misp-circl-feed/feeds/circl/misp/5718d275-88d4-492e-9f07-43ee950d210f.json


{
"type": "bundle",
"id": "bundle--5718d275-88d4-492e-9f07-43ee950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:29.000Z",
"modified": "2016-04-21T15:07:29.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5718d275-88d4-492e-9f07-43ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:29.000Z",
"modified": "2016-04-21T15:07:29.000Z",
"name": "OSINT - \u201cOperation C-Major\u201d Actors Also Used Android, BlackBerry Mobile Spyware Against Targets",
"published": "2016-04-21T15:15:02Z",
"object_refs": [
"observed-data--5718d28f-6890-4731-95e4-4b42950d210f",
"url--5718d28f-6890-4731-95e4-4b42950d210f",
"x-misp-attribute--5718d2a3-a008-4c0d-ba56-4ec7950d210f",
"indicator--5718d4f3-98c0-40be-a296-40f8950d210f",
"indicator--5718d4f3-43a4-4bbd-bf88-40c4950d210f",
"indicator--5718d4f3-ba78-4f00-a3d3-4232950d210f",
"indicator--5718d4f4-ef9c-46a2-8d75-4f77950d210f",
"indicator--5718d4f4-d518-44d4-aef8-442a950d210f",
"indicator--5718d4f5-e228-4ed6-b03a-4bff950d210f",
"indicator--5718d4f5-cdac-47c9-ae00-43d2950d210f",
"indicator--5718d4f5-84c8-4878-b3a9-4d19950d210f",
"indicator--5718d54c-be50-4f58-83e2-408c950d210f",
"indicator--5718d54d-2990-4cb5-9bfd-4883950d210f",
"indicator--5718d54d-4be0-4e06-9405-4d66950d210f",
"indicator--5718d54e-8b80-4d4b-9b3f-48a3950d210f",
"indicator--5718d54e-7dc8-49eb-9432-449a950d210f",
"indicator--5718d54e-6f18-48bd-aa39-43f1950d210f",
"indicator--5718d54f-23a8-44b0-86b4-46a7950d210f",
"indicator--5718d54f-8be4-4981-8136-4bb4950d210f",
"indicator--5718d54f-e3d0-4a0a-9f5c-45a8950d210f",
"indicator--5718e3a8-eef0-4849-81fd-470c950d210f",
"indicator--5718ecb1-fb28-4bb5-85e0-40b702de0b81",
"indicator--5718ecb2-9428-4848-83fb-405b02de0b81",
"observed-data--5718ecb2-efec-4668-8f3e-493002de0b81",
"url--5718ecb2-efec-4668-8f3e-493002de0b81",
"indicator--5718ecb3-1d2c-47aa-b21c-474302de0b81",
"indicator--5718ecb3-71bc-491c-8314-48ad02de0b81",
"observed-data--5718ecb3-9f58-4d1a-8e7f-408f02de0b81",
"url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81",
"indicator--5718ecb4-03c4-4676-ac2e-4c5002de0b81",
"indicator--5718ecb4-dd44-44ee-9cd3-4b0702de0b81",
"observed-data--5718ecb4-8b60-44dd-bc05-483e02de0b81",
"url--5718ecb4-8b60-44dd-bc05-483e02de0b81",
"indicator--5718ecb5-a7d0-4a52-bd6c-4bcd02de0b81",
"indicator--5718ecb5-fa50-4255-823a-4b5702de0b81",
"observed-data--5718ecb5-1ad4-4fb3-9889-4b1802de0b81",
"url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81",
"indicator--5718ecb6-a3fc-4ab9-ad1a-48ce02de0b81",
"indicator--5718ecb6-117c-45d3-951e-4c0402de0b81",
"observed-data--5718ecb7-3c5c-4b28-8cf0-46f402de0b81",
"url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81",
"indicator--5718ecb7-a578-4bc5-b9c2-48b602de0b81",
"indicator--5718ecb7-3210-4790-b39c-4cba02de0b81",
"observed-data--5718ecb8-7d80-4ee0-9656-43f602de0b81",
"url--5718ecb8-7d80-4ee0-9656-43f602de0b81",
"indicator--5718ecb8-1018-4832-8633-448602de0b81",
"indicator--5718ecb9-5f4c-48f3-80c9-413202de0b81",
"observed-data--5718ecb9-acdc-4965-83d0-4a9c02de0b81",
"url--5718ecb9-acdc-4965-83d0-4a9c02de0b81",
"indicator--5718ecb9-67b8-422e-b4d1-4f8202de0b81",
"indicator--5718ecba-bc08-4277-9a9f-473002de0b81",
"observed-data--5718ecba-61b8-46ad-aef6-4bc502de0b81",
"url--5718ecba-61b8-46ad-aef6-4bc502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718d28f-6890-4731-95e4-4b42950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:15:59.000Z",
"modified": "2016-04-21T13:15:59.000Z",
"first_observed": "2016-04-21T13:15:59Z",
"last_observed": "2016-04-21T13:15:59Z",
"number_observed": 1,
"object_refs": [
"url--5718d28f-6890-4731-95e4-4b42950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718d28f-6890-4731-95e4-4b42950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/operation-c-major-actors-also-used-android-blackberry-mobile-spyware-targets/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5718d2a3-a008-4c0d-ba56-4ec7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:16:19.000Z",
"modified": "2016-04-21T13:16:19.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Last March, we reported on Operation C-Major, an active information theft campaign that was able to steal sensitive information from high profile targets in India. The campaign was able to steal large amounts of data despite using relatively simple malware because it used clever social engineering tactics against its targets. In this post, we will focus on the mobile part of their operation and discuss in detail several Android and BlackBerry apps they are using. Based on our investigation, the actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f3-98c0-40be-a296-40f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:26.000Z",
"modified": "2016-04-21T13:26:26.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '24f52c5f909d79a70e6e2a4e89aa7816b5f24aec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f3-43a4-4bbd-bf88-40c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:31.000Z",
"modified": "2016-04-21T13:26:31.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '202f11c5cf2b9df8bf8ab766a33cd0e6d7a5161a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f3-ba78-4f00-a3d3-4232950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:38.000Z",
"modified": "2016-04-21T13:26:38.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '31ac19091fd5347568b130d7150ed867ffe38c28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f4-ef9c-46a2-8d75-4f77950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:56.000Z",
"modified": "2016-04-21T13:26:56.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '6919aa3a9d5e193a1d48e05e7bf320d795923ea7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f4-d518-44d4-aef8-442a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:42.000Z",
"modified": "2016-04-21T13:26:42.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = 'c48a5d639430e08980f1aeb5af49310692f2701b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f5-e228-4ed6-b03a-4bff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:52.000Z",
"modified": "2016-04-21T13:26:52.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '1ce6b3f02fe2e4ee201bdab2c1e4f6bb5a8da1b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f5-cdac-47c9-ae00-43d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:48.000Z",
"modified": "2016-04-21T13:26:48.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '59aec5002684de8cc8c27f7512ed70c094e4bd20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d4f5-84c8-4878-b3a9-4d19950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:26:45.000Z",
"modified": "2016-04-21T13:26:45.000Z",
"description": "Smesh app",
"pattern": "[file:hashes.SHA1 = '552e3a16dd36ae4a3d4480182124a3f6701911f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:26:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54c-be50-4f58-83e2-408c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:40.000Z",
"modified": "2016-04-21T13:27:40.000Z",
"description": "Ringster",
"pattern": "[file:hashes.SHA1 = 'c544e5d8c6f38bb199283f11f799da8f3bb3807f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54d-2990-4cb5-9bfd-4883950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:41.000Z",
"modified": "2016-04-21T13:27:41.000Z",
"description": "Ringster",
"pattern": "[file:hashes.SHA1 = 'a13568164c0a8f50d76d9ffa6e34e31674a3afc8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54d-4be0-4e06-9405-4d66950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:41.000Z",
"modified": "2016-04-21T13:27:41.000Z",
"description": "Androrat",
"pattern": "[file:hashes.SHA1 = '9288811c9747d151eab4ec708b368fc6cc4e2cb5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54e-8b80-4d4b-9b3f-48a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:42.000Z",
"modified": "2016-04-21T13:27:42.000Z",
"description": "Androrat",
"pattern": "[file:hashes.SHA1 = '94c74a9e5d1aab18f51487e4e47e5995b7252c4b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54e-7dc8-49eb-9432-449a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:42.000Z",
"modified": "2016-04-21T13:27:42.000Z",
"description": "Androrat",
"pattern": "[file:hashes.SHA1 = 'decf429be7d469292827c3b873f7e61076ffbba1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54e-6f18-48bd-aa39-43f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:42.000Z",
"modified": "2016-04-21T13:27:42.000Z",
"description": "Androrat",
"pattern": "[file:hashes.SHA1 = 'f86302da2d38bf60f1ea9549b2e21a34fe655b33']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54f-23a8-44b0-86b4-46a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:43.000Z",
"modified": "2016-04-21T13:27:43.000Z",
"description": "India Sena News",
"pattern": "[file:hashes.SHA1 = 'b142e4b75a4562cdaad5cc2610d31594d2ed17c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54f-8be4-4981-8136-4bb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:43.000Z",
"modified": "2016-04-21T13:27:43.000Z",
"description": "BlackBerry spyware",
"pattern": "[file:hashes.SHA1 = 'abcb176578df44c2be7173b318abe704963052b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718d54f-e3d0-4a0a-9f5c-45a8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T13:27:43.000Z",
"modified": "2016-04-21T13:27:43.000Z",
"description": "BlackBerry spyware",
"pattern": "[file:hashes.SHA1 = '16318c4e4f94a5c4018b05955975771637b306b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718e3a8-eef0-4849-81fd-470c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T14:28:56.000Z",
"modified": "2016-04-21T14:28:56.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'mpjunkie.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T14:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb1-fb28-4bb5-85e0-40b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:29.000Z",
"modified": "2016-04-21T15:07:29.000Z",
"description": "BlackBerry spyware - Xchecked via VT: 16318c4e4f94a5c4018b05955975771637b306b4",
"pattern": "[file:hashes.SHA256 = 'a2d9ef1e249a08737d183177116cba1ed03c411d257d4b8ab66064c9affda057']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb2-9428-4848-83fb-405b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:30.000Z",
"modified": "2016-04-21T15:07:30.000Z",
"description": "BlackBerry spyware - Xchecked via VT: 16318c4e4f94a5c4018b05955975771637b306b4",
"pattern": "[file:hashes.MD5 = '5e5a6fd42417c98fdc0a2c9391876d7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb2-efec-4668-8f3e-493002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:30.000Z",
"modified": "2016-04-21T15:07:30.000Z",
"first_observed": "2016-04-21T15:07:30Z",
"last_observed": "2016-04-21T15:07:30Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb2-efec-4668-8f3e-493002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb2-efec-4668-8f3e-493002de0b81",
"value": "https://www.virustotal.com/file/a2d9ef1e249a08737d183177116cba1ed03c411d257d4b8ab66064c9affda057/analysis/1461189256/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb3-1d2c-47aa-b21c-474302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:31.000Z",
"modified": "2016-04-21T15:07:31.000Z",
"description": "BlackBerry spyware - Xchecked via VT: abcb176578df44c2be7173b318abe704963052b2",
"pattern": "[file:hashes.SHA256 = '7ef9af07a8a5f76a9b80349b1aeac59b25fcda1fb731e03797c682ad85f6e396']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb3-71bc-491c-8314-48ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:31.000Z",
"modified": "2016-04-21T15:07:31.000Z",
"description": "BlackBerry spyware - Xchecked via VT: abcb176578df44c2be7173b318abe704963052b2",
"pattern": "[file:hashes.MD5 = '9201801719ebf4c6d8b4adf0425a35dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb3-9f58-4d1a-8e7f-408f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:31.000Z",
"modified": "2016-04-21T15:07:31.000Z",
"first_observed": "2016-04-21T15:07:31Z",
"last_observed": "2016-04-21T15:07:31Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb3-9f58-4d1a-8e7f-408f02de0b81",
"value": "https://www.virustotal.com/file/7ef9af07a8a5f76a9b80349b1aeac59b25fcda1fb731e03797c682ad85f6e396/analysis/1461189249/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb4-03c4-4676-ac2e-4c5002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:32.000Z",
"modified": "2016-04-21T15:07:32.000Z",
"description": "India Sena News - Xchecked via VT: b142e4b75a4562cdaad5cc2610d31594d2ed17c3",
"pattern": "[file:hashes.SHA256 = '5bbcd8a7856e037418c0ac1c0c987476e3210f577beffcdfe2eceebc19c5644d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb4-dd44-44ee-9cd3-4b0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:32.000Z",
"modified": "2016-04-21T15:07:32.000Z",
"description": "India Sena News - Xchecked via VT: b142e4b75a4562cdaad5cc2610d31594d2ed17c3",
"pattern": "[file:hashes.MD5 = 'e6a0066676cab0144eb6055f67d917e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb4-8b60-44dd-bc05-483e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:32.000Z",
"modified": "2016-04-21T15:07:32.000Z",
"first_observed": "2016-04-21T15:07:32Z",
"last_observed": "2016-04-21T15:07:32Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb4-8b60-44dd-bc05-483e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb4-8b60-44dd-bc05-483e02de0b81",
"value": "https://www.virustotal.com/file/5bbcd8a7856e037418c0ac1c0c987476e3210f577beffcdfe2eceebc19c5644d/analysis/1461073518/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb5-a7d0-4a52-bd6c-4bcd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:33.000Z",
"modified": "2016-04-21T15:07:33.000Z",
"description": "Androrat - Xchecked via VT: f86302da2d38bf60f1ea9549b2e21a34fe655b33",
"pattern": "[file:hashes.SHA256 = 'f529ccdee54c53e4c02366713ec2d2e8ff629fe56b2f5778f9f7d31f809e4446']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb5-fa50-4255-823a-4b5702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:33.000Z",
"modified": "2016-04-21T15:07:33.000Z",
"description": "Androrat - Xchecked via VT: f86302da2d38bf60f1ea9549b2e21a34fe655b33",
"pattern": "[file:hashes.MD5 = 'dfd2eca84919418da2fa617fc51e9de5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb5-1ad4-4fb3-9889-4b1802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:33.000Z",
"modified": "2016-04-21T15:07:33.000Z",
"first_observed": "2016-04-21T15:07:33Z",
"last_observed": "2016-04-21T15:07:33Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb5-1ad4-4fb3-9889-4b1802de0b81",
"value": "https://www.virustotal.com/file/f529ccdee54c53e4c02366713ec2d2e8ff629fe56b2f5778f9f7d31f809e4446/analysis/1461051345/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb6-a3fc-4ab9-ad1a-48ce02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:34.000Z",
"modified": "2016-04-21T15:07:34.000Z",
"description": "Androrat - Xchecked via VT: decf429be7d469292827c3b873f7e61076ffbba1",
"pattern": "[file:hashes.SHA256 = '8b64a32e386d7cc51bb761bee8959bb5cac20e79ae1e549b04b7354e67bdee66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb6-117c-45d3-951e-4c0402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:34.000Z",
"modified": "2016-04-21T15:07:34.000Z",
"description": "Androrat - Xchecked via VT: decf429be7d469292827c3b873f7e61076ffbba1",
"pattern": "[file:hashes.MD5 = '11ba93d968bd96e9e9c9418ea1fdcbbc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb7-3c5c-4b28-8cf0-46f402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:35.000Z",
"modified": "2016-04-21T15:07:35.000Z",
"first_observed": "2016-04-21T15:07:35Z",
"last_observed": "2016-04-21T15:07:35Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb7-3c5c-4b28-8cf0-46f402de0b81",
"value": "https://www.virustotal.com/file/8b64a32e386d7cc51bb761bee8959bb5cac20e79ae1e549b04b7354e67bdee66/analysis/1461051347/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb7-a578-4bc5-b9c2-48b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:35.000Z",
"modified": "2016-04-21T15:07:35.000Z",
"description": "Androrat - Xchecked via VT: 94c74a9e5d1aab18f51487e4e47e5995b7252c4b",
"pattern": "[file:hashes.SHA256 = '563ebffbcd81d41e3ddb7b6ed580a2b17a6a6e14ec6bf208c9c22d7a296de7ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb7-3210-4790-b39c-4cba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:35.000Z",
"modified": "2016-04-21T15:07:35.000Z",
"description": "Androrat - Xchecked via VT: 94c74a9e5d1aab18f51487e4e47e5995b7252c4b",
"pattern": "[file:hashes.MD5 = 'af046d94f254a3f85a0ba731562a05c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb8-7d80-4ee0-9656-43f602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:36.000Z",
"modified": "2016-04-21T15:07:36.000Z",
"first_observed": "2016-04-21T15:07:36Z",
"last_observed": "2016-04-21T15:07:36Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb8-7d80-4ee0-9656-43f602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb8-7d80-4ee0-9656-43f602de0b81",
"value": "https://www.virustotal.com/file/563ebffbcd81d41e3ddb7b6ed580a2b17a6a6e14ec6bf208c9c22d7a296de7ae/analysis/1461073437/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb8-1018-4832-8633-448602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:36.000Z",
"modified": "2016-04-21T15:07:36.000Z",
"description": "Androrat - Xchecked via VT: 9288811c9747d151eab4ec708b368fc6cc4e2cb5",
"pattern": "[file:hashes.SHA256 = 'e6753bba53d7cca4a534c3089f24cd0546462667d110c0d48974f9e76714fe1c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb9-5f4c-48f3-80c9-413202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:37.000Z",
"modified": "2016-04-21T15:07:37.000Z",
"description": "Androrat - Xchecked via VT: 9288811c9747d151eab4ec708b368fc6cc4e2cb5",
"pattern": "[file:hashes.MD5 = 'ce59958c01e437f4bdc68b4896222b8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecb9-acdc-4965-83d0-4a9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:37.000Z",
"modified": "2016-04-21T15:07:37.000Z",
"first_observed": "2016-04-21T15:07:37Z",
"last_observed": "2016-04-21T15:07:37Z",
"number_observed": 1,
"object_refs": [
"url--5718ecb9-acdc-4965-83d0-4a9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecb9-acdc-4965-83d0-4a9c02de0b81",
"value": "https://www.virustotal.com/file/e6753bba53d7cca4a534c3089f24cd0546462667d110c0d48974f9e76714fe1c/analysis/1461217726/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecb9-67b8-422e-b4d1-4f8202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:37.000Z",
"modified": "2016-04-21T15:07:37.000Z",
"description": "Ringster - Xchecked via VT: a13568164c0a8f50d76d9ffa6e34e31674a3afc8",
"pattern": "[file:hashes.SHA256 = '8babf68a96861c8495580b5ecf54d8e9e1c76fc89fb72a322c94e74796db4e19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5718ecba-bc08-4277-9a9f-473002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:38.000Z",
"modified": "2016-04-21T15:07:38.000Z",
"description": "Ringster - Xchecked via VT: a13568164c0a8f50d76d9ffa6e34e31674a3afc8",
"pattern": "[file:hashes.MD5 = 'c4cd2f9ba10c0f773a8ec56045d3b398']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-21T15:07:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5718ecba-61b8-46ad-aef6-4bc502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-21T15:07:38.000Z",
"modified": "2016-04-21T15:07:38.000Z",
"first_observed": "2016-04-21T15:07:38Z",
"last_observed": "2016-04-21T15:07:38Z",
"number_observed": 1,
"object_refs": [
"url--5718ecba-61b8-46ad-aef6-4bc502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5718ecba-61b8-46ad-aef6-4bc502de0b81",
"value": "https://www.virustotal.com/file/8babf68a96861c8495580b5ecf54d8e9e1c76fc89fb72a322c94e74796db4e19/analysis/1461226275/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}