{ "type": "bundle", "id": "bundle--56e9b21a-98fc-4d0e-ae29-4e53950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:33.000Z", "modified": "2016-03-16T19:28:33.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56e9b21a-98fc-4d0e-ae29-4e53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:33.000Z", "modified": "2016-03-16T19:28:33.000Z", "name": "OSINT - AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device", "published": "2016-03-16T19:29:28Z", "object_refs": [ "observed-data--56e9b248-c8b4-40ab-977f-5ef7950d210f", "url--56e9b248-c8b4-40ab-977f-5ef7950d210f", "x-misp-attribute--56e9b25b-880c-46b8-8e3e-4757950d210f", "indicator--56e9b29f-c87c-4af3-a97f-4d47950d210f", "indicator--56e9b29f-363c-4673-8be4-4006950d210f", "indicator--56e9b29f-1674-48f9-8f1e-45e0950d210f", "indicator--56e9b30d-5d94-46b3-a850-4d2a950d210f", "indicator--56e9b30e-0360-4c96-bd7a-4b71950d210f", "indicator--56e9b30e-7498-4799-99e2-4a41950d210f", "indicator--56e9b30e-63f4-4e36-aa21-4ca2950d210f", "indicator--56e9b30f-9c50-44c7-ae2b-4f19950d210f", "indicator--56e9b30f-e5f0-4e6d-955f-45ac950d210f", "indicator--56e9b30f-ff78-461f-96c2-47fc950d210f", "indicator--56e9b310-28f8-4a9d-9d54-45bf950d210f", "indicator--56e9b310-0d74-4679-9d06-4682950d210f", "indicator--56e9b310-c480-4783-8a3d-4298950d210f", "indicator--56e9b311-39c8-4c61-b645-4801950d210f", "indicator--56e9b311-8d54-4c07-af17-47cf950d210f", "indicator--56e9b311-efb0-4da9-8671-438b950d210f", "indicator--56e9b311-c030-4206-8ab4-4d42950d210f", "indicator--56e9b312-5cdc-41cf-bffc-4450950d210f", "indicator--56e9b33e-182c-4cd2-9bb0-5ef5950d210f", "indicator--56e9b33f-c1f4-4de4-86ae-5ef5950d210f", "indicator--56e9b36a-195c-434c-ab05-5ef7950d210f", 
"indicator--56e9b36b-9118-420c-97a9-5ef7950d210f", "indicator--56e9b36b-a204-43cb-afe8-5ef7950d210f", "indicator--56e9b36b-2e90-4b0f-8fcf-5ef7950d210f", "indicator--56e9b36b-aa08-41eb-ad42-5ef7950d210f", "indicator--56e9b36c-5d88-47c6-be01-5ef7950d210f", "indicator--56e9b36c-195c-4267-8a9d-5ef7950d210f", "indicator--56e9b392-dda8-45c5-962f-4d6c950d210f", "indicator--56e9b392-3c78-47aa-8a65-4cfd950d210f", "indicator--56e9b393-81f8-41c0-8810-4c11950d210f", "indicator--56e9b3e1-0134-47b2-9d20-539002de0b81", "indicator--56e9b3e2-ce6c-43d0-902a-539002de0b81", "observed-data--56e9b3e2-3be0-4939-86f9-539002de0b81", "url--56e9b3e2-3be0-4939-86f9-539002de0b81", "indicator--56e9b3e2-9b9c-44a2-abdf-539002de0b81", "indicator--56e9b3e3-7ba0-4ecd-9ff2-539002de0b81", "observed-data--56e9b3e3-67f0-47a5-9734-539002de0b81", "url--56e9b3e3-67f0-47a5-9734-539002de0b81", "indicator--56e9b3e3-7db8-417f-a573-539002de0b81", "indicator--56e9b3e3-1dd4-4993-af5c-539002de0b81", "observed-data--56e9b3e4-13bc-47cf-8be4-539002de0b81", "url--56e9b3e4-13bc-47cf-8be4-539002de0b81", "indicator--56e9b3e4-eedc-4dac-8ddb-539002de0b81", "indicator--56e9b3e4-8904-4bb6-bb24-539002de0b81", "observed-data--56e9b3e5-bed0-4c2b-9ac2-539002de0b81", "url--56e9b3e5-bed0-4c2b-9ac2-539002de0b81", "indicator--56e9b3e5-1f30-4e40-b43a-539002de0b81", "indicator--56e9b3e5-8f30-4bbe-845b-539002de0b81", "observed-data--56e9b3e6-27b8-4ddc-a0e2-539002de0b81", "url--56e9b3e6-27b8-4ddc-a0e2-539002de0b81", "indicator--56e9b3e6-7228-4456-9bfc-539002de0b81", "indicator--56e9b3e6-c170-4338-8e5b-539002de0b81", "observed-data--56e9b3e6-7c80-4d07-b399-539002de0b81", "url--56e9b3e6-7c80-4d07-b399-539002de0b81", "indicator--56e9b3e7-c034-436b-8f5d-539002de0b81", "indicator--56e9b3e7-0b9c-4e9e-bed4-539002de0b81", "observed-data--56e9b3e7-970c-43e0-a3a7-539002de0b81", "url--56e9b3e7-970c-43e0-a3a7-539002de0b81", "indicator--56e9b3e7-4974-4ada-aa27-539002de0b81", "indicator--56e9b3e8-f0f4-4174-af9d-539002de0b81", 
"observed-data--56e9b3e8-75ec-4a33-8129-539002de0b81", "url--56e9b3e8-75ec-4a33-8129-539002de0b81", "indicator--56e9b3e8-27f0-4156-94ff-539002de0b81", "indicator--56e9b3e9-c564-4c77-b1f9-539002de0b81", "observed-data--56e9b3e9-f938-480c-821e-539002de0b81", "url--56e9b3e9-f938-480c-821e-539002de0b81", "indicator--56e9b3e9-a930-436c-baa8-539002de0b81", "indicator--56e9b3e9-5648-442a-98fc-539002de0b81", "observed-data--56e9b3ea-3c44-4c6d-9b5d-539002de0b81", "url--56e9b3ea-3c44-4c6d-9b5d-539002de0b81", "indicator--56e9b3ea-a06c-4039-b71e-539002de0b81", "indicator--56e9b3ea-39bc-4d31-a57e-539002de0b81", "observed-data--56e9b3eb-e118-470e-839d-539002de0b81", "url--56e9b3eb-e118-470e-839d-539002de0b81", "indicator--56e9b3eb-e7ec-4948-aeae-539002de0b81", "indicator--56e9b3eb-93a4-484b-b932-539002de0b81", "observed-data--56e9b3eb-2ca8-4f08-91af-539002de0b81", "url--56e9b3eb-2ca8-4f08-91af-539002de0b81", "indicator--56e9b3ec-f208-4010-a835-539002de0b81", "indicator--56e9b3ec-6ce4-4e54-9f0d-539002de0b81", "observed-data--56e9b3ec-390c-423c-aba8-539002de0b81", "url--56e9b3ec-390c-423c-aba8-539002de0b81", "indicator--56e9b3ed-f774-41a9-a3fe-539002de0b81", "indicator--56e9b3ed-bb24-451f-9f8e-539002de0b81", "observed-data--56e9b3ed-cabc-417f-be44-539002de0b81", "url--56e9b3ed-cabc-417f-be44-539002de0b81", "indicator--56e9b3ed-7924-4041-b2ca-539002de0b81", "indicator--56e9b3ee-f938-4289-b4d2-539002de0b81", "observed-data--56e9b3ee-69dc-46a7-9742-539002de0b81", "url--56e9b3ee-69dc-46a7-9742-539002de0b81", "indicator--56e9b3ee-5440-4e68-b64d-539002de0b81", "indicator--56e9b3ef-f41c-468b-a86e-539002de0b81", "observed-data--56e9b3ef-8398-4967-a74a-539002de0b81", "url--56e9b3ef-8398-4967-a74a-539002de0b81", "indicator--56e9b3ef-e360-4ef3-ba4d-539002de0b81", "indicator--56e9b3ef-da7c-4896-9ec2-539002de0b81", "observed-data--56e9b3f0-4efc-41e2-b727-539002de0b81", "url--56e9b3f0-4efc-41e2-b727-539002de0b81", "indicator--56e9b3f0-ce04-4ef3-b3b6-539002de0b81", 
"indicator--56e9b3f0-7e84-4d3d-9acf-539002de0b81", "observed-data--56e9b3f0-6120-4139-9553-539002de0b81", "url--56e9b3f0-6120-4139-9553-539002de0b81", "indicator--56e9b3f1-ec94-4b84-af15-539002de0b81", "indicator--56e9b3f1-e0f4-4400-8f2a-539002de0b81", "observed-data--56e9b3f1-8568-4416-8869-539002de0b81", "url--56e9b3f1-8568-4416-8869-539002de0b81", "indicator--56e9b3f2-c6c8-4f37-b17b-539002de0b81", "indicator--56e9b3f2-1954-474d-9234-539002de0b81", "observed-data--56e9b3f2-dfd8-44ff-a678-539002de0b81", "url--56e9b3f2-dfd8-44ff-a678-539002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b248-c8b4-40ab-977f-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:21:44.000Z", "modified": "2016-03-16T19:21:44.000Z", "first_observed": "2016-03-16T19:21:44Z", "last_observed": "2016-03-16T19:21:44Z", "number_observed": 1, "object_refs": [ "url--56e9b248-c8b4-40ab-977f-5ef7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b248-c8b4-40ab-977f-5ef7950d210f", "value": "http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56e9b25b-880c-46b8-8e3e-4757950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:22:03.000Z", "modified": "2016-03-16T19:22:03.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "We\u00e2\u20ac\u2122ve discovered a new family of iOS malware that successfully infected non-jailbroken devices 
we\u2019ve named \u201cAceDeceiver\u201d.\r\n\r\nWhat makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple\u2019s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector.\r\n\r\nAceDeceiver is the first iOS malware we\u2019ve seen that abuses certain design flaws in Apple\u2019s DRM protection mechanism \u2014 namely FairPlay \u2014 to install malicious apps on iOS devices regardless of whether they are jailbroken. This technique is called \u201cFairPlay Man-In-The-Middle (MITM)\u201d and has been used since 2013 to spread pirated iOS apps, but this is the first time we\u2019ve seen it used to spread malware. 
(The FairPlay MITM attack technique was also presented at the USENIX Security Symposium in 2014; however, attacks using this technique are still occurring successfully.)" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b29f-c87c-4af3-a97f-4d47950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:23:11.000Z", "modified": "2016-03-16T19:23:11.000Z", "description": "C2 Domains", "pattern": "[domain-name:value = 'tool.verify.i4.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:23:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b29f-363c-4673-8be4-4006950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:23:11.000Z", "modified": "2016-03-16T19:23:11.000Z", "description": "C2 Domains", "pattern": "[domain-name:value = 'auth3.i4.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:23:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b29f-1674-48f9-8f1e-45e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:23:11.000Z", "modified": "2016-03-16T19:23:11.000Z", "description": "C2 Domains", "pattern": "[domain-name:value = 'buy.app.i4.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:23:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", 
"misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30d-5d94-46b3-a850-4d2a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:01.000Z", "modified": "2016-03-16T19:25:01.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '0a8e29bd8fe0f5d4d6a8677454b1d01e97478dc4bc3666eaab6bbbf2f2e759bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30e-0360-4c96-bd7a-4b71950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:02.000Z", "modified": "2016-03-16T19:25:02.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '1b6cf5abe2bd3d5bb84da8debd5ec563393d30995ce4afc6142dc3381ac69902']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30e-7498-4799-99e2-4a41950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:02.000Z", "modified": "2016-03-16T19:25:02.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '352d1af3a5cef417dda688be2dd35c3f59841ea56c393a07f95a0bc5ab576448']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2016-03-16T19:25:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30e-63f4-4e36-aa21-4ca2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:02.000Z", "modified": "2016-03-16T19:25:02.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '5bc7ceb48ca4951997d50425d5b34484505e4444a3e172ab846b2595104b7138']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30f-9c50-44c7-ae2b-4f19950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:03.000Z", "modified": "2016-03-16T19:25:03.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '5bebcacfb5c541bd6ba7530aeb2971c20adb1beddb244e4367d40cd87bfc826d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30f-e5f0-4e6d-955f-45ac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:03.000Z", "modified": "2016-03-16T19:25:03.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise 
certificate signed versions)", "pattern": "[file:hashes.SHA256 = '63e3cc1d00abef8ad6c2029e7f9a4831ec4c48682979a7385a940fb73cfc03a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b30f-ff78-461f-96c2-47fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:03.000Z", "modified": "2016-03-16T19:25:03.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '821f93bae8c067af71626ca84cdc20226df61c4c371e5eb6423d9439c8b8c25d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b310-28f8-4a9d-9d54-45bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:04.000Z", "modified": "2016-03-16T19:25:04.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '86b8065d40c24e3702ed848ec28650b074a577f677375c094ed61a2efffce11b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b310-0d74-4679-9d06-4682950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:04.000Z", "modified": "2016-03-16T19:25:04.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = '9a4a40625efcc6f4de419db0bec9fbdfdc379918a95fba572ee56cffc13cd074']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b310-c480-4783-8a3d-4298950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:04.000Z", "modified": "2016-03-16T19:25:04.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'a504d47fdfa630bc1c474cdbdaf0dd82a46a08e5d662ecc1bffc57f3c409690e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b311-39c8-4c61-b645-4801950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:05.000Z", "modified": "2016-03-16T19:25:05.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'baa255dd7a0e52edf6e4f3082a6840800898969a3d17f2bcb6a88d0a94c5b795']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b311-8d54-4c07-af17-47cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:05.000Z", "modified": "2016-03-16T19:25:05.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'bc5e3be07e65f25479cee7de8615b386c489c1253659ed7ca5526f86f5116374']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b311-efb0-4da9-8671-438b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:05.000Z", "modified": "2016-03-16T19:25:05.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'c41e3abd97e16b3d9514583eef613105006d69dffb2231badfd500d29eb113bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b311-c030-4206-8ab4-4d42950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:05.000Z", "modified": "2016-03-16T19:25:05.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'd879c6d96463b81e4f2085a565418c99b559a8803ca449442464a2b6cd728d97']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2016-03-16T19:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b312-5cdc-41cf-bffc-4450950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:06.000Z", "modified": "2016-03-16T19:25:06.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions)", "pattern": "[file:hashes.SHA256 = 'f6cabdc408e12912c07097c9956ceda2f7033e88c2ca59d7618b9256d3724f5c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b33e-182c-4cd2-9bb0-5ef5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:50.000Z", "modified": "2016-03-16T19:25:50.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM stripped)", "pattern": "[file:name = 'com.i4.picture.ipa' AND file:hashes.SHA256 = 'bc82efce99f149441a2fd730a961a0f7da58dd6c9c3b45597f5571f227a52309']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b33f-c1f4-4de4-86ae-5ef5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:25:51.000Z", "modified": "2016-03-16T19:25:51.000Z", 
"description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM stripped)", "pattern": "[file:name = 'aisiweb' AND file:hashes.SHA256 = 'ad7cfc29b0a9b6ade878d01084c68d0bbcde699e142652b00132317c04bcf730']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:25:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36a-195c-434c-ab05-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:34.000Z", "modified": "2016-03-16T19:26:34.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = '5894742146c02ba8af5390c91e4f0d2e5ad6cfaa2b916945ebb4fad633b054e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36b-9118-420c-97a9-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:35.000Z", "modified": "2016-03-16T19:26:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = 'ba07f252801120b081c45a173fb1a205fea763ed827f05fb9beb5150ae297ccb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--56e9b36b-a204-43cb-afe8-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:35.000Z", "modified": "2016-03-16T19:26:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = 'f7e50fdc4f20f0d25771a694eb3f3643c1842e3b14f06aaa5e8d9dab1c1851e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36b-2e90-4b0f-8fcf-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:35.000Z", "modified": "2016-03-16T19:26:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = 'ca115f8a3751e4c0fc36b001e3c74d3ac167360a4a44fd1b373b25487de05820']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36b-aa08-41eb-ad42-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:35.000Z", "modified": "2016-03-16T19:26:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = '3e02b30a6a920a5bdc139270b1e731a4a8d7ab313e9c8d9af9fec611710b4d09']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:35Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36c-5d88-47c6-be01-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:36.000Z", "modified": "2016-03-16T19:26:36.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = '006c539fa6251e1d2142631c52d7c112bf5027335696eacd64794b8cf357d6d5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b36c-195c-4267-8a9d-5ef7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:26:36.000Z", "modified": "2016-03-16T19:26:36.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected)", "pattern": "[file:hashes.SHA256 = 'fbc26c14a3ff609332644f5d9702f07ace024961b7aa2c531df2715911b1c57d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:26:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b392-dda8-45c5-962f-4d6c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:27:14.000Z", "modified": "2016-03-16T19:27:14.000Z", "description": "Trojan.Win32.AceDeceiver", "pattern": "[file:hashes.SHA256 = 
'ad313d8e65e72a790332280701bc2c2d68a12efbeba1b97ce3dde62abbb81c97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:27:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b392-3c78-47aa-8a65-4cfd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:27:14.000Z", "modified": "2016-03-16T19:27:14.000Z", "description": "Trojan.Win32.AceDeceiver", "pattern": "[file:hashes.SHA256 = '9231166a2114f6b1c2d6cd6a57b5836e919ee5739d8868f07425d3c22697894e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:27:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b393-81f8-41c0-8810-4c11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:27:15.000Z", "modified": "2016-03-16T19:27:15.000Z", "description": "Trojan.Win32.AceDeceiver", "pattern": "[file:hashes.SHA256 = '78a2cdade1b0715e4f3f372e86724ee10e241ad8821c6b8caa3e84fd7e78ba7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:27:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e1-0134-47b2-9d20-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:33.000Z", "modified": "2016-03-16T19:28:33.000Z", "description": 
"Trojan.Win32.AceDeceiver - Xchecked via VT: 78a2cdade1b0715e4f3f372e86724ee10e241ad8821c6b8caa3e84fd7e78ba7e", "pattern": "[file:hashes.SHA1 = '4e176ae83e49bf9f3b5040063fec290d676af144']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e2-ce6c-43d0-902a-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:34.000Z", "modified": "2016-03-16T19:28:34.000Z", "description": "Trojan.Win32.AceDeceiver - Xchecked via VT: 78a2cdade1b0715e4f3f372e86724ee10e241ad8821c6b8caa3e84fd7e78ba7e", "pattern": "[file:hashes.MD5 = '3c1406453dbec9284caa1a10b4a83fd7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e2-3be0-4939-86f9-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:34.000Z", "modified": "2016-03-16T19:28:34.000Z", "first_observed": "2016-03-16T19:28:34Z", "last_observed": "2016-03-16T19:28:34Z", "number_observed": 1, "object_refs": [ "url--56e9b3e2-3be0-4939-86f9-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e2-3be0-4939-86f9-539002de0b81", "value": "https://www.virustotal.com/file/78a2cdade1b0715e4f3f372e86724ee10e241ad8821c6b8caa3e84fd7e78ba7e/analysis/1457925852/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56e9b3e2-9b9c-44a2-abdf-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:34.000Z", "modified": "2016-03-16T19:28:34.000Z", "description": "Trojan.Win32.AceDeceiver - Xchecked via VT: 9231166a2114f6b1c2d6cd6a57b5836e919ee5739d8868f07425d3c22697894e", "pattern": "[file:hashes.SHA1 = '3496e1ad3f3e37b55a6db62a37ab8873067ac13d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e3-7ba0-4ecd-9ff2-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:35.000Z", "modified": "2016-03-16T19:28:35.000Z", "description": "Trojan.Win32.AceDeceiver - Xchecked via VT: 9231166a2114f6b1c2d6cd6a57b5836e919ee5739d8868f07425d3c22697894e", "pattern": "[file:hashes.MD5 = 'c1c335b98209ffa9336db47bfc0eea36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e3-67f0-47a5-9734-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:35.000Z", "modified": "2016-03-16T19:28:35.000Z", "first_observed": "2016-03-16T19:28:35Z", "last_observed": "2016-03-16T19:28:35Z", "number_observed": 1, "object_refs": [ "url--56e9b3e3-67f0-47a5-9734-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--56e9b3e3-67f0-47a5-9734-539002de0b81", "value": "https://www.virustotal.com/file/9231166a2114f6b1c2d6cd6a57b5836e919ee5739d8868f07425d3c22697894e/analysis/1458119899/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e3-7db8-417f-a573-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:35.000Z", "modified": "2016-03-16T19:28:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: fbc26c14a3ff609332644f5d9702f07ace024961b7aa2c531df2715911b1c57d", "pattern": "[file:hashes.SHA1 = '1aef2326a58d0977fc304ace15d89df291644315']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e3-1dd4-4993-af5c-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:35.000Z", "modified": "2016-03-16T19:28:35.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: fbc26c14a3ff609332644f5d9702f07ace024961b7aa2c531df2715911b1c57d", "pattern": "[file:hashes.MD5 = 'c79492a303547697453438d321af4c50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e4-13bc-47cf-8be4-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:36.000Z", "modified": "2016-03-16T19:28:36.000Z", 
"first_observed": "2016-03-16T19:28:36Z", "last_observed": "2016-03-16T19:28:36Z", "number_observed": 1, "object_refs": [ "url--56e9b3e4-13bc-47cf-8be4-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e4-13bc-47cf-8be4-539002de0b81", "value": "https://www.virustotal.com/file/fbc26c14a3ff609332644f5d9702f07ace024961b7aa2c531df2715911b1c57d/analysis/1458143418/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e4-eedc-4dac-8ddb-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:36.000Z", "modified": "2016-03-16T19:28:36.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: 006c539fa6251e1d2142631c52d7c112bf5027335696eacd64794b8cf357d6d5", "pattern": "[file:hashes.SHA1 = '93da7b5307964190095ec16f8389246a58503530']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e4-8904-4bb6-bb24-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:36.000Z", "modified": "2016-03-16T19:28:36.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: 006c539fa6251e1d2142631c52d7c112bf5027335696eacd64794b8cf357d6d5", "pattern": "[file:hashes.MD5 = 'e777707b967cd2c4a312064397a5ef5c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e5-bed0-4c2b-9ac2-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:37.000Z", "modified": "2016-03-16T19:28:37.000Z", "first_observed": "2016-03-16T19:28:37Z", "last_observed": "2016-03-16T19:28:37Z", "number_observed": 1, "object_refs": [ "url--56e9b3e5-bed0-4c2b-9ac2-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e5-bed0-4c2b-9ac2-539002de0b81", "value": "https://www.virustotal.com/file/006c539fa6251e1d2142631c52d7c112bf5027335696eacd64794b8cf357d6d5/analysis/1458153149/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e5-1f30-4e40-b43a-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:37.000Z", "modified": "2016-03-16T19:28:37.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: 3e02b30a6a920a5bdc139270b1e731a4a8d7ab313e9c8d9af9fec611710b4d09", "pattern": "[file:hashes.SHA1 = '5e076abc86444d931d58b5d2f6ebfa04ec31a06e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e5-8f30-4bbe-845b-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:37.000Z", "modified": "2016-03-16T19:28:37.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: 3e02b30a6a920a5bdc139270b1e731a4a8d7ab313e9c8d9af9fec611710b4d09", "pattern": "[file:hashes.MD5 = 
'ebfcecf97992fe3e707786462abb4fce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e6-27b8-4ddc-a0e2-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:38.000Z", "modified": "2016-03-16T19:28:38.000Z", "first_observed": "2016-03-16T19:28:38Z", "last_observed": "2016-03-16T19:28:38Z", "number_observed": 1, "object_refs": [ "url--56e9b3e6-27b8-4ddc-a0e2-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e6-27b8-4ddc-a0e2-539002de0b81", "value": "https://www.virustotal.com/file/3e02b30a6a920a5bdc139270b1e731a4a8d7ab313e9c8d9af9fec611710b4d09/analysis/1456021437/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e6-7228-4456-9bfc-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:38.000Z", "modified": "2016-03-16T19:28:38.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: ca115f8a3751e4c0fc36b001e3c74d3ac167360a4a44fd1b373b25487de05820", "pattern": "[file:hashes.SHA1 = 'aba46ac2c816530e96cf9bddeade627b8b17dcb2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e6-c170-4338-8e5b-539002de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:38.000Z", "modified": "2016-03-16T19:28:38.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: ca115f8a3751e4c0fc36b001e3c74d3ac167360a4a44fd1b373b25487de05820", "pattern": "[file:hashes.MD5 = 'a3b156f679a915c0c7a255151d73965b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e6-7c80-4d07-b399-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:38.000Z", "modified": "2016-03-16T19:28:38.000Z", "first_observed": "2016-03-16T19:28:38Z", "last_observed": "2016-03-16T19:28:38Z", "number_observed": 1, "object_refs": [ "url--56e9b3e6-7c80-4d07-b399-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e6-7c80-4d07-b399-539002de0b81", "value": "https://www.virustotal.com/file/ca115f8a3751e4c0fc36b001e3c74d3ac167360a4a44fd1b373b25487de05820/analysis/1458143429/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e7-c034-436b-8f5d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:39.000Z", "modified": "2016-03-16T19:28:39.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: f7e50fdc4f20f0d25771a694eb3f3643c1842e3b14f06aaa5e8d9dab1c1851e9", "pattern": "[file:hashes.SHA1 = 'b1b5d7e235d039457365f3e988b212838b84536d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:39Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e7-0b9c-4e9e-bed4-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:39.000Z", "modified": "2016-03-16T19:28:39.000Z", "description": "Trojan.iOS.AceDeceiver (App Store version, FairPlay DRM protected) - Xchecked via VT: f7e50fdc4f20f0d25771a694eb3f3643c1842e3b14f06aaa5e8d9dab1c1851e9", "pattern": "[file:hashes.MD5 = 'd2aff7f47c586aecb23b3d53b091c54c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e7-970c-43e0-a3a7-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:39.000Z", "modified": "2016-03-16T19:28:39.000Z", "first_observed": "2016-03-16T19:28:39Z", "last_observed": "2016-03-16T19:28:39Z", "number_observed": 1, "object_refs": [ "url--56e9b3e7-970c-43e0-a3a7-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e7-970c-43e0-a3a7-539002de0b81", "value": "https://www.virustotal.com/file/f7e50fdc4f20f0d25771a694eb3f3643c1842e3b14f06aaa5e8d9dab1c1851e9/analysis/1455284003/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e7-4974-4ada-aa27-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:39.000Z", "modified": "2016-03-16T19:28:39.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed 
versions) - Xchecked via VT: f6cabdc408e12912c07097c9956ceda2f7033e88c2ca59d7618b9256d3724f5c", "pattern": "[file:hashes.SHA1 = '44247c68ed8faf16a758f330ccdde0e66f4a9f75']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e8-f0f4-4174-af9d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:40.000Z", "modified": "2016-03-16T19:28:40.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: f6cabdc408e12912c07097c9956ceda2f7033e88c2ca59d7618b9256d3724f5c", "pattern": "[file:hashes.MD5 = '5d9b59db4b8cc84bd2e14f9e1768fb87']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e8-75ec-4a33-8129-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:40.000Z", "modified": "2016-03-16T19:28:40.000Z", "first_observed": "2016-03-16T19:28:40Z", "last_observed": "2016-03-16T19:28:40Z", "number_observed": 1, "object_refs": [ "url--56e9b3e8-75ec-4a33-8129-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e8-75ec-4a33-8129-539002de0b81", "value": "https://www.virustotal.com/file/f6cabdc408e12912c07097c9956ceda2f7033e88c2ca59d7618b9256d3724f5c/analysis/1455283844/" }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--56e9b3e8-27f0-4156-94ff-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:40.000Z", "modified": "2016-03-16T19:28:40.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: d879c6d96463b81e4f2085a565418c99b559a8803ca449442464a2b6cd728d97", "pattern": "[file:hashes.SHA1 = '98d6d7caa432ecea278fa33845eedad67189e042']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e9-c564-4c77-b1f9-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:41.000Z", "modified": "2016-03-16T19:28:41.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: d879c6d96463b81e4f2085a565418c99b559a8803ca449442464a2b6cd728d97", "pattern": "[file:hashes.MD5 = 'e2f05253fd536c7e01f6e0a4ce2b2b34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3e9-f938-480c-821e-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:41.000Z", "modified": "2016-03-16T19:28:41.000Z", "first_observed": "2016-03-16T19:28:41Z", "last_observed": "2016-03-16T19:28:41Z", "number_observed": 1, "object_refs": [ "url--56e9b3e9-f938-480c-821e-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External 
analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3e9-f938-480c-821e-539002de0b81", "value": "https://www.virustotal.com/file/d879c6d96463b81e4f2085a565418c99b559a8803ca449442464a2b6cd728d97/analysis/1455283793/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e9-a930-436c-baa8-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:41.000Z", "modified": "2016-03-16T19:28:41.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: bc5e3be07e65f25479cee7de8615b386c489c1253659ed7ca5526f86f5116374", "pattern": "[file:hashes.SHA1 = '66a3758be788353d97ff04711fa2f4d8cb25c6b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3e9-5648-442a-98fc-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:41.000Z", "modified": "2016-03-16T19:28:41.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: bc5e3be07e65f25479cee7de8615b386c489c1253659ed7ca5526f86f5116374", "pattern": "[file:hashes.MD5 = '3652db89ace912e15628b45b80cf389a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3ea-3c44-4c6d-9b5d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-03-16T19:28:42.000Z", "modified": "2016-03-16T19:28:42.000Z", "first_observed": "2016-03-16T19:28:42Z", "last_observed": "2016-03-16T19:28:42Z", "number_observed": 1, "object_refs": [ "url--56e9b3ea-3c44-4c6d-9b5d-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3ea-3c44-4c6d-9b5d-539002de0b81", "value": "https://www.virustotal.com/file/bc5e3be07e65f25479cee7de8615b386c489c1253659ed7ca5526f86f5116374/analysis/1455283796/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ea-a06c-4039-b71e-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:42.000Z", "modified": "2016-03-16T19:28:42.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: baa255dd7a0e52edf6e4f3082a6840800898969a3d17f2bcb6a88d0a94c5b795", "pattern": "[file:hashes.SHA1 = 'e07702303f91cbf35e4deac600974cf94d5d27ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ea-39bc-4d31-a57e-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:42.000Z", "modified": "2016-03-16T19:28:42.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: baa255dd7a0e52edf6e4f3082a6840800898969a3d17f2bcb6a88d0a94c5b795", "pattern": "[file:hashes.MD5 = '1dc2584cd2c167907ae547bd4b040710']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": 
[ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3eb-e118-470e-839d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:43.000Z", "modified": "2016-03-16T19:28:43.000Z", "first_observed": "2016-03-16T19:28:43Z", "last_observed": "2016-03-16T19:28:43Z", "number_observed": 1, "object_refs": [ "url--56e9b3eb-e118-470e-839d-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3eb-e118-470e-839d-539002de0b81", "value": "https://www.virustotal.com/file/baa255dd7a0e52edf6e4f3082a6840800898969a3d17f2bcb6a88d0a94c5b795/analysis/1455283796/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3eb-e7ec-4948-aeae-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:43.000Z", "modified": "2016-03-16T19:28:43.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: a504d47fdfa630bc1c474cdbdaf0dd82a46a08e5d662ecc1bffc57f3c409690e", "pattern": "[file:hashes.SHA1 = '620d3adc7717ded26643a63b86044151fdbb6f92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3eb-93a4-484b-b932-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:43.000Z", "modified": "2016-03-16T19:28:43.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 
a504d47fdfa630bc1c474cdbdaf0dd82a46a08e5d662ecc1bffc57f3c409690e", "pattern": "[file:hashes.MD5 = '5e74324567ab4ebe47044337beec6f99']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3eb-2ca8-4f08-91af-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:43.000Z", "modified": "2016-03-16T19:28:43.000Z", "first_observed": "2016-03-16T19:28:43Z", "last_observed": "2016-03-16T19:28:43Z", "number_observed": 1, "object_refs": [ "url--56e9b3eb-2ca8-4f08-91af-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3eb-2ca8-4f08-91af-539002de0b81", "value": "https://www.virustotal.com/file/a504d47fdfa630bc1c474cdbdaf0dd82a46a08e5d662ecc1bffc57f3c409690e/analysis/1455283794/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ec-f208-4010-a835-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:44.000Z", "modified": "2016-03-16T19:28:44.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 9a4a40625efcc6f4de419db0bec9fbdfdc379918a95fba572ee56cffc13cd074", "pattern": "[file:hashes.SHA1 = 'e807e8a8a8ba51b8b347f004ba6e549797bd21f3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56e9b3ec-6ce4-4e54-9f0d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:44.000Z", "modified": "2016-03-16T19:28:44.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 9a4a40625efcc6f4de419db0bec9fbdfdc379918a95fba572ee56cffc13cd074", "pattern": "[file:hashes.MD5 = '6a6d7ee4d87d824340e8e08c34ed7891']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3ec-390c-423c-aba8-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:44.000Z", "modified": "2016-03-16T19:28:44.000Z", "first_observed": "2016-03-16T19:28:44Z", "last_observed": "2016-03-16T19:28:44Z", "number_observed": 1, "object_refs": [ "url--56e9b3ec-390c-423c-aba8-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3ec-390c-423c-aba8-539002de0b81", "value": "https://www.virustotal.com/file/9a4a40625efcc6f4de419db0bec9fbdfdc379918a95fba572ee56cffc13cd074/analysis/1455283799/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ed-f774-41a9-a3fe-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:45.000Z", "modified": "2016-03-16T19:28:45.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 86b8065d40c24e3702ed848ec28650b074a577f677375c094ed61a2efffce11b", "pattern": "[file:hashes.SHA1 = 'e57b6ba70f03241330b11135db6fafc82c1ad436']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-03-16T19:28:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ed-bb24-451f-9f8e-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:45.000Z", "modified": "2016-03-16T19:28:45.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 86b8065d40c24e3702ed848ec28650b074a577f677375c094ed61a2efffce11b", "pattern": "[file:hashes.MD5 = '41e820885d1cc951a848fd586be3e894']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3ed-cabc-417f-be44-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:45.000Z", "modified": "2016-03-16T19:28:45.000Z", "first_observed": "2016-03-16T19:28:45Z", "last_observed": "2016-03-16T19:28:45Z", "number_observed": 1, "object_refs": [ "url--56e9b3ed-cabc-417f-be44-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3ed-cabc-417f-be44-539002de0b81", "value": "https://www.virustotal.com/file/86b8065d40c24e3702ed848ec28650b074a577f677375c094ed61a2efffce11b/analysis/1455283831/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ed-7924-4041-b2ca-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:45.000Z", "modified": "2016-03-16T19:28:45.000Z", "description": 
"Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 821f93bae8c067af71626ca84cdc20226df61c4c371e5eb6423d9439c8b8c25d", "pattern": "[file:hashes.SHA1 = '3d09e43f6a089d93037f198b6344cdc5e9683285']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ee-f938-4289-b4d2-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:46.000Z", "modified": "2016-03-16T19:28:46.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 821f93bae8c067af71626ca84cdc20226df61c4c371e5eb6423d9439c8b8c25d", "pattern": "[file:hashes.MD5 = 'd6f664197eadfd8e080ccc0bbeee6e1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3ee-69dc-46a7-9742-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:46.000Z", "modified": "2016-03-16T19:28:46.000Z", "first_observed": "2016-03-16T19:28:46Z", "last_observed": "2016-03-16T19:28:46Z", "number_observed": 1, "object_refs": [ "url--56e9b3ee-69dc-46a7-9742-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3ee-69dc-46a7-9742-539002de0b81", "value": 
"https://www.virustotal.com/file/821f93bae8c067af71626ca84cdc20226df61c4c371e5eb6423d9439c8b8c25d/analysis/1455283780/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ee-5440-4e68-b64d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:46.000Z", "modified": "2016-03-16T19:28:46.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 5bebcacfb5c541bd6ba7530aeb2971c20adb1beddb244e4367d40cd87bfc826d", "pattern": "[file:hashes.SHA1 = '28a618de925cd017f2fd9a94f3de41b2d04fdccf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ef-f41c-468b-a86e-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:47.000Z", "modified": "2016-03-16T19:28:47.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 5bebcacfb5c541bd6ba7530aeb2971c20adb1beddb244e4367d40cd87bfc826d", "pattern": "[file:hashes.MD5 = '99910c48e7fc3bae3393013c8c797f43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3ef-8398-4967-a74a-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:47.000Z", "modified": "2016-03-16T19:28:47.000Z", "first_observed": "2016-03-16T19:28:47Z", "last_observed": 
"2016-03-16T19:28:47Z", "number_observed": 1, "object_refs": [ "url--56e9b3ef-8398-4967-a74a-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3ef-8398-4967-a74a-539002de0b81", "value": "https://www.virustotal.com/file/5bebcacfb5c541bd6ba7530aeb2971c20adb1beddb244e4367d40cd87bfc826d/analysis/1455283977/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ef-e360-4ef3-ba4d-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:47.000Z", "modified": "2016-03-16T19:28:47.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 5bc7ceb48ca4951997d50425d5b34484505e4444a3e172ab846b2595104b7138", "pattern": "[file:hashes.SHA1 = 'c8119fbd7b0cbddd0be957a44708b6a9b920f16a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3ef-da7c-4896-9ec2-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:47.000Z", "modified": "2016-03-16T19:28:47.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 5bc7ceb48ca4951997d50425d5b34484505e4444a3e172ab846b2595104b7138", "pattern": "[file:hashes.MD5 = '96724f179c3afd44ddcc60bed4a4089d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", 
"spec_version": "2.1", "id": "observed-data--56e9b3f0-4efc-41e2-b727-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:48.000Z", "modified": "2016-03-16T19:28:48.000Z", "first_observed": "2016-03-16T19:28:48Z", "last_observed": "2016-03-16T19:28:48Z", "number_observed": 1, "object_refs": [ "url--56e9b3f0-4efc-41e2-b727-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3f0-4efc-41e2-b727-539002de0b81", "value": "https://www.virustotal.com/file/5bc7ceb48ca4951997d50425d5b34484505e4444a3e172ab846b2595104b7138/analysis/1455283785/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f0-ce04-4ef3-b3b6-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:48.000Z", "modified": "2016-03-16T19:28:48.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 352d1af3a5cef417dda688be2dd35c3f59841ea56c393a07f95a0bc5ab576448", "pattern": "[file:hashes.SHA1 = 'ff33b12b8d51b6b863bc61777eef6c324e2db371']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f0-7e84-4d3d-9acf-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:48.000Z", "modified": "2016-03-16T19:28:48.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 352d1af3a5cef417dda688be2dd35c3f59841ea56c393a07f95a0bc5ab576448", "pattern": "[file:hashes.MD5 = 'c6523b9cbce3dacd966ee7fac64e851a']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-03-16T19:28:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3f0-6120-4139-9553-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:48.000Z", "modified": "2016-03-16T19:28:48.000Z", "first_observed": "2016-03-16T19:28:48Z", "last_observed": "2016-03-16T19:28:48Z", "number_observed": 1, "object_refs": [ "url--56e9b3f0-6120-4139-9553-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3f0-6120-4139-9553-539002de0b81", "value": "https://www.virustotal.com/file/352d1af3a5cef417dda688be2dd35c3f59841ea56c393a07f95a0bc5ab576448/analysis/1455283777/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f1-ec94-4b84-af15-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:49.000Z", "modified": "2016-03-16T19:28:49.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 1b6cf5abe2bd3d5bb84da8debd5ec563393d30995ce4afc6142dc3381ac69902", "pattern": "[file:hashes.SHA1 = 'be9f56d1b5f20dae5fe354b63cf84a13bf15d1f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f1-e0f4-4400-8f2a-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:49.000Z", "modified": 
"2016-03-16T19:28:49.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 1b6cf5abe2bd3d5bb84da8debd5ec563393d30995ce4afc6142dc3381ac69902", "pattern": "[file:hashes.MD5 = '6614bd786cd5e7d0c7fd419cf7cd79ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3f1-8568-4416-8869-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:49.000Z", "modified": "2016-03-16T19:28:49.000Z", "first_observed": "2016-03-16T19:28:49Z", "last_observed": "2016-03-16T19:28:49Z", "number_observed": 1, "object_refs": [ "url--56e9b3f1-8568-4416-8869-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3f1-8568-4416-8869-539002de0b81", "value": "https://www.virustotal.com/file/1b6cf5abe2bd3d5bb84da8debd5ec563393d30995ce4afc6142dc3381ac69902/analysis/1455283786/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f2-c6c8-4f37-b17b-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:50.000Z", "modified": "2016-03-16T19:28:50.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 0a8e29bd8fe0f5d4d6a8677454b1d01e97478dc4bc3666eaab6bbbf2f2e759bc", "pattern": "[file:hashes.SHA1 = 'f39d5ef8059196e38f0ef89bbe96f4cb8a58d2a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56e9b3f2-1954-474d-9234-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:50.000Z", "modified": "2016-03-16T19:28:50.000Z", "description": "Trojan.iOS.AceDeceiver (enterprise certificate signed versions) - Xchecked via VT: 0a8e29bd8fe0f5d4d6a8677454b1d01e97478dc4bc3666eaab6bbbf2f2e759bc", "pattern": "[file:hashes.MD5 = 'a63124c34c6d5b4b33113af4288e248c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-16T19:28:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56e9b3f2-dfd8-44ff-a678-539002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-16T19:28:50.000Z", "modified": "2016-03-16T19:28:50.000Z", "first_observed": "2016-03-16T19:28:50Z", "last_observed": "2016-03-16T19:28:50Z", "number_observed": 1, "object_refs": [ "url--56e9b3f2-dfd8-44ff-a678-539002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56e9b3f2-dfd8-44ff-a678-539002de0b81", "value": "https://www.virustotal.com/file/0a8e29bd8fe0f5d4d6a8677454b1d01e97478dc4bc3666eaab6bbbf2f2e759bc/analysis/1455283814/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }