mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
Merge pull request #166 from Delta-Sierra/master
add Nautilus, Neuron and update GandCrab
This commit is contained in:
commit
41ee336099
2 changed files with 28 additions and 3 deletions
|
@ -9241,11 +9241,18 @@
|
|||
"date": "January 2018",
|
||||
"refs": [
|
||||
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
|
||||
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/"
|
||||
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
|
||||
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/"
|
||||
],
|
||||
"ransomnotes": [
|
||||
"GDCB-DECRYPT.txt",
|
||||
"---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!"
|
||||
"CRAB-Decrypt.txt",
|
||||
"---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!",
|
||||
"---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can't download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. Download and install qTOX on your PC.\n3. Open it, click \"New Profile\" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!"
|
||||
],
|
||||
"extensions": [
|
||||
".Crab",
|
||||
".CRAB"
|
||||
]
|
||||
},
|
||||
"uuid": "5920464b-e093-4fa0-a275-438dffef228f"
|
||||
|
|
|
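Review bot: the third ransom note added in this hunk (the variant with the gdcbmuveqjsli57x onion address and the qTOX contact) still tells the victim the files "have the extension: .GDCB", while the same hunk adds `.Crab` and `.CRAB` under `extensions` and cites the "version 2 released with new crab extension" article; please check that note text against the source, because a note for the .CRAB variant that names .GDCB reads like a copy of the earlier GDCB note. Also, `.Crab` and `.CRAB` differ only in case, so confirm both spellings were actually observed rather than one being a typo.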
@ -10,7 +10,7 @@
|
|||
],
|
||||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||
"version": 54,
|
||||
"version": 55,
|
||||
"values": [
|
||||
{
|
||||
"meta": {
|
||||
|
@ -3831,6 +3831,24 @@
|
|||
]
|
||||
},
|
||||
"uuid": "231b7572-239f-11e8-8404-df420a5d403b"
|
||||
},
|
||||
{
|
||||
"value": "Neuron",
|
||||
"description": "Neuron consists of both client and server components. The Neuron client and Neuron service are written using the .NET framework with some codebase overlaps.\nThe Neuron client is used to infect victim endpoints and extract sensitive information from local client machines. The Neuron server is used to infect network infrastructure such as mail and web servers, and acts as local Command & Control (C2) for the client component. Establishing a local C2 limits interaction with the target network and remote hosts. It also reduces the log footprint of actor infrastructure and enables client interaction to appear more convincing as the traffic is contained within the target network. ",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "Nautilus",
|
||||
"description": "Nautilus is very similar to Neuron both in the targeting of mail servers and how client communications are performed. This malware is referred to as Nautilus due to its embedded internal DLL name “nautilus-service.dll”, again sharing some resemblance to Neuron.\nThe Nautilus service listens for HTTP requests from clients to process tasking requests such as executing commands, deleting files and writing files to disk",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20group%20using%20Neuron%20and%20Nautilus%20tools%20alongside%20Snake%20malware_0.pdf"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
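Review bot: neither the `Neuron` nor the `Nautilus` value carries a `uuid`, whereas the preceding entry in this hunk closes with `"uuid": "231b7572-239f-11e8-8404-df420a5d403b"`; galaxy values are referenced by uuid, so each new value should get its own before this is merged. Two smaller points: the Neuron description ends with a trailing space before the closing quote (`within the target network. "`), and the Nautilus description has no full stop after `writing files to disk`.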