{
"Event" : {
"analysis" : "2" ,
"date" : "2017-12-03" ,
"extends_uuid" : "" ,
"info" : "OSINT - Android Malware Appears Linked to Lazarus Cybercrime Group" ,
"publish_timestamp" : "1512310272" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1512310223" ,
"uuid" : "5a24041c-d7c8-4dc1-b0ed-45f702de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#13eb00" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Lazarus Group\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#5f0077" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-platform=\"AndroidOS\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310035" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a240429-4354-43b6-8940-4e4e02de0b81" ,
"value" : "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#007ed9" ,
"local" : "0" ,
"name" : "osint:certainty=\"93\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310035" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a24043e-7338-4ea0-99e0-401e02de0b81" ,
"value" : "The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)\r\n\r\nThe malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#007ed9" ,
"local" : "0" ,
"name" : "osint:certainty=\"93\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-534c-44f0-aaa0-485602de0b81" ,
"value" : "110.45.145.103"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-ff18-49dd-99e9-4bd502de0b81" ,
"value" : "114.215.130.173"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-d7f4-4beb-a63b-44cc02de0b81" ,
"value" : "119.29.11.203"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-16e8-46a5-96c3-455c02de0b81" ,
"value" : "124.248.228.30"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-5c80-44fc-8b58-4b5e02de0b81" ,
"value" : "139.196.55.146"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-87ec-4dfe-b2f3-4df202de0b81" ,
"value" : "14.139.200.107"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-6664-45b5-a902-461302de0b81" ,
"value" : "175.100.189.174"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-a980-40d3-84ec-432602de0b81" ,
"value" : "181.119.19.100"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-75dc-40a5-96f5-498d02de0b81" ,
"value" : "197.211.212.31"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-9f38-4e74-a2e0-4c1002de0b81" ,
"value" : "199.180.148.134"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-6b38-4ece-af7c-4a9502de0b81" ,
"value" : "217.117.4.110"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5a240487-dc90-46ed-a6fa-47b102de0b81" ,
"value" : "61.106.2.96"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5a2404de-10ec-4843-a865-428c02de0b81" ,
"value" : "mail.wavenet.com.ar"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5a2404de-bf84-4257-be7e-4e8302de0b81" ,
"value" : "vmware-probe.zol.co.zw"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5a2404de-a8f4-4bcd-8bc7-44f202de0b81" ,
"value" : "wtps.org"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a2404ef-1f38-47de-a5c5-4b0c02de0b81" ,
"value" : "24f61120946ddac5e1d15cd64c48b7e6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a2404ef-bb48-4ffe-8860-471502de0b81" ,
"value" : "8b98bdf2c6a299e1fed217889af54845"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a2404ef-338c-42d5-af7e-45ad02de0b81" ,
"value" : "9ce9a0b3876aacbf0e8023c97fd0a21d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: 24f61120946ddac5e1d15cd64c48b7e6" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a240514-e3dc-4f24-bf92-4bfa02de0b81" ,
"value" : "800f9ffd063dd2526a4a43b7370a8b04fbb9ffeff9c578aa644c44947d367266"
} ,
{
"category" : "Payload delivery" ,
"comment" : "- Xchecked via VT: 24f61120946ddac5e1d15cd64c48b7e6" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a240514-6284-4d76-8aa6-46d302de0b81" ,
"value" : "903e3421a8cec914a41e851a31bd5a385f8d95b1"
} ,
{
"category" : "External analysis" ,
"comment" : "- Xchecked via VT: 24f61120946ddac5e1d15cd64c48b7e6" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310036" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a240514-a630-4963-af31-4add02de0b81" ,
"value" : "https://www.virustotal.com/file/800f9ffd063dd2526a4a43b7370a8b04fbb9ffeff9c578aa644c44947d367266/analysis/1511337265/"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310116" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a240564-a824-4c62-95b4-43ac02de0b81" ,
"value" : "/data/system/dnscd.db"
} ,
{
"category" : "External analysis" ,
"comment" : "An overview of the malware\u2019s operation." ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B Y c A A A Q a C A Y A A A F v A P d Q A A A A A X N S R 0 I A r s 4 c 6 Q A A A A R n Q U 1 B A A C x j w v 8 Y Q U A A A A J c E h Z c w A A F x E A A B c R A c o m 8 z 8 A A P + l S U R B V H h e 7 N 0 L l B R V m i 96 H 8 w M b d P d n G n p w / T Q M 65 z n R 7 m 4 s x 41 j j n e M 6 i B + c u + y z m N C o q K A I q K q 0 o i I y i g q I o t N J K C y q 2 i I i o t K K C o j x E E e R R 8 g a L 96 u Q 4 l 1 g o Q g F F F B A 3 P r v 2 l + y K y o y K y M z I n J H x v + 31 l 4 Z s S M y M j N y 55 d f R u 7 Y c Y 5 D F H N s x B R 7 b M Q U e 2 z E F H t s x B R 7 b M Q U e 2 z E F H t s x B R 7 b M Q U e 2 z E F H v W N u L u 3 b v r q b N O n T q l p 4 j O i l U j P u c c f n F Q Q 7 F q x M C G T G 7 W t g g 0 1 i V L l j h d u 3 Z V D V r m 2 Y j J z e p G X F F R 4 f y X 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1512310223" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5a2405b7-b2e8-47ac-899f-495c02de0b81" ,
"value" : "20171114-ELF-2.png" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
}
]
}
}