{ "type": "bundle", "id": "bundle--5939bc28-0960-4108-a244-9b8302de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5939bc28-0960-4108-a244-9b8302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "name": "OSINT - The Recorded Future Blog Malicious Android Applications Raise Concerns for Enterprises", "published": "2017-06-08T21:17:13Z", "object_refs": [ "x-misp-attribute--5939bc3c-f4e0-4c21-b28a-9b8302de0b81", "observed-data--5939bc4a-9ed4-414d-904c-123102de0b81", "url--5939bc4a-9ed4-414d-904c-123102de0b81", "indicator--5939bc87-f75c-45b9-8bfb-451602de0b81", "indicator--5939bcbb-c238-4f28-8c0d-9b8302de0b81", "indicator--5939bcbc-ae2c-481a-bed3-9b8302de0b81", "indicator--5939bcf1-5590-463a-be2a-468b02de0b81", "indicator--5939bcf2-dd18-42ee-97c1-467f02de0b81", "indicator--5939bcf2-ff50-4e75-9f8d-4e8b02de0b81", "indicator--5939bcf2-b21c-45aa-99bc-411102de0b81", "indicator--5939bcf3-4f34-4e78-89dd-4d8902de0b81", "indicator--5939be55-7f24-407f-b3e2-4ae602de0b81", "indicator--5939be55-64e0-4ebb-8ad3-421302de0b81", "indicator--5939be56-9b08-467f-ba3f-4b4e02de0b81", "indicator--5939be56-4238-449f-8a2b-4da902de0b81", "indicator--5939be57-6adc-45b8-93eb-4be902de0b81", "indicator--5939be57-8a0c-43b7-b823-438802de0b81", "indicator--5939be58-3cf4-4db2-898e-4f8b02de0b81", "indicator--5939be75-5f84-4a66-9080-4e0902de0b81", "observed-data--5939bec0-bd14-4861-83ef-440802de0b81", "url--5939bec0-bd14-4861-83ef-440802de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "ms-caro-malware:malware-platform=\"AndroidOS\"" ], "object_marking_refs": [ 
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5939bc3c-f4e0-4c21-b28a-9b8302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"c\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The recent White House leaks allegedly began shortly after President Trump\u2019s inauguration. According to Wired, \u201c\u2026 multiple reports indicate that Republican operatives and White House staffers are using end-to-end encrypted messaging app Confide [sic].\u201d Confide\u2019s website touts the product as \u201cYour Confidential Messenger. With encrypted messages that self-destruct, Confide gives you the comfort of knowing that your private messages will now truly stay that way.\u201d\r\n\r\nIOActive researchers subsequently pointed out vulnerabilities in the Confide app on Windows, macOS, and Android. Given the increasing popularity of encrypted messaging apps, Insikt Group was curious about other encrypted messaging apps that might be vulnerable to attack.\r\n\r\nThe curiosity led to exploration in ReversingLab\u2019s (Recorded Future\u2019s research partner) malicious file data, specifically Android files. An Android Spyware file surfaced in late 2016, labeled by ESET as Android/Spy.Kasandra.A trojan (variant), and G Data labeled it Android.Trojan-Spy.SandroRAT.A, more commonly known as DroidJack." 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5939bc4a-9ed4-414d-904c-123102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "first_observed": "2017-06-08T21:16:40Z", "last_observed": "2017-06-08T21:16:40Z", "number_observed": 1, "object_refs": [ "url--5939bc4a-9ed4-414d-904c-123102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"c\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5939bc4a-9ed4-414d-904c-123102de0b81", "value": "https://www.recordedfuture.com/malicious-android-apps/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bc87-f75c-45b9-8bfb-451602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "pattern": "[domain-name:value = 'telegram.ddns.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcbb-c238-4f28-8c0d-9b8302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "Before telegram.ddns[.]net resolved to 151.80.239.207, it briefly resolved to two different Iranian hosts, both belonging to Aria Shatel Company", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '151.246.17.181']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcbc-ae2c-481a-bed3-9b8302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "Before telegram.ddns[.]net resolved to 151.80.239.207, it briefly resolved to two different Iranian hosts, both belonging to Aria Shatel Company", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.57.118.202']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcf1-5590-463a-be2a-468b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "This DroidJack trojan is a DEX (Dalvik Executable) file containing 546 Java classes.", "pattern": "[file:hashes.MD5 = 'b21141025b43cd0b76882d24b9021281']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcf2-dd18-42ee-97c1-467f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "This DroidJack trojan is a DEX (Dalvik Executable) file 
containing 546 Java classes.", "pattern": "[file:hashes.SHA1 = '31a00dbcbe8c5e723c246f4760317c6785b5bc43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcf2-ff50-4e75-9f8d-4e8b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "This DroidJack trojan is a DEX (Dalvik Executable) file containing 546 Java classes.", "pattern": "[file:hashes.SHA256 = '6f875f8ff11ef51a23c1089c1bb197343f0a33c6f7f53f9f6c191e590e8ea4b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcf2-b21c-45aa-99bc-411102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "This DroidJack trojan is a DEX (Dalvik Executable) file containing 546 Java classes.", "pattern": "[file:hashes.SHA256 = '7ccd62ec7cb90c1fea19736e241a25e10143fada72f453e3c9011383a7ab961d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939bcf3-4f34-4e78-89dd-4d8902de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "This DroidJack trojan is a DEX (Dalvik Executable) file containing 546 Java classes.", "pattern": "[file:hashes.SHA256 = '6507e8569f0b7ffa993a36d98567984374d99193721a0420cbcb98404d849bac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be55-7f24-407f-b3e2-4ae602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.7.50.84']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be55-64e0-4ebb-8ad3-421302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. 
In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.158.48.204']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be56-9b08-467f-ba3f-4b4e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.224.94.221']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be56-4238-449f-8a2b-4da902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. 
In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.14.158.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be57-6adc-45b8-93eb-4be902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.250.101.179']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be57-8a0c-43b7-b823-438802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. 
In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.69.240.9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be58-3cf4-4db2-898e-4f8b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "telegram.ddns[.]net does not currently resolve to an IP address. In 2014, before the activity related to the malicious Android app, telegram.ddns[.]net originally resolved to a host in India. 
In 2015 the domain resolved to the following Iranian internet service providers:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.69.240.10']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5939be75-5f84-4a66-9080-4e0902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:40.000Z", "modified": "2017-06-08T21:16:40.000Z", "description": "Recorded Future\u2019s full Intel Card for 151.80.239.207 contains relatively recent honeypot and blacklist sightings, specifically for RDP (remote desktop protocol) brute force authentication attempts.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '151.80.239.207']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-08T21:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5939bec0-bd14-4861-83ef-440802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-08T21:16:48.000Z", "modified": "2017-06-08T21:16:48.000Z", "first_observed": "2017-06-08T21:16:48Z", "last_observed": "2017-06-08T21:16:48Z", "number_observed": 1, "object_refs": [ "url--5939bec0-bd14-4861-83ef-440802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5939bec0-bd14-4861-83ef-440802de0b81", "value": 
"https://www.virustotal.com/file/6f875f8ff11ef51a23c1089c1bb197343f0a33c6f7f53f9f6c191e590e8ea4b3/analysis/1483115234/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }