{ "type": "bundle", "id": "bundle--f6098894-bbc6-4ee8-adbb-fc99b4c86f04", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:46:37.000Z", "modified": "2023-01-10T15:46:37.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--f6098894-bbc6-4ee8-adbb-fc99b4c86f04", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:46:37.000Z", "modified": "2023-01-10T15:46:37.000Z", "name": "OSINT - Godfather Trojan IOCs", "published": "2023-01-10T15:46:51Z", "object_refs": [ "indicator--582e28d6-70ac-49a8-9523-2a55359b3a53", "indicator--283be250-ecdc-4057-82d5-26c5d452dfbd", "indicator--9d2bc2c9-2361-472a-86bb-81f99ccd6a15", "indicator--c518b2f0-1417-4720-b578-13160b24e034", "indicator--326dcec3-ac72-47b8-bb76-01463bee1c91", "indicator--f9fcdd3d-3e6f-47b7-b1a8-319eb91f8dd9", "indicator--8fc32fd2-12be-4460-bc40-f3374a26f868", "indicator--67299acd-4ca5-499c-ba2c-47db1130e081", "indicator--7ac407eb-b23e-469e-bde7-a2b31abc5d40", "indicator--dfd9f51b-ef52-4b04-9f25-4a60c8bbbf0e", "indicator--f3c722b8-75c6-479f-8805-7f06e6062c6c", "indicator--a0f4eac1-dea6-4b7d-bda0-e69f09b65ce0", "indicator--4a91a0e3-a25a-488c-aef4-2af731657555", "indicator--6f9fd4b2-0c0d-4f5a-aa4a-184417889d0b", "indicator--7b1f707d-3eea-492d-8196-5dd13921360f", "indicator--748ec32a-a7c9-48f6-b189-3100b5ef40d8", "indicator--cea15d0d-fac6-47d1-b9ea-5775b446b814", "indicator--3c5664c2-98ff-499e-a915-2ef2fe2f6a88", "indicator--2e220ffc-630f-4348-89b3-a894961cbb7d", "indicator--8c02c3aa-e7c9-4e79-b9c8-d562835becb6", "indicator--ae613301-2400-48c4-b23c-df853f9d4f3d", "indicator--03574f55-8a78-4e36-add2-01b1f5c1df32", "indicator--0c7c6c3b-5b82-4e61-a380-1115cc8b8fed", "indicator--40fb7312-71a4-469c-89db-65f38ddb73ee", "indicator--91bbcc0a-5c71-4750-9f41-bf08b72bbd4b", "indicator--504c51f0-f3d2-43e6-b4d7-baac114828e9", "indicator--4edbf8e1-d4ab-4fe1-8ba9-d28268cc9b9f", "x-misp-object--00451894-1a23-462f-a90d-c0d852d9fe80", "x-misp-object--05d7898d-e645-406b-ba38-eb56f4e4bd13", "indicator--09799c14-87d6-4a36-9e61-f1353f49f50d", "x-misp-object--344f2b3c-8c0a-49fe-867b-5b9c7dcf4166", "x-misp-object--e6777be6-8b69-49a6-b286-521b557b108c" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Authorized App Store - T1475\"", "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"", "veris:asset:variety=\"U - Mobile phone\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "tlp:clear" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582e28d6-70ac-49a8-9523-2a55359b3a53", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'http://168.100.9.86/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--283be250-ecdc-4057-82d5-26c5d452dfbd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'http://45.61.138.60/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9d2bc2c9-2361-472a-86bb-81f99ccd6a15", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'http://50.18.3.26/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c518b2f0-1417-4720-b578-13160b24e034", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'http://heikenmorgan.com/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--326dcec3-ac72-47b8-bb76-01463bee1c91", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'https://banerrokutepera.com/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f9fcdd3d-3e6f-47b7-b1a8-319eb91f8dd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:08:13.000Z", "modified": "2023-01-10T15:08:13.000Z", "pattern": "[url:value = 'https://henkormerise.com/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:08:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8fc32fd2-12be-4460-bc40-f3374a26f868", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '168.100.9.86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67299acd-4ca5-499c-ba2c-47db1130e081", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.61.138.60']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ac407eb-b23e-469e-bde7-a2b31abc5d40", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.18.3.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dfd9f51b-ef52-4b04-9f25-4a60c8bbbf0e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[url:value = 'heikenmorgan.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f3c722b8-75c6-479f-8805-7f06e6062c6c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[url:value = 'banerrokutepera.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a0f4eac1-dea6-4b7d-bda0-e69f09b65ce0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:09:18.000Z", "modified": "2023-01-10T15:09:18.000Z", "pattern": "[domain-name:value = 'henkormerise.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4a91a0e3-a25a-488c-aef4-2af731657555", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = '0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6f9fd4b2-0c0d-4f5a-aa4a-184417889d0b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = '38386f4fabd0bc7f7065eaee818717e89772fb3b1a3744df754c45778e353f70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b1f707d-3eea-492d-8196-5dd13921360f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = '7664293fc1dde797940d857d1f16eb1e12a15b9126d704854f97df1bedc18758']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--748ec32a-a7c9-48f6-b189-3100b5ef40d8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = '9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cea15d0d-fac6-47d1-b9ea-5775b446b814", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = '9dfb5b4ad9aac36c2d7fbb93f8668faa819cb0df16f4a55d00f1cdda89c9a6d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3c5664c2-98ff-499e-a915-2ef2fe2f6a88", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2e220ffc-630f-4348-89b3-a894961cbb7d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8c02c3aa-e7c9-4e79-b9c8-d562835becb6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'c3dadb9a593523d1bf3fe76dabf375578119aff3110d92a1a4ee6db06742263a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ae613301-2400-48c4-b23c-df853f9d4f3d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'c4bace10849f23e9972e555ac2e30ac128b7a90017a0f76c197685a0c60def6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03574f55-8a78-4e36-add2-01b1f5c1df32", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'c79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0c7c6c3b-5b82-4e61-a380-1115cc8b8fed", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:23.000Z", "modified": "2023-01-10T15:10:23.000Z", "pattern": "[file:hashes.SHA256 = 'd652ac528102de3ebb42a973db639ae27f13738e005172e5ff8aac6e91f3f760']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:10:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--40fb7312-71a4-469c-89db-65f38ddb73ee", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:19:09.000Z", "modified": "2023-01-10T15:19:09.000Z", "description": "%KEY% is the key sent as a parameter in the requests mentioned above. %LOCALE% is the system language. The user-agent used when the request is executed is:", "pattern": "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = 'Mozilla/5.0 (Linux; Android 9; SM-J730F Build/PPR12.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.181 Mobile Safari/537.36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:19:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"user-agent\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--91bbcc0a-5c71-4750-9f41-bf08b72bbd4b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:20:44.000Z", "modified": "2023-01-10T15:20:44.000Z", "pattern": "[domain-name:value = 'banerrokutepera.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:20:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--504c51f0-f3d2-43e6-b4d7-baac114828e9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:20:44.000Z", "modified": "2023-01-10T15:20:44.000Z", "pattern": "[domain-name:value = 'heikenmorgan.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:20:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4edbf8e1-d4ab-4fe1-8ba9-d28268cc9b9f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:20:44.000Z", "modified": "2023-01-10T15:20:44.000Z", "pattern": "[domain-name:value = 'pluscurrencyconverter.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:20:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--00451894-1a23-462f-a90d-c0d852d9fe80", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:10:04.000Z", "modified": "2023-01-10T15:10:04.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://1275.ru/ioc/1192/godfather-trojan-iocs/", "category": "External analysis", "uuid": "8dc384c7-67b9-4a8d-b449-f6804487902b" }, { "type": "text", "object_relation": "summary", "value": "Group-IB \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0432 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c \u043c\u0430\u0433\u0430\u0437\u0438\u043d\u0435 Google Play \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u0442\u0440\u043e\u044f\u043d\u0430 Godfather, \u0433\u0434\u0435 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441 \u043c\u0430\u0441\u043a\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043f\u043e\u0434 \u043b\u0435\u0433\u0430\u043b\u044c\u043d\u044b\u0435 \u043a\u0440\u0438\u043f\u0442\u043e\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f. \u0413\u0435\u043e\u0433\u0440\u0430\u0444\u0438\u044f \u0435\u0433\u043e \u0436\u0435\u0440\u0442\u0432 \u043e\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u0442 16 \u0441\u0442\u0440\u0430\u043d \u043c\u0438\u0440\u0430, \u0430 \u0441\u043f\u0438\u0441\u043e\u043a \u0446\u0435\u043b\u0435\u0439 \u043d\u0430\u0441\u0447\u0438\u0442\u044b\u0432\u0430\u0435\u0442 \u0431\u043e\u043b\u0435\u0435 400 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0431\u0430\u043d\u043a\u043e\u0432, \u043a\u0440\u0438\u043f\u0442\u043e\u0432\u0430\u043b\u044e\u0442\u043d\u044b\u0445 \u0431\u0438\u0440\u0436 \u0438 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0445 \u043a\u043e\u0448\u0435\u043b\u044c\u043a\u043e\u0432.", "category": "Other", "uuid": "ae3e1b8d-b149-4551-9412-ebee765c9de5" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "469bd9cb-bb87-404f-a325-624866e88da7" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--05d7898d-e645-406b-ba38-eb56f4e4bd13", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:11:09.000Z", "modified": "2023-01-10T15:11:09.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8", "category": "External analysis", "uuid": "cf926a0e-0c8a-46ea-9fe9-915e81b5e76e" }, { "type": "text", "object_relation": "detection-ratio", "value": "29/66", "category": "Other", "uuid": "1de1435a-1eb5-4bcf-8c82-5576ce32606c" } ], "x_misp_comment": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module", "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--09799c14-87d6-4a36-9e61-f1353f49f50d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:11:09.000Z", "modified": "2023-01-10T15:11:09.000Z", "description": "0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8: Enriched via the virustotal module", "pattern": "[file:hashes.MD5 = 'ec9f857999b4fc3dd007fdb786b7a8d1' AND file:hashes.SHA1 = '3fa48a36d22d848ad111b246ca94fa58088dbb7a' AND file:hashes.SHA256 = '0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8' AND file:hashes.SSDEEP = '98304:vDdInEpAOdLl2DfGjOmP34z09nmw3xAZMV8JiDQeZgUGdh0fr33dmh++0oEHi6Pz:5gE7tf3u09nmiOZmDid9h+CFZMXmwfXR' AND file:hashes.VHASH = 'ede26ab6fd89266ae46ad188b676ce54' AND file:x_misp_tlsh = 't1cb76125af718a86fc1f792324679522a66074c268743ea875968727c0dbbdc04f4bfcc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-01-10T15:11:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--344f2b3c-8c0a-49fe-867b-5b9c7dcf4166", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:14:14.000Z", "modified": "2023-01-10T15:14:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070", "category": "External analysis", "uuid": "0514771e-3eee-4ab7-bda0-005ada4ce08c" }, { "type": "text", "object_relation": "detection-ratio", "value": "22/66", "category": "Other", "uuid": "45c71feb-c0cf-41c7-ac50-eb21152dda6e" } ], "x_misp_comment": "9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070: Enriched via the virustotal module", "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e6777be6-8b69-49a6-b286-521b557b108c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-01-10T15:17:23.000Z", "modified": "2023-01-10T15:17:23.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://blog.group-ib.com/godfather-trojan", "category": "External analysis", "uuid": "288a1ec3-7867-48fa-aeb0-6718edaae63c" }, { "type": "text", "object_relation": "summary", "value": "The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges.\r\n\r\nFew people realize that hiding under Godfather\u2019s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers.", "category": "Other", "uuid": "76bfccf5-2126-4090-b782-fd2c85ba72db" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "c402c0b0-0a54-40b1-825d-3a8b21f33917" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }