{ "type": "bundle", "id": "bundle--5a39216d-e93c-4046-8ff5-bfd8950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T03:00:57.000Z", "modified": "2017-12-21T03:00:57.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a39216d-e93c-4046-8ff5-bfd8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T03:00:57.000Z", "modified": "2017-12-21T03:00:57.000Z", "name": "OSINT - Banking malware on Google Play targets Polish banks", "published": "2017-12-28T13:34:35Z", "object_refs": [ "observed-data--5a392180-b698-400a-9024-1536950d210f", "url--5a392180-b698-400a-9024-1536950d210f", "x-misp-attribute--5a3a24a1-2a94-44fa-88d7-46c0950d210f", "indicator--5a3a26cc-30dc-4013-8210-4b21950d210f", "indicator--5a3a26cd-2184-4b96-9018-4666950d210f", "indicator--5a3a26cd-adc0-4e15-ac10-4428950d210f", "indicator--5a3a26cd-7284-44be-9b2a-4461950d210f", "indicator--5a3a26cd-0fbc-446c-8323-464f950d210f", "indicator--5a3a26cd-ebe0-42da-880e-423a950d210f", "indicator--5a3a26cd-40dc-45f5-9e92-4e8e950d210f", "indicator--5a3a26cd-83a8-470d-b24a-4a56950d210f", "indicator--5a3a26cd-7ad0-48d3-8d55-4435950d210f", "indicator--5a3a26cd-4c38-47ad-9bfa-4715950d210f", "indicator--5a3a26cd-a3dc-432a-b5cb-4171950d210f", "indicator--5a3a26cd-cc3c-480c-8cb4-4612950d210f", "indicator--5a3a26cd-634c-4d09-826d-4a28950d210f", "indicator--5a3a26cd-6cd0-44dd-9c14-4ffa950d210f", "indicator--5a3a2774-9c5c-48e5-b05e-49bb950d210f", "indicator--5a3a2774-8a18-4838-a42e-47e6950d210f", "indicator--5a3a279c-ebc4-44ab-b54e-4c19950d210f", "indicator--5a3a27b5-7db0-4cbc-984b-47b9950d210f", "indicator--277a53e1-58de-48f5-a24b-1020de7738aa", "x-misp-object--026a1242-16cf-491b-9bab-2de522dfba23", "indicator--f011249c-b0da-4bd6-9043-07bcc2414922", "x-misp-object--faf365d9-29da-477a-b73d-a22e07c53249", "relationship--f10c3cc9-84ba-4d8a-9470-d356b4dac4e6", "relationship--8e1b8251-aca9-4d18-94d1-1e4f91517908" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:source-type=\"blog-post\"", "Banker", "ms-caro-malware-full:malware-family=\"Banker\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a392180-b698-400a-9024-1536950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "first_observed": "2017-12-20T09:17:53Z", "last_observed": "2017-12-20T09:17:53Z", "number_observed": 1, "object_refs": [ "url--5a392180-b698-400a-9024-1536950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a392180-b698-400a-9024-1536950d210f", "value": "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a3a24a1-2a94-44fa-88d7-46c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Another set of banking Trojans has found its way past Google Play\u00e2\u20ac\u2122s security mechanisms, this time targeting a number of Polish banks. The malware managed to sneak into Google Play disguised as seemingly legitimate apps \u00e2\u20ac\u0153Crypto Monitor\u00e2\u20ac\u009d, a cryptocurrency price tracking app, and \u00e2\u20ac\u0153StorySaver\u00e2\u20ac\u009d, a third-party tool for downloading stories from Instagram." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cc-30dc-4013-8210-4b21950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'com.comarch.mobile']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-2184-4b96-9018-4666950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.bzwbk.bzwbk24']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-adc0-4e15-ac10-4428950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'com.getingroup.mobilebanking']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-7284-44be-9b2a-4461950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.pkobp.iko']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-0fbc-446c-8323-464f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.ing.mojeing']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-ebe0-42da-880e-423a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'wit.android.bcpBankingApp.millenniumPL']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-40dc-45f5-9e92-4e8e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.mbank']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-83a8-470d-b24a-4a56950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.bph']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-7ad0-48d3-8d55-4435950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'pl.fmbank.smart']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-4c38-47ad-9bfa-4715950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'eu.eleader.mobilebanking.pekao']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-a3dc-432a-b5cb-4171950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'eu.eleader.mobilebanking.pekao.firm']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-cc3c-480c-8cb4-4612950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'eu.eleader.mobilebanking.invest']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-634c-4d09-826d-4a28950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'eu.eleader.mobilebanking.raiffeisen']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a26cd-6cd0-44dd-9c14-4ffa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "pattern": "[file:name = 'com.konylabs.cbplpat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a2774-9c5c-48e5-b05e-49bb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "description": "Phishing server", "pattern": "[domain-name:value = 'nelis.at']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a2774-8a18-4838-a42e-47e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:53.000Z", "modified": "2017-12-20T09:17:53.000Z", "description": "Phishing server", "pattern": "[domain-name:value = 'sdljfkh1313.win']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a279c-ebc4-44ab-b54e-4c19950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:04:28.000Z", "modified": "2017-12-20T09:04:28.000Z", "pattern": "[file:hashes.SHA1 = '57a96d024e61f683020be46173d74fad4cf05806' AND file:name = 'in.crypto.monitor.coins' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:04:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3a27b5-7db0-4cbc-984b-47b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:04:53.000Z", "modified": "2017-12-20T09:04:53.000Z", "pattern": "[file:hashes.SHA1 = '757ea52db39e9cdbf5e2e95485801e3e4b19020d' AND file:name = 'com.app.storysavernew' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:04:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--277a53e1-58de-48f5-a24b-1020de7738aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:56.000Z", "modified": "2017-12-20T09:17:56.000Z", "pattern": "[file:hashes.MD5 = '5e9b289928004deade3fbfc20049abf5' AND file:hashes.SHA1 = '757ea52db39e9cdbf5e2e95485801e3e4b19020d' AND file:hashes.SHA256 = '204f2e5e18691156036cbcfc69fa759272a2180fba77a74415ccb2c7469a670b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--026a1242-16cf-491b-9bab-2de522dfba23", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:54.000Z", "modified": "2017-12-20T09:17:54.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/204f2e5e18691156036cbcfc69fa759272a2180fba77a74415ccb2c7469a670b/analysis/1513618446/", "category": "External analysis", "uuid": "5a3a2ac2-17e4-4668-bec1-4fb102de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "26/62", "category": "Other", "uuid": "5a3a2ac2-8e18-430c-9768-488302de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-18T17:34:06", "category": "Other", "uuid": "5a3a2ac2-1be0-4199-bcfc-423302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f011249c-b0da-4bd6-9043-07bcc2414922", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:57.000Z", "modified": "2017-12-20T09:17:57.000Z", "pattern": "[file:hashes.MD5 = '883c2183fecc06f1faab8fbab03186e6' AND file:hashes.SHA1 = '57a96d024e61f683020be46173d74fad4cf05806' AND file:hashes.SHA256 = '86aaed9017e3af5d1d9c8460f2d8164f14e14db01b1a278b4b93859d3cf982f5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:17:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--faf365d9-29da-477a-b73d-a22e07c53249", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:17:54.000Z", "modified": "2017-12-20T09:17:54.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/86aaed9017e3af5d1d9c8460f2d8164f14e14db01b1a278b4b93859d3cf982f5/analysis/1513240956/", "category": "External analysis", "uuid": "5a3a2ac2-bd34-4ab5-a5fe-439302de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "17/63", "category": "Other", "uuid": "5a3a2ac2-2b70-47a0-98c7-4be502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-14T08:42:36", "category": "Other", "uuid": "5a3a2ac2-e174-44ff-97a8-456f02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f10c3cc9-84ba-4d8a-9470-d356b4dac4e6", "created": "2017-12-28T13:34:34.000Z", "modified": "2017-12-28T13:34:34.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--277a53e1-58de-48f5-a24b-1020de7738aa", "target_ref": "x-misp-object--026a1242-16cf-491b-9bab-2de522dfba23" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8e1b8251-aca9-4d18-94d1-1e4f91517908", "created": "2017-12-28T13:34:35.000Z", "modified": "2017-12-28T13:34:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f011249c-b0da-4bd6-9043-07bcc2414922", "target_ref": "x-misp-object--faf365d9-29da-477a-b73d-a22e07c53249" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }