MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 14:57:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SloppyLemming relationsships

Browse source
This commit is contained in:
Delta-Sierra 2024-09-27 14:23:01 +02:00
parent 60340edb22
commit 70b0823947
5 changed files with 143 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
clusters/backdoor.json
View file

@ -488,7 +488,17 @@
],
"uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
"value": "TERRIBLETEA"
},
{
"description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
]
},
"uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4",
"value": "Merdoor"
}
],
"version": 19
"version": 20
}

24
clusters/botnet.json
View file

@ -2031,7 +2031,29 @@
},
"uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
"value": "Ztorg"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router",
"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
],
"synonyms": [
"7777"
]
},
"uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22",
"value": "Quad7"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router"
]
},
"uuid": "963d898f-dc48-409e-8069-aaa51ad6664c",
"value": "63256 botnet"
}
],
"version": 35
"version": 36
}

11
clusters/ransomware.json
View file

@ -1494,6 +1494,15 @@
"HavocCrypt Ransomware"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"value": "Havoc"
},
@ -29684,5 +29693,5 @@
"value": "orca"
}
],
"version": 133
"version": 134
}

90
clusters/threat-actor.json
View file

@ -15215,6 +15215,15 @@
"Outrider Tiger"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"value": "Fishing Elephant"
},
@ -16710,9 +16719,88 @@
"https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
]
},
"related": [
{
"dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
}
],
"uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"value": "SloppyLemming"
}
],
"version": 314
"version": 315
}

12
clusters/tool.json
View file

@ -1882,7 +1882,8 @@
"refs": [
"http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
"https://blogs.cisco.com/security/talos/opening-zxshell",
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
],
"synonyms": [
"Sensode"
@ -9208,6 +9209,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "similar"
},
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
@ -11075,5 +11083,5 @@
"value": "SLIVER"
}
],
"version": 173
"version": 174
}