{ "type": "bundle", "id": "bundle--5a216518-dd10-4191-9ac8-4919950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:37:22.000Z", "modified": "2017-12-03T06:37:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a216518-dd10-4191-9ac8-4919950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:37:22.000Z", "modified": "2017-12-03T06:37:22.000Z", "name": "OSINT - Google Discovers New Tizi Android Spyware", "published": "2017-12-03T06:37:37Z", "object_refs": [ "indicator--5a2167bd-e750-4d4a-b4f2-4c20950d210f", "indicator--5a2167bd-5f98-45bc-a1b5-4862950d210f", "indicator--5a2167bd-e184-46a4-98e8-43eb950d210f", "indicator--5a2167bd-d7fc-4be3-ab49-488d950d210f", "indicator--5a2167bd-5ebc-4c51-9b93-4f70950d210f", "indicator--5a2167bd-fb5c-4b49-b44f-43c6950d210f", "observed-data--5a216d15-6b0c-4b76-9e83-41a6950d210f", "url--5a216d15-6b0c-4b76-9e83-41a6950d210f", "x-misp-attribute--5a216d33-5f44-4643-a153-4bb2950d210f", "indicator--5a2398ff-ea08-42ea-a97e-bb2c02de0b81", "indicator--5a2398ff-7da0-457c-9904-bb2c02de0b81", "observed-data--5a2398ff-21e4-4169-b6c8-bb2c02de0b81", "url--5a2398ff-21e4-4169-b6c8-bb2c02de0b81", "indicator--5a2398ff-8f34-41cb-9e82-bb2c02de0b81", "indicator--5a2398ff-2ad0-4330-b947-bb2c02de0b81", "observed-data--5a2398ff-ddf4-4e19-9f96-bb2c02de0b81", "url--5a2398ff-ddf4-4e19-9f96-bb2c02de0b81", "indicator--5a239900-6dfc-4a68-aef0-bb2c02de0b81", "indicator--5a239900-6ad0-4ebd-bc73-bb2c02de0b81", "observed-data--5a239900-da84-4a68-89a5-bb2c02de0b81", "url--5a239900-da84-4a68-89a5-bb2c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:source-type=\"blog-post\"", "Android Malware", "malware_classification:malware-category=\"Spyware\"", "misp-galaxy:android=\"Tizi\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-e750-4d4a-b4f2-4c20950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "pattern": "[file:name = 'com.press.nasa.com.tanofresh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-5f98-45bc-a1b5-4862950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.press.nasa.com.tanofresh", "pattern": "[file:hashes.SHA256 = '4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-e184-46a4-98e8-43eb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "pattern": "[file:name = 'com.dailyworkout.tizi']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-d7fc-4be3-ab49-488d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.dailyworkout.tizi", "pattern": "[file:hashes.SHA256 = '7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-5ebc-4c51-9b93-4f70950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "pattern": "[file:name = 'com.system.update.systemupdate']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2167bd-fb5c-4b49-b44f-43c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.system.update.systemupdate", "pattern": "[file:hashes.SHA256 = '7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a216d15-6b0c-4b76-9e83-41a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "first_observed": "2017-12-03T06:26:07Z", "last_observed": "2017-12-03T06:26:07Z", "number_observed": 1, "object_refs": [ "url--5a216d15-6b0c-4b76-9e83-41a6950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a216d15-6b0c-4b76-9e83-41a6950d210f", "value": "https://www.bleepingcomputer.com/news/security/google-discovers-new-tizi-android-spyware/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a216d33-5f44-4643-a153-4bb2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Google's security team discovered a new strain of Android malware, named Tizi, and which has been used primarily to target users in African countries.\r\n\r\nCategorized as spyware, Google says Tizi can carry out a wide range of operations, but most focus on social media apps and activity." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2398ff-ea08-42ea-a97e-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.system.update.systemupdate - Xchecked via VT: 7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e", "pattern": "[file:hashes.SHA1 = '184152328f8662006376b6a0b5a50f5f9219c8ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2398ff-7da0-457c-9904-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.system.update.systemupdate - Xchecked via VT: 7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e", "pattern": "[file:hashes.MD5 = '9d073c17499632150dc72ac92590780d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a2398ff-21e4-4169-b6c8-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "first_observed": "2017-12-03T06:26:07Z", "last_observed": "2017-12-03T06:26:07Z", "number_observed": 1, "object_refs": [ "url--5a2398ff-21e4-4169-b6c8-bb2c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a2398ff-21e4-4169-b6c8-bb2c02de0b81", "value": "https://www.virustotal.com/file/7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e/analysis/1512003768/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2398ff-8f34-41cb-9e82-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.dailyworkout.tizi - Xchecked via VT: 7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f", "pattern": "[file:hashes.SHA1 = '501ca245120882a82021c8b8a2e5304b6e03eef5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2398ff-2ad0-4330-b947-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "description": "com.dailyworkout.tizi - Xchecked via VT: 7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f", "pattern": "[file:hashes.MD5 = 'abe47a9e7d8da5c3a4f7579b61e9d72f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a2398ff-ddf4-4e19-9f96-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:07.000Z", "modified": "2017-12-03T06:26:07.000Z", "first_observed": "2017-12-03T06:26:07Z", "last_observed": "2017-12-03T06:26:07Z", "number_observed": 1, "object_refs": [ "url--5a2398ff-ddf4-4e19-9f96-bb2c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a2398ff-ddf4-4e19-9f96-bb2c02de0b81", "value": "https://www.virustotal.com/file/7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f/analysis/1512160033/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a239900-6dfc-4a68-aef0-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:08.000Z", "modified": "2017-12-03T06:26:08.000Z", "description": "com.press.nasa.com.tanofresh - Xchecked via VT: 4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7", "pattern": "[file:hashes.SHA1 = '7ebdea26b6a0b7e9e7606d70c187ab0be934386e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a239900-6ad0-4ebd-bc73-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:08.000Z", "modified": "2017-12-03T06:26:08.000Z", "description": "com.press.nasa.com.tanofresh - Xchecked via VT: 4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7", "pattern": "[file:hashes.MD5 = 'd0da76c2f0c5aa3ef5af897bec2f0e52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-03T06:26:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a239900-da84-4a68-89a5-bb2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-03T06:26:08.000Z", "modified": "2017-12-03T06:26:08.000Z", "first_observed": "2017-12-03T06:26:08Z", "last_observed": "2017-12-03T06:26:08Z", "number_observed": 1, "object_refs": [ "url--5a239900-da84-4a68-89a5-bb2c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a239900-da84-4a68-89a5-bb2c02de0b81", "value": "https://www.virustotal.com/file/4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7/analysis/1512212017/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }