MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [jq] JSON fixed

pull/541/head
Alexandre Dulaunoy 2020-04-27 15:03:25 +02:00
parent a428ad565e
commit 2a70893352
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
5 changed files with 46 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
clusters/banker.json
View File

@ -1183,14 +1183,14 @@
"value": "CamuBot"
},
{
"description": "Dark Tequila has primarily been designed to steal victims financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.",
"meta": {
"refs": [
"https://thehackernews.com/2018/08/mexico-banking-malware.html"
]
},
"description": "Dark Tequila has primarily been designed to steal victims financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.",
"value": "Dark Tequila",
"uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f"
"uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
"value": "Dark Tequila"
}
],
"version": 16

60
clusters/ransomware.json
View File

@ -7936,9 +7936,6 @@
"description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC",
"meta": {
"encryption": "TripleDES",
"synonyms": [
"JobCrypter"
],
"extensions": [
".locked",
".css"
@ -7954,6 +7951,9 @@
"http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
"https://twitter.com/malwrhunterteam/status/828914052973858816",
"http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html"
],
"synonyms": [
"JobCrypter"
]
},
"uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a",
@ -11196,6 +11196,9 @@
"meta": {
"payment-method": "Bitcoin",
"price": "0.05 (300 $)",
"ransomnotes": [
"https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png"
],
"refs": [
"http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
"https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html",
@ -11203,9 +11206,6 @@
"https://securelist.com/bad-rabbit-ransomware/82851/",
"http://www.intezer.com/notpetya-returns-bad-rabbit/"
],
"ransomnotes": [
"https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png"
],
"synonyms": [
"BadRabbit",
"Bad-Rabbit"
@ -13644,46 +13644,46 @@
]
},
"uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
"value": "Clop",
"value": "Clop"
},
{
"value": "PornBlackmailer",
"description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg"
]
},
"uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c"
},
{
"value": "KingOuroboros",
"description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.",
"meta": {
"refs": [
"https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html"
],
"ransomnotes": [
"Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted."
"refs": [
"https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/"
]
},
"uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6"
"uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c",
"value": "PornBlackmailer"
},
{
"value": "MAFIA Ransomware",
"description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.",
"description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.",
"meta": {
"synonyms": [
"Mafia"
"ransomnotes": [
"Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted."
],
"refs": [
"https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html"
"https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html"
]
},
"uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2"
"uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6",
"value": "KingOuroboros"
},
{
"description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.",
"meta": {
"refs": [
"https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html"
],
"synonyms": [
"Mafia"
]
},
"uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2",
"value": "MAFIA Ransomware"
},
{
"description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",

6
clusters/rat.json
View File

@ -3421,14 +3421,14 @@
"value": "InnfiRAT"
},
{
"description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/"
]
},
"description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.",
"value": "KeyBase",
"uuid": "b3cfd21f-b637-42ff-b118-2803630b718a"
"uuid": "b3cfd21f-b637-42ff-b118-2803630b718a",
"value": "KeyBase"
},
{
"description": "Apparently existing since 2018",

8
clusters/threat-actor.json
View File

@ -7876,7 +7876,6 @@
"value": "APT-C-34"
},
{
"value": "Golden RAT",
"description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.",
"meta": {
"refs": [
@ -7888,10 +7887,10 @@
"APT-C-27"
]
},
"uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0"
"uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0",
"value": "Golden RAT"
},
{
"value": "luoxk",
"description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.",
"meta": {
"refs": [
@ -7899,7 +7898,8 @@
],
"since": "2017"
},
"uuid": "69e11692-691e-4bfb-9557-4e2a271684ed"
"uuid": "69e11692-691e-4bfb-9557-4e2a271684ed",
"value": "luoxk"
},
{
"description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.",

12
clusters/tool.json
View File

@ -7917,24 +7917,24 @@
"value": "NBTScan"
},
{
"description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attackers profits. Therefore, its not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malwares proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.",
"meta": {
"refs": [
"https://securelist.com/a-mining-multitool/86950/"
]
},
"description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attackers profits. Therefore, its not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malwares proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.",
"value": "PowerGhost",
"uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809"
"uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809",
"value": "PowerGhost"
},
{
"description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.",
"meta": {
"refs": [
"https://research.checkpoint.com/vbetaly/"
]
},
"description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.",
"value": "VBEtaly",
"uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498"
"uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498",
"value": "VBEtaly"
},
{
"description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ",