2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-12-14 14:30:15 +00:00
|
|
|
"Event": {
|
|
|
|
"analysis": "2",
|
|
|
|
"date": "2016-11-15",
|
|
|
|
"extends_uuid": "",
|
|
|
|
"info": "OSINT - HackingTeam back for your Androids, now extra insecure!",
|
|
|
|
"publish_timestamp": "1479206679",
|
|
|
|
"published": true,
|
|
|
|
"threat_level_id": "2",
|
|
|
|
"timestamp": "1479206635",
|
|
|
|
"uuid": "582adfcb-6640-46bf-ba1f-4aca950d210f",
|
|
|
|
"Orgc": {
|
|
|
|
"name": "CIRCL",
|
|
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
|
|
},
|
|
|
|
"Tag": [
|
|
|
|
{
|
|
|
|
"colour": "#00223b",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
|
|
"relationship_type": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"colour": "#5f0077",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "ms-caro-malware:malware-platform=\"AndroidOS\"",
|
|
|
|
"relationship_type": ""
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"colour": "#ffffff",
|
2024-04-05 12:15:17 +00:00
|
|
|
"local": false,
|
2023-12-14 14:30:15 +00:00
|
|
|
"name": "tlp:white",
|
|
|
|
"relationship_type": ""
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479204830",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "582adfde-3f7c-47f7-82ac-4146950d210f",
|
|
|
|
"value": "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479204901",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "582ae025-fbc0-4426-b31c-4f6d950d210f",
|
|
|
|
"value": "07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479204901",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "582ae025-9014-49d4-8258-43e3950d210f",
|
|
|
|
"value": "ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479204901",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "582ae025-8698-43d4-b114-41bb950d210f",
|
|
|
|
"value": "e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479204902",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "582ae026-de30-4ef7-a4b9-49ca950d210f",
|
|
|
|
"value": "87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206380",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "582ae5ec-8338-4d70-84bc-435e02de0b81",
|
|
|
|
"value": "03ea8043d16ecb9a462cc99d26b80889671e7621"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206380",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "582ae5ec-addc-4442-928a-427e02de0b81",
|
|
|
|
"value": "badbbb8189d3aa6d0352bf8a02c1e79d"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206380",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "582ae5ec-7c10-4df6-bda2-4d6002de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c/analysis/1479180111/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206381",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "582ae5ed-3c64-48ad-b8bb-4b3e02de0b81",
|
|
|
|
"value": "a65f80a623269307067416225ce2a6cfc0557ac4"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206381",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "582ae5ed-c588-46b4-8052-40a402de0b81",
|
|
|
|
"value": "cbd1c2db9ffc6b67cea46d271594c2ae"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206381",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "582ae5ed-7e94-4dfd-8e88-45be02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c/analysis/1479180040/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206381",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "582ae5ed-5080-4e70-b5e4-4e0302de0b81",
|
|
|
|
"value": "f60c545f08c74de317458c416a8768835bafe41b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206382",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "582ae5ee-a844-4b86-9e4e-449f02de0b81",
|
|
|
|
"value": "3c1055f19971d580ef9ced172d8eba3b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206382",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "582ae5ee-92e0-45eb-9e4d-40f202de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818/analysis/1477481986/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206382",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "582ae5ee-97cc-4e28-8b99-45c702de0b81",
|
|
|
|
"value": "c0802514739173623a319db4551f88d2ca71bdb2"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206382",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "582ae5ee-4ef4-44ab-9022-46fa02de0b81",
|
|
|
|
"value": "60f0c18fae934d1033394d62951d5dc8"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "External analysis",
|
|
|
|
"comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206382",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "link",
|
|
|
|
"uuid": "582ae5ee-9580-4da9-9118-48ad02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31/analysis/1479179966/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Artifacts dropped",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206445",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "yara",
|
|
|
|
"uuid": "582ae62d-3180-4824-b898-40af950d210f",
|
|
|
|
"value": "rule HackingTeam_Android : Android Implant\r\n{\r\n\tmeta:\r\n\t\tdescription = \"HackingTeam Android implant, known to detect version v4 - v7\"\r\n\t\tauthor = \"Tim 'diff' Strazzere <strazz@gmail.com>\"\r\n reference = \"http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/\"\r\n\t\tdate = \"2016-11-14\"\r\n\t\tversion = \"1.0\"\r\n strings:\r\n $decryptor = {\r\n 12 01 // const/4 v1, 0x0\r\n D8 00 ?? ?? // add-int/lit8 ??, ??, ??\r\n 6E 10 ?? ?? ?? 00 // invoke-virtual {??} -> String.toCharArray()\r\n 0C 04 // move-result-object v4\r\n 21 45 // array-length v5, v4\r\n 01 02 // move v2, v0\r\n 01 10 // move v0, v1\r\n 32 50 11 00 // if-eq v0, v5, 0xb\r\n 49 03 04 00 // aget-char v3, v4, v0\r\n DD 06 02 5F // and-int/lit8 v6, v2, 0x5f <- potentially change the hardcoded xor bit to ??\r\n B7 36 // xor-int/2addr v6, v3\r\n D8 03 02 ?? // and-int/lit8 v3, v2, ??\r\n D8 02 00 01 // and-int/lit8 v2, v0, 0x1\r\n 8E 66 // int-to-char v6, v6\r\n 50 06 04 00 // aput-char v6, v4, v0\r\n 01 20 // move v0, v2\r\n 01 32 // move v2, v3\r\n 28 F0 // goto 0xa\r\n 71 30 ?? ?? 14 05 // invoke-static {v4, v1, v5}, ?? -> String.valueOf()\r\n 0C 00 // move-result-object v0\r\n 6E 10 ?? ?? 00 00 // invoke-virtual {v0} ?? -> String.intern()\r\n 0C 00 // move-result-object v0\r\n 11 00 // return-object v0\r\n }\r\n // Below is the following string, however encoded as it would appear in the string table (length encoded, null byte padded)\r\n // Lcom/google/android/global/Settings;\r\n $settings = {\r\n 00 24 4C 63 6F 6D 2F 67 6F 6F 67 6C 65 2F 61 6E\r\n 64 72 6F 69 64 2F 67 6C 6F 62 61 6C 2F 53 65 74\r\n 74 69 6E 67 73 3B 00\r\n }\r\n // getSmsInputNumbers (Same encoded described above)\r\n $getSmsInputNumbers = {\r\n 00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D\r\n 62 65 72 73 00\r\n }\r\n condition:\r\n $decryptor and ($settings and $getSmsInputNumbers)\r\n}"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Network activity",
|
|
|
|
"comment": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206520",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "ip-dst",
|
|
|
|
"uuid": "582ae678-60f4-49dd-9680-4533950d210f",
|
|
|
|
"value": "68.233.237.11"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Network activity",
|
|
|
|
"comment": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206549",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "ip-dst",
|
|
|
|
"uuid": "582ae695-7fd8-4183-b00e-484f950d210f",
|
|
|
|
"value": "66.232.100.221"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Network activity",
|
|
|
|
"comment": "RequestActionsToExecute - Request",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1479206635",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "582ae6df-a770-49ef-ad0b-4c77950d210f",
|
|
|
|
"value": "POST /UlisseREST/api/actions/RequestActionsToExecute HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/json\r\nAccept: application/json\r\nUser-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; BLU STUDIO 5.0 C Build/KOT49H)\r\nHost: 68.233.237.11\r\nAccept-Encoding: gzip\r\nContent-Length: 475\r\n{\"CommandLine\":\"\",\"CurrentDirectory\":\"\",\"Id\":\"8f4af21e-29fb-48e9-8b52-8cf87fcdec57\",\"LeaID\":\"00000000-0000-0000-0000-000000000000\",\"MachineName\":\"BLU BLU STUDIO 5.0 C BLU STUDIO 5.0 C IMEI: XXXXXXXXXXXXXXX IMSI: null\",\"OsType\":5,\"Platform\":\" Board:BLU STUDIO 5.0 C Brand:BLU Device:BLU STUDIO 5.0 C\",\"Version\":\"Release: 4.4.2 CodeName: REL Inc: eng.android.1441800693 SDK: 19\",\"ServicePack\":\"\",\"SystemDirectory\":\"\",\"UserDomainName\":\"\",\"UserName\":\"android\",\"ProcessorCount\":0}"
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
2023-12-14 14:30:15 +00:00
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
}
|