This commit is contained in:
Deborah Servili 2018-07-16 09:16:13 +02:00
commit 28456545be
8 changed files with 208 additions and 6 deletions

View file

@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
- [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources. - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
- [clusters/banker.json](clusters/banker.json) - A list of banker malware. - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer. - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware.
- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets. - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
- [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits. - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years. - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.

24
clusters/backdoor.json Normal file
View file

@ -0,0 +1,24 @@
{
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"description": "A list of backdoor malware.",
"source": "Open Sources",
"version": 1,
"values": [
{
"meta": {
"date": "July 2018.",
"refs": [
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
]
},
"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
"value": "WellMess",
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
}
],
"authors": [
"raw-data"
],
"type": "backdoor",
"name": "Backdoor"
}

View file

@ -2,7 +2,7 @@
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832", "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"description": "A list of banker malware.", "description": "A list of banker malware.",
"source": "Open Sources", "source": "Open Sources",
"version": 9, "version": 10,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -595,6 +595,70 @@
"value": "Backswap", "value": "Backswap",
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0" "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
}, },
{
"meta": {
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
"https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
],
"synonyms": [
"URLZone",
"Shiotob"
]
},
"value": "Bebloh",
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
],
"synonyms": [
"MultiBanker 2",
"BankPatch",
"BackPatcher"
]
},
"value": "Banjori",
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
},
{
"meta": {
"refs": [
"https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
]
},
"value": "Qadars",
"uuid": "a717c873-6670-447a-ba98-90db6464c07d"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Sisron",
"uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
},
{
"meta": {
"refs": [
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Ranbyus",
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
},
{
"meta": {
"refs": [
"https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
]
},
"value": "Fobber",
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
},
{ {
"meta": { "meta": {
"refs": [ "refs": [

View file

@ -2,7 +2,7 @@
"description": "botnet galaxy", "description": "botnet galaxy",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f", "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"source": "MISP Project", "source": "MISP Project",
"version": 6, "version": 8,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -513,6 +513,16 @@
"value": "Mirai", "value": "Mirai",
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185" "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
}, },
{
"value": "XorDDoS",
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
"description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Xor_DDoS"
]
}
},
{ {
"meta": { "meta": {
"refs": [ "refs": [
@ -629,6 +639,68 @@
}, },
"value": "Trik Spam Botnet", "value": "Trik Spam Botnet",
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501" "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
},
{
"meta": {
"refs": [
"https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
],
"synonyms": [
"Mad Max"
]
},
"value": "Madmax",
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
},
{
"meta": {
"refs": [
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
]
},
"value": "Pushdo",
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
},
{
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
]
},
"value": "Simda",
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Virut"
]
},
"value": "Virut",
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
},
{
"meta": {
"refs": [
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
]
},
"value": "Beebone",
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
},
{
"meta": {
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
"https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
],
"synonyms": [
"Mdrop-CSK",
"Agent-OCF"
]
},
"value": "Bamital",
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
} }
], ],
"authors": [ "authors": [

View file

@ -9974,6 +9974,15 @@
}, },
"uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2" "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
}, },
{
"value": "DirCrypt",
"meta": {
"refs": [
"https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
]
},
"uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
},
{ {
"value": "DBGer Ransomware", "value": "DBGer Ransomware",
"description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.", "description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",

View file

@ -1,8 +1,8 @@
{ {
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054", "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"description": "A list of malware stealer.", "name": "Stealer",
"source": "Open Sources", "source": "Open Sources",
"version": 1, "version": 2,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -25,11 +25,24 @@
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.", "description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
"value": "TeleGrab", "value": "TeleGrab",
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec" "uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
},
{
"meta": {
"date": "July 2018.",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers",
"https://malware.lu/articles/2018/05/04/azorult-stealer.html"
]
},
"description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
"value": "AZORult",
"uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
} }
], ],
"authors": [ "authors": [
"raw-data" "raw-data"
], ],
"type": "stealer", "type": "stealer",
"name": "Stealer" "description": "A list of malware stealer."
} }

View file

@ -3201,6 +3201,16 @@
] ]
}, },
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b" "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
},
{
"value": "The Big Bang",
"description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed Big Bang due to the attackers fondness for the Big Bang Theory TV show, after which some of the malwares modules are named.",
"meta": {
"refs": [
"https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
]
}
} }
], ],
"name": "Threat actor", "name": "Threat actor",
@ -3215,5 +3225,5 @@
], ],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823", "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 44 "version": 45
} }

9
galaxies/backdoor.json Normal file
View file

@ -0,0 +1,9 @@
{
"description": "Malware Backdoor galaxy.",
"type": "backdoor",
"version": 1,
"name": "Backdoor",
"icon": "door-open",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"namespace": "misp"
}