Merge pull request #321 from Delta-Sierra/master

add AndroidOS_HidenAd
This commit is contained in:
Alexandre Dulaunoy 2019-01-10 09:50:07 +01:00 committed by GitHub
commit 96c9c14605
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 109 additions and 14 deletions


@ -4629,7 +4629,17 @@
}, },
"uuid": "08965226-c8a9-11e8-ad82-b3fe44882268", "uuid": "08965226-c8a9-11e8-ad82-b3fe44882268",
"value": "Triout" "value": "Triout"
},
{
"description": "active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/"
]
},
"uuid": "64ee0ae8-2e78-43bf-b81b-e7e5c2e30cd0",
"value": "AndroidOS_HidenAd"
} }
], ],
"version": 17 "version": 18
} }
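Review bot: The new cluster's `value` is the Trend Micro detection name `AndroidOS_HidenAd` rather than a family name, so the entry is keyed on a single vendor's signature label; if the referenced blog post gives the family another name, that name belongs in `value` with `"synonyms": ["AndroidOS_HidenAd"]` added to `meta` (the ransomware cluster in this same commit uses a `synonyms` list) so that lookups by either name resolve to this entry. The description already records the vendor attribution, so only `meta` would change. The `version` bump to 18 and the freshly generated UUID are consistent with the single object added.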


@ -3297,7 +3297,8 @@
".[cyberwars@qq.com].war", ".[cyberwars@qq.com].war",
".risk", ".risk",
".RISK", ".RISK",
".bkpx" ".bkpx",
".[newsantaclaus@aol.com].santa"
], ],
"ransomnotes": [ "ransomnotes": [
"README.txt", "README.txt",
@ -3312,7 +3313,8 @@
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. 
The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
"https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg", "https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg",
"https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg", "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg",
"https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg" "https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg",
"https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg"
], ],
"refs": [ "refs": [
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
@ -3327,7 +3329,9 @@
"https://twitter.com/demonslay335/status/1059940414147489792", "https://twitter.com/demonslay335/status/1059940414147489792",
"https://twitter.com/JakubKroustek/status/1060825783197933568", "https://twitter.com/JakubKroustek/status/1060825783197933568",
"https://twitter.com/JakubKroustek/status/1064061275863425025", "https://twitter.com/JakubKroustek/status/1064061275863425025",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/" "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
"https://www.youtube.com/watch?v=qjoYtwLx2TI",
"https://twitter.com/GrujaRS/status/1072139616910757888"
] ]
}, },
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@ -5663,7 +5667,8 @@
".WORK", ".WORK",
".SYSTEM", ".SYSTEM",
".MOLE66", ".MOLE66",
".BACKUP" ".BACKUP",
"[16 uppercase hex].SYS"
], ],
"ransomnotes": [ "ransomnotes": [
"HELP_YOUR_FILES.html (CryptXXX)", "HELP_YOUR_FILES.html (CryptXXX)",
@ -5679,7 +5684,9 @@
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number",
"!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!", "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number" "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number",
"https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nleab@tuta.io\n\nitprocessor@protonmail.com\n\npcambulance1@protonmail.com\n\nleablossom@yandex.com\n\nblossomlea@yandex.com\n\nleablossom@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[redacted lowercase GUID] number"
], ],
"refs": [ "refs": [
"http://www.nyxbone.com/malware/CryptoMix.html", "http://www.nyxbone.com/malware/CryptoMix.html",
@ -5692,7 +5699,8 @@
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/" "https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/",
"https://twitter.com/demonslay335/status/1072227523755470848"
], ],
"synonyms": [ "synonyms": [
"Zeta" "Zeta"
@ -10032,7 +10040,9 @@
".CRYPTO", ".CRYPTO",
".lolita", ".lolita",
".stevenseagal@airmail.cc", ".stevenseagal@airmail.cc",
".lol" ".lol",
".crypted034",
".ironhead"
], ],
"ransomnotes": [ "ransomnotes": [
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT", "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@ -10047,7 +10057,9 @@
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
"_How to restore files.TXT", "_How to restore files.TXT",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg" "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg",
"https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg",
"How to restore encrypted files.txt"
], ],
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
@ -10060,7 +10072,8 @@
"https://twitter.com/demonslay335/status/1007694117449682945", "https://twitter.com/demonslay335/status/1007694117449682945",
"https://twitter.com/demonslay335/status/1049316344183836672", "https://twitter.com/demonslay335/status/1049316344183836672",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/Amigo_A_/status/1039105453735784448" "https://twitter.com/Amigo_A_/status/1039105453735784448",
"https://twitter.com/GrujaRS/status/1072057088019496960"
] ]
}, },
"uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4", "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4",
@ -11567,15 +11580,19 @@
{ {
"meta": { "meta": {
"extensions": [ "extensions": [
".XY6LR" ".XY6LR",
".gerber5",
".FJ7QvaR9VUmi"
], ],
"ransomnotes": [ "ransomnotes": [
"https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg", "https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg",
"DECRYPT.txt" "DECRYPT.txt",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/14/Dt-APfCW0AADWV8[1].jpg"
], ],
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
"https://twitter.com/petrovic082/status/1071003939015925760" "https://twitter.com/petrovic082/status/1071003939015925760",
"https://twitter.com/Emm_ADC_Soft/status/1071716275590782976"
] ]
}, },
"uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e", "uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e",
@ -11612,7 +11629,75 @@
}, },
"uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643", "uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643",
"value": "JungleSec" "value": "JungleSec"
},
{
"description": "GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.",
"meta": {
"extensions": [
".fuck"
],
"ransomnotes": [
"README_BACK_FILES.htm",
"https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg"
],
"refs": [
"https://twitter.com/GrujaRS/status/1071349228172124160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/",
"https://www.youtube.com/watch?v=uHYY6XZZEw4"
]
},
"uuid": "edd4c8d0-d971-40a6-b7c6-5c57a4b51e48",
"value": "EQ Ransomware"
},
{
"description": "extension \".Mercury\", note \"!!!READ_IT!!!.txt\" with 4 different 64-char hex as ID, 3 of which have dashes. Possible filemarker, same in different victim's files.",
"meta": {
"extensions": [
".mercury"
],
"ransomnotes": [
"!!!READ_IT!!!.txt",
"!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]"
],
"refs": [
"https://twitter.com/demonslay335/status/1072164314608480257"
]
},
"uuid": "968cf828-0653-4d86-a01d-186db598f391",
"value": "Mercury Ransomware"
},
{
"meta": {
"extensions": [
".locked"
],
"ransomnotes": [
"ODSZYFRFUJ_PLIKI_TERAZ.txt",
"https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg"
],
"refs": [
"https://twitter.com/GrujaRS/status/1072468548977680385"
]
},
"uuid": "ea390fa7-94ac-4287-8a2d-c211330671b0",
"value": "Forma Ransomware"
},
{
"meta": {
"extensions": [
".djvu"
],
"ransomnotes": [
"_openme.txt",
"---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]"
],
"refs": [
"https://twitter.com/demonslay335/status/1072907748155842565"
]
},
"uuid": "e37ddc9e-8ceb-4817-a17e-755aa379ed14",
"value": "Djvu"
} }
], ],
"version": 46 "version": 47
} }
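Review bot: The Mercury entry's `description` quotes the extension as `".Mercury"` while its `extensions` array holds `".mercury"`; this file treats extension case as significant (it lists `.risk` and `.RISK` as separate values in the Dharma hunk), so the two should agree, either by changing the array to `".Mercury"` or by correcting the description to the casing the referenced tweet reports. In the earlier CryptoMix hunk, `"[16 uppercase hex].SYS"` is a descriptive placeholder inserted into an array of literal extensions, so a consumer that matches extensions verbatim will never hit it; a literal `".SYS"` in `extensions`, with the hex-prefix pattern noted in that entry's `description`, would keep the array homogeneous (the CryptoMix object itself starts and ends outside the hunk). The four new objects otherwise follow the existing shape (`meta.extensions` / `ransomnotes` / `refs`, `uuid`, `value`), and the `version` bump to 47 matches the additions.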