Merge pull request #283 from cvandeplas/master

fixes + relations with malpedia
Alexandre Dulaunoy 2018-10-12 13:42:23 +02:00 committed by GitHub
commit d04bf9d806
60 changed files with 14475 additions and 6549 deletions


@ -29,6 +29,15 @@
"GhostCtrl"
]
},
"related": [
{
"dest-uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a01e1d0b-5303-4d11-94dc-7db74f3d599d",
"value": "Andr/Dropr-FH"
},
@ -50,6 +59,15 @@
"https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/"
]
},
"related": [
{
"dest-uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d10f8cd5-0077-4d8f-9145-03815a68dd33",
"value": "RedAlert2"
},
@ -70,6 +88,15 @@
"https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
]
},
"related": [
{
"dest-uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6671bb0b-4fab-44a7-92f9-f641a887a0aa",
"value": "DoubleLocker"
},
@ -91,6 +118,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "426ead34-b3e6-45c7-ba22-5b8f3b8214bd",
@ -103,6 +137,29 @@
"https://clientsidedetection.com/lokibot___the_first_hybrid_android_malware.html"
]
},
"related": [
{
"dest-uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c",
"value": "LokiBot"
},
@ -115,6 +172,15 @@
"https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers"
]
},
"related": [
{
"dest-uuid": "85975621-5126-40cb-8083-55cbfa75121b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4ed03b03-a34f-4583-9db1-6c58a4bd952b",
"value": "BankBot"
},
@ -188,6 +254,15 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99"
]
},
"related": [
{
"dest-uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "60857664-0671-4b12-ade9-86ee6ecb026a",
"value": "Switcher"
},
@ -259,6 +334,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb",
@ -311,6 +393,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
@ -762,6 +851,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "620981e8-49c8-486a-b30c-359702c8ffbc",
@ -1094,6 +1190,22 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99"
]
},
"related": [
{
"dest-uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c359c74e-4155-4e66-a344-b56947f75119",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04",
"value": "Crisis"
},
@ -3349,6 +3461,15 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99"
]
},
"related": [
{
"dest-uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "05f5a051-d7a2-4757-a2f0-d685334d9374",
"value": "Rootnik"
},
@ -3660,6 +3781,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "dadccdda-a4c2-4021-90b9-61a394e602be",
@ -3714,6 +3842,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
@ -4463,8 +4605,6 @@
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
]
},
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"value": "HenBox",
"related": [
{
"dest-uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
@ -4473,7 +4613,9 @@
],
"type": "similar"
}
]
],
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"value": "HenBox"
},
{
"description": "Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.",
@ -4482,6 +4624,15 @@
"https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/"
]
},
"related": [
{
"dest-uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf",
"value": "MysteryBot"
},
@ -4492,29 +4643,38 @@
"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
]
},
"related": [
{
"dest-uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3e19d162-9ee1-11e8-b8d7-d32141691f1f",
"value": "Skygofree"
},
{
"value": "BusyGasper",
"description": "A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/"
]
},
"uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2"
"uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2",
"value": "BusyGasper"
},
{
"value": "Triout",
"description": "Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/"
]
},
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268"
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268",
"value": "Triout"
}
],
"version": 14
"version": 15
}
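Review bot: The HenBox `uuid` on the new side, `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",`, still carries a trailing `§`, so it is not a valid UUID and no `dest-uuid` from the Malpedia galaxy (or any other cluster) can resolve to this entry; the commit only moves the line below `related` without correcting it. It should read `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86",`. If the repository's validation step does not already pattern-check every `uuid` and `dest-uuid` against the 8-4-4-4-12 hex form, this is exactly the case such a check would catch, and a non-ASCII byte in an identifier is also the kind of thing a strict consumer may reject outright. Separately, Crisis receives two `similar` links (to 4b2ab902… and c359c74e…) with identical `likely` tags; if these links were produced by matching on `value` or synonyms, stating the method in the PR description would let reviewers judge whether both targets are really the same family rather than a name collision.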


@ -5,7 +5,6 @@
"description": "A list of backdoor malware.",
"name": "Backdoor",
"source": "Open Sources",
"version": 2,
"type": "backdoor",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"values": [
@ -17,11 +16,19 @@
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
]
},
"value": "WellMess",
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
"related": [
{
"dest-uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
"value": "WellMess"
},
{
"value": "Rosenbridge",
"description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
"meta": {
"date": "August 2018",
@ -31,7 +38,9 @@
"https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
]
},
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
"value": "Rosenbridge"
}
]
],
"version": 3
}


@ -34,6 +34,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
@ -60,6 +67,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f3813bbd-682c-400d-8165-778be6d3f91f",
@ -91,6 +105,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "66781866-f064-467d-925d-5e5f290352f0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
@ -119,6 +147,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
@ -151,6 +193,22 @@
"https://lokalhost.pl/gozi_tree.txt"
]
},
"related": [
{
"dest-uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
"value": "Gozi ISFB"
},
@ -176,6 +234,22 @@
"http://archive.is/I7hi8#selection-217.0-217.6"
]
},
"related": [
{
"dest-uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
"value": "IAP"
},
@ -203,6 +277,15 @@
"Zeus Terdot"
]
},
"related": [
{
"dest-uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17",
"value": "Zloader Zeus"
},
@ -218,6 +301,15 @@
"VM Zeus"
]
},
"related": [
{
"dest-uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65",
"value": "Zeus VM"
},
@ -229,6 +321,15 @@
"https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/"
]
},
"related": [
{
"dest-uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505",
"value": "Zeus Sphinx"
},
@ -261,6 +362,15 @@
"Maple"
]
},
"related": [
{
"dest-uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d",
"value": "Zeus KINS"
},
@ -276,6 +386,15 @@
"Chtonic"
]
},
"related": [
{
"dest-uuid": "9441a589-e23d-402d-9603-5e55e3e33971",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8",
"value": "Chthonic"
},
@ -294,6 +413,22 @@
"Trickloader"
]
},
"related": [
{
"dest-uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c824813c-9c79-4917-829a-af72529e8329",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6",
"value": "Trickbot"
},
@ -316,6 +451,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
@ -351,6 +493,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5594b171-32ec-4145-b712-e7701effffdd",
@ -376,6 +525,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26",
@ -409,6 +565,27 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "66781866-f064-467d-925d-5e5f290352f0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "16794655-c0e2-4510-9169-f862df104045",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
@ -432,6 +609,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "542161c0-47a4-4297-baca-5ed98386d228",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
@ -465,6 +649,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
@ -480,6 +671,15 @@
"https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
]
},
"related": [
{
"dest-uuid": "495377c4-1be5-4c65-ba66-94c221061415",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c",
"value": "Corebot"
},
@ -508,6 +708,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
@ -529,6 +743,29 @@
"Werdlod"
]
},
"related": [
{
"dest-uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "80acc956-d418-42e3-bddf-078695a01289",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
"value": "Retefe"
},
@ -543,6 +780,15 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
]
},
"related": [
{
"dest-uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699",
"value": "ReactorBot"
},
@ -554,6 +800,15 @@
"https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
]
},
"related": [
{
"dest-uuid": "59717468-271e-4d15-859a-130681c17ddb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985",
"value": "Matrix Banker"
},
@ -592,6 +847,15 @@
"https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/"
]
},
"related": [
{
"dest-uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9eb89081-3245-423a-995f-c1d78ce39619",
"value": "Citadel"
},
@ -615,6 +879,15 @@
"https://securelist.com/ice-ix-not-cool-at-all/29111/ "
]
},
"related": [
{
"dest-uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339",
"value": "Ice IX"
},
@ -642,6 +915,15 @@
"Murofet"
]
},
"related": [
{
"dest-uuid": "f7081626-130a-48d5-83a9-759b3ef198ec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc",
"value": "Licat"
},
@ -666,6 +948,15 @@
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
]
},
"related": [
{
"dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9d67069c-b778-486f-8158-53f5dcd05d08",
"value": "IcedID"
},
@ -695,6 +986,29 @@
"https://objective-see.com/blog/blog_0x25.html#Dok"
]
},
"related": [
{
"dest-uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "80acc956-d418-42e3-bddf-078695a01289",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
"value": "Dok"
},
@ -719,6 +1033,15 @@
"lsmo"
]
},
"related": [
{
"dest-uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194",
"value": "Smominru"
},
@ -729,6 +1052,15 @@
"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
]
},
"related": [
{
"dest-uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "844417c6-a404-4c4e-8e93-84db596d725b",
"value": "DanaBot"
},
@ -754,6 +1086,15 @@
"Shiotob"
]
},
"related": [
{
"dest-uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27",
"value": "Bebloh"
},
@ -768,6 +1109,15 @@
"BackPatcher"
]
},
"related": [
{
"dest-uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52",
"value": "Banjori"
},
@ -777,6 +1127,15 @@
"https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
]
},
"related": [
{
"dest-uuid": "080b2071-2d69-4b76-962e-3d0142074bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a717c873-6670-447a-ba98-90db6464c07d",
"value": "Qadars"
},
@ -795,6 +1154,15 @@
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"related": [
{
"dest-uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4",
"value": "Ranbyus"
},
@ -804,6 +1172,15 @@
"https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
]
},
"related": [
{
"dest-uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa",
"value": "Fobber"
},
@ -814,6 +1191,15 @@
"https://research.checkpoint.com/banking-trojans-development/"
]
},
"related": [
{
"dest-uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754",
"value": "Karius"
},
@ -826,19 +1212,37 @@
"https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/"
]
},
"related": [
{
"dest-uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502",
"value": "Kronos"
},
{
"value": "CamuBot",
"description": "A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.\nCamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ "
]
},
"uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87"
"related": [
{
"dest-uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87",
"value": "CamuBot"
}
],
"version": 13
"version": 14
}
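Review bot: Two reference URLs in this section keep a trailing space on the new side, `"https://securelist.com/ice-ix-not-cool-at-all/29111/ "` in the Ice IX entry and `"https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ "` in the CamuBot entry; they are context lines, so the commit does not touch them, but anything that dereferences or deduplicates `refs` will treat them as distinct (and for some fetchers broken) URLs. Trimming them to `.../29111/"` and `.../security-module/"` is a one-character fix each. The file appears to have been re-serialized with keys sorted (the `uuid`/`value` lines move below `related` in every entry), presumably by a jq pass; if so, stripping surrounding whitespace from each `refs` string in that same pass would keep this from recurring. The Retefe/Dok pair is linked in both directions and shares the same two Malpedia targets, which is internally consistent.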


@ -31,6 +31,15 @@
"Lodeight"
]
},
"related": [
{
"dest-uuid": "f09af1cc-cf9d-499a-9026-e783a3897508",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c",
"value": "Bagle"
},
@ -72,6 +81,15 @@
"Anserin"
]
},
"related": [
{
"dest-uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1",
"value": "Torpig"
},
@ -104,6 +122,15 @@
"Costrat"
]
},
"related": [
{
"dest-uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43",
"value": "Rustock"
},
@ -117,6 +144,15 @@
"Bachsoy"
]
},
"related": [
{
"dest-uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a",
"value": "Donbot"
},
@ -132,6 +168,15 @@
"Mutant"
]
},
"related": [
{
"dest-uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8",
"value": "Cutwail"
},
@ -157,6 +202,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
@ -185,6 +237,15 @@
"https://en.wikipedia.org/wiki/Lethic_botnet"
]
},
"related": [
{
"dest-uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a73e150f-1431-4f72-994a-4000405eff07",
"value": "Lethic"
},
@ -218,6 +279,15 @@
"Kukacka"
]
},
"related": [
{
"dest-uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96",
"value": "Sality"
},
@ -246,6 +316,15 @@
"Kido"
]
},
"related": [
{
"dest-uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069",
"value": "Conficker"
},
@ -294,6 +373,15 @@
"Mondera"
]
},
"related": [
{
"dest-uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6",
"value": "Gheg"
},
@ -329,6 +417,15 @@
"Hydraflux"
]
},
"related": [
{
"dest-uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b",
"value": "Asprox"
},
@ -480,6 +577,15 @@
"Alureon"
]
},
"related": [
{
"dest-uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1",
"value": "TDL4"
},
@ -512,6 +618,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
@ -528,6 +641,15 @@
"Hlux"
]
},
"related": [
{
"dest-uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6",
"value": "Kelihos"
},
@ -546,6 +668,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "542161c0-47a4-4297-baca-5ed98386d228",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8ed81090-f098-4878-b87e-2d801b170759",
@ -605,6 +734,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
@ -638,6 +774,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f",
@ -647,6 +790,15 @@
"meta": {
"date": "April 2017"
},
"related": [
{
"dest-uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa",
"value": "BetaBot"
},
@ -659,6 +811,15 @@
"https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/"
]
},
"related": [
{
"dest-uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67",
"value": "Hajime"
},
@ -685,6 +846,15 @@
"Hide 'N Seek"
]
},
"related": [
{
"dest-uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f",
"value": "Hide and Seek"
},
@ -727,6 +897,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
@ -797,6 +974,15 @@
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
]
},
"related": [
{
"dest-uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0",
"value": "Pushdo"
},
@ -806,6 +992,15 @@
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
]
},
"related": [
{
"dest-uuid": "467ee29c-317f-481a-a77c-69961eb88c4d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c",
"value": "Simda"
},
@ -815,6 +1010,15 @@
"https://en.wikipedia.org/wiki/Virut"
]
},
"related": [
{
"dest-uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1",
"value": "Virut"
},
@ -842,7 +1046,6 @@
"value": "Bamital"
},
{
"value": "Gafgyt",
"description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWalls Global Management System (GMS).",
"meta": {
"refs": [
@ -853,10 +1056,26 @@
"Bashlite"
]
},
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
"related": [
{
"dest-uuid": "5fe338c6-723e-43ed-8165-43d95fa93689",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
"value": "Gafgyt"
},
{
"value": "Sora",
"description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
"meta": {
"refs": [
@ -889,28 +1108,48 @@
"type": "variant-of"
}
],
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"value": "Sora"
},
{
"value": "Torii",
"description": " we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.",
"meta": {
"refs": [
"https://blog.avast.com/new-torii-botnet-threat-research",
"https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/"
]
}
},
"related": [
{
"dest-uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "92f38212-94e2-4d70-9b5e-e977eb1e7b79",
"value": "Torii"
},
{
"value": "Persirai",
"description": "A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
]
},
"uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c"
"related": [
{
"dest-uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
"value": "Persirai"
}
],
"version": 15
"version": 16
}


@ -149,13 +149,13 @@
"value": "ImageTragick"
},
{
"description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
"meta": {
"logo": [
"http://blacknurse.dk/____impro/1/onewebmedia/blacknurse2.png?etag=W%2F%2214e7-5761287d%22&sourceContentType=image%2Fpng&ignoreAspectRatio&resize=200%2B200&extract=0%2B40%2B200%2B114"
]
},
"uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
"description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
"value": "Blacknurse"
}
],


@ -287,6 +287,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
@ -570,6 +577,15 @@
"Neutrino-v"
]
},
"related": [
{
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d",
"value": "Neutrino"
},
@ -745,5 +761,5 @@
"value": "Unknown"
}
],
"version": 10
"version": 11
}
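Review bot: The `related` entry added for the Neutrino cluster (hunk `@ -570,6 +577,15 @@`) points at dest-uuid `3760920e-4d1a-40d8-9e60-508079499076`, and the same dest-uuid is attached to `Kasidet - S0088` and `Kasidet` in later files of this commit. This entry carries the synonym `Neutrino-v`, which suggests it is the exploit kit, whereas Kasidet is the bot that also goes by Neutrino, so a name-based match may have tied two different families to one Malpedia entry. Every generated relation in this commit is tagged `estimative-language:likelihood-probability="likely"`; where the only evidence is a name collision like this one, a lower value from the same taxonomy, or dropping the relation, would reflect the actual confidence better. The enclosing cluster objects of the first hunk start and end outside the hunk.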



@ -205,28 +205,37 @@
"value": "ZIRCONIUM"
},
{
"value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard",
"description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-suspected-victims": [
"India"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
],
"synonyms": [
"C-Major",
"Transparent Tribe"
]
},
"uuid": "2a410eea-a9da-11e8-b404-37b7060746c8"
"related": [
{
"dest-uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
"value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
}
],
"version": 5
"version": 6
}
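Review bot: The cluster's `value` on the new side is still the CFR URL `https://www.cfr.org/interactive/cyber-operations/mythic-leopard`, which is the name MISP displays and matches on, while the identical URL already sits in `refs`; since the commit rewrites this entry anyway, `"value": "Mythic Leopard"` with the URL kept only in `refs` would fix it, unless the CFR import deliberately keys entries by URL. The new `related` link to `acbb5cad-ffe7-4b0e-a57a-2dbc916e8905` is tagged `likely` like every other generated relation in this commit; for an actor entry whose synonyms (`C-Major`, `Transparent Tribe`) differ from its `value`, it is worth recording in the commit message whether that match was made on the synonyms or by hand. The hunk also reorders the `meta` keys, which is harmless but makes the real change harder to spot in the diff.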


@ -156,6 +156,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
@ -174,6 +181,15 @@
"NetC"
]
},
"related": [
{
"dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"value": "Net Crawler - S0056"
},
@ -197,6 +213,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
@ -261,6 +284,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
@ -328,6 +358,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
@ -376,6 +413,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f",
@ -416,6 +467,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
@ -512,6 +570,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
@ -665,6 +730,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
@ -738,6 +810,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
@ -755,6 +834,15 @@
"WinMM"
]
},
"related": [
{
"dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"value": "WinMM - S0059"
},
@ -785,6 +873,15 @@
"Sys10"
]
},
"related": [
{
"dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"value": "Sys10 - S0060"
},
@ -917,6 +1014,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
@ -941,6 +1045,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
@ -1002,6 +1113,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
@ -1019,6 +1137,15 @@
"Reaver"
]
},
"related": [
{
"dest-uuid": "826c31ca-2617-47e4-b236-205da3881182",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"value": "Reaver - S0172"
},
@ -1034,6 +1161,15 @@
"Misdat"
]
},
"related": [
{
"dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"value": "Misdat - S0083"
},
@ -1057,6 +1193,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f108215f-3487-489d-be8b-80e346d32518",
@ -1112,6 +1255,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
@ -1144,6 +1294,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
@ -1161,6 +1318,15 @@
"Rover"
]
},
"related": [
{
"dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"value": "Rover - S0090"
},
@ -1191,6 +1357,15 @@
"PowerDuke"
]
},
"related": [
{
"dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"value": "PowerDuke - S0139"
},
@ -1267,6 +1442,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b42378e0-f147-496f-992a-26a49705395b",
@ -1309,6 +1491,15 @@
"Anunak"
]
},
"related": [
{
"dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
"value": "Carbanak - S0030"
},
@ -1437,6 +1628,15 @@
"Nioupale"
]
},
"related": [
{
"dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"value": "Daserf - S0187"
},
@ -1560,6 +1760,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
@ -1666,6 +1873,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
@ -1722,6 +1936,15 @@
"NETEAGLE"
]
},
"related": [
{
"dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"value": "NETEAGLE - S0034"
},
@ -1818,6 +2041,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
@ -1874,6 +2104,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
@ -1906,6 +2143,15 @@
"POWRUNER"
]
},
"related": [
{
"dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"value": "POWRUNER - S0184"
},
@ -1938,6 +2184,15 @@
"Pteranodon"
]
},
"related": [
{
"dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"value": "Pteranodon - S0147"
},
@ -2037,6 +2292,15 @@
"AIRBREAK"
]
},
"related": [
{
"dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b",
"value": "Orz - S0229"
},
@ -2067,6 +2331,15 @@
"Kasidet"
]
},
"related": [
{
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"value": "Kasidet - S0088"
},
@ -2108,6 +2381,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
@ -2126,6 +2406,15 @@
"Darkmoon"
]
},
"related": [
{
"dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "310f437b-29e7-4844-848c-7220868d074a",
"value": "Darkmoon - S0209"
},
@ -2156,6 +2445,15 @@
"BBSRAT"
]
},
"related": [
{
"dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"value": "BBSRAT - S0127"
},
@ -2180,6 +2478,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
@ -2252,6 +2557,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
@ -2285,6 +2597,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
@ -2422,6 +2741,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
@ -2462,6 +2788,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
@ -2479,6 +2812,15 @@
"TDTESS"
]
},
"related": [
{
"dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"value": "TDTESS - S0164"
},
@ -2519,6 +2861,15 @@
"TURNEDUP"
]
},
"related": [
{
"dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
"value": "TURNEDUP - S0199"
},
@ -2644,6 +2995,15 @@
"Helminth"
]
},
"related": [
{
"dest-uuid": "19d89300-ff97-4281-ac42-76542e744092",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"value": "Helminth - S0170"
},
@ -2702,6 +3062,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
@ -2726,6 +3100,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
@ -2745,6 +3126,15 @@
"ProjectSauron"
]
},
"related": [
{
"dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"value": "Remsec - S0125"
},
@ -2815,6 +3205,15 @@
"WhiteBear"
]
},
"related": [
{
"dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"value": "Gazer - S0168"
},
@ -2832,6 +3231,15 @@
"SeaDesk"
]
},
"related": [
{
"dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"value": "SeaDuke - S0053"
},
@ -2890,6 +3298,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
@ -2974,6 +3389,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
@ -3013,6 +3435,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
@ -3051,6 +3480,15 @@
"FinSpy"
]
},
"related": [
{
"dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
"value": "FinFisher - S0182"
},
@ -3074,6 +3512,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
@ -3098,6 +3543,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
@ -3130,6 +3582,15 @@
"Felismus"
]
},
"related": [
{
"dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"value": "Felismus - S0171"
},
@ -3171,6 +3632,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
@ -3188,6 +3656,15 @@
"RTM"
]
},
"related": [
{
"dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"value": "RTM - S0148"
},
@ -3334,6 +3811,15 @@
"DownPaper"
]
},
"related": [
{
"dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"value": "DownPaper - S0186"
},
@ -3493,6 +3979,15 @@
"pngdowner"
]
},
"related": [
{
"dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
"value": "pngdowner - S0067"
},
@ -3508,6 +4003,15 @@
"SslMM"
]
},
"related": [
{
"dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"value": "SslMM - S0058"
},
@ -3623,6 +4127,15 @@
"OnionDuke"
]
},
"related": [
{
"dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
"value": "OnionDuke - S0052"
},
@ -3709,6 +4222,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
@ -3731,6 +4251,15 @@
"DRIFTWOOD"
]
},
"related": [
{
"dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"value": "RawPOS - S0169"
},
@ -3757,6 +4286,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
@ -3776,6 +4312,15 @@
"Enfal"
]
},
"related": [
{
"dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
"value": "Lurid - S0010"
},
@ -3865,6 +4410,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
@ -3886,5 +4445,5 @@
"value": "ELMER - S0064"
}
],
"version": 5
"version": 6
}
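Review bot: The Malpedia dest-uuid `d26b5518-8d7f-41a6-b539-231e4962853e` is added to three different clusters in this file (`f108215f-3487-489d-be8b-80e346d32518`, `60c18d06-7b91-4742-bae3-647845cd9d81` and `8ae43c46-57ef-47d5-a77a-eebb35628db2`), `6bd20349-1231-4aaa-ba2a-f4b09d3b344c` to the last two of those, and `bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f` to both `fece06b7-d4b1-42cf-b81a-5323c917546e` and `495b6cdb-7b5a-4fbc-8d33-e7ef68806d08`. A many-to-one mapping like this usually means the name match collapsed distinct ATT&CK software entries onto one Malpedia family, so these should be checked by hand rather than all carrying `estimative-language:likelihood-probability="likely"`. The same concern applies to the `3760920e-4d1a-40d8-9e60-508079499076` link shared by `Kasidet - S0088` here and by Neutrino in an earlier file of this commit. If the relations are script-generated, the generator should flag a destination that already has a relation from another cluster in the same galaxy instead of emitting it silently.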


@ -139,6 +139,15 @@
"UACMe"
]
},
"related": [
{
"dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
@ -302,6 +311,15 @@
"gsecdump"
]
},
"related": [
{
"dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"value": "gsecdump - S0008"
},
@ -427,6 +445,15 @@
"HUC Packet Transmit Tool"
]
},
"related": [
{
"dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"value": "HTRAN - S0040"
},
@ -751,6 +778,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
@ -772,5 +806,5 @@
"value": "Invoke-PSImage - S0231"
}
],
"version": 5
"version": 6
}


@ -49,6 +49,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "SOUNDBITE"
@ -139,6 +146,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "TEXTMATE"
@ -156,6 +170,15 @@
],
"uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704"
},
"related": [
{
"dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Net Crawler"
},
{
@ -178,6 +201,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "BlackEnergy"
@ -233,6 +263,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Backdoor.Oldrea"
@ -260,6 +297,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "ChChes"
@ -333,6 +377,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Downdelph"
@ -400,6 +451,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Komplex"
@ -485,6 +543,15 @@
],
"uuid": "22addc7b-b39f-483d-979a-1b35147da5de"
},
"related": [
{
"dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "WinMM"
},
{
@ -507,6 +574,15 @@
],
"uuid": "7f8730af-f683-423f-9ee1-5f6875a80481"
},
"related": [
{
"dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Sys10"
},
{
@ -608,6 +684,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "BS2005"
@ -663,6 +746,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "PlugX"
@ -683,6 +773,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "POSHSPY"
@ -696,6 +793,15 @@
],
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039"
},
"related": [
{
"dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Misdat"
},
{
@ -741,6 +847,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "MoonWind"
@ -772,6 +885,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Crimson"
@ -785,6 +905,15 @@
],
"uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38"
},
"related": [
{
"dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Rover"
},
{
@ -807,6 +936,15 @@
],
"uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a"
},
"related": [
{
"dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "PowerDuke"
},
{
@ -880,6 +1018,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "PoisonIvy"
@ -897,6 +1042,15 @@
],
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4"
},
"related": [
{
"dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Carbanak"
},
{
@ -1029,6 +1183,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "XTunnel"
@ -1081,6 +1242,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Sakula"
@ -1125,6 +1293,15 @@
],
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2"
},
"related": [
{
"dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "NETEAGLE"
},
{
@ -1209,6 +1386,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Regin"
@ -1233,6 +1417,15 @@
],
"uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd"
},
"related": [
{
"dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Pteranodon"
},
{
@ -1300,6 +1493,15 @@
],
"uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2"
},
"related": [
{
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Kasidet"
},
{
@ -1341,6 +1543,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "CHOPSTICK"
@ -1365,6 +1574,15 @@
],
"uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80"
},
"related": [
{
"dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "BBSRAT"
},
{
@ -1388,6 +1606,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Elise"
@ -1428,6 +1653,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Uroburos"
@ -1460,6 +1692,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "POWERSOURCE"
@ -1676,6 +1915,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "CORESHELL"
@ -1694,6 +1947,15 @@
],
"uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8"
},
"related": [
{
"dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Remsec"
},
{
@ -1732,6 +1994,15 @@
],
"uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14"
},
"related": [
{
"dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "SeaDuke"
},
{
@ -1785,6 +2056,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "ADVSTORESHELL"
@ -1816,6 +2094,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "NetTraveler"
@ -1836,6 +2121,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Dyre"
@ -1873,6 +2165,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "ComRAT"
@ -1895,6 +2194,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Winnti"
@ -1934,6 +2240,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "RedLeaves"
@ -1947,6 +2260,15 @@
],
"uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841"
},
"related": [
{
"dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "RTM"
},
{
@ -2026,6 +2348,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "EvilGrab"
@ -2176,6 +2505,15 @@
],
"uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d"
},
"related": [
{
"dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "pngdowner"
},
{
@ -2187,6 +2525,15 @@
],
"uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421"
},
"related": [
{
"dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "SslMM"
},
{
@ -2273,6 +2620,15 @@
],
"uuid": "b136d088-a829-432c-ac26-5529c26d4c7e"
},
"related": [
{
"dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "OnionDuke"
},
{
@ -2315,6 +2671,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Derusbi"
@ -2342,6 +2705,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Epic"
@ -2360,6 +2730,15 @@
],
"uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad"
},
"related": [
{
"dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Lurid"
},
{
@ -2443,6 +2822,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "JHUHUGIT"
@ -2459,5 +2852,5 @@
"value": "ELMER"
}
],
"version": 5
"version": 6
}


@ -72,11 +72,25 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"value": "APT28 - G0007"
}
],
"version": 4
"version": 5
}
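Review bot: The two destinations added to `APT28 - G0007` in this hunk, `d26b5518-8d7f-41a6-b539-231e4962853e` and `6bd20349-1231-4aaa-ba2a-f4b09d3b344c`, are the same pair this PR attaches to the malware entries CORESHELL and JHUHUGIT in the preceding file, so one intrusion-set cluster and two tool clusters all declare themselves `"type": "similar"` to the same targets. Unless those two destination clusters are intentionally both actor-level and family-level, either the group edge or the two tool edges conflates operator with tooling, which matters for consumers that pivot across `similar` relations. Please confirm what the two destination uuids denote and drop or re-type the mismatched side; if these edges come from matching names and synonyms against malpedia, a false positive of exactly this shape is what such matching produces.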


@ -20,6 +20,15 @@
"AndroRAT"
]
},
"related": [
{
"dest-uuid": "80447111-8085-40a4-a052-420926091ac6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
"value": "AndroRAT - MOB-S0008"
},
@ -49,6 +58,15 @@
"DualToy"
]
},
"related": [
{
"dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"value": "DualToy - MOB-S0031"
},
@ -161,6 +179,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
@ -301,6 +326,15 @@
"WireLurker"
]
},
"related": [
{
"dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"value": "WireLurker - MOB-S0028"
},
@ -413,6 +447,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
@ -550,6 +591,15 @@
"Charger"
]
},
"related": [
{
"dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
"value": "Charger - MOB-S0039"
},
@ -588,6 +638,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
@ -610,5 +667,5 @@
"value": "XcodeGhost - MOB-S0013"
}
],
"version": 4
"version": 5
}
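Review bot: Within this file the same destination `52acea22-7d88-433c-99e6-8fef1657e3ad` is added to two different clusters (`33d9d91d-aad9-49d5-a516-220ce101ac8a` and `93799a9d-3537-43d8-b6f4-17215de1657c`), and their `value` lines fall outside the hunks, so it cannot be seen here whether they are genuinely one family or a name-match collision. Similarly `0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf` is attached both to cluster `56660521-6db4-4e5a-a927-464f22954b7c` here and to CHOPSTICK in the first file of this PR, which is plausible for a desktop/mobile pair of one family but is still an assumption. Many-to-one mappings are fine when intended; confirming these two pairs (and listing the intentional ones in the PR description) would let the remaining edges be reviewed by exception.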


@ -27,11 +27,25 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"value": "Xbot - MOB-S0014"
}
],
"version": 4
"version": 5
}
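Review bot: Every relation added in this PR, including the two `Xbot - MOB-S0014` edges in this hunk, carries the identical tag `estimative-language:likelihood-probability="likely"`, which reads as a generator default rather than a per-edge assessment; when one cluster points at two distinct destinations (`4cfa42a3-71d9-43e2-bf23-daa79f326387` and `5a78ec38-8b93-4dde-a99e-0c9b77674838` here) at most one is normally a strong match, and the uniform tag hides that. If the edges were produced by matching names and synonyms against malpedia, consider recording the method and its default confidence where consumers will see it (the cluster file's top-level description or at least the PR description) so downstream tooling does not treat `likely` as analyst-assessed. This applies to all the cluster files in the PR; I am raising it once here.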


@ -88,6 +88,15 @@
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
"related": [
{
"dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "UACMe"
},
{
@ -187,6 +196,15 @@
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"related": [
{
"dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "gsecdump"
},
{
@ -319,6 +337,15 @@
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"related": [
{
"dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "HTRAN"
},
{
@ -451,6 +478,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Cobalt Strike"
@ -472,5 +506,5 @@
"value": "Reg"
}
],
"version": 5
"version": 6
}
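Review bot: The new `related` arrays on UACMe, gsecdump, HTRAN and Cobalt Strike reference uuids that live in another galaxy file, and nothing in the PR as rendered shows that each `dest-uuid` was checked to resolve to an existing cluster (the next file's diff is suppressed as too large, so the other end of these edges is not visible). A single mistyped or stale uuid in a bulk-generated batch like this produces a dangling edge that is silent in JSON but breaks graph consumers, so a resolution check over all `dest-uuid` values against the union of cluster `uuid` values would be a cheap guard to run before merging, if the repository does not already have one. Cobalt Strike's destination `1a1d3ea4-972e-4c48-8d85-08d9db8f1550` is also added to a cluster in the RAT file later in this PR, so at least that target is reachable by two routes and is a good first candidate for the check.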



@ -22,20 +22,29 @@
{
"description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage. ",
"meta": {
"refs": [
"https://blog.lookout.com/mobile-threat-jaderat",
"https://www.cfr.org/interactive/cyber-operations/jaderat"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Ethnic minorities in China"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://blog.lookout.com/mobile-threat-jaderat",
"https://www.cfr.org/interactive/cyber-operations/jaderat"
]
},
"related": [
{
"dest-uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
"value": "JadeRAT"
},
@ -95,6 +104,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
@ -177,6 +193,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8a21ae06-d257-48a0-989b-1c9aebedabc2",
@ -288,6 +311,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
@ -343,6 +373,15 @@
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
]
},
"related": [
{
"dest-uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2",
"value": "Bozok"
},
@ -366,6 +405,15 @@
"http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/"
]
},
"related": [
{
"dest-uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c3cf4e88-704b-4d7c-8185-ee780804f3d3",
"value": "CyberGate"
},
@ -425,6 +473,15 @@
"JacksBot"
]
},
"related": [
{
"dest-uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1df62d96-88f8-473c-94a2-252eb360ba62",
"value": "jRAT"
},
@ -436,6 +493,15 @@
"https://leakforums.net/thread-479505"
]
},
"related": [
{
"dest-uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "669a0e4d-9760-49fc-bdf5-0471f84e0c76",
"value": "jSpy"
},
@ -494,6 +560,15 @@
"PredatorPain"
]
},
"related": [
{
"dest-uuid": "31615066-dbff-4134-b467-d97a337b408b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed",
"value": "Predator Pain"
},
@ -583,6 +658,15 @@
"https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/"
]
},
"related": [
{
"dest-uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
"value": "Gh0st RAT"
},
@ -635,6 +719,15 @@
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
]
},
"related": [
{
"dest-uuid": "05252643-093b-4070-b62f-d5836683a9fa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
"value": "Quasar RAT"
},
@ -667,6 +760,15 @@
"https://github.com/shotskeber/Ratty"
]
},
"related": [
{
"dest-uuid": "da032a95-b02a-4af2-b563-69f686653af4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4",
"value": "Ratty"
},
@ -964,6 +1066,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990",
@ -1231,6 +1340,15 @@
"https://www.rekings.com/spynote-v4-android-rat/"
]
},
"related": [
{
"dest-uuid": "31592c69-d540-4617-8253-71ae0c45526c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ea727e26-b3de-44f8-86c5-11a912c7a8aa",
"value": "SpyNote"
},
@ -1530,6 +1648,15 @@
"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
]
},
"related": [
{
"dest-uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8c49da10-2b59-42c4-81e6-75556decdecb",
"value": "Cobian RAT"
},
@ -1693,6 +1820,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
@ -1786,6 +1920,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
@ -1872,6 +2013,15 @@
"meta": {
"date": "2010"
},
"related": [
{
"dest-uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ee73e375-3ac2-4ce0-b24b-74fd82d52864",
"value": "Erebus"
},
@ -2044,6 +2194,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
@ -2075,6 +2232,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
@ -2121,6 +2285,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0",
@ -2231,6 +2402,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5b930a23-7d88-481f-8791-abc7b3dd93d2",
@ -2271,6 +2449,15 @@
"http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html"
]
},
"related": [
{
"dest-uuid": "9fbb5822-1660-4651-9f57-b6f83a881786",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b6ddc2c6-5890-4c60-9b10-4274d1a9cc22",
"value": "GovRAT"
},
@ -2352,6 +2539,15 @@
"https://omnirat.eu/en/"
]
},
"related": [
{
"dest-uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f091dfcb-07f4-4414-849e-c644e7327d94",
"value": "OmniRAT"
},
@ -2512,6 +2708,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3",
@ -2526,6 +2729,15 @@
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html"
]
},
"related": [
{
"dest-uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f647cca0-7416-47e9-8342-94b84dd436cc",
"value": "Remcos"
},
@ -2537,6 +2749,15 @@
"https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/"
]
},
"related": [
{
"dest-uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55",
"value": "Client Maximus"
},
@ -2580,6 +2801,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
@ -2593,6 +2821,15 @@
"http://www.securityweek.com/rurktar-malware-espionage-tool-development"
]
},
"related": [
{
"dest-uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "40bce827-4049-46e4-8323-3ab58f0f00bc",
"value": "Rurktar"
},
@ -2667,6 +2904,15 @@
"https://objective-see.com/blog/blog_0x25.html"
]
},
"related": [
{
"dest-uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b7cea5fe-d3fe-47cf-ba82-104c90e130ff",
"value": "MacSpy"
},
@ -2692,6 +2938,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
@ -2747,6 +3000,15 @@
"https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928"
]
},
"related": [
{
"dest-uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7362581a-a7d1-4060-b225-e227f2df2b60",
"value": "htpRAT"
},
@ -2765,6 +3027,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e0bea149-2def-484f-b658-f782a4f94815",
@ -2839,6 +3108,15 @@
"https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/"
]
},
"related": [
{
"dest-uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cd6527d1-17a7-4825-8b4b-56e113d0efb1",
"value": "ARS VBS Loader"
},
@ -2850,6 +3128,15 @@
"https://labs.bitdefender.com/wp-content/uploads/downloads/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/"
]
},
"related": [
{
"dest-uuid": "271752e3-67ca-48bc-ade2-30eec11defca",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5a3df9d7-82de-445e-a218-406b970600d7",
"value": "RadRAT"
},
@ -2860,6 +3147,15 @@
"https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
]
},
"related": [
{
"dest-uuid": "18419355-fd28-41a6-bffe-2df68a7166c4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",
"value": "FlawedAmmyy"
},
@ -2881,6 +3177,15 @@
"https://blog.talosintelligence.com/2018/05/navrat.html"
]
},
"related": [
{
"dest-uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6ea032a0-d54a-463b-b016-2b7b9b9a5b7e",
"value": "NavRAT"
},
@ -2901,6 +3206,15 @@
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/"
]
},
"related": [
{
"dest-uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b533439d-b060-4c90-80e0-9dce67b0c6fb",
"value": "Sisfader"
},
@ -2926,7 +3240,6 @@
"value": "Hallaj PRO RAT"
},
{
"value": "NukeSped",
"description": "This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don't follow the malicious hacker's commands. \n",
"meta": {
"refs": [
@ -2938,8 +3251,9 @@
"https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
]
},
"uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07"
"uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07",
"value": "NukeSped"
}
],
"version": 18
"version": 19
}


@ -16,6 +16,15 @@
"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
]
},
"related": [
{
"dest-uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a",
"value": "Nocturnal Stealer"
},
@ -44,5 +53,5 @@
"value": "AZORult"
}
],
"version": 2
"version": 3
}


@ -1111,8 +1111,6 @@
"Royal APT"
]
},
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage",
"related": [
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
@ -1121,7 +1119,9 @@
],
"type": "similar"
}
]
],
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage"
},
{
"description": "PLA Navy",
@ -2751,6 +2751,15 @@
"Mythic Leopard"
]
},
"related": [
{
"dest-uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
"value": "Operation C-Major"
},
@ -5073,6 +5082,17 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”",
"meta": {
"capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Iraq",
"United Kingdom",
"Pakistan",
"Israel"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
@ -5084,18 +5104,7 @@
"OilRig",
"Greenbug"
],
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
"cfr-suspected-victims": [
"Iraq",
"United Kingdom",
"Pakistan",
"Israel"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America"
},
"related": [
{
@ -5190,6 +5199,14 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor compromises the networks of companies involved in electric power, specifically looking for intellectual property and information about the companies operations.",
"meta": {
"capabilities": "Encoded binaries in documents, evasion techniques",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
@ -5201,15 +5218,7 @@
"Lazarus",
"Hidden Cobra"
],
"victimology": "Electric Utilities, US",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Electric Utilities, US"
},
"related": [
{
@ -5234,6 +5243,14 @@
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
"meta": {
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"refs": [
"https://dragos.com/adversaries.html",
@ -5245,15 +5262,7 @@
"Dragonfly2",
"Berserker Bear"
],
"victimology": "Turkey, Europe, US",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
"victimology": "Turkey, Europe, US"
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
"value": "DYMALLOY"
@ -5332,6 +5341,26 @@
{
"description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger",
"meta": {
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States",
"Japan",
"Taiwan",
"India",
"Canada",
"China",
"Thailand",
"Israel",
"Australia",
"Republic of Korea",
"Russia",
"Iran"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
"https://www.secureworks.com/research/bronze-union",
@ -5347,26 +5376,6 @@
"Bronze Union",
"ZipToken",
"Iron Tiger"
],
"cfr-suspected-victims": [
"United States",
"Japan",
"Taiwan",
"India",
"Canada",
"China",
"Thailand",
"Israel",
"Australia",
"Republic of Korea",
"Russia",
"Iran"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
},
"related": [
@ -5398,24 +5407,24 @@
{
"description": "The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
"meta": {
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Singapore",
"Cambodia"
],
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
"https://www.cfr.org/interactive/cyber-operations/rancor"
],
"synonyms": [
"Rancor group"
],
"cfr-suspected-victims": [
"Singapore",
"Cambodia"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"country": "CN"
]
},
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
"value": "RANCOR"
@ -5473,8 +5482,6 @@
"value": "RedAlpha"
},
{
"value": "APT-C-35",
"uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
"description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organizations new attack activity, confirmed and exposed the gangs targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
"meta": {
"refs": [
@ -5483,36 +5490,34 @@
"synonyms": [
"DoNot Team"
]
}
},
"uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0",
"value": "APT-C-35"
},
{
"value": "TempTick",
"description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/temptick"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"South Korea",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-target-category": [
"Government",
"Private sector"
],
"country": "CN"
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/temptick"
]
},
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762"
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762",
"value": "TempTick"
},
{
"value": "Operation Parliament",
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Palestine",
"United Arab Emirates",
@ -5542,22 +5547,23 @@
"Oman",
"Denmark"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
]
},
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d"
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d",
"value": "Operation Parliament"
},
{
"value": "Inception Framework",
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"South Africa",
"Malaysia",
@ -5565,22 +5571,22 @@
"Suriname",
"United Kingdom"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework"
]
},
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca"
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
"value": "Inception Framework"
},
{
"value": "Winnti Umbrella",
"description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"South Korea",
@ -5588,14 +5594,15 @@
"China",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
]
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
@ -5618,26 +5625,26 @@
],
"type": "similar"
}
]
],
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"value": "Winnti Umbrella"
},
{
"value": "HenBox",
"description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/henbox"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Uighurs"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/henbox"
]
},
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"related": [
{
"dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
@ -5646,53 +5653,52 @@
],
"type": "similar"
}
]
],
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"value": "HenBox"
},
{
"value": "Mustang Panda",
"description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mustang-panda"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mustang-panda"
]
},
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339"
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
"value": "Mustang Panda"
},
{
"value": "Thrip",
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
},
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc"
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
"value": "Thrip"
},
{
"value": " Stealth Mango and Tangelo ",
"description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-suspected-victims": [
"Pakistan",
"Iraq",
@ -5703,28 +5709,30 @@
"India",
"United States"
],
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
],
"country": "PK"
"cfr-type-of-incident": "Espionage",
"country": "PK",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
]
},
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c"
"uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",
"value": " Stealth Mango and Tangelo "
},
{
"value": "PowerPool",
"description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/"
]
},
"uuid": "abd89986-b1b0-11e8-b857-efe290264006"
"uuid": "abd89986-b1b0-11e8-b857-efe290264006",
"value": "PowerPool"
},
{
"value": "Bahamut",
"description": "Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.",
"meta": {
"refs": [
@ -5732,10 +5740,10 @@
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
]
},
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7"
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
"value": "Bahamut"
},
{
"value": "Iron Group",
"description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.",
"meta": {
"refs": [
@ -5745,40 +5753,35 @@
"Iron Cyber Group"
]
},
"uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
"uuid": "6a0ea861-229a-45a6-98f5-228f69b43905",
"value": "Iron Group"
},
{
"value": "Operation BugDrop",
"description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Ukraine",
"Austria",
"Russia",
"Saudi Arabia"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
]
},
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1"
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
"value": "Operation BugDrop"
},
{
"value": "Red October",
"description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Belgium",
@ -5796,15 +5799,19 @@
"Vietnam",
"Italy"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
]
},
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"related": [
{
"dest-uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
@ -5813,15 +5820,14 @@
],
"type": "same-as"
}
]
],
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October"
},
{
"value": "Cloud Atlas",
"description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"India",
@ -5829,14 +5835,15 @@
"Czech Republic",
"Belarus"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government"
],
"country": "RU"
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
]
},
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"related": [
{
"dest-uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
@ -5845,33 +5852,34 @@
],
"type": "same-as"
}
]
],
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas"
},
{
"value": "Unnamed Actor",
"description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
],
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"China",
"Myanmar",
"Hong Kong",
"Taiwan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Civil society",
"Government"
],
"country": "CN"
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
]
},
"uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
"uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e",
"value": "Unnamed Actor"
},
{
"value": "COBALT DICKENS",
"description": "”A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.”",
"meta": {
"refs": [
@ -5882,10 +5890,10 @@
"Cobalt Dickens"
]
},
"uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
"uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a",
"value": "COBALT DICKENS"
},
{
"value": "MageCart",
"description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.",
"meta": {
"refs": [
@ -5893,22 +5901,21 @@
"https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/"
]
},
"uuid": "0768fd50-c547-11e8-9aa5-776183769eab"
"uuid": "0768fd50-c547-11e8-9aa5-776183769eab",
"value": "MageCart"
},
{
"value": "Domestic Kitten",
"description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
]
},
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
"value": "Domestic Kitten"
},
{
"value": "FASTCash",
"description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
"uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"related": [
{
"dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
@ -5917,8 +5924,10 @@
],
"type": "similar"
}
]
],
"uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"value": "FASTCash"
}
],
"version": 69
"version": 70
}



@ -1,9 +1,9 @@
{
"description": "Android malware galaxy based on multiple open sources.",
"type": "android",
"version": 3,
"name": "Android",
"icon": "android",
"name": "Android",
"namespace": "misp",
"type": "android",
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"description": "Malware Backdoor galaxy.",
"type": "backdoor",
"version": 1,
"name": "Backdoor",
"icon": "door-open",
"name": "Backdoor",
"namespace": "misp",
"type": "backdoor",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"namespace": "misp"
"version": 1
}


@ -1,9 +1,9 @@
{
"description": "Banking malware galaxy.",
"type": "banker",
"version": 3,
"name": "Banker",
"icon": "usd",
"name": "Banker",
"namespace": "misp",
"type": "banker",
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"description": "Botnet galaxy.",
"type": "botnet",
"version": 2,
"name": "Botnet",
"icon": "sitemap",
"name": "Botnet",
"namespace": "misp",
"type": "botnet",
"uuid": "90ccdf38-1649-11e8-b8bf-e7326d553087",
"namespace": "misp"
"version": 2
}


@ -1,9 +1,9 @@
{
"description": "List of known vulnerabilities and exploits",
"type": "branded-vulnerability",
"version": 2,
"name": "Branded Vulnerability",
"icon": "bug",
"name": "Branded Vulnerability",
"namespace": "misp",
"type": "branded-vulnerability",
"uuid": "fda8c7c2-f45a-11e7-9713-e75dac0492df",
"namespace": "misp"
"version": 2
}


@ -1,9 +1,9 @@
{
"type": "cert-eu-govsector",
"name": "Cert EU GovSector",
"description": "Cert EU GovSector",
"version": 2,
"icon": "globe",
"name": "Cert EU GovSector",
"namespace": "misp",
"type": "cert-eu-govsector",
"uuid": "68858a48-b898-11e7-91ce-bf424ef9b662",
"namespace": "misp"
"version": 2
}


@ -1,9 +1,9 @@
{
"type": "exploit-kit",
"name": "Exploit-Kit",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"version": 4,
"icon": "internet-explorer",
"name": "Exploit-Kit",
"namespace": "misp",
"type": "exploit-kit",
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01",
"namespace": "misp"
"version": 4
}


@ -1,9 +1,9 @@
{
"description": "Malware galaxy based on Malpedia archive.",
"type": "malpedia",
"version": 1,
"name": "Malpedia",
"icon": "shield",
"name": "Malpedia",
"namespace": "misp",
"type": "malpedia",
"uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a",
"namespace": "misp"
"version": 1
}


@ -1,9 +1,9 @@
{
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"description": "Activity groups as described by Microsoft",
"version": 3,
"icon": "user-secret",
"name": "Microsoft Activity Group actor",
"namespace": "misp",
"type": "microsoft-activity-group",
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"description": "ATT&CK Tactic",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 5,
"type": "mitre-attack-pattern",
"name": "Attack Pattern",
"icon": "map",
"namespace": "deprecated"
"name": "Attack Pattern",
"namespace": "deprecated",
"type": "mitre-attack-pattern",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 5
}


@ -1,9 +1,9 @@
{
"version": 6,
"description": "ATT&CK Mitigation",
"icon": "chain",
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"namespace": "deprecated",
"type": "mitre-course-of-action",
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"namespace": "deprecated"
"version": 6
}

View File

@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Attack Pattern",
"type": "mitre-enterprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-attack-pattern",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Course of Action",
"type": "mitre-enterprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 4,
"icon": "chain",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Course of Action",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-course-of-action",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Enterprise Attack -Intrusion Set",
"type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Enterprise Attack -Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-intrusion-set",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Malware",
"type": "mitre-enterprise-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 4,
"icon": "optin-monster",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Malware",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-malware",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Relationship",
"type": "mitre-enterprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 4,
"icon": "link",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Enterprise Attack - Tool",
"type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 4,
"icon": "gavel",
"namespace": "mitre-attack"
"name": "Enterprise Attack - Tool",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-tool",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 4
}


@ -1,9 +1,9 @@
{
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"description": "Name of ATT&CK Group",
"version": 7,
"icon": "user-secret",
"type": "mitre-intrusion-set",
"name": "Intrusion Set",
"namespace": "deprecated"
"namespace": "deprecated",
"type": "mitre-intrusion-set",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"version": 7
}


@ -1,9 +1,9 @@
{
"type": "mitre-malware",
"version": 5,
"name": "Malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"icon": "optin-monster",
"description": "Name of ATT&CK software",
"namespace": "deprecated"
"icon": "optin-monster",
"name": "Malware",
"namespace": "deprecated",
"type": "mitre-malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"version": 5
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Mobile Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-attack-pattern",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 4,
"icon": "chain",
"namespace": "mitre-attack"
"name": "Mobile Attack - Course of Action",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-course-of-action",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Mobile Attack - Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-intrusion-set",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 4,
"icon": "optin-monster",
"namespace": "mitre-attack"
"name": "Mobile Attack - Malware",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-malware",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Relationship",
"type": "mitre-mobile-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 4,
"icon": "link",
"namespace": "mitre-attack"
"name": "Mobile Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 4,
"icon": "gavel",
"namespace": "mitre-attack"
"name": "Mobile Attack - Tool",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-tool",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Pre Attack - Attack Pattern",
"type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 4,
"icon": "map",
"namespace": "mitre-attack"
"name": "Pre Attack - Attack Pattern",
"namespace": "mitre-attack",
"type": "mitre-pre-attack-attack-pattern",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Pre Attack - Intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 4,
"icon": "user-secret",
"namespace": "mitre-attack"
"name": "Pre Attack - Intrusion Set",
"namespace": "mitre-attack",
"type": "mitre-pre-attack-intrusion-set",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 4
}


@ -1,9 +1,9 @@
{
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"description": "Mitre Relationship",
"version": 5,
"icon": "link",
"type": "mitre-pre-attack-relationship",
"name": "Pre Attack - Relationship",
"namespace": "mitre-attack"
"namespace": "mitre-attack",
"type": "mitre-pre-attack-relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 5
}


@ -1,9 +1,9 @@
{
"name": "Tool",
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"icon": "gavel",
"version": 5,
"name": "Tool",
"namespace": "deprecated",
"type": "mitre-tool",
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"namespace": "deprecated"
"version": 5
}


@ -1,9 +1,9 @@
{
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 3,
"icon": "shield",
"name": "Preventive Measure",
"namespace": "misp",
"type": "preventive-measure",
"uuid": "8168995b-adcd-4684-9e37-206c5771505a",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"type": "ransomware",
"version": 4,
"name": "Ransomware",
"icon": "btc",
"name": "Ransomware",
"namespace": "misp",
"type": "ransomware",
"uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078",
"namespace": "misp"
"version": 4
}


@ -1,9 +1,9 @@
{
"type": "rat",
"name": "RAT",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"version": 3,
"icon": "eye",
"name": "RAT",
"namespace": "misp",
"type": "rat",
"uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"type": "sector",
"name": "Sector",
"description": "Activity sectors",
"version": 2,
"icon": "industry",
"name": "Sector",
"namespace": "misp",
"type": "sector",
"uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439",
"namespace": "misp"
"version": 2
}


@ -1,9 +1,9 @@
{
"description": "Malware stealer galaxy.",
"type": "stealer",
"version": 1,
"name": "Stealer",
"icon": "key",
"name": "Stealer",
"namespace": "misp",
"type": "stealer",
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"namespace": "misp"
"version": 1
}


@ -1,9 +1,9 @@
{
"type": "tds",
"name": "TDS",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"version": 4,
"icon": "cart-arrow-down",
"name": "TDS",
"namespace": "misp",
"type": "tds",
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01",
"namespace": "misp"
"version": 4
}


@ -1,9 +1,9 @@
{
"name": "Threat Actor",
"type": "threat-actor",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
"version": 3,
"icon": "user-secret",
"name": "Threat Actor",
"namespace": "misp",
"type": "threat-actor",
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
"namespace": "misp"
"version": 3
}


@ -1,9 +1,9 @@
{
"type": "tool",
"name": "Tool",
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"version": 3,
"icon": "optin-monster",
"name": "Tool",
"namespace": "misp",
"type": "tool",
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b",
"namespace": "misp"
"version": 3
}


@ -6,6 +6,7 @@
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
@ -16,14 +17,15 @@ set -x
for dir in clusters/*.json
do
python3 tools/add_missing_uuid.py -f ${dir}
# Beautify it
cat ${dir} | jq . | sponge ${dir}
cat ${dir} | jq --sort-keys . | sponge ${dir}
done
for dir in galaxies/*.json
do
# Beautify it
cat ${dir} | jq . | sponge ${dir}
cat ${dir} | jq --sort-keys . | sponge ${dir}
done
cat schema_clusters.json | jq . | sponge schema_clusters.json
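Review bot: The two new `jq --sort-keys` beautify pipelines only report sponge's exit status, so when jq rejects a file (for instance one just rewritten by tools/add_missing_uuid.py) sponge still replaces it with jq's empty output and the loop carries on; the validation loop above checks `rc`, these lines do not. Going through a temporary file, `jq --sort-keys . "${dir}" > "${dir}.tmp" && mv "${dir}.tmp" "${dir}" || exit 1`, replaces a cluster only after jq has succeeded, and the quotes also protect paths containing whitespace (the unquoted `${dir}` in the validation loop has the same weakness). The commented-out python3 one-liner added in the validation loop duplicates what tools/add_missing_uuid.py now does and reads as dead text; either drop it or add a comment saying why it is kept. The hunk header's line counts suggest a few lines after the schema_clusters.json line are not shown here.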

9
tools/add_missing_uuid.py Normal file → Executable file

@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import json
@ -9,13 +9,16 @@ parser = argparse.ArgumentParser(description='Add missing uuids in clusters')
parser.add_argument("-f", "--filename", required=True, help="name of the cluster")
args = parser.parse_args()
if 'mitre-' in args.filename:
exit()
with open(args.filename) as json_file:
data = json.load(json_file)
json_file.close()
for value in data['values']:
if 'uuid' not in value:
if not value.get('uuid'):
value['uuid'] = str(uuid.uuid4())
with open(args.filename, 'w') as json_file:
json.dump(data, json_file, indent=4)
json.dump(data, json_file, indent=2, sort_keys=True, ensure_ascii=False)
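Review bot: With `ensure_ascii=False` on the new json.dump line, non-ASCII characters such as the em dash and curly quotes present in cluster descriptions elsewhere in this commit are now written raw, but `open(args.filename, 'w')` still uses the locale's default encoding, so under a C/POSIX locale (common in CI or cron) the dump can raise UnicodeEncodeError after mode 'w' has already truncated the file. Pass the encoding explicitly on both sides: `with open(args.filename, encoding='utf-8') as json_file:` and `with open(args.filename, 'w', encoding='utf-8') as json_file:`. Since the file is rewritten in place, any exception during the dump leaves an empty or partial cluster; serialising to a string first and writing it in one call, or writing to a temporary file and renaming, would keep the original intact on failure. The `json_file.close()` inside the `with` block is redundant and can be removed.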


@ -54,7 +54,8 @@ type_mapping = {
# 'mitre-mobile-attack-course-of-action': '',
'mitre-pre-attack-intrusion-set': 'actor',
# 'mitre-enterprise-attack-relationship': '',
'tds': 'tool'
'tds': 'tool',
'malpedia': 'tool'
}
@ -103,6 +104,7 @@ if __name__ == '__main__':
# ignore the galaxies that are not relevant for us
if galaxy not in type_mapping:
print("Ignoring galaxy '{}' as it is not in the mapping.".format(galaxy))
continue
# process the entries in each cluster