MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

guuid & + VenomKit

pull/222/head
Kafeine 2018-06-06 18:00:25 +01:00 committed by GitHub
parent 6c7d0f8684
commit 178d5219c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 115 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

181
clusters/exploit-kit.json
View File

@ -12,14 +12,16 @@
"Stegano EK"
],
"status": "Active"
}
},
"uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
},
{
"value": "Bingo",
"description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
"meta": {
"status": "Active"
}
},
"uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
},
{
"value": "Terror EK",
@ -33,7 +35,8 @@
"Neptune EK"
],
"status": "Active"
}
},
"uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
},
{
"value": "DealersChoice",
@ -48,7 +51,8 @@
"Sednit RTF EK"
],
"status": "Active"
}
},
"uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
},
{
"value": "DNSChanger",
@ -62,7 +66,8 @@
"RouterEK"
],
"status": "Active"
}
},
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
},
{
"value": "Disdain",
@ -72,7 +77,8 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
],
"status": "Active"
}
},
"uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
},
{
"value": "Kaixin",
@ -86,7 +92,8 @@
"CK vip"
],
"status": "Active"
}
},
"uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
},
{
"value": "Magnitude",
@ -103,7 +110,8 @@
"TopExp"
],
"status": "Active"
}
},
"uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
},
{
"value": "MWI",
@ -114,9 +122,10 @@
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
],
"status": "Active"
}
},
"uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
},
{
{
"value": "ThreadKit",
"description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
"meta": {
@ -124,7 +133,19 @@
"https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
],
"status": "Active"
}
},
"uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc"
},
{
"value": "VenomKit",
"description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
"meta": {
"refs": [
""
],
"status": "Active"
},
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc"
},
{
"value": "RIG",
@ -143,7 +164,8 @@
"Meadgive"
],
"status": "Active"
}
},
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
},
{
"value": "Sednit EK",
@ -157,7 +179,8 @@
"SedKit"
],
"status": "Active"
}
},
"uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
},
{
"value": "Sundown-P",
@ -171,7 +194,8 @@
"CaptainBlack"
],
"status": "Active"
}
},
"uuid": "3235ae90-598b-45dc-b336-852817b271a8"
},
{
"value": "Bizarro Sundown",
@ -185,7 +209,8 @@
"Sundown-b"
],
"status": "Retired"
}
},
"uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
},
{
"value": "Hunter",
@ -198,7 +223,8 @@
"3ROS Exploit Kit"
],
"status": "Retired - Last seen 2017-02-06"
}
},
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
},
{
"value": "GreenFlash Sundown",
@ -211,7 +237,8 @@
"Sundown-GF"
],
"status": "Active"
}
},
"uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
},
{
"value": "Angler",
@ -228,7 +255,8 @@
"Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
},
"uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
},
{
"value": "Archie",
@ -238,7 +266,8 @@
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
],
"status": "Retired"
}
},
"uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
},
{
"value": "BlackHole",
@ -252,7 +281,8 @@
"BHEK"
],
"status": "Retired - Last seen: 2013-10-07"
}
},
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
},
{
"value": "Bleeding Life",
@ -267,7 +297,8 @@
"BL2"
],
"status": "Retired"
}
},
"uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
},
{
"value": "Cool",
@ -283,7 +314,8 @@
"Styxy Cool"
],
"status": "Retired - Last seen: 2013-10-07"
}
},
"uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
},
{
"value": "Fiesta",
@ -298,7 +330,8 @@
"Fiexp"
],
"status": "Retired - Last Seen: beginning of 2015-07"
}
},
"uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
},
{
"value": "Empire",
@ -311,7 +344,8 @@
"RIG-E"
],
"status": "Retired - Last seen: 2016-12-29"
}
},
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
},
{
"value": "FlashPack",
@ -328,17 +362,8 @@
"Vintage Pack"
],
"status": "Retired - Last seen: middle of 2015-04"
}
},
{
"value": "Glazunov",
"description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
"meta": {
"refs": [
"https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
],
"status": "Retired - Last seen: maybe end of 2013"
}
},
"uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
},
{
"value": "GrandSoft",
@ -354,7 +379,8 @@
"SofosFO"
],
"status": "Active"
}
},
"uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
},
{
"value": "HanJuan",
@ -367,7 +393,8 @@
"https://twitter.com/kafeine/status/562575744501428226"
],
"status": "Retired - Last seen: 2015-07"
}
},
"uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
},
{
"value": "Himan",
@ -380,7 +407,8 @@
"High Load"
],
"status": "Retired - Last seen: 2014-04"
}
},
"uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
},
{
"value": "Impact",
@ -390,7 +418,8 @@
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
],
"status": "Retired"
}
},
"uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
},
{
"value": "Infinity",
@ -405,7 +434,8 @@
"Goon"
],
"status": "Retired - Last seen: 2014-07"
}
},
"uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
},
{
"value": "Lightsout",
@ -417,7 +447,8 @@
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
],
"status": "Unknown - Last seen: 2014-03"
}
},
"uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
},
{
"value": "Nebula",
@ -427,7 +458,8 @@
"http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
],
"status": "Retired - Last seen 2017-03-09"
}
},
"uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
},
{
"value": "Neutrino",
@ -443,7 +475,8 @@
"Neutrino-v"
],
"status": "Retired - Last seen 2017-04-10"
}
},
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
},
{
"value": "Niteris",
@ -457,7 +490,8 @@
"CottonCastle"
],
"status": "Unknown - Last seen: 2015-11"
}
},
"uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
},
{
"value": "Nuclear",
@ -473,7 +507,8 @@
"Neclu"
],
"status": "Retired - Last seen: 2015-04-30"
}
},
"uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
},
{
"value": "Phoenix",
@ -487,7 +522,8 @@
"PEK"
],
"status": "Retired"
}
},
"uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
},
{
"value": "Private Exploit Pack",
@ -501,7 +537,8 @@
"PEP"
],
"status": "Retired"
}
},
"uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
},
{
"value": "Redkit",
@ -513,7 +550,8 @@
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"status": "Retired"
}
},
"uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
},
{
"value": "Sakura",
@ -523,19 +561,25 @@
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
],
"status": "Retired - Last seen: 2013-09"
}
},
"uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
},
{
"value": "SPL",
"description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
"meta": {
"refs": [
"http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"
],
"status": "Retired - Last seen: 2015-04",
"synonyms": [
"SPL_Data",
"SPLNet",
"SPL2"
]
},
"uuid": "15936d30-c151-4051-835e-df327143ce76"
},
{
"value": "SPL",
"description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
"meta": {
"refs": ["http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"],
"status": "Retired - Last seen: 2015-04",
"synonyms": ["SPL_Data",
"SPLNet",
"SPL2"],
}
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
@ -551,7 +595,8 @@
],
"status": "Retired - Last seen 2017-03-08",
"colour": "#C03701"
}
},
"uuid": "670e28c4-001a-4ba4-b276-441620225123"
},
{
"value": "Sweet-Orange",
@ -565,7 +610,8 @@
"Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
},
"uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
},
{
"value": "Styx",
@ -577,7 +623,8 @@
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"status": "Retired - Last seen: 2014-06"
}
},
"uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
},
{
"value": "WhiteHole",
@ -587,7 +634,8 @@
"http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
],
"status": "Retired - Last seen: 2013-12"
}
},
"uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
},
{
"value": "Unknown",
@ -598,10 +646,11 @@
"https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
}
},
"uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
}
],
"version": 5,
"version": 7,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [