This commit is contained in:
Delta-Sierra 2020-10-30 16:14:02 +01:00
parent be672b8d3a
commit 88bbf8851c
3 changed files with 4 additions and 13214 deletions

View file

@ -279,13 +279,14 @@
"value": "PARINACOTA"
},
{
"value": "GADOLINIUM",
"description": "GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.",
"meta": {
"refs":[
"refs": [
"https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
]
}
},
"uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
"value": "GADOLINIUM"
}
],
"version": 9

View file

@ -1,56 +0,0 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import json
import argparse
import uuid
import re
parser = argparse.ArgumentParser(description='Sort ransomnotes.')
parser.add_argument("-f", "--filename", required=True, help="name of the cluster")
args = parser.parse_args()
if 'mitre-' in args.filename:
exit()
with open(args.filename) as json_file:
data = json.load(json_file)
json_file.close()
new_file = {}
for key in data:
if key != 'values':
new_file[key]=data[key]
else:
new_file['values']=[]
values = data[key]
for ransomware in values:
ransom_cluster= {}
for attribute in ransomware:
if attribute != 'meta':
ransom_cluster[attribute]=ransomware[attribute]
else:
ransom_cluster['meta']={}
meta = ransomware['meta']
for metadata in meta:
if metadata != 'ransomnotes':
ransom_cluster['meta'][metadata]=meta[metadata]
else:
for ransomnote in meta['ransomnotes']:
if ransomnote.startswith('http'):
if not ransom_cluster['meta'].get('ransomnotes-refs'):
ransom_cluster['meta']['ransomnotes-refs']=[]
ransom_cluster['meta']['ransomnotes-refs'].append(ransomnote)
elif re.search('\.([a-zA-Z0-9]){3,4}$',ransomnote):
if not ransom_cluster['meta'].get('ransomnotes-filenames'):
ransom_cluster['meta']['ransomnotes-filenames']=[]
ransom_cluster['meta']['ransomnotes-filenames'].append(ransomnote)
else:
if not ransom_cluster['meta'].get('ransomnotes'):
ransom_cluster['meta']['ransomnotes']=[]
ransom_cluster['meta']['ransomnotes'].append(ransomnote)
new_file['values'].append(ransom_cluster)
with open('ransom2.json', 'w') as json_file:
json.dump(new_file, json_file, indent=2, sort_keys=True, ensure_ascii=False)

File diff suppressed because one or more lines are too long