From d8c83cf2d6e6a13343d624d3ba88defee2c96cae Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 18 Jun 2018 10:54:58 +0200
Subject: [PATCH 1/2] add cluster in threat actor
---
clusters/threat-actor.json | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7b9b3d5..691ed44 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2678,6 +2678,29 @@
 ]
 },
 "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568"
+ },
+ {
+ "value": "LuckyMouse",
+ "description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
+ "https://www.secureworks.com/research/bronze-union",
+ "http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states",
+ "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
+ "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/"
+ ],
+ "synonyms": [
+ "Emissary Panda",
+ "APT27",
+ "Threat Group 3390",
+ "Bronze Union",
+ "ZipToken",
+ "Iron Tiger"
+ ]
+ },
+ "uuid": "4af45fea-72d3-11e8-846c-d37699506c8d"
 }
 ],
 "name": "Threat actor",
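Review bot: The new LuckyMouse cluster very likely duplicates an actor already in this file — its own description states the group is the older actor tracked as Emissary Panda / APT27 / Threat Group 3390, and if a cluster under one of those names already exists (I cannot see the rest of the file), minting a second UUID splits MISP correlation for one actor across two objects. Check the existing clusters before merging; if one is found, add `"LuckyMouse"` to its `synonyms` and fold the new `refs` into it instead of adding this entry. The description is also copied verbatim from the BleepingComputer article, so "the group behind this hack" has no referent inside the cluster; a self-contained sentence such as `"description": "Chinese cyber-espionage group named LuckyMouse in reporting on the compromise of a government data center, later identified with the older actor tracked as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken and Iron Tiger"` reads correctly on its own. If the other Chinese actor clusters in this galaxy carry a country or state-sponsor key in `meta`, this entry should carry the same one for consistency.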
@@ -2692,5 +2715,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 41
+ "version": 42
 }
From cee83f677e415b8fbbcee138cfab6d65b7c26a66 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 18 Jun 2018 14:30:51 +0200
Subject: [PATCH 2/2] more clusters
---
clusters/ransomware.json | 30 +++++++++++++++++++++++++++++-
clusters/tool.json | 12 +++++++++++-
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f1c9a4f..61b8fc0 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9838,12 +9838,40 @@
 ]
 },
 "uuid": "fe42c270-7077-11e8-af82-d7bf7e6ab8a9"
+ },
+ {
+ "value": "Donut",
+ "description": "S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.",
+ "meta": {
+ "refs": [
+ "https://twitter.com/siri_urz/status/1005438610806583296",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/"
+ ],
+ "extensions": [
+ ".donut"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/15/DfQI_lnXUAAukGK[1].jpg"
+ ]
+ },
+ "uuid": "e57e1f4a-72da-11e8-8c0d-af46e8f393d2"
+ },
+ {
+ "value": "NemeS1S Ransomware",
+ "description": "Ransomware as a Service",
+ "meta": {
+ "refs": [
+ "https://twitter.com/Damian1338B/status/1005411102660923392",
+ "https://www.bleepingcomputer.com/news/security/nemes1s-raas-is-padcrypt-ransomwares-affiliate-system/"
+ ]
+ },
+ "uuid": "3ac0f41e-72e0-11e8-85a8-f7ae254ab629"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 24,
+ "version": 25,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 20bc955..8304487 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "name": "Tool",
 "source": "MISP Project",
- "version": 75,
+ "version": 76,
 "values": [
 {
 "meta": {
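Review bot: The NemeS1S entry's `"description": "Ransomware as a Service"` drops the one fact its cited reference carries in the URL itself — that NemeS1S is the affiliate system for PadCrypt ransomware — so an analyst pivoting from a PadCrypt sample has no path to this cluster. Record the relationship in the description, e.g. `"description": "Ransomware-as-a-Service offering that, per the BleepingComputer reference, is the affiliate system for the PadCrypt ransomware family"`, and if this file already has a PadCrypt cluster (I cannot see the rest of it), cross-link the two via `synonyms` or a related-cluster entry rather than leaving them as unrelated objects. In the Donut entry the attacker contact address `donutmmm@tutanota.com` appears only as prose inside the description; it is a pivotable indicator, so if the ransomware schema offers a structured meta key for contact addresses it belongs there, where it can be matched rather than grepped out of free text.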
@@ -4323,6 +4323,16 @@
 "https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/"
 ]
 }
+ },
+ {
+ "value": "TYPEFRAME",
+ "description": "Trojan malware",
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+ ]
+ },
+ "uuid": "8981aaca-72dc-11e8-8649-838c1b2613c5"
 }
 ],
 "authors": [
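Review bot: `"description": "Trojan malware"` for TYPEFRAME gives an analyst nothing to act on, while the cited US-CERT AR18-165A is a full malware analysis report. As far as I recall, that report attributes TYPEFRAME to HIDDEN COBRA (North Korean government) and describes samples that download and install proxy and remote-access components and modify the host firewall to allow inbound connections — confirm against the source, then summarise it, e.g. `"description": "Trojan family analysed in US-CERT AR18-165A, which attributes it to HIDDEN COBRA; the reported samples install remote-access/proxy components and alter host firewall rules"`. If the attribution holds, the entry should also carry whatever actor-to-tool linkage this galaxy uses (synonym, `related`, or a reference from the actor cluster) so that TYPEFRAME is reachable from the HIDDEN COBRA / Lazarus threat-actor cluster.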