From cb774002c989f72b9cecce3e642e5cadbbeb2824 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 2 Oct 2019 11:44:54 +0200
Subject: [PATCH 1/5] add Sodinokibi synonym
---
 clusters/ransomware.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f5ca550..9d48f91 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13444,6 +13444,9 @@
 "meta": {
 "refs": [
 "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
+ ],
+ "synonyms": [
+ "REvil"
 ]
 },
 "uuid": "24bd9a4b-2b66-428b-8e1c-6b280b056c00",
From 0795eecd0114361130bf73eb81f4de91d1a0534b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 7 Oct 2019 11:04:33 +0200
Subject: [PATCH 2/5] add PlugX rat sysnonyms
---
 clusters/rat.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 70b21ab..7c2965f 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -1934,7 +1934,9 @@
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
 ],
 "synonyms": [
- "Korplug"
+ "Korplug",
+ "SOGU",
+ "Scontroller"
 ]
 },
 "related": [
From 569d453ff2517875851079fd38ea482f4f734db8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 7 Oct 2019 11:06:27 +0200
Subject: [PATCH 3/5] update version
---
 clusters/rat.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 7c2965f..2fbafae 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3418,5 +3418,5 @@
 "value": "InnfiRAT"
 }
 ],
- "version": 31
+ "version": 32
 }
From 5355910a8f17e4faf3f75d11f31b29eb2f3bcbdc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 7 Oct 2019 13:38:40 +0200
Subject: [PATCH 4/5] add legitimate tools
---
 clusters/tool.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 69ae9bc..940a094 100644
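Review bot: The ransomware.json hunk adds a `synonyms` array to the Sodinokibi entry but nothing in this series bumps that file's top-level `version`, whereas rat.json (patch 3) and tool.json (patch 4) do get `- "version": N` / `+ "version": N+1` hunks after their content changes. Galaxy consumers that decide whether to re-import a cluster file by comparing `version` will not notice the new synonym. Add a matching version hunk at the end of clusters/ransomware.json (the current value is not visible here, so use the file's existing number plus one). The only entry in `refs` is the Talos WebLogic post; if the REvil name is taken from a different report, add that URL to `refs` as well so the alias is traceable.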
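Review bot: In the rat.json hunk the new PlugX synonyms `"SOGU"` and `"Scontroller"` cannot be traced from the cluster itself, since `refs` holds only the Trend Micro encyclopedia URL shown in the context line above them. Synonyms are what analysts use to pivot between vendor reports, so each alias should be backed by the reference that uses it; add the source report URL to `refs` in the same change, e.g. `"refs": [ ..., "<URL of the report naming SOGU/Scontroller>" ]` (placeholder). If `Scontroller` is a variant spelling rather than a name used verbatim in a report, it may be worth confirming before it becomes a search key.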
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7844,7 +7844,19 @@
 },
 "uuid": "a577bb0d-9732-449a-80f7-5e6c93e6046c",
 "value": "Reductor"
+ },
+ {
+ "value": "ProcDump",
+ "description": "Legitimate tool - command-line tool used to monitor a running process and dump memory depending on customcriteria. The attackers use this tool to dump the LSASS process to gatherWINDOWScredentials hashes"
+ },
+ {
+ "value": "CertMig",
+ "description": "Legitimate tool - command-line tool used to import and export certificates on a machine. The attackers use this toolto gather credentials used for VPN authentication to the clients’ networks"
+ },
+ {
+ "value": "Netscan",
+ "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands."
 }
 ],
- "version": 125
+ "version": 126
 }
From c27385cfa4c855653fbeb2b1cbfb40f5a7d2ff7f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 7 Oct 2019 14:38:16 +0200
Subject: [PATCH 5/5] jq
---
 clusters/tool.json | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 940a094..577e752 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
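Review bot: The three new `description` strings contain run-together words that patch 5 carries over unchanged: `customcriteria` should read `custom criteria`, `gatherWINDOWScredentials hashes` should read `gather Windows credential hashes`, and `toolto` should read `tool to`; these values are what MISP displays and searches on, so the typos will surface in every instance that imports the galaxy. The descriptions also speak of "the attackers" and "the clients’ networks" without naming the campaign or report they were taken from, and unlike the other entries in this series they carry no `meta` block, so a reader cannot tell which intrusion the dual-use behaviour was observed in. Add `"meta": { "refs": [ "<URL of the source report>" ] }` (placeholder) to each of the three objects and, ideally, name the campaign in the text. The curly apostrophe in `clients’` is valid JSON but is the only non-ASCII character here; a plain `'` keeps the file consistent with its neighbours.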
@@ -7846,16 +7846,19 @@
 "value": "Reductor"
 },
 {
- "value": "ProcDump",
- "description": "Legitimate tool - command-line tool used to monitor a running process and dump memory depending on customcriteria. The attackers use this tool to dump the LSASS process to gatherWINDOWScredentials hashes"
+ "description": "Legitimate tool - command-line tool used to monitor a running process and dump memory depending on customcriteria. The attackers use this tool to dump the LSASS process to gatherWINDOWScredentials hashes",
+ "uuid": "1ae22855-c343-4ae9-8cab-522c9da938aa",
+ "value": "ProcDump"
 },
 {
- "value": "CertMig",
- "description": "Legitimate tool - command-line tool used to import and export certificates on a machine. The attackers use this toolto gather credentials used for VPN authentication to the clients’ networks"
+ "description": "Legitimate tool - command-line tool used to import and export certificates on a machine. The attackers use this toolto gather credentials used for VPN authentication to the clients’ networks",
+ "uuid": "fadd0d1f-b098-43ea-b7a6-50fb58aef9f6",
+ "value": "CertMig"
 },
 {
- "value": "Netscan",
- "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands."
+ "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.",
+ "uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23",
+ "value": "Netscan"
 }
 ],
 "version": 126