Merge pull request #221 from Delta-Sierra/master

New clusters
Alexandre Dulaunoy 2018-06-07 09:56:12 +02:00 committed by GitHub
commit 75280287c0
3 changed files with 48 additions and 6 deletions


@ -5312,7 +5312,8 @@
".TEST", ".TEST",
".WORK", ".WORK",
".SYSTEM", ".SYSTEM",
".MOLE66" ".MOLE66",
".BACKUP"
], ],
"ransomnotes": [ "ransomnotes": [
"HELP_YOUR_FILES.html (CryptXXX)", "HELP_YOUR_FILES.html (CryptXXX)",
@ -5327,7 +5328,8 @@
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number",
"!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!" "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number"
], ],
"refs": [ "refs": [
"http://www.nyxbone.com/malware/CryptoMix.html", "http://www.nyxbone.com/malware/CryptoMix.html",
@ -5339,7 +5341,8 @@
"https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/" "https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/"
] ]
}, },
"uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a" "uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a"
@ -9691,12 +9694,31 @@
] ]
}, },
"uuid": "39cb0268-528b-11e8-ac30-0fa44afdc8de" "uuid": "39cb0268-528b-11e8-ac30-0fa44afdc8de"
},
{
"value": "Sigrun Ransomware",
"description": "When Sigrun is executed it will first check \"HKEY_CURRENT_USER\\Keyboard Layout\\Preload\" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders. ",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/"
],
"extensions": [
".sigrun"
],
"ransomnotes": [
"SIGRUN 1.0 RANSOMWARE\n\nAll your important files are encrypted\n\nYour files has been encrypted by sigrun ransomware with unique decryption key.\n\nThere is only one way to get your files back: contact with us, pay, and get decryptor software. \n\nWe accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.\n\nYou have unique idkey (in a yellow frame), write it in letter when contact with us.\n\nAlso you can decrypt 3 files for test, its guarantee what we can decrypt your files.\n\nIDKEY:\n>>> [id_key] <<<\nContact information:\n\nemail: sigrun_decryptor@protonmail.ch",
"~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]",
"RESTORE-SIGRUN.html",
"RESTORE-SIGRUN.txt"
]
},
"uuid": "5a53eec2-6993-11e8-a4d5-67480005dcbd"
} }
], ],
"source": "Various", "source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware", "name": "Ransomware",
"version": 21, "version": 22,
"type": "ransomware", "type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar" "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
} }
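Review bot: The new Sigrun cluster's `"description"` string ends with a trailing space before the closing quote (`particular folders. "`), which will be carried into every export and tag built from this value; trim it to `...or are located in particular folders.",`. The same entry also orders its meta keys `refs`, `extensions`, `ransomnotes`, while the CryptoMix entry touched in the first two hunks of this file uses `extensions`, `ransomnotes`, `refs` — key order is insignificant to parsers, but keeping one order makes later diffs of this file easier to read. The registry check on `HKEY_CURRENT_USER\Keyboard Layout\Preload` described for Sigrun is a useful hunting lead (a read of that key by an unsigned process shortly before mass file renames to `.sigrun`), so it is worth keeping in the description rather than only in the ref.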


@ -2,7 +2,7 @@
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9", "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"name": "RAT", "name": "RAT",
"source": "MISP Project", "source": "MISP Project",
"version": 9, "version": 10,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -2490,6 +2490,16 @@
"description": "Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email", "description": "Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email",
"value": "NavRAT", "value": "NavRAT",
"uuid": "6ea032a0-d54a-463b-b016-2b7b9b9a5b7e" "uuid": "6ea032a0-d54a-463b-b016-2b7b9b9a5b7e"
},
{
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA18-149A"
]
},
"description": "Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. ",
"value": "joanap",
"uuid": "caac1aa2-6982-11e8-8107-a331ae3511e7"
} }
], ],
"authors": [ "authors": [
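Review bot: The new cluster's `"value"` is the lowercase `joanap`, while the neighbouring NavRAT entry and the Brambul entry added by this same PR use the capitalised name, and the cited TA18-149A alert writes it as Joanap; since the value becomes the galaxy tag string, use `"value": "Joanap",` now, before anything is tagged against the lowercase form (the uuid is freshly minted here, so renaming is free). The `"description"` also ends with a trailing space before the closing quote (`Windows device. "`), which should be trimmed. Consider adding the other TA18-149A names the alert groups with this family under `synonyms` only if they are actually listed there — I cannot verify that from this page.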


@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"name": "Tool", "name": "Tool",
"source": "MISP Project", "source": "MISP Project",
"version": 71, "version": 72,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -4252,6 +4252,16 @@
"https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
] ]
} }
},
{
"uuid": "4c057ade-6989-11e8-9efd-ab33ed427468",
"value": "Brambul",
"description": "Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.",
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA18-149A"
]
}
} }
], ],
"authors": [ "authors": [
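Review bot: The Brambul entry puts `"uuid"` first and `"meta"` last, whereas the first entry of this file (visible in the top hunk, where `"meta": {` immediately follows the opening brace) and the Joanap entry added to rat.json in this same PR open with `"meta"`; reorder the keys to match so the file stays uniform. The description drops the possessive in two places — `onto victims networks` and `on victims local subnets` — which should read `onto victims' networks` and `on victims' local subnets`. The stated behaviour (SMB brute force over ports 139 and 445 from an embedded password list, plus random target IP generation) is the detection-relevant part of this cluster and reads correctly as written, so only the wording needs fixing.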