Merge pull request #300 from Delta-Sierra/master

add several ransomware and HookAds campaign
pull/306/head
Deborah Servili 2018-11-13 15:31:20 +01:00 committed by GitHub
commit 7a66de8dcb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 87 additions and 9 deletions

View File

@ -980,7 +980,8 @@
"description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
"https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/"
]
},
"related": [
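Review bot: the DanaBot description in this hunk introduces the module list with "i.e." although VNCDLL.dll, StealerDLL.dll and ProxyDLL.dll are given as examples rather than the full set, so "e.g." is the intended abbreviation; "It's a Trojan" could also become "A Trojan" to match the register of the other descriptions. The ref change itself is correct: the trailing comma is added to the existing Proofpoint entry and the new BleepingComputer entry closes the array.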

View File

@ -3287,7 +3287,11 @@
".id-BCBEF350.[Beamsell@qq.com].bip",
".boost",
".[Darknes@420blaze.it].waifu",
".brrr"
".brrr",
".adobe",
".tron",
".AUDIT",
".cccmn"
],
"ransomnotes": [
"README.txt",
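Review bot: the extensions array now mixes bare suffixes (".adobe", ".tron", ".AUDIT", ".cccmn") with victim-specific full patterns such as ".id-BCBEF350.[Beamsell@qq.com].bip", which bakes one victim ID and the operator mailbox into the list. Anything matching on this array will only ever hit that exact ID, so consider storing the generic suffix (".bip") and describing the "id-<ID>.[<mailbox>]" naming scheme in the description instead. Also worth checking whether ".AUDIT" is really upper-case in the wild, since every other entry is lower-case.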
@ -3301,7 +3305,8 @@
"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com",
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg",
"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg"
"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg",
"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg"
],
"refs": [
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
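Review bot: the ransomnotes array here holds three different kinds of value: a note file name ("README.txt"), full note text, and image URLs on pbs.twimg.com. Twitter-hosted media is not durable, so the new https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg link is likely to rot; if that image is the only record of the note, a transcription of its text next to the URL would keep the entry usable after the link dies.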
@ -3311,7 +3316,10 @@
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/demonslay335/status/1049313390097813504",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
"https://twitter.com/JakubKroustek/status/1038680437508501504"
"https://twitter.com/JakubKroustek/status/1038680437508501504",
"https://twitter.com/demonslay335/status/1059521042383814657",
"https://twitter.com/demonslay335/status/1059940414147489792",
"https://twitter.com/JakubKroustek/status/1060825783197933568"
]
},
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
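Review bot: the three new refs are all tweet permalinks; the hunk is syntactically fine (comma added to the previous last entry), but tweets are routinely deleted, so where an archived copy or the BleepingComputer round-up that cites them exists it would be the more durable reference. The same applies to the other tweet-only refs added in this PR.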
@ -11134,7 +11142,9 @@
],
"refs": [
"https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/",
"https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/"
"https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
"https://twitter.com/MarceloRivero/status/1059575186117328898",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
]
},
"uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5",
@ -11286,7 +11296,62 @@
},
"uuid": "e90a57b5-cd17-4dce-b83f-d007053c7b35",
"value": "Rektware"
},
{
"meta": {
"extensions": [
".mariacbc"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg"
],
"refs": [
"https://twitter.com/malwrhunterteam/status/1058775145005887489",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
],
"synonyms": [
"M@r1a",
"BlackHeart"
]
},
"uuid": "1009b7f3-e737-49fd-a872-1e0fd1df4c00",
"value": "M@r1a ransomware"
},
{
"description": "",
"meta": {
"extensions": [
"(enc) prepend"
],
"ransomnotes": [
"aboutYourFiles.txt",
"Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n* the bitcoin address you sent from (important, write it down when you do the transaction)\n* the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress: \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT: \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me. \n\n\n\nID: [redacted 13 numbers]"
],
"refs": [
"https://twitter.com/demonslay335/status/1059470985055875074",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/"
]
},
"uuid": "ad600737-6d5f-4771-ae80-3e434e29c749",
"value": "\"prepending (enc) ransomware\" (Not an official name)"
},
{
"meta": {
"extensions": [
".impect"
],
"ransomnotes": [
"how to get back you files.txt",
"Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com",
"https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
],
"refs": [
"https://twitter.com/demonslay335/status/1060921043957755904"
]
},
"uuid": "f7fa6978-c932-4e62-b4fc-3fbbbc195602",
"value": "PyCL Ransomware"
}
],
"version": 42
"version": 43
}
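Review bot: the new "prepending (enc) ransomware" entry has an empty "description": "" and carries its caveat inside the value ("(Not an official name)"); since value is the display and match name of the cluster, move the caveat into description and leave the value as the bare name. In the same entry "(enc) prepend" is a filename prefix, not an extension, so either describe the prefix behaviour in description or document in the galaxy that extensions may encode prefixes. Smaller points: the M@r1a entry lists "M@r1a" as a synonym of "M@r1a ransomware", which is redundant, and its only ransomnote is a bleepstatic.com image URL with no text transcription.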

View File

@ -14,7 +14,9 @@
"meta": {
"date": "March 2018.",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap",
"https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/",
"https://traffic.moe/2018/11/10/index.html"
]
},
"related": [
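Review bot: the two added refs are fine and the comma handling is correct. The surrounding context shows "date": "March 2018." with a trailing period inside the date value; that predates this change, but dropping the period would keep the field consistent with the other entries and easier to compare programmatically.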
@ -54,5 +56,5 @@
"value": "AZORult"
}
],
"version": 3
"version": 4
}

View File

@ -6002,7 +6002,17 @@
},
"uuid": "c2d5a052-dc30-11e8-9643-d76f3b9c94fa",
"value": "EvilTraffic"
},
{
"description": "HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/"
]
},
"uuid": "dce617eb-a3b6-4a9a-bd76-575c424f9761",
"value": "HookAds"
}
],
"version": 77
"version": 78
}
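Review bot: typos in the new HookAds description: "a serious of decoy sites" should be "a series of decoy sites", and "try and install its malware payload" reads better as "try to install its malware payload"; "blackhat seo" would normally be written "black hat SEO" and "web sites" as "websites". "Under the right circumstances" is vague; if the cited BleepingComputer article states what conditions trigger the redirect to Fallout, naming them here would make the entry more useful.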