add tools used by SamSam

clusters/ransomware.json

@@ -7968,7 +7968,9 @@
           "MIKOPONI.exe",
           "RikiRafael.exe",
           "showmehowto.exe",
-          "SamSam Ransomware"
+          "SamSam Ransomware",
+          "SamSam",
+          "Samsam"
         ],
         "extensions": [
           ".encryptedAES",

clusters/tool.json

@@ -2,7 +2,7 @@
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "source": "MISP Project",
-  "version": 81,
+  "version": 82,
   "values": [
     {
       "meta": {
@@ -4445,9 +4445,116 @@
       "meta": {
         "refs": [
           "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
-        ],
-        "synonyms": [
-          ""
+        ]
+      }
+    },
+    {
+      "value": "JexBoss",
+      "description": "A tool for testing and exploiting vulnerabilities in JBoss Application Servers.",
+      "uuid": "509fc49c-9bd8-11e8-ade9-af561325f046",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "reGeorg",
+      "description": "“Provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so, reGeorg is a fully-functional SOCKS proxy and gives ability to analyze target internal network.”",
+      "uuid": "2c62f08a-9bd9-11e8-9e20-db9ec0d2b277",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "Hyena",
+      "description": "An Active Directory and Windows system management software, which can be used for remote administration of servers and workstations.",
+      "uuid": "511d1000-9bd8-11e8-8477-8f5bcff04fb0",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "csvde.exe",
+      "description": "Imports and exports data from Active Directory Lightweight Directory Services (AD LDS) using files that store data in the comma-separated value (CSV) format.",
+      "uuid": "521721a8-9bd8-11e8-b26e-efd4142476e4",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "NLBrute",
+      "description": "A tool to brute-force Remote Desktop Protocol (RDP) passwords.",
+      "uuid": "49ebf3e4-9bda-11e8-b1c1-8bdbfc744293",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "xDedic RDP Patch",
+      "description": "Used to create new RDP user accounts.",
+      "uuid": "52be6512-9bd8-11e8-8bab-f7d8a88482ed",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "xDedic SysScan",
+      "description": "Used to profile servers for potential sale on the dark net",
+      "uuid": "52dae6ce-9bd8-11e8-a230-7bca2e015ba5",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "Wmiexec",
+      "description": "A PsExec-like tool, which executes commands through Windows Management Instrumentation (WMI).",
+      "uuid": "52f7f890-9bd8-11e8-a731-ab637e0833b4",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "RDPWrap",
+      "description": "Allows a user to be logged in both locally and remotely at the same time.",
+      "uuid": "5316eb7e-9bd8-11e8-8587-eb328b3dd314",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "PsExec",
+      "description": "A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. When a command is executed on a remote computer using PsExec, then the service PSEXESVC will be installed on that system, which means that an executable called psexesvc.exe will execute the commands.",
+      "uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+        ]
+      }
+    },
+    {
+      "value": "PAExec",
+      "description": "A PsExec-like tool, which lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. When the PAExec service is running on the remote computer, the name of the source system is added to service’s name, e.g., paexec-<id>-<source computer name>.exe, which can help to identify the entry point of the attack.",
+      "uuid": "6e76f29c-9bd8-11e8-97ae-8f7b8be65f0c",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
         ]
       }
     }