mirror of https://github.com/MISP/misp-galaxy
pull/594/head
Delta-Sierra
parent
be672b8d3a
commit
88bbf8851c
|
|
@ -279,13 +279,14 @@
|
|||
"value": "PARINACOTA"
|
||||
},
|
||||
{
|
||||
"value": "GADOLINIUM",
|
||||
"description": "GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.",
|
||||
"meta": {
|
||||
"refs":[
|
||||
"refs": [
|
||||
"https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
|
||||
]
|
||||
}
|
||||
},
|
||||
"uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
|
||||
"value": "GADOLINIUM"
|
||||
}
|
||||
],
|
||||
"version": 9
|
||||
|
|
|
|||
|
|
@ -1,56 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
import json
|
||||
import argparse
|
||||
import uuid
|
||||
import re
|
||||
|
||||
parser = argparse.ArgumentParser(description='Sort ransomnotes.')
|
||||
parser.add_argument("-f", "--filename", required=True, help="name of the cluster")
|
||||
args = parser.parse_args()
|
||||
|
||||
if 'mitre-' in args.filename:
|
||||
exit()
|
||||
|
||||
with open(args.filename) as json_file:
|
||||
data = json.load(json_file)
|
||||
json_file.close()
|
||||
|
||||
new_file = {}
|
||||
for key in data:
|
||||
if key != 'values':
|
||||
new_file[key]=data[key]
|
||||
else:
|
||||
new_file['values']=[]
|
||||
values = data[key]
|
||||
for ransomware in values:
|
||||
ransom_cluster= {}
|
||||
for attribute in ransomware:
|
||||
if attribute != 'meta':
|
||||
ransom_cluster[attribute]=ransomware[attribute]
|
||||
else:
|
||||
ransom_cluster['meta']={}
|
||||
meta = ransomware['meta']
|
||||
for metadata in meta:
|
||||
if metadata != 'ransomnotes':
|
||||
ransom_cluster['meta'][metadata]=meta[metadata]
|
||||
else:
|
||||
for ransomnote in meta['ransomnotes']:
|
||||
if ransomnote.startswith('http'):
|
||||
if not ransom_cluster['meta'].get('ransomnotes-refs'):
|
||||
ransom_cluster['meta']['ransomnotes-refs']=[]
|
||||
ransom_cluster['meta']['ransomnotes-refs'].append(ransomnote)
|
||||
elif re.search('\.([a-zA-Z0-9]){3,4}$',ransomnote):
|
||||
if not ransom_cluster['meta'].get('ransomnotes-filenames'):
|
||||
ransom_cluster['meta']['ransomnotes-filenames']=[]
|
||||
ransom_cluster['meta']['ransomnotes-filenames'].append(ransomnote)
|
||||
else:
|
||||
if not ransom_cluster['meta'].get('ransomnotes'):
|
||||
ransom_cluster['meta']['ransomnotes']=[]
|
||||
ransom_cluster['meta']['ransomnotes'].append(ransomnote)
|
||||
new_file['values'].append(ransom_cluster)
|
||||
|
||||
with open('ransom2.json', 'w') as json_file:
|
||||
json.dump(new_file, json_file, indent=2, sort_keys=True, ensure_ascii=False)
|
||||
|
||||
13155
tools/ransomware-2.json
13155
tools/ransomware-2.json
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue