{
"Event": {
"analysis": "2",
"date": "2017-04-23",
"extends_uuid": "",
"info": "OSINT - FlexSpy Application Analysis",
"publish_timestamp": "1492981296",
"published": true,
"threat_level_id": "3",
"timestamp": "1492981249",
"uuid": "58fce117-452c-42ed-a2dc-b64a950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#3b7500",
"local": "0",
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967971",
"to_ids": false,
"type": "link",
"uuid": "58fce124-1a0c-4d73-904b-dbd5950d210f",
"value": "http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy.html",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0c9100",
"local": "0",
"name": "admiralty-scale:source-reliability=\"f\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967972",
"to_ids": false,
"type": "text",
"uuid": "58fce13b-fadc-4e55-a0d4-46ea950d210f",
"value": "On 04/22/2017 FlexiDie released source code and binaries for FlexiSpy\u2019s mobile spyware program. Being a good reverse engineer that I am, my analysis is below. The IOC section is intended for other reverse engineers and antivirus vendors. General Overview is intended for journalists. I will release a detailed technical teardown in a day or two.",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0c9100",
"local": "0",
"name": "admiralty-scale:source-reliability=\"f\"",
"relationship_type": ""
}
]
},
{
"category": "Network activity",
"comment": "(found in com.vvt.phoenix.prot.test.CSMTest)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967795",
"to_ids": true,
"type": "url",
"uuid": "58fce173-d508-4f0f-8a89-dba6950d210f",
"value": "http://58.137.119.229/RainbowCore/"
},
{
"category": "Network activity",
"comment": "found in source//location_capture/tests/location_capture_tests/src/com/vvt/locationcapture/tests/Location_capture_testsActivity.java",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967796",
"to_ids": true,
"type": "url",
"uuid": "58fce174-1b68-4e69-b27f-dba6950d210f",
"value": "http://trkps.com/m.php?lat=%f&long=%f&t=%s&i=%s&z=5"
},
{
"category": "Network activity",
"comment": "On port 8880",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967797",
"to_ids": true,
"type": "url",
"uuid": "58fce175-c7b4-4488-8f4d-dba6950d210f",
"value": "http://202.176.88.55"
},
{
"category": "Network activity",
"comment": "Another IP address was found commented out in the code base //private String mUrl =",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967868",
"to_ids": true,
"type": "ip-dst",
"uuid": "58fce1bc-783c-4960-a449-dba5950d210f",
"value": "202.176.88.55"
},
{
"category": "Network activity",
"comment": "(found in com.vvt.phoenix.prot.test.CSMTest)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492967869",
"to_ids": true,
"type": "ip-dst",
"uuid": "58fce1bd-c0a4-4862-a657-dba5950d210f",
"value": "58.137.119.229"
},
{
"category": "Network activity",
"comment": "In sample comments",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492981246",
"to_ids": true,
"type": "ip-dst",
"uuid": "58fd15fe-c4ac-4a6c-bbd3-4815950d210f",
"value": "58.137.119.224"
},
{
"category": "Network activity",
"comment": "In sample comments",
"deleted": false,
"disable_correlation": false,
"timestamp": "1492981248",
"to_ids": true,
"type": "ip-dst",
"uuid": "58fd1600-dcf8-4103-af30-4e0f950d210f",
"value": "58.137.119.239"
}
]
}
} |