac-488e-b24b-457d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:12.000Z",
"modified": "2016-12-01T11:08:12.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Ober Bank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049c-7e84-45a0-b8ce-44e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:12.000Z",
"modified": "2016-12-01T11:08:12.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Obwaldner Kantonalbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049c-7538-414b-b391-46e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:12.000Z",
"modified": "2016-12-01T11:08:12.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Raiffeisen Bank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049d-5230-4978-9ca6-47f7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:13.000Z",
"modified": "2016-12-01T11:08:13.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Schaffhauser Kantonalbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049d-6af8-4467-b9f8-4644950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:13.000Z",
"modified": "2016-12-01T11:08:13.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Sparkasse"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049d-da18-4052-93ad-41bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:13.000Z",
"modified": "2016-12-01T11:08:13.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Volksbank"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5840049d-43b8-4505-9f90-49c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:08:13.000Z",
"modified": "2016-12-01T11:08:13.000Z",
"labels": [
"misp:type=\"target-org\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_type": "target-org",
"x_misp_value": "Z\u00c3\u00bcrcher Kantonalbank"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fc-10f8-4b8e-9b38-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:48.000Z",
"modified": "2016-12-01T11:09:48.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae",
"pattern": "[file:hashes.SHA256 = '448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fc-6104-4404-9c1e-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:48.000Z",
"modified": "2016-12-01T11:09:48.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae",
"pattern": "[file:hashes.MD5 = '032f7b1e11010a0d9abb6bcfd805e31a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584004fc-4cbc-4e76-8ada-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:48.000Z",
"modified": "2016-12-01T11:09:48.000Z",
"first_observed": "2016-12-01T11:09:48Z",
"last_observed": "2016-12-01T11:09:48Z",
"number_observed": 1,
"object_refs": [
"url--584004fc-4cbc-4e76-8ada-b82a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584004fc-4cbc-4e76-8ada-b82a02de0b81",
"value": "https://www.virustotal.com/file/448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186/analysis/1471948127/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fc-34b8-4fb4-954a-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:48.000Z",
"modified": "2016-12-01T11:09:48.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9",
"pattern": "[file:hashes.SHA256 = '839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fd-b944-4e04-b745-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:49.000Z",
"modified": "2016-12-01T11:09:49.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9",
"pattern": "[file:hashes.MD5 = 'eea6183fa2dda392976d318b7123bf36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584004fd-77dc-4fa8-9503-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:49.000Z",
"modified": "2016-12-01T11:09:49.000Z",
"first_observed": "2016-12-01T11:09:49Z",
"last_observed": "2016-12-01T11:09:49Z",
"number_observed": 1,
"object_refs": [
"url--584004fd-77dc-4fa8-9503-b82a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584004fd-77dc-4fa8-9503-b82a02de0b81",
"value": "https://www.virustotal.com/file/839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80/analysis/1473457620/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fd-5b30-4ca5-a993-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:49.000Z",
"modified": "2016-12-01T11:09:49.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632",
"pattern": "[file:hashes.SHA256 = '3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584004fd-4e08-4c7c-bb7e-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:49.000Z",
"modified": "2016-12-01T11:09:49.000Z",
"description": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632",
"pattern": "[file:hashes.MD5 = 'c89dd35061a5500a0e9db4b1d5ad1326']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-01T11:09:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584004fe-0ab4-4dd9-8b6f-b82a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-01T11:09:50.000Z",
"modified": "2016-12-01T11:09:50.000Z",
"first_observed": "2016-12-01T11:09:50Z",
"last_observed": "2016-12-01T11:09:50Z",
"number_observed": 1,
"object_refs": [
"url--584004fe-0ab4-4dd9-8b6f-b82a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584004fe-0ab4-4dd9-8b6f-b82a02de0b81",
"value": "https://www.virustotal.com/file/3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5/analysis/1473459659/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}