MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [galaxy] duplicate UUIDs removed

pull/869/head
Alexandre Dulaunoy 2023-09-26 11:17:44 +02:00
parent b79b75dba4
commit 67543e2437
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 0 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
clusters/malpedia.json
View File

@ -3029,18 +3029,6 @@
"uuid": "55626b63-4b9a-468e-92ae-4b09b303d0ed",
"value": "Unidentified APK 004"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005"
],
"synonyms": [],
"type": []
},
"uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b",
"value": "Unidentified APK 005"
},
{
"description": "Information stealer posing as a fake banking app, targeting Korean users.",
"meta": {
@ -34004,22 +33992,6 @@
"uuid": "db4ca498-5481-4b68-8024-edd51d552c38",
"value": "Makop"
},
{
"description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware",
"https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11",
"https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf",
"https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
"https://twitter.com/siri_urz/status/1221797493849018368"
],
"synonyms": [],
"type": []
},
"uuid": "db4ca498-5481-4b68-8024-edd51d552c38",
"value": "Makop Ransomware"
},
{
"description": "According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.",
"meta": {
@ -48033,19 +48005,6 @@
"uuid": "129163aa-8539-40ee-a627-0ac6775697b5",
"value": "SUGARRUSH"
},
{
"description": "According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarush",
"https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
],
"synonyms": [],
"type": []
},
"uuid": "129163aa-8539-40ee-a627-0ac6775697b5",
"value": "SUGARUSH"
},
{
"description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.",
"meta": {
@ -48896,20 +48855,6 @@
"uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
"value": "TDTESS"
},
{
"description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot"
],
"synonyms": [
"FINTEAM"
],
"type": []
},
"uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433",
"value": "TeamBot"
},
{
"description": "",
"meta": {
@ -50938,18 +50883,6 @@
"uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc",
"value": "Unidentified 058"
},
{
"description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061"
],
"synonyms": [],
"type": []
},
"uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65",
"value": "Unidentified 061 (Windows)"
},
{
"description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.",
"meta": {
@ -51041,19 +50974,6 @@
"uuid": "f2979fee-603d-496e-a526-d622e9cba84f",
"value": "Unidentified 072 (Metamorfo Loader)"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073",
"https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/"
],
"synonyms": [],
"type": []
},
"uuid": "f049e626-7de2-4648-81db-53dfd34f2fab",
"value": "Unidentified 073 (Charming Kitten)"
},
{
"description": "",
"meta": {
@ -51200,32 +51120,6 @@
"uuid": "d7f1e6cf-1880-426a-881a-619309f32c37",
"value": "Unidentified 088 (Nim Ransomware)"
},
{
"description": "Downloader used in suspected APT attack against Vietnam.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089"
],
"synonyms": [
"5.t Downloader"
],
"type": []
},
"uuid": "685c9c30-aa9f-43ee-a262-43c17c350049",
"value": "Unidentified 089 (Downloader)"
},
{
"description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090"
],
"synonyms": [],
"type": []
},
"uuid": "565de3f5-7eb7-43ca-a9d9-b588dfd6a50a",
"value": "Unidentified 090 (Lazarus)"
},
{
"description": "Avast found this unidentified RAT, which abuses a code-signing certificate by the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.",
"meta": {
@ -51368,32 +51262,6 @@
"uuid": "0ee92ce5-e33d-4393-a466-6b5f6a1ca6a5",
"value": "Unidentified 100 (APT-Q-12)"
},
{
"description": "Potential Lazarus sample.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101",
"https://twitter.com/RedDrip7/status/1595365451495706624",
"https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
],
"synonyms": [],
"type": []
},
"uuid": "cca4f240-ac69-437e-b02a-5483ebef5087",
"value": "Unidentified 101 (Lazarus?)"
},
{
"description": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102"
],
"synonyms": [],
"type": []
},
"uuid": "6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc",
"value": "Unidentified 102 (Donot)"
},
{
"description": "A malware that uses .NET to load unmanaged (shell)code which has some resemblance to BADHATCH, the IP found in the sample was referred to in coverage on WHITERABBIT ransomware attacks.",
"meta": {