From 2a708933526954296b40eb07fcb291d84722bf13 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 27 Apr 2020 15:03:25 +0200 Subject: [PATCH] chg: [jq] JSON fixed --- clusters/banker.json | 6 ++-- clusters/ransomware.json | 60 +++++++++++++++++++------------------- clusters/rat.json | 6 ++-- clusters/threat-actor.json | 8 ++--- clusters/tool.json | 12 ++++---- 5 files changed, 46 insertions(+), 46 deletions(-) diff --git a/clusters/banker.json b/clusters/banker.json index 33b18c8..3cbacec 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -1183,14 +1183,14 @@ "value": "CamuBot" }, { + "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://thehackernews.com/2018/08/mexico-banking-malware.html" ] }, - "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", - "value": "Dark Tequila", - "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f" + "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f", + "value": "Dark Tequila" } ], "version": 16 diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 4897b51..9d50186 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -7936,9 +7936,6 @@ "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", "meta": { "encryption": "TripleDES", - "synonyms": [ - "JobCrypter" - ], "extensions": [ ".locked", ".css" @@ -7954,6 +7951,9 @@ "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html", "https://twitter.com/malwrhunterteam/status/828914052973858816", "http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html" + ], + "synonyms": [ + "JobCrypter" ] }, "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a", @@ -11196,6 +11196,9 @@ "meta": { "payment-method": "Bitcoin", "price": "0.05 (300 $)", + "ransomnotes": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png" + ], "refs": [ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html", @@ -11203,9 +11206,6 @@ "https://securelist.com/bad-rabbit-ransomware/82851/", "http://www.intezer.com/notpetya-returns-bad-rabbit/" ], - "ransomnotes": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png" - ], "synonyms": [ "BadRabbit", "Bad-Rabbit" @@ -13644,46 +13644,46 @@ ] }, "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff", - "value": "Clop", + "value": "Clop" }, { - "value": "PornBlackmailer", "description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/" - ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg" - ] - }, - "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c" - }, - { - "value": "KingOuroboros", - "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.", - "meta": { - "refs": [ - "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html" ], - "ransomnotes": [ - "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted." + "refs": [ + "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/" ] }, - "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6" + "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c", + "value": "PornBlackmailer" }, { - "value": "MAFIA Ransomware", - "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.", + "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.", "meta": { - "synonyms": [ - "Mafia" + "ransomnotes": [ + "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted." ], "refs": [ - "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html" + "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html" ] }, - "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2" + "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6", + "value": "KingOuroboros" + }, + { + "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.", + "meta": { + "refs": [ + "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html" + ], + "synonyms": [ + "Mafia" + ] + }, + "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2", + "value": "MAFIA Ransomware" }, { "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip", diff --git a/clusters/rat.json b/clusters/rat.json index 21c0947..9c8f5b3 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3421,14 +3421,14 @@ "value": "InnfiRAT" }, { + "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/" ] }, - "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", - "value": "KeyBase", - "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a" + "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a", + "value": "KeyBase" }, { "description": "Apparently existing since 2018", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 72df387..db18c07 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7876,7 +7876,6 @@ "value": "APT-C-34" }, { - "value": "Golden RAT", "description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.", "meta": { "refs": [ @@ -7888,10 +7887,10 @@ "APT-C-27" ] }, - "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0" + "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0", + "value": "Golden RAT" }, { - "value": "luoxk", "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.", "meta": { "refs": [ @@ -7899,7 +7898,8 @@ ], "since": "2017" }, - "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed" + "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed", + "value": "luoxk" }, { "description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.", diff --git a/clusters/tool.json b/clusters/tool.json index bf7af31..048a550 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -7917,24 +7917,24 @@ "value": "NBTScan" }, { + "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.", "meta": { "refs": [ "https://securelist.com/a-mining-multitool/86950/" ] }, - "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.", - "value": "PowerGhost", - "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809" + "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809", + "value": "PowerGhost" }, { + "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.", "meta": { "refs": [ "https://research.checkpoint.com/vbetaly/" ] }, - "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.", - "value": "VBEtaly", - "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498" + "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498", + "value": "VBEtaly" }, { "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ",