From 77cfaa8221380109ada0a589c2ef0165a0063967 Mon Sep 17 00:00:00 2001 From: raw-data Date: Fri, 6 Jul 2018 20:09:52 +0100 Subject: [PATCH 1/2] [add] new backdoor galaxy and cluster --- clusters/backdoor.json | 24 ++++++++++++++++++++++++ galaxies/backdoor.json | 9 +++++++++ 2 files changed, 33 insertions(+) create mode 100644 clusters/backdoor.json create mode 100644 galaxies/backdoor.json diff --git a/clusters/backdoor.json b/clusters/backdoor.json new file mode 100644 index 00000000..c0d2adb5 --- /dev/null +++ b/clusters/backdoor.json @@ -0,0 +1,24 @@ +{ + "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", + "description": "A list of backdoor malware.", + "source": "Open Sources", + "version": 1, + "values": [ + { + "meta": { + "date": "July 2018.", + "refs": [ + "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" + ] + }, + "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.", + "value": "WellMess", + "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd" + } + ], + "authors": [ + "raw-data" + ], + "type": "backdoor", + "name": "Backdoor" +} diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json new file mode 100644 index 00000000..6504c9c0 --- /dev/null +++ b/galaxies/backdoor.json @@ -0,0 +1,9 @@ +{ + "description": "Malware Backdoor galaxy.", + "type": "backdoor", + "version": 1, + "name": "Backdoor", + "icon": "door-open", + "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", + "namespace": "misp" +} From d35395445fbd94275227142b65c4a5823ad69652 Mon Sep 17 00:00:00 2001 From: raw-data Date: Fri, 6 Jul 2018 20:10:51 +0100 Subject: [PATCH 2/2] [add] new backdoor cluster --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 30bff4a0..a04ab83c 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources. - [clusters/banker.json](clusters/banker.json) - A list of banker malware. - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer. +- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware. - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets. - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits. - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.