{
"type": "bundle",
"id": "bundle--58ecc62a-e5bc-406f-adc6-4b65950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:18:20.000Z",
"modified": "2017-04-11T12:18:20.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58ecc62a-e5bc-406f-adc6-4b65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:18:20.000Z",
"modified": "2017-04-11T12:18:20.000Z",
"name": "OSINT - Ewind \u2013 Adware in Applications\u2019 Clothing",
"published": "2017-04-11T12:36:04Z",
"object_refs": [
"observed-data--58ecc66c-ea44-4888-9ff2-46e7950d210f",
"url--58ecc66c-ea44-4888-9ff2-46e7950d210f",
"x-misp-attribute--58ecc67f-0374-40a3-8b83-4335950d210f",
"indicator--58ecc6a4-5f4c-45c1-8d75-95c7950d210f",
"indicator--58ecc6fa-9080-4457-add8-8621950d210f",
"indicator--58ecc6fb-0fcc-41f9-b95d-8621950d210f",
"x-misp-attribute--58ecc72d-a150-41e0-8e9c-4a12950d210f",
"indicator--58ecc7a0-1814-442d-9e7a-9f1d950d210f",
"indicator--58ecc8e2-419c-4fdc-8cdf-4fe7950d210f",
"indicator--58ecc921-8abc-4370-b935-945a02de0b81",
"indicator--58ecc922-3568-4010-b6c4-945a02de0b81",
"observed-data--58ecc923-51b4-4fde-8576-945a02de0b81",
"url--58ecc923-51b4-4fde-8576-945a02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"ms-caro-malware:malware-platform=\"AndroidOS\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ecc66c-ea44-4888-9ff2-46e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"first_observed": "2017-04-11T12:16:25Z",
"last_observed": "2017-04-11T12:16:25Z",
"number_observed": 1,
"object_refs": [
"url--58ecc66c-ea44-4888-9ff2-46e7950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ecc66c-ea44-4888-9ff2-46e7950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-ewind-adware-applications-clothing/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58ecc67f-0374-40a3-8b83-4335950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Since mid-2016 we have observed multiple new samples of the Android Adware family \u201cEwind\u201d. The actors behind this adware utilize a simple yet effective approach \u2013 they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package (APK). They then distribute the trojanized application using their own, Russian-language-targeted Android Application sites.\r\n\r\nSome of the popular Android applications that Ewind targets include GTA Vice City, AVG cleaner, Minecraft \u2013 Pocket Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile.\r\n\r\nAlthough Ewind is fundamentally adware, monetization through displaying advertising on the victim device, it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker. The adware Trojan in fact potentially allows full remote access to the infected device.\r\n\r\nThe applications, injected advertising, application sites \u2013 and, we believe, the attacker, are all Russian."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc6a4-5f4c-45c1-8d75-95c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"description": "repackaged \u201cAVG Cleaner\u201d",
"pattern": "[file:hashes.SHA256 = '9c61616a66918820c936297d930f22df5832063d6e5fc2bea7576f873e7a5cf3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc6fa-9080-4457-add8-8621950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'mobincome.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc6fb-0fcc-41f9-b95d-8621950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"description": "C2",
"pattern": "[domain-name:value = 'androwr.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58ecc72d-a150-41e0-8e9c-4a12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"labels": [
"misp:type=\"pattern-in-file\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "Unique string (APK Defined service):",
"x_misp_type": "pattern-in-file",
"x_misp_value": "b93478b8cdba429894e2a63b70766f91"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc7a0-1814-442d-9e7a-9f1d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"description": "an Ewind Trojanized sample of the MobCoin application",
"pattern": "[file:hashes.SHA256 = '393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc8e2-419c-4fdc-8cdf-4fe7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:25.000Z",
"modified": "2017-04-11T12:16:25.000Z",
"pattern": "[file:name = '/shared_prefs/a5ca9525-c9ff-4a1d-bb42-87fed1ea0117.xml.']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc921-8abc-4370-b935-945a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:33.000Z",
"modified": "2017-04-11T12:16:33.000Z",
"description": "an Ewind Trojanized sample of the MobCoin application - Xchecked via VT: 393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b",
"pattern": "[file:hashes.SHA1 = '15cd380676f0cc0d9a14cc731c1d20746111d64d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ecc922-3568-4010-b6c4-945a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:34.000Z",
"modified": "2017-04-11T12:16:34.000Z",
"description": "an Ewind Trojanized sample of the MobCoin application - Xchecked via VT: 393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b",
"pattern": "[file:hashes.MD5 = '37182a56df80c3cf841f69ee9fcfe5ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-11T12:16:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ecc923-51b4-4fde-8576-945a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-11T12:16:35.000Z",
"modified": "2017-04-11T12:16:35.000Z",
"first_observed": "2017-04-11T12:16:35Z",
"last_observed": "2017-04-11T12:16:35Z",
"number_observed": 1,
"object_refs": [
"url--58ecc923-51b4-4fde-8576-945a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ecc923-51b4-4fde-8576-945a02de0b81",
"value": "https://www.virustotal.com/file/393ffeceae27421500c54e1cf29658869699095e5bca7b39100bf5f5ca90856b/analysis/1486507244/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}