Merge pull request #245 from Delta-Sierra/master

add tools used by SamSam
This commit is contained in:
Alexandre Dulaunoy 2018-08-09 16:04:04 +02:00 committed by GitHub
commit e8ffc75d4a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 114 additions and 5 deletions

View file

@ -7968,7 +7968,9 @@
"MIKOPONI.exe",
"RikiRafael.exe",
"showmehowto.exe",
"SamSam Ransomware"
"SamSam Ransomware",
"SamSam",
"Samsam"
],
"extensions": [
".encryptedAES",

View file

@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"source": "MISP Project",
"version": 81,
"version": 82,
"values": [
{
"meta": {
@ -4445,9 +4445,116 @@
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"synonyms": [
""
]
}
},
{
"value": "JexBoss",
"description": "A tool for testing and exploiting vulnerabilities in JBoss Application Servers.",
"uuid": "509fc49c-9bd8-11e8-ade9-af561325f046",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "reGeorg",
"description": "“Provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so, reGeorg is a fully-functional SOCKS proxy and gives ability to analyze target internal network.”",
"uuid": "2c62f08a-9bd9-11e8-9e20-db9ec0d2b277",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "Hyena",
"description": "An Active Directory and Windows system management software, which can be used for remote administration of servers and workstations.",
"uuid": "511d1000-9bd8-11e8-8477-8f5bcff04fb0",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "csvde.exe",
"description": "Imports and exports data from Active Directory Lightweight Directory Services (AD LDS) using files that store data in the comma-separated value (CSV) format.",
"uuid": "521721a8-9bd8-11e8-b26e-efd4142476e4",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "NLBrute",
"description": "A tool to brute-force Remote Desktop Protocol (RDP) passwords.",
"uuid": "49ebf3e4-9bda-11e8-b1c1-8bdbfc744293",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "xDedic RDP Patch",
"description": "Used to create new RDP user accounts.",
"uuid": "52be6512-9bd8-11e8-8bab-f7d8a88482ed",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "xDedic SysScan",
"description": "Used to profile servers for potential sale on the dark net",
"uuid": "52dae6ce-9bd8-11e8-a230-7bca2e015ba5",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "Wmiexec",
"description": "A PsExec-like tool, which executes commands through Windows Management Instrumentation (WMI).",
"uuid": "52f7f890-9bd8-11e8-a731-ab637e0833b4",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "RDPWrap",
"description": "Allows a user to be logged in both locally and remotely at the same time.",
"uuid": "5316eb7e-9bd8-11e8-8587-eb328b3dd314",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "PsExec",
"description": "A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. When a command is executed on a remote computer using PsExec, then the service PSEXESVC will be installed on that system, which means that an executable called psexesvc.exe will execute the commands.",
"uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
},
{
"value": "PAExec",
"description": "A PsExec-like tool, which lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. When the PAExec service is running on the remote computer, the name of the source system is added to services name, e.g., paexec-<id>-<source computer name>.exe, which can help to identify the entry point of the attack.",
"uuid": "6e76f29c-9bd8-11e8-97ae-8f7b8be65f0c",
"meta": {
"refs": [
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
]
}
}