Merge pull request #1022 from Delta-Sierra/main

SloppyLemming relationships
Alexandre Dulaunoy 2024-09-30 15:36:35 +02:00 committed by GitHub
commit 7daede8894
6 changed files with 144 additions and 7 deletions


@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. [Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *28* elements Category: *tool* - source: *Open Sources* - total: *29* elements
[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] [[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy [Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy
Category: *tool* - source: *MISP Project* - total: *130* elements Category: *tool* - source: *MISP Project* - total: *132* elements
[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] [[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]

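--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -488,7 +488,17 @@
 ],
 "uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
 "value": "TERRIBLETEA"
+},
+{
+"description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.",
+"meta": {
+"refs": [
+"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
+]
+},
+"uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4",
+"value": "Merdoor"
 }
 ],
-"version": 19
+"version": 20
 }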
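Review bot: The new `Merdoor` entry cites the Symantec Lancefly report as its only reference, and the same URL is appended to a tool-cluster entry later in this commit (the hunk at `-1882,7 +1882,8`), but neither record gets a `related` link to the other, so the association the shared reference implies is not queryable in the galaxy. If the report ties Merdoor and that tool to the same operator, a reciprocal `related` entry on each record (the tool entry's uuid is not visible in this diff) would express it; the tags used elsewhere in this commit, `"estimative-language:likelihood-probability=\"likely\""`, fit here too. The entry also has no `synonyms` or `date` fields; that is acceptable if the source gives none, but worth confirming since the description states the family dates from 2018.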

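--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2031,7 +2031,29 @@
 },
 "uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
 "value": "Ztorg"
+},
+{
+"meta": {
+"refs": [
+"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router",
+"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
+],
+"synonyms": [
+"7777"
+]
+},
+"uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22",
+"value": "Quad7"
+},
+{
+"meta": {
+"refs": [
+"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router"
+]
+},
+"uuid": "963d898f-dc48-409e-8069-aaa51ad6664c",
+"value": "63256 botnet"
 }
 ],
-"version": 35
+"version": 36
 }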
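Review bot: Neither new botnet entry carries a `description`, so a consumer sees two records that share the same Team Cymru reference with nothing stating how `Quad7` and `63256 botnet` relate; a one-line description on each, and — if the source ties the two together — a `related` entry between `3e027dad-9c0a-437e-9938-dd3cf13b0c22` and `963d898f-dc48-409e-8069-aaa51ad6664c`, would make that link explicit rather than something a reader has to recover from the shared URL. The naming is also inconsistent between the two records: one is a codename with the port number kept in `"synonyms": ["7777"]`, the other puts the port in the `value` itself with no synonym. If the 63256 botnet has no codename in the source, `"synonyms": ["63256"]` would at least keep lookup by port uniform across both entries.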

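--- a/PATH_NOT_SHOWN_ON_PAGE_malware_cluster
+++ b/PATH_NOT_SHOWN_ON_PAGE_malware_cluster
@@ -1494,6 +1494,15 @@
 "HavocCrypt Ransomware"
 ]
 },
+"related": [
+{
+"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "used-by"
+}
+],
 "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
 "value": "Havoc"
 },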
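Review bot: The `used-by` relation to SloppyLemming is attached to an entry whose visible context shows the synonym `HavocCrypt Ransomware`, which suggests this `Havoc` record describes a ransomware family rather than the Havoc command-and-control framework; if the intended relation is to the framework, `c6bef9c8-becb-4bee-bd97-c1c655133396` may be the wrong `dest-uuid`, or the entry's description and synonyms need to be disambiguated so two different tools are not merged under one UUID. This is inferred from the synonym alone — the entry's description lies outside the hunk, so please confirm against it. Whatever the resolution, the reciprocal `uses` relation added to the SloppyLemming threat-actor entry in this commit must be corrected in step.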

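--- a/PATH_NOT_SHOWN_ON_PAGE_threat_actor_cluster
+++ b/PATH_NOT_SHOWN_ON_PAGE_threat_actor_cluster
@@ -15224,6 +15224,15 @@
 "Outrider Tiger"
 ]
 },
+"related": [
+{
+"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "similar"
+}
+],
 "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
 "value": "Fishing Elephant"
 },
@@ -16738,9 +16747,88 @@
 "https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
 ]
 },
+"related": [
+{
+"dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "similar"
+},
+{
+"dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "uses"
+},
+{
+"dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "uses"
+},
+{
+"dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+},
+{
+"dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "targets"
+}
+],
 "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
 "value": "SloppyLemming"
 }
 ],
-"version": 314
+"version": 315
 }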
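Review bot: Only three of the eleven `dest-uuid` values in the new SloppyLemming `related` array can be checked against this commit — `0df34184-…` (Fishing Elephant, reciprocal `similar` in the first hunk), `c6bef9c8-…` (Havoc, reciprocal `used-by` in the malware cluster) and `97f26fab-…` (reciprocal `used-by` in the tool cluster); the seven `targets` entries and `4b09b683-5650-4a6c-a383-d8f3b686ebc2` / `6012ecea-dcc8-490c-b368-e2e06b2cb62f` have no counterpart in the diff and should be confirmed to resolve to existing cluster entries before merge, since a dangling `dest-uuid` leaves consumers with an edge they cannot follow. All eleven relations carry the same tag, `"estimative-language:likelihood-probability=\"likely\""`, including the actor-overlap link to Fishing Elephant; if the cited Cloudflare report states that overlap more or less firmly than the tool and target relations, the tag should reflect the source rather than one value applied uniformly. The enclosing SloppyLemming entry begins before the second hunk.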

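--- a/PATH_NOT_SHOWN_ON_PAGE_tool_cluster
+++ b/PATH_NOT_SHOWN_ON_PAGE_tool_cluster
@@ -1882,7 +1882,8 @@
 "refs": [
 "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
 "https://blogs.cisco.com/security/talos/opening-zxshell",
-"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"
+"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
+"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
 ],
 "synonyms": [
 "Sensode"
@@ -9208,6 +9209,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "similar"
+},
+{
+"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+"tags": [
+"estimative-language:likelihood-probability=\"likely\""
+],
+"type": "used-by"
 }
 ],
 "uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
@@ -11075,5 +11083,5 @@
 "value": "SLIVER"
 }
 ],
-"version": 173
+"version": 174
 }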