adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/58ecc62a-e5bc-406f-adc6-4b65950d210f.json

154 lines
No EOL
6.2 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2017-04-11",
"extends_uuid": "",
"info": "OSINT - Ewind \u00e2\u20ac\u201c Adware in Applications\u00e2\u20ac\u2122 Clothing",
"publish_timestamp": "1491914164",
"published": true,
"threat_level_id": "3",
"timestamp": "1491913100",
"uuid": "58ecc62a-e5bc-406f-adc6-4b65950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#5f0077",
"name": "ms-caro-malware:malware-platform=\"AndroidOS\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": false,
"type": "link",
"uuid": "58ecc66c-ea44-4888-9ff2-46e7950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-ewind-adware-applications-clothing/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": false,
"type": "text",
"uuid": "58ecc67f-0374-40a3-8b83-4335950d210f",
"value": "Since mid-2016 we have observed multiple new samples of the Android Adware family \u00e2\u20ac\u0153Ewind\u00e2\u20ac\u009d. The actors behind this adware utilize a simple yet effective approach \u00e2\u20ac\u201c they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package (APK). They then distribute the trojanized application using their own, Russian-language-targeted Android Application sites.\r\n\r\nSome of the popular Android applications that Ewind targets include GTA Vice City, AVG cleaner, Minecraft \u00e2\u20ac\u201c Pocket Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile.\r\n\r\nAlthough Ewind is fundamentally adware, monetization through displaying advertising on the victim device, it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker. The adware Trojan in fact potentially allows full remote access to the infected device.\r\n\r\nThe applications, injected advertising, application sites \u00e2\u20ac\u201c and, we believe, the attacker, are all Russian."
},
{
"category": "Payload installation",
"comment": "repackaged \u00e2\u20ac\u0153AVG Cleaner\u00e2\u20ac\u009d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "sha256",
"uuid": "58ecc6a4-5f4c-45c1-8d75-95c7950d210f",
"value": "9c61616a66918820c936297d930f22df5832063d6e5fc2bea7576f873e7a5cf3"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "domain",
"uuid": "58ecc6fa-9080-4457-add8-8621950d210f",
"value": "mobincome.org"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "domain",
"uuid": "58ecc6fb-0fcc-41f9-b95d-8621950d210f",
"value": "androwr.ru"
},
{
"category": "Artifacts dropped",
"comment": "Unique string (APK Defined service):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "58ecc72d-a150-41e0-8e9c-4a12950d210f",
"value": "b93478b8cdba429894e2a63b70766f91"
},
{
"category": "Payload installation",
"comment": "an Ewind Trojanized sample of the MobCoin application",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "sha256",
"uuid": "58ecc7a0-1814-442d-9e7a-9f1d950d210f",
"value": "393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912985",
"to_ids": true,
"type": "filename",
"uuid": "58ecc8e2-419c-4fdc-8cdf-4fe7950d210f",
"value": "/shared_prefs/a5ca9525-c9ff-4a1d-bb42-87fed1ea0117.xml."
},
{
"category": "Payload installation",
"comment": "an Ewind Trojanized sample of the MobCoin application - Xchecked via VT: 393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912993",
"to_ids": true,
"type": "sha1",
"uuid": "58ecc921-8abc-4370-b935-945a02de0b81",
"value": "15cd380676f0cc0d9a14cc731c1d20746111d64d"
},
{
"category": "Payload installation",
"comment": "an Ewind Trojanized sample of the MobCoin application - Xchecked via VT: 393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912994",
"to_ids": true,
"type": "md5",
"uuid": "58ecc922-3568-4010-b6c4-945a02de0b81",
"value": "37182a56df80c3cf841f69ee9fcfe5ed"
},
{
"category": "External analysis",
"comment": "an Ewind Trojanized sample of the MobCoin application - Xchecked via VT: 393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1491912995",
"to_ids": false,
"type": "link",
"uuid": "58ecc923-51b4-4fde-8576-945a02de0b81",
"value": "https://www.virustotal.com/file/393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b/analysis/1486507244/"
}
]
}
}
Reference in a new issue View git blame Copy permalink