From afe682cf3f53ccd79753fe5af2c0ad0bd2c3f9b8 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 16:52:59 +0100
Subject: [PATCH 01/19] Remove duplicate AlienSpy
---
 clusters/tool.json | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9562a70..f81668a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -439,10 +439,6 @@
 "value": "Dark Comet",
 "description": "RAT initialy identified in 2011 and still actively used."
 },
- {
- "value": "AlienSpy",
- "description": "RAT for Apple OS X platforms"
- },
 {
 "value": "Cadelspy",
 "meta": {
From 93df12be35d13e560934988c5238db596c81c561 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 17:06:19 +0100
Subject: [PATCH 02/19] update apt28 tools
---
 clusters/tool.json | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index f81668a..7ae92a6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -514,32 +514,38 @@
 },
 {
 "value": "CHOPSTICK",
- "description": "backdoor",
+ "description": "backdoor used by apt28 ",
 "meta": {
 "synonyms": [
- "Xagent",
 "webhp",
 "SPLM",
 "(.v2 fysbis)"
 ],
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ],
+ "possible_issues": "Report tells that is could be Xagent alias (Java Rat)",
+ "type": [
+ "Backdoor"
 ]
 }
 },
 {
 "value": "EVILTOSS",
- "description": "backdoor",
+ "description": "backdoor used by apt28",
 "meta": {
 "synonyms": [
 "Sedreco",
 "AZZY",
- "Xagent",
 "ADVSTORESHELL",
 "NETUI"
 ],
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ],
+ "possible_issues": "Report tells that is could be Xagent alias (Java Rat)",
+ "type": [
+ "Backdoor"
 ]
 }
 },
From 7d62d8c3e7fd3b391873ba6545d4af2febb35053 Mon Sep 17 00:00:00 2001
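Review bot: The new CHOPSTICK description `"description": "backdoor used by apt28 ",` carries a trailing space that the matching EVILTOSS line does not; these strings are displayed and compared verbatim by galaxy consumers, so it should be `"description": "backdoor used by apt28",`. The `possible_issues` text added to both entries reads "Report tells that is could be Xagent alias" — presumably "that it could be" — and the sentence is duplicated, so correct both copies. I cannot tell from the hunk whether `possible_issues` is a key the cluster schema accepts; if it is not, the remark belongs in `description` or the commit message rather than in a new meta field.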
From: Thanat0s
Date: Sun, 26 Feb 2017 17:08:43 +0100
Subject: [PATCH 03/19] cleanup zeus duplicate in alias and name
---
 clusters/tool.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 7ae92a6..032d723 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1387,8 +1387,7 @@
 "meta": {
 "synonyms": [
 "Trojan.Zbot",
- "Zbot",
- "ZeuS"
+ "Zbot"
 ],
 "refs": [
 "https://en.wikipedia.org/wiki/Zeus_(malware)",
From 8de827977ce93217b4c118245330a5e49349f057 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 19:21:41 +0100
Subject: [PATCH 04/19] Pimp nettraveler
---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 032d723..bc3daf2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -355,7 +355,20 @@
 }
 },
 {
- "value": "NetTraveler"
+ "value": "NetTraveler",
+ "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.",
+ "meta": {
+ "synonyms": [
+ "TravNet",
+ "Netfile"
+ ],
+ "refs": [
+ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "Winnti"
From 0775bfce6298c3558741ebd5105b4fbc66327996 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 19:26:21 +0100
Subject: [PATCH 05/19] pimp winnti
---
 clusters/tool.json | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index bc3daf2..56e6d54 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
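Review bot: The NetTraveler description added in the `@@ -355` hunk opens with `APT that infected hundreds of high profile victims`, but this is the tool cluster and the entry is typed `Backdoor`, so the text describes the actor and campaign where the reader expects the malware. Rewording the opening to `"description": "Backdoor used in the NetTraveler espionage campaign, which infected hundreds of high-profile victims in more than 40 countries. Known targets ..."` keeps the rest of the sentence intact. The same actor-for-tool phrasing recurs in the Winnti and Pirpi descriptions added by patches 05 and 07.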
@@ -356,7 +356,7 @@
 },
 {
 "value": "NetTraveler",
- "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.",
+ "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.",
 "meta": {
 "synonyms": [
 "TravNet",
@@ -371,7 +371,21 @@
 }
 },
 {
- "value": "Winnti"
+ "value": "Winnti",
+ "description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.",
+ "meta": {
+ "synonyms": [
+ "Etso",
+ "SUQ",
+ "Agent.ALQHI"
+ ],
+ "refs": [
+ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "Mimikatz",
From 6e78746a6cb030003e3caebfa7a53438045fd450 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 19:37:10 +0100
Subject: [PATCH 06/19] pimp webc2
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 56e6d54..b4a9d1c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
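Review bot: The only reference added for Winnti in the `@@ -371` hunk is the securelist NetTraveler article (`.../57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/`), carried over from the entry above; it does not cover Winnti, while the description cites Novetta's Operation SMN analysis and Kaspersky's 2013 reporting without linking either. Replace it with the source actually summarised, using `"<URL of the Novetta Operation SMN Winnti report>"` as a placeholder until the real link is in hand. The text `APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware.` is a spliced sentence; `"description": "Backdoor family analysed by Novetta as part of Operation SMN. Samples compiled from mid- to late 2014 exhibited minimal functional changes over the previous generations Kaspersky reported in 2013."` says the same in plain form.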
@@ -403,7 +403,17 @@
 }
 },
 {
- "value": "WEBC2"
+ "value": "WEBC2",
+ "description": "Backdoor attribued to APT1",
+ "meta": {
+ "refs": [
+ "https://github.com/gnaegle/cse4990-practical3",
+ "https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "Pirpi",
From ca68abc0e816c38e976d41bdd3bbf923cd97e9ef Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 19:56:17 +0100
Subject: [PATCH 07/19] Pimp Pirpi. Hard to say:)
---
 clusters/tool.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index b4a9d1c..cc6af7f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -417,9 +417,17 @@
 },
 {
 "value": "Pirpi",
+ "description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.",
 "meta": {
+ "synonyms": [
+ "Badey",
+ "EXL"
+ ],
 "refs": [
 "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From cdc80e5596218bec148009f3ff6de91310e24bcc Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 20:02:34 +0100
Subject: [PATCH 08/19] Pimp RarStone
---
 clusters/tool.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index cc6af7f..ea337c4 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
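Review bot: `"description": "Backdoor attribued to APT1",` misspells "attributed"; it should be `"description": "Backdoor attributed to APT1",`. Of the two refs, `https://github.com/gnaegle/cse4990-practical3` appears to be a university coursework repository rather than analysis of the malware; a threat-intel cluster should cite primary reporting, so I would drop it or replace it with the vendor report that documented WEBC2, which the hunk does not name. That leaves the securestate blog post as the only ref, so a second primary source is worth adding.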
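Review bot: The Pirpi description in the `@@ -417` hunk is about the Buckeye group (`Symantec has observed Buckeye activity dating back to 2009 ...`); only its second sentence mentions the tool. For a tool.json entry lead with the malware, e.g. `"description": "Remote access Trojan (Backdoor.Pirpi) used by the Buckeye group, delivered through malicious attachments or links in spear-phishing emails; Symantec observed it in attacks against a US organization's network in 2009."`. The new synonyms `Badey` and `EXL` are not supported by the cited Symantec post as far as the hunk shows, so a reference that names them would let readers verify the aliases; the commit message ("Hard to say") suggests the author shares that doubt.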
@@ -432,7 +432,16 @@
 }
 },
 {
- "value": "RARSTONE"
+ "value": "RARSTONE",
+ "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "BACKSPACe"
From 0d0ba42f1506d2c7b576220e309f4aa8ec6bee10 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 20:16:46 +0100
Subject: [PATCH 09/19] Pimp lecna/Backspace
---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index ea337c4..86fc948 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -444,7 +444,20 @@
 }
 },
 {
- "value": "BACKSPACe"
+ "value": "BACKSPACe",
+ "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).",
+ "meta": {
+ "synonyms": [
+ "Lecna"
+ ],
+ "refs": [
+ "https://www2.fireeye.com/WEB-2015RPTAPT30.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "XSControl"
From 51eee31c216a64a237fd3c7c6a9ac865893126cc Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 20:16:59 +0100
Subject: [PATCH 10/19] Pimp lecna/Backspace
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 86fc948..60ab344 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
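Review bot: The RARSTONE description in the `@@ -432` hunk contains `the other RAT know as Plug is`, where `Plug is` looks like a garbled `PlugX` and `know` should be `known`; it also calls RARSTONE a `Remote Access Tool` where the rest of the file says Trojan, and `used in April` gives no year. Suggested text: `"description": "RARSTONE is a Remote Access Trojan (RAT) discovered in early 2013 by TrendMicro. It is characterized by a strong affinity with the RAT known as PlugX and was used in April 2013 in phishing campaigns that followed the Boston Marathon attack."` — confirm the PlugX reading and the year against the cited TrendMicro post before committing it. The `type` array matches the other entries.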
@@ -444,7 +444,7 @@
 }
 },
 {
- "value": "BACKSPACe",
+ "value": "Backspace",
 "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).",
 "meta": {
 "synonyms": [
From b400edbe9bad5514ebd641353d01d6e3c9d477a8 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 20:40:44 +0100
Subject: [PATCH 11/19] Update Xagent from aptnote Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web(02-23-2017)
---
 clusters/tool.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 60ab344..72f1a37 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1126,12 +1126,17 @@
 },
 {
 "value": "X-Agent",
+ "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.",
 "meta": {
 "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
+ "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq"
 ],
 "synonyms": [
 "XAgent"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From f4584f39005c176a1f1c06846903b3c1f6e3519c Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 22:41:51 +0100
Subject: [PATCH 12/19] pimp xscontrol
---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 72f1a37..3025a76 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
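Review bot: The second reference added to X-Agent, `https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq`, is an opaque file-sharing link; the commit subject says the source is Bitdefender's APT-Mac whitepaper, so cite that document by title and publisher URL, since a box.com share can disappear and tells the reader nothing about what it is. The description writes `Osx`; the platform name is `OS X`, so `available for OS X, Windows, Linux and iOS operating systems`. Patch 02 records in CHOPSTICK and EVILTOSS that Xagent may be an alias of each of them, but this entry carries no corresponding note, so the suspected relationship is recorded in one direction only.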
@@ -460,7 +460,17 @@
 }
 },
 {
- "value": "XSControl"
+ "value": "XSControl",
+ "description": "Backdoor user by he Naikon APT group",
+ "meta": {
+ "refs": [
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
+ "https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "NETEAGLE"
@@ -628,6 +638,9 @@
 ],
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From b865342f2e3c8bc0f2726f8e670c96245617e5e6 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 22:47:16 +0100
Subject: [PATCH 13/19] pimp xneteagle
---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 3025a76..46a361b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -473,7 +473,21 @@
 }
 },
 {
- "value": "NETEAGLE"
+ "value": "Neteagle",
+ "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/wiki/Software/S0034",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [
+ "scout",
+ "norton"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
 },
 {
 "value": "Agent.BTZ",
From 2d658a657779df6087ab92e61091614f5d894b22 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 22:53:51 +0100
Subject: [PATCH 14/19] pimp comrat
---
 clusters/tool.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 46a361b..645896e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
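Review bot: `"description": "Backdoor user by he Naikon APT group",` contains two typos and should read `"description": "Backdoor used by the Naikon APT group",`. The second hunk of this patch (`@@ -628`) adds a `type` array to an entry whose `value` lies outside the hunk, so the diff does not show which tool is being classified; naming it in the commit message would help review.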
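Review bot: The `value` is changed from `NETEAGLE` to `Neteagle` in the same hunk that adds the description, while the description and the MITRE reference keep `NETEAGLE`; if galaxy values are used as tag names, as I believe they are, any existing tag with the old spelling stops resolving. Either keep `"value": "NETEAGLE",` or add the old form to the synonyms. The synonyms `scout` and `norton` are lower-cased unlike every other synonym in the file (`Tavdig`, `Epic Turla`, `Lecna`) and unlike the description's own `Scout` and `Norton`, so use that casing.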
@@ -491,9 +491,16 @@
 },
 {
 "value": "Agent.BTZ",
+ "description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.",
 "meta": {
 "synonyms": [
 "ComRat"
+ ],
+ "refs": [
+ "https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From 3774f0523730214c3a35b681e2ba6a3248317f51 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 23:07:42 +0100
Subject: [PATCH 15/19] Somes alias fetch from : https://attack.mitre.org/wiki/Groups
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3197fee..c7d03b7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9,7 +9,8 @@
 "Advanced Persistent Threat 1",
 "Byzantine Candor",
 "Group 3",
- "TG-8223"
+ "TG-8223",
+ "Comment Group"
 ],
 "country": "CN",
 "refs": [
@@ -670,7 +671,9 @@
 "synonyms": [
 "Operation Cleaver",
 "Tarh Andishan",
- "Alibaba"
+ "Alibaba",
+ "2889",
+ "TG-2889"
 ],
 "refs": [
 "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
@@ -1100,6 +1103,10 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "TG-3390",
+ "Emissary Panda"
+ ],
 "refs": [
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
 "https://attack.mitre.org"
From f1ea577e9559ef4039741816573a32b3f0cbfd1f Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 23:24:51 +0100
Subject: [PATCH 16/19] pimp and agreggate turla
---
 clusters/tool.json | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 645896e..1a1513d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
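Review bot: The Agent.BTZ description is the opening of the G DATA blog post (`In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT ...`) and describes the article rather than the malware; the "We explained" in its second sentence is G DATA speaking, which reads oddly in a cluster entry. A statement of what the entry is, e.g. `"description": "Backdoor whose successor ComRAT was analysed by G DATA in 2014; G DATA links the family to the Uroburos rootkit."`, carries the same facts. Uroburos becomes a synonym of the Turla entry in patch 16, so that is the entry this description should be read against.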
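Review bot: `"2889",` is added as a synonym of the Cleaver entry in the `@@ -670` hunk next to `TG-2889`; a bare four-digit string is not a name anyone tags or searches by and will match unrelated numbers, so keep only `"TG-2889"`. The `@@ -1100` hunk adds `TG-3390` and `Emissary Panda` to an entry whose `value` is outside the hunk; if the value is itself one of those names the synonym duplicates it, which is the problem patch 03 cleaned up for Zeus. The commit message names the MITRE groups page as the source, but none of the three hunks adds it to `refs` (only the third entry already carries `https://attack.mitre.org`).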
@@ -525,10 +525,22 @@
 }
 },
 {
- "value": "Turla"
- },
- {
- "value": "Uroburos"
+ "value": "Turla",
+ "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).",
+ "meta": {
+ "synonyms": [
+ "Snake",
+ "Uroburos",
+ "Urouros"
+ ],
+ "refs": [
+ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf"
+ ],
+ "type": [
+ "Backdoor",
+ "Rootkit"
+ ]
+ }
 },
 {
 "value": "Winexe"
From 849ca3ebbc22315bd4ab6a53bc7ef3be05959ee1 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 23:38:50 +0100
Subject: [PATCH 17/19] Pimp Epic turla
---
 clusters/tool.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 1a1513d..6ca4454 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -517,10 +517,16 @@
 "meta": {
 "synonyms": [
 "Tavdig",
- "Epic Turla"
+ "Epic Turla",
+ "WorldCupSec",
+ "TadjMakhal"
 ],
 "refs": [
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
From 9eb2d097f2d49898a308999b6e129e2a80fd9ccb Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Mon, 27 Feb 2017 00:23:56 +0100
Subject: [PATCH 18/19] add a bunch of rat from ratdecoder list
---
 clusters/tool.json | 422 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 421 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 6ca4454..cfb99e2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -518,7 +518,7 @@
 "synonyms": [
 "Tavdig",
 "Epic Turla",
- "WorldCupSec",
+ "WorldCupSec",
 "TadjMakhal"
 ],
 "refs": [
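Review bot: The merge deletes the `Uroburos` entry and keeps the name only as a synonym of Turla; anything that tags or references `Uroburos` as a value now points at nothing, so the removal deserves a mention in the commit message and a check of existing references. Next to it, `Urouros` looks like a misspelling of `Uroburos` that slipped in beside the correct form; drop it unless it is a documented variant. The description `Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).` has an unbalanced closing parenthesis and mixes `-` and `–`; `"description": "Family of related sophisticated backdoor software. The name comes from the Microsoft detection signature, an anagram of Ultra (Ultra3 was the name of the fake driver)."` keeps the content.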
@@ -1626,6 +1626,426 @@
 ]
 }
 },
+ {
+ "value": "adzok",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "albertino",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "arcom",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "blacknix",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "bluebanana",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "bozok",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "clientmesh",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "crimson",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "cybergate",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "darkcomet",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "darkrat",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "gh0st",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "greame",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "hawkeye",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "javadropper",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "lostdoor",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "luxnet",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "pandora",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "poisonivy",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "predatorpain",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "punisher",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "qrat",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "shadowtech",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "smallnet",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "spygate",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "template",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "tapaoux",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "vantom",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "virusrat",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "xena",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "xtreme",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "darkddoser",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "jspy",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "njrat",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
+ {
+ "value": "xrat",
+ "description": "Remote Access Trojan",
+ "meta": {
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ],
+ "type": [
+ "Backdoor"
+ ]
+ }
+ },
 {
 "value": "PupyRAT",
 "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.",
From 07cc13feb88a71521fec1adbec3d03f6b3c16c1d Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Mon, 27 Feb 2017 00:38:39 +0100
Subject: [PATCH 19/19] remove duplicate of ratdecode import
---
 clusters/tool.json | 33 ++++++++------------------------
 1 file changed, 8 insertions(+), 25 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index cfb99e2..fafb104 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -233,7 +233,8 @@
 "Jorik"
 ],
 "refs": [
- "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
+ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf",
+ "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar"
 ],
 "type": [
 "Backdoor"
@@ -1238,6 +1239,9 @@
 "meta": {
 "refs": [
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
@@ -1247,6 +1251,9 @@
 "meta": {
 "refs": [
 "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
+ ],
+ "type": [
+ "Backdoor"
 ]
 }
 },
@@ -1710,18 +1717,6 @@
 ]
 }
 },
- {
- "value": "crimson",
- "description": "Remote Access Trojan",
- "meta": {
- "refs": [
- "https://github.com/kevthehermit/RATDecoders"
- ],
- "type": [
- "Backdoor"
- ]
- }
- },
 {
 "value": "cybergate",
 "description": "Remote Access Trojan",
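Review bot: All 35 entries added in the `@@ -1626` hunk carry the placeholder `"description": "Remote Access Trojan"` and the same repository-root reference, and several duplicate entries the file already has under another spelling: `darkcomet` duplicates `Dark Comet` (visible in patch 01's context), and `crimson` and `njrat` are the two that patch 19 then removes, so the same check should be run for `darkcomet`, `poisonivy`, `gh0st` and `xtreme` before the import lands. `template` looks like the RATDecoders sample decoder rather than a malware family and should not become a cluster value. The lower-case values (`adzok`, `albertino`, ...) also break the file's convention of vendor-cased names (`PupyRAT`, `Dark Comet`), which matters if values double as tag names. A per-family reference, as patch 19 adds for njRAT with `.../yaraRules/njRat.yar`, would be more useful than the repository root.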
@@ -2022,18 +2017,6 @@
 ]
 }
 },
- {
- "value": "njrat",
- "description": "Remote Access Trojan",
- "meta": {
- "refs": [
- "https://github.com/kevthehermit/RATDecoders"
- ],
- "type": [
- "Backdoor"
- ]
- }
- },
 {
 "value": "xrat",
 "description": "Remote Access Trojan",