{ "type": "bundle", "id": "bundle--5718d275-88d4-492e-9f07-43ee950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:29.000Z", "modified": "2016-04-21T15:07:29.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5718d275-88d4-492e-9f07-43ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:29.000Z", "modified": "2016-04-21T15:07:29.000Z", "name": "OSINT - \u201cOperation C-Major\u201d Actors Also Used Android, BlackBerry Mobile Spyware Against Targets", "published": "2016-04-21T15:15:02Z", "object_refs": [ "observed-data--5718d28f-6890-4731-95e4-4b42950d210f", "url--5718d28f-6890-4731-95e4-4b42950d210f", "x-misp-attribute--5718d2a3-a008-4c0d-ba56-4ec7950d210f", "indicator--5718d4f3-98c0-40be-a296-40f8950d210f", "indicator--5718d4f3-43a4-4bbd-bf88-40c4950d210f", "indicator--5718d4f3-ba78-4f00-a3d3-4232950d210f", "indicator--5718d4f4-ef9c-46a2-8d75-4f77950d210f", "indicator--5718d4f4-d518-44d4-aef8-442a950d210f", "indicator--5718d4f5-e228-4ed6-b03a-4bff950d210f", "indicator--5718d4f5-cdac-47c9-ae00-43d2950d210f", "indicator--5718d4f5-84c8-4878-b3a9-4d19950d210f", "indicator--5718d54c-be50-4f58-83e2-408c950d210f", "indicator--5718d54d-2990-4cb5-9bfd-4883950d210f", "indicator--5718d54d-4be0-4e06-9405-4d66950d210f", "indicator--5718d54e-8b80-4d4b-9b3f-48a3950d210f", "indicator--5718d54e-7dc8-49eb-9432-449a950d210f", "indicator--5718d54e-6f18-48bd-aa39-43f1950d210f", "indicator--5718d54f-23a8-44b0-86b4-46a7950d210f", "indicator--5718d54f-8be4-4981-8136-4bb4950d210f", "indicator--5718d54f-e3d0-4a0a-9f5c-45a8950d210f", "indicator--5718e3a8-eef0-4849-81fd-470c950d210f", "indicator--5718ecb1-fb28-4bb5-85e0-40b702de0b81", "indicator--5718ecb2-9428-4848-83fb-405b02de0b81", "observed-data--5718ecb2-efec-4668-8f3e-493002de0b81", 
"url--5718ecb2-efec-4668-8f3e-493002de0b81", "indicator--5718ecb3-1d2c-47aa-b21c-474302de0b81", "indicator--5718ecb3-71bc-491c-8314-48ad02de0b81", "observed-data--5718ecb3-9f58-4d1a-8e7f-408f02de0b81", "url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81", "indicator--5718ecb4-03c4-4676-ac2e-4c5002de0b81", "indicator--5718ecb4-dd44-44ee-9cd3-4b0702de0b81", "observed-data--5718ecb4-8b60-44dd-bc05-483e02de0b81", "url--5718ecb4-8b60-44dd-bc05-483e02de0b81", "indicator--5718ecb5-a7d0-4a52-bd6c-4bcd02de0b81", "indicator--5718ecb5-fa50-4255-823a-4b5702de0b81", "observed-data--5718ecb5-1ad4-4fb3-9889-4b1802de0b81", "url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81", "indicator--5718ecb6-a3fc-4ab9-ad1a-48ce02de0b81", "indicator--5718ecb6-117c-45d3-951e-4c0402de0b81", "observed-data--5718ecb7-3c5c-4b28-8cf0-46f402de0b81", "url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81", "indicator--5718ecb7-a578-4bc5-b9c2-48b602de0b81", "indicator--5718ecb7-3210-4790-b39c-4cba02de0b81", "observed-data--5718ecb8-7d80-4ee0-9656-43f602de0b81", "url--5718ecb8-7d80-4ee0-9656-43f602de0b81", "indicator--5718ecb8-1018-4832-8633-448602de0b81", "indicator--5718ecb9-5f4c-48f3-80c9-413202de0b81", "observed-data--5718ecb9-acdc-4965-83d0-4a9c02de0b81", "url--5718ecb9-acdc-4965-83d0-4a9c02de0b81", "indicator--5718ecb9-67b8-422e-b4d1-4f8202de0b81", "indicator--5718ecba-bc08-4277-9a9f-473002de0b81", "observed-data--5718ecba-61b8-46ad-aef6-4bc502de0b81", "url--5718ecba-61b8-46ad-aef6-4bc502de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718d28f-6890-4731-95e4-4b42950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:15:59.000Z", "modified": "2016-04-21T13:15:59.000Z", "first_observed": "2016-04-21T13:15:59Z", "last_observed": "2016-04-21T13:15:59Z", "number_observed": 1, 
"object_refs": [ "url--5718d28f-6890-4731-95e4-4b42950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718d28f-6890-4731-95e4-4b42950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/operation-c-major-actors-also-used-android-blackberry-mobile-spyware-targets/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5718d2a3-a008-4c0d-ba56-4ec7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:16:19.000Z", "modified": "2016-04-21T13:16:19.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Last March, we reported on Operation C-Major, an active information theft campaign that was able to steal sensitive information from high profile targets in India. The campaign was able to steal large amounts of data despite using relatively simple malware because it used clever social engineering tactics against its targets. In this post, we will focus on the mobile part of their operation and discuss in detail several Android and BlackBerry apps they are using. Based on our investigation, the actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f3-98c0-40be-a296-40f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:26.000Z", "modified": "2016-04-21T13:26:26.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '24f52c5f909d79a70e6e2a4e89aa7816b5f24aec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f3-43a4-4bbd-bf88-40c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:31.000Z", "modified": "2016-04-21T13:26:31.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '202f11c5cf2b9df8bf8ab766a33cd0e6d7a5161a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f3-ba78-4f00-a3d3-4232950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:38.000Z", "modified": "2016-04-21T13:26:38.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '31ac19091fd5347568b130d7150ed867ffe38c28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5718d4f4-ef9c-46a2-8d75-4f77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:56.000Z", "modified": "2016-04-21T13:26:56.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '6919aa3a9d5e193a1d48e05e7bf320d795923ea7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f4-d518-44d4-aef8-442a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:42.000Z", "modified": "2016-04-21T13:26:42.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = 'c48a5d639430e08980f1aeb5af49310692f2701b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f5-e228-4ed6-b03a-4bff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:52.000Z", "modified": "2016-04-21T13:26:52.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '1ce6b3f02fe2e4ee201bdab2c1e4f6bb5a8da1b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f5-cdac-47c9-ae00-43d2950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:48.000Z", "modified": "2016-04-21T13:26:48.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '59aec5002684de8cc8c27f7512ed70c094e4bd20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d4f5-84c8-4878-b3a9-4d19950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:26:45.000Z", "modified": "2016-04-21T13:26:45.000Z", "description": "Smesh app", "pattern": "[file:hashes.SHA1 = '552e3a16dd36ae4a3d4480182124a3f6701911f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:26:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54c-be50-4f58-83e2-408c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:40.000Z", "modified": "2016-04-21T13:27:40.000Z", "description": "Ringster", "pattern": "[file:hashes.SHA1 = 'c544e5d8c6f38bb199283f11f799da8f3bb3807f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54d-2990-4cb5-9bfd-4883950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-21T13:27:41.000Z", "modified": "2016-04-21T13:27:41.000Z", "description": "Ringster", "pattern": "[file:hashes.SHA1 = 'a13568164c0a8f50d76d9ffa6e34e31674a3afc8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54d-4be0-4e06-9405-4d66950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:41.000Z", "modified": "2016-04-21T13:27:41.000Z", "description": "Androrat", "pattern": "[file:hashes.SHA1 = '9288811c9747d151eab4ec708b368fc6cc4e2cb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54e-8b80-4d4b-9b3f-48a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:42.000Z", "modified": "2016-04-21T13:27:42.000Z", "description": "Androrat", "pattern": "[file:hashes.SHA1 = '94c74a9e5d1aab18f51487e4e47e5995b7252c4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54e-7dc8-49eb-9432-449a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:42.000Z", "modified": "2016-04-21T13:27:42.000Z", 
"description": "Androrat", "pattern": "[file:hashes.SHA1 = 'decf429be7d469292827c3b873f7e61076ffbba1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54e-6f18-48bd-aa39-43f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:42.000Z", "modified": "2016-04-21T13:27:42.000Z", "description": "Androrat", "pattern": "[file:hashes.SHA1 = 'f86302da2d38bf60f1ea9549b2e21a34fe655b33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54f-23a8-44b0-86b4-46a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:43.000Z", "modified": "2016-04-21T13:27:43.000Z", "description": "India Sena News", "pattern": "[file:hashes.SHA1 = 'b142e4b75a4562cdaad5cc2610d31594d2ed17c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54f-8be4-4981-8136-4bb4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:43.000Z", "modified": "2016-04-21T13:27:43.000Z", "description": "BlackBerry spyware", "pattern": "[file:hashes.SHA1 
= 'abcb176578df44c2be7173b318abe704963052b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718d54f-e3d0-4a0a-9f5c-45a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T13:27:43.000Z", "modified": "2016-04-21T13:27:43.000Z", "description": "BlackBerry spyware", "pattern": "[file:hashes.SHA1 = '16318c4e4f94a5c4018b05955975771637b306b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T13:27:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718e3a8-eef0-4849-81fd-470c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T14:28:56.000Z", "modified": "2016-04-21T14:28:56.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'mpjunkie.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T14:28:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb1-fb28-4bb5-85e0-40b702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:29.000Z", "modified": "2016-04-21T15:07:29.000Z", "description": "BlackBerry spyware - Xchecked via VT: 16318c4e4f94a5c4018b05955975771637b306b4", "pattern": 
"[file:hashes.SHA256 = 'a2d9ef1e249a08737d183177116cba1ed03c411d257d4b8ab66064c9affda057']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb2-9428-4848-83fb-405b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:30.000Z", "modified": "2016-04-21T15:07:30.000Z", "description": "BlackBerry spyware - Xchecked via VT: 16318c4e4f94a5c4018b05955975771637b306b4", "pattern": "[file:hashes.MD5 = '5e5a6fd42417c98fdc0a2c9391876d7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb2-efec-4668-8f3e-493002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:30.000Z", "modified": "2016-04-21T15:07:30.000Z", "first_observed": "2016-04-21T15:07:30Z", "last_observed": "2016-04-21T15:07:30Z", "number_observed": 1, "object_refs": [ "url--5718ecb2-efec-4668-8f3e-493002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb2-efec-4668-8f3e-493002de0b81", "value": "https://www.virustotal.com/file/a2d9ef1e249a08737d183177116cba1ed03c411d257d4b8ab66064c9affda057/analysis/1461189256/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb3-1d2c-47aa-b21c-474302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-21T15:07:31.000Z", "modified": "2016-04-21T15:07:31.000Z", "description": "BlackBerry spyware - Xchecked via VT: abcb176578df44c2be7173b318abe704963052b2", "pattern": "[file:hashes.SHA256 = '7ef9af07a8a5f76a9b80349b1aeac59b25fcda1fb731e03797c682ad85f6e396']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb3-71bc-491c-8314-48ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:31.000Z", "modified": "2016-04-21T15:07:31.000Z", "description": "BlackBerry spyware - Xchecked via VT: abcb176578df44c2be7173b318abe704963052b2", "pattern": "[file:hashes.MD5 = '9201801719ebf4c6d8b4adf0425a35dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb3-9f58-4d1a-8e7f-408f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:31.000Z", "modified": "2016-04-21T15:07:31.000Z", "first_observed": "2016-04-21T15:07:31Z", "last_observed": "2016-04-21T15:07:31Z", "number_observed": 1, "object_refs": [ "url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81", "value": "https://www.virustotal.com/file/7ef9af07a8a5f76a9b80349b1aeac59b25fcda1fb731e03797c682ad85f6e396/analysis/1461189249/" }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5718ecb4-03c4-4676-ac2e-4c5002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:32.000Z", "modified": "2016-04-21T15:07:32.000Z", "description": "India Sena News - Xchecked via VT: b142e4b75a4562cdaad5cc2610d31594d2ed17c3", "pattern": "[file:hashes.SHA256 = '5bbcd8a7856e037418c0ac1c0c987476e3210f577beffcdfe2eceebc19c5644d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb4-dd44-44ee-9cd3-4b0702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:32.000Z", "modified": "2016-04-21T15:07:32.000Z", "description": "India Sena News - Xchecked via VT: b142e4b75a4562cdaad5cc2610d31594d2ed17c3", "pattern": "[file:hashes.MD5 = 'e6a0066676cab0144eb6055f67d917e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb4-8b60-44dd-bc05-483e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:32.000Z", "modified": "2016-04-21T15:07:32.000Z", "first_observed": "2016-04-21T15:07:32Z", "last_observed": "2016-04-21T15:07:32Z", "number_observed": 1, "object_refs": [ "url--5718ecb4-8b60-44dd-bc05-483e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--5718ecb4-8b60-44dd-bc05-483e02de0b81", "value": "https://www.virustotal.com/file/5bbcd8a7856e037418c0ac1c0c987476e3210f577beffcdfe2eceebc19c5644d/analysis/1461073518/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb5-a7d0-4a52-bd6c-4bcd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:33.000Z", "modified": "2016-04-21T15:07:33.000Z", "description": "Androrat - Xchecked via VT: f86302da2d38bf60f1ea9549b2e21a34fe655b33", "pattern": "[file:hashes.SHA256 = 'f529ccdee54c53e4c02366713ec2d2e8ff629fe56b2f5778f9f7d31f809e4446']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb5-fa50-4255-823a-4b5702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:33.000Z", "modified": "2016-04-21T15:07:33.000Z", "description": "Androrat - Xchecked via VT: f86302da2d38bf60f1ea9549b2e21a34fe655b33", "pattern": "[file:hashes.MD5 = 'dfd2eca84919418da2fa617fc51e9de5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb5-1ad4-4fb3-9889-4b1802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:33.000Z", "modified": "2016-04-21T15:07:33.000Z", "first_observed": "2016-04-21T15:07:33Z", "last_observed": "2016-04-21T15:07:33Z", "number_observed": 1, "object_refs": [ 
"url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81", "value": "https://www.virustotal.com/file/f529ccdee54c53e4c02366713ec2d2e8ff629fe56b2f5778f9f7d31f809e4446/analysis/1461051345/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb6-a3fc-4ab9-ad1a-48ce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:34.000Z", "modified": "2016-04-21T15:07:34.000Z", "description": "Androrat - Xchecked via VT: decf429be7d469292827c3b873f7e61076ffbba1", "pattern": "[file:hashes.SHA256 = '8b64a32e386d7cc51bb761bee8959bb5cac20e79ae1e549b04b7354e67bdee66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb6-117c-45d3-951e-4c0402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:34.000Z", "modified": "2016-04-21T15:07:34.000Z", "description": "Androrat - Xchecked via VT: decf429be7d469292827c3b873f7e61076ffbba1", "pattern": "[file:hashes.MD5 = '11ba93d968bd96e9e9c9418ea1fdcbbc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb7-3c5c-4b28-8cf0-46f402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:35.000Z", "modified": 
"2016-04-21T15:07:35.000Z", "first_observed": "2016-04-21T15:07:35Z", "last_observed": "2016-04-21T15:07:35Z", "number_observed": 1, "object_refs": [ "url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81", "value": "https://www.virustotal.com/file/8b64a32e386d7cc51bb761bee8959bb5cac20e79ae1e549b04b7354e67bdee66/analysis/1461051347/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb7-a578-4bc5-b9c2-48b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:35.000Z", "modified": "2016-04-21T15:07:35.000Z", "description": "Androrat - Xchecked via VT: 94c74a9e5d1aab18f51487e4e47e5995b7252c4b", "pattern": "[file:hashes.SHA256 = '563ebffbcd81d41e3ddb7b6ed580a2b17a6a6e14ec6bf208c9c22d7a296de7ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb7-3210-4790-b39c-4cba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:35.000Z", "modified": "2016-04-21T15:07:35.000Z", "description": "Androrat - Xchecked via VT: 94c74a9e5d1aab18f51487e4e47e5995b7252c4b", "pattern": "[file:hashes.MD5 = 'af046d94f254a3f85a0ba731562a05c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--5718ecb8-7d80-4ee0-9656-43f602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:36.000Z", "modified": "2016-04-21T15:07:36.000Z", "first_observed": "2016-04-21T15:07:36Z", "last_observed": "2016-04-21T15:07:36Z", "number_observed": 1, "object_refs": [ "url--5718ecb8-7d80-4ee0-9656-43f602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb8-7d80-4ee0-9656-43f602de0b81", "value": "https://www.virustotal.com/file/563ebffbcd81d41e3ddb7b6ed580a2b17a6a6e14ec6bf208c9c22d7a296de7ae/analysis/1461073437/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb8-1018-4832-8633-448602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:36.000Z", "modified": "2016-04-21T15:07:36.000Z", "description": "Androrat - Xchecked via VT: 9288811c9747d151eab4ec708b368fc6cc4e2cb5", "pattern": "[file:hashes.SHA256 = 'e6753bba53d7cca4a534c3089f24cd0546462667d110c0d48974f9e76714fe1c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb9-5f4c-48f3-80c9-413202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:37.000Z", "modified": "2016-04-21T15:07:37.000Z", "description": "Androrat - Xchecked via VT: 9288811c9747d151eab4ec708b368fc6cc4e2cb5", "pattern": "[file:hashes.MD5 = 'ce59958c01e437f4bdc68b4896222b8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], 
"labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecb9-acdc-4965-83d0-4a9c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:37.000Z", "modified": "2016-04-21T15:07:37.000Z", "first_observed": "2016-04-21T15:07:37Z", "last_observed": "2016-04-21T15:07:37Z", "number_observed": 1, "object_refs": [ "url--5718ecb9-acdc-4965-83d0-4a9c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecb9-acdc-4965-83d0-4a9c02de0b81", "value": "https://www.virustotal.com/file/e6753bba53d7cca4a534c3089f24cd0546462667d110c0d48974f9e76714fe1c/analysis/1461217726/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecb9-67b8-422e-b4d1-4f8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:37.000Z", "modified": "2016-04-21T15:07:37.000Z", "description": "Ringster - Xchecked via VT: a13568164c0a8f50d76d9ffa6e34e31674a3afc8", "pattern": "[file:hashes.SHA256 = '8babf68a96861c8495580b5ecf54d8e9e1c76fc89fb72a322c94e74796db4e19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:07:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ecba-bc08-4277-9a9f-473002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:38.000Z", "modified": "2016-04-21T15:07:38.000Z", "description": "Ringster - Xchecked via VT: a13568164c0a8f50d76d9ffa6e34e31674a3afc8", "pattern": "[file:hashes.MD5 = 'c4cd2f9ba10c0f773a8ec56045d3b398']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-04-21T15:07:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ecba-61b8-46ad-aef6-4bc502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:07:38.000Z", "modified": "2016-04-21T15:07:38.000Z", "first_observed": "2016-04-21T15:07:38Z", "last_observed": "2016-04-21T15:07:38Z", "number_observed": 1, "object_refs": [ "url--5718ecba-61b8-46ad-aef6-4bc502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ecba-61b8-46ad-aef6-4bc502de0b81", "value": "https://www.virustotal.com/file/8babf68a96861c8495580b5ecf54d8e9e1c76fc89fb72a322c94e74796db4e19/analysis/1461226275/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }