{ "Event": { "analysis": "2", "date": "2017-04-23", "extends_uuid": "", "info": "OSINT - FlexSpy Application Analysis", "publish_timestamp": "1492981296", "published": true, "threat_level_id": "3", "timestamp": "1492981249", "uuid": "58fce117-452c-42ed-a2dc-b64a950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#3a7300", "local": false, "name": "circl:incident-classification=\"malware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1492967971", "to_ids": false, "type": "link", "uuid": "58fce124-1a0c-4d73-904b-dbd5950d210f", "value": "http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy.html", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0c9100", "local": false, "name": "admiralty-scale:source-reliability=\"f\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1492967972", "to_ids": false, "type": "text", "uuid": "58fce13b-fadc-4e55-a0d4-46ea950d210f", "value": "On 04/22/2017 FlexiDie released source code and binaries for FlexiSpy\u2019s mobile spyware program. Being a good reverse engineer that I am, my analysis is below. The IOC section is intended for other reverse engineers and antivirus vendors. General Overview is intended for journalists.\nI will release a detailed technical teardown in a day or two.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0c9100", "local": false, "name": "admiralty-scale:source-reliability=\"f\"", "relationship_type": "" } ] },
{ "category": "Network activity", "comment": "(found in com.vvt.phoenix.prot.test.CSMTest)", "deleted": false, "disable_correlation": false, "timestamp": "1492967795", "to_ids": true, "type": "url", "uuid": "58fce173-d508-4f0f-8a89-dba6950d210f", "value": "http://58.137.119.229/RainbowCore/" }, { "category": "Network activity", "comment": "Found in source//location_capture/tests/location_capture_tests/src/com/vvt/locationcapture/tests/Location_capture_testsActivity.java (a test activity). The %f/%s tokens are Java format placeholders, not literal URL text, so a detection rule built from this exact value will not match real traffic; match on the host and path (trkps.com/m.php) instead.", "deleted": false, "disable_correlation": false, "timestamp": "1492967796", "to_ids": true, "type": "url", "uuid": "58fce174-1b68-4e69-b27f-dba6950d210f", "value": "http://trkps.com/m.php?lat=%f&long=%f&t=%s&i=%s&z=5" }, { "category": "Network activity", "comment": "On port 8880", "deleted": false, "disable_correlation": false, "timestamp": "1492967797", "to_ids": true, "type": "url", "uuid": "58fce175-c7b4-4488-8f4d-dba6950d210f", "value": "http://202.176.88.55" }, { "category": "Network activity", "comment": "Another IP address that was found commented out in the code base (//private String mUrl = ...)", "deleted": false, "disable_correlation": false, "timestamp": "1492967868", "to_ids": true, "type": "ip-dst", "uuid": "58fce1bc-783c-4960-a449-dba5950d210f", "value": "202.176.88.55" }, { "category": "Network activity", "comment": "(found in com.vvt.phoenix.prot.test.CSMTest)", "deleted": false, "disable_correlation": false, "timestamp": "1492967869", "to_ids": true, "type": "ip-dst", "uuid": "58fce1bd-c0a4-4862-a657-dba5950d210f", "value": "58.137.119.229" }, { "category": "Network activity", "comment": "In sample comments", "deleted": false, "disable_correlation": false, "timestamp": "1492981246", "to_ids":
true, "type": "ip-dst", "uuid": "58fd15fe-c4ac-4a6c-bbd3-4815950d210f", "value": "58.137.119.224" }, { "category": "Network activity", "comment": "In sample comments", "deleted": false, "disable_correlation": false, "timestamp": "1492981248", "to_ids": true, "type": "ip-dst", "uuid": "58fd1600-dcf8-4103-af30-4e0f950d210f", "value": "58.137.119.239" } ] } }