From 397b37dcc825a1990389f7c2146be3e329f2d8f7 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 15 Jun 2018 15:14:42 +0200
Subject: [PATCH 1/3] add some ransomwares

---
 clusters/ransomware.json | 115 +++++++++++++++++++++++++++++++++++----
 1 file changed, 105 insertions(+), 10 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 80e617ad..f1c9a4f0 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -666,7 +666,8 @@
 {
 "meta": {
 "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
 ],
 "ransomnotes": [
 "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
@@ -1068,7 +1069,9 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
- "https://twitter.com/PolarToffee/status/824705553201057794"
+ "https://twitter.com/PolarToffee/status/824705553201057794",
+ "https://twitter.com/demonslay335/status/1004351990493741057",
+ "https://twitter.com/demonslay335/status/1004803373747572736"
 ],
 "ransomnotes": [
 "How decrypt files.hta",
@@ -2431,7 +2434,9 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
 "https://twitter.com/fwosar/status/812421183245287424",
 "https://decrypter.emsisoft.com/globeimposter",
- "https://twitter.com/malwrhunterteam/status/809795402421641216"
+ "https://twitter.com/malwrhunterteam/status/809795402421641216",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
+ "https://twitter.com/GrujaRS/status/1004661259906768896"
 ],
 "ransomnotes": [
 "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
@@ -2439,7 +2444,8 @@
 ],
 "encryption": "AES",
 "extensions": [
- ".crypt"
+ ".crypt",
+ ".emilysupp"
 ],
 "date": "December 2016"
 },
@@ -9454,11 +9460,13 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/",
- "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/"
+ "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/",
+ "https://twitter.com/demonslay335/status/1005133410501787648"
 ],
 "extensions": [
 ".ihsdj",
- ".kgpvwnr"
+ ".kgpvwnr",
+ ".ndpyhss"
 ],
 "ransomnotes": [
 "READ_ME_FOR_DECRYPT_[id].txt",
@@ -9565,7 +9573,9 @@
 "https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/",
 "https://twitter.com/malwrhunterteam/status/923847744137154560",
 "https://twitter.com/struppigel/status/926748937477939200",
- "https://twitter.com/demonslay335/status/968552114787151873"
+ "https://twitter.com/demonslay335/status/968552114787151873",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
+ "https://twitter.com/malwrhunterteam/status/1004048636530094081"
 ],
 "extensions": [
 ".Encrypted[BaYuCheng@yeah.net].XiaBa",
@@ -9602,7 +9612,8 @@
 ".XiaoBa31",
 ".XiaoBa32",
 ".XiaoBa33",
- ".XiaoBa34"
+ ".XiaoBa34",
+ ".AdolfHitler"
 ],
 "ransomnotes": [
 "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg",
@@ -9610,7 +9621,9 @@
 "_@XiaoBa@_.bmp",
 "_@Explanation@_.hta",
 "_XiaoBa_Info_.hta",
- "_XiaoBa_Info_.bmp"
+ "_XiaoBa_Info_.bmp",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg",
+ "# # DECRYPT MY FILE # #.bmp"
 ]
 },
 "uuid": "ef094aa6-4465-11e8-81ce-739cce28650b"
@@ -9743,12 +9756,94 @@
 ]
 },
 "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
+ },
+ {
+ "value": "DiskDoctor",
+ "description": "new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT",
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
+ ],
+ "extensions": [
+ ".DiskDoctor"
+ ],
+ "ransomnotes": [
+ "HOW TO RECOVER ENCRYPTED FILES.TXT",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg"
+ ],
+ "synonyms": [
+ "Scarab-DiskDoctor"
+ ]
+ },
+ "uuid": "aa66e0c2-6fb5-11e8-851d-4722b7b3e9b9"
+ },
+ {
+ "value": "RedEye",
+ "description": "Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. 
Bart also wrote an article on this ransomware detailing how it works and what it does on a system.The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
+ "https://twitter.com/JakubKroustek/status/1004463935905509376",
+ "https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html"
+ ],
+ "extensions": [
+ ".RedEye"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg"
+ ]
+ },
+ "uuid": "e675e8fa-7065-11e8-95e0-cfdc107099d8"
+ },
+ {
+ "value": "Aurora Ransomware",
+ "description": "Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.",
+ "meta": {
+ "refs": [
+ "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
+ "https://twitter.com/demonslay335/status/1004435398687379456"
+ ],
+ "ransomnotes": [
+ "#RECOVERY-PC#.txt",
+ "==========================# aurora ransomware #==========================\n\nSORRY! 
Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #=========================="
+ ]
+ },
+ "uuid": "3ee0664e-706d-11e8-800d-9f690298b437"
+ },
+ {
+ "value": "PGPSnippet Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/demonslay335/status/1005138187621191681"
+ ],
+ "extensions": [
+ ".digiworldhack@tutanota.com"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg"
+ ]
+ },
+ "uuid": "682ff7ac-7073-11e8-8c8b-bf1271b8800b"
+ },
+ {
+ "value": "Spartacus Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/demonslay335/status/1005136022282428419"
+ ],
+ "extensions": [
+ ".SF"
+ ]
+ },
+ "uuid": "fe42c270-7077-11e8-af82-d7bf7e6ab8a9"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 23,
+ "version": 24,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }

From 333db207911297cabfe2b07307865b3c8f989ed1 Mon Sep 17 00:00:00 2001
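Review bot: The five entries added in the @@ -9743 hunk name their families inconsistently: `"value": "DiskDoctor"` and `"value": "RedEye"` carry no suffix while `"Aurora Ransomware"`, `"PGPSnippet Ransomware"` and `"Spartacus Ransomware"` do, and because `value` is the string consumers match and tag on, renaming later is costly, so pick one convention now and keep the alternate spelling under `synonyms` as the DiskDoctor entry already does with `"Scarab-DiskDoctor"`. The RedEye description also appears to break across a line between `YouTube channel.` and `Bart also wrote`; the hunk's line count suggests this is an extraction artifact, but if it is a literal newline inside the string it is invalid JSON and must be escaped as `\n`, the way the Aurora ransom note does. Two smaller points in the same hunk: `"description": "new Scarab Ransomware variant ..."` starts lowercase and the RedEye text keeps the source article's first person (`told us`), and the unchanged context line `"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "` ends in a trailing space that any UUID validation will reject, which is cheap to fix while this region is being edited.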
From: Deborah Servili
Date: Mon, 18 Jun 2018 08:41:52 +0200
Subject: [PATCH 2/3] add MysteryBot in android galaxy

---
 clusters/android.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/android.json b/clusters/android.json
index f006e856..d6614bb1 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4290,9 +4290,19 @@
 ]
 },
 "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86ยง"
+ },
+ {
+ "value": "MysteryBot",
+ "description": "Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/"
+ ]
+ },
+ "uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf"
 }
 ],
- "version": 8,
+ "version": 9,
 "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
 "description": "Android malware galaxy based on multiple open sources.",
 "authors": [

From ab577afacd1317e5904067af580d85caa029dafb Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 18 Jun 2018 09:47:03 +0200
Subject: [PATCH 3/3] add ClipboardWalletHijacker

---
 clusters/tool.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5593653e..20bc955d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "name": "Tool",
 "source": "MISP Project",
- "version": 74,
+ "version": 75,
 "values": [
 {
 "meta": {
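Review bot: The MysteryBot description added in the @@ -4290 hunk is written in the news article's present tense (`Cybercriminals are currently developing a new strain of malware`), which will read as stale within weeks; a galaxy description should carry only the durable facts, e.g. `"description": "Android malware that blends the features of a banking trojan, keylogger, and mobile ransomware."`. The entry's `meta` holds a single `refs` URL and nothing else, so unlike the ransomware entries in this series there is no `synonyms` list to help consumers correlate other vendors' names for the same family; worth adding if the source gives any. Separately, the unchanged context line just above, `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86ยง"`, ends in a stray mis-encoded character, so the preceding entry's UUID is not a valid UUID; since this commit already bumps the file version, dropping that character here would avoid a validation failure downstream.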
@@ -4312,6 +4312,17 @@
 "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
 ]
 }
+ },
+ {
+ "uuid": "9f926c84-72cb-11e8-a1f2-676d779700ba",
+ "value": "ClipboardWalletHijacker",
+ "description": "The malware's purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware's authors. ClipboardWalletHijacker's end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware's authors.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/clipboard-hijacker-targeting-bitcoin-and-ethereum-users-infects-over-300-0000-pcs/",
+ "https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/"
+ ]
+ }
 }
 ],
 "authors": [
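Review bot: The new ClipboardWalletHijacker entry orders its keys `uuid`, `value`, `description`, `meta`, whereas the entries added to ransomware.json and android.json in the same series put `uuid` last; key order means nothing to a parser, but these hand-maintained files are reviewed as diffs and a stable field order keeps entries comparable, so follow whichever order the rest of tool.json already uses. The description covers only the clipboard address swap, while the second ref's slug (`new-cryptominer-hijacks-your-bitcoin-transaction...`) suggests the 360 writeup treats the same campaign as a miner; I cannot confirm that from the hunk, but if the source supports it, a sentence noting it, or a `synonyms` entry for the name that report uses, would help analysts tie the two reports together. The first ref ends in `over-300-0000-pcs`, which looks like a typo but may be the article's actual slug — confirm it resolves before merging rather than "fixing" it.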