This commit is contained in:
Deborah Servili 2018-07-16 09:16:13 +02:00
commit 28456545be
8 changed files with 208 additions and 6 deletions


@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
- [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
- [clusters/banker.json](clusters/banker.json) - A list of banker malware.
- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware.
- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
- [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.

24
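--- /dev/null
+++ b/clusters/backdoor.json
@@ -0,0 +1,24 @@
+{
+"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+"description": "A list of backdoor malware.",
+"source": "Open Sources",
+"version": 1,
+"values": [
+{
+"meta": {
+"date": "July 2018.",
+"refs": [
+"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+]
+},
+"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
+"value": "WellMess",
+"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+}
+],
+"authors": [
+"raw-data"
+],
+"type": "backdoor",
+"name": "Backdoor"
+}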
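Review bot: The `date` value at line 30, `"date": "July 2018."`, is free text with a trailing period rather than a sortable date, so consumers cannot compare or filter entries on it; an ISO 8601 form such as `"date": "2018-07"` would be unambiguous. If the prose form is the project's convention for this field, at least drop the trailing period so the value is stable to match on. The cluster `uuid` at line 23 correctly matches the one declared in galaxies/backdoor.json in the same commit.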


@ -2,7 +2,7 @@
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"description": "A list of banker malware.",
"source": "Open Sources",
"version": 9,
"version": 10,
"values": [
{
"meta": {
@ -595,6 +595,70 @@
"value": "Backswap",
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
},
{
"meta": {
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
"https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
],
"synonyms": [
"URLZone",
"Shiotob"
]
},
"value": "Bebloh",
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
],
"synonyms": [
"MultiBanker 2",
"BankPatch",
"BackPatcher"
]
},
"value": "Banjori",
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
},
{
"meta": {
"refs": [
"https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
]
},
"value": "Qadars",
"uuid": "a717c873-6670-447a-ba98-90db6464c07d"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Sisron",
"uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Ranbyus",
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
},
{
"meta": {
"refs": [
"https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
]
},
"value": "Fobber",
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
},
{
"meta": {
"refs": [
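Review bot: The Ranbyus entry (lines 108-116) cites exactly the same URL as the Sisron entry immediately above it, `https://www.johannesbader.ch/2016/06/the-dga-of-sisron/`; that looks like a copy-paste of the Sisron reference rather than a source about Ranbyus, so the intended reference should be confirmed before merging. An entry whose only `refs` item documents a different family gives consumers misleading provenance for the indicator. The `values` array these entries belong to continues outside the hunk.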


@ -2,7 +2,7 @@
"description": "botnet galaxy",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"source": "MISP Project",
"version": 6,
"version": 8,
"values": [
{
"meta": {
@ -513,6 +513,16 @@
"value": "Mirai",
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
},
{
"value": "XorDDoS",
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
"description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Xor_DDoS"
]
}
},
{
"meta": {
"refs": [
@ -629,6 +639,68 @@
},
"value": "Trik Spam Botnet",
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
},
{
"meta": {
"refs": [
"https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
],
"synonyms": [
"Mad Max"
]
},
"value": "Madmax",
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
},
{
"meta": {
"refs": [
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
]
},
"value": "Pushdo",
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
},
{
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
]
},
"value": "Simda",
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Virut"
]
},
"value": "Virut",
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
},
{
"meta": {
"refs": [
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
]
},
"value": "Beebone",
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
},
{
"meta": {
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
"https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
],
"synonyms": [
"Mdrop-CSK",
"Agent-OCF"
]
},
"value": "Bamital",
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
}
],
"authors": [
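Review bot: The XorDDoS entry (lines 145-154) spells the family `XOR DDOS` in its description while its `value` is `XorDDoS`, and unlike the Madmax and Bamital entries added in the same file it carries no `synonyms`; since this cluster already records alternate spellings that way (lines 168-170), adding `"synonyms": ["XOR DDOS"]` or aligning the description spelling keeps lookups consistent. That description is also the only one in this commit without a terminating period. Separately, the `version` field moves from 6 to 8 in one hunk (lines 136-137); if no other change accounts for 7, this should presumably be `"version": 7,`. The top-level object continues outside the hunk.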


@ -9974,6 +9974,15 @@
},
"uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
},
{
"value": "DirCrypt",
"meta": {
"refs": [
"https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
]
},
"uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
},
{
"value": "DBGer Ransomware",
"description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
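Review bot: The DirCrypt entry (lines 234-242) has no `description`, while the neighbouring DBGer entry at line 245 does, so a consumer sees only a name and a DGA write-up URL with no statement of what the family is. A one-line description would make the entry self-describing; presumably something like `"description": "Ransomware family; the referenced analysis covers its domain generation algorithm (DGA)."`, assuming the file it is added to is the ransomware cluster. The DBGer object at lines 243-245 continues outside the hunk.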


@ -1,8 +1,8 @@
{
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"description": "A list of malware stealer.",
"name": "Stealer",
"source": "Open Sources",
"version": 1,
"version": 2,
"values": [
{
"meta": {
@ -25,11 +25,24 @@
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
"value": "TeleGrab",
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
},
{
"meta": {
"date": "July 2018.",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers",
"https://malware.lu/articles/2018/05/04/azorult-stealer.html"
]
},
"description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
"value": "AZORult",
"uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
}
],
"authors": [
"raw-data"
],
"type": "stealer",
"name": "Stealer"
"description": "A list of malware stealer."
}
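Review bot: The second hunk replaces the trailing `"name": "Stealer"` (line 283) with `"description": "A list of malware stealer."` (line 284), but the top-level object already carries that exact `description` at line 252; if, as the first hunk suggests, line 252 stays on the new side, the file ends up with a duplicate top-level key. RFC 8259 only says names should be unique and most parsers silently keep the last occurrence, so the duplicate is easy to miss but is a parser-differential hazard. Drop line 284 and the comma ending line 282 so the object closes with `"type": "stealer"` followed by `}`. The AZORult `"date": "July 2018."` at line 267 is free text with a trailing period rather than an ISO 8601 date, which makes it hard to sort or compare.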


@ -3201,6 +3201,16 @@
]
},
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
},
{
"value": "The Big Bang",
"description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed Big Bang due to the attackers fondness for the Big Bang Theory TV show, after which some of the malwares modules are named.",
"meta": {
"refs": [
"https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
]
}
}
],
"name": "Threat actor",
@ -3215,5 +3225,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 44
"version": 45
}
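Review bot: The Big Bang entry (lines 294-303) describes a campaign rather than a named adversary group — its own description says the activity "has been dubbed Big Bang" after the TV show the modules are named for — which is precisely the conflation the galaxy's description at line 308 warns about; either confirm the project accepts operation names in this cluster or record it as a `synonyms` entry on the group behind it. The pasted description also carries two grammar slips worth fixing in the hunk: `attackers fondness` → `attackers' fondness` and `malwares modules` → `malware's modules`. The entry has no `synonyms`, so the name "Big Bang" (without "The") used in the description will not match a lookup.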

9
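--- /dev/null
+++ b/galaxies/backdoor.json
@@ -0,0 +1,9 @@
+{
+"description": "Malware Backdoor galaxy.",
+"type": "backdoor",
+"version": 1,
+"name": "Backdoor",
+"icon": "door-open",
+"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+"namespace": "misp"
+}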