Update tool.json

pull/353/head
LabyrINTh-Jim 2019-02-26 12:15:53 -05:00 committed by GitHub
parent 88da98e8dd
commit 60825b403e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 124 additions and 0 deletions


@ -7543,6 +7543,130 @@
"uuid": "588b97ff-3434-4aa1-a5fd-815e1bb0178b",
"value": "ANEL"
},
{
"description": "The first Brushaloader campaign that caught our attention was back in August 2018. It was initially notable because it was only using Polish language emails targeting Polish victims. Although it is common to see threats target users in multiple languages, attackers typically don't target a single European country. Below is a sample of one of the emails from that initial campaign and shows the characteristics that we would come to expect from Brushaloader: a RAR attachment containing a Visual Basic script that results in a Brushaloader infection ending in the eventual download and execution of Danabot.[[Citation: Palo Alto menuPass Feb 2017]]]",
"meta": {
"uuid": "2ad2441e-3913-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
]
},
"value": "Brushaloader"
},
{
"description": "Icloader is a generic malware that largely behaves like adware. The samples are packed and have evasive checks to hinder the analysis and conceal the real activities. This family can inject code in the address space of other processes and upload files to a remote server.[[Citation: Threat Roundup for Feb. 15 to Feb. 22]]]",
"meta": {
"uuid": "3b880ee6-3914-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-for-feb-15-to-feb-22.html"
]
},
"value": "Icloader"
},
{
"description": "ATM Malware. Automation of all kinds is there to help people with their routine work, make it faster and simpler. Although ATM fraud is a very peculiar sort of work, some cybercriminals spend a lot of effort to automate it. In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot.[[Citation: Kaspersky Lab]]",
"meta": {
"uuid": "5e48ce90-390d-11e9-924b-d663bd873d93",
"refs": [
"https://securelist.com/atm-robber-winpot/89611/"
]
},
"value": "WinPot"
},
{
"description": "Segurança Informática (SI) Lab identified infection attempts aimed to install Muncy malware directed to the DHL shipment notifications. The malicious email messages contained a particular trojan spreading via phishing campaigns tailored to lure victims. [[Citation: SI-LAB The Muncy malware is on the rise]]]",
"meta": {
"uuid": "07ff6618-3915-11e9-b210-d663bd873d93",
"refs": [
"https://seguranca-informatica.pt/si-lab-the-muncy-malware-is-on-the-rise/#.XHQOLIhKiUm"
]
},
"value": "Muncy"
},
{
"description": "These variants of Valyria are malicious Microsoft Word documents that contain embedded VBA macros used to distribute other malware. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "4ec6c84c-3916-11e9-924b-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Valyria"
},
{
"description": "These binaries are able to detect virtual machines and instrumented environments. They can also complicate the analysis with anti-disassembly and anti-debugging techniques. This family can install additional software and upload information to a remote server. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "6fd88d86-3916-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Cgok"
},
{
"description": "This family is highly malicious and executes other binaries. These samples contact remote servers, upload information collected on the victim's machine and have persistence. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "8b6c3674-3916-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Noon"
},
{
"description": "To this point, all discovered samples of this malware have targeted only macOS. The malware employs multiple levels of obfuscation and is capable of privilege escalation. Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity. Although most samples were DMG files, we also discovered .pkg, .iso, and .zip payloads. [[Citation: Carbon Black TAU Threat Intelligence]]]",
"meta": {
"uuid": "955fee68-3917-11e9-b210-d663bd873d93",
"refs": [
"https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
],
"synonyms": [
"OSX Shlayer",
"OSX/Shlayer"
]
},
"value": "Shlayer"
},
{
"description": "Win.Malware.Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples. [[Citation: Cisco Talos - Threat Roundup for Jan. 18 to Jan. 25]]]",
"meta": {
"uuid": "a06b047c-3918-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/01/threat-roundup-0118-0125.html"
]
},
"value": "Kryptik"
},
{
"description": "SoftPulse is an adware that installs malicious software, leverages anti-virtual machine techniques and may access potentially sensitive information from local browsers. [[Citation: Cisco Talos - Threat Roundup for Feb. 1 to Feb. 8]]]",
"meta": {
"uuid": "318574ae-3925-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0201-0208.html"
]
},
"value": "Softpulse"
},
{
"description": "PUA.Win.Trojan.00519ead is the denomination of a set of malicious adware samples that could leverage the AppInit DLL technique to achieve persistence and perform several DNS queries. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "31857724-3925-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0201-0208.html"
]
},
"value": "00519ead"
},
{
"description": "This cluster includes .NET adware samples capable of code injection, opening a port to listen for incoming connections, disabling system restore, modifying files inside system directories, contacting blacklisted domains, modifying the registry and, in some cases, even copying itself to USB drives. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "3185788c-3925-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0201-0208.html"
]
},
"value": "Sanctionedmedia"
},
{
"description": "BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator.",
"meta": {
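Review bot: the citation markers in this hunk are unbalanced: every new description except WinPot's closes with `]]]` (three brackets after `[[Citation: ...`), for example the Icloader, Muncy and Valyria entries; the convention elsewhere in tool.json is `[[Citation: ...]]`, so drop the extra `]` on each. Several citation labels also disagree with the `refs` next to them: the Brushaloader description cites `[[Citation: Palo Alto menuPass Feb 2017]]` while its only ref is the Talos "Combing through Brushaloader" post, and the 00519ead and Sanctionedmedia entries cite "Threat Roundup for Feb. 8 to Feb. 15" but link to `threat-roundup-0201-0208.html`, the Feb. 1 to Feb. 8 roundup; please make each label match its URL. Smaller points: the Muncy ref carries a share-widget fragment (`#.XHQOLIhKiUm`) that should be stripped from the URL; the WinPot entry gives "ATMPot" as an alternative name only in prose, and the Kryptik and 00519ead entries quote the detection names `Win.Malware.Genkryptik` and `PUA.Win.Trojan.00519ead` only in the description, so those belong in a `synonyms` list as the Shlayer entry already does; and the Cgok and Noon descriptions ("These binaries...", "This family...") never name the family, which makes them hard to tell apart from the other roundup clusters without following the link.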