Merge pull request #225 from Delta-Sierra/master

More ransomware and other clusters
Alexandre Dulaunoy 2018-06-18 10:02:36 +02:00 committed by GitHub
commit 9687a32581
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 128 additions and 12 deletions


@ -4290,9 +4290,19 @@
] ]
}, },
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§" "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"
},
{
"value": "MysteryBot",
"description": "Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/"
]
},
"uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf"
} }
], ],
"version": 8, "version": 9,
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa", "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
"description": "Android malware galaxy based on multiple open sources.", "description": "Android malware galaxy based on multiple open sources.",
"authors": [ "authors": [
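Review bot: The uuid on the context line directly above the new MysteryBot entry, `72c37e24-4ead-11e8-8f08-db3ec8f8db86§`, ends in a stray `§` that makes it an invalid UUID; since this commit already bumps the cluster's version, it is a good moment to correct that value to `72c37e24-4ead-11e8-8f08-db3ec8f8db86`. MISP galaxy uuids are what other clusters and relationships point to, so an invalid one fails lookups silently rather than loudly. The character may be a rendering artefact of this page rather than of the file, so check the raw file before changing it. The new MysteryBot entry itself follows the same shape as its neighbours (value, description, meta.refs, uuid).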


@ -666,7 +666,8 @@
{ {
"meta": { "meta": {
"refs": [ "refs": [
"https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html" "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
], ],
"ransomnotes": [ "ransomnotes": [
"https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png", "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
@ -1068,7 +1069,9 @@
"refs": [ "refs": [
"https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html", "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
"https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/", "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
"https://twitter.com/PolarToffee/status/824705553201057794" "https://twitter.com/PolarToffee/status/824705553201057794",
"https://twitter.com/demonslay335/status/1004351990493741057",
"https://twitter.com/demonslay335/status/1004803373747572736"
], ],
"ransomnotes": [ "ransomnotes": [
"How decrypt files.hta", "How decrypt files.hta",
@ -2431,7 +2434,9 @@
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
"https://twitter.com/fwosar/status/812421183245287424", "https://twitter.com/fwosar/status/812421183245287424",
"https://decrypter.emsisoft.com/globeimposter", "https://decrypter.emsisoft.com/globeimposter",
"https://twitter.com/malwrhunterteam/status/809795402421641216" "https://twitter.com/malwrhunterteam/status/809795402421641216",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
"https://twitter.com/GrujaRS/status/1004661259906768896"
], ],
"ransomnotes": [ "ransomnotes": [
"https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg", "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
@ -2439,7 +2444,8 @@
], ],
"encryption": "AES", "encryption": "AES",
"extensions": [ "extensions": [
".crypt" ".crypt",
".emilysupp"
], ],
"date": "December 2016" "date": "December 2016"
}, },
@ -9454,11 +9460,13 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/", "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/",
"https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/" "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/",
"https://twitter.com/demonslay335/status/1005133410501787648"
], ],
"extensions": [ "extensions": [
".ihsdj", ".ihsdj",
".kgpvwnr" ".kgpvwnr",
".ndpyhss"
], ],
"ransomnotes": [ "ransomnotes": [
"READ_ME_FOR_DECRYPT_[id].txt", "READ_ME_FOR_DECRYPT_[id].txt",
@ -9565,7 +9573,9 @@
"https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/", "https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/",
"https://twitter.com/malwrhunterteam/status/923847744137154560", "https://twitter.com/malwrhunterteam/status/923847744137154560",
"https://twitter.com/struppigel/status/926748937477939200", "https://twitter.com/struppigel/status/926748937477939200",
"https://twitter.com/demonslay335/status/968552114787151873" "https://twitter.com/demonslay335/status/968552114787151873",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
"https://twitter.com/malwrhunterteam/status/1004048636530094081"
], ],
"extensions": [ "extensions": [
".Encrypted[BaYuCheng@yeah.net].XiaBa", ".Encrypted[BaYuCheng@yeah.net].XiaBa",
@ -9602,7 +9612,8 @@
".XiaoBa31", ".XiaoBa31",
".XiaoBa32", ".XiaoBa32",
".XiaoBa33", ".XiaoBa33",
".XiaoBa34" ".XiaoBa34",
".AdolfHitler"
], ],
"ransomnotes": [ "ransomnotes": [
"https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg",
@ -9610,7 +9621,9 @@
"_@XiaoBa@_.bmp", "_@XiaoBa@_.bmp",
"_@Explanation@_.hta", "_@Explanation@_.hta",
"_XiaoBa_Info_.hta", "_XiaoBa_Info_.hta",
"_XiaoBa_Info_.bmp" "_XiaoBa_Info_.bmp",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg",
"# # DECRYPT MY FILE # #.bmp"
] ]
}, },
"uuid": "ef094aa6-4465-11e8-81ce-739cce28650b" "uuid": "ef094aa6-4465-11e8-81ce-739cce28650b"
@ -9743,12 +9756,94 @@
] ]
}, },
"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 " "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
},
{
"value": "DiskDoctor",
"description": "new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT",
"meta": {
"refs": [
"https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
],
"extensions": [
".DiskDoctor"
],
"ransomnotes": [
"HOW TO RECOVER ENCRYPTED FILES.TXT",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg"
],
"synonyms": [
"Scarab-DiskDoctor"
]
},
"uuid": "aa66e0c2-6fb5-11e8-851d-4722b7b3e9b9"
},
{
"value": "RedEye",
"description": "Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
"https://twitter.com/JakubKroustek/status/1004463935905509376",
"https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html"
],
"extensions": [
".RedEye"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg"
]
},
"uuid": "e675e8fa-7065-11e8-95e0-cfdc107099d8"
},
{
"value": "Aurora Ransomware",
"description": "Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.",
"meta": {
"refs": [
"https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
"https://twitter.com/demonslay335/status/1004435398687379456"
],
"ransomnotes": [
"#RECOVERY-PC#.txt",
"==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #=========================="
]
},
"uuid": "3ee0664e-706d-11e8-800d-9f690298b437"
},
{
"value": "PGPSnippet Ransomware",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1005138187621191681"
],
"extensions": [
".digiworldhack@tutanota.com"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg"
]
},
"uuid": "682ff7ac-7073-11e8-8c8b-bf1271b8800b"
},
{
"value": "Spartacus Ransomware",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1005136022282428419"
],
"extensions": [
".SF"
]
},
"uuid": "fe42c270-7077-11e8-af82-d7bf7e6ab8a9"
} }
], ],
"source": "Various", "source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware", "name": "Ransomware",
"version": 23, "version": 24,
"type": "ransomware", "type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar" "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
} }
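Review bot: The new `PGPSnippet Ransomware` and `Spartacus Ransomware` entries carry no `description`, unlike the three entries added just before them (DiskDoctor, RedEye, Aurora) and the existing clusters touched in this hunk; add a one-sentence description to each, taken from the cited tweet, so the cluster is usable without following the link. The `DiskDoctor` description also starts mid-sentence in lowercase (`"new Scarab Ransomware variant called DiskDoctor ..."`), where a capitalised complete sentence would match the other entries. Separately, the context uuid on the line above the new entries, `"b0e074fc-6e45-11e8-8366-dbfc88552a23 "`, has a trailing space inside the string and so will not match the same uuid referenced elsewhere; it is pre-existing, but worth trimming while the file's version is being bumped anyway.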


@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"name": "Tool", "name": "Tool",
"source": "MISP Project", "source": "MISP Project",
"version": 74, "version": 75,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -4312,6 +4312,17 @@
"https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html" "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
] ]
} }
},
{
"uuid": "9f926c84-72cb-11e8-a1f2-676d779700ba",
"value": "ClipboardWalletHijacker",
"description": "The malware's purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware's authors. ClipboardWalletHijacker's end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware's authors.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/clipboard-hijacker-targeting-bitcoin-and-ethereum-users-infects-over-300-0000-pcs/",
"https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/"
]
}
} }
], ],
"authors": [ "authors": [
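Review bot: The first ref of the new ClipboardWalletHijacker entry ends in `.../infects-over-300-0000-pcs/`, where `300-0000` looks like a typo for 300,000; this may well be the publisher's own slug, so confirm the URL resolves before merging and leave it as-is if it does. The entry also places `uuid` before `value`, while the ransomware clusters added in this same PR put `uuid` last; key order is insignificant to a parser, but a consistent order in hand-edited galaxy files keeps diffs and reviews easier to read. The enclosing `values` array continues outside this hunk.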