{ "type": "bundle", "id": "bundle--58e3e7e5-90d8-43f1-a070-4520950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:54:06.000Z", "modified": "2017-04-04T18:54:06.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58e3e7e5-90d8-43f1-a070-4520950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:54:06.000Z", "modified": "2017-04-04T18:54:06.000Z", "name": "OSINT - An Investigation of Chrysaor Malware on Android", "published": "2017-04-04T18:54:20Z", "object_refs": [ "observed-data--58e3e80a-1250-40c3-8ab6-4e18950d210f", "url--58e3e80a-1250-40c3-8ab6-4e18950d210f", "x-misp-attribute--58e3e82c-6c88-446e-9a88-4d98950d210f", "indicator--58e3e9c9-4b54-4ce9-8237-47fe950d210f", "x-misp-attribute--58e3e9da-6394-4d85-ac57-4029950d210f", "indicator--58e3ea29-86c0-4bb3-ab7b-40fb950d210f", "indicator--58e3ea87-fe34-448b-9b9e-4895950d210f", "indicator--58e3ea88-e9dc-47c8-a4cc-4c6f950d210f", "indicator--58e3ea89-1f78-412f-9941-4ac9950d210f", "indicator--58e3ea8a-2ca8-4972-8749-454e950d210f", "indicator--58e3ea8b-f844-4e71-a327-4547950d210f", "indicator--58e3eae1-8228-455b-b542-4227950d210f", "indicator--58e3eb2a-60ec-4774-ba81-4ccf02de0b81", "indicator--58e3eb2b-fec4-4fbb-9136-449b02de0b81", "observed-data--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81", "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81", "indicator--58e3eb2d-75e0-4eb4-a396-483c02de0b81", "indicator--58e3eb2e-9fc8-41a4-b604-4d7802de0b81", "observed-data--58e3eb2f-b968-413f-82c3-41f102de0b81", "url--58e3eb2f-b968-413f-82c3-41f102de0b81", "indicator--58e3eb30-c914-457f-8fbd-4d7602de0b81", "indicator--58e3eb31-3b7c-4aff-bf5b-494602de0b81", "observed-data--58e3eb32-eef4-4ed4-b8a4-42b802de0b81", "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Chrysaor\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e3e80a-1250-40c3-8ab6-4e18950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "first_observed": "2017-04-04T18:51:11Z", "last_observed": "2017-04-04T18:51:11Z", "number_observed": 1, "object_refs": [ "url--58e3e80a-1250-40c3-8ab6-4e18950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e3e80a-1250-40c3-8ab6-4e18950d210f", "value": "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58e3e82c-6c88-446e-9a88-4d98950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "In this blog post, we describe Chrysaor, a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices, and how investigations like this help Google protect Android users from a variety of threats." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3e9c9-4b54-4ce9-8237-47fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target", "pattern": "[file:hashes.SHA256 = 'ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58e3e9da-6394-4d85-ac57-4029950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "labels": [ "misp:type=\"mobile-application-id\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Payload delivery", "x_misp_type": "mobile-application-id", "x_misp_value": "com.network.android" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea29-86c0-4bb3-ab7b-40fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "Pegasus for Android Samples", "pattern": "[file:hashes.SHA256 = '3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea87-fe34-448b-9b9e-4895950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.network.android", "pattern": "[file:hashes.SHA256 = '98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea88-e9dc-47c8-a4cc-4c6f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.binary.sms.receiver", "pattern": "[file:hashes.SHA256 = '9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea89-1f78-412f-9941-4ac9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.android.copy", "pattern": "[file:hashes.SHA256 = 'e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea8a-2ca8-4972-8749-454e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.android.copy", "pattern": "[file:hashes.SHA256 = '12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3ea8b-f844-4e71-a327-4547950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.android.copy", "pattern": "[file:hashes.SHA256 = '6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eae1-8228-455b-b542-4227950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:11.000Z", "modified": "2017-04-04T18:51:11.000Z", "description": "com.network.android", "pattern": "[file:hashes.SHA1 = '44f6d1caa257799e57f0ecaf4e2e216178f4cb3d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb2a-60ec-4774-ba81-4ccf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:22.000Z", "modified": "2017-04-04T18:51:22.000Z", "description": "com.binary.sms.receiver - Xchecked via VT: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae", "pattern": "[file:hashes.SHA1 = '28f570754274db96bffa7ac4a53a5ede3508d82c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb2b-fec4-4fbb-9136-449b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:23.000Z", "modified": "2017-04-04T18:51:23.000Z", "description": "com.binary.sms.receiver - Xchecked via VT: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae", "pattern": "[file:hashes.MD5 = 'cc9517aafb58279091ac17533293edc1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:24.000Z", "modified": "2017-04-04T18:51:24.000Z", "first_observed": "2017-04-04T18:51:24Z", "last_observed": "2017-04-04T18:51:24Z", "number_observed": 1, "object_refs": [ "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81", "value": "https://www.virustotal.com/file/9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae/analysis/1491317706/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb2d-75e0-4eb4-a396-483c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:25.000Z", "modified": "2017-04-04T18:51:25.000Z", "description": "Pegasus for Android Samples - Xchecked via VT: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86", "pattern": "[file:hashes.SHA1 = 'b6850881561265d89597d0d245b33dba3d7d3f47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb2e-9fc8-41a4-b604-4d7802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:26.000Z", "modified": "2017-04-04T18:51:26.000Z", "description": "Pegasus for Android Samples - Xchecked via VT: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86", "pattern": "[file:hashes.MD5 = '3a69bfbe5bc83c4df938177e05cd7c7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e3eb2f-b968-413f-82c3-41f102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:27.000Z", "modified": "2017-04-04T18:51:27.000Z", "first_observed": "2017-04-04T18:51:27Z", "last_observed": "2017-04-04T18:51:27Z", "number_observed": 1, "object_refs": [ "url--58e3eb2f-b968-413f-82c3-41f102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e3eb2f-b968-413f-82c3-41f102de0b81", "value": "https://www.virustotal.com/file/3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86/analysis/1491309077/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb30-c914-457f-8fbd-4d7602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:28.000Z", "modified": "2017-04-04T18:51:28.000Z", "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target - Xchecked via VT: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5", "pattern": "[file:hashes.SHA1 = 'e5920f3723e62e1850157f09baf556006bf80f74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e3eb31-3b7c-4aff-bf5b-494602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:29.000Z", "modified": "2017-04-04T18:51:29.000Z", "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target - Xchecked via VT: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5", "pattern": "[file:hashes.MD5 = '7c3ad8fec33465fed6563bbfabb5b13d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-04T18:51:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e3eb32-eef4-4ed4-b8a4-42b802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-04T18:51:30.000Z", "modified": "2017-04-04T18:51:30.000Z", "first_observed": "2017-04-04T18:51:30Z", "last_observed": "2017-04-04T18:51:30Z", "number_observed": 1, "object_refs": [ "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81", "value": "https://www.virustotal.com/file/ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5/analysis/1491313777/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }