From 3838efb0bbaadf87076852ce2e7ec45e8bdcbc9e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 26 Jun 2018 09:26:32 +0200
Subject: [PATCH 1/3] some updates
---
 clusters/botnet.json | 14 +++++++++++++-
 clusters/ransomware.json | 6 ++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index b763c40..7bf90bd 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2,7 +2,7 @@
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
 "source": "MISP Project",
- "version": 5,
+ "version": 6,
 "values": [
 {
 "meta": {
@@ -617,6 +617,18 @@
 "description": "The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding",
 "value": "Pontoeb",
 "uuid": "bc60de19-27a5-4df8-a835-70781b923125"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
+ ],
+ "synonyms": [
+ "Trik Trojan"
+ ]
+ },
+ "value": "Trik Spam Botnet",
+ "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
 }
 ],
 "authors": [
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d7ccf5e..39a82cf 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -7966,7 +7966,8 @@
 "samsam.exe",
 "MIKOPONI.exe",
 "RikiRafael.exe",
- "showmehowto.exe"
+ "showmehowto.exe",
+ "SamSam Ransomware"
 ],
 "extensions": [
 ".encryptedAES",
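Review bot: The new `Trik Spam Botnet` entry in the `@@ -617` hunk carries `refs` and `synonyms` but no `description`, while the neighbouring Pontoeb entry has one; an analyst pivoting on this cluster gets only a name and a URL. A one-line description taken from the cited article would do, e.g. `"description": "Spam botnet reported to have leaked a list of roughly 43 million email addresses"` — wording to be confirmed against the reference, since only the URL slug is visible here. The `values` array is not closed inside this hunk, so the entry's position as the last element is inferred from the context lines.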
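Review bot: The two ransomware.json hunks (this `@@ -7966` hunk and the `@@ -8014` hunk that follows) change SamSam's meta without incrementing the file's `version`, whereas the same patch bumps botnet.json from 5 to 6; the diffstat (`6 ++++--`) confirms no version line is touched. Consumers that compare the galaxy `version` to decide whether to re-import will presumably miss the new synonym and reference, so the file's version field should be bumped alongside these edits. The key of the array receiving `"SamSam Ransomware"` lies outside the hunk, so I cannot confirm that a product name belongs next to what otherwise look like executable names; if the array is `synonyms` that is fine, otherwise it should move.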
@@ -8014,7 +8015,8 @@
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
 "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
- "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
+ "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/"
 ]
 },
 "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d"
From 1cd6bddf0c1ab9376192ec86c6f84fded5042117 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 26 Jun 2018 09:40:13 +0200
Subject: [PATCH 2/3] Add CFR.org metadata into the galaxy - Test
---
 clusters/threat-actor.json | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0d8182a..ef66a01 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2711,6 +2711,36 @@
 ]
 },
 "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"
+ },
+ {
+ "value": "Iron Tiger",
+ "description": "This threat actor targets governments as well as technology, education, and telecommunications companies primarily in Asia and the United States, for the purpose of espionage.",
+ "meta": {
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
+ ],
+ "suspected victims": [
+ "United States",
+ "Japan",
+ "Taiwan",
+ "India",
+ "Canada",
+ "China",
+ "Thailand",
+ "Israel",
+ "Australia",
+ "Republic of Korea",
+ "Russia",
+ "Iran"
+ ],
+ "suspected state sponsor": "Unknown",
+ "type of incident": "Espionage",
+ "target category": [
+ "Government",
+ "Private sector"
+ ]
+ },
+ "uuid": "8e8e4ed8-7912-11e8-80be-671b4b5e7f92"
 }
 ],
 "name": "Threat actor",
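Review bot: The context line directly above the insertion in the `@@ -2711` hunk carries `"uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"`, which has a trailing `s` and 37 characters, so it is not a valid UUID; this commit does not touch it and the same line reappears as context in the last patch of the series, so it will survive the merge. Tools that index or deduplicate clusters by uuid will handle that value unpredictably, so it is worth dropping the stray character in this series, e.g. `"uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3"` if that is the intended value. The new entry's own uuid `8e8e4ed8-7912-11e8-80be-671b4b5e7f92` is well-formed.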
@@ -2725,5 +2755,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 43
+ "version": 44
 }
From 6f9e6399815bf967111f3fbca1886053d90c0d9f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 26 Jun 2018 10:07:14 +0200
Subject: [PATCH 3/3] add cfr prefix for cfr data - test
---
 clusters/threat-actor.json | 53 ++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 31 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ef66a01..d5738ea 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -452,7 +452,28 @@
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
 "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
- "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/"
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
+ "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Japan",
+ "Taiwan",
+ "India",
+ "Canada",
+ "China",
+ "Thailand",
+ "Israel",
+ "Australia",
+ "Republic of Korea",
+ "Russia",
+ "Iran"
+ ],
+ "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
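Review bot: `"cfr-suspected-state-sponsor": "Unknown"` in the `@@ -452` hunk puts a sentinel string into a field whose other values are presumably country names, on an entry whose own description two lines below calls it a China-based actor, and nothing in the patch documents that `Unknown` is an allowed value or that the `cfr-*` keys reproduce CFR's assessment rather than the galaxy's. A consumer grouping actors by sponsor will get an `Unknown` bucket without knowing it is deliberate. Either document the new `cfr-*` keys (their closed vocabularies and the `Unknown` sentinel) wherever the cluster's meta keys are described, or omit the key when CFR lists no sponsor. The object this hunk edits starts before the hunk, so its `value` is not visible; the secureworks and bitdefender refs suggest it is the existing TG-3390 / Iron Tiger entry.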
@@ -2711,36 +2732,6 @@
 ]
 },
 "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"
- },
- {
- "value": "Iron Tiger",
- "description": "This threat actor targets governments as well as technology, education, and telecommunications companies primarily in Asia and the United States, for the purpose of espionage.",
- "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
- ],
- "suspected victims": [
- "United States",
- "Japan",
- "Taiwan",
- "India",
- "Canada",
- "China",
- "Thailand",
- "Israel",
- "Australia",
- "Republic of Korea",
- "Russia",
- "Iran"
- ],
- "suspected state sponsor": "Unknown",
- "type of incident": "Espionage",
- "target category": [
- "Government",
- "Private sector"
- ]
- },
- "uuid": "8e8e4ed8-7912-11e8-80be-671b4b5e7f92"
 }
 ],
 "name": "Threat actor",