From 27805ca768777b24f05e7441c1018eadf81b8117 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 9 Aug 2018 15:55:36 +0200
Subject: [PATCH] add tools used by SamSam
---
clusters/ransomware.json | 4 +-
clusters/tool.json | 115 +++++++++++++++++++++++++++++++++++++--
2 files changed, 114 insertions(+), 5 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d4bf5d8..7df66af 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -7968,7 +7968,9 @@
 "MIKOPONI.exe",
 "RikiRafael.exe",
 "showmehowto.exe",
- "SamSam Ransomware"
+ "SamSam Ransomware",
+ "SamSam",
+ "Samsam"
 ],
 "extensions": [
 ".encryptedAES",
diff --git a/clusters/tool.json b/clusters/tool.json
index 4cf5737..0c309f8 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "source": "MISP Project",
- "version": 81,
+ "version": 82,
 "values": [
 {
 "meta": {
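Review bot: The two new synonyms `"SamSam"` and `"Samsam"` in the ransomware.json hunk differ only by letter case. If the consuming matcher compares synonyms case-insensitively one of them is redundant, and if it compares case-sensitively the choice of exactly these two casings deserves a word in the commit message so the next editor does not "deduplicate" them. The enclosing synonyms array begins before the hunk, so I cannot see whether the entry's own value already carries one of these spellings.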
@@ -4445,9 +4445,116 @@
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
- ],
- "synonyms": [
- ""
+ ]
+ }
+ },
+ {
+ "value": "JexBoss",
+ "description": "A tool for testing and exploiting vulnerabilities in JBoss Application Servers.",
+ "uuid": "509fc49c-9bd8-11e8-ade9-af561325f046",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "reGeorg",
+ "description": "“Provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so, reGeorg is a fully-functional SOCKS proxy and gives ability to analyze target internal network.”",
+ "uuid": "2c62f08a-9bd9-11e8-9e20-db9ec0d2b277",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "Hyena",
+ "description": "An Active Directory and Windows system management software, which can be used for remote administration of servers and workstations.",
+ "uuid": "511d1000-9bd8-11e8-8477-8f5bcff04fb0",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "csvde.exe",
+ "description": "Imports and exports data from Active Directory Lightweight Directory Services (AD LDS) using files that store data in the comma-separated value (CSV) format.",
+ "uuid": "521721a8-9bd8-11e8-b26e-efd4142476e4",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "NLBrute",
+ "description": "A tool to brute-force Remote Desktop Protocol (RDP) passwords.",
+ "uuid": "49ebf3e4-9bda-11e8-b1c1-8bdbfc744293",
+ "meta": {
+ "refs": [
+
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "xDedic RDP Patch",
+ "description": "Used to create new RDP user accounts.",
+ "uuid": "52be6512-9bd8-11e8-8bab-f7d8a88482ed",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "xDedic SysScan",
+ "description": "Used to profile servers for potential sale on the dark net",
+ "uuid": "52dae6ce-9bd8-11e8-a230-7bca2e015ba5",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "Wmiexec",
+ "description": "A PsExec-like tool, which executes commands through Windows Management Instrumentation (WMI).",
+ "uuid": "52f7f890-9bd8-11e8-a731-ab637e0833b4",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "RDPWrap",
+ "description": "Allows a user to be logged in both locally and remotely at the same time.",
+ "uuid": "5316eb7e-9bd8-11e8-8587-eb328b3dd314",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "PsExec",
+ "description": "A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. 
When a command is executed on a remote computer using PsExec, then the service PSEXESVC will be installed on that system, which means that an executable called psexesvc.exe will execute the commands.",
+ "uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "PAExec",
+ "description": "A PsExec-like tool, which lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. When the PAExec service is running on the remote computer, the name of the source system is added to service’s name, e.g., paexec--.exe, which can help to identify the entry point of the attack.",
+ "uuid": "6e76f29c-9bd8-11e8-97ae-8f7b8be65f0c",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
 ]
 }
 }
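Review bot: The PAExec description's example filename `paexec--.exe` has lost its placeholder tokens — the two adjacent hyphens look like the remains of angle-bracketed fields stripped as markup, so the example no longer tells an analyst what name to look for on a remote host. The description itself says the source system's name is appended, and PAExec's documented naming for the copied service binary is of the form `paexec-<PID>-<source hostname>.exe`, so spell the placeholders out in words and confirm the exact wording against the cited Sophos paper before committing. Two smaller consistency points in the same hunk: the xDedic SysScan description is the only one without a terminal period (`"Used to profile servers for potential sale on the dark net"`), and the reGeorg description is wrapped in typographic quotes “…” although no other entry quotes its source verbatim, so either drop the quotes or name the quoted source. The trailing `]`, `}`, `}` are context lines closing the PAExec entry, so every new object in this hunk is complete within it.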