{ "type": "bundle", "id": "bundle--58fce117-452c-42ed-a2dc-b64a950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T21:00:49.000Z", "modified": "2017-04-23T21:00:49.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58fce117-452c-42ed-a2dc-b64a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T21:00:49.000Z", "modified": "2017-04-23T21:00:49.000Z", "name": "OSINT - FlexSpy Application Analysis", "published": "2017-04-23T21:01:36Z", "object_refs": [ "observed-data--58fce124-1a0c-4d73-904b-dbd5950d210f", "url--58fce124-1a0c-4d73-904b-dbd5950d210f", "x-misp-attribute--58fce13b-fadc-4e55-a0d4-46ea950d210f", "indicator--58fce173-d508-4f0f-8a89-dba6950d210f", "indicator--58fce174-1b68-4e69-b27f-dba6950d210f", "indicator--58fce175-c7b4-4488-8f4d-dba6950d210f", "indicator--58fce1bc-783c-4960-a449-dba5950d210f", "indicator--58fce1bd-c0a4-4862-a657-dba5950d210f", "indicator--58fd15fe-c4ac-4a6c-bbd3-4815950d210f", "indicator--58fd1600-dcf8-4103-af30-4e0f950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58fce124-1a0c-4d73-904b-dbd5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:19:31.000Z", "modified": "2017-04-23T17:19:31.000Z", "first_observed": "2017-04-23T17:19:31Z", "last_observed": "2017-04-23T17:19:31Z", "number_observed": 1, "object_refs": [ "url--58fce124-1a0c-4d73-904b-dbd5950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"f\"" ] }, { "type": "url", 
"spec_version": "2.1", "id": "url--58fce124-1a0c-4d73-904b-dbd5950d210f", "value": "http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58fce13b-fadc-4e55-a0d4-46ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:19:32.000Z", "modified": "2017-04-23T17:19:32.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"f\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "On 04/22/2017 FlexiDie released source code and binaries for FlexiSpy\u2019s mobile spyware program. Being a good reverse engineer that I am, my analysis is below. The IOC section is intended for other reverse engineers and antivirus vendors. General Overview is intended for journalists. I will release a detailed technical teardown in a day or two." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fce173-d508-4f0f-8a89-dba6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:16:35.000Z", "modified": "2017-04-23T17:16:35.000Z", "description": "(found in com.vvt.phoenix.prot.test.CSMTest)", "pattern": "[url:value = 'http://58.137.119.229/RainbowCore/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T17:16:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fce174-1b68-4e69-b27f-dba6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:16:36.000Z", "modified": "2017-04-23T17:16:36.000Z", "description": "found in source//location_capture/tests/location_capture_tests/src/com/vvt/locationcapture/tests/Location_capture_testsActivity.java:", "pattern": "[url:value = 'http://trkps.com/m.php?lat=\\\\%f&long=\\\\%f&t=\\\\%s&i=\\\\%s&z=5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T17:16:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fce175-c7b4-4488-8f4d-dba6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:16:37.000Z", "modified": "2017-04-23T17:16:37.000Z", "description": "On port 8880", "pattern": "[url:value = 'http://202.176.88.55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T17:16:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fce1bc-783c-4960-a449-dba5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:17:48.000Z", "modified": "2017-04-23T17:17:48.000Z", "description": "Another IP address was found commented out in the code base //private String mUrl =", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '202.176.88.55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T17:17:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fce1bd-c0a4-4862-a657-dba5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T17:17:49.000Z", "modified": "2017-04-23T17:17:49.000Z", "description": "(found in com.vvt.phoenix.prot.test.CSMTest)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.137.119.229']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T17:17:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fd15fe-c4ac-4a6c-bbd3-4815950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T21:00:46.000Z", "modified": "2017-04-23T21:00:46.000Z", "description": "In sample comments", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.137.119.224']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2017-04-23T21:00:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58fd1600-dcf8-4103-af30-4e0f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-23T21:00:48.000Z", "modified": "2017-04-23T21:00:48.000Z", "description": "In sample comments", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.137.119.239']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-23T21:00:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }