mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
This commit is contained in:
commit
28456545be
8 changed files with 208 additions and 6 deletions
|
@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
|
||||||
- [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
|
- [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
|
||||||
- [clusters/banker.json](clusters/banker.json) - A list of banker malware.
|
- [clusters/banker.json](clusters/banker.json) - A list of banker malware.
|
||||||
- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
|
- [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
|
||||||
|
- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware.
|
||||||
- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
|
- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
|
||||||
- [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
|
- [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
|
||||||
- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
|
- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
|
||||||
|
|
24
clusters/backdoor.json
Normal file
24
clusters/backdoor.json
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{
|
||||||
|
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
|
||||||
|
"description": "A list of backdoor malware.",
|
||||||
|
"source": "Open Sources",
|
||||||
|
"version": 1,
|
||||||
|
"values": [
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"date": "July 2018.",
|
||||||
|
"refs": [
|
||||||
|
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
|
||||||
|
"value": "WellMess",
|
||||||
|
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"authors": [
|
||||||
|
"raw-data"
|
||||||
|
],
|
||||||
|
"type": "backdoor",
|
||||||
|
"name": "Backdoor"
|
||||||
|
}
|
|
@ -2,7 +2,7 @@
|
||||||
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
|
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
|
||||||
"description": "A list of banker malware.",
|
"description": "A list of banker malware.",
|
||||||
"source": "Open Sources",
|
"source": "Open Sources",
|
||||||
"version": 9,
|
"version": 10,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -595,6 +595,70 @@
|
||||||
"value": "Backswap",
|
"value": "Backswap",
|
||||||
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
|
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
|
||||||
|
"https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"URLZone",
|
||||||
|
"Shiotob"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Bebloh",
|
||||||
|
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"MultiBanker 2",
|
||||||
|
"BankPatch",
|
||||||
|
"BackPatcher"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Banjori",
|
||||||
|
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Qadars",
|
||||||
|
"uuid": "a717c873-6670-447a-ba98-90db6464c07d"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Sisron",
|
||||||
|
"uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Ranbyus",
|
||||||
|
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Fobber",
|
||||||
|
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
"description": "botnet galaxy",
|
"description": "botnet galaxy",
|
||||||
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
|
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
|
||||||
"source": "MISP Project",
|
"source": "MISP Project",
|
||||||
"version": 6,
|
"version": 8,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -513,6 +513,16 @@
|
||||||
"value": "Mirai",
|
"value": "Mirai",
|
||||||
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
|
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"value": "XorDDoS",
|
||||||
|
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
|
||||||
|
"description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://en.wikipedia.org/wiki/Xor_DDoS"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -629,6 +639,68 @@
|
||||||
},
|
},
|
||||||
"value": "Trik Spam Botnet",
|
"value": "Trik Spam Botnet",
|
||||||
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
|
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Mad Max"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Madmax",
|
||||||
|
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Pushdo",
|
||||||
|
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Simda",
|
||||||
|
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://en.wikipedia.org/wiki/Virut"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Virut",
|
||||||
|
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Beebone",
|
||||||
|
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
|
||||||
|
"https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Mdrop-CSK",
|
||||||
|
"Agent-OCF"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"value": "Bamital",
|
||||||
|
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"authors": [
|
"authors": [
|
||||||
|
|
|
@ -9974,6 +9974,15 @@
|
||||||
},
|
},
|
||||||
"uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
|
"uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"value": "DirCrypt",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"value": "DBGer Ransomware",
|
"value": "DBGer Ransomware",
|
||||||
"description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
|
"description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{
|
{
|
||||||
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
|
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
|
||||||
"description": "A list of malware stealer.",
|
"name": "Stealer",
|
||||||
"source": "Open Sources",
|
"source": "Open Sources",
|
||||||
"version": 1,
|
"version": 2,
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -25,11 +25,24 @@
|
||||||
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
|
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
|
||||||
"value": "TeleGrab",
|
"value": "TeleGrab",
|
||||||
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
|
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"meta": {
|
||||||
|
"date": "July 2018.",
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
|
||||||
|
"https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers",
|
||||||
|
"https://malware.lu/articles/2018/05/04/azorult-stealer.html"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
|
||||||
|
"value": "AZORult",
|
||||||
|
"uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"authors": [
|
"authors": [
|
||||||
"raw-data"
|
"raw-data"
|
||||||
],
|
],
|
||||||
"type": "stealer",
|
"type": "stealer",
|
||||||
"name": "Stealer"
|
"description": "A list of malware stealer."
|
||||||
}
|
}
|
||||||
|
|
|
@ -3201,6 +3201,16 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
|
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "The Big Bang",
|
||||||
|
"description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
|
||||||
|
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"name": "Threat actor",
|
"name": "Threat actor",
|
||||||
|
@ -3215,5 +3225,5 @@
|
||||||
],
|
],
|
||||||
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
||||||
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
||||||
"version": 44
|
"version": 45
|
||||||
}
|
}
|
||||||
|
|
9
galaxies/backdoor.json
Normal file
9
galaxies/backdoor.json
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "Malware Backdoor galaxy.",
|
||||||
|
"type": "backdoor",
|
||||||
|
"version": 1,
|
||||||
|
"name": "Backdoor",
|
||||||
|
"icon": "door-open",
|
||||||
|
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
|
||||||
|
"namespace": "misp"
|
||||||
|
}
|
Loading…
Reference in a new issue